[Zope] Doing security the right way roles/localroles/permissions

Toby Dickenson tdickenson@geminidataloggers.com
Wed, 26 Sep 2001 11:18:57 +0100


On Tue, 25 Sep 2001 19:53:53 +0200, "Max M" <maxmcorp@worldonline.dk>
wrote:

>Every class is an objectManager, and I give the users a local role of
>"manager" for their own area. I do this in dtml as it has to be automated.
>Users and such are set up by secretaries, and they should not have to
>understand security to add a student to a class.
>
>But I wonder if it would be smarter to set the permissions directly for
>their own areas? Is it dangerous to give them local roles of managers?
>
>What does everybody else do in practice?

Setting a local role is the right way to express that relationship
between the person and their area.

However, you might want to look at the permissions associated with the
manager 'Manager'; I suspect you didn't intend for users to be able to
create new user accounts, even if those new accounts would only be
valid within their area.

It might be better to create a new role with exactly the permissions
that you want to give out (but still allocating it as a local role).
Exactly what you call this role depends on what users will be doing in
this area... I often find the standard 'Owner' role expresses the
right relationship.



Toby Dickenson
tdickenson@geminidataloggers.com
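
An added example, not part of the original thread and not Zope's own code: a simplified Python model of the reply's point, comparing a local 'Manager' role with a narrower role allocated as a local role in the same area. The `Folder` class, the helper functions, the `ClassEditor` role and the user `student1` are hypothetical; the permission names are Zope's standard ones.

```python
# Simplified model of local roles and role-permission mappings (not Zope code).
SENSITIVE = ("Change permissions", "Manage users")

class Folder:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.local_roles = {}       # userid -> roles granted at this folder
        self.role_permissions = {}  # role -> permissions mapped at this folder

    def chain(self):
        """Yield this folder, then each container up to the root."""
        node = self
        while node is not None:
            yield node
            node = node.parent

def roles_in_context(folder, userid):
    """Local roles apply in the folder where they are set and everything below it."""
    roles = set()
    for node in folder.chain():
        roles |= node.local_roles.get(userid, set())
    return roles

def has_permission(folder, userid, permission):
    """True if any role the user holds here maps to the permission (mappings acquired)."""
    held = roles_in_context(folder, userid)
    return any(permission in node.role_permissions.get(role, ())
               for node in folder.chain() for role in held)

def sensitive_grants(folder, userid):
    """Administrative permissions the user ends up with in this folder."""
    return [p for p in SENSITIVE if has_permission(folder, userid, p)]

def build_site(area_role):
    """Constructed site: two class areas; student1 gets area_role locally in class_a only."""
    root = Folder("root")
    root.role_permissions["Manager"] = {"View", "Delete objects", "Manage users",
        "Add Documents, Images, and Files", "Change permissions"}
    # Hypothetical narrow role carrying only the content permissions we want to hand out.
    root.role_permissions["ClassEditor"] = {"View", "Delete objects",
        "Add Documents, Images, and Files"}
    class_a, class_b = Folder("class_a", root), Folder("class_b", root)
    class_a.local_roles["student1"] = {area_role}
    return class_a, class_b

if __name__ == "__main__":
    for role in ("Manager", "ClassEditor"):
        a, b = build_site(role)
        print(role, sensitive_grants(a, "student1"), has_permission(b, "student1", "View"))
```

In both cases the grant stays confined to `class_a`; only the narrower role keeps user-account and permission administration out of the area owner's hands.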