diff --git a/VERSION b/VERSION
index c3c8e8c6..75900061 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-Version 2.4.7-stable+timestamp.2013.05.31.10.40.23
+Version 2.4.7-stable+timestamp.2013.05.31.11.25.20
diff --git a/applications/welcome/controllers/default.py b/applications/welcome/controllers/default.py
index 005b558a..e43cbc46 100644
--- a/applications/welcome/controllers/default.py
+++ b/applications/welcome/controllers/default.py
@@ -31,12 +31,14 @@ def user():
     http://..../[app]/default/user/profile
     http://..../[app]/default/user/retrieve_password
     http://..../[app]/default/user/change_password
+    http://..../[app]/default/user/manage_users (requires membership in 
     use @auth.requires_login()
         @auth.requires_membership('group name')
         @auth.requires_permission('read','table name',record_id)
     to decorate functions that need access control
     """
-    return dict(form=auth())
+    auth.settings.manager_group_id=1
+    return auth() if request.extension=='load' else dict(form=auth())
 
 
 @cache.action()
diff --git a/applications/welcome/views/default/user.html b/applications/welcome/views/default/user.html
index b4bd0a15..64433249 100644
--- a/applications/welcome/views/default/user.html
+++ b/applications/welcome/views/default/user.html
@@ -1,4 +1,23 @@
 {{extend 'layout.html'}}
+{{if request.args(0) == 'manage':}}
+<h2>{{=T('Manage Access Control')}}</h2>
+<ul class="nav nav-tabs">
+  <li class="active"><a href="#users" data-toggle="tab">Users</a></li>
+  <li><a href="#roles" data-toggle="tab">Roles</a></li>
+  <li><a href="#permissions" data-toggle="tab">Permissions</a></li>
+</ul>
+<div class="tab-content">
+  <div class="tab-pane active" id="users">
+    {{=LOAD(f='user.load', args=[request.args(0), auth.settings.table_user_name], ajax=True, user_signature=True)}}
+  </div>
+  <div class="tab-pane" id="roles">
+    {{=LOAD(f='user.load', args=[request.args(0), auth.settings.table_group_name], ajax=True, user_signature=True)}}
+  </div>
+  <div class="tab-pane" id="permissions">
+    {{=LOAD(f='user.load', args=[request.args(0), auth.settings.table_permission_name], ajax=True, user_signature=True)}}
+  </div>
+</div>
+{{else:}}
 <h2>{{=T( request.args(0).replace('_',' ').capitalize() )}}</h2>
 <div id="web2py_user_form">
 {{
@@ -21,3 +40,4 @@ jQuery("#web2py_user_form input:visible:enabled:first").focus();
     web2py_validate_entropy(jQuery('#no_table_new_password'),100);
 {{pass}}
 //--></script>
+{{pass}}
diff --git a/gluon/tools.py b/gluon/tools.py
index 4417dcb6..870a956e 100644
--- a/gluon/tools.py
+++ b/gluon/tools.py
@@ -878,6 +878,7 @@ class Auth(object):
         alternate_requires_registration=False,
         create_user_groups="user_%(id)s",
         everybody_group_id=None,
+        manager_group_id=None,
         login_captcha=None,
         register_captcha=None,
         retrieve_username_captcha=None,
@@ -1278,7 +1279,7 @@ class Auth(object):
                        'retrieve_username', 'retrieve_password',
                        'reset_password', 'request_reset_password',
                        'change_password', 'profile', 'groups',
-                       'impersonate', 'not_authorized'):
+                       'impersonate', 'not_authorized','manage'):
             if len(request.args) >= 2 and args[0] == 'impersonate':
                 return getattr(self, args[0])(request.args[1])
             else:
@@ -2935,6 +2936,40 @@ class Auth(object):
             return SQLFORM.factory(Field('user_id', 'integer'))
         return SQLFORM(table_user, user.id, readonly=True)
 
+    def manage(self):
+        T = current.T
+        request = current.request
+        db = self.db
+        tablename = request.args(1)
+        if not self.has_membership(self.settings.manager_group_id):
+            # not URL.verify(request, user_signature=True, hash_vars=False):
+            raise HTTP(403)
+        if not tablename or not tablename in db.tables:
+            return ''
+        table = db[tablename]
+        formname = '%s_grid' % tablename
+        if tablename == self.settings.table_user_name:
+            self.settings.table_user._plural = T('Users')
+            self.settings.table_membership._plural = T('Roles')
+            self.settings.table_membership._id.readable = False
+            self.settings.table_membership.user_id.label = T('User')
+            self.settings.table_membership.group_id.label = T('Role')
+            grid = SQLFORM.smartgrid(
+                table, args=request.args[:2], 
+                user_signature=True,
+                linked_tables=[self.settings.table_membership_name],
+                maxtextlength=1000, formname=formname)
+        else:
+            table._id.readable = False
+            self.settings.table_permission.group_id.label = T('Role')
+            self.settings.table_permission.name.label = T('Permission')
+            orderby = 'role' if tablename == self.settings.table_group_name \
+                else 'group_id'
+            grid = SQLFORM.grid(
+                table, args=request.args[:2], orderby=table[orderby],
+                user_signature=True, maxtextlength=1000, formname=formname)
+        return grid
+
     def update_groups(self):
         if not self.user:
             return