I was thinking, take the confidential data and store it in directory C.
All other data in directory S.
Have the network Admin create three groups, each with a different permission levels. Also have the network Admin use EFS to encrypt the C data files.

Now the data is secure. VFP needs to access and set relations to it based on user Windows permissions.

I think we can access the groups or permission levels, store them in an object and dim appropriate controls in an app with an internal security model Les Pinter suggested. The relations and areas where maybe portions of a normal view were accessable, these would be more difficult. We would also have to code for relations when there were no rights to access the info. I know theres more behind this. I'm just trying to concieve a security model using VFP, Windows 2000 server and NO upsizing to SQL or Oracle. Someone has to have thought thru this before (many times).

Still thinking,....

Thanks anyone.