diff --git a/config-demo/company.json b/config-demo/company.json
index a34d61dd..18050956 100644
--- a/config-demo/company.json
+++ b/config-demo/company.json
@@ -203,13 +203,5 @@
         }
       ]
     }
-  ],
-  "departments": [
-    "Engineering",
-    "Operations",
-    "Finance",
-    "Legal",
-    "Security",
-    "Marketing"
   ]
 }
diff --git a/config-demo/modules.json b/config-demo/modules.json
index fbe88b5c..2ac1b89f 100644
--- a/config-demo/modules.json
+++ b/config-demo/modules.json
@@ -18,11 +18,6 @@
             "label": "Birthday",
             "required": false
           },
-          "department": {
-            "label": "Department",
-            "placeholder": "Select a department",
-            "required": true
-          },
           "team": {
             "label": "Team",
             "placeholder": "Team name",
diff --git a/docs/configuration.md b/docs/configuration.md
index 7d86f29b..25c830cd 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -19,11 +19,6 @@ e.g
             "label": "Birthday",
             "required": false
         },
-        "department": {
-            "label": "Department",
-            "placeholder": "Select a department",
-            "required": true,
-        },
         "team": {
             "label": "Team",
             "placeholder": "Team name",
diff --git a/scripts/client.build.ts b/scripts/client.build.ts
index c2c1356b..5f9d266f 100644
--- a/scripts/client.build.ts
+++ b/scripts/client.build.ts
@@ -57,12 +57,6 @@ function getBuildConfig(): BuildOptions {
           ])
         )
       ),
-      'process.env.DIVISIONS': JSON.stringify(
-        appConfig.config.company.divisions
-      ),
-      'process.env.DEPARTMENTS': JSON.stringify(
-        appConfig.config.company.departments
-      ),
       'process.env.LAYOUT': JSON.stringify(appConfig.config.application.layout),
       'process.env.APP_NAME': JSON.stringify(appConfig.config.application.name),
       'process.env.COMPANY_NAME': JSON.stringify(appConfig.config.company.name),
@@ -71,10 +65,13 @@ function getBuildConfig(): BuildOptions {
       'process.env.AUTH_MESSAGE_TO_SIGN': JSON.stringify(
         config.authMessageToSign
       ),
-      'process.env.ROLES': JSON.stringify(
-        appConfig.config.permissions.roles.map((x) => ({
-          ...fp.pick(['id', 'name', 'accessByDefault'])(x),
-          lowPriority: x.id === appConfig.lowPriorityRole,
+      'process.env.ROLE_GROUPS': JSON.stringify(
+        appConfig.config.permissions.roleGroups.map((x) => ({
+          ...x,
+          roles: x.roles.map((r) => ({
+            ...fp.pick(['id', 'name', 'accessByDefault'])(r),
+            lowPriority: r.id === appConfig.lowPriorityRole,
+          })),
         }))
       ),
     },
diff --git a/src/client/components/AdminHome.tsx b/src/client/components/AdminHome.tsx
index 5d0f8036..800b00e8 100644
--- a/src/client/components/AdminHome.tsx
+++ b/src/client/components/AdminHome.tsx
@@ -2,28 +2,28 @@ import * as React from 'react'
 import { useStore } from '@nanostores/react'
 import * as stores from '#client/stores'
 import config from '#client/config'
-import { prop, propEq } from '#shared/utils/fp'
+import {
+  ADMIN_ACCESS_PERMISSION_RE,
+  ADMIN_ACCESS_PERMISSION_POSTFIX,
+} from '#client/constants'
 import { Button, ComponentWrapper } from '#client/components/ui'
 import Permissions from '#shared/permissions'
-import { DefaultPermissionPostfix } from '#shared/types'
 import { PermissionsSet } from '#shared/utils'
 
 type ModuleWithAdminComponents = {
   id: string
   name: string
-  paths: string[]
+  routes: string[]
 }
 const modulesWithAdminComponents: ModuleWithAdminComponents[] =
   config.modules.reduce((acc, m) => {
     if (!m.router.admin) return acc
-    const adminRoutePaths = Object.keys(m.router.admin)
-      .map((x) => m.router.admin![x])
-      .map(prop('path'))
-    if (adminRoutePaths.length) {
+    const routes = Object.keys(m.router.admin)
+    if (routes.length) {
       const moduleInfo: ModuleWithAdminComponents = {
         id: m.id,
         name: m.name,
-        paths: adminRoutePaths,
+        routes,
       }
       return [...acc, moduleInfo]
     }
@@ -33,7 +33,7 @@ const modulesWithAdminComponents: ModuleWithAdminComponents[] =
 type Props = { children: React.ReactNode }
 
 const doesUserHaveAdminPermission = (granted: PermissionsSet) => {
-  return granted.some((x) => x.endsWith(`.${DefaultPermissionPostfix.Admin}`))
+  return granted.some((x) => ADMIN_ACCESS_PERMISSION_RE.test(x))
 }
 
 export const AdminHome: React.FC<Props> = (props) => {
@@ -50,42 +50,51 @@ export const AdminHome: React.FC<Props> = (props) => {
 const _AdminHome: React.FC<Props> = ({ children }) => {
   const permissions = useStore(stores.permissions)
   const page = useStore(stores.router)
-  const moduleVisibilityFilter = React.useCallback(
-    (m: ModuleWithAdminComponents): boolean => {
+  const officeId = useStore(stores.officeId)
+
+  const filteredModules = React.useMemo(() => {
+    return modulesWithAdminComponents.filter((m) => {
       const modulePermissions: string[] = Object.values(
         Permissions[m.id as keyof typeof Permissions] || {}
       )
-      const adminPermission = `${m.id}.${DefaultPermissionPostfix.Admin}`
+      const adminPermission = `${m.id}.${ADMIN_ACCESS_PERMISSION_POSTFIX}`
+      const adminPermissionPerOffice = `${adminPermission}:${officeId}`
       return (
-        permissions.has(adminPermission) &&
-        modulePermissions.includes(adminPermission)
+        modulePermissions.includes(adminPermission) &&
+        (permissions.has(adminPermissionPerOffice) ||
+          permissions.has(adminPermission))
       )
-    },
-    [permissions]
-  )
+    })
+  }, [permissions, officeId])
 
   return (
     <ComponentWrapper wide>
-      <div className="-mx-8 -mt-4 sm:mt-0 px-2 sm:px-8 mb-6 pb-2 sm:pb-4 border-b border-gray-200">
-        {modulesWithAdminComponents.filter(moduleVisibilityFilter).map((x) => {
-          return (
-            <Button
-              key={x.id}
-              kind={
-                page?.route && x.paths.includes(page.route)
-                  ? 'primary'
-                  : 'secondary'
-              }
-              href={`/admin/${x.id}`}
-              className="mb-2 sm:mb-4 mr-2 sm:mr-4 rounded-[24px] relative focus:ring-0"
-            >
-              {x.name}
-              {/* {!!counter && <CounterBadge count={counter} />} */}
-            </Button>
-          )
-        })}
-      </div>
-      {children}
+      {filteredModules.length ? (
+        <>
+          <div className="-mx-8 -mt-4 sm:mt-0 px-2 sm:px-8 mb-6 pb-2 sm:pb-4 border-b border-gray-200">
+            {filteredModules.map((x) => {
+              return (
+                <Button
+                  key={x.id}
+                  kind={
+                    page && x.routes.includes(page.route)
+                      ? 'primary'
+                      : 'secondary'
+                  }
+                  href={`/admin/${x.id}`}
+                  className="mb-2 sm:mb-4 mr-2 rounded-[24px] relative focus:ring-0"
+                >
+                  {x.name}
+                  {/* {!!counter && <CounterBadge count={counter} />} */}
+                </Button>
+              )
+            })}
+          </div>
+          {children}
+        </>
+      ) : (
+        <div>Please select an office that you can work with.</div>
+      )}
     </ComponentWrapper>
   )
 }
diff --git a/src/client/components/EntityAccessSelector.tsx b/src/client/components/EntityAccessSelector.tsx
index 7e0c19f5..ae48c3a1 100644
--- a/src/client/components/EntityAccessSelector.tsx
+++ b/src/client/components/EntityAccessSelector.tsx
@@ -1,8 +1,15 @@
 import { ENTITY_VISIBILITY_LABEL } from '#client/components/EntityVisibilityTag'
-import { CheckboxGroup, RadioGroup } from '#client/components/ui'
+import {
+  Button,
+  CheckboxGroup,
+  LabelWrapper,
+  Link,
+  RadioGroup,
+} from '#client/components/ui'
 import config from '#client/config'
 import { EntityVisibility } from '#shared/types'
 import { cn } from '#client/utils'
+import { USER_ROLES } from '#client/constants'
 import { prop } from '#shared/utils/fp'
 import React from 'react'
 
@@ -44,8 +51,11 @@ export const EntityAccessSelector: React.FC<Props> = ({
   visibilityTypes,
   ...props
 }) => {
+  const [showAllRoles, setShowAllRoles] = React.useState(
+    USER_ROLES.length <= 10
+  )
   const roleIds = React.useMemo(
-    () => config.roles.filter(prop('accessByDefault')).map(prop('id')),
+    () => USER_ROLES.filter(prop('accessByDefault')).map(prop('id')),
     []
   )
 
@@ -122,6 +132,22 @@ export const EntityAccessSelector: React.FC<Props> = ({
       ]
     )
 
+  const filteredRoles = React.useMemo<
+    Array<{ value: string; label: string }>
+  >(() => {
+    const availableRoles = USER_ROLES.map(prop('id'))
+    const unsupportedRoles = (props.value.allowedRoles || [])
+      .filter((x) => !availableRoles.includes(x))
+      .map((x) => ({ value: x, label: `${x} (UNSUPPORTED)` }))
+    const filteredRoles = USER_ROLES.filter(
+      (x) => showAllRoles || x.accessByDefault
+    ).map((x) => ({
+      value: x.id,
+      label: x.name,
+    }))
+    return unsupportedRoles.concat(filteredRoles)
+  }, [showAllRoles, props.value.allowedRoles])
+
   return (
     <div
       className={cn(
@@ -144,12 +170,14 @@ export const EntityAccessSelector: React.FC<Props> = ({
             name="roles"
             label="Allowed user roles"
             value={allowedRolesValue}
-            options={config.roles.map((x) => ({
-              value: x.id,
-              label: x.name,
-            }))}
+            options={filteredRoles}
             onChange={onChange('allowedRoles')}
           />
+          {!showAllRoles && (
+            <LabelWrapper label="">
+              <Link onClick={() => setShowAllRoles(true)}>Show all roles</Link>
+            </LabelWrapper>
+          )}
         </div>
       )}
       {showOfficesList && (
diff --git a/src/client/components/PermissionsValidator.tsx b/src/client/components/PermissionsValidator.tsx
index 7b39644c..a0405a89 100644
--- a/src/client/components/PermissionsValidator.tsx
+++ b/src/client/components/PermissionsValidator.tsx
@@ -4,21 +4,27 @@ import React from 'react'
 
 type Props = {
   required: string[]
+  officeId?: string
   onReject?: () => void
+  onRejectRender?: React.ReactElement
   onRejectGoHome?: boolean
   children: React.ReactNode
 }
 
 export const PermissionsValidator: React.FC<Props> = ({
   required = [],
+  officeId,
   children,
   onReject,
   onRejectGoHome = false,
+  onRejectRender = null,
 }) => {
   const permissions = useStore(stores.permissions)
-  const [isValid, setIsValid] = React.useState(permissions.hasAll(required))
+  const [isValid, setIsValid] = React.useState(
+    permissions.hasAll(required, officeId)
+  )
   React.useEffect(() => {
-    if (!permissions.hasAll(required)) {
+    if (!permissions.hasAll(required, officeId)) {
       if (onRejectGoHome) {
         setTimeout(() => stores.goTo('home'), 0)
       } else if (onReject) {
@@ -28,6 +34,12 @@ export const PermissionsValidator: React.FC<Props> = ({
     } else {
       setIsValid(true)
     }
-  }, [required])
-  return isValid ? <>{children}</> : null
+  }, [required, officeId])
+  if (isValid) {
+    return <>{children}</>
+  }
+  if (onRejectRender) {
+    return onRejectRender
+  }
+  return null
 }
diff --git a/src/client/components/ui/Filters.tsx b/src/client/components/ui/Filters.tsx
index 0b4a758c..33beaa22 100644
--- a/src/client/components/ui/Filters.tsx
+++ b/src/client/components/ui/Filters.tsx
@@ -61,6 +61,7 @@ export const Filters = <T,>(props: React.PropsWithChildren<Props<T>>) => {
           }
           return (
             <Tag
+              size="small"
               key={String(x.id || '~none~')}
               className="inline-block cursor-pointer hover:opacity-70 mr-1 mb-1"
               color={isSelected ? 'blue' : 'gray'}
diff --git a/src/client/components/ui/Input.tsx b/src/client/components/ui/Input.tsx
index 172fe011..47c606dd 100644
--- a/src/client/components/ui/Input.tsx
+++ b/src/client/components/ui/Input.tsx
@@ -32,7 +32,7 @@ type Props = Omit<React.InputHTMLAttributes<HTMLInputElement>, 'onChange'> & {
 const labeledTypes = ['checkbox', 'radio']
 type LabelProps = {
   name?: string | undefined
-  label: string | undefined
+  label: string | React.ReactNode | undefined
   required?: boolean | undefined
   type?: string | undefined
   extraLabel?: string | null
diff --git a/src/client/components/ui/UserLabel.tsx b/src/client/components/ui/UserLabel.tsx
index 45c12a6d..7998d892 100644
--- a/src/client/components/ui/UserLabel.tsx
+++ b/src/client/components/ui/UserLabel.tsx
@@ -8,9 +8,8 @@ import { USER_ROLE_BY_ID } from '#client/constants'
 
 type Props = {
   user: User | UserCompact
-  hideRole?: boolean
 }
-export const UserLabel: React.FC<Props> = ({ user, hideRole = false }) => {
+export const UserLabel: React.FC<Props> = ({ user }) => {
   return user ? (
     <span className="inline-flex items-center w-max">
       <Avatar
@@ -23,30 +22,35 @@ export const UserLabel: React.FC<Props> = ({ user, hideRole = false }) => {
         href={`/profile/${user.id}`}
         target="_blank"
         className={cn(!user.isInitialised && 'opacity-50')}
-        title={!user.isInitialised ? 'The user has not been onboarded yet' : undefined}
+        title={
+          !user.isInitialised
+            ? 'The user has not been onboarded yet'
+            : undefined
+        }
         kind="secondary"
       >
         {user.fullName}
       </Link>
-      {!hideRole && (
-        <UserRoleLabel
-          role={user.role}
-          className="ml-2"
-        />
-      )}
     </span>
   ) : null
 }
 
 type UserRoleLabelType = {
-  role: User['role']
+  role: string
   className?: string
 }
-export const UserRoleLabel: React.FC<UserRoleLabelType> = ({ role, ...props }) => {
+export const UserRoleLabel: React.FC<UserRoleLabelType> = ({
+  role,
+  ...props
+}) => {
   const roleRecord = USER_ROLE_BY_ID[role]
-  // TODO: use roleRecord.color ?
   return (
-    <Tag className={cn(props.className)} color="gray" size="small">
+    <Tag
+      className={cn(props.className)}
+      size="small"
+      color={roleRecord ? 'gray' : 'red'}
+      title={roleRecord ? '' : 'Unsupported role'}
+    >
       {roleRecord?.name || role}
     </Tag>
   )
diff --git a/src/client/config.ts b/src/client/config.ts
index bf465443..3b3f3abe 100644
--- a/src/client/config.ts
+++ b/src/client/config.ts
@@ -2,7 +2,8 @@ import {
   Layout,
   ModuleClientRouter,
   Office,
-  AppRole,
+  UserRole,
+  UserRoleGroup,
   AppModule,
 } from '#shared/types'
 
@@ -26,21 +27,26 @@ export type ClientOfficeConfig = Pick<
   | 'allowRoomReservation'
 >
 
-type ClientUserRole = Pick<AppRole, 'id' | 'name' | 'accessByDefault'> & {
+export type ClientUserRole = Pick<
+  UserRole,
+  'id' | 'name' | 'accessByDefault'
+> & {
   lowPriority: boolean
 }
 
+export type ClientUserRoleGroup = UserRoleGroup & {
+  roles: ClientUserRole[]
+}
+
 type ClientAppConfig = {
   modules: ClientModuleConfig[]
   offices: ClientOfficeConfig[]
-  departments: string[]
-  divisions: string[]
   appName: string
   companyName: string
   appHost: string
   mapBoxApiKey: string
   layout: Layout
-  roles: ClientUserRole[]
+  roleGroups: ClientUserRoleGroup[]
   auth: ClientAuthConfig
   authMessageToSign: string
 }
@@ -50,14 +56,12 @@ type ClientAuthConfig = { providers: string[] }
 const config: ClientAppConfig = {
   modules: process.env.APP_MODULES as unknown as ClientModuleConfig[],
   offices: process.env.APP_OFFICES as unknown as ClientOfficeConfig[],
-  departments: process.env.DEPARTMENTS as unknown as string[],
-  divisions: process.env.DIVISIONS as unknown as string[],
   appName: process.env.APP_NAME as unknown as string,
   companyName: process.env.COMPANY_NAME as unknown as string,
   appHost: process.env.APP_HOST as unknown as string,
   mapBoxApiKey: process.env.MAPBOX_API_KEY as unknown as string,
   layout: process.env.LAYOUT as unknown as Layout,
-  roles: process.env.ROLES as unknown as ClientUserRole[],
+  roleGroups: process.env.ROLE_GROUPS as unknown as ClientUserRoleGroup[],
   auth: process.env.AUTH as unknown as ClientAuthConfig,
   authMessageToSign: process.env.AUTH_MESSAGE_TO_SIGN as unknown as string,
 }
diff --git a/src/client/constants.ts b/src/client/constants.ts
index 113211c2..6138cfa0 100644
--- a/src/client/constants.ts
+++ b/src/client/constants.ts
@@ -1,5 +1,6 @@
 import config from '#client/config'
 
+// TODO: implement shared constants and move it there
 export const DATE_FORMAT = 'YYYY-MM-DD'
 
 export const DATE_FORMAT_DAY_NAME = 'ddd, MMMM D'
@@ -8,12 +9,22 @@ export const DATE_FORMAT_DAY_NAME_FULL = 'dddd, MMMM D'
 
 export const FRIENDLY_DATE_FORMAT = 'MMMM D YYYY'
 
-export const USER_ROLE_BY_ID = config.roles.reduce(
+export const USER_ROLES = config.roleGroups.map((x) => x.roles).flat()
+
+export const USER_ROLE_BY_ID = USER_ROLES.reduce(
   (acc, x) => ({ ...acc, [x.id]: x }),
-  {} as Record<string, (typeof config.roles)[0]>
+  {} as Record<string, (typeof USER_ROLES)[0]>
 )
 
 export const OFFICE_BY_ID = config.offices.reduce(
   (acc, x) => ({ ...acc, [x.id]: x }),
   {} as Record<string, (typeof config.offices)[0]>
 )
+
+// TODO: implement shared constants and move it there
+export const ADMIN_ACCESS_PERMISSION_POSTFIX = '__admin'
+
+// TODO: implement shared constants and move it there
+export const ADMIN_ACCESS_PERMISSION_RE = new RegExp(
+  `^.*\.${ADMIN_ACCESS_PERMISSION_POSTFIX}`
+)
diff --git a/src/client/utils/index.ts b/src/client/utils/index.ts
index 81672075..65709b89 100644
--- a/src/client/utils/index.ts
+++ b/src/client/utils/index.ts
@@ -4,7 +4,6 @@ import dayjs, { Dayjs } from 'dayjs'
 export const cn = (
   ...chunks: Array<string | boolean | null | undefined>
 ): string => {
-  // return chunks.map((x) => (typeof x === 'string' ? x : '')).join(' ')
   return twMerge(...chunks.map((x) => (typeof x === 'string' ? x : '')))
 }
 
@@ -12,9 +11,10 @@ export const toggleInArray = <T>(
   arr: T[],
   item: T,
   keepOne: boolean = false,
-  maxNumber?: number
+  maxNumber?: number,
+  autoDeselect?: boolean
 ): T[] => {
-  if (arr.indexOf(item) > -1) {
+  if (arr.includes(item)) {
     if (keepOne && arr.length === 1) {
       return arr
     }
@@ -22,6 +22,9 @@ export const toggleInArray = <T>(
   } else {
     if (maxNumber) {
       if (arr.length >= maxNumber) {
+        if (autoDeselect) {
+          return arr.slice(1).concat(item)
+        }
         return arr
       }
     }
@@ -56,11 +59,13 @@ export const generateId = (length: number = 16, prefix?: string): string => {
 //   window.location.href = url.toString()
 // }
 
-export const trimString = (str: string, length: number = 32, postfix: string = '...'): string => {
+export const trimString = (
+  str: string,
+  length: number = 32,
+  postfix: string = '...'
+): string => {
   if (!str) return ''
-  return str.length < length
-    ? str
-    : str.slice(0, length) + postfix
+  return str.length < length ? str : str.slice(0, length) + postfix
 }
 
 export const formatDateRange = (
diff --git a/src/integrations/email-smtp/index.ts b/src/integrations/email-smtp/index.ts
index 231b22d4..509aade8 100644
--- a/src/integrations/email-smtp/index.ts
+++ b/src/integrations/email-smtp/index.ts
@@ -70,11 +70,7 @@ class EmailSMTP extends Integration {
     })
   }
 
-  public async sendEmail({
-    to,
-    html,
-    subject,
-  }: Email): Promise<SafeResponse<void>> {
+  public async sendEmail({ to, html, subject }: Email): Promise<SafeResponse> {
     if (config.debug) {
       console.log(
         `Sending email skipped (debug mode).\nemail: ${to}\nsubject: ${subject}\nhtml: ${html}\n`
diff --git a/src/integrations/integration.ts b/src/integrations/integration.ts
index 889499de..f35f741b 100644
--- a/src/integrations/integration.ts
+++ b/src/integrations/integration.ts
@@ -20,10 +20,10 @@ export class Integration {
     return { success: false, error: error as Error }
   }
 
-  success<T = void>(data?: T): SafeResponse<T> {
+  success<T>(data?: T): SafeResponse<T> {
     if (data !== undefined) {
       return { success: true, data: data } as SafeResponse<T>
     }
-    return { success: true }
+    return { success: true } as SafeResponse<T>
   }
 }
diff --git a/src/integrations/matrix/index.ts b/src/integrations/matrix/index.ts
index 5001f289..57fa18d1 100644
--- a/src/integrations/matrix/index.ts
+++ b/src/integrations/matrix/index.ts
@@ -1,6 +1,6 @@
 import axios from 'axios'
 import config from '#server/config'
-import { escapeRegExpSensitiveCharacters } from '#server/utils'
+import { escapeRegExpSensitiveCharacters } from '#shared/utils/fp'
 import { User } from '#modules/users/server/models/user'
 import { SafeResponse } from '#server/types'
 import { Integration } from '../integration'
@@ -143,7 +143,7 @@ class Matrix extends Integration {
   public async inviteUserInRoom(
     roomId: MatrixRoomId,
     username: MatrixUsername
-  ): Promise<SafeResponse<void>> {
+  ): Promise<SafeResponse> {
     const usernameFormatted = this.sanitizeUsername(username)
     if (config.debug) {
       console.log(
@@ -175,10 +175,7 @@ class Matrix extends Integration {
     process.nextTick(() => this.inviteUserInRoom(roomId, username))
   }
 
-  async sendMessageToUser(
-    user: User,
-    message: string
-  ): Promise<SafeResponse<void>> {
+  async sendMessageToUser(user: User, message: string): Promise<SafeResponse> {
     try {
       const roomId = await this.ensureUserRoom(user)
       if (roomId) {
@@ -194,9 +191,7 @@ class Matrix extends Integration {
     process.nextTick(() => this.sendMessageToUser(user, message))
   }
 
-  public async sendMessageInAdminRoom(
-    message: string
-  ): Promise<SafeResponse<void>> {
+  public async sendMessageInAdminRoom(message: string): Promise<SafeResponse> {
     try {
       await this.sendMessageInRoom(this.credentials.adminRoomId, message)
       return this.success()
diff --git a/src/modules/announcements/client/components/AdminAnnouncements.tsx b/src/modules/announcements/client/components/AdminAnnouncements.tsx
index 4c56c7a9..bfd1ffdc 100644
--- a/src/modules/announcements/client/components/AdminAnnouncements.tsx
+++ b/src/modules/announcements/client/components/AdminAnnouncements.tsx
@@ -50,7 +50,7 @@ export const _AdminAnnouncements: React.FC<{}> = () => {
         Header: 'Creator',
         accessor: (one: any) => {
           const user = usersById[one.creatorUserId]
-          return <UserLabel user={user} hideRole />
+          return <UserLabel user={user} />
         },
       },
       {
diff --git a/src/modules/announcements/server/router.ts b/src/modules/announcements/server/router.ts
index 35047f8b..9a8b9c40 100644
--- a/src/modules/announcements/server/router.ts
+++ b/src/modules/announcements/server/router.ts
@@ -27,7 +27,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
       order: [['scheduledAt', 'ASC']],
       where: {
         visibility: EntityVisibility.Visible,
-        allowedRoles: { [Op.contains]: [req.user.role] },
+        allowedRoles: { [Op.overlap]: req.user.roles },
         offices: { [Op.contains]: [req.office.id] },
         scheduledAt: { [Op.lte]: today.toDate() },
         expiresAt: { [Op.gt]: today.toDate() },
diff --git a/src/modules/events/client/components/AdminEvents.tsx b/src/modules/events/client/components/AdminEvents.tsx
index 419286ad..2b8a5880 100644
--- a/src/modules/events/client/components/AdminEvents.tsx
+++ b/src/modules/events/client/components/AdminEvents.tsx
@@ -13,6 +13,7 @@ import {
   Tag,
   UserLabel,
   Filters,
+  UserRoleLabel,
 } from '#client/components/ui'
 import config from '#client/config'
 import { OFFICE_BY_ID, USER_ROLE_BY_ID } from '#client/constants'
@@ -141,7 +142,7 @@ export const AdminEvents = () => {
           Header: 'Creator',
           accessor: (event: EventAdminResponse) => {
             const user = usersById[event.creatorUserId]
-            return <UserLabel user={user} hideRole />
+            return <UserLabel user={user} />
           },
         },
         {
@@ -167,9 +168,7 @@ export const AdminEvents = () => {
           accessor: (event: EventAdminResponse) => (
             <span className="inline-block -mr-1">
               {event.allowedRoles.map((x) => (
-                <Tag key={x} color="gray" size="small" className="mr-1">
-                  {USER_ROLE_BY_ID[x]?.name || x}
-                </Tag>
+                <UserRoleLabel role={x} />
               ))}
             </span>
           ),
diff --git a/src/modules/events/server/jobs/pull-global-events.ts b/src/modules/events/server/jobs/pull-global-events.ts
index 4c40ea1c..f87fdb05 100644
--- a/src/modules/events/server/jobs/pull-global-events.ts
+++ b/src/modules/events/server/jobs/pull-global-events.ts
@@ -1,6 +1,7 @@
 import { UniqueConstraintError } from 'sequelize'
 import { CronJob, CronJobContext } from '#server/types'
 import { EntityVisibility } from '#shared/types'
+import * as fp from '#shared/utils/fp'
 import {
   getGlobalEventDefaultChecklist,
   getGlobalEventDefaultContent,
@@ -96,9 +97,11 @@ export const cronJob: CronJob = {
             ? EntityVisibility.None
             : EntityVisibility.Visible
 
-          const allowedRoles = ctx.appConfig.config.permissions.roles
+          const allowedRoles = ctx.appConfig.config.permissions.roleGroups
+            .map(fp.prop('roles'))
+            .flat()
             .filter((x) => (isInternal ? x.accessByDefault : true))
-            .map((x) => x.id)
+            .map(fp.prop('id'))
 
           try {
             await ctx.models.Event.create({
diff --git a/src/modules/events/server/router.ts b/src/modules/events/server/router.ts
index 5937a350..450fe872 100644
--- a/src/modules/events/server/router.ts
+++ b/src/modules/events/server/router.ts
@@ -12,6 +12,7 @@ import {
   PublicForm,
 } from '#modules/forms/types'
 import { EntityVisibility } from '#shared/types'
+import * as fp from '#shared/utils/fp'
 import { Permissions } from '../permissions'
 import {
   Event,
@@ -58,8 +59,10 @@ const publicRouter: FastifyPluginCallback = async function (fastify, opts) {
         if (event.visibility === EntityVisibility.None) {
           return reply.throw.notFound()
         }
-        const userRole = req.user ? req.user.role : appConfig.lowPriorityRole
-        if (!event.allowedRoles.includes(userRole)) {
+        const userRoles = req.user
+          ? req.user.roles
+          : [appConfig.lowPriorityRole]
+        if (!fp.hasIntersection(event.allowedRoles, userRoles)) {
           return reply.throw.notFound()
         }
       }
@@ -100,7 +103,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
         if (event.visibility === EntityVisibility.None) {
           return reply.throw.notFound()
         }
-        if (!event.allowedRoles.includes(req.user.role)) {
+        if (!fp.hasIntersection(event.allowedRoles, req.user.roles)) {
           return reply.throw.notFound()
         }
       }
@@ -169,7 +172,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
           return reply.throw.notFound()
         }
         // Inherit access policy from the parent event
-        if (!event.allowedRoles.includes(req.user.role)) {
+        if (!fp.hasIntersection(event.allowedRoles, req.user.roles)) {
           return reply.throw.notFound()
         }
       }
@@ -235,7 +238,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
           return reply.throw.notFound()
         }
         // Inherit access policy from the parent event
-        if (!event.allowedRoles.includes(req.user.role)) {
+        if (!fp.hasIntersection(event.allowedRoles, req.user.roles)) {
           return reply.throw.notFound()
         }
       }
@@ -444,7 +447,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
           [Op.gte]: new Date(),
         },
         visibility: EntityVisibility.Visible,
-        allowedRoles: { [Op.contains]: [req.user.role] },
+        allowedRoles: { [Op.overlap]: req.user.roles },
         offices: { [Op.contains]: [req.office.id] },
       },
       order: ['startDate'],
@@ -574,7 +577,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
         if (event.visibility === EntityVisibility.None) {
           return reply.throw.accessDenied()
         }
-        if (!event.allowedRoles.includes(req.user.role)) {
+        if (!fp.hasIntersection(event.allowedRoles, req.user.roles)) {
           return reply.throw.accessDenied()
         }
       }
@@ -761,7 +764,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
               },
               'metadata.global': true,
               visibility: EntityVisibility.Visible,
-              allowedRoles: { [Op.contains]: [req.user.role] },
+              allowedRoles: { [Op.overlap]: req.user.roles },
             },
           ],
         },
@@ -789,7 +792,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
         },
       }
       if (!req.can(Permissions.AdminManage)) {
-        where.allowedRoles = { [Op.contains]: [req.user.role] }
+        where.allowedRoles = { [Op.overlap]: req.user.roles }
       }
       const event = await fastify.db.Event.findOne({ where })
       if (!event) {
@@ -1162,7 +1165,7 @@ const adminRouter: FastifyPluginCallback = async function (fastify, opts) {
       Permissions.AdminReceiveNotifications
     )
     return fastify.db.User.findAllActive({
-      where: { role: { [Op.in]: roles } },
+      where: { roles: { [Op.overlap]: roles } },
     })
   })
 }
diff --git a/src/modules/forms/client/components/AdminForms.tsx b/src/modules/forms/client/components/AdminForms.tsx
index 421e7304..c8e2e1ab 100644
--- a/src/modules/forms/client/components/AdminForms.tsx
+++ b/src/modules/forms/client/components/AdminForms.tsx
@@ -13,6 +13,7 @@ import {
   UserLabel,
   Filters,
   LabelWrapper,
+  UserRoleLabel,
 } from '#client/components/ui'
 import { showNotification } from '#client/components/ui/Notifications'
 import { USER_ROLE_BY_ID } from '#client/constants'
@@ -138,7 +139,7 @@ export const AdminForms = () => {
           Header: 'Creator',
           accessor: (form: FormAdminResponse) => {
             const user = usersById[form.creatorUserId]
-            return <UserLabel user={user} hideRole />
+            return <UserLabel user={user} />
           },
         },
         {
@@ -152,9 +153,7 @@ export const AdminForms = () => {
           accessor: (form: FormAdminResponse) => (
             <span className="inline-block -mr-1">
               {form.allowedRoles.map((x) => (
-                <Tag key={x} color="gray" size="small" className="mr-1">
-                  {USER_ROLE_BY_ID[x]?.name || x}
-                </Tag>
+                <UserRoleLabel role={x} />
               ))}
             </span>
           ),
diff --git a/src/modules/forms/server/router.ts b/src/modules/forms/server/router.ts
index ab99e864..ae4a0df1 100644
--- a/src/modules/forms/server/router.ts
+++ b/src/modules/forms/server/router.ts
@@ -10,6 +10,7 @@ import { Op, Filterable } from 'sequelize'
 import { appConfig } from '#server/app-config'
 import { getJSONdiff } from '#server/utils'
 import { EntityVisibility } from '#shared/types'
+import * as fp from '#shared/utils/fp'
 import { User } from '#modules/users/types'
 import { useRateLimit } from '#server/utils/rate-limit'
 import { Permissions } from '../permissions'
@@ -47,7 +48,7 @@ const publicRouter: FastifyPluginCallback = async (fastify, opts) => {
           return reply.throw.notFound()
         }
         if (form.visibility !== EntityVisibility.UrlPublic) {
-          if (!form.allowedRoles.includes(req.user.role)) {
+          if (!fp.hasIntersection(form.allowedRoles, req.user.roles)) {
             return reply.throw.notFound()
           }
         }
@@ -97,7 +98,7 @@ const publicRouter: FastifyPluginCallback = async (fastify, opts) => {
         return reply.throw.gone()
       }
       if (form.visibility !== EntityVisibility.UrlPublic) {
-        if (!form.allowedRoles.includes(req.user.role)) {
+        if (!fp.hasIntersection(form.allowedRoles, req.user.roles)) {
           return reply.throw.notFound()
         }
       }
@@ -383,7 +384,7 @@ const adminRouter: FastifyPluginCallback = async (fastify, opts) => {
       Permissions.AdminReceiveNotifications
     )
     return fastify.db.User.findAllActive({
-      where: { role: { [Op.in]: roles } },
+      where: { roles: { [Op.overlap]: roles } },
     })
   })
 
diff --git a/src/modules/guest-invites/client/components/AdminGuestInvite.tsx b/src/modules/guest-invites/client/components/AdminGuestInvite.tsx
index f5941714..2b4329c3 100644
--- a/src/modules/guest-invites/client/components/AdminGuestInvite.tsx
+++ b/src/modules/guest-invites/client/components/AdminGuestInvite.tsx
@@ -3,7 +3,7 @@ import dayjs from 'dayjs'
 import { useStore } from '@nanostores/react'
 import config from '#client/config'
 import * as stores from '#client/stores'
-import { useUserAdmin } from '#modules/users/client/queries'
+import { useUserCompact } from '#modules/users/client/queries'
 import {
   useVisitsAreas,
   useAvailableDesks,
@@ -30,7 +30,7 @@ export const AdminGuestInvite: React.FC = () => {
   const inviteId =
     page?.route === 'adminGuestInvite' ? page.params.inviteId : null
   const { data: invite } = useGuestInviteAdmin(inviteId)
-  const { data: user } = useUserAdmin(invite?.creatorUserId || '', {
+  const { data: user } = useUserCompact(invite?.creatorUserId || '', {
     enabled: !!invite?.creatorUserId,
   })
   const office = React.useMemo(() => {
@@ -47,10 +47,10 @@ export const AdminGuestInvite: React.FC = () => {
     }
   }, [areas])
   const area = React.useMemo(() => areas.find((x) => areaId === x.id), [areaId])
-  const onAreaChange = React.useCallback(
-    (areaId: string) => setAreaId(areaId),
-    []
-  )
+  const onAreaChange = React.useCallback((areaId: string) => {
+    setSelectedDeskId(null)
+    setAreaId(areaId)
+  }, [])
 
   const { data: availableDesks = [] } = useAvailableDesks(
     office?.id || '',
@@ -111,7 +111,7 @@ export const AdminGuestInvite: React.FC = () => {
                   <div className="flex flex-col gap-4">
                     {invite.dates.map((x, i) => (
                       <span key={x}>
-                        <Tag color="gray">
+                        <Tag color="gray" className="nowrap" size="small">
                           {dayjs(x, DATE_FORMAT).format('D MMMM, YYYY')}
                         </Tag>
                         {i !== invite.dates.length - 1 && ', '}
@@ -141,6 +141,7 @@ export const AdminGuestInvite: React.FC = () => {
                   inputs={[
                     areas.length > 1 && (
                       <Select
+                        className="w-full"
                         label="Area"
                         options={areas.map((x) => ({
                           label: x.name,
diff --git a/src/modules/guest-invites/client/components/AdminGuestInvites.tsx b/src/modules/guest-invites/client/components/AdminGuestInvites.tsx
index d04660c1..87edef57 100644
--- a/src/modules/guest-invites/client/components/AdminGuestInvites.tsx
+++ b/src/modules/guest-invites/client/components/AdminGuestInvites.tsx
@@ -21,17 +21,21 @@ import { useUsersCompact } from '#modules/users/client/queries'
 import { useGuestInvitesAdmin, useUpdateGuestInvite } from '../queries'
 import { GuestInviteStatusTag } from './GuestInviteStatusTag'
 
-export const AdminGuestInvites = () => (
-  <PermissionsValidator
-    required={[
-      Permissions['guest-invites'].__Admin,
-      Permissions['guest-invites'].AdminList,
-    ]}
-    onRejectGoHome
-  >
-    <_AdminGuestInvites />
-  </PermissionsValidator>
-)
+export const AdminGuestInvites = () => {
+  const officeId = useStore(stores.officeId)
+  return (
+    <PermissionsValidator
+      officeId={officeId}
+      required={[
+        Permissions['guest-invites'].__Admin,
+        Permissions['guest-invites'].AdminList,
+      ]}
+      onRejectGoHome
+    >
+      <_AdminGuestInvites />
+    </PermissionsValidator>
+  )
+}
 
 export const _AdminGuestInvites: React.FC = () => {
   useDocumentTitle('Guest Invites')
diff --git a/src/modules/guest-invites/client/components/GuestInviteDetail.tsx b/src/modules/guest-invites/client/components/GuestInviteDetail.tsx
index 1ba9e73e..c75c4b51 100644
--- a/src/modules/guest-invites/client/components/GuestInviteDetail.tsx
+++ b/src/modules/guest-invites/client/components/GuestInviteDetail.tsx
@@ -21,7 +21,7 @@ import { GuestInviteStatus } from '#shared/types'
 import { DATE_FORMAT_DAY_NAME_FULL } from '#client/constants'
 import { useVisitsAreas } from '#modules/visits/client/queries'
 import { OfficeFloorMap } from '#client/components/OfficeFloorMap'
-import { useUserAdmin } from '#modules/users/client/queries'
+import { useUserCompact } from '#modules/users/client/queries'
 
 export const GuestInviteDetail = () => (
   <PermissionsValidator
@@ -63,7 +63,7 @@ export const _GuestInviteDetail = () => {
     () => guestInivite?.creatorUserId === me?.id,
     [guestInivite, me]
   )
-  const { data: user = null } = useUserAdmin(
+  const { data: user = null } = useUserCompact(
     guestInivite?.creatorUserId || '',
     {
       enabled: !!guestInivite && guestInivite.creatorUserId !== me?.id,
diff --git a/src/modules/guest-invites/client/components/GuestInviteRequestForm.tsx b/src/modules/guest-invites/client/components/GuestInviteRequestForm.tsx
index d1714cce..ead043b0 100644
--- a/src/modules/guest-invites/client/components/GuestInviteRequestForm.tsx
+++ b/src/modules/guest-invites/client/components/GuestInviteRequestForm.tsx
@@ -16,14 +16,18 @@ import { useDocumentTitle } from '#client/utils/hooks'
 import Permissions from '#shared/permissions'
 import { useCreateGuestInvite } from '../queries'
 
-export const GuestInviteRequestForm = () => (
-  <PermissionsValidator
-    required={[Permissions['guest-invites'].Create]}
-    onRejectGoHome
-  >
-    <_GuestInviteRequestForm />
-  </PermissionsValidator>
-)
+export const GuestInviteRequestForm = () => {
+  const officeId = useStore(stores.officeId)
+  return (
+    <PermissionsValidator
+      officeId={officeId}
+      required={[Permissions['guest-invites'].Create]}
+      onRejectGoHome
+    >
+      <_GuestInviteRequestForm />
+    </PermissionsValidator>
+  )
+}
 
 export const _GuestInviteRequestForm: React.FC = () => {
   useDocumentTitle('Guest invite')
diff --git a/src/modules/guest-invites/server/router.ts b/src/modules/guest-invites/server/router.ts
index 165ee32f..8820935c 100644
--- a/src/modules/guest-invites/server/router.ts
+++ b/src/modules/guest-invites/server/router.ts
@@ -134,17 +134,15 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
       if (!req.params.inviteId) {
         return reply.throw.badParams('Missing invitation id')
       }
-      const where: Filterable<GuestInvite>['where'] = {
-        id: req.params.inviteId,
-      }
-      if (!req.can(Permissions.AdminList)) {
-        where.creatorUserId = req.user.id
-      }
-      const invite = await fastify.db.GuestInvite.findOne({ where })
+      const invite = await fastify.db.GuestInvite.findByPk(req.params.inviteId)
       if (!invite) {
         return reply.throw.notFound()
       }
-
+      if (invite.creatorUserId !== req.user.id) {
+        req.check(Permissions.AdminList, invite.office)
+      } else {
+        req.check(Permissions.Create, invite.office)
+      }
       return invite
     }
   )
@@ -152,11 +150,10 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
   fastify.post(
     '/invite',
     async (req: FastifyRequest<{ Body: GuestInviteRequest }>, reply) => {
-      req.check(Permissions.Create)
-
       if (!req.office) {
         return reply.throw.badParams('Invalid office ID')
       }
+      req.check(Permissions.Create, req.office.id)
 
       const email = req.body.email.trim().toLowerCase()
 
@@ -230,7 +227,6 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
       }>,
       reply
     ) => {
-      req.check(Permissions.Create)
       const status = req.body.status
       const invite = await fastify.db.GuestInvite.findOne({
         where: {
@@ -241,6 +237,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
       if (!invite) {
         return reply.throw.notFound()
       }
+      req.check(Permissions.Create, invite.office)
 
       if (
         invite.status !== 'confirmed' &&
@@ -318,10 +315,10 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
 
 const adminRouter: FastifyPluginCallback = async function (fastify, opts) {
   fastify.get('/invite', async (req, reply) => {
-    req.check(Permissions.AdminList)
     if (!req.office) {
       return reply.throw.badParams('Invalid office ID')
     }
+    req.check(Permissions.AdminList, req.office.id)
     const invites = await fastify.db.GuestInvite.findAll({
       where: { office: req.office.id },
       order: [['createdAt', 'DESC']],
@@ -332,11 +329,14 @@ const adminRouter: FastifyPluginCallback = async function (fastify, opts) {
   fastify.get(
     '/invite/:inviteId',
     async (req: FastifyRequest<{ Params: { inviteId: string } }>, reply) => {
-      req.check(Permissions.AdminList)
       if (!req.params.inviteId) {
         return reply.throw.badParams('Missing invite ID')
       }
       const invite = await fastify.db.GuestInvite.findByPk(req.params.inviteId)
+      if (!invite) {
+        return reply.throw.notFound()
+      }
+      req.check(Permissions.AdminList, invite.office)
       return invite
     }
   )
@@ -350,11 +350,11 @@ const adminRouter: FastifyPluginCallback = async function (fastify, opts) {
       }>,
       reply
     ) => {
-      req.check(Permissions.AdminManage)
       const invite = await fastify.db.GuestInvite.findByPk(req.params.inviteId)
       if (!invite) {
         return reply.throw.notFound()
       }
+      req.check(Permissions.AdminManage, invite.office)
       const { status, areaId, deskId } = req.body
 
       if (invite.code === 'manual') {
@@ -429,7 +429,7 @@ const adminRouter: FastifyPluginCallback = async function (fastify, opts) {
                 {
                   email: invite.email,
                   fullName: invite.fullName,
-                  role: appConfig.getDefaultUserRoleByEmail(invite.email),
+                  roles: [appConfig.getDefaultUserRoleByEmail(invite.email)],
                 },
                 { transaction: t }
               )
diff --git a/src/modules/news/client/components/AdminNews.tsx b/src/modules/news/client/components/AdminNews.tsx
index f04f9baa..2e7ef15b 100644
--- a/src/modules/news/client/components/AdminNews.tsx
+++ b/src/modules/news/client/components/AdminNews.tsx
@@ -63,7 +63,7 @@ export const _AdminNews = () => {
         Header: 'Creator',
         accessor: (one: any) => {
           const user = usersById[one.creatorUserId]
-          return <UserLabel user={user} hideRole />
+          return <UserLabel user={user} />
         },
       },
       {
diff --git a/src/modules/news/server/router.ts b/src/modules/news/server/router.ts
index 15ddbd18..f25500ba 100644
--- a/src/modules/news/server/router.ts
+++ b/src/modules/news/server/router.ts
@@ -16,7 +16,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
       order: [['publishedAt', 'DESC']],
       where: {
         visibility: EntityVisibility.Visible,
-        allowedRoles: { [Op.contains]: [req.user.role] },
+        allowedRoles: { [Op.overlap]: req.user.roles },
         offices: { [Op.contains]: [req.office.id] },
         published: true,
       },
@@ -39,7 +39,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
         where.visibility = {
           [Op.in]: [EntityVisibility.Visible, EntityVisibility.Url],
         }
-        where.allowedRoles = { [Op.contains]: [req.user.role] }
+        where.allowedRoles = { [Op.overlap]: req.user.roles }
         where.published = true
       }
       const newsArticle = await fastify.db.News.findOne({ where })
diff --git a/src/modules/office-visits/client/components/Actions.tsx b/src/modules/office-visits/client/components/Actions.tsx
index 14693374..47f42a36 100644
--- a/src/modules/office-visits/client/components/Actions.tsx
+++ b/src/modules/office-visits/client/components/Actions.tsx
@@ -20,7 +20,7 @@ export const Actions = () => {
     () => config.offices.find(fp.propEq('id', officeId)),
     [officeId]
   )
-  if (!permissions.hasAnyOf(requiredPermissions)) {
+  if (!permissions.hasAnyOf(requiredPermissions, officeId)) {
     return null
   }
   if (
@@ -35,7 +35,10 @@ export const Actions = () => {
     <WidgetWrapper>
       <div className="flex justify-around items-start -mx-4 -my-4">
         {office.allowDeskReservation && (
-          <PermissionsValidator required={[Permissions.visits.Create]}>
+          <PermissionsValidator
+            officeId={officeId}
+            required={[Permissions.visits.Create]}
+          >
             <CTA
               type={CTAType.Visit}
               onClick={() => stores.goTo('visitRequest')}
@@ -44,6 +47,7 @@ export const Actions = () => {
         )}
         {office.allowRoomReservation && (
           <PermissionsValidator
+            officeId={officeId}
             required={[Permissions['room-reservation'].Create]}
           >
             <CTA
@@ -54,6 +58,7 @@ export const Actions = () => {
         )}
         {office.allowGuestInvitation && (
           <PermissionsValidator
+            officeId={officeId}
             required={[Permissions['guest-invites'].Create]}
           >
             <CTA
diff --git a/src/modules/office-visits/client/components/VisitsStats.tsx b/src/modules/office-visits/client/components/VisitsStats.tsx
index 6a244adc..da6b914d 100644
--- a/src/modules/office-visits/client/components/VisitsStats.tsx
+++ b/src/modules/office-visits/client/components/VisitsStats.tsx
@@ -10,11 +10,17 @@ import { VisitsDailyStats } from '#shared/types'
 import { cn, toggleInArray } from '#client/utils'
 import { useVisitsStatsAdmin } from '../queries'
 
-export const VisitsStats = () => (
-  <PermissionsValidator required={[Permissions['office-visits'].AdminList]}>
-    <_VisitsStats />
-  </PermissionsValidator>
-)
+export const VisitsStats = () => {
+  const officeId = useStore(stores.officeId)
+  return (
+    <PermissionsValidator
+      officeId={officeId}
+      required={[Permissions['office-visits'].AdminList]}
+    >
+      <_VisitsStats />
+    </PermissionsValidator>
+  )
+}
 
 const _VisitsStats: React.FC = () => {
   const officeId = useStore(stores.officeId)
@@ -39,7 +45,7 @@ const _VisitsStats: React.FC = () => {
     { enabled: isShown && period.from.isValid() && period.to.isValid() }
   )
 
-  const onToggleDepartmentStats = React.useCallback(
+  const onToggleRolesStats = React.useCallback(
     (date: string) => (ev: React.MouseEvent) => {
       setExpandedDates((dates) => toggleInArray(dates, date))
     },
@@ -71,7 +77,7 @@ const _VisitsStats: React.FC = () => {
                     className="ml-2"
                     size="small"
                     kind="secondary"
-                    onClick={onToggleDepartmentStats(x.date)}
+                    onClick={onToggleRolesStats(x.date)}
                   >
                     {isExpanded ? 'Less' : 'More'} info
                   </Button>
@@ -79,10 +85,10 @@ const _VisitsStats: React.FC = () => {
               </div>
               {isExpanded && (
                 <div className="mt-2">
-                  {x.occupancyPercentByDepartment.map((d) => (
-                    <div key={d.department}>
-                      {d.department} –{' '}
-                      {Number((d.occupancyPercent * 100).toFixed(1))}%
+                  {x.occupancyPercentByRole.map((d) => (
+                    <div key={d.role}>
+                      {d.role} – {Number((d.occupancyPercent * 100).toFixed(1))}
+                      %
                     </div>
                   ))}
                   {!!x.guests.length && (
diff --git a/src/modules/office-visits/metadata-schema.ts b/src/modules/office-visits/metadata-schema.ts
new file mode 100644
index 00000000..bc4ac8c1
--- /dev/null
+++ b/src/modules/office-visits/metadata-schema.ts
@@ -0,0 +1,11 @@
+import { z } from 'zod'
+
+export const schema = z
+  .object({
+    statistics: z.object({
+      splitByRoleGroup: z.string(),
+    }),
+  })
+  .strict()
+
+export type Metadata = z.infer<typeof schema>
diff --git a/src/modules/office-visits/server/router.ts b/src/modules/office-visits/server/router.ts
index 23e86764..cc3ac4f0 100644
--- a/src/modules/office-visits/server/router.ts
+++ b/src/modules/office-visits/server/router.ts
@@ -10,9 +10,10 @@ import {
   getBusinessDaysFromDate,
   getDate,
 } from './helpers'
-import { Permissions } from '../permissions'
 import { Visit, GenericVisit, VisitType, VisitsDailyStats } from '#shared/types'
 import * as fp from '#shared/utils'
+import { Permissions } from '../permissions'
+import { Metadata } from '../metadata-schema'
 
 dayjs.extend(localizedFormat)
 
@@ -178,10 +179,11 @@ const adminRouter: FastifyPluginCallback = async function (fastify, opts) {
       }>,
       reply
     ) => {
-      req.check(Permissions.AdminList)
       if (!req.office) {
         return reply.throw.badParams('Missing office ID')
       }
+      req.check(Permissions.AdminList, req.office.id)
+      const metadata = appConfig.getModuleMetadata('office-visits') as Metadata
       const { from, to, format } = req.query
       if (!from || !to) {
         return reply.throw.badParams('Missing "from" or "to" parameter')
@@ -243,23 +245,30 @@ const adminRouter: FastifyPluginCallback = async function (fastify, opts) {
           const date = dateRange[0].add(i, 'day').format(DATE_FORMAT)
           const visits = visitsByDate[date] || []
           const existingVisitsNumber = visits.length
-          const departments = visits.map((x) => {
+          const roleGroup = appConfig.config.permissions.roleGroups.find(
+            fp.propEq('id', metadata.statistics.splitByRoleGroup)
+          )!
+          const roleById = roleGroup.roles.reduce(fp.by('id'), {})
+          const roleIds = roleGroup.roles.map(fp.prop('id'))
+          const visitorsRoles = visits.map((x) => {
             if (!!x.metadata.guestInviteId) {
               return 'Guests'
             }
-            return userById[x.userId]?.department || 'Unknown'
+            const user = userById[x.userId]
+            const role = user.roles.find(fp.isIn(roleIds))
+            return role ? roleById[role].name : 'Unknown'
           })
-          const departmentDistribution = departments.reduce((acc, x) => {
+          const roleDistribution = visitorsRoles.reduce((acc, x) => {
             return acc[x] ? { ...acc, [x]: acc[x] + 1 } : { ...acc, [x]: 1 }
           }, {} as Record<string, number>)
-          const departmentRatios: Array<{
-            department: string
+          const roleRatios: Array<{
+            role: string
             occupancyPercent: number
           }> = []
-          for (const [key, value] of Object.entries(departmentDistribution)) {
-            departmentRatios.push({
-              department: key,
-              occupancyPercent: value / departments.length,
+          for (const [key, value] of Object.entries(roleDistribution)) {
+            roleRatios.push({
+              role: key,
+              occupancyPercent: value / visitorsRoles.length,
             })
           }
           const guests = visits
@@ -283,7 +292,7 @@ const adminRouter: FastifyPluginCallback = async function (fastify, opts) {
             maxCapacity: visitsConfig.maxCapacity,
             existingVisitsNumber,
             occupancyPercent: existingVisitsNumber / visitsConfig.maxCapacity,
-            occupancyPercentByDepartment: departmentRatios,
+            occupancyPercentByRole: roleRatios,
             guests,
           })
         }
diff --git a/src/modules/office-visits/types.ts b/src/modules/office-visits/types.ts
index 631f2cdc..b12340bf 100644
--- a/src/modules/office-visits/types.ts
+++ b/src/modules/office-visits/types.ts
@@ -26,8 +26,8 @@ export type VisitsDailyStats = {
   maxCapacity: number
   existingVisitsNumber: number
   occupancyPercent: number
-  occupancyPercentByDepartment: Array<{
-    department: string
+  occupancyPercentByRole: Array<{
+    role: string
     occupancyPercent: number
   }>
   guests: Array<{ fullName: string; email: string }>
diff --git a/src/modules/room-reservation/client/components/AdminRoomReservations.tsx b/src/modules/room-reservation/client/components/AdminRoomReservations.tsx
index ef2fa90c..2f46b4ee 100644
--- a/src/modules/room-reservation/client/components/AdminRoomReservations.tsx
+++ b/src/modules/room-reservation/client/components/AdminRoomReservations.tsx
@@ -21,17 +21,21 @@ import { RoomReservationStatusTag } from './RoomReservationStatusTag'
 
 dayjs.extend(dayjsTimezone)
 
-export const AdminRoomReservations = () => (
-  <PermissionsValidator
-    required={[
-      Permissions['room-reservation'].__Admin,
-      Permissions['room-reservation'].AdminList,
-    ]}
-    onRejectGoHome
-  >
-    <_AdminRoomReservations />
-  </PermissionsValidator>
-)
+export const AdminRoomReservations = () => {
+  const officeId = useStore(stores.officeId)
+  return (
+    <PermissionsValidator
+      officeId={officeId}
+      required={[
+        Permissions['room-reservation'].__Admin,
+        Permissions['room-reservation'].AdminList,
+      ]}
+      onRejectGoHome
+    >
+      <_AdminRoomReservations />
+    </PermissionsValidator>
+  )
+}
 
 const _AdminRoomReservations: React.FC = () => {
   useDocumentTitle('Meeting Rooms')
@@ -117,7 +121,7 @@ const _AdminRoomReservations: React.FC = () => {
             }`
           },
         },
-        permissions.has(Permissions['room-reservation'].AdminManage)
+        permissions.has(Permissions['room-reservation'].AdminManage, officeId)
           ? {
               Header: 'Actions',
               accessor: (x: RoomReservation) => {
diff --git a/src/modules/room-reservation/client/components/RoomDisplayDevice.tsx b/src/modules/room-reservation/client/components/RoomDisplayDevice.tsx
index 2af26f1d..437673a1 100644
--- a/src/modules/room-reservation/client/components/RoomDisplayDevice.tsx
+++ b/src/modules/room-reservation/client/components/RoomDisplayDevice.tsx
@@ -1,20 +1,33 @@
 import React from 'react'
 import { useStore } from '@nanostores/react'
+import config from '#client/config'
 import * as stores from '#client/stores'
+import * as fp from '#shared/utils/fp'
 import { Button, ButtonsWrapper, Select } from '#client/components/ui'
 import { showNotification } from '#client/components/ui/Notifications'
 import { PermissionsValidator } from '#client/components/PermissionsValidator'
 import Permissions from '#shared/permissions'
-import { useUpdateRoomDisplayDevice, useRooms } from '../queries'
+import { useUpdateRoomDisplayDevice, useAdminRooms } from '../queries'
 
-export const RoomDisplayDevice = () => (
-  <PermissionsValidator
-    required={[Permissions['room-reservation'].AdminManage]}
-    onRejectGoHome
-  >
-    <_RoomDisplayDevice/>
-  </PermissionsValidator>
-)
+export const RoomDisplayDevice = () => {
+  const officeId = useStore(stores.officeId)
+  return (
+    <PermissionsValidator
+      officeId={officeId}
+      required={[Permissions['room-reservation'].AdminManage]}
+      onRejectRender={
+        <div>
+          You don't have permission to set up the display in the "{officeId}"
+          office.
+          <br />
+          Please select an office you can work with.
+        </div>
+      }
+    >
+      <_RoomDisplayDevice />
+    </PermissionsValidator>
+  )
+}
 
 const _RoomDisplayDevice: React.FC = () => {
   const page = useStore(stores.router)
@@ -24,7 +37,17 @@ const _RoomDisplayDevice: React.FC = () => {
     stores.goTo('admin')
     showNotification('The device was confirmed successfully', 'success')
   })
-  const { data: rooms = [] } = useRooms(undefined)
+  const { data: rooms = [] } = useAdminRooms()
+  const options = React.useMemo(() => {
+    const officeById = config.offices.reduce(fp.by('id'), {})
+    return rooms.map((x) => {
+      const office = officeById[x.officeId]
+      return {
+        value: x.id,
+        label: `${x.name}, ${office.name}`,
+      }
+    })
+  }, [rooms])
   const [roomId, setRoomId] = React.useState<string | undefined>(undefined)
   React.useEffect(() => {
     if (rooms.length) {
@@ -53,10 +76,7 @@ const _RoomDisplayDevice: React.FC = () => {
         className="mt-4 w-full"
         value={roomId}
         onChange={setRoomId}
-        options={rooms.map((x) => ({
-          value: x.id,
-          label: x.name,
-        }))}
+        options={options}
       />
       <ButtonsWrapper
         className="mt-6"
diff --git a/src/modules/room-reservation/client/components/RoomReservationDetail.tsx b/src/modules/room-reservation/client/components/RoomReservationDetail.tsx
index e1cce4e4..32802daa 100644
--- a/src/modules/room-reservation/client/components/RoomReservationDetail.tsx
+++ b/src/modules/room-reservation/client/components/RoomReservationDetail.tsx
@@ -15,7 +15,7 @@ import dayjs from 'dayjs'
 import { DATE_FORMAT_DAY_NAME_FULL } from '#client/constants'
 import { useMemo } from 'react'
 import { RoomReservationStatusTag } from './RoomReservationStatusTag'
-import { useUserAdmin } from '#modules/users/client/queries'
+import { useUserCompact } from '#modules/users/client/queries'
 
 export const RoomReservationDetail = () => (
   <PermissionsValidator required={[]} onRejectGoHome>
@@ -44,7 +44,7 @@ const _RoomReservationDetail = () => {
     () => roomReservation?.creatorUserId === me?.id,
     [roomReservation, me]
   )
-  const { data: user = null } = useUserAdmin(
+  const { data: user = null } = useUserCompact(
     roomReservation?.creatorUserId || '',
     {
       enabled: !!roomReservation && roomReservation.creatorUserId !== me?.id,
diff --git a/src/modules/room-reservation/client/components/RoomReservationRequest.tsx b/src/modules/room-reservation/client/components/RoomReservationRequest.tsx
index 92675c35..4e118fed 100644
--- a/src/modules/room-reservation/client/components/RoomReservationRequest.tsx
+++ b/src/modules/room-reservation/client/components/RoomReservationRequest.tsx
@@ -6,7 +6,6 @@ import {
   ComponentWrapper,
   H1,
   Icons,
-  Input,
   P,
   TabSlider,
   showNotification,
@@ -20,6 +19,8 @@ import {
 } from '#shared/types'
 import { cn } from '#client/utils'
 import { renderMarkdown } from '#client/utils/markdown'
+import { PermissionsValidator } from '#client/components/PermissionsValidator'
+import Permissions from '#shared/permissions'
 import { RoomListing } from './RoomListing'
 import { TimeSlotsListing } from './TimeSlotsListing'
 import { MeetingRoomBookingModal } from './MeetingRoomBookingModal'
@@ -29,13 +30,26 @@ import {
   useAvailableTimeRanges,
   useAvailableTimeSlotsForRoom,
   useCreateRoomReservation,
-  usePlaceholderMessages,
+  usePlaceholderMessage,
   useRooms,
 } from '../queries'
 
 dayjs.extend(dayjsDuration)
 
-export const RoomReservationRequest: React.FC = () => {
+export const RoomReservationRequest = () => {
+  const officeId = useStore(stores.officeId)
+  return (
+    <PermissionsValidator
+      officeId={officeId}
+      required={[Permissions['room-reservation'].Create]}
+      onRejectGoHome
+    >
+      <_RoomReservationRequest />
+    </PermissionsValidator>
+  )
+}
+
+const _RoomReservationRequest: React.FC = () => {
   const officeId = useStore(stores.officeId)
   const [showModal, setShowModal] = useState(false)
   const [timeDuration, setTimeDuration] = useState(
@@ -50,7 +64,7 @@ export const RoomReservationRequest: React.FC = () => {
 
   const [mode, setMode] = useState(RoomBookingModes.AnyRoom)
   const [timeSlots, setTimeSlots] = useState<Array<string>>([])
-  const { data: placeholderMessage } = usePlaceholderMessages(officeId)
+  const { data: placeholderMessage } = usePlaceholderMessage(officeId)
   const { data: slots } = useAvailableTimeRanges(
     officeId,
     timeDuration.asMinutes(),
diff --git a/src/modules/room-reservation/client/queries.ts b/src/modules/room-reservation/client/queries.ts
index 7b4619fe..6e4c115b 100644
--- a/src/modules/room-reservation/client/queries.ts
+++ b/src/modules/room-reservation/client/queries.ts
@@ -3,6 +3,7 @@ import { useMutation, useQuery } from 'react-query'
 import { api } from '#client/utils/api'
 import {
   OfficeRoom,
+  OfficeRoomCompact,
   RoomDisplayData,
   RoomReservation,
   RoomReservationRequest,
@@ -10,8 +11,8 @@ import {
   RoomReservationUpdateRequest,
 } from '#shared/types'
 
-export const usePlaceholderMessages = (officeId: string | undefined) => {
-  const path = '/user-api/room-reservation/placeholder-messages'
+export const usePlaceholderMessage = (officeId: string | undefined) => {
+  const path = '/user-api/room-reservation/placeholder'
   return useQuery<string, AxiosError>(
     [path, { office: officeId }],
     async ({ queryKey }) =>
@@ -27,7 +28,8 @@ export const useRooms = (
   return useQuery<OfficeRoom[], AxiosError>(
     [path, { office: officeId, allRooms: allRooms || undefined }],
     async ({ queryKey }) =>
-      (await api.get<OfficeRoom[]>(path, { params: queryKey[1] })).data
+      (await api.get<OfficeRoom[]>(path, { params: queryKey[1] })).data,
+    { enabled: !!officeId }
   )
 }
 
@@ -207,3 +209,11 @@ export const useUpdateRoomReservationByUser = (cb: () => void) => {
     { onSuccess: cb }
   )
 }
+
+export const useAdminRooms = () => {
+  const path = '/admin-api/room-reservation/room'
+  return useQuery<OfficeRoomCompact[], AxiosError>(
+    path,
+    async () => (await api.get<OfficeRoomCompact[]>(path)).data
+  )
+}
diff --git a/src/modules/room-reservation/server/router.ts b/src/modules/room-reservation/server/router.ts
index cab4d417..4c1828c4 100644
--- a/src/modules/room-reservation/server/router.ts
+++ b/src/modules/room-reservation/server/router.ts
@@ -23,6 +23,7 @@ import {
 import { isWithinWorkingHours } from '../shared-helpers'
 import { Permissions } from '../permissions'
 import {
+  OfficeRoomCompact,
   RoomDisplayData,
   RoomReservationRequest,
   RoomReservationStatus,
@@ -254,14 +255,14 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
     '/time-slots/rooms',
     async (
       req: FastifyRequest<{
-        Querystring: { office: string; slot: string; date: string }
+        Querystring: { slot: string; date: string }
       }>,
       reply
     ) => {
-      req.check(Permissions.Create)
-      if (!req.query.office) {
+      if (!req.office) {
         return reply.throw.badParams('Invalid office ID')
       }
+      req.check(Permissions.Create, req.office.id)
       if (!req.query.slot) {
         return reply.throw.badParams('Specify time slot')
       }
@@ -269,15 +270,14 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
       if (isWeekend(req.query.date) || isBeforeToday(req.query.date)) {
         return []
       }
-      const office = req.office!
       const { startT, endT } = parseTimeSlot(req.query.slot)
       const start = getDateTimeInTimezone(
-        office.timezone,
+        req.office.timezone,
         startT,
         req.query.date
       ).utc()
       const end = getDateTimeInTimezone(
-        office.timezone,
+        req.office.timezone,
         endT,
         req.query.date
       ).utc()
@@ -291,7 +291,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
       const reservations = await fastify.db.RoomReservation.findAll({
         attributes: ['roomId', 'startDate', 'endDate'],
         where: {
-          office: office.id,
+          office: req.office.id,
           [Op.or]: [
             {
               startDate: isBetweenNotIncludingBounds,
@@ -332,14 +332,14 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
     async (
       req: FastifyRequest<{
         Params: { roomId: string }
-        Querystring: { office: string; duration: number; date: string }
+        Querystring: { duration: number; date: string }
       }>,
       reply
     ) => {
-      req.check(Permissions.Create)
-      if (!req.query.office) {
+      if (!req.office) {
         return reply.throw.badParams('Invalid office ID')
       }
+      req.check(Permissions.Create, req.office.id)
       if (!req.params.roomId) {
         return reply.throw.badParams('Invalid room ID')
       }
@@ -351,7 +351,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
         return []
       }
       const requestedDuration = req.query.duration ?? 30
-      const office = appConfig.getOfficeById(req.query.office)
+      const office = req.office
       const room = office.rooms!.find((room) => room.id === req.params.roomId)
       if (!room || !room.available) {
         return reply.throw.badParams('Invalid room ID')
@@ -422,15 +422,18 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
   )
 
   fastify.get(
-    '/placeholder-messages',
+    '/placeholder',
     async (
       req: FastifyRequest<{
-        Querystring: { office: string; duration?: number }
+        Querystring: { duration?: number }
       }>,
       reply
     ) => {
       req.check(Permissions.Create)
-      return req.office?.roomsPlaceholderMessage ?? ''
+      if (!req.office) {
+        return reply.throw.badParams('Invalid office ID')
+      }
+      return req.office.roomsPlaceholderMessage ?? ''
     }
   )
 
@@ -438,14 +441,14 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
     '/time-slots',
     async (
       req: FastifyRequest<{
-        Querystring: { office: string; duration?: number; date: string }
+        Querystring: { duration?: number; date: string }
       }>,
       reply
     ) => {
-      req.check(Permissions.Create)
-      if (!req.query.office || !req.office) {
+      if (!req.office) {
         return reply.throw.badParams('Invalid office ID')
       }
+      req.check(Permissions.Create, req.office.id)
       if (!req.query.date) {
         return reply.throw.badParams('Missing date')
       }
@@ -589,10 +592,10 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
       }>,
       reply
     ) => {
-      req.check(Permissions.Create)
       if (!req.office) {
         return reply.throw.badParams('Invalid office ID')
       }
+      req.check(Permissions.Create, req.office.id)
       const room = req.office.rooms!.find((x) => x.id === req.params.roomId)
       if (!room || !room.available) {
         return reply.throw.badParams('Invalid room ID')
@@ -624,10 +627,10 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
   fastify.post(
     '/room-reservations',
     async (req: FastifyRequest<{ Body: RoomReservationRequest }>, reply) => {
-      req.check(Permissions.Create)
       if (!req.office) {
         return reply.throw.badParams('Invalid office ID')
       }
+      req.check(Permissions.Create, req.office.id)
       const data = req.body
       const room = (req.office.rooms || []).find((x) => x.id === data.roomId)
       if (!room || !room.available) {
@@ -712,10 +715,10 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
   )
 
   fastify.get('/room-reservation', async (req, reply) => {
-    req.check(Permissions.Create)
     if (!req.office) {
       return reply.throw.badParams('Invalid office ID')
     }
+    req.check(Permissions.Create, req.office.id)
     const reservations = await fastify.db.RoomReservation.findAll({
       where: {
         office: req.office.id,
@@ -739,18 +742,18 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
       }>,
       reply
     ) => {
-      req.check(Permissions.Create)
       const id = req.params.reservationId
       const status = req.body.status
       const reservation = await fastify.db.RoomReservation.findOne({
         where: {
-          id: req.params.reservationId,
+          id,
           creatorUserId: req.user.id,
         },
       })
       if (!reservation) {
         return reply.throw.notFound()
       }
+      req.check(Permissions.Create, reservation.office)
 
       if (
         reservation.status !== 'confirmed' &&
@@ -800,6 +803,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
       return reply.ok()
     }
   )
+
   fastify.get(
     '/room-reservation/:reservationId',
     async (
@@ -809,17 +813,22 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
       }>,
       reply
     ) => {
-      req.check(Permissions.Create)
-      const where: Filterable<RoomReservation>['where'] = {
-        id: req.params.reservationId,
-      }
-      if (!req.can(Permissions.AdminList)) {
-        where.creatorUserId = req.user.id
-      }
-      const reservation = await fastify.db.RoomReservation.findOne({ where })
+      const reservation = await fastify.db.RoomReservation.findByPk(
+        req.params.reservationId
+      )
       if (!reservation) {
         return reply.throw.notFound()
       }
+
+      if (
+        req.user.id !== reservation.creatorUserId &&
+        !req.can(Permissions.AdminList, reservation.office)
+      ) {
+        return reply.throw.accessDenied()
+      } else {
+        req.check(Permissions.Create, reservation.office)
+      }
+
       const office = appConfig.getOfficeById(reservation.office) || {}
       const roomDetail = office?.rooms!.find(
         (room) => room.id == reservation?.roomId
@@ -847,7 +856,9 @@ const adminRouter: FastifyPluginCallback = async function (fastify, opts) {
       }>,
       reply
     ) => {
-      req.check(Permissions.AdminManage)
+      if (!req.permissions.hasRoot(Permissions.AdminManage)) {
+        return reply.throw.accessDenied()
+      }
       const device = await fastify.db.RoomDisplayDevice.findByPk(
         req.params.deviceId
       )
@@ -877,10 +888,10 @@ const adminRouter: FastifyPluginCallback = async function (fastify, opts) {
   )
 
   fastify.get('/room-reservation', async (req, reply) => {
-    req.check(Permissions.AdminList)
     if (!req.office) {
       return reply.throw.badParams('Invalid office ID')
     }
+    req.check(Permissions.AdminList, req.office.id)
     const reservations = await fastify.db.RoomReservation.findAll({
       where: {
         office: req.office.id,
@@ -899,19 +910,19 @@ const adminRouter: FastifyPluginCallback = async function (fastify, opts) {
       }>,
       reply
     ) => {
-      req.check(Permissions.AdminManage)
       const reservation = await fastify.db.RoomReservation.findByPk(
         req.params.reservationId
       )
       if (!reservation) {
         return reply.throw.notFound()
       }
+      req.check(Permissions.AdminManage, reservation.office)
       await reservation
         .set({
           status: req.body.status,
         })
         .save()
-      appEvents.useModule('admin').emit('update_counters')
+      // appEvents.useModule('admin').emit('update_counters')
       // Send user notification to the user via Matrix
       if (req.body.status === 'cancelled' && fastify.integrations.Matrix) {
         process.nextTick(async () => {
@@ -956,6 +967,26 @@ const adminRouter: FastifyPluginCallback = async function (fastify, opts) {
       return reply.ok()
     }
   )
+
+  fastify.get('/room', async (req, reply) => {
+    if (!req.permissions.hasRoot(Permissions.AdminManage)) {
+      return reply.throw.accessDenied()
+    }
+    const officeIds = req.permissions.extractOfficeIds(Permissions.AdminManage)
+    if (!officeIds) {
+      return reply.throw.accessDenied()
+    }
+    return appConfig.offices
+      .filter((x) => (officeIds.length ? officeIds.includes(x.id) : true))
+      .reduce<OfficeRoomCompact[]>((acc, x) => {
+        const rooms = (x.rooms || []).map((r) => ({
+          id: r.id,
+          name: r.name,
+          officeId: x.id,
+        }))
+        return [...acc, ...rooms]
+      }, [])
+  })
 }
 
 module.exports = {
diff --git a/src/modules/room-reservation/types.ts b/src/modules/room-reservation/types.ts
index e464a4f3..79dbe74d 100644
--- a/src/modules/room-reservation/types.ts
+++ b/src/modules/room-reservation/types.ts
@@ -1,5 +1,3 @@
-import { OfficeRoom } from '#shared/types'
-
 export type RoomReservationStatus = 'pending' | 'confirmed' | 'cancelled'
 
 export type RoomReservation = {
@@ -46,12 +44,20 @@ export type RoomDisplayData = {
   usersById: Record<string, { fullName: string; avatar: string }>
 }
 
+// TODO: make it enum
 export const RoomBookingModes: Record<string, string> = {
   AnyRoom: 'Any Room Available',
   SpecificRoom: 'Specific Room',
 }
 
+// TODO: move it to client helpers/components
 export const RoomBookingTabHeaders = {
   [RoomBookingModes.AnyRoom]: ['Book Any Room Available', 'Any Room'],
   [RoomBookingModes.SpecificRoom]: ['Book Specific Room', 'Specific Room'],
 }
+
+export type OfficeRoomCompact = {
+  id: string
+  name: string
+  officeId: string
+}
diff --git a/src/modules/search/server/router.ts b/src/modules/search/server/router.ts
index e83c36fe..474f90f7 100644
--- a/src/modules/search/server/router.ts
+++ b/src/modules/search/server/router.ts
@@ -54,7 +54,7 @@ const getWhereClauseForUserSearch = (
   return {
     // TODO: full text search (+ ignore email/matrix domain)
     isInitialised: true,
-    role: { [Op.in]: SEARCHABLE_ROLES },
+    roles: { [Op.overlap]: SEARCHABLE_ROLES },
     [Op.or]: [
       { fullName: { [Op.iLike]: wrappedQuery } },
       { email: { [Op.iLike]: wrappedQuery } },
@@ -92,7 +92,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
       if (EMAIL_REGEX.test(originalQuery)) {
         const user = await fastify.db.User.findOneActive({
           where: {
-            role: { [Op.in]: SEARCHABLE_ROLES },
+            roles: { [Op.overlap]: SEARCHABLE_ROLES },
             email: originalQuery,
           },
         })
@@ -105,7 +105,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
       if (fastify.integrations.Matrix?.usernameRegex?.test(originalQuery)) {
         const user = await fastify.db.User.findOneActive({
           where: {
-            role: { [Op.in]: SEARCHABLE_ROLES },
+            roles: { [Op.overlap]: SEARCHABLE_ROLES },
             'contacts.matrix': originalQuery,
           },
         })
@@ -146,7 +146,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
       if (EMAIL_REGEX.test(originalQuery)) {
         const user = await fastify.db.User.findOneActive({
           where: {
-            role: { [Op.in]: SEARCHABLE_ROLES },
+            roles: { [Op.overlap]: SEARCHABLE_ROLES },
             email: originalQuery,
           },
         })
diff --git a/src/modules/users/client/components/AdminUsers.tsx b/src/modules/users/client/components/AdminUsers.tsx
index 6b1bc706..7c014abf 100644
--- a/src/modules/users/client/components/AdminUsers.tsx
+++ b/src/modules/users/client/components/AdminUsers.tsx
@@ -19,21 +19,27 @@ import {
   Button,
   Textarea,
   UserLabel,
-  Select,
   Filters,
   LabelWrapper,
   Input,
 } from '#client/components/ui'
 import { showNotification } from '#client/components/ui/Notifications'
 import { PermissionsValidator } from '#client/components/PermissionsValidator'
-import { pick, prop, propEq, propNotEq } from '#shared/utils/fp'
-import { User, Tag, ImportedTagGroup } from '#shared/types'
-import { FRIENDLY_DATE_FORMAT, USER_ROLE_BY_ID } from '#client/constants'
+import {
+  pick,
+  prop,
+  propNotEq,
+  hasIntersection,
+  propEq,
+} from '#shared/utils/fp'
+import { User, ImportedTagGroup, Tag } from '#shared/types'
+import { FRIENDLY_DATE_FORMAT, USER_ROLES } from '#client/constants'
 import { useDebounce, useDocumentTitle } from '#client/utils/hooks'
 import { useStore } from '@nanostores/react'
 import * as stores from '#client/stores'
 import Permissions from '#shared/permissions'
 import { DeleteUserModal } from './DeleteUserModal'
+import { UserRolesEditorModal } from './UserRolesEditorModal'
 
 export const AdminUsers: React.FC = () => {
   useDocumentTitle('Users')
@@ -52,15 +58,7 @@ export const AdminUsers: React.FC = () => {
 }
 
 function matchRole(user: User, roles: string[]): boolean {
-  return roles.length ? roles.includes(user.role) : true
-}
-function matchDivision(user: User, divisions: string[]): boolean {
-  return divisions.length ? divisions.includes(user.division || '~none~') : true
-}
-function matchDepartment(user: User, departments: string[]): boolean {
-  return departments.length
-    ? departments.includes(user.department || '~none~')
-    : true
+  return roles.length ? hasIntersection(user.roles, roles) : true
 }
 function matchSearch(user: User, query: string): boolean {
   const trimmedQuery = query.trim()
@@ -77,11 +75,10 @@ function matchSearch(user: User, query: string): boolean {
 export const UserTable: React.FC = () => {
   const permissions = useStore(stores.permissions)
   const [editedUserId, setEditedUserId] = React.useState<string | null>(null)
+  const [roleFilterIsShown, setRoleFilterIsShown] = React.useState(false)
   const [roleFilter, setRoleFilter] = React.useState<string[]>(
-    config.roles.filter(propNotEq('lowPriority', true)).map(prop('id'))
+    USER_ROLES.filter(prop('accessByDefault')).map(prop('id'))
   )
-  const [divisionFilter, setDivisionFilter] = React.useState<string[]>([])
-  const [departmentFilter, setDepartmentFilter] = React.useState<string[]>([])
   const [searchQuery, setSearchQuery] = React.useState<string>('')
   const debouncedSearchQuery = useDebounce(searchQuery, 300)
   const [showDeleteModal, setShowDeleteModal] = useState(false)
@@ -107,36 +104,46 @@ export const UserTable: React.FC = () => {
     refetch()
   })
 
+  const onChangeUserRoles = React.useCallback(
+    (userId: string) => (roles: string[]) => {
+      updateUser({ id: userId, roles })
+    },
+    []
+  )
+
   const filteredUsers = React.useMemo(() => {
     return users.filter((x) => {
       return !(
-        !matchRole(x, roleFilter) ||
-        !matchDivision(x, divisionFilter) ||
-        !matchDepartment(x, departmentFilter) ||
-        !matchSearch(x, debouncedSearchQuery)
+        !matchRole(x, roleFilter) || !matchSearch(x, debouncedSearchQuery)
       )
     })
-  }, [
-    users,
-    roleFilter,
-    divisionFilter,
-    departmentFilter,
-    debouncedSearchQuery,
-  ])
+  }, [users, roleFilter, debouncedSearchQuery])
 
   const columns = React.useMemo(
     () => [
       {
         Header: 'Name',
-        accessor: (x: User) => <UserLabel user={x} hideRole />,
+        accessor: (x: User) => <UserLabel user={x} />,
       },
       {
-        Header: 'Role',
+        Header: 'Email',
+        accessor: (x: User) => (
+          <Link href={`mailto:${x.email}`} kind="secondary">
+            {x.email}
+          </Link>
+        ),
+      },
+      {
+        Header: 'Roles',
         accessor: (u: User) => (
-          <div>
-            <div className="flex">
+          <>
+            <div className="flex items-start">
               <div className="flex-1">
-                <UserRoleLabel role={u.role} />
+                <div className="-mb-1 -mr-1 flex flex-wrap">
+                  {u.roles.map((x) => (
+                    <UserRoleLabel key={x} role={x} className="mr-1 mb-1" />
+                  ))}
+                </div>
               </div>
               {permissions.has(Permissions.users.AdminAssignRoles) && (
                 <Button
@@ -146,50 +153,26 @@ export const UserTable: React.FC = () => {
                     setEditedUserId(editedUserId === u.id ? null : u.id)
                   }
                 >
-                  {editedUserId === u.id ? 'Cancel' : 'Edit'}
+                  Edit
                 </Button>
               )}
             </div>
             {editedUserId === u.id && (
-              <div className="mt-4 _-mb-2 _flex _flex-wrap">
-                <Select
-                  className="py-1 px-3"
-                  onChange={onChangeUserRole(u.id)}
-                  value={u.role}
-                  options={config.roles.map((x) => ({
-                    label: x.name,
-                    value: x.id,
-                  }))}
-                />
-              </div>
+              <UserRolesEditorModal
+                user={u}
+                onClose={() => setEditedUserId(null)}
+                onChange={onChangeUserRoles(u.id)}
+              />
             )}
-          </div>
-        ),
-      },
-      {
-        Header: 'Email',
-        accessor: (x: User) => (
-          <Link href={`mailto:${x.email}`} kind="secondary">
-            {x.email}
-          </Link>
+          </>
         ),
       },
-      {
-        Header: 'Division',
-        accessor: (u: User) =>
-          u.division || <span className="text-gray-300">UNKNOWN</span>,
-      },
-      {
-        Header: 'Department',
-        accessor: (u: User) =>
-          u.department || <span className="text-gray-300">UNKNOWN</span>,
-      },
       {
         Header: 'Created at',
         accessor: (x: User) => dayjs(x.createdAt).format('D MMM, YYYY'),
       },
       {
-        Header: 'Delete',
+        Header: 'Actions',
         accessor: (u: User) => {
           if (u.scheduledToDelete && !u.deletedAt) {
             const scheduledAt = dayjs(u.scheduledToDelete).startOf('day')
@@ -246,25 +229,6 @@ export const UserTable: React.FC = () => {
     [editedUserId]
   )
 
-  const onChangeUserRole = React.useCallback(
-    (userId: string /*, newRole: string*/) => (role: string) => {
-      const user = users.find(propEq('id', userId))
-      if (!user) return
-      const currentRole = USER_ROLE_BY_ID[user.role]
-      const targetRole = USER_ROLE_BY_ID[role]
-      if (
-        window.confirm(
-          `🛑 Are you sure to change ${user.fullName}'s role from "${
-            currentRole?.name || user.role
-          }" to "${targetRole.name}"?`
-        )
-      ) {
-        updateUser({ id: user.id, role })
-      }
-    },
-    [users]
-  )
-
   return (
     <div>
       {showDeleteModal && userForDeletion && (
@@ -276,44 +240,48 @@ export const UserTable: React.FC = () => {
       )}
       <H1>Users</H1>
 
+      <div className="mb-4">
+        <LabelWrapper
+          label={
+            <Button
+              size="small"
+              onClick={() => setRoleFilterIsShown((x) => !x)}
+              className="relative"
+            >
+              {!roleFilterIsShown ? 'Show' : 'Hide'} filters
+            </Button>
+          }
+        >
+          {!roleFilterIsShown && !!roleFilter.length && (
+            <span className="text-text-tertiary">Some filters are applied</span>
+          )}
+        </LabelWrapper>
+      </div>
+
       <div className="flex flex-col gap-y-4 mb-6">
-        {!!config.divisions && !!config.divisions.length && (
-          <LabelWrapper label="Division">
-            <Filters
-              options={[
-                { id: null, name: 'Any' },
-                ...config.divisions.map((x) => ({ id: x, name: x })),
-              ]}
-              value={divisionFilter}
-              onChange={setDivisionFilter}
-              multiple
-            />
-          </LabelWrapper>
-        )}
-        {!!config.departments && !!config.departments.length && (
-          <LabelWrapper label="Department">
-            <Filters
-              options={[
-                { id: null, name: 'Any' },
-                ...config.departments.map((x) => ({ id: x, name: x })),
-              ]}
-              value={departmentFilter}
-              onChange={setDepartmentFilter}
-              multiple
-            />
-          </LabelWrapper>
+        {roleFilterIsShown && (
+          <>
+            <LabelWrapper label="">
+              <Filters
+                options={[{ id: null, name: 'Any role' }]}
+                value={roleFilter}
+                onChange={setRoleFilter}
+                multiple
+              />
+            </LabelWrapper>
+            {config.roleGroups.map((g) => (
+              <LabelWrapper key={g.name} label={g.name}>
+                <Filters
+                  options={g.roles}
+                  value={roleFilter}
+                  onChange={setRoleFilter}
+                  multiple
+                />
+              </LabelWrapper>
+            ))}
+          </>
         )}
-        <LabelWrapper label="Role">
-          <Filters
-            options={[
-              { id: null, name: 'Any' },
-              ...config.roles.map((x) => ({ id: x.id, name: x.name })),
-            ]}
-            value={roleFilter}
-            onChange={setRoleFilter}
-            multiple
-          />
-        </LabelWrapper>
+
         <LabelWrapper label="Search">
           <Input
             type="text"
diff --git a/src/modules/users/client/components/DeleteUserModal.tsx b/src/modules/users/client/components/DeleteUserModal.tsx
index cc55e7a1..9413c3fe 100644
--- a/src/modules/users/client/components/DeleteUserModal.tsx
+++ b/src/modules/users/client/components/DeleteUserModal.tsx
@@ -35,14 +35,7 @@ export const DeleteUserModal: React.FC<{
               {user?.fullName}
             </P>
             <div className="text-text-tertiary text-center sm:text-left text-base leading-6">
-              {[user.jobTitle, user.team, user.department]
-                .filter(Boolean)
-                .map((x, i) => (
-                  <span key={`${x}${i}`}>
-                    {!!i && <span> &#183; </span>}
-                    {x}
-                  </span>
-                ))}
+              {[user.jobTitle, user.team].filter(Boolean).join(' · ')}
             </div>
           </div>
         </div>
diff --git a/src/modules/users/client/components/ProfileCard.tsx b/src/modules/users/client/components/ProfileCard.tsx
index 23527406..b332383a 100644
--- a/src/modules/users/client/components/ProfileCard.tsx
+++ b/src/modules/users/client/components/ProfileCard.tsx
@@ -16,7 +16,7 @@ import { PublicUserProfile, UserMe } from '#shared/types'
 import dayjs from 'dayjs'
 import { PermissionsValidator } from '#client/components/PermissionsValidator'
 import Permissions from '#shared/permissions'
-import { USER_ROLE_BY_ID } from '#client/constants'
+import { USER_ROLES } from '#client/constants'
 
 const ProfileRow = ({
   label,
@@ -53,8 +53,6 @@ export const Card = ({
   fullView?: boolean
   isMine?: boolean
 }) => {
-  const permissions = useStore(stores.permissions)
-
   const location = React.useMemo(() => {
     if (user && !user.geodata?.doNotShareLocation) {
       const city = user.city || ''
@@ -65,9 +63,11 @@ export const Card = ({
     return null
   }, [user])
 
-  const userRole = React.useMemo(() => {
-    const role = USER_ROLE_BY_ID[user.role]
-    return role?.name || user.role
+  const userRoles = React.useMemo<string[]>(() => {
+    return USER_ROLES.reduce<string[]>((acc, x) => {
+      if (!user.roles.includes(x.id)) return acc
+      return acc.concat(x.name)
+    }, [])
   }, [user])
 
   return (
@@ -85,20 +85,15 @@ export const Card = ({
           <P className="mb-0">{user.fullName}</P>
           <PermissionsValidator required={[Permissions.users.ListProfiles]}>
             <div className="text-text-tertiary text-base leading-6">
-              {[user.jobTitle, user.team, user.department]
-                .filter(Boolean)
-                .map((x, i) => (
-                  <span key={`${x}${i}`}>
-                    {!!i && <span> &#183; </span>}
-                    {x}
-                  </span>
-                ))}
+              {[user.jobTitle, user.team].filter(Boolean).join(' · ')}
             </div>
           </PermissionsValidator>
-          <div className="mt-3 mb-2">
-            <Tag size="small" color="yellow">
-              {userRole}
-            </Tag>
+          <div className="mt-3">
+            {userRoles.map((x) => (
+              <Tag key={x} size="small" color="gray" className="mr-1 mb-2">
+                {x}
+              </Tag>
+            ))}
           </div>
         </div>
         <PermissionsValidator required={[Permissions.users.ListProfiles]}>
diff --git a/src/modules/users/client/components/ProfileForm.tsx b/src/modules/users/client/components/ProfileForm.tsx
index 48726de2..7f32fbde 100644
--- a/src/modules/users/client/components/ProfileForm.tsx
+++ b/src/modules/users/client/components/ProfileForm.tsx
@@ -20,6 +20,8 @@ import {
   RootComponentProps,
   Tag as TagType,
 } from '#shared/types'
+import { toggleInArray } from '#client/utils'
+import * as fp from '#shared/utils/fp'
 import {
   useCitySearchSuggestion,
   useCountries,
@@ -28,6 +30,12 @@ import {
   useUpdateProfile,
 } from '../queries'
 
+const EDITABLE_ROLE_GROUPS = config.roleGroups.filter(
+  (x) => x.rules.editableByRoles.length
+)
+
+type RolesByGroupId = Record<string, string[]>
+
 export const ProfileForm: React.FC<RootComponentProps> = ({ portals }) => {
   const me = useStore(stores.me)
   const [cityQuery, setCityQuery] = React.useState('')
@@ -41,7 +49,6 @@ export const ProfileForm: React.FC<RootComponentProps> = ({ portals }) => {
   const [state, setState] = React.useState<ProfileFormData>({
     fullName: me?.fullName || '',
     birthday: me?.birthday || '',
-    department: me?.department || null,
     team: me?.team || '',
     jobTitle: me?.jobTitle || '',
     country: me?.country || null,
@@ -50,7 +57,21 @@ export const ProfileForm: React.FC<RootComponentProps> = ({ portals }) => {
     bio: me?.bio || '',
     geodata: me?.geodata || undefined,
     defaultLocation: me?.defaultLocation || null,
+    roles: [], // will be overwritten in the `onSubmitForm` function
   })
+  const [rolesByGroupId, setRolesByGroupId] = React.useState<RolesByGroupId>(
+    (() => {
+      const result: RolesByGroupId = {}
+      EDITABLE_ROLE_GROUPS.filter((g) =>
+        g.rules.editableByRoles.some(fp.isIn(me?.roles || []))
+      ).forEach((g) => {
+        result[g.id] = g.roles
+          .map(fp.prop('id'))
+          .filter(fp.isIn(me?.roles || []))
+      })
+      return result
+    })()
+  )
 
   const { data: countries } = useCountries()
   const { data: citySuggestions = [] } = useCitySearchSuggestion(
@@ -133,16 +154,16 @@ export const ProfileForm: React.FC<RootComponentProps> = ({ portals }) => {
       const c = cityValue[0]
       save({
         ...state,
-        department: state.department || '',
         country: state.country || '',
         city: c ? c.label : '',
         birthday: !state.birthday ? null : state.birthday,
         geodata: {
           doNotShareLocation: state.geodata?.doNotShareLocation || false,
         },
+        roles: Object.values(rolesByGroupId).flat(),
       })
     },
-    [state, cityValue]
+    [state, cityValue, rolesByGroupId]
   )
   const onShareLocationChange = () => {
     setState({
@@ -171,6 +192,24 @@ export const ProfileForm: React.FC<RootComponentProps> = ({ portals }) => {
     setIsChanged(true)
   }
 
+  const onToggleRole = React.useCallback(
+    (groupId: string, roleId: string) => (ev: React.MouseEvent) => {
+      const group = EDITABLE_ROLE_GROUPS.find(fp.propEq('id', groupId))!
+      setRolesByGroupId((value) => ({
+        ...value,
+        [groupId]: toggleInArray(
+          value[groupId],
+          roleId,
+          true,
+          group.rules.max,
+          true
+        ),
+      }))
+      setIsChanged(true)
+    },
+    []
+  )
+
   React.useEffect(() => {
     if (
       REQUIRED_FIELDS.every(
@@ -200,6 +239,31 @@ export const ProfileForm: React.FC<RootComponentProps> = ({ portals }) => {
           containerClassName="w-full"
           required={isRequired('fullName')}
         />
+        {EDITABLE_ROLE_GROUPS.filter((g) =>
+          g.rules.editableByRoles.some(fp.isIn(me?.roles || []))
+        ).map((g) => (
+          <div key={g.id}>
+            <LabelWrapper label={g.name}>
+              <div className="flex flex-wrap gap-2">
+                <div className="flex flex-wrap -mr-1 -mb-2">
+                  {g.roles.map((x) => (
+                    <Tag
+                      key={x.id}
+                      size="normal"
+                      color={
+                        rolesByGroupId[g.id].includes(x.id) ? 'purple' : 'gray'
+                      }
+                      className="mb-2 mr-1 cursor-pointer hover:opacity-80"
+                      onClick={onToggleRole(g.id, x.id)}
+                    >
+                      {x.name}
+                    </Tag>
+                  ))}
+                </div>
+              </div>
+            </LabelWrapper>
+          </div>
+        ))}
         {metadata?.birthday && (
           <Input
             type="date"
@@ -211,21 +275,6 @@ export const ProfileForm: React.FC<RootComponentProps> = ({ portals }) => {
             containerClassName="w-full"
           />
         )}
-        {metadata?.department && (
-          <Select
-            name="department"
-            options={config.departments.map((x) => ({
-              value: x,
-              label: x,
-            }))}
-            value={state.department || undefined}
-            placeholder={metadata.department.placeholder}
-            label={metadata.department.label}
-            onChange={onChangeForm('department')}
-            required={isRequired('department')}
-            containerClassName="w-full"
-          />
-        )}
         {metadata?.team && (
           <Input
             type="text"
diff --git a/src/modules/users/client/components/UserRolesEditorModal.tsx b/src/modules/users/client/components/UserRolesEditorModal.tsx
new file mode 100644
index 00000000..c73e79c9
--- /dev/null
+++ b/src/modules/users/client/components/UserRolesEditorModal.tsx
@@ -0,0 +1,185 @@
+import * as React from 'react'
+import config from '#client/config'
+import {
+  Tag as TagSpan,
+  UserLabel,
+  Modal,
+  FButton,
+  ButtonsWrapper,
+} from '#client/components/ui'
+import { User } from '#shared/types'
+import * as fp from '#shared/utils/fp'
+import { USER_ROLE_BY_ID } from '#client/constants'
+import { toggleInArray } from '#client/utils'
+
+type GroupedRoleIds = Record<string, string[]>
+
+export const UserRolesEditorModal: React.FC<{
+  user: User
+  onClose: () => void
+  onChange: (roles: string[]) => void
+}> = ({ user, ...props }) => {
+  const [changed, setChanged] = React.useState(false)
+  const [unsupportedRoleIds, setUnsupportedRoleIds] = React.useState<string[]>(
+    user.roles.filter((x) => !USER_ROLE_BY_ID[x])
+  )
+  const [groupedRoleIds, setGroupedRoleIds] = React.useState<GroupedRoleIds>(
+    (() => {
+      const res: GroupedRoleIds = {}
+      config.roleGroups.forEach((g) => {
+        res[g.id] = g.roles
+          .filter(fp.propIn('id', user.roles))
+          .map(fp.prop('id'))
+      })
+      return res
+    })()
+  )
+
+  const unsupportedUserRoles = React.useMemo(() => {
+    return unsupportedRoleIds.map((x) => ({
+      id: x,
+      name: x,
+      accessByDefault: false,
+      lowPriority: false,
+    }))
+  }, [unsupportedRoleIds])
+
+  const onToggleRole = React.useCallback(
+    (groupId: string, roleId: string) => (ev: React.MouseEvent) => {
+      ev.preventDefault()
+      setChanged(true)
+      const rules = config.roleGroups.find(fp.propEq('id', groupId))!.rules
+      setGroupedRoleIds((value) => {
+        return {
+          ...value,
+          [groupId]: toggleInArray(
+            value[groupId],
+            roleId,
+            false,
+            rules.max || undefined,
+            true
+          ),
+        }
+      })
+    },
+    []
+  )
+
+  const onToggleUnsupportedRole = React.useCallback(
+    (roleId: string) => (ev: React.MouseEvent) => {
+      ev.preventDefault()
+      setChanged(true)
+      setUnsupportedRoleIds((ids) => toggleInArray(ids, roleId))
+    },
+    []
+  )
+
+  const onCloseSafe = React.useCallback(() => {
+    if (changed) {
+      if (window.confirm('You have unsaved changes. Close anyway?')) {
+        props.onClose()
+      }
+      return
+    }
+    props.onClose()
+  }, [props.onClose, changed])
+
+  const onSave = React.useCallback(() => {
+    props.onChange([
+      ...unsupportedRoleIds,
+      ...Object.values(groupedRoleIds).flat(),
+    ])
+    props.onClose()
+  }, [props.onChange, props.onClose, groupedRoleIds, unsupportedRoleIds])
+
+  return (
+    <Modal title="Roles editor" size="normal" onClose={onCloseSafe}>
+      <div className="mb-6">
+        <UserLabel user={user} />
+      </div>
+
+      {!!unsupportedUserRoles.length && (
+        <div className="mb-12">
+          <div className="mb-2">
+            <div className="font-semibold">Unsupported roles</div>
+            <div className="text-sm text-text-disabled">
+              The following roles are not supported by the current configuration
+              of the app. You can only deselect them. Make sure that these roles
+              are not used in other parts of the app.
+            </div>
+          </div>
+          <div className="flex flex-wrap -mr-1 mb-3">
+            {unsupportedUserRoles.map((x) => (
+              <TagSpan
+                key={x.id}
+                size="normal"
+                color="red"
+                className="mb-2 mr-1 cursor-pointer hover:opacity-80"
+                onClick={onToggleUnsupportedRole(x.id)}
+              >
+                {x.name}{' '}
+                <span className="text-text-disabled italic">UNSUPPORTED</span>
+              </TagSpan>
+            ))}
+          </div>
+        </div>
+      )}
+
+      {config.roleGroups.map((g, i) => (
+        <div key={g.id} className="mb-4">
+          {!!i && <hr className="mb-4" />}
+          <div className="mb-2">
+            <div className="font-semibold">{g.name}</div>
+            <div className="text-sm">
+              {!!g.rules.max && (
+                <span className="text-text-disabled">
+                  Only {g.rules.max} role{g.rules.max > 1 && 's'} can be
+                  selected.{' '}
+                </span>
+              )}
+              {!!g.rules.unique && (
+                <span className="text-text-disabled">
+                  Unique role per user.{' '}
+                </span>
+              )}
+              {!!g.rules.editableByRoles.length && (
+                <div className="text-text-disabled">
+                  Users with the following roles can change these roles in the
+                  profile form:{' '}
+                  {g.rules.editableByRoles
+                    .map((x) => USER_ROLE_BY_ID[x].name)
+                    .join(', ')}
+                  .
+                </div>
+              )}
+            </div>
+          </div>
+          <div className="flex flex-wrap -mr-1 mb-3">
+            {g.roles.map((x) => (
+              <TagSpan
+                key={x.id}
+                size="normal"
+                color={groupedRoleIds[g.id].includes(x.id) ? 'blue' : 'gray'}
+                className="mb-2 mr-1 cursor-pointer hover:opacity-80"
+                onClick={onToggleRole(g.id, x.id)}
+              >
+                {x.name}
+              </TagSpan>
+            ))}
+          </div>
+        </div>
+      ))}
+
+      <ButtonsWrapper
+        right={[
+          <FButton kind="secondary" onClick={props.onClose}>
+            Cancel
+          </FButton>,
+          <FButton kind="primary" onClick={onSave} disabled={!changed}>
+            Save
+          </FButton>,
+        ]}
+      />
+    </Modal>
+  )
+}
diff --git a/src/modules/users/client/components/UsersMap.tsx b/src/modules/users/client/components/UsersMap.tsx
index eebec13e..44d84960 100644
--- a/src/modules/users/client/components/UsersMap.tsx
+++ b/src/modules/users/client/components/UsersMap.tsx
@@ -46,10 +46,7 @@ const PersonRow: React.FC<{ person: UserMapPin }> = ({ person }) => (
       >
         {person.fullName}
       </a>
-      <p>
-        {person.jobTitle ?? ''} {person.team ? `@ ${person.team}` : ''}{' '}
-        {person.department ? `- ${person.department}` : ' '}
-      </p>
+      <p>{[person.jobTitle, person.team].filter(Boolean).join(' · ')}</p>
     </div>
   </div>
 )
diff --git a/src/modules/users/client/components/Welcome.tsx b/src/modules/users/client/components/Welcome.tsx
index 3aabe3c9..de29be28 100644
--- a/src/modules/users/client/components/Welcome.tsx
+++ b/src/modules/users/client/components/Welcome.tsx
@@ -22,7 +22,7 @@ import config from '#client/config'
 import * as stores from '#client/stores'
 import { ProfileField, OnboardingProfileRequest, Tag } from '#shared/types'
 import { toggleInArray } from '#client/utils'
-import { groupBy, pick, prop } from '#shared/utils/fp'
+import * as fp from '#shared/utils/fp'
 import { PermissionsValidator } from '#client/components/PermissionsValidator'
 import Permissions from '#shared/permissions'
 import {
@@ -34,6 +34,12 @@ import {
   useTags,
 } from '../queries'
 
+const EDITABLE_ROLE_GROUPS = config.roleGroups.filter(
+  (x) => x.rules.editableByRoles.length
+)
+
+type RolesByGroupId = Record<string, string[]>
+
 enum ScreenName {
   General = 'General',
   Contacts = 'Contacts',
@@ -53,13 +59,13 @@ export const _Welcome: React.FC = () => {
   const me = useStore(stores.me)
 
   const [state, setState] = React.useState<OnboardingProfileRequest>({
-    department: me?.department || '',
     team: me?.team || '',
     jobTitle: me?.jobTitle || '',
     country: me?.country || '',
     city: me?.city || '',
     tagIds: [],
     contacts: me?.contacts ?? {},
+    roles: me?.roles || [], // will be overwritten in the `onSubmitForm` function
   })
 
   const { data: metadata = null, isFetched: isMetadataFetched } = useMetadata()
@@ -109,7 +115,7 @@ export const _Welcome: React.FC = () => {
   const stepComponents = {
     [ScreenName.General]: (
       <GeneralInfo
-        formData={pick(['jobTitle', 'country', 'city', 'department', 'team'])(
+        formData={fp.pick(['jobTitle', 'country', 'city', 'team', 'roles'])(
           state
         )}
         onSubmit={onSubmitStep()}
@@ -156,14 +162,31 @@ export const _Welcome: React.FC = () => {
   )
 }
 
-type GeneralInfoFormData = Pick<OnboardingProfileRequest, 'city' | 'country'> &
-  Partial<Pick<OnboardingProfileRequest, 'jobTitle' | 'department' | 'team'>>
+type GeneralInfoFormData = Pick<
+  OnboardingProfileRequest,
+  'city' | 'country' | 'roles'
+> &
+  Partial<Pick<OnboardingProfileRequest, 'jobTitle' | 'team'>>
 
 const GeneralInfo: React.FC<{
   formData: GeneralInfoFormData
   onSubmit: (value: GeneralInfoFormData) => void
 }> = ({ formData, onSubmit }) => {
+  const me = useStore(stores.me)
   const [state, setState] = React.useState(formData)
+  const [rolesByGroupId, setRolesByGroupId] = React.useState<RolesByGroupId>(
+    (() => {
+      const result: RolesByGroupId = {}
+      EDITABLE_ROLE_GROUPS.filter((g) =>
+        g.rules.editableByRoles.some(fp.isIn(me?.roles || []))
+      ).forEach((g) => {
+        result[g.id] = g.roles
+          .map(fp.prop('id'))
+          .filter(fp.isIn(formData.roles))
+      })
+      return result
+    })()
+  )
 
   const [cityQuery, setCityQuery] = React.useState('')
   const [cityOption, setCityOption] = React.useState<TypeaheadInputOption[]>([])
@@ -200,9 +223,25 @@ const GeneralInfo: React.FC<{
   const onSubmitClick = React.useCallback(
     (ev: React.MouseEvent) => {
       ev.preventDefault()
-      onSubmit(state)
+      onSubmit({ ...state, roles: Object.values(rolesByGroupId).flat() })
     },
-    [state]
+    [state, rolesByGroupId]
+  )
+  const onToggleRole = React.useCallback(
+    (groupId: string, roleId: string) => (ev: React.MouseEvent) => {
+      const group = EDITABLE_ROLE_GROUPS.find(fp.propEq('id', groupId))!
+      setRolesByGroupId((value) => ({
+        ...value,
+        [groupId]: toggleInArray(
+          value[groupId],
+          roleId,
+          true,
+          group.rules.max,
+          true
+        ),
+      }))
+    },
+    []
   )
 
   React.useEffect(() => {
@@ -218,37 +257,49 @@ const GeneralInfo: React.FC<{
   }, [])
 
   const generalInfoConfigured =
-    !!metadata && (metadata.department || metadata.team || metadata.jobTitle)
+    !!metadata && (metadata.team || metadata.jobTitle)
   return (
     <div>
       <H1 className="my-10">Complete Setting Up Your Profile</H1>
       {generalInfoConfigured && (
         <div className="my-10">
           <FormLabel>General Information</FormLabel>
-          <P className="text-text-tertiary">
+          <P className="text-text-tertiary mb-4">
             Specify what you're working on for hub members who'll be interested
             in collaborating on new projects
           </P>
-          {!!metadata.department && (
-            <Select
-              name="department"
-              options={config.departments.map((x) => ({
-                value: x,
-                label: x,
-              }))}
-              value={state.department || undefined}
-              placeholder={metadata.department.placeholder}
-              className="w-full"
-              containerClassName="mb-4"
-              onChange={(value) =>
-                setState((x) => ({ ...x, department: value }))
-              }
-              required={true}
-            />
-          )}
+
+          {EDITABLE_ROLE_GROUPS.filter((g) =>
+            g.rules.editableByRoles.some(fp.isIn(me?.roles || []))
+          ).map((g) => (
+            <div key={g.id} className="mb-4">
+              <LabelWrapper label={g.name}>
+                <div className="flex flex-wrap gap-2">
+                  <div className="flex flex-wrap -mr-1 -mb-2">
+                    {g.roles.map((x) => (
+                      <TagSpan
+                        key={x.id}
+                        size="normal"
+                        color={
+                          rolesByGroupId[g.id].includes(x.id)
+                            ? 'purple'
+                            : 'gray'
+                        }
+                        className="mb-2 mr-1 cursor-pointer hover:opacity-80"
+                        onClick={onToggleRole(g.id, x.id)}
+                      >
+                        {x.name}
+                      </TagSpan>
+                    ))}
+                  </div>
+                </div>
+              </LabelWrapper>
+            </div>
+          ))}
 
           {!!metadata?.team && (
             <Input
+              label={metadata.team.label}
               name="team"
               type="text"
               placeholder={metadata.team.placeholder}
@@ -263,6 +314,7 @@ const GeneralInfo: React.FC<{
 
           {!!metadata.jobTitle && (
             <Input
+              label={metadata.jobTitle.label}
               name="jobTitle"
               type="text"
               placeholder={metadata.jobTitle.placeholder}
@@ -277,7 +329,7 @@ const GeneralInfo: React.FC<{
       )}
       <div className="my-10">
         <FormLabel>What is you permanent Location?</FormLabel>
-        <P className="text-text-tertiary">
+        <P className="text-text-tertiary mb-4">
           By knowing your timezone hub members would better adjust teamwork and
           meetings time
         </P>
@@ -329,13 +381,19 @@ const Contacts: React.FC<{
   onSubmit: (value: { contacts: Record<string, string> }) => void
   onMoveBack: () => void
 }> = ({ metadata, onSubmit, onMoveBack }) => {
+  const me = useStore(stores.me)
   const metadataFields = Object.keys(metadata)
   const [state, setState] = React.useState<Record<string, string>>({})
   const [isValid, setIsValid] = React.useState(false)
 
-  const requiredFieldsIds: string[] = metadataFields.filter(
-    (contactId) => metadata[contactId].required
-  )
+  const requiredFieldsIds: string[] = metadataFields.filter((contactId) => {
+    const contactField = metadata[contactId]
+    const userRoles = me?.roles || []
+    return (
+      contactField.required ||
+      fp.hasIntersection(contactField.requiredForRoles, userRoles)
+    )
+  })
 
   const [selectedFieldIds, setSelectedFieldIds] =
     React.useState<string[]>(requiredFieldsIds)
@@ -410,7 +468,7 @@ const Contacts: React.FC<{
                   }
                   label={x.label}
                   containerClassName="w-full mb-4"
-                  required={x.required}
+                  required={requiredFieldsIds.includes(x.id)}
                 />
               )
             })}
@@ -469,7 +527,7 @@ const Tags: React.FC<{
     React.useState<string[]>(presavedTagIds)
 
   const groupedTags = React.useMemo<GroupedTags>(() => {
-    const tagsByCategory = (tags || []).reduce(groupBy('category'), {})
+    const tagsByCategory = (tags || []).reduce(fp.groupBy('category'), {})
     return Object.keys(tagsByCategory).map((x) => ({
       category: x,
       tags: tagsByCategory[x],
@@ -500,7 +558,7 @@ const Tags: React.FC<{
   // DELETE: ?
   React.useEffect(() => {
     if (userTags.length) {
-      setSelectedTagIds(userTags.map(prop('id')))
+      setSelectedTagIds(userTags.map(fp.prop('id')))
     }
   }, [userTags])
 
diff --git a/src/modules/users/client/components/index.ts b/src/modules/users/client/components/index.ts
index 3a2e9ba8..c91dba8c 100644
--- a/src/modules/users/client/components/index.ts
+++ b/src/modules/users/client/components/index.ts
@@ -15,3 +15,4 @@ export { UsersMap } from './UsersMap'
 export { UsersMapPage } from './UsersMapPage'
 export { UsersMapWidget } from './UsersMapWidget'
 export { Welcome } from './Welcome'
+export { UserRolesEditorModal } from './UserRolesEditorModal'
diff --git a/src/modules/users/client/queries.ts b/src/modules/users/client/queries.ts
index 260dd1b2..adff98d1 100644
--- a/src/modules/users/client/queries.ts
+++ b/src/modules/users/client/queries.ts
@@ -79,20 +79,8 @@ export const useMapStats = () => {
   )
 }
 
-export const useUserAdmin = (
-  userId: string,
-  { enabled } = { enabled: true }
-) => {
-  const path = `/admin-api/users/users/${userId}`
-  return useQuery<User, AxiosError>(
-    path,
-    async () => (await api.get<User>(path)).data,
-    { enabled }
-  )
-}
-
 export const useUpdateUserAdmin = (cb: () => void) =>
-  useMutation<void, AxiosError, Pick<User, 'role' | 'id'>>(
+  useMutation<void, AxiosError, Pick<User, 'id' | 'roles'>>(
     ({ id, ...data }) => api.put(`/admin-api/users/user/${id}`, data),
     { onSuccess: cb }
   )
@@ -123,7 +111,7 @@ export const useSubmitOnboarding = (cb: () => void) =>
   )
 
 export const usePublicProfile = (userId: string | null) => {
-  const path = `/user-api/users/user/${userId}`
+  const path = `/user-api/users/profile/${userId}`
   return useQuery<PublicUserProfile, AxiosError>(
     path,
     async () => (await api.get<PublicUserProfile>(path)).data,
@@ -131,6 +119,18 @@ export const usePublicProfile = (userId: string | null) => {
   )
 }
 
+export const useUserCompact = (
+  userId: string | null,
+  { enabled } = { enabled: true }
+) => {
+  const path = `/user-api/users/user/${userId}`
+  return useQuery<UserCompact, AxiosError>(
+    path,
+    async () => (await api.get<UserCompact>(path)).data,
+    { enabled }
+  )
+}
+
 export const useCountries = () => {
   const path = '/user-api/users/countries'
   return useQuery<CountryQueryResponse, AxiosError>(
diff --git a/src/modules/users/metadata-schema.ts b/src/modules/users/metadata-schema.ts
index 72251b04..ffbc253c 100644
--- a/src/modules/users/metadata-schema.ts
+++ b/src/modules/users/metadata-schema.ts
@@ -4,6 +4,7 @@ const contactFieldSchema = z.object({
   label: z.string().optional(),
   placeholder: z.string().optional(),
   required: z.boolean().optional(),
+  requiredForRoles: z.array(z.string()).default([]),
   prefix: z.string().optional(), // Optional because not all fields have it
 })
 
@@ -19,7 +20,6 @@ export const schema = z
   .object({
     profileFields: z.object({
       birthday: profileFieldSchema.optional(),
-      department: profileFieldSchema.optional(),
       team: profileFieldSchema.optional(),
       jobTitle: profileFieldSchema.optional(),
       bio: profileFieldSchema.optional(),
diff --git a/src/modules/users/server/migrations/20231206175252_users_add-roles-list.js b/src/modules/users/server/migrations/20231206175252_users_add-roles-list.js
new file mode 100644
index 00000000..709fdcfd
--- /dev/null
+++ b/src/modules/users/server/migrations/20231206175252_users_add-roles-list.js
@@ -0,0 +1,39 @@
+// @ts-check
+const { Sequelize, DataTypes } = require('sequelize')
+
+module.exports = {
+  async up({ context: queryInterface, appConfig }) {
+    await queryInterface.sequelize.transaction(async (transaction) => {
+      await queryInterface.addColumn(
+        'users',
+        'roles',
+        {
+          type: DataTypes.ARRAY(DataTypes.STRING),
+          allowNull: false,
+          defaultValue: [],
+        },
+        { transaction }
+      )
+      await queryInterface.sequelize.query(
+        `
+        UPDATE users
+        SET roles = ARRAY[role]::varchar[]
+        WHERE role IS NOT NULL;
+      `,
+        { transaction }
+      )
+      await queryInterface.changeColumn(
+        'users',
+        'role',
+        {
+          type: DataTypes.STRING,
+          allowNull: true,
+        },
+        { transaction }
+      )
+    })
+  },
+  async down({ context: queryInterface, appConfig }) {
+    await queryInterface.removeColumn('users', 'roles')
+  },
+}
diff --git a/src/modules/users/server/models/user.ts b/src/modules/users/server/models/user.ts
index 4d786423..64a71e3c 100644
--- a/src/modules/users/server/models/user.ts
+++ b/src/modules/users/server/models/user.ts
@@ -21,7 +21,7 @@ import { Tag } from './tag'
 import { appConfig } from '#server/app-config'
 import dayjs from 'dayjs'
 
-type UserCreateFields = Pick<UserModel, 'fullName' | 'email' | 'role'> &
+type UserCreateFields = Pick<UserModel, 'fullName' | 'email' | 'roles'> &
   Partial<UserModel>
 
 export class User
@@ -29,16 +29,16 @@ export class User
   implements UserModel
 {
   declare id: CreationOptional<string>
-  declare role: UserModel['role']
+  // declare role: UserModel['role'] TODO: migration: delete column
+  declare roles: UserModel['roles']
   declare fullName: UserModel['fullName']
   declare birthday: UserModel['birthday']
   declare email: UserModel['email']
   declare stealthMode: UserModel['stealthMode']
   declare avatar: UserModel['avatar']
-  declare department: UserModel['department']
+  // declare department: UserModel['department'] TODO: migration: delete column
   declare team: UserModel['team']
   declare jobTitle: UserModel['jobTitle']
-  declare division: UserModel['division']
   declare country: UserModel['country']
   declare city: UserModel['city']
   declare contacts: UserModel['contacts']
@@ -70,12 +70,22 @@ export class User
         'avatar',
         'email',
         'isInitialised',
-        'role',
-        'division',
+        'roles',
       ],
     })
   }
 
+  useCompactView(): UserCompact {
+    return {
+      id: this.id,
+      fullName: this.fullName,
+      avatar: this.avatar,
+      email: this.email,
+      isInitialised: this.isInitialised,
+      roles: this.roles,
+    }
+  }
+
   useMeView(): UserMe {
     const country = COUNTRIES.find((x) => x.code === this.country) || null
     return { ...this.toJSON(), countryName: country?.name || null }
@@ -107,7 +117,6 @@ export class User
       birthday: this.birthday,
       email: this.email,
       avatar: this.avatar,
-      department: this.department,
       team: this.team,
       jobTitle: this.jobTitle,
       country: hideGeoData ? null : this.country,
@@ -118,7 +127,7 @@ export class User
       geodata: this.geodata,
       defaultLocation: hideGeoData ? null : this.defaultLocation,
       tags,
-      role: this.role,
+      roles: this.roles,
     }
   }
 
@@ -179,7 +188,7 @@ export class User
   async anonymize(this: User): Promise<User> {
     const shortId = this.id.split('-').reverse()[0]
     return this.set({
-      role: appConfig.lowPriorityRole,
+      roles: [appConfig.lowPriorityRole],
       fullName: shortId,
       birthday: null,
       email: `${shortId}@delet.ed`,
@@ -208,9 +217,10 @@ User.init(
       allowNull: false,
       primaryKey: true,
     },
-    role: {
-      type: DataTypes.STRING,
+    roles: {
+      type: DataTypes.ARRAY(DataTypes.STRING),
       allowNull: false,
+      defaultValue: [],
     },
     fullName: {
       type: DataTypes.STRING,
@@ -236,14 +246,6 @@ User.init(
       type: DataTypes.STRING,
       allowNull: true,
     },
-    division: {
-      type: DataTypes.STRING,
-      allowNull: true,
-    },
-    department: {
-      type: DataTypes.STRING,
-      allowNull: true,
-    },
     team: {
       type: DataTypes.STRING,
       allowNull: true,
diff --git a/src/modules/users/server/router.ts b/src/modules/users/server/router.ts
index 387368b0..a32ad6b0 100644
--- a/src/modules/users/server/router.ts
+++ b/src/modules/users/server/router.ts
@@ -1,13 +1,19 @@
+import dayjs from 'dayjs'
 import { FastifyPluginCallback, FastifyRequest } from 'fastify'
 import { Filterable, Op } from 'sequelize'
 import { appConfig } from '#server/app-config'
 import config from '#server/config'
-import { COUNTRIES, COUNTRY_COORDINATES, DATE_FORMAT } from '#server/constants'
-import { AuthAccount, DefaultPermissionPostfix } from '#shared/types'
+import {
+  COUNTRIES,
+  COUNTRY_COORDINATES,
+  DATE_FORMAT,
+  ADMIN_ACCESS_PERMISSION_RE,
+} from '#server/constants'
+import { AuthAccount } from '#shared/types'
+import * as fp from '#shared/utils/fp'
 import { Permissions } from '../permissions'
 import {
   AuthProvider,
-  ProfileField,
   GeoData,
   ImportedTag,
   ImportedTagGroup,
@@ -23,7 +29,7 @@ import {
   getUserProviderQuery,
   removeAuthId,
 } from './helpers'
-import dayjs from 'dayjs'
+
 import { Metadata } from '../metadata-schema'
 
 const ROLES_ALLOWED_TO_BE_ON_MAP = appConfig.getRolesByPermission(
@@ -38,9 +44,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
 
   fastify.get('/me', async (req, reply) => {
     return {
-      isAdmin: req.permissions.some((x) =>
-        x.endsWith(DefaultPermissionPostfix.Admin)
-      ),
+      isAdmin: req.permissions.some((x) => ADMIN_ACCESS_PERMISSION_RE.test(x)),
       user: req.user.useMeView(), // FIXME: store countryName in the database (geodata)
       permissions: Array.from(req.permissions),
     }
@@ -87,11 +91,20 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
         )
       }
 
+      // process roles
+      const mergeRolesRequest = appConfig.validateAndMergeEditableRoles(
+        req.user.roles,
+        req.body.roles
+      )
+      if (!mergeRolesRequest.success) {
+        return reply.throw.badParams(mergeRolesRequest.error.message)
+      }
+      const roles = mergeRolesRequest.data
+
       await req.user
         .set({
           fullName: req.body.fullName,
           birthday: req.body.birthday,
-          department: req.body.department,
           team: req.body.team,
           jobTitle: req.body.jobTitle,
           country: req.body.country,
@@ -109,6 +122,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
             appConfig.offices[0].id,
             appConfig.offices
           ),
+          roles,
         })
         .save()
       return reply.ok()
@@ -125,8 +139,15 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
       if (req.user.isInitialised) {
         return reply.throw.rejected()
       }
+      const mergeRolesRequest = appConfig.validateAndMergeEditableRoles(
+        req.user.roles,
+        req.body.roles || []
+      )
+      if (!mergeRolesRequest.success) {
+        return reply.throw.badParams(mergeRolesRequest.error.message)
+      }
+      const roles = mergeRolesRequest.data
       const userData: Partial<User> = {
-        department: req.body.department || null,
         team: req.body.team || null,
         jobTitle: req.body.jobTitle || null,
         country: req.body.country || null,
@@ -138,6 +159,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
           appConfig.offices
         ),
         contacts: req.body.contacts,
+        roles,
       }
 
       // build `geodata` field
@@ -177,10 +199,10 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
 
   // NOTE: temporary route for the onboarding demo
   fastify.get('/me/reset', async (req, reply) => {
-    req.check(Permissions.UseOnboarding, Permissions.AdminManage)
+    req.check(Permissions.UseOnboarding)
+    req.check(Permissions.AdminManage)
     await req.user
       .set({
-        department: null,
         team: null,
         jobTitle: null,
         country: null,
@@ -232,7 +254,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
   )
 
   fastify.get(
-    '/user/:userId',
+    '/profile/:userId',
     async (req: FastifyRequest<{ Params: { userId: string } }>, reply) => {
       req.check(Permissions.ListProfiles)
       const user = await fastify.db.User.findByPkActive(req.params.userId, {
@@ -251,6 +273,18 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
     }
   )
 
+  fastify.get(
+    '/user/:userId',
+    async (req: FastifyRequest<{ Params: { userId: string } }>, reply) => {
+      req.check(Permissions.ListProfiles)
+      const user = await fastify.db.User.findByPkActive(req.params.userId)
+      if (!user) {
+        return reply.throw.notFound()
+      }
+      return user.useCompactView()
+    }
+  )
+
   fastify.post(
     '/user/batch',
     async (req: FastifyRequest<{ Body: string[] }>, reply) => {
@@ -356,7 +390,8 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
   )
 
   fastify.get('/me/tags', async (req, reply) => {
-    req.check(Permissions.ManageProfile, Permissions.ListProfiles)
+    req.check(Permissions.ManageProfile)
+    req.check(Permissions.ListProfiles)
     // FIXME: missed types for sequelize lazy loading methods (many-to-many relation)
     // @ts-ignore
     const tags = (await req.user.getTags()) as Tag[]
@@ -382,7 +417,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
     return fastify.db.User.findAllActive({
       where: {
         [Op.and]: [
-          { role: { [Op.in]: ROLES_ALLOWED_TO_BE_ON_MAP } },
+          { roles: { [Op.overlap]: ROLES_ALLOWED_TO_BE_ON_MAP } },
           { 'geodata.doNotShareLocation': 'false' },
           { 'geodata.coordinates': { [Op.ne]: '[0, 0]' } },
         ],
@@ -395,7 +430,6 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
         'email',
         'avatar',
         'city',
-        'department',
         'team',
       ],
     })
@@ -406,7 +440,7 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
     const users = await fastify.db.User.findAllActive({
       where: {
         [Op.and]: [
-          { role: { [Op.in]: ROLES_ALLOWED_TO_BE_ON_MAP } },
+          { roles: { [Op.overlap]: ROLES_ALLOWED_TO_BE_ON_MAP } },
           { 'geodata.doNotShareLocation': 'false' },
           { country: { [Op.ne]: null } },
         ],
@@ -581,49 +615,71 @@ const adminRouter: FastifyPluginCallback = async function (fastify, opts) {
     }
   )
 
-  fastify.get(
-    '/users/:userId',
-    async (req: FastifyRequest<{ Params: { userId: string } }>, reply) => {
-      return fastify.db.User.findByPkActive(req.params.userId)
-    }
-  )
-
   fastify.put(
     '/user/:userId',
     async (
       req: FastifyRequest<{
         Params: { userId: string }
-        Body: Pick<User, 'role'>
+        Body: Pick<User, 'roles'>
       }>,
       reply
     ) => {
       req.check(Permissions.AdminAssignRoles)
-      if (
-        !appConfig.config.permissions.roles.some((x) => x.id === req.body.role)
-      ) {
-        return reply.throw.badParams('Invalid role')
+
+      const newRoleIds = req.body.roles
+      const roleGroups = appConfig.config.permissions.roleGroups
+      const availableRoles = roleGroups.map(fp.prop('roles')).flat()
+
+      // check for conflicts
+      for (const roleGroup of roleGroups) {
+        if (roleGroup.rules.unique) {
+          const availableRoles = roleGroup.roles.map(fp.prop('id'))
+          const roles = newRoleIds.filter(fp.isIn(availableRoles))
+          if (!roles.length) continue
+          const users = await fastify.db.User.findAll({
+            where: {
+              id: { [Op.not]: req.params.userId },
+              roles: {
+                [Op.overlap]: roles,
+              },
+            },
+          })
+          if (users.length) {
+            return reply.throw.badParams(
+              `Roles from the ${
+                roleGroup.name
+              } group should be unique. Conflicts with users: ${users
+                .map(fp.prop('email'))
+                .join(', ')}`
+            )
+          }
+        }
       }
+
+      // sort roles array before saving
+      const roles = appConfig.sortRoles(newRoleIds)
+
       const user = await fastify.db.User.findByPkActive(req.params.userId)
       if (!user) {
         return reply.throw.notFound()
       }
-      const previousRole = user.role
-      await user.set({ role: req.body.role }).save()
+      const previousRoles = [...user.roles]
+      await user.set({ roles }).save()
+
       if (fastify.integrations.Matrix) {
-        const rolesById = appConfig.config.permissions.roles.reduce(
-          (acc, x) => ({ ...acc, [x.id]: x }),
-          {} as Record<string, any>
+        const rolesById = availableRoles.reduce(fp.by('id'), {})
+        const previousRoleNames = previousRoles.map(
+          (x) => rolesById[x]?.name || x
         )
-        const previousRoleName = rolesById[previousRole]?.name || previousRole
-        const targetRoleName = rolesById[req.body.role]?.name || req.body.role
+        const targetRoleNames = newRoleIds.map((x) => rolesById[x]?.name || x)
         const message = appConfig.templates.notification(
           'users',
           'roleChanged',
           {
             admin: req.user.usePublicProfileView(),
             user: user.usePublicProfileView(),
-            previousRoleName,
-            targetRoleName,
+            previousRoleNames,
+            targetRoleNames,
           }
         )
         if (message) {
diff --git a/src/modules/users/templates/notification.yaml b/src/modules/users/templates/notification.yaml
index 029d030c..d8155523 100644
--- a/src/modules/users/templates/notification.yaml
+++ b/src/modules/users/templates/notification.yaml
@@ -1,2 +1,12 @@
 roleChanged: |
-  {{ admin.fullName }} ({{ admin.email }}) assigned {{ user.fullName }}'s ({{ user.email }}) role: "{{ previousRoleName }}" -> "{{ targetRoleName }}"
+  {{ admin.fullName }} ({{ admin.email }}) updated {{ user.fullName }}'s ({{ user.email }}) roles set:
+  <br>
+  Previous:
+  {{#previousRoleNames}}
+    <code>{{.}}</code>
+  {{/previousRoleNames}}
+  <br>
+  New:
+  {{#targetRoleNames}}
+    <code>{{.}}</code>
+  {{/targetRoleNames}}
diff --git a/src/modules/users/types.ts b/src/modules/users/types.ts
index 6b629cd4..b3d12c8b 100644
--- a/src/modules/users/types.ts
+++ b/src/modules/users/types.ts
@@ -1,15 +1,13 @@
 export interface User {
   id: string
-  role: string
+  roles: string[]
   fullName: string
   birthday: string | null
   email: string
   stealthMode: boolean
   avatar: string | null
-  department: string | null
   team: string | null
   jobTitle: string | null
-  division: string | null
   country: string | null
   city: string | null
   contacts: Record<string, string>
@@ -56,19 +54,18 @@ export interface Session {
 }
 
 export type OnboardingProfileRequest = {
-  department: string | null
   team: string | null
   jobTitle: string | null
   country: string | null
   city: string | null
   contacts: Record<string, string>
   tagIds: string[]
+  roles: string[]
 }
 
 export type ProfileRequest = {
   fullName: string
   birthday: string | null
-  department: string
   team: string
   jobTitle: string
   country: string
@@ -77,10 +74,10 @@ export type ProfileRequest = {
   geodata?: GeoData
   defaultLocation: string | null
   contacts: Record<string, string> | null
+  roles: string[]
 }
 
-export type ProfileFormData = Omit<ProfileRequest, 'department' | 'country'> & {
-  department: string | null
+export type ProfileFormData = Omit<ProfileRequest, 'country'> & {
   country: string | null
   contacts: Record<string, string> | null
 }
@@ -92,7 +89,7 @@ export type UserMe = User & {
 
 export type UserCompact = Pick<
   User,
-  'id' | 'fullName' | 'email' | 'avatar' | 'isInitialised' | 'role' | 'division'
+  'id' | 'fullName' | 'email' | 'avatar' | 'isInitialised' | 'roles'
 >
 
 export type PublicUserProfile = Pick<
@@ -102,7 +99,6 @@ export type PublicUserProfile = Pick<
   | 'birthday'
   | 'email'
   | 'avatar'
-  | 'department'
   | 'team'
   | 'jobTitle'
   | 'country'
@@ -111,7 +107,7 @@ export type PublicUserProfile = Pick<
   | 'bio'
   | 'geodata'
   | 'defaultLocation'
-  | 'role'
+  | 'roles'
 > & {
   countryName: string | null
   tags: Tag[]
@@ -130,7 +126,6 @@ export type UserMapPin = Pick<
   | 'id'
   | 'fullName'
   | 'avatar'
-  | 'department'
   | 'team'
   | 'jobTitle'
   | 'country'
@@ -203,6 +198,7 @@ export type ProfileField = {
   required: boolean
   placeholder?: string
   prefix?: string
+  requiredForRoles: string[]
 }
 
 export type ProfileFieldsMetadata = {
@@ -211,7 +207,6 @@ export type ProfileFieldsMetadata = {
 
 export type ProfileMetadata = {
   birthday: ProfileField
-  department: ProfileField
   team: ProfileField
   jobTitle: ProfileField
   bio: ProfileField
diff --git a/src/modules/visits/client/components/AdminVisits.tsx b/src/modules/visits/client/components/AdminVisits.tsx
index f3438c69..b8cd8159 100644
--- a/src/modules/visits/client/components/AdminVisits.tsx
+++ b/src/modules/visits/client/components/AdminVisits.tsx
@@ -14,14 +14,18 @@ import { useUsersCompact } from '#modules/users/client/queries'
 import { useUpdateVisitAdmin, useVisitsAdmin } from '../queries'
 import { VisitStatusTag } from './VisitStatusTag'
 
-export const AdminVisits: React.FC<RootComponentProps> = ({ portals }) => (
-  <PermissionsValidator
-    required={[Permissions.visits.__Admin, Permissions.visits.AdminList]}
-    onRejectGoHome
-  >
-    <_AdminVisits portals={portals} />
-  </PermissionsValidator>
-)
+export const AdminVisits: React.FC<RootComponentProps> = ({ portals }) => {
+  const officeId = useStore(stores.officeId)
+  return (
+    <PermissionsValidator
+      officeId={officeId}
+      required={[Permissions.visits.__Admin, Permissions.visits.AdminList]}
+      onRejectGoHome
+    >
+      <_AdminVisits portals={portals} />
+    </PermissionsValidator>
+  )
+}
 
 export const _AdminVisits: React.FC<RootComponentProps> = ({ portals }) => {
   useDocumentTitle('Visits')
diff --git a/src/modules/visits/client/components/VisitDetail.tsx b/src/modules/visits/client/components/VisitDetail.tsx
index 1a299ce0..ab18f58c 100644
--- a/src/modules/visits/client/components/VisitDetail.tsx
+++ b/src/modules/visits/client/components/VisitDetail.tsx
@@ -16,7 +16,7 @@ import { propEq } from '#shared/utils/fp'
 import { useStore } from '@nanostores/react'
 import dayjs from 'dayjs'
 import React from 'react'
-import { useUserAdmin } from '#modules/users/client/queries'
+import { useUserCompact } from '#modules/users/client/queries'
 import {
   useUpdateVisit,
   useUpdateVisitAdmin,
@@ -38,7 +38,7 @@ export const _VisitDetail = () => {
   const page = useStore(stores.router)
   const visitId = page?.route === 'visit' ? page.params.visitId : ''
   const { data: visit = null, refetch: refetchVisit } = useVisit(visitId)
-  const { data: user = null } = useUserAdmin(visit?.userId || '', {
+  const { data: user = null } = useUserCompact(visit?.userId || '', {
     enabled: !!visit && visit.userId !== me?.id,
   })
   const { data: areas = [] } = useVisitsAreas(visit?.officeId || '', {
diff --git a/src/modules/visits/client/components/VisitRequestForm.tsx b/src/modules/visits/client/components/VisitRequestForm.tsx
index 04ab9b90..605162d5 100644
--- a/src/modules/visits/client/components/VisitRequestForm.tsx
+++ b/src/modules/visits/client/components/VisitRequestForm.tsx
@@ -24,11 +24,18 @@ type VisitRequestStep =
   | 'wait-for-confirmation'
   | 'needs_confirmation'
 
-export const VisitRequestForm = () => (
-  <PermissionsValidator required={[Permissions.visits.Create]} onRejectGoHome>
-    <_VisitRequestForm />
-  </PermissionsValidator>
-)
+export const VisitRequestForm = () => {
+  const officeId = useStore(stores.officeId)
+  return (
+    <PermissionsValidator
+      officeId={officeId}
+      required={[Permissions.visits.Create]}
+      onRejectGoHome
+    >
+      <_VisitRequestForm />
+    </PermissionsValidator>
+  )
+}
 
 export const _VisitRequestForm: React.FC = () => {
   useDocumentTitle('Office visit request')
diff --git a/src/modules/visits/server/helpers/index.ts b/src/modules/visits/server/helpers/index.ts
index 43321272..c925e361 100644
--- a/src/modules/visits/server/helpers/index.ts
+++ b/src/modules/visits/server/helpers/index.ts
@@ -56,7 +56,7 @@ export const getFullBookableAreas = (
   areas
     .filter((a) => a.bookable)
     .map((a) => {
-      const desk = a.desks.find((d) => d.type === 'full_area')
+      const desk = a.desks.find((d) => d.fullAreaBooking)
       return desk ? { areaId: a.id, deskId: desk.id } : null
     })
     .filter(Boolean)
diff --git a/src/modules/visits/server/router.ts b/src/modules/visits/server/router.ts
index 6e43b170..32fd4c9f 100644
--- a/src/modules/visits/server/router.ts
+++ b/src/modules/visits/server/router.ts
@@ -11,6 +11,7 @@ import {
 import config from '#server/config'
 import { OfficeArea, Office } from '#server/app-config/types'
 import { appEvents } from '#server/utils/app-events'
+import * as fp from '#shared/utils/fp'
 import {
   getConflictedVisits,
   getFullBookableAreas,
@@ -49,10 +50,10 @@ const publicRouter: FastifyPluginCallback = async (fastify, opts) => {
 
 const userRouter: FastifyPluginCallback = async (fastify, opts) => {
   fastify.get('/notice', async (req: FastifyRequest, reply) => {
-    req.check(Permissions.Create)
     if (!req.office) {
       return reply.throw.badParams('Missing office ID')
     }
+    req.check(Permissions.Create, req.office.id)
     return appConfig.templates.text(mId, 'visitNotice', {
       officeId: req.office,
     })
@@ -67,10 +68,10 @@ const userRouter: FastifyPluginCallback = async (fastify, opts) => {
       }>,
       reply
     ) => {
-      req.check(Permissions.Create)
       if (!req.office) {
         return reply.throw.badParams('Missing office ID')
       }
+      req.check(Permissions.Create, req.office.id)
       if (!req.office.allowDeskReservation) {
         return reply.throw.misconfigured(
           `The ${req.office.name} office doesn't support desk reservation`
@@ -102,18 +103,20 @@ const userRouter: FastifyPluginCallback = async (fastify, opts) => {
       }>,
       reply
     ) => {
-      req.check(Permissions.Create)
       if (!req.params.visitId) {
         return reply.throw.badParams()
       }
-      const where: Filterable<Visit>['where'] = { id: req.params.visitId }
-      if (!req.can(Permissions.AdminList)) {
-        where.userId = req.user.id
-      }
-      const visit = await fastify.db.Visit.findOne({ where })
+      const visit = await fastify.db.Visit.findByPk(req.params.visitId)
       if (!visit) {
         return reply.throw.notFound()
       }
+      req.check(Permissions.Create, visit.officeId)
+      if (
+        req.user.id !== visit.id &&
+        !req.can(Permissions.AdminManage, visit.officeId)
+      ) {
+        return reply.throw.accessDenied()
+      }
       return reply.send(visit)
     }
   )
@@ -127,20 +130,21 @@ const userRouter: FastifyPluginCallback = async (fastify, opts) => {
       }>,
       reply
     ) => {
-      req.check(Permissions.Create)
       const visitId = req.params.visitId
       const status = req.body.status
-
-      const where: Filterable<Visit>['where'] = { id: req.params.visitId }
-      if (!req.can(Permissions.AdminManage)) {
-        where.userId = req.user.id
-      }
-      const visit = await fastify.db.Visit.findOne({ where })
+      const visit = await fastify.db.Visit.findByPk(visitId)
       if (!visit) {
         return reply.throw.notFound()
       }
+      req.check(Permissions.Create, visit.officeId)
+      if (
+        req.user.id !== visit.userId &&
+        !req.can(Permissions.AdminManage, visit.officeId)
+      ) {
+        return reply.throw.accessDenied()
+      }
 
-      if (visit.status !== 'confirmed' && req.body.status !== 'cancelled') {
+      if (visit.status !== 'confirmed' && status !== 'cancelled') {
         return reply.throw.rejected()
       }
       await fastify.db.Visit.update({ status }, { where: { id: visitId } })
@@ -190,10 +194,10 @@ const userRouter: FastifyPluginCallback = async (fastify, opts) => {
   fastify.get(
     '/occupancy',
     async (req: FastifyRequest<{ Reply: VisitsOccupancy }>, reply) => {
-      req.check(Permissions.Create)
       if (!req.office) {
         return reply.throw.badParams('Missing office ID')
       }
+      req.check(Permissions.Create, req.office.id)
       if (!req.office.allowDeskReservation) {
         return reply.throw.misconfigured(
           `The ${req.office.name} office doesn't support desk reservation`
@@ -247,10 +251,10 @@ const userRouter: FastifyPluginCallback = async (fastify, opts) => {
   fastify.get(
     '/areas',
     async (req: FastifyRequest<{ Reply: OfficeArea[] }>, reply) => {
-      req.check(Permissions.Create)
       if (!req.office) {
         return reply.throw.badParams('Missing office ID')
       }
+      req.check(Permissions.Create, req.office.id)
       if (!req.office.allowDeskReservation) {
         return reply.throw.misconfigured(
           `The ${req.office.name} office doesn't support desk reservation`
@@ -263,7 +267,10 @@ const userRouter: FastifyPluginCallback = async (fastify, opts) => {
   fastify.post(
     '/visit',
     async (req: FastifyRequest<{ Body: VisitsCreationRequest }>, reply) => {
-      req.check(Permissions.Create)
+      if (!req.body.officeId) {
+        return reply.throw.badParams()
+      }
+      req.check(Permissions.Create, req.body.officeId)
       let visits: Array<PickedVisit> = []
       for (const visitsGroup of req.body.visits) {
         for (const date of visitsGroup.dates) {
@@ -326,7 +333,7 @@ const userRouter: FastifyPluginCallback = async (fastify, opts) => {
             )
           }
 
-          // "full_area" areaId + deskId pairs
+          // "fullAreaBooking" areaId + deskId pairs
           const bookableAreaDeskPairs = getFullBookableAreas(office.areas!)
 
           // check whether the requested desks are in fully booked areas
@@ -443,10 +450,10 @@ const userRouter: FastifyPluginCallback = async (fastify, opts) => {
       }>,
       reply
     ) => {
-      req.check(Permissions.Create)
       if (!req.office) {
         return reply.throw.badParams('Missing office ID')
       }
+      // req.check(Permissions.Create, req.office.id)
       if (!req.office.allowDeskReservation) {
         return reply.throw.misconfigured(
           `The ${req.office.name} office doesn't support desk reservation`
@@ -477,7 +484,7 @@ const userRouter: FastifyPluginCallback = async (fastify, opts) => {
         fullBookableAreas
       )
 
-      const desks = req.office
+      const allDesks = req.office
         .areas!.filter((a) => a.available)
         .map((a) =>
           a.desks.map((d) => ({
@@ -486,14 +493,40 @@ const userRouter: FastifyPluginCallback = async (fastify, opts) => {
             type: d.type,
             user: d.user,
             multiple: d.allowMultipleBookings,
+            permittedRoles: d.permittedRoles,
           }))
         )
         .flat()
+
+      const deskRoles = Array.from(
+        new Set(
+          allDesks
+            .filter((x) => x.permittedRoles.length)
+            .map((x) => x.permittedRoles)
+            .flat()
+        )
+      )
+      const usersWithDeskRoles = await fastify.db.User.findAll({
+        where: { roles: { [Op.overlap]: deskRoles } },
+      })
+      const deskRolesPresented = deskRoles.filter((x) =>
+        usersWithDeskRoles.some((u) => u.roles.includes(x))
+      )
+
+      const desks = allDesks
         .filter((x) => {
           // desk is in the fully reserved area
           if (reservedAreaIds.includes(x.areaId)) {
             return false
           }
+          // desk is only available for specified list of roles
+          if (x.permittedRoles.length) {
+            if (x.permittedRoles.some((x) => deskRolesPresented.includes(x))) {
+              if (!x.permittedRoles.some((x) => req.user.roles.includes(x))) {
+                return false
+              }
+            }
+          }
           // Desk can be booked multiple times
           if (x.multiple) {
             return true
@@ -518,6 +551,7 @@ const userRouter: FastifyPluginCallback = async (fastify, opts) => {
           )
         })
         .map((x) => ({ areaId: x.areaId, deskId: x.deskId }))
+
       return desks
     }
   )
@@ -531,10 +565,10 @@ const userRouter: FastifyPluginCallback = async (fastify, opts) => {
       }>,
       reply
     ) => {
-      req.check(Permissions.ListVisitors)
       if (!req.office) {
         return reply.throw.badParams('Missing office ID')
       }
+      req.check(Permissions.ListVisitors, req.office.id)
       if (!req.office.allowDeskReservation) {
         return reply.throw.misconfigured(
           `The ${req.office.name} office doesn't support desk reservation`
@@ -571,7 +605,6 @@ const userRouter: FastifyPluginCallback = async (fastify, opts) => {
   fastify.post(
     '/stealth',
     async (req: FastifyRequest<{ Body: { stealthMode: boolean } }>, reply) => {
-      req.check(Permissions.ListVisitors)
       await fastify.db.User.update(
         { stealthMode: req.body.stealthMode },
         { where: { id: req.user.id } }
@@ -591,10 +624,10 @@ const adminRouter: FastifyPluginCallback = async (fastify, opts) => {
       }>,
       reply
     ) => {
-      req.check(Permissions.AdminList)
       if (!req.office) {
         return reply.throw.badParams('Missing office ID')
       }
+      req.check(Permissions.AdminList, req.office.id)
       const dates = req.query['dates[]']
       const where: Filterable<Visit>['where'] = { officeId: req.office.id }
       if (dates?.length) {
@@ -616,13 +649,13 @@ const adminRouter: FastifyPluginCallback = async (fastify, opts) => {
       }>,
       reply
     ) => {
-      req.check(Permissions.AdminList, Permissions.AdminManage)
       const visitId = req.params.visitId
       const status = req.body.status
       const visit = await fastify.db.Visit.findByPk(req.params.visitId)
       if (!visit) {
         return reply.throw.notFound()
       }
+      req.check(Permissions.AdminManage, visit.officeId)
       await fastify.db.Visit.update({ status }, { where: { id: visitId } })
       // Send user notification to the user via Matrix
       if (fastify.integrations.Matrix) {
@@ -665,7 +698,7 @@ const adminRouter: FastifyPluginCallback = async (fastify, opts) => {
           )
         }
       }
-      appEvents.useModule('admin').emit('update_counters')
+      // appEvents.useModule('admin').emit('update_counters')
       return reply.code(200).send()
     }
   )
diff --git a/src/modules/working-hours/client/components/AdminWorkingHours.tsx b/src/modules/working-hours/client/components/AdminWorkingHours.tsx
index 92d4e49d..f964efc5 100644
--- a/src/modules/working-hours/client/components/AdminWorkingHours.tsx
+++ b/src/modules/working-hours/client/components/AdminWorkingHours.tsx
@@ -1,5 +1,6 @@
 import * as React from 'react'
 import dayjs, { Dayjs } from 'dayjs'
+import config from '#client/config'
 import {
   Button,
   H1,
@@ -10,9 +11,9 @@ import {
   Tag,
   UserLabel,
 } from '#client/components/ui'
-import { by, groupBy, propEq, sortBy } from '#shared/utils/fp'
+import { by, groupBy, pick, propEq, propIn, sortBy } from '#shared/utils/fp'
 import { formatDateRange } from '#client/utils'
-import { DATE_FORMAT } from '#client/constants'
+import { DATE_FORMAT, USER_ROLES } from '#client/constants'
 import { useUsersCompact } from '#modules/users/client/queries'
 import {
   useAdminEntries,
@@ -53,7 +54,7 @@ type Unit = 'week' | 'month'
 export const AdminWorkingHours: React.FC = () => {
   const [offset, setOffset] = React.useState<number>(0)
   const [unit, setUnit] = React.useState<Unit>('week')
-  const [division, setDivision] = React.useState<string>('')
+  const [role, setRole] = React.useState<string>('')
   const [showExportModal, setShowExportModal] = React.useState(false)
   const [shownUser, setShownUser] = React.useState<UserCompact | null>(null)
 
@@ -65,7 +66,7 @@ export const AdminWorkingHours: React.FC = () => {
     return [start, end]
   }, [offset, unit])
 
-  const { data: configByDivision = {} } = useAdminConfig()
+  const { data: configByRole = {} } = useAdminConfig()
   const { data: entries = [] } = useAdminEntries(
     period[0].format(DATE_FORMAT),
     period[1].format(DATE_FORMAT),
@@ -77,7 +78,7 @@ export const AdminWorkingHours: React.FC = () => {
     null
   )
   const { data: userConfigs = [] } = useAdminUserConfigs({
-    division,
+    role,
   })
 
   const userConfigByUserId = React.useMemo(
@@ -85,14 +86,16 @@ export const AdminWorkingHours: React.FC = () => {
     [userConfigs]
   )
 
-  const divisions = React.useMemo(
-    () => Object.keys(configByDivision),
-    [configByDivision]
-  )
+  const roles = React.useMemo(() => {
+    const allowedRoles = Object.keys(configByRole)
+    return USER_ROLES.filter((x) => allowedRoles.includes(x.id)).map(
+      pick(['id', 'name'])
+    )
+  }, [configByRole])
 
   const moduleConfig = React.useMemo(
-    () => (division ? configByDivision[division] : null),
-    [configByDivision, division]
+    () => (role ? configByRole[role] : null),
+    [configByRole, role]
   )
 
   const { data: users = [] } = useUsersCompact(undefined, {
@@ -124,7 +127,10 @@ export const AdminWorkingHours: React.FC = () => {
 
   const userWorkingHours = React.useMemo<UserWorkingHours[]>(() => {
     return users
-      .filter((user) => user.division === division)
+      .filter((user) => {
+        const userRole = roles.find(propIn('id', user.roles))
+        return userRole?.id === role
+      })
       .map((user) => {
         const workingHours = calculateTotalWorkingHours(
           entriesByUser[user.id] || []
@@ -164,7 +170,8 @@ export const AdminWorkingHours: React.FC = () => {
   }, [
     entriesByUser,
     users,
-    division,
+    role,
+    roles,
     moduleConfig,
     unit,
     period,
@@ -184,14 +191,9 @@ export const AdminWorkingHours: React.FC = () => {
         {
           Header: 'User',
           accessor: (x: UserWorkingHours) => {
-            return <UserLabel user={x.user} hideRole />
+            return <UserLabel user={x.user} />
           },
         },
-        {
-          Header: 'Division',
-          accessor: (x: UserWorkingHours) =>
-            x.user.division || <span className="text-gray-300">UNKNOWN</span>,
-        },
         {
           Header: 'Working hours',
           accessor: (x: UserWorkingHours) => {
@@ -261,10 +263,10 @@ export const AdminWorkingHours: React.FC = () => {
   )
 
   React.useEffect(() => {
-    if (divisions.length) {
-      setDivision(divisions[0])
+    if (roles.length) {
+      setRole(roles[0].id)
     }
-  }, [divisions])
+  }, [roles])
 
   const isQueryParamsHandled = React.useRef<boolean>(false)
 
@@ -355,14 +357,14 @@ export const AdminWorkingHours: React.FC = () => {
             containerClassName="mr-2"
           />
 
-          {/* division picker */}
+          {/* role picker */}
           <Select
             className="py-[5px]"
-            options={divisions.map((x) => ({ value: x, label: x }))}
-            value={division}
+            options={roles.map((x) => ({ value: x.id, label: x.name }))}
+            value={role}
             onChange={(value) => {
               setOffset(0)
-              setDivision(value)
+              setRole(value)
             }}
           />
         </div>
@@ -393,7 +395,7 @@ export const AdminWorkingHours: React.FC = () => {
       {showExportModal && (
         <WorkingHoursExportModal
           onClose={() => setShowExportModal(false)}
-          divisions={divisions}
+          roles={roles}
           defaultPeriod={period}
         />
       )}
diff --git a/src/modules/working-hours/client/components/WorkingHoursExportModal.tsx b/src/modules/working-hours/client/components/WorkingHoursExportModal.tsx
index b62196fc..3b78d09e 100644
--- a/src/modules/working-hours/client/components/WorkingHoursExportModal.tsx
+++ b/src/modules/working-hours/client/components/WorkingHoursExportModal.tsx
@@ -6,26 +6,26 @@ import { DATE_FORMAT } from '#client/constants'
 
 export const WorkingHoursExportModal: React.FC<{
   onClose: () => void
-  divisions: string[]
+  roles: Array<{ id: string; name: string }>
   defaultPeriod: [Dayjs, Dayjs]
-}> = ({ onClose, divisions, defaultPeriod }) => {
+}> = ({ onClose, roles, defaultPeriod }) => {
   const [period, setPeriod] = React.useState<{ from: Dayjs; to: Dayjs }>({
     from: defaultPeriod[0],
     to: defaultPeriod[1],
   })
-  const [division, setDivision] = React.useState<string>('')
+  const [role, setRole] = React.useState<string>('')
   const [roundUp, setRoundUp] = React.useState(false)
 
   const exportUrl = React.useMemo(() => {
     const url = new URL(config.appHost + '/admin-api/working-hours/export')
     url.searchParams.set('from', period.from.format(DATE_FORMAT))
     url.searchParams.set('to', period.to.format(DATE_FORMAT))
-    url.searchParams.set('division', division)
+    url.searchParams.set('role', role)
     if (roundUp) {
       url.searchParams.set('roundUp', '1')
     }
     return url.toString()
-  }, [period, division, roundUp])
+  }, [period, role, roundUp])
 
   const onPeriodChange = React.useCallback(
     (field: 'from' | 'to') => (date: string | boolean) => {
@@ -38,10 +38,10 @@ export const WorkingHoursExportModal: React.FC<{
   )
 
   React.useEffect(() => {
-    if (divisions.length) {
-      setDivision(divisions[0])
+    if (roles.length) {
+      setRole(roles[0].id)
     }
-  }, [divisions])
+  }, [roles])
 
   return (
     <Modal onClose={onClose} title="Export working hours">
@@ -64,11 +64,11 @@ export const WorkingHoursExportModal: React.FC<{
           </div>
         </div>
         <div>
-          <div className="text-text-tertiary mb-1">Division</div>
+          <div className="text-text-tertiary mb-1">Role</div>
           <Select
-            options={divisions.map((x) => ({ value: x, label: x }))}
-            value={division}
-            onChange={setDivision}
+            options={roles.map((x) => ({ value: x.id, label: x.name }))}
+            value={role}
+            onChange={setRole}
           />
         </div>
         <div>
diff --git a/src/modules/working-hours/client/components/WorkingHoursUserModal.tsx b/src/modules/working-hours/client/components/WorkingHoursUserModal.tsx
index 34e39b35..cb69b225 100644
--- a/src/modules/working-hours/client/components/WorkingHoursUserModal.tsx
+++ b/src/modules/working-hours/client/components/WorkingHoursUserModal.tsx
@@ -245,7 +245,7 @@ export const WorkingHoursUserModal: React.FC<{
   return (
     <Modal onClose={onClose} title="User working hours" size="wide">
       <div className="flex flex-col gap-y-6">
-        <UserLabel user={user} hideRole />
+        <UserLabel user={user} />
         <div>Agreed working week: {mergedModuleConfig.weeklyWorkingHours}h</div>
         <div className="flex">
           <div className="flex-1">
diff --git a/src/modules/working-hours/client/queries.ts b/src/modules/working-hours/client/queries.ts
index b40918fc..d5899d1a 100644
--- a/src/modules/working-hours/client/queries.ts
+++ b/src/modules/working-hours/client/queries.ts
@@ -194,21 +194,21 @@ export const useAdminUserConfigs = (
     | {
         userId: string
       }
-    | { division: string }
+    | { role: string }
 ) => {
   const path = '/admin-api/working-hours/user-configs'
-  const query: { userId?: string; division?: string } = {}
+  const query: { userId?: string; role?: string } = {}
   if ('userId' in opts) {
     query.userId = opts.userId
   }
-  if ('division' in opts) {
-    query.division = opts.division
+  if ('role' in opts) {
+    query.role = opts.role
   }
   return useQuery<WorkingHoursUserConfig[], AxiosError>(
     [path, query],
     async ({ queryKey }) =>
       (await api.get<WorkingHoursUserConfig[]>(path, { params: queryKey[1] }))
         .data,
-    { enabled: !!query.userId || !!query.division }
+    { enabled: !!query.userId || !!query.role }
   )
 }
diff --git a/src/modules/working-hours/metadata-schema.ts b/src/modules/working-hours/metadata-schema.ts
index 13466010..62ca7aa9 100644
--- a/src/modules/working-hours/metadata-schema.ts
+++ b/src/modules/working-hours/metadata-schema.ts
@@ -4,7 +4,7 @@ const timeSchema = z.string().regex(/^([0-1][0-9]|2[0-3]):[0-5][0-9]$/)
 
 export const schema = z
   .object({
-    configByDivision: z.record(
+    configByRole: z.record(
       z
         .object({
           workingDays: z.array(z.number().min(0).max(6)).min(1),
diff --git a/src/modules/working-hours/server/jobs/fetch-default-working-hours.ts b/src/modules/working-hours/server/jobs/fetch-default-working-hours.ts
index 8b2e1dc7..baf408c4 100644
--- a/src/modules/working-hours/server/jobs/fetch-default-working-hours.ts
+++ b/src/modules/working-hours/server/jobs/fetch-default-working-hours.ts
@@ -8,31 +8,23 @@ export const cronJob: CronJob = {
   name: 'fetch-default-hours-reminder',
   cron: '0 21 * * 0-4', // daily Sun-Thu at 9PM
   fn: async (ctx: CronJobContext) => {
-    if (!ctx.integrations.Matrix) {
-      ctx.log.error(
-        'Cannot send working hours reminders: disabled Matrix integration.'
-      )
-      return
-    }
     if (!ctx.integrations.BambooHR) {
-      ctx.log.error(
-        'Cannot send working hours reminders: disabled Matrix integration.'
-      )
+      ctx.log.error('Cannot run the job: disabled BambooHR integration.')
       return
     }
 
     const moduleMetadata = ctx.appConfig.getModuleMetadata(
       'working-hours'
     ) as Metadata
-    const configByDivision = moduleMetadata?.configByDivision as Record<
+    const configByRole = moduleMetadata?.configByRole as Record<
       string,
       WorkingHoursConfig
     >
-    const divisions = Object.keys(configByDivision)
+    const allowedRoles = Object.keys(configByRole)
 
     const users = await ctx.models.User.findAllActive({
       where: {
-        division: { [Op.in]: divisions },
+        roles: { [Op.overlap]: allowedRoles },
         isInitialised: true,
       },
     })
diff --git a/src/modules/working-hours/server/jobs/working-hours-reminder.ts b/src/modules/working-hours/server/jobs/working-hours-reminder.ts
index 60517c66..ac2e13c8 100644
--- a/src/modules/working-hours/server/jobs/working-hours-reminder.ts
+++ b/src/modules/working-hours/server/jobs/working-hours-reminder.ts
@@ -20,11 +20,11 @@ export const cronJob: CronJob = {
     const moduleMetadata = ctx.appConfig.getModuleMetadata(
       'working-hours'
     ) as Metadata
-    const configByDivision = moduleMetadata?.configByDivision as Record<
+    const configByRole = moduleMetadata?.configByRole as Record<
       string,
       WorkingHoursConfig
     >
-    const divisions = Object.keys(configByDivision)
+    const allowedRoles = Object.keys(configByRole)
 
     const lastWorkingDay = getPreviousWeekday()
     const today = dayjs()
@@ -55,7 +55,7 @@ export const cronJob: CronJob = {
     const users = await ctx.models.User.findAllActive({
       where: {
         id: { [Op.notIn]: excludedUserIds },
-        division: { [Op.in]: divisions },
+        roles: { [Op.overlap]: allowedRoles },
         isInitialised: true,
         // NOTE: test mode
         email: { [Op.in]: config.workingHoursTestGroup },
@@ -82,7 +82,8 @@ export const cronJob: CronJob = {
 
     const report = { succeeded: 0, failed: 0 }
     for (const user of users) {
-      const config = configByDivision[user.division || '']
+      const userRole = user.roles.find((x) => allowedRoles.includes(x))
+      const config = configByRole[userRole || '']
       if (!config) continue
       const response = await ctx.integrations.Matrix.sendMessageToUser(
         user,
diff --git a/src/modules/working-hours/server/router.ts b/src/modules/working-hours/server/router.ts
index 625ced63..62030063 100644
--- a/src/modules/working-hours/server/router.ts
+++ b/src/modules/working-hours/server/router.ts
@@ -51,11 +51,16 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
       return null
     }
     const metadata = appConfig.getModuleMetadata('working-hours') as Metadata
-    if (!metadata || !req.user.division) return null
-    const divisionConfig = metadata.configByDivision[req.user.division] || null
-    if (!divisionConfig) return null
+    if (!metadata) return null
+
+    const allowedRoles = Object.keys(metadata.configByRole)
+    const userRole = req.user.roles.find((x) => allowedRoles.includes(x))
+    if (!userRole) return null
+
+    const roleConfig = metadata.configByRole[userRole] || null
+    if (!roleConfig) return null
     const result: WorkingHoursConfig = {
-      ...divisionConfig,
+      ...roleConfig,
       personalDefaultEntries: [],
     }
 
@@ -376,7 +381,7 @@ const adminRouter: FastifyPluginCallback = async function (fastify, opts) {
   fastify.get('/config', async (req: FastifyRequest, reply) => {
     req.check(Permissions.AdminList)
     const metadata = appConfig.getModuleMetadata('working-hours') as Metadata
-    return metadata.configByDivision
+    return metadata.configByRole
   })
 
   fastify.get(
@@ -448,7 +453,7 @@ const adminRouter: FastifyPluginCallback = async function (fastify, opts) {
     async (
       req: FastifyRequest<{
         Querystring: {
-          division?: string
+          role?: string
           userId?: string
         }
       }>,
@@ -456,19 +461,17 @@ const adminRouter: FastifyPluginCallback = async function (fastify, opts) {
     ) => {
       req.check(Permissions.AdminList)
       const metadata = appConfig.getModuleMetadata('working-hours') as Metadata
-      const divisions = Object.keys(metadata.configByDivision)
+      const allowedRoles = Object.keys(metadata.configByRole)
 
       const where: WhereOptions<WorkingHoursUserConfig> = {}
       if (req.query.userId) {
         where['userId'] = req.query.userId
-      } else if (req.query.division) {
-        if (!divisions.includes(req.query.division)) {
-          return reply.throw.badParams(
-            `Unknown division "${req.query.division}"`
-          )
+      } else if (req.query.role) {
+        if (!allowedRoles.includes(req.query.role)) {
+          return reply.throw.badParams(`Unknown role "${req.query.role}"`)
         }
         const userIds = await fastify.db.User.findAllActive({
-          where: { division: req.query.division },
+          where: { roles: { [Op.contains]: [req.query.role] } },
           attributes: ['id'],
         }).then(map(prop('id')))
         where['userId'] = { [Op.in]: userIds }
@@ -486,7 +489,7 @@ const adminRouter: FastifyPluginCallback = async function (fastify, opts) {
     async (
       req: FastifyRequest<{
         Querystring: {
-          division: string
+          role: string
           from: string
           to: string
           roundUp?: string
@@ -495,19 +498,19 @@ const adminRouter: FastifyPluginCallback = async function (fastify, opts) {
       reply
     ) => {
       req.check(Permissions.AdminList)
-      if (!req.query.division || !req.query.from || !req.query.to) {
+      if (!req.query.role || !req.query.from || !req.query.to) {
         return reply.throw.badParams('Missing parameters')
       }
       const metadata = appConfig.getModuleMetadata('working-hours') as Metadata
       if (
         !metadata ||
-        !req.query.division ||
-        !metadata.configByDivision[req.query.division]
+        !req.query.role ||
+        !metadata.configByRole[req.query.role]
       ) {
-        return reply.throw.misconfigured('Unsuported division')
+        return reply.throw.misconfigured('Unsuported role')
       }
-      const moduleConfig = metadata.configByDivision[
-        req.query.division
+      const moduleConfig = metadata.configByRole[
+        req.query.role
       ] as WorkingHoursConfig
 
       const roundUp = !!req.query.roundUp
@@ -523,7 +526,7 @@ const adminRouter: FastifyPluginCallback = async function (fastify, opts) {
       )
 
       const users = await fastify.db.User.findAll({
-        where: { division: req.query.division },
+        where: { roles: { [Op.contains]: [req.query.role] } },
       })
       const userConfigs = await fastify.db.WorkingHoursUserConfig.findAll({
         where: { userId: { [Op.in]: users.map(prop('id')) } },
@@ -717,7 +720,7 @@ const adminRouter: FastifyPluginCallback = async function (fastify, opts) {
       const csvContent = csvParser.unparse(csvRows)
       reply.headers({
         'Content-Type': 'text/csv',
-        'Content-Disposition': `attachment; filename=time-tracking-${req.query.division}-${req.query.from}-${req.query.to}.csv`,
+        'Content-Disposition': `attachment; filename=time-tracking-${req.query.role}-${req.query.from}-${req.query.to}.csv`,
         Pragma: 'no-cache',
       })
       return reply.code(200).send(csvContent)
@@ -739,16 +742,12 @@ const adminRouter: FastifyPluginCallback = async function (fastify, opts) {
       }
 
       const metadata = appConfig.getModuleMetadata('working-hours') as Metadata
-      if (
-        !metadata ||
-        !req.user.division ||
-        !metadata.configByDivision[req.user.division]
-      ) {
-        return reply.throw.misconfigured('Unsuported division')
+      const allowedRoles = Object.keys(metadata.configByRole)
+      const userRole = user.roles.find((x) => allowedRoles.includes(x))
+      if (!userRole) {
+        return reply.throw.misconfigured('Unsuported role')
       }
-      const moduleConfig = metadata.configByDivision[
-        req.user.division
-      ] as WorkingHoursConfig
+      const moduleConfig = metadata.configByRole[userRole] as WorkingHoursConfig
 
       const userConfig = await fastify.db.WorkingHoursUserConfig.findOne({
         where: { userId: user.id },
diff --git a/src/server/app-config/index.ts b/src/server/app-config/index.ts
index d8f75b8b..16619cea 100644
--- a/src/server/app-config/index.ts
+++ b/src/server/app-config/index.ts
@@ -6,6 +6,7 @@ import { safeRequire, getFilePath } from '#server/utils'
 import { PermissionsSet } from '#shared/utils'
 import * as fp from '#shared/utils/fp'
 import { log } from '#server/utils/log'
+import { SafeResponse } from '#server/types'
 import { AppTemplates } from './templates'
 import {
   AppModule,
@@ -13,6 +14,7 @@ import {
   IntegrationManifest,
   Office,
   AppConfigJson,
+  UserRole,
 } from './types'
 import * as schemas from './schemas'
 
@@ -28,6 +30,8 @@ class AppError extends Error {
 export class AppConfig {
   private superusers: Set<string> = new Set(config.superusers)
   private permissionsByRole!: Record<string, string[]>
+  private allRoles!: UserRole[]
+  private allRoleIds!: string[]
   private allPermissions!: string[]
 
   public config!: AppConfigJson
@@ -180,8 +184,31 @@ export class AppConfig {
     }
     this.integrations = integrations
 
+    // validate the `permittedRoles` lists for each desk
+    this.allRoles = this.config.permissions.roleGroups
+      .map(fp.prop('roles'))
+      .flat()
+    this.allRoleIds = this.allRoles.map(fp.prop('id'))
+    this.config.company.offices.forEach((o) => {
+      o.areas?.forEach((a) => {
+        a.desks.forEach((d) => {
+          if (d.permittedRoles.length) {
+            const unsupportedRole = d.permittedRoles.find(
+              (x) => !this.allRoleIds.includes(x)
+            )
+            if (unsupportedRole) {
+              throw new AppError(
+                `There is an unsupported role assigned to the "${o.id} ${a.id} ${d.id}" desk. Please change it to one of the roles listed in the "./config/permissions.json" file.`,
+                unsupportedRole
+              )
+            }
+          }
+        })
+      })
+    })
+
     // store permissions
-    this.permissionsByRole = this.config.permissions.roles.reduce((acc, x) => {
+    this.permissionsByRole = this.allRoles.reduce((acc, x) => {
       return { ...acc, [x.id]: x.permissions }
     }, {})
     this.allPermissions = appModules
@@ -231,7 +258,7 @@ export class AppConfig {
   getUserPermissions(
     email: string | null,
     authAddresses: string[],
-    role: string
+    roles: string[]
   ): PermissionsSet {
     if (email && this.superusers.has(email)) {
       return new PermissionsSet(this.allPermissions)
@@ -243,7 +270,9 @@ export class AppConfig {
         }
       }
     }
-    return new PermissionsSet(this.permissionsByRole[role] || [])
+    return new PermissionsSet(
+      roles.map((x) => this.permissionsByRole[x] || []).flat()
+    )
   }
 
   getModuleMetadata(moduleId: string): unknown | null {
@@ -262,10 +291,37 @@ export class AppConfig {
   }
 
   getRolesByPermission(permission: string): string[] {
-    return this.config.permissions.roles
+    return this.allRoles
       .filter((x) => x.permissions.includes(permission))
       .map((x) => x.id)
   }
+
+  sortRoles(roleIds: string[]): string[] {
+    const unsupportedRoles = roleIds.filter(fp.isNotIn(this.allRoleIds))
+    const allowedRoles = this.allRoleIds.filter(fp.isIn(roleIds))
+    return unsupportedRoles.concat(allowedRoles)
+  }
+
+  validateAndMergeEditableRoles(
+    userRoles: string[],
+    editedRoles: string[]
+  ): SafeResponse<string[]> {
+    const editableRoleGroups = appConfig.config.permissions.roleGroups.filter(
+      (x) =>
+        x.rules.editableByRoles.length &&
+        x.rules.editableByRoles.some(fp.isIn(userRoles))
+    )
+    const editableRoles = editableRoleGroups
+      .map(fp.prop('roles'))
+      .flat()
+      .map(fp.prop('id'))
+    if (editedRoles.some(fp.isNotIn(editableRoles))) {
+      return { success: false, error: new Error('Invalid roles') }
+    }
+    let roles = userRoles.filter(fp.isNotIn(editableRoles)) // non-editable roles
+    roles = roles.concat(editedRoles) // concat them with editable roles from the request
+    return { success: true, data: this.sortRoles(roles) }
+  }
 }
 
 export const appConfig = new AppConfig()
diff --git a/src/server/app-config/schemas.ts b/src/server/app-config/schemas.ts
index 2c2e3c8a..51edb932 100644
--- a/src/server/app-config/schemas.ts
+++ b/src/server/app-config/schemas.ts
@@ -52,9 +52,11 @@ export const officeAreaDesk = z
       y: z.number().min(0).max(100),
     }),
     allowMultipleBookings: z.boolean().default(false).optional(),
-    user: z.string().email().optional(),
+    fullAreaBooking: z.boolean().default(false),
+    permittedRoles: z.array(z.string()).default([]),
   })
   .and(
+    // TODO: delete `type` & `user` fields
     z.union([
       z.object({
         type: z.literal('personal'),
@@ -155,19 +157,38 @@ export const office = z
 export const companyConfig = z.object({
   name: z.string().nonempty(),
   offices: z.array(office).min(1),
-  departments: z.array(z.string()).min(1).optional(),
-  divisions: z.array(z.string()).min(1).optional(),
 })
 
-export const appRole = z.object({
+export const userRole = z.object({
   id: z.string(),
   name: z.string(),
-  permissions: z.array(z.string()),
+  permissions: z.array(z.string()).default([]),
   accessByDefault: z.boolean().default(false).optional(),
 })
 
+export const userRoleGroup = z.object({
+  id: z.string(),
+  name: z.string(),
+  rules: z
+    .object({
+      max: z.number().min(1).optional(),
+      unique: z.boolean().default(false),
+      editableByRoles: z.array(z.string()).default([]),
+    })
+    .superRefine((rules, ctx) => {
+      if (rules.unique && rules.editableByRoles.length) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          message: 'Unique fields cannot be editable by users',
+        })
+      }
+    })
+    .default({ max: undefined, unique: false }),
+  roles: z.array(userRole).min(1),
+})
+
 export const permissionsConfig = z.object({
-  roles: z.array(appRole).min(1),
+  roleGroups: z.array(userRoleGroup).min(1),
   defaultRoleByEmailDomain: z
     .record(z.string())
     .and(z.object({ __default: z.string() })),
diff --git a/src/server/app-config/types.ts b/src/server/app-config/types.ts
index e8a33088..301feeee 100644
--- a/src/server/app-config/types.ts
+++ b/src/server/app-config/types.ts
@@ -10,7 +10,8 @@ export type OfficeArea = z.infer<typeof schemas.officeArea>
 export type OfficeRoom = z.infer<typeof schemas.officeRoom>
 export type Office = z.infer<typeof schemas.office>
 export type CompanyConfig = z.infer<typeof schemas.companyConfig>
-export type AppRole = z.infer<typeof schemas.appRole>
+export type UserRole = z.infer<typeof schemas.userRole>
+export type UserRoleGroup = z.infer<typeof schemas.userRoleGroup>
 export type PermissionsConfig = z.infer<typeof schemas.permissionsConfig>
 export type ModuleConfig = z.infer<typeof schemas.moduleConfig>
 export type ModulesConfig = z.infer<typeof schemas.modulesConfig>
diff --git a/src/server/auth/providers/google/index.ts b/src/server/auth/providers/google/index.ts
index 719039c7..9fe90d0c 100644
--- a/src/server/auth/providers/google/index.ts
+++ b/src/server/auth/providers/google/index.ts
@@ -72,7 +72,7 @@ export const plugin: FastifyPluginCallback = async (
           fullName: data.name,
           email: data.email,
           avatar: data.picture,
-          role: appConfig.getDefaultUserRoleByEmail(data.email),
+          roles: [appConfig.getDefaultUserRoleByEmail(data.email)],
         })
       } else {
         await user.set({ avatar: data.picture }).save()
diff --git a/src/server/auth/providers/polkadot/index.ts b/src/server/auth/providers/polkadot/index.ts
index 8a330c7b..af7663bc 100644
--- a/src/server/auth/providers/polkadot/index.ts
+++ b/src/server/auth/providers/polkadot/index.ts
@@ -118,7 +118,7 @@ export const plugin: FastifyPluginCallback = async (
       const newUser = await fastify.db.User.create({
         authIds: authIds as AuthIds,
         fullName: '',
-        role: appConfig.lowPriorityRole,
+        roles: [appConfig.lowPriorityRole],
         isInitialised: false,
         email: '',
       })
diff --git a/src/server/constants.ts b/src/server/constants.ts
index e6f5bcff..d0c80593 100644
--- a/src/server/constants.ts
+++ b/src/server/constants.ts
@@ -2,12 +2,21 @@ export const ROBOT_USER_ID = '00000000-0000-0000-0000-000000000000'
 
 export const SESSION_TOKEN_COOKIE_NAME = 'hqappjwt'
 
+// TODO: implement shared constants and move it there
 export const DATE_FORMAT = 'YYYY-MM-DD'
 
 export const FRIENDLY_DATE_FORMAT = 'MMMM D YYYY'
 
 export const DATE_FORMAT_DAY_NAME = 'ddd, MMMM D'
 
+// TODO: implement shared constants and move it there
+export const ADMIN_ACCESS_PERMISSION_POSTFIX = '__admin'
+
+// TODO: implement shared constants and move it there
+export const ADMIN_ACCESS_PERMISSION_RE = new RegExp(
+  `^.*\.${ADMIN_ACCESS_PERMISSION_POSTFIX}`
+)
+
 export const COUNTRIES = [
   { name: 'Afghanistan', code: 'AF', emoji: '🇦🇫' },
   { name: 'Åland Islands', code: 'AX', emoji: '🇦🇽' },
diff --git a/src/server/module-router-plugin.ts b/src/server/module-router-plugin.ts
index 3b1f8637..ce50ffad 100644
--- a/src/server/module-router-plugin.ts
+++ b/src/server/module-router-plugin.ts
@@ -1,9 +1,12 @@
-import path from 'path'
 import Bottleneck from 'bottleneck'
 import { FastifyPluginCallback, FastifyRequest } from 'fastify'
 import nodeCron from 'node-cron'
-import { SESSION_TOKEN_COOKIE_NAME } from '#server/constants'
-import { appConfig, AppConfig } from '#server/app-config'
+import {
+  SESSION_TOKEN_COOKIE_NAME,
+  ADMIN_ACCESS_PERMISSION_POSTFIX,
+  ADMIN_ACCESS_PERMISSION_RE,
+} from '#server/constants'
+import { appConfig } from '#server/app-config'
 import config from '#server/config'
 import { sequelize } from '#server/db'
 import { safeRequire, getFilePath } from '#server/utils'
@@ -13,7 +16,6 @@ import {
   ConnectedModels,
   ConnectedIntegrations,
 } from '#server/types'
-import { DefaultPermissionPostfix } from '#shared/types'
 import { PermissionsSet } from '#shared/utils'
 import * as fp from '#shared/utils/fp'
 
@@ -125,16 +127,16 @@ export const moduleRouterPlugin =
                   req.permissions = appConfig.getUserPermissions(
                     user.email,
                     user.getAuthAddresses(),
-                    user.role
+                    user.roles
                   )
                 }
               }
             }
-            req.can = (permission: string) => {
-              return req.permissions.has(permission)
+            req.can = (permission: string, officeId?: string) => {
+              return req.permissions.has(permission, officeId)
             }
-            req.check = (...permissions: string[]) => {
-              if (!req.permissions.hasAll(permissions)) {
+            req.check = (permission: string, officeId?: string) => {
+              if (!req.can(permission, officeId)) {
                 reply.status(403)
                 throw new Error('Access denied')
               }
@@ -169,9 +171,11 @@ export const moduleRouterPlugin =
             if (moduleRouters.adminRouter) {
               fastify.register(async (fastify) => {
                 fastify.addHook('onRequest', async (req, reply) => {
-                  if (
-                    !req.can(`${module.id}.${DefaultPermissionPostfix.Admin}`)
-                  ) {
+                  const adminAccessPermission = `${module.id}.${ADMIN_ACCESS_PERMISSION_POSTFIX}`
+                  const canAccess = req.permissions.some((x) =>
+                    x.startsWith(adminAccessPermission)
+                  )
+                  if (!canAccess) {
                     return reply.throw.accessDenied()
                   }
                 })
@@ -223,9 +227,9 @@ export const moduleRouterPlugin =
     fastify.decorate('sequelize', sequelize)
   }
 
-const initialiseIntegrations = async (): Promise<
+async function initialiseIntegrations(): Promise<
   Record<string, { name: string; instance: any }>
-> => {
+> {
   const integrationById: Record<string, { name: string; instance: any }> = {}
   for (const appIntegration of appConfig.integrations) {
     const { default: Integration } = require(getFilePath(
diff --git a/src/server/types/index.ts b/src/server/types/index.ts
index af6e7448..c964e650 100644
--- a/src/server/types/index.ts
+++ b/src/server/types/index.ts
@@ -24,8 +24,8 @@ declare module 'fastify' {
   interface FastifyRequest {
     user: User
     permissions: PermissionsSet
-    can: (permission: string) => boolean
-    check: (...permissions: string[]) => void | never
+    can: (permission: string, officeId?: string) => boolean
+    check: (permission: string, officeId?: string) => void | never
     office?: Office
   }
   interface FastifyReply {
@@ -66,7 +66,6 @@ export type GoogleParsedStateQueryParam = Record<
   string | null
 >
 
-export type SafeResponse<T = undefined> =
-  | { success: true; data: T extends undefined ? never : T }
-  | { success: false; error: Error }
-  | { success: true }
+export type SafeResponse<T = undefined> = T extends undefined
+  ? { success: true } | { success: false; error: Error }
+  : { success: true; data: T } | { success: false; error: Error }
diff --git a/src/server/utils/index.ts b/src/server/utils/index.ts
index 3e7d9de7..7af7c210 100644
--- a/src/server/utils/index.ts
+++ b/src/server/utils/index.ts
@@ -54,9 +54,6 @@ export const getUtcHourForTimezone = (
   return result
 }
 
-export const escapeRegExpSensitiveCharacters = (str: string): string =>
-  str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
-
 export const cloneRegExp = (input: RegExp, injectFlags: string = '') => {
   const pattern = input.source
   let flags = ''
diff --git a/src/shared/types/index.ts b/src/shared/types/index.ts
index c4eec800..e73fc237 100644
--- a/src/shared/types/index.ts
+++ b/src/shared/types/index.ts
@@ -7,7 +7,3 @@ export enum EntityVisibility {
   Visible = 'visible',
   UrlPublic = 'url_public',
 }
-
-export enum DefaultPermissionPostfix {
-  Admin = '__admin',
-}
diff --git a/src/shared/utils/fp.ts b/src/shared/utils/fp.ts
index 65905fc6..809ce146 100644
--- a/src/shared/utils/fp.ts
+++ b/src/shared/utils/fp.ts
@@ -18,6 +18,16 @@ export const propNotEq =
   (obj: O): boolean =>
     obj[field] !== ref
 
+export const isIn =
+  <E>(refArray: E[]) =>
+  (el: E): boolean =>
+    refArray.includes(el)
+
+export const isNotIn =
+  <E>(refArray: E[]) =>
+  (el: E): boolean =>
+    !refArray.includes(el)
+
 export const propIn =
   <O>(field: keyof O, refArray: any[]) =>
   (obj: O): boolean =>
@@ -161,3 +171,11 @@ export function camelcasify(text: string): string {
     .map((x: string) => capitalize(x))
     .join('')
 }
+
+export function escapeRegExpSensitiveCharacters(str: string): string {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
+}
+
+export function hasIntersection<T>(arr1: T[], arr2: T[]): boolean {
+  return arr1.some((x) => arr2.includes(x))
+}
diff --git a/src/shared/utils/permissions-set.ts b/src/shared/utils/permissions-set.ts
index f0fc77ba..e88dcacc 100644
--- a/src/shared/utils/permissions-set.ts
+++ b/src/shared/utils/permissions-set.ts
@@ -1,6 +1,19 @@
+import { escapeRegExpSensitiveCharacters, last } from './fp'
+
 type PermissionsSetMapFn = (value: string) => boolean
 
 export class PermissionsSet extends Set<string> {
+  has(permission: string, officeId?: string): boolean {
+    if (!officeId) {
+      return super.has(permission)
+    }
+    return super.has(permission + ':' + officeId) || super.has(permission)
+  }
+  hasRoot(permissionRoot: string): boolean {
+    const escaped = escapeRegExpSensitiveCharacters(permissionRoot)
+    const re = new RegExp(`^${escaped}(:.*)?$`)
+    return this.some((x) => re.test(x))
+  }
   some(fn: PermissionsSetMapFn, thisArg?: any): boolean {
     for (const value of this) {
       if (fn.call(thisArg, value)) {
@@ -9,18 +22,21 @@ export class PermissionsSet extends Set<string> {
     }
     return false
   }
-  every(fn: PermissionsSetMapFn, thisArg?: any): boolean {
-    for (const value of this) {
-      if (!fn.call(thisArg, value)) {
-        return false
-      }
-    }
-    return true
+  hasAll(values: string[], officeId?: string): boolean {
+    return values.every((x) => this.has(x, officeId))
   }
-  hasAll(values: string[]): boolean {
-    return values.every((x) => this.has(x))
+  hasAnyOf(values: string[], officeId?: string): boolean {
+    return values.some((x) => this.has(x, officeId))
   }
-  hasAnyOf(values: string[]): boolean {
-    return values.some((x) => this.has(x))
+  extractOfficeIds(permissionRoot: string): string[] | null {
+    if (this.has(permissionRoot)) {
+      return []
+    }
+    const escaped = escapeRegExpSensitiveCharacters(permissionRoot)
+    const re = new RegExp(`^${escaped}(:.*)?$`)
+    const officeIds = Array.from(this)
+      .filter((x) => re.test(x))
+      .map((x) => last(x.split(':')))
+    return officeIds.length ? officeIds : null
   }
 }