The product I work on follows the ASP model. I have moved our application's security model to VPD. The current security scheme is pretty general; people have access to all information within their "domain" or group they belong to. This was easily accomplished by placing the domain key on each row on tables which required it. Not too hard. Now I'm being asked to improve this security model to restrict access to people based on various rules. These rules can be different within different domains. In some domains, some users will have access to only certain data elements because that element is directly assigned. In other domains, some users will be able only to see elements based on values in other tables. Confusing, I know. Daunting, I know. Insane, maybe. Can anyone point me to an actual implementation of VPD that goes beyond the simple "check an attribute on the row" design?
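A sketch of the kind of policy the question describes, added here as an example and not part of the original post: one VPD policy function that keeps the domain-key check as its base and appends a different subquery predicate depending on a rule stored per domain. Every schema, table, column, context and rule name below is hypothetical, the rule is simplified to one per domain, and the application context `APP_CTX` is assumed to be set by a trusted logon package.

```sql
-- Added example; all object names (APP, DATA_ELEMENT, DOMAIN_RULE,
-- ELEMENT_ASSIGNMENT, USER_REGION, APP_CTX) are hypothetical.
CREATE OR REPLACE FUNCTION element_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
  l_rule domain_rule.rule_type%TYPE;
  -- The existing "domain key on the row" check stays in every predicate.
  l_base CONSTANT VARCHAR2(200) :=
    'domain_id = SYS_CONTEXT(''APP_CTX'', ''DOMAIN_ID'')';
BEGIN
  -- Fail closed when the session carries no domain.
  IF SYS_CONTEXT('APP_CTX', 'DOMAIN_ID') IS NULL THEN
    RETURN '1 = 0';
  END IF;

  -- The rule lookup reads a separate table, never the protected one.
  SELECT rule_type INTO l_rule
    FROM domain_rule
   WHERE domain_id = SYS_CONTEXT('APP_CTX', 'DOMAIN_ID');

  CASE l_rule
    WHEN 'DOMAIN_WIDE' THEN        -- original behaviour
      RETURN l_base;
    WHEN 'ASSIGNED' THEN           -- element directly assigned to the user
      RETURN l_base || ' AND element_id IN (SELECT a.element_id'
        || ' FROM element_assignment a'
        || ' WHERE a.user_id = SYS_CONTEXT(''APP_CTX'', ''USER_ID''))';
    WHEN 'BY_REGION' THEN          -- visibility derived from another table
      RETURN l_base || ' AND region_id IN (SELECT r.region_id'
        || ' FROM user_region r'
        || ' WHERE r.user_id = SYS_CONTEXT(''APP_CTX'', ''USER_ID''))';
    ELSE                           -- unknown rule type: no rows
      RETURN '1 = 0';
  END CASE;
EXCEPTION
  WHEN NO_DATA_FOUND THEN          -- domain has no rule row: no rows
    RETURN '1 = 0';
END element_policy;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'DATA_ELEMENT',
    policy_name     => 'ELEMENT_ROW_POLICY',
    function_schema => 'APP',
    policy_function => 'ELEMENT_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/
```

The predicates reference `SYS_CONTEXT` rather than concatenating session values, so no user-supplied text ever becomes part of the generated WHERE clause.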