Rupashri, thanks for the reply. If I understand you correctly, this would yield a trusted sub-system model, which is not what we are after. We need a delegation model because at the end of the day, we need to be able to audit the databases that contain sensitive data. If domain\jdoe logs onto the network, accesses an application, which then executes a stored procedure, then we need to be able to follow domain\jdoe all of the way through. And the only way to do this effectively is to use a delegation model and permission domain\jdoe at the database level.