
Ticket #505 (closed enhancement: wontfix)

Opened 13 years ago

Last modified 12 years ago

Apply Permissions to Users instead of Groups

Reported by: ienliven@…
Owned by: anonymous
Priority: normal
Milestone:
Component: Identity
Version:
Severity: normal
Keywords:


Hi, I recently started to play with the identity framework from TurboGears and I really don't get the point of linking permissions to groups. If the 'write' permission is linked against the 'admin' group, all users in the admin group have write permission. If I need different permissions for a specific user, I need to create another group. So, what is the point? I really think that 'permissions' should be linked against 'users'. This way the 'group' should say which objects you can access and the permission what you can do with given objects. Thanks for your attention, Andre Souza

Change History

comment:1 Changed 13 years ago by ienliven@…

from hashlib import md5  # the posted code used the Python 2 'md5' module
from sqlobject import SQLObject, StringCol, MultipleJoin, RelatedJoin, ForeignKey


class Role(SQLObject):
    rolename = StringCol(length=32, title="Role name",
                         notNone=True, alternateID=True)
    description = StringCol(length=64, title="Description")
    members = MultipleJoin("User", joinColumn="role")


class Permission(SQLObject):
    name = StringCol(length=32, title="permission name",
                     notNone=True, alternateID=True)
    description = StringCol(length=64, title="Description")
    members = RelatedJoin("User")


class User(SQLObject):
    username = StringCol(length=32, title="Username",
                         notNone=True, alternateID=True)
    password = StringCol(length=48, title="Password", notNone=True)
    owner = ForeignKey("User", dbName="owner", notNone=False, default=None)
    role = ForeignKey("Role", dbName="role", notNone=True, default=None)
    permissions = RelatedJoin("Permission")

    def _set_password(self, value):
        # Stores an unsalted MD5 digest, as posted; a current deployment would
        # use a salted, slow password hash (e.g. hashlib.pbkdf2_hmac or bcrypt).
        self._SO_set_password(md5(value.encode()).hexdigest())

comment:2 Changed 13 years ago by Jeff Watkins

  • Summary changed from Identity misunderstanding to Apply Permissions to Users instead of Groups
  • Severity changed from major to normal
  • Milestone 0.9 deleted

There is nothing preventing you from creating a Model that better suits your needs, however, experience with large user communities shows that you're almost always better off modelling via Users->Groups<-Permissions rather than applying permissions directly to a particular User.

If for no other reason, provisioning new users becomes a huge problem. Consider the following example:

Sally, the nurse, retires and her replacement Sam needs to be provisioned in the new system. In an environment where permissions are applied via groups, Sam is made a member of the Nurse group and he immediately acquires *every* applicable permission. If permissions are applied directly to the user, you need to explicitly apply every permission in order to provision Sam.

Six months later, you roll out new functionality for nurses. This new functionality includes new permissions -- all nurses should have these permissions. If you've modelled your users using groups, you add the permissions to the nurses group and immediately every nurse, including Sam, can now access the new functionality. If you haven't modelled your data using groups, you need to add the permissions to every single nurse. Now ask yourself, if you don't have groups, how do you know who all the nurses are?

Now if you have a VERY small user community, applying permissions directly to the user isn't a bad model. And I run into this a lot with clients. Mostly when I encounter this model it's after they've grown from a small number of users to many hundreds or even thousands. In these cases, the permissions are often controlled by different application specialists and no one quite knows what the definitive set of permissions actually is for a given group or role.
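The provisioning scenario from the comment above, worked through in code. This is an added illustration, not TurboGears or SQLObject code and not part of the ticket; the store, the permission names and the user "bob" are constructed for the example, while Sally and Sam and the Nurse group come from the comment.

```python
class Directory:
    """Toy authorization store holding both models side by side:
    group grants (Users -> Groups <- Permissions) and direct user grants."""

    def __init__(self):
        self.groups = {}       # group name -> set of permission names
        self.memberships = {}  # username  -> set of group names
        self.direct = {}       # username  -> permissions granted directly

    def add_group(self, name, perms=()):
        self.groups[name] = set(perms)

    def add_user(self, username, groups=(), direct_perms=()):
        for g in groups:
            if g not in self.groups:
                raise KeyError(f"unknown group {g!r}")
        self.memberships[username] = set(groups)
        self.direct[username] = set(direct_perms)

    def grant_to_group(self, group, perm):
        # One change here reaches every current and future member.
        self.groups[group].add(perm)

    def effective_permissions(self, username):
        """Union of direct grants and the grants of every group joined."""
        perms = set(self.direct[username])
        for g in self.memberships[username]:
            perms |= self.groups[g]
        return perms

    def members_of(self, group):
        return {u for u, gs in self.memberships.items() if group in gs}

    def unmanaged_holders(self, group):
        """Users holding one of the group's permissions only via a direct
        grant: the 'nurses' a group-less model cannot enumerate."""
        gp = self.groups[group]
        return {u for u, dp in self.direct.items()
                if dp & gp and group not in self.memberships[u]}


def provisioning_demo():
    d = Directory()
    d.add_group("nurse", {"read_chart", "write_chart"})
    d.add_user("sally", groups={"nurse"})
    d.add_user("sam", groups={"nurse"})       # one membership, all nurse permissions
    d.add_user("bob", direct_perms={"read_chart", "write_chart"})  # granted one by one
    d.grant_to_group("nurse", "order_labs")   # new functionality six months later
    return d
```

After the new permission is added to the group, Sam and Sally hold it and Bob does not, and `unmanaged_holders` is the audit query that finds such users, which only works because the group records which permissions define a nurse.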

comment:3 Changed 13 years ago by godoy

  • Status changed from new to closed
  • Resolution set to wontfix

This looks like an informational ticket. I'm closing it...
