<?php // I create a permission $permission=\Model\Auth_Permission::forge( array( 'area' => 'admin', 'permission' => 'list', 'description' => $desc, 'actions' => array('list', 'add', 'edit', 'delete', 'modify'), ) ); $permission->save(); // return ID 1 // I link a permission with a group $permission_group=\Model\Auth_Grouppermission::forge(array( 'group_id'=>4, 'perms_id'=>1, 'actions'=>= array(1,2) )); $permission_group->save(); // user ID:6 associated to group_id: 4 log on this controller : if ( \Auth::has_access('admin.list[delete]')) { echo 'you have access ...'; } // its echo : you have access ... /// but it should not, is a bug ?