WEBVTT

00:00:00.800 --> 00:00:04.760
The final step in identity and access management systems is

00:00:04.760 --> 00:00:07.960
the authorization and accounting processes.

00:00:09.010 --> 00:00:13.290
Authorization refers to the rights, the privileges,

00:00:13.290 --> 00:00:17.410
the permissions that we grant an authorized user.

00:00:18.050 --> 00:00:22.700
It's granted to an entity that has been authenticated so we know

00:00:22.700 --> 00:00:25.270
that that person should be allowed on the system.

00:00:25.410 --> 00:00:28.610
Now, what can they do once they are on the system?

00:00:29.050 --> 00:00:32.000
This is where we often use the term granularity.

00:00:32.130 --> 00:00:35.600
What level of access permissions will we give them?

00:00:35.940 --> 00:00:39.870
Will it be to read only, to write and modify data,

00:00:40.050 --> 00:00:44.890
to update data, execute a program or a process,

00:00:44.890 --> 00:00:47.290
create a new record or delete?

00:00:48.040 --> 00:00:52.300
And this is where we use those concepts we looked at earlier of least privilege,

00:00:52.300 --> 00:00:54.930
need to know, and separation of duties.

00:00:56.070 --> 00:00:58.560
The important thing here is that we don't want

00:00:58.570 --> 00:01:00.890
unauthorized activity on the system,

00:01:01.060 --> 00:01:04.489
which means that unauthorized users could not make any

00:01:04.489 --> 00:01:09.040
modifications and an authorized user should not be able to

00:01:09.040 --> 00:01:11.520
make improper modifications.

00:01:13.530 --> 00:01:17.590
We also keep a record of everything that was done on the system.

00:01:17.890 --> 00:01:22.370
This is usually known as accounting, but sometimes called auditing as well.

00:01:22.990 --> 00:01:27.260
It's the tracking and logging of all of the activity on the system.

00:01:27.670 --> 00:01:30.870
And this is why we wanted unique user IDs,

00:01:30.870 --> 00:01:37.080
so we're able to associate all activity with an identified user,

00:01:37.090 --> 00:01:39.510
individual, or process.

00:01:40.770 --> 00:01:45.440
We should keep these logs so we can review them to see, are

00:01:45.440 --> 00:01:47.810
people trying to get access they shouldn't?

00:01:47.820 --> 00:01:52.620
Are people accessing something that we would prefer they didn't have access to?

00:01:53.040 --> 00:01:58.600
This can be important from a regulatory perspective to prove to some type of,

00:01:58.600 --> 00:01:58.840
say,

00:01:58.840 --> 00:02:03.380
government agency that is looking into privacy laws whether or not

00:02:03.380 --> 00:02:07.980
we are compliant with good practices of protecting information from

00:02:07.980 --> 00:02:10.070
those who do not have a need to know.

00:02:10.830 --> 00:02:16.080
We should always base this level of access we grant on what is

00:02:16.080 --> 00:02:21.930
required in order to execute their job or business needs.

00:02:23.760 --> 00:02:29.110
In summary, in this module, we set out the concepts of access controls.

00:02:29.650 --> 00:02:33.970
That means that all authorized users should be identified,

00:02:34.440 --> 00:02:38.160
then authenticated, authorized, and, of course,

00:02:38.170 --> 00:02:41.560
subject to logging of all actions taken.
