I have Player role in my site, and Member folder, protected by the following permissions: View [ ]Acquire [ ]Anonymous [x]Authenticated [x]Manager [x]Owner [x]Player Everything behaves like expected but if being Player (having roles "Authenticated" and "Player" only) I am call Python Script from another Python Script (both are located inside this protected folder), my browser pops up Login Dialog and everything works only if I authenticate myself as Manager or if I allow Anonymous to "View" this Python Script. Call looks like: user = context.Member.get_userdata() First thoughts were that I am not passing REQUEST or another security related token to second script (get_userdata in this case). If I get inside there (allowing Anonymous to View it), I am still having "Player" role and none of security tokens lost, but I can't even access this second script if it hasn't "Anonymous" View permission. Please tell me where I am wrong. This is black voodoo compared in complexity with manual sendmail setup. URLs on Zope Security model overview may also help. -- Dmitry