Heinz-Josef Claes writes:

.... dynamic permissions .... It is not Zope's normal behaviour.

Of cause, you could plug in a new UserFolder that implements the features you require (someone else recommended "LoginManager"). On the other hand, Zope is flexible enough to let you approximate the desired behaviour - at the expense of a bit extra work: You create a folder like ZClass for your documents. Each document goes into its own ZInstance. You ensure, that the document is not accessible directly. You give your ZClass a method "index_html". It performs your application specific security checking. If the check succeeds, it renders the document. You may need to set a proxy role for your "index_html" be able to render the document. This approach is only an approximation. It looses the fine grained permission checking during the rendering of your document. Dieter