diff --git a/vcell-rest/src/main/resources/scripts/init.sql b/vcell-rest/src/main/resources/scripts/init.sql
index 18c6d5b1eb..88e02e2392 100644
--- a/vcell-rest/src/main/resources/scripts/init.sql
+++ b/vcell-rest/src/main/resources/scripts/init.sql
@@ -97,4 +97,6 @@ INSERT INTO vc_group VALUES (6,0,0,0,0);
 INSERT INTO vc_available VALUES (7,current_timestamp,'true',NULL,NULL);
 INSERT INTO vc_apiclient VALUES (8,'defaultApiClient','85133f8d-26f7-4247-8356-d175399fc2e6','98d000d6-adff-4f8f-a00e-6c28dbd8c571');
 INSERT INTO vc_useridentity VALUES ( 9, 2,'auth0|65cb6311365d79c2fb96a005', 'https://dev-dzhx7i2db3x3kkvq.us.auth0.com/', CURRENT_TIMESTAMP);
-INSERT INTO vc_specialusers VALUES ( 10,'publication',2,NULL);
+INSERT INTO vc_specialusers VALUES ( 10,'publicationEditors',2,NULL);
+INSERT INTO vc_specialusers VALUES ( 11,'powerUsers',2,NULL);
+INSERT INTO vc_specialusers VALUES ( 12,'admins',2,NULL);
diff --git a/vcell-rest/src/test/java/org/vcell/restq/AdminResourceTest.java b/vcell-rest/src/test/java/org/vcell/restq/AdminResourceTest.java
new file mode 100644
index 0000000000..a95fc0d774
--- /dev/null
+++ b/vcell-rest/src/test/java/org/vcell/restq/AdminResourceTest.java
@@ -0,0 +1,70 @@
+package org.vcell.restq;
+
+import cbit.vcell.resource.PropertyLoader;
+import cbit.vcell.xml.XmlParseException;
+import io.quarkus.test.junit.QuarkusTest;
+import io.quarkus.test.keycloak.client.KeycloakTestClient;
+import io.restassured.response.Response;
+import jakarta.inject.Inject;
+import org.eclipse.microprofile.config.inject.ConfigProperty;
+import org.junit.jupiter.api.*;
+import org.vcell.restclient.ApiClient;
+import org.vcell.restclient.ApiException;
+import org.vcell.restclient.api.UsersResourceApi;
+import org.vcell.restq.config.CDIVCellConfigProvider;
+import org.vcell.restq.db.AgroalConnectionFactory;
+import org.vcell.util.DataAccessException;
+
+import java.beans.PropertyVetoException;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.sql.SQLException;
+
+import static io.restassured.RestAssured.given;
+
+@QuarkusTest
+public class AdminResourceTest {
+    @ConfigProperty(name = "quarkus.http.test-port")
+    Integer testPort;
+
+    KeycloakTestClient keycloakClient = new KeycloakTestClient();
+    @Inject
+    AgroalConnectionFactory agroalConnectionFactory;
+
+    private ApiClient aliceAPIClient;
+
+    @BeforeAll
+    public static void setupConfig(){
+        PropertyLoader.setConfigProvider(new CDIVCellConfigProvider());
+    }
+
+    @BeforeEach
+    public void createClients(){
+        aliceAPIClient = TestEndpointUtils.createAuthenticatedAPIClient(keycloakClient, testPort, TestEndpointUtils.TestOIDCUsers.alice);
+    }
+
+    @AfterEach
+    public void removeOIDCMappings() throws SQLException, DataAccessException {
+        TestEndpointUtils.removeAllMappings(agroalConnectionFactory);
+    }
+
+    // TODO: Right now the biomodel endpoint doesn't implement authentication, but when it does it'll need to
+    @Test
+    public void testGetUsage() throws IOException, ApiException, XmlParseException, PropertyVetoException {
+
+        boolean mapped = new UsersResourceApi(aliceAPIClient).mapUser(TestEndpointUtils.administratorUserLoginInfo);
+        Assertions.assertTrue(mapped);
+
+        Response response = given()
+                .auth().oauth2(keycloakClient.getAccessToken(TestEndpointUtils.TestOIDCUsers.alice.name()))
+                .when().get("/api/v1/admin/usage")
+                .then().extract().response();
+
+        Assertions.assertEquals(200, response.getStatusCode());
+        Assertions.assertEquals("application/pdf", response.getContentType());
+
+        byte[] pdfBytes = response.asByteArray();
+        Assertions.assertTrue(pdfBytes.length > 0);
+    }
+}
diff --git a/vcell-rest/src/test/java/org/vcell/restq/apiclient/AdminApiTest.java b/vcell-rest/src/test/java/org/vcell/restq/apiclient/AdminApiTest.java
new file mode 100644
index 0000000000..a3d4cb4157
--- /dev/null
+++ b/vcell-rest/src/test/java/org/vcell/restq/apiclient/AdminApiTest.java
@@ -0,0 +1,115 @@
+package org.vcell.restq.apiclient;
+
+import cbit.vcell.resource.PropertyLoader;
+import io.quarkus.test.junit.QuarkusTest;
+import io.quarkus.test.keycloak.client.KeycloakTestClient;
+import jakarta.inject.Inject;
+import org.eclipse.microprofile.config.inject.ConfigProperty;
+import org.junit.jupiter.api.*;
+import org.vcell.restclient.ApiClient;
+import org.vcell.restclient.ApiException;
+import org.vcell.restclient.api.AdminResourceApi;
+import org.vcell.restclient.api.UsersResourceApi;
+import org.vcell.restq.TestEndpointUtils;
+import org.vcell.restq.config.CDIVCellConfigProvider;
+import org.vcell.restq.db.AgroalConnectionFactory;
+import org.vcell.util.DataAccessException;
+
+import java.io.File;
+import java.sql.SQLException;
+
+@QuarkusTest
+public class AdminApiTest {
+
+    @ConfigProperty(name = "quarkus.oidc.auth-server-url")
+    String authServerUrl;
+
+    @ConfigProperty(name = "quarkus.http.test-port")
+    Integer testPort;
+
+    @Inject
+    AgroalConnectionFactory agroalConnectionFactory;
+
+    KeycloakTestClient keycloakClient = new KeycloakTestClient();
+
+    private ApiClient aliceAPIClient;
+    private ApiClient bobAPIClient;
+
+    @BeforeAll
+    public static void setupConfig(){
+        PropertyLoader.setConfigProvider(new CDIVCellConfigProvider());
+    }
+
+    @BeforeEach
+    public void createClients(){
+        aliceAPIClient = TestEndpointUtils.createAuthenticatedAPIClient(keycloakClient, testPort, TestEndpointUtils.TestOIDCUsers.alice);
+        bobAPIClient = TestEndpointUtils.createAuthenticatedAPIClient(keycloakClient, testPort, TestEndpointUtils.TestOIDCUsers.bob);
+    }
+
+    @AfterEach
+    public void removeOIDCMappings() throws SQLException, DataAccessException {
+        TestEndpointUtils.removeAllMappings(agroalConnectionFactory);
+    }
+
+    @Test
+    public void testUsageReport_AdminRole_AdminUser() throws ApiException {
+        // alice has admin role, mapped to an admin user - should succeed
+        boolean mapped = new UsersResourceApi(aliceAPIClient).mapUser(TestEndpointUtils.administratorUserLoginInfo);
+        Assertions.assertTrue(mapped);
+        File usageSummaryFile = new AdminResourceApi(aliceAPIClient).getUsage();
+        Assertions.assertTrue(usageSummaryFile.exists());
+        Assertions.assertTrue(usageSummaryFile.isFile());
+        Assertions.assertTrue(usageSummaryFile.length() > 0);
+    }
+
+    @Test
+    public void testUsageReport_AdminRole_NonadminUser() throws ApiException {
+        // alice has an admin role, but is mapped to a non-admin user - should fail
+        boolean mapped = new UsersResourceApi(aliceAPIClient).mapUser(TestEndpointUtils.vcellNagiosUserLoginInfo);
+        Assertions.assertTrue(mapped);
+        ApiException apiException = Assertions.assertThrows(ApiException.class, () -> {
+            new AdminResourceApi(aliceAPIClient).getUsage();
+        });
+        Assertions.assertEquals(403, apiException.getCode());
+    }
+
+    @Test
+    public void testUsageReport_AdminRole_NotMapped() throws ApiException {
+        // alice has admin role, but is not mapped any user - should fail
+        ApiException apiException = Assertions.assertThrows(ApiException.class, () -> {
+            new AdminResourceApi(aliceAPIClient).getUsage();
+        });
+        Assertions.assertEquals(401, apiException.getCode());
+    }
+
+    @Test
+    public void testUsageReport_NonadminRole_AdminUser() throws ApiException {
+        // bob does not have admin role, mapped to admin user - should fail
+        boolean mapped = new UsersResourceApi(bobAPIClient).mapUser(TestEndpointUtils.administratorUserLoginInfo);
+        Assertions.assertTrue(mapped);
+        ApiException apiException = Assertions.assertThrows(ApiException.class, () -> {
+            new AdminResourceApi(aliceAPIClient).getUsage();
+        });
+        Assertions.assertEquals(401, apiException.getCode());
+    }
+
+    @Test
+    public void testUsageReport_NonadminRole_NonadminUser() throws ApiException {
+        // bob is not an admin, mapped to a non-admin user - should fail
+        boolean mapped = new UsersResourceApi(bobAPIClient).mapUser(TestEndpointUtils.vcellNagiosUserLoginInfo);
+        Assertions.assertTrue(mapped);
+        ApiException apiException = Assertions.assertThrows(ApiException.class, () -> {
+            new AdminResourceApi(aliceAPIClient).getUsage();
+        });
+        Assertions.assertEquals(401, apiException.getCode());
+    }
+
+    @Test
+    public void testUsageReport_NonadminRole_NotMapped() throws ApiException {
+        // bob is not an admin, and is not mapped to any user - should fail
+        ApiException apiException = Assertions.assertThrows(ApiException.class, () -> {
+            new AdminResourceApi(aliceAPIClient).getUsage();
+        });
+        Assertions.assertEquals(401, apiException.getCode());
+    }
+}