I have the following problem regarding local roles and acquisition: Folder structure: A------B------index_html | ----worker A and B are folders, worker is an object with some handy methods. These methods are declared protected with security.declareProtected('Manage properties'). The index_html in B uses some of the functions in worker, so whoever is using index_html must have a role that has the permission 'Manage properties'. When I assign a local role to someone in folder B that has the permission 'Manage properties', I still cannot access the protected methods in worker. Also, trying to do things like http://mysite/A/B/worker/someMethod or http://mysite/A/worker/B/someMethod doesn't work (I get the login box.) How does Zope resolve security when using acquisition to access methods. Proxy roles won't help as I am using a product and in this case, index_html is a skin method in a CMF site, so I can't assign a proxy role to index_html. Thanks Etienne.