> Exactly: if you don't want "conversion" from UserRequest to User, then just > give anyone the possibility to create / update / delete users: ...a bit weak > security-wise, isn’t it?
Well, that's I would use the workflow to handel special cases were this would be acceptable. (e.g. auto registration + confirmation token email) Access to non-sensitive applications where the only requirement would be to have simple authentication & a default role. But I'll implement it in my own interface. regards Bob
