[Zope-dev] LOTS of roles?

Oliver Bleutgen myzope@gmx.net
Mon, 24 Feb 2003 12:41:01 +0100


Paul Winkler wrote:
> On Sat, Feb 22, 2003 at 02:24:10PM +0100, Oliver Bleutgen wrote:
> 
>>With locations, do you mean physical locations of the clients (i.e. 
>>IP addresses), or the locations of objects inside zope (i.e. 
>>/department1, /department2 etc.)?
> 
> 
> Both.
> Let's call them "sites" instead of locations, because they're
> physical sites: a discrete physical resource that our users need to 
> manage. One user may have certain permissions
> at one of these sites, and different permissions at another.
> Unfortunately this is a required feature.
> 
> It's also true that there may be specific content 
> and applications in zope which correspond to a specific 
> physical site, but not to the whole group of sites.
> and that's why zope needs to be involved with
> such a complex security model.

From that I gather that your "sites" don't map 1:1 to objects in 
zope, so that you cannot use local roles for that, right?
E.g., there are methods like doTaskX(location,...), where the permission 
to execute that method depends on location, and location is not an object 
inside zope.

> [example snipped]
> 
> The solution we are considering is to have one
> role per site per task.
> If we were to name the roles after the site and task identifiers,
> we'd end up with something like:
> 
> User A has roles 1X, 1Y, 2Y, 2Z
> User B has roles 2X, 3X, 3Y, 3Z
> 
> ... but this obviously leads to an explosion of roles.
> e.g. 10 tasks * 200 sites = 2000 roles.
> Hence my original question. :)
> [...]
> The other possibility I've considered is a custom UserFolder
> which assigns the user's roles dynamically depending on what
> physical site they are working on (which we can always find out).
> This seems less bulky - many fewer roles from Zope's perspective -
> but I'm concerned about introducing security bugs that might
> go unnoticed, and I've never written a UserFolder so I don't know
> how long it would take.  

There's a nice "template" for userfolder from ChrisW:
http://www.zope.org/Members/NIP/SimpleUserFolder

> And I'm worried about session issues -
> if user A is doing some remote work for site 1 and then switches
> to site 2, would all of his roles be updated immediately and correctly?
> And we may need to allow a user to work on two sites 
> *simultaneously* which would not be possible in this model.

Well, for me roles are just a simplification/optimization for getting 
permissions of a user (for an object) for the sake of easier management.
From the mapping
user_id -> set of permissions, we go to
user_id -> set of roles -> set of permissions, where the last mapping is 
defined by mappings of the form role -> set of permissions.
This works, because for typical situations, you just need to define a 
handful of roles.

Since your application might not be suited for that scheme, it might be 
worth throwing out roles altogether. How about creating a role for each 
user (i.e. user "user_id" gets just the role "user_id"), instead of 
creating a role for each possible (task,location) tuple.
When creating a new user, the admin would have to just assign the 
permissions, instead of roles. This task could be made easier by 
creating template permission sets.

You might wind up with fewer roles and I bet administration is a lot easier.



cheers,
oliver
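
The two role schemes discussed in this message, modelled in plain Python as an added example (not code from the thread, and not Zope's security API). It assumes a permission is a (site, task) pair; the task letters, `GRANTS` and every function name are constructed for illustration.

```python
from itertools import product

# Constructed sample data, sized like the thread's "10 tasks * 200 sites".
SITES = [str(n) for n in range(1, 201)]
TASKS = list("QRSTUVWXYZ")
# (site, task) pairs each user may perform; A and B mirror the quoted example.
GRANTS = {
    "A": {("1", "X"), ("1", "Y"), ("2", "Y"), ("2", "Z")},
    "B": {("2", "X"), ("3", "X"), ("3", "Y"), ("3", "Z")},
}

def role_per_site_task(grants):
    """Scheme 1: one role per (site, task); each role carries one permission."""
    role_perms = {s + t: {(s, t)} for s, t in product(SITES, TASKS)}
    user_roles = {u: {s + t for s, t in perms} for u, perms in grants.items()}
    return user_roles, role_perms

def role_per_user(grants):
    """Scheme 2: each user gets a single role named after the user id."""
    role_perms = {u: set(perms) for u, perms in grants.items()}
    user_roles = {u: {u} for u in grants}
    return user_roles, role_perms

def template(tasks, sites):
    """Hypothetical 'template permission set': the given tasks at the given sites."""
    return set(product(sites, tasks))

def allowed(user, site, task, user_roles, role_perms):
    """user_id -> set of roles -> set of permissions, checked per call.
    Unknown users and unknown roles resolve to no permissions (deny)."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_perms.get(role, set())
    return (site, task) in perms

def same_decisions(scheme_a, scheme_b, users):
    """True if both schemes answer identically for every user/site/task."""
    return all(
        allowed(u, s, t, *scheme_a) == allowed(u, s, t, *scheme_b)
        for u in users for s, t in product(SITES, TASKS)
    )

if __name__ == "__main__":
    s1, s2 = role_per_site_task(GRANTS), role_per_user(GRANTS)
    print(len(s1[1]), "roles vs", len(s2[1]))
    print("same decisions:", same_decisions(s1, s2, GRANTS))
```

Because the site is an argument to every check rather than session state, a user working on two sites at once is evaluated independently for each call in this model.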