I answered Kathy personally, but I thought I would put the solution here as well for others with similar questions. There is no cache to clean out or anything like that. Access control rules are cumulative. Whatever permissions are given to someone in rules 1, 2, and 3, their resulting permissions are a combination of all three. Since your first rule gives the role Read/Modify/Create for All states, the second rule is rendered obsolete (Read for a single state). The first rule needs to be modified and should only specify the exact state where they have Read/Modify/Create permissions. If this is more than one state, you will have to create additional rules. Sincerely, Ben Duquette Application Engineer TriStar, Inc.