I've got my app set up and authentication running with authlogic. I followed the guide on asciicasts - very good. Basically it's a site with a database of teachers, and the fields required for authentication are included in the Teacher model. This is fine: a teacher can register and then login, logout and manage their profile.

Anyway, I now need an admin user. I also want to secure the app so it's secure by default. I have a couple of scaffolded controllers used for maintaining peripheral app data and these must be protected so that only an admin can access them. Other controllers, e.g. the welcome controller, should be globally accessible. The admin user/teacher should be all powerful and able to update any teacher's profile/access all the scaffolded controllers and generally be able to do everything. Teachers themselves are only allowed to update their own profile (this part's working).

I figure I need to maybe add a boolean field to Teacher such as (admin) and then do some filtering in the app. I could just have a single particular Teacher set up as an admin for this to work (I could set the boolean flag manually).

Is my approach ok, how do I achieve this with filters? - can I protect the whole app in application.rb and then selectively turn off the filter for particular controllers / actions?

Be grateful for insight...

bb

-- Posted via http://www.ruby-forum.com/.
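An added example, not part of the original post: the deny-by-default layout the question describes, modelled in plain Ruby so the policy can be exercised outside Rails. `allow`, `authorized?` and `SubjectsController` are hypothetical names, and the base class is a stand-in for the application controller, not ActionController itself.

```ruby
# Stand-in for the Teacher model with the proposed boolean admin column.
Teacher = Struct.new(:id, :admin)

class ApplicationController
  class << self
    # Per-controller exceptions to the default; empty means "admin only".
    def rules
      @rules ||= {}
    end

    # Relax the default for the listed actions (or for every action).
    def allow(level, only: :all)
      Array(only).each { |action| rules[action] = level }
    end

    # Anything not explicitly relaxed falls back to :admin (deny by default).
    def level_for(action)
      rules[action] || rules[:all] || :admin
    end
  end

  def initialize(current_teacher)
    @current_teacher = current_teacher # nil when nobody is logged in
  end

  # The check a global filter would run before every action.
  def authorized?(action, params = {})
    t = @current_teacher
    return true if t && t.admin # admin may do everything
    case self.class.level_for(action)
    when :public then true
    when :self   then !t.nil? && t.id.to_s == params[:id].to_s # own record only
    else false
    end
  end
end

class WelcomeController < ApplicationController
  allow :public
end

class TeachersController < ApplicationController
  allow :public, only: [:new, :create]        # registration
  allow :self,   only: [:show, :edit, :update] # own profile
end

# Scaffolded maintenance controller: declares nothing, so it is admin only.
class SubjectsController < ApplicationController; end
```

A controller added later with no `allow` line is closed to everyone but the admin, which is the "secure by default" property the post asks for.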