
Intro to Identity and Access Management | Software Engineering

Mostafa Bohram
August 26th, 2021 · 1 min read

Every web and mobile application needs identity and access management: each user has their own data and their own permissions for accessing specific parts of the application, performing certain actions, or manipulating data. The question is, how do you differentiate between identity and access permissions? 🤔

Authentication

Authentication in a web or mobile application is the way of establishing the identity of the user accessing the application, and only that; it says nothing yet about what that user is allowed to access.

There are many ways to establish a user's identity; the following are examples of different inputs used to identify the user:

  • Email and Password.
  • Third-party authorization services (Facebook, Google, etc.), using the OAuth and OIDC (OpenID Connect) protocols.
  • Email and OTP (One Time Password), which is also considered a passwordless method.
  • Fingerprint (a biometric method), which is also considered a passwordless method.

Each method has its own pros and cons, and the choice depends on your design and approach, but you should think of it as a trade-off between security and user experience and try to get the best of both.
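The email-and-OTP method from the list above, as an added example that is not part of the original article: a server issues a short numeric code bound to an email address, and accepting it requires that the code be unexpired, unused, compared in constant time, and not brute-forced through repeated guesses. The in-memory store, the 5-minute lifetime and the attempt limit are assumptions made for the example.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumption for the example: a code lives for 5 minutes
OTP_MAX_ATTEMPTS = 5    # assumption: the code is invalidated after 5 wrong guesses

# Constructed in-memory store (email -> pending challenge). A real service would
# keep this server-side in a database or cache and deliver the code by email.
_pending = {}


def issue_otp(email, now=None):
    """Create a fresh 6-digit code for this email, replacing any pending one."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded to 6 digits
    _pending[email] = {"code": code, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    # Returned here only so the example can be exercised; in production the code
    # goes out by email and is never returned to the client that requested it.
    return code


def verify_otp(email, submitted, now=None):
    """Return True exactly once for the correct, unexpired code; False otherwise."""
    now = time.time() if now is None else now
    challenge = _pending.get(email)
    if challenge is None:
        return False
    # Expired or locked codes are dropped so they cannot be retried.
    if now > challenge["expires"] or challenge["attempts"] >= OTP_MAX_ATTEMPTS:
        _pending.pop(email, None)
        return False
    challenge["attempts"] += 1
    # Constant-time comparison so response timing does not leak matching digits.
    if not hmac.compare_digest(challenge["code"], submitted):
        return False
    _pending.pop(email, None)   # single use: a successful code cannot be replayed
    return True


if __name__ == "__main__":
    code = issue_otp("user@example.com")
    print("wrong code accepted:", verify_otp("user@example.com", "000000"))
    print("right code accepted:", verify_otp("user@example.com", code))
    print("replay accepted:    ", verify_otp("user@example.com", code))
```

A successful verification establishes the user's identity (the holder of that mailbox) and nothing more; what that user may then do is the separate authorization step described in the next section.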

Authorization

Authorization in a web or mobile application is the way of knowing the user's roles and permissions (sometimes called scopes, among other names) in order to allow or deny access to certain parts of the application or its systems.

Authorization comes as a second step after the authentication process: along with the user's information, you should receive the permissions the user has been granted, and use them to limit or grant the user's access to certain parts of the application.

A user with limited access should see only the data and actions they are allowed to see or perform, and showing blank data or an error when they try to perform a certain action is definitely a bad user experience. For example, a user who does not have admin permissions shouldn't be allowed to see the admin dashboard; instead, they should see an error page showing something like "Sorry, but you are not authorized", just like a 404 not found error page.
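The two-step flow described in this section, as an added example that is not part of the original article: authentication resolves a session token to an identity and nothing else, authorization is a separate policy check over that identity's scopes, and a request handler uses them in that order, answering an unknown caller with 401, a known caller without the permission with 403 and a clear "not authorized" page, and filtering the menu so users only see what they may do. The session table, user directory, scope names and `Response` type are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data (hypothetical): opaque session tokens mapped to
# usernames, and each user's granted scopes. A real application would load both
# from its session store and user directory.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
USERS = {
    "alice": {"scopes": {"dashboard:read", "admin:dashboard"}},
    "bob": {"scopes": {"dashboard:read"}},
}

# Which scope each UI entry requires; used to hide what the user cannot do.
MENU = {"Home": "dashboard:read", "Admin": "admin:dashboard"}


@dataclass
class Identity:
    username: str
    scopes: frozenset


@dataclass
class Response:
    status: int
    body: str


def authenticate(session_token: Optional[str]) -> Optional[Identity]:
    """Step 1: who is the caller? Returns the Identity, or None if unknown.
    Deliberately says nothing about what the caller is allowed to do."""
    username = SESSIONS.get(session_token or "")
    if username is None:
        return None
    return Identity(username, frozenset(USERS[username]["scopes"]))


def authorize(identity: Identity, required_scope: str) -> bool:
    """Step 2: may this identity perform the action? A pure policy decision."""
    return required_scope in identity.scopes


def visible_menu(identity: Identity) -> List[str]:
    """Only list entries the user is allowed to open, so nothing renders blank."""
    return [label for label, scope in MENU.items() if authorize(identity, scope)]


def handle_admin_dashboard(session_token: Optional[str]) -> Response:
    """Request handler for the admin dashboard: authenticate, then authorize."""
    identity = authenticate(session_token)
    if identity is None:
        # Unknown identity: ask the client to sign in.
        return Response(401, "Please sign in")
    if not authorize(identity, "admin:dashboard"):
        # Known identity, missing permission: a clear page, not blank data.
        return Response(403, "Sorry, but you are not authorized")
    return Response(200, f"Admin dashboard for {identity.username}")


if __name__ == "__main__":
    for token in ("tok-alice", "tok-bob", "tok-unknown"):
        r = handle_admin_dashboard(token)
        print(f"{token:12} -> {r.status} {r.body}")
    print("bob's menu:", visible_menu(authenticate("tok-bob")))
```

Keeping `authenticate` and `authorize` as separate functions is the point: the identity result can be reused across every handler, while each handler states the single scope it needs, which keeps the permission check easy to audit and hard to forget.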

Summary

The authentication process answers the question "what is the user's identity?", while the authorization process answers the question "what permissions does the user have?", in order to grant or limit access to a certain part of the application, whether it is data or an action.
