Check the person is who they say they are (authenticate), and then check they're allowed to access the thing they want to view (authorize).
The former is quite easy to abstract; the latter is basically custom to most applications (for different definitions of "custom").
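To make that split concrete, here is an added example (not code from the original post): authentication is one reusable wrapper, while the authorization rule is a policy function that each resource type supplies, and the two failure modes stay distinct. The tokens, users and documents are constructed sample data.

```python
"""Authentication as a shared step, authorization as a per-resource policy.
All tokens, users and documents here are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


# Constructed session store; a real application would verify a signed token.
SESSIONS = {
    "tok-alice": User("alice", {"editor"}),
    "tok-bob": User("bob"),
}

# Constructed resources; each document records its owner.
DOCS = {
    1: {"owner": "alice", "body": "q1 plan"},
    2: {"owner": "bob", "body": "notes"},
}


def authenticate(token):
    """Generic step: map a bearer token to a User, or None if unknown."""
    return SESSIONS.get(token)


def can_read_doc(user, doc):
    """Application-specific rule: owners and editors may read a document."""
    return doc["owner"] == user.name or "editor" in user.roles


def protect(policy):
    """Run authentication first, then the supplied authorization policy.
    401: we do not know who you are.  403: we know, and the answer is no."""
    def wrap(handler):
        def guarded(token, resource_id):
            user = authenticate(token)
            if user is None:
                return 401, "unauthenticated"
            doc = DOCS.get(resource_id)
            if doc is None:
                return 404, "not found"
            if not policy(user, doc):
                return 403, "forbidden"
            return 200, handler(user, doc)
        return guarded
    return wrap


@protect(can_read_doc)
def read_doc(user, doc):
    return doc["body"]
```

Swapping `can_read_doc` for another policy changes only the authorization rule; the authentication wrapper is untouched, which is the abstraction boundary the post describes.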