[Zope-dev] delegable user folder

Jim Penny jpenny@universal-fasteners.com
Thu, 23 Aug 2001 18:55:34 -0400


Hi:

(This message is an attempt to state a problem and solicit
feedback.  I am not looking for collaborators, someone to
code it for me, or the like.  I want to know if other people
have thought along these lines and would be interested in
such a UserFolder.) (I will cheerfully ignore "not another
userFolder" messages.  I have no choice!)

I am starting to be in desperate need of a delegable user folder.

By this, I mean that I want a user folder that allows the superuser
to delegate account creation, revocation, and passwording to another
less powerful administrator.  This less powerful administrator would
belong to a set of "associations".  The individuals that he granted
authority to would have no more associations than the granting
administrator.  (He might grant a proper subset of his associations, 
though).

For example, I might create an administrator Andy who had authority
over ('Gap', 'Old Navy', 'Banana Republic').  Andy could create
users who had any, or all, of these associations.  Andy could 
also create other administrators who had any or all of these
associations.

Question:  Suppose Barb was an administrator for ('Levi') and
created user Chris (along with some identifying information).
Should Andy be able to add his (one of) association(s) to Chris,
or should he be forced to create a new user?  I could code either
one and live with either one.  This question is concerned with the
'greater good'.

I also want some options and data I have not seen under other
userfolders.  I want (at least) these: timestamp of last login,
number of consecutive login failures, IP of last login,
authorizing administrator(s).  I want a forcePasswordChange
method.  I would also want a passesPasswordPolicy
method, which would be (at least) somewhat configurable without
coding and would be called before account creation or password
change.

Are there any other things that occur to you as being necessary
to determining revocation policy?

What about privacy?  Should a user be allowed to mark some (or all)
of his identifying data private?  Should an administrator be allowed
to add his association to another individual who has all of his
data marked private?

Finally, given that I have to do this, do you have any advice on
how to start?  ZPatterns/loginmanager, extUserFolder, some other
UserFolder, or "just start hacking"?

Thanks

Jim Penny
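
The delegation rule described in this message, as an added example that is not part of the original post and not Zope code: every grant must be a non-empty subset of the granting administrator's own associations. The class and method names, the choice to extend an existing account in the Barb/Chris case, and the revocation policy are all assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    associations: frozenset
    is_admin: bool = False
    authorized_by: set = field(default_factory=set)  # authorizing administrator(s)


class DelegableUserStore:
    """Hypothetical in-memory model; not a Zope UserFolder and not Zope API."""

    def __init__(self, superuser, all_associations):
        # The superuser holds every association and roots each delegation chain.
        self.accounts = {superuser: Account(superuser, frozenset(all_associations), True)}

    def _check(self, grantor, wanted):
        admin = self.accounts.get(grantor)
        wanted = frozenset(wanted)
        # Core invariant: a non-empty grant drawn from the grantor's own set.
        if admin is None or not admin.is_admin or not wanted <= admin.associations or not wanted:
            raise PermissionError(f"{grantor} may not grant {sorted(wanted)}")
        return wanted

    def create(self, grantor, name, associations, is_admin=False):
        wanted = self._check(grantor, associations)
        if name in self.accounts:
            raise PermissionError(f"{name} already exists")
        self.accounts[name] = Account(name, wanted, is_admin, {grantor})

    def add_association(self, grantor, name, association):
        # Assumed answer to the Barb/Chris question: extend the existing account.
        acct = self.accounts[name]
        acct.associations |= self._check(grantor, [association])
        acct.authorized_by.add(grantor)

    def revoke(self, grantor, name):
        # Assumed policy: an administrator strips only what they could have granted.
        admin = self.accounts.get(grantor)
        if admin is None or not admin.is_admin:
            raise PermissionError(f"{grantor} is not an administrator")
        acct = self.accounts[name]
        acct.associations -= admin.associations
        acct.authorized_by.discard(grantor)
        if not acct.associations:
            del self.accounts[name]
```

Revocation in this sketch does not cascade to accounts that a revoked administrator created; the authorized_by record is what a follow-up sweep would key on.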