Section 3.1.1 (Top Level / Sub Level): General
For your application, document which roles you will support and which functions and which types of data each role can access. Document any non-role-based access control you plan to enforce as well (for example, rules based on record ownership or data classification). Then map these rules to the mechanisms you have selected to enforce this policy, so that every documented rule has a corresponding enforcement point and nothing is permitted by default.
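One way to make that mapping concrete, as an added example that is not part of the original document: write the role-to-function and role-to-data-type policy as plain data, add the non-role-based rule beside it, and route every call through one check. The roles, functions, data types and the ownership rule below are constructed for illustration and are not taken from any real application.

```python
"""Added example (not from the original document): a machine-readable access
control policy for a hypothetical application. The role-based rules and one
non-role-based rule (record ownership) are written in one place and enforced by
a single check, so the documented policy and the enforcement mechanism cannot
drift apart. Every role, function, data type and record here is constructed."""
from dataclasses import dataclass

# Role -> application functions that role may call (constructed policy).
ROLE_FUNCTIONS = {
    "viewer": {"read_record"},
    "editor": {"read_record", "update_record"},
    "admin":  {"read_record", "update_record", "delete_record", "export_records"},
}

# Role -> data types that role may touch. Deny by default: anything not listed
# for a role (or an unknown role) is refused.
ROLE_DATA_TYPES = {
    "viewer": {"public"},
    "editor": {"public", "internal"},
    "admin":  {"public", "internal", "confidential"},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # a user may hold several roles


@dataclass(frozen=True)
class Record:
    owner: str      # user name of the record owner
    data_type: str  # one of the keys used in ROLE_DATA_TYPES


class AccessDenied(Exception):
    """Raised by enforce() when the policy denies a call."""


def is_allowed(user: User, function: str, record: Record) -> bool:
    """Return True only if BOTH the role-based policy and the non-role-based
    rule permit the call. Unknown roles, functions or data types all deny."""
    # 1. Role-based part: at least one of the user's roles must grant both the
    #    function and the record's data type.
    role_ok = any(
        function in ROLE_FUNCTIONS.get(role, set())
        and record.data_type in ROLE_DATA_TYPES.get(role, set())
        for role in user.roles
    )
    if not role_ok:
        return False
    # 2. Non-role-based part (constructed rule): a record may only be updated
    #    by its owner, unless the caller holds the admin role.
    if function == "update_record" and "admin" not in user.roles:
        return record.owner == user.name
    return True


def enforce(user: User, function: str, record: Record) -> None:
    """Single enforcement point: every protected function calls this first."""
    if not is_allowed(user, function, record):
        raise AccessDenied(
            f"{user.name} may not {function} on a {record.data_type} record "
            f"owned by {record.owner}"
        )


def policy_matrix():
    """Render the role-based part of the policy as (role, function, data_type)
    rows, so the exact data that is enforced can be pasted into the design
    document instead of being transcribed by hand."""
    return sorted(
        (role, fn, dt)
        for role in ROLE_FUNCTIONS
        for fn in sorted(ROLE_FUNCTIONS[role])
        for dt in sorted(ROLE_DATA_TYPES[role])
    )


if __name__ == "__main__":
    for row in policy_matrix():
        print(" | ".join(row))
    bob = User("bob", frozenset({"editor"}))
    enforce(bob, "update_record", Record("bob", "internal"))   # allowed
    try:
        enforce(bob, "update_record", Record("carol", "internal"))  # ownership rule
    except AccessDenied as exc:
        print("denied:", exc)
```

Keeping the policy as data rather than scattered `if` statements is what makes the mapping auditable: `policy_matrix()` produces the table for the design document from the same dictionaries the checks read, and a change to one is necessarily a change to the other.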