diff --git a/browser/loops.css b/browser/loops.css
index 622e04d..4ca8eb1 100644
--- a/browser/loops.css
+++ b/browser/loops.css
@@ -81,15 +81,15 @@ fieldset.box table.listing td {
     padding: 0 1px 0 1px;
 }
 
-table.listing td.number {
+table.listing .number {
     text-align: right;
 }
 
-table.listing td.center {
+table.listing .center {
     text-align: center;
 }
 
-table.listing td.nowrap {
+table.listing .nowrap {
     white-space: nowrap;
 }
 
diff --git a/browser/skin/lobo/lobo.css b/browser/skin/lobo/lobo.css
index 3478880..3dae66b 100644
--- a/browser/skin/lobo/lobo.css
+++ b/browser/skin/lobo/lobo.css
@@ -93,15 +93,15 @@ fieldset.box table.listing td {
     padding: 0 1px 0 1px;
 }
 
-table.listing td.number {
+table.listing .number {
     text-align: right;
 }
 
-table.listing td.center {
+table.listing .center {
     text-align: center;
 }
 
-table.listing td.nowrap {
+table.listing .nowrap {
     white-space: nowrap;
 }
 
diff --git a/security/browser/__init__.py b/security/browser/__init__.py
new file mode 100644
index 0000000..38314f3
--- /dev/null
+++ b/security/browser/__init__.py
@@ -0,0 +1,3 @@
+"""
+$Id$
+"""
diff --git a/security/browser.py b/security/browser/admin.py
similarity index 100%
rename from security/browser.py
rename to security/browser/admin.py
diff --git a/security/browser/audit.pt b/security/browser/audit.pt
new file mode 100644
index 0000000..5c2305d
--- /dev/null
+++ b/security/browser/audit.pt
@@ -0,0 +1,58 @@
+<html i18n:domain="loops">
+<!-- $Id$ -->
+
+
+<metal:macro define-macro="role_permissions">
+    <metal:headline use-macro="view/concept_macros/concepttitle" />
+    <div>
+      <form>
+        <b>Type:</b>
+        <span tal:condition="python:len(item.types) <= 1">
+          <span tal:content="item/selectedType/label" />&nbsp;&nbsp;&nbsp;</span>
+        <span tal:condition="python:len(item.types) > 1">
+          <select name="selected_type"
+                  onchange="submit()">
+            <option tal:repeat="type item/types"
+                    tal:content="type/label"
+                    tal:attributes="value type/token;
+                                    selected python:
+                            type['token'] == item.selectedType['token']">View</option>
+          </select>&nbsp;&nbsp;&nbsp;</span>
+        <b>Permission:</b>
+        <span tal:condition="python:len(item.permissions) <= 1"
+              tal:content="item/selectedPermission" />
+        <select name="selected_permission"
+                tal:condition="python:len(item.permissions) > 1"
+                onchange="submit()">
+            <option tal:repeat="perm item/permissions"
+                    tal:content="perm"
+                    tal:attributes="value perm;
+                                    selected python:
+                            perm == item.selectedPermission">View</option>
+        </select>
+      </form>
+    </div>
+    <table class="listing">
+      <tr>
+        <th>Object</th>
+        <th class="center"
+            tal:repeat="role item/roles"
+            tal:content="role" />
+      </tr>
+      <tr tal:repeat="obj item/objects">
+        <td tal:content="obj/title" />
+        <td class="center"
+            tal:repeat="setting obj/settings"
+            tal:content="setting" />
+      </tr>
+    </table>
+</metal:macro>
+
+
+<metal:macro define-macro="workspace_assignments">
+    <metal:headline use-macro="view/concept_macros/concepttitle" />
+    blubb
+</metal:macro>
+
+
+</html>
\ No newline at end of file
diff --git a/security/browser/audit.py b/security/browser/audit.py
new file mode 100644
index 0000000..6ace1b1
--- /dev/null
+++ b/security/browser/audit.py
@@ -0,0 +1,109 @@
+#
+#  Copyright (c) 2010 Helmut Merz helmutm@cy55.de
+#
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2 of the License, or
+#  (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program; if not, write to the Free Software
+#  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+
+"""
+End user views for security audits and similar tasks.
+
+$Id$
+"""
+
+from zope import interface, component
+from zope.app.pagetemplate import ViewPageTemplateFile
+from zope.app.securitypolicy.interfaces import IRolePermissionMap
+from zope.app.securitypolicy.zopepolicy import SettingAsBoolean
+from zope.cachedescriptors.property import Lazy
+from zope.traversing.api import getName, getParent
+
+from loops.browser.concept import ConceptView
+from loops import util
+from loops.util import _
+
+
+class BaseSecurityView(ConceptView):
+
+    template = ViewPageTemplateFile('audit.pt')
+
+
+class RolePermissionsByType(BaseSecurityView):
+
+    @Lazy
+    def macro(self):
+        return self.template.macros['role_permissions']
+
+    @Lazy
+    def types(self):
+        result = [self.conceptManager.get(name) for name in self.options('types')]
+        return [dict(token=getName(t), label=t.title, object=t)
+                        for t in result if t is not None]
+
+    @Lazy
+    def selectedType(self):
+        if 'selected_type' in self.request.form:
+            typeName = self.request.form['selected_type']
+            type = self.conceptManager.get(typeName)
+            return dict(token=getName(type), label=type.title, object=type)
+        if self.types:
+            return self.types[0]
+        return dict(token=u'', label=u'', object=None)
+
+    @Lazy
+    def objects(self):
+        if not self.selectedType:
+            return []
+        result = self.selectedType['object'].getChildren([self.typePredicate])
+        return [dict(title=o.title, settings=self.getPermissionSettings(o))
+                        for o in result]
+
+    def getPermissionSettings(self, obj):
+        result = []
+        rpm = IRolePermissionMap(obj, None)
+        for r in self.roles:
+            if rpm is not None:
+                setting = rpm.getSetting(self.selectedPermission, r)
+                setting = SettingAsBoolean[setting]
+                if setting is not None:
+                    result.append(setting and '+' or '-')
+                else:
+                    result.append(u'')
+            else:
+                result.append(u'')
+        return result
+
+    @Lazy
+    def permissions(self):
+        return self.options('permissions')
+
+    @Lazy
+    def selectedPermission(self):
+        if 'selected_permission' in self.request.form:
+            return self.request.form['selected_permission']
+        if self.permissions:
+            return self.permissions[0]
+        return u''
+
+    @Lazy
+    def roles(self):
+        return self.options('roles')
+
+
+class WorkspaceAssignments(BaseSecurityView):
+
+    @Lazy
+    def macro(self):
+        return self.template.macros['workspace_assignments']
+
diff --git a/security/granting.pt b/security/browser/granting.pt
similarity index 100%
rename from security/granting.pt
rename to security/browser/granting.pt
diff --git a/security/manage_permissionform.pt b/security/browser/manage_permissionform.pt
similarity index 100%
rename from security/manage_permissionform.pt
rename to security/browser/manage_permissionform.pt
diff --git a/security/manage_workspace.pt b/security/browser/manage_workspace.pt
similarity index 100%
rename from security/manage_workspace.pt
rename to security/browser/manage_workspace.pt
diff --git a/security/configure.zcml b/security/configure.zcml
index 2c7b334..dba17bf 100644
--- a/security/configure.zcml
+++ b/security/configure.zcml
@@ -37,28 +37,48 @@
   <zope:subscriber handler="loops.security.common.addGroupMembershipOnAssignment" />
   <zope:subscriber handler="loops.security.common.removeGroupMembershipOnDeassignment" />
 
+  <!-- views -->
+
   <browser:page
         for="zope.annotation.interfaces.IAnnotatable"
         name="permissions.html"
         permission="zope.Security"
-        template="manage_permissionform.pt"
-        class="loops.security.browser.PermissionView"
+        template="browser/manage_permissionform.pt"
+        class="loops.security.browser.admin.PermissionView"
         menu="zmi_actions" title="Edit Permissions" />
 
   <browser:page
         for="loops.interfaces.IConcept"
         name="grant.html"
         permission="zope.Security"
-        template="granting.pt"
-        class="loops.security.browser.Granting"
+        template="browser/granting.pt"
+        class="loops.security.browser.admin.Granting"
         menu="zmi_actions" title="Grant" />
 
   <browser:page
         for="loops.interfaces.IConcept"
         name="manage_workspace.html"
         permission="zope.Security"
-        template="manage_workspace.pt"
-        class="loops.security.browser.ManageWorkspaceView"
+        template="browser/manage_workspace.pt"
+        class="loops.security.browser.admin.ManageWorkspaceView"
         menu="zmi_actions" title="Manage Workspace" />
 
+  <!-- end user (audit) views -->
+
+  <zope:adapter
+      name="role_permission_by_type.html"
+      for="loops.interfaces.IConcept
+           zope.publisher.interfaces.browser.IBrowserRequest"
+      provides="zope.interface.Interface"
+      factory="loops.security.browser.audit.RolePermissionsByType"
+      permission="loops.ManageSite" />
+
+  <zope:adapter
+      name="workspace_assignments.html"
+      for="loops.interfaces.IConcept
+           zope.publisher.interfaces.browser.IBrowserRequest"
+      provides="zope.interface.Interface"
+      factory="loops.security.browser.audit.WorkspaceAssignments"
+      permission="loops.ManageSite" />
+
 </configure>