[Zope3-dev] a note on groups and roles

Florent Guillaume fg@nuxeo.com
Sun, 24 Mar 2002 21:55:18 +0000 (UTC)


Here's my take on those concepts.

We're interested in doing security assertion in the context of a given place.

We have two fundamental entities, the users and the permissions.

In Zope 2 we have a notion of role, and the following mappings between
these three entities:

- In a user folder, we define a placeless mapping from users
  to roles (in addition to defining the users themselves).
  userfolder: placeless user->role

- In the local roles tab, we define a placeful mapping from users to
  roles.
  localrole: placeful user->role

- In the security tab, we define a placeful mapping from
  roles to permissions.
  securitytab: placeful role->permission

In the most basic system, we could do completely without roles and
have instead simply a placeless or placeful mapping between users and
permissions.  Of course this would be unmanageable, because there
would be no way to factor things.

So roles are a way to factor security assertions between users and
permissions. Indirection is a way of factoring. Factoring gives
manageability.

Now why are we interested in the notion of groups ? Because even with
roles we keep repeating some patterns, and we also want to factor them
to make them easier to manage.

- In several places I have the same bunch of users used in the local
  roles tab. I want to manage them simply.
  The solution is to have user groups, that can be treated as one
  user entity in a user->role mapping. NuxUserGroups provides this.

- In several places I keep repeating in the local roles tab the same
  pattern of users to roles mapping.
  The solution is to have Torped's workgroups.

This is beginning to sound pretty ad hoc.


But this is because we're in Zope 2 and we have already the notion of
roles. What if we start back from the simplest system with only users
and permissions ?

- We want, in some context, to group related users together.  We
  define placeful user groups. Let's call them UGroups. UGroups can be
  defined in terms of other UGroups.
  (Question: do we want to introduce restriction at that point ? Like,
  UGroup "board" is UGroup "vps" minus the UGroup "losers" ?)

- We want (in some context?) to group related permissions together. We
  define permission groups.  Let's call them PGroups. PGroups can be
  defined in terms of other PGroups. (If products can be added locally
  I don't see why permissions couldn't be placeful.)
  PGroups are basically what we think of as Roles today.
  (Same question about restriction.)

- We want, in some context, to give some users some permissions. We
  define placeful mappings from UGroups to PGroups.  Let's call those
  U2PMappings. U2PMappings can actually be a bunch of individual
  simpler U2PMappings.
  U2PMappings are what we think of today as local roles.
  (Here the question of restriction also arises, it would be basically
  equivalent to Torped's local roles blacklists.)

- If in different contexts we repeat over and over some U2PMappings,
  then we must be able to factor them higher (lower for chrism :) in
  the tree. It means that a U2PMapping can be defined at some place
  and used elsewhere.
  (That's basically Torped's workgroups.)


For example, what does the Reviewer role become ?

 - The fact that a Reviewer has permission to view and modify
   documents becomes embodied in the ReviewPermissions PGroup.

 - The fact that one group "foo" of users is a Reviewer in some
   subtree is defined by saying that at the root of that subtree the
   U2PMapping has the arrow "foo" -> ReviewPermissions.

As another example, what about the workgroups I'm used to ?

 - I define any number of UGroups to set the membership.

 - I define a GroupMemberPermission PGroup that can modify documents,
   request reviews, discuss documents, etc.

 - At the top of each workarea I put the U2PMapping between the
   appropriate UGroup and GroupMemberPermission.


I'll let others think of their favorite example and how to implement
it in this system.


Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 10  http://nuxeo.com  mailto:fg@nuxeo.com
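
The model proposed in the message above, sketched as an added example (not part of the original post and not Zope code): nested UGroups and PGroups, with U2PMapping arrows attached to places and resolved by walking from a place up to the root. All class and function names are hypothetical, the sample users and places are constructed, and the sketch assumes an arrow applies to the whole subtree below the place where it is set; the open "restriction" questions are not modelled.

```python
class Group:
    """UGroup or PGroup: members are leaf names or other Groups."""
    def __init__(self, name, *members):
        self.name, self.members = name, members

    def flatten(self, seen=None):
        """All leaf members, following nested groups; cycles are cut."""
        seen = set() if seen is None else seen
        if id(self) in seen:
            return set()
        seen.add(id(self))
        leaves = set()
        for m in self.members:
            leaves |= m.flatten(seen) if isinstance(m, Group) else {m}
        return leaves

class Place:
    """A node in the object tree holding the U2PMapping arrows set there."""
    def __init__(self, name, parent=None):
        self.name, self.parent, self.u2p = name, parent, []

    def grant(self, ugroup, pgroup):
        self.u2p.append((ugroup, pgroup))

def permissions_for(user, place):
    """Union of PGroups reached by arrows at `place` and every ancestor.
    Assumption: arrows apply to the whole subtree below where they are set."""
    perms = set()
    while place is not None:
        for ugroup, pgroup in place.u2p:
            if user in ugroup.flatten():
                perms |= pgroup.flatten()
        place = place.parent
    return perms

# Constructed sample data: the post's Reviewer example.
view_perms = Group("ViewPermissions", "View")
review_perms = Group("ReviewPermissions", view_perms, "Modify")
foo = Group("foo", "alice", Group("leads", "bob"))
everyone = Group("everyone", foo, "carol")

root = Place("root")
docs = Place("docs", root)          # root of the reviewed subtree
specs = Place("specs", docs)        # inherits the arrow set on docs
other = Place("other", root)        # sibling subtree, no Reviewer arrow
root.grant(everyone, view_perms)
docs.grant(foo, review_perms)
```

A user who is in no UGroup gets the empty set, so the model denies by default, and the arrow set on `docs` does not reach the sibling `other` subtree.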