[Zope3-dev] Initial thoughts on the Zope3 security framework

[Martijn Faassen]

Shane Hathaway wrote:
[snip]
> Zope security uses three mappings: principals to roles, roles to 
> permissions, and permissions to methods.  I've been trying to prove to 
> myself for months that we really need four mappings, with principals 
> mapping to groups and groups mapping to roles, but have failed to do so 
> since it would add complexity and you can already achieve the desired 
> effect if you just have computed local roles.
> 
> So we need either computed local roles or groups.

Workgroups seem to be easier on a caching system such as the catalog than
computed local roles, right?

Are there use cases where computed local roles can do what groups can't
do?

Regards,

Martijn