[Zope-dev] Enhancing Zope's security model

David Jacobs jacobsl001@hawaii.rr.com
Wed, 7 Jul 1999 10:05:01 -1000


Is anyone currently working on enhancing Zope's security model?

Traditional web servers have horrible security models for the application
designer.  They leave almost all the security work to be done by the
application itself.  With Zope abstracting all access into a nice object
oriented fashion, much more powerful models are possible.

What you guys have done with users, permissions and roles is already far
ahead of other web servers.  I am interested in taking it a step further to
remove even more security code that currently resides in dtml scripts.

My vision is to provide the following capabilities.

Provide for positive and negative authorizations.
* We may want to give a role Employees access to a method, but not if the
user is also in the role Bad Boys.

Provide for resolution rules for when positive and negative authorization
conflict.
* (e.g. lower in the object hierarchy overrides inherited auths, negative
overrides positive, order dependent)

Allow time restrictions on user/role associations or method/role
associations (duration or cyclical restrictions)
* This would allow you to say Joe is a Manager from June 1 to June 30th.
* This would allow you to say the Pay Payroll method can only be run on
Fridays.
* This is useful in that you don't have to remember to remove Joe from the
role.  It also helps when looking at audit logs you can see that he was
authorized to perform those functions during that time.

Allow actions to be associated with an authorization event.
* on success (e.g. write audit entry in log)
* on failure (e.g. write audit entry in log and call routine that checks for
excessive failures and pages sys admin if over the threshold, send email)

Allow expressions that include object values to play in the authorization
decision.
* Given an expense voucher (EV) object, a 1st Level Manager can 'sign' (an
EV method) if the EV.amount is less than $2500 and the EV.author is not the
AUTHENTICATED_USER.


What do people think?  Does this functionality sound useful?  Do certain
features call louder than others?  I believe these features will make Zope
MUCH more attractive for developing intranet applications, which typically
have much more complex security requirements than public web sites do.

I realize that most if not all of these features can be accomplished by
coding in dtml.  I would like to see much of that abstracted out into the
security interface so that security policies can be more easily changed.

I also realize that besides implementation, there is also the problem of
coming up with a reasonable user interface that does not swamp the average
person with possibilities.  Good default behavior is necessary, with the
full complexity of options only showing if the application designer asks for
it.

I've started familiarizing myself with the source code but have a ways to
go.  Obviously I would be making lots of changes in the access control
directory, but it looks like a lot of the security framework is also
embedded into the Zope objects like Folder and Document Objects.  Any tips
on code to pay special attention to or code that I can safely ignore would
be greatly appreciated.

Thanks in advance for any comments.
David Jacobs
MITRE Corporation
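The five capabilities proposed above (positive and negative grants, resolution rules, time-restricted role and method associations, audit/alert actions on the authorization event, and object-value expressions) are shown below as one small policy evaluator. This is an added illustration written for this page; it is not code from the post, from MITRE, or from Zope's own access-control package. Every class, function and name in it (Grant, Membership, Policy, build_demo_policy, the user and role names, the paths) is invented for the example. The resolution rules it implements are two of the ones the post lists, "lower in the object hierarchy overrides inherited auths" and "negative overrides positive" within one level; the "order dependent" alternative is not implemented.

```python
"""Added example: a toy authorization policy with positive/negative grants,
hierarchy-aware resolution, time windows, audit/alert hooks and
attribute-based conditions.  Not Zope code; all names are invented."""
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Grant:
    role: str
    method: str
    allow: bool                         # True = positive, False = negative authorization
    condition: Optional[Callable[[object, str], bool]] = None  # expression over (obj, user)
    weekdays: Optional[Set[int]] = None  # cyclical restriction; Monday = 0 ... Friday = 4


@dataclass
class Membership:
    user: str
    role: str
    start: Optional[date] = None  # duration restriction on the user/role association
    end: Optional[date] = None


@dataclass
class Policy:
    memberships: List[Membership]
    grants: Dict[str, List[Grant]]  # object path ("a/b") -> grants declared at that level; "" is the root
    failure_threshold: int = 3
    audit: List[tuple] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)
    failures: Dict[str, int] = field(default_factory=dict)

    def roles_for(self, user: str, when: datetime) -> Set[str]:
        """Roles the user holds at the moment of the request (expired ones drop out)."""
        day = when.date()
        return {m.role for m in self.memberships
                if m.user == user
                and (m.start is None or m.start <= day)
                and (m.end is None or day <= m.end)}

    def check(self, user: str, path: str, method: str, obj: object, when: datetime) -> bool:
        roles = self.roles_for(user, when)
        parts = [p for p in path.split("/") if p]
        levels = [""] + ["/".join(parts[:i + 1]) for i in range(len(parts))]
        decision = False  # default deny when no grant applies anywhere
        for level in levels:  # root first, so a deeper level overrides what it inherits
            applicable = [g for g in self.grants.get(level, [])
                          if g.method == method and g.role in roles
                          and (g.weekdays is None or when.weekday() in g.weekdays)
                          and (g.condition is None or g.condition(obj, user))]
            if applicable:
                decision = all(g.allow for g in applicable)  # one negative grant wins at a level
        # actions associated with the authorization event
        self.audit.append((when.isoformat(), user, path, method, decision))
        if not decision:
            n = self.failures.get(user, 0) + 1
            self.failures[user] = n
            if n >= self.failure_threshold:
                self.alerts.append(f"{user}: {n} authorization failures")  # stand-in for paging/email
        return decision


@dataclass
class ExpenseVoucher:
    author: str
    amount: int


def build_demo_policy() -> Policy:
    """Constructed sample policy mirroring the scenarios in the post."""
    return Policy(
        memberships=[
            Membership("alice", "Employees"),
            Membership("bob", "Employees"),
            Membership("bob", "Bad Boys"),
            Membership("joe", "Manager", date(1999, 6, 1), date(1999, 6, 30)),
            Membership("carol", "1st Level Manager"),
        ],
        grants={
            "": [
                Grant("Employees", "view", True),
                Grant("Bad Boys", "view", False),                     # negative overrides positive
                Grant("Manager", "pay_payroll", True, weekdays={4}),  # Fridays only
                Grant("1st Level Manager", "sign", True,
                      condition=lambda ev, user: ev.amount < 2500 and ev.author != user),
            ],
            "hr/private": [Grant("Employees", "view", False)],  # deeper level overrides inherited allow
        })


if __name__ == "__main__":
    p = build_demo_policy()
    monday = datetime(1999, 6, 7, 9, 0)
    print("alice view:", p.check("alice", "/docs/readme", "view", None, monday))
    print("bob view:", p.check("bob", "/docs/readme", "view", None, monday))
    print("joe payroll Fri:", p.check("joe", "/finance", "pay_payroll", None, datetime(1999, 6, 4, 9, 0)))
    print("carol sign:", p.check("carol", "/vouchers/17", "sign", ExpenseVoucher("alice", 1200), monday))
    print(p.audit, p.alerts)
```

The evaluator walks the object path from the root down and lets the deepest level that has any applicable grant decide, which is the "lower overrides inherited" rule; within a level a single negative grant denies. Time restrictions are applied in two places on purpose: the membership window filters roles before any grant is consulted, and the weekday set filters grants on the method, matching the post's distinction between user/role and method/role associations. Audit and alert side effects run on every decision, so a denial is recorded even when no grant matched at all.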