Defining "Who sees what" and "who does what" are the two important aspects of access control in any software application.
The Older Paradigm - Roles and Page level access controls
When you build a custom application for a specific customer, the access control policies of the organization are often defined upfront as part of the requirements phase. Depending on the vertical, domain and the specific organizational structure of the business, roles are defined. Each role is given access to a set of screens, forms, pages and reports. Of course, certain areas in the application can be accessed by multiple roles. While building software products used by several customers, the roles are often generalized and predefined. The various access control policies of the product are often hard coded in to the roles. The customer will be able to assign one or more roles to their users.
The new paradigm - Privilege based Access Controls
In the new paradigm, before doing any action, you check / demand for the privilege to view that information or do a certain action. It could be standard actions such as view, edit and delete or special privileges such as "Access to History Data" or "Access to information” or content created by people other than yourself. In the new paradigm, a user / roles privileges are resolved during run time - not hard coded at design time. This allows the product developer to complete the development just by demanding the necessary privileges at each step, without having to worry about the users and roles in the system.
