[Zope-dev] LOTS of roles?

Paul Winkler pw_lists@slinkp.com
Fri, 21 Feb 2003 16:28:47 -0500


Has anybody ever set up a site with a large number of roles?
We're contemplating a security model for our app that might
lead to ~ 100 Roles within a year, possibly thousands
within the next 5 years.  (An outline of the actual problem is
at the end of this message.)

(The users and roles will be managed in LDAP, by the way;
we plan to use LDAPUserFolder for this and not do any
user or role administration in Zope.)

I seem to recall the Zope Book or some other text
advising against large numbers of roles, but IIRC that
was only because of the UI. Obviously the ZMI default 
Security tab will not scale.
I think I can replace that without too much trouble:
possibly have the main page list only the roles vertically,
with each one being a link to manage_roleForm as it is currently.
As the number of roles grows very large this main page
could be broken into batches if necessary.
And of course there'd be a link to another page with a list
of permissions to manage, and each of those would link
to manage_permissionForm.
I'm also thinking of using checkboxes, as with the current UI it is too easy
to unselect everything by accident.

The question is, if I can solve the interface issues, are
there other reasons not to have hundreds or thousands of roles?
It seems to me that there should not be performance issues,
since I assume that finding the current user's roles
is just a dictionary lookup which should scale pretty well...
we're not talking millions of roles here, and each user
will have only a handful of roles.

Comments?

More about our scenario:

* We must anticipate users at hundreds of locations

* There might be 10 or so users at each location

* Permissions can be grouped pretty well into tasks, but are
  specific to a location - permission to do a task at one
  location must not mean permission at all locations.
  To me this suggests several Roles per location, corresponding
  to the grouped tasks at that location.

* Each user might work from several different locations

* Each user might need different permissions when working
  at different locations

* We have multiple applications, not all in Zope, so LDAP is looking
  attractive.


-- 

Paul Winkler
http://www.slinkp.com
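The scenario above (permissions grouped into tasks, one role per task per location, each user holding only a handful of roles) can be modelled in a few dozen lines. The following is an added example, not Zope, LDAPUserFolder or the poster's code: it is a plain-Python toy that shows two things the post argues for. First, the total role count grows as tasks multiplied by locations, so "hundreds of locations" does put you in the thousands-of-roles range. Second, answering "is this user allowed to do X at location Y" only ever touches the user's own roles (a dictionary lookup plus a scan over that handful), not the full role table, so the role count itself is not what drives lookup cost. The task names, permission names and location ids are constructed sample data.

```python
"""Toy model of location-scoped roles (added example, not Zope or LDAPUserFolder code)."""
from __future__ import annotations


def role_name(task: str, location: str) -> str:
    """One role per (task, location) pair, e.g. 'edit@loc017' (naming scheme is an assumption)."""
    return f"{task}@{location}"


class LocationScopedRoles:
    """Minimal RBAC model: permissions are grouped into tasks, and a role is a
    task granted at exactly one location. Each user's roles are kept in a set
    keyed by user id, so "which roles does this user hold?" is one dictionary
    lookup regardless of how many roles exist overall."""

    def __init__(self) -> None:
        self._task_permissions: dict[str, frozenset[str]] = {}
        self._locations: set[str] = set()
        self._user_roles: dict[str, set[str]] = {}

    def define_task(self, task: str, permissions: set[str]) -> None:
        self._task_permissions[task] = frozenset(permissions)

    def add_location(self, location: str) -> None:
        self._locations.add(location)

    def total_roles(self) -> int:
        """Role count grows as tasks x locations: the 'hundreds or thousands' case."""
        return len(self._task_permissions) * len(self._locations)

    def grant(self, user: str, task: str, location: str) -> None:
        """Give a user one task at one location; unknown tasks/locations are rejected."""
        if task not in self._task_permissions:
            raise KeyError(f"unknown task {task!r}")
        if location not in self._locations:
            raise KeyError(f"unknown location {location!r}")
        self._user_roles.setdefault(user, set()).add(role_name(task, location))

    def roles_of(self, user: str) -> frozenset[str]:
        """Single dictionary lookup; a user with no grants simply has no roles."""
        return frozenset(self._user_roles.get(user, ()))

    def permitted(self, user: str, permission: str, location: str) -> bool:
        """Check one permission at one location. Work is proportional to the
        handful of roles the *user* holds, not to the total number of roles."""
        for role in self.roles_of(user):
            task, _, role_location = role.rpartition("@")
            if role_location != location:
                continue  # a role at another location must not count here
            if permission in self._task_permissions[task]:
                return True
        return False


def build_demo() -> LocationScopedRoles:
    """Constructed sample: 3 tasks at 300 locations -> 900 roles, two users."""
    model = LocationScopedRoles()
    model.define_task("edit", {"Add Documents", "Change Documents"})
    model.define_task("review", {"View", "Review Documents"})
    model.define_task("publish", {"View", "Publish Documents"})
    for i in range(300):
        model.add_location(f"loc{i:03d}")
    model.grant("alice", "edit", "loc001")
    model.grant("alice", "review", "loc002")
    model.grant("bob", "publish", "loc001")
    return model


if __name__ == "__main__":
    m = build_demo()
    print("total roles:", m.total_roles())
    print("alice may change documents at loc001:", m.permitted("alice", "Change Documents", "loc001"))
    print("alice may change documents at loc002:", m.permitted("alice", "Change Documents", "loc002"))
```

The check in `permitted` deliberately compares the location before looking at the task's permissions, so a role granted at one location can never satisfy a check at another, which is the property the post says the model must have. Whether the real lookup is equally cheap depends on how the user folder (here, LDAPUserFolder) fetches and caches a user's roles, which this toy does not model.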