Authentication, authorization, session lifecycle, and request-scoped authority decisions — the decision layer of "who can do what".
The decision layer: "should this caller be allowed to perform this action?"
In scope. Authentication mechanisms (password, MFA, social login, OAuth, API keys, service-to-service), authorization decisions (RBAC, ABAC, ownership checks, tenant scoping of requests), session lifecycle (creation, expiry, rotation, revocation, fixation), request-level authority gates on protected routes and mutations, step-up authentication, and auth-bypass patterns (debug paths, environment-conditional skips such as a debug flag that disables the check, and routes that confirm a caller is authenticated but never check whether they are authorized).
Not in scope. Credential storage, hashing, and the cryptographic material itself — those are cryptography-and-secrets. Per-record tenant isolation at the persistence layer — that's data-integrity. Submitted-input validation that happens before an auth decision — that's injection-and-input-trust.
Distinct because. Access control is the decision layer. cryptography-and-secrets is the material layer (keys, hashes, certs). data-integrity is the storage layer. A pattern about "admin route lacks role check" is access-control; a pattern about "password hashed with MD5" is cryptography-and-secrets; a pattern about "query missing tenant_id filter" is data-integrity.
Conceptual sub-structure. Authentication (proving identity), authorization (deciding permissions), session (lifecycle of the authenticated state), tenant-scoping (request-level multi-tenant boundaries). Formal sub-taxon paths may be introduced when any one sub-area exceeds ~500 patterns.
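To make the boundary concrete, here is an added example (written for this page, not taken from any project) of a request-level authority gate in plain Python. The "before" function carries three decision-layer defects named above: an environment-conditional skip, an admin route that mistakes authentication for authorization, and a missing ownership check. The "after" function denies by default and checks tenant, role, ownership and step-up freshness. The route table, the 300-second step-up window, the `APP_DEBUG` flag and the `mfa_verified_at` field are all assumptions made for the illustration.

```python
"""Added example: request-scoped authority decisions (the decision layer).
Not code from any real project; names, routes and policy values are assumed."""
from __future__ import annotations

import os
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str
    roles: frozenset
    mfa_verified_at: float | None = None  # assumed: epoch seconds of the last MFA


@dataclass(frozen=True)
class Request:
    principal: Principal | None  # None means no authenticated session
    method: str
    path: str
    resource_owner: str | None = None   # owner of the targeted record, if the route has one
    resource_tenant: str | None = None  # tenant of the targeted record, if the route has one


# Assumed route policy: path prefix -> (required role, owner-only, step-up on mutation)
ROUTES = {
    "/admin/": ("admin", False, True),
    "/api/documents/": (None, True, False),
    "/api/billing/": (None, True, True),
}

STEP_UP_MAX_AGE_S = 300  # assumed policy: sensitive writes need MFA fresher than 5 minutes
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def route_policy(path: str):
    for prefix, policy in ROUTES.items():
        if path.startswith(prefix):
            return policy
    return None


def authorize_vulnerable(req: Request, env=os.environ):
    """The 'before' gate: three access-control defects, none of them a crypto or storage bug."""
    # Environment-conditional skip: a deployment with APP_DEBUG=1 has no access control at all.
    if env.get("APP_DEBUG") == "1":
        return (True, "debug bypass")
    if req.principal is None:
        return (False, "unauthenticated")
    # Authentication is mistaken for authorization: any logged-in user reaches /admin/.
    if req.path.startswith("/admin/"):
        return (True, "authenticated")
    # Ownership and tenant are never checked, so user A can read or mutate B's records.
    return (True, "authenticated")


def authorize(req: Request, now: float | None = None):
    """The hardened gate: deny by default; check tenant, role, ownership, then step-up."""
    now = time.time() if now is None else now
    p = req.principal
    if p is None:
        return (False, "unauthenticated")
    policy = route_policy(req.path)
    if policy is None:
        return (False, "no policy for route")  # unknown routes are closed, not open
    role, owner_only, step_up = policy
    # Request-level tenant scoping: a record from another tenant is refused before anything else.
    if req.resource_tenant is not None and req.resource_tenant != p.tenant_id:
        return (False, "cross-tenant")
    if role is not None and role not in p.roles:
        return (False, f"missing role {role}")
    if owner_only and req.resource_owner is not None and req.resource_owner != p.user_id:
        return (False, "not owner")
    if step_up and req.method in MUTATING_METHODS:
        if p.mfa_verified_at is None or now - p.mfa_verified_at > STEP_UP_MAX_AGE_S:
            return (False, "step-up required")
    return (True, "allowed")


if __name__ == "__main__":
    alice = Principal("alice", "t1", frozenset({"user"}), mfa_verified_at=1000.0)
    for req in (Request(alice, "GET", "/admin/users"),
                Request(alice, "GET", "/api/documents/9", resource_owner="bob", resource_tenant="t1")):
        print(req.method, req.path, "vulnerable:", authorize_vulnerable(req, env={}),
              "hardened:", authorize(req, now=1010.0))
```

The ordering in `authorize` is deliberate: the tenant check runs before the role and ownership checks so that a cross-tenant probe learns nothing about roles or record ownership, and an unlisted route is refused rather than passed through, which is the opposite of the "before" function's default. Everything the gate consults (roles, tenant, MFA timestamp) is already-authenticated state; how that state was derived or stored is outside this category.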