One thing I like about proxy roles is that you can't give a proxy role for a role you don't have. Equally, IMHO when you have the "Change permissions" permission you shouldn't be able to grant permissions you don't have. And if we want completeness, when you have "Manage users" you shouldn't be able to give roles you don't have _except_ if you're Manager (because otherwise it would be impossible to create new roles...)

Is there a flaw in my reasoning?

(What I'd like to do in practice is create an "Admin" role for a subsite and grant "Manage users" to this role, so that they can create new users and grant the "Admin" and "Narrador" roles for other users. But as it currently stands, if I give them "Manage users" they can grant "Manager" to themselves and do pretty much anything.)

[]s,
|alo
+----
--
Hack and Roll ( http://www.hackandroll.org )
News for, uh, whatever it is that we are.

http://www.webcom.com/lalo mailto:lalo@hackandroll.org
pgp key in the personal page

Brazil of Darkness (RPG) --- http://zope.gf.com.br/BroDar
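The delegation rule proposed in the message above, modelled as an added example; this is not Zope code and not the poster's. The role-to-permission map, the "Delegate" role, the "View" and "Add content" permissions and all function names are assumptions made for illustration.

```python
# Constructed role-to-permission map; not Zope's real defaults.
# "Delegate", "View" and "Add content" are hypothetical names.
ROLE_PERMISSIONS = {
    "Manager": {"Manage users", "Change permissions", "View", "Add content"},
    "Admin": {"Manage users", "View", "Add content"},
    "Narrador": {"View", "Add content"},
    "Delegate": {"Change permissions", "View"},
}


def effective_permissions(roles):
    """Union of the permissions carried by every role the user holds."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def may_grant_role_unrestricted(granter_roles, role):
    """Behaviour the message describes: "Manage users" alone allows any role."""
    return "Manage users" in effective_permissions(granter_roles)


def may_grant_role(granter_roles, role):
    """Proposed rule: grant only roles you hold, except when you are Manager."""
    granter_roles = set(granter_roles)
    if "Manage users" not in effective_permissions(granter_roles):
        return False
    if "Manager" in granter_roles:  # exception so that new roles can be handed out
        return True
    return role in granter_roles


def may_grant_permission(granter_roles, permission):
    """Proposed rule: "Change permissions" covers only permissions you hold."""
    perms = effective_permissions(granter_roles)
    return "Change permissions" in perms and permission in perms


if __name__ == "__main__":
    for roles in ({"Admin"}, {"Admin", "Narrador"}, {"Manager"}):
        for target in ("Manager", "Admin", "Narrador"):
            print(sorted(roles), "->", target, may_grant_role(roles, target))
```

Under the proposed rule a subsite user holding only "Admin" can pass on "Admin" but not "Narrador"; that user must also hold "Narrador" to grant it.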