However, for "Owner" it would be unintuitive that the owner of a folder has "Owner" permissions on all contained objects...
Yes, unintuitive, and it makes it hard to only allow creators to delete their own objects. I thought this community policy was common...
Is there any website explaining this thoroughly?
Did you read the local roles chapter of the Zope Book?
I can't find any chapter named 'local roles'. I read "Users and Security" though. I grasp local roles now, and with a little help from Chris on IRC I understand the 'Delete objects' permission on folders.

My conclusion is that there's no way to have a "members can create objects on the entire site, but only delete their own ones" policy without scripting. I figure there are two ways:

* Create a script that adds the 'Delete objects' permission to the object's container in manage_beforeDelete or similar. You also have to add a script that removes 'Delete objects' after the deletion has been made.
* The same solution, but using workflow instead. Maybe workflows use manage_beforeDelete for the work behind the scenes?

Maybe there are better ways? These are not easy solutions for a newbie like me :)

Tim