[Zope3-dev] Re: Security Model
Evan Simpson
evan at 4-am.com
Fri Dec 5 11:56:21 EST 2003
Shane Hathaway wrote:
> Zope lacks a very neat feature, though: in Oracle, you can grant a
> role to other roles. I don't think this capability is yet planned for
> Zope 3. Roles that support inheritance could be an excellent way to
> simplify security.
[Excellent, clear explanation snipped]
> I see two strategies for inventing a user interface based on these
> concepts. We could call everything managed by site managers "roles".
> I presume this is basically the route Oracle takes. What would be
> much cooler would be to let site managers define their own security
> nomenclature. When you add a security moniker like 'Editor', you
> would also select what kind of moniker it is
That's not just cooler, it's critical to making this scheme usable.
Roles, workgroups, permissions, privileges, and so forth can be
abstractly treated as simple classification labels. These labels can be
applied to other labels and directly to users. As you point out, all
questions about group membership and security boil down to asking
whether there is a chain linking a user to a group label or a security
permission label. It doesn't take very many labels before the
collection becomes unmanageable, though -- just look at the Security tab
of a typical Zope Folder.
Cheers,
Evan @ 4-am
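
The chain test described in the message above, as an added example that is not part of the original post or of Zope's code: every role, workgroup and permission is a label with a site-defined kind, labels can be granted to users or to other labels, and an access question is a search for a chain of grants. The class, method and label names are hypothetical, and the sample grants are constructed.

```python
from collections import deque

class LabelGraph:
    """Users and labels are nodes; a grant is a directed edge holder -> label."""

    def __init__(self):
        self.grants = {}  # holder (user or label) -> labels granted to it
        self.kinds = {}   # label -> site-defined kind ('role', 'workgroup', ...)

    def define(self, label, kind):
        self.kinds[label] = kind

    def grant(self, label, to):
        if label not in self.kinds:
            raise KeyError(f"undefined label: {label}")
        self.grants.setdefault(to, set()).add(label)

    def chain(self, user, target):
        """Shortest chain of grants from user to target, or None.
        The visited map makes the search terminate on cyclic grants."""
        parents = {user: None}
        queue = deque([user])
        while queue:
            node = queue.popleft()
            if node == target:
                path = []
                while node is not None:
                    path.append(node)
                    node = parents[node]
                return path[::-1]
            for label in sorted(self.grants.get(node, ())):
                if label not in parents:
                    parents[label] = node
                    queue.append(label)
        return None

def build_sample():
    """Constructed sample data, including a role cycle (Editor <-> Reviewer)."""
    g = LabelGraph()
    for label, kind in [("Editor", "role"), ("Reviewer", "role"),
                        ("Newsroom", "workgroup"),
                        ("Modify content", "permission"),
                        ("Publish content", "permission")]:
        g.define(label, kind)
    g.grant("Newsroom", to="user:alice")
    g.grant("Editor", to="Newsroom")
    g.grant("Reviewer", to="Editor")
    g.grant("Editor", to="Reviewer")   # cyclic grant between two roles
    g.grant("Modify content", to="Editor")
    g.grant("Publish content", to="Reviewer")
    g.grant("Reviewer", to="user:bob")
    return g
```

Returning the chain rather than a bare yes/no lets an administrator see which intermediate labels an access decision depends on.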