diff --git a/INSTALL.md b/INSTALL.md
index be67fd19a..48b5eba08 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -422,15 +422,23 @@ $ cd lib/Doctrine
 $ php deploy/DeployRequiredDataRunner.php requiredData
 ```
 
-### Deploy Sample Data<a id="deploy-sample-data"></a>
+### OPTIONAL: Deploy Sample Data<a id="deploy-sample-data"></a>
 
-Optional - you can deploy some sample data to seed your DB with sample users,
-sites and services.
+You can choose to deploy some sample data to seed your DB with sample users,
+sites and services. Two sample data sets are available. Choose one of -
 
-```bash
-$ cd lib/Doctrine
-$ php deploy/DeploySampleDataRunner.php sampleData
-```
+1. Minimal - just enough to get going with no real-world associations.
+
+    ```bash
+    $ cd lib/Doctrine
+    $ php deploy/DeploySampleDataRunner.php simpleSampleData
+    ```
+1. "Real World" - a small subset derived from real data.
+
+    ```bash
+    $ cd lib/Doctrine
+    $ php deploy/DeploySampleDataRunner.php sampleData
+    ```
 
 ### ORACLE ONLY: Deploy an existing DB .dmp file to populate your DB<a id="deploy-existing-dump"></a>
 
diff --git a/config/RoleActionMappings.xml b/config/RoleActionMappings.xml
index 6f7f7978a..4fbc1724f 100644
--- a/config/RoleActionMappings.xml
+++ b/config/RoleActionMappings.xml
@@ -12,33 +12,33 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
-@author David Meredith 
+@author David Meredith
 -->
 
 
-<RoleActionMappingRules     
+<RoleActionMappingRules
     xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
     xmlns='http://goc.egi.eu/2015/03/spec1.0_r1'
-    xsi:schemaLocation='http://goc.egi.eu/2015/03/spec1.0_r1 ./RoleActionMappingsSchema.xsd'> 
+    xsi:schemaLocation='http://goc.egi.eu/2015/03/spec1.0_r1 ./RoleActionMappingsSchema.xsd'>
 
-   
-    <RoleActionMapping> 
 
-        <!-- 
-        Define the Role names and which of the owned entity types they apply to. 
-        Note, role name and alias values must be unique (names have a DB unique constraint).  
-        Aliases are used as a convenient shorthand to define the XML rules. 
-        --> 
+    <RoleActionMapping>
+
+        <!--
+        Define the Role names and which of the owned entity types they apply to.
+        Note, role name and alias values must be unique (names have a DB unique constraint).
+        Aliases are used as a convenient shorthand to define the XML rules.
+        -->
 	<RoleNames over="ServiceGroup">
             <Role id="SERVICE_GROUP_ADMIN">Service Group Administrator</Role>
         </RoleNames>
-	
+
         <RoleNames over="Project">
             <Role id="COD_STAFF">COD Staff</Role>
             <Role id="COD_ADMIN">COD Administrator</Role>
             <Role id="EGI_CSIRT_OFFICER">EGI CSIRT Officer</Role>
             <Role id="COO">Chief Operations Officer</Role>
-        </RoleNames>  
+        </RoleNames>
 
 
         <RoleNames over="Ngi">
@@ -49,17 +49,17 @@
             <Role id="REG_FIRST_LINE_SUPPORT">Regional First Line Support</Role>
         </RoleNames>
 
-        <RoleNames over="Site"> 
+        <RoleNames over="Site">
             <Role id="SITE_ADMIN">Site Administrator</Role>
             <Role id="SITE_SECOFFICER">Site Security Officer</Role>
             <Role id="SITE_OPS_DEP_MAN">Site Operations Deputy Manager</Role>
             <Role id="SITE_OPS_MAN">Site Operations Manager</Role>
-        </RoleNames> 
+        </RoleNames>
 
 
         <!--
-        The listed Roles enable the Actions over the target object(s). 
-        --> 
+        The listed Roles enable the Actions over the target object(s).
+        -->
 
 	<RoleMapping>
             <Roles>
@@ -72,25 +72,25 @@
                     <Action>ACTION_REJECT_ROLE</Action>
                     <Action>ACTION_REVOKE_ROLE</Action>
                 </Actions>
-                <Target>ServiceGroup</Target> 
+                <Target>ServiceGroup</Target>
             </EnabledActions>
         </RoleMapping>
 
         <RoleMapping>
             <Roles>
                 <RoleRef idRef="COD_STAFF"/>
-                <RoleRef idRef="COD_ADMIN"/> 
+                <RoleRef idRef="COD_ADMIN"/>
                 <RoleRef idRef="EGI_CSIRT_OFFICER"/>
                 <RoleRef idRef="COO"/>
-            </Roles>  
+            </Roles>
             <EnabledActions>
                 <Actions>
                     <Action>ACTION_EDIT_OBJECT</Action>
                     <Action>ACTION_GRANT_ROLE</Action>
                     <Action>ACTION_REJECT_ROLE</Action>
                     <Action>ACTION_REVOKE_ROLE</Action>
-                </Actions> 
-                <Target>Project</Target> 
+                </Actions>
+                <Target>Project</Target>
             </EnabledActions>
             <EnabledActions>
                 <Actions>
@@ -135,112 +135,113 @@
             </EnabledActions>
         </RoleMapping>
 
-        <RoleMapping> 
+        <RoleMapping>
             <Roles>
                 <RoleRef idRef="SITE_ADMIN"/>
-                <RoleRef idRef="SITE_SECOFFICER"/> 
-                <RoleRef idRef="SITE_OPS_DEP_MAN"/> 
+                <RoleRef idRef="SITE_SECOFFICER"/>
+                <RoleRef idRef="SITE_OPS_DEP_MAN"/>
                 <RoleRef idRef="SITE_OPS_MAN"/>
-                <RoleRef idRef="REG_FIRST_LINE_SUPPORT"/> 
-                <RoleRef idRef="REG_STAFF_ROD"/> 
-                <RoleRef idRef="NGI_SEC_OFFICER"/> 
-                <RoleRef idRef="NGI_OPS_DEP_MAN"/> 
-                <RoleRef idRef="NGI_OPS_MAN"/> 
-            </Roles>  
-            <EnabledActions> 
+                <RoleRef idRef="REG_FIRST_LINE_SUPPORT"/>
+                <RoleRef idRef="REG_STAFF_ROD"/>
+                <RoleRef idRef="NGI_SEC_OFFICER"/>
+                <RoleRef idRef="NGI_OPS_DEP_MAN"/>
+                <RoleRef idRef="NGI_OPS_MAN"/>
+            </Roles>
+            <EnabledActions>
                 <Actions>
                     <Action>ACTION_EDIT_OBJECT</Action>
-                    <Action>ACTION_SITE_ADD_SERVICE</Action> 
+                    <Action>ACTION_SITE_ADD_SERVICE</Action>
                     <Action>ACTION_SITE_DELETE_SERVICE</Action>
-                </Actions> 
-                <Target>Site</Target>   
-            </EnabledActions> 
-        </RoleMapping> 
+                    <Action>ACTION_READ_PERSONAL_DATA</Action>
+                </Actions>
+                <Target>Site</Target>
+            </EnabledActions>
+        </RoleMapping>
 
 
-        <RoleMapping> 
+        <RoleMapping>
             <Roles>
-                <RoleRef idRef="SITE_SECOFFICER"/> 
-                <RoleRef idRef="SITE_OPS_DEP_MAN"/> 
+                <RoleRef idRef="SITE_SECOFFICER"/>
+                <RoleRef idRef="SITE_OPS_DEP_MAN"/>
                 <RoleRef idRef="SITE_OPS_MAN"/>
-                <RoleRef idRef="NGI_SEC_OFFICER"/> 
-                <RoleRef idRef="NGI_OPS_DEP_MAN"/> 
-                <RoleRef idRef="NGI_OPS_MAN"/> 
-            </Roles> 
-            <EnabledActions> 
+                <RoleRef idRef="NGI_SEC_OFFICER"/>
+                <RoleRef idRef="NGI_OPS_DEP_MAN"/>
+                <RoleRef idRef="NGI_OPS_MAN"/>
+            </Roles>
+            <EnabledActions>
                 <Actions>
                     <Action>ACTION_GRANT_ROLE</Action>
-                    <Action>ACTION_REJECT_ROLE</Action> 
+                    <Action>ACTION_REJECT_ROLE</Action>
                     <Action>ACTION_REVOKE_ROLE</Action>
-                </Actions> 
-                <Target>Site</Target>   
-            </EnabledActions> 
-        </RoleMapping> 
+                </Actions>
+                <Target>Site</Target>
+            </EnabledActions>
+        </RoleMapping>
+
 
- 
-        <RoleMapping> 
+        <RoleMapping>
             <Roles>
-                <RoleRef idRef="NGI_SEC_OFFICER"/> 
-                <RoleRef idRef="NGI_OPS_DEP_MAN"/> 
-                <RoleRef idRef="NGI_OPS_MAN"/>  
+                <RoleRef idRef="NGI_SEC_OFFICER"/>
+                <RoleRef idRef="NGI_OPS_DEP_MAN"/>
+                <RoleRef idRef="NGI_OPS_MAN"/>
                 <RoleRef idRef="COD_STAFF"/>
                 <RoleRef idRef="COD_ADMIN"/>
                 <RoleRef idRef="EGI_CSIRT_OFFICER"/>
                 <RoleRef idRef="COO"/>
-            </Roles>  
-            <EnabledActions> 
+            </Roles>
+            <EnabledActions>
                 <Actions>
                     <Action>ACTION_SITE_EDIT_CERT_STATUS</Action>
-                </Actions> 
-                <Target>Site</Target>   
-            </EnabledActions> 
-        </RoleMapping> 
+                </Actions>
+                <Target>Site</Target>
+            </EnabledActions>
+        </RoleMapping>
 
 
 
 
-        <!-- 
-        For the newly proposed edit NGI cert status: 
-        <RoleMapping> 
+        <!--
+        For the newly proposed edit NGI cert status:
+        <RoleMapping>
            <Roles>
                <RoleRef idRef="COD_STAFF"/>
                <RoleRef idRef="COD_ADMIN"/>
                <RoleRef idRef="EGI_CSIRT_OFFICER"/>
                <RoleRef idRef="COO"/>
-           </Roles>  
-           <EnabledActions> 
-             <Actions><Action>ACTION_NGI_EDIT_CERT_STATUS</Action></Actions> 
-             <Target>Ngi</Target>   
-           </EnabledActions> 
-        </RoleMapping> 
+           </Roles>
+           <EnabledActions>
+             <Actions><Action>ACTION_NGI_EDIT_CERT_STATUS</Action></Actions>
+             <Target>Ngi</Target>
+           </EnabledActions>
+        </RoleMapping>
         -->
 
 
-         
+
 	<!--
-        TODO - Only Project level users can assign reserved scope tags to resources in their project.  
-        Useless until a dedicated interface is added which allows project-level users 
-        to edit reserved scopes on resources (Edit Site/Service/NGI Reserved Scopes), especially 
-        since rule-mappings may prevent proj-level users from adding/editing sites/services.  
+        TODO - Only Project level users can assign reserved scope tags to resources in their project.
+        Useless until a dedicated interface is added which allows project-level users
+        to edit reserved scopes on resources (Edit Site/Service/NGI Reserved Scopes), especially
+        since rule-mappings may prevent proj-level users from adding/editing sites/services.
         -->
-<!--        <RoleMapping> 
+<!--        <RoleMapping>
            <Roles>
                <RoleRef idRef="COD_STAFF"/>
                <RoleRef idRef="COD_ADMIN"/>
                <RoleRef idRef="EGI_CSIRT_OFFICER"/>
                <RoleRef idRef="COO"/>
-           </Roles>  
-           <EnabledActions> 
+           </Roles>
+           <EnabledActions>
                 <Actions>
                     <Action>ACTION_APPLY_RESERVED_SCOPE_TAG</Action>
-                </Actions> 
-             <Target>Ngi</Target>   
-             <Target>Site</Target>   
-             <Target>Project</Target>   
-           </EnabledActions> 
+                </Actions>
+             <Target>Ngi</Target>
+             <Target>Site</Target>
+             <Target>Project</Target>
+           </EnabledActions>
         </RoleMapping> -->
-       
 
-    </RoleActionMapping> 
+
+    </RoleActionMapping>
 
 </RoleActionMappingRules>
diff --git a/config/RoleActionMappingsSchema.xsd b/config/RoleActionMappingsSchema.xsd
index a78fbcde4..f9207a0ee 100644
--- a/config/RoleActionMappingsSchema.xsd
+++ b/config/RoleActionMappingsSchema.xsd
@@ -12,103 +12,103 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
-@author David Meredith 
---> 
+@author David Meredith
+-->
 
-<xs:schema targetNamespace="http://goc.egi.eu/2015/03/spec1.0_r1" 
+<xs:schema targetNamespace="http://goc.egi.eu/2015/03/spec1.0_r1"
            version="1.0"
            xmlns="http://www.w3.org/2001/XMLSchema"
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
-           xmlns:goc="http://goc.egi.eu/2015/03/spec1.0_r1" 
+           xmlns:goc="http://goc.egi.eu/2015/03/spec1.0_r1"
            elementFormDefault="qualified"
-           attributeFormDefault="unqualified"> 
+           attributeFormDefault="unqualified">
 
     <xs:element name="RoleActionMappingRules">
         <annotation>
             <documentation>
 <![CDATA[
-This XSD defines role-action mapping rules for GOCDB projects stored in the DB 
+This XSD defines role-action mapping rules for GOCDB projects stored in the DB
 ==============================================================================
-Authorisation decisions are made by comparing a user's actual roles 
-held over different {@see \OwnedEntity} objects (OEs) in the DB, with the role 
-action mapping rules defined in an instance doc of this XSD. 
-- Only the relevant user's Roles that are included in this comparison which 
-  includes those that are 'reachable' from the target entity when ASCENDING 
-  the OE domain graph. 
-- The relevant role-action-mapping rules are those defined for the PARENT/ANCESTOR 
-  Project(s) of the target entity;  parent/ancestor projects are those that are 
+Authorisation decisions are made by comparing a user's actual roles
+held over different {@see \OwnedEntity} objects (OEs) in the DB, with the role
+action mapping rules defined in an instance doc of this XSD.
+- Only the relevant user's Roles that are included in this comparison which
+  includes those that are 'reachable' from the target entity when ASCENDING
+  the OE domain graph.
+- The relevant role-action-mapping rules are those defined for the PARENT/ANCESTOR
+  Project(s) of the target entity;  parent/ancestor projects are those that are
   'reachable' from the target entity when ASCENDING the OE domain graph.
 
-The root element is <RoleActionMappingRules>. It defines one 
-<RoleActionMapping>s. The mapping defines a set of role-action mapping rules 
-that apply to all projects in the DB. A single <RoleActionMapping> declares which 
-Actions the different Role types enable over the different types of target object. 
+The root element is <RoleActionMappingRules>. It defines one
+<RoleActionMapping>s. The mapping defines a set of role-action mapping rules
+that apply to all projects in the DB. A single <RoleActionMapping> declares which
+Actions the different Role types enable over the different types of target object.
 
 Domain Model
 ------------
-The domain model is hierarchical; a parent object links to child objects in a 
-tree like structure. It is not a strict tree since many-to-many 
-relationships can exist, e.g. between Project and NGI where a single Project can 
-link many child NGIs while a single NGI can link to many parent Projects.  
+The domain model is hierarchical; a parent object links to child objects in a
+tree like structure. It is not a strict tree since many-to-many
+relationships can exist, e.g. between Project and NGI where a single Project can
+link many child NGIs while a single NGI can link to many parent Projects.
 The basic domain model is illustrated below:
 
-- Users own Roles of different types (r1,r2,r3...) that are held over/link-to 
-  OwnedEntity (OE) implementations. 
-- The multiplicity of the relationships between domain objects is: 
-  '1' = one, '*' = many 
+- Users own Roles of different types (r1,r2,r3...) that are held over/link-to
+  OwnedEntity (OE) implementations.
+- The multiplicity of the relationships between domain objects is:
+  '1' = one, '*' = many
 
-      r1->Project(OE)         UserA owns: r1,r2,r3,r4,r5,r6 
-           |*               
-           |*  
-      r2->Ngi(OE)  
-           |1 
+      r1->Project(OE)         UserA owns: r1,r2,r3,r4,r5,r6
+           |*
+           |*
+      r2->Ngi(OE)
+           |1
            |*
       r3->Site(OE)  ServiceGroup(OE)<-r5,r6
            |1      /1
            |*     /*
       r4->Service
-           |1     \1  
-           |*      | 
+           |1     \1
+           |*      |
       EndpointLoc  |
-            \*     |*  
+            \*     |*
              \* Downtime
 
-The role-action mappings for a particular project propagate to all its children 
+The role-action mappings for a particular project propagate to all its children
 -------------------------------------------------------------------------------
 If a domain object is 'reachable' from a project by navigating down through
-the OE object graph, this object and all its descendents become subject to the 
-mapping rules of that particular project. For example: 
+the OE object graph, this object and all its descendents become subject to the
+mapping rules of that particular project. For example:
 
-  p1   p2      Domain graph: p = project, n = ngi, s = site 
-  |    |      
-  n1   n2      Each project's role-action-mappings are defined separately.  
-  |    | 
-  s1   s2 
+  p1   p2      Domain graph: p = project, n = ngi, s = site
+  |    |
+  n1   n2      Each project's role-action-mappings are defined separately.
+  |    |
+  s1   s2
 
   n1 gets linked to p2, n1 and s1 then become subject to the role action mapping
-  rules of both p1 and p2: 
+  rules of both p1 and p2:
 
-  p1   p2      The role-action mappings for a particular project propagate to all   
-  |  / |       children (p2's mapping rules apply to n1,n2,s1,s2). 
-  n1   n2    
-  |    | 
-  s1   s2 
+  p1   p2      The role-action mappings for a particular project propagate to all
+  |  / |       children (p2's mapping rules apply to n1,n2,s1,s2).
+  n1   n2
+  |    |
+  s1   s2
 
 
 Sample Instance Document
 ------------------------
 
-<RoleActionMappingRules     
+<RoleActionMappingRules
     xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
     xmlns='http://goc.egi.eu/2015/03/spec1.0_r1'
-    xsi:schemaLocation='http://goc.egi.eu/2015/03/spec1.0_r1 ../../../../config/RoleActionMappingsSchema.xsd'> 
+    xsi:schemaLocation='http://goc.egi.eu/2015/03/spec1.0_r1 ../../../../config/RoleActionMappingsSchema.xsd'>
 
-    <!-- 
-    RoleMapping 1: 'RoleH' held over a 'Project' enables action 'AZ' on sites and the project. 
-    RoleMapping 2: 'RoleN' held over a 'Ngi' enables action 'AY' on ngis and sites.  
+    <!--
+    RoleMapping 1: 'RoleH' held over a 'Project' enables action 'AZ' on sites and the project.
+    RoleMapping 2: 'RoleN' held over a 'Ngi' enables action 'AY' on ngis and sites.
     -->
 
-    <RoleActionMapping> 
+    <RoleActionMapping>
 
         <RoleNames over="Project">
             <Role id="RH">RoleH</Role>
@@ -116,7 +116,7 @@ Sample Instance Document
         <RoleNames over="Ngi">
             <Role id="RN">RoleN</Role>
         </RoleNames>
-        
+
         <RoleMapping>
             <Roles>
                 <RoleRef idRef="RH"/>
@@ -142,22 +142,22 @@ Sample Instance Document
                 <Target>site</Target>
             </EnabledActions>
         </RoleMapping>
-    </RoleActionMapping> 
+    </RoleActionMapping>
  </RoleActionMappingRules>
 ]]>
             </documentation>
         </annotation>
         <xs:complexType>
             <xs:sequence>
-                <xs:element ref="goc:RoleActionMapping" minOccurs="1" maxOccurs="1"></xs:element> 
+                <xs:element ref="goc:RoleActionMapping" minOccurs="1" maxOccurs="1"></xs:element>
             </xs:sequence>
-        </xs:complexType> 
+        </xs:complexType>
         <!--
         <xs:unique name="testRoleActionMappingTargetProjectUnique">
             <xs:annotation>
                 <xs:documentation>
-<![CDATA[ Declares a unique constraint on the value of <TargetProject> 
-to ensure only ONE <RoleActionMapping> applies to a particular project. 
+<![CDATA[ Declares a unique constraint on the value of <TargetProject>
+to ensure only ONE <RoleActionMapping> applies to a particular project.
 ]]>
                 </xs:documentation>
             </xs:annotation>
@@ -166,19 +166,19 @@ to ensure only ONE <RoleActionMapping> applies to a particular project.
         </xs:unique>
 	-->
     </xs:element>
-    
+
     <xs:element name="RoleActionMapping">
         <xs:annotation>
             <xs:documentation>
 <![CDATA[ Defines the role-to-action mappings for a set of projects named by
-the nested <TargetProject> elements. The basic structure of the element is as follows: 
+the nested <TargetProject> elements. The basic structure of the element is as follows:
 
-<RoleActionMapping> 
-    <RoleNames/>     (0..*) 
-    <RoleMapping/>   (0..*)   
-</RoleActionMapping> 
+<RoleActionMapping>
+    <RoleNames/>     (0..*)
+    <RoleMapping/>   (0..*)
+</RoleActionMapping>
 ]]>
-            </xs:documentation> 
+            </xs:documentation>
         </xs:annotation>
         <xs:complexType>
             <xs:sequence>
@@ -186,28 +186,28 @@ the nested <TargetProject> elements. The basic structure of the element is as fo
                 <xs:element name="TargetProject" minOccurs="0" maxOccurs="unbounded">
                     <xs:annotation>
                         <xs:documentation>
-<![CDATA[ Optional; used to name which project(s) this <RoleActionMapping> applies to. 
-There can be only one <RoleActionMapping> that does not define any 
-<TargetProject> elements, and this serves as the default. 
+<![CDATA[ Optional; used to name which project(s) this <RoleActionMapping> applies to.
+There can be only one <RoleActionMapping> that does not define any
+<TargetProject> elements, and this serves as the default.
 ]]>
-                        </xs:documentation> 
+                        </xs:documentation>
                     </xs:annotation>
                     <xs:complexType>
                         <xs:simpleContent>
                             <xs:extension base="xs:string">
                             </xs:extension>
                         </xs:simpleContent>
-                    </xs:complexType>  
+                    </xs:complexType>
                 </xs:element>
 		-->
-                <xs:element ref="goc:RoleNames" minOccurs="0" maxOccurs="unbounded"></xs:element> 
+                <xs:element ref="goc:RoleNames" minOccurs="0" maxOccurs="unbounded"></xs:element>
                 <xs:element ref="goc:RoleMapping" minOccurs="0" maxOccurs="unbounded"/>
             </xs:sequence>
             <!--<xs:attribute name="forProjects" type="string"/>-->
-        </xs:complexType> 
-        <!-- 
-        Ensure that Role values are unique within the context of any single RoleActionMapping. 
-        This allows different RoleActionMapping elements to define the same Role values.   
+        </xs:complexType>
+        <!--
+        Ensure that Role values are unique within the context of any single RoleActionMapping.
+        This allows different RoleActionMapping elements to define the same Role values.
         -->
         <xs:unique name="testRolesUniqueInRoleActionMapping">
             <xs:selector xpath="goc:RoleNames/goc:Role"/>
@@ -222,21 +222,21 @@ There can be only one <RoleActionMapping> that does not define any
     <xs:element name="RoleNames">
         <xs:annotation>
             <xs:documentation>
-<![CDATA[ Defines the role names that apply 'over' a specified 
-{@see \OwnedObject} type. The value of the 'over' attribute is case 
-insensitive. Nests zero or more <Role> elements.   
+<![CDATA[ Defines the role names that apply 'over' a specified
+{@see \OwnedObject} type. The value of the 'over' attribute is case
+insensitive. Nests zero or more <Role> elements.
 ]]>
-            </xs:documentation> 
+            </xs:documentation>
         </xs:annotation>
         <xs:complexType>
             <xs:sequence>
                 <xs:element name="Role" minOccurs="0" maxOccurs="unbounded">
                     <xs:annotation>
                         <xs:documentation>
-<![CDATA[ Defines a role name as the element value, case insensitive.  
-The id attribute is used to reference this role name throughout the document. 
+<![CDATA[ Defines a role name as the element value, case insensitive.
+The id attribute is used to reference this role name throughout the document.
 ]]>
-                        </xs:documentation> 
+                        </xs:documentation>
                     </xs:annotation>
                     <xs:complexType>
                         <xs:simpleContent>
@@ -246,19 +246,19 @@ The id attribute is used to reference this role name throughout the document.
                             </xs:extension>
                         </xs:simpleContent>
                     </xs:complexType>
-                </xs:element> 
-            </xs:sequence>    
+                </xs:element>
+            </xs:sequence>
             <xs:attribute name="over" type="string"/>
-        </xs:complexType> 
+        </xs:complexType>
     </xs:element>
-  
+
     <element name="RoleMapping">
         <xs:annotation>
             <xs:documentation>
-<![CDATA[ Used to specify which roles enable a set of actions over the 
-specified target object(s), i.e. it actually defines the role-to-action mapping. 
+<![CDATA[ Used to specify which roles enable a set of actions over the
+specified target object(s), i.e. it actually defines the role-to-action mapping.
 ]]>
-            </xs:documentation> 
+            </xs:documentation>
         </xs:annotation>
         <complexType>
             <sequence>
@@ -268,11 +268,30 @@ specified target object(s), i.e. it actually defines the role-to-action mapping.
                         <xs:sequence>
                             <xs:element name="RoleRef" minOccurs="0" maxOccurs="unbounded">
                                 <xs:complexType>
-                                    <xs:attribute name="idRef" type="xs:IDREF" use="required" />
-                                </xs:complexType> 
+                                    <xs:attribute name="idRef" use="required">
+                                        <xs:simpleType>
+                                            <xs:restriction base="xs:string">
+                                                <xs:enumeration value="COD_ADMIN"/>
+                                                <xs:enumeration value="COD_STAFF"/>
+                                                <xs:enumeration value="COO"/>
+                                                <xs:enumeration value="EGI_CSIRT_OFFICER"/>
+                                                <xs:enumeration value="NGI_OPS_DEP_MAN"/>
+                                                <xs:enumeration value="NGI_OPS_MAN"/>
+                                                <xs:enumeration value="NGI_SEC_OFFICER"/>
+                                                <xs:enumeration value="REG_FIRST_LINE_SUPPORT"/>
+                                                <xs:enumeration value="REG_STAFF_ROD"/>
+                                                <xs:enumeration value="SERVICE_GROUP_ADMIN"/>
+                                                <xs:enumeration value="SITE_ADMIN"/>
+                                                <xs:enumeration value="SITE_OPS_DEP_MAN"/>
+                                                <xs:enumeration value="SITE_OPS_MAN"/>
+                                                <xs:enumeration value="SITE_SECOFFICER"/>
+                                        </xs:restriction>
+                                        </xs:simpleType>
+                                    </xs:attribute>
+                                </xs:complexType>
                             </xs:element>
                         </xs:sequence>
-                    </xs:complexType> 
+                    </xs:complexType>
                 </xs:element>
                 <element name="EnabledActions" minOccurs="0" maxOccurs="unbounded">
                     <complexType>
@@ -281,14 +300,24 @@ specified target object(s), i.e. it actually defines the role-to-action mapping.
                                 <xs:annotation>
                                     <xs:documentation>
 <![CDATA[ This RoleMapping enables the listed Actions ]]>
-                                    </xs:documentation> 
+                                    </xs:documentation>
                                 </xs:annotation>
                                 <xs:complexType>
                                     <xs:sequence>
                                         <xs:element name="Action" minOccurs="0" maxOccurs="unbounded">
                                             <xs:simpleType>
                                                 <xs:restriction base="xs:string">
-                                                    <xs:pattern value="[a-zA-Z0-9_\s]+"/>
+                                                    <xs:enumeration value="ACTION_APPLY_RESERVED_SCOPE_TAG"/>
+                                                    <xs:enumeration value="ACTION_EDIT_OBJECT"/>
+                                                    <xs:enumeration value="ACTION_GRANT_ROLE"/>
+                                                    <xs:enumeration value="ACTION_NGI_ADD_SITE"/>
+                                                    <xs:enumeration value="ACTION_REJECT_ROLE"/>
+                                                    <xs:enumeration value="ACTION_REVOKE_ROLE"/>
+                                                    <xs:enumeration value="ACTION_NGI_EDIT_CERT_STATUS"/>
+                                                    <xs:enumeration value="ACTION_SITE_ADD_SERVICE"/>
+                                                    <xs:enumeration value="ACTION_SITE_DELETE_SERVICE"/>
+                                                    <xs:enumeration value="ACTION_SITE_EDIT_CERT_STATUS"/>
+                                                    <xs:enumeration value="ACTION_READ_PERSONAL_DATA"/>
                                                 </xs:restriction>
                                             </xs:simpleType>
                                         </xs:element>
@@ -298,21 +327,23 @@ specified target object(s), i.e. it actually defines the role-to-action mapping.
                             <element name="Target" minOccurs="1" maxOccurs="unbounded">
                                 <xs:annotation>
                                     <xs:documentation>
-<![CDATA[ The type-name of the object in the domain model that 
+<![CDATA[ The type-name of the object in the domain model that
 this RoleMapping applies. Case-insenstive. ]]>
-                                    </xs:documentation> 
+                                    </xs:documentation>
                                 </xs:annotation>
-                                <xs:complexType>
-                                    <xs:simpleContent>
-                                        <xs:extension base="xs:string">
-                                        </xs:extension>
-                                    </xs:simpleContent>
-                                </xs:complexType>  
+                                <xs:simpleType>
+                                    <xs:restriction base="xs:string">
+                                        <xs:enumeration value="Ngi"/>
+                                        <xs:enumeration value="Project"/>
+                                        <xs:enumeration value="ServiceGroup"/>
+                                        <xs:enumeration value="Site"/>
+                                    </xs:restriction>
+                                </xs:simpleType>
                             </element>
                         </sequence>
-                    </complexType> 
-                </element>  
-            </sequence> 
+                    </complexType>
+                </element>
+            </sequence>
         </complexType>
     </element>
 
diff --git a/config/gocdb_schema.xml b/config/gocdb_schema.xml
index 3a87b0911..3077c58c2 100644
--- a/config/gocdb_schema.xml
+++ b/config/gocdb_schema.xml
@@ -606,5 +606,9 @@
             <length>255</length>
             <regex>/^(X509|OIDC Subject)$/</regex>
         </field>
+		<field>
+			<fname>ALLOW_WRITE</fname>
+			<ftype>boolean</ftype>
+		</field>
     </entity>
 </schema>
diff --git a/config/local_info.xml b/config/local_info.xml
index a477e1a56..d804c7652 100755
--- a/config/local_info.xml
+++ b/config/local_info.xml
@@ -186,6 +186,17 @@
     order of tokens in MyConfig1 if user has multiple identifiers -->
     <API_all_auth_realms>false</API_all_auth_realms>
 
+    <!-- restrict_personal_data
+      Whether or not to honour legacy behaviour for showing personal data
+      If false, a user need only be self-registered with an acceptable certificate
+              i.e. authenticated and registered
+      If true, display of personal data depends on the role assignment xml schema
+              i.e. authenticated, registered AND have ACTION_READ_PERSONAL_DATA enabled
+              in config/RoleActionMappings.xml
+
+    -->
+    <restrict_personal_data>false</restrict_personal_data>
+
   </local_info>
 
   <!--
diff --git a/htdocs/PI/index.php b/htdocs/PI/index.php
index 4027de40c..2aa31e9c9 100644
--- a/htdocs/PI/index.php
+++ b/htdocs/PI/index.php
@@ -2,6 +2,9 @@
 
 namespace org\gocdb\services;
 
+use Factory;
+use LogicException;
+
 /* ______________________________________________________
  * ======================================================
  * File: index.php
@@ -65,7 +68,7 @@ function xecho($data) {
 }
 
 // Initialise the configuration service with the host url of the incoming request.
-// Allows the overriding of configuration values. Do not use 'new' to create a new 
+// Allows the overriding of configuration values. Do not use 'new' to create a new
 // instance after this.
 
 \Factory::getConfigService()->setLocalInfoOverride($_SERVER['SERVER_NAME']);
@@ -140,7 +143,7 @@ function getXml() {
             switch ($this->method) {
                 case "get_site":
                     require_once($directory . 'GetSite.php');
-                    $this->authAnyCert();
+                    $this->authByCert();
                     $getSite = new GetSite($em, $this->baseUrl, $this->baseApiUrl);
                     $getSite->setDefaultPaging($this->defaultPaging);
                     $getSite->setPageSize($this->defaultPageSize);
@@ -161,7 +164,7 @@ function getXml() {
                     break;
                 case "get_site_contacts":
                     require_once($directory . 'GetSiteContacts.php');
-                    $this->authAnyCert();
+                    $this->authByCert();
                     $getSiteContacts = new GetSiteContacts($em, $this->baseApiUrl);
                     $getSiteContacts->setDefaultPaging($this->defaultPaging);
                     $getSiteContacts->setPageSize($this->defaultPageSize);
@@ -172,7 +175,7 @@ function getXml() {
                     break;
                 case "get_site_security_info":
                     require_once($directory . 'GetSiteSecurityInfo.php');
-                    $this->authAnyCert();
+                    $this->authByCert();
                     $getSiteSecurityInfo = new GetSiteSecurityInfo($em, $this->baseApiUrl);
                     $getSiteSecurityInfo->setDefaultPaging($this->defaultPaging);
                     $getSiteSecurityInfo->setPageSize($this->defaultPageSize);
@@ -199,7 +202,7 @@ function getXml() {
                     break;
                 case "get_roc_contacts":
                     require_once($directory . 'GetNGIContacts.php');
-                    $this->authAnyCert();
+                    $this->authByCert();
                     $getNGIContacts = new GetNGIContacts($em, $this->baseUrl, $this->baseApiUrl);
                     $getNGIContacts->setDefaultPaging($this->defaultPaging);
                     $getNGIContacts->setPageSize($this->defaultPageSize);
@@ -270,7 +273,7 @@ function getXml() {
                     break;
                 case "get_user":
                     require_once($directory . 'GetUser.php');
-                    $this->authAnyCert();
+                    $this->authByCert();
                     $getUser = new GetUser($em, \Factory::getRoleActionAuthorisationService(), $this->baseUrl, $this->baseApiUrl);
                     $getUser->setDefaultPaging($this->defaultPaging);
                     $getUser->setPageSize($this->defaultPageSize);
@@ -281,7 +284,7 @@ function getXml() {
                     break;
                 case "get_project_contacts":
                     require_once($directory . 'GetProjectContacts.php');
-                    $this->authAnyCert();
+                    $this->authByCert();
                     $getProjCon = new GetProjectContacts($em, $this->baseApiUrl);
                     $getProjCon->setDefaultPaging($this->defaultPaging);
                     $getProjCon->setPageSize($this->defaultPageSize);
@@ -292,7 +295,7 @@ function getXml() {
                     break;
                 case "get_ngi":
                     require_once($directory . 'GetNGI.php');
-                    $this->authAnyCert();
+                    $this->authByCert();
                     $getNGI = new GetNGI($em, $this->baseApiUrl);
                     $getNGI->setDefaultPaging($this->defaultPaging);
                     $getNGI->setPageSize($this->defaultPageSize);
@@ -303,7 +306,7 @@ function getXml() {
                     break;
                 case "get_service_group" :
                     require_once($directory . 'GetServiceGroup.php');
-                    $this->authAnyCert();
+                    $this->authByCert();
                     $getServiceGroup = new GetServiceGroup($em, $this->baseUrl, $this->baseApiUrl);
                     $getServiceGroup->setDefaultPaging($this->defaultPaging);
                     $getServiceGroup->setPageSize($this->defaultPageSize);
@@ -314,7 +317,7 @@ function getXml() {
                     break;
                 case "get_service_group_role" :
                     require_once($directory . 'GetServiceGroupRole.php');
-                    $this->authAnyCert();
+                    $this->authByCert();
                     $getServiceGroupRole = new GetServiceGroupRole($em, $this->baseUrl, $this->baseApiUrl);
                     $getServiceGroupRole->setDefaultPaging($this->defaultPaging);
                     $getServiceGroupRole->setPageSize($this->defaultPageSize);
@@ -325,7 +328,7 @@ function getXml() {
                     break;
                 case "get_cert_status_date" :
                     require_once($directory . 'GetCertStatusDate.php');
-                    $this->authAnyCert();
+                    $this->authByCert();
                     $getCertStatusDate = new GetCertStatusDate($em, $this->baseApiUrl);
                     $getCertStatusDate->setDefaultPaging($this->defaultPaging);
                     $getCertStatusDate->setPageSize($this->defaultPageSize);
@@ -336,7 +339,7 @@ function getXml() {
                     break;
                 case "get_cert_status_changes":
                     require_once($directory . 'GetCertStatusChanges.php');
-                    $this->authAnyCert();
+                    $this->authByCert();
                     $getCertStatusChanges = new GetCertStatusChanges($em, $this->baseApiUrl);
                     $getCertStatusChanges->setDefaultPaging($this->defaultPaging);
                     $getCertStatusChanges->setPageSize($this->defaultPageSize);
@@ -367,11 +370,48 @@ function getXml() {
 
     /* Authorize a user based on their certificate */
 
-    function authAnyCert() {
-        if (empty($this->dn))
-            die("<No valid credentials provided. A suitable credential is " .
-                    "required to access this resource. Try accessing this " .
+    function authByCert() {
+        require_once __DIR__.'/../web_portal/controllers/utils.php';
+        require_once __DIR__.'/../../lib/Doctrine/entities/APIAuthentication.php';
+
+        if (empty($this->dn)) {
+            throw new \Exception("No valid certificate found. A trusted certificate is " .
+                    "required to access this resource. Try accessing the " .
                     "resource through the private interface.");
+        }
+
+        $admin = false;
+        $authenticated = false;
+
+        $user = \Factory::getUserService()->getUserByPrinciple($this->dn);
+
+        if ($user == null) {
+            // Incoming credential is not that of a registered user.
+            // Check if it is registered API Authentication credential.
+
+            $authEntServ = \Factory::getAPIAuthenticationService();
+            $authEnt = $authEntServ->getAPIAuthentication($this->dn, "X509");
+
+            if (!is_null($authEnt)) {
+                $authEntServ->updateLastUseTime($authEnt);
+                $authenticated = true;
+            }
+
+            if (!\Factory::getConfigService()->isRestrictPDByRole()) {
+                // Only a 'valid' (IGTF) certificate is needed.
+                $authenticated = true;
+            }
+        } else {
+            // $authenticated will be set to indicate whether the user can read Personal Data under the
+            // current configuration -
+            // i.e. a combination of local_info.xml restrict_personal_data element and whether
+            // the user has a role that permits.
+
+            list($admin, $authenticated) = getReadPDParams($user);
+        }
+        if (!($admin || $authenticated)) {
+            throw new \Exception("Authorisation required to read personal data (". getInfoMessage(). "). ");
+        }
     }
 
 }
diff --git a/htdocs/web_portal/controllers/project/view_project.php b/htdocs/web_portal/controllers/project/view_project.php
index fb3b75411..6aee7db9f 100644
--- a/htdocs/web_portal/controllers/project/view_project.php
+++ b/htdocs/web_portal/controllers/project/view_project.php
@@ -52,10 +52,8 @@ function show_project() {
 //       $params['ShowEdit'] = true;
 //    }
 
-    $params['authenticated'] = false;
-    if($user != null){
-        $params['authenticated'] = true;
-    }
+    // Overload the 'authenticated' key for use to disable display of personal data
+    list(, $params['authenticated']) = getReadPDParams($user);
 
     // Add RoleActionRecords to params
     $params['RoleActionRecords'] = \Factory::getRoleService()->getRoleActionRecordsById_Type($project->getId(), 'project');
@@ -70,4 +68,4 @@ function show_project() {
     show_view('project/view_project.php', $params, $params['Name']);
 }
 
-?>
\ No newline at end of file
+?>
diff --git a/htdocs/web_portal/controllers/service/view_service.php b/htdocs/web_portal/controllers/service/view_service.php
index ab6f897dd..7c4da468a 100644
--- a/htdocs/web_portal/controllers/service/view_service.php
+++ b/htdocs/web_portal/controllers/service/view_service.php
@@ -15,10 +15,8 @@ function view_se() {
 
     $serv = \Factory::getServiceService();
 
-    $params['authenticated'] = false;
-    if($user != null){
-        $params['authenticated'] = true;
-    }
+    // Set values for showing personal data
+    list( , $params['authenticated']) = getReadPDParams($user);
 
     $params['portalIsReadOnly'] = portalIsReadOnlyAndUserIsNotAdmin($user);
     $se = $serv->getService($id);
@@ -44,4 +42,4 @@ function view_se() {
 
     $params['Downtimes'] = $downtimes;
     show_view("service/view_service.php", $params, $title);
-}
\ No newline at end of file
+}
diff --git a/htdocs/web_portal/controllers/service/view_service_endpoint.php b/htdocs/web_portal/controllers/service/view_service_endpoint.php
index 1e5b45a21..d88efeb0d 100644
--- a/htdocs/web_portal/controllers/service/view_service_endpoint.php
+++ b/htdocs/web_portal/controllers/service/view_service_endpoint.php
@@ -35,6 +35,8 @@ function view_endpoint() {
        $params['ShowEdit'] = true;
     }
 
+    list(, $params['authenticated']) = getReadPDParams($user);
+
     $title = $endpoint->getName();
     $params['endpoint'] = $endpoint;
     //$params['sGroups'] = $se->getServiceGroups();
diff --git a/htdocs/web_portal/controllers/service_group/view_sgroup.php b/htdocs/web_portal/controllers/service_group/view_sgroup.php
index 3612344f2..7b17d967f 100644
--- a/htdocs/web_portal/controllers/service_group/view_sgroup.php
+++ b/htdocs/web_portal/controllers/service_group/view_sgroup.php
@@ -1,5 +1,7 @@
 <?php
 function showServiceGroup() {
+
+    require_once __DIR__.'/../../../../lib/Doctrine/entities/ServiceGroup.php';
     require_once __DIR__.'/../../../web_portal/components/Get_User_Principle.php';
     require_once __DIR__ . '/../utils.php';
 
@@ -8,6 +10,7 @@ function showServiceGroup() {
     }
     $sGroupId = $_GET['id'];
 
+    /* @var $sGroup \ServiceGroup */
     $sGroup = \Factory::getServiceGroupService()->getServiceGroup($sGroupId);
     $params['sGroup'] = $sGroup;
 
@@ -22,10 +25,7 @@ function showServiceGroup() {
 
     $params['portalIsReadOnly'] = portalIsReadOnlyAndUserIsNotAdmin($user);
 
-    $params['authenticated'] = false;
-    if($user != null){
-        $params['authenticated'] = true;
-    }
+    list(, $params['authenticated']) = getReadPDParams($user);
 
     $allRoles = $sGroup->getRoles();
     $roles = array();
@@ -49,4 +49,4 @@ function showServiceGroup() {
     $title = $sGroup->getName();
 
     show_view("service_group/view_sgroup.php", $params, $title);
-}
\ No newline at end of file
+}
diff --git a/htdocs/web_portal/controllers/site/add_api_auth.php b/htdocs/web_portal/controllers/site/add_api_auth.php
index 1dd9b51b9..b718b427a 100644
--- a/htdocs/web_portal/controllers/site/add_api_auth.php
+++ b/htdocs/web_portal/controllers/site/add_api_auth.php
@@ -60,12 +60,15 @@ function draw(\User $user = null, \Site $site = null) {
     $params['authTypes'] = array();
     $params['authTypes'][]='X509';
     $params['authTypes'][]='OIDC Subject';
+    $params['user'] = $user;
+    $params['allowWrite'] = false;
 
     show_view("site/add_api_auth.php", $params);
+
     die();
 }
 
-function submit(\User $user = null, \Site $site, $serv) {
+function submit(\User $user = null, \Site $site, \org\gocdb\services\Site $serv) {
     $newValues = getAPIAuthenticationFromWeb();
 
     try {
diff --git a/htdocs/web_portal/controllers/site/edit_api_auth.php b/htdocs/web_portal/controllers/site/edit_api_auth.php
index 3120cca85..e75a2cfec 100644
--- a/htdocs/web_portal/controllers/site/edit_api_auth.php
+++ b/htdocs/web_portal/controllers/site/edit_api_auth.php
@@ -45,6 +45,11 @@ function edit_entity() {
     $authEnt = $serv->getAPIAuthenticationEntity($_REQUEST['authentityid']);
     $site = $authEnt->getParentSite();
 
+    // Validate the user has permission to edit properties
+    if (!$serv->userCanEditSite($user, $site)) {
+        throw new \Exception("Permission denied: a site role is required to edit authentication entities at " . $site->getShortName());
+    }
+
     if($_POST) {     // If we receive a POST request it's to edit an authentication entity
         submit($user, $authEnt, $site, $serv);
     } else { // If there is no post data, draw the edit authentication entity form
@@ -57,17 +62,19 @@ function draw(\User $user = null, \APIAuthentication $authEnt = null, \Site $sit
         throw new Exception("Unregistered users can't edit authentication credentials");
     }
 
+    $params = array();
     $params['site'] = $site;
     $params['authEnt'] = $authEnt;
     $params['authTypes'] = array();
     $params['authTypes'][]='X509';
     $params['authTypes'][]='OIDC Subject';
+    $params['user'] = $user;
 
     show_view("site/edit_api_auth.php", $params);
     die();
 }
 
-function submit(\User $user, \APIAuthentication $authEnt, \Site $site, $serv) {
+function submit(\User $user, \APIAuthentication $authEnt, \Site $site, org\gocdb\services\Site $serv) {
     $newValues = getAPIAuthenticationFromWeb();
 
     try {
@@ -76,6 +83,8 @@ function submit(\User $user, \APIAuthentication $authEnt, \Site $site, $serv) {
         show_view('error.php', $e->getMessage());
         die();
     }
+
+    $params = array();
     $params['apiAuthenticationEntity'] = $authEnt;
     $params['site'] = $site;
     show_view("site/edited_api_auth.php", $params);
diff --git a/htdocs/web_portal/controllers/site/view_site.php b/htdocs/web_portal/controllers/site/view_site.php
index 5e2d31db6..8528e2985 100644
--- a/htdocs/web_portal/controllers/site/view_site.php
+++ b/htdocs/web_portal/controllers/site/view_site.php
@@ -6,38 +6,40 @@ function view_site() {
 
     $serv = \Factory::getSiteService();
     $servServ  = \Factory::getServiceService();
+    $userServ = \Factory::getUserService();
+    $authServ = \Factory::getRoleActionAuthorisationService();
 
     if (!isset($_GET['id']) || !is_numeric($_GET['id']) ){
         throw new Exception("An id must be specified");
     }
     $siteId = $_GET['id'];
-
     $site = $serv->getSite($siteId);
-    $allRoles = $site->getRoles();
-    $roles = array();
-    foreach ($allRoles as $role){
-        if($role->getStatus() == \RoleStatus::GRANTED){
-            $roles[] = $role;
-        }
-    }
 
     //get user for case that portal is read only and user is admin, so they can still see edit links
     $dn = Get_User_Principle();
-    $user = \Factory::getUserService()->getUserByPrinciple($dn);
-    $params['UserIsAdmin']=false;
-    if(!is_null($user)) {
-        $params['UserIsAdmin']=$user->isAdmin();
-    }
+    $user = $userServ->getUserByPrinciple($dn);
+
+    // Set values for showing personal data
+    $params = array();
+    list($params['UserIsAdmin'], $params['authenticated']) = getReadPDParams($user);
 
-    $params['authenticated'] = false;
-    if($user != null){
-        $params['authenticated'] = true;
+    // Only load roles if personal data is being displayed
+    if ($params['authenticated']) {
+        $allRoles = $site->getRoles();
+        $roles = array();
+        foreach ($allRoles as $role){
+            if($role->getStatus() == \RoleStatus::GRANTED){
+                $roles[] = $role;
+            }
+        }
+        $params['roles'] = $roles;
     }
 
     // Does current viewer have edit permissions over Site ?
     $params['ShowEdit'] = false;
     //if(count($serv->authorize Action(\Action::EDIT_OBJECT, $site, $user))>=1){
-    if(\Factory::getRoleActionAuthorisationService()->authoriseAction(\Action::EDIT_OBJECT, $site, $user)->getGrantAction()){
+    if ($authServ->authoriseAction(\Action::EDIT_OBJECT, $site, $user)
+                    ->getGrantAction()) {
        $params['ShowEdit'] = true;
     }
 
@@ -54,9 +56,8 @@ function view_site() {
     $params['portalIsReadOnly'] = portalIsReadOnlyAndUserIsNotAdmin($user);
     $title = $site->getShortName();
     $params['site'] = $site;
-    $params['roles'] = $roles;
 
-    $params['APIAuthenticationEntities'] = $site->getAPIAuthenticationEntities();
+    $params['APIAuthEnts'] = $site->getAPIAuthenticationEntities();
 
     // Add RoleActionRecords to params
     $params['RoleActionRecords'] = \Factory::getRoleService()->getRoleActionRecordsById_Type($site->getId(), 'site');
diff --git a/htdocs/web_portal/controllers/user/view_user.php b/htdocs/web_portal/controllers/user/view_user.php
index 1ff0f540e..47a23bd05 100644
--- a/htdocs/web_portal/controllers/user/view_user.php
+++ b/htdocs/web_portal/controllers/user/view_user.php
@@ -21,113 +21,141 @@
  /*====================================================== */
 function view_user() {
     require_once __DIR__.'/utils.php';
+    require_once __DIR__.'/../../../../lib/Gocdb_Services/User.php';
     require_once __DIR__.'/../../../../lib/Gocdb_Services/Factory.php';
     require_once __DIR__.'/../../components/Get_User_Principle.php';
 
     if (!isset($_GET['id']) || !is_numeric($_GET['id']) ){
         throw new Exception("An id must be specified");
     }
-    $userId =  $_GET['id'];
 
-    $serv = \Factory::getUserService();
-    $user = $serv->getUser($userId);
-    if ($user === null) {
+    $userService = \Factory::getUserService();
+    $user = $userService->getUser($_GET['id']);
+
+    if($user === null){
        throw new Exception("No user with that ID");
     }
 
-    $params = [];
-    $params['user'] = $user;
+    $params = array();
 
     // Check if user only has one identifier to disable unlinking
     $params['lastIdentifier'] = (count($user->getUserIdentifiers()) === 1);
     // Add the display locations of the policy files.
     getPolicyURLs($params);
 
+    $apiAuthEnts = $user->getAPIAuthenticationEntities();
+    $authEntSites = array();
+    /** @var \APIAuthentication $apiAuth */
+    foreach ($apiAuthEnts as $apiAuth) {
+        $authEntSites[$apiAuth->getParentSite()->getId()]++;
+    }
+
+    /** @var \User $callingUser */
+    $callingUser = $userService->getUserByPrinciple(Get_User_Principle());
+
+    // Restrict users to see only their own data unless authorised.
+    // User objects are not 'owned' so we check their authz at connected sites.
+    if (is_null($callingUser) ||
+        (!$callingUser->isAdmin() &&
+         $user !== $callingUser &&
+        !$userService->isAllowReadPD($callingUser)))
+        {
+            throw new Exception('You are not authorised to read other users\' personal data.');
+        }
+
+    $params['user'] = $user;
+
     // 2D array, each element stores role and a child array holding project Ids
     $role_ProjIds = array();
 
     // get the targetUser's roles
-    $roles = \Factory::getRoleService()->getUserRoles($user, \RoleStatus::GRANTED); //$user->getRoles();
+    $roleService = \Factory::getRoleService();
+    $roles = $roleService->getUserRoles($user, \RoleStatus::GRANTED); //$user->getRoles();
 
     $currentIdString = Get_User_Principle();
     $params['currentIdString'] = $currentIdString;
-    $callingUser = $serv->getUserByPrinciple($currentIdString);
 
     // can the calling user revoke the targetUser's roles?
-    /* @var $r \Role */
+    /** @var \Role $r */
+
     foreach ($roles as $r) {
-    //echo $r->getId().', '.$r->getRoleType()->getName().', '.$r->getOwnedEntity()->getName().'<br>';
 
-    // determine if callingUser can REVOKE this role instance
-    if($user != $callingUser){
-        //echo '<br>'.$r->getOwnedEntity()->getName().' ';
+        $decoratorString = '';
+        $disableButton = '';
 
-            $authorisingRoles = \Factory::getRoleActionAuthorisationService()
-            ->authoriseAction(\Action::REVOKE_ROLE, $r->getOwnedEntity(), $callingUser)
+        /** @var \OwnedEntity $roleOwnedEntity */
+        $roleOwnedEntity = $r->getOwnedEntity();
+
+        try {
+            // only meaningful for Site entities, but there is an
+            // internal check in the function.
+            $roleService->checkOrphanAPIAuth($r);
+        } catch (Exception $e) {
+            $disableButton = 'disabled';
+        }
+
+        $authorisingRoles = \Factory::getRoleActionAuthorisationService()
+            ->authoriseAction(\Action::REVOKE_ROLE, $roleOwnedEntity, $callingUser)
             ->getGrantingRoles();
-            $authorisingRoleNames = array();
-        //echo ' callingUser authorising Roles: ';
-            /* @var $authRole \Role */
-            foreach($authorisingRoles as $authRole){
-               $authorisingRoleNames[] = $authRole->getRoleType()->getName();
-           //echo $authRole->getRoleType()->getName().', ';
-            }
 
-            if(count($authorisingRoleNames)>=1){
-                $allAuthorisingRoleNames = '';
-                foreach($authorisingRoleNames as $arName){
-                    $allAuthorisingRoleNames .= $arName.', ';
+        if ($user != $callingUser) {
+            // determine if callingUser can REVOKE this role instance
+            if ($callingUser->isAdmin()) {
+                $decoratorString .= 'GOCDB_ADMIN';
+                if (count($authorisingRoles) >= 1) {
+                    $decoratorString .= ': ' ;
                 }
-                $allAuthorisingRoleNames = substr($allAuthorisingRoleNames, 0, strlen($allAuthorisingRoleNames)-2);
-                $r->setDecoratorObject('['.$allAuthorisingRoleNames.'] ');
             }
-            if($callingUser->isAdmin()){
-                $existingVal = $r->getDecoratorObject();
-                if($existingVal != null){
-                   $r->setDecoratorObject('GOCDB ADMIN: '.$existingVal);
-                } else {
-                    $r->setDecoratorObject('GOCDB ADMIN');
+            if (count($authorisingRoles) >= 1) {
+                /** @var \Role $authRole */
+                $roleNames = array();
+                foreach ($authorisingRoles as $authRole) {
+                    $roleNames[] = $authRole->getRoleType()->getName();
                 }
+                $decoratorString .= '[' . implode(', ', $roleNames) . '] ';
             }
-    } else {
-        // current user is viewing their own roles, so they can revoke their own roles
-        $r->setDecoratorObject('[Self revoke own role]');
-    }
-
-    // Get the names of the parent project(s) for this role so we can
-    // group by project in the view
-    $parentProjectsForRole = \Factory::getRoleActionAuthorisationService()
-        ->getReachableProjectsFromOwnedEntity($r->getOwnedEntity());
-    $projIds = array();
-    foreach($parentProjectsForRole as $_proj){
-        $projIds[] = $_proj->getId();
-    }
-
-    // store role and parent projIds in a 2D array for viewing
-    $role_ProjIds[] = array($r, $projIds);
-
+        } else {
+            // current user is viewing their own roles, so they can revoke their own roles
+            $decoratorString = '[Self revoke own role]';
+        }
+
+        if (strlen($decoratorString) > 0 || $disableButton == 'disabled') {
+            $r->setDecoratorObject(array("revokeButton" => $disableButton, "revokeMessage" => $decoratorString));
+        }
+
+        // Get the names of the parent project(s) for this role so we can
+        // group by project in the view
+        $parentProjectsForRole = \Factory::getRoleActionAuthorisationService()
+            ->getReachableProjectsFromOwnedEntity($r->getOwnedEntity());
+        $projIds = array();
+        foreach ($parentProjectsForRole as $_proj) {
+            $projIds[] = $_proj->getId();
+        }
+
+        // store role and parent projIds in a 2D array for viewing
+        $role_ProjIds[] = array($r, $projIds);
     }// end iterating roles
 
     // Get a list of the projects and their Ids for grouping roles by proj in view
     $projectNamesIds = array();
     $projects = \Factory::getProjectService()->getProjects();
     foreach($projects as $proj){
-    $projectNamesIds[$proj->getId()] = $proj->getName();
+        $projectNamesIds[$proj->getId()] = $proj->getName();
     }
 
     // Check to see if the current calling user has permission to edit the target user
     try {
-        $serv->editUserAuthorization($user, $callingUser);
+        $userService->editUserAuthorization($user, $callingUser);
         $params['ShowEdit'] = true;
     } catch (Exception $e) {
         $params['ShowEdit'] = false;
     }
 
-    $params['idString'] = $serv->getDefaultIdString($user);
-
+    $params['idString'] = $userService->getDefaultIdString($user);
     $params['projectNamesIds'] = $projectNamesIds;
     $params['role_ProjIds'] = $role_ProjIds;
     $params['portalIsReadOnly'] = \Factory::getConfigService()->IsPortalReadOnly();
+    $params['APIAuthEnts'] = $user->getAPIAuthenticationEntities();
     $title = $user->getFullName();
     show_view("user/view_user.php", $params, $title);
 }
diff --git a/htdocs/web_portal/controllers/utils.php b/htdocs/web_portal/controllers/utils.php
index 91dfadb21..08e5efcf0 100644
--- a/htdocs/web_portal/controllers/utils.php
+++ b/htdocs/web_portal/controllers/utils.php
@@ -688,7 +688,70 @@ function getSTDataFromWeb() {
 function getAPIAuthenticationFromWeb() {
     $authEntityData['TYPE'] = $_REQUEST['TYPE'];
     $authEntityData['IDENTIFIER'] = trim($_REQUEST['IDENTIFIER']);
+    $authEntityData['ALLOW_WRITE'] = key_exists('ALLOW_WRITE', $_REQUEST)?
+                                        trim($_REQUEST['ALLOW_WRITE']) == 'checked':
+                                        false;
 
     return $authEntityData;
 
 }
+/**
+ * Return information message text
+ *
+ * @return string short message, a dash, supplementary text
+ * e.g. "PROTECTED - Registration required"
+ */
+function getInfoMessage($code = null) {
+
+    if ($code == null) {
+        $code = 'privacy-1';
+    }
+
+    $messages = array();
+
+    switch (\Factory::getConfigService()->isRestrictPDByRole()) {
+        case true:
+            $messages['privacy-1'] = "PROTECTED - Role required";
+            break;
+        case false:
+            $messages['privacy-1'] = "PROTECTED - Registration required";
+            break;
+    }
+
+    if (!array_key_exists($code, $messages)) {
+        throw new LogicException("Information message code $code has not been defined. Please contact GOCDB administrators.");
+    }
+
+    return $messages[$code];
+
+}
+/**
+ * Helper function to set view parameters for deciding to show personal data
+ *
+ * @return array parameter array
+ */
+function getReadPDParams($user) {
+    require_once __DIR__.'/../../../lib/Doctrine/entities/User.php';
+
+    $userIsAdmin = false;
+    $authenticated = false;
+
+    /*  */
+    if(!is_null($user)) {
+        // User will only see personal data if they have a role somewhere
+        // ToDo: should this be restricted to role at a site?
+
+        if (!$user instanceof \User) {
+            throw new LogicException("Personal data read authorisation expected User object as input. Received ". get_class($user) . "'.");
+        }
+
+        if($user->isAdmin()) {
+            $userIsAdmin = true;
+            $authenticated = true;
+        }
+        elseif (\Factory::getUserService()->isAllowReadPD($user)) {
+            $authenticated = true;
+        }
+    }
+    return array($userIsAdmin, $authenticated);
+}
diff --git a/htdocs/web_portal/css/web_portal.php b/htdocs/web_portal/css/web_portal.php
index fd2fe4dcc..4a68c0c3a 100644
--- a/htdocs/web_portal/css/web_portal.php
+++ b/htdocs/web_portal/css/web_portal.php
@@ -133,9 +133,6 @@
 h1 {
     font-size: 2.5em;
 }
-
-
-
 /*
     *	Containing DIV's
 	*	Page Container is the whole page
@@ -256,6 +253,26 @@
     font-size: 0.9em;
 }
 
+.input_checkbox {
+    display: inline;
+    margin-left: 2em;
+}
+
+.input_label {
+    font-size: 0.9em;
+    font-weight: normal;
+    vertical-align: middle;
+}
+
+.input_warning {
+    font-weight: bold;
+    word-break: normal;
+    margin-right: 10%;
+    padding-left: 5em; /* Hanging indent */
+    text-indent: -5em;
+    margin-bottom: 0.5em;
+}
+
 .input_syntax {
     display: inline;
     color: #909090;
diff --git a/htdocs/web_portal/views/fragments/hidePersonalData.php b/htdocs/web_portal/views/fragments/hidePersonalData.php
new file mode 100644
index 000000000..f148228c6
--- /dev/null
+++ b/htdocs/web_portal/views/fragments/hidePersonalData.php
@@ -0,0 +1,5 @@
+<?php
+echo '<span class="header" style="vertical-align:middle; float: left; padding-top: 0.9em; padding-left: 1em;">';
+echo 'User personal data is hidden (' . getInfoMessage() . ') </span>';
+echo '<img src="' . \GocContextPath::getPath() . 'img/people.png" class="decoration" />';
+?>
diff --git a/htdocs/web_portal/views/project/view_project.php b/htdocs/web_portal/views/project/view_project.php
index c44e71c4d..b676862d6 100644
--- a/htdocs/web_portal/views/project/view_project.php
+++ b/htdocs/web_portal/views/project/view_project.php
@@ -1,4 +1,7 @@
-<?php $ngiCount = sizeof($params['NGIs']) ?>
+<?php
+$ngiCount = sizeof($params['NGIs']);
+$showPD = $params['authenticated']; // display Personal Data
+?>
 <script type="text/javascript" src="<?php echo \GocContextPath::getPath()?>javascript/confirm.js"></script>
 <!-- onclick="return confirmSubmit()" -->
 <div class="rightPageContainer">
@@ -108,52 +111,62 @@
 
     <!-- Roles -->
     <div class="tableContainer" style="width: 99.5%; float: left; margin-top: 3em; margin-right: 10px;">
-        <span class="header" style="vertical-align:middle; float: left; padding-top: 0.9em; padding-left: 1em;">
-            Users (Click on name to manage roles)
-        </span>
-        <img src="<?php echo \GocContextPath::getPath()?>img/people.png" class="decoration" />
-        <?php if (sizeof($params['Roles'])>0): ?>
 
-            <table id="usersTable" class="table table-striped table-condensed tablesorter">
-                <thead>
-                    <tr>
-                        <th></th>
-                        <th>Name</th>
-                        <th>Role</th>
-                    </tr>
-                </thead>
-                <tbody>
-                    <?php
-                    foreach($params['Roles'] as $role) {
-                    ?>
+        <?php
+        if ($showPD) { ?>
+            <span class="header" style="vertical-align:middle; float: left; padding-top: 0.9em; padding-left: 1em;">
+            Users (Click on name to manage roles)
+            </span>
+            <img src="<?php echo \GocContextPath::getPath()?>img/people.png" class="decoration" />
+            <?php
+            if (sizeof($params['Roles'])>0) { ?>
+                <table id="usersTable" class="table table-striped table-condensed tablesorter">
+                    <thead>
                         <tr>
-                            <td>
-                                <img src="<?php echo \GocContextPath::getPath()?>img/person.png" class="person" />
-                            </td>
-                            <td>
-                                <?php
-                                if($params['authenticated']) {
-                                ?>
-                                    <a href="index.php?Page_Type=User&id=<?php echo $role->getUser()->getId()?>">
-                                        <?php echo $role->getUser()->getFullName()?>
-                                    </a>
-                                <?php
-                                } else {
-                                    echo 'PROTECTED';
-                                } ?>
-                            </td>
-                            <td>
-                                <?php if($params['authenticated']) { xecho($role->getRoleType()->getName()); } else {echo('PROTECTED'); } ?>
-                            </td>
+                            <th></th>
+                            <th>Name</th>
+                            <th>Role</th>
                         </tr>
+                    </thead>
+                    <tbody>
                         <?php
-                            } // End of the foreach loop iterating over user roles
+                        foreach($params['Roles'] as $role) {
                         ?>
-                </tbody>
-            </table>
-        <?php else: echo "<br><br>&nbsp &nbsp There are currently no users with roles over this project<br>"; endif; ?>
+                            <tr>
+                                <td>
+                                    <img src="<?php echo \GocContextPath::getPath()?>img/person.png" class="person" />
+                                </td>
+                                <td>
+                                    <?php
+                                    if($params['authenticated']) {
+                                    ?>
+                                        <a href="index.php?Page_Type=User&id=<?php echo $role->getUser()->getId()?>">
+                                            <?php echo $role->getUser()->getFullName()?>
+                                        </a>
+                                    <?php
+                                    } else {
+                                        echo 'PROTECTED';
+                                    } ?>
+                                </td>
+                                <td>
+                                    <?php if($params['authenticated']) { xecho($role->getRoleType()->getName()); } else {echo('PROTECTED'); } ?>
+                                </td>
+                            </tr>
+                            <?php
+                                } // End of the foreach loop iterating over user roles
+                            ?>
+                    </tbody>
+                </table>
+            <?php
+            } else {
+                echo "<br><br>&nbsp &nbsp There are currently no users with roles over this project<br>";
+            }
+        } else {
+            require_once __DIR__.'/../fragments/hidePersonalData.php';
+        }
+        ?>
         <!-- don't allow role requests in read only mode -->
-        <?php if(!$params['portalIsReadOnly'] && $params['authenticated']):?>
+        <?php if(!$params['portalIsReadOnly'] && $showPD):?>
             <a href="index.php?Page_Type=Request_Role&amp;id=<?php echo $params['ID'];?>">
                 <img src="<?php echo \GocContextPath::getPath()?>img/add.png" height="50px" style="float: left; padding-top: 0.9em; padding-left: 1.2em; padding-bottom: 0.9em;"/>
                 <span class="header" style="vertical-align:middle; float: left; padding-top: 1.1em; padding-left: 1em; padding-bottom: 0.9em;">
diff --git a/htdocs/web_portal/views/service/view_service.php b/htdocs/web_portal/views/service/view_service.php
index 5c77446f4..1d4efe983 100644
--- a/htdocs/web_portal/views/service/view_service.php
+++ b/htdocs/web_portal/views/service/view_service.php
@@ -1,12 +1,12 @@
 <?php
-$se = $params['se'];
-//throw new \Exception(var_dump(get_class($se)));
+require_once __DIR__."/../../controllers/utils.php";
 
-//throw new \Exception(var_dump($se));
+$se = $params['se'];
 $parentSiteName = $se->getParentSite()->getName();
 $extensionProperties = $se->getServiceProperties();
 $seId = $se->getId();
 $configService = \Factory::getConfigService();
+$showPD = $params['authenticated'];
 ?>
 <div class="rightPageContainer rounded">
     <div style="float: left; text-align: center;">
@@ -51,44 +51,44 @@
             <table style="clear: both; width: 100%;">
                 <tr class="site_table_row_1">
                     <td class="site_table">Host name</td><td class="site_table">
-                        <?php if ($params['authenticated']) {
+                        <?php if ($showPD) {
                             xecho($se->getHostName());
-                        } else echo('PROTECTED - Registration required'); ?>
+                        } else echo(getInfoMessage()); ?>
                     </td>
                 </tr>
                 <tr class="site_table_row_2">
                     <td class="site_table">IP Address</td><td class="site_table">
-                        <?php if ($params['authenticated']) {
+                        <?php if ($showPD) {
                           xecho($se->getIpAddress());
-                        }else echo('PROTECTED - Registration required');  ?>
+                        } else echo(getInfoMessage());  ?>
                     </td>
                 </tr>
                 <tr class="site_table_row_1">
                     <td class="site_table">IP v6 Address</td><td class="site_table">
-                        <?php if ($params['authenticated']) {
+                        <?php if ($showPD) {
                             xecho($se->getIpV6Address());
-                        } else echo('PROTECTED - Registration required'); ?>
+                        } else echo(getInfoMessage()); ?>
                     </td>
                 </tr>
                 <tr class="site_table_row_2">
                     <td class="site_table">Operating System</td><td class="site_table">
-                        <?php if ($params['authenticated']) {
+                        <?php if ($showPD) {
                             xecho($se->getOperatingSystem());
-                        } else echo('PROTECTED - Registration required'); ?>
+                        } else echo(getInfoMessage()); ?>
                     </td>
                 </tr>
                 <tr class="site_table_row_1">
                     <td class="site_table">Architecture</td><td class="site_table">
-                        <?php if ($params['authenticated']) {
+                        <?php if ($showPD) {
                             xecho($se->getArchitecture());
-                        } else echo('PROTECTED - Registration required'); ?>
+                        } else echo(getInfoMessage()); ?>
                     </td>
                 </tr>
                 <tr class="site_table_row_2">
                     <td class="site_table">Contact E-Mail</td><td class="site_table">
-                        <?php if ($params['authenticated']) {
-                            xecho($se->getEmail());
-                        } else echo('PROTECTED - Registration required'); ?>
+                    <?php if ($showPD) {
+                        xecho($se->getEmail());
+                    } else echo(getInfoMessage()); ?>
                     </td>
                 </tr>
                 <tr class="site_table_row_1">
@@ -114,9 +114,9 @@
                 <tr class="site_table_row_1">
                     <td class="site_table" style="width: 5em;">Host DN</td><td class="site_table">
                         <div style="word-wrap: break-word;">
-                                <?php if ($params['authenticated']) {
+                                <?php if ($showPD) {
                                     xecho($se->getDn()) ;
-                                } else echo('PROTECTED - Registration required'); ?>
+                                } else echo(getInfoMessage()); ?>
                         </div>
                     </td>
                 </tr>
diff --git a/htdocs/web_portal/views/service/view_service_endpoint.php b/htdocs/web_portal/views/service/view_service_endpoint.php
index 724578ba2..0944b428e 100644
--- a/htdocs/web_portal/views/service/view_service_endpoint.php
+++ b/htdocs/web_portal/views/service/view_service_endpoint.php
@@ -1,5 +1,6 @@
 <?php
 $endpoint = $params['endpoint'];
+$showPD = $params['authenticated'];
 $se = $endpoint->getService();
 $extensionProperties = $endpoint->getEndpointProperties();
 $epId = $endpoint->getId();
@@ -86,7 +87,15 @@
                     <td class="site_table">Id</td><td class="site_table"><?php echo $endpoint->getId() ?></td>
                 </tr>
                 <tr class="site_table_row_2">
-                    <td class="site_table">Contact E-mail</td><td class="site_table"><?php echo $endpoint->getEmail() ?></td>
+                    <td class="site_table">Contact E-mail</td><td class="site_table">
+                        <?php
+                            if ($showPD) {
+                                xecho ($endpoint->getEmail());
+                            } else {
+                                echo getInfoMessage();
+                            }
+                        ?>
+                    </td>
                 </tr>
                 <tr class="site_table_row_1">
                     <td class="site_table">Monitored</td>
diff --git a/htdocs/web_portal/views/service_group/view_sgroup.php b/htdocs/web_portal/views/service_group/view_sgroup.php
index 03cd4f402..9a4961486 100644
--- a/htdocs/web_portal/views/service_group/view_sgroup.php
+++ b/htdocs/web_portal/views/service_group/view_sgroup.php
@@ -1,5 +1,8 @@
 <?php
+require_once __DIR__ . '/../../controllers/utils.php';
+
 $extensionProperties = $params['sGroup']->getServiceGroupProperties();
+$showPD = $params['authenticated'];
 ?>
 
 <script type="text/javascript" src="<?php echo \GocContextPath::getPath()?>javascript/confirm.js"></script>
@@ -41,7 +44,7 @@
         <?php endif; ?>
     <?php endif; ?>
 
-    <!-- Virtual Site Properties container div -->
+    <!-- Virtual Service Group Properties container div -->
     <div style="float: left; width: 100%; margin-top: 2em;">
         <!--  Data -->
         <div class="tableContainer" style="width: 55%; float: left;">
@@ -81,11 +84,11 @@
                 <tr class="site_table_row_1">
                     <td class="site_table">Contact E-Mail</td>
                     <td class="site_table">
-                        <?php if($params['authenticated']) { ?>
+                        <?php if($showPD) { ?>
                         <a href="mailto:<?php xecho($params['sGroup']->getEmail()); ?>">
                             <?php xecho($params['sGroup']->getEmail()); ?>
                         </a>
-                        <?php } else {echo('PROTECTED - Registration required');} ?>
+                        <?php } else {echo(getInfoMessage());} ?>
                     </td>
                 </tr>
             </table>
@@ -174,43 +177,44 @@
 
     <!-- Roles -->
     <div class="tableContainer" style="width: 99.5%; float: left; margin-top: 3em; margin-right: 10px;">
-        <span class="header" style="vertical-align:middle; float: left; padding-top: 0.9em; padding-left: 1em;">Users (Click on name to manage roles)</span>
-        <img src="<?php echo \GocContextPath::getPath()?>img/people.png" class="decoration" />
-        <table style="clear: both; width: 100%;">
-            <tr class="site_table_row_1">
-                <th class="site_table">Name</th>
-                <th class="site_table">Role</th>
-            </tr>
-            <?php
-                $num = 2;
-                foreach($params['Roles'] as $role) {
-            ?>
-            <tr class="site_table_row_<?php echo $num ?>">
-                <td class="site_table">
-                    <div style="background-color: inherit;">
-                        <img src="<?php echo \GocContextPath::getPath()?>img/person.png" class="person" />
-                        <?php if($params['authenticated']) { ?>
+        <?php
+        if ($showPD) { ?>
+            <span class="header" style="vertical-align:middle; float: left; padding-top: 0.9em; padding-left: 1em;">Users (Click on name to manage roles)</span>
+            <img src="<?php echo \GocContextPath::getPath()?>img/people.png" class="decoration" />
+            <table style="clear: both; width: 100%;">
+                <tr class="site_table_row_1">
+                    <th class="site_table">Name</th>
+                    <th class="site_table">Role</th>
+                </tr>
+                <?php
+                    $num = 2;
+                    foreach($params['Roles'] as $role) {
+                ?>
+                <tr class="site_table_row_<?php echo $num ?>">
+                    <td class="site_table">
+                        <div style="background-color: inherit;">
+                            <img src="<?php echo \GocContextPath::getPath()?>img/person.png" class="person" />
                             <a style="vertical-align: middle;" href="index.php?Page_Type=User&id=<?php echo $role->getUser()->getId()?>">
-                                <?php xecho($role->getUser()->getFullName())?>
+                                <?php xecho($role->getUser()->getFullName()); ?>
                             </a>
-                        <?php } else {echo 'PROTECTED'; } ?>
-                    </div>
-                </td>
-                <td class="site_table">
-                    <?php
-                    if($params['authenticated']) {
-                       xecho($role->getRoleType()->getName()) ;
-                    } else {echo 'PROTECTED'; }
-                    ?>
-                </td>
-            </tr>
-            <?php
-                if($num == 1) { $num = 2; } else { $num = 1; }
-                } // End of the foreach loop iterating over user roles
-            ?>
-        </table>
+                        </div>
+                    </td>
+                    <td class="site_table">
+                        <?php xecho($role->getRoleType()->getName()); ?>
+                    </td>
+                </tr>
+                <?php
+                    if($num == 1) { $num = 2; } else { $num = 1; }
+                    } // End of the foreach loop iterating over user roles
+                ?>
+            </table>
+        <?php
+        } else {
+            require_once __DIR__.'/../fragments/hidePersonalData.php';
+        }
+        ?>
         <!--  only show this link if we're in read / write mode -->
-        <?php if(!$params['portalIsReadOnly'] && $params['authenticated']): ?>
+        <?php if(!$params['portalIsReadOnly'] && $showPD): ?>
             <!-- Request role Link -->
             <a href="index.php?Page_Type=Request_Role&amp;id=<?php echo $params['sGroup']->getId();?>">
                 <img src="<?php echo \GocContextPath::getPath()?>img/add.png" height="50px" style="float: left; padding-top: 0.9em; padding-left: 1.2em; padding-bottom: 0.9em;"/>
diff --git a/htdocs/web_portal/views/site/add_api_auth.php b/htdocs/web_portal/views/site/add_api_auth.php
index 005e710ac..675734656 100644
--- a/htdocs/web_portal/views/site/add_api_auth.php
+++ b/htdocs/web_portal/views/site/add_api_auth.php
@@ -1,19 +1,32 @@
 <div class="rightPageContainer">
     <h1>Add new API credential to <?php xecho($params['site']->getName());?></h1>
-    <br />
-    <b>Caution: it is possible to delete information using the write functionality of the API.</b>
-    <br/>
+    <h4>The credential added will be linked to GOCDB account
+        <a href="<?php echo \GocContextPath::getPath()?>index.php?Page_Type=User&id=<?php echo $params['user']->getId()?>" >
+                <?php xecho($params['user']->getForename()." ".$params['user']->getSurname())?>
+        </a>
+    </h4>
     <form class="inputForm" method="post" action="index.php?Page_Type=Add_API_Authentication_Entity&parentid=<?php echo($params['site']->getId());?>" name="addAPIAuthenticationEntity">
-        <span class="input_name">Identifier (e.g. Certificate DN or OIDC Subject)*</span>
-        <input type="text" value="" name="IDENTIFIER" class="input_input_text">
-        <br />
-        <span class="input_name">Credential type*</span>
-        <select name="TYPE" class="input_input_text">
-            <?php foreach($params['authTypes'] as $authType) {?>
-                <option value="<?php xecho($authType) ?>"><?php xecho($authType) ?></option>
-            <?php } ?>
-        </select>
-        <br />
+        <div style="margin-bottom: 0.5em;">
+            <span class="input_name">Identifier (e.g. Certificate DN or OIDC Subject)*</span>
+            <input type="text" value="" name="IDENTIFIER" class="input_input_text">
+        </div>
+        <div style="margin-bottom: 0.5em;">
+            <span class="input_name">Credential type*</span>
+            <select name="TYPE" class="input_input_text">
+                <?php foreach($params['authTypes'] as $authType) {?>
+                    <option value="<?php xecho($authType) ?>"><?php xecho($authType) ?></option>
+                <?php } ?>
+            </select>
+        </div>
+        <div style="margin-bottom: 1em">
+            <b>Caution: it is possible to delete information using the write functionality of the API.</b></br>
+            <div class="input_checkbox">
+                <input type="checkbox" name="ALLOW_WRITE" id="ALLOW_WRITE" value="checked"
+                    <?php if ($params['allowWrite']) { xecho(' checked="checked"'); } ?>
+                />
+                <label class="input_label" for="ALLOW_WRITE">Allow API write</label>
+            </div>
+        </div>
         <input type="submit" value="Add credential" class="input_button">
     </form>
 </div>
diff --git a/htdocs/web_portal/views/site/delete_api_auth.php b/htdocs/web_portal/views/site/delete_api_auth.php
index e7f143f26..cd41913bd 100644
--- a/htdocs/web_portal/views/site/delete_api_auth.php
+++ b/htdocs/web_portal/views/site/delete_api_auth.php
@@ -6,7 +6,7 @@
     <h1 class="Success">Delete API Authentication Credential</h1><br/>
     <p>
     You are about to delete the following API authorisation credential:<br/>
-    Creedential identifier: <b><?php xecho($authEnt->getIdentifier());?><br/></b>
+    Credential identifier: <b><?php xecho($authEnt->getIdentifier());?><br/></b>
     Credential type: <b><?php xecho($authEnt->getType());?><br/></b>
     Site Name: <b><?php xecho($site->getName());?><br/></b>
     </p>
diff --git a/htdocs/web_portal/views/site/edit_api_auth.php b/htdocs/web_portal/views/site/edit_api_auth.php
index f30848efb..9663b898b 100644
--- a/htdocs/web_portal/views/site/edit_api_auth.php
+++ b/htdocs/web_portal/views/site/edit_api_auth.php
@@ -1,19 +1,72 @@
 <div class="rightPageContainer">
-    <h1>Edit API credential for <?php xecho($params['site']->getName());?></h1>
-    <br />
-    <form class="inputForm" method="post" action="index.php?Page_Type=Edit_API_Authentication_Entity&parentid=<?php echo($params['site']->getId())?>&authentityid=<?php echo($params['authEnt']->getId())?>" name="addAPIAuthenticationEntity">
-        <span class="input_name">Identifier (e.g. Certificate DN or OIDC Subject)*</span>
-        <input type="text" value="<?php xecho($params['authEnt']->getIdentifier()) ?>" name="IDENTIFIER" class="input_input_text">
-        <br />
-        <span class="input_name">Credential type*</span>
-        <select name="TYPE" class="input_input_text">
-            <?php foreach($params['authTypes'] as $authType) {?>
-                <option value="<?php xecho($authType) ?>"<?php if ($params['authEnt']->getType() == $authType) {echo " selected=\"selected\"";} ?>>
-                    <?php xecho($authType) ?>
-                </option>
-            <?php } ?>
-        </select>
-        <br />
+    <?php
+
+    $user = $params['user'];
+    $entUser = $params['authEnt']->getUser();
+
+    echo('<h1>Edit API credential for ');
+    xecho($params['site']->getName());
+    echo('</h1>');
+
+    if (!is_null($entUser)) {
+
+        echo('<h4>This credential is linked to GOCDB user ');
+        echo('<a href="');
+        xecho(\GocContextPath::getPath());
+        echo('index.php?Page_Type=User&id=');
+        xecho($entUser->getId());
+        echo('">');
+        xecho($entUser->getFullname());
+        echo('</a></h4>');
+
+        // entities created prior to GOCDB5.8 have a null owning user
+        if ($entUser->getId() != $user->getId()) {
+            echo('<div class="input_warning">');
+            echo("WARNING: editing will change the linked user from '");
+            xecho($entUser->getFullname());
+            echo("' to '");
+            xecho($user->getFullname());
+            echo("'. Click the browser Back button to cancel the edit.</div>");
+            }
+
+        } else {
+            // This clause should be deleted or replaced with exception after all
+            // authentication entities are assigned a user.
+            echo('<div class="input_warning">');
+            echo("WARNING: editing will link user '");
+            xecho($user->getFullname());
+            echo("' to this credential. Click the browser Back button to cancel the edit.</div>");
+    }
+    ?>
+    <form class="inputForm" method="post" action="index.php?Page_Type=Edit_API_Authentication_Entity&parentid=<?php echo($params['site']->getId())?>&authentityid=<?php xecho($params['authEnt']->getId())?>" name="addAPIAuthenticationEntity">
+        <div style="margin-bottom: 0.5em;">
+            <span class="input_name">Identifier (e.g. Certificate DN or OIDC Subject)*</span>
+            <input type="text" value="<?php xecho($params['authEnt']->getIdentifier()) ?>" name="IDENTIFIER" class="input_input_text">
+        </div>
+        <div style="margin-bottom: 0.5em;">
+            <span class="input_name">Credential type*</span>
+            <select name="TYPE" class="input_input_text">
+                <?php foreach($params['authTypes'] as $authType) {?>
+                    <option value="<?php xecho($authType) ?>"<?php if ($params['authEnt']->getType() == $authType) {echo " selected=\"selected\"";} ?>>
+                        <?php xecho($authType) ?>
+                    </option>
+                <?php } ?>
+            </select>
+        </div>
+        <div style="margin-bottom: 1em">
+            <div class="input_warning">
+                WARNING: it is possible to delete information using the write functionality of the API. Leave Allow API write unchecked if
+                you do not need to write data.
+            </div>
+            <div class="input_checkbox">
+                <input type="checkbox" name="ALLOW_WRITE" id="ALLOW_WRITE" value="checked"
+                    <?php
+                        if ($params['authEnt']->getAllowAPIWrite()) { echo('checked="checked"');}
+                    ?>
+                />
+                <label class="input_label" for="ALLOW_WRITE">Allow API write</label>
+            </div>
+        </div>
         <input type="submit" value="Edit credential" class="input_button">
     </form>
 </div>
diff --git a/htdocs/web_portal/views/site/view_site.php b/htdocs/web_portal/views/site/view_site.php
index 538bcd8f3..32ab5f00a 100644
--- a/htdocs/web_portal/views/site/view_site.php
+++ b/htdocs/web_portal/views/site/view_site.php
@@ -1,9 +1,12 @@
 <?php
+require_once __DIR__."/../../controllers/utils.php";
+
 $site = $params['site'];
 $downtimes = $params['Downtimes'];
 $parentNgiName = $site->getNgi()->getName();
 $portalIsReadOnly = $params['portalIsReadOnly'];
 $extensionProperties = $site->getSiteProperties();
+$showPD = $params['authenticated']; // display Personal Data
 ?>
 <div class="rightPageContainer">
     <div style="float: left; text-align: center;">
@@ -54,65 +57,65 @@
         <table style="clear: both; width: 100%; table-layout: fixed;">
         <tr class="site_table_row_1">
             <td class="site_table" style="width: 30%">E-Mail</td><td class="site_table">
-            <?php if ($params['authenticated']) { ?>
+            <?php if ($showPD) { ?>
                 <a href="mailto:<?php xecho($site->getEmail()) ?>">
                 <?php xecho($site->getEmail()) ?>
                 </a>
-            <?php } else echo('PROTECTED - Registration required'); ?>
+            <?php } else echo(getInfoMessage()); ?>
             </td>
         </tr>
         <tr class="site_table_row_2">
             <td class="site_table">Telephone</td><td class="site_table"><?php
-            if ($params['authenticated']) {
+            if ($showPD) {
                 xecho($site->getTelephone());
             } else
-                echo('PROTECTED - Registration required');
+                echo(getInfoMessage());
             ?></td>
         </tr>
         <tr class="site_table_row_1">
             <td class="site_table">Emergency Tel</td><td class="site_table"><?php
-            if ($params['authenticated']) {
+            if ($showPD) {
                 xecho($site->getEmergencyTel());
             } else
-                echo('PROTECTED - Registration required');
+                echo(getInfoMessage());
             ?></td>
         </tr>
         <tr class="site_table_row_2">
             <td class="site_table">CSIRT Tel</td><td class="site_table"><?php
-            if ($params['authenticated']) {
+            if ($showPD) {
                 xecho($site->getCsirtTel());
             } else
-                echo('PROTECTED - Registration required')
+                echo(getInfoMessage())
                 ?></td>
         </tr>
         <tr class="site_table_row_1">
             <td class="site_table">CSIRT E-Mail</td>
             <td class="site_table">
-            <?php if ($params['authenticated']) { ?>
+            <?php if ($showPD) { ?>
                 <a href="mailto:<?php xecho($site->getCsirtEmail()) ?>">
                 <?php xecho($site->getCsirtEmail()) ?>
                 </a>
-            <?php } else echo('PROTECTED - Registration required'); ?>
+            <?php } else echo(getInfoMessage()); ?>
             </td>
         </tr>
         <tr class="site_table_row_2">
             <td class="site_table">Emergency E-Mail</td>
             <td class="site_table">
-            <?php if ($params['authenticated']) { ?>
+            <?php if ($showPD) { ?>
                 <a href="mailto:<?php xecho($site->getEmergencyEmail()) ?>">
                 <?php xecho($site->getEmergencyEmail()) ?>
                 </a>
-            <?php } else echo('PROTECTED - Registration required'); ?>
+            <?php } else echo(getInfoMessage()); ?>
             </td>
         </tr>
         <tr class="site_table_row_1">
             <td class="site_table">Helpdesk E-Mail</td>
             <td class="site_table">
-            <?php if ($params['authenticated']) { ?>
+            <?php if ($showPD) { ?>
                 <a href="mailto:<?php xecho($site->getHelpdeskEmail()); ?>">
                 <?php xecho($site->getHelpdeskEmail()) ?>
                 </a>
-            <?php } else echo('PROTECTED - Registration required'); ?>
+            <?php } else echo(getInfoMessage()); ?>
             </td>
         </tr>
         <tr class="site_table_row_2">
@@ -147,14 +150,14 @@
                 <tr class="site_table_row_1">
                     <td class="site_table">Certification Status</td>
                     <td class="site_table">
-            <?php if ($params['authenticated']) { ?>
+            <?php if ($showPD) { ?>
                 <?php xecho($site->getCertificationStatus()->getName()) ?>
                 &nbsp;
                 <!--  only show this link if we're in read / write mode -->
                 <?php if (!$portalIsReadOnly): ?>
                 <a href="index.php?Page_Type=Edit_Certification_Status&amp;id=<?php echo($site->getId()) ?>">Change</a>
                 <?php endif; ?>
-            <?php } else echo('PROTECTED - Registration required'); ?>
+            <?php } else echo(getInfoMessage()); ?>
                     </td>
                 </tr>
 
@@ -199,21 +202,21 @@
                 <tr class="site_table_row_1">
                     <td class="site_table">Home URL</td>
             <td class="site_table">
-            <?php if ($params['authenticated']) { ?>
+            <?php if ($showPD) { ?>
                 <a href="<?php xecho($site->getHomeUrl()) ?>">
                 <?php xecho($site->getHomeUrl()) ?>
                 </a>
-            <?php } else echo('PROTECTED - Registration required'); ?>
+            <?php } else echo(getInfoMessage()); ?>
             </td>
                 </tr>
                 <tr class="site_table_row_2">
                     <td class="site_table">GIIS URL</td>
                     <td class="site_table">
             <?php
-            if ($params['authenticated']) {
+            if ($showPD) {
                 xecho($site->getGiisUrl());
             } else
-                echo('PROTECTED - Registration required');
+                echo(getInfoMessage());
             ?>
                     </td>
                 </tr>
@@ -221,10 +224,10 @@
                     <td class="site_table">IP Range</td>
                     <td class="site_table">
             <?php
-            if ($params['authenticated']) {
+            if ($showPD) {
                 xecho($site->getIpRange());
             } else
-                echo('PROTECTED - Registration required');
+                echo(getInfoMessage());
             ?>
                     </td>
                 </tr>
@@ -232,10 +235,10 @@
                     <td class="site_table" style="width:20%">IP v6 Range</td>
                     <td class="site_table">
             <?php
-            if ($params['authenticated']) {
+            if ($showPD) {
                 xecho($site->getIpV6Range());
             } else
-                echo('PROTECTED - Registration required');
+                echo(getInfoMessage());
             ?>
                     </td>
                 </tr>
@@ -243,10 +246,10 @@
                     <td class="site_table">Domain</td>
                     <td class="site_table">
                         <?php
-                            if ($params['authenticated']) {
+                            if ($showPD) {
                                 xecho($site->getDomain());
                             } else
-                                echo('PROTECTED - Registration required');
+                                echo(getInfoMessage());
                         ?>
                     </td>
                 </tr>
@@ -261,10 +264,10 @@
                 <tr class="site_table_row_1">
                     <td class="site_table">Country</td><td class="site_table">
             <?php
-            if ($params['authenticated']) {
+            if ($showPD) {
                 xecho($site->getCountry()->getName());
             } else {
-                echo 'PROTECTED';
+                echo getInfoMessage();
             }
             ?>
                     </td>
@@ -272,10 +275,10 @@
                 <tr class="site_table_row_2">
                     <td class="site_table">Latitude</td><td class="site_table">
             <?php
-            if ($params['authenticated']) {
+            if ($showPD) {
                 xecho($site->getLatitude());
             } else {
-                echo 'PROTECTED';
+                echo getInfoMessage();
             }
             ?>
                     </td>
@@ -283,10 +286,10 @@
                 <tr class="site_table_row_1">
                     <td class="site_table">Longitude</td><td class="site_table">
             <?php
-            if ($params['authenticated']) {
+            if ($showPD) {
                 xecho($site->getLongitude());
             } else {
-                echo 'PROTECTED';
+                echo getInfoMessage();
             }
             ?>
                     </td>
@@ -294,10 +297,10 @@
                 <tr class="site_table_row_2">
                     <td class="site_table">Time Zone</td><td class="site_table">
             <?php
-            if ($params['authenticated']) {
+            if ($showPD) {
                 xecho($site->getTimezoneId());
             } else {
-                echo 'PROTECTED';
+                echo getInfoMessage();
             }
             ?>
                     </td>
@@ -305,10 +308,10 @@
                 <tr class="site_table_row_1">
                     <td class="site_table">Location</td><td class="site_table">
             <?php
-            if ($params['authenticated']) {
+            if ($showPD) {
                 xecho($site->getLocation());
             } else {
-                echo 'PROTECTED';
+                echo getInfoMessage();
             }
             ?>
                     </td>
@@ -434,54 +437,53 @@
 
     <!--  Users -->
     <div class="tableContainer" style="width: 99.5%; float: left; margin-top: 3em; margin-right: 10px;">
-        <span class="header" style="vertical-align:middle; float: left; padding-top: 0.9em; padding-left: 1em;">Users (Click on name to manage roles)</span>
-        <img src="<?php echo \GocContextPath::getPath() ?>img/people.png" class="decoration" />
 
-        <table id="siteUsersTable" class="table table-striped table-condensed tablesorter">
-            <thead>
-                <tr>
-                    <th>Name</th>
-                    <th>Role</th>
-                </tr>
-            </thead>
-            <tbody>
-                <?php
-                foreach ($params['roles'] as $role) {
-                ?>
-                    <tr>
-                        <td>
-                            <div style="background-color: inherit;">
-                                <?php if ($params['authenticated']) { ?>
-                                <a style="vertical-align: middle;" href="index.php?Page_Type=User&id=<?php echo($role->getUser()->getId()) ?>">
-                                    <img src="<?php echo \GocContextPath::getPath()?>img/person.png" class="person" />
-                                    <?php xecho($role->getUser()->getFullName()) ?>
-                                </a>
-                                <?php
-                                } else {
-                                echo 'PROTECTED';
-                                }
-                                ?>
-                            </div>
-                        </td>
-                        <td>
-                            <?php
-                            if ($params['authenticated']) {
-                                xecho($role->getRoleType()->getName());
-                            } else {
-                                echo 'PROTECTED';
-                            }
-                            ?>
-                        </td>
-                    </tr>
-                <?php
-                }
-                ?>
-            </tbody>
-        </table>
+        <?php
+            if ($showPD) { ?>
+                <span class="header" style="vertical-align:middle; float: left; padding-top: 0.9em; padding-left: 1em;">Users (Click on name to manage roles)</span>
+                <img src="<?php echo \GocContextPath::getPath() ?>img/people.png" class="decoration" />
+                <table id="siteUsersTable" class="table table-striped table-condensed tablesorter">
+                    <thead>
+                        <tr>
+                            <th>Name</th>
+                            <th>Role</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        <?php
+                        foreach ($params['roles'] as $role) {
+                        ?>
+                            <tr>
+                                <td>
+                                    <div style="background-color: inherit;">
+                                        <a style="vertical-align: middle;" href="index.php?Page_Type=User&id=<?php echo($role->getUser()->getId()) ?>">
+                                            <img src="<?php echo \GocContextPath::getPath()?>img/person.png" class="person" />
+                                            <?php xecho($role->getUser()->getFullName()) ?>
+                                        </a>
+                                    </div>
+                                </td>
+                                <td>
+                                    <?php
+                                        xecho($role->getRoleType()->getName());
+                                    ?>
+                                </td>
+                            </tr>
+                        <?php
+                        }
+                        ?>
+                    </tbody>
+                </table>
+        <?php
+        } else {
+            echo '<span class="header" style="vertical-align:middle; float: left; padding-top: 0.9em; padding-left: 1em;">';
+            echo 'User personal data is hidden (' . getInfoMessage() . ') </span>';
+            echo '<img src="' . \GocContextPath::getPath() . 'img/people.png" class="decoration" />';
+        }
+        ?>
 
     <!-- Request Role Link -->
     <!--  only show this link if we're in read / write mode -->
-    <?php if (!$portalIsReadOnly && $params['authenticated']): ?>
+    <?php if (!$portalIsReadOnly && $showPD): ?>
         <div style="padding: 1em; padding-left: 1.4em; overflow: hidden;">
             <a href="index.php?Page_Type=Request_Role&amp;id=<?php echo($site->getId()); ?>">
             <img src="<?php echo \GocContextPath::getPath() ?>img/add.png" height="50px" style="float: left; padding-top: 0.9em; padding-left: 1.2em; padding-bottom: 0.9em;"/>
@@ -553,40 +555,77 @@
     <?php if($params['ShowEdit']):?>
         <div class="tableContainer" style="width: 99.5%; float: left; margin-top: 3em; margin-right: 10px;">
             <span class="header" style="vertical-align:middle; float: left; padding-top: 0.9em; padding-left: 1em;">
-                Credentials authorised to use the GOCDB write API (Only shown if you have the relevant permissions)
+                Credentials authorised to use the GOCDB read and write APIs (Only shown if you have the relevant permissions)
             </span>
+            <img src="<?php echo \GocContextPath::getPath() ?>img/key.png" class="decoration" />
             <table id="AuthenticatedEntities" class="table table-striped table-condensed tablesorter">
                 <thead>
                     <tr>
                         <th>Type</th>
                         <th>Identifier</th>
-                        <th>Edit</th>
-                        <th>Delete</th>
+                        <th>User</th>
+                        <th style="text-align:center">API Write</th>
+                        <th style="text-align:center">Edit</th>
+                        <th style="text-align:center">Delete</th>
                     </tr>
                 </thead>
                 <tbody>
                     <?php
-                    foreach ($params['APIAuthenticationEntities'] as $authEnt) {
+                    /** @var \APIAuthentication $APIAuthEnt */
+                    foreach ($params['APIAuthEnts'] as $APIAuthEnt) {
+                        // Finer grain control of edit or delete could be put here
+                        // Currently work around pre-5.8 credentials having no owning user.
+                        $disableEdit = true;
+                        $disableDelete = true;
+                        if ($APIAuthEnt->getIdentifier() == Get_User_Principle()) {
+                            // If the owning user is making the request, we always allow them to
+                            // delete the credential
+                            $disableDelete = false;
+                        }
                     ?>
                     <tr>
                         <td>
-                            <?php xecho($authEnt->getType())?>
+                            <?php xecho($APIAuthEnt->getType())?>
                         </td>
                         <td>
-                            <?php xecho($authEnt->getIdentifier())?>
+                            <?php xecho($APIAuthEnt->getIdentifier())?>
                         </td>
-                        <td style="width: 10%;"align = "center">
+                        <td>
+                            <?php
+                            $disableEdit = false;
+                            $disableDelete = false;
+                            if ($APIAuthEnt->getUser() != null) {
+                                // Credentials added prior to 5.8 have no owning user
+                                echo "<a href=\"index.php?Page_Type=User&amp;id=", $APIAuthEnt->getUser()->getId(), "\" ";
+                                echo "title=\"", $APIAuthEnt->getUser()->getFullname(), "\">";
+                                echo substr($APIAuthEnt->getUser()->getSurname(),0,10);
+                                echo "</a>";
+                            }
+                            ?>
+                        </td>
+                        <td style="width: 8%; text-align:center">
+                            <img height="22px" src=
+                                <?php if (($APIAuthEnt->getAllowAPIWrite())) {
+                                    echo '"'.\GocContextPath::getPath().'img/tick.png"';
+                                } else {
+                                    echo '"'.\GocContextPath::getPath().'img/cross.png"';
+                                } ?>
+                            />
+                        </td>
+                        <td style="width: 8%;"align = "center">
                             <?php if(!$portalIsReadOnly):?>
-                                <a href="index.php?Page_Type=Edit_API_Authentication_Entity&amp;authentityid=<?php echo $authEnt->getId();?>">
-                                    <img height="25px" src="<?php echo \GocContextPath::getPath()?>img/pencil.png"/>
-                                </a>
-                            <?php endif;?>
+                                <form action="index.php?Page_Type=Edit_API_Authentication_Entity&amp;authentityid=<?php echo $APIAuthEnt->getId();?>" method="post">
+                                    <button type="submit" <?php if ($disableEdit) echo "disabled"; ?>
+                                        >Edit</button>
+                                </form>
+                             <?php endif;?>
                         </td>
-                        <td style="width: 10%;"align = "center">
+                        <td style="width: 8%;"align = "center">
                             <?php if(!$portalIsReadOnly):?>
-                                <a href="index.php?Page_Type=Delete_API_Authentication_Entity&amp;authentityid=<?php echo $authEnt->getId();?>">
-                                    <img height="25px" src="<?php echo \GocContextPath::getPath()?>img/cross.png"/>
-                                </a>
+                                <form action="index.php?Page_Type=Delete_API_Authentication_Entity&amp;authentityid=<?php echo $APIAuthEnt->getId();?>" method="post">
+                                    <button type="submit" <?php if ($disableDelete) echo "disabled"; ?>
+                                        >Delete</button>
+                                </form>
                             <?php endif;?>
                         </td>
                     </tr>
@@ -595,11 +634,11 @@
             </table>
 
             <?php if (!$portalIsReadOnly): ?>
-                <!-- Add new Downtime Link -->
+                <!-- Add new API credential -->
                 <a href="index.php?Page_Type=Add_API_Authentication_Entity&amp;parentid=<?php echo $site->getId()?>">
                     <img src="<?php echo \GocContextPath::getPath() ?>img/add.png" height="50px" style="float: left; padding-top: 0.9em; padding-left: 1.2em; padding-bottom: 0.9em;"/>
                     <span class="header" style="vertical-align:middle; float: left; padding-top: 1.1em; padding-left: 1em; padding-bottom: 0.9em;">
-                        Add new API credential
+                        Add API credential
                     </span>
                 </a>
             <?php endif; ?>
diff --git a/htdocs/web_portal/views/user/view_user.php b/htdocs/web_portal/views/user/view_user.php
index e94b4f58c..7f9605212 100644
--- a/htdocs/web_portal/views/user/view_user.php
+++ b/htdocs/web_portal/views/user/view_user.php
@@ -27,13 +27,27 @@
             </div>
             <div style="float: right;">
                 <script type="text/javascript" src="<?php echo \GocContextPath::getPath()?>javascript/confirm.js"></script>
-                <a onclick="return confirmSubmit()"
-                    href="index.php?Page_Type=Delete_User&id=<?php echo $params['user']->getId() ?>">
-                    <img src="<?php echo \GocContextPath::getPath()?>img/trash.png" height="25px" style="float: right; margin-right: 0.4em;" />
-                    <br />
-                    <br />
-                    <span>Delete</span>
-                </a>
+                <?php
+                    # If the user owns any API Credentials we grey and disable the delete-user icon
+                    $opacity = "1.0";
+                    if (!$params['APIAuthEnts']->isEmpty()) {
+                        $opacity = "0.5";
+                    }
+                    echo '<div style="opacity: '. $opacity . '" >';
+                        echo '<a ';
+                            if ($params['APIAuthEnts']->isEmpty()) {
+                                echo ' onclick="return confirmSubmit()"';
+                                echo ' href="index.php?Page_Type=Delete_User&id='. $params['user']->getId() . '"';
+                            } else {
+                                echo ' title="Delete disabled: Remove API credentials before deleting this user."';
+                            }
+                        echo ' >'; # <a ...
+                            echo '<img src="' . \GocContextPath::getPath() .'img/trash.png" height="25px" style="float: right; margin-right: 0.4em;" />';
+                            echo '<br /><br /><span>Delete</span>';
+                        echo '</a>';
+                    echo '</div>';
+
+                ?>
             </div>
         <?php endif; ?>
     </div>
@@ -181,7 +195,8 @@
                 <th class="site_table">Role Type <!--[roleId] --></th>
                 <th class="site_table">Held Over</th>
                 <?php if(!$params['portalIsReadOnly']):?>
-                    <th class="site_table">Revoke Role</th>
+                    <th class="site_table" style="width: 8em; text-align:center">Revoke Role</th>
+                    <th><!--Disabled revoke button message--></th>
                 <?php endif; ?>
             </tr>
             <?php
@@ -228,16 +243,27 @@
                        </a>
                     <?php } ?>
                 </td>
-                <td class="site_table">
-                    <?php if(!$params['portalIsReadOnly'] && $role->getDecoratorObject() != null):?>
-                        <form action="index.php?Page_Type=Revoke_Role" method="post">
-                            <input type="hidden" name="id" value="<?php echo $role->getId()?>" />
-                            <input id="revokeButton" type="submit" value="Revoke" class="btn btn-sm btn-danger" onclick="return confirmSubmit()"
-                                   title="Your roles allowing revoke: <?php xecho($role->getDecoratorObject()); ?>" >
-                        </form>
-                    <?php endif;?>
+                <td class="site_table" style="text-align:center">
+                    <?php
+                        $decorator = $role->getDecoratorObject();
+                        if(!$params['portalIsReadOnly'] && $decorator != null) {
+                            echo '<form action="index.php?Page_Type=Revoke_Role" method="post">';
+                                echo "<input type='hidden' name='id' value='{$role->getId()}'/>";
+                                echo "<input id='revokeButton' type='submit' {$decorator["revokeButton"]} " .
+                                        "value='Revoke' class='btn btn-sm btn-danger' onclick='return confirmSubmit()' " .
+                                        "title='Your roles allowing revoke: {$decorator['revokeMessage']}'/>";
+                            echo '</form>';
+                        };
+                    ?>
+                </td>
+                <td class="site_table" style="width: 26%; padding-left:0em">
+                    <?php
+                        if(!$params['portalIsReadOnly'] &&
+                            is_array($decorator) && $decorator["revokeButton"] == 'disabled') {
+                                echo 'Remove or reassign API credentials from site before revoking this role.';
+                        }
+                    ?>
                 </td>
-
             </tr>
             <?php
               if($num == 1) { $num = 2; } else { $num = 1; }
@@ -316,7 +342,7 @@
                         <form action="index.php?Page_Type=Revoke_Role" method="post">
                             <input type="hidden" name="id" value="<?php echo $role->getId()?>" />
                             <input id="revokeButton" type="submit" value="Revoke" class="btn btn-sm btn-danger" onclick="return confirmSubmit()"
-                                   title="Your roles allowing revoke: <?php xecho($role->getDecoratorObject()); ?>" >
+                                   title="Your roles allowing revoke: <?php xecho($decorator); ?>" >
                         </form>
                     <?php endif;?>
                 </td>
@@ -330,7 +356,46 @@
             ?>
         </table>
     </div>
-
+    <?php if (!$params['APIAuthEnts']->isEmpty()) { ?>
+        <!-- API credentials -->
+        <div class="listContainer" style="width: 99.5%; float: left; margin-top: 3em; margin-right: 10px;">
+            <span class="header" style="vertical-align:middle; float: left; padding-top: 0.9em; padding-left: 1em;">
+                Owned API Credentials (Add and remove credentials by clicking the relevant Site.)
+            </span>
+            <img src="<?php echo \GocContextPath::getPath()?>img/key.png" class="decoration" />
+            <table style="clear: both; width: 100%;">
+                <tr class="site_table_row_1">
+                    <th class="site_table">Type</th>
+                    <th class="site_table">Identifier</th>
+                    <th class="site_table">Site</th>
+                    <th class="site_table" style="width:10%">API Write</th>
+                </tr>
+                <?php
+                    foreach ($params['APIAuthEnts'] as $APIAuthEnt) { ?>
+                        <tr>
+                            <td class="site_table"><?php xecho($APIAuthEnt->getType());?></td>
+                            <td class="site_table"><?php xecho($APIAuthEnt->getIdentifier());?></td>
+                            <td class="site_table">
+                                <a href="index.php?Page_Type=Site&amp;id=<?php xecho($APIAuthEnt->getParentSite()->getId())?>"
+                                    title="<?php xecho($APIAuthEnt->getParentSite()->getShortName())?>">
+                                    <?php xecho(substr($APIAuthEnt->getParentSite()->getShortName(),0,16));?>
+                                </a>
+                            </td>
+                            <td class="site_table" style="width: 8%; text-align:center">
+                                <img height="22px" src=
+                                    <?php if (($APIAuthEnt->getAllowAPIWrite())) {
+                                        echo '"'.\GocContextPath::getPath().'img/tick.png"';
+                                    } else {
+                                        echo '"'.\GocContextPath::getPath().'img/cross.png"';
+                                    } ?>
+                                />
+                            </td>
+                        </tr>
+                <?php
+                    } ?>
+            </table>
+        </div>
+    <?php } ?>
 </div>
 
  <script type="text/javascript">
diff --git a/lib/Doctrine/deploy/AddGroupRoles.php b/lib/Doctrine/deploy/AddGroupRoles.php
index ab4f7a5d1..23228a918 100644
--- a/lib/Doctrine/deploy/AddGroupRoles.php
+++ b/lib/Doctrine/deploy/AddGroupRoles.php
@@ -3,38 +3,6 @@
 require_once __DIR__."/../bootstrap.php";
 require_once __DIR__."/AddUtils.php";
 
-/**
- * AddNGIs.php: Loads a list of NGIs from an XML file and inserts them into
- * the doctrine prototype.
- * XML format is the output from get_roc_list PI query, e.g:
-
-
- <EGEE_USER USER_ID=" " PRIMARY_KEY="63777G0">
-        <FORENAME>Patricia</FORENAME>
-        <SURNAME>Gomes</SURNAME>
-        <TITLE>Miss</TITLE>
-        <DESCRIPTION></DESCRIPTION>
-        <GOCDB_PORTAL_URL>https://testing.host.com/portal/index.php?Page_Type=View_Object&amp;object_id=113158&amp;grid_id=0</GOCDB_PORTAL_URL>
-        <EMAIL>pgomes@cbpf.br</EMAIL>
-        <TEL>+55(21)21417419</TEL>
-        <WORKING_HOURS_START></WORKING_HOURS_START>
-        <WORKING_HOURS_END></WORKING_HOURS_END>
-        <CERTDN>/C=BR/O=ICPEDU/O=UFF BrGrid CA/O=CBPF/OU=LAFEX/CN=Patricia Gomes</CERTDN>
-        <APPROVED></APPROVED>
-        <ACTIVE></ACTIVE>
-        <HOMESITE></HOMESITE>
-        <USER_ROLE>
-            <USER_ROLE>Regional First Line Support</USER_ROLE>
-            <ON_ENTITY>ROC_LA</ON_ENTITY>
-            <ENTITY_TYPE>group</ENTITY_TYPE>
-        </USER_ROLE>
-        <USER_ROLE>
-            <USER_ROLE>Site Operations Deputy Manager</USER_ROLE>
-            <ON_ENTITY>CBPF</ON_ENTITY>
-            <ENTITY_TYPE>site</ENTITY_TYPE>
-        </USER_ROLE>
-    </EGEE_USER>
- */
 $usersRolesFileName = __DIR__ . "/" . $GLOBALS['dataDir'] . "/UsersAndRoles.xml";
 $usersRoles = simplexml_load_file($usersRolesFileName);
 
@@ -125,4 +93,4 @@
     }
 }
 
-$entityManager->flush();
\ No newline at end of file
+$entityManager->flush();
diff --git a/lib/Doctrine/deploy/AddServiceGroups.php b/lib/Doctrine/deploy/AddServiceGroups.php
new file mode 100644
index 000000000..c4e7ba75a
--- /dev/null
+++ b/lib/Doctrine/deploy/AddServiceGroups.php
@@ -0,0 +1,51 @@
+<?php
+
+require_once __DIR__."/../bootstrap.php";
+require_once __DIR__."/AddUtils.php";
+
+/* Loads a list of service types from an XML file and inserts them into
+ * the doctrine prototype.
+ * XML format is the PROM GOCDB PI output for get_service_type
+ */
+$stFileName = __DIR__ . "/" . $GLOBALS['dataDir'] . "/ServiceGroups.xml";
+$sts = simplexml_load_file($stFileName);
+
+foreach($sts as $st) {
+    $instance = new ServiceGroup();
+    $name = "";
+    $desc = "";
+    $monitored = false;
+    $email = "default@an_email.net";
+    $scope = "Local";
+
+    foreach ($st as $key => $value) {
+        switch ($key) {
+            case "NAME":
+                $name = (string) $value;
+                break;
+            case "DESCRIPTION":
+                $desc = (string) $value;
+                break;
+            case "MONITORED":
+                if ( (string) $value == "Y") {$monitored = true;}
+                break;
+            case "CONTACT_EMAIL":
+                $email = (string) $value;
+                break;
+            case "SCOPE":
+                $scope = (string) $value;
+                break;
+            default:
+                throw new LogicException("Unknown ServiceGroup key in input XML: ". $key);
+        }
+    }
+    $instance->setName($name);
+    $instance->setDescription($desc);
+    $instance->setMonitored($monitored);
+    $instance->setEmail($email);
+    $instance->addScope(getScope($entityManager, $scope));
+
+    $entityManager->persist($instance);
+}
+
+$entityManager->flush();
diff --git a/lib/Doctrine/deploy/AddSiteRoles.php b/lib/Doctrine/deploy/AddSiteRoles.php
index 9aef8b5cf..b8fc466b0 100644
--- a/lib/Doctrine/deploy/AddSiteRoles.php
+++ b/lib/Doctrine/deploy/AddSiteRoles.php
@@ -102,4 +102,4 @@
         }
     }
 }
-$entityManager->flush();
\ No newline at end of file
+$entityManager->flush();
diff --git a/lib/Doctrine/deploy/AddSites.php b/lib/Doctrine/deploy/AddSites.php
index 699b2297a..bb2210ad8 100644
--- a/lib/Doctrine/deploy/AddSites.php
+++ b/lib/Doctrine/deploy/AddSites.php
@@ -98,21 +98,7 @@
     }
     $doctrineSite->setCertificationStatus($certStatus);
 
-    // get the scope
-    $dql = "SELECT s FROM Scope s WHERE s.name = ?1";
-    $scopes = $entityManager->createQuery($dql)
-                                 ->setParameter(1, (string) $xmlSite->SCOPE)
-                                 ->getResult();
-    /* Error checking: ensure each Site's "SCOPE" refers to exactly
-     * one SCOPE */
-    if(count($scopes) !== 1) {
-        throw new Exception(count($scopes) . " SCOPEs found with name: " .
-            $xmlSite->SCOPE);
-    }
-    foreach($scopes as $scope) {
-        $scope = $scope;
-    }
-    $doctrineSite->addScope($scope);
+    $doctrineSite->addScope(getScope($entityManager, (string) $xmlSite->SCOPE));
 
     // get / set the country
     $dql = "SELECT c FROM Country c WHERE c.name = ?1";
@@ -241,4 +227,4 @@
     $entityManager->flush();
 } catch (Exception $e) {
     echo $e->getMessage();
-}
\ No newline at end of file
+}
diff --git a/lib/Doctrine/deploy/AddTiers.php b/lib/Doctrine/deploy/AddTiers.php
deleted file mode 100644
index c30485c4a..000000000
--- a/lib/Doctrine/deploy/AddTiers.php
+++ /dev/null
@@ -1,15 +0,0 @@
-<?php
-require_once __DIR__."/../bootstrap.php";
-require_once __DIR__."/AddUtils.php";
-/* AddTiers.php: Manually inserts a list of tiers into
- * the doctrine prototype.
- */
-$tierArray = array ("0", "1", "2");
-
-foreach($tierArray as $tierName) {
-    $tier = new Tier();
-    $tier->setName($tierName);
-    $entityManager->persist($tier);
-}
-
-$entityManager->flush();
\ No newline at end of file
diff --git a/lib/Doctrine/deploy/AddTimezones.php b/lib/Doctrine/deploy/AddTimezones.php
deleted file mode 100644
index 3e86a5d33..000000000
--- a/lib/Doctrine/deploy/AddTimezones.php
+++ /dev/null
@@ -1,22 +0,0 @@
-<?php
-/**
- * @deprecated since version v5.4
- */
-require_once __DIR__."/../bootstrap.php";
-require_once __DIR__."/AddUtils.php";
-
-/* AddNGIs.php: Loads a list of timezones from an XML file and inserts them into
- * the doctrine prototype.
- * XML format is the PROM GOCDB PI get_timezones_doctrine query.
- */
-$timezonesFileName = __DIR__ . "/" . $GLOBALS['dataDir'] . "/Timezones.xml";
-$timezones = simplexml_load_file($timezonesFileName);
-
-foreach($timezones as $timezone) {
-    $doctrineTimezone = new Timezone();
-    $name = (string) $timezone;
-    $doctrineTimezone->setName($name);
-    $entityManager->persist($doctrineTimezone);
-}
-
-$entityManager->flush();
\ No newline at end of file
diff --git a/lib/Doctrine/deploy/AddUtils.php b/lib/Doctrine/deploy/AddUtils.php
index 20904d298..a029702f6 100644
--- a/lib/Doctrine/deploy/AddUtils.php
+++ b/lib/Doctrine/deploy/AddUtils.php
@@ -46,4 +46,24 @@ function isBad($site) {
     } else {
         return true;
     }
-}
\ No newline at end of file
+}
+/**
+ * Return a scope object given a scope name
+ * @param EntityManager $entityManager
+ * @param string $scope
+ * @return \Scope
+ */
+function getScope($entityManager, $scope) {
+    // get the scope
+    $dql = "SELECT s FROM Scope s WHERE s.name = ?1";
+    $scopes = $entityManager->createQuery($dql)
+                                ->setParameter(1, $scope)
+                                ->getResult();
+    /* Error checking: ensure each Site's "SCOPE" refers to exactly
+    * one SCOPE */
+    if(count($scopes) !== 1) {
+        throw new Exception(count($scopes) . " SCOPEs found with name: " . $scope);
+    }
+
+    return $scopes[0];
+}
diff --git a/lib/Doctrine/deploy/DeployRequiredDataRunner.php b/lib/Doctrine/deploy/DeployRequiredDataRunner.php
index 486968d42..5b030a921 100644
--- a/lib/Doctrine/deploy/DeployRequiredDataRunner.php
+++ b/lib/Doctrine/deploy/DeployRequiredDataRunner.php
@@ -29,12 +29,6 @@
 require __DIR__."/AddCountries.php";
 echo "Added Countries OK\n";
 
-//require __DIR__."/AddTimezones.php";
-//echo "Added Timezones OK\n";
-
-require __DIR__."/AddTiers.php";
-echo "Added Tiers OK\n";
-
 require __DIR__."/AddRoleTypes.php";
 echo "Added Roles OK\n";
 
@@ -42,4 +36,4 @@
 echo "Added Certification Statuses OK\n";
 
 require __DIR__."/AddServiceTypes.php";
-echo "Added Service Types OK\n";
\ No newline at end of file
+echo "Added Service Types OK\n";
diff --git a/lib/Doctrine/deploy/DeploySampleDataRunner.php b/lib/Doctrine/deploy/DeploySampleDataRunner.php
index 06b11c851..1d0985283 100644
--- a/lib/Doctrine/deploy/DeploySampleDataRunner.php
+++ b/lib/Doctrine/deploy/DeploySampleDataRunner.php
@@ -22,7 +22,7 @@
     die("Please specify your data directory (sampleData) \n");
 }
 
-print_r("Deploying Sample Data\n");
+print_r("Deploying Sample Data from ".$GLOBALS['dataDir']."\n");
 
 require __DIR__."/AddProjects.php";
 echo "Added Projects OK\n";
@@ -49,4 +49,7 @@
 echo "Added NGI level Roles OK\n";
 
 require __DIR__."/AddEgiRoles.php";
-echo "Added EGI level Roles OK\n";
\ No newline at end of file
+echo "Added EGI level Roles OK\n";
+
+require __DIR__."/AddServiceGroups.php";
+echo "Added Service Groups OK\n";
diff --git a/lib/Doctrine/deploy/simpleSampleData/CertStatusChanges.xml b/lib/Doctrine/deploy/simpleSampleData/CertStatusChanges.xml
new file mode 100644
index 000000000..5be1583ba
--- /dev/null
+++ b/lib/Doctrine/deploy/simpleSampleData/CertStatusChanges.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<results>
+    <result>
+        <UNIX_TIME>1262304001</UNIX_TIME>
+        <SITE>SITE_1</SITE>
+        <OLD_STATUS>Uncertified</OLD_STATUS>
+        <NEW_STATUS>Certified</NEW_STATUS>
+        <CHANGED_BY>/CN=SOME CN</CHANGED_BY>
+        <COMMENT>Record of a change of status</COMMENT>
+    </result>
+</results>
diff --git a/lib/Doctrine/deploy/simpleSampleData/CertStatusDate.xml b/lib/Doctrine/deploy/simpleSampleData/CertStatusDate.xml
new file mode 100644
index 000000000..cd427ac2a
--- /dev/null
+++ b/lib/Doctrine/deploy/simpleSampleData/CertStatusDate.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<results>
+    <site>
+        <name>SITE_1</name>
+        <cert_status>Certified</cert_status>
+        <cert_date>01-JAN-10 00.00.01 AM</cert_date>
+    </site>
+</results>
diff --git a/lib/Doctrine/deploy/simpleSampleData/NGIs.xml b/lib/Doctrine/deploy/simpleSampleData/NGIs.xml
new file mode 100644
index 000000000..f29e8f9a7
--- /dev/null
+++ b/lib/Doctrine/deploy/simpleSampleData/NGIs.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<results>
+  <NGI>
+    <NAME>NGI-1</NAME>
+    <DESCRIPTION>A sample NGI</DESCRIPTION>
+    <EMAIL>ngi-contact@ngi-1.org</EMAIL>
+    <SECURITY_EMAIL>ngi-1-security@ngi-1.org</SECURITY_EMAIL>
+  </NGI>
+</results>
diff --git a/lib/Doctrine/deploy/simpleSampleData/Scopes.xml b/lib/Doctrine/deploy/simpleSampleData/Scopes.xml
new file mode 100644
index 000000000..80b16439f
--- /dev/null
+++ b/lib/Doctrine/deploy/simpleSampleData/Scopes.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Required tag seed data for scoping Sites and SEs -->
+<results>
+    <tag grid_id="0">
+        <name key="primary">Local</name>
+    </tag>
+    <tag grid_id="0">
+        <name key="primary">EGI</name>
+    </tag>
+</results>
diff --git a/lib/Doctrine/deploy/simpleSampleData/ServiceEndpoints.xml b/lib/Doctrine/deploy/simpleSampleData/ServiceEndpoints.xml
new file mode 100644
index 000000000..d1fb8f9d5
--- /dev/null
+++ b/lib/Doctrine/deploy/simpleSampleData/ServiceEndpoints.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<results>
+    <SERVICE_ENDPOINT PRIMARY_KEY="44657G0">
+        <SITENAME>SITE-1</SITENAME>
+        <HOSTNAME>service-1.site-1.org</HOSTNAME>
+        <SERVICE_TYPE>CE</SERVICE_TYPE>
+        <IN_PRODUCTION>Y</IN_PRODUCTION>
+        <NODE_MONITORED>Y</NODE_MONITORED>
+        <SCOPE>Local</SCOPE>
+        <HOSTDN>/DC=org/DC=site-1/CN=service-1.site-1.org</HOSTDN>
+        <HOST_IP>127.0.0.01</HOST_IP>
+        <HOST_OS>SL5</HOST_OS>
+        <HOST_ARCH>64 bit</HOST_ARCH>
+        <DESCRIPTION>A service on Site 1</DESCRIPTION>
+
+        <URL></URL>
+        <!--
+        <PRIMARY_KEY>44657G0</PRIMARY_KEY>
+        <GOCDB_PORTAL_URL>https://testing.host.com/portal/index.php?Page_Type=View_Object&amp;object_id=26149&amp;grid_id=0</GOCDB_PORTAL_URL>
+        <BETA>N</BETA>
+        <CORE></CORE>
+        <COUNTRY_NAME>Switzerland</COUNTRY_NAME>
+        <COUNTRY_CODE>CH</COUNTRY_CODE>
+        <ROC_NAME>NGI_CH</ROC_NAME> -->
+    </SERVICE_ENDPOINT>
+</results>
diff --git a/lib/Doctrine/deploy/simpleSampleData/ServiceGroups.xml b/lib/Doctrine/deploy/simpleSampleData/ServiceGroups.xml
new file mode 100644
index 000000000..22d04513e
--- /dev/null
+++ b/lib/Doctrine/deploy/simpleSampleData/ServiceGroups.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<results>
+  <SERVICE_GROUP>
+    <NAME>Group1_Services</NAME>
+    <DESCRIPTION>A test service group</DESCRIPTION>
+    <MONITORED>Y</MONITORED>
+    <CONTACT_EMAIL>contact@site-1.org</CONTACT_EMAIL>
+    <SCOPE>Local</SCOPE>
+    <!--
+      <SERVICE_ENDPOINT>
+      <HOSTNAME>service-1.site-1.org</HOSTNAME>
+      <SERVICE_TYPE>CE</SERVICE_TYPE>
+      <HOST_IP>127.0.0.01</HOST_IP>
+      <IN_PRODUCTION>Y</IN_PRODUCTION>
+      <NODE_MONITORED>Y</NODE_MONITORED>
+    </SERVICE_ENDPOINT>
+    -->
+  </SERVICE_GROUP>
+</results>
diff --git a/lib/Doctrine/deploy/simpleSampleData/Sites.xml b/lib/Doctrine/deploy/simpleSampleData/Sites.xml
new file mode 100644
index 000000000..e99e04048
--- /dev/null
+++ b/lib/Doctrine/deploy/simpleSampleData/Sites.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<results>
+  <SITE>
+    <PRIMARY_KEY>SITE-PK-1</PRIMARY_KEY>
+    <SHORT_NAME>SITE-1</SHORT_NAME>
+    <OFFICIAL_NAME>SITE NUMBER 1</OFFICIAL_NAME>
+    <SITE_DESCRIPTION>Test site description for Site 1.</SITE_DESCRIPTION>
+    <HOME_URL>http://www.site-1.org/</HOME_URL>
+    <CONTACT_EMAIL>contact@site-1.org</CONTACT_EMAIL>
+    <CSIRT_EMAIL>csirt@site-1.org</CSIRT_EMAIL>
+    <CONTACT_TEL>+12 34 5678 01</CONTACT_TEL>
+    <COUNTRY_CODE>DK</COUNTRY_CODE>
+    <COUNTRY>Denmark</COUNTRY>
+    <ROC>NGI-1</ROC>
+    <PRODUCTION_INFRASTRUCTURE>Test</PRODUCTION_INFRASTRUCTURE>
+    <CERTIFICATION_STATUS>Certified</CERTIFICATION_STATUS>
+    <TIMEZONE>Europe/Zurich</TIMEZONE>
+    <IP_RANGE>127.0.0.1/127.0.0.99</IP_RANGE>
+    <CSIRTTEL>+12 34 5678 02</CSIRTTEL>
+    <EMERGENCYTEL>+12 34 5678 03</EMERGENCYTEL>
+    <SCOPE>EGI</SCOPE>
+    <DOMAIN>
+      <DOMAIN_NAME>site-1.org</DOMAIN_NAME>
+    </DOMAIN>
+    <LONGITUDE>-06.47</LONGITUDE>
+    <LATITUDE>62.00</LATITUDE>
+  </SITE>
+</results>
diff --git a/lib/Doctrine/deploy/simpleSampleData/UsersAndRoles.xml b/lib/Doctrine/deploy/simpleSampleData/UsersAndRoles.xml
new file mode 100644
index 000000000..b1ed7d386
--- /dev/null
+++ b/lib/Doctrine/deploy/simpleSampleData/UsersAndRoles.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<results>
+    <EGEE_USER>
+        <FORENAME>Alpha</FORENAME>
+        <SURNAME>Beta</SURNAME>
+        <TITLE></TITLE>
+        <EMAIL>alpha.beta@beta.com</EMAIL>
+        <TEL>+01 2345 67 0000</TEL>
+        <WORKING_HOURS_START></WORKING_HOURS_START>
+        <WORKING_HOURS_END></WORKING_HOURS_END>
+        <CERTDN>/CN=Alpha Beta</CERTDN>
+        <APPROVED></APPROVED>
+        <ACTIVE></ACTIVE>
+        <HOMESITE>SITE-1</HOMESITE>
+        <USER_ROLE>
+            <USER_ROLE>Site Administrator</USER_ROLE>
+            <ON_ENTITY>SITE-1</ON_ENTITY>
+            <ENTITY_TYPE>site</ENTITY_TYPE>
+        </USER_ROLE>
+        <USER_ROLE>
+            <USER_ROLE>Regional Staff (ROD)</USER_ROLE>
+            <ON_ENTITY>NGI-1</ON_ENTITY>
+            <ENTITY_TYPE>group</ENTITY_TYPE>
+        </USER_ROLE>
+        <USER_ROLE>
+            <USER_ROLE>COD Staff</USER_ROLE>
+            <ON_ENTITY>EGI</ON_ENTITY>
+            <ENTITY_TYPE>group</ENTITY_TYPE>
+        </USER_ROLE>
+    </EGEE_USER>
+</results>
diff --git a/lib/Doctrine/entities/APIAuthentication.php b/lib/Doctrine/entities/APIAuthentication.php
index 7c704d38e..548ac15bf 100644
--- a/lib/Doctrine/entities/APIAuthentication.php
+++ b/lib/Doctrine/entities/APIAuthentication.php
@@ -12,7 +12,7 @@
  * limitations under the License.
  */
 
- /**
+/**
   * The APIAuthenticationEntity defines a credential that can be used to makce
   * changes throught he API for a specific {@see Site}. Each site can have
   * 0-many APIAuthentication entities associated with it. Each entity has an ID,
@@ -45,6 +45,42 @@ class APIAuthentication
     * @Column(type="string", nullable=false) */
     protected $identifier = null;
 
+    /**
+     * The registered User that added this APIAuthentication entity
+     * One user may have zero or more APIAuthentication entities.
+     * If edited or renewed, this will be the user that did this.
+     *
+     * @ManyToOne(targetEntity="User", inversedBy="APIAuthenticationEntities")
+     * @JoinColumn(name="user_id", referencedColumnName="id", onDelete="CASCADE")
+     */
+    protected $user = null;
+
+     /**
+      * For new instances this is the time of creation. Existing entities
+      * pre-GOCDB5.8 do not have this field and are initialised with the
+      * time the schema is updated.
+      * @Column(type="datetime", nullable=false, options={"default" : "CURRENT_TIMESTAMP"})
+      */
+    protected $lastRenewTime = null;
+
+    /**
+     * When this APIAuthentication entity was most recently used.
+     * @Column(type="datetime", nullable=true)
+     */
+    protected $lastUseTime = null;
+
+    /**
+     * Existing entities pre-GOCDB5.8 do not have this field and are assumed
+     * to be write-enabled. New entities are assumed write-DISabled so the
+     * constructor behaviour differs from the Doctrine annotation.
+     * @Column(type="boolean", nullable=false, options={"default" : true})
+     */
+    protected $allowAPIWrite = false;
+
+    /**  */
+    public function __construct() {
+        $this->setLastRenewTime();
+    }
     /**
      * Get PK of Authentication entity
      * @return int
@@ -77,6 +113,34 @@ public function getIdentifier() {
         return $this->identifier;
     }
 
+    /**
+     * @return \User
+     */
+    public function getUser() {
+        return $this->user;
+    }
+
+    /**
+     * @return bool $allowAPIWrite
+     */
+    public function getAllowAPIWrite () {
+        return $this->allowAPIWrite;
+    }
+
+    /**
+     * @return \DateTime
+     */
+    public function getLastUseTime () {
+        return $this->lastUseTime;
+    }
+
+    /**
+     * @return \DateTime $time
+     */
+    protected function getLastRenewTime() {
+        return $this->lastRenewTime;
+    }
+
     /**
      * Set the type of this authentication entity
      * @param string $name
@@ -93,6 +157,45 @@ public function setIdentifier($identifier) {
         $this->identifier = $identifier;
     }
 
+    /**
+     * @param \DateTime $time if null, current UTC time is set
+     */
+    public function setLastUseTime (\DateTime $time = null) {
+
+        $useTime = $time;
+
+        if (is_null($time)) {
+            $useTime = new \DateTime('now', new \DateTimeZone('UTC'));
+        }
+
+        $this->lastUseTime = $useTime;
+    }
+
+    /**
+     * @param \DateTime $time if null, current UTC time is set
+     */
+    public function setLastRenewTime(\DateTime $time = null) {
+
+        $renewTime = $time;
+
+        if (is_null($time)) {
+            $renewTime = new \DateTime('now', new \DateTimeZone('UTC'));
+        }
+
+        $this->lastRenewTime = $renewTime;
+    }
+
+    /**
+     *
+     * @param bool $allowAPIWrite
+     */
+    public function setAllowAPIWrite ($allowWrite) {
+        if (!is_bool($allowWrite)) {
+            throw new LogicException("Expected bool, received".gettype($allowWrite));
+        }
+        $this->allowAPIWrite = $allowWrite;
+    }
+
     /**
      * Do not call in client code, always use the opposite
      * <code>$site->addAuthenticationEntityDoJoin($authenticationEntity)</code>
@@ -104,7 +207,13 @@ public function setIdentifier($identifier) {
      *
      * @param \Site $site
      */
-    public function _setParentSite($site){
+    public function _setParentSite(\Site $site){
         $this->parentSite = $site;
     }
+    /**
+    * @param \User $user
+    */
+    public function _setUser(\User $user) {
+        $this->user = $user;
+    }
   }
diff --git a/lib/Doctrine/entities/Site.php b/lib/Doctrine/entities/Site.php
index eeff09ee7..f1d8cccbc 100644
--- a/lib/Doctrine/entities/Site.php
+++ b/lib/Doctrine/entities/Site.php
@@ -198,6 +198,7 @@ public function __construct() {
         $this->scopes = new ArrayCollection();
         $this->users = new ArrayCollection();
         $this->certificationStatusLog = new ArrayCollection();
+        $this->APIAuthenticationEntities = new ArrayCollection();
     }
 
 
@@ -583,7 +584,7 @@ public function addSitePropertyDoJoin($siteProperty) {
     }
 
     /**
-     * Add an API authentication entity to this Site's collection of autherntication
+     * Add an API authentication entity to this Site's collection of authentication
      * entities. This method also sets the authentication entity's parentSite.
      * @param \APIAuthentication $authenticationEntity
      */
diff --git a/lib/Doctrine/entities/User.php b/lib/Doctrine/entities/User.php
index fa5c14763..d26749367 100644
--- a/lib/Doctrine/entities/User.php
+++ b/lib/Doctrine/entities/User.php
@@ -77,6 +77,12 @@ class User {
      */
     protected $userIdentifiers = null;
 
+    /**
+     * Bidirectional - A User can have many APIAuthenication Entities.
+     * @OneToMany(targetEntity="APIAuthentication", mappedBy="user")
+     */
+    protected $APIAuthenticationEntities = null;
+
     /*
      * TODO:
      * This entity will need to own a property bag (akin to custom props)
@@ -94,6 +100,7 @@ public function __construct() {
         //$this->sites = new ArrayCollection();
         $this->roles = new ArrayCollection();
         $this->userIdentifiers = new ArrayCollection();
+        $this->APIAuthenticationEntities = new ArrayCollection();
     }
 
     /**
@@ -370,4 +377,22 @@ public function addUserIdentifierDoJoin($userIdentifier) {
         $userIdentifier->_setParentUser($this);
     }
 
+    /**
+     * Keep track of the authentication entities associated with this user,
+     * including updating the entity itself as the owning side of the
+     * relation.
+     * @param \APIAuthentication $authenticationEntity
+     */
+    public function addAPIAuthenticationEntitiesDoJoin (\APIAuthentication $authenticationEntity) {
+        $this->APIAuthenticationEntities->add($authenticationEntity);
+        //$this->APIAuthenticationEntities[] = $authenticationEntity;
+        $authenticationEntity->_setUser($this);
+    }
+    /**
+     * Get the user's API credentials
+     * @return ArrayCollection
+     */
+    public function getAPIAuthenticationEntities () {
+        return $this->APIAuthenticationEntities;
+    }
 }
diff --git a/lib/Gocdb_Services/APIAuthenticationService.php b/lib/Gocdb_Services/APIAuthenticationService.php
new file mode 100644
index 000000000..8b939a04a
--- /dev/null
+++ b/lib/Gocdb_Services/APIAuthenticationService.php
@@ -0,0 +1,268 @@
+<?php
+namespace org\gocdb\services;
+/* Copyright (c) 2011 STFC
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * GOCDB Stateless service facade (business routines) for group objects.
+ * The public API methods are transactional.
+ *
+ * @author Ian Neilson after originals -
+ * @author John Casson
+ * @author David Meredith
+ * @author George Ryall
+ */
+
+require_once __DIR__ . '/AbstractEntityService.php';
+require_once __DIR__.  '/../Doctrine/entities/APIAuthentication.php';
+
+use Doctrine\ORM\QueryBuilder;
+
+class APIAuthenticationService extends AbstractEntityService{
+
+    function __construct() {
+        parent::__construct();
+    }
+
+    /**
+     * Returns the APIAuthentication entity associated with the given identifier.
+     *
+     * @param string $ident Identifier (e.g. X.509 DN as string)
+     * @param string $type  Identifyer type (e.g. "X509")
+     * @return \APIAuthentication APIAuthentication associated with this identifier
+     */
+    public function getAPIAuthentication($ident, $type) {
+
+        if (!is_string($ident)) {
+            throw new \LogicException("Expected string APIAuthentication identifier.");
+        }
+
+        $dql = "SELECT a FROM APIAuthentication a " .
+                "WHERE (a.identifier = :ident AND a.type = :type)" ;
+
+        $qry = $this->em->createQuery($dql);
+        $qry->setParameter('ident', $ident);
+        $qry->setParameter('type', $type);
+
+        $apiAuth = $qry->getOneOrNullResult();
+
+        return $apiAuth;
+    }
+
+        /**
+     * Update the fields of an APIAuthentication entity and commit the resulting entity
+     *
+     * @param \Site Parent site
+     * @param \User Owning user
+     * @param array Array containing new values
+     * @throws \Exception on error with commit rolled back
+     * @return \APIAuthentication
+     */
+    public function addAPIAuthentication(\Site $site, \User $user, $newValues) {
+
+        $identifier = $newValues['IDENTIFIER'];
+        $type = $newValues['TYPE'];
+        $allowWrite = $newValues['ALLOW_WRITE'];
+
+        //Check that an identifier has been provided
+        if(empty($identifier)){
+            throw new \Exception("A value must be provided for the identifier");
+        }
+
+        //validate the values against the schema
+        $this->validate($newValues, $identifier, $type);
+
+        //Check there isn't already a identifier of that type with that identifier for that Site
+        $this->uniqueAPIAuthEnt($site, $identifier, $type);
+
+        //Add the properties
+        $this->em->getConnection()->beginTransaction();
+        try {
+            $authEnt = new \APIAuthentication();
+            $authEnt->setIdentifier($identifier);
+            $authEnt->setAllowAPIWrite($allowWrite);
+            $authEnt->setType($type);
+
+            $site->addAPIAuthenticationEntitiesDoJoin($authEnt);
+            $user->addAPIAuthenticationEntitiesDoJoin($authEnt);
+
+            $this->em->persist($authEnt);
+
+            $this->em->flush();
+            $this->em->getConnection()->commit();
+        } catch (\Exception $e) {
+            $this->em->getConnection()->rollback();
+            $this->em->close();
+            throw $e;
+        }
+
+        return $authEnt;
+    }
+
+    /**
+     * Update the fields of an APIAuthentication entity and commit the resulting entity
+     *
+     * @param \APIAuthentication Entity to delete
+     * @throws \Exception on error with commit rolled back
+     */
+    public function deleteAPIAuthentication(\APIAuthentication $authEntity) {
+
+        $this->em->getConnection()->beginTransaction();
+
+        $parentSite = $authEntity->getParentSite();
+        $user = $authEntity->getUser();
+
+        try {
+            //Remove the authentication entity from the site then remove the entity
+            $parentSite->getAPIAuthenticationEntities()->removeElement($authEntity);
+            $user->getAPIAuthenticationEntities()->removeElement($authEntity);
+
+            $this->em->remove($authEntity);
+
+            $this->em->persist($parentSite);
+            $this->em->persist($user);
+
+            $this->em->flush();
+            $this->em->getConnection()->commit();
+        } catch (\Exception $e) {
+            $this->em->getConnection()->rollback();
+            $this->em->close();
+            throw $e;
+        }
+    }
+
+        /**
+     * Update the fields of an APIAuthentication entity and commit the resulting entity
+     *
+     * @param \APIAuthentication Entity to update
+     * @param \User Owning user
+     * @param array Array containing new values
+     * @throws \Exception on error with commit rolled back
+     * @return \APIAuthentication
+     */
+    public function editAPIAuthentication(\APIAuthentication $authEntity, \User $user, $newValues) {
+
+        $identifier = $newValues['IDENTIFIER'];
+        $type = $newValues['TYPE'];
+        $allowWrite = $newValues['ALLOW_WRITE'];
+
+        //Check that an identifier ha been provided
+        if(empty($identifier)){
+            throw new \Exception("A value must be provided for the identifier");
+        }
+
+        //validate the values against the schema
+        $this->validate($newValues, $identifier, $type);
+
+        //Edit the property
+        $this->em->getConnection()->beginTransaction();
+        try {
+            // This would probably be the place hook for any future policy acceptance tracking
+            if ($user->getId() != $authEntity->getUser()) {
+                $authEntity->setLastRenewTime();
+            }
+            $authEntity->setIdentifier($identifier);
+            $authEntity->setType($type);
+            $authEntity->setAllowAPIWrite($allowWrite);
+            $user->addAPIAuthenticationEntitiesDoJoin($authEntity);
+
+            $this->em->persist($authEntity);
+            $this->em->persist($user);
+
+            $this->em->flush();
+            $this->em->getConnection()->commit();
+
+        } catch (\Exception $e) {
+            $this->em->getConnection()->rollback();
+            $this->em->close();
+            throw $e;
+        }
+    }
+    /**
+     * Set the last use time field to the current UTC time
+     *
+     * @param \APIAuthentication $authEntity entity to update
+     * @throws \Exception if the update fails
+     */
+    public function updateLastUseTime(\APIAuthentication $authEntity) {
+
+        $this->em->getConnection()->beginTransaction();
+
+        try {
+            $authEntity->setLastUseTime();
+
+            $this->em->persist($authEntity);
+
+            $this->em->flush();
+            $this->em->getConnection()->commit();
+
+        } catch (\Exception $e) {
+            $this->em->getConnection()->rollback();
+            $this->em->close();
+            throw $e;
+        }
+    }
+    /**
+     * Fail if there is already an identifier of given type and identifier
+     * for a given Site.
+     *
+     * @param \Site $site field values for an APIAuthentication object
+     * @param string $identifier to check
+     * @param string $type to check
+     * @throws \Exception if the data can't be validated.
+     */
+    public function uniqueAPIAuthEnt(\Site $site, $identifier, $type) {
+
+        $authEnt = $this->getAPIAuthentication($identifier, $type);
+
+        if (!is_null($authEnt) &&
+                $authEnt->getParentSite()->getId() == $site->getId()) {
+            throw new \Exception(
+                "An authentication object of type \"$type\" and with identifier " .
+                "\"$identifier\" already exists for " . $site->getName()
+            );
+        }
+    }
+    /**
+     * Validates the user inputted site data against the
+     * checks in the gocdb_schema.xml and applies additional logic checks
+     * that can't be described in the gocdb_schema.xml.
+     *
+     * @param array $data field values for an APIAuthentication object
+     * @param mixed $type a valid
+     * @throws \Exception if the data can't be validated.
+     * @return null
+     */
+    private function validate($data, $identifier, $type) {
+
+        require_once __DIR__.'/Validate.php';
+        $serv = new \org\gocdb\services\Validate();
+        foreach($data as $field => $value) {
+            $valid = $serv->validate('APIAUTHENTICATION', $field, $value);
+            if(!$valid) {
+                $error = "$field contains an invalid value: $value";
+                throw new \Exception($error);
+            }
+        }
+        //If the entity is of type X509, do a more thorough check than the validate service (as we know the type)
+        //Note that we are allowing ':' as they can appear in robot DN's
+        if ($type == 'X509' && !preg_match("/^(\/[A-Za-z]+=[a-zA-Z0-9\/\-\_\s\.,'@:\/]+)*$/", $identifier)) {
+            throw new \Exception("Invalid x509 DN");
+        }
+
+        //If the entity is of type OIDC subject, do a more thorough check again
+        if ($type == 'OIDC Subject' && !preg_match("/^([a-f0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12})$/", $identifier)) {
+            throw new \Exception("Invalid OIDC Subject");
+        }
+
+    }
+}
diff --git a/lib/Gocdb_Services/AbstractEntityService.php b/lib/Gocdb_Services/AbstractEntityService.php
index b6996b856..9246e8eaa 100644
--- a/lib/Gocdb_Services/AbstractEntityService.php
+++ b/lib/Gocdb_Services/AbstractEntityService.php
@@ -74,8 +74,8 @@ protected function checkPortalIsNotReadOnlyOrUserIsAdmin(\User $user = NULL){
     private function portalIsReadOnly() {
         require_once __DIR__ . '/Config.php';
 
-        $configServ = new \org\gocdb\services\Config();
-        return $configServ->IsPortalReadOnly();
+        return \Factory::getConfigService()->IsPortalReadOnly();
+
     }
 
     /**
@@ -121,10 +121,13 @@ public function authorisedAPIIdentifier (\Site $site, $identifier, $type) {
         #TODO: this may be more effecient as a DQL query
         foreach($site->getAPIAuthenticationEntities() as $authEnt) {
             if ($authEnt->getType() == $type && $authEnt->getIdentifier() == $identifier) {
-                return true;
+                // Honour the legacy behaviour where any registered auth cred could write
+                if (!\Factory::getConfigService()->isRestrictPDByRole()) {
+                    return true;
+                }
+                return $authEnt->getAllowAPIWrite();
             }
         }
-
         return false;
     }
 
diff --git a/lib/Gocdb_Services/Config.php b/lib/Gocdb_Services/Config.php
index 56bdc5e7b..19e350b15 100644
--- a/lib/Gocdb_Services/Config.php
+++ b/lib/Gocdb_Services/Config.php
@@ -331,7 +331,20 @@ public function GetPortalURL() {
         $url = $localInfo->web_portal_url;
         return strval($url);
     }
-
+    /**
+     * How Personal Data is restricted;
+     * See description in local_info.xml but in brief:
+     * @returns false for legacy behaviour, true for role-based personal data restriction
+     */
+    public function isRestrictPDByRole() {
+        $localInfo = $this->GetLocalInfoXML();
+        $value = $localInfo->restrict_personal_data;
+        if((string) $value == "true") {
+            return true;
+        } else {
+            return false;
+        }
+    }
     /**
      * The PI URL as recorded in local_info.xml.
      */
@@ -352,7 +365,7 @@ public function getServerBaseUrl(){
     }
 
     /**
-     * The wtite API documentation URL as recorded in local_info.xml.
+     * The write API documentation URL as recorded in local_info.xml.
      * This URL is given to users of the write API in error messages
      */
     public function getWriteApiDocsUrl(){
diff --git a/lib/Gocdb_Services/Factory.php b/lib/Gocdb_Services/Factory.php
index 339b9727d..6082d462d 100644
--- a/lib/Gocdb_Services/Factory.php
+++ b/lib/Gocdb_Services/Factory.php
@@ -49,6 +49,7 @@ class Factory {
     private static $notificationService = null;
     private static $emailService = null;
     private static $linkIdentityService = null;
+    private static $APIAuthenticationService = null;
 
     public static $properties = array();
     //private static $properties = null;
@@ -111,6 +112,18 @@ public static function getEntityManager(){
         return self::$em;
     }
 
+    /**
+     * Set an externally provided Entity Manager.
+     * ++ONLY++ used for initialising phpunit tests. Allows Factory services to
+     * create and use other Factory services.
+     * Without this, the include paths inside Gocdb_Services code require the
+     * presence of a second bootstrap_doctrine.php file.
+     * @param \Doctrine\ORM\EntityManager $entityManager
+     */
+    public static function setEntityManager($entityManager){
+        self::$em = $entityManager;
+    }
+
     /**
      * Sinlgeton Site service
      * @return org\gocdb\services\Site
@@ -399,6 +412,18 @@ public static function getEmailService() {
         }
         return self::$emailService;
     }
+    /**
+     * Singleton APIAuthenticationService service
+     * @return org\gocdb\services\APIAuthenticationService
+     */
+    public static function getAPIAuthenticationService() {
+        if (self::$APIAuthenticationService == null) {
+            require_once __DIR__ . '/APIAuthenticationService.php';
+            self::$APIAuthenticationService = new org\gocdb\services\APIAuthenticationService();
+            self::$APIAuthenticationService->setEntityManager(self::getEntityManager());
+        }
+        return self::$APIAuthenticationService;
+    }
 }
 
 ?>
diff --git a/lib/Gocdb_Services/Role.php b/lib/Gocdb_Services/Role.php
index b528f66d4..df59beefe 100644
--- a/lib/Gocdb_Services/Role.php
+++ b/lib/Gocdb_Services/Role.php
@@ -1,5 +1,8 @@
 <?php
 namespace org\gocdb\services;
+
+use Exception;
+
 /* Copyright © 2011 STFC
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,7 +24,6 @@
 require_once __DIR__ . '/RoleActionAuthorisationService.php';
 require_once __DIR__ . '/RoleActionMappingService.php';
 
-
 /**
  * GOCDB Stateless service facade (business routnes) for role objects.
  * The public API methods are transactional.
@@ -182,8 +184,8 @@ public function getUserRoleNamesOverEntity(\OwnedEntity $entity, \User $user,
         //
         //$entityClassName= get_class($entity);
         require_once __DIR__.'/OwnedEntity.php';
-        $OwnedEntityService = new \org\gocdb\services\OwnedEntity();
-        $entityClassName = $OwnedEntityService->getOwnedEntityDerivedClassName($entity);
+        $ownedEntityService = new \org\gocdb\services\OwnedEntity();
+        $entityClassName = $ownedEntityService->getOwnedEntityDerivedClassName($entity);
 
         $dql = "SELECT rt.name
             FROM Role r
@@ -542,14 +544,15 @@ public function addRole($roleTypeName, \User $user, \OwnedEntity $entity){
             // getRoleTypeName throws a NoResultException if the roleType with the
             // specfied name don't exist in in the DB.
             $roleType = $this->getRoleTypeByName($roleTypeName);
-            $r = new \Role($roleType, $user, $entity, $roleStatus);
-            $this->em->persist($r);
+            $role = new \Role($roleType, $user, $entity, $roleStatus);
+            $this->em->persist($role);
+            $this->em->flush(); // See - https://github.com/GOCDB/gocdb/issues/255
 
             // Ensure roleId has been generated
             $this->em->flush();
 
             // create a RoleActionRecord after role has been persisted (to get id)
-            $rar = \RoleActionRecord::construct($user, $r, \RoleStatus::PENDING);
+            $rar = \RoleActionRecord::construct($user, $role, \RoleStatus::PENDING);
             $this->em->persist($rar);
 
             $this->em->flush();
@@ -559,7 +562,7 @@ public function addRole($roleTypeName, \User $user, \OwnedEntity $entity){
             $this->em->close();
             throw $e;
         }
-        return $r;
+        return $role;
     }
 
 
@@ -640,16 +643,18 @@ public function revokeRole(\Role $role, \User $callingUser){
             throw new \LogicException('Error - target entity of role is null');
         }
 
-        // if calling user is not the same person, need to check permissions
-        if ($role->getUser() != $callingUser) {
+        $roleUser = $role->getUser();
+        // check permission to revoke if calling user is not this role's owner
+        if ($roleUser != $callingUser) {
             // Revocation by 2nd party
             //$grantingRoles = $this->authorize Action(\Action::REVOKE_ROLE, $entity, $callingUser);
             if($this->roleActionAuthorisationService->authoriseAction(\Action::REVOKE_ROLE, $entity, $callingUser)->getGrantAction() == FALSE){
                 throw new \Exception('You do not have permission to revoke this role');
             }
-        } else {
-            // self revoke - user is allowed to revoke their own roles
         }
+        // Check that removing the role would not leave APIAuth credentials owned by the user
+        // who no longer has a role at the site.
+        $this->checkOrphanAPIAuth($role);
 
         if($role->getStatus() == \RoleStatus::PENDING){
             // if this role has not yet been granted, then new status is REJECTION
@@ -676,7 +681,40 @@ public function revokeRole(\Role $role, \User $callingUser){
         }
 
     }
+    /**
+     * Check that removing a site role from a user would not leave an orphaned API credential:
+     * attached to a site where the user no longer has a active role.
+     * @param \Role $role
+     * @throws \Exception If revoking the Role would leave an APIAuthentication
+     *                    credential owned by a user without a role at the site
+     */
+    public function checkOrphanAPIAuth (\Role $role) {
+        /** @var \OwnedEntity $entity */
+        $entity = $role->getOwnedEntity();
 
+        if ($entity->getType() == \OwnedEntity::TYPE_SITE) {
+            $site = $entity;
+            $roleUser = $role->getUser();
+            $userAPIEnts = $roleUser->getAPIAuthenticationEntities();
+            /** @var \APIAuthentication $cred */
+            foreach ($userAPIEnts as $cred) {
+                if ($cred->getParentSite() == $site) {
+                    $roleCount = count($this->getUserRoleNamesOverEntity($site, $roleUser, \RoleStatus::GRANTED));
+                    if ($roleCount <= 1) {
+                        throw new Exception("Request to remove role rejected: role removal would" .
+                            " leave one or more API credentials at the site which are owned by a user" .
+                            " who has no site role. Delete or reassign ownership of credentials" .
+                            " owned by this user from the site to enable revocation" .
+                            ". Site:" . $site->getShortName() .
+                            ". User:" . $roleUser->getFullName() .
+                            ". Role:" . $role->getRoleType()->getName());
+                    }
+                    return; // only need to check the first we find
+                }
+            }
+            // if we fall through to here, the user has no APIAuths for the role's site.
+        }
+    }
     /**
      * Calling user attempts to reject the given Role request.
      * Role rejection is slightly different revoking a role: a rejected is not
diff --git a/lib/Gocdb_Services/RoleActionAuthorisationService.php b/lib/Gocdb_Services/RoleActionAuthorisationService.php
index 6b439d0af..95b44c240 100644
--- a/lib/Gocdb_Services/RoleActionAuthorisationService.php
+++ b/lib/Gocdb_Services/RoleActionAuthorisationService.php
@@ -106,69 +106,9 @@ public function authoriseAction($action, \OwnedEntity $targetEntity, $user){
          if(is_null($user->getId())){
             return new AuthoriseActionResult();
         }
-        // If we limit the actions, then its hard to test using some sample
-        // roleActionMapping files. Need to decide to include this.
-//        if(!in_array($action, \Action::getAsArray())){
-//            throw new \LogicException('Coding Error - Invalid action not known');
-//        }
-
-//         IGNORE THIS COMMENT BLOCK - DECLARING DIFFERENT ROLE ACTION MAPPINGS PER
-//       PROJECT MAY BE NEEDED IN FUTURE, BUT RIGHT NOW IT ADDS UNNECESSARY COMPLEXITY.
-//       IF THE NEED ARISES, THIS STUFF WILL BE USEFUL:
-//       =======================================================================
-//       // Get a list of DB projects that are 'reachable' from the given entity
-//       // by moving up the OwnedEntity hierarchy.
-//       // Note, some objects don't come under the remit of a Project, e.g.
-//       // ServiceGroups, so dbProjects may be empty (this is normal).
-//       //$dbProjects = $this->getReachableProjectsFromOwnedEntity($targetEntity);
-//
-//        // TODO?
-//        // iterate the dbProjects and exclude those that are not mapped in the
-//        // roleActionMappings file
-//        foreach($dbProjects as $dbProj){
-//           if($this->roleActionMappingService->isProjectMapped($dbProj->getName())){
-//              $dbProjects[] = $dbProj;
-//           }
-//        }
-//
-//        if(count($dbProjects) > 0){
-//            // If there is an ancestor project, then we ignore the default role action mappings
-//            foreach ($dbProjects as $dbProject) {
-//                //print_r('reachable project: ['.$dbProject->getName()."] \n");
-//                // Lookup the role type mappings for this project (['RoleTypeName'] => 'overOwnedEntity').
-//                // throws LogicException if the dbProjectName does not exist in the
-//                // mapping file! (not so with action or entity-type)
-//                // For example, the following role-types over the specified object
-//                // types could enable 'actionX':
-//                // array (
-//                //   ['Site Administrator'] => 'Site',
-//                //   ['NGI Operations Manager'] => 'Ngi',
-//                //   ['Chief Operations Officer'] => 'Project'
-//                // );
-//                $roleTypeMappingsForProj = $this->roleActionMappingService->
-//                        getRoleTypeNamesThatEnableActionOnTargetObjectType(
-//                        $action, $targetEntity->getType(), $dbProject->getName());
-//                //print_r('roleTypeMappings for reachable project: ['.$dbProject->getName()."] \n");
-//                //print_r($roleTypeMappingsForProj);
-//
-//                // If there are roles that enable the action, store the roles for the project
-//                if (count($roleTypeMappingsForProj) > 0) {
-//                    $requiredRoleTypesPerProj[] = $roleTypeMappingsForProj;
-//                }
-//            }
-//        } else {
-//            // The entity dont come under a Project, e.g. the entity was
-//            // Project agnostic like a ServiceGroup, or there was an instance of
-//            // an orphan NGI or Site, therefore get the default RoleActionMappings.
-//            $requiredRoleTypesPerProj[] = $this->roleActionMappingService->
-//                    getRoleTypeNamesThatEnableActionOnTargetObjectType(
-//                        $action, $targetEntity->getType(), null);
-//            //print_r($requiredRoleTypesPerProj); // e.g.
-//            // Array ( [0] => Array ( [Service Group Administrator] => ServiceGroup ) )
-//        }
-//       =======================================================================
-
 
+        //  16-Dec-2020 - There was a large block of commented code here related to
+        //                role action mappings per project. Deleted.
 
         // Lookup+store the role type mappings that enable
         // the action on the specified entity type (mappings stored in RoleActionMappings XML).
diff --git a/lib/Gocdb_Services/RoleActionMappingService.php b/lib/Gocdb_Services/RoleActionMappingService.php
index 58345417f..5e4f1bc3e 100644
--- a/lib/Gocdb_Services/RoleActionMappingService.php
+++ b/lib/Gocdb_Services/RoleActionMappingService.php
@@ -32,11 +32,15 @@
  */
 class RoleActionMappingService /* extends AbstractEntityService */ {
 
-    private $roleActionMappingsXmlPath;
-    private $roleActionMappingsXsdPath;
+    private $roleActionMappingsXmlPath; // path to xml data file
+    private $roleActionMappingsXsdPath; // path to xsd schema file
+    private $roleActionMapXmlDom;       // DOM object loaded from xml data path
 
     const ROLE_ACTION_MAPPING_NS = 'http://goc.egi.eu/2015/03/spec1.0_r1';
 
+    const FAILED_TO_READ_XML_DATA = 1;   // Constants to distinguish exception cases
+    const FAILED_TO_READ_XML_SCHEMA = 2;
+
     /**
      * Service for querying the Role-Action mappings defined in the RoleActionMappingRules XML file.
      */
@@ -44,6 +48,7 @@ function __construct() {
         //parent::__construct();
         $this->roleActionMappingsXmlPath = __DIR__ . '/../../config/RoleActionMappings.xml';
         $this->roleActionMappingsXsdPath = __DIR__ . '/../../config/RoleActionMappingsSchema.xsd';
+        $this->roleActionMapXmlDom = null;
     }
 
     /**
@@ -53,6 +58,7 @@ function __construct() {
      */
     public function setRoleActionMappingsXmlPath($xmlDocPath) {
         $this->roleActionMappingsXmlPath = $xmlDocPath;
+        $this->roleActionMapXmlDom = null;
     }
 
     /**
@@ -62,58 +68,83 @@ public function setRoleActionMappingsXmlPath($xmlDocPath) {
      */
     public function setRoleActionMappingsXsdPath($xsdDocPath) {
         $this->roleActionMappingsXsdPath = $xsdDocPath;
+        $this->roleActionMapXmlDom = null;
     }
 
     /**
      * Validate the XML file located at $roleActionMappingsXmlPath with the XSD
      * located at $roleActionMappingsXsdPath.
+     * Only used for debug and testing schema and validation logic, use
+     * loadRoleActionsXmlFile for most purposes
      *
-     * @return array an array with LibXMLError objects if there are any errors
-     * or an empty array otherwise.
-     * @throws \LogicException if XML/XSD fiels can't be loaded
-     * @throws \Exception If the role action mapping file is invalid against its XSD.
+     * @return array Array of LibXMLError objects, or empty
+     * @throws \LogicException if XML file can't be loaded
      */
     public function validateRoleActionMappingFileAgainstXsd() {
-        // http://stackoverflow.com/questions/12368453/domdocumentschemavalidate-throwing-warning-errors
-        //libxml_use_internal_errors(true);
-        $xml = new \DOMDocument();
-        if (FALSE === $xml->load($this->roleActionMappingsXmlPath)) {
-            throw new \LogicException("Couldn't load RoleActionMappings file, "
-            . "invalid roleActionMappingsXmlPath: [$this->roleActionMappingsXmlPath]");
+
+        try {
+            $this->loadRoleActionsXmlFile();
+        } catch (\LogicException $e) {
+            // Trap the schema validation error and return the error stack.
+            if ($e->getCode() == $this->FAILED_TO_READ_XML_SCHEMA) {
+                return libxml_get_errors();
+            }
+            throw $e;
         }
-        return $this->_validateRoleActionMappingFileAgainstXsd($xml);
+        return array();
     }
+    /**
+     * Helper function for xml schema validation
+     * @param \DOMDocument $dom DOM object to validate
+     * @param string $xmlDocPath Path to data used to generate the DOM (for error message only).
+     * @param string $xsdDocPath Path to schema file to be used for data validation
+     * @throws \LogicException with code FAILED_TO_READ_XML_SCHEMA on failure to validate
+     */
+    private function _validateRoleActionMappingFileAgainstXsd(\DOMDocument $dom, $xmlDocPath, $xsdDocPath) {
 
-    private function _validateRoleActionMappingFileAgainstXsd(\DOMDocument $xml){
-        if (!$xml->schemaValidate($this->roleActionMappingsXsdPath)) {
-            return libxml_get_errors();
+        if (!$dom->schemaValidate($xsdDocPath)) {
+            throw new \LogicException("Failed validate RoleActionMappings against schema. xml:[{$xmlDocPath}] xsd:[{$xsdDocPath}]",
+                        $this->FAILED_TO_READ_XML_SCHEMA);
         }
-        return array();
     }
+    /**
+     * Helper function for xml schema validation
+     * @param \DOMDocument $dom DOM object to validate
+     * @param string $xmlDocPath Path to data used to generate the DOM (for error message only).
+     * @param string $xsdDocPath Path to schema file to be used for data validation
+     * @throws \LogicException Exception with code FAILED_TO_READ_XML_DATA on failure to validate
+     * @return \DOMDocument
+     */
+    private function _loadRoleActionsXmlFile($xmlDocPath) {
+
+        $dom = new \DOMDocument();
 
+        if (!$dom->load($xmlDocPath)) {
+            throw new \LogicException("Failed to load RoleActionMappings. xml:[{$xmlDocPath}]",
+                            $this->FAILED_TO_READ_XML_DATA);
+        }
+        return $dom;
+    }
 
     /**
      * Load and validate the role actions xml file referenced from $roleActionMappingsXmlPath;
      * @return \DOMDocument
      * @throws \LogicException
      */
-    private function loadRoleActionsXmlFile(){
-        //http://stackoverflow.com/questions/12368453/domdocumentschemavalidate-throwing-warning-errors
-        //libxml_use_internal_errors(true);
-        // load file
-        $roleActionMapXmlDom = new \DOMDocument();
-        if (FALSE === $roleActionMapXmlDom->load($this->roleActionMappingsXmlPath)) {
-            throw new \LogicException("Couldn't load RoleActionMappings file, "
-            . "invalid roleActionMappingsXmlPath: [$this->roleActionMappingsXmlPath].");
+    private function loadRoleActionsXmlFile()
+    {
+        if (is_null($this->roleActionMapXmlDom)) {
+            // Throws LogicException if the file can't be loaded
+            // Exception code can distinguish between them if wanted.
+            $this->roleActionMapXmlDom = $this->_loadRoleActionsXmlFile($this->roleActionMappingsXmlPath);
+
+            // Throws LogicException is the schema doesn't validate
+            $this->_validateRoleActionMappingFileAgainstXsd($this->roleActionMapXmlDom,
+                                                            $this->roleActionMappingsXmlPath,
+                                                            $this->roleActionMappingsXsdPath);
         }
 
-        $errors = $this->_validateRoleActionMappingFileAgainstXsd($roleActionMapXmlDom);
-        if(count($errors) > 0){
-            throw new \LogicException("Invalid RoleActionMappingsFile "
-                    . "[$this->roleActionMappingsXmlPath], use libxml_get_errors() "
-                    . "for error details.");
-        }
-        return $roleActionMapXmlDom;
+        return $this->roleActionMapXmlDom;
     }
 
 
@@ -354,7 +385,7 @@ public function getRoleTypeNamesThatEnableActionOnTargetObjectType($action, $obj
         // Iterate RoleMapping elements and identify/collect those that have a child
         // 'EnabledActions' element that groups together BOTH the required  Target $entityType
         // AND the required $action listed in <Actions> e.g.
-        // if $action = ACtion_EDIT_OBJECT and $entityType = SERviceGroup a
+        // if $action = ACTION_EDIT_OBJECT and $entityType = ServiceGroup a
         // conforming element would be:
         //
         //  <EnabledActions>
@@ -364,7 +395,7 @@ public function getRoleTypeNamesThatEnableActionOnTargetObjectType($action, $obj
         //            <Action>ACTION_REJECT_ROLE</Action>
         //            <Action>ACTION_REVOKE_ROLE</Action>
         //      </Actions>
-        //      <Target>SERviceGroup</Target>
+        //      <Target>ServiceGroup</Target>
         //  </EnabledActions>
         //
         $inScopeRoleMappings = array();
@@ -396,7 +427,7 @@ public function getRoleTypeNamesThatEnableActionOnTargetObjectType($action, $obj
                     }
                 }
 //                // when actions were listed as a single text node value using comma sep list e.g.
-//                //  <Actions>ACtion_EDIT_OBJECT,ACTION_GRANT_ROLE, ACTION_REJECT_ROLE, ACTION_REVOKE_ROLE</Actions>
+//                //  <Actions>ACTION_EDIT_OBJECT,ACTION_GRANT_ROLE, ACTION_REJECT_ROLE, ACTION_REVOKE_ROLE</Actions>
 //                $actionsNodes = $xpath->query('goc:Actions[text()]', $enabledAction);
 //                foreach ($actionsTextNodes as $actionsText) {
 //                    //print_r($actionsText->nodeValue. "\n");
diff --git a/lib/Gocdb_Services/RoleConstants.php b/lib/Gocdb_Services/RoleConstants.php
index 5b5c4ffa4..51a510f59 100644
--- a/lib/Gocdb_Services/RoleConstants.php
+++ b/lib/Gocdb_Services/RoleConstants.php
@@ -149,6 +149,9 @@ class Action {
     // Actions that apply to Service
     //const SE_ADD_DOWNTIME = 'ACTION_SE_ADD_DOWNTIME';
 
+    //
+    const READ_PERSONAL_DATA = 'ACTION_READ_PERSONAL_DATA';
+
     /**
      * private constructor to limit instantiation
      */
diff --git a/lib/Gocdb_Services/Site.php b/lib/Gocdb_Services/Site.php
index 3151c46bd..b07874d4a 100644
--- a/lib/Gocdb_Services/Site.php
+++ b/lib/Gocdb_Services/Site.php
@@ -11,6 +11,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+require_once __DIR__ . '/Factory.php';
 require_once __DIR__ . '/AbstractEntityService.php';
 require_once __DIR__ . '/Role.php';
 require_once __DIR__ . '/RoleConstants.php';
@@ -71,7 +72,7 @@ public function setScopeService(Scope $scopeService){
     /**
      * Finds a single site by ID and returns its entity
      * @param int $id the site ID
-     * @return Site a site object
+     * @return \Site a site object
      */
     public function getSite($id) {
         $dql = "SELECT s FROM Site s WHERE s.id = :id";
@@ -407,12 +408,14 @@ public function getSitesFilterByParams($filterParams){
      * @param integer $siteId Site id or null
      * @param string $siteExtPropKeyName Site extension property name
      * @param string $siteExtPropKeyValue Site extension property value
+     * @param string $apiAuthId Authentication entity identifier
      * @return array An array of site objects with joined entities.
      */
     public function getSitesBy(
             $ngiName=NULL, $prodStatus=NULL, $certStatus=NULL,
             $scopeName=NULL, $showClosed=NULL, $siteId=NULL,
-            $siteExtPropKeyName=NULL, $siteExtPropKeyValue=NULL) {
+            $siteExtPropKeyName=NULL, $siteExtPropKeyValue=NULL,
+            $apiAuthId=NULL) {
 
         $qb = $this->em->createQueryBuilder();
         $qb ->select('DISTINCT s', 'sc', 'n', 'i')
@@ -472,6 +475,17 @@ public function getSitesBy(
 
         }
 
+        if ($apiAuthId != null && $apiAuthId != '%%') {
+            $sQ = $this->em->createQueryBuilder();
+            $sQ ->select('s1'.'.id')
+            ->from('Site', 's1')
+            ->join('s1.APIAuthenticationEntities', 'authEnt')
+            ->andWhere($sQ->expr()->eq('authEnt.identifier', ':authid'));
+
+            $qb->andWhere($qb->expr()->in('s', $sQ->getDQL()));
+            $qb->setParameter('authid', $apiAuthId);
+        }
+
         $query = $qb->getQuery();
         $sites = $query->execute();
 
@@ -646,7 +660,7 @@ public function addSite($values, \User $user =null) {
         $this->checkPortalIsNotReadOnlyOrUserIsAdmin($user);
 
         if(is_null($user)){
-            throw new Exception("Unregistered users may not add new sites");
+            throw new \Exception("Unregistered users may not add new sites");
         }
 
         // get the parent NGI entity
@@ -886,9 +900,7 @@ public function moveSite(\Site $site, \NGI $ngi, \User $user = null) {
     }
 
     private function checkNumberOfScopes(array $myArray){
-        require_once __DIR__ . '/Config.php';
-        $configService = new \org\gocdb\services\Config();
-        $minumNumberOfScopes = $configService->getMinimumScopesRequired('site');
+        $minumNumberOfScopes = $this->configService->getMinimumScopesRequired('site');
         if(sizeof($myArray)<$minumNumberOfScopes){
             throw new \Exception("A site must have at least " . $minumNumberOfScopes . " optional scope(s) assigned to it.");
         }
@@ -969,11 +981,16 @@ public function validatePropertyActions(\User $user, \Site $site) {
     * @return boolian
     */
     public function userCanEditSite(\User $user, \Site $site) {
-        if ($this->roleActionAuthorisationService->authoriseAction(\Action::EDIT_OBJECT, $site, $user)->getGrantAction() == FALSE) {
+
+        if (is_null($user)) {
             return false;
-        } else {
+        }
+
+        if ($this->roleActionAuthorisationService->authoriseAction(\Action::EDIT_OBJECT, $site, $user)->getGrantAction() == TRUE) {
             return true;
         }
+
+        return false;
     }
 
     /**
@@ -1114,7 +1131,7 @@ protected function addPropertiesLogic(\Site $site, array $propArr, $preventOverw
         }
 
         //Check to see if adding the new properties will exceed the max limit defined in local_info.xml, and throw an exception if so
-        $extensionLimit = \Factory::getConfigService()->getExtensionsLimit();
+        $extensionLimit = $this->configService->getExtensionsLimit();
         if ($propertyCount > $extensionLimit){
             throw new \Exception("Property(s) could not be added due to the property limit of $extensionLimit");
         }
@@ -1371,20 +1388,6 @@ public function getMapXMLString(){
         return $xmlString;
     }
 
-    private function uniqueAPIAuthEnt(\Site $site, $identifier, $type) {
-        //TODO: This would probably be more effecient as a DQL query
-        $existingAuthEnts = $site->getAPIAuthenticationEntities();
-
-        foreach ($existingAuthEnts as $authEnt) {
-            if($authEnt->getIdentifier()==$identifier && $authEnt->getType() == $type) {
-                throw new \Exception(
-                    "An authentication object of type \"$type\" and with identifier " .
-                    "\"$identifier\" already exists for" . $site->getName()
-                );
-            }
-        }
-    }
-
     /**
      * Finds a single API authentication entity by ID and returns its entity
      * @param int $id the authentication entity ID
@@ -1400,114 +1403,47 @@ public function getAPIAuthenticationEntity($id) {
     }
 
     public function addAPIAuthEntity(\Site $site, \User $user, $newValues) {
-        //Check the portal is not in read only mode, throws exception if it is
-        $this->checkPortalIsNotReadOnlyOrUserIsAdmin($user);
 
         // Validate the user has permission to add properties
-        if (!$this->userCanEditSite($user, $site)) {
-            throw new \Exception("You don't have permission to add authentication entties to " . $site->getShortName());
-        }
-
-        $identifier = $newValues['IDENTIFIER'];
-        $type = $newValues['TYPE'];
+        $this->checkUserAuthz ($user, $site);
 
-        //Check that an identifier ha been provided
-        if(empty($identifier)){
-            throw new \Exception("A value must be provided for the identifier");
-        }
+        $authEntServ = \Factory::getAPIAuthenticationService();
+        $authEntServ->setEntityManager($this->em);
 
-        //validate the values against the schema
-        $this->validate($newValues,'APIAUTHENTICATION');
-
-        //If the entity is of type X509, do a more thorough check than the validate service (as we know the type)
-        //Note that we are allowing ':' as they can appear in robot DN's
-        if ($type == 'X509' && !preg_match("/^(\/[A-Za-z]+=[a-zA-Z0-9\/\-\_\s\.,'@:\/]+)*$/", $identifier)) {
-            throw new \Exception("Invalid x509 DN");
-        }
-        
-        //If the entity is of type OIDC subject, do a more thorough check again
-        if ($type == 'OIDC Subject' && !preg_match("/^([a-f0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12})$/", $identifier)) {
-            throw new \Exception("Invalid OIDC Subject");
-        }
-
-        //Check there isn't already a identifier of that type with that identifier for that Site
-        $this->uniqueAPIAuthEnt($site, $identifier, $type);
-
-        //Add the properties
-        $this->em->getConnection()->beginTransaction();
-        try {
-            $authEnt = new \APIAuthentication();
-            $authEnt->setIdentifier($identifier);
-            $authEnt->setType($type);
-            $site->addAPIAuthenticationEntitiesDoJoin($authEnt);
-            $this->em->persist($authEnt);
-            $this->em->flush();
-            $this->em->getConnection()->commit();
-        } catch (\Exception $e) {
-            $this->em->getConnection()->rollback();
-            $this->em->close();
-            throw $e;
-        }
+        $authEnt = $authEntServ->addAPIAuthentication($site, $user, $newValues);
 
         return $authEnt;
     }
 
     public function deleteAPIAuthEntity(\APIAuthentication $authEntity, \User $user) {
-        //Check the portal is not in read only mode, throws exception if it is
-        $this->checkPortalIsNotReadOnlyOrUserIsAdmin($user);
 
         // Validate the user has permission to delete properties
-        if (!$this->userCanEditSite($user, $authEntity->getParentSite())) {
-            throw new \Exception("You don't have permission to add authentication entties to " . $site->getShortName());
-        }
+        $parentSite = $authEntity->getParentSite();
 
-        //delete the entity
-        $this->em->getConnection()->beginTransaction();
-        try {
-            $parentSite = $authEntity->getParentSite();
+        // Check the user can do this. Thows exception if not.
+        $this->checkUserAuthz($user, $parentSite);
 
-            //Remove the authentication entity from the site then remove the entity
-            $parentSite->getAPIAuthenticationEntities()->removeElement($authEntity);
-            $this->em->remove($authEntity);
+        $authEntServ = \Factory::getAPIAuthenticationService();
+        $authEntServ->setEntityManager($this->em);
 
-            $this->em->persist($parentSite);
-            $this->em->flush();
-            $this->em->getConnection()->commit();
-        } catch (\Exception $e) {
-            $this->em->getConnection()->rollback();
-            $this->em->close();
-            throw $e;
-        }
+        $authEntServ->deleteAPIAuthentication($authEntity);
     }
 
     public function editAPIAuthEntity(\APIAuthentication $authEntity, \User $user, $newValues) {
-        //Check the portal is not in read only mode, throws exception if it is
-        $this->checkPortalIsNotReadOnlyOrUserIsAdmin($user);
 
-        $site = $authEntity->getParentSite();
+        $parentSite = $authEntity->getParentSite();
 
-        // Validate the user has permission to edit properties
-        if (!$this->userCanEditSite($user, $site)) {
-            throw new \Exception("You don't have permission to add authentication entties to " . $site->getShortName());
-        }
+        // Check the user can do this. Thows exception if not.
+        $this->checkUserAuthz($user, $parentSite);
 
         $identifier = $newValues['IDENTIFIER'];
         $type = $newValues['TYPE'];
 
-        //Check that an identifier ha been provided
-        if(empty($identifier)){
-            throw new \Exception("A value must be provided for the identifier");
-        }
-
-        //validate the values against the schema
-        $this->validate($newValues,'APIAUTHENTICATION');
-
-
-        //If the entity is of type X509, do a more thorough check than the validate service (as we know the type)
-        //Note that we are allowing ':' as they can appear in robot DN's
-        if ($type == 'X509' && !preg_match("/^(\/[A-Za-z]+=[a-zA-Z0-9\/\-\_\s\.,'@:\/]+)*$/", $identifier)) {
-            throw new \Exception("Invalid x509 DN");
-        }
+        /**
+        @var org\gocdb\services\APIAuthenticationService
+        */
+        $authEntServ = \Factory::getAPIAuthenticationService();
+        $authEntServ->setEntityManager($this->em);
 
         //If the entity is of type OIDC subject, do a more thorough check again
         if ($type == 'OIDC Subject' && !preg_match("/^([a-z0-9]{8}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{12})$/", $identifier)) {
@@ -1515,27 +1451,31 @@ public function editAPIAuthEntity(\APIAuthentication $authEntity, \User $user, $
         }
 
         /**
-        * As long as something has changed, check there isn't already a
-        * identifier of that type with that identifier for that Site
+        * If identifier or type has changed, check the credential is not
+        * already registered.
         */
-        if (!($authEntity->getIdentifier()==$identifier && $authEntity->getType() == $type)) {
-            $this->uniqueAPIAuthEnt($site, $identifier, $type);
+        if (!($authEntity->getIdentifier() == $identifier &&
+              $authEntity->getType() == $type)) {
+            $authEntServ->uniqueAPIAuthEnt($parentSite, $identifier, $type);
         }
 
-        //Edit the property
-        $this->em->getConnection()->beginTransaction();
-        try {
-            $authEntity->setIdentifier($identifier);
-            $authEntity->setType($type);
-            $this->em->persist($authEntity);
-            $this->em->flush();
-            $this->em->getConnection()->commit();
-        } catch (\Exception $e) {
-            $this->em->getConnection()->rollback();
-            $this->em->close();
-            throw $e;
-        }
+        $authEntServ->editAPIAuthentication($authEntity, $user, $newValues);
 
         return $authEntity;
     }
+    /**
+     * Helper combines admin check and authz check to make sure a user
+     * can modify properties of the site.
+     *
+     * @throws \Exception
+     */
+    private function checkUserAuthz (\User $user, \Site $site) {
+
+        $this->checkPortalIsNotReadOnlyOrUserIsAdmin($user);
+
+        // Validate the user has permission to edit properties
+        if (!$this->userCanEditSite($user, $site)) {
+            throw new \Exception("Permission denied: a site role is required to modify authentication entities on site " . $site->getShortName());
+        }
+    }
 }
diff --git a/lib/Gocdb_Services/User.php b/lib/Gocdb_Services/User.php
index c926e8e7f..74570bc59 100644
--- a/lib/Gocdb_Services/User.php
+++ b/lib/Gocdb_Services/User.php
@@ -42,16 +42,16 @@ class User extends AbstractEntityService{
     /**
      * Gets a user object from the DB
      * @param $id User ID
-     * @return User object
+     * @return \User object
      */
     public function getUser($id) {
         return $this->em->find("User", $id);
     }
 
     /**
-     * Lookup a User object by user's ID string, stored in certificateDn.
-     * @param string $userPrinciple the user's principle ID string, e.g. DN.
-     * @return User object or null if no user can be found with the specified principle
+     * Lookup a User object by user's principle id string.
+     * @param string $userPrinciple the user's principle id string, e.g. DN.
+     * @return \User object or null if no user can be found with the specified principle
      */
     public function getUserByCertificateDn($userPrinciple) {
         if (empty($userPrinciple)) {
@@ -102,7 +102,36 @@ public function getUserByPrincipleAndType($userPrinciple, $authType) {
 
         return $user;
     }
+    /**
+     * Check if a user is allowed to read personal data at sites.
+     * @param \User The user to check for
+     * @return Boolean true if allowed, else false;
+     */
+    public function isAllowReadPD(\User $user) {
+
+        if ($user->isAdmin()) {
+            return true;
+        }
+
+        if (!\Factory::getConfigService()->isRestrictPDByRole()) {
+            return true;
+        }
 
+        $sites = $this->getSitesFromRoles($user, \RoleStatus::GRANTED);
+        $authServ = \Factory::getRoleActionAuthorisationService();
+
+        foreach ($sites as $site) {
+            if ($authServ->authoriseAction(\Action::READ_PERSONAL_DATA, $site, $user)
+                ->getGrantAction()
+            ) {
+                // exit the first time we find a grant as we don't support
+                // site-level viewing granularity.
+                return true;
+            }
+        }
+        // No site was found with an authorisation.
+        return false;
+    }
     /**
      * Updates the users last login time to the current time in UTC.
      * @param \User $user
@@ -408,6 +437,15 @@ public function deleteUser(\User $user, \User $currentUser = null) {
         $this->checkPortalIsNotReadOnlyOrUserIsAdmin($currentUser);
 
         $this->editUserAuthorization($user, $currentUser);
+
+        if (!$user->getAPIAuthenticationEntities()->isEmpty()) {
+            // Must remove attached API credentials before removal
+            $userName = $user->getFullName();
+            throw new \Exception("Request to delete user $userName rejected:" .
+                " Delete or reassign API credentials owned by user" .
+                " from sites before deletion.");
+        }
+
         $this->em->getConnection()->beginTransaction();
         try {
             $this->em->remove($user);
diff --git a/tests/DoctrineTestSuite1.php b/tests/DoctrineTestSuite1.php
index 984979220..ec1d51efc 100644
--- a/tests/DoctrineTestSuite1.php
+++ b/tests/DoctrineTestSuite1.php
@@ -18,6 +18,10 @@
 require_once __DIR__ . '/unit/lib/Gocdb_Services/RoleActionAuthorisationServiceTest.php';
 require_once __DIR__ . '/unit/lib/Gocdb_Services/RoleActionMappingServiceTest.php';
 require_once __DIR__ . '/unit/lib/Gocdb_Services/ScopeServiceTest.php';
+require_once __DIR__ . '/unit/lib/Gocdb_Services/UserServiceTest.php';
+require_once __DIR__ . '/unit/lib/Gocdb_Services/SiteServiceTest.php';
+require_once __DIR__ . '/unit/lib/Gocdb_Services/RoleServiceTest2.php';
+require_once __DIR__ . '/unit/lib/Gocdb_Services/APIAuthenticationServiceTest.php';
 require_once __DIR__ . '/writeAPI/siteMethods.php';
 require_once __DIR__ . '/writeAPI/serviceMethods.php';
 require_once __DIR__ . '/writeAPI/endpointMethods.php';
@@ -50,6 +54,10 @@ public static function suite() {
     $suite->addTestSuite('RoleActionAuthorisationServiceTest');
     $suite->addTestSuite('RoleActionMappingServiceTest');
     $suite->addTestSuite('ScopeServiceTest');
+    $suite->addTestSuite('UserServiceTest');
+    $suite->addTestSuite('SiteServiceTest');
+    $suite->addTestSuite('RoleServiceTest2');
+    $suite->addTestSuite('APIAuthenticationServiceTest');
     $suite->addTestSuite('WriteAPIsiteMethodsTests');
     $suite->addTestSuite('WriteAPIserviceMethodsTests');
     $suite->addTestSuite('WriteAPIendpointMethodsTests');
diff --git a/tests/doctrine/TestUtil.php b/tests/doctrine/TestUtil.php
index ca97235e0..eedafeeba 100644
--- a/tests/doctrine/TestUtil.php
+++ b/tests/doctrine/TestUtil.php
@@ -11,6 +11,14 @@
  */
 class TestUtil {
 
+    // A helper function for several of the helper functions:
+    // Create a new object of the given name and call the 'setName' method.
+    private static function createAndName($className, $name) {
+        $instance = new $className();
+        $instance->setName($name);
+        return $instance;
+    }
+
     public static function createRoleActionRecord(){
          /*$rar = new RoleActionRecord($updatedByUserId, $updatedByUserPrinciple,
                 $roleId, $rolePreStatus, $roleNewStatus, $roleTypeId,
@@ -134,11 +142,37 @@ public static function createSampleCertStatusLog($addedBy = '/some/user'){
     }
 
     public static function createSampleScope($description, $name){
-        $scope = new Scope();
+        $scope = self::createAndName('Scope', $name);
         $scope->setDescription($description);
-        $scope->setName($name);
         return $scope;
     }
+    public static function createSampleInfrastructure($name){
+        return self::createAndName('Infrastructure', $name);
+    }
+    public static function createSampleCertStatus($name){
+        return self::createAndName('certificationStatus',$name);
+    }
+    public static function createSampleCountry($name){
+        $country = self::createAndName('country',$name);
+        $country->setCode('UTP');
+        return $country;
+    }
+    /**
+     * Generate a useless minimal Role Action Auth Service
+     * NB. Should be done in the siteService constructor (?)
+     */
+    public static function createSampleRoleAAS($xmlRoleMappings = null) {
+
+        // Dump mappings to a temporary file
+        // Create RoleActionMappingService with non-default roleActionMappings file
+        $roleAMS = new org\gocdb\services\RoleActionMappingService();
+        $roleAMS->setRoleActionMappingsXmlPath($xmlRoleMappings);
+
+        // Create RoleActionAuthorisationService with dependencies
+        $roleAAS = new org\gocdb\services\RoleActionAuthorisationService($roleAMS);
+
+        return $roleAAS;
+    }
 
     public static function createSampleUserIdentifier($name, $key) {
         $identifier = new UserIdentifier();
@@ -146,7 +180,5 @@ public static function createSampleUserIdentifier($name, $key) {
         $identifier->setKeyValue($key);
         return $identifier;
     }
-
 }
-
 ?>
diff --git a/tests/doctrine/truncateDataTables.xml b/tests/doctrine/truncateDataTables.xml
index 2973a98bd..0380b72bf 100644
--- a/tests/doctrine/truncateDataTables.xml
+++ b/tests/doctrine/truncateDataTables.xml
@@ -8,21 +8,21 @@
         With the default operation of CLEAN_INSERT, you can specify that you
         want to TRUNCATE a table and not insert any values by listing that
         table as an element without any attributes (to ensure an empty table).
-        
+
         Impt: You can specify DELETE_ALL rather than TRUNCATE in your fixture (see getSetUpOperation())
-        to issue a DELETE from <table> which is more portable than a 
-        TRUNCATE table <table> (some DBs require high privileges for truncate statements 
-        and also do not allow truncates across tables with FK contstraints e.g. Oracle). 
-        
+        to issue a DELETE from <table> which is more portable than a
+        TRUNCATE table <table> (some DBs require high privileges for truncate statements
+        and also do not allow truncates across tables with FK contstraints e.g. Oracle).
+
         Ordering of the table elements below is SIGNIFICANT. You must consider
-        foreign key constraints when deleting data from tables. When 
+        foreign key constraints when deleting data from tables. When
         DELETE_ALL is used, the order of the tables below is read in REVERSE
-        by phpunit (so the last table specified is truncated/delete_all first). 
-        
-        Therefore, entities that hold/own the FKs must be deleted FIRST, e.g. 
-        Site has many Services, therefore since Services holds 
-        the FK (as it is on the 'many' side), this table MUST be cleared before Site ! 
-        
+        by phpunit (so the last table specified is truncated/delete_all first).
+
+        Therefore, entities that hold/own the FKs must be deleted FIRST, e.g.
+        Site has many Services, therefore since Services holds
+        the FK (as it is on the 'many' side), this table MUST be cleared before Site !
+
         The most common reason you would want to ensure an empty table as
         a part of your fixture is when your test should be inserting data to
         that table.
@@ -30,26 +30,27 @@
 
 <dataset>
 
-    <PrimaryKeys/>    
-    <Timezones/> 
+    <PrimaryKeys/>
+    <Timezones/>
     <Tiers/>
-        
+
     <Countries/>
     <CertificationStatuses/>
-    <Infrastructures/> 
+    <Infrastructures/>
     <Scopes/>
-        
+
+    <APIAuthenticationEntities/>
     <OwnedEntities/>
     <Projects/>
-    <NGIs/> 
-    <SubGrids/> 
+    <NGIs/>
+    <SubGrids/>
     <ServiceTypes/>
     <Sites/>
         <!--<PROMSiteId/>-->
-    <ServiceGroups/> 
+    <ServiceGroups/>
     <Services/>
         <!--<PROMSEId/>-->
-    <EndpointLocations/>  
+    <EndpointLocations/>
     <Downtimes/>
     <CertificationStatusLogs/>
 
@@ -58,26 +59,26 @@
     <Service_Properties/>
     <Endpoint_Properties/>
     <User_Identifiers/>
-       
-        <!-- Join tables that hold FKs must be deleted before the referencing tables above --> 
+
+        <!-- Join tables that hold FKs must be deleted before the referencing tables above -->
     <Projects_NGIs/>
-    <NGIs_Scopes/> 
+    <NGIs_Scopes/>
     <Sites_Scopes/>
     <Services_Scopes/>
-    <ServiceGroups_Scopes/>  
-    <ServiceGroups_Services/> 
+    <ServiceGroups_Scopes/>
+    <ServiceGroups_Services/>
     <Downtimes_Services/>
     <Downtimes_EndpointLocations/>
-        
+
     <Users/>
     <LinkIdentityRequests/>
     <RoleTypes/>
     <Roles/>
-        
+
     <ArchivedNGIs/>
     <ArchivedServices/>
     <ArchivedServiceGroups/>
-    <ArchivedSites/> 
+    <ArchivedSites/>
     <RoleActionRecords/>
-    
+
 </dataset>
diff --git a/tests/phpunit.xml b/tests/phpunit.xml
index 8858faf55..c065d13cd 100644
--- a/tests/phpunit.xml
+++ b/tests/phpunit.xml
@@ -9,12 +9,12 @@
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
- * 
- * @author David Meredith <david.meredith@stfc.ac.uk> 
+ *
+ * @author David Meredith <david.meredith@stfc.ac.uk>
  */-->
 
-<!-- 
-PHPUnit configuration file for tests. 
+<!--
+PHPUnit configuration file for tests.
 -->
 <phpunit
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -43,7 +43,7 @@ PHPUnit configuration file for tests.
          <!--printerFile="/path/to/ResultPrinter.php"-->
          <!--testSuiteLoaderFile="/path/to/StandardTestSuiteLoader.php"-->
          <!--bootstrap="/path/to/bootstrap.php" -->
-  
+
 <filter>
   <!--<blacklist>
     <directory suffix=".php">/path/to/files</directory>
@@ -53,12 +53,12 @@ PHPUnit configuration file for tests.
       <file>/path/to/file</file>
     </exclude>
   </blacklist>-->
-  
-  <!-- 
-  Name the core packages to be included in coverage reports. 
+
+  <!--
+  Name the core packages to be included in coverage reports.
   It is not desirable to produce coverage for every package, it is not useful
-  to do so. We have to be selective on which tests to write for which packages.  
-  --> 
+  to do so. We have to be selective on which tests to write for which packages.
+  -->
   <whitelist processUncoveredFilesFromWhitelist="true">
     <directory suffix=".php">../lib/Doctrine/entities/</directory>
     <directory suffix=".php">../lib/DAOs/</directory>
@@ -71,5 +71,22 @@ PHPUnit configuration file for tests.
     </exclude>
   </whitelist>
 </filter>
-  
-</phpunit>
\ No newline at end of file
+
+<php>
+  <!--
+    database_connection.php will check if this variable is defined.
+    Add line of this format substituting the chosen suffix
+    which will be added to the configured database name
+
+      <server name='phpunitdb' value='_test' />
+
+    The value '_test' is arbitrary, but must match what you used when creating
+    the database with the mysql command.
+    Export a phpunitdb variable when using doctrine schema tool
+    to create or update a database.
+    -->
+
+  <server name='phpunitdb' value='_test' />
+</php>
+
+</phpunit>
diff --git a/tests/unit/lib/Gocdb_Services/APIAuthenticationServiceTest.php b/tests/unit/lib/Gocdb_Services/APIAuthenticationServiceTest.php
new file mode 100644
index 000000000..2c2f65dae
--- /dev/null
+++ b/tests/unit/lib/Gocdb_Services/APIAuthenticationServiceTest.php
@@ -0,0 +1,169 @@
+<?php
+/*
+ * Copyright (C) 2015 STFC
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+require_once __DIR__ . '/ServiceTestUtil.php';
+require_once __DIR__ . '/../../../../lib/Gocdb_Services/APIAuthenticationService.php';
+
+use Doctrine\ORM\EntityManager;
+
+/**
+ * DBUnit test class for the {@see \org\gocdb\services\Site} service.
+ *
+ * @author Ian Neilson (after David Meredith)
+ */
+class APIAuthEnticationServiceTest extends PHPUnit_Extensions_Database_TestCase {
+  private $entityManager;
+  private $dbOpsFactory;
+
+  function __construct() {
+    parent::__construct();
+    // Use a local instance to avoid Mess Detector's whinging about avoiding
+    // static access.
+    $this->dbOpsFactory = new PHPUnit_Extensions_Database_Operation_Factory();
+  }
+  /**
+  * Overridden.
+  */
+  public static function setUpBeforeClass() {
+    parent::setUpBeforeClass();
+    echo "\n\n-------------------------------------------------\n";
+    echo "Executing APIAuthEntServiceTest. . .\n";
+  }
+
+  /**
+  * Overridden. Returns the test database connection.
+  * @return PHPUnit_Extensions_Database_DB_IDatabaseConnection
+  */
+  protected function getConnection() {
+    require_once __DIR__ . '/../../../doctrine/bootstrap_pdo.php';
+    return getConnectionToTestDB();
+  }
+
+  /**
+  * Overridden. Returns the test dataset.
+  * Defines how the initial state of the database should look before each test is executed.
+  * @return PHPUnit_Extensions_Database_DataSet_IDataSet
+  */
+  protected function getDataSet() {
+    $dataset = $this->createFlatXMLDataSet(__DIR__ . '/../../../doctrine/truncateDataTables.xml');
+    return $dataset;
+    // Use below to return an empty data set if we don't want to truncate and seed
+    //return new PHPUnit_Extensions_Database_DataSet_DefaultDataSet();
+  }
+
+  /**
+  * Overridden.
+  */
+  protected function getSetUpOperation() {
+    // CLEAN_INSERT is default
+    //return PHPUnit_Extensions_Database_Operation_Factory::CLEAN_INSERT();
+    //return PHPUnit_Extensions_Database_Operation_Factory::UPDATE();
+    //return PHPUnit_Extensions_Database_Operation_Factory::NONE();
+    //
+    // Issue a DELETE from <table> which is more portable than a
+    // TRUNCATE table <table> (some DBs require high privileges for truncate statements
+    // and also do not allow truncates across tables with FK contstraints e.g. Oracle)
+    return $this->dbOpsFactory->DELETE_ALL();
+  }
+
+  /**
+  * Overridden.
+  */
+  protected function getTearDownOperation() {
+    // NONE is default
+    return $this->dbOpsFactory->NONE();
+  }
+
+  /**
+  * Sets up the fixture, e.g create a new entityManager for each test run
+  * This method is called before each test method is executed.
+  */
+  protected function setUp() {
+    parent::setUp();
+    $this->entityManager = $this->createEntityManager();
+    // Pass the Entity Manager into the Factory to allow Gocdb_Services
+    // to use other Gocdb_Services.
+    \Factory::setEntityManager($this->entityManager);
+  }
+
+  /**
+  * @return EntityManager
+  */
+  private function createEntityManager(){
+    $entityManager = null; // Initialise in local scope to avoid unused variable warnings
+    require __DIR__ . '/../../../doctrine/bootstrap_doctrine.php';
+    return $entityManager;
+  }
+
+  /**
+  * Called after setUp() and before each test. Used for common assertions
+  * across all tests.
+  */
+  protected function assertPreConditions() {
+    $con = $this->getConnection();
+    $fixture = __DIR__ . '/../../../doctrine/truncateDataTables.xml';
+    $tables = simplexml_load_file($fixture);
+
+    foreach($tables as $tableName) {
+      $sql = "SELECT * FROM ".$tableName->getName();
+      $result = $con->createQueryTable('results_table', $sql);
+      if($result->getRowCount() != 0){
+        throw new RuntimeException("Invalid fixture. Table has rows: ".$tableName->getName());
+      }
+    }
+  }
+  public function testGetAPIAuthentication () {
+    print __METHOD__ . "\n";
+
+    $siteData = ServiceTestUtil::getSiteData($this->entityManager);
+    $siteService = ServiceTestUtil::getSiteService($this->entityManager);
+    $site = ServiceTestUtil::createAndAddSite($this->entityManager, $siteData);
+
+    $user = TestUtil::createSampleUser('Beta','User');
+    $user->setAdmin(true);
+
+    $identifier = TestUtil::createSampleUserIdentifier('X.509','/Beta.User');
+    ServiceTestUtil::persistAndFlush($this->entityManager, $identifier);
+
+    $user->addUserIdentifierDoJoin($identifier);
+
+    ServiceTestUtil::persistAndFlush($this->entityManager, $user);
+
+    $authEntServ = new org\gocdb\services\APIAuthenticationService();
+    $authEntServ->setEntityManager($this->entityManager);
+
+    $this->assertTrue($authEntServ instanceof org\gocdb\services\APIAuthenticationService,
+                        'Failed to create APIAuthenticationService');
+
+    $ident = '/CN=A Dummy Subject';
+    $type = 'X509';
+    // Start with no APIAuthentication entities to be found
+    $this->assertNull($authEntServ->getAPIAuthentication($ident, $type),
+                        "Non-null value returned when searching for APIAuthentication entity " .
+                        "for id:{$ident} with type:{$type} when expected none.");
+
+    $authEnt = $siteService->addAPIAuthEntity($site, $user,
+                              array('IDENTIFIER' =>  $ident,
+                              'TYPE' => $type,
+                              'ALLOW_WRITE' => false));
+
+    $this->assertTrue($authEnt instanceof \APIAuthentication,
+                      "Failed to add APIAuthentication entity for id:{$ident} with type:{$type}.");
+
+    $authEntMatched = $authEntServ->getAPIAuthentication($ident, $type);
+
+    $this->assertTrue($authEnt === $authEntMatched,
+                      "Failed to return APIAuthentication entity for id:{$ident} with type:{$type}.");
+
+  }
+}
diff --git a/tests/unit/lib/Gocdb_Services/RoleActionMappingServiceTest.php b/tests/unit/lib/Gocdb_Services/RoleActionMappingServiceTest.php
index 2c7f6bcd9..ea7885cf9 100644
--- a/tests/unit/lib/Gocdb_Services/RoleActionMappingServiceTest.php
+++ b/tests/unit/lib/Gocdb_Services/RoleActionMappingServiceTest.php
@@ -170,6 +170,7 @@ public function testGetEnablingRolesForTargetedAction1(){
   public function testGetEnablingRolesForTargetedAction2(){
     print __METHOD__ . "\n";
     $roleActionService = new org\gocdb\services\RoleActionMappingService();
+    $roleActionService->setRoleActionMappingsXsdPath(__DIR__."/../../resources/roleActionMappingSamples/TestRoleActionMappings4.xsd");
     $roleActionService->setRoleActionMappingsXmlPath(__DIR__."/../../resources/roleActionMappingSamples/TestRoleActionMappings4.xml");
 
     // to do action 'AX' on a 'site' requires roles:
@@ -214,6 +215,7 @@ public function testGetEnablingRolesForTargetedAction2(){
   public function testGetEnabledActionsForRoleType1() {
     print __METHOD__ . "\n";
     $roleActionService = new org\gocdb\services\RoleActionMappingService();
+    $roleActionService->setRoleActionMappingsXsdPath(__DIR__ . "/../../resources/roleActionMappingSamples/TestRoleActionMappings4.xsd");
     $roleActionService->setRoleActionMappingsXmlPath(__DIR__ . "/../../resources/roleActionMappingSamples/TestRoleActionMappings4.xml");
 
     $enabledActionsOnTargets = $roleActionService->getEnabledActionsForRoleType('RoleA');
@@ -265,8 +267,8 @@ public function testGetEnabledActionsForRoleType2() {
     $expectedActionsOnTargets[] = array('ACTION_SITE_ADD_SERVICE', 'Site');
     $expectedActionsOnTargets[] = array('ACTION_SITE_DELETE_SERVICE', 'Site');
     $expectedActionsOnTargets[] = array('ACTION_GRANT_ROLE', 'Site');
-    $expectedActionsOnTargets[] = array(' ACTION_REJECT_ROLE', 'Site');
-    $expectedActionsOnTargets[] = array(' ACTION_REVOKE_ROLE', 'Site');
+    $expectedActionsOnTargets[] = array('ACTION_REJECT_ROLE', 'Site');
+    $expectedActionsOnTargets[] = array('ACTION_REVOKE_ROLE', 'Site');
     $expectedActionsOnTargets[] = array('ACTION_SITE_EDIT_CERT_STATUS', 'Site');
     // assert
     $this->assertEquals($expectedActionsOnTargets, $enabledActionsOnTargets);
diff --git a/tests/unit/lib/Gocdb_Services/RoleServiceTest2.php b/tests/unit/lib/Gocdb_Services/RoleServiceTest2.php
new file mode 100644
index 000000000..d21f488e7
--- /dev/null
+++ b/tests/unit/lib/Gocdb_Services/RoleServiceTest2.php
@@ -0,0 +1,223 @@
+<?php
+/*
+ * Copyright (C) 2015 STFC
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+require_once __DIR__ . '/../../../doctrine/TestUtil.php';
+//require_once __DIR__ . '/../../../../lib/Doctrine/entities/User.php';
+//require_once __DIR__ . '/../../../../lib/Gocdb_Services/User.php';
+//require_once __DIR__ . '/../../../../lib/Gocdb_Services/Config.php';
+require_once __DIR__ . '/../../../../lib/Gocdb_Services/Factory.php';
+
+use Doctrine\ORM\EntityManager;
+use org\gocdb\services\RoleActionAuthorisationService;
+
+//use org\gocdb\services\User;
+//use User;
+
+/**
+ * DBUnit test class for the {@see \org\gocdb\services\Role} service.
+ *
+ * @author Ian Neilson (after David Meredith)
+ */
+class RoleServiceTest2 extends PHPUnit_Extensions_Database_TestCase {
+  private $entityManager;
+  private $dbOpsFactory;
+  private $user;
+  private $site;
+
+  function __construct() {
+    parent::__construct();
+    // Use a local instance to avoid Mess Detector's whinging about avoiding
+    // static access.
+    $this->dbOpsFactory = new PHPUnit_Extensions_Database_Operation_Factory();
+  }
+  /**
+  * Overridden.
+  */
+  public static function setUpBeforeClass() {
+    parent::setUpBeforeClass();
+    echo "\n\n-------------------------------------------------\n";
+    echo "Executing RoleServiceTest. . .\n";
+  }
+
+  /**
+  * Overridden. Returns the test database connection.
+  * @return PHPUnit_Extensions_Database_DB_IDatabaseConnection
+  */
+  protected function getConnection() {
+    require_once __DIR__ . '/../../../doctrine/bootstrap_pdo.php';
+    return getConnectionToTestDB();
+  }
+
+  /**
+  * Overridden. Returns the test dataset.
+  * Defines how the initial state of the database should look before each test is executed.
+  * @return PHPUnit_Extensions_Database_DataSet_IDataSet
+  */
+  protected function getDataSet() {
+    return $this->createFlatXMLDataSet(__DIR__ . '/../../../doctrine/truncateDataTables.xml');
+    // Use below to return an empty data set if we don't want to truncate and seed
+    //return new PHPUnit_Extensions_Database_DataSet_DefaultDataSet();
+  }
+
+  /**
+  * Overridden.
+  */
+  protected function getSetUpOperation() {
+    // CLEAN_INSERT is default
+    //return PHPUnit_Extensions_Database_Operation_Factory::CLEAN_INSERT();
+    //return PHPUnit_Extensions_Database_Operation_Factory::UPDATE();
+    //return PHPUnit_Extensions_Database_Operation_Factory::NONE();
+    //
+    // Issue a DELETE from <table> which is more portable than a
+    // TRUNCATE table <table> (some DBs require high privileges for truncate statements
+    // and also do not allow truncates across tables with FK contstraints e.g. Oracle)
+    return $this->dbOpsFactory->DELETE_ALL();
+  }
+
+  /**
+  * Overridden.
+  */
+  protected function getTearDownOperation() {
+    // NONE is default
+    return $this->dbOpsFactory->NONE();
+  }
+
+  /**
+  * Sets up the fixture, e.g create a new entityManager for each test run
+  * This method is called before each test method is executed.
+  */
+  protected function setUp() {
+    parent::setUp();
+    $this->entityManager = $this->createEntityManager();
+    $this->util = new TestUtil();
+    $this->user = $this->util->createSampleUser("Alpha", "Beta");
+    $this->user->setAdmin(true);
+
+    $identifier = $this->util->createSampleUserIdentifier('X.509',"/CN=Alpha Beta");
+    $this->entityManager->persist($identifier);
+
+    $this->user->addUserIdentifierDoJoin($identifier);
+    $this->entityManager->persist($this->user);
+
+    $this->site = $this->util->createSampleSite("Site1");
+    $this->entityManager->persist($this->site);
+
+    $this->roleServ = new \org\gocdb\services\Role();
+    $this->roleServ->setEntityManager($this->entityManager);
+  }
+
+  /**
+  * @return EntityManager
+  */
+  private function createEntityManager(){
+    $entityManager = null; // Initialise in local scope to avoid unused variable warnings
+    require __DIR__ . '/../../../doctrine/bootstrap_doctrine.php';
+    return $entityManager;
+  }
+
+  /**
+  * Called after setUp() and before each test. Used for common assertions
+  * across all tests.
+  */
+  protected function assertPreConditions() {
+    $con = $this->getConnection();
+    $fixture = __DIR__ . '/../../../doctrine/truncateDataTables.xml';
+    $tables = simplexml_load_file($fixture);
+
+    foreach($tables as $tableName) {
+      $sql = "SELECT * FROM ".$tableName->getName();
+      $result = $con->createQueryTable('results_table', $sql);
+      if($result->getRowCount() != 0){
+        throw new RuntimeException("Invalid fixture. Table has rows: ".$tableName->getName());
+      }
+    }
+  }
+  /**
+   * Create some roles
+   */
+  private function createTestRoles (array $roleNames) {
+
+    foreach ($roleNames as $type) {
+      $roleType = $this->util->createSampleRoleType($type);
+      $role = $this->util->createSampleRole($this->user, $roleType, $this->site, \RoleStatus::GRANTED);
+      $this->entityManager->persist($roleType);
+      $this->entityManager->persist($role);
+      $roles[] = $role;
+    };
+
+    $this->entityManager->flush();
+
+    return $roles;
+  }
+  /**
+   * Attach an APIAuthentication credential to user and site
+   */
+  private function addAPIAuthEntity() {
+    // The only way to add an APIAuthentication credential is by creating
+    // a site service ...
+
+    $siteServ = new \org\gocdb\services\Site();
+    $siteServ->setEntityManager($this->entityManager);
+
+    // No role mappings are created or tested - we rely in user being an admin
+    $ram = new \org\gocdb\services\RoleActionMappingService();
+    $ras = new \org\gocdb\services\RoleActionAuthorisationService($ram);
+
+    $ras->setEntityManager($this->entityManager);
+
+    $siteServ->setRoleActionAuthorisationService($ras);
+
+    $siteServ->addAPIAuthEntity(
+      $this->site,
+      $this->user,
+      array(
+        "IDENTIFIER" => $this->user->getUserIdentifiers()[0]->getKeyValue(),
+        "TYPE" => "X509",
+        "ALLOW_WRITE" => false
+      )
+    );
+    return;
+  }
+  /**
+   * Tests begin here
+   */
+  public function testNullCheckOrphanAPIAuth () {
+    print __METHOD__ . "\n";
+
+    $roles = $this->createTestRoles(array("Manager","Administrator"));
+
+    // No APIAuthentication credentials are yet assigned so the
+    // check should pass.
+    $this->assertNull($this->roleServ->checkOrphanAPIAuth($roles[0]));
+
+    $this->addAPIAuthEntity();
+
+    // User has two roles so the check should pass.
+    $this->assertNull($this->roleServ->checkOrphanAPIAuth($roles[0]));
+
+  }
+  /**
+   * @depends testNullCheckOrphanAPIAuth
+   * @expectedException Exception
+   */
+  public function testFailCheckOrphanAPIAuth () {
+    print __METHOD__ . "\n";
+
+    $roles = $this->createTestRoles(array("Manager"));
+
+    $this->addAPIAuthEntity();
+
+    // Should fail because there is only one role.
+    $this->roleServ->checkOrphanAPIAuth($roles[0]);
+  }
+}
diff --git a/tests/unit/lib/Gocdb_Services/ServiceTestUtil.php b/tests/unit/lib/Gocdb_Services/ServiceTestUtil.php
new file mode 100644
index 000000000..f0bdcfab5
--- /dev/null
+++ b/tests/unit/lib/Gocdb_Services/ServiceTestUtil.php
@@ -0,0 +1,128 @@
+<?php
+
+require_once __DIR__ . "/../../../doctrine/TestUtil.php";
+
+/**
+ *  Helper functions for GOCDB_Services tests
+ *
+ * @author Ian Neilsony
+ */
+class ServiceTestUtil {
+  /**
+   * Persist and flush an entity
+   * @param \Doctrine\ORM\EntityManager $em Entity manager
+   * @param Object $instance
+   */
+  public static function persistAndFlush ($em, $instance) {
+      $em->persist($instance);
+      $em->flush();
+  }
+  /**
+   * Create some test site data
+   * @param EntityManager $em Entity Manager handle
+   */
+  public static function getSiteData ($em) {
+
+    $infra = TestUtil::createSampleInfrastructure('Production');
+    $em->persist($infra);
+
+    $ngi = TestUtil::createSampleNGI('ngi1_');
+    $em->persist($ngi);
+
+    $scope = TestUtil::createSampleScope('scope 1', 'Scope1');
+    $em->persist($scope);
+
+    $certStatus = TestUtil::createSampleCertStatus('Certified');
+    $em->persist($certStatus);
+
+    $country = TestUtil::createSampleCountry('Utopia');
+    $em->persist($country);
+
+    $em->flush();
+
+    $siteData = array (
+      'NGI' => $ngi->getId(),
+      'Site' => array(
+        'SHORT_NAME' => 's1',
+        'DESCRIPTION' => 'A test site',
+        'OFFICIAL_NAME' => 'An-official-site',
+        'EMAIL' => 'anon@localhost.net',
+        'HOME_URL' => 'https://www.s1.localhost.net',
+        'CONTACTTEL' => '001 234 567 8',
+        'GIIS_URL' => null,
+        'LATITUDE' => '0',
+        'LONGITUDE' => '0',
+        'CSIRTEMAIL' => null,
+        'IP_RANGE' => null,
+        'IP_V6_RANGE' => null,
+        'DOMAIN' => 's1.localhost.net',
+        'LOCATION' => null,
+        'CSIRTTEL' => '001 234 567 8',
+        'EMERGENCYTEL' => '001 234 567 8',
+        'EMERGENCYEMAIL' => 'anon@localhost.net',
+        'HELPDESKEMAIL' => 'anon@localhost.net',
+        'TIMEZONE' => 'GMT'),
+      'Scope_ids' => array($scope->getId()),
+      'ReservedScope_ids' => array(),
+      'ProductionStatus' => $infra->getId(),
+      'Certification_Status' => $certStatus->getId(),
+      'Country' => $country->getId()
+    );
+
+    return $siteData;
+  }
+  /**
+   * Create and return a minimal Site Service instance
+   * @param \Doctrine\ORM\EntityManager EntityManager $em
+   * @param array $siteData Minimal initial site data array
+   * @return \Site $site
+   */
+  public static function createAndAddSite ($em, $siteData) {
+
+    $user = TestUtil::createSampleUser('Alpha','User');
+    // We don't want to test all the roleAction logic here so simply make us an admin
+    $user->setAdmin(true);
+
+    $identifier = TestUtil::createSampleUserIdentifier('X.509', '/Alpha.User');
+    ServiceTestUtil::persistAndFlush($em, $identifier);
+
+    $user->addUserIdentifierDoJoin($identifier);
+
+    ServiceTestUtil::persistAndFlush($em, $user);
+
+    $siteService = ServiceTestUtil::getSiteService($em);
+
+    $site = $siteService->addSite($siteData, $user);
+
+    return $site;
+  }
+  /**
+   * Generate minimal Site Service
+   * @param \Doctrine\ORM\EntityManager EntityManager $em
+   * @return org\gocdb\services\Site $siteService
+   */
+  public static function getSiteService ($em) {
+    $siteService = new org\gocdb\services\Site();
+    $siteService->setEntityManager($em);
+
+    // Need stubs for both role and scope services
+    $roleAAS = TestUtil::createSampleRoleAAS(__DIR__ .
+              "/../../resources/roleActionMappingSamples/TestRoleActionMappings5.xml");
+
+    $roleAAS->setEntityManager($em);
+    $siteService->setRoleActionAuthorisationService($roleAAS);
+    $siteService->setScopeService(ServiceTestUtil::getScopeService($em));
+
+    return $siteService;
+  }
+    /**
+   * Generate a useless minimal Scope Service
+   * NB. Should be done in the siteService constructor (?)
+   */
+  private static function getScopeService($em) {
+    $scopeService = new \org\gocdb\services\Scope();
+    $scopeService->setEntityManager($em);
+
+    return $scopeService;
+  }
+}
diff --git a/tests/unit/lib/Gocdb_Services/SiteServiceTest.php b/tests/unit/lib/Gocdb_Services/SiteServiceTest.php
new file mode 100644
index 000000000..e76efcc38
--- /dev/null
+++ b/tests/unit/lib/Gocdb_Services/SiteServiceTest.php
@@ -0,0 +1,207 @@
+<?php
+/*
+ * Copyright (C) 2015 STFC
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+require_once __DIR__ . '/../../../doctrine/TestUtil.php';
+require_once __DIR__ . '/ServiceTestUtil.php';
+require_once __DIR__ . '/../../../../lib/Doctrine/entities/User.php';
+require_once __DIR__ . '/../../../../lib/Gocdb_Services/Site.php';
+require_once __DIR__ . '/../../../../lib/Gocdb_Services/Config.php';
+require_once __DIR__ . '/../../../../lib/Gocdb_Services/Factory.php';
+require_once __DIR__ . '/../../../../lib/Gocdb_Services/Scope.php';
+
+use Doctrine\ORM\EntityManager;
+
+/**
+ * DBUnit test class for the {@see \org\gocdb\services\Site} service.
+ *
+ * @author Ian Neilson (after David Meredith)
+ */
+class siteServiceTest extends PHPUnit_Extensions_Database_TestCase {
+  private $entityManager;
+  private $dbOpsFactory;
+  /** @var TestUtil $testUtil */
+  private $testUtil;
+
+  function __construct() {
+    parent::__construct();
+    // Use a local instance to avoid Mess Detector's whinging about avoiding
+    // static access.
+    $this->dbOpsFactory = new PHPUnit_Extensions_Database_Operation_Factory();
+  }
+  /**
+  * Overridden.
+  */
+  public static function setUpBeforeClass() {
+    parent::setUpBeforeClass();
+    echo "\n\n-------------------------------------------------\n";
+    echo "Executing SiteServiceTest. . .\n";
+  }
+
+  /**
+  * Overridden. Returns the test database connection.
+  * @return PHPUnit_Extensions_Database_DB_IDatabaseConnection
+  */
+  protected function getConnection() {
+    require_once __DIR__ . '/../../../doctrine/bootstrap_pdo.php';
+    return getConnectionToTestDB();
+  }
+
+  /**
+  * Overridden. Returns the test dataset.
+  * Defines how the initial state of the database should look before each test is executed.
+  * @return PHPUnit_Extensions_Database_DataSet_IDataSet
+  */
+  protected function getDataSet() {
+    $dataset = $this->createFlatXMLDataSet(__DIR__ . '/../../../doctrine/truncateDataTables.xml');
+    return $dataset;
+    // Use below to return an empty data set if we don't want to truncate and seed
+    //return new PHPUnit_Extensions_Database_DataSet_DefaultDataSet();
+  }
+
+  /**
+  * Overridden.
+  */
+  protected function getSetUpOperation() {
+    // CLEAN_INSERT is default
+    //return PHPUnit_Extensions_Database_Operation_Factory::CLEAN_INSERT();
+    //return PHPUnit_Extensions_Database_Operation_Factory::UPDATE();
+    //return PHPUnit_Extensions_Database_Operation_Factory::NONE();
+    //
+    // Issue a DELETE from <table> which is more portable than a
+    // TRUNCATE table <table> (some DBs require high privileges for truncate statements
+    // and also do not allow truncates across tables with FK contstraints e.g. Oracle)
+    return $this->dbOpsFactory->DELETE_ALL();
+  }
+
+  /**
+  * Overridden.
+  */
+  protected function getTearDownOperation() {
+    // NONE is default
+    return $this->dbOpsFactory->NONE();
+  }
+
+  /**
+  * Sets up the fixture, e.g create a new entityManager for each test run
+  * This method is called before each test method is executed.
+  */
+  protected function setUp() {
+    parent::setUp();
+    $this->entityManager = $this->createEntityManager();
+    $this->testUtil = new TestUtil();
+    // Pass the Entity Manager into the Factory to allow Gocdb_Services
+    // to use other Gocdb_Service.
+    \Factory::setEntityManager($this->entityManager);
+  }
+
+  /**
+  * @return EntityManager
+  */
+  private function createEntityManager(){
+    $entityManager = null; // Initialise in local scope to avoid unused variable warnings
+    require __DIR__ . '/../../../doctrine/bootstrap_doctrine.php';
+    return $entityManager;
+  }
+
+  /**
+  * Called after setUp() and before each test. Used for common assertions
+  * across all tests.
+  */
+  protected function assertPreConditions() {
+    $con = $this->getConnection();
+    $fixture = __DIR__ . '/../../../doctrine/truncateDataTables.xml';
+    $tables = simplexml_load_file($fixture);
+
+    foreach($tables as $tableName) {
+      $sql = "SELECT * FROM ".$tableName->getName();
+      $result = $con->createQueryTable('results_table', $sql);
+      if($result->getRowCount() != 0){
+        throw new RuntimeException("Invalid fixture. Table has rows: ".$tableName->getName());
+      }
+    }
+  }
+  /**
+   * Helper function to persist a test object
+   */
+  protected function persistAndFlush ($instance) {
+    $this->entityManager->persist($instance);
+    $this->entityManager->flush();
+  }
+
+  /*
+  * Tests begin here
+  * First basic check we can instantiate a Site Service and create a site with it.
+  */
+  public function testAddSite() {
+    print __METHOD__ . "\n";
+
+    $siteData = ServiceTestUtil::getSiteData($this->entityManager);
+    $siteService = ServiceTestUtil::getSiteService($this->entityManager);
+
+    // The most basic check
+    $this->assertTrue($siteService instanceof org\gocdb\services\Site,
+                        'Site Service failed to create and return a Site service');
+
+    ServiceTestUtil::createAndAddSite($this->entityManager, $siteData);
+
+    // Check
+    // N.B. Although getSitesFilterByParams says all the filters are optional,
+    // in fact, if you don't specify a scope 'EGI' is forced on you :-(
+
+    $this->assertCount(1, $siteService->getSitesFilterByParams( array('scope' => 'Scope1')));
+  }
+  /**
+   * @depends testAddSite
+   * Check that authentication entities can be added and removed correctly using the Site Service
+   */
+  public function testAddAPIAuthentication() {
+    print __METHOD__ . "\n";
+
+    /** @var \User */
+    $user = $this->testUtil->createSampleUser('Beta','User','/Beta.User');
+    // We don't want to test all the roleAction logic here so simply make us an admin
+    $user->setAdmin(true);
+    $this->persistAndFlush($user);
+
+    $siteData = ServiceTestUtil::getSiteData($this->entityManager);
+    $siteService = ServiceTestUtil::getSiteService($this->entityManager);
+    ServiceTestUtil::createAndAddSite($this->entityManager, $siteData);
+
+    $sites = $siteService->getSitesFilterByParams(array('scope' => 'Scope1'));
+    $site = $sites[0];
+
+    // Check we can add an authenticationEntity to a site and it is properly
+    // associated with the user.
+
+    $authEnt = $siteService->addAPIAuthEntity($site, $user,
+                              array('IDENTIFIER' => '/CN=A Dummy Subject' ,
+                              'TYPE' => 'X509',
+                              'ALLOW_WRITE' => false));
+
+    $this->assertTrue($authEnt instanceof \APIAuthentication,
+                      'Site Service failed to add APIAuthentication');
+    $siteAuthEnts = $site->getAPIAuthenticationEntities();
+    $userAuthEnts = $user->getAPIAuthenticationEntities();
+    $this->assertTrue($userAuthEnts[0] === $siteAuthEnts[0],
+                      'Site Service failed to link user and site APIAuthenticationEntity');
+
+    // Check the delete and cleanup on site and user sides goes ok
+
+    $this->assertNull($siteService->deleteAPIAuthEntity($authEnt, $user),
+                      'Site Service failed to delete APIAuthenticationEntity');
+    $this->assertEmpty($user->getAPIAuthenticationEntities(),
+                      'Site Service failed to remove APIAuthenticationEntity from User');
+    $this->assertEmpty($site->getAPIAuthenticationEntities(),
+                      'Site Service failed to remove APIAuthenticationEntity from Site');
+  }
+}
diff --git a/tests/unit/lib/Gocdb_Services/UserServiceTest.php b/tests/unit/lib/Gocdb_Services/UserServiceTest.php
new file mode 100644
index 000000000..1aa47a98d
--- /dev/null
+++ b/tests/unit/lib/Gocdb_Services/UserServiceTest.php
@@ -0,0 +1,197 @@
+<?php
+/*
+ * Copyright (C) 2015 STFC
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+require_once __DIR__ . '/../../../doctrine/TestUtil.php';
+require_once __DIR__ . '/../../../../lib/Doctrine/entities/User.php';
+require_once __DIR__ . '/../../../../lib/Gocdb_Services/User.php';
+require_once __DIR__ . '/../../../../lib/Gocdb_Services/Config.php';
+require_once __DIR__ . '/../../../../lib/Gocdb_Services/Factory.php';
+
+use Doctrine\ORM\EntityManager;
+//use org\gocdb\services\User;
+//use User;
+
+/**
+ * DBUnit test class for the {@see \org\gocdb\services\User} service.
+ *
+ * @author Ian Neilson (after David Meredith)
+ */
+class UserServiceTest extends PHPUnit_Extensions_Database_TestCase {
+  private $entityManager;
+  private $dbOpsFactory;
+
+  function __construct() {
+    parent::__construct();
+    // Use a local instance to avoid Mess Detector's whinging about avoiding
+    // static access.
+    $this->dbOpsFactory = new PHPUnit_Extensions_Database_Operation_Factory();
+  }
+  /**
+  * Overridden.
+  */
+  public static function setUpBeforeClass() {
+    parent::setUpBeforeClass();
+    echo "\n\n-------------------------------------------------\n";
+    echo "Executing UserServiceTest. . .\n";
+  }
+
+  /**
+  * Overridden. Returns the test database connection.
+  * @return PHPUnit_Extensions_Database_DB_IDatabaseConnection
+  */
+  protected function getConnection() {
+    require_once __DIR__ . '/../../../doctrine/bootstrap_pdo.php';
+    return getConnectionToTestDB();
+  }
+
+  /**
+  * Overridden. Returns the test dataset.
+  * Defines how the initial state of the database should look before each test is executed.
+  * @return PHPUnit_Extensions_Database_DataSet_IDataSet
+  */
+  protected function getDataSet() {
+    return $this->createFlatXMLDataSet(__DIR__ . '/../../../doctrine/truncateDataTables.xml');
+    // Use below to return an empty data set if we don't want to truncate and seed
+    //return new PHPUnit_Extensions_Database_DataSet_DefaultDataSet();
+  }
+
+  /**
+  * Overridden.
+  */
+  protected function getSetUpOperation() {
+    // CLEAN_INSERT is default
+    //return PHPUnit_Extensions_Database_Operation_Factory::CLEAN_INSERT();
+    //return PHPUnit_Extensions_Database_Operation_Factory::UPDATE();
+    //return PHPUnit_Extensions_Database_Operation_Factory::NONE();
+    //
+    // Issue a DELETE from <table> which is more portable than a
+    // TRUNCATE table <table> (some DBs require high privileges for truncate statements
+    // and also do not allow truncates across tables with FK contstraints e.g. Oracle)
+    return $this->dbOpsFactory->DELETE_ALL();
+  }
+
+  /**
+  * Overridden.
+  */
+  protected function getTearDownOperation() {
+    // NONE is default
+    return $this->dbOpsFactory->NONE();
+  }
+
+  /**
+  * Sets up the fixture, e.g create a new entityManager for each test run
+  * This method is called before each test method is executed.
+  */
+  protected function setUp() {
+    parent::setUp();
+    $this->entityManager = $this->createEntityManager();
+  }
+
+  /**
+  * @return EntityManager
+  */
+  private function createEntityManager(){
+    $entityManager = null; // Initialise in local scope to avoid unused variable warnings
+    require __DIR__ . '/../../../doctrine/bootstrap_doctrine.php';
+    return $entityManager;
+  }
+
+  /**
+  * Called after setUp() and before each test. Used for common assertions
+  * across all tests.
+  */
+  protected function assertPreConditions() {
+    $con = $this->getConnection();
+    $fixture = __DIR__ . '/../../../doctrine/truncateDataTables.xml';
+    $tables = simplexml_load_file($fixture);
+
+    foreach($tables as $tableName) {
+      $sql = "SELECT * FROM ".$tableName->getName();
+      $result = $con->createQueryTable('results_table', $sql);
+      if($result->getRowCount() != 0){
+        throw new RuntimeException("Invalid fixture. Table has rows: ".$tableName->getName());
+      }
+    }
+  }
+  /**
+   * Create some test user data
+   */
+  private function getUserData () {
+
+    $userData = array (
+      'TITLE' => 'President',
+      'FORENAME' => 'Forename',
+      'SURNAME' => 'Surname',
+      'EMAIL' => 'forename.surname@somedomain.net',
+      'TELEPHONE' => '01234 56789'
+    );
+
+    return $userData;
+  }
+  /**
+   * Create a minimal identifier
+   */
+  private function getUserIdentifier () {
+
+    $userIdentifier = array ('NAME'=>'X.509','VALUE'=>'/CN=Forename Surname');
+
+    return ($userIdentifier);
+  }
+
+  private function createAndRegisterUser ($userData, $userIdentifier) {
+
+    $userService = new org\gocdb\services\User();
+    $userService->setEntityManager($this->entityManager);
+    $userService->register($userData, $userIdentifier);
+
+    return $userService;
+  }
+  /*
+  * Tests begin here
+  */
+  public function testRegisterUser() {
+    print __METHOD__ . "\n";
+
+    $userData = $this->getUserData();
+    $userIdentifier = $this->getUserIdentifier();
+    $userService = $this->createAndRegisterUser($userData, $userIdentifier);
+
+    $user = $userService->getUserByPrinciple($userIdentifier['VALUE']);
+
+    // Check that we get an instance of User class in the correct namespace returned.
+    $this->assertTrue($user instanceof \User, 'User service failed to registered and return a User');
+
+  }
+  /**
+   * @depends testRegisterUser
+   */
+  public function testAddAPIAuthentication () {
+    print __METHOD__ . "\n";
+
+    $userData = $this->getUserData();
+    $userIdentifier = $this->getUserIdentifier();
+    $userService = $this->createAndRegisterUser($userData, $userIdentifier);
+
+    $authEnt = new \APIAuthentication();
+    $authEnt->setIdentifier($userIdentifier['VALUE']);
+    $authEnt->setType("X509");
+
+    $user = $userService->getUserByPrinciple($userIdentifier['VALUE']);
+
+    $user->addAPIAuthenticationEntitiesDoJoin($authEnt);
+
+    $authUser = $authEnt->getUser();
+    // Check that both sides of the relationship match
+    $this->assertEquals($user->getId(), $authUser->getId());
+  }
+}
diff --git a/tests/unit/resources/roleActionMappingSamples/TestRoleActionMappings4.xsd b/tests/unit/resources/roleActionMappingSamples/TestRoleActionMappings4.xsd
new file mode 100644
index 000000000..c4acae2c8
--- /dev/null
+++ b/tests/unit/resources/roleActionMappingSamples/TestRoleActionMappings4.xsd
@@ -0,0 +1,131 @@
+<?xml version="1.0"?>
+<!--
+/*
+* Copyright (C) 2015 STFC
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+* http://www.apache.org/licenses/LICENSE-2.0
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+@author David Meredith.
+
+@notes Ian Neilson - For annotation see the default file in the config directory
+-->
+
+<xs:schema targetNamespace="http://goc.egi.eu/2015/03/spec1.0_r1"
+           version="1.0"
+           xmlns="http://www.w3.org/2001/XMLSchema"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns:goc="http://goc.egi.eu/2015/03/spec1.0_r1"
+           elementFormDefault="qualified"
+           attributeFormDefault="unqualified">
+
+    <xs:element name="RoleActionMappingRules">
+        <xs:complexType>
+            <xs:sequence>
+                <xs:element ref="goc:RoleActionMapping" minOccurs="1" maxOccurs="1"></xs:element>
+            </xs:sequence>
+        </xs:complexType>
+    </xs:element>
+
+    <xs:element name="RoleActionMapping">
+        <xs:complexType>
+            <xs:sequence>
+                <xs:element ref="goc:RoleNames" minOccurs="0" maxOccurs="unbounded"></xs:element>
+                <xs:element ref="goc:RoleMapping" minOccurs="0" maxOccurs="unbounded"/>
+            </xs:sequence>
+        </xs:complexType>
+        <xs:unique name="testRolesUniqueInRoleActionMapping">
+            <xs:selector xpath="goc:RoleNames/goc:Role"/>
+            <xs:field xpath="."/>
+        </xs:unique>
+    </xs:element>
+
+    <xs:element name="RoleNames">
+        <xs:complexType>
+            <xs:sequence>
+                <xs:element name="Role" minOccurs="0" maxOccurs="unbounded">
+                    <xs:complexType>
+                        <xs:simpleContent>
+                            <xs:extension base="xs:string">
+                                <xs:attribute name="id" type="xs:ID">
+                                </xs:attribute>
+                            </xs:extension>
+                        </xs:simpleContent>
+                    </xs:complexType>
+                </xs:element>
+            </xs:sequence>
+            <xs:attribute name="over" type="string"/>
+        </xs:complexType>
+    </xs:element>
+
+    <element name="RoleMapping">
+        <complexType>
+            <sequence>
+                <!-- Inline Roles element -->
+                <xs:element name="Roles">
+                    <xs:complexType>
+                        <xs:sequence>
+                            <xs:element name="RoleRef" minOccurs="0" maxOccurs="unbounded">
+                                <xs:complexType>
+                                    <xs:attribute name="idRef" use="required">
+                                        <xs:simpleType>
+                                            <xs:restriction base="xs:string">
+                                                <xs:enumeration value="RA"/>
+                                                <xs:enumeration value="RB"/>
+                                                <xs:enumeration value="RC"/>
+                                                <xs:enumeration value="RD"/>
+                                                <xs:enumeration value="RE"/>
+                                                <xs:enumeration value="RF"/>
+                                        </xs:restriction>
+                                        </xs:simpleType>
+                                    </xs:attribute>
+                                </xs:complexType>
+                            </xs:element>
+                        </xs:sequence>
+                    </xs:complexType>
+                </xs:element>
+                <element name="EnabledActions" minOccurs="0" maxOccurs="unbounded">
+                    <complexType>
+                        <sequence>
+                            <element name="Actions">
+                                <xs:complexType>
+                                    <xs:sequence>
+                                        <xs:element name="Action" minOccurs="0" maxOccurs="unbounded">
+                                            <xs:simpleType>
+                                                <xs:restriction base="xs:string">
+                                                    <xs:enumeration value="A1"/>
+                                                    <xs:enumeration value="A2"/>
+                                                    <xs:enumeration value="A3"/>
+                                                    <xs:enumeration value="A4"/>
+                                                    <xs:enumeration value="A5"/>
+                                                    <xs:enumeration value="AX"/>
+                                                    <xs:enumeration value="AY"/>
+                                                </xs:restriction>
+                                            </xs:simpleType>
+                                        </xs:element>
+                                    </xs:sequence>
+                                </xs:complexType>
+                            </element>
+                            <element name="Target" minOccurs="1" maxOccurs="unbounded">
+                                <xs:simpleType>
+                                    <xs:restriction base="xs:string">
+                                        <xs:enumeration value="project"/>
+                                        <xs:enumeration value="service"/>
+                                        <xs:enumeration value="site"/>
+                                    </xs:restriction>
+                                </xs:simpleType>
+                            </element>
+                        </sequence>
+                    </complexType>
+                </element>
+            </sequence>
+        </complexType>
+    </element>
+
+</xs:schema>
diff --git a/tests/unit/resources/roleActionMappingSamples/TestRoleActionMappings5.xml b/tests/unit/resources/roleActionMappingSamples/TestRoleActionMappings5.xml
index 36f4f2074..c9d60007f 100644
--- a/tests/unit/resources/roleActionMappingSamples/TestRoleActionMappings5.xml
+++ b/tests/unit/resources/roleActionMappingSamples/TestRoleActionMappings5.xml
@@ -15,39 +15,39 @@
 -->
 
 
-<RoleActionMappingRules     
+<RoleActionMappingRules
     xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
     xmlns='http://goc.egi.eu/2015/03/spec1.0_r1'
-    xsi:schemaLocation='http://goc.egi.eu/2015/03/spec1.0_r1 ../../../../config/RoleActionMappingsSchema.xsd'> 
+    xsi:schemaLocation='http://goc.egi.eu/2015/03/spec1.0_r1 ../../../../config/RoleActionMappingsSchema.xsd'>
 
     <!--<RoleActionMapping>
         <TargetProject>EUDAT</TargetProject>
-           
+
         <RoleNames over="Project">
             <Role id="eudat_COD_STAFF">eCOD Staff</Role>
             <Role id="eudat_COD_ADMIN">eCOD Administrator</Role>
             <Role id="eudat_EGI_CSIRT_OFFICER">eEGI CSIRT Officer</Role>
             <Role id="eudat_COO">eChief Operations Officer</Role>
             <Role id="eudat_COOCOO">eCOOChief Operations Officer</Role>
-        </RoleNames>  
-        
-    </RoleActionMapping>--> 
+        </RoleNames>
+
+    </RoleActionMapping>-->
 
     <!--<RoleActionMapping>
         <TargetProject>WLCG</TargetProject>
-           
+
         <RoleNames over="site">
             <Role id="wlcg_COD_STAFF">wlcgCOD Staff</Role>
             <Role id="wlcg_COD_ADMIN">wlcgCOD Administrator</Role>
             <Role id="wlcg_EGI_CSIRT_OFFICER">wlcgEGI CSIRT Officer</Role>
             <Role id="wlcg_COO">wlcgChief Operations Officer</Role>
-        </RoleNames>  
-        
-    </RoleActionMapping>--> 
+        </RoleNames>
+
+    </RoleActionMapping>-->
 
 
     <!--<RoleActionMapping>
-           
+
         <RoleNames over="ServiceGroup">
             <Role id="defSERVICE_GROUP_ADMIN">defService Group Administrator</Role>
         </RoleNames>
@@ -58,32 +58,32 @@
             </Roles>
             <EnabledActions>
                 <Actions>
-                    <Action>ACtion_EDIT_OBJECT</Action>
-                    <Action>ACTION_GRANT_ROLE</Action> 
-                    <Action>ACTION_REJECT_ROLE</Action> 
+                    <Action>ACTION_EDIT_OBJECT</Action>
+                    <Action>ACTION_GRANT_ROLE</Action>
+                    <Action>ACTION_REJECT_ROLE</Action>
                     <Action>ACTION_REVOKE_ROLE</Action>
                 </Actions>
-                <Target>SERviceGroup</Target> 
+                <Target>ServiceGroup</Target>
             </EnabledActions>
         </RoleMapping>
-        
-    </RoleActionMapping>--> 
 
+    </RoleActionMapping>-->
 
-    <RoleActionMapping> 
-        <!--<TargetProject>EGI</TargetProject>--> 
 
-        <!-- 
-        Define the Role names and which of the owned entity types they apply to. 
-        Note, role name and alias values must be unique (names have a DB unique constraint).  
-        Aliases are used as a convenient shorthand to define the XML rules. 
-        --> 
+    <RoleActionMapping>
+        <!--<TargetProject>EGI</TargetProject>-->
+
+        <!--
+        Define the Role names and which of the owned entity types they apply to.
+        Note, role name and alias values must be unique (names have a DB unique constraint).
+        Aliases are used as a convenient shorthand to define the XML rules.
+        -->
         <RoleNames over="Project">
             <Role id="COD_STAFF">COD Staff</Role>
             <Role id="COD_ADMIN">COD Administrator</Role>
             <Role id="EGI_CSIRT_OFFICER">EGI CSIRT Officer</Role>
             <Role id="COO">Chief Operations Officer</Role>
-        </RoleNames>  
+        </RoleNames>
 
 
         <RoleNames over="Ngi">
@@ -94,12 +94,12 @@
             <Role id="REG_FIRST_LINE_SUPPORT">Regional First Line Support</Role>
         </RoleNames>
 
-        <RoleNames over="Site"> 
+        <RoleNames over="Site">
             <Role id="SITE_ADMIN">Site Administrator</Role>
             <Role id="SITE_SECOFFICER">Site Security Officer</Role>
             <Role id="SITE_OPS_DEP_MAN">Site Operations Deputy Manager</Role>
             <Role id="SITE_OPS_MAN">Site Operations Manager</Role>
-        </RoleNames> 
+        </RoleNames>
 
         <RoleNames over="ServiceGroup">
             <Role id="SERVICE_GROUP_ADMIN">Service Group Administrator</Role>
@@ -107,24 +107,24 @@
 
 
         <!--
-        The listed Roles enable the Actions over the target object(s). 
-        --> 
+        The listed Roles enable the Actions over the target object(s).
+        -->
 
         <RoleMapping>
             <Roles>
                 <RoleRef idRef="COD_STAFF"/>
-                <RoleRef idRef="COD_ADMIN"/> 
+                <RoleRef idRef="COD_ADMIN"/>
                 <RoleRef idRef="EGI_CSIRT_OFFICER"/>
                 <RoleRef idRef="COO"/>
-            </Roles>  
+            </Roles>
             <EnabledActions>
                 <Actions>
                     <Action>ACTION_EDIT_OBJECT</Action>
                     <Action>ACTION_GRANT_ROLE</Action>
                     <Action>ACTION_REJECT_ROLE</Action>
                     <Action>ACTION_REVOKE_ROLE</Action>
-                </Actions> 
-                <Target>Project</Target> 
+                </Actions>
+                <Target>Project</Target>
             </EnabledActions>
             <EnabledActions>
                 <Actions>
@@ -169,66 +169,66 @@
             </EnabledActions>
         </RoleMapping>
 
-        <RoleMapping> 
+        <RoleMapping>
             <Roles>
                 <RoleRef idRef="SITE_ADMIN"/>
-                <RoleRef idRef="SITE_SECOFFICER"/> 
-                <RoleRef idRef="SITE_OPS_DEP_MAN"/> 
+                <RoleRef idRef="SITE_SECOFFICER"/>
+                <RoleRef idRef="SITE_OPS_DEP_MAN"/>
                 <RoleRef idRef="SITE_OPS_MAN"/>
-                <RoleRef idRef="REG_FIRST_LINE_SUPPORT"/> 
-                <RoleRef idRef="REG_STAFF_ROD"/> 
-                <RoleRef idRef="NGI_SEC_OFFICER"/> 
-                <RoleRef idRef="NGI_OPS_DEP_MAN"/> 
-                <RoleRef idRef="NGI_OPS_MAN"/> 
-            </Roles>  
-            <EnabledActions> 
+                <RoleRef idRef="REG_FIRST_LINE_SUPPORT"/>
+                <RoleRef idRef="REG_STAFF_ROD"/>
+                <RoleRef idRef="NGI_SEC_OFFICER"/>
+                <RoleRef idRef="NGI_OPS_DEP_MAN"/>
+                <RoleRef idRef="NGI_OPS_MAN"/>
+            </Roles>
+            <EnabledActions>
                 <Actions>
                     <Action>ACTION_EDIT_OBJECT</Action>
                     <Action>ACTION_SITE_ADD_SERVICE</Action>
                     <Action>ACTION_SITE_DELETE_SERVICE</Action>
-                </Actions> 
-                <Target>Site</Target>   
-            </EnabledActions> 
-        </RoleMapping> 
+                </Actions>
+                <Target>Site</Target>
+            </EnabledActions>
+        </RoleMapping>
 
 
-        <RoleMapping> 
+        <RoleMapping>
             <Roles>
-                <RoleRef idRef="SITE_SECOFFICER"/> 
-                <RoleRef idRef="SITE_OPS_DEP_MAN"/> 
+                <RoleRef idRef="SITE_SECOFFICER"/>
+                <RoleRef idRef="SITE_OPS_DEP_MAN"/>
                 <RoleRef idRef="SITE_OPS_MAN"/>
-                <RoleRef idRef="NGI_SEC_OFFICER"/> 
-                <RoleRef idRef="NGI_OPS_DEP_MAN"/> 
-                <RoleRef idRef="NGI_OPS_MAN"/> 
-            </Roles> 
-            <EnabledActions> 
+                <RoleRef idRef="NGI_SEC_OFFICER"/>
+                <RoleRef idRef="NGI_OPS_DEP_MAN"/>
+                <RoleRef idRef="NGI_OPS_MAN"/>
+            </Roles>
+            <EnabledActions>
                 <Actions>
-                    <Action>ACTION_GRANT_ROLE</Action> 
-                    <Action> ACTION_REJECT_ROLE</Action> 
-                    <Action> ACTION_REVOKE_ROLE</Action>
-                </Actions> 
-                <Target>Site</Target>   
-            </EnabledActions> 
-        </RoleMapping> 
-
- 
-        <RoleMapping> 
+                    <Action>ACTION_GRANT_ROLE</Action>
+                    <Action>ACTION_REJECT_ROLE</Action>
+                    <Action>ACTION_REVOKE_ROLE</Action>
+                </Actions>
+                <Target>Site</Target>
+            </EnabledActions>
+        </RoleMapping>
+
+
+        <RoleMapping>
             <Roles>
-                <RoleRef idRef="NGI_SEC_OFFICER"/> 
-                <RoleRef idRef="NGI_OPS_DEP_MAN"/> 
-                <RoleRef idRef="NGI_OPS_MAN"/>  
+                <RoleRef idRef="NGI_SEC_OFFICER"/>
+                <RoleRef idRef="NGI_OPS_DEP_MAN"/>
+                <RoleRef idRef="NGI_OPS_MAN"/>
                 <RoleRef idRef="COD_STAFF"/>
                 <RoleRef idRef="COD_ADMIN"/>
                 <RoleRef idRef="EGI_CSIRT_OFFICER"/>
                 <RoleRef idRef="COO"/>
-            </Roles>  
-            <EnabledActions> 
+            </Roles>
+            <EnabledActions>
                 <Actions>
                     <Action>ACTION_SITE_EDIT_CERT_STATUS</Action>
-                </Actions> 
-                <Target>Site</Target>   
-            </EnabledActions> 
-        </RoleMapping> 
+                </Actions>
+                <Target>Site</Target>
+            </EnabledActions>
+        </RoleMapping>
 
 
         <RoleMapping>
@@ -237,31 +237,31 @@
             </Roles>
             <EnabledActions>
                 <Actions>
-                    <Action>ACtion_EDIT_OBJECT</Action>
-                    <Action>ACTION_GRANT_ROLE</Action> 
-                    <Action>ACTION_REJECT_ROLE</Action> 
+                    <Action>ACTION_EDIT_OBJECT</Action>
+                    <Action>ACTION_GRANT_ROLE</Action>
+                    <Action>ACTION_REJECT_ROLE</Action>
                     <Action>ACTION_REVOKE_ROLE</Action>
                 </Actions>
-                <Target>SERviceGroup</Target> 
+                <Target>ServiceGroup</Target>
             </EnabledActions>
         </RoleMapping>
 
-        <!-- 
-        For the newly proposed edit NGI cert status: 
-        <RoleMapping> 
+        <!--
+        For the newly proposed edit NGI cert status:
+        <RoleMapping>
            <Roles>
                <RoleRef idRef="COD_STAFF"/>
                <RoleRef idRef="COD_ADMIN"/>
                <RoleRef idRef="EGI_CSIRT_OFFICER"/>
                <RoleRef idRef="COO"/>
-           </Roles>  
-           <EnabledActions> 
-             <Actions><Action>ACTION_NGI_EDIT_CERT_STATUS</Action></Actions> 
-             <Target>Ngi</Target>   
-           </EnabledActions> 
-        </RoleMapping> 
+           </Roles>
+           <EnabledActions>
+             <Actions><Action>ACTION_NGI_EDIT_CERT_STATUS</Action></Actions>
+             <Target>Ngi</Target>
+           </EnabledActions>
+        </RoleMapping>
         -->
- 
-    </RoleActionMapping> 
+
+    </RoleActionMapping>
 
 </RoleActionMappingRules>
diff --git a/tests/unit/resources/roleActionMappingSamples/TestRoleActionMappings6.xml b/tests/unit/resources/roleActionMappingSamples/TestRoleActionMappings6.xml
index 733dadbe7..f26500ab2 100644
--- a/tests/unit/resources/roleActionMappingSamples/TestRoleActionMappings6.xml
+++ b/tests/unit/resources/roleActionMappingSamples/TestRoleActionMappings6.xml
@@ -15,29 +15,29 @@
 -->
 
 
-<RoleActionMappingRules     
+<RoleActionMappingRules
     xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
     xmlns='http://goc.egi.eu/2015/03/spec1.0_r1'
-    xsi:schemaLocation='http://goc.egi.eu/2015/03/spec1.0_r1 ../../../../config/RoleActionMappingsSchema.xsd'> 
+    xsi:schemaLocation='http://goc.egi.eu/2015/03/spec1.0_r1 ../../../../config/RoleActionMappingsSchema.xsd'>
 
 
-    <RoleActionMapping> 
-        <!-- TargetProject is optional, if not specifid the RoleActionMapping is 
+    <RoleActionMapping>
+        <!-- TargetProject is optional, if not specifid the RoleActionMapping is
         considered default and it applies to all projects unless a named
         RoleActionMapping for a particular project overrides the default -->
         <!--<TargetProject>p1</TargetProject>-->
 
-        <!-- 
-        Define the Role names and which of the owned entity types they apply to. 
-        Note, role name and alias values must be unique (names have a DB unique constraint).  
-        Aliases are used as a convenient shorthand to define the XML rules. 
-        --> 
+        <!--
+        Define the Role names and which of the owned entity types they apply to.
+        Note, role name and alias values must be unique (names have a DB unique constraint).
+        Aliases are used as a convenient shorthand to define the XML rules.
+        -->
         <RoleNames over="Project">
             <Role id="COD_STAFF">COD Staff</Role>
             <Role id="COD_ADMIN">COD Administrator</Role>
             <Role id="EGI_CSIRT_OFFICER">EGI CSIRT Officer</Role>
             <Role id="COO">Chief Operations Officer</Role>
-        </RoleNames>  
+        </RoleNames>
 
 
         <RoleNames over="Ngi">
@@ -48,12 +48,12 @@
             <Role id="REG_FIRST_LINE_SUPPORT">Regional First Line Support</Role>
         </RoleNames>
 
-        <RoleNames over="Site"> 
+        <RoleNames over="Site">
             <Role id="SITE_ADMIN">Site Administrator</Role>
             <Role id="SITE_SECOFFICER">Site Security Officer</Role>
             <Role id="SITE_OPS_DEP_MAN">Site Operations Deputy Manager</Role>
             <Role id="SITE_OPS_MAN">Site Operations Manager</Role>
-        </RoleNames> 
+        </RoleNames>
 
         <RoleNames over="ServiceGroup">
             <Role id="SERVICE_GROUP_ADMIN">Service Group Administrator</Role>
@@ -61,24 +61,24 @@
 
 
         <!--
-        The listed Roles enable the Actions over the target object(s). 
-        --> 
+        The listed Roles enable the Actions over the target object(s).
+        -->
 
         <RoleMapping>
             <Roles>
                 <RoleRef idRef="COD_STAFF"/>
-                <RoleRef idRef="COD_ADMIN"/> 
+                <RoleRef idRef="COD_ADMIN"/>
                 <RoleRef idRef="EGI_CSIRT_OFFICER"/>
                 <RoleRef idRef="COO"/>
-            </Roles>  
+            </Roles>
             <EnabledActions>
                 <Actions>
                     <Action>ACTION_EDIT_OBJECT</Action>
                     <Action>ACTION_GRANT_ROLE</Action>
                     <Action>ACTION_REJECT_ROLE</Action>
                     <Action>ACTION_REVOKE_ROLE</Action>
-                </Actions> 
-                <Target>Project</Target> 
+                </Actions>
+                <Target>Project</Target>
             </EnabledActions>
             <EnabledActions>
                 <Actions>
@@ -123,66 +123,66 @@
             </EnabledActions>
         </RoleMapping>
 
-        <RoleMapping> 
+        <RoleMapping>
             <Roles>
                 <RoleRef idRef="SITE_ADMIN"/>
-                <RoleRef idRef="SITE_SECOFFICER"/> 
-                <RoleRef idRef="SITE_OPS_DEP_MAN"/> 
+                <RoleRef idRef="SITE_SECOFFICER"/>
+                <RoleRef idRef="SITE_OPS_DEP_MAN"/>
                 <RoleRef idRef="SITE_OPS_MAN"/>
-                <RoleRef idRef="REG_FIRST_LINE_SUPPORT"/> 
-                <RoleRef idRef="REG_STAFF_ROD"/> 
-                <RoleRef idRef="NGI_SEC_OFFICER"/> 
-                <RoleRef idRef="NGI_OPS_DEP_MAN"/> 
-                <RoleRef idRef="NGI_OPS_MAN"/> 
-            </Roles>  
-            <EnabledActions> 
+                <RoleRef idRef="REG_FIRST_LINE_SUPPORT"/>
+                <RoleRef idRef="REG_STAFF_ROD"/>
+                <RoleRef idRef="NGI_SEC_OFFICER"/>
+                <RoleRef idRef="NGI_OPS_DEP_MAN"/>
+                <RoleRef idRef="NGI_OPS_MAN"/>
+            </Roles>
+            <EnabledActions>
                 <Actions>
                     <Action>ACTION_EDIT_OBJECT</Action>
                     <Action>ACTION_SITE_ADD_SERVICE</Action>
                     <Action>ACTION_SITE_DELETE_SERVICE</Action>
-                </Actions> 
-                <Target>Site</Target>   
-            </EnabledActions> 
-        </RoleMapping> 
+                </Actions>
+                <Target>Site</Target>
+            </EnabledActions>
+        </RoleMapping>
 
 
-        <RoleMapping> 
+        <RoleMapping>
             <Roles>
-                <RoleRef idRef="SITE_SECOFFICER"/> 
-                <RoleRef idRef="SITE_OPS_DEP_MAN"/> 
+                <RoleRef idRef="SITE_SECOFFICER"/>
+                <RoleRef idRef="SITE_OPS_DEP_MAN"/>
                 <RoleRef idRef="SITE_OPS_MAN"/>
-                <RoleRef idRef="NGI_SEC_OFFICER"/> 
-                <RoleRef idRef="NGI_OPS_DEP_MAN"/> 
-                <RoleRef idRef="NGI_OPS_MAN"/> 
-            </Roles> 
-            <EnabledActions> 
+                <RoleRef idRef="NGI_SEC_OFFICER"/>
+                <RoleRef idRef="NGI_OPS_DEP_MAN"/>
+                <RoleRef idRef="NGI_OPS_MAN"/>
+            </Roles>
+            <EnabledActions>
                 <Actions>
-                    <Action>ACTION_GRANT_ROLE</Action> 
-                    <Action> ACTION_REJECT_ROLE</Action> 
-                    <Action> ACTION_REVOKE_ROLE</Action>
-                </Actions> 
-                <Target>Site</Target>   
-            </EnabledActions> 
-        </RoleMapping> 
-
- 
-        <RoleMapping> 
+                    <Action>ACTION_GRANT_ROLE</Action>
+                    <Action>ACTION_REJECT_ROLE</Action>
+                    <Action>ACTION_REVOKE_ROLE</Action>
+                </Actions>
+                <Target>Site</Target>
+            </EnabledActions>
+        </RoleMapping>
+
+
+        <RoleMapping>
             <Roles>
-                <RoleRef idRef="NGI_SEC_OFFICER"/> 
-                <RoleRef idRef="NGI_OPS_DEP_MAN"/> 
-                <RoleRef idRef="NGI_OPS_MAN"/>  
+                <RoleRef idRef="NGI_SEC_OFFICER"/>
+                <RoleRef idRef="NGI_OPS_DEP_MAN"/>
+                <RoleRef idRef="NGI_OPS_MAN"/>
                 <RoleRef idRef="COD_STAFF"/>
                 <RoleRef idRef="COD_ADMIN"/>
                 <RoleRef idRef="EGI_CSIRT_OFFICER"/>
                 <RoleRef idRef="COO"/>
-            </Roles>  
-            <EnabledActions> 
+            </Roles>
+            <EnabledActions>
                 <Actions>
                     <Action>ACTION_SITE_EDIT_CERT_STATUS</Action>
-                </Actions> 
-                <Target>Site</Target>   
-            </EnabledActions> 
-        </RoleMapping> 
+                </Actions>
+                <Target>Site</Target>
+            </EnabledActions>
+        </RoleMapping>
 
 
         <RoleMapping>
@@ -191,35 +191,35 @@
             </Roles>
             <EnabledActions>
                 <Actions>
-                    <Action>ACtion_EDIT_OBJECT</Action>
-                    <Action>ACTION_GRANT_ROLE</Action> 
-                    <Action>ACTION_REJECT_ROLE</Action> 
+                    <Action>ACTION_EDIT_OBJECT</Action>
+                    <Action>ACTION_GRANT_ROLE</Action>
+                    <Action>ACTION_REJECT_ROLE</Action>
                     <Action>ACTION_REVOKE_ROLE</Action>
                 </Actions>
-                <Target>SERviceGroup</Target> 
+                <Target>ServiceGroup</Target>
             </EnabledActions>
         </RoleMapping>
 
-        <!-- 
-        For the newly proposed edit NGI cert status: 
-        <RoleMapping> 
+        <!--
+        For the newly proposed edit NGI cert status:
+        <RoleMapping>
            <Roles>
                <RoleRef idRef="COD_STAFF"/>
                <RoleRef idRef="COD_ADMIN"/>
                <RoleRef idRef="EGI_CSIRT_OFFICER"/>
                <RoleRef idRef="COO"/>
-           </Roles>  
-           <EnabledActions> 
-             <Actions><Action>ACTION_NGI_EDIT_CERT_STATUS</Action></Actions> 
-             <Target>Ngi</Target>   
-           </EnabledActions> 
-        </RoleMapping> 
+           </Roles>
+           <EnabledActions>
+             <Actions><Action>ACTION_NGI_EDIT_CERT_STATUS</Action></Actions>
+             <Target>Ngi</Target>
+           </EnabledActions>
+        </RoleMapping>
         -->
- 
-    </RoleActionMapping> 
 
-    <!-- 
-    <RoleActionMapping> 
+    </RoleActionMapping>
+
+    <!--
+    <RoleActionMapping>
         <TargetProject>p2</TargetProject>
 
         <RoleNames over="Project">
@@ -227,7 +227,7 @@
             <Role id="p2COD_ADMIN">COD Administrator</Role>
             <Role id="p2EGI_CSIRT_OFFICER">EGI CSIRT Officer</Role>
             <Role id="p2COO">Chief Operations Officer</Role>
-        </RoleNames>  
+        </RoleNames>
 
 
         <RoleNames over="Ngi">
@@ -238,12 +238,12 @@
             <Role id="p2REG_FIRST_LINE_SUPPORT">Regional First Line Support</Role>
         </RoleNames>
 
-        <RoleNames over="Site"> 
+        <RoleNames over="Site">
             <Role id="p2SITE_ADMIN">Site Administrator</Role>
             <Role id="p2SITE_SECOFFICER">Site Security Officer</Role>
             <Role id="p2SITE_OPS_DEP_MAN">Site Operations Deputy Manager</Role>
             <Role id="p2SITE_OPS_MAN">Site Operations Manager</Role>
-        </RoleNames> 
+        </RoleNames>
 
         <RoleNames over="ServiceGroup">
             <Role id="p2SERVICE_GROUP_ADMIN">Service Group Administrator</Role>
@@ -252,18 +252,18 @@
         <RoleMapping>
             <Roles>
                 <RoleRef idRef="p2COD_STAFF"/>
-                <RoleRef idRef="p2COD_ADMIN"/> 
+                <RoleRef idRef="p2COD_ADMIN"/>
                 <RoleRef idRef="p2EGI_CSIRT_OFFICER"/>
                 <RoleRef idRef="p2COO"/>
-            </Roles>  
+            </Roles>
             <EnabledActions>
                 <Actions>
                     <Action>ACTION_EDIT_OBJECT</Action>
                     <Action>ACTION_GRANT_ROLE</Action>
                     <Action>ACTION_REJECT_ROLE</Action>
                     <Action>ACTION_REVOKE_ROLE</Action>
-                </Actions> 
-                <Target>Project</Target> 
+                </Actions>
+                <Target>Project</Target>
             </EnabledActions>
             <EnabledActions>
                 <Actions>
@@ -308,66 +308,66 @@
             </EnabledActions>
         </RoleMapping>
 
-        <RoleMapping> 
+        <RoleMapping>
             <Roles>
                 <RoleRef idRef="p2SITE_ADMIN"/>
-                <RoleRef idRef="p2SITE_SECOFFICER"/> 
-                <RoleRef idRef="p2SITE_OPS_DEP_MAN"/> 
+                <RoleRef idRef="p2SITE_SECOFFICER"/>
+                <RoleRef idRef="p2SITE_OPS_DEP_MAN"/>
                 <RoleRef idRef="p2SITE_OPS_MAN"/>
-                <RoleRef idRef="p2REG_FIRST_LINE_SUPPORT"/> 
-                <RoleRef idRef="p2REG_STAFF_ROD"/> 
-                <RoleRef idRef="p2NGI_SEC_OFFICER"/> 
-                <RoleRef idRef="p2NGI_OPS_DEP_MAN"/> 
-                <RoleRef idRef="p2NGI_OPS_MAN"/> 
-            </Roles>  
-            <EnabledActions> 
+                <RoleRef idRef="p2REG_FIRST_LINE_SUPPORT"/>
+                <RoleRef idRef="p2REG_STAFF_ROD"/>
+                <RoleRef idRef="p2NGI_SEC_OFFICER"/>
+                <RoleRef idRef="p2NGI_OPS_DEP_MAN"/>
+                <RoleRef idRef="p2NGI_OPS_MAN"/>
+            </Roles>
+            <EnabledActions>
                 <Actions>
                     <Action>ACTION_EDIT_OBJECT</Action>
                     <Action>ACTION_SITE_ADD_SERVICE</Action>
                     <Action>ACTION_SITE_DELETE_SERVICE</Action>
-                </Actions> 
-                <Target>Site</Target>   
-            </EnabledActions> 
-        </RoleMapping> 
+                </Actions>
+                <Target>Site</Target>
+            </EnabledActions>
+        </RoleMapping>
 
 
-        <RoleMapping> 
+        <RoleMapping>
             <Roles>
-                <RoleRef idRef="p2SITE_SECOFFICER"/> 
-                <RoleRef idRef="p2SITE_OPS_DEP_MAN"/> 
+                <RoleRef idRef="p2SITE_SECOFFICER"/>
+                <RoleRef idRef="p2SITE_OPS_DEP_MAN"/>
                 <RoleRef idRef="p2SITE_OPS_MAN"/>
-                <RoleRef idRef="p2NGI_SEC_OFFICER"/> 
-                <RoleRef idRef="p2NGI_OPS_DEP_MAN"/> 
-                <RoleRef idRef="p2NGI_OPS_MAN"/> 
-            </Roles> 
-            <EnabledActions> 
+                <RoleRef idRef="p2NGI_SEC_OFFICER"/>
+                <RoleRef idRef="p2NGI_OPS_DEP_MAN"/>
+                <RoleRef idRef="p2NGI_OPS_MAN"/>
+            </Roles>
+            <EnabledActions>
                 <Actions>
-                    <Action>ACTION_GRANT_ROLE</Action> 
-                    <Action> ACTION_REJECT_ROLE</Action> 
-                    <Action> ACTION_REVOKE_ROLE</Action>
-                </Actions> 
-                <Target>Site</Target>   
-            </EnabledActions> 
-        </RoleMapping> 
-
- 
-        <RoleMapping> 
+                    <Action>ACTION_GRANT_ROLE</Action>
+                    <Action>ACTION_REJECT_ROLE</Action>
+                    <Action>ACTION_REVOKE_ROLE</Action>
+                </Actions>
+                <Target>Site</Target>
+            </EnabledActions>
+        </RoleMapping>
+
+
+        <RoleMapping>
             <Roles>
-                <RoleRef idRef="p2NGI_SEC_OFFICER"/> 
-                <RoleRef idRef="p2NGI_OPS_DEP_MAN"/> 
-                <RoleRef idRef="p2NGI_OPS_MAN"/>  
+                <RoleRef idRef="p2NGI_SEC_OFFICER"/>
+                <RoleRef idRef="p2NGI_OPS_DEP_MAN"/>
+                <RoleRef idRef="p2NGI_OPS_MAN"/>
                 <RoleRef idRef="p2COD_STAFF"/>
                 <RoleRef idRef="p2COD_ADMIN"/>
                 <RoleRef idRef="p2EGI_CSIRT_OFFICER"/>
                 <RoleRef idRef="p2COO"/>
-            </Roles>  
-            <EnabledActions> 
+            </Roles>
+            <EnabledActions>
                 <Actions>
                     <Action>ACTION_SITE_EDIT_CERT_STATUS</Action>
-                </Actions> 
-                <Target>Site</Target>   
-            </EnabledActions> 
-        </RoleMapping> 
+                </Actions>
+                <Target>Site</Target>
+            </EnabledActions>
+        </RoleMapping>
 
 
         <RoleMapping>
@@ -376,21 +376,21 @@
             </Roles>
             <EnabledActions>
                 <Actions>
-                    <Action>ACtion_EDIT_OBJECT</Action>
-                    <Action>ACTION_GRANT_ROLE</Action> 
-                    <Action>ACTION_REJECT_ROLE</Action> 
+                    <Action>ACTION_EDIT_OBJECT</Action>
+                    <Action>ACTION_GRANT_ROLE</Action>
+                    <Action>ACTION_REJECT_ROLE</Action>
                     <Action>ACTION_REVOKE_ROLE</Action>
                 </Actions>
-                <Target>SERviceGroup</Target> 
+                <Target>ServiceGroup</Target>
             </EnabledActions>
         </RoleMapping>
 
-    </RoleActionMapping> 
+    </RoleActionMapping>
     -->
    <!--
-    <RoleActionMapping> 
+    <RoleActionMapping>
         <TargetProject>p3</TargetProject>
-    </RoleActionMapping> 
-    --> 
-            
+    </RoleActionMapping>
+    -->
+
 </RoleActionMappingRules>