[Zope3-dev] Initial thoughts on the Zope3 security framework
Jim Fulton
jim@zope.com
Mon, 10 Dec 2001 13:56:13 -0500
Guido van Rossum wrote:
>
> > > [me]
> > > > > OK, that makes sense -- just as there can be user folders sitting
> > > > > anywhere in a tree, there can be roles defined anywhere in the tree,
> > > > > and they propagate down in the same way. Right?
> > >
> > > [Ken]
> > > > Close.
>
> [me again]
> > > This suggests I wasn't quite right (as in "close, but no cigar"), but
> > > the rest of what you write doesn't explain where I was wrong.
>
> [Ken again]
> > I was trying to clarify "roles defined". I saw at least three
> > alternatives: declaration of role names, role-to-permission mapping, and
> > role-to-user mappings. In fact, it's the third - local roles express
> > role-to-user mappings. (As i went on to say, role-to-permission mappings
> > are done separately, and i also (patting myself on the back:) gave some
> > examples using local roles.)
>
> Ah, that *does* clarify things. So role names and role-to-permission
> mappings are totally global and central?

Any setting can be made in multiple places; however, role and permission
*definition* tends to be done centrally, where "central" in this sense is
a bit relative. In most cases, a site will have one set of role definitions
and one set of permission definitions. Some sites might include "sub-sites",
where sub-sites have their own "global" definitions, that build on
the site global definitions.

Jim
--
Jim Fulton mailto:jim@zope.com Python Powered!
CTO (888) 344-4332 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
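
The three kinds of setting distinguished in this thread (role names, role-to-permission mappings, and local role-to-user mappings), as an added example that is not part of the original message and is not Zope3 code. The `Node` class, the function names and the sample site are hypothetical, and the model assumes settings made at different levels simply combine additively down the tree.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """One object in the containment tree (hypothetical model, not a Zope3 API)."""
    name: str
    parent: "Node | None" = None
    local_roles: dict = field(default_factory=dict)  # user -> roles granted here
    role_perms: dict = field(default_factory=dict)   # role -> permissions defined here

    def path_from_root(self):
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return reversed(chain)

def roles_for(user, node):
    """Local roles (role-to-user mappings) apply at the node and everything below it."""
    roles = set()
    for n in node.path_from_root():
        roles |= n.local_roles.get(user, set())
    return roles

def permissions_for_role(role, node):
    """Site-level definitions, extended by any sub-site definitions on the path.
    Assumption: sub-site settings add to, and never remove, site settings."""
    perms = set()
    for n in node.path_from_root():
        perms |= n.role_perms.get(role, set())
    return perms

def has_permission(user, permission, node):
    return any(permission in permissions_for_role(r, node)
               for r in roles_for(user, node))

# Constructed sample: one site, one sub-site with its own "global" definitions.
site = Node("site", role_perms={"Editor": {"View", "Edit"}, "Reader": {"View"}})
subsite = Node("subsite", parent=site,
               role_perms={"Editor": {"Publish"}},   # builds on the site definition
               local_roles={"alice": {"Editor"}})    # local role: role-to-user mapping
doc = Node("doc", parent=subsite)
other = Node("other", parent=site, local_roles={"alice": {"Reader"}})

if __name__ == "__main__":
    for target, perm in [(doc, "Publish"), (other, "Edit"), (other, "View")]:
        print(target.name, perm, has_permission("alice", perm, target))
```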