In the sample application, each expense report has an owner; the actions a user can perform on a specific report depend on whether she owns it and on whether she is a manager or a regular employee. To implement these requirements, we need a way to identify application users and to tell what type of user each one is.
The process of identifying users is called authentication. To access the application, the user has to provide personal information that only a real, registered user would know. The application authenticates that information, e.g., by comparing it with the information held in a registry of known users. If the information is authentic, the application recognizes the user as a specific person. Once the application knows who the user is, it can use that knowledge to decide what the person is allowed to do, a process known as authorization.
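The two steps described above, as an added example that is not part of the sample application: authentication checks the supplied credentials against a constructed registry of salted password hashes and yields a user with a role, and authorization then decides an action on an expense report from that role and from report ownership. The registry contents, the user and report types, and the concrete policy (owners view and edit their own reports, managers view and approve any report, everything else denied) are assumptions for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so the registry never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _entry(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}

# Constructed registry of known users: username -> salted hash and role.
REGISTRY = {
    "alice": _entry("alice-pass", "employee"),
    "bob": _entry("bob-pass", "manager"),
}
_DUMMY = _entry("unused", "none")  # hashed for unknown names so timing is uniform

@dataclass(frozen=True)
class User:
    name: str
    role: str

@dataclass(frozen=True)
class ExpenseReport:
    report_id: int
    owner: str

def authenticate(username: str, password: str) -> Optional[User]:
    """Compare the credentials with the registry; None means 'not authentic'."""
    entry = REGISTRY.get(username)
    known = entry is not None
    candidate = _hash_password(password, (entry or _DUMMY)["salt"])
    matches = hmac.compare_digest(candidate, (entry or _DUMMY)["hash"])
    if not (known and matches):
        return None
    return User(username, entry["role"])

def authorize(user: User, action: str, report: ExpenseReport) -> bool:
    """Assumed policy: owners view/edit their own reports, managers view and
    approve any report; anything else is denied by default."""
    is_owner = report.owner == user.name
    is_manager = user.role == "manager"
    if action == "view":
        return is_owner or is_manager
    if action == "edit":
        return is_owner
    if action == "approve":
        return is_manager
    return False
```

Unknown usernames are hashed against a dummy entry so that a failed login takes the same time whether or not the name exists.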