[Zope3-dev] Permission granularity/permission groups

Jim Fulton jim at zope.com
Wed Feb 9 14:46:39 EST 2005 

Roger Ineichen wrote:
> Hi
> 
> 
>>-----Original Message-----
>>From: zope3-dev-bounces+dev=projekt01.ch at zope.org 
>>[mailto:zope3-dev-bounces+dev=projekt01.ch at zope.org] On 
>>Behalf Of Jim Fulton
>>Sent: Wednesday, February 09, 2005 6:40 PM
>>To: Garrett Smith
>>Cc: zope3-dev (E-mail)
>>Subject: Re: [Zope3-dev] Permission granularity/permission groups
>>
>>Garrett Smith wrote:
>>
>>>As I define the permissions for my application, two things 
>>
>>strike me:
>>
>>>- I'm wanting to group permissions -- e.g. 'manage content' 
>>
>>might be a
>>
>>>permission that also includes 'add content', 'modify content', and
>>>'delete content'.
>>>
>>>- Because permission grouping is yet another complexity layer, I'm
>>>thinking that creating fine level permissions is better 
>>
>>than generalized
>>
>>>permissions (i.e. scrap 'manage' in favor of separate 
>>
>>'add', 'modify',
>>
>>>and 'delete') -- I can then get permission groups using roles.
>>>
>>>So my questions:
>>>
>>>1 - Do people generally agree that permission groups is 
>>
>>unneeded because
>>
>>>the same effect can be accomplished using roles (and 
>>
>>perhaps otherwise
>>
>>>bad for complexity/performance reasons).
>>
>>Assuming that you don't let users grant permission sto roles, then
>>I think that roles is an acceptable short-term alternative to 
>>permission
>>groups.  I don't have time to implement permission groups 
>>anytime soon.
>>
>>Someday, I'd like to use roles for something a little different than
>>permission groups, but I don't know if I'll every get around to that.
>>
>>
>>>2 - When defining permissions for an application, is it 
>>
>>better to start
>>
>>>with fine level permissions -- i.e. try to get everything 
>>
>>right from the
>>
>>>start? Or is there a good strategy to start with more general
>>>permissions and migrate an app later as needs require?
>>
>>I'm inclined to think starting general is better.
>>
>>
>>>My concern in question 2 is that I'm not sure what permissions are
>>>'correct' and would prefer to start at a high level and 
>>
>>move to finer
>>
>>>level permissions over time.
>>
>>Right
>>
>> > But won't this imply complicated upgrade
>>
>>>scripts over time?
>>
>>Only if you let users grant to permissions directly.
>>
>>Give the current permissions+roles scheme, I'd like
>>to remove permissions from the current granting UI.
>>(This would make a much better UI possible, BTW.)
>>
>>If user's can only grant to roles, then all you need
>>to do when you change permissions is to adjust the
>>role-permission map as necessary.
> 
> 
> A permission group or role is the same, it's just 
> the name that doesn't fit?

In theory, they are different.  In practice,
as currently implemented, a role is just a group
of permissions.

> Both a role or a permision group are contained or mapped to
> principals and declare which permission they have.
> 
> Or I'm wrong?

I would word it differently.

- Roles can be granted to users

- Permissions can be grantd to users

- Permissions can be granted to roles

You can think of this as "mapping", but I prefer the
term grant.  Actually, if we were using roles as "roles",
rather than permission groups, I would say that roles are
assigned to users. Theoretically, roles are "jobs" or positions
people have relative to the system.

> If I understand you correct, we shouldn't map permissions
> to principals directly for a better separation and future
> migrations.

IMO, the granting of permissions to roles should be hidden from
users. I would treat this as software configuration.  That's
why I moved this UI to ++etc++site a few months ago.

IMO, users should not be allowed to grant permissions to users.
Disallowing this would:

- Allow us to change role-permission assignments centrally, and

- would simplify and allow a much better granting interface.

An even better alternative, if someone was so inspired, would
be for someone to make a new security policy from the
current one by changing the word "role" to something else
(e.g. "privilege") throughout. (There would probably be some
other minor word changes.) This would be a purely mechanical
change -- still a fair bit of work.  We could make this new
security policy  the default.

Jim

-- 
Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org

More information about the Zope3-dev mailing list