Who holds the responsibility for authorizing access to a business application system?

The Data Owner holds the responsibility for authorizing access to a business application system because they are the individual or entity that has the authority over the data and understands its sensitivity and the associated risks. The Data Owner defines who can access the data, under what conditions, and ensures that appropriate security measures are in place to protect that data. This role is crucial in establishing policies for data access, ensuring compliance with regulations, and ultimately safeguarding the organization’s information assets.

While other roles such as the system administrator might manage technical access controls, it is the Data Owner who decides on who should have access in the first place based on business needs and security considerations. The end-user typically does not have the authority to grant access; they are the recipients of access privileges granted by the Data Owner. The IT manager may oversee the broader IT infrastructure and security but does not necessarily have the specific authority concerning individual data sets and access rights.