The principle of least privilege, as it applies to access control, mandates that:
Group-based access control should be implemented to assign permissions to application users
Consistent authorization checking should be performed on all application pages
A set of all allowable actions should be defined for each user role and all others denied
All failed access authorization requests should be logged to a secure location for review by administrators