"John R. Daily" wrote: > > That is precisely what is wrong with the model. To achieve manageable > and genuine security, I want to acquire _all_ permissions and > specifically deny those roles to which the inherited permissions may > not be correct. I'd agree with this, but I don't know how important it is. I'd suggest chucking it in the colelctor asa Featuer Request. cheers, Chris