[Zope-CMF] Grouping Members ??

Shane Hathaway shane@digicool.com
Thu, 05 Apr 2001 10:09:04 -0400


Johan Carlsson wrote:
> > I believe you can get a similar effect by assigning many users a role.
> > This allows you to achieve the effect that you are looking for.
> 
> IMHO, This isn't flexible enought.
> I would like to assign special roles with in a group, for instance
> have someone having a Manager role within the group.
> You do this in Zope by having a seperate acl_folder but the
> you would tie that group to a specific branch. Also the
> acl_folder would have to be a proxy for a centralized acl_folder
> if you want to manage all users form the same source.
> 
> The thing is that groups should connect user together with different
> roles (and in turn diffrent permissions), not connect users together
> to a fixed set of set of permissions.
> 
> Another problem with using roles as groups is that in a large
> community with allot of groups you would have roles polution
> making the current permission UI virtualy unmanagable.
> Sticking to a small set of roles   and using local_roles and
> local_groups would avoid that problem.

I came to exactly the same conclusion with regards to roles and groups. 
Let's say you have 1000 users and 10 different folders for each of 10
company departments.  Your roles are simple: "Employee", "Department
manager", and "Department member".  Everyone is an employee so that's
easy.  But you don't want to have to set the local roles for each
employee manually.  Instead, you want to assign each employee to a
group: "HR", "Accounting", "Engineering", etc.  Then you want Zope to
give them local roles according to their group assignments.  The group
assignments don't necessarily correspond to folder names.  The group
assignments would be easily managed since they would all be in one
place.  Local roles, as they are now, are scattered.

Again, this is what ACLManager did.  But instead of doing it the way
ACLManager did it, I think we need to look at patching the
getRolesInContext() method so that local roles can be computed
dynamically without requiring excessive computation.

Shane