[Zope3-dev] Re: a note on groups and roles

Lennart Regebro lennart@torped.se
Mon, 25 Mar 2002 10:38:30 +0100


From: "Joachim Werner" <joe@iuveno-net.de>
> Isn't that just a GUI issue? Technically speaking, it makes perfect sense to
> me to implement a local "role" of a project manager as a group that is
> associated with certain permissions.

Yes, that is how it is done most of the time. When you only have groups and
not roles, you often end up creating groups for certain roles. That
only shows that the roles concept is a valid concept that should stay.

> I'm not sure if you really need ROLES. Don't you actually only need what
> Zope calls permissions?

When you have 30-40 permissions you don't want to assign them individually
to groups. You want to somehow make collections of permissions that you
assign. That is what roles are.

> If you want a fixed set of features to belong to the
> same permission, you could either have single permissions for all of them
> and group them into a role or just give them the same permission.

No. What grouping of permissions you want to have is up to each site
implementation. What permissions exist is up to the programmers. Therefore
you need to separate them, so that the grouping is configurable.

> I think as soon as the code checks for people's roles (which is the case in
> the CMF and unfortunately also in Kontentor), something is going terribly
> wrong.

Absolutely true.

> done on the administration level. There might be a need for a two-level
> administrative interface, so on one level only the system integrator can
> have access (and predefine groups or roles if you want) and on the second
> level the client's administrator can map those presets to actual users ...

Hmm, yes, you are right. The mapping of roles to permissions, and the
mapping of users to roles and groups should have different permissions.

> I see that it might be a good idea in many applications to call the "things"
> users can become part of "roles".

Nah. The thing users become a part of is not and should not be called a
role. Roles are something users *have*.
Permissions are a part of a role, or in another way: Roles are collections
of permissions.

Best Regards

Lennart Regebro
Torped Strategi och Kommunikation AB
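
The separation argued for in this message, as an added example that is not part of the original post and not Zope's security API: code checks permissions only, roles are site-configurable collections of permissions, and the two mappings are guarded by different permissions. All class, function, role and permission names are hypothetical, and the self-escalation guard in `assign_role` is an assumption added here.

```python
# Added illustration; every name here is hypothetical, not Zope's security API.
class AccessDenied(Exception):
    pass

# Permissions are defined by the programmers; application code checks only these.
MANAGE_ROLE_DEFS = "Manage role definitions"  # system integrator level
ASSIGN_ROLES = "Assign roles to users"        # client administrator level
EDIT_CONTENT = "Edit content"
PUBLISH_CONTENT = "Publish content"

class SecurityPolicy:
    def __init__(self, role_permissions, user_roles):
        self.role_permissions = {r: set(p) for r, p in role_permissions.items()}
        self.user_roles = {u: set(r) for u, r in user_roles.items()}

    def permissions_of(self, user):
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions.get(role, set())
        return perms

    def check(self, user, permission):
        if permission not in self.permissions_of(user):
            raise AccessDenied(f"{user} lacks {permission!r}")

    def define_role(self, actor, role, permissions):
        """Role -> permissions mapping: per-site configuration, integrator only."""
        self.check(actor, MANAGE_ROLE_DEFS)
        self.role_permissions[role] = set(permissions)

    def assign_role(self, actor, user, role):
        """User -> role mapping: guarded by a different permission."""
        self.check(actor, ASSIGN_ROLES)
        # Assumption added here: handing out a role that can redefine roles
        # needs that permission too, or the two levels collapse into one.
        if MANAGE_ROLE_DEFS in self.role_permissions[role]:
            self.check(actor, MANAGE_ROLE_DEFS)
        self.user_roles.setdefault(user, set()).add(role)

def publish(policy, user, document):
    policy.check(user, PUBLISH_CONTENT)  # a permission check, never a role name
    return f"published {document}"

def demo_policy():
    """Constructed sample configuration."""
    return SecurityPolicy(
        {"Integrator": {MANAGE_ROLE_DEFS}, "Site Admin": {ASSIGN_ROLES},
         "Project Manager": {EDIT_CONTENT}},
        {"integrator": {"Integrator"}, "admin": {"Site Admin"}},
    )
```

Because `publish` names a permission and not a role, the integrator can later add "Publish content" to "Project Manager" and the code path needs no change.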