[Zope3-dev] Re: a note on groups and roles
Garrett Smith
garrett at mojave-corp.com
Thu Nov 20 14:04:10 EST 2003
Martijn Faassen wrote:

> I also think that in Zope 3 it should be typical that such grants depend
> on context; I think local roles are very important.

Absolutely -- this is certainly the typical mode for our application.

> A workgroup is a list of users + groups with permission/role grants.
> (it looks like there's a concept of 'IRoleGrantable' which is possible
> for both users and groups in a location..)

It seems we could avoid the new term 'workgroup' if groups could contain
other groups.

> If a workgroup is 'added' to a location, then the user and groups in the
> group will gain the specified grants in this location. It's a different
> kind of "macro" than the role or the group again.

With respect to *location*, my understanding is that:

- Permissions can be associated with roles
- Principals can be granted roles

I'm not aware of any notion of located *principals* -- these are site
wide. While principals can be *defined* in different locations, the
principals themselves aren't located. (Maybe I'm confused here.)

Similarly, I would expect that groups would also be site wide -- there
would be no such thing as 'adding' a group to a location. However, I would
expect to see a facility that allowed groups to be redefined for a
location -- i.e. a group may have a different set of principals for a
particular location. This is analogous to 'local role permissions'.

> A workgroup is a convenience that saves the headache of granting *different*
> users/groups different permissions/roles with the same pattern in multiple
> locations.

If I am reading this correctly, this functionality can be covered by
redefining the principals for a group in a particular location -- called
'local group principals' perhaps?

-- Garrett
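
The 'local group principals' idea from the message above, as an added sketch that is not part of the original message and is not Zope 3 code. Every class and function name is hypothetical, and it assumes a redefinition applies to the location and everything below it, with membership evaluated at the location being accessed.

```python
# Hypothetical model, not Zope 3 API: every name here is illustrative.
from dataclasses import dataclass, field


@dataclass
class Location:
    name: str
    parent: "Location | None" = None
    # group name -> principals; replaces the site-wide membership from here down
    local_group_principals: dict = field(default_factory=dict)
    # group name -> roles granted to that group at this location
    group_roles: dict = field(default_factory=dict)

    def lineage(self):
        """Yield this location, then each ancestor up to the site root."""
        loc = self
        while loc is not None:
            yield loc
            loc = loc.parent


def group_members(site_groups, group, location):
    """Nearest local redefinition wins; otherwise the site-wide definition."""
    for loc in location.lineage():
        if group in loc.local_group_principals:
            return set(loc.local_group_principals[group])
    return set(site_groups.get(group, ()))


def roles_for(site_groups, principal, location):
    """Roles a principal holds at a location through group membership."""
    roles = set()
    for loc in location.lineage():
        for group, granted in loc.group_roles.items():
            # Membership is resolved at the accessed location (an assumption).
            if principal in group_members(site_groups, group, location):
                roles |= set(granted)
    return roles


# Constructed sample data: one site-wide group, redefined under "hr".
SITE_GROUPS = {"editors": {"alice", "bob"}}
root = Location("root", group_roles={"editors": {"Editor"}})
docs = Location("docs", parent=root)
hr = Location("hr", parent=root, local_group_principals={"editors": {"carol"}})
hr_files = Location("files", parent=hr)
```

Under these assumptions a local redefinition both grants and revokes: the site-wide members of `editors` lose the inherited `Editor` role below `hr`, so a review of effective access has to resolve membership per location.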