[Zope3-dev] Permission granularity/permission groups
Jim Fulton
jim at zope.com
Wed Feb 9 12:39:52 EST 2005
Garrett Smith wrote:
> As I define the permissions for my application, two things strike me:
>
> - I'm wanting to group permissions -- e.g. 'manage content' might be a
> permission that also includes 'add content', 'modify content', and
> 'delete content'.
>
> - Because permission grouping is yet another complexity layer, I'm
> thinking that creating fine level permissions is better than generalized
> permissions (i.e. scrap 'manage' in favor of separate 'add', 'modify',
> and 'delete') -- I can then get permission groups using roles.
>
> So my questions:
>
> 1 - Do people generally agree that permission groups is unneeded because
> the same effect can be accomplished using roles (and perhaps otherwise
> bad for complexity/performance reasons).

Assuming that you don't let users grant permissions to roles, then
I think that roles is an acceptable short-term alternative to permission
groups. I don't have time to implement permission groups anytime soon.
Someday, I'd like to use roles for something a little different than
permission groups, but I don't know if I'll ever get around to that.

> 2 - When defining permissions for an application, is it better to start
> with fine level permissions -- i.e. try to get everything right from the
> start? Or is there a good strategy to start with more general
> permissions and migrate an app later as needs require?

I'm inclined to think starting general is better.

> My concern in question 2 is that I'm not sure what permissions are
> 'correct' and would prefer to start at a high level and move to finer
> level permissions over time.

Right

> But won't this imply complicated upgrade
> scripts over time?

Only if you let users grant to permissions directly.

Given the current permissions+roles scheme, I'd like
to remove permissions from the current granting UI.
(This would make a much better UI possible, BTW.)

If users can only grant to roles, then all you need
to do when you change permissions is to adjust the
role-permission map as necessary.

Jim

--
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
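
The migration point made in the reply above, as an added example that is not part of the original message and is not Zope 3 code: a coarse 'manage content' permission is split into 'add', 'modify' and 'delete' by editing only the role-permission map, while a direct user-to-permission grant is left stale. The data model, function names and sample users are assumptions made for illustration.

```python
# Added illustration in plain Python, not Zope 3 code; all names are hypothetical.

# Constructed sample data: users are granted roles only.
ROLE_PERMS = {"Editor": {"manage content", "view"}, "Reader": {"view"}}
ROLE_GRANTS = {"alice": {"Editor"}, "bob": {"Reader"}}
# Constructed counter-case: a permission granted directly to a user.
DIRECT_GRANTS = {"carol": {"manage content"}}

FINE = ("add content", "modify content", "delete content")


def split_permission(role_perms, old, new):
    """Return a role->permissions map in which `old` is replaced by `new`."""
    result = {}
    for role, perms in role_perms.items():
        perms = set(perms)
        if old in perms:
            perms = (perms - {old}) | set(new)
        result[role] = perms
    return result


def allowed(principal, permission, role_grants, role_perms, direct=None):
    """True if the principal holds the permission directly or through a role."""
    if permission in (direct or {}).get(principal, set()):
        return True
    return any(permission in role_perms.get(role, set())
               for role in role_grants.get(principal, set()))


def stale_direct_grants(direct, role_perms):
    """Direct grants naming permissions that no role map entry defines any more."""
    known = set().union(*role_perms.values())
    return {p: perms - known for p, perms in direct.items() if perms - known}


# The migration: only the role-permission map changes, ROLE_GRANTS is untouched.
NEW_ROLE_PERMS = split_permission(ROLE_PERMS, "manage content", FINE)

if __name__ == "__main__":
    print(allowed("alice", "delete content", ROLE_GRANTS, NEW_ROLE_PERMS))
    print(stale_direct_grants(DIRECT_GRANTS, NEW_ROLE_PERMS))
```
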