[Zope3-dev] Initial thoughts on the Zope3 security framework

Martijn Faassen faassen@vet.uu.nl
Fri, 14 Dec 2001 01:19:49 +0100


Jeremy Hylton wrote:
> How much stress would it cause if we migrated more of the Zope
> security architecture towards standard terminology?  I believe the
> thing Zope calls a "role" is typically called a "group."  A group has
> a set of permissions associated with it.  A principal is associated
> with a set of groups, which implies the permissions of the group.

implies the permissions of the principal, right? Another thing to note
is that these are "local groups"; is that standard terminology at all?

How does this interact with the desire to have named groups in Zope?

I.e., I want to say Foo is in group Bar. Then I say Bar gets local role
X here, and local role Y there. Any user in Bar gets the same permissions.
The group a user may be in could be stored literally, but it could also be
determined (globally this time) out of user metadata (such as LDAP data;
users that are employees in LDAP join the employee group which may have
certain local roles in certain places).

If we call role 'group' this implies we do this directly, but then does
this mean I have to set a large number of local permissions everywhere I
want to give this group extra permissions somewhere (such as read permission)?

Regards,

Martijn
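
The layering asked about in the message above (user in a named group, group given local roles per location, roles mapping to permissions), as an added sketch that is not part of the original post and is not Zope's API. All names, paths and data are constructed, and inheriting local roles from containing locations is an assumption of this example.

```python
# Hypothetical model, not Zope code: user -> groups -> local roles -> permissions.

# Role -> permissions, defined once (constructed names).
ROLE_PERMISSIONS = {
    "X": {"read"},
    "Y": {"read", "edit"},
}

# Constructed user metadata, standing in for a directory such as LDAP.
USER_METADATA = {
    "foo": {"employee": True},
    "guest": {"employee": False},
}

# Group membership stored literally.
STORED_GROUPS = {"foo": {"Bar"}}

# Local role grants: location -> {group: roles}. One entry per group, not per user.
LOCAL_ROLES = {
    "/site/docs": {"Bar": {"X"}},
    "/site/docs/drafts": {"Bar": {"Y"}},
    "/site/hr": {"employee": {"X"}},
}


def groups_of(user):
    """Union of stored groups and groups computed globally from metadata."""
    groups = set(STORED_GROUPS.get(user, ()))
    if USER_METADATA.get(user, {}).get("employee"):
        groups.add("employee")
    return groups


def ancestors(path):
    """Yield the path itself and each containing location (assumed inheritance)."""
    parts = path.strip("/").split("/")
    for i in range(len(parts), 0, -1):
        yield "/" + "/".join(parts[:i])


def permissions(user, path):
    """Permissions the user holds at path through the local roles of their groups."""
    granted = set()
    user_groups = groups_of(user)
    for location in ancestors(path):
        for group, roles in LOCAL_ROLES.get(location, {}).items():
            if group in user_groups:
                for role in roles:
                    granted |= ROLE_PERMISSIONS[role]
    return granted
```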