[Zope-dev] LOTS of roles?

Leonardo Rochael Almeida leo@hiper.com.br
24 Feb 2003 19:18:21 -0300


I don't think a multitude of roles is the way to go. The way your
problem sounds, you need users being allowed/forbidden to do certain
tasks depending on which part of the site they are. This is what
local-roles are for: parameterizing the permissions of a user based on
the location of the objects inside Zope.

However you do mention that you need to manage this centrally,
especially since this information won't be used by Zope alone (and even
if it was, you need centralized administration of these local roles,
something that Zope doesn't give you, unless you consider Zope "central"
:-), which I think you don't, because you consider LDAP "central". Is
this correct?).

So I think you need dynamically calculated local roles. This can be
achieved by a user folder that returns a user object that overrides
".getRolesInContext(object)" to take the location (or any other
attribute, such as an acquired "site") of "object" and check it against
your central authorization source (e.g. LDAP).

exUserFolder has had modifications to allow construction of
authentication sources that override user.getRolesInContext, but none of
its default auth sources use this so far.

Hope I made some sense :-)

Cheers, Leo

On Fri, 2003-02-21 at 18:28, Paul Winkler wrote:
> has anybody ever set up a site with a large number of roles?
> we're contemplating a security model for our app that might
> lead to ~ 100 Roles within a year, possibly thousands 
> within the next 5 years.  (Outline of the actual problem is
> at the end of this message)
> 
> (The users and roles will be managed in LDAP, by the way;
> we plan to use LDAPUserFolder for this and not do any
> user or role administration in Zope.)
> 
> I seem to recall the Zope Book or some other text
> advising against large numbers of roles, but IIRC that
> was only because of the UI. Obviously the ZMI default 
> Security tab will not scale.
> I think I can replace that without too much trouble:
> possibly have the main page list only the roles vertically,
> with each one being a link to manage_roleForm as it is currently.
> As the number of roles grows very large this main page
> could be broken into batches if necessary.
> And of course there'd be a link to another page with a list
> of permissions to manage, and each of those would link
> to manage_permissionForm.
> i'm also thinking to use checkboxes as the current UI is too easy
> to unselect everything by accident.
> 
> The question is, if I can solve the interface issues, are
> there other reasons not to have hundreds or thousands of roles?
> It seems to me that there should not be performance issues,
> since I assume that finding the current user's roles
> is just a dictionary lookup which should scale pretty well...
> we're not talking millions of roles here, and each user
> will have only a handful of roles.
> 
> comments?
> 
> more about our scenario:
>     
> * We must anticipate users at hundreds of locations
> 
> * there might be 10 or so users at each location
> 
> * permissions can be grouped pretty well into tasks, but are
>   specific to a location - permission to do a task at one
>   location must not mean permission at all locations.
>   To me this suggests several Roles per location, corresponding
>   to the grouped tasks at that location.
> 
> * each user might work from several different locations
> 
> * each user might need different permissions when working
>   at different locations
> 
> * We have multiple applications, not all in zope, so LDAP is looking
>   attractive.  
> 
> 
> -- 
> 
> Paul Winkler
> http://www.slinkp.com
> 
> 
-- 
Ideas don't stay in some minds very long because they don't like
solitary confinement.
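The dynamically calculated local roles Leo describes above, as an added example that is not part of this message, exUserFolder or Zope itself: a user object whose `getRolesInContext(object)` finds the `site` the accessed object belongs to (here by walking a plain `parent` chain that stands in for Zope acquisition) and looks up the roles for that (user, site) pair in a central authorization source (here an in-memory dict standing in for LDAP). The `Node`, `CentralAuthz` and `LocationAwareUser` classes, the site names and the grant table are all constructed for the example. The point it makes concrete is the one from Paul's scenario: a task role granted at one location does not carry over to another, and objects outside any location get only the user's global roles.

```python
"""Added example (not code from exUserFolder or Zope): location-aware local
roles computed per request from a central authorization source.

Assumptions, all constructed for this example:
- Zope acquisition is simulated with a plain `parent` attribute on Node.
- The central directory (LDAP in the thread) is simulated by CentralAuthz,
  an in-memory mapping of user -> site -> roles.
"""
from typing import Dict, List, Optional, Set


class Node:
    """Minimal stand-in for a Zope object: a name, an optional parent, and
    optionally a `site` attribute marking the root of a location."""

    def __init__(self, name: str, parent: Optional["Node"] = None,
                 site: Optional[str] = None):
        self.name = name
        self.parent = parent
        self.site = site


def acquired_site(obj: Node) -> Optional[str]:
    """Return the nearest `site` attribute found walking up the containment
    chain, mimicking acquisition of a `site` attribute in Zope. None means
    the object lies outside every location."""
    node: Optional[Node] = obj
    while node is not None:
        if node.site is not None:
            return node.site
        node = node.parent
    return None


class CentralAuthz:
    """Stand-in for the central directory (e.g. LDAP): user -> site -> roles."""

    def __init__(self, grants: Dict[str, Dict[str, Set[str]]]):
        self._grants = grants

    def roles_for(self, user_id: str, site: str) -> Set[str]:
        # Unknown users or sites simply get no extra roles.
        return set(self._grants.get(user_id, {}).get(site, set()))


class LocationAwareUser:
    """User whose local roles are derived from the site of the accessed object
    rather than from roles stored on the objects themselves."""

    def __init__(self, user_id: str, global_roles: List[str], authz: CentralAuthz):
        self._id = user_id
        self._global_roles = list(global_roles)
        self._authz = authz

    def getId(self) -> str:
        return self._id

    def getRoles(self) -> List[str]:
        """Location-independent (global) roles only."""
        return list(self._global_roles)

    def getRolesInContext(self, obj: Node) -> List[str]:
        """Global roles plus whatever the central source grants this user at
        the site `obj` belongs to. A grant at one site never applies to
        objects at another site or to objects outside all sites."""
        roles = set(self._global_roles)
        site = acquired_site(obj)
        if site is not None:
            roles |= self._authz.roles_for(self._id, site)
        return sorted(roles)


def build_demo() -> dict:
    """Constructed site tree and directory contents used to exercise the code."""
    root = Node("root")
    sao_paulo = Node("sao_paulo", parent=root, site="sao_paulo")
    recife = Node("recife", parent=root, site="recife")
    sp_invoices = Node("invoices", parent=sao_paulo)   # inside sao_paulo
    re_invoices = Node("invoices", parent=recife)      # inside recife
    shared = Node("shared", parent=root)               # outside every site

    directory = CentralAuthz({
        "alice": {"sao_paulo": {"Biller", "Reviewer"}, "recife": {"Reviewer"}},
        "bob": {"recife": {"Biller"}},
    })
    return {
        "alice": LocationAwareUser("alice", ["Authenticated"], directory),
        "bob": LocationAwareUser("bob", ["Authenticated"], directory),
        "sp_invoices": sp_invoices,
        "re_invoices": re_invoices,
        "shared": shared,
    }


if __name__ == "__main__":
    demo = build_demo()
    for who in ("alice", "bob"):
        for where in ("sp_invoices", "re_invoices", "shared"):
            print(who, where, demo[who].getRolesInContext(demo[where]))
```

Because the roles are computed at access time, the role set per location can grow without adding roles to Zope's own role list, and changing a user's grants in the central source takes effect immediately without touching any Zope object. A real user folder would wrap the lookup in a short-lived cache, since `getRolesInContext` is called on every permission check.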