Access control determines what functionality and which data a user can see or edit. You must create a clear overview of which functionalities are accessible by which roles and which users.
The access control mechanism must implement:
- The mechanism must be implemented centrally
- Different users must not be able to access another user his information
- A user must not be able to get more privileges that his roles allow.
- Protection against tampering
- They need to be implemented at the client as the server side
If the application has a higher security risk, step-up authentication needs to be implemented to access high value/risk transactions.
OWASP has an access control cheat sheet where you can find more information about the different types of access control and how to safely implement them.