Okay, I have this in a dtml method called by a dtml document... (This does the same, btw from the dtml document directly) <hr> <dtml-var expr="_.SecurityGetUser().getUserName()"> <br> <dtml-var expr="AUTHENTICATED_USER.hasRole('Manager', index_html)"> <br> <dtml-var expr="AUTHENTICATED_USER.hasRole('Manager')"> <br> <dtml-var expr="'Manager' in _.SecurityGetUser().getRoles()"> <br> From a non-logged in browser I get: Anonymous User 1 1 0 From a logged in browser (with Manager Role): docwhat 1 1 1 The problem here is that AUTHENTICATED_USER does *not* have the role of 'Manager', despite zope's claims to the contrary! I have tried swapping in and out _.SecurityGetUser() for AUTHENTICATED_USER and have made sure this isn't a caching/proxy problem. Am i brain dead here? This is zope 2.3.1 I am currently using the last one (as it works) but shouldn't the first ones work too? Ciao! -- A hacker does for love what others would not do for money. The Doctor What: Need I say more? http://docwhat.gerf.org/ docwhat@gerf.org KF6VNC