I understand the difference between assigning a Role (site-wide using the 'tick box') vs. Group (which members are added to group and each group can be assigned to various sections in the site). Also, I believe the current trend is to lean towards using either groups and/or the sharing tab, as opposed to site-wide roles. In all but two cases - admin and site admin - I get it.
However, for two 'roles' - admin and site admin - the default Plone installation creates groups for these. Thus, by default, you can either use Roles or Groups for admin and site admin.
Other than for large and involved sites where, for example, each department in a college might have its own site admin or admin, I can't think of any reason not to use Admin and Site Admin Roles vs. Groups. Am I missing anything?
I realize this may be a small issue; however, I want to nail down how I will approach the sites that I will build (knowing I don't expect a really large, complicated site).
I'd appreciate any thoughts on what I might be missing.
Commonly, Site Administrator and Manager are global roles just because it makes no sense to give them locally in the default Plone security setting: if you look at the sharing tab, those roles are not included in the set of roles that you can assign.
A Manager can do dangerous things like going into the ZMI, while the Site Administrator can do something less, like managing users. What can you get by assigning those roles locally?
So, from the Plone UI (by default) you are not able to give those two roles to users locally, even if you are using groups.
It will be simple for us to help you if you describe which kind of actions you want to be able to do in your complex site and subsection. It seems you want to get a sort of local administrator, but what can he do? Probably there is a simpler way to go.
I think his main question is "why is there an Administrator group?" -- as you can do all relevant things just with the corresponding role.
There's a performance penalty when using roles, which is not there when you use the corresponding groups. If, e.g., you add the 'Administrator' role to a user sitewide, all objects in your site will be reindexed recursively. Multiple times even. If you add that user to the 'Administrators' group, no such reindexing takes place while the outcome (i.e. access controls) is the same.
@keul exactly right.
@gyst thanks for that explanation. Hadn't thought of that.
Since I don't ever plan on working on a large site where the performance issue would be a factor, for the admin and site admin I will use the check box. For me that makes more sense.