[Zope3-dev] a note on groups and roles
Jeremy Hylton
jeremy@zope.com
Mon, 25 Mar 2002 11:41:02 -0500
>>>>> "JF" == Jim Fulton <jim@zope.com> writes:
JF> This is in line with the intent of Zope 3's security model. I
JF> intend that it will be possible for principals to elect which
JF> roles they have at any point in time.
JF> There are other differences between roles and groups. Groups are
JF> not context-dependent. A user's membership in a group doesn't
JF> depend on location. The user's role varies from object to
JF> object.
I'd like to think about this more. The notion of a "local role" is
interesting, but I wonder if it isn't more appropriate to talk about a
"local group." *Or* a place as a principal that delegates to a user
for requests "in the context of the folder." (The last part in quotes
because I'm not sure I understand it yet :-).
In other words -- a group is about adding permissions, a role is about
taking them away.
Jeremy