>Hi Doug,
>I appreciate the added details, and I'm not writing to disagee, but to clarify. If user ID_A logins in, he might not have full rights to the application. I understand that. Network security might be set up to allow access to the DBFs, but the user can't edit, say, the SecretCodes table. Why not make a group, SecrectCodesEditors, and put the folks allowed to edit in it. The rules object for the business object SecretCodes, checks to see if the User is a member of that group. In some instances, the reason not to do this type of thing is that the network admin guy and the application's guy just don't get along..., and it results in just what you were saying. You spent a lot of time that you could have spent on improving functionality of the app writing security code.
>After writing my note yesterday, I did some research on IsMemberOfGroup code. (I actually haven't implemented security through groups, it just seems right to me.) I can find Novell ActiveX controls to discern the group membership of users, but I don't see it available for MS. I thought the Network object would have it. I guess the active direction stuff has it, but I don't see anything that would deal with this for straight NT server.


Charlie, I agree with you. And it should work. The problem I ran into (other than the politics) is that on very large or interconnected LAN/WAN, groups administration becomes a problem for the sysadmin(s) that may be widely distributed around the globe, and more inclined to watch over his/her local LAN. But this may well be a whole different area, and I know a great deal of thought and work is going into creation and administation ot WAN that include many disparate and individual LANs. I have an application that will have a user here and a user there that may be the only user of my application in that local network. As expediency, we created a special group that allows access to my application and then further security is contained within the app. This requires a separate login, etc. Not the most convenient, but until the technology is figured out on the larger scene, this method is allowing the application to be deployed and used, and the data is available only to its intended user.

I hate to even go in this area, and would prefer to spend my time developing the applications, and leave the admin to the admin guys, but we must all work together, right?