1 files changed, 43 insertions, 0 deletions

diff --git a/docs/api/security.rst b/docs/api/security.rst
new file mode 100644
index 000000000..317a7b335
--- /dev/null
+++ b/docs/api/security.rst
@@ -0,0 +1,43 @@
+.. _security_module:
+
+:mod:`repoze.bfg.security`
+==========================
+
+.. automodule:: repoze.bfg.security
+
+  .. autofunction:: has_permission
+
+  .. attribute:: Everyone
+
+    The special principal id named 'Everyone'.  This principal id is
+    granted to all requests.  Its actual value is the string
+    'system.Everyone'.
+
+  .. attribute:: Authenticated
+
+    The special principal id named 'Authenticated'.  This principal id
+    is granted to all requests which contain any other non-Everyone
+    principal id (according to the security policy).  Its actual value
+    is the string 'system.Authenticated'.
+
+  .. attribute:: Allow
+
+    The ACE "action" (the first element in an ACE e.g. ``(Allow, Everyone,
+    'read')`` that means allow access.  A sequence of ACEs makes up an
+    ACL.  It is a string, and it's actual value is "Allow".
+
+  .. attribute:: Deny
+
+    The ACE "action" (the first element in an ACE e.g. ``(Deny,
+    'george', 'read')`` that means deny access.  A sequence of ACEs
+    makes up an ACL.  It is a string, and it's actual value is "Deny".
+
+  .. autoclass:: RemoteUserACLSecurityPolicy
+     :members:
+
+  .. autoclass:: Denied
+     :members:
+
+  .. autoclass:: Allowed
+     :members:
+