Authorization is the process of deciding what an authenticated user or system is allowed to do. Once authentication has confirmed identity, authorization decides which resources can be accessed and which actions are permitted. Common examples include checking whether a user can view a record, edit it, or delete it. Authorization rules are usually based on roles, permissions, ownership, or policies that consider attributes of both the user and the resource. Clear authorization boundaries help keep sensitive data protected even when many people share access to the same application. Confusing authentication with authorization leads to serious security bugs: knowing who someone is does not tell you whether they are allowed to perform a given action, and a handler that only checks for a logged-in user silently grants every action to every user.
How it works
In a typical web application, each incoming request passes through authentication middleware that attaches the user's identity to the request context. The application then evaluates authorization rules, which may be role-based, attribute-based, or hard-coded checks in specific handlers. Data access layers often include authorization filters so that database queries return only the rows the user is allowed to see. Some systems move authorization into a central policy engine to keep rules consistent across services and avoid duplicating them in every handler. For APIs, authorization is enforced on each endpoint using tokens, scopes, or explicit permission checks. Good logging around authorization decisions (who requested what, and whether it was allowed or denied) is critical for debugging access issues and for security audits.
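The pipeline described above, as an added example that is not part of the original text: a request context populated by (simulated) authentication middleware, a small central policy table evaluated by one `is_allowed` function, a data-access filter that applies the same policy to listings, and a decision log. It also places the mistake from the opening paragraph (a handler that checks only for a logged-in user) beside a handler that checks both identity and permission. The users, records, roles and actions are constructed for the example, and the policy rules are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# --- Identity and data model (constructed for this example) ---------------

@dataclass(frozen=True)
class User:
    id: str
    roles: frozenset


@dataclass(frozen=True)
class Record:
    id: str
    owner_id: str
    body: str


# --- Central policy engine -----------------------------------------------
# "Who may do what" lives in one table instead of being scattered across
# handlers. The three rules below are hypothetical; a real deployment
# would load them from its own policy source.

def _is_admin(user: User, record: Record) -> bool:
    return "admin" in user.roles


def _is_owner(user: User, record: Record) -> bool:
    return record.owner_id == user.id


def _is_auditor(user: User, record: Record) -> bool:
    return "auditor" in user.roles


# action -> list of rules; any one rule passing grants the action
POLICY: Dict[str, List[Callable[[User, Record], bool]]] = {
    "view":   [_is_admin, _is_owner, _is_auditor],
    "edit":   [_is_admin, _is_owner],
    "delete": [_is_admin],
}

DECISION_LOG: List[str] = []  # audit trail of every authorization decision


def is_allowed(user: User, action: str, record: Record) -> bool:
    """Evaluate the policy table. Unknown actions are denied by default."""
    rules = POLICY.get(action, [])
    allowed = any(rule(user, record) for rule in rules)
    DECISION_LOG.append(
        f"user={user.id} action={action} record={record.id} "
        f"decision={'ALLOW' if allowed else 'DENY'}"
    )
    return allowed


# --- Data-access layer with an authorization filter ----------------------

def visible_records(user: User, store: Dict[str, Record]) -> List[Record]:
    """Return only rows the caller may view, so listings never leak other users' rows."""
    return [r for r in store.values() if is_allowed(user, "view", r)]


# --- Request handlers ----------------------------------------------------
# `ctx` stands in for the request context that authentication middleware
# fills in; ctx["user"] is None when no valid credential was presented.

def handle_authn_only(ctx: dict, action: str, record_id: str,
                      store: Dict[str, Record]) -> Tuple[int, str]:
    """The mistake the text warns about: identity is checked, permission is not."""
    if ctx.get("user") is None:
        return 401, "unauthenticated"
    record = store.get(record_id)
    if record is None:
        return 404, "not found"
    return 200, f"{action} ok on {record.id}"  # any logged-in user may do anything


def handle_authorized(ctx: dict, action: str, record_id: str,
                      store: Dict[str, Record]) -> Tuple[int, str]:
    """Authentication (401) and authorization (403) are separate decisions."""
    user: Optional[User] = ctx.get("user")
    if user is None:
        return 401, "unauthenticated"
    record = store.get(record_id)
    if record is None:
        return 404, "not found"
    if not is_allowed(user, action, record):
        return 403, "forbidden"
    return 200, f"{action} ok on {record.id}"


# --- Constructed sample data ---------------------------------------------
STORE: Dict[str, Record] = {
    "r1": Record("r1", owner_id="alice", body="alice's note"),
    "r2": Record("r2", owner_id="bob", body="bob's note"),
}
ALICE = User("alice", frozenset({"member"}))
BOB = User("bob", frozenset({"member"}))
ROOT = User("root", frozenset({"admin"}))
AUDITOR = User("aud", frozenset({"auditor"}))

if __name__ == "__main__":
    print(handle_authn_only({"user": BOB}, "delete", "r1", STORE))  # (200, ...) the bug
    print(handle_authorized({"user": BOB}, "delete", "r1", STORE))  # (403, 'forbidden')
    print(handle_authorized({"user": None}, "view", "r1", STORE))   # (401, ...)
    print([r.id for r in visible_records(ALICE, STORE)])            # ['r1']
    print("\n".join(DECISION_LOG))
```

Keeping the policy in one table means a new action or role is added in exactly one place, and the data-access filter and the endpoint handler cannot drift apart because they call the same `is_allowed`. Denying unknown actions by default is what turns a typo in a handler into a visible failure rather than a silent grant.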