Zope user with 'few rights'

Is it possible to add a Zope user with 'less rights than admin'? I want to run a cron script (from another server) which basically just accesses a (private) Plone page.

Create a user within the related Plone Site with the rights and permissions you need.
From your script, you can create a new security context (newSecurityManager()) for this user. Also, plone.api has something to switch to a different user context.

Do you mean a Plone user? (My customer did not want 'another user' to be listed within the Plone site, so that is what I am trying to avoid.)

It may be possible to add an additional (set of) PluggableAuthService plugin(s) to keep your "service users" managed in a separate place, via the ZMI, such that they are not enumerated or searchable in the Plone Users and Groups control panel. I have not tried this, but am almost certain it could be wired together with minimal effort in the ZMI.

But — I suspect stuffing your service users elsewhere (not in source_users, not in some kind of directory system or LDAP or IdP or such) is an anti-pattern with regard to transparency and easy auditability of things security related.



The easiest way, I think, is to simply create another users vocabulary which omits the special user and you use that instead of the one provided by p.a.vocabularies. The other option would be:

If you can use an existing user account, use JWT authentication from plone.restapi. You just need to install the plugin another way than activating the add-on if you do not want to use it. You will just need to share the signing secret with the script so that it can generate a valid token.

Another way is to use ssh to run a Plone script instead of a browser view.
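
For the JWT suggestion above, an added example (not part of the thread and not plone.restapi's own code) of how a cron script could mint a short-lived token from a shared signing secret, with a matching check that pins the algorithm and rejects expired or altered tokens. It assumes HS256 and a `sub`/`exp` claim layout; the user id and secret in any call are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(secret, signing_input):
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def mint_token(secret, userid, ttl=60, now=None):
    """Build an HS256 JWT for userid that expires ttl seconds after now."""
    issued = int(time.time()) if now is None else now
    parts = [
        {"alg": "HS256", "typ": "JWT"},
        {"sub": userid, "exp": issued + ttl},  # assumed claim layout
    ]
    body = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return body + "." + b64url(sign(secret, body))


def verify_token(secret, token, now=None):
    """Return the claims if algorithm, signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        head, payload, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(payload))
        given = b64url_decode(sig)
    except ValueError:
        return None  # wrong number of parts, bad base64 or bad JSON
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # pin the algorithm; never trust the header's choice
    if not hmac.compare_digest(given, sign(secret, head + "." + payload)):
        return None  # constant-time signature comparison
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    return claims if claims["exp"] > now else None
```

Anyone holding the signing secret can mint a token for any user id, so keep it out of the cron server's repository and keep `ttl` short.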