[Zope3-dev] Re: a note on groups and roles

[Florent Guillaume]

Chris McDonough <chrism@zope.com> wrote:
> Maybe, I dunno.  Actually, Zope ships with only one "true" role, "Manager"
> (the others are pretty silly).  Most apps define three or four more.  If
> roles/groups are really placeful, you only need to see the ones you're
> interested in by visiting the place in which they're defined.  Can you
> provide a set of circumstances would cause you to need a huge set of roles?

In my proposal (see other post) Manager would be seen as a permission
group of all permissions, I'd call it AllPermissions.

We'd still call it Manager of course, but here I'm chosing different
kinds of names to put things under a different light.


> I want to be able to grant a set of permissions to a group of users.
> Whether that group of users is called a role or a group is not that
> meaningful of a distinction to me. ;-)  I understand that there is some
> defacto jargon centered around roles as collections of permissions and
> groups as collections of users and that this jargon is starting to gel.  I
> just want to raise a red flag at this point to say that I don't understand
> why it needs to be this complicated, seeing as we're essentially starting
> from scratch and no other system that I can think of has this particular
> combination of (extensible) collections.

I really don't see it as complicated. Grouping things is very
natural. You have individual users, you want groups of users. You have
individual permissions, you want groups of permissions, practically
equivalent to roles. Then you want mappings between those two,
basically local roles, but which we must think of a bit differently
now that we want to restate it in Zope 3 terms.


Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 10  http://nuxeo.com  mailto:fg@nuxeo.com