in reply to Restricting Access

Access control requires two things: authentication and authorisation. Apache can do basic and digest authentication (authentication), and Apache can control which user can access which script (authorisation). Both of these can be configured via htaccess.

If that authorisation isn't fine grained enough for you (i.e. you want to control access to records, not to URLs), you can do the authorisation in the Perl script by grabbing the authenticated user from $cgi->remote_user.

You could also do the authorisation yourself if you wish to allow users to logout or become other users. This is a bit more involved since it requires maintaining a state over multiple requests. This is usually done using a session.
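
A sketch of the record-level check described above, added here as an example and not part of the original reply. It assumes Apache has already authenticated the request through the .htaccess shown in the comments; the record table, the `may_read` helper, the `id` parameter and the file paths are hypothetical.

```perl
#!/usr/bin/perl
# Added example: record-level authorisation behind Apache Basic/Digest auth.
# Assumed .htaccess beside this script (realm and path are placeholders):
#   AuthType Basic
#   AuthName "Records"
#   AuthUserFile /path/to/.htpasswd
#   Require valid-user
use strict;
use warnings;
use CGI;

# Constructed sample data: record id => owner, extra readers, content.
my %records = (
    1 => { owner => 'alice', readers => ['bob'], body => 'Q1 report' },
    2 => { owner => 'bob',   readers => [],      body => 'Draft notes' },
);

# Hypothetical helper: true only if $user owns the record or is a listed reader.
sub may_read {
    my ($user, $rec) = @_;
    return 0 unless defined $user && length $user && $rec;
    return 1 if $rec->{owner} eq $user;
    return (grep { $_ eq $user } @{ $rec->{readers} }) ? 1 : 0;
}

# Send a plain-text response with the given status line and stop.
sub respond {
    my ($cgi, $status, $text) = @_;
    print $cgi->header(-status => $status, -type => 'text/plain'), "$text\n";
    exit;
}

my $cgi  = CGI->new;
my $user = $cgi->remote_user;            # REMOTE_USER, set by Apache after authentication
my $id   = scalar $cgi->param('id') // '';

# Fail closed: an empty REMOTE_USER means the .htaccess protection is not in effect.
respond($cgi, '401 Unauthorized', 'Authentication required')
    unless defined $user && length $user;

# Validate the id before using it as a lookup key.
respond($cgi, '404 Not Found', 'No such record')
    unless $id =~ /\A\d+\z/ && exists $records{$id};

# The URL is the same for every user; the decision is made per record.
respond($cgi, '403 Forbidden', 'Access denied')
    unless may_read($user, $records{$id});

respond($cgi, '200 OK', $records{$id}{body});
```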