Thanks for the rapid response Kevin,
I think the idea here is that you may wish to factor out permissions a bit more. Perhaps the standard "view management screens" permission works fine for most objects, but you have a particular widget that you want to handle more specifically. So, you can set map the permission to "View Widget Screens". Then, users whose role gives them the "view management screens" permission is free to do so with standard items, but they can't view those screens for your Widget class unless their role specifically gives them "View Widget Screens" permission.
Ok, so we need a corresponding "Zope permission" instance. So, here's a step-by-step (pretty much following what I can make out of your KmNews product). Consider a product MyProduct : /MyProduct /MyClass /index_html /method2 /MyClass_add_permission /MyClass_factory /MyClass_add /MyClass_addForm To add permissions to let method2 change properties : 1) add a Zope Permission to the MyProduct folder. Let's call it "MyPermission" 2) go to MyClass and click on the "Permissions" tab. 3) select "MyPermission" from the multiple select list. This is saying 'any instances of this product have the permission MyPermission'. This seems to be very much like a role. 4) go to MyClass and then click on the "Define permissions" tab. 5) opposite the "Manage Properties" label, select the "MyPermission" ie. allow any instances of the class to manage the properties. However, I seem to have missed something since nowhere did we specify *who* has this permission. (eg. anonymous users, or just managers.). Damn, I feel dense.
Sure, you could muddle with the Security tab of each instance so that only the right people can view the management screens... but, using a mapping like this, you can set it at a higher level in the hierarchy and be done with it.
Actually, I'd have really liked it if there were a security tab on the zclass (not the instance) - but I notice that there are no security tabs there.... only these wonderful "define permission" pages. Wait, perhaps that's a clue - why *aren't* there "security" tabs in zclasses ? I mean, for something as simple as setting "anonymous user can manage properties", a standard security tab would have done the job fine.
Hope this helps/makes sense...
Half way .... and your help is much appreciated. Do you remember at school there was that annoying kid who stuck his hand up, asked a question, the teacher replied, yet still he didn't understand ? I'm that kid :) chas