I'll be grateful to any cancan guru to give me some advice on how to formulate the abilities in a structure with associations ...

I have the following tree association:

    Subdomain (has_one) > Portfolio (has_many) > Projects (has_many) > Payments
    Subdomain (has_many) > Users (w roles)

I want a 'user' with role 'owner' to be able to manage all model instances in the hierarchy ONLY within his subdomain.

I wrote (need to understand if it's fine ... or if there is a better way... I know CanCan 2.0 is coming but..)

    class Ability
      include CanCan::Ability

      def initialize(user)
        user ||= User.new            # guest user (not logged in)
        subdomain = user.subdomain
        return if subdomain.nil?     # no subdomain: grant nothing (avoids nil[:id])

        # Portfolio belongs directly to the subdomain
        can :manage, Portfolio, :subdomain_id => subdomain[:id]

        # Project is reached through its portfolio
        can :create, Project
        can :modify, Project, :portfolio => {:subdomain_id => subdomain[:id]}

        # Payment is reached through project -> portfolio
        can :create, Payment
        can :modify, Payment, :project => {:portfolio => {:subdomain_id => subdomain[:id]} }
      end
    end

Why is it not possible to check the subdomain on 'create' when resources are not nested? I tried

    can :create, Project, :portfolio => {:subdomain_id => subdomain[:id]}

but then it raises a CanCan::AccessDenied error on form submit..

thanks for your feedback
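Added example, not part of the original post and not CanCan's own code: a self-contained Ruby check of the tenant isolation the abilities above are meant to enforce, comparing an unconditioned create rule with one scoped through the portfolio. The Struct models, `matches?`, `rules_for` and `allowed?` are hypothetical stand-ins, and treating a missing association as a non-match is an assumption of this example.

```ruby
# Constructed stand-ins for the post's models (plain Structs, no Rails or CanCan).
Subdomain = Struct.new(:id)
Portfolio = Struct.new(:subdomain_id)
Project   = Struct.new(:portfolio)
Payment   = Struct.new(:project)

# Hypothetical matcher for nested hash conditions: every key must match,
# a nested Hash recurses into the association, and a missing (nil)
# association never matches (assumption of this example).
def matches?(record, conditions)
  conditions.all? do |attr, expected|
    actual = record.public_send(attr)
    if expected.is_a?(Hash)
      !actual.nil? && matches?(actual, expected)
    else
      actual == expected
    end
  end
end

# Hypothetical rule table keyed by [action, class]; {} means "no condition".
def rules_for(subdomain, scoped_create:)
  in_tenant = { subdomain_id: subdomain.id }
  {
    [:create, Project] => scoped_create ? { portfolio: in_tenant } : {},
    [:modify, Project] => { portfolio: in_tenant },
    [:create, Payment] => scoped_create ? { project: { portfolio: in_tenant } } : {},
    [:modify, Payment] => { project: { portfolio: in_tenant } },
  }
end

# Deny by default: an action with no rule is refused.
def allowed?(rules, action, record)
  conditions = rules[[action, record.class]]
  !conditions.nil? && matches?(record, conditions)
end

mine, other = Subdomain.new(1), Subdomain.new(2)
foreign_project = Project.new(Portfolio.new(other.id)) # belongs to another tenant
open_rules   = rules_for(mine, scoped_create: false)
scoped_rules = rules_for(mine, scoped_create: true)

puts allowed?(open_rules, :create, foreign_project)    # unconditioned create crosses tenants
puts allowed?(scoped_rules, :create, foreign_project)  # scoped create stays inside the tenant
puts allowed?(scoped_rules, :create, Project.new(nil)) # record with no portfolio assigned yet
```

In an application using CanCan, the same cases would be asserted against `Ability.new(user).can?(:create, project)` in the test suite.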