Who is responsible for authorizing access to a business application system?

Prepare for the CISA Domain 4 Exam with tailored quizzes. Enhance your auditing skills with detailed explanations and practice multiple-choice questions for cybersecurity professionals. Optimize your study time and ensure success!

The data owner is responsible for authorizing access to a business application system because this individual has the ultimate authority over the data and its usage within the organization. The data owner typically understands the sensitivity and importance of the information within the system and is best positioned to make informed decisions about who should have access based on the business needs and security considerations.

This role entails responsibility for defining access controls, ensuring compliance with relevant regulations, and determining how and by whom the data can be accessed and used. By doing so, the data owner ensures that access is appropriately restricted to protect the confidentiality, integrity, and availability of the data, which aligns with the organization's overall security strategy.

While other roles, like the security administrator or IT security manager, may implement and manage access controls or oversee security policies, they typically do so under the guidance or direction of the data owner. The requestor's immediate supervisor may provide input regarding access requirements, but the final authority to grant access resides with the data owner, who is ultimately accountable for the management of the data.
