Wichert Akkerman <[EMAIL PROTECTED]> writes:
> Use a dynamic group.
Thanks for the response. I can see where there's some similarity in the
notion of adding a role to a user dynamically and adding a user to a group
dynamically, assuming that the group has the requisite roles. But my
(and maybe I wasn't clear about this before) is that the condition that
determines access is based on both an external condition and an attribute
of the object itself, which is why was trying to make this work with
local roles. I didn't think that the object was available from the role or
group plugins, but if I'm wrong, please let me know.
Actually, maybe I should rephrase my problem, and see if you have a
suggestion. Basically, I need to set up a security model such that
access to a given object requires a combination of "roles". For example,
I might have an object that would be labeled "Alpha", "Beta", "Gamma",
and a user must possess, at a minimum, all three roles to be able
to see the object. I could implement this with 2**n - 1 roles, so I
would have 7 roles and a separate workflow state for each role - not too
The problem is one of scale - if I have 6 labels, I end up with 63
workflow states. So instead, I was trying to use the labels as object
attributes and adding roles at runtime. Does this make sense?
Any advice you could give would be greatly appreciated.
Zope-PAS mailing list