PUSecurity

Hi, I'm struggling to understand how to use Pier Security. I have a number of different types of users (registeredUsers, projectOwners, AdminUsers, ....). I'd like to enable user specific options on the main pages, and restrict access to specific pages and commands to groups of users. I've grouped my users into different PUGroup s . Then without entirely understanding the intent of the code in PRDistribution>>root : self rootPage enumerator with; all; do: [ :each | each securityDecoration owner: self kernel users anyOne. each securityDecoration group: self kernel groups anyOne ]. self makePrivate: self systemPage. I modified my own configuration code to read: self homePage enumerator with; all; do: [ :each | each securityDecoration owner: self kernel users anyOne. each securityDecoration group: self kernel groups anyOne. each securityDecoration group: self kernel registeredUserGroup. each securityDecoration group: self kernel projectUserGroup. each securityDecoration group: self kernel adminUserGroup. ]. I can see that PUSecurity>>hasPermission:for: and PRStructure>>isAllowedCommand:in: should reveal the secrets of how security is designed to work, however the following code assumes all decorations satisfy the conditions PRStructure>>isAllowedCommand:in: ^ self decorations allSatisfy: [ :each | each isAllowedCommand: aCommandClass in: aContext ] In my case this tests fails as not all decorations are allowed. For example if a user is in the group "projectOwners", isAllowedCommand:in: fails for the security decorator for "registeredUserGroup" and "adminUserGroup". With my limited understanding I would have expect the above loop to read "anySatisfy:" rather than "allSatisfy" . Clearly I've a misunderstanding about how Pier security is designed to function. Any pointers gratefully received. Thanks Nick