VuFind has included standard authentication function for a long time, but more detailed authorization logic was introduced in release 2.4.
VuFind's authorization is built using the ZfcRbac component.
Documentation on how to define roles (or configure existing ones) can be found in permissions.ini.
The authorization service can be injected into an object by implementing ZfcRbac\Service\AuthorizationServiceAwareInterface.
The authorization service provides a simple isGranted() method to check if a particular permission is granted.
VuFind's standard controllers implement an accessPermission property that, if set, can specify the name of a permission that must be granted in order to allow access to the controller. If the permission is missing, the user will be redirected to the login screen (or, if already logged in, will be presented with an error screen).