This page hosts the detailed specification for the [https://blueprints.launchpad.net/sahana3/+spec/authentication-authorization Blueprint for the Authentication & Access].

S3 currently uses the default T2 AAA system at a very basic level: {{{t2.logged_in}}}
 * http://trac.sahana3.org/wiki/DeveloperGuidelinesAuthenticationAccess

However this won't be appropriate for all deployment scenarios.
The specification we should be working to implement is in the Wiki:
 * http://wiki.sahana.lk/doku.php?id=dev:security

(NB Sahana is about to change AAA method to it's 3rd & the Vol module currently uses a separate method)

This should (mostly?) be possible using other T2 methods:
 * {{{t2.have_membership()}}}
 * {{{t2.have_access()}}}

This should probably be done by hooking into the [wiki:BluePrintREST RESTlike controller]

We also want to look at linking the AAA t2_person table with the Person Registry's person table

S2 supports OpenID (as does Launchpad ;) ), so that would be good to support & looks easy:
 * http://openidenabled.com/python-openid/

T3 defines a simple {{{t2.is_admin}}} defined in {{{db.py}}}:
{{{
is_admin=(t2.logged_in and (not settings.administrator_emails or t2.person_email in settings.administrator_emails))
t2.is_admin=is_admin
}}}
 * Function components protected with: {{{if not is_admin: t2.redirect('index',flash=T('Not Authorised'))}}}
 * appadmin protected in the same way :)

----
BluePrints