Definition
Authorisation is the process of determining what a verified user is allowed to do within a system. It happens after authentication — once the system knows who you are, authorisation decides what you can access. This is typically managed through roles and permissions: a user might have a “manager” role that grants permission to view reports and approve expenses, while a “staff” role can only submit expenses. Authorisation rules control which pages a user can see, which actions they can perform, and which data they can access. The goal is to ensure that every user can do their job without accessing anything they should not.
Why It Matters
Without proper authorisation, any logged-in user could access any part of your system — a customer could view other customers’ data, a junior employee could modify billing settings, or a contractor could access confidential financial reports. Authorisation enforces the principle of least privilege: each user gets exactly the access they need and nothing more. This limits the damage if an account is compromised, reduces the risk of accidental changes to sensitive data, and helps meet compliance requirements that mandate access controls. A well-designed authorisation system also makes auditing straightforward, because every access decision is based on clearly defined roles and permissions.
Example
Your client portal has three user types: clients, account managers, and administrators. A client can view their own projects and invoices but cannot see other clients’ data. An account manager can view and edit projects for their assigned clients but cannot change billing rates. An administrator has full access to all clients, all projects, and all system settings. When a new account manager joins, they are assigned the account manager role and immediately have the correct level of access — no manual configuration of individual permissions required.
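The client-portal policy just described, written as a deny-by-default check in Python. This is an added example, not code from the original page; the `User`, `Resource` and `ROLE_PERMISSIONS` names are assumptions, and the role check is paired with a record-level ownership check so that a client cannot reach another client's data simply by naming its ID.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    id: str
    role: str                                  # "client", "account_manager" or "administrator"
    assigned_clients: frozenset = frozenset()  # meaningful only for account managers

@dataclass(frozen=True)
class Resource:
    kind: str       # "project" or "invoice"
    id: str
    client_id: str  # the client who owns this record

# Constructed role -> permission table mirroring the three roles above.
# Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "client": {"project:view", "invoice:view"},
    "account_manager": {"project:view", "project:edit", "invoice:view"},
    "administrator": {"project:view", "project:edit", "invoice:view",
                      "billing_rate:edit", "settings:edit"},
}
# Actions on system-wide settings rather than on one client's record.
GLOBAL_ACTIONS = {"billing_rate:edit", "settings:edit"}

def in_scope(user: User, resource: Resource) -> bool:
    """Record-level check: may this user reach this particular client's data?"""
    if user.role == "administrator":
        return True
    if user.role == "client":
        return resource.client_id == user.id          # own records only
    if user.role == "account_manager":
        return resource.client_id in user.assigned_clients
    return False                                       # unknown role: deny

def is_allowed(user: User, action: str, resource: Optional[Resource] = None) -> bool:
    """Deny by default: the role must grant the action, and a record-level action
    must name a record of the right kind that lies within the user's scope."""
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        return False   # e.g. an account manager trying billing_rate:edit
    if action in GLOBAL_ACTIONS:
        return True    # the role check alone decides system-wide actions
    if resource is None or not action.startswith(resource.kind + ":"):
        return False   # no record (or the wrong kind of record) supplied: fail closed
    return in_scope(user, resource)
```

Adding a new account manager is then just constructing a `User` with that role and their assigned client IDs; no per-permission configuration is needed.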