For an application I'm building, I'm looking at trying to figure out a simple and robust method of doing access control - there's a bunch of different users who each have access to certain objects (stored in Oracle), and they should get different access based on which object ids they are trying to access.

What I want to be able to do is have something I can call in standard_html_header which does something like

* get AUTHENTICATED_USER.
* get REQUEST['object_id'].
* lookup in SQL the rights that this user has over the object with object id object_id.
* set the roles of the user for this transaction, to either 'anonymous/none', 'readonly', 'readwrite', or some other variation, and let the permissions on the appropriate DTML and SQL methods control what they can do.

What's the mechanism for editing the roles of a transaction? Is it even doable?

Could I simply use a UserDb, add 'object_id' to the list of arguments for sqlListUser, and make the SQL magic supply the roles? Will this get called for each transaction?

thanks,
Anthony

--
Anthony Baxter <anthony@interlink.com.au>
It's never too late to have a happy childhood.
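The per-object lookup described in the post above, as an added example that is not part of the original message and does not use Zope's or UserDb's API. It assumes a hypothetical `object_rights` table, uses `sqlite3` as a stand-in for Oracle, and resolves to the least-privileged role whenever the user, the object id, or the stored role is in doubt.

```python
import sqlite3

# Role names from the post; anything unknown collapses to the least-privileged one.
KNOWN_ROLES = ("readonly", "readwrite")
DEFAULT_ROLE = "anonymous/none"


def make_sample_db():
    """Constructed sample data; table and column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE object_rights ("
        " username TEXT NOT NULL, object_id INTEGER NOT NULL, role TEXT NOT NULL,"
        " PRIMARY KEY (username, object_id))"
    )
    db.executemany(
        "INSERT INTO object_rights VALUES (?, ?, ?)",
        [("alice", 1, "readwrite"), ("alice", 2, "readonly"),
         ("bob", 1, "readonly"), ("bob", 3, "superuser")],
    )
    return db


def roles_for_request(db, authenticated_user, raw_object_id):
    """Resolve the role for one request, failing closed on any doubt."""
    if not authenticated_user:
        return [DEFAULT_ROLE]
    # object_id comes from the request, so treat it as untrusted input.
    try:
        object_id = int(str(raw_object_id).strip())
    except (TypeError, ValueError):
        return [DEFAULT_ROLE]
    # Bind parameters keep the request value out of the SQL text.
    row = db.execute(
        "SELECT role FROM object_rights WHERE username = ? AND object_id = ?",
        (authenticated_user, object_id),
    ).fetchone()
    # A missing row or a role outside the known set grants nothing.
    if row is None or row[0] not in KNOWN_ROLES:
        return [DEFAULT_ROLE]
    return [row[0]]


if __name__ == "__main__":
    db = make_sample_db()
    for user, oid in [("alice", "1"), ("bob", "1"), ("bob", "2"), ("bob", "1 OR 1=1")]:
        print(user, repr(oid), roles_for_request(db, user, oid))
```

The lookup runs once per request, so a rights change in the table takes effect on the next request without any cached role to invalidate.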