[Zope-PAS] Re: struggling with Local Role plugin
sfmcfar at gmail.com
Wed Apr 11 18:55:32 EDT 2007
Wichert Akkerman <wichert at ...> writes:
> Use a dynamic group.
Thanks for the response. I can see where there's some similarity in the
notion of adding a role to a user dynamically and adding a user to a group
dynamically, assuming that the group has the requisite roles. But my
(and maybe I wasn't clear about this before) is that the condition that
determines access is based on both an external condition and an attribute
of the object itself, which is why I was trying to make this work with
local roles. I didn't think that the object was available from the role or
group plugins, but if I'm wrong, please let me know.
Actually, maybe I should rephrase my problem, and see if you have a
suggestion. Basically, I need to set up a security model such that
access to a given object requires a combination of "roles". For example,
I might have an object that would be labeled "Alpha", "Beta", "Gamma",
and a user must possess, at a minimum, all three roles to be able
to see the object. I could implement this with 2**n - 1 roles, so I
would have 7 roles and a separate workflow state for each role - not too
The problem is one of scale - if I have 6 labels, I end up with 63
workflow states. So instead, I was trying to use the labels as object
attributes and adding roles at runtime. Does this make sense?
Any advice you could give would be greatly appreciated.
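The two designs the message compares, sketched in plain Python as an added example (not code from the post and not the PAS plugin API). `Document`, `local_roles_for`, the `external_ok` flag and the `Reader` role name are hypothetical, and failing closed on unlabeled objects is an assumption.

```python
from itertools import combinations

LABELS = ("Alpha", "Beta", "Gamma")  # label names taken from the post


def static_roles(labels):
    """Static design: one role (and workflow state) per non-empty label combination."""
    return ["+".join(combo)
            for size in range(1, len(labels) + 1)
            for combo in combinations(labels, size)]


class Document:
    """Hypothetical content object carrying its required labels as an attribute."""

    def __init__(self, doc_id, labels):
        self.doc_id = doc_id
        self.labels = frozenset(labels)


def local_roles_for(user_labels, obj, external_ok, granted_role="Reader"):
    """Runtime design: grant `granted_role` on `obj` only if the external
    condition holds and the user holds every label on the object.
    """
    if not external_ok:
        return ()
    if not obj.labels:
        # Assumption: an unlabeled object fails closed. Without this check the
        # empty set is a subset of everything and the object is visible to all.
        return ()
    if obj.labels <= frozenset(user_labels):
        return (granted_role,)
    return ()


if __name__ == "__main__":
    doc = Document("doc-1", LABELS)  # constructed sample object
    print(len(static_roles(LABELS)), "static roles for 3 labels")
    print(local_roles_for({"Alpha", "Beta"}, doc, external_ok=True))
    print(local_roles_for({"Alpha", "Beta", "Gamma", "Delta"}, doc, external_ok=True))
```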