In the context of access control, what does authorization define?

Prepare for the PCI DSS Test with detailed questions and explanations. Use flashcards and quizzes to enhance knowledge. Ensure you're ready for your certification exam!

Multiple Choice

In the context of access control, what does authorization define?

Explanation:
Authorization is about what an authenticated user is allowed to do. After identity is verified (authentication), the system applies policies that grant or deny specific access rights and actions. This is implemented through permissions, roles, and access control lists that determine which resources a user can view, modify, delete, or execute. For example, someone who has logged in to a database might be authorized to read financial reports but not to delete data, or may be restricted to certain tables. Authorization answers the question of what you are allowed to do, distinct from authentication, which answers who you are. It’s about enforcing least privilege, ensuring access is limited to what’s necessary for the user’s role, not about defending against attacks, backups, or daily operations policies.
