diff --git a/lib/models/access-token.js b/lib/models/access-token.js
index f5f66d20..2171016e 100644
--- a/lib/models/access-token.js
+++ b/lib/models/access-token.js
@@ -191,11 +191,9 @@ function tokenIdForRequest(req, options) {
   var length;
   var id;
 
-  params.push('access_token');
-  headers.push('X-Access-Token');
-  headers.push('authorization');
-  cookies.push('access_token');
-  cookies.push('authorization');
+  params = params.concat(['access_token']);
+  headers = headers.concat(['X-Access-Token', 'authorization']);
+  cookies = cookies.concat(['access_token', 'authorization']);
 
   for(length = params.length; i < length; i++) {
     id = req.param(params[i]);
diff --git a/lib/models/persisted-model.js b/lib/models/persisted-model.js
index 020398d1..c87d8e4f 100644
--- a/lib/models/persisted-model.js
+++ b/lib/models/persisted-model.js
@@ -189,6 +189,26 @@ PersistedModel.destroyAll = function destroyAll(where, cb) {
   throwNotAttached(this.modelName, 'destroyAll');
 };
 
+/**
+ * Update multiple instances that match the where clause
+ *
+ * Example:
+ *
+ *```js
+ * Employee.update({managerId: 'x001'}, {managerId: 'x002'}, function(err) {
+ *     ...
+ * });
+ * ```
+ *
+ * @param {Object} [where] Search conditions (optional)
+ * @param {Object} data Changes to be made
+ * @param {Function} cb Callback, called with (err, count)
+ */
+PersistedModel.update =
+  PersistedModel.updateAll = function updateAll(where, data, cb) {
+    throwNotAttached(this.modelName, 'updateAll');
+  };
+
 /**
  * Destroy a record by id
  * @param {*} id The id value
@@ -461,6 +481,17 @@ PersistedModel.setupRemoting = function() {
     shared: false
   });
 
+  setRemoting(PersistedModel, 'updateAll', {
+    description: 'Update instances of the model matched by where from the data source',
+    accepts: [
+      {arg: 'where', type: 'object', http: {source: 'query'},
+        description: 'Criteria to match model instances'},
+      {arg: 'data', type: 'object', http: {source: 'body'},
+        description: 'An object of model property name/value pairs'},
+    ],
+    http: {verb: 'post', path: '/update'}
+  });
+
   setRemoting(PersistedModel, 'removeById', {
     description: 'Delete a model instance by id from the data source',
     accepts: {arg: 'id', type: 'any', description: 'Model id', required: true,
diff --git a/lib/models/role.js b/lib/models/role.js
index 072b7a76..5e733b15 100644
--- a/lib/models/role.js
+++ b/lib/models/role.js
@@ -7,7 +7,7 @@ var AccessContext = require('./access-context').AccessContext;
 
 // Role model
 var RoleSchema = {
-  id: {type: String, id: true}, // Id
+  id: {type: String, id: true, generated: true}, // Id
   name: {type: String, required: true}, // The name of a role
   description: String, // Description
 
@@ -20,8 +20,8 @@ var RoleSchema = {
  * Map principals to roles
  */
 var RoleMappingSchema = {
-  id: {type: String, id: true}, // Id
-  roleId: String, // The role id
+  id: {type: String, id: true, generated: true}, // Id
+  // roleId: String, // The role id, to be injected by the belongsTo relation
   principalType: String, // The principal type, such as user, application, or role
   principalId: String // The principal id
 };
diff --git a/test/role.test.js b/test/role.test.js
index 3c43bc9e..9252743e 100644
--- a/test/role.test.js
+++ b/test/role.test.js
@@ -77,6 +77,40 @@ describe('role model', function () {
 
   });
 
+
+  it("should automatically generate role id", function () {
+
+    User.create({name: 'Raymond', email: 'x@y.com', password: 'foobar'}, function (err, user) {
+      // console.log('User: ', user.id);
+      Role.create({name: 'userRole'}, function (err, role) {
+        assert(role.id);
+        role.principals.create({principalType: RoleMapping.USER, principalId: user.id}, function (err, p) {
+          assert(p.id);
+          assert.equal(p.roleId, role.id);
+          Role.find(function (err, roles) {
+            assert(!err);
+            assert.equal(roles.length, 1);
+            assert.equal(roles[0].name, 'userRole');
+          });
+          role.principals(function (err, principals) {
+            assert(!err);
+            // console.log(principals);
+            assert.equal(principals.length, 1);
+            assert.equal(principals[0].principalType, RoleMapping.USER);
+            assert.equal(principals[0].principalId, user.id);
+          });
+          role.users(function (err, users) {
+            assert(!err);
+            assert.equal(users.length, 1);
+            assert.equal(users[0].principalType, RoleMapping.USER);
+            assert.equal(users[0].principalId, user.id);
+          });
+        });
+      });
+    });
+
+  });
+
   it("should support getRoles() and isInRole()", function () {
     User.create({name: 'Raymond', email: 'x@y.com', password: 'foobar'}, function (err, user) {
       // console.log('User: ', user.id);