Hello all,

I am working on a Zope app, and would like to see if anyone has any tips for how I should handle access control in this situation...

The site is a corporate organization site. It has many corporate members, each of which has an admin who has control over a subset of information kept in a relational database. I want to have just one role (comp_admin) for this. But each company can only have access to their own company info. Thus I need to check that the admin belongs to that company. (There are also regular users who also have to login. They can view, but not modify.)

The users, passwords and roles are kept in the database too (UserDB). Each company has a unique id, and this is the primary key in the DB. Each user is associated to the company using this id (a field in their table). Make sense?

My current idea is:

1. Have a general main page which both users and admins login to. If they use the admin login, get their company id (comp_id) and create a link to the admin section using the magic of direct traversal (this way they can bookmark the admin page). E.g.

     <a href="/comp/1/admin/">admin section</a>

   ('comp' is the zsql method, 1 is the comp_id, admin is the folder.) Thus the comp_id of the company will be available, and I could:

   A. Use the comp_id (maybe?) in the UserDB query (in the admin folder) to only retrieve those people belonging to that company.

   OR (if I can't get to the comp_id from the UserDB query)

   B. Compare the person's comp_id to the company's comp_id in each of the affected pages via a new standard_header.

Thoughts? Better ways to do this?

---
John Eikenberry [jae@kavi.com - http://taos.kavi.com/~jae/]
______________________________________________________________
"A society that will trade a little liberty for a little order will deserve neither and lose both." --B. Franklin
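The check the post is circling around is an object-level authorization decision: because every company admin carries the same comp_admin role, the role alone says nothing about *which* company a request may touch, and the comp_id in a bookmarkable URL like /comp/1/admin/ is attacker-controlled input. Below is an added, stand-alone Python sketch of both options from the post (A: scope the UserDB query by comp_id; B: compare the user's stored comp_id with the one taken from the path). It is example code written for this page, not code from the poster or from Zope; the table and column names (userdb, company, comp_id, role) and the sqlite3 in-memory data are constructed assumptions standing in for the real relational database.

```python
import sqlite3

# Constructed sample schema and rows standing in for the poster's UserDB.
# Table/column names are assumptions, not the real application's.
SCHEMA = """
CREATE TABLE company (comp_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE userdb (
    username TEXT PRIMARY KEY,
    role     TEXT NOT NULL,                              -- 'comp_admin' or 'user'
    comp_id  INTEGER NOT NULL REFERENCES company(comp_id) -- the company the user belongs to
);
INSERT INTO company VALUES (1, 'Acme Corp'), (2, 'Globex');
INSERT INTO userdb VALUES
    ('alice', 'comp_admin', 1),
    ('bob',   'user',       1),
    ('carol', 'comp_admin', 2);
"""


def open_db():
    """Return an in-memory database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_user(conn, username):
    """Fetch role and comp_id for an authenticated username (None if unknown)."""
    row = conn.execute(
        "SELECT role, comp_id FROM userdb WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    return {"username": username, "role": row[0], "comp_id": row[1]}


def parse_comp_id(path):
    """Pull the comp_id out of a path such as '/comp/1/admin/'.

    Returns None for anything that is not '/comp/<digits>/...', so a malformed
    or tampered path never reaches the authorization step with a guessed id.
    """
    parts = [p for p in path.split("/") if p]
    if len(parts) < 2 or parts[0] != "comp" or not parts[1].isdigit():
        return None
    return int(parts[1])


def authorize(user, requested_comp_id, modify=False):
    """Option B from the post: the per-page check a standard_header would run.

    Two independent conditions, both required:
      1. the user's stored comp_id must equal the comp_id named in the URL
         (shared roles make this the only thing separating companies);
      2. modifying actions additionally require the comp_admin role.
    """
    if user is None:
        return False
    if user["comp_id"] != requested_comp_id:
        return False
    if modify and user["role"] != "comp_admin":
        return False
    return True


def handle_request(conn, username, path, modify=False):
    """Simulate one request and return an HTTP-style status code."""
    comp_id = parse_comp_id(path)
    if comp_id is None:
        return 404
    user = lookup_user(conn, username)
    return 200 if authorize(user, comp_id, modify) else 403


def company_users(conn, comp_id):
    """Option A from the post: scope the UserDB query itself by comp_id.

    Filtering in the query means the result set can never contain another
    company's people, regardless of what the calling page does with it.
    """
    rows = conn.execute(
        "SELECT username FROM userdb WHERE comp_id = ? ORDER BY username", (comp_id,)
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = open_db()
    # Same role (comp_admin), different companies: only the matching comp_id passes.
    print("alice -> /comp/1/admin/", handle_request(db, "alice", "/comp/1/admin/", modify=True))
    print("alice -> /comp/2/admin/", handle_request(db, "alice", "/comp/2/admin/", modify=True))
    print("bob   -> /comp/1/ (view)", handle_request(db, "bob", "/comp/1/"))
    print("bob   -> /comp/1/admin/", handle_request(db, "bob", "/comp/1/admin/", modify=True))
    print("company 1 users:", company_users(db, 1))
```

The two options are not mutually exclusive: scoping the query (A) keeps data from the wrong company out of the result set, while the per-page comparison (B) is what turns a direct request for another company's admin URL into a refusal rather than an empty page. Either way the comp_id has to be re-derived from the authenticated user's own record on every request, never taken from the URL alone.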