Ariadne has an extensive, fine-grained security system built in. This system is divided into user access and grant management on the one hand and an internal coding firewall on the other.
Templates are how you get Ariadne to do anything. All system templates check for specific grants. Grants can be set on objects and on trees of objects, so for anything Ariadne does on any object, the user's grants are checked. This check is not done once; it is done on every access to every object.
Ariadne's user and grants system is a hybrid of a role-based and a capability-based security system. Roles can be added by creating groups and assigning users to them. You can assign grants to groups just as you can to users. You can even add your own custom grants and check for these in your own templates. Grants trickle down the content tree by default, but not necessarily.
An Ariadne programmer who is allowed to create Ariadne templates in a part of an Ariadne system cannot access the 'bare metal'. Ariadne provides a coding firewall which prevents this. Any template code is scanned and compiled. Any code that is not allowed, such as accessing the file system directly, is disabled.
This means that it is even possible to allow different users to create and manage different websites on a single Ariadne system without their being able to access other users' websites. Ariadne even allows users to create and manage new users and their grants, if so set up, but only for those parts where they themselves have sufficient access.
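
The grant model described above (grants on users and groups, inheritance down the tree, and delegation limited to what the delegating user holds) can be sketched as follows. This is an added illustration, not Ariadne's own code. The class, the path layout, the `inherit` flag and the `manage_grants` grant name are all assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class GrantStore:
    """Constructed model; names and rules are assumptions, not Ariadne's API."""
    entries: dict = field(default_factory=dict)  # (principal, path) -> {grant: inherit}
    groups: dict = field(default_factory=dict)   # user -> set of group names

    def set_grant(self, principal, path, grant, inherit=True):
        self.entries.setdefault((principal, path), {})[grant] = inherit

    def check(self, user, path, grant):
        """Run on every access: walk from the object up to the root."""
        principals = {user} | self.groups.get(user, set())
        node = path
        while True:
            for p in principals:
                inherit = self.entries.get((p, node), {}).get(grant)
                # A non-inheriting grant counts only on the object it was set on.
                if inherit is not None and (inherit or node == path):
                    return True
            if node == "/":
                return False
            node = node.rstrip("/").rsplit("/", 1)[0] + "/"

    def delegate(self, actor, target, path, grant, inherit=True):
        """Actor may hand out a grant only where they hold it themselves,
        plus the hypothetical 'manage_grants' grant."""
        if not (self.check(actor, path, "manage_grants") and self.check(actor, path, grant)):
            return False
        self.set_grant(target, path, grant, inherit)
        return True

def build_demo():
    """Constructed sample tree: two sites on one system."""
    s = GrantStore(groups={"alice": {"editors-a"}})
    s.set_grant("editors-a", "/sites/a/", "read")            # role: via group
    s.set_grant("alice", "/sites/a/", "edit")                # capability: direct
    s.set_grant("alice", "/sites/a/", "manage_grants")
    s.set_grant("bob", "/sites/a/drafts/", "publish", inherit=False)  # custom grant
    return s

if __name__ == "__main__":
    s = build_demo()
    print(s.check("alice", "/sites/a/news/", "read"))
    print(s.check("bob", "/sites/a/drafts/x/", "publish"))
    print(s.delegate("alice", "carol", "/sites/b/", "edit"))
```

Because `check` is called inside `delegate`, a site manager cannot issue grants outside the subtree where their own grants apply, which is what keeps the two sites isolated from each other.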