Douwe reported a problem that in his ZClass the permission "Manage properties" is mapped to "Add XXX" but a role with "Add XXX" permission is unable to manage properties. I analysed this problem: * The ZClass instance contains a correct "_permissionMapper" object. * When the permission "Manage properties" is resolved for a ZInstance, "ImPermissionRole" looks for "_Manage_properties_Permission". When it finds an attribute with this name and a string value, then it interprets this as a permission mapping and continues to look for this new permission. * In Douwes example, the ZInstance does not contain any "_Manage_properties_Permission", neither itself nor acquired nor its class. The class' permission mapping is ineffective for the ZInstance. I do not yet understand what happens here. Normally, I would say, that permission mappings are ineffective altogether. But, I saw lots of cases where the permission mapping was very effective. I will continue the investigation in the next few days... Dieter