Could someone please try if the following line works as expected ? $HandleAuth['crypt'] = 'edit'; Even with this line in config.php, users seem to be able to use action=crypt even when they have no "edit" rights. Thank you in anticipation. Christophe