How to handle authenticated user access to resources in document oriented system?

Posted by Jeremy Raymond on Stack Overflow
Published on 2010-01-12T03:38:03Z Indexed on 2010/04/18 5:03 UTC

I'm developing a document-oriented application and need to manage user access to the documents. I have a module that handles user authentication, and another module that handles document CRUD operations on the data store. Once a user is authenticated, I need to enforce what operations the user can and cannot perform on documents based upon the user's permissions. The best option I could think of to integrate these two pieces together would be to create another module that duplicates the data API but that also takes the authenticated user as a parameter. The module would delegate the authorization check to the auth module and delegate the document operation to the data access module. Something like:

    -module(auth_data_access).
    -export([save_doc/2]).

    % User is authenticated (logged into the system)
    % save_doc validates if user is allowed to save the given document and if so
    % saves it returning ok, else returns {error, permission_denied}
    save_doc(Doc, User) ->
        case auth:save_allowed(Doc, User) of
            ok ->
                data_access:save_doc(Doc);
            denied ->
                {error, permission_denied}
        end.

Is there a better way I can handle this?
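
The wrapper described in the question, generalized so that every document operation goes through one default-deny check instead of repeating the `case` per function. This is an added example, not the poster's code: the module name, `allowed/3`, `authorize/4`, the role field, the grant table and the `data_save`/`data_delete` stand-ins are all hypothetical and replace the question's `auth` and `data_access` modules so the file compiles on its own.

```erlang
-module(authz_facade_example).
-export([save_doc/2, delete_doc/2, demo/0]).

%% Constructed grant table (assumption: users carry a role). Any
%% {Role, Operation} pair not listed here is denied.
-define(GRANTS, [{editor, save}, {admin, save}, {admin, delete}]).

%% Stand-in for the auth module's decision.
allowed(Op, _Doc, #{role := Role}) -> lists:member({Role, Op}, ?GRANTS);
allowed(_Op, _Doc, _User) -> false.

%% Single choke point for all document operations. Only an explicit
%% 'true' runs the action; any other value, or a crash inside the
%% check, is a denial. The catch covers only the check itself, so a
%% failure in the data layer is not misreported as permission_denied.
authorize(Op, Doc, User, Action) ->
    try allowed(Op, Doc, User) of
        true -> Action();
        _ -> {error, permission_denied}
    catch
        _:_ -> {error, permission_denied}
    end.

%% Public API mirrors the data API, with the authenticated user added.
save_doc(Doc, User) ->
    authorize(save, Doc, User, fun() -> data_save(Doc) end).

delete_doc(Doc, User) ->
    authorize(delete, Doc, User, fun() -> data_delete(Doc) end).

%% Stand-ins for the data access module.
data_save(_Doc) -> ok.
data_delete(_Doc) -> ok.

%% Constructed sample input: an editor and a user with no role.
demo() ->
    Doc = #{id => 1, body => <<"draft">>},
    Editor = #{name => <<"alice">>, role => editor},
    Guest = #{name => <<"bob">>},
    [save_doc(Doc, Editor), delete_doc(Doc, Editor), save_doc(Doc, Guest)].
```

Only the facade's functions are exported, so callers outside the module cannot reach `data_save/1` or `data_delete/1` without passing through `authorize/4`.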

© Stack Overflow or respective owner