[Zope] Zope security management

[Simon Michael]

"John R. Daily" <jdaily@progeny.com> writes:
> Within any sub-folder, one can do the following to a given role:
<snip>
> What's missing is this:
<snip>
> I can't think of any other security system that makes it difficult to
> deny access. The only way to deny access at a local level is to
> duplicate and tweak the security information from the parent node, and
> duplication of information is anathema to manageability.

I agree with John that this is a weakness in the current system. I
have often found myself wishing for something like tri-state
checkboxes (grant/deny/don't care).

Would it be correct to say this is not a limitation of the zope
security model, but a user interface issue ?

-Simon