[Zope3-dev] a note on groups and roles

[Lennart Regebro]

From: "Martijn Faassen" <faassen at infrae.com>
> The concept of a group meaning that everybody in that group has the
> *same* role assigned to them is extremely useful all by itself. You can
> assign a class of users a role (like 'allowed to access this part of the
site').

Yes, sure. But how often to that class of users map to something real, that
is not actually a role, and not an organisatonal entity? Most of the time,
it's an organisational entity. And in organisational entities, you typically
have different roles for different people.

> I don't think conflating the workgroup concept with the group concept
> this way is very useful if what I say above about workgroups and groups
> offering different functionalities is true.

Well they to. Groups are simply a way to assigning local roles to several
users at once. Workgroups is a way to let role assignments be based on your
organisational position. That is, you don't have to make a separate group
for people who are bosses, you instead add them into their organisational
group, as a boss, and the will have boss priviliges wherever the group is
active. So, yes, the functionality is different.

I can imagine that there may be cases where you want all over the
organisational group to have an additional role as well, though. Even if I
actually can't think of such a case right now. :-)

> security hooks in the name of efficiency. For instance, if group
membership
> is defined globally, you only need to calculcate what group a user is in
> once per request, not once per object (which you'd need to do if there
> were hooks or locally defined groups).

Yes, but in both cases groups membership are defined globally, so that
doesn't make a difference. The problem with completely generic hooks is that
it's hard to make efficient shortcuts. You may have to calculate the roles
from top to bottom, instead of as now, from the bottom to the top, and then
bail out once you found a matching role.