phpGACL Chinese Manual (Part 4)

Source: Internet | Published: EmpireCMS column URL | Editor: 程序博客网 | Time: 2024/06/08 16:31

Fine-grain access control

Oops! What about Chewie? By grouping him in "Crew", Han has indirectly given him access to the Engines! He doesn't want that after what Chewie recently did to the hyperdrive, so he adds a rule to disallow this:

Millennium Falcon Passengers
├─Crew [ALLOW: ALL]
│ ├─Han
│ └─Chewie [DENY: Engines]
└─Passengers [ALLOW: Lounge]
   ├─Obi-wan
   ├─Luke
   ├─R2D2
   └─C3PO

This is an example of the way you can control access policy in a fine-grained manner. It is not necessary to move Chewie to another Group; we simply override the access policy at a lower level.

Another example of fine-grain control happens when the Empire attacks; Han needs to let Luke man the guns, and let R2D2 repair the hyperdrive in the Engine room. He can do this by overriding the general permissions granted by their status as a "Passenger":

Millennium Falcon Passengers
├─Crew [ALLOW: ALL]
│ ├─Han
│ └─Chewie [DENY: Engines]
└─Passengers [ALLOW: Lounge]
   ├─Obi-wan
   ├─Luke [ALLOW: Guns]
   ├─R2D2 [ALLOW: Engines]
   └─C3PO

Multi-level Groups

Groups can be extended to any level in the ARO tree. For example, you could add a Group "Jedi" to "Passengers". Most passengers would be categorized under "Passengers", but Luke and Obi-wan would be under "Jedi" and therefore might be extended extra privileges (like access to the Cockpit):

Millennium Falcon Passengers
├─Crew [ALLOW: ALL]
│ ├─Han
│ └─Chewie [DENY: Engines]
└─Passengers [ALLOW: Lounge]
   ├─Jedi [ALLOW: Cockpit]
   │ ├─Obi-wan
   │ └─Luke [ALLOW: Guns]
   ├─R2D2 [ALLOW: Engines]
   └─C3PO
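
The final tree above, as an added example (not taken from the phpGACL manual or code base): a simplified Python model of how a rule set at a lower level overrides the one inherited from a group, plus an audit view of each ARO's effective access. It assumes the rule nearest the ARO wins and that access with no matching rule is denied; PARENT, RULES, check and effective_access are hypothetical names.

```python
# Simplified model of the ARO tree above (added example, not phpGACL code).
# Assumptions: the nearest rule on the path from an ARO up to the root wins,
# and access with no matching rule anywhere on that path is denied.

ALL = "ALL"

# child -> parent group (None marks the root of the ARO tree)
PARENT = {
    "Millennium Falcon Passengers": None,
    "Crew": "Millennium Falcon Passengers",
    "Passengers": "Millennium Falcon Passengers",
    "Jedi": "Passengers",
    "Han": "Crew",
    "Chewie": "Crew",
    "Obi-wan": "Jedi",
    "Luke": "Jedi",
    "R2D2": "Passengers",
    "C3PO": "Passengers",
}

# node -> {ACO: True (allow) / False (deny)}
RULES = {
    "Crew": {ALL: True},
    "Chewie": {"Engines": False},
    "Passengers": {"Lounge": True},
    "Jedi": {"Cockpit": True},
    "Luke": {"Guns": True},
    "R2D2": {"Engines": True},
}


def check(aro, aco):
    """Return (allowed, deciding_node) for one ARO/ACO pair."""
    node = aro
    while node is not None:
        rules = RULES.get(node, {})
        if aco in rules:            # explicit rule beats ALL at the same level
            return rules[aco], node
        if ALL in rules:
            return rules[ALL], node
        node = PARENT[node]         # nothing here: inherit from the parent group
    return False, None              # no rule anywhere on the path: deny


def effective_access(acos=("Cockpit", "Lounge", "Guns", "Engines")):
    """Audit view: each ARO's allowed ACOs, to catch unintended inheritance."""
    leaves = [n for n in PARENT if n not in PARENT.values()]
    return {a: sorted(c for c in acos if check(a, c)[0]) for a in leaves}
```

The second element returned by check names the node whose rule decided the result, which is the quickest way to see why a member such as Chewie ended up with access he was never granted directly.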