It seems to me you cannot securely allow users access to the "Security" tab in the management interface. It's easy enough to shut this off, but that does take away an awful lot of functionality. Is this an intended design, or is it a flaw in the Zope security model?
It is possible to do what you are asking (with a few caveats). Local roles let you give a user roles *only in the context of a particular object* rather than associating the roles directly with the user.

The easiest way to accomplish what you are asking: there is a predefined "Owner" role in Zope. When a user creates an object, he/she is automatically given the local role "Owner" on that object. Let's say you want to totally delegate control of the "Reports" area of your site to Fred. First, create a "Reports" folder somewhere on your site. Now go to the "Security" tab of the Folder, click on "local roles" and give Fred the "Owner" local role. Now go up at least one folder (or even all the way to the top of the site) and on the "Security" screen give the "Owner" role all of the permissions you want Folder owners to have on their area (this can include the "Change Permissions" permission too).

Now Fred will have all of the permissions associated with the "Owner" role - but only in _his_ Folder, where he has the local role "Owner". In other words, he could see and use the "Security" tab in _his_ Folder, but if he went higher up in the site he couldn't (because he doesn't have the local role "Owner" there).

Now the caveat: when you give someone the "Change permissions" permission, you are effectively trusting him as a Manager in his own area. Though he can't affect things outside his area, it is not really possible to actually restrict what he can do in his own area once you've given "Change permissions". This is because he is now free to give himself any permission he wants (in his own folder) if he doesn't already have it. It is possible that this behavior could be modified in the future (by enforcing some rules whereby a user can only modify roles or permissions that he already has), but some thought would need to go into this to be sure that there is a real need for it and that the behavior is well understood.

Hope this helps!
Brian Lloyd
brian@digicool.com
Software Engineer
540.371.6909
Digital Creations
http://www.digicool.com
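The local-role setup and the "Change permissions" caveat from the reply above, worked through as an added Python model (an illustration written for this page, not Zope's code; Folder, roles_for, has_permission, change_permission and build_site are constructed names, and acquisition is simplified to a union of the Security-tab settings up the folder tree):

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Folder:
    """One node of a Zope-like object tree (constructed stand-in, not Zope's Folder)."""
    name: str
    parent: Optional["Folder"] = None
    perm_roles: dict = field(default_factory=dict)   # permission -> roles, as set on the Security tab
    local_roles: dict = field(default_factory=dict)  # user -> local roles granted on this object

def ancestors(folder):
    """Yield the folder, then each parent up to the root (the acquisition chain)."""
    while folder is not None:
        yield folder
        folder = folder.parent

def roles_for(user, folder):
    """Roles a user holds in this context: local roles here or on any parent folder."""
    return set().union(*(f.local_roles.get(user, set()) for f in ancestors(folder)))

def roles_allowed(permission, folder):
    """Roles granted a permission here, acquiring settings from parents (acquire always on)."""
    return set().union(*(f.perm_roles.get(permission, set()) for f in ancestors(folder)))

def has_permission(user, permission, folder):
    """True when one of the user's roles in this context carries the permission."""
    return bool(roles_for(user, folder) & roles_allowed(permission, folder))

def change_permission(actor, folder, permission, roles):
    """Edit a folder's Security tab; allowed only where actor has 'Change permissions'."""
    if not has_permission(actor, "Change permissions", folder):
        raise PermissionError(f"{actor} may not change permissions on /{folder.name}")
    folder.perm_roles[permission] = set(roles)

def build_site():
    """Constructed site: Owner permissions granted at the root, Fred local Owner of Reports only."""
    root = Folder("root")
    root.perm_roles["Change permissions"] = {"Manager", "Owner"}
    root.perm_roles["Add Documents"] = {"Manager", "Owner"}
    root.perm_roles["Delete objects"] = {"Manager"}   # deliberately withheld from Owner
    reports = Folder("Reports", parent=root)
    reports.local_roles["fred"] = {"Owner"}
    return root, reports

if __name__ == "__main__":
    root, reports = build_site()
    print(has_permission("fred", "Change permissions", reports))  # True: Owner in his own area
    print(has_permission("fred", "Change permissions", root))     # False: no local role up there
    # The caveat: inside Reports, Fred can grant his own role the withheld permission.
    change_permission("fred", reports, "Delete objects", {"Owner"})
    print(has_permission("fred", "Delete objects", reports))      # True
```

The last three lines are the caveat in code: once "Change permissions" is granted in Fred's folder, nothing withheld at the root stays withheld there, while the root itself remains out of his reach.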