diff --git a/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/ERP5Type_asSecurityGroupId.xml b/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/ERP5Type_asSecurityGroupId.xml
index b0bbd06330ecdae2b5a4dc04a9804c78691fd930..02eafd3b2b8650c94deffc2a0cd560edc5be0abb 100755
--- a/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/ERP5Type_asSecurityGroupId.xml
+++ b/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/ERP5Type_asSecurityGroupId.xml
@@ -74,12 +74,16 @@
 #                    site=\'france/lille\', group=\'nexedi\', function=\'accounting/accountant\')\n
 # This will generate a string like \'LIL_NXD_ACT\' where "LIL", "NXD" and "ACT" are the codification\n
 #   of respecively "france/lille", "nexedi" and "accounting/accountant" categories\n
+#\n
+# ERP5Type_asSecurityGroupId can also return a list of users whenever a category points\n
+# to a Person instance. This is useful to implement user based local role assignments\n
 \n
 code_list = []\n
+user_list = []\n
 \n
 # sort the category list lexicographically\n
 # this prevents us to choose the exact order we want,\n
-# but also prevents some human mistake to f*ck everything up by creating site_function instead of function_site\n
+# but also prevents some human mistake to break everything up by creating site_function instead of function_site\n
 if category_order not in (None, \'\'):\n
   category_order = [ x for x in category_order]\n
   category_order.sort()\n
@@ -87,14 +91,23 @@ else:\n
   category_order = []\n
 \n
 for base_category in category_order:\n
-  category        = kw[base_category]\n
-  category_path   = \'%s/%s\' % (base_category, category)\n
-  category_object = context.portal_categories.getCategoryValue(category_path)\n
-  if category_object in (None, \'\'):\n
-    raise "SecurityRoleDefinitionError", "Category \'%s\' doesn\'t exist" % (category_path)\n
-  category_code   = category_object.getCodification() or category_object.getId()\n
-  code_list.append(category_code)\n
+  category_list   = kw[base_category]\n
+  for category in category_list:\n
+    category_path   = \'%s/%s\' % (base_category, category)\n
+    category_object = context.portal_categories.getCategoryValue(category_path)\n
+    if category_object in (None, \'\'):\n
+      raise "SecurityRoleDefinitionError", "Category \'%s\' doesn\'t exist" % (category_path)\n
+    if category_object.getPortalType() == \'Person\':\n
+      # We define a person here\n
+      user_name = category_object.getReference()\n
+      if user_name is not None: user_list.append(user_name)\n
+    else:\n
+      # We define a group item here\n
+      category_code   = category_object.getCodification() or category_object.getId()\n
+      code_list.append(category_code)\n
 \n
+# Return a list of users or a single group\n
+if user_list: return user_list\n
 return \'_\'.join(code_list)\n
 </string> </value>
         </item>
@@ -139,6 +152,7 @@ return \'_\'.join(code_list)\n
                             <string>category_order</string>
                             <string>kw</string>
                             <string>code_list</string>
+                            <string>user_list</string>
                             <string>None</string>
                             <string>append</string>
                             <string>$append0</string>
@@ -147,10 +161,12 @@ return \'_\'.join(code_list)\n
                             <string>_getattr_</string>
                             <string>base_category</string>
                             <string>_getitem_</string>
+                            <string>category_list</string>
                             <string>category</string>
                             <string>category_path</string>
                             <string>context</string>
                             <string>category_object</string>
+                            <string>user_name</string>
                             <string>category_code</string>
                           </tuple>
                         </value>
diff --git a/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/ERP5Type_getSecurityCategoryFromArrow.xml b/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/ERP5Type_getSecurityCategoryFromArrow.xml
new file mode 100755
index 0000000000000000000000000000000000000000..02ed27ee947ab75ba42b3289dd7287d9c2b48d0a
--- /dev/null
+++ b/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/ERP5Type_getSecurityCategoryFromArrow.xml
@@ -0,0 +1,179 @@
+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <tuple>
+        <tuple>
+          <string>Products.PythonScripts.PythonScript</string>
+          <string>PythonScript</string>
+        </tuple>
+        <none/>
+      </tuple>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>Python_magic</string> </key>
+            <value> <string encoding="base64">O/INCg==</string> </value>
+        </item>
+        <item>
+            <key> <string>Script_magic</string> </key>
+            <value> <int>3</int> </value>
+        </item>
+        <item>
+            <key> <string>__ac_local_roles__</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_body</string> </key>
+            <value> <string># XXX For now, this script requires proxy manager\n
+\n
+# base_category_list : list of category values we need to retrieve\n
+# user_name : string obtained from getSecurityManager().getUser().getUserName() [NuxUserGroup]\n
+#             When using PluggableAuthService with ERP5GroupMAnager, user_name is the id\n
+#             of the person linked to getUser().getId() through getReference() (which is its login).\n
+# object : object which we want to assign roles to.\n
+# portal_type : portal type of object\n
+\n
+# must always return a list of dicts\n
+\n
+category_list = []\n
+\n
+if object is None:\n
+  return []\n
+\n
+for base_category in base_category_list:\n
+  category_list.append({base_category: object.getCategoryMembershipList(base_category)})\n
+\n
+return category_list\n
+</string> </value>
+        </item>
+        <item>
+            <key> <string>_code</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>_filepath</string> </key>
+            <value> <string>Script (Python):/nexedi/portal_skins/erp5_core/ERP5Type_getSecurityCategoryFromArrow</string> </value>
+        </item>
+        <item>
+            <key> <string>_owner</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string>base_category_list, user_name, object, portal_type</string> </value>
+        </item>
+        <item>
+            <key> <string>_proxy_roles</string> </key>
+            <value>
+              <tuple>
+                <string>Manager</string>
+              </tuple>
+            </value>
+        </item>
+        <item>
+            <key> <string>errors</string> </key>
+            <value>
+              <tuple/>
+            </value>
+        </item>
+        <item>
+            <key> <string>func_code</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="FuncCode" module="Shared.DC.Scripts.Signature"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>co_argcount</string> </key>
+                        <value> <int>4</int> </value>
+                    </item>
+                    <item>
+                        <key> <string>co_varnames</string> </key>
+                        <value>
+                          <tuple>
+                            <string>base_category_list</string>
+                            <string>user_name</string>
+                            <string>object</string>
+                            <string>portal_type</string>
+                            <string>category_list</string>
+                            <string>None</string>
+                            <string>_getiter_</string>
+                            <string>base_category</string>
+                            <string>_getattr_</string>
+                          </tuple>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>func_defaults</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>ERP5Type_getSecurityCategoryFromArrow</string> </value>
+        </item>
+        <item>
+            <key> <string>warnings</string> </key>
+            <value>
+              <tuple/>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>
diff --git a/product/ERP5/bootstrap/erp5_core/bt/change_log b/product/ERP5/bootstrap/erp5_core/bt/change_log
index ffcb20b3c7672d2f3f909eee7aa3dcecd0fb34d9..d3d2e4640f32ffabf2b06b25063c341fde39b5ba 100755
--- a/product/ERP5/bootstrap/erp5_core/bt/change_log
+++ b/product/ERP5/bootstrap/erp5_core/bt/change_log
@@ -1,3 +1,6 @@
+2006-01-21 JP
+* Added support for user based role assignment (ERP5Type_getSecurityCategoryFromArrow)
+
 2006-01-20 JP & Jerome
 * Added document template initial support to Base_doAction and erp5_html_style