Where to securely store custom access rights for a user? Cookies / Local Storage / somewhere else?

The application I am working on, requires users to have specific access rights or / and belong to certain custom roles within the application.
These access rights are stored in a database.

My question is what is the best way to store that retrieved access rights securely so that a user cannot change the settings in their browser (inspect) and gain access to sections they should not have access to?
Also, I do not want to have the application query the database every time to get the access.
Is it best to store this information in secure cookies or local storage or is there a better way?

Thank you in advance!
Kind Regards

You’re not going to like this answer, but:

There isn’t one.

All access control must be done server-side, where the code is running on machines under your control. You cannot “gate off” client-side features. Now, you can certainly do soft access control client-side, such as disabling buttons and navigation options that are not appropriate for the current user. That cannot be a complete substitute for proper server-side access control, though.

Ok, so I get that the actual restrictions needs to happen server side, which is fine because the server-side function can validate the acl before performing such an action.
However, from a UX point, we do not want to show users what they should not see as it can confuse matters.
So I guess the acl would then as you mention, only filter things like menu items, buttons, sections not actual server-side functions.
If this is the case, what is the best way to achieve this?

Thank you again for the help.

Kind Regards

Can’t presume to speak to “best”, but what I do is use this idiom to propagate user authentication status across parts of my app that care about it, and Angular route guards to wall off sections of the UI that aren’t appropriate.