Technical Mid Level

How does the Symfony security system work? Explain the difference between access control rules, voters, and firewalls.

Quick Tip

Show the layers: "Firewalls handle who you are. Access control handles which paths require which roles. Voters handle can-this-user-do-this-to-this-object — that is where business logic lives."

What good answers include

Firewalls define authentication boundaries — which routes require login and how users authenticate (form login, API token, etc.). Access control rules in security.yaml provide simple path-based role checks. Voters are the fine-grained authorisation layer — custom classes that vote GRANT, DENY, or ABSTAIN on specific attributes and subjects. The access decision manager aggregates the votes; under the default affirmative strategy, access is granted as soon as one voter grants it. Strong candidates explain when to use each: access_control for broad route protection, voters for object-level permissions like "can this user edit this post."
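
The voter layer described above, as an added example (not code from this page or from Symfony itself). Post, PostVoter, the POST_VIEW / POST_EDIT attribute names and the "locked posts cannot be edited" rule are hypothetical; it assumes PHP 8.1+ and symfony/security-core 6 or later.

```php
<?php
// Added example. Post and PostVoter are hypothetical names.
// Requires: composer require symfony/security-core
// Both classes share one file only to keep the example short.
namespace App\Security;

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

final class Post
{
    public function __construct(
        public readonly string $authorIdentifier,
        public readonly bool $locked = false,
    ) {}
}

final class PostVoter extends Voter
{
    public const VIEW = 'POST_VIEW';
    public const EDIT = 'POST_EDIT';

    // Returning false makes this voter ABSTAIN, so role checks and
    // other subject types are left to the voters that own them.
    protected function supports(string $attribute, mixed $subject): bool
    {
        return in_array($attribute, [self::VIEW, self::EDIT], true)
            && $subject instanceof Post;
    }

    // Only called when supports() returned true: true grants, false denies.
    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();
        if (!$user instanceof UserInterface) {
            return false; // no authenticated user: deny object-level access
        }

        return match ($attribute) {
            self::VIEW => true, // assumed policy: any logged-in user may view
            self::EDIT => !$subject->locked
                && $subject->authorIdentifier === $user->getUserIdentifier(),
            default => false, // fail closed on anything unexpected
        };
    }
}
```

A controller extending AbstractController would invoke it with $this->denyAccessUnlessGranted(PostVoter::EDIT, $post), which keeps the ownership rule out of the controller and lets it be unit-tested on its own. With service autoconfiguration enabled, Symfony registers the class as a voter automatically.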

What interviewers are looking for

Tests understanding of Symfony security architecture. Candidates who put all authorisation logic in controllers are missing the voter system. Those who understand the layered approach write more maintainable and testable security code.
