Permissions vs authority

A discussion of the differences between "having permissions" and "having authority".

Permissions vs authority

In computing, along with life, you can be assigned permissions, or rights[1], that allow you to perform certain actions on a system.  It's important not to confuse these permissions with authority, as to do so could land you in a spot of bother.

What are "permissions"?

Much like in everyday life, if you have permission to do something you're able to do it (assuming you physically can of course).  That doesn't say anything about the moral implications (more on that later), just that there's no technical control stopping you from doing something.  For example, my daughter asks my permission to play games on my computer.  I can say yes or no, the technical control for the latter being that the computer is off and not logged in.

When considering the file system (e.g. NTFS or ext4), having access to a file means your user object must have permissions to access the file.  Those permissions can vary, from being allowed to read a file (but not change it) to being able to modify a file.  If a user account does not have permissions they won't be able to perform any action on the file (and potentially won't be able to see it).  A good example is when I try to delete a file that I don't have permissions to delete, I get an alert that I need to provide administrator permission:

Windows "file access denied" dialog.
Windows prevented me from deleting this file because I don't have permission.

(For the avoidance of doubt, I've got the authority to delete that file, I just didn't hold the relevant permissions at the time.)

For systems with Role Based Access Control (RBAC), permissions dictate what you can do within the system.  Thinking about eVitabu, where RBAC is used extensively, all users have permission to edit their own profile.  Some can download content and use the Android app, others can manage the content in the system (uploading content, unpublishing content etc.) while others still can change the system configuration.  Unless a user is holding the relevant permissions they cannot perform the action.

How about "authority"?

The Oxford dictionary[2] defines authority as:

the right to act in a specified way, delegated from one person or organisation to another.

It's unfortunate that, in English at least, the words "right" (as in the definition above) and "rights" (permissions) are almost the same, but hopefully I'm able to explain everything well enough to make sense!  In this case, having the right to do something is because we've been allowed to do something.  For example, I have the authority to purchase items on behalf of the church (spending the church's money) because I head up our tech team.  I've been given the right to act in that way as control of my budget was delegated to me by the trustees.  I do not have the authority to spend someone else's budget.

Having permissions, but not authority

To give an example from work, I have permissions that allow me to do many things.  I have administrator permissions in a lot of systems[3], which means that I can make massive changes, up to and including the deletion (destruction) of the system.  Similarly I can change the passwords of other people and then login as them.

With such large amounts of power (permissions), it's important to consider whether or not I have the authority to act in a particular way.  I was in a meeting with someone once that needed access to their account.  For reasons I won't go into, their account access had been temporarily removed but it was important that the individual was given their account back for the afternoon.  That re-granting of access was approved, but then the person couldn't recall their password.

I have the permissions that allow me to reset the user's password, and I could have done so.  Technically the user should file a support ticket to get their password reset though.  In the end they went through the service desk, which kept everything above board (and documented).

Oh, I don't have the authority to destroy the systems by the way - just the permissions that would allow me to do so!

Ethics of using permissions

I touched on this briefly above - when is it ethical to use those permissions?  When I'm conducting audits or forensic investigations I often get given permissions that I wouldn't normally hold - for example to access someone's email account.  I've covered the ethics of investigating users before, so I won't go into it again, but it's something to be mindful of.

Conclusion

"just because you can, doesn't mean you should"

This old adage  still holds true.  Often when you've got the authority to do something you'll find you have the permissions to perform the associated actions.  Sometimes though you'll have the permissions to perform actions you're not authorised to do - quite a temptation.

In secure systems there's the principle of least privilege that explains someone should be granted the minimum permissions they need in order to perform their tasks.  Sadly not every system is granular enough that you can provide someone only the permissions that match their authorisations.

Be honourable out there folks!


Banner image: a Windows deletion dialogue

[1] Not to be confused with having the right (or moral right) to do something.

[2] https://www.lexico.com/en/definition/authority

[3] Via a separate account that's not my day to day one.