[Zope3-dev] Re: a note on groups and roles
Phillip J. Eby
pje@telecommunity.com
Sun, 24 Mar 2002 10:49:25 -0500
At 06:01 AM 3/24/02 -0500, Chris McDonough wrote:
>I want to be able to grant a set of permissions to a group of users.
>Whether that group of users is called a role or a group is not that
>meaningful of a distinction to me. ;-) I understand that there is some
>defacto jargon centered around roles as collections of permissions and
>groups as collections of users and that this jargon is starting to gel. I
>just want to raise a red flag at this point to say that I don't understand
>why it needs to be this complicated, seeing as we're essentially starting
>from scratch and no other system that I can think of has this particular
>combination of (extensible) collections.
There is an extremely important use for roles that are *not* groups. A
person may be a project manager of five projects, but not of ten others. A
"project managers" group is useless for granting the user permissions
relative to his five projects.
Now, if you want to call that a "local group", I'm sure you could. But
that's not what most workflow and content management systems call that
concept. They call it a *role*, as in the "project manager role". And
those workflow systems use roles to define permissions.
I've never had a problem with the concept of roles, from my first encounter
with them in Principia many years ago, because of this perspective.
A role is usually defined by application data. If you're listed as the
project manager on a project object, that implies your role. In most
security systems, groups are extrinsic, tied to the system rather than to
data, and exist in a "placeless" fashion.
IMHO, it is going to be harder to teach people about "placeful" groups,
than to use existing CMS and workflow terminology for "roles".
>I'm not sure why my suggestion doesn't solve the problem you mention. The
>indirection in my suggestion happens as a result of being able to nest
>groups, which you currently cannot do with roles right now. This inability
>drives normal people insane because they need to do the same thing over and
>over again in different places. This is why everybody is crying for another
>layer of indirection. They need to shoehorn it in to the current Zope 2
>model, so they are thinking in terms of roles, but it doesn't need to be
>this way. ;-)
I'd rather have groups be placeless, the way they are in the vast majority
of systems that I've encountered. It might be nice to have them nestable,
the way they can be in LDAP, where a group can be a member of another
group. But that's optional to me.
>Example: you define a group at the root. You assign a set of users to the
>group. You visit a folder and create another group, which includes a
>"local" set of users as well as the group you defined at the root.
In a folder-oriented view of the world, this makes some sense. From a web
applications perspective, it doesn't. As an application developer, I need
roles much more than I need groups. If I can compute roles, I can
supplement it with my own group system if I need it. Part of Zope 3's
goals, as I understand them, is to make Zope more usable for corporate
applications development. Corporate applications developers need roles,
and the more complex the application, the more roles they need.
I am really violently opposed to replacing the term "role" with "group",
because it's a widely used term for something that I *don't* really need or
want. And it's *much* harder to get somebody to assign a new meaning to a
word they already know than to give them a word which either they know from
another context (workflow or content management), or don't know and thus
realize they have to learn.