[Zope3-dev] Permission granularity/permission groups

Garrett Smith garrett at mojave-corp.com
Wed Feb 9 12:37:38 EST 2005


As I define the permissions for my application, two things strike me:

- I'm wanting to group permissions -- e.g. 'manage content' might be a
permission that also includes 'add content', 'modify content', and
'delete content'.

- Because permission grouping is yet another complexity layer, I'm
thinking that creating fine level permissions is better than generalized
permissions (i.e. scrap 'manage' in favor of separate 'add', 'modify',
and 'delete') -- I can then get permission groups using roles.

So my questions:

1 - Do people generally agree that permission groups are unneeded because
the same effect can be accomplished using roles (and perhaps otherwise
bad for complexity/performance reasons)?

2 - When defining permissions for an application, is it better to start
with fine level permissions -- i.e. try to get everything right from the
start? Or is there a good strategy to start with more general
permissions and migrate an app later as needs require?

My concern in question 2 is that I'm not sure what permissions are
'correct' and would prefer to start at a high level and move to finer
level permissions over time. But won't this imply complicated upgrade
scripts over time?

 -- Garrett
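
The coarse-to-fine migration raised in question 2, as an added example that is not part of the original post and is not Zope code: it models roles as plain sets of permission ids, splits 'manage content' into the three fine permissions, and checks that the upgrade step changes nobody's effective access before any role is narrowed. The role names, the 'view content' permission and all function names are assumptions made for illustration.

```python
# Constructed model for illustration; this is not Zope's security API.
COARSE = "manage content"
FINE = ("add content", "modify content", "delete content")

# Constructed sample grants (role -> permissions) using the coarse permission.
GRANTS_V1 = {
    "Manager": {"manage content", "view content"},
    "Editor": {"manage content"},
    "Reader": {"view content"},
}

def allowed(grants, roles, permission):
    """True if any of the principal's roles carries the permission."""
    return any(permission in grants.get(r, ()) for r in roles)

def split_permission(grants, coarse, fine):
    """Upgrade step: replace `coarse` with the `fine` permissions in every role."""
    migrated = {}
    for role, perms in grants.items():
        perms = set(perms)
        if coarse in perms:
            perms.remove(coarse)
            perms.update(fine)
        migrated[role] = perms
    return migrated

def access_preserved(before, after, coarse, fine):
    """Invariant for the upgrade: each role holds a fine permission exactly when
    it held the coarse one, keeps its other permissions, and the coarse id is gone."""
    for role in before:
        had = allowed(before, [role], coarse)
        if any(allowed(after, [role], f) != had for f in fine):
            return False
        if not (before[role] - {coarse}) <= after.get(role, set()):
            return False
    return coarse not in set().union(*after.values())

def migrate_and_narrow():
    """Split first (no access change), then tighten one role as a separate step."""
    v2 = split_permission(GRANTS_V1, COARSE, FINE)
    assert access_preserved(GRANTS_V1, v2, COARSE, FINE)
    v2["Editor"].discard("delete content")  # least-privilege change, made explicitly
    return v2

if __name__ == "__main__":
    for role, perms in sorted(migrate_and_narrow().items()):
        print(role, sorted(perms))
```

Code that checks 'manage content' at call sites has to switch to the fine permission in the same release, since the coarse id no longer appears in any grant after the split.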

