diff --git a/lib/models/user.js b/lib/models/user.js
index 86ad3d50..bfb431e3 100644
--- a/lib/models/user.js
+++ b/lib/models/user.js
@@ -13,7 +13,9 @@ var Model = require('../loopback').Model
   , BaseAccessToken = require('./access-token')
   , DEFAULT_TTL = 1209600 // 2 weeks in seconds
   , DEFAULT_RESET_PW_TTL = 15 * 60 // 15 mins in seconds
-  , DEFAULT_MAX_TTL = 31556926; // 1 year in seconds
+  , DEFAULT_MAX_TTL = 31556926 // 1 year in seconds
+  , Role = require('./role').Role
+  , ACL = require('./acl').ACL;
 
 /**
  * Default User properties.
@@ -44,12 +46,32 @@ var properties = {
     lastUpdated: Date
 }
 
+/**
+ * Default User options.
+ */
+
+var options = {
+  acls: [
+    {
+      principalType: ACL.ROLE,
+      principalId: Role.EVERYONE,
+      permission: ACL.ALLOW,
+      property: 'create'
+    },
+    {
+      principalType: ACL.ROLE,
+      principalId: Role.OWNER,
+      permission: ACL.ALLOW,
+      property: 'removeById'
+    }
+  ]
+};
 
 /**
  * Extends from the built in `loopback.Model` type.
  */
 
-var User = module.exports = Model.extend('User', properties);
+var User = module.exports = Model.extend('User', properties, options);
 
 /**
  * Login a user by with the given `credentials`.