diff --git a/dcm4chee-arc-assembly/src/main/resources/ldap/add-keycloak-admin.ldif b/dcm4chee-arc-assembly/src/main/resources/ldap/add-keycloak-admin.ldif
index c6a00f925..679fa529d 100644
--- a/dcm4chee-arc-assembly/src/main/resources/ldap/add-keycloak-admin.ldif
+++ b/dcm4chee-arc-assembly/src/main/resources/ldap/add-keycloak-admin.ldif
@@ -9,7 +9,7 @@ sn:: IA==
cn:: IA==
userPassword:: Y2hhbmdlaXQ=
-dn: cn=user,ou=users,dc=dcm4che,dc=org
+dn: cn=auth,ou=users,dc=dcm4che,dc=org
changetype: modify
add: member
member: uid=keycloak-admin,ou=users,dc=dcm4che,dc=org
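Review bot: The `changetype: modify` against `cn=auth,ou=users,dc=dcm4che,dc=org` only works if that group already exists, and in this diff it is created only by the updated default-users.ldif. On a directory initialized from the earlier file the modify would presumably be rejected as "no such object", leaving the admin account without the role the web descriptors now require. A header comment such as `# requires cn=auth from default-users.ldif; create it first on existing directories` would make the ordering explicit, and the same applies to add-wildfly-admin.ldif. Separately, the context line `userPassword:: Y2hhbmdlaXQ=` is the base64 of a well-known default value, so the file should say that it must be changed before the account is exposed. The entry that carries it starts above the hunk.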
diff --git a/dcm4chee-arc-assembly/src/main/resources/ldap/add-wildfly-admin.ldif b/dcm4chee-arc-assembly/src/main/resources/ldap/add-wildfly-admin.ldif
index cace2993d..a7be7173f 100644
--- a/dcm4chee-arc-assembly/src/main/resources/ldap/add-wildfly-admin.ldif
+++ b/dcm4chee-arc-assembly/src/main/resources/ldap/add-wildfly-admin.ldif
@@ -9,7 +9,7 @@ sn:: IA==
cn:: IA==
userPassword:: Y2hhbmdlaXQ=
-dn: cn=user,ou=users,dc=dcm4che,dc=org
+dn: cn=auth,ou=users,dc=dcm4che,dc=org
changetype: modify
add: member
member: uid=wildfly-admin,ou=users,dc=dcm4che,dc=org
diff --git a/dcm4chee-arc-assembly/src/main/resources/ldap/assign-role-to-user.ldif b/dcm4chee-arc-assembly/src/main/resources/ldap/assign-role-to-user.ldif
new file mode 100644
index 000000000..a02dcc22c
--- /dev/null
+++ b/dcm4chee-arc-assembly/src/main/resources/ldap/assign-role-to-user.ldif
@@ -0,0 +1,6 @@
+version: 1
+
+dn: cn=role,ou=users,dc=dcm4che,dc=org
+changetype: modify
+add: member
+member: uid=user,ou=users,dc=dcm4che,dc=org
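Review bot: Nothing in this new file says that `role` and `user` are placeholders, so applying it unedited would add `uid=user` to a group literally named `role`. LDIF accepts `#` comment lines, so a header such as `# template: replace 'role' and 'user' before applying; the group must already exist (see init-role.ldif)` would cover it. init-role.ldif and unassign-role-from-user.ldif have the same gap. Membership under `ou=users` appears to map to application roles, so an accidental run against `cn=admin` or `cn=root` changes privileges, which makes the header worth adding.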
diff --git a/dcm4chee-arc-assembly/src/main/resources/ldap/default-users.ldif b/dcm4chee-arc-assembly/src/main/resources/ldap/default-users.ldif
index 9457722f4..e7c1921ae 100644
--- a/dcm4chee-arc-assembly/src/main/resources/ldap/default-users.ldif
+++ b/dcm4chee-arc-assembly/src/main/resources/ldap/default-users.ldif
@@ -29,6 +29,13 @@ sn:: IA==
cn:: IA==
userPassword:: Y2hhbmdlaXQ=
+dn: cn=auth,ou=users,dc=dcm4che,dc=org
+objectClass: groupOfNames
+cn: auth
+member: uid=root,ou=users,dc=dcm4che,dc=org
+member: uid=admin,ou=users,dc=dcm4che,dc=org
+member: uid=user,ou=users,dc=dcm4che,dc=org
+
dn: cn=root,ou=users,dc=dcm4che,dc=org
objectClass: groupOfNames
cn: root
@@ -39,11 +46,9 @@ objectClass: groupOfNames
cn: admin
member: uid=admin,ou=users,dc=dcm4che,dc=org
-dn: cn=user,ou=users,dc=dcm4che,dc=org
+dn: cn=auth,ou=users,dc=dcm4che,dc=org
objectClass: groupOfNames
cn: user
-member: uid=root,ou=users,dc=dcm4che,dc=org
-member: uid=admin,ou=users,dc=dcm4che,dc=org
member: uid=user,ou=users,dc=dcm4che,dc=org
dn: cn=auditlog,ou=users,dc=dcm4che,dc=org
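Review bot: The new `dn: cn=auth,ou=users,dc=dcm4che,dc=org` line sits directly above `cn: user`, so the entry's RDN value no longer matches its `cn` attribute. The DN also duplicates the `cn=auth` group added in the previous hunk of this file. A directory server would be expected to reject this second entry with a naming violation or "entry already exists", and no `cn=user` group remains even though `uid=user` is still listed as its only member. If the intent was to keep a `user` group holding just `uid=user`, the line should stay `dn: cn=user,ou=users,dc=dcm4che,dc=org`.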
diff --git a/dcm4chee-arc-assembly/src/main/resources/ldap/init-role.ldif b/dcm4chee-arc-assembly/src/main/resources/ldap/init-role.ldif
new file mode 100644
index 000000000..d483da6e7
--- /dev/null
+++ b/dcm4chee-arc-assembly/src/main/resources/ldap/init-role.ldif
@@ -0,0 +1,7 @@
+version: 1
+
+dn: cn=role,ou=users,dc=dcm4che,dc=org
+changetype: add
+objectClass: groupOfNames
+cn: role
+member: uid=user,ou=users,dc=dcm4che,dc=org
diff --git a/dcm4chee-arc-assembly/src/main/resources/ldap/unassign-role-from-user.ldif b/dcm4chee-arc-assembly/src/main/resources/ldap/unassign-role-from-user.ldif
new file mode 100644
index 000000000..8a04e3905
--- /dev/null
+++ b/dcm4chee-arc-assembly/src/main/resources/ldap/unassign-role-from-user.ldif
@@ -0,0 +1,6 @@
+version: 1
+
+dn: cn=role,ou=users,dc=dcm4che,dc=org
+changetype: modify
+delete: member
+member: uid=user,ou=users,dc=dcm4che,dc=org
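Review bot: `delete: member` on a `groupOfNames` entry is rejected when the value is the last remaining member, because `member` is a mandatory attribute of that object class. init-role.ldif creates the group with a single member, so running this template for that same user would fail with an object class violation and the role assignment would stay in place. A header comment such as `# cannot remove the last member of a groupOfNames; delete the group entry instead` would document the limit. It should also say that whoever applies the file needs to check the result code, so a failed revocation is not mistaken for a successful one.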
diff --git a/dcm4chee-arc-ui2/src/main/webxml/web-secure.xml b/dcm4chee-arc-ui2/src/main/webxml/web-secure.xml
index 7d6d8026e..cd16a6733 100644
--- a/dcm4chee-arc-ui2/src/main/webxml/web-secure.xml
+++ b/dcm4chee-arc-ui2/src/main/webxml/web-secure.xml
@@ -55,13 +55,13 @@
/*
- ${auth-user-role:user}
+ ${auth-user-role:auth}
OIDC
- ${auth-user-role:user}
+ ${auth-user-role:auth}
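Review bot: Changing the fallback of `${auth-user-role:...}` from `user` to `auth` changes which role gates `/*` for every deployment that does not set `auth-user-role` explicitly. Accounts that hold only `user` in an existing LDAP directory or Keycloak realm would be denied until they are also given `auth`, and nothing in the visible hunks documents that migration step. A short comment next to the constraint would help, e.g. `<!-- auth-user-role: role required for any access; the default 'auth' must exist in the identity provider -->`. The same default is changed in the other web.xml and web-secure.xml hunks of dcm4chee-arc-ui2, dcm4chee-arc-war and dcm4chee-arr-query. The surrounding XML elements are not visible in this extract, so the exact placement has to be checked against the full file.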
diff --git a/dcm4chee-arc-ui2/src/main/webxml/web.xml b/dcm4chee-arc-ui2/src/main/webxml/web.xml
index 3018cdc94..8ac969808 100644
--- a/dcm4chee-arc-ui2/src/main/webxml/web.xml
+++ b/dcm4chee-arc-ui2/src/main/webxml/web.xml
@@ -56,14 +56,14 @@
/*
- ${auth-user-role:user}
+ ${auth-user-role:auth}
OIDC
- ${auth-user-role:user}
+ ${auth-user-role:auth}
-->
diff --git a/dcm4chee-arc-war/src/main/webxml/web-secure.xml b/dcm4chee-arc-war/src/main/webxml/web-secure.xml
index a4b0e005b..3373ba568 100644
--- a/dcm4chee-arc-war/src/main/webxml/web-secure.xml
+++ b/dcm4chee-arc-war/src/main/webxml/web-secure.xml
@@ -53,13 +53,13 @@
OPTIONS
- ${auth-user-role:user}
+ ${auth-user-role:auth}
OIDC
- ${auth-user-role:user}
+ ${auth-user-role:auth}
diff --git a/dcm4chee-arc-war/src/main/webxml/web.xml b/dcm4chee-arc-war/src/main/webxml/web.xml
index 628c7ebfc..5a0cae77d 100644
--- a/dcm4chee-arc-war/src/main/webxml/web.xml
+++ b/dcm4chee-arc-war/src/main/webxml/web.xml
@@ -13,14 +13,14 @@
/*
- ${auth-user-role:user}
+ ${auth-user-role:auth}
OIDC
- ${auth-user-role:user}
+ ${auth-user-role:auth}
-->
diff --git a/dcm4chee-arr-query/src/main/webapp-secure/WEB-INF/web.xml b/dcm4chee-arr-query/src/main/webapp-secure/WEB-INF/web.xml
index 9f70d6127..d272b313c 100644
--- a/dcm4chee-arr-query/src/main/webapp-secure/WEB-INF/web.xml
+++ b/dcm4chee-arr-query/src/main/webapp-secure/WEB-INF/web.xml
@@ -50,13 +50,13 @@
/*
- ${auth-user-role:user}
+ ${auth-user-role:auth}
OIDC
- ${auth-user-role:user}
+ ${auth-user-role:auth}
diff --git a/dcm4chee-arr-query/src/main/webapp/WEB-INF/web.xml b/dcm4chee-arr-query/src/main/webapp/WEB-INF/web.xml
index 3ddb7be65..7bb7a31a6 100644
--- a/dcm4chee-arr-query/src/main/webapp/WEB-INF/web.xml
+++ b/dcm4chee-arr-query/src/main/webapp/WEB-INF/web.xml
@@ -51,14 +51,14 @@
/*
- ${auth-user-role:user}
+ ${auth-user-role:auth}
OIDC
- ${auth-user-role:user}
+ ${auth-user-role:auth}
-->