[Zope3-dev] Re: a note on groups and roles

Joachim Werner joe@iuveno-net.de
Mon, 25 Mar 2002 10:48:33 +0100


> Yes, that is how it is done most of the time. When you only have groups and
> not roles, you often end up with creating groups for certain roles. That
> only shows that the roles concept is a valid concept that should stay.

But what is really bad about this, except for the naming?

> > I'm not sure if you really need ROLES. Don't you actually only need what
> > Zope calls permissions?
>
> When you have 30-40 permissions you don't want to assign them individually
> to groups. You want to somehow make collections of permissions that you
> assign. That is what roles are.

O.k., so instead of having to group permissions by creating a group that has
these permissions, you have to do exactly the same thing, but call it a
role, yes? This doesn't make things easier I think ... The point is: If the
admin (and not the programmer) should have the right to group permissions,
then some kind of mapping has to take place anyway. So the argument that you
don't want to have to assign these permissions individually does not count
...

Remember: Placeful groups can be mapped to a user as easily as you now give
him a role ...

> > If you want a fixed set of features to belong to the
> > same permission, you could either have single permissions for all of them
> > and group them into a role or just give them the same permission.
>
> No. What grouping of permissions you want to have is up to each site
> implementation. What permissions exist are up to the programmers. Therefore
> you need to separate them, so that the grouping is configurable.

But that's exactly my point: If the programmer already knows what will
belong together, he can use a single permission. If not, he'll use different
ones, which means that somebody will have to do the mapping later ...