Diffstat (limited to 'docs/modules')
-rw-r--r-- docs/modules/index.rst | 2
-rw-r--r-- docs/modules/security.rst | 53
2 files changed, 55 insertions, 0 deletions
diff --git a/docs/modules/index.rst b/docs/modules/index.rst
index 38cd5a29d..644b9fdf4 100644
--- a/docs/modules/index.rst
+++ b/docs/modules/index.rst
@@ -16,3 +16,5 @@ Sub-packages
:maxdepth: 2
router
+ security
+
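Review bot: The bare `+` line after `+ security` at the end of this hunk adds a blank line with no context following it, so index.rst now ends in an empty line. Drop it and let the toctree end at the new `security` entry.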
diff --git a/docs/modules/security.rst b/docs/modules/security.rst
new file mode 100644
index 000000000..0a692e521
--- /dev/null
+++ b/docs/modules/security.rst
@@ -0,0 +1,53 @@
+.. _security_module:
+
+:mod:`repoze.bfg.security`
+==========================
+
+.. automodule:: repoze.bfg.security
+
+ .. autofunction:: has_permission
+
+ .. attribute:: Everyone
+
+ The special principal id named 'Everyone'. This principal id is
+ granted to all requests. Its actual value is the string
+ 'system.Everyone'.
+
+ .. attribute:: Authenticated
+
+ The special principal id named 'Authenticated'. This principal id
+ is granted to all requests which contain any other non-Everyone
+ principal id (according to the security policy). Its actual value
+ is the string 'system.Authenticated'.
+
+ .. attribute:: Allow
+
+ The ACE "action" (the first element in an ACE e.g. ``(Allow, Everyone,
+ 'read')`` that means allow access. A sequence of ACEs makes up an
+ ACL. It is a string, and it's actual value is "Allow".
+
+ .. attribute:: Deny
+
+ The ACE "action" (the first element in an ACE e.g. ``(Deny,
+ 'george', 'read')`` that means deny access. A sequence of ACEs
+ makes up an ACL. It is a string, and it's actual value is "Deny".
+
+ :class:`RemoteUserACLSecurityPolicy`
+ ------------------------------------
+
+ .. autoclass:: RemoteUserACLSecurityPolicy
+
+ .. automethod:: permits
+
+ :class:`Denied`
+ ===============
+
+ .. autoclass:: Denied
+ :members:
+
+ :class:`Allowed`
+ ================
+
+ .. autoclass:: Allowed
+ :members:
+
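Review bot: The `Allow` and `Deny` attribute descriptions each say "A sequence of ACEs makes up an ACL" but never say how that sequence is evaluated when an Allow ACE and a Deny ACE both match the same principal and permission. Since readers will write ACLs from this page, add a sentence on evaluation order or a cross-reference to where it is documented. In the same two entries, "it's actual value" should be "its actual value", and the parenthesis opened at "(the first element in an ACE e.g." is never closed. The section underlines are also inconsistent: `RemoteUserACLSecurityPolicy` uses `---`, while `Denied` and `Allowed` use `===`, the same level as the module title, which makes them top-level sections beside :mod:`repoze.bfg.security` rather than subsections of it; use `---` for all three. Finally, the `Authenticated` entry defines membership as "any other non-Everyone principal id (according to the security policy)", which is hard to parse; consider stating directly that it is granted when the policy identifies a user for the request.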