Access Control vs Authorization
When first learning about the difference between authentication and access control, it is easy to confuse the two. However, they are two very different concepts, and both should be understood well by any developer writing an application in which access to the application needs to be controlled.
Authentication is the process and means used to ensure that a person, user, or system is who they claim to be. Usually this is performed with a username and password combination, but not always. In the case of a person, it could be a biometric (e.g. a fingerprint) or some type of key card. An employee key card is a great analogy: a key card may give you access to a building, yet it may not provide access to every room within the building.
Once authentication has been completed, the process of controlling access occurs. All access control methods determine whether a person, user, or system, having already been authenticated, is allowed to access the desired resource or area. The employee key card is once again a great analogy. For example, the receptionist’s key card may be used both to authenticate and to grant access to the common areas of the building, while still disallowing access to the top secret research lab on sub-level 4.
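The two steps described above, written out as an added Python example (not code from the original article): `authenticate` verifies a username and password against a salted, hashed credential store, and only then does `authorize` consult a separate permission table to decide whether that principal may enter a given area. The users, roles, passwords, and areas are constructed for the demo; the sub-level 4 lab is the page's own analogy. Note that a successful login grants nothing by itself, an unauthenticated caller is always refused, and an area missing from the policy is denied by default.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; a real deployment would tune the iteration count.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str):
    # Constructed credential record: (random salt, derived hash).
    salt = os.urandom(16)
    return (salt, _hash_password(password, salt))


# Constructed sample user store and role assignments (assumptions for the demo).
USERS = {
    "receptionist": _make_user("lobby-pass-1"),
    "researcher": _make_user("lab-pass-2"),
}
ROLES = {"receptionist": "front_desk", "researcher": "scientist"}

# Authorization policy: which roles may enter which areas (the key-card analogy).
PERMISSIONS = {
    "lobby": {"front_desk", "scientist"},
    "break_room": {"front_desk", "scientist"},
    "research_lab_sublevel_4": {"scientist"},
}


@dataclass(frozen=True)
class Principal:
    username: str
    role: str


def authenticate(username: str, password: str) -> Optional[Principal]:
    """Step 1: verify the caller is who they claim to be. Returns None on failure."""
    record = USERS.get(username)
    if record is None:
        # Still do one hash computation so an unknown username takes about as
        # long as a wrong password (avoids a username-enumeration timing difference).
        _hash_password(password, b"\x00" * 16)
        return None
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return None
    return Principal(username, ROLES[username])


def authorize(principal: Optional[Principal], area: str) -> bool:
    """Step 2: decide whether an already-authenticated principal may enter `area`."""
    if principal is None:
        return False  # never grant anything to an unauthenticated caller
    # Default deny: an area absent from the policy is closed to everyone.
    return principal.role in PERMISSIONS.get(area, set())


def enter(username: str, password: str, area: str) -> bool:
    """Full door check: authenticate first, then authorize against the policy."""
    return authorize(authenticate(username, password), area)


if __name__ == "__main__":
    print(enter("receptionist", "lobby-pass-1", "lobby"))                    # True
    print(enter("receptionist", "lobby-pass-1", "research_lab_sublevel_4"))  # False
    print(enter("researcher", "lab-pass-2", "research_lab_sublevel_4"))      # True
    print(enter("receptionist", "wrong-pass", "lobby"))                      # False
```

Keeping the credential check and the permission check in separate functions is the design point: the receptionist's badge authenticates fine at every door, and it is only the policy lookup that keeps the lab closed.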