[ZDP] BackTalk to Document The Zope Book (2.5 Edition)/Using Zope

nobody@nowhere.com nobody@nowhere.com
Fri, 20 Sep 2002 09:59:04 -0400


A comment to the paragraph below was recently added via http://www.zope.org/Documentation/Books/ZopeBook/current/UsingZope.stx#2-36

---------------

    Managers can create Zope users in a unique kind
    of folder called a *User Folder*.

      % Anonymous User - May 2, 2002 7:32 pm:
       The introduction of this material is premature.

      % kaleissin - May 16, 2002 12:59 pm:
       Not really, but since it's so early, the focus should perhaps be on making test-users in a little sub-tree of
       their own, for a safe place to experiment in so you don't mangle the root-folder. BTDT.

      % Anonymous User - May 24, 2002 10:38 am:
       I installed Zope < 5 minutes ago. I'm working my way through at least the first part of the book now, and
       found this appropriately placed.

      % Anonymous User - Sep. 11, 2002 11:54 am:
       It should move into development and implementation before users

      % Anonymous User - Sep. 20, 2002 9:59 am:
       What is the difference between a "Manager account" and a "Manager user" (see above)?
       Also: Doesn't "Emergency User" create users?
       Also: Creating Users is about security. 
       Explain: "Access Control List":
       We have a conceptual 2-dimensional Matrix (i.e. a table), with a _row_ for each User and a _column_ for each
       Object. The table cells contain *Permissions*, i.e. descriptions of the operations user x is allowed on object
       y. Organizing security as attaching to each user _row_ a list of all objects and her permissions thereon
       makes a *"capability"*; organizing security as attaching to each object _column_ a list of users and their
       permissions gives an *"Access Control List"*. This is usually large. To fold it up, users are organized as
       *roles*. Furthermore, objects are organized treelike, with the access control list factored out into an *acl_users*
       object, such that a user role may *acquire* a permission for the *current object* from acl_users higher up the
       tree.
       Correct me if I am imprecise, but the whole security terminology here is a bit foggy and premature. At least
       a forward ref to a later/deeper chapter? How about a (hyperlinked) glossary?
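
---------------

Added example, not part of the original comments and not Zope's own code: a toy Python model of the access matrix described in the last comment, showing the per-user (capability) and per-object (ACL) slices and a role lookup that walks up a folder tree. The `Folder` class, the function names, and all users, roles and permissions are hypothetical and constructed for illustration; this is not Zope's API.

```python
# Constructed access matrix: (user, object) -> set of permissions.
MATRIX = {
    ("alice", "/"): {"View", "Manage"},
    ("alice", "/sandbox"): {"View", "Manage"},
    ("bob", "/"): {"View"},
    ("bob", "/sandbox"): {"View", "Add Documents"},
}

def capability_list(matrix, user):
    """Row slice: what one user may do, keyed by object."""
    return {obj: perms for (u, obj), perms in matrix.items() if u == user}

def access_control_list(matrix, obj):
    """Column slice: who may act on one object, keyed by user."""
    return {u: perms for (u, o), perms in matrix.items() if o == obj}

class Folder:
    """Hypothetical tree node holding only locally set role -> permissions."""
    def __init__(self, name, parent=None, role_perms=None):
        self.name, self.parent = name, parent
        self.role_perms = role_perms or {}

    def permissions_for(self, role):
        """Use the nearest setting for the role, walking up towards the root."""
        node = self
        while node is not None:
            if role in node.role_perms:
                return node.role_perms[role]
            node = node.parent
        return frozenset()  # no ancestor defines the role: deny by default

def allowed(folder, user_roles, user, permission):
    """A user holds a permission if any of their roles grants it here."""
    return any(permission in folder.permissions_for(r)
               for r in user_roles.get(user, ()))

# Constructed tree: the Tester role exists only inside the sandbox subtree.
ROOT = Folder("/", role_perms={"Manager": {"View", "Manage"}})
SANDBOX = Folder("sandbox", ROOT, {"Tester": {"View", "Add Documents"}})
DEEP = Folder("deep", SANDBOX)
USER_ROLES = {"alice": ["Manager"], "bob": ["Tester"]}

if __name__ == "__main__":
    print(capability_list(MATRIX, "bob"))
    print(access_control_list(MATRIX, "/sandbox"))
    print(allowed(DEEP, USER_ROLES, "bob", "Add Documents"))   # found in sandbox
    print(allowed(ROOT, USER_ROLES, "bob", "Add Documents"))   # not set at root
```

In this model a role defined only in the sandbox subtree grants nothing at the root, which is the property that makes a separate sub-tree a safe place for test users.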