AW: [Zope3-dev] Re: role (contextual) services?

Roger ineichen dev at projekt01.ch
Sun Apr 4 11:11:14 EDT 2004


> I would like to have a standard implementation of groups in Zope 3.
> If you allow them to be a general graph, like Tres said, it will
> satisfy 95% of the users.
> 
> Note however, that a new security policy might not be necessary.
> Groups are really just principals. So it might be enough to deal with
> them in an authentication service level. Mmmh, maybe not. I guess the
> security policy would need to know about groups as well.
> 
> Shane once suggested that there is a common pattern here.
> 
> Groups contain Users contain Roles contain Permissions
> 
> for some definition of "contain". Of course a Group can be assigned
> roles and permissions directly too. But I wonder whether we could
> abstract the security policy in a way that we could insert a new
> segment in this path at any time. If all the information lies in one
> registry, then this could be really fast as well.
> 
> From the TODOLATER.txt list:
> 
> - Support for groups in the security model. No one has been
>   interested in working on this and, at this point, there are
>   too many other things to do. We *are* committed to adding this
>   eventually.
> 
> - Support for permission categories in the security model. No
>   one has been interested in working on this and, at this point,
>   there are too many other things to do. We *are* committed to
>   adding this eventually assuming that it becomes necessary due
>   to a large number of permissions.
> 
> So these suggest that there will be at least two more new security
> artifacts...

I don't think I got this right; 
A permission category collects permissions in a category
say: 
Category Editor has the permissions:
- "Edit Content"
- "View Content"

Isn't that a role? What exactly is a Permission Category?

Is a permission category a "permission" where we can
abstract permissions of components,
and this permission category acts as one permission?
Like a mapping:

permission "DoAll" is a mapping to the permission
- "Edit View"
- "View Content"

This lets you give the permission "DoAll" to the Role "Master"?
This would mean we can simplify and map a lot of permissions
from different packages together in a usable way.
Like "Edit Wiki" "Edit Document" can be mapped to "Edit".
This would sometimes make life easier. ;-)

> Regards,
> Stephan
> -- 
> Stephan Richter
> CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. 
> student) Web2k - Web Software Design, Development and Training
> 
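A sketch of the chain discussed in this thread, added here as an illustration and not code from Zope 3 or from either poster: groups form a general graph of principals, roles are granted to principals, and a permission category is modelled as a name that expands to other permissions. That reading of "permission category" follows the "DoAll" mapping in the message and is an assumption the thread does not confirm; all identifiers and sample data are constructed.

```python
# Added illustration in plain Python; none of these names are Zope 3 API.

# Permission categories: one name standing for several permissions (may nest).
CATEGORIES = {
    "Edit": {"Edit Wiki", "Edit Document"},
    "DoAll": {"Edit", "View Content"},
}
# Roles are granted permissions or categories.
ROLE_GRANTS = {
    "Master": {"DoAll"},
    "Reader": {"View Content"},
}
# Groups are principals too, so roles attach to users and groups alike.
PRINCIPAL_ROLES = {
    "group:staff": {"Reader"},
    "group:admins": {"Master"},
}
# Membership edges: principal -> groups it belongs to. A general graph,
# so the constructed data contains a cycle (admins <-> ops) on purpose.
MEMBER_OF = {
    "user:roger": {"group:staff"},
    "user:stephan": {"group:admins"},
    "group:admins": {"group:ops"},
    "group:ops": {"group:admins"},
}

def closure(start, edges):
    """Every node reachable from start, start included; safe on cycles."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(edges.get(node, ()))
    return seen

def effective_permissions(principal):
    """Walk principal -> groups -> roles -> grants -> expanded categories."""
    perms = set()
    for member in closure(principal, MEMBER_OF):
        for role in PRINCIPAL_ROLES.get(member, ()):
            for grant in ROLE_GRANTS.get(role, ()):
                # The category name itself stays in the set, so a check
                # against "Edit" passes for anyone holding that category.
                perms |= closure(grant, CATEGORIES)
    return perms

def check(principal, permission):
    """Deny by default: unknown principals resolve to an empty set."""
    return permission in effective_permissions(principal)
```
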



