[Zope3-dev] Initial thoughts on the Zope3 security framework

Shane Hathaway shane@zope.com
Fri, 14 Dec 2001 10:33:15 -0500


Guido van Rossum wrote:

> I think Phillip has made a very clear distinction between roles and
> groups: roles are local, groups are not.  It also makes sense to map
> groups to local roles.


Here are my thoughts.  "Groups" is a fuzzy term, but there is a definite 
need for "workgroups"--places where sets of principals are given extra 
privileges.  Today people do this using local roles, but it can be 
cumbersome.  You'd really like to have a central principal source, such 
as an LDAP connection, then grant roles in specific places according to 
data provided in the LDAP record.

Zope security uses three mappings: principals to roles, roles to 
permissions, and permissions to methods.  I've been trying to prove to 
myself for months that we really need four mappings, with principals 
mapping to groups and groups mapping to roles, but have failed to do so 
since it would add complexity and you can already achieve the desired 
effect if you just have computed local roles.

So we need either computed local roles or groups.

Shane
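The three mappings described above (principals to roles, roles to permissions, permissions to methods) and the "computed local roles" alternative to a separate groups layer can be made concrete in a few dozen lines. The following is an added illustration written for this page, not Zope code: the `Principal`, `Folder`, `roles_in_context` and `may_call` names are assumptions, the `memberOf` attribute stands in for whatever an LDAP record would actually carry, and the role and permission tables are constructed sample data. The point it demonstrates is that a workgroup grant (everyone in the docs team is an Editor inside the `docs` folder, and nowhere else) needs no fourth mapping: a callable attached to the folder derives local roles from the principal's central record at check time. The check is deny-by-default for methods that carry no declared permission.

```python
"""Toy model of a three-mapping access check with stored and computed local roles.
Constructed example for illustration; not the Zope security machinery."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Mapping 3: permission -> methods it protects (constructed sample data).
PERMISSION_METHODS: Dict[str, Set[str]] = {
    "View": {"index_html", "read"},
    "Edit": {"edit", "save"},
    "Manage": {"manage_settings"},
}

# Mapping 2: role -> permissions (constructed sample data, global for simplicity).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "Anonymous": {"View"},
    "Editor": {"View", "Edit"},
    "Manager": {"View", "Edit", "Manage"},
}


@dataclass
class Principal:
    """A user as delivered by a central principal source (hypothetical shape)."""
    id: str
    global_roles: Set[str]
    attrs: Dict[str, list]  # stands in for attributes from an LDAP record


@dataclass
class Folder:
    """A location in the object tree. Local roles may be stored per principal
    or computed from the principal's attributes by callables attached here."""
    name: str
    parent: Optional["Folder"] = None
    local_roles: Dict[str, Set[str]] = field(default_factory=dict)
    role_computers: List[Callable[[Principal], Set[str]]] = field(default_factory=list)


def roles_in_context(principal: Principal, folder: Folder) -> Set[str]:
    """Mapping 1, evaluated in place: global roles plus every stored or computed
    local role granted on this folder or any ancestor (acquisition-style walk)."""
    roles = set(principal.global_roles)
    node: Optional[Folder] = folder
    while node is not None:
        roles |= node.local_roles.get(principal.id, set())
        for compute in node.role_computers:
            roles |= compute(principal)
        node = node.parent
    return roles


def permission_for_method(method: str) -> Optional[str]:
    """Reverse lookup of mapping 3; None means the method is not protected."""
    for perm, methods in PERMISSION_METHODS.items():
        if method in methods:
            return perm
    return None


def may_call(principal: Principal, folder: Folder, method: str) -> bool:
    """Deny unless some role the principal holds *here* carries the permission
    that protects the method. Undeclared methods are denied by default."""
    perm = permission_for_method(method)
    if perm is None:
        return False
    return any(perm in ROLE_PERMISSIONS.get(role, set())
               for role in roles_in_context(principal, folder))


def workgroup_role(group_dn: str, role: str) -> Callable[[Principal], Set[str]]:
    """Computed local role: members of a group in the central directory get
    `role` in the folder this callable is attached to, and nowhere else."""
    def compute(principal: Principal) -> Set[str]:
        return {role} if group_dn in principal.attrs.get("memberOf", []) else set()
    return compute


def build_site() -> Dict[str, Folder]:
    """Constructed tree: docs-team members edit under /docs; bob manages /finance."""
    root = Folder("root")
    docs = Folder("docs", parent=root,
                  role_computers=[workgroup_role("cn=docs-team", "Editor")])
    finance = Folder("finance", parent=root, local_roles={"bob": {"Manager"}})
    reports = Folder("reports", parent=finance)  # inherits bob's stored local role
    return {"root": root, "docs": docs, "finance": finance, "reports": reports}


if __name__ == "__main__":
    site = build_site()
    alice = Principal("alice", set(), {"memberOf": ["cn=docs-team"]})
    print("alice may edit /docs:", may_call(alice, site["docs"], "edit"))
    print("alice may edit /finance:", may_call(alice, site["finance"], "edit"))
```

The computed role is evaluated only where it was attached, so a directory change (alice leaves the docs team) takes effect on the next check without touching any stored local-role data, which is the maintenance burden the message attributes to hand-managed local roles.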