I want to implement user security.  Am I correct in understanding that I should use the CheckSecurity method on the business object to determine that an action is to be allowed or denied THEN use the SecurityDenied method in the object on the form to display the denied message to the user?

If this is the correct procedure would passing "Denied messages\reasons" to the SecurityDenied method thru the brokenrules collection be appropriate?  I want my BO to determine why access is being denied and just let the UI display the message to the user.

On the same topic, to determine who the current logged in user is I am using a static property on the AppMain class.  My problem here is I can not see the AppMain object and its properties from my BO project.  How do I have a "global" user object yet keep the BO independent.  How should this be handled?