authorization provider

Aug 14, 2007 at 7:20 AM

I don't get this authorization provider thing. What is the point of defining the authorization rules in the config file? Anybody can edit this file and give themselfes greater privileges.
How can I define the rules in some place else where users can't edit them.