lThe user-role assignment may be inherent in the authorisation system,or might be read externally, say from an ADS server via LDAP
lThe object matching might involve callouts to more sophisticated checking code plugins that query other systems
lAuthorisation is usually applied at application level to check actions
lIt can also be applied at database level to filter all access to data the user is allowedto see, either by a database view or by using a relational database object wrapper layerto provide an additional safety net, e.g.
DBIx::Class::Schema::RestrictWithObject