
The E-Learning Framework


Scope and Definition

Authorization is a process undertaken by applications to determine whether a subject can undertake a particular action with a specified resource. This service supports that process by providing an interface by which applications can ask for authorization decisions.

This type of service is more widely known under other names: as an Access Control Decision Function (ADF) in ISO terminology, or as a Policy Decision Point (PDP) in the XACML and SAML specifications from OASIS.

An Authorization service accepts a request for a decision from an application or service, with the following parameters:

  • Information about the subject (application, user, agent)
  • Information about the resource (document, object, machine...)
  • Information about the action requested (create, edit, delete, move, copy...)

The Authorization service examines available policies, and responds with a Decision, which comprises:

  • The decision itself: Permit, Deny, or Not Applicable. Not Applicable is returned when the service can find no policies that describe the situation in the request
  • Any conditions that apply to the decision, such as time constraints
  • Any obligations that the requester should undertake, such as ensuring that the request is logged

Note that it is up to the requester to process and enforce this decision. The Authorization service simply informs a requester of the result of examining applicable policy; it cannot enforce that policy on the requester's behalf.
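The exchange described above, as an added sketch that is not E-Learning Framework code: a decision function that only reports Permit, Deny or Not Applicable, and a requester that processes and enforces the result. The policy table, the attribute names, the `log` obligation and the choice to refuse on Not Applicable are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import time

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Decision:
    effect: str
    conditions: dict = field(default_factory=dict)   # e.g. time constraints
    obligations: list = field(default_factory=list)  # e.g. "log"

# Constructed sample policies: (subject role, resource type, action) -> Decision
POLICIES = {
    ("tutor", "document", "edit"): Decision(
        PERMIT, {"not_before": time(8), "not_after": time(18)}, ["log"]),
    ("student", "document", "delete"): Decision(DENY, obligations=["log"]),
}

def decide(subject, resource, action):
    """Decision point: examine policy and report the result, nothing more."""
    key = (subject["role"], resource["type"], action)
    return POLICIES.get(key, Decision(NOT_APPLICABLE))

def enforce(subject, resource, action, now, audit_log):
    """Requester side: process and enforce the decision it was given."""
    d = decide(subject, resource, action)
    # Obligations are the requester's job; refuse if one cannot be met.
    for ob in d.obligations:
        if ob != "log":
            return False
        audit_log.append((subject["id"], resource["id"], action, d.effect))
    if d.effect != PERMIT:
        return False  # Deny and NotApplicable both refused (assumed fail-closed)
    c = d.conditions
    if "not_before" in c and now < c["not_before"]:
        return False
    if "not_after" in c and now > c["not_after"]:
        return False
    return True
```

Nothing in `decide` blocks access; a requester that ignores the returned conditions or obligations gets no protection from the policy.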

A supporting capability of an Authorization service is the ability to manage policies.

Created by chris
Last modified 2004-11-19 12:04 PM