Has anybody ever set up a site with a large number of roles? We're contemplating a security model for our app that might lead to ~ 100 Roles within a year, possibly thousands within the next 5 years. (Outline of the actual problem is at the end of this message.)

(The users and roles will be managed in LDAP, by the way; we plan to use LDAPUserFolder for this and not do any user or role administration in Zope.)

I seem to recall the Zope Book or some other text advising against large numbers of roles, but IIRC that was only because of the UI. Obviously the ZMI default Security tab will not scale. I think I can replace that without too much trouble: possibly have the main page list only the roles vertically, with each one being a link to manage_roleForm as it is currently. As the number of roles grows very large this main page could be broken into batches if necessary. And of course there'd be a link to another page with a list of permissions to manage, and each of those would link to manage_permissionForm. I'm also thinking to use checkboxes, as with the current UI it is too easy to unselect everything by accident.

The question is, if I can solve the interface issues, are there other reasons not to have hundreds or thousands of roles? It seems to me that there should not be performance issues, since I assume that finding the current user's roles is just a dictionary lookup which should scale pretty well... we're not talking millions of roles here, and each user will have only a handful of roles.

Comments?

More about our scenario:

* We must anticipate users at hundreds of locations
* there might be 10 or so users at each location
* permissions can be grouped pretty well into tasks, but are specific to a location - permission to do a task at one location must not mean permission at all locations. To me this suggests several Roles per location, corresponding to the grouped tasks at that location.
* each user might work from several different locations
* each user might need different permissions when working at different locations
* We have multiple applications, not all in Zope, so LDAP is looking attractive.

-- 
Paul Winkler
http://www.slinkp.com

Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
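
The scenario in the message above, modelled as an added example that is not part of the original post and is not Zope or LDAPUserFolder code: one role per (location, task group) pair, with a check that a grant at one location never carries over to another. The role naming scheme, task groups and permission names are assumptions made up for the illustration.

```python
# Added illustration; plain Python, not Zope or LDAPUserFolder code.
# Task groups and permission names are constructed sample data.
TASK_PERMISSIONS = {
    "Clerk": frozenset({"View orders", "Add orders"}),
    "Manager": frozenset({"View orders", "Add orders", "Approve orders"}),
    "Auditor": frozenset({"View orders", "View audit log"}),
}

def role_name(location, task):
    """One role per (location, task group) pair, e.g. 'loc0042:Manager'."""
    return f"{location}:{task}"

def build_role_table(locations):
    """Map every location-scoped role name to (location, permissions)."""
    return {
        role_name(loc, task): (loc, perms)
        for loc in locations
        for task, perms in TASK_PERMISSIONS.items()
    }

def has_permission(role_table, user_roles, permission, location):
    """True only if one of the user's roles grants `permission` at `location`.

    Iterates over the user's own roles (a handful) with one dictionary
    lookup each, so the cost does not grow with the size of role_table.
    Role names missing from the table are ignored (deny by default).
    """
    for role in user_roles:
        entry = role_table.get(role)
        if entry is None:
            continue
        role_location, perms = entry
        if role_location == location and permission in perms:
            return True
    return False

# Constructed sample: 1000 locations x 3 task groups = 3000 roles.
LOCATIONS = [f"loc{n:04d}" for n in range(1000)]
ROLE_TABLE = build_role_table(LOCATIONS)

# A user who works at two locations with different duties at each.
ALICE_ROLES = {role_name("loc0001", "Manager"), role_name("loc0002", "Clerk")}

if __name__ == "__main__":
    for loc in ("loc0001", "loc0002", "loc0003"):
        print(loc, has_permission(ROLE_TABLE, ALICE_ROLES, "Approve orders", loc))
```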