update changelog and docs

1 files changed, 43 insertions, 0 deletions

diff --git a/docs/api/authorization.rst b/docs/api/authorization.rst
index c6b3d090e..fac47490a 100644
--- a/docs/api/authorization.rst
+++ b/docs/api/authorization.rst
@@ -10,3 +10,46 @@
 
   .. autoclass:: ACLAuthorizationPolicy
 
+Constants
+---------
+
+.. attribute:: Everyone
+
+    The special principal id named 'Everyone'.  This principal id is
+    granted to all requests.  Its actual value is the string
+    'system.Everyone'.
+
+.. attribute:: Authenticated
+
+    The special principal id named 'Authenticated'.  This principal id
+    is granted to all requests which contain any other non-Everyone
+    principal id (according to the :term:`authentication policy`).
+    Its actual value is the string 'system.Authenticated'.
+
+.. attribute:: ALL_PERMISSIONS
+
+    An object that can be used as the ``permission`` member of an ACE
+    which matches all permissions unconditionally.  For example, an
+    ACE that uses ``ALL_PERMISSIONS`` might be composed like so:
+    ``('Deny', 'system.Everyone', ALL_PERMISSIONS)``.
+
+.. attribute:: DENY_ALL
+
+    A convenience shorthand ACE that defines ``('Deny',
+    'system.Everyone', ALL_PERMISSIONS)``.  This is often used as the
+    last ACE in an ACL in systems that use an "inheriting" security
+    policy, representing the concept "don't inherit any other ACEs".
+
+Return Values
+-------------
+
+.. autoclass:: ACLDenied
+   :members: msg
+
+   .. automethod:: __new__
+
+.. autoclass:: ACLAllowed
+   :members: msg
+
+   .. automethod:: __new__
+