What is the purpose of authorization in access management?

Sample the CISSP Domain 5 Identity and Access Management Test. Study with flashcards and multiple choice questions for exam readiness. Enhance your knowledge and skills!

Authorization in access management plays a critical role in establishing the permissions and privileges assigned to users within an information system. It determines which resources a user is allowed to access and what level of access (such as read, write, or execute) they have to those resources.

When a user attempts to access a system, the authorization process takes their identity (typically verified through authentication) and matches it against predefined access control policies. This ensures that users can only perform actions and access data that align with their roles, responsibilities, or the least privilege principle, which minimizes the risk of unauthorized access or potential data breaches.

The focus of authorization is fundamentally different from the other options presented. Collecting and verifying user information is part of authentication, not authorization. Creating new user accounts pertains to account provisioning processes, which occur before authorization can take place. Maintaining a history of user access relates to auditing and monitoring rather than the direct assignment of permissions or access levels. Therefore, the primary purpose of authorization is indeed to determine the resources a user needs and the type of access they require to those resources.
