phpGACL中文手册（六）

Adding groups
添加组
Han feels this ACL is starting to look a little complicated. There are so many exceptions! Perhaps he should make another group, "Engineers", containing the people who are allowed access to the Engines and Guns. That group should contain Han and R2D2 since they're both capable of repairing the engines and guns. This means Han can remove some of those messy exceptions-to-the-rules, and that has the benefit of making the description clearer:
Han觉得这个ACL列表看上去有点复杂，那儿有太多的例外了！也许他可以设一个"工程师"组，以便将那些有权进入发动机室和武器室的人包含在这个组里。这个组里包括Han和R2D2，因为他们两个都有修理发动机和武器的能力。这就意味着Han可以删除一些乱七八糟的例外规则，并且可以描述地再清楚：

 缺省：全部拒绝

千年隼号乘客

├─船员 [允许：全部]

│ ├─Han

│ └─Chewie [拒绝：发动机室]

├─乘客 [允许：休息室 ]

│ ├─绝地战士 [允许：驾驶室]

│ │ ├─Obi-wan

│ │ └─Luke [允许：武器室]

│ ├─R2D2 [允许：发动机室]

│ └─C3PO

└─工程师 [允许：发动机室，武器室]

   ├─Han

   └─R2D2

We can read this as "By default, no-one has access to anywhere. Crew have access to everywhere (except Chewie, who has no access to the Engines). Passengers only have access to the Lounge, except Jedi who also have access to the Cockpit. Luke has access to the Guns too. Engineers are allowed access to the Engines and Guns."
我们可以这样理解"缺省状态下，没有人可以进入任何房间。船员有权进入任何房间（Chewie除外，他没权进入发动机室）。乘客只有进休息室的权限，除了绝对战士可以进入驾驶室，Luke也有权进入武器室。工程师则被允许进入发动机室和武器室。"

Most importantly, we can see that Han and R2D2 are now in two places in the ACL. It is not necessary for them to be uniquely categorized at all. This defines the policy more clearly to the reader: "Ahh, Han and R2D2 have access to the Engines and Guns because they're engineers."
最重要的是，我们现在看到Han和R2D2在ACL列表中出现了两次。将他们放入唯一的分类中是根本没有必要的。这样的设置策略对人们来说更清楚："啊，Han和R2D2有权进入发动机室和武器室的原因是因为他们是工程师。"

Adding people
添加人

Han goes to Cloud City to pick up Lando and get some repairs. Lando's the Millennium Falcon's previous owner, so Han reckons he qualifies as Crew. Lando also offers the services of his top engineer, Hontook, for help with repairing the ship while they're in dock.
Han去云中城会见Lando并得到 了一些修理。因为Lando是千年隼号的前主人，所以Han认为他有资格做船员。在码头期间，Lando也提供了他的顶级工程师Hontook来帮助维修飞船。

缺省：全部拒绝

千年隼号乘客

├─船员 [允许：全部]

│ ├─Han

│ ├─Chewie [拒绝：发动机室]

│ └─Lando

├─乘客 [允许：休息室 ]

│ ├─绝地战士 [允许：驾驶室]

│ │ ├─Obi-wan

│ │ └─Luke [允许：武器室]

│ ├─R2D2 [允许：发动机室]

│ └─C3PO

└─工程师 [允许：发动机室，武器室]

   ├─Han

   ├─R2D2

   └─Hontook

This shows how easy it is to grant new people access. If we used the original matrix scheme, we'd have to set permissions for each room for both Lando and Hontook. Instead, we simply add them to their appropriate groups and their access is implicitly and easily defined.
上例显示出添加新人的权限是多么的容易。如果我们还使用原始的权限表的话，我们将不得不为Lando和Hontook设置到每个房间的权限。而现在，我们只需要简单将他们添加到合适的组中，他们的权限就被轻易的设定了。