If authentication is the way you define who can access a particular resource, authorization is the way you define what a user can and cannot do once they have access to the domain.
It's like allowing someone to get into your house, but denying them access to the remote control for your TV (very important access, by the way), or allowing access to the remote control, but denying access to adult channels.
One way to do this is through profiles, and that's what we are going to do in this recipe.