diff --git a/catalyst/api-bundle/Entity/Role.php b/catalyst/api-bundle/Entity/Role.php
new file mode 100644
index 00000000..534638b3
--- /dev/null
+++ b/catalyst/api-bundle/Entity/Role.php
@@ -0,0 +1,120 @@
+users = new ArrayCollection();
+ $this->acl_attributes = [];
+ }
+
+ public function setID($id)
+ {
+ // example ROLE_SUPER_ADMIN, ROLE_CASHIER, etc
+ $this->id = $id;
+ return $this;
+ }
+
+ public function getID()
+ {
+ return $this->id;
+ }
+
+ public function setName($name)
+ {
+ $this->name = $name;
+ return $this;
+ }
+
+ public function getName()
+ {
+ return $this->name;
+ }
+
+ public function getUsers()
+ {
+ return $this->users;
+ }
+
+ public function getUsersCount()
+ {
+ return $this->users->count();
+ }
+
+ public function isSuperAdmin()
+ {
+ if ($this->id == self::SUPER_ADMIN)
+ return true;
+
+ return false;
+ }
+
+ // TODO: shift out ACL stuff to its own class
+ public function clearACLAttributes()
+ {
+ $this->acl_attributes = [];
+ return $this;
+ }
+
+ public function getACLAttributes()
+ {
+ return $this->acl_attributes;
+ }
+
+ public function addACLAccess($attribute)
+ {
+ $this->acl_attributes[$attribute] = true;
+ return $this;
+ }
+
+ public function hasACLAccess($attribute)
+ {
+ // if it's super admin, they always have access
+ if ($this->isSuperAdmin())
+ return true;
+
+ // check ACL attributes
+ if (isset($this->acl_attributes[$attribute]) && $this->acl_attributes[$attribute])
+ return true;
+
+ return false;
+ }
+}
diff --git a/catalyst/api-bundle/Entity/User.php b/catalyst/api-bundle/Entity/User.php
index 8d0aa1ec..bc174c13 100644
--- a/catalyst/api-bundle/Entity/User.php
+++ b/catalyst/api-bundle/Entity/User.php
@@ -4,6 +4,8 @@ namespace Catalyst\APIBundle\Entity;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Doctrine\ORM\Mapping as ORM;
+use Doctrine\ORM\Mapping\JoinColumn;
+use Doctrine\Common\Collections\ArrayCollection;
 use DateTime;
 /**
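Review bot: In Role.php, `isSuperAdmin()` tests `$this->id == self::SUPER_ADMIN`, and `hasACLAccess()` returns true for every attribute once that test passes, so the whole ACL decision rests on a loose comparison. `setID($id)` is untyped, and under PHP's `==` rules a boolean `true` (and, before PHP 8, the integer `0`) compares equal to a non-numeric string, which is presumably what SUPER_ADMIN holds given the `ROLE_SUPER_ADMIN` example in the setID comment; the constant's declaration is not visible here. I would reduce the method to `return $this->id === self::SUPER_ADMIN;` so only the exact identifier grants the bypass. The class header, properties and constants belong to the part of this hunk that is missing from the page.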
@@ -37,7 +39,10 @@ class User implements UserInterface
 protected $date_create;
 // roles
- // TODO: make this db loaded
+ /**
+ * @ORM\ManyToMany(targetEntity="Role", inversedBy="users")
+ * @ORM\JoinTable(name="api_user_role")
+ */
 protected $roles;
 public function __construct()
@@ -48,6 +53,8 @@ class User implements UserInterface
 // set date created
 $this->date_create = new DateTime();
+
+ $this->roles = new ArrayCollection();
 }
 public function getID()
@@ -90,7 +97,11 @@ class User implements UserInterface
 public function getRoles()
 {
- return ['ROLE_API'];
+ $str_roles = [];
+ foreach ($this->roles as $role)
+ $str_roles[] = $role->getID();
+
+ return $str_roles;
 }
 public function getDateCreate()
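Review bot: In User.php, `getRoles()` no longer returns `ROLE_API` for anyone, so a user with no rows in `api_user_role` now gets an empty role list; if any firewall or access rule still requires `ROLE_API` (none is visible on this page), existing API users lose access until roles are backfilled, and no migration is shown here. The returned strings are raw `Role::getID()` values, so whatever code writes the role tables decides Symfony roles directly, including the super-admin identifier that `Role::hasACLAccess()` treats as access to everything; that write path should sit behind its own permission check and be logged. I would document above the method that role IDs must carry the `ROLE_` prefix for Symfony's role voter to consider them, and brace the loop as `foreach ($this->roles as $role) { $str_roles[] = $role->getID(); }`. The User class body starts and continues outside these hunks.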