[Zope3-dev] Groups and Roles *not* interchangeable
Phillip J. Eby
pje@telecommunity.com
Fri, 14 Dec 2001 11:20:32 -0500

At 03:43 PM 12/14/01 +0000, Chris Withers wrote:
>Shane Hathaway wrote:
> >
> > Zope security uses three mappings: principals to roles, roles to
> > permissions, and permissions to methods. I've been trying to prove to
> > myself for months that we really need four mappings, with principals
> > mapping to groups and groups mapping to roles, but have failed to do so
> > since it would add complexity and you can already achieve the desired
> > effect if you just have computed local roles.
> >
> > So we need either computed local roles or groups.
>
>Given that groups is a fairly global term and one of our stated aims is to
>grow Zope 10x, I would vote for groups over computed local roles here...

Given that supporting applications based on non-ZODB data sources is also
relevant to 10x, I'd have to say that computed roles and groups are *not*,
repeat *not* interchangeable. As Shane and I have both pointed out, groups
can't do what computed roles can, but computed roles *can* do what groups can.

Btw, I might also note that LoginManager also supports group-to-roles
mappings now, in the sense that you can create dummy roles that mean group
membership. There is a role-to-role mapping that you can then set up that
converts "group roles" into "real roles". So I wouldn't say that
supporting the concept of groups necessarily involves a great deal of
complexity.
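
An added sketch of the model discussed in this message, not part of the original post and not Zope's or LoginManager's code: group membership is expressed as dummy "group roles" that a role-to-role mapping expands into real roles, and roles are computed per object by rule functions. Every name, permission string and data value below is hypothetical and constructed for the illustration.

```python
# Added illustration; all names are hypothetical, not Zope or LoginManager APIs.
ROLE_PERMISSIONS = {                 # roles -> permissions
    "Editor": {"Modify content"},
    "Reviewer": {"Publish content"},
}
ROLE_TO_ROLES = {                    # dummy "group roles" -> "real roles"
    "group:staff": {"Editor"},
    "group:qa": {"Reviewer", "group:staff"},
}
# Constructed sample data standing in for an external (non-ZODB) source.
GROUP_MEMBERS = {"staff": {"bob"}, "qa": {"alice"}}


def group_rule(principal, obj):
    """Computed role that reproduces plain group membership."""
    return {"group:" + g for g, members in GROUP_MEMBERS.items()
            if principal in members}


def owner_rule(principal, obj):
    """Computed local role that depends on the object being accessed."""
    return {"Editor"} if obj.get("owner") == principal else set()


def expand_roles(roles):
    """Apply the role-to-role mapping transitively; tolerates cycles."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_TO_ROLES.get(role, ()))
    return seen


def effective_roles(principal, obj, rules=(group_rule, owner_rule)):
    """Union of every rule's output, then expanded into real roles."""
    computed = set()
    for rule in rules:
        computed |= rule(principal, obj)
    return expand_roles(computed)


def has_permission(principal, permission, obj):
    """Deny unless some effective role grants the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, ())
               for role in effective_roles(principal, obj))
```

Here `group_rule` gives the same result a principal-to-group mapping would, while `owner_rule` grants a role that varies with the object, which a fixed group list cannot express.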