Many thanks to everyone who responded to my problem. After about the 3rd or 4th email mentioning the special case for user #1, I finally realized what I needed to do. I also wish to respond to some of the issues brought up as a result of this discussion. The solution I made the following modification to the first line, and it worked: if ($primary_field == 'nid' && !node_access_view_all_nodes() && !user_access('administer nodes')) { Overriding node_db_rewrite_sql() David Cohen wrote: i'll go further, and suggest that you should not implement that hook in your module either. you want to restrict nodes using the node access API, just like og itself. See the example node_access module on api.drupal.org I'm sure you're right. This particular issue is part of a larger effort I've embarked on to make different access control systems work together. See: http://groups.drupal.org/access-control. Yes, OG uses the node access API for OG permissions, but what I am trying to do is make OG work with TAC and Content Access. Actually, I have done this. http://groups.drupal.org/node/3700 But, right now, I have to patch core and contributed modules. This effort here is about moving the functionality of that patched code into a separate module altogether. So, in order to not have to patch core code, I have to override the default hook_db_rewrite_sql() functions from a separate custom module. Why not use node access API, just like og itself? I am very familiar with the node access API from my work on OG User Roles: http://drupal.org/node/87679 The way the default system appears to work is to determine whether Module A or Module B or Module C says a user can have access to a node. In order to make OG User Roles, OG, TAC and CA work together, I need to be able to say: Allow the user access if Module A AND (Module B OR Module C ) says it's ok. If someone knows how to accomplish this with node grants, and is willing to work with me, I am all ears. The way I figured out how to do it was by using the "Extensible Node Access/Authoriisation Capability" patch: http://drupal.org/node/122173. This same mechanism is discussed here: http://drupal.org/node/143075. Many of us hope it finds its way into Drupal 6. Anyway, this patch helps me refine node access to my exact specifications. And, it works. However, as you know, node_access only handles create/view/update/delete requests and NOT list requests. In order for node listing to match node access in my environment, I needed to modify the node_db_rewrite_sql() function (as well as the hook_db_rewrite_sql() functions in OG and TAC). I did that, and I've had this wonderful cooperative environment working for a few months now. Using user #1 for development testing Honestly, I think the only reason I do this is because it's what I'm used to. I can see and do everything I need to quickly and easily. Besides, if I wasn't in this habit, I probably wouldn't have noticed the problem with my hook_db_rewrite_sql() code, at least not right away. -ron -- Ron Parker Software Creations http://www.scbbs.com Self-Administration Web Site http://saw.scbbs.com SDSS Subscription Mgmt Service http://sdss.scbbs.com Central Ave Dance Ensemble http://www.centralavedance.com R & B Salsa http://www.randbsalsa.com