[Zope-CMF] Question on users/roles in CMF

[Lynn Walton]

In CMF, can someone tell me how I create a new role besides Manager,
Owner, Member, Reviewer and then let persons with that role access only
a certain folder and the objects in that folder?

Some questions regarding this:
Does the person have to be Member as well as the new Role?
Does the person have to be defined in the root acl_users folder of the
zope installation?
Does the person have to be defined in the acl_users folder of the portal
root?

I have tried defining a role in a portal folder that is not the portal
root, then adding a user in an acl_user folder within that portal folder
and granting that role all permissions using the security tab on the
portal folder and on the one CMFExtFile inside the portal folder.  I can
login as that user, but I don't get edit permissions (though out of
desperation I made sure EVERY permission possible was on for that role
in the folder and on the object) (or listFolderContents permissions on
the portal folder) and even though I'm logged into the portal, I still
get the web (basic http) authentication. (I have the default CMF 1.1
CookieCrumbler settings on) so I'm not sure why just being logged into
the portal isn't enough.   But even when I add that user to the Zope
installation's acl_user folder and then enter that name/password in the
web authentication it still says I don't have permissions.

I'd like it if I can define users and roles at sub-folders within the
portal, without defining them in the zope install's root acl_users. This
seems to be the normal way with just Zope without CMF, but I can't get
it to work with CMF. Am I missing something? I've read everything I can
find on Membership/Roles etc.

Zope 2.4.1 CMF 1.1

Thanks,
Lynn