[Zope3-dev] Re: principals vs. users

Jim Fulton jim@zope.com
Fri, 14 Dec 2001 10:58:33 -0500


Meta-note.  I've got to finish some other work today, so I won't
have time to participate in the discussion much. I'll try to
dive in soon though.

Guido van Rossum wrote:
> 
> I just wrote a reply to Jeremy's question about the definition of
> principals, roles and permissions, and found that almost every time I
> wrote users^H^H^H^H^Hprincipals.  Is it really worth changing the
> well-known term User into the apparently not very popular term
> Principal, just to allow for the fact that some login names aren't for
> people?  Unix calls them users but has a whole slew of usernames that
> don't correspond to people, e.g. root, bin, daemon, adm, lp, mail,
> news, uucp, games, gopher, ftp, xfs, gdm...  In addition, there's the
> annoying fact that Principal and Permission both start with P.

I'm open to using user, or maybe to exposing principals as users
in user interfaces when we can tell from the context that we are
actually associated with humans.

OTOH, I think that there will be good reasons to stick with "principal", 
though the motivation won't be so strong until we start doing some
things that we can't do now. Consider some different kinds of
Principals:

- User authenticated (identified) by name only

- User authenticated by session

- User authenticated by basic auth

- User authenticated by digest auth

- An SSL certificate that might not identify a human

- A group of other principals.

Given that several principals can be associated with a single
human, it might be confusing to talk about them as separate
users.  It *might* be useful to actually have a concept labeled
"user" that is a (possibly implicit) "group" of all of the 
principals associated with a particular human.
 
> And another thing that came to me while writing that reply: in terms
> of the principal <--> permission mapping, groups and roles really are
> equivalent: both define a set of (principal, permission) pairs that's
> the intersection of some rows and some columns.  Where is my thinking
> wrong?  What is in your opinion the difference between these two?

I agree that, currently, roles and groups are operationally the same, however
the intent is very different. A "role" is a responsibility of a principal
in some place.  A group is a principal that is an assembly of other
principals.  There are (well, will be) some operational differences:

- Roles are relative to a particular object (and sub-objects).
  Groups are not context-dependent (other than the context 
  of the authentication service where they are defined).

- In the future, principals will be able to control what roles
  they can have at a point in time. They will be able to enable and
  disable roles much as they would put on and take off hats.
  It may turn out that people only have one role (wear one hat) at
  a time. This provides some significant benefits:

  o More focused user interfaces can be provided based on the
    current role,

  o Risks of client-side trojan attacks will be partly mitigated.

Jim



--
Jim Fulton           mailto:jim@zope.com       Python Powered!        
CTO                  (888) 344-4332            http://www.python.org  
Zope Corporation     http://www.zope.com       http://www.zope.org
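
The group/role distinction drawn in the message above, as an added Python example that is not part of the original post and is not Zope code. It assumes a simple containment tree; the names Node, Policy, grants and disabled, and the sample principals and permissions, are all hypothetical.

```python
# Added illustration, not Zope code: every name below is hypothetical.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    """Object in a containment tree; role grants here also cover sub-objects."""
    name: str
    parent: Optional["Node"] = None
    grants: dict = field(default_factory=dict)  # principal id -> set of role names


class Policy:
    def __init__(self):
        self.groups = {}      # group id -> member ids; defined once, no object context
        self.role_perms = {}  # role name -> set of permissions
        self.disabled = {}    # principal id -> roles that principal has "taken off"

    def identities(self, pid):
        """pid plus every group that contains it, directly or through other groups."""
        seen, todo = set(), [pid]
        while todo:
            p = todo.pop()
            if p not in seen:
                seen.add(p)
                todo += [g for g, members in self.groups.items() if p in members]
        return seen

    def active_roles(self, pid, node):
        """Roles granted at node or any ancestor, minus the ones pid has disabled."""
        ids, roles = self.identities(pid), set()
        while node is not None:
            for who, granted in node.grants.items():
                if who in ids:
                    roles |= granted
            node = node.parent
        return roles - self.disabled.get(pid, set())

    def allowed(self, pid, permission, node):
        roles = self.active_roles(pid, node)
        return any(permission in self.role_perms.get(r, ()) for r in roles)


# Constructed sample data: one group, two sibling folders, one document.
policy = Policy()
policy.groups["editors"] = {"alice"}
policy.role_perms = {"Manager": {"delete"}, "Reader": {"view"}}
root = Node("root")
docs = Node("docs", root, {"editors": {"Manager"}, "alice": {"Reader"}})
report = Node("report", docs)
wiki = Node("wiki", root)
```

Group membership resolves the same way everywhere, while the Manager role exists only under docs; once alice adds "Manager" to her disabled set, a request made in her name can no longer delete there even though the grant is still in place.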