On Wed, Mar 20, 2002 at 07:01:13PM +0100, Lennart Regebro wrote:
> From: "Jim Penny" <[EMAIL PROTECTED]>
>
> > I now have two kinds of administrators, and two kinds of users.
>
> An interesting case. If I understand it correctly, with our workgroups
> scheme, the restricted administrators would have administration rights on a
> workgroup. They would then be able to create users and add them to the
> workgroup they manage, but they wouldn't be able to give the users any
> privileges outside the workgroup, and hence the new users' privileges would
> be limited to whatever privileges they can get through the workgroup.
>
Right, although they may have administration privileges on a set of workgroups.

To give a motivation, consider a large company that has parallel design groups. The groups are intentionally kept in the dark about the other groups' work. Some companies do this to get a variety of choices to base the final decision on. Just to label them, call them Green, Blue, and Red teams.

In this case, I might delegate an administrator who has authority over all of these teams, i.e., the administrator can (partially) control users or other administrators who have a subset of (Green, Red, and Blue) in their group list. The administrator, being a busy fellow himself, might create a Red administrator, who can (partially) control users or other administrators that have Red in their group list.

Now, I am not really deep into modifying Zope core code at this point. The list of acceptable groups is available for any given user. The application programmer handles authorization and presentation.

We have to have this for both reasons of scale and delegation of authority. Some, even many, of the design teams themselves use sub-contractors. We have no way of knowing the contractor's day-to-day relationships with the groups, and prefer not to know. Also, we are in a somewhat incestuous industry, and people move from company to company. While they obviously have what is in their head at the time of the move, we do not wish to give them knowledge of future plans.

There are interesting policy decisions to make. Should an administrator be allowed to grant workgroup access to a pre-existing user? Can an administrator change a pre-existing user into an administrator? What does delete mean if the user has workgroups that the administrator does not control? Can the administrator see what workgroups the user has?

Jim

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
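
The delegation scheme described in the message above, as an added example that is not part of the original post and not Zope code: a subset check decides who an administrator controls, using the Green/Blue/Red labels. The `Account` class and all function names are hypothetical, and the behaviour of `grant`, `visible_groups` and `delete` is one assumed set of answers to the open policy questions, chosen so that a scoped administrator never learns about or changes anything outside its workgroups.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    groups: set = field(default_factory=set)    # workgroups the account belongs to
    admin_of: set = field(default_factory=set)  # workgroups it may administer

def can_manage(admin, target):
    # The subset rule from the message: everything the target holds must lie
    # inside the set of workgroups this administrator has authority over.
    return (target.groups | target.admin_of) <= admin.admin_of

def delegate(admin, name, groups):
    # A sub-administrator can never receive more than its creator holds.
    groups = set(groups)
    if not groups <= admin.admin_of:
        raise PermissionError(f"{admin.name} cannot delegate {sorted(groups - admin.admin_of)}")
    return Account(name, groups=set(groups), admin_of=set(groups))

def grant(admin, target, group):
    # Assumed policy: granting to a pre-existing user is allowed, but only
    # for a workgroup the administrator controls.
    if group not in admin.admin_of:
        raise PermissionError(f"{admin.name} does not administer {group}")
    target.groups.add(group)

def visible_groups(admin, target):
    # Assumed policy: memberships outside the administrator's scope stay hidden.
    return target.groups & admin.admin_of

def delete(admin, target, directory):
    # Assumed policy: "delete" strips only the controlled workgroups; the
    # account itself is removed only when nothing else remains.
    target.groups -= admin.admin_of
    target.admin_of -= admin.admin_of
    if not target.groups and not target.admin_of:
        directory.pop(target.name, None)
        return "removed"
    return "memberships stripped"

def demo():
    # Constructed sample data using the team labels from the message.
    chief = Account("chief", admin_of={"Green", "Blue", "Red"})
    red_admin = delegate(chief, "red_admin", {"Red"})
    contractor = Account("contractor", groups={"Red", "Blue"})
    directory = {a.name: a for a in (chief, red_admin, contractor)}
    return chief, red_admin, contractor, directory
```

Under these assumptions the Red administrator sees and removes only the contractor's Red membership, while the Blue membership and the account itself survive until an administrator covering Blue acts on them.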
