[Zope3-dev] a note on groups and roles

Jim Fulton jim@zope.com
Mon, 25 Mar 2002 10:02:21 -0500


Jeremy Hylton wrote:
> 
> A conversation with Matt Behrens and Shane Hathaway lead me to write
> this note on the difference between groups and roles in Zope
> security.  I'd be grateful for comments and criticism.
> 
> Jeremy
> 
> A note on groups and roles
> 
> The current Zope philosophy advocates a distinction between group and
> role that is not found in the security literature. 

That's odd for you to say, since later in your note, you give a meaning
for role from the security literature that is distinct from group.

> This note argues
> that Zope's concepts of group and role both correspond to the
> traditional notion of group, and that roles are a separate and useful
> concept.
> 
> I believe the current Zope philosophy is this:
> 
>     A principal corresponds to a user, e.g. Jeremy.
> 
>     A group is a set of principals, e.g. Jeremy is in group PythonLabs.
> 
>     A role is a collection of permissions, e.g. Developer role has
>         permission to do CVS checkins.

No, the role is a responsibility or job of a user. To fulfil a responsibility, 
the role is given certain permissions.

(snip a correct argument that groups and roles have the same effect, as roles
 are now defined, especially in Zope 2).


> Why should we care about a model where group' subsumes group and role?
> 
> There are two reasons:
> 
>     It simplifies the security architecture, making it simpler to
>     reason about and implement.  A security architecture is hard to
>     get right, but we increase our chances if it involves the minimum
>     number of basic concepts.
> 
>     We can communicate more easily with people who are not familiar
>     with Zope, because we can use standard terminology.
> 
> What's a role'?
> 
> Funny you should ask.  The term role -- I'll spell it role' -- is used
> in the security literature to refer to a mechanism to achieve
> the principle of least privilege.  A role' is a way for a principal to
> limit the permissions it has.  If you know Unix, it might be helpful
> to think of it as a fine-grained setuid.
> 
> If a technical manager has two roles' -- Developer and Manager -- he
> might want to perform an operation using only one set of permissions.
> When he performs a CVS checkin, he performs it using the Developer
> role'.  As a result, the access controller only checks his Developer
> permissions.
> 
> Why might this be important?  One reason is to limit the damage done
> by a Trojan horse.  An attacker might trick the manager into running a
> program that secretly tries to approve a bogus expense report.  If the
> manager ran the program using his Developer role', the Trojan horse
> would fail because it didn't have the necessary permission even though
> the manager did.
> 
>     This concept of role' is formalized using the "speaks as"
>     relationship.  It's fundamentally different than speaks for.  One
>     extends the permissions of a principal, the other limits them.
> 
> Would roles' be useful in Zope?  I expect so, but that's a different
> topic.

This is in line with the intent of Zope 3's security model.  I intend
that it will be possible for principals to elect which roles they have
at any point in time.

There are other differences between roles and groups. Groups are
not context-dependent.  A user's membership in a group doesn't depend on
location. The user's role varies from object to object.

Jim

--
Jim Fulton           mailto:jim@zope.com       Python Powered!        
CTO                  (888) 344-4332            http://www.python.org  
Zope Corporation     http://www.zope.com       http://www.zope.org
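The model Jim describes above, roles as per-object responsibilities that a principal may activate selectively while group membership stays location-independent, as an added Python example that is not part of this thread or of Zope's code. The principal, group, role and permission names (jeremy, PythonLabs, Developer, Manager, cvs.checkin, expense.approve) are taken from the post's illustrations or constructed; the `Principal`, `Context` and `SecurityPolicy` classes are assumed for illustration and are not Zope's API.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed, illustrative role -> permission mapping (not Zope's own).
PERMISSIONS_BY_ROLE: dict[str, set[str]] = {
    "Developer": {"cvs.checkin"},
    "Manager": {"expense.approve"},
}


@dataclass(frozen=True)
class Principal:
    """A principal corresponds to a user, e.g. Jeremy."""
    id: str


@dataclass
class Context:
    """An object in a containment hierarchy.  Role grants live on objects and
    are inherited by children, so the roles a principal holds depend on
    *where* the check happens."""
    name: str
    parent: Context | None = None
    # subject (principal id or group name) -> roles granted on this object
    role_grants: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, subject: str, role: str) -> None:
        self.role_grants.setdefault(subject, set()).add(role)


class SecurityPolicy:
    def __init__(self) -> None:
        # group name -> member principal ids; groups are location-independent
        self.groups: dict[str, set[str]] = {}

    def add_to_group(self, group: str, principal: Principal) -> None:
        self.groups.setdefault(group, set()).add(principal.id)

    def groups_of(self, principal: Principal) -> set[str]:
        """Groups are a property of the principal alone; no context needed."""
        return {g for g, members in self.groups.items() if principal.id in members}

    def roles_in(self, principal: Principal, ctx: Context) -> set[str]:
        """Roles held at ctx, directly or via a group, walking up the parents."""
        subjects = {principal.id} | self.groups_of(principal)
        roles: set[str] = set()
        node: Context | None = ctx
        while node is not None:
            for subject in subjects:
                roles |= node.role_grants.get(subject, set())
            node = node.parent
        return roles

    def check(self, principal: Principal, permission: str, ctx: Context,
              active_roles: set[str] | None = None) -> bool:
        """Does principal hold `permission` on ctx?

        When active_roles is given, only those roles count, and only if the
        principal actually holds them here: the principal is limiting itself
        (the "speaks as" reading of role in the post), so activating a role it
        does not hold in this context gains nothing.
        """
        held = self.roles_in(principal, ctx)
        if active_roles is not None:
            held &= active_roles
        return any(permission in PERMISSIONS_BY_ROLE.get(r, set()) for r in held)


def demo() -> dict[str, bool]:
    policy = SecurityPolicy()
    jeremy = Principal("jeremy")
    policy.add_to_group("PythonLabs", jeremy)

    root = Context("root")
    finance = Context("finance", parent=root)
    root.grant("PythonLabs", "Developer")   # every PythonLabs member develops everywhere
    finance.grant("jeremy", "Manager")      # Jeremy manages only under finance

    return {
        # Developer is inherited through the group grant on root.
        "checkin_in_finance": policy.check(jeremy, "cvs.checkin", finance),
        # Manager is held at finance ...
        "approve_in_finance": policy.check(jeremy, "expense.approve", finance),
        # ... but not at root: the role varies from object to object.
        "approve_at_root": policy.check(jeremy, "expense.approve", root),
        # The Trojan-horse case from the post: with only Developer active,
        # approving fails even though Jeremy is a Manager here.
        "trojan_approve_as_developer": policy.check(
            jeremy, "expense.approve", finance, active_roles={"Developer"}),
        "checkin_as_developer": policy.check(
            jeremy, "cvs.checkin", finance, active_roles={"Developer"}),
        # Electing a role not held in this context grants nothing.
        "approve_at_root_as_manager": policy.check(
            jeremy, "expense.approve", root, active_roles={"Manager"}),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:30} {ok}")
```

The two points of the reply fall out of `roles_in` and `check`: `groups_of` never looks at a `Context`, whereas a role grant is found only on the object it was made on and its descendants, and `active_roles` can only shrink the set of roles the access check considers, never enlarge it.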