[Zope3-dev] Re: a note on groups and roles

Lennart Regebro lennart@torped.se
Mon, 25 Mar 2002 11:19:36 +0100


From: "Joachim Werner" <joe@iuveno-net.de>
> "Lennart Regebro" <lennart@torped.se>
> > Yes, that is how it is done most of the time. When you only have groups
> > and not roles, you often end up with creating groups for certain roles. That
> > only shows that the roles concept is a valid concept that should stay.
>
> But what is really bad about this, except for the naming?

Nothing at all. What would be bad is removing the support for roles that
are, and again forcing people to use groups as if they were roles.

> O.k., so instead of having to group permissions by creating a group that has
> these permissions, you have to do exactly the same thing, but call it a
> role, yes?

No. It is not the same thing. A group is a collection of users, and a role
is a collection of permissions.
You can do similar things, but it is not the same thing, and would not have
the same UI and it isn't mutually exclusive. You can easily have both groups
and roles.

> This doesn't make things easier I think ... The point is: If the
> admin (and not the programmer) should have the right to group permissions,
> then some kind of mapping has to take place anyway. So the argument that you
> don't want to have to assign these permissions individually does not count

Of course some kind of mapping has to take place. You have users, and you
have permissions. Giving users permissions is a mapping, and if there is no
mapping, users don't have any permissions.

> Remember: Placeful groups can be mapped to a user as easily as you now give
> him a role ...

Of course. I don't understand what you are trying to say. Are you trying to
say that you want to replace the roles system with a groups system?

> But that's exactly my point: If the programmer already knows what will
> belong together, he can use a single permission. If not, he'll use different
> ones, which means that somebody will have to do the mapping later ...

I assume you mean grouping instead of mapping. And yes, you are correct. If
your programmer knows that two actions never need separate permissions they
should have the same permission. If the programmer can see that separate
permissions might be useful, then they should have separate permissions.

This means that there needs to be some kind of grouping of permissions
configurable by the site administrator. This grouping is called "Roles".

Best Regards

Lennart Regebro
Torped Strategi och Kommunikation AB
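
An added illustration of the distinction discussed in this message, not part of the original post and not Zope code: groups as collections of users, roles as admin-configurable collections of permissions, and placeful grants that tie the two together. The `Policy` class, the paths, and the user, group, role and permission names are all hypothetical, and users and groups are assumed to share one namespace of principal names.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    groups: dict = field(default_factory=dict)  # group -> set of users
    roles: dict = field(default_factory=dict)   # role -> set of permissions
    grants: dict = field(default_factory=dict)  # place -> {principal: set of roles}

    def principals(self, user):
        """The user plus every group that contains them."""
        return {user} | {g for g, members in self.groups.items() if user in members}

    def roles_at(self, user, place):
        """Roles granted to the user or their groups at `place` or any ancestor."""
        who = self.principals(user)
        trimmed = place.strip("/")
        parts = trimmed.split("/") if trimmed else []
        found = set()
        for depth in range(len(parts) + 1):
            local = self.grants.get("/" + "/".join(parts[:depth]), {})
            for principal, roles in local.items():
                if principal in who:
                    found |= roles
        return found

    def allowed(self, user, permission, place):
        """True if any role held at `place` contains the permission."""
        return any(permission in self.roles.get(role, set())
                   for role in self.roles_at(user, place))


def sample_policy():
    """Constructed sample data: one group, two roles, two placeful grants."""
    return Policy(
        groups={"editors": {"anna", "bo"}},
        roles={"Author": {"View", "Add content", "Edit content"},
               "Reviewer": {"View", "Publish content"}},
        grants={"/": {"editors": {"Author"}},       # role granted to a group
                "/news": {"anna": {"Reviewer"}}},   # role granted to one user
    )
```

Adding a permission to the `Author` role changes what every holder of that role may do without touching group membership or the permission names declared in code, which is the site administrator's grouping the message calls "Roles".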