[Major] Moved privilege management into separate services

- instead of just calling the methods from the REST API, now we call services - this allows auditing who changes which privileges
2015-04-05 00:16:30 +02:00 · 2015-04-05 00:16:30 +02:00 · bd4291b483
parent 6bd1ed58ad
commit bd4291b483
40 changed files with 1353 additions and 237 deletions
--- a/ch.eitchnet.privilege
+++ b/ch.eitchnet.privilege
@ -1 +1 @@
-Subproject commit 2607bbef3fc7df863548820665d8ed133e524c39
+Subproject commit 4c6434f475dc40e73b54890540eaf943f21e1084
--- a/li.strolch.agent/src/main/java/li/strolch/agent/impl/ComponentContainerImpl.java
+++ b/li.strolch.agent/src/main/java/li/strolch/agent/impl/ComponentContainerImpl.java
@ -131,7 +131,7 @@ public class ComponentContainerImpl implements ComponentContainer {
 					StrolchConstants.PROP_REALM, realmName), e);
 		}
 	}
-
+	
 	private void setupComponent(Map<Class<?>, StrolchComponent> componentMap,
 			Map<String, ComponentController> controllerMap, ComponentConfiguration componentConfiguration) {

--- a/li.strolch.agent/src/main/java/li/strolch/runtime/StrolchConstants.java
+++ b/li.strolch.agent/src/main/java/li/strolch/runtime/StrolchConstants.java
@ -19,6 +19,7 @@ import static ch.eitchnet.utils.helper.StringHelper.DOT;
 import li.strolch.agent.api.ObserverHandler;
 import li.strolch.model.StrolchModelConstants;
 import li.strolch.persistence.api.PersistenceHandler;
+import ch.eitchnet.privilege.handler.PrivilegeHandler;

 /**
 * @author Robert von Burg <eitch@eitchnet.ch>
@ -58,4 +59,35 @@ public class StrolchConstants {
 			realmKey += DOT + realmName;
 		return realmKey;
 	}
+
+	/**
+	 * Constants used for Privilege management, configuration, etc.
+	 * 
+	 * @author Robert von Burg <eitch@eitchnet.ch>
+	 */
+	public static class StrolchPrivilegeConstants {
+
+		public static final String PRIVILEGE = "Privilege"; //$NON-NLS-1$
+		public static final String CERTIFICATE = "Certificate"; //$NON-NLS-1$
+		public static final String ROLE = "Role"; //$NON-NLS-1$
+		public static final String USER = "User"; //$NON-NLS-1$
+
+		public static final String PRIVILEGE_GET_ROLE = PrivilegeHandler.PRIVILEGE_GET_ROLE;
+		public static final String PRIVILEGE_ADD_ROLE = PrivilegeHandler.PRIVILEGE_ADD_ROLE;
+		public static final String PRIVILEGE_REMOVE_ROLE = PrivilegeHandler.PRIVILEGE_REMOVE_ROLE;
+		public static final String PRIVILEGE_MODIFY_ROLE = PrivilegeHandler.PRIVILEGE_MODIFY_ROLE;
+
+		public static final String PRIVILEGE_GET_USER = PrivilegeHandler.PRIVILEGE_GET_USER;
+		public static final String PRIVILEGE_ADD_USER = PrivilegeHandler.PRIVILEGE_ADD_USER;
+		public static final String PRIVILEGE_REMOVE_USER = PrivilegeHandler.PRIVILEGE_REMOVE_USER;
+		public static final String PRIVILEGE_MODIFY_USER = PrivilegeHandler.PRIVILEGE_MODIFY_USER;
+		public static final String PRIVILEGE_ADD_ROLE_TO_USER = PrivilegeHandler.PRIVILEGE_ADD_ROLE_TO_USER;
+		public static final String PRIVILEGE_REMOVE_ROLE_FROM_USER = PrivilegeHandler.PRIVILEGE_REMOVE_ROLE_FROM_USER;
+		public static final String PRIVILEGE_SET_USER_LOCALE = PrivilegeHandler.PRIVILEGE_SET_USER_LOCALE;
+		public static final String PRIVILEGE_SET_USER_STATE = PrivilegeHandler.PRIVILEGE_SET_USER_STATE;
+		public static final String PRIVILEGE_SET_USER_PASSWORD = PrivilegeHandler.PRIVILEGE_SET_USER_PASSWORD;
+
+		public static final String PRIVILEGE_INVALIDATE_SESSION = "InvalidateSession";
+		public static final String PRIVILEGE_GET_SESSION = "GetSession";
+	}
 }
--- a/li.strolch.agent/src/main/java/li/strolch/runtime/privilege/DefaultStrolchPrivilegeHandler.java
+++ b/li.strolch.agent/src/main/java/li/strolch/runtime/privilege/DefaultStrolchPrivilegeHandler.java
@ -27,6 +27,7 @@ import li.strolch.exception.StrolchException;
 import li.strolch.model.audit.AccessType;
 import li.strolch.model.audit.Audit;
 import li.strolch.persistence.api.StrolchTransaction;
+import li.strolch.runtime.StrolchConstants.StrolchPrivilegeConstants;
 import li.strolch.runtime.configuration.ComponentConfiguration;
 import li.strolch.runtime.configuration.RuntimeConfiguration;
 import ch.eitchnet.privilege.base.AccessDeniedException;
@ -119,7 +120,8 @@ public class DefaultStrolchPrivilegeHandler extends StrolchComponent implements
 			try (StrolchTransaction tx = realm.openTx(certificate, getClass())) {
 				tx.setSuppressDoNothingLogging(true);
 				tx.setSuppressAudits(true);
-				Audit audit = tx.auditFrom(AccessType.CREATE, PRIVILEGE, CERTIFICATE, username);
+				Audit audit = tx.auditFrom(AccessType.CREATE, StrolchPrivilegeConstants.PRIVILEGE,
+						StrolchPrivilegeConstants.CERTIFICATE, username);
 				tx.getAuditTrail().add(tx, audit);
 			}
 			return certificate;
@ -148,7 +150,8 @@ public class DefaultStrolchPrivilegeHandler extends StrolchComponent implements
 		try (StrolchTransaction tx = realm.openTx(certificate, getClass())) {
 			tx.setSuppressDoNothingLogging(true);
 			tx.setSuppressAudits(true);
-			Audit audit = tx.auditFrom(AccessType.DELETE, PRIVILEGE, CERTIFICATE, certificate.getUsername());
+			Audit audit = tx.auditFrom(AccessType.DELETE, StrolchPrivilegeConstants.PRIVILEGE,
+					StrolchPrivilegeConstants.CERTIFICATE, certificate.getUsername());
 			tx.getAuditTrail().add(tx, audit);
 		}
 		return invalidateSession;
--- a/li.strolch.agent/src/main/java/li/strolch/runtime/privilege/PrivilegeHandler.java
+++ b/li.strolch.agent/src/main/java/li/strolch/runtime/privilege/PrivilegeHandler.java
@ -25,9 +25,6 @@ import ch.eitchnet.privilege.model.PrivilegeContext;
 */
 public interface PrivilegeHandler {

-	public static final String PRIVILEGE = "Privilege"; //$NON-NLS-1$
-	public static final String CERTIFICATE = "Certificate"; //$NON-NLS-1$
-
 	/**
 	 * @param username
 	 * @param password
--- a/li.strolch.agent/src/main/java/li/strolch/service/api/AbstractService.java
+++ b/li.strolch.agent/src/main/java/li/strolch/service/api/AbstractService.java
@ -18,6 +18,7 @@ package li.strolch.service.api;
 import java.text.MessageFormat;

 import li.strolch.agent.api.ComponentContainer;
+import li.strolch.agent.api.StrolchComponent;
 import li.strolch.agent.api.StrolchRealm;
 import li.strolch.exception.StrolchException;
 import li.strolch.persistence.api.StrolchTransaction;
@ -42,6 +43,8 @@ public abstract class AbstractService<T extends ServiceArgument, U extends Servi
 	private PrivilegeContext privilegeContext;

 	/**
+	 * Called by the {@link ServiceHandler} to set the {@link PrivilegeContext} before this service is performed
+	 * 
 	 * @param privilegeContext
 	 *            the privilegeContext to set
 	 */
@ -51,6 +54,8 @@ public abstract class AbstractService<T extends ServiceArgument, U extends Servi
 	}

 	/**
+	 * Return the {@link PrivilegeContext} to perform further privilege authorization validation
+	 * 
 	 * @return the privilegeContext
 	 */
 	public final PrivilegeContext getPrivilegeContext() {
@ -58,6 +63,8 @@ public abstract class AbstractService<T extends ServiceArgument, U extends Servi
 	}

 	/**
+	 * Returns the {@link Certificate} of the user who is performing this service
+	 * 
 	 * @return the certificate
 	 */
 	protected final Certificate getCertificate() {
@ -65,6 +72,9 @@ public abstract class AbstractService<T extends ServiceArgument, U extends Servi
 	}

 	/**
+	 * Called by the {@link ServiceHandler} to set a reference to the {@link ComponentContainer} to be used during
+	 * service execution
+	 * 
 	 * @param container
 	 *            the container to set
 	 */
@ -73,6 +83,8 @@ public abstract class AbstractService<T extends ServiceArgument, U extends Servi
 	}

 	/**
+	 * Returns the reference to the {@link ComponentContainer}
+	 * 
 	 * @return the container
 	 */
 	protected final ComponentContainer getContainer() {
@ -80,45 +92,116 @@ public abstract class AbstractService<T extends ServiceArgument, U extends Servi
 	}

 	/**
+	 * Returns the reference to the {@link StrolchComponent} with the given name, if it exists. If it does not exist, an
+	 * {@link IllegalArgumentException} is thrown
+	 * 
 	 * @param clazz
-	 * @return
+	 * 
+	 * @return the component with the given name
+	 * 
+	 * @throws IllegalArgumentException
+	 *             if the component does not exist
 	 */
 	protected final <V> V getComponent(Class<V> clazz) {
 		return this.container.getComponent(clazz);
 	}

 	/**
-	 * @return
+	 * Returns the Strolch {@link RuntimeConfiguration}
+	 * 
+	 * @return the Strolch {@link RuntimeConfiguration}
 	 */
 	protected final RuntimeConfiguration getRuntimeConfiguration() {
 		return this.container.getAgent().getStrolchConfiguration().getRuntimeConfiguration();
 	}

 	/**
+	 * Returns the {@link StrolchRealm} with the given name. If the realm does not exist, then a
+	 * {@link StrolchException} is thrown
+	 * 
 	 * @param realm
-	 * @return
+	 *            the name of the {@link StrolchRealm} to return
+	 * @return the {@link StrolchRealm} with the given name
+	 * 
+	 * @throws StrolchException
+	 *             if the {@link StrolchRealm} does not exist with the given name
 	 */
-	protected final StrolchRealm getRealm(String realm) {
+	protected final StrolchRealm getRealm(String realm) throws StrolchException {
 		return this.container.getRealm(realm);
 	}

 	/**
+	 * Opens a {@link StrolchTransaction} for the given realm, the action for the TX is this implementation's class
+	 * name. This transaction should be used in a try-with-resource clause so it is properly closed
+	 * 
 	 * @param realm
-	 * @return
+	 *            the name of the realm to return
+	 * 
+	 * @return the realm with the given name
+	 * 
+	 * @throws StrolchException
+	 *             if the {@link StrolchRealm} does not exist with the given name
 	 */
-	protected final StrolchTransaction openTx(String realm) {
+	protected StrolchTransaction openTx(String realm) throws StrolchException {
 		return this.container.getRealm(realm).openTx(getCertificate(), getClass());
 	}

 	/**
+	 * Opens a {@link StrolchTransaction} for the given realm. This transaction should be used in a try-with-resource
+	 * clause so it is properly closed
+	 * 
 	 * @param realm
+	 *            the name of the realm to return
 	 * @param action
-	 * @return
+	 *            the action to use for the opened TX
+	 * 
+	 * @return the realm with the given name
+	 * 
+	 * @throws StrolchException
+	 *             if the {@link StrolchRealm} does not exist with the given name
 	 */
-	protected final StrolchTransaction openTx(String realm, String action) {
+	protected StrolchTransaction openTx(String realm, String action) throws StrolchException {
 		return this.container.getRealm(realm).openTx(getCertificate(), action);
 	}

+	/**
+	 * Opens a {@link StrolchTransaction} where the realm retrieved using
+	 * {@link ComponentContainer#getRealm(Certificate)}, the action for the TX is this implementation's class name. This
+	 * transaction should be used in a try-with-resource clause so it is properly closed
+	 * 
+	 * @return the realm with the given name
+	 * 
+	 * @throws StrolchException
+	 *             if the {@link StrolchRealm} does not exist with the given name
+	 */
+	protected StrolchTransaction openUserTx() throws StrolchException {
+		return this.container.getRealm(getCertificate()).openTx(getCertificate(), getClass());
+	}
+
+	/**
+	 * Opens a {@link StrolchTransaction} where the realm retrieved using
+	 * {@link ComponentContainer#getRealm(Certificate)}. This transaction should be used in a try-with-resource clause
+	 * so it is properly closed
+	 * 
+	 * @param realm
+	 *            the name of the realm to return
+	 * @param action
+	 *            the action to use for the opened TX
+	 * 
+	 * @return the realm with the given name
+	 * 
+	 * @throws StrolchException
+	 *             if the {@link StrolchRealm} does not exist with the given name
+	 */
+	protected StrolchTransaction openUserTx(String action) throws StrolchException {
+		return this.container.getRealm(getCertificate()).openTx(getCertificate(), action);
+	}
+
+	/**
+	 * This method is final as it enforces that the argument is valid, and catches all exceptions and enforces that a
+	 * service result is returned. A concrete implementation will implement the business logic in
+	 * {@link #internalDoService(ServiceArgument)}
+	 */
 	@Override
 	public final U doService(T argument) {

@ -155,6 +238,8 @@ public abstract class AbstractService<T extends ServiceArgument, U extends Servi
 	}

 	/**
+	 * Returns true if this Service requires an argument
+	 * 
 	 * @return if true, then an argument must be set to execute the service. If the argument is missing, then the
 	 *         service execution fails immediately
 	 */
@ -166,7 +251,7 @@ public abstract class AbstractService<T extends ServiceArgument, U extends Servi
 	 * This method is called if the service execution fails and an instance of the expected {@link ServiceResult} is
 	 * required to return to the caller
 	 * 
-	 * @return
+	 * @return an instance of the {@link ServiceResult} returned by this implementation
 	 */
 	protected abstract U getResultInstance();

@ -175,6 +260,7 @@ public abstract class AbstractService<T extends ServiceArgument, U extends Servi
 	 * done in the {@link #doService(ServiceArgument)} which calls this method
 	 * 
 	 * @param arg
+	 *            the {@link ServiceArgument} containing the arguments to perform the concrete service
 	 * 
 	 * @return a {@link ServiceResult} which denotes the execution state of this {@link Service}
 	 * 
--- a/li.strolch.agent/src/main/java/li/strolch/service/api/Service.java
+++ b/li.strolch.agent/src/main/java/li/strolch/service/api/Service.java
@ -20,9 +20,20 @@ import java.io.Serializable;
 import ch.eitchnet.privilege.model.Restrictable;

 /**
+ * Interface for Strolch service's. Service's are the main object in which business logic is implemented in a Strolch
+ * agent.
+ * 
 * @author Robert von Burg <eitch@eitchnet.ch>
 */
 public interface Service<T extends ServiceArgument, U extends ServiceResult> extends Serializable, Restrictable {

+	/**
+	 * Performs the actual service
+	 * 
+	 * @param argument
+	 *            the argument for the service
+	 * 
+	 * @return the service result
+	 */
 	public U doService(T argument);
 }
--- a/li.strolch.agent/src/main/java/li/strolch/service/api/ServiceResult.java
+++ b/li.strolch.agent/src/main/java/li/strolch/service/api/ServiceResult.java
@ -42,7 +42,6 @@ public class ServiceResult implements Serializable {
 	 * @param message
 	 */
 	public ServiceResult(ServiceResultState state, String message) {
-		super();
 		this.state = state;
 		this.message = message;
 	}
--- a/li.strolch.rest/src/main/java/li/strolch/rest/DefaultStrolchSessionHandler.java
+++ b/li.strolch.rest/src/main/java/li/strolch/rest/DefaultStrolchSessionHandler.java
@ -15,6 +15,9 @@
 */
 package li.strolch.rest;

+import static li.strolch.runtime.StrolchConstants.StrolchPrivilegeConstants.PRIVILEGE_GET_SESSION;
+import static li.strolch.runtime.StrolchConstants.StrolchPrivilegeConstants.PRIVILEGE_INVALIDATE_SESSION;
+
 import java.text.MessageFormat;
 import java.time.Instant;
 import java.time.LocalDateTime;
@ -53,8 +56,6 @@ import ch.eitchnet.utils.dbc.DBC;
 */
 public class DefaultStrolchSessionHandler extends StrolchComponent implements StrolchSessionHandler {

-	public static final String PRIVILEGE_INVALIDATE_SESSION = "InvalidateSession";
-	public static final String PRIVILEGE_GET_SESSION = "GetSession";
 	public static final String PARAM_SESSION_TTL_MINUTES = "session.ttl.minutes"; //$NON-NLS-1$

 	private static final Logger logger = LoggerFactory.getLogger(DefaultStrolchSessionHandler.class);
--- a/li.strolch.rest/src/main/java/li/strolch/rest/StrolchRestfulExceptionMapper.java
+++ b/li.strolch.rest/src/main/java/li/strolch/rest/StrolchRestfulExceptionMapper.java
@ -42,7 +42,7 @@ public class StrolchRestfulExceptionMapper implements ExceptionMapper<Exception>
 				sb.append(restrictable.getPrivilegeValue());
 			}

-			return Response.status(Status.FORBIDDEN).entity(sb.toString()).type(MediaType.TEXT_PLAIN).build();
+			return Response.status(Status.UNAUTHORIZED).entity(sb.toString()).type(MediaType.TEXT_PLAIN).build();
 		}

 		return Response.serverError().entity(new Result(ex)).type(MediaType.APPLICATION_JSON).build();
--- a/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/AuthenticationService.java
+++ b/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/AuthenticationService.java
@ -43,6 +43,7 @@ import li.strolch.runtime.privilege.PrivilegeHandler;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

+import ch.eitchnet.privilege.base.AccessDeniedException;
 import ch.eitchnet.privilege.base.PrivilegeException;
 import ch.eitchnet.privilege.model.Certificate;
 import ch.eitchnet.privilege.model.IPrivilege;
@ -111,10 +112,14 @@ public class AuthenticationService {
 					.header(HttpHeaders.AUTHORIZATION, certificate.getAuthToken())//
 					.build();

-		} catch (StrolchException | PrivilegeException e) {
+		} catch (AccessDeniedException e) {
 			logger.error(e.getMessage(), e);
 			loginResult.setMsg(MessageFormat.format("Could not log in due to: {0}", e.getMessage())); //$NON-NLS-1$
 			return Response.status(Status.UNAUTHORIZED).entity(loginResult).build();
+		} catch (StrolchException | PrivilegeException e) {
+			logger.error(e.getMessage(), e);
+			loginResult.setMsg(MessageFormat.format("Could not log in due to: {0}", e.getMessage())); //$NON-NLS-1$
+			return Response.status(Status.FORBIDDEN).entity(loginResult).build();
 		} catch (Exception e) {
 			logger.error(e.getMessage(), e);
 			String msg = e.getMessage();
--- a/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/PrivilegeRolesService.java
+++ b/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/PrivilegeRolesService.java
@ -36,10 +36,17 @@ import li.strolch.agent.api.ComponentContainer;
 import li.strolch.rest.RestfulStrolchComponent;
 import li.strolch.rest.StrolchRestfulConstants;
 import li.strolch.rest.model.Result;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
+import li.strolch.service.api.ServiceHandler;
+import li.strolch.service.privilege.roles.PrivilegeAddOrReplacePrivilegeOnRoleArgument;
+import li.strolch.service.privilege.roles.PrivilegeAddOrReplacePrivilegeOnRoleService;
+import li.strolch.service.privilege.roles.PrivilegeAddRoleService;
+import li.strolch.service.privilege.roles.PrivilegeRemovePrivilegeFromRoleArgument;
+import li.strolch.service.privilege.roles.PrivilegeRemovePrivilegeFromRoleService;
+import li.strolch.service.privilege.roles.PrivilegeRemoveRoleService;
+import li.strolch.service.privilege.roles.PrivilegeRoleArgument;
+import li.strolch.service.privilege.roles.PrivilegeRoleNameArgument;
+import li.strolch.service.privilege.roles.PrivilegeRoleResult;
+import li.strolch.service.privilege.roles.PrivilegeUpdateRoleService;
 import ch.eitchnet.privilege.base.AccessDeniedException;
 import ch.eitchnet.privilege.base.PrivilegeException;
 import ch.eitchnet.privilege.handler.PrivilegeHandler;
@ -53,8 +60,6 @@ import ch.eitchnet.privilege.model.RoleRep;
@Path("strolch/privilege/roles")
 public class PrivilegeRolesService {

-	private static final Logger logger = LoggerFactory.getLogger(PrivilegeRolesService.class);
-
 	private PrivilegeHandler getPrivilegeHandler(Certificate cert) {
 		ComponentContainer container = RestfulStrolchComponent.getInstance().getContainer();
 		return container.getPrivilegeHandler().getPrivilegeHandler(cert);
@ -88,21 +93,14 @@ public class PrivilegeRolesService {
 	@Produces(MediaType.APPLICATION_JSON)
 	public Response addRole(RoleRep newRole, @Context HttpServletRequest request) {
 		Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
-		try {

-			PrivilegeHandler privilegeHandler = getPrivilegeHandler(cert);
-			RoleRep role = privilegeHandler.addRole(cert, newRole);
-			return Response.ok(role, MediaType.APPLICATION_JSON).build();
+		ServiceHandler svcHandler = RestfulStrolchComponent.getInstance().getComponent(ServiceHandler.class);
+		PrivilegeAddRoleService svc = new PrivilegeAddRoleService();
+		PrivilegeRoleArgument arg = new PrivilegeRoleArgument();
+		arg.role = newRole;

-		} catch (AccessDeniedException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.UNAUTHORIZED).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
-		} catch (PrivilegeException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.FORBIDDEN).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
-		}
+		PrivilegeRoleResult svcResult = svcHandler.doService(cert, svc, arg);
+		return handleServiceResult(svcResult);
 	}

 	@PUT
@ -112,25 +110,18 @@ public class PrivilegeRolesService {
 	public Response replaceRole(@PathParam("rolename") String rolename, RoleRep updatedRole,
 			@Context HttpServletRequest request) {
 		Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
-		try {

-			if (!rolename.equals(updatedRole.getName()))
-				return Response.serverError().entity(new Result("Path rolename and data do not have same role name!"))
-						.type(MediaType.APPLICATION_JSON).build();
-
-			PrivilegeHandler privilegeHandler = getPrivilegeHandler(cert);
-			RoleRep role = privilegeHandler.replaceRole(cert, updatedRole);
-			return Response.ok(role, MediaType.APPLICATION_JSON).build();
-
-		} catch (AccessDeniedException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.UNAUTHORIZED).entity(new Result(e.getMessage()))
+		if (!rolename.equals(updatedRole.getName()))
+			return Response.serverError().entity(new Result("Path rolename and data do not have same role name!"))
 					.type(MediaType.APPLICATION_JSON).build();
-		} catch (PrivilegeException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.FORBIDDEN).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
-		}
+
+		ServiceHandler svcHandler = RestfulStrolchComponent.getInstance().getComponent(ServiceHandler.class);
+		PrivilegeUpdateRoleService svc = new PrivilegeUpdateRoleService();
+		PrivilegeRoleArgument arg = new PrivilegeRoleArgument();
+		arg.role = updatedRole;
+
+		PrivilegeRoleResult svcResult = svcHandler.doService(cert, svc, arg);
+		return handleServiceResult(svcResult);
 	}

 	@DELETE
@ -139,21 +130,14 @@ public class PrivilegeRolesService {
 	@Path("{rolename}")
 	public Response removeRole(@PathParam("rolename") String rolename, @Context HttpServletRequest request) {
 		Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
-		try {

-			PrivilegeHandler privilegeHandler = getPrivilegeHandler(cert);
-			RoleRep role = privilegeHandler.removeRole(cert, rolename);
-			return Response.ok(role, MediaType.APPLICATION_JSON).build();
+		ServiceHandler svcHandler = RestfulStrolchComponent.getInstance().getComponent(ServiceHandler.class);
+		PrivilegeRemoveRoleService svc = new PrivilegeRemoveRoleService();
+		PrivilegeRoleNameArgument arg = new PrivilegeRoleNameArgument();
+		arg.roleName = rolename;

-		} catch (AccessDeniedException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.UNAUTHORIZED).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
-		} catch (PrivilegeException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.FORBIDDEN).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
-		}
+		PrivilegeRoleResult svcResult = svcHandler.doService(cert, svc, arg);
+		return handleServiceResult(svcResult);
 	}

 	@PUT
@ -163,21 +147,15 @@ public class PrivilegeRolesService {
 	public Response addOrReplacePrivilegeOnRole(@PathParam("rolename") String rolename, PrivilegeRep privilegeRep,
 			@Context HttpServletRequest request) {
 		Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
-		try {

-			PrivilegeHandler privilegeHandler = getPrivilegeHandler(cert);
-			RoleRep updatedRole = privilegeHandler.addOrReplacePrivilegeOnRole(cert, rolename, privilegeRep);
-			return Response.ok(updatedRole, MediaType.APPLICATION_JSON).build();
+		ServiceHandler svcHandler = RestfulStrolchComponent.getInstance().getComponent(ServiceHandler.class);
+		PrivilegeAddOrReplacePrivilegeOnRoleService svc = new PrivilegeAddOrReplacePrivilegeOnRoleService();
+		PrivilegeAddOrReplacePrivilegeOnRoleArgument arg = new PrivilegeAddOrReplacePrivilegeOnRoleArgument();
+		arg.roleName = rolename;
+		arg.privilegeRep = privilegeRep;

-		} catch (AccessDeniedException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.UNAUTHORIZED).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
-		} catch (PrivilegeException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.FORBIDDEN).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
-		}
+		PrivilegeRoleResult svcResult = svcHandler.doService(cert, svc, arg);
+		return handleServiceResult(svcResult);
 	}

 	@DELETE
@ -187,20 +165,30 @@ public class PrivilegeRolesService {
 	public Response removePrivilegeFromRole(@PathParam("rolename") String rolename,
 			@PathParam("privilege") String privilege, @Context HttpServletRequest request) {
 		Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
-		try {

-			PrivilegeHandler privilegeHandler = getPrivilegeHandler(cert);
-			RoleRep updatedRole = privilegeHandler.removePrivilegeFromRole(cert, rolename, privilege);
-			return Response.ok(updatedRole, MediaType.APPLICATION_JSON).build();
+		ServiceHandler svcHandler = RestfulStrolchComponent.getInstance().getComponent(ServiceHandler.class);
+		PrivilegeRemovePrivilegeFromRoleService svc = new PrivilegeRemovePrivilegeFromRoleService();
+		PrivilegeRemovePrivilegeFromRoleArgument arg = new PrivilegeRemovePrivilegeFromRoleArgument();
+		arg.roleName = rolename;
+		arg.privilegeName = privilege;

-		} catch (AccessDeniedException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.UNAUTHORIZED).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
-		} catch (PrivilegeException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.FORBIDDEN).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
+		PrivilegeRoleResult svcResult = svcHandler.doService(cert, svc, arg);
+		return handleServiceResult(svcResult);
+	}
+
+	private Response handleServiceResult(PrivilegeRoleResult svcResult) {
+		if (svcResult.isOk()) {
+			return Response.ok(svcResult.getRole(), MediaType.APPLICATION_JSON).build();
+		} else if (svcResult.getThrowable() != null) {
+			Throwable t = svcResult.getThrowable();
+			if (t instanceof AccessDeniedException) {
+				return Response.status(Status.FORBIDDEN).entity(new Result(t.getMessage()))
+						.type(MediaType.APPLICATION_JSON).build();
+			} else if (t instanceof PrivilegeException) {
+				return Response.status(Status.UNAUTHORIZED).entity(new Result(t.getMessage())).build();
+			}
 		}
+
+		return Response.status(Status.INTERNAL_SERVER_ERROR).entity(new Result(svcResult.getMessage())).build();
 	}
 }
--- a/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/PrivilegeUsersService.java
+++ b/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/PrivilegeUsersService.java
@ -37,12 +37,26 @@ import javax.ws.rs.core.Response.Status;
 import li.strolch.agent.api.ComponentContainer;
 import li.strolch.rest.RestfulStrolchComponent;
 import li.strolch.rest.StrolchRestfulConstants;
+import li.strolch.rest.StrolchSessionHandler;
 import li.strolch.rest.model.PasswordField;
 import li.strolch.rest.model.Result;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
+import li.strolch.service.api.ServiceHandler;
+import li.strolch.service.api.ServiceResult;
+import li.strolch.service.privilege.users.PrivilegeAddRoleToUserService;
+import li.strolch.service.privilege.users.PrivilegeAddUserService;
+import li.strolch.service.privilege.users.PrivilegeRemoveRoleFromUserService;
+import li.strolch.service.privilege.users.PrivilegeRemoveUserService;
+import li.strolch.service.privilege.users.PrivilegeRoleUserNamesArgument;
+import li.strolch.service.privilege.users.PrivilegeSetUserLocaleArgument;
+import li.strolch.service.privilege.users.PrivilegeSetUserLocaleService;
+import li.strolch.service.privilege.users.PrivilegeSetUserPasswordArgument;
+import li.strolch.service.privilege.users.PrivilegeSetUserPasswordService;
+import li.strolch.service.privilege.users.PrivilegeSetUserStateArgument;
+import li.strolch.service.privilege.users.PrivilegeSetUserStateService;
+import li.strolch.service.privilege.users.PrivilegeUpdateUserService;
+import li.strolch.service.privilege.users.PrivilegeUserArgument;
+import li.strolch.service.privilege.users.PrivilegeUserNameArgument;
+import li.strolch.service.privilege.users.PrivilegeUserResult;
 import ch.eitchnet.privilege.base.AccessDeniedException;
 import ch.eitchnet.privilege.base.PrivilegeException;
 import ch.eitchnet.privilege.handler.PrivilegeHandler;
@ -56,8 +70,6 @@ import ch.eitchnet.privilege.model.UserState;
@Path("strolch/privilege/users")
 public class PrivilegeUsersService {

-	private static final Logger logger = LoggerFactory.getLogger(PrivilegeUsersService.class);
-
 	private PrivilegeHandler getPrivilegeHandler(Certificate cert) {
 		ComponentContainer container = RestfulStrolchComponent.getInstance().getContainer();
 		return container.getPrivilegeHandler().getPrivilegeHandler(cert);
@ -105,21 +117,14 @@ public class PrivilegeUsersService {
 	@Produces(MediaType.APPLICATION_JSON)
 	public Response addUser(UserRep newUser, @Context HttpServletRequest request) {
 		Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
-		try {

-			PrivilegeHandler privilegeHandler = getPrivilegeHandler(cert);
-			UserRep user = privilegeHandler.addUser(cert, newUser, null);
-			return Response.ok(user, MediaType.APPLICATION_JSON).build();
+		ServiceHandler svcHandler = RestfulStrolchComponent.getInstance().getComponent(ServiceHandler.class);
+		PrivilegeAddUserService svc = new PrivilegeAddUserService();
+		PrivilegeUserArgument arg = new PrivilegeUserArgument();
+		arg.user = newUser;

-		} catch (AccessDeniedException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.UNAUTHORIZED).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
-		} catch (PrivilegeException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.FORBIDDEN).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
-		}
+		PrivilegeUserResult svcResult = svcHandler.doService(cert, svc, arg);
+		return handleServiceResult(svcResult);
 	}

 	@DELETE
@ -128,21 +133,14 @@ public class PrivilegeUsersService {
 	@Path("{username}")
 	public Response removeUser(@PathParam("username") String username, @Context HttpServletRequest request) {
 		Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
-		try {

-			PrivilegeHandler privilegeHandler = getPrivilegeHandler(cert);
-			UserRep user = privilegeHandler.removeUser(cert, username);
-			return Response.ok(user, MediaType.APPLICATION_JSON).build();
+		ServiceHandler svcHandler = RestfulStrolchComponent.getInstance().getComponent(ServiceHandler.class);
+		PrivilegeRemoveUserService svc = new PrivilegeRemoveUserService();
+		PrivilegeUserNameArgument arg = new PrivilegeUserNameArgument();
+		arg.username = username;

-		} catch (AccessDeniedException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.UNAUTHORIZED).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
-		} catch (PrivilegeException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.FORBIDDEN).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
-		}
+		PrivilegeUserResult svcResult = svcHandler.doService(cert, svc, arg);
+		return handleServiceResult(svcResult);
 	}

 	@PUT
@ -152,25 +150,14 @@ public class PrivilegeUsersService {
 	public Response updateUser(@PathParam("username") String username, UserRep updatedFields,
 			@Context HttpServletRequest request) {
 		Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
-		try {

-			if (!username.equals(updatedFields.getUsername()))
-				return Response.serverError().entity(new Result("Path username and data do not have same username!"))
-						.type(MediaType.APPLICATION_JSON).build();
+		ServiceHandler svcHandler = RestfulStrolchComponent.getInstance().getComponent(ServiceHandler.class);
+		PrivilegeUpdateUserService svc = new PrivilegeUpdateUserService();
+		PrivilegeUserArgument arg = new PrivilegeUserArgument();
+		arg.user = updatedFields;

-			PrivilegeHandler privilegeHandler = getPrivilegeHandler(cert);
-			UserRep updatedUser = privilegeHandler.updateUser(cert, updatedFields);
-			return Response.ok(updatedUser, MediaType.APPLICATION_JSON).build();
-
-		} catch (AccessDeniedException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.UNAUTHORIZED).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
-		} catch (PrivilegeException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.FORBIDDEN).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
-		}
+		PrivilegeUserResult svcResult = svcHandler.doService(cert, svc, arg);
+		return handleServiceResult(svcResult);
 	}

 	@PUT
@ -180,21 +167,15 @@ public class PrivilegeUsersService {
 	public Response addRoleToUser(@PathParam("username") String username, @PathParam("rolename") String rolename,
 			@Context HttpServletRequest request) {
 		Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
-		try {

-			PrivilegeHandler privilegeHandler = getPrivilegeHandler(cert);
-			UserRep updatedUser = privilegeHandler.addRoleToUser(cert, username, rolename);
-			return Response.ok(updatedUser, MediaType.APPLICATION_JSON).build();
+		ServiceHandler svcHandler = RestfulStrolchComponent.getInstance().getComponent(ServiceHandler.class);
+		PrivilegeAddRoleToUserService svc = new PrivilegeAddRoleToUserService();
+		PrivilegeRoleUserNamesArgument arg = new PrivilegeRoleUserNamesArgument();
+		arg.username = username;
+		arg.rolename = rolename;

-		} catch (AccessDeniedException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.UNAUTHORIZED).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
-		} catch (PrivilegeException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.FORBIDDEN).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
-		}
+		PrivilegeUserResult svcResult = svcHandler.doService(cert, svc, arg);
+		return handleServiceResult(svcResult);
 	}

 	@DELETE
@ -204,21 +185,15 @@ public class PrivilegeUsersService {
 	public Response removeRoleFromUser(@PathParam("username") String username, @PathParam("rolename") String rolename,
 			@Context HttpServletRequest request) {
 		Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
-		try {

-			PrivilegeHandler privilegeHandler = getPrivilegeHandler(cert);
-			UserRep updatedUser = privilegeHandler.removeRoleFromUser(cert, username, rolename);
-			return Response.ok(updatedUser, MediaType.APPLICATION_JSON).build();
+		ServiceHandler svcHandler = RestfulStrolchComponent.getInstance().getComponent(ServiceHandler.class);
+		PrivilegeRemoveRoleFromUserService svc = new PrivilegeRemoveRoleFromUserService();
+		PrivilegeRoleUserNamesArgument arg = new PrivilegeRoleUserNamesArgument();
+		arg.username = username;
+		arg.rolename = rolename;

-		} catch (AccessDeniedException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.UNAUTHORIZED).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
-		} catch (PrivilegeException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.FORBIDDEN).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
-		}
+		PrivilegeUserResult svcResult = svcHandler.doService(cert, svc, arg);
+		return handleServiceResult(svcResult);
 	}

 	@PUT
@ -227,54 +202,39 @@ public class PrivilegeUsersService {
 	public Response setUserState(@PathParam("username") String username, @PathParam("state") String state,
 			@Context HttpServletRequest request) {
 		Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
+
+		UserState userState;
 		try {
-
-			UserState userState;
-			try {
-				userState = UserState.valueOf(state);
-			} catch (Exception e) {
-				String msg = MessageFormat.format("UserState {0} is not valid!", state);
-				return Response.serverError().entity(new Result(msg)).type(MediaType.APPLICATION_JSON).build();
-			}
-
-			PrivilegeHandler privilegeHandler = getPrivilegeHandler(cert);
-			UserRep updatedUser = privilegeHandler.setUserState(cert, username, userState);
-			return Response.ok(updatedUser, MediaType.APPLICATION_JSON).build();
-
-		} catch (AccessDeniedException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.UNAUTHORIZED).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
-		} catch (PrivilegeException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.FORBIDDEN).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
+			userState = UserState.valueOf(state);
+		} catch (Exception e) {
+			String msg = MessageFormat.format("UserState {0} is not valid!", state);
+			return Response.serverError().entity(new Result(msg)).type(MediaType.APPLICATION_JSON).build();
 		}
+
+		ServiceHandler svcHandler = RestfulStrolchComponent.getInstance().getComponent(ServiceHandler.class);
+		PrivilegeSetUserStateService svc = new PrivilegeSetUserStateService();
+		PrivilegeSetUserStateArgument arg = new PrivilegeSetUserStateArgument();
+		arg.username = username;
+		arg.userState = userState;
+
+		PrivilegeUserResult svcResult = svcHandler.doService(cert, svc, arg);
+		return handleServiceResult(svcResult);
 	}

-	@PUT
-	@Produces(MediaType.APPLICATION_JSON)
-	@Path("{username}/password")
-	public Response setUserPassword(@PathParam("username") String username, PasswordField passwordField,
-			@Context HttpServletRequest request) {
-		Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
-		try {
-
-			// if user changing own password, then no need for StrolchPrivilegeAdmin
-			PrivilegeHandler privilegeHandler = getPrivilegeHandler(cert);
-
-			privilegeHandler.setUserPassword(cert, username, passwordField.getPassword().getBytes());
-			return Response.ok(new Result(), MediaType.APPLICATION_JSON).build();
-
-		} catch (AccessDeniedException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.UNAUTHORIZED).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
-		} catch (PrivilegeException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.FORBIDDEN).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
+	private Response handleServiceResult(PrivilegeUserResult svcResult) {
+		if (svcResult.isOk()) {
+			return Response.ok(svcResult.getUser(), MediaType.APPLICATION_JSON).build();
+		} else if (svcResult.getThrowable() != null) {
+			Throwable t = svcResult.getThrowable();
+			if (t instanceof AccessDeniedException) {
+				return Response.status(Status.FORBIDDEN).entity(new Result(t.getMessage()))
+						.type(MediaType.APPLICATION_JSON).build();
+			} else if (t instanceof PrivilegeException) {
+				return Response.status(Status.UNAUTHORIZED).entity(new Result(t.getMessage())).build();
+			}
 		}
+
+		return Response.status(Status.INTERNAL_SERVER_ERROR).entity(new Result(svcResult.getMessage())).build();
 	}

 	@PUT
@ -283,30 +243,60 @@ public class PrivilegeUsersService {
 	public Response setUserLocale(@PathParam("username") String username, @PathParam("locale") String localeS,
 			@Context HttpServletRequest request) {
 		Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
-		try {

-			Locale locale;
-			try {
-				locale = new Locale(localeS);
-			} catch (Exception e) {
-				String msg = MessageFormat.format("Locale {0} is not valid!", localeS);
-				return Response.serverError().entity(new Result(msg)).type(MediaType.APPLICATION_JSON).build();
+		Locale locale;
+		try {
+			locale = new Locale(localeS);
+		} catch (Exception e) {
+			String msg = MessageFormat.format("Locale {0} is not valid!", localeS);
+			return Response.serverError().entity(new Result(msg)).type(MediaType.APPLICATION_JSON).build();
+		}
+
+		ServiceHandler svcHandler = RestfulStrolchComponent.getInstance().getComponent(ServiceHandler.class);
+		PrivilegeSetUserLocaleService svc = new PrivilegeSetUserLocaleService();
+		PrivilegeSetUserLocaleArgument arg = new PrivilegeSetUserLocaleArgument();
+		arg.username = username;
+		arg.locale = locale;
+
+		PrivilegeUserResult svcResult = svcHandler.doService(cert, svc, arg);
+		return handleServiceResult(svcResult);
+	}
+
+	@PUT
+	@Produces(MediaType.APPLICATION_JSON)
+	@Path("{username}/password")
+	public Response setUserPassword(@PathParam("username") String username, PasswordField passwordField,
+			@Context HttpServletRequest request) {
+		Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
+
+		ServiceHandler svcHandler = RestfulStrolchComponent.getInstance().getComponent(ServiceHandler.class);
+		PrivilegeSetUserPasswordService svc = new PrivilegeSetUserPasswordService();
+		PrivilegeSetUserPasswordArgument arg = new PrivilegeSetUserPasswordArgument();
+		arg.username = username;
+		arg.password = passwordField.getPassword().getBytes();
+
+		ServiceResult svcResult = svcHandler.doService(cert, svc, arg);
+		if (svcResult.isOk()) {
+
+			// if user changes their own password, then invalidate the session
+			if (cert.getUsername().equals(username)) {
+				StrolchSessionHandler sessionHandler = RestfulStrolchComponent.getInstance().getSessionHandler();
+				sessionHandler.invalidate(cert);
 			}

-			// if user changing own locale, then no need for StrolchPrivilegeAdmin
-			PrivilegeHandler privilegeHandler = getPrivilegeHandler(cert);
+			// TODO invalidate any other sessions for this user

-			UserRep updatedUser = privilegeHandler.setUserLocale(cert, username, locale);
-			return Response.ok(updatedUser, MediaType.APPLICATION_JSON).build();
-
-		} catch (AccessDeniedException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.UNAUTHORIZED).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
-		} catch (PrivilegeException e) {
-			logger.error(e.getMessage(), e);
-			return Response.status(Status.FORBIDDEN).entity(new Result(e.getMessage()))
-					.type(MediaType.APPLICATION_JSON).build();
+			return Response.ok(new Result(), MediaType.APPLICATION_JSON).build();
+		} else if (svcResult.getThrowable() != null) {
+			Throwable t = svcResult.getThrowable();
+			if (t instanceof AccessDeniedException) {
+				return Response.status(Status.UNAUTHORIZED).entity(new Result(t.getMessage()))
+						.type(MediaType.APPLICATION_JSON).build();
+			} else if (t instanceof PrivilegeException) {
+				return Response.status(Status.FORBIDDEN).entity(new Result(t.getMessage())).build();
+			}
 		}
+
+		return Response.status(Status.INTERNAL_SERVER_ERROR).entity(new Result(svcResult.getMessage())).build();
 	}
 }
--- a/li.strolch.rest/src/main/java/li/strolch/rest/filters/AuthenicationRequestFilter.java
+++ b/li.strolch.rest/src/main/java/li/strolch/rest/filters/AuthenicationRequestFilter.java
@ -46,7 +46,7 @@ public class AuthenicationRequestFilter implements ContainerRequestFilter {
 		String sessionId = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
 		if (StringHelper.isEmpty(sessionId)) {
 			logger.error("No SessionID on request to URL " + requestContext.getUriInfo().getPath());
-			requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED)
+			requestContext.abortWith(Response.status(Response.Status.FORBIDDEN)
 					.header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN).entity("Missing Authorization!").build()); //$NON-NLS-1$
 			return;
 		}
@ -58,7 +58,7 @@ public class AuthenicationRequestFilter implements ContainerRequestFilter {
 			requestContext.setProperty(STROLCH_CERTIFICATE, certificate);
 		} catch (Exception e) {
 			logger.error(e.getMessage(), e);
-			requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED)
+			requestContext.abortWith(Response.status(Response.Status.FORBIDDEN)
 					.header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN)
 					.entity("User cannot access the resource.").build()); //$NON-NLS-1$
 		}
--- a/li.strolch.rest/src/test/java/li/strolch/rest/inspector/test/AuthenticationTest.java
+++ b/li.strolch.rest/src/test/java/li/strolch/rest/inspector/test/AuthenticationTest.java
@ -109,7 +109,7 @@ public class AuthenticationTest extends AbstractRestfulTest {
 		login.setPassword("blalba");
 		Entity<Login> loginEntity = Entity.entity(login, MediaType.APPLICATION_JSON);
 		Response result = target().path(ROOT_PATH).request(MediaType.APPLICATION_JSON).post(loginEntity);
-		assertEquals(Status.UNAUTHORIZED.getStatusCode(), result.getStatus());
+		assertEquals(Status.FORBIDDEN.getStatusCode(), result.getStatus());
 		LogoutResult logoutResult = result.readEntity(LogoutResult.class);
 		assertNotNull(logoutResult);
 		assertEquals("Could not log in due to: Authentication credentials are invalid", logoutResult.getMsg());
@ -133,7 +133,7 @@ public class AuthenticationTest extends AbstractRestfulTest {

 		// logout
 		result = target().path(ROOT_PATH + "/blabla").request(MediaType.APPLICATION_JSON).delete();
-		assertEquals(Status.UNAUTHORIZED.getStatusCode(), result.getStatus());
+		assertEquals(Status.FORBIDDEN.getStatusCode(), result.getStatus());
 		LogoutResult logoutResult = result.readEntity(LogoutResult.class);
 		assertNotNull(logoutResult);
 		assertThat(logoutResult.getMsg(), containsString("No certificate exists for sessionId blabla"));
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeAddOrReplacePrivilegeOnRoleArgument.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeAddOrReplacePrivilegeOnRoleArgument.java
@ -0,0 +1,10 @@
+package li.strolch.service.privilege.roles;
+
+import ch.eitchnet.privilege.model.PrivilegeRep;
+import li.strolch.service.api.ServiceArgument;
+
+public class PrivilegeAddOrReplacePrivilegeOnRoleArgument extends ServiceArgument {
+	private static final long serialVersionUID = 1L;
+	public String roleName;
+	public PrivilegeRep privilegeRep;
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeAddOrReplacePrivilegeOnRoleService.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeAddOrReplacePrivilegeOnRoleService.java
@ -0,0 +1,66 @@
+/*
+ * Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package li.strolch.service.privilege.roles;
+
+import li.strolch.model.audit.AccessType;
+import li.strolch.model.audit.Audit;
+import li.strolch.persistence.api.StrolchTransaction;
+import li.strolch.runtime.StrolchConstants.StrolchPrivilegeConstants;
+import li.strolch.service.api.AbstractService;
+import ch.eitchnet.privilege.handler.PrivilegeHandler;
+import ch.eitchnet.privilege.model.RoleRep;
+
+/**
+ * @author Robert von Burg <eitch@eitchnet.ch>
+ */
+public class PrivilegeAddOrReplacePrivilegeOnRoleService extends
+		AbstractService<PrivilegeAddOrReplacePrivilegeOnRoleArgument, PrivilegeRoleResult> {
+
+	private static final long serialVersionUID = 1L;
+
+	@Override
+	protected PrivilegeRoleResult getResultInstance() {
+		return new PrivilegeRoleResult();
+	}
+
+	@Override
+	protected PrivilegeRoleResult internalDoService(PrivilegeAddOrReplacePrivilegeOnRoleArgument arg) throws Exception {
+
+		li.strolch.runtime.privilege.PrivilegeHandler strolchPrivilegeHandler = getContainer().getPrivilegeHandler();
+		PrivilegeHandler privilegeHandler = strolchPrivilegeHandler.getPrivilegeHandler(getCertificate());
+
+		RoleRep role = privilegeHandler.addOrReplacePrivilegeOnRole(getCertificate(), arg.roleName, arg.privilegeRep);
+
+		try (StrolchTransaction tx = openUserTx(PrivilegeHandler.PRIVILEGE_MODIFY_ROLE)) {
+			tx.setSuppressAudits(true);
+			Audit audit = tx.auditFrom(AccessType.UPDATE, StrolchPrivilegeConstants.PRIVILEGE,
+					StrolchPrivilegeConstants.ROLE, role.getName());
+			tx.getAuditTrail().add(tx, audit);
+		}
+
+		return new PrivilegeRoleResult(role);
+	}
+
+	@Override
+	public String getPrivilegeName() {
+		return StrolchPrivilegeConstants.PRIVILEGE_MODIFY_ROLE;
+	}
+
+	@Override
+	public Object getPrivilegeValue() {
+		return null;
+	}
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeAddRoleService.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeAddRoleService.java
@ -0,0 +1,65 @@
+/*
+ * Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package li.strolch.service.privilege.roles;
+
+import li.strolch.model.audit.AccessType;
+import li.strolch.model.audit.Audit;
+import li.strolch.persistence.api.StrolchTransaction;
+import li.strolch.runtime.StrolchConstants.StrolchPrivilegeConstants;
+import li.strolch.service.api.AbstractService;
+import ch.eitchnet.privilege.handler.PrivilegeHandler;
+import ch.eitchnet.privilege.model.RoleRep;
+
+/**
+ * @author Robert von Burg <eitch@eitchnet.ch>
+ */
+public class PrivilegeAddRoleService extends AbstractService<PrivilegeRoleArgument, PrivilegeRoleResult> {
+
+	private static final long serialVersionUID = 1L;
+
+	@Override
+	protected PrivilegeRoleResult getResultInstance() {
+		return new PrivilegeRoleResult();
+	}
+
+	@Override
+	protected PrivilegeRoleResult internalDoService(PrivilegeRoleArgument arg) throws Exception {
+
+		li.strolch.runtime.privilege.PrivilegeHandler strolchPrivilegeHandler = getContainer().getPrivilegeHandler();
+		PrivilegeHandler privilegeHandler = strolchPrivilegeHandler.getPrivilegeHandler(getCertificate());
+
+		RoleRep role = privilegeHandler.addRole(getCertificate(), arg.role);
+
+		try (StrolchTransaction tx = openUserTx(PrivilegeHandler.PRIVILEGE_ADD_ROLE)) {
+			tx.setSuppressAudits(true);
+			Audit audit = tx.auditFrom(AccessType.CREATE, StrolchPrivilegeConstants.PRIVILEGE,
+					StrolchPrivilegeConstants.ROLE, role.getName());
+			tx.getAuditTrail().add(tx, audit);
+		}
+
+		return new PrivilegeRoleResult(role);
+	}
+
+	@Override
+	public String getPrivilegeName() {
+		return StrolchPrivilegeConstants.PRIVILEGE_ADD_ROLE;
+	}
+
+	@Override
+	public Object getPrivilegeValue() {
+		return null;
+	}
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeRemovePrivilegeFromRoleArgument.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeRemovePrivilegeFromRoleArgument.java
@ -0,0 +1,9 @@
+package li.strolch.service.privilege.roles;
+
+import li.strolch.service.api.ServiceArgument;
+
+public class PrivilegeRemovePrivilegeFromRoleArgument extends ServiceArgument {
+	private static final long serialVersionUID = 1L;
+	public String roleName;
+	public String privilegeName;
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeRemovePrivilegeFromRoleService.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeRemovePrivilegeFromRoleService.java
@ -0,0 +1,66 @@
+/*
+ * Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package li.strolch.service.privilege.roles;
+
+import li.strolch.model.audit.AccessType;
+import li.strolch.model.audit.Audit;
+import li.strolch.persistence.api.StrolchTransaction;
+import li.strolch.runtime.StrolchConstants.StrolchPrivilegeConstants;
+import li.strolch.service.api.AbstractService;
+import ch.eitchnet.privilege.handler.PrivilegeHandler;
+import ch.eitchnet.privilege.model.RoleRep;
+
+/**
+ * @author Robert von Burg <eitch@eitchnet.ch>
+ */
+public class PrivilegeRemovePrivilegeFromRoleService extends
+		AbstractService<PrivilegeRemovePrivilegeFromRoleArgument, PrivilegeRoleResult> {
+
+	private static final long serialVersionUID = 1L;
+
+	@Override
+	protected PrivilegeRoleResult getResultInstance() {
+		return new PrivilegeRoleResult();
+	}
+
+	@Override
+	protected PrivilegeRoleResult internalDoService(PrivilegeRemovePrivilegeFromRoleArgument arg) throws Exception {
+
+		li.strolch.runtime.privilege.PrivilegeHandler strolchPrivilegeHandler = getContainer().getPrivilegeHandler();
+		PrivilegeHandler privilegeHandler = strolchPrivilegeHandler.getPrivilegeHandler(getCertificate());
+
+		RoleRep role = privilegeHandler.removePrivilegeFromRole(getCertificate(), arg.roleName, arg.privilegeName);
+
+		try (StrolchTransaction tx = openUserTx(StrolchPrivilegeConstants.PRIVILEGE_MODIFY_ROLE)) {
+			tx.setSuppressAudits(true);
+			Audit audit = tx.auditFrom(AccessType.UPDATE, StrolchPrivilegeConstants.PRIVILEGE,
+					StrolchPrivilegeConstants.ROLE, role.getName());
+			tx.getAuditTrail().add(tx, audit);
+		}
+
+		return new PrivilegeRoleResult(role);
+	}
+
+	@Override
+	public String getPrivilegeName() {
+		return StrolchPrivilegeConstants.PRIVILEGE_MODIFY_ROLE;
+	}
+
+	@Override
+	public Object getPrivilegeValue() {
+		return null;
+	}
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeRemoveRoleService.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeRemoveRoleService.java
@ -0,0 +1,65 @@
+/*
+ * Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package li.strolch.service.privilege.roles;
+
+import li.strolch.model.audit.AccessType;
+import li.strolch.model.audit.Audit;
+import li.strolch.persistence.api.StrolchTransaction;
+import li.strolch.runtime.StrolchConstants.StrolchPrivilegeConstants;
+import li.strolch.service.api.AbstractService;
+import ch.eitchnet.privilege.handler.PrivilegeHandler;
+import ch.eitchnet.privilege.model.RoleRep;
+
+/**
+ * @author Robert von Burg <eitch@eitchnet.ch>
+ */
+public class PrivilegeRemoveRoleService extends AbstractService<PrivilegeRoleNameArgument, PrivilegeRoleResult> {
+
+	private static final long serialVersionUID = 1L;
+
+	@Override
+	protected PrivilegeRoleResult getResultInstance() {
+		return new PrivilegeRoleResult();
+	}
+
+	@Override
+	protected PrivilegeRoleResult internalDoService(PrivilegeRoleNameArgument arg) throws Exception {
+
+		li.strolch.runtime.privilege.PrivilegeHandler strolchPrivilegeHandler = getContainer().getPrivilegeHandler();
+		PrivilegeHandler privilegeHandler = strolchPrivilegeHandler.getPrivilegeHandler(getCertificate());
+
+		RoleRep role = privilegeHandler.removeRole(getCertificate(), arg.roleName);
+
+		try (StrolchTransaction tx = openUserTx(PrivilegeHandler.PRIVILEGE_REMOVE_ROLE)) {
+			tx.setSuppressAudits(true);
+			Audit audit = tx.auditFrom(AccessType.DELETE, StrolchPrivilegeConstants.PRIVILEGE,
+					StrolchPrivilegeConstants.ROLE, role.getName());
+			tx.getAuditTrail().add(tx, audit);
+		}
+
+		return new PrivilegeRoleResult(role);
+	}
+
+	@Override
+	public String getPrivilegeName() {
+		return StrolchPrivilegeConstants.PRIVILEGE_REMOVE_ROLE;
+	}
+
+	@Override
+	public Object getPrivilegeValue() {
+		return null;
+	}
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeRoleArgument.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeRoleArgument.java
@ -0,0 +1,9 @@
+package li.strolch.service.privilege.roles;
+
+import li.strolch.service.api.ServiceArgument;
+import ch.eitchnet.privilege.model.RoleRep;
+
+public class PrivilegeRoleArgument extends ServiceArgument {
+	private static final long serialVersionUID = 1L;
+	public RoleRep role;
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeRoleNameArgument.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeRoleNameArgument.java
@ -0,0 +1,8 @@
+package li.strolch.service.privilege.roles;
+
+import li.strolch.service.api.ServiceArgument;
+
+public class PrivilegeRoleNameArgument extends ServiceArgument {
+	private static final long serialVersionUID = 1L;
+	public String roleName;
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeRoleResult.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeRoleResult.java
@ -0,0 +1,32 @@
+package li.strolch.service.privilege.roles;
+
+import li.strolch.service.api.ServiceResult;
+import li.strolch.service.api.ServiceResultState;
+import ch.eitchnet.privilege.model.RoleRep;
+
+public class PrivilegeRoleResult extends ServiceResult {
+	private static final long serialVersionUID = 1L;
+
+	private RoleRep role;
+
+	public PrivilegeRoleResult() {
+		super();
+	}
+
+	public PrivilegeRoleResult(ServiceResultState state, String message) {
+		super(state, message);
+	}
+
+	public PrivilegeRoleResult(ServiceResultState state) {
+		super(state);
+	}
+
+	public PrivilegeRoleResult(RoleRep role) {
+		setState(ServiceResultState.SUCCESS);
+		this.role = role;
+	}
+
+	public RoleRep getRole() {
+		return role;
+	}
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeUpdateRoleService.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeUpdateRoleService.java
@ -0,0 +1,65 @@
+/*
+ * Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package li.strolch.service.privilege.roles;
+
+import li.strolch.model.audit.AccessType;
+import li.strolch.model.audit.Audit;
+import li.strolch.persistence.api.StrolchTransaction;
+import li.strolch.runtime.StrolchConstants.StrolchPrivilegeConstants;
+import li.strolch.service.api.AbstractService;
+import ch.eitchnet.privilege.handler.PrivilegeHandler;
+import ch.eitchnet.privilege.model.RoleRep;
+
+/**
+ * @author Robert von Burg <eitch@eitchnet.ch>
+ */
+public class PrivilegeUpdateRoleService extends AbstractService<PrivilegeRoleArgument, PrivilegeRoleResult> {
+
+	private static final long serialVersionUID = 1L;
+
+	@Override
+	protected PrivilegeRoleResult getResultInstance() {
+		return new PrivilegeRoleResult();
+	}
+
+	@Override
+	protected PrivilegeRoleResult internalDoService(PrivilegeRoleArgument arg) throws Exception {
+
+		li.strolch.runtime.privilege.PrivilegeHandler strolchPrivilegeHandler = getContainer().getPrivilegeHandler();
+		PrivilegeHandler privilegeHandler = strolchPrivilegeHandler.getPrivilegeHandler(getCertificate());
+
+		RoleRep role = privilegeHandler.replaceRole(getCertificate(), arg.role);
+
+		try (StrolchTransaction tx = openUserTx(PrivilegeHandler.PRIVILEGE_MODIFY_ROLE)) {
+			tx.setSuppressAudits(true);
+			Audit audit = tx.auditFrom(AccessType.UPDATE, StrolchPrivilegeConstants.PRIVILEGE,
+					StrolchPrivilegeConstants.ROLE, role.getName());
+			tx.getAuditTrail().add(tx, audit);
+		}
+
+		return new PrivilegeRoleResult(role);
+	}
+
+	@Override
+	public String getPrivilegeName() {
+		return StrolchPrivilegeConstants.PRIVILEGE_MODIFY_ROLE;
+	}
+
+	@Override
+	public Object getPrivilegeValue() {
+		return null;
+	}
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeAddRoleToUserService.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeAddRoleToUserService.java
@ -0,0 +1,65 @@
+/*
+ * Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package li.strolch.service.privilege.users;
+
+import li.strolch.model.audit.AccessType;
+import li.strolch.model.audit.Audit;
+import li.strolch.persistence.api.StrolchTransaction;
+import li.strolch.runtime.StrolchConstants.StrolchPrivilegeConstants;
+import li.strolch.service.api.AbstractService;
+import ch.eitchnet.privilege.handler.PrivilegeHandler;
+import ch.eitchnet.privilege.model.UserRep;
+
+/**
+ * @author Robert von Burg <eitch@eitchnet.ch>
+ */
+public class PrivilegeAddRoleToUserService extends AbstractService<PrivilegeRoleUserNamesArgument, PrivilegeUserResult> {
+
+	private static final long serialVersionUID = 1L;
+
+	@Override
+	protected PrivilegeUserResult getResultInstance() {
+		return new PrivilegeUserResult();
+	}
+
+	@Override
+	protected PrivilegeUserResult internalDoService(PrivilegeRoleUserNamesArgument arg) throws Exception {
+
+		li.strolch.runtime.privilege.PrivilegeHandler strolchPrivilegeHandler = getContainer().getPrivilegeHandler();
+		PrivilegeHandler privilegeHandler = strolchPrivilegeHandler.getPrivilegeHandler(getCertificate());
+
+		UserRep user = privilegeHandler.addRoleToUser(getCertificate(), arg.username, arg.rolename);
+
+		try (StrolchTransaction tx = openUserTx(PrivilegeHandler.PRIVILEGE_ADD_ROLE_TO_USER)) {
+			tx.setSuppressAudits(true);
+			Audit audit = tx.auditFrom(AccessType.UPDATE, StrolchPrivilegeConstants.PRIVILEGE,
+					StrolchPrivilegeConstants.USER, user.getUsername());
+			tx.getAuditTrail().add(tx, audit);
+		}
+
+		return new PrivilegeUserResult(user);
+	}
+
+	@Override
+	public String getPrivilegeName() {
+		return StrolchPrivilegeConstants.PRIVILEGE_ADD_ROLE_TO_USER;
+	}
+
+	@Override
+	public Object getPrivilegeValue() {
+		return null;
+	}
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeAddUserService.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeAddUserService.java
@ -0,0 +1,65 @@
+/*
+ * Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package li.strolch.service.privilege.users;
+
+import li.strolch.model.audit.AccessType;
+import li.strolch.model.audit.Audit;
+import li.strolch.persistence.api.StrolchTransaction;
+import li.strolch.runtime.StrolchConstants.StrolchPrivilegeConstants;
+import li.strolch.service.api.AbstractService;
+import ch.eitchnet.privilege.handler.PrivilegeHandler;
+import ch.eitchnet.privilege.model.UserRep;
+
+/**
+ * @author Robert von Burg <eitch@eitchnet.ch>
+ */
+public class PrivilegeAddUserService extends AbstractService<PrivilegeUserArgument, PrivilegeUserResult> {
+
+	private static final long serialVersionUID = 1L;
+
+	@Override
+	protected PrivilegeUserResult getResultInstance() {
+		return new PrivilegeUserResult();
+	}
+
+	@Override
+	protected PrivilegeUserResult internalDoService(PrivilegeUserArgument arg) throws Exception {
+
+		li.strolch.runtime.privilege.PrivilegeHandler strolchPrivilegeHandler = getContainer().getPrivilegeHandler();
+		PrivilegeHandler privilegeHandler = strolchPrivilegeHandler.getPrivilegeHandler(getCertificate());
+
+		UserRep user = privilegeHandler.addUser(getCertificate(), arg.user, null);
+
+		try (StrolchTransaction tx = openUserTx(PrivilegeHandler.PRIVILEGE_ADD_USER)) {
+			tx.setSuppressAudits(true);
+			Audit audit = tx.auditFrom(AccessType.CREATE, StrolchPrivilegeConstants.PRIVILEGE,
+					StrolchPrivilegeConstants.USER, user.getUsername());
+			tx.getAuditTrail().add(tx, audit);
+		}
+
+		return new PrivilegeUserResult(user);
+	}
+
+	@Override
+	public String getPrivilegeName() {
+		return StrolchPrivilegeConstants.PRIVILEGE_ADD_USER;
+	}
+
+	@Override
+	public Object getPrivilegeValue() {
+		return null;
+	}
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeRemoveRoleFromUserService.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeRemoveRoleFromUserService.java
@ -0,0 +1,66 @@
+/*
+ * Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package li.strolch.service.privilege.users;
+
+import li.strolch.model.audit.AccessType;
+import li.strolch.model.audit.Audit;
+import li.strolch.persistence.api.StrolchTransaction;
+import li.strolch.runtime.StrolchConstants.StrolchPrivilegeConstants;
+import li.strolch.service.api.AbstractService;
+import ch.eitchnet.privilege.handler.PrivilegeHandler;
+import ch.eitchnet.privilege.model.UserRep;
+
+/**
+ * @author Robert von Burg <eitch@eitchnet.ch>
+ */
+public class PrivilegeRemoveRoleFromUserService extends
+		AbstractService<PrivilegeRoleUserNamesArgument, PrivilegeUserResult> {
+
+	private static final long serialVersionUID = 1L;
+
+	@Override
+	protected PrivilegeUserResult getResultInstance() {
+		return new PrivilegeUserResult();
+	}
+
+	@Override
+	protected PrivilegeUserResult internalDoService(PrivilegeRoleUserNamesArgument arg) throws Exception {
+
+		li.strolch.runtime.privilege.PrivilegeHandler strolchPrivilegeHandler = getContainer().getPrivilegeHandler();
+		PrivilegeHandler privilegeHandler = strolchPrivilegeHandler.getPrivilegeHandler(getCertificate());
+
+		UserRep user = privilegeHandler.removeRoleFromUser(getCertificate(), arg.username, arg.rolename);
+
+		try (StrolchTransaction tx = openUserTx(PrivilegeHandler.PRIVILEGE_REMOVE_ROLE_FROM_USER)) {
+			tx.setSuppressAudits(true);
+			Audit audit = tx.auditFrom(AccessType.UPDATE, StrolchPrivilegeConstants.PRIVILEGE,
+					StrolchPrivilegeConstants.USER, user.getUsername());
+			tx.getAuditTrail().add(tx, audit);
+		}
+
+		return new PrivilegeUserResult(user);
+	}
+
+	@Override
+	public String getPrivilegeName() {
+		return StrolchPrivilegeConstants.PRIVILEGE_REMOVE_ROLE_FROM_USER;
+	}
+
+	@Override
+	public Object getPrivilegeValue() {
+		return null;
+	}
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeRemoveUserService.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeRemoveUserService.java
@ -0,0 +1,65 @@
+/*
+ * Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package li.strolch.service.privilege.users;
+
+import li.strolch.model.audit.AccessType;
+import li.strolch.model.audit.Audit;
+import li.strolch.persistence.api.StrolchTransaction;
+import li.strolch.runtime.StrolchConstants.StrolchPrivilegeConstants;
+import li.strolch.service.api.AbstractService;
+import ch.eitchnet.privilege.handler.PrivilegeHandler;
+import ch.eitchnet.privilege.model.UserRep;
+
+/**
+ * @author Robert von Burg <eitch@eitchnet.ch>
+ */
+public class PrivilegeRemoveUserService extends AbstractService<PrivilegeUserNameArgument, PrivilegeUserResult> {
+
+	private static final long serialVersionUID = 1L;
+
+	@Override
+	protected PrivilegeUserResult getResultInstance() {
+		return new PrivilegeUserResult();
+	}
+
+	@Override
+	protected PrivilegeUserResult internalDoService(PrivilegeUserNameArgument arg) throws Exception {
+
+		li.strolch.runtime.privilege.PrivilegeHandler strolchPrivilegeHandler = getContainer().getPrivilegeHandler();
+		PrivilegeHandler privilegeHandler = strolchPrivilegeHandler.getPrivilegeHandler(getCertificate());
+
+		UserRep user = privilegeHandler.removeUser(getCertificate(), arg.username);
+
+		try (StrolchTransaction tx = openUserTx(PrivilegeHandler.PRIVILEGE_REMOVE_USER)) {
+			tx.setSuppressAudits(true);
+			Audit audit = tx.auditFrom(AccessType.DELETE, StrolchPrivilegeConstants.PRIVILEGE,
+					StrolchPrivilegeConstants.USER, user.getUsername());
+			tx.getAuditTrail().add(tx, audit);
+		}
+
+		return new PrivilegeUserResult(user);
+	}
+
+	@Override
+	public String getPrivilegeName() {
+		return StrolchPrivilegeConstants.PRIVILEGE_REMOVE_USER;
+	}
+
+	@Override
+	public Object getPrivilegeValue() {
+		return null;
+	}
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeRoleUserNamesArgument.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeRoleUserNamesArgument.java
@ -0,0 +1,9 @@
+package li.strolch.service.privilege.users;
+
+import li.strolch.service.api.ServiceArgument;
+
+public class PrivilegeRoleUserNamesArgument extends ServiceArgument {
+	private static final long serialVersionUID = 1L;
+	public String username;
+	public String rolename;
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeSetUserLocaleArgument.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeSetUserLocaleArgument.java
@ -0,0 +1,11 @@
+package li.strolch.service.privilege.users;
+
+import java.util.Locale;
+
+import li.strolch.service.api.ServiceArgument;
+
+public class PrivilegeSetUserLocaleArgument extends ServiceArgument {
+	private static final long serialVersionUID = 1L;
+	public String username;
+	public Locale locale;
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeSetUserLocaleService.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeSetUserLocaleService.java
@ -0,0 +1,65 @@
+/*
+ * Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package li.strolch.service.privilege.users;
+
+import li.strolch.model.audit.AccessType;
+import li.strolch.model.audit.Audit;
+import li.strolch.persistence.api.StrolchTransaction;
+import li.strolch.runtime.StrolchConstants.StrolchPrivilegeConstants;
+import li.strolch.service.api.AbstractService;
+import ch.eitchnet.privilege.handler.PrivilegeHandler;
+import ch.eitchnet.privilege.model.UserRep;
+
+/**
+ * @author Robert von Burg <eitch@eitchnet.ch>
+ */
+public class PrivilegeSetUserLocaleService extends AbstractService<PrivilegeSetUserLocaleArgument, PrivilegeUserResult> {
+
+	private static final long serialVersionUID = 1L;
+
+	@Override
+	protected PrivilegeUserResult getResultInstance() {
+		return new PrivilegeUserResult();
+	}
+
+	@Override
+	protected PrivilegeUserResult internalDoService(PrivilegeSetUserLocaleArgument arg) throws Exception {
+
+		li.strolch.runtime.privilege.PrivilegeHandler strolchPrivilegeHandler = getContainer().getPrivilegeHandler();
+		PrivilegeHandler privilegeHandler = strolchPrivilegeHandler.getPrivilegeHandler(getCertificate());
+
+		UserRep user = privilegeHandler.setUserLocale(getCertificate(), arg.username, arg.locale);
+
+		try (StrolchTransaction tx = openUserTx(PrivilegeHandler.PRIVILEGE_MODIFY_USER)) {
+			tx.setSuppressAudits(true);
+			Audit audit = tx.auditFrom(AccessType.UPDATE, StrolchPrivilegeConstants.PRIVILEGE,
+					StrolchPrivilegeConstants.USER, user.getUsername());
+			tx.getAuditTrail().add(tx, audit);
+		}
+
+		return new PrivilegeUserResult(user);
+	}
+
+	@Override
+	public String getPrivilegeName() {
+		return StrolchPrivilegeConstants.PRIVILEGE_MODIFY_USER;
+	}
+
+	@Override
+	public Object getPrivilegeValue() {
+		return null;
+	}
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeSetUserPasswordArgument.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeSetUserPasswordArgument.java
@ -0,0 +1,9 @@
+package li.strolch.service.privilege.users;
+
+import li.strolch.service.api.ServiceArgument;
+
+public class PrivilegeSetUserPasswordArgument extends ServiceArgument {
+	private static final long serialVersionUID = 1L;
+	public String username;
+	public byte[] password;
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeSetUserPasswordService.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeSetUserPasswordService.java
@ -0,0 +1,65 @@
+/*
+ * Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package li.strolch.service.privilege.users;
+
+import li.strolch.model.audit.AccessType;
+import li.strolch.model.audit.Audit;
+import li.strolch.persistence.api.StrolchTransaction;
+import li.strolch.runtime.StrolchConstants.StrolchPrivilegeConstants;
+import li.strolch.service.api.AbstractService;
+import li.strolch.service.api.ServiceResult;
+import ch.eitchnet.privilege.handler.PrivilegeHandler;
+
+/**
+ * @author Robert von Burg <eitch@eitchnet.ch>
+ */
+public class PrivilegeSetUserPasswordService extends AbstractService<PrivilegeSetUserPasswordArgument, ServiceResult> {
+
+	private static final long serialVersionUID = 1L;
+
+	@Override
+	protected ServiceResult getResultInstance() {
+		return new ServiceResult();
+	}
+
+	@Override
+	protected ServiceResult internalDoService(PrivilegeSetUserPasswordArgument arg) throws Exception {
+
+		li.strolch.runtime.privilege.PrivilegeHandler strolchPrivilegeHandler = getContainer().getPrivilegeHandler();
+		PrivilegeHandler privilegeHandler = strolchPrivilegeHandler.getPrivilegeHandler(getCertificate());
+
+		privilegeHandler.setUserPassword(getCertificate(), arg.username, arg.password);
+
+		try (StrolchTransaction tx = openUserTx(PrivilegeHandler.PRIVILEGE_MODIFY_USER)) {
+			tx.setSuppressAudits(true);
+			Audit audit = tx.auditFrom(AccessType.UPDATE, StrolchPrivilegeConstants.PRIVILEGE,
+					StrolchPrivilegeConstants.USER, arg.username);
+			tx.getAuditTrail().add(tx, audit);
+		}
+
+		return ServiceResult.success();
+	}
+
+	@Override
+	public String getPrivilegeName() {
+		return StrolchPrivilegeConstants.PRIVILEGE_MODIFY_USER;
+	}
+
+	@Override
+	public Object getPrivilegeValue() {
+		return null;
+	}
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeSetUserStateArgument.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeSetUserStateArgument.java
@ -0,0 +1,10 @@
+package li.strolch.service.privilege.users;
+
+import li.strolch.service.api.ServiceArgument;
+import ch.eitchnet.privilege.model.UserState;
+
+public class PrivilegeSetUserStateArgument extends ServiceArgument {
+	private static final long serialVersionUID = 1L;
+	public String username;
+	public UserState userState;
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeSetUserStateService.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeSetUserStateService.java
@ -0,0 +1,65 @@
+/*
+ * Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package li.strolch.service.privilege.users;
+
+import li.strolch.model.audit.AccessType;
+import li.strolch.model.audit.Audit;
+import li.strolch.persistence.api.StrolchTransaction;
+import li.strolch.runtime.StrolchConstants.StrolchPrivilegeConstants;
+import li.strolch.service.api.AbstractService;
+import ch.eitchnet.privilege.handler.PrivilegeHandler;
+import ch.eitchnet.privilege.model.UserRep;
+
+/**
+ * @author Robert von Burg <eitch@eitchnet.ch>
+ */
+public class PrivilegeSetUserStateService extends AbstractService<PrivilegeSetUserStateArgument, PrivilegeUserResult> {
+
+	private static final long serialVersionUID = 1L;
+
+	@Override
+	protected PrivilegeUserResult getResultInstance() {
+		return new PrivilegeUserResult();
+	}
+
+	@Override
+	protected PrivilegeUserResult internalDoService(PrivilegeSetUserStateArgument arg) throws Exception {
+
+		li.strolch.runtime.privilege.PrivilegeHandler strolchPrivilegeHandler = getContainer().getPrivilegeHandler();
+		PrivilegeHandler privilegeHandler = strolchPrivilegeHandler.getPrivilegeHandler(getCertificate());
+
+		UserRep user = privilegeHandler.setUserState(getCertificate(), arg.username, arg.userState);
+
+		try (StrolchTransaction tx = openUserTx(PrivilegeHandler.PRIVILEGE_MODIFY_USER)) {
+			tx.setSuppressAudits(true);
+			Audit audit = tx.auditFrom(AccessType.UPDATE, StrolchPrivilegeConstants.PRIVILEGE,
+					StrolchPrivilegeConstants.USER, user.getUsername());
+			tx.getAuditTrail().add(tx, audit);
+		}
+
+		return new PrivilegeUserResult(user);
+	}
+
+	@Override
+	public String getPrivilegeName() {
+		return StrolchPrivilegeConstants.PRIVILEGE_MODIFY_USER;
+	}
+
+	@Override
+	public Object getPrivilegeValue() {
+		return null;
+	}
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeUpdateUserService.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeUpdateUserService.java
@ -0,0 +1,65 @@
+/*
+ * Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package li.strolch.service.privilege.users;
+
+import li.strolch.model.audit.AccessType;
+import li.strolch.model.audit.Audit;
+import li.strolch.persistence.api.StrolchTransaction;
+import li.strolch.runtime.StrolchConstants.StrolchPrivilegeConstants;
+import li.strolch.service.api.AbstractService;
+import ch.eitchnet.privilege.handler.PrivilegeHandler;
+import ch.eitchnet.privilege.model.UserRep;
+
+/**
+ * @author Robert von Burg <eitch@eitchnet.ch>
+ */
+public class PrivilegeUpdateUserService extends AbstractService<PrivilegeUserArgument, PrivilegeUserResult> {
+
+	private static final long serialVersionUID = 1L;
+
+	@Override
+	protected PrivilegeUserResult getResultInstance() {
+		return new PrivilegeUserResult();
+	}
+
+	@Override
+	protected PrivilegeUserResult internalDoService(PrivilegeUserArgument arg) throws Exception {
+
+		li.strolch.runtime.privilege.PrivilegeHandler strolchPrivilegeHandler = getContainer().getPrivilegeHandler();
+		PrivilegeHandler privilegeHandler = strolchPrivilegeHandler.getPrivilegeHandler(getCertificate());
+
+		UserRep user = privilegeHandler.updateUser(getCertificate(), arg.user);
+
+		try (StrolchTransaction tx = openUserTx(PrivilegeHandler.PRIVILEGE_MODIFY_USER)) {
+			tx.setSuppressAudits(true);
+			Audit audit = tx.auditFrom(AccessType.UPDATE, StrolchPrivilegeConstants.PRIVILEGE,
+					StrolchPrivilegeConstants.USER, user.getUsername());
+			tx.getAuditTrail().add(tx, audit);
+		}
+
+		return new PrivilegeUserResult(user);
+	}
+
+	@Override
+	public String getPrivilegeName() {
+		return StrolchPrivilegeConstants.PRIVILEGE_MODIFY_USER;
+	}
+
+	@Override
+	public Object getPrivilegeValue() {
+		return null;
+	}
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeUserArgument.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeUserArgument.java
@ -0,0 +1,9 @@
+package li.strolch.service.privilege.users;
+
+import li.strolch.service.api.ServiceArgument;
+import ch.eitchnet.privilege.model.UserRep;
+
+public class PrivilegeUserArgument extends ServiceArgument {
+	private static final long serialVersionUID = 1L;
+	public UserRep user;
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeUserNameArgument.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeUserNameArgument.java
@ -0,0 +1,8 @@
+package li.strolch.service.privilege.users;
+
+import li.strolch.service.api.ServiceArgument;
+
+public class PrivilegeUserNameArgument extends ServiceArgument {
+	private static final long serialVersionUID = 1L;
+	public String username;
+}
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeUserResult.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeUserResult.java
@ -0,0 +1,32 @@
+package li.strolch.service.privilege.users;
+
+import li.strolch.service.api.ServiceResult;
+import li.strolch.service.api.ServiceResultState;
+import ch.eitchnet.privilege.model.UserRep;
+
+public class PrivilegeUserResult extends ServiceResult {
+	private static final long serialVersionUID = 1L;
+
+	private UserRep user;
+
+	public PrivilegeUserResult() {
+		super();
+	}
+
+	public PrivilegeUserResult(ServiceResultState state, String message) {
+		super(state, message);
+	}
+
+	public PrivilegeUserResult(ServiceResultState state) {
+		super(state);
+	}
+
+	public PrivilegeUserResult(UserRep user) {
+		setState(ServiceResultState.SUCCESS);
+		this.user = user;
+	}
+
+	public UserRep getUser() {
+		return user;
+	}
+}