[Zope3-dev] Re: a note on groups and roles

Phillip J. Eby pje@telecommunity.com
Mon, 25 Mar 2002 10:40:48 -0500 

At 10:11 AM 3/25/02 +0100, Joachim Werner wrote:
> > There is an extremely important use for roles that are *not* groups.  A
> > person may be a project manager of five projects, but not of ten others.
>A
> > "project managers" group is useless for granting the user permissions
> > relative to his five projects.
> >
> > Now, if you want to call that a "local group", I'm sure you could.  But
> > that's not what most workflow and content management systems call that
> > concept.  They call it a *role*, as in the "project manager role".  And
> > those workflow systems use roles to define permissions.
>
>Isn't that just a GUI issue? Technically speaking, it makes perfect sense to
>me to implement a local "role" of a project manager as a group that is
>associated with certain permissions. I think makes the implementation easier
>than it is now.

That depends a *lot* on the implementation.  If the system doesn't allow 
you to compute groups relative to *every* object, it *won't* be the same as 
a role system.  Calling it a role makes it clear that it is relative to an 
object and is not an entity in itself.

Say "group", and what comes to mind?  A group of people that exist in their 
own right.  Say "role", and what comes to mind?  An abstraction, a part 
that different people could play.  The latter is what I need, not the former.

That's why I oppose a name change; "role" better implies the *requirements* 
of that capability.


> > I'd rather have groups be placeless, the way they are in the vast majority
> > of systems that I've encountered.  It might be nice to have them nestable,
> > the way they can be in LDAP, where a group can be a member of another
> > group.  But that's optional to me.
>
>Probably groups COULD be placeless in the concept Chris has proposed:
>Mr X can be a member of the group "Assistant Administrators of the News
>Board", and THAT group is then placefully bound to a certain set of roles in
>the news board zone of the site. The confusions comes from the fact that
>most acl_user folder implementations now mix up the user source (or group
>source if you want) with the binding of the group to a role. So currently
>somebody can only BE or NOT BE an Editor or Administrator, but there is no
>way of telling the system (without add-on products) that he or she is an
>Editor in a certain part of the website.

I really don't care about any of that; I don't use user folders or worry 
about their placement because I don't build "content" sites with Zope.


> > In a folder-oriented view of the world, this makes some sense.  From a web
> > applications perspective, it doesn't.  As an application developer, I need
> > roles much more than I need groups.  If I can compute roles, I can
> > supplement it with my own group system if I need it.
>
>I'm not sure if you really need ROLES. Don't you actually only need what
>Zope calls permissions? If you want a fixed set of features to belong to the
>same permission, you could either have single permissions for all of them
>and group them into a role or just give them the same permission. If,
>however, you want to keep things separate, two seperate roles would be
>needed anyway, so you can also use two permissions (can anybody still follow
>me? ;-)) ...

If you want to call it a permission, that would be okay, *as long as* it's 
still computable.  Permission has some implication of abstractness, but 
IMHO it's not as clearly a relationship as the word "role".



>I think as soon as the code checks for people's roles (which is the case in
>the CMF and unfortunately also in Kontentor), something is going terribly
>wrong. Code should check for permissions, and permissions can be bound to
>users or groups of users.

I don't need to check roles.  I need to compute them.  If my code is 
dealing with an SQL database that has a field for the project manager, I 
need to be able to have my code compute and return that the user has the 
project manager role.

In order to do this efficiently, I need to know what role will grant the 
principal the needed permissions, so I only load and check what is 
necessary.  This means that the Zope machinery has to tell my application 
code what roles would be useful.

I can see how this could be simulated if permissions were hierarchical, 
i.e. implied other permissions.



> > Part of Zope 3's
> > goals, as I understand them, is to make Zope more usable for corporate
> > applications development.  Corporate applications developers need roles,
> > and the more complex the application, the more roles they need.
>
>The question is WHERE you are actually going to to the mapping of users to
>permissions. My personal opinion is that any basic components of an
>application (which is what we do on the Python level) should NOT check
>against roles, but use permissions instead.

Again, it's computing them, not checking them, that needs to be done in the 
application.


>The mapping of these permissions with the appropriate users or groups is
>done on the administration level.

No.  It's done by the application, from its underlying database.  It is 
*not* an administrative function.  This is why I'm being so vociferous 
about my use cases; they do not match the models being discussed here, that 
are being promoted as reasons for dropping the notion of roles.


>There might be a need for a two-level
>administrative interface, so on one level only the system integrator can
>have access (and predefine groups or roles if you want) and on the second
>level the client's administrator can map those presets to actual users ...

Again, this is almost entirely irrelevant.  Pretty much in my situations, 
if someone's a user at all, they get the same set of global 
permissions.  (Actually, I usually deal with 2 or 3 broad classes of 
access).  The fine-grained permissions are all data-driven, often according 
to fairly complex rules, which require SQL database lookups to sort out.


> > I am really violently opposed to replacing the term "role" with "group",
> > because it's a widely used term for something that I *don't* really need
>or
> > want.  And it's *much* harder to get somebody to assign a new meaning to a
> > word they already know than to give them a word which either they know
>from
> > another context (workflow or content management), or don't know and thus
> > realize they have to learn.
>
>I see that it might be a good idea in many applications to call the "things"
>users can become part of "roles". But I still see no real need for having a
>different technical implementation for that ...

As long as it is computable by the application on an object-by-object 
basis, no, there's no need for a seperate implementation.  Computable, 
hierarchical permissions would probably suffice for my purposes.