I have a class that inherits from RoleManager (via Folder). It defined additional roles, including 'Administrator'. I would like the Administrator to be able to view management screens and create objects of certain types, but not be able to delete or rename objects of certain types.

I tried using a ClassSecurityInfo instance as follows (I've removed the copy/delete objects part for simplicity and am just focusing on the view management screens part):

    class Myfolder(Folder):
        """ The base folder for the product """
        meta_type="Myfolder"
        __ac_roles__=('Manager', 'Administrator', 'Researcher', 'Reviewer')

        security = ClassSecurityInfo()
        security.declareObjectProtected()
        security.declareProtected('View management screens', 'manage')

        # ..snip my methods ...

        security.setPermissionDefault('View management screens',('Manager', 'Administrator'))

But a user with just an Administrator role could not view the myfolder/manage screen.

I also tried using __ac__permissions__:

    class Myfolder(Folder):
        """ The base folder for the product """
        meta_type="Myfolder"
        __ac_roles__=('Manager', 'Administrator', 'Researcher', 'Reviewer')

        __ac_permissions__= (
            ('View management screens',
             ('manage','manage_main'),
             ('Manager', 'Administrator'),
             ),
            )

with the same result.

In both cases, if I visit the Security tab of that folder (as a Manager), none of the default check boxes for the various roles and permissions have been altered; i.e., the one for "View Management Screens" still has "Acquire Permissions Settings" checked.

My specific question is, what am I doing wrong? My more general question is, what is the interplay between using ClassSecurityInfo and __ac__permissions__? Should both be set, or should the latter be used to handle everything?

Thanks,
John Hunter

zope 2.7