It is easy to confuse the mechanism of authentication with that of authorization. In many host-based systems (and even some client/server systems), the two mechanisms are performed by the same physical hardware and, in some cases, the same software.
It is important to draw the distinction between these two mechanisms, however, since they can (and, one might argue, should) be performed by separate systems.
What, then, distinguishes these two mechanisms from one another?
Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide an answers to the questions:
Authorization, by contrast, is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. For example, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the datbase, while giving other individuals the ability to change data. Authorization systems provide answers to the questions:
Authentication and authorization are somewhat tightly-coupled mechanisms -- authorization systems depend on secure authentication systems to ensure that users are who they claim to be and thus prevent unauthorized users from gaining access to secured resources.
Figure I, below, graphically depicts the interactions between arbitrary authentication and authorization systems and a typical client/server application.