diff --git a/gui/admin-gui/src/main/resources/initial-objects/010-value-policy.xml b/gui/admin-gui/src/main/resources/initial-objects/010-value-policy.xml
index 46d33fbca92..7bb2ce27362 100644
--- a/gui/admin-gui/src/main/resources/initial-objects/010-value-policy.xml
+++ b/gui/admin-gui/src/main/resources/initial-objects/010-value-policy.xml
@@ -58,4 +58,5 @@
             <!-- 			</limit> -->
         </limitations>
     </stringPolicy>
+    <minOccurs>0</minOccurs>
 </valuePolicy>
diff --git a/infra/common/src/main/java/com/evolveum/midpoint/common/policy/PasswordPolicyUtils.java b/infra/common/src/main/java/com/evolveum/midpoint/common/policy/PasswordPolicyUtils.java
index b4a90b5e81d..58bb1400d67 100644
--- a/infra/common/src/main/java/com/evolveum/midpoint/common/policy/PasswordPolicyUtils.java
+++ b/infra/common/src/main/java/com/evolveum/midpoint/common/policy/PasswordPolicyUtils.java
@@ -22,6 +22,7 @@
 import org.apache.commons.lang.Validate;
 
 import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.prism.xml.XsdTypeMapper;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.result.OperationResultStatus;
 import com.evolveum.midpoint.util.logging.Trace;
@@ -159,21 +160,23 @@ public static boolean validatePassword(String password, ValuePolicyType pp, Oper
 	 * @return - Operation result of this validation
 	 */
 	public static OperationResult validatePassword(String password, ValuePolicyType pp) {
-		// check input params
-//		if (null == pp) {
-//			throw new IllegalArgumentException("No policy provided: NULL");
-//		}
-//
-//		if (null == password) {
-//			throw new IllegalArgumentException("Password for validaiton is null.");
-//		}
-		
-		Validate.notNull(pp, "Password policy must not be null.");
-		Validate.notNull(password, "Password to validate must not be null.");
 
+		Validate.notNull(pp, "Password policy must not be null.");
+		
         OperationResult ret = new OperationResult(OPERATION_PASSWORD_VALIDATION);
         ret.addParam("policyName", pp.getName());
 		normalize(pp);
+		
+		if (password == null && pp.getMinOccurs() != null && XsdTypeMapper.multiplicityToInteger(pp.getMinOccurs()) == 0) {
+			// No password is allowed
+			ret.recordSuccess();
+			return ret;
+		}
+		
+		if (password == null) {
+			password = "";
+		}
+		
 		LimitationsType lims = pp.getStringPolicy().getLimitations();
 
 		StringBuilder message = new StringBuilder();
diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/parser/DomParser.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/parser/DomParser.java
index cd72d21de85..b33fe475f13 100644
--- a/infra/prism/src/main/java/com/evolveum/midpoint/prism/parser/DomParser.java
+++ b/infra/prism/src/main/java/com/evolveum/midpoint/prism/parser/DomParser.java
@@ -420,6 +420,18 @@ public String serializeToString(RootXNode xnode) throws SchemaException {
 		Element element = serializer.serialize(xnode);
 		return DOMUtil.serializeDOMToString(element);
 	}
+	
+	public Element serializeUnderElement(XNode xnode, QName rootElementName, Element parentElement) throws SchemaException {
+		DomSerializer serializer = new DomSerializer(this, schemaRegistry);
+		RootXNode xroot;
+		if (xnode instanceof RootXNode) {
+			xroot = (RootXNode) xnode;
+		} else {
+			xroot = new RootXNode(rootElementName);
+			xroot.setSubnode(xnode);
+		}
+		return serializer.serializeUnderElement(xroot, parentElement);
+	}
 
     public Element serializeXMapToElement(MapXNode xmap, QName elementName) throws SchemaException {
 		DomSerializer serializer = new DomSerializer(this, schemaRegistry);
diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/parser/DomSerializer.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/parser/DomSerializer.java
index 54bbce85d30..3a7dfd09500 100644
--- a/infra/prism/src/main/java/com/evolveum/midpoint/prism/parser/DomSerializer.java
+++ b/infra/prism/src/main/java/com/evolveum/midpoint/prism/parser/DomSerializer.java
@@ -86,19 +86,27 @@ private void initializeWithExistingDocument(Document document) {
 
 	public Element serialize(RootXNode rootxnode) throws SchemaException {
 		initialize();
-        return serializeInternal(rootxnode);
+        return serializeInternal(rootxnode, null);
     }
 
     // this one is used only from within JaxbDomHack.toAny(..) - hopefully it will disappear soon
     @Deprecated
     public Element serialize(RootXNode rootxnode, Document document) throws SchemaException {
         initializeWithExistingDocument(document);
-        return serializeInternal(rootxnode);
+        return serializeInternal(rootxnode, null);
+    }
+    
+    public Element serializeUnderElement(RootXNode rootxnode, Element parentElement) throws SchemaException {
+    	initializeWithExistingDocument(parentElement.getOwnerDocument());
+    	return serializeInternal(rootxnode, parentElement);
     }
 
-    private Element serializeInternal(RootXNode rootxnode) throws SchemaException {
+    private Element serializeInternal(RootXNode rootxnode, Element parentElement) throws SchemaException {
 		QName rootElementName = rootxnode.getRootElementName();
-		Element topElement = createElement(rootElementName, null);
+		Element topElement = createElement(rootElementName, parentElement);
+		if (parentElement != null) {
+			parentElement.appendChild(topElement);
+		}
 		QName typeQName = rootxnode.getTypeQName();
         if (typeQName == null && rootxnode.getSubnode().getTypeQName() != null) {
             typeQName = rootxnode.getSubnode().getTypeQName();
diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/parser/PrismBeanConverter.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/parser/PrismBeanConverter.java
index 2d8105d8d44..aada5410dea 100644
--- a/infra/prism/src/main/java/com/evolveum/midpoint/prism/parser/PrismBeanConverter.java
+++ b/infra/prism/src/main/java/com/evolveum/midpoint/prism/parser/PrismBeanConverter.java
@@ -110,6 +110,10 @@ public boolean canProcess(Class<?> clazz) {
 		return RawType.class.equals(clazz) || clazz.getAnnotation(XmlType.class) != null;
 	}
 	
+	public QName determineTypeForClass(Class<?> clazz) {
+		return inspector.determineTypeForClass(clazz);
+	}
+	
 	public <T> T unmarshall(MapXNode xnode, QName typeQName) throws SchemaException {
 		Class<T> classType = getSchemaRegistry().determineCompileTimeClass(typeQName);
 		return unmarshall(xnode, classType);
diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java
index 2eedcb1995e..65b112c467b 100644
--- a/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java
+++ b/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java
@@ -58,6 +58,7 @@ public abstract class SchemaConstants {
 	public static final String NS_MATCHING_RULE = NS_MIDPOINT_PUBLIC + "/common/matching-rule-3";
     public static final String NS_WFCF = "http://midpoint.evolveum.com/xml/ns/model/workflow/common-forms-3";
     public static final String NS_WFPIS = "http://midpoint.evolveum.com/xml/ns/model/workflow/process-instance-state-3";
+    public static final String NS_FAULT = "http://midpoint.evolveum.com/xml/ns/public/common/fault-3";
 
 	// COMMON NAMESPACE
 	
@@ -230,4 +231,6 @@ public abstract class SchemaConstants {
     public static final QName C_ASSIGNMENT = new QName(SchemaConstants.NS_C, "assignment");
 
     public static final QName C_NAME = new QName(SchemaConstants.NS_C, "name");
+    
+	public static final QName FAULT_MESSAGE_ELEMENT_NAME = new QName(NS_FAULT, "fault");
 }
diff --git a/infra/schema/src/main/resources/xml/ns/public/common/common-3.xsd b/infra/schema/src/main/resources/xml/ns/public/common/common-3.xsd
index 39bf7a98f17..1a8c18c212c 100644
--- a/infra/schema/src/main/resources/xml/ns/public/common/common-3.xsd
+++ b/infra/schema/src/main/resources/xml/ns/public/common/common-3.xsd
@@ -7667,6 +7667,24 @@
                 <xsd:sequence>
                     <xsd:element name="lifetime" type="c:PasswordLifeTimeType" minOccurs="1" maxOccurs="1"/>
                     <xsd:element name="stringPolicy" type="c:StringPolicyType" minOccurs="1" maxOccurs="1"/>
+                    <xsd:element name="minOccurs" type="xsd:string" minOccurs="0">
+                    	<xsd:annotation>
+                    		<xsd:documentation>
+                    			Minimal number of value occurences. minOccurs set to zero means that the value
+                    			is optional.
+                    			E.g. when applied to passwords the minOccurs=0 means that the policy will
+                    			accept no password at all. But it will still validate the password using
+                    			stringPolicy if a password is present.
+                    		</xsd:documentation>
+                    	</xsd:annotation>
+                    </xsd:element>
+                    <xsd:element name="maxOccurs" type="xsd:string" minOccurs="0">
+                    	<xsd:annotation>
+                    		<xsd:documentation>
+                    			Maximal number of value occurences.
+                    		</xsd:documentation>
+                    	</xsd:annotation>
+                    </xsd:element>
                 </xsd:sequence>
             </xsd:extension>
         </xsd:complexContent>
@@ -8020,7 +8038,7 @@
                                 TODO: better documentation
                             </xsd:documentation>
                             <xsd:appinfo>
-                    			<a:objectReferenceTargetType>tns:ValuePolicyType</a:objectReferenceTargetType>
+                    			<a:objectReferenceTargetType>tns:SecurityPolicyType</a:objectReferenceTargetType>
                     		</xsd:appinfo>
                         </xsd:annotation>
                     </xsd:element>
diff --git a/infra/schema/src/main/resources/xml/ns/public/common/fault-3.wsdl b/infra/schema/src/main/resources/xml/ns/public/common/fault-3.wsdl
index eafe2583b98..a04c2767d54 100644
--- a/infra/schema/src/main/resources/xml/ns/public/common/fault-3.wsdl
+++ b/infra/schema/src/main/resources/xml/ns/public/common/fault-3.wsdl
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright (c) 2010-2014 Evolveum
+  ~ Copyright (c) 2010-2015 Evolveum
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -25,18 +25,23 @@
 			 xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/fault-3">
     
 	<types>
-		<xsd:schema targetNamespace="http://midpoint.evolveum.com/xml/ns/public/common/fault-3">
+		<xsd:schema targetNamespace="http://midpoint.evolveum.com/xml/ns/public/common/fault-3"
+					elementFormDefault="qualified">
+					
 			<xsd:import namespace="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
 						schemaLocation="http://midpoint.evolveum.com/xml/ns/public/common/common-3"/>
 
 			<xsd:complexType name="FaultType" abstract="true">
 				<xsd:sequence>
-					<xsd:element name="message" type="xsd:string" />
-					<xsd:element name="operationResult" type="c:OperationResultType" />
+					<xsd:element ref="tns:message" />
+					<xsd:element ref="tns:operationResult" />
 				</xsd:sequence>
 			</xsd:complexType>
 
-			<xsd:element name="fault" type="tns:FaultType" />			
+			<xsd:element name="fault" type="tns:FaultType" />
+			
+			<xsd:element name="message" type="xsd:string" />
+			<xsd:element name="operationResult" type="c:OperationResultType" />			
 
 			<xsd:complexType name="SystemFaultType">
 				<xsd:annotation>
@@ -128,7 +133,38 @@
 				</xsd:complexContent>
 			</xsd:complexType>
 
-			<xsd:element name="schemaViolationFaul" type="tns:SchemaViolationFaultType" />
+			<xsd:element name="schemaViolationFault" type="tns:SchemaViolationFaultType" />
+			
+			<xsd:complexType name="PolicyViolationFaultType">
+				<xsd:annotation>
+					<xsd:documentation>
+				Provided object does not conform to the policies (such as password policy).
+					</xsd:documentation>
+				</xsd:annotation>
+				<xsd:complexContent>
+					<xsd:extension base="tns:ObjectAccessFaultType">
+					</xsd:extension>
+				</xsd:complexContent>
+			</xsd:complexType>
+
+			<xsd:element name="policyViolationFault" type="tns:PolicyViolationFaultType" />
+			
+			<xsd:complexType name="ConcurrencyFaultType">
+				<xsd:annotation>
+					<xsd:documentation>
+						Exceptional concurrency state or operation invocation.
+						
+ 						This fault is thrown in case of race conditions and similar conflicting concurrency conditions.
+						It is also thrown in an attempt to acquire already acquired locks and similar cases.
+ 					</xsd:documentation>
+				</xsd:annotation>
+				<xsd:complexContent>
+					<xsd:extension base="tns:ObjectAccessFaultType">
+					</xsd:extension>
+				</xsd:complexContent>
+			</xsd:complexType>
+
+			<xsd:element name="concurrencyFault" type="tns:ConcurrencyFaultType" />
 
 			<xsd:complexType name="ReferentialIntegrityFaultType">
 				<xsd:annotation>
@@ -198,6 +234,38 @@
 			</xsd:complexType>
 
 			<xsd:element name="unsupportedOperationFault" type="tns:UnsupportedOperationFaultType" />
+			
+			<xsd:complexType name="CommunicationFaultType">
+				<xsd:annotation>
+					<xsd:documentation>
+						Generic communication error. May happen in case of various network communication errors, including
+ 						(but not limited to) connection refused and timeouts.
+					</xsd:documentation>
+				</xsd:annotation>
+				<xsd:complexContent>
+					<xsd:extension base="tns:FaultType">
+					</xsd:extension>
+				</xsd:complexContent>
+			</xsd:complexType>
+
+			<xsd:element name="communicationFault" type="tns:CommunicationFaultType" />
+			
+			<xsd:complexType name="ConfigurationFaultType">
+				<xsd:annotation>
+					<xsd:documentation>
+						Configuration exception indicates that something is mis-configured.
+						
+ 						The system or its part is misconfigured and therefore the intended operation
+						cannot be executed.
+					</xsd:documentation>
+				</xsd:annotation>
+				<xsd:complexContent>
+					<xsd:extension base="tns:FaultType">
+					</xsd:extension>
+				</xsd:complexContent>
+			</xsd:complexType>
+
+			<xsd:element name="configurationFault" type="tns:ConfigurationFaultType" />
 
 		</xsd:schema>
 	</types>
diff --git a/infra/util/src/main/java/com/evolveum/midpoint/util/exception/ConsistencyViolationException.java b/infra/util/src/main/java/com/evolveum/midpoint/util/exception/ConsistencyViolationException.java
index f5df8b0bae2..c9737714f4a 100644
--- a/infra/util/src/main/java/com/evolveum/midpoint/util/exception/ConsistencyViolationException.java
+++ b/infra/util/src/main/java/com/evolveum/midpoint/util/exception/ConsistencyViolationException.java
@@ -34,6 +34,7 @@
  * @author Radovan Semancik
  *
  */
+@Deprecated
 public class ConsistencyViolationException extends CommonException {
 	private static final long serialVersionUID = -4194650066561884619L;
 
diff --git a/model/model-client/src/main/java/com/evolveum/midpoint/model/client/ModelClientUtil.java b/model/model-client/src/main/java/com/evolveum/midpoint/model/client/ModelClientUtil.java
index ee7712632c0..84099d2a30b 100644
--- a/model/model-client/src/main/java/com/evolveum/midpoint/model/client/ModelClientUtil.java
+++ b/model/model-client/src/main/java/com/evolveum/midpoint/model/client/ModelClientUtil.java
@@ -21,6 +21,8 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.StringReader;
+import java.io.StringWriter;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -28,6 +30,7 @@
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBElement;
 import javax.xml.bind.JAXBException;
+import javax.xml.bind.Marshaller;
 import javax.xml.bind.Unmarshaller;
 import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilder;
@@ -35,16 +38,21 @@
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.ws.BindingProvider;
 
+import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ObjectDeltaListType;
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ObjectDeltaOperationListType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectDeltaOperationType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
 import com.evolveum.prism.xml.ns._public.query_3.FilterClauseType;
 import com.evolveum.prism.xml.ns._public.query_3.SearchFilterType;
 import com.evolveum.prism.xml.ns._public.types_3.ChangeTypeType;
+import com.evolveum.prism.xml.ns._public.types_3.ItemDeltaType;
 import com.evolveum.prism.xml.ns._public.types_3.ItemPathType;
+import com.evolveum.prism.xml.ns._public.types_3.ModificationTypeType;
 import com.evolveum.prism.xml.ns._public.types_3.ObjectDeltaType;
 import com.evolveum.prism.xml.ns._public.types_3.PolyStringType;
 import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
@@ -120,6 +128,10 @@ public static PolyStringType createPolyStringType(String string, Document doc) {
 		return polyStringType;
 	}
     
+    public static PolyStringType createPolyStringType(String string) {
+		return createPolyStringType(string, getDocumnent());
+	}
+    
     public static String getOrig(PolyStringType polyStringType) {
         if (polyStringType == null) {
             return null;
@@ -177,17 +189,26 @@ public static Document getDocumnent() {
 	}
 
 	public static String getTypeUri(Class<? extends ObjectType> type) {
-//		QName typeQName = JAXBUtil.getTypeQName(type);
-//		String typeUri = QNameUtil.qNameToUri(typeQName);
 		String typeUri = NS_COMMON + "#" + type.getSimpleName();
 		return typeUri;
 	}
 	
 	public static QName getTypeQName(Class<? extends ObjectType> type) {
-//		QName typeQName = JAXBUtil.getTypeQName(type);
 		QName typeQName = new QName(NS_COMMON, type.getSimpleName());
 		return typeQName;
 	}
+
+	public static QName getElementName(Class<? extends ObjectType> type) {
+		String local = type.getSimpleName();
+		int typeIndex = local.lastIndexOf("Type");
+		if (typeIndex > 0) {
+			local = local.substring(0, typeIndex);
+		}
+		if (Character.isUpperCase(local.charAt(0))) {
+			local = local.substring(0,1).toLowerCase() + local.substring(1);
+		}
+		return new QName(NS_COMMON, local);
+	}	
 	
 	public static Element parseElement(String stringXml) throws SAXException, IOException {
 		Document document = domDocumentBuilder.parse(IOUtils.toInputStream(stringXml, "utf-8"));
@@ -246,6 +267,42 @@ public static ObjectDeltaOperationType findInDeltaOperationList(ObjectDeltaOpera
         return null;
     }
     
+    public static <O extends ObjectType> ObjectDeltaListType createModificationDeltaList(Class<O> type, String oid, 
+    		String path, ModificationTypeType modType, Object... values) {
+		ObjectDeltaListType deltaList = new ObjectDeltaListType();
+    	ObjectDeltaType delta = new ObjectDeltaType();
+    	delta.setObjectType(getTypeQName(type));
+    	delta.setChangeType(ChangeTypeType.MODIFY);
+    	delta.setOid(oid);
+    	ItemDeltaType itemDelta = new ItemDeltaType();
+    	itemDelta.setPath(ModelClientUtil.createItemPathType(path));
+    	itemDelta.setModificationType(modType);
+    	itemDelta.getValue().addAll(Arrays.asList(values));
+		delta.getItemDelta().add(itemDelta);
+		deltaList.getDelta().add(delta);
+		return deltaList;
+	}
+    
+    public static <O extends ObjectType, T extends ObjectType> ObjectDeltaListType createAssignDeltaList(Class<O> focusType, String focusOid, 
+    		Class<T> targetType, String targetOid) {
+    	return createAssignmentDeltaList(focusType, focusOid, targetType, targetOid, ModificationTypeType.ADD);
+    }
+
+    public static <O extends ObjectType, T extends ObjectType> ObjectDeltaListType createUnassignDeltaList(Class<O> focusType, String focusOid, 
+    		Class<T> targetType, String targetOid) {
+    	return createAssignmentDeltaList(focusType, focusOid, targetType, targetOid, ModificationTypeType.DELETE);
+    }
+
+    private static <O extends ObjectType, T extends ObjectType> ObjectDeltaListType createAssignmentDeltaList(Class<O> focusType, String focusOid, 
+    		Class<T> targetType, String targetOid, ModificationTypeType modificationType) {
+    	AssignmentType assignment = new AssignmentType();
+    	ObjectReferenceType targetRef = new ObjectReferenceType();
+    	targetRef.setOid(targetOid);
+    	targetRef.setType(getTypeQName(targetType));
+		assignment.setTargetRef(targetRef);
+    	return createModificationDeltaList(focusType, focusOid, "assignment", modificationType, assignment);
+    }
+    
     public static <O> O unmarshallResource(String path) throws JAXBException, FileNotFoundException {
 		Unmarshaller unmarshaller = jaxbContext.createUnmarshaller(); 
 		 
@@ -286,6 +343,23 @@ public static <O> O unmarshallFile(File file) throws JAXBException, FileNotFound
 		}
 		return element.getValue();
 	}
+    
+    public static <O extends ObjectType> String marshallToSting(O object) throws JAXBException {
+    	return marshallToSting(object, true);
+    }
+    
+    public static <O extends ObjectType> String marshallToSting(O object, boolean formatted) throws JAXBException {
+    	Marshaller marshaller = jaxbContext.createMarshaller();
+    	marshaller.setProperty(Marshaller.JAXB_ENCODING, "UTF-8");
+    	if (formatted) {
+    		marshaller.setProperty( Marshaller.JAXB_FORMATTED_OUTPUT, Boolean.TRUE );
+    	}
+    	java.io.StringWriter sw = new StringWriter();
+    	Class<O> type = (Class<O>) object.getClass();
+    	JAXBElement<O> element = new JAXBElement<O>(getElementName(type), type, object);
+    	marshaller.marshal(element, sw);
+    	return sw.toString();
+    }
 
     public static <O extends ObjectType> String toString(O obj) {
 		if (obj == null) {
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelWebService.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelWebService.java
index 1d4b1a6302e..cb93f861594 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelWebService.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelWebService.java
@@ -17,6 +17,7 @@
 
 import com.evolveum.midpoint.model.api.ModelExecuteOptions;
 import com.evolveum.midpoint.model.api.ModelPort;
+import com.evolveum.midpoint.model.api.PolicyViolationException;
 import com.evolveum.midpoint.model.api.ScriptExecutionResult;
 import com.evolveum.midpoint.model.api.ScriptingService;
 import com.evolveum.midpoint.model.common.util.AbstractModelWebService;
@@ -44,6 +45,7 @@
 import com.evolveum.midpoint.util.exception.AuthorizationException;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
+import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
 import com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.exception.SchemaException;
@@ -66,11 +68,15 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceObjectShadowChangeDescriptionType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
+import com.evolveum.midpoint.xml.ns._public.common.fault_3.CommunicationFaultType;
+import com.evolveum.midpoint.xml.ns._public.common.fault_3.ConfigurationFaultType;
 import com.evolveum.midpoint.xml.ns._public.common.fault_3.FaultMessage;
 import com.evolveum.midpoint.xml.ns._public.common.fault_3.FaultType;
 import com.evolveum.midpoint.xml.ns._public.common.fault_3.IllegalArgumentFaultType;
 import com.evolveum.midpoint.xml.ns._public.common.fault_3.ObjectAlreadyExistsFaultType;
 import com.evolveum.midpoint.xml.ns._public.common.fault_3.ObjectNotFoundFaultType;
+import com.evolveum.midpoint.xml.ns._public.common.fault_3.PolicyViolationFaultType;
+import com.evolveum.midpoint.xml.ns._public.common.fault_3.SchemaViolationFaultType;
 import com.evolveum.midpoint.xml.ns._public.common.fault_3.SystemFaultType;
 import com.evolveum.midpoint.xml.ns._public.model.model_3.ExecuteScriptsResponseType;
 import com.evolveum.midpoint.xml.ns._public.model.model_3.ExecuteScriptsType;
@@ -380,6 +386,16 @@ public void throwFault(Exception ex, OperationResult result) throws FaultMessage
 			faultType = new IllegalArgumentFaultType();
 		} else if (ex instanceof ObjectAlreadyExistsException){
 			faultType = new ObjectAlreadyExistsFaultType();
+		} else if (ex instanceof CommunicationException){
+			faultType = new CommunicationFaultType();
+		} else if (ex instanceof ConfigurationException){
+			faultType = new ConfigurationFaultType();
+		} else if (ex instanceof ExpressionEvaluationException){
+			faultType = new SystemFaultType();
+		} else if (ex instanceof SchemaException){
+			faultType = new SchemaViolationFaultType();
+		} else if (ex instanceof PolicyViolationException){
+			faultType = new PolicyViolationFaultType();
 		} else if (ex instanceof AuthorizationException) {
 			throw new Fault(new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION),
 					WSSecurityException.ErrorCode.FAILED_AUTHENTICATION.getQName());
@@ -394,7 +410,9 @@ public void throwFault(Exception ex, OperationResult result) throws FaultMessage
 			faultType.setOperationResult(result.createOperationResultType());
 		}
 
-		throw new FaultMessage(ex.getMessage(), faultType, ex);
+		FaultMessage fault = new FaultMessage(ex.getMessage(), faultType, ex);
+		LOGGER.trace("Throwing fault message type: {}", faultType.getClass(), fault);
+		throw fault;
 	}
 
 	@Override
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelWebServiceRaw.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelWebServiceRaw.java
index 150b6dc0850..6657024cf92 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelWebServiceRaw.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelWebServiceRaw.java
@@ -17,6 +17,9 @@
 
 import com.evolveum.midpoint.model.api.ModelPort;
 import com.evolveum.midpoint.prism.PrismContext;
+import com.evolveum.midpoint.prism.xnode.RootXNode;
+import com.evolveum.midpoint.prism.xnode.XNode;
+import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.util.DOMUtil;
 import com.evolveum.midpoint.util.exception.SchemaException;
@@ -45,6 +48,7 @@
 import com.evolveum.midpoint.xml.ns._public.model.model_3.SearchObjectsType;
 import com.evolveum.midpoint.xml.ns._public.model.model_3.TestResourceResponseType;
 import com.evolveum.midpoint.xml.ns._public.model.model_3.TestResourceType;
+
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.w3c.dom.Document;
@@ -61,6 +65,7 @@
 import javax.xml.ws.Provider;
 import javax.xml.ws.WebServiceProvider;
 import javax.xml.ws.soap.SOAPFaultException;
+
 import java.io.PrintWriter;
 import java.io.StringWriter;
 
@@ -100,6 +105,8 @@ public DOMSource invoke(DOMSource request) {
                 SOAPFault soapFault = factory.createFault();
                 soapFault.setFaultCode(SOAP11_FAULTCODE_SERVER);           // todo here is a constant until we have a mechanism to determine the correct value (client / server)
                 soapFault.setFaultString(faultMessage.getMessage());
+                Detail detail = soapFault.addDetail();
+                serializeFaultMessage(detail, faultMessage);
                 // fault actor?
                 // stack trace of the outer exception (FaultMessage) is unimportant, because it is always created at one place
                 // todo consider providing stack trace of the inner exception
@@ -112,7 +119,7 @@ public DOMSource invoke(DOMSource request) {
         }
     }
 
-    public DOMSource invokeAllowingFaults(DOMSource request) throws FaultMessage {
+	public DOMSource invokeAllowingFaults(DOMSource request) throws FaultMessage {
         Node rootNode = request.getNode();
         Element rootElement;
         if (rootNode instanceof Document) {
@@ -201,19 +208,32 @@ public DOMSource invokeAllowingFaults(DOMSource request) throws FaultMessage {
 
         return new DOMSource(response);
     }
+	
+	private void serializeFaultMessage(Detail detail, FaultMessage faultMessage) {
+		try {
+			XNode faultMessageXnode = prismContext.getBeanConverter().marshall(faultMessage.getFaultInfo());
+			RootXNode xroot = new RootXNode(SchemaConstants.FAULT_MESSAGE_ELEMENT_NAME, faultMessageXnode);
+			xroot.setExplicitTypeDeclaration(true);
+			QName faultType = prismContext.getBeanConverter().determineTypeForClass(faultMessage.getFaultInfo().getClass());
+			xroot.setTypeQName(faultType);
+			prismContext.getParserDom().serializeUnderElement(xroot, SchemaConstants.FAULT_MESSAGE_ELEMENT_NAME, detail);
+		} catch (SchemaException e) {
+			LOGGER.error("Error serializing fault message (SOAP fault detail): {}", e.getMessage(), e);
+		}
+	}
 
-    private DOMSource serializeFaultMessage(FaultMessage faultMessage) {
-        Element faultElement = DOMUtil.createElement(SOAP11_FAULT);
-        Element faultCodeElement = DOMUtil.createSubElement(faultElement, SOAP11_FAULTCODE);
-        faultCodeElement.setTextContent(SOAP11_FAULTCODE_SERVER);           // todo here is a constant until we have a mechanism to determine the correct value (client / server)
-        Element faultStringElement = DOMUtil.createSubElement(faultElement, SOAP11_FAULTSTRING);
-        faultStringElement.setTextContent(faultMessage.getMessage());
-        Element faultActorElement = DOMUtil.createSubElement(faultElement, SOAP11_FAULTACTOR);
-        faultActorElement.setTextContent("TODO");               // todo
-        Element faultDetailElement = DOMUtil.createSubElement(faultElement, SOAP11_FAULT_DETAIL);
-        faultDetailElement.setTextContent(getStackTraceAsString(faultMessage));
-        return new DOMSource(faultElement.getOwnerDocument());
-    }
+//    private DOMSource serializeFaultMessage(FaultMessage faultMessage) {
+//        Element faultElement = DOMUtil.createElement(SOAP11_FAULT);
+//        Element faultCodeElement = DOMUtil.createSubElement(faultElement, SOAP11_FAULTCODE);
+//        faultCodeElement.setTextContent(SOAP11_FAULTCODE_SERVER);           // todo here is a constant until we have a mechanism to determine the correct value (client / server)
+//        Element faultStringElement = DOMUtil.createSubElement(faultElement, SOAP11_FAULTSTRING);
+//        faultStringElement.setTextContent(faultMessage.getMessage());
+//        Element faultActorElement = DOMUtil.createSubElement(faultElement, SOAP11_FAULTACTOR);
+//        faultActorElement.setTextContent("TODO");               // todo
+//        Element faultDetailElement = DOMUtil.createSubElement(faultElement, SOAP11_FAULT_DETAIL);
+//        faultDetailElement.setTextContent(getStackTraceAsString(faultMessage));
+//        return new DOMSource(faultElement.getOwnerDocument());
+//    }
 
     private String getStackTraceAsString(FaultMessage faultMessage) {
         StringWriter sw = new StringWriter();
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/Clockwork.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/Clockwork.java
index 72311a7ba7d..f14a1b6954a 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/Clockwork.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/Clockwork.java
@@ -877,22 +877,31 @@ private <F extends ObjectType> void logFinalReadable(LensContext<F> context, Tas
 				sb.toString());
 	}
 	
-	private <F extends ObjectType> void authorizeContextRequest(LensContext<F> context, Task task, OperationResult result) throws SecurityViolationException, SchemaException {
-		final LensFocusContext<F> focusContext = context.getFocusContext();
-		OwnerResolver ownerResolver = null;
-		if (focusContext != null) {
-			ownerResolver = new OwnerResolver() {
-				@Override
-				public <F extends FocusType> PrismObject<F> resolveOwner(PrismObject<ShadowType> shadow) {
-					return (PrismObject<F>) focusContext.getObjectCurrent();
-				}
-			};
-			authorizeElementContext(context, focusContext, ownerResolver, true, task, result);
-		}
-		for (LensProjectionContext projectionContext: context.getProjectionContexts()) {
-			authorizeElementContext(context, projectionContext, ownerResolver, false, task, result);
+	private <F extends ObjectType> void authorizeContextRequest(LensContext<F> context, Task task, OperationResult parentResult) throws SecurityViolationException, SchemaException {
+		OperationResult result = parentResult.createMinorSubresult(Clockwork.class.getName()+".authorizeRequest");
+		try {
+			
+			final LensFocusContext<F> focusContext = context.getFocusContext();
+			OwnerResolver ownerResolver = null;
+			if (focusContext != null) {
+				ownerResolver = new OwnerResolver() {
+					@Override
+					public <F extends FocusType> PrismObject<F> resolveOwner(PrismObject<ShadowType> shadow) {
+						return (PrismObject<F>) focusContext.getObjectCurrent();
+					}
+				};
+				authorizeElementContext(context, focusContext, ownerResolver, true, task, result);
+			}
+			for (LensProjectionContext projectionContext: context.getProjectionContexts()) {
+				authorizeElementContext(context, projectionContext, ownerResolver, false, task, result);
+			}
+			context.setRequestAuthorized(true);
+			result.recordSuccess();
+			
+		} catch (SecurityViolationException | SchemaException e) {
+			result.recordFatalError(e);
+			throw e;
 		}
-		context.setRequestAuthorized(true);
 	}
 	
 	private <F extends ObjectType, O extends ObjectType> ObjectSecurityConstraints authorizeElementContext(LensContext<F> context, LensElementContext<O> elementContext,
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/PasswordPolicyProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/PasswordPolicyProcessor.java
index b78d3f25043..9fa6e908f3e 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/PasswordPolicyProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/PasswordPolicyProcessor.java
@@ -365,13 +365,13 @@ private <F extends ObjectType> boolean isCheckOrgPolicy(LensContext<F> context)
     // On missing password this returns empty string (""). It is then up to password policy whether it allows empty passwords or not.
 	private String determinePasswordValue(PrismProperty<PasswordType> password) {
 		if (password == null || password.getValue(ProtectedStringType.class) == null) {
-			return "";
+			return null;
 		}
 
 		ProtectedStringType passValue = password.getValue(ProtectedStringType.class).getValue();
 
 		if (passValue == null) {
-			return "";
+			return null;
 		}
 
 		String passwordStr = passValue.getClearValue();
@@ -385,7 +385,7 @@ private String determinePasswordValue(PrismProperty<PasswordType> password) {
 			}
 		}
 
-		return passwordStr != null ? passwordStr : "";
+		return passwordStr;
 	}
 
 
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/PasswordCallback.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/PasswordCallback.java
index cdc08dc2bf1..43d764cd6ac 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/PasswordCallback.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/PasswordCallback.java
@@ -80,9 +80,6 @@ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallback
 			securityHelper.auditLoginFailure(username, "No user", SchemaConstants.CHANNEL_WEB_SERVICE_URI);
 			throw new PasswordCallbackException("Authentication failed");
 		}
-        if (user == null) {
-            throw new SecurityException("unknown user");
-        }
         UserType userType = user.getUser();
         CredentialsType credentials = userType.getCredentials();
         if (credentials == null) {
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SpringAuthenticationInjectorInterceptor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SpringAuthenticationInjectorInterceptor.java
index f9a17363ef3..df46c2e735f 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SpringAuthenticationInjectorInterceptor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SpringAuthenticationInjectorInterceptor.java
@@ -19,6 +19,7 @@
 import com.evolveum.midpoint.audit.api.AuditEventStage;
 import com.evolveum.midpoint.audit.api.AuditEventType;
 import com.evolveum.midpoint.audit.api.AuditService;
+import com.evolveum.midpoint.common.ActivationComputer;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResultStatus;
 import com.evolveum.midpoint.security.api.AuthorizationConstants;
@@ -33,6 +34,7 @@
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
 
@@ -79,13 +81,15 @@ public class SpringAuthenticationInjectorInterceptor implements PhaseInterceptor
     private UserProfileService userDetailsService;
     private SecurityEnforcer securityEnforcer;
 	private SecurityHelper securityHelper;
+	private ActivationComputer activationComputer;
 
     public SpringAuthenticationInjectorInterceptor(UserProfileService userDetailsService,
-    		SecurityEnforcer securityEnforcer, SecurityHelper securityHelper) {
+    		SecurityEnforcer securityEnforcer, SecurityHelper securityHelper, ActivationComputer activationComputer) {
         super();
         this.userDetailsService = userDetailsService;
         this.securityEnforcer = securityEnforcer;
         this.securityHelper = securityHelper;
+        this.activationComputer = activationComputer;
         id = getClass().getName();
         phase = Phase.PRE_PROTOCOL;
         getAfter().add(WSS4JInInterceptor.class.getName());
@@ -144,6 +148,14 @@ public void handleMessage(SoapMessage message) throws Fault {
         		securityHelper.auditLoginFailure(username, "No user", SchemaConstants.CHANNEL_WEB_SERVICE_URI);
             	throw createFault(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
         	}
+        	
+        	if (!activationComputer.isActive(principal.getUser().getActivation())) {
+        		LOGGER.trace("Refusing access to {} because the user is not active", username);
+        		message.setContextualProperty(SecurityHelper.CONTEXTUAL_PROPERTY_AUDITED_NAME, true);
+        		securityHelper.auditLoginFailure(username, "User not active", SchemaConstants.CHANNEL_WEB_SERVICE_URI);
+            	throw createFault(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+        	}
+        	
             Authentication authentication = new UsernamePasswordAuthenticationToken(principal, null);
             SecurityContextHolder.getContext().setAuthentication(authentication);
             
diff --git a/model/model-impl/src/main/resources/ctx-model.xml b/model/model-impl/src/main/resources/ctx-model.xml
index 561ecc12f15..769e150dd95 100644
--- a/model/model-impl/src/main/resources/ctx-model.xml
+++ b/model/model-impl/src/main/resources/ctx-model.xml
@@ -432,6 +432,7 @@
         <constructor-arg name="userDetailsService" ref="userDetailsService"/>
         <constructor-arg name="securityEnforcer" ref="securityEnforcer"/>
         <constructor-arg name="securityHelper" ref="securityHelper"/>
+        <constructor-arg name="activationComputer" ref="activationComputer"/>
     </bean>
     
     <bean id="wsFaultListener" class="com.evolveum.midpoint.model.impl.security.WsFaultListener">
diff --git a/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/AuthorizationConstants.java b/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/AuthorizationConstants.java
index ca0b14d3c19..a6c619a68a1 100644
--- a/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/AuthorizationConstants.java
+++ b/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/AuthorizationConstants.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2013 Evolveum
+ * Copyright (c) 2010-2015 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
diff --git a/testing/wstest/src/test/java/com/evolveum/midpoint/testing/wstest/AbstractWebserviceTest.java b/testing/wstest/src/test/java/com/evolveum/midpoint/testing/wstest/AbstractWebserviceTest.java
index 145031ac9bf..f12f9539419 100644
--- a/testing/wstest/src/test/java/com/evolveum/midpoint/testing/wstest/AbstractWebserviceTest.java
+++ b/testing/wstest/src/test/java/com/evolveum/midpoint/testing/wstest/AbstractWebserviceTest.java
@@ -111,7 +111,7 @@ public abstract class AbstractWebserviceTest {
  	public static final String USER_NOBODY_GIVEN_NAME = "No";
  	public static final String USER_NOBODY_FAMILY_NAME = "Body";
  	public static final String USER_NOBODY_PASSWORD = "nopassword";
-
+ 	
  	// WS authorization only
  	public static final File USER_CYCLOPS_FILE = new File(COMMON_DIR, "user-cyclops.xml");
  	public static final String USER_CYCLOPS_USERNAME = "cyclops";
@@ -121,9 +121,23 @@ public abstract class AbstractWebserviceTest {
  	public static final File USER_SOMEBODY_FILE = new File(COMMON_DIR, "user-somebody.xml");
  	public static final String USER_SOMEBODY_USERNAME = "somebody";
  	public static final String USER_SOMEBODY_PASSWORD = "somepassword";
+
+ 	// WS, reader and adder authorization
+ 	public static final File USER_DARTHADDER_FILE = new File(COMMON_DIR, "user-darthadder.xml");
+ 	public static final String USER_DARTHADDER_OID = "1696229e-d90a-11e4-9ce6-001e8c717e5b";
+ 	public static final String USER_DARTHADDER_USERNAME = "darthadder";
+ 	public static final String USER_DARTHADDER_PASSWORD = "iamyouruncle";
  	
+ 	// Authorizations, but no password
+ 	public static final File USER_NOPASSWORD_FILE = new File(COMMON_DIR, "user-nopassword.xml");
+ 	public static final String USER_NOPASSWORD_USERNAME = "nopassword";
+
  	public static final File ROLE_WS_FILE = new File(COMMON_DIR, "role-ws.xml");
 	public static final File ROLE_READER_FILE = new File(COMMON_DIR, "role-reader.xml");
+	public static final File ROLE_ADDER_FILE = new File(COMMON_DIR, "role-adder.xml");
+	
+	public static final File ROLE_MODIFIER_FILE = new File(COMMON_DIR, "role-modifier.xml");
+	public static final String ROLE_MODIFIER_OID = "82005ae4-d90b-11e4-bdcc-001e8c717e5b";
  	
 	protected static final Pattern PATTERN_AUDIT_EVENT_ID = Pattern.compile(".*\\seid=([^,]+),\\s.*");
 	protected static final Pattern PATTERN_AUDIT_SESSION_ID = Pattern.compile(".*\\ssid=([^,]+),\\s.*");
@@ -250,12 +264,11 @@ protected <O extends ObjectType> O getObject(Class<O> type, String oid) throws F
      * returns URI of type passed as argument
      * */
     protected static String getTypeUri(Class<? extends ObjectType> type){
-        String typeUri = NS_COMMON + "#" + type.getSimpleName();
-        return typeUri;
+    	return ModelClientUtil.getTypeUri(type);
     }
 
     protected static QName getTypeQName(Class<? extends ObjectType> type){
-        return new QName(NS_COMMON, type.getSimpleName());
+    	return ModelClientUtil.getTypeQName(type);
     }
 
     /**
@@ -407,11 +420,15 @@ protected void assertSuccess(OperationResultType result) {
 		// TODO: look inside
 	}
 	
-	protected <F extends FaultType> void assertFaultMessage(FaultMessage fault, Class<F> expectedFaultInfoClass) {
+	protected <F extends FaultType> void assertFaultMessage(FaultMessage fault, Class<F> expectedFaultInfoClass, String expectedMessage) {
     	FaultType faultInfo = fault.getFaultInfo();
     	if (expectedFaultInfoClass != null && !expectedFaultInfoClass.isAssignableFrom(faultInfo.getClass())) {
     		AssertJUnit.fail("Expected that faultInfo will be of type "+expectedFaultInfoClass+", but it was "+faultInfo.getClass());
     	}
+    	if (expectedMessage != null) {
+    		assertTrue("Wrong message in fault: "+fault.getMessage(), fault.getMessage().contains(expectedMessage));
+    		assertTrue("Wrong message in fault info: "+faultInfo.getMessage(), faultInfo.getMessage().contains(expectedMessage));
+    	}
     	OperationResultType result = faultInfo.getOperationResult();
     	assertEquals("Expected that resut in FaultInfo will be fatal error, but it was "+result.getStatus(),
     			OperationResultStatusType.FATAL_ERROR, result.getStatus());
@@ -441,6 +458,12 @@ protected void display(String msg) {
 		System.out.println(msg);
 		LOGGER.info("{}", msg);
 	}
+	
+	protected <O extends ObjectType> void display(O object) throws JAXBException {
+		String xmlString = ModelClientUtil.marshallToSting(object);
+		System.out.println(xmlString);
+		LOGGER.info("{}", xmlString);
+	}
 
 	protected LogfileTestTailer createLogTailer() throws IOException {
 		return new LogfileTestTailer(SERVER_LOG_FILE, AUDIT_LOGGER_NAME, true);
@@ -460,23 +483,14 @@ private void checkAuditEnabled(SystemConfigurationType configurationType) throws
         	auditConfig.setEnabled(true);
         }
         
-        ObjectDeltaListType deltaList = new ObjectDeltaListType();
-    	ObjectDeltaType delta = new ObjectDeltaType();
-    	delta.setObjectType(getTypeQName(SystemConfigurationType.class));
-    	delta.setChangeType(ChangeTypeType.MODIFY);
-    	delta.setOid(SystemObjectsType.SYSTEM_CONFIGURATION.value());
-    	ItemDeltaType itemDelta = new ItemDeltaType();
-    	itemDelta.setPath(ModelClientUtil.createItemPathType("logging"));
-    	itemDelta.setModificationType(ModificationTypeType.REPLACE);
-    	itemDelta.getValue().add(loggingConfig);
-		delta.getItemDelta().add(itemDelta);
-		deltaList.getDelta().add(delta);
+        ObjectDeltaListType deltaList = ModelClientUtil.createModificationDeltaList(SystemConfigurationType.class, 
+        		SystemObjectsType.SYSTEM_CONFIGURATION.value(), "logging", ModificationTypeType.REPLACE, loggingConfig);
 		
 		ObjectDeltaOperationListType deltaOpList = modelPort.executeChanges(deltaList, null);
 		
 		assertSuccess(deltaOpList);
 	}
-	
+		
 	protected void assertAuditLoginFailed(LogfileTestTailer tailer, String expectedMessage) {
         tailer.assertAudit(1);
         String auditMessage = tailer.getAuditMessages().get(0);
@@ -560,6 +574,11 @@ protected void assertAuditLoginLogout(LogfileTestTailer tailer) {
 	}
 	
 	protected void assertAuditOperation(LogfileTestTailer tailer, String expectedEventType) {
+		assertAuditOperation(tailer, expectedEventType, OperationResultStatusType.SUCCESS, null);
+	}
+	
+	protected void assertAuditOperation(LogfileTestTailer tailer, String expectedEventType, 
+			OperationResultStatusType expectedStatus, String expectedMessage) {
 		List<String> msgs = tailer.getAuditMessages();
 		String reqMsg = msgs.get(1);
         assertTrue("Audit: request: wrong operation: "+reqMsg, reqMsg.contains("et="+expectedEventType));
@@ -568,7 +587,10 @@ protected void assertAuditOperation(LogfileTestTailer tailer, String expectedEve
         String execMsg = msgs.get(2);
         assertTrue("Audit: exec: wrong operation: "+execMsg, execMsg.contains("et="+expectedEventType));
         assertTrue("Audit: exec: not execution: "+execMsg, execMsg.contains("es=EXECUTION"));
-        assertTrue("Audit: exec: not success: "+execMsg, execMsg.contains("o=SUCCESS"));
+        assertTrue("Audit: exec: wrong status, expected '"+expectedStatus+"': "+execMsg, execMsg.contains("o="+expectedStatus));
+        if (expectedMessage != null) {
+        	assertTrue("Audit: exec: wrong message, expected '"+expectedMessage+"': "+execMsg, execMsg.matches(".*m=.*"+expectedMessage+".*"));
+        }
 	}
 
 
diff --git a/testing/wstest/src/test/java/com/evolveum/midpoint/testing/wstest/WebserviceSecurityTest.java b/testing/wstest/src/test/java/com/evolveum/midpoint/testing/wstest/WebserviceSecurityTest.java
index 07f7d83a604..5ffffd94435 100644
--- a/testing/wstest/src/test/java/com/evolveum/midpoint/testing/wstest/WebserviceSecurityTest.java
+++ b/testing/wstest/src/test/java/com/evolveum/midpoint/testing/wstest/WebserviceSecurityTest.java
@@ -39,7 +39,11 @@
 
 import com.evolveum.midpoint.model.client.ModelClientUtil;
 import com.evolveum.midpoint.test.util.LogfileTestTailer;
+import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ObjectDeltaListType;
+import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ObjectDeltaOperationListType;
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ObjectModificationType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.OperationResultStatusType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.OperationResultType;
@@ -49,8 +53,12 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
 import com.evolveum.midpoint.xml.ns._public.common.fault_3.FaultMessage;
 import com.evolveum.midpoint.xml.ns._public.common.fault_3.FaultType;
+import com.evolveum.midpoint.xml.ns._public.common.fault_3.PolicyViolationFaultType;
 import com.evolveum.midpoint.xml.ns._public.model.model_3.ModelPortType;
 import com.evolveum.midpoint.xml.ns._public.model.model_3.ModelService;
+import com.evolveum.prism.xml.ns._public.types_3.ModificationTypeType;
+import com.evolveum.prism.xml.ns._public.types_3.PolyStringType;
+import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
 
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBElement;
@@ -63,6 +71,7 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -78,24 +87,8 @@
 @DirtiesContext(classMode = ClassMode.AFTER_CLASS)
 public class WebserviceSecurityTest extends AbstractWebserviceTest {
 
-    private static final String PACKAGE_API_TYPES_2 = "com.evolveum.midpoint.xml.ns._public.common.api_types_3";
-    private static final String PACKAGE_COMMON_2A = "com.evolveum.midpoint.xml.ns._public.common.common_3";
-
-    private static final String SECURITY_DIR_NAME = "src/test/resources/security/";
-
-    private static final String USER_TEST_2_FILENAME = "user_test2.xml";
-    private static final String USER_TEST_2_CLEAN_PASS_FILENAME = "user_test2_clean_pass.xml";
-
-    private static final String SYSTEM_CONFIG_FILENAME = "system_config_without_pass_policy.xml";
-    private static final String SYSTEM_CONFIG_NORMAL_FILENAME = "system_config_normal.xml";
-
-    private static final String USER_TEST_5_FILENAME = "user_test5.xml";
-    private static final String USER_TEST_6_FILENAME = "user_test6.xml";
-
-    private static final String test_user_oid_2 = "c0c010c0-d34d-b33f-f00d-111111111112";
-    private static final String system_config_oid = "00000000-0000-0000-0000-000000000001";
-
-    private static final String UNIVERSAL_USER_PASSWORD = "ineedmorepower";
+	private static final String USER_DARTHADDER_PASSWORD_NEW1 = "iamyourgreatgranduncle";
+	private static final String USER_DARTHADDER_PASSWORD_NEW2 = "iamyourdog";
 
     
     /*===============================================================================================================*/
@@ -495,6 +488,9 @@ public void test130AddRolesAndUsersAsAdministrator() throws Exception {
 
         role = ModelClientUtil.unmarshallFile(ROLE_READER_FILE);
         addObject(role);
+        
+        role = ModelClientUtil.unmarshallFile(ROLE_ADDER_FILE);
+        addObject(role);
 
         UserType user = ModelClientUtil.unmarshallFile(USER_CYCLOPS_FILE);
         String userCyclopsOid = addObject(user);
@@ -502,12 +498,18 @@ public void test130AddRolesAndUsersAsAdministrator() throws Exception {
         user = ModelClientUtil.unmarshallFile(USER_SOMEBODY_FILE);
         addObject(user);
         
+        user = ModelClientUtil.unmarshallFile(USER_DARTHADDER_FILE);
+        addObject(user);
+        
+        user = ModelClientUtil.unmarshallFile(USER_NOPASSWORD_FILE);
+        addObject(user);
+        
         // GET user
         UserType userAfter = getObject(UserType.class, userCyclopsOid);
         assertUser(userAfter, userCyclopsOid, USER_CYCLOPS_USERNAME);
         
-        assertObjectCount(UserType.class, 4);
-        assertObjectCount(RoleType.class, 4);
+        assertObjectCount(UserType.class, 6);
+        assertObjectCount(RoleType.class, 5);
     }
 
 	@Test
@@ -534,7 +536,6 @@ public void test131GetConfigAsCyclopsGoodPasswordDigest() throws Exception {
         }
         
         tailer.tail();
-        displayAudit(tailer);
         assertAuditLoginLogout(tailer);
     }
 	
@@ -559,12 +560,475 @@ public void test132GetConfigAsSomebodyGoodPasswordDigest() throws Exception {
         assertAuditIds(tailer);
         tailer.assertAudit(2);
     }
+	
+	@Test
+    public void test133ModifyConfigAsSomebody() throws Exception {
+    	final String TEST_NAME = "test133ModifyConfigAsSomebody";
+    	displayTestTitle(TEST_NAME);
+    	
+    	LogfileTestTailer tailer = createLogTailer();
+
+        ObjectReferenceType ref = new ObjectReferenceType();
+        ref.setOid("c4e998e6-d903-11e4-9aaf-001e8c717e5b"); // fake
+        
+        ObjectDeltaListType deltaList = ModelClientUtil.createModificationDeltaList(SystemConfigurationType.class, 
+        		SystemObjectsType.SYSTEM_CONFIGURATION.value(), "globalSecurityPolicyRef", ModificationTypeType.REPLACE, 
+        		ref);
+        
+        try {
+    		// WHEN
+            modelPort.executeChanges(deltaList, null);
+        	
+        	AssertJUnit.fail("Unexpected success");
+        	
+        } catch (SOAPFaultException e) {
+        	assertSoapFault(e, "FailedAuthentication", "could not be authenticated or authorized");        	
+        }
+        
+        // THEN
+        tailer.tail();
+        displayAudit(tailer);
+        assertAuditLoginLogout(tailer);
+        assertAuditIds(tailer);
+        assertAuditOperation(tailer, "MODIFY_OBJECT", OperationResultStatusType.FATAL_ERROR, "not authorized");
+        tailer.assertAudit(4);
+    }
+	
+	@Test
+    public void test134GetConfigAsDarthAdderGoodPasswordDigest() throws Exception {
+    	final String TEST_NAME = "test134GetConfigAsDarthAdderGoodPasswordDigest";
+    	displayTestTitle(TEST_NAME);
+    	
+    	LogfileTestTailer tailer = createLogTailer();
+        modelPort = createModelPort(USER_DARTHADDER_USERNAME, USER_DARTHADDER_PASSWORD, WSConstants.PW_DIGEST);
+
+        Holder<ObjectType> objectHolder = new Holder<ObjectType>();
+        Holder<OperationResultType> resultHolder = new Holder<OperationResultType>();
+        
+        /// WHEN
+        modelPort.getObject(getTypeQName(SystemConfigurationType.class), SystemObjectsType.SYSTEM_CONFIGURATION.value(), 
+        		null, objectHolder, resultHolder);
+        
+        // THEN
+        tailer.tail();
+        assertAuditLoginLogout(tailer);
+        assertAuditIds(tailer);
+        tailer.assertAudit(2);
+    }
+	
+	@Test
+    public void test135ModifyConfigAsDarthAdder() throws Exception {
+    	final String TEST_NAME = "test135ModifyConfigAsDarthAdder";
+    	displayTestTitle(TEST_NAME);
+    	
+    	LogfileTestTailer tailer = createLogTailer();
+
+        ObjectReferenceType ref = new ObjectReferenceType();
+        ref.setOid("c4e998e6-d903-11e4-9aaf-001e8c717e5b"); // fake
+        
+        ObjectDeltaListType deltaList = ModelClientUtil.createModificationDeltaList(SystemConfigurationType.class, 
+        		SystemObjectsType.SYSTEM_CONFIGURATION.value(), "globalSecurityPolicyRef", ModificationTypeType.REPLACE, 
+        		ref);
+        
+        try {
+    		// WHEN
+            modelPort.executeChanges(deltaList, null);
+        	
+        	AssertJUnit.fail("Unexpected success");
+        	
+        } catch (SOAPFaultException e) {
+        	assertSoapFault(e, "FailedAuthentication", "could not be authenticated or authorized");        	
+        }
+        
+        // THEN
+        tailer.tail();
+        displayAudit(tailer);
+        assertAuditLoginLogout(tailer);
+        assertAuditIds(tailer);
+        assertAuditOperation(tailer, "MODIFY_OBJECT", OperationResultStatusType.FATAL_ERROR, "not authorized");
+        tailer.assertAudit(4);
+    }
+	
+	@Test
+    public void test136AddRoleAsDarthAdder() throws Exception {
+    	final String TEST_NAME = "test136AddRoleAsDarthAdder";
+    	displayTestTitle(TEST_NAME);
+    	
+    	LogfileTestTailer tailer = createLogTailer();
+        
+        RoleType role = ModelClientUtil.unmarshallFile(ROLE_MODIFIER_FILE);
+        
+        /// WHEN
+        addObject(role);
+        
+        // THEN
+        tailer.tail();
+        displayAudit(tailer);
+        assertAuditLoginLogout(tailer);
+        assertAuditIds(tailer);
+        assertAuditOperation(tailer, "ADD_OBJECT");
+        tailer.assertAudit(4);
+        
+        assertObjectCount(UserType.class, 6);
+        assertObjectCount(RoleType.class, 6);
+    }
+	
+	@Test
+    public void test135AssignRoleAsDarthAdder() throws Exception {
+    	final String TEST_NAME = "test135ModifyConfigAsDarthAdder";
+    	displayTestTitle(TEST_NAME);
+    	
+    	LogfileTestTailer tailer = createLogTailer();
+        
+        ObjectDeltaListType deltaList = ModelClientUtil.createAssignDeltaList(UserType.class, USER_DARTHADDER_OID, 
+        		RoleType.class, ROLE_MODIFIER_OID);
+        
+        try {
+    		// WHEN
+            modelPort.executeChanges(deltaList, null);
+        	
+        	AssertJUnit.fail("Unexpected success");
+        	
+        } catch (SOAPFaultException e) {
+        	assertSoapFault(e, "FailedAuthentication", "could not be authenticated or authorized");        	
+        }
+        
+        // THEN
+        tailer.tail();
+        displayAudit(tailer);
+        assertAuditLoginLogout(tailer);
+        assertAuditIds(tailer);
+        assertAuditOperation(tailer, "MODIFY_OBJECT", OperationResultStatusType.FATAL_ERROR, "not authorized");
+        tailer.assertAudit(4);
+        
+    }
+	
+	@Test
+    public void test140AssignRoleToDarthAdderAsAdministrator() throws Exception {
+    	final String TEST_NAME = "test140AssignRoleToDarthAdderAsAdministrator";
+    	displayTestTitle(TEST_NAME);
+    	
+    	LogfileTestTailer tailer = createLogTailer();
+    	modelPort = createModelPort();
+        
+        ObjectDeltaListType deltaList = ModelClientUtil.createAssignDeltaList(UserType.class, USER_DARTHADDER_OID, 
+        		RoleType.class, ROLE_MODIFIER_OID);
+        
+        // WHEN
+        ObjectDeltaOperationListType deltaOpList = modelPort.executeChanges(deltaList, null);
+        	        
+        // THEN
+        assertSuccess(deltaOpList);
+        
+        tailer.tail();
+        displayAudit(tailer);
+        assertAuditLoginLogout(tailer);
+        assertAuditIds(tailer);
+        assertAuditOperation(tailer, "MODIFY_OBJECT");
+        tailer.assertAudit(4);
+    }
+	
+	@Test
+    public void test141ModifyTitleAsDarthAdder() throws Exception {
+    	final String TEST_NAME = "test141ModifyTitleAsDarthAdder";
+    	displayTestTitle(TEST_NAME);
+    	
+    	LogfileTestTailer tailer = createLogTailer();
+        modelPort = createModelPort(USER_DARTHADDER_USERNAME, USER_DARTHADDER_PASSWORD, WSConstants.PW_DIGEST);
+
+        ObjectDeltaListType deltaList = ModelClientUtil.createModificationDeltaList(UserType.class, USER_DARTHADDER_OID,
+        		"title", ModificationTypeType.REPLACE, ModelClientUtil.createPolyStringType("Dark Lord"));
+        
+        // WHEN
+        ObjectDeltaOperationListType deltaOpList = modelPort.executeChanges(deltaList, null);
+        	        
+        // THEN
+        assertSuccess(deltaOpList);
+        
+        tailer.tail();
+        displayAudit(tailer);
+        assertAuditLoginLogout(tailer);
+        assertAuditIds(tailer);
+        assertAuditOperation(tailer, "MODIFY_OBJECT");
+        tailer.assertAudit(4);
+        
+        UserType user = getObject(UserType.class, USER_DARTHADDER_OID);
+        PolyStringType title = user.getTitle();
+        assertEquals("Wrong title", "Dark Lord", ModelClientUtil.getOrig(title));
+    }
     
+	@Test
+	public void test142DisableHimselfAsDarthAdder() throws Exception {
+    	final String TEST_NAME = "test142DisableHimselfAsDarthAdder";
+    	displayTestTitle(TEST_NAME);
+    	
+    	LogfileTestTailer tailer = createLogTailer();
+
+        ObjectDeltaListType deltaList = ModelClientUtil.createModificationDeltaList(UserType.class, USER_DARTHADDER_OID,
+        		"activation/administrativeStatus", ModificationTypeType.REPLACE, ActivationStatusType.DISABLED);
+        
+        // WHEN
+        ObjectDeltaOperationListType deltaOpList = modelPort.executeChanges(deltaList, null);
+        	        
+        // THEN
+        assertSuccess(deltaOpList);
+        
+        tailer.tail();
+        displayAudit(tailer);
+        assertAuditLoginLogout(tailer);
+        assertAuditIds(tailer);
+        assertAuditOperation(tailer, "MODIFY_OBJECT");
+        tailer.assertAudit(4);     
+        
+        modelPort = createModelPort();
+        UserType user = getObject(UserType.class, USER_DARTHADDER_OID);
+        display(user);
+        assertEquals("Wrong administrative status in "+ModelClientUtil.toString(user), ActivationStatusType.DISABLED, user.getActivation().getAdministrativeStatus());
+    }
+	
+	@Test
+    public void test143GetConfigAsDarthAdderGoodPasswordDigest() throws Exception {
+    	final String TEST_NAME = "test143GetConfigAsDarthAdderGoodPasswordDigest";
+    	displayTestTitle(TEST_NAME);
+    	
+    	LogfileTestTailer tailer = createLogTailer();
+        modelPort = createModelPort(USER_DARTHADDER_USERNAME, USER_DARTHADDER_PASSWORD, WSConstants.PW_DIGEST);
+
+        Holder<ObjectType> objectHolder = new Holder<ObjectType>();
+        Holder<OperationResultType> resultHolder = new Holder<OperationResultType>();
+        
+        try {
+	        /// WHEN
+	        modelPort.getObject(getTypeQName(SystemConfigurationType.class), SystemObjectsType.SYSTEM_CONFIGURATION.value(), 
+	        		null, objectHolder, resultHolder);
+	        
+	        AssertJUnit.fail("Unexpected success");
+        	
+        } catch (SOAPFaultException e) {
+        	assertSoapFault(e, "FailedAuthentication", "could not be authenticated or authorized");        	
+        }
+        
+        // THEN
+        tailer.tail();
+        assertAuditLoginFailed(tailer, "User not active");
+    }
     
-    // TODO: user with no password
+	@Test
+    public void test145ModifyConfigAsDarthAdder() throws Exception {
+    	final String TEST_NAME = "test145ModifyConfigAsDarthAdder";
+    	displayTestTitle(TEST_NAME);
+    	
+    	LogfileTestTailer tailer = createLogTailer();
+
+        ObjectReferenceType ref = new ObjectReferenceType();
+        ref.setOid("c4e998e6-d903-11e4-9aaf-001e8c717e5b"); // fake
+        
+        ObjectDeltaListType deltaList = ModelClientUtil.createModificationDeltaList(SystemConfigurationType.class, 
+        		SystemObjectsType.SYSTEM_CONFIGURATION.value(), "globalSecurityPolicyRef", ModificationTypeType.REPLACE, 
+        		ref);
+        
+        try {
+    		// WHEN
+            modelPort.executeChanges(deltaList, null);
+        	
+        	AssertJUnit.fail("Unexpected success");
+        	
+        } catch (SOAPFaultException e) {
+        	assertSoapFault(e, "FailedAuthentication", "could not be authenticated or authorized");        	
+        }
+        
+        // THEN
+        tailer.tail();
+        assertAuditLoginFailed(tailer, "User not active");
+    }
+	
+	@Test
+	public void test146EnableDarthAdder() throws Exception {
+    	final String TEST_NAME = "test146EnableDarthAdder";
+    	displayTestTitle(TEST_NAME);
+    	
+    	LogfileTestTailer tailer = createLogTailer();
+
+    	modelPort = createModelPort();
+        ObjectDeltaListType deltaList = ModelClientUtil.createModificationDeltaList(UserType.class, USER_DARTHADDER_OID,
+        		"activation/administrativeStatus", ModificationTypeType.REPLACE, ActivationStatusType.ENABLED);
+        
+        // WHEN
+        ObjectDeltaOperationListType deltaOpList = modelPort.executeChanges(deltaList, null);
+        	        
+        // THEN
+        assertSuccess(deltaOpList);
+        
+        tailer.tail();
+        displayAudit(tailer);
+        assertAuditLoginLogout(tailer);
+        assertAuditIds(tailer);
+        assertAuditOperation(tailer, "MODIFY_OBJECT");
+        tailer.assertAudit(4);     
+        
+        modelPort = createModelPort(USER_DARTHADDER_USERNAME, USER_DARTHADDER_PASSWORD, WSConstants.PW_DIGEST);
+        UserType user = getObject(UserType.class, USER_DARTHADDER_OID);
+        display(user);
+        assertEquals("Wrong administrative status in "+ModelClientUtil.toString(user), ActivationStatusType.ENABLED, user.getActivation().getAdministrativeStatus());
+    }
+	
+	@Test
+    public void test150GetConfigNoPasswordWrongDigest() throws Exception {
+    	final String TEST_NAME = "test150GetConfigNoPasswordWrongDigest";
+    	displayTestTitle(TEST_NAME);
+    	
+    	LogfileTestTailer tailer = createLogTailer();
+        modelPort = createModelPort(USER_NOBODY_USERNAME, "wrongPassword", WSConstants.PW_DIGEST);
+
+        Holder<ObjectType> objectHolder = new Holder<ObjectType>();
+        Holder<OperationResultType> resultHolder = new Holder<OperationResultType>();
+        
+        // WHEN
+        try {
+        	modelPort.getObject(getTypeQName(SystemConfigurationType.class), SystemObjectsType.SYSTEM_CONFIGURATION.value(), 
+        		null, objectHolder, resultHolder);
+        	
+        	AssertJUnit.fail("Unexpected success");
+        	
+        } catch (SOAPFaultException e) {
+        	assertSoapFault(e, "FailedAuthentication", "could not be authenticated or authorized");        	
+        }
+        
+        tailer.tail();
+        assertAuditLoginFailed(tailer, "could not be authenticated or authorized");
+    }
+	
+	@Test
+    public void test152GetConfigNoPasswordEmptyDigest() throws Exception {
+    	final String TEST_NAME = "test152GetConfigNoPasswordEmptyDigest";
+    	displayTestTitle(TEST_NAME);
+    	
+    	LogfileTestTailer tailer = createLogTailer();
+        modelPort = createModelPort(USER_NOBODY_USERNAME, " ", WSConstants.PW_DIGEST);
+
+        Holder<ObjectType> objectHolder = new Holder<ObjectType>();
+        Holder<OperationResultType> resultHolder = new Holder<OperationResultType>();
+        
+        // WHEN
+        try {
+        	modelPort.getObject(getTypeQName(SystemConfigurationType.class), SystemObjectsType.SYSTEM_CONFIGURATION.value(), 
+        		null, objectHolder, resultHolder);
+        	
+        	AssertJUnit.fail("Unexpected success");
+        	
+        } catch (SOAPFaultException e) {
+        	assertSoapFault(e, "FailedAuthentication", "could not be authenticated or authorized");        	
+        }
+        
+        tailer.tail();
+        assertAuditLoginFailed(tailer, "could not be authenticated or authorized");
+    }
+	
+	@Test
+	public void test160ChangeDarthAdderPasswordSatisfiesPolicyShortcut() throws Exception {
+    	final String TEST_NAME = "test160ChangeDarthAdderPasswordSatisfiesPolicyShortcut";
+    	displayTestTitle(TEST_NAME);
+    	
+    	LogfileTestTailer tailer = createLogTailer();
+    	modelPort = createModelPort(USER_DARTHADDER_USERNAME, USER_DARTHADDER_PASSWORD, WSConstants.PW_DIGEST);
+
+    	ProtectedStringType protectedString = new ProtectedStringType();
+    	protectedString.getContent().add(USER_DARTHADDER_PASSWORD_NEW1);
+    	
+        ObjectDeltaListType deltaList = ModelClientUtil.createModificationDeltaList(UserType.class, USER_DARTHADDER_OID,
+        		"credentials/password/value", ModificationTypeType.REPLACE, protectedString);
+        
+        // WHEN
+        ObjectDeltaOperationListType deltaOpList = modelPort.executeChanges(deltaList, null);
+        	        
+        // THEN
+        assertSuccess(deltaOpList);
+        
+        tailer.tail();
+        displayAudit(tailer);
+        assertAuditLoginLogout(tailer);
+        assertAuditIds(tailer);
+        assertAuditOperation(tailer, "MODIFY_OBJECT");
+        tailer.assertAudit(4);     
+        
+        modelPort = createModelPort(USER_DARTHADDER_USERNAME, USER_DARTHADDER_PASSWORD_NEW1, WSConstants.PW_DIGEST);
+        UserType user = getObject(UserType.class, USER_DARTHADDER_OID);
+        display(user);
+        // TODO: check password change timestamp
+    }
+	
+	@Test
+	public void test161ChangeDarthAdderPasswordSatisfiesPolicyStrict() throws Exception {
+    	final String TEST_NAME = "test160ChangeDarthAdderPasswordSatisfiesPolicyShortcut";
+    	displayTestTitle(TEST_NAME);
+    	
+    	LogfileTestTailer tailer = createLogTailer();
+
+    	ProtectedStringType protectedString = ModelClientUtil.createProtectedString(USER_DARTHADDER_PASSWORD_NEW2);
+    	
+        ObjectDeltaListType deltaList = ModelClientUtil.createModificationDeltaList(UserType.class, USER_DARTHADDER_OID,
+        		"credentials/password/value", ModificationTypeType.REPLACE, protectedString);
+        
+        // WHEN
+        ObjectDeltaOperationListType deltaOpList = modelPort.executeChanges(deltaList, null);
+        	        
+        // THEN
+        assertSuccess(deltaOpList);
+        
+        tailer.tail();
+        displayAudit(tailer);
+        assertAuditLoginLogout(tailer);
+        assertAuditIds(tailer);
+        assertAuditOperation(tailer, "MODIFY_OBJECT");
+        tailer.assertAudit(4);     
+        
+        modelPort = createModelPort(USER_DARTHADDER_USERNAME, USER_DARTHADDER_PASSWORD_NEW2, WSConstants.PW_DIGEST);
+        UserType user = getObject(UserType.class, USER_DARTHADDER_OID);
+        display(user);
+        // TODO: check password change timestamp
+    }
+	
+	@Test
+	public void test162ChangeDarthAdderPasswordViolatesPolicy() throws Exception {
+    	final String TEST_NAME = "test162ChangeDarthAdderPasswordViolatesPolicy";
+    	displayTestTitle(TEST_NAME);
+    	
+    	LogfileTestTailer tailer = createLogTailer();
 
-    // TODO: disabled user
+    	ProtectedStringType protectedString = ModelClientUtil.createProtectedString("x");
+    	
+        ObjectDeltaListType deltaList = ModelClientUtil.createModificationDeltaList(UserType.class, USER_DARTHADDER_OID,
+        		"credentials/password/value", ModificationTypeType.REPLACE, protectedString);
+        
+        try {
+	        // WHEN
+	        modelPort.executeChanges(deltaList, null);
+        	        
+        	AssertJUnit.fail("Unexpected success");
+        	
+        } catch (FaultMessage e) {
+        	assertFaultMessage(e, PolicyViolationFaultType.class, "password does not satisfy password policies");        	
+        }
+        
+        // THEN
+        tailer.tail();
+        displayAudit(tailer);
+        assertAuditLoginLogout(tailer);
+        assertAuditIds(tailer);
+        assertAuditOperation(tailer, "MODIFY_OBJECT", OperationResultStatusType.FATAL_ERROR, "password does not satisfy password policies");
+        tailer.assertAudit(4);
+        
+        UserType user = getObject(UserType.class, USER_DARTHADDER_OID);
+        display(user);
+        // TODO: check that password is unchanged
+        // TODO: check password change timestamp
+    }
+	
+	// Set password: satisfies policy
+	// Set password: violates policy
+	// remove password (set no password)
 
+	// TODO: fetch&parse schema http://..?WSDL
 
 
 }
diff --git a/testing/wstest/src/test/resources/common/role-adder.xml b/testing/wstest/src/test/resources/common/role-adder.xml
new file mode 100644
index 00000000000..924a2c0d16d
--- /dev/null
+++ b/testing/wstest/src/test/resources/common/role-adder.xml
@@ -0,0 +1,24 @@
+<!--
+  ~ Copyright (c) 2010-2015 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<role oid="8a48a97e-d909-11e4-8413-001e8c717e5b"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
+    <name>Adder</name>    
+    <authorization>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
+    </authorization>
+</role>
diff --git a/testing/wstest/src/test/resources/common/role-modifier.xml b/testing/wstest/src/test/resources/common/role-modifier.xml
new file mode 100644
index 00000000000..706598c6751
--- /dev/null
+++ b/testing/wstest/src/test/resources/common/role-modifier.xml
@@ -0,0 +1,24 @@
+<!--
+  ~ Copyright (c) 2010-2015 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<role oid="82005ae4-d90b-11e4-bdcc-001e8c717e5b"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
+    <name>Modifier</name>    
+    <authorization>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
+    </authorization>
+</role>
diff --git a/testing/wstest/src/test/resources/common/user-cyclops.xml b/testing/wstest/src/test/resources/common/user-cyclops.xml
index c8e1e9f5189..495108e8c4e 100644
--- a/testing/wstest/src/test/resources/common/user-cyclops.xml
+++ b/testing/wstest/src/test/resources/common/user-cyclops.xml
@@ -20,6 +20,9 @@
 	<c:assignment>
 		<c:targetRef oid="ac4c987a-d7b3-11e4-9623-001e8c717e5b" type="c:RoleType"/>
 	</c:assignment>
+	<c:activation>
+		<c:administrativeStatus>enabled</c:administrativeStatus>
+	</c:activation>	
 	<c:fullName>Cyclops</c:fullName>
 	<c:givenName>Cyclo</c:givenName>
 	<c:familyName>Cyclops</c:familyName>
diff --git a/testing/wstest/src/test/resources/common/user-darthadder.xml b/testing/wstest/src/test/resources/common/user-darthadder.xml
new file mode 100644
index 00000000000..611460076db
--- /dev/null
+++ b/testing/wstest/src/test/resources/common/user-darthadder.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2015 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<c:user oid="1696229e-d90a-11e4-9ce6-001e8c717e5b" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+	<c:name>darthadder</c:name>
+	<c:assignment>
+		<!-- WS -->
+		<c:targetRef oid="ac4c987a-d7b3-11e4-9623-001e8c717e5b" type="c:RoleType"/>
+	</c:assignment>
+	<c:assignment>
+		<!-- Reader -->
+		<c:targetRef oid="eb243068-d48d-11e4-a83a-001e8c717e5b" type="c:RoleType"/>
+	</c:assignment>
+	<c:assignment>
+		<!-- Adder -->
+		<c:targetRef oid="8a48a97e-d909-11e4-8413-001e8c717e5b" type="c:RoleType"/>
+	</c:assignment>
+	<c:activation>
+		<c:administrativeStatus>enabled</c:administrativeStatus>
+	</c:activation>
+	<c:fullName>Darth Adder</c:fullName>
+	<c:givenName>Darth</c:givenName>
+	<c:familyName>Adder</c:familyName>
+	<c:credentials xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+		<c:password>
+			<c:value xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+				<clearValue>iamyouruncle</clearValue>
+			</c:value>
+		</c:password>
+	</c:credentials>
+</c:user>
\ No newline at end of file
diff --git a/testing/wstest/src/test/resources/common/user-nobody.xml b/testing/wstest/src/test/resources/common/user-nobody.xml
index 76782641216..2417609ceba 100644
--- a/testing/wstest/src/test/resources/common/user-nobody.xml
+++ b/testing/wstest/src/test/resources/common/user-nobody.xml
@@ -17,6 +17,9 @@
 <c:user oid="ffb9729c-d48b-11e4-9720-001e8c717e5b" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
 	<c:name>nobody</c:name>
+	<c:activation>
+		<c:administrativeStatus>enabled</c:administrativeStatus>
+	</c:activation>
 	<c:fullName>No Body</c:fullName>
 	<c:givenName>No</c:givenName>
 	<c:familyName>Body</c:familyName>
diff --git a/testing/wstest/src/test/resources/common/user-nopassword.xml b/testing/wstest/src/test/resources/common/user-nopassword.xml
new file mode 100644
index 00000000000..e732517ee83
--- /dev/null
+++ b/testing/wstest/src/test/resources/common/user-nopassword.xml
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2015 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<c:user oid="a21fd032-d91c-11e4-85d3-001e8c717e5b" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+	<c:name>nopassword</c:name>
+	<c:assignment>
+		<!-- WS -->
+		<c:targetRef oid="ac4c987a-d7b3-11e4-9623-001e8c717e5b" type="c:RoleType"/>
+	</c:assignment>
+	<c:assignment>
+		<!-- Reader -->
+		<c:targetRef oid="eb243068-d48d-11e4-a83a-001e8c717e5b" type="c:RoleType"/>
+	</c:assignment>	
+	<c:activation>
+		<c:administrativeStatus>enabled</c:administrativeStatus>
+	</c:activation>
+	<c:fullName>No Password</c:fullName>
+	<c:givenName>No</c:givenName>
+	<c:familyName>Password</c:familyName>
+</c:user>
\ No newline at end of file
diff --git a/testing/wstest/src/test/resources/common/user-somebody.xml b/testing/wstest/src/test/resources/common/user-somebody.xml
index be706b7cce7..d809f617760 100644
--- a/testing/wstest/src/test/resources/common/user-somebody.xml
+++ b/testing/wstest/src/test/resources/common/user-somebody.xml
@@ -18,11 +18,16 @@
 	xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
 	<c:name>somebody</c:name>
 	<c:assignment>
+		<!-- WS -->
 		<c:targetRef oid="ac4c987a-d7b3-11e4-9623-001e8c717e5b" type="c:RoleType"/>
 	</c:assignment>
 	<c:assignment>
+		<!-- Reader -->
 		<c:targetRef oid="eb243068-d48d-11e4-a83a-001e8c717e5b" type="c:RoleType"/>
 	</c:assignment>
+	<c:activation>
+		<c:administrativeStatus>enabled</c:administrativeStatus>
+	</c:activation>	
 	<c:fullName>Some Body</c:fullName>
 	<c:givenName>Some</c:givenName>
 	<c:familyName>body</c:familyName>