Is there any best practice data model for authentication/authorization scheme?
A data model that consists of a mapping of roles to privileges is fairly flexible and suits most purposes.
Then you assign roles to users (the concept is essentially the same as that of groups)...a user may have more than one role, and their role(s) define the privileges they have.
In the code, you check (via their roles) that the user holds the required privilege to perform a function.
Authentication is separate, that's just validating who the user is, not what they can do. Usually you should maintain this separation (though there are schemes that are designed so that they only care what the user can do, not who they are).
In your design you can visualise the access control system as a matrix (roles to privileges).
I would also expand on the 'do not store passwords' answer - don't design your own authentication scheme at all. You'll probably get it wrong. Reuse one that is proven.