Using the request/response cycle as a guide, here's how authorization fits in:

  1. The browser makes a request for a URL.
  2. The request hits the Rails router.
  3. Before the router sends the request on to the controller action, the app determines whether the user is permitted access by looking at the user's role.

What is a role? A role is a way to manage what parts of a site a user has access to. A user's role is specified in the database.
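The flow described above, as an added example that is not code from the original page: a plain-Ruby model (no Rails) of a request being matched to a route and the user's role being checked before the action runs. The route table, tokens, user names and role names are constructed assumptions; in a Rails app the same check commonly lives in a controller `before_action`.

```ruby
# Added illustration in plain Ruby (no Rails needed); all names are hypothetical.
# Constructed sample data: in a real app the role comes from the users table.
User = Struct.new(:name, :role)

USERS = {
  "token-admin" => User.new("ada", "admin"),
  "token-basic" => User.new("bob", "default"),
  "token-odd"   => User.new("eve", "superuser") # role no route recognises
}.freeze

# Route table: each route names its action and the roles allowed to reach it.
ROUTES = {
  ["GET", "/items"]          => { action: ->(u) { "items for #{u.name}" }, roles: %w[default admin] },
  ["GET", "/admin/users"]    => { action: ->(_u) { "user list" },          roles: %w[admin] },
  ["DELETE", "/admin/items"] => { action: ->(_u) { "items deleted" },      roles: [] } # nothing granted yet
}.freeze

# Role check: deny unless the role is explicitly listed for the route.
def authorized?(user, route)
  route[:roles].include?(user.role)
end

# Steps 1-3 from the list: request arrives, route is matched, and the role
# is checked before the action is ever called.
def dispatch(verb, path, token)
  route = ROUTES[[verb, path]]
  return [404, "not found"] unless route

  user = USERS[token]
  return [401, "log in first"] unless user            # no identity, no role to check
  return [403, "forbidden"] unless authorized?(user, route)

  [200, route[:action].call(user)]
end

if __FILE__ == $PROGRAM_NAME
  p dispatch("GET", "/admin/users", "token-basic")
  p dispatch("GET", "/admin/users", "token-admin")
end
```

Because the check is an allow-list, a role that no route names and a route with an empty role list both end in a refusal rather than falling through to the action.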

