Alright, let’s have a chat. There’s a concept that has been kicking around the tech world since the days of dial-up and digital dinosaurs, but it’s more important now than ever. It’s the trio of Authentication, Authorisation, and Access: “AAA” if you’re into the whole brevity thing.
Too many people think that once you’ve logged into a system, you’ve got the keys to the entire kingdom. But that’s like thinking that because you have a ticket to the cinema, you’re also allowed to go into the projection booth and start cutting the film. The reality is a lot more nuanced, and getting it right is critical.
The Three A’s: Who, What, and How
Let’s break this down.
1. Authentication (The “Who”): This is the first question on the exam: Who are you? When you log in with a username and password, you’re presenting your credentials to a system that, hopefully, confirms you are who you claim to be. It’s the digital equivalent of knowing the secret handshake to get into the speakeasy. The problem is, many people stop here, thinking the job is done.
2. Authorisation (The “What”): Okay, so you’re in the door. Now what? Authorisation is what you are actually allowed to do. In a consumer service like Netflix this might seem trivial, but it’s still there. You can watch shows, but can you change the parental controls? That’s a question of authorisation. In a business context, it’s even more crucial. You should be able to see your own pay stubs, but you can’t just go peeking at your neighbour’s. Authorisation isn’t about being an administrator of everything or nothing; it’s about having the correct permissions for your role.
3. Access (The “How”): This is about the path you take to get to the resource. Is it on the public internet? Or is it tucked away inside a corporate network where you need something like a zero-trust solution to get there?
The Problem with “All or Nothing” Access
So, where does this get tricky? Let’s talk about a real-world scenario. In the industrial space, we see a fantastic bit of kit called Ignition, which has a dashboard tool called Perspectives. It’s not uncommon for a company to run multiple “perspectives” from a single server. Imagine one for the water utility and another for the wastewater utility, or a multi-tenant setup where you host dashboards for Customer A and Customer B.
On the server, these would just be different paths in the URL, like my-server.com/water and my-server.com/wastewater.
If you’re using an old-school VPN or a simple port forward, you’re giving someone access to the entire server. You then have to just cross your fingers and hope that the person who is only supposed to see the water dashboard doesn’t get curious and type /wastewater into their browser. Relying on “security by obscurity” is no security at all. You’re basically just hoping they don’t find the vulnerability.
Enter Fine-Grained Authorisation
This is where the magic happens. With a proper fine-grained authorisation system, you can set rules that are far more specific. You can say, “Dawn is allowed to access the Perspectives server, but only the /water subdirectory, not /wastewater.”
Now, even if I get clever and try to manually change the URL in my browser, I can’t get there. The system simply won’t let me. It’s not that I get an “access denied” page; from my point of view, that other resource just doesn’t exist. It’s like trying to noclip through a wall in a video game and discovering the developers actually built a proper wall. There’s nothing on the other side for you. That is what we mean by fine-grained: defining access on a per-resource basis, where a “resource” is more granular than a whole server or IP address.
The Trusty Sidekick: Fine-Grained Audit
Like Watson to Sherlock, fine-grained authorisation has a partner in crime: fine-grained audit. When something inevitably goes wrong—someone steals information, or ransomware gets in—you need to be able to answer the tough questions.
A simple log that says “Don logged in at 2:00 PM” is not enough. You need to know what Don did. A fine-grained audit trail will tell you, “Don used the water dashboard,” which is distinct from the wastewater dashboard. It can even tell you what level of access was used. Did he just read data, or did he make a change? When the digital Excalibur is pulled from the stone, you need to know who pulled it, from where, and what they did with it.
That’s what a modern, secure system needs:
- Distinct Authentication: To know who the person is.
- Fine-Grained Authorisation: To control exactly what they are allowed to do—less than everything.
- A Detailed Audit Trail: To have a record of every significant action.
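As an added illustration (not code from the post, nor from Ignition), here is a small Python authorisation gate plus audit log for the /water and /wastewater dashboards above. The users, policy and IP addresses are constructed; a resource outside a user's policy answers 404 rather than 403, so from their side it simply does not exist, and every decision is recorded with who, from where, which resource and whether it was a read or a change.

```python
import posixpath
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import unquote
# Constructed policy for the two dashboards in the post: per user, the top-level
# URL resource they may reach and the actions allowed there ("read" = view the
# dashboard, "write" = change something on it).
POLICY = {
    "dawn": {"/water": {"read", "write"}},
    "don": {"/water": {"read"}, "/wastewater": {"read"}},
}
METHOD_TO_ACTION = {"GET": "read", "HEAD": "read"}  # any other verb counts as a change

@dataclass
class AuditEvent:
    when: str
    user: str
    source_ip: str
    resource: str
    action: str
    outcome: str

AUDIT_LOG: list[AuditEvent] = []  # in-memory stand-in for a real audit sink

def canonical_resource(path: str) -> str:
    """Reduce "/water/pumps/3" to "/water". Decoding and normalising first means
    "/water/../wastewater" or "%2e%2e" tricks cannot slip past a prefix check."""
    clean = posixpath.normpath("/" + unquote(path.split("?", 1)[0]))
    return "/" + clean.strip("/").split("/", 1)[0]

def authorize(user: str, source_ip: str, method: str, path: str) -> tuple[int, str]:
    """Decide a request and audit it. A resource the user has no entitlement to answers
    404, not 403, so for them it does not exist; one they may view but not change answers 403."""
    action = METHOD_TO_ACTION.get(method.upper(), "write")
    resource = canonical_resource(path)
    allowed = POLICY.get(user, {}).get(resource)
    if allowed is None:
        status, outcome = 404, "denied-no-such-resource"
    elif action not in allowed:
        status, outcome = 403, "denied-action"
    else:
        status, outcome = 200, "allowed"
    AUDIT_LOG.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                user, source_ip, resource, action, outcome))
    return status, outcome

def audit_trail(user: str) -> list[AuditEvent]:
    """What did Don actually do? Filter the trail by user."""
    return [e for e in AUDIT_LOG if e.user == user]
```

In a real deployment the gate sits in the reverse proxy or zero-trust broker in front of the dashboard server, and the audit sink is append-only storage rather than a list.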
