>I would dynamically load the controls and programatically check for permission. If the user doesn't belong to the role the control doesn't get loaded.

Right, but how about read only? I see it needing two roles for each field...

ReadField
EditField.... If edit field role you make it a text box, if read field a lable, is neither than they don't get the control.

Of course, how do you dynamically load controls on a web form... I think the controls will have to be there already. I figure a custom server control whre I add two properties to hold the required roles... Of, can you put the permission attribute on the constructor of the control? Hmmm...

BOb