>OK, I'm out to learn from others' experience.
>
>Has anyone out there implemented field level and control level security in their application or framework?

I did something similar to what you suggest
there is a subclass for each object that is a "secure object"
the securiy levels are
0 - admin
.
.
9 - guest
and are stored in the users table - the users table is encrypted
each object has 3 properties
userlevel <-settable at runtime
Viewlevel - users whose userlevel is a lower number than this property will be able to see this object
FullAcccessLevel - users whose userlevel is alower number than this property can make changes to this object (where applicable)

in the init of an object it checks its parents userlevel property
and either not instantiate at all or sets the proper behavior (read only or full access)

notes :

the login screen has no security limitations/checks

the application object which is the uppermost parent gets its userlevel
from the login screen

to speed the process with forms the form checks it level in
the load event (before other objects are instantiated )

objects in containers are instantiated after the container (ie NOINIT in the DEFINE) - another way is to check the application object

Arnon