[Zope3-dev] User groups
Florent Guillaume
fg@nuxeo.com
Fri, 17 May 2002 12:04:02 +0000 (UTC)
Hi,
Does anybody have any light on this topic?
Thanks,
Florent
Florent Guillaume <fg@nuxeo.com> wrote:
> From: "Brian Lloyd" <brian@ZOPE.COM>
> > The current Zope 3 work is already starting to tackle groups and
> > 'deny' as a first-class part of the security infrastructure, and he
> > noted that it might be a good idea for people interested in getting
> > groups & deny into Z2 to pitch in with those in Zope 3 first.
>
> Hi,
>
> From what I understand, the "deny" and "grouping" discussion that's going
> on in Zope 3 is about grouping of permissions, not of users.
> I'm referring to
> http://dev.zope.org/Wikis/DevSite/Projects/ComponentArchitecture/GroupingPermissions
> here.
>
> The only wiki documents I'm aware of that talk about user grouping are
> http://dev.zope.org/Wikis/DevSite/Projects/ComponentArchitecture/SecurityFramework
> and the one by Lennart:
> http://dev.zope.org/Wikis/DevSite/Projects/ComponentArchitecture/AccessControlProposal
>
> We'll update that last one soon but I wanted to discuss things here
> first too.
>
> What Lennart and I envision for Zope 2 is this:
>
> - A group of users is defined at the user folder level. A group is the
> definition of an id, title, and a list of users that belong to it. A
> group can also be associated with a list of roles, let's call it the
> roleset for that group.
>
> - A user can belong to zero or more groups.
>
> - Today, at the "local roles" level (that is, placefully)
> a user can be associated with an additional set of roles.
>
> We propose that at that same point additional features be available:
>
> - a group can be associated with an additional set of roles, in
> effect locally giving to all users of that group those roles,
>
> - a group can see its roleset applied, in effect locally giving to
> all users of that group the roles defined in the roleset.
>
> - Lennart has an additional feature: blacklists. Instead of simply
> locally adding to the set of roles a user has, there can be "blocking"
> (denying) of roles.
>
>
> All this code can be put shortly in CVS for Zope 2, but Brian wants more
> discussion to ensure that Zope 3 has compatible concepts, which is wise.
>
> For Zope 3 the above concepts can be mirrored, but a group is actually
> also a principal and thus the separation of user and groups at the
> "local role" level is not needed anymore. The "principal" concept
> encompasses both.
>
> The notion of roleset for a principal is a bit hazy, it's a kind of
> "default" set of roles that's only applied locally when needed.
>
> Blocking (denying), being non-monotonous, introduces complexity because
> the order in which things are applied changes the result. I don't know
> the state of Zope 3 in this regard; is there any code yet?
>
>
> Florent
--
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87 http://nuxeo.com mailto:fg@nuxeo.com
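Added example, not part of Florent's message or of Zope itself: a small Python model of the scheme quoted above (groups with a roleset, placeful grants to users and groups, and Lennart's blocking), which makes the ordering problem concrete. The class and function names, and the step tuples, are this example's own assumptions, not Zope's API.

```python
# Model of the quoted proposal: groups defined at the user-folder level carry
# a roleset; at a place, roles are granted to a user or a group, a group's
# roleset may be applied, or roles may be blocked (denied). Because blocking
# is non-monotonic, the order of the placeful steps changes the outcome.
# All names here are assumptions for illustration, not Zope identifiers.

class Group:
    """A group: id, title, member users, and an optional roleset."""
    def __init__(self, gid, title, members, roleset=()):
        self.id = gid
        self.title = title
        self.members = set(members)
        self.roleset = set(roleset)

def effective_roles(user, groups, steps):
    """Fold the placeful steps in order and return the user's roles there.

    Each step is (kind, principal, roles): principal is a user name or a
    group id (a group is treated as a principal, as in the Zope 3 view);
    kind is "grant" (add roles), "roleset" (add the group's roleset) or
    "block" (remove roles). Steps for principals that do not match the
    user, directly or via group membership, are skipped.
    """
    member_of = {g.id: g for g in groups if user in g.members}
    roles = set()
    for kind, principal, payload in steps:
        if principal != user and principal not in member_of:
            continue
        if kind == "grant":
            roles |= set(payload)
        elif kind == "roleset" and principal in member_of:
            roles |= member_of[principal].roleset
        elif kind == "block":
            roles -= set(payload)
    return roles

# Constructed sample data: one group with a roleset, two member users.
EDITORS = Group("editors", "Site editors", ["alice", "bob"],
                roleset={"Editor", "Reviewer"})
GROUPS = [EDITORS]

# Same two steps, opposite order: blocking before the roleset is applied
# is undone by the grant; blocking after it sticks.
BLOCK_THEN_ROLESET = [("block", "editors", ["Reviewer"]),
                      ("roleset", "editors", ())]
ROLESET_THEN_BLOCK = [("roleset", "editors", ()),
                      ("block", "editors", ["Reviewer"])]

if __name__ == "__main__":
    print(effective_roles("alice", GROUPS, BLOCK_THEN_ROLESET))
    print(effective_roles("alice", GROUPS, ROLESET_THEN_BLOCK))
```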