Hi I am developing a small product using ZClasses that creates a self contained application (i.e. not reliant on ZMI) with the following structure: /--StudyBase | --- acl_users | --- study1 | --- study2 | etc Users are to be managed in the one top level acl_users folder (where they will be given a role of 'researcher') and then assigned local roles (administrator, investigator, coordinator) in each study folder. A user may be a coordinator in one study and investigator in one or more other studies. Anonymous access is allowed to the site, including limited read access to documents in study folders. The top-level ZClass ('StudyBase') in the product is the only one visible in the 'Select type to add...' list in the root (i.e. all other ZClasses are nested in the StudyBase class). A python script called when a StudyBase is instantiated adds an acl_user folder, ZCatalog and certain other standard folders. I have two questions: Firstly, I have a login dtml method defined in the ZClass. I want this to be constrained to authenticated users only, so that a login dialog is presented when the anonymous user clicks the login link on the front screen. I can see no facility in the ZClass ZMI to define security of DTMLMethods. However, if I copy the method to a normal folder I can change the security, and these settings are preserved if I then copy the method back into the Product's folder! The second related question is how to specify user roles within the ZClass. How can I define the user roles in my product (and then add them programmatically when StudyBase is instantiated) when there is no security tab in the Product ZMI through which to define the product's roles? Surely there should be a security tab in the Product ZMI or am I missing something? Am I at the limit of ZClasses? If so, how can this be achieved through a python product? Thanks for any pointers! Nick Gaunt