Hi Dave,
Actually it was a consideration. One I had to convince Drew was good to have. The thing that convinced him in the end was you could do it in NT security and that's what we were basing the design on.

Groups within Groups is working as designed. What this means is if Group B is a member of Group A, then A inherits all rights that Group B has. It doesn't work the other way around. Group B, as a member, does not have access to Group A's accesses.

Take the following groups:

Management
Accounting
Human Resources

Human Resources is configured with access to their stuff. Accounting is configured with access to their stuff. For this example, they do not overlap at all. Management hasn't been configured with any access so by default, it has no access to anything.

If you add the Accounting group and the Human Resources group as members of the management group then they now have access to everything because it inherits all the rights of its member groups.

The system is designed to grant the greatest (least restrictive) access for a user/group. This is best illustrated with a person being both a member of the Everyone group and Adminstrators group in NT. "Everyone" has no access to perform user maintenance. The Administrators group does. If you are a member of both, which access level should you be granted?

HTH.

>Susan,
>
>>David -- Thanks for the tips. What I discovered was that my testing of putting a group within a group was what was causing the problem. In Group A, I'd put group B (which had full access). Group A itself had read-only access, but apparently putting group B into group A gave anyone with group A full access (even though they weren't members of group A and even though group A didn't have full access). I'd understood that giving one person several groups would result in the least restrictive access rights (e.g., group A + group B for a person would result in full access), but not that having group B be a member of group A would extend group B's rights to any group A member... Anyway, removing the group within a group solved the problem. -- Sue
>
>Glad you solved it. I would guess that group within a group was not one of the design considerations of the framework, although I'm very impressed with Drew's overall security design -- especially all the way down to individual controls on a form.