has anybody ever set up a site with a large number of roles?
we're contemplating a security model for our app that might
lead to ~ 100 Roles within a year, possibly thousands
within the next 5 years. (Outline of the actual problem is
at the end of this message)
(The users and roles will be managed in LDAP, by the way;
we plan to use LDAPUserFolder for this and not do any
user or role administration in Zope.)
I seem to recall the Zope Book or some other text
advising against large numbers of roles, but IIRC that
was only because of the UI. Obviously the ZMI default
Security tab will not scale.
I think I can replace that without too much trouble:
possibly have the main page list only the roles vertically,
with each one being a link to manage_roleForm as it is currently.
As the number of roles grows very large this main page
could be broken into batches if necessary.
And of course there'd be a link to another page with a list
of permissions to manage, and each of those would link
i'm also thinking to use checkboxes as the current UI is too easy
to unselect everything by accident.
The question is, if I can solve the interface issues, are
there other reasons not to have hundreds or thousands of roles?
It seems to me that there should not be performance issues,
since I assume that finding the current user's roles
is just a dictionary lookup which should scale pretty well...
we're not talking millions of roles here, and each user
will have only a handful of roles.
more about our scenario:
* We must anticipate users at hundreds of locations
* there might be 10 or so users at each location
* permissions can be grouped pretty well into tasks, but are
specific to a location - permission to do a task at one
location must not mean permission at all locations.
To me this suggests several Roles per location, corresponding
to the grouped tasks at that location.
* each user might work from several different locations
* each user might need different permissions when working
at different locations
* We have multiple applications, not all in zope, so LDAP is looking
Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists -