Hello all, Hoping for some help on permissions & security. I have a root folder defined as UserFolder. Within UserFolder, I've defined 3 additional roles of FolderManager, Author & Reviewer. None of the permissions are acquired from parent, Author, Reviewer & FolderManager roles have appropriate explicit permission settings. Manager has been granted ALL permissions. FolderManager has been granted only the following permissions (below) - Access Transient Objects Access arbitrary user session data Access contents information Add Folders Access session data Add Forum posting Add MetaEntrys Add User Folders Change ExtFile/ExtImage Change Local File System properties Change MetaPublisher FTP access List folder contents Log Site Errors Mail forgotten password Manage users MetaPublisher: Add Entry MetaPublisher: Edit Entry MetaPublisher: List Entries MetaPublisher: Manage MetaPublisher: Search Entries Overwrite local files Query Vocabulary Set Own Password View View Forum View management screens query No "local roles" have been defined. What I'm trying to do is create a user within the UserFolder who has permission to grant access to other users from the management screen. I.e., the FolderManager should be able to grant access to other users as either (Authenticated, Author, Reviewer) by updating the User Folder with additional usernames. The problem I'm having is that I find the FolderManager can create a user with a role of "Manager' and this user will then have the ability to change any of the permissions - permissions not originally available to FolderManager. Question - 1) how do I allow the FolderManager to create users with ONLY one of the following roles - Authenticated, Author, Reviewer - and exclude them from creating users with the Manager role? Can this be done through the normal management views? 2) Is there a better way of achieving this - creating a user within a folder who has the ability to add/delete users in other roles, but cannot assign themselves to any other role but of FolderManager? If any of the above is confusing PLEASE let me know, as I'm in a real twist over how to change this behaviour. Thanks in advance. Regards, Samir.