diff --git a/webapp/build.xml b/webapp/build.xml
index 41b3269c7..ee1a4280a 100644
--- a/webapp/build.xml
+++ b/webapp/build.xml
@@ -114,8 +114,8 @@ deploy   - Deploy the application directly into the Tomcat webapps directory.
 		      message="${deploy.properties.file} must contain a value for VitroConnection.DataSource.username" />
 		<fail unless="VitroConnection.DataSource.password"
 		      message="${deploy.properties.file} must contain a value for VitroConnection.DataSource.password" />
-		<fail unless="initialAdminUser"
-		      message="${deploy.properties.file} must contain a value for initialAdminUser" />
+		<fail unless="rootUser.emailAddress"
+		      message="${deploy.properties.file} must contain a value for rootUser.emailAddress" />
 
 	</target>
 
diff --git a/webapp/config/example.deploy.properties b/webapp/config/example.deploy.properties
index 9148818b3..339405801 100644
--- a/webapp/config/example.deploy.properties
+++ b/webapp/config/example.deploy.properties
@@ -83,11 +83,11 @@ VitroConnection.DataSource.validationQuery = SELECT 1
 # vitro.local.solr.url = 
 
 #
-# The name of your first admin user for the Vitro application. The password 
-# for this user is initially set to "defaultAdmin", but you will be asked to 
+# The email address of the root user for the VIVO application. The password 
+# for this user is initially set to "rootPassword", but you will be asked to 
 # change the password the first time you log in.
 #
-initialAdminUser = defaultAdmin
+rootUser.emailAddress = root@myDomain.com
 
 #
 # How is a logged-in user associated with a particular Individual? One way is 
diff --git a/webapp/config/web.xml b/webapp/config/web.xml
index 7140c90f7..31e263e37 100644
--- a/webapp/config/web.xml
+++ b/webapp/config/web.xml
@@ -105,11 +105,11 @@
   </listener> 
   
   <!--  Update to the new UserAccounts model (1.3). Needs to run after JenaDataSourceSetup. -->
-  <!-- <listener>
+  <listener>
     <listener-class>
         edu.cornell.mannlib.vitro.webapp.servlet.setup.UpdateUserAccounts
     </listener-class>
-  </listener> -->
+  </listener>
 
   <!-- Attaching submodels permits extra RDF files to be made visible without storing the data in the DB. -->
   <listener>
@@ -151,6 +151,10 @@
     </listener-class>
   </listener>
 
+  <listener>
+    <listener-class> edu.cornell.mannlib.vitro.webapp.auth.policy.RootUserPolicy$Setup</listener-class>
+  </listener>
+
   <!-- The Lucene index uses a "public" filter, so the PropertyRestrictionPolicyHelper must already be set up. -->
   <!--
   <listener>
@@ -635,15 +639,6 @@
     <url-pattern>/keywordEdit</url-pattern>
   </servlet-mapping>
 
-  <servlet>
-    <servlet-name>UserEditController</servlet-name>
-    <servlet-class>edu.cornell.mannlib.vitro.webapp.controller.edit.UserEditController</servlet-class>
-  </servlet>
-  <servlet-mapping>
-    <servlet-name>UserEditController</servlet-name>
-    <url-pattern>/userEdit</url-pattern>
-  </servlet-mapping>
-
   <servlet>
     <servlet-name>OntologyEditController</servlet-name>
     <servlet-class>edu.cornell.mannlib.vitro.webapp.controller.edit.OntologyEditController</servlet-class>
@@ -743,16 +738,6 @@
     <url-pattern>/addRestriction</url-pattern>
   </servlet-mapping>
 
-<!-- TODO This should go away as soon as the new UserAccounts are fully implemented. jblake -->
-  <servlet>
-    <servlet-name>UsersListingController</servlet-name>
-    <servlet-class>edu.cornell.mannlib.vitro.webapp.controller.edit.listing.UsersListingController</servlet-class>
-  </servlet>
-  <servlet-mapping>
-    <servlet-name>UsersListingController</servlet-name>
-    <url-pattern>/listUsers</url-pattern>
-  </servlet-mapping>
-
   <servlet>
     <servlet-name>AccountsAdmin</servlet-name>
     <servlet-class>edu.cornell.mannlib.vitro.webapp.controller.accounts.admin.UserAccountsAdminController</servlet-class>
diff --git a/webapp/src/edu/cornell/mannlib/vedit/beans/LoginStatusBean.java b/webapp/src/edu/cornell/mannlib/vedit/beans/LoginStatusBean.java
index 15cdbbf43..04ec6f276 100644
--- a/webapp/src/edu/cornell/mannlib/vedit/beans/LoginStatusBean.java
+++ b/webapp/src/edu/cornell/mannlib/vedit/beans/LoginStatusBean.java
@@ -9,8 +9,8 @@ import javax.servlet.http.HttpSession;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
-import edu.cornell.mannlib.vitro.webapp.beans.User;
-import edu.cornell.mannlib.vitro.webapp.dao.UserDao;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
+import edu.cornell.mannlib.vitro.webapp.dao.UserAccountsDao;
 import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
 
 /**
@@ -81,7 +81,7 @@ public class LoginStatusBean {
 	/**
 	 * Get the current user, or null if not logged in.
 	 */
-	public static User getCurrentUser(HttpServletRequest request) {
+	public static UserAccount getCurrentUser(HttpServletRequest request) {
 		if (request == null) {
 			return null;
 		}
@@ -91,7 +91,7 @@ public class LoginStatusBean {
 	/**
 	 * Get the current user, or null if not logged in.
 	 */
-	public static User getCurrentUser(HttpSession session) {
+	public static UserAccount getCurrentUser(HttpSession session) {
 		if (session == null) {
 			return null;
 		}
@@ -108,14 +108,14 @@ public class LoginStatusBean {
 			return null;
 		}
 
-		UserDao userDao = wadf.getUserDao();
-		if (userDao == null) {
-			log.error("No UserDao");
+		UserAccountsDao userAccountsDao = wadf.getUserAccountsDao();
+		if (userAccountsDao == null) {
+			log.error("No UserAccountsDao");
 			return null;
 		}
 
 		String userUri = getBean(session).getUserURI();
-		return userDao.getUserByURI(userUri);
+		return userAccountsDao.getUserAccountByUri(userUri);
 	}
 
 	// ----------------------------------------------------------------------
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/CommonIdentifierBundleFactory.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/CommonIdentifierBundleFactory.java
index 8176ca3b2..b2353e6ae 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/CommonIdentifierBundleFactory.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/CommonIdentifierBundleFactory.java
@@ -22,8 +22,9 @@ import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundleFactory;
 import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
 import edu.cornell.mannlib.vitro.webapp.beans.Individual;
 import edu.cornell.mannlib.vitro.webapp.beans.SelfEditingConfiguration;
-import edu.cornell.mannlib.vitro.webapp.beans.User;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 import edu.cornell.mannlib.vitro.webapp.dao.IndividualDao;
+import edu.cornell.mannlib.vitro.webapp.dao.UserAccountsDao;
 import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
 
 /**
@@ -49,6 +50,7 @@ public class CommonIdentifierBundleFactory implements IdentifierBundleFactory {
 		ArrayIdentifierBundle bundle = new ArrayIdentifierBundle();
 
 		bundle.addAll(createUserIdentifiers(req));
+		bundle.addAll(createRootUserIdentifiers(req));
 		bundle.addAll(createRoleLevelIdentifiers(req));
 		bundle.addAll(createBlacklistOrAssociatedIndividualIdentifiers(req));
 
@@ -68,6 +70,16 @@ public class CommonIdentifierBundleFactory implements IdentifierBundleFactory {
 		}
 	}
 
+	private Collection<? extends Identifier> createRootUserIdentifiers(
+			HttpServletRequest req) {
+		UserAccount user = LoginStatusBean.getCurrentUser(req);
+		if (isRootUser(user)) {
+			return Collections.singleton(new IsRootUser());
+		} else {
+			return Collections.emptySet();
+		}
+	}
+
 	/**
 	 * Create an identifier that shows the role level of the current user, or
 	 * PUBLIC if the user is not logged in.
@@ -100,16 +112,21 @@ public class CommonIdentifierBundleFactory implements IdentifierBundleFactory {
 		return ids;
 	}
 
+	/**
+	 * Get all Individuals associated with the current user.
+	 * 
+	 * TODO Currently only uses the matching property. Should also use
+	 * "mayEditAs" type of association.
+	 */
 	private Collection<Individual> getAssociatedIndividuals(
 			HttpServletRequest req) {
 		Collection<Individual> individuals = new ArrayList<Individual>();
 
-		User user = LoginStatusBean.getCurrentUser(req);
+		UserAccount user = LoginStatusBean.getCurrentUser(req);
 		if (user == null) {
 			log.debug("No Associated Individuals: not logged in.");
 			return individuals;
 		}
-		String username = user.getUsername();
 
 		WebappDaoFactory wdf = (WebappDaoFactory) context
 				.getAttribute("webappDaoFactory");
@@ -121,25 +138,30 @@ public class CommonIdentifierBundleFactory implements IdentifierBundleFactory {
 		IndividualDao indDao = wdf.getIndividualDao();
 
 		SelfEditingConfiguration sec = SelfEditingConfiguration.getBean(req);
-		String uri = sec.getIndividualUriFromUsername(indDao, username);
-		if (uri == null) {
-			log.debug("Could not find an Individual with a netId of "
-					+ username);
-			return individuals;
-		}
+		individuals.addAll(sec.getAssociatedIndividuals(indDao, user));
 
-		Individual ind = indDao.getIndividualByURI(uri);
-		if (ind == null) {
-			log.warn("Found a URI for the netId " + username
-					+ " but could not build Individual");
-			return individuals;
-		}
-		log.debug("Found an Individual for netId " + username + " URI: " + uri);
-
-		individuals.add(ind);
 		return individuals;
 	}
 
+	/**
+	 * Is this user a root user?
+	 */
+	private boolean isRootUser(UserAccount user) {
+		if (user == null) {
+			return false;
+		}
+
+		WebappDaoFactory wdf = (WebappDaoFactory) context
+				.getAttribute("webappDaoFactory");
+		if (wdf == null) {
+			log.error("Could not get a WebappDaoFactory from the ServletContext");
+			return false;
+		}
+
+		UserAccountsDao uaDao = wdf.getUserAccountsDao();
+		return uaDao.isRootUser(user);
+	}
+
 	@Override
 	public String toString() {
 		return this.getClass().getSimpleName() + " - " + hashCode();
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/IsRootUser.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/IsRootUser.java
new file mode 100644
index 000000000..a41c2ab04
--- /dev/null
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/IsRootUser.java
@@ -0,0 +1,21 @@
+/* $This file is distributed under the terms of the license in /doc/license.txt$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.identifier.common;
+
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier;
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
+
+/**
+ * The current user is a root user.
+ */
+public class IsRootUser extends AbstractCommonIdentifier implements Identifier {
+	public static boolean isRootUser(IdentifierBundle ids) {
+		return !getIdentifiersForClass(ids, IsRootUser.class).isEmpty();
+	}
+	
+	@Override
+	public String toString() {
+		return "IsRootUser";
+	}
+
+}
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/PermissionSetsLoader.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/PermissionSetsLoader.java
index a35877afb..32f8f6519 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/PermissionSetsLoader.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/PermissionSetsLoader.java
@@ -30,6 +30,11 @@ public class PermissionSetsLoader implements ServletContextListener {
 	private static final Log log = LogFactory
 			.getLog(PermissionSetsLoader.class);
 
+	public static final String URI_SELF_EDITOR = "http://permissionSet-1";
+	public static final String URI_EDITOR = "http://permissionSet-4";
+	public static final String URI_CURATOR = "http://permissionSet-5";
+	public static final String URI_DBA = "http://permissionSet-50";
+	
 	@Override
 	public void contextInitialized(ServletContextEvent sce) {
 		ServletContext ctx = sce.getServletContext();
@@ -46,10 +51,10 @@ public class PermissionSetsLoader implements ServletContextListener {
 					.getUserAccountsModel();
 
 			ModelWrapper wrapper = new ModelWrapper(model);
-			wrapper.createPermissionSet("1", "Self Editor");
-			wrapper.createPermissionSet("2", "Editor");
-			wrapper.createPermissionSet("3", "Curator");
-			wrapper.createPermissionSet("4", "Site Admin");
+			wrapper.createPermissionSet(URI_SELF_EDITOR, "Self Editor");
+			wrapper.createPermissionSet(URI_EDITOR, "Editor");
+			wrapper.createPermissionSet(URI_CURATOR, "Curator");
+			wrapper.createPermissionSet(URI_DBA, "Site Admin");
 		} catch (Exception e) {
 			log.error("could not run PermissionSetsLoader" + e);
 			AbortStartup.abortStartup(ctx);
@@ -77,9 +82,7 @@ public class PermissionSetsLoader implements ServletContextListener {
 			permissionSet = model.createResource(VitroVocabulary.PERMISSIONSET);
 		}
 
-		public void createPermissionSet(String uriSuffix, String label) {
-			String uri = "http://permissionSet-" + uriSuffix;
-
+		public void createPermissionSet(String uri, String label) {
 			model.enterCriticalSection(Lock.WRITE);
 			try {
 				Resource r = model.createResource(uri);
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/RootUserPolicy.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/RootUserPolicy.java
new file mode 100644
index 000000000..362fcba1e
--- /dev/null
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/RootUserPolicy.java
@@ -0,0 +1,164 @@
+/* $This file is distributed under the terms of the license in /doc/license.txt$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import javax.servlet.ServletContext;
+import javax.servlet.ServletContextEvent;
+import javax.servlet.ServletContextListener;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import com.hp.hpl.jena.ontology.OntModel;
+import com.hp.hpl.jena.rdf.model.Resource;
+import com.hp.hpl.jena.shared.Lock;
+import com.hp.hpl.jena.vocabulary.RDF;
+
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.IsRootUser;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount.Status;
+import edu.cornell.mannlib.vitro.webapp.config.ConfigurationProperties;
+import edu.cornell.mannlib.vitro.webapp.controller.authenticate.Authenticator;
+import edu.cornell.mannlib.vitro.webapp.dao.UserAccountsDao;
+import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
+import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
+import edu.cornell.mannlib.vitro.webapp.dao.jena.ModelContext;
+import edu.cornell.mannlib.vitro.webapp.servlet.setup.AbortStartup;
+
+/**
+ * If the user has an IsRootUser identifier, they can do anything!
+ * 
+ * On setup, check to see that there is a root user. If not, create one. If we
+ * can't create one, abort.
+ */
+public class RootUserPolicy implements PolicyIface {
+	private static final Log log = LogFactory.getLog(RootUserPolicy.class);
+
+	private static final String PROPERTY_ROOT_USER_EMAIL = "rootUser.emailAddress";
+	private static final String ROOT_USER_INITIAL_PASSWORD = "rootPassword";
+
+	/**
+	 * This is the entire policy. If you are a root user, you are authorized.
+	 */
+	@Override
+	public PolicyDecision isAuthorized(IdentifierBundle whoToAuth,
+			RequestedAction whatToAuth) {
+		if (IsRootUser.isRootUser(whoToAuth)) {
+			return new BasicPolicyDecision(Authorization.AUTHORIZED,
+					"RootUserPolicy: approved");
+		} else {
+			return new BasicPolicyDecision(Authorization.INCONCLUSIVE,
+					"not root user");
+		}
+	}
+
+	// ----------------------------------------------------------------------
+	// Setup class
+	// ----------------------------------------------------------------------
+
+	public static class Setup implements ServletContextListener {
+
+		@Override
+		public void contextInitialized(ServletContextEvent sce) {
+			ServletContext ctx = sce.getServletContext();
+
+			if (AbortStartup.isStartupAborted(ctx)) {
+				return;
+			}
+
+			try {
+				UserAccountsDao uaDao = getUserAccountsDao(ctx);
+				OntModel userAccountsModel = getUserAccountsModel(ctx);
+
+				if (!rootUserExists(uaDao)) {
+					createRootUser(ctx, uaDao, userAccountsModel);
+				}
+
+				ServletPolicyList.addPolicy(ctx, new RootUserPolicy());
+			} catch (Exception e) {
+				log.error("could not run " + this.getClass().getSimpleName()
+						+ ": " + e);
+				AbortStartup.abortStartup(ctx);
+				throw new RuntimeException(e);
+			}
+		}
+
+		private UserAccountsDao getUserAccountsDao(ServletContext ctx) {
+			WebappDaoFactory wadf = (WebappDaoFactory) ctx
+					.getAttribute("webappDaoFactory");
+			if (wadf == null) {
+				throw new IllegalStateException(
+						"No webappDaoFactory on the servlet context");
+			}
+			return wadf.getUserAccountsDao();
+		}
+
+		private OntModel getUserAccountsModel(ServletContext ctx) {
+			return ModelContext.getBaseOntModelSelector(ctx)
+					.getUserAccountsModel();
+		}
+
+		private boolean rootUserExists(UserAccountsDao uaDao) {
+			for (UserAccount ua : uaDao.getAllUserAccounts()) {
+				if (uaDao.isRootUser(ua)) {
+					return true;
+				}
+			}
+			return false;
+		}
+
+		/**
+		 * TODO The first and last name should be left blank, so the user will
+		 * be forced to edit them. However, that's not in place yet.
+		 */
+		private void createRootUser(ServletContext ctx, UserAccountsDao uaDao,
+				OntModel userAccountsModel) {
+			String emailAddress = ConfigurationProperties.getBean(ctx)
+					.getProperty(PROPERTY_ROOT_USER_EMAIL);
+			if (emailAddress == null) {
+				throw new IllegalStateException(
+						"deploy.properties must contain a value for '"
+								+ PROPERTY_ROOT_USER_EMAIL + "'");
+			}
+
+			if (null != uaDao.getUserAccountByEmail(emailAddress)) {
+				throw new IllegalStateException("Can't create root user - "
+						+ "an account already exists with email address '"
+						+ emailAddress + "'");
+			}
+
+			UserAccount ua = new UserAccount();
+			ua.setEmailAddress(emailAddress);
+			ua.setFirstName("root");
+			ua.setLastName("user");
+			ua.setMd5Password(Authenticator
+					.applyMd5Encoding(ROOT_USER_INITIAL_PASSWORD));
+			ua.setPasswordChangeRequired(true);
+			ua.setStatus(Status.ACTIVE);
+
+			uaDao.insertUserAccount(ua);
+
+			userAccountsModel.enterCriticalSection(Lock.WRITE);
+			try {
+				Resource r = userAccountsModel.getResource(ua.getUri());
+				Resource t = userAccountsModel
+						.getResource(VitroVocabulary.USERACCOUNT_ROOT_USER);
+				userAccountsModel.add(r, RDF.type, t);
+			} finally {
+				userAccountsModel.leaveCriticalSection();
+			}
+
+			log.info("Created root user as '" + emailAddress + "'");
+		}
+
+		@Override
+		public void contextDestroyed(ServletContextEvent sce) {
+			// Nothing to destroy
+		}
+	}
+}
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/beans/BaseResourceBean.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/beans/BaseResourceBean.java
index 4300e2ab0..a82e680ca 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/beans/BaseResourceBean.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/beans/BaseResourceBean.java
@@ -2,6 +2,8 @@
 
 package edu.cornell.mannlib.vitro.webapp.beans;
 
+import java.util.Set;
+
 import javax.servlet.http.HttpServletRequest;
 
 import org.apache.commons.logging.Log;
@@ -9,6 +11,7 @@ import org.apache.commons.logging.LogFactory;
 import org.openrdf.model.impl.URIImpl;
 
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
+import edu.cornell.mannlib.vitro.webapp.auth.permissions.PermissionSetsLoader;
 import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
 
 public class BaseResourceBean implements ResourceBean {
@@ -69,17 +72,20 @@ public class BaseResourceBean implements ResourceBean {
         }
         
 		public static RoleLevel getRoleFromLoginStatus(HttpServletRequest req) {
-			User u = LoginStatusBean.getCurrentUser(req);
+			UserAccount u = LoginStatusBean.getCurrentUser(req);
 			if (u == null) {
 				return PUBLIC;
-			} else if ("1".equals(u.getRoleURI())) {
-				return SELF;
-			} else if ("4".equals(u.getRoleURI())) {
-				return EDITOR;
-			} else if ("5".equals(u.getRoleURI())) {
+			}
+			
+			Set<String> roles = u.getPermissionSetUris();
+			if (roles.contains(PermissionSetsLoader.URI_DBA)) {
+				return  DB_ADMIN;
+			} else if (roles.contains(PermissionSetsLoader.URI_CURATOR)) {
 				return CURATOR;
-			} else if ("50".equals(u.getRoleURI())) {
-				return DB_ADMIN;
+			} else if (roles.contains(PermissionSetsLoader.URI_EDITOR)) {
+				return EDITOR;
+			} else if (roles.contains(PermissionSetsLoader.URI_SELF_EDITOR)) {
+				return SELF;
 			} else {
 				return PUBLIC;
 			}
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/beans/SelfEditingConfiguration.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/beans/SelfEditingConfiguration.java
index 7e08b280c..ea1706c48 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/beans/SelfEditingConfiguration.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/beans/SelfEditingConfiguration.java
@@ -2,6 +2,9 @@
 
 package edu.cornell.mannlib.vitro.webapp.beans;
 
+import java.util.Collections;
+import java.util.List;
+
 import javax.servlet.ServletRequest;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
@@ -64,7 +67,9 @@ public class SelfEditingConfiguration {
 	}
 
 	private static SelfEditingConfiguration buildBean(HttpSession session) {
-		String selfEditingIdMatchingProperty = ConfigurationProperties.getBean(session)
+		ConfigurationProperties config = ConfigurationProperties
+				.getBean(session);
+		String selfEditingIdMatchingProperty = config
 				.getProperty(PROPERTY_SELF_EDITING_ID_MATCHING_PROPERTY);
 		return new SelfEditingConfiguration(selfEditingIdMatchingProperty);
 	}
@@ -87,25 +92,39 @@ public class SelfEditingConfiguration {
 		}
 	}
 
-	public String getIndividualUriFromUsername(IndividualDao indDao,
-			String username) {
+	/**
+	 * Get all Individuals associated with this user through the matching
+	 * property. Never returns null.
+	 */
+	public List<Individual> getAssociatedIndividuals(IndividualDao indDao,
+			UserAccount user) {
+		if (user == null) {
+			log.debug("user is null");
+			return Collections.emptyList();
+		}
+		return getAssociatedIndividuals(indDao, user.getExternalAuthId());
+	}
+
+	/**
+	 * Get all Individuals associated with this externalAuthId through the
+	 * matching property. Never returns null.
+	 */
+	public List<Individual> getAssociatedIndividuals(IndividualDao indDao,
+			String externalAuthId) {
 		if (indDao == null) {
 			log.warn("No IndividualDao");
-			return null;
+			return Collections.emptyList();
 		}
-		if (username == null) {
-			log.debug("username is null");
-			return null;
+		if (externalAuthId == null) {
+			log.debug("externalAuthId is null");
+			return Collections.emptyList();
 		}
 		if (selfEditingIdMatchingProperty == null) {
 			log.debug("selfEditingMatchingProperty is null");
-			return null;
+			return Collections.emptyList();
 		}
-
-		String uri = indDao.getIndividualURIFromNetId(username,
-				selfEditingIdMatchingProperty);
-		log.debug("Username=" + username + ", individual URI=" + uri);
-		return uri;
+		return indDao.getIndividualsByDataProperty(
+				selfEditingIdMatchingProperty, externalAuthId);
 	}
 
 	@Override
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/beans/User.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/beans/User.java
deleted file mode 100644
index 67005be08..000000000
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/beans/User.java
+++ /dev/null
@@ -1,137 +0,0 @@
-/* $This file is distributed under the terms of the license in /doc/license.txt$ */
-
-package edu.cornell.mannlib.vitro.webapp.beans;
-
-import java.text.Collator;
-import java.util.Date;
-
-public class User implements Comparable<User> {
-    
-    public final static int MIN_PASSWORD_LENGTH = 6;
-    public final static int MAX_PASSWORD_LENGTH = 12;
-
-    private String URI = null;
-    private String namespace = null;
-    private String localName = null;
-    private String username = null;
-    private String oldPassword = null;
-    private String md5password = null;
-    private Date modTime = null;
-    private Date firstTime = null;
-    private int loginCount = 0;
-    private String roleURI = null;
-    private String lastName = null;
-    private String firstName = null;
-
-    public String getURI() {
-        return URI;
-    }
-    public void setURI(String URI) {
-        this.URI = URI;
-    }
-
-    public String getNamespace() {
-        return namespace;
-    }
-    public void setNamespace(String namespace) {
-        this.namespace = namespace;
-    }
-
-    public String getLocalName() {
-        return localName;
-    }
-    public void setLocalName(String localName) {
-        this.localName = localName;
-    }
-
-    public String getUsername() {
-        return username;
-    }
-    public void setUsername(String username) {
-        this.username = username;
-    }
-
-    public String getOldPassword() {
-        return oldPassword;
-    }
-    public void setOldPassword(String oldPassword) {
-        this.oldPassword = oldPassword;
-    }
-
-    public String getMd5password() {
-        return md5password;
-    }
-    public void setMd5password(String md5password) {
-        this.md5password = md5password;
-    }
-
-    public Date getModTime() {
-        return modTime;
-    }
-    public void setModTime(Date modTime) {
-        this.modTime = modTime;
-    }
-
-    public Date getFirstTime() {
-        return firstTime;
-    }
-    public void setFirstTime(Date firstTime) {
-        this.firstTime = firstTime;
-    }
-
-    public int getLoginCount() {
-        return loginCount;
-    }
-    public void setLoginCount(int loginCount) {
-        this.loginCount = loginCount;
-    }
-
-    public String getRoleURI() {
-        return roleURI;
-    }
-    public void setRoleURI(String roleURI) {
-        this.roleURI = roleURI;
-    }
-
-    public String getLastName() {
-        return lastName;
-    }
-    public void setLastName(String lastName) {
-        this.lastName = lastName;
-    }
-
-    public String getFirstName() {
-        return firstName;
-    }
-    public void setFirstName(String firstName) {
-        this.firstName = firstName;
-    }
-
-    @Override
-	public int compareTo(User other) {
-        Collator collator = Collator.getInstance();
-        if( this.getUsername() == null && other.getUsername() == null )
-        	return 0;
-        else if( this.getUsername() == null )
-        	return -1;
-        else if( other.getUsername() == null)
-        	return 1;
-        else
-        	return collator.compare(this.getUsername(),other.getUsername());
-    }
-    
-	@Override
-	public String toString() {
-		return "User[URI=" + URI + ", namespace=" + namespace + ", localName="
-				+ localName + ", username=" + username + ", oldPassword="
-				+ oldPassword + ", md5password=" + md5password + ", modTime="
-				+ dateToString(modTime) + ", firstTime="
-				+ dateToString(firstTime) + ", loginCount=" + loginCount
-				+ ", roleURI=" + roleURI + ", lastName=" + lastName
-				+ ", firstName=" + firstName + "]";
-	}
-	
-	private String dateToString(Date date) {
-		return (date == null) ? "null" : String.valueOf(date.getTime());
-	}
-}
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/MailUsersServlet.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/MailUsersServlet.java
index 351f10921..647ebcab2 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/MailUsersServlet.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/MailUsersServlet.java
@@ -3,6 +3,7 @@
 package edu.cornell.mannlib.vitro.webapp.controller;
 
 import java.io.IOException;
+import java.util.ArrayList;
 import java.util.Calendar;
 import java.util.Date;
 import java.util.List;
@@ -22,7 +23,8 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
-import edu.cornell.mannlib.vitro.webapp.dao.UserDao;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
+import edu.cornell.mannlib.vitro.webapp.dao.UserAccountsDao;
 import edu.cornell.mannlib.vitro.webapp.email.FreemarkerEmailFactory;
 
 public class MailUsersServlet extends VitroHttpServlet {
@@ -74,10 +76,8 @@ public class MailUsersServlet extends VitroHttpServlet {
         int recipientCount = 0;
         String deliveryfrom = null;
         
-        UserDao uDao = vreq.getFullWebappDaoFactory().getUserDao();
-        
         // get Individuals that the User mayEditAs
-        deliverToArray = uDao.getUserAccountEmails();
+        deliverToArray = getEmailsForAllUserAccounts(vreq);
         
         //Removed all form type stuff b/c recipients pre-configured
         recipientCount=(deliverToArray == null) ? 0 : deliverToArray.size();
@@ -208,6 +208,18 @@ public class MailUsersServlet extends VitroHttpServlet {
         }
 
     }
+    
+	private List<String> getEmailsForAllUserAccounts(VitroRequest vreq) {
+		UserAccountsDao uaDao = vreq.getFullWebappDaoFactory()
+				.getUserAccountsDao();
+		
+		List<String> emails = new ArrayList<String>();
+		for (UserAccount user : uaDao.getAllUserAccounts()) {
+			emails.add(user.getEmailAddress());
+		}
+
+		return emails;
+	}
 
     @Override
 	public void doPost( HttpServletRequest request, HttpServletResponse response )
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsAddPageStrategy.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsAddPageStrategy.java
index 9de5f2c07..9061030e7 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsAddPageStrategy.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsAddPageStrategy.java
@@ -13,6 +13,7 @@ import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 import edu.cornell.mannlib.vitro.webapp.beans.UserAccount.Status;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.accounts.UserAccountsPage;
+import edu.cornell.mannlib.vitro.webapp.controller.authenticate.Authenticator;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.UrlBuilder;
 import edu.cornell.mannlib.vitro.webapp.email.FreemarkerEmailFactory;
 import edu.cornell.mannlib.vitro.webapp.email.FreemarkerEmailMessage;
@@ -180,7 +181,7 @@ public abstract class UserAccountsAddPageStrategy extends UserAccountsPage {
 
 		@Override
 		protected void setAdditionalProperties(UserAccount u) {
-			u.setMd5Password(initialPassword);
+			u.setMd5Password(Authenticator.applyMd5Encoding(initialPassword));
 			u.setPasswordChangeRequired(true);
 			u.setStatus(Status.ACTIVE);
 		}
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/accounts/user/UserAccountsMyAccountPage.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/accounts/user/UserAccountsMyAccountPage.java
index 51b8f0a3b..fbcf541ec 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/accounts/user/UserAccountsMyAccountPage.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/accounts/user/UserAccountsMyAccountPage.java
@@ -9,15 +9,12 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
-import edu.cornell.mannlib.vitro.webapp.beans.User;
 import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.accounts.UserAccountsPage;
 import edu.cornell.mannlib.vitro.webapp.controller.accounts.admin.UserAccountsEditPage;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.responsevalues.ResponseValues;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.responsevalues.TemplateResponseValues;
-import edu.cornell.mannlib.vitro.webapp.dao.UserDao;
-import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
 
 /**
  * Handle the "My Account" form display and submission.
@@ -57,7 +54,7 @@ public class UserAccountsMyAccountPage extends UserAccountsPage {
 	public UserAccountsMyAccountPage(VitroRequest vreq) {
 		super(vreq);
 
-		this.userAccount = getLoggedInUser();
+		this.userAccount = LoginStatusBean.getCurrentUser(vreq);
 		this.strategy = UserAccountsMyAccountPageStrategy.getInstance(vreq,
 				this, isExternalAccount());
 
@@ -111,25 +108,6 @@ public class UserAccountsMyAccountPage extends UserAccountsPage {
 		return errorCode.isEmpty();
 	}
 
-	private UserAccount getLoggedInUser() {
-		// TODO This is a bogus measure.
-		// TODO It only works because for now we are not deleting old User
-		// structures, and there is a new UserAccount with email set to the old
-		// User username.
-		String uri = LoginStatusBean.getBean(vreq).getUserURI();
-		WebappDaoFactory wdf = (WebappDaoFactory) this.ctx
-				.getAttribute("webappDaoFactory");
-		User u = wdf.getUserDao().getUserByURI(uri);
-
-		UserAccount ua = userAccountsDao.getUserAccountByEmail(u.getUsername());
-		if (ua == null) {
-			throw new IllegalStateException("Couldn't find a UserAccount "
-					+ "for uri: '" + uri + "'");
-		}
-		log.debug("Logged-in user is " + ua);
-		return ua;
-	}
-
 	private boolean isExternalAccount() {
 		return LoginStatusBean.getBean(vreq).hasExternalAuthentication();
 	}
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AdminLoginController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AdminLoginController.java
index fd16d03db..66dc2c3ae 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AdminLoginController.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AdminLoginController.java
@@ -13,6 +13,7 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.Actions;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.FreemarkerHttpServlet;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.UrlBuilder;
@@ -31,7 +32,7 @@ public class AdminLoginController extends FreemarkerHttpServlet {
 	private static final Log log = LogFactory
 			.getLog(AdminLoginController.class);
 
-	public static final String PARAMETER_USERNAME = "username";
+	public static final String PARAMETER_EMAIL_ADDRESS = "email";
 	public static final String PARAMETER_PASSWORD = "password";
 	public static final String PARAMETER_NEW_PASSWORD = "newPassword";
 	public static final String PARAMETER_CONFIRM_PASSWORD = "confirmPassword";
@@ -41,7 +42,7 @@ public class AdminLoginController extends FreemarkerHttpServlet {
 
 	public static final String TEMPLATE_NAME = "adminLogin.ftl";
 
-	private static final String MESSAGE_NO_USERNAME = "errorNoUser";
+	private static final String MESSAGE_NO_EMAIL_ADDRESS = "errorNoEmail";
 	private static final String MESSAGE_NO_PASSWORD = "errorNoPassword";
 	private static final String MESSAGE_LOGIN_FAILED = "errorLoginFailed";
 	private static final String MESSAGE_NEW_PASSWORD_REQUIRED = "newPasswordRequired";
@@ -65,32 +66,37 @@ public class AdminLoginController extends FreemarkerHttpServlet {
 	private static class Core {
 		private final Authenticator auth;
 
-		private final String username;
+		private final String emailAddress;
 		private final String password;
 		private final String newPassword;
 		private final String confirmPassword;
+		private final UserAccount userAccount;
 
 		public Core(VitroRequest vreq) {
 			this.auth = Authenticator.getInstance(vreq);
 
-			this.username = nonNull(vreq.getParameter(PARAMETER_USERNAME));
+			this.emailAddress = nonNull(vreq
+					.getParameter(PARAMETER_EMAIL_ADDRESS));
 			this.password = nonNull(vreq.getParameter(PARAMETER_PASSWORD));
 			this.newPassword = nonNull(vreq
 					.getParameter(PARAMETER_NEW_PASSWORD));
 			this.confirmPassword = nonNull(vreq
 					.getParameter(PARAMETER_CONFIRM_PASSWORD));
 
-			log.debug("Parameters: username='" + username + "', password='"
+			log.debug("Parameters: email='" + emailAddress + "', password='"
 					+ password + "', newPassword='" + newPassword
 					+ "', confirmPassword='" + confirmPassword + "'");
+
+			this.userAccount = this.auth
+					.getAccountForInternalAuth(emailAddress);
 		}
 
 		public ResponseValues process() {
-			if (username.isEmpty() && password.isEmpty()) {
+			if (emailAddress.isEmpty() && password.isEmpty()) {
 				return showForm();
 			}
-			if (username.isEmpty()) {
-				return showForm(MESSAGE_NO_USERNAME);
+			if (emailAddress.isEmpty()) {
+				return showForm(MESSAGE_NO_EMAIL_ADDRESS);
 			}
 			if (password.isEmpty()) {
 				return showForm(MESSAGE_NO_PASSWORD);
@@ -122,8 +128,8 @@ public class AdminLoginController extends FreemarkerHttpServlet {
 		}
 
 		private boolean newPasswordRequired() {
-			return auth.isCurrentPassword(username, password)
-					&& auth.isPasswordChangeRequired(username);
+			return auth.isCurrentPassword(userAccount, password)
+					&& (userAccount.isPasswordChangeRequired());
 		}
 
 		private boolean isPasswordValidLength(String pw) {
@@ -132,11 +138,11 @@ public class AdminLoginController extends FreemarkerHttpServlet {
 		}
 
 		private boolean tryToLogin() {
-			if (auth.isCurrentPassword(username, password)) {
-				auth.recordLoginAgainstUserAccount(username, INTERNAL);
+			if (auth.isCurrentPassword(userAccount, password)) {
+				auth.recordLoginAgainstUserAccount(userAccount, INTERNAL);
 
 				if (!newPassword.isEmpty()) {
-					auth.recordNewPassword(username, newPassword);
+					auth.recordNewPassword(userAccount, newPassword);
 				}
 
 				return true;
@@ -148,7 +154,7 @@ public class AdminLoginController extends FreemarkerHttpServlet {
 		private ResponseValues showForm(String... codes) {
 			Map<String, Object> body = new HashMap<String, Object>();
 			body.put("controllerUrl", UrlBuilder.getUrl(URL_THIS));
-			body.put("username", username);
+			body.put("email", emailAddress);
 			body.put("password", password);
 			body.put("newPassword", newPassword);
 			body.put("confirmPassword", confirmPassword);
@@ -158,7 +164,7 @@ public class AdminLoginController extends FreemarkerHttpServlet {
 			}
 
 			log.debug("showing form with values: " + body);
-			
+
 			return new TemplateResponseValues(TEMPLATE_NAME, body);
 		}
 
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/Authenticator.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/Authenticator.java
index a212fbe1a..7a94665fa 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/Authenticator.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/Authenticator.java
@@ -11,7 +11,7 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.codec.binary.Hex;
 
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean.AuthenticationSource;
-import edu.cornell.mannlib.vitro.webapp.beans.User;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 
 /**
  * The tool that a login process will use to interface with the user records in
@@ -55,37 +55,40 @@ public abstract class Authenticator {
 	public static final int PRIVILEGED_TIMEOUT_INTERVAL = 32000;
 
 	/**
-	 * Does a user by this name exist?
+	 * Get the UserAccount for this external ID, or null if there is none.
 	 */
-	public abstract boolean isExistingUser(String username);
+	public abstract UserAccount getAccountForExternalAuth(String externalAuthId);
 
 	/**
-	 * Does a user by this name have this password?
+	 * Get the UserAccount for this email address, or null if there is none.
 	 */
-	public abstract boolean isCurrentPassword(String username,
+	public abstract UserAccount getAccountForInternalAuth(String emailAddress);
+
+	/**
+	 * Internal: does this UserAccount have this password? False if the
+	 * userAccount is null.
+	 */
+	public abstract boolean isCurrentPassword(UserAccount userAccount,
 			String clearTextPassword);
 
 	/**
-	 * Get the user with this name, or null if no such user exists.
+	 * Internal: record a new password for the user. Takes no action if the
+	 * userAccount is null.
 	 */
-	public abstract User getUserByUsername(String username);
+	public abstract void recordNewPassword(UserAccount userAccount,
+			String newClearTextPassword);
+
+	/**
+	 * Is a change in name or email required when the user logs in?
+	 */
+	public abstract boolean accountRequiresEditing(UserAccount userAccount);
 
 	/**
 	 * Get the URIs of all individuals associated with this user, whether by a
 	 * self-editing property like cornellEmailNetid, or by mayEditAs.
 	 */
-	public abstract List<String> getAssociatedIndividualUris(String username);
-
-	/**
-	 * Is a password change needed when the user logs in?
-	 */
-	public abstract boolean isPasswordChangeRequired(String username);
-
-	/**
-	 * Record a new password for the user.
-	 */
-	public abstract void recordNewPassword(String username,
-			String newClearTextPassword);
+	public abstract List<String> getAssociatedIndividualUris(
+			UserAccount userAccount);
 
 	/**
 	 * <pre>
@@ -97,7 +100,7 @@ public abstract class Authenticator {
 	 * - notify other users of the model
 	 * </pre>
 	 */
-	public abstract void recordLoginAgainstUserAccount(String username,
+	public abstract void recordLoginAgainstUserAccount(UserAccount userAccount,
 			AuthenticationSource authSource);
 
 	/**
@@ -106,9 +109,10 @@ public abstract class Authenticator {
 	 * info, so no internal user account.
 	 * - this involves everything except updating the user record.
 	 * </pre>
+	 * 
+	 * TODO JB This goes away.
 	 */
-	public abstract void recordLoginWithoutUserAccount(String username,
-			String individualUri, AuthenticationSource authSource);
+	public abstract void recordLoginWithoutUserAccount(String individualUri);
 
 	/**
 	 * <pre>
@@ -140,4 +144,8 @@ public abstract class Authenticator {
 		}
 	}
 
+	public static boolean isValidEmailAddress(String emailAddress) {
+		// TODO check for valid syntax.
+		return (emailAddress != null) && (!emailAddress.isEmpty());
+	}
 }
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BasicAuthenticator.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BasicAuthenticator.java
index 8f0fcfb6b..2135f007f 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BasicAuthenticator.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BasicAuthenticator.java
@@ -4,7 +4,6 @@ package edu.cornell.mannlib.vitro.webapp.controller.authenticate;
 
 import java.util.ArrayList;
 import java.util.Collections;
-import java.util.Date;
 import java.util.List;
 import java.util.Map;
 
@@ -18,11 +17,12 @@ import org.apache.commons.logging.LogFactory;
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean.AuthenticationSource;
 import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
+import edu.cornell.mannlib.vitro.webapp.beans.Individual;
 import edu.cornell.mannlib.vitro.webapp.beans.SelfEditingConfiguration;
-import edu.cornell.mannlib.vitro.webapp.beans.User;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 import edu.cornell.mannlib.vitro.webapp.controller.edit.Authenticate;
 import edu.cornell.mannlib.vitro.webapp.dao.IndividualDao;
-import edu.cornell.mannlib.vitro.webapp.dao.UserDao;
+import edu.cornell.mannlib.vitro.webapp.dao.UserAccountsDao;
 import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
 import edu.cornell.mannlib.vitro.webapp.dao.jena.LoginEvent;
 import edu.cornell.mannlib.vitro.webapp.dao.jena.LogoutEvent;
@@ -40,75 +40,97 @@ public class BasicAuthenticator extends Authenticator {
 	}
 
 	@Override
-	public boolean isExistingUser(String username) {
-		return getUserByUsername(username) != null;
-	}
-
-	@Override
-	public User getUserByUsername(String username) {
-		UserDao userDao = getUserDao();
-		if (userDao == null) {
+	public UserAccount getAccountForInternalAuth(String emailAddress) {
+		UserAccountsDao userAccountsDao = getUserAccountsDao();
+		if (userAccountsDao == null) {
 			return null;
 		}
-		return userDao.getUserByUsername(username);
+		return userAccountsDao.getUserAccountByEmail(emailAddress);
 	}
 
 	@Override
-	public boolean isCurrentPassword(String username, String clearTextPassword) {
-		User user = getUserDao().getUserByUsername(username);
-		if (user == null) {
-			log.trace("Checking password '" + clearTextPassword
-					+ "' for user '" + username + "', but user doesn't exist.");
+	public UserAccount getAccountForExternalAuth(String externalAuthId) {
+		UserAccountsDao userAccountsDao = getUserAccountsDao();
+		if (userAccountsDao == null) {
+			return null;
+		}
+		return userAccountsDao.getUserAccountByExternalAuthId(externalAuthId);
+	}
+
+	@Override
+	public boolean isCurrentPassword(UserAccount userAccount,
+			String clearTextPassword) {
+		if (userAccount == null) {
 			return false;
 		}
-
-		String md5NewPassword = applyMd5Encoding(clearTextPassword);
-		return md5NewPassword.equals(user.getMd5password());
+		if (clearTextPassword == null) {
+			return false;
+		}
+		String encodedPassword = applyMd5Encoding(clearTextPassword);
+		return encodedPassword.equals(userAccount.getMd5Password());
 	}
 
 	@Override
-	public boolean isPasswordChangeRequired(String username) {
-		User user = getUserDao().getUserByUsername(username);
-		if ((user != null) && (user.getLoginCount() == 0)) {
+	public void recordNewPassword(UserAccount userAccount,
+			String newClearTextPassword) {
+		if (userAccount == null) {
+			log.error("Trying to change password on null user.");
+			return;
+		}
+		userAccount.setMd5Password(applyMd5Encoding(newClearTextPassword));
+		userAccount.setPasswordChangeRequired(false);
+		userAccount.setPasswordLinkExpires(0L);
+		getUserAccountsDao().updateUserAccount(userAccount);
+	}
+
+	@Override
+	public boolean accountRequiresEditing(UserAccount userAccount) {
+		if (userAccount == null) {
+			log.error("Trying to check for valid fields on a null user.");
+			return false;
+		}
+		if (userAccount.getFirstName().isEmpty()) {
 			return true;
-		} else {
-			return false;
 		}
+		if (userAccount.getLastName().isEmpty()) {
+			return true;
+		}
+		if (userAccount.getEmailAddress().isEmpty()) {
+			return true;
+		}
+		if (!isValidEmailAddress(userAccount.getEmailAddress())) {
+			return true;
+		}
+		return false;
 	}
 
 	@Override
-	public void recordNewPassword(String username, String newClearTextPassword) {
-		User user = getUserByUsername(username);
-		if (user == null) {
-			log.error("Trying to change password on non-existent user: "
-					+ username);
-			return;
+	public List<String> getAssociatedIndividualUris(UserAccount userAccount) {
+		List<String> uris = new ArrayList<String>();
+		if (userAccount == null) {
+			return uris;
 		}
-		user.setOldPassword(user.getMd5password());
-		user.setMd5password(applyMd5Encoding(newClearTextPassword));
-		getUserDao().updateUser(user);
+		uris.addAll(getUrisAssociatedBySelfEditorConfig(userAccount));
+		return uris;
 	}
 
 	@Override
-	public void recordLoginAgainstUserAccount(String username,
+	public void recordLoginAgainstUserAccount(UserAccount userAccount,
 			AuthenticationSource authSource) {
-		User user = getUserByUsername(username);
-		if (user == null) {
-			log.error("Trying to record the login of a non-existent user: "
-					+ username);
+		if (userAccount == null) {
+			log.error("Trying to record the login of a null user. ");
 			return;
 		}
 
-		recordLoginOnUserRecord(user);
-
-		String userUri = user.getURI();
-		recordLoginWithOrWithoutUserAccount(userUri, authSource);
+		recordLoginOnUserRecord(userAccount);
+		recordLoginWithOrWithoutUserAccount(userAccount.getUri(), authSource);
 	}
 
+	// TODO JB This goes away.
 	@Override
-	public void recordLoginWithoutUserAccount(String username,
-			String individualUri, AuthenticationSource authSource) {
-		recordLoginWithOrWithoutUserAccount(individualUri, authSource);
+	public void recordLoginWithoutUserAccount(String individualUri) {
+		recordLoginWithOrWithoutUserAccount(individualUri,
+				AuthenticationSource.EXTERNAL);
 	}
 
 	/** This much is in common on login, whether or not you have a user account. */
@@ -124,12 +146,9 @@ public class BasicAuthenticator extends Authenticator {
 	/**
 	 * Update the user record to record the login.
 	 */
-	private void recordLoginOnUserRecord(User user) {
-		user.setLoginCount(user.getLoginCount() + 1);
-		if (user.getFirstTime() == null) { // first login
-			user.setFirstTime(new Date());
-		}
-		getUserDao().updateUser(user);
+	private void recordLoginOnUserRecord(UserAccount userAccount) {
+		userAccount.setLoginCount(userAccount.getLoginCount() + 1);
+		getUserAccountsDao().updateUserAccount(userAccount);
 	}
 
 	/**
@@ -175,54 +194,23 @@ public class BasicAuthenticator extends Authenticator {
 				session.getServletContext(), session);
 	}
 
-	@Override
-	public List<String> getAssociatedIndividualUris(String username) {
+	private List<String> getUrisAssociatedBySelfEditorConfig(UserAccount user) {
 		List<String> uris = new ArrayList<String>();
-		uris.addAll(getUrisAssociatedBySelfEditorConfig(username));
-		uris.addAll(getUrisAssociatedByMayEditAs(username));
-		return uris;
-	}
-
-	private List<String> getUrisAssociatedBySelfEditorConfig(String username) {
-		if (username == null) {
-			return Collections.emptyList();
+		if (user == null) {
+			return uris;
 		}
 
 		IndividualDao iDao = getIndividualDao();
 		if (iDao == null) {
-			return Collections.emptyList();
+			return uris;
 		}
 
-		String selfEditorUri = SelfEditingConfiguration.getBean(request)
-				.getIndividualUriFromUsername(iDao, username);
-		if (selfEditorUri == null) {
-			return Collections.emptyList();
-		} else {
-			return Collections.singletonList(selfEditorUri);
+		List<Individual> associatedIndividuals = SelfEditingConfiguration
+				.getBean(request).getAssociatedIndividuals(iDao, user);
+		for (Individual ind : associatedIndividuals) {
+			uris.add(ind.getURI());
 		}
-	}
-
-	private List<String> getUrisAssociatedByMayEditAs(String username) {
-		if (username == null) {
-			return Collections.emptyList();
-		}
-
-		UserDao userDao = getUserDao();
-		if (userDao == null) {
-			return Collections.emptyList();
-		}
-
-		User user = userDao.getUserByUsername(username);
-		if (user == null) {
-			return Collections.emptyList();
-		}
-
-		String userUri = user.getURI();
-		if (userUri == null) {
-			return Collections.emptyList();
-		}
-
-		return userDao.getIndividualsUserMayEditAs(userUri);
+		return uris;
 	}
 
 	@Override
@@ -233,42 +221,30 @@ public class BasicAuthenticator extends Authenticator {
 	}
 
 	private void notifyOtherUsersOfLogout(HttpSession session) {
-		LoginStatusBean loginBean = LoginStatusBean.getBean(session);
-		if (!loginBean.isLoggedIn()) {
+		String userUri = LoginStatusBean.getBean(session).getUserURI();
+		if ((userUri == null) || userUri.isEmpty()) {
 			return;
 		}
 
-		UserDao userDao = getUserDao();
-		if (userDao == null) {
-			return;
-		}
-
-		String userUri = loginBean.getUserURI();
-		User user = userDao.getUserByURI(userUri);
-		if (user == null) {
-			log.error("Unable to retrieve user " + userUri + " from model");
-			return;
-		}
-
-		Authenticate.sendLoginNotifyEvent(new LogoutEvent(user.getURI()),
+		Authenticate.sendLoginNotifyEvent(new LogoutEvent(userUri),
 				session.getServletContext(), session);
 	}
 
 	/**
-	 * Get a reference to the UserDao, or null.
+	 * Get a reference to the UserAccountsDao, or null.
 	 */
-	private UserDao getUserDao() {
+	private UserAccountsDao getUserAccountsDao() {
 		WebappDaoFactory wadf = getWebappDaoFactory();
 		if (wadf == null) {
 			return null;
 		}
 
-		UserDao userDao = wadf.getUserDao();
-		if (userDao == null) {
-			log.error("getUserDao: no UserDao");
+		UserAccountsDao userAccountsDao = wadf.getUserAccountsDao();
+		if (userAccountsDao == null) {
+			log.error("getUserAccountsDao: no UserAccountsDao");
 		}
 
-		return userDao;
+		return userAccountsDao;
 	}
 
 	/**
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginExternalAuthReturn.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginExternalAuthReturn.java
index eea0f21e0..b4eca1079 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginExternalAuthReturn.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginExternalAuthReturn.java
@@ -15,6 +15,7 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean.AuthenticationSource;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 
 /**
  * Handle the return from the external authorization login server. If we are
@@ -40,36 +41,44 @@ public class LoginExternalAuthReturn extends BaseLoginServlet {
 	@Override
 	protected void doPost(HttpServletRequest req, HttpServletResponse resp)
 			throws ServletException, IOException {
-		String username = ExternalAuthHelper.getHelper(req).getExternalAuthId(
-				req);
-		List<String> associatedUris = getAuthenticator(req)
-				.getAssociatedIndividualUris(username);
-
-		if (username == null) {
-			log.debug("No username.");
+		String externalAuthId = ExternalAuthHelper.getHelper(req)
+				.getExternalAuthId(req);
+		if (externalAuthId == null) {
+			log.debug("No externalAuthId.");
 			complainAndReturnToReferrer(req, resp, ATTRIBUTE_REFERRER,
 					MESSAGE_LOGIN_FAILED);
-		} else if (getAuthenticator(req).isExistingUser(username)) {
-			log.debug("Logging in as " + username);
-			getAuthenticator(req).recordLoginAgainstUserAccount(username,
+			return;
+		}
+
+		UserAccount userAccount = getAuthenticator(req)
+				.getAccountForExternalAuth(externalAuthId);
+		if (userAccount != null) {
+			log.debug("Logging in as " + userAccount.getUri());
+			getAuthenticator(req).recordLoginAgainstUserAccount(userAccount,
 					AuthenticationSource.EXTERNAL);
 			removeLoginProcessArtifacts(req);
 			new LoginRedirector(req, resp).redirectLoggedInUser();
-		} else if (!associatedUris.isEmpty()) {
-			log.debug("Recognize '" + username + "' as self-editor for "
+			return;
+		}
+
+		List<String> associatedUris = getAuthenticator(req)
+				.getAssociatedIndividualUris(userAccount);
+		// TODO JB - this case should lead to creating a new account.
+		if (!associatedUris.isEmpty()) {
+			log.debug("Recognize '" + externalAuthId + "' as self-editor for "
 					+ associatedUris);
 			String uri = associatedUris.get(0);
 
-			getAuthenticator(req).recordLoginWithoutUserAccount(username, uri,
-					AuthenticationSource.EXTERNAL);
+			getAuthenticator(req).recordLoginWithoutUserAccount(uri);
 			removeLoginProcessArtifacts(req);
 			new LoginRedirector(req, resp).redirectLoggedInUser();
-		} else {
-			log.debug("User is not recognized: " + username);
-			removeLoginProcessArtifacts(req);
-			new LoginRedirector(req, resp)
-					.redirectUnrecognizedExternalUser(username);
+			return;
 		}
+
+		log.debug("User is not recognized: " + externalAuthId);
+		removeLoginProcessArtifacts(req);
+		new LoginRedirector(req, resp)
+				.redirectUnrecognizedExternalUser(externalAuthId);
 	}
 
 	private void removeLoginProcessArtifacts(HttpServletRequest req) {
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginRedirector.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginRedirector.java
index 32e6c28d4..d0746ad92 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginRedirector.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginRedirector.java
@@ -18,10 +18,9 @@ import org.apache.commons.logging.LogFactory;
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
 import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
 import edu.cornell.mannlib.vitro.webapp.beans.DisplayMessage;
-import edu.cornell.mannlib.vitro.webapp.beans.User;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 import edu.cornell.mannlib.vitro.webapp.controller.Controllers;
 import edu.cornell.mannlib.vitro.webapp.controller.login.LoginProcessBean;
-import freemarker.template.utility.StringUtil;
 
 /**
  * A user has just completed the login process. What page do we direct them to?
@@ -51,23 +50,22 @@ public class LoginRedirector {
 
 	/** Is there an Individual associated with this user? */
 	private String getAssociatedIndividualUri() {
-		User user = LoginStatusBean.getCurrentUser(request);
-		if (user == null) {
-			log.warn("Not logged in? How did we get here?");
+		UserAccount userAccount = LoginStatusBean.getCurrentUser(request);
+		if (userAccount == null) {
+			log.debug("Not logged in? Must be cancelling the password change");
 			return null;
 		}
-		String username = user.getUsername();
 
 		List<String> uris = Authenticator.getInstance(request)
-				.getAssociatedIndividualUris(username);
+				.getAssociatedIndividualUris(userAccount);
 		if (uris.isEmpty()) {
-			log.debug("'" + username
+			log.debug("'" + userAccount.getEmailAddress()
 					+ "' is not associated with an individual.");
 			return null;
 		} else {
 			String uri = uris.get(0);
-			log.debug("'" + username + "' is associated with an individual: "
-					+ uri);
+			log.debug("'" + userAccount.getEmailAddress()
+					+ "' is associated with an individual: " + uri);
 			return uri;
 		}
 	}
@@ -111,13 +109,13 @@ public class LoginRedirector {
 		String backString = "";
 		String greeting = "";
 
-		User user = LoginStatusBean.getCurrentUser(request);
-		if (user != null) {
-			greeting = user.getUsername();
-			if (user.getLoginCount() > 1) {
+		UserAccount userAccount = LoginStatusBean.getCurrentUser(request);
+		if (userAccount != null) {
+			greeting = userAccount.getEmailAddress();
+			if (userAccount.getLoginCount() > 1) {
 				backString = " back";
 			}
-			String name = user.getFirstName();
+			String name = userAccount.getFirstName();
 			if (!StringUtils.isEmpty(name)) {
 				greeting = name;
 			}
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ProgramLogin.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ProgramLogin.java
index af6368315..bdaef9162 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ProgramLogin.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ProgramLogin.java
@@ -14,13 +14,18 @@ import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import edu.cornell.mannlib.vitro.webapp.beans.User;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 
 /**
  * Provide a means for programmatic login If they provide the right parameters,
  * log them in and send 200. Otherwise, send 403 error.
  */
 public class ProgramLogin extends HttpServlet {
+	private static final Log log = LogFactory.getLog(ProgramLogin.class);
+
 	@Override
 	protected void doGet(HttpServletRequest req, HttpServletResponse resp)
 			throws ServletException, IOException {
@@ -34,16 +39,16 @@ public class ProgramLogin extends HttpServlet {
 	}
 
 	static class ProgramLoginCore {
-		public static final String PARAM_USERNAME = "username";
+		public static final String PARAM_EMAIL_ADDRESS = "email";
 		public static final String PARAM_PASSWORD = "password";
 		public static final String PARAM_NEW_PASSWORD = "newPassword";
 		public static final int ERROR_CODE = 403;
 
-		private static final String MESSAGE_NEED_USERNAME = PARAM_USERNAME
+		private static final String MESSAGE_NEED_EMAIL_ADDRESS = PARAM_EMAIL_ADDRESS
 				+ " parameter is required.";
 		private static final String MESSAGE_NEED_PASSWORD = PARAM_PASSWORD
 				+ " parameter is required.";
-		private static final String MESSAGE_WRONG_USER_OR_PASSWORD = PARAM_USERNAME
+		private static final String MESSAGE_WRONG_USER_OR_PASSWORD = PARAM_EMAIL_ADDRESS
 				+ " or " + PARAM_PASSWORD + " is incorrect.";
 		private static final String MESSAGE_NEED_NEW_PASSWORD = "first-time login: "
 				+ PARAM_NEW_PASSWORD + " parameter is required.";
@@ -63,24 +68,31 @@ public class ProgramLogin extends HttpServlet {
 		private final HttpServletResponse resp;
 		private final Authenticator auth;
 
-		private final String username;
+		private final String emailAddress;
 		private final String password;
 		private final String newPassword;
+		private final UserAccount userAccount;
 
 		ProgramLoginCore(HttpServletRequest req, HttpServletResponse resp) {
 			this.req = req;
 			this.resp = resp;
 
-			this.username = getParameter(PARAM_USERNAME);
+			this.emailAddress = getParameter(PARAM_EMAIL_ADDRESS);
 			this.password = getParameter(PARAM_PASSWORD);
 			this.newPassword = getParameter(PARAM_NEW_PASSWORD);
 
+			log.debug("request: email='" + emailAddress + "', password='"
+					+ password + "', newPassword='" + newPassword + "'");
+
 			this.auth = Authenticator.getInstance(req);
+
+			this.userAccount = auth
+					.getAccountForInternalAuth(this.emailAddress);
 		}
 
 		void process() throws IOException {
-			if (username.isEmpty()) {
-				sendError(MESSAGE_NEED_USERNAME);
+			if (emailAddress.isEmpty()) {
+				sendError(MESSAGE_NEED_EMAIL_ADDRESS);
 				return;
 			}
 			if (password.isEmpty()) {
@@ -92,9 +104,7 @@ public class ProgramLogin extends HttpServlet {
 				return;
 			}
 
-			boolean passwordChangeRequired = isFirstTimeLogin();
-
-			if (!passwordChangeRequired) {
+			if (!isPasswordChangeRequired()) {
 				if (!newPassword.isEmpty()) {
 					sendError(MESSAGE_NEW_PASSWORD_NOT_NEEDED);
 					return;
@@ -104,7 +114,7 @@ public class ProgramLogin extends HttpServlet {
 				return;
 			}
 
-			if (passwordChangeRequired) {
+			if (isPasswordChangeRequired()) {
 				if (newPassword.isEmpty()) {
 					sendError(MESSAGE_NEED_NEW_PASSWORD);
 					return;
@@ -134,8 +144,7 @@ public class ProgramLogin extends HttpServlet {
 		}
 
 		private boolean usernameAndPasswordAreValid() {
-			return auth.isExistingUser(username)
-					&& auth.isCurrentPassword(username, password);
+			return auth.isCurrentPassword(userAccount, password);
 		}
 
 		private boolean newPasswordIsValidPasswordLength() {
@@ -147,18 +156,17 @@ public class ProgramLogin extends HttpServlet {
 			return newPassword.equals(password);
 		}
 
-		private boolean isFirstTimeLogin() {
-			User user = auth.getUserByUsername(username);
-			return (user.getLoginCount() == 0);
+		private boolean isPasswordChangeRequired() {
+			return (userAccount.isPasswordChangeRequired());
 		}
 
 		private void recordLogin() {
-			auth.recordLoginAgainstUserAccount(username, INTERNAL);
+			auth.recordLoginAgainstUserAccount(userAccount, INTERNAL);
 		}
 
 		private void recordLoginWithPasswordChange() {
-			auth.recordNewPassword(username, newPassword);
-			auth.recordLoginAgainstUserAccount(username, INTERNAL);
+			auth.recordNewPassword(userAccount, newPassword);
+			auth.recordLoginAgainstUserAccount(userAccount, INTERNAL);
 		}
 
 		private void sendError(String message) throws IOException {
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java
index 3e1fe3ab0..232e08323 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java
@@ -28,7 +28,7 @@ import com.hp.hpl.jena.ontology.OntModel;
 
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean.AuthenticationSource;
-import edu.cornell.mannlib.vitro.webapp.beans.User;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 import edu.cornell.mannlib.vitro.webapp.controller.Controllers;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroHttpServlet;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
@@ -313,8 +313,9 @@ public class Authenticate extends VitroHttpServlet {
 
 		bean.setUsername(username);
 
-		User user = getAuthenticator(request).getUserByUsername(username);
-		log.trace("User is " + (user == null ? "null" : user.getURI()));
+		UserAccount user = getAuthenticator(request).getAccountForInternalAuth(
+				username);
+		log.trace("User is " + (user == null ? "null" : user.getUri()));
 
 		if (user == null) {
 			bean.setMessage(Message.UNKNOWN_USERNAME, username);
@@ -326,16 +327,16 @@ public class Authenticate extends VitroHttpServlet {
 			return;
 		}
 
-		if (!getAuthenticator(request).isCurrentPassword(username, password)) {
+		if (!getAuthenticator(request).isCurrentPassword(user, password)) {
 			bean.setMessage(Message.INCORRECT_PASSWORD);
 			return;
 		}
 
 		// Username and password are correct. What next?
-		if (isFirstTimeLogin(user)) {
+		if (user.isPasswordChangeRequired()) {
 			transitionToForcedPasswordChange(request);
 		} else {
-			transitionToLoggedIn(request, username);
+			transitionToLoggedIn(request, user);
 		}
 	}
 
@@ -383,13 +384,15 @@ public class Authenticate extends VitroHttpServlet {
 
 		String username = bean.getUsername();
 
-		if (getAuthenticator(request).isCurrentPassword(username, newPassword)) {
+		UserAccount user = getAuthenticator(request).getAccountForInternalAuth(
+				username);
+		if (getAuthenticator(request).isCurrentPassword(user, newPassword)) {
 			bean.setMessage(Message.USING_OLD_PASSWORD);
 			return;
 		}
 
 		// New password is acceptable. Store it and go on.
-		transitionToLoggedIn(request, username, newPassword);
+		transitionToLoggedIn(request, user, newPassword);
 	}
 
 	/**
@@ -400,17 +403,6 @@ public class Authenticate extends VitroHttpServlet {
 		// Nothing to do. No transition.
 	}
 
-	/**
-	 * Has this user ever logged in before?
-	 */
-	private boolean isFirstTimeLogin(User user) {
-		if (user.getLoginCount() == 0) {
-			return true;
-		} else {
-			return false;
-		}
-	}
-
 	/**
 	 * State change: they are starting the login process.
 	 */
@@ -432,9 +424,9 @@ public class Authenticate extends VitroHttpServlet {
 	 * State change: all requirements are satisfied. Log them in.
 	 */
 	private void transitionToLoggedIn(HttpServletRequest request,
-			String username) {
-		log.debug("Completed login: " + username);
-		getAuthenticator(request).recordLoginAgainstUserAccount(username,
+			UserAccount user) {
+		log.debug("Completed login: " + user.getEmailAddress());
+		getAuthenticator(request).recordLoginAgainstUserAccount(user,
 				AuthenticationSource.INTERNAL);
 	}
 
@@ -443,10 +435,11 @@ public class Authenticate extends VitroHttpServlet {
 	 * log them in.
 	 */
 	private void transitionToLoggedIn(HttpServletRequest request,
-			String username, String newPassword) {
-		log.debug("Completed login: " + username + ", password changed.");
-		getAuthenticator(request).recordNewPassword(username, newPassword);
-		getAuthenticator(request).recordLoginAgainstUserAccount(username,
+			UserAccount user, String newPassword) {
+		log.debug("Completed login: " + user.getEmailAddress()
+				+ ", password changed.");
+		getAuthenticator(request).recordNewPassword(user, newPassword);
+		getAuthenticator(request).recordLoginAgainstUserAccount(user,
 				AuthenticationSource.INTERNAL);
 	}
 
@@ -478,7 +471,7 @@ public class Authenticate extends VitroHttpServlet {
 		log.debug("logging in.");
 
 		LoginInProcessFlag.set(vreq);
-		
+
 		String loginProcessPage = LoginProcessBean.getBean(vreq)
 				.getLoginPageUrl();
 		response.sendRedirect(loginProcessPage);
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/N3MultiPartUpload.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/N3MultiPartUpload.java
index 338bb3bea..4c397e20e 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/N3MultiPartUpload.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/N3MultiPartUpload.java
@@ -33,10 +33,9 @@ import com.hp.hpl.jena.rdf.model.StmtIterator;
 import com.hp.hpl.jena.shared.Lock;
 
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 import edu.cornell.mannlib.vitro.webapp.config.ConfigurationProperties;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroHttpServlet;
-import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
-import edu.cornell.mannlib.vitro.webapp.dao.UserDao;
 import edu.cornell.mannlib.vitro.webapp.dao.jena.event.EditEvent;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.configuration.EditConfiguration;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.configuration.Field;
@@ -507,12 +506,14 @@ public class N3MultiPartUpload extends VitroHttpServlet {
     }
     
     public void sendUserEmail(HttpServletRequest request, HttpSession session, String uploadFileName) {
-        LoginStatusBean loginBean = LoginStatusBean.getBean(request);
-        String userURI = loginBean.getUserURI();
+    	UserAccount userAccount = LoginStatusBean.getCurrentUser(request);
+    	if (userAccount == null) {
+    		return;
+    	}
+    	
         try{
-	        System.out.println("User URI is " + userURI);
-	        UserDao uDao = (new VitroRequest(request)).getFullWebappDaoFactory().getUserDao();
-	        String email = uDao.getUserEmailAddress(userURI);
+	        System.out.println("User URI is " + userAccount.getUri());
+	        String email = userAccount.getEmailAddress();
 	        String deliveryFrom = "hjk54@cornell.edu";//TO DO: replace with email address to be used
 	        //Now send message
 	        MailUtil mu = new MailUtil(request);
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/UserEditController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/UserEditController.java
deleted file mode 100644
index 49a1038c7..000000000
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/UserEditController.java
+++ /dev/null
@@ -1,138 +0,0 @@
-/* $This file is distributed under the terms of the license in /doc/license.txt$ */
-
-package edu.cornell.mannlib.vitro.webapp.controller.edit;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.servlet.RequestDispatcher;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import edu.cornell.mannlib.vedit.controller.BaseEditController;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.Actions;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.ManageUserAccounts;
-import edu.cornell.mannlib.vitro.webapp.beans.Individual;
-import edu.cornell.mannlib.vitro.webapp.beans.IndividualImpl;
-import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
-import edu.cornell.mannlib.vitro.webapp.beans.ObjectPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.beans.ObjectPropertyStatementImpl;
-import edu.cornell.mannlib.vitro.webapp.beans.User;
-import edu.cornell.mannlib.vitro.webapp.controller.Controllers;
-import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
-import edu.cornell.mannlib.vitro.webapp.dao.UserDao;
-import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
-
-public class UserEditController extends BaseEditController {
-
-    private String[] roleNameStr = new String[51];
-    private static final Log log = LogFactory.getLog(UserEditController.class.getName());
-
-    public UserEditController() {
-        roleNameStr[1] = "self editor";
-        roleNameStr[4] = "editor";
-        roleNameStr[5] = "curator";
-        roleNameStr[50] = "system administrator";
-    }
-
-    @Override
-	public void doPost (HttpServletRequest request, HttpServletResponse response) throws ServletException {
-    	if (!isAuthorizedToDisplayPage(request, response, new Actions(new ManageUserAccounts()))) {
-    		return;
-    	}
-
-        VitroRequest vreq = new VitroRequest(request);
-
-        UserDao uDao = vreq.getFullWebappDaoFactory().getUserDao();
-
-        String userURIStr = request.getParameter("uri");
-        User u = null;
-
-        if (userURIStr == null) {
-            throw new ServletException(this.getClass().getName()+" expects user URI in 'uri' request parameter");
-        } else {
-            u = uDao.getUserByURI(userURIStr);
-        }
-
-        if (u == null) {
-            throw new ServletException(this.getClass().getName()+" could not find user "+userURIStr);
-        }
-
-        ArrayList<String> results = new ArrayList<String>();
-        results.add("Email address");
-        results.add("first name");
-        results.add("last name");
-        results.add("login count");
-        results.add("role");
-
-        String EMPTY = "";
-
-        String usernameStr = (u.getUsername() != null) ? u.getUsername() : "";
-        results.add(usernameStr);
-        String firstNameStr = (u.getFirstName() != null) ? u.getFirstName() : EMPTY;
-        results.add(firstNameStr);
-        String lastNameStr = (u.getLastName() != null) ? u.getLastName() : EMPTY;
-        results.add(lastNameStr);
-        String loginCountStr = Integer.toString(u.getLoginCount());
-        results.add(loginCountStr);
-        String roleStr = "";
-        try {
-            roleStr = roleNameStr[Integer.decode(u.getRoleURI())];
-        } catch (Exception e) {}
-        results.add(roleStr);
-
-        request.setAttribute("results",results);
-
-        List<String> mayEditAsUris = uDao.getIndividualsUserMayEditAs(u.getURI());
-        if( mayEditAsUris != null && mayEditAsUris.size() > 0 ){
-            List<ObjectPropertyStatement> mayEditAsStmts = 
-                new ArrayList<ObjectPropertyStatement>(mayEditAsUris.size());
-            for(String objURI: mayEditAsUris){
-            	Individual editAs = vreq.getFullWebappDaoFactory().getIndividualDao().getIndividualByURI(objURI);
-                ObjectPropertyStatement stmt = new ObjectPropertyStatementImpl();
-                stmt.setSubjectURI(u.getURI());
-                stmt.setPropertyURI(VitroVocabulary.MAY_EDIT_AS);
-                stmt.setObjectURI(objURI);
-                stmt.setObject(editAs);
-                mayEditAsStmts.add(stmt);
-            }
-            request.setAttribute("mayEditAsStmts", mayEditAsStmts);
-        }
-        
-        /* these are set so that we can use the PropertyEditLinks jsp tags */
-        ObjectProperty prop = new ObjectProperty();
-        prop.setURI(VitroVocabulary.MAY_EDIT_AS);
-        request.setAttribute("mayEditObjProp",prop);        
-        Individual entity = new IndividualImpl();
-        entity.setURI(u.getURI());
-        request.setAttribute("entity", entity);
-        
-        request.setAttribute("results", results);
-        request.setAttribute("columncount", new Integer(5));
-        request.setAttribute("suppressquery", "true");
-
-        RequestDispatcher rd = request.getRequestDispatcher(Controllers.BASIC_JSP);
-        request.setAttribute("user", u);
-        request.setAttribute("bodyJsp","/templates/edit/specific/user_edit.jsp");
-        request.setAttribute("title","User Account Control Panel");
-        request.setAttribute("css", "<link rel=\"stylesheet\" type=\"text/css\" href=\""+vreq.getAppBean().getThemeDir()+"css/edit.css\"/>");
-
-        try {
-            rd.forward(request, response);
-        } catch (Exception e) {
-            log.error(this.getClass().getName()+" could not forward to view.");
-            log.error(e.getMessage());
-            log.error(e.getStackTrace());
-        }
-
-    }
-
-    public void doGet (HttpServletRequest request, HttpServletResponse response) throws ServletException {
-        doPost(request,response);
-    }
-
-}
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/UserRetryController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/UserRetryController.java
deleted file mode 100644
index 36d5d7c6f..000000000
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/UserRetryController.java
+++ /dev/null
@@ -1,365 +0,0 @@
-/* $This file is distributed under the terms of the license in /doc/license.txt$ */
-
-package edu.cornell.mannlib.vitro.webapp.controller.edit;
-
-import java.io.IOException;
-import java.net.URLEncoder;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.LinkedList;
-import java.util.List;
-
-import javax.servlet.RequestDispatcher;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import edu.cornell.mannlib.vedit.beans.EditProcessObject;
-import edu.cornell.mannlib.vedit.beans.FormObject;
-import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
-import edu.cornell.mannlib.vedit.beans.Option;
-import edu.cornell.mannlib.vedit.controller.BaseEditController;
-import edu.cornell.mannlib.vedit.forwarder.PageForwarder;
-import edu.cornell.mannlib.vedit.forwarder.impl.UrlForwarder;
-import edu.cornell.mannlib.vedit.listener.ChangeListener;
-import edu.cornell.mannlib.vedit.util.FormUtils;
-import edu.cornell.mannlib.vedit.validator.ValidationObject;
-import edu.cornell.mannlib.vedit.validator.Validator;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.Actions;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.ManageUserAccounts;
-import edu.cornell.mannlib.vitro.webapp.beans.User;
-import edu.cornell.mannlib.vitro.webapp.controller.Controllers;
-import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
-import edu.cornell.mannlib.vitro.webapp.controller.authenticate.Authenticator;
-import edu.cornell.mannlib.vitro.webapp.dao.UserDao;
-
-public class UserRetryController extends BaseEditController {
-
-    private static final String ROLE_PROTOCOL = "role:/";  // this is weird; need to revisit
-    private static final Log log = LogFactory.getLog(UserRetryController.class.getName());
-
-    @Override
-    public void doPost (HttpServletRequest req, HttpServletResponse response) {
-    	if (!isAuthorizedToDisplayPage(req, response, new Actions(new ManageUserAccounts()))) {
-    		return;
-    	}
-
-    	VitroRequest request = new VitroRequest(req);
-
-        //create an EditProcessObject for this and put it in the session
-        EditProcessObject epo = super.createEpo(request);
-        epo.setDataAccessObject(request.getFullWebappDaoFactory().getVClassDao());
-
-        String action = null;
-        if (epo.getAction() == null) {
-            action = "insert";
-            epo.setAction("insert");
-        } else {
-            action = epo.getAction();
-        }
-
-        UserDao uDao = request.getFullWebappDaoFactory().getUserDao();
-        epo.setDataAccessObject(uDao);
-
-        User userForEditing = null;
-        if (!epo.getUseRecycledBean()){
-            if (request.getParameter("uri") != null) {
-                try {
-                    userForEditing = uDao.getUserByURI(request.getParameter("uri"));
-                    userForEditing.setRoleURI(ROLE_PROTOCOL+userForEditing.getRoleURI());
-                    action = "update";
-                    epo.setAction("udpate");
-                } catch (NullPointerException e) {
-                    log.error("Need to implement 'record not found' error message.");
-                }
-            } else {
-                userForEditing = new User();
-                userForEditing.setRoleURI(ROLE_PROTOCOL+"1");
-            }
-            epo.setOriginalBean(userForEditing);
-        } else {
-            userForEditing = (User) epo.getNewBean();
-        }
-
-        populateBeanFromParams(userForEditing, request);
-
-        //validators
-        Validator v = new PairedPasswordValidator();
-        HashMap<String, List<Validator>> validatorMap = new HashMap<String, List<Validator>>();
-        List<Validator> vList = Collections.singletonList(v);
-		validatorMap.put("Md5password", vList);
-		validatorMap.put("passwordConfirmation", vList);
-        epo.setValidatorMap(validatorMap);
-
-        //preprocessors
-       
-        //set up any listeners
-        epo.setChangeListenerList(Collections.singletonList(new UserPasswordChangeListener()));
-
-        //make a postinsert pageforwarder that will send us to a new class's fetch screen
-        epo.setPostInsertPageForwarder(new UserInsertPageForwarder());
-        //make a postdelete pageforwarder that will send us to the list of classes
-        epo.setPostDeletePageForwarder(new UrlForwarder("listUsers"));
-
-        //set the getMethod so we can retrieve a new bean after we've inserted it
-        try {
-            Class<?>[] args = new Class[] {String.class};
-            epo.setGetMethod(uDao.getClass().getDeclaredMethod("getUserByURI",args));
-        } catch (NoSuchMethodException e) {
-            log.error(this.getClass().getName()+" could not find the getVClassByURI method");
-        }
-
-        HashMap<String, List<Option>> optionMap = new HashMap<String, List<Option>>();
-
-        LoginStatusBean loginBean = LoginStatusBean.getBean(request);
-        List<Option> roleOptionList = new LinkedList<Option>();
-        
-        /* bdc34: Datastar needs non-backend-editing users for logging in non-Cornell people*/
-        /* SelfEditingPolicySetup.SELF_EDITING_POLICY_WAS_SETUP is set by the SelfEditingPolicySetup context listener */
-        Option nonEditor = new Option(ROLE_PROTOCOL+1, "self editor");
-        /* self editing should be displayed if we are editing a user account that is already  
-         *  self-editing even if self editing is off. */
-        roleOptionList.add(nonEditor); 
-        
-        Option editor = new Option(ROLE_PROTOCOL+4, "editor");
-        editor.setSelected(userForEditing.getRoleURI().equals(editor.getValue()));
-        Option curator = new Option(ROLE_PROTOCOL+5, "curator");
-        curator.setSelected(userForEditing.getRoleURI().equals(curator.getValue()));
-        Option administrator = new Option (ROLE_PROTOCOL+50, "system administrator");
-        administrator.setSelected(userForEditing.getRoleURI().equals(administrator.getValue()));        
-        
-        roleOptionList.add(editor);
-        roleOptionList.add(curator);
-        roleOptionList.add(administrator);
-
-        optionMap.put("Role", roleOptionList);
-
-        FormObject foo = new FormObject();
-        foo.setErrorMap(epo.getErrMsgMap());
-        foo.setOptionLists(optionMap);
-        epo.setFormObject(foo);
-
-        request.setAttribute("formValue",foo.getValues());
-
-        String html = FormUtils.htmlFormFromBean(userForEditing,action,foo,epo.getBadValueMap());
-
-        RequestDispatcher rd = request.getRequestDispatcher(Controllers.BASIC_JSP);
-        request.setAttribute("formHtml",html);
-        request.setAttribute("user",userForEditing);
-        request.setAttribute("bodyJsp","/templates/edit/formBasic.jsp");
-        if (userForEditing.getMd5password()==null || userForEditing.getMd5password().equals("")) {
-            request.setAttribute("formOnSubmit", "return validatePw(this);");
-            request.setAttribute("formOnCancel", "forceCancel(this.form);");
-        }
-       else {
-            request.setAttribute("formOnSubmit", "return validateUserFields(this);");
-            request.setAttribute("formOnCancel", "forceCancelTwo(this.form);");
-        }
-
-        request.setAttribute("formJsp","/templates/edit/specific/user_retry.jsp");
-        request.setAttribute("scripts","/templates/edit/specific/user_retry_head.jsp");
-        request.setAttribute("title","User Account Editing Form");
-        request.setAttribute("_action",action);
-        request.setAttribute("unqualifiedClassName","User");
-        setRequestAttributes(request,epo);
-
-        try {
-            rd.forward(request, response);
-        } catch (Exception e) {
-            log.error(this.getClass().getName()+" could not forward to view.");
-            log.error(e.getMessage());
-            log.error(e.getStackTrace());
-        }
-
-    }
-
-    @Override
-	public void doGet (HttpServletRequest request, HttpServletResponse response) {
-        doPost(request, response);
-    }
-
-    class UserInsertPageForwarder implements PageForwarder {
-
-        @Override
-		public void doForward(HttpServletRequest request, HttpServletResponse response, EditProcessObject epo){
-            String newUserUrl = "userEdit?uri=";
-            User u = (User) epo.getNewBean();
-            try {
-                newUserUrl += URLEncoder.encode(u.getURI(),"UTF-8");
-            } catch (Exception e) {
-                log.error(this.getClass().getName()+" could not use UTF-8 encoding to encode new URL");
-            }
-            try {
-                response.sendRedirect(newUserUrl);
-            } catch (IOException ioe) {
-                log.error(this.getClass().getName()+" could not send redirect.");
-            }
-        }
-    }
-
-    /**
-     * Create one of these and assign it to both password fields.
-     */
-    class PairedPasswordValidator implements Validator {
-    	private String otherValue;
-    	
-		/**
-		 * Validate the length of this password, and stash it for the other
-		 * validator to compare to.
-		 * 
-		 * This relies on the fact that {@link #validate(Object)} will be called
-		 * once for each of the password fields.
-		 */
-		@Override
-		public ValidationObject validate(Object value)
-				throws IllegalArgumentException {
-			log.trace("validate password pair: " + value + ", " + otherValue);
-
-			// Must be a non-null String
-			if (!(value instanceof String)) {
-				log.trace("not a string: " + value);
-				return ValidationObject.failure(value, "Please enter a value");
-			}
-
-			// Must be within the length limits.
-			String string = (String) value;
-			if ((string.length() < User.MIN_PASSWORD_LENGTH)
-					|| (string.length() > User.MAX_PASSWORD_LENGTH)) {
-				log.trace("bad length: " + value);
-				return ValidationObject.failure(value,
-						"Please enter a password between "
-								+ User.MIN_PASSWORD_LENGTH + " and "
-								+ User.MAX_PASSWORD_LENGTH
-								+ " characters long.");
-			}
-
-			// If we haven't validate the other yet, just store this value.
-			if (otherValue == null) {
-				log.trace("first of the pair: " + value);
-				otherValue = string;
-				return ValidationObject.success(value);
-			}
-
-			// Compare this value to the stored one.
-			String otherString = otherValue;
-			otherValue = null;
-			if (string.equals(otherString)) {
-				log.trace("values are equal: " + value);
-				return ValidationObject.success(value);
-			} else {
-				log.trace("values are not equal: " + value + ", " + otherValue);
-				return ValidationObject.failure(value,
-						"The passwords do not match.");
-			}
-		}
-    }
-
-    /**
-     * When a new password is created, encode it.
-     */
-	class UserPasswordChangeListener implements ChangeListener {
-		/** 
-		 * Encode the password for a new user.
-		 */
-		@Override
-		public void doInserted(Object newObj, EditProcessObject epo) {
-			try {
-				User newUser = convertToUser(newObj);
-				UserDao userDao = getUserDaoFromEPO(epo);
-				encodePasswordAndUpdateUser("insert", newUser, userDao);
-			} catch (PwException e) {
-				log.error(e.getMessage());
-			}
-		}
-
-		/**
-		 * Encode the password for an updated user, if it has changed.
-		 */
-		@Override
-		public void doUpdated(Object oldObj, Object newObj,
-				EditProcessObject epo) {
-			try {
-				User newUser = convertToUser(newObj);
-				User oldUser = convertToUser(oldObj);
-				UserDao userDao = getUserDaoFromEPO(epo);
-				if (passwordHasChanged(newUser, oldUser)) {
-					encodePasswordAndUpdateUser("update", newUser, userDao);
-				} else {
-					log.debug("update: password has not changed.");
-				}
-			} catch (PwException e) {
-				log.error(e.getMessage());
-			}
-		}
-
-		/** 
-		 * Do nothing for a deleted user.
-		 */
-		@Override
-		public void doDeleted(Object oldObj, EditProcessObject epo) {
-			log.debug("delete: nothing to do");
-		}
-		
-		private User convertToUser(Object o) throws PwException {
-			if (o instanceof User) {
-				return (User) o;
-			} else {
-				throw new PwException("Can't apply password encoding without a "
-						+ "User object: " + o);
-			}
-		}
-
-		private UserDao getUserDaoFromEPO(EditProcessObject epo)
-				throws PwException {
-			if (epo == null) {
-				throw new PwException(
-						"Can't apply password encoding without an "
-								+ "EditProcessObject");
-			}
-			
-			Object dao = epo.getDataAccessObject();
-			
-			if (dao instanceof UserDao) {
-				return (UserDao) dao;
-			} else {
-				throw new PwException(
-						"Can't apply password encoding without a "
-								+ "UserDao object: " + dao);
-			}
-		}
-
-		private boolean passwordHasChanged(User newUser, User oldUser)
-				throws PwException {
-			String newPw = newUser.getMd5password();
-			String oldPw = oldUser.getMd5password();
-			if (newPw == null) {
-				throw new PwException("Can't encode a null password");
-			}
-			return !newPw.equals(oldPw);
-		}
-
-		private void encodePasswordAndUpdateUser(String action, User user, UserDao userDao) {
-			String rawPassword = user.getMd5password();
-			if (rawPassword == null) {
-				log.error("Can't encode a null password");
-			}
-
-			String encodedPassword = Authenticator.applyMd5Encoding(rawPassword);
-			log.trace(action + ": Raw password '" + rawPassword
-					+ "', encoded '" + encodedPassword + "'");
-
-			user.setMd5password(encodedPassword);
-
-			userDao.updateUser(user);
-		}
-	}
-	
-	class PwException extends Exception {
-		public PwException(String message) {
-			super(message);
-		}
-	}
-	
-}
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/listing/UsersListingController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/listing/UsersListingController.java
deleted file mode 100644
index 8f0cfdad5..000000000
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/listing/UsersListingController.java
+++ /dev/null
@@ -1,122 +0,0 @@
-/* $This file is distributed under the terms of the license in /doc/license.txt$ */
-
-package edu.cornell.mannlib.vitro.webapp.controller.edit.listing;
-
-import java.net.URLEncoder;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Iterator;
-import java.util.List;
-
-import javax.servlet.RequestDispatcher;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import edu.cornell.mannlib.vedit.controller.BaseEditController;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.Actions;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.ManageUserAccounts;
-import edu.cornell.mannlib.vitro.webapp.beans.User;
-import edu.cornell.mannlib.vitro.webapp.controller.Controllers;
-import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
-import edu.cornell.mannlib.vitro.webapp.dao.UserDao;
-
-public class UsersListingController extends BaseEditController {
-	public static final Actions REQUIRED_ACTIONS = new Actions(new ManageUserAccounts());
-
-	private String[] roleNameStr = new String[51];
-
-    public UsersListingController() {
-        roleNameStr[1] = "self editor";
-        roleNameStr[4] = "editor";
-        roleNameStr[5] = "curator";
-        roleNameStr[50] = "system administrator";
-    }
-
-    @Override
-	public void doGet(HttpServletRequest request, HttpServletResponse response) {
-    	if (!isAuthorizedToDisplayPage(request, response, REQUIRED_ACTIONS)) {
-    		return;
-    	}
-    	
-        VitroRequest vrequest = new VitroRequest(request);
-
-        UserDao dao = vrequest.getFullWebappDaoFactory().getUserDao();
-
-        List<User> users = dao.getAllUsers();
-        Collections.sort(users);
-
-        ArrayList<String> results = new ArrayList<String>();
-        results.add("XX");
-        results.add("User");
-        results.add("first name");
-        results.add("last name");
-        results.add("role");
-        results.add("first login");
-        results.add("login count");
-        //results.add("recent edits"); // 2010-01-21 not currently supporting
-        
-        Integer width = results.size();
-
-        String EMPTY = "";
-
-        if (users != null) {
-            Iterator<User> userIt = users.iterator();
-            while (userIt.hasNext()) {
-                User user = userIt.next();
-                results.add("XX");
-                if (user.getUsername() != null) {
-                    try {
-                        results.add("<a href=\"./userEdit?uri="+URLEncoder.encode(user.getURI(),"UTF-8")+"\">"+user.getUsername()+"</a>");
-                    } catch (Exception e) {
-                        results.add(user.getUsername());
-                    }
-                } else {
-                    results.add("");
-                }
-                String firstNameStr = (user.getFirstName() != null) ? user.getFirstName() : EMPTY;
-                results.add(firstNameStr);
-                String lastNameStr = (user.getLastName() != null) ? user.getLastName() : EMPTY;
-                results.add(lastNameStr);
-                String roleStr = "";
-                try {
-                    roleStr = roleNameStr[Integer.decode(user.getRoleURI())];
-                } catch (Exception e) {}
-                results.add(roleStr);
-                String firstLoginStr = "";
-                try {
-                    firstLoginStr = (DISPLAY_DATE_FORMAT.format(user.getFirstTime()));
-                } catch (Exception e) {}
-                results.add(firstLoginStr);
-                String loginCountStr = Integer.toString(user.getLoginCount());
-                results.add(loginCountStr);
-// 2010-01-21 not currently supporting "recent edits"
-//                try {
-//                	results.add("<a href=\"statementHistory?userURI="+URLEncoder.encode(user.getURI(),"UTF-8")+"\">recent edits</a>");
-//                } catch (Exception e) {}
-
-            }
-            request.setAttribute("results",results);
-        }
-
-        request.setAttribute("columncount", width);
-        request.setAttribute("suppressquery","true");
-        request.setAttribute("title","User Accounts");
-        request.setAttribute("bodyJsp", Controllers.HORIZONTAL_JSP);
-        request.setAttribute("horizontalJspAddButtonUrl", Controllers.RETRY_URL);
-        request.setAttribute("horizontalJspAddButtonText", "Add new user account");
-        request.setAttribute("horizontalJspAddButtonControllerParam", "User");
-        RequestDispatcher rd = request.getRequestDispatcher(Controllers.BASIC_JSP);
-        try {
-            rd.forward(request,response);
-        } catch (Throwable t) {
-            t.printStackTrace();
-        }
-
-    }
-
-    @Override
-	public void doPost(HttpServletRequest request, HttpServletResponse response) {
-        doGet(request,response);
-    }
-
-}
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FreemarkerHttpServlet.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FreemarkerHttpServlet.java
index e4a1dcf15..fed74cbe0 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FreemarkerHttpServlet.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FreemarkerHttpServlet.java
@@ -22,7 +22,6 @@ import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.Actions;
 import edu.cornell.mannlib.vitro.webapp.beans.ApplicationBean;
 import edu.cornell.mannlib.vitro.webapp.beans.DisplayMessage;
 import edu.cornell.mannlib.vitro.webapp.config.RevisionInfoBean;
-import edu.cornell.mannlib.vitro.webapp.controller.ContactMailServlet;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroHttpServlet;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.TemplateProcessingHelper.TemplateProcessingException;
@@ -255,6 +254,7 @@ public class FreemarkerHttpServlet extends VitroHttpServlet {
         urls.put("termsOfUse", urlBuilder.getPortalUrl(Route.TERMS_OF_USE));  
         urls.put("login", urlBuilder.getLoginUrl());          
         urls.put("logout", urlBuilder.getLogoutUrl());       
+        urls.put("myAccount", UrlBuilder.getUrl("/accounts/myAccount"));       
         urls.put("siteAdmin", urlBuilder.getPortalUrl(Route.SITE_ADMIN));  
         urls.put("themeImages", urlBuilder.getPortalUrl(themeDir + "/images"));
         urls.put("images", UrlBuilder.getUrl("/images"));
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/IndividualController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/IndividualController.java
index c4ab077f4..303ca289e 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/IndividualController.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/IndividualController.java
@@ -455,8 +455,10 @@ public class IndividualController extends FreemarkerHttpServlet {
             netIdStr = vreq.getParameter("netid");
         if ( netIdStr != null ){
     		SelfEditingConfiguration sec = SelfEditingConfiguration.getBean(vreq);
-    		uri = sec.getIndividualUriFromUsername(iwDao, netIdStr);
-            return iwDao.getIndividualByURI(uri);
+    		List<Individual> assocInds = sec.getAssociatedIndividuals(iwDao, netIdStr);
+    		if (!assocInds.isEmpty()) {
+    			return assocInds.get(0);
+    		}
         }
 
 		return null;		
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/SiteAdminController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/SiteAdminController.java
index 00058d3d9..de1e1c340 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/SiteAdminController.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/SiteAdminController.java
@@ -24,7 +24,6 @@ import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.SeeSiteAdm
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseAdvancedDataToolsPages;
 import edu.cornell.mannlib.vitro.webapp.beans.VClassGroup;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
-import edu.cornell.mannlib.vitro.webapp.controller.edit.listing.UsersListingController;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.UrlBuilder.ParamMap;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.responsevalues.ResponseValues;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.responsevalues.TemplateResponseValues;
@@ -119,10 +118,6 @@ public class SiteAdminController extends FreemarkerHttpServlet {
         Map<String, Object> map = new HashMap<String, Object>();
         Map<String, String> urls = new HashMap<String, String>();
         
-		// TODO remove this when the UserAccounts are fully implemented. -- jblake
-        if (PolicyHelper.isAuthorizedForActions(vreq, UsersListingController.REQUIRED_ACTIONS)) {                
-            urls.put("users", urlBuilder.getPortalUrl("/listUsers"));
-        }
         if (PolicyHelper.isAuthorizedForActions(vreq, new ManageUserAccounts())) {
         	urls.put("userList", urlBuilder.getPortalUrl("/accountsAdmin"));
         }
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/IndividualDao.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/IndividualDao.java
index 91b7e0987..87d94c262 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/IndividualDao.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/IndividualDao.java
@@ -108,10 +108,6 @@ public interface IndividualDao extends ObjectSourceIface {
     /**
      * Returns a list of individuals with the given value for the given dataProperty.  If
      * there are no Indiviuals that fit the criteria then an empty list is returned.
-     * 
-     * @param dataPropertyUri
-     * @param value
-     * @return
      */
     public List<Individual> getIndividualsByDataProperty(String dataPropertyUri, String value);
 
@@ -128,9 +124,6 @@ public interface IndividualDao extends ObjectSourceIface {
 
 	List<Keyword> getKeywordObjectsForIndividual(String individualURI);
 
-	/** In most cases, it's best to let ExternalAuthHelper call this for you. */
-	String getIndividualURIFromNetId(String netIdStr, String netidMatchingPropertyUri);
-
 	String getNetId(String entityURI);
 
 	String getStatus(String entityURI);
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/UserAccountsDao.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/UserAccountsDao.java
index ab4ab022e..46115df77 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/UserAccountsDao.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/UserAccountsDao.java
@@ -13,6 +13,11 @@ import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
  */
 public interface UserAccountsDao {
 
+	/**
+	 * Get all of the UserAccounts in the model.
+	 */
+	Collection<UserAccount> getAllUserAccounts();
+
 	/**
 	 * Get the UserAccount for this URI.
 	 * 
@@ -28,6 +33,18 @@ public interface UserAccountsDao {
 	 */
 	UserAccount getUserAccountByEmail(String emailAddress);
 
+	/**
+	 * Get the UserAccount for this External Authentication ID
+	 * 
+	 * @return null if the ID is null, or if there is no such UserAccount
+	 */
+	UserAccount getUserAccountByExternalAuthId(String externalAuthId);
+
+	/**
+	 * Is this UserAccount a root user?
+	 */
+	boolean isRootUser(UserAccount userAccount);
+	
 	/**
 	 * Create a new UserAccount in the model.
 	 * 
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/UserDao.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/UserDao.java
deleted file mode 100644
index ba40168c5..000000000
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/UserDao.java
+++ /dev/null
@@ -1,28 +0,0 @@
-/* $This file is distributed under the terms of the license in /doc/license.txt$ */
-
-package edu.cornell.mannlib.vitro.webapp.dao;
-
-import edu.cornell.mannlib.vitro.webapp.beans.User;
-
-import java.util.List;
-
-public interface UserDao {
-
-    public User getUserByUsername(String username);
-
-    public User getUserByURI(String URI);
-
-    public List <User> getAllUsers();
-
-    public void updateUser(User user);
-
-    public String insertUser(User user);
-
-    public void deleteUser(User user);
-
-    public List<String> getIndividualsUserMayEditAs(String userURI);
-    
-    public List<String> getUserAccountEmails();
-    
-    public String getUserEmailAddress(String userURI);
-}
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/VitroVocabulary.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/VitroVocabulary.java
index c35eccd51..706b665cb 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/VitroVocabulary.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/VitroVocabulary.java
@@ -169,21 +169,12 @@ public class VitroVocabulary {
 
     // =============== Vitro User vocabulary =================================
 
-    // TODO - these go away when the UserAccount stuff is fully implemented - jblake
-    public static final String USER = vitroURI+"User";
-    public static final String USER_USERNAME = vitroURI+"username";
-    public static final String USER_MD5PASSWORD = vitroURI+"md5password";
-    public static final String USER_OLDPASSWORD = vitroURI+"oldpassword";
-    public static final String USER_FIRSTTIME = vitroURI+"firstTime";
-    public static final String USER_LOGINCOUNT = vitroURI+"loginCount";
-    public static final String USER_ROLE = vitroURI+"roleURI";
-    public static final String USER_LASTNAME = vitroURI+"lastName";
-    public static final String USER_FIRSTNAME = vitroURI+"firstName";
-    public static final String MAY_EDIT_AS = vitroURI+"mayEditAs";
+//    public static final String MAY_EDIT_AS = vitroURI+"mayEditAs";
 
     // =============== Vitro UserAccount and PermissionSet vocabulary ===========
     
     public static final String USERACCOUNT = VITRO_AUTH + "UserAccount";
+    public static final String USERACCOUNT_ROOT_USER = VITRO_AUTH + "RootUserAccount";
     public static final String USERACCOUNT_EMAIL_ADDRESS = VITRO_AUTH + "emailAddress";
     public static final String USERACCOUNT_FIRST_NAME = VITRO_AUTH + "firstName";
     public static final String USERACCOUNT_LAST_NAME = VITRO_AUTH + "lastName";
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/WebappDaoFactory.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/WebappDaoFactory.java
index cbc9a5adc..915d15b94 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/WebappDaoFactory.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/WebappDaoFactory.java
@@ -2,7 +2,6 @@
 
 package edu.cornell.mannlib.vitro.webapp.dao;
 
-import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -118,9 +117,6 @@ public interface WebappDaoFactory {
     public LinksDao getLinksDao();
     public LinktypeDao getLinktypeDao();
 
-    // TODO This goes away when the UserAccounts stuff is fully implemented - jblake.
-    public UserDao getUserDao();
-    
     public UserAccountsDao getUserAccountsDao();
 
     public VClassGroupDao getVClassGroupDao();
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/IndividualDaoFiltering.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/IndividualDaoFiltering.java
index 86c7bb761..ad813013d 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/IndividualDaoFiltering.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/IndividualDaoFiltering.java
@@ -85,16 +85,6 @@ class IndividualDaoFiltering extends BaseFiltering implements IndividualDao{
         innerIndividualDao.fillVClassForIndividual(individual);
     }
 
-
-    public String getIndividualURIFromNetId(String netIdStr, String netidMatchingPropertyUri) {
-        String uri = innerIndividualDao.getIndividualURIFromNetId(netIdStr, netidMatchingPropertyUri);
-        if( uri == null ) return null;
-        Individual ent = getIndividualByURI(uri);
-        if( ent != null && filters.getIndividualFilter().fn(ent) )
-            return uri;
-        else
-            return null;
-    }
     public List<Individual> getIndividualsByDataProperty(String dataPropertyUri, String value) {
         return filterAndWrap(innerIndividualDao.getIndividualsByDataProperty(dataPropertyUri,value),
                      filters);
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/UserAccountsDaoFiltering.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/UserAccountsDaoFiltering.java
index ab46abac6..12b725c5b 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/UserAccountsDaoFiltering.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/UserAccountsDaoFiltering.java
@@ -27,6 +27,11 @@ public class UserAccountsDaoFiltering extends BaseFiltering implements
 		this.filters = filters;
 	}
 
+	@Override
+	public Collection<UserAccount> getAllUserAccounts() {
+		return innerDao.getAllUserAccounts();
+	}
+
 	@Override
 	public UserAccount getUserAccountByUri(String uri) {
 		return innerDao.getUserAccountByUri(uri);
@@ -37,6 +42,16 @@ public class UserAccountsDaoFiltering extends BaseFiltering implements
 		return innerDao.getUserAccountByEmail(emailAddress);
 	}
 
+	@Override
+	public UserAccount getUserAccountByExternalAuthId(String externalAuthId) {
+		return innerDao.getUserAccountByExternalAuthId(externalAuthId);
+	}
+	
+	@Override
+	public boolean isRootUser(UserAccount userAccount) {
+		return innerDao.isRootUser(userAccount);
+	}
+
 	@Override
 	public String insertUserAccount(UserAccount userAccount) {
 		return innerDao.insertUserAccount(userAccount);
@@ -61,4 +76,5 @@ public class UserAccountsDaoFiltering extends BaseFiltering implements
 	public Collection<PermissionSet> getAllPermissionSets() {
 		return innerDao.getAllPermissionSets();
 	}
+
 }
\ No newline at end of file
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/UserDaoFiltering.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/UserDaoFiltering.java
deleted file mode 100644
index 49ddcb37b..000000000
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/UserDaoFiltering.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/* $This file is distributed under the terms of the license in /doc/license.txt$ */
-
-package edu.cornell.mannlib.vitro.webapp.dao.filtering;
-
-import edu.cornell.mannlib.vitro.webapp.beans.*;
-import edu.cornell.mannlib.vitro.webapp.dao.UserDao;
-import edu.cornell.mannlib.vitro.webapp.dao.filtering.filters.VitroFilters;
-import net.sf.jga.fn.UnaryFunctor;
-
-import java.util.List;
-
-public class UserDaoFiltering extends BaseFiltering implements UserDao{
-
-    private final UserDao innerDao;
-    private final VitroFilters filters;
-
-    public UserDaoFiltering(UserDao userDao, VitroFilters filters) {
-        this.innerDao = userDao;
-        this.filters = filters;
-    }
-
-    public List<User> getAllUsers() {
-        return filter(innerDao.getAllUsers(),filters.getUserFilter());
-    }
-
-    public User getUserByURI(String URI) {
-        User u = innerDao.getUserByURI(URI);
-        if( u != null && filters.getUserFilter().fn(u))
-            return u;
-        else
-            return null;
-    }
-
-    public User getUserByUsername(String username) {
-        User u = innerDao.getUserByUsername(username);
-        if( u != null && filters.getUserFilter().fn(u))
-            return u;
-        else
-            return null;
-    }
-
-    public void updateUser(User user) {
-        innerDao.updateUser(user);
-    }
-
-    public String insertUser(User user) {
-        return innerDao.insertUser(user);
-    }
-
-    public void deleteUser(User user) {
-        innerDao.deleteUser(user);
-    }
-
-    public List<String> getIndividualsUserMayEditAs(String userURI) {
-        return innerDao.getIndividualsUserMayEditAs(userURI);
-    }
-    
-    public List<String> getUserAccountEmails() {
-    	return innerDao.getUserAccountEmails();
-    }
-    
-    public String getUserEmailAddress(String userURI) {
-    	return innerDao.getUserEmailAddress(userURI);
-    }
-
-}
\ No newline at end of file
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/WebappDaoFactoryFiltering.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/WebappDaoFactoryFiltering.java
index 184c63479..5462c2ec3 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/WebappDaoFactoryFiltering.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/WebappDaoFactoryFiltering.java
@@ -12,7 +12,6 @@ import edu.cornell.mannlib.vitro.webapp.dao.DataPropertyDao;
 import edu.cornell.mannlib.vitro.webapp.dao.DataPropertyStatementDao;
 import edu.cornell.mannlib.vitro.webapp.dao.DatatypeDao;
 import edu.cornell.mannlib.vitro.webapp.dao.DisplayModelDao;
-import edu.cornell.mannlib.vitro.webapp.dao.FlagDao;
 import edu.cornell.mannlib.vitro.webapp.dao.IndividualDao;
 import edu.cornell.mannlib.vitro.webapp.dao.KeywordDao;
 import edu.cornell.mannlib.vitro.webapp.dao.KeywordIndividualRelationDao;
@@ -27,7 +26,6 @@ import edu.cornell.mannlib.vitro.webapp.dao.PageDao;
 import edu.cornell.mannlib.vitro.webapp.dao.PropertyGroupDao;
 import edu.cornell.mannlib.vitro.webapp.dao.PropertyInstanceDao;
 import edu.cornell.mannlib.vitro.webapp.dao.UserAccountsDao;
-import edu.cornell.mannlib.vitro.webapp.dao.UserDao;
 import edu.cornell.mannlib.vitro.webapp.dao.VClassDao;
 import edu.cornell.mannlib.vitro.webapp.dao.VClassGroupDao;
 import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
@@ -69,7 +67,6 @@ public class WebappDaoFactoryFiltering implements WebappDaoFactory {
     transient private ObjectPropertyStatementDao filteringObjectPropertyStatementDao=null;
     transient private VClassDao                filteringVClassDao=null;
 
-    transient private UserDao filteringUserDao=null;     // TODO This goes away when the UserAccounts stuff is fully implemented - jblake.
     transient private UserAccountsDao filteringUserAccountsDao=null;
     transient private VClassGroupDao filteringVClassGroupDao=null;
     transient private PropertyGroupDao filteringPropertyGroupDao=null;
@@ -128,14 +125,6 @@ public class WebappDaoFactoryFiltering implements WebappDaoFactory {
         return filteringIndividualDao;
     }
 
-    // TODO This goes away when the UserAccounts stuff is fully implemented - jblake.
-    public UserDao getUserDao() {
-        if( filteringUserDao == null)
-            filteringUserDao =
-                new UserDaoFiltering(innerWebappDaoFactory.getUserDao(),filters);                                     
-        return filteringUserDao;
-    }
-
     public UserAccountsDao getUserAccountsDao() {
     	if( filteringUserAccountsDao == null)
     		filteringUserAccountsDao =
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFilters.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFilters.java
index 5ce76f052..2f3cbd5e2 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFilters.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFilters.java
@@ -9,38 +9,26 @@ import edu.cornell.mannlib.vitro.webapp.beans.Individual;
 import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.ObjectPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.beans.PropertyGroup;
-import edu.cornell.mannlib.vitro.webapp.beans.User;
 import edu.cornell.mannlib.vitro.webapp.beans.VClass;
 import edu.cornell.mannlib.vitro.webapp.beans.VClassGroup;
 
 public interface VitroFilters {
 
-
     public VitroFilters and(VitroFilters other);
 
     public UnaryFunctor<Individual, Boolean> getIndividualFilter();
 
-
     public UnaryFunctor<DataProperty, Boolean> getDataPropertyFilter();
 
-
     public UnaryFunctor<ObjectProperty, Boolean> getObjectPropertyFilter();
 
-
     public UnaryFunctor<DataPropertyStatement, Boolean> getDataPropertyStatementFilter();
 
-
     public UnaryFunctor<ObjectPropertyStatement, Boolean> getObjectPropertyStatementFilter();
 
-
     public UnaryFunctor<VClass, Boolean> getClassFilter();
 
-
     public UnaryFunctor<VClassGroup, Boolean> getVClassGroupFilter();
-
-    // TODO This goes away when the UserAccounts stuff is fully implemented -- jb
-    public UnaryFunctor<User, Boolean> getUserFilter();
-    
     
     public UnaryFunctor<PropertyGroup, Boolean> getPropertyGroupFilter();
 
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFiltersBase.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFiltersBase.java
index 1ff4fded0..b0f13bfd5 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFiltersBase.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFiltersBase.java
@@ -19,7 +19,6 @@ public abstract class VitroFiltersBase implements VitroFilters {
              AdaptorFunctors.and(this.getObjectPropertyStatementFilter(),other.getObjectPropertyStatementFilter()),
              AdaptorFunctors.and(this.getClassFilter(),other.getClassFilter()),
              AdaptorFunctors.and(this.getVClassGroupFilter(),other.getVClassGroupFilter()),
-             AdaptorFunctors.and(this.getUserFilter(), other.getUserFilter()),
              AdaptorFunctors.and(this.getPropertyGroupFilter(), other.getPropertyGroupFilter())
             );
     }
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFiltersImpl.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFiltersImpl.java
index efd70e5b4..1e6abbb7f 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFiltersImpl.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFiltersImpl.java
@@ -10,9 +10,9 @@ import edu.cornell.mannlib.vitro.webapp.beans.Individual;
 import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.ObjectPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.beans.PropertyGroup;
-import edu.cornell.mannlib.vitro.webapp.beans.User;
 import edu.cornell.mannlib.vitro.webapp.beans.VClass;
 import edu.cornell.mannlib.vitro.webapp.beans.VClassGroup;
+import edu.cornell.mannlib.vitro.webapp.web.templatemodels.User;
 
 /**
  * A object to hold all the filters commonly used by the vitro webapp.
@@ -43,9 +43,6 @@ public class VitroFiltersImpl extends VitroFiltersBase {
     /** filter for VClassGroup objects */
     UnaryFunctor<VClassGroup,Boolean>          vClassGroupFilter;
 
-    /** filter for User objects */
-    UnaryFunctor<User,Boolean>                 userFilter;
-
     /** fitler for PropertyGroup objects */
     UnaryFunctor<PropertyGroup, Boolean>      propertyGroupFilter;
 
@@ -64,7 +61,6 @@ public class VitroFiltersImpl extends VitroFiltersBase {
         objectPropertyStatementFilter= FILTER_OUT_NOTHING;
         classFilter= FILTER_OUT_NOTHING;
         vClassGroupFilter = FILTER_OUT_NOTHING;
-        userFilter= FILTER_OUT_NOTHING;
         propertyGroupFilter = FILTER_OUT_NOTHING;
     }
 
@@ -76,7 +72,6 @@ public class VitroFiltersImpl extends VitroFiltersBase {
             UnaryFunctor<ObjectPropertyStatement, Boolean> objectPropertyStatementFilter,
             UnaryFunctor<VClass, Boolean> classFilter,
             UnaryFunctor<VClassGroup, Boolean> classGroupFilter,
-            UnaryFunctor<User, Boolean> userFilter,
             UnaryFunctor<PropertyGroup,Boolean>propertyGroupFilter) {
         super();
         this.individualFilter = individualFilter;
@@ -86,7 +81,6 @@ public class VitroFiltersImpl extends VitroFiltersBase {
         this.objectPropertyStatementFilter = objectPropertyStatementFilter;
         this.classFilter = classFilter;
         vClassGroupFilter = classGroupFilter;
-        this.userFilter = userFilter;
         this.propertyGroupFilter = propertyGroupFilter;
     }
 
@@ -180,18 +174,6 @@ public class VitroFiltersImpl extends VitroFiltersBase {
         return this;
     }
 
-    /* (non-Javadoc)
-     * @see edu.cornell.mannlib.vitro.webapp.dao.filtering.VitroFilters#getUserFilter()
-     */
-    public UnaryFunctor<User, Boolean> getUserFilter() {
-        return userFilter;
-    }
-
-    public VitroFilters setUserFilter(UnaryFunctor<User, Boolean> userFilter) {
-        this.userFilter = userFilter;
-        return this;
-    }
-
     public UnaryFunctor<PropertyGroup, Boolean> getPropertyGroupFilter() {
         return propertyGroupFilter;
     }
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/IndividualDaoJena.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/IndividualDaoJena.java
index 732d40891..29b3b8397 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/IndividualDaoJena.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/IndividualDaoJena.java
@@ -650,38 +650,20 @@ public class IndividualDaoJena extends JenaBaseDao implements IndividualDao {
         return keywords;
     }
 
-	public String getIndividualURIFromNetId(String netIdStr, String netidMatchingPropertyUri) {
-		if (netidMatchingPropertyUri == null) {
-			return null;
-		}
-
-        Property prop = getOntModel().getProperty(netidMatchingPropertyUri);
-        Literal netid = getOntModel().createLiteral(netIdStr);
-        
-        ResIterator stmts = null;
-        try{
-            stmts = getOntModel().listResourcesWithProperty(prop, netid);
-            if (stmts.hasNext()) {
-                return stmts.nextResource().getURI();
-            } else {
-            	return null;
-            }
-        }   finally{
-            if( stmts != null ) stmts.close();
-        }
-    }
-
     /**
      * In Jena it can be difficult to get an object with a given dataproperty if
      * you do not care about the datatype or lang of the literal.  Use this
      * method if you would like to ignore the lang and datatype.  
+     * 
+     * Note: this method doesn't require that a property be declared in the 
+     * ontology as a data property -- only that it behaves as one.
      */
     public List<Individual> getIndividualsByDataProperty(String dataPropertyUri, String value){        
         Property prop = null;
         if( RDFS.label.getURI().equals( dataPropertyUri )){
             prop = RDFS.label;
         }else{
-            prop = getOntModel().getDatatypeProperty(dataPropertyUri);
+            prop = getOntModel().getProperty(dataPropertyUri);
         }
 
         if( prop == null ) {            
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/IndividualDaoSDB.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/IndividualDaoSDB.java
index 9604599bd..7e12cf122 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/IndividualDaoSDB.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/IndividualDaoSDB.java
@@ -222,6 +222,9 @@ public class IndividualDaoSDB extends IndividualDaoJena {
      * In Jena it can be difficult to get an object with a given dataproperty if
      * you do not care about the datatype or lang of the literal.  Use this
      * method if you would like to ignore the lang and datatype.  
+     * 
+     * Note: this method doesn't require that a property be declared in the 
+     * ontology as a data property -- only that it behaves as one.
      */
     @Override
     public List<Individual> getIndividualsByDataProperty(String dataPropertyUri, String value){        
@@ -229,7 +232,7 @@ public class IndividualDaoSDB extends IndividualDaoJena {
         if( RDFS.label.getURI().equals( dataPropertyUri )){
             prop = RDFS.label;
         }else{
-            prop = getOntModel().getDatatypeProperty(dataPropertyUri);
+            prop = getOntModel().getProperty(dataPropertyUri);
         }
 
         if( prop == null ) {            
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaBaseDaoCon.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaBaseDaoCon.java
index 7d82223b3..c29a19e54 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaBaseDaoCon.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaBaseDaoCon.java
@@ -104,9 +104,6 @@ public class JenaBaseDaoCon {
     protected DatatypeProperty   LINK_TYPE = _constModel.createDatatypeProperty(VitroVocabulary.LINK_TYPE);
     protected DatatypeProperty   LINK_DISPLAYRANK = _constModel.createDatatypeProperty(VitroVocabulary.LINK_DISPLAYRANK_URL);
 
-    // TODO This goes away when the UserAccount stuff is fully implemented - jblake
-    protected OntClass           USER = _constModel.createClass(VitroVocabulary.USER);
-
 //    protected  OntClass           APPLICATION = null;
 //    protected  DatatypeProperty   APPLICATION_FLAG1NAME = null;
 //    protected  DatatypeProperty   APPLICATION_FLAG2NAME = null;
@@ -158,6 +155,7 @@ public class JenaBaseDaoCon {
     /* ***************** User Account Model constants ***************** */
 
     protected  OntClass           USERACCOUNT = _constModel.createClass(VitroVocabulary.USERACCOUNT);
+    protected  OntClass           USERACCOUNT_ROOT_USER = _constModel.createClass(VitroVocabulary.USERACCOUNT_ROOT_USER);
     protected  DatatypeProperty   USERACCOUNT_EMAIL_ADDRESS = _constModel.createDatatypeProperty(VitroVocabulary.USERACCOUNT_EMAIL_ADDRESS);
     protected  DatatypeProperty   USERACCOUNT_FIRST_NAME = _constModel.createDatatypeProperty(VitroVocabulary.USERACCOUNT_FIRST_NAME);
     protected  DatatypeProperty   USERACCOUNT_LAST_NAME = _constModel.createDatatypeProperty(VitroVocabulary.USERACCOUNT_LAST_NAME);
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaModelUtils.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaModelUtils.java
index 8c1a25df3..a16beba11 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaModelUtils.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaModelUtils.java
@@ -269,23 +269,4 @@ private final OntModelSpec DEFAULT_ONT_MODEL_SPEC = OntModelSpec.OWL_MEM;
 		
 	}
 	
-	public Model extractUserAccountsData(Model inputModel) {
-		
-		Model userAccountsModel = ModelFactory.createDefaultModel();
-		
-		String queryStr = makeDescribeQueryStr( VitroVocabulary.USER, null );
-		
-		Query usersSparqlQuery = QueryFactory.create(queryStr);
-		QueryExecution qe = QueryExecutionFactory.create(usersSparqlQuery,inputModel);
-		try {
-			inputModel.enterCriticalSection(Lock.READ);
-			qe.execDescribe(userAccountsModel);
-		} finally {
-			inputModel.leaveCriticalSection();
-		}
-		
-		return userAccountsModel;
-		
-	}
-	
 }
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/UserAccountsDaoJena.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/UserAccountsDaoJena.java
index 38a811b50..48b53a856 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/UserAccountsDaoJena.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/UserAccountsDaoJena.java
@@ -38,6 +38,36 @@ public class UserAccountsDaoJena extends JenaBaseDao implements UserAccountsDao
 		return getOntModelSelector().getUserAccountsModel();
 	}
 
+	@Override
+	public Collection<UserAccount> getAllUserAccounts() {
+		List<String> userUris = new ArrayList<String>();
+
+		getOntModel().enterCriticalSection(Lock.READ);
+		try {
+			StmtIterator stmts = getOntModel().listStatements((Resource) null,
+					RDF.type, USERACCOUNT);
+			while (stmts.hasNext()) {
+				Resource subject = stmts.next().getSubject();
+				if (subject != null) {
+					userUris.add(subject.getURI());
+				}
+			}
+			stmts.close();
+		} finally {
+			getOntModel().leaveCriticalSection();
+		}
+
+		List<UserAccount> userAccounts = new ArrayList<UserAccount>();
+		for (String userUri : userUris) {
+			UserAccount ua = getUserAccountByUri(userUri);
+			if (ua != null) {
+				userAccounts.add(ua);
+			}
+		}
+
+		return userAccounts;
+	}
+
 	@Override
 	public UserAccount getUserAccountByUri(String uri) {
 		if (uri == null) {
@@ -103,6 +133,45 @@ public class UserAccountsDaoJena extends JenaBaseDao implements UserAccountsDao
 		return getUserAccountByUri(userUri);
 	}
 
+	@Override
+	public UserAccount getUserAccountByExternalAuthId(String externalAuthId) {
+		if (externalAuthId == null) {
+			return null;
+		}
+
+		String userUri = null;
+
+		getOntModel().enterCriticalSection(Lock.READ);
+		try {
+			StmtIterator stmts = getOntModel().listStatements(null,
+					USERACCOUNT_EXTERNAL_AUTH_ID,
+					getOntModel().createLiteral(externalAuthId));
+			if (stmts.hasNext()) {
+				userUri = stmts.next().getSubject().getURI();
+			}
+			stmts.close();
+		} finally {
+			getOntModel().leaveCriticalSection();
+		}
+
+		return getUserAccountByUri(userUri);
+	}
+
+	@Override
+	public boolean isRootUser(UserAccount userAccount) {
+		if (userAccount == null) {
+			return false;
+		}
+
+		getOntModel().enterCriticalSection(Lock.READ);
+		try {
+			OntResource r = getOntModel().getOntResource(userAccount.getUri());
+			return isResourceOfType(r, USERACCOUNT_ROOT_USER);
+		} finally {
+			getOntModel().leaveCriticalSection();
+		}
+	}
+
 	@Override
 	public String insertUserAccount(UserAccount userAccount) {
 		if (userAccount == null) {
@@ -307,6 +376,13 @@ public class UserAccountsDaoJena extends JenaBaseDao implements UserAccountsDao
 	 * There should already be a lock on the model when this is called.
 	 */
 	private boolean isResourceOfType(OntResource r, OntClass type) {
+		if (r == null) {
+			return false;
+		}
+		if (type == null) {
+			return false;
+		}
+		
 		StmtIterator stmts = getOntModel().listStatements(r, RDF.type, type);
 		if (stmts.hasNext()) {
 			stmts.close();
@@ -324,4 +400,5 @@ public class UserAccountsDaoJena extends JenaBaseDao implements UserAccountsDao
 			return ps1.getUri().compareTo(ps2.getUri());
 		}
 	}
+
 }
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/UserDaoJena.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/UserDaoJena.java
deleted file mode 100644
index f331fdab7..000000000
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/UserDaoJena.java
+++ /dev/null
@@ -1,329 +0,0 @@
-/* $This file is distributed under the terms of the license in /doc/license.txt$ */
-
-package edu.cornell.mannlib.vitro.webapp.dao.jena;
-
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-
-import com.hp.hpl.jena.ontology.DatatypeProperty;
-import com.hp.hpl.jena.ontology.Individual;
-import com.hp.hpl.jena.ontology.OntClass;
-import com.hp.hpl.jena.ontology.OntModel;
-import com.hp.hpl.jena.ontology.OntResource;
-import com.hp.hpl.jena.rdf.model.Literal;
-import com.hp.hpl.jena.rdf.model.Property;
-import com.hp.hpl.jena.rdf.model.RDFNode;
-import com.hp.hpl.jena.rdf.model.ResourceFactory;
-import com.hp.hpl.jena.rdf.model.Statement;
-import com.hp.hpl.jena.rdf.model.StmtIterator;
-import com.hp.hpl.jena.shared.Lock;
-import com.hp.hpl.jena.util.iterator.ClosableIterator;
-import com.hp.hpl.jena.vocabulary.RDF;
-
-import edu.cornell.mannlib.vitro.webapp.beans.User;
-import edu.cornell.mannlib.vitro.webapp.dao.UserDao;
-import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
-import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
-
-public class UserDaoJena extends JenaBaseDao implements UserDao {
-
-    private static final String ROLE_PROTOCOL = "role:/";
-
-    public UserDaoJena(WebappDaoFactoryJena wadf) {
-        super(wadf);
-    }
-
-    @Override
-    protected OntModel getOntModel() {
-    	return getOntModelSelector().getUserAccountsModel();
-    }
-    
-    
-    
-    public List<User> getAllUsers() {
-        List<User> allUsersList = new ArrayList<User>();
-        getOntModel().enterCriticalSection(Lock.READ);
-        try {
-            ClosableIterator userStmtIt = getOntModel().listStatements(null, RDF.type, USER);
-            try {
-                while (userStmtIt.hasNext()) {
-                 Statement stmt = (Statement) userStmtIt.next();
-                 OntResource subjRes = (OntResource) stmt.getSubject().as(OntResource.class);
-                 allUsersList.add(userFromUserInd(subjRes));
-                }
-            } finally {
-                userStmtIt.close();
-            }
-        } finally {
-            getOntModel().leaveCriticalSection();
-        }
-        return allUsersList;
-    }
-
-    public User getUserByURI(String URI) {
-        getOntModel().enterCriticalSection(Lock.READ);
-        try {
-            return userFromUserInd(getOntModel().getOntResource(URI));
-        } finally {
-            getOntModel().leaveCriticalSection();
-        }
-    }
-
-    public String insertUser(User user) {
-    	return insertUser(user,getOntModel());
-    }
-
-    public String insertUser(User user, OntModel ontModel) {
-        String userURI = null;
-        ontModel.enterCriticalSection(Lock.WRITE);
-        try {
-            userURI = (user.getURI()==null) ? DEFAULT_NAMESPACE+user.getUsername().replaceAll("\\W","") : user.getURI();
-            com.hp.hpl.jena.ontology.Individual test = ontModel.getIndividual(userURI);
-            int count = 0;
-            while (test != null) {
-                ++count;
-                userURI+="_"+count;
-                test = ontModel.getIndividual(userURI);
-            }
-            com.hp.hpl.jena.ontology.Individual userInd = ontModel.createIndividual(userURI, ontModel.getResource(USER.getURI()));
-            addPropertyStringValue(userInd, ontModel.getProperty(VitroVocabulary.USER_USERNAME), user.getUsername(), ontModel);
-            addPropertyStringValue(userInd, ontModel.getProperty(VitroVocabulary.USER_FIRSTNAME), user.getFirstName(), ontModel);
-            addPropertyStringValue(userInd, ontModel.getProperty(VitroVocabulary.USER_LASTNAME), user.getLastName(), ontModel);
-            addPropertyStringValue(userInd, ontModel.getProperty(VitroVocabulary.USER_MD5PASSWORD), user.getMd5password(), ontModel);
-            addPropertyStringValue(userInd, ontModel.getProperty(VitroVocabulary.USER_ROLE), user.getRoleURI(), ontModel);
-        } catch (Exception e) {
-            e.printStackTrace();
-        } finally {
-            ontModel.leaveCriticalSection();
-        }
-        user.setURI(userURI);
-        return userURI;
-    }
-
-    public void deleteUser(User user) {
-    	deleteUser(user,getOntModel());
-    }
-
-    public void deleteUser(User user, OntModel ontModel) {
-        ontModel.enterCriticalSection(Lock.WRITE);
-        try {
-            OntResource userRes = ontModel.getOntResource(user.getURI());
-            if (userRes != null) {
-                userRes.remove();
-            }
-        } finally {
-            ontModel.leaveCriticalSection();
-        }
-    }
-
-    public User getUserByUsername(String username) {
-        getOntModel().enterCriticalSection(Lock.READ);
-        try {    
-	        Property usernameProp = getOntModel().getProperty(VitroVocabulary.USER_USERNAME);    
-            Iterator stmtIt = getOntModel().listStatements(null, usernameProp, getOntModel().createTypedLiteral(username));
-            if (stmtIt.hasNext()) {
-                Statement stmt = (Statement) stmtIt.next();
-                Individual userInd = getOntModel().getIndividual(stmt.getSubject().getURI());
-                return userFromUserInd(userInd);
-            } else {
-            	stmtIt = getOntModel().listStatements(null, usernameProp, getOntModel().createLiteral(username));
-            	if (stmtIt.hasNext()) {
-                    Statement stmt = (Statement) stmtIt.next();
-                    Individual userInd = getOntModel().getIndividual(stmt.getSubject().getURI());
-                    return userFromUserInd(userInd);
-            	} else {
-            		return null;
-            	}
-            }
-        } finally {
-            getOntModel().leaveCriticalSection();
-        }
-    }
-
-    private User userFromUserInd(OntResource userInd) {
-        User user = new User();
-        user.setURI(userInd.getURI());
-        user.setNamespace(userInd.getNameSpace());
-        user.setLocalName(userInd.getLocalName());
-        try {
-            user.setUsername(((Literal)userInd.getProperty(getOntModel().getProperty(VitroVocabulary.USER_USERNAME)).getObject()).getString());
-        } catch (Exception e) {}
-        try {
-            user.setMd5password(((Literal)userInd.getProperty(getOntModel().getProperty(VitroVocabulary.USER_MD5PASSWORD)).getObject()).getString());
-        } catch (Exception e) {}
-        try {
-            user.setOldPassword(((Literal)userInd.getProperty(getOntModel().getProperty(VitroVocabulary.USER_OLDPASSWORD)).getObject()).getString());
-        } catch (Exception e) {}
-        try {
-            user.setLoginCount(getPropertyNonNegativeIntValue(userInd,ResourceFactory.createProperty(VitroVocabulary.USER_LOGINCOUNT)));
-            if (user.getLoginCount()<0) {
-            	user.setLoginCount(0);
-            }
-        } catch (Exception e) {e.printStackTrace();}
-        try {
-            user.setRoleURI(((Literal)userInd.getProperty(getOntModel().getProperty(VitroVocabulary.USER_ROLE)).getObject()).getString().substring(6));
-        } catch (Exception e) {log.error("Unable to set user role\n");e.printStackTrace(); user.setRoleURI("1");}  // TODO: fix this
-        try {
-            user.setLastName(((Literal)userInd.getProperty(getOntModel().getProperty(VitroVocabulary.USER_LASTNAME)).getObject()).getString());
-        } catch (Exception e) {}
-        try {
-            user.setFirstName(((Literal)userInd.getProperty(getOntModel().getProperty(VitroVocabulary.USER_FIRSTNAME)).getObject()).getString());
-        } catch (Exception e) {}
-        try {
-            user.setFirstTime(getPropertyDateTimeValue(userInd, getOntModel().getProperty(VitroVocabulary.vitroURI+"firstTime")));
-        } catch (Exception e) {}
-        return user;
-    }
-
-    public void updateUser(User user) {
-    	updateUser(user,getOntModel());
-    }
-
-    public void updateUser(User user, OntModel ontModel) {
-       ontModel.enterCriticalSection(Lock.WRITE);
-        try {
-            OntResource userRes = ontModel.getOntResource(user.getURI());
-            if (userRes != null) {
-                updatePropertyStringValue(userRes, ontModel.getProperty(VitroVocabulary.USER_USERNAME), user.getUsername(), ontModel);
-                updatePropertyStringValue(userRes, ontModel.getProperty(VitroVocabulary.USER_FIRSTNAME), user.getFirstName(), ontModel);
-                updatePropertyStringValue(userRes, ontModel.getProperty(VitroVocabulary.USER_LASTNAME), user.getLastName(), ontModel);
-                if (user.getRoleURI() != null && user.getRoleURI().indexOf(ROLE_PROTOCOL) != 0) {
-                    user.setRoleURI(ROLE_PROTOCOL+user.getRoleURI());
-                }
-                updatePropertyStringValue(userRes, ontModel.getProperty(VitroVocabulary.USER_ROLE), user.getRoleURI(), ontModel);
-                updatePropertyStringValue(userRes, ontModel.getProperty(VitroVocabulary.USER_MD5PASSWORD), user.getMd5password(), ontModel);
-                updatePropertyStringValue(userRes, ontModel.getProperty(VitroVocabulary.USER_OLDPASSWORD), user.getOldPassword(), ontModel);
-                updatePropertyDateTimeValue(userRes, ontModel.getProperty(VitroVocabulary.USER_FIRSTTIME), user.getFirstTime(), ontModel);
-                updatePropertyNonNegativeIntValue(userRes, ResourceFactory.createProperty(VitroVocabulary.USER_LOGINCOUNT), user.getLoginCount(), ontModel);
-            } else {
-                log.error("DEBUG UserDaoJena - "+user.getURI()+" not found");
-            }
-        } finally {
-            ontModel.leaveCriticalSection();
-        }
-    }
-
-    public List<String> getIndividualsUserMayEditAs(String userURI) {
-        List<String> uris = new ArrayList<String>();
-        OntModel ontModel = getOntModel();
-        ontModel.enterCriticalSection(Lock.READ);
-        try{
-             StmtIterator it = ontModel.listStatements(
-                    ontModel.createResource(userURI),
-                    ontModel.getProperty(VitroVocabulary.MAY_EDIT_AS),
-                    (RDFNode)null);
-            while(it.hasNext()){
-                try{
-                    Statement stmt = (Statement) it.next();
-                    if( stmt != null && stmt.getObject()!= null 
-                            && stmt.getObject().asNode() != null 
-                            && stmt.getObject().asNode().getURI() != null )
-                        uris.add(stmt.getObject().asNode().getURI());
-                }catch(Exception ex){
-                    log.debug("error in getIndividualsUserMayEditAs()",ex);
-                }
-            }
-        }finally{
-            ontModel.leaveCriticalSection();
-        }
-        return uris;
-    }
-
-    //Method to get all user accounts that are associated with a person where said person has email address
-    public List<String> getUserAccountEmails() {
-        List<String> email = new ArrayList<String>();
-        List<String> uris = new ArrayList<String>();
-        OntModel ontModel = getOntModel();
-        OntModel baseModel =  getOntModelSelector().getFullModel();
-        ontModel.enterCriticalSection(Lock.READ);
-        String swrcOntology = "http://swrc.ontoware.org/ontology#";
-        String emailProperty = swrcOntology + "email";
-        String emailValue, uri;
-        try{
-        	 Property emailProp = ontModel.getProperty(emailProperty);
-             StmtIterator it = ontModel.listStatements(
-                    null,
-                    ontModel.getProperty(VitroVocabulary.MAY_EDIT_AS),
-                    (RDFNode)null);
-            while(it.hasNext()){
-                try{
-                    Statement stmt = (Statement) it.next();
-                    if( stmt != null && stmt.getObject()!= null 
-                            && stmt.getObject().asNode() != null 
-                            && stmt.getObject().asNode().getURI() != null )
-                    {
-                    	
-                    uri = stmt.getObject().asNode().getURI();	
-                    StmtIterator emailIt = baseModel.listStatements(baseModel.createResource(uri), baseModel.createProperty(emailProperty), (RDFNode) null);
-                    while(emailIt.hasNext()) {
-                    	Statement emailSt = (Statement) emailIt.next();
-                    	if(emailSt != null && emailSt.getObject().isLiteral() && emailSt.getObject() != null) {
-                    		email.add(emailSt.getLiteral().getString());
-                    		//Issue: this prints out the email in a tags
-                    	} else {
-                    		//System.out.println("Unfortunately email statement is null");
-                    	}
-                    }
-                       
-                    }
-                }catch(Exception ex){
-                    log.debug("error in get User Account Emails()",ex);
-                }
-                
-                
-            } 
-            
-        }finally{
-            ontModel.leaveCriticalSection();
-        }
-        return email;
-    }
-    
-    //for a specific user account, get the email address
-    public String getUserEmailAddress(String userURI) {
-    	 OntModel ontModel = getOntModel();
-         OntModel baseModel =  getOntModelSelector().getFullModel();
-         ontModel.enterCriticalSection(Lock.READ);
-         String swrcOntology = "http://swrc.ontoware.org/ontology#";
-         String emailProperty = swrcOntology + "email";
-         String personUri, emailValue = "";
-         
-         try {
-        	 //Get person account associated with this email address
-        	 StmtIterator it = ontModel.listStatements(
-                     ontModel.createResource(userURI),
-                     ontModel.getProperty(VitroVocabulary.MAY_EDIT_AS),
-                     (RDFNode)null);
-        	 try{
-	        	 while(it.hasNext()) {
-	        		 Statement personStmt = (Statement) it.next();
-	        		 if(personStmt != null 
-	        		 	&& personStmt.getObject() != null 
-	        		 	&& personStmt.getObject().asNode() != null
-	        		 	&& personStmt.getObject().asNode().getURI() != null) {
-	        			 personUri = personStmt.getObject().asNode().getURI();
-	        			 
-	        			 StmtIterator emailIt = baseModel.listStatements(baseModel.createResource(personUri),
-	        					 baseModel.createProperty(emailProperty),
-	        					 (RDFNode)null);
-	        			 while(emailIt.hasNext()) {
-	        				 Statement emailStmt = (Statement) emailIt.next();
-	        				 if(emailStmt != null && emailStmt.getObject().isLiteral() && emailStmt.getObject() != null) {
-	                     		emailValue = emailStmt.getLiteral().getString();
-	                     	}
-	        			 }
-	        		 }
-	        	 }
-        	 } catch(Exception ex) {
-        		 System.out.println("Error occurred in retrieving email and/or user uri");
-        	 }
-         }finally{
-             ontModel.leaveCriticalSection();
-         }
-         return emailValue;
-    }
-    
-
-}
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/WebappDaoFactoryJena.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/WebappDaoFactoryJena.java
index 08f4f92be..7e926aee5 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/WebappDaoFactoryJena.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/jena/WebappDaoFactoryJena.java
@@ -55,7 +55,6 @@ import edu.cornell.mannlib.vitro.webapp.dao.PageDao;
 import edu.cornell.mannlib.vitro.webapp.dao.PropertyGroupDao;
 import edu.cornell.mannlib.vitro.webapp.dao.PropertyInstanceDao;
 import edu.cornell.mannlib.vitro.webapp.dao.UserAccountsDao;
-import edu.cornell.mannlib.vitro.webapp.dao.UserDao;
 import edu.cornell.mannlib.vitro.webapp.dao.VClassDao;
 import edu.cornell.mannlib.vitro.webapp.dao.VClassGroupDao;
 import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
@@ -73,7 +72,6 @@ public class WebappDaoFactoryJena implements WebappDaoFactory {
     protected LinksDao linksDao;
     protected LinktypeDao linktypeDao;
     protected ApplicationDaoJena applicationDao;
-    protected UserDao userDao; // TODO This goes away when the UserAccounts stuff is fully implemented -- jb
     protected UserAccountsDao userAccountsDao;
     protected VClassGroupDao vClassGroupDao;
     protected PropertyGroupDao propertyGroupDao;
@@ -496,14 +494,6 @@ public class WebappDaoFactoryJena implements WebappDaoFactory {
             return propertyGroupDao = new PropertyGroupDaoJena(this);
     }
 
-    // TODO This goes away when the UserAccounts stuff is fully implemented -- jb
-    public UserDao getUserDao() {
-        if (userDao != null)
-            return userDao;
-        else
-            return userDao = new UserDaoJena(this);
-    }
-
     public UserAccountsDao getUserAccountsDao() {
     	if (userAccountsDao != null)
     		return userAccountsDao;
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/servlet/setup/JenaDataSourceSetup.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/servlet/setup/JenaDataSourceSetup.java
index 047cc0309..24ef19250 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/servlet/setup/JenaDataSourceSetup.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/servlet/setup/JenaDataSourceSetup.java
@@ -356,24 +356,6 @@ public class JenaDataSourceSetup extends JenaDataSourceSetupBase implements java
     	// Nothing to do.
     }
     
-    private void checkMainModelForUserAccounts(OntModel mainModel, OntModel userAccountsModel) {
-        Model extractedUserData = ((new JenaModelUtils()).extractUserAccountsData(mainModel));
-        if (extractedUserData.size() > 0) {
-            userAccountsModel.enterCriticalSection(Lock.WRITE);
-            try {
-                userAccountsModel.add(extractedUserData);
-            } finally {
-                userAccountsModel.leaveCriticalSection();
-            }
-            mainModel.enterCriticalSection(Lock.WRITE);
-            try {
-                mainModel.remove(extractedUserData);
-            } finally {
-                mainModel.leaveCriticalSection();
-            }
-        }
-    }
-    
     private OntModel ontModelFromContextAttribute(ServletContext ctx, String attribute) {
         OntModel ontModel;
         Object attributeValue = ctx.getAttribute(attribute);
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/servlet/setup/JenaDataSourceSetupBase.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/servlet/setup/JenaDataSourceSetupBase.java
index efdad9eaa..5dd026b8f 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/servlet/setup/JenaDataSourceSetupBase.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/servlet/setup/JenaDataSourceSetupBase.java
@@ -7,8 +7,6 @@ import java.sql.SQLException;
 import java.util.Set;
 
 import javax.servlet.ServletContext;
-import javax.servlet.ServletRequest;
-import javax.servlet.http.HttpServletRequest;
 
 import org.apache.commons.dbcp.BasicDataSource;
 import org.apache.commons.lang.StringUtils;
@@ -19,13 +17,11 @@ import com.hp.hpl.jena.graph.Graph;
 import com.hp.hpl.jena.ontology.OntModelSpec;
 import com.hp.hpl.jena.rdf.model.Model;
 import com.hp.hpl.jena.rdf.model.ModelFactory;
-import com.hp.hpl.jena.rdf.model.Resource;
 import com.hp.hpl.jena.sdb.StoreDesc;
 import com.hp.hpl.jena.sdb.store.DatabaseType;
 import com.hp.hpl.jena.sdb.store.LayoutType;
 
 import edu.cornell.mannlib.vitro.webapp.config.ConfigurationProperties;
-import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
 import edu.cornell.mannlib.vitro.webapp.dao.jena.JenaBaseDaoCon;
 import edu.cornell.mannlib.vitro.webapp.dao.jena.RDBGraphGenerator;
 import edu.cornell.mannlib.vitro.webapp.dao.jena.RegeneratingGraph;
@@ -350,37 +346,6 @@ public class JenaDataSourceSetupBase extends JenaBaseDaoCon {
         else 
             return defaultformat;
     }
-    /**
-     * If the {@link ConfigurationProperties} has a name for the initial admin
-     * user, create the user and add it to the model.
-     */
-    protected void createInitialAdminUser(Model model, ServletContext ctx) {
-        String initialAdminUsername = ConfigurationProperties
-                .getBean(ctx).getProperty("initialAdminUser");
-        if (initialAdminUsername == null) {
-            return;
-        }
-
-        // A hard-coded MD5 encryption of "defaultAdmin"
-        String initialAdminPassword = "22BA075EC8951A70960A0A95C0BC2294";
-
-        String vitroDefaultNs = DEFAULT_DEFAULT_NAMESPACE;
-
-        Resource user = model.createResource(vitroDefaultNs
-                + "defaultAdminUser");
-        model.add(model.createStatement(user, model
-                .createProperty(VitroVocabulary.RDF_TYPE), model
-                .getResource(VitroVocabulary.USER)));
-        model.add(model.createStatement(user, model
-                .createProperty(VitroVocabulary.USER_USERNAME), model
-                .createTypedLiteral(initialAdminUsername)));
-        model.add(model.createStatement(user, model
-                .createProperty(VitroVocabulary.USER_MD5PASSWORD), model
-                .createTypedLiteral(initialAdminPassword)));
-        model.add(model.createStatement(user, model
-                .createProperty(VitroVocabulary.USER_ROLE), model
-                .createTypedLiteral("role:/50")));
-    }
     
     protected final static String DB_TYPE = "MySQL";
     private static VitroJenaModelMaker vjmm = null;
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/servlet/setup/JenaPersistentDataSourceSetup.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/servlet/setup/JenaPersistentDataSourceSetup.java
index dd1ef934d..b99a81e86 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/servlet/setup/JenaPersistentDataSourceSetup.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/servlet/setup/JenaPersistentDataSourceSetup.java
@@ -12,11 +12,7 @@ import org.apache.commons.logging.LogFactory;
 import com.hp.hpl.jena.ontology.OntModel;
 import com.hp.hpl.jena.rdf.model.Model;
 import com.hp.hpl.jena.rdf.model.ModelFactory;
-import com.hp.hpl.jena.rdf.model.ResourceFactory;
-import com.hp.hpl.jena.util.iterator.ClosableIterator;
-import com.hp.hpl.jena.vocabulary.RDF;
 
-import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
 import edu.cornell.mannlib.vitro.webapp.dao.jena.ModelSynchronizer;
 
 public class JenaPersistentDataSourceSetup extends JenaDataSourceSetupBase 
@@ -41,9 +37,6 @@ public class JenaPersistentDataSourceSetup extends JenaDataSourceSetupBase
 				firstStartup = true;
 				readOntologyFilesInPathSet(AUTHPATH, sce.getServletContext(),
 						userAccountsDbModel);
-				if (userAccountsDbModel.size() == 0) {
-					createInitialAdminUser(userAccountsDbModel, ctx);
-				}
 			}
         	OntModel userAccountsModel = ModelFactory.createOntologyModel(
         	        MEM_ONT_MODEL_SPEC);
@@ -85,9 +78,6 @@ public class JenaPersistentDataSourceSetup extends JenaDataSourceSetupBase
 	private void initializeUserAccounts(ServletContext ctx, 
 										Model userAccountsModel) {
 		readOntologyFilesInPathSet(AUTHPATH, ctx, userAccountsModel);
-		if (userAccountsModel.size() == 0) {
-			createInitialAdminUser(userAccountsModel, ctx);
-		}
 	}
 	
 }
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/servlet/setup/UpdateUserAccounts.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/servlet/setup/UpdateUserAccounts.java
index 36464b6d6..2ad93ec29 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/servlet/setup/UpdateUserAccounts.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/servlet/setup/UpdateUserAccounts.java
@@ -6,8 +6,11 @@ import java.io.File;
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.text.SimpleDateFormat;
+import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
+import java.util.List;
 import java.util.Set;
 
 import javax.servlet.ServletContext;
@@ -17,13 +20,23 @@ import javax.servlet.ServletContextListener;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
-import edu.cornell.mannlib.vitro.webapp.beans.User;
+import com.hp.hpl.jena.ontology.OntModel;
+import com.hp.hpl.jena.ontology.OntResource;
+import com.hp.hpl.jena.rdf.model.Literal;
+import com.hp.hpl.jena.rdf.model.Property;
+import com.hp.hpl.jena.rdf.model.Resource;
+import com.hp.hpl.jena.rdf.model.Statement;
+import com.hp.hpl.jena.shared.Lock;
+import com.hp.hpl.jena.util.iterator.ClosableIterator;
+import com.hp.hpl.jena.vocabulary.RDF;
+
+import edu.cornell.mannlib.vitro.webapp.auth.permissions.PermissionSetsLoader;
 import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 import edu.cornell.mannlib.vitro.webapp.beans.UserAccount.Status;
 import edu.cornell.mannlib.vitro.webapp.config.ConfigurationProperties;
 import edu.cornell.mannlib.vitro.webapp.dao.UserAccountsDao;
-import edu.cornell.mannlib.vitro.webapp.dao.UserDao;
 import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
+import edu.cornell.mannlib.vitro.webapp.dao.jena.ModelContext;
 
 /**
  * Convert any existing User resources (up to rel 1.2) in the UserAccounts Model
@@ -32,10 +45,17 @@ import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
 public class UpdateUserAccounts implements ServletContextListener {
 	private static final Log log = LogFactory.getLog(UpdateUserAccounts.class);
 
-	private static final String URI_PERMISSION_SET_SELF_EDITOR = "http://permissionSet-1";
-	private static final String URI_PERMISSION_SET_EDITOR = "http://permissionSet-2";
-	private static final String URI_PERMISSION_SET_CURATOR = "http://permissionSet-3";
-	private static final String URI_PERMISSION_SET_DBA = "http://permissionSet-4";
+	public static final String NS = "http://vitro.mannlib.cornell.edu/ns/vitro/0.7#";
+	public static final String USER = NS + "User";
+	public static final String USER_USERNAME = NS + "username";
+	public static final String USER_MD5PASSWORD = NS + "md5password";
+	public static final String USER_OLDPASSWORD = NS + "oldpassword";
+	public static final String USER_FIRSTTIME = NS + "firstTime";
+	public static final String USER_LOGINCOUNT = NS + "loginCount";
+	public static final String USER_ROLE = NS + "roleURI";
+	public static final String USER_LASTNAME = NS + "lastName";
+	public static final String USER_FIRSTNAME = NS + "firstName";
+	public static final String MAY_EDIT_AS = NS + "mayEditAs";
 
 	@Override
 	public void contextInitialized(ServletContextEvent sce) {
@@ -66,7 +86,7 @@ public class UpdateUserAccounts implements ServletContextListener {
 
 	private static class Updater {
 		private final ServletContext ctx;
-		private final UserDao userDao;
+		private final MockUserDao userDao;
 		private final UserAccountsDao userAccountsDao;
 
 		public Updater(ServletContext ctx) {
@@ -74,8 +94,9 @@ public class UpdateUserAccounts implements ServletContextListener {
 
 			WebappDaoFactory wadf = (WebappDaoFactory) ctx
 					.getAttribute("webappDaoFactory");
-			userDao = wadf.getUserDao();
 			userAccountsDao = wadf.getUserAccountsDao();
+
+			userDao = new MockUserDao(ctx);
 		}
 
 		/**
@@ -94,7 +115,7 @@ public class UpdateUserAccounts implements ServletContextListener {
 					+ journal.getPath() + "'");
 
 			try {
-				for (User user : userDao.getAllUsers()) {
+				for (MockUser user : userDao.getAllUsers()) {
 					try {
 						UserAccount ua = getConvertedUser(user);
 						if (ua != null) {
@@ -105,12 +126,10 @@ public class UpdateUserAccounts implements ServletContextListener {
 							ua = convertToUserAccount(user);
 							userAccountsDao.insertUserAccount(ua);
 							journal.noteUserAccount(ua);
-
-							// TODO: for now, keep the User also.
-							journal.note("Not deleting User " + user.getURI());
-							// userDao.deleteUser(user);
-							journal.noteDeletedUser(user);
 						}
+
+						userDao.deleteUser(user);
+						journal.noteDeletedUser(user);
 					} catch (Exception e) {
 						log.error(e, e);
 						journal.noteException(e);
@@ -121,11 +140,11 @@ public class UpdateUserAccounts implements ServletContextListener {
 			}
 		}
 
-		private UserAccount getConvertedUser(User user) {
+		private UserAccount getConvertedUser(MockUser user) {
 			return userAccountsDao.getUserAccountByEmail(user.getUsername());
 		}
 
-		private UserAccount convertToUserAccount(User u) {
+		private UserAccount convertToUserAccount(MockUser u) {
 			UserAccount ua = new UserAccount();
 			ua.setEmailAddress(nonNull(u.getUsername()));
 			ua.setFirstName(nonNull(u.getFirstName()));
@@ -149,13 +168,13 @@ public class UpdateUserAccounts implements ServletContextListener {
 		}
 
 		private Set<String> translateFromRoleUri(String roleUri) {
-			String permissionSetUri = URI_PERMISSION_SET_SELF_EDITOR;
-			if ("4".equals(roleUri)) {
-				permissionSetUri = URI_PERMISSION_SET_EDITOR;
-			} else if ("5".equals(roleUri)) {
-				permissionSetUri = URI_PERMISSION_SET_CURATOR;
-			} else if ("50".equals(roleUri)) {
-				permissionSetUri = URI_PERMISSION_SET_DBA;
+			String permissionSetUri = PermissionSetsLoader.URI_SELF_EDITOR;
+			if ("role:/4".equals(roleUri)) {
+				permissionSetUri = PermissionSetsLoader.URI_EDITOR;
+			} else if ("role:/5".equals(roleUri)) {
+				permissionSetUri = PermissionSetsLoader.URI_CURATOR;
+			} else if ("role:/50".equals(roleUri)) {
+				permissionSetUri = PermissionSetsLoader.URI_DBA;
 			}
 			return Collections.singleton(permissionSetUri);
 		}
@@ -204,13 +223,13 @@ public class UpdateUserAccounts implements ServletContextListener {
 			}
 		}
 
-		public void noteAlreadyConverted(User user, UserAccount ua) {
+		public void noteAlreadyConverted(MockUser user, UserAccount ua) {
 			note("UserAccount '" + ua.getUri() + "' already exists for User '"
 					+ user.getURI() + "', " + user.getFirstName() + " "
 					+ user.getLastName());
 		}
 
-		public void writeUser(User u) {
+		public void writeUser(MockUser u) {
 			w.println();
 			w.println("# converting User: ");
 			w.println(u.getURI());
@@ -229,7 +248,7 @@ public class UpdateUserAccounts implements ServletContextListener {
 					+ ua.getFirstName() + " " + ua.getLastName());
 		}
 
-		public void noteDeletedUser(User user) {
+		public void noteDeletedUser(MockUser user) {
 			note("Delete User: '" + user.getURI() + "'");
 		}
 
@@ -290,4 +309,178 @@ public class UpdateUserAccounts implements ServletContextListener {
 		}
 	}
 
+	// ----------------------------------------------------------------------
+	// Classes to replace the User and UserDao, just for the upgrade.
+	// ----------------------------------------------------------------------
+
+	private static class MockUser {
+		private String username;
+		private String roleURI;
+		private int loginCount;
+		private String md5password;
+		private String lastName;
+		private String firstName;
+		private String URI;
+
+		public String getUsername() {
+			return username;
+		}
+
+		public void setUsername(String username) {
+			this.username = username;
+		}
+
+		public String getRoleURI() {
+			return roleURI;
+		}
+
+		public void setRoleURI(String roleURI) {
+			this.roleURI = roleURI;
+		}
+
+		public int getLoginCount() {
+			return loginCount;
+		}
+
+		public void setLoginCount(int loginCount) {
+			this.loginCount = loginCount;
+		}
+
+		public String getMd5password() {
+			return md5password;
+		}
+
+		public void setMd5password(String md5password) {
+			this.md5password = md5password;
+		}
+
+		public String getLastName() {
+			return lastName;
+		}
+
+		public void setLastName(String lastName) {
+			this.lastName = lastName;
+		}
+
+		public String getFirstName() {
+			return firstName;
+		}
+
+		public void setFirstName(String firstName) {
+			this.firstName = firstName;
+		}
+
+		public String getURI() {
+			return URI;
+		}
+
+		public void setURI(String uRI) {
+			URI = uRI;
+		}
+
+	}
+
+	private static class MockUserDao {
+		private final OntModel model;
+
+		public MockUserDao(ServletContext ctx) {
+			this.model = ModelContext.getBaseOntModelSelector(ctx)
+					.getUserAccountsModel();
+		}
+
+		public Collection<MockUser> getAllUsers() {
+			List<MockUser> allUsersList = new ArrayList<MockUser>();
+			model.enterCriticalSection(Lock.READ);
+			try {
+				ClosableIterator<Statement> userStmtIt = model.listStatements(
+						null, RDF.type, resource(USER));
+				try {
+					while (userStmtIt.hasNext()) {
+						Statement stmt = userStmtIt.next();
+						OntResource subjRes = stmt.getSubject().as(
+								OntResource.class);
+						allUsersList.add(userFromUserInd(subjRes));
+					}
+				} finally {
+					userStmtIt.close();
+				}
+			} finally {
+				model.leaveCriticalSection();
+			}
+			return allUsersList;
+		}
+
+		private MockUser userFromUserInd(OntResource userInd) {
+			MockUser user = new MockUser();
+			user.setURI(userInd.getURI());
+
+			try {
+				user.setUsername(getStringPropertyValue(userInd, USER_USERNAME));
+			} catch (Exception e) {
+				// ignore it.
+			}
+
+			try {
+				user.setMd5password(getStringPropertyValue(userInd,
+						USER_MD5PASSWORD));
+			} catch (Exception e) {
+				// ignore it.
+			}
+
+			try {
+				user.setLoginCount(getIntegerPropertyValue(userInd,
+						USER_LOGINCOUNT));
+			} catch (Exception e) {
+				user.setLoginCount(0);
+			}
+
+			try {
+				user.setRoleURI(getStringPropertyValue(userInd, USER_ROLE));
+			} catch (Exception e) {
+				log.error("Unable to set user role\n", e);
+				e.printStackTrace();
+				user.setRoleURI("1");
+			}
+			try {
+				user.setLastName(getStringPropertyValue(userInd, USER_LASTNAME));
+			} catch (Exception e) {
+				// ignore it.
+			}
+
+			try {
+				user.setFirstName(getStringPropertyValue(userInd,
+						USER_FIRSTNAME));
+			} catch (Exception e) {
+				// ignore it.
+			}
+
+			return user;
+		}
+
+		private String getStringPropertyValue(OntResource userInd,
+				String propertyUri) {
+			Property property = model.getProperty(propertyUri);
+			Literal object = (Literal) userInd.getProperty(property)
+					.getObject();
+			return object.getString();
+		}
+
+		private int getIntegerPropertyValue(OntResource userInd,
+				String propertyUri) {
+			Property property = model.getProperty(propertyUri);
+			Literal object = (Literal) userInd.getProperty(property)
+					.getObject();
+			return object.getInt();
+		}
+
+		public void deleteUser(MockUser user) {
+			model.removeAll(resource(user.getURI()), null, null);
+		}
+		
+		private Resource resource(String uri) {
+			return model.getResource(uri);
+		}
+
+	}
+
 }
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/User.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/User.java
index 3f0cfe775..7600fc41c 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/User.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/User.java
@@ -4,6 +4,7 @@ package edu.cornell.mannlib.vitro.webapp.web.templatemodels;
 
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.RevisionInfoController;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.SiteAdminController;
@@ -11,8 +12,7 @@ import edu.cornell.mannlib.vitro.webapp.controller.freemarker.SiteAdminControlle
 public class User extends BaseTemplateModel {
     private final VitroRequest vreq;
 
-    // TODO JB Modify this to use UserAccount instead of User.
-    private final edu.cornell.mannlib.vitro.webapp.beans.User currentUser;
+    private final UserAccount currentUser;
     
     public User(VitroRequest vreq) {
         this.vreq = vreq;
@@ -24,7 +24,7 @@ public class User extends BaseTemplateModel {
     }
     
     public String getEmailAddress() {
-		return (currentUser == null) ? "" : currentUser.getUsername();
+		return (currentUser == null) ? "" : currentUser.getEmailAddress();
     }
     
     public String getLoginName() {
diff --git a/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AuthenticatorStub.java b/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AuthenticatorStub.java
index 869812943..6171387f9 100644
--- a/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AuthenticatorStub.java
+++ b/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AuthenticatorStub.java
@@ -12,7 +12,7 @@ import javax.servlet.http.HttpServletRequest;
 
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean.AuthenticationSource;
-import edu.cornell.mannlib.vitro.webapp.beans.User;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 
 /**
  * A simple stub for unit tests that require an Authenticator. Call setup() to
@@ -67,7 +67,9 @@ public class AuthenticatorStub extends Authenticator {
 	// Stub infrastructure
 	// ----------------------------------------------------------------------
 
-	private final Map<String, User> usersByName = new HashMap<String, User>();
+	private final Map<String, UserAccount> usersByEmail = new HashMap<String, UserAccount>();
+	private final Map<String, UserAccount> usersByExternalAuthId = new HashMap<String, UserAccount>();
+
 	private final Map<String, List<String>> editingPermissions = new HashMap<String, List<String>>();
 	private final Map<String, String> associatedUris = new HashMap<String, String>();
 	private final List<String> recordedLogins = new ArrayList<String>();
@@ -79,8 +81,13 @@ public class AuthenticatorStub extends Authenticator {
 		this.request = request;
 	}
 
-	public void addUser(User user) {
-		usersByName.put(user.getUsername(), user);
+	public void addUser(UserAccount user) {
+		usersByEmail.put(user.getEmailAddress(), user);
+
+		String externalAuthId = user.getExternalAuthId();
+		if (!externalAuthId.isEmpty()) {
+			usersByExternalAuthId.put(user.getExternalAuthId(), user);
+		}
 	}
 
 	public void addEditingPermission(String username, String personUri) {
@@ -107,52 +114,55 @@ public class AuthenticatorStub extends Authenticator {
 	// ----------------------------------------------------------------------
 
 	@Override
-	public boolean isExistingUser(String username) {
-		return usersByName.containsKey(username);
+	public UserAccount getAccountForInternalAuth(String emailAddress) {
+		return usersByEmail.get(emailAddress);
 	}
 
 	@Override
-	public User getUserByUsername(String username) {
-		return usersByName.get(username);
+	public UserAccount getAccountForExternalAuth(String externalAuthId) {
+		return usersByExternalAuthId.get(externalAuthId);
 	}
 
 	@Override
-	public List<String> getAssociatedIndividualUris(String username) {
+	public boolean isCurrentPassword(UserAccount userAccount,
+			String clearTextPassword) {
+		if (userAccount == null) {
+			return false;
+		} else {
+			return userAccount.getMd5Password().equals(
+					Authenticator.applyMd5Encoding(clearTextPassword));
+		}
+	}
+
+	@Override
+	public List<String> getAssociatedIndividualUris(UserAccount userAccount) {
 		List<String> uris = new ArrayList<String>();
 
-		if (associatedUris.containsKey(username)) {
-			uris.add(associatedUris.get(username));
+		String emailAddress = userAccount.getEmailAddress();
+		if (associatedUris.containsKey(emailAddress)) {
+			uris.add(associatedUris.get(emailAddress));
 		}
 
-		if (editingPermissions.containsKey(username)) {
-			uris.addAll(editingPermissions.get(username));
+		if (editingPermissions.containsKey(emailAddress)) {
+			uris.addAll(editingPermissions.get(emailAddress));
 		}
 
 		return uris;
 	}
 
 	@Override
-	public boolean isCurrentPassword(String username, String clearTextPassword) {
-		if (!isExistingUser(username)) {
-			return false;
-		}
-		String md5Password = applyMd5Encoding(clearTextPassword);
-		User user = getUserByUsername(username);
-		return md5Password.equals(user.getMd5password());
+	public void recordNewPassword(UserAccount userAccount,
+			String newClearTextPassword) {
+		newPasswords.put(userAccount.getEmailAddress(), newClearTextPassword);
 	}
 
 	@Override
-	public void recordNewPassword(String username, String newClearTextPassword) {
-		newPasswords.put(username, newClearTextPassword);
-	}
-
-	@Override
-	public void recordLoginAgainstUserAccount(String username,
+	public void recordLoginAgainstUserAccount(UserAccount userAccount,
 			AuthenticationSource authSource) {
-		recordedLogins.add(username);
+		recordedLogins.add(userAccount.getEmailAddress());
 
-		User user = getUserByUsername(username);
-		LoginStatusBean lsb = new LoginStatusBean(user.getURI(), authSource);
+		LoginStatusBean lsb = new LoginStatusBean(userAccount.getUri(),
+				authSource);
 		LoginStatusBean.setBean(request.getSession(), lsb);
 	}
 
@@ -167,16 +177,15 @@ public class AuthenticatorStub extends Authenticator {
 	}
 
 	@Override
-	public void recordLoginWithoutUserAccount(String username,
-			String individualUri, AuthenticationSource authSource) {
+	public boolean accountRequiresEditing(UserAccount userAccount) {
+		throw new RuntimeException(
+				"AuthenticatorStub.accountRequiresEditing() not implemented.");
+	}
+
+	@Override
+	public void recordLoginWithoutUserAccount(String individualUri) {
 		throw new RuntimeException(
 				"AuthenticatorStub.recordLoginWithoutUserAccount() not implemented.");
 	}
 
-	@Override
-	public boolean isPasswordChangeRequired(String username) {
-		throw new RuntimeException(
-				"AuthenticatorStub.isPasswordChangeRequired() not implemented.");
-	}
-
 }
diff --git a/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ProgramLoginTest.java b/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ProgramLoginTest.java
index 871ae5928..666b4b208 100644
--- a/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ProgramLoginTest.java
+++ b/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ProgramLoginTest.java
@@ -2,15 +2,15 @@
 
 package edu.cornell.mannlib.vitro.webapp.controller.authenticate;
 
+import static edu.cornell.mannlib.vitro.webapp.controller.authenticate.ProgramLogin.ProgramLoginCore.PARAM_EMAIL_ADDRESS;
 import static edu.cornell.mannlib.vitro.webapp.controller.authenticate.ProgramLogin.ProgramLoginCore.PARAM_NEW_PASSWORD;
 import static edu.cornell.mannlib.vitro.webapp.controller.authenticate.ProgramLogin.ProgramLoginCore.PARAM_PASSWORD;
-import static edu.cornell.mannlib.vitro.webapp.controller.authenticate.ProgramLogin.ProgramLoginCore.PARAM_USERNAME;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.fail;
 
 import java.io.IOException;
 import java.net.URL;
-import java.util.Date;
+import java.util.Collections;
 
 import javax.servlet.ServletException;
 
@@ -27,7 +27,8 @@ import stubs.javax.servlet.http.HttpServletResponseStub;
 import stubs.javax.servlet.http.HttpSessionStub;
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
 import edu.cornell.mannlib.vitro.testing.AbstractTestClass;
-import edu.cornell.mannlib.vitro.webapp.beans.User;
+import edu.cornell.mannlib.vitro.webapp.auth.permissions.PermissionSetsLoader;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 
 /**
  * Test the basic features of ProgramTest.
@@ -38,13 +39,13 @@ public class ProgramLoginTest extends AbstractTestClass {
 	private static final String NEW_USER_URI = "new_user_uri";
 	private static final String NEW_USER_NAME = "new_user";
 	private static final String NEW_USER_PASSWORD = "new_user_pw";
-	private static final User NEW_USER = createUser(NEW_USER_URI,
+	private static final UserAccount NEW_USER = createUserAccount(NEW_USER_URI,
 			NEW_USER_NAME, NEW_USER_PASSWORD, 0);
 
 	private static final String OLD_USER_URI = "old_user_uri";
 	private static final String OLD_USER_NAME = "old_user";
 	private static final String OLD_USER_PASSWORD = "old_user_pw";
-	private static final User OLD_USER = createUser(OLD_USER_URI,
+	private static final UserAccount OLD_USER = createUserAccount(OLD_USER_URI,
 			OLD_USER_NAME, OLD_USER_PASSWORD, 10);
 
 	private AuthenticatorStub authenticator;
@@ -57,7 +58,8 @@ public class ProgramLoginTest extends AbstractTestClass {
 
 	@Before
 	public void setLogging() {
-//		setLoggerLevel(this.getClass(), Level.DEBUG);
+		// setLoggerLevel(this.getClass(), Level.DEBUG);
+		// setLoggerLevel(ProgramLogin.class, Level.DEBUG);
 	}
 
 	@Before
@@ -85,17 +87,16 @@ public class ProgramLoginTest extends AbstractTestClass {
 		response = new HttpServletResponseStub();
 	}
 
-	private static User createUser(String uri, String name, String password,
-			int loginCount) {
-		User user = new User();
-		user.setUsername(name);
-		user.setURI(uri);
-		user.setRoleURI(String.valueOf(50));
-		user.setMd5password(Authenticator.applyMd5Encoding(password));
+	private static UserAccount createUserAccount(String uri, String name,
+			String password, int loginCount) {
+		UserAccount user = new UserAccount();
+		user.setEmailAddress(name);
+		user.setUri(uri);
+		user.setPermissionSetUris(Collections
+				.singleton(PermissionSetsLoader.URI_DBA));
+		user.setMd5Password(Authenticator.applyMd5Encoding(password));
 		user.setLoginCount(loginCount);
-		if (loginCount > 0) {
-			user.setFirstTime(new Date(0));
-		}
+		user.setPasswordChangeRequired(loginCount == 0);
 		return user;
 	}
 
@@ -170,10 +171,10 @@ public class ProgramLoginTest extends AbstractTestClass {
 	// Helper methods
 	// ----------------------------------------------------------------------
 
-	private void executeRequest(String username, String password,
+	private void executeRequest(String email, String password,
 			String newPassword) {
-		if (username != null) {
-			request.addParameter(PARAM_USERNAME, username);
+		if (email != null) {
+			request.addParameter(PARAM_EMAIL_ADDRESS, email);
 		}
 		if (password != null) {
 			request.addParameter(PARAM_PASSWORD, password);
diff --git a/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/edit/AuthenticateTest.java b/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/edit/AuthenticateTest.java
index 624ca632f..80042b241 100644
--- a/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/edit/AuthenticateTest.java
+++ b/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/edit/AuthenticateTest.java
@@ -2,6 +2,8 @@
 
 package edu.cornell.mannlib.vitro.webapp.controller.edit;
 
+import static edu.cornell.mannlib.vitro.webapp.auth.permissions.PermissionSetsLoader.URI_DBA;
+import static edu.cornell.mannlib.vitro.webapp.auth.permissions.PermissionSetsLoader.URI_SELF_EDITOR;
 import static edu.cornell.mannlib.vitro.webapp.controller.login.LoginProcessBean.State.FORCED_PASSWORD_CHANGE;
 import static edu.cornell.mannlib.vitro.webapp.controller.login.LoginProcessBean.State.LOGGING_IN;
 import static org.junit.Assert.assertEquals;
@@ -10,7 +12,7 @@ import static org.junit.Assert.fail;
 
 import java.net.URL;
 import java.util.Arrays;
-import java.util.Date;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
@@ -20,7 +22,7 @@ import org.junit.Before;
 import org.junit.Ignore;
 import org.junit.Test;
 
-import stubs.edu.cornell.mannlib.vitro.webapp.dao.UserDaoStub;
+import stubs.edu.cornell.mannlib.vitro.webapp.dao.UserAccountsDaoStub;
 import stubs.edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactoryStub;
 import stubs.javax.servlet.ServletConfigStub;
 import stubs.javax.servlet.ServletContextStub;
@@ -30,7 +32,7 @@ import stubs.javax.servlet.http.HttpSessionStub;
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean.AuthenticationSource;
 import edu.cornell.mannlib.vitro.testing.AbstractTestClass;
-import edu.cornell.mannlib.vitro.webapp.beans.User;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 import edu.cornell.mannlib.vitro.webapp.controller.authenticate.Authenticator;
 import edu.cornell.mannlib.vitro.webapp.controller.authenticate.AuthenticatorStub;
 import edu.cornell.mannlib.vitro.webapp.controller.login.LoginProcessBean;
@@ -43,7 +45,7 @@ public class AuthenticateTest extends AbstractTestClass {
 	private AuthenticatorStub authenticator;
 	private ServletContextStub servletContext;
 	private WebappDaoFactoryStub webappDaoFactory;
-	private UserDaoStub userDao;
+	private UserAccountsDaoStub userAccountsDao;
 	private ServletConfigStub servletConfig;
 	private HttpSessionStub session;
 	private HttpServletRequestStub request;
@@ -59,27 +61,27 @@ public class AuthenticateTest extends AbstractTestClass {
 	private static final String NEW_DBA_NAME = "new_dba_name";
 	private static final String NEW_DBA_PW = "new_dba_pw";
 	private static final UserInfo NEW_DBA = new UserInfo(NEW_DBA_NAME,
-			"new_dba_uri", NEW_DBA_PW, 50, 0);
+			"new_dba_uri", NEW_DBA_PW, URI_DBA, 0);
 
 	/** A DBA who has logged in before. */
 	private static final String OLD_DBA_NAME = "old_dba_name";
 	private static final String OLD_DBA_PW = "old_dba_pw";
 	private static final String OLD_DBA_URI = "old_dba_uri";
-	private static final int OLD_DBA_SECURITY_LEVEL = 50;
 	private static final UserInfo OLD_DBA = new UserInfo(OLD_DBA_NAME,
-			OLD_DBA_URI, OLD_DBA_PW, OLD_DBA_SECURITY_LEVEL, 5);
+			OLD_DBA_URI, OLD_DBA_PW, URI_DBA, 5);
 
 	/** A self-editor who has logged in before and has a profile. */
 	private static final String OLD_SELF_NAME = "old_self_name";
 	private static final String OLD_SELF_PW = "old_self_pw";
 	private static final UserInfo OLD_SELF = new UserInfo(OLD_SELF_NAME,
-			"old_self_uri", OLD_SELF_PW, 1, 100);
+			"old_self_uri", OLD_SELF_PW, URI_SELF_EDITOR, 100);
 
 	/** A self-editor who has logged in before but has no profile. */
 	private static final String OLD_STRANGER_NAME = "old_stranger_name";
 	private static final String OLD_STRANGER_PW = "stranger_pw";
 	private static final UserInfo OLD_STRANGER = new UserInfo(
-			OLD_STRANGER_NAME, "old_stranger_uri", OLD_STRANGER_PW, 1, 20);
+			OLD_STRANGER_NAME, "old_stranger_uri", OLD_STRANGER_PW,
+			URI_SELF_EDITOR, 20);
 
 	/** the login page */
 	private static final String URL_LOGIN = "/vivo/login";
@@ -114,14 +116,14 @@ public class AuthenticateTest extends AbstractTestClass {
 		authenticator.setAssociatedUri(OLD_SELF.username,
 				"old_self_associated_uri");
 
-		userDao = new UserDaoStub();
-		userDao.addUser(createUserFromUserInfo(NEW_DBA));
-		userDao.addUser(createUserFromUserInfo(OLD_DBA));
-		userDao.addUser(createUserFromUserInfo(OLD_SELF));
-		userDao.addUser(createUserFromUserInfo(OLD_STRANGER));
+		userAccountsDao = new UserAccountsDaoStub();
+		userAccountsDao.addUser(createUserFromUserInfo(NEW_DBA));
+		userAccountsDao.addUser(createUserFromUserInfo(OLD_DBA));
+		userAccountsDao.addUser(createUserFromUserInfo(OLD_SELF));
+		userAccountsDao.addUser(createUserFromUserInfo(OLD_STRANGER));
 
 		webappDaoFactory = new WebappDaoFactoryStub();
-		webappDaoFactory.setUserDao(userDao);
+		webappDaoFactory.setUserAccountsDao(userAccountsDao);
 
 		servletContext = new ServletContextStub();
 		servletContext.setAttribute("webappDaoFactory", webappDaoFactory);
@@ -143,16 +145,14 @@ public class AuthenticateTest extends AbstractTestClass {
 		auth.init(servletConfig);
 	}
 
-	private User createUserFromUserInfo(UserInfo userInfo) {
-		User user = new User();
-		user.setUsername(userInfo.username);
-		user.setURI(userInfo.uri);
-		user.setRoleURI(String.valueOf(userInfo.securityLevel));
-		user.setMd5password(Authenticator.applyMd5Encoding(userInfo.password));
+	private UserAccount createUserFromUserInfo(UserInfo userInfo) {
+		UserAccount user = new UserAccount();
+		user.setEmailAddress(userInfo.username);
+		user.setUri(userInfo.uri);
+		user.setPermissionSetUris(userInfo.permissionSetUris);
+		user.setMd5Password(Authenticator.applyMd5Encoding(userInfo.password));
 		user.setLoginCount(userInfo.loginCount);
-		if (userInfo.loginCount > 0) {
-			user.setFirstTime(new Date(0));
-		}
+		user.setPasswordChangeRequired(userInfo.loginCount == 0);
 		return user;
 	}
 
@@ -617,23 +617,23 @@ public class AuthenticateTest extends AbstractTestClass {
 		final String username;
 		final String uri;
 		final String password;
-		final int securityLevel;
+		final Set<String> permissionSetUris;
 		final int loginCount;
 
 		public UserInfo(String username, String uri, String password,
-				int securityLevel, int loginCount) {
+				String roleUri, int loginCount) {
 			this.username = username;
 			this.uri = uri;
 			this.password = password;
-			this.securityLevel = securityLevel;
+			this.permissionSetUris = Collections.singleton(roleUri);
 			this.loginCount = loginCount;
 		}
 
 		@Override
 		public String toString() {
 			return "UserInfo[username=" + username + ", uri=" + uri
-					+ ", password=" + password + ", securityLevel="
-					+ securityLevel + ", loginCount=" + loginCount + "]";
+					+ ", password=" + password + ", roleUri="
+					+ permissionSetUris + ", loginCount=" + loginCount + "]";
 		}
 	}
 
diff --git a/webapp/test/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/HiddenFromDisplayBelowRoleLevelFilterTest.java b/webapp/test/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/HiddenFromDisplayBelowRoleLevelFilterTest.java
index d4cdef924..6e03bda16 100644
--- a/webapp/test/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/HiddenFromDisplayBelowRoleLevelFilterTest.java
+++ b/webapp/test/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/HiddenFromDisplayBelowRoleLevelFilterTest.java
@@ -3,12 +3,18 @@
 package edu.cornell.mannlib.vitro.webapp.dao.filtering.filters;
 
 import static edu.cornell.mannlib.vedit.beans.LoginStatusBean.AuthenticationSource.INTERNAL;
+import static edu.cornell.mannlib.vitro.webapp.auth.permissions.PermissionSetsLoader.URI_CURATOR;
+import static edu.cornell.mannlib.vitro.webapp.auth.permissions.PermissionSetsLoader.URI_DBA;
+import static edu.cornell.mannlib.vitro.webapp.auth.permissions.PermissionSetsLoader.URI_EDITOR;
+import static edu.cornell.mannlib.vitro.webapp.auth.permissions.PermissionSetsLoader.URI_SELF_EDITOR;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.fail;
 
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
+import java.util.Set;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -21,7 +27,7 @@ import org.junit.runners.Parameterized.Parameters;
 import stubs.edu.cornell.mannlib.vitro.webapp.dao.DataPropertyDaoStub;
 import stubs.edu.cornell.mannlib.vitro.webapp.dao.IndividualDaoStub;
 import stubs.edu.cornell.mannlib.vitro.webapp.dao.ObjectPropertyDaoStub;
-import stubs.edu.cornell.mannlib.vitro.webapp.dao.UserDaoStub;
+import stubs.edu.cornell.mannlib.vitro.webapp.dao.UserAccountsDaoStub;
 import stubs.edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactoryStub;
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean.AuthenticationSource;
@@ -35,7 +41,7 @@ import edu.cornell.mannlib.vitro.webapp.beans.IndividualImpl;
 import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.ObjectPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.beans.ObjectPropertyStatementImpl;
-import edu.cornell.mannlib.vitro.webapp.beans.User;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 import edu.cornell.mannlib.vitro.webapp.beans.VClass;
 
 /**
@@ -94,35 +100,32 @@ public class HiddenFromDisplayBelowRoleLevelFilterTest extends
 
 	private static final String NS = "http://someDomain/individual/";
 
-	private static final String ROLE_NON_EDITOR = "1";
-	private static final String ROLE_EDITOR = "4";
-	private static final String ROLE_CURATOR = "5";
-	private static final String ROLE_DBA = "50";
-
-	private static final User USER_SELF = user("userSelf", "self_editor",
-			ROLE_NON_EDITOR);
-	private static final User USER_EDITOR = user("userEditor", "editor",
-			ROLE_EDITOR);
-	private static final User USER_CURATOR = user("userCurator", "curator",
-			ROLE_CURATOR);
-	private static final User USER_DBA = user(NS + "userDba", "dba", ROLE_DBA);
+	private static final UserAccount USER_SELF = userAccount("userSelf",
+			"self_editor", URI_SELF_EDITOR);
+	private static final UserAccount USER_EDITOR = userAccount("userEditor",
+			"editor", URI_EDITOR);
+	private static final UserAccount USER_CURATOR = userAccount("userCurator",
+			"curator", URI_CURATOR);
+	private static final UserAccount USER_DBA = userAccount(NS + "userDba",
+			"dba", URI_DBA);
 
 	/** Create a User */
-	private static User user(String uri, String username, String roleUri) {
-		User user = new User();
-		user.setURI(NS + uri);
-		user.setUsername(username);
-		user.setRoleURI(roleUri);
+	private static UserAccount userAccount(String uri, String emailAddress,
+			String roleUri) {
+		UserAccount user = new UserAccount();
+		user.setUri(NS + uri);
+		user.setEmailAddress(emailAddress);
+		user.setPermissionSetUris(Collections.singleton(roleUri));
 		return user;
 	}
 
-	private static final UserDaoStub DAO_USER = userDao(USER_SELF, USER_EDITOR,
+	private static final UserAccountsDaoStub DAO_USER_ACCOUNT = userAccountsDao(USER_SELF, USER_EDITOR,
 			USER_CURATOR, USER_DBA);
 
-	/** Create the UserDao */
-	private static UserDaoStub userDao(User... users) {
-		UserDaoStub dao = new UserDaoStub();
-		for (User user : users) {
+	/** Create the UserAccountsDao */
+	private static UserAccountsDaoStub userAccountsDao(UserAccount... users) {
+		UserAccountsDaoStub dao = new UserAccountsDaoStub();
+		for (UserAccount user : users) {
 			dao.addUser(user);
 		}
 		return dao;
@@ -138,6 +141,11 @@ public class HiddenFromDisplayBelowRoleLevelFilterTest extends
 	private static final LoginStatusBean LOGIN_DBA = loginStatusBean(USER_DBA,
 			INTERNAL);
 
+	private static LoginStatusBean loginStatusBean(UserAccount user,
+			AuthenticationSource auth) {
+		return new LoginStatusBean(user.getUri(), auth);
+	}
+
 	private static final LoginStatusBean[] LOGINS = new LoginStatusBean[] {
 			LOGIN_NONE, LOGIN_SELF, LOGIN_EDITOR, LOGIN_CURATOR, LOGIN_DBA };
 
@@ -168,11 +176,6 @@ public class HiddenFromDisplayBelowRoleLevelFilterTest extends
 		return i;
 	}
 
-	private static LoginStatusBean loginStatusBean(User user,
-			AuthenticationSource auth) {
-		return new LoginStatusBean(user.getURI(), auth);
-	}
-
 	private static final VClass PUBLIC_VCLASS = vClass("PUBLIC_vclass",
 			RoleLevel.PUBLIC);
 	private static final VClass SELF_VCLASS = vClass("SELF_vclass",
@@ -786,21 +789,21 @@ public class HiddenFromDisplayBelowRoleLevelFilterTest extends
 			return RoleLevel.PUBLIC;
 		}
 
-		User user = DAO_USER.getUserByURI(userUri);
+		UserAccount user = DAO_USER_ACCOUNT.getUserAccountByUri(userUri);
 		if (user == null) {
 			return RoleLevel.PUBLIC;
 		}
 
-		String roleURI = user.getRoleURI();
-		if ("1".equals(roleURI)) {
-			return RoleLevel.SELF;
-		} else if ("4".equals(roleURI)) {
-			return RoleLevel.EDITOR;
-		} else if ("5".equals(roleURI)) {
-			return RoleLevel.CURATOR;
-		} else if ("50".equals(roleURI)) {
-			return RoleLevel.DB_ADMIN;
-		} else {
+		Set<String> roleUris = user.getPermissionSetUris();
+		if (roleUris.contains(URI_DBA)) {
+			return RoleLevel.DB_ADMIN; 
+		} else 		if (roleUris.contains(URI_CURATOR)) {
+			return RoleLevel.CURATOR; 
+		} else 		if (roleUris.contains(URI_EDITOR)) {
+			return RoleLevel.EDITOR; 
+		} else 		if (roleUris.contains(URI_SELF_EDITOR)) {
+			return RoleLevel.SELF; 
+ 		} else {
 			return RoleLevel.PUBLIC;
 		}
 	}
diff --git a/webapp/test/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFiltersFactoryTest.java b/webapp/test/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFiltersFactoryTest.java
index 57c7eb817..9adb416b2 100644
--- a/webapp/test/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFiltersFactoryTest.java
+++ b/webapp/test/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFiltersFactoryTest.java
@@ -200,8 +200,6 @@ public class VitroFiltersFactoryTest {
         Assert.assertNotNull("getObjectPropertyFilter was null", vf.getObjectPropertyFilter());
         Assert.assertNotNull("getObjectPropertyStatementFilter was null", vf.getObjectPropertyStatementFilter());
         Assert.assertNotNull("getIndividualFilter was null", vf.getIndividualFilter());
-        //Assert.assertNotNull("getTabFilter was null", vf.getTabFilter());
-        Assert.assertNotNull("getUserFilter was null", vf.getUserFilter());
         Assert.assertNotNull("getVClassGroupFilter was null", vf.getVClassGroupFilter());
     }
     
diff --git a/webapp/test/edu/cornell/mannlib/vitro/webapp/dao/jena/OntModelSegementationTest.java b/webapp/test/edu/cornell/mannlib/vitro/webapp/dao/jena/OntModelSegementationTest.java
index 70b7f0a6f..fadec9385 100644
--- a/webapp/test/edu/cornell/mannlib/vitro/webapp/dao/jena/OntModelSegementationTest.java
+++ b/webapp/test/edu/cornell/mannlib/vitro/webapp/dao/jena/OntModelSegementationTest.java
@@ -3,19 +3,23 @@
 package edu.cornell.mannlib.vitro.webapp.dao.jena;
 
 import junit.framework.Assert;
+
+import org.junit.Ignore;
+import org.junit.Test;
+
 import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.Individual;
 import edu.cornell.mannlib.vitro.webapp.beans.IndividualImpl;
 import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.Ontology;
-import edu.cornell.mannlib.vitro.webapp.beans.User;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 import edu.cornell.mannlib.vitro.webapp.beans.VClass;
 import edu.cornell.mannlib.vitro.webapp.dao.DataPropertyDao;
 import edu.cornell.mannlib.vitro.webapp.dao.IndividualDao;
 import edu.cornell.mannlib.vitro.webapp.dao.InsertException;
 import edu.cornell.mannlib.vitro.webapp.dao.ObjectPropertyDao;
 import edu.cornell.mannlib.vitro.webapp.dao.OntologyDao;
-import edu.cornell.mannlib.vitro.webapp.dao.UserDao;
+import edu.cornell.mannlib.vitro.webapp.dao.UserAccountsDao;
 import edu.cornell.mannlib.vitro.webapp.dao.VClassDao;
 import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
 
@@ -32,34 +36,33 @@ public class OntModelSegementationTest {
 		wadf = new WebappDaoFactoryJena(new SimpleOntModelSelector());
 	}
 	
-	@org.junit.Test
+	@Test
 	public void testUserAccountModel() {
 		
-		UserDao udao = wadf.getUserDao();
+		UserAccountsDao uadao = wadf.getUserAccountsDao();
 		OntModelSelector oms = wadf.getOntModelSelector();
-		
-		User user = new User();
+
+		UserAccount user = new UserAccount();
 		user.setFirstName("Chuck");
 		user.setLastName("Roast");
-		user.setUsername("chuckroast");
+		user.setExternalAuthId("chuckroast");
 		
-		String userURI = udao.insertUser(user);
-		user.setURI(userURI);
+		uadao.insertUserAccount(user);
 		Assert.assertTrue(oms.getUserAccountsModel().size() > 0);
 		Assert.assertTrue(oms.getFullModel().size() == 0);
 		Assert.assertTrue(oms.getABoxModel().size() == 0);
 		Assert.assertTrue(oms.getTBoxModel().size() == 0);
 		Assert.assertTrue(oms.getApplicationMetadataModel().size() == 0);
 		
-		user.setUsername("todd");
-		udao.updateUser(user);
+		user.setEmailAddress("todd@somewhere");
+		uadao.updateUserAccount(user);
 		Assert.assertTrue(oms.getUserAccountsModel().size() > 0);
 		Assert.assertTrue(oms.getFullModel().size() == 0);
 		Assert.assertTrue(oms.getABoxModel().size() == 0);
 		Assert.assertTrue(oms.getTBoxModel().size() == 0);
 		Assert.assertTrue(oms.getApplicationMetadataModel().size() == 0);
 		
-		udao.deleteUser(user);
+		uadao.deleteUserAccount(user.getUri());
 		Assert.assertTrue(oms.getUserAccountsModel().size() == 0);
 		Assert.assertTrue(oms.getFullModel().size() == 0);
 		Assert.assertTrue(oms.getABoxModel().size() == 0);
@@ -69,7 +72,7 @@ public class OntModelSegementationTest {
 	}
 	
 	/*
-	@org.junit.Test
+	@Test
 	public void testApplicationMetadataModel() throws InsertException {
 		
 		PortalDao pdao = wadf.getPortalDao();
@@ -134,7 +137,7 @@ public class OntModelSegementationTest {
 	}
 	*/
 	
-	@org.junit.Test
+	@Test
 	public void testTBoxModel() throws InsertException {
 		
 		OntModelSelector oms = wadf.getOntModelSelector();
@@ -189,7 +192,7 @@ public class OntModelSegementationTest {
 			
 	}
 	
-	@org.junit.Test
+	@Test
 	public void testAboxModel() throws InsertException {
 		
 		OntModelSelector oms = wadf.getOntModelSelector();
@@ -242,20 +245,21 @@ public class OntModelSegementationTest {
 		Assert.assertTrue(oms.getUserAccountsModel().size() == 0);
 	}
 	
-	@org.junit.Test
+	@Ignore
+	@Test
 	public void testConcurrency() throws InsertException {
-//		(new Thread(new ClassLister(wadf))).start();
-//		(new Thread(new ClassLister(wadf))).start();
-//		VClass v = null;
-//		for (int i = 0; i < 50; i++) {
-//			v = new VClass();
-//			v.setURI("http://example.org/vclass" + i);
-//			wadf.getVClassDao().insertNewVClass(v);
-//		}
-//		for (int i = 0; i < 500; i++) {
-//			v.setName("blah " + i);
-//			wadf.getVClassDao().updateVClass(v);
-//		}
+		(new Thread(new ClassLister(wadf))).start();
+		(new Thread(new ClassLister(wadf))).start();
+		VClass v = null;
+		for (int i = 0; i < 50; i++) {
+			v = new VClass();
+			v.setURI("http://example.org/vclass" + i);
+			wadf.getVClassDao().insertNewVClass(v);
+		}
+		for (int i = 0; i < 500; i++) {
+			v.setName("blah " + i);
+			wadf.getVClassDao().updateVClass(v);
+		}
 		
 	}
 	
diff --git a/webapp/test/stubs/edu/cornell/mannlib/vitro/webapp/dao/IndividualDaoStub.java b/webapp/test/stubs/edu/cornell/mannlib/vitro/webapp/dao/IndividualDaoStub.java
index 137fe9a8e..4caf12cbe 100644
--- a/webapp/test/stubs/edu/cornell/mannlib/vitro/webapp/dao/IndividualDaoStub.java
+++ b/webapp/test/stubs/edu/cornell/mannlib/vitro/webapp/dao/IndividualDaoStub.java
@@ -205,13 +205,6 @@ public class IndividualDaoStub implements IndividualDao {
 				"IndividualDaoStub.getKeywordObjectsForIndividual() not implemented.");
 	}
 
-	@Override
-	public String getIndividualURIFromNetId(String netIdStr,
-			String netidMatchingPropertyUri) {
-		throw new RuntimeException(
-				"IndividualDaoStub.getIndividualURIFromNetId() not implemented.");
-	}
-
 	@Override
 	public String getNetId(String entityURI) {
 		throw new RuntimeException(
diff --git a/webapp/test/stubs/edu/cornell/mannlib/vitro/webapp/dao/UserAccountsDaoStub.java b/webapp/test/stubs/edu/cornell/mannlib/vitro/webapp/dao/UserAccountsDaoStub.java
new file mode 100644
index 000000000..c0a96befe
--- /dev/null
+++ b/webapp/test/stubs/edu/cornell/mannlib/vitro/webapp/dao/UserAccountsDaoStub.java
@@ -0,0 +1,98 @@
+/* $This file is distributed under the terms of the license in /doc/license.txt$ */
+
+package stubs.edu.cornell.mannlib.vitro.webapp.dao;
+
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import edu.cornell.mannlib.vitro.webapp.beans.PermissionSet;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
+import edu.cornell.mannlib.vitro.webapp.dao.UserAccountsDao;
+
+/**
+ * TODO
+ */
+public class UserAccountsDaoStub implements UserAccountsDao {
+	private static final Log log = LogFactory.getLog(UserAccountsDaoStub.class);
+
+	private final Map<String, UserAccount> userAccountsByUri = new HashMap<String, UserAccount>();
+
+	// ----------------------------------------------------------------------
+	// Stub infrastructure
+	// ----------------------------------------------------------------------
+
+	public void addUser(UserAccount user) {
+		userAccountsByUri.put(user.getUri(), user);
+	}
+
+	// ----------------------------------------------------------------------
+	// Stub methods
+	// ----------------------------------------------------------------------
+
+	@Override
+	public UserAccount getUserAccountByUri(String uri) {
+		return userAccountsByUri.get(uri);
+	}
+
+	// ----------------------------------------------------------------------
+	// Un-implemented methods
+	// ----------------------------------------------------------------------
+
+	@Override
+	public UserAccount getUserAccountByEmail(String emailAddress) {
+		throw new RuntimeException(
+				"UserAccountsDaoStub.getUserAccountByEmail() not implemented.");
+	}
+
+	@Override
+	public boolean isRootUser(UserAccount userAccount) {
+		throw new RuntimeException("UserAccountsDao.isRootUser() not implemented.");
+	}
+
+	@Override
+	public String insertUserAccount(UserAccount userAccount) {
+		throw new RuntimeException(
+				"UserAccountsDaoStub.insertUserAccount() not implemented.");
+	}
+
+	@Override
+	public void updateUserAccount(UserAccount userAccount) {
+		throw new RuntimeException(
+				"UserAccountsDaoStub.updateUserAccount() not implemented.");
+	}
+
+	@Override
+	public void deleteUserAccount(String userAccountUri) {
+		throw new RuntimeException(
+				"UserAccountsDaoStub.deleteUserAccount() not implemented.");
+	}
+
+	@Override
+	public PermissionSet getPermissionSetByUri(String uri) {
+		throw new RuntimeException(
+				"UserAccountsDaoStub.getPermissionSetByUri() not implemented.");
+	}
+
+	@Override
+	public Collection<PermissionSet> getAllPermissionSets() {
+		throw new RuntimeException(
+				"UserAccountsDaoStub.getAllPermissionSets() not implemented.");
+	}
+
+	@Override
+	public UserAccount getUserAccountByExternalAuthId(String externalAuthId) {
+		throw new RuntimeException(
+				"UserAccountsDao.getUserAccountByExternalAuthId() not implemented.");
+	}
+
+	@Override
+	public Collection<UserAccount> getAllUserAccounts() {
+		throw new RuntimeException(
+				"UserAccountsDao.getAllUserAccounts() not implemented.");
+	}
+
+}
diff --git a/webapp/test/stubs/edu/cornell/mannlib/vitro/webapp/dao/UserDaoStub.java b/webapp/test/stubs/edu/cornell/mannlib/vitro/webapp/dao/UserDaoStub.java
deleted file mode 100644
index d3ce6c3ee..000000000
--- a/webapp/test/stubs/edu/cornell/mannlib/vitro/webapp/dao/UserDaoStub.java
+++ /dev/null
@@ -1,83 +0,0 @@
-/* $This file is distributed under the terms of the license in /doc/license.txt$ */
-
-package stubs.edu.cornell.mannlib.vitro.webapp.dao;
-
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import edu.cornell.mannlib.vitro.webapp.beans.User;
-import edu.cornell.mannlib.vitro.webapp.dao.UserDao;
-
-/**
- * TODO
- */
-public class UserDaoStub implements UserDao {
-	// ----------------------------------------------------------------------
-	// Stub infrastructure
-	// ----------------------------------------------------------------------
-
-	private final Map<String, User> userByUriMap = new HashMap<String, User>();
-
-	public void addUser(User user) {
-		userByUriMap.put(user.getURI(), user);
-	}
-	
-	// ----------------------------------------------------------------------
-	// Stub methods
-	// ----------------------------------------------------------------------
-
-	@Override
-	public User getUserByURI(String URI) {
-		return userByUriMap.get(URI);
-	}
-	
-	// ----------------------------------------------------------------------
-	// Un-implemented methods
-	// ----------------------------------------------------------------------
-
-	@Override
-	public User getUserByUsername(String username) {
-		throw new RuntimeException(
-				"UserDaoStub.getUserByUsername() not implemented.");
-	}
-
-	@Override
-	public List<User> getAllUsers() {
-		throw new RuntimeException("UserDaoStub.getAllUsers() not implemented.");
-	}
-
-	@Override
-	public void updateUser(User user) {
-		throw new RuntimeException("UserDaoStub.updateUser() not implemented.");
-	}
-
-	@Override
-	public String insertUser(User user) {
-		throw new RuntimeException("UserDaoStub.insertUser() not implemented.");
-	}
-
-	@Override
-	public void deleteUser(User user) {
-		throw new RuntimeException("UserDaoStub.deleteUser() not implemented.");
-	}
-
-	@Override
-	public List<String> getIndividualsUserMayEditAs(String userURI) {
-		throw new RuntimeException(
-				"UserDaoStub.getIndividualsUserMayEditAs() not implemented.");
-	}
-
-	@Override
-	public List<String> getUserAccountEmails() {
-		throw new RuntimeException(
-				"UserDaoStub.getUserAccountEmails() not implemented.");
-	}
-
-	@Override
-	public String getUserEmailAddress(String userURI) {
-		throw new RuntimeException(
-				"UserDaoStub.getUserEmailAddress() not implemented.");
-	}
-
-}
diff --git a/webapp/test/stubs/edu/cornell/mannlib/vitro/webapp/dao/WebappDaoFactoryStub.java b/webapp/test/stubs/edu/cornell/mannlib/vitro/webapp/dao/WebappDaoFactoryStub.java
index 13277aca5..669e31561 100644
--- a/webapp/test/stubs/edu/cornell/mannlib/vitro/webapp/dao/WebappDaoFactoryStub.java
+++ b/webapp/test/stubs/edu/cornell/mannlib/vitro/webapp/dao/WebappDaoFactoryStub.java
@@ -26,7 +26,6 @@ import edu.cornell.mannlib.vitro.webapp.dao.PageDao;
 import edu.cornell.mannlib.vitro.webapp.dao.PropertyGroupDao;
 import edu.cornell.mannlib.vitro.webapp.dao.PropertyInstanceDao;
 import edu.cornell.mannlib.vitro.webapp.dao.UserAccountsDao;
-import edu.cornell.mannlib.vitro.webapp.dao.UserDao;
 import edu.cornell.mannlib.vitro.webapp.dao.VClassDao;
 import edu.cornell.mannlib.vitro.webapp.dao.VClassGroupDao;
 import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
@@ -45,6 +44,7 @@ public class WebappDaoFactoryStub implements WebappDaoFactory {
 	private IndividualDao individualDao;
 	private DataPropertyDao dataPropertyDao;
 	private ObjectPropertyDao objectPropertyDao;
+	private UserAccountsDao userAccountsDao;
 
 	public void setIndividualDao(IndividualDao individualDao) {
 		this.individualDao = individualDao;
@@ -58,10 +58,8 @@ public class WebappDaoFactoryStub implements WebappDaoFactory {
 		this.objectPropertyDao = objectPropertyDao;
 	}
 
-	// TODO This goes away when the UserAccounts stuff is fully implemented -- jb
-	private UserDao userDao;
-	public void setUserDao(UserDao userDao) {
-		this.userDao = userDao;
+	public void setUserAccountsDao(UserAccountsDao userAccountsDao) {
+		this.userAccountsDao = userAccountsDao;
 	}
 
 	// ----------------------------------------------------------------------
@@ -83,10 +81,9 @@ public class WebappDaoFactoryStub implements WebappDaoFactory {
 		return this.objectPropertyDao;
 	}
 
-    // TODO This goes away when the UserAccounts stuff is fully implemented -- jb
 	@Override
-	public UserDao getUserDao() {
-		return this.userDao;
+	public UserAccountsDao getUserAccountsDao() {
+		return this.userAccountsDao;
 	}
 
 	// ----------------------------------------------------------------------
@@ -225,12 +222,6 @@ public class WebappDaoFactoryStub implements WebappDaoFactory {
 				"WebappDaoFactory.getLinktypeDao() not implemented.");
 	}
 
-	@Override
-	public UserAccountsDao getUserAccountsDao() {
-		throw new RuntimeException(
-		"WebappDaoFactory.getUserAccountsDao() not implemented.");
-	}
-	
 	@Override
 	public VClassGroupDao getVClassGroupDao() {
 		throw new RuntimeException(
diff --git a/webapp/web/templates/freemarker/body/admin/admin-showAuth.ftl b/webapp/web/templates/freemarker/body/admin/admin-showAuth.ftl
index e11bb519e..bb1d64f6f 100644
--- a/webapp/web/templates/freemarker/body/admin/admin-showAuth.ftl
+++ b/webapp/web/templates/freemarker/body/admin/admin-showAuth.ftl
@@ -10,12 +10,15 @@ ${stylesheets.add('<link rel="stylesheet" href="${urls.base}/css/showAuth.css" /
     <#if currentUser?has_content>
         <table summary="Information about the current user" style="border: 1">
             <caption>Current user</caption>
-            <tr><th>URI:</th><td>${currentUser.URI}</td></tr>
+            <tr><th>URI:</th><td>${currentUser.uri}</td></tr>
             <tr><th>First name:</th><td>${currentUser.firstName}</td></tr>
             <tr><th>Last name:</th><td>${currentUser.lastName}</td></tr>
-            <tr><th>Username:</th><td>${currentUser.username}</td></tr>
+            <tr><th>Email:</th><td>${currentUser.emailAddress}</td></tr>
+            <tr><th>External Auth ID:</th><td>${currentUser.externalAuthId}</td></tr>
             <tr><th>Login count:</th><td>${currentUser.loginCount}</td></tr>
-            <tr><th>Role:</th><td>${currentUser.roleURI}</td></tr>
+            <#list currentUser.permissionSetUris as role>
+                <tr><th>Role:</th><td>${role}</td></tr>
+            </#list>
         </table>
     <#else>
         <h3>Not logged in</h3>
diff --git a/webapp/web/templates/freemarker/body/login/adminLogin.ftl b/webapp/web/templates/freemarker/body/login/adminLogin.ftl
index 1751efd3f..6bf7228f2 100644
--- a/webapp/web/templates/freemarker/body/login/adminLogin.ftl
+++ b/webapp/web/templates/freemarker/body/login/adminLogin.ftl
@@ -5,7 +5,7 @@
 <section id="internalLogin" role="region">
     <h2>Internal Login</h2>
 
-    <#if errorNoUser??>
+    <#if errorNoEmail??>
         <#assign errorMessage = "No email supplied." />
     </#if>
     
@@ -52,11 +52,11 @@
             <label for="confirmPassword">Confirm Password</label>
             <input id="confirmPassword" name="confirmPassword" class="text-field" type="password" required />
             
-            <input id="username" name="username" type="hidden" value="${username!}" />
+            <input id="email" name="email" type="hidden" value="${email!}" />
             <input id="password" name="password" type="hidden" value="${password!}" />
         <#else>
-            <label for="username">Email</label>
-            <input id="username" name="username" class="text-field focus" type="text" value="${username!}" required autofocus />
+            <label for="email">Email</label>
+            <input id="email" name="email" class="text-field focus" type="text" value="${email!}" required autofocus />
 
         	<label for="password">Password</label>
             <input id="password" name="password" class="text-field" type="password" required />
diff --git a/webapp/web/templates/freemarker/body/siteAdmin/siteAdmin-siteConfiguration.ftl b/webapp/web/templates/freemarker/body/siteAdmin/siteAdmin-siteConfiguration.ftl
index 44b874d75..4a45fc1a5 100644
--- a/webapp/web/templates/freemarker/body/siteAdmin/siteAdmin-siteConfiguration.ftl
+++ b/webapp/web/templates/freemarker/body/siteAdmin/siteAdmin-siteConfiguration.ftl
@@ -17,8 +17,8 @@
                 <li><a href="${siteConfig.urls.menuN3Editor}">Menu management</a></li>  
             </#if>
             
-            <#if siteConfig.urls.users??>
-                <li><a href="${siteConfig.urls.users}">User accounts</a></li>  
+            <#if siteConfig.urls.userList??>
+                <li><a href="${siteConfig.urls.userList}">User accounts</a></li>  
             </#if>
             
         </ul>