Thanks, seems that I'm on right track. But how do you support password
changes by users?

Riho-Rene Ellermaa
senior programmer
Hansabank

>
> I use this very technique, although with a slight variation, the
> usernames are "mangled" so that the user can't login as himself
> and select the applications role, and potentially do damage. These
> users are maintained from inside the application. Roles are handy
> when you do it this way, because security is bound to the role
> once, when you grant access to the role, users are granted the role
> at user creation time.
>
> Paul