This is related to both ASP and COM. Any comments would be appreciated. Thanks.

I am developing an application using ASP and COM. In the application each user has a database (Oracle) logon id. There is a table in the db that specifies what 'roles' each user has in the application (administrator, regular user, readonly, etc).

There are certain methods in the COM objects that I would like to restrict to certain user roles. I could, of course, check in the ASP that the user would have a certain level of access in order to use that ASP functionality. However, in theory, one could make their own ASP page without this check and access the COM object methods directly (if they were able to place this new page in the webroot directory).

Access could be restricted at the db level, per table, pretty easily, but the granularity of that approach is not very flexible, and implementing security at the per-row level would be extremely complex.

In my estimation, this leaves passing the userId to the COM object and checking the user role. When the object is created, it could load the access restrictions for all methods within and store them in local variables, therefore there would only be one db lookup per created object for security checking. But is there a better way (fewer db accesses) that is still secure? The DB structure is fairly inflexible.

Thanks.
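
The design described in the post (one role lookup when the object is created, then a check inside every restricted method) is sketched below as an added example; it is not code from the original poster. It is written in Python rather than as a COM component, and the names `OrderService`, `requires`, `user_roles` and the in-memory SQLite table standing in for the Oracle role table are all hypothetical. It assumes `user_id` is the identity the object itself authenticated against the database, not just a value handed over by the calling page.

```python
import sqlite3
from functools import wraps

def make_sample_db():
    """Constructed sample data: SQLite stands in for the Oracle role table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_roles (user_id TEXT, role TEXT)")
    db.executemany("INSERT INTO user_roles VALUES (?, ?)",
                   [("alice", "administrator"), ("bob", "readonly")])
    return db

def requires(*allowed_roles):
    """Restrict a method to callers holding at least one of allowed_roles."""
    def decorate(method):
        @wraps(method)
        def guarded(self, *args, **kwargs):
            # The check lives inside the object, so a page that skips its
            # own check still cannot reach the method body.
            if self._roles.isdisjoint(allowed_roles):
                raise PermissionError(
                    f"{self._user_id} may not call {method.__name__}")
            return method(self, *args, **kwargs)
        return guarded
    return decorate

class OrderService:
    """Hypothetical business object playing the part of the COM component."""

    def __init__(self, db, user_id):
        # Assumption: user_id was authenticated by this object (for example,
        # it is the logon the DB connection was opened with), not asserted
        # by the caller.
        self._user_id = user_id
        rows = db.execute(
            "SELECT role FROM user_roles WHERE user_id = ?", (user_id,))
        # Single lookup per object; an unknown user gets an empty set,
        # which denies every restricted method.
        self._roles = frozenset(row[0] for row in rows)

    @requires("administrator", "regular user", "readonly")
    def list_orders(self):
        return ["order-1", "order-2"]

    @requires("administrator")
    def delete_order(self, order_id):
        return f"deleted {order_id}"
```

The cached roles are a snapshot taken at creation, so a role change in the table only takes effect for objects created afterwards.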