Orthodoxy in e-security holds that we must separate "authentication" of who someone is from "authorisation" of what they can do. The distinction is actually arbitrary and unhelpful.
See also http://lockstep.com.au/blog/2011/01/22/forget-authentication.
A more powerful and more general idea than the orthodox separation of primary authentication and secondary authorisations is that we really exercise a portfolio of separate identities. It is not helpful to insist on there being just one "true" identity which must necessarily be involved in every transaction.
See Babystep 15: Introducing "Identity Plurality".