[Zope3-dev] RFC: Aggregate Permissions and Principal Groups

Nicolas Évrard nicoe at no-log.org
Thu Jul 29 18:40:26 EDT 2004 

* Florent Guillaume  [17:44 29/07/04 CEST]: 
>In article <41002A9B.80906 at zope.com> you write:
>>    http://dev.zope.org/Zope3/AggregatePermissionsAndPrincipalGroups
>> 
>> to replace roles with aggregated permissions and add principal groups
>> after Zope X3.0.
>
>Also, is there somewhere a list of use cases for the grant/deny stuff ?
>I'd like to be sure that all the ones we have are modeled in a natural
>manner. Also it would be nice if it was pluggable as I'm sure there will
>be needs to extend the model at some point. For instance is there a way
>to say

Let's repeat the proposed algo used to determine access on ressource:
 
 When the security policy checks whether a principal has a permission on
 an object it will check to see if there is an "allow" grant for the
 permission:

    * There is an allow grant for a permission if:
          o there is a direct allow grant or                      (1.1)
          o there is not a direct deny grant and there is an 
            indirect allow grant                                  (1.2)

    * There is a direct allow grant if there is an allow grant on the
      object, including acquired grants. (Obviously, inner grants
      override outer grants, object-location-wise.)                 (2)
    
    * There is a direct deny grant if there is an deny grant on the
      object, including acquired grants.                            (3)
    
    * There is an indirect allow grant for a permission if there is an
      allow grant on any of the permission's parents.               (4)


And now that's how I interpret it, correct me if I'm wrong:

>  grant View here to group_secretary but not bob (even if he's in the group)

permissions: view and parent_view (containing view)

direct allow grant on group_secretary for parent_view
direct deny grant on bob for view

since the allow grant for view is indirect on bob, the deny grant take
precedence.

>  deny View here to group_secretary but still allow bob

no need for another permission.

direct allow grant on bob for view
direct deny grant for group_secretary on view

-- 
(°>  Nicolas Évrard
/ )  Liège - Belgique
^^   Listening to: Fish
                   An Pierlé

More information about the Zope3-dev mailing list