[Zope3-dev] a note on groups and roles
Lennart Regebro
regebro at nuxeo.com
Wed Nov 19 13:06:01 EST 2003
Martijn Faassen wrote:
> I'm not sure what you mean here. Roles should be assigned to groups just like
> to any other principal like a user, so why is a separate service needed?
No, because that may not be the case at all. For example, the groups may
contain role assignments in themselves.
I wrote a proposal about that once upon a time, which was favourably
received by those few who read it. Yeah, I know, it's too long. :)
http://dev.zope.org/Wikis/DevSite/Projects/ComponentArchitecture/AccessControlProposal
For this post you only need to read the groups part.
Roles and simple groups are both sets of groupings, to allow you to
assign a fixed set of permissions to users. They therefore overlap in a
way that doesn't extend the flexibility much. By letting groups contain
role mappings you add another dimensionality on the access control. Much
neater.
If we DON'T implement flexibility in this, and have just a fixed built
in non-replaceable and non-extendable type of groups, I think at least
this should be implemented, so we have groups that are really useful.
Of course, nothing prevents you from assigning roles to these groups
too, and hence you can get both worlds. :)
> The 'service you need for munging roles' bit I'm not sure I comprehend
> either -- what does it do?
Allow you to extend and modify the role assignment principles. With, for
example, role blacklists.