Determines what verified users can do.
Models:
o ACLs – user-by-user access lists.
o RBAC – access by role.
o ABAC – access by attributes (user + resource + environment).
o PBAC – policy-driven, business logic based.
Authentication Context: Adds fine-grained access requirements (e.g., only from
managed devices).