I'm experimenting myself with the clean architecture, but I've also given some thought to the question of security.
It all depends on what those security restrictions are. I'd consider making the User object a dependency of the interactor, and use constructor injection with a dependency injection tool. In my web framework, the MVC controller already provides me with a User object with its roles/groups (which I associate to permissions). And I'd consider making the entity responsible for determining the user's level of access, since it seems to me that it's a business rule, not an application rule.
I'll give an example from Mark Seeman's book, "
Dependency Injection in .NET", from chapter 2, section 2.2.1. It's about a commerce application. The use case is about getting discounted products for the authenticated user with a "GetFeaturedProducts" method. The use case requires deciding wether the user is a preferred customer and apply discounts accordingly. The author shows a ProductService class (the more or less DDD equivalent of the interactor if I'm getting it right) which calls a repository to retrieve the featured products.
- The ProductService class requires a ProductRepository as a dependency by constructor injection.
- The GetFeaturedProducts of the service class requires a User object by method injection (actually, an IPrincipal .NET interface but that's a detail).
- The service class retrieves the featured products, and then filters the result using the ApplyDiscountFor method of the Product entity.
- The ApplyDiscountFor method requires a User object and returns a collection of DiscountedProduct objects, which inherit from Product.
- The result from the GetFeaturedProducts from the service class is a collection of DiscountedProduct objects.
In this example, access is handled by the entity because it's a business rule.
Now, in the context of Entity-Boundary-Interactor a.k.a. Clean Architecture, I'd have the interactor require the User object by constructor injection, and probably have the interactor implement the Command pattern, as in Uncle Bob's PayRoll example.,The interactor itself would correspond to the ProductService class' GetFeaturedProducts method: "GetFeaturedProductsInteractor" or something like that. The rest would be similar.