Authorization is checked after a user authenticates, i.e., confirms his or her identity.
Authorization to access a given resource (computer, file, database record, etc.) is usually governed by a set of "permissions" or an "access control list". These may in turn identify the user granted access directly by name, or indirectly by some property, such as connecting IP address, membership in a group, or an attribute such as primary affiliation with the University.
Authorization decisions may grant access to individual users, groups, roles or users bearing other attributes. Technologies like Internet2 applications (Grouper, Shibboleth) and LDAP-based directory servers (groups and roles) make it possible for departments and organizations to leverage shared information to control access more efficiently.
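The sketch below is an added example, not code from any of the systems named above. It shows an access control list whose entries grant access directly by name or indirectly by group, connecting IP address, or attribute, evaluated with a default-deny rule. The resource names, users, networks and the `primary_affiliation` key are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Principal:
    """An already-authenticated user and the properties an ACL can test."""
    name: str
    source_ip: str
    groups: frozenset = frozenset()
    attributes: dict = field(default_factory=dict)


def entry_matches(entry, principal):
    """Return True if one ACL entry applies to this principal."""
    kind, value = entry
    if kind == "user":        # direct grant by name
        return principal.name == value
    if kind == "group":       # indirect: group membership
        return value in principal.groups
    if kind == "network":     # indirect: connecting IP address
        addr = ipaddress.ip_address(principal.source_ip)
        return addr in ipaddress.ip_network(value)
    if kind == "attribute":   # indirect: attribute such as affiliation
        key, wanted = value
        return principal.attributes.get(key) == wanted
    return False              # unknown entry kinds never grant access


def is_authorized(acl, resource, principal):
    """Default deny: grant only if an entry listed for the resource matches."""
    return any(entry_matches(e, principal) for e in acl.get(resource, ()))


# Constructed sample data (hypothetical resources, users and networks).
ACL = {
    "grades-db": [("user", "asmith"), ("group", "registrar-staff")],
    "library-journals": [
        ("network", "192.0.2.0/24"),
        ("attribute", ("primary_affiliation", "student")),
    ],
}

if __name__ == "__main__":
    guest = Principal("guest", "192.0.2.15")
    for resource in ACL:
        print(resource, is_authorized(ACL, resource, guest))
```

A resource with no ACL entry, or an entry of an unrecognized kind, results in denial rather than access.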