[Zope3-dev] Re: a note on groups and roles
Steve Alexander
steve@cat-box.net
Thu, 28 Mar 2002 08:08:48 +0000
Phillip J. Eby wrote:
>
> It seems to me that this could lead to a proliferation of extremely
> fine-grained permissions, which are then managed by higher-level
> permissions.
I don't see why. For example, all of your methods could be protected by
the "Zope.View" permission. This permission is defined by Zope, and
common to many packages.
I think that groups of permissions are useful. I spent some time talking
about this with Casey Duncan at the pre-IPC10 sprint. We mocked up some
UIs, which are on a wiki somewhere.
The notion was that permissions are grouped into logical groups, perhaps
both by package and by meaning. Permissions may be managed as a group,
for example by mapping all "Manage Content Permissions" to a particular
role, rather than selecting each permission of that group individually.
There would be a UI and/or zcml for a system administrator to create new
groups of permissions and put permissions (non-exclusively) in those groups.
The UI was designed to show when the permissions of a group were not all
mapped in the same way, so you could see from the management interface
where your security system had special cases.
However, these groups of permissions exist only for managing and viewing
security arrangements. As far as the Zope core security system goes, it
only knows about individual permissions and does not care how they are
grouped.
This is fine because:
1: This limits the complexity of the core security system.
2: The core security system doesn't have a problem dealing with a
large number of permissions.
So, as far as the core security system is concerned, permissions are
identified by a FQN, which includes a Python package. However, they are
not grouped.
> I'm assuming, however, that when you say "protected by a single
> permission" that there is "only one permission which allows access", as
> opposed to "only one permission required". :)
I'm not sure what your distinction is here.
I'm certainly not saying "each permission allows access to only one method".
--
Steve Alexander
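A toy model of the arrangement described in the post above, added here as an example (it is not code from the mailing list or from Zope): the core maps roles only to individual fully-qualified permissions, while groups live in a management layer used to grant a whole group at once and to flag groups whose members are not all mapped the same way. The permission names and group names are constructed for illustration.

```python
# Constructed sample data, not real Zope permission names.
PERMISSIONS = {"Zope.View", "Zope.App.Content.Add",
               "Zope.App.Content.Edit", "Zope.App.Content.Delete"}

# Management-layer grouping only; a permission may sit in several groups.
PERMISSION_GROUPS = {
    "Manage Content Permissions": {"Zope.App.Content.Add",
                                   "Zope.App.Content.Edit",
                                   "Zope.App.Content.Delete"},
    "Read Permissions": {"Zope.View"},
}


class CoreSecurity:
    """The core knows only role -> set of individual permissions."""

    def __init__(self):
        self._role_perms = {}

    def grant(self, role, permission):
        # Groups are invisible here: only single permissions are accepted.
        if permission not in PERMISSIONS:
            raise KeyError(f"unknown permission {permission!r}")
        self._role_perms.setdefault(role, set()).add(permission)

    def check(self, role, permission):
        return permission in self._role_perms.get(role, set())


def grant_group(core, role, group):
    """Management helper: grant each permission of a group individually."""
    for perm in sorted(PERMISSION_GROUPS[group]):
        core.grant(role, perm)


def special_cases(core, role):
    """Return groups whose members are not all mapped the same way for role.

    Mirrors the management UI idea: a group that is partly granted is a
    special case worth showing to the administrator.
    """
    result = {}
    for group, perms in PERMISSION_GROUPS.items():
        mapping = {p: core.check(role, p) for p in perms}
        if len(set(mapping.values())) > 1:
            result[group] = mapping
    return result
```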