I have a problem which can easily be solved by local roles:

- several workgroups (each one is basically a folder)
- for each workgroup, a list of users who are allowed to do stuff in it

What I do is create a role WorkgroupMember, and in each workgroup assign a local role of WorkgroupMember to the users who are authorized.

However I'd like all this information about workgroup membership to be stored in an LDAP directory, where it belongs.

Currently I'm a bit stuck. What I envision would be something akin to LDAPLoginAdapter but whose effect would be on the local roles of a given folder.

In my LDAP directory, I would have something like:

    dn: cn=WorkgroupMember, ou=workgroup1, ou=workgroups, dc=example, dc=com
    objectClass: groupOfUniqueNames
    uniqueMember: cn=bob, ou=people, dc=example, dc=com
    uniqueMember: cn=pete, ou=people, dc=example, dc=com
    uniqueMember: cn=joe, ou=people, dc=example, dc=com

And the local roles in the folder would be parametrized by:

    groups base DN: ou=workgroups, dc=example, dc=com
    groups attribute: ou
    local role name attribute: cn
    login name attribute: cn
    user base DN: ou=people, dc=intercom, dc=gouv, dc=fr
    user RDN attribute: cn
    (all this can be factored somewhere)
    group: workgroup1

Well, that's how I see it. I have three questions:

- Is there a better way to do it?
- Has someone done something like that? Would an LDAPified Slave User Folder fit the bill? (BTW, I should do a separate message about this, but Slave User Folder and LDAPLoginAdapter don't mix well, as LDAPLoginAdapter.getUsers returns only *cached* users... It could work if Slave User Folder only used getUserNames when listing available users.)
- If I do it with local roles, where and how would I plug in the machinery to do this? I need to replace the RoleManager, but I don't want to re-derive all classes. I could patch the folder to have a callable __ac_local_roles__, and I think things would mostly work (AccessControl.User does the right thing with callable __ac_local_roles__), but I'm not completely sure; besides, that's ugly.

Thanks,
Florent Guillaume
Nuxeo
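The mapping described in the message above, as an added example that is not part of the original post or of any Zope product: it turns groupOfUniqueNames entries into the {login: [roles]} dictionary a callable __ac_local_roles__ could return. The names `parse_dn`, `below` and `local_roles_for` are hypothetical, the entries are constructed, the LDAP search itself is left out, and the user base DN is assumed to be under dc=example, dc=com so that it matches the sample entry.

```python
import re

def parse_dn(dn):
    """Split a DN into [(attr, value), ...] or None if malformed; '\\,' stays in the value."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, sep, value = (s.strip() for s in part.partition('='))
        if not (sep and attr and value):
            return None
        rdns.append((attr.lower(), value.replace('\\,', ',')))
    return rdns

def below(rdns, base, depth):
    """True if rdns parsed and sits exactly `depth` RDNs under base (case-insensitive)."""
    fold = lambda seq: [(a, v.lower()) for a, v in seq]
    return bool(rdns) and len(rdns) == len(base) + depth and fold(rdns[depth:]) == fold(base)

def local_roles_for(entries, workgroup, groups_base, users_base,
                    group_attr='ou', role_attr='cn', login_attr='cn'):
    """Build {login: [role, ...]}, the shape of __ac_local_roles__, for one workgroup."""
    gbase, ubase = parse_dn(groups_base), parse_dn(users_base)
    if not gbase or not ubase:
        raise ValueError('base DNs must be well-formed')
    roles = {}
    for dn, members in entries:
        rdns = parse_dn(dn)
        if not below(rdns, gbase, 2):
            continue  # malformed or outside the groups base: grants nothing
        (rattr, role), (gattr, group) = rdns[0], rdns[1]
        if (rattr, gattr) != (role_attr, group_attr) or group.lower() != workgroup.lower():
            continue
        for member in members:
            m = parse_dn(member)
            # Only direct children of the user base DN may receive a role.
            if below(m, ubase, 1) and m[0][0] == login_attr:
                granted = roles.setdefault(m[0][1], [])
                if role not in granted:
                    granted.append(role)
    return roles

# Constructed sample data, shaped like (dn, uniqueMember values) from an LDAP search.
GROUPS_BASE = 'ou=workgroups, dc=example, dc=com'
USERS_BASE = 'ou=people, dc=example, dc=com'   # assumption: matches the sample entry
SAMPLE = [
    ('cn=WorkgroupMember, ou=workgroup1, ' + GROUPS_BASE,
     ['cn=bob, ' + USERS_BASE, 'cn=pete, ' + USERS_BASE, 'cn=joe, ' + USERS_BASE,
      'cn=eve, ou=contractors, dc=example, dc=com', 'not-a-dn']),  # last two are ignored
    ('cn=WorkgroupMember, ou=workgroup2, ' + GROUPS_BASE, ['cn=alice, ' + USERS_BASE])]
```

Members outside the user base DN and unparsable values are dropped rather than guessed at, so a stray uniqueMember cannot grant a role to an unintended login.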