Access control determines which functionality and which data a given user can view or edit. You must ensure that these controls are protected against tampering and are enforced on the client side as well as on the server side.
If the application has a higher security risk, step-up authentication needs to be implemented for access to high-value or high-risk transactions.
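The sketch below is an added example, not code from the original page: it shows a server-side authorization decision that rejects a tampered session and demands step-up authentication for a high-risk transaction. The policy table, action names, demo key and five-minute step-up window are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to the client
STEP_UP_MAX_AGE = 300             # assumption: a step-up proof stays valid for 5 minutes
# Hypothetical policy: action -> (roles allowed, step-up required)
POLICY = {
    "view_balance": ({"user", "admin"}, False),
    "wire_transfer": ({"user", "admin"}, True),
    "edit_user": ({"admin"}, False),
}

def issue_session(user, role, step_up_at=None):
    """Server issues the session; the MAC makes client-side edits detectable."""
    body = json.dumps({"user": user, "role": role, "step_up_at": step_up_at},
                      sort_keys=True).encode()
    tag = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag

def load_session(token):
    """Return the session dict, or None if the token was altered or malformed."""
    try:
        body_hex, tag = token.split(".")
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return json.loads(body)

def authorize(token, action, now=None):
    """Server-side decision: 'allow', 'deny' or 'step_up_required'."""
    now = time.time() if now is None else now
    session = load_session(token)
    if session is None or action not in POLICY:
        return "deny"  # fail closed on tampering and on unknown actions
    roles, needs_step_up = POLICY[action]
    if session["role"] not in roles:
        return "deny"
    if needs_step_up:
        proved = session["step_up_at"]
        if proved is None or now - proved > STEP_UP_MAX_AGE:
            return "step_up_required"
    return "allow"
```

The role is read only from the MAC-verified session, so a role value edited on the client never reaches the policy check.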