Does the solution use Role Based permissions/authorisation? Does it support multiple roles per user, if so how is the authorisation calculated?
The access rights to alloy is controlled using user groups. Each user group is granted permissions to perform Create/Read/Update/Delete (CRUD) operations on specific data in Alloy. If a user is allocated to a user group, they then gain the privileges of said group using an opt-in strategy. This is a common model of User Access Control (UAC) used by operating systems to control logical access to data. The access to data is controlled securely and uniformly by the web api.