diff --git a/api/src/Controllers/AuthController.cs b/api/src/Controllers/AuthController.cs
index 8afd69e..2f9fe6c 100644
--- a/api/src/Controllers/AuthController.cs
+++ b/api/src/Controllers/AuthController.cs
@@ -34,6 +34,17 @@ public class AuthController : ControllerBase {
 var result = await userManager_.CreateAsync(user, dto.Password);
 if(!result.Succeeded) return BadRequest(result.Errors);
+ // assigning roles to user
+ string role = "base";
+ if(dto.UserName == "bard") {
+ role = "Superuser";
+ } else if(dto.UserName.StartsWith("x")) {
+ role = "Admin";
+ }
+ await userManager_.AddToRoleAsync(user, role); // TODO: error check this
+ // await _userManager.RemoveFromRoleAsync(user, "Admin"); // remove role
+ // var roles = await _userManager.GetRolesAsync(user); // get list of roles for user
+ return CreatedAtAction( nameof(Register), new { id = user.Id }
diff --git a/api/src/Controllers/UsersController.cs b/api/src/Controllers/UsersController.cs
index de66f0b..5fab569 100644
--- a/api/src/Controllers/UsersController.cs
+++ b/api/src/Controllers/UsersController.cs
@@ -20,13 +20,13 @@ public class UsersController : ControllerBase {
 service_ = service;
 }
-[Authorize(Roles = "Admin, Superuser")]
+[Authorize(Policy = "RequireAdmin")]
 [HttpGet]
 public async Task>> getUsers() {
 return Ok(await service_.GetAll());
 }
-[Authorize(Roles = "Admin, Superuser")]
+[Authorize(Policy = "RequireAdmin")]
 [HttpGet("{id:int}")]
 public async Task> getUser(int id) {
@@ -37,7 +37,7 @@ public class UsersController : ControllerBase {
 return Ok(user);
 }
-[Authorize(Roles = "Superuser")]
+[Authorize(Policy = "RequireSuperuser")]
 [HttpDelete("{id}")]
 public async Task deleteUser(int id) {
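Review bot: The role is derived from the caller-supplied `dto.UserName`, so anyone who registers as `bard` (if that name is still free) is put into `Superuser` and anyone whose name starts with `x` is put into `Admin` — a self-service privilege escalation on what `nameof(Register)` suggests is the public registration action. Role elevation should never key off registration input; assign only the default role here and promote accounts through a separate endpoint that is itself authorization-protected. The `AddToRoleAsync` result is also discarded (the TODO on that line), so a failed assignment leaves a created user with no role and still returns 201; check it the same way `CreateAsync` is checked: `var roleResult = await userManager_.AddToRoleAsync(user, "base");` / `if(!roleResult.Succeeded) return BadRequest(roleResult.Errors);`. The two commented-out lines reference `_userManager`, which does not match the `userManager_` field used above them, and should be dropped rather than kept as dead code. The enclosing method begins before this hunk and the `CreatedAtAction` call continues past it.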
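Review bot: `RequireAdmin` replaces `Roles = "Admin, Superuser"` on `getUsers` and `getUser`, but the policy definition is not in this diff, so it is not visible whether Superuser accounts still satisfy it — if the policy only requires the `Admin` role, Superusers lose access to both endpoints, whereas a `RequireRole("Admin", "Superuser")` registration would preserve the old semantics; please confirm which it is and record it next to the registration. In ASP.NET Core a policy name that was never registered with `AddAuthorization` surfaces as an `InvalidOperationException` on the first request rather than a build error, so the bare string literals are fragile. I would hoist them into constants, e.g. `public static class Policies { public const string RequireAdmin = "RequireAdmin"; public const string RequireSuperuser = "RequireSuperuser"; }` and use `[Authorize(Policy = Policies.RequireAdmin)]`, with the same constants used where the policies are registered. The class and the methods shown extend beyond the hunk.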