The last step in applying IAM practices is to ensure that known entities are authorized entities. To authorize someone or something asking for access, combine successful authentication with additional pieces of information required to approve the transaction. Approval constitutes matching the information against a policy or checklist.
Failing authorization amounts to being told, “I know who you are, but you can’t do that.” Whether it’s a doctor trying to get access to the EHR for a patient to which he’s not assigned, or a smartphone application trying to control a CPAP machine to which it shouldn’t be connected, or a medical assistant trying to access a smart medications cabinet when he’s not clocked in, limits are important to set.