diff --git a/OVERVIEW.md b/OVERVIEW.md
index 74674bd4..c349ae4e 100644
--- a/OVERVIEW.md
+++ b/OVERVIEW.md
@@ -63,12 +63,10 @@ Redis and ARDB overview
 | | | |
 | user_metadata:**user id** | token | **token** |
 | | change_passwd | **boolean** |
+| | role | **role** |
 | Set Key | Value |
 | ------ | ------ |
-| user:request_password_change | **user id** |
-| user:admin | **user id** |
-| | |
 | user_role:**role** | **user id** |
diff --git a/bin/packages/User.py b/bin/packages/User.py
index cac5c688..829e4205 100755
--- a/bin/packages/User.py
+++ b/bin/packages/User.py
@@ -42,7 +42,16 @@ class User(UserMixin):
 def get(self_class, id):
 return self_class(id)
+ def user_is_anonymous(self):
+ if self.id == "__anonymous__":
+ return True
+ else:
+ return False
+
 def check_password(self, password):
+ if self.user_is_anonymous():
+ return False
+
 password = password.encode()
 hashed_password = self.r_serv_db.hget('user:all', self.id).encode()
 if bcrypt.checkpw(password, hashed_password):
diff --git a/var/www/Flask_server.py b/var/www/Flask_server.py
index 3dbab06a..fa8ec95f 100755
--- a/var/www/Flask_server.py
+++ b/var/www/Flask_server.py
@@ -33,7 +33,7 @@ from pytaxonomies import Taxonomies
 import Flask_config
 # Import Role_Manager
-from Role_Manager import create_user_db, check_password_strength
+from Role_Manager import create_user_db, check_password_strength, check_user_role_integrity
 from Role_Manager import login_admin, login_analyst
 # CONFIG #
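Review bot: `user_is_anonymous` returns True/False through an if/else where `return self.id == "__anonymous__"` states the predicate directly, and a one-line docstring would record why it exists: `"""True for the "__anonymous__" placeholder id, which must never pass check_password."""`. Placing the guard at the top of `check_password`, before the `hget('user:all', ...)` lookup and the bcrypt comparison, is the right fail-closed order. The lookup line that follows still calls `.encode()` on the `hget` result, which (if the client returns None for a missing field, as redis-py does) raises for any id absent from `user:all` instead of returning False; that line predates this commit, but the new early return is the natural place to also cover it. `check_password`'s body continues beyond the end of the hunk.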
@@ -162,19 +162,24 @@ def login():
 if username is not None:
 user = User.get(username)
 if user and user.check_password(password):
+ if not check_user_role_integrity(user.get_id()):
+ error = 'Incorrect User ACL, Please contact your administrator'
+ return render_template("login.html", error=error)
 login_user(user) ## TODO: use remember me ?
 if user.request_password_change():
 return redirect(url_for('change_password'))
 else:
 return redirect(url_for('dashboard.index'))
 else:
- return 'incorrect password'
+ error = 'Password Incorrect'
+ return render_template("login.html", error=error)
- return 'none'
+ return 'please provide a valid username'
 else:
 #next_page = request.args.get('next')
- return render_template("login.html")
+ error = request.args.get('error')
+ return render_template("login.html" , error=error)
 @app.route('/change_password', methods=['POST', 'GET'])
 @login_required
diff --git a/var/www/modules/Role_Manager.py b/var/www/modules/Role_Manager.py
index aa524265..bb48898a 100644
--- a/var/www/modules/Role_Manager.py
+++ b/var/www/modules/Role_Manager.py
@@ -67,6 +67,14 @@ def login_analyst(func):
 ###############################################################
 ###############################################################
+def generate_new_token(user_id):
+ # create user token
+ current_token = r_serv_db.hget('user_metadata:{}'.format(user_id), 'token')
+ r_serv_db.hdel('user:tokens', current_token)
+ token = secrets.token_urlsafe(41)
+ r_serv_db.hset('user:tokens', token, user_id)
+ r_serv_db.hset('user_metadata:{}'.format(user_id), 'token', token)
+
 def get_default_admin_token():
 if r_serv_db.exists('user_metadata:admin@admin.test'):
 return r_serv_db.hget('user_metadata:admin@admin.test', 'token')
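Review bot: The GET branch now reflects whatever arrives in the `error` query parameter straight into the login page (`error = request.args.get('error')`), so a crafted link can place arbitrary text on the login form; the login.html hunk that renders `error` is cut off in this diff, so whether it is autoescaped cannot be confirmed here. Prefer a closed set of messages: pass a short code and look it up, e.g. `error = LOGIN_ERRORS.get(request.args.get('error'))` with `LOGIN_ERRORS` a module-level dict of the fixed strings (a name proposed here, not one the file has), or carry the message with Flask's `flash()` instead of the URL. Returning before `login_user(user)` when `check_user_role_integrity` is False is the correct fail-closed ordering. Minor: `render_template("login.html" , error=error)` has a stray space before the comma.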
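Review bot: `generate_new_token` deletes the previous token with `r_serv_db.hdel('user:tokens', current_token)` without checking that one exists, and the second Role_Manager hunk (`@@ -78,9 +86,7 @@`) now calls it from `create_user_db`, where a freshly created user has no `token` field and `hget` returns None; depending on the redis client version, passing None either raises a DataError or deletes a field literally named "None", so guard it with `if current_token: r_serv_db.hdel('user:tokens', current_token)`. The inline code this replaces in `create_user_db` only set the new token, so it did not have that problem. A docstring would also make the double role of the function explicit: `"""Revoke user_id's current API token (if any) and issue a fresh one in user:tokens and user_metadata."""`. Returning the new token would spare callers a second `hget`, though no caller in this diff needs it.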
@@ -78,9 +86,7 @@ def create_user_db(username_id , password, default=False, role=None, update=Fals
 password_hash = hashing_password(password)
 # create user token
- token = secrets.token_urlsafe(41)
- r_serv_db.hset('user:tokens', token, username_id)
- r_serv_db.hset('user_metadata:{}'.format(username_id), 'token', token)
+ generate_new_token(username_id)
 if update:
 r_serv_db.hdel('user_metadata:{}'.format(username_id), 'change_passwd')
@@ -150,5 +156,29 @@ def get_all_user_role(user_role):
 current_role_val = get_role_level(user_role)
 return r_serv_db.zrange('ail:all_role', current_role_val -1, -1)
+def get_all_user_upper_role(user_role):
+ current_role_val = get_role_level(user_role)
+ # remove one rank
+ if current_role_val > 1:
+ return r_serv_db.zrange('ail:all_role', 0, current_role_val -2)
+ else:
+ return []
+
 def get_user_role_by_range(inf, sup):
 return r_serv_db.zrange('ail:all_role', inf, sup)
+
+def get_user_role(user_id):
+ return r_serv_db.hget('user_metadata:{}'.format(user_id), 'role')
+
+def check_user_role_integrity(user_id):
+ user_role = get_user_role(user_id)
+ all_user_role = get_all_user_role(user_role)
+ res = True
+ for role in all_user_role:
+ if not r_serv_db.sismember('user_role:{}'.format(role), user_id):
+ res = False
+ upper_role = get_all_user_upper_role(user_role)
+ for role in upper_role:
+ if r_serv_db.sismember('user_role:{}'.format(role), user_id):
+ res = False
+ return res
diff --git a/var/www/modules/settings/Flask_settings.py b/var/www/modules/settings/Flask_settings.py
index 2080c637..b1d89554 100644
--- a/var/www/modules/settings/Flask_settings.py
+++ b/var/www/modules/settings/Flask_settings.py
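Review bot: `check_user_role_integrity` has no guard for a user whose `user_metadata:<id>` hash has no `role` field: `get_user_role` then returns None and that None flows into `get_all_user_role` and `get_role_level`, whose handling of None is not visible in this diff; since the OVERVIEW.md hunk documents `role` as a newly added field, accounts created before this change plausibly hit that path at login. Failing closed is one line after the lookup: `if user_role is None: return False`. Style: the two loops only ever lower `res`, so the check reads more directly as `all(...)` over the sets the user must belong to `and not any(...)` over the upper-rank sets, with a comment such as `# user must be in its own role set and every lower-ranked one, and in no higher-ranked one` recording the intended invariant. Whether the role names returned by `zrange` are str or bytes (which changes what `'user_role:{}'.format(role)` builds) depends on the client's decode setting, which is not shown here.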
@@ -8,7 +8,7 @@ from flask import Flask, render_template, jsonify, request, Blueprint, redirect,
 from flask_login import login_required, current_user
 from Role_Manager import login_admin, login_analyst
-from Role_Manager import create_user_db, edit_user_db, delete_user_db, check_password_strength
+from Role_Manager import create_user_db, edit_user_db, delete_user_db, check_password_strength, generate_new_token
 import json
 import secrets
@@ -44,14 +44,6 @@ def check_email(email):
 else:
 return False
-def generate_new_token(user_id):
- # create user token
- current_token = r_serv_db.hget('user_metadata:{}'.format(user_id), 'token')
- r_serv_db.hdel('user:tokens', current_token)
- token = secrets.token_urlsafe(41)
- r_serv_db.hset('user:tokens', token, user_id)
- r_serv_db.hset('user_metadata:{}'.format(user_id), 'token', token)
-
 def get_git_metadata():
 dict_git = {}
 dict_git['current_branch'] = git_status.get_current_branch()
diff --git a/var/www/templates/login.html b/var/www/templates/login.html
index b846aaa9..d7c1b60b 100644
--- a/var/www/templates/login.html
+++ b/var/www/templates/login.html
@@ -72,8 +72,13 @@ - - + + {% if error %}