[Zope3-dev] a note on groups and roles

[Jeremy Hylton]

>>>>> "JF" == Jim Fulton <jim@zope.com> writes:

  JF> This is in line with the intent of Zope 3's security model.  I
  JF> intend that it will be possible for principals to elect which
  JF> roles they have at any point in time.

  JF> There are other differences between roles and groups. Groups are
  JF> not context-dependent.  A user's membership in a group doesn't
  JF> depend on location. The user's role varies from object to
  JF> object.

I'd like to think about this more.  The notion of a "local role" is
interesting, but I wonder if it isn't more appropriate to talk about a
"local group."  *Or* a place as a principal that delegates to a user
for requests "in the context of the folder."  (The last part in quotes
because I'm not sure I understand it yet :-).

In other words -- a group is about adding permissions, a role is about
taking them away.

Jeremy