In responding to this thread the concept of a "derived" or "virtual" binding (similar to user.memberOf in AD for a users calculated group membership) occurred to me ... whereby a new type of binding that accepted an xpath statement instead of a value could be used to augment the properties of an object without having to replicate data unnecessarily. In the example I was thinking of this would be useful in order to grant rights via a "relative to attribute" style MPR for a manager's assistant. Another use for this would be to extend this idea slightly to some sort of a role binding to a user ... i.e. if a user could be bound to a role object by a custom reference attribute, then a calculated binding could be used to grant rights in a similar way to all users referencing that same role object - I guess another flavour of RBAC. This idea came about largely because the "relative to attribute" idea with MPRs extends only to attributes of the object in context. Bob Bradley, www.unifysolutions.net (FIMBob?)