>I think you may be confusing "Role" with "Group". For instance, in SQL Server you have Users, Groups, and Roles. Roles would be "AcctBalanceReader", "DepositEnterer", "WithdrawalApprover", etc...
>Contrasted with groups such as "Managers" -> "Supervisors" -> "Tellers".
>A member of the Managers group would also be a member of Supervisors and Tellers. Groups are hierarchal. Roles are flat.

There's no such thing as 'Groups' in SQL server 2000, just Users and Roles. However, a Windows 'Group' can be a user in SQL server, but the concept of 'group' is a windows server/domain entity. From the SQL BOL:

Groups
There are no groups in Microsoft® SQL Server™ 2000 or SQL Server version 7.0. You can, however, manage SQL Server security at the level of an entire Microsoft Windows NT® or Microsoft Windows® 2000 group.

Also, in SQL server ROLES can be hierarchal, you can assign a ROLE to a ROLE.

In .Net the only items the security knows is User (Identity) and Roles (Principal). It has no concept of "groups" either.

>The Principal class allows you to store all of the roles that a Group (and by inference, a User) is a member of in an array of strings. So a User/Group can have many roles and code-access security is designed around a User/Group performing many roles.

Exactally, which leads to my question which is about creating PrincipalPermission objects. For example, in code I could do:

If (User.IsInRole("Function Specific") or User.IsInRole("Administrator"))
blah blah blah

But, if I want to use permission attributes how would I do the above? That is my quesion? So, this isn't about the user, it's about the secured item. I can't seem to find this documentated.

BOb