1. Understanding How ACL Works

Most important, powerful things require some sort of access control. Access control lists are a way to manage application permissions in a fine-grained, yet easily maintainable and manageable way. Access control lists, or ACL, handle two main things: things that want stuff, and things that are wanted. In ACL lingo, things (most often users) that want to use stuff are called access request objects, or AROs. Things in the system that are wanted (most often actions or data) are called access control objects, or ACOs. The entities are called 'objects' because sometimes the requesting object isn't a person - sometimes you might want to limit the access certain Cake controllers have to initiate logic in other parts of your application. ACOs could be anything you want to control, from a controller action, to a web service, to a line on your grandma's online diary.

To use all the acronyms at once: ACL is what is used to decide when an ARO can have access to an ACO.

Now, in order to help you understand this, let's use a practial example. Imagine, for a moment, a computer system used by a group of adventurers. The leader of the group wants to forge ahead on their quest while maintaining a healthy amount of privacy and security for the other members of the party. The AROs involved are as following:

Gandalf
Aragorn
Bilbo
Frodo
Gollum
Legolas
Gimli
Pippin
Merry

These are the entities in the system that will be requesting things (the ACOs) from the system. It should be noted that ACL is *not* a system that is meant to authenticate users. You should already have a way to store user information and be able to verify that user's identity when they enter the system. Once you know who a user is, that's where ACL really shines. Okay - back to our adventure.

The next thing Gandalf needs to do is make an initial list of things, or ACOs, the system will handle. His list might look something like:

Weapons
The One Ring
Salted Pork
Diplomacy
Ale

Traditionally, systems were managed using a sort of matrix, that showed a basic set of users and permissions relating to objects. If this information were stored in a table, it might look like the following, with X's indicating denied access, and O's indicating allowed access.

         Weapons    The One Ring    Salted Pork      Diplomacy       Ale
Gandalf     X             X              O               O            O
Aragorn     O             X              O               O            O
Bilbo       X             X              X               X            O
Frodo       X             O              X               X            O
Gollum      X             X              O               X            X
Legolas     O             X              O               O            O       
Gimli       O             X              O               X            X
Pippin      X             X              X               O            O
Merry       X             X              X               X            O

At first glance, it seems that this sort of system could work rather well. Assignments can be made to protect security (only Frodo can access the ring) and protect against accidents (keeping the hobbits out of the salted pork). It seems fine grained enough, and easy enough to read, right?

For a small system like this, maybe a matrix setup would work. But for a growing system, or a system with a large amount of resources (ACOs) and users (AROs), a table can become unwieldy rather quickly. Imagine trying to control access to the hundreds of war encampments and trying to manage them by unit, for example. Another drawback to matrices is that you can't really logically group sections of users, or make cascading permissions changes to groups of users based on those logical groupings. For example, it would sure be nice to automatically allow the hobbits access to the ale and pork once the battle is over: Doing it on an indivudual user basis would be tedious and error prone, while making a cascading permissions change to all 'hobbits' would be easy.

ACL is most usually implemented in a tree structure. There is usually a tree of AROs and a tree of ACOs. By organizing your objects in trees, permissions can still be dealt out in a granular fashion, while still maintaining a good grip on the big picture. Being the wise leader he is, Gandalf elects to use ACL in his new system, and organizes his objects along the following lines:

Fellowship of the Ring:
Warriors
    Aragorn
    Legolas
    Gimli
Wizards
    Gandalf
Hobbits
    Frodo
    Bilbo
    Merry
    Pippin
Vistors
    Gollum

By structuring our party this way, we can define access controls to the tree, and apply those permissions to any children. The default permission is to deny access to everything. As you work your way down the tree, you pick up permissions and apply them. The last permission applied (that applies to the ACO you're wondering about) is the one you keep. So, using our ARO tree, Gandalf can hang on a few permissions:

Fellowship of the Ring: [Deny: ALL]
    Warriors                [Allow: Weapons, Ale, Elven Rations, Salted Pork]
        Aragorn
        Legolas
        Gimli
    Wizards                 [Allow: Salted Pork, Diplomacy, Ale]
        Gandalf
    Hobbits                 [Allow: Ale]
        Frodo
        Bilbo
        Merry
        Pippin
    Vistors                 [Allow: Salted Pork]
        Gollum

If we wanted to use ACL to see if the Pippin was allowed to access the ale, we'd first get his path in the tree, which is Fellowship->Hobbits->Pippin. Then we see the different permissions that reside at each of those points, and use the most specific permission relating to Pippin and the Ale.

The tree also allows us to make finer adjustments for more granular control - while still keeping the ability to make sweeping changes to groups of AROs:

Fellowship of the Ring: [Deny: ALL]
    Warriors                [Allow: Weapons, Ale, Elven Rations, Salted Pork]
        Aragorn             [Allow: Diplomacy]
        Legolas
        Gimli
    Wizards                 [Allow: Salted Pork, Diplomacy, Ale]
        Gandalf
    Hobbits                 [Allow: Ale]
        Frodo               [Allow: Ring]
        Bilbo
        Merry               [Deny: Ale]
        Pippin              [Allow: Diplomacy]
    Vistors                 [Allow: Salted Pork]
        Gollum

You can see this because the Aragorn ARO maintains is permissions just like others in the Warriors ARO group, but you can still make fine-tuned adjustments and special cases when you see fit. Again, permissions default to DENY, and only change as the traversal down the tree forces an ALLOW. To see if Merry can access the Ale, we'd find his path in the tree: Fellowship->Hobbits->Merry and work our way down, keeping track of ale-related permissions: