> Now: I've been having a look at your web site, but I didn't find
> references about the new security model, so I don't know how to
> manage it (allow user x with full rights, allow user y only certain
> tab, etc.). Did I overlook something?

A key concept of the new model is the "security context", which is a
sequence of tags. The tags can be:

- explicit: those listed for current entity by user
- implicit: all parent tags of the explicit tags
- automatic: injected internally

The default setting is to show the first two lists on each entity's
page; this can be changed on the "user interface" page. The security
context is a combination of all three lists above.

For most of the locations authorization is done only once and itself
is an evaluation of the context against the RackCode. Each allow/deny
rule is matched against the meta-list of tags and if the rule condition
evaluates to true, the allow/deny decision is returned.

It's very easy to mimic the former UserPermission syntax, because the
automatic tag list always contains autotags for the current page and
tab, e.g.:

    {$page_object} {$tab_ipv4}

These cannot be forged, because ordinary tag names cannot start with
dollar sign. Given all of the above, an example of permitting everybody
to browse all objects and someone to manage IP addresses of any object
is as simple as:

    allow {$page_object} and {$tab_default}
    allow {$username_someuser} and {$page_object} and {$tab_ipv4}

If no rule matched, the default decision is to deny access, so
real-world configurations will likely have more rules.

I hope it helps.

-- 
DO4-UANIC
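
The evaluation described in the message above, as an added example that is not part of the original message and is not RackTables code: a simplified Python model that handles only `allow`/`deny` rules whose condition is `{tag}` terms joined by `and`. The tag tree, the function names and the `$username_other` autotag in the usage note are assumptions made for illustration.

```python
import re

# Constructed tag tree (child -> parent); an assumption for illustration.
TAG_PARENTS = {"rack-a1": "dc-east", "dc-east": None}
RULE_RE = re.compile(r"^(allow|deny)\s+(.+)$")
TERM_RE = re.compile(r"^\{([^{}]+)\}$")


def build_context(explicit, autotags):
    """Combine explicit, implicit (parent) and automatic tags into one set."""
    context = set()
    for tag in explicit:
        if tag.startswith("$"):  # ordinary tags may not look like autotags
            raise ValueError(f"tag name cannot start with '$': {tag}")
        while tag is not None:  # walk up the tree to collect implicit tags
            context.add(tag)
            tag = TAG_PARENTS.get(tag)
    return context | set(autotags)


def parse_rule(line):
    """Parse 'allow|deny {a} and {b} ...' into (decision, [tags])."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule: {line!r}")
    tags = []
    for term in re.split(r"\s+and\s+", m.group(2)):
        t = TERM_RE.match(term.strip())
        if not t:
            raise ValueError(f"unsupported term: {term!r}")
        tags.append(t.group(1))
    return m.group(1), tags


def authorize(rules, context):
    """First rule whose tags are all in the context decides; default deny."""
    for line in rules:
        decision, tags = parse_rule(line)
        if all(tag in context for tag in tags):
            return decision == "allow"
    return False


RULES = [  # the two rules from the message
    "allow {$page_object} and {$tab_default}",
    "allow {$username_someuser} and {$page_object} and {$tab_ipv4}",
]
```

Calling `authorize(RULES, build_context([], ["$username_other", "$page_object", "$tab_ipv4"]))` returns `False`, because neither rule matches and the default decision is deny.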