Hi, I'm building a CMF site for a client who wants to organize users within groups. The twofold purpose of this organization is: 1) to be able to send mail to specific constituencies of users; and 2) to assign permissions to specific constituencies of users. My client wants the application to have it's own custom administrative interface (he does not want the site's administrators to be exposed to ZMI) that will enable the administrators to set permissions for specific groups on specific folders. The permissions that the administrator sees may be simplified versions of the more complex sets of permissions you see through ZMI. For example, for a folder the administrator would only see the permissions "No Access," "Read Only," "Submit File," and "Approve File." It is also important to know that the site is structured as multi-community portal. In other words, members are defined at the level of the portal, and they will have permission to belong to specific communities within the portal. Each community will have the same functionality (content folders, discussions, news, etc.) but the content will be different for each. It seems to me that the simplest way to do this is is to implement a "group" as a role. In other words, what my client is calling a "group" would be the equivalent of a Zope "role." When the administrator adds a new group, he would under the hood be adding a new role. When he adds a user to one or more groups, he would be associating the user with the roles (users need to be able to belong to more than one group at a time). Listing the members of a group and sending mail to them would mean filtering the user objects based on their role (assuming this can be done). As for the simplified permissions, there would need to be a dictionary in a script that correlates each of these simple permissions with one or more of the native Zope permissions. I think the only major problem with my approach stems from the fact that the groups/roles would be different for each comunity -- they would not apply to the entire portal. However, users would still be defined at the portal level because they will have access to multiple communities. Through ZMI, it looks like you can only assign a role to a user if the role has been defined at the same level as the user in the hierarchy or at a containing level in the hierarchy; in this case, I want to be able to assign a role that has been defined at a level below the level at which the user is defined. So my question is: is there a workaround for assigning a role to a user when the role is defined further down in the hierarchy from where the user is, or is there some other way entirely that I should be solving this problem? Many thanks! Philip Glaser Principal and Software Architect Sustainable Software Solutions, LLC StillSmallVoice@DirectvInternet.com www.sustainsoft.com 973-951-9522