diff --git a/.travis.yml b/.travis.yml
index 51c3295..27ef003 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -7,7 +7,7 @@ services:
   - elasticsearch
 
 install:
-  - "pip install flake8"
+  - "pip install flake8 sphinx"
   - "python setup.py install"
 
 before_script:
@@ -16,3 +16,4 @@ before_script:
 script:
   - 'flake8'
   - python setup.py test
+  - "python setup.py build_sphinx"
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
new file mode 100644
index 0000000..7c6aeab
--- /dev/null
+++ b/CHANGELOG.rst
@@ -0,0 +1,35 @@
+===================
+Libreant changelog
+===================
+
+0.3
++++
+
+Major changes:
+--------------
+- Implemented a role-based access control layer.
+  This means that libreant now support the common ``login`` procedure.
+  This functionality isn't documented yet, anyway you can use the brand new ``libreant-users`` command to manage users, groups and capabilities,
+  and enable this feature at runtime with the ``--users-db`` parameter.
+  The default user is (user: admin, password: admin)
+
+Web interface:
+--------------
+- Added possibility to delete a volume through a button on the single-volume-view page.
+- New user menu (only in users-mode)
+- New login/logut pages.
+- Improoved error messages/pages
+
+Deployment:
+-----------
+- Removed elasticsearch strong dependecy.
+  Now libreant can be started with elasticsearch still not ready or not running.
+- Bugfix: make libreant command exits with code 1 on exception.
+- Fixed ``elasticsearch-py`` version dependency. Now the version must be ``>=1`` and ``<2``.
+- Reloader is used only in debug mode (``--debug``).
+- More uniform logs.
+
+Documentation:
+--------------
+- The suggested version for elasticsearch installation has been updated: ``1.4`` -> ``1.7``
+- A lot of packages have been inserted in the official docs.
diff --git a/DATA.mdwn b/DATA.mdwn
deleted file mode 100644
index 130d2d2..0000000
--- a/DATA.mdwn
+++ /dev/null
@@ -1,25 +0,0 @@
-Rationale
-===========
-
-You have installed elasticsearch, setup your virtualenv and your python dependencies. Now you want to test it
-a bit. Or maybe you want to develop, and need some "lorem ipsum" data. This howto is for you!
-
-HowTo
-=====
-
-First of all, make sure that elasticsearch is running.
-
-Then, "enter" your virtualenv. This typically is
-
-```sh
-source ve/bin/activate
-```
-
-Now run
-```sh
-curl -s 'http://boyska.s.pt-labs.net/libreant/contrib/colibri.json' 'http://boyska.s.pt-labs.net/libreant/contrib/rabbia/rabbia.json' 'http://boyska.s.pt-labs.net/libreant/contrib/csv2json/info_forte.json' |  webant-manage db_import -
-```
-
-This will fetch three sample "libraries" and add every book to your elasticsearch.
-
-Of course you can exclude the ones that you don't like, or create your own.
diff --git a/MANIFEST.in b/MANIFEST.in
index cab3948..726d9c0 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -3,3 +3,4 @@ recursive-include webant/templates *
 recursive-include webant/translations *.po
 include msgfmt.py
 include README.rst
+include CHANGELOG.rst
diff --git a/Vagrantfile b/Vagrantfile
index f330258..a5846f4 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -14,7 +14,7 @@ end
 
 $script = <<SCRIPT
 wget -qO - https://packages.elasticsearch.org/GPG-KEY-elasticsearch | apt-key add -
-echo "deb http://packages.elasticsearch.org/elasticsearch/1.4/debian stable main" >> /etc/apt/sources.list
+echo "deb http://packages.elasticsearch.org/elasticsearch/1.7/debian stable main" >> /etc/apt/sources.list
 apt-get update && apt-get install -y python python-dev python-virtualenv openjdk-7-jre-headless elasticsearch
 update-rc.d elasticsearch defaults
 service elasticsearch start
diff --git a/archivant/__init__.py b/archivant/__init__.py
index e02bdbf..dc48b05 100644
--- a/archivant/__init__.py
+++ b/archivant/__init__.py
@@ -1,4 +1,4 @@
 from archivant import Archivant
 
 
-__all__ = [Archivant]
+__all__ = ['Archivant']
diff --git a/archivant/archivant.py b/archivant/archivant.py
index ec681f6..af477d5 100644
--- a/archivant/archivant.py
+++ b/archivant/archivant.py
@@ -19,12 +19,13 @@
 class Archivant():
     ''' Implementation of a Data Access Layer
 
-        Archivant handling both an fsdb instance and
-        a libreantdb one exposes an API to operate on 'volumes'.
+        Archivant handles both an fsdb instance and
+        a libreantdb one and exposes an high-level API to operate on 'volumes'.
 
         A 'volume' represents a physical/digital object stored within archivant.
-        Volumes are structured as described in `Archivant.normalize_volume`,
-        these have metadata and a list of attachments.
+        Volumes are structured as described in :meth:`~Archivant.normalize_volume`;
+        shortly, they have language, metadata and attachments.
+        An attachment is an URL plus some metadata.
 
         If you won't configure the FSDB_PATH parameter, fsdb will not be initialized
         and archivant will start in metadata-only mode.
@@ -50,10 +51,16 @@ def __init__(self, conf={}):
         # initialize elasticsearch
         if not self._config['ES_INDEXNAME']:
             raise ValueError('ES_INDEXNAME cannot be empty')
-        db = DB(Elasticsearch(hosts=self._config['ES_HOSTS']),
-                index_name=self._config['ES_INDEXNAME'])
-        db.setup_db()
-        self._db = db
+        self.__db = None
+
+    @property
+    def _db(self):
+        if self.__db is None:
+            db = DB(Elasticsearch(hosts=self._config['ES_HOSTS']),
+                    index_name=self._config['ES_INDEXNAME'])
+            db.setup_db()
+            self.__db = db
+        return self.__db
 
     @property
     def _fsdb(self):
@@ -76,25 +83,27 @@ def normalize_volume(volume):
 
            This function makes side effect on input volume
 
-           output example:
-           {
-            'id': 'AU0paPZOMZchuDv1iDv8',
-            'type': 'volume',
-            'metadata': {'_language': 'en',
-                         'key1': 'value1',
-                         'key2': 'value2',
-                         'key3': 'value3'},
-            'attachments': [{'id': 'a910e1kjdo2d192d1dko1p2kd1209d',
-                             'type' : 'attachment',
-                             'url': 'fsdb:///624bffa8a6f90813b7982d0e5b4c1475ebec40e3',
-                             'metadata': {'download_count': 0,
-                                          'mime': 'application/json',
-                                          'name': 'tmp9fyat_',
-                                          'notes': 'this file is awsome',
-                                          'sha1': '624bffa8a6f90813b7982d0e5b4c1475ebec40e3',
-                                          'size': 10}
-                           }]
-           }
+           output example::
+
+            {
+                'id': 'AU0paPZOMZchuDv1iDv8',
+                'type': 'volume',
+                'metadata': {'_language': 'en',
+                            'key1': 'value1',
+                            'key2': 'value2',
+                            'key3': 'value3'},
+                'attachments': [{'id': 'a910e1kjdo2d192d1dko1p2kd1209d',
+                                'type' : 'attachment',
+                                'url': 'fsdb:///624bffa8a6f90813b7982d0e5b4c1475ebec40e3',
+                                'metadata': {'download_count': 0,
+                                            'mime': 'application/json',
+                                            'name': 'tmp9fyat_',
+                                            'notes': 'this file is awsome',
+                                            'sha1': '624bffa8a6f90813b7982d0e5b4c1475ebec40e3',
+                                            'size': 10}
+                            }]
+            }
+
         '''
         res = dict()
         res['type'] = 'volume'
@@ -223,25 +232,30 @@ def insert_attachments(self, volumeID, attachments):
     def insert_volume(self, metadata, attachments=[]):
         '''Insert a new volume
 
-           Returns the ID of the added volume
+        Returns the ID of the added volume
 
-           `metadata` must be a dict containg metadata of the volume.
-           The only required key is `_language`
-           {
-             "_language" : "it",  # language of the metadata
-             "key1" : "value1",   # attribute
-             "key2" : "value2",
+        `metadata` must be a dict containg metadata of the volume::
+
+            {
+              "_language" : "it",  # language of the metadata
+              "key1" : "value1",   # attribute
+              "key2" : "value2",
               ...
-             "keyN" : "valueN"
-           }
-
-           `attachments` must be an array of dict
-           {
-               "file"  : "/prova/una/path/a/caso" # path or fp
-               "name"  : "nome_buffo.ext"         # name of the file (extension included) [optional if a path was given]
-               "mime"  : "application/json"       # mime type of the file [optional]
-               "notes" : "this file is awesome"   # notes that will be attached to this file [optional]
-           }
+              "keyN" : "valueN"
+            }
+
+            The only required key is `_language`
+
+
+        `attachments` must be an array of dict::
+
+            {
+              "file"  : "/prova/una/path/a/caso" # path or fp
+              "name"  : "nome_buffo.ext"         # name of the file (extension included) [optional if a path was given]
+              "mime"  : "application/json"       # mime type of the file [optional]
+              "notes" : "this file is awesome"   # notes that will be attached to this file [optional]
+            }
+
         '''
 
         log.debug("adding new volume:\n\tdata: {}\n\tfiles: {}".format(metadata, attachments))
@@ -328,9 +342,9 @@ def update_volume(self, volumeID, metadata):
     def update_attachment(self, volumeID, attachmentID, metadata):
         '''update an existing attachment
 
-           the given metadata dict will be merged with the old one.
-           only the following fields could be updated:
-             [name, mime, notes, download_count]
+        the given metadata dict will be merged with the old one.
+        only the following fields could be updated:
+        [name, mime, notes, download_count]
         '''
         log.debug('updating metadata of attachment {} from volume {}'.format(attachmentID, volumeID))
         modifiable_fields = ['name', 'mime', 'notes', 'download_count']
diff --git a/archivant/test/class_template.py b/archivant/test/class_template.py
index 1bee908..8e44e9b 100644
--- a/archivant/test/class_template.py
+++ b/archivant/test/class_template.py
@@ -27,12 +27,15 @@ def setUp(self):
         self.arc = Archivant(conf)
 
     def tearDown(self):
-        self.es.delete_by_query(index=self.TEST_ES_INDEX,
-                                body={'query': {'match_all': {}}})
+        self.arc._db.es.delete_by_query(index=self.TEST_ES_INDEX,
+                                        body={'query': {'match_all': {}}})
         rmtree(self.tmpDir)
         self.tmpDir = None
         self.arc = None
 
+    def refresh_index(self):
+        self.arc._db.es.indices.refresh(index=self.TEST_ES_INDEX)
+
     @staticmethod
     def generate_volume_metadata():
         return {'_language': 'en',
diff --git a/archivant/test/test_get_attachment.py b/archivant/test/test_get_attachment.py
index 8b940c2..95d95e0 100644
--- a/archivant/test/test_get_attachment.py
+++ b/archivant/test/test_get_attachment.py
@@ -11,7 +11,6 @@ def test_get_attachment(self):
         attachments = self.generate_attachments(1)
         id = self.arc.insert_volume(volume_metadata, attachments=attachments)
         added_volume = self.arc.get_volume(id)
-        print added_volume['attachments'][0]['id']
         self.arc.get_attachment(id, added_volume['attachments'][0]['id'])
 
     def test_get_file(self):
diff --git a/archivant/test/test_get_volume.py b/archivant/test/test_get_volume.py
index 2d5ea31..a63663b 100644
--- a/archivant/test/test_get_volume.py
+++ b/archivant/test/test_get_volume.py
@@ -20,7 +20,7 @@ def test_get_all_volumes(self):
         for _ in range(n):
             id = self.arc.insert_volume(self.generate_volume_metadata())
             ids.append(id)
-        self.arc._db.es.indices.refresh()
+        self.refresh_index()
         volumes = [vol for vol in self.arc.get_all_volumes()]
         for vol in volumes:
             ok_(vol['id'] in ids)
diff --git a/archivant/test/test_instantiation.py b/archivant/test/test_instantiation.py
index 6a8c80e..51b7365 100644
--- a/archivant/test/test_instantiation.py
+++ b/archivant/test/test_instantiation.py
@@ -2,9 +2,8 @@
 from archivant.exceptions import FileOpNotSupported
 from tempfile import mkdtemp
 from shutil import rmtree
-from elasticsearch import Elasticsearch
+from elasticsearch import Elasticsearch, ElasticsearchException
 from nose.tools import raises
-from urllib3.exceptions import LocationValueError
 
 
 TEST_ES_INDEX = 'test-archivant'
@@ -14,7 +13,8 @@
 def cleanup(esIndex=None, tmpDir=None):
     if esIndex is not None:
         es = Elasticsearch()
-        es.indices.delete(esIndex)
+        if es.indices.exists(esIndex):
+            es.indices.delete(esIndex)
 
     if tmpDir is not None:
         rmtree(tmpDir)
@@ -45,13 +45,27 @@ def test_instantiation_no_indexname():
         cleanup(tmpDir=tmpDir)
 
 
-@raises(LocationValueError)
 def test_instantiation_hosts_error():
+    '''this should not raise errors'''
     tmpDir = mkdtemp(prefix=FSDB_PATH_PREFIX)
     conf = {'ES_INDEXNAME': TEST_ES_INDEX,
-            'ES_HOSTS': "",
+            'ES_HOSTS': "127.0.0.1:12345",
             'FSDB_PATH': tmpDir}
     try:
         Archivant(conf)
     finally:
         cleanup(tmpDir=tmpDir)
+
+
+@raises(ElasticsearchException)
+def test_instantiation_hosts_error_on_query():
+    '''explicitly doing queries will raise error'''
+    tmpDir = mkdtemp(prefix=FSDB_PATH_PREFIX)
+    conf = {'ES_INDEXNAME': TEST_ES_INDEX,
+            'ES_HOSTS': "127.0.0.1:12345",
+            'FSDB_PATH': tmpDir}
+    try:
+        arc = Archivant(conf)
+        arc.get_volume('whatever')
+    finally:
+        cleanup(tmpDir=tmpDir)
diff --git a/archivant/test/test_shrink.py b/archivant/test/test_shrink.py
index 1003459..8a98503 100644
--- a/archivant/test/test_shrink.py
+++ b/archivant/test/test_shrink.py
@@ -15,7 +15,7 @@ def test_dangling_files_empty(self):
         volume_metadata = self.generate_volume_metadata()
         attachments = self.generate_attachments(n)
         self.arc.insert_volume(volume_metadata, attachments=attachments)
-        self.arc._db.es.indices.refresh()
+        self.refresh_index()
         eq_(len([fid for fid in self.arc.dangling_files()]), 0)
 
     def test_dangling_files(self):
@@ -24,7 +24,7 @@ def test_dangling_files(self):
         attachments = self.generate_attachments(n)
         id = self.arc.insert_volume(volume_metadata, attachments=attachments)
         self.arc.delete_volume(id)
-        self.arc._db.es.indices.refresh()
+        self.refresh_index()
         eq_(len([fid for fid in self.arc.dangling_files()]), n)
 
     def test_shrink_dangling(self):
@@ -33,7 +33,7 @@ def test_shrink_dangling(self):
         attachments = self.generate_attachments(n)
         id = self.arc.insert_volume(volume_metadata, attachments=attachments)
         self.arc.delete_volume(id)
-        self.arc._db.es.indices.refresh()
+        self.refresh_index()
         eq_(self.arc.shrink_local_fsdb(dangling=True), n)
         eq_(len(self.arc._fsdb), 0)
 
@@ -43,6 +43,6 @@ def test_shrink_dryrun(self):
         attachments = self.generate_attachments(n)
         id = self.arc.insert_volume(volume_metadata, attachments=attachments)
         self.arc.delete_volume(id)
-        self.arc._db.es.indices.refresh()
+        self.refresh_index()
         eq_(self.arc.shrink_local_fsdb(dangling=True, dryrun=True), n)
         eq_(len(self.arc._fsdb), n)
diff --git a/archivant/test/test_update_volume.py b/archivant/test/test_update_volume.py
index 78c321d..87ca357 100644
--- a/archivant/test/test_update_volume.py
+++ b/archivant/test/test_update_volume.py
@@ -22,8 +22,6 @@ def test_update_volume_add(self):
         volume_metadata = {'_language': 'en',
                            'old_1': 'old_value_1'}
         id = self.arc.insert_volume(volume_metadata)
-        from pprint import pprint
-        pprint(volume_metadata)
         volume_metadata['new_1'] = 'new_value_1'
         self.arc.update_volume(id, volume_metadata)
         vol_metadata = (self.arc.get_volume(id))['metadata']
diff --git a/cli/libreant.py b/cli/libreant.py
index 2d21191..deb43c9 100644
--- a/cli/libreant.py
+++ b/cli/libreant.py
@@ -18,10 +18,11 @@
 @click.option('--fsdb-path', type=click.Path(), metavar="<path>", help=get_help('FSDB_PATH'))
 @click.option('--es-indexname', type=click.STRING, metavar="<name>", help=get_help('ES_INDEXNAME'))
 @click.option('--es-hosts', type=StringList(), metavar="<host>..", help=get_help('ES_HOSTS'))
+@click.option('--users-db', type=click.Path(), metavar="<url>", help=get_help('USERS_DATABASE') )
 @click.option('--preset-paths', type=StringList(), metavar="<path>..", help=get_help('PRESET_PATHS'))
 @click.option('--agherant-descriptions', type=StringList(), metavar="<url>..", help=get_help('AGHERANT_DESCRIPTIONS'))
 @click.option('--dump-settings', is_flag=True, help='dump current settings and exit')
-def libreant(settings, debug, port, address, fsdb_path, es_indexname, es_hosts, preset_paths, agherant_descriptions, dump_settings):
+def libreant(settings, debug, port, address, fsdb_path, es_indexname, es_hosts, users_db, preset_paths, agherant_descriptions, dump_settings):
     initLoggers(logNames=['config_utils'])
     conf = config_utils.load_configs('LIBREANT_', defaults=get_def_conf(), path=settings)
     cliConf = {}
@@ -37,6 +38,8 @@ def libreant(settings, debug, port, address, fsdb_path, es_indexname, es_hosts,
         cliConf['ES_INDEXNAME'] = es_indexname
     if es_hosts:
         cliConf['ES_HOSTS'] = es_hosts
+    if users_db:
+        cliConf['USERS_DATABASE'] = users_db
     if preset_paths:
         cliConf['PRESET_PATHS'] = preset_paths
     if agherant_descriptions:
@@ -55,6 +58,7 @@ def libreant(settings, debug, port, address, fsdb_path, es_indexname, es_hosts,
             raise
         else:
             click.secho(str(e), fg='yellow', err=True)
+            exit(1)
 
 if __name__ == '__main__':
     libreant()
diff --git a/cli/libreant_users.py b/cli/libreant_users.py
new file mode 100644
index 0000000..2a4a1fd
--- /dev/null
+++ b/cli/libreant_users.py
@@ -0,0 +1,261 @@
+import click
+import logging
+import json
+
+import users.api
+import users
+
+from conf import config_utils
+from conf.defaults import get_def_conf, get_help
+from utils.loggers import initLoggers
+
+json_dumps = json.dumps
+usersDB = None
+conf = dict()
+
+
+def pretty_json_dumps(*args, **kargs):
+    kargs['indent'] = 3
+    return json.dumps(*args, **kargs)
+
+
+def die(msg, exit_code=1):
+        click.secho('ERROR: ' + msg, err=True, fg='red')
+        exit(exit_code)
+
+
+@click.group(name="libreant-users", help="manage libreant users")
+@click.version_option()
+@click.option('-s', '--settings', type=click.Path(exists=True, readable=True), help='file from wich load settings')
+@click.option('-d', '--debug', is_flag=True, help=get_help('DEBUG'))
+@click.option('--users-db', type=click.Path(), metavar="<url>", help=get_help('USERS_DATABASE') )
+@click.option('-p', '--pretty', is_flag=True, help="format the output on multiple lines")
+def libreant_users(debug, settings, users_db, pretty):
+    initLoggers(logNames=['config_utils'])
+    global conf
+    conf = config_utils.load_configs('LIBREANT_', defaults=get_def_conf(), path=settings)
+    cliConf = {}
+    if debug:
+        cliConf['DEBUG'] = True
+    if users_db:
+        cliConf['USERS_DATABASE'] = users_db
+    conf.update(cliConf)
+    if conf['USERS_DATABASE'] is None:
+        die('--users-db not set')
+    if pretty:
+        global json_dumps
+        json_dumps = pretty_json_dumps
+    initLoggers(logging.DEBUG if conf.get('DEBUG', False) else logging.WARNING)
+
+    global usersDB
+    try:
+        usersDB = users.init_db(conf['USERS_DATABASE'],
+                                   pwd_salt_size=conf['PWD_SALT_SIZE'],
+                                   pwd_rounds=conf['PWD_ROUNDS'])
+        users.populate_with_defaults()
+    except Exception as e:
+        if conf['DEBUG']:
+            raise
+        else:
+            die(str(e))
+
+
+class ExistingUserType(click.ParamType):
+    name = 'existinguser'
+
+    def convert(self, value, param, ctx):
+        try:
+            return users.api.get_user(name=value)
+        except users.api.NotFoundException:
+            self.fail('Cannot find user "%s"' % value)
+
+
+class ExistingGroupType(click.ParamType):
+    name = 'existinggroup'
+
+    def convert(self, value, param, ctx):
+        try:
+            return users.api.get_group(name=value)
+        except users.api.NotFoundException:
+            self.fail('Cannot find group "%s"' % value)
+
+
+@libreant_users.group(name='user')
+def user_subcmd():
+    pass
+
+
+@user_subcmd.command(name='create', help='Create new user')
+@click.argument('username')
+def user_add(username):
+    try:
+        users.api.get_user(name=username)
+    except users.api.NotFoundException:
+        pass
+    else:
+        click.secho('User already present', err=True)
+        exit(1)
+    password = click.prompt('Password', hide_input=True,
+                            confirmation_prompt=True)
+    user = users.api.add_user(username, password)
+    click.echo(json_dumps(user.to_dict()))
+
+
+@user_subcmd.command(name='list', help='List all the users')
+@click.option('--password', is_flag=True, help='Show also password (in hashed form)')
+def user_list(password):
+    if password:
+        all_users = [{'name': user.name, 'id': user.id, 'pwd_hash': user.pwd_hash} for user in users.User.select()]
+    else:
+        all_users = [{'name': user.name, 'id': user.id} for user in users.User.select()]
+    click.echo(json_dumps(all_users))
+
+
+@user_subcmd.command(name='show', help='Show user infos')
+@click.argument('user', metavar='USERNAME', type=ExistingUserType())
+def user_show(user):
+    data = user.to_dict()
+    data['groups'] = [group.to_dict() for group in user.groups]
+    click.echo(json_dumps(data))
+
+
+@user_subcmd.command(name='passwd', help='change the password for a user')
+@click.argument('user', metavar='USERNAME', type=ExistingUserType())
+def user_set_password(user):
+    password = click.prompt('Password', hide_input=True,
+                            confirmation_prompt=True)
+    users.api.update_user(user.id, {'password': password})
+
+
+@user_subcmd.command(name='check-password',
+                        help='check if a password is correct')
+@click.argument('user', metavar='USERNAME', type=ExistingUserType())
+def user_check_password(user):
+    password = click.prompt('Password', hide_input=True,
+                            confirmation_prompt=False)
+    if user.verify_password(password):
+        click.secho('Password correct', fg='green')
+    else:
+        click.secho('Incorrect password', fg='red', err=True)
+
+
+@user_subcmd.command(name='delete', help='Delete a user')
+@click.argument('user', metavar='USERNAME', type=ExistingUserType())
+def user_del(user):
+    users.api.delete_user(user.id)
+
+
+@libreant_users.group(name='group')
+def group_subcmd():
+    pass
+
+
+@group_subcmd.command(name='delete', help='Delete a group')
+@click.argument('group', metavar='GROUPNAME', type=ExistingGroupType())
+def group_del(group):
+    users.api.delete_group(group.id)
+
+
+@group_subcmd.command(name='create', help='Create a group')
+@click.argument('groupname')
+def group_add(groupname):
+    try:
+        users.api.get_group(name=groupname)
+    except users.api.NotFoundException:
+        pass
+    else:
+        die('Group already present')
+    group = users.api.add_group(groupname)
+    click.echo(json_dumps(group.to_dict()))
+
+
+@group_subcmd.command(name='list', help='List groups')
+def list_groups():
+    click.echo(json_dumps([g.to_dict() for g in users.Group.select()]))
+
+
+@group_subcmd.command(name='show', help='Show group properties and members')
+@click.argument('group', metavar='GROUPNAME', type=ExistingGroupType())
+def show_group(group):
+    groupdict = group.to_dict()
+    groupdict['users'] = [user.to_dict() for user in users.api.get_users_in_group(group.id)]
+    click.echo(json_dumps(groupdict))
+
+
+@group_subcmd.command(name='user-remove', help='Remove a user from a group')
+@click.argument('user', metavar='USERNAME', type=ExistingUserType())
+@click.argument('group', metavar='GROUPNAME', type=ExistingGroupType())
+def remove_from_group(user, group):
+    users.api.remove_user_from_group(user.id, group.id)
+    userdata = user.to_dict()
+    userdata['groups'] = [ug.to_dict() for ug in
+                          users.api.get_groups_of_user(user.id)]
+    click.echo(json_dumps(userdata))
+
+
+@group_subcmd.command(name='user-add', help='Add a user to a group')
+@click.argument('user', metavar='USERNAME', type=ExistingUserType())
+@click.argument('group', metavar='GROUPNAME', type=ExistingGroupType())
+def add_to_group(user, group):
+    users.api.add_user_to_group(user.id, group.id)
+    userdata = user.to_dict()
+    userdata['groups'] = [ug.to_dict() for ug in users.api.get_groups_of_user(user.id)]
+    click.echo(json_dumps(userdata))
+
+
+@libreant_users.group(name='capability')
+def caps_subcmd():
+    pass
+
+
+@group_subcmd.command(name='cap-list', help='List capabilities owned by group')
+@click.argument('group', metavar='GROUPNAME', type=ExistingGroupType())
+def list_capabilities(group):
+    click.echo(json_dumps([c.to_dict() for c in group.capabilities]))
+
+
+class ActionParamType(click.ParamType):
+    name='action'
+
+    def convert(self, value, param, ctx):
+        possibleactions = {v[0]: v for v in users.Action.ACTIONS}
+        value = '' if value == '0' else value
+        try:
+            value = [possibleactions[x] for x in value]
+        except KeyError as exc:
+            self.fail('"%s is not a valid literal; '
+                        'valid values are %s (which stand for %s)' % (
+                            exc.args[0],
+                            ', '.join(possibleactions.keys()),
+                            ', '.join(possibleactions.values())
+                        ))
+        return users.Action.from_list(value)
+
+
+@group_subcmd.command(name='cap-add',
+                      short_help='Add a new capability to a group',
+                      help='Add a new capability to a group\n\n'
+                      'An action is expressed as a subset of the string "CRUD"\n'
+                      'Examples of valid values are R,CR,CRUD,CD,etc.')
+@click.argument('group', metavar='GROUPNAME', type=ExistingGroupType())
+@click.argument('domain')
+@click.argument('action', type=ActionParamType())
+def capability_add(group, domain, action):
+    cap = users.api.add_capability(domain, action)
+    users.api.add_capability_to_group(cap.id, group.id)
+
+    groupdata = group.to_dict()
+    groupdata['capabilities'] = [c.to_dict() for c in group.capabilities]
+    click.echo(json_dumps(groupdata))
+
+
+@caps_subcmd.command(name='delete')
+@click.argument('capID')
+def capability_del(capid):
+    users.api.delete_capability(capid)
+
+
+@caps_subcmd.command(name='list', help='List every capability')
+def capability_list():
+    allcaps = users.Capability.select()
+    click.echo(json_dumps([c.to_dict() for c in allcaps]))
diff --git a/cli/tests/test_libreant_users.py b/cli/tests/test_libreant_users.py
new file mode 100644
index 0000000..9a35976
--- /dev/null
+++ b/cli/tests/test_libreant_users.py
@@ -0,0 +1,27 @@
+import os.path
+
+from click.testing import CliRunner
+
+from cli.libreant_users import libreant_users
+
+
+def get_runner():
+    runner = CliRunner()
+    runner.isolation(env={})
+    return runner
+
+
+def test_usersdb_mandatory():
+    result = get_runner().invoke(libreant_users, ['user', 'list'])
+    assert result.exit_code != 0
+    assert '--users-db' in result.output
+
+
+def test_usersdb_works():
+    runner = get_runner()
+    with runner.isolated_filesystem():
+        assert not os.path.exists('u.db')
+        base = ['--users-db', 'sqlite:///u.db', 'user']
+        result = runner.invoke(libreant_users, base +['list'])
+        assert os.path.exists('u.db')
+        assert result.exit_code == 0
diff --git a/conf/config_utils.py b/conf/config_utils.py
index f53c430..47b08a7 100644
--- a/conf/config_utils.py
+++ b/conf/config_utils.py
@@ -75,14 +75,15 @@ def from_envvars(prefix=None, environ=None, envvars=None, as_json=True):
 
 
 def load_configs(envvar_prefix, defaults=None, path=None):
-    '''load configuration
-
-    the following steps will be undertake:
-     - if `defaults` is provided, defaults are loded.
-     - It will attempt to load configs from file:
-       if `path` is provided, it will be used, otherwise the path
-       will be taken from envvar `envvar_prefix`+"SETTINGS"
-     - all envvars starting with `envvar_prefix` will be loaded
+    '''Load configuration
+
+    The following steps will be undertake:
+        * if `defaults` is provided, defaults are loded.
+        * It will attempt to load configs from file:
+          if `path` is provided, it will be used, otherwise the path
+          will be taken from envvar `envvar_prefix` + "SETTINGS".
+        * all envvars starting with `envvar_prefix` will be loaded.
+
     '''
     conf = {}
     if defaults:
diff --git a/conf/defaults.py b/conf/defaults.py
index c134b54..7ea0251 100644
--- a/conf/defaults.py
+++ b/conf/defaults.py
@@ -1,3 +1,5 @@
+from passlib.hash import pbkdf2_sha256
+
 defConf = {
   'DEBUG':        (False, "operate in debug mode"),
   'PORT':         (5000, "port on which daemon will listen"),
@@ -8,7 +10,10 @@
   'PRESET_PATHS': ([], "list of paths where to look for presets definition"),
   'AGHERANT_DESCRIPTIONS': (None, "list of description urls of nodes to aggregate"),
   'BOOTSTRAP_SERVE_LOCAL': (True, "decide to serve bootstrap related files as local content"),
-  'MAX_RESULTS_PER_PAGE': (50, "number of max results for one request")
+  'MAX_RESULTS_PER_PAGE': (50, "number of max results for one request"),
+  'USERS_DATABASE': (None, "url of the database used for users managment"),
+  'PWD_SALT_SIZE': (16, "size of the salt used by password hashing algorithm"),
+  'PWD_ROUNDS': (pbkdf2_sha256.default_rounds, "number of rounds runs by password hashing algorithm")
 }
 
 
diff --git a/contrib/.gitignore b/contrib/.gitignore
deleted file mode 100644
index febb709..0000000
--- a/contrib/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-*.json
-*.csv
-*.sql
diff --git a/contrib/csv2json/csv2json.py b/contrib/csv2json/csv2json.py
deleted file mode 100644
index d42812b..0000000
--- a/contrib/csv2json/csv2json.py
+++ /dev/null
@@ -1,31 +0,0 @@
-'''
-Get a CSV (tab-delimited) where columns are:
-1) # of items
-2) Authors, comma delimited
-3) Title
-4) Publisher
-'''
-import sys
-import csv
-import json
-
-
-if __name__ == '__main__':
-    csvpath = sys.argv[1]
-    reader = csv.reader(open(csvpath, 'rb'), delimiter=',', quotechar='"')
-    for line in reader:
-        line += [''] * (6 - len(line))
-        line = map(lambda s: s.decode('latin1'), line)
-        numloc, authors, title, date, collana, editor = line[:6]
-        loc = ' '.join(numloc.split()[1:])
-        book = {
-            'location': loc,
-            'title': title,
-            'actors': authors.split('-') + [editor],
-            'pubYear': date,
-            'collana': collana
-        }
-        print json.dumps(book)
-
-
-# vim: set ts=4 sw=4 et:
diff --git a/contrib/sql/Makefile b/contrib/sql/Makefile
deleted file mode 100644
index a241635..0000000
--- a/contrib/sql/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-all: rabbia.json colibri.json
-
-rabbia.json: rabbia2json.py
-	python2 $<
-
-colibri.json: colibri2json.py
-	python2 $<
diff --git a/contrib/sql/README.mdwn b/contrib/sql/README.mdwn
deleted file mode 100644
index fb886f2..0000000
--- a/contrib/sql/README.mdwn
+++ /dev/null
@@ -1,19 +0,0 @@
-This directory
-==============
-
-Colibri
--------
-
-Colibri is a library manager, developed by MSAck.[3]
-
-colibri2json take the mysql database and creates colibri.json
-
-Rabbia
-------
-
-RABbiA is a network of self-managed libraries [1]. rabbia2json is a script to
-help migrating from its database (which is a slight variant on [2])
-
-[1] https://www.inventati.org/rabbia/
-[2] https://wordpress.org/plugins/weblibrarian/
-[3] http://colibri.msack.org/
diff --git a/contrib/sql/colibri2json.py b/contrib/sql/colibri2json.py
deleted file mode 100644
index 558f043..0000000
--- a/contrib/sql/colibri2json.py
+++ /dev/null
@@ -1,73 +0,0 @@
-import json
-import calendar
-import datetime
-import decimal
-
-import oursql
-
-
-def json_default(obj):
-    """Default JSON serializer. It solves the datetime problem"""
-    if isinstance(obj, datetime.date):
-        obj = datetime.datetime.fromordinal(obj.toordinal())
-    if isinstance(obj, datetime.datetime):
-        if obj.utcoffset() is not None:
-            obj = obj - obj.utcoffset()
-    if isinstance(obj, decimal.Decimal):
-        if int(obj) == 0:
-            return None
-        obj = datetime.datetime(day=1, month=1, year=int(obj))
-    millis = int(
-        calendar.timegm(obj.timetuple()) * 1000 +
-        obj.microsecond / 1000
-    )
-    return millis
-
-
-def canonize(row):
-    '''
-    Name of fields are not perfectly matching between rabbia and libreant.
-    Let's fix it
-    '''
-    row['title'] = row['titolo']
-    del row['titolo']
-
-    row['actors'] = filter(bool,  # exclude empty strings
-                           row['autore'].split(',') +
-                           row['editore'].split(','))
-    del row['autore']
-    del row['editore']
-
-    row['location'] = '%s - %s' % (row['descrizione'], row['nome'])
-    del row['descrizione']
-    del row['nome']
-    del row['ID_LOC']
-    del row['IDB']
-
-    del row['ID_LIBRO']
-    del row['prestabilita']
-    if row['ISBN']:
-        row['isbn'] = row['ISBN']
-    del row['ISBN']
-    if not row['note']:
-        del row['note']
-    return row
-
-
-def db_to_json(connection):
-    c = connection.cursor(oursql.DictCursor)
-    c.execute('SELECT * FROM libri ' +
-              'NATURAL JOIN lib_biblio NATURAL JOIN biblioteche')
-
-    for row in c:
-        yield json.dumps(canonize(row), default=json_default)
-
-
-def main():
-    conn = oursql.connect(db='colibri', user='root', passwd='root')
-    with open('colibri.json', 'w') as buf:
-        for json_string in db_to_json(conn):
-            buf.write(json_string + '\n')
-
-if __name__ == '__main__':
-    main()
diff --git a/contrib/sql/rabbia2json.py b/contrib/sql/rabbia2json.py
deleted file mode 100644
index 20dcb29..0000000
--- a/contrib/sql/rabbia2json.py
+++ /dev/null
@@ -1,51 +0,0 @@
-import json
-import calendar
-import datetime
-
-import oursql
-
-
-def json_default(obj):
-    """Default JSON serializer. It solves the datetime problem"""
-    if isinstance(obj, datetime.date):
-        obj = datetime.datetime.fromordinal(obj.toordinal())
-    if isinstance(obj, datetime.datetime):
-        if obj.utcoffset() is not None:
-            obj = obj - obj.utcoffset()
-    millis = int(
-        calendar.timegm(obj.timetuple()) * 1000 +
-        obj.microsecond / 1000
-    )
-    return millis
-
-
-def canonize(row):
-    '''
-    Name of fields are not perfectly matching between rabbia and libreant.
-    Let's fix it
-    '''
-    if 'author' in row:
-        row['actors'] = [row['author']]
-        del row['author']
-    if 'type' in row:
-        row['location'] = row['type']
-        del row['type']
-    return row
-
-
-def db_to_json(connection):
-    c = connection.cursor(oursql.DictCursor)
-    c.execute('SELECT * FROM wp_rabbiaweblib_collection')
-
-    for row in c:
-        yield json.dumps(canonize(row), default=json_default)
-
-
-def main():
-    conn = oursql.connect(db='rabbia', user='root', passwd='root')
-    with open('rabbia.json', 'w') as buf:
-        for json_string in db_to_json(conn):
-            buf.write(json_string + '\n')
-
-if __name__ == '__main__':
-    main()
diff --git a/contrib/sql/requirements.txt b/contrib/sql/requirements.txt
deleted file mode 100644
index 8f79ccb..0000000
--- a/contrib/sql/requirements.txt
+++ /dev/null
@@ -1 +0,0 @@
-oursql
diff --git a/doc/source/api/archivant.rst b/doc/source/api/archivant.rst
new file mode 100644
index 0000000..6b05d30
--- /dev/null
+++ b/doc/source/api/archivant.rst
@@ -0,0 +1,22 @@
+archivant package
+=================
+
+.. automodule:: archivant
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+Submodules
+----------
+
+.. automodule:: archivant.archivant
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+.. automodule:: archivant.exceptions
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+
diff --git a/doc/source/api/conf.rst b/doc/source/api/conf.rst
new file mode 100644
index 0000000..83ff01b
--- /dev/null
+++ b/doc/source/api/conf.rst
@@ -0,0 +1,22 @@
+conf package
+============
+
+.. automodule:: conf
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+Submodules
+----------
+
+.. automodule:: conf.config_utils
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+.. automodule:: conf.defaults
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+
diff --git a/doc/source/api/libreantdb.rst b/doc/source/api/libreantdb.rst
index 9a1e0b9..0a0198d 100644
--- a/doc/source/api/libreantdb.rst
+++ b/doc/source/api/libreantdb.rst
@@ -1,7 +1,17 @@
-libreantdb
-===============
+libreantdb package
+==================
+
+.. automodule:: libreantdb
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+Submodules
+----------
+
+.. automodule:: libreantdb.api
+    :members:
+    :undoc-members:
+    :show-inheritance:
 
-.. autoclass:: libreantdb.DB
-   :members:
-   :undoc-members:
 
diff --git a/doc/source/api/modules.rst b/doc/source/api/modules.rst
index fc0cb32..ac347b1 100644
--- a/doc/source/api/modules.rst
+++ b/doc/source/api/modules.rst
@@ -1,7 +1,11 @@
 API
-=============
+===
 
 .. toctree::
-   :maxdepth: 4
+   :maxdepth: 1
 
+   archivant
+   conf
    libreantdb
+   presets
+   users
diff --git a/doc/source/api/presets.rst b/doc/source/api/presets.rst
new file mode 100644
index 0000000..bb124d8
--- /dev/null
+++ b/doc/source/api/presets.rst
@@ -0,0 +1,17 @@
+presets package
+===============
+
+.. automodule:: presets
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+Submodules
+----------
+
+.. automodule:: presets.presetManager
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+
diff --git a/doc/source/api/users.rst b/doc/source/api/users.rst
new file mode 100644
index 0000000..af3401e
--- /dev/null
+++ b/doc/source/api/users.rst
@@ -0,0 +1,22 @@
+users package
+=============
+
+.. automodule:: users
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+Submodules
+----------
+
+.. automodule:: users.api
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+.. automodule:: users.models
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+
diff --git a/doc/source/sysadmin.rst b/doc/source/sysadmin.rst
index d20b2ff..ceb9978 100644
--- a/doc/source/sysadmin.rst
+++ b/doc/source/sysadmin.rst
@@ -18,7 +18,7 @@ Download and install the Public Signing Key for elasticsearch repo::
 
 Add elasticsearch repos in /etc/apt/sources.list.d/elasticsearch.list::
 
-    echo "deb http://packages.elasticsearch.org/elasticsearch/1.4/debian stable main" | sudo tee /etc/apt/sources.list.d/elasticsearch.list
+    echo "deb http://packages.elasticsearch.org/elasticsearch/1.7/debian stable main" | sudo tee /etc/apt/sources.list.d/elasticsearch.list
 
 Install requirements::
     
diff --git a/libreantdb/__init__.py b/libreantdb/__init__.py
index d78ebbe..6c96a54 100644
--- a/libreantdb/__init__.py
+++ b/libreantdb/__init__.py
@@ -1,4 +1,4 @@
 from api import DB
 
 
-__all__ = [DB]
+__all__ = ['DB']
diff --git a/presets/__init__.py b/presets/__init__.py
index 48d8fff..222acd1 100644
--- a/presets/__init__.py
+++ b/presets/__init__.py
@@ -1,4 +1,4 @@
 from presetManager import PresetManager
 
 
-__all__ = [PresetManager]
+__all__ = ['PresetManager']
diff --git a/presets/presetManager.py b/presets/presetManager.py
index 5283dd2..062e373 100644
--- a/presets/presetManager.py
+++ b/presets/presetManager.py
@@ -8,10 +8,10 @@
 class PresetManager(object):
     '''PresetManager deals with presets loading, validating, storing
 
-    you can use it like this:
+    you can use it like this::
+
+        pm = PresetManager(["/path/to/presets/folder", "/another/path"])
 
-    python::
-    pm = PresetManager(["/path/to/presets/folder", "/another/path"])
     '''
 
     MAX_DEPTH = 5
@@ -109,14 +109,15 @@ class Schema(object):
     a specific object structure.
 
     all child class in order to use schema validation must:
-     - describe the desired object schema using ```self.fields```
-     - save input object in ```self.body```
+     - describe the desired object schema using `self.fields`
+     - save input object in `self.body`
 
-    ```self.fields``` must be a ```dict```,
-    where keys match the relative self.body keys
+    `self.fields` must be a dict,
+    where keys match the relative `self.body` keys
     and values describe how relative self.body valuse must be.
 
     Example::
+
         self.fields = { 'description': {
                             'type': basestring,
                             'required': False,
@@ -128,6 +129,7 @@ class Schema(object):
                             'default': True
                         }
                       }
+
     '''
 
     fields = {}
diff --git a/setup.cfg b/setup.cfg
index fe6bdd1..5286f47 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -1,7 +1,7 @@
 [nosetests]
 all-modules=1
 with-coverage=1
-cover-package=libreantdb, webant, presets, archivant, utils, cli, conf
+cover-package=libreantdb, webant, presets, archivant, users, utils, cli, conf
 
 [flake8]
 ignore=E1,E2,E5
diff --git a/setup.py b/setup.py
index bb15108..eafc348 100644
--- a/setup.py
+++ b/setup.py
@@ -87,7 +87,7 @@ def read(fname):
 
 conf = dict(
         name='libreant',
-        version='0.2.2',
+        version='0.3',
         description='{e,}book archive focused on small grass root archives, distributed search, low assumptions',
         long_description=read('README.rst'),
         author='insomnialab',
@@ -99,6 +99,7 @@ def read(fname):
                   'webant.api',
                   'presets',
                   'archivant',
+                  'users',
                   'utils',
                   'cli',
                   'conf'],
@@ -108,10 +109,13 @@ def read(fname):
           'flask-bootstrap',
           'Flask-Babel',
           'flask-script',
+          'Flask-Authbone >=0.2',
           'Flask',
           'opensearch',
           'Fsdb',
-          'click'
+          'click',
+          'peewee',
+          'passlib >=1.6, <1.7' # version 1.7 will drop python2 suport
         ],
         package_data = {
           # If any package contains *.mo include them
@@ -129,6 +133,7 @@ def read(fname):
         entry_points={'console_scripts': [
           'libreant=cli.libreant:libreant',
           'agherant=cli.agherant:agherant',
+          'libreant-users=cli.libreant_users:libreant_users',
           'libreant-db=cli.libreant_db:libreant_db'
         ]},
         classifiers=[
diff --git a/users/__init__.py b/users/__init__.py
new file mode 100644
index 0000000..334dbd9
--- /dev/null
+++ b/users/__init__.py
@@ -0,0 +1,135 @@
+'''
+The `users` package manages the models and the API about users, groups and
+capabilities. Note that this package does **not** specify permissions for
+objects. Actual permissions are handled at the UI level.
+
+The main concepts are:
+
+- A :py:class:`~users.models.User` is what you think it is; something that you can login as.
+- A :py:class:`~users.models.Group` is a collection of users. Note that a user can belong to multiple
+  groups. A group has capabilities.
+- A :py:class:`~users.models.Capability` is a "granted permission". You can think of it like a piece of
+  paper saying, ie. "you can create new attachments".
+
+  - Its :py:attr:`~users.models.Capability.action` is a composition of Create, Read, Update, Delete
+    (it follows the CRUD model).
+  - A :py:attr:`~users.models.Capability.domain` is a regular expression that
+    must "match" to the description of an object. ie. ``/cars/*`` means "every
+    car", while ``/cars/*/tires/`` means "the tires of every car"
+
+This also means that a user has no capability (directly). It just belongs to
+groups, which, in turn, have capabilities.
+
+The rationale behind what a Capability is may seem baroque, but there are
+several advantages to it:
+
+- it is decoupled from  the actual domains used by the UI
+- the regular expression make it possible to create groups that can operate on
+  everything (``*``).
+'''
+from peewee import SqliteDatabase
+from playhouse import db_url
+from passlib.context import CryptContext
+from models import db_proxy,\
+    User, Group, UserToGroup, GroupToCapability, Capability, Action
+import logging
+
+
+class SqliteFKDatabase(SqliteDatabase):
+    '''SqliteDatabase with foreignkey support enabled'''
+
+    def initialize_connection(self, conn):
+        self.execute_sql('PRAGMA foreign_keys=ON;')
+
+
+# replace default sqlite scheme
+# in order to support foreign key
+db_url.schemes['sqlite'] = SqliteFKDatabase
+
+# context to be use for password hashing
+# it's initialized and configured by
+pwdCryptCtx=None
+
+db = db_proxy
+
+
+def init_proxy(dbURL):
+    '''Instantiate proxy to the database
+
+    :param dbURL: the url describing connection parameters
+        to the choosen database. The url must have format explained in the `Peewee url documentation
+        <http://peewee.readthedocs.org/en/latest/peewee/playhouse.html#db-url>`_.
+
+        examples:
+         * sqlite: ``sqlite:///my_database.db``
+         * postgres: ``postgresql://postgres:my_password@localhost:5432/my_database``
+         * mysql: ``mysql://user:passwd@ip:port/my_db``
+    '''
+    db_proxy.initialize(db_url.connect(dbURL))
+    return db_proxy
+
+
+def create_tables(database):
+    '''Create all tables in the given database'''
+    logging.getLogger(__name__).debug("Creating missing database tables")
+    database.connect()
+    database.create_tables([User,
+                            Group,
+                            UserToGroup,
+                            GroupToCapability,
+                            Capability], safe=True)
+
+
+def populate_with_defaults():
+    '''Create user admin and grant him all permission
+
+    If the admin user already exists the function will simply return
+    '''
+    logging.getLogger(__name__).debug("Populating with default users")
+    if not User.select().where(User.name == 'admin').exists():
+        admin = User.create(name='admin', password='admin')
+        admins = Group.create(name='admins')
+        starCap = Capability.create(domain='.+',
+                                    action=(Action.CREATE |
+                                            Action.READ |
+                                            Action.UPDATE |
+                                            Action.DELETE))
+        admins.capabilities.add(starCap)
+        admin.groups.add(admins)
+        admin.save()
+    if not User.select().where(User.name == 'anonymous').exists():
+        anon = User.create(name='anonymous', password='')
+        anons = Group.create(name='anonymous')
+        anon.groups.add(anons)
+        anon.save()
+
+
+def init_db(dbURL, pwd_salt_size=None, pwd_rounds=None):
+    '''Initialize users database
+
+    initialize database and create necessary tables
+    to handle users oprations.
+
+    :param dbURL: database url, as described in :func:`init_proxy`
+    '''
+    if not dbURL:
+        dbURL = 'sqlite:///:memory:'
+    logging.getLogger(__name__).debug("Initializing database: {}".format(dict(url=dbURL,
+                                                                              pwd_salt_size=pwd_salt_size,
+                                                                              pwd_rounds=pwd_rounds)))
+    try:
+        db = init_proxy(dbURL)
+        global pwdCryptCtx
+        pwdCryptCtx = gen_crypt_context(salt_size=pwd_salt_size, rounds=pwd_rounds)
+        create_tables(db)
+        return db
+    except Exception as e:
+        e.args = (e.args[0] + ' [users database]',)
+        raise
+
+
+def gen_crypt_context(salt_size=None, rounds=None):
+    return CryptContext(schemes=['pbkdf2_sha256', 'pbkdf2_sha512'],
+                        default='pbkdf2_sha256',
+                        all__salt_size=salt_size,
+                        all__default_rounds=rounds)
diff --git a/users/api.py b/users/api.py
new file mode 100644
index 0000000..1f8b49e
--- /dev/null
+++ b/users/api.py
@@ -0,0 +1,167 @@
+from users import User, Group, Capability, db
+from peewee import IntegrityError
+
+
+def add_user(name, password):
+    try:
+        return User.create(name=name, password=password)
+    except IntegrityError:
+        raise ConflictException("user with the same name already exists")
+
+
+def delete_user(id):
+    if not User.delete().where(User.id == id).execute():
+        raise NotFoundException('no user could be found with this id')
+
+
+def update_user(id, updates):
+    with db.atomic():
+        u = get_user(id)
+        if 'password' in updates:
+            u.set_password(updates['password'])
+        if 'name' in updates:
+            u.name = updates['name']
+        u.save()
+
+
+def get_user(id=None, name=None):
+    try:
+        if id:
+            return User.get(User.id==id)
+        elif name:
+            return User.get(User.name==name)
+        else:
+            raise ValueError('nither `id` or `name` was given')
+    except User.DoesNotExist:
+        raise NotFoundException("no user could be found with these attributes")
+
+
+def add_group(name):
+    try:
+        return Group.create(name=name)
+    except IntegrityError:
+        raise ConflictException("a group with the same name already exists")
+
+
+def delete_group(id):
+    if not Group.delete().where(Group.id == id).execute():
+        raise NotFoundException('no group could be found with this id')
+
+
+def update_group(id, updates):
+    with db.atomic():
+        g = get_group(id)
+        if 'name' in updates:
+            g.name = updates['name']
+        g.save()
+
+
+def get_group(id=None, name=None):
+    try:
+        if id:
+            return Group.get(Group.id==id)
+        elif name:
+            return Group.get(Group.name==name)
+        else:
+            raise ValueError('nither `id` or `name` was given')
+    except Group.DoesNotExist:
+        raise NotFoundException("no group could be found with these attributes")
+
+
+def add_user_to_group(userID, groupID):
+    with db.atomic():
+        u = get_user(userID)
+        g = get_group(groupID)
+        u.groups.add(g)
+        u.save()
+
+
+def remove_user_from_group(userID, groupID):
+    with db.atomic():
+        u = get_user(userID)
+        g = get_group(groupID)
+        u.groups.remove(g)
+        u.save()
+
+
+def get_groups_of_user(userID):
+    for g in get_user(id=userID).groups:
+        yield g
+
+
+def get_users_in_group(groupID):
+    for u in get_group(id=groupID).users:
+        yield u
+
+
+def get_capability(capID):
+    try:
+        return Capability.get(Capability.id == capID)
+    except Capability.DoesNotExist:
+        raise NotFoundException("no capability could be found with these attributes")
+
+
+def add_capability(domain, action, simplified=True):
+    try:
+        if simplified:
+           domain = Capability.simToReg(domain)
+        return Capability.create(domain=domain, action=action)
+    except IntegrityError:
+        raise ConflictException("a capability with the same attributes already exists")
+
+
+def delete_capability(capID):
+    if not Capability.delete().where(Capability.id == capID).execute():
+        raise NotFoundException('no capability could be found with this id')
+
+
+def update_capability(id, updates):
+    with db.atomic():
+        cap = get_capability(id)
+        if 'domain' in updates:
+            cap.domain = Capability.simToReg(updates['domain'])
+        if 'action' in updates:
+            cap.action = updates['action']
+        cap.save()
+
+
+def add_capability_to_group(capID, groupID):
+    with db.atomic():
+        cap = get_capability(capID)
+        grp = get_group(groupID)
+        grp.capabilities.add(cap)
+        cap.save()
+
+
+def remove_capability_from_group(capID, groupID):
+    with db.atomic():
+        cap = get_capability(capID)
+        grp = get_group(groupID)
+        grp.capabilities.remove(cap)
+        cap.save()
+
+
+def get_groups_with_capability(capID):
+    for g in get_capability(capID).groups:
+        yield g
+
+
+def get_capabilities_of_group(groupID):
+    for c in get_group(groupID).capabilities:
+        yield c
+
+
+def get_anonymous_user():
+    return get_user(name='anonymous')
+
+
+def is_anonymous(user):
+    return user.name == 'anonymous'
+
+
+class NotFoundException(Exception):
+    pass
+
+
+class ConflictException(Exception):
+    pass
diff --git a/users/models.py b/users/models.py
new file mode 100644
index 0000000..7c088eb
--- /dev/null
+++ b/users/models.py
@@ -0,0 +1,224 @@
+import re
+from peewee import PrimaryKeyField, CharField, ForeignKeyField, IntegerField,\
+    Model, Proxy, CompositeKey
+from playhouse.fields import ManyToManyField
+import users
+
+# Create a proxy to DB that can
+# be instantiated at runtime
+db_proxy = Proxy()
+
+GroupToCapabilityProxy = Proxy()
+UserToGroupProxy = Proxy()
+
+
+class ActionField(IntegerField):
+    db_field = 'action'
+
+    def db_value(self, value):
+        return value
+
+    def python_value(self, value):
+        return Action(value)
+
+
+class BaseModel(Model):
+    class Meta:
+        database = db_proxy  # Use proxy for our DB.
+
+    def to_dict(self):
+        return dict(id=self.id)
+
+
+class Capability(BaseModel):
+    """
+    Capability model
+
+    A capability is composed by a :attr:`domain`
+    and an :attr:`action`. It represent the possibility
+    to perform a specific set of actions on the resources
+    described by the domain
+
+    .. py:attribute:: domain
+
+        is a regular expression that describe all the resources involved in the
+        capability.  You can use :func:`simToReg` and :func:`regToSim` utility
+        function to easily manipulate domain regular expressions.
+
+    .. py:attribute:: action
+
+        an :class:`~users.models.ActionField` *what* can be done on :attr:`domain`
+    """
+
+    id = PrimaryKeyField()
+    domain = CharField()
+    action = ActionField()
+
+    class Meta:
+        indexes = ((('domain', 'action'), False),)
+
+    def to_dict(self):
+        return dict(id=self.id, domain=self.regToSim(self.domain), action=self.action.to_list())
+
+    @classmethod
+    def simToReg(self, sim):
+        """Convert simplified domain expression to regular expression"""
+        # remove initial slash if present
+        res = re.sub('^/', '', sim)
+        res = re.sub('/$', '', res)
+        return '^/?' + re.sub('\*', '[^/]+', res) + '/?$'
+
+    @classmethod
+    def regToSim(self, reg):
+        """Convert regular expression to simplified domain expression"""
+        return re.sub('\[\^/\]\+', '*', reg[3:-3])
+
+    def match_domain(self, dom):
+        """Check if the given `dom` is included in this capability domain"""
+        return bool(re.match(self.domain, dom))
+
+    def match_action(self, act):
+        """Check if the given `act` is allowed from this capability"""
+        return (self.action & act) == act
+
+    def match(self, dom, act):
+        """
+        Check if the given `domain` and `act` are allowed
+        by this capability
+        """
+        return self.match_domain(dom) and self.match_action(act)
+
+
+class Action(int):
+    """Actions utiliy class
+
+    You can use this class attributes to compose the actions bitmask::
+        bitmask = Action.CREATE | Action.DELETE
+
+    The following actions are supported:
+     - CREATE
+     - READ
+     - UPDATE
+     - DELETE
+    """
+
+    # the index of the action in the list correspond to the its position in the bitmask
+    ACTIONS = ['CREATE', 'READ', 'UPDATE', 'DELETE']
+
+    def __new__(cls, bitmask):
+        if bitmask >= 2**len(cls.ACTIONS):
+            raise ValueError('bitmask %d is too big' % bitmask)
+        return super(Action, cls).__new__(cls, bitmask)
+
+    def to_list(self):
+        '''convert an actions bitmask into a list of action strings'''
+        res = []
+        for a in self.__class__.ACTIONS:
+            aBit = self.__class__.action_bitmask(a)
+            if ((self & aBit) == aBit):
+                res.append(a)
+        return res
+
+    @classmethod
+    def from_list(cls, actions):
+        '''convert list of actions into the corresponding bitmask'''
+        bitmask = 0
+        for a in actions:
+            bitmask |= cls.action_bitmask(a)
+        return Action(bitmask)
+
+    @classmethod
+    def action_bitmask(cls, action):
+        '''return the bitmask associated withe the given action name'''
+        return 2**cls.ACTIONS.index(action.upper())
+
+for i, act in enumerate(Action.ACTIONS):
+    setattr(Action, act.upper(), 2**i)
+
+
+class Group(BaseModel):
+    """Group model
+
+    A group has a set of capabilities and a
+    number of users belonging to it.
+    It's an handy way of grouping users with the same capability.
+    """
+    id = PrimaryKeyField()
+    name = CharField(unique=True)
+    capabilities = ManyToManyField(Capability, related_name='groups', through_model=GroupToCapabilityProxy)
+
+    def to_dict(self):
+        return dict(id=self.id, name=self.name)
+
+    def can(self, domain, action):
+        for cap in self.capabilities:
+            if(cap.match(domain, action)):
+                return True
+        return False
+
+
+class User(BaseModel):
+    """User model"""
+    id = PrimaryKeyField()
+    name = CharField(unique=True)
+    pwd_hash = CharField(max_length=255, null=True)
+    groups = ManyToManyField(Group, related_name='users', through_model=UserToGroupProxy)
+
+    def __init__(self, **kargs):
+        super(User, self).__init__()
+        if 'name' in kargs:
+            self.name = kargs['name']
+        if 'password' in kargs:
+            self.set_password(kargs['password'])
+
+    def to_dict(self):
+        return dict(id=self.id, name=self.name)
+
+    def set_password(self, password):
+        """set user password
+
+        Generate random salt, derivate the given password using pbkdf2
+        algorith and store a summarizing string in :attr:`pwd_hash`.
+        For hash format refer to `passlib documentation <https://pythonhosted.org/passlib/lib/passlib.hash.pbkdf2_digest.html#format-algorithm>`_.
+        """
+        self.pwd_hash = users.pwdCryptCtx.encrypt(password)
+
+    def verify_password(self, password):
+        """Check if the given password is the same
+        stored for this user"""
+        return users.pwdCryptCtx.verify(password, self.pwd_hash)
+
+    @property
+    def capabilities(self):
+        return (Capability
+                .select()
+                .join(GroupToCapability).join(Group)
+                .join(UserToGroup).join(User)
+                .where(User.id == self.id))
+
+    def can(self, domain, action):
+        """Can perform `action` on the given `domain`."""
+        for cap in self.capabilities:
+            if(cap.match(domain, action)):
+                return True
+        return False
+
+
+class GroupToCapability(BaseModel):
+    group = ForeignKeyField(Group, on_delete='CASCADE')
+    capability = ForeignKeyField(Capability, on_delete='CASCADE')
+
+    class Meta:
+        primary_key = CompositeKey('group', 'capability')
+
+
+class UserToGroup(BaseModel):
+    user = ForeignKeyField(User, on_delete='CASCADE')
+    group = ForeignKeyField(Group, on_delete='CASCADE')
+
+    class Meta:
+        primary_key = CompositeKey('user', 'group')
+
+
+GroupToCapabilityProxy.initialize(GroupToCapability)
+UserToGroupProxy.initialize(UserToGroup)
diff --git a/users/test/__init__.py b/users/test/__init__.py
new file mode 100644
index 0000000..324d194
--- /dev/null
+++ b/users/test/__init__.py
@@ -0,0 +1,8 @@
+from unittest import TestCase
+from users import init_db
+
+
+class TestBaseClass(TestCase):
+
+    def setUp(self):
+        self.udb = init_db('sqlite:///:memory:', pwd_rounds=1)
diff --git a/users/test/test_capability.py b/users/test/test_capability.py
new file mode 100644
index 0000000..327e17c
--- /dev/null
+++ b/users/test/test_capability.py
@@ -0,0 +1,129 @@
+from . import TestBaseClass
+from nose.tools import eq_
+from users import User, Group, GroupToCapability, Capability, Action
+from peewee import IntegrityError
+
+
+class TestCapability(TestBaseClass):
+
+    def populate(self):
+        with self.udb.atomic():
+            cap1 = Capability.create(domain='res1', action=Action.READ)
+            cap2 = Capability.create(domain='res2', action=Action.UPDATE)
+            grp1 = Group.create(name='grp2')
+            grp2 = Group.create(name='grp1')
+            usr = User.create(name='usr')
+            grp1.capabilities.add(cap1)
+            grp2.capabilities.add(cap2)
+            usr.groups.add([grp1, grp2])
+        return usr, [cap1, cap2]
+
+    def test_capability_creation(self):
+        Capability.create(domain='res', action=Action.CREATE)
+        eq_(Capability.select().count(), 1)
+
+    def test_assign_capability_to_group(self):
+        cap = Capability.create(domain='res', action=Action.DELETE)
+        anons = Group.create(name='anons')
+        anons.capabilities.add(cap)
+        anons.save()
+        eq_(anons.capabilities.count(), 1)
+        eq_(anons.capabilities.get(), cap)
+
+    def test_assign_same_capability_to_group(self):
+        cap = Capability.create(domain='res', action=Action.DELETE)
+        anons = Group.create(name='anons')
+        anons.capabilities.add(cap)
+        anons.save()
+        with self.assertRaises(IntegrityError):
+            anons.capabilities.add(cap)
+            anons.save()
+        eq_(anons.capabilities.count(), 1)
+        eq_(anons.capabilities.get(), cap)
+
+    def test_get_capabilities_from_user(self):
+        usr, caps = self.populate()
+        userCapIds = [c.id for c in usr.capabilities]
+        eq_(len(userCapIds), 2)
+        eq_(set(userCapIds), set([c.id for c in caps]))
+
+    def test_remove_capabilities(self):
+        usr, caps = self.populate()
+        Capability.delete().where(Capability.domain == caps[0].domain,
+                                  Capability.action == caps[0].action).execute()
+        eq_(usr.capabilities.count(), 1)
+        eq_(usr.capabilities.get(), caps[1])
+        eq_(GroupToCapability.select().count(), 1)
+
+    def test_action_creation(self):
+        Action.from_list(Action.ACTIONS)
+        with self.assertRaises(ValueError):
+            Action(Action.from_list(Action.ACTIONS) + 1)
+
+    def test_action_matching(self):
+        cap = Capability.create(domain='s',
+                                action=(Action.CREATE | Action.READ | Action.UPDATE))
+        self.assertTrue(cap.match_action(Action.UPDATE))
+        self.assertTrue(cap.match_action(Action.READ | Action.READ))
+        self.assertFalse(cap.match_action(Action.DELETE))
+        self.assertFalse(cap.match_action(Action.READ | Action.DELETE))
+        self.assertFalse(cap.match_action(123123))
+
+    def test_domain_matching_true(self):
+        res = Capability.simToReg('volumes/*/attachments/*')
+        cap = Capability.create(domain=res, action='21')
+        self.assertTrue(cap.match_domain('volumes/j12j3213j/attachments/z7s71kj23'))
+        self.assertTrue(cap.match_domain('/volumes/123nj12j3k/attachments/kj321k'))
+        self.assertTrue(cap.match_domain('volumes/123nj12j3k/attachments/kj321k/'))
+
+    def test_domain_matching_false(self):
+        res = Capability.simToReg('volumes/*/attachments/*')
+        cap = Capability.create(domain=res, action='21')
+        self.assertFalse(cap.match_domain('volumes//attachments/z7s71kj23'))
+        self.assertFalse(cap.match_domain('volumes/123123'))
+        self.assertFalse(cap.match_domain('volumes/123123/attachments'))
+        self.assertFalse(cap.match_domain('volumes/attachments/z7s71kj23'))
+        self.assertFalse(cap.match_domain('volumes/j12j3213j/attachments'))
+        self.assertFalse(cap.match_domain('volumes/j12j3213j/attachments/123123/name'))
+        self.assertFalse(cap.match_domain('nothere/volumes/j12j3213j/attachments/123123/name'))
+
+    def test_capability_matching(self):
+        res = Capability.simToReg('/volumes/*/attachemnts/*')
+        cap = Capability.create(domain=res, action=Action.READ)
+        cap.match('volumes/1/attachments/3', Action.READ)
+
+    def test_simplified_to_reg_conversion(self):
+        self.assertEqual(Capability.regToSim(Capability.simToReg('/volumes/*/attachments')), 'volumes/*/attachments')
+        self.assertEqual(Capability.regToSim(Capability.simToReg('volumes/*/attachments/')), 'volumes/*/attachments')
+        self.assertEqual(Capability.regToSim(Capability.simToReg('/*/')), '*')
+
+    def test_user_can(self):
+        cap1 = Capability.create(domain=Capability.simToReg('volumes/*'),
+                                 action=Action.CREATE | Action.READ)
+        cap2 = Capability.create(domain=Capability.simToReg('volumes/123'),
+                                 action=Action.UPDATE)
+        grp1 = Group.create(name='grp2')
+        grp2 = Group.create(name='grp1')
+        usr = User.create(name='usr')
+        grp1.capabilities.add(cap1)
+        grp2.capabilities.add(cap2)
+        usr.groups.add([grp1, grp2])
+        self.assertTrue(usr.can('volumes/61273', action=Action.CREATE))
+        self.assertTrue(usr.can('volumes/123', Action.CREATE | Action.READ))
+        self.assertFalse(usr.can('volumes/82828', Action.DELETE))
+        self.assertFalse(usr.can('volumes/123', Action.DELETE))
+
+    def test_group_can(self):
+        cap1 = Capability.create(domain=Capability.simToReg('volumes/*'),
+                                 action=Action.CREATE | Action.READ)
+        cap2 = Capability.create(domain=Capability.simToReg('users/123'),
+                                 action=Action.CREATE | Action.DELETE)
+        grp = Group.create(name='grp2')
+        grp.capabilities.add([cap1, cap2])
+        self.assertTrue(grp.can('volumes/123', Action.CREATE | Action.READ))
+        self.assertFalse(grp.can('volumes/82828', Action.DELETE))
+        self.assertTrue(grp.can('users/123', Action.DELETE))
+        self.assertFalse(grp.can('users/123', Action.UPDATE))
+
+    def test_bitmask(self):
+        self.assertEqual(Action.from_list(Action.ACTIONS).to_list(), Action.ACTIONS)
diff --git a/users/test/test_groups.py b/users/test/test_groups.py
new file mode 100644
index 0000000..b57faf9
--- /dev/null
+++ b/users/test/test_groups.py
@@ -0,0 +1,57 @@
+from . import TestBaseClass
+from nose.tools import eq_
+from users import User, Group, UserToGroup
+from peewee import IntegrityError
+
+
+class TestGroup(TestBaseClass):
+
+    def test_group_creation(self):
+        newGroup = Group.create(name='chefs')
+        Group.get(Group.name == newGroup.name)
+        eq_(Group.select().count(), 1)
+
+    def test_group_unique_name(self):
+        Group.create(name='cyclists')
+        with self.assertRaises(IntegrityError):
+            Group.create(name='cyclists')
+
+    def test_assign_user_to_group(self):
+        anons = Group.create(name='anons')
+        jhondohe = User.create(name='jhondhoe', password='pass')
+        anons.users.add(jhondohe)
+        anons.save()
+        eq_(jhondohe.groups.count(), 1)
+        eq_(jhondohe.groups.get().id, anons.id)
+
+    def test_assign_duplicate_user_to_group(self):
+        anons = Group.create(name='anons')
+        jhondohe = User.create(name='jhondhoe', password='pass')
+        anons.users.add(jhondohe)
+        anons.save()
+        with self.assertRaises(IntegrityError):
+            anons.users.add(jhondohe)
+            anons.save()
+        eq_(jhondohe.groups.count(), 1)
+        eq_(jhondohe.groups.get().id, anons.id)
+
+    def test_remove_user_from_group(self):
+        anons = Group.create(name='anons')
+        jhondohe = User.create(name='jhondhoe', password='pass')
+        anons.users.add(jhondohe)
+        anons.save()
+        anons.users.remove(jhondohe)
+        anons.save()
+        eq_(jhondohe.groups.count(), 0)
+        eq_(UserToGroup.select().count(), 0)
+
+    def test_assign_user_to_multiple_group(self):
+        rebels = Group.create(name='rebels')
+        aliens = Group.create(name='aliens')
+        allGroups = [aliens, rebels]
+        # https://en.wikipedia.org/wiki/They_Live
+        user = User.create(name='doubtful')
+        user.groups.add(allGroups)
+        belongsID = [g.id for g in user.groups]
+        allGroupsID = [g.id for g in allGroups]
+        eq_((set(belongsID), len(belongsID)), (set(allGroupsID), len(allGroupsID)))
diff --git a/users/test/test_users.py b/users/test/test_users.py
new file mode 100644
index 0000000..27588bd
--- /dev/null
+++ b/users/test/test_users.py
@@ -0,0 +1,39 @@
+from . import TestBaseClass
+from peewee import IntegrityError
+from nose.tools import eq_, ok_
+from users import User
+
+
+class TestUsers(TestBaseClass):
+
+    def test_user_creation(self):
+        newUser = User.create(name='test', password='pass')
+        User.get(User.name == newUser.name)
+        eq_(User.select().count(), 1)
+
+    def test_user_removal(self):
+        newUser = User.create(name='test', password='pass')
+        newUser.delete_instance()
+        eq_(User.select().count(), 0)
+
+    def test_user_unique_name(self):
+        User.create(name='test', password='pass')
+        with self.assertRaises(IntegrityError):
+            User.create(name='test', password='plusPass')
+
+    def test_user_verify_right_password(self):
+        User.create(name='test', password='right_pass')
+        ok_(User.get(User.name == 'test').verify_password('right_pass'))
+
+    def test_user_verify_wrong_password(self):
+        User.create(name='test', password='pass')
+        ok_(not User.get(User.name == 'test').verify_password('wrong_pass'))
+
+    def test_user_change_password(self):
+        u = User.create(name='test', password='pass_1')
+        u = User.get(User.name == 'test')
+        u.set_password('pass_2')
+        u.save()
+        u = User.get(User.name == 'test')
+        ok_(not u.verify_password('pass_1'))
+        ok_(u.verify_password('pass_2'))
diff --git a/utils/loggers.py b/utils/loggers.py
index 70cc003..0b57b9b 100644
--- a/utils/loggers.py
+++ b/utils/loggers.py
@@ -1,7 +1,7 @@
 import logging
 
 
-LOG_NAMES = ['webant', 'fsdb', 'presets', 'agherant', 'config_utils', 'libreantdb', 'archivant']
+LOG_NAMES = ['webant', 'fsdb', 'presets', 'agherant', 'config_utils', 'libreantdb', 'archivant', 'users']
 
 
 def initLoggers(logLevel=logging.WARNING, logNames=LOG_NAMES):
diff --git a/webant/api/archivant_api.py b/webant/api/archivant_api.py
new file mode 100644
index 0000000..43e4967
--- /dev/null
+++ b/webant/api/archivant_api.py
@@ -0,0 +1,181 @@
+import json
+import tempfile
+import os
+from werkzeug import secure_filename
+from webant.util import send_attachment_file, routes_collector
+from flask import request, current_app, url_for, jsonify
+from archivant import Archivant
+from archivant.exceptions import NotFoundException
+from util import ApiError, make_success_response
+
+
+routes = []
+route = routes_collector(routes)
+
+
+@route('/volumes/')
+def get_volumes():
+    q = request.args.get('q', "*:*")
+    try:
+        from_ = int(request.args.get('from', 0))
+    except ValueError:
+        raise ApiError("Bad Request", 400, details="could not covert 'from' parameter to number")
+    try:
+        size = int(request.args.get('size', 10))
+    except ValueError:
+        raise ApiError("Bad Request", 400, details="could not covert 'size' parameter to number")
+    if size > current_app.config.get('MAX_RESULTS_PER_PAGE', 50):
+        raise ApiError("Request Entity Too Large", 413, details="'size' parameter is too high")
+
+    q_res = current_app.archivant._db.get_books_querystring(query=q, from_=from_, size=size)
+    volumes = map(Archivant.normalize_volume, q_res['hits']['hits'])
+    next_args = "?q={}&from={}&size={}".format(q, from_ + size, size)
+    prev_args = "?q={}&from={}&size={}".format(q, from_ - size if ((from_ - size) > -1) else 0, size)
+    base_url = url_for('.get_volumes', _external=True)
+    res = {'link_prev': base_url + prev_args,
+           'link_next': base_url + next_args,
+           'total': q_res['hits']['total'],
+           'data': volumes}
+    return jsonify(res)
+
+
+@route('/volumes/', methods=['POST'])
+def add_volume():
+    metadata = receive_volume_metadata()
+    try:
+        volumeID = current_app.archivant.insert_volume(metadata)
+    except ValueError, e:
+        raise ApiError("malformed metadata", 400, details=str(e))
+    link_self = url_for('.get_volume', volumeID=volumeID, _external=True)
+    response = jsonify({'data': {'id': volumeID, 'link_self': link_self}})
+    response.status_code = 201
+    response.headers['Location'] = link_self
+    return response
+
+
+@route('/volumes/<volumeID>', methods=['PUT'])
+def update_volume(volumeID):
+    metadata = receive_volume_metadata()
+    try:
+        current_app.archivant.update_volume(volumeID, metadata)
+    except NotFoundException, e:
+        raise ApiError("volume not found", 404, details=str(e))
+    except ValueError, e:
+        raise ApiError("malformed metadata", 400, details=str(e))
+    return make_success_response("volume successfully updated", 201)
+
+
+@route('/volumes/<volumeID>', methods=['GET'])
+def get_volume(volumeID):
+    try:
+        volume = current_app.archivant.get_volume(volumeID)
+    except NotFoundException, e:
+        raise ApiError("volume not found", 404, details=str(e))
+    return jsonify({'data': volume})
+
+
+@route('/volumes/<volumeID>', methods=['DELETE'])
+def delete_volume(volumeID):
+    try:
+        current_app.archivant.delete_volume(volumeID)
+    except NotFoundException, e:
+        raise ApiError("volume not found", 404, details=str(e))
+    return make_success_response("volume has been successfully deleted")
+
+
+@route('/volumes/<volumeID>/attachments/', methods=['GET'])
+def get_attachments(volumeID):
+    try:
+        atts = current_app.archivant.get_volume(volumeID)['attachments']
+    except NotFoundException, e:
+        raise ApiError("volume not found", 404, details=str(e))
+    return jsonify({'data': atts})
+
+
+@route('/volumes/<volumeID>/attachments/', methods=['POST'])
+def add_attachments(volumeID):
+    metadata = receive_metadata(optional=True)
+    if 'file' not in request.files:
+        raise ApiError("malformed request", 400, details="file not found under 'file' key")
+    upFile = request.files['file']
+    tmpFileFd, tmpFilePath = tempfile.mkstemp()
+    upFile.save(tmpFilePath)
+    fileInfo = {}
+    fileInfo['file'] = tmpFilePath
+    fileInfo['name'] = secure_filename(upFile.filename)
+    fileInfo['mime'] = upFile.mimetype
+    fileInfo['notes'] = metadata.get('notes', '')
+    # close fileDescriptor
+    os.close(tmpFileFd)
+    try:
+        attachmentID = current_app.archivant.insert_attachments(volumeID, attachments=[fileInfo])[0]
+    except NotFoundException, e:
+        raise ApiError("volume not found", 404, details=str(e))
+    finally:
+        # remove temp files
+        os.remove(fileInfo['file'])
+    link_self = url_for('.get_attachment', volumeID=volumeID, attachmentID=attachmentID, _external=True)
+    response = jsonify({'data': {'id': attachmentID, 'link_self': link_self}})
+    response.status_code = 201
+    response.headers['Location'] = link_self
+    return response
+
+
+@route('/volumes/<volumeID>/attachments/<attachmentID>', methods=['GET'])
+def get_attachment(volumeID, attachmentID):
+    try:
+        att = current_app.archivant.get_attachment(volumeID, attachmentID)
+    except NotFoundException, e:
+        raise ApiError("attachment not found", 404, details=str(e))
+    return jsonify({'data': att})
+
+
+@route('/volumes/<volumeID>/attachments/<attachmentID>', methods=['DELETE'])
+def delete_attachment(volumeID, attachmentID):
+    try:
+        current_app.archivant.delete_attachments(volumeID, [attachmentID])
+    except NotFoundException, e:
+        raise ApiError("attachment not found", 404, details=str(e))
+    return make_success_response("attachment has been successfully deleted")
+
+
+@route('/volumes/<volumeID>/attachments/<attachmentID>', methods=['PUT'])
+def update_attachment(volumeID, attachmentID):
+    metadata = receive_metadata()
+    try:
+        current_app.archivant.update_attachment(volumeID, attachmentID, metadata)
+    except ValueError, e:
+        raise ApiError("malformed request", 400, details=str(e))
+    return make_success_response("attachment has been successfully updated")
+
+
+@route('/volumes/<volumeID>/attachments/<attachmentID>/file', methods=['GET'])
+def get_file(volumeID, attachmentID):
+    try:
+        return send_attachment_file(current_app.archivant, volumeID, attachmentID)
+    except NotFoundException, e:
+        raise ApiError("file not found", 404, details=str(e))
+
+
+def receive_volume_metadata():
+    metadata = receive_metadata()
+    # TODO check also for preset consistency?
+    requiredFields = ['_language']
+    for requiredField in requiredFields:
+        if requiredField not in metadata:
+            raise ApiError("malformed metadata", 400, details="Required field '{}' is missing in metadata".format(requiredField))
+    return metadata
+
+
+def receive_metadata(optional=False):
+    if optional and 'metdata' not in request.values:
+        return {}
+    try:
+        metadata = json.loads(request.values['metadata'])
+    except KeyError:
+        raise ApiError("malformed request", 400, details="missing 'metadata' in request")
+    except Exception, e:
+        raise ApiError("malformed metadata", 400, details=str(e))
+    if not isinstance(metadata, dict):
+        raise ApiError("malformed metadata", 400, details="metadata value should be a json object")
+    return metadata
diff --git a/webant/api/blueprint_api.py b/webant/api/blueprint_api.py
index 42ae073..6438ceb 100644
--- a/webant/api/blueprint_api.py
+++ b/webant/api/blueprint_api.py
@@ -1,34 +1,13 @@
-import json
-import tempfile
-import os
-
-from flask import Blueprint, current_app, jsonify, request, url_for
-from werkzeug import secure_filename
-
-from archivant.archivant import Archivant
-from archivant.exceptions import NotFoundException
-from webant.util import send_attachment_file
-
-
-class ApiError(Exception):
-    def __init__(self, message, http_code, err_code=None, details=None):
-        Exception.__init__(self, http_code, err_code, message, details)
-        self.http_code = http_code
-        self.err_code = err_code
-        self.message = message
-        self.details = details
-
-    def __str__(self):
-        return "http_code: {}, err_code: {}, message: '{}', details: '{}'".format(self.http_code, self.err_code, self.message, self.details)
-
-
-def make_success_response(message, http_code=200):
-    response = jsonify({'code': http_code, 'message': message})
-    response.status_code = http_code
-    return response
+from flask import Blueprint, current_app, jsonify
+from webant.util import add_routes
+from util import ApiError
+from archivant_api import routes as archivantRoutes
+from users_api import routes as usersRoutes
 
 
 api = Blueprint('api', __name__)
+add_routes(api, archivantRoutes)
+add_routes(api, usersRoutes)
 
 
 @api.errorhandler(ApiError)
@@ -53,171 +32,3 @@ def apiNotFound(invalid_path):
 def exceptionHandler(e):
     current_app.logger.exception(e)
     return apiErrorHandler(ApiError("internal server error", 500))
-
-
-@api.route('/volumes/')
-def get_volumes():
-    q = request.args.get('q', "*:*")
-    try:
-        from_ = int(request.args.get('from', 0))
-    except ValueError:
-        raise ApiError("Bad Request", 400, details="could not covert 'from' parameter to number")
-    try:
-        size = int(request.args.get('size', 10))
-    except ValueError:
-        raise ApiError("Bad Request", 400, details="could not covert 'size' parameter to number")
-    if size > current_app.config.get('MAX_RESULTS_PER_PAGE', 50):
-        raise ApiError("Request Entity Too Large", 413, details="'size' parameter is too high")
-
-    q_res = current_app.archivant._db.get_books_querystring(query=q, from_=from_, size=size)
-    volumes = map(Archivant.normalize_volume, q_res['hits']['hits'])
-    next_args = "?q={}&from={}&size={}".format(q, from_ + size, size)
-    prev_args = "?q={}&from={}&size={}".format(q, from_ - size if ((from_ - size) > -1) else 0, size)
-    base_url = url_for('.get_volumes', _external=True)
-    res = {'link_prev': base_url + prev_args,
-           'link_next': base_url + next_args,
-           'total': q_res['hits']['total'],
-           'data': volumes}
-    return jsonify(res)
-
-
-@api.route('/volumes/', methods=['POST'])
-def add_volume():
-    metadata = receive_volume_metadata()
-    try:
-        volumeID = current_app.archivant.insert_volume(metadata)
-    except ValueError, e:
-        raise ApiError("malformed metadata", 400, details=str(e))
-    link_self = url_for('.get_volume', volumeID=volumeID, _external=True)
-    response = jsonify({'data': {'id': volumeID, 'link_self': link_self}})
-    response.status_code = 201
-    response.headers['Location'] = link_self
-    return response
-
-
-@api.route('/volumes/<volumeID>', methods=['PUT'])
-def update_volume(volumeID):
-    metadata = receive_volume_metadata()
-    try:
-        current_app.archivant.update_volume(volumeID, metadata)
-    except NotFoundException, e:
-        raise ApiError("volume not found", 404, details=str(e))
-    except ValueError, e:
-        raise ApiError("malformed metadata", 400, details=str(e))
-    return make_success_response("volume successfully updated", 201)
-
-
-@api.route('/volumes/<volumeID>', methods=['GET'])
-def get_volume(volumeID):
-    try:
-        volume = current_app.archivant.get_volume(volumeID)
-    except NotFoundException, e:
-        raise ApiError("volume not found", 404, details=str(e))
-    return jsonify({'data': volume})
-
-
-@api.route('/volumes/<volumeID>', methods=['DELETE'])
-def delete_volume(volumeID):
-    try:
-        current_app.archivant.delete_volume(volumeID)
-    except NotFoundException, e:
-        raise ApiError("volume not found", 404, details=str(e))
-    return make_success_response("volume has been successfully deleted")
-
-
-@api.route('/volumes/<volumeID>/attachments/', methods=['GET'])
-def get_attachments(volumeID):
-    try:
-        atts = current_app.archivant.get_volume(volumeID)['attachments']
-    except NotFoundException, e:
-        raise ApiError("volume not found", 404, details=str(e))
-    return jsonify({'data': atts})
-
-
-@api.route('/volumes/<volumeID>/attachments/', methods=['POST'])
-def add_attachments(volumeID):
-    metadata = receive_metadata(optional=True)
-    if 'file' not in request.files:
-        raise ApiError("malformed request", 400, details="file not found under 'file' key")
-    upFile = request.files['file']
-    tmpFileFd, tmpFilePath = tempfile.mkstemp()
-    upFile.save(tmpFilePath)
-    fileInfo = {}
-    fileInfo['file'] = tmpFilePath
-    fileInfo['name'] = secure_filename(upFile.filename)
-    fileInfo['mime'] = upFile.mimetype
-    fileInfo['notes'] = metadata.get('notes', '')
-    # close fileDescriptor
-    os.close(tmpFileFd)
-    try:
-        attachmentID = current_app.archivant.insert_attachments(volumeID, attachments=[fileInfo])[0]
-    except NotFoundException, e:
-        raise ApiError("volume not found", 404, details=str(e))
-    finally:
-        # remove temp files
-        os.remove(fileInfo['file'])
-    link_self = url_for('.get_attachment', volumeID=volumeID, attachmentID=attachmentID, _external=True)
-    response = jsonify({'data': {'id': attachmentID, 'link_self': link_self}})
-    response.status_code = 201
-    response.headers['Location'] = link_self
-    return response
-
-
-@api.route('/volumes/<volumeID>/attachments/<attachmentID>', methods=['GET'])
-def get_attachment(volumeID, attachmentID):
-    try:
-        att = current_app.archivant.get_attachment(volumeID, attachmentID)
-    except NotFoundException, e:
-        raise ApiError("attachment not found", 404, details=str(e))
-    return jsonify({'data': att})
-
-
-@api.route('/volumes/<volumeID>/attachments/<attachmentID>', methods=['DELETE'])
-def delete_attachment(volumeID, attachmentID):
-    try:
-        current_app.archivant.delete_attachments(volumeID, [attachmentID])
-    except NotFoundException, e:
-        raise ApiError("attachment not found", 404, details=str(e))
-    return make_success_response("attachment has been successfully deleted")
-
-
-@api.route('/volumes/<volumeID>/attachments/<attachmentID>', methods=['PUT'])
-def update_attachment(volumeID, attachmentID):
-    metadata = receive_metadata()
-    try:
-        current_app.archivant.update_attachment(volumeID, attachmentID, metadata)
-    except ValueError, e:
-        raise ApiError("malformed request", 400, details=str(e))
-    return make_success_response("attachment has been successfully updated")
-
-
-@api.route('/volumes/<volumeID>/attachments/<attachmentID>/file', methods=['GET'])
-def get_file(volumeID, attachmentID):
-    try:
-        return send_attachment_file(current_app.archivant, volumeID, attachmentID)
-    except NotFoundException, e:
-        raise ApiError("file not found", 404, details=str(e))
-
-
-def receive_volume_metadata():
-    metadata = receive_metadata()
-    # TODO check also for preset consistency?
-    requiredFields = ['_language']
-    for requiredField in requiredFields:
-        if requiredField not in metadata:
-            raise ApiError("malformed metadata", 400, details="Required field '{}' is missing in metadata".format(requiredField))
-    return metadata
-
-
-def receive_metadata(optional=False):
-    if optional and 'metdata' not in request.values:
-        return {}
-    try:
-        metadata = json.loads(request.values['metadata'])
-    except KeyError:
-        raise ApiError("malformed request", 400, details="missing 'metadata' in request")
-    except Exception, e:
-        raise ApiError("malformed metadata", 400, details=str(e))
-    if not isinstance(metadata, dict):
-        raise ApiError("malformed metadata", 400, details="metadata value should be a json object")
-    return metadata
diff --git a/webant/api/users_api.py b/webant/api/users_api.py
new file mode 100644
index 0000000..f9933f2
--- /dev/null
+++ b/webant/api/users_api.py
@@ -0,0 +1,242 @@
+from webant.util import routes_collector
+from util import ApiError, make_success_response, on_json_load_error
+from flask import request, url_for, jsonify#, current_app, jsonify
+import users.api
+from users import Action, Capability
+
+routes = []
+route = routes_collector(routes)
+
+
+@route('/users/<int:userID>', methods=['GET'])
+def get_user(userID):
+    try:
+        u = users.api.get_user(id=userID)
+    except users.api.NotFoundException, e:
+        raise ApiError("Not found", 404, details=str(e))
+    return jsonify({'data': {'id': u.id, 'name': u.name}})
+
+
+@route('/users/<int:userID>', methods=['DELETE'])
+def delete_user(userID):
+    try:
+        users.api.delete_user(id=userID)
+    except users.api.NotFoundException, e:
+        raise ApiError("Not found", 404, details=str(e))
+    return make_success_response("user has been successfully deleted")
+
+
+@route('/users/', methods=['POST'])
+def add_user():
+    request.on_json_loading_failed = on_json_load_error
+    userData = request.json
+    if not userData:
+        raise ApiError("Unsupported media type", 415)
+    name = userData.get('name', None)
+    if not name:
+        raise ApiError("Bad Request", 400, details="missing 'name' parameter")
+    password = userData.get('password', None)
+    if not password:
+        raise ApiError("Bad Request", 400, details="missing 'password' parameter")
+    try:
+        user = users.api.add_user(name=name, password=password)
+    except users.api.ConflictException, e:
+        raise ApiError("Conflict", 409, details=str(e))
+    link_self = url_for('.get_user', userID=user.id, _external=True)
+    response = jsonify({'data': {'id': user.id, 'link_self': link_self}})
+    response.status_code = 201
+    response.headers['Location'] = link_self
+    return response
+
+
+@route('/users/<int:userID>', methods=['PATCH'])
+def update_user(userID):
+    request.on_json_loading_failed = on_json_load_error
+    if not request.json:
+        raise ApiError("Unsupported media type", 415)
+    try:
+        users.api.update_user(userID, request.json)
+    except users.api.NotFoundException, e:
+        raise ApiError("Not found", 404, details=str(e))
+    return make_success_response("user has been successfully updated")
+
+
+@route('/groups/<int:groupID>', methods=['GET'])
+def get_group(groupID):
+    try:
+        g = users.api.get_group(id=groupID)
+    except users.api.NotFoundException, e:
+        raise ApiError("Not found", 404, details=str(e))
+    return jsonify({'data': {'id': g.id, 'name': g.name}})
+
+
+@route('/groups/<int:groupID>', methods=['DELETE'])
+def delete_group(groupID):
+    try:
+        users.api.delete_group(id=groupID)
+    except users.api.NotFoundException, e:
+        raise ApiError("Not found", 404, details=str(e))
+    return make_success_response("group has been successfully deleted")
+
+
+@route('/groups/', methods=['POST'])
+def add_group():
+    request.on_json_loading_failed = on_json_load_error
+    groupData = request.json
+    if not groupData:
+        raise ApiError("Unsupported media type", 415)
+    name = groupData.get('name', None)
+    if not name:
+        raise ApiError("Bad Request", 400, details="missing 'name' parameter")
+    try:
+        group = users.api.add_group(name=name)
+    except users.api.ConflictException, e:
+        raise ApiError("Conflict", 409, details=str(e))
+    link_self = url_for('.get_group', groupID=group.id, _external=True)
+    response = jsonify({'data': {'id': group.id, 'link_self': link_self}})
+    response.status_code = 201
+    response.headers['Location'] = link_self
+    return response
+
+
+@route('/groups/<int:groupID>', methods=['PATCH'])
+def update_group(groupID):
+    request.on_json_loading_failed = on_json_load_error
+    if not request.json:
+        raise ApiError("Unsupported media type", 415)
+    try:
+        users.api.update_group(groupID, request.json)
+    except users.api.NotFoundException, e:
+        raise ApiError("Not found", 404, details=str(e))
+    return make_success_response("group has been successfully updated")
+
+
+@route('/groups/<int:groupID>/users/<int:userID>', methods=['PUT'])
+def add_user_to_group(groupID, userID):
+    try:
+        users.api.add_user_to_group(userID, groupID)
+    except users.api.NotFoundException, e:
+        raise ApiError("Not found", 404, details=str(e))
+    return make_success_response("user has been successfully added to group")
+
+
+@route('/groups/<int:groupID>/users/<int:userID>', methods=['DELETE'])
+def delete_user_from_group(groupID, userID):
+    try:
+        users.api.remove_user_from_group(userID, groupID)
+    except users.api.NotFoundException, e:
+        raise ApiError("Not found", 404, details=str(e))
+    return make_success_response("user has been successfully removed from group")
+
+
+@route('/groups/<int:groupID>/users/', methods=['GET'])
+def get_users_in_group(groupID):
+    try:
+        us = [{'id': u.id} for u in users.api.get_users_in_group(groupID)]
+    except users.api.NotFoundException, e:
+        raise ApiError("Not found", 404, details=str(e))
+    return jsonify({'data': us})
+
+
+@route('/users/<int:userID>/groups/', methods=['GET'])
+def get_groups_of_user(userID):
+    try:
+        groups = [{'id': g.id} for g in users.api.get_groups_of_user(userID)]
+    except users.api.NotFoundException, e:
+        raise ApiError("Not found", 404, details=str(e))
+    return jsonify({'data': groups})
+
+
+@route('/capabilities/<int:capID>', methods=['GET'])
+def get_capability(capID):
+    try:
+        cap = users.api.get_capability(capID)
+    except users.api.NotFoundException, e:
+        raise ApiError("Not found", 404, details=str(e))
+    return jsonify({'data':
+                      {'id': cap.id,
+                       'domain': Capability.regToSim(cap.domain),
+                       'actions': cap.action.to_list()}})
+
+
+@route('/capabilities/<int:capID>', methods=['DELETE'])
+def delete_capability(capID):
+    try:
+        users.api.delete_capability(capID)
+    except users.api.NotFoundException, e:
+        raise ApiError("Not found", 404, details=str(e))
+    return make_success_response("capability has been successfully deleted")
+
+
+@route('/capabilities/', methods=['POST'])
+def add_capability():
+    request.on_json_loading_failed = on_json_load_error
+    capData = request.json
+    if not capData:
+        raise ApiError("Unsupported media type", 415)
+    domain = capData.get('domain', None)
+    if not domain:
+        raise ApiError("Bad Request", 400, details="missing 'domain' parameter")
+    actions = capData.get('actions', None)
+    if not actions:
+        raise ApiError("Bad Request", 400, details="missing 'actions' parameter")
+    try:
+        cap = users.api.add_capability(domain=domain, action=Action.from_list(actions))
+    except users.api.ConflictException, e:
+        raise ApiError("Conflict", 409, details=str(e))
+    link_self = url_for('.get_capability', capID=cap.id, _external=True)
+    response = jsonify({'data': {'id': cap.id, 'link_self': link_self}})
+    response.status_code = 201
+    response.headers['Location'] = link_self
+    return response
+
+
+@route('/capabilities/<int:capID>', methods=['PATCH'])
+def update_capability(capID):
+    request.on_json_loading_failed = on_json_load_error
+    if not request.json:
+        raise ApiError("Unsupported media type", 415)
+    updates = request.json
+    if 'actions' in updates:
+        updates['action'] = Action.from_list(updates.pop('actions'))
+    try:
+        users.api.update_capability(capID, updates)
+    except users.api.NotFoundException, e:
+        raise ApiError("Not found", 404, details=str(e))
+    return make_success_response("capability has been successfully updated")
+
+
+@route('/groups/<int:groupID>/capabilities/<int:capID>', methods=['PUT'])
+def add_capability_to_group(groupID, capID):
+    try:
+        users.api.add_capability_to_group(capID, groupID)
+    except users.api.NotFoundException, e:
+        raise ApiError("Not found", 404, details=str(e))
+    return make_success_response("capability has been successfully added to group")
+
+
+@route('/groups/<int:groupID>/capabilities/<int:capID>', methods=['DELETE'])
+def delete_capability_from_group(groupID, capID):
+    try:
+        users.api.remove_capability_from_group(capID, groupID)
+    except users.api.NotFoundException, e:
+        raise ApiError("Not found", 404, details=str(e))
+    return make_success_response("capability has been successfully removed from group")
+
+
+@route('/groups/<int:groupID>/capabilities/', methods=['GET'])
+def get_capabilities_of_group(groupID):
+    try:
+        caps = [{'id': cap.id} for cap in users.api.get_capabilities_of_group(groupID)]
+    except users.api.NotFoundException, e:
+        raise ApiError("Not found", 404, details=str(e))
+    return jsonify({'data': caps})
+
+
+@route('/capabilities/<int:capID>/groups/', methods=['GET'])
+def get_groups_with_capability(capID):
+    try:
+        groups = [{'id': g.id} for g in users.api.get_groups_with_capability(capID)]
+    except users.api.NotFoundException, e:
+        raise ApiError("Not found", 404, details=str(e))
+    return jsonify({'data': groups})
diff --git a/webant/api/util.py b/webant/api/util.py
new file mode 100644
index 0000000..91fb03e
--- /dev/null
+++ b/webant/api/util.py
@@ -0,0 +1,23 @@
+from flask import jsonify
+
+
+class ApiError(Exception):
+    def __init__(self, message, http_code, err_code=None, details=None):
+        Exception.__init__(self, http_code, err_code, message, details)
+        self.http_code = http_code
+        self.err_code = err_code
+        self.message = message
+        self.details = details
+
+    def __str__(self):
+        return "http_code: {}, err_code: {}, message: '{}', details: '{}'".format(self.http_code, self.err_code, self.message, self.details)
+
+
+def on_json_load_error(e):
+    raise ApiError("Bad request", 400, details=str(e))
+
+
+def make_success_response(message, http_code=200):
+    response = jsonify({'code': http_code, 'message': message})
+    response.status_code = http_code
+    return response
diff --git a/webant/static/js/action-toolbar.js b/webant/static/js/action-toolbar.js
new file mode 100644
index 0000000..2e71b58
--- /dev/null
+++ b/webant/static/js/action-toolbar.js
@@ -0,0 +1,12 @@
+$("#delete-button").on("click", function() {
+    $.ajax({ method: "DELETE", url: API_URL + "/volumes/" + $(this).data('target') })
+      .done(function() {
+        window.history.back();
+      })
+      .fail(function() {
+        alert("deletion failed");
+      })
+      .always(function() {
+        $('#confirm-deletion-modal').modal('hide');
+      });
+});
diff --git a/webant/templates/add.html b/webant/templates/add.html
index 507d7d1..4114787 100644
--- a/webant/templates/add.html
+++ b/webant/templates/add.html
@@ -13,7 +13,7 @@
 {% endblock %}
 
 {% block navbar %}
-{% import 'navbar.html' as navbar %}
+{% import 'navbar.html' as navbar with context %}
 {{navbar.navbar()}}
 {% endblock %}
 
diff --git a/webant/templates/details.html b/webant/templates/details.html
index 25eb1dd..7726f54 100644
--- a/webant/templates/details.html
+++ b/webant/templates/details.html
@@ -1,12 +1,13 @@
 {% extends "bootstrap/base.html" %}
 {% import "bootstrap/fixes.html" as fixes %}
 
+{% set title = volume['metadata']['title'] if 'title' in volume['metadata'] else volume['id'] %}
 {% block title %}
-Libreant | {{ volume['metadata']['title'] if 'title' in volume['metadata'] else volume['id'] }}
+Libreant | {{ title }}
 {% endblock %}
 
 {% block navbar %}
-{% import 'navbar.html' as navbar %}
+{% import 'navbar.html' as navbar with context%}
 {{navbar.navbar()}}
 {% endblock %}
 
@@ -14,16 +15,26 @@
 
 <div class="container">
     <header class="page-header" style="margin-top:0px">
-	    <h1>{{ volume['metadata']['title'] if 'title' in volume['metadata'] else volume['id'] }}
+	    <h1>{{ title }}
 		    <small>{{ volume['metadata']['actors'] | sort | join(',') }}</small>
 	    </h1>
     </header>
+    <div class="btn-toolbar" role="toolbar" aria-label="toolbar">
+        <div class="btn-group pull-right" role="group" aria-label="action toolbar">
+            {% if not hide_from_toolbar['delete'] %}
+            <button data-toggle="modal" data-target="#confirm-deletion-modal"
+                    type="button" class="btn btn-default red-on-hover" aria-label='delete'>
+                <span class="glyphicon glyphicon-trash"></span>
+            </button>
+            {% endif %}
+       </div>
+    </div>
      {% if (volume['attachments'] | length) > 0 %}
         {% for attachment in volume['attachments'] %}
              <a class="btn btn-default" href="{{ url_for('download_attachment', volumeID=volume['id'], attachmentID=attachment['id']) }}">
                 <div class="row" style="display: flex; align-items: center;">
                     <div class="col-xs-1">
-                        <span class="glyphicon glyphicon glyphicon-download-alt" aria-hidden="true"></span>
+                        <span class="glyphicon glyphicon-download-alt" aria-hidden="true"></span>
                     </div>
                     <div class="col-xs-11">
                         <strong>{{ attachment['metadata']['name'] }}</strong>
@@ -35,7 +46,7 @@ <h1>{{ volume['metadata']['title'] if 'title' in volume['metadata'] else volume[
     <br>
     <br>
     {% endif %}
-    
+
     <article>
         <h4>{%trans%}Details{%endtrans%}</h4>
         <table class="table table-striped">
@@ -75,5 +86,29 @@ <h3>{%trans%}Similar books{%endtrans%}</h3>
         </table>
         {% endif %}
     </article>
-<div class="container">
+</div>
+
+<!-- Confirm Deletion Modal -->
+<div class="modal fade" id="confirm-deletion-modal" tabindex="-1" role="dialog" aria-labelledby="confirm deletion modal">
+  <div class="modal-dialog" role="document">
+    <div class="modal-content">
+      <div class="modal-header">
+        <button type="button" class="close" data-dismiss="modal" aria-label="Close"><span aria-hidden="true">&times;</span></button>
+        <h4 class="modal-title">{%trans%}Confirm deletion{%endtrans%}</h4>
+      </div>
+      <div class="modal-body">
+      <p>{%trans%}Are you sure you want to delete this volume?{%endtrans%}</p>
+      </div>
+      <div class="modal-footer">
+        <button type="button" class="btn btn-default" data-dismiss="modal">No</button>
+        <button id="delete-button" data-target="{{volume['id']}}" type="button" class="btn btn-primary">{%trans%}Yes{%endtrans%}</button>
+      </div>
+    </div>
+  </div>
+</div>
 {% endblock content %}
+{% block scripts%}
+    {{super()}}
+    <script src="{{ url_for('static', filename='js/action-toolbar.js') }}"></script>
+    <script>var API_URL="{{ api_url }}"</script>
+{% endblock scripts%}
diff --git a/webant/templates/error.html b/webant/templates/error.html
index 59000bd..846c416 100644
--- a/webant/templates/error.html
+++ b/webant/templates/error.html
@@ -6,7 +6,7 @@
 {% endblock %}
 
 {% block navbar %}
-{% import 'navbar.html' as navbar %}
+{% import 'navbar.html' as navbar with context %}
 {{navbar.navbar(search=True)}}
 {% endblock %}
 
diff --git a/webant/templates/index.html b/webant/templates/index.html
index 30df406..c620e46 100644
--- a/webant/templates/index.html
+++ b/webant/templates/index.html
@@ -7,7 +7,7 @@
 {% endblock %}
 
 {% block navbar %}
-{% import 'navbar.html' as navbar %}
+{% import 'navbar.html' as navbar with context %}
 {{navbar.navbar(search=False)}}
 {% endblock %}
 
diff --git a/webant/templates/login.html b/webant/templates/login.html
new file mode 100644
index 0000000..93799ed
--- /dev/null
+++ b/webant/templates/login.html
@@ -0,0 +1,41 @@
+{% extends "bootstrap/base.html" %}
+{% import "bootstrap/fixes.html" as fixes %}
+{% import 'searchbar.html' as searchbar %}
+
+{% block title %}
+Libreant | {%trans%}Login{%endtrans%}
+{% endblock %}
+
+{% block navbar %}
+{% import 'navbar.html' as navbar with context%}
+{{navbar.navbar()}}
+{% endblock %}
+
+{% block styles %}
+{{ super() }}
+{% endblock styles %}
+
+{% block content %}
+<div class="container">
+   <div class="row">
+        <div class="col-sm-offset-3 col-sm-6">
+            {% if message %}
+            <div class="alert alert-warning" role="alert">
+                {{ message }}
+            </div>
+            {% endif %}
+            <form class="form" method="post">
+                <div class="form-group">
+                  <label for="username">{%trans%}Username{%endtrans%}:</label>
+                  <input type="text" class="form-control" name="username" id="username" autocomplete="username" autofocus="true" required>
+                </div>
+                <div class="form-group">
+                  <label for="password">{%trans%}Password{%endtrans%}:</label>
+                  <input type="password" class="form-control" name="password" id="password" autocomplete="current-password" required>
+                </div>
+                <button type="submit" class="btn btn-default">{%trans%}Submit{%endtrans%}</button>
+            </form>
+        </div>
+    </div>
+</div>
+{% endblock content %}
diff --git a/webant/templates/navbar.html b/webant/templates/navbar.html
index 5f0e729..f30c118 100644
--- a/webant/templates/navbar.html
+++ b/webant/templates/navbar.html
@@ -1,7 +1,7 @@
 {% macro navbar(search=True, search_query="") %}
 <nav class="navbar navbar-default">
     <div class="container-fluid">
-        
+
         <div class="navbar-header">
             <button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#navbar-responsive-collapse">
                 <span class="icon-bar"></span>
@@ -10,7 +10,7 @@
             </button>
             <a class="navbar-brand" href="/">LibreAnt</a>
         </div>
-        
+
         <div class="navbar-collapse collapse" id="navbar-responsive-collapse">
             <ul class="nav navbar-nav">
                 <li class="{{ "active" if request.path == url_for('add') }}">
@@ -26,6 +26,23 @@
                 <input class="form-control col-lg-8" placeholder="Search" type="text" id="search" name="q" value="{{ search_query }}">
             </form>
             {% endif %}
+            {% if users_enabled %}
+            <ul class="nav navbar-nav navbar-right">
+                <li class="dropdown">
+                    {% set user = current_user() %}
+                    <a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">
+                        <span class="glyphicon glyphicon-user"></span> {{ user.name }} <span class="caret"></span>
+                    </a>
+                    <ul class="dropdown-menu">
+                        {% if user %}
+                        <li><a href="{{url_for('logout')}}">{%trans%}Logout{%endtrans%}</a></li>
+                        {% else %}
+                        <li><a href="{{url_for('login')}}">{%trans%}Login{%endtrans%}</a></li>
+                        {% endif %}
+                    </ul>
+                </li>
+            </ul>
+            {% endif %}
         </div><!-- /.navbar-collapse -->
     </div><!-- /.container-fluid -->
 </nav>
diff --git a/webant/templates/recents.html b/webant/templates/recents.html
index d047192..c47e7e0 100644
--- a/webant/templates/recents.html
+++ b/webant/templates/recents.html
@@ -22,7 +22,7 @@
 {% endblock %}
 
 {% block navbar %}
-{% import 'navbar.html' as navbar %}
+{% import 'navbar.html' as navbar with context %}
 {{ navbar.navbar(search=True) }}
 {% endblock %}
 
diff --git a/webant/templates/search.html b/webant/templates/search.html
index 040f7af..dd4109f 100644
--- a/webant/templates/search.html
+++ b/webant/templates/search.html
@@ -7,7 +7,7 @@
 {% endblock %}
 
 {% block navbar %}
-{% import 'navbar.html' as navbar %}
+{% import 'navbar.html' as navbar with context %}
 {{navbar.navbar(search=False)}}
 {% endblock %}
 
diff --git a/webant/test/__init__.py b/webant/test/__init__.py
new file mode 100644
index 0000000..c951e12
--- /dev/null
+++ b/webant/test/__init__.py
@@ -0,0 +1,13 @@
+import unittest
+from webant import create_app
+from conf.defaults import get_def_conf
+
+
+class WebantTestCase(unittest.TestCase):
+
+    def setUp(self):
+        conf = get_def_conf()
+        conf['USERS_DATABASE'] = "sqlite:///:memory:"
+        conf['PWD_ROUNDS'] = 1
+        conf['TESTING'] = True
+        self.wtc = create_app(conf).test_client()
diff --git a/webant/test/api/__init__.py b/webant/test/api/__init__.py
new file mode 100644
index 0000000..cd79233
--- /dev/null
+++ b/webant/test/api/__init__.py
@@ -0,0 +1,42 @@
+from webant.test import WebantTestCase
+from flask.json import loads, dumps
+
+
+class WebantTestApiCase(WebantTestCase):
+
+    API_PREFIX = '/api/v1'
+
+    GRP_URI = API_PREFIX + '/groups/'
+    USR_URI = API_PREFIX + '/users/'
+    CAP_URI = API_PREFIX + '/capabilities/'
+
+    def add_user(self, userData):
+        res = self.wtc.post(self.API_PREFIX + '/users/',
+                          data=dumps(userData),
+                          content_type="application/json")
+        if not res.status_code == 201:
+            raise ApiClientError(res)
+        return loads(res.data)['data']['id']
+
+    def add_group(self, groupData):
+        res = self.wtc.post(self.GRP_URI,
+                          data=dumps(groupData),
+                          content_type="application/json")
+        if not res.status_code == 201:
+            raise ApiClientError(res)
+        return loads(res.data)['data']['id']
+
+    def add_capability(self, capData):
+        res = self.wtc.post(self.CAP_URI,
+                            data=dumps(capData),
+                            content_type="application/json")
+        if not res.status_code == 201:
+            raise ApiClientError(res)
+        return loads(res.data)['data']['id']
+
+
+class ApiClientError(Exception):
+
+    def __init__(self, res):
+        super(ApiClientError, self).__init__(loads(res.data))
+        self.res = res
diff --git a/webant/test/api/test_api_capabilities.py b/webant/test/api/test_api_capabilities.py
new file mode 100644
index 0000000..f2296cb
--- /dev/null
+++ b/webant/test/api/test_api_capabilities.py
@@ -0,0 +1,152 @@
+from webant.test.api import WebantTestApiCase, ApiClientError
+from nose.tools import eq_
+from flask.json import loads, dumps
+
+
+class TestApiCapabilities(WebantTestApiCase):
+
+    def test_get_capability_not_exist(self):
+        r = self.wtc.get(self.CAP_URI + 'a1s2d')
+        eq_(r.status_code, 404)
+        r = self.wtc.get(self.CAP_URI + '10233')
+        eq_(r.status_code, 404)
+
+    def test_add_capability(self):
+        self.add_capability({'domain':'/res1/id1/res2/*', 'actions':['READ','UPDATE']})
+
+    def test_add_capability_wrong_content_type(self):
+        r = self.wtc.post(self.CAP_URI,
+                          data=dumps({'domain':'/res1/id1/res2/*', 'actions':['READ','UPDATE']}))
+        eq_(r.status_code, 415)
+        r = self.wtc.post(self.CAP_URI,
+                          data="asdasd",
+                          content_type="application/json")
+        eq_(r.status_code, 400)
+
+    def test_add_capability_no_actions(self):
+        with self.assertRaises(ApiClientError) as ace:
+            self.add_capability({'domain':'/res1/id1/res2/*'})
+            eq_(ace.res.status_code, 400)
+
+    def test_add_capability_no_domain(self):
+        with self.assertRaises(ApiClientError) as ace:
+            self.add_capability({'actions':['UPDATE', 'DELETE']})
+            eq_(ace.res.status_code, 400)
+
+    def test_add_capability_same_name(self):
+        capData = {'domain':'/res1/id1/res2/*', 'actions':['READ','UPDATE']}
+        self.add_capability(capData)
+        self.add_capability(capData)
+
+    def test_get_capability(self):
+        capData = {'domain':'res1/id1/res2/*', 'actions':['READ','UPDATE']}
+        capID = self.add_capability(capData)
+        rg = self.wtc.get(self.CAP_URI + str(capID))
+        eq_(rg.status_code, 200)
+        capDataRet = loads(rg.data)['data']
+        eq_(capDataRet['domain'], capData['domain'])
+        eq_(capDataRet['actions'], capData['actions'])
+
+    def test_delete_capability(self):
+        capData = {'domain':'*', 'actions':['DELETE']}
+        capID = self.add_capability(capData)
+        r = self.wtc.delete(self.CAP_URI + str(capID))
+        eq_(r.status_code, 200)
+
+    def test_delete_capability_not_exists(self):
+        r = self.wtc.delete(self.CAP_URI + str(2))
+        eq_(r.status_code, 404)
+
+    def test_update_capability(self):
+        capData = {'domain':'res1/id1/res2/*', 'actions':['READ','UPDATE']}
+        capID = self.add_capability(capData)
+        r = self.wtc.patch(self.CAP_URI + str(capID),
+                           data=dumps({'actions':['READ']}),
+                           content_type="application/json")
+        eq_(r.status_code, 200)
+        r = self.wtc.get(self.CAP_URI + str(capID))
+        eq_(loads(r.data)['data']['actions'], ['READ'])
+        r = self.wtc.patch(self.CAP_URI + str(capID),
+                           data=dumps({'domain':'*'}),
+                           content_type="application/json")
+        eq_(r.status_code, 200)
+        r = self.wtc.get(self.CAP_URI + str(capID))
+        eq_(loads(r.data)['data']['domain'], '*')
+
+    def test_update_capability_wrong_content_type(self):
+        capData = {'domain':'res1/id1/res2/*', 'actions':['READ','UPDATE']}
+        capID = self.add_capability(capData)
+        r = self.wtc.patch(self.CAP_URI + str(capID),
+                           data=dumps(capData))
+        eq_(r.status_code, 415)
+        r = self.wtc.patch(self.CAP_URI + str(capID),
+                           data="asdasd",
+                           content_type="application/json")
+        eq_(r.status_code, 400)
+
+    def test_update_capability_not_exist(self):
+        capData = {'domain':'res1/id1/res2/*', 'actions':['READ','UPDATE']}
+        r = self.wtc.patch(self.CAP_URI + str(50),
+                           content_type="application/json",
+                           data=dumps(capData))
+        eq_(r.status_code, 404)
+
+    def test_add_capability_to_group(self):
+        gid = self.add_group({'name':'groupName'})
+        capData = {'domain':'res1/id1/res2/*', 'actions':['READ','UPDATE']}
+        capID = self.add_capability(capData)
+        r = self.wtc.put(self.GRP_URI + str(gid) + '/capabilities/' + str(capID))
+        eq_(r.status_code, 200)
+
+    def test_add_capabilty_to_group_not_exist(self):
+        gid = self.add_group({'name':'groupName'})
+        capData = {'domain':'res1/id1/res2/*', 'actions':['READ','UPDATE']}
+        capID = self.add_capability(capData)
+        r = self.wtc.put(self.GRP_URI + str(123) + '/capabilities/' + str(capID))
+        eq_(r.status_code, 404)
+        r = self.wtc.put(self.GRP_URI + str(gid) + '/capabilities/' + str(123))
+        eq_(r.status_code, 404)
+
+    def test_get_capability_in_group(self):
+        gid = self.add_group({'name':'groupName'})
+        capData = {'domain':'res1/*', 'actions':['CREATE']}
+        capID = self.add_capability(capData)
+        r = self.wtc.put(self.GRP_URI + str(gid) + '/capabilities/' + str(capID))
+        r = self.wtc.get(self.GRP_URI + str(gid) + '/capabilities/')
+        eq_(r.status_code, 200)
+        eq_(loads(r.data)['data'][0]['id'], capID)
+
+    def test_get_capabilities_of_group_not_exist(self):
+        r = self.wtc.get(self.GRP_URI + str(1233) + '/capabilities/')
+        eq_(r.status_code, 404)
+
+    def test_get_groups_with_capability(self):
+        gid = self.add_group({'name':'groupName'})
+        capData = {'domain':'res1/*', 'actions':['CREATE']}
+        capID = self.add_capability(capData)
+        r = self.wtc.put(self.GRP_URI + str(gid) + '/capabilities/' + str(capID))
+        r = self.wtc.get(self.CAP_URI + str(capID) + '/groups/')
+        eq_(r.status_code, 200)
+        eq_(loads(r.data)['data'][0]['id'], gid)
+
+    def test_get_groups_with_capability_not_exist(self):
+        r = self.wtc.get(self.CAP_URI + str(1233) + '/groups/')
+        eq_(r.status_code, 404)
+
+    def test_remove_capabilty_from_group(self):
+        gid = self.add_group({'name':'groupName'})
+        capData = {'domain':'res1/*', 'actions':['CREATE']}
+        capID = self.add_capability(capData)
+        r = self.wtc.put(self.GRP_URI + str(gid) + '/capabilities/' + str(capID))
+        r = self.wtc.delete(self.GRP_URI + str(gid) + '/capabilities/' + str(capID))
+        eq_(r.status_code, 200)
+
+    def test_remove_capability_from_group_not_exist(self):
+        gid = self.add_group({'name':'groupName'})
+        capData = {'domain':'res1/*', 'actions':['CREATE']}
+        capID = self.add_capability(capData)
+        r = self.wtc.put(self.GRP_URI + str(gid) + '/capabilities/' + str(capID))
+        r = self.wtc.delete(self.GRP_URI + str(gid) + '/capabilities/' + str(3214))
+        eq_(r.status_code, 404)
+        r = self.wtc.delete(self.GRP_URI + str(3123) + '/capabilities/' + str(capID))
+        eq_(r.status_code, 404)
diff --git a/webant/test/api/test_api_groups.py b/webant/test/api/test_api_groups.py
new file mode 100644
index 0000000..b180aff
--- /dev/null
+++ b/webant/test/api/test_api_groups.py
@@ -0,0 +1,129 @@
+from webant.test.api import WebantTestApiCase, ApiClientError
+from nose.tools import eq_
+from flask.json import loads, dumps
+
+
+class TestApiGroups(WebantTestApiCase):
+
+    def test_get_group_not_exist(self):
+        r = self.wtc.get(self.GRP_URI + 'a1s2d')
+        eq_(r.status_code, 404)
+        r = self.wtc.get(self.GRP_URI + '10233')
+        eq_(r.status_code, 404)
+
+    def test_add_group(self):
+        self.add_group({'name':'groupName'})
+
+    def test_add_group_wrong_content_type(self):
+        r = self.wtc.post(self.GRP_URI,
+                          data=dumps({'name':'groupStoName'}))
+        eq_(r.status_code, 415)
+        r = self.wtc.post(self.GRP_URI,
+                          data="asdasd",
+                          content_type="application/json")
+        eq_(r.status_code, 400)
+
+    def test_add_group_no_name(self):
+        with self.assertRaises(ApiClientError) as ace:
+            self.add_group({'altro':'altroValue'})
+            eq_(ace.res.status_code, 400)
+
+    def test_add_group_same_name(self):
+        self.add_group({'name':'groupName'})
+        with self.assertRaises(ApiClientError) as ace:
+            self.add_group({'name':'groupName'})
+            eq_(ace.res.status_code, 409)
+
+    def test_get_group(self):
+        gid = self.add_group({'name':'groupName'})
+        rg = self.wtc.get(self.GRP_URI + str(gid))
+        eq_(rg.status_code, 200)
+
+    def test_delete_group(self):
+        gid = self.add_group({'name':'groupName'})
+        r = self.wtc.delete(self.GRP_URI + str(gid))
+        eq_(r.status_code, 200)
+
+    def test_delete_grop_not_exists(self):
+        r = self.wtc.delete(self.GRP_URI + str(56))
+        eq_(r.status_code, 404)
+
+    def test_update_group(self):
+        gid = self.add_group({'name':'groupName'})
+        r = self.wtc.patch(self.GRP_URI + str(gid),
+                           data=dumps({'name':'otherGroupName'}),
+                           content_type="application/json")
+        eq_(r.status_code, 200)
+        r = self.wtc.get(self.GRP_URI + str(gid))
+        eq_(loads(r.data)['data']['name'], 'otherGroupName')
+
+    def test_update_group_wrong_content_type(self):
+        gid = self.add_group({'name':'groupName'})
+        r = self.wtc.patch(self.GRP_URI + str(gid),
+                           data=dumps({'name':'groupStoName'}))
+        eq_(r.status_code, 415)
+        r = self.wtc.patch(self.GRP_URI + str(gid),
+                           data="asdasd",
+                           content_type="application/json")
+        eq_(r.status_code, 400)
+
+    def test_update_group_not_exist(self):
+        self.add_group({'name':'groupName'})
+        r = self.wtc.patch(self.GRP_URI + str(50),
+                           content_type="application/json",
+                           data=dumps({'name':'seStaAFaTardi'}))
+        eq_(r.status_code, 404)
+
+    def test_add_user_to_group(self):
+        gid = self.add_group({'name':'groupName'})
+        uid = self.add_user({'name':'userName', 'password':'pwd'})
+        r = self.wtc.put(self.GRP_URI + str(gid) + '/users/' + str(uid))
+        eq_(r.status_code, 200)
+
+    def test_add_user_to_group_not_exist(self):
+        uid = self.add_user({'name':'userName', 'password':'pwd'})
+        gid = self.add_group({'name':'groupName'})
+        r = self.wtc.put(self.GRP_URI + str(123) + '/users/' + str(uid))
+        eq_(r.status_code, 404)
+        r = self.wtc.put(self.GRP_URI + str(gid) + '/users/' + str(123))
+        eq_(r.status_code, 404)
+
+    def test_get_users_in_group(self):
+        gid = self.add_group({'name':'groupName'})
+        uid = self.add_user({'name':'userName', 'password':'pwd'})
+        r = self.wtc.put(self.GRP_URI + str(gid) + '/users/' + str(uid))
+        r = self.wtc.get(self.GRP_URI + str(gid) + '/users/')
+        eq_(r.status_code, 200)
+        eq_(loads(r.data)['data'][0]['id'], uid)
+
+    def test_get_users_from_group_not_exist(self):
+        r = self.wtc.get(self.GRP_URI + str(1233) + '/users/')
+        eq_(r.status_code, 404)
+
+    def test_get_groups_from_user(self):
+        gid = self.add_group({'name':'groupName'})
+        uid = self.add_user({'name':'userName', 'password':'pwd'})
+        r = self.wtc.put(self.GRP_URI + str(gid) + '/users/' + str(uid))
+        r = self.wtc.get(self.USR_URI + str(uid) + '/groups/')
+        eq_(r.status_code, 200)
+        eq_(loads(r.data)['data'][0]['id'], gid)
+
+    def test_get_groups_from_user_not_exist(self):
+        r = self.wtc.get(self.USR_URI + str(1233) + '/groups/')
+        eq_(r.status_code, 404)
+
+    def test_remove_user_from_group(self):
+        gid = self.add_group({'name':'groupName'})
+        uid = self.add_user({'name':'userName', 'password':'pwd'})
+        r = self.wtc.put(self.GRP_URI + str(gid) + '/users/' + str(uid))
+        r = self.wtc.delete(self.GRP_URI + str(gid) + '/users/' + str(uid))
+        eq_(r.status_code, 200)
+
+    def test_remove_user_from_group_not_exist(self):
+        gid = self.add_group({'name':'groupName'})
+        uid = self.add_user({'name':'userName', 'password':'pwd'})
+        r = self.wtc.put(self.GRP_URI + str(gid) + '/users/' + str(uid))
+        r = self.wtc.delete(self.GRP_URI + str(gid) + '/users/' + str(3214))
+        eq_(r.status_code, 404)
+        r = self.wtc.delete(self.GRP_URI + str(3123) + '/users/' + str(uid))
+        eq_(r.status_code, 404)
diff --git a/webant/test/api/test_api_users.py b/webant/test/api/test_api_users.py
new file mode 100644
index 0000000..8ad23fd
--- /dev/null
+++ b/webant/test/api/test_api_users.py
@@ -0,0 +1,85 @@
+from webant.test.api import WebantTestApiCase, ApiClientError
+from nose.tools import eq_
+from flask.json import dumps
+
+
+class TestApiUsers(WebantTestApiCase):
+
+    def test_add_user(self):
+        self.add_user({'name':'testName', 'password': 'testPassword'})
+
+    def test_add_user_wrong_content_type(self):
+        r = self.wtc.post(self.USR_URI,
+                          data=dumps({'name':'testName', 'password': 'testPassword'}))
+        eq_(r.status_code, 415)
+        r = self.wtc.post(self.USR_URI,
+                          data="asdasd",
+                          content_type="application/json")
+        eq_(r.status_code, 400)
+
+    def test_get_user_not_exist(self):
+        r = self.wtc.get(self.API_PREFIX + '/users/12')
+        eq_(r.status_code, 404)
+
+    def test_get_user(self):
+        userData = {'name':'testName', 'password': 'testPassword'}
+        uid = self.add_user(userData)
+        rg = self.wtc.get(self.API_PREFIX + '/users/' + str(uid))
+        eq_(rg.status_code, 200)
+
+    def test_add_user_no_name(self):
+        with self.assertRaises(ApiClientError) as ace:
+            self.add_user({'password':'testPassword'})
+            eq_(ace.res.status_code, 400)
+
+    def test_add_user_no_pass(self):
+        with self.assertRaises(ApiClientError) as ace:
+            self.add_user({'name':'testName'})
+            eq_(ace.res.status_code, 400)
+
+    def test_add_user_same_name(self):
+        user_data = {'name':'testName', 'password': 'testPassword'}
+        self.add_user(user_data)
+        with self.assertRaises(ApiClientError) as ace:
+            self.add_user(user_data)
+            eq_(ace.res.status_code, 409)
+
+    def test_delete_user(self):
+        userData = {'name':'testName', 'password': 'testPassword'}
+        uid = self.add_user(userData)
+        r = self.wtc.delete(self.API_PREFIX + '/users/' + str(uid))
+        eq_(r.status_code, 200)
+
+    def test_delete_user_not_exists(self):
+        r = self.wtc.delete(self.API_PREFIX + '/users/' + str(56))
+        eq_(r.status_code, 404)
+
+    def test_update_user(self):
+        userData = {'name':'testName', 'password': 'testPassword'}
+        uid = self.add_user(userData)
+        userData = {'name':'testName2', 'password': 'testPassword2'}
+        r = self.wtc.patch(self.API_PREFIX + '/users/' + str(uid),
+                         data=dumps(userData),
+                         content_type="application/json")
+        eq_(r.status_code, 200)
+
+    def test_update_user_wrong_content_type(self):
+        userData = {'name':'testName', 'password': 'testPassword'}
+        uid = self.add_user(userData)
+        userData = {'name':'testName2', 'password': 'testPassword2'}
+        r = self.wtc.patch(self.API_PREFIX + '/users/' + str(uid),
+                         data=dumps(userData))
+        eq_(r.status_code, 415)
+        r = self.wtc.patch(self.API_PREFIX + '/users/' + str(uid),
+                         data="asdasd",
+                         content_type="application/json")
+        eq_(r.status_code, 400)
+
+    def test_update_user_not_exist(self):
+        userData = {'name':'testName', 'password': 'testPassword'}
+        self.add_user(userData)
+        userData = {'name':'testName2', 'password': 'testPassword2'}
+        r = self.wtc.patch(self.API_PREFIX + '/users/' + str(50),
+                           content_type="application/json",
+                           data=dumps(userData))
+        eq_(r.status_code, 404)
diff --git a/webant/test/test_api_archivant.py b/webant/test/test_api_archivant.py
new file mode 100644
index 0000000..bba8ecc
--- /dev/null
+++ b/webant/test/test_api_archivant.py
@@ -0,0 +1,10 @@
+from webant.test import WebantTestCase
+from nose.tools import eq_
+
+
+class TestApiArchivant(WebantTestCase):
+
+    API_PREFIX = '/api/v1'
+
+    def test_get_volumes(self):
+        eq_(self.wtc.get(self.API_PREFIX + '/volumes/').status_code, 200)
diff --git a/webant/util.py b/webant/util.py
index e0e2b1c..574e605 100644
--- a/webant/util.py
+++ b/webant/util.py
@@ -1,5 +1,7 @@
 import functools
-from flask import send_file
+from flask import send_file, session
+from authbone import Authenticator, Authorizator
+from users.api import get_user, get_anonymous_user, NotFoundException
 
 
 def memoize(obj):
@@ -48,3 +50,96 @@ def send_attachment_file(archivant, volumeID, attachmentID):
                      mimetype=attachment['metadata']['mime'],
                      attachment_filename=attachment['metadata']['name'],
                      as_attachment=True)
+
+
+def routes_collector(gatherer):
+    """Decorator utility to collect flask routes in a dictionary.
+
+    This function together with :func:`add_routes` provides an
+    easy way to split flask routes declaration in multiple modules.
+
+    :param gatherer: dict in which will be collected routes
+
+    The decorator provided by this function should be used as the
+    `original flask decorator <http://flask.pocoo.org/docs/latest/api/#flask.Flask.route>`_
+    example::
+
+       routes = []
+       route = routes_collector(routes)
+
+       @route('/volumes/', methods=['GET', 'POST'])
+       def volumes():
+           return 'page body'
+
+    After you've collected your routes you can use :func:`add_routes` to register
+    them onto the main blueprint/flask_app.
+    """
+    def hatFunc(rule, **options):
+        def decorator(f):
+            rule_dict = {'rule':rule, 'view_func':f}
+            rule_dict.update(options)
+            gatherer.append(rule_dict)
+        return decorator
+    return hatFunc
+
+
+def add_routes(fapp, routes, prefix=""):
+    """Batch routes registering
+
+    Register routes to a blueprint/flask_app previously collected
+    with :func:`routes_collector`.
+
+    :param fapp: bluprint or flask_app to whom attach new routes.
+    :param routes: dict of routes collected by :func:`routes_collector`
+    :param prefix: url prefix under which register all routes
+    """
+    for r in routes:
+        r['rule'] = prefix + r['rule']
+        fapp.add_url_rule(**r)
+
+
+class AuthtFromSession(Authenticator):
+
+    USERID_KEY = 'user_id'
+
+    def login(self, userID):
+        session[self.USERID_KEY] = userID
+
+    def logout(self):
+        session.pop(self.USERID_KEY)
+
+    def is_logged_in(self):
+        return self.USERID_KEY in session
+
+    def auth_data_getter(self):
+        return session.get(self.USERID_KEY, None)
+
+    def authenticate(self, userID):
+        try:
+            return get_user(id=userID)
+        except NotFoundException:
+            return None
+
+    def bad_auth_data_callback(self):
+        self.identity_elaborator(get_anonymous_user())
+
+    def not_authenticated_callback(self):
+        self.identity_elaborator(get_anonymous_user())
+
+
+class AuthzFromSession(Authorizator):
+
+    def check_capability(self, identity, capability):
+        return identity.can(capability[0], capability[1])
+
+
+class TransparentAutht(AuthtFromSession):
+
+    def perform_authentication(self, *args, **kwargs):
+        pass
+
+
+class TransparentAuthz(AuthzFromSession):
+
+    def perform_authorization(self, *args, **kwargs):
+        pass
diff --git a/webant/webant.py b/webant/webant.py
index 0ba210f..71833bd 100644
--- a/webant/webant.py
+++ b/webant/webant.py
@@ -1,13 +1,14 @@
 import tempfile
 import os
 
-from flask import Flask, render_template, request, abort, Response, redirect, url_for, make_response
+from flask import Flask, render_template, request, Response, redirect, url_for
 from werkzeug import secure_filename
 from flask_bootstrap import Bootstrap
 from elasticsearch import exceptions as es_exceptions
 from flask.ext.babel import Babel, gettext
 from babel.dates import format_timedelta
 from datetime import datetime
+from logging import getLogger
 
 from presets import PresetManager
 from constants import isoLangs
@@ -17,6 +18,9 @@
 from agherant import agherant
 from api.blueprint_api import api
 from webserver_utils import gevent_run
+import users
+import util
+from authbone.authorization import CapabilityMissingException
 
 
 class LibreantCoreApp(Flask):
@@ -27,29 +31,59 @@ def __init__(self, import_name, conf={}):
             'FSDB_PATH': "",
             'SECRET_KEY': 'really insecure, please change me!',
             'ES_HOSTS': None,
-            'ES_INDEXNAME': 'libreant'
+            'ES_INDEXNAME': 'libreant',
+            'USERS_DATABASE': "",
+            'PWD_ROUNDS': None,
+            'PWD_SALT_SIZE': None
         }
         defaults.update(conf)
         self.config.update(defaults)
 
+        '''dirty trick: prevent default flask handler to be created
+           in flask version > 0.10.1 will be a nicer way to disable default loggers
+           tanks to this new code mitsuhiko/flask@84ad89ffa4390d3327b4d35983dbb4d84293b8e2
+        '''
+        self._logger = getLogger(self.import_name)
+
         self.archivant = Archivant(conf={k: self.config[k] for k in ('FSDB_PATH', 'ES_HOSTS', 'ES_INDEXNAME')})
         self.presetManager = PresetManager(self.config['PRESET_PATHS'])
 
+        if self.config['USERS_DATABASE']:
+            self.usersDB = users.init_db(self.config['USERS_DATABASE'],
+                                         pwd_salt_size=self.config['PWD_SALT_SIZE'],
+                                         pwd_rounds=self.config['PWD_ROUNDS'])
+            users.populate_with_defaults()
+        else:
+            self.logger.warning("""It has not been set any value for 'USERS_DATABASE', \
+all operations about users will be unsupported. Are all admins.""")
+            self.usersDB = None
+
+    @property
+    def users_enabled(self):
+        return bool(self.usersDB)
+
 
 class LibreantViewApp(LibreantCoreApp):
     def __init__(self, import_name, conf={}):
         defaults = {
             'BOOTSTRAP_SERVE_LOCAL': True,
             'AGHERANT_DESCRIPTIONS': [],
+            'API_URL': "/api/v1"
         }
         defaults.update(conf)
         super(LibreantViewApp, self).__init__(import_name, defaults)
         if self.config['AGHERANT_DESCRIPTIONS']:
             self.register_blueprint(agherant, url_prefix='/agherant')
-        self.register_blueprint(api, url_prefix='/api/v1')
+        self.register_blueprint(api, url_prefix=self.config['API_URL'])
         Bootstrap(self)
         self.babel = Babel(self)
         self.available_translations = [l.language for l in self.babel.list_translations()]
+        if self.users_enabled:
+            self.autht = util.AuthtFromSession()
+            self.authz = util.AuthzFromSession(authenticator=self.autht)
+        else:
+            self.autht = util.TransparentAutht()
+            self.authz = util.TransparentAuthz()
 
 
 def create_app(conf={}):
@@ -63,7 +97,7 @@ def index():
     def search():
         query = request.args.get('q', None)
         if query is None:
-            abort(400, "No query given")
+            return renderErrorPage(message='No query given', httpCode=400)
         res = app.archivant._db.user_search(query)['hits']['hits']
         books = []
         for b in res:
@@ -81,9 +115,10 @@ def search():
                                             books=books, query=query),
                             mimetype='text/xml')
         else:
-            abort(500)
+            return renderErrorPage(message='Unknown format requested', httpCode=400)
 
     @app.route('/add', methods=['POST'])
+    @app.authz.requires_capability(('/volumes', users.Action.CREATE))
     def upload():
         requiredFields = ['_language']
         optFields = ['_preset']
@@ -127,6 +162,7 @@ def upload():
         return redirect(url_for('view_volume', volumeID=addedVolumeID))
 
     @app.route('/add', methods=['GET'])
+    @app.authz.requires_capability(('/volumes', users.Action.CREATE))
     def add():
         reqPreset = request.args.get('preset', None)
 
@@ -146,14 +182,25 @@ def description():
                         mimetype='text/xml')
 
     @app.route('/view/<volumeID>')
+    @app.autht.requires_authentication
     def view_volume(volumeID):
+        app.authz.perform_authorization(('volumes/{}'.format(volumeID), users.Action.READ))
         try:
             volume = app.archivant.get_volume(volumeID)
         except NotFoundException:
             return renderErrorPage(message='no volume found with id "{}"'.format(volumeID), httpCode=404)
+        # hide button from action toolbar if current user has not capability to perform them
+        hideFromToolbar = None
+        if app.users_enabled:
+            currentDomain = 'volumes/{}'.format(volumeID)
+            hideFromToolbar = {}
+            hideFromToolbar['delete'] = not app.autht.currIdentity.can(currentDomain, users.Action.DELETE)
         similar = app.archivant._db.mlt(volume['id'])['hits']['hits'][:10]
         return render_template('details.html',
-                               volume=volume, similar=similar)
+                               volume=volume,
+                               similar=similar,
+                               hide_from_toolbar=hideFromToolbar,
+                               api_url=app.config['API_URL'])
 
     @app.route('/download/<volumeID>/<attachmentID>')
     def download_attachment(volumeID, attachmentID):
@@ -175,6 +222,47 @@ def get_locale():
                 return request.values['lang']
         return request.accept_languages.best_match(app.available_translations)
 
+    if app.users_enabled:
+        @app.route('/login', methods=['GET'])
+        def login_form():
+            if app.autht.is_logged_in():
+                return renderErrorPage('you are already logged in', 400)
+            return render_template('login.html')
+
+        @app.route('/login', methods=['POST'])
+        def login():
+            name = request.form.get('username', None)
+            pwd = request.form.get('password', None)
+            if not name:
+                return render_template('login.html', message='Missing username'), 400
+            elif not pwd:
+                return render_template('login.html', message='Missing password'), 400
+            try:
+                usr = users.api.get_user(name=name)
+            except users.api.NotFoundException:
+                return render_template('login.html', message='"{}" is not registered'.format(name)), 400
+            if usr.verify_password(pwd):
+                app.autht.login(usr.id)
+                return redirect(url_for('index'), code=302)
+            return render_template('login.html', message='Wrong password')
+
+        @app.route('/logout')
+        def logout():
+            if not app.autht.is_logged_in():
+                return renderErrorPage('you are not logged in', 400)
+            app.autht.logout()
+            return redirect(url_for('index'), code=302)
+
+        def current_user():
+            app.autht.perform_authentication()
+            if users.api.is_anonymous(app.autht.currIdentity):
+                return None
+            return app.autht.currIdentity
+
+        @app.context_processor
+        def user_processor():
+            return dict(users_enabled = True, current_user = current_user)
+
     @app.template_filter('timepassedformat')
     def timepassedformat_filter(timestamp):
         '''given a timestamp it returns a string
@@ -190,9 +278,8 @@ def timepassedformat_filter(timestamp):
 
     @app.errorhandler(es_exceptions.ConnectionError)
     def handle_elasticsearch_down(error):
-        rsp = make_response('DB connection error', 503)
-        app.logger.error("Error connecting to DB; check your configuration")
-        return rsp
+        app.logger.exception("Error connecting to DB; check your configuration")
+        return renderErrorPage(message='DB connection error', httpCode=503)
 
     @app.errorhandler(404)
     def not_found(error):
@@ -203,6 +290,10 @@ def not_found(error):
     def internal_server_error(error):
         return renderErrorPage(message='Internal Server Error', httpCode=500)
 
+    @app.errorhandler(CapabilityMissingException)
+    def not_authenticated_handler(error):
+        return renderErrorPage(message='Authorization Required', httpCode=401)
+
     return app
 
 
diff --git a/webant/webserver_utils.py b/webant/webserver_utils.py
index 68c60b3..f5b5ca7 100644
--- a/webant/webserver_utils.py
+++ b/webant/webserver_utils.py
@@ -7,16 +7,20 @@ def gevent_run(app):
     from gevent.wsgi import WSGIServer
     import gevent.monkey
     from werkzeug.debug import DebuggedApplication
-    from werkzeug.serving import run_with_reloader
     gevent.monkey.patch_socket()
     run_app = app
     if app.config['DEBUG']:
         run_app = DebuggedApplication(app)
 
-    @run_with_reloader
     def run_server():
         port = int(app.config.get('PORT', 5000))
         address = app.config.get('ADDRESS', '')
         print('Listening on http://%s:%d/' % (address or '0.0.0.0', port))
         http_server = WSGIServer((address, port), run_app)
         http_server.serve_forever()
+
+    if app.config['DEBUG']:
+        from werkzeug.serving import run_with_reloader
+        run_with_reloader(run_server)
+    else:
+        run_server()