Access Authorization and Authentication in Operating System

In this tutorial we learn about access authorization and authentication as part of operating system security.

Access Authorization


Authorization is the process of giving someone permission to do or have something. In multi-user computer systems, a system administrator defines which users are allowed access to the system and what privileges of use each has (such as access to which file directories, hours of access, amount of allocated storage space, and so forth).

Assuming that someone has logged in to a computer operating system or application, the system or application may want to identify what resources the user can be given during this session.

Thus, authorization is sometimes seen as both the preliminary setting up of permissions by a system administrator and the actual checking of the permission values that have been set up when a user is getting access.

  • Authorization is a process by which a server determines if the client has permission to use a resource or access a file.
  • Authorization is usually coupled with authentication so that the server has some concept of who the client is that is requesting access.
  • The type of authentication required for authorization may vary; passwords may be required in some cases but not in others.
  • In some cases, there is no authorization; any user may use a resource or access a file simply by asking for it. Most of the web pages on the Internet require no authentication or authorization.

Most web security systems are based on a two-step process. The first step is authentication, which establishes the user’s identity, and the second step is authorization, which allows the user to access the various resources based on that identity. Modern operating systems depend on effectively designed authorization processes to facilitate application deployment and management.

Key factors include the type and number of users and their credentials, which require verification, and the related actions and roles.

Access control in computer systems and networks relies on access policies and is divided into two phases:

  1. Policy definition phase where access is authorized.
  2. Policy enforcement phase where access requests are permitted or not permitted.

Thus, authorization is the function of the policy definition phase, which precedes the policy enforcement phase, where access requests are permitted or not permitted based on the previously defined authorizations.
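The two phases can be sketched in code. The following is an added example, not part of the original tutorial: the administrator's policy covers the privileges named earlier (file directories, hours of access, storage space), and every request is checked against it with a default of deny. The users, paths, limits and function names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from pathlib import PurePosixPath

@dataclass(frozen=True)
class Grant:
    """One user's authorizations, written during the policy definition phase."""
    directories: tuple   # directory trees the user may access
    hours: tuple         # (start, end) of the permitted access window
    quota_bytes: int     # allocated storage space

# Policy definition phase: the administrator records who may do what.
# All users, paths and limits below are constructed sample values.
POLICY = {
    "alice": Grant(("/home/alice", "/srv/reports"), (time(8, 0), time(18, 0)), 5_000_000),
    "bob": Grant(("/home/bob",), (time(0, 0), time(23, 59)), 1_000_000),
}

def _inside(path, root):
    """True if path is root or lies beneath it (/home/alice2 is not under /home/alice)."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents

def enforce(user, path, now, used_bytes=0, write_bytes=0):
    """Policy enforcement phase: permit or deny one access request.

    Returns (allowed, reason). Anything not explicitly authorized is denied.
    """
    grant = POLICY.get(user)
    if grant is None:
        return False, "no authorization defined for user"
    if ".." in PurePosixPath(path).parts:
        return False, "path traversal component rejected"
    start, end = grant.hours
    if not (start <= now <= end):
        return False, "outside permitted hours"
    if not any(_inside(path, root) for root in grant.directories):
        return False, "directory not authorized"
    if used_bytes + write_bytes > grant.quota_bytes:
        return False, "storage quota exceeded"
    return True, "permitted"

if __name__ == "__main__":
    print(enforce("alice", "/home/alice/notes.txt", time(9, 30)))
    print(enforce("alice", "/home/alice2/notes.txt", time(9, 30)))
```

The enforcement function assumes the caller has already authenticated `user`; it only answers whether that identity is authorized for the request.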

Access control also uses authentication to check the identity of consumers. When a consumer attempts to access a resource, the access control process checks that the consumer has been authorized to use that resource. Authorization services are implemented by the Security Server, which can control access at the level of individual files or programs.

Authentication in Operating System


An authentication mechanism determines the user’s identity before revealing sensitive information. It is crucial for systems or interfaces where protecting confidential information is the priority. In the process, the user makes a provable claim about his or her own identity or about an entity’s identity.

The credentials or claim could be a username, password, fingerprint, etc. Issues such as authentication and non-repudiation are handled in the application layer. An inefficient authentication mechanism could significantly affect the availability of the service.

Use of Authentication in OS


  • Authentication is used by a server when the server needs to know exactly who is accessing its information or site.
  • Authentication is used by a client when the client needs to know that the server is the system it claims to be.
  • In authentication, the user or computer has to prove its identity to the server or client.
  • Usually, authentication by a server entails the use of a user name and password. Other ways to authenticate can be through cards, retina scans, voice recognition, and fingerprints.
  • Authentication by a client usually involves the server giving a certificate to the client in which a trusted third party such as Verisign or Thawte states that the server belongs to the entity (such as a bank) that the client expects it to.
  • Authentication does not determine what tasks the individual can do or what files the individual can see. Authentication merely identifies and verifies who the person or system is.

Example of Authentication:

For example, sender A sends an electronic document to receiver B over the internet. How will the system identify that sender A has sent a message intended for receiver B? An intruder C may intercept, modify and replay the document in order to trick the receiver or steal the information; this type of attack is called fabrication.

In this situation the authentication mechanism ensures two things. First, it ensures that the sender and receiver are legitimate parties; this is known as data-origin authentication. Second, it ensures the security of the established connection between sender and receiver with the help of a secret session key, so that it cannot be inferred; this is known as peer entity authentication.
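The A-to-B scenario above can be made concrete. This is an added example, not part of the original tutorial: it assumes A and B already share the secret session key, and it uses an HMAC-SHA256 tag plus a sequence number (a technique chosen here for illustration) so that B rejects documents that C has modified, forged or replayed. The class names and message layout are constructed.

```python
import hashlib
import hmac
import os
import struct

class Sender:
    """Party A: tags each document with a MAC under the shared session key."""
    def __init__(self, key):
        self.key, self.seq = key, 0

    def send(self, document: bytes) -> bytes:
        self.seq += 1
        header = struct.pack(">Q", self.seq)           # 8-byte sequence number
        tag = hmac.new(self.key, header + document, hashlib.sha256).digest()
        return header + tag + document                 # layout: seq | tag | document

class Receiver:
    """Party B: accepts a message only if the tag verifies and it is fresh."""
    def __init__(self, key):
        self.key, self.last_seq = key, 0

    def receive(self, message: bytes):
        if len(message) < 40:                          # 8-byte header + 32-byte tag
            return None, "malformed"
        header, tag, document = message[:8], message[8:40], message[40:]
        expected = hmac.new(self.key, header + document, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):     # constant-time comparison
            return None, "modified or forged"
        (seq,) = struct.unpack(">Q", header)
        if seq <= self.last_seq:                       # already seen: a replay
            return None, "replayed"
        self.last_seq = seq
        return document, "accepted"

def demo():
    """Run the scenario with constructed data and return B's verdicts."""
    key = os.urandom(32)                   # stands in for the secret session key
    a, b = Sender(key), Receiver(key)
    msg = a.send(b"pay B 100")
    tampered = msg[:-3] + b"900"           # document altered in transit
    return [b.receive(msg)[1],             # genuine message from A
            b.receive(msg)[1],             # same bytes delivered again
            b.receive(tampered)[1],        # altered document
            Receiver(os.urandom(32)).receive(msg)[1]]  # verifier without the key

if __name__ == "__main__":
    print(demo())
```

The sequence number is covered by the tag, so it cannot be changed without the key; the check is made only after the tag verifies.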

Authentication refers to identifying each user of the system and associating the executing programs with those users. It is the responsibility of the operating system to create a protection system which ensures that a user who is running a particular program is authentic. Operating systems generally identify/authenticate users in the following three ways −

  • Username / Password − The user needs to enter a username and password registered with the operating system to log in to the system.
  • User card/key − The user needs to punch a card into the card slot, or enter a key generated by a key generator in the option provided by the operating system, to log in to the system.
  • User attribute (fingerprint / eye retina pattern / signature) − The user needs to present his/her attribute via the designated input device used by the operating system to log in to the system.
