If I give FolderViewer access to Client1, then can they still not just change the URL to /Client2 and access it, since both folders have access for FolderViewer and the actual person logging on has a local role of FolderViewer?
It seems like I have to create a FolderViewer1 for Client1 and FolderViewer2 for Client2.
I'd try to answer in French, but frankly I'd just be embarrassing myself...

If Person1 has a local role of 'FolderViewer' in Folder1, but not in Folder2, he cannot do 'FolderViewer' things in Folder2, even through acquisition. At least, that's how it should work.

Security in Zope is an entirely local affair, and neither the client session state nor anything other than location matters. You only have the access of a local role in the object in which it was granted and its children. Not siblings, not ancestors, nothing else. Consider it like placing a user folder in a subfolder of root: users cannot authenticate at the root level or in other folders, only in the folder in which the user folder lives.

--jcc (authenticated)
participants (1)
-
J. Cameron Cooper
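The rule described in the reply, as an added example that is not part of the original thread and is not Zope's own code: a simplified Python model in which a local role applies at the object where it was granted and at its children, so changing the URL to a sibling folder gains nothing. The class `Folder`, the functions `roles_in_context`, `traverse`, `can_view` and `build_site`, the user id `person1` and the `reports` subfolder are hypothetical names, and the model covers local roles only.

```python
# Simplified model of location-based local roles; not Zope's AccessControl code.
class Folder:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.children = {}
        self.local_roles = {}  # user id -> set of roles granted at this object
        if parent is not None:
            parent.children[name] = self

    def grant_local_role(self, user_id, role):
        self.local_roles.setdefault(user_id, set()).add(role)


def roles_in_context(user_id, obj):
    """Collect local roles from obj upward through its ancestors only.

    Siblings are never visited, so a grant on /Client1 cannot leak to /Client2.
    """
    roles = set()
    while obj is not None:
        roles |= obj.local_roles.get(user_id, set())
        obj = obj.parent
    return roles


def traverse(root, path):
    """Resolve a URL-style path such as '/Client1/reports' to an object."""
    obj = root
    for part in filter(None, path.split("/")):
        obj = obj.children[part]
    return obj


def can_view(root, user_id, path, required_role="FolderViewer"):
    # Both client folders require the same role, as in the question;
    # what differs is where the user actually holds that role.
    return required_role in roles_in_context(user_id, traverse(root, path))


def build_site():
    # Constructed layout matching the thread: two sibling client folders.
    root = Folder("")
    client1 = Folder("Client1", root)
    Folder("Client2", root)
    Folder("reports", client1)
    client1.grant_local_role("person1", "FolderViewer")
    return root
```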