That’s a very broad question. Access control can be handled in a variety of ways. Ultimately, for every “action” on your site — each thing that a logged-in user might be able to do (or see) — you need to determine if the current user is authorized to do that thing.

The most basic approach is to designate a particular group of users who can do everything (“admins” generally):

if ($user->is_admin) {
    // Do stuff...
}

The most sophisticated approach is (arguably) to keep a separate privilege for each thing people might be able to do:

if ($user->can_edit_things) {
    // Edit things
}
if ($user->can_add_things) {
    // Add things
}
if ($user->can_delete_things) {
    // Delete things
}

Somewhere in the middle falls a common, “role-based” approach. There you’ll assign each user a role, and each action a set of roles that are allowed to perform it.

if ($user->role == 'Admin' || $user->role == 'Adder of Things' || $user->role == 'Cool Guy') {
    // Add things
}
if ($user->role == 'Admin' || $user->role == 'Deleter of Stuff' || $user->role == 'Evil') {
    // Delete things
}

Ultimately you’ll have to decide what approach works best for your site, keeping in mind that you can combine these basic approaches (along with a million subtle and not-so-subtle variations) to get the best balance between “easy to develop” and “able to express the permissions you care about.”