permission and role questions
I'm working on designing a web application, and right now I'm particularly scrutinizing Zope's permission model. In trying to think how I'd use it to do what our existing, highly custom system does today, I wonder:

1) How does one examine the logged-in user's username from DTML? I think I just need the variable name here...

2) Once I know the user ID, how can I get a list of places the user is permitted, so that all users can enter via one "front door" that always shows exactly those rooms the user may enter?

3) Is there any form of permission inheritance or impersonation implemented? Our application interfaces with other systems, and maps some local user IDs to remote user IDs. Assistants log in with their own IDs, then pick a "primary" user on whose behalf to work; the system then uses the "primary" user's permissions and presents the "primary" user's remote credentials. I'm thinking I'll have to do this myself, since I need to keep both IDs around for auditing info... fortunately I'm already expecting to use a custom authentication layer (ever try to time out a session with basic authentication?).

4) The security screen's permission settings have "acquire" checkboxes, whose point is obvious, and per-role checkboxes. I take it those enable permissions? So we can allow inherited permissions, and we can explicitly add permissions, but there's no way to add-only-if-inherited or inherit-but-deny-particular-loons-anyway? Also, the permissions on intervening levels of the tree are not checked, only inherited, right?

5) If I define users at a high level, can I grant those users roles defined at deeper levels? This would make my job with point (2) much easier, as I could create roles Foobar_Peon and Foobar_Boss in the Foobar folder, then offer the user buttons into Foobar if they have Foobar_whatever roles...

6) Is there any plan for, or how hard would it be to implement, a "reverse" permission manipulation screen where the role is fixed and the subsystems are columns?

I'm largely looking at Zope and ACE--and may wind up using them in conjunction somehow--to recommend as frameworks; ACE (plus TAO) has good RPC and OS abstraction layers for C++, while Zope is a much richer framework for web applications. If I have to write in permission checking and proxy users along with the audit trail and the actual application functionality, no biggie...

Keith
(I may need to inhale the developer docs now...)
Keith Rohrer