[Zope3-dev] Re: a note on groups and roles

Jim Fulton jim at zope.com
Fri Nov 21 13:39:29 EST 2003


Y'all:

Please see:

   http://dev.zope.org/Zope3/Zope3SecurityModel

This is a bit out of date, but the core ideas, wrt this discussion
are still current.

Also see:

   http://dev.zope.org/Zope3/Principal

Note that this quotes a standard definition of the term. Note the
emphasis on something one can attach authorization to. There is
not an emphasis on auditing.

Also:

   http://dev.zope.org/Zope3/User
   http://dev.zope.org/Zope3/Role
   http://dev.zope.org/Zope3/Group
   http://dev.zope.org/Zope3/Principal

The terms being debated here are defined in the Glossary:

   http://dev.zope.org/Zope3/Glossary

which illustrates that writing documentation is futile. ;)

I haven't read all of the messages in this thread in detail, although
I've tried to skim most of them.  I think Martijn has a pretty solid
understanding of the model, or, at least he did at the start.

I'm open to revisiting the definitions we came up with almost 2 years
ago.  If we do though, we should use the current definitions as a
base line.  IOW, any possible debate should start from a study of
the current documentation.

WRT implementation status:

   - Groups are not implemented at all.

   - The ability for roles to be treated like "hats" hasn't been
     implemented yet. I think this could be pretty important.

   - The current implementation of the Zope security policy uses annotations
     to store authorization information on objects.

One of the projects I plan to do soon (for some definition of soon) is
to reorganize the security software that is associated with the existing zope
security policy into a separate package, to clarify the components that
depend on the security policy and what is entailed in plugging in an alternative
policy.  At the same time, I'd like to come up with an implementation of a Zope
security policy that:

   - Is similar to the existing one conceptually, but

   - Stores authorization information centrally to:

     o Improve performance, and to

     o Provide better management and auditing

   - Perhaps provides an architecture that allows ways of organizing
     authorization information other than location.

Jim

-- 
Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org
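The status list above describes a policy in which permissions are granted to roles, roles to principals, grants hang off objects as annotations and are found by walking an object's location (containment) chain, with roles possibly acting as "hats" and a central grant store as the proposed alternative. The following is an added illustration of that model in plain Python; it is not Jim's code and not Zope's API. The class names, the `annotations` dict, the `hats` argument, the site layout and the permission string `zope.ManageContent` are all assumptions made for the example.

```python
"""Toy model of a location-based authorization policy: permissions are
granted to roles, roles to principals, and a check walks the object's
containment chain looking for grants.  Two grant stores are shown: grants
kept as annotations on each object, and the same grants held centrally
keyed by object path.  All names here are assumptions for the example."""
from dataclasses import dataclass, field


@dataclass
class Obj:
    """A content object with a location (its parent), like a container."""
    name: str
    parent: "Obj | None" = None
    annotations: dict = field(default_factory=dict)  # per-object annotation bag

    def path(self) -> str:
        if self.parent is None:
            return "/"
        return self.parent.path().rstrip("/") + "/" + self.name


def chain(obj):
    """Yield obj, its parent, its grandparent, ... up to the root."""
    while obj is not None:
        yield obj
        obj = obj.parent


class AnnotationStore:
    """Grants live on the object itself, in an annotation keyed by KEY."""
    KEY = "example.grants"

    def _bucket(self, obj):
        return obj.annotations.setdefault(self.KEY, {"roles": {}, "perms": {}})

    def grant_role(self, obj, principal, role):
        self._bucket(obj)["roles"].setdefault(principal, set()).add(role)

    def grant_permission(self, obj, role, permission):
        self._bucket(obj)["perms"].setdefault(role, set()).add(permission)

    def roles_at(self, obj, principal):
        return self._bucket(obj)["roles"].get(principal, set())

    def perms_at(self, obj, role):
        return self._bucket(obj)["perms"].get(role, set())


class CentralStore:
    """The same grants, held in one table keyed by object path."""

    def __init__(self):
        self.roles = {}   # (path, principal) -> {role}
        self.perms = {}   # (path, role) -> {permission}

    def grant_role(self, obj, principal, role):
        self.roles.setdefault((obj.path(), principal), set()).add(role)

    def grant_permission(self, obj, role, permission):
        self.perms.setdefault((obj.path(), role), set()).add(permission)

    def roles_at(self, obj, principal):
        return self.roles.get((obj.path(), principal), set())

    def perms_at(self, obj, role):
        return self.perms.get((obj.path(), role), set())

    def audit(self, principal):
        """Every role grant for a principal, site-wide, without visiting objects.
        With annotations this would require traversing the whole site."""
        return sorted((path, role)
                      for (path, p), rs in self.roles.items() if p == principal
                      for role in rs)


def check_permission(store, principal, permission, obj, hats=None):
    """True if principal may exercise permission on obj.
    Roles are collected up the location chain.  If hats is given, roles act
    like hats: only the ones the principal has put on count for this check."""
    roles = set()
    for node in chain(obj):
        roles |= store.roles_at(node, principal)
    if hats is not None:
        roles &= set(hats)
    for node in chain(obj):
        for role in roles:
            if permission in store.perms_at(node, role):
                return True
    return False


def demo(store):
    """Build a constructed three-level site, grant, and check a few cases."""
    root = Obj("root")
    docs = Obj("docs", root)
    memo = Obj("memo", docs)
    store.grant_permission(root, "Editor", "zope.ManageContent")  # role -> permission at root
    store.grant_role(docs, "alice", "Editor")                      # principal -> role at /docs
    perm = "zope.ManageContent"
    return {
        "alice_in_docs": check_permission(store, "alice", perm, memo),
        "alice_at_root": check_permission(store, "alice", perm, root),
        "bob": check_permission(store, "bob", perm, memo),
        "alice_no_hat": check_permission(store, "alice", perm, memo, hats=[]),
        "alice_with_hat": check_permission(store, "alice", perm, memo, hats=["Editor"]),
    }


if __name__ == "__main__":
    print(demo(AnnotationStore()))
    central = CentralStore()
    print(demo(central), central.audit("alice"))
```

Both stores answer every check identically, since `check_permission` only depends on the `roles_at`/`perms_at` lookups; the difference the post points at is visible in `CentralStore.audit`, which lists a principal's grants across the site in one pass, something an annotation store can only do by touching every object. The `hats` argument is the one speculative part: it models a role that a principal holds but must actively put on, so that holding "Editor" at `/docs` grants nothing until the principal chooses to wear it.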