[Zope3-dev] User groups

Florent Guillaume fg@nuxeo.com
Fri, 17 May 2002 12:04:02 +0000 (UTC)


Hi,

Does anybody have any insight on this topic?

Thanks,
Florent

Florent Guillaume  <fg@nuxeo.com> wrote:
> From: "Brian Lloyd" <brian@ZOPE.COM>
> > The current Zope 3 work is already starting to tackle groups and 
> > 'deny' as a first-class part of the security infrastructure, and he 
> > noted that it might be a good idea for people interested in getting 
> > groups & deny into Z2 to pitch in with those in Zope 3 first.
> 
> Hi,
> 
> From what I understand, the "deny" and "grouping" discussion that's going
> on in Zope 3 is about grouping of permissions, not of users.
> I'm referring to
> http://dev.zope.org/Wikis/DevSite/Projects/ComponentArchitecture/GroupingPermissions
> here.
> 
> The only wiki documents I'm aware of that talk about user grouping are
> http://dev.zope.org/Wikis/DevSite/Projects/ComponentArchitecture/SecurityFramework
> and the one by Lennart:
> http://dev.zope.org/Wikis/DevSite/Projects/ComponentArchitecture/AccessControlProposal
> 
> We'll update that last one soon but I wanted to discuss things here
> first too.
> 
> What Lennart and I envision for Zope 2 is this:
> 
> - A group of users is defined at the user folder level. A group is the
>   definition of an id, title, and a list of users that belong to it. A
>   group can also be associated with a list of roles, let's call it the
>   roleset for that group.
> 
> - A user can belong to zero or more groups.
> 
> - Today, at the "local roles" level (that is, placefully)
>   a user can be associated with an additional set of roles.
> 
>   We propose that at that same point additional features be available:
> 
>    - a group can be associated with an additional set of roles, in
>      effect locally giving to all users of that group those roles,
> 
>    - a group can see its roleset applied, in effect locally giving to
>      all users of that group the roles defined in the roleset.
> 
> - Lennart has an additional feature: blacklists. Instead of simply
>   locally adding to the set of roles a user has, there can be "blocking"
>   (denying) of roles.
> 
> 
> All this code can be put shortly in CVS for Zope 2, but Brian wants more
> discussion to ensure that Zope 3 has compatible concepts, which is wise.
> 
> For Zope 3 the above concepts can be mirrored, but a group is actually
> also a principal and thus the separation of user and groups at the
> "local role" level is not needed anymore. The "principal" concept
> encompasses both.
> 
> The notion of roleset for a principal is a bit hazy, it's a kind of
> "default" set of roles that's only applied locally when needed.
> 
> Blocking (denying), being non-monotonic, introduces complexity because
> the order in which things are applied changes the result. I don't know
> the state of Zope 3 in this regard; is there any code yet?
> 
> 
> Florent
-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87  http://nuxeo.com  mailto:fg@nuxeo.com
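As an added illustration (not code from this thread, and not Zope's own implementation), a small Python model of the scheme described in the message, with assumed names: groups carrying a roleset, per-place grants for users and groups, and Lennart's blocking entries. `demo()` resolves the same three-level acquisition chain under two plausible orderings and gets different role sets, which is exactly the non-monotonic ordering problem the message raises.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    id: str
    members: set = field(default_factory=set)
    roleset: set = field(default_factory=set)   # "default" roles, used only where a place applies them

@dataclass
class Place:  # local-role settings of one container/object in the acquisition chain (assumed layout)
    user_roles: dict = field(default_factory=dict)    # user id -> extra roles granted here
    group_roles: dict = field(default_factory=dict)   # group id -> extra roles granted here
    apply_roleset: set = field(default_factory=set)   # group ids whose roleset is applied here
    blocked: dict = field(default_factory=dict)       # user id -> roles denied (blocked) here

def grants_at(user, groups, place):
    """Roles granted to `user` at this place, directly or via group membership."""
    roles = set(place.user_roles.get(user, ()))
    for g in groups:
        if user in g.members:
            roles |= set(place.group_roles.get(g.id, ()))
            if g.id in place.apply_roleset:
                roles |= g.roleset
    return roles

def roles_collect_then_block(user, groups, chain):
    """Reading 1: union every grant along the chain, then remove every block (deny always wins)."""
    granted, denied = set(), set()
    for place in chain:
        granted |= grants_at(user, groups, place)
        denied |= set(place.blocked.get(user, ()))
    return granted - denied

def roles_in_order(user, groups, chain):
    """Reading 2: apply each place root-to-leaf; a deeper grant can undo a block made above it."""
    roles = set()
    for place in chain:
        roles |= grants_at(user, groups, place)
        roles -= set(place.blocked.get(user, ()))
    return roles

def demo():
    # Constructed sample data: alice is an editor; a folder blocks her Reviewer role,
    # but a document inside that folder grants Reviewer to her again.
    editors = Group("editors", members={"alice"}, roleset={"Editor"})
    chain = [
        Place(group_roles={"editors": {"Reviewer"}}),                       # root: group local role
        Place(apply_roleset={"editors"}, blocked={"alice": {"Reviewer"}}),  # folder: roleset + block
        Place(user_roles={"alice": {"Reviewer"}}),                          # document: direct re-grant
    ]
    return roles_collect_then_block("alice", [editors], chain), roles_in_order("alice", [editors], chain)
```

Same configuration, two answers ({'Editor'} versus {'Editor', 'Reviewer'}): a deny model has to fix which reading is intended before Zope 2 and Zope 3 can be called compatible.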