Paul Winkler wrote:
On Sat, Feb 22, 2003 at 02:24:10PM +0100, Oliver Bleutgen wrote:

With locations, do you mean physical locations of the clients (i.e. IP-adresses), or the locations of objects inside zope (i.e. /department1, /department2 etc.)?

Let's call them "sites" instead of locations, because they're
physical sites: a discrete physical resource that our users need to manage. One user may have certain permissions
at one of these sites, and different permissions at another.
Unfortunately this is a required feature

It's also true that there may be specific content and applications in zope which correspond to a specific physical site, but not to the whole group of sites.
and that's why zope needs to be involved with
such a complex security model.

From that I gather that your "sites" don't map 1:1 to objects into zope, so that you cannot use local roles for that, right?
E.g, there are methods like doTaskX(location,...), where the permission to execute that method depend on location, and location is not an object inside zope.

[example snipped]

The solution we are considering is to have one
role per site per task.
If we were to name the roles after the site and task identifiers,
we'd end up with something like:

User A has roles 1X, 1Y, 2Y, 2Z
User B has roles 2X, 3X, 3Y, 3Z

... but this obviously leads to an explosion of roles.
e.g. 10 tasks * 200 sites = 2000 roles.
Hence my original question. :)
> [...]
The other possibility I've considered is a custom UserFolder
which assigns the user's roles dynamically depending on what
physical site they are working on (which we can always find out).
This seems less bulky - many fewer roles from Zope's perspective -
but i'm concerned about introducing security bugs that might
go unnoticed, and I've never written a UserFolder so I don't know
how long it would take.

There's a nice "template" for userfolder from ChrisW:

And I'm worried about session issues -
if user A is doing some remote work for site 1 and then switches
to site 2, would all of his roles be updated immediately and correctly?
And we may need to allow a user to work on two sites *simultaneously* which would not be possible in this model.

Well, for me roles are just a simplification/optimization for getting permissions of a user (for an object) for the sake of easier management.
From the mapping
user_id -> set of permissions, we go to
user_id -> set of roles -> set of permissions, where the last mapping is defined by mappings of the form role -> set of permissions.
This works, because for typical situations, you just need to define a handful of roles.

Since your application might not be suited for that scheme, it might be worth throwing out roles altogether. How about creating a role for each user (i.e. user "user_id" get's just the role "user_id", instead of creating a role for for each possible (task,location) tuple.
When creating a new user, the admin would have to just assign the permissions, instead of roles. This task could be made easier by creating template permission sets.

You might wind up with less roles and I bet administration is a lot easier.


Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists - )

Reply via email to