John K. Hohm wrote: > > It seems like the concept of assigning a permission or role to a user at an > object but not at any of its contained objects would be generally useful. You can never assign a permission to a user, only to a role. What you're after, if I understand correctly, is what's called local roles blacklisting, which is in Zope 3, again, if I understand correctly... cheers, Chris