I have a product which declares a security classification ("View Reservation System") and I've restricted the roles that apply to that classification to Authenticated and Manager. Then, in my code, I have: security = ClassSecurityInfo() security.setDefaultAccess("deny") __roles__ = () security.setPermissionDefault("View Reservation System", ['Authenticated', 'Manager']) ... def getFormErrors(...): ... security.declareProtected('View Reservation System', 'getFormErrors') Now, when I attempt to access the object as an Anonymous user, Zope doesn't prompt me for a user ID and password (as it would if the role were restricted to Manager only) to satisfy the Authenticated role requirements; instead it simply throws an exception. Is this a bug in Zope 2.5.1? -- Michael S. Fischer / michael at dynamine.net / +1 650-533-4684 Lead Hacketeer, Dynamine Consulting, Silicon Valley, CA