> The Security Setup form displays a user’s “actual” rights. The form checks which groups a user is in (if any) and the access level setting displayed for the selected user reflects all of the roles they are in as well as any override set specifically for that user. If you change this form so it displays “Not Specified” if there is no specific override for a user, then there would be no way to see what their actual run time rights are based on which groups they belong to.

That makes sense.

Forgive me for struggling a bit with a new UI pattern, but I still find it a little disconcerting to not be able to tell whether a user's actual rights for a control are coming from a user-granted right, a role-granted right, or a default right. If an administrator can't tell that a user's Read-Only access to a paricular control hails from a user-granted right, then she might spin her wheels trying to give that user Full rights by adding him to a role that has Full rights to that control. If she came back afterwards to view the user's actual rights to the control and saw that he still only had Read-Only access, then she could deduce that the user must have a user-granted right for the control. She still wouldn't have any way to revoke that user-granted right, though (via the UI), to allow role-based security to control access for the user.

It would be nice if, in the Users list on the User Security Setup form, users with user-granted rights were indicated visually, with an asterisk at the end of their name, for example. (Users with role-granted rights could have two asterisks, I suppose.) Still no way to revoke user-granted rights, though. One quick fix would be to add this logic: setting a user's access to the default Access Level causes the UserSecurity record to be deleted.

One other simple solution (for neurotics like myself) would be a DataGrid per user (e.g., a 4th tab on the Users form) that showed all the user's UserSecurity records and allowed them to be deleted. I'll make it a homework assignment for my MM.NET study :)

I do have one related programming question. In reality, what I'd like to do for my current client is simply remove the whole concept of user-granted rights from the UI, so that all rights are controlled via roles. Conceptuatlly, a simple way to do this would be to hide or remove lstUsers, cboUserAccessLevel, etc., from the User Security Setup form.

My old-school approach to this task would be to copy the original MM.NET mmSecuritySetupForm.cs into my project and remove the user-rights-related controls and objects. In this case, would you recommend, instead, that I subclass the original form and set Visible=No on lstUsers, cboUserAccessLevel, etc.?

Thanks.