It is a common thing in any application to restrict access to different parts of an application depending on who the user is. In Symfony, this can be done in many places, such as through annotations on the controller (or some equivalent configuration), via Access Control Lists (ACL), and through voters.

Controller annotations are role-based, which is fine for a lot of cases, but won't be adapted when we want to exercise fine-grained controls. At that point, you either have to create many more roles to express all of the permissions of a user or start using ACLs. ACLs provide much more fine-grained control, but they are very inexpressive. A user's rights on a given object or page are stored in the database as just that; these rights are called granular permissions. These permissions have to be granted and revoked one by one in your code; so, if you decide one day to completely change the logic of how some users are allowed to do something and others are not, you will have to...