Using pyramid authentication with pyramid

Posted 2019-03-10 04:04

Question:

In the Pyramid documentation, the SQLAlchemy Dispatch Tutorial uses dummy data in security.py. I needed to use MySQL data, so I implemented it like this:

My Login Code

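import hashlib

from pyramid.httpexceptions import HTTPFound
from pyramid.security import remember
from pyramid.view import view_config
from sqlalchemy import and_

from .models import DBSession, Users

@view_config(route_name='login', renderer='json', permission='view')
def user_login(request):
    session = DBSession
    username = request.params['username']
    password = request.params['password']
    # Unsalted MD5 hex digest of the submitted password
    sha = hashlib.md5()
    sha.update(password.encode('utf-8'))
    password = sha.hexdigest()
    # Count the rows matching both the username and the password digest
    user = session.query(Users).filter(and_(Users.username == username, Users.password == password)).count()
    if user != 0:
        # Issue the auth headers so later requests carry this username
        headers = remember(request, username)
        return HTTPFound(location='/index/', headers=headers)
    else:
        print("error")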

The above makes the system remember username that will be used in security.py. Below, I use this to get the group the user is in.

from .models import (
    DBSession,
    Users,
    )

def groupfinder(userid, request):
    session = DBSession()
    for instance in session.query(Users).filter(Users.username==userid):
        group = 'group:'+instance.group
        lsth = {'userid':[group]}
        return lsth.get('userid')

Is this the best way to use pyramid authorization?

Answer 1:

You have the idea right.

Your groupfinder is broken right now. Notice you have a for-loop with a return statement inside. The groupfinder should return at least an empty list [] if the user is valid. Only return None if the user is invalid.

Also an md5 of the password is pretty crappy these days. Look at the cryptacular or passlib libraries for performing a cryptographic hash instead via bcrypt.
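The two points in the answer, as an added example that is not part of the original post: a groupfinder that returns None for an unknown user and a list (possibly empty) for a valid one, and a salted slow password hash in place of MD5. To run with the standard library only, it assumes sqlite3 in place of SQLAlchemy/MySQL and hashlib.scrypt in place of bcrypt; the table layout and the helpers hash_password, verify_password, add_user and check_login are hypothetical.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory store standing in for the question's Users table.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT, grp TEXT)")


def hash_password(password, salt=None):
    """Salted scrypt hash, stored as 'salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Re-hash with the stored salt and compare in constant time."""
    salt_hex, _, _ = stored.partition("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def add_user(username, password, group=None):
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (username, hash_password(password), group))


def check_login(username, password):
    """True only if the user exists and the password matches."""
    row = db.execute("SELECT pwhash FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row is not None and verify_password(password, row[0])


def groupfinder(userid, request):
    """Pyramid callback: None for an unknown user, a list of principals
    (empty if the user has no group) for a valid one."""
    row = db.execute("SELECT grp FROM users WHERE username = ?",
                     (userid,)).fetchone()
    if row is None:
        return None
    return ["group:" + row[0]] if row[0] else []


add_user("alice", "correct horse", "editors")  # constructed sample users
add_user("bob", "hunter2")                     # valid user with no group
```

In the login view, `check_login(username, password)` would replace the MD5 comparison before `remember()` is called.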