From 3dc9116f868c40aed42904b95b0ca703b2f73aa3 Mon Sep 17 00:00:00 2001 From: Casey Duncan Date: Sat, 15 Jan 2011 22:20:52 -0700 Subject: XXX explain the authentication/authorization separate in pyramid. Confirm this is correct XXX --- docs/narr/security.rst | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'docs/narr/security.rst') diff --git a/docs/narr/security.rst b/docs/narr/security.rst index 6ea48794c..f20c9f63e 100644 --- a/docs/narr/security.rst +++ b/docs/narr/security.rst @@ -41,6 +41,15 @@ allowed. Here's how it works at a high level: - If the authorization policy denies access, the view callable is not invoked; instead the :term:`forbidden view` is invoked. +Security in :app:`Pyramid`, unlike many systems, cleanly and explicitly +separates authentication and authorization. Authentication is merely the +mechanism by which credentials provided in the :term:`request` are +resolved to one or more :term:`principal` identifiers. These identifiers +represent the users and groups in effect during the request. +Authorization then determines access based on the :term:`principal` +identifiers, the :term:`view callable` being invoked, and the +:term:`context` resource. + Authorization is enabled by modifying your application to include an :term:`authentication policy` and :term:`authorization policy`. :app:`Pyramid` comes with a variety of implementations of these -- cgit v1.2.3
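Review bot: In the added paragraph, "the :term:`view callable` being invoked" misstates what the authorization policy actually consults: the policy never sees the view callable, it is asked whether the principals may exercise the permission the view was registered with against the context, so the sentence should read along the lines of "Authorization then determines access based on the :term:`principal` identifiers, the :term:`permission` required by the view, and the :term:`context` resource." The rest of the paragraph is consistent with the surrounding text (credentials resolved to principals; the forbidden view invoked on denial). Separately, the subject line still carries "XXX ... Confirm this is correct XXX"; the claim should be confirmed and the markers removed before this lands in docs/narr/security.rst, since nothing in the hunk records who verified it.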