Dear everyone, I'm badly stuck with my problem and while I think that I'm using valid OOP design I don't think that Zope currently supports this. Here's a description of my current design: In our company there are different research groups whom I gave their own subfolders. /databases /bioinformatics etc. Within each group there are pseudo-managers defined (i.e. they have most of the full manager role, i.e. can create/delete documents etc., so I'll use "manager" as role when describing my problem.) I want all groups to share a common set of both DTML methods and SQL functions, so I placed them in the root folder. In the root folder there is for example a new management function that - when called like /databases/show_management_screen - will show the management options for the group specified by the containing folder. It will also allow database inserts depending on the containing folder. I do that in my inherited "show_management_screen" dtml method by using statements like: <dtml-call "sqlAddProjects(ResearchGroupName = id, ...)"> which will do: INSERT INTO table (...) VALUES(...) WHERE ResearchGroupName=<dtml-sqlvar id type=nb> It's critical that a manager from /databases is *not* allowed to access the sql method in the /bioinformatics group, else he would be able to insert values under a fake GroupID by calling the method like /bioinformatics/sqlAddProjects directly. Another thing that's critical is that no researcher from any group nor the anonymous user has direct access to this Database method: that's why I not only placed them in the root folder but also restricted the "Access contents information", "Use Database Methods" and "View" permission of that sqlAddProjects Method to Managers. Problem which is solved by that: no anonymous user can access that method. Problem that comes up: no Researcher (i.e. subfolder manager) can access that method either, because root manager is, of course, != subfolder manager. Possible solution for inherited DTML methods: a) Disable that "Access contents information", "Use DB Methods" and "View" permissions protection in root folder. b) Check for permissions in the method itself. <dtml-if "AuthenticatedUser.has_role(this(), ['Manager'])"> as outlined in http://www.zope.org/Members/tseaver/user_settable_passwords. It's supposed to check, whether the accessing user has the Manager Role in the context the DTML method is called on. But this fails for SQL Methods and I'm pretty confident that there should be a simpler way in Zope itself. My idea to fully support this OOP design was the following: Enable local roles not only to extend the user's roles but also restrict them. I.e. in my case I would define all researchers from the various groups in the root acl_users folder as Managers. But - at the same time - change the local roles of the root folder to _not_ give the researchers the Manager role in the root folder (understandable?) In the /databases folder, however, I would give the database-researcher back his "Manager" role, via local roles. This would solve my whole problem: Step 1: restrict again all critical dtml and sql methods in the root folder to managers (as already outlined above: "...but also restricted the "Access contents information", "Use Database Methods" and "View" permission of that sqlAddProjects Method to Managers"). Step 2: If the database researcher calls the "show_management_screen" dtml method like /databases/show_management_screen it would work because a) he is defined as Manager in the root folder (but local roles restrict them there to be a "real" Manager) b) he has the proper local roles set in his /databases folder so that there he finally is a "real" Manager. He couldn't, however, access the function like /show_management_screen (i.e. in the root folder) or like /bioinformatics/show_management_screen: both would be restricted by the local rules. Shouldn't that be valid OOP design? Please let me know what you think or - if I oversaw another solution to my problem - please let me know how to solve it :-) My original problem was outlined in my previous post at http://groups.yahoo.com/group/zope/message/70099 where I unfortunately didn't get any replies. Thanks in advance, Philipp Robbel