Hi, I'm working on a Zope intranet site involving several Zope products that I have written, like : - Branch, - DocsManager, - NewsManager, - EventsManager A branch is a Folder subclass, and a container for the other "Manager" products. Access rules are quite complex in several cases, but I can define several roles : - webmaster - manager - contributor - visitor My problem is that : - some roles are only defined in the context of a Manager (for example, 'Contributor' or 'Visitor'), - access rights are sometimes defined at the 'Branch' level. Until now, what I did is : - define 'webmaster' and 'manager' in the '__ac_roles__' list of Branch - define 'contributor' and 'visitor' in '__ac_roles__' of Managers. Finally (!!), my questions are : - is this the best way to design and implement my roles ? - can I define permissions at the Branch level (with manage_permission) for roles which are not present in '__ac_roles__' ? And if so, are these permissions acquired in the usual way ?? Thanks for any help, Thierry -- Linux every day, keeps Dr Watson away... http://gpc.sourceforge.net -- http://www.ulthar.net