Neil,

>This is my question: At a much later date, when I add web pages to the application that contain additionally secured controls, how do I *later* update the Northwind database on the production server without overwritting the data in the exisiting tables? How do I keep the autoincrementing of the PKs in sync after I update. Or... do I only have to update the 1 Security table, which only holds the secured control info? It seems to me that the secure controls are global to all server installations of the application whereas the other aspects of security ie: roles, users, usersecurity and userroles are specific to the site the applicaiton is running on. And... if I only have to update the Security table I don't have to worry about keeping autoincrementing PKs in sync since it's unique key is a guid.

You're right in that the Security table's GUID PK is the only information that you need to keep in sync across different sites. Each record in the Security table represents a unique object (usually a UI element) that you want to secure. At each site you can then specify user and role access to each secure object.

Regards,