Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
An access control matrix mapping subjects (users) to objects (resources) and the permissions—read, write, execute—each is granted.
Authorization Matrix Definition: An access control matrix mapping subjects (users) to objects (resources) and the permissions—read, write, execute—each is granted.
An Authorization Matrix, also called an access control matrix, is a model that defines the permissions every subject (user, group, or process) holds over every object (file, database, application, or system resource). Subjects appear as rows and objects as columns, and each cell specifies the allowed actions such as read, write, modify, execute, or delete.
Conceptually formalized by Lampson's access matrix model, this structure is the abstract basis for two common real-world implementations. Reading the matrix by column produces an Access Control List (ACL), which attaches to each object the list of subjects and their rights. Reading it by row produces a capability list, which attaches to each subject the set of objects it may access and how. RBAC and ABAC systems are practical, scalable ways to populate and manage this underlying matrix.
The authorization matrix matters because it makes access decisions explicit, reviewable, and enforceable, supporting least privilege and separation of duties. Documenting who can do what to which resource exposes excessive permissions, orphaned accounts, and toxic combinations that lead to privilege abuse or fraud. Auditors and access reviews rely on this mapping; without it, permissions sprawl invisibly and breaches escalate because compromised accounts have far more access than they need.
For example, a finance application defines a matrix where the AP Clerk role can read and create invoices but not approve them, the Manager role can read and approve invoices but not create them, and the Auditor role has read-only access to all. By enforcing this matrix, the organization implements separation of duties so no single person can both create and approve a payment, blocking a common path to internal fraud.
Authorization Matrix is one of the topics you'll master in the Security+ Boot Camp.
Security+ Boot Camp →