[Zope-dev] LOTS of roles?

Paul Winkler pw_lists@slinkp.com
Sat, 22 Feb 2003 14:27:38 -0500


On Sat, Feb 22, 2003 at 02:24:10PM +0100, Oliver Bleutgen wrote:
> With locations, do you mean physical locations of the clients (i.e. 
> IP-addresses), or the locations of objects inside zope (i.e. 
> /department1, /department2 etc.)?

Both.
Let's call them "sites" instead of locations, because they're
physical sites: a discrete physical resource that our users need to 
manage. One user may have certain permissions
at one of these sites, and different permissions at another.
Unfortunately this is a required feature.

It's also true that there may be specific content 
and applications in Zope which correspond to a specific 
physical site, but not to the whole group of sites,
and that's why Zope needs to be involved with
such a complex security model.

example:


Three physical sites, 1 2 and 3.

Three tasks, X Y and Z. 
task X involves reading some class of data.
task Y involves reading some other class of data.
task Z involves writing some class of data.

Two users, A and B.

User A working at site 1 performs tasks X and Y.
User A working at site 2 performs tasks Y and Z.
User A working at site 3 cannot do anything.

User B working at site 1 cannot do anything.
User B working at site 2 performs task X.
User B working at site 3 performs tasks X, Y, and Z.


The solution we are considering is to have one
role per site per task.
If we were to name the roles after the site and task identifiers,
we'd end up with something like:

User A has roles 1X, 1Y, 2Y, 2Z
User B has roles 2X, 3X, 3Y, 3Z

... but this obviously leads to an explosion of roles.
e.g. 10 tasks * 200 sites = 2000 roles.
Hence my original question. :)

Bear in mind that we do not intend to do any of the user or
role management in Zope; that would all be done in LDAP, and
it would be officially Not My Problem. ;-)
So "all" I'd need to do in Zope would be to assign permissions
on particular folders to one or more of these 2000-some roles.
So I'd need to write a security UI for the ZMI that can handle this
well, because the default one cannot.

We've also discussed the possibility of making this modified
Zope security UI available publicly, if there is community interest.
Does anybody actually like the one huge security grid?
Try adding a couple roles to a CMF site and it already gets a bit unwieldy...

The other possibility I've considered is a custom UserFolder
which assigns the user's roles dynamically depending on what
physical site they are working on (which we can always find out).
This seems less bulky - many fewer roles from Zope's perspective -
but I'm concerned about introducing security bugs that might
go unnoticed, and I've never written a UserFolder so I don't know
how long it would take.  And I'm worried about session issues -
if user A is doing some remote work for site 1 and then switches
to site 2, would all of his roles be updated immediately and correctly?
And we may need to allow a user to work on two sites 
*simultaneously* which would not be possible in this model.

--

Paul Winkler
www.slinkp.com
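
Added example, not part of the original post and not Zope or UserFolder code: a plain-Python model of the two designs discussed above (one role per site per task versus task roles derived from the site of each request), checked exhaustively against the post's A/B table so that a mismatch in either model is caught. All names (`DIRECTORY_ROLES`, `roles_at`, `disagreements`, ...) are hypothetical, and it assumes the site is known for every request and passed in explicitly.

```python
from itertools import product

SITES = ("1", "2", "3")
TASKS = ("X", "Y", "Z")

# Composite roles exactly as named in the post (in practice supplied by LDAP).
DIRECTORY_ROLES = {
    "A": {"1X", "1Y", "2Y", "2Z"},
    "B": {"2X", "3X", "3Y", "3Z"},
}

# What the post says each user may do at each site; used as the oracle.
EXPECTED = {
    ("A", "1"): {"X", "Y"}, ("A", "2"): {"Y", "Z"}, ("A", "3"): set(),
    ("B", "1"): set(), ("B", "2"): {"X"}, ("B", "3"): {"X", "Y", "Z"},
}

def allowed_flat(user, site, task):
    """Model 1: the object at `site` demands the composite role site+task."""
    return (site + task) in DIRECTORY_ROLES.get(user, set())

def roles_at(user, site):
    """Model 2: task roles for one request, derived from the request's site.

    Unknown users and unknown sites yield no roles (default deny).
    """
    if site not in SITES:
        return set()
    held = DIRECTORY_ROLES.get(user, set())
    return {task for task in TASKS if site + task in held}

def allowed_dynamic(user, site, task):
    return task in roles_at(user, site)

def disagreements():
    """Every (user, site, task) where a model differs from the post's table."""
    bad = []
    for (user, site), task in product(EXPECTED, TASKS):
        want = task in EXPECTED[(user, site)]
        if allowed_flat(user, site, task) != want or allowed_dynamic(user, site, task) != want:
            bad.append((user, site, task))
    return bad

def role_count(n_sites, n_tasks, dynamic):
    """Distinct role names the permission UI has to display."""
    return n_tasks if dynamic else n_sites * n_tasks

if __name__ == "__main__":
    print("mismatches:", disagreements())
    print("roles:", role_count(200, 10, False), "vs", role_count(200, 10, True))
```

Because `roles_at` depends only on its arguments and keeps no per-session state, the answer for site 1 and the answer for site 2 are computed independently for the same user.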