[Zope3-dev] RFC: Aggregate Permissions and Principal Groups

[Nicolas Évrard]

* Jim Fulton  [22:59 22/07/04 CEST]: 

Fowarded to this list since I pressed 'r' instead of 'L'.

>I've posted a proposal:
>
>   http://dev.zope.org/Zope3/AggregatePermissionsAndPrincipalGroups
>
>to replace roles with aggregated permissions and add principal groups
>after Zope X3.0.
>
>Comments are welcome.

Ok, here are the idea I had while reading the proposal and talking about
it with Roger.

- Groups as Principals: Really fine, Roger and I talked about it a few
  days ago and it seems a very good idea the me. Moreover I wonder will
  it be possible to have principal inside group inside group inside
  group ? This is not exactly the same as Aggregate Permissions but
  serve the same purpose.

- Aggregate permissions: Fine too. It will be more easy to create
  "package" of permissions and to assign them.

I'm really happy with these two concepts.

When talking about Aggregate Permissions, you say: "There is a direct
allow grant if there is an allow grant on the object, including acquired
grants. (Obviously, inner grants override outer grants,
object-location-wise.)"

So I suppose there will be some sort of a local service that will define
the permissions on the container in which this service is located. But
then where is the mapping Principals/Group located.

Not in the authentication service as this is a "corruption" of the idea
of authentication. A global service or a local one ? The global one has
the advantage to have one unique location that define security add that
to the location-wise permission and everything is done. The local one
add a more fine-grained control but I think it is redudant with
"location-wiseabilty" of the permissions.

Anyway correct me if I don't see things the right way or if i did
understand fully the proposa (or anything else).

-- 
(°>  Nicolas Évrard
/ )  Liège - Belgique
^^   Listening to: Change the guard
                   Steve Coleman and Five Elements