I am stuck with a fairly complex permissions issue. What we are trying to do:

1. Allow our internal Admins to manage all assets at all locations.
2. Allow a vendor in one DC location to view and co-manage assets in *only that location*. Allow a second vendor to view and co-manage assets in *a second location*. (Have to use userid for these as the accounts are in "email address format" and RackCode doesn't like "@".)
3. Allow vendors to see the Index page, rackspace and the depot.
4. Deny access to creating new racks or editing rack properties, some of the report tabs and the config page.
5. Internal readonly user that can view everything.

Tag tree:

-RemoteSupport
  -Vendor1
  -Vendor2

Assets are either tagged with Vendor1 or Vendor2 or untagged.

The problem is that vendors can view and modify *any* assets when I do:

allow {$username_vendor1} and {vendor1}

But when I do

allow {$username_vendor1} and {vendor1} and {vendor1 asset}

the vendor can't access anything. I am stuck, any ideas?

Here is the RackCode:

allow {$userid_1} or {Admins}
deny {$page_config}
allow {RemoteSupport} and {asset} and {$tab_default} and {$page_index} and {$page_rackspace} and {$page_depot} and {$page_rack}
deny {$tab_rackcode} or {$tab_system} or ({$page_rackspace} and {$tab_edit}) or ({$page_rack} and {$tab_edit}) or {$tab_newrack} or {$tab_tagroller}
allow {$username_vendor1} and {vendor1} and {vendor1 asset}
deny {$username_vendor1}
allow {$username_vendor2} and {vendor2} and {vendor2 asset}
deny {$username_vendor2}
allow {$username_readonly} and {$tab_default}
deny {$username_readonly}
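As an added illustration (not part of the post above), the following Python models the two vendor1 rule variants as first-match allow/deny rules over tag sets. It assumes a simplified RackCode semantics: rules are checked top to bottom, the first match decides, a {tag} test is true when the tag is present in the combined set of the object's tags (including implicit parent tags), the current user's tags and the $-autotags, and no match means deny; the tag sets are constructed, and the "vendor1 asset" tag is deliberately absent because the posted tag tree does not contain it.

```python
# Added example: simplified model of RackCode first-match evaluation.
# Assumption: each rule is (verdict, predicate over the combined tag set);
# the first predicate that holds decides, and no match defaults to "deny".

def evaluate(rules, tags):
    """Return the verdict of the first matching rule, or 'deny' if none match."""
    for verdict, pred in rules:
        if pred(tags):
            return verdict
    return "deny"  # assumption: RackCode denies when no rule matches


# Variant A from the post: allow {$username_vendor1} and {vendor1}; deny {$username_vendor1}
VARIANT_A = [
    ("allow", lambda t: "$username_vendor1" in t and "vendor1" in t),
    ("deny",  lambda t: "$username_vendor1" in t),
]

# Variant B from the post: the same allow rule with "and {vendor1 asset}" added.
VARIANT_B = [
    ("allow", lambda t: "$username_vendor1" in t and "vendor1" in t and "vendor1 asset" in t),
    ("deny",  lambda t: "$username_vendor1" in t),
]

# Constructed object tag sets. An object tagged vendor1 also carries the
# implicit parent tag RemoteSupport from the tag tree; an untagged object has none.
ASSET_VENDOR1 = frozenset({"vendor1", "RemoteSupport"})
ASSET_UNTAGGED = frozenset()


def decide(rules, object_tags, user_tags=frozenset()):
    """Evaluate rules for the vendor1 account viewing an object.

    The combined tag set is the object's tags plus the user account's own
    tags plus the $username_vendor1 autotag (assumed always present here).
    """
    combined = set(object_tags) | set(user_tags) | {"$username_vendor1"}
    return evaluate(rules, combined)


if __name__ == "__main__":
    # Variant A: only objects carrying the vendor1 tag pass...
    print(decide(VARIANT_A, ASSET_VENDOR1))                      # allow
    print(decide(VARIANT_A, ASSET_UNTAGGED))                     # deny
    # ...unless the user account itself carries vendor1, which then satisfies
    # {vendor1} for every object, so untagged assets become visible too.
    print(decide(VARIANT_A, ASSET_UNTAGGED, {"vendor1"}))        # allow
    # Variant B: no object carries "vendor1 asset", so the allow never matches.
    print(decide(VARIANT_B, ASSET_VENDOR1))                      # deny
```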