Authorization in GraphQL refers to the set of rules that determines what a user can see or do. Unlike authentication, which checks the identity of the user, authorization applies these rules to restrict access to data and actions. The author suggests that defining permission rules per node (i.e., on each type) is the most sensible approach, but notes that `graphql-js` does not have a built-in type-level resolve function to enforce this. Instead, a decent solution is to factor out data fetching logic into a separate layer and apply authorization checks there. This allows for consistent application of permissions regardless of how the data is fetched. The author also mentions that permission checks can be implemented on nodes or edges, but notes that defining rules per node is generally more practical and efficient.
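A minimal sketch of per-node rules enforced in the data-fetching layer, added here as an illustration and not taken from the article or from `graphql-js` itself. The names `POSTS`, `canSee`, `createLoaders`, `contextFor` and `titlesVisibleTo` are hypothetical, the data is constructed, and the resolvers only mimic the `(parent, args, context)` shape that `graphql-js` passes to resolve functions.

```javascript
// Constructed sample data (not from the original article).
const POSTS = new Map([
  [1, { id: 1, authorId: 'alice', draft: false, title: 'Public post' }],
  [2, { id: 2, authorId: 'alice', draft: true, title: 'Alice draft' }],
  [3, { id: 3, authorId: 'bob', draft: true, title: 'Bob draft' }],
]);

// Per-node rule: one function per type decides whether `viewer` may see `node`.
// A null viewer represents an unauthenticated request.
const canSee = {
  Post: (viewer, post) =>
    !post.draft || (viewer !== null && viewer.id === post.authorId),
};

// Data-fetching layer: every load passes through the type's rule, so a
// resolver never receives a node the viewer is not allowed to see.
function createLoaders(viewer) {
  const guard = (type, node) =>
    node && canSee[type](viewer, node) ? node : null;
  return {
    postById: (id) => guard('Post', POSTS.get(id)),
    postsByAuthor: (authorId) =>
      [...POSTS.values()]
        .filter((p) => p.authorId === authorId)
        .map((p) => guard('Post', p))
        .filter(Boolean),
  };
}

// Per-request context, built after authentication has identified the viewer.
function contextFor(viewer) {
  return { viewer, loaders: createLoaders(viewer) };
}

// Resolvers hold no permission logic. The root field and the nested edge
// reach Post nodes by different paths but share the same per-node check.
const resolvers = {
  Query: { post: (_root, { id }, ctx) => ctx.loaders.postById(id) },
  User: { posts: (user, _args, ctx) => ctx.loaders.postsByAuthor(user.id) },
};

// Helper for inspection: titles of an author's posts as seen by `viewer`.
function titlesVisibleTo(viewer, authorId) {
  return resolvers.User.posts({ id: authorId }, {}, contextFor(viewer))
    .map((p) => p.title);
}
```

Because the rule lives beside the fetch, adding a new field or edge that returns `Post` nodes cannot bypass it as long as the resolver goes through the loaders.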