<p>A user interface and a processor coupled to the user interface wherein the processor receives access requests through the user interface and authorizes access through the user interface. The processor associates a rights request with a role based policy to determine access rights, modifies the determined access rights in accordance with an exception list related to particular users and records, and authorizes access to a record based upon the modified determined access rights.</p>