Most apps think they are secure because they have login pages.

But authentication is only the first step.

Once a user is logged in, your app still needs to answer a bigger question:

What should this user be allowed to do?

That is where access control comes in.