Don
Thanks - in our case - flexibility wasn't the issue. The multi-role permissions model works well for us. The question is the completeness of the api's.
I guess what i'm saying is that if there are api's to add and query permissions, there should be comparable api's to remove and modify users as well. People may move or get demoted (especially these days :-{).
I hacked modifying the role mappings (once you unravel the spaghetti it's pretty simple). In acs 4 - i'd like to see api's that address the whole lifecycle of permissions (add, mod, del, query)
danny
