A Fibre Channel (FC) storage area network (SAN) environment includes servers that perform IO Input-Output (IO) operations on logical partitions of a storage array over an FC switch fabric. The SAN environment authorizes the IO operations, and permits only authorized IO operations to pass from the servers to the logical partitions. Using conventional authorization techniques, the SAN environment performs two-stage authorization of the IO operations. In a first stage, the FC switch fabric enforces port zoning rules on the IO operations passing through the FC switch fabric. This stage ensures only zoned source FC identifiers (FCIDs) (SIDs) and destination FCIDs (DIDs) are communicating with each other. In a second stage, the storage array enforces logical partition masking, such as logical unit number (LUN) masking and namespace identifier (NSID) masking, on the IO operations arriving at the storage array. This stage ensures only authorized server SIDs perform IO operations on the logic partition. Thus, the two-stage authorization distributes authorization enforcement across different types of entities in the SAN environment, which adds both complexity and latency to the authorization process.