From http://csrc.nist.gov/rbac/ : 'With RBAC, security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Security administration with RBAC consists of determining the operations that must be executed by persons in particular jobs, and assigning employees to the proper roles. Complexities introduced by mutually exclusive roles or role hierarchies are handled by the RBAC software, making security administration easier.' RBAC is a draft NIST standard, and is patent encumbered (by them). The page linked to above has quite a few technical papers on implementing the standard, including reference implementations of a webserver for Unix/NT with RBAC security. Also of interest may be this http://www.javaworld.com/javaworld/jw-06-2001/jw-0615-tapestry_p.html - article on Tapestry, an RBAC implementation which acts as a standalone server (accessible via SOAP). ------- CategorySecurityModel, LimitsOfHierarchies