The ACL is for determining whether a user has access to a resource. The Auth package is for identifying and authenticating users. What ties them together? Furthermore, what can one use to determine the parent roles of an identity? The answer is the Role Provider. The Role Provider is a mediator that sits between the Acl and Auth packages so neither has to know about the other.

The Role Provider interface, Xyster_Acl_Role_Provider_Interface, has two methods:

Xyster_Acl_Role_Provider is a default implementation of this interface. Given an identity, it will return a Zend_Acl_Role object with the identity as the role ID. The getParents method will just return an empty array.

Using this object makes it simple to authenticate a client and then add it to the ACL.

<?php
$provider = new Xyster_Acl_Role_Provider;
$identity = Zend_Auth::getInstance()->getIdentity();
$role = $provider->getRole($identity);
$acl = new Xyster_Acl;
$acl->addRole($role, $provider->getParents($role));

In this case, having the provider is a convenience more than anything. More importantly, the Xyster_Controller_Plugin_Auth class uses a Role Provider to add the authenticated user to an ACL. See its documentation for more details.