[Zope3-dev] User groups

Florent Guillaume fg@nuxeo.com
Tue, 30 Apr 2002 18:56:25 +0000 (UTC)


From: "Brian Lloyd" <brian@ZOPE.COM>
> The current Zope 3 work is already starting to tackle groups and 
> 'deny' as a first-class part of the security infrastructure, and he 
> noted that it might be a good idea for people interested in getting 
> groups & deny into Z2 to pitch in with those in Zope 3 first.

Hi,

From what I understand, the "deny" and "grouping" discussion that's going
on in Zope 3 is about grouping of permissions, not of users.
I'm referring to http://dev.zope.org/Wikis/DevSite/Projects/ComponentArchitecture/GroupingPermissions
here.

The only wiki documents I'm aware of that talk about user grouping are
http://dev.zope.org/Wikis/DevSite/Projects/ComponentArchitecture/SecurityFramework
and the one by Lennart:
http://dev.zope.org/Wikis/DevSite/Projects/ComponentArchitecture/AccessControlProposal

We'll update that last one soon but I wanted to discuss things here
first too.

What Lennart and I envision for Zope 2 is this:

- A group of users is defined at the user folder level. A group is the
  definition of an id, title, and a list of users that belong to it. A
  group can also be associated with a list of roles, let's call it the
  roleset for that group.

- A user can belong to zero or more groups.

- Today, at the "local roles" level (that is, placefully)
  a user can be associated with an additional set of roles.

  We propose that at that same point additional features be available:

   - a group can be associated with an additional set of roles, in
     effect locally giving to all users of that group those roles,

   - a group can see its roleset applied, in effect locally giving to
     all users of that group the roles defined in the roleset.

- Lennart has an additional feature: blacklists. Instead of simply
  locally adding to the set of roles a user has, there can be "blocking"
  (denying) of roles.


All this code can be put shortly in CVS for Zope 2, but Brian wants more
discussion to ensure that Zope 3 has compatible concepts, which is wise.

For Zope 3 the above concepts can be mirrored, but a group is actually
also a principal and thus the separation of user and groups at the
"local role" level is not needed anymore. The "principal" concept
encompasses both.

The notion of roleset for a principal is a bit hazy; it's a kind of
"default" set of roles that's only applied locally when needed.

Blocking (denying), being non-monotonous, introduces complexity because
the order in which things are applied changes the result. I don't know
the state of Zope 3 in this regard; is there any code yet?


Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87  http://nuxeo.com  mailto:fg@nuxeo.com
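The following is an added illustration, not code from the post, from Zope 2 or from Zope 3. It models the proposal as described above (groups with an id, title, member list and roleset defined at the user-folder level; placeful extra roles for users and for groups; a place that applies a group's roleset; and Lennart's blacklists that block roles), and it makes the order-dependence concern concrete: the same data resolved under two plausible block/grant orderings yields different effective roles for one of the users. The class names, the two policy names `sticky_block` and `nearest_wins`, and the users, groups and places are all constructed for this example.

```python
"""Toy model of the group / local-role / blocking proposal (constructed example, not Zope code)."""
from dataclasses import dataclass, field


@dataclass
class Group:
    """A group as defined at the user folder level: id, title, members and a roleset."""
    id: str
    title: str
    members: frozenset
    roleset: frozenset = frozenset()


@dataclass
class UserFolder:
    """Holds the groups and each user's global (non-local) roles."""
    groups: dict        # group id -> Group
    global_roles: dict  # user id -> set of roles granted everywhere

    def groups_of(self, user):
        return [g for g in self.groups.values() if user in g.members]


@dataclass
class Place:
    """Placeful ("local roles") settings on one object of the acquisition chain."""
    name: str
    user_roles: dict = field(default_factory=dict)   # user id -> extra roles given here
    group_roles: dict = field(default_factory=dict)  # group id -> extra roles given here
    apply_roleset: frozenset = frozenset()           # group ids whose roleset is applied here
    blocked: dict = field(default_factory=dict)      # user or group id -> roles denied here


def grants_at(folder, user, place):
    """Roles this place adds for the user, directly or through the user's groups."""
    roles = set(place.user_roles.get(user, ()))
    for g in folder.groups_of(user):
        roles |= set(place.group_roles.get(g.id, ()))
        if g.id in place.apply_roleset:
            roles |= g.roleset
    return roles


def blocks_at(folder, user, place):
    """Roles this place denies for the user, directly or through the user's groups."""
    blocked = set(place.blocked.get(user, ()))
    for g in folder.groups_of(user):
        blocked |= set(place.blocked.get(g.id, ()))
    return blocked


def effective_roles(folder, user, chain, policy):
    """Resolve the user's roles along `chain` (root first) under one of two orderings.

    sticky_block: a block anywhere on the chain removes the role, wherever grants occur.
    nearest_wins: walk root -> leaf; at each place blocks apply first, then grants, so a
                  grant closer to the object re-adds a role blocked higher up.
    Both are assumptions made for illustration; the post does not fix an ordering.
    """
    roles = set(folder.global_roles.get(user, ()))
    if policy == "sticky_block":
        for place in chain:
            roles |= grants_at(folder, user, place)
        for place in chain:
            roles -= blocks_at(folder, user, place)
        return roles
    if policy == "nearest_wins":
        for place in chain:
            roles -= blocks_at(folder, user, place)
            roles |= grants_at(folder, user, place)
        return roles
    raise ValueError("unknown policy: %r" % policy)


# Constructed sample data: two users, two groups, a three-level acquisition chain.
FOLDER = UserFolder(
    groups={
        "editors": Group("editors", "Editors", frozenset({"alice", "bob"}), frozenset({"Editor"})),
        "reviewers": Group("reviewers", "Reviewers", frozenset({"alice"})),
    },
    global_roles={"alice": {"Member"}, "bob": {"Member"}},
)
ROOT = Place("root", apply_roleset=frozenset({"editors"}))          # editors' roleset applies at the root
PROJECTS = Place("projects", blocked={"editors": {"Editor"}})        # ... but Editor is blocked one level down
SECRET = Place("secret", group_roles={"reviewers": {"Reviewer"}},
               user_roles={"bob": {"Editor"}})                        # bob is re-granted Editor locally
CHAIN = [ROOT, PROJECTS, SECRET]


def compare(folder, user, chain):
    """Return the effective roles under each policy so the difference is visible."""
    return {p: sorted(effective_roles(folder, user, chain, p)) for p in ("sticky_block", "nearest_wins")}


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, compare(FOLDER, user, CHAIN))
```

For alice both orderings agree (the block at `projects` removes Editor and nothing below re-grants it), but for bob the local re-grant at `secret` is honoured only under `nearest_wins`; under `sticky_block` the block at `projects` wins. That is exactly the non-monotonicity the post raises: once denies exist, the resolver has to commit to an order, and the choice is a security decision.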