[Zope3-dev] Re: Security Model
Shane Hathaway
shane at zope.com
Fri Dec 5 12:28:12 EST 2003
On Fri, 5 Dec 2003, Evan Simpson wrote:
> [Excellent, clear explanation snipped]
Thanks.
> > I see two strategies for inventing a user interface based on these
> > concepts. We could call everything managed by site managers "roles".
> > I presume this is basically the route Oracle takes. What would be
> > much cooler would be to let site managers define their own security
> > nomenclature. When you add a security moniker like 'Editor', you
> > would also select what kind of moniker it is
>
> That's not just cooler, it's critical to making this scheme usable.
> Roles, workgroups, permissions, privileges, and so forth can be
> abstractly treated as simple classification labels. These labels can be
Ah, label. That's the word I was looking for in place of "moniker". :-)
> applied to other labels and directly to users. As you point out, all
> questions about group membership and security boil down to asking
> whether there is a chain linking a user to a group label or a security
> permission label. It doesn't take very many labels before the
> collection becomes unmanageable, though -- just look at the Security tab
> of a typical Zope Folder.
Right. That's why I'd like to give site managers the ability to manage
the label types. Zope 3 might ship with only two kinds of labels: 'group'
and 'role'. I can imagine an extra-simplified Zope 3 that provides only
one label type, 'group'. Sites add their own label types only as needed.
I'd also like a user interface that lets you manage security as a list of
rules. I have a hypothesis that if your site's security policy is so
complicated that you need to manage it using a grid rather than a set of
rules, perhaps you need to simplify your policy.
Shane
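The label scheme discussed in this thread (labels of site-defined kinds applied to users or to other labels, with every access question reduced to "is there a chain from the user to the permission label?") and the rule-list view Shane proposes, shown as an added example. This is not Zope 3 code and not code from any poster in the thread; the kind names, the user and label names, and the cycle check in `apply` are constructed for illustration.

```python
from collections import deque


class LabelPolicy:
    """Security labels of site-defined kinds, applied to users or to other labels.

    An access question reduces to a reachability question: is there a chain
    of label applications linking the user to the permission label?
    """

    def __init__(self, label_kinds=("group", "role", "permission")):
        self.kinds = set(label_kinds)   # label types, managed by the site
        self.label_kind = {}            # label name -> kind
        self.users = set()
        self.applied = {}               # subject (user or label) -> labels applied to it

    def add_kind(self, kind):
        """Sites add their own label kinds only as needed."""
        self.kinds.add(kind)

    def add_user(self, name):
        if name in self.label_kind:
            raise ValueError(f"{name!r} is already a label")
        self.users.add(name)

    def define(self, label, kind):
        if kind not in self.kinds:
            raise ValueError(f"unknown label kind {kind!r}")
        if label in self.users:
            raise ValueError(f"{label!r} is already a user")
        self.label_kind[label] = kind

    def apply(self, label, subject):
        """Apply `label` to `subject`, which is a user or another label."""
        if label not in self.label_kind:
            raise ValueError(f"undefined label {label!r}")
        if subject not in self.users and subject not in self.label_kind:
            raise ValueError(f"unknown subject {subject!r}")
        # Constructed safeguard: if `subject` is already reachable from `label`,
        # applying `label` to `subject` would close a loop in the label graph.
        if subject in self.label_kind and self.chain(label, subject) is not None:
            raise ValueError(f"applying {label!r} to {subject!r} creates a cycle")
        self.applied.setdefault(subject, set()).add(label)

    def chain(self, start, target):
        """Breadth-first search for a chain start -> ... -> target.

        Returns the chain as a list of names, or None when no chain exists.
        """
        parent = {start: None}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            if node == target:
                path = []
                while node is not None:
                    path.append(node)
                    node = parent[node]
                return path[::-1]
            for label in sorted(self.applied.get(node, ())):
                if label not in parent:       # visited set doubles as cycle guard
                    parent[label] = node
                    queue.append(label)
        return None

    def allowed(self, user, permission):
        """Is `user` linked to the permission label by some chain?"""
        if self.label_kind.get(permission) != "permission":
            raise ValueError(f"{permission!r} is not a permission label")
        return self.chain(user, permission) is not None

    def rules(self):
        """The whole policy as a flat, readable list of rules (not a grid)."""
        out = []
        for subject in sorted(self.applied):
            for label in sorted(self.applied[subject]):
                out.append(f"{self.label_kind[label]} {label!r} -> {subject!r}")
        return out


def build_example():
    """Constructed sample site: two built-in kinds plus one the site added."""
    p = LabelPolicy()
    p.add_kind("workgroup")               # a site-defined label kind
    for user in ("alice", "bob", "carol"):
        p.add_user(user)
    p.define("Editors", "group")
    p.define("Editor", "role")
    p.define("edit-content", "permission")
    p.apply("Editors", "alice")           # group label applied to a user
    p.apply("Editor", "Editors")          # role label applied to a group label
    p.apply("edit-content", "Editor")     # permission label applied to a role label
    p.apply("edit-content", "carol")      # permission label applied directly to a user
    return p


if __name__ == "__main__":
    policy = build_example()
    print(policy.chain("alice", "edit-content"))   # the chain that grants alice access
    print(policy.allowed("bob", "edit-content"))   # bob has no chain
    print("\n".join(policy.rules()))
```

`chain` returns the actual path, so an audit of "why can alice edit content?" answers with the sequence of label applications rather than a yes/no; `rules` is the flat list view, and the cycle check in `apply` is there because a BFS over a graph with loops only stays correct thanks to its visited set, and a looping label graph is almost always a configuration mistake.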