Changes between Version 1 and Version 2 of UserGuidelines/Admin/Permissions/Rules


Timestamp:
02/09/17 09:39:24 (8 years ago)
Author:
Dominic König
Comment:

--

  • UserGuidelines/Admin/Permissions/Rules

    v1 v2  
    9090A default realm entity can be any type of person entity - an organisation, a facility, a team etc. When the user's affiliation with that entity ends, the realm of that entity will no longer belong to the user's default realm. This allows for implicit control of permissions through user-managed relationships (e.g. staff records, team memberships).
    9191
     92== Non-ACL Rules ==
     93
     94Controllers are free to implement additional authorization requirements outside of ACLs, and call auth.permission.fail() individually.
     95
     96Those non-ACL rules can further '''restrict''' access to data or functions, but they can not bypass ACL rules applied by S3 framework functions.
     97
     98In particular, non-ACL rules can not allow access to controllers while ACL rules deny it.
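
Review bot: the new sentence on line 96 limits the guarantee to "ACL rules applied by S3 framework functions", but the section never says what applies when a controller reads or writes data without going through those functions. Add a sentence stating whether such code paths are still subject to ACLs or whether the controller must perform the check itself, since line 94 invites controllers to call auth.permission.fail() on their own and readers may assume the framework always backs them up. It would also help to say on line 94 that the custom check has to run before the controller touches any data, so a failing rule cannot be reached after a side effect. Minor: "can not" on lines 96 and 98 should be "cannot".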