Role
A role is a responsibility of a principal with respect to an object. Principals are assigned roles for objects. If the objects for which roles are assigned are containers, then the roles apply to sub-objects as well, unless the role assignment is specifically contradicted.
Roles are given permissions necessary to carry out the responsibility. Principals that have roles have the permissions assigned to the role transitively.
As an example, assume that reporters have the responsibility for
creating articles. A Reporter role is defined to model this
responsibility. To carry out the responsibility, the Reporter
role is given permission to create articles. Sally is a sports
reporter, so she is given the Reporter role in the sports section
of a site. She does not have the Reporter role in the business
section of the site. Because Sally has the Reporter role in the
sports section, she has permission to create articles in the sports
section.
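The rules above, worked through as an added example (not code from Zope or from the original page). The `Node` class, the function names, and the `archive` and `drafts` sub-folders are hypothetical, and it assumes a contradicting assignment is an explicit local setting where the nearest setting to the object wins:

```python
# Added illustration, not Zope's API; every name below is hypothetical.
ROLE_PERMISSIONS = {"Reporter": {"Create Article"}}


class Node:
    """An object or container in the site hierarchy."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        # (principal, role) -> True (assigned) or False (contradicted here)
        self.local_roles = {}

    def assign(self, principal, role):
        self.local_roles[(principal, role)] = True

    def contradict(self, principal, role):
        self.local_roles[(principal, role)] = False


def has_role(principal, role, obj):
    """Walk from obj up through its containers; the nearest setting wins."""
    node = obj
    while node is not None:
        setting = node.local_roles.get((principal, role))
        if setting is not None:
            return setting
        node = node.parent
    return False  # no assignment anywhere on the path: default deny


def has_permission(principal, permission, obj):
    """A principal holds a permission transitively, through its roles."""
    return any(
        permission in perms and has_role(principal, role, obj)
        for role, perms in ROLE_PERMISSIONS.items()
    )


# Constructed sample hierarchy: site > {sports > {drafts, archive}, business}
site = Node("site")
sports = Node("sports", site)
business = Node("business", site)
drafts = Node("drafts", sports)
archive = Node("archive", sports)

sports.assign("sally", "Reporter")       # Sally is a sports reporter
archive.contradict("sally", "Reporter")  # explicit contradiction lower down
```

Because the lookup defaults to deny and stops at the first setting it finds, a role granted on a container never leaks sideways to sibling containers or upward to the site root.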
It is possible that users will be able to elect which roles are enabled at a point in time for some principal associated with them.
Note that, at least in Zope 2, roles are operationally similar to the notion of "groups" in other systems. The intent, however, is different. A role is a responsibility, while a group is a collection of principals. Zope 3 will likely have Groups; however, roles and groups will differ in a number of ways:
- Roles are for specific objects in a system.
- Groups apply to the domain or realm in which a user is defined.
- It may (probably will) be possible for a user to elect which roles are possible for a time period for a principal.
Other ways to think about roles
Roles can correspond to positions in an organization.
Roles correspond to use case actors. When a use-case approach is used to define requirements for a system, it will usually be very natural to create roles for each actor.
