For any in-house built applications where there is an authentication process (i.e. username and password), and where access to the app should be tied down to only what the user needs to see, i.e. their account, team area of an application etc., where is access control typically designed? Let's, for argument's sake, say it's text-based records in the app: where do you develop your access logic in the app? Is this at the underlying database level, or within your code, or within both? How do you prevent them breaking out of their area of the app, i.e. messing with object references to see if they can get to another's area of the app/account?
If, for example, you needed to demonstrate to an auditor that your app properly limits access to data based on "need to know" principles, how would you go about demonstrating this? Where would you pluck the evidence from?
I appreciate this is very vague; I was just intrigued where the access control is designed, and at what level of the app's stack.
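As an added illustration of the scenario the question describes (this is example code, not part of the question or of any answer), the sketch below enforces object-level access for a records app at both of the levels the question mentions: the scope predicate is built into the database query, and the same policy is re-checked in application code at a single choke point that every read path goes through. Each decision, allowed or refused, is written to an audit log, which is the kind of evidence the "need to know" question asks about. The users, teams, record rows and the `owner or same team` policy are constructed assumptions for the example.

```python
"""Added example (not from the original question or any answer): object-level
access control for a records app, enforced in application code and mirrored
as a row filter in the database query, with an audit trail of decisions.
Users, teams, records and the policy below are constructed sample data."""
import sqlite3
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class User:
    user_id: str
    team_id: str


@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: str
    team_id: str
    body: str


class AccessDenied(Exception):
    """Raised for any record the caller may not read, including ones that do not exist."""


# Constructed sample rows: (record_id, owner, team, text).
SAMPLE_ROWS = [
    (1, "alice", "team-a", "alice's private note"),
    (2, "bob", "team-a", "bob's note, shared with team-a"),
    (3, "carol", "team-b", "carol's note in team-b"),
]

# In-memory stand-in for the application's decision log (audit evidence).
AUDIT_LOG: List[Dict] = []


def open_db() -> sqlite3.Connection:
    """Create an in-memory table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records (record_id INTEGER PRIMARY KEY, "
        "owner_id TEXT, team_id TEXT, body TEXT)"
    )
    conn.executemany("INSERT INTO records VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def can_read(user: User, record: Record) -> bool:
    """The policy, stated once: a user may read their own records and their team's."""
    return record.owner_id == user.user_id or record.team_id == user.team_id


def get_record(conn: sqlite3.Connection, user: User, record_id: int) -> Record:
    """Single choke point for reading one record by id.

    Layer 1 (database): the scope predicate is part of the query, so the
    database never returns a row outside the user's scope whatever id the
    client supplies.  Layer 2 (code): the row is re-checked against the same
    policy before it is handed back.  Every decision is logged either way.
    """
    row = conn.execute(
        "SELECT record_id, owner_id, team_id, body FROM records "
        "WHERE record_id = ? AND (owner_id = ? OR team_id = ?)",
        (record_id, user.user_id, user.team_id),
    ).fetchone()
    record: Optional[Record] = Record(*row) if row else None
    allowed = record is not None and can_read(user, record)
    AUDIT_LOG.append({"user": user.user_id, "record_id": record_id, "allowed": allowed})
    if not allowed:
        # One identical failure for "does not exist" and "not yours", so a
        # client stepping through ids learns nothing about other accounts.
        raise AccessDenied(f"record {record_id} is not accessible to {user.user_id}")
    return record


def list_records(conn: sqlite3.Connection, user: User) -> List[Record]:
    """Listing applies the same predicate, so out-of-scope ids are never shown."""
    rows = conn.execute(
        "SELECT record_id, owner_id, team_id, body FROM records "
        "WHERE owner_id = ? OR team_id = ? ORDER BY record_id",
        (user.user_id, user.team_id),
    ).fetchall()
    return [Record(*r) for r in rows]


def denied_attempts(user_id: str) -> List[Dict]:
    """Audit evidence: every refused access by a given user, from the decision log."""
    return [e for e in AUDIT_LOG if e["user"] == user_id and not e["allowed"]]


if __name__ == "__main__":
    conn = open_db()
    alice = User("alice", "team-a")
    print([r.record_id for r in list_records(conn, alice)])  # [1, 2]
    try:
        get_record(conn, alice, 3)  # carol's record, team-b: refused
    except AccessDenied as exc:
        print(exc)
    print(denied_attempts("alice"))
```

Two design points carry the weight here: the policy lives in one predicate (`can_read` and the matching `WHERE` clause) rather than being scattered across handlers, so an auditor can be shown the rule, the one place it is enforced, and the log of decisions it produced; and a missing record and a forbidden record fail identically, so changing ids in a request does not reveal which records exist in other accounts.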