Currently Attributes and Documentation Types have a security of Deny or nothing (nothing implies granted) This makes setting roles quite cumbersom. In order to limit an Attriubute to a small number of people I have to create a role - Deny the Attribute - and then apply the role to EVERYONE except those who need access to the attribute. This is the same for document type security. it would make much more sense to apply the same Grant/Deny functionality that the rest of BBEC uses to give access to tasks, functionality, buttons, forms, data lists etc. A role can grant - given access deny - where deny takes priority over a grant or nothing which also implies not a granted access to. This would make security for Attributes and Document types MUCH easier to manage than creating a list of Deny roles and then taking the time to apply that role to everyone in the organization except the few who need it.