Reputation: 48899
The documentation lacks some details about ACL. It's as simple as invoking createAcl
on the domain object after persisting it, then putting a mask with insertObjectAce
on the user/object.
But how does Symfony2 manage ACLs internally? Are some extra columns added to the table?

```php
use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
use Symfony\Component\Security\Acl\Permission\MaskBuilder;

// inside a controller action: persist first so the object has an identifier
$entityManager = $this->get('doctrine.orm.default_entity_manager');
$entityManager->persist($comment);
$entityManager->flush();

// creating the ACL
$aclProvider = $this->get('security.acl.provider');
$objectIdentity = ObjectIdentity::fromDomainObject($comment);
$acl = $aclProvider->createAcl($objectIdentity);

// retrieving the security identity of the currently logged-in user
$securityContext = $this->get('security.context');
$user = $securityContext->getToken()->getUser();
$securityIdentity = UserSecurityIdentity::fromAccount($user);

// grant owner access
$acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_OWNER);
$aclProvider->updateAcl($acl);
```

Upvotes: 1
Views: 924
Reputation: 8855
It creates a bunch of new tables.
The tables are ordered from least rows to most rows in a typical application:
- acl_security_identities: This table records all security identities (SID) which hold ACEs. The default implementation ships with two security identities: RoleSecurityIdentity and UserSecurityIdentity.
- acl_classes: This table maps class names to a unique id which can be referenced from other tables.
- acl_object_identities: Each row in this table represents a single domain object instance.
- acl_object_identity_ancestors: This table allows us to determine all the ancestors of an ACL in a very efficient way.
- acl_entries: This table contains all ACEs. This is typically the table with the most rows. It can contain tens of millions without significantly impacting performance.
In fact, this chapter explains a lot of things about how ACLs are managed internally by Symfony2:
http://symfony.com/doc/current/cookbook/security/acl_advanced.html
Upvotes: 2
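
To make the table layout in the answer concrete, the following added example (not part of either post and not Symfony's own code) models four of those tables in an in-memory SQLite database and lists which security identity holds which mask on which object. Assumptions: the column names are taken to match the ACL component's default schema and are reduced to the ones the query reads, and the class names, user and rows are constructed.

```python
import sqlite3

# MaskBuilder bit values from the Symfony ACL component.
MASKS = {1: "VIEW", 2: "CREATE", 4: "EDIT", 8: "DELETE",
         16: "UNDELETE", 32: "OPERATOR", 64: "MASTER", 128: "OWNER"}

# Assumption: reduced copies of four ACL tables, only the columns read below.
SCHEMA = r"""
CREATE TABLE acl_classes (id INTEGER PRIMARY KEY, class_type TEXT);
CREATE TABLE acl_security_identities (id INTEGER PRIMARY KEY, identifier TEXT, username INTEGER);
CREATE TABLE acl_object_identities (id INTEGER PRIMARY KEY, class_id INTEGER, object_identifier TEXT);
CREATE TABLE acl_entries (id INTEGER PRIMARY KEY, class_id INTEGER, object_identity_id INTEGER,
  security_identity_id INTEGER, field_name TEXT, ace_order INTEGER, mask INTEGER, granting INTEGER);
-- Constructed rows: comment 42 owned by user "alice", plus a class-wide VIEW for ROLE_USER.
INSERT INTO acl_classes VALUES (1, 'Acme\DemoBundle\Entity\Comment');
INSERT INTO acl_security_identities VALUES (1, 'Acme\UserBundle\Entity\User-alice', 1), (2, 'ROLE_USER', 0);
INSERT INTO acl_object_identities VALUES (1, 1, '42');
INSERT INTO acl_entries VALUES (1, 1, 1, 1, NULL, 0, 128, 1), (2, 1, NULL, 2, NULL, 0, 1, 1);
"""

# An ACE with no object_identity_id is class-scope: it applies to every object of the class.
AUDIT_SQL = """
SELECT c.class_type, o.object_identifier, s.identifier, s.username, e.mask, e.granting
FROM acl_entries e
JOIN acl_classes c ON c.id = e.class_id
JOIN acl_security_identities s ON s.id = e.security_identity_id
LEFT JOIN acl_object_identities o ON o.id = e.object_identity_id
ORDER BY e.id
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def decode(mask):
    """Names of the permission bits set in a stored mask."""
    return [name for bit, name in MASKS.items() if mask & bit]

def audit(conn):
    """One tuple per ACE: scope, class, object id, SID, SID kind, permissions, granting."""
    return [("object" if obj is not None else "class", cls, obj, sid,
             "user" if is_user else "role", decode(mask), bool(granting))
            for cls, obj, sid, is_user, mask, granting in conn.execute(AUDIT_SQL)]

if __name__ == "__main__":
    for row in audit(build_db()):
        print(row)
```

The owner row stores only the single bit 128, so a report built this way should treat OWNER as covering the lesser permissions, since the permission map rather than the stored mask is what lets an owner pass VIEW or EDIT checks.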