Comment #2 above should be extended by saying in many cases, objects should have additional security metadata associated with them, so you can say things like "allow update when user has the Reviewer role and they are a member of this object's primary security group." For example, the Foo folder may be associated with the "Foo_association" security group, and thus I want to apply "Foo_association" rules to it, NOT go pollinate every f*cking possible object and slam on new local roles. Some of that can be handled as guards on workflow transitions, but the Zope model is just not designed to accommodate anything more than a fairly simple permission mapping.
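The check the comment describes, written as an added illustration (not Zope code and not the commenter's own): each object carries one piece of security metadata, its primary security group, and the rules hang off the group rather than off every object. The group name "Foo_association", the role names and the user records are constructed sample values.

```python
"""Object-level authorization driven by per-object security metadata."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    groups: frozenset


@dataclass(frozen=True)
class SecuredObject:
    path: str
    primary_security_group: str  # the object's extra security metadata


# Rules are keyed by security group, not by individual object, so a new
# folder associated with "Foo_association" needs no local roles of its own.
# action -> roles, any one of which suffices, *in addition to* membership in
# the object's primary security group.
GROUP_RULES = {
    "Foo_association": {
        "update": frozenset({"Reviewer", "Manager"}),
        "view": frozenset({"Reviewer", "Manager", "Member"}),
    },
}


def is_allowed(user: User, obj: SecuredObject, action: str) -> bool:
    """Allow `action` only if the user holds a qualifying role AND belongs to
    the object's primary security group. Unknown groups and actions fail closed."""
    rules = GROUP_RULES.get(obj.primary_security_group)
    if rules is None:
        return False
    if not rules.get(action, frozenset()) & user.roles:
        return False
    return obj.primary_security_group in user.groups


# Constructed sample data: one folder and three users.
FOO_FOLDER = SecuredObject("/site/foo", "Foo_association")
ALICE = User("alice", frozenset({"Reviewer"}), frozenset({"Foo_association"}))
BOB = User("bob", frozenset({"Reviewer"}), frozenset({"Bar_association"}))
CAROL = User("carol", frozenset({"Member"}), frozenset({"Foo_association"}))

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        print(u.name, "update:", is_allowed(u, FOO_FOLDER, "update"),
              "view:", is_allowed(u, FOO_FOLDER, "view"))
```

Both conditions must hold: a Reviewer outside the group (bob) and a group member without the role (carol) are refused the update.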