Symfony sfGuardPlugin (group, permissions and credentials) question

I am using symfony 1.31 with propel ORM and sfGuardPlugin

I am about to setup groups and permissions. AFAIK, permissions map unto Credentials, and permissions can be assigned to groups.

I have two questions

1. Suppose a user belongs to group A, and group A has credentials 'foobar'. When a user that belongs to group A logs in, does he 'automagically' get assigned credential 'foobar', or do I have to manually, add the credential to the user (by say looking up its gr开发者_运维百科oup->permissions in the db) ?
2. Assuming the SF framework 'automagically' takes care of user credential depending on group membership, is the effect real time, or does a user have to logout/login before the changes are applied/in effect?

[Edit]

Regarding question 1, I would be grateful for a link to (preferrably the SF official documentation - failing that, any other doc), that states that this is indeed the case.

Regarding question 2, the sfSecurityUser has addCredentials method that stores credentials in the user session. Consequently, I suspect that any group membership changes are NOT real time, so I will either have to force use to logout/login or maybe use an event listener or something.. am I right (or wrong)?

EDIT:

• sfGuard Plugin Page with HTML version of Readme
• sfGuard Readme (txt) (should be included in your plugins installation dir)

If you set up sfGuard right then the crednetials will be automagic. In particular this requires you apps/$appname/lib/$userClass.class.php (typically MyUser.class.php) to extend sfGuardSecurityUser. Setting this up should be in the plugin readme.

As far as 2 goes, since the credentials have to be queried each request then it would happen immediately from the users perspective (unless of course youre using ajax to add a perm/crednetial).