[Zope3-dev] Groups and Roles *not* interchangeable

Phillip J. Eby pje@telecommunity.com
Fri, 14 Dec 2001 11:20:32 -0500


At 03:43 PM 12/14/01 +0000, Chris Withers wrote:
>Shane Hathaway wrote:
> >
> > Zope security uses three mappings: principals to roles, roles to
> > permissions, and permissions to methods.  I've been trying to prove to
> > myself for months that we really need four mappings, with principals
> > mapping to groups and groups mapping to roles, but have failed to do so
> > since it would add complexity and you can already achieve the desired
> > effect if you just have computed local roles.
> >
> > So we need either computed local roles or groups.
>
>Given that groups is a fairly global term and one of our stated aims is to
>grow Zope 10x, I would vote for groups over computed local roles here...

Given that supporting applications based on non-ZODB data sources is also 
relevant to 10x, I'd have to say that computed roles and groups are *not*, 
repeat *not* interchangeable.  As Shane and I have both pointed out, groups 
can't do what computed roles can, but computed roles *can* do what groups can.

Btw, I might also note that LoginManager also supports group-to-roles 
mappings now, in the sense that you can create dummy roles that mean group 
membership.  There is a role-to-role mapping that you can then set up that 
converts "group roles" into "real roles".  So I wouldn't say that 
supporting the concept of groups necessarily involves a great deal of 
complexity.
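
The mappings discussed in this thread, as an added sketch that is not part of the original message and is not Zope or LoginManager code: dummy "Group:" roles are expanded into real roles through a role-to-role mapping, and a computed local role is derived from the object's own data, the case the message says groups cannot cover. All names (PRINCIPAL_ROLES, ROLE_TO_ROLES, created_by, and so on) are hypothetical.

```python
# Added illustration; every name here is hypothetical, not a Zope or
# LoginManager API.

# Static principal -> role assignments. "Group:..." entries are dummy roles
# that only record group membership.
PRINCIPAL_ROLES = {
    "alice": {"Group:Editors"},
    "bob": {"Group:Staff"},
}

# Role-to-role mapping that converts "group roles" into "real roles".
ROLE_TO_ROLES = {
    "Group:Editors": {"Editor", "Group:Staff"},
    "Group:Staff": {"Reader"},
}

# Roles -> permissions (the permissions -> methods mapping is omitted).
ROLE_PERMISSIONS = {
    "Reader": {"View"},
    "Editor": {"View", "Edit"},
    "Owner": {"View", "Edit", "Delete"},
}


def expand_roles(roles):
    """Transitively expand roles through ROLE_TO_ROLES; safe against cycles."""
    seen, pending = set(), list(roles)
    while pending:
        role = pending.pop()
        if role not in seen:
            seen.add(role)
            pending.extend(ROLE_TO_ROLES.get(role, ()))
    return seen


def computed_local_roles(principal, obj):
    """Roles derived from the object's data, e.g. a row from a non-ZODB source."""
    return {"Owner"} if obj.get("created_by") == principal else set()


def roles_for(principal, obj):
    """Static roles plus computed local roles, expanded through the role map."""
    static = PRINCIPAL_ROLES.get(principal, set())
    return expand_roles(static | computed_local_roles(principal, obj))


def has_permission(principal, permission, obj):
    """Default deny: grant only if some effective role carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, ())
               for role in roles_for(principal, obj))
```
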