On Tue, 01 Apr 2003 00:47:53 -0500 GMT (7:47 where I live, GMT+1), Michael Long asked the Zope mailing list about the following:

ML> Hi all,

ML> Is it possible to restrict access to an object to the owner of the
ML> object without creating separate roles for each object.

ML> where each addressbook is owned by a different user.

ML> I would like to set up permissions within a product to control access
ML> to the various methods that manipulate the data in each of these
ML> addressbooks. Some of the methods should only be available if the user
ML> has both the permission and is the owner of the addressbook. Other
ML> methods would be available to all users with the appropriate permissions
ML> regardless of ownership.

ML> I can't find much documentation showing how to use an object's ownership
ML> attribute to control access to an object. Is this a sane approach and if
ML> so how would I go about implementing this?

You don't have to use the ownership attribute. The owner automagically has a role "Owner" on objects he/she owns. So restricting access to only allow the "Owner" role to access these functions should get you where you want. These restrictions can be set just as you would other permissions, and the "Owner" role is no more special than the Manager or Anonymous ones.

For more info, see the security chapter in the latest edition of the Zope book:
http://www.zope.org/Documentation/Books/ZopeBook/2_6Edition/Security.stx

:)

--
Geir Bækholt
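
The approach in the reply above, as an added sketch that is not part of the original message and is not Zope's own AccessControl code: a simplified model of how a permission mapped only to the "Owner" role yields owner-only methods. The class, method and permission names are hypothetical.

```python
# Simplified model of Zope-style role checks; NOT Zope's AccessControl code.
# Class, method and permission names are hypothetical.

class User:
    def __init__(self, name, roles=()):
        self.name = name
        self.roles = set(roles)          # global roles, e.g. "Member"


class AddressBook:
    # permission -> roles that hold it (the per-permission role mapping)
    permission_roles = {
        "View addressbook": {"Member", "Owner", "Manager"},
        "Change addressbook": {"Owner"},          # owner-only methods
    }
    # method -> permission that protects it
    method_permission = {
        "list_entries": "View addressbook",
        "add_entry": "Change addressbook",
    }

    def __init__(self, creator):
        self.entries = []
        # The creator gets the local role "Owner" on this object only.
        self.local_roles = {creator.name: {"Owner"}}

    def roles_of(self, user):
        """Global roles plus local roles the user holds on this object."""
        return user.roles | self.local_roles.get(user.name, set())

    def allowed(self, user, method):
        """Default deny: unknown methods and unmapped permissions fail."""
        permission = self.method_permission.get(method)
        granted_to = self.permission_roles.get(permission, set())
        return bool(self.roles_of(user) & granted_to)

    def call(self, user, method, *args):
        if not self.allowed(user, method):
            raise PermissionError(f"{user.name} may not call {method}")
        return getattr(self, method)(*args)

    def list_entries(self):
        return list(self.entries)

    def add_entry(self, entry):
        self.entries.append(entry)
        return len(self.entries)
```

Because "Owner" is a local role held per object, one role covers every address book: owning one book grants nothing on another.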