
Friday Basics: Authentication vs. Authorization


Another security fundamentals topic is authentication versus authorization. For those who have a clear understanding of the difference between the two, as with Recovery Point Objective (RPO) versus Recovery Time Objective (RTO), it is easy to forget that others mix them up. In a nutshell:

Authentication is proving who you are.

Authorization is what you’re allowed to do.

Authorization depends on authentication. If I don't know who you are, I can't look up what your permissions are; the best I can do is treat you as an anonymous principal and grant only what anyone is allowed.

One way I've recommended for folks to remember the difference is to say to yourself, "I authorize you to enter this restricted facility," meaning you are giving that person permission to enter. You wouldn't let someone into the facility whom you hadn't already recognized and validated.

Yes, a lot of identity solutions do both, and to the end user it may appear to be one and the same. For instance, when someone logs in to a Windows computer (on a domain or not), that person is authenticated, and if that authentication succeeds, the security subsystem looks up the user and their security group memberships, among other things, and assembles it all into an access token (two for members of Administrators when User Account Control is enabled: a full token and a filtered one that the desktop actually runs with). From an authorization perspective, that token carries the group memberships and privileges that every later access check is evaluated against; you can inspect it with "whoami /groups" at a command prompt. To the person logging in, though, it looks like a single process.
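To make the two steps concrete, here is an added example (not code from the original post, and not how Windows itself is implemented) that separates them the way the paragraph above describes: authenticate a password against a salted hash, build a token that records the principal and its group memberships, and then run an access check of that token against a per-object ACL. The user store, ACLs and passwords are constructed for the example; the deny-before-allow ordering mirrors the canonical ACE order Windows uses, but the data structures are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import FrozenSet, Optional

# --- Authentication: proving who you are ---------------------------------

def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store for this example: salt, password hash, group memberships.
_USERS = {
    "alice": {"salt": b"salt-alice", "hash": _pbkdf2("correct horse", b"salt-alice"),
              "groups": {"Users", "Administrators"}},
    "bob":   {"salt": b"salt-bob",   "hash": _pbkdf2("battery staple", b"salt-bob"),
              "groups": {"Users"}},
}

@dataclass(frozen=True)
class AccessToken:
    """What authentication produces: the identity plus everything authorization
    will later be evaluated against (here, the user's own name and its groups)."""
    user: str
    principals: FrozenSet[str]

def authenticate(username: str, password: str) -> Optional[AccessToken]:
    record = _USERS.get(username)
    if record is None:
        # Burn the same work for unknown accounts so timing does not reveal
        # which usernames exist.
        _pbkdf2(password, b"dummy-salt")
        return None
    if not hmac.compare_digest(record["hash"], _pbkdf2(password, record["salt"])):
        return None
    return AccessToken(username, frozenset({username} | record["groups"]))

# --- Authorization: what you are allowed to do -----------------------------

# Constructed ACLs: ordered list of (ace_type, principal, rights). Deny entries
# are listed first and win over any allow, as in a canonically ordered DACL.
_ACLS = {
    "payroll.xlsx": [
        ("deny",  "bob",            {"write"}),
        ("allow", "Administrators", {"read", "write"}),
        ("allow", "Users",          {"read"}),
    ],
    "restricted_facility": [
        ("allow", "Administrators", {"enter"}),
    ],
}

def authorize(token: Optional[AccessToken], resource: str, right: str) -> bool:
    """Access check: no token (unauthenticated) means no lookup is possible,
    so the answer is always no."""
    if token is None:
        return False
    for ace_type, principal, rights in _ACLS.get(resource, []):
        if principal in token.principals and right in rights:
            return ace_type == "allow"   # first matching ACE decides
    return False                          # nothing matched: default deny

if __name__ == "__main__":
    alice = authenticate("alice", "correct horse")
    bob = authenticate("bob", "battery staple")
    print("alice writes payroll:", authorize(alice, "payroll.xlsx", "write"))
    print("bob reads payroll:   ", authorize(bob, "payroll.xlsx", "read"))
    print("bob writes payroll:  ", authorize(bob, "payroll.xlsx", "write"))
    print("bob enters facility: ", authorize(bob, "restricted_facility", "enter"))
```

Note that a failed login returns no token at all rather than a token with empty groups, so every authorization check on it fails; that is the "authorization depends on authentication" point in code.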
