Previous Chapter | Next Chapter | Up | Next Section | Contents

Architecture


The security architecture concerns itself with two basic ideas: who are you (authentication) and are you allowed to do this operation (authorization). Authentication involves determining who the user is based on an HTTP authentication protocol and what types of things that user is allowed to do. Authorization, on the other hand, is concerned with the operation on the object. Namely, what privileges are needed by this user to perform this operation? Managing Zope security involves managing both information about users and permissions on objects.

At first it would appear straightforward. Just keep a list of users and a list of things they can do. This model, however, would quickly break down as the number of object operations and users grew. Thus, an abstraction is inserted between users and object operations. This abstraction, discussed below, allows users and operations to be generalized.

A fundamental idea in Zope security is that administration should be turned over to others as you traverse the folders in a URL. The administrators at each level can define new administrators below their folder, thus passing the work down the hierarchy. To do this effectively, one must understand the four key components of Zope security: users , roles , permissions , and acquisition.

Users

People (or groups of people) who interact with Zope are represented by Zope "users", or "user objects." Zope user objects provide management of authentication information and the kind of access people have.

Roles

Roles represent kinds of responsibility and authorization, such as "Manager" or "Author." Roles provide the linkage between authentication and authorization. They are functionally similar to "groups" in other security systems.

Permissions

Permissions represent like operations on objects and provide an organized mechanism for setting access control on objects. Permissions correspond to the high-level permissions, like "read," "write," and "execute," found in file systems. However, permissions are specific to objects. Different types of objects can provide different, object-specific permissions.

Acquisition

Acquisition is the mechanism in Zope for sharing information among objects contained in a folder and its subfolders. The Zope security system uses acquisition to share permission settings, so that access can be controlled from high-level folders.

These concepts will be discussed in more detail in the sections that follow.

Previous Chapter | Next Chapter | Up | Next Section | Contents
Banner.Novgorod.Ru