[Zope3-dev] a note on groups and roles

Jeremy Hylton jeremy@zope.com
Sat, 23 Mar 2002 13:42:22 -0500 

>>>>> "LR" == Lennart Regebro <lennart@torped.se> writes:

  LR> From: "Jeremy Hylton" <jeremy@zope.com>
  >> I believe the current Zope philosophy is this:
  >>
  >> A principal corresponds to a user, e.g. Jeremy.
  >>
  >> A group is a set of principals, e.g. Jeremy is in group
  >> PythonLabs.

  LR> Well, currently Zope doesn't have any groups at all, so what the
  LR> Zope philosophy in that case is a bit fuzzy. :-) But yes, a
  LR> group would be a set ofprincipals.

Groups are a big help, and we can already use roles to implement
"groups," so they exist in some sense.  (Is it possible to assign one
role to another role?  A SuperDeveloper had developer and super
roles?)

  >> Groups and roles serve the same purpose.

  LR> Well, not really. But if groups do nothing more than group
  LR> principals, then groups are only a way to make assignments of
  LR> one principal to several roles quicker.

Quick has nothing to do with it.  The hierarchy promotes modularity in
security administration and makes it easier to reason about the policy.

  LR> Your group' scheme may simplify the implementation of groups and
  LR> roles, but infortunately it doesn't make the security any easier
  LR> to explain to outsiders, because you then end up with two
  LR> different types of groups' that act slightly different, or you'd
  LR> end up with a concept of group' that is highly abstract.

I meant, in particular, explaining it to someone who is familiar with
standard security terminology.

What we're left with is one concept group, that can be used for
multiple purposes.  For a user manual, it would be helpful to describe
several different uses of groups.

  LR> end up with a concept of group' that is highly abstract.  I
  LR> don't think people will generally understand when you say that
  LR> "a group' speaks for principals". I myself had to think about
  LR> it. Abstraction can be a good thing, especially if it leads to
  LR> higher functionality or flexibility but it doesn't in this case,
  LR> it's just a nother way of looking or implementing grous and
  LR> roles.

Only the implementors need to think about speaks for or speaks as.
It's important for the implementation to have as few concepts as
possible, since it keeps the implementation simple.  The user
interface / policy language for expressing things *might* introduce
several concepts that map onto groups in the implementation.

  LR> When this needs to be extended with some kind of "grouping" of
  LR> principals, it's easy to get stuck "how did they do that in
  LR> <insert favourite security system here>". And since most people
  LR> here have used unix or NT, you start thinking of making groups
  LR> of principals, because thats how everybody else is doing
  LR> it. *But*, that doesn't fit well with the innovative roles
  LR> concept.

I'm not sure what the innovate roles concept is :-).  It sounds a lot
like groups, and that's an old idea.  

Jeremy