diff --git a/devops-service/db/mongo/models/user.rb b/devops-service/db/mongo/models/user.rb
index 6adb27d..fdb04e3 100644
--- a/devops-service/db/mongo/models/user.rb
+++ b/devops-service/db/mongo/models/user.rb
@@ -10,7 +10,7 @@ class User < MongoModel
 ROOT_PASSWORD = ''
 PRIVILEGES = ["r", "w", "x"]
- PRIVILEGES_REGEX = /r?w?x?/
+ PRIVILEGES_REGEX = /^r?w?x?$/
 attr_accessor :id, :password, :privileges, :email
 types :id => {:type => String, :empty => false},
@@ -36,7 +36,7 @@ class User < MongoModel
 if !priv.empty? and PRIVILEGES_REGEX.match(priv).to_s.empty?
 raise InvalidCommand.new "Invalid privileges '#{priv}'. Available values are '#{PRIVILEGES.join("', '")}'"
 end
- raise InvalidCommand.new "Can't grant privileges to root" if self.id == ROOT_USER_NAME
+ raise InvalidPrivileges.new "Can't grant privileges to root" if self.id == ROOT_USER_NAME
 case cmd
 when "all"
diff --git a/devops-service/routes/v2.0/user.rb b/devops-service/routes/v2.0/user.rb
index d37aedf..9a3d82b 100644
--- a/devops-service/routes/v2.0/user.rb
+++ b/devops-service/routes/v2.0/user.rb
@@ -116,7 +116,7 @@ module Version2_0
 # - body :
 # {
 # "cmd": "command or all", -> if empty, set default privileges
- # "privileges": "priv" -> 'r', 'rw' or ''
+ # "privileges": "priv" -> 'rwx' or ''
 # }
 #
 # * *Returns* :
diff --git a/devops-service/tests/features/step_definitions/http_queries_steps.rb b/devops-service/tests/features/step_definitions/http_queries_steps.rb
index fd0d194..b34e5b6 100644
--- a/devops-service/tests/features/step_definitions/http_queries_steps.rb
+++ b/devops-service/tests/features/step_definitions/http_queries_steps.rb
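Review bot: `^` and `$` are line anchors in Ruby, so the new PRIVILEGES_REGEX still accepts a value that contains a newline: `match` finds a valid token on a later line, the `.to_s.empty?` test in the validator lower in this file passes, and the whole unvalidated string is kept as the user's privileges. Anchor the entire string instead: `PRIVILEGES_REGEX = /\Ar?w?x?\z/`. With that constant the validator's condition could also drop the `to_s` detour and read `!priv.empty? && !PRIVILEGES_REGEX.match?(priv)`, provided the Ruby in use has Regexp#match? (2.4+); the Ruby version is not visible in this diff.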
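Review bot: After this change the two rejections in this method raise different classes in what looks like the inverted pairing: a malformed privileges string (the raise three lines above the changed line) still raises InvalidCommand, while the root guard now raises InvalidPrivileges. If the intent is a distinct error for the privileges argument, the format check is the one that should raise `InvalidPrivileges.new "Invalid privileges '#{priv}'. Available values are '#{PRIVILEGES.join("', '")}'"`. If InvalidPrivileges is newly introduced, neither its definition nor the HTTP status the route layer maps it to appears in this diff, so the expected 401 for the root case in the new feature template should be confirmed against that mapping. The enclosing method starts and ends outside the hunk.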
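Review bot: The updated comment `'rwx' or ''` understates what the model accepts: PRIVILEGES_REGEX allows any in-order subset of r, w and x, which is exactly what the new feature template exercises (r, w, x, rw, rx, wx, rwx). Suggest `# "privileges": "priv" -> any in-order subset of 'rwx' ('r', 'rw', 'wx', 'rwx', ...) or ''` so the API doc and the validator agree.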
@@ -91,6 +91,11 @@ When(/^I send PUT '(.*)' query with JSON body without header '(.*)'$/) do |path,
 res = put_body(path, body, headers)
 end
+When(/^I send PUT '(.*)' query with JSON body with user without privileges$/) do |path, body|
+ JSON.parse(body) unless body.strip.empty?
+ res = put_without_privileges(path, body, DEFAULT_HEADERS)
+end
+
 Then(/^response should be '(\d+)'$/) do |code|
 assert(code.to_i == last_response.status, "Status is not #{code}, it is #{last_response.status}")
 end
diff --git a/devops-service/tests/features/support/env.rb b/devops-service/tests/features/support/env.rb
index 2ac9a4c..be854b1 100644
--- a/devops-service/tests/features/support/env.rb
+++ b/devops-service/tests/features/support/env.rb
@@ -96,9 +96,9 @@ class RequestSender
 end
 end
- def put_without_privileges path, query={}, headers={}
+ def put_without_privileges path, query="", headers={}
 user_without_privileges do
- put(path, query, headers)
+ put_body(path, query, headers)
 end
 end
diff --git a/devops-service/tests/generate_tests.rb b/devops-service/tests/generate_tests.rb
index f65b091..f268bfc 100755
--- a/devops-service/tests/generate_tests.rb
+++ b/devops-service/tests/generate_tests.rb
@@ -44,6 +44,7 @@ templates = {
 #update
 "templates/api_v2/20_update/10_image.feature.erb" => "features/api_v2/20_update/10_image.feature",
+ "templates/api_v2/20_update/00_user.feature.erb" => "features/api_v2/20_update/00_user.feature",
 #delete
 "templates/api_v2/90_delete/10_script.feature.erb" => "features/api_v2/90_delete/10_script.feature",
diff --git a/devops-service/tests/templates/api_v2/20_update/00_user.feature.erb b/devops-service/tests/templates/api_v2/20_update/00_user.feature.erb
new file mode 100644
index 0000000..5c2c584
--- /dev/null
+++ b/devops-service/tests/templates/api_v2/20_update/00_user.feature.erb
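Review bot: `res` in the new step is assigned and never read; the only assertion (`Then response should be`) reads `last_response`, so the local can go: `put_without_privileges(path, body, DEFAULT_HEADERS)`. The existing step above it has the same unused `res`, so this mirrors current style rather than introducing it. The `JSON.parse(body)` line discards its result and exists only to fail fast on a malformed fixture; a one-line comment such as `# fixture sanity check: fail the step early if the body is not valid JSON` would stop a reader from looking for a missing assignment.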
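Review bot: The parameter of put_without_privileges is still named `query` although it now defaults to "" and is forwarded to put_body as a request body; renaming it documents the changed contract: `def put_without_privileges path, body="", headers={}` with `put_body(path, body, headers)`. Any existing caller that relied on the old `query={}` default and passed a Hash would now reach put_body with a Hash instead of a string; no such caller is visible in this diff, so that is worth a grep before merging.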
@@ -0,0 +1,202 @@
+@user
+Feature: change user privileges and password
+
+ <% %w{password email}.each do |k| %>
+ <% val = (k == "email" ? "#{@config["user"]["name"]}@test.test" : @config["user"]["name"]) %>
+ Scenario: change user <%= k %> with user without privileges
+ When I send PUT '/v2.0/user/<%= @config["user"]["name"] %>/<%= k %>' query with JSON body with user without privileges
+ """
+ {
+ "<%= k %>": "<%= val %>"
+ }
+ """
+ Then response should be '401'
+
+ Scenario: change root <%= k %>
+ When I send PUT '/v2.0/user/root/<%= k %>' query with JSON body
+ """
+ {
+ "<%= k %>": "<%= val %>"
+ }
+ """
+ Then response should be '401'
+
+ Scenario: change user <%= k %> without header 'Accept'
+ When I send PUT '/v2.0/user/<%= @config["user"]["name"] %>/<%= k %>' query with JSON body without header 'Accept'
+ """
+ {
+ "<%= k %>": "<%= val %>"
+ }
+ """
+ Then response should be '406'
+
+ Scenario: change user <%= k %> without header 'Content-Type'
+ When I send PUT '/v2.0/user/<%= @config["user"]["name"] %>/<%= k %>' query with JSON body without header 'Content-Type'
+ """
+ {
+ "<%= k %>": "<%= val %>"
+ }
+ """
+ Then response should be '415'
+
+ Scenario: change user <%= k %>, invalid body: empty
+ When I send PUT '/v2.0/user/<%= @config["user"]["name"] %>/<%= k %>' query with JSON body
+ """
+ """
+ Then response should be '400'
+
+ <% ["{}", "[]", ""].each do |body| %>
+ Scenario: change user <%= k %>, invalid body: body is a '<%= body %>'
+ When I send PUT '/v2.0/user/<%= @config["user"]["name"] %>/<%= k %>' query with JSON body
+ """
+ <%= body %>
+ """
+ Then response should be '400'
+ <% end %>
+ <% elements = ["{}", "[]", "null" ] %>
+ <% elements.each do |value| %>
+ Scenario: change user <%= k %>, invalid body: <%= k %> is a '<%= value %>'
+ When I send PUT '/v2.0/user/<%= @config["user"]["name"] %>/<%= k %>' query with JSON body
+ """
+ {
+ "<%= k %>": <%= value %>
+ }
+ """
+ Then response should be '400'
+ <% end %>
+
+ Scenario: change user <%= k %>
+ When I send PUT '/v2.0/user/<%= @config["user"]["name"] %>/<%= k %>' query with JSON body
+ """
+ {
+ "<%= k %>": "<%= val %>"
+ }
+ """
+ Then response should be '200'
+ And the Content-Type header should include 'application/json'
+
+ <% end %>
+
+ Scenario: change user privileges with user without privileges
+ When I send PUT '/v2.0/user/<%= @config["user"]["name"] %>' query with JSON body with user without privileges
+ """
+ {}
+ """
+ Then response should be '401'
+
+ Scenario: change root privileges
+ When I send PUT '/v2.0/user/root' query with JSON body
+ """
+ {}
+ """
+ Then response should be '401'
+
+ Scenario: change user privileges without header 'Accept'
+ When I send PUT '/v2.0/user/<%= @config["user"]["name"] %>' query with JSON body without header 'Accept'
+ """
+ {}
+ """
+ Then response should be '406'
+
+ Scenario: change user privileges without header 'Content-Type'
+ When I send PUT '/v2.0/user/<%= @config["user"]["name"] %>' query with JSON body without header 'Content-Type'
+ """
+ {}
+ """
+ Then response should be '415'
+
+ <% ["[]", ""].each do |body| %>
+ Scenario: change user privileges, invalid body: body is a '<%= body %>'
+ When I send PUT '/v2.0/user/<%= @config["user"]["name"] %>' query with JSON body
+ """
+ <%= body %>
+ """
+ Then response should be '400'
+ <% end %>
+ <% elements = ["{}", "[]" ] %>
+ <% elements.each do |value| %>
+ Scenario: change user privileges, invalid body: cmd is a '<%= value %>'
+ When I send PUT '/v2.0/user/<%= @config["user"]["name"] %>' query with JSON body
+ """
+ {
+ "cmd": "<%= value %>",
+ "privileges": "r"
+ }
+ """
+ Then response should be '400'
+
+ Scenario: change user privileges, invalid body: privileges is a '<%= value %>'
+ When I send PUT '/v2.0/user/<%= @config["user"]["name"] %>' query with JSON body
+ """
+ {
+ "cmd": "all",
+ "privileges": "<%= value %>"
+ }
+ """
+ Then response should be '400'
+ <% end %>
+
+ Scenario: change user privileges: foo - r
+ When I send PUT '/v2.0/user/<%= @config["user"]["name"] %>' query with JSON body
+ """
+ {
+ "cmd": "foo",
+ "privileges": "r"
+ }
+ """
+ Then response should be '400'
+ <% %w{foo, rr, rwwww, rwxxx, rwf}.each do |priv| %>
+ Scenario: change user privileges: all - <%= priv %>
+ When I send PUT '/v2.0/user/<%= @config["user"]["name"] %>' query with JSON body
+ """
+ {
+ "cmd": "all",
+ "privileges": "<%= priv %>"
+ }
+ """
+ Then response should be '400'
+ <% end %>
+
+ <% privs = %w{r w x rw rx wx rwx} %>
+
+ <% %w{flavor group image project server key user filter network provider script templates all}.each do |cmd| %>
+ <% privs.each do |priv| %>
+ Scenario: change user privileges: <%= cmd %> - <%= priv %>
+ When I send PUT '/v2.0/user/<%= @config["user"]["name"] %>' query with JSON body
+ """
+ {
+ "cmd": "<%= cmd %>",
+ "privileges": "<%= priv %>"
+ }
+ """
+ Then response should be '200'
+ <% end %>
+ Scenario: change user privileges: <%= cmd %> - without privileges
+ When I send PUT '/v2.0/user/<%= @config["user"]["name"] %>' query with JSON body
+ """
+ {
+ "cmd": "<%= cmd %>"
+ }
+ """
+ Then response should be '200'
+
+ Scenario: change user privileges: <%= cmd %> - ' '
+ When I send PUT '/v2.0/user/<%= @config["user"]["name"] %>' query with JSON body
+ """
+ {
+ "cmd": "<%= cmd %>",
+ "privileges": " "
+ }
+ """
+ Then response should be '400'
+
+ <% end %>
+
+ Scenario: change user privileges: set default privileges
+ When I send PUT '/v2.0/user/<%= @config["user"]["name"] %>' query with JSON body
+ """
+ {
+ }
+ """
+ Then response should be '200'
+
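Review bot: `%w{foo, rr, rwwww, rwxxx, rwf}` splits on whitespace only, so the first four values are rendered with a trailing comma ("foo,", "rr,", "rwwww,", "rwxxx,") and are rejected for the comma rather than for the repeated letters the scenario names imply; only "rwf" tests what it claims. Write `<% %w{foo rr rwwww rwxxx rwf}.each do |priv| %>`. In the password/email section, the `["{}", "[]", ""]` loop also re-sends the empty body that the preceding 'invalid body: empty' scenario already covers, so two generated scenarios issue the same request; dropping `""` from that list removes the duplicate. The expected 401 for the root scenarios depends on how the service maps the model's error class to a status, which this diff does not show.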