From c51a4c072a191618b5cc0b8e18add16247c99be6 Mon Sep 17 00:00:00 2001
From: Brutus5000 <Brutus5000@gmx.net>
Date: Mon, 23 Sep 2019 04:21:40 +0200
Subject: [PATCH 1/5] Implement user permission system (fixes #271)

---
 .idea/runConfigurations/FafApiApplication.xml |   9 -
 .../api/AbstractIntegrationTest.java          |  20 +-
 .../api/avatar/AvatarControllerTest.java      |  53 ++--
 ...st.java => AvatarAssignmentElideTest.java} | 116 +++++---
 .../java/com/faforever/api/data/BanTest.java  | 131 ++++-----
 .../api/data/DomainBlacklistTest.java         | 134 +++++++--
 .../faforever/api/data/Ladder1v1MapTest.java  |  43 ++-
 .../com/faforever/api/data/TeamkillTest.java  |  48 ++-
 .../faforever/api/data/TutorialElideTest.java | 111 +++++--
 .../com/faforever/api/data/UserNoteTest.java  |  76 +++--
 .../faforever/api/data/VotingElideTest.java   | 128 +++++---
 .../api/event/EventControllerTest.java        |  12 +-
 .../ModerationReportTest.java                 | 274 ++++++++++--------
 .../api/user/UsersControllerTest.java         |  34 ++-
 .../com/faforever/api/utils/OAuthHelper.java  |  36 ++-
 src/inttest/resources/sql/prepAvatarData.sql  |  25 +-
 src/inttest/resources/sql/prepBanData.sql     |   8 +-
 src/inttest/resources/sql/prepDefaultUser.sql |  14 +-
 .../sql/prepModerationReportData.sql          |   6 +-
 .../resources/sql/prepUserNoteData.sql        |   3 -
 .../api/avatar/AvatarController.java          |   8 +-
 .../api/config/elide/ElideConfig.java         |  29 +-
 .../faforever/api/data/DataController.java    |  13 +-
 .../api/data/checks/UserGroupPublicCheck.java |  24 ++
 .../data/checks/permission/HasBanRead.java    |  11 -
 .../data/checks/permission/HasBanUpdate.java  |  11 -
 .../checks/permission/HasLadder1v1Update.java |  13 -
 .../com/faforever/api/data/domain/Avatar.java |   7 +-
 .../api/data/domain/AvatarAssignment.java     |  13 +-
 .../faforever/api/data/domain/BanInfo.java    |  12 +-
 .../api/data/domain/DomainBlacklist.java      |  10 +-
 .../api/data/domain/GroupPermission.java      |  86 ++++++
 .../api/data/domain/Ladder1v1Map.java         |   8 +-
 .../com/faforever/api/data/domain/Login.java  |  20 +-
 .../api/data/domain/ModerationReport.java     |  18 +-
 .../faforever/api/data/domain/Teamkill.java   |   4 +-
 .../faforever/api/data/domain/Tutorial.java   |  11 +-
 .../api/data/domain/TutorialCategory.java     |  11 +-
 .../com/faforever/api/data/domain/User.java   |   3 +-
 .../faforever/api/data/domain/UserGroup.java  |  82 ++++++
 .../faforever/api/data/domain/UserNote.java   |  11 +-
 .../com/faforever/api/data/domain/Vote.java   |   3 +-
 .../api/data/domain/VotingAnswer.java         |   3 +-
 .../api/data/domain/VotingChoice.java         |  11 +-
 .../api/data/domain/VotingQuestion.java       |  16 +-
 .../api/data/domain/VotingSubject.java        |  11 +-
 .../FafUserAuthenticationConverter.java       |  10 +-
 .../api/security/FafUserDetails.java          |  17 +-
 .../api/security/FafUserDetailsService.java   |  31 +-
 .../faforever/api/security/OAuthScope.java    |  11 +-
 .../com/faforever/api/security/UserRole.java  |  37 +++
 .../permission/AdminAccountBanCheck.java      |  17 ++
 .../permission/AdminAccountNoteCheck.java     |  17 ++
 .../elide/permission/AdminMapCheck.java       |  17 ++
 .../elide/permission/AdminModCheck.java       |  17 ++
 .../AdminModerationReportCheck.java           |  17 ++
 .../elide/permission/AdminVoteCheck.java      |  17 ++
 .../elide/permission/FafUserCheck.java        |  81 ++++++
 .../ReadAccountPrivateDetailsCheck.java       |  17 ++
 .../permission/ReadTeamkillReportCheck.java   |  17 ++
 .../elide/permission/ReadUserGroupCheck.java  |  17 ++
 .../elide/permission/WriteAvatarCheck.java    |  16 +
 .../permission/WriteEmailDomainBanCheck.java  |  16 +
 .../permission/WriteMatchmakerMapCheck.java   |  16 +
 .../permission/WriteMatchmakerPoolCheck.java  |  16 +
 .../elide/permission/WriteMessageCheck.java   |  16 +
 .../elide/permission/WriteNewsPostCheck.java  |  16 +
 .../elide/permission/WriteTutorialCheck.java  |  16 +
 .../elide/permission/WriteUserGroupCheck.java |  17 ++
 69 files changed, 1578 insertions(+), 621 deletions(-)
 rename src/inttest/java/com/faforever/api/data/{AvatarElideTest.java => AvatarAssignmentElideTest.java} (59%)
 create mode 100644 src/main/java/com/faforever/api/data/checks/UserGroupPublicCheck.java
 delete mode 100644 src/main/java/com/faforever/api/data/checks/permission/HasBanRead.java
 delete mode 100644 src/main/java/com/faforever/api/data/checks/permission/HasBanUpdate.java
 delete mode 100644 src/main/java/com/faforever/api/data/checks/permission/HasLadder1v1Update.java
 create mode 100644 src/main/java/com/faforever/api/data/domain/GroupPermission.java
 create mode 100644 src/main/java/com/faforever/api/data/domain/UserGroup.java
 create mode 100644 src/main/java/com/faforever/api/security/UserRole.java
 create mode 100644 src/main/java/com/faforever/api/security/elide/permission/AdminAccountBanCheck.java
 create mode 100644 src/main/java/com/faforever/api/security/elide/permission/AdminAccountNoteCheck.java
 create mode 100644 src/main/java/com/faforever/api/security/elide/permission/AdminMapCheck.java
 create mode 100644 src/main/java/com/faforever/api/security/elide/permission/AdminModCheck.java
 create mode 100644 src/main/java/com/faforever/api/security/elide/permission/AdminModerationReportCheck.java
 create mode 100644 src/main/java/com/faforever/api/security/elide/permission/AdminVoteCheck.java
 create mode 100644 src/main/java/com/faforever/api/security/elide/permission/FafUserCheck.java
 create mode 100644 src/main/java/com/faforever/api/security/elide/permission/ReadAccountPrivateDetailsCheck.java
 create mode 100644 src/main/java/com/faforever/api/security/elide/permission/ReadTeamkillReportCheck.java
 create mode 100644 src/main/java/com/faforever/api/security/elide/permission/ReadUserGroupCheck.java
 create mode 100644 src/main/java/com/faforever/api/security/elide/permission/WriteAvatarCheck.java
 create mode 100644 src/main/java/com/faforever/api/security/elide/permission/WriteEmailDomainBanCheck.java
 create mode 100644 src/main/java/com/faforever/api/security/elide/permission/WriteMatchmakerMapCheck.java
 create mode 100644 src/main/java/com/faforever/api/security/elide/permission/WriteMatchmakerPoolCheck.java
 create mode 100644 src/main/java/com/faforever/api/security/elide/permission/WriteMessageCheck.java
 create mode 100644 src/main/java/com/faforever/api/security/elide/permission/WriteNewsPostCheck.java
 create mode 100644 src/main/java/com/faforever/api/security/elide/permission/WriteTutorialCheck.java
 create mode 100644 src/main/java/com/faforever/api/security/elide/permission/WriteUserGroupCheck.java

diff --git a/.idea/runConfigurations/FafApiApplication.xml b/.idea/runConfigurations/FafApiApplication.xml
index c4595cae7..6e564d6b5 100644
--- a/.idea/runConfigurations/FafApiApplication.xml
+++ b/.idea/runConfigurations/FafApiApplication.xml
@@ -8,17 +8,8 @@
       </pattern>
     </extension>
     <option name="SPRING_BOOT_MAIN_CLASS" value="com.faforever.api.FafApiApplication" />
-    <option name="VM_PARAMETERS" value="-Xmx256m" />
     <option name="ALTERNATIVE_JRE_PATH" />
     <option name="SHORTEN_COMMAND_LINE" value="MANIFEST" />
-    <envs>
-      <env name="MAUTIC_BASE_URL" value="http://mautic.test.faforever.com/api" />
-      <env name="MAUTIC_CLIENT_ID" value="faf-java-api" />
-      <env name="MAUTIC_CLIENT_SECRET" value="banana" />
-      <env name="REGISTRATION_EMAIL_BODY" value="User: {0}, Link: {1}" />
-      <env name="STEAM_REALM" value="http://www.faforever.com" />
-      <env name="STEAM_API_KEY" value="B71F58265308ADAD5366DC1F3673BB8A" />
-    </envs>
     <method v="2">
       <option name="Make" enabled="true" />
     </method>
diff --git a/src/inttest/java/com/faforever/api/AbstractIntegrationTest.java b/src/inttest/java/com/faforever/api/AbstractIntegrationTest.java
index 7c7a9c7ea..27198d022 100644
--- a/src/inttest/java/com/faforever/api/AbstractIntegrationTest.java
+++ b/src/inttest/java/com/faforever/api/AbstractIntegrationTest.java
@@ -7,6 +7,7 @@
 import com.faforever.commons.api.dto.Avatar;
 import com.faforever.commons.api.dto.AvatarAssignment;
 import com.faforever.commons.api.dto.BanInfo;
+import com.faforever.commons.api.dto.DomainBlacklist;
 import com.faforever.commons.api.dto.ModerationReport;
 import com.faforever.commons.api.dto.Player;
 import com.faforever.commons.api.dto.Tutorial;
@@ -38,6 +39,8 @@
 
 import javax.transaction.Transactional;
 import java.time.format.DateTimeFormatter;
+import java.util.Collections;
+import java.util.Set;
 
 import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
 
@@ -48,6 +51,8 @@
 @Transactional
 @Sql(executionPhase = ExecutionPhase.BEFORE_TEST_METHOD, scripts = "classpath:sql/prepDefaultUser.sql")
 public abstract class AbstractIntegrationTest {
+  protected static final String NO_SCOPE = "no_scope";
+  protected static final String NO_AUTHORITIES = "NO_AUTHORITIES";
   protected static final DateTimeFormatter OFFSET_DATE_TIME_FORMATTER = DateTimeFormatter.ISO_OFFSET_DATE_TIME;
 
   protected final static String AUTH_WEBSITE = "WEBSITE";
@@ -82,12 +87,21 @@ public void setUp() {
       Tutorial.class,
       Avatar.class,
       AvatarAssignment.class,
-      BanInfo.class
+      BanInfo.class,
+      DomainBlacklist.class
     );
   }
 
-  protected RequestPostProcessor getOAuthToken(String... scope) {
-    return oAuthHelper.addBearerToken(Sets.newSet(scope));
+  protected RequestPostProcessor getOAuthTokenWithoutUser(String... scope) {
+    return oAuthHelper.addBearerToken(Sets.newSet(scope), null);
+  }
+
+  protected RequestPostProcessor getOAuthTokenWithTestUser(String scope, String authority) {
+    return getOAuthTokenWithTestUser(Collections.singleton(scope), Collections.singleton(authority));
+  }
+
+  protected RequestPostProcessor getOAuthTokenWithTestUser(Set<String> scope, Set<String> authorities) {
+    return oAuthHelper.addBearerToken(5, "ACTIVE_USER", scope, authorities);
   }
 
   protected void assertApiError(MvcResult mvcResult, ErrorCode errorCode) throws Exception {
diff --git a/src/inttest/java/com/faforever/api/avatar/AvatarControllerTest.java b/src/inttest/java/com/faforever/api/avatar/AvatarControllerTest.java
index 972e63986..251dba467 100644
--- a/src/inttest/java/com/faforever/api/avatar/AvatarControllerTest.java
+++ b/src/inttest/java/com/faforever/api/avatar/AvatarControllerTest.java
@@ -2,6 +2,7 @@
 
 import com.faforever.api.AbstractIntegrationTest;
 import com.faforever.api.data.domain.Avatar;
+import com.faforever.api.data.domain.GroupPermission;
 import com.faforever.api.security.AuditService;
 import com.faforever.api.security.OAuthScope;
 import com.faforever.api.utils.FileHandlingHelper;
@@ -11,7 +12,6 @@
 import org.springframework.boot.test.mock.mockito.SpyBean;
 import org.springframework.http.MediaType;
 import org.springframework.mock.web.MockMultipartFile;
-import org.springframework.security.test.context.support.WithUserDetails;
 import org.springframework.test.context.jdbc.Sql;
 import org.springframework.test.context.jdbc.Sql.ExecutionPhase;
 import org.springframework.test.web.servlet.request.MockMultipartHttpServletRequestBuilder;
@@ -42,11 +42,10 @@ public class AvatarControllerTest extends AbstractIntegrationTest {
   AvatarRepository avatarRepository;
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void moderatorCanUpload() throws Exception {
+  public void canUploadWithScopeAndRole() throws Exception {
     mockMvc.perform(
       createAvatarUploadRequest()
-        .with(getOAuthToken(OAuthScope._UPLOAD_AVATAR))
+        .with(getOAuthTokenWithTestUser(OAuthScope._UPLOAD_AVATAR, GroupPermission.ROLE_WRITE_AVATAR))
     ).andExpect(status().isCreated())
       .andExpect(content().string(""));
     final Avatar avatar = avatarRepository.findOneByUrl("http://localhost/faf/avatars/avatar3.png").get();
@@ -57,12 +56,12 @@ public void moderatorCanUpload() throws Exception {
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void moderatorCanReupload() throws Exception {
+  public void canReuploadWithScopeAndRole() throws Exception {
+    Files.createDirectories(Paths.get("build/cache/avatars"));
     Files.copy(FileHandlingHelper.loadResourceAsStream("/avatars/donator.png"), Paths.get("build/cache/avatars/avatar1.png"));
     mockMvc.perform(
       createAvatarReuploadRequest(1)
-        .with(getOAuthToken(OAuthScope._UPLOAD_AVATAR))
+        .with(getOAuthTokenWithTestUser(OAuthScope._UPLOAD_AVATAR, GroupPermission.ROLE_WRITE_AVATAR))
     ).andExpect(status().isOk())
       .andExpect(content().string(""));
     final Avatar avatar = avatarRepository.findOneByUrl("http://localhost/faf/avatars/avatar1.png").get();
@@ -72,73 +71,67 @@ public void moderatorCanReupload() throws Exception {
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void moderatorCanDeleteAvatar() throws Exception {
+  public void canDeleteAvatarWithScopeAndRole() throws Exception {
+    Files.createDirectories(Paths.get("build/cache/avatars"));
     Files.copy(FileHandlingHelper.loadResourceAsStream("/avatars/donator.png"), Paths.get("build/cache/avatars/avatar1.png"));
     mockMvc.perform(
-      delete("/avatars/1")
-        .with(getOAuthToken(OAuthScope._UPLOAD_AVATAR))
+      delete("/avatars/3")
+        .with(getOAuthTokenWithTestUser(OAuthScope._UPLOAD_AVATAR, GroupPermission.ROLE_WRITE_AVATAR))
     ).andExpect(status().isNoContent());
-    assertThat(avatarRepository.findById(1), is(Optional.empty()));
+    assertThat(avatarRepository.findById(3), is(Optional.empty()));
     verify(auditServiceSpy, times(1)).logMessage(any());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void nonModeratorCannotUpload() throws Exception {
+  public void cannotUploadWithoutRole() throws Exception {
     mockMvc.perform(
       createAvatarUploadRequest()
-        .with(getOAuthToken(OAuthScope._UPLOAD_AVATAR))
+        .with(getOAuthTokenWithTestUser(OAuthScope._UPLOAD_AVATAR, NO_AUTHORITIES))
     ).andExpect(status().isForbidden());
     verify(auditServiceSpy, times(0)).logMessage(any());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void nonModeratorCannotReupload() throws Exception {
+  public void cannotReuploadWithoutRole() throws Exception {
     mockMvc.perform(
       createAvatarReuploadRequest(1)
-        .with(getOAuthToken(OAuthScope._UPLOAD_AVATAR))
+        .with(getOAuthTokenWithTestUser(OAuthScope._UPLOAD_AVATAR, NO_AUTHORITIES))
     ).andExpect(status().isForbidden());
     verify(auditServiceSpy, times(0)).logMessage(any());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void nonModeratorCannotDelete() throws Exception {
+  public void cannotDeleteWithoutRole() throws Exception {
     mockMvc.perform(
       delete("/avatars/1")
-        .with(getOAuthToken(OAuthScope._UPLOAD_AVATAR))
+        .with(getOAuthTokenWithTestUser(OAuthScope._UPLOAD_AVATAR, NO_AUTHORITIES))
     ).andExpect(status().isForbidden());
     verify(auditServiceSpy, times(0)).logMessage(any());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void moderatorWithoutScopeCannotUpload() throws Exception {
+  public void cannotUploadWithoutScope() throws Exception {
     mockMvc.perform(
       createAvatarUploadRequest()
-        .with(getOAuthToken())
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_WRITE_AVATAR))
     ).andExpect(status().isForbidden());
     verify(auditServiceSpy, times(0)).logMessage(any());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void moderatorWithoutScopeCannotReupload() throws Exception {
+  public void cannotReuploadWithoutScope() throws Exception {
     mockMvc.perform(
       createAvatarReuploadRequest(1)
-        .with(getOAuthToken())
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_WRITE_AVATAR))
     ).andExpect(status().isForbidden());
     verify(auditServiceSpy, times(0)).logMessage(any());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void moderatorWithoutScopeCannotDelete() throws Exception {
+  public void cannotDeleteWithoutScope() throws Exception {
     mockMvc.perform(
       delete("/avatars/1")
-        .with(getOAuthToken())
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_WRITE_AVATAR))
     ).andExpect(status().isForbidden());
     verify(auditServiceSpy, times(0)).logMessage(any());
   }
diff --git a/src/inttest/java/com/faforever/api/data/AvatarElideTest.java b/src/inttest/java/com/faforever/api/data/AvatarAssignmentElideTest.java
similarity index 59%
rename from src/inttest/java/com/faforever/api/data/AvatarElideTest.java
rename to src/inttest/java/com/faforever/api/data/AvatarAssignmentElideTest.java
index 8e00acc96..5e97bb574 100644
--- a/src/inttest/java/com/faforever/api/data/AvatarElideTest.java
+++ b/src/inttest/java/com/faforever/api/data/AvatarAssignmentElideTest.java
@@ -1,6 +1,8 @@
 package com.faforever.api.data;
 
 import com.faforever.api.AbstractIntegrationTest;
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
 import com.faforever.commons.api.dto.Avatar;
 import com.faforever.commons.api.dto.AvatarAssignment;
 import com.faforever.commons.api.dto.Player;
@@ -24,17 +26,16 @@
 @Sql(executionPhase = ExecutionPhase.BEFORE_TEST_METHOD, scripts = "classpath:sql/prepDefaultUser.sql")
 @Sql(executionPhase = ExecutionPhase.BEFORE_TEST_METHOD, scripts = "classpath:sql/prepAvatarData.sql")
 @Sql(executionPhase = ExecutionPhase.AFTER_TEST_METHOD, scripts = "classpath:sql/cleanAvatarData.sql")
-public class AvatarElideTest extends AbstractIntegrationTest {
-
+public class AvatarAssignmentElideTest extends AbstractIntegrationTest {
 
   @Test
   public void getUnusedAvatar() throws Exception {
-    mockMvc.perform(get("/data/avatar/1"))
+    mockMvc.perform(get("/data/avatar/3"))
       .andExpect(status().isOk())
-      .andExpect(jsonPath("$.data.id", is("1")))
+      .andExpect(jsonPath("$.data.id", is("3")))
       .andExpect(jsonPath("$.data.type", is("avatar")))
-      .andExpect(jsonPath("$.data.attributes.tooltip", is("Avatar No. 1")))
-      .andExpect(jsonPath("$.data.attributes.url", is("http://localhost/faf/avatars/avatar1.png")))
+      .andExpect(jsonPath("$.data.attributes.tooltip", is("Donator Avatar")))
+      .andExpect(jsonPath("$.data.attributes.url", is("http://localhost/faf/avatars/donator.png")))
       .andExpect(jsonPath("$.data.relationships.assignments.data", hasSize(0)));
   }
 
@@ -46,12 +47,11 @@ public void getAvatarWithPlayer() throws Exception {
       .andExpect(jsonPath("$.data.type", is("avatar")))
       .andExpect(jsonPath("$.data.attributes.tooltip", is("Avatar No. 2")))
       .andExpect(jsonPath("$.data.attributes.url", is("http://localhost/faf/avatars/avatar2.png")))
-      .andExpect(jsonPath("$.data.relationships.assignments.data", hasSize(2)));
+      .andExpect(jsonPath("$.data.relationships.assignments.data", hasSize(1)));
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void moderatorCanAssignAvatar() throws Exception {
+  public void canAssignAvatarWithScopeAndRole() throws Exception {
     final Avatar avatar = (Avatar) new Avatar().setId("1");
     final Player player = (Player) new Player().setId("1");
     final AvatarAssignment avatarAssignment = new AvatarAssignment()
@@ -59,7 +59,8 @@ public void moderatorCanAssignAvatar() throws Exception {
       .setSelected(false);
     mockMvc.perform(
       post("/data/player/{playerId}/avatarAssignments", player.getId())
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_WRITE_AVATAR))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
         .content(createJsonApiContent(avatarAssignment)))
       .andExpect(status().isCreated())
       .andExpect(jsonPath("$.data.relationships.player.data.id", is(player.getId())))
@@ -67,19 +68,22 @@ public void moderatorCanAssignAvatar() throws Exception {
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void moderatorCanDeleteAvatarAssignment() throws Exception {
-    mockMvc.perform(
-      delete("/data/avatarAssignment/{assignmentId}", 1)
-    ).andExpect(status().isNoContent());
+  public void cannotAssignAvatarWithoutScope() throws Exception {
+    final Avatar avatar = (Avatar) new Avatar().setId("1");
+    final Player player = (Player) new Player().setId("1");
+    final AvatarAssignment avatarAssignment = new AvatarAssignment()
+      .setAvatar(avatar)
+      .setSelected(false);
     mockMvc.perform(
-      get("/data/avatarAssignment/{assignmentId}", 1)
-    ).andExpect(status().isNotFound());
+      post("/data/player/{playerId}/avatarAssignments", player.getId())
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_WRITE_AVATAR))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(createJsonApiContent(avatarAssignment)))
+      .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void userCannotAssignAvatar() throws Exception {
+  public void cannotAssignAvatarWithoutRole() throws Exception {
     final Avatar avatar = (Avatar) new Avatar().setId("1");
     final Player player = (Player) new Player().setId("1");
     final AvatarAssignment avatarAssignment = new AvatarAssignment()
@@ -87,32 +91,50 @@ public void userCannotAssignAvatar() throws Exception {
       .setSelected(false);
     mockMvc.perform(
       post("/data/player/{playerId}/avatarAssignments", player.getId())
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
-        .content(createJsonApiContent(avatarAssignment))
-    ).andExpect(status().isForbidden());
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(createJsonApiContent(avatarAssignment)))
+      .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void userCannotDeleteAvatarAssignment() throws Exception {
+  public void canDeleteAvatarAssignmentWithScopeAndRole() throws Exception {
     mockMvc.perform(
       delete("/data/avatarAssignment/{assignmentId}", 1)
-    ).andExpect(status().isForbidden());
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_WRITE_AVATAR))
+    ).andExpect(status().isNoContent());
     mockMvc.perform(
       get("/data/avatarAssignment/{assignmentId}", 1)
-    ).andExpect(status().isOk());
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_WRITE_AVATAR))
+    ).andExpect(status().isNotFound());
+  }
+
+  @Test
+  public void cannotDeleteAvatarAssignmentWithoutScope() throws Exception {
+    mockMvc.perform(
+      delete("/data/avatarAssignment/{assignmentId}", 1)
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_WRITE_AVATAR))
+    ).andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void moderatorCanUpdateAvatarAssignmentExpiration() throws Exception {
+  public void cannotDeleteAvatarAssignmentWithoutRole() throws Exception {
+    mockMvc.perform(
+      delete("/data/avatarAssignment/{assignmentId}", 1)
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES))
+    ).andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void canUpdateAvatarAssignmentExpirationWithScopeAndRole() throws Exception {
     final OffsetDateTime now = OffsetDateTime.now();
     final AvatarAssignment avatarAssignment = (AvatarAssignment) new AvatarAssignment()
       .setExpiresAt(now)
       .setId("1");
     mockMvc.perform(
       patch("/data/avatarAssignment/{assignmentId}", 1)
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_WRITE_AVATAR))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
         .content(createJsonApiContent(avatarAssignment)))
       .andExpect(status().isNoContent());
     mockMvc.perform(
@@ -122,45 +144,61 @@ public void moderatorCanUpdateAvatarAssignmentExpiration() throws Exception {
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void userCannotUpdateAvatarAssignmentExpiration() throws Exception {
+  public void cannotUpdateAvatarAssignmentExpirationWithoutScope() throws Exception {
     final OffsetDateTime now = OffsetDateTime.now();
     final AvatarAssignment avatarAssignment = (AvatarAssignment) new AvatarAssignment()
       .setExpiresAt(now)
       .setId("1");
     mockMvc.perform(
       patch("/data/avatarAssignment/{assignmentId}", 1)
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_WRITE_AVATAR))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(createJsonApiContent(avatarAssignment)))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void cannotUpdateAvatarAssignmentExpirationWithoutRole() throws Exception {
+    final OffsetDateTime now = OffsetDateTime.now();
+    final AvatarAssignment avatarAssignment = (AvatarAssignment) new AvatarAssignment()
+      .setExpiresAt(now)
+      .setId("1");
+    mockMvc.perform(
+      patch("/data/avatarAssignment/{assignmentId}", 1)
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
         .content(createJsonApiContent(avatarAssignment)))
       .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
   public void ownerCanUpdateAvatarAssignmentSelection() throws Exception {
     final AvatarAssignment avatarAssignment = (AvatarAssignment) new AvatarAssignment()
       .setSelected(true)
       .setId("1");
     mockMvc.perform(
       patch("/data/avatarAssignment/{assignmentId}", 1)
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
         .content(createJsonApiContent(avatarAssignment)))
       .andExpect(status().isNoContent());
     mockMvc.perform(
-      get("/data/avatarAssignment/{assignmentId}", 1))
+      get("/data/avatarAssignment/{assignmentId}", 1)
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES)))
       .andExpect(status().isOk())
       .andExpect(jsonPath("$.data.attributes.selected", is(true)));
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
+  @WithUserDetails(AUTH_USER)
   public void nonOwnerCannotUpdateAvatarAssignmentSelection() throws Exception {
     final AvatarAssignment avatarAssignment = (AvatarAssignment) new AvatarAssignment()
       .setSelected(false)
-      .setId("1");
+      .setId("2");
     mockMvc.perform(
-      patch("/data/avatarAssignment/{assignmentId}", 1)
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+      patch("/data/avatarAssignment/{assignmentId}", 2)
+        .with(getOAuthTokenWithoutUser(OAuthScope._PUBLIC_PROFILE))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
         .content(createJsonApiContent(avatarAssignment)))
       .andExpect(status().isForbidden());
   }
diff --git a/src/inttest/java/com/faforever/api/data/BanTest.java b/src/inttest/java/com/faforever/api/data/BanTest.java
index 669fd256d..9293001f2 100644
--- a/src/inttest/java/com/faforever/api/data/BanTest.java
+++ b/src/inttest/java/com/faforever/api/data/BanTest.java
@@ -1,27 +1,22 @@
 package com.faforever.api.data;
 
 import com.faforever.api.AbstractIntegrationTest;
-import com.faforever.api.player.PlayerRepository;
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
 import com.faforever.commons.api.dto.BanInfo;
 import com.faforever.commons.api.dto.BanLevel;
 import com.faforever.commons.api.dto.ModerationReport;
 import com.faforever.commons.api.dto.Player;
 import org.junit.Test;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpHeaders;
-import org.springframework.security.test.context.support.WithUserDetails;
 import org.springframework.test.context.jdbc.Sql;
 import org.springframework.test.context.jdbc.Sql.ExecutionPhase;
 
-import java.time.OffsetDateTime;
-
+import static com.faforever.api.data.domain.GroupPermission.ROLE_ADMIN_ACCOUNT_BAN;
 import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.core.Is.is;
-import static org.junit.Assert.assertThat;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.patch;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
@@ -62,103 +57,93 @@ public class BanTest extends AbstractIntegrationTest {
   }
    */
   private static final String testPost = "{\"data\":{\"type\":\"banInfo\",\"attributes\":{\"level\":\"CHAT\",\"reason\":\"This test ban should be revoked\"},\"relationships\":{\"author\":{\"data\":{\"type\":\"player\",\"id\":\"1\"}},\"player\":{\"data\":{\"type\":\"player\",\"id\":\"3\"}}}}}";
-  @Autowired
-  PlayerRepository playerRepository;
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void emptyResultBanInfoAsUser() throws Exception {
-    mockMvc.perform(get("/data/banInfo"))
-      .andExpect(status().isOk())
-      .andExpect(content().string("{\"data\":[]}"));
+  public void cannotReadSpecificBanWithoutScope() throws Exception {
+    mockMvc.perform(get("/data/banInfo/1")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, ROLE_ADMIN_ACCOUNT_BAN)))
+      .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void cannotReadSpecificBanInfoAsUser() throws Exception {
-    mockMvc.perform(get("/data/banInfo/1"))
+  public void cannotReadSpecificBanWithoutRole() throws Exception {
+    mockMvc.perform(get("/data/banInfo/1")
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES)))
       .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void cannotCreateBanInfoAsUser() throws Exception {
-    mockMvc.perform(post("/data/banInfo")
-      .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
-      .content(testPost))
-      .andExpect(status().isForbidden());
+  public void canReadSpecificBanWithScopeAndRole() throws Exception {
+    mockMvc.perform(get("/data/banInfo/1")
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_ADMIN_ACCOUNT_BAN)))
+      .andExpect(status().isOk());
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void canReadBanInfoAsModerator() throws Exception {
-    mockMvc.perform(get("/data/banInfo"))
+  public void canReadBansWithoutScope() throws Exception {
+    mockMvc.perform(get("/data/banInfo")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, ROLE_ADMIN_ACCOUNT_BAN)))
       .andExpect(status().isOk())
-      .andExpect(jsonPath("$.data", hasSize(3)));
+      .andExpect(jsonPath("$.data", hasSize(0)));
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void canReadSpecificBanInfoAsModerator() throws Exception {
-    mockMvc.perform(get("/data/banInfo/1"))
-      .andExpect(status().isOk());
+  public void canReadBansWithoutRole() throws Exception {
+    mockMvc.perform(get("/data/banInfo")
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES)))
+      .andExpect(status().isOk())
+      .andExpect(jsonPath("$.data", hasSize(0)));
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void canCreateBanInfoAsModerator() throws Exception {
-    assertThat(playerRepository.getOne(3).getBans().size(), is(0));
+  public void canReadBansWithScopeAndRole() throws Exception {
+    mockMvc.perform(get("/data/banInfo")
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_ADMIN_ACCOUNT_BAN)))
+      .andExpect(status().isOk())
+      .andExpect(jsonPath("$.data", hasSize(3)));
+  }
 
+  @Test
+  public void cannotCreateBanWithoutScope() throws Exception {
     mockMvc.perform(post("/data/banInfo")
-      .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, ROLE_ADMIN_ACCOUNT_BAN))
+      .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
       .content(testPost))
-      .andExpect(status().isCreated());
-
-    assertThat(playerRepository.getOne(3).getBans().size(), is(1));
+      .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void canCreateBanInfoBasedOnModerationReportAsModerator() throws Exception {
-    final BanInfo banInfo = new BanInfo()
-      .setLevel(BanLevel.CHAT)
-      .setReason("Ban reason")
-      .setPlayer((Player) new Player().setId("3"))
-      .setModerationReport((ModerationReport) new ModerationReport().setId("1"));
+  public void cannotCreateBanWithoutRole() throws Exception {
     mockMvc.perform(post("/data/banInfo")
-      .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
-      .content(createJsonApiContent(banInfo)))
-      .andExpect(status().isCreated())
-      .andExpect(jsonPath("$.data.relationships.moderationReport.data.id", is("1")));
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES))
+      .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+      .content(testPost))
+      .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void moderatorCanRevokeBan() throws Exception {
-    final BanInfo banInfo = new BanInfo();
-    banInfo.setId("3");
-    banInfo.setRevokeTime(OffsetDateTime.now());
-    banInfo.setRevokeReason("revoke reason");
-
-    mockMvc.perform(patch("/data/banInfo/3")
-      .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
-      .content(createJsonApiContent(banInfo)))
-      .andExpect(status().isNoContent());
-
-    assertThat(playerRepository.getOne(5).isGlobalBanned(), is(false));
+  public void canCreateBanWithScopeAndRole() throws Exception {
+    mockMvc.perform(post("/data/banInfo")
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_ADMIN_ACCOUNT_BAN))
+      .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+      .content(testPost))
+      .andExpect(status().isCreated());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void userCanNotRevokeBan() throws Exception {
-    final BanInfo banInfo = new BanInfo();
-    banInfo.setId("3");
-    banInfo.setRevokeTime(OffsetDateTime.now());
-    banInfo.setRevokeReason("new revoke reason");
+  public void canCreateBanWithModerationWithScopeAndRole() throws Exception {
 
-    mockMvc.perform(patch("/data/banInfo/3")
-      .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
-      .content(createJsonApiContent(banInfo)))
-      .andExpect(status().isForbidden());
+    final BanInfo ban = new BanInfo()
+      .setLevel(BanLevel.CHAT)
+      .setReason("Ban reason")
+      .setPlayer((Player) new Player().setId("3"))
+      .setModerationReport((ModerationReport) new ModerationReport().setId("1"));
+
+    mockMvc.perform(post("/data/banInfo")
+      .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_ADMIN_ACCOUNT_BAN))
+      .content(createJsonApiContent(ban)))
+      .andExpect(status().isCreated())
+      .andExpect(jsonPath("$.data.relationships.player.data.id", is("3")));
   }
 }
diff --git a/src/inttest/java/com/faforever/api/data/DomainBlacklistTest.java b/src/inttest/java/com/faforever/api/data/DomainBlacklistTest.java
index 94473a875..b4ae82d1f 100644
--- a/src/inttest/java/com/faforever/api/data/DomainBlacklistTest.java
+++ b/src/inttest/java/com/faforever/api/data/DomainBlacklistTest.java
@@ -1,6 +1,8 @@
 package com.faforever.api.data;
 
 import com.faforever.api.AbstractIntegrationTest;
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
 import org.junit.Test;
 import org.springframework.http.HttpHeaders;
 import org.springframework.security.test.context.support.WithUserDetails;
@@ -10,8 +12,8 @@
 import static org.hamcrest.Matchers.hasSize;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.patch;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
@@ -21,70 +23,144 @@
 public class DomainBlacklistTest extends AbstractIntegrationTest {
   private static final String NEW_DOMAIN = "{\"data\":{\"type\":\"domainBlacklist\",\"id\":\"google.com\"}}";
 
+
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void emptyResultDomainBlacklistAsUser() throws Exception {
-    mockMvc.perform(get("/data/domainBlacklist"))
+  public void canReadDomainBlacklistWithScopeAndRole() throws Exception {
+    mockMvc.perform(get("/data/domainBlacklist")
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_WRITE_EMAIL_DOMAIN_BAN)))
       .andExpect(status().isOk())
-      .andExpect(content().string("{\"data\":[]}"));
+      .andExpect(jsonPath("$.data", hasSize(1)));
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void cannotReadSpecificDomainBlacklistAsUser() throws Exception {
-    mockMvc.perform(get("/data/domainBlacklist/spam.org"))
-      .andExpect(status().isForbidden());
+  public void canReaDomainBlacklistWithoutScope() throws Exception {
+    mockMvc.perform(get("/data/domainBlacklist")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_WRITE_EMAIL_DOMAIN_BAN)))
+      .andExpect(status().isOk())
+      .andExpect(jsonPath("$.data", hasSize(0)));
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void canReadDomainBlacklistAsModerator() throws Exception {
-    mockMvc.perform(get("/data/domainBlacklist"))
+  public void canReadDomainBlacklistWithoutRole() throws Exception {
+    mockMvc.perform(get("/data/domainBlacklist")
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES)))
       .andExpect(status().isOk())
-      .andExpect(jsonPath("$.data", hasSize(1)));
+      .andExpect(jsonPath("$.data", hasSize(0)));
   }
 
+
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void canReadSpecificDomainBlacklistAsModerator() throws Exception {
-    mockMvc.perform(get("/data/domainBlacklist/spam.org"))
+  public void canReadSpecificDomainBanWithScopeAndRole() throws Exception {
+    mockMvc.perform(get("/data/domainBlacklist/spam.org")
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_WRITE_EMAIL_DOMAIN_BAN)))
       .andExpect(status().isOk());
   }
 
+  @Test
+  public void cannotReadSpecificDomainBanWithoutScope() throws Exception {
+    mockMvc.perform(get("/data/domainBlacklist/spam.org")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_WRITE_EMAIL_DOMAIN_BAN)))
+      .andExpect(status().isForbidden());
+  }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void cannotCreateDomainBlacklistAsUser() throws Exception {
+  public void cannotReadSpecificDomainBanWithoutRole() throws Exception {
+    mockMvc.perform(get("/data/domainBlacklist/spam.org")
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES)))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void canCreateDomainBanWithScopeAndRole() throws Exception {
     mockMvc.perform(
       post("/data/domainBlacklist")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_WRITE_EMAIL_DOMAIN_BAN))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(NEW_DOMAIN))
+      .andExpect(status().isCreated());
+  }
+
+  @Test
+  public void cannotCreateDomainBanWithoutScope() throws Exception {
+    mockMvc.perform(
+      post("/data/domainBlacklist")
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_WRITE_EMAIL_DOMAIN_BAN))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
         .content(NEW_DOMAIN))
       .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void canCreateDomainBlacklistAsModerator() throws Exception {
+  public void cannotCreateDomainBanWithoutRole() throws Exception {
     mockMvc.perform(
       post("/data/domainBlacklist")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
         .content(NEW_DOMAIN))
-      .andExpect(status().isCreated());
+      .andExpect(status().isForbidden());
   }
 
+
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void cannotDeleteDomainBlacklistAsUser() throws Exception {
+  public void canUpdateDomainBanWithScopeAndRole() throws Exception {
     mockMvc.perform(
-      delete("/data/domainBlacklist/spam.org"))
+      patch("/data/domainBlacklist/spam.org")
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_WRITE_EMAIL_DOMAIN_BAN))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content("{\"data\":{\"type\":\"domainBlacklist\",\"id\":\"spam.org\"}}"))
+      .andExpect(status().isNoContent());
+  }
+
+  @Test
+  public void cannotUpdateDomainBanWithoutScope() throws Exception {
+    mockMvc.perform(
+      patch("/data/domainBlacklist/spam.org")
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_WRITE_EMAIL_DOMAIN_BAN))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(NEW_DOMAIN))
       .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void canDeleteDomainBlacklistAsModerator() throws Exception {
+  public void cannotUpdateDomainBanWithoutRole() throws Exception {
     mockMvc.perform(
-      delete("/data/domainBlacklist/spam.org"))
+      patch("/data/domainBlacklist/spam.org")
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(NEW_DOMAIN))
+      .andExpect(status().isForbidden());
+  }
+
+
+  @Test
+  public void canDeleteDomainBanWithScopeAndRole() throws Exception {
+    mockMvc.perform(
+      delete("/data/domainBlacklist/spam.org")
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_WRITE_EMAIL_DOMAIN_BAN)))
       .andExpect(status().isNoContent());
   }
+
+  @Test
+  public void cannotDeleteDomainBanWithoutScope() throws Exception {
+    mockMvc.perform(
+      delete("/data/domainBlacklist/spam.org")
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_WRITE_EMAIL_DOMAIN_BAN)))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void cannotDeleteDomainBanWithoutRole() throws Exception {
+    mockMvc.perform(
+      delete("/data/domainBlacklist/spam.org")
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES)))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  @WithUserDetails(AUTH_USER)
+  public void cannotDeleteDomainBlacklistAsUser() throws Exception {
+    mockMvc.perform(
+      delete("/data/domainBlacklist/spam.org"))
+      .andExpect(status().isForbidden());
+  }
 }
diff --git a/src/inttest/java/com/faforever/api/data/Ladder1v1MapTest.java b/src/inttest/java/com/faforever/api/data/Ladder1v1MapTest.java
index 8ad9ef35b..4e9d46688 100644
--- a/src/inttest/java/com/faforever/api/data/Ladder1v1MapTest.java
+++ b/src/inttest/java/com/faforever/api/data/Ladder1v1MapTest.java
@@ -1,9 +1,10 @@
 package com.faforever.api.data;
 
 import com.faforever.api.AbstractIntegrationTest;
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
 import org.junit.Test;
 import org.springframework.http.HttpHeaders;
-import org.springframework.security.test.context.support.WithUserDetails;
 import org.springframework.test.context.jdbc.Sql;
 import org.springframework.test.context.jdbc.Sql.ExecutionPhase;
 
@@ -18,38 +19,56 @@ public class Ladder1v1MapTest extends AbstractIntegrationTest {
   private static final String NEW_LADDER_MAP_BODY = "{\"data\":{\"type\":\"ladder1v1Map\",\"relationships\":{\"mapVersion\":{\"data\":{\"type\":\"mapVersion\",\"id\":\"2\"}}}}}";
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void cannotCreateLadderMapAsUser() throws Exception {
+  public void cannotCreateLadderMapWithoutScope() throws Exception {
     mockMvc.perform(
       post("/data/ladder1v1Map")
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_WRITE_MATCHMAKER_MAP))
         .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
         .content(NEW_LADDER_MAP_BODY)) // magic value from prepMapData.sql
       .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void canCreateLadderMapAsModerator() throws Exception {
+  public void cannotCreateLadderMapWithoutRole() throws Exception {
     mockMvc.perform(
       post("/data/ladder1v1Map")
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES))
+        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+        .content(NEW_LADDER_MAP_BODY)) // magic value from prepMapData.sql
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void canCreateLadderMapWithScopeAndRole() throws Exception {
+    mockMvc.perform(
+      post("/data/ladder1v1Map")
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_WRITE_MATCHMAKER_MAP))
         .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
         .content(NEW_LADDER_MAP_BODY)) // magic value from prepMapData.sql
       .andExpect(status().isCreated());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void cannotDeleteLadderMapAsUser() throws Exception {
+  public void canDeleteLadderMapWithScopeAndRole() throws Exception {
     mockMvc.perform(
-      delete("/data/ladder1v1Map/1")) // magic value from prepMapData.sql
+      delete("/data/ladder1v1Map/1")
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_WRITE_MATCHMAKER_MAP))) // magic value from prepMapData.sql
+      .andExpect(status().isNoContent());
+  }
+
+  @Test
+  public void cannotDeleteLadderMapWithoutScope() throws Exception {
+    mockMvc.perform(
+      delete("/data/ladder1v1Map/1")
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_WRITE_MATCHMAKER_MAP))) // magic value from prepMapData.sql
       .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void canDeleteLadderMapAsModerator() throws Exception {
+  public void cannotDeleteLadderMapWithoutRole() throws Exception {
     mockMvc.perform(
-      delete("/data/ladder1v1Map/1")) // magic value from prepMapData.sql
-      .andExpect(status().isNoContent());
+      delete("/data/ladder1v1Map/1")
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES))) // magic value from prepMapData.sql
+      .andExpect(status().isForbidden());
   }
 }
diff --git a/src/inttest/java/com/faforever/api/data/TeamkillTest.java b/src/inttest/java/com/faforever/api/data/TeamkillTest.java
index b5a5039b6..fa43f11a1 100644
--- a/src/inttest/java/com/faforever/api/data/TeamkillTest.java
+++ b/src/inttest/java/com/faforever/api/data/TeamkillTest.java
@@ -1,14 +1,14 @@
 package com.faforever.api.data;
 
 import com.faforever.api.AbstractIntegrationTest;
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
 import org.junit.Test;
-import org.springframework.security.test.context.support.WithUserDetails;
 import org.springframework.test.context.jdbc.Sql;
 import org.springframework.test.context.jdbc.Sql.ExecutionPhase;
 
 import static org.hamcrest.Matchers.hasSize;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
@@ -16,33 +16,49 @@
 @Sql(executionPhase = ExecutionPhase.BEFORE_TEST_METHOD, scripts = "classpath:sql/prepTeamkillData.sql")
 @Sql(executionPhase = ExecutionPhase.AFTER_TEST_METHOD, scripts = "classpath:sql/cleanTeamkillData.sql")
 public class TeamkillTest extends AbstractIntegrationTest {
+
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void emptyResultTeamkillsAsUser() throws Exception {
-    mockMvc.perform(get("/data/teamkill"))
+  public void emptyResultTeamkillsWithoutScope() throws Exception {
+    mockMvc.perform(get("/data/teamkill")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_READ_TEAMKILL_REPORT)))
       .andExpect(status().isOk())
-      .andExpect(content().string("{\"data\":[]}"));
+      .andExpect(jsonPath("$.data", hasSize(0)));
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void cannotReadSpecificTeamkillAsUser() throws Exception {
-    mockMvc.perform(get("/data/teamkill/1"))
-      .andExpect(status().isForbidden());
+  public void emptyResultTeamkillsWithoutRole() throws Exception {
+    mockMvc.perform(get("/data/teamkill")
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES)))
+      .andExpect(status().isOk())
+      .andExpect(jsonPath("$.data", hasSize(0)));
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void canReadTeamkillsAsModerator() throws Exception {
-    mockMvc.perform(get("/data/teamkill"))
+  public void canReadTeamkillsWithScopeAndRole() throws Exception {
+    mockMvc.perform(get("/data/teamkill")
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_READ_TEAMKILL_REPORT)))
       .andExpect(status().isOk())
       .andExpect(jsonPath("$.data", hasSize(1)));
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void canReadSpecificTeamkillAsModerator() throws Exception {
-    mockMvc.perform(get("/data/teamkill/1"))
+  public void cannotReadSpecificTeamkillWithoutScope() throws Exception {
+    mockMvc.perform(get("/data/teamkill/1")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_READ_TEAMKILL_REPORT)))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void cannotReadSpecificTeamkillWithoutRole() throws Exception {
+    mockMvc.perform(get("/data/teamkill/1")
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES)))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void canReadSpecificTeamkillWithScopeAndRole() throws Exception {
+    mockMvc.perform(get("/data/teamkill/1")
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_READ_TEAMKILL_REPORT)))
       .andExpect(status().isOk());
   }
 }
diff --git a/src/inttest/java/com/faforever/api/data/TutorialElideTest.java b/src/inttest/java/com/faforever/api/data/TutorialElideTest.java
index 6668e3514..cb0185488 100644
--- a/src/inttest/java/com/faforever/api/data/TutorialElideTest.java
+++ b/src/inttest/java/com/faforever/api/data/TutorialElideTest.java
@@ -1,20 +1,23 @@
 package com.faforever.api.data;
 
 import com.faforever.api.AbstractIntegrationTest;
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
 import com.faforever.commons.api.dto.Tutorial;
 import com.faforever.commons.api.dto.TutorialCategory;
 import com.jayway.jsonpath.JsonPath;
 import org.junit.Test;
 import org.springframework.http.HttpHeaders;
-import org.springframework.security.test.context.support.WithUserDetails;
 import org.springframework.test.context.jdbc.Sql;
 import org.springframework.test.context.jdbc.Sql.ExecutionPhase;
 import org.springframework.test.web.servlet.MvcResult;
 
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.hasSize;
+import static org.hamcrest.Matchers.is;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.patch;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@@ -38,65 +41,111 @@ private static Tutorial tutorial() {
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void nonEmptyResultTutorialsAsUser() throws Exception {
-    mockMvc.perform(get("/data/tutorial"))
+  public void nonEmptyResultTutorialsWithoutScopeAndRole() throws Exception {
+    mockMvc.perform(get("/data/tutorial")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES)))
       .andExpect(status().isOk())
       .andExpect(jsonPath("$.data", hasSize(1)));
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void canReadSpecificTutorialAsUser() throws Exception {
-    mockMvc.perform(get("/data/tutorial/1"))
+  public void canReadSpecificTutorialWithoutScopeAndRole() throws Exception {
+    mockMvc.perform(get("/data/tutorial/1")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES)))
       .andExpect(status().isOk());
   }
 
-  @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void canReadTutorialsAsModerator() throws Exception {
-    mockMvc.perform(get("/data/tutorial"))
-      .andExpect(status().isOk())
-      .andExpect(jsonPath("$.data", hasSize(1)));
-  }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void canReadSpecificTutorialAsModerator() throws Exception {
-    mockMvc.perform(get("/data/tutorial/1"))
-      .andExpect(status().isOk());
+  public void canDeleteTutorialWithScopeAndRole() throws Exception {
+    mockMvc.perform(delete("/data/tutorial/1")
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_WRITE_TUTORIAL)))
+      .andExpect(status().isNoContent());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void cannotPostTutorialAsUser() throws Exception {
-    mockMvc.perform(post("/data/tutorial")
-      .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
-      .content(createJsonApiContent(tutorial())))
+  public void cannotDeleteTutorialWithoutScope() throws Exception {
+    mockMvc.perform(delete("/data/tutorial/1")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_WRITE_TUTORIAL)))
       .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void cannotDeleteTutorialAsUser() throws Exception {
-    mockMvc.perform(delete("/data/tutorial/1"))
+  public void cannotDeleteTutorialWithoutRole() throws Exception {
+    mockMvc.perform(delete("/data/tutorial/1")
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES)))
       .andExpect(status().isForbidden());
   }
 
-
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void moderatorCanPostTutorial() throws Exception {
+  public void canPostTutorialWithScopeAndRole() throws Exception {
     MvcResult mvcResult = mockMvc.perform(
       post("/data/tutorial")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_WRITE_TUTORIAL))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
         .content(createJsonApiContent(tutorial())))
       .andExpect(status().isCreated())
       .andReturn();
 
     String id = JsonPath.parse(mvcResult.getResponse().getContentAsString()).read("$.data.id");
-    mockMvc.perform(get("/data/tutorial/{0}", id))
+    mockMvc.perform(get("/data/tutorial/{0}", id)
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES)))
       .andExpect(status().isOk())
       .andExpect(jsonPath("$.data.id", equalTo(id)));
   }
+
+  @Test
+  public void cannotPostTutorialWithoutScope() throws Exception {
+    mockMvc.perform(
+      post("/data/tutorial")
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_WRITE_TUTORIAL))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(createJsonApiContent(tutorial())))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void cannotPostTutorialWithoutRole() throws Exception {
+    mockMvc.perform(
+      post("/data/tutorial")
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(createJsonApiContent(tutorial())))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void canUpdateTutorialWithScopeAndRole() throws Exception {
+    mockMvc.perform(
+      patch("/data/tutorial/1")
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_WRITE_TUTORIAL))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(createJsonApiContent(tutorial().setDescription("changed").setId("1"))))
+      .andExpect(status().isNoContent());
+
+    mockMvc.perform(get("/data/tutorial/1")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES)))
+      .andExpect(status().isOk())
+      .andExpect(jsonPath("$.data.attributes.description", is("changed")));
+  }
+
+  @Test
+  public void cannotUpdateTutorialWithoutScope() throws Exception {
+    mockMvc.perform(
+      patch("/data/tutorial/1")
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_WRITE_TUTORIAL))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(createJsonApiContent(tutorial().setDescription("changed").setId("1"))))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void cannotUpdateTutorialWithoutRole() throws Exception {
+    mockMvc.perform(
+      patch("/data/tutorial/1")
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(createJsonApiContent(tutorial().setDescription("changed").setId("1"))))
+      .andExpect(status().isForbidden());
+  }
 }
diff --git a/src/inttest/java/com/faforever/api/data/UserNoteTest.java b/src/inttest/java/com/faforever/api/data/UserNoteTest.java
index 17d14a273..f00790943 100644
--- a/src/inttest/java/com/faforever/api/data/UserNoteTest.java
+++ b/src/inttest/java/com/faforever/api/data/UserNoteTest.java
@@ -1,11 +1,12 @@
 package com.faforever.api.data;
 
 import com.faforever.api.AbstractIntegrationTest;
+import com.faforever.api.data.domain.GroupPermission;
 import com.faforever.api.player.PlayerRepository;
+import com.faforever.api.security.OAuthScope;
 import org.junit.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpHeaders;
-import org.springframework.security.test.context.support.WithUserDetails;
 import org.springframework.test.context.jdbc.Sql;
 import org.springframework.test.context.jdbc.Sql.ExecutionPhase;
 
@@ -14,7 +15,6 @@
 import static org.junit.Assert.assertThat;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
@@ -52,51 +52,75 @@ public class UserNoteTest extends AbstractIntegrationTest {
   PlayerRepository playerRepository;
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void emptyResultUserNoteAsUser() throws Exception {
-    mockMvc.perform(get("/data/userNote"))
+  public void emptyResultWithoutScope() throws Exception {
+    mockMvc.perform(get("/data/userNote")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_ADMIN_ACCOUNT_NOTE)))
       .andExpect(status().isOk())
-      .andExpect(content().string("{\"data\":[]}"));
+      .andExpect(jsonPath("$.data", hasSize(0)));
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void cannotReadSpecificUserNoteAsUser() throws Exception {
-    mockMvc.perform(get("/data/userNote/1"))
-      .andExpect(status().isForbidden());
+  public void emptyResultWithoutRole() throws Exception {
+    mockMvc.perform(get("/data/userNote")
+      .with(getOAuthTokenWithTestUser(OAuthScope._READ_SENSIBLE_USERDATA, NO_AUTHORITIES)))
+      .andExpect(status().isOk())
+      .andExpect(jsonPath("$.data", hasSize(0)));
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void cannotCreateUserNoteAsUser() throws Exception {
-    mockMvc.perform(post("/data/userNote")
-      .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
-      .content(testPost))
+  public void canReadUserNotesWithScopeAndRole() throws Exception {
+    mockMvc.perform(get("/data/userNote")
+      .with(getOAuthTokenWithTestUser(OAuthScope._READ_SENSIBLE_USERDATA, GroupPermission.ROLE_ADMIN_ACCOUNT_NOTE)))
+      .andExpect(status().isOk())
+      .andExpect(jsonPath("$.data", hasSize(1)));
+  }
+
+  @Test
+  public void cannotReadSpecificUserNoteWithoutScope() throws Exception {
+    mockMvc.perform(get("/data/userNote/1")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_ADMIN_ACCOUNT_NOTE)))
       .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void canReadUserNoteAsModerator() throws Exception {
-    mockMvc.perform(get("/data/userNote"))
-      .andExpect(status().isOk())
-      .andExpect(jsonPath("$.data", hasSize(1)));
+  public void cannotReadSpecificUserNoteWithoutRole() throws Exception {
+    mockMvc.perform(get("/data/userNote/1")
+      .with(getOAuthTokenWithTestUser(OAuthScope._READ_SENSIBLE_USERDATA, NO_AUTHORITIES)))
+      .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void canReadSpecificUserNoteAsModerator() throws Exception {
-    mockMvc.perform(get("/data/userNote/1"))
+  public void canReadSpecificUserNoteWithScopeAndRole() throws Exception {
+    mockMvc.perform(get("/data/userNote/1")
+      .with(getOAuthTokenWithTestUser(OAuthScope._READ_SENSIBLE_USERDATA, GroupPermission.ROLE_ADMIN_ACCOUNT_NOTE)))
       .andExpect(status().isOk());
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void canCreateUserNoteAsModerator() throws Exception {
+  public void cannotCreateUserNoteWithoutScope() throws Exception {
+    mockMvc.perform(post("/data/userNote")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_ADMIN_ACCOUNT_NOTE))
+      .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+      .content(testPost))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void cannotCreateUserNoteWithoutRole() throws Exception {
+    mockMvc.perform(post("/data/userNote")
+      .with(getOAuthTokenWithTestUser(OAuthScope._READ_SENSIBLE_USERDATA, NO_AUTHORITIES))
+      .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+      .content(testPost))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void canCreateUserNoteWithScopeAndRole() throws Exception {
     assertThat(playerRepository.getOne(3).getUserNotes().size(), is(0));
 
     mockMvc.perform(post("/data/userNote")
-      .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+      .with(getOAuthTokenWithTestUser(OAuthScope._READ_SENSIBLE_USERDATA, GroupPermission.ROLE_ADMIN_ACCOUNT_NOTE))
+      .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
       .content(testPost))
       .andExpect(status().isCreated());
 
diff --git a/src/inttest/java/com/faforever/api/data/VotingElideTest.java b/src/inttest/java/com/faforever/api/data/VotingElideTest.java
index 2faf7aeff..76c99aa8f 100644
--- a/src/inttest/java/com/faforever/api/data/VotingElideTest.java
+++ b/src/inttest/java/com/faforever/api/data/VotingElideTest.java
@@ -1,6 +1,7 @@
 package com.faforever.api.data;
 
 import com.faforever.api.AbstractIntegrationTest;
+import com.faforever.api.data.domain.GroupPermission;
 import com.faforever.api.data.domain.VotingChoice;
 import com.faforever.api.data.domain.VotingQuestion;
 import com.faforever.api.security.OAuthScope;
@@ -9,7 +10,6 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.MediaType;
-import org.springframework.security.test.context.support.WithUserDetails;
 import org.springframework.test.context.jdbc.Sql;
 import org.springframework.test.context.jdbc.Sql.ExecutionPhase;
 
@@ -23,7 +23,6 @@
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.patch;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
@@ -234,43 +233,63 @@ public class VotingElideTest extends AbstractIntegrationTest {
 
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
   public void noBodyCanSeeOtherPeoplesVote() throws Exception {
-    mockMvc.perform(get("/data/vote"))
+    mockMvc.perform(get("/data/vote")
+      .with(getOAuthTokenWithTestUser(OAuthScope._VOTE, NO_AUTHORITIES)))
       .andExpect(status().isOk())
-      .andExpect(content().string("{\"data\":[]}"));
+      .andExpect(jsonPath("$.data", hasSize(0)));
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
   public void everyBodySeesVotingSubjects() throws Exception {
-    mockMvc.perform(get("/data/votingSubject"))
+    mockMvc.perform(get("/data/votingSubject")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES)))
       .andExpect(status().isOk())
       .andExpect(jsonPath("$.data", hasSize(2)));
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
   public void everyBodySeesVotingQuestions() throws Exception {
-    mockMvc.perform(get("/data/votingQuestion"))
+    mockMvc.perform(get("/data/votingQuestion")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES)))
       .andExpect(status().isOk())
       .andExpect(jsonPath("$.data", hasSize(2)));
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
   public void everyBodySeesVotingChoices() throws Exception {
-    mockMvc.perform(get("/data/votingChoice"))
+    mockMvc.perform(get("/data/votingChoice")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES)))
       .andExpect(status().isOk())
       .andExpect(jsonPath("$.data", hasSize(3)));
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void testRevealWinnerOnEndedSubjectWorks() throws Exception {
+  public void cannotRevealWinnerOnEndedSubjectWorksWithoutScope() throws Exception {
     mockMvc.perform(
       patch("/data/votingSubject/2")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_ADMIN_VOTE))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(PATCH_VOTING_SUBJECT_REVEAL_ID_2))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void cannotRevealWinnerOnEndedSubjectWorksWithoutRole() throws Exception {
+    mockMvc.perform(
+      patch("/data/votingSubject/2")
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(PATCH_VOTING_SUBJECT_REVEAL_ID_2))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void canRevealWinnerOnEndedSubjectWorksWithScopeAndRole() throws Exception {
+    mockMvc.perform(
+      patch("/data/votingSubject/2")
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_ADMIN_VOTE))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
         .content(PATCH_VOTING_SUBJECT_REVEAL_ID_2))
       .andExpect(status().isNoContent());
     VotingQuestion question = votingQuestionRepository.getOne(2);
@@ -280,48 +299,87 @@ public void testRevealWinnerOnEndedSubjectWorks() throws Exception {
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void testRevealWinnerOnNoneEndedSubjectFails() throws Exception {
+  public void cannotRevealWinnerOnNoneEndedSubjectFails() throws Exception {
     mockMvc.perform(
       patch("/data/votingSubject/1")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_ADMIN_VOTE))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
         .content(PATCH_VOTING_SUBJECT_REVEAL_ID_1))
       .andExpect(status().is4xxClientError());
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void postVote() throws Exception {
-    mockMvc.perform(post("/voting/vote").contentType(MediaType.APPLICATION_JSON).content(POST_VOTE_SUBJECT1).with(getOAuthToken(OAuthScope._VOTE)))
+  public void cannotPostVoteWithoutScope() throws Exception {
+    mockMvc.perform(post("/voting/vote")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES))
+      .contentType(MediaType.APPLICATION_JSON)
+      .content(POST_VOTE_SUBJECT1))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void canPostVoteWithScope() throws Exception {
+    mockMvc.perform(post("/voting/vote")
+      .with(getOAuthTokenWithTestUser(OAuthScope._VOTE, NO_AUTHORITIES))
+      .contentType(MediaType.APPLICATION_JSON)
+      .content(POST_VOTE_SUBJECT1))
       .andExpect(status().isOk());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void postVoteWhereVoteAlreadyExists() throws Exception {
-    mockMvc.perform(post("/voting/vote").contentType(MediaType.APPLICATION_JSON).content(POST_VOTE_SUBJECT1).with(getOAuthToken(OAuthScope._VOTE)))
-      .andExpect(status().is(422));
+  public void cannotPostVoteWhereVoteAlreadyExists() throws Exception {
+    canPostVoteWithScope();
+
+    mockMvc.perform(post("/voting/vote")
+      .with(getOAuthTokenWithTestUser(OAuthScope._VOTE, NO_AUTHORITIES))
+      .contentType(MediaType.APPLICATION_JSON)
+      .content(POST_VOTE_SUBJECT1))
+      .andExpect(status().isUnprocessableEntity());
+  }
+
+  @Test
+  public void cannotPostVoteOnEndedSubject() throws Exception {
+    mockMvc.perform(post("/voting/vote")
+      .with(getOAuthTokenWithTestUser(OAuthScope._VOTE, NO_AUTHORITIES))
+      .contentType(MediaType.APPLICATION_JSON)
+      .content(POST_VOTE_SUBJECT2))
+      .andExpect(status().isUnprocessableEntity());
+  }
+
+  @Test
+  public void cannotPostVotingSubjectWithoutScope() throws Exception {
+    mockMvc.perform(post("/data/votingSubject")
+      .contentType(MediaType.APPLICATION_JSON)
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_ADMIN_VOTE))
+      .content(CREATE_VOTING_SUBJECT_REVEAL_WINNER_FALSE))
+      .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void postVoteOnEndedSubject() throws Exception {
-    mockMvc.perform(post("/voting/vote").contentType(MediaType.APPLICATION_JSON).content(POST_VOTE_SUBJECT2).with(getOAuthToken(OAuthScope._VOTE)))
-      .andExpect(status().is(422));
+  public void cannotPostVotingSubjectWithoutRole() throws Exception {
+    mockMvc.perform(post("/data/votingSubject")
+      .contentType(MediaType.APPLICATION_JSON)
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES))
+      .content(CREATE_VOTING_SUBJECT_REVEAL_WINNER_FALSE))
+      .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void postVotingSubject() throws Exception {
-    mockMvc.perform(post("/data/votingSubject").contentType(MediaType.APPLICATION_JSON).content(CREATE_VOTING_SUBJECT_REVEAL_WINNER_FALSE))
-      .andExpect(status().is(201));
+  public void canPostVotingSubjectWithScopeAndRole() throws Exception {
+    mockMvc.perform(post("/data/votingSubject")
+      .contentType(MediaType.APPLICATION_JSON)
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_ADMIN_VOTE))
+      .content(CREATE_VOTING_SUBJECT_REVEAL_WINNER_FALSE))
+      .andExpect(status().isCreated());
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void postVotingSubjectWithRevealWinnerTrueButVoteNotEnded() throws Exception {
+  public void cannotPostVotingSubjectWithRevealWinnerTrueButVoteNotEnded() throws Exception {
     String votingSubject = CREATE_VOTING_SUBJECT_REVEAL_WINNER_TRUE.replaceAll("\\{end-time}", OffsetDateTime.now().plusYears(1).format(DateTimeFormatter.ISO_OFFSET_DATE_TIME));
-    mockMvc.perform(post("/data/votingSubject").contentType(MediaType.APPLICATION_JSON).content(votingSubject))
+    mockMvc.perform(post("/data/votingSubject")
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_ADMIN_VOTE))
+      .contentType(MediaType.APPLICATION_JSON)
+      .content(votingSubject))
       .andExpect(status().is(400));
   }
 }
diff --git a/src/inttest/java/com/faforever/api/event/EventControllerTest.java b/src/inttest/java/com/faforever/api/event/EventControllerTest.java
index 7f05554b0..f442840f6 100644
--- a/src/inttest/java/com/faforever/api/event/EventControllerTest.java
+++ b/src/inttest/java/com/faforever/api/event/EventControllerTest.java
@@ -29,7 +29,7 @@ public void singleExistingPlayerEventCanBeUpdated() throws Exception {
       patch("/events/update")
         .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
         .content(objectMapper.writeValueAsString(updatedEvents))
-        .with(getOAuthToken(OAuthScope._WRITE_EVENTS)))
+        .with(getOAuthTokenWithoutUser(OAuthScope._WRITE_EVENTS)))
       .andExpect(status().isOk())
       .andExpect(jsonPath("$.data", hasSize(1)))
       .andExpect(jsonPath("$.data[0].attributes.currentCount", Matchers.is(31)))
@@ -43,7 +43,7 @@ public void singleNonExistingPlayerEventCanBeCreated() throws Exception {
       patch("/events/update")
         .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
         .content(objectMapper.writeValueAsString(updatedEvents))
-        .with(getOAuthToken(OAuthScope._WRITE_EVENTS)))
+        .with(getOAuthTokenWithoutUser(OAuthScope._WRITE_EVENTS)))
       .andExpect(status().isOk())
       .andExpect(jsonPath("$.data", hasSize(1)))
       .andExpect(jsonPath("$.data[0].attributes.currentCount", Matchers.is(10)))
@@ -60,7 +60,7 @@ public void multipleExistingPlayerEventsCanBeUpdated() throws Exception {
       patch("/events/update")
         .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
         .content(objectMapper.writeValueAsString(updatedEvents))
-        .with(getOAuthToken(OAuthScope._WRITE_EVENTS)))
+        .with(getOAuthTokenWithoutUser(OAuthScope._WRITE_EVENTS)))
       .andExpect(status().isOk())
       .andExpect(jsonPath("$.data", hasSize(2)))
       .andExpect(jsonPath("$.data[*].attributes.currentCount", Matchers.containsInAnyOrder(31, 20)))
@@ -84,7 +84,7 @@ public void nonExistingEventShouldFail() throws Exception {
       patch("/events/update")
         .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
         .content(objectMapper.writeValueAsString(updatedEvents))
-        .with(getOAuthToken(OAuthScope._WRITE_EVENTS)))
+        .with(getOAuthTokenWithoutUser(OAuthScope._WRITE_EVENTS)))
       .andExpect(status().isUnprocessableEntity());
   }
 
@@ -95,7 +95,7 @@ public void nonExistingPlayerShouldFail() throws Exception {
       patch("/events/update")
         .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
         .content(objectMapper.writeValueAsString(updatedEvents))
-        .with(getOAuthToken(OAuthScope._WRITE_EVENTS)))
+        .with(getOAuthTokenWithoutUser(OAuthScope._WRITE_EVENTS)))
       .andExpect(status().isUnprocessableEntity());
   }
 
@@ -106,7 +106,7 @@ public void negativeCountShouldFail() throws Exception {
       patch("/events/update")
         .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
         .content(objectMapper.writeValueAsString(updatedEvents))
-        .with(getOAuthToken(OAuthScope._WRITE_EVENTS)))
+        .with(getOAuthTokenWithoutUser(OAuthScope._WRITE_EVENTS)))
       .andExpect(status().isUnprocessableEntity());
   }
 }
diff --git a/src/inttest/java/com/faforever/api/moderationreport/ModerationReportTest.java b/src/inttest/java/com/faforever/api/moderationreport/ModerationReportTest.java
index db4b0218c..9d293c5d5 100644
--- a/src/inttest/java/com/faforever/api/moderationreport/ModerationReportTest.java
+++ b/src/inttest/java/com/faforever/api/moderationreport/ModerationReportTest.java
@@ -1,7 +1,9 @@
 package com.faforever.api.moderationreport;
 
 import com.faforever.api.AbstractIntegrationTest;
-import com.faforever.api.data.JsonApiMediaType;
+import com.faforever.api.data.DataController;
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
 import com.faforever.commons.api.dto.Game;
 import com.faforever.commons.api.dto.ModerationReport;
 import com.faforever.commons.api.dto.ModerationReportStatus;
@@ -11,7 +13,6 @@
 import org.junit.Test;
 import org.springframework.http.HttpHeaders;
 import org.springframework.security.test.context.support.WithAnonymousUser;
-import org.springframework.security.test.context.support.WithUserDetails;
 import org.springframework.test.context.jdbc.Sql;
 import org.springframework.test.context.jdbc.Sql.ExecutionPhase;
 
@@ -46,7 +47,7 @@ public void setUp() {
     Player reporter = (Player) new Player().setId("1");
     Player reportedUser1 = (Player) new Player().setId("3");
     Player reportedUser2 = (Player) new Player().setId("2");
-    Game game = new Game().setId("1");
+    Game game = (Game) new Game().setId("1");
     reportedUsers = Sets.newHashSet(reportedUser1, reportedUser2);
     validModerationReport = new ModerationReport()
       .setReportDescription("Report description")
@@ -63,250 +64,293 @@ public void setUp() {
   public void anonymousUserCannotCreateValidModerationReport() throws Exception {
     mockMvc.perform(
       post("/data/moderationReport")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
         .content(createJsonApiContent(validModerationReport)))
       .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void userCanCreateValidModerationReport() throws Exception {
+  public void canCreateValidModerationReportWithoutScopeAndRole() throws Exception {
+    mockMvc.perform(get("/data/account"));
     mockMvc.perform(
       post("/data/moderationReport")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
         .content(createJsonApiContent(validModerationReport)))
       .andExpect(status().isCreated())
       .andExpect(jsonPath("$.data.attributes.reportStatus", is(ModerationReportStatus.AWAITING.name())))
       .andExpect(jsonPath("$.data.attributes.reportDescription", is("Report description")))
       .andExpect(jsonPath("$.data.attributes.gameIncidentTimecode", is("Incident code")))
       .andExpect(jsonPath("$.data.attributes.reportStatus", is(ModerationReportStatus.AWAITING.name())))
-      .andExpect(jsonPath("$.data.relationships.reporter.data.id", is("1")))
+      .andExpect(jsonPath("$.data.relationships.reporter.data.id", is("5")))
       .andExpect(jsonPath("$.data.relationships.game.data.id", is("1")))
       .andExpect(jsonPath("$.data.relationships.reportedUsers.data", hasSize(2)));
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void userCannotCreateReportWithModeratorsData() throws Exception {
+  public void cannotCreateReportWithModeratorsDataWithoutScopeAndRole() throws Exception {
     validModerationReport
       .setModeratorNotice("Moderation notice")
       .setModeratorPrivateNote("Moderation private note");
     mockMvc.perform(
       post("/data/moderationReport")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
         .content(createJsonApiContent(validModerationReport)))
       .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void userCannotCreateReportWithoutReportedUsers() throws Exception {
+  public void cannotCreateReportWithoutReportedUsers() throws Exception {
     validModerationReport
       .setReportedUsers(null);
     mockMvc.perform(
       post("/data/moderationReport")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
         .content(createJsonApiContent(validModerationReport)))
       .andExpect(status().isBadRequest());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
   public void userCannotCreateReportWithoutReportDescription() throws Exception {
     validModerationReport
       .setReportDescription(null);
     mockMvc.perform(
       post("/data/moderationReport")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
         .content(createJsonApiContent(validModerationReport)))
       .andExpect(status().isBadRequest());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void moderationReportCannotBeDeletedByUser() throws Exception {
+  public void cannotDeleteReportWithoutScopeAndRole() throws Exception {
     mockMvc.perform(
-      delete("/data/moderationReport/1"))
+      delete("/data/moderationReport/1")
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES)))
       .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void moderationReportCannotBeDeletedByModerator() throws Exception {
+  public void moderationReportCannotBeDeletedEvenWithScopeAndRole() throws Exception {
     mockMvc.perform(
-      delete("/data/moderationReport/1"))
+      delete("/data/moderationReport/1")
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_ADMIN_ACCOUNT_NOTE)))
       .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void userCanUpdateDescription() throws Exception {
-    final ModerationReport updatedDescriptionModerationReport = (ModerationReport) new ModerationReport()
-      .setReportStatus(null)
-      .setReportDescription("New report description")
-      .setId("1");
-    mockMvc.perform(
-      patch("/data/moderationReport/1")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
-        .content(createJsonApiContent(updatedDescriptionModerationReport)))
-      .andExpect(status().isNoContent());
-    mockMvc.perform(
-      get("/data/moderationReport/1"))
-      .andExpect(jsonPath("$.data.attributes.reportDescription", is("New report description")));
-  }
-
-  @Test
-  @WithUserDetails(AUTH_USER)
-  public void userCanUpdateTimecode() throws Exception {
-    final ModerationReport updatedTimecodeModerationReport = (ModerationReport) new ModerationReport()
-      .setReportStatus(null)
-      .setGameIncidentTimecode("New incident timecode")
-      .setId("1");
-    mockMvc.perform(
-      patch("/data/moderationReport/1")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
-        .content(createJsonApiContent(updatedTimecodeModerationReport)))
-      .andExpect(status().isNoContent());
-    mockMvc.perform(
-      get("/data/moderationReport/1"))
-      .andExpect(jsonPath("$.data.attributes.gameIncidentTimecode", is("New incident timecode")));
-  }
+  public void cannotUpdateSomeoneElsesReport() throws Exception {
+    reportedUsers.add((Player) new Player().setId("2"));
 
-  @Test
-  @WithUserDetails(AUTH_USER)
-  public void userCanUpdateGameId() throws Exception {
-    final ModerationReport updatedGameIdModerationReport = (ModerationReport) new ModerationReport()
+    final ModerationReport updatedModerationReport = (ModerationReport) new ModerationReport()
       .setReportStatus(null)
-      .setGame(new Game().setId("1"))
-      .setId("1");
-    mockMvc.perform(
-      patch("/data/moderationReport/1")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
-        .content(createJsonApiContent(updatedGameIdModerationReport)))
-      .andExpect(status().isNoContent());
+      .setReportDescription("New report description")
+      .setId("2");
     mockMvc.perform(
-      get("/data/moderationReport/1"))
-      .andExpect(jsonPath("$.data.relationships.game.data.id", is("1")));
+      patch("/data/moderationReport/2")
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(createJsonApiContent(updatedModerationReport)))
+      .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void userCanUpdateReportedUsers() throws Exception {
+  public void canUpdateOwnReport() throws Exception {
     reportedUsers.add((Player) new Player().setId("1"));
-    final ModerationReport updatedReportedUsersModerationReport = (ModerationReport) new ModerationReport()
+
+    final ModerationReport updatedModerationReport = (ModerationReport) new ModerationReport()
       .setReportStatus(null)
+      .setReportDescription("New report description")
+      .setGameIncidentTimecode("New incident timecode")
+      .setGame((Game) new Game().setId("1"))
       .setReportedUsers(reportedUsers)
       .setId("1");
     mockMvc.perform(
       patch("/data/moderationReport/1")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
-        .content(createJsonApiContent(updatedReportedUsersModerationReport)))
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(createJsonApiContent(updatedModerationReport)))
       .andExpect(status().isNoContent());
     mockMvc.perform(
-      get("/data/moderationReport/1"))
+      get("/data/moderationReport/1")
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES)))
+      .andExpect(jsonPath("$.data.attributes.reportDescription", is("New report description")))
+      .andExpect(jsonPath("$.data.attributes.gameIncidentTimecode", is("New incident timecode")))
+      .andExpect(jsonPath("$.data.relationships.game.data.id", is("1")))
       .andExpect(jsonPath("$.data.relationships.reportedUsers.data", hasSize(3)));
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
   public void userCannotUpdateReportInNonAwaitingState() throws Exception {
     reportedUsers.removeIf(player -> player.getId().equals("2"));
     final ModerationReport updatedGameIdModerationReport = (ModerationReport) new ModerationReport()
       .setReportStatus(null)
       .setReportDescription("New report description")
       .setGameIncidentTimecode("New incident timecode")
-      .setGame(new Game().setId("1"))
+      .setGame((Game) new Game().setId("1"))
       .setReportedUsers(reportedUsers)
       .setId("2");
     mockMvc.perform(
       patch("/data/moderationReport/2")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
         .content(createJsonApiContent(updatedGameIdModerationReport)))
       .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void reporterCannotUpdateReportStatus() throws Exception {
+  public void cannotUpdateReportStatusWithoutScope() throws Exception {
     final ModerationReport updatedReportStatusModerationReport = (ModerationReport) new ModerationReport()
       .setReportStatus(ModerationReportStatus.AWAITING)
       .setId("1");
     mockMvc.perform(
       patch("/data/moderationReport/1")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_ADMIN_MODERATION_REPORT))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
         .content(createJsonApiContent(updatedReportStatusModerationReport)))
       .andExpect(status().isForbidden());
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void moderatorCanUpdateReportStatus() throws Exception {
+  public void cannotUpdateReportStatusWithoutRole() throws Exception {
     final ModerationReport updatedReportStatusModerationReport = (ModerationReport) new ModerationReport()
       .setReportStatus(ModerationReportStatus.AWAITING)
       .setId("1");
     mockMvc.perform(
       patch("/data/moderationReport/1")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(createJsonApiContent(updatedReportStatusModerationReport)))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void canUpdateReportStatusWithScopeAndRole() throws Exception {
+    final ModerationReport updatedReportStatusModerationReport = (ModerationReport) new ModerationReport()
+      .setReportStatus(ModerationReportStatus.AWAITING)
+      .setId("1");
+    mockMvc.perform(
+      patch("/data/moderationReport/1")
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_ADMIN_MODERATION_REPORT))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
         .content(createJsonApiContent(updatedReportStatusModerationReport)))
       .andExpect(status().isNoContent());
     mockMvc.perform(
-      get("/data/moderationReport/1"))
+      get("/data/moderationReport/1")
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_ADMIN_MODERATION_REPORT)))
       .andExpect(jsonPath("$.data.attributes.reportStatus", is(ModerationReportStatus.AWAITING.name())));
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void moderatorCanUpdateNotice() throws Exception {
-    final ModerationReport updatedModeratorNoticeModerationReport = (ModerationReport) new ModerationReport()
+  public void canUpdateNoticeWithScopeAndRole() throws Exception {
+    final ModerationReport updatedPublicNoteModerationReport = (ModerationReport) new ModerationReport()
       .setModeratorNotice("New moderator notice")
       .setId("1");
     mockMvc.perform(
       patch("/data/moderationReport/1")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
-        .content(createJsonApiContent(updatedModeratorNoticeModerationReport)))
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_ADMIN_MODERATION_REPORT))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(createJsonApiContent(updatedPublicNoteModerationReport)))
       .andExpect(status().isNoContent());
     mockMvc.perform(
-      get("/data/moderationReport/1"))
+      get("/data/moderationReport/1")
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_ADMIN_MODERATION_REPORT)))
       .andExpect(jsonPath("$.data.attributes.moderatorNotice", is("New moderator notice")));
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void moderatorCanUpdatePrivateNote() throws Exception {
-    final ModerationReport updatedModeratorPrivateNoteModerationReport = (ModerationReport) new ModerationReport()
+  public void cannotUpdateNoticeWithoutScope() throws Exception {
+    final ModerationReport updatedPublicNoteModerationReport = (ModerationReport) new ModerationReport()
+      .setModeratorNotice("New moderator notice")
+      .setId("1");
+    mockMvc.perform(
+      patch("/data/moderationReport/1")
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_ADMIN_MODERATION_REPORT))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(createJsonApiContent(updatedPublicNoteModerationReport)))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void cannotUpdateNoticeWithoutRole() throws Exception {
+    final ModerationReport updatedPublicNoteModerationReport = (ModerationReport) new ModerationReport()
+      .setModeratorNotice("New moderator notice")
+      .setId("1");
+    mockMvc.perform(
+      patch("/data/moderationReport/1")
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(createJsonApiContent(updatedPublicNoteModerationReport)))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void canUpdatePrivateNoteWithScopeAndRole() throws Exception {
+    final ModerationReport updatedPrivateNoteModerationReport = (ModerationReport) new ModerationReport()
       .setModeratorPrivateNote("New moderator private note")
       .setId("1");
     mockMvc.perform(
       patch("/data/moderationReport/1")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
-        .content(createJsonApiContent(updatedModeratorPrivateNoteModerationReport)))
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_ADMIN_MODERATION_REPORT))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(createJsonApiContent(updatedPrivateNoteModerationReport)))
       .andExpect(status().isNoContent());
     mockMvc.perform(
-      get("/data/moderationReport/1"))
+      get("/data/moderationReport/1")
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_ADMIN_MODERATION_REPORT)))
       .andExpect(jsonPath("$.data.attributes.moderatorPrivateNote", is("New moderator private note")));
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
+  public void cannotUpdatePrivateNoteWithoutScope() throws Exception {
+    final ModerationReport updatedPrivateNoteModerationReport = (ModerationReport) new ModerationReport()
+      .setModeratorPrivateNote("New moderator private note")
+      .setId("1");
+    mockMvc.perform(
+      patch("/data/moderationReport/1")
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_ADMIN_MODERATION_REPORT))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(createJsonApiContent(updatedPrivateNoteModerationReport)))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void cannotUpdatePrivateNoteWithoutRole() throws Exception {
+    final ModerationReport updatedPrivateNoteModerationReport = (ModerationReport) new ModerationReport()
+      .setModeratorPrivateNote("New moderator private note")
+      .setId("1");
+    mockMvc.perform(
+      patch("/data/moderationReport/1")
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(createJsonApiContent(updatedPrivateNoteModerationReport)))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
   public void lastModeratorIsUpdatedWhenCalledByModerator() throws Exception {
-    final ModerationReport updatedModeratorPrivateNoteModerationReport = (ModerationReport) new ModerationReport()
+    final ModerationReport updatedPrivateNoteModerationReport = (ModerationReport) new ModerationReport()
       .setModeratorPrivateNote("New moderator private note")
       .setId("1");
     mockMvc.perform(
       patch("/data/moderationReport/1")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
-        .content(createJsonApiContent(updatedModeratorPrivateNoteModerationReport)))
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_ADMIN_MODERATION_REPORT))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(createJsonApiContent(updatedPrivateNoteModerationReport)))
       .andExpect(status().isNoContent());
     mockMvc.perform(
-      get("/data/moderationReport/1"))
-      .andExpect(jsonPath("$.data.relationships.lastModerator.data.id", is("2")));
+      get("/data/moderationReport/1")
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_ADMIN_MODERATION_REPORT)))
+      .andExpect(jsonPath("$.data.relationships.lastModerator.data.id", is("5")));
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void userCanSeeOwnFieldsAndReportStatusAndModeratorNotice() throws Exception {
+  public void userCanSeeOwnFieldsAndReportStatusAndPublicNote() throws Exception {
     mockMvc.perform(
-      get("/data/moderationReport/2"))
+      get("/data/moderationReport/2")
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES)))
       .andExpect(jsonPath("$.data.attributes.reportDescription", is("Report description")))
       .andExpect(jsonPath("$.data.attributes.gameIncidentTimecode", is("Incident timecode")))
       .andExpect(jsonPath("$.data.attributes.reportStatus", is(ModerationReportStatus.PROCESSING.name())))
@@ -314,30 +358,30 @@ public void userCanSeeOwnFieldsAndReportStatusAndModeratorNotice() throws Except
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
-  public void userCannotSeeModeratorPrivateNote() throws Exception {
+  public void userCannotSeePrivateNote() throws Exception {
     mockMvc.perform(
-      get("/data/moderationReport/2"))
+      get("/data/moderationReport/2")
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES)))
       .andExpect(jsonPath("$.data.attributes.moderatorPrivateNote").doesNotExist());
   }
 
   @Test
-  @WithUserDetails(AUTH_USER)
   public void userCanSeeOnlyOwnReports() throws Exception {
     mockMvc.perform(
-      get("/data/moderationReport"))
-      .andExpect(jsonPath("$.data[*].relationships.reporter.data.id", everyItem(is("1"))));
+      get("/data/moderationReport")
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES)))
+      .andExpect(jsonPath("$.data[*].relationships.reporter.data.id", everyItem(is("5"))));
   }
 
   @Test
-  @WithUserDetails(AUTH_MODERATOR)
-  public void moderatorCannotUpdateReportedUsers() throws Exception {
+  public void cannotUpdateReportedUsers() throws Exception {
     final ModerationReport updatedReportedUsersModerationReport = (ModerationReport) new ModerationReport()
       .setReportedUsers(Collections.emptySet())
-      .setId("1");
+      .setId("3");
     mockMvc.perform(
-      patch("/data/moderationReport/1")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+      patch("/data/moderationReport/3")
+        .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_ADMIN_MODERATION_REPORT))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
         .content(createJsonApiContent(updatedReportedUsersModerationReport)))
       .andExpect(status().isForbidden());
   }
diff --git a/src/inttest/java/com/faforever/api/user/UsersControllerTest.java b/src/inttest/java/com/faforever/api/user/UsersControllerTest.java
index 2add75091..1f4b716cb 100644
--- a/src/inttest/java/com/faforever/api/user/UsersControllerTest.java
+++ b/src/inttest/java/com/faforever/api/user/UsersControllerTest.java
@@ -66,7 +66,7 @@ public void registerWithSuccess() throws Exception {
     params.add("password", NEW_PASSWORD);
 
     mockMvc.perform(post("/users/register")
-      .with(getOAuthToken(OAuthScope._CREATE_USER))
+      .with(getOAuthTokenWithoutUser(OAuthScope._CREATE_USER))
       .params(params)
     ).andExpect(status().isOk());
 
@@ -95,7 +95,7 @@ public void registerWithAuthentication() throws Exception {
     params.add("password", NEW_PASSWORD);
 
     MvcResult result = mockMvc.perform(post("/users/register")
-      .with(getOAuthToken(OAuthScope._CREATE_USER))
+      .with(getOAuthTokenWithoutUser(OAuthScope._CREATE_USER))
       .params(params)
     ).andExpect(status().is4xxClientError())
       .andReturn();
@@ -128,7 +128,7 @@ public void changePasswordWithSuccess() throws Exception {
 
     mockMvc.perform(
       post("/users/changePassword")
-        .with(getOAuthToken(OAuthScope._WRITE_ACCOUNT_DATA))
+        .with(getOAuthTokenWithoutUser(OAuthScope._WRITE_ACCOUNT_DATA))
         .params(params))
       .andExpect(status().isOk());
 
@@ -139,13 +139,14 @@ public void changePasswordWithSuccess() throws Exception {
 
   @Test
   @WithUserDetails(AUTH_USER)
-  public void changePasswordWithWrongScope() throws Exception {
+  public void changePasswordWithoutScope() throws Exception {
     MultiValueMap<String, String> params = new HttpHeaders();
     params.add("currentPassword", AUTH_USER);
     params.add("newPassword", NEW_PASSWORD);
 
     mockMvc.perform(
       post("/users/changePassword")
+        .with(getOAuthTokenWithoutUser(NO_SCOPE))
         .params(params))
       .andExpect(status().isForbidden());
   }
@@ -159,7 +160,7 @@ public void changePasswordWithWrongPassword() throws Exception {
 
     MvcResult mvcResult = mockMvc.perform(
       post("/users/changePassword")
-        .with(getOAuthToken(OAuthScope._WRITE_ACCOUNT_DATA))
+        .with(getOAuthTokenWithoutUser(OAuthScope._WRITE_ACCOUNT_DATA))
         .params(params))
       .andExpect(status().is4xxClientError())
       .andReturn();
@@ -176,7 +177,7 @@ public void changeEmailWithSuccess() throws Exception {
 
     mockMvc.perform(
       post("/users/changeEmail")
-        .with(getOAuthToken(OAuthScope._WRITE_ACCOUNT_DATA))
+        .with(getOAuthTokenWithoutUser(OAuthScope._WRITE_ACCOUNT_DATA))
         .params(params))
       .andExpect(status().isOk());
 
@@ -186,13 +187,14 @@ public void changeEmailWithSuccess() throws Exception {
 
   @Test
   @WithUserDetails(AUTH_USER)
-  public void changeEmailWithWrongScope() throws Exception {
+  public void changeEmailWithoutScope() throws Exception {
     MultiValueMap<String, String> params = new HttpHeaders();
     params.add("currentPassword", AUTH_USER);
     params.add("newEmail", NEW_EMAIL);
 
     mockMvc.perform(
       post("/users/changeEmail")
+        .with(getOAuthTokenWithoutUser(NO_SCOPE))
         .params(params))
       .andExpect(status().isForbidden());
   }
@@ -206,7 +208,7 @@ public void changeEmailWithWrongPassword() throws Exception {
 
     MvcResult mvcResult = mockMvc.perform(
       post("/users/changeEmail")
-        .with(getOAuthToken(OAuthScope._WRITE_ACCOUNT_DATA))
+        .with(getOAuthTokenWithoutUser(OAuthScope._WRITE_ACCOUNT_DATA))
         .params(params))
       .andExpect(status().is4xxClientError())
       .andReturn();
@@ -223,7 +225,7 @@ public void changeEmailWithInvalidEmail() throws Exception {
 
     MvcResult mvcResult = mockMvc.perform(
       post("/users/changeEmail")
-        .with(getOAuthToken(OAuthScope._WRITE_ACCOUNT_DATA))
+        .with(getOAuthTokenWithoutUser(OAuthScope._WRITE_ACCOUNT_DATA))
         .params(params))
       .andExpect(status().is4xxClientError())
       .andReturn();
@@ -296,7 +298,7 @@ public void buildSteamLinkUrlWithWrongScope() throws Exception {
   public void buildSteamLinkUrlAlreadyLinked() throws Exception {
     MvcResult result = mockMvc.perform(
       post("/users/buildSteamLinkUrl?callbackUrl=foo")
-        .with(getOAuthToken(OAuthScope._WRITE_ACCOUNT_DATA)))
+        .with(getOAuthTokenWithoutUser(OAuthScope._WRITE_ACCOUNT_DATA)))
       .andExpect(status().is4xxClientError())
       .andReturn();
 
@@ -310,7 +312,7 @@ public void buildSteamLinkUrl() throws Exception {
 
     mockMvc.perform(
       post("/users/buildSteamLinkUrl?callbackUrl=foo")
-        .with(getOAuthToken(OAuthScope._WRITE_ACCOUNT_DATA)))
+        .with(getOAuthTokenWithoutUser(OAuthScope._WRITE_ACCOUNT_DATA)))
       .andExpect(status().isOk());
 
     verify(steamService, times(1)).buildLoginUrl(anyString());
@@ -405,7 +407,7 @@ public void changeUsernameSuccess() throws Exception {
 
     mockMvc.perform(
       post("/users/changeUsername")
-        .with(getOAuthToken(OAuthScope._WRITE_ACCOUNT_DATA))
+        .with(getOAuthTokenWithoutUser(OAuthScope._WRITE_ACCOUNT_DATA))
         .params(params))
       .andExpect(status().isOk());
 
@@ -422,7 +424,7 @@ public void changeUsernameForcedByUser() throws Exception {
 
     mockMvc.perform(
       post("/users/1/forceChangeUsername")
-        .with(getOAuthToken(OAuthScope._WRITE_ACCOUNT_DATA))
+        .with(getOAuthTokenWithoutUser(OAuthScope._WRITE_ACCOUNT_DATA))
         .params(params))
       .andExpect(status().is4xxClientError())
       .andReturn();
@@ -440,7 +442,7 @@ public void changeUsernameForcedByModerator() throws Exception {
 
     mockMvc.perform(
       post("/users/2/forceChangeUsername")
-        .with(getOAuthToken(OAuthScope._WRITE_ACCOUNT_DATA))
+        .with(getOAuthTokenWithoutUser(OAuthScope._WRITE_ACCOUNT_DATA))
         .params(params))
       .andExpect(status().isOk());
 
@@ -457,7 +459,7 @@ public void changeUsernameTooEarly() throws Exception {
 
     MvcResult result = mockMvc.perform(
       post("/users/changeUsername")
-        .with(getOAuthToken(OAuthScope._WRITE_ACCOUNT_DATA))
+        .with(getOAuthTokenWithoutUser(OAuthScope._WRITE_ACCOUNT_DATA))
         .params(params))
       .andExpect(status().is4xxClientError())
       .andReturn();
@@ -477,7 +479,7 @@ public void changeUsernameTooEarlyButForced() throws Exception {
 
     mockMvc.perform(
       post("/users/2/forceChangeUsername")
-        .with(getOAuthToken(OAuthScope._WRITE_ACCOUNT_DATA))
+        .with(getOAuthTokenWithoutUser(OAuthScope._WRITE_ACCOUNT_DATA))
         .params(params))
       .andExpect(status().isOk())
       .andReturn();
diff --git a/src/inttest/java/com/faforever/api/utils/OAuthHelper.java b/src/inttest/java/com/faforever/api/utils/OAuthHelper.java
index 4e9cef885..137d82806 100644
--- a/src/inttest/java/com/faforever/api/utils/OAuthHelper.java
+++ b/src/inttest/java/com/faforever/api/utils/OAuthHelper.java
@@ -3,8 +3,10 @@
 import org.jetbrains.annotations.NotNull;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.oauth2.provider.OAuth2Request;
 import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
@@ -12,8 +14,13 @@
 import org.springframework.stereotype.Component;
 import org.springframework.test.web.servlet.request.RequestPostProcessor;
 
+import java.util.HashMap;
+import java.util.List;
 import java.util.Set;
 
+import static com.faforever.api.security.FafUserAuthenticationConverter.USER_ID_KEY;
+import static org.springframework.security.oauth2.provider.token.UserAuthenticationConverter.USERNAME;
+
 @Component
 public class OAuthHelper {
 
@@ -23,13 +30,27 @@ public class OAuthHelper {
   @Autowired
   JwtAccessTokenConverter jwtAccessTokenConverter;
 
-  public RequestPostProcessor addBearerToken(Set<String> scope) {
+
+  public RequestPostProcessor addBearerToken(Set<String> scope, Set<String> authorities) {
+    return addBearerToken(null, null, scope, authorities);
+  }
+
+  public RequestPostProcessor addBearerToken(Integer userId, String userName, Set<String> scope, Set<String> authorities) {
     return mockRequest -> {
       Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-      OAuth2Request oauth2Request = createOAuth2Request(scope);
+      OAuth2Request oauth2Request = createOAuth2Request(scope, authorities);
       OAuth2Authentication oauth2auth = new OAuth2Authentication(oauth2Request, authentication);
-      OAuth2AccessToken token = tokenServices.createAccessToken(oauth2auth);
-      token = jwtAccessTokenConverter.enhance(token, oauth2auth);
+      DefaultOAuth2AccessToken token = (DefaultOAuth2AccessToken) tokenServices.createAccessToken(oauth2auth);
+      token.setAdditionalInformation(new HashMap<>(token.getAdditionalInformation()));
+      if (userId != null) {
+        token.getAdditionalInformation().put(USER_ID_KEY, userId);
+      }
+
+      if (userName != null) {
+        token.getAdditionalInformation().put(USERNAME, userName);
+      }
+
+      token = (DefaultOAuth2AccessToken) jwtAccessTokenConverter.enhance(token, oauth2auth);
 
       // Set Authorization header to use Bearer
       mockRequest.addHeader("Authorization", "Bearer " + token.getValue());
@@ -38,7 +59,8 @@ public RequestPostProcessor addBearerToken(Set<String> scope) {
   }
 
   @NotNull
-  private OAuth2Request createOAuth2Request(Set<String> scope) {
-    return new OAuth2Request(null, "test", null, true, scope, null, null, null, null);
+  private OAuth2Request createOAuth2Request(Set<String> scope, Set<String> authorities) {
+    List<GrantedAuthority> grantedAuthorities = authorities == null ? null : AuthorityUtils.createAuthorityList(authorities.toArray(new String[0]));
+    return new OAuth2Request(null, "00000000-0000-0000-0000-000000000000", grantedAuthorities, true, scope, null, null, null, null);
   }
 }
diff --git a/src/inttest/resources/sql/prepAvatarData.sql b/src/inttest/resources/sql/prepAvatarData.sql
index b371f7713..f48a1839c 100644
--- a/src/inttest/resources/sql/prepAvatarData.sql
+++ b/src/inttest/resources/sql/prepAvatarData.sql
@@ -1,11 +1,24 @@
 DELETE FROM avatars;
 DELETE FROM avatars_list;
+DELETE
+FROM group_permission;
+DELETE
+FROM group_permission_assignment;
 
-INSERT INTO avatars_list (id, url, tooltip) VALUES
-  (1, 'http://localhost/faf/avatars/avatar1.png', 'Avatar No. 1'),
-  (2, 'http://localhost/faf/avatars/avatar2.png', 'Avatar No. 2');
 
-INSERT INTO avatars (id, idUser, idAvatar, selected) VALUES
-  (1, 1, 2, 1),
-  (2, 2, 2, 0);
+INSERT INTO avatars_list (id, url, tooltip)
+VALUES
+    (1, 'http://localhost/faf/avatars/avatar1.png', 'Avatar No. 1'),
+    (2, 'http://localhost/faf/avatars/avatar2.png', 'Avatar No. 2'),
+    (3, 'http://localhost/faf/avatars/donator.png', 'Donator Avatar');
+
+INSERT INTO avatars (id, idUser, idAvatar, selected) VALUES (1, 5, 1, 1),
+                                                            (2, 5, 2, 0);
+
+INSERT INTO group_permission(id, technical_name, name_key)
+VALUES (1, 'UPDATE_AVATAR', 'UPDATE_AVATAR');
+
+INSERT INTO group_permission_assignment (group_id, permission_id)
+VALUES (2, 1); -- MODERATOR -> UPDATE_AVATAR
+
 COMMIT;
diff --git a/src/inttest/resources/sql/prepBanData.sql b/src/inttest/resources/sql/prepBanData.sql
index 25fab3919..b8e3bc890 100644
--- a/src/inttest/resources/sql/prepBanData.sql
+++ b/src/inttest/resources/sql/prepBanData.sql
@@ -1,10 +1,6 @@
 DELETE FROM ban;
 
-INSERT INTO login (id, login, email, password) VALUES
-  (4, 'BANNED', 'banned@faforever.com', 'not relevant');
-
-INSERT INTO login (id, login, email, password) VALUES
-  (5, 'TO_BE_REVOKED', 'revoke@faforever.com', 'not-relevant');
+INSERT INTO login (id, login, email, password) VALUES (6, 'TO_BE_REVOKED', 'revoke@faforever.com', 'not-relevant');
 
 INSERT INTO ban (id, player_id, author_id, reason, expires_at, level) VALUE
   (1, 4, 1, 'Test permaban', DATE_ADD(NOW(), INTERVAL 1 DAY), 'GLOBAL');
@@ -12,4 +8,4 @@ INSERT INTO ban (id, player_id, author_id, reason, expires_at, level, revoke_tim
   VALUE
   (2, 2, 1, 'To be revoked ban', DATE_ADD(NOW(), INTERVAL 1 DAY), 'GLOBAL', NOW(), 1, 'Test revoke');
 INSERT INTO ban (id, player_id, author_id, reason, expires_at, level) VALUE
-  (3, 5, 1, 'Ban to be revoked', DATE_ADD(NOW(), INTERVAL 30 DAY), 'GLOBAL');
+    (3, 6, 1, 'Ban to be revoked', DATE_ADD(NOW(), INTERVAL 30 DAY), 'GLOBAL');
diff --git a/src/inttest/resources/sql/prepDefaultUser.sql b/src/inttest/resources/sql/prepDefaultUser.sql
index d09b57036..325c4c16f 100644
--- a/src/inttest/resources/sql/prepDefaultUser.sql
+++ b/src/inttest/resources/sql/prepDefaultUser.sql
@@ -53,11 +53,17 @@ VALUES
 INSERT INTO login (id, login, email, password, steamid)
 VALUES (1, 'USER', 'user@faforever.com', '92b7b421992ef490f3b75898ec0e511f1a5c02422819d89719b20362b023ee4f', NULL),
   (2, 'MODERATOR', 'moderator@faforever.com', '778ac5b81fa251b450f827846378739caee510c31b01cfa9d31822b88bed8441', 1234),
-  (3, 'ADMIN', 'admin@faforever.com', '835d6dc88b708bc646d6db82c853ef4182fabbd4a8de59c213f2b5ab3ae7d9be', NULL);
+       (3, 'ADMIN', 'admin@faforever.com', '835d6dc88b708bc646d6db82c853ef4182fabbd4a8de59c213f2b5ab3ae7d9be', NULL),
+       (4, 'BANNED', 'banned@faforever.com', '', NULL),
+       (5, 'ACTIVE_USER', 'active-user@faforever.com', '', true);
 
-INSERT INTO lobby_admin (user_id, `group`) VALUES
-  (2, 1),
-  (3, 2);
+INSERT INTO user_group (id, technical_name, name_key, parent_group_id, public)
+VALUES (1, 'ADMINISTRATOR', 'administrator', null, true),
+       (2, 'MODERATOR', 'moderator', null, true);
+
+INSERT INTO user_group_assignment (user_id, group_id)
+VALUES (2, 2),
+       (3, 1);
 
 INSERT INTO name_history (change_time, user_id, previous_name) VALUES
   (NOW(), 2, 'OLD_MODERATOR');
diff --git a/src/inttest/resources/sql/prepModerationReportData.sql b/src/inttest/resources/sql/prepModerationReportData.sql
index 4705df2b2..d28f1a651 100644
--- a/src/inttest/resources/sql/prepModerationReportData.sql
+++ b/src/inttest/resources/sql/prepModerationReportData.sql
@@ -2,9 +2,9 @@ DELETE FROM reported_user;
 DELETE FROM moderation_report;
 
 INSERT INTO moderation_report (id, reporter_id, report_description, game_id, report_status, game_incident_timecode, moderator_notice, moderator_private_note, last_moderator)
-VALUES
-  (1, 1, 'Report description', null, 'AWAITING', 'Incident timecode', null, null, null),
-  (2, 1, 'Report description', 1, 'PROCESSING', 'Incident timecode', 'Moderator notice', 'Moderator private note', 2),
+VALUES (1, 5, 'Report description', null, 'AWAITING', 'Incident timecode', null, null, null),
+       (2, 5, 'Report description', 1, 'PROCESSING', 'Incident timecode', 'Moderator notice', 'Moderator private note',
+        2),
   (3, 3, 'Report description', null, 'AWAITING', 'Incident timecode', null, null, null);
 
 INSERT INTO reported_user (id, player_id, report_id) VALUES
diff --git a/src/inttest/resources/sql/prepUserNoteData.sql b/src/inttest/resources/sql/prepUserNoteData.sql
index 114457206..255592e4b 100644
--- a/src/inttest/resources/sql/prepUserNoteData.sql
+++ b/src/inttest/resources/sql/prepUserNoteData.sql
@@ -1,7 +1,4 @@
 DELETE FROM ban;
 
-INSERT INTO login (id, login, email, password) VALUES
-  (4, 'BANNED', 'banned@faforever.com', 'not relevant');
-
 INSERT INTO user_notes (id, user_id, author, watched, note) VALUES
   (1, 4, 1, 0, 'Test user note');
diff --git a/src/main/java/com/faforever/api/avatar/AvatarController.java b/src/main/java/com/faforever/api/avatar/AvatarController.java
index 3b0ca8b8e..7c36f04d9 100644
--- a/src/main/java/com/faforever/api/avatar/AvatarController.java
+++ b/src/main/java/com/faforever/api/avatar/AvatarController.java
@@ -19,6 +19,8 @@
 
 import java.io.IOException;
 
+import static com.faforever.api.data.domain.GroupPermission.ROLE_WRITE_AVATAR;
+
 @RestController
 @RequestMapping(path = "/avatars")
 public class AvatarController {
@@ -39,7 +41,7 @@ public AvatarController(AvatarService avatarService) {
     @ApiResponse(code = 500, message = "Failure", response = ErrorResponse.class)})
   @ResponseStatus(value = HttpStatus.CREATED)
   @RequestMapping(value = "/upload", method = RequestMethod.POST, consumes = MediaType.MULTIPART_FORM_DATA_VALUE)
-  @PreAuthorize("#oauth2.hasScope('" + OAuthScope._UPLOAD_AVATAR + "') and hasAnyRole('ROLE_MODERATOR', 'ROLE_ADMINISTRATOR')")
+  @PreAuthorize("#oauth2.hasScope('" + OAuthScope._UPLOAD_AVATAR + "') and hasAnyRole('" + ROLE_WRITE_AVATAR + "', 'ROLE_ADMINISTRATOR')")
   public void uploadAvatar(
     @ApiParam(name = "metadata") @RequestPart("metadata") AvatarMetadata avatarMetaData,
     @ApiParam(name = "file") @RequestPart("file") MultipartFile avatarImageFile) throws IOException {
@@ -56,7 +58,7 @@ public void uploadAvatar(
     @ApiResponse(code = 500, message = "Failure", response = ErrorResponse.class)})
   @ResponseStatus(value = HttpStatus.OK)
   @RequestMapping(value = "{avatarId}/upload", method = RequestMethod.POST, consumes = MediaType.MULTIPART_FORM_DATA_VALUE)
-  @PreAuthorize("#oauth2.hasScope('" + OAuthScope._UPLOAD_AVATAR + "') and hasAnyRole('ROLE_MODERATOR', 'ROLE_ADMINISTRATOR')")
+  @PreAuthorize("#oauth2.hasScope('" + OAuthScope._UPLOAD_AVATAR + "') and hasAnyRole('" + ROLE_WRITE_AVATAR + "', 'ROLE_ADMINISTRATOR')")
   public void reuploadAvatar(
     @ApiParam(name = "avatarId") @PathVariable("avatarId") Integer avatarId,
     @ApiParam(name = "metadata") @RequestPart(value = "metadata") AvatarMetadata avatarMetaData,
@@ -71,7 +73,7 @@ public void reuploadAvatar(
     @ApiResponse(code = 500, message = "Failure", response = ErrorResponse.class)})
   @ResponseStatus(value = HttpStatus.NO_CONTENT)
   @RequestMapping(value = "/{avatarId}", method = RequestMethod.DELETE)
-  @PreAuthorize("#oauth2.hasScope('" + OAuthScope._UPLOAD_AVATAR + "') and hasAnyRole('ROLE_MODERATOR', 'ROLE_ADMINISTRATOR')")
+  @PreAuthorize("#oauth2.hasScope('" + OAuthScope._UPLOAD_AVATAR + "') and hasAnyRole('" + ROLE_WRITE_AVATAR + "', 'ROLE_ADMINISTRATOR')")
   public void deleteAvatar(
     @ApiParam(name = "avatarId") @PathVariable("avatarId") Integer avatarId) throws IOException {
     avatarService.deleteAvatar(avatarId);
diff --git a/src/main/java/com/faforever/api/config/elide/ElideConfig.java b/src/main/java/com/faforever/api/config/elide/ElideConfig.java
index 876c6abd6..d472a4fa4 100644
--- a/src/main/java/com/faforever/api/config/elide/ElideConfig.java
+++ b/src/main/java/com/faforever/api/config/elide/ElideConfig.java
@@ -5,11 +5,19 @@
 import com.faforever.api.data.checks.IsClanMembershipDeletable;
 import com.faforever.api.data.checks.IsEntityOwner;
 import com.faforever.api.data.checks.IsInAwaitingState;
-import com.faforever.api.data.checks.permission.HasBanRead;
-import com.faforever.api.data.checks.permission.HasBanUpdate;
-import com.faforever.api.data.checks.permission.HasLadder1v1Update;
 import com.faforever.api.data.checks.permission.IsModerator;
 import com.faforever.api.security.ExtendedAuditLogger;
+import com.faforever.api.security.elide.permission.AdminAccountBanCheck;
+import com.faforever.api.security.elide.permission.AdminAccountNoteCheck;
+import com.faforever.api.security.elide.permission.AdminModerationReportCheck;
+import com.faforever.api.security.elide.permission.AdminVoteCheck;
+import com.faforever.api.security.elide.permission.ReadAccountPrivateDetailsCheck;
+import com.faforever.api.security.elide.permission.ReadTeamkillReportCheck;
+import com.faforever.api.security.elide.permission.ReadUserGroupCheck;
+import com.faforever.api.security.elide.permission.WriteAvatarCheck;
+import com.faforever.api.security.elide.permission.WriteEmailDomainBanCheck;
+import com.faforever.api.security.elide.permission.WriteMatchmakerMapCheck;
+import com.faforever.api.security.elide.permission.WriteTutorialCheck;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.yahoo.elide.Elide;
 import com.yahoo.elide.ElideSettingsBuilder;
@@ -95,12 +103,21 @@ public EntityDictionary entityDictionary() {
     checks.put(IsModerator.EXPRESSION, IsModerator.Inline.class);
     checks.put(IsEntityOwner.EXPRESSION, IsEntityOwner.Inline.class);
     checks.put(IsClanMembershipDeletable.EXPRESSION, IsClanMembershipDeletable.Inline.class);
-    checks.put(HasBanRead.EXPRESSION, HasBanRead.Inline.class);
-    checks.put(HasBanUpdate.EXPRESSION, HasBanUpdate.Inline.class);
-    checks.put(HasLadder1v1Update.EXPRESSION, HasLadder1v1Update.Inline.class);
     checks.put(BooleanChange.TO_FALSE_EXPRESSION, BooleanChange.ToFalse.class);
     checks.put(BooleanChange.TO_TRUE_EXPRESSION, BooleanChange.ToTrue.class);
     checks.put(IsInAwaitingState.EXPRESSION, IsInAwaitingState.Inline.class);
+    checks.put(AdminAccountBanCheck.EXPRESSION, AdminAccountBanCheck.class);
+    checks.put(AdminAccountNoteCheck.EXPRESSION, AdminAccountNoteCheck.class);
+    checks.put(AdminModerationReportCheck.EXPRESSION, AdminModerationReportCheck.class);
+    checks.put(ReadAccountPrivateDetailsCheck.EXPRESSION, ReadAccountPrivateDetailsCheck.class);
+    checks.put(ReadTeamkillReportCheck.EXPRESSION, ReadTeamkillReportCheck.class);
+    checks.put(ReadUserGroupCheck.EXPRESSION, ReadUserGroupCheck.class);
+    checks.put(AdminVoteCheck.EXPRESSION, AdminVoteCheck.class);
+    checks.put(WriteMatchmakerMapCheck.EXPRESSION, WriteMatchmakerMapCheck.class);
+    checks.put(WriteTutorialCheck.EXPRESSION, WriteTutorialCheck.class);
+    checks.put(WriteEmailDomainBanCheck.EXPRESSION, WriteEmailDomainBanCheck.class);
+    checks.put(WriteAvatarCheck.EXPRESSION, WriteAvatarCheck.class);
+
     return new EntityDictionary(checks);
   }
 }
diff --git a/src/main/java/com/faforever/api/data/DataController.java b/src/main/java/com/faforever/api/data/DataController.java
index 616562976..8cbc35eff 100644
--- a/src/main/java/com/faforever/api/data/DataController.java
+++ b/src/main/java/com/faforever/api/data/DataController.java
@@ -21,9 +21,6 @@
 import java.lang.reflect.Method;
 import java.util.Map;
 
-import static com.faforever.api.data.JsonApiMediaType.JSON_API_MEDIA_TYPE;
-import static com.faforever.api.data.JsonApiMediaType.JSON_API_PATCH_MEDIA_TYPE;
-
 /**
  * JSON-API compliant data API.
  */
@@ -32,6 +29,8 @@
 public class DataController {
 
   public static final String PATH_PREFIX = "/data";
+  public static final String JSON_API_MEDIA_TYPE = "application/vnd.api+json";
+  public static final String JSON_API_PATCH_MEDIA_TYPE = "application/vnd.api+json;ext=jsonpatch";
 
   private final Elide elide;
 
@@ -67,7 +66,7 @@ public ResponseEntity<String> get(@RequestParam final Map<String, String> allReq
     produces = JSON_API_MEDIA_TYPE,
     value = {"/{entity}", "/{entity}/{id}/relationships/{entity2}", "/{entity}/{id}/{child}", "/{entity}/{id}"})
   @Cacheable(cacheResolver = "elideCacheResolver")
-  @PreAuthorize("hasRole('USER')")
+  @PreAuthorize("isAuthenticated()")
   public ResponseEntity<String> post(@RequestBody final String body,
                                      final HttpServletRequest request,
                                      final Authentication authentication) {
@@ -85,7 +84,7 @@ public ResponseEntity<String> post(@RequestBody final String body,
     consumes = {JSON_API_MEDIA_TYPE, MediaType.APPLICATION_JSON_VALUE},
     produces = JSON_API_MEDIA_TYPE,
     value = {"/{entity}/{id}", "/{entity}/{id}/relationships/{entity2}"})
-  @PreAuthorize("hasRole('USER')")
+  @PreAuthorize("isAuthenticated()")
   public ResponseEntity<String> patch(@RequestBody final String body,
                                       final HttpServletRequest request,
                                       final Authentication authentication) {
@@ -106,7 +105,7 @@ public ResponseEntity<String> patch(@RequestBody final String body,
     produces = JSON_API_PATCH_MEDIA_TYPE,
     value = "/{entity}")
   // should contain "/{entity}/{id}" but spring will call this method even for JSON_API_MEDIA_TYPE
-  @PreAuthorize("hasRole('USER')")
+  @PreAuthorize("isAuthenticated()")
   public ResponseEntity<String> extensionPatch(@RequestBody final String body,
                                                final HttpServletRequest request,
                                                final Authentication authentication) {
@@ -125,7 +124,7 @@ public ResponseEntity<String> extensionPatch(@RequestBody final String body,
     method = RequestMethod.DELETE,
     produces = JSON_API_MEDIA_TYPE,
     value = {"/{entity}/{id}", "/{entity}/{id}/relationships/{entity2}"})
-  @PreAuthorize("hasRole('USER')")
+  @PreAuthorize("isAuthenticated()")
   public ResponseEntity<String> delete(final HttpServletRequest request,
                                        final Authentication authentication) {
     ElideResponse response = elide.delete(
diff --git a/src/main/java/com/faforever/api/data/checks/UserGroupPublicCheck.java b/src/main/java/com/faforever/api/data/checks/UserGroupPublicCheck.java
new file mode 100644
index 000000000..40ab256b7
--- /dev/null
+++ b/src/main/java/com/faforever/api/data/checks/UserGroupPublicCheck.java
@@ -0,0 +1,24 @@
+package com.faforever.api.data.checks;
+
+import com.faforever.api.data.domain.UserGroup;
+import com.yahoo.elide.security.ChangeSpec;
+import com.yahoo.elide.security.RequestScope;
+import com.yahoo.elide.security.User;
+import com.yahoo.elide.security.checks.InlineCheck;
+
+import java.util.Optional;
+
+public class UserGroupPublicCheck extends InlineCheck<UserGroup> {
+
+  public static final String EXPRESSION = "userGroupPublic";
+
+  @Override
+  public boolean ok(UserGroup object, RequestScope requestScope, Optional<ChangeSpec> changeSpec) {
+    return object.isPublic();
+  }
+
+  @Override
+  public boolean ok(User user) {
+    return false;
+  }
+}
diff --git a/src/main/java/com/faforever/api/data/checks/permission/HasBanRead.java b/src/main/java/com/faforever/api/data/checks/permission/HasBanRead.java
deleted file mode 100644
index 7995cb765..000000000
--- a/src/main/java/com/faforever/api/data/checks/permission/HasBanRead.java
+++ /dev/null
@@ -1,11 +0,0 @@
-package com.faforever.api.data.checks.permission;
-
-public class HasBanRead {
-  public static final String EXPRESSION = "Ban.Read";
-
-  public static class Inline extends BasePermission {
-    public Inline() {
-      super(HasBanRead.EXPRESSION);
-    }
-  }
-}
diff --git a/src/main/java/com/faforever/api/data/checks/permission/HasBanUpdate.java b/src/main/java/com/faforever/api/data/checks/permission/HasBanUpdate.java
deleted file mode 100644
index 36234e3ec..000000000
--- a/src/main/java/com/faforever/api/data/checks/permission/HasBanUpdate.java
+++ /dev/null
@@ -1,11 +0,0 @@
-package com.faforever.api.data.checks.permission;
-
-public class HasBanUpdate {
-  public static final String EXPRESSION = "Ban.Update";
-
-  public static class Inline extends BasePermission {
-    public Inline() {
-      super(HasBanUpdate.EXPRESSION);
-    }
-  }
-}
diff --git a/src/main/java/com/faforever/api/data/checks/permission/HasLadder1v1Update.java b/src/main/java/com/faforever/api/data/checks/permission/HasLadder1v1Update.java
deleted file mode 100644
index 40876c3ec..000000000
--- a/src/main/java/com/faforever/api/data/checks/permission/HasLadder1v1Update.java
+++ /dev/null
@@ -1,13 +0,0 @@
-package com.faforever.api.data.checks.permission;
-
-public class HasLadder1v1Update {
-
-  public static final String EXPRESSION = "Ladder1v1.Update";
-
-  public static class Inline extends BasePermission {
-    public Inline() {
-      super(HasLadder1v1Update.EXPRESSION);
-    }
-  }
-
-}
diff --git a/src/main/java/com/faforever/api/data/domain/Avatar.java b/src/main/java/com/faforever/api/data/domain/Avatar.java
index 3b8790c3e..9dd7e9bac 100644
--- a/src/main/java/com/faforever/api/data/domain/Avatar.java
+++ b/src/main/java/com/faforever/api/data/domain/Avatar.java
@@ -1,6 +1,7 @@
 package com.faforever.api.data.domain;
 
-import com.faforever.api.data.checks.permission.IsModerator;
+import com.faforever.api.data.checks.Prefab;
+import com.faforever.api.security.elide.permission.WriteAvatarCheck;
 import com.github.jasminb.jsonapi.annotations.Type;
 import com.yahoo.elide.annotation.Include;
 import com.yahoo.elide.annotation.UpdatePermission;
@@ -34,7 +35,7 @@ public String getUrl() {
   }
 
   @Column(name = "tooltip")
-  @UpdatePermission(expression = IsModerator.EXPRESSION)
+  @UpdatePermission(expression = WriteAvatarCheck.EXPRESSION)
   public String getTooltip() {
     return tooltip;
   }
@@ -42,7 +43,7 @@ public String getTooltip() {
   // Cascading is needed for Create & Delete
   @OneToMany(mappedBy = "avatar", cascade = CascadeType.ALL, orphanRemoval = true)
   // Permission is managed by AvatarAssignment class
-  @UpdatePermission(expression = "Prefab.Role.All")
+  @UpdatePermission(expression = Prefab.ALL)
   public List<AvatarAssignment> getAssignments() {
     return this.assignments;
   }
diff --git a/src/main/java/com/faforever/api/data/domain/AvatarAssignment.java b/src/main/java/com/faforever/api/data/domain/AvatarAssignment.java
index 4f629bcb8..8fea0ae21 100644
--- a/src/main/java/com/faforever/api/data/domain/AvatarAssignment.java
+++ b/src/main/java/com/faforever/api/data/domain/AvatarAssignment.java
@@ -1,7 +1,8 @@
 package com.faforever.api.data.domain;
 
 import com.faforever.api.data.checks.IsEntityOwner;
-import com.faforever.api.data.checks.permission.IsModerator;
+import com.faforever.api.data.checks.Prefab;
+import com.faforever.api.security.elide.permission.WriteAvatarCheck;
 import com.github.jasminb.jsonapi.annotations.Relationship;
 import com.github.jasminb.jsonapi.annotations.Type;
 import com.yahoo.elide.annotation.Audit;
@@ -25,8 +26,8 @@
 @Entity
 @Table(name = "avatars")
 @Include(rootLevel = true, type = AvatarAssignment.TYPE_NAME)
-@CreatePermission(expression = IsModerator.EXPRESSION)
-@DeletePermission(expression = IsModerator.EXPRESSION)
+@CreatePermission(expression = WriteAvatarCheck.EXPRESSION)
+@DeletePermission(expression = WriteAvatarCheck.EXPRESSION)
 @Audit(action = Action.CREATE, logStatement = "Avatar ''{0}'' has been assigned to player ''{1}''", logExpressions = {"${avatarAssignment.avatar.id}", "${avatarAssignment.player.id}"})
 @Audit(action = Action.DELETE, logStatement = "Avatar ''{0}'' has been revoked from player ''{1}''", logExpressions = {"${avatarAssignment.avatar.id}", "${avatarAssignment.player.id}"})
 @Setter
@@ -49,7 +50,7 @@ public Boolean isSelected() {
   }
 
   @Column(name = "expires_at")
-  @UpdatePermission(expression = IsModerator.EXPRESSION + " or Prefab.Common.UpdateOnCreate")
+  @UpdatePermission(expression = WriteAvatarCheck.EXPRESSION + " or " + Prefab.UPDATE_ON_CREATE)
   @Audit(action = Action.UPDATE, logStatement = "Expiration of avatar assignment ''{0}'' has been set to ''{1}''", logExpressions = {"${avatarAssignment.id}", "${avatarAssignment.expiresAt}"})
   public OffsetDateTime getExpiresAt() {
     return expiresAt;
@@ -58,7 +59,7 @@ public OffsetDateTime getExpiresAt() {
   @ManyToOne(fetch = FetchType.LAZY)
   @JoinColumn(name = "idAvatar")
   @NotNull
-  @UpdatePermission(expression = "Prefab.Common.UpdateOnCreate")
+  @UpdatePermission(expression = Prefab.UPDATE_ON_CREATE)
   public Avatar getAvatar() {
     return avatar;
   }
@@ -66,7 +67,7 @@ public Avatar getAvatar() {
   @ManyToOne(fetch = FetchType.LAZY)
   @JoinColumn(name = "idUser")
   @NotNull
-  @UpdatePermission(expression = "Prefab.Common.UpdateOnCreate")
+  @UpdatePermission(expression = Prefab.UPDATE_ON_CREATE)
   public Player getPlayer() {
     return player;
   }
diff --git a/src/main/java/com/faforever/api/data/domain/BanInfo.java b/src/main/java/com/faforever/api/data/domain/BanInfo.java
index 0fa9f2787..d8515d72a 100644
--- a/src/main/java/com/faforever/api/data/domain/BanInfo.java
+++ b/src/main/java/com/faforever/api/data/domain/BanInfo.java
@@ -1,8 +1,8 @@
 package com.faforever.api.data.domain;
 
-import com.faforever.api.data.checks.permission.HasBanRead;
-import com.faforever.api.data.checks.permission.HasBanUpdate;
+import com.faforever.api.data.checks.Prefab;
 import com.faforever.api.security.FafUserDetails;
+import com.faforever.api.security.elide.permission.AdminAccountBanCheck;
 import com.yahoo.elide.annotation.Audit;
 import com.yahoo.elide.annotation.Audit.Action;
 import com.yahoo.elide.annotation.CreatePermission;
@@ -30,10 +30,10 @@
 @Table(name = "ban")
 @Include(rootLevel = true, type = "banInfo")
 // Bans can never be deleted, only disabled over BanDisableData
-@DeletePermission(expression = "Prefab.Role.None")
-@ReadPermission(expression = HasBanRead.EXPRESSION)
-@CreatePermission(expression = HasBanUpdate.EXPRESSION)
-@UpdatePermission(expression = HasBanUpdate.EXPRESSION)
+@DeletePermission(expression = Prefab.NONE)
+@ReadPermission(expression = AdminAccountBanCheck.EXPRESSION)
+@CreatePermission(expression = AdminAccountBanCheck.EXPRESSION)
+@UpdatePermission(expression = AdminAccountBanCheck.EXPRESSION)
 @Audit(action = Action.CREATE, logStatement = "Applied ban with id `{0}` for player `{1}`", logExpressions = {"${banInfo.id}", "${banInfo.player}"})
 @Audit(action = Action.UPDATE, logStatement = "Updated ban with id `{0}` for player `{1}`", logExpressions = {"${banInfo.id}", "${banInfo.player}"})
 @Setter
diff --git a/src/main/java/com/faforever/api/data/domain/DomainBlacklist.java b/src/main/java/com/faforever/api/data/domain/DomainBlacklist.java
index e44924417..05c5f8fe6 100644
--- a/src/main/java/com/faforever/api/data/domain/DomainBlacklist.java
+++ b/src/main/java/com/faforever/api/data/domain/DomainBlacklist.java
@@ -1,6 +1,6 @@
 package com.faforever.api.data.domain;
 
-import com.faforever.api.data.checks.permission.IsModerator;
+import com.faforever.api.security.elide.permission.WriteEmailDomainBanCheck;
 import com.yahoo.elide.annotation.Audit;
 import com.yahoo.elide.annotation.Audit.Action;
 import com.yahoo.elide.annotation.CreatePermission;
@@ -20,10 +20,10 @@
 @Setter
 @Table(name = "email_domain_blacklist")
 @Include(type = "domainBlacklist", rootLevel = true)
-@ReadPermission(expression = IsModerator.EXPRESSION)
-@UpdatePermission(expression = IsModerator.EXPRESSION)
-@CreatePermission(expression = IsModerator.EXPRESSION)
-@DeletePermission(expression = IsModerator.EXPRESSION)
+@ReadPermission(expression = WriteEmailDomainBanCheck.EXPRESSION)
+@UpdatePermission(expression = WriteEmailDomainBanCheck.EXPRESSION)
+@CreatePermission(expression = WriteEmailDomainBanCheck.EXPRESSION)
+@DeletePermission(expression = WriteEmailDomainBanCheck.EXPRESSION)
 @Audit(action = Action.CREATE, logStatement = "Email domain `{0}` added to blacklist", logExpressions = "${domainBlacklist.domain}")
 @Audit(action = Action.DELETE, logStatement = "Email domain `{0}` removed from blacklist", logExpressions = "${domainBlacklist.domain}")
 @EqualsAndHashCode
diff --git a/src/main/java/com/faforever/api/data/domain/GroupPermission.java b/src/main/java/com/faforever/api/data/domain/GroupPermission.java
new file mode 100644
index 000000000..62545f662
--- /dev/null
+++ b/src/main/java/com/faforever/api/data/domain/GroupPermission.java
@@ -0,0 +1,86 @@
+package com.faforever.api.data.domain;
+
+import com.faforever.api.data.checks.permission.IsModerator;
+import com.yahoo.elide.annotation.Include;
+import com.yahoo.elide.annotation.ReadPermission;
+import lombok.Setter;
+import org.springframework.security.core.GrantedAuthority;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.ManyToMany;
+import javax.persistence.Table;
+import javax.persistence.Transient;
+import java.util.Set;
+
+/**
+ * <b>Naming conventions on permission roles</b>
+ * <p>
+ * General structure: ROLE_{ACTION}_{AREA}
+ * <ul>
+ * <li>{AREA} defines a set of use cases (i.e. BAN)
+ * <li>{ACTION} being WRITE, READ or ADMIN
+ * <br>WRITE grants permission to create / add / upload new data
+ * <br>READ grants global read permissions
+ * <br>ADMIN refer to read and write permissions in global context regardless of the ownership
+ * </ul>
+ * <p>
+ * For read and write permissions of data personally owned by user see {@link OwnableEntity}
+ */
+@Entity
+@Table(name = "group_permission")
+@Include(rootLevel = true, type = "groupPermission")
+@Setter
+@ReadPermission(expression = IsModerator.EXPRESSION)
+public class GroupPermission extends AbstractEntity implements GrantedAuthority {
+
+  // Any changes to the permissions here need to be added to the dto class as well!
+  public static final String ROLE_READ_AUDIT_LOG = "ROLE_READ_AUDIT_LOG";
+  public static final String ROLE_READ_TEAMKILL_REPORT = "ROLE_READ_TEAMKILL_REPORT";
+  public static final String ROLE_READ_ACCOUNT_PRIVATE_DETAILS = "ROLE_READ_ACCOUNT_PRIVATE_DETAILS";
+  public static final String ROLE_ADMIN_ACCOUNT_NOTE = "ROLE_ADMIN_ACCOUNT_NOTE";
+  public static final String ROLE_ADMIN_MODERATION_REPORT = "ROLE_ADMIN_MODERATION_REPORT";
+  public static final String ROLE_ADMIN_ACCOUNT_BAN = "ROLE_ADMIN_ACCOUNT_BAN";
+  public static final String ROLE_ADMIN_CLAN = "ROLE_ADMIN_CLAN";
+  public static final String ROLE_WRITE_MAP = "ROLE_WRITE_MAP";
+  public static final String ROLE_WRITE_MOD = "ROLE_WRITE_MOD";
+  public static final String ROLE_WRITE_COOP_MISSION = "ROLE_WRITE_COOP_MISSION";
+  public static final String ROLE_WRITE_AVATAR = "ROLE_WRITE_AVATAR";
+  public static final String ROLE_WRITE_MATCHMAKER_POOL = "ROLE_WRITE_MATCHMAKER_POOL";
+  public static final String ROLE_WRITE_MATCHMAKER_MAP = "ROLE_WRITE_MATCHMAKER_MAP";
+  public static final String ROLE_WRITE_EMAIL_DOMAIN_BAN = "ROLE_WRITE_EMAIL_DOMAIN_BAN";
+  public static final String ROLE_ADMIN_VOTE = "ROLE_ADMIN_VOTE";
+  public static final String ROLE_WRITE_USER_GROUP = "ROLE_WRITE_USER_GROUP";
+  public static final String ROLE_READ_USER_GROUP = "ROLE_READ_USER_GROUP";
+  public static final String ROLE_WRITE_TUTORIAL = "ROLE_WRITE_TUTORIAL";
+  public static final String ROLE_WRITE_NEWS_POST = "ROLE_WRITE_NEWS_POST";
+  public static final String ROLE_WRITE_OAUTH_CLIENT = "ROLE_WRITE_OAUTH_CLIENT";
+  public static final String ROLE_ADMIN_MAP = "ROLE_ADMIN_MAP";
+  public static final String ROLE_ADMIN_MOD = "ROLE_ADMIN_MOD";
+  public static final String ROLE_WRITE_MESSAGE = "ROLE_WRITE_MESSAGE";
+
+  private String technicalName;
+  private String nameKey;
+  private Set<UserGroup> userGroups;
+
+  @Column(name = "technical_name")
+  public String getTechnicalName() {
+    return technicalName;
+  }
+
+  @Column(name = "name_key")
+  public String getNameKey() {
+    return nameKey;
+  }
+
+  @ManyToMany(mappedBy = "permissions")
+  public Set<UserGroup> getUserGroups() {
+    return userGroups;
+  }
+
+  @Override
+  @Transient
+  public String getAuthority() {
+    return "ROLE_" + technicalName;
+  }
+}
diff --git a/src/main/java/com/faforever/api/data/domain/Ladder1v1Map.java b/src/main/java/com/faforever/api/data/domain/Ladder1v1Map.java
index b2640e805..790687a60 100644
--- a/src/main/java/com/faforever/api/data/domain/Ladder1v1Map.java
+++ b/src/main/java/com/faforever/api/data/domain/Ladder1v1Map.java
@@ -1,6 +1,6 @@
 package com.faforever.api.data.domain;
 
-import com.faforever.api.data.checks.permission.HasLadder1v1Update;
+import com.faforever.api.security.elide.permission.WriteMatchmakerMapCheck;
 import com.yahoo.elide.annotation.Audit;
 import com.yahoo.elide.annotation.Audit.Action;
 import com.yahoo.elide.annotation.CreatePermission;
@@ -19,8 +19,8 @@
 import javax.persistence.OneToOne;
 import javax.persistence.Table;
 
-@CreatePermission(expression = HasLadder1v1Update.EXPRESSION)
-@DeletePermission(expression = HasLadder1v1Update.EXPRESSION)
+@CreatePermission(expression = WriteMatchmakerMapCheck.EXPRESSION)
+@DeletePermission(expression = WriteMatchmakerMapCheck.EXPRESSION)
 @Entity
 @Setter
 @Table(name = "ladder_map")
@@ -41,7 +41,7 @@ public int getId() {
 
   @OneToOne
   @JoinColumn(name = "idmap")
-  @UpdatePermission(expression = HasLadder1v1Update.EXPRESSION)
+  @UpdatePermission(expression = WriteMatchmakerMapCheck.EXPRESSION)
   public MapVersion getMapVersion() {
     return mapVersion;
   }
diff --git a/src/main/java/com/faforever/api/data/domain/Login.java b/src/main/java/com/faforever/api/data/domain/Login.java
index 482e93b05..cffd5ee9d 100644
--- a/src/main/java/com/faforever/api/data/domain/Login.java
+++ b/src/main/java/com/faforever/api/data/domain/Login.java
@@ -1,7 +1,11 @@
 package com.faforever.api.data.domain;
 
 import com.faforever.api.data.checks.IsEntityOwner;
+import com.faforever.api.data.checks.Prefab;
 import com.faforever.api.data.checks.permission.IsModerator;
+import com.faforever.api.security.elide.permission.AdminAccountBanCheck;
+import com.faforever.api.security.elide.permission.AdminAccountNoteCheck;
+import com.faforever.api.security.elide.permission.ReadUserGroupCheck;
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.yahoo.elide.annotation.ReadPermission;
 import com.yahoo.elide.annotation.UpdatePermission;
@@ -9,9 +13,9 @@
 
 import javax.persistence.Column;
 import javax.persistence.FetchType;
+import javax.persistence.ManyToMany;
 import javax.persistence.MappedSuperclass;
 import javax.persistence.OneToMany;
-import javax.persistence.OneToOne;
 import javax.persistence.Transient;
 import java.time.OffsetDateTime;
 import java.util.HashSet;
@@ -28,7 +32,7 @@ public abstract class Login extends AbstractEntity implements OwnableEntity {
   private String userAgent;
   private Set<BanInfo> bans;
   private Set<UserNote> userNotes;
-  private LobbyGroup lobbyGroup;
+  private Set<UserGroup> userGroups;
   private String recentIpAddress;
   private OffsetDateTime lastLogin;
 
@@ -73,13 +77,13 @@ public String getUserAgent() {
 
   @OneToMany(mappedBy = "player", fetch = FetchType.EAGER)
   // Permission is managed by BanInfo class
-  @UpdatePermission(expression = IsModerator.EXPRESSION)
+  @UpdatePermission(expression = AdminAccountBanCheck.EXPRESSION)
   public Set<BanInfo> getBans() {
     return this.bans;
   }
 
   @OneToMany(mappedBy = "player", fetch = FetchType.EAGER)
-  @UpdatePermission(expression = IsModerator.EXPRESSION)
+  @UpdatePermission(expression = AdminAccountNoteCheck.EXPRESSION)
   public Set<UserNote> getUserNotes() {
     return this.userNotes;
   }
@@ -94,9 +98,11 @@ public boolean isGlobalBanned() {
     return getActiveBans().stream().anyMatch(ban -> ban.getLevel() == BanLevel.GLOBAL);
   }
 
-  @OneToOne(mappedBy = "user")
-  public LobbyGroup getLobbyGroup() {
-    return lobbyGroup;
+  @ReadPermission(expression = IsEntityOwner.EXPRESSION + " OR " + ReadUserGroupCheck.EXPRESSION)
+  @UpdatePermission(expression = Prefab.ALL)
+  @ManyToMany(mappedBy = "members")
+  public Set<UserGroup> getUserGroups() {
+    return userGroups;
   }
 
   @Override
diff --git a/src/main/java/com/faforever/api/data/domain/ModerationReport.java b/src/main/java/com/faforever/api/data/domain/ModerationReport.java
index 20bd1a6a6..26c6b1f48 100644
--- a/src/main/java/com/faforever/api/data/domain/ModerationReport.java
+++ b/src/main/java/com/faforever/api/data/domain/ModerationReport.java
@@ -3,8 +3,8 @@
 import com.faforever.api.data.checks.IsEntityOwner;
 import com.faforever.api.data.checks.IsInAwaitingState;
 import com.faforever.api.data.checks.Prefab;
-import com.faforever.api.data.checks.permission.IsModerator;
 import com.faforever.api.security.FafUserDetails;
+import com.faforever.api.security.elide.permission.AdminModerationReportCheck;
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.yahoo.elide.annotation.Audit;
 import com.yahoo.elide.annotation.Audit.Action;
@@ -43,7 +43,7 @@
 @Setter
 @ToString(exclude = {"reportedUsers", "bans"})
 @Include(rootLevel = true, type = ModerationReport.TYPE_NAME)
-@ReadPermission(expression = IsEntityOwner.EXPRESSION + " OR " + IsModerator.EXPRESSION)
+@ReadPermission(expression = IsEntityOwner.EXPRESSION + " OR " + AdminModerationReportCheck.EXPRESSION)
 @DeletePermission(expression = Prefab.NONE)
 @CreatePermission(expression = Prefab.ALL)
 @Audit(action = Action.CREATE, logStatement = "Moderation report `{0}` has been reported", logExpressions = "${moderationReport}")
@@ -65,7 +65,7 @@ public class ModerationReport extends AbstractEntity implements OwnableEntity {
   @Column(name = "report_status")
   @Enumerated(EnumType.STRING)
   @CreatePermission(expression = Prefab.NONE)
-  @UpdatePermission(expression = IsModerator.EXPRESSION)
+  @UpdatePermission(expression = AdminModerationReportCheck.EXPRESSION)
   public ModerationReportStatus getReportStatus() {
     return reportStatus;
   }
@@ -100,15 +100,15 @@ public Game getGame() {
 
   @Column(name = "moderator_notice")
   @CreatePermission(expression = Prefab.NONE)
-  @UpdatePermission(expression = IsModerator.EXPRESSION)
+  @UpdatePermission(expression = AdminModerationReportCheck.EXPRESSION)
   public String getModeratorNotice() {
     return moderatorNotice;
   }
 
   @Column(name = "moderator_private_note")
-  @ReadPermission(expression = IsModerator.EXPRESSION)
+  @ReadPermission(expression = AdminModerationReportCheck.EXPRESSION)
   @CreatePermission(expression = Prefab.NONE)
-  @UpdatePermission(expression = IsModerator.EXPRESSION)
+  @UpdatePermission(expression = AdminModerationReportCheck.EXPRESSION)
   public String getModeratorPrivateNote() {
     return moderatorPrivateNote;
   }
@@ -116,7 +116,7 @@ public String getModeratorPrivateNote() {
   @ManyToOne(fetch = FetchType.LAZY)
   @JoinColumn(name = "last_moderator", referencedColumnName = "id")
   @CreatePermission(expression = Prefab.NONE)
-  @UpdatePermission(expression = IsModerator.EXPRESSION)
+  @UpdatePermission(expression = AdminModerationReportCheck.EXPRESSION)
   public Player getLastModerator() {
     return lastModerator;
   }
@@ -138,7 +138,7 @@ public Set<Player> getReportedUsers() {
   }
 
   @OneToMany(mappedBy = "moderationReport")
-  @ReadPermission(expression = IsModerator.EXPRESSION)
+  @ReadPermission(expression = AdminModerationReportCheck.EXPRESSION)
   // Permission is managed by BanInfo class
   @UpdatePermission(expression = Prefab.ALL)
   public Collection<BanInfo> getBans() {
@@ -169,7 +169,7 @@ public void updateLastModerator(RequestScope scope) {
     final Object caller = scope.getUser().getOpaqueUser();
     if (caller instanceof FafUserDetails) {
       final FafUserDetails fafUser = (FafUserDetails) caller;
-      if (fafUser.hasPermission(IsModerator.EXPRESSION)) {
+      if (fafUser.hasPermission(GroupPermission.ROLE_ADMIN_MODERATION_REPORT)) {
         final Player lastModerator = new Player();
         lastModerator.setId(fafUser.getId());
         this.lastModerator = lastModerator;
diff --git a/src/main/java/com/faforever/api/data/domain/Teamkill.java b/src/main/java/com/faforever/api/data/domain/Teamkill.java
index 8919345c9..181c94142 100644
--- a/src/main/java/com/faforever/api/data/domain/Teamkill.java
+++ b/src/main/java/com/faforever/api/data/domain/Teamkill.java
@@ -1,6 +1,6 @@
 package com.faforever.api.data.domain;
 
-import com.faforever.api.data.checks.permission.IsModerator;
+import com.faforever.api.security.elide.permission.ReadTeamkillReportCheck;
 import com.yahoo.elide.annotation.Include;
 import com.yahoo.elide.annotation.ReadPermission;
 import lombok.Setter;
@@ -21,7 +21,7 @@
 @Table(name = "teamkills")
 @Include(rootLevel = true, type = Teamkill.TYPE_NAME)
 @Immutable
-@ReadPermission(expression = IsModerator.EXPRESSION)
+@ReadPermission(expression = ReadTeamkillReportCheck.EXPRESSION)
 public class Teamkill {
   public static final String TYPE_NAME = "teamkill";
 
diff --git a/src/main/java/com/faforever/api/data/domain/Tutorial.java b/src/main/java/com/faforever/api/data/domain/Tutorial.java
index e9890bd49..9f66a8cd2 100644
--- a/src/main/java/com/faforever/api/data/domain/Tutorial.java
+++ b/src/main/java/com/faforever/api/data/domain/Tutorial.java
@@ -1,7 +1,8 @@
 package com.faforever.api.data.domain;
 
-import com.faforever.api.data.checks.permission.IsModerator;
+import com.faforever.api.data.checks.Prefab;
 import com.faforever.api.data.listeners.TutorialEnricherListener;
+import com.faforever.api.security.elide.permission.WriteTutorialCheck;
 import com.github.jasminb.jsonapi.annotations.Type;
 import com.yahoo.elide.annotation.Audit;
 import com.yahoo.elide.annotation.Audit.Action;
@@ -27,12 +28,12 @@
 @Table(name = "tutorial")
 @Setter
 @Include(rootLevel = true, type = Tutorial.TYPE_NAME)
-@DeletePermission(expression = IsModerator.EXPRESSION)
-@UpdatePermission(expression = IsModerator.EXPRESSION)
-@CreatePermission(expression = IsModerator.EXPRESSION)
+@DeletePermission(expression = WriteTutorialCheck.EXPRESSION)
+@UpdatePermission(expression = WriteTutorialCheck.EXPRESSION)
+@CreatePermission(expression = WriteTutorialCheck.EXPRESSION)
 @Audit(action = Action.DELETE, logStatement = "Tutorial with name `{0}` and ID `{1}` deleted", logExpressions = {"${tutorial.title}", "${tutorial.id}"})
 @Audit(action = Action.CREATE, logStatement = "Tutorial with name `{0}` and ID `{1}` created", logExpressions = {"${tutorial.title}", "${tutorial.id}"})
-@ReadPermission(expression = "Prefab.Role.All")
+@ReadPermission(expression = Prefab.ALL)
 @EntityListeners(TutorialEnricherListener.class)
 @Type(Tutorial.TYPE_NAME)
 public class Tutorial extends AbstractEntity {
diff --git a/src/main/java/com/faforever/api/data/domain/TutorialCategory.java b/src/main/java/com/faforever/api/data/domain/TutorialCategory.java
index 2737b9bec..920e91d9c 100644
--- a/src/main/java/com/faforever/api/data/domain/TutorialCategory.java
+++ b/src/main/java/com/faforever/api/data/domain/TutorialCategory.java
@@ -1,8 +1,9 @@
 package com.faforever.api.data.domain;
 
 
-import com.faforever.api.data.checks.permission.IsModerator;
+import com.faforever.api.data.checks.Prefab;
 import com.faforever.api.data.listeners.TutorialCategoryEnricherListener;
+import com.faforever.api.security.elide.permission.WriteTutorialCheck;
 import com.github.jasminb.jsonapi.annotations.Type;
 import com.yahoo.elide.annotation.Audit;
 import com.yahoo.elide.annotation.Audit.Action;
@@ -31,12 +32,12 @@
 @Table(name = "tutorial_category")
 @Setter
 @Include(rootLevel = true, type = TutorialCategory.TYPE_NAME)
-@DeletePermission(expression = IsModerator.EXPRESSION)
-@UpdatePermission(expression = IsModerator.EXPRESSION)
-@CreatePermission(expression = IsModerator.EXPRESSION)
+@DeletePermission(expression = WriteTutorialCheck.EXPRESSION)
+@UpdatePermission(expression = WriteTutorialCheck.EXPRESSION)
+@CreatePermission(expression = WriteTutorialCheck.EXPRESSION)
 @Audit(action = Action.DELETE, logStatement = "Tutorial Category with title `{0}` and ID `{1}` deleted", logExpressions = {"${tutorialCategory.category}", "${tutorialCategory.id}"})
 @Audit(action = Action.CREATE, logStatement = "Tutorial Category with title `{0}` and ID `{1}` created", logExpressions = {"${tutorialCategory.category}", "${tutorialCategory.id}"})
-@ReadPermission(expression = "Prefab.Role.All")
+@ReadPermission(expression = Prefab.ALL)
 @EntityListeners(TutorialCategoryEnricherListener.class)
 @Type(TutorialCategory.TYPE_NAME)
 public class TutorialCategory {
diff --git a/src/main/java/com/faforever/api/data/domain/User.java b/src/main/java/com/faforever/api/data/domain/User.java
index d623224fe..620e01b02 100644
--- a/src/main/java/com/faforever/api/data/domain/User.java
+++ b/src/main/java/com/faforever/api/data/domain/User.java
@@ -1,5 +1,6 @@
 package com.faforever.api.data.domain;
 
+import com.faforever.api.data.checks.Prefab;
 import com.yahoo.elide.annotation.Include;
 import com.yahoo.elide.annotation.ReadPermission;
 import lombok.Setter;
@@ -16,7 +17,7 @@ public class User extends Login {
   private String password;
 
   @Column(name = "password")
-  @ReadPermission(expression = "Prefab.Role.None")
+  @ReadPermission(expression = Prefab.NONE)
   public String getPassword() {
     return password;
   }
diff --git a/src/main/java/com/faforever/api/data/domain/UserGroup.java b/src/main/java/com/faforever/api/data/domain/UserGroup.java
new file mode 100644
index 000000000..2d19cb30f
--- /dev/null
+++ b/src/main/java/com/faforever/api/data/domain/UserGroup.java
@@ -0,0 +1,82 @@
+package com.faforever.api.data.domain;
+
+
+import com.faforever.api.data.checks.UserGroupPublicCheck;
+import com.faforever.api.security.elide.permission.WriteUserGroupCheck;
+import com.yahoo.elide.annotation.CreatePermission;
+import com.yahoo.elide.annotation.Include;
+import com.yahoo.elide.annotation.ReadPermission;
+import com.yahoo.elide.annotation.UpdatePermission;
+import lombok.Setter;
+
+import javax.persistence.CascadeType;
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.JoinColumn;
+import javax.persistence.JoinTable;
+import javax.persistence.ManyToMany;
+import javax.persistence.Table;
+import javax.validation.Valid;
+import javax.validation.constraints.NotNull;
+import java.util.Set;
+
+@Entity
+@Table(name = "user_group")
+@Include(type = "userGroup")
+@UpdatePermission(expression = WriteUserGroupCheck.EXPRESSION)
+@CreatePermission(expression = WriteUserGroupCheck.EXPRESSION)
+@ReadPermission(expression = UserGroupPublicCheck.EXPRESSION + " or " + WriteUserGroupCheck.EXPRESSION)
+@Setter
+public class UserGroup extends AbstractEntity {
+
+  private String technicalName;
+  private String nameKey;
+  private boolean public_;
+  private Set<User> members;
+  private Set<GroupPermission> permissions;
+
+  @Column(name = "technical_name")
+  public String getTechnicalName() {
+    return technicalName;
+  }
+
+  @Column(name = "name_key")
+  public String getNameKey() {
+    return nameKey;
+  }
+
+  @Column(name = "public")
+  public boolean isPublic() {
+    return public_;
+  }
+
+  public void setPublic(boolean public_) {
+    this.public_ = public_;
+  }
+
+  @JoinTable(name = "user_group_assignment",
+    joinColumns = @JoinColumn(name = "group_id"),
+    inverseJoinColumns = @JoinColumn(name = "user_id")
+  )
+  @ManyToMany(cascade = {
+    CascadeType.PERSIST,
+    CascadeType.MERGE
+  })
+  public @NotNull
+  @Valid Set<User> getMembers() {
+    return members;
+  }
+
+  @JoinTable(name = "group_permission_assignment",
+    joinColumns = @JoinColumn(name = "group_id"),
+    inverseJoinColumns = @JoinColumn(name = "permission_id")
+  )
+  @ManyToMany(cascade = {
+    CascadeType.PERSIST,
+    CascadeType.MERGE
+  })
+  public @NotNull
+  @Valid Set<GroupPermission> getPermissions() {
+    return permissions;
+  }
+}
diff --git a/src/main/java/com/faforever/api/data/domain/UserNote.java b/src/main/java/com/faforever/api/data/domain/UserNote.java
index b2933d0b2..ff5a953f6 100644
--- a/src/main/java/com/faforever/api/data/domain/UserNote.java
+++ b/src/main/java/com/faforever/api/data/domain/UserNote.java
@@ -1,6 +1,7 @@
 package com.faforever.api.data.domain;
 
-import com.faforever.api.data.checks.permission.IsModerator;
+import com.faforever.api.data.checks.Prefab;
+import com.faforever.api.security.elide.permission.AdminAccountNoteCheck;
 import com.yahoo.elide.annotation.Audit;
 import com.yahoo.elide.annotation.Audit.Action;
 import com.yahoo.elide.annotation.CreatePermission;
@@ -21,10 +22,10 @@
 @Entity
 @Table(name = "user_notes")
 @Include(rootLevel = true, type = "userNote")
-@ReadPermission(expression = IsModerator.EXPRESSION)
-@CreatePermission(expression = IsModerator.EXPRESSION)
-@UpdatePermission(expression = IsModerator.EXPRESSION)
-@DeletePermission(expression = "Prefab.Role.None")
+@ReadPermission(expression = AdminAccountNoteCheck.EXPRESSION)
+@CreatePermission(expression = AdminAccountNoteCheck.EXPRESSION)
+@UpdatePermission(expression = AdminAccountNoteCheck.EXPRESSION)
+@DeletePermission(expression = Prefab.NONE)
 @Audit(action = Action.CREATE, logStatement = "Note `{0}` for user `{1}` added (watched=`{2}`) with text: {3}", logExpressions = {"${userNote.id}", "${userNote.player.id}", "${userNote.watched}", "${userNote.note}"})
 @Setter
 public class UserNote extends AbstractEntity {
diff --git a/src/main/java/com/faforever/api/data/domain/Vote.java b/src/main/java/com/faforever/api/data/domain/Vote.java
index 5bbf98ca0..0c1ff5b37 100644
--- a/src/main/java/com/faforever/api/data/domain/Vote.java
+++ b/src/main/java/com/faforever/api/data/domain/Vote.java
@@ -1,6 +1,7 @@
 package com.faforever.api.data.domain;
 
 import com.faforever.api.data.checks.IsEntityOwner;
+import com.faforever.api.data.checks.Prefab;
 import com.yahoo.elide.annotation.Include;
 import com.yahoo.elide.annotation.ReadPermission;
 import com.yahoo.elide.annotation.UpdatePermission;
@@ -21,7 +22,7 @@
 @Table(name = "vote")
 @Include(type = Vote.TYPE_NAME, rootLevel = true)
 @ReadPermission(expression = IsEntityOwner.EXPRESSION)
-@UpdatePermission(expression = "Prefab.Role.None")
+@UpdatePermission(expression = Prefab.NONE)
 @EqualsAndHashCode(of = {"player", "votingSubject"}, callSuper = false)
 @Setter
 public class Vote extends AbstractEntity implements OwnableEntity {
diff --git a/src/main/java/com/faforever/api/data/domain/VotingAnswer.java b/src/main/java/com/faforever/api/data/domain/VotingAnswer.java
index c0416cdc7..2459d03bd 100644
--- a/src/main/java/com/faforever/api/data/domain/VotingAnswer.java
+++ b/src/main/java/com/faforever/api/data/domain/VotingAnswer.java
@@ -1,6 +1,7 @@
 package com.faforever.api.data.domain;
 
 import com.faforever.api.data.checks.IsEntityOwner;
+import com.faforever.api.data.checks.Prefab;
 import com.yahoo.elide.annotation.Include;
 import com.yahoo.elide.annotation.ReadPermission;
 import com.yahoo.elide.annotation.UpdatePermission;
@@ -19,7 +20,7 @@
 @Table(name = "voting_answer")
 @Include(type = VotingAnswer.TYPE_NAME)
 @ReadPermission(expression = IsEntityOwner.EXPRESSION)
-@UpdatePermission(expression = "Prefab.Role.None")
+@UpdatePermission(expression = Prefab.NONE)
 @EqualsAndHashCode(of = {"vote", "votingChoice"}, callSuper = false)
 @Setter
 public class VotingAnswer extends AbstractEntity implements OwnableEntity {
diff --git a/src/main/java/com/faforever/api/data/domain/VotingChoice.java b/src/main/java/com/faforever/api/data/domain/VotingChoice.java
index 2c60ddf1c..d6891d4e4 100644
--- a/src/main/java/com/faforever/api/data/domain/VotingChoice.java
+++ b/src/main/java/com/faforever/api/data/domain/VotingChoice.java
@@ -1,7 +1,8 @@
 package com.faforever.api.data.domain;
 
-import com.faforever.api.data.checks.permission.IsModerator;
+import com.faforever.api.data.checks.Prefab;
 import com.faforever.api.data.listeners.VotingChoiceEnricher;
+import com.faforever.api.security.elide.permission.AdminVoteCheck;
 import com.fasterxml.jackson.annotation.JsonBackReference;
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.yahoo.elide.annotation.Audit;
@@ -29,10 +30,10 @@
 
 @Entity
 @Table(name = "voting_choice")
-@ReadPermission(expression = "Prefab.Role.All")
-@DeletePermission(expression = IsModerator.EXPRESSION)
-@UpdatePermission(expression = IsModerator.EXPRESSION)
-@CreatePermission(expression = IsModerator.EXPRESSION)
+@ReadPermission(expression = Prefab.ALL)
+@DeletePermission(expression = AdminVoteCheck.EXPRESSION)
+@UpdatePermission(expression = AdminVoteCheck.EXPRESSION)
+@CreatePermission(expression = AdminVoteCheck.EXPRESSION)
 @Audit(action = Action.CREATE, logStatement = "Created voting choice with id: {0} ", logExpressions = {"${votingChoice.id}"})
 @Audit(action = Action.DELETE, logStatement = "Deleted voting choice with id: {0} ", logExpressions = {"${votingChoice.id}"})
 @Audit(action = Action.UPDATE, logStatement = "Updated voting choice with id: {0} ", logExpressions = {"${votingChoice.id}"})
diff --git a/src/main/java/com/faforever/api/data/domain/VotingQuestion.java b/src/main/java/com/faforever/api/data/domain/VotingQuestion.java
index db7fef2fa..62475a92e 100644
--- a/src/main/java/com/faforever/api/data/domain/VotingQuestion.java
+++ b/src/main/java/com/faforever/api/data/domain/VotingQuestion.java
@@ -1,7 +1,8 @@
 package com.faforever.api.data.domain;
 
-import com.faforever.api.data.checks.permission.IsModerator;
+import com.faforever.api.data.checks.Prefab;
 import com.faforever.api.data.listeners.VotingQuestionEnricher;
+import com.faforever.api.security.elide.permission.AdminVoteCheck;
 import com.fasterxml.jackson.annotation.JsonBackReference;
 import com.fasterxml.jackson.annotation.JsonManagedReference;
 import com.yahoo.elide.annotation.Audit;
@@ -32,10 +33,10 @@
 
 @Entity
 @Table(name = "voting_question")
-@ReadPermission(expression = "Prefab.Role.All")
-@DeletePermission(expression = IsModerator.EXPRESSION)
-@UpdatePermission(expression = IsModerator.EXPRESSION)
-@CreatePermission(expression = IsModerator.EXPRESSION)
+@ReadPermission(expression = Prefab.ALL)
+@DeletePermission(expression = AdminVoteCheck.EXPRESSION)
+@UpdatePermission(expression = AdminVoteCheck.EXPRESSION)
+@CreatePermission(expression = AdminVoteCheck.EXPRESSION)
 @Audit(action = Action.CREATE, logStatement = "Created voting question with id:{0}", logExpressions = {"${votingQuestion.id}"})
 @Audit(action = Action.DELETE, logStatement = "Deleted voting question with id:{0}", logExpressions = {"${votingQuestion.id}"})
 @Audit(action = Action.UPDATE, logStatement = "Updated voting question with id:{0}", logExpressions = {"${votingQuestion.id}"})
@@ -57,14 +58,13 @@ public class VotingQuestion extends AbstractEntity {
   private List<VotingChoice> winners;
   private Set<VotingChoice> votingChoices;
 
-  @UpdatePermission(expression = "Prefab.Common.UpdateOnCreate")
+  @UpdatePermission(expression = Prefab.UPDATE_ON_CREATE)
   @Column(name = "alternative_voting")
   public Boolean isAlternativeQuestion() {
     return alternativeQuestion;
   }
 
   @Column(name = "ordinal")
-  @UpdatePermission(expression = IsModerator.EXPRESSION)
   public Integer getOrdinal() {
     return ordinal;
   }
@@ -72,7 +72,7 @@ public Integer getOrdinal() {
   /**
    * Is evaluated when voting ended and revealVote is set to true
    */
-  @UpdatePermission(expression = "Prefab.Role.None")
+  @UpdatePermission(expression = Prefab.NONE)
   @JoinTable(name = "winner_for_voting_question",
     joinColumns = {@JoinColumn(name = "voting_question_id")},
     inverseJoinColumns = {@JoinColumn(name = "voting_choice_id")}
diff --git a/src/main/java/com/faforever/api/data/domain/VotingSubject.java b/src/main/java/com/faforever/api/data/domain/VotingSubject.java
index 64bdb7bb2..b7e9b0a3d 100644
--- a/src/main/java/com/faforever/api/data/domain/VotingSubject.java
+++ b/src/main/java/com/faforever/api/data/domain/VotingSubject.java
@@ -1,8 +1,9 @@
 package com.faforever.api.data.domain;
 
-import com.faforever.api.data.checks.permission.IsModerator;
+import com.faforever.api.data.checks.Prefab;
 import com.faforever.api.data.listeners.VotingSubjectEnricher;
 import com.faforever.api.data.validation.VotingSubjectRevealWinnerCheck;
+import com.faforever.api.security.elide.permission.AdminVoteCheck;
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonManagedReference;
 import com.yahoo.elide.annotation.Audit;
@@ -31,10 +32,10 @@
 @Entity
 @Table(name = "voting_subject")
 @Include(rootLevel = true, type = VotingSubject.TYPE_NAME)
-@ReadPermission(expression = "Prefab.Role.All")
-@DeletePermission(expression = IsModerator.EXPRESSION)
-@UpdatePermission(expression = IsModerator.EXPRESSION)
-@CreatePermission(expression = IsModerator.EXPRESSION)
+@ReadPermission(expression = Prefab.ALL)
+@DeletePermission(expression = AdminVoteCheck.EXPRESSION)
+@UpdatePermission(expression = AdminVoteCheck.EXPRESSION)
+@CreatePermission(expression = AdminVoteCheck.EXPRESSION)
 @Audit(action = Action.CREATE, logStatement = "Created voting subject with id: {0}", logExpressions = {"${votingSubject.id}"})
 @Audit(action = Action.DELETE, logStatement = "Deleted voting subject with id: {0}", logExpressions = {"${votingSubject.id}"})
 @Audit(action = Action.UPDATE, logStatement = "Updated voting subject with id: {0}", logExpressions = {"${votingSubject.id}"})
diff --git a/src/main/java/com/faforever/api/security/FafUserAuthenticationConverter.java b/src/main/java/com/faforever/api/security/FafUserAuthenticationConverter.java
index ff238529a..80bb2332a 100644
--- a/src/main/java/com/faforever/api/security/FafUserAuthenticationConverter.java
+++ b/src/main/java/com/faforever/api/security/FafUserAuthenticationConverter.java
@@ -19,8 +19,8 @@
  */
 public class FafUserAuthenticationConverter extends DefaultUserAuthenticationConverter {
 
-  private static final String ID = "user_id";
-  private static final String NON_LOCKED = "non_locked";
+  public static final String USER_ID_KEY = "user_id";
+  public static final String NON_LOCKED = "non_locked";
 
   @Override
   public Map<String, ?> convertUserAuthentication(Authentication authentication) {
@@ -28,7 +28,7 @@ public class FafUserAuthenticationConverter extends DefaultUserAuthenticationCon
 
     @SuppressWarnings("unchecked")
     Map<String, Object> response = (Map<String, Object>) super.convertUserAuthentication(authentication);
-    response.put(ID, fafUserDetails.getId());
+    response.put(USER_ID_KEY, fafUserDetails.getId());
     response.put(NON_LOCKED, fafUserDetails.isAccountNonLocked());
 
     return response;
@@ -36,11 +36,11 @@ public class FafUserAuthenticationConverter extends DefaultUserAuthenticationCon
 
   @Override
   public Authentication extractAuthentication(Map<String, ?> map) {
-    if (!map.containsKey(ID)) {
+    if (!map.containsKey(USER_ID_KEY)) {
       return null;
     }
 
-    int id = (Integer) map.get(ID);
+    int id = (Integer) map.get(USER_ID_KEY);
     String username = (String) map.get(USERNAME);
     boolean accountNonLocked = Optional.ofNullable((Boolean) map.get(NON_LOCKED)).orElse(true);
     Collection<? extends GrantedAuthority> authorities = getAuthorities(map);
diff --git a/src/main/java/com/faforever/api/security/FafUserDetails.java b/src/main/java/com/faforever/api/security/FafUserDetails.java
index fa2d955d8..16a3981bb 100644
--- a/src/main/java/com/faforever/api/security/FafUserDetails.java
+++ b/src/main/java/com/faforever/api/security/FafUserDetails.java
@@ -1,11 +1,11 @@
 package com.faforever.api.security;
 
-import com.faforever.api.data.domain.LegacyAccessLevel;
 import com.faforever.api.data.domain.User;
 import lombok.Getter;
 import org.springframework.security.core.GrantedAuthority;
 
 import java.util.Collection;
+import java.util.stream.Collectors;
 
 @Getter
 public class FafUserDetails extends org.springframework.security.core.userdetails.User {
@@ -22,17 +22,10 @@ public FafUserDetails(int id, String username, String password, boolean accountN
   }
 
   public boolean hasPermission(String permission) {
-    Collection<GrantedAuthority> authorities = this.getAuthorities();
+    Collection<String> authorities = this.getAuthorities().stream()
+      .map(GrantedAuthority::getAuthority)
+      .collect(Collectors.toList());
 
-    if (authorities.contains(LegacyAccessLevel.ROLE_ADMINISTRATOR)) {
-      return true;
-    }
-
-    if (authorities.contains(LegacyAccessLevel.ROLE_MODERATOR)) {
-      // We have no admin-only permissions yet
-      return true;
-    }
-
-    return false;
+    return authorities.contains(permission) || authorities.contains(UserRole.ADMINISTRATOR.getAuthority());
   }
 }
diff --git a/src/main/java/com/faforever/api/security/FafUserDetailsService.java b/src/main/java/com/faforever/api/security/FafUserDetailsService.java
index b76a009b1..e3dd2bfe0 100644
--- a/src/main/java/com/faforever/api/security/FafUserDetailsService.java
+++ b/src/main/java/com/faforever/api/security/FafUserDetailsService.java
@@ -11,6 +11,11 @@
 
 import javax.inject.Inject;
 import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
 
 /**
  * Adapter between Spring's {@link UserDetailsService} and FAF's {@code login} table.
@@ -33,9 +38,29 @@ public UserDetails loadUserByUsername(String usernameOrEmail) throws UsernameNot
     ArrayList<GrantedAuthority> authorities = new ArrayList<>();
     authorities.add(LegacyAccessLevel.ROLE_USER);
 
-    if (user.getLobbyGroup() != null) {
-      authorities.add(user.getLobbyGroup().getAccessLevel());
-    }
+    authorities.addAll(getUserRoles(user));
+    authorities.addAll(getPermissionRoles(user));
+
     return new FafUserDetails(user, authorities);
   }
+
+  private Collection<GrantedAuthority> getUserRoles(User user) {
+    Set<GrantedAuthority> userRoles = new HashSet<>();
+
+    userRoles.add(UserRole.USER);
+
+    user.getUserGroups().stream()
+      .map(userGroup -> UserRole.fromString(userGroup.getTechnicalName()))
+      .filter(Optional::isPresent)
+      .map(Optional::get)
+      .forEach(userRoles::add);
+
+    return userRoles;
+  }
+
+  private Collection<GrantedAuthority> getPermissionRoles(User user) {
+    return user.getUserGroups().stream()
+      .flatMap(userGroup -> userGroup.getPermissions().stream())
+      .collect(Collectors.toSet());
+  }
 }
diff --git a/src/main/java/com/faforever/api/security/OAuthScope.java b/src/main/java/com/faforever/api/security/OAuthScope.java
index 0d5b7a609..95cbad38c 100644
--- a/src/main/java/com/faforever/api/security/OAuthScope.java
+++ b/src/main/java/com/faforever/api/security/OAuthScope.java
@@ -6,7 +6,7 @@
 
 public enum OAuthScope {
 
-  PUBLIC_PROFILE(OAuthScope._PUBLIC_PROFILE, "Read your public player data"),
+  PUBLIC_PROFILE(OAuthScope._PUBLIC_PROFILE, "Read your public account data"),
   CREATE_USER(OAuthScope._CREATE_USER, "Create users"),
   READ_ACHIEVEMENTS(OAuthScope._READ_ACHIEVEMENTS, "Read your achievements"),
   WRITE_ACHIEVEMENTS(OAuthScope._WRITE_ACHIEVEMENTS, "Write your achievements"),
@@ -17,8 +17,10 @@ public enum OAuthScope {
   UPLOAD_AVATAR(OAuthScope._UPLOAD_AVATAR, "Upload avatars"),
   WRITE_ACCOUNT_DATA(OAuthScope._WRITE_ACCOUNT_DATA, "Edit account data"),
   EDIT_CLAN_DATA(OAuthScope._EDIT_CLAN_DATA, "Edit clan data"),
-  VOTE(OAuthScope._VOTE, "Vote");
-
+  VOTE(OAuthScope._VOTE, "Vote"),
+  READ_SENSIBLE_USERDATA(OAuthScope._READ_SENSIBLE_USERDATA, "View sensible user data (email addresses, ip addresses, etc.)"),
+  ADMINISTRATIVE_ACTION(OAuthScope._ADMINISTRATIVE_ACTION, "Administrative actions"),
+  MANAGE_VAULT(OAuthScope._MANAGE_VAULT, "Manage vault");
 
   public static final String _PUBLIC_PROFILE = "public_profile";
   public static final String _CREATE_USER = "create_user";
@@ -32,6 +34,9 @@ public enum OAuthScope {
   public static final String _WRITE_ACCOUNT_DATA = "write_account_data";
   public static final String _EDIT_CLAN_DATA = "edit_clan_data";
   public static final String _VOTE = "vote";
+  public static final String _READ_SENSIBLE_USERDATA = "read_sensible_userdata";
+  public static final String _ADMINISTRATIVE_ACTION = "administrative_actions";
+  public static final String _MANAGE_VAULT = "manage_vault";
 
   private static final Map<String, OAuthScope> fromString;
 
diff --git a/src/main/java/com/faforever/api/security/UserRole.java b/src/main/java/com/faforever/api/security/UserRole.java
new file mode 100644
index 000000000..04c90edda
--- /dev/null
+++ b/src/main/java/com/faforever/api/security/UserRole.java
@@ -0,0 +1,37 @@
+package com.faforever.api.security;
+
+import org.springframework.security.core.GrantedAuthority;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Optional;
+
+public enum UserRole implements GrantedAuthority {
+  USER("USER"),
+  MODERATOR("MODERATOR"),
+  ADMINISTRATOR("ADMINISTRATOR");
+
+  private static final Map<String, UserRole> fromString;
+
+  static {
+    fromString = new HashMap<>();
+    for (UserRole userRole : values()) {
+      fromString.put(userRole.string, userRole);
+    }
+  }
+
+  private final String string;
+
+  UserRole(String string) {
+    this.string = string;
+  }
+
+  public static Optional<UserRole> fromString(String string) {
+    return Optional.ofNullable(fromString.get(string));
+  }
+
+  @Override
+  public String getAuthority() {
+    return "ROLE_" + string;
+  }
+}
diff --git a/src/main/java/com/faforever/api/security/elide/permission/AdminAccountBanCheck.java b/src/main/java/com/faforever/api/security/elide/permission/AdminAccountBanCheck.java
new file mode 100644
index 000000000..b1cc284a1
--- /dev/null
+++ b/src/main/java/com/faforever/api/security/elide/permission/AdminAccountBanCheck.java
@@ -0,0 +1,17 @@
+package com.faforever.api.security.elide.permission;
+
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
+import com.yahoo.elide.security.User;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class AdminAccountBanCheck extends FafUserCheck {
+  public static final String EXPRESSION = "AdminAccountBan";
+
+  @Override
+  public boolean ok(User user) {
+    return checkOAuthScopes(OAuthScope.ADMINISTRATIVE_ACTION) &&
+      checkUserPermission(user, GroupPermission.ROLE_ADMIN_ACCOUNT_BAN);
+  }
+}
diff --git a/src/main/java/com/faforever/api/security/elide/permission/AdminAccountNoteCheck.java b/src/main/java/com/faforever/api/security/elide/permission/AdminAccountNoteCheck.java
new file mode 100644
index 000000000..126392b6b
--- /dev/null
+++ b/src/main/java/com/faforever/api/security/elide/permission/AdminAccountNoteCheck.java
@@ -0,0 +1,17 @@
+package com.faforever.api.security.elide.permission;
+
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
+import com.yahoo.elide.security.User;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class AdminAccountNoteCheck extends FafUserCheck {
+  public static final String EXPRESSION = "AdminAccountNote";
+
+  @Override
+  public boolean ok(User user) {
+    return checkOAuthScopes(OAuthScope.READ_SENSIBLE_USERDATA) &&
+      checkUserPermission(user, GroupPermission.ROLE_ADMIN_ACCOUNT_NOTE);
+  }
+}
diff --git a/src/main/java/com/faforever/api/security/elide/permission/AdminMapCheck.java b/src/main/java/com/faforever/api/security/elide/permission/AdminMapCheck.java
new file mode 100644
index 000000000..847520f88
--- /dev/null
+++ b/src/main/java/com/faforever/api/security/elide/permission/AdminMapCheck.java
@@ -0,0 +1,17 @@
+package com.faforever.api.security.elide.permission;
+
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
+import com.yahoo.elide.security.User;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class AdminMapCheck extends FafUserCheck {
+  public static final String EXPRESSION = "AdminMap";
+
+  @Override
+  public boolean ok(User user) {
+    return checkOAuthScopes(OAuthScope.MANAGE_VAULT) &&
+      checkUserPermission(user, GroupPermission.ROLE_ADMIN_MAP);
+  }
+}
diff --git a/src/main/java/com/faforever/api/security/elide/permission/AdminModCheck.java b/src/main/java/com/faforever/api/security/elide/permission/AdminModCheck.java
new file mode 100644
index 000000000..4fbf7307a
--- /dev/null
+++ b/src/main/java/com/faforever/api/security/elide/permission/AdminModCheck.java
@@ -0,0 +1,17 @@
+package com.faforever.api.security.elide.permission;
+
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
+import com.yahoo.elide.security.User;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class AdminModCheck extends FafUserCheck {
+  public static final String EXPRESSION = "AdminMod";
+
+  @Override
+  public boolean ok(User user) {
+    return checkOAuthScopes(OAuthScope.MANAGE_VAULT) &&
+      checkUserPermission(user, GroupPermission.ROLE_ADMIN_MOD);
+  }
+}
diff --git a/src/main/java/com/faforever/api/security/elide/permission/AdminModerationReportCheck.java b/src/main/java/com/faforever/api/security/elide/permission/AdminModerationReportCheck.java
new file mode 100644
index 000000000..6b84a2444
--- /dev/null
+++ b/src/main/java/com/faforever/api/security/elide/permission/AdminModerationReportCheck.java
@@ -0,0 +1,17 @@
+package com.faforever.api.security.elide.permission;
+
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
+import com.yahoo.elide.security.User;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class AdminModerationReportCheck extends FafUserCheck {
+  public static final String EXPRESSION = "AdminModerationReport";
+
+  @Override
+  public boolean ok(User user) {
+    return checkOAuthScopes(OAuthScope.ADMINISTRATIVE_ACTION) &&
+      checkUserPermission(user, GroupPermission.ROLE_ADMIN_MODERATION_REPORT);
+  }
+}
diff --git a/src/main/java/com/faforever/api/security/elide/permission/AdminVoteCheck.java b/src/main/java/com/faforever/api/security/elide/permission/AdminVoteCheck.java
new file mode 100644
index 000000000..4b30c2b65
--- /dev/null
+++ b/src/main/java/com/faforever/api/security/elide/permission/AdminVoteCheck.java
@@ -0,0 +1,17 @@
+package com.faforever.api.security.elide.permission;
+
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
+import com.yahoo.elide.security.User;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class AdminVoteCheck extends FafUserCheck {
+  public static final String EXPRESSION = "AdminVote";
+
+  @Override
+  public boolean ok(User user) {
+    return checkOAuthScopes(OAuthScope.ADMINISTRATIVE_ACTION) &&
+      checkUserPermission(user, GroupPermission.ROLE_ADMIN_VOTE);
+  }
+}
diff --git a/src/main/java/com/faforever/api/security/elide/permission/FafUserCheck.java b/src/main/java/com/faforever/api/security/elide/permission/FafUserCheck.java
new file mode 100644
index 000000000..4173d9557
--- /dev/null
+++ b/src/main/java/com/faforever/api/security/elide/permission/FafUserCheck.java
@@ -0,0 +1,81 @@
+package com.faforever.api.security.elide.permission;
+
+import com.faforever.api.security.FafUserDetails;
+import com.faforever.api.security.OAuthScope;
+import com.yahoo.elide.security.User;
+import com.yahoo.elide.security.checks.UserCheck;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.security.oauth2.provider.OAuth2Request;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+@Slf4j
+abstract class FafUserCheck extends UserCheck {
+  protected boolean checkOAuthScopes(OAuthScope... scope) {
+    return checkOAuthScopes(Stream.of(scope).map(OAuthScope::getKey).toArray(String[]::new));
+  }
+
+  private boolean checkOAuthScopes(String... scope) {
+    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+    if (!(authentication instanceof OAuth2Authentication)) {
+      log.trace("Authentication is no OAuth2Authentication: {}", authentication);
+      return false;
+    }
+
+    OAuth2Authentication oAuth2Authentication = ((OAuth2Authentication) authentication);
+    OAuth2Request oAuth2Request = oAuth2Authentication.getOAuth2Request();
+
+    List<String> missedScopes = new ArrayList<>();
+
+    for (String currentScope : scope) {
+      if (!oAuth2Request.getScope().contains(currentScope)) {
+        missedScopes.add(currentScope);
+      }
+    }
+
+    if (log.isTraceEnabled()) {
+      if (missedScopes.isEmpty()) {
+        log.trace("All requested scopes are granted: {}", String.join(", ", scope));
+      } else {
+        log.trace("Scopes '{}' are not granted in requested scopes: {} for client with id {}", String.join(", ", missedScopes), String.join(", ", oAuth2Request.getScope()), oAuth2Request.getResourceIds());
+      }
+    }
+
+    return missedScopes.isEmpty();
+  }
+
+  protected boolean checkUserPermission(User user, String... userPermissionRole) {
+    if (!(user.getOpaqueUser() instanceof FafUserDetails)) {
+      log.warn("UserCheck applied on wrong User type: {}", user);
+      return false;
+    }
+
+    FafUserDetails userDetails = (FafUserDetails) user.getOpaqueUser();
+
+    Set<String> grantedUserRoles = userDetails.getAuthorities().stream()
+      .map(GrantedAuthority::getAuthority)
+      .collect(Collectors.toSet());
+
+    Set<String> missedScopes = Stream.of(userPermissionRole)
+      .collect(Collectors.toSet());
+    missedScopes.removeAll(grantedUserRoles);
+
+    if (log.isTraceEnabled()) {
+      if (missedScopes.isEmpty()) {
+        log.trace("All requested permissions are granted: {}", String.join(", ", userPermissionRole));
+      } else {
+        log.trace("Permissions '{}' are not granted in requested permissions: {} , for user with id: {}", String.join(", ", missedScopes), String.join(", ", grantedUserRoles), userDetails.getId());
+      }
+    }
+
+    return missedScopes.isEmpty();
+  }
+}
diff --git a/src/main/java/com/faforever/api/security/elide/permission/ReadAccountPrivateDetailsCheck.java b/src/main/java/com/faforever/api/security/elide/permission/ReadAccountPrivateDetailsCheck.java
new file mode 100644
index 000000000..940ecdbf1
--- /dev/null
+++ b/src/main/java/com/faforever/api/security/elide/permission/ReadAccountPrivateDetailsCheck.java
@@ -0,0 +1,17 @@
+package com.faforever.api.security.elide.permission;
+
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
+import com.yahoo.elide.security.User;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class ReadAccountPrivateDetailsCheck extends FafUserCheck {
+  public static final String EXPRESSION = "ReadAccountPrivateDetails";
+
+  @Override
+  public boolean ok(User user) {
+    return checkOAuthScopes(OAuthScope.READ_SENSIBLE_USERDATA) &&
+      checkUserPermission(user, GroupPermission.ROLE_READ_ACCOUNT_PRIVATE_DETAILS);
+  }
+}
diff --git a/src/main/java/com/faforever/api/security/elide/permission/ReadTeamkillReportCheck.java b/src/main/java/com/faforever/api/security/elide/permission/ReadTeamkillReportCheck.java
new file mode 100644
index 000000000..074be1384
--- /dev/null
+++ b/src/main/java/com/faforever/api/security/elide/permission/ReadTeamkillReportCheck.java
@@ -0,0 +1,17 @@
+package com.faforever.api.security.elide.permission;
+
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
+import com.yahoo.elide.security.User;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class ReadTeamkillReportCheck extends FafUserCheck {
+  public static final String EXPRESSION = "ReadTeamkillReport";
+
+  @Override
+  public boolean ok(User user) {
+    return checkOAuthScopes(OAuthScope.ADMINISTRATIVE_ACTION) &&
+      checkUserPermission(user, GroupPermission.ROLE_READ_TEAMKILL_REPORT);
+  }
+}
diff --git a/src/main/java/com/faforever/api/security/elide/permission/ReadUserGroupCheck.java b/src/main/java/com/faforever/api/security/elide/permission/ReadUserGroupCheck.java
new file mode 100644
index 000000000..2fef9938b
--- /dev/null
+++ b/src/main/java/com/faforever/api/security/elide/permission/ReadUserGroupCheck.java
@@ -0,0 +1,17 @@
+package com.faforever.api.security.elide.permission;
+
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
+import com.yahoo.elide.security.User;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class ReadUserGroupCheck extends FafUserCheck {
+  public static final String EXPRESSION = "ReadUserGroup";
+
+  @Override
+  public boolean ok(User user) {
+    return checkOAuthScopes(OAuthScope.READ_SENSIBLE_USERDATA) &&
+      checkUserPermission(user, GroupPermission.ROLE_READ_USER_GROUP);
+  }
+}
diff --git a/src/main/java/com/faforever/api/security/elide/permission/WriteAvatarCheck.java b/src/main/java/com/faforever/api/security/elide/permission/WriteAvatarCheck.java
new file mode 100644
index 000000000..8c2936625
--- /dev/null
+++ b/src/main/java/com/faforever/api/security/elide/permission/WriteAvatarCheck.java
@@ -0,0 +1,16 @@
+package com.faforever.api.security.elide.permission;
+
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
+import com.yahoo.elide.security.User;
+
+public class WriteAvatarCheck extends FafUserCheck {
+
+  public static final String EXPRESSION = "WriteAvatar";
+
+  @Override
+  public boolean ok(User user) {
+    return checkOAuthScopes(OAuthScope.ADMINISTRATIVE_ACTION) &&
+      checkUserPermission(user, GroupPermission.ROLE_WRITE_AVATAR);
+  }
+}
diff --git a/src/main/java/com/faforever/api/security/elide/permission/WriteEmailDomainBanCheck.java b/src/main/java/com/faforever/api/security/elide/permission/WriteEmailDomainBanCheck.java
new file mode 100644
index 000000000..a9a1484bd
--- /dev/null
+++ b/src/main/java/com/faforever/api/security/elide/permission/WriteEmailDomainBanCheck.java
@@ -0,0 +1,16 @@
+package com.faforever.api.security.elide.permission;
+
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
+import com.yahoo.elide.security.User;
+
+public class WriteEmailDomainBanCheck extends FafUserCheck {
+
+  public static final String EXPRESSION = "WriteEmailDomainBan";
+
+  @Override
+  public boolean ok(User user) {
+    return checkOAuthScopes(OAuthScope.ADMINISTRATIVE_ACTION) &&
+      checkUserPermission(user, GroupPermission.ROLE_WRITE_EMAIL_DOMAIN_BAN);
+  }
+}
diff --git a/src/main/java/com/faforever/api/security/elide/permission/WriteMatchmakerMapCheck.java b/src/main/java/com/faforever/api/security/elide/permission/WriteMatchmakerMapCheck.java
new file mode 100644
index 000000000..19ad75e74
--- /dev/null
+++ b/src/main/java/com/faforever/api/security/elide/permission/WriteMatchmakerMapCheck.java
@@ -0,0 +1,16 @@
+package com.faforever.api.security.elide.permission;
+
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
+import com.yahoo.elide.security.User;
+
+public class WriteMatchmakerMapCheck extends FafUserCheck {
+
+  public static final String EXPRESSION = "AdminMatchmakerMap";
+
+  @Override
+  public boolean ok(User user) {
+    return checkOAuthScopes(OAuthScope.ADMINISTRATIVE_ACTION) &&
+      checkUserPermission(user, GroupPermission.ROLE_WRITE_MATCHMAKER_MAP);
+  }
+}
diff --git a/src/main/java/com/faforever/api/security/elide/permission/WriteMatchmakerPoolCheck.java b/src/main/java/com/faforever/api/security/elide/permission/WriteMatchmakerPoolCheck.java
new file mode 100644
index 000000000..fc232326d
--- /dev/null
+++ b/src/main/java/com/faforever/api/security/elide/permission/WriteMatchmakerPoolCheck.java
@@ -0,0 +1,16 @@
+package com.faforever.api.security.elide.permission;
+
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
+import com.yahoo.elide.security.User;
+
+public class WriteMatchmakerPoolCheck extends FafUserCheck {
+
+  public static final String EXPRESSION = "AdminMatchmakerPool";
+
+  @Override
+  public boolean ok(User user) {
+    return checkOAuthScopes(OAuthScope.ADMINISTRATIVE_ACTION) &&
+      checkUserPermission(user, GroupPermission.ROLE_WRITE_MATCHMAKER_POOL);
+  }
+}
diff --git a/src/main/java/com/faforever/api/security/elide/permission/WriteMessageCheck.java b/src/main/java/com/faforever/api/security/elide/permission/WriteMessageCheck.java
new file mode 100644
index 000000000..11331930e
--- /dev/null
+++ b/src/main/java/com/faforever/api/security/elide/permission/WriteMessageCheck.java
@@ -0,0 +1,16 @@
+package com.faforever.api.security.elide.permission;
+
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
+import com.yahoo.elide.security.User;
+
+public class WriteMessageCheck extends FafUserCheck {
+
+  public static final String EXPRESSION = "WriteMessage";
+
+  @Override
+  public boolean ok(User user) {
+    return checkOAuthScopes(OAuthScope.ADMINISTRATIVE_ACTION) &&
+      checkUserPermission(user, GroupPermission.ROLE_WRITE_MESSAGE);
+  }
+}
diff --git a/src/main/java/com/faforever/api/security/elide/permission/WriteNewsPostCheck.java b/src/main/java/com/faforever/api/security/elide/permission/WriteNewsPostCheck.java
new file mode 100644
index 000000000..3e9a85aa3
--- /dev/null
+++ b/src/main/java/com/faforever/api/security/elide/permission/WriteNewsPostCheck.java
@@ -0,0 +1,16 @@
+package com.faforever.api.security.elide.permission;
+
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
+import com.yahoo.elide.security.User;
+
+public class WriteNewsPostCheck extends FafUserCheck {
+
+  public static final String EXPRESSION = "WriteNewsPost";
+
+  @Override
+  public boolean ok(User user) {
+    return checkOAuthScopes(OAuthScope.ADMINISTRATIVE_ACTION) &&
+      checkUserPermission(user, GroupPermission.ROLE_WRITE_NEWS_POST);
+  }
+}
diff --git a/src/main/java/com/faforever/api/security/elide/permission/WriteTutorialCheck.java b/src/main/java/com/faforever/api/security/elide/permission/WriteTutorialCheck.java
new file mode 100644
index 000000000..54d2d2eb8
--- /dev/null
+++ b/src/main/java/com/faforever/api/security/elide/permission/WriteTutorialCheck.java
@@ -0,0 +1,16 @@
+package com.faforever.api.security.elide.permission;
+
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
+import com.yahoo.elide.security.User;
+
+public class WriteTutorialCheck extends FafUserCheck {
+
+  public static final String EXPRESSION = "WriteTutorial";
+
+  @Override
+  public boolean ok(User user) {
+    return checkOAuthScopes(OAuthScope.ADMINISTRATIVE_ACTION) &&
+      checkUserPermission(user, GroupPermission.ROLE_WRITE_TUTORIAL);
+  }
+}
diff --git a/src/main/java/com/faforever/api/security/elide/permission/WriteUserGroupCheck.java b/src/main/java/com/faforever/api/security/elide/permission/WriteUserGroupCheck.java
new file mode 100644
index 000000000..6147fa3c8
--- /dev/null
+++ b/src/main/java/com/faforever/api/security/elide/permission/WriteUserGroupCheck.java
@@ -0,0 +1,17 @@
+package com.faforever.api.security.elide.permission;
+
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
+import com.yahoo.elide.security.User;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class WriteUserGroupCheck extends FafUserCheck {
+  public static final String EXPRESSION = "WriteUserGroup";
+
+  @Override
+  public boolean ok(User user) {
+    return checkOAuthScopes(OAuthScope.ADMINISTRATIVE_ACTION) &&
+      checkUserPermission(user, GroupPermission.ROLE_WRITE_USER_GROUP);
+  }
+}

From 01b19e61071d6fe69062d6c5d7c73bf58d6d077c Mon Sep 17 00:00:00 2001
From: Brutus5000 <Brutus5000@gmx.net>
Date: Mon, 23 Sep 2019 13:07:33 +0200
Subject: [PATCH 2/5] Adjust to db-migrations v77

---
 .travis.yml                               | 2 +-
 src/main/resources/config/application.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index f1dd9e045..fd7735dac 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -23,7 +23,7 @@ before_install:
 install:
   - git clone https://github.com/FAForever/faf-stack.git faf-stack
     && pushd faf-stack
-    && git checkout e33243c9
+    && git checkout 79c5d9d9
     && cp -r config.template config
     && cp .env.template .env
     && ./scripts/init-db.sh
diff --git a/src/main/resources/config/application.yml b/src/main/resources/config/application.yml
index 04512b97a..9415d4d98 100644
--- a/src/main/resources/config/application.yml
+++ b/src/main/resources/config/application.yml
@@ -9,7 +9,7 @@ faf-api:
   challonge:
     key: ${CHALLONGE_KEY:}
   database:
-    schema-version: ${DATABASE_SCHEMA_VERSION:76}
+    schema-version: ${DATABASE_SCHEMA_VERSION:77}
   mautic:
     base-url: ${MAUTIC_BASE_URL:false}
     client-id: ${MAUTIC_CLIENT_ID:false}

From 9a20cfedd82a163a9ad5a4c2dae9b9da5dda972e Mon Sep 17 00:00:00 2001
From: Brutus5000 <Brutus5000@gmx.net>
Date: Mon, 23 Sep 2019 22:33:15 +0200
Subject: [PATCH 3/5] Migrate all Elide Prefab roles to constants + fix one
 deprecated annotation

---
 src/main/java/com/faforever/api/data/domain/BanInfo.java | 4 ++--
 src/main/java/com/faforever/api/data/domain/Clan.java    | 7 ++++---
 src/main/java/com/faforever/api/data/domain/Game.java    | 5 +++--
 .../java/com/faforever/api/data/domain/GameReview.java   | 5 +++--
 .../java/com/faforever/api/data/domain/MapVersion.java   | 5 +++--
 .../com/faforever/api/data/domain/MapVersionReview.java  | 5 +++--
 src/main/java/com/faforever/api/data/domain/Message.java | 3 ++-
 .../java/com/faforever/api/data/domain/ModVersion.java   | 5 +++--
 .../com/faforever/api/data/domain/ModVersionReview.java  | 5 +++--
 .../java/com/faforever/api/data/domain/NameRecord.java   | 5 +++--
 src/main/java/com/faforever/api/data/domain/Review.java  | 3 ++-
 src/main/java/com/faforever/api/data/package-info.java   | 9 +++++----
 12 files changed, 36 insertions(+), 25 deletions(-)

diff --git a/src/main/java/com/faforever/api/data/domain/BanInfo.java b/src/main/java/com/faforever/api/data/domain/BanInfo.java
index d8515d72a..d7941d33d 100644
--- a/src/main/java/com/faforever/api/data/domain/BanInfo.java
+++ b/src/main/java/com/faforever/api/data/domain/BanInfo.java
@@ -56,7 +56,7 @@ public Player getPlayer() {
   }
 
   @ManyToOne
-  @UpdatePermission(expression = "Prefab.Role.None")
+  @UpdatePermission(expression = Prefab.NONE)
   @JoinColumn(name = "author_id")
   @NotNull
   public Player getAuthor() {
@@ -97,7 +97,7 @@ public String getRevokeReason() {
   }
 
   @ManyToOne
-  @UpdatePermission(expression = "Prefab.Role.None")
+  @UpdatePermission(expression = Prefab.NONE)
   @JoinColumn(name = "revoke_author_id")
   public Player getRevokeAuthor() {
     return revokeAuthor;
diff --git a/src/main/java/com/faforever/api/data/domain/Clan.java b/src/main/java/com/faforever/api/data/domain/Clan.java
index eb58b749d..78e132baf 100644
--- a/src/main/java/com/faforever/api/data/domain/Clan.java
+++ b/src/main/java/com/faforever/api/data/domain/Clan.java
@@ -1,6 +1,7 @@
 package com.faforever.api.data.domain;
 
 import com.faforever.api.data.checks.IsEntityOwner;
+import com.faforever.api.data.checks.Prefab;
 import com.faforever.api.data.listeners.ClanEnricherListener;
 import com.faforever.api.data.validation.IsLeaderInClan;
 import com.yahoo.elide.annotation.ComputedAttribute;
@@ -10,7 +11,6 @@
 import com.yahoo.elide.annotation.SharePermission;
 import com.yahoo.elide.annotation.UpdatePermission;
 import lombok.Setter;
-import org.hibernate.validator.constraints.NotEmpty;
 
 import javax.persistence.CascadeType;
 import javax.persistence.Column;
@@ -22,6 +22,7 @@
 import javax.persistence.OneToMany;
 import javax.persistence.Table;
 import javax.persistence.Transient;
+import javax.validation.constraints.NotEmpty;
 import javax.validation.constraints.NotNull;
 import javax.validation.constraints.Size;
 import java.util.List;
@@ -31,7 +32,7 @@
 @Include(rootLevel = true, type = Clan.TYPE_NAME)
 @SharePermission
 @DeletePermission(expression = IsEntityOwner.EXPRESSION)
-@CreatePermission(expression = "Prefab.Role.All")
+@CreatePermission(expression = Prefab.ALL)
 @Setter
 @IsLeaderInClan
 @EntityListeners(ClanEnricherListener.class)
@@ -90,7 +91,7 @@ public String getTagColor() {
   // Cascading is needed for Create & Delete
   @OneToMany(mappedBy = "clan", cascade = CascadeType.ALL, orphanRemoval = true)
   // Permission is managed by ClanMembership class
-  @UpdatePermission(expression = "Prefab.Role.All")
+  @UpdatePermission(expression = Prefab.ALL)
   @NotEmpty(message = "At least the leader should be in the clan")
   public List<ClanMembership> getMemberships() {
     return this.memberships;
diff --git a/src/main/java/com/faforever/api/data/domain/Game.java b/src/main/java/com/faforever/api/data/domain/Game.java
index a27342e5c..2415781e3 100644
--- a/src/main/java/com/faforever/api/data/domain/Game.java
+++ b/src/main/java/com/faforever/api/data/domain/Game.java
@@ -1,5 +1,6 @@
 package com.faforever.api.data.domain;
 
+import com.faforever.api.data.checks.Prefab;
 import com.faforever.api.data.listeners.GameEnricher;
 import com.yahoo.elide.annotation.ComputedAttribute;
 import com.yahoo.elide.annotation.Include;
@@ -111,14 +112,14 @@ public String getReplayUrl() {
   }
 
   @OneToMany(mappedBy = "game")
-  @UpdatePermission(expression = "Prefab.Role.All")
+  @UpdatePermission(expression = Prefab.ALL)
   public List<GameReview> getReviews() {
     return reviews;
   }
 
   @OneToOne(fetch = FetchType.LAZY)
   @PrimaryKeyJoinColumn
-  @UpdatePermission(expression = "Prefab.Role.All")
+  @UpdatePermission(expression = Prefab.ALL)
   @BatchSize(size = 1000)
   public GameReviewsSummary getReviewsSummary() {
     return reviewsSummary;
diff --git a/src/main/java/com/faforever/api/data/domain/GameReview.java b/src/main/java/com/faforever/api/data/domain/GameReview.java
index 45c4862f2..61378d305 100644
--- a/src/main/java/com/faforever/api/data/domain/GameReview.java
+++ b/src/main/java/com/faforever/api/data/domain/GameReview.java
@@ -1,6 +1,7 @@
 package com.faforever.api.data.domain;
 
 import com.faforever.api.data.checks.IsEntityOwner;
+import com.faforever.api.data.checks.Prefab;
 import com.yahoo.elide.annotation.CreatePermission;
 import com.yahoo.elide.annotation.DeletePermission;
 import com.yahoo.elide.annotation.Include;
@@ -17,7 +18,7 @@
 @Include(rootLevel = true, type = "gameReview")
 @Entity
 @Table(name = "game_review")
-@CreatePermission(expression = "Prefab.Role.All")
+@CreatePermission(expression = Prefab.ALL)
 @DeletePermission(expression = IsEntityOwner.EXPRESSION)
 public class GameReview extends Review {
 
@@ -25,7 +26,7 @@ public class GameReview extends Review {
 
   @ManyToOne(fetch = FetchType.LAZY)
   @JoinColumn(name = "game_id")
-  @UpdatePermission(expression = "Prefab.Role.All and Prefab.Common.UpdateOnCreate")
+  @UpdatePermission(expression = Prefab.ALL_AND_UPDATE_ON_CREATE)
   public Game getGame() {
     return game;
   }
diff --git a/src/main/java/com/faforever/api/data/domain/MapVersion.java b/src/main/java/com/faforever/api/data/domain/MapVersion.java
index d31d69c44..7bb1c9116 100644
--- a/src/main/java/com/faforever/api/data/domain/MapVersion.java
+++ b/src/main/java/com/faforever/api/data/domain/MapVersion.java
@@ -2,6 +2,7 @@
 
 import com.faforever.api.data.checks.BooleanChange;
 import com.faforever.api.data.checks.IsEntityOwner;
+import com.faforever.api.data.checks.Prefab;
 import com.faforever.api.data.checks.permission.IsModerator;
 import com.faforever.api.data.listeners.MapVersionEnricher;
 import com.yahoo.elide.annotation.Audit;
@@ -140,13 +141,13 @@ public String getFolderName() {
   }
 
   @OneToMany(mappedBy = "mapVersion")
-  @UpdatePermission(expression = "Prefab.Role.All")
+  @UpdatePermission(expression = Prefab.ALL)
   public List<MapVersionReview> getReviews() {
     return reviews;
   }
 
   @OneToOne(mappedBy = "mapVersion")
-  @UpdatePermission(expression = "Prefab.Role.All")
+  @UpdatePermission(expression = Prefab.ALL)
   public MapVersionReviewsSummary getReviewsSummary() {
     return reviewsSummary;
   }
diff --git a/src/main/java/com/faforever/api/data/domain/MapVersionReview.java b/src/main/java/com/faforever/api/data/domain/MapVersionReview.java
index 95e4eca76..9a111c856 100644
--- a/src/main/java/com/faforever/api/data/domain/MapVersionReview.java
+++ b/src/main/java/com/faforever/api/data/domain/MapVersionReview.java
@@ -1,6 +1,7 @@
 package com.faforever.api.data.domain;
 
 import com.faforever.api.data.checks.IsEntityOwner;
+import com.faforever.api.data.checks.Prefab;
 import com.yahoo.elide.annotation.CreatePermission;
 import com.yahoo.elide.annotation.DeletePermission;
 import com.yahoo.elide.annotation.Include;
@@ -17,7 +18,7 @@
 @Include(rootLevel = true, type = "mapVersionReview")
 @Entity
 @Table(name = "map_version_review")
-@CreatePermission(expression = "Prefab.Role.All")
+@CreatePermission(expression = Prefab.ALL)
 @DeletePermission(expression = IsEntityOwner.EXPRESSION)
 public class MapVersionReview extends Review {
 
@@ -25,7 +26,7 @@ public class MapVersionReview extends Review {
 
   @ManyToOne(fetch = FetchType.LAZY)
   @JoinColumn(name = "map_version_id")
-  @UpdatePermission(expression = "Prefab.Role.All and Prefab.Common.UpdateOnCreate")
+  @UpdatePermission(expression = Prefab.ALL_AND_UPDATE_ON_CREATE)
   public MapVersion getMapVersion() {
     return mapVersion;
   }
diff --git a/src/main/java/com/faforever/api/data/domain/Message.java b/src/main/java/com/faforever/api/data/domain/Message.java
index c36d0313a..a2a15e33f 100644
--- a/src/main/java/com/faforever/api/data/domain/Message.java
+++ b/src/main/java/com/faforever/api/data/domain/Message.java
@@ -1,5 +1,6 @@
 package com.faforever.api.data.domain;
 
+import com.faforever.api.data.checks.Prefab;
 import com.faforever.api.data.checks.permission.IsModerator;
 import com.faforever.api.data.listeners.MessageReloadListener;
 import com.github.jasminb.jsonapi.annotations.Type;
@@ -29,7 +30,7 @@
 @CreatePermission(expression = IsModerator.EXPRESSION)
 @Audit(action = Action.DELETE, logStatement = "Message with key `{0}` , ID `{1}`, language `{2}` , region `{3}` and value `{4}` deleted", logExpressions = {"${message.key}", "${message.id}", "${message.language}", "${message.region}", "${message.value}"})
 @Audit(action = Action.CREATE, logStatement = "Message with key `{0}` and ID `{1}` created", logExpressions = {"${message.key}", "${message.id}"})
-@ReadPermission(expression = "Prefab.Role.All")
+@ReadPermission(expression = Prefab.ALL)
 @EntityListeners(MessageReloadListener.class)
 @Type(Message.TYPE_NAME)
 public class Message {
diff --git a/src/main/java/com/faforever/api/data/domain/ModVersion.java b/src/main/java/com/faforever/api/data/domain/ModVersion.java
index ded0ad323..4881b2afc 100644
--- a/src/main/java/com/faforever/api/data/domain/ModVersion.java
+++ b/src/main/java/com/faforever/api/data/domain/ModVersion.java
@@ -1,5 +1,6 @@
 package com.faforever.api.data.domain;
 
+import com.faforever.api.data.checks.Prefab;
 import com.faforever.api.data.checks.permission.IsModerator;
 import com.faforever.api.data.listeners.ModVersionEnricher;
 import com.yahoo.elide.annotation.Audit;
@@ -137,13 +138,13 @@ public String getDownloadUrl() {
   }
 
   @OneToMany(mappedBy = "modVersion")
-  @UpdatePermission(expression = "Prefab.Role.All")
+  @UpdatePermission(expression = Prefab.ALL)
   public List<ModVersionReview> getReviews() {
     return reviews;
   }
 
   @OneToOne(mappedBy = "modVersion")
-  @UpdatePermission(expression = "Prefab.Role.All")
+  @UpdatePermission(expression = Prefab.ALL)
   public ModVersionReviewsSummary getReviewsSummary() {
     return reviewsSummary;
   }
diff --git a/src/main/java/com/faforever/api/data/domain/ModVersionReview.java b/src/main/java/com/faforever/api/data/domain/ModVersionReview.java
index 8acd67b04..a843853df 100644
--- a/src/main/java/com/faforever/api/data/domain/ModVersionReview.java
+++ b/src/main/java/com/faforever/api/data/domain/ModVersionReview.java
@@ -1,6 +1,7 @@
 package com.faforever.api.data.domain;
 
 import com.faforever.api.data.checks.IsEntityOwner;
+import com.faforever.api.data.checks.Prefab;
 import com.yahoo.elide.annotation.CreatePermission;
 import com.yahoo.elide.annotation.DeletePermission;
 import com.yahoo.elide.annotation.Include;
@@ -17,7 +18,7 @@
 @Include(rootLevel = true, type = "modVersionReview")
 @Entity
 @Table(name = "mod_version_review")
-@CreatePermission(expression = "Prefab.Role.All")
+@CreatePermission(expression = Prefab.ALL)
 @DeletePermission(expression = IsEntityOwner.EXPRESSION)
 public class ModVersionReview extends Review {
 
@@ -25,7 +26,7 @@ public class ModVersionReview extends Review {
 
   @ManyToOne(fetch = FetchType.LAZY)
   @JoinColumn(name = "mod_version_id")
-  @UpdatePermission(expression = "Prefab.Role.All and Prefab.Common.UpdateOnCreate")
+  @UpdatePermission(expression = Prefab.ALL_AND_UPDATE_ON_CREATE)
   public ModVersion getModVersion() {
     return modVersion;
   }
diff --git a/src/main/java/com/faforever/api/data/domain/NameRecord.java b/src/main/java/com/faforever/api/data/domain/NameRecord.java
index 91fe101aa..c44006fcc 100644
--- a/src/main/java/com/faforever/api/data/domain/NameRecord.java
+++ b/src/main/java/com/faforever/api/data/domain/NameRecord.java
@@ -1,5 +1,6 @@
 package com.faforever.api.data.domain;
 
+import com.faforever.api.data.checks.Prefab;
 import com.yahoo.elide.annotation.DeletePermission;
 import com.yahoo.elide.annotation.Include;
 import com.yahoo.elide.annotation.UpdatePermission;
@@ -18,8 +19,8 @@
 @Entity
 @Table(name = "name_history")
 @Include(rootLevel = true, type = "nameRecord")
-@DeletePermission(expression = "Prefab.Role.None")
-@UpdatePermission(expression = "Prefab.Role.None")
+@DeletePermission(expression = Prefab.NONE)
+@UpdatePermission(expression = Prefab.NONE)
 @Setter
 public class NameRecord {
   private int id;
diff --git a/src/main/java/com/faforever/api/data/domain/Review.java b/src/main/java/com/faforever/api/data/domain/Review.java
index 65f1689c7..52046e257 100644
--- a/src/main/java/com/faforever/api/data/domain/Review.java
+++ b/src/main/java/com/faforever/api/data/domain/Review.java
@@ -1,6 +1,7 @@
 package com.faforever.api.data.domain;
 
 import com.faforever.api.data.checks.IsEntityOwner;
+import com.faforever.api.data.checks.Prefab;
 import com.yahoo.elide.annotation.UpdatePermission;
 import lombok.Setter;
 
@@ -36,7 +37,7 @@ public Byte getScore() {
 
   @ManyToOne(fetch = FetchType.LAZY)
   @JoinColumn(name = "user_id")
-  @UpdatePermission(expression = "Prefab.Role.All and Prefab.Common.UpdateOnCreate")
+  @UpdatePermission(expression = Prefab.ALL_AND_UPDATE_ON_CREATE)
   public Player getPlayer() {
     return player;
   }
diff --git a/src/main/java/com/faforever/api/data/package-info.java b/src/main/java/com/faforever/api/data/package-info.java
index 530493b6a..fb987542c 100644
--- a/src/main/java/com/faforever/api/data/package-info.java
+++ b/src/main/java/com/faforever/api/data/package-info.java
@@ -3,13 +3,14 @@
  */
 @SharePermission
 // Everybody can read from the api
-@ReadPermission(expression = "Prefab.Role.All")
+@ReadPermission(expression = Prefab.ALL)
 // By default restrict all data manipulation operation
-@UpdatePermission(expression = "Prefab.Role.None")
-@CreatePermission(expression = "Prefab.Role.None")
-@DeletePermission(expression = "Prefab.Role.None")
+@UpdatePermission(expression = Prefab.NONE)
+@CreatePermission(expression = Prefab.NONE)
+@DeletePermission(expression = Prefab.NONE)
 package com.faforever.api.data;
 
+import com.faforever.api.data.checks.Prefab;
 import com.yahoo.elide.annotation.CreatePermission;
 import com.yahoo.elide.annotation.DeletePermission;
 import com.yahoo.elide.annotation.ReadPermission;

From 0936e7a2234179cf176630556e2c58fb861ff4d7 Mon Sep 17 00:00:00 2001
From: Brutus5000 <Brutus5000@gmx.net>
Date: Mon, 23 Sep 2019 23:16:14 +0200
Subject: [PATCH 4/5] Replace moderator permission with dedicated Map / Mod
 permissions

---
 .../api/data/MapVersionElideTest.java         |  57 ++++++--
 .../api/data/ModVersionElideTest.java         | 127 ++++++++++++++++++
 src/inttest/resources/config/application.yml  |   3 +
 src/inttest/resources/sql/prepModData.sql     |  13 ++
 .../api/config/elide/ElideConfig.java         |   4 +
 .../com/faforever/api/data/domain/Map.java    |  30 +----
 .../faforever/api/data/domain/MapVersion.java |  10 +-
 .../com/faforever/api/data/domain/Mod.java    |  34 ++---
 .../faforever/api/data/domain/ModVersion.java |  38 ++----
 9 files changed, 222 insertions(+), 94 deletions(-)
 create mode 100644 src/inttest/java/com/faforever/api/data/ModVersionElideTest.java
 create mode 100644 src/inttest/resources/sql/prepModData.sql

diff --git a/src/inttest/java/com/faforever/api/data/MapVersionElideTest.java b/src/inttest/java/com/faforever/api/data/MapVersionElideTest.java
index 97772d4f2..b6a04c8c9 100644
--- a/src/inttest/java/com/faforever/api/data/MapVersionElideTest.java
+++ b/src/inttest/java/com/faforever/api/data/MapVersionElideTest.java
@@ -1,13 +1,18 @@
 package com.faforever.api.data;
 
 import com.faforever.api.AbstractIntegrationTest;
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
 import org.junit.Test;
 import org.springframework.http.HttpHeaders;
 import org.springframework.security.test.context.support.WithUserDetails;
 import org.springframework.test.context.jdbc.Sql;
 import org.springframework.test.context.jdbc.Sql.ExecutionPhase;
 
+import static org.hamcrest.Matchers.hasSize;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.patch;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 @Sql(executionPhase = ExecutionPhase.BEFORE_TEST_METHOD, scripts = "classpath:sql/prepDefaultUser.sql")
@@ -53,43 +58,73 @@ public class MapVersionElideTest extends AbstractIntegrationTest {
     "}";
 
 
-  @WithUserDetails(AUTH_USER)
   @Test
-  public void testUpdateHideToTrueDoesWork() throws Exception {
+  public void canReadMapVersionWithoutScopeAndRole() throws Exception {
+    mockMvc.perform(get("/data/mapVersion")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES)))
+      .andExpect(status().isOk())
+      .andExpect(jsonPath("$.data", hasSize(1)));
+  }
+
+  @Test
+  public void canUpdateMapVersionWithScopeAndRole() throws Exception {
     mockMvc.perform(
       patch("/data/mapVersion/1")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
-        .content(MAP_VERSION_HIDE_TRUE_ID_1))
+        .with(getOAuthTokenWithTestUser(OAuthScope._MANAGE_VAULT, GroupPermission.ROLE_ADMIN_MAP))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        // update hidden to false requires the extender permission, thus we test it here for the success case
+        .content(MAP_VERSION_HIDE_FALSE_ID_1))
       .andExpect(status().isNoContent());
   }
 
+  @Test
+  public void cannotUpdateMapVersionWithoutScope() throws Exception {
+    mockMvc.perform(
+      patch("/data/mapVersion/1")
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_ADMIN_MAP))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        // update hidden to true is less restricted, thus we test it here for the failing case
+        .content(MAP_VERSION_HIDE_TRUE_ID_1))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void cannotUpdateMapVersionWithoutRole() throws Exception {
+    mockMvc.perform(
+      patch("/data/mapVersion/1")
+        .with(getOAuthTokenWithTestUser(OAuthScope._MANAGE_VAULT, NO_AUTHORITIES))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        // update hidden to true is less restricted, thus we test it here for the failing case
+        .content(MAP_VERSION_HIDE_TRUE_ID_1))
+      .andExpect(status().isForbidden());
+  }
+
   @WithUserDetails(AUTH_USER)
   @Test
-  public void testUpdateHideToFalseDoesNotWork() throws Exception {
+  public void cannotUpdateHideToFalseAsEntityOwner() throws Exception {
     mockMvc.perform(
       patch("/data/mapVersion/1")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
         .content(MAP_VERSION_HIDE_FALSE_ID_1))
       .andExpect(status().isForbidden());
   }
 
-
   @WithUserDetails(AUTH_USER)
   @Test
-  public void testUpdateRankedToFalseDoesWork() throws Exception {
+  public void canUpdateRankedToFalseAsEntityOwner() throws Exception {
     mockMvc.perform(
       patch("/data/mapVersion/1")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
         .content(MAP_VERSION_RANKED_FALSE_ID_1))
       .andExpect(status().isNoContent());
   }
 
   @WithUserDetails(AUTH_USER)
   @Test
-  public void testUpdateRankedToTrueDoesNotWork() throws Exception {
+  public void cannotUpdateRankedToTrueAsEntityOwner() throws Exception {
     mockMvc.perform(
       patch("/data/mapVersion/1")
-        .header(HttpHeaders.CONTENT_TYPE, JsonApiMediaType.JSON_API_MEDIA_TYPE)
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
         .content(MAP_VERSION_RANKED_TRUE_ID_1))
       .andExpect(status().isForbidden());
   }
diff --git a/src/inttest/java/com/faforever/api/data/ModVersionElideTest.java b/src/inttest/java/com/faforever/api/data/ModVersionElideTest.java
new file mode 100644
index 000000000..0ac0a9884
--- /dev/null
+++ b/src/inttest/java/com/faforever/api/data/ModVersionElideTest.java
@@ -0,0 +1,127 @@
+package com.faforever.api.data;
+
+import com.faforever.api.AbstractIntegrationTest;
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
+import org.junit.Test;
+import org.springframework.http.HttpHeaders;
+import org.springframework.security.test.context.support.WithUserDetails;
+import org.springframework.test.context.jdbc.Sql;
+import org.springframework.test.context.jdbc.Sql.ExecutionPhase;
+
+import static org.hamcrest.Matchers.hasSize;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.patch;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@Sql(executionPhase = ExecutionPhase.BEFORE_TEST_METHOD, scripts = "classpath:sql/prepDefaultUser.sql")
+@Sql(executionPhase = ExecutionPhase.BEFORE_TEST_METHOD, scripts = "classpath:sql/prepModData.sql")
+public class ModVersionElideTest extends AbstractIntegrationTest {
+
+  private static final String MOD_VERSION_HIDE_FALSE_ID_1 = "{\n" +
+    "  \"data\": {\n" +
+    "    \"type\": \"modVersion\",\n" +
+    "    \"id\": \"1\",\n" +
+    "    \"attributes\": {\n" +
+    "    \t\"hidden\": false\n" +
+    "    }\n" +
+    "  } \n" +
+    "}";
+  private static final String MOD_VERSION_HIDE_TRUE_ID_1 = "{\n" +
+    "  \"data\": {\n" +
+    "    \"type\": \"modVersion\",\n" +
+    "    \"id\": \"1\",\n" +
+    "    \"attributes\": {\n" +
+    "    \t\"hidden\": true\n" +
+    "    }\n" +
+    "  } \n" +
+    "}";
+  private static final String MOD_VERSION_RANKED_FALSE_ID_1 = "{\n" +
+    "  \"data\": {\n" +
+    "    \"type\": \"modVersion\",\n" +
+    "    \"id\": \"1\",\n" +
+    "    \"attributes\": {\n" +
+    "    \t\"ranked\": false\n" +
+    "    }\n" +
+    "  } \n" +
+    "}";
+  private static final String MOD_VERSION_RANKED_TRUE_ID_1 = "{\n" +
+    "  \"data\": {\n" +
+    "    \"type\": \"modVersion\",\n" +
+    "    \"id\": \"1\",\n" +
+    "    \"attributes\": {\n" +
+    "    \t\"ranked\": true\n" +
+    "    }\n" +
+    "  } \n" +
+    "}";
+
+
+  @Test
+  public void canReadModVersionWithoutScopeAndRole() throws Exception {
+    mockMvc.perform(get("/data/modVersion")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES)))
+      .andExpect(status().isOk())
+      .andExpect(jsonPath("$.data", hasSize(2)));
+  }
+
+  @Test
+  public void canUpdateModVersionWithScopeAndRole() throws Exception {
+    mockMvc.perform(
+      patch("/data/modVersion/1")
+        .with(getOAuthTokenWithTestUser(OAuthScope._MANAGE_VAULT, GroupPermission.ROLE_ADMIN_MOD))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(MOD_VERSION_HIDE_FALSE_ID_1))
+      .andExpect(status().isNoContent());
+  }
+
+  @Test
+  public void cannotModVersionBanWithoutScope() throws Exception {
+    mockMvc.perform(
+      patch("/data/modVersion/1")
+        .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_ADMIN_MOD))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(MOD_VERSION_HIDE_FALSE_ID_1))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void cannotModVersionBanWithoutRole() throws Exception {
+    mockMvc.perform(
+      patch("/data/modVersion/1")
+        .with(getOAuthTokenWithTestUser(OAuthScope._MANAGE_VAULT, NO_AUTHORITIES))
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(MOD_VERSION_HIDE_TRUE_ID_1))
+      .andExpect(status().isForbidden());
+  }
+
+  @WithUserDetails(AUTH_USER)
+  @Test
+  public void cannotUpdateHideToFalseAsEntityOwner() throws Exception {
+    mockMvc.perform(
+      patch("/data/modVersion/1")
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(MOD_VERSION_HIDE_FALSE_ID_1))
+      .andExpect(status().isForbidden());
+  }
+
+  @WithUserDetails(AUTH_USER)
+  @Test
+  public void cannotUpdateRankedToFalseAsEntityOwner() throws Exception {
+    mockMvc.perform(
+      patch("/data/modVersion/1")
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(MOD_VERSION_RANKED_FALSE_ID_1))
+      .andExpect(status().isForbidden());
+  }
+
+  @WithUserDetails(AUTH_USER)
+  @Test
+  public void cannotUpdateRankedToTrueAsEntityOwner() throws Exception {
+    mockMvc.perform(
+      patch("/data/modVersion/1")
+        .header(HttpHeaders.CONTENT_TYPE, DataController.JSON_API_MEDIA_TYPE)
+        .content(MOD_VERSION_RANKED_TRUE_ID_1))
+      .andExpect(status().isForbidden());
+  }
+}
diff --git a/src/inttest/resources/config/application.yml b/src/inttest/resources/config/application.yml
index 2cb9f847c..4a877015b 100644
--- a/src/inttest/resources/config/application.yml
+++ b/src/inttest/resources/config/application.yml
@@ -46,6 +46,9 @@ faf-api:
   mail:
     from-email-name: "integration-test@faforever.com"
     from-email-address: "integration-test@faforever.com"
+  mod:
+    download-url-format: "http://localhost/mod/download-url/%s"
+    preview-url-format: "http://localhost/mod/preview-url/%s"
   password-reset:
     password-reset-url-format: "http://localhost:8010/users/claimPasswordResetToken/%s"
     success-redirect-url: "http://localhost/password_resetted"
diff --git a/src/inttest/resources/sql/prepModData.sql b/src/inttest/resources/sql/prepModData.sql
new file mode 100644
index 000000000..81622a434
--- /dev/null
+++ b/src/inttest/resources/sql/prepModData.sql
@@ -0,0 +1,13 @@
+DELETE
+FROM mod_version;
+DELETE
+FROM `mod`;
+
+INSERT INTO `mod` (id, display_name, author, uploader)
+VALUES (1, 'MOD_001', 'some Author', 1),
+       (2, 'MOD_002', 'some Author', 1);
+
+INSERT INTO mod_version (id, description, type, uid, version, filename, hidden, mod_id)
+VALUES (1, 'SCMP 001', 'SIM', '11111111-1111-1111-1111-111111111111', 1, 'maps/scmp_001.v0001.zip', false, 1),
+       (2, 'SCMP 002', 'SIM', '22222222-2222-2222-2222-222222222222', 1, 'maps/scmp_002.v0001.zip', false, 2);
+
diff --git a/src/main/java/com/faforever/api/config/elide/ElideConfig.java b/src/main/java/com/faforever/api/config/elide/ElideConfig.java
index d472a4fa4..0f36ed5e4 100644
--- a/src/main/java/com/faforever/api/config/elide/ElideConfig.java
+++ b/src/main/java/com/faforever/api/config/elide/ElideConfig.java
@@ -9,6 +9,8 @@
 import com.faforever.api.security.ExtendedAuditLogger;
 import com.faforever.api.security.elide.permission.AdminAccountBanCheck;
 import com.faforever.api.security.elide.permission.AdminAccountNoteCheck;
+import com.faforever.api.security.elide.permission.AdminMapCheck;
+import com.faforever.api.security.elide.permission.AdminModCheck;
 import com.faforever.api.security.elide.permission.AdminModerationReportCheck;
 import com.faforever.api.security.elide.permission.AdminVoteCheck;
 import com.faforever.api.security.elide.permission.ReadAccountPrivateDetailsCheck;
@@ -117,6 +119,8 @@ public EntityDictionary entityDictionary() {
     checks.put(WriteTutorialCheck.EXPRESSION, WriteTutorialCheck.class);
     checks.put(WriteEmailDomainBanCheck.EXPRESSION, WriteEmailDomainBanCheck.class);
     checks.put(WriteAvatarCheck.EXPRESSION, WriteAvatarCheck.class);
+    checks.put(AdminMapCheck.EXPRESSION, AdminMapCheck.class);
+    checks.put(AdminModCheck.EXPRESSION, AdminModCheck.class);
 
     return new EntityDictionary(checks);
   }
diff --git a/src/main/java/com/faforever/api/data/domain/Map.java b/src/main/java/com/faforever/api/data/domain/Map.java
index de3c629db..eb3b821d1 100644
--- a/src/main/java/com/faforever/api/data/domain/Map.java
+++ b/src/main/java/com/faforever/api/data/domain/Map.java
@@ -4,7 +4,6 @@
 import com.yahoo.elide.annotation.Include;
 import lombok.Setter;
 import org.hibernate.annotations.BatchSize;
-import org.hibernate.annotations.Formula;
 import org.hibernate.annotations.Immutable;
 import org.hibernate.annotations.JoinColumnOrFormula;
 import org.hibernate.annotations.JoinColumnsOrFormulas;
@@ -17,18 +16,15 @@
 import javax.persistence.Entity;
 import javax.persistence.EntityListeners;
 import javax.persistence.FetchType;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
 import javax.persistence.JoinColumn;
 import javax.persistence.ManyToOne;
 import javax.persistence.OneToMany;
 import javax.persistence.OneToOne;
 import javax.persistence.Table;
+import javax.persistence.Transient;
 import javax.validation.Valid;
 import javax.validation.constraints.NotNull;
 import javax.validation.constraints.Size;
-import java.time.OffsetDateTime;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -38,16 +34,13 @@
 @Include(rootLevel = true, type = Map.TYPE_NAME)
 @Immutable
 @EntityListeners(MapChangeListener.class)
-public class Map {
+public class Map extends AbstractEntity implements OwnableEntity {
 
   public static final String TYPE_NAME = "map";
 
-  private int id;
   private String displayName;
   private String mapType;
   private String battleType;
-  private OffsetDateTime updateTime;
-  private OffsetDateTime createTime;
   private List<MapVersion> versions = new ArrayList<>();
   private Player author;
   private MapStatistics statistics;
@@ -55,13 +48,6 @@ public class Map {
   private int numberOfReviews;
   private float averageReviewScore;
 
-  @Id
-  @GeneratedValue(strategy = GenerationType.IDENTITY)
-  @Column(name = "id")
-  public int getId() {
-    return id;
-  }
-
   @Column(name = "display_name", unique = true)
   @Size(max = 100)
   @NotNull
@@ -81,11 +67,6 @@ public String getBattleType() {
     return battleType;
   }
 
-  @Column(name = "create_time")
-  public OffsetDateTime getCreateTime() {
-    return createTime;
-  }
-
   @Column(name = "reviews")
   public int getNumberOfReviews() {
     return numberOfReviews;
@@ -130,8 +111,9 @@ public MapVersion getLatestVersion() {
     return latestVersion;
   }
 
-  @Formula(value = "(SELECT MAX(map_version.update_time) FROM map_version WHERE map_version.map_id = id)")
-  public OffsetDateTime getUpdateTime() {
-    return updateTime;
+  @Transient
+  @Override
+  public Login getEntityOwner() {
+    return author;
   }
 }
diff --git a/src/main/java/com/faforever/api/data/domain/MapVersion.java b/src/main/java/com/faforever/api/data/domain/MapVersion.java
index 7bb1c9116..7eb7c1a8b 100644
--- a/src/main/java/com/faforever/api/data/domain/MapVersion.java
+++ b/src/main/java/com/faforever/api/data/domain/MapVersion.java
@@ -3,8 +3,8 @@
 import com.faforever.api.data.checks.BooleanChange;
 import com.faforever.api.data.checks.IsEntityOwner;
 import com.faforever.api.data.checks.Prefab;
-import com.faforever.api.data.checks.permission.IsModerator;
 import com.faforever.api.data.listeners.MapVersionEnricher;
+import com.faforever.api.security.elide.permission.AdminMapCheck;
 import com.yahoo.elide.annotation.Audit;
 import com.yahoo.elide.annotation.Audit.Action;
 import com.yahoo.elide.annotation.ComputedAttribute;
@@ -53,7 +53,7 @@ public class MapVersion extends AbstractEntity implements OwnableEntity {
   private MapVersionReviewsSummary reviewsSummary;
   private Ladder1v1Map ladder1v1Map;
 
-  @UpdatePermission(expression = IsEntityOwner.EXPRESSION + " or " + IsModerator.EXPRESSION)
+  @UpdatePermission(expression = IsEntityOwner.EXPRESSION + " or " + AdminMapCheck.EXPRESSION)
   @Column(name = "description")
   public String getDescription() {
     return description;
@@ -89,14 +89,14 @@ public String getFilename() {
     return filename;
   }
 
-  @UpdatePermission(expression = IsModerator.EXPRESSION + " or (" + IsEntityOwner.EXPRESSION + " and " + BooleanChange.TO_FALSE_EXPRESSION + ")")
+  @UpdatePermission(expression = AdminMapCheck.EXPRESSION + " or (" + IsEntityOwner.EXPRESSION + " and " + BooleanChange.TO_FALSE_EXPRESSION + ")")
   @Audit(action = Action.UPDATE, logStatement = "Updated map version `{0}` attribute ranked to: {1}", logExpressions = {"${mapVersion.id}", "${mapVersion.ranked}"})
   @Column(name = "ranked")
   public boolean isRanked() {
     return ranked;
   }
 
-  @UpdatePermission(expression = IsModerator.EXPRESSION + " or (" + IsEntityOwner.EXPRESSION + " and " + BooleanChange.TO_TRUE_EXPRESSION + ")")
+  @UpdatePermission(expression = AdminMapCheck.EXPRESSION + " or (" + IsEntityOwner.EXPRESSION + " and " + BooleanChange.TO_TRUE_EXPRESSION + ")")
   @Audit(action = Action.UPDATE, logStatement = "Updated map version `{0}` attribute hidden to: {1}", logExpressions = {"${mapVersion.id}", "${mapVersion.hidden}"})
   @Column(name = "hidden")
   public boolean isHidden() {
@@ -155,6 +155,6 @@ public MapVersionReviewsSummary getReviewsSummary() {
   @Transient
   @Override
   public Login getEntityOwner() {
-    return map.getAuthor();
+    return map.getEntityOwner();
   }
 }
diff --git a/src/main/java/com/faforever/api/data/domain/Mod.java b/src/main/java/com/faforever/api/data/domain/Mod.java
index b48704107..c287c194d 100644
--- a/src/main/java/com/faforever/api/data/domain/Mod.java
+++ b/src/main/java/com/faforever/api/data/domain/Mod.java
@@ -2,7 +2,6 @@
 
 import com.yahoo.elide.annotation.Include;
 import lombok.Setter;
-import org.hibernate.annotations.Formula;
 import org.hibernate.annotations.Immutable;
 import org.hibernate.annotations.JoinColumnOrFormula;
 import org.hibernate.annotations.JoinColumnsOrFormulas;
@@ -12,17 +11,14 @@
 import javax.persistence.CascadeType;
 import javax.persistence.Column;
 import javax.persistence.Entity;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
 import javax.persistence.JoinColumn;
 import javax.persistence.ManyToOne;
 import javax.persistence.OneToMany;
 import javax.persistence.Table;
+import javax.persistence.Transient;
 import javax.validation.Valid;
 import javax.validation.constraints.NotNull;
 import javax.validation.constraints.Size;
-import java.time.OffsetDateTime;
 import java.util.List;
 
 @Entity
@@ -30,28 +26,18 @@
 @Include(rootLevel = true, type = Mod.TYPE_NAME)
 @Immutable
 @Setter
-public class Mod {
+public class Mod extends AbstractEntity implements OwnableEntity {
 
   public static final String TYPE_NAME = "mod";
 
-  private Integer id;
   private String displayName;
   private String author;
-  private OffsetDateTime createTime;
-  private OffsetDateTime updateTime;
   private List<ModVersion> versions;
   private ModVersion latestVersion;
   private Player uploader;
   private int numberOfReviews;
   private float averageReviewScore;
 
-  @Id
-  @Column(name = "id")
-  @GeneratedValue(strategy = GenerationType.IDENTITY)
-  public Integer getId() {
-    return id;
-  }
-
   @Column(name = "display_name")
   @Size(max = 100)
   @NotNull
@@ -82,16 +68,6 @@ public Player getUploader() {
     return uploader;
   }
 
-  @Column(name = "create_time")
-  public OffsetDateTime getCreateTime() {
-    return createTime;
-  }
-
-  @Formula(value = "(SELECT MAX(mod_version.update_time) FROM mod_version WHERE mod_version.mod_id = id)")
-  public OffsetDateTime getUpdateTime() {
-    return updateTime;
-  }
-
   @OneToMany(mappedBy = "mod", cascade = CascadeType.ALL, orphanRemoval = true)
   @NotEmpty
   @Valid
@@ -110,4 +86,10 @@ public List<ModVersion> getVersions() {
   public ModVersion getLatestVersion() {
     return latestVersion;
   }
+
+  @Transient
+  @Override
+  public Login getEntityOwner() {
+    return uploader;
+  }
 }
diff --git a/src/main/java/com/faforever/api/data/domain/ModVersion.java b/src/main/java/com/faforever/api/data/domain/ModVersion.java
index 4881b2afc..fde29702d 100644
--- a/src/main/java/com/faforever/api/data/domain/ModVersion.java
+++ b/src/main/java/com/faforever/api/data/domain/ModVersion.java
@@ -1,8 +1,8 @@
 package com.faforever.api.data.domain;
 
 import com.faforever.api.data.checks.Prefab;
-import com.faforever.api.data.checks.permission.IsModerator;
 import com.faforever.api.data.listeners.ModVersionEnricher;
+import com.faforever.api.security.elide.permission.AdminModCheck;
 import com.yahoo.elide.annotation.Audit;
 import com.yahoo.elide.annotation.Audit.Action;
 import com.yahoo.elide.annotation.ComputedAttribute;
@@ -17,16 +17,12 @@
 import javax.persistence.EnumType;
 import javax.persistence.Enumerated;
 import javax.persistence.FetchType;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
 import javax.persistence.JoinColumn;
 import javax.persistence.ManyToOne;
 import javax.persistence.OneToMany;
 import javax.persistence.OneToOne;
 import javax.persistence.Table;
 import javax.persistence.Transient;
-import java.time.OffsetDateTime;
 import java.util.List;
 
 @Entity
@@ -34,11 +30,10 @@
 @Include(rootLevel = true, type = ModVersion.TYPE_NAME)
 @Setter
 @EntityListeners(ModVersionEnricher.class)
-public class ModVersion {
+public class ModVersion extends AbstractEntity implements OwnableEntity {
 
   public static final String TYPE_NAME = "modVersion";
 
-  private Integer id;
   private String uid;
   private ModType type;
   private String description;
@@ -47,21 +42,12 @@ public class ModVersion {
   private String icon;
   private boolean ranked;
   private boolean hidden;
-  private OffsetDateTime createTime;
-  private OffsetDateTime updateTime;
   private Mod mod;
   private String thumbnailUrl;
   private String downloadUrl;
   private List<ModVersionReview> reviews;
   private ModVersionReviewsSummary reviewsSummary;
 
-  @Id
-  @Column(name = "id")
-  @GeneratedValue(strategy = GenerationType.IDENTITY)
-  public Integer getId() {
-    return id;
-  }
-
   @Column(name = "uid")
   public String getUid() {
     return uid;
@@ -95,30 +81,20 @@ public String getIcon() {
     return icon;
   }
 
-  @UpdatePermission(expression = IsModerator.EXPRESSION)
+  @UpdatePermission(expression = AdminModCheck.EXPRESSION)
   @Audit(action = Action.UPDATE, logStatement = "Updated mod version `{0}` attribute ranked to: {1}", logExpressions = {"${modVersion.id}", "${modVersion.ranked}"})
   @Column(name = "ranked")
   public boolean isRanked() {
     return ranked;
   }
 
-  @UpdatePermission(expression = IsModerator.EXPRESSION)
+  @UpdatePermission(expression = AdminModCheck.EXPRESSION)
   @Audit(action = Action.UPDATE, logStatement = "Updated mod version `{0}` attribute hidden to: {1}", logExpressions = {"${modVersion.id}", "${modVersion.hidden}"})
   @Column(name = "hidden")
   public boolean isHidden() {
     return hidden;
   }
 
-  @Column(name = "create_time")
-  public OffsetDateTime getCreateTime() {
-    return createTime;
-  }
-
-  @Column(name = "update_time")
-  public OffsetDateTime getUpdateTime() {
-    return updateTime;
-  }
-
   @ManyToOne(fetch = FetchType.LAZY)
   @JoinColumn(name = "mod_id")
   public Mod getMod() {
@@ -148,4 +124,10 @@ public List<ModVersionReview> getReviews() {
   public ModVersionReviewsSummary getReviewsSummary() {
     return reviewsSummary;
   }
+
+  @Transient
+  @Override
+  public Login getEntityOwner() {
+    return mod.getEntityOwner();
+  }
 }

From f3684fcf8d3674253298ef9172d2e02a795a5b86 Mon Sep 17 00:00:00 2001
From: Brutus5000 <Brutus5000@gmx.net>
Date: Tue, 24 Sep 2019 08:01:38 +0200
Subject: [PATCH 5/5] Implement summarizing /me payload (replaces redirect)

---
 .../faforever/api/clan/result/ClanResult.java |  2 +-
 .../api/clan/result/PlayerResult.java         |  2 +-
 .../api/data/domain/AbstractEntity.java       |  4 +-
 .../com/faforever/api/user/MeController.java  | 86 +++++++++++++++----
 .../api/web/JsonApiResourceObject.java        |  9 ++
 .../api/web/JsonApiResourceObjectProxy.java   | 27 ++++++
 .../api/web/JsonApiSingleResource.java        | 19 ++++
 7 files changed, 129 insertions(+), 20 deletions(-)
 create mode 100644 src/main/java/com/faforever/api/web/JsonApiResourceObject.java
 create mode 100644 src/main/java/com/faforever/api/web/JsonApiResourceObjectProxy.java
 create mode 100644 src/main/java/com/faforever/api/web/JsonApiSingleResource.java

diff --git a/src/main/java/com/faforever/api/clan/result/ClanResult.java b/src/main/java/com/faforever/api/clan/result/ClanResult.java
index 693faa8d8..5d5fc8618 100644
--- a/src/main/java/com/faforever/api/clan/result/ClanResult.java
+++ b/src/main/java/com/faforever/api/clan/result/ClanResult.java
@@ -5,7 +5,7 @@
 
 @Data
 public class ClanResult {
-  private final int id;
+  private final Integer id;
   private final String tag;
   private final String name;
 
diff --git a/src/main/java/com/faforever/api/clan/result/PlayerResult.java b/src/main/java/com/faforever/api/clan/result/PlayerResult.java
index fa4d4cfb5..8328d73e8 100644
--- a/src/main/java/com/faforever/api/clan/result/PlayerResult.java
+++ b/src/main/java/com/faforever/api/clan/result/PlayerResult.java
@@ -5,7 +5,7 @@
 
 @Data
 public class PlayerResult {
-  private final int id;
+  private final Integer id;
   private final String login;
 
   public static PlayerResult of(Player newMember) {
diff --git a/src/main/java/com/faforever/api/data/domain/AbstractEntity.java b/src/main/java/com/faforever/api/data/domain/AbstractEntity.java
index d3b58325e..82979700b 100644
--- a/src/main/java/com/faforever/api/data/domain/AbstractEntity.java
+++ b/src/main/java/com/faforever/api/data/domain/AbstractEntity.java
@@ -14,14 +14,14 @@
 @Setter
 @EqualsAndHashCode(of = "id")
 public abstract class AbstractEntity {
-  protected int id;
+  protected Integer id;
   protected OffsetDateTime createTime;
   protected OffsetDateTime updateTime;
 
   @Id
   @GeneratedValue(strategy = GenerationType.IDENTITY)
   @Column(name = "id")
-  public int getId() {
+  public Integer getId() {
     return id;
   }
 
diff --git a/src/main/java/com/faforever/api/user/MeController.java b/src/main/java/com/faforever/api/user/MeController.java
index 48ac39826..92a45fd48 100644
--- a/src/main/java/com/faforever/api/user/MeController.java
+++ b/src/main/java/com/faforever/api/user/MeController.java
@@ -1,37 +1,91 @@
 package com.faforever.api.user;
 
+import com.faforever.api.data.domain.Player;
+import com.faforever.api.data.domain.UserGroup;
+import com.faforever.api.player.PlayerService;
 import com.faforever.api.security.FafUserDetails;
+import com.faforever.api.web.JsonApiSingleResource;
 import io.swagger.annotations.ApiOperation;
 import io.swagger.annotations.ApiResponse;
-import io.swagger.annotations.ApiResponses;
+import lombok.Builder;
+import lombok.Value;
 import org.springframework.security.access.annotation.Secured;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.util.Objects;
+import java.util.Set;
+import java.util.stream.Collectors;
 
 /**
  * Provides the route {@code /me} which returns the currently logged in user's information.
  */
 @RestController
 public class MeController {
+  private final PlayerService playerService;
+
+  public MeController(PlayerService playerService) {
+    this.playerService = playerService;
+  }
 
   @RequestMapping(method = RequestMethod.GET, value = "/me")
-  @ApiOperation(value = "Returns the authentication object of the current user")
-  @ApiResponses(value = {
-    @ApiResponse(code = 200, message = "Success with JSON { id: ?, type: 'player'}"),
-    @ApiResponse(code = 400, message = "Bad Request")})
-  @Secured({"ROLE_USER"})
-  public void me(HttpServletRequest request,
-                 HttpServletResponse response,
-                 @AuthenticationPrincipal FafUserDetails authentication) throws IOException {
-    // TODO: Find a better way to call elide player route
-
-    response.sendRedirect(String.format("/data/player/%d?%s", authentication.getId(), Objects.toString(request.getQueryString(), "")));
+  @ApiOperation("Returns the authentication object of the current user")
+  @ApiResponse(code = 200, message = "Success with JsonApi compliant MeResult")
+  @Secured("ROLE_USER")
+  public JsonApiSingleResource<MeResult> me(@AuthenticationPrincipal FafUserDetails authentication) {
+
+    Player player = playerService.getById(authentication.getId());
+    Set<String> grantedAuthorities = authentication.getAuthorities().stream()
+      .map(GrantedAuthority::getAuthority)
+      .collect(Collectors.toSet());
+
+    Set<String> groups = player.getUserGroups().stream()
+      .map(UserGroup::getTechnicalName)
+      .collect(Collectors.toSet());
+
+    return MeResult.builder()
+      .userId(player.getId())
+      .userName(player.getLogin())
+      .email(player.getEmail())
+      .clan(player.getClan() == null ? null : Clan.builder()
+        .id(player.getClan().getId())
+        .tag(player.getClan().getTag())
+        .name(player.getClan().getName())
+        .build()
+      )
+      .groups(groups)
+      .permissions(grantedAuthorities)
+      .build()
+      .asJsonApi();
+  }
+
+  @Value
+  @Builder
+  public static class MeResult {
+    Integer userId;
+    String userName;
+    String email;
+    Clan clan;
+    Set<String> groups;
+    Set<String> permissions;
+
+    @SuppressWarnings("unchecked")
+    JsonApiSingleResource<MeResult> asJsonApi() {
+      return JsonApiSingleResource.ofProxy(
+        () -> "me",
+        () -> "me",
+        () -> this
+      );
+    }
+  }
+
+  @Value
+  @Builder
+  public static class Clan {
+    Integer id;
+    String tag;
+    String name;
   }
 }
diff --git a/src/main/java/com/faforever/api/web/JsonApiResourceObject.java b/src/main/java/com/faforever/api/web/JsonApiResourceObject.java
new file mode 100644
index 000000000..8d2040152
--- /dev/null
+++ b/src/main/java/com/faforever/api/web/JsonApiResourceObject.java
@@ -0,0 +1,9 @@
+package com.faforever.api.web;
+
+public interface JsonApiResourceObject {
+  String getType();
+
+  String getId();
+
+  Object getAttributes();
+}
diff --git a/src/main/java/com/faforever/api/web/JsonApiResourceObjectProxy.java b/src/main/java/com/faforever/api/web/JsonApiResourceObjectProxy.java
new file mode 100644
index 000000000..53778a5b1
--- /dev/null
+++ b/src/main/java/com/faforever/api/web/JsonApiResourceObjectProxy.java
@@ -0,0 +1,27 @@
+package com.faforever.api.web;
+
+import java.util.function.Supplier;
+
+class JsonApiResourceObjectProxy<T> implements JsonApiResourceObject {
+  private final Supplier<String> typeExtractor;
+  private final Supplier<String> idExtractor;
+  private final Supplier<T> attributesExtractor;
+
+  JsonApiResourceObjectProxy(Supplier<String> typeExtractor, Supplier<String> idExtractor, Supplier<T> attributesExtractor) {
+    this.typeExtractor = typeExtractor;
+    this.idExtractor = idExtractor;
+    this.attributesExtractor = attributesExtractor;
+  }
+
+  public String getType() {
+    return typeExtractor.get();
+  }
+
+  public String getId() {
+    return idExtractor.get();
+  }
+
+  public T getAttributes() {
+    return attributesExtractor.get();
+  }
+}
diff --git a/src/main/java/com/faforever/api/web/JsonApiSingleResource.java b/src/main/java/com/faforever/api/web/JsonApiSingleResource.java
new file mode 100644
index 000000000..ef206ec07
--- /dev/null
+++ b/src/main/java/com/faforever/api/web/JsonApiSingleResource.java
@@ -0,0 +1,19 @@
+package com.faforever.api.web;
+
+import lombok.Value;
+
+import java.util.function.Supplier;
+
+@Value
+public class JsonApiSingleResource<T> {
+  JsonApiResourceObject data;
+
+  public static JsonApiSingleResource of(JsonApiResourceObject singleDataObject) {
+    return new JsonApiSingleResource(singleDataObject);
+  }
+
+  public static <T> JsonApiSingleResource ofProxy(Supplier<String> typeExtractor, Supplier<String> idExtractor,
+                                                  Supplier<T> attributesExtractor) {
+    return new JsonApiSingleResource<T>(new JsonApiResourceObjectProxy<>(typeExtractor, idExtractor, attributesExtractor));
+  }
+}