and encourage USNH community members not to reuse their USNH password as the password in any
locally authenticated information technology resource.
AUTHORIZATION
Authorization is the third element that is required when accessing USNH information and information
technology resources. Where identity confirmation and authentication are used to determine and
confirm the USNH community member’s identity, authorization defines what that community member
can access, as well as what they can do with that access.
Authorization can occur on several different levels.
A USNH community member can be authorized to access an information technology resource, which is
usually done with an account. The account pairs credentials with a set of permissions, which are the
specific instructions defining what that account is authorized to do. When a USNH community member
has an account for a resource, they are authorized to access it. For some information technology
resources, this is the only level of authorization required: USNH community members either have access
or they don't.
However, most information technology resources use multiple levels of authorization in order to ensure
that each community member only has access to the information and functionality necessary. This
structured authorization is called the principle of least privilege. To ensure each USNH community
member is only able to access what they need to, specific authorizations, also called permissions, are
associated with each account. The permissions granted to an account determine what information that
account can access and what functions it can perform.
Permissions can also be grouped into roles, which simplifies management of access for groups of USNH
community members that need the same level of access. Roles used for authorization can be
coarse-grained, like those defined in the Identity Management Standard, but they can also be
fine-grained or specific to an information resource.
To demonstrate, if the information technology resource were a house, having an account, the first level
of authorization, allows a USNH community member to come through the front door, but the other
levels of authorization, organized by permissions or roles, determine where that community member
can go, what they see, and what they can do once they are inside.
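The two levels described above (holding an account, then holding the specific permission or role) can be made concrete in code. The following Python is an added illustration, not part of the USNH standard or any USNH system: the role names, permission strings, and account data are constructed for the example, and the "house" analogy maps to the three possible outcomes of the `authorize` function. The `least_privilege_findings` helper shows the kind of check a resource owner would run to find permissions an account holds beyond what its job function requires.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed example: role definitions for a hypothetical student-records system.
# A role is a named bundle of fine-grained permissions written as "resource:action".
ROLES: Dict[str, Set[str]] = {
    "student":    {"grades:read_own", "courses:enroll"},
    "instructor": {"grades:read", "grades:write", "courses:read"},
    "registrar":  {"grades:read", "courses:read", "courses:write", "students:read"},
}


@dataclass
class Account:
    """Credentials paired with permissions: holding an account is the first level of authorization."""
    username: str
    roles: Set[str] = field(default_factory=set)
    # Permissions granted directly to the account, outside any role (the fine-grained level).
    direct_permissions: Set[str] = field(default_factory=set)

    def effective_permissions(self) -> Set[str]:
        """Union of every permission reachable through the account's roles plus its direct grants."""
        perms = set(self.direct_permissions)
        for role in self.roles:
            perms |= ROLES.get(role, set())
        return perms


# Constructed sample directory of accounts for the resource.
ACCOUNTS: Dict[str, Account] = {
    "alice": Account("alice", roles={"instructor"}),
    "bob":   Account("bob", roles={"student"}),
    # carol was granted a direct write permission at some point; a least-privilege review should catch it.
    "carol": Account("carol", roles={"student"}, direct_permissions={"grades:write"}),
}


def authorize(username: str, permission: str, accounts: Dict[str, Account] = ACCOUNTS) -> str:
    """Two-level decision mirroring the house analogy.

    Returns "no_account" (cannot get through the front door), "denied" (inside the house,
    but the requested permission is not granted) or "allowed".
    """
    account = accounts.get(username)
    if account is None:
        return "no_account"
    if permission in account.effective_permissions():
        return "allowed"
    return "denied"


def least_privilege_findings(account: Account, required: Set[str]) -> Set[str]:
    """Permissions the account holds beyond what its job function requires.

    `required` is the set of permissions the community member actually needs for their work;
    anything in the effective set but not in `required` is excess and should be removed.
    """
    return account.effective_permissions() - required


if __name__ == "__main__":
    print(authorize("mallory", "grades:read"))   # no_account
    print(authorize("bob", "grades:write"))      # denied
    print(authorize("alice", "grades:write"))    # allowed
    # carol's job function is "student", so only the student role's permissions are required.
    print(least_privilege_findings(ACCOUNTS["carol"], ROLES["student"]))  # {'grades:write'}
```

Keeping role definitions in one place (the `ROLES` table) is what makes roles a management simplification: changing what instructors may do is one edit rather than one edit per account, and a periodic run of `least_privilege_findings` over every account against the permissions its job function needs is a direct, auditable implementation of the "necessary, and no more" requirement.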
Least Privilege
Authorization to access USNH or component institution information and information technology
resources shall be based on job function, responsibilities, and/or need-to-know according to the
principle of least privilege. Individual USNH community members, groups of USNH community
members, and roles shall only be authorized to access the information and functionality necessary for
the work to be performed or access needed, and no more.