Identity & Access Management
Also called: "authn authz", "authentication authorization"
These two security concepts work together but serve different purposes.
Authentication (AuthN)
- Question: Who are you?
- Methods: Passwords, biometrics, tokens, certificates.
- Result: Verified identity (you are User123).
- Examples: Login, SSO, MFA.
Authorization (AuthZ)
- Question: What can you do?
- Methods: Roles, permissions, ACLs, policies.
- Result: Access decision (you can read but not write).
- Examples: RBAC, ABAC, OAuth scopes.
Flow
- User requests access.
- System authenticates user (login).
- System checks authorization (permissions).
- Grant or deny access.
Real-world analogy
- Authentication: Showing ID at airport security.
- Authorization: Boarding pass determines which gate/seat.
Common mistakes
- Confusing the two terms.
- Authorization without authentication.
- Hardcoding permissions (should be dynamic).
- Insufficient access controls.
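The flow above, together with two of the common mistakes (authorization without authentication, and permissions hardcoded into the check), as an added Python example that is not part of the original page. The user record, the salt, the password and the role-to-permission policy are all constructed sample data.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data: one user with a salted, PBKDF2-hashed password,
# and a role-to-permission policy kept as data rather than inside the
# authorization code, so it can change without touching the check itself.
SALT = b"example-salt"
USERS = {
    "user123": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
        "role": "reader",
    }
}
POLICY = {
    "reader": {"doc": {"read"}},
    "editor": {"doc": {"read", "write"}},
}
SESSIONS: dict = {}  # session token -> username


def authenticate(username: str, password: str) -> Optional[str]:
    """AuthN: answer 'who are you?'. Returns a session token, or None on failure."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    user = USERS.get(username)
    # Hash is computed before the lookup so unknown and known users take similar time.
    if user is None or not hmac.compare_digest(candidate, user["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def authorize(token: Optional[str], resource: str, action: str) -> bool:
    """AuthZ: answer 'what can you do?'. Always denies without a valid session."""
    username = SESSIONS.get(token) if token else None
    if username is None:
        return False  # authorization without authentication is a deny, never a default-allow
    role = USERS[username]["role"]
    return action in POLICY.get(role, {}).get(resource, set())


if __name__ == "__main__":
    tok = authenticate("user123", "correct horse")
    print("read:", authorize(tok, "doc", "read"))    # True: reader may read
    print("write:", authorize(tok, "doc", "write"))  # False: reader may not write
    print("no session:", authorize(None, "doc", "read"))  # False: not authenticated
```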
Standards
- OAuth 2.0: Authorization framework.
- OpenID Connect: Authentication layer on OAuth.
- SAML: Enterprise SSO.
- JWT: Signed token format carrying claims, used for both authentication and authorization.