WinForms Security
Message
From:
02/09/2004 14:01:50
To: All

General information
Forum: ASP.NET
Category: The Mere Mortals .NET Framework
Title: WinForms Security

Miscellaneous
Thread ID: 00938878
Message ID: 00938878
Views: 97

I'm new to MM.NET, and I was just kicking the tires on the sample WinForms application (against Northwind db), including adding MM.NET security to it. Most everything seems to work fine, but I was struck with one shortcoming of the UI for setting access levels for users and roles to WinForms components.

I realize I can create my own UI to handle the task of granting access to users and roles, but please let me know if I've misunderstood something about the way this is supposed to work out of the box.

The UI in question is the "User Security Setup" form that you get when Security Setup is enabled in the app and you click on the padlock icon. In this form, there are two lists -- Users and Roles -- and in each list you can click on one user or role and then assign an Access Level via a dropdown list at right.

The odd thing about this form is that it does not give you any clue about whether or not an Access Level has been assigned to a given user. When you click on a user, if you see the Access Level display "Read Only", you cannot tell whether "Read Only" is being displayed because 1) no Access Level has been assigned to the user so you're seeing the default setting or because 2) the "Read Only" Access Level has been specifically assigned to the user (and a UserSecurity record exists in the db).

Even though there is no visual indication of this difference, it makes all the difference in the world in terms of determining the user's access to the control. MM.NET looks for a UserSecurity record first and ignores role assignments if a UserSecurity record exists. As a result, if the user is a member of a role with Full Access to the control, I don't see how a person setting up security could determine from the UI what access the user would have (short of opening the UserSecurity table to see if a record exists), since some other administrator may have specifically set the user to the Read Only Access Level.

Again, I know I can work around this by creating my own User Security Setup UI, but as I work to learn a new tool, such as MM.NET, I like to dig down to the bottom of a particular issue or two and see how well the tool works out of the box.

Am I just missing something on this one? (Personally, I'd be tempted to add a fourth choice to the Access Level dropdown: "Not Specified". This way administrators could tell that no UserSecurity record exists for a particular user/control combination.)

Thanks.
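
The precedence described in the post (a UserSecurity record is checked first, and role assignments are ignored when one exists), modeled as an added example that is not part of the original post and is not MM.NET code. Assumptions: `AccessLevel`, `Resolve` and `IsMasked` are hypothetical names, the most permissive role level applies when only roles are assigned, Read Only is the fallback when nothing is assigned, and the sample users are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Only the two levels named in the post; the numeric ordering is an assumption.
enum AccessLevel { ReadOnly = 1, FullAccess = 2 }

static class EffectiveAccess
{
    // Hypothetical helper, not an MM.NET API. userRecord is null when no
    // UserSecurity record exists for this user/control combination.
    public static (AccessLevel Level, string Source) Resolve(
        AccessLevel? userRecord, IReadOnlyCollection<AccessLevel> roleLevels)
    {
        if (userRecord.HasValue)        // user record wins; roles are ignored
            return (userRecord.Value, "UserSecurity record");
        if (roleLevels.Count > 0)       // assumption: most permissive role applies
            return (roleLevels.Max(), "role assignment");
        return (AccessLevel.ReadOnly, "not specified (default)"); // assumed default
    }

    // True when an explicit user record hides a more permissive role grant,
    // which is the case the setup form gives no indication of.
    public static bool IsMasked(
        AccessLevel? userRecord, IReadOnlyCollection<AccessLevel> roleLevels) =>
        userRecord.HasValue && roleLevels.Count > 0
            && roleLevels.Max() > userRecord.Value;
}

static class Program
{
    static void Main()
    {
        // Constructed sample data: user -> (UserSecurity record or null, role levels).
        var users = new Dictionary<string, (AccessLevel? Record, AccessLevel[] Roles)>
        {
            ["alice"] = (null, new[] { AccessLevel.FullAccess }),
            ["bob"]   = (AccessLevel.ReadOnly, new[] { AccessLevel.FullAccess }),
            ["carol"] = (null, Array.Empty<AccessLevel>()),
        };
        foreach (var kv in users)
        {
            var (level, source) = EffectiveAccess.Resolve(kv.Value.Record, kv.Value.Roles);
            var flag = EffectiveAccess.IsMasked(kv.Value.Record, kv.Value.Roles)
                ? "  <-- explicit record masks role grant" : "";
            Console.WriteLine($"{kv.Key,-6} {level,-10} via {source}{flag}");
        }
    }
}
```

Here "bob" and "carol" both resolve to Read Only, but the reported source differs, which is the distinction a "Not Specified" entry in the dropdown would expose.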