Authorization Matrix
What is an Authorization Matrix?
An authorization matrix is a document, tool, or system that provides a detailed overview of which users or groups have access to specific applications, data, or other facilities within your organization. It is an important aid for account and access management, and it supports your information security and compliance.
An authorization matrix has two objectives:
The matrix serves as the source for all user permissions as they are issued and managed within your Identity and Access Management (IAM) platform. The IAM platform ensures that all users receive access to all required applications, data, and other resources.
It is therefore also the 'single source of truth' that can be used during audits or after a security incident to inventory all access rights and, for example, generate an audit trail.
An authorization matrix is required to comply with the Principle of Least Privilege (PoLP), a leading principle within security standards such as ISO 27001 and the General Data Protection Regulation (GDPR). This principle means that every employee receives rights only to those applications, data, and facilities that are truly needed to perform their job. Each user is granted access based on the 'need to know' principle. This contrasts with small start-ups, where all users often have access to all facilities, unless the information is very specific and confidential. This is also called the 'open, unless' principle.
IAM systems are typically designed on a need-to-know basis, and an authorization matrix is necessary to keep that manageable.
Is an Authorization Matrix Mandatory?
Security guidelines such as ISO 27001 or BIO often reference an authorization matrix, although a matrix is not officially mandatory. There is no fixed guideline for what the matrix should look like or how it must be implemented. It is more of a general term for a single central, structured, and managed record of all authorization rules. A record is simply necessary to comply with current security and privacy guidelines. In our own HelloID platform, a literal matrix is not used, but we safeguard authorization management through a set of structured business rules.
You also frequently see authorization matrices at two or more levels within organizations:
At the organizational or governance level, the focus is often on rights and responsibilities for entire processes or subprocesses, and for groups of data. For example, who is the business owner of all customer data and customer systems?
At a more operational level, such as within the IAM system, an authorization matrix is much more detailed and concerns access to specific systems and data shares.
Creating an Authorization Matrix
How should you create an authorization matrix, and is there a standard template for it? Templates are available, but as noted, the actual setup depends on the organization and the management applications in use. In essence, creating an authorization matrix always comes down to the following items:
1. Identify the resources, meaning all information systems, applications, databases, and physical locations that require access management.
2. Define users, user groups, or roles for which you must grant and manage rights.
3. Determine, for each user, group, or role, which systems, applications, and other facilities they should access on a need-to-know basis.
4. Refine the access rights further, for example in the form of permitted actions such as view, edit, and delete. In healthcare, an additional 'scope' is often applied to access to healthcare systems: a person only receives access to data for a specific location or group of clients.
You must then implement this information in your IAM system. As noted in step 4 above, when you refine access rights, the authorization matrix effectively becomes multidimensional. A simple tabular structure is too limited for that, which is why our HelloID platform uses business rules. These are more flexible and versatile, and you can enter, view, evaluate, and modify them directly online in the HelloID platform through a user-friendly interface.
Mapping all users or groups, roles, and their rights can be quite complex in a larger organization. You need a complete analysis of the existing organizational structure and all business processes. A useful aid for quickly and easily creating an initial authorization matrix is called role mining. This is a smart analysis of existing users and their access rights to produce a first version of the authorization matrix.
What are Alternatives to an Authorization Matrix?
There isn't much of an alternative to the authorization matrix itself. As noted, it is a general term for a document or tool used to register and manage access rights in a structured way. The way you organize those access rights can vary. Below, we outline some possible forms of access management:
| Authorization management models | Explanation |
|---|---|
| Access Control List (ACL) | With this approach, access to systems and data is managed on a per-user basis. This is closest to the basic concept of an authorization matrix. It works well for small systems and organizations, but in larger environments, it quickly becomes difficult to manage. |
| Role-Based Access Control (RBAC) | With RBAC, you organize access rights not per person, but by the roles or functions people can fulfill within an organization. A salesperson, therefore, has different access rights than an administrator. |
| Attribute-Based Access Control (ABAC) | ABAC is similar to RBAC but is more flexible and more complex because more properties (or attributes) of users, applications, and data can be used. To access certain data, a person must have a specific role and be authorized for data with a particular classification level. |
| Policy-Based Access Control (PBAC) | With PBAC, you use policy rules to determine who has access to which data and applications. You can make application access dependent on the time of day (for example, only during working hours), the network used for access, or the sensitivity of the data. |
These are several ways to organize and structure access rights. Each of the described control options has its own advantages and disadvantages, depending on the type of organization, the size, and the sensitivity of the data being managed. In practice, you will also often see advanced IAM solutions use a combination of these methods for authorization management.
IAM and Authorization Matrix
How do you use an authorization matrix to set up your Identity and Access Management? In many IAM solutions, including HelloID, Role-Based Access Control is usually the starting point for access management. This is logical because RBAC aligns well with the Least Privilege principle: you determine which access rights are needed for each role.
In practice, HelloID offers a more comprehensive mechanism for managing authorization rules, namely ABAC. Attributes are the various characteristics of users: an attribute can be a person's role or function, the department they work in, or their work location. We can assign access rights based on combinations of attributes, which makes the system very powerful. Below are some examples of business rules:
Using a business rule, we can easily configure it so that someone with the role 'healthcare worker' also receives access to the Electronic Client Record (ECD) in addition to standard M365 software. This is a role-based access right.
You can refine access rights by using other attributes as well. For example, a healthcare worker then only receives access to ECD data of clients treated at the location and department where the employee works.
Business rules also support time-based conditions. For example, you can grant the required authorizations several days before a person's onboarding. You can also block an account when the employee leaves, but keep the associated authorizations in the system for a grace period.
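The three kinds of business rule above (role-based grant, attribute-based scoping, and time windows around onboarding and leaving), together with the refined actions and scope from step 4 of the matrix procedure, expressed as a small rule evaluator. This is an added example written for this page, not HelloID's own configuration or code; the roles, resources, rule names, lead and grace periods are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, List, Optional

# Constructed sample model: roles, resources and rule names are assumptions
# for this example, not HelloID's own business-rule configuration.
LEAD_DAYS = 3    # grant authorizations this many days before onboarding
GRACE_DAYS = 30  # keep authorizations this long after the last working day

@dataclass(frozen=True)
class User:
    role: str
    department: str
    location: str
    start: date                 # first working day
    end: Optional[date] = None  # last working day; None while employed
@dataclass(frozen=True)
class Entitlement:
    resource: str
    actions: tuple    # permitted actions, e.g. ("view", "edit")
    scope: str = "*"  # "*" = all data, else "attr=value;attr=value"
@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[User], bool]           # test on user attributes
    grant: Callable[[User], List[Entitlement]]  # entitlements incl. scope

def _in_window(user: User, today: date, trailing_days: int) -> bool:
    if today < user.start - timedelta(days=LEAD_DAYS):
        return False
    return user.end is None or today <= user.end + timedelta(days=trailing_days)
def account_enabled(user: User, today: date) -> bool:
    return _in_window(user, today, 0)           # blocked after the end date
def authorizations_retained(user: User, today: date) -> bool:
    return _in_window(user, today, GRACE_DAYS)  # kept during the grace period

RULES = [
    # Role-based: every employee gets the standard M365 software.
    Rule("all-staff-m365", lambda u: True,
         lambda u: [Entitlement("M365", ("view", "edit"))]),
    # Refined by attributes: healthcare workers also get the ECD, scoped to
    # the clients of their own location and department.
    Rule("healthcare-ecd", lambda u: u.role == "healthcare worker",
         lambda u: [Entitlement("ECD", ("view", "edit"),
                                f"location={u.location};department={u.department}")]),
]

def evaluate(user: User, today: date, rules=RULES) -> set:
    """Entitlements the user should hold on `today`; empty outside the window."""
    if not authorizations_retained(user, today):
        return set()
    return {e for r in rules if r.condition(user) for e in r.grant(user)}
```

Because the scope is part of the entitlement rather than a separate column, the same rule set covers the multidimensional case that a flat matrix cannot express.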
With HelloID, you can also grant individual access rights, for example to a specific application for a temporary project. Such a right does not follow from attributes or policies, which is why we do not manage these rights through general business rules. Instead, we use the HelloID Service Automation module. It automates and records online requests for such optional rights, including validation and approval, issuance, and, if desired, timely revocation.
You can see that HelloID gives you the flexibility to combine different controls within your IAM environment and to tune your IAM authorization matrix precisely to your organization.
Want to learn more about setting up your authorization rules and authorization matrix using HelloID business rules? Watch our webinar.