Version 13 (modified by Dominic König, 11 years ago) ( diff )


DeveloperGuidelinesS3Framework | S3AAA

S3 Authentication, Authorization and Accounting

Authentication is the act of establishing or confirming someone's identity.
Authorization is the concept of allowing access to resources only to those permitted to use them.
Accounting refers to the tracking of user actions - an audit trail.


AAA functions for S3 are implemented in the modules/s3/ module. This module extends the web2py Auth class as AuthS3 (Authentication), and defines additional classes for role management, access control and audit.

AuthS3modules/s3/s3aaa.pyAuthentication, Login
S3Permissionmodules/s3/s3aaa.pyAuthorization of Access, ACLs
S3Auditmodules/s3/s3aaa.pyData access logging, audit trail
S3RoleManagermodules/s3/s3aaa.pyRESTful method to manage roles and ACLs
Admin controllerscontrollers/admin.pyUser Management, role management


Current user

Interactive Login

HTTP Simple Authentication


Roles are defined in the auth_group table, which is defined by the AuthS3 module (in modules/s3/
Each role as an ID, a unique name and an optional description.

Access permissions are granted to roles, while a user gets permissions by assigning roles to him. Role assignment is stored in the auth_membership table, which is defined by the AuthS3 class (in modules/s3/

At the start of every request, the IDs of all roles of the currently logged-in user are stored as list in session.s3.roles (in models/ In cases where the user is logged-in during the request (e.g. by HTTP simple auth), a refresh of this list is also triggered by the login_bare() method of AuthS3.

Roles can be managed in the S3RoleManager interface (Administration => User Management => Roles).

The following roles are pre-defined in S3 and cannot be changed:

1Administratorsystem administrator
2Authenticatedall authenticated users
3Creatorcurrently unused
4Editordata editor

The first registered user gets the Administrator role assigned.
Users with the Administrator role always have all permissions, and may access all pages in Eden. The Administrator may also manage Users, Roles and ACLs.

Users with the Editor role may access all data with all methods, except they can not manage Users, Roles or ACLs.

Every authenticated user gets automatically the Authenticated role assigned. This role assignment cannot be revoked.


Access Control Lists (ACLs) are bit arrays with each bit representing a permissions to access data with a particular method:

auth.permission.CREATE0x01may create new records
auth.permission.READ0x02may read or list records
auth.permission.UPDATE0x04may update existing records
auth.permission.DELETE0x08may delete records

ACLs are combinations of these bits (by logical OR), e.g. an ACL with the value 0x06 defines permissions to read and update records, while no permission to add or to delete any records.

ACLs are stored per role and request destination in the s3_permission table, which is defined by the S3Permission class (in modules/s3/

Record Ownership

Controller Restriction

Resource Restriction

Implementation of Access Control



Data Access Logging (Audit)


Note: See TracWiki for help on using the wiki.