Given a layout such as this: /Control_Panel/Products/UserProperties/UserPropertyClass/ /nmn/premium/acl_users(GenericUserFolder)/userA(role subscriber) /nmn/premium/user_profiles |role subscriber has permission to add UserProperties[s] |role subscriber has permission to View Management Screens |role subscriber has permission to Access contents Scenario: anonymous user access /nmn/premium causes GUF user login logs in as jjp(has role subscriber) sees /nmn/premium/index_html jjp access /nmn/premium/user_profiles/manage sees manage screen with [ADD]UserProperties jjp selects [ADD]UserProperties causes GUF user login screen the log shows that jjp tried to access /nmn/Premium/Users/manage_addProduct/UserProperties/UserPropertiesClass_factory and failed with a 500 Looking at GUF debug messages, it looks like the authentication ``crawls'' up and fails at the root. After perusing the Acquisition Algebra paper Jim Fulton wrote, I see: Acquisition and Security Based on aq_inner Can't access a protected object unless the user database is a common ancestor. Without these rules, it would be possible to "steal" access through acquisition. Is this second item what is causing me to fail? If so, any insights ino how I can work around it? TIA -Jon