Authorisation follows the concept of authentication. After we successfully identified a user the authorisation must determine his rights on the available resources. For this it uses the user information that was retrieved in authentication - mainly the users names and the groups he is member of - and tries to match it against authorisation rules.
Authorisation in OpenWGA applications happens on many levels. One important level is defining access restrictions to applications at whole, i.e. allow/deny special users access to it completely. When a user has access to an application there are other restrictions on a finer granularity level defining what types of documents he is allowed to read, create, modify or delete.
All security features described here are enforced by OpenWGA automatically for the whole OpenWGA/WebTML feature set (with the exception of functionalities running in master sessions). OpenWGA designs that choose to not rely on these built-in features but add restrictions that are enforced by the design code itself may need to adapt their browsing security setting which is configurable in design configuration to fully enforce these restrictions.