Guideline: Complete Authorization
Part of: Information Security Guidelines
Overview: Building a set of Guidelines for Security and Privacy
Every form of access is based on a complete authorization scheme (identification -> authentication -> authorization) and authorization is never implicitly granted.
In a hospital information system, an assistant might access a patient’s contact details. But it would violate the patient’s medical confidentiality if the assistant could also access the medical records stored in the database. Therefore, the person’s identity must be authenticated, and based on that identity authorization is either granted or not. Based on this information, the doctor would see more information than the assistant.
Explicit authorization can be done with security tickets or tokens traveling with the identity. But the mere fact that the token exists should not lead to access. The ticket or token should be validated for proper authorization before access is granted.
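The token check described above, as an added example that is not part of the original guideline: an HMAC-signed token carries the identity and role, and access is granted only after the signature, the expiry and an explicit permission entry have all been verified. The token format, the key, and the role and resource names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed value; a real key comes from a secret store

# Explicit grants only (assumed roles/resources): anything not listed is denied.
PERMISSIONS = {
    "assistant": {"contact_details"},
    "doctor": {"contact_details", "medical_record"},
}

def issue_token(user, role, ttl=300, now=None):
    """Issued after authentication: signed claims that travel with the identity."""
    now = time.time() if now is None else now
    claims = {"sub": user, "role": role, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig

def verify_token(token, now=None):
    """Return the claims if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or altered token
        claims = json.loads(base64.urlsafe_b64decode(body))
        if not isinstance(claims, dict) or claims.get("exp", 0) < now:
            return None  # malformed or expired
        return claims
    except (ValueError, TypeError, AttributeError):
        return None  # anything unparsable is treated as no token at all

def is_authorized(token, resource, now=None):
    """Identification -> authentication -> authorization, deny by default."""
    claims = verify_token(token, now)
    if claims is None:
        return False  # the mere presence of a token grants nothing
    return resource in PERMISSIONS.get(claims.get("role"), set())
```
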
More information from Wikipedia about Authorization.