**Access control** on the web is quite varied, but its most common form is role-based access control. In brief, every identified user may belong to any number of //usergroups// and may hold any number of user-individual //access rights//; a usergroup may in turn be given any number of access rights. Usergroups are always additive: if usergroup A has the rights X and Y and usergroup B has the rights X and Z, a user in both A and B has the rights X, Y and Z. Every //access right// can be arbitrarily assigned to low-level or high-level actions, and any such action may carry prerequisites (such as the in-built 'democratic' modifier, which requires the other members of the usergroup to agree).

===== Common access rights =====

  * RESTART (the right to restart a Fragment, server or network)
  * REVOKE (the right to remove any access right)
  * GRANT (the right to grant other users any right from the set one holds oneself, GRANT included, and to remove access rights from users who do not hold GRANT)
  * EVICT (the right to kick or ban a user)
  * MOLD (the right to reshape the landscape)
  * GLOBAL (the right to send Fragment-global messages)
  * ROLE (the right to swap places with a Puppet that has a predefined role)
  * QUARANTINE (the right to create a quarantine zone)
  * [[technology:evanescing|RELOCATE]] (the right to remotely teleport another user)
  * [[technology:avatar|FMORPH]] (the right to bypass avatar restrictions)
  * [[technology:metadata|WRITE]] (the right to write or rewrite metadata in the Fragment)
  * [[technology:metadata|FREAD]] (the right to access all metadata in the Fragment, even metadata flagged as incomplete or Fragment-private)
  * [[technology:evanescing|HOP]] (the right to teleport throughout the Fragment)
  * [[technology:avatar|MORPH]] (the right to change one's avatar within the avatar restrictions)
  * [[technology:metadata|READ]] (the right to access regular metadata)

===== Common usergroups =====

Guest / User:
  * HOP
  * MORPH
  * READ

Guide:
  * //all guest/user access rights//
  * ROLE
  * RELOCATE
  * FMORPH
  * FREAD

Gamemaster:
  * //all guide access rights//
  * WRITE

Moderator:
  * //all gamemaster access rights//
  * EVICT

Admin:
  * //all moderator access rights//
  * QUARANTINE
  * GRANT
  * MOLD
  * GLOBAL

Founder:
  * //all admin access rights//
  * REVOKE
  * RESTART (democratic; requires all founders to agree)

===== Authentication =====

Actual user authentication (i.e. establishing who a connecting user is) varies strongly between servers. Sanctuary (re)identifies a user on every connection to a Fragment by checking their hostmask and running an automated challenge-response handshake that can only be completed with the user's private key; it then maintains a session for as long as the user remains in that Fragment. This holds for [[terminology:Denizen|Denizens]] (which are expected to connect with a //localhost// hostmask) as well as for [[terminology:Citizen|Citizens]]. [[terminology:Puppet:autonomous|Autonomous Puppets]] are free to move between Fragments; foreign autonomous Puppets are instead authenticated once, on connection to Sanctuary as a whole.

{{tag>[work-in-progress]}}
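The usergroup and access-right rules described above, as an added example that is not part of this page or of Sanctuary's own code: a small Python model of additive usergroups, the GRANT subset rule, REVOKE, and the democratic modifier on RESTART. The usergroups and rights are the ones listed on this page; the user names, the `revoked` bookkeeping and the exact effect of removing a right are assumptions of the example.

```python
# Added example, not code from the Sanctuary wiki: a minimal model of the
# additive usergroup / access-right scheme, including the GRANT subset rule,
# REVOKE, and the 'democratic' modifier on RESTART. User names and the
# 'revoked' bookkeeping are assumptions of this example.
from dataclasses import dataclass, field

# Usergroups as listed under "Common usergroups"; each inherits the one below.
GROUP_RIGHTS = {"user": {"HOP", "MORPH", "READ"}}
GROUP_RIGHTS["guide"] = GROUP_RIGHTS["user"] | {"ROLE", "RELOCATE", "FMORPH", "FREAD"}
GROUP_RIGHTS["gamemaster"] = GROUP_RIGHTS["guide"] | {"WRITE"}
GROUP_RIGHTS["moderator"] = GROUP_RIGHTS["gamemaster"] | {"EVICT"}
GROUP_RIGHTS["admin"] = GROUP_RIGHTS["moderator"] | {"QUARANTINE", "GRANT", "MOLD", "GLOBAL"}
GROUP_RIGHTS["founder"] = GROUP_RIGHTS["admin"] | {"REVOKE", "RESTART"}

# Rights carrying the 'democratic' modifier, mapped to the usergroup whose
# members must all agree. The page names only RESTART for founders.
DEMOCRATIC = {"RESTART": "founder"}


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)      # usergroup memberships
    individual: set = field(default_factory=set)  # user-individual rights
    revoked: set = field(default_factory=set)     # stripped by GRANT/REVOKE (assumed)

    def rights(self):
        # Usergroups are additive: the union of every group plus individual
        # rights, minus anything explicitly removed from this user.
        out = set(self.individual)
        for g in self.groups:
            out |= GROUP_RIGHTS[g]
        return out - self.revoked


class Fragment:
    def __init__(self, users):
        self.users = {u.name: u for u in users}

    def has(self, who, right):
        return right in self.users[who].rights()

    def grant(self, actor, target, right):
        """GRANT: an actor may hand out only rights it holds itself (GRANT included)."""
        if not {"GRANT", right} <= self.users[actor].rights():
            return False
        t = self.users[target]
        t.individual.add(right)
        t.revoked.discard(right)
        return True

    def remove(self, actor, target, right):
        """GRANT may strip rights only from users without GRANT; REVOKE from anyone."""
        a, t = self.users[actor], self.users[target]
        allowed = "REVOKE" in a.rights() or (
            "GRANT" in a.rights() and "GRANT" not in t.rights())
        if not allowed:
            return False
        t.individual.discard(right)
        t.revoked.add(right)
        return True

    def restart(self, actor, agreeing):
        """RESTART is democratic: every founder must agree, not just the actor."""
        if not self.has(actor, "RESTART"):
            return False
        group = DEMOCRATIC["RESTART"]
        members = {n for n, u in self.users.items() if group in u.groups}
        return members <= set(agreeing) | {actor}


def rbac_demo():
    """Constructed scenario; returns the outcome of each check."""
    frag = Fragment([
        User("ada", {"founder"}), User("bob", {"founder"}),
        User("cy", {"admin"}), User("dee", {"guide"}, {"GLOBAL"}),
        User("eve", {"user"}),
    ])
    out = {}
    out["eve_read"] = frag.has("eve", "READ")             # a plain user reads metadata
    out["eve_fread"] = frag.has("eve", "FREAD")           # but not private metadata
    out["dee_additive"] = frag.users["dee"].rights() == GROUP_RIGHTS["guide"] | {"GLOBAL"}
    out["admin_grants_mold"] = frag.grant("cy", "eve", "MOLD")      # cy holds MOLD and GRANT
    out["admin_grants_revoke"] = frag.grant("cy", "eve", "REVOKE")  # cy lacks REVOKE: refused
    out["grant_strips_founder"] = frag.remove("cy", "ada", "MOLD")  # ada holds GRANT: refused
    out["revoke_strips_admin"] = frag.remove("ada", "cy", "GRANT")  # REVOKE may remove anything
    out["cy_lost_grant"] = frag.has("cy", "GRANT")
    out["restart_alone"] = frag.restart("ada", [])
    out["restart_agreed"] = frag.restart("ada", ["bob"])
    return out
```

The two checks worth noting for anyone implementing this: GRANT can only hand out rights the actor already holds, so delegation never escalates beyond the delegator, and GRANT cannot touch another GRANT holder, which leaves REVOKE (founders) as the only way to demote an admin.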
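The connection handshake described under Authentication, as an added example that is not Sanctuary's code: Sanctuary checks the hostmask, issues a fresh nonce, the user signs it with their private key, and a per-Fragment session is opened, while a foreign autonomous Puppet gets a single Sanctuary-wide session. Of the two checks only the signature proves identity; a hostmask can be spoofed by whoever controls the network path, so the model treats it as a pre-filter and binds the signed transcript to the nonce, the user name and the Fragment so that an answer cannot be replayed elsewhere. The signature scheme (Schnorr over secp256k1, written out in full so the block runs offline), the names, hostmasks and the `"*"` scope convention are all assumptions; the page names no scheme.

```python
# Added example, not code from the Sanctuary wiki: the "Authentication" flow
# modelled end to end. Sanctuary checks the hostmask, issues a fresh nonce, the
# user signs it with their private key, and a session is held per Fragment; a
# foreign autonomous Puppet gets one Sanctuary-wide session. Schnorr over
# secp256k1 is an assumption made so this runs offline; the wiki names no scheme.
import hashlib
import secrets

P = 2**256 - 2**32 - 977                      # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if a == b
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def keygen():
    x = secrets.randbelow(N - 1) + 1          # private scalar never leaves the user
    return x, ec_mul(x, G)

def _challenge(R, msg):
    h = hashlib.sha256(R[0].to_bytes(32, "big") + R[1].to_bytes(32, "big") + msg)
    return int.from_bytes(h.digest(), "big") % N

def sign(x, msg):
    k = secrets.randbelow(N - 1) + 1
    R = ec_mul(k, G)
    return R, (k + _challenge(R, msg) * x) % N

def verify(Y, msg, sig):
    R, s = sig
    return ec_mul(s, G) == ec_add(R, ec_mul(_challenge(R, msg), Y))

def transcript(nonce, name, scope):
    # Bind the answer to nonce, identity and scope (a Fragment, or "*" for a
    # Sanctuary-wide Puppet session) so it cannot be replayed elsewhere.
    return nonce + name.encode() + b"@" + scope.encode()

class Sanctuary:
    def __init__(self):
        # name -> (expected hostmask, public key); (name, scope) -> nonce / token
        self.registry, self.pending, self.sessions = {}, {}, {}

    def register(self, name, hostmask, pub):
        self.registry[name] = (hostmask, pub)

    def connect(self, name, hostmask, scope):
        """Step 1: hostmask must match the registration; then issue a nonce."""
        reg = self.registry.get(name)
        if reg is None or reg[0] != hostmask:
            return None
        self.pending[(name, scope)] = nonce = secrets.token_bytes(16)
        return nonce

    def respond(self, name, scope, sig):
        """Step 2: the answer must sign this attempt's nonce; then open a session."""
        nonce = self.pending.pop((name, scope), None)
        if nonce is None or not verify(self.registry[name][1], transcript(nonce, name, scope), sig):
            return None
        self.sessions[(name, scope)] = token = secrets.token_hex(8)
        return token

    def leave(self, name, scope):
        self.sessions.pop((name, scope), None)

    def active(self, name, fragment):
        return (name, fragment) in self.sessions or (name, "*") in self.sessions

def auth_demo():
    """Constructed scenario (made-up names and hostmasks); returns each outcome."""
    s = Sanctuary()
    (den_priv, den_pub), (pup_priv, pup_pub) = keygen(), keygen()
    s.register("denizen", "localhost", den_pub)      # Denizens connect from localhost
    s.register("puppet", "far.example", pup_pub)     # a foreign autonomous Puppet
    out = {}
    nonce = s.connect("denizen", "localhost", "fragment-a")
    sig = sign(den_priv, transcript(nonce, "denizen", "fragment-a"))   # client side
    out["denizen_ok"] = s.respond("denizen", "fragment-a", sig) is not None
    out["bad_hostmask"] = s.connect("denizen", "evil.example", "fragment-a") is not None
    s.connect("denizen", "localhost", "fragment-b")  # fresh nonce: the old signature must fail
    out["replay"] = s.respond("denizen", "fragment-b", sig) is not None
    nonce = s.connect("puppet", "far.example", "*")
    s.respond("puppet", "*", sign(pup_priv, transcript(nonce, "puppet", "*")))
    out["puppet_anywhere"] = s.active("puppet", "fragment-a") and s.active("puppet", "fragment-b")
    s.leave("denizen", "fragment-a")
    out["after_leave"] = s.active("denizen", "fragment-a")
    return out
```

The nonce is consumed on the first `respond` for that attempt whether or not verification succeeds, so an attacker who captures one answer gains nothing: the next connection gets a new nonce, and a signature over the old transcript no longer verifies. A real deployment would swap the hand-written curve arithmetic for a standard library implementation of Ed25519 or ECDSA; the protocol shape stays the same.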