I'm having a problem with user folder permissions: I have one acl_users folder at the root folder of a website, www.mysite.org, using Cookie Crumbler I also have an acl_users folder in parallel to this, allowing access to an XML-RPC application server area. I need to keep them separate, or failed XML-RPC authentications are picked up by the Cookie Crumbler code, and the XML-RPC client gets the login_form html page sent back! I need to let certain users of the website create user accounts in the xml-rpc server area. I have a user role, hq_user, who creates the user in the xml-rpc area. The permissions on the xml-rpc root directory grant hq_user the manage_users permission. But when I try to add users in this other acl_users folder, I get an error that it is not allowed. But this user, if I change the code, can create users in its "own" acl_users folder. The hq_user role is created in the root directory above both the acl_users folders in question. the python code: context.xmlrpcfolder.acl_users.userFolderAddUser(name=f_username, password=f_pwd, roles=['c_lcp'], domains=()) can anyone shed light on this? what permissions do I have to set to add a user to an acl_folder? TIA Ben Avery (zope 2.6.0, pyth 2.1.3, solaris 2.7)