SecurityACL

Website security is a problem for everyone, including Microsoft. Everyone has read about webpage defacement, when a cracker breaks into a website and alters the page. Even worse break-ins involve theft of credit card information.

Zope is 'secure by default.' When it is installed on a server, all security features are enabled at their maximum level. The administrator must turn features off or reduce them to make Zope vulnerable to attack. Only one Zope website has ever been broken into: someone sniffed a password at a conference and entered as a privileged user.

Other technologies must be 'locked down' to make them secure. Some take as long as 8 to 9 hours to set up the security, and steps are often missed.

Ultra Fine-Grained ACL

Most security technologies offer an either/or scheme: either you can have access to the backend or you can't. Microsoft's IIS server technology acts as a gateway to a multi-layer security system called an Access Control List (ACL). Unfortunately, it uses the NT logon manager, so the only browser that can use this technology is their own, Internet Explorer. Zope's ACL is browser transparent; that is, all browsers can use it.

An ACL allows the administrator to grant fine-grained permissions to a site. For example, a user might have permission to add content to a page but not change or delete content. Control can be set to add, change, create, delete, edit, view, import, export, manage, open and close. These permissions can be set on specific objects and not others, or on a particular area and nowhere else. They can be set for a whole group or for an individual.

With an ACL, a company can give its sales staff in the field access to information in the website that no one else can see. The entire website can be managed by a group, with each member possessing different responsibilities and thus different permissions.

CompoundDoc allows even finer control of permissions. Password administrators can grant access to only sub-areas of a CompoundDoc, such as a specific text field. Most other ACLs don't have this level of control. With Zope's security, even if crackers gain access to one object, they are locked out of everywhere else.
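The permission scheme described above can be sketched as a small deny-by-default model. This is an added example, not Zope's or CompoundDoc's own code or API; the class, the paths, the user and group names and the "user:"/"group:" prefixes are all assumptions made for illustration.

```python
# Added illustration: a toy ACL model, not Zope's or CompoundDoc's real API.
# All paths, users, groups and permission names are constructed samples.

class ACL:
    def __init__(self, groups):
        self.groups = groups          # group name -> set of member user names
        self.grants = {}              # path -> {principal -> set of permissions}

    @staticmethod
    def _segments(path):
        parts = [p for p in path.split("/") if p]
        if any(p in (".", "..") for p in parts):
            raise ValueError("path must be canonical")  # no ambiguous lookups
        return parts

    def grant(self, path, principal, *perms):
        """Attach permissions to one object or area for 'user:x' or 'group:y'."""
        node = "/" + "/".join(self._segments(path))
        self.grants.setdefault(node, {}).setdefault(principal, set()).update(perms)

    def principals(self, user):
        """The user plus every group the user belongs to."""
        member_of = {"group:" + g for g, m in self.groups.items() if user in m}
        return {"user:" + user} | member_of

    def allowed(self, user, perm, path):
        """Deny by default; a grant on an area covers the objects beneath it."""
        who = self.principals(user)
        parts = self._segments(path)
        while True:
            node = "/" + "/".join(parts)
            for principal, perms in self.grants.get(node, {}).items():
                if principal in who and perm in perms:
                    return True
            if not parts:
                return False          # reached the site root without a grant
            parts.pop()               # move up to the containing area


def build_demo_acl():
    acl = ACL({"sales": {"alice", "bob"}, "editors": {"carol"}})
    # Editors may view and add news items, but not change or delete them.
    acl.grant("/site/news", "group:editors", "view", "add")
    # Only the sales group can see the sales area.
    acl.grant("/site/sales", "group:sales", "view")
    # One individual may edit a single text field inside a compound document.
    acl.grant("/site/docs/handbook/intro_text", "user:dave", "view", "edit")
    return acl
```

Because nothing is granted at the site root, an account that holds a grant on one object or area gets no access anywhere else, which is the containment property the text describes.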