Well, the basic idea behind it is to add a before_filter to the controllers you want authentication for. You can also include only, or exclude, specific actions:
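class ApplicationController < ActionController::Base
  # Run the check before every action except the listed ones ...
  before_filter :authenticated, :except => [:list, :show]
  # ... OR run it only before the listed ones (use one form, not both):
  # before_filter :authenticated, :only => [:create, :edit, :delete]

  # ... your normal actions ...

  private

  def authenticated
    # ... check user permissions ...
    # ... return true or false ...
  end
end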
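
An added example, not part of the original post: a plain-Ruby stand-in for the filter dispatch (MiniController, its `process` method and the `destroy_all` action are hypothetical, not Rails code) showing that the `:except` form keeps a newly added action behind the check while the `:only` form leaves it open.

```ruby
# Plain-Ruby stand-in for Rails' filter dispatch (hypothetical, NOT Rails
# itself) so the :only / :except semantics can be run without the framework.
class MiniController
  # Constructed sample actions; :destroy_all plays the role of an action
  # added later without anyone revisiting the filter line.
  ACTIONS = [:list, :show, :create, :edit, :delete, :destroy_all]
  ACTIONS.each { |a| define_method(a) { :ok } }

  class << self
    attr_reader :filter
    def before_filter(name, opts = {})
      @filter = opts.merge(:name => name)
    end
  end

  def initialize(user)
    @user = user
  end

  # Dispatch an action; a filter that returns false halts the request.
  def process(action)
    f = self.class.filter
    applies = if f[:only] then f[:only].include?(action)
              elsif f[:except] then !f[:except].include?(action)
              else true
              end
    return :denied if applies && !send(f[:name])
    send(action)
  end

  private

  def authenticated
    !@user.nil? # stand-in for "check user permissions"
  end
end

class ExceptStyle < MiniController
  before_filter :authenticated, :except => [:list, :show]
end

class OnlyStyle < MiniController
  before_filter :authenticated, :only => [:create, :edit, :delete]
end

# Actions an anonymous visitor (user = nil) can reach on a controller class.
def reachable_anonymously(klass)
  MiniController::ACTIONS.select { |a| klass.new(nil).process(a) == :ok }
end
```

`reachable_anonymously(ExceptStyle)` returns only `list` and `show`, while `reachable_anonymously(OnlyStyle)` also returns `destroy_all`, so reviewing a controller's filter line against its full action list is a useful audit step.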