[Zope3-dev] Re: a note on groups and roles

[Lennart Regebro]

From: "Chris McDonough" <chrism@zope.com>
> (I mistakenly responded to a crosspost to the Zope maillist with this, but
> wanted it to go to Zope3-dev)

Yeah, thats my fault...

> Yes!  In the current Zope 2 system, some roles are essentially placeless
> (ala Anonymous, Manager, Authenticated, Owner... Owner! ;-)) while local
> roles and user defined roles are placeful.  I'd like to be able to get rid
> of the placeless roles.

Absolutely. I agrre totally.

> Note that if you'd rather call what I call groups "roles", it doesn't
matter
> much to me, there's no distinction between roles and groups to me.  At
least
> if there is one, it's almost negligible.

No, it's not. Groups are collections of principals, roles are collections of
permissions. Both make are an indirect way of mapping principals to
permissions, but we can't equate them in this discussion, because then most
of the points of the discussion disappear. :-)

> This is a whole different can of worms, but I would like to see Zope
clearly
> define a fairly comprehensive "top-level" set of permission objects (e.g.
> "Add Content", "Change Content", "Delete Content") that act as
> mini-registries and can be "drilled into" for the ability to have
> finer-grained control.  When developers register a permission, they would
> register it with one of the top-level permission objects.  For example, if
> someone wanted to register "Change ZWiki Pages", they would register this
> permission with the "Change Content" top-level permission object.

That is not a bad idea. But it doesn't really diminish the use of collecting
permissions into roles, because there is still a huge set of roles.

As I understand your suggestion, you, instead of defining roles that have a
set of permissions and then adding users to these roles, you want to define
groups with a set of users, and add permissions to these groups. If this is
correct, then yes, the difference between roles and groups are mostly a case
of terminology and userinterface (is is principally a collection of user?
Call it group. Is it a collection of permissions? Call it role).

However, the discussions and requests for groups so far have been founded in
the need for another level of indirection in the user to permissions
mapping. Your suggestion doesn't solve that. You just replace roles with
groups. There is no real simplification, and there is no additional
features.

> There is no Authorized role currently.. you probably mean the
Authenticated
> role.

Oops, yes.

> I agree that this is kind of a stretch, but it was necessary for a
> couple of our applications (ala CMF) that must present action lists based
> solely on roles.  Actually, I think having the global role "Authenticated"
> is no worse than having the global role "Owner". ;-)

Yeah, the Owner role is easily confused with actually being an owner. Is
there any reason it can't be dropped? Shouldn't "Can own objects" rather be
a permission?