Very high level article on access control strategies: https://community.jboss.org/wiki/FineGrainedAccessControlStrategies