Black Hat Physical Device Security: Exploiting Hardware and Software

Authorization and Least Privilege

No security design would be complete without some authorization checks on the server. Least privilege means that a user has no more access than is absolutely necessary to do his or her job.

No user should be a member of multiple roles. If a user performs two jobs, that user should have two logins. If that requires the user to have two client programs running, so be it. If a standard user's account is compromised, administrative or other high-privilege areas must in no way be accessible from that account.

This is common sense and due diligence of design.

Often the second version of an application will require adding roles, or expanding one or more roles so that they share a common area. Always consider the risk of impersonation and identity theft in those cases.

Authorization checks should occur immediately after authentication checks. Whereas an authentication result can be cached, an authorization result cannot: every newly accessed resource must be checked against the user's access rights.

When creating .NET applications, the code can even be segmented so that an administrator access object is created when an administrator authenticates to the system, and a user access object is created when the standard user authenticates to the system. The code can perform assertions that the identity of the user is within a given role. Even if a user somehow accesses an administrator object, a security exception will fire when the user activates a method or accesses a property of that object.
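The pattern described above, as an added example rather than code from the book: a hypothetical `AdminAccess` object whose every method and property re-asserts the role of the calling principal, so that a standard user who somehow obtains the object still triggers a `SecurityException`. The class name, the `DemandRole` helper, the role name "Administrator" and the simulated log-in are assumptions for illustration.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using System.Threading;

// Hypothetical administrator access object. It is created for the role that
// authenticated, but each member re-checks the role of the *calling* principal,
// so merely holding a reference grants nothing.
public sealed class AdminAccess
{
    private static void DemandRole(string role)
    {
        // The check is made against Thread.CurrentPrincipal (who is calling now),
        // not against whoever originally created the object.
        IPrincipal p = Thread.CurrentPrincipal;
        if (p == null || !p.Identity.IsAuthenticated || !p.IsInRole(role))
            throw new SecurityException($"Caller is not in role '{role}'.");
    }

    // Property access is asserted just like method calls.
    public int UserCount
    {
        get { DemandRole("Administrator"); return 42; }
    }

    public void DisableAccount(string name)
    {
        DemandRole("Administrator");
        Console.WriteLine($"Disabled account {name}");
    }
}

public static class Demo
{
    // Simulated authentication: in a real system the roles come from the
    // authentication store, never from client-supplied input.
    private static void LogIn(string user, params string[] roles) =>
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user), roles);

    public static void Main()
    {
        LogIn("alice", "Administrator");
        var admin = new AdminAccess();
        admin.DisableAccount("mallory");               // allowed: caller is an administrator

        LogIn("bob", "User");                          // same object, now used by a standard user
        try { admin.DisableAccount("alice"); }
        catch (SecurityException e) { Console.WriteLine("Blocked: " + e.Message); }
        try { _ = admin.UserCount; }
        catch (SecurityException e) { Console.WriteLine("Blocked: " + e.Message); }
    }
}
```

The same assertion can be expressed declaratively with `PrincipalPermission` in the .NET Framework; the explicit `IsInRole` check above behaves identically and also runs on modern .NET.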
