The problem of authorization is often considered to be identical to that of authentication: however, there are many cases in which these two problems are different.
For example, it is often desirable to grant access without requiring a unique identity. Familiar examples of authorization tokens include keys and tickets: they grant access without proving identity.
Even when authorization is performed by using a combination of authentication and access control lists, the problems of maintaining the access control lists is non-trivial, and often represents as much administrative burden as proving the necessary user identities. It is often desirable to remove a user's authorization: to do this with access control lists requires that the lists be updateable. Attacking the access control list updates can then compromise the entire system, and if any update is needed, communication systems are required, together with additional authorization and security systems to protect the access control list updates.
It may also be desired to grant authorization in a way that is irrevocable: this is hard to do with access control list systems.
much more needs to be written
See also: