As the name suggests, access control is the function that checks whether somebody should be able to access something. By “somebody” I mean the actor that is requesting access. This actor can be a person, but also a mobile app, an API, or even a person working on behalf of a company. By “something” I mean a digital asset (e.g. a file, an article, or a picture), an application serving digital assets (e.g. SAP, a web portal or a SaaS), or a container storing digital assets (e.g. a database, a catalogue, or a store).
Because accessing a database is different from accessing an individual record in that database, the terms “coarse-grained access” and “fine-grained access” are used.
So what does authorisation mean, then? As the name suggests, it is the function that checks whether somebody can perform a certain operation on the things it has access to. In the physical world, access control checks whether you have access to a room, whereas authorisation checks whether you can take a record out of a file cabinet and alter its contents (e.g. add a note, take out a picture).
Access control and authorisation can be combined in what I call Policy Enforcement, which I covered in my post on how to implement Policy Verification and Policy Enforcement.
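To make the distinction concrete, here is a small deny-by-default enforcement check, added as an illustration and not taken from the post referenced above. It evaluates coarse-grained access, fine-grained access and authorisation as three separate stages; the actors, the `hr-db` container, the record id and the operation names are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Actor:
    name: str
    kind: str                  # "person", "app" or "api"
    on_behalf_of: str = ""     # company the actor is working for, if any

# Constructed sample actors. All names are hypothetical.
ALICE = Actor("alice", "person")                          # Alice acting privately
ALICE_ACME = Actor("alice", "person", on_behalf_of="acme")  # Alice acting for a company
REPORT_APP = Actor("report-app", "app")

# Coarse-grained access: who may reach the container at all.
CONTAINER_ACCESS = {"hr-db": {ALICE_ACME, REPORT_APP}}
# Fine-grained access: who may reach an individual record in the container.
RECORD_ACCESS = {("hr-db", "rec-17"): {ALICE_ACME, REPORT_APP}}
# Authorisation: which operations an actor may perform on a record it can access.
OPERATIONS = {
    (ALICE_ACME, "hr-db", "rec-17"): {"read", "add_note"},
    (REPORT_APP, "hr-db", "rec-17"): {"read"},
}

def enforce(actor, container, record, operation):
    """Deny by default; return (allowed, reason) naming the stage that decided."""
    if actor not in CONTAINER_ACCESS.get(container, set()):
        return False, "coarse-grained access denied"
    if actor not in RECORD_ACCESS.get((container, record), set()):
        return False, "fine-grained access denied"
    if operation not in OPERATIONS.get((actor, container, record), set()):
        return False, "operation not authorised"
    return True, "allowed"

if __name__ == "__main__":
    requests = [
        (ALICE_ACME, "hr-db", "rec-17", "add_note"),
        (REPORT_APP, "hr-db", "rec-17", "add_note"),
        (REPORT_APP, "hr-db", "rec-99", "read"),
        (ALICE, "hr-db", "rec-17", "read"),
    ]
    for actor, container, record, op in requests:
        print(actor.name, actor.on_behalf_of or "-", record, op,
              enforce(actor, container, record, op))
```

Because the actor's `on_behalf_of` value is part of its identity, the same person is evaluated differently when acting privately and when acting for a company.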

