src/pyams_security/zmi/security.py
changeset 54 59683c264d94
parent 49 e4fc19ce77fa
child 85 b43215d4c9b9
--- a/src/pyams_security/zmi/security.py	Thu Oct 08 09:30:56 2015 +0200
+++ b/src/pyams_security/zmi/security.py	Thu Oct 08 09:31:45 2015 +0200
@@ -16,92 +16,69 @@
 # import standard library
 
 # import interfaces
-from pyams_form.interfaces.form import IInnerSubForm
+from pyams_form.interfaces.form import IWidgetForm
 from pyams_security.interfaces import IDefaultProtectionPolicy, IProtectedObject, IRole
+from pyams_security.zmi.interfaces import IObjectSecurityMenu
+from pyams_skin.interfaces import IInnerPage, IPageHeader
 from pyams_skin.layer import IPyAMSLayer
-from pyams_zmi.interfaces.menu import IPropertiesMenu
+from pyams_utils.interfaces import VIEW_SYSTEM_PERMISSION, MANAGE_SECURITY_PERMISSION, MANAGE_ROLES_PERMISSION
+from pyams_zmi.interfaces.menu import ISiteManagementMenu
 from pyams_zmi.layer import IAdminLayer
 from z3c.form.interfaces import DISPLAY_MODE, INPUT_MODE
 
 # import packages
-from pyams_form.form import AJAXEditForm, InnerEditForm
+from pyams_form.form import AJAXEditForm
 from pyams_pagelet.pagelet import pagelet_config
-from pyams_skin.viewlet.menu import MenuItem, MenuDivider
+from pyams_skin.page import DefaultPageHeaderAdapter
+from pyams_skin.viewlet.menu import MenuItem
 from pyams_utils.adapter import adapter_config
 from pyams_utils.registry import get_utility
+from pyams_viewlet.manager import viewletmanager_config
 from pyams_viewlet.viewlet import viewlet_config
-from pyams_zmi.form import AdminDialogEditForm
+from pyams_zmi.form import AdminEditForm, AdminDialogEditForm
 from pyramid.view import view_config
 from z3c.form import field
-from zope.interface import Interface
+from zope.interface import implementer, Interface
 
 from pyams_security import _
 
 
-@viewlet_config(name='protected-object-roles.divider', context=IDefaultProtectionPolicy, layer=IAdminLayer,
-                manager=IPropertiesMenu, permission='system.view', weight=899)
-class ProtectedObjectRolesMenuDivider(MenuDivider):
-    """Protected object roles menu divider"""
-
+#
+# Object roles edit form
+#
 
 @viewlet_config(name='protected-object-roles.menu', context=IDefaultProtectionPolicy, layer=IAdminLayer,
-                manager=IPropertiesMenu, permission='system.view', weight=900)
+                manager=ISiteManagementMenu, permission=VIEW_SYSTEM_PERMISSION, weight=900)
+@viewletmanager_config(name='protected-object-roles.menu', layer=IAdminLayer, context=IDefaultProtectionPolicy,
+                       provides=IObjectSecurityMenu)
+@implementer(IObjectSecurityMenu)
 class ProtectedObjectRolesMenuItem(MenuItem):
     """Protected object roles menu item"""
 
-    label = _("Access rules...")
-    icon_class = 'fa-key'
-    url = 'protected-object-roles.html'
-    modal_target = True
+    label = _("Access rules")
+    icon_class = 'fa-users'
+    url = '#protected-object-roles.html'
+    modal_target = False
 
 
 @pagelet_config(name='protected-object-roles.html', context=IDefaultProtectionPolicy, layer=IPyAMSLayer,
-                permission='system.view')
-class ProtectedObjectRolesEditForm(AdminDialogEditForm):
+                permission=VIEW_SYSTEM_PERMISSION)
+@implementer(IWidgetForm, IInnerPage)
+class ProtectedObjectRolesEditForm(AdminEditForm):
     """Protected object roles edit form"""
 
-    legend = None
-    fieldset_class = 'no-padding'
-
-    fields = field.Fields(Interface)
-    ajax_handler = 'protected-object-roles.json'
-    edit_permission = None
-
-
-@adapter_config(name='security.subform',
-                context=(IDefaultProtectionPolicy, IPyAMSLayer, ProtectedObjectRolesEditForm),
-                provides=IInnerSubForm)
-class ProtectedObjectSecuritySubform(InnerEditForm):
-    """Protected object security sub-form"""
-
-    legend = _("Security management")
-    icon_css_class = 'fa fa-fw fa-key'
-    label_css_class = 'control-label col-md-4'
-    input_css_class = 'col-md-8'
-
-    fields = field.Fields(IProtectedObject)
-    edit_permission = 'security.manage'
-    weight = 1
-
-
-@adapter_config(name='roles.subform',
-                context=(IDefaultProtectionPolicy, IPyAMSLayer, ProtectedObjectRolesEditForm),
-                provides=IInnerSubForm)
-class ProtectedObjectRolesSubform(InnerEditForm):
-    """Protected object roles edit form"""
-
-    legend = _("Granted roles")
+    legend = _("Granted users roles")
     icon_css_class = 'fa fa-fw fa-users'
 
     @property
     def fields(self):
         return field.Fields(self.context.roles_interface)
 
-    edit_permission = 'security.manage_roles'
-    weight = 2
+    ajax_handler = 'protected-object-roles.json'
+    edit_permission = MANAGE_ROLES_PERMISSION
 
     def updateWidgets(self, prefix=None):
-        super(ProtectedObjectRolesSubform, self).updateWidgets(prefix)
+        super(ProtectedObjectRolesEditForm, self).updateWidgets(prefix)
         if self.mode == DISPLAY_MODE:
             return
         principals = self.request.effective_principals
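Review bot: The docstring of `ProtectedObjectRolesEditForm` does not describe how access is layered now that the two sub-forms are folded into it. The pagelet is reachable with `VIEW_SYSTEM_PERMISSION`, `edit_permission` is `MANAGE_ROLES_PERMISSION`, and `updateWidgets` additionally sets the mode of individual widgets from `role.managers`. I would extend the docstring to say so, e.g. `"""Protected object roles edit form: readable with the view-system permission, editable with manage-roles, widgets narrowed per role in updateWidgets"""`. I would also add a comment above `updateWidgets` saying that the per-widget mode appears to be what limits a principal to the roles it manages. It is worth confirming that every principal holding the view permission is meant to see the granted-roles listing; the body of `updateWidgets` continues outside this hunk, so the per-role logic is only partly visible here.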
@@ -112,9 +89,53 @@
                 for manager in role.managers:
                     if manager in principals:
                         widget.mode = INPUT_MODE
+                        continue
 
 
 @view_config(name='protected-object-roles.json', context=IDefaultProtectionPolicy, request_type=IPyAMSLayer,
-             permission='security.manage', renderer='json', xhr=True)
+             permission=MANAGE_ROLES_PERMISSION, renderer='json', xhr=True)
 class ProtectedObjectRolesAJAXEditForm(AJAXEditForm, ProtectedObjectRolesEditForm):
     """Protected object roles edit form, AJAX view"""
+
+
+@adapter_config(context=(Interface, IPyAMSLayer, ProtectedObjectRolesEditForm), provides=IPageHeader)
+class ProtectedObjectRolesEditFormHeaderAdapter(DefaultPageHeaderAdapter):
+    """Protected object security edit form header adapter"""
+
+    icon_class = 'fa fa-fw fa-users'
+
+
+#
+# Security policy edit form
+#
+
+@viewlet_config(name='security-policy.menu', context=IDefaultProtectionPolicy, layer=IAdminLayer,
+                manager=IObjectSecurityMenu, permission=MANAGE_SECURITY_PERMISSION, weight=10)
+class ProtectedObjectSecurityPolicyMenuItem(MenuItem):
+    """Protected object security policy menu item"""
+
+    label = _("Security policy...")
+    icon_class = 'fa-key'
+    url = 'security-policy.html'
+    modal_target = True
+
+
+@pagelet_config(name='security-policy.html', context=IDefaultProtectionPolicy, layer=IPyAMSLayer,
+                permission=MANAGE_SECURITY_PERMISSION)
+class ProtectedObjectSecurityPolicyEditForm(AdminDialogEditForm):
+    """Protected object security policy edit form"""
+
+    legend = _("Update security policy")
+    icon_css_class = 'fa fa-fw fa-key'
+
+    fields = field.Fields(IProtectedObject)
+    ajax_handler = 'security-policy.json'
+    edit_permission = MANAGE_SECURITY_PERMISSION
+
+    dialog_class = 'modal-large'
+
+
+@view_config(name='security-policy.json', context=IDefaultProtectionPolicy, request_type=IPyAMSLayer,
+             permission=MANAGE_SECURITY_PERMISSION, renderer='json', xhr=True)
+class ProtectedObjectSecurityPolicyAJAXEditForm(AJAXEditForm, ProtectedObjectSecurityPolicyEditForm):
+    """Protected object security policy edit form, JSON renderer"""
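Review bot: The `continue` added after `widget.mode = INPUT_MODE` is the last statement in the body of `for manager in role.managers:`, so it has no effect; the loop would move on to the next manager anyway. If the intent is to stop scanning once one matching manager is found, the line should be `break`; if nothing was intended, it is better removed so the access logic does not read as if something were being skipped. The enclosing loops start outside this hunk, so check which loop the statement was meant to control before changing it.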