Jim Penny <jpenny@universal-fasteners.com> wrote: [...]
I needed a generalization of this scheme (and so ended up writing my own User Folder).
We manufacture parts which are controlled by second parties, but bought primarily by third parties. I will call these parties Manufacturer, Brand Owners, and Contractors.
I now have two kinds of administrators, and two kinds of users. There are unrestricted administrators and users. Since this really is enforced only at the user folder level (normal zope machinery is used elsewhere), a quick description is that an unrestricted administrator may create, modify or destroy any user or Brand Owner Name, and may associate any list of Brand owner names with any user. Any unrestricted user has a flag designating him as such and it is expected that application code check the flag and permit access to the contents held for Brand Owners.
Restricted Administrators may create new users, modify users, or delete (some) users. However, any user they create may have only a subset of their brand owner name list (and their normal zope permissions). They may remove any of their brand names from a user that has one or more of the brand names under their control. They may delete users that have brand names only under their control. They may also create other administrators, subject to the subset restictions.
Restricted Users have a brand list associated with them. Application logic can use this brand list to filter content.
The restricted administrator is a big deal to us. If this takes off, we will not be able to properly control the set of Restricted Users (at Brand Owners and Contractors). Failure to do so could lead to legal exposure, so by creating Restricted Administrators who are Brand Owners, the contrl (and thus most of the legal exposure) can be shifted back to the Brand Owner.
This screams of ACLs for user management... I'm having the need too, in the context of CMF. I ended up writing an additional service (portal_directory) that has a complex set of ACLs to mediate access to the user folder. Some code will be released soon. Florent -- Florent Guillaume, Nuxeo (Paris, France) +33 1 40 33 79 10 http://nuxeo.com mailto:fg@nuxeo.com