diff --git a/admin/auth.go b/admin/auth.go
index a12f6c78..561a5fcf 100644
--- a/admin/auth.go
+++ b/admin/auth.go
@@ -154,7 +154,7 @@ func handlerAuthCheck(h http.Handler) http.Handler {
 				http.Redirect(w, r, forbiddenPath, http.StatusForbidden)
 				return
 			}
-			newUser, err := adminUsers.New(username, "", email, fullname, (s[ctxLevel] == adminLevel))
+			newUser, err := adminUsers.New(username, "", email, fullname, headersConfig.DefaultEnv, (s[ctxLevel] == adminLevel))
 			if err != nil {
 				log.Printf("Error with new user %s: %v", username, err)
 				http.Redirect(w, r, forbiddenPath, http.StatusFound)
diff --git a/admin/handlers/post.go b/admin/handlers/post.go
index 56685597..ef3f5c4c 100644
--- a/admin/handlers/post.go
+++ b/admin/handlers/post.go
@@ -40,7 +40,9 @@ func (h *HandlersAdmin) LoginPOSTHandler(w http.ResponseWriter, r *http.Request)
 	}
 	permissions, err := h.Users.ConvertPermissions(user.Permissions.RawMessage)
 	if err != nil {
-
+		adminErrorResponse(w, "error processing login", http.StatusInternalServerError, err)
+		h.Inc(metricAdminErr)
+		return
 	}
 	_, err = h.Sessions.Save(r, w, user, permissions)
 	if err != nil {
@@ -52,7 +54,7 @@ func (h *HandlersAdmin) LoginPOSTHandler(w http.ResponseWriter, r *http.Request)
 	if h.Settings.DebugService(settings.ServiceAdmin) {
 		log.Println("DebugService: Login response sent")
 	}
-	adminOKResponse(w, "OK")
+	adminOKResponse(w, "/environment/"+user.DefaultEnv+"/active")
 	h.Inc(metricAdminOK)
 }
 
@@ -987,7 +989,7 @@ func (h *HandlersAdmin) EnvsPOSTHandler(w http.ResponseWriter, r *http.Request)
 		adminOKResponse(w, "environment created successfully")
 	case "delete":
 		if c.Name == h.Settings.DefaultEnv(settings.ServiceAdmin) {
-			adminErrorResponse(w, "not a good idea", http.StatusInternalServerError, fmt.Errorf("attempt to remove environment %s", c.Name))
+			adminErrorResponse(w, "nope, this is the default environment", http.StatusInternalServerError, fmt.Errorf("attempt to remove default environment %s", c.Name))
 			h.Inc(metricAdminErr)
 			return
 		}
@@ -1153,8 +1155,14 @@ func (h *HandlersAdmin) UsersPOSTHandler(w http.ResponseWriter, r *http.Request)
 			h.Inc(metricAdminErr)
 			return
 		}
+		// Check that default environment exists
+		if (u.DefaultEnv == "") || !h.Envs.Exists(u.DefaultEnv) {
+			adminErrorResponse(w, "error adding user", http.StatusInternalServerError, fmt.Errorf("environment %s does not exist", u.DefaultEnv))
+			h.Inc(metricAdminErr)
+			return
+		}
 		// Prepare user to create
-		newUser, err := h.Users.New(u.Username, u.Password, u.Email, u.Fullname, u.Admin)
+		newUser, err := h.Users.New(u.Username, u.Password, u.Email, u.Fullname, u.DefaultEnv, u.Admin)
 		if err != nil {
 			adminErrorResponse(w, "error with new user", http.StatusInternalServerError, err)
 			h.Inc(metricAdminErr)
@@ -1166,19 +1174,22 @@ func (h *HandlersAdmin) UsersPOSTHandler(w http.ResponseWriter, r *http.Request)
 			h.Inc(metricAdminErr)
 			return
 		}
+		namesEnvs := []string{u.DefaultEnv}
+		access := users.EnvLevel
 		if u.Admin {
-			namesEnvs, err := h.Envs.Names()
+			access = users.AdminLevel
+			namesEnvs, err = h.Envs.Names()
 			if err != nil {
 				adminErrorResponse(w, "error getting environments user", http.StatusInternalServerError, err)
 				h.Inc(metricAdminErr)
 				return
 			}
-			perms := h.Users.GenPermissions(namesEnvs, u.Admin)
-			if err := h.Users.ChangePermissions(u.Username, perms); err != nil {
-				adminErrorResponse(w, "error changing permissions", http.StatusInternalServerError, err)
-				h.Inc(metricAdminErr)
-				return
-			}
+		}
+		perms := h.Users.GenPermissions(namesEnvs, access)
+		if err := h.Users.ChangePermissions(u.Username, perms); err != nil {
+			adminErrorResponse(w, "error changing permissions", http.StatusInternalServerError, err)
+			h.Inc(metricAdminErr)
+			return
 		}
 		if u.Token {
 			token, exp, err := h.Users.CreateToken(newUser.Username)
@@ -1209,6 +1220,13 @@ func (h *HandlersAdmin) UsersPOSTHandler(w http.ResponseWriter, r *http.Request)
 				return
 			}
 		}
+		if u.DefaultEnv != "" {
+			if err := h.Users.ChangeDefaultEnv(u.Username, u.DefaultEnv); err != nil {
+				adminErrorResponse(w, "error changing default environment", http.StatusInternalServerError, err)
+				h.Inc(metricAdminErr)
+				return
+			}
+		}
 		adminOKResponse(w, "user updated successfully")
 	case "remove":
 		if u.Username == ctx[sessions.CtxUser] {
@@ -1243,7 +1261,7 @@ func (h *HandlersAdmin) UsersPOSTHandler(w http.ResponseWriter, r *http.Request)
 					h.Inc(metricAdminErr)
 					return
 				}
-				perms := h.Users.GenPermissions(namesEnvs, u.Admin)
+				perms := h.Users.GenPermissions(namesEnvs, users.AdminLevel)
 				if err := h.Users.ChangePermissions(u.Username, perms); err != nil {
 					adminErrorResponse(w, "error changing permissions", http.StatusInternalServerError, err)
 					h.Inc(metricAdminErr)
diff --git a/admin/handlers/types-requests.go b/admin/handlers/types-requests.go
index d68c27f1..9e111862 100644
--- a/admin/handlers/types-requests.go
+++ b/admin/handlers/types-requests.go
@@ -107,14 +107,15 @@ type EnvironmentsRequest struct {
 
 // UsersRequest to receive user action requests
 type UsersRequest struct {
-	CSRFToken string `json:"csrftoken"`
-	Action    string `json:"action"`
-	Username  string `json:"username"`
-	Email     string `json:"email"`
-	Fullname  string `json:"fullname"`
-	Password  string `json:"password"`
-	Token     bool   `json:"token"`
-	Admin     bool   `json:"admin"`
+	CSRFToken  string `json:"csrftoken"`
+	Action     string `json:"action"`
+	Username   string `json:"username"`
+	Email      string `json:"email"`
+	Fullname   string `json:"fullname"`
+	Password   string `json:"password"`
+	Token      bool   `json:"token"`
+	Admin      bool   `json:"admin"`
+	DefaultEnv string `json:"environment"`
 }
 
 // TagsRequest to receive tag action requests
diff --git a/admin/static/js/login.js b/admin/static/js/login.js
index d04e6cad..819452d9 100644
--- a/admin/static/js/login.js
+++ b/admin/static/js/login.js
@@ -7,7 +7,9 @@ function sendLogin() {
       username: _user,
       password: _password
   };
-  sendPostRequest(data, _url, '/dashboard', false);
+  sendPostRequest(data, _url, '', false, function(_data){
+    window.location.replace(_data.message);
+  });
 }
 
 function sendLogout() {
diff --git a/admin/static/js/users.js b/admin/static/js/users.js
index c3e68ee0..f9784bac 100644
--- a/admin/static/js/users.js
+++ b/admin/static/js/users.js
@@ -17,6 +17,7 @@ function confirmAddUser() {
   var _password = $("#user_password").val();
   var _admin = $("#user_admin").is(':checked');
   var _token = $("#user_token").is(':checked');
+  var _env = $("#default_env").val();
 
   var data = {
     csrftoken: _csrftoken,
@@ -26,7 +27,8 @@ function confirmAddUser() {
     fullname: _fullname,
     password: _password,
     admin: _admin,
-    token: _token
+    token: _token,
+    environment: _env
   };
   sendPostRequest(data, _url, _url, false);
 }
diff --git a/admin/templates/users.html b/admin/templates/users.html
index c80e2a1f..dc735552 100644
--- a/admin/templates/users.html
+++ b/admin/templates/users.html
@@ -125,7 +125,6 @@ <h4 class="modal-title">Add new user</h4>
                       <div class="col-md-4">
                         <input class="form-control" name="user_password" id="user_password" type="password" autocomplete="off">
                       </div>
-
                     </div>
                     <div class="form-group row">
                       <label class="col-md-2 col-form-label" for="user_email">Email: </label>
@@ -138,20 +137,32 @@ <h4 class="modal-title">Add new user</h4>
                       </div>
                     </div>
                     <div class="form-group row">
-                      <label class="col-md-3 col-form-label" for="user_admin">Enable Admin Level: </label>
-                      <div class="col-md-3">
+                      <label class="col-md-1 col-form-label" for="user_admin">Admin: </label>
+                      <div class="col-md-2">
                         <label class="switch switch-label switch-pill switch-success switch-sm" data-tooltip="true" data-placement="top" title="Change">
                           <input id="user_admin" class="switch-input" type="checkbox">
                           <span class="switch-slider" data-checked="On" data-unchecked="Off"></span>
                         </label>
                       </div>
-                      <label class="col-md-3 col-form-label" for="user_token">Create API Token: </label>
-                      <div class="col-md-3">
+                      <label class="col-md-1 col-form-label" for="user_token">API: </label>
+                      <div class="col-md-2">
                         <label class="switch switch-label switch-pill switch-success switch-sm" data-tooltip="true" data-placement="top" title="Change">
                           <input id="user_token" class="switch-input" type="checkbox">
                           <span class="switch-slider" data-checked="On" data-unchecked="Off"></span>
                         </label>
                       </div>
+
+                      <label class="col-md-3 col-form-label" for="default_env">Default Environment: </label>
+                      <div class="col-md-3">
+                        <select class="form-control" style="width: 100%;" name="default_env" id="default_env">
+                          <option value=""></option>
+                        {{ range  $i, $e := $.Environments }}
+                          <option value="{{ $e.Name }}">{{ $e.Name }}</option>
+                        {{ end }}
+                        </select>
+                        <small class="text-muted">read access will be granted</small>
+                      </div>
+
                     </div>
                   </div>
                   <div class="modal-footer">
@@ -335,6 +346,11 @@ <h4 class="modal-title">User Permissions</h4>
         // Enable all tooltips
         $('[data-tooltip="true"]').tooltip({trigger : 'hover'});
 
+        // Select2 initialization
+        $('#default_env').select2({
+          theme: "classic"
+        });
+
         // Clipboard.js initialization
         var clipboard_sh = new ClipboardJS('#button-clipboard-sh');
         clipboard_sh.on('success', function(e) {
diff --git a/cli/main.go b/cli/main.go
index 32a2dcb9..8921da04 100644
--- a/cli/main.go
+++ b/cli/main.go
@@ -83,6 +83,11 @@ func init() {
 							Hidden: false,
 							Usage:  "Make this user an admin",
 						},
+						cli.StringFlag{
+							Name:  "environment, E",
+							Value: "",
+							Usage: "Default environment for the new user",
+						},
 						cli.StringFlag{
 							Name:  "email, e",
 							Usage: "Email for the new user",
@@ -125,6 +130,10 @@ func init() {
 							Hidden: false,
 							Usage:  "Make this user an non-admin",
 						},
+						cli.StringFlag{
+							Name:  "environment, E",
+							Usage: "Default environment for this user",
+						},
 					},
 					Action: cliWrapper(editUser),
 				},
diff --git a/cli/user.go b/cli/user.go
index 6c5d3bf1..004abd33 100644
--- a/cli/user.go
+++ b/cli/user.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 
+	"github.com/jmpsec/osctrl/users"
 	"github.com/olekukonko/tablewriter"
 	"github.com/urfave/cli"
 )
@@ -20,17 +21,37 @@ func addUser(c *cli.Context) error {
 		fmt.Println("username is required")
 		os.Exit(1)
 	}
+	defaultEnv := c.String("environment")
+	if defaultEnv == "" {
+		fmt.Println("environment is required")
+		os.Exit(1)
+	}
 	password := c.String("password")
 	email := c.String("email")
 	fullname := c.String("fullname")
 	admin := c.Bool("admin")
-	user, err := adminUsers.New(username, password, email, fullname, admin)
+	user, err := adminUsers.New(username, password, email, fullname, defaultEnv, admin)
 	if err != nil {
 		return err
 	}
+	// Create user
 	if err := adminUsers.Create(user); err != nil {
 		return err
 	}
+	// Assign permissions to user
+	permEnv := []string{defaultEnv}
+	access := users.EnvLevel
+	if admin {
+		access = users.AdminLevel
+		permEnv, err = envs.Names()
+		if err != nil {
+			return err
+		}
+	}
+	perms := adminUsers.GenPermissions(permEnv, access)
+	if err := adminUsers.ChangePermissions(username, perms); err != nil {
+		return err
+	}
 	fmt.Printf("Created user %s successfully", username)
 	return nil
 }
@@ -72,6 +93,12 @@ func editUser(c *cli.Context) error {
 			return err
 		}
 	}
+	defaultEnv := c.String("environment")
+	if defaultEnv != "" {
+		if err := adminUsers.ChangeDefaultEnv(username, defaultEnv); err != nil {
+			return err
+		}
+	}
 	fmt.Printf("Edited user %s successfully", username)
 	return nil
 }
@@ -97,6 +124,7 @@ func listUsers(c *cli.Context) error {
 		"Fullname",
 		"PassHash",
 		"Admin?",
+		"Environment",
 		"Last IPAddress",
 		"Last UserAgent",
 	})
@@ -108,6 +136,7 @@ func listUsers(c *cli.Context) error {
 				u.Fullname,
 				truncateString(u.PassHash, lengthToTruncate),
 				stringifyBool(u.Admin),
+				u.DefaultEnv,
 				u.LastIPAddress,
 				u.LastUserAgent,
 			}
diff --git a/deploy/docker/admin/wait.sh b/deploy/docker/admin/wait.sh
index 280b846f..d5be3c45 100644
--- a/deploy/docker/admin/wait.sh
+++ b/deploy/docker/admin/wait.sh
@@ -48,7 +48,7 @@ SECRET_FILE="$CONFIG/docker.secret"
 ./bin/osctrl-cli -D "$DB_JSON" environment flags -n dev -crt "/$CRT_FILE" -secret "/$SECRET_FILE" | sed 's/=uuid/=ephemeral/g' > "$FLAGS_FILE"
 
 # Create admin user
-OUTPUT_ADMIN="$(./bin/osctrl-cli -D "$DB_JSON" user add -u admin -p admin -a -n Admin)"
+OUTPUT_ADMIN="$(./bin/osctrl-cli -D "$DB_JSON" user add -u admin -p admin -a -E dev -n Admin)"
 if [ $? -eq 0 ]; then
   echo "Created admin user"
 else
diff --git a/deploy/provision.sh b/deploy/provision.sh
index cdefd57d..c31823ae 100755
--- a/deploy/provision.sh
+++ b/deploy/provision.sh
@@ -724,7 +724,7 @@ else
 
   # Create admin user
   log "Creating admin user"
-  "$DEST_PATH"/osctrl-cli -D "$__db_conf" user add -u "$_ADMIN_USER" -p "$_ADMIN_PASS" -a -n "Admin"
+  "$DEST_PATH"/osctrl-cli -D "$__db_conf" user add -u "$_ADMIN_USER" -p "$_ADMIN_PASS" -a -E "$ENVIRONMENT" -n "Admin"
 
   # Create initial environment to enroll machines
   log "Creating environment $ENVIRONMENT"
diff --git a/types/go.mod b/types/go.mod
index a1d6ba68..cd231708 100644
--- a/types/go.mod
+++ b/types/go.mod
@@ -1,3 +1,5 @@
 module github.com/jmpsec/osctrl/types
 
 go 1.15
+
+require github.com/jmpsec/osctrl/queries v0.0.0-20210108060250-175f09fbfa70
diff --git a/types/go.sum b/types/go.sum
new file mode 100644
index 00000000..dc2f16ab
--- /dev/null
+++ b/types/go.sum
@@ -0,0 +1,128 @@
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.37.4/go.mod h1:NHPJ89PdicEuT9hdPXMROBD91xc5uRDxsMtSB16k7hw=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo=
+github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
+github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/denisenkom/go-mssqldb v0.0.0-20190423183735-731ef375ac02/go.mod h1:zAg7JM8CkOJ43xKXIj7eRO9kmWm/TW578qo+oDO6tuM=
+github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
+github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU=
+github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
+github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a2zkGnVExMxdzMo3M0Hi/3sEU+cWnZpSni0O6/Yb/P0=
+github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
+github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
+github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
+github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
+github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
+github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
+github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/jinzhu/gorm v1.9.8 h1:n5uvxqLepIP2R1XF7pudpt9Rv8I3m7G9trGxJVjLZ5k=
+github.com/jinzhu/gorm v1.9.8/go.mod h1:bdqTT3q6dhSph2K3pWxrHP6nqxuAp2yQ3KFtc3U3F84=
+github.com/jinzhu/inflection v0.0.0-20180308033659-04140366298a h1:eeaG9XMUvRBYXJi4pg1ZKM7nxc5AfXfojeLLW7O5J3k=
+github.com/jinzhu/inflection v0.0.0-20180308033659-04140366298a/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
+github.com/jinzhu/now v1.0.0/go.mod h1:oHTiXerJ20+SfYcrdlBO7rzZRJWGwSTQ0iUY2jI6Gfc=
+github.com/jmpsec/osctrl v0.2.1 h1:NsR2alFig9wzS/giEBkI3U3CIEGTHsjpqqcRzke/6+E=
+github.com/jmpsec/osctrl/nodes v0.0.0-20200321003619-c21be7214ee4 h1:E2HUseTq4nCI0H9o3RYQo1BP/YAegllbLDkT6E56u6M=
+github.com/jmpsec/osctrl/nodes v0.0.0-20200321003619-c21be7214ee4/go.mod h1:o8iBR3e+m2Rxaf8tnIWSVtKieL7UenN2NjidHclvoII=
+github.com/jmpsec/osctrl/queries v0.0.0-20210108060250-175f09fbfa70 h1:ym+eqbiNIGMIbzYBWH/z229AtconnkZDqYeUacr+R4U=
+github.com/jmpsec/osctrl/queries v0.0.0-20210108060250-175f09fbfa70/go.mod h1:cOxQtPrEmN7d5xn/WVB5zeibyVQnYKVcPvhGXKj7x44=
+github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
+github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
+github.com/mattn/go-sqlite3 v1.10.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
+github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
+github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
+github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
+github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
+github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
+github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
+golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190404172233-64821d5d2107/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
diff --git a/types/types.go b/types/types.go
index 3e14b123..ae9374ae 100644
--- a/types/types.go
+++ b/types/types.go
@@ -21,6 +21,7 @@ type JSONConfigurationHeaders struct {
 	DisplayName       string `json:"displayName"`
 	DistinguishedName string `json:"distinguishedName"`
 	Groups            string `json:"groups"`
+	DefaultEnv        string `json:"defaultEnv"`
 }
 
 // JSONConfigurationJWT to hold all JWT configuration values
diff --git a/users/go.mod b/users/go.mod
index f65fde01..ef90bfc0 100644
--- a/users/go.mod
+++ b/users/go.mod
@@ -5,5 +5,7 @@ go 1.15
 require (
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/jinzhu/gorm v1.9.8
+	github.com/jmpsec/osctrl/queries v0.0.0-20210108060250-175f09fbfa70 // indirect
+	github.com/jmpsec/osctrl/types v0.0.0-20210108060250-175f09fbfa70
 	golang.org/x/crypto v0.0.0-20190530122614-20be4c3c3ed5
 )
diff --git a/users/go.sum b/users/go.sum
index 4c5f1f7e..2ba8d602 100644
--- a/users/go.sum
+++ b/users/go.sum
@@ -43,6 +43,13 @@ github.com/jinzhu/gorm v1.9.8/go.mod h1:bdqTT3q6dhSph2K3pWxrHP6nqxuAp2yQ3KFtc3U3
 github.com/jinzhu/inflection v0.0.0-20180308033659-04140366298a h1:eeaG9XMUvRBYXJi4pg1ZKM7nxc5AfXfojeLLW7O5J3k=
 github.com/jinzhu/inflection v0.0.0-20180308033659-04140366298a/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.0.0/go.mod h1:oHTiXerJ20+SfYcrdlBO7rzZRJWGwSTQ0iUY2jI6Gfc=
+github.com/jmpsec/osctrl v0.2.1 h1:NsR2alFig9wzS/giEBkI3U3CIEGTHsjpqqcRzke/6+E=
+github.com/jmpsec/osctrl/nodes v0.0.0-20200321003619-c21be7214ee4 h1:E2HUseTq4nCI0H9o3RYQo1BP/YAegllbLDkT6E56u6M=
+github.com/jmpsec/osctrl/nodes v0.0.0-20200321003619-c21be7214ee4/go.mod h1:o8iBR3e+m2Rxaf8tnIWSVtKieL7UenN2NjidHclvoII=
+github.com/jmpsec/osctrl/queries v0.0.0-20210108060250-175f09fbfa70 h1:ym+eqbiNIGMIbzYBWH/z229AtconnkZDqYeUacr+R4U=
+github.com/jmpsec/osctrl/queries v0.0.0-20210108060250-175f09fbfa70/go.mod h1:cOxQtPrEmN7d5xn/WVB5zeibyVQnYKVcPvhGXKj7x44=
+github.com/jmpsec/osctrl/types v0.0.0-20210108060250-175f09fbfa70 h1:iurvsNmLwgEk4fgy4rhqxtFEt+JeAHDbiiYE2fBfDEU=
+github.com/jmpsec/osctrl/types v0.0.0-20210108060250-175f09fbfa70/go.mod h1:LAMgw1CJsHAmDZGBZ8G93ZCbKXsh4q7uNO3pCXe57Ko=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
diff --git a/users/permissions.go b/users/permissions.go
index 4b2d0383..c68c525a 100644
--- a/users/permissions.go
+++ b/users/permissions.go
@@ -33,15 +33,15 @@ const (
 )
 
 // GenPermissions to generate the struct with empty permissions
-func (m *UserManager) GenPermissions(environments []string, level bool) UserPermissions {
+func (m *UserManager) GenPermissions(environments []string, level AccessLevel) UserPermissions {
 	envs := make(EnvPermissions)
 	for _, e := range environments {
-		envs[e] = level
+		envs[e] = true
 	}
 	perms := UserPermissions{
 		Environments: envs,
-		Query:        level,
-		Carve:        level,
+		Query:        (level == QueryLevel || level == AdminLevel),
+		Carve:        (level == CarveLevel || level == AdminLevel),
 	}
 	return perms
 }
diff --git a/users/users.go b/users/users.go
index 4fe6e30f..fb5df130 100644
--- a/users/users.go
+++ b/users/users.go
@@ -23,6 +23,7 @@ type AdminUser struct {
 	APIToken      string
 	TokenExpire   time.Time
 	Admin         bool
+	DefaultEnv    string
 	CSRFToken     string
 	Permissions   postgres.Jsonb
 	LastIPAddress string
@@ -148,13 +149,14 @@ func (m *UserManager) Create(user AdminUser) error {
 }
 
 // New empty user
-func (m *UserManager) New(username, password, email, fullname string, admin bool) (AdminUser, error) {
+func (m *UserManager) New(username, password, email, fullname, defaultEnv string, admin bool) (AdminUser, error) {
 	if !m.Exists(username) {
 		passhash, err := m.HashPasswordWithSalt(password)
 		if err != nil {
 			return AdminUser{}, err
 		}
-		permsRaw, err := json.Marshal(m.GenPermissions([]string{}, admin))
+		// Permissions are empty for an empty user
+		permsRaw, err := json.Marshal(m.GenPermissions([]string{}, EnvLevel))
 		if err != nil {
 			permsRaw = []byte("{}")
 		}
@@ -162,6 +164,7 @@ func (m *UserManager) New(username, password, email, fullname string, admin bool
 			Username:    username,
 			PassHash:    passhash,
 			Admin:       admin,
+			DefaultEnv:  defaultEnv,
 			Permissions: postgres.Jsonb{RawMessage: permsRaw},
 			Email:       email,
 			Fullname:    fullname,
@@ -294,6 +297,14 @@ func (m *UserManager) ChangeEmail(username, email string) error {
 	return nil
 }
 
+// ChangeDefaultEnv for user by username
+func (m *UserManager) ChangeDefaultEnv(username, env string) error {
+	if err := m.DB.Model(&AdminUser{}).Where("username = ?", username).Update("default_env", env).Error; err != nil {
+		return fmt.Errorf("Update default_env %v", err)
+	}
+	return nil
+}
+
 // ChangeFullname for user by username
 func (m *UserManager) ChangeFullname(username, fullname string) error {
 	user, err := m.Get(username)