Hi all, I'm having a problem, but first let me explain generally what I'm trying to do. I'm want to provide alternative management screens to those found at /manage. The goal is also not to use any additional products that don't come with a vanilla zope install (actually, I've allowed myself the luxury of Formulator, but that doesn't matter for these purposes). So, I've added a folder called 'control' that contains all of my management screens. These work pretty nicely (even though I say so myself ;-) ). Now, users just need to append /control to their url and they get quite a user friendly editing experience. In the 'control' security tab, I've left everything on 'Acquire Permissions' except for 'View', which I've limited to 'Manager' only. This works well when the user logging in is defined in an acl_users that is a sibling of 'control', but does not work when the acl_users is defined further down the tree and 'control' is being acquired. e.g. - site_root_folder - acl_users - control - folder1 - acl_users /site_root_folder/control works; /site_root_folder/folder1/control raises Unauthorized when the user is defined in site_root_folder/folder1/acl_users instead of site_root_folder/acl_users. I did a little searching on this list, and I think found that this is an explicit feature of the zope security policy that is designed to stop people from circumventing security by using url traversal tricks - which I guess is effectively what I'm trying to do. So, my questions are: Is my diagnosis right? Is there any way around this problem without going to filesystem code? Does anybody have a suitable __of__ method (or somesuch) that would allow me to achieve what I want if I do have to use fs code? cheers, tim