[Zope3-dev] RFC: Aggregate Permissions and Principal Groups

Jim Fulton jim at zope.com
Tue Aug 3 06:55:28 EDT 2004


Florent Guillaume wrote:
> In article <41002A9B.80906 at zope.com> you write:
> 
>>   http://dev.zope.org/Zope3/AggregatePermissionsAndPrincipalGroups
>>
>>to replace roles with aggregated permissions and add principal groups
>>after Zope X3.0.
> 
> 
> Also, is there somewhere a list of use cases for the grant/deny stuff ?

No, there isn't. There should be.

> I'd like to be sure that all the ones we have are modeled in a natural
> manner.

Perhaps you can put your use cases in the wiki somewhere, or provide a link.


> Also it would be nice if it was pluggable as I'm sure there will
> be needs to extend the model at some point.

Well, the security policy itself is pluggable.

> For instance is there a way
> to say
>   grant View here to group_secretary but not bob (even if he's in the group)

Yes

> and also be able to say
>   deny View here to group_secretary but still allow bob

Yes

> Finally I'm not sure I completely understand the algorithm for
> grant/deny you outline. Examples would be nice.

Agreed. I'll add these when I have time.

> I'll expand on my use
> cases and the current algorithm we use in CPS in Zope 2 (which however
> has explicit distinction between users and groups of users) early next
> week.

Great.

I'll note that the semantics of Deny are very difficult.  I punted for
now and decided that the rules for grant and deny should be the same, but
that's really not ideal.  Unfortunately, really doing deny "right", imo,
adds far more complexity than we want at this time. (IMO, you should
only be able to deny what you've granted, whatever that means. ;)

Jim

-- 
Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org