[Zope3-dev] Re: a note on groups and roles

Steve Alexander steve@cat-box.net
Thu, 28 Mar 2002 08:08:48 +0000


Phillip J. Eby wrote:
>
> It seems to me that this could lead to a proliferation of extremely 
> fine-grained permissions, which are then managed by higher-level 
> permissions.

I don't see why. For example, all of your methods could be protected by 
the "Zope.View" permission. This permission is defined by Zope, and 
common to many packages.

I think that groups of permissions are useful. I spent some time talking 
about this with Casey Duncan at the pre-IPC10 sprint. We mocked up some 
UIs, which are on a wiki somewhere.

The notion was that permissions are grouped into logical groups, perhaps 
both by package and by meaning. Permissions may be managed as a group, 
for example by mapping all "Manage Content Permissions" to a particular 
role, rather than selecting each permission of that group individually.

There would be a UI and/or zcml for a system administrator to create new 
groups of permissions and put permissions (non-exclusively) in those groups.

The UI was designed to show when the permissions of a group were not all 
mapped in the same way, so you could see from the management interface 
where your security system had special cases.

However, these groups of permissions exist only for managing and viewing 
security arrangements. As far as the Zope core security system goes, it 
only knows about individual permissions and does not care how they are 
grouped.
This is fine because:

  1: This limits the complexity of the core security system.

  2: The core security system doesn't have a problem dealing with a
     large number of permissions.

So, as far as the core security system is concerned, permissions are 
identified by a FQN, which includes a Python package. However, they are 
not grouped.


> I'm assuming, however, that when you say "protected by a single 
> permission" that there is "only one permission which allows access", as 
> opposed to "only one permission required".  :)

I'm not sure what your distinction is here.

I'm certainly not saying "each permission allows access to only one method".

--
Steve Alexander
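The arrangement described above, as an added illustration that is not code from the thread or from Zope: permissions are plain fully-qualified names, groups are non-exclusive and exist only for management, the core check consults individual permissions only, and a helper flags the "special cases" where a group's permissions are not all mapped to a role the same way. All permission, group and role names below are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

# Constructed FQN-style permission ids (not real Zope permission names).
PERMISSIONS: Set[str] = {"Zope.View", "Zope.Edit", "Zope.Delete", "Zope.Publish"}

# Management-only groups.  A permission may belong to more than one group;
# the core security system never looks at this table.
GROUPS: Dict[str, Set[str]] = {
    "Manage Content Permissions": {"Zope.Edit", "Zope.Delete", "Zope.Publish"},
    "Editor Permissions": {"Zope.View", "Zope.Edit"},
}

# Role -> individually granted permissions.  This is all the core knows about.
ROLE_GRANTS: Dict[str, Set[str]] = {
    "Anonymous": {"Zope.View"},
    "Editor": {"Zope.View", "Zope.Edit"},
    "Manager": {"Zope.View", "Zope.Edit", "Zope.Delete", "Zope.Publish"},
}


def grant_group(role: str, group: str) -> None:
    """Management helper: mapping a whole group to a role simply expands
    into the individual grants, so the core stays unaware of groups."""
    ROLE_GRANTS.setdefault(role, set()).update(GROUPS[group])


def is_allowed(role: str, permission: str) -> bool:
    """Core check: a single permission name against a single role."""
    if permission not in PERMISSIONS:
        raise KeyError(f"unknown permission {permission!r}")
    return permission in ROLE_GRANTS.get(role, set())


def group_special_cases(group: str) -> List[Tuple[str, Set[str], Set[str]]]:
    """Report every role for which the group's permissions are mapped
    non-uniformly (some granted, some not).  Returns (role, granted, missing)
    tuples; roles with none or all of the group granted are consistent."""
    members = GROUPS[group]
    cases = []
    for role, grants in ROLE_GRANTS.items():
        granted = members & grants
        if granted and granted != members:
            cases.append((role, granted, members - granted))
    return cases
```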