[Zope-PTK] Roles, Groups, Security and Group Membership

[Chris Withers]

Shane Hathaway wrote:
> > The Zope problem is that Zope security has no idea about Groups.
> > As in Users/Members exist
> > There may have roles
> > They may also be members of Groups.
> > Groups may also be members of Groups.
> > Groups may also have roles associated with THEM.

> Although it's not exactly the same, you can set up "group roles".  Just
> name your roles "Group x" and assign users to those groups by giving
> them those roles.
> 
> The one thing missing in this scheme is that role mappings currently
> can't be set up to inherit from other role mappings.

If you mean a "Group X" role can't be set to be a member of the "Group
Y" role, then yes, that's exactly what I meant ;-)

> Perhaps you're looking for the ability to
> assign local roles based on group memberships.  

This is different but also exceptionally useful...

An example that might be relevent:

Group X produces a doc. All people in Group X can hence see it.
However, Group Y also need to see it, but Group Z absolutely must not
see it (it's their pay decreases and 'rationalization' package ;-)

How would you do this? (roles, groups, anything else ;-)

...which makes me think of a problem with 'group role': There is
potential for a large number of groups to exist. If each has a role,
your manage_security screen becomes VERY wide and a nightmare to use.
What you really want to do is, on a per object basis, say 'This group
can view this', with of course acquired defaults...

Can you put this into Zope terms for me please, my brain is a bit fried
right now... ;-)

cheers,

Chris