diff --git a/lib/models/acl.js b/lib/models/acl.js
index d10f2c3c..07a941c0 100644
--- a/lib/models/acl.js
+++ b/lib/models/acl.js
@@ -1,17 +1,32 @@
-// Schema ACL options +/** +Schema ACL options +Object level permissions, for example, an album owned by a user -// Object level permissions +Factors to be authorized against: -// open: no protection -// none: always rejected -// owner: only the owner -// loggedIn: any logged in user -// roles: logged in users with the roles -// related: owner of the related objects +* model name: Album +* model instance properties: userId of the album, friends, shared +* methods +* app and/or user ids/roles + ** loggedIn + ** roles + ** userId + ** appId + ** none + ** everyone + ** relations: owner/friend/granted -// Class level permissions +Class level permissions, for example, Album + * model name: Album + * methods -// scopes +URL/Route level permissions + * url pattern + * application id + * ip addresses + * http headers -// URL level permissions \ No newline at end of file +Map to oAuth 2.0 scopes + +*/ \ No newline at end of file
diff --git a/lib/models/role.js b/lib/models/role.js
index a9546777..a04ad962 100644
--- a/lib/models/role.js
+++ b/lib/models/role.js
@@ -2,9 +2,9 @@ var RoleSchema = {
  id: {type: String, required: true},
  name: {type: String, required: true},
- roles: [String],
- users: [String],
- acl: [],
+ roles: [String], // A role can be an aggregate of other roles
+ users: [String], // A role contains a list of users
+ acls: [],
  created: Date,
  lastUpdated: Date
diff --git a/lib/models/user.js b/lib/models/user.js
index 38d20452..ec63821a 100644
--- a/lib/models/user.js
+++ b/lib/models/user.js
@@ -1,11 +1,21 @@
 // User model
 var UserSchema = {
  id: {type: String, required: true},
+ realm: {type: String},
  username: {type: String, required: true},
- password: String,
- authData: [],
+ password: {type: String, transient: true}, // Transient property
+ hash: {type: String}, // Hash code calculated from sha256(realm, username, password, salt, macKey)
+ salt: {type: String},
+ macKey: {type: String}, // HMAC to calculate the hash code
  email: String,
  emailVerified: Boolean,
+ credentials: [
+ 'UserCredential' // User credentials, private or public, such as private/public keys, Kerberos tickets, oAuth tokens, facebook, google, github ids
+ ],
+ challenges: [
+ 'Challenge' // Security questions/answers
+ ],
+ status: String,
  created: Date,
  lastUpdated: Date
 }
\ No newline at end of file
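Review bot: The comments on the new `hash` and `macKey` fields describe two different constructions — `sha256(realm, username, password, salt, macKey)` on one line and "HMAC to calculate the hash code" on the next — so the schema does not say which verifier an implementation must produce, and neither a bare SHA-256 nor a single HMAC pass is a suitable password-storage primitive (a deliberately slow, salted KDF such as PBKDF2, bcrypt or scrypt is). Since `macKey` is stored in the same record as `hash` and `salt`, it appears to add no secrecy beyond `salt`; if it is meant as a server-side pepper it should not be a per-user column, though this is inferred from the schema alone because the hashing code is not in this hunk. The `password` line should state the contract rather than restate the attribute, e.g. `password: {type: String, transient: true}, // Never persisted: held in memory only to derive hash, then discarded`, assuming `transient` excludes the field from storage. The `credentials` comment enumerates private keys, Kerberos tickets and oAuth tokens, so a comment recording that these are secrets at rest — excluded from default serialization and logging, and encrypted — would help whoever implements `UserCredential`.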