I'm not sure I clearly get what you want to achieve. As I understood, you have a handful of user groups with common permissions for each object in the system, and are going to tune access to a particular object for a particular user. For example, the owner of an object has all permissions for the object regardless of the owner's user group.
Firstly, you should use a hierarchy of location-aware resources. In this way you can keep default permissions in the root resource and tune them in the child one:
from pyramid.security import Allow, Everyone, ALL_PERMISSIONS, DENY_ALL

class RootFactory(object):
    __name__ = ''
    __parent__ = None
    __acl__ = [
        (Allow, '__ADMIN__', ALL_PERMISSIONS),
        (Allow, 'creator', ('VIEWER', 'ANALYST', 'MANAGER', 'CREATOR')),
        (Allow, 'manager', ('VIEWER', 'ANALYST', 'MANAGER')),
        (Allow, 'analyst', ('VIEWER', 'ANALYST')),
        (Allow, 'viewer', ('VIEWER',)),  # trailing comma: a one-element tuple, not a bare string
        # (Allow, Everyone, NO_PERMISSION_REQUIRED)
        # It seems, here you want to deny access for all other users,
        # so you should use this:
        # (Deny, Everyone, ALL_PERMISSIONS)
        # or simply:
        DENY_ALL
    ]

    def __init__(self, request):
        self.request = request

    def __getitem__(self, name):
        # Pass the request through so the child can load its object
        return ChildObject(self.request, name, self)
Then in the child object constructor, you can add special permissions for this particular object:
class ChildObject(object):
    def __init__(self, request, name, parent):
        self.request = request
        self.__parent__ = parent
        self.__name__ = name
        # Do some stuff, for example loading object from DB
        # and populate other attributes of the object.
        self.owner_id = None  # placeholder: set this from the loaded object
        # Then add permission for the object's owner
        self.__acl__ = [(Allow, self.owner_id, ALL_PERMISSIONS)]
The resulting ACL will be a merged version of the root's ACL and the child's, i.e.:
[
    (Allow, self.owner_id, ALL_PERMISSIONS),
    (Allow, '__ADMIN__', ALL_PERMISSIONS),
    (Allow, 'creator', ('VIEWER', 'ANALYST', 'MANAGER', 'CREATOR')),
    (Allow, 'manager', ('VIEWER', 'ANALYST', 'MANAGER')),
    (Allow, 'analyst', ('VIEWER', 'ANALYST')),
    (Allow, 'viewer', ('VIEWER',)),
    DENY_ALL
]
As for your second question, you can find useful functions for checking permissions in the pyramid.security module.
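As an added example that is not part of the answer above, here is a stand-alone re-implementation of the lineage walk that Pyramid's ACL authorization performs over such a root/child hierarchy; it does not import Pyramid, and the resource names, principals and the `check` helper are constructed for illustration.

```python
# Added example (not from the answer above): a stand-alone re-implementation of
# Pyramid's lineage ACL walk, modelled on pyramid.authorization.ACLHelper.permits,
# so the merged root/child ACL can be exercised without Pyramid installed.
Allow, Deny, Everyone = 'Allow', 'Deny', 'system.Everyone'

class _AllPermissions:
    """Membership test always succeeds, like pyramid's ALL_PERMISSIONS."""
    def __contains__(self, permission):
        return True

ALL_PERMISSIONS = _AllPermissions()
DENY_ALL = (Deny, Everyone, ALL_PERMISSIONS)

class Resource:
    """Minimal location-aware resource: a __parent__ chain plus an __acl__."""
    def __init__(self, name, parent, acl):
        self.__name__, self.__parent__, self.__acl__ = name, parent, acl

def permits(context, principals, permission):
    """Walk from context up to the root; the first ACE that matches decides."""
    principals = set(principals) | {Everyone}  # every request carries Everyone
    node = context
    while node is not None:
        for action, principal, perms in getattr(node, '__acl__', ()):
            if principal not in principals:
                continue
            if isinstance(perms, str):  # a bare string such as ('VIEWER') is one permission
                perms = (perms,)
            if permission in perms:
                return action == Allow
        node = getattr(node, '__parent__', None)
    return False  # nothing matched in the whole lineage: implicit deny

# Constructed resources mirroring the answer: defaults at the root, owner ACE on the child.
ROOT = Resource('', None, [
    (Allow, 'manager', ('VIEWER', 'ANALYST', 'MANAGER')),
    (Allow, 'viewer', ('VIEWER',)),
    DENY_ALL,
])
REPORT = Resource('report-1', ROOT, [(Allow, 'user:alice', ALL_PERMISSIONS)])

def check(principals, permission):
    """True if the given principals may perform `permission` on REPORT."""
    return permits(REPORT, principals, permission)
```

Because the child's ACL is consulted first, the owner ACE wins for `user:alice` on REPORT, while the root's DENY_ALL still stops any principal that no earlier ACE mentions.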