Once a user is authenticated, authorization determines what resources they can access and what actions they can perform. It's based on roles, groups, or individual permissions.
Proper authorization ensures the principle of least privilege: users have only the minimum access needed to perform their job functions.