[Zope3-dev] Permission granularity/permission groups

Jim Fulton jim at zope.com
Wed Feb 9 12:39:52 EST 2005


Garrett Smith wrote:
> As I define the permissions for my application, two things strike me:
> 
> - I'm wanting to group permissions -- e.g. 'manage content' might be a
> permission that also includes 'add content', 'modify content', and
> 'delete content'.
> 
> - Because permission grouping is yet another complexity layer, I'm
> thinking that creating fine level permissions is better than generalized
> permissions (i.e. scrap 'manage' in favor of separate 'add', 'modify',
> and 'delete') -- I can then get permission groups using roles.
> 
> So my questions:
> 
> 1 - Do people generally agree that permission groups is unneeded because
> the same effect can be accomplished using roles (and perhaps otherwise
> bad for complexity/performance reasons).

Assuming that you don't let users grant permissions to roles, then
I think that roles is an acceptable short-term alternative to permission
groups.  I don't have time to implement permission groups anytime soon.

Someday, I'd like to use roles for something a little different than
permission groups, but I don't know if I'll ever get around to that.

> 2 - When defining permissions for an application, is it better to start
> with fine level permissions -- i.e. try to get everything right from the
> start? Or is there a good strategy to start with more general
> permissions and migrate an app later as needs require?

I'm inclined to think starting general is better.

> My concern in question 2 is that I'm not sure what permissions are
> 'correct' and would prefer to start at a high level and move to finer
> level permissions over time.

Right

> But won't this imply complicated upgrade
> scripts over time?

Only if you let users grant to permissions directly.

Given the current permissions+roles scheme, I'd like
to remove permissions from the current granting UI.
(This would make a much better UI possible, BTW.)

If users can only grant to roles, then all you need
to do when you change permissions is to adjust the
role-permission map as necessary.

Jim

-- 
Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org
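
The migration discussed in the message above, as an added example that is not part of the original post and not Zope 3 code: 'manage content' is split into 'add', 'modify' and 'delete', and the only thing rewritten is the role-permission map, while a grant made directly to the old permission is left dangling. Every function name, role, user and grant here is hypothetical and constructed for illustration.

```python
# Added illustration: hypothetical names, not Zope 3 APIs. All data is constructed.

FINE = ("add content", "modify content", "delete content")

# Version 1 of the application: one general permission.
ROLE_PERMISSIONS_V1 = {
    "Editor": {"manage content", "view"},
    "Reader": {"view"},
}
ROLE_GRANTS = {"alice": {"Editor"}}            # user-facing grants: roles only
DIRECT_GRANTS = {"bob": {"manage content"}}    # grant made straight to a permission


def split_permission(role_permissions, old, new):
    """Return a new role-permission map with `old` replaced by the `new` permissions."""
    return {
        role: ((perms - {old}) | set(new)) if old in perms else set(perms)
        for role, perms in role_permissions.items()
    }


def effective_permissions(principal, role_grants, direct_grants, role_permissions):
    """Permissions held through roles, plus any direct permission grants."""
    perms = set(direct_grants.get(principal, ()))
    for role in role_grants.get(principal, ()):
        perms |= role_permissions.get(role, set())
    return perms


def stale_direct_grants(direct_grants, role_permissions):
    """Direct grants naming permissions the application no longer defines.

    Assumption: every defined permission appears in at least one role.
    """
    defined = set().union(*role_permissions.values())
    stale = {}
    for principal, perms in direct_grants.items():
        missing = sorted(set(perms) - defined)
        if missing:
            stale[principal] = missing
    return stale


# Version 2: 'manage content' is split; only the map changes, role grants stay as-is.
ROLE_PERMISSIONS_V2 = split_permission(ROLE_PERMISSIONS_V1, "manage content", FINE)

if __name__ == "__main__":
    print(sorted(effective_permissions("alice", ROLE_GRANTS, {}, ROLE_PERMISSIONS_V2)))
    print(stale_direct_grants(DIRECT_GRANTS, ROLE_PERMISSIONS_V2))
```

The role-holder picks up the three fine-grained permissions with no change to her grant; the direct grant is the only record that would need an upgrade script.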
