Hacker News

Right, that's what I mean by putting the enforcement code directly into the DB or as close to it as possible. But most authorization issues are not just for secret data. You may have a rule that only the admin can enroll new users. So then you have to hook the "enroll new user" service into the security kernel, and the easiest way to do that is at the data store level, e.g. right before (or during) the insert user operation.
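The rule from the comment above (only an admin can enroll new users), enforced by a trigger that runs right before the insert, so every code path that writes to the table is covered. This is an added example, not code from the commenter; SQLite, the table names, the helper functions and the `session_ctx` actor row are assumptions made for illustration.

```python
import sqlite3

# Constructed schema. session_ctx is an assumed stand-in for the authenticated
# caller; a server DBMS would use the connection's database role instead.
SCHEMA = """
CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL);
CREATE TABLE session_ctx (id INTEGER PRIMARY KEY CHECK (id = 1), actor TEXT);
INSERT INTO session_ctx VALUES (1, NULL);
INSERT INTO users VALUES ('root', 'admin'), ('bob', 'user');
-- Created after the seed rows so the first admin can exist.
CREATE TRIGGER enroll_requires_admin BEFORE INSERT ON users
BEGIN
  SELECT RAISE(ABORT, 'only an admin may enroll users')
  WHERE NOT EXISTS (
    SELECT 1 FROM users u JOIN session_ctx s ON u.name = s.actor
    WHERE u.role = 'admin');
END;
"""

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def _insert_as(db, actor, names):
    """Record the caller, then insert. No role check happens in Python."""
    db.execute("UPDATE session_ctx SET actor = ? WHERE id = 1", (actor,))
    try:
        db.executemany("INSERT INTO users VALUES (?, 'user')",
                       [(n,) for n in names])
        db.commit()
        return True
    except sqlite3.DatabaseError:  # raised by RAISE(ABORT, ...) in the trigger
        db.rollback()
        return False

def enroll(db, actor, name):
    """The 'enroll new user' service."""
    return _insert_as(db, actor, [name])

def bulk_import(db, actor, names):
    """A second write path whose author never thought about authorization."""
    return _insert_as(db, actor, names)

def user_names(db):
    return [r[0] for r in db.execute("SELECT name FROM users ORDER BY name")]
```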

