Authorization, sometimes referred to as AuthZ, controls user access to
resources, whatever they may be: API endpoints, functionality in an
application, or anything else. It is the logical next step after
knowing who the user is, as most applications have different levels
of access.

Consider the example of a blog. Some users may be administrators,
able to change configuration settings. Others may be editors, able
to approve and publish articles. Yet other users may be writers,
unable to publish, but who can log in, add content, and submit it
for approval. Each action (log in, change config settings, publish
articles, etc.) has a permission associated with it.
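
The blog scenario above as a deny-by-default permission check. This is an added example, not code from the original page. The permission strings, function names and sample user are hypothetical, and giving every role the login permission is an assumption.

```python
# Added example. Role and action names follow the blog scenario in the text;
# the permission strings and function names are hypothetical.
ROLE_PERMISSIONS = {
    "administrator": {"session:login", "config:change"},
    "editor": {"session:login", "article:approve", "article:publish"},
    "writer": {"session:login", "article:create", "article:submit"},
}

# Each action has exactly one permission associated with it.
ACTION_PERMISSION = {
    "log in": "session:login",
    "change config settings": "config:change",
    "approve articles": "article:approve",
    "publish articles": "article:publish",
    "add content": "article:create",
    "submit for approval": "article:submit",
}


class AuthorizationError(Exception):
    """Raised when an authenticated user lacks the permission for an action."""


def is_authorized(roles, action):
    """Return True only if one of the user's roles grants the action's permission."""
    required = ACTION_PERMISSION.get(action)
    if required is None:
        return False  # deny by default: an unmapped action is never allowed
    granted = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, set())  # unknown roles grant nothing
    return required in granted


def perform(user, action):
    """Enforce the check at the point of use, once authentication has set user['roles']."""
    if not is_authorized(user["roles"], action):
        raise AuthorizationError(f"{user['name']} may not {action}")
    return f"{user['name']}: {action}"


if __name__ == "__main__":
    writer = {"name": "wendy", "roles": ["writer"]}  # constructed sample user
    print(perform(writer, "submit for approval"))
    try:
        perform(writer, "publish articles")
    except AuthorizationError as exc:
        print("denied:", exc)
```

Because the role names are known only after authentication, perform() expects the caller to have established user['roles'] from a verified identity rather than from request input.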