In the past, I have used a solution of Rights/Roles/Users as outlined by Chad Fowler in his original Rails Recipes but this is different. I am dealing with a legacy application, written in PHP with users, passwords and security values that I can easily access in RAILS but I am primarily interested in using Rails to write reports and don''t see much need to create new tables - at least not yet. So if I put into application_controller.rb, before_filter :authenticate, :authorize, :except => [:login, :err_handler] def authorize unless session[:securitylevel] >= session[:pageseclevel] flash[:notice] = "You are not authorized to do that" request.env["HTTP_REFERER"] ? (redirect_to :back, :params => @params) : (redirect_to $SOMETHING) return false end end and I try to set session[:pageseclevel] inside of each method, that isn''t going to work. I think I just need a way to use a before_filter but have a very small table of lookup values for the security level for the few methods I am going to create. Does anyone have a suggestion? Craig -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.