Hi,

I'm trying to work out a security strategy for data stored in Specialists, where specific users need access to specific data instances. For example: A Customer object is linked to a Person and Address objects. The customer needs permission to edit her - and only her - Address object. Using the Owner local role won't work, because customers can be registered by site managers and customer support people, in which case Owner won't be the customer.

I can solve this by giving the customer a local role when creating her Address object:

  Customers.addCustomer(REQUEST):
    ni = container.addItem(some_id)
    container.Addresses.addAddressFor(ni.id, REQUEST)

  Addresses.addAddressFor(for_id, REQUEST):
    ni = container.addItem(some_id)
    ni.manage_addLocalRole(for_id, 'EditMyDetails')

But this can be a lot of work - if an Address object can also be created for a CreditCard object, addCreditCard will have to both set its own local role, and pass the customer id on to Address...

But the main problem is that I'm not sure if it will work at all - can local roles be set for DataSkins that aren't stored in the ZODB? From what I can see ZPatterns doesn't support this, so I'll have to do it myself. __ac_local_roles__ can't be accessed in a SkinScript - so will I have to override has_local_roles, get_local_roles and get_local_roles_for_userid and call them from the SkinScript? This is getting hairy...

Without local roles, all I can think of is explicitly checking that the logged in user is the right customer in all the methods that display and edit the object, which is very ugly. Plus it would require Address to know a customer_id even when it actually belongs to a CreditCard, not a Customer... there goes Demeter. Or I can add a findUserID to Address, CreditCard and Customer, all of which pass the request upwards until one is reached that actually knows the customer. Still ugly.

TIA for any comments/suggestions.

Itai
--
Itai Tavor                    "Je sautille, donc je suis."
C3Works    itai@c3works.com            - Kermit the Frog

"If you haven't got your health, you haven't got anything"
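
Added example, not part of the original post and not Zope or ZPatterns code: a plain-Python model of the findUserID idea above, where 'EditMyDetails' is computed from the ownership chain at check time instead of being stored on each instance. The class names, the parent attribute, can_edit and the use of "Manager" as the staff role are assumptions made for illustration.

```python
# Plain-Python model, not Zope or ZPatterns code. The role is computed from
# the ownership chain on every check instead of being stored per instance.
EDIT_ROLE = "EditMyDetails"  # role name from the post


class Owned:
    """Hypothetical base: a record that may hang off another record."""

    def __init__(self, parent=None):
        self.parent = parent

    def find_user_id(self):
        # Walk upward until an object actually knows the customer.
        node, seen = self, set()
        while node is not None and id(node) not in seen:
            seen.add(id(node))  # a parent cycle ends the walk
            user_id = getattr(node, "user_id", None)
            if user_id is not None:
                return user_id
            node = node.parent
        return None  # orphan or cycle: nobody is granted the role

    def get_local_roles_for_userid(self, userid):
        # Same name as the Zope method mentioned in the post, modelled here.
        owner = self.find_user_id()
        # "owner is not None" stops an anonymous None matching an orphan.
        if owner is not None and userid == owner:
            return (EDIT_ROLE,)
        return ()


class Customer(Owned):
    def __init__(self, user_id):
        super().__init__()
        self.user_id = user_id


class CreditCard(Owned):
    pass


class Address(Owned):
    pass


def can_edit(userid, obj, global_roles=()):
    # Deny by default; "Manager" as the staff role is an assumption.
    if "Manager" in global_roles:
        return True
    return EDIT_ROLE in obj.get_local_roles_for_userid(userid)
```

In this model Address never holds a customer id, and who created the record plays no part in the decision.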