Authentication vs Authorization – Who vs Who+What

The first job after completing education is always special. I joined a software company, and on the very first day I got an ID card with my name and employee ID on it. HR said that I was now authenticated to enter the company premises. By wearing that ID card I was able to enter the premises, which was a multistory building.

I liked the building and was going from floor to floor. I tried swiping my card to unlock the gate on some random floors, but access was denied. The security guard said that I was not authorized to enter those floors because I belonged to a different team. A pretty exciting day that was.

Let’s come to the topic now – Authentication vs Authorization. One second! Did I just give a real-life example above?

The very first thing you should understand is that the two are not the same, and that not both of them are about the word “access”.

Authentication is to prove identity and Authorization is related to access to resources.

In the above example, the ID card issued by the company (not just any ID card is valid) is an example of Authentication, i.e. identity, or proving that I am an employee of the company.

I was not allowed, i.e. not authorized or given access, to enter all the floors. I am an authenticated employee but not authorized to access all floors.

You might have heard the term IAM (Identity and Access Management) used by Amazon AWS, Google Cloud, etc. Identity is Authentication and Access is Authorization.

Please note here that if you are not authenticated, you never reach the level of authorization. If I am not an employee of the company, I will not be able to enter the company premises at all, so there is no point in talking about access to floors.

Let’s understand Authentication and Authorization in a real application. We generally submit timesheets through an application. An employee logs in to the timesheets application using their credentials to submit hours. They will not have any access to approve the timesheets of other employees. But if a manager logs in, they will see the option to approve the timesheets of their team members. An employee and a manager are both authenticated to access the timesheets application, but they are not authorized for the same actions.
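The timesheet scenario above as a small added example (not code from the original post): authentication checks who the caller is against salted, hashed passwords; authorization then checks what that user may do, and a caller who fails authentication never reaches the authorization step. The users, teams and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def _hash(password: str, salt: bytes) -> bytes:
    # Passwords are stored salted and hashed (PBKDF2), never in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class User:
    name: str
    role: str      # "employee" or "manager"
    team: str
    salt: bytes
    pw_hash: bytes


def make_user(name: str, role: str, team: str, password: str) -> User:
    salt = os.urandom(16)
    return User(name, role, team, salt, _hash(password, salt))


# Constructed user directory: one employee and two managers on different teams.
USERS = {u.name: u for u in [
    make_user("alice", "employee", "qa", "alice-pw"),
    make_user("bob", "manager", "qa", "bob-pw"),
    make_user("carol", "manager", "dev", "carol-pw"),
]}

# Constructed pending timesheets: owner -> team the owner belongs to.
TIMESHEETS = {"alice": "qa"}


def authenticate(name: str, password: str) -> Optional[User]:
    """Authentication: prove WHO the caller is. Returns None on failure."""
    user = USERS.get(name)
    if user is None:
        return None
    # Constant-time comparison so timing does not reveal how much of the hash matched.
    if not hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
        return None
    return user


def can_approve(user: User, timesheet_owner: str) -> bool:
    """Authorization: WHAT an authenticated user may do. Only a manager may approve,
    only for their own team, and never for their own timesheet."""
    owner_team = TIMESHEETS.get(timesheet_owner)
    return user.role == "manager" and owner_team == user.team and timesheet_owner != user.name


def approve_timesheet(name: str, password: str, timesheet_owner: str) -> str:
    user = authenticate(name, password)
    if user is None:
        return "denied: not authenticated"   # authorization is never evaluated
    if not can_approve(user, timesheet_owner):
        return "denied: not authorized"
    return f"approved {timesheet_owner}'s timesheet by {user.name}"
```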

You can subscribe to my YouTube channel RetargetCommon to learn from video tutorials.


6 thoughts on “Authentication vs Authorization – Who vs Who+What”

  1. In the last you mentioned both manager and employee both are authenticated to access the timesheets application but NOT authorized for similar actions

  2. Thanks for explaining in simple terms.
    One line in the blog that summarizes everything:
    “Authentication is to prove identity and Authorization is related to access to resources.”
