AT&T 2.0.19 Code drop, stage 3

Issue-ID: AAF-197 Change-Id: I8b02cb073ccba318ccaf6ea0276446bdce88fb82 Signed-off-by: Instrumental <jcgmisc@stl.gathman.org>
author: Instrumental <jcgmisc@stl.gathman.org> 2018-03-26 13:51:48 -0700
committer: Instrumental <jcgmisc@stl.gathman.org> 2018-03-26 13:52:07 -0700
commit: 71037c39a37d3549dcfe31926832a657744fbe05 (patch)
tree: 78911b2b5e86e4e44228f7a27b3a8cd954b7f3e2 /auth
parent: a20accc73189d8e5454cd26049c0e6fae75da16f (diff)
614 files changed, 84287 insertions, 0 deletions
diff --git a/auth/.gitignore b/auth/.gitignore
new file mode 100644
index 00000000..a2ac34ab
--- /dev/null
+++ b/auth/.gitignore
@@ -0,0 +1,12 @@
+/target
+/.settings
+/dme2reg
+/src
+/.classpath
+/logs
+/bin/
+/temp
+/.project
+/assembly/
+/aaf_2.*/
+/aaf_2.1.0-SNAPSHOT.zip
diff --git a/auth/auth-batch/.gitignore b/auth/auth-batch/.gitignore
new file mode 100644
index 00000000..7743b8df
--- /dev/null
+++ b/auth/auth-batch/.gitignore
@@ -0,0 +1,9 @@
+/logs
+/target
+/.classpath
+/.settings
+/sync
+/data/
+/lib/
+/bin/
+/.project
diff --git a/auth/auth-batch/pom.xml b/auth/auth-batch/pom.xml
new file mode 100644
index 00000000..8aabdf54
--- /dev/null
+++ b/auth/auth-batch/pom.xml
@@ -0,0 +1,129 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.onap.aaf.auth</groupId>
+		<artifactId>parent</artifactId>
+		<version>2.1.0-SNAPSHOT</version>
+		<relativePath>../pom.xml</relativePath>
+	</parent>
+
+	<artifactId>auth-batch</artifactId>
+	<name>AAF Auth Batch</name>
+	<description>Batch Processing for AAF Auth</description>
+	<packaging>jar</packaging>
+
+	<developers>
+		<developer>
+			<name>Jonathan Gathman</name>
+			<email>jonathan.gathman@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Architect</role>
+				<role>Lead Developer</role>
+			</roles>
+		</developer>
+		<developer>
+			<name>Gabe Maurer</name>
+			<email>gabe.maurer@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Developer</role>
+			</roles>
+		</developer>
+		<developer>
+			<name>Ian Howell</name>
+			<email>ian.howell@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Developer</role>
+			</roles>
+		</developer>
+	</developers>
+
+	<properties>
+		<maven.test.failure.ignore>false</maven.test.failure.ignore>
+	</properties>
+
+	<dependencies>
+
+		<dependency>
+			<groupId>org.onap.aaf.misc</groupId>
+			<artifactId>aaf-misc-env</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.cadi</groupId>
+			<artifactId>aaf-cadi-core</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.misc</groupId>
+			<artifactId>aaf-misc-rosetta</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.cadi</groupId>
+			<artifactId>aaf-cadi-aaf</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.auth</groupId>
+			<artifactId>aaf-auth-cass</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.joda</groupId>
+			<artifactId>joda-time</artifactId>
+			<version>2.5</version>
+		</dependency>
+
+		<dependency>
+			<groupId>org.slf4j</groupId>
+			<artifactId>slf4j-log4j12</artifactId>
+		</dependency>
+
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-compiler-plugin</artifactId>
+				<configuration>
+					<source>1.7</source>
+					<target>1.7</target>
+				</configuration>
+			</plugin>
+
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-deploy-plugin</artifactId>
+				<configuration>
+					<skip>true</skip>
+				</configuration>
+			</plugin>
+		</plugins>
+	</build>
+</project>
diff --git a/auth/auth-batch/src/main/config/.gitignore b/auth/auth-batch/src/main/config/.gitignore
new file mode 100644
index 00000000..28a74e22
--- /dev/null
+++ b/auth/auth-batch/src/main/config/.gitignore
@@ -0,0 +1,2 @@
+/authBatch.props
+/log4j.properties
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/Batch.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/Batch.java
new file mode 100644
index 00000000..6d9252e2
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/Batch.java
@@ -0,0 +1,524 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.PrintStream;
+import java.lang.reflect.Constructor;
+import java.net.InetAddress;
+import java.net.URL;
+import java.net.UnknownHostException;
+import java.nio.ByteBuffer;
+import java.text.SimpleDateFormat;
+import java.util.GregorianCalendar;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.TimeZone;
+
+import org.apache.log4j.Logger;
+import org.onap.aaf.auth.common.Define;
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.dao.cass.UserRoleDAO;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.auth.org.OrganizationFactory;
+import org.onap.aaf.auth.org.Organization.Identity;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.StaticSlot;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.impl.Log4JLogTarget;
+import org.onap.aaf.misc.env.log4j.LogFileNamer;
+
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.Row;
+import com.datastax.driver.core.Session;
+import com.datastax.driver.core.Statement;
+
+public abstract class Batch {
+
+	private static String ROOT_NS;
+
+	private static StaticSlot ssargs;
+
+	protected static final String STARS = "*****";
+
+    protected final Cluster cluster; 
+    protected static AuthzEnv env;
+    protected static Session session;
+    protected static Logger aspr;
+    protected static Set<String> specialNames;
+    protected static boolean dryRun; 
+	protected static String batchEnv;
+
+	public static final String CASS_ENV = "CASS_ENV";
+	public static final String LOG_DIR = "LOG_DIR";
+    protected final static String PUNT="punt";
+    protected final static String MAX_EMAILS="MAX_EMAILS";
+    protected final static String VERSION="VERSION";
+    public final static String GUI_URL="GUI_URL";
+    
+    protected final static String ORA_URL="ora_url";
+    protected final static String ORA_PASSWORD="ora_password";
+	protected final Organization org;
+
+
+    
+    protected Batch(AuthzEnv env) throws APIException, IOException, OrganizationException {
+    	// Be able to change Environments
+    	// load extra properties, i.e.
+    	// PERF.cassandra.clusters=....
+    	batchEnv = env.getProperty(CASS_ENV);
+    	if(batchEnv != null) {
+    		batchEnv = batchEnv.trim();
+    		env.info().log("Redirecting to ",batchEnv,"environment");
+    		String str;
+    		for(String key : new String[]{
+    				CassAccess.CASSANDRA_CLUSTERS,
+    				CassAccess.CASSANDRA_CLUSTERS_PORT,
+    				CassAccess.CASSANDRA_CLUSTERS_USER_NAME,
+    				CassAccess.CASSANDRA_CLUSTERS_PASSWORD,
+    				VERSION,GUI_URL,PUNT,MAX_EMAILS,
+    				LOG_DIR,
+    				"SPECIAL_NAMES"
+    				}) {
+    			if((str = env.getProperty(batchEnv+'.'+key))!=null) {
+    			    env.setProperty(key, str);
+    			}
+    		}
+    	}
+
+    	// Setup for Dry Run
+        cluster = CassAccess.cluster(env,batchEnv);
+        env.info().log("cluster name - ",cluster.getClusterName());
+        String dryRunStr = env.getProperty( "DRY_RUN" );
+        if ( dryRunStr == null || dryRunStr.trim().equals("false") ) {
+		    dryRun = false;
+		} else {
+            dryRun = true;
+            env.info().log("dryRun set to TRUE");
+        }
+
+		org = OrganizationFactory.init(env);
+		org.setTestMode(dryRun);
+
+		// Special names to allow behaviors beyond normal rules
+        specialNames = new HashSet<String>();
+        String names = env.getProperty( "SPECIAL_NAMES" );
+        if ( names != null )
+        {
+            env.info().log("Loading SPECIAL_NAMES");
+            for (String s :names.split(",") )
+            {
+                env.info().log("\tspecial: " + s );
+                specialNames.add( s.trim() );
+            }
+        }
+    }
+
+    protected abstract void run(AuthzTrans trans);
+    protected abstract void _close(AuthzTrans trans);
+    
+    public String[] args() {
+    	return (String[])env.get(ssargs);
+    }
+	
+    public boolean isDryRun()
+    {
+        return dryRun;
+    }
+    
+	public boolean isSpecial(String user) {
+		if (specialNames != null && specialNames.contains(user)) {
+			env.info().log("specialName: " + user);
+
+			return (true);
+		} else {
+			return (false);
+		}
+	}
+	
+	public boolean isMechID(String user) {
+		if (user.matches("m[0-9][0-9][0-9][0-9][0-9]")) {
+			return (true);
+		} else {
+			return (false);
+		}
+	}
+
+	protected PrintStream fallout(PrintStream _fallout, String logType)
+			throws IOException {
+		PrintStream fallout = _fallout;
+		if (fallout == null) {
+			File dir = new File("logs");
+			if (!dir.exists()) {
+				dir.mkdirs();
+			}
+
+			File f = null;
+			// String os = System.getProperty("os.name").toLowerCase();
+			long uniq = System.currentTimeMillis();
+
+			f = new File(dir, getClass().getSimpleName() + "_" + logType + "_"
+					+ uniq + ".log");
+
+			fallout = new PrintStream(new FileOutputStream(f, true));
+		}
+		return fallout;
+	}
+
+	public Organization getOrgFromID(AuthzTrans trans, String user) {
+		Organization org;
+		try {
+			org = OrganizationFactory.obtain(trans.env(),user.toLowerCase());
+		} catch (OrganizationException e1) {
+			trans.error().log(e1);
+			org=null;
+		}
+
+		if (org == null) {
+			PrintStream fallout = null;
+
+			try {
+				fallout = fallout(fallout, "Fallout");
+				fallout.print("INVALID_ID,");
+				fallout.println(user);
+			} catch (Exception e) {
+				env.error().log("Could not write to Fallout File", e);
+			}
+			return (null);
+		}
+
+		return (org);
+	}
+	
+	public static Row executeDeleteQuery(Statement stmt) {
+		Row row = null;
+		if (!dryRun) {
+			row = session.execute(stmt).one();
+		}
+
+		return (row);
+
+	}
+        
+	public static int acquireRunLock(String className) {
+		Boolean testEnv = true;
+		String envStr = env.getProperty("AFT_ENVIRONMENT");
+
+		if (envStr != null) {
+			if (envStr.equals("AFTPRD")) {
+				testEnv = false;
+			}
+		} else {
+			env.fatal()
+					.log("AFT_ENVIRONMENT property is required and was not found. Exiting.");
+			System.exit(1);
+		}
+
+		if (testEnv) {
+			env.info().log("TESTMODE: skipping RunLock");
+			return (1);
+		}
+
+		String hostname = null;
+		try {
+			hostname = InetAddress.getLocalHost().getHostName();
+		} catch (UnknownHostException e) {
+			e.printStackTrace();
+			env.warn().log("Unable to get hostname");
+			return (0);
+		}
+
+		ResultSet existing = session.execute(String.format(
+				"select * from authz.run_lock where class = '%s'", className));
+
+		for (Row row : existing) {
+			long curr = System.currentTimeMillis();
+			ByteBuffer lastRun = row.getBytesUnsafe(2); // Can I get this field
+														// by name?
+
+			long interval = (1 * 60 * 1000); // @@ Create a value in props file
+												// for this
+			long prev = lastRun.getLong();
+
+			if ((curr - prev) <= interval) {
+				env.warn().log(
+						String.format("Too soon! Last run was %d minutes ago.",
+								((curr - prev) / 1000) / 60));
+				env.warn().log(
+						String.format("Min time between runs is %d minutes ",
+								(interval / 1000) / 60));
+				env.warn().log(
+						String.format("Last ran on machine: %s at %s",
+								row.getString("host"), row.getDate("start")));
+				return (0);
+			} else {
+				env.info().log("Delete old lock");
+				deleteLock(className);
+			}
+		}
+
+		GregorianCalendar current = new GregorianCalendar();
+
+		// We want our time in UTC, hence "+0000"
+		SimpleDateFormat fmt = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss+0000");
+		fmt.setTimeZone(TimeZone.getTimeZone("UTC"));
+
+		String cql = String
+				.format("INSERT INTO authz.run_lock (class,host,start) VALUES ('%s','%s','%s') IF NOT EXISTS",
+						className, hostname, fmt.format(current.getTime()));
+
+		env.info().log(cql);
+
+		Row row = session.execute(cql).one();
+		if (!row.getBool("[applied]")) {
+			env.warn().log("Lightweight Transaction failed to write lock.");
+			env.warn().log(
+					String.format("host with lock: %s, running at %s",
+							row.getString("host"), row.getDate("start")));
+			return (0);
+		}
+		return (1);
+	}
+	
+    private static void deleteLock( String className) {
+        Row row = session.execute( String.format( "DELETE FROM authz.run_lock WHERE class = '%s' IF EXISTS", className ) ).one();
+        if (! row.getBool("[applied]")) {
+            env.info().log( "delete failed" );
+        }
+    }
+
+    private static void transferVMProps(AuthzEnv env, String ... props) {
+		String value;
+		for(String key : props) {
+			if((value = System.getProperty(key))!=null) {
+			    env.setProperty(key, value);
+			}
+		}
+	}
+	
+	// IMPORTANT! VALIDATE Organization isUser method
+    protected void checkOrganizationAcccess(AuthzTrans trans, Question q) throws APIException, OrganizationException {
+		Set<String> testUsers = new HashSet<String>();
+		Result<List<RoleDAO.Data>> rrd = q.roleDAO.readNS(trans, ROOT_NS);
+		if(rrd.isOK()) {
+			for(RoleDAO.Data r : rrd.value) {
+				Result<List<UserRoleDAO.Data>> rur = q.userRoleDAO.readByRole(trans, r.fullName());
+				if(rur.isOK()) {
+					for(UserRoleDAO.Data udd : rur.value) {
+						testUsers.add(udd.user);
+					}
+				}
+			}
+		}
+		if(testUsers.size()<2) {
+			throw new APIException("Not enough Users in Roles for " + ROOT_NS + " to Validate");
+		}
+		
+		Identity iden;
+		for(String user : testUsers) {
+			if((iden=org.getIdentity(trans,user))==null) {
+				throw new APIException("Failed Organization Entity Validation Check: " + user);
+			} else {
+				trans.info().log("Organization Validation Check: " + iden.id());
+			}
+		}
+    }
+    
+    protected static String logDir() {
+    	String ld = env.getProperty(LOG_DIR);
+    	if(ld==null) {
+	    	if(batchEnv==null) { // Deployed Batch doesn't use different ENVs, and a common logdir
+				ld = "logs/";
+			} else {
+				ld = "logs/"+batchEnv;
+			}
+    	}
+    	return ld;
+    }
+	protected int count(String str, char c) {
+		int count=str==null||str.isEmpty()?0:1;
+		for(int i=str.indexOf(c);i>=0;i=str.indexOf(c,i+1)) {
+			++count;
+		}
+		return count;
+	}
+
+	public final void close(AuthzTrans trans) {
+	    _close(trans);
+	    cluster.close();
+	}
+
+	public static void main(String[] args) {
+		PropAccess access = new PropAccess(args);
+		InputStream is = null;
+		String filename;
+		String propLoc;
+		try {
+			Define.set(access);
+			ROOT_NS=Define.ROOT_NS();
+			
+			File f = new File("etc/authzBatch.props");
+			try {
+				if (f.exists()) {
+					filename = f.getAbsolutePath();
+					is = new FileInputStream(f);
+					propLoc = f.getPath();
+				} else {
+					URL rsrc = ClassLoader.getSystemResource("authBatch.props");
+					filename = rsrc.toString();
+					is = rsrc.openStream();
+					propLoc = rsrc.getPath();
+				}
+				access.load(is);
+			} finally {
+				if (is == null) {
+					System.err.println("authBatch.props must exist in etc dir, or in Classpath");
+					System.exit(1);
+				}
+				is.close();
+			}
+
+			env = new AuthzEnv(access);
+
+			transferVMProps(env, CASS_ENV, "DRY_RUN", "NS", "Organization");
+
+			// Flow all Env Logs to Log4j, with ENV
+
+			LogFileNamer lfn;
+			if ((batchEnv = env.getProperty(CASS_ENV)) == null) {
+				lfn = new LogFileNamer(logDir()).noPID();
+			} else {
+				lfn = new LogFileNamer(logDir()).noPID();
+			}
+
+			lfn.setAppender("authz-batch");
+			lfn.setAppender("aspr|ASPR");
+			lfn.setAppender("sync");
+			lfn.setAppender("jobchange");
+			lfn.setAppender("validateuser");
+			aspr = Logger.getLogger("aspr");
+			Log4JLogTarget.setLog4JEnv("authz-batch", env);
+			if (filename != null) {
+				env.init().log("Instantiated properties from", filename);
+			}
+
+			// Log where Config found
+			env.info().log("Configuring from", propLoc);
+			propLoc = null;
+
+			Batch batch = null;
+			// setup ATTUser and Organization Slots before starting this:
+			// TODO redo this
+			// env.slot(ATT.ATT_USERSLOT);
+			//
+			// OrganizationFactory.setDefaultOrg(env, ATT.class.getName());
+			AuthzTrans trans = env.newTrans();
+
+			TimeTaken tt = trans.start("Total Run", Env.SUB);
+			try {
+				int len = args.length;
+				if (len > 0) {
+					String toolName = args[0];
+					len -= 1;
+					if (len < 0)
+						len = 0;
+					String nargs[] = new String[len];
+					if (len > 0) {
+						System.arraycopy(args, 1, nargs, 0, len);
+					}
+
+					env.put(ssargs = env.staticSlot("ARGS"), nargs);
+
+					/*
+					 * Add New Batch Programs (inherit from Batch) here
+					 */
+
+					// Might be a Report, Update or Temp Batch
+					Class<?> cls;
+					String classifier = "";
+					try {
+						cls = ClassLoader.getSystemClassLoader().loadClass("org.onap.aaf.auth.update." + toolName);
+						classifier = "Update:";
+					} catch (ClassNotFoundException e) {
+						try {
+							cls = ClassLoader.getSystemClassLoader().loadClass("org.onap.aaf.auth.reports." + toolName);
+							classifier = "Report:";
+						} catch (ClassNotFoundException e2) {
+							try {
+								cls = ClassLoader.getSystemClassLoader()
+										.loadClass("org.onap.aaf.auth.temp." + toolName);
+								classifier = "Temp Utility:";
+							} catch (ClassNotFoundException e3) {
+								cls = null;
+							}
+						}
+					}
+					if (cls != null) {
+						Constructor<?> cnst = cls.getConstructor(new Class[] { AuthzTrans.class });
+						batch = (Batch) cnst.newInstance(trans);
+						env.info().log("Begin", classifier, toolName);
+					}
+				
+
+					if (batch == null) {
+						trans.error().log("No Batch named", toolName, "found");
+					}
+					/*
+					 * End New Batch Programs (inherit from Batch) here
+					 */
+
+				}
+				if (batch != null) {
+					batch.run(trans);
+				}
+			} finally {
+				tt.done();
+				if (batch != null) {
+					batch.close(trans);
+				}
+				StringBuilder sb = new StringBuilder("Task Times\n");
+				trans.auditTrail(4, sb, AuthzTrans.SUB, AuthzTrans.REMOTE);
+				trans.info().log(sb);
+			}
+		} catch (Exception e) {
+			e.printStackTrace(System.err);
+			// Exceptions thrown by DB aren't stopping the whole process.
+			System.exit(1);
+		}
+	}
+
+}
+
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/BatchException.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/BatchException.java
new file mode 100644
index 00000000..4ed0940a
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/BatchException.java
@@ -0,0 +1,51 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth;
+
+public class BatchException extends Exception {
+
+	/**
+	 * 
+	 */
+	private static final long serialVersionUID = -3877245367723491192L;
+
+	public BatchException() {
+	}
+
+	public BatchException(String message) {
+		super(message);
+	}
+
+	public BatchException(Throwable cause) {
+		super(cause);
+	}
+
+	public BatchException(String message, Throwable cause) {
+		super(message, cause);
+	}
+
+	public BatchException(String message, Throwable cause,
+			boolean enableSuppression, boolean writableStackTrace) {
+		super(message, cause, enableSuppression, writableStackTrace);
+	}
+
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/BatchPrincipal.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/BatchPrincipal.java
new file mode 100644
index 00000000..6ca79018
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/BatchPrincipal.java
@@ -0,0 +1,41 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.auth;
+
+import org.onap.aaf.cadi.principal.TaggedPrincipal;
+
+public class BatchPrincipal extends TaggedPrincipal {
+	private final String name;
+	
+	public BatchPrincipal(final String name) {
+		this.name = name;
+	}
+
+	@Override
+	public String getName() {
+		return name;
+	}
+
+	@Override
+	public String tag() {
+		return "Batch";
+	}
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/CassBatch.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/CassBatch.java
new file mode 100644
index 00000000..32e8f85d
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/CassBatch.java
@@ -0,0 +1,78 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth;
+
+import java.io.IOException;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.impl.Log4JLogTarget;
+
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.exceptions.InvalidQueryException;
+
+public abstract class CassBatch extends Batch {
+
+	protected CassBatch(AuthzTrans trans, String log4JName) throws APIException, IOException, OrganizationException {
+		super(trans.env());
+		// Flow all Env Logs to Log4j
+		Log4JLogTarget.setLog4JEnv(log4JName, env);
+		
+		TimeTaken tt = trans.start("Connect to Cluster", Env.REMOTE);
+		try {
+			session = cluster.connect();
+		} finally {
+			tt.done();
+		}
+	}
+
+	@Override
+	protected void _close(AuthzTrans trans) {
+	    session.close();
+		trans.info().log("Closed Session");
+	}
+
+	public ResultSet executeQuery(String cql) {
+		return executeQuery(cql,"");
+	}
+
+	public ResultSet executeQuery(String cql, String extra) {
+		if(isDryRun() && !cql.startsWith("SELECT")) {
+			if(extra!=null)env.info().log("Would query" + extra + ": " + cql);
+		} else {
+			if(extra!=null)env.info().log("query" + extra + ": " + cql);
+			try {
+				return session.execute(cql);
+			} catch (InvalidQueryException e) {
+				if(extra==null) {
+					env.info().log("query: " + cql);
+				}
+				throw e;
+			}
+		} 
+		return null;
+	}
+
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/Action.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/Action.java
new file mode 100644
index 00000000..ad3a447d
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/Action.java
@@ -0,0 +1,29 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+
+public interface Action<D,RV,T> {
+	public Result<RV> exec(AuthzTrans trans, D data, T t);
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/ActionDAO.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/ActionDAO.java
new file mode 100644
index 00000000..90400015
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/ActionDAO.java
@@ -0,0 +1,73 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.io.IOException;
+
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.hl.Function;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.misc.env.APIException;
+
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.Session;
+
+public abstract class ActionDAO<D,RV,T> implements Action<D,RV,T> {
+	protected final Question q; 
+	protected final Function f;
+	private boolean clean;
+	protected final boolean dryRun;
+
+	public ActionDAO(AuthzTrans trans, Cluster cluster, boolean dryRun) throws APIException, IOException {
+		q = new Question(trans, cluster, CassAccess.KEYSPACE, false);
+		f = new Function(trans,q);
+		clean = true;
+		this.dryRun = dryRun;
+	}
+	
+	public ActionDAO(AuthzTrans trans, ActionDAO<?,?,?> predecessor) {
+		q = predecessor.q;
+		f = new Function(trans,q);
+		clean = false;
+		dryRun = predecessor.dryRun;
+	}
+	
+	public Session getSession(AuthzTrans trans) throws APIException, IOException {
+		return q.historyDAO.getSession(trans);
+	}
+	
+	public Question question() {
+		return q;
+	}
+	
+	public Function function() {
+		return f;
+	}
+
+	public void close(AuthzTrans trans) {
+		if(clean) {
+			q.close(trans);
+		}
+	}
+
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/ActionPuntDAO.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/ActionPuntDAO.java
new file mode 100644
index 00000000..332d2509
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/ActionPuntDAO.java
@@ -0,0 +1,72 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.io.IOException;
+import java.util.Date;
+import java.util.GregorianCalendar;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.misc.env.APIException;
+
+import com.datastax.driver.core.Cluster;
+
+public abstract class ActionPuntDAO<D, RV, T> extends ActionDAO<D, RV, T> {
+//	private static final SecureRandom random = new SecureRandom();
+	private int months;
+//	private int range;
+	protected static final Date now = new Date();
+
+	public ActionPuntDAO(AuthzTrans trans, Cluster cluster, int months, int range, boolean dryRun) throws APIException, IOException {
+		super(trans, cluster,dryRun);
+		this.months = months;
+//		this.range = range;
+	}
+
+	public ActionPuntDAO(AuthzTrans trans, ActionDAO<?, ?,?> predecessor, int months, int range) {
+		super(trans, predecessor);
+		this.months = months;
+//		this.range = range;
+	}
+	
+
+	protected Date puntDate(Date current) {
+		GregorianCalendar temp = new GregorianCalendar();
+		temp.setTime(current);
+		temp.add(GregorianCalendar.MONTH, months);
+
+		/*
+		 *  This method Randomized date.  This is no longer needed.  Just add the Punt Months.
+		temp.setTime(now);
+		temp.add(GregorianCalendar.MONTH, months);
+		if(range>0) {
+			int forward = Math.abs(random.nextInt()%range);
+			if(forward>1) {
+				temp.add(GregorianCalendar.MONTH, forward);
+				temp.add(GregorianCalendar.DAY_OF_MONTH, (random.nextInt()%30)-15);
+			}
+		}
+		*/
+		return temp.getTime();
+	}
+
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/CacheTouch.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/CacheTouch.java
new file mode 100644
index 00000000..8261c477
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/CacheTouch.java
@@ -0,0 +1,53 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.io.IOException;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+import com.datastax.driver.core.Cluster;
+
+public class CacheTouch extends ActionDAO<String,Void, String> {
+	
+	public CacheTouch(AuthzTrans trans, Cluster cluster, boolean dryRun) throws APIException, IOException {
+		super(trans, cluster, dryRun);
+	}
+
+	public CacheTouch(AuthzTrans trans, ActionDAO<?,?,?> adao) {
+		super(trans, adao);
+	}
+
+	@Override
+	public Result<Void> exec(AuthzTrans trans, String table, String text) {
+		if(dryRun) {
+			trans.info().printf("Would mark %s cache in DB for clearing: %s",table, text);
+			return Result.ok();
+		} else {
+			Result<Void> rv = q.clearCache(trans, table);
+			trans.info().printf("Set DB Cache %s for clearing: %s",table, text);
+			return rv;
+		}
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/CredDelete.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/CredDelete.java
new file mode 100644
index 00000000..700aaaea
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/CredDelete.java
@@ -0,0 +1,55 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.io.IOException;
+
+import org.onap.aaf.auth.dao.cass.CredDAO;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import com.datastax.driver.core.Cluster;
+
+public class CredDelete extends ActionDAO<CredDAO.Data,Void, String> {
+	
+	public CredDelete(AuthzTrans trans, Cluster cluster, boolean dryRun) throws APIException, IOException {
+		super(trans, cluster, dryRun);
+	}
+
+	public CredDelete(AuthzTrans trans, ActionDAO<?,?,?> adao) {
+		super(trans, adao);
+	}
+
+	@Override
+	public Result<Void> exec(AuthzTrans trans, CredDAO.Data cred, String text) {
+		if(dryRun) {
+			trans.info().log("Would Delete:",text,cred.id,CredPrint.type(cred.type),Chrono.dateOnlyStamp(cred.expires));
+			return Result.ok();
+		} else {
+			Result<Void> rv = q.credDAO.delete(trans, cred, true); // need to read for undelete
+			trans.info().log("Deleted:",text,cred.id,CredPrint.type(cred.type),Chrono.dateOnlyStamp(cred.expires));
+			return rv;
+		}
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/CredPrint.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/CredPrint.java
new file mode 100644
index 00000000..10407ce4
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/CredPrint.java
@@ -0,0 +1,56 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import org.onap.aaf.auth.dao.cass.CredDAO;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.util.Chrono;
+
+public class CredPrint implements Action<CredDAO.Data,Void,String> {
+	private String info;
+
+	public CredPrint(String text) {
+		this.info = text;
+	}
+
+	@Override
+	public Result<Void> exec(AuthzTrans trans, CredDAO.Data cred, String text) {
+		trans.info().log(info,cred.id,text, type(cred.type),Chrono.dateOnlyStamp(cred.expires));
+		return Result.ok();
+	}
+	
+	
+	public static String type(int type) {
+		switch(type) {
+			case CredDAO.BASIC_AUTH: // 1
+					return "OLD";
+			case CredDAO.BASIC_AUTH_SHA256: // 2 
+					return "U/P"; 
+			case CredDAO.CERT_SHA256_RSA: // 200
+					return "Cert"; 
+			default: 
+				return "Unknown";
+		}
+	}
+
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/CredPunt.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/CredPunt.java
new file mode 100644
index 00000000..78c1f892
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/CredPunt.java
@@ -0,0 +1,70 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.io.IOException;
+import java.util.Date;
+import java.util.List;
+
+import org.onap.aaf.auth.dao.cass.CredDAO;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import com.datastax.driver.core.Cluster;
+
+public class CredPunt extends ActionPuntDAO<CredDAO.Data,Void,String> {
+	
+	public CredPunt(AuthzTrans trans, Cluster cluster, int months, int range, boolean dryRun) throws IOException, APIException {
+		super(trans,cluster,months,range,dryRun);
+	}
+
+	public CredPunt(AuthzTrans trans, ActionDAO<?,?,?> adao, int months, int range) throws IOException {
+		super(trans, adao, months,range);
+	}
+
+	public Result<Void> exec(AuthzTrans trans, CredDAO.Data cdd,String text) {
+		Result<Void> rv = null;
+		Result<List<CredDAO.Data>> read = q.credDAO.read(trans, cdd);
+		if(read.isOKhasData()) {
+			for(CredDAO.Data data : read.value) {
+				Date from = data.expires;
+				data.expires = puntDate(from);
+				if(data.expires.compareTo(from)<=0) {
+					trans.debug().printf("Error: %s is before %s", Chrono.dateOnlyStamp(data.expires), Chrono.dateOnlyStamp(from));
+				} else {
+					if(dryRun) {
+						trans.info().log("Would Update Cred",cdd.id, CredPrint.type(cdd.type), "from",Chrono.dateOnlyStamp(from),"to",Chrono.dateOnlyStamp(data.expires));
+					} else {
+						trans.info().log("Updated Cred",cdd.id, CredPrint.type(cdd.type), "from",Chrono.dateOnlyStamp(from),"to",Chrono.dateOnlyStamp(data.expires));
+						rv = q.credDAO.update(trans, data);
+					}
+				}
+			}
+		}
+		if(rv==null) {
+			rv=Result.err(read);
+		}
+		return rv;
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/Email.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/Email.java
new file mode 100644
index 00000000..346e517f
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/Email.java
@@ -0,0 +1,220 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.io.PrintStream;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.auth.org.Organization.Identity;
+import org.onap.aaf.misc.env.util.Chrono;
+
+public class Email implements Action<Organization,Void, String>{
+	protected final List<String> toList;
+	protected final List<String> ccList;
+	private final String[] defaultCC;
+	protected String subject;
+	private String preamble;
+	private Message msg;
+	private String sig;
+	protected String lineIndent="  ";
+	private long lastSent=0L;
+
+	
+	public Email(String ... defaultCC) {
+		toList = new ArrayList<String>();
+		this.defaultCC = defaultCC;
+		ccList = new ArrayList<String>();
+		clear();
+	}
+	
+	public Email clear() {
+		toList.clear();
+		ccList.clear();
+		for(String s: defaultCC) {
+			ccList.add(s);
+		}
+		return this;
+	}
+	
+
+	public void indent(String indent) {
+		lineIndent = indent;
+	}
+	
+	public void preamble(String format, Object ... args) {
+		preamble = String.format(format, args);
+	}
+
+	public Email addTo(Identity id) {
+		if(id!=null) {
+			if(!toList.contains(id.email())) {
+				toList.add(id.email());
+			}
+		}
+		return this;
+	}
+
+	public Email addTo(Collection<String> users) {
+		for(String u : users) {
+			addTo(u);
+		}
+		return this;
+	}
+
+	public Email addTo(String email) {
+		if(!toList.contains(email)) {
+			toList.add(email);
+		}
+		return this;
+	}
+
+	public Email addCC(Identity id) {
+		if(id!=null) {
+			if(!ccList.contains(id.email())) {
+				ccList.add(id.email());
+			}
+		}
+		return this;
+	}
+
+	public Email addCC(String email) {
+		if(!ccList.contains(email)) {
+			ccList.add(email);
+		}
+		return this;
+	}
+
+	
+	public Email add(Identity id, boolean toSuper) throws OrganizationException {
+		Identity responsible = id.responsibleTo();
+		if(toSuper) {
+			addTo(responsible.email());
+			addCC(id.email());
+		} else {
+			addCC(responsible.email());
+			addTo(id.email());
+		}
+		return this;
+	}
+	
+	public Email subject(String format, Object ... args) {
+		if(format.contains("%s")) {
+			subject = String.format(format, args);
+		} else {
+			subject = format;
+		}
+		return this;
+	}
+	
+	
+	public Email signature(String format, Object ... args) {
+		sig = String.format(format, args);
+		return this;
+	}
+	
+	public void msg(Message msg) {
+		this.msg = msg;
+	}
+	
+	@Override
+	public Result<Void> exec(AuthzTrans trans, Organization org, String text) {
+		StringBuilder sb = new StringBuilder();
+		if(preamble!=null) {
+			sb.append(lineIndent);
+			sb.append(preamble);
+			sb.append("\n\n");
+		}
+		
+		if(msg!=null) {
+			msg.msg(sb,lineIndent);
+			sb.append("\n");
+		}
+
+		if(sig!=null) {
+			sb.append(sig);
+			sb.append("\n");
+		}
+		
+		long ct = System.currentTimeMillis();
+		long wait = ct-lastSent;
+		lastSent = ct;
+		if(wait < 100) { // 10 per second
+			try {
+				Thread.sleep(wait);
+			} catch (InterruptedException e) {
+			}
+		}
+		return exec(trans,org,sb);
+	}
+
+	protected Result<Void> exec(AuthzTrans trans, Organization org, StringBuilder sb) {
+		try {
+			/* int status = */
+			org.sendEmail(trans,
+				toList, 
+				ccList, 
+				subject, 
+				sb.toString(), 
+				false);
+		} catch (Exception e) {
+			return Result.err(Result.ERR_ActionNotCompleted,e.getMessage());
+		}
+		return Result.ok();
+
+	}
+
+	public void log(PrintStream ps, String text) {
+		ps.print(Chrono.dateTime());
+		boolean first = true;
+		for(String s : toList) {
+			if(first) {
+				first = false;
+				ps.print(": ");
+			} else {
+				ps.print(", ");
+			}
+			ps.print(s);
+		}
+		if(!ccList.isEmpty()) {
+			first=true;
+			for(String s : ccList) {
+				if(first) {
+					first = false;
+					ps.print(" [");
+				} else {
+					ps.print(", ");
+				}
+				ps.print(s);
+			}
+			ps.print(']');
+		}
+
+		ps.print(' ');
+		ps.println(text);
+	}
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/EmailPrint.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/EmailPrint.java
new file mode 100644
index 00000000..dba02426
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/EmailPrint.java
@@ -0,0 +1,98 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.io.PrintStream;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.org.Organization;
+
+public class EmailPrint extends Email {
+
+	private static final int LINE_LENGTH = 100;
+
+	public EmailPrint(String... defaultCC) {
+		super(defaultCC);
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.actions.Email#exec(org.onap.aaf.auth.org.test.Organization, java.lang.StringBuilder)
+	 */
+	@Override
+	protected Result<Void> exec(AuthzTrans trans, Organization org, StringBuilder msg) {
+		PrintStream out = System.out;
+		boolean first = true;
+		out.print("To: ");
+		for(String s: toList) {
+			if(first) {first = false;}
+			else {out.print(',');}
+			out.print(s);
+		}
+		out.println();
+		
+		first = true;
+		out.print("CC: ");
+		for(String s: ccList) {
+			if(first) {first = false;}
+			else {out.print(',');}
+			out.print(s);
+		}
+		out.println();
+
+		out.print("Subject: ");
+		out.println(subject);
+		out.println();
+		boolean go = true;
+		
+		for(int start=0, end=LINE_LENGTH;go;start=end,end=Math.min(msg.length(), start+LINE_LENGTH)) {
+			int ret = msg.indexOf("\n",start+1);
+			switch(ret) {
+				case -1:
+					out.println(msg.substring(start,end));
+					break;
+				case 0:
+					end=start+1;
+					out.println();
+					break;
+				default:
+					if(ret<end) {
+						end = ret;
+					}
+					if(end==start+LINE_LENGTH) {
+						// Word-wrapping
+						ret = msg.lastIndexOf(" ", end);
+						if(ret>start && ret<end) {
+							end=ret+1;
+						}
+						out.println(msg.substring(start,end));
+					} else {
+						out.print(msg.substring(start,end));
+					}
+			}
+			go = end<msg.length();
+		}
+		return Result.ok();
+
+	}
+
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/FuturePrint.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/FuturePrint.java
new file mode 100644
index 00000000..34a16d2a
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/FuturePrint.java
@@ -0,0 +1,41 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.Future;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.util.Chrono;
+
+public class FuturePrint implements Action<Future,Void,String> {
+	private String info;
+
+	public FuturePrint(String text) {
+		this.info = text;
+	}
+
+	@Override
+	public Result<Void> exec(AuthzTrans trans, Future f, String text) {
+		trans.info().log(info,f.id(),f.memo(),"expiring on",Chrono.dateOnlyStamp(f.expires()));
+		return Result.ok();
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/Key.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/Key.java
new file mode 100644
index 00000000..8c39e47d
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/Key.java
@@ -0,0 +1,26 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+public interface Key<HELPER> {
+	public String key(HELPER H);
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/Message.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/Message.java
new file mode 100644
index 00000000..98fc0054
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/Message.java
@@ -0,0 +1,53 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class Message {
+	public final List<String> lines;
+		
+	public Message() {
+		lines = new ArrayList<String>();
+	}
+
+	public void clear() {
+		lines.clear();
+	}
+	
+	public String line(String format, Object ... args) {
+		String rv=String.format(format, args);
+		lines.add(rv);
+		return rv;
+	}
+
+	public void msg(StringBuilder sb, String lineIndent) {
+		if(lines.size()>0) {
+			for(String line : lines) {
+				sb.append(lineIndent);
+				sb.append(line);
+				sb.append('\n');
+			}
+		}
+	}
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/NSACreate.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/NSACreate.java
new file mode 100644
index 00000000..3d215871
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/NSACreate.java
@@ -0,0 +1,58 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.io.IOException;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.NsAttrib;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+import com.datastax.driver.core.Cluster;
+
+public class NSACreate extends ActionDAO<NsAttrib,Void,String> {
+	public NSACreate(AuthzTrans trans, Cluster cluster, boolean dryRun) throws APIException, IOException {
+		super(trans, cluster,dryRun);
+	}
+	
+	public NSACreate(AuthzTrans trans, ActionDAO<?,?,?> adao) {
+		super(trans, adao);
+	}
+
+	@Override
+	public Result<Void> exec(AuthzTrans trans, NsAttrib nsa, String text) {
+		if(dryRun) {
+			trans.info().printf("Would Create %s Attrib '%s=%s' in %s",text,nsa.key,nsa.value,nsa.ns);
+			return Result.ok();
+		} else {
+			Result<Void> rv = q.nsDAO.dao().attribAdd(trans, nsa.ns, nsa.key, nsa.value);
+			if(rv.isOK()) {
+				trans.info().printf("%s - Created Attrib '%s=%s' in %s",text,nsa.key,nsa.value,nsa.ns);
+			} else {
+				trans.error().printf("Error Creating Attrib '%s=%s' in %s - %s",nsa.key,nsa.value,nsa.ns,rv.details);
+			}
+			return rv;
+		}
+	}
+	
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/NSADelete.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/NSADelete.java
new file mode 100644
index 00000000..4b976822
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/NSADelete.java
@@ -0,0 +1,58 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.io.IOException;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.NsAttrib;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+import com.datastax.driver.core.Cluster;
+
+public class NSADelete extends ActionDAO<NsAttrib,Void,String> {
+	public NSADelete(AuthzTrans trans, Cluster cluster, boolean dryRun) throws APIException, IOException {
+		super(trans, cluster,dryRun);
+	}
+	
+	public NSADelete(AuthzTrans trans, ActionDAO<?,?,?> adao) {
+		super(trans, adao);
+	}
+
+	@Override
+	public Result<Void> exec(AuthzTrans trans, NsAttrib nsa, String text) {
+		if(dryRun) {
+			trans.info().printf("Would Delete %s Attrib '%s' in %s",text,nsa.key,nsa.ns);
+			return Result.ok();
+		} else {
+			Result<Void> rv = q.nsDAO.dao().attribRemove(trans, nsa.ns, nsa.key);
+			if(rv.isOK()) {
+				trans.info().printf("%s - Deleted Attrib '%s' in %s",text,nsa.key,nsa.value,nsa.ns);
+			} else {
+				trans.error().printf("Error Deleting Attrib '%s' in %s - %s",nsa.key,nsa.value,nsa.ns,rv.details);
+			}
+			return rv;
+		}
+	}
+	
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/NSDescUpdate.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/NSDescUpdate.java
new file mode 100644
index 00000000..368c8452
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/NSDescUpdate.java
@@ -0,0 +1,58 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.io.IOException;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.NS;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+import com.datastax.driver.core.Cluster;
+
+public class NSDescUpdate extends ActionDAO<NS,Void,String> {
+	public NSDescUpdate(AuthzTrans trans, Cluster cluster, boolean dryRun) throws APIException, IOException {
+		super(trans, cluster,dryRun);
+	}
+	
+	public NSDescUpdate(AuthzTrans trans, ActionDAO<?,?,?> adao) {
+		super(trans, adao);
+	}
+
+	@Override
+	public Result<Void> exec(AuthzTrans trans, NS ns, String desc) {
+		if(dryRun) {
+			trans.info().printf("Would Update '%s' Description to '%s'",ns,desc);
+			return Result.ok();
+		} else {
+			Result<Void> rv = q.nsDAO.dao().addDescription(trans, ns.name, desc);
+			if(rv.isOK()) {
+				trans.info().printf("Updated '%s' Description to '%s'",ns,desc);
+			} else {
+				trans.error().printf("Error Updating '%s' Description to '%s' - %s",ns,desc,rv.details);
+			}
+			return rv;
+		}
+	}
+	
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/PermCreate.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/PermCreate.java
new file mode 100644
index 00000000..5f3ab202
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/PermCreate.java
@@ -0,0 +1,69 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.io.IOException;
+
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.dao.cass.PermDAO.Data;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.Perm;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+import com.datastax.driver.core.Cluster;
+
+
+public class PermCreate extends ActionDAO<Perm,Data,String> {
+	public PermCreate(AuthzTrans trans, Cluster cluster, boolean dryRun) throws APIException, IOException {
+		super(trans, cluster, dryRun);
+	}
+	
+	public PermCreate(AuthzTrans trans, ActionDAO<?,?,?> adao) {
+		super(trans, adao);
+	}
+
+	@Override
+	public Result<Data> exec(AuthzTrans trans, Perm p,String text) {
+		PermDAO.Data pdd = new PermDAO.Data();
+		pdd.ns = p.ns;
+		pdd.type = p.type;
+		pdd.instance = p.instance;
+		pdd.action = p.action;
+		pdd.description = p.description;
+		pdd.roles = p.roles;
+		
+		if(dryRun) {
+			trans.info().log("Would Create Perm:",text,p.fullType());
+			return Result.ok(pdd);
+		} else {
+			Result<Data> rv = q.permDAO.create(trans, pdd); // need to read for undelete
+			if(rv.isOK()) {
+				trans.info().log("Created Perm:",text,p.fullType());
+			} else {
+				trans.error().log("Error Creating Role -",rv.details,":",p.fullType());
+			}
+			return rv;
+		}
+	}
+	
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/PermDelete.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/PermDelete.java
new file mode 100644
index 00000000..02fd3c6c
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/PermDelete.java
@@ -0,0 +1,64 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.io.IOException;
+
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.Perm;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+import com.datastax.driver.core.Cluster;
+
+public class PermDelete extends ActionDAO<Perm,Void,String> {
+	public PermDelete(AuthzTrans trans, Cluster cluster, boolean dryRun) throws APIException, IOException {
+		super(trans, cluster, dryRun);
+	}
+	
+	public PermDelete(AuthzTrans trans, ActionDAO<?,?,?> adao) {
+		super(trans, adao);
+	}
+
+	@Override
+	public Result<Void> exec(AuthzTrans trans, Perm p,String text) {
+		PermDAO.Data pdd = new PermDAO.Data();
+		pdd.ns = p.ns;
+		pdd.type = p.type;
+		pdd.instance = p.instance;
+		pdd.action = p.action;
+		if(dryRun) {
+			trans.info().log("Would Delete Perm:",text,p.fullType());
+			return Result.ok();
+		} else {
+			Result<Void> rv = q.permDAO.delete(trans, pdd, true); // need to read for undelete
+			if(rv.isOK()) {
+				trans.info().log("Deleted Perm:",text,p.fullType());
+			} else {
+				trans.error().log("Error Deleting Perm -",rv.details,":",p.fullType());
+			}
+			return rv;
+		}
+	}
+	
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/PermModify.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/PermModify.java
new file mode 100644
index 00000000..9b60cee1
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/PermModify.java
@@ -0,0 +1,141 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.io.IOException;
+import java.util.List;
+
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.dao.cass.PermDAO.Data;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.Perm;
+import org.onap.aaf.auth.helpers.Role;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+import com.datastax.driver.core.Cluster;
+
+public class PermModify extends ActionDAO<Perm,PermDAO.Data,PermModify.Modify> {
+	public PermModify(AuthzTrans trans, Cluster cluster, boolean dryRun) throws APIException, IOException {
+		super(trans, cluster,dryRun);
+	}
+	
+	public PermModify(AuthzTrans trans, ActionDAO<?,?,?> adao) {
+		super(trans, adao);
+	}
+
+	@Override
+	public Result<PermDAO.Data> exec(AuthzTrans trans, final Perm p, final Modify modify) {
+		Result<List<PermDAO.Data>> rr = q.permDAO.read(trans, p.ns,p.type,p.instance,p.action);
+		if(dryRun) {
+			if(rr.isOKhasData()) {
+				return Result.ok(rr.value.get(0));
+			} else {
+				return Result.err(Result.ERR_NotFound, "Data not Found " + p.toString());
+			}
+		} else {
+			Result<PermDAO.Data> rv = null;
+			if(rr.isOKhasData()) {
+				for(final Data d : rr.value) {
+					modify.change(d);
+					if(d.ns.equals(p.ns) && d.type.equals(p.type) && d.instance.equals(p.instance) && d.action.equals(p.action)) {
+						// update for fields
+						// In either case, adjust Permissions
+						for(String r : d.roles) {
+							if(!p.roles.contains(r)) {
+								q.permDAO.dao().addRole(trans, d, r);
+							}
+						}
+						for(String r : p.roles) {
+							if(!d.roles.contains(r)) {
+								q.permDAO.dao().delRole(trans, d, r);
+							}
+						}
+						rv = Result.ok(d);
+					} else {
+						for(String r : d.roles) {
+							Role role = Role.keys.get(r);
+							if(role.perms.contains(p.encode())) {
+								modify.roleModify().exec(trans, role, new RoleModify.Modify() {
+									@Override
+									public PermModify permModify() {
+										return PermModify.this;
+									}
+									
+									@Override
+									public void change(RoleDAO.Data rdd) {
+										rdd.perms.remove(p.encode());
+										rdd.perms.add(d.encode());
+									}
+								});
+							}
+						}
+		
+						rv = q.permDAO.create(trans, d);
+						if(rv.isOK()) {
+							PermDAO.Data pdd = new PermDAO.Data();
+							pdd.ns = p.ns;
+							pdd.type = p.type;
+							pdd.instance = p.instance;
+							pdd.action = p.action;
+							q.permDAO.delete(trans, pdd, false);
+							trans.info().printf("Updated %s|%s|%s|%s to %s|%s|%s|%s\n", 
+								p.ns, p.type, p.instance, p.action, 
+								d.ns, d.type, d.instance, d.action);
+						} else {
+							trans.info().log(rv.errorString());
+						}
+					}
+					
+				}
+			} else {
+				rv = Result.err(rr);
+			}
+			if(rv==null) {
+				rv = Result.err(Status.ERR_General,"Never get to this code");
+			}
+	
+			return rv;
+		}
+	}
+	
+	public static interface Modify {
+		void change(PermDAO.Data ur);
+		RoleModify roleModify();
+	}
+
+	public Result<Void> delete(AuthzTrans trans, Perm p) {
+		if(dryRun) {
+			return Result.ok();
+		} else {
+			PermDAO.Data data = new PermDAO.Data();
+			data.ns=p.ns;
+			data.type = p.type;
+			data.instance = p.instance;
+			data.action = p.action;
+			return q.permDAO.delete(trans,data,false);
+		}
+	}
+	
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/RoleCreate.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/RoleCreate.java
new file mode 100644
index 00000000..50d163ab
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/RoleCreate.java
@@ -0,0 +1,66 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.io.IOException;
+
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO.Data;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.Role;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+import com.datastax.driver.core.Cluster;
+
+public class RoleCreate extends ActionDAO<Role,Data,String> {
+	public RoleCreate(AuthzTrans trans, Cluster cluster, boolean dryRun) throws APIException, IOException {
+		super(trans, cluster,dryRun);
+	}
+	
+	public RoleCreate(AuthzTrans trans, ActionDAO<?,?,?> adao) {
+		super(trans, adao);
+	}
+
+	@Override
+	public Result<Data> exec(AuthzTrans trans, Role r,String text) {
+		RoleDAO.Data rdd = new RoleDAO.Data();
+		rdd.ns = r.ns;
+		rdd.name = r.name;
+		rdd.description = r.description;
+		rdd.perms = r.perms;
+		
+		if(dryRun) {
+			trans.info().log("Would Create Role:",text,r.fullName());
+			return Result.ok(rdd);
+		} else {
+			Result<Data> rv = q.roleDAO.create(trans, rdd); // need to read for undelete
+			if(rv.isOK()) {
+				trans.info().log("Created Role:",text,r.fullName());
+			} else {
+				trans.error().log("Error Creating Role -",rv.details,":",r.fullName());
+			}
+			return rv;
+		}
+	}
+	
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/RoleDelete.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/RoleDelete.java
new file mode 100644
index 00000000..cbe3c1c5
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/RoleDelete.java
@@ -0,0 +1,62 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.io.IOException;
+
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.Role;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+import com.datastax.driver.core.Cluster;
+
+public class RoleDelete extends ActionDAO<Role,Void,String> {
+	public RoleDelete(AuthzTrans trans, Cluster cluster, boolean dryRun) throws APIException, IOException {
+		super(trans, cluster, dryRun);
+	}
+	
+	public RoleDelete(AuthzTrans trans, ActionDAO<?,?,?> adao) {
+		super(trans, adao);
+	}
+
+	@Override
+	public Result<Void> exec(AuthzTrans trans, Role r,String text) {
+		if(dryRun) {
+			trans.info().log("Would Delete Role:",text,r.fullName());
+			return Result.ok();
+		} else {
+			RoleDAO.Data rdd = new RoleDAO.Data();
+			rdd.ns = r.ns;
+			rdd.name = r.name;
+			Result<Void> rv = q.roleDAO.delete(trans, rdd, true); // need to read for undelete
+			if(rv.isOK()) {
+				trans.info().log("Deleted Role:",text,r.fullName());
+			} else {
+				trans.error().log("Error Deleting Role -",rv.details,":",r.fullName());
+			}
+			return rv;
+		}
+	}
+	
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/RoleModify.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/RoleModify.java
new file mode 100644
index 00000000..c72a9d8f
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/RoleModify.java
@@ -0,0 +1,152 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.io.IOException;
+import java.util.List;
+
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.dao.cass.RoleDAO.Data;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.Perm;
+import org.onap.aaf.auth.helpers.Role;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+import com.datastax.driver.core.Cluster;
+
+public class RoleModify extends ActionDAO<Role,RoleDAO.Data,RoleModify.Modify> {
+	public RoleModify(AuthzTrans trans, Cluster cluster, boolean dryRun) throws APIException, IOException {
+		super(trans, cluster, dryRun);
+	}
+	
+	public RoleModify(AuthzTrans trans, ActionDAO<?,?,?> adao) {
+		super(trans, adao);
+	}
+
+	@Override
+	public Result<RoleDAO.Data> exec(final AuthzTrans trans, final Role r,final RoleModify.Modify modify) {
+		Result<List<Data>> rr = q.roleDAO.read(trans, r.ns,r.name);
+		if(dryRun) {
+			if(rr.isOKhasData()) {
+				return Result.ok(rr.value.get(0));
+			} else {
+				return Result.err(Result.ERR_NotFound, "Data not Found " + r.toString());
+			}
+		} else {
+			Result<Data> rv = null;
+			if(rr.isOKhasData()) {
+				for(final Data d : rr.value) {
+					modify.change(d);
+					if(d.ns.equals(r.ns) && d.name.equals(r.name)) {
+						// update for fields
+						// In either case, adjust Roles
+						for(String p : d.perms) {
+							if(!r.perms.contains(p)) {
+								Result<PermDAO.Data> rpdd = PermDAO.Data.decode(trans, q, p);
+								if(rpdd.isOKhasData()) {
+									q.roleDAO.dao().addPerm(trans, d, rpdd.value);
+								}
+							}
+						}
+						for(String p : r.perms) {
+							if(!d.perms.contains(p)) {
+								Result<PermDAO.Data> rpdd = PermDAO.Data.decode(trans, q, p);
+								if(rpdd.isOKhasData()) {
+									q.roleDAO.dao().delPerm(trans, d, rpdd.value);
+								}
+							}
+						}
+						rv = Result.ok(d);
+					} else {				
+						for(String p : d.perms) {
+							Perm perm = Perm.keys.get(p);
+							if(perm!=null) {
+								if(perm.roles.contains(r.encode())) {
+									modify.permModify().exec(trans, perm, new PermModify.Modify() {
+										@Override
+										public RoleModify roleModify() {
+											return RoleModify.this;
+										}
+										
+										@Override
+										public void change(PermDAO.Data pdd) {
+											pdd.roles.remove(r.encode());
+											pdd.roles.add(d.encode());
+										}
+									});
+								}
+							}
+						}
+						Result<List<Data>> preexist = q.roleDAO.read(trans, d);
+						if(preexist.isOKhasData()) {
+							Data rdd = preexist.value.get(0);
+							for(String p : d.perms) {
+								Result<PermDAO.Data> perm = PermDAO.Data.decode(trans, q, p);
+								if(perm.isOKhasData()) {
+									q.roleDAO.dao().addPerm(trans,rdd, perm.value);
+								}
+							}
+							rv = Result.ok(rdd);
+						} else {
+							rv = q.roleDAO.create(trans, d);
+						}
+						if(rv.isOK()) {
+							trans.info().printf("Updating %s|%s to %s|%s", r.ns, r.name, d.ns, d.name);
+							RoleDAO.Data rmme = new RoleDAO.Data();
+							rmme.ns=r.ns;
+							rmme.name=r.name;
+							q.roleDAO.delete(trans, rmme, false);
+							
+						} else {
+							trans.info().log(rv.errorString());
+						}
+					}
+				}
+			} else {
+				rv = Result.err(rr);
+			}
+			if(rv==null) {
+				rv = Result.err(Status.ERR_General,"Never get to this code");
+			}
+			return rv;
+		}
+	}
+	
+	public static interface Modify {
+		void change(RoleDAO.Data ur);
+		PermModify permModify();
+	}
+	
+	public Result<Void> delete(AuthzTrans trans, Role r) {
+		if(dryRun) {
+			return Result.ok();
+		} else {
+			RoleDAO.Data data = new RoleDAO.Data();
+			data.ns=r.ns;
+			data.name = r.name;
+			return q.roleDAO.delete(trans,data,false);
+		}
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URAdd.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URAdd.java
new file mode 100644
index 00000000..50a5a8f0
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URAdd.java
@@ -0,0 +1,57 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.io.IOException;
+
+import org.onap.aaf.auth.dao.cass.UserRoleDAO;
+import org.onap.aaf.auth.dao.cass.UserRoleDAO.Data;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.UserRole;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import com.datastax.driver.core.Cluster;
+
+public class URAdd extends ActionDAO<UserRole,UserRoleDAO.Data,String> {
+	public URAdd(AuthzTrans trans, Cluster cluster, boolean dryRun) throws APIException, IOException {
+		super(trans, cluster,dryRun);
+	}
+	
+	public URAdd(AuthzTrans trans, ActionDAO<?,?,?> adao) {
+		super(trans, adao);
+	}
+
+	@Override
+	public Result<Data> exec(AuthzTrans trans, UserRole ur, String text) {
+		if(dryRun) {
+			trans.info().log("Would Add:",text,ur.role(),ur.user(),"on",Chrono.dateOnlyStamp(ur.expires()));
+			return Result.ok(ur.urdd());
+		} else {
+			Result<Data> rv = q.userRoleDAO.create(trans, ur.urdd());
+			trans.info().log("Added:",text,ur.role(),ur.user(),"on",Chrono.dateOnlyStamp(ur.expires()));
+			return rv;
+		}
+	}
+	
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URDelete.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URDelete.java
new file mode 100644
index 00000000..9bc7da49
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URDelete.java
@@ -0,0 +1,59 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.io.IOException;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.UserRole;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import com.datastax.driver.core.Cluster;
+
+public class URDelete extends ActionDAO<UserRole,Void,String> {
+	public URDelete(AuthzTrans trans, Cluster cluster, boolean dryRun) throws APIException, IOException {
+		super(trans, cluster,dryRun);
+	}
+	
+	public URDelete(AuthzTrans trans, ActionDAO<?,?,?> adao) {
+		super(trans, adao);
+	}
+
+	@Override
+	public Result<Void> exec(AuthzTrans trans, UserRole ur,String text) {
+		if(dryRun) {
+			trans.info().log("Would Delete UserRole:",text,ur.user(),ur.role(),"on",Chrono.dateOnlyStamp(ur.expires()));
+			return Result.ok();
+		} else {
+			Result<Void> rv = q.userRoleDAO.delete(trans,ur.urdd(), true); // need to read for undelete
+			if(rv.isOK()) {
+				trans.info().log("Deleted UserRole:",text,ur.user(),ur.role(),"on",Chrono.dateOnlyStamp(ur.expires()));
+			} else {
+				trans.error().log("Error Deleting User Role -",rv.details,":",ur.user(),ur.role(),"on",Chrono.dateOnlyStamp(ur.expires()) );
+			}
+		return rv;
+		}
+	}
+	
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URFutureApprove.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URFutureApprove.java
new file mode 100644
index 00000000..17d9cc01
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URFutureApprove.java
@@ -0,0 +1,111 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.io.IOException;
+import java.util.Date;
+import java.util.GregorianCalendar;
+
+import org.onap.aaf.auth.dao.cass.FutureDAO;
+import org.onap.aaf.auth.dao.cass.NsDAO;
+import org.onap.aaf.auth.dao.hl.Function;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.dao.hl.Function.FUTURE_OP;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.Approval;
+import org.onap.aaf.auth.helpers.UserRole;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.org.Organization.Expiration;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import com.datastax.driver.core.Cluster;
+
+public class URFutureApprove extends ActionDAO<UserRole, String,String> implements Action<UserRole,String,String>, Key<UserRole> {
+	private final Date start, expires;
+
+	public URFutureApprove(AuthzTrans trans, Cluster cluster, boolean dryRun) throws APIException, IOException {
+		super(trans,cluster, dryRun);
+		GregorianCalendar gc = new GregorianCalendar();
+		start = gc.getTime();
+		expires = trans.org().expiration(gc, Expiration.Future).getTime();
+	}
+	
+	public URFutureApprove(AuthzTrans trans, ActionDAO<?,?,?> adao) {
+		super(trans, adao);
+		GregorianCalendar gc = new GregorianCalendar();
+		start = gc.getTime();
+		expires = trans.org().expiration(gc, Expiration.Future).getTime();
+	}
+
+	@Override
+	public Result<String> exec(AuthzTrans trans, UserRole ur,String text) {
+		if(dryRun) {
+			return Result.ok(text);
+		} else {
+			Result<NsDAO.Data> rns = q.deriveNs(trans, ur.ns());
+			if(rns.isOK()) {
+				
+				FutureDAO.Data data = new FutureDAO.Data();
+				data.id=null; // let Create function assign UUID
+				data.target=Function.FOP_USER_ROLE;
+				
+				data.memo = key(ur);
+				data.start = start;
+				data.expires = ur.expires();
+				try {
+					data.construct = ur.urdd().bytify();
+				} catch (IOException e) {
+					return Result.err(e);
+				}
+				Result<String> rfuture = f.createFuture(trans, data, Function.FOP_USER_ROLE, ur.user(), rns.value, FUTURE_OP.A);
+				if(rfuture.isOK()) {
+					trans.info().log(rfuture.value, text, ur.user(), data.memo);
+				} else {
+					trans.error().log(rfuture.details, text);
+				}
+				return rfuture;
+			} else {
+				return Result.err(rns);
+			}
+		}
+	}
+	
+	@Override
+	public String key(UserRole ur) {
+		String expire;
+		if(expires.before(start)) {
+			expire = "' - EXPIRED ";
+		} else {
+			expire = "' - expiring ";
+		}
+		
+		if(Question.OWNER.equals(ur.rname())) {
+			return Approval.RE_VALIDATE_OWNER + ur.ns() + expire + Chrono.dateOnlyStamp(ur.expires());
+		} else if(Question.ADMIN.equals(ur.rname())) {
+			return Approval.RE_VALIDATE_ADMIN + ur.ns() + expire + Chrono.dateOnlyStamp(ur.expires());
+		} else {
+			return Approval.RE_APPROVAL_IN_ROLE + ur.role() + expire + Chrono.dateOnlyStamp(ur.expires());
+		}
+	}
+
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URFutureApproveExec.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URFutureApproveExec.java
new file mode 100644
index 00000000..6cf2c53e
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URFutureApproveExec.java
@@ -0,0 +1,108 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.onap.aaf.auth.dao.cass.ApprovalDAO;
+import org.onap.aaf.auth.dao.cass.UserRoleDAO;
+import org.onap.aaf.auth.dao.cass.ApprovalDAO.Data;
+import org.onap.aaf.auth.dao.hl.Function.FUTURE_OP;
+import org.onap.aaf.auth.dao.hl.Function.Lookup;
+import org.onap.aaf.auth.dao.hl.Function.OP_STATUS;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.Approval;
+import org.onap.aaf.auth.helpers.Future;
+import org.onap.aaf.auth.helpers.UserRole;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+import com.datastax.driver.core.Cluster;
+
+public class URFutureApproveExec extends ActionDAO<List<Approval>, OP_STATUS, Future> {
+
+	public URFutureApproveExec(AuthzTrans trans, Cluster cluster, boolean dryRun) throws APIException, IOException {
+		super(trans,cluster, dryRun);
+	}
+	
+	public URFutureApproveExec(AuthzTrans trans, ActionDAO<?,?,?> adao) {
+		super(trans, adao);
+	}
+
+	@Override
+	public Result<OP_STATUS> exec(AuthzTrans trans, List<Approval> app, Future future) {
+		if(dryRun) {
+			return Result.err(Result.ERR_ActionNotCompleted,"Not Executed");
+		} else {
+			// Save on Lookups
+			final List<ApprovalDAO.Data> apprs = new ArrayList<ApprovalDAO.Data>();
+			final List<UserRoleDAO.Data> urs = new ArrayList<UserRoleDAO.Data>();
+			for(Approval a : app) {
+				apprs.add(a.add);
+				UserRole ur = UserRole.get(a.add.user, future.role);
+				if(ur!=null) {
+					urs.add(ur.urdd());
+				}
+			}
+			Result<OP_STATUS> rv = f.performFutureOp(trans, FUTURE_OP.A, future.fdd,
+				new Lookup<List<ApprovalDAO.Data>>() {
+					@Override
+					public List<Data> get(AuthzTrans trans, Object ... noop) {
+						return apprs;
+					}
+				},
+				new Lookup<UserRoleDAO.Data>() {
+					@Override
+					public UserRoleDAO.Data get(AuthzTrans trans, Object ... keys) {
+						List<UserRole> lur = UserRole.byUser.get(keys[0]);
+						if(lur!=null) {
+							for(UserRole ur : lur) {
+								if(ur.role().equals(keys[1])) {
+									return ur.urdd();
+								}
+							}
+						}
+						return null;
+					}
+				});
+			if(rv.isOK()) {
+				switch(rv.value) {
+					case D:
+						trans.info().printf("Denied %s on %s", future.memo(),future.fdd.target);
+						break;
+					case E:
+						trans.info().printf("Completed %s on %s", future.memo(),future.fdd.target);
+						break;
+					case L:
+						trans.info().printf("Future %s on %s has lapsed", future.memo(),future.fdd.target);
+						break;
+					default:
+				}
+			} else {
+				trans.error().log("Error completing",future.memo(),rv.errorString());
+			}
+			return rv;
+		}
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URFuturePrint.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URFuturePrint.java
new file mode 100644
index 00000000..83a24c21
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URFuturePrint.java
@@ -0,0 +1,41 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.UserRole;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.util.Chrono;
+
+
+public class URFuturePrint implements  Action<UserRole,String,String> {
+	private String info;
+
+	public URFuturePrint(String text) {
+		this.info = text;
+	}
+
+	@Override
+	public Result<String> exec(AuthzTrans trans, UserRole ur, String text) {
+		trans.info().log(info,text,ur.user(),"to",ur.role(),"on",Chrono.dateOnlyStamp(ur.expires()));
+		return Result.ok(info);
+	}}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URModify.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URModify.java
new file mode 100644
index 00000000..3f65a6a4
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URModify.java
@@ -0,0 +1,80 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.io.IOException;
+import java.util.List;
+
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.dao.cass.UserRoleDAO;
+import org.onap.aaf.auth.dao.cass.UserRoleDAO.Data;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.UserRole;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+import com.datastax.driver.core.Cluster;
+
+public class URModify extends ActionDAO<UserRole,Void,URModify.Modify> {
+	public URModify(AuthzTrans trans, Cluster cluster, boolean dryRun) throws APIException, IOException {
+		super(trans, cluster,dryRun);
+	}
+	
+	public URModify(AuthzTrans trans, ActionDAO<?,?,?> adao) {
+		super(trans, adao);
+	}
+
+	@Override
+	public Result<Void> exec(AuthzTrans trans, UserRole ur,Modify modify) {
+		if(dryRun) {
+			trans.info().printf("Would Update %s %s", ur.user(), ur.role());
+			return Result.ok();
+		} else {
+			Result<List<Data>> rr = q.userRoleDAO.read(trans, ur.user(),ur.role());
+			if(rr.notOKorIsEmpty()) {
+				return Result.err(rr);
+			}
+			for(Data d : rr.value) {
+				modify.change(d);
+				if(!(ur.expires().equals(d.expires))) {
+					ur.expires(d.expires);
+				}
+				if(ur.user().equals(d.user) && ur.role().equals(d.role)){
+					Result<Void> rv = q.userRoleDAO.update(trans, d);
+					if(rv.isOK()) {
+						trans.info().printf("Updated %s %s to %s", ur.user(), ur.role(), d.toString());
+					} else {
+						trans.info().log(rv.errorString());
+					}
+				} else {
+					return Result.err(Status.ERR_Denied, "You cannot change the key of this Data");
+				}
+			}
+			return Result.err(Status.ERR_UserRoleNotFound,"No User Role with %s %s",ur.user(),ur.role());
+		}
+	}
+	
+	public static interface Modify {
+		void change(UserRoleDAO.Data ur);
+	}
+	
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URPrint.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URPrint.java
new file mode 100644
index 00000000..a9bdf9ca
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URPrint.java
@@ -0,0 +1,42 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.UserRole;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.util.Chrono;
+
+public class URPrint implements Action<UserRole,Void,String> {
+	private String info;
+
+	public URPrint(String text) {
+		this.info = text;
+	}
+
+	@Override
+	public Result<Void> exec(AuthzTrans trans, UserRole ur, String text) {
+		trans.info().log(info,text,ur.user(),"to",ur.role(),"expiring on",Chrono.dateOnlyStamp(ur.expires()));
+		return Result.ok();
+	}
+
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URPunt.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URPunt.java
new file mode 100644
index 00000000..8676ef33
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URPunt.java
@@ -0,0 +1,70 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions;
+
+import java.io.IOException;
+import java.util.Date;
+import java.util.List;
+
+import org.onap.aaf.auth.dao.cass.UserRoleDAO;
+import org.onap.aaf.auth.dao.cass.UserRoleDAO.Data;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.UserRole;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import com.datastax.driver.core.Cluster;
+
+public class URPunt extends ActionPuntDAO<UserRole,Void,String> {
+	public URPunt(AuthzTrans trans, Cluster cluster, int months, int range, boolean dryRun) throws APIException, IOException {
+		super(trans,cluster, months, range,dryRun);
+	}
+
+	public URPunt(AuthzTrans trans, ActionDAO<?,?,?> adao, int months, int range) {
+		super(trans, adao, months, range);
+	}
+
+	public Result<Void> exec(AuthzTrans trans, UserRole ur, String text) {
+		if(dryRun) {
+			trans.info().log("Would Update User",ur.user(),"and Role", ur.role(), text);
+			return Result.ok();
+		} else {
+			Result<List<Data>> read = q.userRoleDAO.read(trans, ur.user(), ur.role());
+			if(read.isOK()) {
+				for(UserRoleDAO.Data data : read.value) {
+					Date from = data.expires;
+					data.expires = puntDate(from);
+					if(data.expires.compareTo(from)<=0) {
+						trans.debug().printf("Error: %s is same or before %s", Chrono.dateOnlyStamp(data.expires), Chrono.dateOnlyStamp(from));
+					} else {
+						trans.info().log("Updating User",ur.user(),"and Role", ur.role(), "from",Chrono.dateOnlyStamp(from),"to",Chrono.dateOnlyStamp(data.expires), text);
+						q.userRoleDAO.update(trans, data);
+					}
+				}
+				return Result.ok();
+			} else {
+				return Result.err(read);
+			}
+		}
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/entryConverters/AafEntryConverter.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/entryConverters/AafEntryConverter.java
new file mode 100644
index 00000000..637ee569
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/entryConverters/AafEntryConverter.java
@@ -0,0 +1,46 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.entryConverters;
+
+import java.util.Set;
+
+public abstract class AafEntryConverter {
+
+	protected String formatSet(Set<String> set) {
+		if (set==null || set.isEmpty()) return "";
+		StringBuilder sb = new StringBuilder();
+		int curr = 0;
+		sb.append("{");
+		for (String s : set) {
+			sb.append("'");
+			sb.append(s);
+			sb.append("'");
+			if (set.size() != curr + 1) {
+				sb.append(",");
+			}
+			curr++;
+		}
+		sb.append("}");
+		return sb.toString();
+	}
+
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/entryConverters/CredEntryConverter.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/entryConverters/CredEntryConverter.java
new file mode 100644
index 00000000..6153e75e
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/entryConverters/CredEntryConverter.java
@@ -0,0 +1,48 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.entryConverters;
+
+import java.text.DateFormat;
+import java.text.SimpleDateFormat;
+
+import org.onap.aaf.auth.dao.cass.CredDAO;
+
+import com.datastax.driver.core.utils.Bytes;
+import com.googlecode.jcsv.writer.CSVEntryConverter;
+
+public class CredEntryConverter extends AafEntryConverter implements CSVEntryConverter<CredDAO.Data> {
+	private static final String DATE_FORMAT = "yyyy-MM-dd HH:mm:ssZ";
+	
+	@Override
+	public String[] convertEntry(CredDAO.Data cd) {
+		String[] columns = new String[5];
+		
+		columns[0] = cd.id;
+		columns[1] = String.valueOf(cd.type);
+		DateFormat df = new SimpleDateFormat(DATE_FORMAT);
+		columns[2] = df.format(cd.expires);
+		columns[3] = Bytes.toHexString(cd.cred);
+		columns[4] = (cd.ns==null)?"":cd.ns;
+		
+		return columns;
+	}
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/entryConverters/NsEntryConverter.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/entryConverters/NsEntryConverter.java
new file mode 100644
index 00000000..b2767ab4
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/entryConverters/NsEntryConverter.java
@@ -0,0 +1,46 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.entryConverters;
+
+import org.onap.aaf.auth.dao.cass.NsDAO;
+
+import com.googlecode.jcsv.writer.CSVEntryConverter;
+
+public class NsEntryConverter extends AafEntryConverter implements CSVEntryConverter<NsDAO.Data> {
+
+	@Override
+	public String[] convertEntry(NsDAO.Data nsd) {
+		String[] columns = new String[5];
+		
+		columns[0] = nsd.name;
+		// Jonathan changed from "scope" to "type"
+		columns[1] = String.valueOf(nsd.type);
+		//TODO Chris: need to look at this 
+//		columns[2] = formatSet(nsd.admin);
+//		columns[3] = formatSet(nsd.responsible);
+//		columns[4] = nsd.description==null?"":nsd.description;
+		columns[5] = nsd.description==null?"":nsd.description;
+		
+		return columns;
+	}
+
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/entryConverters/PermEntryConverter.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/entryConverters/PermEntryConverter.java
new file mode 100644
index 00000000..12995f68
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/entryConverters/PermEntryConverter.java
@@ -0,0 +1,43 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.entryConverters;
+
+import org.onap.aaf.auth.dao.cass.PermDAO;
+
+import com.googlecode.jcsv.writer.CSVEntryConverter;
+
+public class PermEntryConverter extends AafEntryConverter implements CSVEntryConverter<PermDAO.Data>  {
+
+		@Override
+		public String[] convertEntry(PermDAO.Data pd) {
+			String[] columns = new String[6];
+			
+			columns[0] = pd.ns;
+			columns[1] = pd.type;
+			columns[2] = pd.instance;
+			columns[3] = pd.action;
+			columns[4] = formatSet(pd.roles);
+			columns[5] = pd.description==null?"":pd.description;
+			
+			return columns;
+		}
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/entryConverters/RoleEntryConverter.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/entryConverters/RoleEntryConverter.java
new file mode 100644
index 00000000..e236f3c3
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/entryConverters/RoleEntryConverter.java
@@ -0,0 +1,42 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.entryConverters;
+
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+
+import com.googlecode.jcsv.writer.CSVEntryConverter;
+
+public class RoleEntryConverter extends AafEntryConverter implements CSVEntryConverter<RoleDAO.Data>  {
+
+	@Override
+	public String[] convertEntry(RoleDAO.Data rd) {
+		String[] columns = new String[4];
+		
+		columns[0] = rd.ns;
+		columns[1] = rd.name;
+		columns[2] = formatSet(rd.perms);
+		columns[3] = rd.description==null?"":rd.description;
+		
+		return columns;
+	}
+
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/entryConverters/UserRoleEntryConverter.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/entryConverters/UserRoleEntryConverter.java
new file mode 100644
index 00000000..8730f945
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/entryConverters/UserRoleEntryConverter.java
@@ -0,0 +1,45 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.entryConverters;
+
+import java.text.DateFormat;
+import java.text.SimpleDateFormat;
+
+import org.onap.aaf.auth.dao.cass.UserRoleDAO;
+
+import com.googlecode.jcsv.writer.CSVEntryConverter;
+
+public class UserRoleEntryConverter extends AafEntryConverter implements CSVEntryConverter<UserRoleDAO.Data> {
+	private static final String DATE_FORMAT = "yyyy-MM-dd HH:mm:ssZ";
+	
+	@Override
+	public String[] convertEntry(UserRoleDAO.Data urd) {
+		String[] columns = new String[3];
+		
+		columns[0] = urd.user;
+		columns[1] = urd.role;
+		DateFormat df = new SimpleDateFormat(DATE_FORMAT);
+		columns[2] = df.format(urd.expires);
+		
+		return columns;
+	}
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Approval.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Approval.java
new file mode 100644
index 00000000..0bd9397c
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Approval.java
@@ -0,0 +1,309 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.helpers;
+
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.List;
+import java.util.TreeMap;
+import java.util.UUID;
+
+import org.onap.aaf.auth.dao.cass.ApprovalDAO;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.Row;
+import com.datastax.driver.core.Session;
+import com.datastax.driver.core.SimpleStatement;
+import com.datastax.driver.core.Statement;
+
+public class Approval implements CacheChange.Data  {
+	public static final String RE_APPROVAL_IN_ROLE = "Re-Approval in Role '";
+	public static final String RE_VALIDATE_ADMIN = "Re-Validate as Administrator for AAF Namespace '";
+	public static final String RE_VALIDATE_OWNER = "Re-Validate Ownership for AAF Namespace '";
+
+	public static TreeMap<String,List<Approval>> byApprover = new TreeMap<String,List<Approval>>();
+	public static TreeMap<String,List<Approval>> byUser = new TreeMap<String,List<Approval>>();
+	public static TreeMap<UUID,List<Approval>> byTicket = new TreeMap<UUID,List<Approval>>();
+	private final static CacheChange<Approval> cache = new CacheChange<Approval>(); 
+	
+	public final ApprovalDAO.Data add;
+	private String role;
+	
+	public Approval(UUID id, UUID ticket, String approver, Date last_notified, 
+			String user, String memo, String operation, String status, String type, long updated) {
+		add = new ApprovalDAO.Data();
+		add.id = id;
+		add.ticket = ticket;
+		add.approver = approver;
+		add.last_notified = last_notified;
+		add.user = user;
+		add.memo = memo;
+		add.operation = operation;
+		add.status = status;
+		add.type = type;
+		add.updated = new Date(updated);
+		role = roleFromMemo(memo);
+	}
+	
+	public static String roleFromMemo(String memo) {
+		if(memo==null) {
+			return null;
+		}
+		int first = memo.indexOf('\'');
+		if(first>=0) {
+			int second = memo.indexOf('\'', ++first);
+			if(second>=0) {
+				String role = memo.substring(first, second);
+				if(memo.startsWith(RE_VALIDATE_ADMIN)) {
+					return role + ".admin";
+				} else if(memo.startsWith(RE_VALIDATE_OWNER)) {
+					return role + ".owner";
+				} else if(memo.startsWith(RE_APPROVAL_IN_ROLE)) {
+					return role;
+				}
+			}
+		}
+		return null;
+	}
+
+	public static void load(Trans trans, Session session, Creator<Approval> creator ) {
+		trans.info().log( "query: " + creator.select() );
+        TimeTaken tt = trans.start("Load Notify", Env.REMOTE);
+       
+        ResultSet results;
+		try {
+	        Statement stmt = new SimpleStatement(creator.select());
+	        results = session.execute(stmt);
+        } finally {
+        	tt.done();
+        }
+		int count = 0;
+        tt = trans.start("Process Notify", Env.SUB);
+
+        try {
+	        	List<Approval> ln;
+	        	for(Row row : results.all()) {
+	        		++count;
+			        try {
+				        	Approval app = creator.create(row);
+				        	String person = app.getApprover();
+				        	if(person!=null) {
+					        ln = byApprover.get(person);
+					        	if(ln==null) {
+					        		ln = new ArrayList<Approval>();
+					        		byApprover.put(app.getApprover(), ln);
+					        	}
+					        	ln.add(app);
+				        	}
+				        	
+				        	
+				        person = app.getUser();
+				        	if(person!=null) {
+				        		ln = byUser.get(person);
+					        	if(ln==null) {
+					        		ln = new ArrayList<Approval>();
+					        		byUser.put(app.getUser(), ln);
+					        	}
+					        	ln.add(app);
+				        	}
+				        	UUID ticket = app.getTicket();
+				        	if(ticket!=null) {
+					        	ln = byTicket.get(ticket);
+					        	if(ln==null) {
+					        		ln = new ArrayList<Approval>();
+					        		byTicket.put(app.getTicket(), ln);
+					        	}
+					        ln.add(app);
+				        	}
+			        } finally {
+			        	tt.done();
+			        }
+	        	}
+        } finally {
+        	tt.done();
+        	trans.info().log("Found",count,"Approval Records");
+        }
+	}
+	
+	@Override
+	public void expunge() {
+		List<Approval> la = byApprover.get(getApprover());
+		if(la!=null) {
+			la.remove(this);
+		}
+		
+		la = byUser.get(getUser());
+		if(la!=null) {
+			la.remove(this);
+		}
+		UUID ticket = this.add==null?null:this.add.ticket;
+		if(ticket!=null) {
+			la = byTicket.get(this.add.ticket);
+			if(la!=null) {
+				la.remove(this);
+			}
+		}
+	}
+
+	public void update(AuthzTrans trans, ApprovalDAO apprDAO, boolean dryRun) {
+		if(dryRun) {
+			trans.info().printf("Would update Approval %s, %s, last_notified %s",add.id,add.status,add.last_notified);
+		} else {
+			trans.info().printf("Update Approval %s, %s, last_notified %s",add.id,add.status,add.last_notified);
+			apprDAO.update(trans, add);
+		}
+	}
+
+	public static Creator<Approval> v2_0_17 = new Creator<Approval>() {
+		@Override
+		public Approval create(Row row) {
+			return new Approval(row.getUUID(0), row.getUUID(1), row.getString(2), row.getTimestamp(3),
+					row.getString(4),row.getString(5),row.getString(6),row.getString(7),row.getString(8)
+					,row.getLong(9)/1000);
+		}
+
+		@Override
+		public String select() {
+			return "select id,ticket,approver,last_notified,user,memo,operation,status,type,WRITETIME(status) from authz.approval";
+		}
+	};
+
+	/**
+	 * @return the lastNotified
+	 */
+	public Date getLast_notified() {
+		return add.last_notified;
+	}
+	/**
+	 * @param lastNotified the lastNotified to set
+	 */
+	public void setLastNotified(Date last_notified) {
+		add.last_notified = last_notified;
+	}
+	/**
+	 * @return the status
+	 */
+	public String getStatus() {
+		return add.status;
+	}
+	/**
+	 * @param status the status to set
+	 */
+	public void setStatus(String status) {
+		add.status = status;
+	}
+	/**
+	 * @return the id
+	 */
+	public UUID getId() {
+		return add.id;
+	}
+	/**
+	 * @return the ticket
+	 */
+	public UUID getTicket() {
+		return add.ticket;
+	}
+	/**
+	 * @return the approver
+	 */
+	public String getApprover() {
+		return add.approver;
+	}
+	/**
+	 * @return the user
+	 */
+	public String getUser() {
+		return add.user;
+	}
+	/**
+	 * @return the memo
+	 */
+	public String getMemo() {
+		return add.memo;
+	}
+	/**
+	 * @return the operation
+	 */
+	public String getOperation() {
+		return add.operation;
+	}
+	/**
+	 * @return the type
+	 */
+	public String getType() {
+		return add.type;
+	}
+	public void lapsed() {
+		add.ticket=null;
+		add.status="lapsed";
+	}
+	
+	public String getRole() {
+		return role;
+	}
+	
+	public String toString() {
+		return getUser() + ' ' + getMemo();
+	}
+
+	public void delayDelete(AuthzTrans trans, ApprovalDAO ad, boolean dryRun, String text) {
+		if(dryRun) {
+			trans.info().log(text,"- Would Delete: Approval",getId(),"on ticket",getTicket(),"for",getApprover());
+		} else {
+			Result<Void> rv = ad.delete(trans, add, false);
+			if(rv.isOK()) {
+				trans.info().log(text,"- Deleted: Approval",getId(),"on ticket",getTicket(),"for",getApprover());
+				cache.delayedDelete(this);
+			} else {
+				trans.info().log(text,"- Failed to Delete Approval",getId());
+			}
+		}
+	}
+	
+
+	public static void resetLocalData() {
+		cache.resetLocalData();
+	}
+	
+	public static int sizeForDeletion() {
+		return cache.cacheSize();
+	}
+
+	public static void delayDelete(AuthzTrans noAvg, ApprovalDAO apprDAO, boolean dryRun, List<Approval> list, String text) {
+		if(list!=null) {
+			for(Approval a : list) {
+				a.delayDelete(noAvg, apprDAO, dryRun,text);
+			}
+		}
+	}
+
+	public static boolean pendingDelete(Approval a) {
+		return cache.contains(a);
+	}
+
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Approver.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Approver.java
new file mode 100644
index 00000000..6043e436
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Approver.java
@@ -0,0 +1,62 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.helpers;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.onap.aaf.auth.actions.Message;
+import org.onap.aaf.auth.org.Organization;
+
+public class Approver {
+	public String name;
+	public Organization org;
+	public Map<String, Integer> userRequests;
+	
+	public Approver(String approver, Organization org) {
+		this.name = approver;
+		this.org = org;
+		userRequests = new HashMap<String, Integer>();
+	}
+	
+	public void addRequest(String user) {
+		if (userRequests.get(user) == null) {
+		    userRequests.put(user, 1);
+		} else {
+			Integer curCount = userRequests.remove(user);
+			userRequests.put(user, curCount+1);
+		}
+	}
+	
+	/**
+	 * @param sb
+	 * @return
+	 */
+	public void build(Message msg) {
+		msg.clear();
+		msg.line("You have %d total pending approvals from the following users:", userRequests.size());
+		for (Map.Entry<String, Integer> entry : userRequests.entrySet()) {
+			msg.line("  %s (%d)",entry.getKey(),entry.getValue());
+		}
+	}
+
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/CacheChange.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/CacheChange.java
new file mode 100644
index 00000000..02f34d28
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/CacheChange.java
@@ -0,0 +1,63 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.helpers;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class CacheChange<T extends CacheChange.Data> {
+	private List<T> removed;
+	
+	public CacheChange() {
+		removed = new ArrayList<T>();
+	}
+	
+	interface Data {
+		public abstract void expunge();
+	}
+	
+	public final void delayedDelete(T t) {
+		removed.add(t);
+	}
+	
+	public final List<T> getRemoved() {
+		return removed;
+	}
+	
+	public final void resetLocalData() {
+		if(removed==null || removed.isEmpty()) {
+			return;
+		}
+		for(T t : removed) {
+			t.expunge();
+		}
+		removed.clear();
+	}
+
+	public int cacheSize() {
+		return removed.size();
+	}
+
+	public boolean contains(T t) {
+		return removed.contains(t);
+	}
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Creator.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Creator.java
new file mode 100644
index 00000000..da6d558c
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Creator.java
@@ -0,0 +1,41 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.helpers;
+
+import com.datastax.driver.core.Row;
+
+public abstract class Creator<T> {
+	public abstract T create(Row row);
+	public abstract String select();
+	
+	public String query(String where) {
+		StringBuilder sb = new StringBuilder(select());
+		if(where!=null) {
+			sb.append(" WHERE ");
+			sb.append(where);
+		}
+		sb.append(';');
+		return sb.toString();
+	}
+
+
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Cred.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Cred.java
new file mode 100644
index 00000000..58af03b5
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Cred.java
@@ -0,0 +1,306 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.helpers;
+
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.GregorianCalendar;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+import java.util.TreeMap;
+
+import org.onap.aaf.auth.dao.cass.CredDAO;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.Row;
+import com.datastax.driver.core.Session;
+import com.datastax.driver.core.SimpleStatement;
+import com.datastax.driver.core.Statement;
+
+public class Cred  {
+    public static final TreeMap<String,Cred> data = new TreeMap<String,Cred>();
+    public static final TreeMap<String,List<Cred>> byNS = new TreeMap<String,List<Cred>>();
+
+	public final String id;
+	public final List<Instance> instances;
+	public final String ns;
+	
+	public Cred(String id) {
+		this.id = id;
+		instances = new ArrayList<Instance>();
+		ns=Question.domain2ns(id);
+	}
+	
+	public static class Instance {
+		public final int type;
+		public final Date expires,written;
+		public final Integer other;
+		
+		public Instance(int type, Date expires, Integer other, long written) {
+			this.type = type;
+			this.expires = expires;
+			this.other = other;
+			this.written = new Date(written);
+		}
+	}
+	
+	public Date last(final int ... types) {
+		Date last = null;
+		for(Instance i : instances) {
+        	if(types.length>0) { // filter by types, if requested
+        		boolean quit = true;
+        		for(int t : types) {
+        			if(t==i.type) {
+        				quit=false;
+        				break;
+        			}
+        		}
+        		if(quit) {
+        			continue;
+        		}
+        	}
+			if(last==null || i.expires.after(last)) {
+				last = i.expires;
+			}
+		}
+		return last;
+	}
+
+	
+	public Set<Integer> types() {
+		Set<Integer> types = new HashSet<Integer>();
+		for(Instance i : instances) {
+			types.add(i.type);
+		}
+		return types;
+	}
+
+	public static void load(Trans trans, Session session, int ... types ) {
+		load(trans, session,"select id, type, expires, other, writetime(cred) from authz.cred;",types);
+		
+	}
+
+	public static void loadOneNS(Trans trans, Session session, String ns,int ... types ) {
+		load(trans, session,"select id, type, expires, other, writetime(cred) from authz.cred WHERE ns='" + ns + "';");
+	}
+
+	private static void load(Trans trans, Session session, String query, int ...types) {
+
+        trans.info().log( "query: " + query );
+        TimeTaken tt = trans.start("Read Creds", Env.REMOTE);
+       
+        ResultSet results;
+		try {
+	        Statement stmt = new SimpleStatement( query );
+	        results = session.execute(stmt);
+        } finally {
+        	tt.done();
+        }
+		int count = 0;
+        try {
+	        Iterator<Row> iter = results.iterator();
+	        Row row;
+	        int type; // for filtering
+	        String id;
+	        tt = trans.start("Load Credentials", Env.SUB);
+	        try {
+		        while(iter.hasNext()) {
+		        	++count;
+		        	row = iter.next();
+		        	id = row.getString(0);
+		        	type = row.getInt(1);
+		        	if(types.length>0) { // filter by types, if requested
+		        		boolean quit = true;
+		        		for(int t : types) {
+		        			if(t==type) {
+		        				quit=false;
+		        				break;
+		        			}
+		        		}
+		        		if(quit) {
+		        			continue;
+		        		}
+		        	}
+		        	Cred cred = data.get(id);
+		        	if(cred==null) {
+		        		cred = new Cred(id);
+		        		data.put(id, cred);
+		        	}
+		        	cred.instances.add(new Instance(type, row.getTimestamp(2), row.getInt(3), row.getLong(4)/1000));
+		        	
+		        	List<Cred> lscd = byNS.get(cred.ns);
+		        	if(lscd==null) {
+		        		byNS.put(cred.ns, (lscd=new ArrayList<Cred>()));
+		        	}
+		        	boolean found = false;
+		        	for(Cred c : lscd) {
+		        		if(c.id.equals(cred.id)) {
+		        			found=true;
+		        			break;
+		        		}
+		        	}
+		        	if(!found) {
+		        		lscd.add(cred);
+		        	}
+		        }
+	        } finally {
+	        	tt.done();
+	        }
+        } finally {
+        	trans.info().log("Found",count,"creds");
+        }
+	}
+	
+	/** 
+	 * Count entries in Cred data.
+	 * Note, as opposed to other methods, need to load the whole cred table for the Types.
+	 * @param numbuckets 
+	 * @return
+	 */
+	public static CredCount count(int numbuckets) {
+		CredCount cc = new CredCount(numbuckets);
+		for(Cred c : data.values()) {
+			for (Instance ci : c.instances) {
+				cc.inc(ci.type,ci.written, ci.expires);
+			}
+		}
+		return cc;
+//		String query = "select count(*) from authz.cred LIMIT 1000000;";
+//        trans.info().log( "query: " + query );
+//        TimeTaken tt = trans.start("Count Credentials", Env.REMOTE);
+//        ResultSet results;
+//        try {
+//        	Statement stmt = new SimpleStatement(query).setReadTimeoutMillis(12000);
+//	        results = session.execute(stmt);
+//	        return results.one().getLong(0);
+//        } finally {
+//        	tt.done();
+//        }
+	}
+
+	public static class CredCount {
+		public int raw[];
+		public int basic_auth[];
+		public int basic_auth_256[];
+		public int cert[];
+		public int x509Added[];
+		public int x509Expired[];
+		public Date dates[];
+		
+		public CredCount(int numbuckets) {
+			raw = new int[numbuckets];
+			basic_auth = new int[numbuckets];
+			basic_auth_256 = new int[numbuckets];
+			cert = new int[numbuckets];
+			x509Added = new int[numbuckets];
+			x509Expired = new int[numbuckets];
+			dates = new Date[numbuckets];
+			GregorianCalendar gc = new GregorianCalendar();
+			dates[0]=gc.getTime(); // now
+			gc.set(GregorianCalendar.DAY_OF_MONTH, 1);
+			gc.set(GregorianCalendar.HOUR, 0);
+			gc.set(GregorianCalendar.MINUTE, 0);
+			gc.set(GregorianCalendar.SECOND,0);
+			gc.set(GregorianCalendar.MILLISECOND,0);
+			gc.add(GregorianCalendar.MILLISECOND, -1); // last milli of month
+			for(int i=1;i<numbuckets;++i) {
+				dates[i] = gc.getTime();
+				gc.add(GregorianCalendar.MONTH, -1);
+			}
+			
+		}
+		
+		public void inc(int type, Date start, Date expires) {
+			for(int i=0;i<dates.length-1;++i) {
+				if(start.before(dates[i])) {
+					if(type==CredDAO.CERT_SHA256_RSA) {
+						if(start.after(dates[i+1])) {
+							++x509Added[i];
+						}
+					}
+					if(expires.after(dates[i])) {
+						switch(type) {
+							case CredDAO.RAW:
+								++raw[i];
+								break;
+							case CredDAO.BASIC_AUTH:
+								++basic_auth[i];
+								break;
+							case CredDAO.BASIC_AUTH_SHA256:
+								++basic_auth_256[i];
+								break;
+							case CredDAO.CERT_SHA256_RSA:
+								++cert[i];
+								break;
+						}
+					}
+				}
+			}
+		}
+
+		public long authCount(int idx) {
+			return basic_auth[idx]+basic_auth_256[idx];
+		}
+		
+		public long x509Count(int idx) {
+			return cert[idx];
+		}
+
+	}
+	
+	public String toString() {
+		StringBuilder sb = new StringBuilder(id);
+		sb.append('[');
+		for(Instance i : instances) {
+			sb.append('{');
+			sb.append(i.type);
+			sb.append(",\"");
+			sb.append(i.expires);
+			sb.append("\"}");
+		}
+		sb.append(']');
+		return sb.toString();
+	}
+
+	/* (non-Javadoc)
+	 * @see java.lang.Object#hashCode()
+	 */
+	@Override
+	public int hashCode() {
+		return id.hashCode();
+	}
+
+	/* (non-Javadoc)
+	 * @see java.lang.Object#equals(java.lang.Object)
+	 */
+	@Override
+	public boolean equals(Object obj) {
+		return id.equals(obj);
+	}
+
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Future.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Future.java
new file mode 100644
index 00000000..a2dc6b65
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Future.java
@@ -0,0 +1,200 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.helpers;
+
+import java.nio.ByteBuffer;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.List;
+import java.util.Map;
+import java.util.TreeMap;
+import java.util.UUID;
+
+import org.onap.aaf.auth.dao.cass.FutureDAO;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.Row;
+import com.datastax.driver.core.Session;
+import com.datastax.driver.core.SimpleStatement;
+import com.datastax.driver.core.Statement;
+
+public class Future implements CacheChange.Data, Comparable<Future> {
+	public static final Map<UUID,Future> data = new TreeMap<UUID,Future>();
+	public static final Map<String,List<Future>> byRole = new TreeMap<String,List<Future>>();
+	
+	public final FutureDAO.Data fdd;
+	public final String role; // derived
+	private final static CacheChange<Future> cache = new CacheChange<Future>(); 
+	
+	
+	public final UUID id() {
+		return fdd.id;
+	}
+	
+	public final String memo() {
+		return fdd.memo;
+	}
+	
+	public final String target() {
+		return fdd.target;
+	}
+	
+	public final Date start() {
+		return fdd.start;
+	}
+	
+	public final Date expires() {
+		return fdd.expires;
+	}
+
+	
+	public Future(UUID id, String memo, String target, Date start, Date expires, ByteBuffer construct) {
+		fdd = new FutureDAO.Data();
+		fdd.id = id;
+		fdd.memo = memo;
+		fdd.target = target;
+		fdd.start = start;
+		fdd.expires = expires;
+		fdd.construct = construct;
+		role = Approval.roleFromMemo(memo);
+	}
+
+	public static void load(Trans trans, Session session, Creator<Future> creator) {
+		trans.info().log( "query: " + creator.select() );
+		ResultSet results;
+		TimeTaken tt = trans.start("Load Futures", Env.REMOTE);
+		try {
+	        Statement stmt = new SimpleStatement(creator.select());
+	        results = session.execute(stmt);
+		} finally {
+			tt.done();
+		}
+		
+		int count = 0;
+		tt = trans.start("Process Futures", Env.SUB);
+		try {
+        	for(Row row : results.all()) {
+        		++count;
+        		Future f = creator.create(row);
+        		data.put(f.fdd.id,f);
+        		if(f.role!=null) {
+        			List<Future> lf = byRole.get(f.role);
+        			if(lf==null) {
+        				byRole.put(f.role,lf = new ArrayList<Future>());
+        			}
+        			lf.add(f);
+        		}
+        	}
+		} finally {
+			tt.done();
+			trans.info().log("Found",count,"Futures");
+		}
+	}
+	
+	public static Creator<Future> v2_0_17 = new Creator<Future>() {
+		@Override
+		public Future create(Row row) {
+			return new Future(row.getUUID(0),row.getString(1),row.getString(2),
+					row.getTimestamp(3),row.getTimestamp(4), null);
+		}
+
+		@Override
+		public String select() {
+			return "select id,memo,target,start,expires from authz.future";
+		}
+	};
+
+	public static Creator<Future> withConstruct = new Creator<Future>() {
+		@Override
+		public String select() {
+			return "select id,memo,target,start,expires,construct from authz.future";
+		}
+		
+		@Override
+		public Future create(Row row) {
+			return new Future(row.getUUID(0),row.getString(1),row.getString(2),
+					row.getTimestamp(3),row.getTimestamp(4), row.getBytes(5));
+		}
+
+	};
+
+	public Result<Void> delayedDelete(AuthzTrans trans, FutureDAO fd, boolean dryRun, String text) {
+		Result<Void> rv;
+		if(dryRun) {
+			trans.info().log(text,"- Would Delete: ",fdd.id,fdd.memo,"expiring on",Chrono.dateOnlyStamp(fdd.expires));
+			rv = Result.ok();
+		} else {
+			rv = fd.delete(trans, fdd, true); // need to read for undelete
+			if(rv.isOK()) {
+				trans.info().log(text, "- Deleted:",fdd.id,fdd.memo,"expiring on",Chrono.dateOnlyStamp(fdd.expires));
+				cache.delayedDelete(this);
+			} else {
+				if(rv.status!=6) {
+					trans.info().log(text,"- Failed to Delete Future", fdd.id);
+				}
+			}
+		}
+		return rv;
+	}
+	
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.helpers.CacheChange.Data#resetLocalData()
+	 */
+	@Override
+	public void expunge() {
+		data.remove(fdd.id);
+		if(role!=null) {
+			List<Future> lf = byRole.get(role);
+			if(lf!=null) {
+				lf.remove(this);
+			}
+		}
+	}
+
+	@Override
+	public int compareTo(Future o) {
+		if(o==null) {
+			return -1;
+		}
+		return fdd.id.compareTo(o.fdd.id);
+	}
+
+	public static void resetLocalData() {
+		cache.resetLocalData();
+	}
+	
+	public static int sizeForDeletion() {
+		return cache.cacheSize();
+	}
+
+	public static boolean pendingDelete(Future f) {
+		return cache.contains(f);
+	}
+
+
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/History.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/History.java
new file mode 100644
index 00000000..f153c06b
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/History.java
@@ -0,0 +1,178 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.helpers;
+
+import java.nio.ByteBuffer;
+import java.util.Iterator;
+import java.util.UUID;
+
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.Row;
+import com.datastax.driver.core.Session;
+import com.datastax.driver.core.SimpleStatement;
+import com.datastax.driver.core.Statement;
+
+public class History  {
+	public final UUID id;
+	public final String action;
+	public final String memo;
+	public final String reconstruct;
+	public final String subject;
+	public final String target;
+	public final String user;
+	public final int yr_mon;
+	
+	public History(UUID id, String action, String memo, String subject, String target, String user, int yr_mon) {
+		this.id = id;
+		this.action = action;
+		this.memo = memo;
+		this.reconstruct = null;
+		this.subject = subject;
+		this.target = target;
+		this.user = user;
+		this.yr_mon = yr_mon;
+	}
+	
+	public History(UUID id, String action, String memo, String reconstruct, String subject, String target, String user, int yr_mon) {
+		this.id = id;
+		this.action = action;
+		this.memo = memo;
+		this.reconstruct = reconstruct;
+		this.subject = subject;
+		this.target = target;
+		this.user = user;
+		this.yr_mon = yr_mon;
+	}
+
+	public static void load(Trans trans, Session session, Creator<History> creator, Loader<History> loader) {
+        trans.info().log( "query: " + creator.select() );
+        TimeTaken tt = trans.start("Read History", Env.REMOTE);
+       
+        ResultSet results;
+		try {
+	        Statement stmt = new SimpleStatement( creator.select() ).setReadTimeoutMillis(240000);
+	        results = session.execute(stmt);
+        } finally {
+        	tt.done();
+        }
+		int count = 0;
+        try {
+	        Iterator<Row> iter = results.iterator();
+	        Row row;
+	        tt = trans.start("Load History", Env.SUB);
+	        try {
+		        while(iter.hasNext()) {
+		        	++count;
+		        	row = iter.next();
+		        	loader.exec(creator.create(row));
+		        }
+	        } finally {
+	        	tt.done();
+	        }
+        } finally {
+        	trans.info().log("Found",count,"histories");
+        }
+	}
+	
+	public String toString() {
+		return String.format("%s %d %s, %s, %s, %s, %s", 
+				id.toString(),
+				yr_mon,
+				user,
+				target,
+				action,
+				subject,
+				memo);
+	}
+
+	/* (non-Javadoc)
+	 * @see java.lang.Object#hashCode()
+	 */
+	@Override
+	public int hashCode() {
+		return id.hashCode();
+	}
+
+	/* (non-Javadoc)
+	 * @see java.lang.Object#equals(java.lang.Object)
+	 */
+	@Override
+	public boolean equals(Object obj) {
+		return id.equals(obj);
+	}
+	
+	public static Creator<History> sansConstruct = new Creator<History> () {
+		@Override
+		public History create(Row row) {
+			return new History(
+	        		row.getUUID(0),
+	        		row.getString(1),
+	        		row.getString(2),
+	        		row.getString(3),
+	        		row.getString(4),
+	        		row.getString(5),
+	        		row.getInt(6));
+		}
+
+		@Override
+		public String select() {
+			return "SELECT id, action, memo, subject, target, user, yr_mon from authz.history LIMIT 10000000 ";
+		}
+	};
+
+	public static Creator<History> avecConstruct = new Creator<History> () {
+		private final StringBuilder sb = new StringBuilder();
+		
+		@Override
+		public History create(Row row) {
+			ByteBuffer bb = row.getBytes(3);
+			sb.setLength(0);
+			
+			if(bb!=null && bb.hasRemaining()) {
+				sb.append("0x");
+				while(bb.hasRemaining()) {
+					sb.append(String.format("%02x",bb.get()));
+				}
+				bb.flip();
+			}
+			return new History(
+	        		row.getUUID(0),
+	        		row.getString(1),
+	        		row.getString(2),
+	        		sb.toString(),
+	        		row.getString(4),
+	        		row.getString(5),
+	        		row.getString(6),
+	        		row.getInt(7));
+		}
+
+		@Override
+		public String select() {
+			return "SELECT id, action, memo, reconstruct, subject, target, user, yr_mon from authz.history LIMIT 10000000 ";
+		}
+	};
+
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/InputIterator.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/InputIterator.java
new file mode 100644
index 00000000..cb0bfa6a
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/InputIterator.java
@@ -0,0 +1,69 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.helpers;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.PrintStream;
+import java.util.Iterator;
+
+public class InputIterator implements Iterable<String> {
+	private BufferedReader in;
+	private final PrintStream out;
+	private final String prompt, instructions;
+	
+	public InputIterator(BufferedReader in, PrintStream out, String prompt, String instructions) {
+		this.in = in;
+		this.out = out;
+		this.prompt = prompt;
+		this.instructions = instructions;
+	}
+	
+	@Override
+	public Iterator<String> iterator() {
+		out.println(instructions);
+		return new Iterator<String>() {
+			String input;
+			@Override
+			public boolean hasNext() {
+				out.append(prompt);
+				try {
+					input = in.readLine();
+				} catch (IOException e) {
+					input = null;
+					return false;
+				}
+				return input.length()>0;
+			}
+
+			@Override
+			public String next() {
+				return input;
+			}
+
+			@Override
+			public void remove() {
+			}
+		};
+	}
+}
+
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Loader.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Loader.java
new file mode 100644
index 00000000..6d27f648
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Loader.java
@@ -0,0 +1,26 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.helpers;
+
+public interface Loader<T> {
+	public void exec(T t);
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/MiscID.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/MiscID.java
new file mode 100644
index 00000000..1438ffdb
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/MiscID.java
@@ -0,0 +1,188 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.helpers;
+
+import java.util.Map;
+import java.util.TreeMap;
+
+import org.onap.aaf.auth.BatchException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.Row;
+import com.datastax.driver.core.Session;
+import com.datastax.driver.core.SimpleStatement;
+import com.datastax.driver.core.Statement;
+
+public class MiscID  {
+	public static final TreeMap<String,MiscID> data = new TreeMap<String,MiscID>();
+	/*
+	Sample Record
+	aad890|mj9030|20040902|20120207
+
+	**** Field Definitions ****
+	MISCID - AT&T Miscellaneous ID - Non-User ID (Types: Internal Mechanized ID, External Mechanized ID, Datagate ID, Customer ID, Vendor ID, Exchange Mail ID, CLEC ID, Specialized ID, Training ID)
+	SPONSOR_ATTUID - ATTUID of MiscID Sponsor (Owner)
+	CREATE_DATE - Date when MiscID was created 
+	LAST_RENEWAL_DATE - Date when MiscID Sponsorship was last renewed
+	*/
+	public String id,sponsor,created,renewal;
+
+	private static final String fieldString = "id,created,sponsor,renewal";
+	
+	/**
+	 * Load a Row of Strings (from CSV file).
+	 * 
+	 * Be CAREFUL that the Row lists match the Fields above!!!  If this changes, change
+	 * 1) This Object
+	 * 2) DB "suits.cql"
+	 * 3) Alter existing Tables
+	 * @param row
+	 * @throws BatchException 
+	 * @throws IllegalAccessException 
+	 * @throws IllegalArgumentException 
+	 */
+	public void set(String row []) throws BatchException {
+		if(row.length<4) {throw new BatchException("Row of MiscID_XRef is too short");}
+		id      = row[0];
+		sponsor = row[1];
+		created = row[2];
+		renewal = row[3];
+	}
+
+	public void set(Row row) {
+		id      = row.getString(0);
+		sponsor = row.getString(1);
+		created = row.getString(2);
+		renewal = row.getString(3);
+	}
+	
+
+	public static void load(Trans trans, Session session ) {
+		load(trans, session,"SELECT " + fieldString + " FROM authz.miscid;",data);
+	}
+
+	public static void load(Trans trans, Session session, Map<String,MiscID> map ) {
+		load(trans, session,"SELECT " + fieldString + " FROM authz.miscid;",map);
+	}
+
+	public static void loadOne(Trans trans, Session session, String id ) {
+		load(trans, session,"SELECT " + fieldString + " FROM authz.miscid WHERE id ='" + id + "';", data);
+	}
+
+	public static void load(Trans trans, Session session, String query, Map<String,MiscID> map) {
+        trans.info().log( "query: " + query );
+        TimeTaken tt = trans.start("Read MiscID", Env.REMOTE);
+       
+        ResultSet results;
+		try {
+	        Statement stmt = new SimpleStatement( query );
+	        results = session.execute(stmt);
+        } finally {
+        	tt.done();
+        }
+		int count = 0;
+        try {
+	        tt = trans.start("Load Map", Env.SUB);
+	        try {
+	        	for( Row row : results.all()) {
+		        	MiscID miscID = new MiscID();
+		        	miscID.set(row);
+		        	data.put(miscID.id,miscID);
+		        	++count;
+		        }
+			} finally {
+	        	tt.done();
+	        }
+        } finally {
+        	trans.info().log("Found",count,"miscID records");
+        }
+	}
+
+	/* (non-Javadoc)
+	 * @see java.lang.Object#hashCode()
+	 */
+	@Override
+	public int hashCode() {
+		return id.hashCode();
+	}
+
+	/* (non-Javadoc)
+	 * @see java.lang.Object#equals(java.lang.Object)
+	 */
+	@Override
+	public boolean equals(Object obj) {
+		if(obj!=null && obj instanceof MiscID) {
+			return id.equals(((MiscID)obj).id);
+		}
+		return false;
+	}
+
+	public StringBuilder insertStmt() throws IllegalArgumentException, IllegalAccessException {
+		StringBuilder sb = new StringBuilder("INSERT INTO authz.miscid (");
+		sb.append(fieldString);
+		sb.append(") VALUES ('");
+		sb.append(id);
+		sb.append("','");
+		sb.append(sponsor);
+		sb.append("','");
+		sb.append(created);
+		sb.append("','");
+		sb.append(renewal);
+		sb.append("')");
+		return sb;
+	}
+	
+	public StringBuilder updateStmt(MiscID source) {
+		StringBuilder sb = null;
+		if(id.equals(source.id)) {
+			sb = addField(sb,"sponser",sponsor,source.sponsor);
+			sb = addField(sb,"created",created,source.created);
+			sb = addField(sb,"renewal",renewal,source.renewal);
+		}
+		if(sb!=null) {
+			sb.append(" WHERE id='");
+			sb.append(id);
+			sb.append('\'');
+		}
+		return sb;
+	}
+
+	private StringBuilder addField(StringBuilder sb, String name, String a, String b) {
+		if(!a.equals(b)) {
+			if(sb==null) {
+				sb = new StringBuilder("UPDATE authz.miscid SET ");		
+			} else {
+				sb.append(',');
+			}
+			sb.append(name);
+			sb.append("='");
+			sb.append(b);
+			sb.append('\'');
+		}
+		return sb;
+	}
+
+		
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/MonthData.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/MonthData.java
new file mode 100644
index 00000000..13a4c923
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/MonthData.java
@@ -0,0 +1,121 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.helpers;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileReader;
+import java.io.IOException;
+import java.io.PrintStream;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.onap.aaf.misc.env.util.Split;
+
+import java.util.Set;
+import java.util.TreeMap;
+
+public class MonthData {
+    public final Map<Integer,Set<Row>> data = 
+    		new TreeMap<Integer,Set<Row>>();
+	private File f;
+    
+    public MonthData(String env) throws IOException {
+    	f = new File("Monthly"+env+".dat");
+    	
+    	if(f.exists()) {
+    		BufferedReader br = new BufferedReader(new FileReader(f));
+    		try {
+    			String line;
+    			String[] split;
+    			while((line=br.readLine())!=null) {
+    				if(!line.startsWith("#")) {
+    					split = Split.split(',', line);
+    					if(split.length==5) {
+    						add(Integer.parseInt(split[0]),split[1],
+    							Integer.parseInt(split[2]),
+    							Integer.parseInt(split[3]),
+    							Integer.parseInt(split[4])
+    						);
+    					}
+    				}
+    			}
+    		} finally {
+    			br.close();
+    		}
+    	}
+    }
+    
+    public void add(int yr_mon, String target, long total, long adds, long drops) {
+		Set<Row> row = data.get(yr_mon);
+		if(row==null) {
+			data.put(yr_mon, (row=new HashSet<Row>()));
+		}
+		row.add(new Row(target,total,adds,drops));
+	}
+    
+    public boolean notExists(int yr_mon) {
+    	return data.get(yr_mon)==null;
+    }
+    
+ 	public static class Row implements Comparable<Row> {
+    	public final String target;
+    	public final long total;
+    	public final long adds;
+    	public final long drops;
+    	
+    	public Row(String t, long it, long a, long d) {
+    		target = t;
+    		total = it;
+    		adds = a;
+    		drops = d;
+    	}
+
+		@Override
+		public int compareTo(Row o) {
+			return target.compareTo(o.target);
+		}
+		
+		public String toString() {
+			return target + '|' + total + '|' + drops + '|' + adds;
+		}
+    }
+
+    public void write() throws IOException {
+    	if(f.exists()) {
+    		File bu = new File(f.getName()+".bak");
+    		f.renameTo(bu);
+    	}
+		PrintStream ps = new PrintStream(f);
+		try {
+			for( Entry<Integer, Set<Row>> rows : data.entrySet()) {
+				for(Row row : rows.getValue()) {
+					ps.printf("%d,%s,%d,%d,%d\n",rows.getKey(),row.target,row.total,row.adds,row.drops);
+				}
+			}
+		} finally {
+			ps.close();
+		}
+    }
+
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/NS.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/NS.java
new file mode 100644
index 00000000..5dde8895
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/NS.java
@@ -0,0 +1,168 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.helpers;
+
+import java.util.Iterator;
+import java.util.Map;
+import java.util.TreeMap;
+
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.Row;
+import com.datastax.driver.core.Session;
+import com.datastax.driver.core.SimpleStatement;
+import com.datastax.driver.core.Statement;
+
+public class NS implements Comparable<NS> {
+	public final static Map<String,NS> data = new TreeMap<String,NS>();
+
+	public final String name, description, parent;
+	public final int scope,type;
+
+	public NS(String name, String description, String parent, int type, int scope) {
+		this.name = name;
+		this.description = description;
+		this.parent = parent;
+		this.scope = scope;
+		this.type = type;
+	}
+	
+	public static void load(Trans trans, Session session, Creator<NS> creator) {
+		load(trans,session,
+				"select name, description, parent, type, scope from authz.ns;"
+				,creator);
+	}
+	
+	public static void loadOne(Trans trans, Session session, Creator<NS> creator, String ns) {
+	    load(trans,session,
+				("select name, description, parent, type, scope from authz.ns WHERE name='"+ns+"';")
+				,creator
+				);
+	}
+
+	private static void load(Trans trans, Session session, String query, Creator<NS> creator) {
+        trans.info().log( "query: " + query );
+        ResultSet results;
+        TimeTaken tt;
+
+        tt = trans.start("Read Namespaces", Env.REMOTE);
+        try {
+	        Statement stmt = new SimpleStatement( query );
+	        results = session.execute(stmt);
+        } finally {
+        	tt.done();
+        }
+        
+
+        try {
+	        Iterator<Row> iter = results.iterator();
+	        Row row;
+	        tt = trans.start("Load Namespaces", Env.SUB);
+	        try {
+		        while(iter.hasNext()) {
+		        	row = iter.next();
+		        	NS ns = creator.create(row);
+		        	data.put(ns.name,ns);
+		        }
+	        } finally {
+	        	tt.done();
+	        }
+        } finally {
+        	trans.info().log("Found",data.size(),"Namespaces");
+        }
+
+	}
+
+	public static long count(Trans trans, Session session) {
+		String query = "select count(*) from authz.ns LIMIT 1000000;";
+        trans.info().log( "query: " + query );
+        TimeTaken tt = trans.start("Count Namespaces", Env.REMOTE);
+        ResultSet results;
+        try {
+        	Statement stmt = new SimpleStatement(query).setReadTimeoutMillis(12000);
+	        results = session.execute(stmt);
+	        return results.one().getLong(0);
+        } finally {
+        	tt.done();
+        }
+	}
+        
+	public String toString() {
+		return name;
+	}
+
+	/* (non-Javadoc)
+	 * @see java.lang.Object#hashCode()
+	 */
+	@Override
+	public int hashCode() {
+		return name.hashCode();
+	}
+
+	/* (non-Javadoc)
+	 * @see java.lang.Object#equals(java.lang.Object)
+	 */
+	@Override
+	public boolean equals(Object obj) {
+		return name.equals(obj);
+	}
+
+	@Override
+	public int compareTo(NS o) {
+		return name.compareTo(o.name);
+	}
+	
+	public static class NSSplit {
+		public String ns;
+		public String other;
+		public NSSplit(String s, int dot) {
+			ns = s.substring(0,dot);
+			other = s.substring(dot+1);
+		}
+	}
+	public static NSSplit deriveParent(String dotted) {
+		if(dotted==null)return null;
+		for(int idx = dotted.lastIndexOf('.');idx>=0; idx=dotted.lastIndexOf('.',idx-1)) {
+			if(data.get(dotted.substring(0, idx))!=null) {
+				return new NSSplit(dotted,idx);
+			}
+		}
+		return null;
+	}
+	
+	public static Creator<NS> v2_0_11 = new Creator<NS> () {
+		@Override
+		public NS create(Row row) {
+			return new NS(row.getString(0),row.getString(1), row.getString(2),row.getInt(3),row.getInt(4));
+		}
+		
+		@Override
+		public String select() {
+			return "SELECT name, description, parent, type, scope FROM authz.ns ";
+		}
+	};
+
+		
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Notification.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Notification.java
new file mode 100644
index 00000000..9614bb19
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Notification.java
@@ -0,0 +1,209 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.helpers;
+
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.List;
+import java.util.TreeMap;
+
+import org.onap.aaf.auth.actions.Message;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.Row;
+import com.datastax.driver.core.Session;
+import com.datastax.driver.core.SimpleStatement;
+import com.datastax.driver.core.Statement;
+
+public class Notification {
+	public enum TYPE {
+		OA("Owner Approval",1),SA("Supervisor Approval",2),CN("Credential Expiration",20);
+		
+		private String desc;
+		private int type;
+	
+		private TYPE(String desc,int type) {
+			this.desc = desc;
+			this.type = type;
+		}
+		
+		public String desc() {
+			return desc;
+		}
+		
+		public int idx() {
+			return type;
+		}
+
+		public static TYPE get(int idx) {
+			for(TYPE nt : TYPE.values()) {
+				if(idx==nt.type) {
+					return nt;
+				}
+			}
+			return null;
+		}
+	}
+
+
+    public static final TreeMap<String,List<Notification>> data = new TreeMap<String,List<Notification>>();
+    public static final Date now = new Date();
+    
+    public final String user;
+	public final TYPE type;
+	public Date last;
+	public int checksum;
+	public Message msg;
+	private int current;
+	public Organization org;
+	public int count;
+	
+	private Notification(String user, TYPE nt, Date last, int checksum) {
+		this.user = user;
+		this.type = nt;
+		this.last = last;
+		this.checksum = checksum;
+		current = 0;
+		count = 0;
+	}
+	
+	public static void load(Trans trans, Session session, Creator<Notification> creator ) {
+		trans.info().log( "query: " + creator.select() );
+        TimeTaken tt = trans.start("Load Notify", Env.REMOTE);
+       
+        ResultSet results;
+		try {
+	        Statement stmt = new SimpleStatement(creator.select());
+	        results = session.execute(stmt);
+        } finally {
+        	tt.done();
+        }
+		int count = 0;
+        tt = trans.start("Process Notify", Env.SUB);
+
+        try {
+        	for(Row row : results.all()) {
+        		++count;
+		        try {
+		        	Notification not = creator.create(row);
+		        	List<Notification> ln = data.get(not.user);
+		        	if(ln==null) {
+		        		ln = new ArrayList<Notification>();
+		        		data.put(not.user, ln);
+		        	}
+		        	ln.add(not);
+		        } finally {
+		        	tt.done();
+		        }
+        	}
+        } finally {
+        	tt.done();
+        	trans.info().log("Found",count,"Notify Records");
+        }
+	}
+	
+	public static Notification get(String user, TYPE type) {
+		List<Notification> ln = data.get(user);
+		if(ln!=null) {
+	    	for(Notification n : ln) {
+	    		if(type.equals(n.type)) {
+	    			return n;
+	    		}
+	    	}
+		}
+		return null;
+	}
+
+	public static Notification create(String user, TYPE type) {
+		return new Notification(user,type,null,0);
+	}
+	
+	public static Creator<Notification> v2_0_18 = new Creator<Notification>() {
+		@Override
+		public Notification create(Row row) {
+			int idx =row.getInt(1);
+			TYPE type = TYPE.get(idx);
+			if(type==null) {
+				return null;
+			}
+			return new Notification(row.getString(0), type, row.getTimestamp(2), row.getInt(3));
+		}
+
+		@Override
+		public String select() {
+			return "SELECT user,type,last,checksum FROM authz.notify LIMIT 100000";
+		}
+	};
+
+	
+	public void set(Message msg) {
+		this.msg = msg; 
+	}
+
+	public int checksum() {
+		if(msg==null) {
+			current=0;
+		} else if(current==0) {
+			for(String l : msg.lines) {
+				for(byte b : l.getBytes()) {
+					current+=b;
+				}
+			}
+		}
+		return current;
+	}
+	
+	public boolean update(AuthzTrans trans, Session session, boolean dryRun) {
+		checksum();
+		if(last==null || current==0 || current!=checksum) {
+			last = now;
+			current = checksum();
+			String update = "UPDATE authz.notify SET " +
+					"last = '" + Chrono.utcStamp(last) +
+					"', checksum=" +
+					current +
+					" WHERE user='" +
+					user + 
+					"' AND type=" +
+					type.idx() +
+					";";
+			if(dryRun) {
+				trans.info().log("Would",update);
+			} else {
+				session.execute(update);
+			}
+			return true;
+		}
+		return false;
+	}
+
+	public String toString() {
+		return "\"" + user + "\",\"" + type.name() + "\",\"" 
+				+ Chrono.dateTime(last)+ "\", "  + checksum;
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/NsAttrib.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/NsAttrib.java
new file mode 100644
index 00000000..bb76c34c
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/NsAttrib.java
@@ -0,0 +1,107 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.helpers;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.TreeMap;
+
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.Row;
+import com.datastax.driver.core.Session;
+import com.datastax.driver.core.SimpleStatement;
+import com.datastax.driver.core.Statement;
+
+public class NsAttrib  {
+	public static final List<NsAttrib> data = new ArrayList<NsAttrib>();
+    public static final TreeMap<String,List<NsAttrib>> byKey = new TreeMap<String,List<NsAttrib>>();
+    public static final TreeMap<String,List<NsAttrib>> byNS = new TreeMap<String,List<NsAttrib>>();
+
+	public final String ns,key,value;
+	
+	public NsAttrib(String ns, String key, String value) {
+		this.ns = ns;
+		this.key = key;
+		this.value = value;
+	}
+	
+	public static void load(Trans trans, Session session, Creator<NsAttrib> creator ) {
+		trans.info().log( "query: " + creator.select() );
+        ResultSet results;
+        TimeTaken tt = trans.start("Load NsAttributes", Env.REMOTE);
+		try {
+	        Statement stmt = new SimpleStatement(creator.select());
+	        results = session.execute(stmt);
+        } finally {
+        	tt.done();
+        }
+		int count = 0;
+        tt = trans.start("Process NsAttributes", Env.SUB);
+
+        try {
+        	for(Row row : results.all()) {
+        		++count;
+	        	NsAttrib ur = creator.create(row);
+	        	data.add(ur);
+	        	
+	        	List<NsAttrib> lna = byKey.get(ur.key);
+	        	if(lna==null) {
+	        		lna = new ArrayList<NsAttrib>();
+		        	byKey.put(ur.key, lna);
+	        	}
+	        	lna.add(ur);
+	        	
+	        	lna = byNS.get(ur.ns);
+	        	if(lna==null) {
+	        		lna = new ArrayList<NsAttrib>();
+		        	byNS.put(ur.ns, lna);
+	        	}
+	        	lna.add(ur);
+        	}
+        } finally {
+        	tt.done();
+        	trans.info().log("Found",count,"NS Attributes");
+        }
+	}
+
+	public static Creator<NsAttrib> v2_0_11 = new Creator<NsAttrib>() {
+		@Override
+		public NsAttrib create(Row row) {
+			return new NsAttrib(row.getString(0), row.getString(1), row.getString(2));
+		}
+
+		@Override
+		public String select() {
+			return "select ns,key,value from authz.ns_attrib";
+		}
+	};
+
+
+	public String toString() {
+		return '"' + ns + "\",\"" + key + "\",\""  + value +'"';
+	}
+
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Perm.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Perm.java
new file mode 100644
index 00000000..51a7098e
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Perm.java
@@ -0,0 +1,172 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.helpers;
+
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+import java.util.TreeMap;
+
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.Row;
+import com.datastax.driver.core.Session;
+import com.datastax.driver.core.SimpleStatement;
+import com.datastax.driver.core.Statement;
+
+public class Perm implements Comparable<Perm> {
+    public static final TreeMap<Perm,Set<String>> data = new TreeMap<Perm,Set<String>>();
+    public static final TreeMap<String,Perm> keys = new TreeMap<String,Perm>();
+	private static List<Perm> deletePerms = new ArrayList<Perm>();
+
+	public final String ns, type, instance, action,description;
+	private String fullType = null, fullPerm = null, encode = null;
+	public final Set<String> roles;
+	
+	public String encode() {
+		if(encode == null) {
+			encode = ns + '|' + type + '|' + instance + '|' + action;
+		}
+		return encode;
+	}
+	
+	public String fullType() {
+		if(fullType==null) {
+			fullType = ns + '.' + type;
+		}
+		return fullType;
+	}
+	
+	public String fullPerm() {
+		if(fullPerm==null) {
+			fullPerm = ns + '.' + type  + '|' + instance + '|' + action;
+		}
+		return fullPerm;
+	}
+	
+	public Perm(String ns, String type, String instance, String action, String description, Set<String> roles) {
+		this.ns = ns;
+		this.type = type;
+		this.instance = instance;
+		this.action = action;
+		this.description = description;
+		// 2.0.11
+//		this.full = encode();//ns+'.'+type+'|'+instance+'|'+action;
+		this.roles = roles;
+	}
+
+	public static void load(Trans trans, Session session) {
+        load(trans, session, "select ns, type, instance, action, description, roles from authz.perm;");
+	}
+	
+	public static void loadOneNS(Trans trans, Session session, String ns) {
+        load(trans, session, "select ns, type, instance, action, description, roles from authz.perm WHERE ns='" + ns + "';");
+        
+	}
+
+	private static void load(Trans trans, Session session, String query) {
+        //
+        trans.info().log( "query: " + query );
+        TimeTaken tt = trans.start("Read Perms", Env.REMOTE);
+        ResultSet results;
+		try {
+	        Statement stmt = new SimpleStatement( query );
+	        results = session.execute(stmt);
+        } finally {
+        	tt.done();
+        }
+
+        try {
+	        Iterator<Row> iter = results.iterator();
+	        Row row;
+	        tt = trans.start("Load Perms", Env.SUB);
+	        try {
+		        while(iter.hasNext()) {
+		        	row = iter.next();
+		        	Perm pk = new Perm(row.getString(0),row.getString(1),row.getString(2),row.getString(3), row.getString(4), row.getSet(5,String.class));
+		        	keys.put(pk.encode(), pk);
+		        	data.put(pk,pk.roles);
+		        }
+	        } finally {
+	        	tt.done();
+	        }
+        } finally {
+        	trans.info().log("Found",data.size(),"perms");
+        }
+	}
+
+	public static long count(Trans trans, Session session) {
+		String query = "select count(*) from authz.perm LIMIT 1000000;";
+        trans.info().log( "query: " + query );
+        TimeTaken tt = trans.start("Count Namespaces", Env.REMOTE);
+        ResultSet results;
+        try {
+        	Statement stmt = new SimpleStatement(query).setReadTimeoutMillis(12000);
+	        results = session.execute(stmt);
+	        return results.one().getLong(0);
+        } finally {
+        	tt.done();
+        }
+	}
+
+	public String toString() {
+		return encode();
+	}
+
+	/* (non-Javadoc)
+	 * @see java.lang.Object#hashCode()
+	 */
+	@Override
+	public int hashCode() {
+		return encode().hashCode();
+	}
+
+	/* (non-Javadoc)
+	 * @see java.lang.Object#equals(java.lang.Object)
+	 */
+	@Override
+	public boolean equals(Object obj) {
+		return encode().equals(obj);
+	}
+
+	@Override
+	public int compareTo(Perm o) {
+		return encode().compareTo(o.encode());
+	}
+
+	public static void stageRemove(Perm p) {
+		deletePerms.add(p);
+	}
+	
+	public static void executeRemove() {
+		for(Perm p : deletePerms) {
+			keys.remove(p.encode);
+			data.remove(p);
+		}
+		deletePerms.clear();
+	}
+
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Role.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Role.java
new file mode 100644
index 00000000..f48544b1
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Role.java
@@ -0,0 +1,175 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.helpers;
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+import java.util.TreeMap;
+
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.Row;
+import com.datastax.driver.core.Session;
+import com.datastax.driver.core.SimpleStatement;
+import com.datastax.driver.core.Statement;
+
+public class Role implements Comparable<Role> {
+    public static final TreeMap<Role,Set<String>> data = new TreeMap<Role,Set<String>>();
+    public static final TreeMap<String,Role> keys = new TreeMap<String,Role>();
+    public static final TreeMap<String,Role> byName = new TreeMap<String,Role>();
+	private static List<Role> deleteRoles = new ArrayList<Role>();
+
+	public final String ns, name, description;
+	private String full, encode;
+	public final Set<String> perms;
+	
+	public Role(String full) {
+		ns = name = description = "";
+		this.full = full;
+		perms = new HashSet<String>();
+	}
+	
+	public Role(String ns, String name, String description,Set<String> perms) {
+		this.ns = ns;
+		this.name = name;
+		this.description = description;
+		this.full = null;
+		this.encode = null;
+		this.perms = perms;
+	}
+	
+	public String encode() {
+		if(encode==null) {
+			encode = ns + '|' + name;
+		} 
+		return encode;
+	}
+
+	public String fullName() {
+		if(full==null) {
+			full = ns + '.' + name;
+		} 
+		return full;
+	}
+
+	public static void load(Trans trans, Session session ) {
+		load(trans,session,"select ns, name, description, perms from authz.role;");
+	}
+
+	public static void loadOneNS(Trans trans, Session session, String ns ) {
+		load(trans,session,"select ns, name, description, perms from authz.role WHERE ns='" + ns + "';");
+	}
+
+	private static void load(Trans trans, Session session, String query) {
+        trans.info().log( "query: " + query );
+        TimeTaken tt = trans.start("Read Roles", Env.REMOTE);
+       
+        ResultSet results;
+		try {
+	        Statement stmt = new SimpleStatement( query );
+	        results = session.execute(stmt);
+        } finally {
+        	tt.done();
+        }
+
+        try {
+	        Iterator<Row> iter = results.iterator();
+	        Row row;
+	        tt = trans.start("Load Roles", Env.SUB);
+	        try {
+		        while(iter.hasNext()) {
+		        	row = iter.next();
+		        	Role rk =new Role(row.getString(0),row.getString(1), row.getString(2),row.getSet(3,String.class));
+		        	keys.put(rk.encode(), rk);
+		        	data.put(rk,rk.perms);
+		        	byName.put(rk.fullName(), rk);
+		        }
+	        } finally {
+	        	tt.done();
+	        }
+        } finally {
+        	trans.info().log("Found",data.size(),"roles");
+        }
+	}
+	
+	public static long count(Trans trans, Session session) {
+		String query = "select count(*) from authz.role LIMIT 1000000;";
+        trans.info().log( "query: " + query );
+        TimeTaken tt = trans.start("Count Namespaces", Env.REMOTE);
+        ResultSet results;
+        try {
+        	Statement stmt = new SimpleStatement(query).setReadTimeoutMillis(12000);
+	        results = session.execute(stmt);
+	        return results.one().getLong(0);
+        } finally {
+        	tt.done();
+        }
+	}
+
+	public String toString() {
+		return encode();
+	}
+
+	/* (non-Javadoc)
+	 * @see java.lang.Object#hashCode()
+	 */
+	@Override
+	public int hashCode() {
+		return encode().hashCode();
+	}
+
+	/* (non-Javadoc)
+	 * @see java.lang.Object#equals(java.lang.Object)
+	 */
+	@Override
+	public boolean equals(Object obj) {
+		return encode().equals(obj);
+	}
+
+	@Override
+	public int compareTo(Role o) {
+		return encode().compareTo(o.encode());
+	}
+
+	public static String fullName(String role) {
+		return role.replace('|', '.');
+	}
+	
+	public static void stageRemove(Role r) {
+		deleteRoles.add(r);
+	}
+	
+	public static void executeRemove() {
+		for(Role p : deleteRoles) {
+			keys.remove(p.encode);
+			data.remove(p);
+		}
+		deleteRoles.clear();
+	}
+
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/UserRole.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/UserRole.java
new file mode 100644
index 00000000..d990bb11
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/UserRole.java
@@ -0,0 +1,282 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.helpers;
+
+import java.io.PrintStream;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.Iterator;
+import java.util.List;
+import java.util.TreeMap;
+
+import org.onap.aaf.auth.actions.URDelete;
+import org.onap.aaf.auth.dao.cass.UserRoleDAO;
+import org.onap.aaf.auth.dao.cass.UserRoleDAO.Data;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.Row;
+import com.datastax.driver.core.Session;
+import com.datastax.driver.core.SimpleStatement;
+import com.datastax.driver.core.Statement;
+
+public class UserRole implements Cloneable, CacheChange.Data  {
+	public static final List<UserRole> data = new ArrayList<UserRole>();
+    public static final TreeMap<String,List<UserRole>> byUser = new TreeMap<String,List<UserRole>>();
+    public static final TreeMap<String,List<UserRole>> byRole = new TreeMap<String,List<UserRole>>();
+	private final static CacheChange<UserRole> cache = new CacheChange<UserRole>(); 
+	private static PrintStream urDelete=System.out,urRecover=System.err;
+	private static int totalLoaded;
+	private static int deleted;
+	
+	private Data urdd;
+
+	public UserRole(String user, String ns, String rname, Date expires) {	
+		urdd = new UserRoleDAO.Data();
+		urdd.user = user;
+		urdd.role = ns + '.' + rname;
+		urdd.ns = ns;
+		urdd.rname = rname;
+		urdd.expires = expires;
+	}
+
+	public UserRole(String user, String role, String ns, String rname, Date expires) {
+		urdd = new UserRoleDAO.Data();
+		urdd.user = user;
+		urdd.role = role;
+		urdd.ns = ns;
+		urdd.rname = rname;
+		urdd.expires = expires;
+	}
+
+	public static void load(Trans trans, Session session, Creator<UserRole> creator ) {
+		load(trans,session,creator,null);
+	}
+
+	public static void loadOneRole(Trans trans, Session session, Creator<UserRole> creator, String role) {
+		load(trans,session,creator,"role='" + role +"' ALLOW FILTERING;");
+	}
+	
+	public static void loadOneUser(Trans trans, Session session, Creator<UserRole> creator, String user ) {
+		load(trans,session,creator,"role='"+ user +"';");
+	}
+
+	private static void load(Trans trans, Session session, Creator<UserRole> creator, String where) {
+		String query = creator.query(where);
+		trans.info().log( "query: " + query );
+        TimeTaken tt = trans.start("Read UserRoles", Env.REMOTE);
+       
+        ResultSet results;
+		try {
+	        Statement stmt = new SimpleStatement( query );
+	        results = session.execute(stmt);
+        } finally {
+        	tt.done();
+        }
+        try {
+	        Iterator<Row> iter = results.iterator();
+	        Row row;
+	        tt = trans.start("Load UserRole", Env.SUB);
+	        try {
+		        while(iter.hasNext()) {
+		        	++totalLoaded;
+		        	row = iter.next();
+		        	UserRole ur = creator.create(row);
+		        	data.add(ur);
+		        	
+		        	List<UserRole> lur = byUser.get(ur.urdd.user);
+		        	if(lur==null) {
+		        		lur = new ArrayList<UserRole>();
+			        	byUser.put(ur.urdd.user, lur);
+		        	}
+		        	lur.add(ur);
+		        	
+		        	lur = byRole.get(ur.urdd.role);
+		        	if(lur==null) {
+		        		lur = new ArrayList<UserRole>();
+			        	byRole.put(ur.urdd.role, lur);
+		        	}
+		        	lur.add(ur);
+		        }
+	        } finally {
+	        	tt.done();
+	        }
+        } finally {
+        	trans.info().log("Loaded",totalLoaded,"UserRoles");
+        }
+	}
+	
+	public int totalLoaded() {
+		return totalLoaded();
+	}
+	
+	public int deleted() {
+		return deleted;
+	}
+	
+	@Override
+	public void expunge() {
+		data.remove(this);
+		
+		List<UserRole> lur = byUser.get(urdd.user);
+		if(lur!=null) {
+			lur.remove(this);
+		}
+	
+		lur = byRole.get(urdd.role);
+		if(lur!=null) {
+			lur.remove(this);
+		}
+	}
+	
+	public static void setDeleteStream(PrintStream ds) {
+		urDelete = ds;
+	}
+
+	public static void setRecoverStream(PrintStream ds) {
+		urRecover = ds;
+	}
+
+	public static long count(Trans trans, Session session) {
+		String query = "select count(*) from authz.user_role LIMIT 1000000;";
+        trans.info().log( "query: " + query );
+        TimeTaken tt = trans.start("Count Namespaces", Env.REMOTE);
+        ResultSet results;
+        try {
+        	Statement stmt = new SimpleStatement(query).setReadTimeoutMillis(12000);
+	        results = session.execute(stmt);
+	        return results.one().getLong(0);
+        } finally {
+        	tt.done();
+        }
+	}
+
+
+	public static Creator<UserRole> v2_0_11 = new Creator<UserRole>() {
+		@Override
+		public UserRole create(Row row) {
+			return new UserRole(row.getString(0), row.getString(1), row.getString(2),row.getString(3),row.getTimestamp(4));
+		}
+
+		@Override
+		public String select() {
+			return "select user,role,ns,rname,expires from authz.user_role";
+		}
+	};
+
+	public UserRoleDAO.Data urdd() {
+		return urdd;
+	}
+	
+	public String user() {
+		return urdd.user;
+	};
+	
+	public String role() {
+		return urdd.role;
+	}
+	
+	public String ns() {
+		return urdd.ns;
+	}
+	
+	public String rname() {
+		return urdd.rname;
+	}
+	
+	public Date expires() {
+		return urdd.expires;
+	}
+	
+	public void expires(Date time) {
+		urdd.expires = time;
+	}
+
+
+
+	public String toString() {
+		return "\"" + urdd.user + "\",\"" + urdd.role + "\",\""  + urdd.ns + "\",\"" + urdd.rname + "\",\""+ Chrono.dateOnlyStamp(urdd.expires);
+	}
+
+	public static UserRole get(String u, String r) {
+		List<UserRole> lur = byUser.get(u);
+		if(lur!=null) {
+			for(UserRole ur : lur) {
+				if(ur.urdd.role.equals(r)) {
+					return ur;
+				}
+			}
+		}
+		return null;
+	}
+	
+	// CACHE Calling
+	private static final String logfmt = "%s UserRole - %s: %s-%s (%s, %s) expiring %s";
+	private static final String replayfmt = "%s|%s|%s|%s|%s\n";
+	private static final String deletefmt = "# %s\n"+replayfmt;
+	
+	// SAFETY - DO NOT DELETE USER ROLES DIRECTLY FROM BATCH FILES!!!
+	// We write to a file, and validate.  If the size is iffy, we email Support
+	public void delayDelete(AuthzTrans trans, String text, boolean dryRun) {
+		String dt = Chrono.dateTime(urdd.expires);
+		if(dryRun) {
+			trans.info().printf(logfmt,text,"Would Delete",urdd.user,urdd.role,urdd.ns,urdd.rname,dt);
+		} else {
+			trans.info().printf(logfmt,text,"Staged Deletion",urdd.user,urdd.role,urdd.ns,urdd.rname,dt);
+		}
+		urDelete.printf(deletefmt,text,urdd.user,urdd.role,dt,urdd.ns,urdd.rname);
+		urRecover.printf(replayfmt,urdd.user,urdd.role,dt,urdd.ns,urdd.rname);
+
+		cache.delayedDelete(this);
+		++deleted;
+	}
+	
+
+	/**
+	 * Calls expunge() for all deleteCached entries
+	 */
+	public static void resetLocalData() {
+		cache.resetLocalData();
+	}
+	
+	public static int sizeForDeletion() {
+		return cache.cacheSize();
+	}
+
+	public static boolean pendingDelete(UserRole ur) {
+		return cache.contains(ur);
+	}
+
+	public static void actuateDeletionNow(AuthzTrans trans, URDelete directDel) {
+		for(UserRole ur : cache.getRemoved()) {
+			directDel.exec(trans, ur, "Actuating UserRole Deletion");
+		}
+		cache.getRemoved().clear();
+		cache.resetLocalData();
+	}
+
+
+}
+\ No newline at end of file
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/reports/ExpiringNext.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/reports/ExpiringNext.java
new file mode 100644
index 00000000..2412f496
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/reports/ExpiringNext.java
@@ -0,0 +1,143 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.reports;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Date;
+import java.util.GregorianCalendar;
+import java.util.List;
+
+import org.onap.aaf.auth.Batch;
+import org.onap.aaf.auth.dao.cass.CredDAO;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.Cred;
+import org.onap.aaf.auth.helpers.UserRole;
+import org.onap.aaf.auth.helpers.Cred.Instance;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.util.Chrono;
+
+public class ExpiringNext extends Batch {
+	
+	public ExpiringNext(AuthzTrans trans) throws APIException, IOException, OrganizationException {
+		super(trans.env());
+	    trans.info().log("Starting Connection Process");
+	    
+	    TimeTaken tt0 = trans.start("Cassandra Initialization", Env.SUB);
+	    try {
+			TimeTaken tt = trans.start("Connect to Cluster", Env.REMOTE);
+			try {
+				session = cluster.connect();
+			} finally {
+				tt.done();
+			}
+
+			UserRole.load(trans, session, UserRole.v2_0_11);
+			Cred.load(trans, session);
+	    } finally {
+	    	tt0.done();
+	    }
+	}
+
+	@Override
+	protected void run(AuthzTrans trans) {
+        GregorianCalendar gc = new GregorianCalendar();
+        Date now = gc.getTime();
+        gc.add(GregorianCalendar.WEEK_OF_MONTH, 2);
+        Date twoWeeks = gc.getTime();
+        // Set time way off
+        gc.set(GregorianCalendar.YEAR, 3000);
+        Date earliestUR = gc.getTime();
+        Date earliestCred = gc.getTime();
+        // Run for Roles
+        List<String> expiring = new ArrayList<String>();
+        
+        trans.info().log("Checking for Expired UserRoles");
+    	for(UserRole ur : UserRole.data) {
+    		if(ur.expires().after(now)) {
+    			if(ur.expires().before(twoWeeks)) {
+    				expiring.add(Chrono.dateOnlyStamp(ur.expires()) + ":\t" + ur.user() + '\t' + ur.role());
+    			}
+        		if(ur.expires().before(earliestUR)) {
+        			earliestUR = ur.expires();
+        		}
+    		}
+    	}
+
+    	if(expiring.size()>0) {
+	    	Collections.sort(expiring,Collections.reverseOrder());
+	    	for(String s : expiring) {
+	    		System.err.print('\t');
+	    		System.err.println(s);
+	    	}
+	    	trans.info().printf("Earliest Expiring UR is %s\n\n", Chrono.dateOnlyStamp(earliestUR));
+    	} else {
+    		trans.info().printf("No Expiring UserRoles within 2 weeks");
+    	}
+    	
+    	expiring.clear();
+    	
+        trans.info().log("Checking for Expired Credentials");
+    	for( Cred creds : Cred.data.values()) {
+    		Instance lastInstance=null;
+    		for(Instance inst : creds.instances) {
+    			if(inst.type==CredDAO.BASIC_AUTH || inst.type==CredDAO.BASIC_AUTH_SHA256) {
+	        		if(lastInstance == null || inst.expires.after(lastInstance.expires)) {
+	        			lastInstance = inst;
+	        		}
+    			}
+    		}
+    		if(lastInstance!=null) {
+    			if(lastInstance.expires.after(now)) {
+					if(lastInstance.expires.before(twoWeeks)) {
+	    				expiring.add(Chrono.dateOnlyStamp(lastInstance.expires) + ": \t" + creds.id);
+					}
+    			}
+	    		if(lastInstance.expires.before(earliestCred)) {
+	    			earliestCred = lastInstance.expires;
+	    		}
+    		}
+    	}
+    	
+    	if(expiring.size()>0) {
+	    	Collections.sort(expiring,Collections.reverseOrder());
+	    	for(String s : expiring) {
+	    		System.err.print('\t');
+	    		System.err.println(s);
+	    	}
+	    	trans.info().printf("Earliest Expiring Cred is %s\n\n", Chrono.dateOnlyStamp(earliestCred));
+    	} else {
+    		trans.info().printf("No Expiring Creds within 2 weeks");
+    	}
+
+	}
+	
+	@Override
+	protected void _close(AuthzTrans trans) {
+        session.close();
+	}
+
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/update/Expiring.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/update/Expiring.java
new file mode 100644
index 00000000..d3b80d21
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/update/Expiring.java
@@ -0,0 +1,503 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.update;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.FileReader;
+import java.io.IOException;
+import java.io.PrintStream;
+import java.util.Date;
+import java.util.GregorianCalendar;
+import java.util.List;
+import java.util.UUID;
+
+import org.onap.aaf.auth.Batch;
+import org.onap.aaf.auth.BatchPrincipal;
+import org.onap.aaf.auth.actions.Action;
+import org.onap.aaf.auth.actions.ActionDAO;
+import org.onap.aaf.auth.actions.CacheTouch;
+import org.onap.aaf.auth.actions.CredDelete;
+import org.onap.aaf.auth.actions.CredPrint;
+import org.onap.aaf.auth.actions.Email;
+import org.onap.aaf.auth.actions.Message;
+import org.onap.aaf.auth.actions.URDelete;
+import org.onap.aaf.auth.actions.URFutureApprove;
+import org.onap.aaf.auth.actions.URFutureApproveExec;
+import org.onap.aaf.auth.actions.URPrint;
+import org.onap.aaf.auth.dao.cass.ApprovalDAO;
+import org.onap.aaf.auth.dao.cass.CredDAO;
+import org.onap.aaf.auth.dao.cass.FutureDAO;
+import org.onap.aaf.auth.dao.hl.Function.FUTURE_OP;
+import org.onap.aaf.auth.dao.hl.Function.OP_STATUS;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.Approval;
+import org.onap.aaf.auth.helpers.Cred;
+import org.onap.aaf.auth.helpers.Future;
+import org.onap.aaf.auth.helpers.NS;
+import org.onap.aaf.auth.helpers.Role;
+import org.onap.aaf.auth.helpers.UserRole;
+import org.onap.aaf.auth.helpers.Cred.Instance;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.auth.org.Organization.Identity;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.util.Chrono;
+
+public class Expiring extends Batch {
+	private CredPrint crPrint;
+	private URFutureApprove urFutureApprove;
+	private URFutureApproveExec urFutureApproveExec;
+	private CredDelete crDelete;
+	private URDelete urDelete;
+	private final CacheTouch cacheTouch;
+	private final AuthzTrans noAvg;
+	private final ApprovalDAO apprDAO;
+	private final FutureDAO futureDAO;
+	private final PrintStream urDeleteF,urRecoverF;
+	private final URPrint urPrint;
+	private Email email;
+	private File deletesFile;
+
+	public Expiring(AuthzTrans trans) throws APIException, IOException, OrganizationException {
+		super(trans.env());
+	    trans.info().log("Starting Connection Process");
+	    
+		noAvg = env.newTransNoAvg();
+		noAvg.setUser(new BatchPrincipal("batch:Expiring"));
+		
+	    TimeTaken tt0 = trans.start("Cassandra Initialization", Env.SUB);
+	    try {
+			crPrint = new CredPrint("Expired:");
+
+			TimeTaken tt = trans.start("Connect to Cluster with DAOs", Env.REMOTE);
+			try {
+				urFutureApprove = new URFutureApprove(trans, cluster,isDryRun());
+				checkOrganizationAcccess(trans, urFutureApprove.question());
+				urFutureApproveExec = new URFutureApproveExec(trans, urFutureApprove);
+				urPrint = new URPrint("User Roles:");
+				crDelete = new CredDelete(trans, urFutureApprove);
+				urDelete = new URDelete(trans,urFutureApprove);
+				cacheTouch = new CacheTouch(trans, urFutureApprove);
+				
+				// Reusing... don't destroy
+				apprDAO = urFutureApprove.question().approvalDAO;
+				futureDAO = urFutureApprove.question().futureDAO;
+
+				TimeTaken tt2 = trans.start("Connect to Cluster", Env.REMOTE);
+				try {
+					session = urFutureApprove.getSession(trans);
+				} finally {
+					tt2.done();
+				}
+			} finally {
+				tt.done();
+			}
+			
+			File data_dir = new File(env.getProperty("aaf_data_dir"));
+			if(!data_dir.exists() || !data_dir.canWrite() || !data_dir.canRead()) {
+				throw new IOException("Cannot read/write to Data Directory "+ data_dir.getCanonicalPath() + ": EXITING!!!");
+			}
+			UserRole.setDeleteStream(
+				urDeleteF = new PrintStream(new FileOutputStream(deletesFile = new File(data_dir,"UserRoleDeletes.dat"),false)));
+			UserRole.setRecoverStream(
+				urRecoverF = new PrintStream(new FileOutputStream(new File(data_dir,"UserRoleRecover.dat"),false)));
+			UserRole.load(trans, session, UserRole.v2_0_11);
+			
+			Cred.load(trans, session);
+			NS.load(trans, session,NS.v2_0_11);
+			Future.load(trans,session,Future.withConstruct);
+			Approval.load(trans,session,Approval.v2_0_17);
+			Role.load(trans, session);
+			
+			email = new Email();
+			email.subject("AAF Expiring Process Alert (ENV: %s)",batchEnv);
+			email.preamble("Expiring Process Alert for %s",batchEnv);
+			email.signature("Sincerely,\nAAF Expiring Batch Process\n");
+			String address = env.getProperty("ALERT_TO_ADDRESS");
+			if(address==null) {
+				throw new APIException("ALERT_TO_ADDRESS property is required");
+			}
+			email.addTo(address);
+	
+	    } catch (OrganizationException e) {
+	    	throw new APIException("Error getting valid Organization",e);
+		} finally {
+	    	tt0.done();
+	    }
+	}
+
+	@Override
+	protected void run(AuthzTrans trans) {
+		// Setup Date boundaries
+		
+        final GregorianCalendar gc = new GregorianCalendar();
+        final Date now = gc.getTime();
+        
+        gc.add(GregorianCalendar.MONTH, 1);
+        Date future = gc.getTime();
+//	    Date earliest = null;
+
+        // reset
+        gc.setTime(now);
+        gc.add(GregorianCalendar.DAY_OF_MONTH, -7); // save Expired Roles for 7 days.
+        Date tooLate = gc.getTime();
+        
+        TimeTaken tt;
+       
+    	// Clean out Approvals UserRoles are fixed up.
+		String memo;
+		for(List<Approval> la : Approval.byUser.values()) {
+			for(Approval a : la ) {
+				memo = a.getMemo();
+				if(memo!=null && (memo.contains("Re-Approval") || memo.contains("Re-Validate"))) {
+			    		String role = a.getRole();
+			    		if(role!=null) {
+						UserRole ur = UserRole.get(a.getUser(), a.getRole());
+						Future f=null;
+						if(ur!=null) {
+							if(ur.expires().after(future)) { // no need for Approval anymore
+								a.delayDelete(noAvg, apprDAO, dryRun, "User Role already Extended");
+								UUID tkt = a.getTicket();
+								if(tkt!=null) {
+									f = Future.data.get(tkt);
+								}
+							}
+						} else {
+							a.delayDelete(noAvg, apprDAO, dryRun, "User Role does not exist");
+							f = Future.data.get(a.getTicket());
+						}
+						if(f!=null) {
+							f.delayedDelete(noAvg, futureDAO, dryRun, "Approvals removed");
+						}
+			    		}
+				}
+			}
+		}
+		try {
+	    		trans.info().log("### Removed",Future.sizeForDeletion(),"Future and",Approval.sizeForDeletion(),"Approvals");
+	    		Future.resetLocalData();
+	        Approval.resetLocalData();
+	    	} catch (Throwable t) {
+	    		t.printStackTrace();
+	    	}
+	
+        // Run for Expired Futures
+        trans.info().log("Checking for Expired Approval/Futures");
+        tt = trans.start("Delete old Futures", Env.REMOTE);
+		trans.info().log("### Running Future Execution on ",Future.data.size(), "Items");
+		// Execute any Futures waiting
+	    	for(Future f : Future.data.values()) {
+	    		if(f.memo().contains("Re-Approval") || f.memo().contains("Re-Validate")) {
+		    		List<Approval> la = Approval.byTicket.get(f.id());
+		    		if(la!=null) {
+			    		Result<OP_STATUS> ruf = urFutureApproveExec.exec(noAvg,la,f);
+			    		if(ruf.isOK()) {
+			    			switch(ruf.value) {
+				    			case P:
+				    				break;
+				    			case E:
+				    			case D:
+				    			case L:
+				    				f.delayedDelete(noAvg, futureDAO, dryRun,OP_STATUS.L.desc());
+				    				Approval.delayDelete(noAvg, apprDAO, dryRun, la,OP_STATUS.L.desc());
+				    				break;
+			    			}
+			    		}
+		    		}
+	    		}
+	    	}
+	    	try {
+	    		trans.info().log("### Removed",Future.sizeForDeletion(),"Future and",Approval.sizeForDeletion(),"Approvals");
+	    		Future.resetLocalData();
+	        Approval.resetLocalData();
+	    	} catch (Throwable t) {
+	    		t.printStackTrace();
+	    	}
+
+    	
+		trans.info().log("### Remove Expired on ",Future.data.size(), "Items, or premature ones");
+    	// Remove Expired
+		String expiredBeforeNow = "Expired before " + tooLate;
+		String expiredAfterFuture = "Expired after " + future;
+        try {
+	        	for(Future f : Future.data.values()) {
+	        		if(f.expires().before(tooLate)) {
+	        			f.delayedDelete(noAvg,futureDAO,dryRun, expiredBeforeNow);
+	        			Approval.delayDelete(noAvg, apprDAO, dryRun, Approval.byTicket.get(f.id()), expiredBeforeNow);
+	        		} else if(f.expires().after(future)) {
+	        			f.delayedDelete(noAvg,futureDAO,dryRun, expiredAfterFuture);
+	        			Approval.delayDelete(noAvg,apprDAO,dryRun, Approval.byTicket.get(f.id()), expiredAfterFuture);
+	        		}
+	        	}
+	        	try {
+	        		trans.info().log("### Removed",Future.sizeForDeletion(),"Future and",Approval.sizeForDeletion(),"Approvals");
+	        		Future.resetLocalData();
+	            Approval.resetLocalData();
+	        	} catch (Throwable t) {
+	        		t.printStackTrace();
+	        	}
+        } finally {
+        		tt.done();	
+        }
+        
+		trans.info().log("### Checking Approvals valid (",Approval.byApprover.size(),"Items)");
+        // Make sure users of Approvals are still valid
+        for(List<Approval> lapp : Approval.byTicket.values()) {
+	        	for(Approval app : lapp) {
+	        		Future f;
+	        		if(app.getTicket()==null) {
+	        			f = null;
+	        		} else {
+	        			f = Future.data.get(app.getTicket());
+	        			if(Future.pendingDelete(f)) {
+	    					f=null;
+	    				}
+	        		}
+	        		String msg;
+	        		if(f!=null && app.getRole()!=null && Role.byName.get(app.getRole())==null) {
+	        			f.delayedDelete(noAvg,futureDAO,dryRun,msg="Role '" + app.getRole() + "' no longer exists");
+	        			Approval.delayDelete(noAvg,apprDAO,dryRun, Approval.byTicket.get(f.id()), msg);
+						continue;
+	        		}
+	        		
+	        		switch(app.getStatus()) {
+	        			case "pending":
+	        				if(f==null) {
+							app.delayDelete(noAvg,apprDAO, isDryRun(), "ticketDeleted");
+							continue;
+	        				}
+	        				switch(app.getType()) {
+	        					case "owner":
+								boolean anOwner=false;
+	        						String approle = app.getRole();
+	        						if(approle!=null) {
+		        						Role role = Role.byName.get(approle);
+		        						if(role==null) {
+										app.delayDelete(noAvg, apprDAO, dryRun, "Role No Longer Exists");
+										continue;
+									} else {
+	    								// Make sure Owner Role exists
+										String owner = role.ns + ".owner";
+										if(Role.byName.containsKey(owner)) {
+			    								List<UserRole> lur = UserRole.byRole.get(owner);
+			    								if(lur != null) {
+			        								for(UserRole ur : lur) {
+			        									if(ur.user().equals(app.getApprover())) {
+			        										anOwner = true;
+			        										break;
+			        									}
+			        								}
+			    								}
+										}
+		        						}
+	    								if(!anOwner) {
+										app.delayDelete(noAvg, apprDAO, dryRun, "No longer Owner");
+	    								}
+	
+	        						}
+	        						break;
+	        					case "supervisor":
+								try {
+									Identity identity = org.getIdentity(noAvg, app.getUser());
+									if(identity==null) {
+										if(f!=null) {
+							        			f.delayedDelete(noAvg,futureDAO,dryRun,msg = app.getUser() + " is no longer associated with " + org.getName());
+							        			Approval.delayDelete(noAvg,apprDAO,dryRun, Approval.byTicket.get(f.id()), msg);
+										}
+									} else {
+										if(!app.getApprover().equals(identity.responsibleTo().fullID())) {
+											if(f!=null) {
+								        			f.delayedDelete(noAvg,futureDAO,dryRun,msg = app.getApprover() + " is no longer a Supervisor of " + app.getUser());
+								        			Approval.delayDelete(noAvg,apprDAO,dryRun, Approval.byTicket.get(f.id()), msg);
+											}
+										}
+									}
+								} catch (OrganizationException e) {
+									e.printStackTrace();
+								}
+        						break;
+	        				}
+	        				break;
+	        		}
+	        	}
+        }
+	    	try {
+	    		trans.info().log("### Removed",Future.sizeForDeletion(),"Future and",Approval.sizeForDeletion(),"Approvals");
+	    		Future.resetLocalData();
+	        Approval.resetLocalData();
+	    	} catch (Throwable t) {
+	    		t.printStackTrace();
+	    	}
+        
+        int count = 0, deleted=0, delayedURDeletes = 0;
+
+        // Run for User Roles
+        trans.info().log("Checking for Expired User Roles");
+        try {
+	        	for(UserRole ur : UserRole.data) {
+	        		if(org.getIdentity(noAvg, ur.user())==null) {  // if not part of Organization;
+	        			if(isSpecial(ur.user())) {
+		        			trans.info().log(ur.user(),"is not part of organization, but may not be deleted");
+	        			} else {
+		        			ur.delayDelete(noAvg, "Not Part of Organization", dryRun);
+		        			++deleted;
+		        			++delayedURDeletes;
+	        			}
+	        		} else {
+		        		if(NS.data.get(ur.ns())==null) {
+	            			ur.delayDelete(noAvg,"Namespace " + ur.ns() + " does not exist.",dryRun);
+	            			++delayedURDeletes;
+	            			++deleted;
+		        		} else if(!Role.byName.containsKey(ur.role())) {
+		        			ur.delayDelete(noAvg,"Role " + ur.role() + " does not exist.",dryRun);
+	            			++deleted;
+	            			++delayedURDeletes;
+		        		} else if(ur.expires().before(tooLate)) {
+		        			if("owner".equals(ur.rname())) { // don't delete Owners, even if Expired
+		        				urPrint.exec(noAvg,ur,"Owner Expired (but not deleted)");
+		        			} else {
+			        			// In this case, when UR is expired, not dependent on other lookups, we delete straight out.
+			        			urDelete.exec(noAvg, ur,"Expired before " + tooLate);
+			        			++deleted;
+		        			}
+	            			//trans.logAuditTrail(trans.info());
+		        		} else if(ur.expires().before(future) && ur.expires().after(now)) {
+			        		++count;
+		        			// Is there an Approval set already
+		        			boolean needNew = true;
+		        			if(ur.role()!=null && ur.user()!=null) {
+			        			List<Approval> abm = Approval.byUser.get(ur.user());
+			        			if(abm!=null) {
+			        				for(Approval a : abm) {
+			        					if(a.getOperation().equals(FUTURE_OP.A.name()) && ur.role().equals(a.getRole())) {
+			        						if(Future.data.get(a.getTicket())!=null) {
+			        							needNew = false;
+			        							break;
+			        						}
+			        					}
+			        				}
+			        			}
+		        			}
+		        			if(needNew) {
+			        			urFutureApprove.exec(noAvg, ur,"");
+		        			}
+			        	}
+	        		}
+	        	}
+		} catch (OrganizationException e) {
+			env.info().log(e,"Exiting ...");
+		} finally {
+	        	env.info().log("Found",count,"user roles expiring before",future);
+	        	env.info().log("deleting",deleted,"user roles expiring before",tooLate);
+        }
+        
+        // Actualize UR Deletes, or send Email
+        if(UserRole.sizeForDeletion()>0) {
+        		count+=UserRole.sizeForDeletion();
+            double onePercent = 0.01;
+	        if(((double)UserRole.sizeForDeletion())/UserRole.data.size() > onePercent) {
+		        	Message msg = new Message();
+		        	try {
+					msg.line("Found %d of %d UserRoles marked for Deletion in file %s", 
+						delayedURDeletes,UserRole.data.size(),deletesFile.getCanonicalPath());
+				} catch (IOException e) {
+					msg.line("Found %d of %d UserRoles marked for Deletion.\n", 
+							delayedURDeletes);
+				}
+		        	msg.line("Review the File.  If data is ok, Use ExpiringP2 BatchProcess to complete the deletions");
+		        	
+		        	email.msg(msg);
+		        	email.exec(trans, org, "Email Support");
+	        } else {
+		        	urDeleteF.flush();
+		        	try {
+			        	BufferedReader br = new BufferedReader(new FileReader(deletesFile));
+			        	try {
+			        		ExpiringP2.deleteURs(noAvg, br, urDelete, null /* don't touch Cache here*/);
+			        	} finally {
+			        		br.close();
+			        	}
+		        	} catch (IOException io) {
+		        		noAvg.error().log(io);
+		        	}
+	        }
+        }
+        if(count>0) {
+        		String str = String.format("%d UserRoles modified or deleted", count);
+        		cacheTouch.exec(trans, "user_role", str);
+        }
+        
+        // Run for Creds
+        trans.info().log("Checking for Expired Credentials");
+        System.out.flush();
+        count = 0;
+        try {
+	        	CredDAO.Data crd = new CredDAO.Data();
+	        	Date last = null;
+	        	for( Cred creds : Cred.data.values()) {
+				crd.id = creds.id;
+	        		for(int type : creds.types()) {
+					crd.type = type;
+	        			for( Instance inst : creds.instances) {
+	        				if(inst.expires.before(tooLate)) {
+	        					crd.expires = inst.expires;
+	        					crDelete.exec(noAvg, crd,"Expired before " + tooLate);
+	        				} else if(last==null || inst.expires.after(last)) {
+	    						last = inst.expires;
+	    					}
+	        			}
+	        			if(last!=null) {
+	        				if(last.before(future)) {
+	        					crd.expires = last;
+	        					crPrint.exec(noAvg, crd,"");
+		        				++count;
+	        				}
+	        			}
+	        		}
+	        	}
+        } finally {
+        		String str = String.format("Found %d current creds expiring before %s", count, Chrono.dateOnlyStamp(future));
+        		if(count>0) {
+        			cacheTouch.exec(trans, "cred", str);
+        		}
+        }
+        
+	}
+	
+	@Override
+	protected void _close(AuthzTrans trans) {
+        aspr.info("End " + this.getClass().getSimpleName() + " processing" );
+        for(Action<?,?,?> action : new Action<?,?,?>[] {crDelete}) {
+        	if(action instanceof ActionDAO) {
+        		((ActionDAO<?,?,?>)action).close(trans);
+        	}
+        }
+        session.close();
+        urDeleteF.close();
+        urRecoverF.close();
+	}
+
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/update/ExpiringP2.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/update/ExpiringP2.java
new file mode 100644
index 00000000..f568b330
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/update/ExpiringP2.java
@@ -0,0 +1,158 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.update;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileReader;
+import java.io.IOException;
+import java.text.ParseException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.onap.aaf.auth.Batch;
+import org.onap.aaf.auth.BatchPrincipal;
+import org.onap.aaf.auth.actions.Action;
+import org.onap.aaf.auth.actions.ActionDAO;
+import org.onap.aaf.auth.actions.CacheTouch;
+import org.onap.aaf.auth.actions.URDelete;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.UserRole;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.cadi.util.Split;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.util.Chrono;
+
+public class ExpiringP2 extends Batch {
+	private final URDelete urDelete;
+	private final CacheTouch cacheTouch;
+	private final AuthzTrans noAvg;
+	private final BufferedReader urDeleteF;
+
+	public ExpiringP2(AuthzTrans trans) throws APIException, IOException, OrganizationException {
+		super(trans.env());
+	    trans.info().log("Starting Connection Process");
+	    
+		noAvg = env.newTransNoAvg();
+		noAvg.setUser(new BatchPrincipal("batch:ExpiringP2"));
+
+	    TimeTaken tt0 = trans.start("Cassandra Initialization", Env.SUB);
+	    try {
+	    		urDelete = new URDelete(trans, cluster,isDryRun());
+				TimeTaken tt2 = trans.start("Connect to Cluster", Env.REMOTE);
+				try {
+					session = urDelete.getSession(trans);
+				} finally {
+					tt2.done();
+				}
+			cacheTouch = new CacheTouch(trans,urDelete);
+			
+			File data_dir = new File(env.getProperty("aaf_data_dir"));
+			if(!data_dir.exists() || !data_dir.canWrite() || !data_dir.canRead()) {
+				throw new IOException("Cannot read/write to Data Directory "+ data_dir.getCanonicalPath() + ": EXITING!!!");
+			}
+			urDeleteF = new BufferedReader(new FileReader(new File(data_dir,"UserRoleDeletes.dat")));
+			
+		} finally {
+	    	tt0.done();
+	    }
+	}
+
+	@Override
+	protected void run(AuthzTrans trans) {
+		deleteURs(noAvg, urDeleteF, urDelete, cacheTouch);
+	}
+	
+	public static void deleteURs(AuthzTrans trans, BufferedReader urDeleteF, URDelete urDelete, CacheTouch cacheTouch) {
+		String line,prev="";
+		try {
+			UserRole ur;
+			Map<String,Count> tally = new HashMap<String,Count>();
+			int count=0;
+			try {
+				while((line=urDeleteF.readLine())!=null) {
+					if(line.startsWith("#")) {
+						Count cnt = tally.get(line);
+						if(cnt==null) {
+							tally.put(line, cnt=new Count());
+						}
+						cnt.inc();
+						prev = line;
+					} else {
+						String[] l = Split.splitTrim('|', line);
+						try {
+							// Note: following default order from "COPY TO"
+							ur = new UserRole(l[0],l[1],l[3],l[4],Chrono.iso8601Fmt.parse(l[2]));
+							urDelete.exec(trans, ur, prev);
+							++count;
+						} catch (ParseException e) {
+							trans.error().log(e);
+						}
+					}
+				}
+				
+				System.out.println("Tallies of UserRole Deletions");
+				for(Entry<String, Count> es : tally.entrySet()) {
+					System.out.printf("  %6d\t%20s\n", es.getValue().cnt,es.getKey());
+				}
+			} finally {
+				if(cacheTouch!=null && count>0) {
+	        			cacheTouch.exec(trans, "user_roles", "Removing UserRoles");
+				}
+			}
+		} catch (IOException e) {
+			trans.error().log(e);
+		}
+		
+	}
+	private static class Count {
+		private int cnt=0;
+		
+		public /*synchonized*/ void inc() {
+			++cnt;
+		}
+		
+		public String toString() {
+			return Integer.toString(cnt);
+		}
+	}
+	
+	@Override
+	protected void _close(AuthzTrans trans) {
+        aspr.info("End " + this.getClass().getSimpleName() + " processing" );
+        for(Action<?,?,?> action : new Action<?,?,?>[] {urDelete,cacheTouch}) {
+	        	if(action instanceof ActionDAO) {
+	        		((ActionDAO<?,?,?>)action).close(trans);
+	        	}
+        }
+        session.close();
+        try {
+			urDeleteF.close();
+		} catch (IOException e) {
+			trans.error().log(e);
+		}
+	}
+
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/update/NotifyApprovals.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/update/NotifyApprovals.java
new file mode 100644
index 00000000..3314694e
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/update/NotifyApprovals.java
@@ -0,0 +1,236 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.update;
+
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.PrintStream;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.GregorianCalendar;
+import java.util.List;
+import java.util.Map.Entry;
+
+import org.onap.aaf.auth.Batch;
+import org.onap.aaf.auth.BatchPrincipal;
+import org.onap.aaf.auth.actions.Email;
+import org.onap.aaf.auth.actions.EmailPrint;
+import org.onap.aaf.auth.actions.Message;
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.cass.ApprovalDAO;
+import org.onap.aaf.auth.dao.cass.FutureDAO;
+import org.onap.aaf.auth.dao.cass.HistoryDAO;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.Approval;
+import org.onap.aaf.auth.helpers.Future;
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.auth.org.OrganizationFactory;
+import org.onap.aaf.auth.org.Organization.Identity;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.util.Chrono;
+
+public class NotifyApprovals extends Batch {
+	private static final String LINE = "----------------------------------------------------------------";
+	private final HistoryDAO historyDAO;
+	private final ApprovalDAO apprDAO;
+	private final FutureDAO futureDAO;
+	private Email email;
+	private int maxEmails;
+	private final PrintStream ps;
+	private final AuthzTrans noAvg;
+
+	public NotifyApprovals(AuthzTrans trans) throws APIException, IOException, OrganizationException {
+		super(trans.env());
+		
+		noAvg = env.newTransNoAvg();
+		noAvg.setUser(new BatchPrincipal("batch:NotifyApprovals"));
+
+		historyDAO = new HistoryDAO(trans, cluster, CassAccess.KEYSPACE);
+		session = historyDAO.getSession(trans);
+		apprDAO = new ApprovalDAO(trans, historyDAO);
+		futureDAO = new FutureDAO(trans, historyDAO);
+		if(isDryRun()) {
+			email = new EmailPrint();
+			maxEmails=3;
+		} else {
+			email = new Email();
+			maxEmails = Integer.parseInt(trans.getProperty("MAX_EMAILS","3"));
+		}
+		email.subject("AAF Approval Notification (ENV: %s)",batchEnv);
+		email.preamble("AAF (MOTS 22830) is the AT&T Authorization System used by many AT&T Tools and Applications." +
+				"\n  Your approval is required, which you may enter on the following page:"
+				+ "\n\n\t%s/approve\n\n"
+				,env.getProperty(GUI_URL));
+		email.signature("Sincerely,\nAAF Team (Our MOTS# 22830)\n"
+				+ "https://wiki.web.att.com/display/aaf/Contact+Us\n"
+				+ "(Use 'Other Misc Requests (TOPS)')");
+
+		Approval.load(trans, session, Approval.v2_0_17);
+		Future.load(trans, session, Future.v2_0_17); // Skip the Construct Data
+		
+		ps = new PrintStream(new FileOutputStream(logDir() + "/email"+Chrono.dateOnlyStamp()+".log",true));
+		ps.printf("### Approval Notify %s for %s%s\n",Chrono.dateTime(),batchEnv,dryRun?", DryRun":"");
+	}
+
+	@Override
+	protected void run(AuthzTrans trans) {
+		GregorianCalendar gc = new GregorianCalendar();
+		Date now = gc.getTime();
+		String today = Chrono.dateOnlyStamp(now);
+		gc.add(GregorianCalendar.MONTH, -1);
+		gc=null;
+
+
+		Message msg = new Message();
+		int emailCount = 0;
+		List<Approval> pending = new ArrayList<Approval>();
+		boolean isOwner,isSupervisor;
+		for(Entry<String, List<Approval>> es : Approval.byApprover.entrySet()) {
+			isOwner = isSupervisor = false;
+			String approver = es.getKey();
+			if(approver.indexOf('@')<0) {
+				approver += org.getRealm();
+			}
+			Date latestNotify=null, soonestExpire=null;
+			GregorianCalendar latest=new GregorianCalendar();
+			GregorianCalendar soonest=new GregorianCalendar();
+			pending.clear();
+			
+			for(Approval app : es.getValue()) {
+				Future f = app.getTicket()==null?null:Future.data.get(app.getTicket());
+				if(f==null) { // only Ticketed Approvals are valid.. the others are records.
+					// Approvals without Tickets are no longer valid. 
+					if("pending".equals(app.getStatus())) {
+						app.setStatus("lapsed");
+						app.update(noAvg,apprDAO,dryRun); // obeys dryRun
+					}
+				} else {
+					if((soonestExpire==null && f.expires()!=null) || (soonestExpire!=null && f.expires()!=null && soonestExpire.before(f.expires()))) {
+						soonestExpire=f.expires();
+					}
+
+					if("pending".equals(app.getStatus())) {
+						if(!isOwner) {
+							isOwner = "owner".equals(app.getType());
+						}
+						if(!isSupervisor) {
+							isSupervisor = "supervisor".equals(app.getType());
+						}
+
+						if((latestNotify==null && app.getLast_notified()!=null) ||(latestNotify!=null && app.getLast_notified()!=null && latestNotify.before(app.getLast_notified()))) {
+							latestNotify=app.getLast_notified();
+						}
+						pending.add(app);
+					}
+				}
+			}
+
+			if(!pending.isEmpty()) {
+				boolean go = false;
+				if(latestNotify==null) { // never notified... make it so
+					go=true;
+				} else {
+					if(!today.equals(Chrono.dateOnlyStamp(latest))) { // already notified today
+						latest.setTime(latestNotify);
+						soonest.setTime(soonestExpire);
+						int year;
+						int days = soonest.get(GregorianCalendar.DAY_OF_YEAR)-latest.get(GregorianCalendar.DAY_OF_YEAR);
+						days+=((year=soonest.get(GregorianCalendar.YEAR))-latest.get(GregorianCalendar.YEAR))*365 + 
+								(soonest.isLeapYear(year)?1:0);
+						if(days<7) { // If Expirations get within a Week (or expired), notify everytime.
+							go = true;
+						}
+					}
+				}
+				if(go) {
+					if(maxEmails>emailCount++) {
+						try {
+							Organization org = OrganizationFactory.obtain(env, approver);
+							Identity user = org.getIdentity(noAvg, approver);
+							if(user==null) {
+								ps.printf("Invalid Identity: %s\n", approver);
+							} else {
+								email.clear();
+								msg.clear();
+								email.addTo(user.email());
+								msg.line(LINE);
+								msg.line("Why are you receiving this Notification?\n");
+								if(isSupervisor) {
+									msg.line("%sYou are the supervisor of one or more employees who need access to tools which are protected by AAF.  " + 
+											 "Your employees may ask for access to various tools and applications to do their jobs.  ASPR requires "
+											 + "that you are notified and approve their requests. The details of each need is provided when you click "
+											 + "on webpage above.\n",isOwner?"1) ":"");
+									msg.line("Your participation in this process fulfills the ASPR requirement to re-authorize users in roles on a regular basis.\n\n");
+								}
+							
+								if(isOwner) {
+									msg.line("%sYou are the listed owner of one or more AAF Namespaces. ASPR requires that those responsible for "
+											+ "applications and their access review them regularly for accuracy.  The AAF WIKI page for AT&T is https://wiki.web.att.com/display/aaf.  "
+											+ "More info regarding questions of being a Namespace Owner is available at https://wiki.web.att.com/pages/viewpage.action?pageId=594741363\n",isSupervisor?"2) ":"");
+									msg.line("Additionally, Credentials attached to the Namespace must be renewed regularly.  While you may delegate certain functions to " + 
+											 "Administrators within your Namespace, you are ultimately responsible to make sure credentials do not expire.\n");
+									msg.line("You may view the Namespaces you listed as Owner for in this AAF Env by viewing the following webpage:\n");
+									msg.line("   %s/ns\n\n",env.getProperty(GUI_URL));
+								
+								}
+								msg.line("  If you are unfamiliar with AAF, you might like to peruse the following links:"
+										+ "\n\thttps://wiki.web.att.com/display/aaf/AAF+in+a+Nutshell"
+										+ "\n\thttps://wiki.web.att.com/display/aaf/The+New+Person%%27s+Guide+to+AAF");
+								msg.line("\n  SPECIAL NOTE about SWM Management Groups: Understand that SWM management Groups correlate one-to-one to AAF Namespaces. "
+										+ "(SWM uses AAF for the Authorization piece of Management Groups).  You may be assigned the SWM Management Group by asking "
+										+ "directly, or through any of the above stated automated processes.  Auto-generated Namespaces typically look like 'com.att.44444.PROD' "
+										+ "where '44444' is a MOTS ID, and 'PROD' is PROD|DEV|TEST, etc.  For your convenience, the MOTS link is http://ebiz.sbc.com/mots.\n");
+								msg.line("  Finally, realize that there are automated processes which create Machines and Resources via SWM, Kubernetes or other "
+										+ "such tooling.  If you or your predecessor requested them, you were set as the owner of the AAF Namespace created during "
+										+ "that process.\n");
+								msg.line("  For ALL QUESTIONS of why and how of SWM, and whether you or your reports can be removed, please contact SWM at "
+										+ "https://wiki.web.att.com/display/swm/Support\n");
+
+								email.msg(msg);
+								email.exec(noAvg, org,"");
+								if(!isDryRun()) {
+									email.log(ps,"NotifyApprovals");
+									for(Approval app : pending) {
+										app.setLastNotified(now);
+										app.update(noAvg, apprDAO, dryRun);
+									}
+								}
+							}
+						} catch (OrganizationException e) {
+							trans.info().log(e);
+						}
+					}
+				}
+			}
+		}
+		trans.info().printf("%d emails sent for %s", emailCount,batchEnv);
+	}
+	
+	@Override
+	protected void _close(AuthzTrans trans) {
+		futureDAO.close(trans);
+		apprDAO.close(trans);
+		historyDAO.close(trans);
+		ps.close();
+	}
+}
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/update/NotifyCredExpiring.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/update/NotifyCredExpiring.java
new file mode 100644
index 00000000..bdf8347c
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/update/NotifyCredExpiring.java
@@ -0,0 +1,321 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.update;
+
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.PrintStream;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.onap.aaf.auth.Batch;
+import org.onap.aaf.auth.BatchPrincipal;
+import org.onap.aaf.auth.actions.Email;
+import org.onap.aaf.auth.actions.EmailPrint;
+import org.onap.aaf.auth.actions.Message;
+import org.onap.aaf.auth.dao.cass.CredDAO;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.Cred;
+import org.onap.aaf.auth.helpers.Notification;
+import org.onap.aaf.auth.helpers.UserRole;
+import org.onap.aaf.auth.helpers.Notification.TYPE;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.org.EmailWarnings;
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.auth.org.OrganizationFactory;
+import org.onap.aaf.auth.org.Organization.Identity;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import java.util.TreeMap;
+
+
+public class NotifyCredExpiring extends Batch {
+
+	private static final String UNKNOWN_ID = "unknown@deprecated.id";
+	private static final String AAF_INSTANTIATED_MECHID = "AAF INSTANTIATED MECHID";
+	private static final String EXPIRATION_DATE = "EXPIRATION DATE";
+	private static final String QUICK_LINK = "QUICK LINK TO UPDATE PAGE";
+	private static final String DASH_1 = "-----------------------";
+	private static final String DASH_2 = "---------------";
+	private static final String DASH_3 = "----------------------------------------------------";
+	private static final String LINE = "\n----------------------------------------------------------------";
+	private Email email;
+	private int maxEmails;
+	private final PrintStream ps;
+	private final AuthzTrans noAvg;
+	private String supportEmailAddr;
+
+	public NotifyCredExpiring(AuthzTrans trans) throws APIException, IOException, OrganizationException {
+		super(trans.env());
+		TimeTaken tt = trans.start("Connect to Cluster", Env.REMOTE);
+		try {
+			session = cluster.connect();
+		} finally {
+			tt.done();
+		}
+		
+		noAvg = env.newTransNoAvg();
+		noAvg.setUser(new BatchPrincipal("batch:NotifyCredExpiring"));
+		
+		if((supportEmailAddr = env.getProperty("mailFromUserId"))==null) {
+			throw new APIException("mailFromUserId property must be set");
+		}
+		if(isDryRun()) {
+			email = new EmailPrint();
+			maxEmails=3;
+			maxEmails = Integer.parseInt(trans.getProperty("MAX_EMAILS","3"));
+		} else {
+			email = new Email();
+			maxEmails = Integer.parseInt(trans.getProperty("MAX_EMAILS","3"));
+		}
+		
+		email.subject("AAF Password Expiration Notification (ENV: %s)",batchEnv);
+		email.preamble("AAF (MOTS 22830) is the AT&T Authorization System used by many AT&T Tools and Applications.\n\n" +
+				"  The following Credentials are expiring on the dates shown. Failure to act before the expiration date "
+				+ "will cause your App's Authentications to fail.\n");
+		email.signature("Sincerely,\nAAF Team (Our MOTS# 22830)\n"
+				+ "https://wiki.web.att.com/display/aaf/Contact+Us\n"
+				+ "(Use 'Other Misc Requests (TOPS)')");
+
+		Cred.load(trans, session,CredDAO.BASIC_AUTH, CredDAO.BASIC_AUTH_SHA256);
+		Notification.load(trans, session, Notification.v2_0_18);
+		UserRole.load(trans, session, UserRole.v2_0_11);
+		
+		ps = new PrintStream(new FileOutputStream(logDir() + "/email"+Chrono.dateOnlyStamp()+".log",true));
+		ps.printf("### Approval Notify %s for %s%s\n",Chrono.dateTime(),batchEnv,dryRun?", DryRun":"");
+	}
+	
+	@Override
+	protected void run(AuthzTrans trans) {
+		
+		EmailWarnings ewp = org.emailWarningPolicy();
+		long now = System.currentTimeMillis();
+		Date early = new Date(now+(ewp.credExpirationWarning()*2)); // 2 months back
+		Date must = new Date(now+ewp.credExpirationWarning()); // 1 months back
+		Date critical = new Date(now+ewp.emailUrgentWarning()); // 1 week
+		Date within2Weeks = new Date(now+604800000 * 2);
+		Date withinLastWeek = new Date(now-604800000);
+		Date tooLate = new Date(now);
+		
+		// Temp structures
+		Map<String,Cred> lastCred = new HashMap<String,Cred>();
+		Map<String,List<LastCred>> ownerCreds = new TreeMap<String,List<LastCred>>();
+		Date last;
+		
+
+		List<LastCred> noOwner = new ArrayList<LastCred>();
+		ownerCreds.put(UNKNOWN_ID,noOwner);
+
+		// Get a list of ONLY the ones needing email by Owner
+		for(Entry<String, List<Cred>> es : Cred.byNS.entrySet()) {
+			lastCred.clear();
+			for(Cred c : es.getValue()) {
+				last = c.last(CredDAO.BASIC_AUTH,CredDAO.BASIC_AUTH_SHA256);
+				if(last!=null && last.after(tooLate) && last.before(early)) {
+					List<UserRole> ownerURList = UserRole.byRole.get(es.getKey()+".owner");
+					if(ownerURList!=null) {
+						for(UserRole ur:ownerURList) {
+							String owner = ur.user();
+							List<LastCred> llc = ownerCreds.get(owner);
+							if(llc==null) {
+								ownerCreds.put(owner, (llc=new ArrayList<LastCred>()));
+							}
+							llc.add(new LastCred(c,last));
+						}
+					} else {
+						noOwner.add(new LastCred(c,last));
+					}
+				}
+			}
+		}
+		
+		boolean bCritical,bNormal,bEarly;
+		int emailCount=0;
+		Message msg = new Message();
+		Notification ownNotf;
+		StringBuilder logMessage = new StringBuilder();
+		for(Entry<String,List<LastCred>> es : ownerCreds.entrySet()) {
+			String owner = es.getKey();
+			boolean header = true;
+			try {
+				Organization org = OrganizationFactory.obtain(env, owner);
+				Identity user = org.getIdentity(noAvg, owner);
+				if(!UNKNOWN_ID.equals(owner) && user==null) {
+					ps.printf("Invalid Identity: %s\n", owner);
+				} else {
+					logMessage.setLength(0);
+					if(maxEmails>emailCount) {
+						bCritical=bNormal=bEarly = false;
+						email.clear();
+						msg.clear();
+						email.addTo(user==null?supportEmailAddr:user.email());
+
+						ownNotf = Notification.get(es.getKey(),TYPE.CN);
+						if(ownNotf==null) {
+							ownNotf = Notification.create(user==null?UNKNOWN_ID:user.fullID(), TYPE.CN);
+						}
+						last = ownNotf.last;
+						// Get Max ID size for formatting purposes
+						int length = AAF_INSTANTIATED_MECHID.length();
+						for(LastCred lc : es.getValue()) {
+							length = Math.max(length, lc.cred.id.length());
+						}
+						String id_exp_fmt = "\t%-"+length+"s  %15s  %s";
+
+						Collections.sort(es.getValue(),LastCred.COMPARE);
+						for(LastCred lc : es.getValue()) {
+							if(lc.last.after(must) && lc.last.before(early) && 
+								(ownNotf.last==null || ownNotf.last.before(withinLastWeek))) {
+								if(!bEarly && header) {
+									msg.line("\tThe following are friendly 2 month reminders, just in case you need to schedule your updates early.  "
+											+ "You will be reminded next month\n");
+									msg.line(id_exp_fmt, AAF_INSTANTIATED_MECHID,EXPIRATION_DATE, QUICK_LINK);
+									msg.line(id_exp_fmt, DASH_1, DASH_2, DASH_3);
+									header = false;
+								}
+								bEarly = true;
+							} else if(lc.last.after(critical) && lc.last.before(must) && 
+									(ownNotf.last==null || ownNotf.last.before(withinLastWeek))) {
+								if(!bNormal) {
+									boolean last2wks = lc.last.before(within2Weeks);
+									if(last2wks) {
+										try {
+											Identity supvsr = user.responsibleTo();
+											email.addCC(supvsr.email());
+										} catch(OrganizationException e) {
+											trans.error().log(e, "Supervisor cannot be looked up");
+										}
+									}
+									if(header) {
+										msg.line("\tIt is now important for you to update Passwords all all configurations using them for the following.\n" +
+												(last2wks?"\tNote: Your Supervisor is CCd\n":"\tNote: Your Supervisor will be notified if this is not being done before the last 2 weeks\n"));
+										msg.line(id_exp_fmt, AAF_INSTANTIATED_MECHID,EXPIRATION_DATE, QUICK_LINK);
+										msg.line(id_exp_fmt, DASH_1, DASH_2, DASH_3);
+									}
+									header = false;
+								}
+								bNormal=true;
+							} else if(lc.last.after(tooLate) && lc.last.before(critical)) { // Email Every Day, with Supervisor
+								if(!bCritical && header) {
+									msg.line("\t!!! WARNING: These Credentials will expire in LESS THAN ONE WEEK !!!!\n" +
+											 "\tYour supervisor is added to this Email\n");
+									msg.line(id_exp_fmt, AAF_INSTANTIATED_MECHID,EXPIRATION_DATE, QUICK_LINK);
+									msg.line(id_exp_fmt, DASH_1, DASH_2, DASH_3);
+									header = false;
+								}
+								bCritical = true;
+								try {
+									if(user!=null) {
+										Identity supvsr = user.responsibleTo();
+										if(supvsr!=null) {
+											email.addCC(supvsr.email());
+											supvsr = supvsr.responsibleTo();
+											if(supvsr!=null) {
+												email.addCC(supvsr.email());
+											}
+										}
+									}
+								} catch(OrganizationException e) {
+									trans.error().log(e, "Supervisor cannot be looked up");
+								}
+							}
+							if(bEarly || bNormal || bCritical) {
+								if(logMessage.length()==0) {
+									logMessage.append("NotifyCredExpiring");
+								}
+								logMessage.append("\n\t");
+								logMessage.append(lc.cred.id);
+								logMessage.append('\t');
+								logMessage.append(Chrono.dateOnlyStamp(lc.last));
+								msg.line(id_exp_fmt, lc.cred.id, Chrono.dateOnlyStamp(lc.last)+"     ",env.getProperty(GUI_URL)+"/creddetail?ns="+Question.domain2ns(lc.cred.id));
+							}
+						}
+						
+						if(bEarly || bNormal || bCritical) {
+							msg.line(LINE);
+							msg.line("Why are you receiving this Notification?\n");
+								msg.line("You are the listed owner of one or more AAF Namespaces. ASPR requires that those responsible for "
+										+ "applications and their access review them regularly for accuracy.  The AAF WIKI page for AT&T is https://wiki.web.att.com/display/aaf.  "
+										+ "You might like https://wiki.web.att.com/display/aaf/AAF+in+a+Nutshell.  More detailed info regarding questions of being a Namespace Owner is available at https://wiki.web.att.com/pages/viewpage.action?pageId=594741363\n");
+								msg.line("You may view the Namespaces you listed as Owner for in this AAF Env by viewing the following webpage:\n");
+								msg.line("   %s/ns\n\n",env.getProperty(GUI_URL));
+							email.msg(msg);
+							Result<Void> rv = email.exec(trans, org,"");
+							if(rv.isOK()) {
+								++emailCount;
+								if(!isDryRun()) {
+									ownNotf.update(noAvg, session, false);
+									// SET LastNotification
+								}
+								email.log(ps,logMessage.toString());
+							} else {
+								trans.error().log(rv.errorString());
+							}
+						}
+					}
+				}
+			} catch (OrganizationException e) {
+				trans.info().log(e);
+			}
+		}
+		trans.info().printf("%d emails sent for %s", emailCount,batchEnv);
+	}
+	
+	private static class LastCred {
+		public Cred cred; 
+		public Date last;
+		
+		public LastCred(Cred cred, Date last) {
+			this.cred = cred;
+			this.last = last;
+		}
+		
+		// Reverse Sort (Oldest on top)
+		public static Comparator<LastCred> COMPARE = new Comparator<LastCred>() {
+			@Override
+			public int compare(LastCred o1, LastCred o2) {
+				return o2.last.compareTo(o1.last);
+			}
+		};
+		
+		public String toString() {
+			return Chrono.dateTime(last) + cred.toString();
+		}
+	}
+	
+	@Override
+	protected void _close(AuthzTrans trans) {
+	    session.close();
+		ps.close();
+	}
+}
diff --git a/auth/auth-cass/.gitignore b/auth/auth-cass/.gitignore
new file mode 100644
index 00000000..d7c9d7e7
--- /dev/null
+++ b/auth/auth-cass/.gitignore
@@ -0,0 +1,9 @@
+/.settings
+/bin
+/Old
+/target
+/.classpath
+/.project
+/AAF_2.0.8_alter.zip
+/logs/
+/target/
diff --git a/auth/auth-cass/docker/dinstall b/auth/auth-cass/docker/dinstall
new file mode 100644
index 00000000..17d3e07d
--- /dev/null
+++ b/auth/auth-cass/docker/dinstall
@@ -0,0 +1,29 @@
+
+if [ "`docker ps -a | grep aaf_cass`" == "" ]; then
+  docker run --name aaf_cass  -d cassandra:3.11
+else 
+  docker exec aaf_cass mkdir -p /opt/app/cass_init
+  docker cp "../src/main/cql/." aaf_cass:/opt/app/cass_init
+fi
+
+echo "Docker Installed Basic Cassandra on aaf_cass.  Executing the following "
+echo "NOTE: This creator provided is only a Single Instance. For more complex Cassandra, create independently"
+echo ""
+echo " cd /opt/app/cass_init"  
+echo " cqlsh -u root -p root -f keyspace.cql"
+echo " cqlsh -u root -p root -f init.cql"
+echo " cqlsh -u root -p root -f osaaf.cql"
+echo ""
+echo "The following will give you a temporary identity with which to start working, or emergency"
+echo " cqlsh -u root -p root -f temp_identity.cql"
+echo "Sleeping 10 seconds to allow Cassandra to start"
+sleep 10
+docker exec -it aaf_cass bash -c '\
+cd /opt/app/cass_init; \
+echo "Creating Keyspace";cqlsh -u root -p root -f keyspace.cql;\
+echo "Creating init";cqlsh -u root -p root -f init.cql;\
+echo "Creating osaaf";cqlsh -u root -p root -f osaaf.cql;\
+echo "Creating temp Identity";cqlsh -u root -p root -f temp_identity.cql'
+
+echo "Inspecting aafcassadra.  Use to get the IP address to update org.osaaf.cassandra.props"
+docker inspect aaf_cass | grep '"IPAddress' | head -1
diff --git a/auth/auth-cass/pom.xml b/auth/auth-cass/pom.xml
new file mode 100644
index 00000000..56f367d6
--- /dev/null
+++ b/auth/auth-cass/pom.xml
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.onap.aaf.auth</groupId>
+		<artifactId>parent</artifactId>
+		<version>2.1.0-SNAPSHOT</version>
+		<relativePath>../pom.xml</relativePath>
+	</parent>
+
+	<artifactId>aaf-auth-cass</artifactId>
+	<name>AAF Auth Cass</name>
+	<description>Cassandra Data Libraries for AAF Auth</description>
+	<packaging>jar</packaging>
+	
+	<developers>
+		<developer>
+			<name>Jonathan Gathman</name>
+			<email>jonathan.gathman@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Architect</role>
+				<role>Lead Developer</role>
+			</roles>
+		</developer>
+		<developer>
+			<name>Gabe Maurer</name>
+			<email>gabe.maurer@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Developer</role>
+			</roles>
+		</developer>
+		<developer>
+			<name>Ian Howell</name>
+			<email>ian.howell@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Developer</role>
+			</roles>
+		</developer>
+	</developers>
+
+	
+	<dependencies>
+		<dependency>
+			<groupId>org.onap.aaf.auth</groupId>
+			<artifactId>aaf-auth-core</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.cadi</groupId>
+			<artifactId>aaf-cadi-aaf</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>com.datastax.cassandra</groupId>
+			<artifactId>cassandra-driver-core</artifactId>
+		</dependency>
+
+		<!-- Cassandra prefers Snappy and LZ4 libs for performance -->
+		<dependency>
+			<groupId>org.xerial.snappy</groupId>
+			<artifactId>snappy-java</artifactId>
+			<version>1.1.1-M1</version>
+		</dependency>
+
+		<dependency>
+			<groupId>net.jpountz.lz4</groupId>
+			<artifactId>lz4</artifactId>
+			<version>1.2.0</version>
+		</dependency>
+
+		<dependency>
+			<groupId>com.googlecode.jcsv</groupId>
+			<artifactId>jcsv</artifactId>
+			<version>1.4.0</version>
+		</dependency>
+
+		<dependency>
+			<groupId>org.slf4j</groupId>
+			<artifactId>slf4j-log4j12</artifactId>
+			<scope>test</scope>
+		</dependency>
+
+
+	</dependencies>
+</project>
+
diff --git a/auth/auth-cass/src/main/cql/.gitignore b/auth/auth-cass/src/main/cql/.gitignore
new file mode 100644
index 00000000..f17048e9
--- /dev/null
+++ b/auth/auth-cass/src/main/cql/.gitignore
@@ -0,0 +1 @@
+/init.cql
diff --git a/auth/auth-cass/src/main/cql/keyspace.cql b/auth/auth-cass/src/main/cql/keyspace.cql
new file mode 100644
index 00000000..ad58090f
--- /dev/null
+++ b/auth/auth-cass/src/main/cql/keyspace.cql
@@ -0,0 +1,9 @@
+// For Developer Machine single instance
+CREATE KEYSPACE authz
+  WITH REPLICATION = {'class' : 'SimpleStrategy','replication_factor':1};
+// 
+//
+ 
+// Example of Network Topology, with Datacenter dc1 & dc2
+// CREATE KEYSPACE authz WITH replication = { 'class': 'NetworkTopologyStrategy', 'dc1': '2', 'dc2': '2' };
+// 
diff --git a/auth/auth-cass/src/main/cql/osaaf.cql b/auth/auth-cass/src/main/cql/osaaf.cql
new file mode 100644
index 00000000..83c7fdf0
--- /dev/null
+++ b/auth/auth-cass/src/main/cql/osaaf.cql
@@ -0,0 +1,61 @@
+USE authz;
+
+// Create 'org' root NS
+INSERT INTO ns (name,description,parent,scope,type)
+  VALUES('org','Root Namespace','.',1,1);
+
+INSERT INTO role(ns, name, perms, description)
+  VALUES('org','admin',{'org.access|*|*'},'Org Admins');
+
+INSERT INTO role(ns, name, perms, description)
+  VALUES('org','owner',{'org.access|*|read,approve'},'Org Owners');
+
+INSERT INTO perm(ns, type, instance, action, roles, description) 
+  VALUES ('org','access','*','read,approve',{'org.owner'},'Org Read Access');
+
+INSERT INTO perm(ns, type, instance, action, roles, description) 
+  VALUES ('org','access','*','*',{'org.admin'},'Org Write Access');
+
+// Create Root pass
+INSERT INTO cred (id,ns,type,cred,expires)
+  VALUES ('initial@osaaf.org','org.osaaf',1,0x008c5926ca861023c1d2a36653fd88e2,'2099-12-31') using TTL 14400;
+
+INSERT INTO user_role(user,role,expires,ns,rname)
+  VALUES ('initial@osaaf.org','org.admin','2099-12-31','org','admin') using TTL 14400;
+
+
+// Create org.osaaf
+INSERT INTO ns (name,description,parent,scope,type)
+  VALUES('org.osaaf','OSAAF Namespace','org',2,2);
+
+INSERT INTO role(ns, name, perms,description)
+  VALUES('org.osaaf','admin',{'org.osaaf.access|*|*'},'OSAAF Admins');
+
+INSERT INTO perm(ns, type, instance, action, roles,description) 
+  VALUES ('org.osaaf','access','*','*',{'org.osaaf.admin'},'OSAAF Write Access');
+
+INSERT INTO role(ns, name, perms,description)
+  VALUES('org.osaaf','owner',{'org.osaaf.access|*|read,approve'},'OSAAF Owners');
+
+INSERT INTO perm(ns, type, instance, action, roles,description) 
+  VALUES ('org.osaaf','access','*','read,appove',{'org.osaaf.owner'},'OSAAF Read Access');
+
+// Create org.osaaf.aaf
+INSERT INTO ns (name,description,parent,scope,type)
+  VALUES('org.osaaf.aaf','Application Authorization Framework','org.osaaf',3,3);
+
+INSERT INTO role(ns, name, perms, description)
+  VALUES('org.osaaf.aaf','admin',{'org.osaaf.aaf.access|*|*'},'AAF Admins');
+
+INSERT INTO perm(ns, type, instance, action, roles, description) 
+  VALUES ('org.osaaf.aaf','access','*','*',{'org.osaaf.aaf.admin'},'AAF Write Access');
+
+INSERT INTO perm(ns, type, instance, action, roles, description) 
+  VALUES ('org.osaaf.aaf','access','*','read,approve',{'org.osaaf.aaf.owner'},'AAF Read Access');
+
+INSERT INTO role(ns, name, perms, description)
+  VALUES('org.osaaf.aaf','owner',{'org.osaaf.aaf.access|*|read,approve'},'AAF Owners');
+
+INSERT INTO user_role(user,role,expires,ns,rname)
+  VALUES ('initial@osaaf.org','org.osaaf.aaf.admin','2099-12-31','org.osaaf.aaf','admin') using TTL 14400;
+
diff --git a/auth/auth-cass/src/main/cql/temp_identity.cql b/auth/auth-cass/src/main/cql/temp_identity.cql
new file mode 100644
index 00000000..ba6e7828
--- /dev/null
+++ b/auth/auth-cass/src/main/cql/temp_identity.cql
@@ -0,0 +1,8 @@
+USE authz;
+
+INSERT INTO user_role(user,role,expires,ns,rname)
+  VALUES ('jonathan@people.osaaf.org','org.admin','2099-12-31','org','admin') ;
+
+INSERT INTO user_role(user,role,expires,ns,rname)
+  VALUES ('jonathan@people.osaaf.org','org.osaaf.aaf.admin','2099-12-31','org.osaaf.aaf','admin') ;
+
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/AbsCassDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/AbsCassDAO.java
new file mode 100644
index 00000000..9794b2e5
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/AbsCassDAO.java
@@ -0,0 +1,504 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Deque;
+import java.util.List;
+import java.util.concurrent.ConcurrentLinkedDeque;
+
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.TransStore;
+
+import com.datastax.driver.core.BoundStatement;
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.ConsistencyLevel;
+import com.datastax.driver.core.PreparedStatement;
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.ResultSetFuture;
+import com.datastax.driver.core.Row;
+import com.datastax.driver.core.Session;
+import com.datastax.driver.core.exceptions.DriverException;
+
+public abstract class AbsCassDAO<TRANS extends TransStore,DATA> {
+	protected static final char DOT = '.';
+	protected static final char DOT_PLUS_ONE = '.'+1;
+	protected static final String FIRST_CHAR = Character.toString((char)0);
+	protected static final String LAST_CHAR = Character.toString((char)Character.MAX_VALUE);
+	protected static final int FIELD_COMMAS = 0;
+	protected static final int QUESTION_COMMAS = 1;
+	protected static final int ASSIGNMENT_COMMAS = 2;
+	protected static final int WHERE_ANDS = 3;
+
+	private Cluster cluster; 
+	/*
+	 * From DataStax
+	 * com.datastax.driver.core.Session
+		A session holds connections to a Cassandra cluster, allowing it to be queried. Each session maintains multiple connections to the cluster nodes, 
+		provides policies to choose which node to use for each query (round-robin on all nodes of the cluster by default), and handles retries for 
+		failed query (when it makes sense), etc...
+		Session instances are thread-safe and usually a single instance is enough per application. However, a given session can only be set to one 
+		keyspace at a time, so one instance per keyspace is necessary.
+	 */
+	private Session session;
+	private final String keyspace;
+	// If this is null, then we own session
+	private final AbsCassDAO<TRANS,?> owningDAO;
+	protected Class<DATA> dataClass;
+	private final String name;
+//	private static Slot sessionSlot; // not used since 2015
+	private static final ArrayList<AbsCassDAO<? extends TransStore,?>.PSInfo> psinfos = new ArrayList<AbsCassDAO<? extends TransStore,?>.PSInfo>();
+	private static final List<Object> EMPTY = new ArrayList<Object>(0);
+	private static final Deque<ResetRequest> resetDeque = new ConcurrentLinkedDeque<ResetRequest>();
+	private static boolean resetTrigger = false;
+	private static long nextAvailableReset = 0;
+	
+	public AbsCassDAO(TRANS trans, String name, Cluster cluster, String keyspace, Class<DATA> dataClass) {
+		this.name = name;
+		this.cluster = cluster;
+		this.keyspace = keyspace;
+		owningDAO = null;  // we own session
+		session = null;
+		this.dataClass = dataClass;
+	}
+
+	public AbsCassDAO(TRANS trans, String name, AbsCassDAO<TRANS,?> aDao, Class<DATA> dataClass) {
+		this.name = name;
+		cluster = aDao.cluster;
+		keyspace = aDao.keyspace;
+		session = null;
+		// We do not own session
+		owningDAO = aDao;
+		this.dataClass = dataClass;
+	}
+	
+// Not used since 2015
+//	public static void setSessionSlot(Slot slot) {
+//		sessionSlot = slot;
+//	}
+
+	//Note: Lower case ON PURPOSE. These names used to create History Messages
+	public enum CRUD {
+		create,read,update,delete;
+	}
+
+	public class PSInfo {
+		private PreparedStatement ps;
+		private final int size;
+		private final Loader<DATA> loader;
+		private final CRUD crud; // Store CRUD, because it makes a difference in Object Order, see Loader
+		private final String cql;
+		private final ConsistencyLevel consistency;
+
+
+		/**
+		 * Create a PSInfo and create Prepared Statement
+		 * 
+		 * @param trans
+		 * @param theCQL
+		 * @param loader
+		 */
+		public PSInfo(TRANS trans, String theCQL, Loader<DATA> loader, ConsistencyLevel consistency) {
+			this.loader = loader;
+			this.consistency=consistency;
+			psinfos.add(this);
+
+			cql = theCQL.trim().toUpperCase();
+			if(cql.startsWith("INSERT")) {
+				crud = CRUD.create;
+			} else if(cql.startsWith("UPDATE")) {
+				crud = CRUD.update;
+			} else if(cql.startsWith("DELETE")) {
+				crud = CRUD.delete;
+			} else {
+				crud = CRUD.read;
+			}
+			
+			int idx = 0, count=0;
+			while((idx=cql.indexOf('?',idx))>=0) {
+				++idx;
+				++count;
+			}
+			size=count;
+		}
+		
+		public synchronized void reset() {
+			ps = null;
+		}
+		
+		private synchronized BoundStatement ps(TransStore trans) throws APIException, IOException {
+			/* From Datastax
+				You should prepare only once, and cache the PreparedStatement in your application (it is thread-safe). 
+				If you call prepare multiple times with the same query string, the driver will log a warning.
+			*/
+			if(ps==null) {
+				TimeTaken tt = trans.start("Preparing PSInfo " + crud.toString().toUpperCase() + " on " + name,Env.SUB);
+				try {
+					ps = getSession(trans).prepare(cql);
+					ps.setConsistencyLevel(consistency);
+				} catch (DriverException e) {
+					reportPerhapsReset(trans,e);
+					throw e;
+				} finally {
+					tt.done();
+				}
+			}
+			// BoundStatements are NOT threadsafe... need a new one each time.
+			return new BoundStatement(ps);
+		}
+
+		/**
+		 * Execute a Prepared Statement by extracting from DATA object
+		 * 
+		 * @param trans
+		 * @param text
+		 * @param data
+		 * @return
+		 */
+		public Result<ResultSetFuture> execAsync(TRANS trans, String text, DATA data) {
+			TimeTaken tt = trans.start(text, Env.REMOTE);
+			try {
+				return Result.ok(getSession(trans).executeAsync(
+						ps(trans).bind(loader.extract(data, size, crud))));
+			} catch (DriverException | APIException | IOException e) {
+				AbsCassDAO.this.reportPerhapsReset(trans,e);
+				return Result.err(Status.ERR_Backend,"%s-%s executing %s",e.getClass().getName(),e.getMessage(), cql);
+			} finally {
+				tt.done();
+			}
+		}
+
+		/**
+		 * Execute a Prepared Statement on Object[] key
+		 * 
+		 * @param trans
+		 * @param text
+		 * @param objs
+		 * @return
+		 */
+		public Result<ResultSetFuture> execAsync(TRANS trans, String text, Object ... objs) {
+			TimeTaken tt = trans.start(text, Env.REMOTE);
+			try {
+				return Result.ok(getSession(trans).executeAsync(ps(trans).bind(objs)));
+			} catch (DriverException | APIException | IOException e) {
+				AbsCassDAO.this.reportPerhapsReset(trans,e);
+				return Result.err(Status.ERR_Backend,"%s-%s executing %s",e.getClass().getName(),e.getMessage(), cql);
+			} finally {
+				tt.done();
+			}
+		}
+		
+		/* 
+		 * Note:
+		 * 
+		 */
+
+		/**
+		 * Execute a Prepared Statement by extracting from DATA object
+		 * 
+		 * @param trans
+		 * @param text
+		 * @param data
+		 * @return
+		 */
+		public Result<ResultSet> exec(TRANS trans, String text, DATA data) {
+			TimeTaken tt = trans.start(text, Env.REMOTE);
+			try {
+				/*
+				 * "execute" (and executeAsync)
+				 * Executes the provided query.
+					This method blocks until at least some result has been received from the database. However, 
+					for SELECT queries, it does not guarantee that the result has been received in full. But it 
+					does guarantee that some response has been received from the database, and in particular 
+					guarantee that if the request is invalid, an exception will be thrown by this method.
+
+					Parameters:
+					statement - the CQL query to execute (that can be any Statement).
+					Returns:
+						the result of the query. That result will never be null but can be empty (and will 
+						be for any non SELECT query).
+				 */
+				return Result.ok(getSession(trans).execute(
+						ps(trans).bind(loader.extract(data, size, crud))));
+			} catch (DriverException | APIException | IOException e) {
+				AbsCassDAO.this.reportPerhapsReset(trans,e);
+				return Result.err(Status.ERR_Backend,"%s-%s executing %s",e.getClass().getName(),e.getMessage(), cql);
+			} finally {
+				tt.done();
+			}
+		}
+
+		/**
+		 * Execute a Prepared Statement on Object[] key
+		 * 
+		 * @param trans
+		 * @param text
+		 * @param objs
+		 * @return
+		 */
+		public Result<ResultSet> exec(TRANS trans, String text, Object ... objs) {
+			TimeTaken tt = trans.start(text, Env.REMOTE);
+			try {
+				return Result.ok(getSession(trans).execute(ps(trans).bind(objs)));
+			} catch (DriverException | APIException | IOException e) {
+				AbsCassDAO.this.reportPerhapsReset(trans,e);
+				return Result.err(Status.ERR_Backend,"%s-%s executing %s",e.getClass().getName(),e.getMessage(), cql);
+			} finally {
+				tt.done();
+			}
+		}
+
+		/**
+		 * Read the Data from Cassandra given a Prepared Statement (defined by the
+		 * DAO Instance)
+		 *
+		 * This is common behavior among all DAOs.
+		 * @throws DAOException
+		 */
+		public Result<List<DATA>> read(TRANS trans, String text, Object[] key) {
+			TimeTaken tt = trans.start(text,Env.REMOTE);
+			
+			ResultSet rs;
+			try {
+				rs = getSession(trans).execute(key==null?ps(trans):ps(trans).bind(key));
+/// TEST CODE for Exception				
+//				boolean force = true; 
+//				if(force) {
+//					Map<InetSocketAddress, Throwable> misa = new HashMap<InetSocketAddress,Throwable>();
+//					//misa.put(new InetSocketAddress(444),new Exception("no host was tried"));
+//					misa.put(new InetSocketAddress(444),new Exception("Connection has been closed"));
+//					throw new com.datastax.driver.core.exceptions.NoHostAvailableException(misa);
+////					throw new com.datastax.driver.core.exceptions.AuthenticationException(new InetSocketAddress(9999),"no host was tried");
+//				}
+//// END TEST CODE
+			} catch (DriverException | APIException | IOException e) {
+				AbsCassDAO.this.reportPerhapsReset(trans,e);
+				return Result.err(Status.ERR_Backend,"%s-%s executing %s",e.getClass().getName(),e.getMessage(), cql);
+			} finally {
+				tt.done();
+			}
+			
+			return extract(loader,rs,null /*let Array be created if necessary*/,dflt);
+		}
+		
+		public Result<List<DATA>> read(TRANS trans, String text, DATA data) {
+			return read(trans,text, loader.extract(data, size, crud));
+		}
+		
+		public Object[] keyFrom(DATA data) {
+			return loader.extract(data, size, CRUD.delete); // Delete is key only
+		}
+
+		/*
+		 * Note: in case PSInfos are deleted, we want to remove them from list.  This is not expected, 
+		 * but we don't want a data leak if it does.  Finalize doesn't have to happen quickly
+		 */
+		@Override
+		protected void finalize() throws Throwable {
+			psinfos.remove(this);
+		}
+	}
+
+	protected final Accept<DATA> dflt = new Accept<DATA>() {
+		@Override
+		public boolean ok(DATA data) {
+			return true;
+		}
+	};
+
+
+	@SuppressWarnings("unchecked")
+    protected final Result<List<DATA>> extract(Loader<DATA> loader, ResultSet rs, List<DATA> indata, Accept<DATA> accept) {
+		List<Row> rows = rs.all();
+		if(rows.isEmpty()) {
+			return Result.ok((List<DATA>)EMPTY); // Result sets now .emptyList(true);
+		} else {
+			DATA d;
+			List<DATA> data = indata==null?new ArrayList<DATA>(rows.size()):indata;
+			
+			for(Row row : rows) {
+				try {
+					d = loader.load(dataClass.newInstance(),row);
+					if(accept.ok(d)) {
+						data.add(d);
+					}
+				} catch(Exception e) {
+					return Result.err(e);
+				}
+			}
+			return Result.ok(data);
+		}
+    }
+    
+	private static final String NEW_CASSANDRA_SESSION_CREATED = "New Cassandra Session Created";
+	private static final String NEW_CASSANDRA_CLUSTER_OBJECT_CREATED = "New Cassandra Cluster Object Created";
+	private static final String NEW_CASSANDRA_SESSION = "New Cassandra Session";
+
+	private static class ResetRequest {
+		//package on purpose
+		Session session;
+		long timestamp;
+		
+		public ResetRequest(Session session) {
+			this.session = session;
+			timestamp = System.currentTimeMillis();
+		}
+	}
+
+	
+	public static final void primePSIs(TransStore trans) throws APIException, IOException {
+		for(AbsCassDAO<? extends TransStore, ?>.PSInfo psi : psinfos) {
+			if(psi.ps==null) {
+				psi.ps(trans);
+			}
+		}
+	}
+	
+	public final Session getSession(TransStore trans) throws APIException, IOException {
+		// SessionFilter unused since 2015
+		// Try to use Trans' session, if exists
+//		if(sessionSlot!=null) { // try to get from Trans
+//			Session sess = trans.get(sessionSlot, null);
+//			if(sess!=null) {
+//				return sess;
+//			}
+//		}
+		
+		// If there's an owning DAO, use it's session
+		if(owningDAO!=null) { 
+			return owningDAO.getSession(trans);
+		}
+		
+		// OK, nothing else works... get our own.
+		if(session==null || resetTrigger) {
+			Cluster tempCluster = null;
+			Session tempSession = null;
+			try {
+				synchronized(NEW_CASSANDRA_SESSION_CREATED) {
+					boolean reset = false;
+					for(ResetRequest r : resetDeque) {
+						if(r.session == session) {
+							if(r.timestamp>nextAvailableReset) {
+								reset=true;
+								nextAvailableReset = System.currentTimeMillis() + 60000;
+								tempCluster = cluster;
+								tempSession = session;
+								break;
+							} else {
+								trans.warn().log("Cassandra Connection Reset Ignored: Recent Reset");
+							}
+						}
+					}
+	
+					if(reset || session == null) {
+						TimeTaken tt = trans.start(NEW_CASSANDRA_SESSION, Env.SUB);
+						try {
+							// Note: Maitrayee recommended not closing the cluster, just
+							// overwrite it. Jonathan 9/30/2016 assuming same for Session
+							// This was a bad idea.  Ran out of File Handles as I suspected, Jonathan
+							if(reset) {
+								for(AbsCassDAO<? extends TransStore, ?>.PSInfo psi : psinfos) {
+									psi.reset();
+								}
+							}
+							if(reset || cluster==null) {
+								cluster = CassAccess.cluster(trans, keyspace);
+								trans.warn().log(NEW_CASSANDRA_CLUSTER_OBJECT_CREATED);
+							}
+							if(reset || session==null) {
+								session = cluster.connect(keyspace);
+								trans.warn().log(NEW_CASSANDRA_SESSION_CREATED);
+							}
+						} finally {
+							resetTrigger=false;
+							tt.done();
+						}
+					}
+				}
+			} finally {
+				TimeTaken tt = trans.start("Clear Reset Deque", Env.SUB);
+				try {
+					resetDeque.clear();
+					// Not clearing Session/Cluster appears to kill off FileHandles
+					if(tempSession!=null && !tempSession.isClosed()) {
+						tempSession.close();
+					}
+					if(tempCluster!=null && !tempCluster.isClosed()) {
+						tempCluster.close();
+					}
+				} finally {
+					tt.done();
+				}
+			}
+		}
+		return session;
+	}
+	
+	public final boolean reportPerhapsReset(TransStore trans, Exception e) {
+		if(owningDAO!=null) {
+			return owningDAO.reportPerhapsReset(trans, e);
+		} else {
+			boolean rv = false;
+			if(CassAccess.isResetException(e)) {
+				trans.warn().printf("Session Reset called for %s by %s ",session==null?"":session,e==null?"Mgmt Command":e.getClass().getName());
+				resetDeque.addFirst(new ResetRequest(session));
+				rv = resetTrigger = true;
+			} 
+			trans.error().log(e);
+			return rv;
+		}
+	}
+
+	public void close(TransStore trans) {
+		if(owningDAO==null) {
+			if(session!=null) {
+				TimeTaken tt = trans.start("Cassandra Session Close", Env.SUB);
+				try {
+					session.close();
+				} finally {
+					tt.done();
+				}
+				session = null;
+			} else {
+				trans.debug().log("close called(), Session already closed");
+			}
+		} else {
+			owningDAO.close(trans);
+		}
+	}
+
+	protected void wasModified(TRANS trans, CRUD modified, DATA data, String ... override) {
+	}
+	
+	protected interface Accept<DATA> {
+		public boolean ok(DATA data);
+	}
+
+}
+
+
+
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Bytification.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Bytification.java
new file mode 100644
index 00000000..279f399d
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Bytification.java
@@ -0,0 +1,30 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+
+public interface Bytification {
+	public ByteBuffer bytify() throws IOException;
+	public void reconstitute(ByteBuffer bb) throws IOException;
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/CIDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/CIDAO.java
new file mode 100644
index 00000000..83b13c34
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/CIDAO.java
@@ -0,0 +1,50 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao;
+
+import java.util.Date;
+
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.Trans;
+
+public interface CIDAO<TRANS extends Trans> {
+
+	/**
+	 * Touch the date field for given Table
+	 *  
+	 * @param trans
+	 * @param name
+	 * @return
+	 */
+	public abstract Result<Void> touch(TRANS trans, String name, int ... seg);
+
+	/**
+	 * Read all Info entries, and set local Date objects
+	 * 
+	 * This is to support regular data checks on the Database to speed up Caching behavior
+	 * 
+	 */
+	public abstract Result<Void> check(TRANS trans);
+
+	public abstract Date get(TRANS trans, String table, int seg);
+
+}
+\ No newline at end of file
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Cacheable.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Cacheable.java
new file mode 100644
index 00000000..d697b90e
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Cacheable.java
@@ -0,0 +1,34 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao;
+/**
+ * Interface to obtain Segment Integer from DAO Data
+ * for use in Caching mechanism
+ * 
+ * This should typically be obtained by getting the Hash of the key, then using modulus on the size of segment.
+ * 
+ * @author Jonathan
+ *
+ */
+public interface Cacheable {
+	public int[] invalidate(Cached<?,?> cache);
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Cached.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Cached.java
new file mode 100644
index 00000000..0797b041
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Cached.java
@@ -0,0 +1,199 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao;
+
+import java.util.Date;
+import java.util.List;
+import java.util.Map;
+import java.util.Timer;
+import java.util.TimerTask;
+
+import org.onap.aaf.auth.cache.Cache;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Trans;
+
+public class Cached<TRANS extends Trans, DATA extends Cacheable> extends Cache<TRANS,DATA> {
+	// Java does not allow creation of Arrays with Generics in them...
+	// private Map<String,Dated> cache[];
+	protected final CIDAO<TRANS> info;
+	
+	private static Timer infoTimer;
+	private Object cache[];
+	public final int segSize;
+
+	protected final String name;
+
+	private final long expireIn;
+	
+
+
+	// Taken from String Hash, but coded, to ensure consistent across Java versions.  Also covers negative case;
+	public int cacheIdx(String key) {
+		int h = 0;
+		for (int i = 0; i < key.length(); i++) {
+		    h = 31*h + key.charAt(i);
+		}
+		if(h<0)h*=-1;
+		return h%segSize;
+	}
+	
+	public Cached(CIDAO<TRANS> info, String name, int segSize, long expireIn) {
+		this.name =name;
+		this.segSize = segSize;
+		this.info = info;
+		this.expireIn = expireIn;
+		cache = new Object[segSize];
+		// Create a new Map for each Segment, and store locally
+		for(int i=0;i<segSize;++i) {
+			cache[i]=obtain(name+i);
+		}
+	}
+	
+	public void add(String key, List<DATA> data) {
+		@SuppressWarnings("unchecked")
+		Map<String,Dated> map = ((Map<String,Dated>)cache[cacheIdx(key)]);
+		map.put(key, new Dated(data, expireIn));
+	}
+
+
+	public int invalidate(String key)  {
+		int cacheIdx = cacheIdx(key);
+		@SuppressWarnings("unchecked")
+		Map<String,Dated> map = ((Map<String,Dated>)cache[cacheIdx]);
+//		if(map.remove(key)!=null) // Not seeming to remove all the time
+		if(map!=null)map.clear();
+//			System.err.println("Remove " + name + " " + key);
+		return cacheIdx;
+	}
+
+	public Result<Void> invalidate(int segment)  {
+		if(segment<0 || segment>=cache.length) return Result.err(Status.ERR_BadData,"Cache Segment %s is out of range",Integer.toString(segment));
+		@SuppressWarnings("unchecked")
+		Map<String,Dated> map = ((Map<String,Dated>)cache[segment]);
+		if(map!=null) {
+			map.clear();
+		}
+		return Result.ok();
+	}
+
+	protected interface Getter<D> {
+		public abstract Result<List<D>> get();
+	};
+	
+	// TODO utilize Segmented Caches, and fold "get" into "reads"
+	@SuppressWarnings("unchecked")
+	public Result<List<DATA>> get(TRANS trans, String key, Getter<DATA> getter) {
+		List<DATA> ld = null;
+		Result<List<DATA>> rld = null;
+		
+		int cacheIdx = cacheIdx(key);
+		Map<String, Dated> map = ((Map<String,Dated>)cache[cacheIdx]);
+		
+		// Check for saved element in cache
+		Dated cached = map.get(key);
+		// Note: These Segment Timestamps are kept up to date with DB
+		Date dbStamp = info.get(trans, name,cacheIdx);
+		
+		// Check for cache Entry and whether it is still good (a good Cache Entry is same or after DBEntry, so we use "before" syntax)
+		if(cached!=null && dbStamp.before(cached.timestamp)) {
+			ld = (List<DATA>)cached.data;
+			rld = Result.ok(ld);
+		} else {
+			rld = getter.get();
+			if(rld.isOK()) { // only store valid lists
+				map.put(key, new Dated(rld.value,expireIn));  // successful item found gets put in cache
+//			} else if(rld.status == Result.ERR_Backend){
+//				map.remove(key);
+			}
+		}
+		return rld;
+	}
+
+	/**
+	 * Each Cached object has multiple Segments that need cleaning.  Derive each, and add to Cleansing Thread
+	 * @param env
+	 * @param dao
+	 */
+	public static void startCleansing(AuthzEnv env, CachedDAO<?,?,?> ... dao) {
+		for(CachedDAO<?,?,?> d : dao) {  
+			for(int i=0;i<d.segSize;++i) {
+				startCleansing(env, d.table()+i);
+			}
+		}
+	}
+
+
+	public static<T extends Trans> void startRefresh(AuthzEnv env, CIDAO<AuthzTrans> cidao) {
+		if(infoTimer==null) {
+			infoTimer = new Timer("CachedDAO Info Refresh Timer");
+			int minRefresh = 10*1000*60; // 10 mins Integer.parseInt(env.getProperty(CACHE_MIN_REFRESH_INTERVAL,"2000")); // 2 second minimum refresh 
+			infoTimer.schedule(new Refresh(env,cidao, minRefresh), 1000, minRefresh); // note: Refresh from DB immediately
+		}
+	}
+	
+	public static void stopTimer() {
+		Cache.stopTimer();
+		if(infoTimer!=null) {
+			infoTimer.cancel();
+			infoTimer = null;
+		}
+	}
+	
+	private final static class Refresh extends TimerTask {
+		private static final int maxRefresh = 2*60*10000; // 20 mins
+		private AuthzEnv env;
+		private CIDAO<AuthzTrans> cidao;
+		private int minRefresh;
+		private long lastRun;
+		
+		public Refresh(AuthzEnv env, CIDAO<AuthzTrans> cidao, int minRefresh) {
+			this.env = env;
+			this.cidao = cidao;
+			this.minRefresh = minRefresh;
+			lastRun = System.currentTimeMillis()-maxRefresh-1000;
+		}
+		
+		@Override
+		public void run() {
+			// Evaluate whether to refresh based on transaction rate
+			long now = System.currentTimeMillis();
+			long interval = now-lastRun;
+
+			if(interval < minRefresh || interval < Math.min(env.transRate(),maxRefresh)) return;
+			lastRun = now;
+			AuthzTrans trans = env.newTransNoAvg();
+			Result<Void> rv = cidao.check(trans);
+			if(rv.status!=Result.OK) {
+				env.error().log("Error in CacheInfo Refresh",rv.details);
+			}
+			if(env.debug().isLoggable()) {
+				StringBuilder sb = new StringBuilder("Cache Info Refresh: ");
+				trans.auditTrail(0, sb, Env.REMOTE);
+				env.debug().log(sb);
+			}
+		}
+	}
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/CachedDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/CachedDAO.java
new file mode 100644
index 00000000..017f8780
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/CachedDAO.java
@@ -0,0 +1,228 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.Trans;
+
+/**
+ * CachedDAO
+ * 
+ * Cache the response of "get" of any DAO.  
+ * 
+ * For simplicity's sake, at this time, we only do this for single Object keys  
+ * 
+ * @author Jonathan
+ *
+ * @param <DATA>
+ */
+public class CachedDAO<TRANS extends Trans,D extends DAO<TRANS,DATA>,DATA extends Cacheable> 
+		extends Cached<TRANS,DATA> implements DAO_RO<TRANS,DATA>{
+//	private final String dirty_str; 
+	
+	private final D dao;
+
+	public CachedDAO(D dao, CIDAO<TRANS> info, int segsize, long expireIn) {
+		super(info, dao.table(), segsize, expireIn);
+		
+		// Instantiate a new Cache per DAO name (so separate instances use the same cache) 
+		this.dao = dao;
+		//read_str = "Cached READ for " + dao.table();
+//		dirty_str = "Cache DIRTY on " + dao.table();
+		if(dao instanceof CassDAOImpl) {
+			((CassDAOImpl<?,?>)dao).cache = this;
+		}
+	}
+	
+	public static<T extends Trans, DA extends DAO<T,DT>, DT extends Cacheable> 
+			CachedDAO<T,DA,DT> create(DA dao, CIDAO<T> info, int segsize, long expireIn) {
+		return new CachedDAO<T,DA,DT>(dao,info, segsize, expireIn);
+	}
+
+	public void add(DATA data)  {
+		String key = keyFromObjs(dao.keyFrom(data));
+		List<DATA> list = new ArrayList<DATA>();
+		list.add(data);
+		super.add(key,list);
+	}
+	
+//	public void invalidate(TRANS trans, Object ... objs)  {
+//		TimeTaken tt = trans.start(dirty_str, Env.SUB);
+//		try {
+//			super.invalidate(keyFromObjs(objs));
+//		} finally {
+//			tt.done();
+//		}
+//	}
+
+	public static String keyFromObjs(Object ... objs) {
+		String key;
+		if(objs.length==1 && objs[0] instanceof String) {
+			key = (String)objs[0];
+		} else {
+			StringBuilder sb = new StringBuilder();
+			boolean first = true;
+			for(Object o : objs) {
+				if(o!=null) {
+					if(first) {
+					    first =false;
+					} else {
+					    sb.append('|');
+					}
+					sb.append(o.toString());
+				}
+			}
+			key = sb.toString();
+		}
+		return key;
+	}
+
+	public Result<DATA> create(TRANS trans, DATA data) {
+		Result<DATA> d = dao.create(trans,data);
+		if(d.status==Status.OK) {
+		    add(d.value);
+		} else {
+			trans.error().log(d.errorString());
+		}
+		// dao.create already modifies cache. Do not invalidate again. invalidate(trans,data);
+		return d;
+	}
+
+	protected class DAOGetter implements Getter<DATA> {
+		protected TRANS trans;
+		protected Object objs[];
+		protected D dao;
+		public Result<List<DATA>> result;
+
+		public DAOGetter(TRANS trans, D dao, Object ... objs) {
+			this.trans = trans;
+			this.dao = dao;
+			this.objs = objs;
+		}
+		
+		/**
+		 * Separated into single call for easy overloading
+		 * @return
+		 */
+		public Result<List<DATA>> call() {
+			return dao.read(trans, objs);
+		}
+		
+		@Override
+		public final Result<List<DATA>> get() {
+			return call();
+//			if(result.isOKhasData()) { // Note, given above logic, could exist, but stale
+//				return result.value;
+//			} else {
+//				return null;
+//			}
+		}
+	}
+
+	@Override
+	public Result<List<DATA>> read(final TRANS trans, final Object ... objs) {
+		DAOGetter getter = new DAOGetter(trans,dao,objs); 
+		return get(trans, keyFromObjs(objs),getter);
+//		if(ld!=null) {
+//			return Result.ok(ld);//.emptyList(ld.isEmpty());
+//		}
+//		// Result Result if exists
+//		if(getter.result==null) {
+//			return Result.err(Status.ERR_NotFound, "No Cache or Lookup found on [%s]",dao.table());
+//		}
+//		return getter.result;
+	}
+
+	// Slight Improved performance available when String and Obj versions are known. 
+	public Result<List<DATA>> read(final String key, final TRANS trans, final Object[] objs) {
+		DAOGetter getter = new DAOGetter(trans,dao,objs); 
+		return get(trans, key, getter);
+//		if(ld!=null) {
+//			return Result.ok(ld);//.emptyList(ld.isEmpty());
+//		}
+//		// Result Result if exists
+//		if(getter.result==null) {
+//			return Result.err(Status.ERR_NotFound, "No Cache or Lookup found on [%s]",dao.table());
+//		}
+//		return getter.result;
+	}
+	
+	@Override
+	public Result<List<DATA>> read(TRANS trans, DATA data) {
+		return read(trans,dao.keyFrom(data));
+	}
+	public Result<Void> update(TRANS trans, DATA data) {
+		Result<Void> d = dao.update(trans, data);
+		if(d.status==Status.OK) {
+		    add(data);
+		} else {
+			trans.error().log(d.errorString());
+		}
+		return d;
+	}
+
+	public Result<Void> delete(TRANS trans, DATA data, boolean reread) {
+		if(reread) { // If reread, get from Cache, if possible, not DB exclusively
+			Result<List<DATA>> rd = read(trans,data);
+			if(rd.notOK()) {
+			    return Result.err(rd);
+//			} else {
+//				trans.error().log(rd.errorString());
+			}
+			if(rd.isEmpty()) {
+				data.invalidate(this);
+				return Result.err(Status.ERR_NotFound,"Not Found");
+			}
+			data = rd.value.get(0);
+		}
+		Result<Void> rv=dao.delete(trans, data, false);
+		data.invalidate(this);
+		return rv;
+	}
+	
+	@Override
+	public void close(TRANS trans) {
+		if(dao!=null) {
+		    dao.close(trans);
+		}
+	}
+	
+
+	@Override
+	public String table() {
+		return dao.table();
+	}
+	
+	public D dao() {
+		return dao;
+	}
+	
+	public void invalidate(TRANS trans, DATA data) {
+        if(info.touch(trans, dao.table(),data.invalidate(this)).notOK()) {
+	    trans.error().log("Cannot touch CacheInfo for Role");
+	}
+	}
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/CassAccess.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/CassAccess.java
new file mode 100644
index 00000000..e70bffb7
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/CassAccess.java
@@ -0,0 +1,223 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.routing.GreatCircle;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.util.Split;
+
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.Cluster.Builder;
+import com.datastax.driver.core.policies.DCAwareRoundRobinPolicy;
+import com.datastax.driver.core.policies.TokenAwarePolicy;
+
+public class CassAccess {
+	public static final String KEYSPACE = "authz";
+	public static final String CASSANDRA_CLUSTERS = "cassandra.clusters";
+	public static final String CASSANDRA_CLUSTERS_PORT = "cassandra.clusters.port";
+	public static final String CASSANDRA_CLUSTERS_USER_NAME = "cassandra.clusters.user";
+	public static final String CASSANDRA_CLUSTERS_PASSWORD = "cassandra.clusters.password";
+	public static final String CASSANDRA_RESET_EXCEPTIONS = "cassandra.reset.exceptions";
+	private static final List<Resettable> resetExceptions = new ArrayList<Resettable>();
+	public static final String ERR_ACCESS_MSG = "Accessing Backend";
+	private static Builder cb = null;
+
+	/**
+	 * To create DCAwareRoundRobing Policy:
+	 * 	 Need Properties
+	 * 		LATITUDE (or AFT_LATITUDE)
+	 * 		LONGITUDE (or AFT_LONGITUDE)
+	 * 		CASSANDRA CLUSTERS with additional information:
+	 * 			machine:DC:lat:long,machine:DC:lat:long
+	 * @param env
+	 * @param prefix
+	 * @return
+	 * @throws APIException
+	 * @throws IOException
+	 */
+
+//	@SuppressWarnings("deprecation")
+	public static synchronized Cluster cluster(Env env, String prefix) throws APIException, IOException {
+		if(cb == null) {
+			String pre;
+			if(prefix==null) {
+				pre="";
+			} else {
+				env.info().log("Cassandra Connection for ",prefix);
+				pre = prefix+'.';
+			}
+			cb = Cluster.builder();
+			String str = env.getProperty(pre+CASSANDRA_CLUSTERS_PORT,env.getProperty(CASSANDRA_CLUSTERS_PORT,"9042"));
+			if(str!=null) {
+				env.init().log("Cass Port = ",str );
+				cb.withPort(Integer.parseInt(str));
+			}
+			str = env.getProperty(pre+CASSANDRA_CLUSTERS_USER_NAME,env.getProperty(CASSANDRA_CLUSTERS_USER_NAME,null));
+			if(str!=null) {
+				env.init().log("Cass User = ",str );
+				String epass = env.getProperty(pre + CASSANDRA_CLUSTERS_PASSWORD,env.getProperty(CASSANDRA_CLUSTERS_PASSWORD,null));
+				if(epass==null) {
+					throw new APIException("No Password configured for " + str);
+				}
+				//TODO Figure out way to ensure Decryptor setting in AuthzEnv
+				if(env instanceof AuthzEnv) {
+					cb.withCredentials(str,((AuthzEnv)env).decrypt(epass,true));
+				} else {
+					cb.withCredentials(str, env.decryptor().decrypt(epass));
+				}
+			}
+	
+			str = env.getProperty(pre+CASSANDRA_RESET_EXCEPTIONS,env.getProperty(CASSANDRA_RESET_EXCEPTIONS,null));
+			if(str!=null) {
+				env.init().log("Cass ResetExceptions = ",str );
+				for(String ex : Split.split(',', str)) {
+					resetExceptions.add(new Resettable(env,ex));
+				}
+			}
+	
+			str = env.getProperty(Config.CADI_LATITUDE);
+			Double lat = str!=null?Double.parseDouble(str):null;
+			str = env.getProperty(Config.CADI_LONGITUDE);
+			Double lon = str!=null?Double.parseDouble(str):null;
+			if(lat == null || lon == null) {
+				throw new APIException(Config.CADI_LATITUDE + " and/or " + Config.CADI_LONGITUDE + " are not set");
+			}
+			
+			env.init().printf("Service Latitude,Longitude = %f,%f",lat,lon);
+			
+			str = env.getProperty(pre+CASSANDRA_CLUSTERS,env.getProperty(CASSANDRA_CLUSTERS,"localhost"));
+			env.init().log("Cass Clusters = ",str );
+			String[] machs = Split.split(',', str);
+			String[] cpoints = new String[machs.length];
+			String bestDC = null;
+			int numInBestDC = 1;
+			double mlat, mlon,temp,distance = Double.MAX_VALUE;
+			for(int i=0;i<machs.length;++i) {
+				String[] minfo = Split.split(':',machs[i]);
+				if(minfo.length>0) {
+					cpoints[i]=minfo[0];
+				}
+				
+				if(minfo.length>3) {
+					if(minfo[1].equals(bestDC)) {
+						++numInBestDC;
+					} else {
+						// Calc closest DC with Great Circle
+						mlat = Double.parseDouble(minfo[2]);
+						mlon = Double.parseDouble(minfo[3]);
+						// Note: GreatCircle Distance is always >= 0.0 (not negative)
+						if((temp=GreatCircle.calc(lat, lon, mlat, mlon)) < distance) {
+							distance = temp;
+							if(bestDC==null || !bestDC.equals(minfo[1])) {
+								bestDC = minfo[1];
+								numInBestDC = 1;
+							}
+						}
+					}
+				}
+			}
+			
+			cb.addContactPoints(cpoints);
+			
+			if(bestDC!=null) {
+				// 8/26/2016 Management has determined that Accuracy is preferred over speed in bad situations
+				// Local DC Aware Load Balancing appears to have the highest normal performance, with the best
+				// Degraded Accuracy
+				DCAwareRoundRobinPolicy dcrrPolicy = DCAwareRoundRobinPolicy.builder()
+					.withLocalDc(bestDC)
+					.withUsedHostsPerRemoteDc(numInBestDC)
+					.build();
+//				cb.withLoadBalancingPolicy(new DCAwareRoundRobinPolicy(
+//						bestDC, numInBestDC, true /*allow LocalDC to look at other DCs for LOCAL_QUORUM */));
+				cb.withLoadBalancingPolicy(new TokenAwarePolicy(dcrrPolicy));
+				env.init().printf("Cassandra configured for DCAwareRoundRobinPolicy with best DC at %s with emergency remote of up to %d node(s)"
+					,bestDC, numInBestDC);
+			} else {
+				env.init().printf("Cassandra is using Default Policy, which is not DC aware");
+			}
+		}
+		return cb.build();
+	}
+	
+	private static class Resettable {
+		private Class<? extends Exception> cls;
+		private List<String> messages;
+		
+		@SuppressWarnings("unchecked")
+		public Resettable(Env env, String propData) throws APIException {
+			if(propData!=null && propData.length()>1) {
+				String[] split = Split.split(':', propData);
+				if(split.length>0) {
+					try {
+						cls = (Class<? extends Exception>)Class.forName(split[0]);
+					} catch (ClassNotFoundException e) {
+						throw new APIException("Declared Cassandra Reset Exception, " + propData + ", cannot be ClassLoaded");
+					}
+				}
+				if(split.length>1) {
+					messages=new ArrayList<String>();
+					for(int i=1;i<split.length;++i) {
+						String str = split[i];
+						int start = str.startsWith("\"")?1:0;
+						int end = str.length()-(str.endsWith("\"")?1:0);
+						messages.add(split[i].substring(start, end));
+					}
+				} else {
+					messages = null;
+				}
+			}
+		}
+		
+		public boolean matches(Exception ex) {
+			if(ex.getClass().equals(cls)) {
+				if(messages!=null) {
+					String msg = ex.getMessage();
+					for(String m : messages) {
+						if(msg.contains(m)) {
+							return true;
+						}
+					}
+				}
+			}
+			return false;
+		}
+	}
+	
+	public static final boolean isResetException(Exception e) {
+		if(e==null) {
+			return true;
+		}
+		for(Resettable re : resetExceptions) {
+			if(re.matches(e)) {
+				return true;
+			}
+		}
+		return false;
+	}
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/CassDAOImpl.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/CassDAOImpl.java
new file mode 100644
index 00000000..bd6d0863
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/CassDAOImpl.java
@@ -0,0 +1,348 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao;
+
+import java.io.ByteArrayInputStream;
+import java.io.DataInputStream;
+import java.lang.reflect.Field;
+import java.nio.ByteBuffer;
+import java.util.List;
+
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.TransStore;
+
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.ConsistencyLevel;
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.ResultSetFuture;
+
+/**
+ * AbsCassDAO
+ *
+ * Deal with the essentials of Interaction with Cassandra DataStore for all Cassandra DAOs
+ *
+ * @author Jonathan
+ *
+ * @param <DATA>
+ */
+public class CassDAOImpl<TRANS extends TransStore,DATA> extends AbsCassDAO<TRANS, DATA> implements DAO<TRANS,DATA> {
+	public static final String USER_NAME = "__USER_NAME__";
+	protected static final String CREATE_SP = "CREATE ";
+	protected static final String UPDATE_SP = "UPDATE ";
+	protected static final String DELETE_SP = "DELETE ";
+	protected static final String SELECT_SP = "SELECT ";
+
+	protected final String C_TEXT = getClass().getSimpleName() + " CREATE";
+	protected final String R_TEXT = getClass().getSimpleName() + " READ";
+	protected final String U_TEXT = getClass().getSimpleName() + " UPDATE";
+	protected final String D_TEXT = getClass().getSimpleName() + " DELETE";
+	private String table;
+	
+	protected final ConsistencyLevel readConsistency,writeConsistency;
+	
+	// Setteable only by CachedDAO
+	protected Cached<?, ?> cache;
+
+	/**
+	 * A Constructor from the originating Cluster.  This DAO will open the Session at need,
+	 * and shutdown the session when "close()" is called.
+	 *
+	 * @param cluster
+	 * @param keyspace
+	 * @param dataClass
+	 */
+	public CassDAOImpl(TRANS trans, String name, Cluster cluster, String keyspace, Class<DATA> dataClass, String table, ConsistencyLevel read, ConsistencyLevel write) {
+		super(trans, name, cluster,keyspace,dataClass);
+		this.table = table;
+		readConsistency = read;
+		writeConsistency = write;
+	}
+	
+	/**
+	 * A Constructor to share Session with other DAOs.
+	 *
+	 * This method get the Session and Cluster information from the calling DAO, and won't
+	 * touch the Session on closure.
+	 *
+	 * @param aDao
+	 * @param dataClass
+	 */
+	public CassDAOImpl(TRANS trans, String name, AbsCassDAO<TRANS,?> aDao, Class<DATA> dataClass, String table, ConsistencyLevel read, ConsistencyLevel write) {
+		super(trans, name, aDao,dataClass);
+		this.table = table;
+		readConsistency = read;
+		writeConsistency = write;
+	}
+
+	protected PSInfo createPS;
+	protected PSInfo readPS;
+	protected PSInfo updatePS;
+	protected PSInfo deletePS;
+	protected boolean async=false;
+
+	public void async(boolean bool) {
+		async = bool;
+	}
+
+	public final String[] setCRUD(TRANS trans, String table, Class<?> dc,Loader<DATA> loader) {
+		return setCRUD(trans, table, dc, loader, -1);
+	}
+	
+	public final String[] setCRUD(TRANS trans, String table, Class<?> dc,Loader<DATA> loader, int max) {
+				Field[] fields = dc.getDeclaredFields();
+				int end = max>=0 & max<fields.length?max:fields.length;
+				// get keylimit from a non-null Loader
+				int keylimit = loader.keylimit();
+			
+				StringBuilder sbfc = new StringBuilder();
+				StringBuilder sbq = new StringBuilder();
+				StringBuilder sbwc = new StringBuilder();
+				StringBuilder sbup = new StringBuilder();
+			
+				if(keylimit>0) {
+					for(int i=0;i<end;++i) {
+						if(i>0) {
+							sbfc.append(',');
+							sbq.append(',');
+							if(i<keylimit) {
+								sbwc.append(" AND ");
+							}
+						}
+						sbfc.append(fields[i].getName());
+						sbq.append('?');
+						if(i>=keylimit) {
+							if(i>keylimit) {
+								sbup.append(',');
+							}
+							sbup.append(fields[i].getName());
+							sbup.append("=?");
+						}
+						if(i<keylimit) {
+							sbwc.append(fields[i].getName());
+							sbwc.append("=?");
+						}
+					}
+			
+					createPS = new PSInfo(trans, "INSERT INTO " + table + " ("+ sbfc +") VALUES ("+ sbq +");",loader,writeConsistency);
+			
+					readPS = new PSInfo(trans, "SELECT " + sbfc + " FROM " + table + " WHERE " + sbwc + ';',loader,readConsistency);
+			
+					// Note: UPDATES can't compile if there are no fields besides keys... Use "Insert"
+					if(sbup.length()==0) {
+						updatePS = createPS; // the same as an insert
+					} else {
+						updatePS = new PSInfo(trans, "UPDATE " + table + " SET " + sbup + " WHERE " + sbwc + ';',loader,writeConsistency);
+					}
+			
+					deletePS = new PSInfo(trans, "DELETE FROM " + table + " WHERE " + sbwc + ';',loader,writeConsistency);
+				}
+				return new String[] {sbfc.toString(), sbq.toString(), sbup.toString(), sbwc.toString()};
+			}
+
+	public void replace(CRUD crud, PSInfo psInfo) {
+		switch(crud) {
+			case create: createPS = psInfo; break;
+			case read:   readPS = psInfo; break;
+			case update: updatePS = psInfo; break;
+			case delete: deletePS = psInfo; break;
+		}
+	}
+
+	public void disable(CRUD crud) {
+		switch(crud) {
+			case create: createPS = null; break;
+			case read:   readPS = null; break;
+			case update: updatePS = null; break;
+			case delete: deletePS = null; break;
+		}
+	}
+
+	
+	/**
+	 * Given a DATA object, extract the individual elements from the Data into an Object Array for the
+	 * execute element.
+	 */
+	public Result<DATA> create(TRANS trans, DATA data)  {
+		if(createPS==null) {
+			Result.err(Result.ERR_NotImplemented,"Create is disabled for %s",getClass().getSimpleName());
+		}
+		if(async) /*ResultSetFuture */ {
+			Result<ResultSetFuture> rs = createPS.execAsync(trans, C_TEXT, data);
+			if(rs.notOK()) {
+				return Result.err(rs);
+			}
+		} else {
+			Result<ResultSet> rs = createPS.exec(trans, C_TEXT, data);
+			if(rs.notOK()) {
+				return Result.err(rs);
+			}
+		}
+		wasModified(trans, CRUD.create, data);
+		return Result.ok(data);
+	}
+
+	/**
+	 * Read the Unique Row associated with Full Keys
+	 */
+	public Result<List<DATA>> read(TRANS trans, DATA data) {
+		if(readPS==null) {
+			Result.err(Result.ERR_NotImplemented,"Read is disabled for %s",getClass().getSimpleName());
+		}
+		return readPS.read(trans, R_TEXT, data);
+	}
+
+	public Result<List<DATA>> read(TRANS trans, Object ... key) {
+		if(readPS==null) {
+			Result.err(Result.ERR_NotImplemented,"Read is disabled for %s",getClass().getSimpleName());
+		}
+		return readPS.read(trans, R_TEXT, key);
+	}
+	
+	public Result<DATA> readPrimKey(TRANS trans, Object ... key) {
+		if(readPS==null) {
+			Result.err(Result.ERR_NotImplemented,"Read is disabled for %s",getClass().getSimpleName());
+		}
+		Result<List<DATA>> rld = readPS.read(trans, R_TEXT, key);
+		if(rld.isOK()) {
+			if(rld.isEmpty()) {
+				return Result.err(Result.ERR_NotFound,rld.details);
+			} else {
+				return Result.ok(rld.value.get(0));
+			}
+		} else {
+			return Result.err(rld);
+		}
+	}
+
+	public Result<Void> update(TRANS trans, DATA data) {
+		return update(trans, data, async);
+	}
+
+	public Result<Void> update(TRANS trans, DATA data, boolean async) {
+		if(updatePS==null) {
+			Result.err(Result.ERR_NotImplemented,"Update is disabled for %s",getClass().getSimpleName());
+		}
+		if(async)/* ResultSet rs =*/ {
+			Result<ResultSetFuture> rs = updatePS.execAsync(trans, U_TEXT, data);
+			if(rs.notOK()) {
+				return Result.err(rs);
+			}
+		} else {
+			Result<ResultSet> rs = updatePS.exec(trans, U_TEXT, data);
+			if(rs.notOK()) {
+				return Result.err(rs);
+			}
+		}
+		
+		wasModified(trans, CRUD.update, data);
+		return Result.ok();
+	}
+
+	// This method Sig for Cached...
+	public Result<Void> delete(TRANS trans, DATA data, boolean reread) {
+		if(deletePS==null) {
+			Result.err(Result.ERR_NotImplemented,"Delete is disabled for %s",getClass().getSimpleName());
+		}
+		// Since Deleting will be stored off, for possible re-constitution, need the whole thing
+		if(reread) {
+			Result<List<DATA>> rd = read(trans,data);
+			if(rd.notOK()) {
+				return Result.err(rd);
+			}
+			if(rd.isEmpty()) {
+				return Result.err(Status.ERR_NotFound,"Not Found");
+			}
+			for(DATA d : rd.value) { 
+				if(async) {
+					Result<ResultSetFuture> rs = deletePS.execAsync(trans, D_TEXT, d);
+					if(rs.notOK()) {
+						return Result.err(rs);
+					}
+				} else {
+					Result<ResultSet> rs = deletePS.exec(trans, D_TEXT, d);
+					if(rs.notOK()) {
+						return Result.err(rs);
+					}
+				}
+				wasModified(trans, CRUD.delete, d);
+			}
+		} else {
+			if(async)/* ResultSet rs =*/ {
+				Result<ResultSetFuture> rs = deletePS.execAsync(trans, D_TEXT, data);
+				if(rs.notOK()) {
+					return Result.err(rs);
+				}
+			} else {
+				Result<ResultSet> rs = deletePS.exec(trans, D_TEXT, data);
+				if(rs.notOK()) {
+					return Result.err(rs);
+				}
+			}
+			wasModified(trans, CRUD.delete, data);
+		}
+		return Result.ok();
+	}
+	
+	public final Object[] keyFrom(DATA data) {
+		return createPS.keyFrom(data);
+	}
+
+	@Override
+	public String table() {
+		return table;
+	}
+	
+	public static final String CASS_READ_CONSISTENCY="cassandra.readConsistency";
+	public static final String CASS_WRITE_CONSISTENCY="cassandra.writeConsistency";
+	protected static ConsistencyLevel readConsistency(AuthzTrans trans, String table) {
+		String prop = trans.getProperty(CASS_READ_CONSISTENCY+'.'+table);
+		if(prop==null) {
+			prop = trans.getProperty(CASS_READ_CONSISTENCY);
+			if(prop==null) {
+				return ConsistencyLevel.ONE; // this is Cassandra Default
+			}
+		}
+		return ConsistencyLevel.valueOf(prop);
+	}
+
+	protected static ConsistencyLevel writeConsistency(AuthzTrans trans, String table) {
+		String prop = trans.getProperty(CASS_WRITE_CONSISTENCY+'.'+table);
+		if(prop==null) {
+			prop = trans.getProperty(CASS_WRITE_CONSISTENCY);
+			if(prop==null) {
+				return ConsistencyLevel.ONE; // this is Cassandra Default\
+			}
+		}
+		return ConsistencyLevel.valueOf(prop);
+	}
+
+	public static DataInputStream toDIS(ByteBuffer bb) {
+		byte[] b = bb.array();
+		return new DataInputStream(
+			new ByteArrayInputStream(b,bb.position(),bb.limit())
+		);
+	}
+
+
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/DAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/DAO.java
new file mode 100644
index 00000000..70db430e
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/DAO.java
@@ -0,0 +1,44 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao;
+
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.Trans;
+
+
+/**
+ * DataAccessObject Interface
+ *
+ * Extend the ReadOnly form (for Get), and add manipulation methods
+ *
+ * @author Jonathan
+ *
+ * @param <DATA>
+ */
+public interface DAO<TRANS extends Trans,DATA> extends DAO_RO<TRANS,DATA> {
+	public Result<DATA> create(TRANS trans, DATA data);
+	public Result<Void> update(TRANS trans, DATA data);
+	// In many cases, the data has been correctly read first, so we shouldn't read again
+	// Use reread=true if you are using DATA with only a Key
+	public Result<Void> delete(TRANS trans, DATA data, boolean reread);
+	public Object[] keyFrom(DATA data);
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/DAOException.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/DAOException.java
new file mode 100644
index 00000000..207576e4
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/DAOException.java
@@ -0,0 +1,51 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao;
+
+public class DAOException extends Exception {
+
+	/**
+	 * 
+	 */
+	private static final long serialVersionUID = 1527904125585539823L;
+
+//    // TODO -   enum in result class == is our intended design, currently the DAO layer does not use Result<RV> so we still use these for now
+//    public final static DAOException RoleNotFoundDAOException = new DAOException("RoleNotFound");
+//    public final static DAOException PermissionNotFoundDAOException = new DAOException("PermissionNotFound");
+//    public final static DAOException UserNotFoundDAOException = new DAOException("UserNotFound");
+
+    public DAOException() {
+	}
+
+	public DAOException(String message) {
+		super(message);
+	}
+
+	public DAOException(Throwable cause) {
+		super(cause);
+	}
+
+	public DAOException(String message, Throwable cause) {
+		super(message, cause);
+	}
+
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/DAO_RO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/DAO_RO.java
new file mode 100644
index 00000000..4bffb5f3
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/DAO_RO.java
@@ -0,0 +1,70 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao;
+
+import java.util.List;
+
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.Trans;
+
+/**
+ * DataAccessObject - ReadOnly
+ * 
+ * It is useful to have a ReadOnly part of the interface for CachedDAO
+ * 
+ * Normal DAOs will implement full DAO
+ * 
+ * @author Jonathan
+ *
+ * @param <DATA>
+ */
+public interface DAO_RO<TRANS extends Trans,DATA> {
+	/**
+	 * Get a List of Data given Key of Object Array
+	 * @param objs
+	 * @return
+	 * @throws DAOException
+	 */
+	public Result<List<DATA>> read(TRANS trans, Object ... key);
+
+	/**
+	 * Get a List of Data given Key of DATA Object
+	 * @param trans
+	 * @param key
+	 * @return
+	 * @throws DAOException
+	 */
+	public Result<List<DATA>> read(TRANS trans, DATA key);
+
+	/**
+	 * close DAO
+	 */
+	public void close(TRANS trans);
+
+	/**
+	 * Return name of referenced Data
+	 * @return
+	 */
+	public String table();
+
+
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Loader.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Loader.java
new file mode 100644
index 00000000..485eabc6
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Loader.java
@@ -0,0 +1,214 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao;
+
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.Set;
+
+import com.datastax.driver.core.Row;
+
+public abstract class Loader<DATA> {
+	private int keylimit;
+	public Loader(int keylimit) {
+		this.keylimit = keylimit;
+	}
+	
+	public int keylimit() {
+		return keylimit;
+	}
+	
+	protected abstract DATA load(DATA data, Row row);
+	protected abstract void key(DATA data, int idx, Object[] obj);
+	protected abstract void body(DATA data, int idx, Object[] obj);
+
+	public final Object[] extract(DATA data, int size, CassDAOImpl.CRUD type) {
+		Object[] rv=null;
+		switch(type) {
+			case delete:
+				rv = new Object[keylimit()];
+				key(data,0,rv);
+				break;
+			case update:
+				rv = new Object[size];
+				body(data,0,rv);
+				int body = size-keylimit();
+				if(body>0) {
+				    key(data,body,rv);
+				}
+				break;
+			default:
+				rv = new Object[size];
+				key(data,0,rv);
+				if(size>keylimit()) {
+				    body(data,keylimit(),rv);
+				}
+				break;
+		}
+		return rv;
+	}
+	
+	public static void writeString(DataOutputStream os, String s) throws IOException {
+		if(s==null) {
+			os.writeInt(-1);
+		} else {
+			switch(s.length()) {
+				case 0:
+					os.writeInt(0);
+					break;
+				default:
+					byte[] bytes = s.getBytes();
+					os.writeInt(bytes.length);
+					os.write(bytes);
+			}
+		}
+	}
+	
+	
+	/**
+	 * We use bytes here to set a Maximum
+	 * 
+	 * @param is
+	 * @param MAX
+	 * @return
+	 * @throws IOException
+	 */
+	public static String readString(DataInputStream is, byte[] _buff) throws IOException {
+		int l = is.readInt();
+		byte[] buff = _buff;
+		switch(l) {
+			case -1: return null;
+			case  0: return "";
+			default:
+				// Cover case where there is a large string, without always allocating a large buffer.
+				if(l>buff.length) {
+				    buff = new byte[l];
+				}
+				is.read(buff,0,l);
+				return new String(buff,0,l);
+		}
+	}
+
+	/**
+	 * Write a set with proper sizing
+	 * 
+	 * Note: at the moment, this is just String.  Probably can develop system where types
+	 * are supported too... but not now.
+	 * 
+	 * @param os
+	 * @param set
+	 * @throws IOException
+	 */
+	public static void writeStringSet(DataOutputStream os, Collection<String> set) throws IOException {
+		if(set==null) {
+			os.writeInt(-1);
+		} else {
+			os.writeInt(set.size());
+			for(String s : set) {
+				writeString(os, s);
+			}
+		}
+
+	}
+	
+	public static Set<String> readStringSet(DataInputStream is, byte[] buff) throws IOException {
+		int l = is.readInt();
+		if(l<0) {
+		    return null;
+		}
+		Set<String> set = new HashSet<String>(l);
+		for(int i=0;i<l;++i) {
+			set.add(readString(is,buff));
+		}
+		return set;
+	}
+	
+	public static List<String> readStringList(DataInputStream is, byte[] buff) throws IOException {
+		int l = is.readInt();
+		if(l<0) {
+		    return null;
+		}
+		List<String> list = new ArrayList<String>(l);
+		for(int i=0;i<l;++i) {
+			list.add(Loader.readString(is,buff));
+		}
+		return list;
+	}
+
+	/** 
+	 * Write a map
+	 * @param os
+	 * @param map
+	 * @throws IOException
+	 */
+	public static void writeStringMap(DataOutputStream os, Map<String,String> map) throws IOException {
+		if(map==null) {
+			os.writeInt(-1);
+		} else {
+			Set<Entry<String, String>> es = map.entrySet();
+			os.writeInt(es.size());
+			for(Entry<String,String> e : es) {
+				writeString(os, e.getKey());
+				writeString(os, e.getValue());
+			}
+		}
+
+	}
+
+	public static Map<String,String> readStringMap(DataInputStream is, byte[] buff) throws IOException {
+		int l = is.readInt();
+		if(l<0) {
+		    return null;
+		}
+		Map<String,String> map = new HashMap<String,String>(l);
+		for(int i=0;i<l;++i) {
+			String key = readString(is,buff);
+			map.put(key,readString(is,buff));
+		}
+		return map;
+	}
+	public static void writeHeader(DataOutputStream os, int magic, int version) throws IOException {
+		os.writeInt(magic);
+		os.writeInt(version);
+	}
+	
+	public static int readHeader(DataInputStream is, final int magic, final int version) throws IOException {
+		if(is.readInt()!=magic) {
+		    throw new IOException("Corrupted Data Stream");
+		}
+		int v = is.readInt();
+		if(version<0 || v>version) {
+		    throw new IOException("Unsupported Data Version: " + v);
+		}
+		return v;
+	}
+
+}
+
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Streamer.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Streamer.java
new file mode 100644
index 00000000..c40d74fa
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Streamer.java
@@ -0,0 +1,31 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao;
+
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+
+public interface Streamer<DATA> {
+	public abstract void marshal(DATA data, DataOutputStream os) throws IOException;
+	public abstract void unmarshal(DATA data, DataInputStream is) throws IOException;
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Touchable.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Touchable.java
new file mode 100644
index 00000000..c00c1048
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Touchable.java
@@ -0,0 +1,26 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao;
+
+public interface Touchable {
+	 // Or make all DAOs accept list of CIDAOs...
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedCertDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedCertDAO.java
new file mode 100644
index 00000000..9526bf28
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedCertDAO.java
@@ -0,0 +1,54 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cached;
+
+import java.util.List;
+
+import org.onap.aaf.auth.dao.CIDAO;
+import org.onap.aaf.auth.dao.CachedDAO;
+import org.onap.aaf.auth.dao.cass.CertDAO;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+
+public class CachedCertDAO extends CachedDAO<AuthzTrans, CertDAO, CertDAO.Data> {
+	public CachedCertDAO(CertDAO dao, CIDAO<AuthzTrans> info, long expiresIn) {
+		super(dao, info, CertDAO.CACHE_SEG, expiresIn);
+	}
+	
+	/**
+	 * Pass through Cert ID Lookup
+	 * 
+	 * @param trans
+	 * @param ns
+	 * @return
+	 */
+	
+	public Result<List<CertDAO.Data>> readID(AuthzTrans trans, final String id) {
+		return dao().readID(trans, id);
+	}
+	
+	public Result<List<CertDAO.Data>> readX500(AuthzTrans trans, final String x500) {
+		return dao().readX500(trans, x500);
+	}
+
+
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedCredDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedCredDAO.java
new file mode 100644
index 00000000..76fd5530
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedCredDAO.java
@@ -0,0 +1,66 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cached;
+
+import java.util.List;
+
+import org.onap.aaf.auth.dao.CIDAO;
+import org.onap.aaf.auth.dao.CachedDAO;
+import org.onap.aaf.auth.dao.cass.CredDAO;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+
+public class CachedCredDAO extends CachedDAO<AuthzTrans, CredDAO, CredDAO.Data> {
+	public CachedCredDAO(CredDAO dao, CIDAO<AuthzTrans> info, long expiresIn) {
+		super(dao, info, CredDAO.CACHE_SEG, expiresIn);
+	}
+	
+	/**
+	 * Pass through Cred Lookup
+	 * 
+	 * Unlike Role and Perm, we don't need or want to cache these elements... Only used for NS Delete.
+	 * 
+	 * @param trans
+	 * @param ns
+	 * @return
+	 */
+	public Result<List<CredDAO.Data>> readNS(AuthzTrans trans, final String ns) {
+		
+		return dao().readNS(trans, ns);
+	}
+	
+	public Result<List<CredDAO.Data>> readID(AuthzTrans trans, final String id) {
+		DAOGetter getter = new DAOGetter(trans,dao()) {
+			public Result<List<CredDAO.Data>> call() {
+				return dao().readID(trans, id);
+			}
+		};
+		
+		Result<List<CredDAO.Data>> lurd = get(trans, id, getter);
+		if(lurd.isOK() && lurd.isEmpty()) {
+			return Result.err(Status.ERR_UserNotFound,"No User Cred found");
+		}
+		return lurd;
+	}
+
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedNSDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedNSDAO.java
new file mode 100644
index 00000000..be860488
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedNSDAO.java
@@ -0,0 +1,33 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cached;
+
+import org.onap.aaf.auth.dao.CIDAO;
+import org.onap.aaf.auth.dao.CachedDAO;
+import org.onap.aaf.auth.dao.cass.NsDAO;
+import org.onap.aaf.auth.env.AuthzTrans;
+
+public class CachedNSDAO extends CachedDAO<AuthzTrans, NsDAO, NsDAO.Data> {
+	public CachedNSDAO(NsDAO dao, CIDAO<AuthzTrans> info, long expiresIn) {
+		super(dao, info, NsDAO.CACHE_SEG, expiresIn);
+	}
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedPermDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedPermDAO.java
new file mode 100644
index 00000000..4cb7cf2e
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedPermDAO.java
@@ -0,0 +1,124 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cached;
+
+import java.util.List;
+
+import org.onap.aaf.auth.dao.CIDAO;
+import org.onap.aaf.auth.dao.CachedDAO;
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.dao.cass.PermDAO.Data;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+
+public class CachedPermDAO extends CachedDAO<AuthzTrans,PermDAO, PermDAO.Data> {
+
+	public CachedPermDAO(PermDAO dao, CIDAO<AuthzTrans> info, long expiresIn) {
+		super(dao, info, PermDAO.CACHE_SEG, expiresIn);
+	}
+
+	public Result<List<Data>> readNS(AuthzTrans trans, final String ns) {
+		DAOGetter getter = new DAOGetter(trans,dao()) {
+			public Result<List<Data>> call() {
+				return dao.readNS(trans, ns);
+			}
+		};
+		
+		Result<List<Data>> lurd = get(trans, ns, getter);
+		if(lurd.isOKhasData()) {
+			return lurd;
+		} else {
+			
+		}
+//		if(getter.result==null) {
+//			if(lurd==null) {
+				return Result.err(Status.ERR_PermissionNotFound,"No Permission found - " + lurd.details);
+//			} else {
+//				return Result.ok(lurd);
+//			}
+//		}
+//		return getter.result;
+	}
+
+	public Result<List<Data>> readChildren(AuthzTrans trans, final String ns, final String type) {
+		return dao().readChildren(trans,ns,type);
+	}
+
+	/**
+	 * 
+	 * @param trans
+	 * @param ns
+	 * @param type
+	 * @return
+	 */
+	public Result<List<Data>> readByType(AuthzTrans trans, final String ns, final String type) {
+		DAOGetter getter = new DAOGetter(trans,dao()) {
+			public Result<List<Data>> call() {
+				return dao.readByType(trans, ns, type);
+			}
+		};
+		
+		// Note: Can reuse index1 here, because there is no name collision versus response
+		Result<List<Data>> lurd = get(trans, ns+'|'+type, getter);
+		if(lurd.isOK() && lurd.isEmpty()) {
+			return Result.err(Status.ERR_PermissionNotFound,"No Permission found");
+		}
+		return lurd;
+	}
+	
+	/**
+	 * Add desciption to this permission
+	 * 
+	 * @param trans
+	 * @param ns
+	 * @param type
+	 * @param instance
+	 * @param action
+	 * @param description
+	 * @return
+	 */
+	public Result<Void> addDescription(AuthzTrans trans, String ns, String type, 
+			String instance, String action, String description) {
+		//TODO Invalidate?
+		return dao().addDescription(trans, ns, type, instance, action, description);
+	}
+	
+	public Result<Void> addRole(AuthzTrans trans, PermDAO.Data perm, RoleDAO.Data role) {
+		Result<Void> rv = dao().addRole(trans,perm,role.encode());
+		if(trans.debug().isLoggable())
+			trans.debug().log("Adding",role.encode(),"to", perm, "with CachedPermDAO.addRole");
+		invalidate(trans,perm);
+		return rv;
+	}
+
+	public Result<Void> delRole(AuthzTrans trans, Data perm, RoleDAO.Data role) {
+		Result<Void> rv = dao().delRole(trans,perm,role.encode());
+		if(trans.debug().isLoggable())
+			trans.debug().log("Removing",role.encode(),"from", perm, "with CachedPermDAO.delRole");
+		invalidate(trans,perm);
+		return rv;
+	}
+
+
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedRoleDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedRoleDAO.java
new file mode 100644
index 00000000..5fac680c
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedRoleDAO.java
@@ -0,0 +1,106 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cached;
+
+import java.util.List;
+
+import org.onap.aaf.auth.dao.CIDAO;
+import org.onap.aaf.auth.dao.CachedDAO;
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.dao.cass.RoleDAO.Data;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+
+public class CachedRoleDAO extends CachedDAO<AuthzTrans,RoleDAO, RoleDAO.Data> {
+	public CachedRoleDAO(RoleDAO dao, CIDAO<AuthzTrans> info, long expiresIn) {
+		super(dao, info, RoleDAO.CACHE_SEG, expiresIn);
+	}
+
+	public Result<List<Data>> readNS(AuthzTrans trans, final String ns) {
+		DAOGetter getter = new DAOGetter(trans,dao()) {
+			public Result<List<Data>> call() {
+				return dao.readNS(trans, ns);
+			}
+		};
+		
+		Result<List<Data>> lurd = get(trans, ns, getter);
+		if(lurd.isOK() && lurd.isEmpty()) {
+			return Result.err(Status.ERR_RoleNotFound,"No Role found");
+		}
+		return lurd;
+	}
+
+	public Result<List<Data>> readName(AuthzTrans trans, final String name) {
+		DAOGetter getter = new DAOGetter(trans,dao()) {
+			public Result<List<Data>> call() {
+				return dao().readName(trans, name);
+			}
+		};
+		
+		Result<List<Data>> lurd = get(trans, name, getter);
+		if(lurd.isOK() && lurd.isEmpty()) {
+			return Result.err(Status.ERR_RoleNotFound,"No Role found");
+		}
+		return lurd;
+	}
+
+	public Result<List<Data>> readChildren(AuthzTrans trans, final String ns, final String name) {
+		// At this point, I'm thinking it's better not to try to cache "*" results
+		// Data probably won't be accurate, and adding it makes every update invalidate most of the cache
+		// Jonathan 2/4/2014
+		return dao().readChildren(trans,ns,name);
+	}
+
+	public Result<Void> addPerm(AuthzTrans trans, RoleDAO.Data rd, PermDAO.Data perm) {
+		Result<Void> rv = dao().addPerm(trans,rd,perm);
+		if(trans.debug().isLoggable())
+			trans.debug().log("Adding",perm,"to", rd, "with CachedRoleDAO.addPerm");
+		invalidate(trans, rd);
+		return rv;
+	}
+
+	public Result<Void> delPerm(AuthzTrans trans, RoleDAO.Data rd, PermDAO.Data perm) {
+		Result<Void> rv = dao().delPerm(trans,rd,perm);
+		if(trans.debug().isLoggable())
+			trans.debug().log("Removing",perm,"from", rd, "with CachedRoleDAO.addPerm");
+		invalidate(trans, rd);
+		return rv;
+	}
+	
+	/**
+	 * Add description to this role
+	 * 
+	 * @param trans
+	 * @param ns
+	 * @param name
+	 * @param description
+	 * @return
+	 */
+	public Result<Void> addDescription(AuthzTrans trans, String ns, String name, String description) {
+		//TODO Invalidate?
+		return dao().addDescription(trans, ns, name, description);
+
+	}
+
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedUserRoleDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedUserRoleDAO.java
new file mode 100644
index 00000000..dce2beaa
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedUserRoleDAO.java
@@ -0,0 +1,115 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cached;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.onap.aaf.auth.dao.CIDAO;
+import org.onap.aaf.auth.dao.CachedDAO;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.dao.cass.UserRoleDAO;
+import org.onap.aaf.auth.dao.cass.UserRoleDAO.Data;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.Slot;
+
+public class CachedUserRoleDAO extends CachedDAO<AuthzTrans,UserRoleDAO, UserRoleDAO.Data> {
+	private Slot transURSlot;
+
+	public CachedUserRoleDAO(UserRoleDAO dao, CIDAO<AuthzTrans> info, long expiresIn) {
+		super(dao, info, UserRoleDAO.CACHE_SEG, expiresIn);
+		transURSlot = dao.transURSlot;
+	}
+
+	/**
+	 * Special Case.  
+	 * User Roles by User are very likely to be called many times in a Transaction, to validate "May User do..."
+	 * Pull result, and make accessible by the Trans, which is always keyed by User.
+	 * @param trans
+	 * @param user
+	 * @return
+	 */
+	public Result<List<Data>> readByUser(AuthzTrans trans, final String user) {
+		DAOGetter getter = new DAOGetter(trans,dao()) {
+			public Result<List<Data>> call() {
+				// If the call is for THIS user, and it exists, get from TRANS, add to TRANS if not.
+				if(user!=null && user.equals(trans.user())) {
+					Result<List<Data>> transLD = trans.get(transURSlot,null);
+					if(transLD==null ) {
+						transLD = dao.readByUser(trans, user);
+					}
+					return transLD;
+				} else {
+					return dao.readByUser(trans, user);
+				}
+			}
+		};
+		Result<List<Data>> lurd = get(trans, user, getter);
+		if(lurd.isOK() && lurd.isEmpty()) {
+			return Result.err(Status.ERR_UserRoleNotFound,"UserRole not found for [%s]",user);
+		}
+		return lurd;
+	}
+
+	
+	public Result<List<Data>> readByRole(AuthzTrans trans, final String role) {
+		DAOGetter getter = new DAOGetter(trans,dao()) {
+			public Result<List<Data>> call() {
+				return dao.readByRole(trans, role);
+			}
+		};
+		Result<List<Data>> lurd = get(trans, role, getter);
+		if(lurd.isOK() && lurd.isEmpty()) {
+			return Result.err(Status.ERR_UserRoleNotFound,"UserRole not found for [%s]",role);
+		}
+		return lurd;
+	}
+
+	public Result<List<UserRoleDAO.Data>> readUserInRole(final AuthzTrans trans, final String user, final String role) {
+		DAOGetter getter = new DAOGetter(trans,dao()) {
+			public Result<List<Data>> call() {
+				if(user.equals(trans.user())) {
+					Result<List<Data>> rrbu = readByUser(trans, user);
+					if(rrbu.isOK()) {
+						List<Data> ld = new ArrayList<Data>(1);
+						for(Data d : rrbu.value) {
+							if(d.role.equals(role)) {
+								ld.add(d);
+								break;
+							}
+						}
+						return Result.ok(ld).emptyList(ld.isEmpty());
+					} else {
+						return rrbu;
+					}
+				}
+				return dao.readByUserRole(trans, user, role);
+			}
+		};
+		Result<List<Data>> lurd = get(trans, keyFromObjs(user,role), getter);
+		if(lurd.isOK() && lurd.isEmpty()) {
+			return Result.err(Status.ERR_UserRoleNotFound,"UserRole not found for role [%s] and user [%s]",role,user);
+		}
+		return lurd;
+	}
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/.gitignore b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/.gitignore
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/.gitignore
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/ApprovalDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/ApprovalDAO.java
new file mode 100644
index 00000000..284d0a84
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/ApprovalDAO.java
@@ -0,0 +1,277 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cass;
+
+import java.io.IOException;
+import java.util.Date;
+import java.util.List;
+import java.util.UUID;
+
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.CassDAOImpl;
+import org.onap.aaf.auth.dao.Loader;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.Row;
+import com.datastax.driver.core.exceptions.DriverException;
+
+
+public class ApprovalDAO extends CassDAOImpl<AuthzTrans,ApprovalDAO.Data> {
+	public static final String PENDING = "pending";
+	public static final String DENIED = "denied";
+	public static final String APPROVED = "approved";
+	
+	private static final String TABLE = "approval";
+	private static final String TABLELOG = "approved";
+	private HistoryDAO historyDAO;
+	private PSInfo psByUser, psByApprover, psByTicket, psByStatus;
+
+	
+	public ApprovalDAO(AuthzTrans trans, Cluster cluster, String keyspace) {
+		super(trans, ApprovalDAO.class.getSimpleName(),cluster,keyspace,Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+        historyDAO = new HistoryDAO(trans, this);
+		init(trans);
+	}
+
+
+	public ApprovalDAO(AuthzTrans trans, HistoryDAO hDAO) {
+		super(trans, ApprovalDAO.class.getSimpleName(),hDAO,Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+		historyDAO=hDAO;
+		init(trans);
+	}
+
+	private static final int KEYLIMIT = 1;
+	public static class Data {
+		public UUID   id;
+        public UUID   ticket;
+		public String user;
+		public String approver;
+		public String type;
+		public String status;
+		public String memo;
+		public String operation;
+		public Date last_notified;
+		public Date updated;
+	}
+	
+	private static class ApprovalLoader extends Loader<Data> {
+		public static final ApprovalLoader deflt = new ApprovalLoader(KEYLIMIT);
+		
+		public ApprovalLoader(int keylimit) {
+			super(keylimit);
+		}
+		
+		@Override
+		public Data load(Data data, Row row) {
+			data.id = row.getUUID(0);
+			data.ticket = row.getUUID(1);
+			data.user = row.getString(2);
+			data.approver = row.getString(3);
+			data.type = row.getString(4);
+			data.status = row.getString(5);
+			data.memo = row.getString(6);
+			data.operation = row.getString(7);
+			data.last_notified = row.getTimestamp(8);
+			// This is used to get "WRITETIME(STATUS)" from Approval, which gives us an "updated" 
+			if(row.getColumnDefinitions().size()>9) {
+				// Rows reported in MicroSeconds
+				data.updated = new Date(row.getLong(9)/1000);
+			}
+			return data;
+		}
+
+		@Override
+		protected void key(Data data, int idx, Object[] obj) {
+			obj[idx]=data.id;
+		}
+
+		@Override
+		protected void body(Data data, int _idx, Object[] obj) {
+		    	int idx = _idx;
+			obj[idx]=data.ticket;
+			obj[++idx]=data.user;
+			obj[++idx]=data.approver;
+			obj[++idx]=data.type;
+			obj[++idx]=data.status;
+			obj[++idx]=data.memo;
+			obj[++idx]=data.operation;
+			obj[++idx]=data.last_notified;
+		}
+	}	
+	
+	private void init(AuthzTrans trans) {
+		String[] helpers = setCRUD(trans, TABLE, Data.class, ApprovalLoader.deflt,9);
+		psByUser = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + ", WRITETIME(status) FROM " + TABLE + 
+				" WHERE user = ?", new ApprovalLoader(1) {
+			@Override
+			protected void key(Data data, int idx, Object[] obj) {
+				obj[idx]=data.user;
+			}
+		}, readConsistency);
+		
+		psByApprover = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + ", WRITETIME(status) FROM " + TABLE + 
+				" WHERE approver = ?", new ApprovalLoader(1) {
+			@Override
+			protected void key(Data data, int idx, Object[] obj) {
+				obj[idx]=data.approver;
+			}
+		}, readConsistency);
+
+		psByTicket = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + ", WRITETIME(status) FROM " + TABLE + 
+				" WHERE ticket = ?", new ApprovalLoader(1) {
+			@Override
+			protected void key(Data data, int idx, Object[] obj) {
+				obj[idx]=data.ticket;
+			}
+		}, readConsistency);
+
+		psByStatus = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + ", WRITETIME(status) FROM " + TABLE + 
+				" WHERE status = ?", new ApprovalLoader(1) {
+			@Override
+			protected void key(Data data, int idx, Object[] obj) {
+				obj[idx]=data.status;
+			}
+		}, readConsistency);
+
+
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.dao.CassDAOImpl#create(com.att.inno.env.TransStore, java.lang.Object)
+	 */
+	@Override
+	public Result<Data> create(AuthzTrans trans, Data data) {
+		// If ID is not set (typical), create one.
+		if(data.id==null) {
+			data.id = Chrono.dateToUUID(System.currentTimeMillis());
+		}
+		Result<ResultSet> rs = createPS.exec(trans, C_TEXT, data);
+		if(rs.notOK()) {
+			return Result.err(rs);
+		}
+		return Result.ok(data);	
+	}
+
+
+	public Result<List<ApprovalDAO.Data>> readByUser(AuthzTrans trans, String user) {
+		return psByUser.read(trans, R_TEXT, new Object[]{user});
+	}
+
+	public Result<List<ApprovalDAO.Data>> readByApprover(AuthzTrans trans, String approver) {
+		return psByApprover.read(trans, R_TEXT, new Object[]{approver});
+	}
+
+	public Result<List<ApprovalDAO.Data>> readByTicket(AuthzTrans trans, UUID ticket) {
+		return psByTicket.read(trans, R_TEXT, new Object[]{ticket});
+	}
+
+	public Result<List<ApprovalDAO.Data>> readByStatus(AuthzTrans trans, String status) {
+		return psByStatus.read(trans, R_TEXT, new Object[]{status});
+	}	
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.dao.CassDAOImpl#delete(com.att.inno.env.TransStore, java.lang.Object, boolean)
+	 */
+	@Override
+	public Result<Void> delete(AuthzTrans trans, Data data, boolean reread) {
+		if(reread || data.status == null) { // if Memo is empty, likely not full record
+			Result<ResultSet> rd = readPS.exec(trans, R_TEXT, data);
+			if(rd.notOK()) {
+				return Result.err(rd);
+			}
+			ApprovalLoader.deflt.load(data, rd.value.one());
+		}
+		if("approved".equals(data.status) || "denied".equals(data.status)) { 
+			StringBuilder sb = new StringBuilder("BEGIN BATCH\n");
+			sb.append("INSERT INTO ");
+			sb.append(TABLELOG);
+			sb.append(" (id,user,approver,type,status,memo,operation) VALUES (");
+			sb.append(data.id);
+			sb.append(",'"); sb.append(data.user);
+			sb.append("','"); sb.append(data.approver);
+			sb.append("','"); sb.append(data.type);
+			sb.append("','"); sb.append(data.status);
+			sb.append("','"); sb.append(data.memo.replace("'", "''"));
+			sb.append("','"); sb.append(data.operation);
+			sb.append("');\n");
+			sb.append("DELETE FROM ");
+			sb.append(TABLE);
+			sb.append(" WHERE id=");
+			sb.append(data.id);
+			sb.append(";\n");
+			sb.append("APPLY BATCH;\n");
+			TimeTaken tt = trans.start("DELETE APPROVAL",Env.REMOTE);
+			try {
+				if(async) {
+					getSession(trans).executeAsync(sb.toString());
+					return Result.ok();
+				} else {
+					getSession(trans).execute(sb.toString());
+					return Result.ok();
+				}
+			} catch (DriverException | APIException | IOException e) {
+				reportPerhapsReset(trans,e);
+				return Result.err(Result.ERR_Backend, CassAccess.ERR_ACCESS_MSG);
+			} finally {
+				tt.done();
+			}
+		} else {
+			return super.delete(trans, data, false);
+		}
+
+	}
+
+
+	/**
+     * Log Modification statements to History
+     *
+     * @param modified        which CRUD action was done
+     * @param data            entity data that needs a log entry
+     * @param overrideMessage if this is specified, we use it rather than crafting a history message based on data
+     */
+    @Override
+    protected void wasModified(AuthzTrans trans, CRUD modified, Data data, String ... override) {
+    	boolean memo = override.length>0 && override[0]!=null;
+    	boolean subject = override.length>1 && override[1]!=null;
+
+        HistoryDAO.Data hd = HistoryDAO.newInitedData();
+        hd.user = trans.user();
+        hd.action = modified.name();
+        hd.target = TABLE;
+        hd.subject = subject?override[1]:data.user + "|" + data.approver;
+        hd.memo = memo
+                ? String.format("%s by %s", override[0], hd.user)
+                : (modified.name() + "d approval for " + data.user);
+        // Detail?
+        // Reconstruct?
+        if(historyDAO.create(trans, hd).status!=Status.OK) {
+        	trans.error().log("Cannot log to History");
+        }
+    }
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/ArtiDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/ArtiDAO.java
new file mode 100644
index 00000000..391b55b4
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/ArtiDAO.java
@@ -0,0 +1,303 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cass;
+
+import java.io.ByteArrayOutputStream;
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.onap.aaf.auth.dao.Bytification;
+import org.onap.aaf.auth.dao.CassDAOImpl;
+import org.onap.aaf.auth.dao.Loader;
+import org.onap.aaf.auth.dao.Streamer;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.Row;
+
+/**
+ * CredDAO manages credentials. 
+ * @author Jonathan
+ * Date: 7/19/13
+ */
+public class ArtiDAO extends CassDAOImpl<AuthzTrans,ArtiDAO.Data> {
+    public static final String TABLE = "artifact";
+    
+    private HistoryDAO historyDAO;
+    private PSInfo psByMechID,psByMachine, psByNs;
+	
+    public ArtiDAO(AuthzTrans trans, Cluster cluster, String keyspace) {
+        super(trans, ArtiDAO.class.getSimpleName(),cluster, keyspace, Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+        init(trans);
+    }
+
+    public ArtiDAO(AuthzTrans trans, HistoryDAO hDao, CacheInfoDAO ciDao) {
+        super(trans, ArtiDAO.class.getSimpleName(),hDao, Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+        historyDAO = hDao;
+        init(trans);
+    }
+
+    public static final int KEYLIMIT = 2;
+	public static class Data implements Bytification {
+		public String       			mechid;
+		public String       			machine;
+        private Set<String>      		type;
+        public String					sponsor;
+        public String					ca;
+        public String					dir;
+        public String					ns;
+        public String					os_user;
+        public String					notify;
+        public Date      				expires;
+        public int						renewDays;
+        public Set<String>				sans;
+        
+//      // Getters
+		public Set<String> type(boolean mutable) {
+			if (type == null) {
+				type = new HashSet<String>();
+			} else if (mutable && !(type instanceof HashSet)) {
+				type = new HashSet<String>(type);
+			}
+			return type;
+		}
+
+		public Set<String> sans(boolean mutable) {
+			if (sans == null) {
+				sans = new HashSet<String>();
+			} else if (mutable && !(sans instanceof HashSet)) {
+				sans = new HashSet<String>(sans);
+			}
+			return sans;
+		}
+
+		@Override
+		public ByteBuffer bytify() throws IOException {
+			ByteArrayOutputStream baos = new ByteArrayOutputStream();
+			ArtifactLoader.deflt.marshal(this,new DataOutputStream(baos));
+			return ByteBuffer.wrap(baos.toByteArray());
+		}
+		
+		@Override
+		public void reconstitute(ByteBuffer bb) throws IOException {
+			ArtifactLoader.deflt.unmarshal(this, toDIS(bb));
+		}
+
+		public String toString() {
+			return mechid + ' ' + machine + ' ' + Chrono.dateTime(expires);
+		}
+    }
+
+    private static class ArtifactLoader extends Loader<Data> implements Streamer<Data>{
+		public static final int MAGIC=95829343;
+    	public static final int VERSION=1;
+    	public static final int BUFF_SIZE=48; // Note: 
+
+    	public static final ArtifactLoader deflt = new ArtifactLoader(KEYLIMIT);
+    	public ArtifactLoader(int keylimit) {
+            super(keylimit);
+        }
+
+    	@Override
+        public Data load(Data data, Row row) {
+            data.mechid = row.getString(0);
+            data.machine = row.getString(1);
+            data.type = row.getSet(2, String.class);
+            data.sponsor = row.getString(3);
+            data.ca = row.getString(4);
+            data.dir = row.getString(5);
+            data.ns = row.getString(6);
+            data.os_user = row.getString(7);
+            data.notify = row.getString(8);
+            data.expires = row.getTimestamp(9);
+            data.renewDays = row.getInt(10);
+            data.sans = row.getSet(11, String.class);
+            return data;
+        }
+
+        @Override
+        protected void key(final Data data, final int idx, Object[] obj) {
+        	int i;
+            obj[i=idx] = data.mechid;
+            obj[++i] = data.machine;
+        }
+
+        @Override
+        protected void body(final Data data, final int idx, Object[] obj) {
+            int i;
+            obj[i=idx] = data.type;
+            obj[++i] = data.sponsor;
+            obj[++i] = data.ca;
+            obj[++i] = data.dir;
+            obj[++i] = data.ns;
+            obj[++i] = data.os_user;
+            obj[++i] = data.notify;
+            obj[++i] = data.expires;
+            obj[++i] = data.renewDays;
+            obj[++i] = data.sans;
+        }
+
+		@Override
+		public void marshal(Data data, DataOutputStream os) throws IOException {
+			writeHeader(os,MAGIC,VERSION);
+			writeString(os, data.mechid);
+			writeString(os, data.machine);
+			os.writeInt(data.type.size());
+			for(String s : data.type) {
+				writeString(os, s);
+			}
+			writeString(os, data.sponsor);
+			writeString(os, data.ca);
+			writeString(os, data.dir);
+			writeString(os, data.ns);
+			writeString(os, data.os_user);
+			writeString(os, data.notify);
+			os.writeLong(data.expires==null?-1:data.expires.getTime());
+			os.writeInt(data.renewDays);
+			if(data.sans!=null) {
+				os.writeInt(data.sans.size());
+				for(String s : data.sans) {
+					writeString(os, s);
+				}
+			} else {
+				os.writeInt(0);
+			}
+		}
+
+		@Override
+		public void unmarshal(Data data, DataInputStream is) throws IOException {
+			/*int version = */readHeader(is,MAGIC,VERSION);
+			// If Version Changes between Production runs, you'll need to do a switch Statement, and adequately read in fields
+			byte[] buff = new byte[BUFF_SIZE];
+			data.mechid = readString(is,buff);
+			data.machine = readString(is,buff);
+			int size = is.readInt();
+			data.type = new HashSet<String>(size);
+			for(int i=0;i<size;++i) {
+				data.type.add(readString(is,buff));
+			}
+			data.sponsor = readString(is,buff);
+			data.ca = readString(is,buff);
+			data.dir = readString(is,buff);
+			data.ns = readString(is,buff);
+			data.os_user = readString(is,buff);
+			data.notify = readString(is,buff);
+			long l = is.readLong();
+			data.expires = l<0?null:new Date(l);
+			data.renewDays = is.readInt();
+			size = is.readInt();
+			data.sans = new HashSet<String>(size);
+			for(int i=0;i<size;++i) {
+				data.sans.add(readString(is,buff));
+			}
+		}
+    }
+
+    private void init(AuthzTrans trans) {
+        // Set up sub-DAOs
+        if(historyDAO==null) {
+        	historyDAO = new HistoryDAO(trans,this);
+        }
+        
+        String[] helpers = setCRUD(trans, TABLE, Data.class, ArtifactLoader.deflt);
+
+		psByMechID = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + " FROM " + TABLE + 
+				" WHERE mechid = ?", new ArtifactLoader(1) {
+			@Override
+			protected void key(Data data, int idx, Object[] obj) {
+				obj[idx]=data.type;
+			}
+		},readConsistency);
+
+		psByMachine = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + " FROM " + TABLE + 
+				" WHERE machine = ?", new ArtifactLoader(1) {
+			@Override
+			protected void key(Data data, int idx, Object[] obj) {
+				obj[idx]=data.type;
+			}
+		},readConsistency);
+
+		psByNs = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + " FROM " + TABLE + 
+				" WHERE ns = ?", new ArtifactLoader(1) {
+			@Override
+			protected void key(Data data, int idx, Object[] obj) {
+				obj[idx]=data.type;
+			}
+		},readConsistency);
+
+}
+    
+	
+    public Result<List<Data>> readByMechID(AuthzTrans trans, String mechid) {
+		return psByMechID.read(trans, R_TEXT, new Object[]{mechid});
+	}
+
+	public Result<List<ArtiDAO.Data>> readByMachine(AuthzTrans trans, String machine) {
+		return psByMachine.read(trans, R_TEXT, new Object[]{machine});
+	}
+
+	public Result<List<org.onap.aaf.auth.dao.cass.ArtiDAO.Data>> readByNs(AuthzTrans trans, String ns) {
+		return psByNs.read(trans, R_TEXT, new Object[]{ns});
+	}
+
+	/**
+     * Log Modification statements to History
+     *
+     * @param modified        which CRUD action was done
+     * @param data            entity data that needs a log entry
+     * @param overrideMessage if this is specified, we use it rather than crafting a history message based on data
+     */
+    @Override
+    protected void wasModified(AuthzTrans trans, CRUD modified, Data data, String ... override) {
+    	boolean memo = override.length>0 && override[0]!=null;
+    	boolean subject = override.length>1 && override[1]!=null;
+
+        HistoryDAO.Data hd = HistoryDAO.newInitedData();
+        hd.user = trans.user();
+        hd.action = modified.name();
+        hd.target = TABLE;
+        hd.subject = subject?override[1]: data.mechid;
+        hd.memo = memo
+                ? String.format("%s by %s", override[0], hd.user)
+                : String.format("%sd %s for %s",modified.name(),data.mechid,data.machine);
+        // Detail?
+   		if(modified==CRUD.delete) {
+        			try {
+        				hd.reconstruct = data.bytify();
+        			} catch (IOException e) {
+        				trans.error().log(e,"Could not serialize CredDAO.Data");
+        			}
+        		}
+
+        if(historyDAO.create(trans, hd).status!=Status.OK) {
+        	trans.error().log("Cannot log to History");
+        }
+    }
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CacheInfoDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CacheInfoDAO.java
new file mode 100644
index 00000000..e47e9352
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CacheInfoDAO.java
@@ -0,0 +1,464 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cass;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.URI;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.concurrent.BlockingQueue;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.LinkedBlockingQueue;
+import java.util.concurrent.TimeUnit;
+
+import org.onap.aaf.auth.dao.AbsCassDAO;
+import org.onap.aaf.auth.dao.CIDAO;
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.CassDAOImpl;
+import org.onap.aaf.auth.dao.Loader;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.SecuritySetter;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.cadi.http.HMangr;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+
+import com.datastax.driver.core.BoundStatement;
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.PreparedStatement;
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.Row;
+import com.datastax.driver.core.exceptions.DriverException;
+
+public class CacheInfoDAO extends CassDAOImpl<AuthzTrans,CacheInfoDAO.Data> implements CIDAO<AuthzTrans> {
+
+	private static final String TABLE = "cache";
+	public static final Map<String,Date[]> info = new ConcurrentHashMap<String,Date[]>();
+
+	private static CacheUpdate cacheUpdate;
+	
+	// Hold current time stamps from Tables
+	private final Date startTime;
+	private PreparedStatement psCheck;
+	
+	public CacheInfoDAO(AuthzTrans trans, Cluster cluster, String keyspace) throws APIException, IOException {
+		super(trans, CacheInfoDAO.class.getSimpleName(),cluster,keyspace,Data.class,TABLE,readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+		startTime = new Date();
+		init(trans);
+	}
+
+	public CacheInfoDAO(AuthzTrans trans, AbsCassDAO<AuthzTrans,?> aDao) throws APIException, IOException {
+		super(trans, CacheInfoDAO.class.getSimpleName(),aDao,Data.class,TABLE,readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+		startTime = new Date();
+		init(trans);
+	}
+
+
+    //////////////////////////////////////////
+    // Data Definition, matches Cassandra DM
+    //////////////////////////////////////////
+    private static final int KEYLIMIT = 2;
+	/**
+     * @author Jonathan
+     */
+	public static class Data {
+		public Data() {
+			name = null;
+			touched = null;
+		}
+		public Data(String name, int seg) {
+			this.name = name;
+			this.seg = seg;
+			touched = null;
+		}
+		
+		public String		name;
+		public int			seg;
+		public Date			touched;
+    }
+
+    private static class InfoLoader extends Loader<Data> {
+    	public static final InfoLoader dflt = new InfoLoader(KEYLIMIT);
+    	
+		public InfoLoader(int keylimit) {
+			super(keylimit);
+		}
+		
+		@Override
+		public Data load(Data data, Row row) {
+			// Int more efficient
+			data.name = row.getString(0);
+			data.seg = row.getInt(1);
+			data.touched = row.getTimestamp(2);
+			return data;
+		}
+
+		@Override
+		protected void key(Data data, int _idx, Object[] obj) {
+		    	int idx = _idx;
+
+			obj[idx]=data.name;
+			obj[++idx]=data.seg;
+		}
+
+		@Override
+		protected void body(Data data, int idx, Object[] obj) {
+			obj[idx]=data.touched;
+		}
+    }
+    
+	public static<T extends Trans> void startUpdate(AuthzEnv env, HMangr hman, SecuritySetter<HttpURLConnection> ss, String ip, int port) {
+		if(cacheUpdate==null) {
+			Thread t= new Thread(cacheUpdate = new CacheUpdate(env,hman,ss, ip,port),"CacheInfo Update Thread");
+			t.setDaemon(true);
+			t.start();
+		}
+	}
+
+	public static<T extends Trans> void stopUpdate() {
+		if(cacheUpdate!=null) {
+			cacheUpdate.go=false;
+		}
+	}
+
+	private final static class CacheUpdate extends Thread {
+		public static BlockingQueue<Transfer> notifyDQ = new LinkedBlockingQueue<Transfer>(2000);
+
+		private static final String VOID_CT="application/Void+json;q=1.0;charset=utf-8;version=2.0,application/json;q=1.0;version=2.0,*/*;q=1.0";
+		private AuthzEnv env;
+		private HMangr hman;
+		private SecuritySetter<HttpURLConnection> ss;
+		private final String authority;
+		public boolean go = true;
+		
+		public CacheUpdate(AuthzEnv env, HMangr hman, SecuritySetter<HttpURLConnection> ss, String ip, int port) {
+			this.env = env;
+			this.hman = hman;
+			this.ss = ss;
+			
+			this.authority = ip+':'+port;
+		}
+		
+		private static class Transfer {
+			public String table;
+			public int segs[];
+			public Transfer(String table, int[] segs)  {
+				this.table = table;
+				this.segs = segs;
+			}
+		}
+		private class CacheClear extends Retryable<Integer> {
+			public int total=0;
+			private AuthzTrans trans;
+			private String type;
+			private String segs;
+			
+			public CacheClear(AuthzTrans trans) {
+				this.trans = trans;
+			}
+
+			public void set(Entry<String, IntHolder> es) {
+				type = es.getKey();
+				segs = es.getValue().toString();
+			}
+			
+		@Override
+			public Integer code(Rcli<?> client) throws APIException, CadiException {
+				URI to = client.getURI();
+				if(!to.getAuthority().equals(authority)) {
+					Future<Void> f = client.delete("/mgmt/cache/"+type+'/'+segs,VOID_CT);
+					if(f.get(hman.readTimeout())) {
+					    ++total;
+					} else {
+					    trans.error().log("Error During AAF Peer Notify",f.code(),f.body());
+					}
+				}
+				return total;
+			}
+		}
+		
+		private class IntHolder {
+			private int[] raw;
+			HashSet<Integer> set;
+			
+			public IntHolder(int ints[]) {
+				raw = ints;
+				set = null;
+			}
+			public void add(int[] ints) {
+				if(set==null) {
+					set = new HashSet<Integer>();
+					
+					for(int i=0;i<raw.length;++i) {
+						set.add(raw[i]);
+					}
+				}
+				for(int i=0;i<ints.length;++i) {
+					set.add(ints[i]);
+				}
+			}
+
+			@Override
+			public String toString() {
+				StringBuilder sb = new StringBuilder();
+				boolean first = true;
+				if(set==null) {
+					for(int i : raw) {
+						if(first) {
+							first=false;
+						} else {
+							sb.append(',');
+						}
+						sb.append(i);
+					}
+				} else {
+					for(Integer i : set) {
+						if(first) {
+							first=false;
+						} else {
+							sb.append(',');
+						}
+						sb.append(i);
+					}
+				}
+				return sb.toString();
+			}
+		}
+		
+		@Override
+		public void run() {
+			do {
+				try {
+					Transfer data = notifyDQ.poll(4,TimeUnit.SECONDS);
+					if(data==null) {
+						continue;
+					}
+					
+					int count = 0;
+					CacheClear cc = null;
+					Map<String,IntHolder> gather = null;
+					AuthzTrans trans = null;
+					long start=0;
+					// Do a block poll first
+					do {
+						if(gather==null) {
+							start = System.nanoTime();
+							trans = env.newTransNoAvg();
+							cc = new CacheClear(trans);
+							gather = new HashMap<String,IntHolder>();
+						}
+						IntHolder prev = gather.get(data.table);
+						if(prev==null) {
+							gather.put(data.table,new IntHolder(data.segs));
+						} else {
+							prev.add(data.segs);
+						}
+						// continue while there is data
+					} while((data = notifyDQ.poll())!=null);
+					if(gather!=null) {
+						for(Entry<String, IntHolder> es : gather.entrySet()) {
+							cc.set(es);
+							try {
+								if(hman.all(ss, cc, false)!=null) {
+									++count;
+								}
+							} catch (Exception e) {
+								trans.error().log(e, "Error on Cache Update");
+							}
+						}
+						if(env.debug().isLoggable()) {
+							float millis = (System.nanoTime()-start)/1000000f;
+							StringBuilder sb = new StringBuilder("Direct Cache Refresh: ");
+							sb.append("Updated ");
+							sb.append(count);
+							if(count==1) {
+								sb.append(" entry for ");
+							} else { 
+								sb.append(" entries for ");
+							}
+							int peers = count<=0?0:cc.total/count;
+							sb.append(peers);
+							sb.append(" client");
+							if(peers!=1) {
+								sb.append('s');
+							}
+							sb.append(" in ");
+							sb.append(millis);
+							sb.append("ms");
+							trans.auditTrail(0, sb, Env.REMOTE);
+							env.debug().log(sb);
+						}
+					}
+				} catch (InterruptedException e1) {
+					go = false;
+				}
+			} while(go);
+		}
+	}
+
+	private void init(AuthzTrans trans) throws APIException, IOException {
+		
+		String[] helpers = setCRUD(trans, TABLE, Data.class, InfoLoader.dflt);
+		psCheck = getSession(trans).prepare(SELECT_SP +  helpers[FIELD_COMMAS] + " FROM " + TABLE);
+
+		disable(CRUD.create);
+		disable(CRUD.delete);
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.dao.cass.CIDAO#touch(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.String, int)
+	 */
+	
+	@Override
+	public Result<Void> touch(AuthzTrans trans, String name, int ... seg) {
+		/////////////
+		// Direct Service Cache Invalidation
+		/////////////
+		// ConcurrentQueues are open-ended.  We don't want any Memory leaks 
+		// Note: we keep a separate counter, because "size()" on a Linked Queue is expensive
+		if(cacheUpdate!=null) {
+			try {
+				if(!CacheUpdate.notifyDQ.offer(new CacheUpdate.Transfer(name, seg),2,TimeUnit.SECONDS)) {
+					trans.error().log("Cache Notify Queue is not accepting messages, bouncing may be appropriate" );
+				}
+			} catch (InterruptedException e) {
+				trans.error().log("Cache Notify Queue posting was interrupted" );
+			}
+		}
+
+		/////////////
+		// Table Based Cache Invalidation (original)
+		/////////////
+		// Note: Save time with multiple Sequence Touches, but PreparedStmt doesn't support IN
+		StringBuilder start = new StringBuilder("CacheInfoDAO Touch segments ");
+		start.append(name);
+		start.append(": ");
+		StringBuilder sb = new StringBuilder("BEGIN BATCH\n");
+		boolean first = true;
+		for(int s : seg) {
+			sb.append(UPDATE_SP);
+			sb.append(TABLE);
+			sb.append(" SET touched=dateof(now()) WHERE name = '");
+			sb.append(name);
+			sb.append("' AND seg = ");
+			sb.append(s);
+			sb.append(";\n");	
+			if(first) {
+				first =false;
+			} else {
+				start.append(',');
+			}
+			start.append(s);
+		}
+		sb.append("APPLY BATCH;");
+		TimeTaken tt = trans.start(start.toString(),Env.REMOTE);
+		try {
+			getSession(trans).executeAsync(sb.toString());
+		} catch (DriverException | APIException | IOException e) {
+			reportPerhapsReset(trans,e);
+			return Result.err(Result.ERR_Backend, CassAccess.ERR_ACCESS_MSG);
+		} finally {
+			tt.done();
+		}
+		return Result.ok();
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.dao.cass.CIDAO#check(org.onap.aaf.auth.env.test.AuthzTrans)
+	 */
+	@Override
+	public Result<Void> check(AuthzTrans trans) {
+		ResultSet rs;
+		TimeTaken tt = trans.start("Check Table Timestamps",Env.REMOTE);
+		try {
+			rs = getSession(trans).execute(new BoundStatement(psCheck));
+		} catch (DriverException | APIException | IOException e) {
+			reportPerhapsReset(trans,e);
+			return Result.err(Result.ERR_Backend, CassAccess.ERR_ACCESS_MSG);
+		} finally {
+			tt.done();
+		}
+		
+		String lastName = null;
+		Date[] dates = null;
+		for(Row row : rs.all()) {
+			String name = row.getString(0);
+			int seg = row.getInt(1);
+			if(!name.equals(lastName)) {
+				dates = info.get(name);
+				lastName=name;
+			}
+			if(dates==null) {
+				dates=new Date[seg+1];
+				info.put(name,dates);
+			} else if(dates.length<=seg) {
+				Date[] temp = new Date[seg+1];
+				System.arraycopy(dates, 0, temp, 0, dates.length);
+				dates = temp;
+				info.put(name, dates);
+			}
+			Date temp = row.getTimestamp(2);
+			if(dates[seg]==null || dates[seg].before(temp)) {
+				dates[seg]=temp;
+			}
+		}
+		return Result.ok();
+	}
+	
+    /* (non-Javadoc)
+	 * @see org.onap.aaf.auth.dao.cass.CIDAO#get(java.lang.String, int)
+	 */
+    @Override
+	public Date get(AuthzTrans trans, String table, int seg) {
+		Date[] dates = info.get(table);
+		if(dates==null) {
+			dates = new Date[seg+1];
+			touch(trans,table, seg);
+		} else if(dates.length<=seg) {
+			Date[] temp = new Date[seg+1];
+			System.arraycopy(dates, 0, temp, 0, dates.length);
+			dates = temp;
+		}
+		Date rv = dates[seg];
+		if(rv==null) {
+			rv=dates[seg]=startTime;
+		}
+		return rv;
+	}
+
+	@Override
+	protected void wasModified(AuthzTrans trans, CRUD modified, Data data, String ... override) {
+		// Do nothing
+	}
+
+}
+\ No newline at end of file
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CacheableData.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CacheableData.java
new file mode 100644
index 00000000..af4b2302
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CacheableData.java
@@ -0,0 +1,35 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cass;
+
+import org.onap.aaf.auth.dao.Cacheable;
+import org.onap.aaf.auth.dao.Cached;
+import org.onap.aaf.auth.dao.CachedDAO;
+
+public abstract class CacheableData implements Cacheable {
+	// WARNING:  DON'T attempt to add any members here, as it will 
+	// be treated by system as fields expected in Tables
+	protected int seg(Cached<?,?> cache, Object ... fields) {
+		return cache==null?0:cache.invalidate(CachedDAO.keyFromObjs(fields));
+	}
+	
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CertDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CertDAO.java
new file mode 100644
index 00000000..a47b8c9e
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CertDAO.java
@@ -0,0 +1,244 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cass;
+
+import java.io.ByteArrayOutputStream;
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.nio.ByteBuffer;
+import java.util.List;
+
+import org.onap.aaf.auth.dao.Bytification;
+import org.onap.aaf.auth.dao.CIDAO;
+import org.onap.aaf.auth.dao.Cached;
+import org.onap.aaf.auth.dao.CassDAOImpl;
+import org.onap.aaf.auth.dao.Loader;
+import org.onap.aaf.auth.dao.Streamer;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.Row;
+
+/**
+ * CredDAO manages credentials. 
+ * @author Jonathan
+ * Date: 7/19/13
+ */
+public class CertDAO extends CassDAOImpl<AuthzTrans,CertDAO.Data> {
+    public static final String TABLE = "x509";
+    public static final int CACHE_SEG = 0x40; // yields segment 0x0-0x3F
+    
+    private HistoryDAO historyDAO;
+	private CIDAO<AuthzTrans> infoDAO;
+	private PSInfo psX500,psID;
+	
+    public CertDAO(AuthzTrans trans, Cluster cluster, String keyspace) throws APIException, IOException {
+        super(trans, CertDAO.class.getSimpleName(),cluster, keyspace, Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+        init(trans);
+    }
+
+    public CertDAO(AuthzTrans trans, HistoryDAO hDao, CacheInfoDAO ciDao) throws APIException, IOException {
+        super(trans, CertDAO.class.getSimpleName(),hDao, Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+        historyDAO = hDao;
+        infoDAO = ciDao;
+        init(trans);
+    }
+    
+    public static final int KEYLIMIT = 2;
+	public static class Data extends CacheableData implements Bytification {
+    	
+        public String					ca;
+		public BigInteger 				serial;
+        public String	      			id;
+        public String					x500;
+        public String					x509;
+
+        @Override
+		public int[] invalidate(Cached<?,?> cache) {
+        	return new int[] {
+        		seg(cache,ca,serial)
+        	};
+		}
+        
+		@Override
+		public ByteBuffer bytify() throws IOException {
+			ByteArrayOutputStream baos = new ByteArrayOutputStream();
+			CertLoader.deflt.marshal(this,new DataOutputStream(baos));
+			return ByteBuffer.wrap(baos.toByteArray());
+		}
+		
+		@Override
+		public void reconstitute(ByteBuffer bb) throws IOException {
+			CertLoader.deflt.unmarshal(this, toDIS(bb));
+		}
+    }
+
+    private static class CertLoader extends Loader<Data> implements Streamer<Data>{
+		public static final int MAGIC=85102934;
+    	public static final int VERSION=1;
+    	public static final int BUFF_SIZE=48; // Note: 
+
+    	public static final CertLoader deflt = new CertLoader(KEYLIMIT);
+    	public CertLoader(int keylimit) {
+            super(keylimit);
+        }
+
+    	@Override
+        public Data load(Data data, Row row) {
+        	data.ca = row.getString(0);
+            ByteBuffer bb = row.getBytesUnsafe(1);
+            byte[] bytes = new byte[bb.remaining()];
+            bb.get(bytes);
+            data.serial = new BigInteger(bytes);
+            data.id = row.getString(2);
+            data.x500 = row.getString(3);
+            data.x509 = row.getString(4);
+            return data;
+        }
+
+        @Override
+        protected void key(Data data, int idx, Object[] obj) {
+            obj[idx] = data.ca;
+            obj[++idx] = ByteBuffer.wrap(data.serial.toByteArray());
+        }
+
+        @Override
+        protected void body(Data data, int _idx, Object[] obj) {
+        	int idx = _idx;
+
+            obj[idx] = data.id;
+            obj[++idx] = data.x500;
+            obj[++idx] = data.x509;
+
+            
+        }
+
+		@Override
+		public void marshal(Data data, DataOutputStream os) throws IOException {
+			writeHeader(os,MAGIC,VERSION);
+			writeString(os, data.id);
+			writeString(os, data.x500);
+			writeString(os, data.x509);
+			writeString(os, data.ca);
+			if(data.serial==null) {
+				os.writeInt(-1);
+			} else {
+				byte[] dsba = data.serial.toByteArray();
+				int l = dsba.length;
+				os.writeInt(l);
+				os.write(dsba,0,l);
+			}
+		}
+
+		@Override
+		public void unmarshal(Data data, DataInputStream is) throws IOException {
+			/*int version = */readHeader(is,MAGIC,VERSION);
+			// If Version Changes between Production runs, you'll need to do a switch Statement, and adequately read in fields
+			byte[] buff = new byte[BUFF_SIZE];
+			data.id = readString(is,buff);
+			data.x500 = readString(is,buff);
+			data.x509 = readString(is,buff);
+			data.ca = readString(is,buff);
+			int i = is.readInt();
+			if(i<0) {
+				data.serial=null;
+			} else {
+				byte[] bytes = new byte[i]; // a bit dangerous, but lessened because of all the previous sized data reads
+				is.read(bytes);
+				data.serial = new BigInteger(bytes);
+			}
+		}
+    }
+    
+    public Result<List<CertDAO.Data>> read(AuthzTrans trans, Object ... key) {
+    	// Translate BigInteger to Byte array for lookup
+    	return super.read(trans, key[0],ByteBuffer.wrap(((BigInteger)key[1]).toByteArray()));
+    }
+
+    private void init(AuthzTrans trans) throws APIException, IOException {
+        // Set up sub-DAOs
+        if(historyDAO==null) {
+        	historyDAO = new HistoryDAO(trans,this);
+        }
+		if(infoDAO==null) {
+			infoDAO = new CacheInfoDAO(trans,this);
+		}
+
+		String[] helpers = setCRUD(trans, TABLE, Data.class, CertLoader.deflt);
+
+		psID = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + " FROM " + TABLE +
+				" WHERE id = ?", CertLoader.deflt,readConsistency);
+
+		psX500 = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + " FROM " + TABLE +
+				" WHERE x500 = ?", CertLoader.deflt,readConsistency);
+		
+    }
+    
+	public Result<List<Data>> readX500(AuthzTrans trans, String x500) {
+		return psX500.read(trans, R_TEXT, new Object[]{x500});
+	}
+
+	public Result<List<Data>> readID(AuthzTrans trans, String id) {
+		return psID.read(trans, R_TEXT, new Object[]{id});
+	}
+
+    /**
+     * Log Modification statements to History
+     *
+     * @param modified        which CRUD action was done
+     * @param data            entity data that needs a log entry
+     * @param overrideMessage if this is specified, we use it rather than crafting a history message based on data
+     */
+    @Override
+    protected void wasModified(AuthzTrans trans, CRUD modified, Data data, String ... override) {
+    	boolean memo = override.length>0 && override[0]!=null;
+    	boolean subject = override.length>1 && override[1]!=null;
+
+        HistoryDAO.Data hd = HistoryDAO.newInitedData();
+        hd.user = trans.user();
+        hd.action = modified.name();
+        hd.target = TABLE;
+        hd.subject = subject?override[1]: data.id;
+        hd.memo = memo
+                ? String.format("%s by %s", override[0], hd.user)
+                : (modified.name() + "d certificate info for " + data.id);
+        // Detail?
+   		if(modified==CRUD.delete) {
+        			try {
+        				hd.reconstruct = data.bytify();
+        			} catch (IOException e) {
+        				trans.error().log(e,"Could not serialize CertDAO.Data");
+        			}
+        		}
+
+        if(historyDAO.create(trans, hd).status!=Status.OK) {
+        	trans.error().log("Cannot log to History");
+        }
+        if(infoDAO.touch(trans, TABLE,data.invalidate(cache)).status!=Status.OK) {
+        	trans.error().log("Cannot touch Cert");
+        }
+    }
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java
new file mode 100644
index 00000000..46dc12bf
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java
@@ -0,0 +1,258 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cass;
+
+import java.io.ByteArrayOutputStream;
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.Date;
+import java.util.List;
+
+import org.onap.aaf.auth.dao.Bytification;
+import org.onap.aaf.auth.dao.CIDAO;
+import org.onap.aaf.auth.dao.Cached;
+import org.onap.aaf.auth.dao.CassDAOImpl;
+import org.onap.aaf.auth.dao.Loader;
+import org.onap.aaf.auth.dao.Streamer;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.Row;
+
+/**
+ * CredDAO manages credentials. 
+ * @author Jonathan
+ * Date: 7/19/13
+ */
+public class CredDAO extends CassDAOImpl<AuthzTrans,CredDAO.Data> {
+    public static final String TABLE = "cred";
+    public static final int CACHE_SEG = 0x40; // yields segment 0x0-0x3F
+	public static final int RAW = -1;
+    public static final int BASIC_AUTH = 1;
+    public static final int BASIC_AUTH_SHA256 = 2;
+    public static final int CERT_SHA256_RSA =200;
+    
+    private HistoryDAO historyDAO;
+	private CIDAO<AuthzTrans> infoDAO;
+	private PSInfo psNS;
+	private PSInfo psID;
+	
+    public CredDAO(AuthzTrans trans, Cluster cluster, String keyspace) throws APIException, IOException {
+        super(trans, CredDAO.class.getSimpleName(),cluster, keyspace, Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+        init(trans);
+    }
+
+    public CredDAO(AuthzTrans trans, HistoryDAO hDao, CacheInfoDAO ciDao) throws APIException, IOException {
+        super(trans, CredDAO.class.getSimpleName(),hDao, Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+        historyDAO = hDao;
+        infoDAO = ciDao;
+        init(trans);
+    }
+
+    public static final int KEYLIMIT = 3;
+	public static class Data extends CacheableData implements Bytification {
+    	
+		public String       			id;
+        public Integer      			type;
+        public Date      				expires;
+        public Integer					other;
+		public String					ns;
+		public String					notes;
+        public ByteBuffer				cred;  //   this is a blob in cassandra
+
+
+        @Override
+		public int[] invalidate(Cached<?,?> cache) {
+        	return new int[] {
+        		seg(cache,id) // cache is for all entities
+        	};
+		}
+        
+		@Override
+		public ByteBuffer bytify() throws IOException {
+			ByteArrayOutputStream baos = new ByteArrayOutputStream();
+			CredLoader.deflt.marshal(this,new DataOutputStream(baos));
+			return ByteBuffer.wrap(baos.toByteArray());
+		}
+		
+		@Override
+		public void reconstitute(ByteBuffer bb) throws IOException {
+			CredLoader.deflt.unmarshal(this, toDIS(bb));
+		}
+
+		public String toString() {
+			return id + ' ' + type + ' ' + Chrono.dateTime(expires);
+		}
+    }
+
+    private static class CredLoader extends Loader<Data> implements Streamer<Data>{
+		public static final int MAGIC=153323443;
+    	public static final int VERSION=1;
+    	public static final int BUFF_SIZE=48; // Note: 
+
+    	public static final CredLoader deflt = new CredLoader(KEYLIMIT);
+    	public CredLoader(int keylimit) {
+            super(keylimit);
+        }
+
+    	@Override
+        public Data load(Data data, Row row) {
+            data.id = row.getString(0);
+            data.type = row.getInt(1);    // NOTE: in datastax driver,  If the int value is NULL, 0 is returned!
+            data.expires = row.getTimestamp(2);
+            data.other = row.getInt(3);
+            data.ns = row.getString(4);     
+            data.notes = row.getString(5);
+            data.cred = row.getBytesUnsafe(6);            
+            return data;
+        }
+
+        @Override
+        protected void key(Data data, int _idx, Object[] obj) {
+	    int idx = _idx;
+
+            obj[idx] = data.id;
+            obj[++idx] = data.type;
+            obj[++idx] = data.expires;
+        }
+
+        @Override
+        protected void body(Data data, int idx, Object[] obj) {
+            int i;
+            obj[i=idx] = data.other;
+            obj[++i] = data.ns;
+            obj[++i] = data.notes;
+            obj[++i] = data.cred;
+        }
+
+		@Override
+		public void marshal(Data data, DataOutputStream os) throws IOException {
+			writeHeader(os,MAGIC,VERSION);
+			writeString(os, data.id);
+			os.writeInt(data.type);	
+			os.writeLong(data.expires==null?-1:data.expires.getTime());
+			os.writeInt(data.other==null?0:data.other);
+			writeString(os, data.ns);
+			writeString(os, data.notes);
+			if(data.cred==null) {
+				os.writeInt(-1);
+			} else {
+				int l = data.cred.limit()-data.cred.position();
+				os.writeInt(l);
+				os.write(data.cred.array(),data.cred.position(),l);
+			}
+		}
+
+		@Override
+		public void unmarshal(Data data, DataInputStream is) throws IOException {
+			/*int version = */readHeader(is,MAGIC,VERSION);
+			// If Version Changes between Production runs, you'll need to do a switch Statement, and adequately read in fields
+			byte[] buff = new byte[BUFF_SIZE];
+			data.id = readString(is,buff);
+			data.type = is.readInt();
+			
+			long l = is.readLong();
+			data.expires = l<0?null:new Date(l);
+			data.other = is.readInt();
+			data.ns = readString(is,buff);
+			data.notes = readString(is,buff);
+			
+			int i = is.readInt();
+			if(i<0) {
+				data.cred=null;
+			} else {
+				byte[] bytes = new byte[i]; // a bit dangerous, but lessened because of all the previous sized data reads
+				is.read(bytes);
+				data.cred = ByteBuffer.wrap(bytes);
+			}
+		}
+    }
+
+    private void init(AuthzTrans trans) throws APIException, IOException {
+        // Set up sub-DAOs
+        if(historyDAO==null) {
+        	historyDAO = new HistoryDAO(trans,this);
+        }
+		if(infoDAO==null) {
+			infoDAO = new CacheInfoDAO(trans,this);
+		}
+		
+
+		String[] helpers = setCRUD(trans, TABLE, Data.class, CredLoader.deflt);
+		
+		psNS = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + " FROM " + TABLE +
+				" WHERE ns = ?", CredLoader.deflt,readConsistency);
+		
+		psID = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + " FROM " + TABLE +
+				" WHERE id = ?", CredLoader.deflt,readConsistency);
+    }
+    
+	public Result<List<Data>> readNS(AuthzTrans trans, String ns) {
+		return psNS.read(trans, R_TEXT, new Object[]{ns});
+	}
+	
+	public Result<List<Data>> readID(AuthzTrans trans, String id) {
+		return psID.read(trans, R_TEXT, new Object[]{id});
+	}
+	
+    /**
+     * Log Modification statements to History
+     *
+     * @param modified        which CRUD action was done
+     * @param data            entity data that needs a log entry
+     * @param overrideMessage if this is specified, we use it rather than crafting a history message based on data
+     */
+    @Override
+    protected void wasModified(AuthzTrans trans, CRUD modified, Data data, String ... override) {
+    	boolean memo = override.length>0 && override[0]!=null;
+    	boolean subject = override.length>1 && override[1]!=null;
+
+        HistoryDAO.Data hd = HistoryDAO.newInitedData();
+        hd.user = trans.user();
+        hd.action = modified.name();
+        hd.target = TABLE;
+        hd.subject = subject?override[1]: data.id;
+        hd.memo = memo
+                ? String.format("%s by %s", override[0], hd.user)
+                : (modified.name() + "d credential for " + data.id);
+        // Detail?
+   		if(modified==CRUD.delete) {
+        			try {
+        				hd.reconstruct = data.bytify();
+        			} catch (IOException e) {
+        				trans.error().log(e,"Could not serialize CredDAO.Data");
+        			}
+        		}
+
+        if(historyDAO.create(trans, hd).status!=Status.OK) {
+        	trans.error().log("Cannot log to History");
+        }
+        if(infoDAO.touch(trans, TABLE,data.invalidate(cache)).status!=Status.OK) {
+        	trans.error().log("Cannot touch Cred");
+        }
+    }
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/DelegateDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/DelegateDAO.java
new file mode 100644
index 00000000..78a98e1d
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/DelegateDAO.java
@@ -0,0 +1,138 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cass;
+
+import java.io.ByteArrayOutputStream;
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.Date;
+import java.util.List;
+
+import org.onap.aaf.auth.dao.AbsCassDAO;
+import org.onap.aaf.auth.dao.Bytification;
+import org.onap.aaf.auth.dao.CassDAOImpl;
+import org.onap.aaf.auth.dao.Loader;
+import org.onap.aaf.auth.dao.Streamer;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.Row;
+
+public class DelegateDAO extends CassDAOImpl<AuthzTrans, DelegateDAO.Data> {
+
+	public static final String TABLE = "delegate";
+	private PSInfo psByDelegate;
+	
+	public DelegateDAO(AuthzTrans trans, Cluster cluster, String keyspace) {
+		super(trans, DelegateDAO.class.getSimpleName(),cluster,keyspace,Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+		init(trans);
+	}
+
+	public DelegateDAO(AuthzTrans trans, AbsCassDAO<AuthzTrans,?> aDao) {
+		super(trans, DelegateDAO.class.getSimpleName(),aDao,Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+		init(trans);
+	}
+	
+	private static final int KEYLIMIT = 1;
+	public static class Data implements Bytification {
+		public String user;
+		public String delegate;
+		public Date expires;
+
+		@Override
+		public ByteBuffer bytify() throws IOException {
+			ByteArrayOutputStream baos = new ByteArrayOutputStream();
+			DelegateLoader.dflt.marshal(this,new DataOutputStream(baos));
+			return ByteBuffer.wrap(baos.toByteArray());
+		}
+		
+		@Override
+		public void reconstitute(ByteBuffer bb) throws IOException {
+			DelegateLoader.dflt.unmarshal(this, toDIS(bb));
+		}
+	}
+	
+	private static class DelegateLoader extends Loader<Data> implements Streamer<Data>{
+		public static final int MAGIC=0xD823ACF2;
+    	public static final int VERSION=1;
+    	public static final int BUFF_SIZE=48;
+
+		public static final DelegateLoader dflt = new DelegateLoader(KEYLIMIT);
+
+		public DelegateLoader(int keylimit) {
+			super(keylimit);
+		}
+		
+		@Override
+		public Data load(Data data, Row row) {
+			data.user = row.getString(0);
+			data.delegate = row.getString(1);
+			data.expires = row.getTimestamp(2);
+			return data;
+		}
+
+		@Override
+		protected void key(Data data, int idx, Object[] obj) {
+			obj[idx]=data.user;
+		}
+
+		@Override
+		protected void body(Data data, int _idx, Object[] obj) {
+		    	int idx = _idx;
+
+			obj[idx]=data.delegate;
+			obj[++idx]=data.expires;
+		}
+
+		@Override
+		public void marshal(Data data, DataOutputStream os) throws IOException {
+			writeHeader(os,MAGIC,VERSION);
+			writeString(os, data.user);
+			writeString(os, data.delegate);
+			os.writeLong(data.expires.getTime());
+		}
+
+		@Override
+		public void unmarshal(Data data, DataInputStream is) throws IOException {
+			/*int version = */readHeader(is,MAGIC,VERSION);
+			// If Version Changes between Production runs, you'll need to do a switch Statement, and adequately read in fields
+			byte[] buff = new byte[BUFF_SIZE];
+			data.user = readString(is, buff);
+			data.delegate = readString(is,buff);
+			data.expires = new Date(is.readLong());
+		}
+	}	
+	
+	private void init(AuthzTrans trans) {
+		String[] helpers = setCRUD(trans, TABLE, Data.class, DelegateLoader.dflt);
+		psByDelegate = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + " FROM " + TABLE +
+				" WHERE delegate = ?", new DelegateLoader(1),readConsistency);
+
+	}
+
+	public Result<List<DelegateDAO.Data>> readByDelegate(AuthzTrans trans, String delegate) {
+		return psByDelegate.read(trans, R_TEXT, new Object[]{delegate});
+	}
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/FutureDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/FutureDAO.java
new file mode 100644
index 00000000..0263e009
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/FutureDAO.java
@@ -0,0 +1,183 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cass;
+
+import java.nio.ByteBuffer;
+import java.util.Date;
+import java.util.List;
+import java.util.UUID;
+
+import org.onap.aaf.auth.dao.CassDAOImpl;
+import org.onap.aaf.auth.dao.DAOException;
+import org.onap.aaf.auth.dao.Loader;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.Row;
+
+/**
+ * FutureDAO stores Construction information to create 
+ * elements at another time.
+ * 
+ * @author Jonathan
+ * 8/20/2013
+ */
+public class FutureDAO extends CassDAOImpl<AuthzTrans,FutureDAO.Data> {
+    private static final String TABLE = "future";
+	private final HistoryDAO historyDAO;
+//	private static String createString;
+	private PSInfo psByStartAndTarget;
+	
+    public FutureDAO(AuthzTrans trans, Cluster cluster, String keyspace) {
+        super(trans, FutureDAO.class.getSimpleName(),cluster, keyspace, Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+		historyDAO = new HistoryDAO(trans, this);
+        init(trans);
+    }
+
+    public FutureDAO(AuthzTrans trans, HistoryDAO hDAO) {
+        super(trans, FutureDAO.class.getSimpleName(),hDAO, Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+        historyDAO=hDAO;
+        init(trans);
+    }
+
+    public static final int KEYLIMIT = 1;
+    public static class Data {
+        public UUID         id;
+        public String		target;
+        public String		memo;
+        public Date       	start;
+        public Date       	expires;
+        public ByteBuffer 	construct;  //   this is a blob in cassandra
+    }
+
+    private static class FLoader extends Loader<Data> {
+        public FLoader() {
+            super(KEYLIMIT);
+        }
+
+        public FLoader(int keylimit) {
+            super(keylimit);
+        }
+
+        @Override
+	public Data load(Data data, Row row) {
+            data.id 		= row.getUUID(0);
+            data.target		= row.getString(1);
+            data.memo       = row.getString(2);
+            data.start 		= row.getTimestamp(3);
+            data.expires 	= row.getTimestamp(4);
+            data.construct 	= row.getBytes(5);
+            return data;
+        }
+
+        @Override
+        protected void key(Data data, int idx, Object[] obj) {
+            obj[idx] = data.id;
+        }
+
+        @Override
+        protected void body(Data data, int _idx, Object[] obj) {
+	    int idx = _idx;
+
+            obj[idx] = data.target;
+            obj[++idx] = data.memo;
+            obj[++idx] = data.start;
+            obj[++idx] = data.expires;
+            obj[++idx] = data.construct;
+        }
+    }
+
+    private void init(AuthzTrans trans) {
+        // Set up sub-DAOs
+        String[] helpers = setCRUD(trans, TABLE, Data.class, new FLoader(KEYLIMIT));
+
+        // Uh, oh.  Can't use "now()" in Prepared Statements (at least at this level)
+//		createString = "INSERT INTO " + TABLE + " ("+helpers[FIELD_COMMAS] +") VALUES (now(),";
+//
+//		// Need a specialty Creator to handle the "now()"
+//		replace(CRUD.Create, new PSInfo(trans, "INSERT INTO future (" +  helpers[FIELD_COMMAS] +
+//					") VALUES(now(),?,?,?,?,?)",new FLoader(0)));
+		
+		// Other SELECT style statements... match with a local Method
+		psByStartAndTarget = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] +
+				" FROM future WHERE start <= ? and target = ? ALLOW FILTERING", new FLoader(2) {
+			@Override
+			protected void key(Data data, int _idx, Object[] obj) {
+			    	int idx = _idx;
+
+				obj[idx]=data.start;
+				obj[++idx]=data.target;
+			}
+		},readConsistency);
+		
+
+    }
+
+    public Result<List<Data>> readByStartAndTarget(AuthzTrans trans, Date start, String target) throws DAOException {
+		return psByStartAndTarget.read(trans, R_TEXT, new Object[]{start, target});
+	}
+
+    /**
+	 * Override create to add secondary ID to Subject in History, and create Data.ID, if it is null
+     */
+	public Result<FutureDAO.Data> create(AuthzTrans trans,	FutureDAO.Data data, String id) {
+		// If ID is not set (typical), create one.
+		if(data.id==null) {
+			StringBuilder sb = new StringBuilder(trans.user());
+			sb.append(data.target);
+			sb.append(System.currentTimeMillis());
+			data.id = UUID.nameUUIDFromBytes(sb.toString().getBytes());
+		}
+		Result<ResultSet> rs = createPS.exec(trans, C_TEXT, data);
+		if(rs.notOK()) {
+			return Result.err(rs);
+		}
+		wasModified(trans, CRUD.create, data, null, id);
+		return Result.ok(data);	
+	}
+
+	/**
+	 * Log Modification statements to History
+	 *
+	 * @param modified        which CRUD action was done
+	 * @param data            entity data that needs a log entry
+	 * @param overrideMessage if this is specified, we use it rather than crafting a history message based on data
+	 */
+	@Override
+	protected void wasModified(AuthzTrans trans, CRUD modified, Data data, String ... override) {
+		boolean memo = override.length>0 && override[0]!=null;
+		boolean subject = override.length>1 && override[1]!=null;
+		HistoryDAO.Data hd = HistoryDAO.newInitedData();
+	    hd.user = trans.user();
+		hd.action = modified.name();
+		hd.target = TABLE;
+		hd.subject = subject?override[1]:"";
+	    hd.memo = memo?String.format("%s by %s", override[0], hd.user):data.memo;
+	
+		if(historyDAO.create(trans, hd).status!=Status.OK) {
+	    	trans.error().log("Cannot log to History");
+		}
+	}
+    
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/HistoryDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/HistoryDAO.java
new file mode 100644
index 00000000..8e4ada10
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/HistoryDAO.java
@@ -0,0 +1,238 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cass;
+
+import java.nio.ByteBuffer;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+import java.util.List;
+import java.util.UUID;
+
+import org.onap.aaf.auth.dao.AbsCassDAO;
+import org.onap.aaf.auth.dao.CassDAOImpl;
+import org.onap.aaf.auth.dao.Loader;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.ConsistencyLevel;
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.Row;
+
+/**
+ * History
+ * 
+ * Originally written PE3617
+ * @author Jonathan
+ * 
+ * History is a special case, because we don't want Updates or Deletes...  Too likely to mess up history.
+ * 
+ * Jonathan 9-9-2013 - Found a problem with using "Prepare".  You cannot prepare anything with a "now()" in it, as
+ * it is evaluated once during the prepare, and kept.  That renders any use of "now()" pointless.  Therefore
+ * the Create function needs to be run fresh everytime.
+ * 
+ * Fixed in Cassandra 1.2.6 https://issues.apache.org/jira/browse/CASSANDRA-5616
+ *
+ */
+public class HistoryDAO extends CassDAOImpl<AuthzTrans, HistoryDAO.Data> {
+	private static final String TABLE = "history";
+
+	public static final SimpleDateFormat monthFormat = new SimpleDateFormat("yyyyMM");
+//	private static final SimpleDateFormat dayTimeFormat = new SimpleDateFormat("ddHHmmss");
+
+	private String[] helpers;
+
+	private HistLoader defLoader;
+
+	private AbsCassDAO<AuthzTrans, Data>.PSInfo readByUser, readBySubject, readByYRMN;
+
+	public HistoryDAO(AuthzTrans trans, Cluster cluster, String keyspace) {
+		super(trans, HistoryDAO.class.getSimpleName(),cluster,keyspace,Data.class,TABLE,ConsistencyLevel.LOCAL_ONE,ConsistencyLevel.ANY);
+		init(trans);
+	}
+
+	public HistoryDAO(AuthzTrans trans, AbsCassDAO<AuthzTrans,?> aDao) {
+		super(trans, HistoryDAO.class.getSimpleName(),aDao,Data.class,TABLE,ConsistencyLevel.LOCAL_ONE,ConsistencyLevel.ANY);
+		init(trans);
+	}
+
+
+	private static final int KEYLIMIT = 1;
+	public static class Data {
+		public UUID id;
+		public int	yr_mon;
+		public String user;
+		public String action;
+		public String target;
+		public String subject;
+		public String  memo;
+//		Map<String, String>  detail = null;
+//		public Map<String, String>  detail() {
+//			if(detail == null) {
+//				detail = new HashMap<String, String>();
+//			}
+//			return detail;
+//		}
+		public ByteBuffer reconstruct;
+	}
+	
+	private static class HistLoader extends Loader<Data> {
+		public HistLoader(int keylimit) {
+			super(keylimit);
+		}
+
+		@Override
+		public Data load(Data data, Row row) {
+			data.id = row.getUUID(0);
+			data.yr_mon = row.getInt(1);
+			data.user = row.getString(2);
+			data.action = row.getString(3);
+			data.target = row.getString(4);
+			data.subject = row.getString(5);
+			data.memo = row.getString(6);
+//			data.detail = row.getMap(6, String.class, String.class);
+			data.reconstruct = row.getBytes(7);
+			return data;
+		}
+
+		@Override
+		protected void key(Data data, int idx, Object[] obj) {
+			obj[idx]=data.id;
+		}
+
+		@Override
+		protected void body(Data data, int _idx, Object[] obj) {
+		    	int idx = _idx;
+			obj[idx]=data.yr_mon;
+			obj[++idx]=data.user;
+			obj[++idx]=data.action;
+			obj[++idx]=data.target;
+			obj[++idx]=data.subject;
+			obj[++idx]=data.memo;
+//			obj[++idx]=data.detail;
+			obj[++idx]=data.reconstruct;		
+		}
+	};
+	
+	private void init(AuthzTrans trans) {
+		// Loader must match fields order
+		defLoader = new HistLoader(KEYLIMIT);
+		helpers = setCRUD(trans, TABLE, Data.class, defLoader);
+
+		// Need a specialty Creator to handle the "now()"
+		// 9/9/2013 - Jonathan - Just great... now() is evaluated once on Client side, invalidating usage (what point is a now() from a long time in the past?
+		// Unless this is fixed, we're putting in non-prepared statement
+		// Solved in Cassandra.  Make sure you are running 1.2.6 Cassandra or later. https://issues.apache.org/jira/browse/CASSANDRA-5616	
+		replace(CRUD.create, new PSInfo(trans, "INSERT INTO history (" +  helpers[FIELD_COMMAS] +
+					") VALUES(now(),?,?,?,?,?,?,?)", 
+					new HistLoader(0) {
+						@Override
+						protected void key(Data data, int idx, Object[] obj) {
+						}
+					},writeConsistency)
+				);
+//		disable(CRUD.Create);
+		
+		replace(CRUD.read, new PSInfo(trans, SELECT_SP +  helpers[FIELD_COMMAS] +
+				" FROM history WHERE id = ?", defLoader,readConsistency) 
+//				new HistLoader(2) {
+//					@Override
+//					protected void key(Data data, int idx, Object[] obj) {
+//						obj[idx]=data.yr_mon;
+//						obj[++idx]=data.id;
+//					}
+//				})
+			);
+		disable(CRUD.update);
+		disable(CRUD.delete);
+		
+		readByUser = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + 
+				" FROM history WHERE user = ?", defLoader,readConsistency);
+		readBySubject = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + 
+				" FROM history WHERE subject = ? and target = ? ALLOW FILTERING", defLoader,readConsistency);
+		readByYRMN = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + 
+				" FROM history WHERE yr_mon = ?", defLoader,readConsistency);
+		async(true); //TODO dropping messages with Async
+	}
+
+	public static Data newInitedData() {
+		Data data = new Data();
+		Date now = new Date();
+		data.yr_mon = Integer.parseInt(monthFormat.format(now));
+		// data.day_time = Integer.parseInt(dayTimeFormat.format(now));
+		return data;		
+	}
+
+	public Result<List<Data>> readByYYYYMM(AuthzTrans trans, int yyyymm) {
+		Result<ResultSet> rs = readByYRMN.exec(trans, "yr_mon", yyyymm);
+		if(rs.notOK()) {
+			return Result.err(rs);
+		}
+		return extract(defLoader,rs.value,null,dflt);
+	}
+
+	/**
+	 * Gets the history for a user in the specified year and month
+	 * year - the year in yyyy format
+	 * month -  the month in a year ...values 1 - 12
+	 **/
+	public Result<List<Data>> readByUser(AuthzTrans trans, String user, int ... yyyymm) {
+		if(yyyymm.length==0) {
+			return Result.err(Status.ERR_BadData, "No or invalid yyyymm specified");
+		}
+		Result<ResultSet> rs = readByUser.exec(trans, "user", user);
+		if(rs.notOK()) {
+			return Result.err(rs);
+		}
+		return extract(defLoader,rs.value,null,yyyymm.length>0?new YYYYMM(yyyymm):dflt);
+	}
+	
+	public Result<List<Data>> readBySubject(AuthzTrans trans, String subject, String target, int ... yyyymm) {
+		if(yyyymm.length==0) {
+			return Result.err(Status.ERR_BadData, "No or invalid yyyymm specified");
+		}
+		Result<ResultSet> rs = readBySubject.exec(trans, "subject", subject, target);
+		if(rs.notOK()) {
+			return Result.err(rs);
+		}
+		return extract(defLoader,rs.value,null,yyyymm.length>0?new YYYYMM(yyyymm):dflt);
+	}
+	
+	private class YYYYMM implements Accept<Data> {
+		private int[] yyyymm;
+		public YYYYMM(int yyyymm[]) {
+			this.yyyymm = yyyymm;
+		}
+		@Override
+		public boolean ok(Data data) {
+			int dym = data.yr_mon;
+			for(int ym:yyyymm) {
+				if(dym==ym) {
+					return true;
+				}
+			}
+			return false;
+		}
+		
+	};
+	
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/LocateDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/LocateDAO.java
new file mode 100644
index 00000000..bdf2748c
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/LocateDAO.java
@@ -0,0 +1,231 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cass;
+
+import java.io.ByteArrayOutputStream;
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.UUID;
+
+import org.onap.aaf.auth.dao.AbsCassDAO;
+import org.onap.aaf.auth.dao.Bytification;
+import org.onap.aaf.auth.dao.CassDAOImpl;
+import org.onap.aaf.auth.dao.Loader;
+import org.onap.aaf.auth.dao.Streamer;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.Row;
+
+/**
+ * LocateDAO manages credentials. 
+ * @author Jonathan
+ * Date: 10/11/17
+ */
+public class LocateDAO extends CassDAOImpl<AuthzTrans,LocateDAO.Data> {
+    public static final String TABLE = "locate";
+	private AbsCassDAO<AuthzTrans, Data>.PSInfo psName;
+    
+    public LocateDAO(AuthzTrans trans, Cluster cluster, String keyspace) throws APIException, IOException {
+        super(trans, LocateDAO.class.getSimpleName(),cluster, keyspace, Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+        init(trans);
+    }
+
+    public LocateDAO(AuthzTrans trans, AbsCassDAO<AuthzTrans,?> adao) throws APIException, IOException {
+        super(trans, LocateDAO.class.getSimpleName(), adao, Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+        init(trans);
+    }
+    
+    public static final int KEYLIMIT = 3;
+	public static class Data implements Bytification {
+    	
+        public String					name;
+		public String					hostname;
+		public int						port;
+		public int						major;
+		public int						minor;
+		public int						patch;
+		public int						pkg;
+		public float						latitude;
+		public float						longitude;
+		public String					protocol;
+		private Set<String>				subprotocol;
+		public UUID						port_key; // Note: Keep Port_key LAST at all times, because we shorten the UPDATE to leave Port_key Alone during reregistration.
+
+	  // Getters
+		public Set<String> subprotocol(boolean mutable) {
+			if (subprotocol == null) {
+				subprotocol = new HashSet<String>();
+			} else if (mutable && !(subprotocol instanceof HashSet)) {
+				subprotocol = new HashSet<String>(subprotocol);
+			}
+			return subprotocol;
+		}
+		
+        @Override
+		public ByteBuffer bytify() throws IOException {
+			ByteArrayOutputStream baos = new ByteArrayOutputStream();
+			LocateLoader.deflt.marshal(this,new DataOutputStream(baos));
+			return ByteBuffer.wrap(baos.toByteArray());
+		}
+		
+		@Override
+		public void reconstitute(ByteBuffer bb) throws IOException {
+			LocateLoader.deflt.unmarshal(this, toDIS(bb));
+		}
+    }
+
+    private static class LocateLoader extends Loader<Data> implements Streamer<Data>{
+		public static final int MAGIC=85102934;
+	    	public static final int VERSION=1;
+	    	public static final int BUFF_SIZE=48; // Note: 
+	
+	    	public static final LocateLoader deflt = new LocateLoader(KEYLIMIT);
+	    	public LocateLoader(int keylimit) {
+	        super(keylimit);
+        }
+
+    	@Override
+        public Data load(Data data, Row row) {
+    			data.name = row.getString(0);
+    			data.hostname = row.getString(1);
+    			data.port = row.getInt(2);
+    			data.major = row.getInt(3);
+    			data.minor = row.getInt(4);
+    			data.patch = row.getInt(5);
+    			data.pkg = row.getInt(6);
+    			data.latitude = row.getFloat(7);
+    			data.longitude = row.getFloat(8);
+    			data.protocol = row.getString(9);
+    			data.subprotocol = row.getSet(10,String.class);
+    			data.port_key = row.getUUID(11);
+            return data;
+        }
+
+        @Override
+        protected void key(Data data, int idx, Object[] obj) {
+            obj[idx] = data.name;
+            obj[++idx] = data.hostname;
+            obj[++idx] = data.port;
+        }
+
+        @Override
+        protected void body(final Data data, final int _idx, final Object[] obj) {
+        		int idx = _idx;
+            obj[idx] = data.major;
+            obj[++idx] = data.minor;
+            obj[++idx] = data.patch;
+            obj[++idx] = data.pkg;
+            obj[++idx] = data.latitude;
+            obj[++idx] = data.longitude;
+            obj[++idx] = data.protocol;
+            obj[++idx] = data.subprotocol;
+            obj[++idx] = data.port_key;
+        }
+
+		@Override
+		public void marshal(Data data, DataOutputStream os) throws IOException {
+			writeHeader(os,MAGIC,VERSION);
+			writeString(os, data.name);
+			writeString(os, data.hostname);
+			os.writeInt(data.port);
+			os.writeInt(data.major);
+			os.writeInt(data.minor);
+			os.writeInt(data.patch);
+			os.writeInt(data.pkg);
+			os.writeFloat(data.latitude);
+			os.writeFloat(data.longitude);
+			writeString(os, data.protocol);
+			if(data.subprotocol==null) {
+				os.writeInt(0);
+			} else {
+				os.writeInt(data.subprotocol.size());
+				for(String s: data.subprotocol) {
+					writeString(os,s);
+				}
+			}
+			
+			writeString(os,data.port_key==null?"":data.port_key.toString());
+		}
+
+		@Override
+		public void unmarshal(Data data, DataInputStream is) throws IOException {
+			/*int version = */readHeader(is,MAGIC,VERSION);
+			// If Version Changes between Production runs, you'll need to do a switch Statement, and adequately read in fields
+			byte[] buff = new byte[BUFF_SIZE];
+			data.name = readString(is,buff);
+			data.hostname = readString(is,buff);
+			data.port = is.readInt();
+			data.major = is.readInt();
+			data.minor = is.readInt();
+			data.patch = is.readInt();
+			data.pkg = is.readInt();
+			data.latitude = is.readFloat();
+			data.longitude = is.readFloat();
+			data.protocol = readString(is,buff);
+			
+			int size = is.readInt();
+			data.subprotocol = new HashSet<String>(size);
+			for(int i=0;i<size;++i) {
+				data.subprotocol.add(readString(is,buff));
+			}
+			String port_key = readString(is,buff);
+			if(port_key.length()>0) {
+				data.port_key=UUID.fromString(port_key);
+			} else {
+				data.port_key = null;
+			}
+		}
+    }
+    
+    public Result<List<LocateDAO.Data>> readByName(AuthzTrans trans, String service) {
+    		return psName.read(trans, "Read By Name", new Object[] {service});
+    }
+
+    private void init(AuthzTrans trans) throws APIException, IOException {
+        // Set up sub-DAOs
+		String[] helpers = setCRUD(trans, TABLE, Data.class, LocateLoader.deflt);
+//		int lastComma = helpers[ASSIGNMENT_COMMAS].lastIndexOf(',');
+//		replace(CRUD.update,new PSInfo(trans,"UPDATE LOCATE SET " + helpers[ASSIGNMENT_COMMAS].substring(0, lastComma) +
+//				" WHERE name=? AND hostname=? AND port=?;", new LocateLoader(3),writeConsistency));
+		psName = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + " FROM " + TABLE +
+				" WHERE name = ?", new LocateLoader(1),readConsistency);
+    }
+    
+    /**
+     * Log Modification statements to History
+     *
+     * @param modified        which CRUD action was done
+     * @param data            entity data that needs a log entry
+     * @param overrideMessage if this is specified, we use it rather than crafting a history message based on data
+     */
+    @Override
+    protected void wasModified(AuthzTrans trans, CRUD modified, Data data, String ... override) {
+    }
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/Namespace.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/Namespace.java
new file mode 100644
index 00000000..4b1ff149
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/Namespace.java
@@ -0,0 +1,150 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cass;
+
+import java.io.ByteArrayOutputStream;
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map.Entry;
+
+import org.onap.aaf.auth.dao.Bytification;
+import org.onap.aaf.auth.dao.CassDAOImpl;
+import org.onap.aaf.auth.dao.Loader;
+import org.onap.aaf.auth.rserv.Pair;
+
+
+public class Namespace implements Bytification {
+	public static final int MAGIC=250935515;
+	public static final int VERSION=1;
+	public static final int BUFF_SIZE=48;
+
+	public String name;
+	public List<String> owner;
+	public List<String> admin;
+	public List<Pair<String,String>> attrib;
+	public String description;
+	public Integer type;
+	public String parent;
+	public Namespace() {}
+	
+	public Namespace(NsDAO.Data ndd) {
+		name = ndd.name;
+		description = ndd.description;
+		type = ndd.type;
+		parent = ndd.parent;
+		if(ndd.attrib!=null && !ndd.attrib.isEmpty()) {
+			attrib = new ArrayList<Pair<String,String>>();
+			for( Entry<String, String> entry : ndd.attrib.entrySet()) {
+				attrib.add(new Pair<String,String>(entry.getKey(),entry.getValue()));
+			}
+		}
+	}
+	
+	public Namespace(NsDAO.Data ndd,List<String> owner, List<String> admin) {
+		name = ndd.name;
+		this.owner = owner;
+		this.admin = admin;
+		description = ndd.description;
+		type = ndd.type;
+		parent = ndd.parent;
+		if(ndd.attrib!=null && !ndd.attrib.isEmpty()) {
+			attrib = new ArrayList<Pair<String,String>>();
+			for( Entry<String, String> entry : ndd.attrib.entrySet()) {
+				attrib.add(new Pair<String,String>(entry.getKey(),entry.getValue()));
+			}
+		}
+	}
+
+	public NsDAO.Data data() {
+		NsDAO.Data ndd = new NsDAO.Data();
+		ndd.name = name;
+		ndd.description = description;
+		ndd.parent = parent;
+		ndd.type = type;
+		return ndd;
+	}
+
+	@Override
+	public ByteBuffer bytify() throws IOException {
+		ByteArrayOutputStream baos = new ByteArrayOutputStream();
+		DataOutputStream os = new DataOutputStream(baos);
+
+		Loader.writeHeader(os,MAGIC,VERSION);
+		Loader.writeString(os, name);
+		os.writeInt(type);
+		Loader.writeStringSet(os,admin);
+		Loader.writeStringSet(os,owner);
+		Loader.writeString(os,description);
+		Loader.writeString(os,parent);
+
+		return ByteBuffer.wrap(baos.toByteArray());
+	}
+
+	@Override
+	public void reconstitute(ByteBuffer bb) throws IOException {
+		DataInputStream is = CassDAOImpl.toDIS(bb);
+		/*int version = */Loader.readHeader(is,MAGIC,VERSION);
+		// If Version Changes between Production runs, you'll need to do a switch Statement, and adequately read in fields
+		
+		byte[] buff = new byte[BUFF_SIZE];
+		name = Loader.readString(is, buff);
+		type = is.readInt();
+		admin = Loader.readStringList(is,buff);
+		owner = Loader.readStringList(is,buff);
+		description = Loader.readString(is,buff);
+		parent = Loader.readString(is,buff);
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see java.lang.Object#hashCode()
+	 */
+	@Override
+	public int hashCode() {
+		return name.hashCode();
+	}
+	
+
+	/* (non-Javadoc)
+	 * @see java.lang.Object#toString()
+	 */
+	@Override
+	public String toString() {
+		return name.toString();
+	}
+
+	/* (non-Javadoc)
+	 * @see java.lang.Object#equals(java.lang.Object)
+	 */
+	@Override
+	public boolean equals(Object arg0) {
+		if(arg0==null || !(arg0 instanceof Namespace)) {
+			return false;
+		}
+		return name.equals(((Namespace)arg0).name);
+	}
+
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/NsDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/NsDAO.java
new file mode 100644
index 00000000..567246d8
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/NsDAO.java
@@ -0,0 +1,560 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cass;
+
+import java.io.ByteArrayOutputStream;
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.onap.aaf.auth.dao.Bytification;
+import org.onap.aaf.auth.dao.Cached;
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.CassDAOImpl;
+import org.onap.aaf.auth.dao.Loader;
+import org.onap.aaf.auth.dao.Streamer;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+
+import java.util.Set;
+
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.Row;
+import com.datastax.driver.core.exceptions.DriverException;
+
+/**
+ * NsDAO
+ * 
+ * Data Access Object for Namespace Data
+ * 
+ * @author Jonathan
+ *
+ */
+public class NsDAO extends CassDAOImpl<AuthzTrans,NsDAO.Data> {
+	public static final String TABLE = "ns";
+	public static final String TABLE_ATTRIB = "ns_attrib";
+    public static final int CACHE_SEG = 0x40; // yields segment 0x0-0x3F
+    public static final int ROOT = 1;
+    public static final int COMPANY=2;
+    public static final int APP = 3;
+
+	private static final String BEGIN_BATCH = "BEGIN BATCH\n";
+	private static final String APPLY_BATCH = "\nAPPLY BATCH;\n";
+	private static final String SQSCCR = "';\n";
+	private static final String SQCSQ = "','";
+    
+	private HistoryDAO historyDAO;
+	private CacheInfoDAO infoDAO;
+	private PSInfo psNS;
+
+	public NsDAO(AuthzTrans trans, Cluster cluster, String keyspace) throws APIException, IOException {
+		super(trans, NsDAO.class.getSimpleName(),cluster,keyspace,Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+		init(trans);
+	}
+
+	public NsDAO(AuthzTrans trans, HistoryDAO hDAO, CacheInfoDAO iDAO) throws APIException, IOException {
+		super(trans, NsDAO.class.getSimpleName(),hDAO,Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+		historyDAO=hDAO;
+		infoDAO = iDAO;
+		init(trans);
+	}
+
+
+    //////////////////////////////////////////
+    // Data Definition, matches Cassandra DM
+    //////////////////////////////////////////
+    private static final int KEYLIMIT = 1;
+    /**
+     * Data class that matches the Cassandra Table "role"
+     * 
+     * @author Jonathan
+     */
+	public static class Data extends CacheableData implements Bytification {
+		public String		      name;
+		public int			      type;
+		public String			  description;
+		public String			  parent;
+		public Map<String,String> attrib;
+
+//		////////////////////////////////////////
+//        // Getters
+		public Map<String,String> attrib(boolean mutable) {
+			if (attrib == null) {
+				attrib = new HashMap<String,String>();
+			} else if (mutable && !(attrib instanceof HashMap)) {
+				attrib = new HashMap<String,String>(attrib);
+			}
+			return attrib;
+		}
+
+		@Override
+		public int[] invalidate(Cached<?,?> cache) {
+			return new int[] {
+				seg(cache,name)
+			};
+		}
+
+		public NsSplit split(String name) {
+			return new NsSplit(this,name);
+		}
+
+		@Override
+		public ByteBuffer bytify() throws IOException {
+			ByteArrayOutputStream baos = new ByteArrayOutputStream();
+			NSLoader.deflt.marshal(this,new DataOutputStream(baos));
+			return ByteBuffer.wrap(baos.toByteArray());
+		}
+		
+		@Override
+		public void reconstitute(ByteBuffer bb) throws IOException {
+			NSLoader.deflt.unmarshal(this,toDIS(bb));
+		}
+		
+		@Override
+		public String toString() {
+			return name;
+		}
+		
+    }
+    
+    private void init(AuthzTrans trans) throws APIException, IOException {
+        // Set up sub-DAOs
+        if(historyDAO==null) {
+	    historyDAO = new HistoryDAO(trans, this);
+	}
+        if(infoDAO==null) {
+	    infoDAO = new CacheInfoDAO(trans,this);
+	}
+
+		String[] helpers = setCRUD(trans, TABLE, Data.class, NSLoader.deflt,4/*need to skip attrib */);
+		
+		psNS = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + " FROM " + TABLE +
+				" WHERE parent = ?", new NSLoader(1),readConsistency);
+
+	}
+	
+    private static final class NSLoader extends Loader<Data> implements Streamer<Data> {
+		public static final int MAGIC=250935515;
+    	public static final int VERSION=1;
+    	public static final int BUFF_SIZE=48;
+
+    	public static final NSLoader deflt = new NSLoader(KEYLIMIT);
+    	
+		public NSLoader(int keylimit) {
+			super(keylimit);
+		}
+
+		@Override
+		public Data load(Data data, Row row) {
+			// Int more efficient
+			data.name = row.getString(0);
+			data.type = row.getInt(1);
+			data.description = row.getString(2);
+			data.parent = row.getString(3);
+			return data;
+		}
+
+		@Override
+		protected void key(Data data, int idx, Object[] obj) {
+			obj[idx]=data.name;
+		}
+
+		@Override
+		protected void body(Data data, int _idx, Object[] obj) {
+		    	int idx = _idx;
+
+			obj[idx]=data.type;
+			obj[++idx]=data.description;
+			obj[++idx]=data.parent;
+		}
+		
+		@Override
+		public void marshal(Data data, DataOutputStream os) throws IOException {
+			writeHeader(os,MAGIC,VERSION);
+			writeString(os, data.name);
+			os.writeInt(data.type);
+			writeString(os,data.description);
+			writeString(os,data.parent);
+			if(data.attrib==null) {
+				os.writeInt(-1);
+			} else {
+				os.writeInt(data.attrib.size());
+				for(Entry<String, String> es : data.attrib(false).entrySet()) {
+					writeString(os,es.getKey());
+					writeString(os,es.getValue());
+				}
+			}
+		}
+
+		@Override
+		public void unmarshal(Data data, DataInputStream is) throws IOException {
+			/*int version = */readHeader(is,MAGIC,VERSION);
+			// If Version Changes between Production runs, you'll need to do a switch Statement, and adequately read in fields
+			
+			byte[] buff = new byte[BUFF_SIZE];
+			data.name = readString(is, buff);
+			data.type = is.readInt();
+			data.description = readString(is,buff);
+			data.parent = readString(is,buff);
+			int count = is.readInt();
+			if(count>0) {
+				Map<String, String> da = data.attrib(true);
+				for(int i=0;i<count;++i) {
+					da.put(readString(is,buff), readString(is,buff));
+				}
+			}
+		}
+
+    }
+    
+	@Override
+	public Result<Data> create(AuthzTrans trans, Data data) {
+		String ns = data.name;
+		// Ensure Parent is set
+		if(data.parent==null) {
+			return Result.err(Result.ERR_BadData, "Need parent for %s", ns);
+		}
+
+		// insert Attributes
+		StringBuilder stmt = new StringBuilder();
+		stmt.append(BEGIN_BATCH);
+		attribInsertStmts(stmt, data);
+		stmt.append(APPLY_BATCH);
+		try {
+			getSession(trans).execute(stmt.toString());
+//// TEST CODE for Exception				
+//			boolean force = true; 
+//			if(force) {
+//				throw new com.datastax.driver.core.exceptions.NoHostAvailableException(new HashMap<InetSocketAddress,Throwable>());
+////				throw new com.datastax.driver.core.exceptions.AuthenticationException(new InetSocketAddress(9999),"Sample Message");
+//			}
+////END TEST CODE
+
+		} catch (DriverException | APIException | IOException e) {
+			reportPerhapsReset(trans,e);
+			trans.info().log(stmt);
+			return Result.err(Result.ERR_Backend, "Backend Access");
+		}
+		return super.create(trans, data);
+	}
+
+	@Override
+	public Result<Void> update(AuthzTrans trans, Data data) {
+		String ns = data.name;
+		// Ensure Parent is set
+		if(data.parent==null) {
+			return Result.err(Result.ERR_BadData, "Need parent for %s", ns);
+		}
+
+		StringBuilder stmt = new StringBuilder();
+		stmt.append(BEGIN_BATCH);
+		try {
+			Map<String, String> localAttr = data.attrib;
+			Result<Map<String, String>> rremoteAttr = readAttribByNS(trans,ns);
+			if(rremoteAttr.notOK()) {
+				return Result.err(rremoteAttr);
+			}
+			// update Attributes
+			String str;
+			for(Entry<String, String> es : localAttr.entrySet()) {
+				str = rremoteAttr.value.get(es.getKey());
+				if(str==null || !str.equals(es.getValue())) {
+					attribUpdateStmt(stmt, ns, es.getKey(),es.getValue());
+				}
+			}
+			
+			// No point in deleting... insert overwrites...
+//			for(Entry<String, String> es : remoteAttr.entrySet()) {
+//				str = localAttr.get(es.getKey());
+//				if(str==null || !str.equals(es.getValue())) {
+//					attribDeleteStmt(stmt, ns, es.getKey());
+//				}
+//			}
+			if(stmt.length()>BEGIN_BATCH.length()) {
+				stmt.append(APPLY_BATCH);
+				getSession(trans).execute(stmt.toString());
+			}
+		} catch (DriverException | APIException | IOException e) {
+			reportPerhapsReset(trans,e);
+			trans.info().log(stmt);
+			return Result.err(Result.ERR_Backend, CassAccess.ERR_ACCESS_MSG);
+		}
+
+		return super.update(trans,data);
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.dao.CassDAOImpl#read(com.att.inno.env.TransStore, java.lang.Object)
+	 */
+	@Override
+	public Result<List<Data>> read(AuthzTrans trans, Data data) {
+		Result<List<Data>> rld = super.read(trans, data);
+		
+		if(rld.isOKhasData()) {
+			for(Data d : rld.value) {
+				// Note: Map is null at this point, save time/mem by assignment
+				Result<Map<String, String>> rabn = readAttribByNS(trans,d.name);
+				if(rabn.isOK()) {
+					d.attrib = rabn.value;
+				} else {
+					return Result.err(rabn);
+				}
+			}
+		}
+		return rld;
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.dao.CassDAOImpl#read(com.att.inno.env.TransStore, java.lang.Object[])
+	 */
+	@Override
+	public Result<List<Data>> read(AuthzTrans trans, Object... key) {
+		Result<List<Data>> rld = super.read(trans, key);
+
+		if(rld.isOKhasData()) {
+			for(Data d : rld.value) {
+				// Note: Map is null at this point, save time/mem by assignment
+				Result<Map<String, String>> rabn = readAttribByNS(trans,d.name);
+				if(rabn.isOK()) {
+					d.attrib = rabn.value;
+				} else {
+					return Result.err(rabn);
+				}
+			}
+		}
+		return rld;
+	}
+
+	@Override
+	public Result<Void> delete(AuthzTrans trans, Data data, boolean reread) {
+		TimeTaken tt = trans.start("Delete NS Attributes " + data.name, Env.REMOTE);
+		try {
+			StringBuilder stmt = new StringBuilder();
+			attribDeleteAllStmt(stmt, data);
+			try {
+				getSession(trans).execute(stmt.toString());
+			} catch (DriverException | APIException | IOException e) {
+				reportPerhapsReset(trans,e);
+				trans.info().log(stmt);
+				return Result.err(Result.ERR_Backend, CassAccess.ERR_ACCESS_MSG);
+			}
+		} finally {
+			tt.done();
+		}
+		return super.delete(trans, data, reread);
+
+	}
+    
+	public Result<Map<String,String>> readAttribByNS(AuthzTrans trans, String ns) {
+		Map<String,String> map = new HashMap<String,String>();
+		TimeTaken tt = trans.start("readAttribByNS " + ns, Env.REMOTE);
+		try {
+			ResultSet rs = getSession(trans).execute("SELECT key,value FROM " 
+					+ TABLE_ATTRIB 
+					+ " WHERE ns='"
+					+ ns
+					+ "';");
+			
+			for(Iterator<Row> iter = rs.iterator();iter.hasNext(); ) {
+				Row r = iter.next();
+				map.put(r.getString(0), r.getString(1));
+			}
+		} catch (DriverException | APIException | IOException e) {
+			reportPerhapsReset(trans,e);
+			return Result.err(Result.ERR_Backend, CassAccess.ERR_ACCESS_MSG);
+		} finally {
+			tt.done();
+		}
+		return Result.ok(map);
+	}
+
+	public Result<Set<String>> readNsByAttrib(AuthzTrans trans, String key) {
+		Set<String> set = new HashSet<String>();
+		TimeTaken tt = trans.start("readNsBykey " + key, Env.REMOTE);
+		try {
+			ResultSet rs = getSession(trans).execute("SELECT ns FROM " 
+				+ TABLE_ATTRIB 
+				+ " WHERE key='"
+				+ key
+				+ "';");
+		
+			for(Iterator<Row> iter = rs.iterator();iter.hasNext(); ) {
+				Row r = iter.next();
+				set.add(r.getString(0));
+			}
+		} catch (DriverException | APIException | IOException e) {
+			reportPerhapsReset(trans,e);
+			return Result.err(Result.ERR_Backend, CassAccess.ERR_ACCESS_MSG);
+		} finally {
+			tt.done();
+		}
+		return Result.ok(set);
+	}
+
+	public Result<Void> attribAdd(AuthzTrans trans, String ns, String key, String value) {
+		try {
+			getSession(trans).execute(attribInsertStmt(new StringBuilder(),ns,key,value).toString());
+			return Result.ok();
+		} catch (DriverException | APIException | IOException e) {
+			reportPerhapsReset(trans,e);
+			return Result.err(Result.ERR_Backend, CassAccess.ERR_ACCESS_MSG);
+		}
+	}
+	
+	private StringBuilder attribInsertStmt(StringBuilder sb, String ns, String key, String value) {
+		sb.append("INSERT INTO ");
+		sb.append(TABLE_ATTRIB);
+		sb.append(" (ns,key,value) VALUES ('");
+		sb.append(ns);
+		sb.append(SQCSQ);
+		sb.append(key);
+		sb.append(SQCSQ);
+		sb.append(value);
+		sb.append("');");
+		return sb;
+	}
+
+	private StringBuilder attribUpdateStmt(StringBuilder sb, String ns, String key, String value) {
+		sb.append("UPDATE ");
+		sb.append(TABLE_ATTRIB);
+		sb.append(" set value='");
+		sb.append(value);
+		sb.append("' where ns='");
+		sb.append(ns);
+		sb.append("' AND key='");
+		sb.append(key);
+		sb.append("';");
+		return sb;
+	}
+	
+
+	public Result<Void> attribRemove(AuthzTrans trans, String ns, String key) {
+		try {
+			getSession(trans).execute(attribDeleteStmt(new StringBuilder(),ns,key).toString());
+			return Result.ok();
+		} catch (DriverException | APIException | IOException e) {
+			reportPerhapsReset(trans,e);
+			return Result.err(Result.ERR_Backend, CassAccess.ERR_ACCESS_MSG);
+		}
+	}
+	
+	private StringBuilder attribDeleteStmt(StringBuilder stmt, String ns, String key) {
+		stmt.append("DELETE FROM ");
+		stmt.append(TABLE_ATTRIB);
+		stmt.append(" WHERE ns='");
+		stmt.append(ns);
+		stmt.append("' AND key='");
+		stmt.append(key);
+		stmt.append("';");
+		return stmt;
+	}
+	
+	private void attribDeleteAllStmt(StringBuilder stmt, Data data) {
+		stmt.append("  DELETE FROM ");
+		stmt.append(TABLE_ATTRIB);
+		stmt.append(" WHERE ns='");
+		stmt.append(data.name);
+		stmt.append(SQSCCR);
+	}
+
+	private void attribInsertStmts(StringBuilder stmt, Data data) {
+		// INSERT new Attrib
+		for(Entry<String,String> es : data.attrib(false).entrySet() ) {
+			stmt.append("  ");
+			attribInsertStmt(stmt,data.name,es.getKey(),es.getValue());
+		}
+	}
+
+	/**
+	 * Add description to Namespace
+	 * @param trans
+	 * @param ns
+	 * @param description
+	 * @return
+	 */
+	public Result<Void> addDescription(AuthzTrans trans, String ns, String description) {
+		try {
+			getSession(trans).execute(UPDATE_SP + TABLE + " SET description = '" 
+				+ description.replace("'", "''") + "' WHERE name = '" + ns + "';");
+		} catch (DriverException | APIException | IOException e) {
+			reportPerhapsReset(trans,e);
+			return Result.err(Result.ERR_Backend, CassAccess.ERR_ACCESS_MSG);
+		}
+
+		Data data = new Data();
+		data.name=ns;
+		wasModified(trans, CRUD.update, data, "Added description " + description + " to namespace " + ns, null );
+		return Result.ok();
+	}
+
+	public Result<List<Data>> getChildren(AuthzTrans trans, String parent) {
+		return psNS.read(trans, R_TEXT, new Object[]{parent});
+	}
+		
+
+    /**
+     * Log Modification statements to History
+     * 
+     * @param modified           which CRUD action was done
+     * @param data               entity data that needs a log entry
+     * @param overrideMessage    if this is specified, we use it rather than crafting a history message based on data
+     */
+    @Override
+    protected void wasModified(AuthzTrans trans, CRUD modified, Data data, String ... override) {
+    	boolean memo = override.length>0 && override[0]!=null;
+    	boolean subject = override.length>1 && override[1]!=null;
+
+        //TODO Must log history
+        HistoryDAO.Data hd = HistoryDAO.newInitedData();
+        hd.user = trans.user();
+        hd.action = modified.name();
+        hd.target = TABLE;
+        hd.subject = subject ? override[1] : data.name;
+        hd.memo = memo ? override[0] : (data.name + " was "  + modified.name() + 'd' );
+		if(modified==CRUD.delete) {
+			try {
+				hd.reconstruct = data.bytify();
+			} catch (IOException e) {
+				trans.error().log(e,"Could not serialize NsDAO.Data");
+			}
+		}
+
+        if(historyDAO.create(trans, hd).status!=Status.OK) {
+	    trans.error().log("Cannot log to History");
+	}
+        if(infoDAO.touch(trans, TABLE,data.invalidate(cache)).notOK()) {
+	    trans.error().log("Cannot touch CacheInfo");
+	}
+    }
+
+}
+\ No newline at end of file
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/NsSplit.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/NsSplit.java
new file mode 100644
index 00000000..2694c6c8
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/NsSplit.java
@@ -0,0 +1,61 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cass;
+
+public class NsSplit {
+	public final String ns;
+	public final String name;
+	public final NsDAO.Data nsd;
+	
+	public NsSplit(NsDAO.Data nsd, String child) {
+		this.nsd = nsd;
+		if(child.startsWith(nsd.name)) {
+			ns = nsd.name;
+			int dot = ns.length();
+			if(dot<child.length() && child.charAt(dot)=='.') {
+    			name = child.substring(dot+1);
+			} else {
+				name="";
+			}
+		} else {
+			name=null;
+			ns = null;
+		}
+	}
+	
+	public NsSplit(String ns, String name) {
+		this.ns = ns;
+		this.name = name;
+		this.nsd = new NsDAO.Data();
+		nsd.name = ns;
+		int dot = ns.lastIndexOf('.');
+		if(dot>=0) {
+			nsd.parent = ns.substring(0, dot);
+		} else {
+			nsd.parent = ".";
+		}
+	}
+
+	public boolean isOK() {
+		return ns!=null && name !=null;
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/NsType.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/NsType.java
new file mode 100644
index 00000000..18d5eeec
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/NsType.java
@@ -0,0 +1,74 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cass;
+
+/**
+ * Defines the Type Codes in the NS Table.
+ * @author Jonathan
+ *
+ */
+public enum NsType {
+		UNKNOWN (-1),
+		DOT (0),
+		ROOT (1), 
+		COMPANY (2), 
+		APP (3), 
+		STACKED_APP (10), 
+		STACK (11);
+		
+		public final int type;
+		private NsType(int t) {
+			type = t;
+		}
+		/**
+		 * This is not the Ordinal, but the Type that is stored in NS Tables
+		 * 
+		 * @param t
+		 * @return
+		 */
+		public static NsType fromType(int t) {
+			for(NsType nst : values()) {
+				if(t==nst.type) {
+					return nst;
+				}
+			}
+			return UNKNOWN;
+		}
+		
+		/**
+		 * Use this one rather than "valueOf" to avoid Exception
+		 * @param s
+		 * @return
+		 */
+		public static NsType fromString(String s) {
+			if(s!=null) {
+				for(NsType nst : values()) {
+					if(nst.name().equals(s)) {
+						return nst;
+					}
+				}
+			}
+			return UNKNOWN;
+		}
+
+		
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/OAuthTokenDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/OAuthTokenDAO.java
new file mode 100644
index 00000000..e1375b8a
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/OAuthTokenDAO.java
@@ -0,0 +1,213 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cass;
+
+import java.io.ByteArrayOutputStream;
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.onap.aaf.auth.dao.AbsCassDAO;
+import org.onap.aaf.auth.dao.Bytification;
+import org.onap.aaf.auth.dao.CassDAOImpl;
+import org.onap.aaf.auth.dao.Loader;
+import org.onap.aaf.auth.dao.Streamer;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.Row;
+
+/**
+ * CredDAO manages credentials. 
+ * @author Jonathan
+ * Date: 7/19/13
+ */
+public class OAuthTokenDAO extends CassDAOImpl<AuthzTrans,OAuthTokenDAO.Data> {
+    public static final String TABLE = "oauth_token";
+	private AbsCassDAO<AuthzTrans, Data>.PSInfo psByUser;
+    
+    public OAuthTokenDAO(AuthzTrans trans, Cluster cluster, String keyspace) {
+        super(trans, OAuthTokenDAO.class.getSimpleName(),cluster, keyspace, Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+        init(trans);
+    }
+    
+    public OAuthTokenDAO(AuthzTrans trans, AbsCassDAO<AuthzTrans,?> aDao) {
+    		super(trans, OAuthTokenDAO.class.getSimpleName(),aDao, Data.class, TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+    		init(trans);
+    }
+
+
+    public static final int KEYLIMIT = 1;
+	public static class Data implements Bytification {
+		public String	       			id;
+		public String					client_id;
+		public String					user;
+		public boolean					active;
+        public int						type;
+		public String					refresh;
+        public Date      				expires;
+        public long						exp_sec;
+        public String	 				content;  
+        public Set<String>	      		scopes;
+        public String					state;
+        public String					req_ip; // requesting
+
+		public Set<String> scopes(boolean mutable) {
+			if (scopes == null) {
+				scopes = new HashSet<String>();
+			} else if (mutable && !(scopes instanceof HashSet)) {
+				scopes = new HashSet<String>(scopes);
+			}
+			return scopes;
+		}
+
+		@Override
+		public ByteBuffer bytify() throws IOException {
+			ByteArrayOutputStream baos = new ByteArrayOutputStream();
+			OAuthLoader.deflt.marshal(this,new DataOutputStream(baos));
+			return ByteBuffer.wrap(baos.toByteArray());
+		}
+		
+		@Override
+		public void reconstitute(ByteBuffer bb) throws IOException {
+			OAuthLoader.deflt.unmarshal(this, toDIS(bb));
+		}
+
+		public String toString() {
+			return user.toString() + ' ' + id.toString() + ' ' + Chrono.dateTime(expires) + (active?"":"in") + "active";
+		}
+    }
+
+    private static class OAuthLoader extends Loader<Data> implements Streamer<Data>{
+		public static final int MAGIC=235677843;
+    		public static final int VERSION=1;
+	    	public static final int BUFF_SIZE=96; // Note: only used when  
+	
+	    	public static final OAuthLoader deflt = new OAuthLoader(KEYLIMIT);
+	    	public OAuthLoader(int keylimit) {
+	            super(keylimit);
+	        }
+	
+	    	@Override
+        public Data load(Data data, Row row) {
+            data.id = row.getString(0);
+            data.client_id = row.getString(1);
+            data.user = row.getString(2);
+            data.active = row.getBool(3);
+            data.type = row.getInt(4);
+            data.refresh = row.getString(5);
+            data.expires = row.getTimestamp(6);
+            data.exp_sec = row.getLong(7);
+            data.content = row.getString(8);
+            data.scopes = row.getSet(9,String.class);
+            data.state = row.getString(10);
+            data.req_ip = row.getString(11);
+            return data;
+        }
+
+        @Override
+        protected void key(final Data data, final int idx, Object[] obj) {
+            obj[idx] = data.id;
+        }
+
+        @Override
+        protected void body(final Data data, final int idx, Object[] obj) {
+            int i;
+            obj[i=idx] = data.client_id;
+            obj[++i] = data.user;
+            obj[++i] = data.active;
+            obj[++i] = data.type;
+            obj[++i] = data.refresh;
+            obj[++i] = data.expires;
+            obj[++i] = data.exp_sec;
+            obj[++i] = data.content;
+            obj[++i] = data.scopes;
+            obj[++i] = data.state;
+            obj[++i] = data.req_ip;
+        }
+
+		@Override
+		public void marshal(Data data, DataOutputStream os) throws IOException {
+			writeHeader(os,MAGIC,VERSION);
+			writeString(os, data.id);
+			writeString(os, data.client_id);
+			writeString(os, data.user);
+			os.writeBoolean(data.active);
+			os.writeInt(data.type);
+			writeString(os, data.refresh);
+			os.writeLong(data.expires==null?-1:data.expires.getTime());
+			os.writeLong(data.exp_sec);
+			writeString(os, data.content);
+			writeStringSet(os,data.scopes);
+			writeString(os, data.state);
+			writeString(os, data.req_ip);
+		}
+
+
+		@Override
+		public void unmarshal(Data data, DataInputStream is) throws IOException {
+			/*int version = */readHeader(is,MAGIC,VERSION);
+			// If Version Changes between Production runs, you'll need to do a switch Statement, and adequately read in fields
+			byte[] buff = new byte[BUFF_SIZE]; // used only if fits
+			data.id = readString(is,buff);
+			data.client_id = readString(is,buff);
+			data.user = readString(is,buff);
+			data.active = is.readBoolean();
+			data.type = is.readInt();
+			data.refresh = readString(is,buff);
+			long l = is.readLong();
+			data.expires = l<0?null:new Date(l);
+			data.exp_sec = is.readLong();
+			data.content = readString(is,buff); // note, large strings still ok with small buffer
+			data.scopes = readStringSet(is,buff);
+			data.state = readString(is,buff);
+			data.req_ip = readString(is,buff);
+		}
+    }
+
+    private void init(AuthzTrans trans) {
+        String[] helpers = setCRUD(trans, TABLE, Data.class, OAuthLoader.deflt);
+        psByUser = new PSInfo(trans, "SELECT " + helpers[0] + " from " + TABLE + " WHERE user=?",OAuthLoader.deflt,readConsistency);
+    }
+
+	/**
+     * Log Modification statements to History
+     *
+     * @param modified        which CRUD action was done
+     * @param data            entity data that needs a log entry
+     * @param overrideMessage if this is specified, we use it rather than crafting a history message based on data
+     */
+    @Override
+    protected void wasModified(AuthzTrans trans, CRUD modified, Data data, String ... override) {
+    }
+
+	public Result<List<Data>> readByUser(AuthzTrans trans, String user) {
+		return psByUser.read(trans, "Read By User", new Object[]{user});
+	}
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/PermDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/PermDAO.java
new file mode 100644
index 00000000..860b7ea5
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/PermDAO.java
@@ -0,0 +1,501 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cass;
+
+import java.io.ByteArrayOutputStream;
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.onap.aaf.auth.dao.Bytification;
+import org.onap.aaf.auth.dao.Cached;
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.CassDAOImpl;
+import org.onap.aaf.auth.dao.DAOException;
+import org.onap.aaf.auth.dao.Loader;
+import org.onap.aaf.auth.dao.Streamer;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.util.Split;
+
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.Row;
+import com.datastax.driver.core.exceptions.DriverException;
+
+public class PermDAO extends CassDAOImpl<AuthzTrans,PermDAO.Data> {
+
+	public static final String TABLE = "perm";
+
+    public static final int CACHE_SEG = 0x40; // yields segment 0x0-0x3F
+	private static final String STAR = "*";
+	
+	private final HistoryDAO historyDAO;
+	private final CacheInfoDAO infoDAO;
+	
+	private PSInfo psNS, psChildren, psByType;
+
+	public PermDAO(AuthzTrans trans, Cluster cluster, String keyspace) throws APIException, IOException {
+		super(trans, PermDAO.class.getSimpleName(),cluster,keyspace,Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+		init(trans);
+		historyDAO = new HistoryDAO(trans, this);
+		infoDAO = new CacheInfoDAO(trans,this);
+	}
+
+	public PermDAO(AuthzTrans trans, HistoryDAO hDAO, CacheInfoDAO ciDAO) {
+		super(trans, PermDAO.class.getSimpleName(),hDAO,Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+		historyDAO = hDAO;
+		infoDAO=ciDAO;
+		init(trans);
+	}
+
+
+	private static final int KEYLIMIT = 4;
+	public static class Data extends CacheableData implements Bytification {
+		public String		ns;
+		public String		type;
+		public String		instance;
+		public String		action;
+		public Set<String>  roles; 
+		public String		description;
+
+		public Data() {}
+		
+		public Data(NsSplit nss, String instance, String action) {
+			ns = nss.ns;
+			type = nss.name;
+			this.instance = instance;
+			this.action = action;
+		}
+
+		public String fullType() {
+			return ns + '.' + type;
+		}
+		
+		public String fullPerm() {
+			return ns + '.' + type + '|' + instance + '|' + action;
+		}
+
+		public String encode() {
+			return ns + '|' + type + '|' + instance + '|' + action;
+		}
+		
+		/**
+		 * Decode Perm String, including breaking into appropriate Namespace
+		 * 
+		 * @param trans
+		 * @param q
+		 * @param p
+		 * @return
+		 */
+		public static Result<Data> decode(AuthzTrans trans, Question q, String p) {
+			String[] ss = Split.splitTrim('|', p,4);
+			if(ss[2]==null) {
+				return Result.err(Status.ERR_BadData,"Perm Encodings must be separated by '|'");
+			}
+			Data data = new Data();
+			if(ss[3]==null) { // older 3 part encoding must be evaluated for NS
+				Result<NsSplit> nss = q.deriveNsSplit(trans, ss[0]);
+				if(nss.notOK()) {
+					return Result.err(nss);
+				}
+				data.ns=nss.value.ns;
+				data.type=nss.value.name;
+				data.instance=ss[1];
+				data.action=ss[2];
+			} else { // new 4 part encoding
+				data.ns=ss[0];
+				data.type=ss[1];
+				data.instance=ss[2];
+				data.action=ss[3];
+			}
+			return Result.ok(data);
+		}
+
+		/**
+		 * Decode Perm String, including breaking into appropriate Namespace
+		 * 
+		 * @param trans
+		 * @param q
+		 * @param p
+		 * @return
+		 */
+		public static Result<String[]> decodeToArray(AuthzTrans trans, Question q, String p) {
+			String[] ss = Split.splitTrim('|', p,4);
+			if(ss[2]==null) {
+				return Result.err(Status.ERR_BadData,"Perm Encodings must be separated by '|'");
+			}
+			
+			if(ss[3]==null) { // older 3 part encoding must be evaluated for NS
+				ss[3] = ss[2];
+				ss[2] = ss[1];
+				Result<NsSplit> nss = q.deriveNsSplit(trans, ss[0]);
+				if(nss.notOK()) {
+					return Result.err(nss);
+				}
+				ss[1] = nss.value.name;
+				ss[0] = nss.value.ns;
+			}
+			return Result.ok(ss);
+		}
+
+		public static Data create(NsDAO.Data ns, String name) {
+			NsSplit nss = new NsSplit(ns,name);
+			Data rv = new Data();
+			rv.ns = nss.ns;
+			String[] s = nss.name.split("\\|");
+			switch(s.length) {
+				case 3:
+					rv.type=s[0];
+					rv.instance=s[1];
+					rv.action=s[2];
+					break;
+				case 2:
+					rv.type=s[0];
+					rv.instance=s[1];
+					rv.action=STAR;
+					break;
+				default:
+					rv.type=s[0];
+					rv.instance = STAR;
+					rv.action = STAR;
+			}
+			return rv;
+		}
+		
+		public static Data create(AuthzTrans trans, Question q, String name) {
+			String[] s = name.split("\\|");
+			Result<NsSplit> rdns = q.deriveNsSplit(trans, s[0]);
+			Data rv = new PermDAO.Data();
+			if(rdns.isOKhasData()) {
+				switch(s.length) {
+					case 3:
+						rv.type=s[1];
+						rv.instance=s[2];
+						rv.action=s[3];
+						break;
+					case 2:
+						rv.type=s[1];
+						rv.instance=s[2];
+						rv.action=STAR;
+						break;
+					default:
+						rv.type=s[1];
+						rv.instance = STAR;
+						rv.action = STAR;
+				}
+			}
+			return rv;
+		}
+		
+        ////////////////////////////////////////
+        // Getters
+        public Set<String> roles(boolean mutable) {
+            if (roles == null) {
+                roles = new HashSet<String>();
+            } else if (mutable && !(roles instanceof HashSet)) {
+                roles = new HashSet<String>(roles);
+            }
+            return roles;
+        }
+
+		@Override
+		public int[] invalidate(Cached<?,?> cache) {
+			return new int[] {
+				seg(cache,ns),
+				seg(cache,ns,type),
+				seg(cache,ns,type,STAR),
+				seg(cache,ns,type,instance,action)
+			};
+		}
+
+		@Override
+		public ByteBuffer bytify() throws IOException {
+			ByteArrayOutputStream baos = new ByteArrayOutputStream();
+			PermLoader.deflt.marshal(this, new DataOutputStream(baos));
+			return ByteBuffer.wrap(baos.toByteArray());
+		}
+		
+		@Override
+		public void reconstitute(ByteBuffer bb) throws IOException {
+			PermLoader.deflt.unmarshal(this, toDIS(bb));
+		}
+
+		@Override
+		public String toString() {
+			return encode();
+		}
+	}
+	
+	private static class PermLoader extends Loader<Data> implements Streamer<Data> {
+		public static final int MAGIC=283939453;
+    	public static final int VERSION=1;
+    	public static final int BUFF_SIZE=96;
+
+    	public static final PermLoader deflt = new PermLoader(KEYLIMIT);
+    	
+		public PermLoader(int keylimit) {
+			super(keylimit);
+		}
+		
+		@Override
+		public Data load(Data data, Row row) {
+			// Int more efficient Match "fields" string
+			data.ns = row.getString(0);
+			data.type = row.getString(1);
+			data.instance = row.getString(2);
+			data.action = row.getString(3);
+			data.roles = row.getSet(4,String.class);
+			data.description = row.getString(5);
+			return data;
+		}
+
+		@Override
+		protected void key(Data data, int _idx, Object[] obj) {
+		    	int idx = _idx;
+			obj[idx]=data.ns;
+			obj[++idx]=data.type;
+			obj[++idx]=data.instance;
+			obj[++idx]=data.action;
+		}
+
+		@Override
+		protected void body(Data data, int _idx, Object[] obj) {
+		    	int idx = _idx;
+			obj[idx]=data.roles;
+			obj[++idx]=data.description;
+		}
+
+		@Override
+		public void marshal(Data data, DataOutputStream os) throws IOException {
+			writeHeader(os,MAGIC,VERSION);
+			writeString(os, data.ns);
+			writeString(os, data.type);
+			writeString(os, data.instance);
+			writeString(os, data.action);
+			writeStringSet(os, data.roles);
+			writeString(os, data.description);
+		}
+
+		@Override
+		public void unmarshal(Data data, DataInputStream is) throws IOException {
+			/*int version = */readHeader(is,MAGIC,VERSION);
+			// If Version Changes between Production runs, you'll need to do a switch Statement, and adequately read in fields
+			byte[] buff = new byte[BUFF_SIZE];
+			data.ns = readString(is, buff);
+			data.type = readString(is,buff);
+			data.instance = readString(is,buff);
+			data.action = readString(is,buff);
+			data.roles = readStringSet(is,buff);
+			data.description = readString(is,buff);
+		}
+	}
+	
+	private void init(AuthzTrans trans) {
+		// the 3 is the number of key fields
+		String[] helpers = setCRUD(trans, TABLE, Data.class, PermLoader.deflt);
+		
+		// Other SELECT style statements... match with a local Method
+		psByType = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + " FROM " + TABLE + 
+				" WHERE ns = ? AND type = ?", new PermLoader(2) {
+			@Override
+			protected void key(Data data, int idx, Object[] obj) {
+				obj[idx]=data.type;
+			}
+		},readConsistency);
+		
+		psNS = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + " FROM " + TABLE +
+				" WHERE ns = ?", new PermLoader(1),readConsistency);
+				
+		psChildren = new PSInfo(trans, SELECT_SP +  helpers[FIELD_COMMAS] +  " FROM " + TABLE + 
+				" WHERE ns=? AND type > ? AND type < ?", 
+				new PermLoader(3) {
+			@Override
+			protected void key(Data data, int _idx, Object[] obj) {
+			    	int idx = _idx;
+				obj[idx] = data.ns;
+				obj[++idx]=data.type + DOT;
+				obj[++idx]=data.type + DOT_PLUS_ONE;
+			}
+		},readConsistency);
+
+	}
+
+
+	/**
+	 * Add a single Permission to the Role's Permission Collection
+	 * 
+	 * @param trans
+	 * @param roleFullName
+	 * @param perm
+	 * @param type
+	 * @param action
+	 * @return
+	 */
+	public Result<Void> addRole(AuthzTrans trans, PermDAO.Data perm, String roleFullName) {
+		// Note: Prepared Statements for Collection updates aren't supported
+		//ResultSet rv =
+		try {
+			getSession(trans).execute(UPDATE_SP + TABLE + " SET roles = roles + {'"	+ roleFullName + "'} " +
+				"WHERE " +
+					"ns = '" + perm.ns + "' AND " +
+					"type = '" + perm.type + "' AND " +
+					"instance = '" + perm.instance + "' AND " +
+					"action = '" + perm.action + "';"
+					);
+		} catch (DriverException | APIException | IOException e) {
+			reportPerhapsReset(trans,e);
+			return Result.err(Result.ERR_Backend, CassAccess.ERR_ACCESS_MSG);
+		}
+
+		wasModified(trans, CRUD.update, perm, "Added role " + roleFullName + " to perm " +
+				perm.ns + '.' + perm.type + '|' + perm.instance + '|' + perm.action);
+		return Result.ok();
+	}
+
+	/**
+	 * Remove a single Permission from the Role's Permission Collection
+	 * @param trans
+	 * @param roleFullName
+	 * @param perm
+	 * @param type
+	 * @param action
+	 * @return
+	 */
+	public Result<Void> delRole(AuthzTrans trans, PermDAO.Data perm, String roleFullName) {
+		// Note: Prepared Statements for Collection updates aren't supported
+		//ResultSet rv =
+		try {
+			getSession(trans).execute(UPDATE_SP + TABLE + " SET roles = roles - {'" + roleFullName + "'} " +
+				"WHERE " +
+					"ns = '" + perm.ns + "' AND " +
+					"type = '" + perm.type + "' AND " +
+					"instance = '" + perm.instance + "' AND " +
+					"action = '" + perm.action + "';"
+					);
+		} catch (DriverException | APIException | IOException e) {
+			reportPerhapsReset(trans,e);
+			return Result.err(Result.ERR_Backend, CassAccess.ERR_ACCESS_MSG);
+		}
+
+		//TODO how can we tell when it doesn't?
+		wasModified(trans, CRUD.update, perm, "Removed role " + roleFullName + " from perm " +
+				perm.ns + '.' + perm.type + '|' + perm.instance + '|' + perm.action);
+		return Result.ok();
+	}
+
+
+	
+	/**
+	 * Additional method: 
+	 * 		Select all Permissions by Name
+	 * 
+	 * @param name
+	 * @return
+	 * @throws DAOException
+	 */
+	public Result<List<Data>> readByType(AuthzTrans trans, String ns, String type) {
+		return psByType.read(trans, R_TEXT, new Object[]{ns, type});
+	}
+	
+	public Result<List<Data>> readChildren(AuthzTrans trans, String ns, String type) {
+		return psChildren.read(trans, R_TEXT, new Object[]{ns, type+DOT, type + DOT_PLUS_ONE});
+	}
+
+	public Result<List<Data>> readNS(AuthzTrans trans, String ns) {
+		return psNS.read(trans, R_TEXT, new Object[]{ns});
+	}
+
+	/**
+	 * Add description to this permission
+	 * 
+	 * @param trans
+	 * @param ns
+	 * @param type
+	 * @param instance
+	 * @param action
+	 * @param description
+	 * @return
+	 */
+	public Result<Void> addDescription(AuthzTrans trans, String ns, String type,
+			String instance, String action, String description) {
+		try {
+			getSession(trans).execute(UPDATE_SP + TABLE + " SET description = '" 
+				+ description + "' WHERE ns = '" + ns + "' AND type = '" + type + "'"
+				+ "AND instance = '" + instance + "' AND action = '" + action + "';");
+		} catch (DriverException | APIException | IOException e) {
+			reportPerhapsReset(trans,e);
+			return Result.err(Result.ERR_Backend, CassAccess.ERR_ACCESS_MSG);
+		}
+
+		Data data = new Data();
+		data.ns=ns;
+		data.type=type;
+		data.instance=instance;
+		data.action=action;
+		wasModified(trans, CRUD.update, data, "Added description " + description + " to permission " 
+				+ data.encode(), null );
+		return Result.ok();
+	}
+	
+	/**
+	 * Log Modification statements to History
+	 */
+	@Override
+	protected void wasModified(AuthzTrans trans, CRUD modified, Data data, String ... override) {
+    	boolean memo = override.length>0 && override[0]!=null;
+    	boolean subject = override.length>1 && override[1]!=null;
+
+		// Need to update history
+		HistoryDAO.Data hd = HistoryDAO.newInitedData();
+		hd.user = trans.user();
+		hd.action = modified.name();
+		hd.target = TABLE;
+		hd.subject = subject ? override[1] : data.fullType();
+		if (memo) {
+            hd.memo = String.format("%s", override[0]);
+        } else {
+            hd.memo = String.format("%sd %s|%s|%s", modified.name(),data.fullType(),data.instance,data.action);
+        }
+		
+		if(modified==CRUD.delete) {
+			try {
+				hd.reconstruct = data.bytify();
+			} catch (IOException e) {
+				trans.error().log(e,"Could not serialize PermDAO.Data");
+			}
+		}
+		
+        if(historyDAO.create(trans, hd).status!=Status.OK) {
+        	trans.error().log("Cannot log to History");
+        }
+        if(infoDAO.touch(trans, TABLE,data.invalidate(cache)).notOK()) {
+        	trans.error().log("Cannot touch CacheInfo");
+        }
+	}
+}
+
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/RoleDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/RoleDAO.java
new file mode 100644
index 00000000..da7d7a2d
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/RoleDAO.java
@@ -0,0 +1,412 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cass;
+
+import java.io.ByteArrayOutputStream;
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.onap.aaf.auth.dao.Bytification;
+import org.onap.aaf.auth.dao.Cached;
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.CassDAOImpl;
+import org.onap.aaf.auth.dao.Loader;
+import org.onap.aaf.auth.dao.Streamer;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.util.Split;
+
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.Row;
+import com.datastax.driver.core.exceptions.DriverException;
+
+public class RoleDAO extends CassDAOImpl<AuthzTrans,RoleDAO.Data> {
+
+	public static final String TABLE = "role";
+    public static final int CACHE_SEG = 0x40; // yields segment 0x0-0x3F
+    
+	private final HistoryDAO historyDAO;
+	private final CacheInfoDAO infoDAO;
+
+	private PSInfo psChildren, psNS, psName;
+
+	public RoleDAO(AuthzTrans trans, Cluster cluster, String keyspace) throws APIException, IOException {
+		super(trans, RoleDAO.class.getSimpleName(),cluster,keyspace,Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+        // Set up sub-DAOs
+        historyDAO = new HistoryDAO(trans, this);
+		infoDAO = new CacheInfoDAO(trans,this);
+		init(trans);
+	}
+
+	public RoleDAO(AuthzTrans trans, HistoryDAO hDAO, CacheInfoDAO ciDAO) {
+		super(trans, RoleDAO.class.getSimpleName(),hDAO,Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+		historyDAO = hDAO;
+		infoDAO = ciDAO;
+		init(trans);
+	}
+
+
+    //////////////////////////////////////////
+    // Data Definition, matches Cassandra DM
+    //////////////////////////////////////////
+    private static final int KEYLIMIT = 2;
+    /**
+     * Data class that matches the Cassandra Table "role"
+     * @author Jonathan
+     */
+	public static class Data extends CacheableData implements Bytification {
+    	public String		ns;
+		public String		name;
+		public Set<String>  perms;
+		public String		description;
+
+        ////////////////////////////////////////
+        // Getters
+		public Set<String> perms(boolean mutable) {
+			if (perms == null) {
+				perms = new HashSet<String>();
+			} else if (mutable && !(perms instanceof HashSet)) {
+				perms = new HashSet<String>(perms);
+			}
+			return perms;
+		}
+		
+		public static Data create(NsDAO.Data ns, String name) {
+			NsSplit nss = new NsSplit(ns,name);		
+			RoleDAO.Data rv = new Data();
+			rv.ns = nss.ns;
+			rv.name=nss.name;
+			return rv;
+		}
+		
+		public String fullName() {
+			return ns + '.' + name;
+		}
+		
+		public String encode() {
+			return ns + '|' + name;
+		}
+		
+		/**
+		 * Decode Perm String, including breaking into appropriate Namespace
+		 * 
+		 * @param trans
+		 * @param q
+		 * @param r
+		 * @return
+		 */
+		public static Result<Data> decode(AuthzTrans trans, Question q, String r) {
+			String[] ss = Split.splitTrim('|', r,2);
+			Data data = new Data();
+			if(ss[1]==null) { // older 1 part encoding must be evaluated for NS
+				Result<NsSplit> nss = q.deriveNsSplit(trans, ss[0]);
+				if(nss.notOK()) {
+					return Result.err(nss);
+				}
+				data.ns=nss.value.ns;
+				data.name=nss.value.name;
+			} else { // new 4 part encoding
+				data.ns=ss[0];
+				data.name=ss[1];
+			}
+			return Result.ok(data);
+		}
+
+		/**
+		 * Decode from UserRole Data
+		 * @param urdd
+		 * @return
+		 */
+		public static RoleDAO.Data decode(UserRoleDAO.Data urdd) {
+			RoleDAO.Data rd = new RoleDAO.Data();
+			rd.ns = urdd.ns;
+			rd.name = urdd.rname;
+			return rd;
+		}
+
+
+		/**
+		 * Decode Perm String, including breaking into appropriate Namespace
+		 * 
+		 * @param trans
+		 * @param q
+		 * @param p
+		 * @return
+		 */
+		public static Result<String[]> decodeToArray(AuthzTrans trans, Question q, String p) {
+			String[] ss = Split.splitTrim('|', p,2);
+			if(ss[1]==null) { // older 1 part encoding must be evaluated for NS
+				Result<NsSplit> nss = q.deriveNsSplit(trans, ss[0]);
+				if(nss.notOK()) {
+					return Result.err(nss);
+				}
+				ss[0] = nss.value.ns;
+				ss[1] = nss.value.name;
+			}
+			return Result.ok(ss);
+		}
+		
+		@Override
+		public int[] invalidate(Cached<?,?> cache) {
+			return new int[] {
+				seg(cache,ns,name),
+				seg(cache,ns),
+				seg(cache,name),
+			};
+		}
+
+		@Override
+		public ByteBuffer bytify() throws IOException {
+			ByteArrayOutputStream baos = new ByteArrayOutputStream();
+			RoleLoader.deflt.marshal(this,new DataOutputStream(baos));
+			return ByteBuffer.wrap(baos.toByteArray());
+		}
+		
+		@Override
+		public void reconstitute(ByteBuffer bb) throws IOException {
+			RoleLoader.deflt.unmarshal(this, toDIS(bb));
+		}
+
+		@Override
+		public String toString() {
+			return ns + '.' + name;
+		}
+    }
+
+    private static class RoleLoader extends Loader<Data> implements Streamer<Data> {
+		public static final int MAGIC=923577343;
+    	public static final int VERSION=1;
+    	public static final int BUFF_SIZE=96;
+
+    	public static final RoleLoader deflt = new RoleLoader(KEYLIMIT);
+    	
+		public RoleLoader(int keylimit) {
+			super(keylimit);
+		}
+		
+		@Override
+		public Data load(Data data, Row row) {
+			// Int more efficient
+			data.ns = row.getString(0);
+			data.name = row.getString(1);
+			data.perms = row.getSet(2,String.class);
+			data.description = row.getString(3);
+			return data;
+		}
+
+		@Override
+		protected void key(Data data, int _idx, Object[] obj) {
+		    	int idx = _idx;
+			obj[idx]=data.ns;
+			obj[++idx]=data.name;
+		}
+
+		@Override
+		protected void body(Data data, int _idx, Object[] obj) {
+		    	int idx = _idx;
+			obj[idx]=data.perms;
+			obj[++idx]=data.description;
+		}
+
+		@Override
+		public void marshal(Data data, DataOutputStream os) throws IOException {
+			writeHeader(os,MAGIC,VERSION);
+			writeString(os, data.ns);
+			writeString(os, data.name);
+			writeStringSet(os,data.perms);
+			writeString(os, data.description);
+		}
+
+		@Override
+		public void unmarshal(Data data, DataInputStream is) throws IOException {
+			/*int version = */readHeader(is,MAGIC,VERSION);
+			// If Version Changes between Production runs, you'll need to do a switch Statement, and adequately read in fields
+			byte[] buff = new byte[BUFF_SIZE];
+			data.ns = readString(is, buff);
+			data.name = readString(is,buff);
+			data.perms = readStringSet(is,buff);
+			data.description = readString(is,buff);
+		}
+    };
+
+	private void init(AuthzTrans trans) {
+		String[] helpers = setCRUD(trans, TABLE, Data.class, RoleLoader.deflt);
+		
+		psNS = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + " FROM " + TABLE +
+				" WHERE ns = ?", new RoleLoader(1),readConsistency);
+
+		psName = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + " FROM " + TABLE +
+				" WHERE name = ?", new RoleLoader(1),readConsistency);
+
+		psChildren = new PSInfo(trans, SELECT_SP +  helpers[FIELD_COMMAS] +  " FROM " + TABLE + 
+				" WHERE ns=? AND name > ? AND name < ?", 
+				new RoleLoader(3) {
+			@Override
+			protected void key(Data data, int _idx, Object[] obj) {
+			    	int idx = _idx;
+				obj[idx] = data.ns;
+				obj[++idx]=data.name + DOT;
+				obj[++idx]=data.name + DOT_PLUS_ONE;
+			}
+		},readConsistency);
+		
+	}
+
+	public Result<List<Data>> readNS(AuthzTrans trans, String ns) {
+		return psNS.read(trans, R_TEXT + " NS " + ns, new Object[]{ns});
+	}
+
+	public Result<List<Data>> readName(AuthzTrans trans, String name) {
+		return psName.read(trans, R_TEXT + name, new Object[]{name});
+	}
+
+	public Result<List<Data>> readChildren(AuthzTrans trans, String ns, String role) {
+		if(role.length()==0 || "*".equals(role)) {
+			return psChildren.read(trans, R_TEXT, new Object[]{ns, FIRST_CHAR, LAST_CHAR}); 
+		} else {
+			return psChildren.read(trans, R_TEXT, new Object[]{ns, role+DOT, role+DOT_PLUS_ONE});
+		}
+	}
+
+	/**
+	 * Add a single Permission to the Role's Permission Collection
+	 * 
+	 * @param trans
+	 * @param role
+	 * @param perm
+	 * @param type
+	 * @param action
+	 * @return
+	 */
+	public Result<Void> addPerm(AuthzTrans trans, RoleDAO.Data role, PermDAO.Data perm) {
+		// Note: Prepared Statements for Collection updates aren't supported
+		String pencode = perm.encode();
+		try {
+			getSession(trans).execute(UPDATE_SP + TABLE + " SET perms = perms + {'" + 
+				pencode + "'} WHERE " +
+				"ns = '" + role.ns + "' AND name = '" + role.name + "';");
+		} catch (DriverException | APIException | IOException e) {
+			reportPerhapsReset(trans,e);
+			return Result.err(Result.ERR_Backend, CassAccess.ERR_ACCESS_MSG);
+		}
+
+		wasModified(trans, CRUD.update, role, "Added permission " + pencode + " to role " + role.fullName());
+		return Result.ok();
+	}
+
+	/**
+	 * Remove a single Permission from the Role's Permission Collection
+	 * @param trans
+	 * @param role
+	 * @param perm
+	 * @param type
+	 * @param action
+	 * @return
+	 */
+	public Result<Void> delPerm(AuthzTrans trans, RoleDAO.Data role, PermDAO.Data perm) {
+		// Note: Prepared Statements for Collection updates aren't supported
+
+		String pencode = perm.encode();
+		
+		//ResultSet rv =
+		try {
+			getSession(trans).execute(UPDATE_SP + TABLE + " SET perms = perms - {'" + 
+				pencode	+ "'} WHERE " +
+				"ns = '" + role.ns + "' AND name = '" + role.name + "';");
+		} catch (DriverException | APIException | IOException e) {
+			reportPerhapsReset(trans,e);
+			return Result.err(Result.ERR_Backend, CassAccess.ERR_ACCESS_MSG);
+		}
+
+		//TODO how can we tell when it doesn't?
+		wasModified(trans, CRUD.update, role, "Removed permission " + pencode + " from role " + role.fullName() );
+		return Result.ok();
+	}
+	
+	/**
+	 * Add description to role
+	 * 
+	 * @param trans
+	 * @param ns
+	 * @param name
+	 * @param description
+	 * @return
+	 */
+	public Result<Void> addDescription(AuthzTrans trans, String ns, String name, String description) {
+		try {
+			getSession(trans).execute(UPDATE_SP + TABLE + " SET description = '" 
+				+ description + "' WHERE ns = '" + ns + "' AND name = '" + name + "';");
+		} catch (DriverException | APIException | IOException e) {
+			reportPerhapsReset(trans,e);
+			return Result.err(Result.ERR_Backend, CassAccess.ERR_ACCESS_MSG);
+		}
+
+		Data data = new Data();
+		data.ns=ns;
+		data.name=name;
+		wasModified(trans, CRUD.update, data, "Added description " + description + " to role " + data.fullName(), null );
+		return Result.ok();
+	}
+	
+	
+    /**
+     * Log Modification statements to History
+     * @param modified           which CRUD action was done
+     * @param data               entity data that needs a log entry
+     * @param overrideMessage    if this is specified, we use it rather than crafting a history message based on data
+     */
+    @Override
+    protected void wasModified(AuthzTrans trans, CRUD modified, Data data, String ... override) {
+    	boolean memo = override.length>0 && override[0]!=null;
+    	boolean subject = override.length>1 && override[1]!=null;
+
+    	HistoryDAO.Data hd = HistoryDAO.newInitedData();
+        hd.user = trans.user();
+        hd.action = modified.name();
+        hd.target = TABLE;
+        hd.subject = subject ? override[1] : data.fullName();
+        hd.memo = memo ? override[0] : (data.fullName() + " was "  + modified.name() + 'd' );
+		if(modified==CRUD.delete) {
+			try {
+				hd.reconstruct = data.bytify();
+			} catch (IOException e) {
+				trans.error().log(e,"Could not serialize RoleDAO.Data");
+			}
+		}
+
+        if(historyDAO.create(trans, hd).status!=Status.OK) {
+        	trans.error().log("Cannot log to History");
+        }
+        if(infoDAO.touch(trans, TABLE,data.invalidate(cache)).notOK()) {
+        	trans.error().log("Cannot touch CacheInfo for Role");
+        }
+    }
+
+    
+}
+\ No newline at end of file
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/Status.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/Status.java
new file mode 100644
index 00000000..be52c406
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/Status.java
@@ -0,0 +1,88 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cass;
+
+import org.onap.aaf.auth.layer.Result;
+
+
+
+
+/**
+ * Add additional Behavior for Specific Applications for Results
+ * 
+ * In this case, we add additional BitField information accessible by
+ * method (
+ * @author Jonathan
+ *
+ * @param <RV>
+ */
+public class Status<RV> extends Result<RV> {
+	
+	// Jonathan 10/1/2013:  Initially, I used enum, but it's not extensible.
+    public final static int ERR_NsNotFound = Result.ERR_General+1,
+    						ERR_RoleNotFound = Result.ERR_General+2,
+    						ERR_PermissionNotFound = Result.ERR_General+3, 
+    						ERR_UserNotFound = Result.ERR_General+4,
+    						ERR_UserRoleNotFound = Result.ERR_General+5,
+    						ERR_DelegateNotFound = Result.ERR_General+6,
+    						ERR_InvalidDelegate = Result.ERR_General+7,
+    						ERR_DependencyExists = Result.ERR_General+8,
+    						ERR_NoApprovals = Result.ERR_General+9,
+    						ACC_Now = Result.ERR_General+10,
+    						ACC_Future = Result.ERR_General+11,
+    						ERR_ChoiceNeeded = Result.ERR_General+12,
+    						ERR_FutureNotRequested = Result.ERR_General+13;
+  
+	/**
+     * Constructor for Result set. 
+     * @param data
+     * @param status
+     */
+    private Status(RV value, int status, String details, String[] variables ) {
+    	super(value,status,details,variables);
+    }
+
+	public static String name(int status) {
+		switch(status) {
+			case OK: return "OK";
+			case ERR_NsNotFound: return "ERR_NsNotFound";
+			case ERR_RoleNotFound: return "ERR_RoleNotFound";
+			case ERR_PermissionNotFound: return "ERR_PermissionNotFound"; 
+			case ERR_UserNotFound: return "ERR_UserNotFound";
+			case ERR_UserRoleNotFound: return "ERR_UserRoleNotFound";
+			case ERR_DelegateNotFound: return "ERR_DelegateNotFound";
+			case ERR_InvalidDelegate: return "ERR_InvalidDelegate";
+			case ERR_ConflictAlreadyExists: return "ERR_ConflictAlreadyExists";
+			case ERR_DependencyExists: return "ERR_DependencyExists";
+			case ERR_ActionNotCompleted: return "ERR_ActionNotCompleted";
+			case ERR_Denied: return "ERR_Denied";
+			case ERR_Policy: return "ERR_Policy";
+			case ERR_BadData: return "ERR_BadData";
+			case ERR_NotImplemented: return "ERR_NotImplemented";
+			case ERR_NotFound: return "ERR_NotFound";
+			case ERR_ChoiceNeeded: return "ERR_ChoiceNeeded";
+		}
+		//case ERR_General:   or unknown... 
+		return "ERR_General";
+	}
+    
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/UserRoleDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/UserRoleDAO.java
new file mode 100644
index 00000000..301e47fc
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/UserRoleDAO.java
@@ -0,0 +1,319 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cass;
+
+import java.io.ByteArrayOutputStream;
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.Date;
+import java.util.List;
+
+import org.onap.aaf.auth.dao.Bytification;
+import org.onap.aaf.auth.dao.Cached;
+import org.onap.aaf.auth.dao.CassDAOImpl;
+import org.onap.aaf.auth.dao.DAOException;
+import org.onap.aaf.auth.dao.Loader;
+import org.onap.aaf.auth.dao.Streamer;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.Row;
+
+public class UserRoleDAO extends CassDAOImpl<AuthzTrans,UserRoleDAO.Data> {
+	public static final String TABLE = "user_role";
+	
+    public static final int CACHE_SEG = 0x40; // yields segment 0x0-0x3F
+
+	private static final String TRANS_UR_SLOT = "_TRANS_UR_SLOT_";
+	public Slot transURSlot;
+	
+	private final HistoryDAO historyDAO;
+	private final CacheInfoDAO infoDAO;
+	
+	private PSInfo psByUser, psByRole, psUserInRole;
+
+
+
+	public UserRoleDAO(AuthzTrans trans, Cluster cluster, String keyspace) throws APIException, IOException {
+		super(trans, UserRoleDAO.class.getSimpleName(),cluster,keyspace,Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+		transURSlot = trans.slot(TRANS_UR_SLOT);
+		init(trans);
+
+		// Set up sub-DAOs
+		historyDAO = new HistoryDAO(trans, this);
+		infoDAO = new CacheInfoDAO(trans,this);
+	}
+
+	public UserRoleDAO(AuthzTrans trans, HistoryDAO hDAO, CacheInfoDAO ciDAO) {
+		super(trans, UserRoleDAO.class.getSimpleName(),hDAO,Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+		transURSlot = trans.slot(TRANS_UR_SLOT);
+		historyDAO = hDAO;
+		infoDAO = ciDAO;
+		init(trans);
+	}
+
+	private static final int KEYLIMIT = 2;
+	public static class Data extends CacheableData implements Bytification {
+		public String  user;
+		public String  role;
+		public String  ns; 
+		public String  rname; 
+		public Date   expires;
+		
+		@Override
+		public int[] invalidate(Cached<?,?> cache) {
+			// Note: I'm not worried about Name collisions, because the formats are different:
+			// Jonathan... etc versus
+			// com. ...
+			// The "dot" makes the difference.
+			return new int[] {
+				seg(cache,user,role),
+				seg(cache,user),
+				seg(cache,role)
+			};
+		}
+
+		@Override
+		public ByteBuffer bytify() throws IOException {
+			ByteArrayOutputStream baos = new ByteArrayOutputStream();
+			URLoader.deflt.marshal(this,new DataOutputStream(baos));
+			return ByteBuffer.wrap(baos.toByteArray());
+		}
+		
+		@Override
+		public void reconstitute(ByteBuffer bb) throws IOException {
+			URLoader.deflt.unmarshal(this, toDIS(bb));
+		}
+
+		public void role(String ns, String rname) {
+			this.ns = ns;
+			this.rname = rname;
+			this.role = ns + '.' + rname;
+		}
+		
+		public void role(RoleDAO.Data rdd) {
+			ns = rdd.ns;
+			rname = rdd.name;
+			role = rdd.fullName();
+		}
+
+		
+		public boolean role(AuthzTrans trans, Question ques, String role) {
+			this.role = role;
+			Result<NsSplit> rnss = ques.deriveNsSplit(trans, role);
+			if(rnss.isOKhasData()) {
+				ns = rnss.value.ns;
+				rname = rnss.value.name;
+				return true;
+			} else {
+				return false;
+			}
+		}
+
+		@Override
+		public String toString() {
+			return user + '|' + ns + '|' +  rname + '|' + Chrono.dateStamp(expires);
+		}
+
+
+	}
+	
+	private static class URLoader extends Loader<Data> implements Streamer<Data> {
+		public static final int MAGIC=738469903;
+    	public static final int VERSION=1;
+    	public static final int BUFF_SIZE=48;
+    	
+    	public static final URLoader deflt = new URLoader(KEYLIMIT);
+
+		public URLoader(int keylimit) {
+			super(keylimit);
+		}
+
+		@Override
+		public Data load(Data data, Row row) {
+			data.user = row.getString(0);
+			data.role = row.getString(1);
+			data.ns = row.getString(2);
+			data.rname = row.getString(3);
+			data.expires = row.getTimestamp(4);
+			return data;
+		}
+
+		@Override
+		protected void key(Data data, int _idx, Object[] obj) {
+		    	int idx = _idx;
+			obj[idx]=data.user;
+			obj[++idx]=data.role;
+		}
+
+		@Override
+		protected void body(Data data, int _idx, Object[] obj) {
+		    	int idx = _idx;
+			obj[idx]=data.ns;
+			obj[++idx]=data.rname;
+			obj[++idx]=data.expires;
+		}
+		
+		@Override
+		public void marshal(Data data, DataOutputStream os) throws IOException {
+			writeHeader(os,MAGIC,VERSION);
+
+			writeString(os, data.user);
+			writeString(os, data.role);
+			writeString(os, data.ns);
+			writeString(os, data.rname);
+			os.writeLong(data.expires==null?-1:data.expires.getTime());
+		}
+
+		@Override
+		public void unmarshal(Data data, DataInputStream is) throws IOException {
+			/*int version = */readHeader(is,MAGIC,VERSION);
+			// If Version Changes between Production runs, you'll need to do a switch Statement, and adequately read in fields
+			
+			byte[] buff = new byte[BUFF_SIZE];
+			data.user = readString(is,buff);
+			data.role = readString(is,buff);
+			data.ns = readString(is,buff);
+			data.rname = readString(is,buff);
+			long l = is.readLong();
+			data.expires = l<0?null:new Date(l);
+		}
+
+	};
+	
+	private void init(AuthzTrans trans) {
+		String[] helper = setCRUD(trans, TABLE, Data.class, URLoader.deflt);
+		
+		psByUser = new PSInfo(trans, SELECT_SP + helper[FIELD_COMMAS] + " FROM user_role WHERE user = ?", 
+			new URLoader(1) {
+				@Override
+				protected void key(Data data, int idx, Object[] obj) {
+					obj[idx]=data.user;
+				}
+			},readConsistency);
+		
+		// Note: We understand this call may have poor performance, so only should be used in Management (Delete) func
+		psByRole = new PSInfo(trans, SELECT_SP + helper[FIELD_COMMAS] + " FROM user_role WHERE role = ? ALLOW FILTERING", 
+				new URLoader(1) {
+					@Override
+					protected void key(Data data, int idx, Object[] obj) {
+						obj[idx]=data.role;
+					}
+				},readConsistency);
+		
+		psUserInRole = new PSInfo(trans,SELECT_SP + helper[FIELD_COMMAS] + " FROM user_role WHERE user = ? AND role = ?",
+				URLoader.deflt,readConsistency);
+	}
+
+	public Result<List<Data>> readByUser(AuthzTrans trans, String user) {
+		return psByUser.read(trans, R_TEXT + " by User " + user, new Object[]{user});
+	}
+
+	/**
+	 * Note: Use Sparingly. Cassandra's forced key structure means this will perform fairly poorly
+	 * @param trans
+	 * @param role
+	 * @return
+	 * @throws DAOException
+	 */
+	public Result<List<Data>> readByRole(AuthzTrans trans, String role) {
+		return psByRole.read(trans, R_TEXT + " by Role " + role, new Object[]{role});
+	}
+	
+	/**
+	 * Direct Lookup of User Role
+	 * Don't forget to check for Expiration
+	 */
+	public Result<List<Data>> readByUserRole(AuthzTrans trans, String user, String role) {
+		return psUserInRole.read(trans, R_TEXT + " by User " + user + " and Role " + role, new Object[]{user,role});
+	}
+
+
+	/**
+     * Log Modification statements to History
+     * @param modified           which CRUD action was done
+     * @param data               entity data that needs a log entry
+     * @param overrideMessage    if this is specified, we use it rather than crafting a history message based on data
+     */
+	@Override
+	protected void wasModified(AuthzTrans trans, CRUD modified, Data data, String ... override) {
+    	boolean memo = override.length>0 && override[0]!=null;
+    	boolean subject = override.length>1 && override[1]!=null;
+
+		HistoryDAO.Data hd = HistoryDAO.newInitedData();
+		HistoryDAO.Data hdRole = HistoryDAO.newInitedData();
+		
+        hd.user = hdRole.user = trans.user();
+		hd.action = modified.name();
+		// Modifying User/Role is an Update to Role, not a Create.  Jonathan, 07-14-2015
+		hdRole.action = CRUD.update.name();
+		hd.target = TABLE;
+		hdRole.target = RoleDAO.TABLE;
+		hd.subject = subject?override[1] : (data.user + '|'+data.role);
+		hdRole.subject = data.role;
+		switch(modified) {
+			case create: 
+				hd.memo = hdRole.memo = memo
+					? String.format("%s by %s", override[0], hd.user)
+					: String.format("%s added to %s",data.user,data.role);	
+				break;
+			case update: 
+				hd.memo = hdRole.memo = memo
+					? String.format("%s by %s", override[0], hd.user)
+					: String.format("%s - %s was updated",data.user,data.role);
+				break;
+			case delete: 
+				hd.memo = hdRole.memo = memo
+					? String.format("%s by %s", override[0], hd.user)
+					: String.format("%s removed from %s",data.user,data.role);
+				try {
+					hd.reconstruct = hdRole.reconstruct = data.bytify();
+				} catch (IOException e) {
+					trans.warn().log(e,"Deleted UserRole could not be serialized");
+				}
+				break;
+			default:
+				hd.memo = hdRole.memo = memo
+				? String.format("%s by %s", override[0], hd.user)
+				: "n/a";
+		}
+
+		if(historyDAO.create(trans, hd).status!=Status.OK) {
+        	trans.error().log("Cannot log to History");
+		}
+		
+		if(historyDAO.create(trans, hdRole).status!=Status.OK) {
+        	trans.error().log("Cannot log to History");
+		}
+		// uses User as Segment
+        if(infoDAO.touch(trans, TABLE,data.invalidate(cache)).notOK()) {
+        	trans.error().log("Cannot touch CacheInfo");
+        }
+	}
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/CassExecutor.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/CassExecutor.java
new file mode 100644
index 00000000..1979db28
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/CassExecutor.java
@@ -0,0 +1,73 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.hl;
+
+import org.onap.aaf.auth.dao.cass.NsSplit;
+import org.onap.aaf.auth.dao.cass.NsDAO.Data;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.org.Executor;
+
+public class CassExecutor implements Executor {
+
+	private Question q;
+	private Function f;
+	private AuthzTrans trans;
+
+	public CassExecutor(AuthzTrans trans, Function f) {
+		this.trans = trans;
+		this.f = f;
+		this.q = this.f.q;
+	}
+
+	@Override
+	public boolean hasPermission(String user, String ns, String type, String instance, String action) {
+		return isGranted(user, ns, type, instance, action);
+	}
+
+	@Override
+	public boolean inRole(String name) {
+		Result<NsSplit> nss = q.deriveNsSplit(trans, name);
+		if(nss.notOK())return false;
+		return q.roleDAO.read(trans, nss.value.ns,nss.value.name).isOKhasData();
+	}
+
+	public boolean isGranted(String user, String ns, String type, String instance, String action) {
+		return q.isGranted(trans, user, ns, type, instance,action);
+	}
+
+	@Override
+	public String namespace() throws Exception {
+		Result<Data> res = q.validNSOfDomain(trans,trans.user());
+		if(res.isOK()) {
+			String user[] = trans.user().split("\\.");
+			return user[user.length-1] + '.' + user[user.length-2];
+		}
+		throw new Exception(res.status + ' ' + res.details);
+	}
+
+	@Override
+	public String id() {
+		return trans.user();
+	}
+
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Function.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Function.java
new file mode 100644
index 00000000..1f679075
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Function.java
@@ -0,0 +1,1792 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.hl;
+
+import static org.onap.aaf.auth.layer.Result.OK;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.GregorianCalendar;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.UUID;
+
+import org.onap.aaf.auth.common.Define;
+import org.onap.aaf.auth.dao.DAOException;
+import org.onap.aaf.auth.dao.cass.ApprovalDAO;
+import org.onap.aaf.auth.dao.cass.CredDAO;
+import org.onap.aaf.auth.dao.cass.DelegateDAO;
+import org.onap.aaf.auth.dao.cass.FutureDAO;
+import org.onap.aaf.auth.dao.cass.Namespace;
+import org.onap.aaf.auth.dao.cass.NsDAO;
+import org.onap.aaf.auth.dao.cass.NsSplit;
+import org.onap.aaf.auth.dao.cass.NsType;
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.dao.cass.UserRoleDAO;
+import org.onap.aaf.auth.dao.cass.NsDAO.Data;
+import org.onap.aaf.auth.dao.hl.Question.Access;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.env.AuthzTrans.REQD_TYPE;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.org.Executor;
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.auth.org.Organization.Expiration;
+import org.onap.aaf.auth.org.Organization.Identity;
+import org.onap.aaf.auth.org.Organization.Policy;
+
+public class Function {
+
+	private static final String CANNOT_BE_THE_OWNER_OF_A_NAMESPACE = "%s(%s) cannot be the owner of the namespace '%s'. Owners %s.";
+
+	public enum FUTURE_OP {
+		C("Create"),U("Update"),D("Delete"),G("Grant"),UG("UnGrant"),A("Approval");
+		
+		private String desc;
+	
+		private FUTURE_OP(String desc) {
+			this.desc = desc;
+		}
+		
+		public String desc() {
+			return desc;
+		}
+		
+		/**
+		 *  Same as valueOf(), but passes back null instead of throwing Exception
+		 * @param value
+		 * @return
+		 */
+		public static FUTURE_OP toFO(String value) {
+			if(value!=null) {
+				for(FUTURE_OP fo : values()) {
+					if(fo.name().equals(value)){
+						return fo;
+					}
+				}
+			}
+			return null;
+		}
+	}
+
+	public enum OP_STATUS {
+		E("Executed"),D("Denied"),P("Pending"),L("Lapsed");
+		
+		private String desc;
+		public final static Result<OP_STATUS> RE = Result.ok(OP_STATUS.E);
+		public final static Result<OP_STATUS> RD = Result.ok(OP_STATUS.D);
+		public final static Result<OP_STATUS> RP = Result.ok(OP_STATUS.P);
+		public final static Result<OP_STATUS> RL = Result.ok(OP_STATUS.L);
+
+		private OP_STATUS(String desc) {
+			this.desc = desc;
+		}
+		
+		public String desc() {
+			return desc;
+		}
+		
+	}
+
+	public static final String FOP_CRED = "cred";
+	public static final String FOP_DELEGATE = "delegate";
+	public static final String FOP_NS = "ns";
+	public static final String FOP_PERM = "perm";
+	public static final String FOP_ROLE = "role";
+	public static final String FOP_USER_ROLE = "user_role";
+	private static final List<Identity> NO_ADDL_APPROVE = new ArrayList<Identity>();
+	private static final String ROOT_NS = Define.ROOT_NS();
+	// First Action should ALWAYS be "write", see "CreateRole"
+	public final Question q;
+
+	public Function(AuthzTrans trans, Question question) {
+		q = question;
+	}
+
+	private class ErrBuilder {
+		private StringBuilder sb;
+		private List<String> ao;
+
+		public void log(Result<?> result) {
+			if (result.notOK()) {
+				if (sb == null) {
+					sb = new StringBuilder();
+					ao = new ArrayList<String>();
+				}
+				sb.append(result.details);
+				sb.append('\n');
+				for (String s : result.variables) {
+					ao.add(s);
+				}
+			}
+		}
+
+		public String[] vars() {
+			String[] rv = new String[ao.size()];
+			ao.toArray(rv);
+			return rv;
+		}
+
+		public boolean hasErr() {
+			return sb != null;
+		}
+
+		@Override
+		public String toString() {
+			return sb == null ? "" : String.format(sb.toString(), ao);
+		}
+	}
+
+	/**
+	 * createNS
+	 * 
+	 * Create Namespace
+	 * 
+	 * @param trans
+	 * @param org
+	 * @param ns
+	 * @param user
+	 * @return
+	 * @throws DAOException
+	 * 
+	 *             To create an NS, you need to: 1) validate permission to
+	 *             modify parent NS 2) Does NS exist already? 3) Create NS with
+	 *             a) "user" as owner. NOTE: Per 10-15 request for AAF 1.0 4)
+	 *             Loop through Roles with Parent NS, and map any that start
+	 *             with this NS into this one 5) Loop through Perms with Parent
+	 *             NS, and map any that start with this NS into this one
+	 */
+	public Result<Void> createNS(AuthzTrans trans, Namespace namespace, boolean fromApproval) {
+		Result<?> rq;
+//		if (namespace.name.endsWith(Question.DOT_ADMIN)
+//				|| namespace.name.endsWith(Question.DOT_OWNER)) {
+//			return Result.err(Status.ERR_BadData,
+//					"'admin' and 'owner' are reserved names in AAF");
+//		}
+
+		try {
+			for (String u : namespace.owner) {
+				Organization org = trans.org();
+				Identity orgUser = org.getIdentity(trans, u);
+				String reason;
+				if (orgUser == null) {
+					return Result.err(Status.ERR_Policy,"%s is not a valid user at %s",u,org.getName());	
+				} else if((reason=orgUser.mayOwn())!=null) {
+					if (org.isTestEnv()) {
+						String reason2;
+						if((reason2=org.validate(trans, Policy.AS_RESPONSIBLE,new CassExecutor(trans, this), u))!=null) { // can masquerade as responsible
+							trans.debug().log(reason2);
+							return Result.err(Status.ERR_Policy,CANNOT_BE_THE_OWNER_OF_A_NAMESPACE,orgUser.fullName(),orgUser.id(),namespace.name,reason);
+						}
+						// a null means ok
+					} else {
+						if(orgUser.isFound()) {
+							return Result.err(Status.ERR_Policy,CANNOT_BE_THE_OWNER_OF_A_NAMESPACE,orgUser.fullName(),orgUser.id(),namespace.name, reason);
+						} else {
+							return Result.err(Status.ERR_Policy,u + " is an invalid Identity");
+						}
+					}
+				}
+			}
+		} catch (Exception e) {
+			trans.error().log(e,
+					"Could not contact Organization for User Validation");
+		}
+
+		String user = trans.user();
+		// 1) May Change Parent?
+		int idx = namespace.name.lastIndexOf('.');
+		String parent;
+		if (idx < 0) {
+			if (!q.isGranted(trans, user, ROOT_NS,Question.NS, ".", "create")) {
+				return Result.err(Result.ERR_Security,
+						"%s may not create Root Namespaces", user);
+			}
+			parent = null;
+			fromApproval = true;
+		} else {
+			parent = namespace.name.substring(0, idx); // get Parent String
+		}
+
+		Result<NsDAO.Data> rparent = q.deriveNs(trans, parent);
+		if (rparent.notOK()) {
+			return Result.err(rparent);
+		}
+		if (!fromApproval) {
+			rparent = q.mayUser(trans, user, rparent.value, Access.write);
+			if (rparent.notOK()) {
+				return Result.err(rparent);
+			}
+		}
+		parent = namespace.parent = rparent.value.name; // Correct Namespace from real data
+
+		// 2) Does requested NS exist
+		if (q.nsDAO.read(trans, namespace.name).isOKhasData()) {
+			return Result.err(Status.ERR_ConflictAlreadyExists,
+					"Target Namespace already exists");
+		}
+
+		// Someone must be responsible.
+		if (namespace.owner == null || namespace.owner.isEmpty()) {
+			return Result
+					.err(Status.ERR_Policy,
+							"Namespaces must be assigned at least one responsible party");
+		}
+
+		// 3) Create NS
+		Date now = new Date();
+
+		Result<Void> r;
+		// 3a) Admin
+
+		try {
+			// Originally, added the enterer as Admin, but that's not necessary,
+			// or helpful for Operations folks..
+			// Admins can be empty, because they can be changed by lower level
+			// NSs
+			// if(ns.admin(false).isEmpty()) {
+			// ns.admin(true).add(user);
+			// }
+			if (namespace.admin != null) {
+				for (String u : namespace.admin) {
+					if ((r = checkValidID(trans, now, u)).notOK()) {
+						return r;
+					}
+				}
+			}
+
+			// 3b) Responsible
+			Organization org = trans.org();
+			for (String u : namespace.owner) {
+				Identity orgUser = org.getIdentity(trans, u);
+				if (orgUser == null) {
+					return Result
+							.err(Status.ERR_BadData,
+									"NS must be created with an %s approved Responsible Party",
+									org.getName());
+				}
+			}
+		} catch (Exception e) {
+			return Result.err(Status.ERR_UserNotFound, e.getMessage());
+		}
+
+		// VALIDATIONS done... Add NS
+		if ((rq = q.nsDAO.create(trans, namespace.data())).notOK()) {
+		    return Result.err(rq);
+		}
+
+		// Since Namespace is now created, we need to grab all subsequent errors
+		ErrBuilder eb = new ErrBuilder();
+
+		// Add UserRole(s)
+		UserRoleDAO.Data urdd = new UserRoleDAO.Data();
+		urdd.expires = trans.org().expiration(null, Expiration.UserInRole).getTime();
+		urdd.role(namespace.name, Question.ADMIN);
+		for (String admin : namespace.admin) {
+			urdd.user = admin;
+			eb.log(q.userRoleDAO.create(trans, urdd));
+		}
+		urdd.role(namespace.name,Question.OWNER);
+		for (String owner : namespace.owner) {
+			urdd.user = owner;
+			eb.log(q.userRoleDAO.create(trans, urdd));
+		}
+
+		addNSAdminRolesPerms(trans, eb, namespace.name);
+
+		addNSOwnerRolesPerms(trans, eb, namespace.name);
+
+		if (parent != null) {
+			// Build up with any errors
+
+			String targetNs = rparent.value.name; // Get the Parent Namespace,
+													// not target
+			String targetName = namespace.name.substring(targetNs.length() + 1); // Remove the Parent Namespace from the
+									// Target + a dot, and you'll get the name
+			int targetNameDot = targetName.length() + 1;
+
+			// 4) Change any roles with children matching this NS, and
+			Result<List<RoleDAO.Data>> rrdc = q.roleDAO.readChildren(trans,	targetNs, targetName);
+			if (rrdc.isOKhasData()) {
+				for (RoleDAO.Data rdd : rrdc.value) {
+					// Remove old Role from Perms, save them off
+					List<PermDAO.Data> lpdd = new ArrayList<PermDAO.Data>();
+					for(String p : rdd.perms(false)) {
+						Result<PermDAO.Data> rpdd = PermDAO.Data.decode(trans,q,p);
+						if(rpdd.isOKhasData()) {
+							PermDAO.Data pdd = rpdd.value;
+							lpdd.add(pdd);
+							q.permDAO.delRole(trans, pdd, rdd);
+						} else{
+							trans.error().log(rpdd.errorString());
+						}
+					}
+					
+					// Save off Old keys
+					String delP1 = rdd.ns;
+					String delP2 = rdd.name;
+
+					// Write in new key
+					rdd.ns = namespace.name;
+					rdd.name = (delP2.length() > targetNameDot) ? delP2
+							.substring(targetNameDot) : "";
+							
+					// Need to use non-cached, because switching namespaces, not
+					// "create" per se
+					if ((rq = q.roleDAO.create(trans, rdd)).isOK()) {
+						// Put Role back into Perm, with correct info
+						for(PermDAO.Data pdd : lpdd) {
+							q.permDAO.addRole(trans, pdd, rdd);
+						}
+						// Change data for User Roles 
+						Result<List<UserRoleDAO.Data>> rurd = q.userRoleDAO.readByRole(trans, rdd.fullName());
+						if(rurd.isOKhasData()) {
+							for(UserRoleDAO.Data urd : rurd.value) {
+								urd.ns = rdd.ns;
+								urd.rname = rdd.name;
+								q.userRoleDAO.update(trans, urd);
+							}
+						}
+						// Now delete old one
+						rdd.ns = delP1;
+						rdd.name = delP2;
+						if ((rq = q.roleDAO.delete(trans, rdd, false)).notOK()) {
+							eb.log(rq);
+						}
+					} else {
+						eb.log(rq);
+					}
+				}
+			}
+
+			// 4) Change any Permissions with children matching this NS, and
+			Result<List<PermDAO.Data>> rpdc = q.permDAO.readChildren(trans,targetNs, targetName);
+			if (rpdc.isOKhasData()) {
+				for (PermDAO.Data pdd : rpdc.value) {
+					// Remove old Perm from Roles, save them off
+					List<RoleDAO.Data> lrdd = new ArrayList<RoleDAO.Data>();
+					
+					for(String rl : pdd.roles(false)) {
+						Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,q,rl);
+						if(rrdd.isOKhasData()) {
+							RoleDAO.Data rdd = rrdd.value;
+							lrdd.add(rdd);
+							q.roleDAO.delPerm(trans, rdd, pdd);
+						} else{
+							trans.error().log(rrdd.errorString());
+						}
+					}
+					
+					// Save off Old keys
+					String delP1 = pdd.ns;
+					String delP2 = pdd.type;
+					pdd.ns = namespace.name;
+					pdd.type = (delP2.length() > targetNameDot) ? delP2
+							.substring(targetNameDot) : "";
+					if ((rq = q.permDAO.create(trans, pdd)).isOK()) {
+						// Put Role back into Perm, with correct info
+						for(RoleDAO.Data rdd : lrdd) {
+							q.roleDAO.addPerm(trans, rdd, pdd);
+						}
+
+						pdd.ns = delP1;
+						pdd.type = delP2;
+						if ((rq = q.permDAO.delete(trans, pdd, false)).notOK()) {
+							eb.log(rq);
+							// } else {
+							// Need to invalidate directly, because we're
+							// switching places in NS, not normal cache behavior
+							// q.permDAO.invalidate(trans,pdd);
+						}
+					} else {
+						eb.log(rq);
+					}
+				}
+			}
+			if (eb.hasErr()) {
+				return Result.err(Status.ERR_ActionNotCompleted,eb.sb.toString(), eb.vars());
+			}
+		}
+		return Result.ok();
+	}
+
+	private void addNSAdminRolesPerms(AuthzTrans trans, ErrBuilder eb, String ns) {
+		// Admin Role/Perm
+		RoleDAO.Data rd = new RoleDAO.Data();
+		rd.ns = ns;
+		rd.name = "admin";
+		rd.description = "AAF Namespace Administrators";
+
+		PermDAO.Data pd = new PermDAO.Data();
+		pd.ns = ns;
+		pd.type = "access";
+		pd.instance = Question.ASTERIX;
+		pd.action = Question.ASTERIX;
+		pd.description = "AAF Namespace Write Access";
+
+		rd.perms = new HashSet<String>();
+		rd.perms.add(pd.encode());
+		eb.log(q.roleDAO.create(trans, rd));
+
+		pd.roles = new HashSet<String>();
+		pd.roles.add(rd.encode());
+		eb.log(q.permDAO.create(trans, pd));
+	}
+
+	private void addNSOwnerRolesPerms(AuthzTrans trans, ErrBuilder eb, String ns) {
+		RoleDAO.Data rd = new RoleDAO.Data();
+		rd.ns = ns;
+		rd.name = "owner";
+		rd.description = "AAF Namespace Owners";
+
+		PermDAO.Data pd = new PermDAO.Data();
+		pd.ns = ns;
+		pd.type = "access";
+		pd.instance = Question.ASTERIX;
+		pd.action = Question.READ;
+		pd.description = "AAF Namespace Read Access";
+
+		rd.perms = new HashSet<String>();
+		rd.perms.add(pd.encode());
+		eb.log(q.roleDAO.create(trans, rd));
+
+		pd.roles = new HashSet<String>();
+		pd.roles.add(rd.encode());
+		eb.log(q.permDAO.create(trans, pd));
+	}
+
+	/**
+	 * deleteNS
+	 * 
+	 * Delete Namespace
+	 * 
+	 * @param trans
+	 * @param org
+	 * @param ns
+	 * @param force
+	 * @param user
+	 * @return
+	 * @throws DAOException
+	 * 
+	 * 
+	 *             To delete an NS, you need to: 1) validate permission to
+	 *             modify this NS 2) Find all Roles with this NS, and 2a) if
+	 *             Force, delete them, else modify to Parent NS 3) Find all
+	 *             Perms with this NS, and modify to Parent NS 3a) if Force,
+	 *             delete them, else modify to Parent NS 4) Find all IDs
+	 *             associated to this NS, and deny if exists. 5) Remove NS
+	 */
+	public Result<Void> deleteNS(AuthzTrans trans, String ns) {
+		boolean force = trans.requested(REQD_TYPE.force);
+		boolean move = trans.requested(REQD_TYPE.move);
+		// 1) Validate
+		Result<List<NsDAO.Data>> nsl;
+		if ((nsl = q.nsDAO.read(trans, ns)).notOKorIsEmpty()) {
+			return Result.err(Status.ERR_NsNotFound, "%s does not exist", ns);
+		}
+		NsDAO.Data nsd = nsl.value.get(0);
+		NsType nt;
+		if (move && !q.canMove(nt = NsType.fromType(nsd.type))) {
+			return Result.err(Status.ERR_Denied, "Namespace Force=move not permitted for Type %s",nt.name());
+		}
+
+		Result<NsDAO.Data> dnr = q.mayUser(trans, trans.user(), nsd, Access.write);
+		if (dnr.status != Status.OK) {
+			return Result.err(dnr);
+		}
+
+		// 2) Find Parent
+		String user = trans.user();
+		int idx = ns.lastIndexOf('.');
+		NsDAO.Data parent;
+		if (idx < 0) {
+			if (!q.isGranted(trans, user, ROOT_NS,Question.NS, ".", "delete")) {
+				return Result.err(Result.ERR_Security,
+						"%s may not delete Root Namespaces", user);
+			}
+			parent = null;
+		} else {
+			Result<NsDAO.Data> rlparent = q.deriveNs(trans,	ns.substring(0, idx));
+			if (rlparent.notOKorIsEmpty()) {
+				return Result.err(rlparent);
+			}
+			parent = rlparent.value;
+		}
+
+		// Build up with any errors
+		// If sb != null below is an indication of error
+		StringBuilder sb = null;
+		ErrBuilder er = new ErrBuilder();
+
+		// 2a) Deny if any IDs on Namespace
+		Result<List<CredDAO.Data>> creds = q.credDAO.readNS(trans, ns);
+		if (creds.isOKhasData()) {
+			if (force || move) {
+				for (CredDAO.Data cd : creds.value) {
+					er.log(q.credDAO.delete(trans, cd, false));
+					// Since we're deleting all the creds, we should delete all
+					// the user Roles for that Cred
+					Result<List<UserRoleDAO.Data>> rlurd = q.userRoleDAO
+							.readByUser(trans, cd.id);
+					if (rlurd.isOK()) {
+						for (UserRoleDAO.Data data : rlurd.value) {
+						    q.userRoleDAO.delete(trans, data, false);
+						}
+					}
+
+				}
+			} else {
+				// first possible StringBuilder Create.
+				sb = new StringBuilder();
+				sb.append('[');
+				sb.append(ns);
+				sb.append("] contains users");
+			}
+		}
+
+		// 2b) Find (or delete if forced flag is set) dependencies
+		// First, find if NS Perms are the only ones
+		Result<List<PermDAO.Data>> rpdc = q.permDAO.readNS(trans, ns);
+		if (rpdc.isOKhasData()) {
+			// Since there are now NS perms, we have to count NON-NS perms.
+			// FYI, if we delete them now, and the NS is not deleted, it is in
+			// an inconsistent state.
+			boolean nonaccess = false;
+			for (PermDAO.Data pdd : rpdc.value) {
+				if (!"access".equals(pdd.type)) {
+					nonaccess = true;
+					break;
+				}
+			}
+			if (nonaccess && !force && !move) {
+				if (sb == null) {
+					sb = new StringBuilder();
+					sb.append('[');
+					sb.append(ns);
+					sb.append("] contains ");
+				} else {
+					sb.append(", ");
+				}
+				sb.append("permissions");
+			}
+		}
+
+		Result<List<RoleDAO.Data>> rrdc = q.roleDAO.readNS(trans, ns);
+		if (rrdc.isOKhasData()) {
+			// Since there are now NS roles, we have to count NON-NS roles.
+			// FYI, if we delete th)em now, and the NS is not deleted, it is in
+			// an inconsistent state.
+			int count = rrdc.value.size();
+			for (RoleDAO.Data rdd : rrdc.value) {
+				if ("admin".equals(rdd.name) || "owner".equals(rdd.name)) {
+					--count;
+				}
+			}
+			if (count > 0 && !force && !move) {
+				if (sb == null) {
+					sb = new StringBuilder();
+					sb.append('[');
+					sb.append(ns);
+					sb.append("] contains ");
+				} else {
+					sb.append(", ");
+				}
+				sb.append("roles");
+			}
+		}
+
+		// 2c) Deny if dependencies exist that would be moved to root level
+		// parent is root level parent here. Need to find closest parent ns that
+		// exists
+		if (sb != null) {
+			if (!force && !move) {
+				sb.append(".\n  Delete dependencies and try again.  Note: using \"force=true\" will delete all. \"force=move\" will delete Creds, but move Roles and Perms to parent.");
+				return Result.err(Status.ERR_DependencyExists, sb.toString());
+			}
+
+			if (move && (parent == null || parent.type == NsType.COMPANY.type)) {
+				return Result
+						.err(Status.ERR_DependencyExists,
+								"Cannot move users, roles or permissions to [%s].\nDelete dependencies and try again",
+								parent.name);
+			}
+		} else if (move && parent != null) {
+			sb = new StringBuilder();
+			// 3) Change any roles with children matching this NS, and
+			moveRoles(trans, parent, sb, rrdc);
+			// 4) Change any Perms with children matching this NS, and
+			movePerms(trans, parent, sb, rpdc);
+		}
+
+		if (sb != null && sb.length() > 0) {
+			return Result.err(Status.ERR_DependencyExists, sb.toString());
+		}
+
+		if (er.hasErr()) {
+			if (trans.debug().isLoggable()) {
+				trans.debug().log(er.toString());
+			}
+			return Result.err(Status.ERR_DependencyExists,
+					"Namespace members cannot be deleted for %s", ns);
+		}
+
+		// 5) OK... good to go for NS Deletion...
+		if (!rpdc.isEmpty()) {
+			for (PermDAO.Data perm : rpdc.value) {
+				deletePerm(trans, perm, true, true);
+			}
+		}
+		if (!rrdc.isEmpty()) {
+			for (RoleDAO.Data role : rrdc.value) {
+				deleteRole(trans, role, true, true);
+			}
+		}
+
+		return q.nsDAO.delete(trans, nsd, false);
+	}
+
+	public Result<List<String>> getOwners(AuthzTrans trans, String ns,
+			boolean includeExpired) {
+		return getUsersByRole(trans, ns + Question.DOT_OWNER, includeExpired);
+	}
+
+	private Result<Void> mayAddOwner(AuthzTrans trans, String ns, String id) {
+		Result<NsDAO.Data> rq = q.deriveNs(trans, ns);
+		if (rq.notOK()) {
+			return Result.err(rq);
+		}
+
+		rq = q.mayUser(trans, trans.user(), rq.value, Access.write);
+		if (rq.notOK()) {
+			return Result.err(rq);
+		}
+
+		Identity user;
+		Organization org = trans.org();
+		try {
+			if ((user = org.getIdentity(trans, id)) == null) {
+				return Result.err(Status.ERR_Policy,
+						"%s reports that this is not a valid credential",
+						org.getName());
+			}
+			String reason;
+			if ((reason=user.mayOwn())==null) {
+				return Result.ok();
+			} else {
+				if (org.isTestEnv()) {
+					String reason2;
+					if((reason2 = org.validate(trans, Policy.AS_RESPONSIBLE, new CassExecutor(trans, this), id))==null) {
+						return Result.ok();
+					} else {
+						trans.debug().log(reason2);
+					}
+				}
+				return Result.err(Status.ERR_Policy,CANNOT_BE_THE_OWNER_OF_A_NAMESPACE,user.fullName(),user.id(),ns, reason);
+			}
+		} catch (Exception e) {
+			return Result.err(e);
+		}
+	}
+
+	private Result<Void> mayAddAdmin(AuthzTrans trans, String ns,	String id) {
+		// Does NS Exist?
+		Result<Void> r = checkValidID(trans, new Date(), id);
+		if (r.notOK()) {
+			return r;
+		}
+		// Is id able to be an Admin
+		Result<NsDAO.Data> rq = q.deriveNs(trans, ns);
+		if (rq.notOK()) {
+			return Result.err(rq);
+		}
+	
+		rq = q.mayUser(trans, trans.user(), rq.value, Access.write);
+		if (rq.notOK()) {
+			Result<List<UserRoleDAO.Data>> ruinr = q.userRoleDAO.readUserInRole(trans, trans.user(),ns+".owner");
+			if(!(ruinr.isOKhasData() && ruinr.value.get(0).expires.after(new Date()))) {
+				return Result.err(rq);
+			}
+		}
+		return r;
+	}
+
+	private Result<Void> checkValidID(AuthzTrans trans, Date now, String user) {
+		Organization org = trans.org();
+		if (user.endsWith(org.getRealm())) {
+			try {
+				if (org.getIdentity(trans, user) == null) {
+					return Result.err(Status.ERR_Denied,
+							"%s reports that %s is a faulty ID", org.getName(),
+							user);
+				}
+				return Result.ok();
+			} catch (Exception e) {
+				return Result.err(Result.ERR_Security,
+						"%s is not a valid %s Credential", user, org.getName());
+			}
+		//TODO find out how to make sure good ALTERNATE OAUTH DOMAIN USER
+//		} else if(user.endsWith(ALTERNATE OAUTH DOMAIN)) {
+//			return Result.ok();
+		} else {
+			Result<List<CredDAO.Data>> cdr = q.credDAO.readID(trans, user);
+			if (cdr.notOKorIsEmpty()) {
+				return Result.err(Status.ERR_Security,
+						"%s is not a valid AAF Credential", user);
+			}
+	
+			for (CredDAO.Data cd : cdr.value) {
+				if (cd.expires.after(now)) {
+					return Result.ok();
+				}
+			}
+		}
+		return Result.err(Result.ERR_Security, "%s has expired", user);
+	}
+
+	public Result<Void> delOwner(AuthzTrans trans, String ns, String id) {
+		Result<NsDAO.Data> rq = q.deriveNs(trans, ns);
+		if (rq.notOK()) {
+			return Result.err(rq);
+		}
+
+		rq = q.mayUser(trans, trans.user(), rq.value, Access.write);
+		if (rq.notOK()) {
+			return Result.err(rq);
+		}
+
+		return delUserRole(trans, id, ns,Question.OWNER);
+	}
+
+	public Result<List<String>> getAdmins(AuthzTrans trans, String ns, boolean includeExpired) {
+		return getUsersByRole(trans, ns + Question.DOT_ADMIN, includeExpired);
+	}
+
+	public Result<Void> delAdmin(AuthzTrans trans, String ns, String id) {
+		Result<NsDAO.Data> rq = q.deriveNs(trans, ns);
+		if (rq.notOK()) {
+			return Result.err(rq);
+		}
+
+		rq = q.mayUser(trans, trans.user(), rq.value, Access.write);
+		if (rq.notOK()) { 
+			// Even though not a "writer", Owners still determine who gets to be an Admin
+			Result<List<UserRoleDAO.Data>> ruinr = q.userRoleDAO.readUserInRole(trans, trans.user(),ns+".owner");
+			if(!(ruinr.isOKhasData() && ruinr.value.get(0).expires.after(new Date()))) {
+				return Result.err(rq);
+			}
+		}
+
+		return delUserRole(trans, id, ns, Question.ADMIN);
+	}
+
+	/**
+	 * Helper function that moves permissions from a namespace being deleted to
+	 * its parent namespace
+	 * 
+	 * @param trans
+	 * @param parent
+	 * @param sb
+	 * @param rpdc
+	 *            - list of permissions in namespace being deleted
+	 */
+	private void movePerms(AuthzTrans trans, NsDAO.Data parent,
+			StringBuilder sb, Result<List<PermDAO.Data>> rpdc) {
+
+		Result<Void> rv;
+		Result<PermDAO.Data> pd;
+
+		if (rpdc.isOKhasData()) {
+			for (PermDAO.Data pdd : rpdc.value) {
+				String delP2 = pdd.type;
+				if ("access".equals(delP2)) {
+				    continue;
+				}
+				// Remove old Perm from Roles, save them off
+				List<RoleDAO.Data> lrdd = new ArrayList<RoleDAO.Data>();
+				
+				for(String rl : pdd.roles(false)) {
+					Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,q,rl);
+					if(rrdd.isOKhasData()) {
+						RoleDAO.Data rdd = rrdd.value;
+						lrdd.add(rdd);
+						q.roleDAO.delPerm(trans, rdd, pdd);
+					} else{
+						trans.error().log(rrdd.errorString());
+					}
+				}
+				
+				// Save off Old keys
+				String delP1 = pdd.ns;
+				NsSplit nss = new NsSplit(parent, pdd.fullType());
+				pdd.ns = nss.ns;
+				pdd.type = nss.name;
+				// Use direct Create/Delete, because switching namespaces
+				if ((pd = q.permDAO.create(trans, pdd)).isOK()) {
+					// Put Role back into Perm, with correct info
+					for(RoleDAO.Data rdd : lrdd) {
+						q.roleDAO.addPerm(trans, rdd, pdd);
+					}
+
+					pdd.ns = delP1;
+					pdd.type = delP2;
+					if ((rv = q.permDAO.delete(trans, pdd, false)).notOK()) {
+						sb.append(rv.details);
+						sb.append('\n');
+						// } else {
+						// Need to invalidate directly, because we're switching
+						// places in NS, not normal cache behavior
+						// q.permDAO.invalidate(trans,pdd);
+					}
+				} else {
+					sb.append(pd.details);
+					sb.append('\n');
+				}
+			}
+		}
+	}
+
+	/**
+	 * Helper function that moves roles from a namespace being deleted to its
+	 * parent namespace
+	 * 
+	 * @param trans
+	 * @param parent
+	 * @param sb
+	 * @param rrdc
+	 *            - list of roles in namespace being deleted
+	 */
+	private void moveRoles(AuthzTrans trans, NsDAO.Data parent,
+			StringBuilder sb, Result<List<RoleDAO.Data>> rrdc) {
+
+		Result<Void> rv;
+		Result<RoleDAO.Data> rd;
+
+		if (rrdc.isOKhasData()) {
+			for (RoleDAO.Data rdd : rrdc.value) {
+				String delP2 = rdd.name;
+				if ("admin".equals(delP2) || "owner".equals(delP2)) {
+				    continue;
+				}
+				// Remove old Role from Perms, save them off
+				List<PermDAO.Data> lpdd = new ArrayList<PermDAO.Data>();
+				for(String p : rdd.perms(false)) {
+					Result<PermDAO.Data> rpdd = PermDAO.Data.decode(trans,q,p);
+					if(rpdd.isOKhasData()) {
+						PermDAO.Data pdd = rpdd.value;
+						lpdd.add(pdd);
+						q.permDAO.delRole(trans, pdd, rdd);
+					} else{
+						trans.error().log(rpdd.errorString());
+					}
+				}
+				
+				// Save off Old keys
+				String delP1 = rdd.ns;
+
+				NsSplit nss = new NsSplit(parent, rdd.fullName());
+				rdd.ns = nss.ns;
+				rdd.name = nss.name;
+				// Use direct Create/Delete, because switching namespaces
+				if ((rd = q.roleDAO.create(trans, rdd)).isOK()) {
+					// Put Role back into Perm, with correct info
+					for(PermDAO.Data pdd : lpdd) {
+						q.permDAO.addRole(trans, pdd, rdd);
+					}
+
+					rdd.ns = delP1;
+					rdd.name = delP2;
+					if ((rv = q.roleDAO.delete(trans, rdd, true)).notOK()) {
+						sb.append(rv.details);
+						sb.append('\n');
+						// } else {
+						// Need to invalidate directly, because we're switching
+						// places in NS, not normal cache behavior
+						// q.roleDAO.invalidate(trans,rdd);
+					}
+				} else {
+					sb.append(rd.details);
+					sb.append('\n');
+				}
+			}
+		}
+	}
+
+	/**
+	 * Create Permission (and any missing Permission between this and Parent) if
+	 * we have permission
+	 * 
+	 * Pass in the desired Management Permission for this Permission
+	 * 
+	 * If Force is set, then Roles listed will be created, if allowed,
+	 * pre-granted.
+	 */
+	public Result<Void> createPerm(AuthzTrans trans, PermDAO.Data perm, boolean fromApproval) {
+		String user = trans.user();
+		// Next, see if User is allowed to Manage Parent Permission
+
+		Result<NsDAO.Data> rnsd;
+		if (!fromApproval) {
+			rnsd = q.mayUser(trans, user, perm, Access.write);
+			if (rnsd.notOK()) {
+				return Result.err(rnsd);
+			}
+		} else {
+			rnsd = q.deriveNs(trans, perm.ns);
+		}
+
+		// Does Child exist?
+		if (!trans.requested(REQD_TYPE.force)) {
+			if (q.permDAO.read(trans, perm).isOKhasData()) {
+				return Result.err(Status.ERR_ConflictAlreadyExists,
+						"Permission [%s.%s|%s|%s] already exists.", perm.ns,
+						perm.type, perm.instance, perm.action);
+			}
+		}
+
+		// Attempt to add perms to roles, creating as possible
+		Set<String> roles;
+		String pstring = perm.encode();
+
+		// For each Role
+		for (String role : roles = perm.roles(true)) {
+			Result<RoleDAO.Data> rdd = RoleDAO.Data.decode(trans,q,role);
+			if(rdd.isOKhasData()) {
+				RoleDAO.Data rd = rdd.value;
+				if (!fromApproval) {
+					// May User write to the Role in question.
+					Result<NsDAO.Data> rns = q.mayUser(trans, user, rd,
+							Access.write);
+					if (rns.notOK()) {
+						// Remove the role from Add, because
+						roles.remove(role); // Don't allow adding
+						trans.warn()
+								.log("User [%s] does not have permission to relate Permissions to Role [%s]",
+										user, role);
+					}
+				}
+
+				Result<List<RoleDAO.Data>> rlrd;
+				if ((rlrd = q.roleDAO.read(trans, rd)).notOKorIsEmpty()) {
+					rd.perms(true).add(pstring);
+					if (q.roleDAO.create(trans, rd).notOK()) {
+						roles.remove(role); // Role doesn't exist, and can't be
+											// created
+					}
+				} else {
+					rd = rlrd.value.get(0);
+					if (!rd.perms.contains(pstring)) {
+						q.roleDAO.addPerm(trans, rd, perm);
+					}
+				}
+			}
+		}
+
+		Result<PermDAO.Data> pdr = q.permDAO.create(trans, perm);
+		if (pdr.isOK()) {
+			return Result.ok();
+		} else { 
+			return Result.err(pdr);
+		}
+	}
+
+	public Result<Void> deletePerm(final AuthzTrans trans, final PermDAO.Data perm, boolean force, boolean fromApproval) {
+		String user = trans.user();
+
+		// Next, see if User is allowed to Manage Permission
+		Result<NsDAO.Data> rnsd;
+		if (!fromApproval) {
+			rnsd = q.mayUser(trans, user, perm, Access.write);
+			if (rnsd.notOK()) {
+				return Result.err(rnsd);
+			}
+		}
+		// Does Perm exist?
+		Result<List<PermDAO.Data>> pdr = q.permDAO.read(trans, perm);
+		if (pdr.notOKorIsEmpty()) {
+			return Result.err(Status.ERR_PermissionNotFound,"Permission [%s.%s|%s|%s] does not exist.",
+					perm.ns,perm.type, perm.instance, perm.action);
+		}
+		// Get perm, but with rest of data.
+		PermDAO.Data fullperm = pdr.value.get(0);
+
+		// Attached to any Roles?
+		if (fullperm.roles != null) {
+			if (force) {
+				for (String role : fullperm.roles) {
+					Result<Void> rv = null;
+					Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans, q, role);
+					if(rrdd.isOKhasData()) {
+						trans.debug().log("Removing", role, "from", fullperm, "on Perm Delete");
+						if ((rv = q.roleDAO.delPerm(trans, rrdd.value, fullperm)).notOK()) {
+							if (rv.notOK()) {
+								trans.error().log("Error removing Role during delFromPermRole: ",
+												trans.getUserPrincipal(),
+												rv.errorString());
+							}
+						}
+					} else {
+						return Result.err(rrdd);
+					}
+				}
+			} else if (!fullperm.roles.isEmpty()) {
+				return Result
+						.err(Status.ERR_DependencyExists,
+								"Permission [%s.%s|%s|%s] cannot be deleted as it is attached to 1 or more roles.",
+								fullperm.ns, fullperm.type, fullperm.instance, fullperm.action);
+			}
+		}
+
+		return q.permDAO.delete(trans, fullperm, false);
+	}
+
+	public Result<Void> deleteRole(final AuthzTrans trans, final RoleDAO.Data role, boolean force, boolean fromApproval) {
+		String user = trans.user();
+
+		// Next, see if User is allowed to Manage Role
+		Result<NsDAO.Data> rnsd;
+		if (!fromApproval) {
+			rnsd = q.mayUser(trans, user, role, Access.write);
+			if (rnsd.notOK()) {
+				return Result.err(rnsd);
+			}
+		}
+
+		// Are there any Users Attached to Role?
+		Result<List<UserRoleDAO.Data>> urdr = q.userRoleDAO.readByRole(trans,role.fullName());
+		if (force) {
+			if (urdr.isOKhasData()) {
+				for (UserRoleDAO.Data urd : urdr.value) {
+					q.userRoleDAO.delete(trans, urd, false);
+				}
+			}
+		} else if (urdr.isOKhasData()) {
+			return Result.err(Status.ERR_DependencyExists,
+							"Role [%s.%s] cannot be deleted as it is used by 1 or more Users.",
+							role.ns, role.name);
+		}
+
+		// Does Role exist?
+		Result<List<RoleDAO.Data>> rdr = q.roleDAO.read(trans, role);
+		if (rdr.notOKorIsEmpty()) {
+			return Result.err(Status.ERR_RoleNotFound,
+					"Role [%s.%s] does not exist", role.ns, role.name);
+		}
+		RoleDAO.Data fullrole = rdr.value.get(0); // full key search
+
+		// Remove Self from Permissions... always, force or not.  Force only applies to Dependencies (Users)
+		if (fullrole.perms != null) {
+			for (String perm : fullrole.perms(false)) {
+				Result<PermDAO.Data> rpd = PermDAO.Data.decode(trans,q,perm);
+				if (rpd.isOK()) {
+					trans.debug().log("Removing", perm, "from", fullrole,"on Role Delete");
+
+					Result<?> r = q.permDAO.delRole(trans, rpd.value, fullrole);
+					if (r.notOK()) {
+						trans.error().log("ERR_FDR1 unable to remove",fullrole,"from",perm,':',r.status,'-',r.details);
+					}
+				} else {
+					trans.error().log("ERR_FDR2 Could not remove",perm,"from",fullrole);
+				}
+			}
+		}
+		return q.roleDAO.delete(trans, fullrole, false);
+	}
+
+	/**
+	 * Only owner of Permission may add to Role
+	 * 
+	 * If force set, however, Role will be created before Grant, if User is
+	 * allowed to create.
+	 * 
+	 * @param trans
+	 * @param role
+	 * @param pd
+	 * @return
+	 */
+	public Result<Void> addPermToRole(AuthzTrans trans, RoleDAO.Data role,PermDAO.Data pd, boolean fromApproval) {
+		String user = trans.user();
+		
+		if (!fromApproval) {
+			Result<NsDAO.Data> rRoleCo = q.deriveFirstNsForType(trans, role.ns, NsType.COMPANY);
+			if(rRoleCo.notOK()) {
+				return Result.err(rRoleCo);
+			}
+			Result<NsDAO.Data> rPermCo = q.deriveFirstNsForType(trans, pd.ns, NsType.COMPANY);
+			if(rPermCo.notOK()) {
+				return Result.err(rPermCo);
+			}
+
+			// Not from same company
+			if(!rRoleCo.value.name.equals(rPermCo.value.name)) {
+				Result<Data> r;
+				// Only grant if User ALSO has Write ability in Other Company
+				if((r = q.mayUser(trans, user, role, Access.write)).notOK()) {
+					return Result.err(r);
+				}
+			}
+			
+
+			// Must be Perm Admin, or Granted Special Permission
+			Result<NsDAO.Data> ucp = q.mayUser(trans, user, pd, Access.write);
+			if (ucp.notOK()) {
+				// Don't allow CLI potential Grantees to change their own AAF
+				// Perms,
+				if ((ROOT_NS.equals(pd.ns) && Question.NS.equals(pd.type)) 
+						|| !q.isGranted(trans, trans.user(),ROOT_NS,Question.PERM, rPermCo.value.name, "grant")) {
+				// Not otherwise granted
+				// TODO Needed?
+					return Result.err(ucp);
+				}
+				// Final Check... Don't allow Grantees to add to Roles they are
+				// part of
+				Result<List<UserRoleDAO.Data>> rlurd = q.userRoleDAO
+						.readByUser(trans, trans.user());
+				if (rlurd.isOK()) {
+					for (UserRoleDAO.Data ur : rlurd.value) {
+						if (role.ns.equals(ur.ns) && role.name.equals(ur.rname)) {
+							return Result.err(ucp);
+						}
+					}
+				}
+			}
+		}
+
+		Result<List<PermDAO.Data>> rlpd = q.permDAO.read(trans, pd);
+		if (rlpd.notOKorIsEmpty()) {
+			return Result.err(Status.ERR_PermissionNotFound,
+					"Permission must exist to add to Role");
+		}
+
+		Result<List<RoleDAO.Data>> rlrd = q.roleDAO.read(trans, role); // Already
+																		// Checked
+																		// for
+																		// can
+																		// change
+																		// Role
+		Result<Void> rv;
+
+		if (rlrd.notOKorIsEmpty()) {
+			if (trans.requested(REQD_TYPE.force)) {
+				Result<NsDAO.Data> ucr = q.mayUser(trans, user, role,
+						Access.write);
+				if (ucr.notOK()) {
+				    return Result
+				    		.err(Status.ERR_Denied,
+				    				"Role [%s.%s] does not exist. User [%s] cannot create.",
+				    				role.ns, role.name, user);
+				}
+
+				role.perms(true).add(pd.encode());
+				Result<RoleDAO.Data> rdd = q.roleDAO.create(trans, role);
+				if (rdd.isOK()) {
+					rv = Result.ok();
+				} else {
+					rv = Result.err(rdd);
+				}
+			} else {
+			    return Result.err(Status.ERR_RoleNotFound,
+			    		"Role [%s.%s] does not exist.", role.ns, role.name);
+			}
+		} else {
+			role = rlrd.value.get(0);
+			if (role.perms(false).contains(pd.encode())) {
+				return Result.err(Status.ERR_ConflictAlreadyExists,
+								"Permission [%s.%s] is already a member of role [%s,%s]",
+								pd.ns, pd.type, role.ns, role.name);
+			}
+			role.perms(true).add(pd.encode()); // this is added for Caching
+												// access purposes... doesn't
+												// affect addPerm
+			rv = q.roleDAO.addPerm(trans, role, pd);
+		}
+		if (rv.status == Status.OK) {
+			return q.permDAO.addRole(trans, pd, role);
+			// exploring how to add information message to successful http
+			// request
+		}
+		return rv;
+	}
+
+	/**
+	 * Either Owner of Role or Permission may delete from Role
+	 * 
+	 * @param trans
+	 * @param role
+	 * @param pd
+	 * @return
+	 */
+	public Result<Void> delPermFromRole(AuthzTrans trans, RoleDAO.Data role,PermDAO.Data pd, boolean fromApproval) {
+		String user = trans.user();
+		if (!fromApproval) {
+			Result<NsDAO.Data> ucr = q.mayUser(trans, user, role, Access.write);
+			Result<NsDAO.Data> ucp = q.mayUser(trans, user, pd, Access.write);
+
+			// If Can't change either Role or Perm, then deny
+			if (ucr.notOK() && ucp.notOK()) {
+				return Result.err(Status.ERR_Denied,
+						"User [" + trans.user()
+								+ "] does not have permission to delete ["
+								+ pd.encode() + "] from Role ["
+								+ role.fullName() + ']');
+			}
+		}
+
+		Result<List<RoleDAO.Data>> rlr = q.roleDAO.read(trans, role);
+		if (rlr.notOKorIsEmpty()) {
+			// If Bad Data, clean out
+			Result<List<PermDAO.Data>> rlp = q.permDAO.read(trans, pd);
+			if (rlp.isOKhasData()) {
+				for (PermDAO.Data pv : rlp.value) {
+					q.permDAO.delRole(trans, pv, role);
+				}
+			}
+			return Result.err(rlr);
+		}
+		String perm1 = pd.encode();
+		boolean notFound;
+		if (trans.requested(REQD_TYPE.force)) {
+			notFound = false;
+		} else { // only check if force not set.
+			notFound = true;
+			for (RoleDAO.Data r : rlr.value) {
+				if (r.perms != null) {
+					for (String perm : r.perms) {
+						if (perm1.equals(perm)) {
+							notFound = false;
+							break;
+						}
+					}
+					if(!notFound) {
+						break;
+					}
+				}
+			}
+		}
+		if (notFound) { // Need to check both, in case of corruption
+			return Result.err(Status.ERR_PermissionNotFound,
+					"Permission [%s.%s|%s|%s] not associated with any Role",
+					pd.ns,pd.type,pd.instance,pd.action);
+		}
+
+		// Read Perm for full data
+		Result<List<PermDAO.Data>> rlp = q.permDAO.read(trans, pd);
+		Result<Void> rv = null;
+		if (rlp.isOKhasData()) {
+			for (PermDAO.Data pv : rlp.value) {
+				if ((rv = q.permDAO.delRole(trans, pv, role)).isOK()) {
+					if ((rv = q.roleDAO.delPerm(trans, role, pv)).notOK()) {
+						trans.error().log(
+								"Error removing Perm during delFromPermRole:",
+								trans.getUserPrincipal(), rv.errorString());
+					}
+				} else {
+					trans.error().log(
+							"Error removing Role during delFromPermRole:",
+							trans.getUserPrincipal(), rv.errorString());
+				}
+			}
+		} else {
+			rv = q.roleDAO.delPerm(trans, role, pd);
+			if (rv.notOK()) {
+				trans.error().log("Error removing Role during delFromPermRole",
+						rv.errorString());
+			}
+		}
+		return rv == null ? Result.ok() : rv;
+	}
+
+	public Result<Void> delPermFromRole(AuthzTrans trans, String role,PermDAO.Data pd) {
+		Result<NsSplit> nss = q.deriveNsSplit(trans, role);
+		if (nss.notOK()) {
+			return Result.err(nss);
+		}
+		RoleDAO.Data rd = new RoleDAO.Data();
+		rd.ns = nss.value.ns;
+		rd.name = nss.value.name;
+		return delPermFromRole(trans, rd, pd, false);
+	}
+
+	/**
+	 * Add a User to Role
+	 * 
+	 * 1) Role must exist 2) User must be a known Credential (i.e. mechID ok if
+	 * Credential) or known Organizational User
+	 * 
+	 * @param trans
+	 * @param org
+	 * @param urData
+	 * @return
+	 * @throws DAOException
+	 */
+	public Result<Void> addUserRole(AuthzTrans trans,UserRoleDAO.Data urData) {
+		Result<Void> rv;
+		if(Question.ADMIN.equals(urData.rname)) {
+			rv = mayAddAdmin(trans, urData.ns, urData.user);
+		} else if(Question.OWNER.equals(urData.rname)) {
+			rv = mayAddOwner(trans, urData.ns, urData.user);
+		} else {
+			rv = checkValidID(trans, new Date(), urData.user);
+		}
+		if(rv.notOK()) {
+			return rv; 
+		}
+		
+		// Check if record exists
+		if (q.userRoleDAO.read(trans, urData).isOKhasData()) {
+			return Result.err(Status.ERR_ConflictAlreadyExists,
+					"User Role exists");
+		}
+		if (q.roleDAO.read(trans, urData.ns, urData.rname).notOKorIsEmpty()) {
+			return Result.err(Status.ERR_RoleNotFound,
+					"Role [%s.%s] does not exist", urData.ns, urData.rname);
+		}
+
+		urData.expires = trans.org().expiration(null, Expiration.UserInRole, urData.user).getTime();
+		
+		
+		Result<UserRoleDAO.Data> udr = q.userRoleDAO.create(trans, urData);
+		switch (udr.status) {
+		case OK:
+			return Result.ok();
+		default:
+			return Result.err(udr);
+		}
+	}
+
+	public Result<Void> addUserRole(AuthzTrans trans, String user, String ns, String rname) {
+		try {
+			if(trans.org().getIdentity(trans, user)==null) {
+				return Result.err(Result.ERR_BadData,user+" is an Invalid Identity for " + trans.org().getName());
+			}
+		} catch (OrganizationException e) {
+			return Result.err(e);
+		}
+		UserRoleDAO.Data urdd = new UserRoleDAO.Data();
+		urdd.ns = ns;
+		urdd.role(ns, rname);
+		urdd.user = user;
+		return addUserRole(trans,urdd);
+	}
+
+	/**
+	 * Extend User Role.
+	 * 
+	 * extend the Expiration data, according to Organization rules.
+	 * 
+	 * @param trans
+	 * @param org
+	 * @param urData
+	 * @return
+	 */
+	public Result<Void> extendUserRole(AuthzTrans trans, UserRoleDAO.Data urData, boolean checkForExist) {
+		// Check if record still exists
+		if (checkForExist && q.userRoleDAO.read(trans, urData).notOKorIsEmpty()) {
+			return Result.err(Status.ERR_UserRoleNotFound,
+					"User Role does not exist");
+		}
+		
+		if (q.roleDAO.read(trans, urData.ns, urData.rname).notOKorIsEmpty()) {
+			return Result.err(Status.ERR_RoleNotFound,
+					"Role [%s.%s] does not exist", urData.ns,urData.rname);
+		}
+		// Special case for "Admin" roles. Issue brought forward with Prod
+		// problem 9/26
+		Date now = new Date();
+		GregorianCalendar gc = new GregorianCalendar();
+		gc.setTime(now.after(urData.expires)?now:urData.expires);
+		urData.expires = trans.org().expiration(gc, Expiration.UserInRole).getTime(); // get
+																				// Full
+																				// time
+																				// starting
+																				// today
+		return q.userRoleDAO.update(trans, urData);
+	}
+
+	// ////////////////////////////////////////////////////
+	// Special User Role Functions
+	// These exist, because User Roles have Expiration dates, which must be
+	// accounted for
+	// Also, as of July, 2015, Namespace Owners and Admins are now regular User
+	// Roles
+	// ////////////////////////////////////////////////////
+	public Result<List<String>> getUsersByRole(AuthzTrans trans, String role, boolean includeExpired) {
+		Result<List<UserRoleDAO.Data>> rurdd = q.userRoleDAO.readByRole(trans,role);
+		if (rurdd.notOK()) {
+			return Result.err(rurdd);
+		}
+		Date now = new Date();
+		List<UserRoleDAO.Data> list = rurdd.value;
+		List<String> rv = new ArrayList<String>(list.size()); // presize
+		for (UserRoleDAO.Data urdd : rurdd.value) {
+			if (includeExpired || urdd.expires.after(now)) {
+				rv.add(urdd.user);
+			}
+		}
+		return Result.ok(rv);
+	}
+
+	public Result<Void> delUserRole(AuthzTrans trans, String user, String ns, String rname) {
+		UserRoleDAO.Data urdd = new UserRoleDAO.Data();
+		urdd.user = user;
+		urdd.role(ns,rname);
+		Result<List<UserRoleDAO.Data>> r = q.userRoleDAO.read(trans, urdd);
+		if (r.status == 404 || r.isEmpty()) {
+			return Result.err(Status.ERR_UserRoleNotFound,
+					"UserRole [%s] [%s.%s]", user, ns, rname);
+		}
+		if (r.notOK()) {
+			return Result.err(r);
+		}
+
+		return q.userRoleDAO.delete(trans, urdd, false);
+	}
+
+	public Result<String> createFuture(AuthzTrans trans, FutureDAO.Data data, String id, String user,
+			NsDAO.Data nsd, FUTURE_OP op) {
+		StringBuilder sb = new StringBuilder();
+		try {
+			Organization org = trans.org();
+			// For Reapproval, only check Owners.. Do Supervisors, etc, separately
+			List<Identity> approvers = op.equals(FUTURE_OP.A)?NO_ADDL_APPROVE:org.getApprovers(trans, user);
+			List<Identity> owners = new ArrayList<Identity>();
+			if (nsd != null) {
+				Result<List<UserRoleDAO.Data>> rrbr = q.userRoleDAO
+						.readByRole(trans, nsd.name + Question.DOT_OWNER);
+				if (rrbr.isOKhasData()) {
+					for(UserRoleDAO.Data urd : rrbr.value) {
+						Identity owner = org.getIdentity(trans, urd.user);
+						if(owner==null) {
+							return Result.err(Result.ERR_NotFound,urd.user + " is not a Valid Owner of " + nsd.name);
+						} else {
+							owners.add(owner);
+						}
+					}
+				}
+			}
+			
+			if(owners.isEmpty()) {
+				return Result.err(Result.ERR_NotFound,"No Owners found for " + nsd.name);
+			}
+			
+			// Create Future Object
+			
+			Result<FutureDAO.Data> fr = q.futureDAO.create(trans, data, id);
+			if (fr.isOK()) {
+				sb.append("Created Future: ");
+				sb.append(data.id);
+				// User Future ID as ticket for Approvals
+				final UUID ticket = fr.value.id;
+				sb.append(", Approvals: ");
+				Boolean first[] = new Boolean[]{true};
+				if(op!=FUTURE_OP.A) {
+					for (Identity u : approvers) {
+						Result<ApprovalDAO.Data> r = addIdentity(trans,sb,first,user,data.memo,op,u,ticket,org.getApproverType());
+						if(r.notOK()) {
+							return Result.err(r);
+						}
+					}
+				}
+				for (Identity u : owners) {
+					Result<ApprovalDAO.Data> r = addIdentity(trans,sb,first,user,data.memo,op,u,ticket,"owner");
+					if(r.notOK()) {
+						return Result.err(r);
+					}
+				}
+			}
+		} catch (Exception e) {
+			return Result.err(e);
+		}
+		
+		return Result.ok(sb.toString());
+	}
+
+	/*
+	 * This interface is to allow performFutureOps with either Realtime Data, or Batched lookups (See Expiring)
+	 */
+	public interface Lookup<T> {
+		T get(AuthzTrans trans, Object ... keys);
+	}
+	
+	public Lookup<UserRoleDAO.Data> urDBLookup = new Lookup<UserRoleDAO.Data>() {
+		@Override
+		public UserRoleDAO.Data get(AuthzTrans trans, Object ... keys) {
+			Result<List<UserRoleDAO.Data>> r = q.userRoleDAO.read(trans, keys);
+			if(r.isOKhasData()) {
+				return r.value.get(0);
+			} else {
+				return null;
+			}
+		}
+	};
+
+	/**
+	 * Note: if "allApprovals for Ticket is null, it will be looked up.  
+	 *       if "fdd" is null, it will be looked up, but
+	 *       
+	 * They can be passed for performance reasons.
+	 * 
+	 * @param trans
+	 * @param cd
+	 * @param allApprovalsForTicket
+	 * @return
+	 */
+	public Result<OP_STATUS> performFutureOp(final AuthzTrans trans, FUTURE_OP fop, FutureDAO.Data curr, Lookup<List<ApprovalDAO.Data>> la, Lookup<UserRoleDAO.Data> lur) {
+		// Pre-Evaluate if ReApproval is already done.
+		UserRoleDAO.Data urdd = null;
+		if(fop.equals(FUTURE_OP.A) && curr.target.equals(FOP_USER_ROLE) && curr.construct!=null) {
+			try {
+				// Get Expected UserRole from Future
+				urdd = new UserRoleDAO.Data();
+				urdd.reconstitute(curr.construct);
+				// Get Current UserRole from lookup
+				UserRoleDAO.Data lurdd = lur.get(trans, urdd.user,urdd.role);
+				if(lurdd==null) {
+					q.futureDAO.delete(trans, curr, false);
+					return OP_STATUS.RL;
+				} else {
+					if(curr.expires.compareTo(lurdd.expires)<0) {
+						q.futureDAO.delete(trans, curr, false);
+						return OP_STATUS.RL;
+					}
+				}
+			} catch (IOException e) {
+				return Result.err(Result.ERR_BadData,"Cannot reconstitute %1",curr.memo);
+			}
+		}
+		
+		boolean aDenial = false;
+		int cntSuper=0, appSuper=0,cntOwner=0, appOwner=0;
+		for(ApprovalDAO.Data add : la.get(trans)) {
+			switch(add.status) {
+				case "approved":
+					if("owner".equals(add.type)) {
+						++cntOwner;
+						++appOwner;
+					} else if("supervisor".equals(add.type)) {
+						++cntSuper;
+						++appSuper;
+					}
+					break;
+				case "pending":
+					if("owner".equals(add.type)) {
+						++cntOwner;
+					} else if("supervisor".equals(add.type)) {
+						++cntSuper;
+					}
+					break;
+				case "denied":
+					aDenial=true;
+					break;
+			}
+		}
+		
+		Result<OP_STATUS> ros=null;
+		if(aDenial) {
+			// Note: Denial will be Audit-logged.
+//			for (ApprovalDAO.Data ad : allApprovalsForTicket.value) {
+//			    q.approvalDAO.delete(trans, ad, false);
+//			}
+			ros = OP_STATUS.RD;
+			if(q.futureDAO.delete(trans, curr, false).notOK()) {
+				trans.info().printf("Future %s could not be deleted", curr.id.toString());
+			}  else {
+				if (FOP_USER_ROLE.equalsIgnoreCase(curr.target)) {
+					// A Denial means we must remove UserRole
+					if(fop.equals(FUTURE_OP.U) || fop.equals(FUTURE_OP.A)) {
+						UserRoleDAO.Data data = new UserRoleDAO.Data();
+						try {
+							data.reconstitute(curr.construct);
+						} catch (IOException e) {
+							trans.error().log("Cannot reconstitue",curr.memo);
+						}
+						ros = set(OP_STATUS.RD,delUserRole(trans, data.user, data.ns, data.rname));
+					}
+				}
+			}
+		}
+		
+		// Decision: If not Denied, and at least owner, if exists, and at least one Super, if exists
+		boolean goDecision = (cntOwner>0?appOwner>0:true) && (cntSuper>0?appSuper>0:true);
+
+		if(goDecision) {
+			// should check if any other pendings before performing
+			// actions
+			try {
+				if (FOP_ROLE.equalsIgnoreCase(curr.target)) {
+					RoleDAO.Data data = new RoleDAO.Data();
+					data.reconstitute(curr.construct);
+					switch(fop) {
+						case C:
+							ros = set(OP_STATUS.RE,q.roleDAO.dao().create(trans, data));
+							break;
+						case D:
+							ros = set(OP_STATUS.RE,deleteRole(trans, data, true, true));
+							break;
+						default:
+					}
+				} else if (FOP_PERM.equalsIgnoreCase(curr.target)) {
+					PermDAO.Data pdd = new PermDAO.Data();
+					pdd.reconstitute(curr.construct);
+					Set<String> roles;
+					Result<RoleDAO.Data> rrdd;
+					switch(fop) {
+						case C:
+							ros = set(OP_STATUS.RE,createPerm(trans, pdd, true));
+							break;
+						case D:
+							ros = set(OP_STATUS.RE,deletePerm(trans, pdd, true, true));
+							break;
+						case G:
+							roles = pdd.roles(true);
+							for (String roleStr : roles) {
+								rrdd = RoleDAO.Data.decode(trans, q, roleStr);
+								if (rrdd.isOKhasData()) {
+									ros = set(OP_STATUS.RE,addPermToRole(trans, rrdd.value, pdd, true));
+								} else {
+									trans.error().log(rrdd.errorString());
+								}
+							}
+							break;
+						case UG:
+							roles = pdd.roles(true);
+							for (String roleStr : roles) {
+								rrdd = RoleDAO.Data.decode(trans, q, roleStr);
+								if (rrdd.isOKhasData()) {
+									ros = set(OP_STATUS.RE,delPermFromRole(trans, rrdd.value, pdd,	true));
+								} else {
+									trans.error().log(rrdd.errorString());
+								}
+							}
+							break;
+						default:
+					}
+				} else if (FOP_USER_ROLE.equalsIgnoreCase(curr.target)) {
+					if(urdd==null) {
+						urdd = new UserRoleDAO.Data();
+						urdd.reconstitute(curr.construct);
+					}
+					// if I am the last to approve, create user role
+					switch(fop) {
+						case C:
+							ros = set(OP_STATUS.RE,addUserRole(trans, urdd));
+							break;
+						case U:
+						case A:
+							ros = set(OP_STATUS.RE,extendUserRole(trans,urdd,true));
+							break;
+						default:
+					}
+				} else if (FOP_NS.equalsIgnoreCase(curr.target)) {
+					Namespace namespace = new Namespace();
+					namespace.reconstitute(curr.construct);
+					switch(fop) {
+						case C:
+							ros = set(OP_STATUS.RE,createNS(trans, namespace, true));
+							break;
+						default:
+					}
+				} else if (FOP_DELEGATE.equalsIgnoreCase(curr.target)) {
+					DelegateDAO.Data data = new DelegateDAO.Data();
+					data.reconstitute(curr.construct);
+					switch(fop) {
+						case C:
+							ros = set(OP_STATUS.RE,q.delegateDAO.create(trans, data));
+							break;
+						case U:
+							ros = set(OP_STATUS.RE,q.delegateDAO.update(trans, data));
+							break;
+						default:
+					}
+				} else if (FOP_CRED.equalsIgnoreCase(curr.target)) {
+					CredDAO.Data data = new CredDAO.Data();
+					data.reconstitute(curr.construct);
+					switch(fop) {
+						case C:
+							ros = set(OP_STATUS.RE,q.credDAO.dao().create(trans, data));
+							break;
+						default:
+					}
+				}				
+			} catch (Throwable e) {
+				trans.error().log("Exception: ", e.getMessage(),
+					" \n occurred while performing", curr.memo,
+					" from Ticket ", curr.id.toString());
+			}
+			q.futureDAO.delete(trans, curr, false);
+		} // end for goDecision
+		if(ros==null) {
+			//return Result.err(Status.ACC_Future, "Full Approvals not obtained: No action taken");
+			ros = OP_STATUS.RP;
+		}
+			
+		return ros;
+	}
+
+	// Convenience method for setting OPSTatus Results
+	private Result<OP_STATUS> set(Result<OP_STATUS> rs, Result<?> orig) {
+		if(orig.isOK()) {
+			return rs;
+		} else {
+			return Result.err(orig);
+		}
+	}
+
+	private Result<ApprovalDAO.Data>  addIdentity(AuthzTrans trans, StringBuilder sb, 
+						Boolean[] first, String user, String memo, FUTURE_OP op, Identity u, UUID ticket, String type) throws OrganizationException {
+		ApprovalDAO.Data ad = new ApprovalDAO.Data();
+		// Note ad.id is set by ApprovalDAO Create
+		ad.ticket = ticket;
+		ad.user = user;
+		ad.approver = u.fullID();
+		ad.status = ApprovalDAO.PENDING;
+		ad.memo = memo;
+		ad.type = type;
+		ad.operation = op.name();
+		// Note ad.updated is created in System
+	    Result<ApprovalDAO.Data> r = q.approvalDAO.create(trans,ad);
+	    if(r.isOK()) {
+			if(first[0]) {
+				first[0] = false;
+			} else {
+				sb.append(", ");
+			}
+			sb.append(r.value.user);
+			sb.append(':');
+			sb.append(r.value.ticket);
+			return r;
+	    } else {
+	    	return Result.err(Status.ERR_ActionNotCompleted,
+					"Approval for %s, %s could not be created: %s",
+					ad.user, ad.approver,
+					r.details, sb.toString());
+	    }
+	}
+
+	public Executor newExecutor(AuthzTrans trans) {
+		return new CassExecutor(trans, this);
+	}
+
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/PermLookup.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/PermLookup.java
new file mode 100644
index 00000000..615d6b36
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/PermLookup.java
@@ -0,0 +1,185 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.hl;
+
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.TreeSet;
+
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.dao.cass.UserRoleDAO;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+
+/**
+ * PermLookup is a Storage class for the various pieces of looking up Permission 
+ * during Transactions to avoid duplicate processing
+ * 
+ * @author Jonathan
+ *
+ */
+// Package on purpose
+class PermLookup {
+	private AuthzTrans trans;
+	private String user;
+	private Question q;
+	private Result<List<UserRoleDAO.Data>> userRoles = null;
+	private Result<List<RoleDAO.Data>> roles = null;
+	private Result<Set<String>> permNames = null;
+	private Result<List<PermDAO.Data>> perms = null;
+	
+	private PermLookup() {}
+	
+	static PermLookup get(AuthzTrans trans, Question q, String user) {
+		PermLookup lp=null;
+		Map<String, PermLookup> permMap = trans.get(Question.PERMS, null);
+		if (permMap == null) {
+			trans.put(Question.PERMS, permMap = new HashMap<String, PermLookup>());
+		} else {
+			lp = permMap.get(user);
+		}
+
+		if (lp == null) {
+			lp = new PermLookup();
+			lp.trans = trans;
+			lp.user = user;
+			lp.q = q;
+			permMap.put(user, lp);
+		}
+		return lp;
+	}
+	
+	public Result<List<UserRoleDAO.Data>> getUserRoles() {
+		if(userRoles==null) {
+			userRoles = q.userRoleDAO.readByUser(trans,user);
+			if(userRoles.isOKhasData()) {
+				List<UserRoleDAO.Data> lurdd = new ArrayList<UserRoleDAO.Data>();
+				Date now = new Date();
+				for(UserRoleDAO.Data urdd : userRoles.value) {
+					if(urdd.expires.after(now)) { // Remove Expired
+						lurdd.add(urdd);
+					}
+				}
+				if(lurdd.size()==0) {
+					return userRoles = Result.err(Status.ERR_UserNotFound,
+								"%s not found or not associated with any Roles: ",
+								user);
+				} else {
+					return userRoles = Result.ok(lurdd);
+				}
+			} else {
+				return userRoles;
+			}
+		} else {
+			return userRoles;
+		}
+	}
+
+	public Result<List<RoleDAO.Data>> getRoles() {
+		if(roles==null) {
+			Result<List<UserRoleDAO.Data>> rur = getUserRoles();
+			if(rur.isOK()) {
+				List<RoleDAO.Data> lrdd = new ArrayList<RoleDAO.Data>();
+				for (UserRoleDAO.Data urdata : rur.value) {
+					// Gather all permissions from all Roles
+					    if(urdata.ns==null || urdata.rname==null) {
+					    	return Result.err(Status.ERR_BadData,"DB Content Error: nulls in User Role %s %s", urdata.user,urdata.role);
+					    } else {
+							Result<List<RoleDAO.Data>> rlrd = q.roleDAO.read(
+									trans, urdata.ns, urdata.rname);
+							if(rlrd.isOK()) {
+								lrdd.addAll(rlrd.value);
+							}
+					    }
+					}
+				return roles = Result.ok(lrdd);
+			} else {
+				return roles = Result.err(rur);
+			}
+		} else {
+			return roles;
+		}
+	}
+
+	public Result<Set<String>> getPermNames() {
+		if(permNames==null) {
+			Result<List<RoleDAO.Data>> rlrd = getRoles();
+			if (rlrd.isOK()) {
+				Set<String> pns = new TreeSet<String>();
+				for (RoleDAO.Data rdata : rlrd.value) {
+					pns.addAll(rdata.perms(false));
+				}
+				return permNames = Result.ok(pns);
+			} else {
+				return permNames = Result.err(rlrd);
+			}
+		} else {
+			return permNames;
+		}
+	}
+	
+	public Result<List<PermDAO.Data>> getPerms(boolean lookup) {
+		if(perms==null) {
+			// Note: It should be ok for a Valid user to have no permissions -
+			// Jonathan 8/12/2013
+			Result<Set<String>> rss = getPermNames();
+			if(rss.isOK()) {
+				List<PermDAO.Data> lpdd = new ArrayList<PermDAO.Data>();
+				for (String perm : rss.value) {
+					if(lookup) {
+						Result<String[]> ap = PermDAO.Data.decodeToArray(trans, q, perm);
+						if(ap.isOK()) {
+							 
+							Result<List<PermDAO.Data>> rlpd = q.permDAO.read(perm,trans,ap.value);
+							if (rlpd.isOKhasData()) {
+								for (PermDAO.Data pData : rlpd.value) {
+									lpdd.add(pData);
+								}
+							}
+						} else {
+							trans.error().log("In getPermsByUser, for", user, perm);
+						}
+					} else {
+						Result<PermDAO.Data> pr = PermDAO.Data.decode(trans, q, perm);
+						if (pr.notOK()) {
+							trans.error().log("In getPermsByUser, for", user, pr.errorString());
+						} else {
+							lpdd.add(pr.value);
+						}
+					}
+
+				}
+				return perms = Result.ok(lpdd);
+			} else {
+				return perms = Result.err(rss);
+			}
+		} else {
+			return perms;
+		}
+	}
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java
new file mode 100644
index 00000000..6b0bb17b
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java
@@ -0,0 +1,1154 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.hl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Random;
+import java.util.Set;
+import java.util.TreeSet;
+
+import org.onap.aaf.auth.common.Define;
+import org.onap.aaf.auth.dao.AbsCassDAO;
+import org.onap.aaf.auth.dao.CachedDAO;
+import org.onap.aaf.auth.dao.DAOException;
+import org.onap.aaf.auth.dao.cached.CachedCertDAO;
+import org.onap.aaf.auth.dao.cached.CachedCredDAO;
+import org.onap.aaf.auth.dao.cached.CachedNSDAO;
+import org.onap.aaf.auth.dao.cached.CachedPermDAO;
+import org.onap.aaf.auth.dao.cached.CachedRoleDAO;
+import org.onap.aaf.auth.dao.cached.CachedUserRoleDAO;
+import org.onap.aaf.auth.dao.cass.ApprovalDAO;
+import org.onap.aaf.auth.dao.cass.CacheInfoDAO;
+import org.onap.aaf.auth.dao.cass.CertDAO;
+import org.onap.aaf.auth.dao.cass.CredDAO;
+import org.onap.aaf.auth.dao.cass.DelegateDAO;
+import org.onap.aaf.auth.dao.cass.FutureDAO;
+import org.onap.aaf.auth.dao.cass.HistoryDAO;
+import org.onap.aaf.auth.dao.cass.LocateDAO;
+import org.onap.aaf.auth.dao.cass.NsDAO;
+import org.onap.aaf.auth.dao.cass.NsSplit;
+import org.onap.aaf.auth.dao.cass.NsType;
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.dao.cass.UserRoleDAO;
+import org.onap.aaf.auth.dao.cass.CredDAO.Data;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.env.AuthzTransFilter;
+import org.onap.aaf.auth.env.AuthzTrans.REQD_TYPE;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.cadi.Hash;
+import org.onap.aaf.cadi.aaf.PermEval;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import com.datastax.driver.core.Cluster;
+
+/**
+ * Question HL DAO
+ * 
+ * A Data Access Combination Object which asks Security and other Questions
+ * 
+ * @author Jonathan
+ *
+ */
+public class Question {
+
+	// DON'T CHANGE FROM lower Case!!!
+	public static enum Type {
+		ns, role, perm, cred
+	};
+
+	public static final String OWNER="owner";
+	public static final String ADMIN="admin";
+	public static final String DOT_OWNER=".owner";
+	public static final String DOT_ADMIN=".admin";
+	public static final String ACCESS = "access";
+
+	static final String ASTERIX = "*";
+
+	public static enum Access {
+		read, write, create
+	};
+
+	public static final String READ = Access.read.name();
+	public static final String WRITE = Access.write.name();
+	public static final String CREATE = Access.create.name();
+
+	public static final String ROLE = Type.role.name();
+	public static final String PERM = Type.perm.name();
+	public static final String NS = Type.ns.name();
+	public static final String CRED = Type.cred.name();
+	private static final String DELG = "delg";
+	public static final String ROOT_NS = Define.ROOT_NS();
+	public static final String ATTRIB = "attrib";
+
+
+	public static final int MAX_SCOPE = 10;
+	public static final int APP_SCOPE = 3;
+	public static final int COMPANY_SCOPE = 2;
+	static Slot PERMS;
+
+	private static Set<String> specialLog = null;
+	public static final Random random = new SecureRandom();
+	private static long traceID = random.nextLong();
+	private static Slot specialLogSlot = null;
+	private static Slot transIDSlot = null;
+
+
+	public final HistoryDAO historyDAO;
+	public final CachedNSDAO nsDAO;
+	public final CachedRoleDAO roleDAO;
+	public final CachedPermDAO permDAO;
+	public final CachedUserRoleDAO userRoleDAO;
+	public final CachedCredDAO credDAO;
+	public final CachedCertDAO certDAO;
+	public final DelegateDAO delegateDAO;
+	public final FutureDAO futureDAO;
+	public final ApprovalDAO approvalDAO;
+	private final CacheInfoDAO cacheInfoDAO;
+	public final LocateDAO locateDAO;
+
+	public Question(AuthzTrans trans, Cluster cluster, String keyspace, boolean startClean) throws APIException, IOException {
+		PERMS = trans.slot("USER_PERMS");
+		trans.init().log("Instantiating DAOs");
+		long expiresIn = Long.parseLong(trans.getProperty(Config.AAF_USER_EXPIRES, Config.AAF_USER_EXPIRES_DEF));
+		historyDAO = new HistoryDAO(trans, cluster, keyspace);
+
+		// Deal with Cached Entries
+		cacheInfoDAO = new CacheInfoDAO(trans, historyDAO);
+
+		nsDAO = new CachedNSDAO(new NsDAO(trans, historyDAO, cacheInfoDAO),cacheInfoDAO, expiresIn);
+		permDAO = new CachedPermDAO(new PermDAO(trans, historyDAO, cacheInfoDAO), cacheInfoDAO, expiresIn);
+		roleDAO = new CachedRoleDAO(new RoleDAO(trans, historyDAO, cacheInfoDAO), cacheInfoDAO, expiresIn);
+		userRoleDAO = new CachedUserRoleDAO(new UserRoleDAO(trans, historyDAO,cacheInfoDAO), cacheInfoDAO, expiresIn);
+		credDAO = new CachedCredDAO(new CredDAO(trans, historyDAO, cacheInfoDAO), cacheInfoDAO, expiresIn);
+		certDAO = new CachedCertDAO(new CertDAO(trans, historyDAO, cacheInfoDAO), cacheInfoDAO, expiresIn);
+
+		locateDAO = new LocateDAO(trans,historyDAO);
+		futureDAO = new FutureDAO(trans, historyDAO);
+		delegateDAO = new DelegateDAO(trans, historyDAO);
+		approvalDAO = new ApprovalDAO(trans, historyDAO);
+
+		// Only want to aggressively cleanse User related Caches... The others,
+		// just normal refresh
+		if(startClean) {
+			CachedDAO.startCleansing(trans.env(), credDAO, userRoleDAO);
+			CachedDAO.startRefresh(trans.env(), cacheInfoDAO);
+		}
+		// Set a Timer to Check Caches to send messages for Caching changes
+		
+		if(specialLogSlot==null) {
+			specialLogSlot = trans.slot(AuthzTransFilter.SPECIAL_LOG_SLOT);
+		}
+		
+		if(transIDSlot==null) {
+			transIDSlot = trans.slot(AuthzTransFilter.TRANS_ID_SLOT);
+		}
+		
+		AbsCassDAO.primePSIs(trans);
+	}
+
+
+	public void close(AuthzTrans trans) {
+		historyDAO.close(trans);
+		cacheInfoDAO.close(trans);
+		nsDAO.close(trans);
+		permDAO.close(trans);
+		roleDAO.close(trans);
+		userRoleDAO.close(trans);
+		credDAO.close(trans);
+		certDAO.close(trans);
+		delegateDAO.close(trans);
+		futureDAO.close(trans);
+		approvalDAO.close(trans);
+	}
+
+	public Result<PermDAO.Data> permFrom(AuthzTrans trans, String type,
+			String instance, String action) {
+		Result<NsDAO.Data> rnd = deriveNs(trans, type);
+		if (rnd.isOK()) {
+			return Result.ok(new PermDAO.Data(new NsSplit(rnd.value, type),
+					instance, action));
+		} else {
+			return Result.err(rnd);
+		}
+	}
+
+	/**
+	 * getPermsByUser
+	 * 
+	 * Because this call is frequently called internally, AND because we already
+	 * look for it in the initial Call, we cache within the Transaction
+	 * 
+	 * @param trans
+	 * @param user
+	 * @return
+	 */
+	public Result<List<PermDAO.Data>> getPermsByUser(AuthzTrans trans, String user, boolean lookup) {
+		return PermLookup.get(trans, this, user).getPerms(lookup);
+	}
+	
+	public Result<List<PermDAO.Data>> getPermsByUserFromRolesFilter(AuthzTrans trans, String user, String forUser) {
+		PermLookup plUser = PermLookup.get(trans, this, user);
+		Result<Set<String>> plPermNames = plUser.getPermNames();
+		if(plPermNames.notOK()) {
+			return Result.err(plPermNames);
+		}
+		
+		Set<String> nss;
+		if(forUser.equals(user)) {
+			nss = null;
+		} else {
+			// Setup a TreeSet to check on Namespaces to 
+			nss = new TreeSet<String>();
+			PermLookup fUser = PermLookup.get(trans, this, forUser);
+			Result<Set<String>> forUpn = fUser.getPermNames();
+			if(forUpn.notOK()) {
+				return Result.err(forUpn);
+			}
+			
+			for(String pn : forUpn.value) {
+				Result<String[]> decoded = PermDAO.Data.decodeToArray(trans, this, pn);
+				if(decoded.isOKhasData()) {
+					nss.add(decoded.value[0]);
+				} else {
+					trans.error().log(pn,", derived from a Role, is invalid:",decoded.errorString());
+				}
+			}
+		}
+
+		List<PermDAO.Data> rlpUser = new ArrayList<PermDAO.Data>();
+		Result<PermDAO.Data> rpdd;
+		PermDAO.Data pdd;
+		for(String pn : plPermNames.value) {
+			rpdd = PermDAO.Data.decode(trans, this, pn);
+			if(rpdd.isOKhasData()) {
+				pdd=rpdd.value;
+				if(nss==null || nss.contains(pdd.ns)) {
+					rlpUser.add(pdd);
+				}
+			} else {
+				trans.error().log(pn,", derived from a Role, is invalid.  Run Data Cleanup:",rpdd.errorString());
+			}
+		}
+		return Result.ok(rlpUser); 
+	}
+
+	public Result<List<PermDAO.Data>> getPermsByType(AuthzTrans trans, String perm) {
+		Result<NsSplit> nss = deriveNsSplit(trans, perm);
+		if (nss.notOK()) {
+			return Result.err(nss);
+		}
+		return permDAO.readByType(trans, nss.value.ns, nss.value.name);
+	}
+
+	public Result<List<PermDAO.Data>> getPermsByName(AuthzTrans trans,
+			String type, String instance, String action) {
+		Result<NsSplit> nss = deriveNsSplit(trans, type);
+		if (nss.notOK()) {
+			return Result.err(nss);
+		}
+		return permDAO.read(trans, nss.value.ns, nss.value.name, instance,action);
+	}
+
+	public Result<List<PermDAO.Data>> getPermsByRole(AuthzTrans trans, String role, boolean lookup) {
+		Result<NsSplit> nss = deriveNsSplit(trans, role);
+		if (nss.notOK()) {
+			return Result.err(nss);
+		}
+
+		Result<List<RoleDAO.Data>> rlrd = roleDAO.read(trans, nss.value.ns,
+				nss.value.name);
+		if (rlrd.notOKorIsEmpty()) {
+			return Result.err(rlrd);
+		}
+		// Using Set to avoid duplicates
+		Set<String> permNames = new HashSet<String>();
+		if (rlrd.isOKhasData()) {
+			for (RoleDAO.Data drr : rlrd.value) {
+				permNames.addAll(drr.perms(false));
+			}
+		}
+
+		// Note: It should be ok for a Valid user to have no permissions -
+		// Jonathan 8/12/2013
+		List<PermDAO.Data> perms = new ArrayList<PermDAO.Data>();
+		for (String perm : permNames) {
+			Result<PermDAO.Data> pr = PermDAO.Data.decode(trans, this, perm);
+			if (pr.notOK()) {
+				return Result.err(pr);
+			}
+
+			if(lookup) {
+				Result<List<PermDAO.Data>> rlpd = permDAO.read(trans, pr.value);
+				if (rlpd.isOKhasData()) {
+					for (PermDAO.Data pData : rlpd.value) {
+						perms.add(pData);
+					}
+				}
+			} else {
+				perms.add(pr.value);
+			}
+		}
+
+		return Result.ok(perms);
+	}
+
+	public Result<List<RoleDAO.Data>> getRolesByName(AuthzTrans trans,
+			String role) {
+		Result<NsSplit> nss = deriveNsSplit(trans, role);
+		if (nss.notOK()) {
+			return Result.err(nss);
+		}
+		String r = nss.value.name;
+		if (r.endsWith(".*")) { // do children Search
+			return roleDAO.readChildren(trans, nss.value.ns,
+					r.substring(0, r.length() - 2));
+		} else if (ASTERIX.equals(r)) {
+			return roleDAO.readChildren(trans, nss.value.ns, ASTERIX);
+		} else {
+			return roleDAO.read(trans, nss.value.ns, r);
+		}
+	}
+
+	/**
+	 * Derive NS
+	 * 
+	 * Given a Child Namespace, figure out what the best Namespace parent is.
+	 * 
+	 * For instance, if in the NS table, the parent "com.att" exists, but not
+	 * "org.osaaf.child" or "org.osaaf.a.b.c", then passing in either
+	 * "org.osaaf.child" or "org.osaaf.a.b.c" will return "com.att"
+	 * 
+	 * Uses recursive search on Cached DAO data
+	 * 
+	 * @param trans
+	 * @param child
+	 * @return
+	 */
+	public Result<NsDAO.Data> deriveNs(AuthzTrans trans, String child) {
+		Result<List<NsDAO.Data>> r = nsDAO.read(trans, child);
+		
+		if (r.isOKhasData()) {
+			return Result.ok(r.value.get(0));
+		} else {
+			int dot = child == null ? -1 : child.lastIndexOf('.');
+			if (dot < 0) {
+				return Result.err(Status.ERR_NsNotFound,
+						"No Namespace for [%s]", child);
+			} else {
+				return deriveNs(trans, child.substring(0, dot));
+			}
+		}
+	}
+
+	public Result<NsDAO.Data> deriveFirstNsForType(AuthzTrans trans, String str, NsType type) {
+		NsDAO.Data nsd;
+
+		for(String lookup = str;!".".equals(lookup) && lookup!=null;) {
+			Result<List<NsDAO.Data>> rld = nsDAO.read(trans, lookup);
+			if(rld.isOKhasData()) {
+				nsd=rld.value.get(0);
+				lookup = nsd.parent;
+				if(type.type == nsd.type) {
+					return Result.ok(nsd);
+				}
+			} else {
+				return Result.err(Status.ERR_NsNotFound,"There is no valid Company Namespace for %s",str);
+			}
+		}
+		return Result.err(Status.ERR_NotFound, str + " does not contain type " + type.name());
+	}
+
+	public Result<NsSplit> deriveNsSplit(AuthzTrans trans, String child) {
+		Result<NsDAO.Data> ndd = deriveNs(trans, child);
+		if (ndd.isOK()) {
+			NsSplit nss = new NsSplit(ndd.value, child);
+			if (nss.isOK()) {
+				return Result.ok(nss);
+			} else {
+				return Result.err(Status.ERR_NsNotFound,
+						"Cannot split [%s] into valid namespace elements",
+						child);
+			}
+		}
+		return Result.err(ndd);
+	}
+
+	/**
+	 * Translate an ID into it's domain
+	 * 
+	 * i.e. myid1234@aaf.att.com results in domain of com.att.aaf
+	 * 
+	 * @param id
+	 * @return
+	 */
+	public static String domain2ns(String id) {
+		int at = id.indexOf('@');
+		if (at >= 0) {
+			String[] domain = id.substring(at + 1).split("\\.");
+			StringBuilder ns = new StringBuilder(id.length());
+			boolean first = true;
+			for (int i = domain.length - 1; i >= 0; --i) {
+				if (first) {
+					first = false;
+				} else {
+					ns.append('.');
+				}
+				ns.append(domain[i]);
+			}
+			return ns.toString();
+		} else {
+			return "";
+		}
+
+	}
+
+	/**
+	 * Validate Namespace of ID@Domain
+	 * 
+	 * Namespace is reverse order of Domain.
+	 * 
+	 * @param trans
+	 * @param id
+	 * @return
+	 */
+	public Result<NsDAO.Data> validNSOfDomain(AuthzTrans trans, String id) {
+		// Take domain, reverse order, and check on NS
+		String ns;
+		if(id.indexOf('@')<0) { // it's already an ns, not an ID
+			ns = id;
+		} else {
+			ns = domain2ns(id);
+		}
+		if (ns.length() > 0) {
+			if(!trans.org().getDomain().equals(ns)) { 
+				Result<List<NsDAO.Data>> rlnsd = nsDAO.read(trans, ns);
+				if (rlnsd.isOKhasData()) {
+					return Result.ok(rlnsd.value.get(0));
+				}
+			}
+		}
+		return Result.err(Status.ERR_NsNotFound,
+				"A Namespace is not available for %s", id);
+	}
+
+	public Result<NsDAO.Data> mayUser(AuthzTrans trans, String user,NsDAO.Data ndd, Access access) {
+		// <ns>.access|:role:<role name>|<read|write>
+		String ns = ndd.name;
+		int last;
+		do {
+			if (isGranted(trans, user, ns, ACCESS, ":ns", access.name())) {
+				return Result.ok(ndd);
+			}
+			if ((last = ns.lastIndexOf('.')) >= 0) {
+				ns = ns.substring(0, last);
+			}
+		} while (last >= 0);
+		// com.att.aaf.ns|:<client ns>:ns|<access>
+		// AAF-724 - Make consistent response for May User", and not take the
+		// last check... too confusing.
+		Result<NsDAO.Data> rv = mayUserVirtueOfNS(trans, user, ndd, ":"	+ ndd.name + ":ns", access.name());
+		if (rv.isOK()) {
+			return rv;
+		} else if(rv.status==Result.ERR_Backend) {
+			return Result.err(rv);
+		} else {
+			return Result.err(Status.ERR_Denied, "[%s] may not %s in NS [%s]",
+					user, access.name(), ndd.name);
+		}
+	}
+
+	public Result<NsDAO.Data> mayUser(AuthzTrans trans, String user, RoleDAO.Data rdd, Access access) {
+		Result<NsDAO.Data> rnsd = deriveNs(trans, rdd.ns);
+		if (rnsd.isOK()) {
+			return mayUser(trans, user, rnsd.value, rdd, access);
+		}
+		return rnsd;
+	}
+
+	public Result<NsDAO.Data> mayUser(AuthzTrans trans, String user, NsDAO.Data ndd, RoleDAO.Data rdd, Access access) {
+		// 1) Is User in the Role?
+		Result<List<UserRoleDAO.Data>> rurd = userRoleDAO.readUserInRole(trans, user, rdd.fullName());
+		if (rurd.isOKhasData()) {
+			return Result.ok(ndd);
+		}
+
+		String roleInst = ":role:" + rdd.name;
+		// <ns>.access|:role:<role name>|<read|write>
+		String ns = rdd.ns;
+		int last;
+		do {
+			if (isGranted(trans, user, ns,ACCESS, roleInst, access.name())) {
+				return Result.ok(ndd);
+			}
+			if ((last = ns.lastIndexOf('.')) >= 0) {
+				ns = ns.substring(0, last);
+			}
+		} while (last >= 0);
+
+		// Check if Access by Global Role perm
+		// com.att.aaf.ns|:<client ns>:role:name|<access>
+		Result<NsDAO.Data> rnsd = mayUserVirtueOfNS(trans, user, ndd, ":"
+				+ rdd.ns + roleInst, access.name());
+		if (rnsd.isOK()) {
+			return rnsd;
+		} else if(rnsd.status==Result.ERR_Backend) {
+			return Result.err(rnsd);
+		}
+
+		// Check if Access to Whole NS
+		// AAF-724 - Make consistent response for May User", and not take the
+		// last check... too confusing.
+		Result<org.onap.aaf.auth.dao.cass.NsDAO.Data> rv = mayUserVirtueOfNS(trans, user, ndd, 
+				":" + rdd.ns + ":ns", access.name());
+		if (rv.isOK()) {
+			return rv;
+		} else if(rnsd.status==Result.ERR_Backend) {
+			return Result.err(rnsd);
+		} else {
+			return Result.err(Status.ERR_Denied, "[%s] may not %s Role [%s]",
+					user, access.name(), rdd.fullName());
+		}
+
+	}
+
+	public Result<NsDAO.Data> mayUser(AuthzTrans trans, String user,PermDAO.Data pdd, Access access) {
+		Result<NsDAO.Data> rnsd = deriveNs(trans, pdd.ns);
+		if (rnsd.isOK()) {
+			return mayUser(trans, user, rnsd.value, pdd, access);
+		}
+		return rnsd;
+	}
+
+	public Result<NsDAO.Data> mayUser(AuthzTrans trans, String user,NsDAO.Data ndd, PermDAO.Data pdd, Access access) {
+		if (isGranted(trans, user, pdd.ns, pdd.type, pdd.instance, pdd.action)) {
+			return Result.ok(ndd);
+		}
+		String permInst = ":perm:" + pdd.type + ':' + pdd.instance + ':' + pdd.action;
+		// <ns>.access|:role:<role name>|<read|write>
+		String ns = ndd.name;
+		int last;
+		do {
+			if (isGranted(trans, user, ns, ACCESS, permInst, access.name())) {
+				return Result.ok(ndd);
+			}
+			if ((last = ns.lastIndexOf('.')) >= 0) {
+				ns = ns.substring(0, last);
+			}
+		} while (last >= 0);
+
+		// Check if Access by NS perm
+		// com.att.aaf.ns|:<client ns>:role:name|<access>
+		Result<NsDAO.Data> rnsd = mayUserVirtueOfNS(trans, user, ndd, ":" + pdd.ns + permInst, access.name());
+		if (rnsd.isOK()) {
+			return rnsd;
+		} else if(rnsd.status==Result.ERR_Backend) {
+			return Result.err(rnsd);
+		}
+
+		// Check if Access to Whole NS
+		// AAF-724 - Make consistent response for May User", and not take the
+		// last check... too confusing.
+		Result<NsDAO.Data> rv = mayUserVirtueOfNS(trans, user, ndd, ":"	+ pdd.ns + ":ns", access.name());
+		if (rv.isOK()) {
+			return rv;
+		} else {
+			return Result.err(Status.ERR_Denied,
+					"[%s] may not %s Perm [%s|%s|%s]", user, access.name(),
+					pdd.fullType(), pdd.instance, pdd.action);
+		}
+
+	}
+
+	public Result<Void> mayUser(AuthzTrans trans, DelegateDAO.Data dd, Access access) {
+		try {
+			Result<NsDAO.Data> rnsd = deriveNs(trans, domain2ns(trans.user()));
+			if(rnsd.isOKhasData() && mayUserVirtueOfNS(trans,trans.user(),rnsd.value, ":"	+ rnsd.value.name + ":ns", access.name()).isOK()) {
+				return Result.ok();
+			}
+			boolean isUser = trans.user().equals(dd.user);
+			boolean isDelegate = dd.delegate != null
+					&& (dd.user.equals(dd.delegate) || trans.user().equals(
+							dd.delegate));
+			Organization org = trans.org();
+			switch (access) {
+			case create:
+				if (org.getIdentity(trans, dd.user) == null) {
+					return Result.err(Status.ERR_UserNotFound,
+							"[%s] is not a user in the company database.",
+							dd.user);
+				}
+				if (!dd.user.equals(dd.delegate) && org.getIdentity(trans, dd.delegate) == null) {
+					return Result.err(Status.ERR_UserNotFound,
+							"[%s] is not a user in the company database.",
+							dd.delegate);
+				}
+				if (!trans.requested(REQD_TYPE.force) && dd.user != null && dd.user.equals(dd.delegate)) {
+					return Result.err(Status.ERR_BadData,
+							"[%s] cannot be a delegate for self", dd.user);
+				}
+				if (!isUser	&& !isGranted(trans, trans.user(), ROOT_NS,DELG,
+								org.getDomain(), Question.CREATE)) {
+					return Result.err(Status.ERR_Denied,
+							"[%s] may not create a delegate for [%s]",
+							trans.user(), dd.user);
+				}
+				break;
+			case read:
+			case write:
+				if (!isUser	&& !isDelegate && 
+						!isGranted(trans, trans.user(), ROOT_NS,DELG,org.getDomain(), access.name())) {
+					return Result.err(Status.ERR_Denied,
+							"[%s] may not %s delegates for [%s]", trans.user(),
+							access.name(), dd.user);
+				}
+				break;
+			default:
+				return Result.err(Status.ERR_BadData,"Unknown Access type [%s]", access.name());
+			}
+		} catch (Exception e) {
+			return Result.err(e);
+		}
+		return Result.ok();
+	}
+
+	/*
+	 * Check (recursively, if necessary), if able to do something based on NS
+	 */
+	private Result<NsDAO.Data> mayUserVirtueOfNS(AuthzTrans trans, String user,	NsDAO.Data nsd, String ns_and_type, String access) {
+		String ns = nsd.name;
+
+		// If an ADMIN of the Namespace, then allow
+		
+		Result<List<UserRoleDAO.Data>> rurd;
+		if ((rurd = userRoleDAO.readUserInRole(trans, user, ns+DOT_ADMIN)).isOKhasData()) {
+			return Result.ok(nsd);
+		} else if(rurd.status==Result.ERR_Backend) {
+			return Result.err(rurd);
+		}
+		
+		// If Specially granted Global Permission
+		if (isGranted(trans, user, ROOT_NS,NS, ns_and_type, access)) {
+			return Result.ok(nsd);
+		}
+
+		// Check recur
+
+		int dot = ns.length();
+		if ((dot = ns.lastIndexOf('.', dot - 1)) >= 0) {
+			Result<NsDAO.Data> rnsd = deriveNs(trans, ns.substring(0, dot));
+			if (rnsd.isOK()) {
+				rnsd = mayUserVirtueOfNS(trans, user, rnsd.value, ns_and_type,access);
+			} else if(rnsd.status==Result.ERR_Backend) {
+				return Result.err(rnsd);
+			}
+			if (rnsd.isOK()) {
+				return Result.ok(nsd);
+			} else if(rnsd.status==Result.ERR_Backend) {
+				return Result.err(rnsd);
+			}
+		}
+		return Result.err(Status.ERR_Denied, "%s may not %s %s", user, access,
+				ns_and_type);
+	}
+
+	
+	/**
+	 * isGranted
+	 * 
+	 * Important function - Check internal Permission Schemes for Permission to
+	 * do things
+	 * 
+	 * @param trans
+	 * @param type
+	 * @param instance
+	 * @param action
+	 * @return
+	 */
+	public boolean isGranted(AuthzTrans trans, String user, String ns, String type,String instance, String action) {
+		Result<List<PermDAO.Data>> perms = getPermsByUser(trans, user, false);
+		if (perms.isOK()) {
+			for (PermDAO.Data pd : perms.value) {
+				if (ns.equals(pd.ns)) {
+					if (type.equals(pd.type)) {
+						if (PermEval.evalInstance(pd.instance, instance)) {
+							if(PermEval.evalAction(pd.action, action)) { // don't return action here, might miss other action 
+								return true;
+							}
+						}
+					}
+				}
+			}
+		}
+		return false;
+	}
+
+	public Result<Date> doesUserCredMatch(AuthzTrans trans, String user, byte[] cred) throws DAOException {
+		Result<List<CredDAO.Data>> result;
+		TimeTaken tt = trans.start("Read DB Cred", Env.REMOTE);
+		try {
+			result = credDAO.readID(trans, user);
+		} finally {
+			tt.done();
+		}
+
+		Result<Date> rv = null;
+		if(result.isOK()) {
+			if (result.isEmpty()) {
+				rv = Result.err(Status.ERR_UserNotFound, user);
+				if (willSpecialLog(trans,user)) {
+					trans.audit().log("Special DEBUG:", user, " does not exist in DB");
+				}
+			} else {
+				Date now = new Date();//long now = System.currentTimeMillis();
+				// Bug noticed 6/22. Sorting on the result can cause Concurrency Issues.	 
+				List<CredDAO.Data> cddl;
+				if(result.value.size() > 1) {
+					cddl = new ArrayList<CredDAO.Data>(result.value.size());
+					for(CredDAO.Data old : result.value) {
+						if(old.type==CredDAO.BASIC_AUTH || old.type==CredDAO.BASIC_AUTH_SHA256) {
+							cddl.add(old);
+						}
+					}
+					if(cddl.size()>1) {
+						Collections.sort(cddl,new Comparator<CredDAO.Data>() {
+							@Override
+							public int compare(org.onap.aaf.auth.dao.cass.CredDAO.Data a,
+											   org.onap.aaf.auth.dao.cass.CredDAO.Data b) {
+								return b.expires.compareTo(a.expires);
+							}
+						});
+					}
+				} else {
+					cddl = result.value;
+				}
+	
+				Date expired = null;
+				StringBuilder debug = willSpecialLog(trans,user)?new StringBuilder():null;
+				for (CredDAO.Data cdd : cddl) {
+					if(!cdd.id.equals(user)) {
+						trans.error().log("doesUserCredMatch DB call does not match for user: " + user);
+					}
+					if (cdd.expires.after(now)) {
+						byte[] dbcred = cdd.cred.array();
+						
+						try {
+							switch(cdd.type) {
+								case CredDAO.BASIC_AUTH:
+									byte[] md5=Hash.hashMD5(cred);
+									if(Hash.compareTo(md5,dbcred)==0) {
+										checkLessThanDays(trans,7,now,cdd);
+										return Result.ok(cdd.expires);
+									} else if (debug!=null) {
+										load(debug, cdd,dbcred);
+									}
+									break;
+								case CredDAO.BASIC_AUTH_SHA256:
+									ByteBuffer bb = ByteBuffer.allocate(Integer.SIZE + cred.length);
+									bb.putInt(cdd.other);
+									bb.put(cred);
+									byte[] hash = Hash.hashSHA256(bb.array());
+	
+									if(Hash.compareTo(hash,dbcred)==0) {
+										checkLessThanDays(trans,7,now,cdd);
+										return Result.ok(cdd.expires);
+									} else if (debug!=null) {
+										load(debug, cdd, dbcred);
+									}
+									break;
+								default:
+									trans.error().log("Unknown Credential Type %s for %s, %s",Integer.toString(cdd.type),cdd.id, Chrono.dateTime(cdd.expires));
+							}
+						} catch (NoSuchAlgorithmException e) {
+							trans.error().log(e);
+						}
+					} else {
+						if(expired==null || expired.before(cdd.expires)) {
+							expired = cdd.expires;
+						}
+					}
+				} // end for each
+				if(debug==null) {
+					debug=new StringBuilder();
+				} else {
+					debug.append(", ");
+				}
+				
+				debug.append("cred=");
+				debug.append(new String(cred));
+				trans.audit().printf("No cred matches ip=%s, user=%s, %s\n",trans.ip(),user,trans.encryptor().encrypt(debug.toString()));
+				if(expired!=null) {
+					// Note: this is only returned if there are no good Credentials
+					rv = Result.err(Status.ERR_Security,
+							"Credentials %s from %s expired %s",trans.user(), trans.ip(), Chrono.dateTime(expired));
+				}
+			}
+		} else {
+			return Result.err(result);
+		}
+		return rv == null ? Result.create((Date) null, Status.ERR_Security, "Wrong credential") : rv;
+	}
+
+
+	private void load(StringBuilder debug, Data cdd, byte[] dbcred) {
+		debug.append("DB Entry: user=");
+		debug.append(cdd.id);
+		debug.append(",type=");
+		debug.append(cdd.type);
+		debug.append(",cred=");
+		debug.append(Hash.toHex(dbcred));
+		debug.append(",expires=");
+		debug.append(Chrono.dateTime(cdd.expires));
+		debug.append('\n');
+	}
+
+
+	private void checkLessThanDays(AuthzTrans trans, int days, Date now, Data cdd) {
+		long close = now.getTime() + (days * 86400000);
+		long cexp=cdd.expires.getTime();
+		if(cexp<close) {
+			int daysLeft = days-(int)((close-cexp)/86400000);
+			trans.audit().printf("user=%s,ip=%s,expires=%s,days=%d,msg=\"Password expires in less than %d day%s\"",
+				cdd.id,trans.ip(),Chrono.dateOnlyStamp(cdd.expires),daysLeft, daysLeft,daysLeft==1?"":"s");
+		}
+	}
+
+
+	public Result<CredDAO.Data> userCredSetup(AuthzTrans trans, CredDAO.Data cred) {
+		if(cred.type==CredDAO.RAW) {
+			TimeTaken tt = trans.start("Hash Cred", Env.SUB);
+			try {
+				cred.type = CredDAO.BASIC_AUTH_SHA256;
+				cred.other = random.nextInt();
+				ByteBuffer bb = ByteBuffer.allocate(Integer.SIZE + cred.cred.capacity());
+				bb.putInt(cred.other);
+				bb.put(cred.cred);
+				byte[] hash = Hash.hashSHA256(bb.array());
+				cred.cred = ByteBuffer.wrap(hash);
+				return Result.ok(cred);
+			} catch (NoSuchAlgorithmException e) {
+				return Result.err(Status.ERR_General,e.getLocalizedMessage());
+			} finally {
+				tt.done();
+			}
+			
+		}
+		return Result.err(Status.ERR_Security,"invalid/unreadable credential");
+	}
+	
+	public Result<Boolean> userCredCheck(AuthzTrans trans, CredDAO.Data orig, final byte[] raw) {
+			TimeTaken tt = trans.start("CheckCred Cred", Env.SUB);
+			try {
+				switch(orig.type) {
+					case CredDAO.BASIC_AUTH_SHA256:
+						ByteBuffer bb = ByteBuffer.allocate(Integer.SIZE + raw.length);
+						bb.putInt(orig.other);
+						bb.put(raw);
+						return Result.ok(Hash.compareTo(orig.cred.array(),Hash.hashSHA256(bb.array()))==0);
+					case CredDAO.BASIC_AUTH:
+						return Result.ok( Hash.compareTo(orig.cred.array(), Hash.hashMD5(raw))==0);
+					default:
+						return Result.ok(false);
+				}
+			} catch (NoSuchAlgorithmException e) {
+				return Result.err(Status.ERR_General,e.getLocalizedMessage());
+			} finally {
+				tt.done();
+			}
+	}
+
+	public static final String APPROVED = "APPROVE";
+	public static final String REJECT = "REJECT";
+	public static final String PENDING = "PENDING";
+
+	public Result<Void> canAddUser(AuthzTrans trans, UserRoleDAO.Data data,
+			List<ApprovalDAO.Data> approvals) {
+		// get the approval policy for the organization
+
+		// get the list of approvals with an accept status
+
+		// validate the approvals against the policy
+
+		// for now check if all approvals are received and return
+		// SUCCESS/FAILURE/SKIP
+		boolean bReject = false;
+		boolean bPending = false;
+
+		for (ApprovalDAO.Data approval : approvals) {
+			if (approval.status.equals(REJECT)) {
+				bReject = true;
+			} else if (approval.status.equals(PENDING)) {
+				bPending = true;
+			}
+		}
+		if (bReject) {
+			return Result.err(Status.ERR_Policy,
+					"Approval Polocy not conformed");
+		}
+		if (bPending) {
+			return Result.err(Status.ERR_ActionNotCompleted,
+					"Required Approvals not received");
+		}
+
+		return Result.ok();
+	}
+
+	private static final String NO_CACHE_NAME = "No Cache Data named %s";
+
+	public Result<Void> clearCache(AuthzTrans trans, String cname) {
+		boolean all = "all".equals(cname);
+		Result<Void> rv = null;
+
+		if (all || NsDAO.TABLE.equals(cname)) {
+			int seg[] = series(NsDAO.CACHE_SEG);
+			for(int i: seg) {cacheClear(trans, NsDAO.TABLE,i);}
+			rv = cacheInfoDAO.touch(trans, NsDAO.TABLE, seg);
+		}
+		if (all || PermDAO.TABLE.equals(cname)) {
+			int seg[] = series(NsDAO.CACHE_SEG);
+			for(int i: seg) {cacheClear(trans, PermDAO.TABLE,i);}
+			rv = cacheInfoDAO.touch(trans, PermDAO.TABLE,seg);
+		}
+		if (all || RoleDAO.TABLE.equals(cname)) {
+			int seg[] = series(NsDAO.CACHE_SEG);
+			for(int i: seg) {cacheClear(trans, RoleDAO.TABLE,i);}
+			rv = cacheInfoDAO.touch(trans, RoleDAO.TABLE,seg);
+		}
+		if (all || UserRoleDAO.TABLE.equals(cname)) {
+			int seg[] = series(NsDAO.CACHE_SEG);
+			for(int i: seg) {cacheClear(trans, UserRoleDAO.TABLE,i);}
+			rv = cacheInfoDAO.touch(trans, UserRoleDAO.TABLE,seg);
+		}
+		if (all || CredDAO.TABLE.equals(cname)) {
+			int seg[] = series(NsDAO.CACHE_SEG);
+			for(int i: seg) {cacheClear(trans, CredDAO.TABLE,i);}
+			rv = cacheInfoDAO.touch(trans, CredDAO.TABLE,seg);
+		}
+		if (all || CertDAO.TABLE.equals(cname)) {
+			int seg[] = series(NsDAO.CACHE_SEG);
+			for(int i: seg) {cacheClear(trans, CertDAO.TABLE,i);}
+			rv = cacheInfoDAO.touch(trans, CertDAO.TABLE,seg);
+		}
+
+		if (rv == null) {
+			rv = Result.err(Status.ERR_BadData, NO_CACHE_NAME, cname);
+		}
+		return rv;
+	}
+
+	public Result<Void> cacheClear(AuthzTrans trans, String cname,Integer segment) {
+		Result<Void> rv;
+		if (NsDAO.TABLE.equals(cname)) {
+			rv = nsDAO.invalidate(segment);
+		} else if (PermDAO.TABLE.equals(cname)) {
+			rv = permDAO.invalidate(segment);
+		} else if (RoleDAO.TABLE.equals(cname)) {
+			rv = roleDAO.invalidate(segment);
+		} else if (UserRoleDAO.TABLE.equals(cname)) {
+			rv = userRoleDAO.invalidate(segment);
+		} else if (CredDAO.TABLE.equals(cname)) {
+			rv = credDAO.invalidate(segment);
+		} else if (CertDAO.TABLE.equals(cname)) {
+			rv = certDAO.invalidate(segment);
+		} else {
+			rv = Result.err(Status.ERR_BadData, NO_CACHE_NAME, cname);
+		}
+		return rv;
+	}
+
+	private int[] series(int max) {
+		int[] series = new int[max];
+		for (int i = 0; i < max; ++i)
+			series[i] = i;
+		return series;
+	}
+
+	public boolean isDelegated(AuthzTrans trans, String user, String approver, Map<String,Result<List<DelegateDAO.Data>>> rldd ) {
+		Result<List<DelegateDAO.Data>> userDelegatedFor = rldd.get(user);
+		if(userDelegatedFor==null) {
+			userDelegatedFor=delegateDAO.readByDelegate(trans, user);
+			rldd.put(user, userDelegatedFor);
+		}
+		if(userDelegatedFor.isOKhasData()) {
+			for (DelegateDAO.Data curr : userDelegatedFor.value) {
+				if (curr.user.equals(approver) && curr.delegate.equals(user)
+						&& curr.expires.after(new Date())) {
+					return true;
+				}
+			}
+		}
+		return false;
+	}
+
+	public static boolean willSpecialLog(AuthzTrans trans, String user) {
+		Boolean b = trans.get(specialLogSlot, null);
+		if(b==null) { // we haven't evaluated in this trans for Special Log yet
+			if(specialLog==null) {
+				return false;
+			} else {
+				b = specialLog.contains(user);
+				trans.put(specialLogSlot, b);
+			}
+		}
+		return b;
+	}
+	
+	public static void logEncryptTrace(AuthzTrans trans, String data) {
+		long ti;
+		trans.put(transIDSlot, ti=nextTraceID());
+		trans.trace().log("id="+Long.toHexString(ti)+",data=\""+trans.env().encryptor().encrypt(data)+'"');
+	}
+
+	private synchronized static long nextTraceID() {
+		return ++traceID;
+	}
+
+	public static synchronized boolean specialLogOn(AuthzTrans trans, String id) {
+		if (specialLog == null) {
+			specialLog = new HashSet<String>();
+		}
+		boolean rc = specialLog.add(id);
+		if(rc) {
+			trans.trace().printf("Trace on for %s requested by %s",id,trans.user());			
+		}
+		return rc;
+	}
+
+	public static synchronized boolean specialLogOff(AuthzTrans trans, String id) {
+		if(specialLog==null) {
+			return false;
+		}
+		boolean rv = specialLog.remove(id);
+		if (specialLog.isEmpty()) {
+			specialLog = null;
+		}
+		if(rv) {
+			trans.trace().printf("Trace off for %s requested by %s",id,trans.user());			
+		}
+		return rv;
+	}
+
+	/** 
+	 * canMove
+	 * Which Types can be moved
+	 * @param nsType
+	 * @return
+	 */
+	public boolean canMove(NsType nsType) {
+		boolean rv;
+		switch(nsType) {
+			case DOT:
+			case ROOT:
+			case COMPANY:
+			case UNKNOWN:
+				rv = false;
+				break;
+			default:
+				rv = true;
+		}
+		return rv;
+	}
+
+	public boolean isAdmin(AuthzTrans trans, String user, String ns) {
+		Date now = new Date();
+		Result<List<UserRoleDAO.Data>> rur = userRoleDAO.read(trans, user,ns+DOT_ADMIN);
+		if(rur.isOKhasData()) {for(UserRoleDAO.Data urdd : rur.value){
+			if(urdd.expires.after(now)) {
+				return true;
+			}
+		}};
+		return false;
+	}
+	
+	public boolean isOwner(AuthzTrans trans, String user, String ns) {
+		Result<List<UserRoleDAO.Data>> rur = userRoleDAO.read(trans, user,ns+DOT_OWNER);
+		Date now = new Date();
+		if(rur.isOKhasData()) {for(UserRoleDAO.Data urdd : rur.value){
+			if(urdd.expires.after(now)) {
+				return true;
+			}
+		}};
+		return false;
+	}
+
+	public int countOwner(AuthzTrans trans, String ns) {
+		Result<List<UserRoleDAO.Data>> rur = userRoleDAO.readByRole(trans,ns+DOT_OWNER);
+		Date now = new Date();
+		int count = 0;
+		if(rur.isOKhasData()) {for(UserRoleDAO.Data urdd : rur.value){
+			if(urdd.expires.after(now)) {
+				++count;
+			}
+		}};
+		return count;
+	}
+	
+	/**
+	 * Return a Unique String, (same string, if it is already unique), with only
+	 * lowercase letters, digits and the '.' character.
+	 * 
+	 * @param name
+	 * @return
+	 * @throws IOException 
+	 */
+	public static String toUnique(String name) throws IOException {
+		byte[] from = name.getBytes();
+		StringBuilder sb = new StringBuilder();
+		byte f;
+		for(int i=0;i<from.length;++i) {
+			f=(byte)(from[i]); // printables;
+			sb.append((char)((f>>4)+0x61));
+			sb.append((char)((f&0x0F)+0x61));
+		}
+		return sb.toString();
+	}
+	
+	public static String fromUnique(String name) throws IOException {
+		byte[] from = name.getBytes();
+		StringBuilder sb = new StringBuilder();
+		char c;
+		for(int i=0;i<from.length;++i) {
+			c = (char)((from[i]-0x61)<<4);
+			c |= (from[++i]-0x61);
+			sb.append(c);
+		}
+		return sb.toString();
+	}
+
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFLocator.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFLocator.java
new file mode 100644
index 00000000..b854deff
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFLocator.java
@@ -0,0 +1,132 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.direct;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.Collections;
+import java.util.LinkedList;
+import java.util.List;
+
+import org.onap.aaf.auth.dao.cass.LocateDAO;
+import org.onap.aaf.auth.dao.cass.LocateDAO.Data;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.aaf.v2_0.AbsAAFLocator;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.misc.env.util.Split;
+
+import locate.v1_0.Endpoint;
+
+public class DirectAAFLocator extends AbsAAFLocator<AuthzTrans> {
+	private LocateDAO ldao;
+	private int major=-1, minor=-1, patch=-1, pkg=-1;
+	private AuthzEnv env;
+	private final URI uri;
+
+	/**
+	 * 
+	 * @param env
+	 * @param ldao
+	 * @param key  must be one or more of service, version, other in that order
+	 * @throws LocatorException 
+	 */
+	public DirectAAFLocator(AuthzEnv env, LocateDAO ldao, String name, String version) throws LocatorException {
+		super(env.access(), name, 1000L /* Don't hit DB more than once a second */); 
+		this.env = env;
+		this.ldao = ldao;
+		if(version!=null) {
+			try { 
+				String[] v = Split.split('.',version);
+				if(v.length>0) {major = Integer.parseInt(v[0]);}
+				if(v.length>1) {minor = Integer.parseInt(v[1]);}
+				if(v.length>2) {patch = Integer.parseInt(v[2]);}
+				if(v.length>3) {pkg   = Integer.parseInt(v[3]);}
+			} catch (NumberFormatException e) {
+				throw new LocatorException("Invalid Version String: " + version);
+			}
+		}
+		
+		try {
+			uri = new URI(access.getProperty(Config.AAF_LOCATE_URL, "localhost")+"/locate/"+name+':'+version);
+		} catch (URISyntaxException e) {
+			throw new LocatorException(e);
+		}
+		myhostname=null;
+		myport = 0; 
+	}
+	
+	
+	@Override
+	public boolean refresh() {
+		AuthzTrans trans = env.newTransNoAvg();
+		Result<List<Data>> rl = ldao.readByName(trans, name);
+		if(rl.isOK()) {
+			LinkedList<EP> epl = new LinkedList<EP>();
+			for(Data d : rl.value) {
+//				if(myhostname!=null && d.port==myport && d.hostname.equals(myhostname)) {
+//					continue;
+//				}
+				if((major<0 || major==d.major) &&
+				   (minor<0 || minor<=d.minor) &&
+				   (patch<0 || patch==d.patch) &&
+				   (pkg<0   || pkg  ==d.pkg)) {
+					Endpoint endpoint = new Endpoint();
+					endpoint.setName(d.name);
+					endpoint.setHostname(d.hostname);
+					endpoint.setPort(d.port);
+					endpoint.setMajor(d.major);
+					endpoint.setMinor(d.minor);
+					endpoint.setPatch(d.patch);
+					endpoint.setPkg(d.pkg);
+					endpoint.setLatitude(d.latitude);
+					endpoint.setLongitude(d.longitude);
+					endpoint.setProtocol(d.protocol);
+					for(String s : d.subprotocol(false)) {
+						endpoint.getSubprotocol().add(s);
+					}
+					
+					try {
+						epl.add(new EP(endpoint,latitude,longitude));
+					} catch (URISyntaxException e) {
+						e.printStackTrace();
+					}
+				}
+			}
+			Collections.sort(epl);
+			replace(epl);
+			return true;
+		} else {
+			access.log(Level.ERROR, rl.errorString());
+		}
+		return false;
+	}
+
+	@Override
+	protected URI getURI() {
+		return uri;
+	}
+
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFLur.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFLur.java
new file mode 100644
index 00000000..5bdb215e
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFLur.java
@@ -0,0 +1,193 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.direct;
+
+import static org.onap.aaf.auth.layer.Result.OK;
+
+import java.security.Principal;
+import java.util.List;
+
+import org.onap.aaf.auth.dao.cass.NsSplit;
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.dao.cass.PermDAO.Data;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.env.NullTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.cadi.Lur;
+import org.onap.aaf.cadi.Permission;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.lur.LocalPermission;
+import org.onap.aaf.misc.env.util.Split;
+
+public class DirectAAFLur implements Lur {
+	private final AuthzEnv env;
+	private final Question question;
+	
+	public DirectAAFLur(AuthzEnv env, Question question/*, TokenMgr tm*/) {
+		this.env = env;
+		this.question = question;
+//		oauth = new OAuth2Lur(null);
+	}
+
+	@Override
+	public boolean fish(Principal bait, Permission pond) {
+		return fish(env.newTransNoAvg(),bait,pond);
+	}
+	
+	public boolean fish(AuthzTrans trans, Principal bait, Permission pond) {
+		Result<List<Data>> pdr = question.getPermsByUser(trans, bait.getName(),false);
+		switch(pdr.status) {
+			case OK:
+				for(PermDAO.Data d : pdr.value) {
+					if(new PermPermission(d).match(pond)) {
+						return true;
+					}
+				}
+				break;
+			case Status.ERR_UserRoleNotFound:
+			case Status.ERR_BadData:
+				return false;
+			default:
+				trans.error().log("Can't access Cassandra to fulfill Permission Query: ",pdr.status,"-",pdr.details);
+		}
+		return false;
+	}
+
+	@Override
+	public void fishAll(Principal bait, List<Permission> permissions) {
+		Result<List<Data>> pdr = question.getPermsByUser(env.newTrans(), bait.getName(),false);
+		switch(pdr.status) {
+			case OK:
+				for(PermDAO.Data d : pdr.value) {
+					permissions.add(new PermPermission(d));
+				}
+				break;
+			default:
+				env.error().log("Can't access Cassandra to fulfill Permission Query: ",pdr.status,"-", pdr.details);
+		}
+	}
+	
+	@Override
+	public void destroy() {
+	}
+
+	@Override
+	public boolean handlesExclusively(Permission pond) {
+		return false;
+	}
+	
+	/**
+	 * Small Class implementing CADI's Permission with Cassandra Data
+	 * @author Jonathan
+	 *
+	 */
+	public static class PermPermission implements Permission {
+		private PermDAO.Data data;
+		
+		public PermPermission(PermDAO.Data d) {
+			data = d;
+		}
+		
+		public PermPermission(AuthzTrans trans, Question q, String p) {
+			data = PermDAO.Data.create(trans, q, p);
+		}
+		
+		public PermPermission(String ns, String type, String instance, String action) {
+			data = new PermDAO.Data();
+			data.ns = ns;
+			data.type = type;
+			data.instance = instance;
+			data.action = action;
+		}
+
+		@Override
+		public String getKey() {
+			return data.type;
+		}
+
+		@Override
+		public boolean match(Permission p) {
+			if(p==null) {
+				return false;
+			}
+			PermDAO.Data pd;
+			if(p instanceof DirectAAFLur.PermPermission) {
+				pd = ((DirectAAFLur.PermPermission)p).data;
+				if(data.ns.equals(pd.ns))
+					if(data.type.equals(pd.type))
+						if(data.instance!=null && (data.instance.equals(pd.instance) || "*".equals(data.instance)))
+							if(data.action!=null && (data.action.equals(pd.action) || "*".equals(data.action)))
+								return true;
+			} else{
+				String[] lp = p.getKey().split("\\|");
+				if(lp.length<3)return false;
+				if(data.fullType().equals(lp[0]))
+					if(data.instance!=null && (data.instance.equals(lp[1]) || "*".equals(data.instance)))
+						if(data.action!=null && (data.action.equals(lp[2]) || "*".equals(data.action)))
+							return true;
+			}
+			return false;
+		}
+
+		@Override
+		public String permType() {
+			return "AAFLUR";
+		}
+		
+	}
+	
+	public String toString() {
+		return "DirectAAFLur is enabled";
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.cadi.Lur#handles(java.security.Principal)
+	 */
+	@Override
+	public boolean handles(Principal principal) {
+		return true;
+	}
+
+	@Override
+	public Permission createPerm(String p) {
+		String[] params = Split.split('|', p);
+		if(params.length==3) {
+			Result<NsSplit> nss = question.deriveNsSplit(NullTrans.singleton(), params[0]);
+			if(nss.isOK()) {
+				return new PermPermission(nss.value.ns,nss.value.name,params[1],params[2]);
+			}
+		}
+		return new LocalPermission(p);
+	}
+
+	@Override
+	public void clear(Principal p, StringBuilder sb) {
+		AuthzTrans trans = env.newTrans();
+		question.clearCache(trans,"all");
+		env.log(Level.AUDIT, p.getName(), "has cleared Cache for",getClass().getSimpleName());
+		trans.auditTrail(0, sb);
+	}
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFUserPass.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFUserPass.java
new file mode 100644
index 00000000..f241cdf1
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFUserPass.java
@@ -0,0 +1,83 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.direct;
+
+import static org.onap.aaf.auth.layer.Result.OK;
+
+import java.util.Date;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.aaf.auth.dao.DAOException;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.cadi.CredVal;
+
+/**
+ * DirectAAFUserPass is intended to provide password Validation directly from Cassandra Database, and is only
+ * intended for use in AAF itself.  The normal "AAF Taf" objects are, of course, clients.
+ * 
+ * @author Jonathan
+ *
+ */
+public class DirectAAFUserPass implements CredVal {
+	private final AuthzEnv env;
+	private final Question question;
+	
+	public DirectAAFUserPass(AuthzEnv env, Question question) {
+		this.env = env;
+		this.question = question;
+	}
+
+	@Override
+	public boolean validate(String user, Type type, byte[] pass, Object state) {
+			try {
+				AuthzTrans trans;
+				if(state !=null) {
+					if(state instanceof AuthzTrans) {
+						trans = (AuthzTrans)state;
+					} else {
+						trans = env.newTransNoAvg();
+						if(state instanceof HttpServletRequest) {
+							trans.set((HttpServletRequest)state);
+						}
+					}
+				} else {
+					trans = env.newTransNoAvg();
+				}
+				Result<Date> result = question.doesUserCredMatch(trans, user, pass);
+				trans.logAuditTrail(env.info());
+				switch(result.status) {
+					case OK:
+						return true;
+					default:
+						String ip = trans.ip()==null?"":(", ip="+trans.ip());
+						env.warn().log(user, "failed password validation" + ip + ':',result.errorString());
+				}
+			} catch (DAOException e) {
+				env.error().log(e,"Cannot validate user/pass from cassandra");
+			}
+		return false;
+	}
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java
new file mode 100644
index 00000000..b5fcd690
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java
@@ -0,0 +1,78 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.direct;
+
+import java.nio.ByteBuffer;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.aaf.auth.dao.cached.CachedCertDAO;
+import org.onap.aaf.auth.dao.cass.CertDAO.Data;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.rserv.TransFilter;
+import org.onap.aaf.cadi.principal.TaggedPrincipal;
+import org.onap.aaf.cadi.principal.X509Principal;
+import org.onap.aaf.cadi.taf.cert.CertIdentity;
+import org.onap.aaf.cadi.taf.cert.X509Taf;
+
+/**
+ * Direct view of CertIdentities
+ * 
+ * Warning:  this class is difficult to instantiate.  The only service that can use it is AAF itself, and is thus 
+ * entered in the "init" after the CachedCertDAO is created.
+ * 
+ * @author Jonathan
+ *
+ */
+public class DirectCertIdentity implements CertIdentity {
+	private static CachedCertDAO certDAO;
+
+	@Override
+	public TaggedPrincipal identity(HttpServletRequest req, X509Certificate cert,	byte[] _certBytes) throws CertificateException {
+	    	byte[] certBytes = _certBytes;
+		if(cert==null && certBytes==null) {
+		    return null;
+		}
+		if(certBytes==null) {
+		    certBytes = cert.getEncoded();
+		}
+		byte[] fingerprint = X509Taf.getFingerPrint(certBytes);
+
+		AuthzTrans trans = (AuthzTrans) req.getAttribute(TransFilter.TRANS_TAG);
+		
+		Result<List<Data>> cresp = certDAO.read(trans, ByteBuffer.wrap(fingerprint));
+		if(cresp.isOKhasData()) {
+			Data cdata = cresp.value.get(0);
+			return new X509Principal(cdata.id,cert,certBytes);
+		}
+		return null;
+	}
+
+	public static void set(CachedCertDAO ccd) {
+		certDAO = ccd;
+	}
+
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectLocatorCreator.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectLocatorCreator.java
new file mode 100644
index 00000000..3dceb3bf
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectLocatorCreator.java
@@ -0,0 +1,59 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.direct;
+
+import org.onap.aaf.auth.dao.cass.LocateDAO;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.aaf.v2_0.AbsAAFLocator;
+
+public class DirectLocatorCreator implements AbsAAFLocator.LocatorCreator {
+	private final AuthzEnv env;
+	private final LocateDAO locateDAO;
+	private String myhostname;
+	private int myport;
+	
+	public DirectLocatorCreator(AuthzEnv env, LocateDAO locateDAO) {
+		this.env = env;
+		this.locateDAO = locateDAO;
+	}
+	
+	@Override
+	public AbsAAFLocator<?> create(String key, String version) throws LocatorException {
+		DirectAAFLocator dal = new DirectAAFLocator(env,locateDAO,key,version);
+		if(myhostname!=null) {
+			dal.setSelf(myhostname, myport);
+		}
+		return dal;
+	}
+	
+	/**
+	 * Make sure DirectAAFLocator created does not include self.
+	 * @param hostname
+	 * @param port
+	 */
+	public void setSelf(String hostname, int port) {
+		myhostname = hostname;
+		myport = port;
+	}
+
+}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectRegistrar.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectRegistrar.java
new file mode 100644
index 00000000..1e8faa2b
--- /dev/null
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectRegistrar.java
@@ -0,0 +1,106 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.direct;
+
+import java.net.Inet4Address;
+import java.net.UnknownHostException;
+
+import org.onap.aaf.auth.dao.cass.LocateDAO;
+import org.onap.aaf.auth.dao.cass.LocateDAO.Data;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Result;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.register.Registrant;
+import org.onap.aaf.cadi.util.Split;
+
+public class DirectRegistrar implements Registrant<AuthzEnv> {
+	private Data locate;
+	private LocateDAO ldao;
+	public DirectRegistrar(Access access, LocateDAO ldao, String name, String version, int port) throws CadiException {
+		this.ldao = ldao;
+		locate = new LocateDAO.Data();
+		locate.name = name;
+		locate.port = port;
+		
+		try {
+			String latitude = access.getProperty(Config.CADI_LATITUDE, null);
+			if(latitude==null) {
+				latitude = access.getProperty("AFT_LATITUDE", null);
+			}
+			String longitude = access.getProperty(Config.CADI_LONGITUDE, null);
+			if(longitude==null) {
+				longitude = access.getProperty("AFT_LONGITUDE", null);
+			}
+			if(latitude==null || longitude==null) {
+				throw new CadiException(Config.CADI_LATITUDE + " and " + Config.CADI_LONGITUDE + " is required");
+			} else {
+				locate.latitude = Float.parseFloat(latitude);
+				locate.longitude = Float.parseFloat(longitude);
+			}
+			String split[] = Split.splitTrim('.', version);
+			locate.pkg = split.length>3?Integer.parseInt(split[3]):0;
+			locate.patch = split.length>2?Integer.parseInt(split[2]):0;
+			locate.minor = split.length>1?Integer.parseInt(split[1]):0;
+			locate.major = split.length>0?Integer.parseInt(split[0]):0;
+			
+			locate.hostname = access.getProperty(Config.HOSTNAME, Inet4Address.getLocalHost().getHostName());
+			String subprotocols = access.getProperty(Config.CADI_PROTOCOLS, null);
+			if(subprotocols==null) {
+				locate.protocol="http";
+			} else {
+				locate.protocol="https";
+				for(String s : Split.split(',', subprotocols)) {
+					locate.subprotocol(true).add(s);
+				}
+			}
+		} catch (NumberFormatException | UnknownHostException e) {
+			throw new CadiException("Error extracting Data from Properties for Registrar",e);
+		}
+	}
+	
+	@Override
+	public Result<Void> update(AuthzEnv env) {
+		org.onap.aaf.auth.layer.Result<Void> dr = ldao.update(env.newTransNoAvg(), locate);
+		if(dr.isOK()) {
+			return Result.ok(200, null);
+		} else {
+			return Result.err(503, dr.errorString());
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.server.Registrant#cancel(org.onap.aaf.auth.env.test.AuthzEnv)
+	 */
+	@Override
+	public Result<Void> cancel(AuthzEnv env) {
+		org.onap.aaf.auth.layer.Result<Void> dr = ldao.delete(env.newTransNoAvg(), locate, false);
+		if(dr.isOK()) {
+			return Result.ok(200, null);
+		} else {
+			return Result.err(503, dr.errorString());
+		}
+
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/com/att/dao/aaf/test/.gitignore b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/.gitignore
new file mode 100644
index 00000000..488b914c
--- /dev/null
+++ b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/.gitignore
@@ -0,0 +1 @@
+/JU_OAuthAppDAO.java
diff --git a/auth/auth-cass/src/test/java/com/att/dao/aaf/test/AbsJUCass.java b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/AbsJUCass.java
new file mode 100644
index 00000000..5b6a08c5
--- /dev/null
+++ b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/AbsJUCass.java
@@ -0,0 +1,200 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package com.att.dao.aaf.test;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
+import java.security.NoSuchAlgorithmException;
+import java.util.Properties;
+
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.CassDAOImpl;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.cadi.Hash;
+import org.onap.aaf.cadi.Symm;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Trans.Metric;
+
+import com.datastax.driver.core.Cluster;
+
+import junit.framework.Assert;
+
+/**
+ * Do Setup of Cassandra for Cassandra JUnit Testing
+ * 
+ * @author Jonathan
+ *
+ */
+public class AbsJUCass {
+	protected static final String AUTHZ = "authz";
+	protected static Cluster cluster;
+	protected static AuthzEnv env;
+	protected static int iterations = 0;
+	protected static float totals=0.0f;
+	protected static float remote = 0.0f;
+	protected static float json = 0.0f;
+	protected static AuthzTrans trans;
+	protected static boolean details = true;
+	
+	@BeforeClass 
+	public static void startup() throws APIException, IOException {
+		try {
+			synchronized(AUTHZ) {
+				if(env==null) {
+					final String resource = "cadi.properties";
+		            File f = new File("etc" + resource);
+		            InputStream is=null;
+		            Properties props = new Properties();
+		            try {
+		                if(f.exists()) {
+		                    is = new FileInputStream(f);
+		                } else {
+		                    URL rsrc = ClassLoader.getSystemResource(resource);
+		                    is = rsrc.openStream();
+		                }
+		                props.load(is);
+		            } finally {
+		                if(is==null) {
+		                	env= new AuthzEnv();
+		                    Assert.fail(resource + " must exist in etc dir, or in Classpath");
+		                }
+		                is.close();
+		            }
+					env = new AuthzEnv(props);
+				}
+			}
+			cluster = CassAccess.cluster(env,"LOCAL");
+	
+			env.info().log("Connecting to Cluster");
+			try {
+				cluster.connect(AUTHZ);
+			} catch(Exception e) {
+				cluster=null;
+				env.error().log(e);
+				Assert.fail("Not able to connect to DB: " + e.getLocalizedMessage());
+			}
+			env.info().log("Connected");
+			
+			// Load special data here
+			
+			iterations = 0;
+		} catch (Throwable t) {
+			t.printStackTrace();
+			throw t;
+		}
+	}
+	
+	@AfterClass
+	public static void shutdown() {
+		if(cluster!=null) {
+			cluster.close();
+			cluster = null;
+		}
+	}
+
+	@Before
+	public void newTrans() {
+		trans = env.newTrans();
+		
+		trans.setProperty(CassDAOImpl.USER_NAME, System.getProperty("user.name"));
+	}
+	
+	@After
+	public void auditTrail() {
+		if(totals==0) { // "updateTotals()" was not called... just do one Trans
+			StringBuilder sb = new StringBuilder();
+			Metric metric = trans.auditTrail(4, sb, Env.JSON, Env.REMOTE);
+			if(details) {
+				env.info().log(
+				sb,
+				"Total time:",
+				totals += metric.total,
+				"JSON time: ",
+				metric.buckets[0],
+				"REMOTE time: ",
+				metric.buckets[1]
+				);
+			} else {
+				totals += metric.total;
+			}
+		}
+	}
+	
+	protected void updateTotals() {
+		Metric metric = trans.auditTrail(0, null, Env.JSON, Env.REMOTE);
+		totals+=metric.total;
+		json  +=metric.buckets[0];
+		remote+=metric.buckets[1];
+	}
+
+
+	@AfterClass
+	public static void print() {
+		float transTime;
+		if(iterations==0) {
+			transTime=totals;
+		} else {
+			transTime=totals/iterations;
+		}
+		env.info().log(
+		"Total time:",
+		totals,   
+		"JSON time:",
+		json,
+		"REMOTE time:",
+		remote,
+		"Iterations:",
+		iterations,
+		"Transaction time:",
+		transTime
+		);
+	}
+	
+	/**
+	 * Take a User/Pass and turn into an MD5 Hashed BasicAuth
+	 * 
+	 * @param user
+	 * @param pass
+	 * @return
+	 * @throws IOException
+	 * @throws NoSuchAlgorithmException
+	 */
+	public static byte[] userPassToBytes(String user, String pass)
+			throws IOException, NoSuchAlgorithmException {
+		// Take the form of BasicAuth, so as to allow any character in Password
+		// (this is an issue in 1.0)
+		// Also, it makes it quicker to evaluate Basic Auth direct questions
+		String ba = Symm.base64url.encode(user + ':' + pass);
+		// Take MD5 Hash, so that data in DB can't be reversed out.
+		return Hash.hashMD5(ba.getBytes());
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_ApprovalDAO.java b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_ApprovalDAO.java
new file mode 100644
index 00000000..bc860d0a
--- /dev/null
+++ b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_ApprovalDAO.java
@@ -0,0 +1,153 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package com.att.dao.aaf.test;
+
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Date;
+import java.util.List;
+import java.util.UUID;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.cass.ApprovalDAO;
+import org.onap.aaf.auth.dao.cass.ApprovalDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+
+public class JU_ApprovalDAO  extends AbsJUCass {
+	@Test
+	public void testCRUD() throws Exception {
+		ApprovalDAO rrDAO = new ApprovalDAO(trans, cluster, AUTHZ);
+		ApprovalDAO.Data data = new ApprovalDAO.Data();
+		
+		// Note, Create creates the time id
+		data.ticket = UUID.randomUUID(); // normally, read from Future object
+		data.user = "testid@test.com";
+		data.approver = "mySuper@att.com";
+		data.type = "supervisor";
+		data.status = "pending";
+		data.operation = "C";
+		data.updated = new Date();
+		data.memo = "Sing Hey for the break of day";
+		data.last_notified = null;
+		
+		try {
+			// Test create
+			Result<Data> rc = rrDAO.create(trans, data);
+			if(rc.isOKhasData()) { // Create creates the TIMEID.
+				data = rc.value;
+			}
+			
+			// Test Read by Ticket
+			Result<List<ApprovalDAO.Data>> rlad;
+			rlad = rrDAO.readByTicket(trans, data.ticket);
+			assertTrue(rlad.isOK());
+			assertEquals(1,rlad.value.size());
+			compare(data,rlad.value.get(0));
+			
+			// Hold onto original ID for deletion, and read tests
+			UUID id = rlad.value.get(0).id;
+			
+			try {
+				// Test Read by User
+				rlad = rrDAO.readByUser(trans, data.user);
+				assertTrue(rlad.isOKhasData());
+				boolean ok = false;
+				for(ApprovalDAO.Data a : rlad.value) {
+					if(a.id.equals(id)) {
+						ok = true;
+						compare(data,a);
+					}
+				}
+				assertTrue(ok);
+	
+				// Test Read by Approver
+				rlad = rrDAO.readByApprover(trans, data.approver);
+				assertTrue(rlad.isOKhasData());
+				ok = false;
+				for(ApprovalDAO.Data a : rlad.value) {
+					if(a.id.equals(id)) {
+						ok = true;
+						compare(data,a);
+					}
+				}
+				assertTrue(ok);
+	
+				// Test Read by ID
+				rlad = rrDAO.read(trans, id);
+				assertTrue(rlad.isOKhasData());
+				ok = false;
+				for(ApprovalDAO.Data a : rlad.value) {
+					if(a.id.equals(id)) {
+						ok = true;
+						compare(data,a);
+					}
+				}
+				assertTrue(ok);
+	
+				// Test Update
+				data.status = "approved";
+				data.id = id;
+				assertTrue(rrDAO.update(trans, data).isOK());
+				
+				rlad = rrDAO.read(trans, id);
+				assertTrue(rlad.isOKhasData());
+				ok = false;
+				for(ApprovalDAO.Data a : rlad.value) {
+					if(a.id.equals(id)) {
+						ok = true;
+						compare(data,a);
+					}
+				}
+				assertTrue(ok);
+
+			} finally {
+				// Delete
+				data.id = id;
+				rrDAO.delete(trans, data, true);
+				rlad = rrDAO.read(trans, id);
+				assertTrue(rlad.isOK());
+				assertTrue(rlad.isEmpty());
+			}
+			
+		} finally {
+			rrDAO.close(trans);
+		}
+	}
+
+	private void compare(Data d1, Data d2) {
+		assertEquals(d1.id.toString(),d2.id.toString());
+		assertEquals(d1.ticket.toString(),d2.ticket.toString());
+		assertEquals(d1.user,d2.user);
+		assertEquals(d1.approver,d2.approver);
+		assertEquals(d1.type,d2.type);
+		assertEquals(d1.status,d2.status);
+		assertEquals(d1.operation,d2.operation);
+		//assertEquals(d1.updated,d2.updated);
+		assertEquals(d1.memo,d2.memo);
+		assertEquals(d1.last_notified,d2.last_notified);
+	}
+
+	
+	
+}
diff --git a/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_ArtiDAO.java b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_ArtiDAO.java
new file mode 100644
index 00000000..e104cbe5
--- /dev/null
+++ b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_ArtiDAO.java
@@ -0,0 +1,137 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package com.att.dao.aaf.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.NoSuchAlgorithmException;
+import java.util.Date;
+import java.util.List;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.cass.ArtiDAO;
+import org.onap.aaf.auth.dao.cass.ArtiDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+
+/**
+ * UserDAO unit test.
+ * Date: 7/19/13
+ */
+public class JU_ArtiDAO  extends AbsJUCass {
+	@Test
+	public void test() throws IOException, NoSuchAlgorithmException {
+		ArtiDAO adao = new ArtiDAO(trans,cluster,CassAccess.KEYSPACE);
+		try {
+			// TODO: Clean out AT&T specific data
+			// Create
+	        ArtiDAO.Data data = new ArtiDAO.Data();
+	        data.mechid="m553j5@perturbed.onap.org";
+	        data.machine="perturbed1232.onap.org";
+	        data.type(false).add("file");
+	        data.type(false).add("jks");
+	        data.sponsor="Fred Flintstone";
+	        data.ca="devl";
+	        data.dir="/opt/app/aft/keys";
+	        data.ns="kumquat";
+	        data.os_user="aft";
+	        data.notify="email:fred@bogus.com";
+	        data.expires=new Date();
+	        
+//	        Bytification
+	        ByteBuffer bb = data.bytify();
+	        Data bdata = new ArtiDAO.Data();
+	        bdata.reconstitute(bb);
+	        checkData1(data, bdata);
+	        
+	        
+//	        DB work
+			adao.create(trans,data);
+			try {
+				// Validate Read with key fields in Data
+				Result<List<ArtiDAO.Data>> rlcd = adao.read(trans,data);
+				assertTrue(rlcd.isOKhasData());
+				for(ArtiDAO.Data d : rlcd.value) {
+					checkData1(data,d);
+				}
+	
+				// Validate Read with key fields in Data
+				rlcd = adao.read(trans,data.mechid, data.machine);
+				assertTrue(rlcd.isOKhasData());
+				for(ArtiDAO.Data d : rlcd.value) {
+					checkData1(data,d);
+				}
+	
+				// By Machine
+				rlcd = adao.readByMachine(trans,data.machine);
+				assertTrue(rlcd.isOKhasData());
+				for(ArtiDAO.Data d : rlcd.value) {
+					checkData1(data,d);
+				}
+				
+				// By MechID
+				rlcd = adao.readByMechID(trans,data.mechid);
+				assertTrue(rlcd.isOKhasData());
+				for(ArtiDAO.Data d : rlcd.value) {
+					checkData1(data,d);
+				}
+	
+				// Update
+				data.sponsor = "Wilma Flintstone";
+				adao.update(trans,data);
+				rlcd = adao.read(trans,data);
+				assertTrue(rlcd.isOKhasData());
+				for(ArtiDAO.Data d : rlcd.value) {
+					checkData1(data,d);
+				}			
+
+			} finally {
+				// Always delete data, even if failure.
+				adao.delete(trans,data, true);
+			}
+		} finally {
+			adao.close(trans);
+		}
+
+		
+	}
+
+	private void checkData1(Data data, Data d) {
+		assertEquals(data.mechid,d.mechid);
+		assertEquals(data.machine,d.machine);
+		assertEquals(data.type(false).size(),d.type(false).size());
+		for(String s: data.type(false)) {
+			assertTrue(d.type(false).contains(s));
+		}
+		assertEquals(data.sponsor,d.sponsor);
+		assertEquals(data.ca,d.ca);
+		assertEquals(data.dir,d.dir);
+		assertEquals(data.ns,d.ns);
+		assertEquals(data.os_user,d.os_user);
+		assertEquals(data.notify,d.notify);
+		assertEquals(data.expires,d.expires);
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_Bytification.java b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_Bytification.java
new file mode 100644
index 00000000..206c52a7
--- /dev/null
+++ b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_Bytification.java
@@ -0,0 +1,266 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package com.att.dao.aaf.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.Date;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.cass.CredDAO;
+import org.onap.aaf.auth.dao.cass.NsDAO;
+import org.onap.aaf.auth.dao.cass.NsType;
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.dao.cass.UserRoleDAO;
+
+public class JU_Bytification {
+
+	@Test
+	public void testNS() throws IOException {
+		
+		// Normal
+		NsDAO.Data ns = new NsDAO.Data();
+		ns.name = "org.osaaf.whatever";
+		ns.type = NsType.APP.type;
+
+		ByteBuffer bb = ns.bytify();
+		
+		NsDAO.Data nsr = new NsDAO.Data();
+		nsr.reconstitute(bb);
+		check(ns,nsr);
+		
+		// Empty admin
+//		ns.admin(true).clear();
+		bb = ns.bytify();
+		nsr = new NsDAO.Data();
+		nsr.reconstitute(bb);
+		check(ns,nsr);
+		
+		// Empty responsible
+//		ns.responsible(true).clear();
+		bb = ns.bytify();
+		nsr = new NsDAO.Data();
+		nsr.reconstitute(bb);
+		check(ns,nsr);
+
+		bb = ns.bytify();
+		nsr = new NsDAO.Data();
+		nsr.reconstitute(bb);
+		check(ns,nsr);
+	}
+	
+	private void check(NsDAO.Data a, NsDAO.Data b) {
+		assertEquals(a.name,b.name);
+		assertEquals(a.type,b.type);
+//		assertEquals(a.admin.size(),b.admin.size());
+		
+//		for(String s: a.admin) {
+//			assertTrue(b.admin.contains(s));
+//		}
+//		
+//		assertEquals(a.responsible.size(),b.responsible.size());
+//		for(String s: a.responsible) {
+//			assertTrue(b.responsible.contains(s));
+//		}
+	}
+
+	@Test
+	public void testRole() throws IOException {
+		RoleDAO.Data rd1 = new RoleDAO.Data();
+		rd1.ns = "org.osaaf.whatever";
+		rd1.name = "my.role";
+		rd1.perms(true).add("org.osaaf.whatever.my.Perm|myInstance|myAction");
+		rd1.perms(true).add("org.osaaf.whatever.my.Perm|myInstance|myAction2");
+
+		// Normal
+		ByteBuffer bb = rd1.bytify();
+		RoleDAO.Data rd2 = new RoleDAO.Data();
+		rd2.reconstitute(bb);
+		check(rd1,rd2);
+		
+		// Overshoot Buffer
+		StringBuilder sb = new StringBuilder(300);
+		sb.append("role|instance|veryLongAction...");
+		for(int i=0;i<280;++i) {
+			sb.append('a');
+		}
+		rd1.perms(true).add(sb.toString());
+		bb = rd1.bytify();
+		rd2 = new RoleDAO.Data();
+		rd2.reconstitute(bb);
+		check(rd1,rd2);
+		
+		// No Perms
+		rd1.perms.clear();
+		
+		bb = rd1.bytify();
+		rd2 = new RoleDAO.Data();
+		rd2.reconstitute(bb);
+		check(rd1,rd2);
+		
+		// 1000 Perms
+		for(int i=0;i<1000;++i) {
+			rd1.perms(true).add("com|inst|action"+ i);
+		}
+
+		bb = rd1.bytify();
+		rd2 = new RoleDAO.Data();
+		rd2.reconstitute(bb);
+		check(rd1,rd2);
+
+	}
+	
+	private void check(RoleDAO.Data a, RoleDAO.Data b) {
+		assertEquals(a.ns,b.ns);
+		assertEquals(a.name,b.name);
+		
+		assertEquals(a.perms.size(),b.perms.size());
+		for(String s: a.perms) {
+			assertTrue(b.perms.contains(s));
+		}
+	}
+
+	@Test
+	public void testPerm() throws IOException {
+		PermDAO.Data pd1 = new PermDAO.Data();
+		pd1.ns = "org.osaaf.whatever";
+		pd1.type = "my.perm";
+		pd1.instance = "instance";
+		pd1.action = "read";
+		pd1.roles(true).add("org.osaaf.whatever.my.Role");
+		pd1.roles(true).add("org.osaaf.whatever.my.Role2");
+
+		// Normal
+		ByteBuffer bb = pd1.bytify();
+		PermDAO.Data rd2 = new PermDAO.Data();
+		rd2.reconstitute(bb);
+		check(pd1,rd2);
+		
+		// No Perms
+		pd1.roles.clear();
+		
+		bb = pd1.bytify();
+		rd2 = new PermDAO.Data();
+		rd2.reconstitute(bb);
+		check(pd1,rd2);
+		
+		// 1000 Perms
+		for(int i=0;i<1000;++i) {
+			pd1.roles(true).add("org.osaaf.whatever.my.Role"+ i);
+		}
+
+		bb = pd1.bytify();
+		rd2 = new PermDAO.Data();
+		rd2.reconstitute(bb);
+		check(pd1,rd2);
+
+	}
+	
+	private void check(PermDAO.Data a, PermDAO.Data b) {
+		assertEquals(a.ns,b.ns);
+		assertEquals(a.type,b.type);
+		assertEquals(a.instance,b.instance);
+		assertEquals(a.action,b.action);
+		
+		assertEquals(a.roles.size(),b.roles.size());
+		for(String s: a.roles) {
+			assertTrue(b.roles.contains(s));
+		}
+	}
+
+	@Test
+	public void testUserRole() throws IOException {
+		UserRoleDAO.Data urd1 = new UserRoleDAO.Data();
+//		TODO: Clean out AT&T specific data
+		urd1.user = "jg1555@abc.att.com";
+		urd1.role("org.osaaf.whatever","my.role");
+		urd1.expires = new Date();
+
+		// Normal
+		ByteBuffer bb = urd1.bytify();
+		UserRoleDAO.Data urd2 = new UserRoleDAO.Data();
+		urd2.reconstitute(bb);
+		check(urd1,urd2);
+		
+		// A null
+		urd1.expires = null; 
+		urd1.role = null;
+		
+		bb = urd1.bytify();
+		urd2 = new UserRoleDAO.Data();
+		urd2.reconstitute(bb);
+		check(urd1,urd2);
+	}
+
+	private void check(UserRoleDAO.Data a, UserRoleDAO.Data b) {
+		assertEquals(a.user,b.user);
+		assertEquals(a.role,b.role);
+		assertEquals(a.expires,b.expires);
+	}
+
+	
+	@Test
+	public void testCred() throws IOException {
+		CredDAO.Data cd = new CredDAO.Data();
+		cd.id = "m55555@abc.att.com";
+		cd.ns = "org.osaaf.abc";
+		cd.type = 2;
+		cd.cred = ByteBuffer.wrap(new byte[]{1,34,5,3,25,0,2,5,3,4});
+		cd.expires = new Date();
+
+		// Normal
+		ByteBuffer bb = cd.bytify();
+		CredDAO.Data cd2 = new CredDAO.Data();
+		cd2.reconstitute(bb);
+		check(cd,cd2);
+		
+		// nulls
+		cd.expires = null;
+		cd.cred = null;
+		
+		bb = cd.bytify();
+		cd2 = new CredDAO.Data();
+		cd2.reconstitute(bb);
+		check(cd,cd2);
+
+	}
+
+	private void check(CredDAO.Data a, CredDAO.Data b) {
+		assertEquals(a.id,b.id);
+		assertEquals(a.ns,b.ns);
+		assertEquals(a.type,b.type);
+		if(a.cred==null) {
+			assertEquals(a.cred,b.cred); 
+		} else {
+			int l = a.cred.limit();
+			assertEquals(l,b.cred.limit());
+			for (int i=0;i<l;++i) {
+				assertEquals(a.cred.get(),b.cred.get());
+			}
+		}
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_CacheInfoDAO.java b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_CacheInfoDAO.java
new file mode 100644
index 00000000..87b88482
--- /dev/null
+++ b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_CacheInfoDAO.java
@@ -0,0 +1,64 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+
+package com.att.dao.aaf.test;
+
+import java.io.IOException;
+import java.util.Date;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.CIDAO;
+import org.onap.aaf.auth.dao.DAOException;
+import org.onap.aaf.auth.dao.cass.CacheInfoDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import junit.framework.Assert;
+
+
+public class JU_CacheInfoDAO extends AbsJUCass {
+
+	@Test
+	public void test() throws DAOException, APIException, IOException {
+		CIDAO<AuthzTrans> id = new CacheInfoDAO(trans, cluster, AUTHZ);
+		Date date  = new Date();
+		
+		id.touch(trans, RoleDAO.TABLE,1);
+		try {
+			Thread.sleep(3000);
+		} catch (InterruptedException e) {
+		}
+		Result<Void> rid = id.check(trans);
+		Assert.assertEquals(rid.status,Status.OK);
+		Date[] dates = CacheInfoDAO.info.get(RoleDAO.TABLE);
+		if(dates.length>0 && dates[1]!=null) {
+			System.out.println(Chrono.dateStamp(dates[1]));
+			System.out.println(Chrono.dateStamp(date));
+			Assert.assertTrue(Math.abs(dates[1].getTime() - date.getTime())<20000); // allow for 4 seconds, given Remote DB
+		}
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_CertDAO.java b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_CertDAO.java
new file mode 100644
index 00000000..cd3fb8d0
--- /dev/null
+++ b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_CertDAO.java
@@ -0,0 +1,103 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package com.att.dao.aaf.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.nio.ByteBuffer;
+import java.security.NoSuchAlgorithmException;
+import java.util.List;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.cass.CertDAO;
+import org.onap.aaf.auth.dao.cass.CertDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+/**
+ * UserDAO unit test.
+ * Date: 7/19/13
+ */
+public class JU_CertDAO  extends AbsJUCass {
+	@Test
+	public void test() throws IOException, NoSuchAlgorithmException, APIException {
+		CertDAO cdao = new CertDAO(trans,cluster,CassAccess.KEYSPACE);
+		try {
+			// Create
+	        CertDAO.Data data = new CertDAO.Data();
+	        data.serial=new BigInteger("11839383");
+	        data.id = "m55555@tguard.att.com";
+	        data.x500="CN=ju_cert.dao.att.com, OU=AAF, O=\"ATT Services, Inc.\", L=Southfield, ST=Michigan, C=US";
+	        data.x509="I'm a cert";
+	        data.ca = "aaf";
+			cdao.create(trans,data);
+
+//	        Bytification
+	        ByteBuffer bb = data.bytify();
+	        Data bdata = new CertDAO.Data();
+	        bdata.reconstitute(bb);
+	        checkData1(data, bdata);
+
+			// Validate Read with key fields in Data
+			Result<List<CertDAO.Data>> rlcd = cdao.read(trans,data);
+			assertTrue(rlcd.isOKhasData());
+			for(CertDAO.Data d : rlcd.value) {
+				checkData1(data,d);
+			}
+
+			// Validate Read with key fields in Data
+			rlcd = cdao.read(trans,data.ca,data.serial);
+			assertTrue(rlcd.isOKhasData());
+			for(CertDAO.Data d : rlcd.value) {
+				checkData1(data,d);
+			}
+
+			// Update
+			data.id = "m66666.tguard.att.com";
+			cdao.update(trans,data);
+			rlcd = cdao.read(trans,data);
+			assertTrue(rlcd.isOKhasData());
+			for(CertDAO.Data d : rlcd.value) {
+				checkData1(data,d);
+			}			
+			
+			cdao.delete(trans,data, true);
+		} finally {
+			cdao.close(trans);
+		}
+
+		
+	}
+
+	private void checkData1(Data data, Data d) {
+		assertEquals(data.ca,d.ca);
+		assertEquals(data.serial,d.serial);
+		assertEquals(data.id,d.id);
+		assertEquals(data.x500,d.x500);
+		assertEquals(data.x509,d.x509);
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_CredDAO.java b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_CredDAO.java
new file mode 100644
index 00000000..3ccc4320
--- /dev/null
+++ b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_CredDAO.java
@@ -0,0 +1,250 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package com.att.dao.aaf.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.NoSuchAlgorithmException;
+import java.util.Date;
+import java.util.List;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.cass.CredDAO;
+import org.onap.aaf.auth.dao.cass.CredDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+/**
+ * UserDAO unit test.
+ * Date: 7/19/13
+ */
+public class JU_CredDAO  extends AbsJUCass {
+	@Test
+	public void test() throws IOException, NoSuchAlgorithmException, APIException {
+		CredDAO udao = new CredDAO(trans,cluster,CassAccess.KEYSPACE);
+		try {
+			// Create
+	        CredDAO.Data data = new CredDAO.Data();
+	        data.id = "m55555@aaf.att.com";
+	        data.type = CredDAO.BASIC_AUTH;
+	        data.notes = "temp pass";
+	        data.cred      = ByteBuffer.wrap(userPassToBytes("m55555","mypass"));
+	        data.other = 12;
+	        data.expires = new Date(System.currentTimeMillis() + 60000*60*24*90);
+			udao.create(trans,data);
+			
+//	        Bytification
+	        ByteBuffer bb = data.bytify();
+	        Data bdata = new CredDAO.Data();
+	        bdata.reconstitute(bb);
+	        checkData1(data, bdata);
+
+			// Validate Read with key fields in Data
+			Result<List<CredDAO.Data>> rlcd = udao.read(trans,data);
+			assertTrue(rlcd.isOKhasData());
+			for(CredDAO.Data d : rlcd.value) {
+				checkData1(data,d);
+			}
+			
+			// Update
+			data.cred = ByteBuffer.wrap(userPassToBytes("m55555","mynewpass"));
+			udao.update(trans,data);
+			rlcd = udao.read(trans,data);
+			assertTrue(rlcd.isOKhasData());
+			for(CredDAO.Data d : rlcd.value) {
+				checkData1(data,d);
+			}			
+			
+			udao.delete(trans,data, true);
+		} finally {
+			udao.close(trans);
+		}
+
+		
+	}
+
+	private void checkData1(Data data, Data d) {
+		assertEquals(data.id,d.id);
+		assertEquals(data.type,d.type);
+		assertEquals(data.ns,d.ns);
+		assertEquals(data.notes,d.notes);
+		assertEquals(data.cred,d.cred);
+		assertEquals(data.other,d.other);
+		assertEquals(data.expires,d.expires);
+	}
+
+//    private String                          CONST_myName = "MyName";
+//    public static final java.nio.ByteBuffer CONST_MY_CRED = get_CONST_MY_CRED();
+//    public static final int                 CONST_CRED_TYPE = 11;
+//
+//    public static final Date                CONST_UPDATE_DATE = new Date(System.currentTimeMillis()+60000*24);
+//    @Test
+//    public void test() {
+//        UserDAO ud = new UserDAO(trans, cluster,CassAccess.KEYSPACE);
+//        try {
+//            UserDAO.Data data = createPrototypeUserData();
+//            ud.create(trans, data);
+//
+//            // Validate Read with key fields in Data
+//            for(UserDAO.Data d : ud.read(trans, data)) {
+//                checkData1(data,d);
+//            }
+//
+//            // Validate readByName
+//            for(UserDAO.Data d : ud.read(trans, CONST_myName)) {
+//                checkData1(data,d);
+//            }
+//
+//            ud.delete(trans, data);
+//            List<UserDAO.Data> d_2 = ud.read(trans, CONST_myName);
+//
+//            // Validate that data was deleted
+//            assertEquals("User should not be found after deleted", 0, d_2.size() );
+//
+//            data = new UserDAO.Data();
+//            data.name = CONST_myName;
+//            data.cred = CONST_MY_CRED;
+//            data.cred_type= CONST_CRED_TYPE;
+//            data.expires = new Date(System.currentTimeMillis()+60000*24);
+//            final Result<UserDAO.Data> user = ud.r_create(trans, data);
+//            assertEquals("ud.createUser should work", Result.Status.OK, user.status);
+//
+//            checkDataIgnoreDateDiff(data, user.value);
+//
+//            // finally leave system in consistent state by deleting user again
+//            ud.delete(trans,data);
+//
+//        } catch (DAOException e) {
+//            e.printStackTrace();
+//            fail("Fail due to Exception");
+//        } finally {
+//            ud.close(trans);
+//        }
+//    }
+//
+//    private UserDAO.Data createPrototypeUserData() {
+//        UserDAO.Data data = new UserDAO.Data();
+//        data.name = CONST_myName;
+//
+//        data.cred_type = CONST_CRED_TYPE;
+//        data.cred      = CONST_MY_CRED;
+//        data.expires = CONST_UPDATE_DATE;
+//        return data;
+//    }
+//
+//    //    @Test
+//    //    public void testReadByUser() throws Exception {
+//    //           // this test was done above in our super test, since it uses the same setup
+//    //    }
+//
+//    @Test
+//    public void testFunctionCreateUser() throws Exception {
+//        String name = "roger_rabbit";
+//        Integer credType = CONST_CRED_TYPE;
+//        java.nio.ByteBuffer cred = CONST_MY_CRED;
+//        final UserDAO ud = new UserDAO(trans, cluster,CassAccess.KEYSPACE);
+//        final UserDAO.Data data = createPrototypeUserData();
+//        Result<UserDAO.Data> ret = ud.r_create(trans, data);
+//        Result<List<Data>> byUserNameLookup = ud.r_read(trans, name);
+//        
+//        assertEquals("sanity test w/ different username (different than other test cases) failed", name, byUserNameLookup.value.get(0).name);
+//        assertEquals("delete roger_rabbit failed", true, ud.delete(trans, byUserNameLookup.value.get(0)));
+//    }
+//
+//    @Test
+//    public void testLowLevelCassandraCreateData_Given_UserAlreadyPresent_ShouldPass() throws Exception {
+//        UserDAO ud = new UserDAO(trans, cluster,CassAccess.KEYSPACE);
+//
+//        final UserDAO.Data data = createPrototypeUserData();
+//        final UserDAO.Data data1 = ud.create(trans, data);
+//        final UserDAO.Data data2 = ud.create(trans, data);
+//
+//        assertNotNull(data1);
+//        assertNotNull(data2);
+//
+//        assertEquals(CONST_myName, data1.name);
+//        assertEquals(CONST_myName, data2.name);
+//    }
+//
+//    @Test
+//    public void testCreateUser_Given_UserAlreadyPresent_ShouldFail() throws Exception {
+//        UserDAO ud = new UserDAO(trans, cluster,CassAccess.KEYSPACE);
+//
+//        final UserDAO.Data data = createPrototypeUserData();
+//
+//        // make sure that some prev test did not leave the user in the DB
+//        ud.delete(trans, data);
+//
+//        // attempt to create same user twice !!!
+//        
+//        final Result<UserDAO.Data> data1 = ud.r_create(trans, data);
+//        final Result<UserDAO.Data> data2 = ud.r_create(trans, data);
+//
+//        assertNotNull(data1);
+//        assertNotNull(data2);
+//
+//        assertEquals(true,   Result.Status.OK == data1.status);
+//        assertEquals(false,  Result.Status.OK == data2.status);
+//    }
+//
+//    private void checkData1(UserDAO.Data data, UserDAO.Data d) {
+//        data.name = CONST_myName;
+//
+//        data.cred_type = CONST_CRED_TYPE;
+//        data.cred      = CONST_MY_CRED;
+//        data.expires   = CONST_UPDATE_DATE;
+//
+//        assertEquals(data.name, d.name);
+//        assertEquals(data.cred_type, d.cred_type);
+//        assertEquals(data.cred, d.cred);
+//        assertEquals(data.expires, d.expires);
+//
+//    }
+//
+//    private void checkDataIgnoreDateDiff(UserDAO.Data data, UserDAO.Data d) {
+//        data.name = CONST_myName;
+//
+//        data.cred_type = CONST_CRED_TYPE;
+//        data.cred      = CONST_MY_CRED;
+//        data.expires   = CONST_UPDATE_DATE;
+//
+//        assertEquals(data.name, d.name);
+//        assertEquals(data.cred_type, d.cred_type);
+//        assertEquals(data.cred, d.cred);
+//         // we allow dates to be different, e.g. high level calls e.g. createUser sets the date itself.
+//        //assertEquals(data.updated, d.updated);
+//
+//    }
+//
+//    /**
+//     * Get a CONST_MY_CRED ByteBuffer, which is the java type for a cass blob.
+//     * @return
+//     */
+//    private static java.nio.ByteBuffer get_CONST_MY_CRED() {
+//     return ByteBuffer.wrap("Hello".getBytes());
+//    }
+//
+}
diff --git a/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_DelegateDAO.java b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_DelegateDAO.java
new file mode 100644
index 00000000..1a4d21c4
--- /dev/null
+++ b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_DelegateDAO.java
@@ -0,0 +1,108 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package com.att.dao.aaf.test;
+
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.nio.ByteBuffer;
+import java.util.Date;
+import java.util.List;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.cass.DelegateDAO;
+import org.onap.aaf.auth.dao.cass.DelegateDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+
+
+public class JU_DelegateDAO  extends AbsJUCass {
+	@Test
+	public void testCRUD() throws Exception {
+		DelegateDAO dao = new DelegateDAO(trans, cluster, AUTHZ);
+		DelegateDAO.Data data = new DelegateDAO.Data();
+//		TODO: Clean out AT&T specific data
+		data.user = "jg1555";
+		data.delegate = "rd8227";
+		data.expires = new Date();
+		
+//        Bytification
+        ByteBuffer bb = data.bytify();
+        Data bdata = new DelegateDAO.Data();
+        bdata.reconstitute(bb);
+        compare(data, bdata);
+
+		try {
+			// Test create
+			Result<Data> ddcr = dao.create(trans,data);
+			assertTrue(ddcr.isOK());
+			
+			
+			// Read by User
+			Result<List<DelegateDAO.Data>> records = dao.read(trans,data.user);
+			assertTrue(records.isOKhasData());
+			for(DelegateDAO.Data rdata : records.value) 
+				compare(data,rdata);
+
+			// Read by Delegate
+			records = dao.readByDelegate(trans,data.delegate);
+			assertTrue(records.isOKhasData());
+			for(DelegateDAO.Data rdata : records.value) 
+				compare(data,rdata);
+			
+			// Update
+			// TODO: Clean out AT&T specific data
+			data.delegate = "pf2819";
+			data.expires = new Date();
+			assertTrue(dao.update(trans, data).isOK());
+
+			// Read by User
+			records = dao.read(trans,data.user);
+			assertTrue(records.isOKhasData());
+			for(DelegateDAO.Data rdata : records.value) 
+				compare(data,rdata);
+
+			// Read by Delegate
+			records = dao.readByDelegate(trans,data.delegate);
+			assertTrue(records.isOKhasData());
+			for(DelegateDAO.Data rdata : records.value) 
+				compare(data,rdata);
+
+			// Test delete
+			dao.delete(trans,data, true);
+			records = dao.read(trans,data.user);
+			assertTrue(records.isEmpty());
+			
+			
+		} finally {
+			dao.close(trans);
+		}
+	}
+	
+	private void compare(Data d1, Data d2) {
+		assertEquals(d1.user, d2.user);
+		assertEquals(d1.delegate, d2.delegate);
+		assertEquals(d1.expires,d2.expires);
+	}
+
+
+}
diff --git a/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_FastCalling.java b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_FastCalling.java
new file mode 100644
index 00000000..9d3ff5db
--- /dev/null
+++ b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_FastCalling.java
@@ -0,0 +1,90 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package com.att.dao.aaf.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.NoSuchAlgorithmException;
+import java.util.Date;
+import java.util.List;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.cass.CredDAO;
+import org.onap.aaf.auth.dao.cass.CredDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+public class JU_FastCalling extends AbsJUCass {
+
+	@Test
+	public void test() throws IOException, NoSuchAlgorithmException, APIException {
+		trans.setProperty("cassandra.writeConsistency.cred","ONE");
+		
+		CredDAO udao = new CredDAO(env.newTransNoAvg(),cluster,CassAccess.KEYSPACE);
+		System.out.println("Starting calls");
+		for(iterations=0;iterations<8;++iterations) {
+			try {
+				// Create
+		        CredDAO.Data data = new CredDAO.Data();
+		        data.id = "m55555@aaf.att.com";
+		        data.type = CredDAO.BASIC_AUTH;
+		        data.cred      = ByteBuffer.wrap(userPassToBytes("m55555","mypass"));
+		        data.expires = new Date(System.currentTimeMillis() + 60000*60*24*90);
+				udao.create(trans,data);
+				
+				// Validate Read with key fields in Data
+				Result<List<CredDAO.Data>> rlcd = udao.read(trans,data);
+				assertTrue(rlcd.isOKhasData());
+				for(CredDAO.Data d : rlcd.value) {
+					checkData1(data,d);
+				}
+				
+				// Update
+				data.cred = ByteBuffer.wrap(userPassToBytes("m55555","mynewpass"));
+				udao.update(trans,data);
+				rlcd = udao.read(trans,data);
+				assertTrue(rlcd.isOKhasData());
+				for(CredDAO.Data d : rlcd.value) {
+					checkData1(data,d);
+				}			
+				
+				udao.delete(trans,data, true);
+			} finally {
+				updateTotals();
+				newTrans();
+			}
+		}
+
+	}
+
+	private void checkData1(Data data, Data d) {
+		assertEquals(data.id,d.id);
+		assertEquals(data.type,d.type);
+		assertEquals(data.cred,d.cred);
+		assertEquals(data.expires,d.expires);
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_HistoryDAO.java b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_HistoryDAO.java
new file mode 100644
index 00000000..11d88358
--- /dev/null
+++ b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_HistoryDAO.java
@@ -0,0 +1,153 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package com.att.dao.aaf.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
+import java.nio.ByteBuffer;
+import java.security.SecureRandom;
+import java.util.List;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.cass.HistoryDAO;
+import org.onap.aaf.auth.layer.Result;
+
+public class JU_HistoryDAO  extends AbsJUCass {
+	
+	@Test
+	public void testCreate() throws Exception {
+		HistoryDAO historyDAO = new HistoryDAO(trans, cluster, AUTHZ);
+		HistoryDAO.Data data = createHistoryData();
+		
+		try {
+			historyDAO.create(trans,data);			
+			Thread.sleep(200);// History Create is Async
+			Result<List<HistoryDAO.Data>> records = historyDAO.readByUser(trans,data.user,data.yr_mon);
+			assertTrue(records.isOKhasData());
+			for(HistoryDAO.Data d : records.value) {
+				assertHistory(data, d);
+			}
+		} finally {
+			historyDAO.close(trans);
+		}
+	}
+	
+	@Test
+	public void tesReadByUser() throws Exception {
+		HistoryDAO historyDAO = new HistoryDAO(trans,cluster, AUTHZ);
+		HistoryDAO.Data data = createHistoryData();
+		
+		try {
+			historyDAO.create(trans,data);
+			Thread.sleep(200);// History Create is Async
+			Result<List<HistoryDAO.Data>> records = historyDAO.readByUser(trans, data.user,data.yr_mon);
+			assertTrue(records.isOKhasData());
+			for(HistoryDAO.Data d : records.value) {
+				assertHistory(data, d);
+			}
+		} finally {
+			historyDAO.close(trans);
+		}
+	}
+	
+/*
+	@Test
+	public void readByUserAndMonth() throws Exception {
+		HistoryDAO historyDAO = new HistoryDAO(trans,cluster, AUTHZ);
+		HistoryDAO.Data data = createHistoryData();
+		
+		try {
+			historyDAO.create(trans,data);			
+			Thread.sleep(200);// History Create is Async
+			Result<List<HistoryDAO.Data>> records = historyDAO.readByUserAndMonth(trans,
+					data.user, Integer.valueOf(String.valueOf(data.yr_mon).substring(0, 4)),
+					Integer.valueOf(String.valueOf(data.yr_mon).substring(4, 6)));
+			assertTrue(records.isOKhasData());
+			for(HistoryDAO.Data d : records.value) {
+				assertHistory(data, d);
+			}
+		} finally {
+			historyDAO.close(trans);
+		}
+	}
+*/	
+	//TODO readadd this
+//	@Test
+//	public void readByUserAndDay() throws Exception {
+//		HistoryDAO historyDAO = new HistoryDAO(trans, cluster, AUTHZ);
+//		HistoryDAO.Data data = createHistoryData();
+//		
+//		try {
+//			historyDAO.create(trans, data);		
+//			Thread.sleep(200);// History Create is Async
+//			
+//			String dayTime = String.valueOf(data.day_time);
+//			String day = null;
+//			if (dayTime.length() < 8)
+//				day = dayTime.substring(0, 1);
+//			else 
+//				day = dayTime.substring(0, 2);
+//			
+//			List<HistoryDAO.Data> records = historyDAO.readByUserBetweenDates(trans,
+//							data.user, Integer.valueOf(String.valueOf(data.yr_mon).substring(0, 4)),
+//							Integer.valueOf(String.valueOf(data.yr_mon).substring(4, 6)),
+//							Integer.valueOf(day), 0);
+//			assertEquals(1,records.size());
+//			for(HistoryDAO.Data d : records) {
+//				assertHistory(data, d);
+//			}
+//		} finally {
+//			historyDAO.close(trans);
+//		}
+//	}
+	private HistoryDAO.Data createHistoryData() {
+		HistoryDAO.Data data = HistoryDAO.newInitedData();
+		SecureRandom random = new SecureRandom();
+		data.user = "test" + random.nextInt();
+		data.action = "add";
+		data.target = "history";
+		data.memo = "adding a row into history table";
+//		data.detail().put("id", "test");
+//		data.detail().put("name", "test");
+		//String temp = "Test Blob Message";
+		data.reconstruct = ByteBuffer.wrap("Temp Blob Message".getBytes());		
+		return data;
+	}
+	
+	private void assertHistory(HistoryDAO.Data ip, HistoryDAO.Data op) {
+		assertEquals(ip.yr_mon, op.yr_mon);		
+//		assertEquals(ip.day_time, op.day_time);		
+		assertEquals(ip.user, op.user);		
+		assertEquals(ip.action, op.action);
+		assertEquals(ip.target, op.target);
+		assertEquals(ip.memo, op.memo);
+		//TODO : have to see if third party assert utility can be used
+//		assertTrue(CollectionUtils.isEqualCollection(ip.detail, op.detail));
+//		for (String key : ip.detail().keySet()) {
+//			assertNotNull(op.detail().get(key));
+//		}
+		assertNotNull(op.reconstruct);
+	}
+	
+}
diff --git a/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_LocateDAO.java b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_LocateDAO.java
new file mode 100644
index 00000000..283a3563
--- /dev/null
+++ b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_LocateDAO.java
@@ -0,0 +1,146 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package com.att.dao.aaf.test;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertTrue;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.List;
+import java.util.Set;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.cass.LocateDAO;
+import org.onap.aaf.auth.dao.cass.LocateDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+/**
+ * Test the LocateDAO
+ * 
+ * Utilize AbsJUCass to initialize and pre-load Cass
+ * 
+ * @author Jonathan
+ *
+ */
+public class JU_LocateDAO extends AbsJUCass{
+
+	@Test
+	public void test() throws APIException, IOException {
+		LocateDAO pd = new LocateDAO(trans,cluster,CassAccess.KEYSPACE);
+		try {
+			LocateDAO.Data data = new LocateDAO.Data();
+			data.name="org.osaaf.aaf.locateTester";
+			data.hostname="mithrilcsp.sbc.com";
+			data.port=19999;
+			data.latitude=32.780140f;
+			data.longitude=-96.800451f;
+			data.major=2;
+			data.minor=0;
+			data.patch=19;
+			data.pkg=23;
+			data.protocol="https";
+			Set<String> sp = data.subprotocol(true);
+			sp.add("TLS1.1");
+			sp.add("TLS1.2");
+			
+
+
+			// CREATE
+			Result<Data> rpdc = pd.create(trans,data);
+			assertTrue(rpdc.isOK());
+
+			Result<List<LocateDAO.Data>> rlpd;
+			try {
+//		        Bytification
+		        ByteBuffer bb = data.bytify();
+		        Data bdata = new LocateDAO.Data();
+		        bdata.reconstitute(bb);
+		        compare(data, bdata);
+
+				// Validate Read with key fields in Data
+		        rlpd = pd.read(trans,data);
+		        assertTrue(rlpd.isOK());
+		        if(rlpd.isOK()) {
+					for(LocateDAO.Data d : rlpd.value) {
+						compare(data,d);
+					}
+		        }
+
+		        // Validate Read by Name
+		        rlpd = pd.readByName(trans,data.name);
+		        assertTrue(rlpd.isOK());
+		        if(rlpd.isOK()) {
+					for(LocateDAO.Data d : rlpd.value) {
+						compare(data,d);
+					}
+		        }
+
+				// Modify
+				data.latitude = -31.0000f;
+				
+				Result<Void> rupd = pd.update(trans, data);
+				assertTrue(rupd.isOK());
+		        rlpd = pd.read(trans,data);
+		        assertTrue(rlpd.isOK());
+		        if(rlpd.isOK()) {
+					for(LocateDAO.Data d : rlpd.value) {
+						compare(data,d);
+					}
+		        }
+
+			} catch (IOException e) {
+				e.printStackTrace();
+			} finally {
+				// DELETE
+				Result<Void> rpdd = pd.delete(trans,data,true);
+				assertTrue(rpdd.isOK());
+				rlpd = pd.read(trans, data);
+				assertTrue(rlpd.isOK() && rlpd.isEmpty());
+				assertEquals(rlpd.value.size(),0);
+			}
+		} finally {
+			pd.close(trans);
+		}
+	}
+
+	private void compare(Data a, Data b) {
+		assertEquals(a.name,b.name);
+		assertEquals(a.hostname,b.hostname);
+		assertEquals(a.port,b.port);
+		assertEquals(a.major,b.major);
+		assertEquals(a.minor,b.minor);
+		assertEquals(a.patch,b.patch);
+		assertEquals(a.pkg,b.pkg);
+		assertEquals(a.latitude,b.latitude);
+		assertEquals(a.longitude,b.longitude);
+		assertEquals(a.protocol,b.protocol);
+		Set<String> spa = a.subprotocol(false);
+		Set<String> spb = b.subprotocol(false);
+		assertEquals(spa.size(),spb.size());
+		for(String s : spa) {
+			assertTrue(spb.contains(s));
+		}
+	}
+}
diff --git a/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_LocationContent.java b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_LocationContent.java
new file mode 100644
index 00000000..39f096c1
--- /dev/null
+++ b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_LocationContent.java
@@ -0,0 +1,93 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package com.att.dao.aaf.test;
+
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Data;
+import org.onap.aaf.misc.env.Data.TYPE;
+import org.onap.aaf.misc.rosetta.env.RosettaDF;
+import org.onap.aaf.misc.rosetta.env.RosettaEnv;
+
+import locate.v1_0.MgmtEndpoint;
+import locate.v1_0.MgmtEndpoint.SpecialPorts;
+import locate.v1_0.MgmtEndpoints;
+
+public class JU_LocationContent {
+
+	@BeforeClass
+	public static void setUpBeforeClass() throws Exception {
+	}
+
+	@AfterClass
+	public static void tearDownAfterClass() throws Exception {
+	}
+
+	@Before
+	public void setUp() throws Exception {
+	}
+
+	@After
+	public void tearDown() throws Exception {
+	}
+
+	@Test
+	public void test() {
+		PropAccess access = new PropAccess();
+		RosettaEnv env = new RosettaEnv(access.getProperties());
+		try {
+			RosettaDF<MgmtEndpoints> medf = env.newDataFactory(MgmtEndpoints.class);
+			medf.out(TYPE.JSON);
+			medf.option(Data.PRETTY);
+			MgmtEndpoint me = new MgmtEndpoint();
+			me.setHostname("mithrilcsp.sbc.com");
+			me.setLatitude(32);
+			me.setLongitude(-90);
+			me.setMajor(2);
+			me.setMinor(0);
+			me.setPatch(19);
+			me.setPort(3312);
+			me.setProtocol("http");
+			me.getSubprotocol().add("TLS1.1");
+
+			SpecialPorts sp = new SpecialPorts();
+			sp.setName("debug");
+			sp.setPort(9000);
+			sp.setProtocol("java");
+			me.getSpecialPorts().add(sp);
+			
+			MgmtEndpoints mes = new MgmtEndpoints();
+			mes.getMgmtEndpoint().add(me);
+			System.out.println(medf.newData().load(mes).asString());
+			
+		} catch (APIException e) {
+			e.printStackTrace();
+		}
+		
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_NsDAO.java b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_NsDAO.java
new file mode 100644
index 00000000..5b313419
--- /dev/null
+++ b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_NsDAO.java
@@ -0,0 +1,187 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package com.att.dao.aaf.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.Set;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.cass.NsDAO;
+import org.onap.aaf.auth.dao.cass.NsType;
+import org.onap.aaf.auth.dao.cass.NsDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+
+public class JU_NsDAO extends AbsJUCass {
+	private static final String CRM = "ju_crm";
+	private static final String SWM = "ju_swm";
+
+	@Test
+	public void test() throws APIException, IOException  {
+		NsDAO nsd = new NsDAO(trans, cluster, AUTHZ);
+		try {
+			final String nsparent = "com.test";
+			final String ns1 = nsparent +".ju_ns";
+			final String ns2 = nsparent + ".ju_ns2";
+			
+			Map<String,String> oAttribs = new HashMap<String,String>();
+			oAttribs.put(SWM, "swm_data");
+			oAttribs.put(CRM, "crm_data");
+			Data data = new NsDAO.Data();
+			data.name = ns1;
+			data.type = NsType.APP.type;
+			data.parent = nsparent;
+			data.attrib(true).putAll(oAttribs);
+			
+
+			Result<List<Data>> rdrr;
+
+			// CREATE
+			Result<Data> rdc = nsd.create(trans, data);
+			assertTrue(rdc.isOK());
+			
+			try {
+//		        Bytification
+		        ByteBuffer bb = data.bytify();
+		        Data bdata = new NsDAO.Data();
+		        bdata.reconstitute(bb);
+		        compare(data, bdata);
+
+				// Test READ by Object
+				rdrr = nsd.read(trans, data);
+				assertTrue(rdrr.isOKhasData());
+				assertEquals(rdrr.value.size(),1);
+				Data d = rdrr.value.get(0);
+				assertEquals(d.name,data.name);
+				assertEquals(d.type,data.type);
+				attribsEqual(d.attrib(false),data.attrib(false));
+				attribsEqual(oAttribs,data.attrib(false));
+				
+				// Test Read by Key
+				rdrr = nsd.read(trans, data.name);
+				assertTrue(rdrr.isOKhasData());
+				assertEquals(rdrr.value.size(),1);
+				d = rdrr.value.get(0);
+				assertEquals(d.name,data.name);
+				assertEquals(d.type,data.type);
+				attribsEqual(d.attrib(false),data.attrib(false));
+				attribsEqual(oAttribs,data.attrib(false));
+				
+				// Read NS by Type
+				Result<Set<String>> rtypes = nsd.readNsByAttrib(trans, SWM);
+				Set<String> types;
+				if(rtypes.notOK()) {
+					throw new IOException(rtypes.errorString());
+				} else {
+					types = rtypes.value;
+				}
+				assertEquals(1,types.size());
+				assertEquals(true,types.contains(ns1));
+				
+				// Add second NS to test list of data returned
+				Data data2 = new NsDAO.Data();
+				data2.name = ns2;
+				data2.type = 3; // app
+				data2.parent = nsparent;
+				Result<Data> rdc2 = nsd.create(trans, data2);
+				assertTrue(rdc2.isOK());
+				
+					// Interrupt - test PARENT
+					Result<List<Data>> rdchildren = nsd.getChildren(trans, "com.test");
+					assertTrue(rdchildren.isOKhasData());
+					boolean child1 = false;
+					boolean child2 = false;
+					for(Data dchild : rdchildren.value) {
+						if(ns1.equals(dchild.name))child1=true;
+						if(ns2.equals(dchild.name))child2=true;
+					}
+					assertTrue(child1);
+					assertTrue(child2);
+
+				// FINISH DATA 2 by deleting
+				Result<Void> rddr = nsd.delete(trans, data2, true);
+				assertTrue(rddr.isOK());
+
+				// ADD DESCRIPTION
+				String description = "This is my test Namespace";
+				assertFalse(description.equalsIgnoreCase(data.description));
+				
+				Result<Void> addDesc = nsd.addDescription(trans, data.name, description);
+				assertTrue(addDesc.isOK());
+				rdrr = nsd.read(trans, data);
+				assertTrue(rdrr.isOKhasData());
+				assertEquals(rdrr.value.size(),1);
+				assertEquals(rdrr.value.get(0).description,description);
+				
+				// UPDATE
+				String newDescription = "zz1234 Owns This Namespace Now";
+				oAttribs.put("mso", "mso_data");
+				data.attrib(true).put("mso", "mso_data");
+				data.description = newDescription;
+				Result<Void> update = nsd.update(trans, data);
+				assertTrue(update.isOK());
+				rdrr = nsd.read(trans, data);
+				assertTrue(rdrr.isOKhasData());
+				assertEquals(rdrr.value.size(),1);
+				assertEquals(rdrr.value.get(0).description,newDescription);
+				attribsEqual(oAttribs, rdrr.value.get(0).attrib);
+				
+				
+			} catch (IOException e) {
+				e.printStackTrace();
+			} finally {
+				// DELETE
+				Result<Void> rddr = nsd.delete(trans, data, true);
+				assertTrue(rddr.isOK());
+				rdrr = nsd.read(trans, data);
+				assertTrue(rdrr.isOK() && rdrr.isEmpty());
+				assertEquals(rdrr.value.size(),0);
+			}
+		} finally {
+			nsd.close(trans);
+		}
+	}
+
+	private void compare(NsDAO.Data d, NsDAO.Data data) {
+		assertEquals(d.name,data.name);
+		assertEquals(d.type,data.type);
+		attribsEqual(d.attrib(false),data.attrib(false));
+		attribsEqual(d.attrib(false),data.attrib(false));
+	}
+	
+	private void attribsEqual(Map<String,String> aa, Map<String,String> ba) {
+		assertEquals(aa.size(),ba.size());
+		for(Entry<String, String> es : aa.entrySet()) {
+			assertEquals(es.getValue(),ba.get(es.getKey()));
+		}
+	}
+}
diff --git a/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_NsType.java b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_NsType.java
new file mode 100644
index 00000000..2644fedd
--- /dev/null
+++ b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_NsType.java
@@ -0,0 +1,58 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package com.att.dao.aaf.test;
+
+import static org.junit.Assert.assertEquals;
+
+import org.junit.AfterClass;
+import org.junit.Test;
+import org.onap.aaf.auth.dao.cass.NsType;
+
+public class JU_NsType {
+
+	@AfterClass
+	public static void tearDownAfterClass() throws Exception {
+	}
+
+	@Test
+	public void test() {
+		NsType nt,nt2;
+		String[] tests = new String[] {"DOT","ROOT","COMPANY","APP","STACKED_APP","STACK"};
+		for(String s : tests) {
+			nt = NsType.valueOf(s);
+			assertEquals(s,nt.name());
+			
+			nt2 = NsType.fromString(s);
+			assertEquals(nt,nt2);
+			
+			int t = nt.type;
+			nt2 = NsType.fromType(t);
+			assertEquals(nt,nt2);
+		}
+		
+		nt  = NsType.fromType(Integer.MIN_VALUE);
+		assertEquals(nt,NsType.UNKNOWN);
+		nt = NsType.fromString("Garbage");
+		assertEquals(nt,NsType.UNKNOWN);
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_OAuthTokenDAO.java b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_OAuthTokenDAO.java
new file mode 100644
index 00000000..f3f91d00
--- /dev/null
+++ b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_OAuthTokenDAO.java
@@ -0,0 +1,134 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package com.att.dao.aaf.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.NoSuchAlgorithmException;
+import java.util.Date;
+import java.util.List;
+import java.util.UUID;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.cass.OAuthTokenDAO;
+import org.onap.aaf.auth.dao.cass.OAuthTokenDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.cadi.oauth.AAFToken;
+
+/**
+ * UserDAO unit test.
+ * Date: 7/19/13
+ */
+public class JU_OAuthTokenDAO  extends AbsJUCass {
+	@Test
+	public void test() throws IOException, NoSuchAlgorithmException {
+		OAuthTokenDAO adao = new OAuthTokenDAO(trans,cluster,CassAccess.KEYSPACE);
+		UUID uuid = UUID.randomUUID();
+		try {
+			// Create
+	        Data data = new OAuthTokenDAO.Data();
+	        data.id=AAFToken.toToken(uuid);
+	        data.client_id="zClient";
+	        data.user = "xy1255@csp.att.com";
+	        data.active = true;
+	        data.type=1;
+	        data.refresh = AAFToken.toToken(UUID.randomUUID());
+	        data.expires=new Date();
+	        data.scopes(false).add("org.osaaf.aaf");
+	        data.scopes(false).add("org.osaaf.grid");
+	        data.content="{darth:\"I am your content\"}";
+	        data.req_ip="::1";
+	        
+//	        Bytification
+	        ByteBuffer bb = data.bytify();
+	        Data bdata = new OAuthTokenDAO.Data();
+//	        System.out.println(new String(Symm.base64noSplit.encode(bb.array())));
+	        bdata.reconstitute(bb);
+	        checkData1(data, bdata);
+	        
+//	        DB work
+			adao.create(trans,data);
+			try {
+				// Validate Read with Data Object
+				Result<List<OAuthTokenDAO.Data>> rlcd = adao.read(trans,data);
+				assertTrue(rlcd.isOKhasData());
+				for(OAuthTokenDAO.Data d : rlcd.value) {
+					checkData1(data,d);
+				}
+				// Validate Read with key fields in Data
+				rlcd = adao.read(trans,data.id);
+				assertTrue(rlcd.isOKhasData());
+				for(OAuthTokenDAO.Data d : rlcd.value) {
+					checkData1(data,d);
+				}
+				
+				// Validate Read by User
+				rlcd = adao.readByUser(trans,data.user);
+				assertTrue(rlcd.isOKhasData());
+				for(OAuthTokenDAO.Data d : rlcd.value) {
+					checkData1(data,d);
+				}
+
+				// Update
+				data.content = "{darth:\"I am your content\", luke:\"Noooooooo!\"}";
+				data.active = false;
+				adao.update(trans,data);
+				rlcd = adao.read(trans,data);
+				assertTrue(rlcd.isOKhasData());
+				for(OAuthTokenDAO.Data d : rlcd.value) {
+					checkData1(data,d);
+				}			
+
+			} finally {
+				// Always delete data, even if failure.
+				adao.delete(trans,data, true);
+			}
+		} finally {
+			adao.close(trans);
+		}
+
+	}
+
+	private void checkData1(Data data, Data d) {
+		assertEquals(data.id,d.id);
+		assertEquals(data.client_id,d.client_id);
+		assertEquals(data.user,d.user);
+		assertEquals(data.active,d.active);
+		assertEquals(data.type,d.type);
+		assertEquals(data.refresh,d.refresh);
+		assertEquals(data.expires,d.expires);
+		for(String s: data.scopes(false)) {
+			assertTrue(d.scopes(false).contains(s));
+		}
+		for(String s: d.scopes(false)) {
+			assertTrue(data.scopes(false).contains(s));
+		}
+		assertEquals(data.content,d.content);
+		assertEquals(data.state,d.state);
+		assertEquals(data.req_ip,d.req_ip);
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_PermDAO.java b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_PermDAO.java
new file mode 100644
index 00000000..0a506db1
--- /dev/null
+++ b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_PermDAO.java
@@ -0,0 +1,176 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package com.att.dao.aaf.test;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertTrue;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.List;
+import java.util.Set;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.dao.cass.PermDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+/**
+ * Test the PermissionDAO
+ * 
+ * Utilize AbsJUCass to initialize and pre-load Cass
+ * 
+ * @author Jonathan
+ *
+ */
+public class JU_PermDAO extends AbsJUCass{
+
+	@Test
+	public void test() throws APIException, IOException {
+		PermDAO pd = new PermDAO(trans,cluster,CassAccess.KEYSPACE);
+		try {
+			PermDAO.Data data = new PermDAO.Data();
+			data.ns = "com.test.ju_perm";
+			data.type = "MyType";
+			data.instance = "MyInstance";
+			data.action = "MyAction";
+			data.roles(true).add(data.ns + ".dev");
+			
+
+
+			// CREATE
+			Result<Data> rpdc = pd.create(trans,data);
+			assertTrue(rpdc.isOK());
+
+			Result<List<PermDAO.Data>> rlpd;
+			try {
+//		        Bytification
+		        ByteBuffer bb = data.bytify();
+		        Data bdata = new PermDAO.Data();
+		        bdata.reconstitute(bb);
+		        compare(data, bdata);
+
+				// Validate Read with key fields in Data
+				if((rlpd = pd.read(trans,data)).isOK())
+				  for(PermDAO.Data d : rlpd.value) {
+					checkData1(data,d);
+				}
+				
+				// Validate readByName
+				if((rlpd = pd.readByType(trans,data.ns, data.type)).isOK())
+				  for(PermDAO.Data d : rlpd.value) {
+					checkData1(data,d);
+				}
+				
+				// Add Role
+				RoleDAO.Data role = new RoleDAO.Data();
+				role.ns = data.ns;
+				role.name = "test";
+				
+				Result<Void> rvpd = pd.addRole(trans, data, role.fullName());
+				assertTrue(rvpd.isOK());
+				// Validate Read with key fields in Data
+				if((rlpd = pd.read(trans,data)).isOK())
+				  for(PermDAO.Data d : rlpd.value) {
+					checkData2(data,d);
+				  }
+				
+				// Remove Role
+				rvpd = pd.delRole(trans, data, role.fullName());
+				assertTrue(rvpd.isOK());
+				if((rlpd = pd.read(trans,data)).isOK())
+					for(PermDAO.Data d : rlpd.value) {
+						checkData1(data,d);
+					}
+				
+				// Add Child
+				Data data2 = new Data();
+				data2.ns = data.ns;
+				data2.type = data.type + ".2";
+				data2.instance = data.instance;
+				data2.action = data.action;
+				
+				rpdc = pd.create(trans, data2);
+				assertTrue(rpdc.isOK());
+				try {
+					rlpd = pd.readChildren(trans, data.ns,data.type);
+					assertTrue(rlpd.isOKhasData());
+					assertEquals(rlpd.value.size(),1);
+					assertEquals(rlpd.value.get(0).fullType(),data2.fullType());
+				} finally {
+					// Delete Child
+					pd.delete(trans, data2,true);
+
+				}
+			} catch (IOException e) {
+				e.printStackTrace();
+			} finally {
+				// DELETE
+				Result<Void> rpdd = pd.delete(trans,data,true);
+				assertTrue(rpdd.isOK());
+				rlpd = pd.read(trans, data);
+				assertTrue(rlpd.isOK() && rlpd.isEmpty());
+				assertEquals(rlpd.value.size(),0);
+			}
+		} finally {
+			pd.close(trans);
+		}
+	}
+
+	private void compare(Data a, Data b) {
+		assertEquals(a.ns,b.ns);
+		assertEquals(a.type,b.type);
+		assertEquals(a.instance,b.instance);
+		assertEquals(a.action,b.action);
+		assertEquals(a.roles(false).size(),b.roles(false).size());
+		for(String s: a.roles(false)) {
+			assertTrue(b.roles(false).contains(s));
+		}
+	}
+	private void checkData1(Data data, Data d) {
+		assertEquals(data.ns,d.ns);
+		assertEquals(data.type,d.type);
+		assertEquals(data.instance,d.instance);
+		assertEquals(data.action,d.action);
+		
+		Set<String> ss = d.roles(true);
+		assertEquals(1,ss.size());
+		assertTrue(ss.contains(data.ns+".dev"));
+	}
+	
+	private void checkData2(Data data, Data d) {
+		assertEquals(data.ns,d.ns);
+		assertEquals(data.type,d.type);
+		assertEquals(data.instance,d.instance);
+		assertEquals(data.action,d.action);
+		
+		Set<String> ss = d.roles(true);
+		assertEquals(2,ss.size());
+		assertTrue(ss.contains(data.ns+".dev"));
+		assertTrue(ss.contains(data.ns+".test"));
+	}
+
+
+}
diff --git a/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_RoleDAO.java b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_RoleDAO.java
new file mode 100644
index 00000000..56875bdd
--- /dev/null
+++ b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/JU_RoleDAO.java
@@ -0,0 +1,138 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+
+package com.att.dao.aaf.test;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertTrue;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.List;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+
+public class JU_RoleDAO extends AbsJUCass {
+
+	@Test
+	public void test()  throws IOException, APIException {
+		RoleDAO rd = new RoleDAO(trans, cluster, AUTHZ);
+		try {
+			Data data = new RoleDAO.Data();
+			data.ns = "com.test.ju_role";
+			data.name = "role1";
+
+//	        Bytification
+	        ByteBuffer bb = data.bytify();
+	        Data bdata = new RoleDAO.Data();
+	        bdata.reconstitute(bb);
+	        compare(data, bdata);
+
+			// CREATE
+			Result<Data> rdc = rd.create(trans, data);
+			assertTrue(rdc.isOK());
+			Result<List<Data>> rdrr;
+			try {
+				// READ
+				rdrr = rd.read(trans, data);
+				assertTrue(rdrr.isOKhasData());
+				assertEquals(rdrr.value.size(),1);
+				Data d = rdrr.value.get(0);
+				assertEquals(d.perms.size(),0);
+				assertEquals(d.name,data.name);
+				assertEquals(d.ns,data.ns);
+
+				PermDAO.Data perm = new PermDAO.Data();
+				perm.ns = data.ns;
+				perm.type = "Perm";
+				perm.instance = "perm1";
+				perm.action = "write";
+				
+				// ADD Perm
+				Result<Void> rdar = rd.addPerm(trans, data, perm);
+				assertTrue(rdar.isOK());
+				rdrr = rd.read(trans, data);
+				assertTrue(rdrr.isOKhasData());
+				assertEquals(rdrr.value.size(),1);
+				assertEquals(rdrr.value.get(0).perms.size(),1);
+				assertTrue(rdrr.value.get(0).perms.contains(perm.encode()));
+				
+				// DEL Perm
+				rdar = rd.delPerm(trans, data,perm);
+				assertTrue(rdar.isOK());
+				rdrr = rd.read(trans, data);
+				assertTrue(rdrr.isOKhasData());
+				assertEquals(rdrr.value.size(),1);
+				assertEquals(rdrr.value.get(0).perms.size(),0);
+
+				// Add Child
+				Data data2 = new Data();
+				data2.ns = data.ns;
+				data2.name = data.name + ".2";
+				
+				rdc = rd.create(trans, data2);
+				assertTrue(rdc.isOK());
+				try {
+					rdrr = rd.readChildren(trans, data.ns,data.name);
+					assertTrue(rdrr.isOKhasData());
+					assertEquals(rdrr.value.size(),1);
+					assertEquals(rdrr.value.get(0).name,data.name + ".2");
+					
+					rdrr = rd.readChildren(trans, data.ns,"*");
+					assertTrue(rdrr.isOKhasData());
+					assertEquals(rdrr.value.size(),2);
+
+				} finally {
+					// Delete Child
+					rd.delete(trans, data2, true);
+				}
+	
+			} finally {
+				// DELETE
+				Result<Void> rddr = rd.delete(trans, data, true);
+				assertTrue(rddr.isOK());
+				rdrr = rd.read(trans, data);
+				assertTrue(rdrr.isOK() && rdrr.isEmpty());
+				assertEquals(rdrr.value.size(),0);
+			}
+		} finally {
+			rd.close(trans);
+		}
+	}
+
+	private void compare(Data a, Data b) {
+		assertEquals(a.name,b.name);
+		assertEquals(a.description, b.description);
+		assertEquals(a.ns,b.ns);
+		assertEquals(a.perms(false).size(),b.perms(false).size());
+		for(String p : a.perms(false)) {
+			assertTrue(b.perms(false).contains(p));
+		}
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/com/att/dao/aaf/test/NS_ChildUpdate.java b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/NS_ChildUpdate.java
new file mode 100644
index 00000000..8e2f78b6
--- /dev/null
+++ b/auth/auth-cass/src/test/java/com/att/dao/aaf/test/NS_ChildUpdate.java
@@ -0,0 +1,74 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package com.att.dao.aaf.test;
+
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.env.AuthzEnv;
+
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.Row;
+import com.datastax.driver.core.Session;
+
+public class NS_ChildUpdate {
+
+	public static void main(String[] args) {
+		if(args.length < 3 ) {
+			System.out.println("usage: NS_ChildUpdate machine mechid (encrypted)passwd");
+		} else {
+			try {
+				AuthzEnv env = new AuthzEnv();
+				env.setLog4JNames("log.properties","authz","authz","audit","init","trace");
+				
+				Cluster cluster = Cluster.builder()
+						.addContactPoint(args[0])
+						.withCredentials(args[1],env.decrypt(args[2], false))
+						.build();
+	
+				Session session = cluster.connect(CassAccess.KEYSPACE);
+				try {
+					ResultSet result = session.execute("SELECT name,parent FROM ns");
+					int count = 0;
+					for(Row r : result.all()) {
+						++count;
+						String name = r.getString(0);
+						String parent = r.getString(1);
+						if(parent==null) {
+							int idx = name.lastIndexOf('.');
+							
+							parent = idx>0?name.substring(0, idx):".";
+							System.out.println("UPDATE " + name + " to " + parent);
+							session.execute("UPDATE ns SET parent='" + parent + "' WHERE name='" + name + "';");
+						}
+					}
+					System.out.println("Processed " + count + " records");
+				} finally {
+					session.close();
+					cluster.close();
+				}
+			} catch (Exception e) {
+				e.printStackTrace();
+			}
+		}
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/cass/hl/JU_Question.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/cass/hl/JU_Question.java
new file mode 100644
index 00000000..e06a8c57
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/cass/hl/JU_Question.java
@@ -0,0 +1,509 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cass.hl;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertFalse;
+import static junit.framework.Assert.assertTrue;
+
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.List;
+
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.onap.aaf.auth.dao.cass.NsDAO;
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.dao.cass.UserRoleDAO;
+import org.onap.aaf.auth.dao.cass.NsDAO.Data;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.dao.hl.Question.Access;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.cadi.principal.TaggedPrincipal;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+
+import com.att.dao.aaf.test.AbsJUCass;
+
+public class JU_Question extends AbsJUCass {
+
+	private static final int EXPIRES_IN = 60000000;
+	private static final String COM_TEST_JU = "com.test.ju_question";
+	private static final String JU9999_JU_TEST_COM = "ju9999@ju.test.com";
+	private static final String JU9998_JU_TEST_COM = "ju9998@ju.test.com";
+	private static final String READ = "read";
+	private static final int NFR_1 = 80;
+	private static final int NFR_2 = 4000;
+	private static final int ROLE_LEVEL1 = 1000;
+	private static final int PERM_LEVEL1 = 1000;
+//	private static final int PERM_LEVEL2 = 20;
+	private static Question q;
+	private static NsDAO.Data ndd;
+
+	@BeforeClass
+	public static void startupBeforeClass() throws Exception {
+		details=false;
+		AuthzTrans trans = env.newTransNoAvg();
+		q = new Question(trans,cluster,AUTHZ, false);
+		ndd = new NsDAO.Data();
+		ndd.name=COM_TEST_JU;
+		ndd.type=3; // app
+		ndd.parent="com.test";
+		ndd.description="Temporary Namespace for JU_Question";
+		q.nsDAO.create(trans, ndd);
+	}
+	
+	@AfterClass
+	public static void endAfterClass() throws Exception {
+		q.nsDAO.delete(trans, ndd,false);
+	}
+//    @Test
+	public void mayUserRead_EmptyPerm() {
+		PermDAO.Data pdd = new PermDAO.Data();
+		Result<NsDAO.Data> result = q.mayUser(trans,JU9999_JU_TEST_COM,pdd,Access.read);
+		assertFalse(result.isOK());
+	}
+
+//    @Test
+	public void mayUserRead_OnePermNotExist() {
+		Result<NsDAO.Data> result = q.mayUser(trans,JU9999_JU_TEST_COM,newPerm(0,0,READ),Access.read);
+		assertFalse(result.isOK());
+		assertEquals("Denied - ["+ JU9999_JU_TEST_COM +"] may not read Perm [" + COM_TEST_JU + ".myPerm0|myInstance0|read]",result.errorString());
+	}
+	
+//    @Test
+	public void mayUserRead_OnePermExistDenied() {
+		PermDAO.Data perm = newPerm(0,0,READ);
+		q.permDAO.create(trans,perm);
+		try {
+			Result<NsDAO.Data> result;
+			TimeTaken tt = trans.start("q.mayUser...", Env.SUB);
+			try {
+				result = q.mayUser(trans,JU9999_JU_TEST_COM,perm,Access.read);
+			} finally {
+				tt.done();
+				assertTrue("NFR time < "+ NFR_1 + "ms",tt.millis()<NFR_1);
+			}
+			assertFalse(result.isOK());
+			assertEquals("Denied - ["+ JU9999_JU_TEST_COM +"] may not read Perm ["+COM_TEST_JU + ".myPerm0|myInstance0|read]",result.errorString());
+		} finally {
+			q.permDAO.delete(trans, perm, false);
+		}
+	}
+
+//    @Test
+	public void mayUserRead_OnePermOneRoleExistOK() {
+		PermDAO.Data perm = newPerm(0,0,READ);
+		RoleDAO.Data role = newRole(0,perm);
+		UserRoleDAO.Data ur = newUserRole(role,JU9999_JU_TEST_COM,EXPIRES_IN);
+		try {
+			q.permDAO.create(trans,perm);
+			q.roleDAO.create(trans,role);
+			q.userRoleDAO.create(trans,ur);
+			
+			Result<NsDAO.Data> result;
+			TimeTaken tt = trans.start("q.mayUser...", Env.SUB);
+			try {
+				result = q.mayUser(trans,JU9999_JU_TEST_COM,perm,Access.read);
+			} finally {
+				tt.done();
+				assertTrue("NFR time < "+ NFR_1 + "ms",tt.millis()<NFR_1);
+			}
+			assertTrue(result.isOK());
+		} finally {
+			q.permDAO.delete(trans, perm, false);
+			q.roleDAO.delete(trans, role, false);
+			q.userRoleDAO.delete(trans, ur, false);
+		}
+	}
+
+//	@Test
+	public void filter_OnePermOneRoleExistOK() {
+		PermDAO.Data perm = newPerm(0,0,READ);
+		RoleDAO.Data role = newRole(0,perm);
+		UserRoleDAO.Data ur1 = newUserRole(role,JU9998_JU_TEST_COM,EXPIRES_IN);
+		UserRoleDAO.Data ur2 = newUserRole(role,JU9999_JU_TEST_COM,EXPIRES_IN);
+		try {
+			q.permDAO.create(trans,perm);
+			q.roleDAO.create(trans,role);
+			q.userRoleDAO.create(trans,ur1);
+			q.userRoleDAO.create(trans,ur2);
+			
+			Result<List<PermDAO.Data>> pres;
+			TimeTaken tt = trans.start("q.getPerms...", Env.SUB);
+			try {
+				pres = q.getPermsByUserFromRolesFilter(trans, JU9999_JU_TEST_COM, JU9999_JU_TEST_COM);
+			} finally {
+				tt.done();
+				trans.info().log("filter_OnePermOneRleExistOK",tt);
+				assertTrue("NFR time < "+ NFR_1 + "ms",tt.millis()<NFR_1);
+			}
+			assertTrue(pres.isOK());
+			
+			try {
+				pres = q.getPermsByUserFromRolesFilter(trans, JU9999_JU_TEST_COM, JU9998_JU_TEST_COM);
+			} finally {
+				tt.done();
+				trans.info().log("filter_OnePermOneRleExistOK No Value",tt);
+				assertTrue("NFR time < "+ NFR_1 + "ms",tt.millis()<NFR_1);
+			}
+			assertFalse(pres.isOKhasData());
+
+		} finally {
+			q.permDAO.delete(trans, perm, false);
+			q.roleDAO.delete(trans, role, false);
+			q.userRoleDAO.delete(trans, ur1, false);
+			q.userRoleDAO.delete(trans, ur2, false);
+		}
+	}
+
+//    @Test
+	public void mayUserRead_OnePermMultiRoleExistOK() {
+		PermDAO.Data perm = newPerm(0,0,READ);
+		List<RoleDAO.Data> lrole = new ArrayList<RoleDAO.Data>();
+		List<UserRoleDAO.Data> lur = new ArrayList<UserRoleDAO.Data>();
+		try {
+			q.permDAO.create(trans,perm);
+			for(int i=0;i<ROLE_LEVEL1;++i) {
+				RoleDAO.Data role = newRole(i,perm);
+				lrole.add(role);
+				q.roleDAO.create(trans,role);
+				
+				UserRoleDAO.Data ur = newUserRole(role,JU9999_JU_TEST_COM,60000000);
+				lur.add(ur);
+				q.userRoleDAO.create(trans,ur);
+			}
+			
+			Result<NsDAO.Data> result;
+			TimeTaken tt = trans.start("mayUserRead_OnePermMultiRoleExistOK", Env.SUB);
+			try {
+				result = q.mayUser(trans,JU9999_JU_TEST_COM,perm,Access.read);
+			} finally {
+				tt.done();
+				env.info().log(tt,ROLE_LEVEL1,"iterations");
+				assertTrue("NFR time < "+ NFR_2 + "ms",tt.millis()<NFR_2);
+			}
+			assertTrue(result.isOK());
+		} finally {
+			q.permDAO.delete(trans, perm, false);
+			for(RoleDAO.Data role : lrole) {
+				q.roleDAO.delete(trans, role, false);
+			}
+			for(UserRoleDAO.Data ur : lur) {
+				q.userRoleDAO.delete(trans, ur, false);
+			}
+		}
+	}
+
+    @Test
+	public void mayUserRead_MultiPermOneRoleExistOK() {
+		RoleDAO.Data role = newRole(0);
+		UserRoleDAO.Data ur = newUserRole(role,JU9999_JU_TEST_COM,EXPIRES_IN);
+		List<PermDAO.Data> lperm = new ArrayList<PermDAO.Data>();
+		try {
+			for(int i=0;i<PERM_LEVEL1;++i) {
+				lperm.add(newPerm(i,i,READ,role));
+			}
+			q.roleDAO.create(trans, role);
+			q.userRoleDAO.create(trans, ur);
+			
+			Result<NsDAO.Data> result;
+			TimeTaken tt = trans.start("mayUserRead_MultiPermOneRoleExistOK", Env.SUB);
+			try {
+				result = q.mayUser(trans,JU9999_JU_TEST_COM,lperm.get(PERM_LEVEL1-1),Access.read);
+			} finally {
+				tt.done();
+				env.info().log(tt,PERM_LEVEL1,"iterations");
+				assertTrue("NFR time < "+ NFR_2 + "ms",tt.millis()<NFR_2);
+			}
+			assertTrue(result.isOK());
+		} finally {
+			for(PermDAO.Data perm : lperm) {
+				q.permDAO.delete(trans, perm, false);
+			}
+			q.roleDAO.delete(trans, role, false);
+			q.userRoleDAO.delete(trans, ur, false);
+		}
+	}
+
+////	@Test
+//	public void mayUserRead_MultiPermMultiRoleExistOK() {
+//		List<PermDAO.Data> lperm = new ArrayList<PermDAO.Data>();
+//		List<RoleDAO.Data> lrole = new ArrayList<RoleDAO.Data>();
+//		List<UserRoleDAO.Data> lur = new ArrayList<UserRoleDAO.Data>();
+//
+//		try {
+//			RoleDAO.Data role;
+//			UserRoleDAO.Data ur;
+//			for(int i=0;i<ROLE_LEVEL1;++i) {
+//				lrole.add(role=newRole(i));
+//				q.roleDAO.create(trans, role);
+//				lur.add(ur=newUserRole(role, JU9999_JU_TEST_COM, EXPIRES_IN));
+//				q.userRoleDAO.create(trans, ur);
+//				for(int j=0;j<PERM_LEVEL2;++j) {
+//					lperm.add(newPerm(i,j,READ,role));
+//				}
+//			}
+//			
+//			Result<NsDAO.Data> result;
+//			TimeTaken tt = trans.start("mayUserRead_MultiPermMultiRoleExistOK", Env.SUB);
+//			try {
+//				result = q.mayUser(trans,JU9999_JU_TEST_COM,lperm.get(ROLE_LEVEL1*PERM_LEVEL2-1),Access.read);
+//			} finally {
+//				tt.done();
+//				env.info().log(tt,lperm.size(),"perms",", ",lrole.size(),"role");
+//				assertTrue("NFR time < "+ NFR_2 + "ms",tt.millis()<NFR_2);
+//			}
+//			assertTrue(result.isOK());
+//		} finally {
+//			for(PermDAO.Data perm : lperm) {
+//				q.permDAO.delete(trans, perm, false);
+//			}
+//			for(RoleDAO.Data role : lrole) {
+//				q.roleDAO.delete(trans, role, false);
+//			}
+//			for(UserRoleDAO.Data ur : lur) {
+//				q.userRoleDAO.delete(trans, ur, false);
+//			}
+//		}
+//	}
+
+	@Test
+	public void mayUserRead_MultiPermMultiRoleExist_10x10() {
+		env.info().log("Original Filter Method 10x10");
+		mayUserRead_MultiPermMultiRoleExist(10,10);
+		env.info().log("New Filter Method 10x10");
+		mayUserRead_MultiPermMultiRoleExist_NewOK(10,10);
+	}
+
+//	@Test
+	public void mayUserRead_MultiPermMultiRoleExist_20x10() {
+		env.info().log("mayUserRead_MultiPermMultiRoleExist_20x10");
+		mayUserRead_MultiPermMultiRoleExist_NewOK(20,10);
+	}
+
+//	@Test
+	public void mayUserRead_MultiPermMultiRoleExist_100x10() {
+		env.info().log("mayUserRead_MultiPermMultiRoleExist_100x10");
+		mayUserRead_MultiPermMultiRoleExist_NewOK(100,10);
+	}
+
+//	@Test
+	public void mayUserRead_MultiPermMultiRoleExist_100x20() {
+		env.info().log("mayUserRead_MultiPermMultiRoleExist_100x20");
+		mayUserRead_MultiPermMultiRoleExist_NewOK(100,20);
+	}
+
+//	@Test
+	public void mayUserRead_MultiPermMultiRoleExist_1000x20() {
+		env.info().log("mayUserRead_MultiPermMultiRoleExist_1000x20");
+		mayUserRead_MultiPermMultiRoleExist_NewOK(1000,20);
+	}
+
+	private void mayUserRead_MultiPermMultiRoleExist(int roleLevel, int permLevel) {
+		List<PermDAO.Data> lperm = new ArrayList<PermDAO.Data>();
+		List<RoleDAO.Data> lrole = new ArrayList<RoleDAO.Data>();
+		List<UserRoleDAO.Data> lur = new ArrayList<UserRoleDAO.Data>();
+		load(roleLevel, permLevel, lperm,lrole,lur);
+
+
+		Result<List<PermDAO.Data>> pres;
+		trans.setUser(new TaggedPrincipal() {
+			@Override
+			public String getName() {
+				return JU9999_JU_TEST_COM;
+			}
+
+			@Override
+			public String tag() {
+				return "JUnit";
+			}
+
+			@Override
+			public String personalName() {
+				return JU9998_JU_TEST_COM;
+			}
+		});
+
+		try {
+			TimeTaken group = trans.start("  Original Security Method (1st time)", Env.SUB);
+			try {
+				TimeTaken tt = trans.start("    Get User Perms for "+JU9998_JU_TEST_COM, Env.SUB);
+				try {
+					pres = q.getPermsByUser(trans,JU9998_JU_TEST_COM,true);
+				} finally {
+					tt.done();
+					env.info().log(tt,"  Looked up (full) getPermsByUser for",JU9998_JU_TEST_COM);
+				}
+				assertTrue(pres.isOK());
+				tt = trans.start("    q.mayUser", Env.SUB);
+				List<PermDAO.Data> reduced = new ArrayList<PermDAO.Data>();
+				
+				try {
+					for(PermDAO.Data p : pres.value) {
+						Result<Data> r = q.mayUser(trans,JU9999_JU_TEST_COM,p,Access.read);
+						if(r.isOK()) {
+							reduced.add(p);
+						}
+					}
+				} finally {
+					tt.done();
+					env.info().log(tt," reduced" + pres.value.size(),"perms","to",reduced.size());
+	//				assertTrue("NFR time < "+ NFR_2 + "ms",tt.millis()<NFR_2);
+				}
+	//			assertFalse(result.isOK());
+			} finally {
+				group.done();
+				env.info().log(group,"  Original Validation Method (1st pass)");
+			}
+			
+
+		} finally {
+			unload(lperm, lrole, lur);
+		}
+	}
+
+	private void mayUserRead_MultiPermMultiRoleExist_NewOK(int roleLevel, int permLevel) {
+		List<PermDAO.Data> lperm = new ArrayList<PermDAO.Data>();
+		List<RoleDAO.Data> lrole = new ArrayList<RoleDAO.Data>();
+		List<UserRoleDAO.Data> lur = new ArrayList<UserRoleDAO.Data>();
+		load(roleLevel, permLevel, lperm,lrole,lur);
+
+		try {
+
+			Result<List<PermDAO.Data>> pres;
+			TimeTaken tt = trans.start("  mayUserRead_MultiPermMultiRoleExist_New New Filter", Env.SUB);
+			try {
+				pres = q.getPermsByUserFromRolesFilter(trans, JU9999_JU_TEST_COM, JU9998_JU_TEST_COM);
+			} finally {
+				tt.done();
+				env.info().log(tt,lperm.size(),"perms",", ",lrole.size(),"role", lur.size(), "UserRoles");
+//				assertTrue("NFR time < "+ NFR_2 + "ms",tt.millis()<NFR_2);
+			}
+//			assertTrue(pres.isOKhasData());
+
+			tt = trans.start("  mayUserRead_MultiPermMultiRoleExist_New New Filter (2nd time)", Env.SUB);
+			try {
+				pres = q.getPermsByUserFromRolesFilter(trans, JU9999_JU_TEST_COM, JU9998_JU_TEST_COM);
+			} finally {
+				tt.done();
+				env.info().log(tt,lperm.size(),"perms",", ",lrole.size(),"role", lur.size(), "UserRoles");
+				assertTrue("NFR time < "+ NFR_2 + "ms",tt.millis()<NFR_2);
+			}
+//			assertTrue(pres.isOKhasData());
+
+		} finally {
+			unload(lperm, lrole, lur);
+		}
+	}
+
+
+	private void load(int roleLevel, int permLevel,	List<PermDAO.Data> lperm , List<RoleDAO.Data> lrole, List<UserRoleDAO.Data> lur) {
+		RoleDAO.Data role;
+		UserRoleDAO.Data ur;
+		PermDAO.Data perm;
+		
+		int onethirdR=roleLevel/3;
+		int twothirdR=onethirdR*2;
+		int onethirdP=permLevel/3;
+		int twothirdP=onethirdP*2;
+
+		for(int i=0;i<roleLevel;++i) {
+			lrole.add(role=newRole(i));
+			if(i<onethirdR) { // one has
+				lur.add(ur=newUserRole(role, JU9998_JU_TEST_COM, EXPIRES_IN));
+				q.userRoleDAO.create(trans, ur);
+				for(int j=0;j<onethirdP;++j) {
+					lperm.add(perm=newPerm(i,j,READ,role));
+					q.permDAO.create(trans, perm);
+				}
+			} else if(i<twothirdR) { // both have
+				lur.add(ur=newUserRole(role, JU9998_JU_TEST_COM, EXPIRES_IN));
+				q.userRoleDAO.create(trans, ur);
+				lur.add(ur=newUserRole(role, JU9999_JU_TEST_COM, EXPIRES_IN));
+				q.userRoleDAO.create(trans, ur);
+				for(int j=onethirdP;j<twothirdP;++j) {
+					lperm.add(perm=newPerm(i,j,READ,role));
+					q.permDAO.create(trans, perm);
+				}
+			} else { // other has
+				lur.add(ur=newUserRole(role, JU9999_JU_TEST_COM, EXPIRES_IN));
+				q.userRoleDAO.create(trans, ur);
+				for(int j=twothirdP;j<permLevel;++j) {
+					lperm.add(perm=newPerm(i,j,READ,role));
+					q.permDAO.create(trans, perm);
+				}
+			}
+			q.roleDAO.create(trans, role);
+		}
+
+	}
+	
+	private void unload(List<PermDAO.Data> lperm , List<RoleDAO.Data> lrole, List<UserRoleDAO.Data> lur) {
+		for(PermDAO.Data perm : lperm) {
+			q.permDAO.delete(trans, perm, false);
+		}
+		for(RoleDAO.Data role : lrole) {
+			q.roleDAO.delete(trans, role, false);
+		}
+		for(UserRoleDAO.Data ur : lur) {
+			q.userRoleDAO.delete(trans, ur, false);
+		}
+
+	}
+	private PermDAO.Data newPerm(int permNum, int instNum, String action, RoleDAO.Data ... grant) {
+		PermDAO.Data pdd = new PermDAO.Data();
+		pdd.ns=COM_TEST_JU;
+		pdd.type="myPerm"+permNum;
+		pdd.instance="myInstance"+instNum;
+		pdd.action=action;
+		for(RoleDAO.Data r : grant) {
+			pdd.roles(true).add(r.fullName());
+			r.perms(true).add(pdd.encode());
+		}
+		return pdd;
+	}
+
+	private RoleDAO.Data newRole(int roleNum, PermDAO.Data ... grant) {
+		RoleDAO.Data rdd = new RoleDAO.Data();
+		rdd.ns = COM_TEST_JU+roleNum;
+		rdd.name = "myRole"+roleNum;
+		for(PermDAO.Data p : grant) {
+			rdd.perms(true).add(p.encode());
+			p.roles(true).add(rdd.fullName());
+		}
+		return rdd;
+	}
+
+	private UserRoleDAO.Data newUserRole(RoleDAO.Data role,String user, long offset) {
+		UserRoleDAO.Data urd = new UserRoleDAO.Data();
+		urd.user=user;
+		urd.role(role);
+		urd.expires=new Date(System.currentTimeMillis()+offset);
+		return urd;
+	}
+
+
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/cass/hl/JU_Question2.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/cass/hl/JU_Question2.java
new file mode 100644
index 00000000..bfb6fd4e
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/cass/hl/JU_Question2.java
@@ -0,0 +1,73 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cass.hl;
+
+import java.io.IOException;
+
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.onap.aaf.auth.dao.hl.Question;
+
+public class JU_Question2 {
+
+	@BeforeClass
+	public static void setUpBeforeClass() throws Exception {
+	}
+
+	@AfterClass
+	public static void tearDownAfterClass() throws Exception {
+	}
+
+	@Before
+	public void setUp() throws Exception {
+	}
+
+	@After
+	public void tearDown() throws Exception {
+	}
+
+	@Test
+	public void test() throws IOException {
+		String s,u;
+		System.out.println((s="com") + '=' + (u=Question.toUnique(s)));
+		System.out.println(u+'='+(Question.fromUnique(u)));
+		System.out.println((s="org.osaaf.cdp.Tenant32_what-a-joy") + '=' + (u=Question.toUnique(s)));
+		System.out.println(u+'='+(Question.fromUnique(u)));
+		System.out.println((s="org.osaaf.cdp") + '=' + (u=Question.toUnique(s)));
+		System.out.println(u+'='+(Question.fromUnique(u)));
+
+//		Assert.assertSame(s="com", Question.toUnique(s));
+//		Assert.assertSame(s="", Question.toUnique(s));
+//		Assert.assertSame(s="com.aa", Question.toUnique(s));
+//		Assert.assertNotSame(s="com.Aa", Question.toUnique(s));
+//		Assert.assertEquals("com.aa", Question.toUnique(s));
+//		Assert.assertNotSame(s="com.Aa.1", Question.toUnique(s));
+//		Assert.assertEquals("com.aa.1", Question.toUnique(s));
+//		Assert.assertNotSame(s="com.Aa.1-3", Question.toUnique(s));
+//		Assert.assertEquals("com.aa.13", Question.toUnique(s));
+//		Assert.assertEquals("com.aa.13", Question.toUnique("com.aA.1_3"));
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/JU_Cached.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/JU_Cached.java
new file mode 100644
index 00000000..22f9a6f7
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/JU_Cached.java
@@ -0,0 +1,124 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.dao;
+
+import static org.junit.Assert.*;
+
+import java.util.Date;
+import java.util.List;
+import java.util.Map;
+import java.util.Timer;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.onap.aaf.auth.cache.Cache;
+import org.onap.aaf.auth.cache.Cache.Dated;
+import org.onap.aaf.auth.dao.CIDAO;
+import org.onap.aaf.auth.dao.Cached;
+import org.onap.aaf.auth.dao.Cached.Getter;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.Trans;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+@RunWith(PowerMockRunner.class)
+public class JU_Cached {
+	Cached cached;
+	@Mock
+	CIDAO<Trans> ciDaoMock;
+	@Mock
+	AuthzEnv authzEnvMock;
+	@Mock
+	CIDAO<AuthzTrans> cidaoATMock;
+	
+	String name = "nameString";
+	
+	@Before
+	public void setUp(){
+		cached = new Cached(ciDaoMock, name, (int)0, 30000L);
+	}
+	
+	@Test(expected=ArithmeticException.class)
+	public void testCachedIdx(){
+		int Result = cached.cacheIdx("1234567890");		
+	}
+	
+	@Test(expected=ArithmeticException.class)
+	public void testInvalidate(){
+		int Res = cached.invalidate(name);
+	}
+	
+	@SuppressWarnings("static-access")
+	@Test
+	public void testStopTimer(){
+		cached.stopTimer();
+		assertTrue(true);
+	}
+
+	@SuppressWarnings("static-access")
+	@Test
+	public void testStartRefresh(){
+		cached.startRefresh(authzEnvMock, cidaoATMock);
+		assertTrue(true);
+	}
+//	@Mock
+//	Trans transMock;
+//	@Mock
+//	Getter<DAO> getterMock;
+//	
+//	@Test
+//	public void testGet(){
+//		cached.get(transMock, name, getterMock);
+//		fail("not implemented");
+//	}
+//	
+//	@SuppressWarnings("unchecked")
+//	public Result<List<DATA>> get(TRANS trans, String key, Getter<DATA> getter) {
+//		List<DATA> ld = null;
+//		Result<List<DATA>> rld = null;
+//		
+//		int cacheIdx = cacheIdx(key);
+//		Map<String, Dated> map = ((Map<String,Dated>)cache[cacheIdx]);
+//		
+//		// Check for saved element in cache
+//		Dated cached = map.get(key);
+//		// Note: These Segment Timestamps are kept up to date with DB
+//		Date dbStamp = info.get(trans, name,cacheIdx);
+//		
+//		// Check for cache Entry and whether it is still good (a good Cache Entry is same or after DBEntry, so we use "before" syntax)
+//		if(cached!=null && dbStamp.before(cached.timestamp)) {
+//			ld = (List<DATA>)cached.data;
+//			rld = Result.ok(ld);
+//		} else {
+//			rld = getter.get();
+//			if(rld.isOK()) { // only store valid lists
+//				map.put(key, new Dated(rld.value));  // successful item found gets put in cache
+////			} else if(rld.status == Result.ERR_Backend){
+////				map.remove(key);
+//			}
+//		}
+//		return rld;
+//	}
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/JU_CachedDAO.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/JU_CachedDAO.java
new file mode 100644
index 00000000..14612a1f
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/JU_CachedDAO.java
@@ -0,0 +1,64 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.dao;
+
+import static org.junit.Assert.*;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.onap.aaf.auth.dao.CIDAO;
+import org.onap.aaf.auth.dao.CachedDAO;
+import org.onap.aaf.auth.dao.DAO;
+import org.onap.aaf.misc.env.Trans;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+@RunWith(PowerMockRunner.class)
+public class JU_CachedDAO {
+	CachedDAO cachedDAO;
+	@Mock
+	DAO daoMock;
+	@Mock
+	CIDAO<Trans> ciDAOMock; 
+	int segsize=1;
+	Object[ ] objs = new Object[2];
+	
+	@Before
+	public void setUp(){
+		objs[0] = "helo";
+		objs[1] = "polo";
+		cachedDAO = new CachedDAO(daoMock, ciDAOMock, segsize, segsize);
+	}
+		
+	@Test
+	public void testKeyFromObjs(){
+		String result = cachedDAO.keyFromObjs(objs);
+		System.out.println("value of resut " +result);
+		assertTrue(true);
+	}
+	
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/JU_CassAccess.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/JU_CassAccess.java
new file mode 100644
index 00000000..c73371e9
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/JU_CassAccess.java
@@ -0,0 +1,73 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.dao;
+
+import static org.junit.Assert.*;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+//import org.onap.aaf.auth.dao.CassAccess.Resettable;
+import com.datastax.driver.core.Cluster.Builder;
+
+@RunWith(PowerMockRunner.class)
+public class JU_CassAccess {
+	CassAccess cassAccess;
+	
+	public static final String KEYSPACE = "authz";
+	public static final String CASSANDRA_CLUSTERS = "cassandra.clusters";
+	public static final String CASSANDRA_CLUSTERS_PORT = "cassandra.clusters.port";
+	public static final String CASSANDRA_CLUSTERS_USER_NAME = "cassandra.clusters.user";
+	public static final String CASSANDRA_CLUSTERS_PASSWORD = "cassandra.clusters.password";
+	public static final String CASSANDRA_RESET_EXCEPTIONS = "cassandra.reset.exceptions";
+	public static final String LATITUDE = "LATITUDE";
+	public static final String LONGITUDE = "LONGITUDE";
+	//private static final List<Resettable> resetExceptions = new ArrayList<Resettable>();
+	public static final String ERR_ACCESS_MSG = "Accessing Backend";
+	private static Builder cb = null;
+	@Mock
+	Env envMock;
+	String prefix=null;
+	
+	@Before
+	public void setUp(){
+		cassAccess = new CassAccess();
+	}
+
+
+	@Test(expected=APIException.class)
+	public void testCluster() throws APIException, IOException {
+		cassAccess.cluster(envMock, prefix);
+		
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/JU_CassDAOImpl.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/JU_CassDAOImpl.java
new file mode 100644
index 00000000..d06e38f7
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/JU_CassDAOImpl.java
@@ -0,0 +1,96 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.dao;
+
+import static org.junit.Assert.*;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.onap.aaf.auth.dao.CassDAOImpl;
+import org.onap.aaf.auth.dao.Loader;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.misc.env.Data;
+import org.onap.aaf.misc.env.Trans;
+import org.onap.aaf.misc.env.TransStore;
+import org.powermock.api.mockito.PowerMockito;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.ConsistencyLevel;
+
+@RunWith(PowerMockRunner.class)
+public class JU_CassDAOImpl {
+
+public static final String CASS_READ_CONSISTENCY="cassandra.readConsistency";
+public static final String CASS_WRITE_CONSISTENCY="cassandra.writeConsistency";
+
+CassDAOImpl cassDAOImpl;
+
+
+@Mock
+TransStore transStoreMock;
+@SuppressWarnings("rawtypes")
+Class dcMock;
+@SuppressWarnings("rawtypes")
+Loader loaderMock;
+Cluster clusterMock;
+Class<Data> classDataMock;
+ConsistencyLevel consistencyLevelMock;
+Trans transMock;
+
+@Mock
+AuthzTrans authzTransMock;
+
+
+
+	@SuppressWarnings({ "rawtypes", "unchecked" })
+	@Before
+	public void setUp()
+	{
+		String name = "name";
+		String keySpace = "keySpace";
+		String table = "table";
+		cassDAOImpl = new CassDAOImpl(transStoreMock, name, clusterMock, keySpace, classDataMock, table, consistencyLevelMock, consistencyLevelMock);
+	}
+
+	//TODO: Gabe [JUnit] Visibility issue
+	@Test 
+	public void testReadConsistency() {
+		String table = "users";
+		PowerMockito.when(authzTransMock.getProperty(CASS_READ_CONSISTENCY+'.'+table)).thenReturn("TWO");
+		ConsistencyLevel consistencyLevel = cassDAOImpl.readConsistency(authzTransMock, table);
+		System.out.println("Consistency level" + consistencyLevel.name());
+		assertEquals("TWO", consistencyLevel.name());
+	}
+	
+	@Test 
+	public void testWriteConsistency() {
+		String table = "users";
+		PowerMockito.when(authzTransMock.getProperty(CASS_WRITE_CONSISTENCY+'.'+table)).thenReturn(null);
+		ConsistencyLevel consistencyLevel = cassDAOImpl.writeConsistency(authzTransMock, table);
+		System.out.println("Consistency level" + consistencyLevel.name());
+		assertEquals("ONE", consistencyLevel.name());
+	}
+	
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/JU_DAOException.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/JU_DAOException.java
new file mode 100644
index 00000000..8cfb8520
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/JU_DAOException.java
@@ -0,0 +1,49 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.dao;
+
+import static org.junit.Assert.*;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.onap.aaf.auth.dao.DAOException;
+import org.powermock.api.mockito.PowerMockito;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+@RunWith(PowerMockRunner.class)
+public class JU_DAOException {
+DAOException daoException;
+
+	//DAOException daoException = new DAOException();
+	String message = "message";
+	Throwable cause;	
+	@Before
+	public void setUp(){
+	daoException = new DAOException();	
+	}
+
+	@Test
+	public void test(){
+		assertTrue(true);
+	}
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/AbsJUCass.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/AbsJUCass.java
new file mode 100644
index 00000000..3064de55
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/AbsJUCass.java
@@ -0,0 +1,200 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.dao.aaf.test;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
+import java.security.NoSuchAlgorithmException;
+import java.util.Properties;
+
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.CassDAOImpl;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.cadi.Hash;
+import org.onap.aaf.cadi.Symm;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Trans.Metric;
+
+import com.datastax.driver.core.Cluster;
+
+import junit.framework.Assert;
+
+/**
+ * Do Setup of Cassandra for Cassandra JUnit Testing
+ * 
+ *
+ */
+public class AbsJUCass {
+	protected static final String AUTHZ = "authz";
+	protected static Cluster cluster;
+	protected static AuthzEnv env;
+	protected static int iterations = 0;
+	protected static float totals=0.0f;
+	protected static float remote = 0.0f;
+	protected static float json = 0.0f;
+	protected static AuthzTrans trans;
+	protected static boolean details = true;
+	
+	@BeforeClass 
+	public static void startup() throws APIException, IOException {
+		synchronized(AUTHZ) {
+			if(env==null) {
+				final String resource = "cadi.properties";
+	            File f = new File("etc" + resource);
+	            InputStream is=null;
+	            Properties props = new Properties();
+	            try {
+	                if(f.exists()) {
+	                    is = new FileInputStream(f);
+	                } else {
+	                    URL rsrc = ClassLoader.getSystemResource(resource);
+	                    is = rsrc.openStream();
+	                }
+	                props.load(is);
+	            } finally {
+	                if(is==null) {
+	                	env= new AuthzEnv();
+	                    Assert.fail(resource + " must exist in etc dir, or in Classpath");
+	                }
+	                is.close();
+	            }
+				env = new AuthzEnv(props);
+			}
+		}
+		cluster = CassAccess.cluster(env,"LOCAL");
+
+		env.info().log("Connecting to Cluster");
+		try {
+			cluster.connect(AUTHZ);
+		} catch(Exception e) {
+			cluster=null;
+			env.error().log(e);
+			Assert.fail("Not able to connect to DB: " + e.getLocalizedMessage());
+		}
+		env.info().log("Connected");
+		
+		// Load special data here
+		
+		// WebPhone
+		env.setProperty("java.naming.provider.url","ldap://ldap.webphone.att.com:389");
+		env.setProperty("com.sun.jndi.ldap.connect.pool","true");
+		
+		iterations = 0;
+		
+	}
+	
+	@AfterClass
+	public static void shutdown() {
+		if(cluster!=null) {
+			cluster.close();
+			cluster = null;
+		}
+	}
+
+	@Before
+	public void newTrans() {
+		trans = env.newTrans();
+		
+		trans.setProperty(CassDAOImpl.USER_NAME, System.getProperty("user.name"));
+	}
+	
+	@After
+	public void auditTrail() {
+		if(totals==0) { // "updateTotals()" was not called... just do one Trans
+			StringBuilder sb = new StringBuilder();
+			Metric metric = trans.auditTrail(4, sb, Env.JSON, Env.REMOTE);
+			if(details) {
+				env.info().log(
+				sb,
+				"Total time:",
+				totals += metric.total,
+				"JSON time: ",
+				metric.buckets[0],
+				"REMOTE time: ",
+				metric.buckets[1]
+				);
+			} else {
+				totals += metric.total;
+			}
+		}
+	}
+	
+	protected void updateTotals() {
+		Metric metric = trans.auditTrail(0, null, Env.JSON, Env.REMOTE);
+		totals+=metric.total;
+		json  +=metric.buckets[0];
+		remote+=metric.buckets[1];
+	}
+
+
+	@AfterClass
+	public static void print() {
+		float transTime;
+		if(iterations==0) {
+			transTime=totals;
+		} else {
+			transTime=totals/iterations;
+		}
+		env.info().log(
+		"Total time:",
+		totals,   
+		"JSON time:",
+		json,
+		"REMOTE time:",
+		remote,
+		"Iterations:",
+		iterations,
+		"Transaction time:",
+		transTime
+		);
+	}
+	
+	/**
+	 * Take a User/Pass and turn into an MD5 Hashed BasicAuth
+	 * 
+	 * @param user
+	 * @param pass
+	 * @return
+	 * @throws IOException
+	 * @throws NoSuchAlgorithmException
+	 */
+	//TODO: Gabe [JUnit] Issue
+	public static byte[] userPassToBytes(String user, String pass)
+			throws IOException, NoSuchAlgorithmException {
+		// Take the form of BasicAuth, so as to allow any character in Password
+		// (this is an issue in 1.0)
+		// Also, it makes it quicker to evaluate Basic Auth direct questions
+		String ba = Symm.base64url.encode(user + ':' + pass);
+		// Take MD5 Hash, so that data in DB can't be reversed out.
+		return Hash.hashMD5(ba.getBytes());
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_ApprovalDAO.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_ApprovalDAO.java
new file mode 100644
index 00000000..13a13edf
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_ApprovalDAO.java
@@ -0,0 +1,146 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.dao.aaf.test;
+
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotSame;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Date;
+import java.util.List;
+import java.util.UUID;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.cass.ApprovalDAO;
+import org.onap.aaf.auth.dao.cass.ApprovalDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+
+public class JU_ApprovalDAO  extends AbsJUCass {
+	@Test
+	public void testCRUD() throws Exception {
+		ApprovalDAO rrDAO = new ApprovalDAO(trans, cluster, AUTHZ);
+		ApprovalDAO.Data data = new ApprovalDAO.Data();
+		
+		data.ticket = UUID.randomUUID(); // normally, read from Future object
+		data.user = "testid@test.com";
+		data.approver = "mySuper@att.com";
+		data.type = "supervisor";
+		data.status = "pending";
+		data.operation = "C";
+		data.updated = new Date();
+		
+		try {
+			// Test create
+			rrDAO.create(trans, data);
+			
+			// Test Read by Ticket
+			Result<List<ApprovalDAO.Data>> rlad;
+			rlad = rrDAO.readByTicket(trans, data.ticket);
+			assertTrue(rlad.isOK());
+			assertEquals(1,rlad.value.size());
+			compare(data,rlad.value.get(0));
+			
+			// Hold onto original ID for deletion, and read tests
+			UUID id = rlad.value.get(0).id;
+			
+			try {
+				// Test Read by User
+				rlad = rrDAO.readByUser(trans, data.user);
+				assertTrue(rlad.isOKhasData());
+				boolean ok = false;
+				for(ApprovalDAO.Data a : rlad.value) {
+					if(a.id.equals(id)) {
+						ok = true;
+						compare(data,a);
+					}
+				}
+				assertTrue(ok);
+	
+				// Test Read by Approver
+				rlad = rrDAO.readByApprover(trans, data.approver);
+				assertTrue(rlad.isOKhasData());
+				ok = false;
+				for(ApprovalDAO.Data a : rlad.value) {
+					if(a.id.equals(id)) {
+						ok = true;
+						compare(data,a);
+					}
+				}
+				assertTrue(ok);
+	
+				// Test Read by ID
+				rlad = rrDAO.read(trans, id);
+				assertTrue(rlad.isOKhasData());
+				ok = false;
+				for(ApprovalDAO.Data a : rlad.value) {
+					if(a.id.equals(id)) {
+						ok = true;
+						compare(data,a);
+					}
+				}
+				assertTrue(ok);
+	
+				// Test Update
+				data.status = "approved";
+				data.id = id;
+				assertTrue(rrDAO.update(trans, data).isOK());
+				
+				rlad = rrDAO.read(trans, id);
+				assertTrue(rlad.isOKhasData());
+				ok = false;
+				for(ApprovalDAO.Data a : rlad.value) {
+					if(a.id.equals(id)) {
+						ok = true;
+						compare(data,a);
+					}
+				}
+				assertTrue(ok);
+
+			} finally {
+				// Delete
+				data.id = id;
+				rrDAO.delete(trans, data, true);
+				rlad = rrDAO.read(trans, id);
+				assertTrue(rlad.isOK());
+				assertTrue(rlad.isEmpty());
+			}
+			
+		} finally {
+			rrDAO.close(trans);
+		}
+	}
+
+	private void compare(Data d1, Data d2) {
+		assertNotSame(d1.id,d2.id);
+		assertEquals(d1.ticket,d2.ticket);
+		assertEquals(d1.user,d2.user);
+		assertEquals(d1.approver,d2.approver);
+		assertEquals(d1.type,d2.type);
+		assertEquals(d1.status,d2.status);
+		assertEquals(d1.operation,d2.operation);
+		assertNotSame(d1.updated,d2.updated);
+	}
+
+	
+	
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_ArtiDAO.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_ArtiDAO.java
new file mode 100644
index 00000000..f095e32f
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_ArtiDAO.java
@@ -0,0 +1,136 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.dao.aaf.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.NoSuchAlgorithmException;
+import java.util.Date;
+import java.util.List;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.cass.ArtiDAO;
+import org.onap.aaf.auth.dao.cass.ArtiDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+
+/**
+ * UserDAO unit test.
+ * User: tp007s
+ * Date: 7/19/13
+ */
+public class JU_ArtiDAO  extends AbsJUCass {
+	@Test
+	public void test() throws IOException, NoSuchAlgorithmException {
+		ArtiDAO adao = new ArtiDAO(trans,cluster,"authz");
+		try {
+			// Create
+	        ArtiDAO.Data data = new ArtiDAO.Data();
+	        data.mechid="m55555@perturbed.att.com";
+	        data.machine="perturbed1232.att.com";
+	        data.type(false).add("file");
+	        data.type(false).add("jks");
+	        data.sponsor="Fred Flintstone";
+	        data.ca="devl";
+	        data.dir="/opt/app/aft/keys";
+	        data.ns="kumquat";
+	        data.os_user="aft";
+	        data.notify="email:myname@bogus.email.com";
+	        data.expires=new Date();
+	        
+//	        Bytification
+	        ByteBuffer bb = data.bytify();
+	        Data bdata = new ArtiDAO.Data();
+	        bdata.reconstitute(bb);
+	        checkData1(data, bdata);
+	        
+	        
+//	        DB work
+			adao.create(trans,data);
+			try {
+				// Validate Read with key fields in Data
+				Result<List<ArtiDAO.Data>> rlcd = adao.read(trans,data);
+				assertTrue(rlcd.isOKhasData());
+				for(ArtiDAO.Data d : rlcd.value) {
+					checkData1(data,d);
+				}
+	
+				// Validate Read with key fields in Data
+				rlcd = adao.read(trans,data.mechid, data.machine);
+				assertTrue(rlcd.isOKhasData());
+				for(ArtiDAO.Data d : rlcd.value) {
+					checkData1(data,d);
+				}
+	
+				// By Machine
+				rlcd = adao.readByMachine(trans,data.machine);
+				assertTrue(rlcd.isOKhasData());
+				for(ArtiDAO.Data d : rlcd.value) {
+					checkData1(data,d);
+				}
+				
+				// By MechID
+				rlcd = adao.readByMechID(trans,data.mechid);
+				assertTrue(rlcd.isOKhasData());
+				for(ArtiDAO.Data d : rlcd.value) {
+					checkData1(data,d);
+				}
+	
+				// Update
+				data.sponsor = "Wilma Flintstone";
+				adao.update(trans,data);
+				rlcd = adao.read(trans,data);
+				assertTrue(rlcd.isOKhasData());
+				for(ArtiDAO.Data d : rlcd.value) {
+					checkData1(data,d);
+				}			
+
+			} finally {
+				// Always delete data, even if failure.
+				adao.delete(trans,data, true);
+			}
+		} finally {
+			adao.close(trans);
+		}
+
+		
+	}
+
+	private void checkData1(Data data, Data d) {
+		assertEquals(data.mechid,d.mechid);
+		assertEquals(data.machine,d.machine);
+		assertEquals(data.type(false).size(),d.type(false).size());
+		for(String s: data.type(false)) {
+			assertTrue(d.type(false).contains(s));
+		}
+		assertEquals(data.sponsor,d.sponsor);
+		assertEquals(data.ca,d.ca);
+		assertEquals(data.dir,d.dir);
+		assertEquals(data.ns,d.ns);
+		assertEquals(data.os_user,d.os_user);
+		assertEquals(data.notify,d.notify);
+		assertEquals(data.expires,d.expires);
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_Bytification.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_Bytification.java
new file mode 100644
index 00000000..e316ac7e
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_Bytification.java
@@ -0,0 +1,265 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.dao.aaf.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.Date;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.cass.CredDAO;
+import org.onap.aaf.auth.dao.cass.NsDAO;
+import org.onap.aaf.auth.dao.cass.NsType;
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.dao.cass.UserRoleDAO;
+
+public class JU_Bytification {
+
+	@Test
+	public void testNS() throws IOException {
+		
+		// Normal
+		NsDAO.Data ns = new NsDAO.Data();
+		ns.name = "org.osaaf.<pass>";
+		ns.type = NsType.APP.type;
+
+		ByteBuffer bb = ns.bytify();
+		
+		NsDAO.Data nsr = new NsDAO.Data();
+		nsr.reconstitute(bb);
+		check(ns,nsr);
+		
+		// Empty admin
+//		ns.admin(true).clear();
+		bb = ns.bytify();
+		nsr = new NsDAO.Data();
+		nsr.reconstitute(bb);
+		check(ns,nsr);
+		
+		// Empty responsible
+//		ns.responsible(true).clear();
+		bb = ns.bytify();
+		nsr = new NsDAO.Data();
+		nsr.reconstitute(bb);
+		check(ns,nsr);
+
+		bb = ns.bytify();
+		nsr = new NsDAO.Data();
+		nsr.reconstitute(bb);
+		check(ns,nsr);
+	}
+	
+	private void check(NsDAO.Data a, NsDAO.Data b) {
+		assertEquals(a.name,b.name);
+		assertEquals(a.type,b.type);
+//		assertEquals(a.admin.size(),b.admin.size());
+		
+//		for(String s: a.admin) {
+//			assertTrue(b.admin.contains(s));
+//		}
+//		
+//		assertEquals(a.responsible.size(),b.responsible.size());
+//		for(String s: a.responsible) {
+//			assertTrue(b.responsible.contains(s));
+//		}
+	}
+
+	@Test
+	public void testRole() throws IOException {
+		RoleDAO.Data rd1 = new RoleDAO.Data();
+		rd1.ns = "org.osaaf.<pass>";
+		rd1.name = "my.role";
+		rd1.perms(true).add("org.osaaf.<pass>.my.Perm|myInstance|myAction");
+		rd1.perms(true).add("org.osaaf.<pass>.my.Perm|myInstance|myAction2");
+
+		// Normal
+		ByteBuffer bb = rd1.bytify();
+		RoleDAO.Data rd2 = new RoleDAO.Data();
+		rd2.reconstitute(bb);
+		check(rd1,rd2);
+		
+		// Overshoot Buffer
+		StringBuilder sb = new StringBuilder(300);
+		sb.append("role|instance|veryLongAction...");
+		for(int i=0;i<280;++i) {
+			sb.append('a');
+		}
+		rd1.perms(true).add(sb.toString());
+		bb = rd1.bytify();
+		rd2 = new RoleDAO.Data();
+		rd2.reconstitute(bb);
+		check(rd1,rd2);
+		
+		// No Perms
+		rd1.perms.clear();
+		
+		bb = rd1.bytify();
+		rd2 = new RoleDAO.Data();
+		rd2.reconstitute(bb);
+		check(rd1,rd2);
+		
+		// 1000 Perms
+		for(int i=0;i<1000;++i) {
+			rd1.perms(true).add("com|inst|action"+ i);
+		}
+
+		bb = rd1.bytify();
+		rd2 = new RoleDAO.Data();
+		rd2.reconstitute(bb);
+		check(rd1,rd2);
+
+	}
+	
+	private void check(RoleDAO.Data a, RoleDAO.Data b) {
+		assertEquals(a.ns,b.ns);
+		assertEquals(a.name,b.name);
+		
+		assertEquals(a.perms.size(),b.perms.size());
+		for(String s: a.perms) {
+			assertTrue(b.perms.contains(s));
+		}
+	}
+
+	@Test
+	public void testPerm() throws IOException {
+		PermDAO.Data pd1 = new PermDAO.Data();
+		pd1.ns = "org.osaaf.<pass>";
+		pd1.type = "my.perm";
+		pd1.instance = "instance";
+		pd1.action = "read";
+		pd1.roles(true).add("org.osaaf.<pass>.my.Role");
+		pd1.roles(true).add("org.osaaf.<pass>.my.Role2");
+
+		// Normal
+		ByteBuffer bb = pd1.bytify();
+		PermDAO.Data rd2 = new PermDAO.Data();
+		rd2.reconstitute(bb);
+		check(pd1,rd2);
+		
+		// No Perms
+		pd1.roles.clear();
+		
+		bb = pd1.bytify();
+		rd2 = new PermDAO.Data();
+		rd2.reconstitute(bb);
+		check(pd1,rd2);
+		
+		// 1000 Perms
+		for(int i=0;i<1000;++i) {
+			pd1.roles(true).add("org.osaaf.<pass>.my.Role"+ i);
+		}
+
+		bb = pd1.bytify();
+		rd2 = new PermDAO.Data();
+		rd2.reconstitute(bb);
+		check(pd1,rd2);
+
+	}
+	
+	private void check(PermDAO.Data a, PermDAO.Data b) {
+		assertEquals(a.ns,b.ns);
+		assertEquals(a.type,b.type);
+		assertEquals(a.instance,b.instance);
+		assertEquals(a.action,b.action);
+		
+		assertEquals(a.roles.size(),b.roles.size());
+		for(String s: a.roles) {
+			assertTrue(b.roles.contains(s));
+		}
+	}
+
+	@Test
+	public void testUserRole() throws IOException {
+		UserRoleDAO.Data urd1 = new UserRoleDAO.Data();
+		urd1.user = "myname@abc.att.com";
+		urd1.role("org.osaaf.<pass>","my.role");
+		urd1.expires = new Date();
+
+		// Normal
+		ByteBuffer bb = urd1.bytify();
+		UserRoleDAO.Data urd2 = new UserRoleDAO.Data();
+		urd2.reconstitute(bb);
+		check(urd1,urd2);
+		
+		// A null
+		urd1.expires = null; 
+		urd1.role = null;
+		
+		bb = urd1.bytify();
+		urd2 = new UserRoleDAO.Data();
+		urd2.reconstitute(bb);
+		check(urd1,urd2);
+	}
+
+	private void check(UserRoleDAO.Data a, UserRoleDAO.Data b) {
+		assertEquals(a.user,b.user);
+		assertEquals(a.role,b.role);
+		assertEquals(a.expires,b.expires);
+	}
+
+	
+	@Test
+	public void testCred() throws IOException {
+		CredDAO.Data cd = new CredDAO.Data();
+		cd.id = "m55555@abc.att.com";
+		cd.ns = "org.osaaf.abc";
+		cd.type = 2;
+		cd.cred = ByteBuffer.wrap(new byte[]{1,34,5,3,25,0,2,5,3,4});
+		cd.expires = new Date();
+
+		// Normal
+		ByteBuffer bb = cd.bytify();
+		CredDAO.Data cd2 = new CredDAO.Data();
+		cd2.reconstitute(bb);
+		check(cd,cd2);
+		
+		// nulls
+		cd.expires = null;
+		cd.cred = null;
+		
+		bb = cd.bytify();
+		cd2 = new CredDAO.Data();
+		cd2.reconstitute(bb);
+		check(cd,cd2);
+
+	}
+
+	private void check(CredDAO.Data a, CredDAO.Data b) {
+		assertEquals(a.id,b.id);
+		assertEquals(a.ns,b.ns);
+		assertEquals(a.type,b.type);
+		if(a.cred==null) {
+			assertEquals(a.cred,b.cred); 
+		} else {
+			int l = a.cred.limit();
+			assertEquals(l,b.cred.limit());
+			for (int i=0;i<l;++i) {
+				assertEquals(a.cred.get(),b.cred.get());
+			}
+		}
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_CacheInfoDAO.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_CacheInfoDAO.java
new file mode 100644
index 00000000..7a1bd58c
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_CacheInfoDAO.java
@@ -0,0 +1,63 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.dao.aaf.test;
+
+import java.io.IOException;
+import java.util.Date;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.CIDAO;
+import org.onap.aaf.auth.dao.DAOException;
+import org.onap.aaf.auth.dao.cass.CacheInfoDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import junit.framework.Assert;
+
+
+public class JU_CacheInfoDAO extends AbsJUCass {
+
+	@Test
+	public void test() throws DAOException, APIException, IOException {
+		CIDAO<AuthzTrans> id = new CacheInfoDAO(trans, cluster, AUTHZ);
+		Date date  = new Date();
+		
+		id.touch(trans, RoleDAO.TABLE,1);
+		try {
+			Thread.sleep(3000);
+		} catch (InterruptedException e) {
+		}
+		Result<Void> rid = id.check(trans);
+		Assert.assertEquals(rid.status,Status.OK);
+		Date[] dates = CacheInfoDAO.info.get(RoleDAO.TABLE);
+		if(dates.length>0 && dates[1]!=null) {
+			System.out.println(Chrono.dateStamp(dates[1]));
+			System.out.println(Chrono.dateStamp(date));
+			Assert.assertTrue(Math.abs(dates[1].getTime() - date.getTime())<20000); // allow for 4 seconds, given Remote DB
+		}
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_CertDAO.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_CertDAO.java
new file mode 100644
index 00000000..8e8ed6ea
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_CertDAO.java
@@ -0,0 +1,103 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.dao.aaf.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.nio.ByteBuffer;
+import java.security.NoSuchAlgorithmException;
+import java.util.List;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.cass.CertDAO;
+import org.onap.aaf.auth.dao.cass.CertDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+/**
+ * UserDAO unit test.
+ * User: tp007s
+ * Date: 7/19/13
+ */
+public class JU_CertDAO  extends AbsJUCass {
+	@Test
+	public void test() throws IOException, NoSuchAlgorithmException, APIException {
+		CertDAO cdao = new CertDAO(trans,cluster,"authz");
+		try {
+			// Create
+	        CertDAO.Data data = new CertDAO.Data();
+	        data.serial=new BigInteger("11839383");
+	        data.id = "m55555@tguard.att.com";
+	        data.x500="CN=ju_cert.dao.att.com, OU=AAF, O=\"ATT Services, Inc.\", L=Southfield, ST=Michigan, C=US";
+	        data.x509="I'm a cert";
+	        data.ca = "aaf";
+			cdao.create(trans,data);
+
+//	        Bytification
+	        ByteBuffer bb = data.bytify();
+	        Data bdata = new CertDAO.Data();
+	        bdata.reconstitute(bb);
+	        checkData1(data, bdata);
+
+			// Validate Read with key fields in Data
+			Result<List<CertDAO.Data>> rlcd = cdao.read(trans,data);
+			assertTrue(rlcd.isOKhasData());
+			for(CertDAO.Data d : rlcd.value) {
+				checkData1(data,d);
+			}
+
+			// Validate Read with key fields in Data
+			rlcd = cdao.read(trans,data.ca,data.serial);
+			assertTrue(rlcd.isOKhasData());
+			for(CertDAO.Data d : rlcd.value) {
+				checkData1(data,d);
+			}
+
+			// Update
+			data.id = "m66666.tguard.att.com";
+			cdao.update(trans,data);
+			rlcd = cdao.read(trans,data);
+			assertTrue(rlcd.isOKhasData());
+			for(CertDAO.Data d : rlcd.value) {
+				checkData1(data,d);
+			}			
+			
+			cdao.delete(trans,data, true);
+		} finally {
+			cdao.close(trans);
+		}
+
+		
+	}
+
+	private void checkData1(Data data, Data d) {
+		assertEquals(data.ca,d.ca);
+		assertEquals(data.serial,d.serial);
+		assertEquals(data.id,d.id);
+		assertEquals(data.x500,d.x500);
+		assertEquals(data.x509,d.x509);
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_CredDAO.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_CredDAO.java
new file mode 100644
index 00000000..bb88a2aa
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_CredDAO.java
@@ -0,0 +1,250 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.dao.aaf.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.NoSuchAlgorithmException;
+import java.util.Date;
+import java.util.List;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.cass.CredDAO;
+import org.onap.aaf.auth.dao.cass.CredDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+/**
+ * UserDAO unit test.
+ * User: tp007s
+ * Date: 7/19/13
+ */
+public class JU_CredDAO  extends AbsJUCass {
+	@Test
+	public void test() throws IOException, NoSuchAlgorithmException, APIException {
+		CredDAO udao = new CredDAO(trans,cluster,"authz");
+		try {
+			// Create
+	        CredDAO.Data data = new CredDAO.Data();
+	        data.id = "m55555@aaf.att.com";
+	        data.type = CredDAO.BASIC_AUTH;
+	        data.notes = "temp pass";
+	        data.cred      = ByteBuffer.wrap(userPassToBytes("m55555","mypass"));
+	        data.other = 12;
+	        data.expires = new Date(System.currentTimeMillis() + 60000*60*24*90);
+			udao.create(trans,data);
+			
+//	        Bytification
+	        ByteBuffer bb = data.bytify();
+	        Data bdata = new CredDAO.Data();
+	        bdata.reconstitute(bb);
+	        checkData1(data, bdata);
+
+			// Validate Read with key fields in Data
+			Result<List<CredDAO.Data>> rlcd = udao.read(trans,data);
+			assertTrue(rlcd.isOKhasData());
+			for(CredDAO.Data d : rlcd.value) {
+				checkData1(data,d);
+			}
+			
+			// Update
+			data.cred = ByteBuffer.wrap(userPassToBytes("m55555","mynewpass"));
+			udao.update(trans,data);
+			rlcd = udao.read(trans,data);
+			assertTrue(rlcd.isOKhasData());
+			for(CredDAO.Data d : rlcd.value) {
+				checkData1(data,d);
+			}			
+			
+			udao.delete(trans,data, true);
+		} finally {
+			udao.close(trans);
+		}
+
+		
+	}
+
+	private void checkData1(Data data, Data d) {
+		assertEquals(data.id,d.id);
+		assertEquals(data.type,d.type);
+		assertEquals(data.ns,d.ns);
+		assertEquals(data.notes,d.notes);
+		assertEquals(data.cred,d.cred);
+		assertEquals(data.other,d.other);
+		assertEquals(data.expires,d.expires);
+	}
+
+//    private String                          CONST_myName = "MyName";
+//    public static final java.nio.ByteBuffer CONST_MY_CRED = get_CONST_MY_CRED();
+//    public static final int                 CONST_CRED_TYPE = 11;
+//
+//    public static final Date                CONST_UPDATE_DATE = new Date(System.currentTimeMillis()+60000*24);
+//    @Test
+//    public void test() {
+//        UserDAO ud = new UserDAO(trans, cluster,"authz");
+//        try {
+//            UserDAO.Data data = createPrototypeUserData();
+//            ud.create(trans, data);
+//
+//            // Validate Read with key fields in Data
+//            for(UserDAO.Data d : ud.read(trans, data)) {
+//                checkData1(data,d);
+//            }
+//
+//            // Validate readByName
+//            for(UserDAO.Data d : ud.read(trans, CONST_myName)) {
+//                checkData1(data,d);
+//            }
+//
+//            ud.delete(trans, data);
+//            List<UserDAO.Data> d_2 = ud.read(trans, CONST_myName);
+//
+//            // Validate that data was deleted
+//            assertEquals("User should not be found after deleted", 0, d_2.size() );
+//
+//            data = new UserDAO.Data();
+//            data.name = CONST_myName;
+//            data.cred = CONST_MY_CRED;
+//            data.cred_type= CONST_CRED_TYPE;
+//            data.expires = new Date(System.currentTimeMillis()+60000*24);
+//            final Result<UserDAO.Data> user = ud.r_create(trans, data);
+//            assertEquals("ud.createUser should work", Result.Status.OK, user.status);
+//
+//            checkDataIgnoreDateDiff(data, user.value);
+//
+//            // finally leave system in consistent state by deleting user again
+//            ud.delete(trans,data);
+//
+//        } catch (DAOException e) {
+//            e.printStackTrace();
+//            fail("Fail due to Exception");
+//        } finally {
+//            ud.close(trans);
+//        }
+//    }
+//
+//    private UserDAO.Data createPrototypeUserData() {
+//        UserDAO.Data data = new UserDAO.Data();
+//        data.name = CONST_myName;
+//
+//        data.cred_type = CONST_CRED_TYPE;
+//        data.cred      = CONST_MY_CRED;
+//        data.expires = CONST_UPDATE_DATE;
+//        return data;
+//    }
+//
+//    //    @Test
+//    //    public void testReadByUser() throws Exception {
+//    //           // this test was done above in our super test, since it uses the same setup
+//    //    }
+//
+//    @Test
+//    public void testFunctionCreateUser() throws Exception {
+//        String name = "roger_rabbit";
+//        Integer credType = CONST_CRED_TYPE;
+//        java.nio.ByteBuffer cred = CONST_MY_CRED;
+//        final UserDAO ud = new UserDAO(trans, cluster,"authz");
+//        final UserDAO.Data data = createPrototypeUserData();
+//        Result<UserDAO.Data> ret = ud.r_create(trans, data);
+//        Result<List<Data>> byUserNameLookup = ud.r_read(trans, name);
+//        
+//        assertEquals("sanity test w/ different username (different than other test cases) failed", name, byUserNameLookup.value.get(0).name);
+//        assertEquals("delete roger_rabbit failed", true, ud.delete(trans, byUserNameLookup.value.get(0)));
+//    }
+//
+//    @Test
+//    public void testLowLevelCassandraCreateData_Given_UserAlreadyPresent_ShouldPass() throws Exception {
+//        UserDAO ud = new UserDAO(trans, cluster,"authz");
+//
+//        final UserDAO.Data data = createPrototypeUserData();
+//        final UserDAO.Data data1 = ud.create(trans, data);
+//        final UserDAO.Data data2 = ud.create(trans, data);
+//
+//        assertNotNull(data1);
+//        assertNotNull(data2);
+//
+//        assertEquals(CONST_myName, data1.name);
+//        assertEquals(CONST_myName, data2.name);
+//    }
+//
+//    @Test
+//    public void testCreateUser_Given_UserAlreadyPresent_ShouldFail() throws Exception {
+//        UserDAO ud = new UserDAO(trans, cluster,"authz");
+//
+//        final UserDAO.Data data = createPrototypeUserData();
+//
+//        // make sure that some prev test did not leave the user in the DB
+//        ud.delete(trans, data);
+//
+//        // attempt to create same user twice !!!
+//        
+//        final Result<UserDAO.Data> data1 = ud.r_create(trans, data);
+//        final Result<UserDAO.Data> data2 = ud.r_create(trans, data);
+//
+//        assertNotNull(data1);
+//        assertNotNull(data2);
+//
+//        assertEquals(true,   Result.Status.OK == data1.status);
+//        assertEquals(false,  Result.Status.OK == data2.status);
+//    }
+//
+//    private void checkData1(UserDAO.Data data, UserDAO.Data d) {
+//        data.name = CONST_myName;
+//
+//        data.cred_type = CONST_CRED_TYPE;
+//        data.cred      = CONST_MY_CRED;
+//        data.expires   = CONST_UPDATE_DATE;
+//
+//        assertEquals(data.name, d.name);
+//        assertEquals(data.cred_type, d.cred_type);
+//        assertEquals(data.cred, d.cred);
+//        assertEquals(data.expires, d.expires);
+//
+//    }
+//
+//    private void checkDataIgnoreDateDiff(UserDAO.Data data, UserDAO.Data d) {
+//        data.name = CONST_myName;
+//
+//        data.cred_type = CONST_CRED_TYPE;
+//        data.cred      = CONST_MY_CRED;
+//        data.expires   = CONST_UPDATE_DATE;
+//
+//        assertEquals(data.name, d.name);
+//        assertEquals(data.cred_type, d.cred_type);
+//        assertEquals(data.cred, d.cred);
+//         // we allow dates to be different, e.g. high level calls e.g. createUser sets the date itself.
+//        //assertEquals(data.updated, d.updated);
+//
+//    }
+//
+//    /**
+//     * Get a CONST_MY_CRED ByteBuffer, which is the java type for a cass blob.
+//     * @return
+//     */
+//    private static java.nio.ByteBuffer get_CONST_MY_CRED() {
+//     return ByteBuffer.wrap("Hello".getBytes());
+//    }
+//
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_DelegateDAO.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_DelegateDAO.java
new file mode 100644
index 00000000..a518e509
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_DelegateDAO.java
@@ -0,0 +1,106 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.dao.aaf.test;
+
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.nio.ByteBuffer;
+import java.util.Date;
+import java.util.List;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.cass.DelegateDAO;
+import org.onap.aaf.auth.dao.cass.DelegateDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+
+
+public class JU_DelegateDAO  extends AbsJUCass {
+	@Test
+	public void testCRUD() throws Exception {
+		DelegateDAO dao = new DelegateDAO(trans, cluster, AUTHZ);
+		DelegateDAO.Data data = new DelegateDAO.Data();
+		data.user = "myname";
+		data.delegate = "yourname";
+		data.expires = new Date();
+		
+//        Bytification
+        ByteBuffer bb = data.bytify();
+        Data bdata = new DelegateDAO.Data();
+        bdata.reconstitute(bb);
+        compare(data, bdata);
+
+		try {
+			// Test create
+			Result<Data> ddcr = dao.create(trans,data);
+			assertTrue(ddcr.isOK());
+			
+			
+			// Read by User
+			Result<List<DelegateDAO.Data>> records = dao.read(trans,data.user);
+			assertTrue(records.isOKhasData());
+			for(DelegateDAO.Data rdata : records.value) 
+				compare(data,rdata);
+
+			// Read by Delegate
+			records = dao.readByDelegate(trans,data.delegate);
+			assertTrue(records.isOKhasData());
+			for(DelegateDAO.Data rdata : records.value) 
+				compare(data,rdata);
+			
+			// Update
+			data.delegate = "hisname";
+			data.expires = new Date();
+			assertTrue(dao.update(trans, data).isOK());
+
+			// Read by User
+			records = dao.read(trans,data.user);
+			assertTrue(records.isOKhasData());
+			for(DelegateDAO.Data rdata : records.value) 
+				compare(data,rdata);
+
+			// Read by Delegate
+			records = dao.readByDelegate(trans,data.delegate);
+			assertTrue(records.isOKhasData());
+			for(DelegateDAO.Data rdata : records.value) 
+				compare(data,rdata);
+
+			// Test delete
+			dao.delete(trans,data, true);
+			records = dao.read(trans,data.user);
+			assertTrue(records.isEmpty());
+			
+			
+		} finally {
+			dao.close(trans);
+		}
+	}
+	
+	private void compare(Data d1, Data d2) {
+		assertEquals(d1.user, d2.user);
+		assertEquals(d1.delegate, d2.delegate);
+		assertEquals(d1.expires,d2.expires);
+	}
+
+
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_FastCalling.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_FastCalling.java
new file mode 100644
index 00000000..d7886d3c
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_FastCalling.java
@@ -0,0 +1,89 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.dao.aaf.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.NoSuchAlgorithmException;
+import java.util.Date;
+import java.util.List;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.cass.CredDAO;
+import org.onap.aaf.auth.dao.cass.CredDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+public class JU_FastCalling extends AbsJUCass {
+
+	@Test
+	public void test() throws IOException, NoSuchAlgorithmException, APIException {
+		trans.setProperty("cassandra.writeConsistency.cred","ONE");
+		
+		CredDAO udao = new CredDAO(env.newTransNoAvg(),cluster,"authz");
+		System.out.println("Starting calls");
+		for(iterations=0;iterations<8;++iterations) {
+			try {
+				// Create
+		        CredDAO.Data data = new CredDAO.Data();
+		        data.id = "m55555@aaf.att.com";
+		        data.type = CredDAO.BASIC_AUTH;
+		        data.cred      = ByteBuffer.wrap(userPassToBytes("m55555","mypass"));
+		        data.expires = new Date(System.currentTimeMillis() + 60000*60*24*90);
+				udao.create(trans,data);
+				
+				// Validate Read with key fields in Data
+				Result<List<CredDAO.Data>> rlcd = udao.read(trans,data);
+				assertTrue(rlcd.isOKhasData());
+				for(CredDAO.Data d : rlcd.value) {
+					checkData1(data,d);
+				}
+				
+				// Update
+				data.cred = ByteBuffer.wrap(userPassToBytes("m55555","mynewpass"));
+				udao.update(trans,data);
+				rlcd = udao.read(trans,data);
+				assertTrue(rlcd.isOKhasData());
+				for(CredDAO.Data d : rlcd.value) {
+					checkData1(data,d);
+				}			
+				
+				udao.delete(trans,data, true);
+			} finally {
+				updateTotals();
+				newTrans();
+			}
+		}
+
+	}
+
+	private void checkData1(Data data, Data d) {
+		assertEquals(data.id,d.id);
+		assertEquals(data.type,d.type);
+		assertEquals(data.cred,d.cred);
+		assertEquals(data.expires,d.expires);
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_HistoryDAO.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_HistoryDAO.java
new file mode 100644
index 00000000..0b552a49
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_HistoryDAO.java
@@ -0,0 +1,153 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.dao.aaf.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
+import java.nio.ByteBuffer;
+import java.util.List;
+import java.util.Random;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.cass.HistoryDAO;
+import org.onap.aaf.auth.layer.Result;
+
+public class JU_HistoryDAO  extends AbsJUCass {
+	
+	@Test
+	public void testCreate() throws Exception {
+		HistoryDAO historyDAO = new HistoryDAO(trans, cluster, AUTHZ);
+		HistoryDAO.Data data = createHistoryData();
+		
+		try {
+			historyDAO.create(trans,data);			
+			Thread.sleep(200);// History Create is Async
+			Result<List<HistoryDAO.Data>> records = historyDAO.readByUser(trans,data.user,data.yr_mon);
+			assertTrue(records.isOKhasData());
+			for(HistoryDAO.Data d : records.value) {
+				assertHistory(data, d);
+			}
+		} finally {
+			historyDAO.close(trans);
+		}
+	}
+	
+	@Test
+	public void tesReadByUser() throws Exception {
+		HistoryDAO historyDAO = new HistoryDAO(trans,cluster, AUTHZ);
+		HistoryDAO.Data data = createHistoryData();
+		
+		try {
+			historyDAO.create(trans,data);
+			Thread.sleep(200);// History Create is Async
+			Result<List<HistoryDAO.Data>> records = historyDAO.readByUser(trans, data.user,data.yr_mon);
+			assertTrue(records.isOKhasData());
+			for(HistoryDAO.Data d : records.value) {
+				assertHistory(data, d);
+			}
+		} finally {
+			historyDAO.close(trans);
+		}
+	}
+	
+/*
+	@Test
+	public void readByUserAndMonth() throws Exception {
+		HistoryDAO historyDAO = new HistoryDAO(trans,cluster, AUTHZ);
+		HistoryDAO.Data data = createHistoryData();
+		
+		try {
+			historyDAO.create(trans,data);			
+			Thread.sleep(200);// History Create is Async
+			Result<List<HistoryDAO.Data>> records = historyDAO.readByUserAndMonth(trans,
+					data.user, Integer.valueOf(String.valueOf(data.yr_mon).substring(0, 4)),
+					Integer.valueOf(String.valueOf(data.yr_mon).substring(4, 6)));
+			assertTrue(records.isOKhasData());
+			for(HistoryDAO.Data d : records.value) {
+				assertHistory(data, d);
+			}
+		} finally {
+			historyDAO.close(trans);
+		}
+	}
+*/	
+	//TODO readadd this
+//	@Test
+//	public void readByUserAndDay() throws Exception {
+//		HistoryDAO historyDAO = new HistoryDAO(trans, cluster, AUTHZ);
+//		HistoryDAO.Data data = createHistoryData();
+//		
+//		try {
+//			historyDAO.create(trans, data);		
+//			Thread.sleep(200);// History Create is Async
+//			
+//			String dayTime = String.valueOf(data.day_time);
+//			String day = null;
+//			if (dayTime.length() < 8)
+//				day = dayTime.substring(0, 1);
+//			else 
+//				day = dayTime.substring(0, 2);
+//			
+//			List<HistoryDAO.Data> records = historyDAO.readByUserBetweenDates(trans,
+//							data.user, Integer.valueOf(String.valueOf(data.yr_mon).substring(0, 4)),
+//							Integer.valueOf(String.valueOf(data.yr_mon).substring(4, 6)),
+//							Integer.valueOf(day), 0);
+//			assertEquals(1,records.size());
+//			for(HistoryDAO.Data d : records) {
+//				assertHistory(data, d);
+//			}
+//		} finally {
+//			historyDAO.close(trans);
+//		}
+//	}
+	private HistoryDAO.Data createHistoryData() {
+		HistoryDAO.Data data = HistoryDAO.newInitedData();
+		Random random = new Random();
+		data.user = "test" + random.nextInt();
+		data.action = "add";
+		data.target = "history";
+		data.memo = "adding a row into history table";
+//		data.detail().put("id", "test");
+//		data.detail().put("name", "test");
+		//String temp = "Test Blob Message";
+		data.reconstruct = ByteBuffer.wrap("Temp Blob Message".getBytes());		
+		return data;
+	}
+	
+	private void assertHistory(HistoryDAO.Data ip, HistoryDAO.Data op) {
+		assertEquals(ip.yr_mon, op.yr_mon);		
+//		assertEquals(ip.day_time, op.day_time);		
+		assertEquals(ip.user, op.user);		
+		assertEquals(ip.action, op.action);
+		assertEquals(ip.target, op.target);
+		assertEquals(ip.memo, op.memo);
+		//TODO : have to see if third party assert utility can be used
+//		assertTrue(CollectionUtils.isEqualCollection(ip.detail, op.detail));
+//		for (String key : ip.detail().keySet()) {
+//			assertNotNull(op.detail().get(key));
+//		}
+		assertNotNull(op.reconstruct);
+	}
+	
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_NsDAO.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_NsDAO.java
new file mode 100644
index 00000000..eb064959
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_NsDAO.java
@@ -0,0 +1,185 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.dao.aaf.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.Set;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.cass.NsDAO;
+import org.onap.aaf.auth.dao.cass.NsType;
+import org.onap.aaf.auth.dao.cass.NsDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+
+public class JU_NsDAO extends AbsJUCass {
+	private static final String CRM = "ju_crm";
+	private static final String SWM = "ju_swm";
+
+	@Test
+	public void test() throws APIException, IOException  {
+		NsDAO nsd = new NsDAO(trans, cluster, AUTHZ);
+		try {
+			final String nsparent = "com.test";
+			final String ns1 = nsparent +".ju_ns";
+			final String ns2 = nsparent + ".ju_ns2";
+			
+			Map<String,String> oAttribs = new HashMap<String,String>();
+			oAttribs.put(SWM, "swm_data");
+			oAttribs.put(CRM, "crm_data");
+			Data data = new NsDAO.Data();
+			data.name = ns1;
+			data.type = NsType.APP.type;
+			data.attrib(true).putAll(oAttribs);
+			
+
+			Result<List<Data>> rdrr;
+
+			// CREATE
+			Result<Data> rdc = nsd.create(trans, data);
+			assertTrue(rdc.isOK());
+			
+			try {
+//		        Bytification
+		        ByteBuffer bb = data.bytify();
+		        Data bdata = new NsDAO.Data();
+		        bdata.reconstitute(bb);
+		        compare(data, bdata);
+
+				// Test READ by Object
+				rdrr = nsd.read(trans, data);
+				assertTrue(rdrr.isOKhasData());
+				assertEquals(rdrr.value.size(),1);
+				Data d = rdrr.value.get(0);
+				assertEquals(d.name,data.name);
+				assertEquals(d.type,data.type);
+				attribsEqual(d.attrib(false),data.attrib(false));
+				attribsEqual(oAttribs,data.attrib(false));
+				
+				// Test Read by Key
+				rdrr = nsd.read(trans, data.name);
+				assertTrue(rdrr.isOKhasData());
+				assertEquals(rdrr.value.size(),1);
+				d = rdrr.value.get(0);
+				assertEquals(d.name,data.name);
+				assertEquals(d.type,data.type);
+				attribsEqual(d.attrib(false),data.attrib(false));
+				attribsEqual(oAttribs,data.attrib(false));
+				
+				// Read NS by Type
+				Result<Set<String>> rtypes = nsd.readNsByAttrib(trans, SWM);
+				Set<String> types;
+				if(rtypes.notOK()) {
+					throw new IOException(rtypes.errorString());
+				} else {
+					types = rtypes.value;
+				}
+				assertEquals(1,types.size());
+				assertEquals(true,types.contains(ns1));
+				
+				// Add second NS to test list of data returned
+				Data data2 = new NsDAO.Data();
+				data2.name = ns2;
+				data2.type = 3; // app
+				Result<Data> rdc2 = nsd.create(trans, data2);
+				assertTrue(rdc2.isOK());
+				
+					// Interrupt - test PARENT
+					Result<List<Data>> rdchildren = nsd.getChildren(trans, "com.test");
+					assertTrue(rdchildren.isOKhasData());
+					boolean child1 = false;
+					boolean child2 = false;
+					for(Data dchild : rdchildren.value) {
+						if(ns1.equals(dchild.name))child1=true;
+						if(ns2.equals(dchild.name))child2=true;
+					}
+					assertTrue(child1);
+					assertTrue(child2);
+
+				// FINISH DATA 2 by deleting
+				Result<Void> rddr = nsd.delete(trans, data2, true);
+				assertTrue(rddr.isOK());
+
+				// ADD DESCRIPTION
+				String description = "This is my test Namespace";
+				assertFalse(description.equalsIgnoreCase(data.description));
+				
+				Result<Void> addDesc = nsd.addDescription(trans, data.name, description);
+				assertTrue(addDesc.isOK());
+				rdrr = nsd.read(trans, data);
+				assertTrue(rdrr.isOKhasData());
+				assertEquals(rdrr.value.size(),1);
+				assertEquals(rdrr.value.get(0).description,description);
+				
+				// UPDATE
+				String newDescription = "zz1234 Owns This Namespace Now";
+				oAttribs.put("mso", "mso_data");
+				data.attrib(true).put("mso", "mso_data");
+				data.description = newDescription;
+				Result<Void> update = nsd.update(trans, data);
+				assertTrue(update.isOK());
+				rdrr = nsd.read(trans, data);
+				assertTrue(rdrr.isOKhasData());
+				assertEquals(rdrr.value.size(),1);
+				assertEquals(rdrr.value.get(0).description,newDescription);
+				attribsEqual(oAttribs, rdrr.value.get(0).attrib);
+				
+				
+			} catch (IOException e) {
+				e.printStackTrace();
+			} finally {
+				// DELETE
+				Result<Void> rddr = nsd.delete(trans, data, true);
+				assertTrue(rddr.isOK());
+				rdrr = nsd.read(trans, data);
+				assertTrue(rdrr.isOK() && rdrr.isEmpty());
+				assertEquals(rdrr.value.size(),0);
+			}
+		} finally {
+			nsd.close(trans);
+		}
+	}
+
+	private void compare(NsDAO.Data d, NsDAO.Data data) {
+		assertEquals(d.name,data.name);
+		assertEquals(d.type,data.type);
+		attribsEqual(d.attrib(false),data.attrib(false));
+		attribsEqual(d.attrib(false),data.attrib(false));
+	}
+	
+	private void attribsEqual(Map<String,String> aa, Map<String,String> ba) {
+		assertEquals(aa.size(),ba.size());
+		for(Entry<String, String> es : aa.entrySet()) {
+			assertEquals(es.getValue(),ba.get(es.getKey()));
+		}
+	}
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_NsType.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_NsType.java
new file mode 100644
index 00000000..06e5f0ed
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_NsType.java
@@ -0,0 +1,58 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.dao.aaf.test;
+
+import static org.junit.Assert.assertEquals;
+
+import org.junit.AfterClass;
+import org.junit.Test;
+import org.onap.aaf.auth.dao.cass.NsType;
+
+public class JU_NsType {
+
+	@AfterClass
+	public static void tearDownAfterClass() throws Exception {
+	}
+
+	@Test
+	public void test() {
+		NsType nt,nt2;
+		String[] tests = new String[] {"DOT","ROOT","COMPANY","APP","STACKED_APP","STACK"};
+		for(String s : tests) {
+			nt = NsType.valueOf(s);
+			assertEquals(s,nt.name());
+			
+			nt2 = NsType.fromString(s);
+			assertEquals(nt,nt2);
+			
+			int t = nt.type;
+			nt2 = NsType.fromType(t);
+			assertEquals(nt,nt2);
+		}
+		
+		nt  = NsType.fromType(Integer.MIN_VALUE);
+		assertEquals(nt,NsType.UNKNOWN);
+		nt = NsType.fromString("Garbage");
+		assertEquals(nt,NsType.UNKNOWN);
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_PermDAO.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_PermDAO.java
new file mode 100644
index 00000000..1a407af7
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_PermDAO.java
@@ -0,0 +1,174 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.dao.aaf.test;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertTrue;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.List;
+import java.util.Set;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.dao.cass.PermDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+/**
+ * Test the PermissionDAO
+ * 
+ * Utilize AbsJUCass to initialize and pre-load Cass
+ * 
+ *
+ */
+public class JU_PermDAO extends AbsJUCass{
+
+	@Test
+	public void test() throws APIException, IOException {
+		PermDAO pd = new PermDAO(trans,cluster,"authz");
+		try {
+			PermDAO.Data data = new PermDAO.Data();
+			data.ns = "com.test.ju_perm";
+			data.type = "MyType";
+			data.instance = "MyInstance";
+			data.action = "MyAction";
+			data.roles(true).add(data.ns + ".dev");
+			
+
+
+			// CREATE
+			Result<Data> rpdc = pd.create(trans,data);
+			assertTrue(rpdc.isOK());
+
+			Result<List<PermDAO.Data>> rlpd;
+			try {
+//		        Bytification
+		        ByteBuffer bb = data.bytify();
+		        Data bdata = new PermDAO.Data();
+		        bdata.reconstitute(bb);
+		        compare(data, bdata);
+
+				// Validate Read with key fields in Data
+				if((rlpd = pd.read(trans,data)).isOK())
+				  for(PermDAO.Data d : rlpd.value) {
+					checkData1(data,d);
+				}
+				
+				// Validate readByName
+				if((rlpd = pd.readByType(trans,data.ns, data.type)).isOK())
+				  for(PermDAO.Data d : rlpd.value) {
+					checkData1(data,d);
+				}
+				
+				// Add Role
+				RoleDAO.Data role = new RoleDAO.Data();
+				role.ns = data.ns;
+				role.name = "test";
+				
+				Result<Void> rvpd = pd.addRole(trans, data, role.fullName());
+				assertTrue(rvpd.isOK());
+				// Validate Read with key fields in Data
+				if((rlpd = pd.read(trans,data)).isOK())
+				  for(PermDAO.Data d : rlpd.value) {
+					checkData2(data,d);
+				  }
+				
+				// Remove Role
+				rvpd = pd.delRole(trans, data, role.fullName());
+				assertTrue(rvpd.isOK());
+				if((rlpd = pd.read(trans,data)).isOK())
+					for(PermDAO.Data d : rlpd.value) {
+						checkData1(data,d);
+					}
+				
+				// Add Child
+				Data data2 = new Data();
+				data2.ns = data.ns;
+				data2.type = data.type + ".2";
+				data2.instance = data.instance;
+				data2.action = data.action;
+				
+				rpdc = pd.create(trans, data2);
+				assertTrue(rpdc.isOK());
+				try {
+					rlpd = pd.readChildren(trans, data.ns,data.type);
+					assertTrue(rlpd.isOKhasData());
+					assertEquals(rlpd.value.size(),1);
+					assertEquals(rlpd.value.get(0).fullType(),data2.fullType());
+				} finally {
+					// Delete Child
+					pd.delete(trans, data2,true);
+
+				}
+			} catch (IOException e) {
+				e.printStackTrace();
+			} finally {
+				// DELETE
+				Result<Void> rpdd = pd.delete(trans,data,true);
+				assertTrue(rpdd.isOK());
+				rlpd = pd.read(trans, data);
+				assertTrue(rlpd.isOK() && rlpd.isEmpty());
+				assertEquals(rlpd.value.size(),0);
+			}
+		} finally {
+			pd.close(trans);
+		}
+	}
+
+	private void compare(Data a, Data b) {
+		assertEquals(a.ns,b.ns);
+		assertEquals(a.type,b.type);
+		assertEquals(a.instance,b.instance);
+		assertEquals(a.action,b.action);
+		assertEquals(a.roles(false).size(),b.roles(false).size());
+		for(String s: a.roles(false)) {
+			assertTrue(b.roles(false).contains(s));
+		}
+	}
+	private void checkData1(Data data, Data d) {
+		assertEquals(data.ns,d.ns);
+		assertEquals(data.type,d.type);
+		assertEquals(data.instance,d.instance);
+		assertEquals(data.action,d.action);
+		
+		Set<String> ss = d.roles(true);
+		assertEquals(1,ss.size());
+		assertTrue(ss.contains(data.ns+".dev"));
+	}
+	
+	private void checkData2(Data data, Data d) {
+		assertEquals(data.ns,d.ns);
+		assertEquals(data.type,d.type);
+		assertEquals(data.instance,d.instance);
+		assertEquals(data.action,d.action);
+		
+		Set<String> ss = d.roles(true);
+		assertEquals(2,ss.size());
+		assertTrue(ss.contains(data.ns+".dev"));
+		assertTrue(ss.contains(data.ns+".test"));
+	}
+
+
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_RoleDAO.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_RoleDAO.java
new file mode 100644
index 00000000..fda818fc
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/aaf/test/JU_RoleDAO.java
@@ -0,0 +1,137 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.dao.aaf.test;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertTrue;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.List;
+
+import org.junit.Test;
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+
+public class JU_RoleDAO extends AbsJUCass {
+
+	@Test
+	public void test()  throws IOException, APIException {
+		RoleDAO rd = new RoleDAO(trans, cluster, AUTHZ);
+		try {
+			Data data = new RoleDAO.Data();
+			data.ns = "com.test.ju_role";
+			data.name = "role1";
+
+//	        Bytification
+	        ByteBuffer bb = data.bytify();
+	        Data bdata = new RoleDAO.Data();
+	        bdata.reconstitute(bb);
+	        compare(data, bdata);
+
+			// CREATE
+			Result<Data> rdc = rd.create(trans, data);
+			assertTrue(rdc.isOK());
+			Result<List<Data>> rdrr;
+			try {
+				// READ
+				rdrr = rd.read(trans, data);
+				assertTrue(rdrr.isOKhasData());
+				assertEquals(rdrr.value.size(),1);
+				Data d = rdrr.value.get(0);
+				assertEquals(d.perms.size(),0);
+				assertEquals(d.name,data.name);
+				assertEquals(d.ns,data.ns);
+
+				PermDAO.Data perm = new PermDAO.Data();
+				perm.ns = data.ns;
+				perm.type = "Perm";
+				perm.instance = "perm1";
+				perm.action = "write";
+				
+				// ADD Perm
+				Result<Void> rdar = rd.addPerm(trans, data, perm);
+				assertTrue(rdar.isOK());
+				rdrr = rd.read(trans, data);
+				assertTrue(rdrr.isOKhasData());
+				assertEquals(rdrr.value.size(),1);
+				assertEquals(rdrr.value.get(0).perms.size(),1);
+				assertTrue(rdrr.value.get(0).perms.contains(perm.encode()));
+				
+				// DEL Perm
+				rdar = rd.delPerm(trans, data,perm);
+				assertTrue(rdar.isOK());
+				rdrr = rd.read(trans, data);
+				assertTrue(rdrr.isOKhasData());
+				assertEquals(rdrr.value.size(),1);
+				assertEquals(rdrr.value.get(0).perms.size(),0);
+
+				// Add Child
+				Data data2 = new Data();
+				data2.ns = data.ns;
+				data2.name = data.name + ".2";
+				
+				rdc = rd.create(trans, data2);
+				assertTrue(rdc.isOK());
+				try {
+					rdrr = rd.readChildren(trans, data.ns,data.name);
+					assertTrue(rdrr.isOKhasData());
+					assertEquals(rdrr.value.size(),1);
+					assertEquals(rdrr.value.get(0).name,data.name + ".2");
+					
+					rdrr = rd.readChildren(trans, data.ns,"*");
+					assertTrue(rdrr.isOKhasData());
+					assertEquals(rdrr.value.size(),2);
+
+				} finally {
+					// Delete Child
+					rd.delete(trans, data2, true);
+				}
+	
+			} finally {
+				// DELETE
+				Result<Void> rddr = rd.delete(trans, data, true);
+				assertTrue(rddr.isOK());
+				rdrr = rd.read(trans, data);
+				assertTrue(rdrr.isOK() && rdrr.isEmpty());
+				assertEquals(rdrr.value.size(),0);
+			}
+		} finally {
+			rd.close(trans);
+		}
+	}
+
+	private void compare(Data a, Data b) {
+		assertEquals(a.name,b.name);
+		assertEquals(a.description, b.description);
+		assertEquals(a.ns,b.ns);
+		assertEquals(a.perms(false).size(),b.perms(false).size());
+		for(String p : a.perms(false)) {
+			assertTrue(b.perms(false).contains(p));
+		}
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectAAFLur.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectAAFLur.java
new file mode 100644
index 00000000..79d30c4c
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectAAFLur.java
@@ -0,0 +1,63 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.direct.test;
+
+import static org.junit.Assert.assertTrue;
+
+import java.security.Principal;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.direct.DirectAAFLur;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.cadi.Permission;
+import org.powermock.modules.junit4.PowerMockRunner;
+@RunWith(PowerMockRunner.class)
+public class JU_DirectAAFLur {
+	
+public static AuthzEnv env;
+public static Question question;
+public DirectAAFLur directAAFLur;
+
+
+
+	@Before
+	public void setUp()
+	{
+	directAAFLur = new DirectAAFLur(env, question);	
+	}
+	
+	@Test
+	public void testFish()
+	{
+		
+	Principal bait = null;
+	Permission pond=null;
+	directAAFLur.fish(bait, pond);	
+	
+	assertTrue(true);
+		
+	}
+	
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectAAFUserPass.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectAAFUserPass.java
new file mode 100644
index 00000000..6a25d991
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectAAFUserPass.java
@@ -0,0 +1,84 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.direct.test;
+
+import static org.junit.Assert.*;
+
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.mockito.Mockito.*;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.direct.DirectAAFUserPass;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.cadi.CredVal.Type;
+import org.powermock.core.classloader.annotations.PrepareForTest;
+import org.powermock.core.classloader.annotations.SuppressStaticInitializationFor;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+@RunWith(PowerMockRunner.class)
+public class JU_DirectAAFUserPass {
+
+	// TODO: Ian - This test is in shambles. fix it
+
+	//public static AuthzEnv env;
+	//public static Question question;
+	public DirectAAFUserPass directAAFUserPass;
+
+	@Mock
+	AuthzEnv env;
+
+	@Mock
+	Question question;
+
+	String user;
+
+	Type type; 
+
+	byte[] pass;
+
+	@Before
+	public void setUp() {
+		directAAFUserPass = new DirectAAFUserPass(env, question);
+	}
+
+	@Test
+	public void testvalidate(){
+
+		//	Boolean bolVal =  directAAFUserPass.validate(user, type, pass);
+		//	assertEquals((bolVal==null),true);
+
+		assertTrue(true);
+
+	}
+
+	@Test
+	public void notYetTested() {
+		fail("Tests not yet implemented");
+	}
+
+}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectCertIdentity.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectCertIdentity.java
new file mode 100644
index 00000000..07cd7ae9
--- /dev/null
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectCertIdentity.java
@@ -0,0 +1,71 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.direct.test;
+
+import static org.junit.Assert.*;
+
+import java.security.Principal;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.onap.aaf.auth.dao.cached.CachedCertDAO;
+import org.onap.aaf.auth.direct.DirectCertIdentity;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+@RunWith(PowerMockRunner.class)
+public class JU_DirectCertIdentity {
+	
+	public DirectCertIdentity directCertIdentity;
+	
+	@Before
+	public void setUp(){
+		directCertIdentity = new DirectCertIdentity();
+	}
+
+
+	@Mock
+	HttpServletRequest req;
+	X509Certificate cert;
+	byte[] _certBytes;
+	
+	@Test
+	public void testidentity(){
+		
+		try {
+		Principal p = directCertIdentity.identity(req, cert, _certBytes);
+		assertEquals(( (p) == null),true);
+			
+		} catch (CertificateException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+		//assertTrue(true);
+		
+	}
+
+}
diff --git a/auth/auth-certman/.gitignore b/auth/auth-certman/.gitignore
new file mode 100644
index 00000000..70922378
--- /dev/null
+++ b/auth/auth-certman/.gitignore
@@ -0,0 +1,6 @@
+/target/
+/logs/
+/.settings/
+/.classpath
+/tokens/
+/.project
diff --git a/auth/auth-certman/pom.xml b/auth/auth-certman/pom.xml
new file mode 100644
index 00000000..42be0418
--- /dev/null
+++ b/auth/auth-certman/pom.xml
@@ -0,0 +1,117 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.onap.aaf.auth</groupId>
+		<artifactId>parent</artifactId>
+		<version>2.1.0-SNAPSHOT</version>
+		<relativePath>../pom.xml</relativePath>
+	</parent>
+
+	<artifactId>aaf-auth-certman</artifactId>
+	<name>AAF Auth Certificate Manager</name>
+	<description>Certificate Manager API</description>
+
+	<properties>
+		<project.swmVersion>21</project.swmVersion>
+	</properties>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.onap.aaf.auth</groupId>
+			<artifactId>aaf-auth-core</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.auth</groupId>
+			<artifactId>aaf-auth-cass</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.cadi</groupId>
+			<artifactId>aaf-cadi-aaf</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>com.google.code.jscep</groupId>
+			<artifactId>jscep</artifactId>
+			<version>2.4.0</version>
+		</dependency>
+
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-jar-plugin</artifactId>
+				<configuration>
+					<includes>
+						<include>**/*.class</include>
+					</includes>
+				</configuration>
+				<version>2.3.1</version>
+			</plugin>
+
+			<!--This plugin's configuration is used to store Eclipse m2e settings 
+				only. It has no influence on the Maven build itself. -->
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-deploy-plugin</artifactId>
+				<configuration>
+					<skip>true</skip>
+				</configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.codehaus.mojo</groupId>
+				<artifactId>appassembler-maven-plugin</artifactId>
+				<configuration>
+					<programs>
+						<program>
+							<mainClass>org.onap.aaf.auth.cm.AAF_CM</mainClass>
+							<name>cm</name>
+							<commandLineArguments>
+				                <commandLineArgument>cadi_prop_files=${project.conf_dir}/org.osaaf.cm.props</commandLineArgument>
+				             </commandLineArguments>
+						</program>
+					</programs>
+				</configuration>
+			</plugin>
+			
+		</plugins>
+	</build>
+
+	<distributionManagement>
+		<repository>
+			<id>nexus</id>
+			<name>attarch-releases</name>
+			<url>http://mavencentral.it.att.com:8084/nexus/content/repositories/attarch-releases</url>
+		</repository>
+		<snapshotRepository>
+			<id>nexus</id>
+			<name>attarch-snapshots</name>
+			<url>http://mavencentral.it.att.com:8084/nexus/content/repositories/attarch-snapshots</url>
+		</snapshotRepository>
+	</distributionManagement>
+</project>
diff --git a/auth/auth-certman/src/main/config/.gitignore b/auth/auth-certman/src/main/config/.gitignore
new file mode 100644
index 00000000..e53ef90a
--- /dev/null
+++ b/auth/auth-certman/src/main/config/.gitignore
@@ -0,0 +1 @@
+/log4j.properties
diff --git a/auth/auth-certman/src/main/config/certman.props b/auth/auth-certman/src/main/config/certman.props
new file mode 100644
index 00000000..1cd42f48
--- /dev/null
+++ b/auth/auth-certman/src/main/config/certman.props
@@ -0,0 +1,22 @@
+##
+## AUTHZ Certman (authz-certman) Properties
+##
+
+hostname=_HOSTNAME_
+
+## DISCOVERY (DME2) Parameters on the Command Line
+AFT_LATITUDE=_AFT_LATITUDE_
+AFT_LONGITUDE=_AFT_LONGITUDE_
+AFT_ENVIRONMENT=_AFT_ENVIRONMENT_
+DEPLOYED_VERSION=_ARTIFACT_VERSION_
+
+## Pull in common/security properties
+
+cadi_prop_files=_COMMON_DIR_/com.att.aaf.common.props:_COMMON_DIR_/com.att.aaf.props
+
+##DME2 related parameters
+DMEServiceName=service=com.att.authz.certman/version=_MAJOR_VER_._MINOR_VER_._PATCH_VER_/envContext=_ENV_CONTEXT_/routeOffer=_ROUTE_OFFER_
+AFT_DME2_PORT_RANGE=_AUTHZ_CERTMAN_PORT_RANGE_
+
+
+
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java
new file mode 100644
index 00000000..c1bc8202
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java
@@ -0,0 +1,239 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+
+package org.onap.aaf.auth.cm;
+
+import java.lang.reflect.Constructor;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.TreeMap;
+
+import javax.servlet.Filter;
+
+import org.onap.aaf.auth.cache.Cache;
+import org.onap.aaf.auth.cache.Cache.Dated;
+import org.onap.aaf.auth.cm.api.API_Artifact;
+import org.onap.aaf.auth.cm.api.API_Cert;
+import org.onap.aaf.auth.cm.ca.CA;
+import org.onap.aaf.auth.cm.facade.Facade1_0;
+import org.onap.aaf.auth.cm.facade.FacadeFactory;
+import org.onap.aaf.auth.cm.mapper.Mapper.API;
+import org.onap.aaf.auth.cm.service.CMService;
+import org.onap.aaf.auth.cm.service.Code;
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.cass.LocateDAO;
+import org.onap.aaf.auth.direct.DirectLocatorCreator;
+import org.onap.aaf.auth.direct.DirectRegistrar;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.env.AuthzTransFilter;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.auth.server.AbsService;
+import org.onap.aaf.auth.server.JettyServiceStarter;
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
+import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;
+import org.onap.aaf.cadi.aaf.v2_0.AAFTrustChecker;
+import org.onap.aaf.cadi.aaf.v2_0.AbsAAFLocator;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.register.Registrant;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Data;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.util.Split;
+
+import com.datastax.driver.core.Cluster;
+
+public class AAF_CM extends AbsService<AuthzEnv, AuthzTrans> {
+
+	private static final String USER_PERMS = "userPerms";
+	private static final Map<String,CA> certAuths = new TreeMap<String,CA>();
+	public Facade1_0 facade1_0; // this is the default Facade
+	public Facade1_0 facade1_0_XML; // this is the XML Facade
+	public Map<String, Dated> cacheUser;
+	public AAFAuthn<?> aafAuthn;
+	public AAFLurPerm aafLurPerm;
+	final public Cluster cluster;
+	public final LocateDAO locateDAO;
+
+
+	/**
+	 * Construct AuthzAPI with all the Context Supporting Routes that Authz needs
+	 * 
+	 * @param env
+	 * @param si 
+	 * @param dm 
+	 * @param decryptor 
+	 * @throws APIException 
+	 */
+	public AAF_CM(AuthzEnv env) throws Exception {
+		super(env.access(),env);
+		aafLurPerm = aafCon().newLur();
+		// Note: If you need both Authn and Authz construct the following:
+		aafAuthn = aafCon().newAuthn(aafLurPerm);
+
+		String aaf_env = env.getProperty(Config.AAF_ENV);
+		if(aaf_env==null) {
+			throw new APIException("aaf_env needs to be set");
+		}
+
+		// Initialize Facade for all uses
+		AuthzTrans trans = env.newTrans();
+
+		cluster = org.onap.aaf.auth.dao.CassAccess.cluster(env,null);
+		locateDAO = new LocateDAO(trans,cluster,CassAccess.KEYSPACE);
+
+		// Have AAFLocator object Create DirectLocators for Location needs
+		AbsAAFLocator.setCreator(new DirectLocatorCreator(env, locateDAO));
+
+		// Load Supported Certificate Authorities by property
+		// Note: Some will be dynamic Properties, so we need to look through all
+		for(Entry<Object, Object> es : env.access().getProperties().entrySet()) {
+			String key = es.getKey().toString();
+			if(key.startsWith(CA.CM_CA_PREFIX)) {
+				int idx = key.indexOf('.');
+				if(idx==key.lastIndexOf('.')) { // else it's a regular property 
+	
+					env.log(Level.INIT, "Loading Certificate Authority Module: " + key.substring(idx+1));
+					String[] segs = Split.split(',', env.getProperty(key));
+					if(segs.length>0) {
+						String[][] multiParams = new String[segs.length-1][];
+						for(int i=0;i<multiParams.length;++i) {
+							multiParams[i]=Split.split(';',segs[1+i]);
+						}
+						@SuppressWarnings("unchecked")
+						Class<CA> cac = (Class<CA>)Class.forName(segs[0]);
+						Constructor<CA> cons = cac.getConstructor(new Class<?>[] {
+							Access.class,String.class,String.class,String[][].class
+						});
+						Object pinst[] = new Object[4];
+						pinst[0]=env;
+						pinst[1]= key.substring(idx+1);
+						pinst[2]= aaf_env;
+						pinst[3] = multiParams; 
+						CA ca = cons.newInstance(pinst);
+						certAuths.put(ca.getName(),ca);
+					}
+				}
+			}
+		}
+		if(certAuths.size()==0) {
+			throw new APIException("No Certificate Authorities have been configured in CertMan");
+		}
+
+		CMService service = new CMService(trans, this);
+		// note: Service knows how to shutdown Cluster on Shutdown, etc.  See Constructor
+		facade1_0 = FacadeFactory.v1_0(this,trans, service,Data.TYPE.JSON);   // Default Facade
+		facade1_0_XML = FacadeFactory.v1_0(this,trans,service,Data.TYPE.XML); 
+
+
+		synchronized(env) {
+			if(cacheUser == null) {
+				cacheUser = Cache.obtain(USER_PERMS);
+				Cache.startCleansing(env, USER_PERMS);
+			}
+		}
+
+		////////////////////////////////////////////////////////////////////////////
+		// APIs
+		////////////////////////////////////////////////////////////////////////
+		API_Cert.init(this);
+		API_Artifact.init(this);
+
+		StringBuilder sb = new StringBuilder();
+		trans.auditTrail(2, sb);
+		trans.init().log(sb);
+	}
+
+	public CA getCA(String key) {
+		return certAuths.get(key);
+	}
+
+	/**
+	 * Setup XML and JSON implementations for each supported Version type
+	 * 
+	 * We do this by taking the Code passed in and creating clones of these with the appropriate Facades and properties
+	 * to do Versions and Content switches
+	 * 
+	 */
+	public void route(HttpMethods meth, String path, API api, Code code) throws Exception {
+		String version = "1.0";
+		// Get Correct API Class from Mapper
+		Class<?> respCls = facade1_0.mapper().getClass(api); 
+		if(respCls==null) throw new Exception("Unknown class associated with " + api.getClass().getName() + ' ' + api.name());
+		// setup Application API HTML ContentTypes for JSON and Route
+		String application = applicationJSON(respCls, version);
+		route(env,meth,path,code,application,"application/json;version="+version,"*/*");
+
+		// setup Application API HTML ContentTypes for XML and Route
+		application = applicationXML(respCls, version);
+		route(env,meth,path,code.clone(facade1_0_XML),application,"application/xml;version="+version);
+
+		// Add other Supported APIs here as created
+	}
+
+	public void routeAll(HttpMethods meth, String path, API api, Code code) throws Exception {
+		route(env,meth,path,code,""); // this will always match
+	}
+
+	@Override
+	public Filter[] filters() throws CadiException, LocatorException {
+		try {
+			return new Filter[] {
+					new AuthzTransFilter(env,aafCon(),
+		        			new AAFTrustChecker((Env)env))
+				};
+		} catch (NumberFormatException e) {
+			throw new CadiException("Invalid Property information", e);
+		}
+	}
+
+	@SuppressWarnings("unchecked")
+	@Override
+	public Registrant<AuthzEnv>[] registrants(final int port) throws CadiException, LocatorException {
+		return new Registrant[] {
+			new DirectRegistrar(access,locateDAO,app_name,app_version,port)
+		};
+	}
+
+	public void destroy() {
+		Cache.stopTimer();
+		locateDAO.close(env.newTransNoAvg());
+		cluster.close();
+	}
+
+	public static void main(final String[] args) {
+		PropAccess propAccess = new PropAccess(args);
+		try {
+ 			AAF_CM service = new AAF_CM(new AuthzEnv(propAccess));
+//			env.setLog4JNames("log4j.properties","authz","cm","audit","init","trace");
+			JettyServiceStarter<AuthzEnv,AuthzTrans> jss = new JettyServiceStarter<AuthzEnv,AuthzTrans>(service);
+			jss.start();
+		} catch (Exception e) {
+			e.printStackTrace();
+		}
+	}
+}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/api/API_Artifact.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/api/API_Artifact.java
new file mode 100644
index 00000000..5c067ce1
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/api/API_Artifact.java
@@ -0,0 +1,134 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cm.api;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.http.HttpStatus;
+import org.onap.aaf.auth.cm.AAF_CM;
+import org.onap.aaf.auth.cm.mapper.Mapper.API;
+import org.onap.aaf.auth.cm.service.Code;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.rserv.HttpMethods;
+
+/**
+ * API Deployment Artifact Apis.. using Redirect for mechanism
+ * 
+ * @author Jonathan
+ *
+ */
+public class API_Artifact {
+	private static final String GET_ARTIFACTS = "Get Artifacts";
+
+	/**
+	 * Normal Init level APIs
+	 * 
+	 * @param cmAPI
+	 * @param facade
+	 * @throws Exception
+	 */
+	public static void init(final AAF_CM cmAPI) throws Exception {
+		cmAPI.route(HttpMethods.POST, "/cert/artifacts", API.ARTIFACTS, new Code(cmAPI,"Create Artifacts") {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.createArtifacts(trans, req, resp);
+				if(r.isOK()) {
+					resp.setStatus(HttpStatus.CREATED_201);
+				} else {
+					context.error(trans,resp,r);
+				}
+			}
+		});
+
+		/**
+		 * Use Query Params to get Artifacts by Machine or MechID
+		 */
+		cmAPI.route(HttpMethods.GET, "/cert/artifacts", API.ARTIFACTS, new Code(cmAPI,GET_ARTIFACTS) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.readArtifacts(trans, req, resp);
+				if(r.isOK()) {
+					resp.setStatus(HttpStatus.OK_200);
+				} else {
+					context.error(trans,resp,r);
+				}
+			}
+		});
+
+
+		cmAPI.route(HttpMethods.GET, "/cert/artifacts/:mechid/:machine", API.ARTIFACTS, new Code(cmAPI,GET_ARTIFACTS) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				
+				Result<Void> r = context.readArtifacts(trans, resp, pathParam(req,":mechid"), pathParam(req,":machine"));
+				if(r.isOK()) {
+					resp.setStatus(HttpStatus.OK_200);
+				} else {
+					context.error(trans,resp,r);
+				}
+			}
+		});
+		
+		
+		cmAPI.route(HttpMethods.PUT, "/cert/artifacts", API.ARTIFACTS, new Code(cmAPI,"Update Artifacts") {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.updateArtifacts(trans, req, resp);
+				if(r.isOK()) {
+					resp.setStatus(HttpStatus.OK_200);
+				} else {
+					context.error(trans,resp,r);
+				}
+			}
+		});
+
+		cmAPI.route(HttpMethods.DELETE, "/cert/artifacts/:mechid/:machine", API.VOID, new Code(cmAPI,"Delete Artifacts") {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.deleteArtifacts(trans, resp, 
+						pathParam(req, ":mechid"), pathParam(req,":machine"));
+				if(r.isOK()) {
+					resp.setStatus(HttpStatus.OK_200);
+				} else {
+					context.error(trans,resp,r);
+				}
+			}
+		});
+		
+
+		cmAPI.route(HttpMethods.DELETE, "/cert/artifacts", API.VOID, new Code(cmAPI,"Delete Artifacts") {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.deleteArtifacts(trans, req, resp);
+				if(r.isOK()) {
+					resp.setStatus(HttpStatus.OK_200);
+				} else {
+					context.error(trans,resp,r);
+				}
+			}
+		});
+		
+
+	}
+}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/api/API_Cert.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/api/API_Cert.java
new file mode 100644
index 00000000..0cea9c73
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/api/API_Cert.java
@@ -0,0 +1,142 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cm.api;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.http.HttpStatus;
+import org.onap.aaf.auth.cm.AAF_CM;
+import org.onap.aaf.auth.cm.ca.CA;
+import org.onap.aaf.auth.cm.mapper.Mapper.API;
+import org.onap.aaf.auth.cm.service.Code;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.misc.env.Slot;
+
+/**
+ * API Apis.. using Redirect for mechanism
+ * 
+ * @author Jonathan
+ *
+ */
+public class API_Cert {
+	public static final String CERT_AUTH = "CertAuthority";
+	private static Slot sCertAuth;
+
+	/**
+	 * Normal Init level APIs
+	 * 
+	 * @param aafCM
+	 * @param facade
+	 * @throws Exception
+	 */
+	public static void init(final AAF_CM aafCM) throws Exception {
+		// Check for Created Certificate Authorities in TRANS
+		sCertAuth = aafCM.env.slot(CERT_AUTH);
+		
+		////////
+		// Overall APIs
+		///////
+		aafCM.route(HttpMethods.PUT,"/cert/:ca",API.CERT_REQ,new Code(aafCM,"Request Certificate") {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				String key = pathParam(req, ":ca");
+				CA ca;
+				if((ca = aafCM.getCA(key))==null) {
+					context.error(trans,resp,Result.ERR_BadData,"CA %s is not supported",key);
+				} else {
+					trans.put(sCertAuth, ca);
+					Result<Void> r = context.requestCert(trans, req, resp, ca);
+					if(r.isOK()) {
+						resp.setStatus(HttpStatus.OK_200);
+					} else {
+						context.error(trans,resp,r);
+					}
+				}
+			}
+		});
+		
+		aafCM.route(HttpMethods.GET,"/cert/:ca/personal",API.CERT,new Code(aafCM,"Request Personal Certificate") {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				String key = pathParam(req, ":ca");
+				CA ca;
+				if((ca = aafCM.getCA(key))==null) {
+					context.error(trans,resp,Result.ERR_BadData,"CA %s is not supported",key);
+				} else {
+					trans.put(sCertAuth, ca);
+					Result<Void> r = context.requestPersonalCert(trans, req, resp, ca);
+					if(r.isOK()) {
+						resp.setStatus(HttpStatus.OK_200);
+					} else {
+						context.error(trans,resp,r);
+					}
+				}
+			}
+		});
+
+		
+		/**
+		 * 
+		 */
+		aafCM.route(HttpMethods.GET, "/cert/may/:perm", API.VOID, new Code(aafCM,"Check Permission") {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.check(trans, resp, pathParam(req,"perm"));
+				if(r.isOK()) {
+					resp.setStatus(HttpStatus.OK_200);
+				} else {
+					trans.checkpoint(r.errorString());
+					context.error(trans,resp,Result.err(Result.ERR_Denied,"%s does not have Permission.",trans.user()));
+				}
+			}
+		});
+
+		/**
+		 * Get Cert by ID and Machine 
+		 */
+
+		
+		/**
+		 * Get Certs by ID
+		 */
+		aafCM.route(HttpMethods.GET, "/cert/id/:id", API.CERT, new Code(aafCM,"GetByID") {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.readCertsByMechID(trans, resp, pathParam(req,"id"));
+				if(r.isOK()) {
+					resp.setStatus(HttpStatus.OK_200);
+				} else {
+					context.error(trans,resp,r);
+				}
+			}
+		});
+
+		
+		/**
+		 * Get Certs by Machine
+		 */
+		
+	}
+}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
new file mode 100644
index 00000000..521c5016
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
@@ -0,0 +1,209 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.auth.cm.ca;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.MessageDigest;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.onap.aaf.auth.cm.cert.CSRMeta;
+import org.onap.aaf.auth.cm.cert.RDN;
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.misc.env.Trans;
+import org.onap.aaf.misc.env.util.Split;
+
+public abstract class CA {
+	private static final String MUST_EXIST_TO_CREATE_CSRS_FOR = " must exist to create CSRs for ";
+	//TODO figuring out what is an Issuing CA is a matter of convention.  Consider SubClassing for Open Source
+	public static final String ISSUING_CA = "Issuing CA";
+	public static final String CM_CA_PREFIX = "cm_ca.";
+	public static final String CM_CA_BASE_SUBJECT = ".baseSubject";
+	protected static final String CM_PUBLIC_DIR = "cm_public_dir";
+	private static final String CM_TRUST_CAS = "cm_trust_cas";
+	protected static final String CM_BACKUP_CAS = "cm_backup_cas";
+
+	public static final Set<String> EMPTY = Collections.unmodifiableSet(new HashSet<String>());
+
+	
+	private final String name,env;
+	private MessageDigest messageDigest;
+	private final String permType;
+	private Set<String> caIssuerDNs;
+	private final ArrayList<String> idDomains;
+	private String[] trustedCAs;
+	private List<RDN> rdns; 
+
+
+	protected CA(Access access, String caName, String env) throws IOException, CertException {
+		trustedCAs = new String[4]; // starting array
+		this.name = caName;
+		this.env = env;
+		permType = access.getProperty(CM_CA_PREFIX + name + ".perm_type",null);
+		if(permType==null) {
+			throw new CertException(CM_CA_PREFIX + name + ".perm_type" + MUST_EXIST_TO_CREATE_CSRS_FOR + caName);
+		}
+		caIssuerDNs = new HashSet<String>();
+		
+		String tag = CA.CM_CA_PREFIX+caName+CA.CM_CA_BASE_SUBJECT;
+		
+		String fields = access.getProperty(tag, null);
+		if(fields==null) {
+			throw new CertException(tag + MUST_EXIST_TO_CREATE_CSRS_FOR + caName);
+		}
+		for(RDN rdn : rdns = RDN.parse('/',fields)) {
+			if(rdn.aoi==BCStyle.EmailAddress) { // Cert Specs say Emails belong in Subject
+				throw new CertException("email address is not allowed in " + CM_CA_BASE_SUBJECT);
+			}
+		}
+		
+		idDomains = new ArrayList<String>();
+		StringBuilder sb = null;
+		for(String s : Split.splitTrim(',', access.getProperty(CA.CM_CA_PREFIX+caName+".idDomains", ""))) {
+			if(s.length()>0) {
+				if(sb==null) {
+					sb = new StringBuilder();
+				} else {
+					sb.append(", ");
+				}
+				idDomains.add(s);
+				sb.append(s);
+			}
+		}
+		if(sb!=null) {
+			access.printf(Level.INIT, "CA '%s' supports Personal Certificates for %s", caName, sb);
+		}
+		
+		String data_dir = access.getProperty(CM_PUBLIC_DIR,null);
+		if(data_dir!=null) {
+			File data = new File(data_dir);
+			byte[] bytes;
+			if(data.exists()) {
+				String trust_cas = access.getProperty(CM_TRUST_CAS,null);
+				if(trust_cas!=null) {
+					for(String fname : Split.splitTrim(',', trust_cas)) {
+						File crt = new File(data,fname);
+						if(crt.exists()) {
+							access.printf(Level.INIT, "Loading CA Cert from %s", crt.getAbsolutePath());
+							bytes = new byte[(int)crt.length()];
+							FileInputStream fis = new FileInputStream(crt);
+							try {
+								fis.read(bytes);
+								addTrustedCA(new String(bytes));
+							} finally {
+								fis.close();
+							}
+						} else {
+							access.printf(Level.INIT, "FAILED to Load CA Cert from %s", crt.getAbsolutePath());
+						}
+					}
+				} else {
+					access.printf(Level.INIT, "Cannot load external TRUST CAs: No property %s",CM_TRUST_CAS);
+				}
+			} else {
+				access.printf(Level.INIT, "Cannot load external TRUST CAs: %s doesn't exist, or is not accessible",data.getAbsolutePath());
+			}
+		}
+	}
+
+	protected void addCaIssuerDN(String issuerDN) {
+		caIssuerDNs.add(issuerDN);
+	}
+	
+	protected synchronized void addTrustedCA(final String crtString) {
+		String crt;
+		if(crtString.endsWith("\n")) {
+			crt = crtString;
+		} else {
+			crt = crtString + '\n';
+		}
+		for(int i=0;i<trustedCAs.length;++i) {
+			if(trustedCAs[i]==null) {
+				trustedCAs[i]=crt;
+				return;
+			}
+		}
+		String[] temp = new String[trustedCAs.length+5];
+		System.arraycopy(trustedCAs,0,temp, 0, trustedCAs.length);
+		temp[trustedCAs.length]=crt;
+		trustedCAs = temp;
+	}
+	
+	public Set<String> getCaIssuerDNs() {
+		return caIssuerDNs;
+	}
+	
+	public String[] getTrustedCAs() {
+		return trustedCAs;
+	}
+	
+	public String getEnv() {
+		return env;
+	}
+
+	protected void setMessageDigest(MessageDigest md) {
+		messageDigest = md;
+	}
+
+	/*
+	 * End Required Constructor calls
+	 */
+
+	public String getName() {
+		return name;
+	}
+	
+	
+	public String getPermType() {
+		return permType;
+	}
+	
+	public abstract X509andChain sign(Trans trans, CSRMeta csrmeta) throws IOException, CertException;
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.cm.ca.CA#inPersonalDomains(java.security.Principal)
+	 */
+	public boolean inPersonalDomains(Principal p) {
+		int at = p.getName().indexOf('@');
+		if(at>=0) {
+			return idDomains.contains(p.getName().substring(at+1));
+		} else {
+			return false;
+		}
+	}
+
+	public MessageDigest messageDigest() {
+		return messageDigest;
+	}
+
+	public CSRMeta newCSRMeta() {
+		return new CSRMeta(rdns);
+	}
+}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/JscepCA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/JscepCA.java
new file mode 100644
index 00000000..ae4e21aa
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/JscepCA.java
@@ -0,0 +1,268 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.auth.cm.ca;
+
+import java.io.FileReader;
+import java.io.IOException;
+import java.net.Authenticator;
+import java.net.MalformedURLException;
+import java.net.PasswordAuthentication;
+import java.net.URL;
+import java.security.cert.CertStoreException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.jscep.client.Client;
+import org.jscep.client.ClientException;
+import org.jscep.client.EnrollmentResponse;
+import org.jscep.client.verification.CertificateVerifier;
+import org.jscep.transaction.TransactionException;
+import org.onap.aaf.auth.cm.cert.BCFactory;
+import org.onap.aaf.auth.cm.cert.CSRMeta;
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.Locator.Item;
+import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.locator.HotPeerLocator;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+import org.onap.aaf.misc.env.util.Split;
+
+public class JscepCA extends CA {
+	static final String CA_PREFIX = "http://";
+	static final String CA_POSTFIX="/certsrv/mscep_admin/mscep.dll";
+
+	private final static String MS_PROFILE="1";
+	private final static int MAX_RETRY=3;
+	public static final long INVALIDATE_TIME = 1000*60*10; // 10 mins
+
+	// package on purpose
+	private Map<String,X509ChainWithIssuer> mxcwi_s;
+	private Map<Client,X509ChainWithIssuer> mxcwi_c;
+
+
+	private JscepClientLocator clients;
+
+	public JscepCA(final Access access, final String name, final String env, String [][] params) throws IOException, CertException, LocatorException {
+ 		super(access, name, env);
+ 		mxcwi_s = new ConcurrentHashMap<String,X509ChainWithIssuer>();
+ 		mxcwi_c = new ConcurrentHashMap<Client,X509ChainWithIssuer>();
+ 		
+ 		if(params.length<2) {
+ 			throw new CertException("No Trust Chain parameters are included");
+ 		} 
+ 		if(params[0].length<2) {
+ 			throw new CertException("User/Password required for JSCEP");
+ 		}
+ 		final String id = params[0][0];
+ 		final String pw = params[0][1]; 
+		
+		// Set this for NTLM password Microsoft
+		Authenticator.setDefault(new Authenticator() {
+			  public PasswordAuthentication getPasswordAuthentication () {
+		            try {
+						return new PasswordAuthentication (id,access.decrypt(pw,true).toCharArray());
+					} catch (IOException e) {
+						access.log(e);
+					}
+					return null;
+		      }
+		});
+		
+		StringBuilder urlstr = new StringBuilder();
+
+		for(int i=1;i<params.length;++i) { // skip first section, which is user/pass
+			// Work 
+			if(i>1) {
+				urlstr.append(','); // delimiter
+			}
+			urlstr.append(params[i][0]);
+			
+			String dir = access.getProperty(CM_PUBLIC_DIR, "");
+			if(!"".equals(dir) && !dir.endsWith("/")) {
+				dir = dir + '/';
+			}
+			String path;
+			List<FileReader> frs = new ArrayList<FileReader>(params.length-1);
+			try {
+				for(int j=1; j<params[i].length; ++j) { // first 3 taken up, see above
+					path = !params[i][j].contains("/")?dir+params[i][j]:params[i][j];
+					access.printf(Level.INIT, "Loading a TrustChain Member for %s from %s",name, path);
+					frs.add(new FileReader(path));
+				}
+				X509ChainWithIssuer xcwi = new X509ChainWithIssuer(frs);
+				addCaIssuerDN(xcwi.getIssuerDN());
+				mxcwi_s.put(params[i][0],xcwi);
+			} finally {
+				for(FileReader fr : frs) {
+					if(fr!=null) {
+						fr.close();
+					}
+				}
+			}
+		}		
+		clients = new JscepClientLocator(access,urlstr.toString());
+	}
+
+	// package on purpose
+	
+	@Override
+	public X509ChainWithIssuer sign(Trans trans, CSRMeta csrmeta) throws IOException, CertException {
+		TimeTaken tt = trans.start("Generating CSR and Keys for New Certificate", Env.SUB);
+		PKCS10CertificationRequest csr;
+		try {
+			csr = csrmeta.generateCSR(trans);
+			if(trans.info().isLoggable()) {
+				trans.info().log(BCFactory.toString(csr));
+			} 
+			if(trans.info().isLoggable()) {
+				trans.info().log(csr);
+			}
+		} finally {
+			tt.done();
+		}
+		
+		tt = trans.start("Enroll CSR", Env.SUB);
+		Client client = null;
+		Item item = null;
+		for(int i=0; i<MAX_RETRY;++i) {
+			try {
+				item = clients.best();
+				client = clients.get(item);
+				
+				EnrollmentResponse er = client.enrol(
+						csrmeta.initialConversationCert(trans),
+						csrmeta.keypair(trans).getPrivate(),
+						csr,
+						MS_PROFILE /* profile... MS can't deal with blanks*/);
+				
+				while(true) {
+					if(er.isSuccess()) {
+						trans.checkpoint("Cert from " + clients.info(item));
+						X509Certificate x509 = null;
+						for( Certificate cert : er.getCertStore().getCertificates(null)) {
+							if(x509==null) {
+								x509 = (X509Certificate)cert;
+								break;
+							}
+						}
+						X509ChainWithIssuer mxcwi = mxcwi_c.get(client);
+						return new X509ChainWithIssuer(mxcwi,x509);
+//						break;
+					} else if (er.isPending()) {
+						trans.checkpoint("Polling, waiting on CA to complete");
+						Thread.sleep(3000);
+					} else if (er.isFailure()) {
+//						switch(er.getFailInfo()) {
+//							case badMessageCheck:
+//								throw new ClientException("Received BadMessageCheck from Jscep");
+//							case badAlg:
+//							case badCertId:
+//							case badRequest:
+//							case badTime:
+//							default:
+//						}
+						throw new CertException(clients.info(item)+':'+er.getFailInfo().toString());
+					}
+				}
+				//i=MAX_RETRY;
+			} catch(LocatorException e) {
+				trans.error().log(e);
+				i=MAX_RETRY;
+			} catch (ClientException e) {
+				trans.error().log(e,"SCEP Client Error, Temporarily Invalidating Client: " + clients.info(item));
+				try  { 
+					clients.invalidate(client);
+					if(!clients.hasItems()) {
+						clients.refresh();
+					}
+				} catch (LocatorException e1) {
+					trans.error().log(e,clients.info(item));
+					i=MAX_RETRY;  // can't go any further
+				}
+			} catch (InterruptedException|TransactionException|CertificateException|OperatorCreationException | CertStoreException e) {
+				trans.error().log(e);
+				i=MAX_RETRY;
+			} finally {
+				tt.done();
+			}
+		}
+		
+		return null;
+	}
+	
+	/**
+	 * Locator specifically for Jscep Clients.
+	 * 
+	 * Class based client for access to common Map
+	 */
+	private class JscepClientLocator extends HotPeerLocator<Client> {
+
+		protected JscepClientLocator(Access access, String urlstr)throws LocatorException {
+			super(access, urlstr, JscepCA.INVALIDATE_TIME,
+			 	access.getProperty("cadi_latitude","39.833333"), //Note: Defaulting to GEO center of US
+			 	access.getProperty("cadi_longitude","-98.583333")
+			 	);
+		}
+
+		@Override
+		protected Client _newClient(String urlinfo) throws LocatorException {
+			try {
+				String[] info = Split.split('/', urlinfo);
+				Client c = new Client(new URL(JscepCA.CA_PREFIX + info[0] + JscepCA.CA_POSTFIX), 
+						new CertificateVerifier() {
+						@Override
+						public boolean verify(X509Certificate cert) {
+							//TODO checkIssuer
+							return true;
+						}
+					}
+				);
+				// Map URL to Client, because Client doesn't expose Connection
+				mxcwi_c.put(c,mxcwi_s.get(urlinfo));
+				return c;
+			} catch (MalformedURLException e) {
+				throw new LocatorException(e);
+			}
+		}
+
+		@Override
+		protected Client _invalidate(Client client) {
+			return null;
+		}
+
+		@Override
+		protected void _destroy(Client client) {
+			mxcwi_c.remove(client);
+		}
+		
+		
+	}
+}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
new file mode 100644
index 00000000..b6a2a0a9
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
@@ -0,0 +1,182 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.auth.cm.ca;
+
+import java.io.File;
+import java.io.FileReader;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.GeneralSecurityException;
+import java.security.SecureRandom;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.GregorianCalendar;
+import java.util.List;
+
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x500.X500NameBuilder;
+import org.bouncycastle.asn1.x509.BasicConstraints;
+import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.KeyPurposeId;
+import org.bouncycastle.asn1.x509.KeyUsage;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
+import org.bouncycastle.crypto.params.RSAKeyParameters;
+import org.bouncycastle.crypto.util.SubjectPublicKeyInfoFactory;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.onap.aaf.auth.cm.cert.BCFactory;
+import org.onap.aaf.auth.cm.cert.CSRMeta;
+import org.onap.aaf.auth.cm.cert.RDN;
+import org.onap.aaf.auth.env.NullTrans;
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+
+public class LocalCA extends CA {
+
+	// Extensions
+	private static final KeyPurposeId[] ASN_WebUsage = new KeyPurposeId[] {
+				KeyPurposeId.id_kp_serverAuth, // WebServer
+				KeyPurposeId.id_kp_clientAuth};// WebClient
+				
+	private final RSAPrivateKey caKey;
+	private final X500Name issuer;
+	private final SecureRandom random = new SecureRandom();
+	private byte[] serialish;
+	private final X509ChainWithIssuer x509cwi; // "Cert" is CACert
+
+	public LocalCA(Access access, final String name, final String env, final String[][] params) throws IOException, CertException {
+		super(access, name, env);
+		serialish = new byte[24];
+		if(params.length<1 || params[0].length<2) {
+			throw new IOException("LocalCA expects cm_ca.<ca name>=org.onap.aaf.auth.cm.ca.LocalCA,<full path to key file>[;<Full Path to Trust Chain, ending with actual CA>]+");
+		}
+		
+		// Read in the Private Key
+		File f = new File(params[0][0]); // key
+		if(f.exists()) {
+			caKey = (RSAPrivateKey)Factory.toPrivateKey(NullTrans.singleton(),f);
+		} else {
+			throw new CertException("Private Key, " + f.getPath() + ", does not exist");
+		}
+
+		String dir = access.getProperty(CM_PUBLIC_DIR, "");
+		if(!"".equals(dir) && !dir.endsWith("/")) {
+			dir = dir + '/';
+		}
+		List<FileReader> frs = new ArrayList<FileReader>(params.length-1);
+		try {
+			String path;
+			for(int i=1; i<params[0].length; ++i) { // first param is Private Key, remainder are TrustChain
+				path = !params[0][i].contains("/")?dir+params[0][i]:params[0][i];
+				access.printf(Level.INIT, "Loading a TrustChain Member for %s from %s\n",name, path);
+				frs.add(new FileReader(path));
+			}
+			x509cwi = new X509ChainWithIssuer(frs);
+			X500NameBuilder xnb = new X500NameBuilder();
+			for(RDN rnd : RDN.parse(',', x509cwi.getIssuerDN())) {
+				xnb.addRDN(rnd.aoi,rnd.value);
+			}
+			issuer = xnb.build();
+		} finally {
+			for(FileReader fr : frs) {
+				if(fr!=null) {
+					fr.close();
+				}
+			}
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.cm.service.CA#sign(org.bouncycastle.pkcs.PKCS10CertificationRequest)
+	 */
+	@Override
+	public X509andChain sign(Trans trans, CSRMeta csrmeta) throws IOException, CertException {
+		GregorianCalendar gc = new GregorianCalendar();
+		Date start = gc.getTime();
+		gc.add(GregorianCalendar.MONTH, 2);
+		Date end = gc.getTime();
+		X509Certificate x509;
+		TimeTaken tt = trans.start("Create/Sign Cert",Env.SUB);
+		try {
+			BigInteger bi;
+			synchronized(serialish) {
+				random.nextBytes(serialish);
+				bi = new BigInteger(serialish);
+			}
+				
+			RSAPublicKey rpk = (RSAPublicKey)csrmeta.keypair(trans).getPublic();
+			X509v3CertificateBuilder xcb = new X509v3CertificateBuilder(
+					issuer,
+					bi, // replace with Serialnumber scheme
+					start,
+					end,
+					csrmeta.x500Name(),
+					SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(new RSAKeyParameters(false,rpk.getModulus(),rpk.getPublicExponent()))
+//					new SubjectPublicKeyInfo(ASN1Sequence.getInstance(caCert.getPublicKey().getEncoded()))
+					);
+			List<GeneralName> lsan = new ArrayList<GeneralName>();
+			for(String s : csrmeta.sans()) {
+				lsan.add(new GeneralName(GeneralName.dNSName,s));
+			}
+			GeneralName[] sans = new GeneralName[lsan.size()];
+			lsan.toArray(sans);
+
+		    JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
+		    	xcb.addExtension(Extension.basicConstraints,
+                    	false, new BasicConstraints(false))
+		            .addExtension(Extension.keyUsage,
+		                true, new KeyUsage(KeyUsage.digitalSignature
+		                                 | KeyUsage.keyEncipherment))
+		            .addExtension(Extension.extendedKeyUsage,
+		                          true, new ExtendedKeyUsage(ASN_WebUsage))
+
+                    .addExtension(Extension.authorityKeyIdentifier,
+		                          false, extUtils.createAuthorityKeyIdentifier(x509cwi.cert))
+		            .addExtension(Extension.subjectKeyIdentifier,
+		                          false, extUtils.createSubjectKeyIdentifier(x509cwi.cert.getPublicKey()))
+		            .addExtension(Extension.subjectAlternativeName,
+		            		false, new GeneralNames(sans))
+		                                           ;
+	
+			x509 = new JcaX509CertificateConverter().getCertificate(
+					xcb.build(BCFactory.contentSigner(caKey)));
+		} catch (GeneralSecurityException|OperatorCreationException e) {
+			throw new CertException(e);
+		} finally {
+			tt.done();
+		}
+		
+		return new X509ChainWithIssuer(x509cwi,x509);
+	}
+
+}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509ChainWithIssuer.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509ChainWithIssuer.java
new file mode 100644
index 00000000..e0a85676
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509ChainWithIssuer.java
@@ -0,0 +1,74 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.auth.cm.ca;
+
+import java.io.IOException;
+import java.io.Reader;
+import java.security.Principal;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Collection;
+import java.util.List;
+
+import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.cm.Factory;
+
+public class X509ChainWithIssuer extends X509andChain {
+	private String issuerDN;
+
+	public X509ChainWithIssuer(X509ChainWithIssuer orig, X509Certificate x509) {
+		super(x509,orig.trustChain);
+		issuerDN=orig.issuerDN;		
+	}
+	
+	public X509ChainWithIssuer(final List<? extends Reader> rdrs) throws IOException, CertException {
+		// Trust Chain.  Last one should be the CA
+		Collection<? extends Certificate> certs;
+		X509Certificate x509;
+		for(Reader rdr : rdrs) {
+			if(rdr!=null) { // cover for badly formed array
+				byte[] bytes = Factory.decode(rdr);
+				try {
+					certs = Factory.toX509Certificate(bytes);
+				} catch (CertificateException e) {
+					throw new CertException(e);
+				}
+				for(Certificate c : certs) {
+					x509=(X509Certificate)c;
+					Principal subject = x509.getSubjectDN();
+					if(subject!=null) {
+						if(cert==null) { // first in Trust Chain
+							issuerDN= subject.toString();
+						}
+						addTrustChainEntry(x509);
+						cert=x509; // adding each time makes sure last one is signer.
+					}
+				}
+			}
+		}
+	}
+	
+	public String getIssuerDN() {
+		return issuerDN;
+	}
+
+}
+\ No newline at end of file
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509andChain.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509andChain.java
new file mode 100644
index 00000000..24416c92
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509andChain.java
@@ -0,0 +1,79 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.auth.cm.ca;
+
+import java.io.IOException;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+import org.onap.aaf.auth.env.NullTrans;
+import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.cm.Factory;
+
+
+/**
+ * Have to put the Cert and resulting Trust Chain together. 
+ * Treating them separately has caused issues
+ * 
+ * @author jg1555
+ *
+ */
+public class X509andChain {
+	protected X509Certificate cert;
+	protected String[] trustChain;
+	
+	public X509andChain() {
+		cert = null;
+		trustChain = null;
+	}
+	
+	public X509andChain(X509Certificate cert, String[] trustChain) {
+		this.cert = cert;
+		this.trustChain = trustChain;
+	}
+
+	public X509andChain(X509Certificate cert, List<String> chain) {
+		this.cert = cert;
+		trustChain = new String[chain.size()];
+		chain.toArray(trustChain);
+	}
+	
+	
+	public void addTrustChainEntry(X509Certificate x509) throws IOException, CertException {
+		if(trustChain==null) {
+			trustChain = new String[] {Factory.toString(NullTrans.singleton(),x509)};
+		} else {
+			String[] temp = new String[trustChain.length+1];
+			System.arraycopy(trustChain, 0, temp, 0, trustChain.length);
+			temp[trustChain.length]=Factory.toString(NullTrans.singleton(),x509);
+			trustChain=temp;
+		}
+	}
+
+	public X509Certificate getX509() {
+		return cert;
+	}
+	
+	public String[] getTrustChain() {
+		return trustChain;
+	}
+	
+}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/BCFactory.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/BCFactory.java
new file mode 100644
index 00000000..4fdac6a6
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/BCFactory.java
@@ -0,0 +1,151 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.auth.cm.cert;
+
+import java.io.File;
+import java.io.FileReader;
+import java.io.IOException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.SignatureException;
+import java.util.List;
+
+import org.bouncycastle.asn1.ASN1Object;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.onap.aaf.auth.cm.ca.CA;
+import org.onap.aaf.auth.cm.validation.CertmanValidator;
+import org.onap.aaf.cadi.Symm;
+import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+
+
+/**
+ * Additional Factory mechanisms for CSRs, and BouncyCastle.  The main Factory
+ * utilizes only Java abstractions, and is useful in Client code.
+ * 
+ * @author jg1555
+ *
+ */
+public class BCFactory extends Factory {
+	private static final JcaContentSignerBuilder jcsb;
+
+
+	static {
+		// Bouncy
+		jcsb = new JcaContentSignerBuilder(Factory.SIG_ALGO);
+	}
+	
+	public static ContentSigner contentSigner(PrivateKey pk) throws OperatorCreationException {
+		return jcsb.build(pk);
+	}
+	
+	public static String toString(PKCS10CertificationRequest csr) throws IOException, CertException {
+		if(csr==null) {
+			throw new CertException("x509 Certificate Request not built");
+		}
+		return textBuilder("CERTIFICATE REQUEST",csr.getEncoded());
+	}
+
+	public static PKCS10CertificationRequest toCSR(Trans trans, File file) throws IOException {
+		TimeTaken tt = trans.start("Reconstitute CSR", Env.SUB);
+		try {
+			FileReader fr = new FileReader(file);
+			return new PKCS10CertificationRequest(decode(strip(fr)));
+		} finally {
+			tt.done();
+		}
+	}
+
+	public static byte[] sign(Trans trans, ASN1Object toSign, PrivateKey pk) throws IOException, InvalidKeyException, SignatureException, NoSuchAlgorithmException {
+		TimeTaken tt = trans.start("Encode Security Object", Env.SUB);
+		try {
+			return sign(trans,toSign.getEncoded(),pk);
+		} finally {
+			tt.done();
+		}
+	}
+	
+	public static CSRMeta createCSRMeta(CA ca, String mechid, String sponsorEmail, List<String> fqdns) throws CertException {
+		CSRMeta csr = ca.newCSRMeta();
+		boolean first = true;
+		// Set CN (and SAN)
+		for(String fqdn : fqdns) {
+			if(first) {
+				first = false;
+				csr.cn(fqdn);
+			}
+			csr.san(fqdn); // duplicate CN in SAN, per RFC 5280 section 4.2.1.6 
+		}
+		
+		csr.challenge(new String(Symm.randomGen(24)));
+		csr.mechID(mechid);
+		csr.email(sponsorEmail);
+		String errs;
+		if((errs=validateApp(csr))!=null) {
+			throw new CertException(errs);
+		}
+		return csr;
+	}
+	
+	private static String validateApp(CSRMeta csr) {
+		CertmanValidator v = new CertmanValidator();
+		if(v.nullOrBlank("cn", csr.cn())
+			.nullOrBlank("mechID", csr.mechID())
+			.nullOrBlank("email", csr.email())
+			.err()) {
+			return v.errs();
+		} else {
+			return null;
+		}
+	}
+
+	public static CSRMeta createPersonalCSRMeta(CA ca, String personal, String email) throws CertException {
+		CSRMeta csr = ca.newCSRMeta();
+		csr.cn(personal);
+		csr.challenge(new String(Symm.randomGen(24)));
+		csr.email(email);
+		String errs;
+		if((errs=validatePersonal(csr))!=null) {
+			throw new CertException(errs);
+		}
+		return csr;
+	}
+
+	private static String validatePersonal(CSRMeta csr) {
+		CertmanValidator v = new CertmanValidator();
+		if(v.nullOrBlank("cn", csr.cn())
+			.nullOrBlank("email", csr.email())
+			.err()) {
+			return v.errs();
+		} else {
+			return null;
+		}
+	}
+	
+
+}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java
new file mode 100644
index 00000000..2541bea0
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java
@@ -0,0 +1,266 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.auth.cm.cert;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.SecureRandom;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.GregorianCalendar;
+import java.util.List;
+
+import org.bouncycastle.asn1.ASN1Sequence;
+import org.bouncycastle.asn1.DERPrintableString;
+import org.bouncycastle.asn1.pkcs.Attribute;
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x500.X500NameBuilder;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.Extensions;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
+import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.misc.env.Trans;
+
+public class CSRMeta {
+	private String cn;
+	private String mechID;
+	private String environment;
+	private String email;
+	private String challenge;
+	private List<RDN> rdns;
+	
+	public CSRMeta(List<RDN> rdns) {
+		this.rdns = rdns;
+	}
+	
+	private ArrayList<String> sanList = new ArrayList<String>();
+	private KeyPair keyPair;
+	private X500Name name = null;
+	private SecureRandom random = new SecureRandom();
+
+	public X500Name x500Name() throws IOException {
+		if(name==null) {
+			X500NameBuilder xnb = new X500NameBuilder();
+			xnb.addRDN(BCStyle.CN,cn);
+			xnb.addRDN(BCStyle.E,email);
+			if(mechID!=null) {
+				if(environment==null) {
+					xnb.addRDN(BCStyle.OU,mechID);
+				} else {
+					xnb.addRDN(BCStyle.OU,mechID+':'+environment);
+				}
+			}
+			for(RDN rdn : rdns) {
+				xnb.addRDN(rdn.aoi,rdn.value);
+			}
+			name = xnb.build();
+		}
+		return name;
+	}
+	
+	
+	public PKCS10CertificationRequest  generateCSR(Trans trans) throws IOException, CertException {
+		PKCS10CertificationRequestBuilder builder = new JcaPKCS10CertificationRequestBuilder(x500Name(),keypair(trans).getPublic());
+		if(challenge!=null) {
+			DERPrintableString password = new DERPrintableString(challenge);
+			builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, password);
+		}
+		
+		int plus = email==null?0:1;
+		if(sanList.size()>0) {
+			GeneralName[] gna = new GeneralName[sanList.size()+plus];
+			int i=-1;
+			for(String s : sanList) {
+				gna[++i]=new GeneralName(GeneralName.dNSName,s);
+			}
+			gna[++i]=new GeneralName(GeneralName.rfc822Name,email);
+			
+			builder.addAttribute(
+					PKCSObjectIdentifiers.pkcs_9_at_extensionRequest,
+					new Extensions(new Extension[] {
+							new Extension(Extension.subjectAlternativeName,false,new GeneralNames(gna).getEncoded())
+					})
+			);
+		}
+		
+		if(email!=null) {
+			
+		}
+		try {
+			return builder.build(BCFactory.contentSigner(keypair(trans).getPrivate()));
+		} catch (OperatorCreationException e) {
+			throw new CertException(e);
+		}
+	}
+	
+	@SuppressWarnings("deprecation")
+	public static void dump(PKCS10CertificationRequest csr) {
+		 Attribute[] certAttributes = csr.getAttributes();
+		 for (Attribute attribute : certAttributes) {
+		     if (attribute.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
+		         Extensions extensions = Extensions.getInstance(attribute.getAttrValues().getObjectAt(0));
+		         GeneralNames gns = GeneralNames.fromExtensions(extensions,Extension.subjectAlternativeName);
+		         GeneralName[] names = gns.getNames();
+		         for(int k=0; k < names.length; k++) {
+		             String title = "";
+		             if(names[k].getTagNo() == GeneralName.dNSName) {
+		                 title = "dNSName";
+		             } else if(names[k].getTagNo() == GeneralName.iPAddress) {
+		                 title = "iPAddress";
+		                 // Deprecated, but I don't see anything better to use.
+		                 names[k].toASN1Object();
+		             } else if(names[k].getTagNo() == GeneralName.otherName) {
+		                 title = "otherName";
+		             } else if(names[k].getTagNo() == GeneralName.rfc822Name) {
+		                 title = "email";
+		             }
+
+		             System.out.println(title + ": "+ names[k].getName());
+		         } 
+		     }
+		 }
+	}
+	
+	public X509Certificate initialConversationCert(Trans trans) throws IOException, CertificateException, OperatorCreationException {
+		GregorianCalendar gc = new GregorianCalendar();
+		Date start = gc.getTime();
+		gc.add(GregorianCalendar.DAY_OF_MONTH,2);
+		Date end = gc.getTime();
+		X509v3CertificateBuilder xcb = new X509v3CertificateBuilder(
+				x500Name(),
+				new BigInteger(12,random), // replace with Serialnumber scheme
+				start,
+				end,
+				x500Name(),
+				new SubjectPublicKeyInfo(ASN1Sequence.getInstance(keypair(trans).getPublic().getEncoded()))
+				);
+		return new JcaX509CertificateConverter().getCertificate(
+				xcb.build(BCFactory.contentSigner(keypair(trans).getPrivate())));
+	}
+
+	public CSRMeta san(String v) {
+		sanList.add(v);
+		return this;
+	}
+
+	public List<String> sans() {
+		return sanList;
+	}
+
+
+	public KeyPair keypair(Trans trans) {
+		if(keyPair == null) {
+			keyPair = Factory.generateKeyPair(trans);
+		}
+		return keyPair;
+	}
+
+	/**
+	 * @return the cn
+	 */
+	public String cn() {
+		return cn;
+	}
+
+
+	/**
+	 * @param cn the cn to set
+	 */
+	public void cn(String cn) {
+		this.cn = cn;
+	}
+
+	/**
+	 * Environment of Service MechID is good for
+	 */
+	public void environment(String env) {
+		environment = env;
+	}
+	
+	/**
+	 * 
+	 * @return
+	 */
+	public String environment() {
+		return environment;
+	}
+	
+	/**
+	 * @return the mechID
+	 */
+	public String mechID() {
+		return mechID;
+	}
+
+
+	/**
+	 * @param mechID the mechID to set
+	 */
+	public void mechID(String mechID) {
+		this.mechID = mechID;
+	}
+
+
+	/**
+	 * @return the email
+	 */
+	public String email() {
+		return email;
+	}
+
+
+	/**
+	 * @param email the email to set
+	 */
+	public void email(String email) {
+		this.email = email;
+	}
+
+	/**
+	 * @return the challenge
+	 */
+	public String challenge() {
+		return challenge;
+	}
+
+
+	/**
+	 * @param challenge the challenge to set
+	 */
+	public void challenge(String challenge) {
+		this.challenge = challenge;
+	}
+	
+}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/RDN.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/RDN.java
new file mode 100644
index 00000000..7d4161f2
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/RDN.java
@@ -0,0 +1,101 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.auth.cm.cert;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.util.Split;
+
+public class RDN {
+	public String tag;
+	public String value;
+	public ASN1ObjectIdentifier aoi;
+	public RDN(final String tagValue) throws CertException {
+		String[] tv = Split.splitTrim('=',tagValue);
+		switch(tv[0]) {
+			case "cn":case "CN":			aoi = BCStyle.CN; break;
+			case "c":case "C":			aoi = BCStyle.C;break;
+			case "st":case "ST":			aoi = BCStyle.ST;break;
+			case "l":case "L":  			aoi = BCStyle.L;break;
+			case "o":case "O":			aoi = BCStyle.O;break;
+			case "ou":case "OU":			aoi = BCStyle.OU;break;
+			case "dc":case "DC":			aoi = BCStyle.DC;break;
+			case "gn":case "GN":			aoi = BCStyle.GIVENNAME; break;
+			case "sn":case "SN":			aoi = BCStyle.SN; break;  // surname
+			case "email":case "EMAIL":
+			case "emailaddress":
+			case "EMAILADDRESS":			aoi = BCStyle.EmailAddress;break; // should be SAN extension
+			case "initials":				aoi = BCStyle.INITIALS; break; 
+			case "pseudonym":			aoi = BCStyle.PSEUDONYM; break;
+			case "generationQualifier":	aoi = BCStyle.GENERATION; break;
+			case "serialNumber":			aoi = BCStyle.SERIALNUMBER; break;
+			default:
+				throw new CertException("Unknown ASN1ObjectIdentifier for " + tv[0]);
+		}
+		tag = tv[0];
+		value = tv[1];
+	}
+	
+	/**
+	 * Parse various forms of DNs into appropriate RDNs, which have the ASN1ObjectIdentifier
+	 * @param delim
+	 * @param dnString
+	 * @return
+	 * @throws CertException
+	 */
+	public static List<RDN> parse(final char delim, final String dnString ) throws CertException {
+		List<RDN> lrnd = new ArrayList<RDN>();
+		StringBuilder sb = new StringBuilder();
+		boolean inQuotes = false;
+		for(int i=0;i<dnString.length();++i) {
+			char c = dnString.charAt(i);
+			if(inQuotes) {
+				if('"' == c) {
+					inQuotes=false;
+				} else {
+					sb.append(dnString.charAt(i));
+				}
+			} else {
+				if('"' == c) {
+					inQuotes=true;
+				} else if(delim==c) {
+					lrnd.add(new RDN(sb.toString()));
+					sb.setLength(0);
+				} else {
+					sb.append(dnString.charAt(i));
+				}
+			}
+		}
+		if(sb.indexOf("=")>0) {
+			lrnd.add(new RDN(sb.toString()));
+		}
+		return lrnd;
+	}
+	
+	@Override
+	public String toString() {
+		return tag + '=' + value;
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertDrop.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertDrop.java
new file mode 100644
index 00000000..0a9d7661
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertDrop.java
@@ -0,0 +1,26 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cm.data;
+
+public class CertDrop {
+
+}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertRenew.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertRenew.java
new file mode 100644
index 00000000..242a18ac
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertRenew.java
@@ -0,0 +1,26 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cm.data;
+
+public class CertRenew {
+
+}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertReq.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertReq.java
new file mode 100644
index 00000000..aa0b9c26
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertReq.java
@@ -0,0 +1,49 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cm.data;
+
+import java.util.List;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+
+import org.onap.aaf.auth.cm.ca.CA;
+import org.onap.aaf.auth.cm.cert.BCFactory;
+import org.onap.aaf.auth.cm.cert.CSRMeta;
+import org.onap.aaf.cadi.cm.CertException;
+
+public class CertReq {
+	// These cannot be null
+	public CA certAuthority;
+	public String mechid;
+	public List<String> fqdns;
+	// Notify
+	public List<String> emails;
+	
+	
+	// These may be null
+	public String sponsor;
+	public XMLGregorianCalendar start, end;
+	
+	public CSRMeta getCSRMeta() throws CertException {
+		return BCFactory.createCSRMeta(certAuthority, mechid, sponsor,fqdns);
+	}
+}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertResp.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertResp.java
new file mode 100644
index 00000000..595025e7
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertResp.java
@@ -0,0 +1,94 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cm.data;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.KeyPair;
+import java.security.cert.X509Certificate;
+import java.util.Set;
+
+import org.onap.aaf.auth.cm.ca.CA;
+import org.onap.aaf.auth.cm.cert.CSRMeta;
+import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.misc.env.Trans;
+
+public class CertResp {
+	private CA ca;
+	private KeyPair keyPair;
+	private String challenge;
+	
+	private String privateKey, certString;
+	private String[] trustChain;
+	private String[] trustCAs;
+	private String[] notes;
+	
+	public CertResp(Trans trans, CA ca, X509Certificate x509, CSRMeta csrMeta, String[] trustChain, String[] trustCAs, String[] notes) throws IOException, GeneralSecurityException, CertException {
+		keyPair = csrMeta.keypair(trans);
+		privateKey = Factory.toString(trans, keyPair.getPrivate());
+		certString = Factory.toString(trans,x509);
+		challenge=csrMeta.challenge();
+		this.ca = ca;
+		this.trustChain = trustChain;
+		this.trustCAs = trustCAs;
+		this.notes = notes;
+	}
+
+	// Use for Read Responses, etc
+	public CertResp(String cert) {
+		certString = cert;
+	}
+
+	
+	public String asCertString() {
+		return certString;
+	}
+	
+	public String privateString() throws IOException {
+		return privateKey;
+	}
+	
+	public String challenge() {
+		return challenge==null?"":challenge;
+	}
+	
+	public String[] notes() {
+		return notes;
+	}
+	
+	public Set<String> caIssuerDNs() {
+		return ca.getCaIssuerDNs();
+	}
+	
+	public String env() {
+		return ca.getEnv();
+	}
+	
+	public String[] trustChain() {
+		return trustChain;
+	}
+	
+	public String[] trustCAs() {
+		return trustCAs;
+	}
+}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/Facade.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/Facade.java
new file mode 100644
index 00000000..9eb9c2fa
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/Facade.java
@@ -0,0 +1,182 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cm.facade;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.auth.cm.ca.CA;
+import org.onap.aaf.auth.cm.mapper.Mapper;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+
+
+/**
+ *   
+ * @author Jonathan
+ *
+ */
+public interface Facade<REQ,CERT,ARTIFACTS,ERROR> {
+
+/////////////////////  STANDARD ELEMENTS //////////////////
+	/** 
+	 * @param trans
+	 * @param response
+	 * @param result
+	 */
+	void error(AuthzTrans trans, HttpServletResponse response, Result<?> result);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param response
+	 * @param status
+	 */
+	void error(AuthzTrans trans, HttpServletResponse response, int status,	String msg, String ... detail);
+
+	/**
+	 * Permission checker
+	 *
+	 * @param trans
+	 * @param resp
+	 * @param perm
+	 * @return
+	 * @throws IOException 
+	 */
+	Result<Void> check(AuthzTrans trans, HttpServletResponse resp, String perm) throws IOException;
+
+	/**
+	 * 
+	 * @return
+	 */
+	public Mapper<REQ,CERT,ARTIFACTS,ERROR> mapper();
+
+/////////////////////  STANDARD ELEMENTS //////////////////
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param resp
+	 * @param rservlet
+	 * @return
+	 */
+	public abstract Result<Void> requestCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, CA ca);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param resp
+	 * @param rservlet
+	 * @return
+	 */
+	public abstract Result<Void> requestPersonalCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, CA ca);
+
+
+	/**
+	 * 
+	 * @param trans
+	 * @param req
+	 * @param resp
+	 * @return
+	 */
+	public abstract Result<Void> renewCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, boolean withTrust);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param req
+	 * @param resp
+	 * @return
+	 */
+	public abstract Result<Void> dropCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp);
+	
+
+	/**
+	 * 
+	 * @param trans
+	 * @param resp
+	 * @param pathParam
+	 * @return
+	 */
+	public Result<Void> readCertsByMechID(AuthzTrans trans, HttpServletResponse resp, String mechID);
+	
+
+	/**
+	 * 
+	 * @param trans
+	 * @param req
+	 * @param resp
+	 * @return
+	 */
+	Result<Void> createArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp);
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param req
+	 * @param resp
+	 * @return
+	 */
+	Result<Void> readArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param resp
+	 * @param mechid
+	 * @param machine
+	 * @return
+	 */
+	Result<Void> readArtifacts(AuthzTrans trans, HttpServletResponse resp, String mechid, String machine);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param req
+	 * @param resp
+	 * @return
+	 */
+	Result<Void> updateArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp);
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param req
+	 * @param resp
+	 * @return
+	 */
+	Result<Void> deleteArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param resp
+	 * @param mechid
+	 * @param machine
+	 * @return
+	 */
+	Result<Void> deleteArtifacts(AuthzTrans trans, HttpServletResponse resp, String mechid, String machine);
+
+
+}
+\ No newline at end of file
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/Facade1_0.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/Facade1_0.java
new file mode 100644
index 00000000..49d976b2
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/Facade1_0.java
@@ -0,0 +1,46 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cm.facade;
+
+import org.onap.aaf.auth.cm.AAF_CM;
+import org.onap.aaf.auth.cm.mapper.Mapper;
+import org.onap.aaf.auth.cm.service.CMService;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Data;
+
+import aaf.v2_0.Error;
+import certman.v1_0.Artifacts;
+import certman.v1_0.BaseRequest;
+import certman.v1_0.CertInfo;
+
+/**
+ * @author Jonathan
+ *
+ */
+public class Facade1_0 extends FacadeImpl<BaseRequest,CertInfo, Artifacts, Error> {
+	public Facade1_0(AAF_CM certman, 
+					 CMService service, 
+					 Mapper<BaseRequest,CertInfo,Artifacts,Error> mapper, 
+					 Data.TYPE type) throws APIException {
+		super(certman, service, mapper, type);
+	}
+}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/FacadeFactory.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/FacadeFactory.java
new file mode 100644
index 00000000..6eb13f93
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/FacadeFactory.java
@@ -0,0 +1,41 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cm.facade;
+
+import org.onap.aaf.auth.cm.AAF_CM;
+import org.onap.aaf.auth.cm.mapper.Mapper1_0;
+import org.onap.aaf.auth.cm.service.CMService;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Data;
+
+
+public class FacadeFactory {
+	public static Facade1_0 v1_0(AAF_CM certman, AuthzTrans trans, CMService service, Data.TYPE type) throws APIException {
+		return new Facade1_0(
+				certman,
+				service,
+				new Mapper1_0(),
+				type);  
+	}
+
+}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/FacadeImpl.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/FacadeImpl.java
new file mode 100644
index 00000000..0598ee60
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/FacadeImpl.java
@@ -0,0 +1,643 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cm.facade;
+
+import static org.onap.aaf.auth.layer.Result.ERR_ActionNotCompleted;
+import static org.onap.aaf.auth.layer.Result.ERR_BadData;
+import static org.onap.aaf.auth.layer.Result.ERR_ConflictAlreadyExists;
+import static org.onap.aaf.auth.layer.Result.ERR_Denied;
+import static org.onap.aaf.auth.layer.Result.ERR_NotFound;
+import static org.onap.aaf.auth.layer.Result.ERR_NotImplemented;
+import static org.onap.aaf.auth.layer.Result.ERR_Policy;
+import static org.onap.aaf.auth.layer.Result.ERR_Security;
+import static org.onap.aaf.auth.layer.Result.OK;
+
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.auth.cm.AAF_CM;
+import org.onap.aaf.auth.cm.ca.CA;
+import org.onap.aaf.auth.cm.data.CertResp;
+import org.onap.aaf.auth.cm.mapper.Mapper;
+import org.onap.aaf.auth.cm.mapper.Mapper.API;
+import org.onap.aaf.auth.cm.service.CMService;
+import org.onap.aaf.auth.dao.cass.ArtiDAO;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.cadi.aaf.AAFPermission;
+import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Data;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.util.Split;
+import org.onap.aaf.misc.rosetta.env.RosettaDF;
+import org.onap.aaf.misc.rosetta.env.RosettaData;
+
+/**
+ * AuthzFacade
+ * 
+ * This Service Facade encapsulates the essence of the API Service can do, and provides
+ * a single created object for elements such as RosettaDF.
+ *
+ * The Responsibilities of this class are to:
+ * 1) Interact with the Service Implementation (which might be supported by various kinds of Backend Storage)
+ * 2) Validate incoming data (if applicable)
+ * 3) Convert the Service response into the right Format, and mark the Content Type
+ * 		a) In the future, we may support multiple Response Formats, aka JSON or XML, based on User Request.
+ * 4) Log Service info, warnings and exceptions as necessary
+ * 5) When asked by the API layer, this will create and write Error content to the OutputStream
+ * 
+ * Note: This Class does NOT set the HTTP Status Code.  That is up to the API layer, so that it can be 
+ * clearly coordinated with the API Documentation
+ * 
+ * @author Jonathan
+ *
+ */
+public abstract class FacadeImpl<REQ,CERT,ARTIFACTS,ERROR> extends org.onap.aaf.auth.layer.FacadeImpl implements Facade<REQ,CERT,ARTIFACTS,ERROR> 
+	{
+	private static final String TRUE = "TRUE";
+	private static final String REQUEST_CERT = "Request New Certificate";
+	private static final String RENEW_CERT = "Renew Certificate";
+	private static final String DROP_CERT = "Drop Certificate";
+	private static final String READ_CERTS_MECHID = "Read Certificates by MechID";
+	private static final String CREATE_ARTIFACTS = "Create Deployment Artifact";
+	private static final String READ_ARTIFACTS = "Read Deployment Artifact";
+	private static final String UPDATE_ARTIFACTS = "Update Deployment Artifact";
+	private static final String DELETE_ARTIFACTS = "Delete Deployment Artifact";
+
+	private CMService service;
+
+	private final RosettaDF<ERROR>	 	errDF;
+	private final RosettaDF<REQ> 		certRequestDF, certRenewDF, certDropDF;
+	private final RosettaDF<CERT>		certDF;
+	private final RosettaDF<ARTIFACTS>	artiDF;
+	private Mapper<REQ, CERT, ARTIFACTS, ERROR> 	mapper;
+//	private Slot sCertAuth;
+	private AAF_CM certman;
+	private final String voidResp;
+
+	public FacadeImpl(AAF_CM certman,
+					  CMService service, 
+					  Mapper<REQ,CERT,ARTIFACTS,ERROR> mapper, 
+					  Data.TYPE dataType) throws APIException {
+		this.service = service;
+		this.mapper = mapper;
+		this.certman = certman;
+		AuthzEnv env = certman.env;
+		//TODO: Gabe [JUnit] Static issue, talk to Jonathan
+		(errDF 				= env.newDataFactory(mapper.getClass(API.ERROR))).in(dataType).out(dataType);
+		(certRequestDF 		= env.newDataFactory(mapper.getClass(API.CERT_REQ))).in(dataType).out(dataType);
+		(certRenewDF 		= env.newDataFactory(mapper.getClass(API.CERT_RENEW))).in(dataType).out(dataType);
+		(certDropDF 		= env.newDataFactory(mapper.getClass(API.CERT_DROP))).in(dataType).out(dataType);
+		(certDF 			= env.newDataFactory(mapper.getClass(API.CERT))).in(dataType).out(dataType);
+		(artiDF 			= env.newDataFactory(mapper.getClass(API.ARTIFACTS))).in(dataType).out(dataType);
+//		sCertAuth = env.slot(API_Cert.CERT_AUTH);
+		if(artiDF.getOutType().name().contains("xml")) {
+			voidResp = "application/Void+xml;charset=utf-8;version=1.0,application/xml;version=1.0,*/*";
+		} else {
+			voidResp = "application/Void+json;charset=utf-8;version=1.0,application/json;version=1.0,*/*";
+		}
+	}
+	
+	public Mapper<REQ,CERT,ARTIFACTS,ERROR> mapper() {
+		return mapper;
+	}
+	
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#error(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, int)
+	 * 
+	 * Note: Conforms to AT&T TSS RESTful Error Structure
+	 */
+	@Override
+	public void error(AuthzTrans trans, HttpServletResponse response, Result<?> result) {
+		error(trans, response, result.status,
+				result.details==null?"":result.details.trim(),
+				result.variables==null?new String[0]:result.variables);
+	}
+		
+	@Override
+	public void error(AuthzTrans trans, HttpServletResponse response, int status, final String _msg, final String ... _detail) {
+		String msgId;
+		String prefix;
+		boolean hidemsg=false;
+		switch(status) {
+			case 202:
+			case ERR_ActionNotCompleted:
+				msgId = "SVC1202";
+				prefix = "Accepted, Action not complete";
+				response.setStatus(/*httpstatus=*/202);
+				break;
+
+			case 403:
+			case ERR_Policy:
+			case ERR_Security:
+			case ERR_Denied:
+				msgId = "SVC1403";
+				prefix = "Forbidden";
+				response.setStatus(/*httpstatus=*/403);
+				break;
+				
+			case 404:
+			case ERR_NotFound:
+				msgId = "SVC1404";
+				prefix = "Not Found";
+				response.setStatus(/*httpstatus=*/404);
+				break;
+
+			case 406:
+			case ERR_BadData:
+				msgId="SVC1406";
+				prefix = "Not Acceptable";
+				response.setStatus(/*httpstatus=*/406);
+				break;
+				
+			case 409:
+			case ERR_ConflictAlreadyExists:
+				msgId = "SVC1409";
+				prefix = "Conflict Already Exists";
+				response.setStatus(/*httpstatus=*/409);
+				break;
+			
+			case 501:
+			case ERR_NotImplemented:
+				msgId = "SVC1501";
+				prefix = "Not Implemented"; 
+				response.setStatus(/*httpstatus=*/501);
+				break;
+				
+
+			default:
+				msgId = "SVC1500";
+				prefix = "General Service Error";
+				response.setStatus(/*httpstatus=*/500);
+				hidemsg=true;
+				break;
+		}
+
+		try {
+			StringBuilder holder = new StringBuilder();
+			ERROR em = mapper().errorFromMessage(holder, msgId,prefix + ": " + _msg,_detail);
+			trans.checkpoint(
+					"ErrResp [" + 
+					msgId +
+					"] " +
+					holder.toString(),
+					Env.ALWAYS);
+			if(hidemsg) {
+				holder.setLength(0);
+				em = mapper().errorFromMessage(holder, msgId, "Server had an issue processing this request");
+			}
+			errDF.newData(trans).load(em).to(response.getOutputStream());
+			
+		} catch (Exception e) {
+			trans.error().log(e,"unable to send response for",_msg);
+		}
+	}
+
+	@Override
+	public Result<Void> check(AuthzTrans trans, HttpServletResponse resp, String perm) throws IOException {
+		String[] p = Split.split('|',perm);
+		if(p.length!=3) {
+			return Result.err(Result.ERR_BadData,"Invalid Perm String");
+		}
+		AAFPermission ap = new AAFPermission(p[0],p[1],p[2]);
+		if(certman.aafLurPerm.fish(trans.getUserPrincipal(), ap)) {
+			resp.setContentType(voidResp);
+			resp.getOutputStream().write(0);
+			return Result.ok();
+		} else {
+			return Result.err(Result.ERR_Denied,"%s does not have %s",trans.user(),ap.getKey());
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.auth.certman.facade.Facade#requestCert(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+	 */
+	@Override
+	public Result<Void> requestCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, CA ca) {
+		TimeTaken tt = trans.start(REQUEST_CERT, Env.SUB|Env.ALWAYS);
+		String wt;
+		boolean withTrust=(wt=req.getParameter("withTrust"))!=null || TRUE.equalsIgnoreCase(wt);
+		try {
+			REQ request;
+			try {
+				Data<REQ> rd = certRequestDF.newData().load(req.getInputStream());
+				request = rd.asObject();
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN,REQUEST_CERT);
+				return Result.err(Result.ERR_BadData,"Invalid Input");
+			}
+			
+			Result<CertResp> rcr = service.requestCert(trans,mapper.toReq(trans,request), ca);
+			if(rcr.notOK()) {
+				return Result.err(rcr);
+			}
+			
+//			CA certAuth = trans.get(sCertAuth,null);
+			Result<CERT> rc = mapper.toCert(trans, rcr, withTrust);
+			switch(rc.status) {
+				case OK: 
+					RosettaData<CERT> data = certDF.newData(trans).load(rc.value);
+					data.to(resp.getOutputStream());
+	
+					setContentType(resp,certDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rc);
+			}
+
+		} catch (Exception e) {
+			trans.error().log(e,IN,REQUEST_CERT);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+	
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.cm.facade.Facade#requestPersonalCert(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, boolean)
+	 */
+	@Override
+	public Result<Void> requestPersonalCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, CA ca) {
+		return Result.err(Result.ERR_NotImplemented,"not implemented yet");
+//		Result<CertResp> rcr = service.requestPersonalCert(trans,ca);
+//		if(rcr.notOK()) {
+//			return Result.err(rcr);
+//		} else {
+//			try {
+//				resp.setContentType("application/zip, application/octet-stream");
+//				ZipOutputStream zos = new ZipOutputStream(resp.getOutputStream());
+//				PrintStream ps = new PrintStream(zos);
+//				ZipEntry ze = new ZipEntry(trans.user()+".key");
+//				zos.putNextEntry(ze);
+//				ps.print(rcr.value.privateString());
+//				zos.closeEntry();
+//
+//				zos.putNextEntry(new ZipEntry(trans.user()+".crt"));
+//				ps.print(rcr.value.asCertString());
+//				zos.closeEntry();
+//				
+//				String wt;
+//				if((wt=req.getParameter("withTrust"))!=null || TRUE.equalsIgnoreCase(wt)) {
+//					zos.putNextEntry(new ZipEntry(trans.user()+".trustCrts"));
+//					for(String s : ca.getTrustChain()) {
+//						ps.println(s);
+//					}
+//					zos.closeEntry();
+//				}
+//				
+//				boolean withJKS = (wt=req.getParameter("withJKS"))!=null || TRUE.equalsIgnoreCase(wt);
+//				if(withJKS) {
+//					if(trans.getUserPrincipal() instanceof BasicPrincipal) {
+//						char[] cap = new String(((BasicPrincipal)trans.getUserPrincipal()).getCred()).toCharArray();
+//						KeyStore ks = keystore(trans, rcr.value, ca.getTrustChain(), trans.user(), cap);
+//						zos.putNextEntry(new ZipEntry(trans.user()+".jks"));
+//						ks.store(zos, cap);
+//						zos.closeEntry();
+//					}
+//				}
+//				
+//				zos.putNextEntry(new ZipEntry("cert_deploy.sh"));
+//				ps.println("# Deploy Certificate to ~/.aaf");
+//				ps.println("if [ \"$1\" = \"\" ]; then echo \"sh deploy.sh <zipfile>\";exit; else chmod 700 $HOME/.aaf; fi");
+//				ps.println("chmod 600 $1");
+//				ps.println("if [ ! -e $HOME/.aaf ]; then mkdir -m 700 $HOME/.aaf; fi");
+//				ps.println("THE_PWD=`pwd`");
+//				ps.println("cd $HOME/.aaf");
+//				ps.println("echo \"Deploying to `pwd`\"");
+//				ps.println("jar -xvf $THE_PWD/$1 " + trans.user());
+//				ps.println("chmod 600 " + trans.user() + ".key");
+//				if(withJKS) {
+//					ps.println("chmod 600 " + trans.user() + ".jks");
+//				}
+//				ps.println("cd $THE_PWD");
+//				ps.println("rm cert_deploy.sh");
+//				zos.closeEntry();
+//				
+//
+//				zos.close();
+//				
+//			} catch (IOException | KeyStoreException | CertificateException | APIException | CertException | NoSuchAlgorithmException e) {
+//				return Result.err(e);
+//			}
+//		}
+//
+//		return Result.ok();
+	}
+
+	private KeyStore keystore(AuthzTrans trans, CertResp cr, String[] trustChain, String name, char[] cap) throws KeyStoreException, CertificateException, APIException, IOException, CertException, NoSuchAlgorithmException {
+		KeyStore jks = KeyStore.getInstance("jks");
+		jks.load(null, cap);
+		
+		// Get the Cert(s)... Might include Trust store
+		List<String> lcerts = new ArrayList<String>();
+		lcerts.add(cr.asCertString());
+		for(String s : trustChain) {
+			lcerts.add(s);
+		}
+		
+		Collection<? extends Certificate> certColl = Factory.toX509Certificate(lcerts);
+		X509Certificate[] certs = new X509Certificate[certColl.size()];
+		certColl.toArray(certs);
+		KeyStore.ProtectionParameter protParam = new KeyStore.PasswordProtection(cap);
+		
+		PrivateKey pk = Factory.toPrivateKey(trans, cr.privateString());
+		KeyStore.PrivateKeyEntry pkEntry = 
+				new KeyStore.PrivateKeyEntry(pk, new Certificate[] {certs[0]});
+		jks.setEntry(name, pkEntry, protParam);
+		
+		int i=0;
+		for(X509Certificate x509 : certs) {
+			jks.setCertificateEntry("cert_"+ ++i, x509);
+		}
+		return jks;
+	}
+
+	@Override
+	public Result<Void> renewCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, boolean withTrust) {
+		TimeTaken tt = trans.start(RENEW_CERT, Env.SUB|Env.ALWAYS);
+		try {
+			REQ request;
+			try {
+				Data<REQ> rd = certRenewDF.newData().load(req.getInputStream());
+				request = rd.asObject();
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN,RENEW_CERT);
+				return Result.err(Result.ERR_BadData,"Invalid Input");
+			}
+			
+//			String certAuth = trans.get(sCertAuth,null);
+			Result<CertResp> rcr = service.renewCert(trans,mapper.toRenew(trans,request));
+			Result<CERT> rc = mapper.toCert(trans, rcr, withTrust);
+
+			switch(rc.status) {
+				case OK: 
+					RosettaData<CERT> data = certDF.newData(trans).load(rc.value);
+					data.to(resp.getOutputStream());
+
+					setContentType(resp,certDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rc);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,RENEW_CERT);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+
+	}
+
+	@Override
+	public Result<Void> dropCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(DROP_CERT, Env.SUB|Env.ALWAYS);
+		try {
+			REQ request;
+			try {
+				Data<REQ> rd = certDropDF.newData().load(req.getInputStream());
+				request = rd.asObject();
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN,DROP_CERT);
+				return Result.err(Result.ERR_BadData,"Invalid Input");
+			}
+			
+			Result<Void> rv = service.dropCert(trans,mapper.toDrop(trans, request));
+			switch(rv.status) {
+				case OK: 
+					setContentType(resp,certRequestDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rv);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,DROP_CERT);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.cm.facade.Facade#readCertsByMechID(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	@Override
+	public Result<Void> readCertsByMechID(AuthzTrans trans, HttpServletResponse resp, String mechID) {
+		TimeTaken tt = trans.start(READ_CERTS_MECHID, Env.SUB|Env.ALWAYS);
+		try {
+			Result<CERT> rc = mapper.toCert(trans, service.readCertsByMechID(trans,mechID));
+			switch(rc.status) {
+				case OK: 
+					RosettaData<CERT> data = certDF.newData(trans).load(rc.value);
+					data.to(resp.getOutputStream());
+	
+					setContentType(resp,certDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rc);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,READ_CERTS_MECHID);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	////////////////////////////
+	// Artifacts
+	////////////////////////////
+	@Override
+	public Result<Void> createArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(CREATE_ARTIFACTS, Env.SUB);
+		try {
+			ARTIFACTS arti;
+			try {
+				Data<ARTIFACTS> rd = artiDF.newData().load(req.getInputStream());
+				arti = rd.asObject();
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN,CREATE_ARTIFACTS);
+				return Result.err(Result.ERR_BadData,"Invalid Input");
+			}
+			
+			return service.createArtifact(trans,mapper.toArtifact(trans,arti));
+		} catch (Exception e) {
+
+			trans.error().log(e,IN,CREATE_ARTIFACTS);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	@Override
+	public Result<Void> readArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(READ_ARTIFACTS, Env.SUB);
+		try {
+			String mechid = req.getParameter("mechid");
+			String machine = req.getParameter("machine");
+			String ns = req.getParameter("ns");
+			
+			Result<ARTIFACTS> ra;
+			if( machine !=null && mechid == null) {
+				ra = mapper.fromArtifacts(service.readArtifactsByMachine(trans, machine));
+			} else if(mechid!=null && machine==null) {
+				ra = mapper.fromArtifacts(service.readArtifactsByMechID(trans, mechid));
+			} else if(mechid!=null && machine!=null) {
+				ArtiDAO.Data add = new ArtiDAO.Data();
+				add.mechid = mechid;
+				add.machine = machine;
+				add.ns = ns;
+				ra = mapper.fromArtifacts(service.readArtifacts(trans,add));
+			} else if(ns!=null) {
+				ra = mapper.fromArtifacts(service.readArtifactsByNs(trans, ns));
+			} else {
+				ra = Result.err(Status.ERR_BadData,"Invalid request inputs");
+			}
+			
+			if(ra.isOK()) {
+				RosettaData<ARTIFACTS> data = artiDF.newData(trans).load(ra.value);
+				data.to(resp.getOutputStream());
+				setContentType(resp,artiDF.getOutType());
+				return Result.ok();
+			} else {
+				return Result.err(ra);
+			}
+
+		} catch (Exception e) {
+			trans.error().log(e,IN,READ_ARTIFACTS);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	@Override
+	public Result<Void> readArtifacts(AuthzTrans trans, HttpServletResponse resp, String mechid, String machine) {
+		TimeTaken tt = trans.start(READ_ARTIFACTS, Env.SUB);
+		try {
+			ArtiDAO.Data add = new ArtiDAO.Data();
+			add.mechid = mechid;
+			add.machine = machine;
+			Result<ARTIFACTS> ra = mapper.fromArtifacts(service.readArtifacts(trans,add));
+			if(ra.isOK()) {
+				RosettaData<ARTIFACTS> data = artiDF.newData(trans).load(ra.value);
+				data.to(resp.getOutputStream());
+				setContentType(resp,artiDF.getOutType());
+				return Result.ok();
+			} else {
+				return Result.err(ra);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,READ_ARTIFACTS);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+
+	@Override
+	public Result<Void> updateArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(UPDATE_ARTIFACTS, Env.SUB);
+		try {
+			ARTIFACTS arti;
+			try {
+				Data<ARTIFACTS> rd = artiDF.newData().load(req.getInputStream());
+				arti = rd.asObject();
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN,UPDATE_ARTIFACTS);
+				return Result.err(Result.ERR_BadData,"Invalid Input");
+			}
+			
+			return service.updateArtifact(trans,mapper.toArtifact(trans,arti));
+		} catch (Exception e) {
+			trans.error().log(e,IN,UPDATE_ARTIFACTS);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	@Override
+	public Result<Void> deleteArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(DELETE_ARTIFACTS, Env.SUB);
+		try {
+			ARTIFACTS arti;
+			try {
+				Data<ARTIFACTS> rd = artiDF.newData().load(req.getInputStream());
+				arti = rd.asObject();
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN,DELETE_ARTIFACTS);
+				return Result.err(Result.ERR_BadData,"Invalid Input");
+			}
+			
+			Result<Void> rv = service.deleteArtifact(trans,mapper.toArtifact(trans,arti));
+			switch(rv.status) {
+				case OK: 
+					setContentType(resp,artiDF.getOutType());
+			} 
+			return rv;
+		} catch (Exception e) {
+			trans.error().log(e,IN,DELETE_ARTIFACTS);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	@Override
+	public Result<Void> deleteArtifacts(AuthzTrans trans, HttpServletResponse resp, String mechid, String machine) {
+		TimeTaken tt = trans.start(DELETE_ARTIFACTS, Env.SUB);
+		try {
+			Result<Void> rv = service.deleteArtifact(trans, mechid, machine);
+			switch(rv.status) {
+				case OK: 
+					setContentType(resp,artiDF.getOutType());
+			} 
+			return rv;
+		} catch (Exception e) {
+			trans.error().log(e,IN,DELETE_ARTIFACTS);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+
+}
+\ No newline at end of file
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper.java
new file mode 100644
index 00000000..aadb6650
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper.java
@@ -0,0 +1,54 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cm.mapper;
+
+import java.io.IOException;
+import java.util.List;
+
+import org.onap.aaf.auth.cm.data.CertDrop;
+import org.onap.aaf.auth.cm.data.CertRenew;
+import org.onap.aaf.auth.cm.data.CertReq;
+import org.onap.aaf.auth.cm.data.CertResp;
+import org.onap.aaf.auth.dao.cass.ArtiDAO;
+import org.onap.aaf.auth.dao.cass.CertDAO;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+
+public interface Mapper<REQ,CERT,ARTIFACTS,ERROR>
+{
+	public enum API{ERROR,VOID,CERT,CERT_REQ,CERT_RENEW,CERT_DROP,ARTIFACTS};
+	
+	public Class<?> getClass(API api);
+	public<A> A newInstance(API api);
+
+	public ERROR errorFromMessage(StringBuilder holder, String msgID, String text, String... detail);
+	
+	public Result<CERT> toCert(AuthzTrans trans, Result<CertResp> in, boolean withTrustChain) throws IOException;
+	public Result<CERT> toCert(AuthzTrans trans, Result<List<CertDAO.Data>> in);
+
+	public Result<CertReq> toReq(AuthzTrans trans, REQ req);
+	public Result<CertRenew> toRenew(AuthzTrans trans, REQ req);
+	public Result<CertDrop>  toDrop(AuthzTrans trans, REQ req);
+	
+	public List<ArtiDAO.Data> toArtifact(AuthzTrans trans, ARTIFACTS arti);
+	public Result<ARTIFACTS> fromArtifacts(Result<List<ArtiDAO.Data>> readArtifactsByMachine);
+}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java
new file mode 100644
index 00000000..3d865d30
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java
@@ -0,0 +1,274 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cm.mapper;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.onap.aaf.auth.cm.data.CertDrop;
+import org.onap.aaf.auth.cm.data.CertRenew;
+import org.onap.aaf.auth.cm.data.CertReq;
+import org.onap.aaf.auth.cm.data.CertResp;
+import org.onap.aaf.auth.cm.validation.CertmanValidator;
+import org.onap.aaf.auth.dao.cass.ArtiDAO;
+import org.onap.aaf.auth.dao.cass.CertDAO;
+import org.onap.aaf.auth.dao.cass.ArtiDAO.Data;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.cadi.util.FQI;
+import org.onap.aaf.cadi.util.Vars;
+
+import aaf.v2_0.Error;
+import certman.v1_0.Artifacts;
+import certman.v1_0.Artifacts.Artifact;
+import certman.v1_0.BaseRequest;
+import certman.v1_0.CertInfo;
+import certman.v1_0.CertificateDrop;
+import certman.v1_0.CertificateRenew;
+import certman.v1_0.CertificateRequest;
+
+
+public class Mapper1_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
+	
+	@Override
+	public Class<?> getClass(API api) {
+		switch(api) {
+			case CERT_REQ: return CertificateRequest.class;
+			case CERT_RENEW: return CertificateRenew.class;
+			case CERT_DROP: return CertificateDrop.class;
+			case CERT: return CertInfo.class;
+			case ARTIFACTS: return Artifacts.class;
+			case ERROR: return Error.class;
+			case VOID: return Void.class;
+		}
+		return null;
+	}
+
+	@SuppressWarnings("unchecked")
+	@Override
+	public <A> A newInstance(API api) {
+		switch(api) {
+			case CERT_REQ: return (A) new CertificateRequest();
+			case CERT_RENEW: return (A) new CertificateRenew();
+			case CERT_DROP: return (A) new CertificateDrop();
+			case CERT: return (A) new CertInfo();
+			case ARTIFACTS: return (A) new Artifacts();
+			case ERROR: return (A)new Error();
+			case VOID: return null;
+		}
+		return null;
+	}
+
+	//////////////  Mapping Functions /////////////
+	@Override
+	public Error errorFromMessage(StringBuilder holder, String msgID, String text, String... var) {
+		Error err = new Error();
+		err.setMessageId(msgID);
+		// AT&T Restful Error Format requires numbers "%" placements
+		err.setText(Vars.convert(holder, text, var));
+		for(String s : var) {
+			err.getVariables().add(s);
+		}
+		return err;
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.certman.mapper.Mapper#toCert(org.onap.aaf.auth.env.test.AuthzTrans, org.onap.aaf.auth.layer.test.Result)
+	 */
+	@Override
+	public Result<CertInfo> toCert(AuthzTrans trans, Result<CertResp> in, boolean withTrustChain) throws IOException {
+		if(in.isOK()) {
+			CertResp cin = in.value;
+			CertInfo cout = newInstance(API.CERT);
+			cout.setPrivatekey(cin.privateString());
+			String value;
+			if((value=cin.challenge())!=null) {
+				cout.setChallenge(value);
+			}
+			cout.getCerts().add(cin.asCertString());
+			if(cin.trustChain()!=null) {
+				for(String c : cin.trustChain()) {
+					if(c!=null) {
+						cout.getCerts().add(c);
+					}
+				}
+			}
+			// Adding all the Certs in one response is a mistake.  Makes it very hard for Agent to setup 
+			// Certs in keystore versus Truststore.  Separate in Version 2_0
+			if(cin.trustCAs()!=null) {
+				for(String c : cin.trustCAs()) {
+					if(c!=null) {
+						cout.getCerts().add(c);
+					} 
+				}
+			}
+			if(cin.notes()!=null) {
+				boolean first = true;
+				StringBuilder sb = new StringBuilder();
+				for(String n : cin.notes()) {
+					if(first) {
+						first = false;
+					} else {
+						sb.append('\n');
+					}
+					sb.append(n);
+				}
+				cout.setNotes(sb.toString());
+			}
+			cout.getCaIssuerDNs().addAll(cin.caIssuerDNs());
+			cout.setEnv(cin.env());
+			return Result.ok(cout);
+		} else {
+			return Result.err(in);
+		}
+	}
+
+	@Override
+	public Result<CertInfo> toCert(AuthzTrans trans, Result<List<CertDAO.Data>> in) {
+		if(in.isOK()) {
+			CertInfo cout = newInstance(API.CERT);
+			List<String> certs = cout.getCerts();
+			for(CertDAO.Data cdd : in.value) {
+				certs.add(cdd.x509);
+			}
+			return Result.ok(cout);
+		} else {
+			return Result.err(in);
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.certman.mapper.Mapper#toReq(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object)
+	 */
+	@Override
+	public Result<CertReq> toReq(AuthzTrans trans, BaseRequest req) {
+		CertificateRequest in;
+		try {
+			in = (CertificateRequest)req;
+		} catch(ClassCastException e) {
+			return Result.err(Result.ERR_BadData,"Request is not a CertificateRequest");
+		}
+
+		CertReq out = new CertReq();
+		CertmanValidator v = new CertmanValidator();
+		v.isNull("CertRequest", req)
+			.nullOrBlank("MechID", out.mechid=in.getMechid());
+		v.nullBlankMin("FQDNs", out.fqdns=in.getFqdns(),1);
+		if(v.err()) {
+			return Result.err(Result.ERR_BadData, v.errs());
+		}
+		out.emails = in.getEmail();
+		out.sponsor=in.getSponsor();
+		out.start = in.getStart();
+		out.end = in.getEnd();
+		out.fqdns = in.getFqdns();
+		return Result.ok(out);
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.certman.mapper.Mapper#toRenew(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object)
+	 */
+	@Override
+	public Result<CertRenew> toRenew(AuthzTrans trans, BaseRequest req) {
+		return Result.err(Result.ERR_NotImplemented,"Not Implemented... yet");
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.certman.mapper.Mapper#toDrop(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object)
+	 */
+	@Override
+	public Result<CertDrop> toDrop(AuthzTrans trans, BaseRequest req) {
+		return Result.err(Result.ERR_NotImplemented,"Not Implemented... yet");
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.cm.mapper.Mapper#toArtifact(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object)
+	 */
+	@Override
+	public List<ArtiDAO.Data> toArtifact(AuthzTrans trans, Artifacts artifacts) {
+		List<ArtiDAO.Data> ladd = new ArrayList<ArtiDAO.Data>();
+		for(Artifact arti : artifacts.getArtifact()) {
+			ArtiDAO.Data data = new ArtiDAO.Data();
+			data.mechid = arti.getMechid();
+			data.machine = arti.getMachine();
+			data.type(true).addAll(arti.getType());
+			data.ca = arti.getCa();
+			data.dir = arti.getDir();
+			data.os_user = arti.getOsUser();
+			// Optional (on way in)
+			data.ns = arti.getNs();
+			data.renewDays = arti.getRenewDays();
+			data.notify = arti.getNotification();
+			
+			// Ignored on way in for create/update
+			data.sponsor = arti.getSponsor();
+			data.expires = null;
+			
+			// Derive Optional Data from Machine (Domain) if exists
+			if(data.machine!=null) {
+				if(data.ca==null) {
+					if(data.machine.endsWith(".att.com")) {
+						data.ca = "aaf"; // default
+					}
+				}
+				if(data.ns==null ) {
+					data.ns=FQI.reverseDomain(data.machine);
+				}
+			}
+			data.sans(true).addAll(arti.getSans());
+			ladd.add(data);
+		}
+		return ladd;
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.cm.mapper.Mapper#fromArtifacts(org.onap.aaf.auth.layer.test.Result)
+	 */
+	@Override
+	public Result<Artifacts> fromArtifacts(Result<List<Data>> lArtiDAO) {
+		if(lArtiDAO.isOK()) {
+			Artifacts artis = new Artifacts();
+			for(ArtiDAO.Data arti : lArtiDAO.value) {
+				Artifact a = new Artifact();
+				a.setMechid(arti.mechid);
+				a.setMachine(arti.machine);
+				a.setSponsor(arti.sponsor);
+				a.setNs(arti.ns);
+				a.setCa(arti.ca);
+				a.setDir(arti.dir);
+				a.getType().addAll(arti.type(false));
+				a.setOsUser(arti.os_user);
+				a.setRenewDays(arti.renewDays);
+				a.setNotification(arti.notify);
+				a.getSans().addAll(arti.sans(false));
+				artis.getArtifact().add(a);
+			}
+			return Result.ok(artis);
+		} else {
+			return Result.err(lArtiDAO);
+		}
+	}
+	
+	
+
+}
+\ No newline at end of file
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java
new file mode 100644
index 00000000..13123bdf
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java
@@ -0,0 +1,268 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cm.mapper;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.onap.aaf.auth.cm.data.CertDrop;
+import org.onap.aaf.auth.cm.data.CertRenew;
+import org.onap.aaf.auth.cm.data.CertReq;
+import org.onap.aaf.auth.cm.data.CertResp;
+import org.onap.aaf.auth.cm.validation.CertmanValidator;
+import org.onap.aaf.auth.dao.cass.ArtiDAO;
+import org.onap.aaf.auth.dao.cass.ArtiDAO.Data;
+import org.onap.aaf.auth.dao.cass.CertDAO;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.cadi.util.FQI;
+import org.onap.aaf.cadi.util.Vars;
+
+import aaf.v2_0.Error;
+import certman.v1_0.Artifacts;
+import certman.v1_0.Artifacts.Artifact;
+import certman.v1_0.BaseRequest;
+import certman.v1_0.CertInfo;
+import certman.v1_0.CertificateDrop;
+import certman.v1_0.CertificateRenew;
+import certman.v1_0.CertificateRequest;
+
+
+public class Mapper2_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
+	
+	@Override
+	public Class<?> getClass(API api) {
+		switch(api) {
+			case CERT_REQ: return CertificateRequest.class;
+			case CERT_RENEW: return CertificateRenew.class;
+			case CERT_DROP: return CertificateDrop.class;
+			case CERT: return CertInfo.class;
+			case ARTIFACTS: return Artifacts.class;
+			case ERROR: return Error.class;
+			case VOID: return Void.class;
+		}
+		return null;
+	}
+
+	@SuppressWarnings("unchecked")
+	@Override
+	public <A> A newInstance(API api) {
+		switch(api) {
+			case CERT_REQ: return (A) new CertificateRequest();
+			case CERT_RENEW: return (A) new CertificateRenew();
+			case CERT_DROP: return (A) new CertificateDrop();
+			case CERT: return (A) new CertInfo();
+			case ARTIFACTS: return (A) new Artifacts();
+			case ERROR: return (A)new Error();
+			case VOID: return null;
+		}
+		return null;
+	}
+
+	//////////////  Mapping Functions /////////////
+	@Override
+	public Error errorFromMessage(StringBuilder holder, String msgID, String text, String... var) {
+		Error err = new Error();
+		err.setMessageId(msgID);
+		// AT&T Restful Error Format requires numbers "%" placements
+		err.setText(Vars.convert(holder, text, var));
+		for(String s : var) {
+			err.getVariables().add(s);
+		}
+		return err;
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.certman.mapper.Mapper#toCert(org.onap.aaf.auth.env.test.AuthzTrans, org.onap.aaf.auth.layer.test.Result)
+	 */
+	/* (non-Javadoc)
+	 * @see com.att.authz.certman.mapper.Mapper#toCert(org.onap.aaf.auth.env.test.AuthzTrans, org.onap.aaf.auth.layer.test.Result)
+	 */
+	@Override
+	public Result<CertInfo> toCert(AuthzTrans trans, Result<CertResp> in, boolean withTrustChain) throws IOException {
+		if(in.isOK()) {
+			CertResp cin = in.value;
+			CertInfo cout = newInstance(API.CERT);
+			cout.setPrivatekey(cin.privateString());
+			String value;
+			if((value=cin.challenge())!=null) {
+				cout.setChallenge(value);
+			}
+			cout.getCerts().add(cin.asCertString());
+			if(cin.trustChain()!=null) {
+				for(String c : cin.trustChain()) {
+					cout.getCerts().add(c);
+				}
+			}
+			if(cin.notes()!=null) {
+				boolean first = true;
+				StringBuilder sb = new StringBuilder();
+				for(String n : cin.notes()) {
+					if(first) {
+						first = false;
+					} else {
+						sb.append('\n');
+					}
+					sb.append(n);
+				}
+				cout.setNotes(sb.toString());
+			}
+			cout.getCaIssuerDNs().addAll(cin.caIssuerDNs());
+			cout.setEnv(cin.env());
+			return Result.ok(cout);
+		} else {
+			return Result.err(in);
+		}
+	}
+
+
+	@Override
+	public Result<CertInfo> toCert(AuthzTrans trans, Result<List<CertDAO.Data>> in) {
+		if(in.isOK()) {
+			CertInfo cout = newInstance(API.CERT);
+			List<String> certs = cout.getCerts();
+			for(CertDAO.Data cdd : in.value) {
+				certs.add(cdd.x509);
+			}
+			return Result.ok(cout);
+		} else {
+			return Result.err(in);
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.certman.mapper.Mapper#toReq(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object)
+	 */
+	@Override
+	public Result<CertReq> toReq(AuthzTrans trans, BaseRequest req) {
+		CertificateRequest in;
+		try {
+			in = (CertificateRequest)req;
+		} catch(ClassCastException e) {
+			return Result.err(Result.ERR_BadData,"Request is not a CertificateRequest");
+		}
+
+		CertReq out = new CertReq();
+		CertmanValidator v = new CertmanValidator();
+		v.isNull("CertRequest", req)
+			.nullOrBlank("MechID", out.mechid=in.getMechid());
+		v.nullBlankMin("FQDNs", out.fqdns=in.getFqdns(),1);
+		if(v.err()) {
+			return Result.err(Result.ERR_BadData, v.errs());
+		}
+
+		out.emails = in.getEmail();
+		out.sponsor=in.getSponsor();
+		out.start = in.getStart();
+		out.end = in.getEnd();
+		out.fqdns = in.getFqdns();
+		return Result.ok(out);
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.certman.mapper.Mapper#toRenew(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object)
+	 */
+	@Override
+	public Result<CertRenew> toRenew(AuthzTrans trans, BaseRequest req) {
+		return Result.err(Result.ERR_NotImplemented,"Not Implemented... yet");
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.certman.mapper.Mapper#toDrop(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object)
+	 */
+	@Override
+	public Result<CertDrop> toDrop(AuthzTrans trans, BaseRequest req) {
+		return Result.err(Result.ERR_NotImplemented,"Not Implemented... yet");
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.cm.mapper.Mapper#toArtifact(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object)
+	 */
+	@Override
+	public List<ArtiDAO.Data> toArtifact(AuthzTrans trans, Artifacts artifacts) {
+		List<ArtiDAO.Data> ladd = new ArrayList<ArtiDAO.Data>();
+		for(Artifact arti : artifacts.getArtifact()) {
+			ArtiDAO.Data data = new ArtiDAO.Data();
+			data.mechid = arti.getMechid();
+			data.machine = arti.getMachine();
+			data.type(true).addAll(arti.getType());
+			data.ca = arti.getCa();
+			data.dir = arti.getDir();
+			data.os_user = arti.getOsUser();
+			// Optional (on way in)
+			data.ns = arti.getNs();
+			data.renewDays = arti.getRenewDays();
+			data.notify = arti.getNotification();
+			
+			// Ignored on way in for create/update
+			data.sponsor = arti.getSponsor();
+			data.expires = null;
+			
+			// Derive Optional Data from Machine (Domain) if exists
+			if(data.machine!=null) {
+				if(data.ca==null) {
+					if(data.machine.endsWith(".att.com")) {
+						data.ca = "aaf"; // default
+					}
+				}
+				if(data.ns==null ) {
+					data.ns=FQI.reverseDomain(data.machine);
+				}
+			}
+			data.sans(true).addAll(arti.getSans());
+			ladd.add(data);
+		}
+		return ladd;
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.cm.mapper.Mapper#fromArtifacts(org.onap.aaf.auth.layer.test.Result)
+	 */
+	@Override
+	public Result<Artifacts> fromArtifacts(Result<List<Data>> lArtiDAO) {
+		if(lArtiDAO.isOK()) {
+			Artifacts artis = new Artifacts();
+			for(ArtiDAO.Data arti : lArtiDAO.value) {
+				Artifact a = new Artifact();
+				a.setMechid(arti.mechid);
+				a.setMachine(arti.machine);
+				a.setSponsor(arti.sponsor);
+				a.setNs(arti.ns);
+				a.setCa(arti.ca);
+				a.setDir(arti.dir);
+				a.getType().addAll(arti.type(false));
+				a.setOsUser(arti.os_user);
+				a.setRenewDays(arti.renewDays);
+				a.setNotification(arti.notify);
+				a.getSans().addAll(arti.sans(false));
+				artis.getArtifact().add(a);
+			}
+			return Result.ok(artis);
+		} else {
+			return Result.err(lArtiDAO);
+		}
+	}
+	
+	
+
+}
+\ No newline at end of file
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
new file mode 100644
index 00000000..f6407d90
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
@@ -0,0 +1,693 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cm.service;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.nio.ByteBuffer;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.onap.aaf.auth.cm.AAF_CM;
+import org.onap.aaf.auth.cm.ca.CA;
+import org.onap.aaf.auth.cm.ca.X509andChain;
+import org.onap.aaf.auth.cm.cert.BCFactory;
+import org.onap.aaf.auth.cm.cert.CSRMeta;
+import org.onap.aaf.auth.cm.data.CertDrop;
+import org.onap.aaf.auth.cm.data.CertRenew;
+import org.onap.aaf.auth.cm.data.CertReq;
+import org.onap.aaf.auth.cm.data.CertResp;
+import org.onap.aaf.auth.cm.validation.CertmanValidator;
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.cass.ArtiDAO;
+import org.onap.aaf.auth.dao.cass.CacheInfoDAO;
+import org.onap.aaf.auth.dao.cass.CertDAO;
+import org.onap.aaf.auth.dao.cass.CertDAO.Data;
+import org.onap.aaf.auth.dao.cass.CredDAO;
+import org.onap.aaf.auth.dao.cass.HistoryDAO;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.auth.org.Organization.Identity;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.cadi.Hash;
+import org.onap.aaf.cadi.aaf.AAFPermission;
+import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.cadi.util.FQI;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.util.Chrono;
+
+
+public class CMService {
+	// If we add more CAs, may want to parameterize
+	private static final int STD_RENEWAL = 30;
+	private static final int MAX_RENEWAL = 60;
+	private static final int MIN_RENEWAL = 10;
+	
+	public static final String REQUEST = "request";
+	public static final String RENEW = "renew";
+	public static final String DROP = "drop";
+//	public static final String SANS = "san";
+	public static final String IPS = "ips";
+	public static final String DOMAIN = "domain";
+	
+	private static final String[] NO_NOTES = new String[0];
+	private final CertDAO certDAO;
+	private final CredDAO credDAO;
+	private final ArtiDAO artiDAO;
+//	private DAO<AuthzTrans, ?>[] daos;
+	private AAF_CM certman;
+
+//	@SuppressWarnings("unchecked")
+	public CMService(final AuthzTrans trans, AAF_CM certman) throws APIException, IOException {
+		// Jonathan 4/2015 SessionFilter unneeded... DataStax already deals with Multithreading well
+		
+		HistoryDAO hd = new HistoryDAO(trans,  certman.cluster, CassAccess.KEYSPACE);
+		CacheInfoDAO cid = new CacheInfoDAO(trans, hd);
+		certDAO = new CertDAO(trans, hd, cid);
+		credDAO = new CredDAO(trans, hd, cid);
+		artiDAO = new ArtiDAO(trans, hd, cid);
+		
+//		daos =(DAO<AuthzTrans, ?>[]) new DAO<?,?>[] {
+//				hd,cid,certDAO,credDAO,artiDAO
+//		};
+//
+		this.certman = certman;
+	}
+	
+	public Result<CertResp> requestCert(final AuthzTrans trans,final Result<CertReq> req, final CA ca) {
+		if(req.isOK()) {
+
+			if(req.value.fqdns.isEmpty()) {
+				return Result.err(Result.ERR_BadData,"No Machines passed in Request");
+			}
+			
+			String key = req.value.fqdns.get(0);
+			
+			// Policy 6: Requester must be granted Change permission in Namespace requested
+			String mechNS = FQI.reverseDomain(req.value.mechid);
+			if(mechNS==null) {
+				return Result.err(Status.ERR_Denied, "%s does not reflect a valid AAF Namespace",req.value.mechid);
+			}
+			
+
+			// Disallow non-AAF CA without special permission
+			if(!ca.getName().equals("aaf") && !trans.fish( new AAFPermission(mechNS+".certman", ca.getName(), REQUEST))) {
+				return Result.err(Status.ERR_Denied, "'%s' does not have permission to request Certificates from Certificate Authority '%s'", 
+						trans.user(),ca.getName());
+			}
+
+			List<String> notes = null;
+			List<String> fqdns = new ArrayList<String>(req.value.fqdns);
+			
+			
+			String email = null;
+
+			try {
+				Organization org = trans.org();
+				
+				InetAddress primary = null;
+				// Organize incoming information to get to appropriate Artifact
+				if(fqdns.size()>=1) {
+					// Accept domain wild cards, but turn into real machines
+					// Need *domain.com:real.machine.domain.com:san.machine.domain.com:...
+					if(fqdns.get(0).startsWith("*")) { // Domain set
+						if(!trans.fish(new AAFPermission(ca.getPermType(), ca.getName(), DOMAIN))) {
+							return Result.err(Result.ERR_Denied, "Domain based Authorizations (" + fqdns.get(0) + ") requires Exception");
+						}
+						
+						//TODO check for Permission in Add Artifact?
+						String domain = fqdns.get(0).substring(1);
+						fqdns.remove(0);
+						if(fqdns.size()>=1) {
+							InetAddress ia = InetAddress.getByName(fqdns.get(0));
+							if(ia==null) {
+								return Result.err(Result.ERR_Denied, "Request not made from matching IP matching domain");
+							} else if(ia.getHostName().endsWith(domain)) {
+								primary = ia;
+							}
+						} else {
+							return Result.err(Result.ERR_Denied, "Requests using domain require machine declaration");
+						}
+					
+	 				} else {
+						for(String cn : req.value.fqdns) {
+							try {
+								InetAddress[] ias = InetAddress.getAllByName(cn);
+								Set<String> potentialSanNames = new HashSet<String>();
+								for(InetAddress ia1 : ias) {
+									InetAddress ia2 = InetAddress.getByAddress(ia1.getAddress());
+									if(primary==null && ias.length==1 && trans.ip().equals(ia1.getHostAddress())) {
+										primary = ia1;
+									} else if(!cn.equals(ia1.getHostName()) && !ia2.getHostName().equals(ia2.getHostAddress())) {
+										potentialSanNames.add(ia1.getHostName());
+									}
+								}
+							} catch (UnknownHostException e1) {
+								return Result.err(Result.ERR_BadData,"There is no DNS lookup for %s",cn);
+							}
+						
+						}
+					}
+				}
+				
+				if(primary==null) {
+					return Result.err(Result.ERR_Denied, "Request not made from matching IP (%s)",trans.ip());
+//					return Result.err(Result.ERR_BadData,"Calling Machine does not match DNS lookup for %s",req.value.fqdns.get(0));
+				}
+				
+				ArtiDAO.Data add = null;
+				Result<List<ArtiDAO.Data>> ra = artiDAO.read(trans, req.value.mechid,primary.getHostAddress());
+				if(ra.isOKhasData()) {
+					if(add==null) {
+						add = ra.value.get(0); // single key
+					}
+				} else {
+					 ra = artiDAO.read(trans, req.value.mechid,key);
+					 if(ra.isOKhasData()) { // is the Template available?
+						 add = ra.value.get(0);
+						 add.machine=primary.getHostName();
+						 for(String s : fqdns) {
+							  if(!s.equals(add.machine)) {
+								  add.sans(true).add(s);
+							  }
+						 }
+						 Result<ArtiDAO.Data> rc = artiDAO.create(trans, add); // Create new Artifact from Template
+						 if(rc.notOK()) {
+							 return Result.err(rc);
+						 }
+					 } else {
+						 add = ra.value.get(0);
+					 }
+				}
+				
+				// Add Artifact listed FQDNs
+				if(add.sans!=null) {
+					for(String s : add.sans) {
+						if(!fqdns.contains(s)) {
+							fqdns.add(s);
+						}
+					}
+				}
+
+				// Policy 2: If Config marked as Expired, do not create or renew
+				Date now = new Date();
+				if(add.expires!=null && now.after(add.expires)) {
+					return Result.err(Result.ERR_Policy,"Configuration for %s %s is expired %s",add.mechid,add.machine,Chrono.dateFmt.format(add.expires));
+				}
+				
+				// Policy 3: MechID must be current
+				Identity muser = org.getIdentity(trans, add.mechid);
+				if(muser == null) {
+					return Result.err(Result.ERR_Policy,"MechID must exist in %s",org.getName());
+				}
+				
+				// Policy 4: Sponsor must be current
+				Identity ouser = muser.responsibleTo();
+				if(ouser==null) {
+					return Result.err(Result.ERR_Policy,"%s does not have a current sponsor at %s",add.mechid,org.getName());
+				} else if(!ouser.isFound() || ouser.mayOwn()!=null) {
+					return Result.err(Result.ERR_Policy,"%s reports that %s cannot be responsible for %s",org.getName(),trans.user());
+				}
+				
+				// Set Email from most current Sponsor
+				email = ouser.email();
+				
+				// Policy 5: keep Artifact data current
+				if(!ouser.fullID().equals(add.sponsor)) {
+					add.sponsor = ouser.fullID();
+					artiDAO.update(trans, add);
+				}
+		
+				// Policy 7: Caller must be the MechID or have specifically delegated permissions
+				if(!(trans.user().equals(req.value.mechid) || trans.fish(new AAFPermission(mechNS + ".certman", ca.getName() , "request")))) {
+					return Result.err(Status.ERR_Denied, "%s must have access to modify x509 certs in NS %s",trans.user(),mechNS);
+				}
+				
+				// Policy 8: SANs only allowed by Exception... need permission
+				// 7/25/2017 - SAN Permission no longer required. CSO
+//				if(fqdns.size()>1 && !certman.aafLurPerm.fish(
+//						new Principal() {
+//							@Override
+//							public String getName() {
+//								return req.value.mechid;
+//							}
+//						},
+//						new AAFPermission(ca.getPermType(), ca.getName(), SANS))) {
+//					if(notes==null) {notes = new ArrayList<String>();}
+//					notes.add("Warning: Subject Alternative Names only allowed by Permission: Get CSO Exception.");
+//					return Result.err(Status.ERR_Denied, "%s must have a CSO Exception to work with SAN",trans.user());
+//				}
+				
+				// Make sure Primary is the first in fqdns
+				if(fqdns.size()>1) {
+					for(int i=0;i<fqdns.size();++i) {
+						if(fqdns.get(i).equals(primary.getHostName())) {
+							if(i!=0) {
+								String tmp = fqdns.get(0);
+								fqdns.set(0, primary.getHostName());
+								fqdns.set(i, tmp);
+							}
+						}
+					}
+				}
+			} catch (Exception e) {
+				trans.error().log(e);
+				return Result.err(Status.ERR_Denied,"MechID Sponsorship cannot be determined at this time.  Try later");
+			}
+			
+			CSRMeta csrMeta;
+			try {
+				csrMeta = BCFactory.createCSRMeta(
+						ca, 
+						req.value.mechid, 
+						email, 
+						fqdns);
+				X509andChain x509ac = ca.sign(trans, csrMeta);
+				if(x509ac==null) {
+					return Result.err(Result.ERR_ActionNotCompleted,"x509 Certificate not signed by CA");
+				}
+				trans.info().printf("X509 Subject: %s", x509ac.getX509().getSubjectDN());
+//				for(String s: x509ac.getTrustChain()) {
+//					trans.warn().printf("Trust Cert: \n%s", s);
+//				}
+				
+				X509Certificate x509 = x509ac.getX509();
+				CertDAO.Data cdd = new CertDAO.Data();
+				cdd.ca=ca.getName();
+				cdd.serial=x509.getSerialNumber();
+				cdd.id=req.value.mechid;
+				cdd.x500=x509.getSubjectDN().getName();
+				cdd.x509=Factory.toString(trans, x509);
+				certDAO.create(trans, cdd);
+				
+				CredDAO.Data crdd = new CredDAO.Data();
+				crdd.other = Question.random.nextInt();
+				crdd.cred=getChallenge256SaltedHash(csrMeta.challenge(),crdd.other);
+				crdd.expires = x509.getNotAfter();
+				crdd.id = req.value.mechid;
+				crdd.ns = Question.domain2ns(crdd.id);
+				crdd.type = CredDAO.CERT_SHA256_RSA;
+				credDAO.create(trans, crdd);
+				
+				CertResp cr = new CertResp(trans, ca, x509, csrMeta, x509ac.getTrustChain(), ca.getTrustedCAs(), compileNotes(notes));
+				return Result.ok(cr);
+			} catch (Exception e) {
+				trans.error().log(e);
+				return Result.err(Result.ERR_ActionNotCompleted,e.getMessage());
+			}
+		} else {
+			return Result.err(req);
+		}
+	}
+
+    public Result<CertResp> renewCert(AuthzTrans trans, Result<CertRenew> renew) {
+		if(renew.isOK()) {
+			return Result.err(Result.ERR_NotImplemented,"Not implemented yet");
+		} else {
+			return Result.err(renew);
+		}	
+	}
+
+	public Result<Void> dropCert(AuthzTrans trans, Result<CertDrop> drop) {
+		if(drop.isOK()) {
+			return Result.err(Result.ERR_NotImplemented,"Not implemented yet");
+		} else {
+			return Result.err(drop);
+		}	
+	}
+
+	public Result<List<Data>> readCertsByMechID(AuthzTrans trans, String mechID) {
+		// Policy 1: To Read, must have NS Read or is Sponsor
+		String ns = Question.domain2ns(mechID);
+		try {
+			if( trans.user().equals(mechID)
+					|| trans.fish(new AAFPermission(ns + ".access", "*", "read"))
+					|| (trans.org().validate(trans,Organization.Policy.OWNS_MECHID,null,mechID))==null) {
+				return certDAO.readID(trans, mechID);
+			} else {
+				return Result.err(Result.ERR_Denied,"%s is not the ID, Sponsor or NS Owner/Admin for %s at %s",
+						trans.user(),mechID,trans.org().getName());
+			}
+		} catch(OrganizationException e) {
+			return Result.err(e);
+		}
+	}
+
+	public Result<CertResp> requestPersonalCert(AuthzTrans trans, CA ca) {
+		if(ca.inPersonalDomains(trans.getUserPrincipal())) {
+			Organization org = trans.org();
+				
+			// Policy 1: MechID must be current
+			Identity ouser;
+			try {
+				ouser = org.getIdentity(trans, trans.user());
+			} catch (OrganizationException e1) {
+				trans.error().log(e1);
+				ouser = null;
+			}
+			if(ouser == null) {
+				return Result.err(Result.ERR_Policy,"Requesting User must exist in %s",org.getName());
+			}
+				
+			// Set Email from most current Sponsor
+				
+			CSRMeta csrMeta;
+			try {
+				csrMeta = BCFactory.createPersonalCSRMeta(
+						ca, 
+						trans.user(), 
+						ouser.email());
+				X509andChain x509ac = ca.sign(trans, csrMeta);
+				if(x509ac==null) {
+					return Result.err(Result.ERR_ActionNotCompleted,"x509 Certificate not signed by CA");
+				}
+				X509Certificate x509 = x509ac.getX509();
+				CertDAO.Data cdd = new CertDAO.Data();
+				cdd.ca=ca.getName();
+				cdd.serial=x509.getSerialNumber();
+				cdd.id=trans.user();
+				cdd.x500=x509.getSubjectDN().getName();
+				cdd.x509=Factory.toString(trans, x509);
+				certDAO.create(trans, cdd);
+				
+				CertResp cr = new CertResp(trans, ca, x509, csrMeta, x509ac.getTrustChain(), ca.getTrustedCAs(), compileNotes(null));
+				return Result.ok(cr);
+			} catch (Exception e) {
+				trans.error().log(e);
+				return Result.err(Result.ERR_ActionNotCompleted,e.getMessage());
+			}
+		} else {
+			return Result.err(Result.ERR_Denied,trans.user()," not supported for CA",ca.getName());
+		}
+	}
+
+	///////////////
+	// Artifact
+	//////////////
+	public Result<Void> createArtifact(AuthzTrans trans, List<ArtiDAO.Data> list) {
+		CertmanValidator v = new CertmanValidator().artisRequired(list, 1);
+		if(v.err()) {
+			return Result.err(Result.ERR_BadData,v.errs());
+		}
+		for(ArtiDAO.Data add : list) {
+			try {
+				// Policy 1: MechID must exist in Org
+				Identity muser = trans.org().getIdentity(trans, add.mechid);
+				if(muser == null) {
+					return Result.err(Result.ERR_Denied,"%s is not valid for %s", add.mechid,trans.org().getName());
+				}
+				
+				// Policy 2: MechID must have valid Organization Owner
+				Identity ouser = muser.responsibleTo();
+				if(ouser == null) {
+					return Result.err(Result.ERR_Denied,"%s is not a valid Sponsor for %s at %s",
+							trans.user(),add.mechid,trans.org().getName());
+				}
+				
+				// Policy 3: Calling ID must be MechID Owner
+				if(!trans.user().equals(ouser.fullID())) {
+					return Result.err(Result.ERR_Denied,"%s is not the Sponsor for %s at %s",
+							trans.user(),add.mechid,trans.org().getName());
+				}
+
+				// Policy 4: Renewal Days are between 10 and 60 (constants, may be parameterized)
+				if(add.renewDays<MIN_RENEWAL) {
+					add.renewDays = STD_RENEWAL;
+				} else if(add.renewDays>MAX_RENEWAL) {
+					add.renewDays = MAX_RENEWAL;
+				}
+				
+				// Policy 5: If Notify is blank, set to Owner's Email
+				if(add.notify==null || add.notify.length()==0) {
+					add.notify = "mailto:"+ouser.email();
+				}
+				
+				// Policy 6: Only do Domain by Exception
+				if(add.machine.startsWith("*")) { // Domain set
+					CA ca = certman.getCA(add.ca);
+
+
+					if(!trans.fish(new AAFPermission(ca.getPermType(), add.ca, DOMAIN))) {
+						return Result.err(Result.ERR_Denied,"Domain Artifacts (%s) requires specific Permission",
+							add.machine);
+					}
+				}
+
+				// Set Sponsor from Golden Source
+				add.sponsor = ouser.fullID();
+				
+				
+			} catch (OrganizationException e) {
+				return Result.err(e);
+			}
+			// Add to DB
+			Result<ArtiDAO.Data> rv = artiDAO.create(trans, add);
+			// TODO come up with Partial Reporting Scheme, or allow only one at a time.
+			if(rv.notOK()) {
+				return Result.err(rv);
+			}
+		}
+		return Result.ok();
+	}
+
+	public Result<List<ArtiDAO.Data>> readArtifacts(AuthzTrans trans, ArtiDAO.Data add) throws OrganizationException {
+		CertmanValidator v = new CertmanValidator().keys(add);
+		if(v.err()) {
+			return Result.err(Result.ERR_BadData,v.errs());
+		}
+		Result<List<ArtiDAO.Data>> data = artiDAO.read(trans, add);
+		if(data.notOKorIsEmpty()) {
+			return data;
+		}
+		add = data.value.get(0);
+		if( trans.user().equals(add.mechid)
+			|| trans.fish(new AAFPermission(add.ns + ".access", "*", "read"))
+			|| trans.fish(new AAFPermission(add.ns+".certman",add.ca,"read"))
+			|| trans.fish(new AAFPermission(add.ns+".certman",add.ca,"request"))
+			|| (trans.org().validate(trans,Organization.Policy.OWNS_MECHID,null,add.mechid))==null) {
+			return data;
+		} else {
+			return Result.err(Result.ERR_Denied,"%s is not %s, is not the sponsor, and doesn't have delegated permission.",trans.user(),add.mechid,add.ns+".certman|"+add.ca+"|read or ...|request"); // note: reason is set by 2nd case, if 1st case misses
+		}
+
+	}
+
+	public Result<List<ArtiDAO.Data>> readArtifactsByMechID(AuthzTrans trans, String mechid) throws OrganizationException {
+		CertmanValidator v = new CertmanValidator();
+		v.nullOrBlank("mechid", mechid);
+		if(v.err()) {
+			return Result.err(Result.ERR_BadData,v.errs());
+		}
+		String ns = FQI.reverseDomain(mechid);
+		
+		String reason;
+		if(trans.fish(new AAFPermission(ns + ".access", "*", "read"))
+			|| (reason=trans.org().validate(trans,Organization.Policy.OWNS_MECHID,null,mechid))==null) {
+			return artiDAO.readByMechID(trans, mechid);
+		} else {
+			return Result.err(Result.ERR_Denied,reason); // note: reason is set by 2nd case, if 1st case misses
+		}
+
+	}
+
+	public Result<List<ArtiDAO.Data>> readArtifactsByMachine(AuthzTrans trans, String machine) {
+		CertmanValidator v = new CertmanValidator();
+		v.nullOrBlank("machine", machine);
+		if(v.err()) {
+			return Result.err(Result.ERR_BadData,v.errs());
+		}
+		
+		// TODO do some checks?
+
+		Result<List<ArtiDAO.Data>> rv = artiDAO.readByMachine(trans, machine);
+		return rv;
+	}
+
+	public Result<List<ArtiDAO.Data>> readArtifactsByNs(AuthzTrans trans, String ns) {
+		CertmanValidator v = new CertmanValidator();
+		v.nullOrBlank("ns", ns);
+		if(v.err()) {
+			return Result.err(Result.ERR_BadData,v.errs());
+		}
+		
+		// TODO do some checks?
+
+		Result<List<ArtiDAO.Data>> rv = artiDAO.readByNs(trans, ns);
+		return rv;
+	}
+
+
+	public Result<Void> updateArtifact(AuthzTrans trans, List<ArtiDAO.Data> list) throws OrganizationException {
+		CertmanValidator v = new CertmanValidator();
+		v.artisRequired(list, 1);
+		if(v.err()) {
+			return Result.err(Result.ERR_BadData,v.errs());
+		}
+		
+		// Check if requesting User is Sponsor
+		//TODO - Shall we do one, or multiples?
+		for(ArtiDAO.Data add : list) {
+			// Policy 1: MechID must exist in Org
+			Identity muser = trans.org().getIdentity(trans, add.mechid);
+			if(muser == null) {
+				return Result.err(Result.ERR_Denied,"%s is not valid for %s", add.mechid,trans.org().getName());
+			}
+			
+			// Policy 2: MechID must have valid Organization Owner
+			Identity ouser = muser.responsibleTo();
+			if(ouser == null) {
+				return Result.err(Result.ERR_Denied,"%s is not a valid Sponsor for %s at %s",
+						trans.user(),add.mechid,trans.org().getName());
+			}
+
+			// Policy 3: Renewal Days are between 10 and 60 (constants, may be parameterized)
+			if(add.renewDays<MIN_RENEWAL) {
+				add.renewDays = STD_RENEWAL;
+			} else if(add.renewDays>MAX_RENEWAL) {
+				add.renewDays = MAX_RENEWAL;
+			}
+
+			// Policy 4: Data is always updated with the latest Sponsor
+			// Add to Sponsor, to make sure we are always up to date.
+			add.sponsor = ouser.fullID();
+
+			// Policy 5: If Notify is blank, set to Owner's Email
+			if(add.notify==null || add.notify.length()==0) {
+				add.notify = "mailto:"+ouser.email();
+			}
+			// Policy 6: Only do Domain by Exception
+			if(add.machine.startsWith("*")) { // Domain set
+				CA ca = certman.getCA(add.ca);
+				if(ca==null) {
+					return Result.err(Result.ERR_BadData, "CA is required in Artifact");
+				}
+				if(!trans.fish(new AAFPermission(ca.getPermType(), add.ca, DOMAIN))) {
+					return Result.err(Result.ERR_Denied,"Domain Artifacts (%s) requires specific Permission",
+						add.machine);
+				}
+			}
+
+			// Policy 7: only Owner may update info
+			if(trans.user().equals(add.sponsor)) {
+				return artiDAO.update(trans, add);
+			} else {
+				return Result.err(Result.ERR_Denied,"%s may not update info for %s",trans.user(),muser.fullID());
+			}
+		}
+		return Result.err(Result.ERR_BadData,"No Artifacts to update");
+	}
+	
+	public Result<Void> deleteArtifact(AuthzTrans trans, String mechid, String machine) throws OrganizationException {
+		CertmanValidator v = new CertmanValidator();
+		v.nullOrBlank("mechid", mechid)
+		 .nullOrBlank("machine", machine);
+		if(v.err()) {
+			return Result.err(Result.ERR_BadData,v.errs());
+		}
+
+		Result<List<ArtiDAO.Data>> rlad = artiDAO.read(trans, mechid, machine);
+		if(rlad.notOKorIsEmpty()) {
+			return Result.err(Result.ERR_NotFound,"Artifact for %s %s does not exist.",mechid,machine);
+		}
+		
+		return deleteArtifact(trans,rlad.value.get(0));
+	}
+		
+	private Result<Void> deleteArtifact(AuthzTrans trans, ArtiDAO.Data add) throws OrganizationException {
+		// Policy 1: Record should be delete able only by Existing Sponsor.  
+		String sponsor=null;
+		Identity muser = trans.org().getIdentity(trans, add.mechid);
+		if(muser != null) {
+			Identity ouser = muser.responsibleTo();
+			if(ouser!=null) {
+				sponsor = ouser.fullID();
+			}
+		}
+		// Policy 1.a: If Sponsorship is deleted in system of Record, then 
+		// accept deletion by sponsor in Artifact Table
+		if(sponsor==null) {
+			sponsor = add.sponsor;
+		}
+		
+		String ns = FQI.reverseDomain(add.mechid);
+
+		if(trans.fish(new AAFPermission(ns + ".access", "*", "write"))
+				|| trans.user().equals(sponsor)) {
+			return artiDAO.delete(trans, add, false);
+		}
+		return null;
+	}
+
+	public Result<Void> deleteArtifact(AuthzTrans trans, List<ArtiDAO.Data> list) {
+		CertmanValidator v = new CertmanValidator().artisRequired(list, 1);
+		if(v.err()) {
+			return Result.err(Result.ERR_BadData,v.errs());
+		}
+
+		try {
+			boolean partial = false;
+			Result<Void> result=null;
+			for(ArtiDAO.Data add : list) {
+				result = deleteArtifact(trans, add);
+				if(result.notOK()) {
+					partial = true;
+				}
+			}
+			if(result == null) {
+				result = Result.err(Result.ERR_BadData,"No Artifacts to delete"); 
+			} else if(partial) {
+				result.partialContent(true);
+			}
+			return result;
+		} catch(Exception e) {
+			return Result.err(e);
+		}
+	}
+
+	private String[] compileNotes(List<String> notes) {
+		String[] rv;
+		if(notes==null) {
+			rv = NO_NOTES;
+		} else {
+			rv = new String[notes.size()];
+			notes.toArray(rv);
+		}
+		return rv;
+	}
+
+	private ByteBuffer getChallenge256SaltedHash(String challenge, int salt) throws NoSuchAlgorithmException {
+		ByteBuffer bb = ByteBuffer.allocate(Integer.SIZE + challenge.length());
+		bb.putInt(salt);
+		bb.put(challenge.getBytes());
+		byte[] hash = Hash.hashSHA256(bb.array());
+		return ByteBuffer.wrap(hash);
+	}
+}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/Code.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/Code.java
new file mode 100644
index 00000000..ce2ca065
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/Code.java
@@ -0,0 +1,45 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cm.service;
+
+import org.onap.aaf.auth.cm.AAF_CM;
+import org.onap.aaf.auth.cm.facade.Facade1_0;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.rserv.HttpCode;
+
+public abstract class Code extends HttpCode<AuthzTrans,Facade1_0> implements Cloneable {
+
+	public Code(AAF_CM cma, String description, String ... roles) {
+		super(cma.facade1_0, description, roles);
+		// Note, the first "Code" will be created with default Facade, "JSON".
+		// use clone for another Code with XML
+	}
+	
+
+	public <D extends Code> D clone(Facade1_0 facade) throws Exception {
+		@SuppressWarnings("unchecked")
+		D d = (D)clone();
+		d.context = facade;
+		return d;
+	}
+
+}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java
new file mode 100644
index 00000000..d3ce0ace
--- /dev/null
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java
@@ -0,0 +1,121 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cm.validation;
+
+import java.util.List;
+
+import org.onap.aaf.auth.dao.cass.ArtiDAO;
+import org.onap.aaf.auth.dao.cass.ArtiDAO.Data;
+import org.onap.aaf.auth.validation.Validator;
+
+/**
+ * Validator
+ * Consistently apply content rules for content (incoming)
+ * 
+ * Note: We restrict content for usability in URLs (because RESTful service), and avoid 
+ * issues with Regular Expressions, and other enabling technologies. 
+ * @author Jonathan
+ *
+ */
+public class CertmanValidator extends Validator{
+	// Repeated Msg fragments
+	private static final String MECHID = "mechid";
+	private static final String MACHINE = "machine";
+	private static final String ARTIFACT_LIST_IS_NULL = "Artifact List is null.";
+	private static final String Y = "y.";
+	private static final String IES = "ies.";
+	private static final String ENTR = " entr";
+	private static final String MUST_HAVE_AT_LEAST = " must have at least ";
+	private static final String IS_NULL = " is null.";
+	private static final String ARTIFACTS_MUST_HAVE_AT_LEAST = "Artifacts must have at least ";
+
+	public CertmanValidator nullBlankMin(String name, List<String> list, int min) {
+		if(list==null) {
+			msg(name + IS_NULL);
+		} else {
+			if(list.size()<min) {
+				msg(name + MUST_HAVE_AT_LEAST + min + ENTR + (min==1?Y:IES));
+			} else {
+				for(String s : list) {
+					nullOrBlank("List Item",s);
+				}
+			}
+		}
+		return this;
+	}
+
+	public CertmanValidator artisRequired(List<ArtiDAO.Data> list, int min) {
+		if(list==null) {
+			msg(ARTIFACT_LIST_IS_NULL);
+		} else {
+			if(list.size()<min) {
+				msg(ARTIFACTS_MUST_HAVE_AT_LEAST + min + ENTR + (min==1?Y:IES));
+			} else {
+				for(ArtiDAO.Data a : list) {
+					allRequired(a);
+				}
+			}
+		}
+		return this;
+	}
+
+	public CertmanValidator artisKeys(List<ArtiDAO.Data> list, int min) {
+		if(list==null) {
+			msg(ARTIFACT_LIST_IS_NULL);
+		} else {
+			if(list.size()<min) {
+				msg(ARTIFACTS_MUST_HAVE_AT_LEAST + min + ENTR + (min==1?Y:IES));
+			} else {
+				for(ArtiDAO.Data a : list) {
+					keys(a);
+				}
+			}
+		}
+		return this;
+	}
+
+
+	public CertmanValidator keys(ArtiDAO.Data add) {
+		if(add==null) {
+			msg("Artifact is null.");
+		} else {
+			nullOrBlank(MECHID, add.mechid);
+			nullOrBlank(MACHINE, add.machine);
+		}
+		return this;
+	}
+	
+	private CertmanValidator allRequired(Data a) {
+		if(a==null) {
+			msg("Artifact is null.");
+		} else {
+			nullOrBlank(MECHID, a.mechid);
+			nullOrBlank(MACHINE, a.machine);
+			nullOrBlank("ca",a.ca);
+			nullOrBlank("dir",a.dir);
+			nullOrBlank("os_user",a.os_user);
+			// Note: AppName, Notify & Sponsor are currently not required
+		}
+		return this;
+	}
+
+}
diff --git a/auth/auth-certman/src/test/.gitignore b/auth/auth-certman/src/test/.gitignore
new file mode 100644
index 00000000..e224b1ff
--- /dev/null
+++ b/auth/auth-certman/src/test/.gitignore
@@ -0,0 +1 @@
+/cmd/
diff --git a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/api/JU_API_Artifact.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/api/JU_API_Artifact.java
new file mode 100644
index 00000000..f50190d3
--- /dev/null
+++ b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/api/JU_API_Artifact.java
@@ -0,0 +1,107 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cm.api;
+
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.mock;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.junit.BeforeClass;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cm.AAF_CM;
+import org.onap.aaf.auth.cm.api.API_Artifact;
+import org.onap.aaf.auth.env.AuthzTrans;
+;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_API_Artifact {
+	
+	@Mock
+	private static API_Artifact api;
+	
+	@Mock
+	private static AAF_CM certManApi;
+	
+	private static AAF_CM noMockAPI;
+	private static API_Artifact api_1;
+	
+	private static HttpServletRequest req;
+	private static HttpServletResponse res;
+	
+	@BeforeClass
+	public static void setUp() {
+		AuthzTrans trans = mock(AuthzTrans.class);
+		req = mock(HttpServletRequest.class);
+		trans.setProperty("testTag", "UserValue");
+		trans.set(req);
+	}
+	
+	@Rule
+    public ExpectedException thrown= ExpectedException.none();
+	
+	@Test
+	public void init_bothValued() {
+		try {
+			api.init(certManApi);
+		} catch (Exception e) {
+			thrown.expect(NullPointerException.class);
+			e.printStackTrace();
+		}
+	}
+	
+	@Test
+	public void init_Null_() {
+		try {
+			api.init(null);
+		} catch (Exception e) {
+			//thrown.expect(Exception.class);
+			e.printStackTrace();
+		}
+	}
+	
+	@Test
+	public void init_NMC_Null() {
+		try {
+			api_1.init(null);
+		} catch (Exception e) {
+			//thrown.expect(NullPointerException.class);
+			e.printStackTrace();
+		}
+	}
+	
+	@Test
+	public void init_NMC() {
+		try {
+			api_1.init(noMockAPI);
+		} catch (Exception e) {
+			//thrown.expect(NullPointerException.class);
+			e.printStackTrace();
+		}
+	}
+}
diff --git a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/api/JU_API_Cert.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/api/JU_API_Cert.java
new file mode 100644
index 00000000..dbd66e41
--- /dev/null
+++ b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/api/JU_API_Cert.java
@@ -0,0 +1,107 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cm.api;
+
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.mock;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.junit.BeforeClass;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cm.AAF_CM;
+import org.onap.aaf.auth.cm.api.API_Cert;
+import org.onap.aaf.auth.env.AuthzTrans;
+;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_API_Cert {
+	
+	@Mock
+	private static API_Cert api;
+	
+	@Mock
+	private static AAF_CM certManApi;
+	
+	private static AAF_CM noMockAPI;
+	private static API_Cert api_1;
+	
+	private static HttpServletRequest req;
+	private static HttpServletResponse res;
+	
+	@BeforeClass
+	public static void setUp() {
+		AuthzTrans trans = mock(AuthzTrans.class);
+		req = mock(HttpServletRequest.class);
+		trans.setProperty("testTag", "UserValue");
+		trans.set(req);
+	}
+	
+	@Rule
+    public ExpectedException thrown= ExpectedException.none();
+	
+	@Test
+	public void init_bothValued() {
+		try {
+			api.init(certManApi);
+		} catch (Exception e) {
+			//thrown.expect(NullPointerException.class);
+			e.printStackTrace();
+		}
+	}
+	
+	@Test
+	public void init_Null_() {
+		try {
+			api.init(null);
+		} catch (Exception e) {
+			//thrown.expect(Exception.class);
+			e.printStackTrace();
+		}
+	}
+	
+	@Test
+	public void init_NMC_Null() {
+		try {
+			api_1.init(null);
+		} catch (Exception e) {
+			//thrown.expect(NullPointerException.class);
+			e.printStackTrace();
+		}
+	}
+	
+	@Test
+	public void init_NMC() {
+		try {
+			api_1.init(noMockAPI);
+		} catch (Exception e) {
+			//thrown.expect(NullPointerException.class);
+			e.printStackTrace();
+		}
+	}
+}
diff --git a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/ca/JU_AppCA.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/ca/JU_AppCA.java
new file mode 100644
index 00000000..f6d5cab1
--- /dev/null
+++ b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/ca/JU_AppCA.java
@@ -0,0 +1,283 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cm.ca;
+
+import static org.junit.Assert.assertNotNull;
+import static org.mockito.Mockito.CALLS_REAL_METHODS;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Principal;
+import java.security.PublicKey;
+import java.security.SignatureException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.Set;
+
+import javax.security.auth.x500.X500Principal;
+import javax.servlet.http.HttpServletRequest;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cm.ca.CA;
+import org.onap.aaf.auth.cm.cert.CSRMeta;
+import org.onap.aaf.auth.dao.cached.CachedCertDAO;
+import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.misc.env.Trans;
+
+//TODO: Gabe [JUnit] Import does not exist
+@RunWith(MockitoJUnitRunner.class)
+public class JU_AppCA {
+	
+	@Mock
+	private static CachedCertDAO certDAO;
+	
+	@Mock
+	private static HttpServletRequest req;
+	
+	@Mock
+	private static CSRMeta csrMeta;
+	
+	static Trans trans;
+	
+	static X509andChain cert1;
+	static byte [] name = {1,23,4,54,6,56};
+	
+	private static LocalCA localCA;
+	
+	@BeforeClass
+	public static void setUp() throws CertificateException, CertException, IOException {
+		String str = "core java api";
+        byte[] b = str.getBytes();
+		Principal prc = new X500Principal("CN=Duke, OU=JavaSoft, O=Sun Microsystems, C=US");
+		req = mock(HttpServletRequest.class);
+		localCA = mock(LocalCA.class);
+		X509Certificate cert = new X509Certificate() {
+			
+			@Override
+			public boolean hasUnsupportedCriticalExtension() {
+				return false;
+			}
+			
+			@Override
+			public Set<String> getNonCriticalExtensionOIDs() {
+				 
+				return null;
+			}
+			
+			@Override
+			public byte[] getExtensionValue(String oid) {
+				 
+				return null;
+			}
+			
+			@Override
+			public Set<String> getCriticalExtensionOIDs() {
+				 
+				return null;
+			}
+			
+			@Override
+			public void verify(PublicKey key, String sigProvider) throws CertificateException, NoSuchAlgorithmException,
+					InvalidKeyException, NoSuchProviderException, SignatureException {
+				 
+				
+			}
+			
+			@Override
+			public void verify(PublicKey key) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException,
+					NoSuchProviderException, SignatureException {
+				 
+				
+			}
+			
+			@Override
+			public String toString() {
+				 
+				return null;
+			}
+			
+			@Override
+			public PublicKey getPublicKey() {
+				 
+				return null;
+			}
+			
+			@Override
+			public byte[] getEncoded() throws CertificateEncodingException {
+				 
+				return null;
+			}
+			
+			@Override
+			public int getVersion() {
+				 
+				return 0;
+			}
+			
+			@Override
+			public byte[] getTBSCertificate() throws CertificateEncodingException {
+				 
+				return null;
+			}
+			
+			@Override
+			public boolean[] getSubjectUniqueID() {
+				 
+				return null;
+			}
+			
+			@Override
+			public Principal getSubjectDN() {
+				 
+				return null;
+			}
+			
+			@Override
+			public byte[] getSignature() {
+				 
+				return null;
+			}
+			
+			@Override
+			public byte[] getSigAlgParams() {
+				 
+				return null;
+			}
+			
+			@Override
+			public String getSigAlgOID() {
+				 
+				return null;
+			}
+			
+			@Override
+			public String getSigAlgName() {
+				 
+				return null;
+			}
+			
+			@Override
+			public BigInteger getSerialNumber() {
+				 
+				return null;
+			}
+			
+			@Override
+			public Date getNotBefore() {
+				 
+				return null;
+			}
+			
+			@Override
+			public Date getNotAfter() {
+				 
+				return null;
+			}
+			
+			@Override
+			public boolean[] getKeyUsage() {
+				 
+				return null;
+			}
+			
+			@Override
+			public boolean[] getIssuerUniqueID() {
+				 
+				return null;
+			}
+			
+			@Override
+			public Principal getIssuerDN() {
+				 
+				return null;
+			}
+			
+			@Override
+			public int getBasicConstraints() {
+				 
+				return 0;
+			}
+			
+			@Override
+			public void checkValidity(Date date) throws CertificateExpiredException, CertificateNotYetValidException {
+				 
+				
+			}
+			
+			@Override
+			public void checkValidity() throws CertificateExpiredException, CertificateNotYetValidException {
+				
+			}
+		};
+		X509andChain xac = new X509andChain(cert, new ArrayList<String>());
+		when(localCA.sign(Mockito.any(Trans.class), Mockito.any(CSRMeta.class))).thenReturn(xac);
+		certDAO = mock(CachedCertDAO.class, CALLS_REAL_METHODS);
+	}
+	
+	@Test
+	public void identity_True() throws CertificateException, IOException, CertException {
+		assertNotNull(localCA.sign(trans, csrMeta));
+	}
+	
+	
+	@Test
+	public void identityNull() throws CertificateException {
+		try {
+			assertNotNull(localCA.sign(null, csrMeta));
+		} catch (IOException e) {
+		
+			e.printStackTrace();
+		} catch (CertException e) {
+			
+			e.printStackTrace();
+		}
+	}
+	
+	@Test
+	public void identityBothNull() throws CertificateException {
+		try {
+			assertNotNull(localCA.sign(null, null));
+		} catch (IOException e) {
+		
+			e.printStackTrace();
+		} catch (CertException e) {
+			
+			e.printStackTrace();
+		}
+	}
+
+}
diff --git a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/ca/JU_DevlCA.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/ca/JU_DevlCA.java
new file mode 100644
index 00000000..13bf6108
--- /dev/null
+++ b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/ca/JU_DevlCA.java
@@ -0,0 +1,280 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cm.ca;
+
+import static org.junit.Assert.assertNotNull;
+import static org.mockito.Mockito.CALLS_REAL_METHODS;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Principal;
+import java.security.PublicKey;
+import java.security.SignatureException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.X509Certificate;
+import java.util.Date;
+import java.util.Set;
+
+import javax.security.auth.x500.X500Principal;
+import javax.servlet.http.HttpServletRequest;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cm.cert.CSRMeta;
+import org.onap.aaf.auth.dao.cached.CachedCertDAO;
+import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.misc.env.Trans;
+
+//TODO: Gabe [JUnit] Missing class
+@RunWith(MockitoJUnitRunner.class)
+public class JU_DevlCA {
+	
+	@Mock
+	private static CachedCertDAO certDAO;
+	
+	@Mock
+	private static HttpServletRequest req;
+	
+	@Mock
+	private static CSRMeta csrMeta;
+	
+	static Trans trans;
+	
+	static X509andChain cert1;
+	static byte [] name = {1,23,4,54,6,56};
+	
+	private static CA devICA;
+	
+	@BeforeClass
+	public static void setUp() throws CertificateException, CertException, IOException {
+		String str = "core java api";
+        byte[] b = str.getBytes();
+		Principal prc = new X500Principal("CN=Duke, OU=JavaSoft, O=Sun Microsystems, C=US");
+		req = mock(HttpServletRequest.class);
+		devICA = mock(CA.class);
+		X509Certificate cert = new X509Certificate() {
+			
+			@Override
+			public boolean hasUnsupportedCriticalExtension() {
+				return false;
+			}
+			
+			@Override
+			public Set<String> getNonCriticalExtensionOIDs() {
+				 
+				return null;
+			}
+			
+			@Override
+			public byte[] getExtensionValue(String oid) {
+				 
+				return null;
+			}
+			
+			@Override
+			public Set<String> getCriticalExtensionOIDs() {
+				 
+				return null;
+			}
+			
+			@Override
+			public void verify(PublicKey key, String sigProvider) throws CertificateException, NoSuchAlgorithmException,
+					InvalidKeyException, NoSuchProviderException, SignatureException {
+				 
+				
+			}
+			
+			@Override
+			public void verify(PublicKey key) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException,
+					NoSuchProviderException, SignatureException {
+				 
+				
+			}
+			
+			@Override
+			public String toString() {
+				 
+				return null;
+			}
+			
+			@Override
+			public PublicKey getPublicKey() {
+				 
+				return null;
+			}
+			
+			@Override
+			public byte[] getEncoded() throws CertificateEncodingException {
+				 
+				return null;
+			}
+			
+			@Override
+			public int getVersion() {
+				 
+				return 0;
+			}
+			
+			@Override
+			public byte[] getTBSCertificate() throws CertificateEncodingException {
+				 
+				return null;
+			}
+			
+			@Override
+			public boolean[] getSubjectUniqueID() {
+				 
+				return null;
+			}
+			
+			@Override
+			public Principal getSubjectDN() {
+				 
+				return null;
+			}
+			
+			@Override
+			public byte[] getSignature() {
+				 
+				return null;
+			}
+			
+			@Override
+			public byte[] getSigAlgParams() {
+				 
+				return null;
+			}
+			
+			@Override
+			public String getSigAlgOID() {
+				 
+				return null;
+			}
+			
+			@Override
+			public String getSigAlgName() {
+				 
+				return null;
+			}
+			
+			@Override
+			public BigInteger getSerialNumber() {
+				 
+				return null;
+			}
+			
+			@Override
+			public Date getNotBefore() {
+				 
+				return null;
+			}
+			
+			@Override
+			public Date getNotAfter() {
+				 
+				return null;
+			}
+			
+			@Override
+			public boolean[] getKeyUsage() {
+				 
+				return null;
+			}
+			
+			@Override
+			public boolean[] getIssuerUniqueID() {
+				 
+				return null;
+			}
+			
+			@Override
+			public Principal getIssuerDN() {
+				 
+				return null;
+			}
+			
+			@Override
+			public int getBasicConstraints() {
+				 
+				return 0;
+			}
+			
+			@Override
+			public void checkValidity(Date date) throws CertificateExpiredException, CertificateNotYetValidException {
+				 
+				
+			}
+			
+			@Override
+			public void checkValidity() throws CertificateExpiredException, CertificateNotYetValidException {
+				
+			}
+		};
+		when(devICA.sign(Mockito.any(Trans.class), Mockito.any(CSRMeta.class))).thenReturn(cert1);
+		certDAO = mock(CachedCertDAO.class, CALLS_REAL_METHODS);
+	}
+	
+	@Test
+	public void identity_True() throws CertificateException, IOException, CertException {
+		assertNotNull(devICA.sign(trans, csrMeta));
+	}
+	
+	
+	@Test
+	public void identityNull() throws CertificateException {
+		try {
+			assertNotNull(devICA.sign(null, csrMeta));
+		} catch (IOException e) {
+		
+			e.printStackTrace();
+		} catch (CertException e) {
+			
+			e.printStackTrace();
+		}
+	}
+	
+	@Test
+	public void identityBothNull() throws CertificateException {
+		try {
+			assertNotNull(devICA.sign(null, null));
+		} catch (IOException e) {
+		
+			e.printStackTrace();
+		} catch (CertException e) {
+			
+			e.printStackTrace();
+		}
+	}
+
+}
diff --git a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/cert/JU_BCFactory.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/cert/JU_BCFactory.java
new file mode 100644
index 00000000..856d09c2
--- /dev/null
+++ b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/cert/JU_BCFactory.java
@@ -0,0 +1,128 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cm.cert;
+
+import static org.junit.Assert.assertNotNull;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.security.Key;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.junit.BeforeClass;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+import org.junit.runner.RunWith;
+import org.mockito.Mockito;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_BCFactory {
+	
+	private static BCFactory bcFactory = new BCFactory();
+	
+	private static BCFactory bcFact;
+	
+	private static PrivateKey pk;
+	
+	
+	private static Trans trans;
+	
+	
+	private static PKCS10CertificationRequest req;
+	
+	@BeforeClass
+	public static void setUp() throws IOException {
+		pk = new XYZKey();
+		trans = mock(Trans.class);
+		req = mock(PKCS10CertificationRequest.class);
+		when(req.getEncoded()).thenReturn(new byte[1]);
+		when(trans.start(Mockito.anyString(), Mockito.anyInt())).thenReturn(new TimeTaken(null, 0) {
+			
+			@Override
+			public void output(StringBuilder sb) {
+				// TODO Auto-generated method stub
+				
+			}
+		});
+		bcFact = mock(BCFactory.class);
+	}
+	
+	@Test
+	public void toStrin() throws OperatorCreationException, IOException, CertException {
+		assertNotNull(bcFactory.toString(req));
+	}
+	
+	@Test
+	public void toStrinMoc() throws OperatorCreationException, IOException, CertException {
+		assertNotNull(bcFact.toString(req));
+	}
+	
+	@Rule
+    public ExpectedException thrown= ExpectedException.none();
+	
+	@Test
+	public void toCSR()  {
+		try {
+			assertNotNull(bcFactory.toCSR(trans, new File("/random/path")));
+			thrown.expect(FileNotFoundException.class);
+		} catch (IOException e) {
+			
+			e.printStackTrace();
+		}
+	}
+	
+}
+
+class XYZKey implements Key, PublicKey, PrivateKey {
+	
+	int rotValue;
+	public XYZKey() {
+		rotValue = 1200213;
+	}
+	public String getAlgorithm() {
+		return "XYZ";
+	}
+
+	public String getFormat() {
+		return "XYZ Special Format";
+	}
+
+	public byte[] getEncoded() {
+		byte b[] = new byte[4];
+		b[3] = (byte) ((rotValue << 24) & 0xff);
+		b[2] = (byte) ((rotValue << 16) & 0xff);
+		b[1] = (byte) ((rotValue << 8) & 0xff);
+		b[0] = (byte) ((rotValue << 0) & 0xff);
+		return b;
+	}
+}
diff --git a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/cert/JU_CSRMeta.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/cert/JU_CSRMeta.java
new file mode 100644
index 00000000..acf028c6
--- /dev/null
+++ b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/cert/JU_CSRMeta.java
@@ -0,0 +1,88 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cm.cert;
+
+import static org.mockito.Mockito.mock;
+
+import java.util.List;
+
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.junit.BeforeClass;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.misc.env.Trans;
+
+import junit.framework.Assert;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_CSRMeta {
+	
+	private static CSRMeta csrmeta;
+	private static Trans trans;
+	private static PKCS10CertificationRequest req;
+	
+	@BeforeClass
+	public static void setUp() throws CertException {
+		trans = mock(Trans.class);
+		List<RDN> lrdn = RDN.parse('/',"o=ATT Services, Inc/l=St Louis/st=Missouri/c=US");
+		
+		csrmeta = new CSRMeta(lrdn);
+	}
+	
+//	@Test
+//	public void x500Name() throws IOException {
+//		
+//		X500Name x500 = csrmeta.x500Name();
+//		assertEquals(x500.toString(),"CN=CN,E=pupleti@ht.com,OU=HAKJH787,O=O,L=L,ST=ST,C=C");
+//	}
+//	
+//	@Test
+//	public void initialConversationCert() throws CertificateException, OperatorCreationException, IOException {
+//		X509Certificate cert = csrmeta.initialConversationCert(trans);
+//		assertEquals(cert.getBasicConstraints(),-1);
+//	}
+//	
+//	@Test
+//	public void generateCSR() throws IOException, CertException {
+//		req = csrmeta.generateCSR(trans);
+//		assertNotNull(req);
+//	}
+	
+	@Rule
+    public ExpectedException thrown= ExpectedException.none();
+	
+//	@Test
+//	public void dump() throws IOException, CertException {
+//		req = csrmeta.generateCSR(trans);
+//		csrmeta.dump(req);
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		Assert.fail("Tests not yet implemented");
+	}
+	
+}
diff --git a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/data/JU_CertReq.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/data/JU_CertReq.java
new file mode 100644
index 00000000..f54e36e1
--- /dev/null
+++ b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/data/JU_CertReq.java
@@ -0,0 +1,90 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cm.data;
+
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.io.IOException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cm.ca.CA;
+import org.onap.aaf.auth.cm.ca.X509andChain;
+import org.onap.aaf.auth.cm.cert.BCFactory;
+import org.onap.aaf.auth.cm.cert.CSRMeta;
+import org.onap.aaf.auth.cm.data.CertReq;
+import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.misc.env.Trans;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_CertReq {
+	
+	private static BCFactory bcFact;
+	
+	private static CSRMeta value;
+	
+	private static CertReq req;
+	
+	@BeforeClass
+	public static void setUp() {
+		bcFact = mock(BCFactory.class);
+		value = mock(CSRMeta.class);
+		req = mock(CertReq.class);
+		
+	}
+	
+//	@Test
+//	public void getCSRMeta() throws CertException, IOException {
+//		//req = new CertReq();
+//		req.mechid = "1213";
+//		List<String> fqdnsas = new ArrayList<String>();
+//		fqdnsas.add("String1");
+//		List<String> emails = new ArrayList<String>();
+//		emails.add("pupleti@hotmail.com");
+//		req.emails = emails;
+//		req.fqdns = fqdnsas;
+//		req.certAuthority = new CA(null, "testName", "ALL") {
+//			//TODO: Gabe [JUnit] REREVIEW
+//			@Override
+//			public X509andChain sign(Trans trans, CSRMeta csrmeta) throws IOException, CertException {
+//	
+//				return null;
+//			}
+//		};
+//		req.sponsor = "asa@df.co";
+//		assertNull(req.getCSRMeta());
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/facade/JU_FacadeImpl.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/facade/JU_FacadeImpl.java
new file mode 100644
index 00000000..dbfaaeef
--- /dev/null
+++ b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/facade/JU_FacadeImpl.java
@@ -0,0 +1,193 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cm.facade;
+
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.CALLS_REAL_METHODS;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.io.IOException;
+
+import javax.servlet.ServletOutputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.namespace.QName;
+import javax.xml.validation.Schema;
+
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mockito;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cm.AAF_CM;
+import org.onap.aaf.auth.cm.facade.FacadeImpl;
+import org.onap.aaf.auth.cm.mapper.Mapper;
+import org.onap.aaf.auth.cm.service.CMService;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.cadi.aaf.AAFPermission;
+import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Data;
+import org.onap.aaf.misc.env.LogTarget;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+import org.onap.aaf.misc.rosetta.env.RosettaDF;
+import org.onap.aaf.misc.rosetta.env.RosettaData;
+
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_FacadeImpl<REQ,CERT,ARTIFACTS,ERROR> {
+	
+	private static AuthzTrans trans;
+	private static HttpServletResponse resp;
+	private static AAF_CM certman;
+	private static FacadeImpl hImpl;
+	private static CMService service;
+	private Mapper<REQ,CERT,ARTIFACTS,ERROR> mapper;
+	private Data.TYPE dataType;
+	private static AuthzEnv env;
+	
+	private static FacadeImpl fImpl;
+	private static HttpServletRequest req;
+	
+	@Before
+	public void setUp() throws APIException, IOException {
+		fImpl = mock(FacadeImpl.class);
+		env = mock(AuthzEnv.class);
+		resp = mock(HttpServletResponse.class);
+		req = mock(HttpServletRequest.class);
+		hImpl = mock(FacadeImpl.class, CALLS_REAL_METHODS);
+		Result<Void> rvd = (Result) mock(Result.class);
+		trans = mock(AuthzTrans.class);
+		when(trans.error()).thenReturn(new LogTarget() {
+			
+			@Override
+			public void printf(String fmt, Object... vars) {}
+			
+			@Override
+			public void log(Throwable e, Object... msgs) {
+				e.getMessage();
+				e.printStackTrace();
+				msgs.toString();
+				
+			}
+			
+			@Override
+			public void log(Object... msgs) {
+			}
+			
+			@Override
+			public boolean isLoggable() {
+				
+				return false;
+			}
+		});
+		when(trans.start(Mockito.anyString(), Mockito.anyInt())).thenReturn(new TimeTaken("Now", 1) {
+			
+			@Override
+			public void output(StringBuilder sb) {
+				
+			}
+		});
+		when(fImpl.check(Mockito.any(AuthzTrans.class), Mockito.any(HttpServletResponse.class), Mockito.anyString())).thenReturn(rvd);
+		when(resp.getOutputStream()).thenReturn(new ServletOutputStream() {
+			
+			@Override
+			public void write(int b) throws IOException {
+				
+				
+			}
+		});
+		
+	}
+	
+	@Test
+	public void check() throws IOException {
+		AAFPermission ap = new AAFPermission("str1","str3","str2");
+		String perms = ap.getInstance();
+		assertNotNull(hImpl.check(trans, resp, perms));
+	}
+	
+	@Test
+	public void checkNull() throws IOException {
+		AAFPermission ap = new AAFPermission(null,"Str3","str2");
+		String perms = ap.getInstance();
+		assertNotNull(hImpl.check(trans, resp, perms));
+	}
+	
+	@Test
+	public void checkTwoNull() throws IOException {
+		AAFPermission ap = new AAFPermission(null,null,"str2");
+		String perms = ap.getInstance();
+		assertNotNull(fImpl.check(trans, resp, perms));
+	}
+	
+	@Test
+	public void checkAllNull() throws IOException {
+		AAFPermission ap = new AAFPermission(null,null,null);
+		String perms = ap.getInstance();
+		assertNotNull(fImpl.check(trans, resp, perms));
+	}
+	
+	@Test
+	public void checkTrans_null() throws IOException {
+		AAFPermission ap = new AAFPermission("str1","str3","str2");
+		String perms = ap.getInstance();
+		assertNotNull(hImpl.check(null, resp, perms));
+	}
+	
+	@Test
+	public void checkRespNull() throws IOException {
+		AAFPermission ap = new AAFPermission("str1","str3","str2");
+		String perms = ap.getInstance();
+		assertNotNull(hImpl.check(trans, null, perms));
+	}
+	
+	@Test
+	public void requestCert() {		
+		assertNotNull(hImpl.requestCert(trans, req, resp, null));
+	}
+	
+	@Test
+	public void renewCert() {		
+		assertNotNull(hImpl.renewCert(trans, req, resp, true));
+	}
+	
+	@Test
+	public void dropCert() {		
+		assertNotNull(hImpl.renewCert(trans, req, resp, true));
+	}
+	
+	@Test
+	public void createArtifacts() {		
+		assertNotNull(hImpl.createArtifacts(trans, req, resp));
+	}
+	
+	@Test
+	public void readArtifacts() {		
+		assertNotNull(hImpl.readArtifacts(trans, req, resp));
+	}
+}
diff --git a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/CertmanTest.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/CertmanTest.java
new file mode 100644
index 00000000..3faa5bbf
--- /dev/null
+++ b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/CertmanTest.java
@@ -0,0 +1,170 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.auth.cm.test;
+
+import java.io.InputStream;
+import java.net.HttpURLConnection;
+import java.net.InetAddress;
+import java.net.URI;
+import java.security.cert.CertificateException;
+
+import javax.security.auth.x500.X500Principal;
+
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import static org.junit.Assert.*;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.Locator;
+import org.onap.aaf.cadi.Locator.Item;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.cadi.config.SecurityInfoC;
+import org.onap.aaf.cadi.http.HBasicAuthSS;
+import org.onap.aaf.cadi.http.HMangr;
+import org.onap.aaf.cadi.locator.DNSLocator;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Data;
+import org.onap.aaf.misc.env.Data.TYPE;
+import org.onap.aaf.misc.env.util.Chrono;
+import org.onap.aaf.misc.rosetta.env.RosettaDF;
+
+import certman.v1_0.CertInfo;
+import certman.v1_0.CertificateRequest;
+import junit.framework.Assert;
+
+public class CertmanTest {
+
+	private static HMangr hman;
+	private static AuthzEnv env;
+	private static HBasicAuthSS ss;
+	private static RosettaDF<CertificateRequest> reqDF;
+	private static RosettaDF<CertInfo> certDF;
+
+	@BeforeClass
+	public static void setUpBeforeClass() throws Exception {
+		env = new AuthzEnv();
+//		InputStream ris = env.classLoader().getResource("certman.props").openStream();
+//		try {
+//			env.load(ris);
+//		} finally {
+//			ris.close();
+//		}
+//
+//		Locator<URI> loc = new DNSLocator(env, "https", "aaf.it.att.com", "8150");
+//		for(Item item = loc.first(); item!=null; item=loc.next(item)) {
+//			System.out.println(loc.get(item));
+//		}
+//		
+//		
+//		SecurityInfoC<HttpURLConnection> si = SecurityInfoC.instance(env, HttpURLConnection.class);
+//		ss = new HBasicAuthSS(si,"m12345@aaf.att.com", 
+//				env.decrypt("enc:gvptdJyo0iKdVZw2rzMb0woxa7YKMdqLuhfQ4OQfZ8k",false));
+//				env.decrypt("enc:jFfAnO3mOKb9Gzm2OFysslmXpbnyuAxuoNJK",false), si);
+//					SecuritySetter<HttpURLConnection> ss = new X509SS(si, "aaf");
+		
+//		hman = new HMangr(env,loc);
+//
+//		reqDF = env.newDataFactory(CertificateRequest.class);
+//		reqDF.out(TYPE.JSON);
+//		certDF = env.newDataFactory(CertInfo.class);
+	}
+
+//	@AfterClass
+//	public static void tearDownAfterClass() throws Exception {
+//		hman.close();
+//	}
+
+	@Before
+	public void setUp() throws Exception {
+
+	}
+
+	@After
+	public void tearDown() throws Exception {
+	}
+
+//	@Test
+//	public void testX500Name() throws Exception {
+//		
+//		for( InetAddress ia : InetAddress.getAllByName("aaf.dev.att.com")) {
+//			System.out.printf("%s - %s\n", ia.getHostName(), ia.getHostAddress());
+//			InetAddress ia1 = InetAddress.getByName(ia.getHostAddress());
+//			System.out.printf("%s - %s\n", ia1.getHostName(), ia1.getHostAddress());
+//		}
+//		
+//		hman.best(ss, new Retryable<Void>() {
+//			@Override
+//			public Void code(Rcli<?> client) throws APIException, CadiException {
+//				CertificateRequest cr = new CertificateRequest();
+//				cr.setMechid("m12345@aaf.att.com");
+//				cr.setSponsor("jg1555");
+//				cr.getFqdns().add("mithrilcsp.sbc.com");
+//				cr.getFqdns().add("zld01907.vci.att.com");
+//				cr.getFqdns().add("aaftest.test.att.com");
+//				
+//				String path = "/cert/local"; // Local Test
+////				String path = "/cert/aaf"; // Official CA
+//				long end=0,start = System.nanoTime();
+//				try {
+//					System.out.println(reqDF.newData().option(Data.PRETTY).load(cr).asString());
+//					Future<String> f = client.updateRespondString(path, reqDF, cr);
+//					if(f.get(10000)) {
+//						end = System.nanoTime();
+//						System.out.println(f.body());
+//						CertInfo capi = certDF.newData().in(Data.TYPE.JSON).load(f.body()).asObject();
+//						for(String c :capi.getCerts()) {
+//							for( java.security.cert.Certificate x509 : Factory.toX509Certificate(c)) {
+//								System.out.println(x509.toString());
+//							}
+//						}
+//					} else {
+//						end = System.nanoTime();
+//						String msg = "Client returned " + f.code() + ": " + f.body();
+//						System.out.println(msg);
+//						Assert.fail(msg);
+//					}
+//				} catch (CertificateException e) {
+//					throw new CadiException(e);
+//				} finally {
+//					System.out.println(Chrono.millisFromNanos(start,end) + " ms");
+//				}
+//				return null;
+//			}
+//		});
+//		
+//		
+//	}
+//
+//	public X500Principal ephemeral() {
+//		return null;
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/JU_KeyMarshaling.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/JU_KeyMarshaling.java
new file mode 100644
index 00000000..7b69d286
--- /dev/null
+++ b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/JU_KeyMarshaling.java
@@ -0,0 +1,80 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cm.test;
+
+import java.io.IOException;
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+
+import org.junit.AfterClass;
+import org.junit.Test;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.cm.Factory;
+
+import junit.framework.Assert;
+
+public class JU_KeyMarshaling {
+
+	@AfterClass
+	public static void tearDownAfterClass() throws Exception {
+	}
+
+	@Test
+	public void test() {
+		AuthzEnv env = new AuthzEnv();
+		AuthzTrans trans = env.newTrans();
+		try {
+			KeyPair kpair = Factory.generateKeyPair(trans);
+			String privateString = Factory.toString(trans, kpair.getPrivate());
+			System.out.println("Private as base64 encoded as PKCS8 Spec");
+			System.out.println(privateString);
+			
+			// Take String, and create Private Key
+			PrivateKey pk = Factory.toPrivateKey(trans, privateString);
+			Assert.assertEquals(kpair.getPrivate().getAlgorithm(), pk.getAlgorithm());
+			Assert.assertEquals(kpair.getPrivate().getFormat(), pk.getFormat());
+			Assert.assertEquals(kpair.getPrivate().getEncoded(), pk.getEncoded());
+		
+			
+			String s = Factory.toString(trans, kpair.getPublic());
+			System.out.println("Public as base64 encoded x509 Spec");
+			System.out.println(s);
+			
+			PublicKey pub = Factory.toPublicKey(trans, s);
+			Assert.assertEquals(kpair.getPublic().toString(), pub.toString());
+			
+			
+		} catch (IOException e) {
+			e.printStackTrace();
+		} catch (CertException e) {
+			e.printStackTrace();
+		} finally {
+			StringBuilder sb = new StringBuilder("=== Timings ===\n");
+			trans.auditTrail(1, sb);
+			System.out.println(sb);
+		}
+	}
+
+}
diff --git a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/JU_SignTest.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/JU_SignTest.java
new file mode 100644
index 00000000..93013d3f
--- /dev/null
+++ b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/JU_SignTest.java
@@ -0,0 +1,109 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cm.test;
+
+import java.io.File;
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.Collection;
+
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.Test;
+import static org.junit.Assert.fail;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.cadi.cm.Factory;
+
+public class JU_SignTest {
+
+	@AfterClass
+	public static void tearDownAfterClass() throws Exception {
+	}
+
+	@Test
+	public void test() throws Exception {
+		AuthzEnv env = new AuthzEnv();
+		AuthzTrans trans = env.newTrans();
+		KeyPair kpair = Factory.generateKeyPair(trans);
+		PrivateKey privateKey = kpair.getPrivate();
+		String privateString = Factory.toString(trans, privateKey);
+		System.out.println("Private as base64 encoded as PKCS8 Spec");
+		System.out.println(privateString);
+		
+		PublicKey publicKey = kpair.getPublic();
+		String publicString = Factory.toString(trans, publicKey); 
+		System.out.println("public as base64 encoded as PKCS8 Spec");
+		System.out.println(publicString);
+		
+		byte data[] = "Sign this please.".getBytes();
+		byte sig[] = Factory.sign(trans, data, privateKey);
+		System.out.println("Signature");
+		System.out.println(Factory.toSignatureString(sig));
+		
+		Assert.assertTrue(Factory.verify(trans, data, sig, publicKey));
+	}
+	
+//	@Test
+//	public void test2() throws Exception {
+//		AuthzEnv env = new AuthzEnv();
+//		AuthzTrans trans = env.newTrans();
+//		File key = new File("/opt/app/aaf/common/com.att.aaf.key");
+//		PrivateKey privKey = Factory.toPrivateKey(trans, key);
+//		RSAPrivateKey rPrivKey = (RSAPrivateKey)privKey;
+//		BigInteger privMod, pubMod;
+//		System.out.println((privMod = rPrivKey.getModulus()).toString(16));
+//		
+//		byte data[] = "Sign this please.".getBytes();
+//		byte sig[] = Factory.sign(trans, data, privKey);
+//		System.out.println("Signature");
+//		System.out.println(Factory.toSignatureString(sig));
+//
+//		
+//		File crt = new File("/opt/app/aaf/common/com.att.aaf.crt");
+//		Collection<? extends Certificate> x509s = Factory.toX509Certificate(trans, crt);
+//		X509Certificate cert = null;
+//		for(Certificate c : x509s) {
+//			cert = (X509Certificate)c;
+//			break;
+//		}
+//		PublicKey pubKey = cert.getPublicKey();
+//		RSAPublicKey rPubKey = (RSAPublicKey)pubKey;
+//	
+//		System.out.println((pubMod = rPubKey.getModulus()).toString(16));
+//
+//		Assert.assertTrue(Factory.verify(trans, data, sig, pubKey));
+//		Assert.assertEquals(privMod,pubMod);
+//		
+//	}
+
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-client/.gitignore b/auth/auth-client/.gitignore
new file mode 100644
index 00000000..7a112ea5
--- /dev/null
+++ b/auth/auth-client/.gitignore
@@ -0,0 +1,5 @@
+/.classpath
+/.settings
+/bin
+/target
+/.project
diff --git a/auth/auth-client/pom.xml b/auth/auth-client/pom.xml
new file mode 100644
index 00000000..56672b16
--- /dev/null
+++ b/auth/auth-client/pom.xml
@@ -0,0 +1,131 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+
+	<!-- No Parent on Purpose!!! -->
+	<artifactId>aaf-auth-client</artifactId>
+	<name>AAF Auth Client</name>
+	<description>XSD Generated classes for AAF Auth</description>
+	<groupId>org.onap.aaf.auth</groupId>
+	<version>2.10-SNAPSHOT</version>
+	<packaging>jar</packaging>
+
+	<properties>
+		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+		<maven.test.failure.ignore>true</maven.test.failure.ignore>
+	</properties>
+
+	<developers>
+		<developer>
+			<name>Jonathan Gathman</name>
+			<email>jonathan.gathman@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Architect</role>
+				<role>Lead Developer</role>
+			</roles>
+		</developer>
+		<developer>
+			<name>Gabe Maurer</name>
+			<email>gabe.maurer@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Developer</role>
+			</roles>
+		</developer>
+		<developer>
+			<name>Ian Howell</name>
+			<email>ian.howell@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Developer</role>
+			</roles>
+		</developer>
+	</developers>
+
+	
+	<dependencies>
+		<dependency>
+			<groupId>junit</groupId>
+			<artifactId>junit</artifactId>
+			<version>4.10</version>
+			<scope>test</scope>
+		</dependency>
+
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.jvnet.jaxb2.maven2</groupId>
+				<artifactId>maven-jaxb2-plugin</artifactId>
+				<version>0.8.2</version>
+				<executions>
+					<execution>
+						<goals>
+							<goal>generate</goal>
+						</goals>
+					</execution>
+				</executions>
+				<configuration>
+					<schemaDirectory>src/main/xsd</schemaDirectory>
+				</configuration>
+			</plugin>
+
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-deploy-plugin</artifactId>
+				<version>2.5</version>
+				<configuration>
+					<skip>false</skip>
+				</configuration>
+			</plugin>
+
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-compiler-plugin</artifactId>
+				<version>2.3.2</version>
+				<configuration>
+					<source>1.6</source>
+					<target>1.6</target>
+				</configuration>
+			</plugin>
+		</plugins>
+	</build>
+
+	<distributionManagement>
+		<repository>
+			<id>nexus</id>
+			<name>attarch-releases</name>
+			<url>http://mavencentral.it.att.com:8084/nexus/content/repositories/attarch-releases</url>
+		</repository>
+		<snapshotRepository>
+			<id>nexus</id>
+			<name>attarch-snapshots</name>
+			<url>http://mavencentral.it.att.com:8084/nexus/content/repositories/attarch-snapshots</url>
+		</snapshotRepository>
+	</distributionManagement>
+
+</project>
+
diff --git a/auth/auth-client/src/main/xsd/aaf_2_0.xsd b/auth/auth-client/src/main/xsd/aaf_2_0.xsd
new file mode 100644
index 00000000..b4b1ba9c
--- /dev/null
+++ b/auth/auth-client/src/main/xsd/aaf_2_0.xsd
@@ -0,0 +1,547 @@
+<!-- 
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+-->
+
+<xs:schema 
+	xmlns:xs="http://www.w3.org/2001/XMLSchema" 
+	xmlns:aaf="urn:aaf:v2_0" 
+	targetNamespace="urn:aaf:v2_0" 
+	elementFormDefault="qualified">
+	
+<!-- 
+	June 2, 2017, adding Roles, Perms, etc to NSRequest for Onboarding purposes.
+	
+	Note: jan 22, 2015.  Deprecating the "force" element in the "Request" Structure.  Do that
+	with Query Params. 
+	
+	Eliminate in 3.0 
+ -->
+<!--
+	Errors
+	Note: This Error Structure has been made to conform to the AT&T TSS Policies
+ -->
+	<xs:element name="error">
+		<xs:complexType>
+			<xs:sequence>
+				<!--
+				Unique message identifier of the format ‘ABCnnnn’ where ‘ABC’ is
+					either ‘SVC’ for Service Exceptions or ‘POL’ for Policy Exception.
+					Exception numbers may be in the	range of 0001 to 9999 where :
+					* 0001 to 0199 are reserved for	common exception messages
+					* 0200 to 0999 are reserved for Parlay Web Services specification use
+					* 1000-9999 are available for exceptions 
+				 -->
+				<xs:element name="messageId" type="xs:string" minOccurs="1" maxOccurs="1"/>
+				
+				<!-- 
+				Message text, with replacement
+					variables marked with %n, where n is
+					an index into the list of <variables>
+					elements, starting at 1
+				 -->
+				<xs:element name="text" type="xs:string" minOccurs="1" maxOccurs="1"/>
+				
+				<!-- 
+				List of zero or more strings that
+					represent the contents of the variables
+					used by the message text. -->
+				<xs:element name="variables" type="xs:string" minOccurs="0" maxOccurs="unbounded" />
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+
+<!-- 
+	Requests
+ -->
+	<xs:complexType name="Request">
+		<xs:sequence>
+			<xs:element name="start" type="xs:dateTime" minOccurs="1" maxOccurs="1" />
+			<xs:element name="end" type="xs:dateTime" minOccurs="1" maxOccurs="1"/>
+			<!-- Deprecated.  Use Query Command 
+			<xs:element name="force" type="xs:string" minOccurs="1" maxOccurs="1" default="false"/>
+			-->
+		</xs:sequence>
+	</xs:complexType>
+
+<!--
+	Keys
+ -->
+    <xs:element name="keys">
+    	<xs:complexType>
+    		<xs:sequence>
+    			<xs:element name="key" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
+    		</xs:sequence>
+    	</xs:complexType>
+    </xs:element>
+ 
+ 
+<!-- 
+	Permissions 
+-->	
+	<xs:complexType name = "pkey">
+		<xs:sequence>
+			<xs:element name="type" type="xs:string"/>
+			<xs:element name="instance" type="xs:string"/>
+			<xs:element name="action" type="xs:string"/>
+		</xs:sequence>
+	</xs:complexType>
+
+	<xs:element name="permKey">
+		<xs:complexType >
+			<xs:complexContent>
+				<xs:extension base="aaf:pkey" />
+			</xs:complexContent>
+		</xs:complexType>
+	</xs:element>
+	
+	<xs:element name="perm">
+		<xs:complexType >
+			<xs:complexContent>
+				<xs:extension base="aaf:pkey">
+					<xs:sequence>					
+						<xs:element name="roles" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
+						<!-- Note: feb 23, 2015.  Added description field. Verify backward compatibility. JR -->
+ 						<xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1"/>
+ 						<!-- This data not filled in unless Requested  -->
+ 						<xs:element name="ns" type="xs:string" minOccurs="0" maxOccurs="1"/>
+					</xs:sequence>
+				</xs:extension>
+			</xs:complexContent>
+		</xs:complexType>
+	</xs:element>
+	
+	<xs:element name="perms">
+		<xs:complexType>
+			<xs:sequence>
+				<xs:element ref="aaf:perm" minOccurs="0" maxOccurs="unbounded"/>
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+
+	<xs:element name="permRequest">
+		<xs:complexType>
+			<xs:complexContent>
+				<xs:extension base="aaf:Request">
+					<xs:sequence>
+						<xs:element name="type" type="xs:string"/>
+						<xs:element name="instance" type="xs:string"/>
+						<xs:element name="action" type="xs:string"/>
+						<!-- Note: feb 23, 2015.  Added description field. Verify backward compatibility. JR -->
+						<xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1"/>
+					</xs:sequence>
+				</xs:extension>
+			</xs:complexContent>
+		</xs:complexType>
+	</xs:element>
+
+
+<!-- 
+	Roles 
+-->	
+	<xs:complexType name="rkey">
+		<xs:sequence>
+			<xs:element name="name" type="xs:string"/>
+		</xs:sequence>
+	</xs:complexType>
+	
+	<xs:element name="roleKey">
+		<xs:complexType >
+			<xs:complexContent>
+				<xs:extension base="aaf:rkey" />
+			</xs:complexContent>
+		</xs:complexType>
+	</xs:element>
+
+	<xs:element name="role">
+		<xs:complexType>
+			<xs:complexContent>
+				<xs:extension base="aaf:rkey">
+					<xs:sequence>
+						<xs:element name="perms" type="aaf:pkey" minOccurs="0" maxOccurs="unbounded"/>
+						<!-- Note: feb 23, 2015.  Added description field. Verify backward compatibility. JR -->
+						<xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1"/>
+						<!-- This data not filled in unless Requested  -->
+ 						<xs:element name="ns" type="xs:string" minOccurs="0" maxOccurs="1"/>
+					</xs:sequence>
+				</xs:extension>
+			</xs:complexContent>
+		</xs:complexType>
+	</xs:element>
+	
+	<xs:element name="roles">
+		<xs:complexType>
+			<xs:sequence>
+				<xs:element ref="aaf:role" minOccurs="0" maxOccurs="unbounded"/>
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+
+	<xs:element name="roleRequest">
+		<xs:complexType>
+			<xs:complexContent>
+				<xs:extension base="aaf:Request">
+					<xs:sequence>
+						<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1"/>
+						<!-- Note: feb 23, 2015.  Added description field. Verify backward compatibility. JR -->
+						<xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1"/>
+					</xs:sequence>
+				</xs:extension>
+			</xs:complexContent>
+		</xs:complexType>
+	</xs:element>
+
+	<!-- Added userRole return types Jonathan 9/16/2015 -->
+	<xs:element name="userRole">
+		<xs:complexType>
+			<xs:sequence>
+				<xs:element name="user" type="xs:string" minOccurs="1" maxOccurs="1"/>
+				<xs:element name="role" type="xs:string" minOccurs="1" maxOccurs="1"/>
+				<xs:element name="expires" type="xs:date" minOccurs="1" maxOccurs="1" />
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+	
+	<!-- Added userRoles return types Jonathan 9/16/2015 -->
+	<xs:element name="userRoles">
+		<xs:complexType>
+			<xs:sequence>
+				<xs:element ref="aaf:userRole" minOccurs="0" maxOccurs="unbounded"/>
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+
+	<xs:element name="userRoleRequest">
+		<xs:complexType>
+			<xs:complexContent>
+				<xs:extension base="aaf:Request">
+					<xs:sequence>
+						<xs:element name="user" type="xs:string" minOccurs="1" maxOccurs="1"/>
+						<xs:element name="role" type="xs:string" minOccurs="1" maxOccurs="1"/>
+					</xs:sequence>
+				</xs:extension>
+			</xs:complexContent>
+		</xs:complexType>
+	</xs:element>
+	
+	<xs:element name="rolePermRequest">
+		<xs:complexType>
+			<xs:complexContent>
+				<xs:extension base="aaf:Request">
+					<xs:sequence>
+						<xs:element name="perm" type="aaf:pkey" minOccurs="1" maxOccurs="1"/>
+						<xs:element name="role" type="xs:string" minOccurs="1" maxOccurs="1"/>
+					</xs:sequence>
+				</xs:extension>
+			</xs:complexContent>
+		</xs:complexType>
+	</xs:element>
+	
+	<xs:element name="nsRequest">
+		<xs:complexType>
+			<xs:complexContent>
+				<xs:extension base="aaf:Request">
+					<xs:sequence>
+						<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1"/>
+						<xs:element name="admin" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
+						<xs:element name="responsible" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
+						<!-- Note: feb 23, 2015.  Added description field. Verify backward compatibility. JR -->
+						<xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1"/>
+						<!-- Note: dec 11, 2015.  Request-able NS Type Jonathan -->
+						<xs:element name="type" type="xs:string" minOccurs="0" maxOccurs="1"/>
+	
+						<!-- "scope" is deprecated and unused as of AAF 2.0.11.  It will be removed in future versions
+							<xs:element name="scope" type="xs:int" minOccurs="0" maxOccurs="1"/>
+							
+													
+						<xs:element ref="aaf:roleRequest" minOccurs="0" maxOccurs="unbounded"/>
+						<xs:element ref="aaf:permRequest" minOccurs="0" maxOccurs="unbounded"/>
+						<xs:element name="aaf_id" type="xs:string" minOccurs="0" maxOccurs="1"/>
+						<xs:element ref="aaf:userRoleRequest" minOccurs="0" maxOccurs="unbounded"/>
+						<xs:element name = "attrib" minOccurs="0" maxOccurs="unbounded">
+								<xs:complexType>
+									<xs:sequence>
+										<xs:element name = "key" type="xs:string" minOccurs="1" maxOccurs="1"/>
+										<xs:element name = "value" type="xs:string" minOccurs="0" maxOccurs="1"/>
+									</xs:sequence>
+								</xs:complexType>
+							</xs:element>
+
+							
+						-->
+					</xs:sequence>
+				</xs:extension>
+			</xs:complexContent>
+		</xs:complexType>
+	</xs:element>
+
+	<xs:element name="nsAttribRequest">
+		<xs:complexType>
+			<xs:complexContent>
+				<xs:extension base="aaf:Request">
+					<xs:sequence>
+						<xs:element name="ns" type="xs:string" minOccurs="1" maxOccurs="1"/>
+						<xs:element name = "attrib" minOccurs="0" maxOccurs="unbounded">
+							<xs:complexType>
+								<xs:sequence>
+									<xs:element name = "key" type="xs:string" minOccurs="1" maxOccurs="1"/>
+									<xs:element name = "value" type="xs:string" minOccurs="0" maxOccurs="1"/>
+								</xs:sequence>
+							</xs:complexType>
+						</xs:element>
+					</xs:sequence>
+				</xs:extension>
+			</xs:complexContent>
+		</xs:complexType>
+	</xs:element>
+
+	<xs:element name = "nss">
+		<xs:complexType>
+			<xs:sequence>
+				<xs:element name = "ns" minOccurs="0" maxOccurs="unbounded">
+					<xs:complexType>
+						<xs:sequence>
+							<xs:element name = "name" type = "xs:string" minOccurs="1" maxOccurs="1"/>
+							<xs:element name = "responsible" type = "xs:string" minOccurs="0" maxOccurs="unbounded"/>
+							<xs:element name = "admin" type = "xs:string" minOccurs="0" maxOccurs="unbounded"/>
+							<!-- Note: feb 23, 2015.  Added description field. Verify backward compatibility. JR -->
+							<xs:element name = "description" type = "xs:string" minOccurs="0" maxOccurs="1"/>
+							<!-- Note: Dec 16, 2015.  Added description field. Verify backward compatibility. Jonathan -->
+							<xs:element name = "attrib" minOccurs="0" maxOccurs="unbounded">
+								<xs:complexType>
+									<xs:sequence>
+										<xs:element name = "key" type="xs:string" minOccurs="1" maxOccurs="1"/>
+										<xs:element name = "value" type="xs:string" minOccurs="0" maxOccurs="1"/>
+									</xs:sequence>
+								</xs:complexType>
+							</xs:element>
+						</xs:sequence>
+					</xs:complexType>
+				</xs:element>
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+
+<!-- 
+	Users 
+-->	
+	<xs:element name="users">
+		<xs:complexType>
+			<xs:sequence>
+		   		<xs:element name="user" minOccurs="0" maxOccurs="unbounded">
+		   			<xs:complexType>
+		   				<xs:sequence>
+				       		<xs:element name="id" type="xs:string"  minOccurs="1" maxOccurs="1" />
+				       		<!-- Changed type to dateTime, because of importance of Certs -->
+				       		<xs:element name="expires" type="xs:dateTime" minOccurs="1" maxOccurs="1" />
+				       		<!-- need to differentiate User Cred Types, Jonathan 5/20/2015
+				       			 This Return Object is shared by multiple functions: 
+				       			 	Type is not returned for "UserRole", but only "Cred" 
+				       		-->
+				       		<xs:element name="type" type="xs:int" minOccurs="0" maxOccurs="1" />
+		   				</xs:sequence>
+		   			</xs:complexType>
+		   		</xs:element>
+		   	</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+
+<!-- 
+	Certs
+	Added Jonathan 5/20/2015 to support identifying Certificate based Services
+ -->
+	<xs:element name="certs">
+		<xs:complexType>
+			<xs:sequence>
+				<xs:element name="cert" minOccurs="0" maxOccurs="unbounded">
+					<xs:complexType>
+						<xs:sequence>
+							<xs:element name="id" type="xs:string" minOccurs="1" maxOccurs="1" />
+							<xs:element name="x500" type="xs:string" minOccurs="1" maxOccurs="1" />
+							<xs:element name="expires" type="xs:dateTime" minOccurs="1" maxOccurs="1" />
+							<xs:element name="fingerprint" type="xs:hexBinary" minOccurs="1" maxOccurs="1" />
+						</xs:sequence>
+					</xs:complexType>
+				</xs:element>
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+
+<!-- 
+	Credentials 
+-->	
+	<xs:element name="credRequest">
+		<xs:complexType>
+			<xs:complexContent>
+				<xs:extension base="aaf:Request">
+					<xs:sequence>
+						<xs:element name="id" type="xs:string"/>
+						<xs:element name="type" type="xs:int" minOccurs="0" maxOccurs="1"/>
+						<xs:choice >
+							<xs:element name="password" type="xs:string" />
+							<xs:element name="entry" type="xs:string" />
+						</xs:choice>
+					</xs:sequence>
+				</xs:extension>
+			</xs:complexContent>
+		</xs:complexType>
+	</xs:element>
+	
+<!--
+	Multi Request 
+ -->
+ 
+    <xs:element name="multiRequest"> 
+		<xs:complexType>
+			<xs:complexContent>
+				<xs:extension base="aaf:Request">
+					<xs:sequence>
+						<xs:element ref="aaf:nsRequest" minOccurs="0" maxOccurs="1"/>
+						<xs:element ref="aaf:nsAttribRequest" minOccurs="0" maxOccurs="unbounded"/>
+						<xs:element ref="aaf:roleRequest" minOccurs="0" maxOccurs="unbounded"/>
+						<xs:element ref="aaf:permRequest" minOccurs="0" maxOccurs="unbounded"/>
+						<xs:element ref="aaf:credRequest" minOccurs="0" maxOccurs="unbounded"/>
+						<xs:element ref="aaf:userRoleRequest" minOccurs="0" maxOccurs="unbounded"/>
+						<xs:element ref="aaf:rolePermRequest" minOccurs="0" maxOccurs="unbounded"/>
+					</xs:sequence>
+				</xs:extension>
+			</xs:complexContent>
+		</xs:complexType>
+    </xs:element>
+	
+<!--
+	History 
+ -->
+ 	<xs:element name="history">
+ 		<xs:complexType>
+ 			<xs:sequence>
+ 				<xs:element name="item" minOccurs="0" maxOccurs="unbounded">
+			 		<xs:complexType>
+			 			<xs:sequence>
+			 				<xs:element name="YYYYMM" type="xs:string" minOccurs="1" maxOccurs="1"/>
+			 				<xs:element name="timestamp" type="xs:dateTime" minOccurs="1" maxOccurs="1"/>
+			 				<xs:element name="subject" type="xs:string" minOccurs="1" maxOccurs="1"/>
+			 				<xs:element name="target" type = "xs:string" minOccurs="1" maxOccurs="1"/>
+			 				<xs:element name="action" type="xs:string" minOccurs="1" maxOccurs="1"/>
+			 				<xs:element name="memo" type="xs:string" minOccurs="1" maxOccurs="1"/>
+			 				<xs:element name="user" type="xs:string" minOccurs="1" maxOccurs="1"/>
+			 			</xs:sequence>
+			 		</xs:complexType>
+			 	</xs:element>
+		 	</xs:sequence>
+		 </xs:complexType>
+ 	</xs:element>
+ 
+<!-- 
+	Approvals
+ -->
+ 	<xs:complexType name="approval">
+	   <xs:sequence>
+	   	   <!-- Note, id is set by system -->
+	   	   <xs:element name="id" type="xs:string" minOccurs="0" maxOccurs="1"/>
+	   	   <xs:element name="ticket" type="xs:string"/>
+	       <xs:element name="user" type="xs:string"/>
+	       <xs:element name="approver" type="xs:string"/>
+	       <xs:element name="type" type="xs:string"/>
+	       <xs:element name="memo" type="xs:string"/>
+	       <xs:element name="updated" type="xs:dateTime"/>
+	       <xs:element name="status">
+			  <xs:simpleType>
+			    <xs:restriction base="xs:string">
+			      <xs:enumeration value="approve"/>
+			      <xs:enumeration value="reject"/>
+			      <xs:enumeration value="pending"/>
+			    </xs:restriction>
+			  </xs:simpleType>
+		   </xs:element> 	
+		   <xs:element name="operation">
+			  <xs:simpleType>
+			    <xs:restriction base="xs:string">
+			      <xs:enumeration value="C"/>
+			      <xs:enumeration value="U"/>
+			      <xs:enumeration value="D"/>
+			      <xs:enumeration value="G"/>
+			      <xs:enumeration value="UG"/>
+			    </xs:restriction>
+			  </xs:simpleType>
+		   </xs:element> 	
+	   </xs:sequence>
+	</xs:complexType>
+	<xs:element name="approvals">
+		<xs:complexType>
+			<xs:sequence>
+				<xs:element name="approvals" type="aaf:approval" minOccurs="1" maxOccurs="unbounded"/>
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+	
+<!-- 
+	Delegates 
+-->	
+	<xs:complexType name="delg">
+	   <xs:sequence>
+	       <xs:element name="user" type="xs:string"/>
+	       <xs:element name="delegate" type="xs:string"/>
+	       <xs:element name="expires" type="xs:date"/>
+	   </xs:sequence>
+	</xs:complexType>
+	
+	<xs:element name="delgRequest">
+		<xs:complexType>
+			<xs:complexContent>
+				<xs:extension base="aaf:Request">
+					<xs:sequence>
+				       <xs:element name="user" type="xs:string" minOccurs="1" maxOccurs="1"/>
+				       <xs:element name="delegate" type="xs:string" minOccurs="1" maxOccurs="1"/>
+					</xs:sequence>
+				</xs:extension>
+			</xs:complexContent>
+		</xs:complexType>
+	</xs:element>
+
+	<xs:element name="delgs">
+		<xs:complexType>
+			<xs:sequence>
+				<xs:element name="delgs" type="aaf:delg" minOccurs="0" maxOccurs="unbounded"/>
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+	
+	<!-- Jonathan 3/11/2015 New for 2.0.8 -->
+	<xs:element name="api">
+		<xs:complexType>
+			<xs:sequence>
+				<xs:element name="route" minOccurs="0" maxOccurs="unbounded">
+					<xs:complexType>
+						<xs:sequence>
+							<xs:element name="meth" type="xs:string" minOccurs="1" maxOccurs="1"/>
+							<xs:element name="path" type="xs:string" minOccurs="1" maxOccurs="1"/>
+							<xs:element name="param" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
+							<xs:element name="desc" type="xs:string" minOccurs="1" maxOccurs="1"/>
+							<xs:element name="comments" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
+							<xs:element name="contentType" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
+							<xs:element name="expected" type="xs:int" minOccurs="1" maxOccurs="1"/>
+							<xs:element name="explicitErr" type="xs:int" minOccurs="0" maxOccurs="unbounded"/>
+						</xs:sequence>	
+					</xs:complexType>
+				</xs:element>
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+</xs:schema>
diff --git a/auth/auth-client/src/main/xsd/aaf_oauth2.xsd b/auth/auth-client/src/main/xsd/aaf_oauth2.xsd
new file mode 100644
index 00000000..22283184
--- /dev/null
+++ b/auth/auth-client/src/main/xsd/aaf_oauth2.xsd
@@ -0,0 +1,141 @@
+<!-- 
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+-->
+<xs:schema 
+	xmlns:xs="http://www.w3.org/2001/XMLSchema" 
+	xmlns:aafoauth="urn:aafoauth:v2_0"
+	targetNamespace="urn:aafoauth:v2_0" 
+	elementFormDefault="qualified">
+	
+	
+	<!-- Definition of a GUID found several places on WEB, 5/24/2017
+	Developed a HexToken instead 
+	<xs:simpleType name="guid">
+  		<xs:annotation>
+	    	<xs:documentation xml:lang="en">
+		       The representation of a GUID, generally the id of an element.
+		    </xs:documentation>
+	  	</xs:annotation>
+	  	<xs:restriction base="xs:string">
+	    	<xs:pattern value="\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}"/>
+	  </xs:restriction>
+	</xs:simpleType>
+	-->
+
+	<!--  fill this out 
+	<xs:simpleType name="scope">
+  		<xs:annotation>
+	    	<xs:documentation xml:lang="en">
+		       The representation of a GUID, generally the id of an element.
+		    </xs:documentation>
+	  	</xs:annotation>
+	  	<xs:restriction base="xs:string">
+	    	<xs:pattern value="[&#x|&#x23-&#x5B|&#5D-&#x7E]*"/>
+	  </xs:restriction>
+	</xs:simpleType>
+	-->
+	
+	<!--
+		Authenticate:  consider "redirect" as well as typical connection info like:
+			grant_type - use the value “password”
+			client_id - your API client id
+			client_secret - the secret key of your client
+			username - the account username for which you want to obtain an access token
+			password - the account password
+			response_type - use the value “token”
+		 
+	 -->
+	<!--  RFC 6749, Section 4.2.1 -->
+	<xs:element name="tokenRequest">
+		<xs:complexType>
+			<xs:sequence>
+				<!-- Must be set to "token" -->
+				<xs:element name="response_type" type="xs:string" minOccurs="1" maxOccurs="1"/>
+				<xs:element name="client_id" type="xs:string" minOccurs="1" maxOccurs="1"/>
+				<xs:element name="redirect_uri" type="xs:string" minOccurs="0" maxOccurs="1"/>
+				<!-- only include for "refresh_token" type -->
+				<xs:element name="refresh_token" type="xs:string" minOccurs="0" maxOccurs="1"/>
+				<xs:element name="state" type="xs:string" minOccurs="0" maxOccurs="1"/>
+				<xs:element name="scope" type="xs:string" minOccurs="0" maxOccurs="1"/>
+				<!-- Normally put in application/x-www-form-urlencoded  -->
+				<xs:element name="grant_type" type="xs:string" minOccurs="0" maxOccurs="1"/>
+				<xs:element name="username" type="xs:string" minOccurs="0" maxOccurs="1"/>
+				<xs:element name="password" type="xs:string" minOccurs="0" maxOccurs="1"/>
+				<xs:element name="client_secret" type="xs:string" minOccurs="0" maxOccurs="1"/>
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+	 
+	<!--  RFC 6749, Section 4.2.2 -->
+	<xs:element name="token">
+		<xs:complexType>
+			<xs:sequence>
+				<xs:element name="access_token" type="xs:string" minOccurs="1" maxOccurs="1"/>
+				<xs:element name="token_type" type="xs:string" minOccurs="1" maxOccurs="1"/>
+				<xs:element name="refresh_token" type="xs:string" minOccurs="0" maxOccurs="1"/>
+				<xs:element name="expires_in" type="xs:int" minOccurs="0" maxOccurs="1"/>
+				<xs:element name="scope" type="xs:string" minOccurs="0" maxOccurs="1"/>
+				<xs:element name="state" type="xs:string" minOccurs="0" maxOccurs="1"/>
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+
+	<!-- RFC 6749, Section  4.2.2.1 -->
+	<xs:element name="error">
+		<xs:complexType>
+			<xs:sequence>
+				<xs:element name="error">
+					<xs:simpleType>
+						<xs:restriction base="xs:string">
+							<xs:enumeration value="invalid_request" />
+							<xs:enumeration value="unauthorized_client" />
+							<xs:enumeration value="access_denied" />
+							<xs:enumeration value="unsupported_response_type" />
+							<xs:enumeration value="invalid_scope" />
+							<xs:enumeration value="server_error" />
+							<xs:enumeration value="temporarily_unavailable" /> 
+						</xs:restriction>
+					</xs:simpleType>
+				</xs:element>
+				<xs:element name="error_description" type="xs:string" minOccurs="0" maxOccurs="1" />
+				<xs:element name="error_uri" type="xs:string" minOccurs="0" maxOccurs="1" />
+				<xs:element name="state" type="xs:string" minOccurs = "0" maxOccurs="1" />
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+
+	<!-- Jonathan 4/21/2016 New for Certificate Info  -->
+	<xs:element name="introspect">
+		<xs:complexType>
+			<xs:sequence>
+				<xs:element name="access_token" type="xs:string" minOccurs="0" maxOccurs="1"/>
+				<xs:element name="active" type="xs:boolean" minOccurs="1" maxOccurs="1"/>
+				<xs:element name="client_id" type="xs:string" minOccurs="0" maxOccurs="1"/>
+				<xs:element name="username" type="xs:string" minOccurs="0" maxOccurs="1"/>
+				<xs:element name="client_type" type="xs:string" minOccurs="1" maxOccurs="1"/>
+				<!-- Seconds from jan 1 1970 -->
+				<xs:element name="exp" type="xs:long" minOccurs="0" maxOccurs="1"/>
+				<xs:element name="scope" type="xs:string" minOccurs="1" maxOccurs="1"/>
+				<xs:element name="content" type="xs:string" minOccurs="0" maxOccurs="1"/>
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+		
+</xs:schema>
diff --git a/auth/auth-client/src/main/xsd/certman_1_0.xsd b/auth/auth-client/src/main/xsd/certman_1_0.xsd
new file mode 100644
index 00000000..19c698b9
--- /dev/null
+++ b/auth/auth-client/src/main/xsd/certman_1_0.xsd
@@ -0,0 +1,169 @@
+<!-- 
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+-->
+
+<xs:schema 
+	xmlns:xs="http://www.w3.org/2001/XMLSchema" 
+	xmlns:certman="urn:certman:v1_0"
+	targetNamespace="urn:certman:v1_0" 
+	elementFormDefault="qualified">
+	
+	
+	<!-- Jonathan 4/21/2016 New for Certificate Info  -->
+	<xs:element name="certInfo">
+		<xs:complexType>
+			<xs:sequence>
+				<!-- Base64 Encoded Private Key -->
+				<xs:element name="privatekey" type="xs:string" minOccurs="0" maxOccurs="1"/>
+				<!-- Base64 Encoded Certificate -->
+				<xs:element name="certs" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
+				<!-- Challenge Password (2 method Auth) -->
+				<xs:element name="challenge" type="xs:string" minOccurs="0" maxOccurs="1"/>
+				<!-- Notes from Server concerning Cert (not an error) -->
+				<xs:element name="notes" type="xs:string" minOccurs="0" maxOccurs="1"/>
+				<!-- Issuer DNs from CA -->
+				<xs:element name="caIssuerDNs" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
+				<!-- ENV in Cert -->
+				<xs:element name="env" type="xs:string" minOccurs="0" maxOccurs="1"/>
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+	
+	<xs:complexType name="baseRequest">
+		<xs:sequence>
+			<xs:element name="mechid" type="xs:string" minOccurs="1" maxOccurs="1"/>
+			<!-- Sponsor is only required if the caller is not Sponsor.  In that case, the calling ID must be delegated to do the work. -->
+			<xs:element name="sponsor" type="xs:string" minOccurs="0" maxOccurs="1"/>
+			<xs:element name="start" type="xs:dateTime" minOccurs="1" maxOccurs="1" />
+			<xs:element name="end" type="xs:date" minOccurs="1" maxOccurs="1"/>
+		</xs:sequence>
+	</xs:complexType>
+
+	<xs:complexType name="specificRequest">
+		<xs:complexContent>
+			<xs:extension base="certman:baseRequest">
+				<xs:sequence>
+					<xs:element name="serial" type="xs:string" minOccurs="1" maxOccurs="1"/>
+					<!-- Certificate has been compromised or other security issue -->
+					<xs:element name="revoke" type="xs:boolean" minOccurs="0" maxOccurs="1" default="false"/>
+				</xs:sequence>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+		
+	<xs:element name="certificateRequest">
+		<xs:complexType>
+			<xs:complexContent>
+				<xs:extension base="certman:baseRequest">
+					<xs:sequence>
+						<!-- One FQDN is required.  Multiple driven by Policy -->
+						<xs:element name="fqdns" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
+						<!-- Optional Email for getting Public Certificate -->
+						<xs:element name="email" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
+					</xs:sequence>
+				</xs:extension>
+			</xs:complexContent>
+		</xs:complexType>
+	</xs:element>
+	
+	<xs:element name="clientX509Request">
+		<xs:complexType>
+			<xs:sequence>
+				<xs:element name="id" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
+				<xs:element name="email" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
+				<xs:element name="start" type="xs:dateTime" minOccurs="1" maxOccurs="1" />
+				<xs:element name="end" type="xs:date" minOccurs="1" maxOccurs="1"/>
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+
+	<xs:element name="certificateRenew">
+		<xs:complexType>
+			<xs:complexContent>
+				<xs:extension base="certman:specificRequest">
+					<xs:sequence>
+						<!-- One FQDN is required.  Multiple driven by Policy -->
+						<xs:element name="fqdns" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
+						<!-- Challenge Password (for accessing manually) TODO Is it necessary? -->
+						<xs:element name="challenge" type="xs:string" minOccurs="0" maxOccurs="1"/>
+						<!-- Optional Email for getting Public Certificate -->
+						<xs:element name="email" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
+					</xs:sequence>
+				</xs:extension>
+			</xs:complexContent>
+		</xs:complexType>
+	</xs:element>
+	
+	<xs:element name="certificateDrop">
+		<xs:complexType>
+			<xs:complexContent>
+				<xs:extension base="certman:specificRequest">
+					<xs:sequence>
+						<!-- Challenge Password (for accessing manually) TODO Is it necessary? -->
+						<xs:element name="challenge" type="xs:string" minOccurs="0" maxOccurs="1"/>
+					</xs:sequence>
+				</xs:extension>
+			</xs:complexContent>
+		</xs:complexType>
+	</xs:element>
+	
+	<!-- Placement Structures -->
+	
+	<xs:element name="artifacts">
+		<xs:complexType>
+			<xs:sequence>
+				<xs:element name="artifact" minOccurs="0" maxOccurs="unbounded"> 
+					<xs:complexType>
+						<xs:sequence>
+							<xs:element name="mechid" type="xs:string" minOccurs="1" maxOccurs="1"/>
+							<xs:element name="machine" type="xs:string" minOccurs="0" maxOccurs="1" />
+						    <xs:element name="type" minOccurs="1" maxOccurs="3">
+						    	<xs:simpleType>
+								    <xs:restriction base="xs:string">
+								      <xs:enumeration value="file"/>
+								      <xs:enumeration value="jks"/>
+								      <xs:enumeration value="print"/>
+								    </xs:restriction>
+							    </xs:simpleType>
+						    </xs:element>
+							<xs:element name="ca" type="xs:string" minOccurs="1" maxOccurs="1" />
+						    <xs:element name="dir" type="xs:string" minOccurs="1" maxOccurs="1"/>
+							<xs:element name="os_user" type="xs:string" minOccurs="1" maxOccurs="1"/>
+							<!-- Ignored on input, and set by TABLES.  However, returned  on output -->
+							<xs:element name="sponsor" type="xs:string" minOccurs="0" maxOccurs="1" />
+						    <!-- Optional... if empty, will use MechID Namespace -->
+						    <xs:element name="ns" type="xs:string" minOccurs="0" maxOccurs="1"/>
+						    <!-- Optional... if empty, will notify Sponsor -->
+						    <xs:element name="notification" type="xs:string" minOccurs="0" maxOccurs="1"/>
+						    <!-- Optional... Days before auto renewal.  Min is 10.  Max is 1/3 expiration (60) -->
+						    <xs:element name="renewDays" type="xs:int" minOccurs="0" maxOccurs="1" default="30"/>
+						    <!-- Optional... Additional SANS. May be denied by CA. -->
+						    <xs:element name="sans" type="xs:string" minOccurs="0" maxOccurs="99"/>
+						    
+						</xs:sequence>
+					</xs:complexType>
+				</xs:element>
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+	
+	
+				
+</xs:schema>
diff --git a/auth/auth-client/src/main/xsd/certman_2_0.xsd b/auth/auth-client/src/main/xsd/certman_2_0.xsd
new file mode 100644
index 00000000..35389402
--- /dev/null
+++ b/auth/auth-client/src/main/xsd/certman_2_0.xsd
@@ -0,0 +1,169 @@
+<!-- 
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+-->
+
+<xs:schema 
+	xmlns:xs="http://www.w3.org/2001/XMLSchema" 
+	xmlns:certman="urn:certman:v2_0"
+	targetNamespace="urn:certman:v2_0" 
+	elementFormDefault="qualified">
+	
+	
+	<!-- Jonathan 4/21/2016 New for Certificate Info  -->
+	<xs:element name="certInfo">
+		<xs:complexType>
+			<xs:sequence>
+				<!-- Base64 Encoded Private Key -->
+				<xs:element name="privatekey" type="xs:string" minOccurs="0" maxOccurs="1"/>
+				<!-- Base64 Encoded Certificate -->
+				<xs:element name="certs" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
+				<!-- Challenge Password (2 method Auth) -->
+				<xs:element name="challenge" type="xs:string" minOccurs="0" maxOccurs="1"/>
+				<!-- Notes from Server concerning Cert (not an error) -->
+				<xs:element name="notes" type="xs:string" minOccurs="0" maxOccurs="1"/>
+				<!-- Issuer DNs from CA -->
+				<xs:element name="caIssuerDNs" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
+				<!-- ENV in Cert -->
+				<xs:element name="env" type="xs:string" minOccurs="0" maxOccurs="1"/>
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+	
+	<xs:complexType name="baseRequest">
+		<xs:sequence>
+			<xs:element name="mechid" type="xs:string" minOccurs="1" maxOccurs="1"/>
+			<!-- Sponsor is only required if the caller is not Sponsor.  In that case, the calling ID must be delegated to do the work. -->
+			<xs:element name="sponsor" type="xs:string" minOccurs="0" maxOccurs="1"/>
+			<xs:element name="start" type="xs:dateTime" minOccurs="1" maxOccurs="1" />
+			<xs:element name="end" type="xs:date" minOccurs="1" maxOccurs="1"/>
+		</xs:sequence>
+	</xs:complexType>
+
+	<xs:complexType name="specificRequest">
+		<xs:complexContent>
+			<xs:extension base="certman:baseRequest">
+				<xs:sequence>
+					<xs:element name="serial" type="xs:string" minOccurs="1" maxOccurs="1"/>
+					<!-- Certificate has been compromised or other security issue -->
+					<xs:element name="revoke" type="xs:boolean" minOccurs="0" maxOccurs="1" default="false"/>
+				</xs:sequence>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+		
+	<xs:element name="certificateRequest">
+		<xs:complexType>
+			<xs:complexContent>
+				<xs:extension base="certman:baseRequest">
+					<xs:sequence>
+						<!-- One FQDN is required.  Multiple driven by Policy -->
+						<xs:element name="fqdns" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
+						<!-- Optional Email for getting Public Certificate -->
+						<xs:element name="email" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
+					</xs:sequence>
+				</xs:extension>
+			</xs:complexContent>
+		</xs:complexType>
+	</xs:element>
+	
+	<xs:element name="clientX509Request">
+		<xs:complexType>
+			<xs:sequence>
+				<xs:element name="id" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
+				<xs:element name="email" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
+				<xs:element name="start" type="xs:dateTime" minOccurs="1" maxOccurs="1" />
+				<xs:element name="end" type="xs:date" minOccurs="1" maxOccurs="1"/>
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+
+	<xs:element name="certificateRenew">
+		<xs:complexType>
+			<xs:complexContent>
+				<xs:extension base="certman:specificRequest">
+					<xs:sequence>
+						<!-- One FQDN is required.  Multiple driven by Policy -->
+						<xs:element name="fqdns" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
+						<!-- Challenge Password (for accessing manually) TODO Is it necessary? -->
+						<xs:element name="challenge" type="xs:string" minOccurs="0" maxOccurs="1"/>
+						<!-- Optional Email for getting Public Certificate -->
+						<xs:element name="email" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
+					</xs:sequence>
+				</xs:extension>
+			</xs:complexContent>
+		</xs:complexType>
+	</xs:element>
+	
+	<xs:element name="certificateDrop">
+		<xs:complexType>
+			<xs:complexContent>
+				<xs:extension base="certman:specificRequest">
+					<xs:sequence>
+						<!-- Challenge Password (for accessing manually) TODO Is it necessary? -->
+						<xs:element name="challenge" type="xs:string" minOccurs="0" maxOccurs="1"/>
+					</xs:sequence>
+				</xs:extension>
+			</xs:complexContent>
+		</xs:complexType>
+	</xs:element>
+	
+	<!-- Placement Structures -->
+	
+	<xs:element name="artifacts">
+		<xs:complexType>
+			<xs:sequence>
+				<xs:element name="artifact" minOccurs="0" maxOccurs="unbounded"> 
+					<xs:complexType>
+						<xs:sequence>
+							<xs:element name="mechid" type="xs:string" minOccurs="1" maxOccurs="1"/>
+							<xs:element name="machine" type="xs:string" minOccurs="0" maxOccurs="1" />
+						    <xs:element name="type" minOccurs="1" maxOccurs="3">
+						    	<xs:simpleType>
+								    <xs:restriction base="xs:string">
+								      <xs:enumeration value="file"/>
+								      <xs:enumeration value="jks"/>
+								      <xs:enumeration value="print"/>
+								    </xs:restriction>
+							    </xs:simpleType>
+						    </xs:element>
+							<xs:element name="ca" type="xs:string" minOccurs="1" maxOccurs="1" />
+						    <xs:element name="dir" type="xs:string" minOccurs="1" maxOccurs="1"/>
+							<xs:element name="os_user" type="xs:string" minOccurs="1" maxOccurs="1"/>
+							<!-- Ignored on input, and set by TABLES.  However, returned  on output -->
+							<xs:element name="sponsor" type="xs:string" minOccurs="0" maxOccurs="1" />
+						    <!-- Optional... if empty, will use MechID Namespace -->
+						    <xs:element name="ns" type="xs:string" minOccurs="0" maxOccurs="1"/>
+						    <!-- Optional... if empty, will notify Sponsor -->
+						    <xs:element name="notification" type="xs:string" minOccurs="0" maxOccurs="1"/>
+						    <!-- Optional... Days before auto renewal.  Min is 10.  Max is 1/3 expiration (60) -->
+						    <xs:element name="renewDays" type="xs:int" minOccurs="0" maxOccurs="1" default="30"/>
+						    <!-- Optional... Additional SANS. May be denied by CA. -->
+						    <xs:element name="sans" type="xs:string" minOccurs="0" maxOccurs="99"/>
+						    
+						</xs:sequence>
+					</xs:complexType>
+				</xs:element>
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+	
+	
+				
+</xs:schema>
diff --git a/auth/auth-client/src/main/xsd/locate_1_0.xsd b/auth/auth-client/src/main/xsd/locate_1_0.xsd
new file mode 100644
index 00000000..209e3bf4
--- /dev/null
+++ b/auth/auth-client/src/main/xsd/locate_1_0.xsd
@@ -0,0 +1,79 @@
+<!-- 
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+-->
+
+<xs:schema 
+	xmlns:xs="http://www.w3.org/2001/XMLSchema" 
+	xmlns:locate="urn:locate:v1_0"
+	targetNamespace="urn:locate:v1_0" 
+	elementFormDefault="qualified">
+	
+	<xs:complexType name="endpoint">
+		<xs:sequence>
+			<!-- Must be set to "token" -->
+			<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1"/>
+			<xs:element name="major" type="xs:int" minOccurs="1" maxOccurs="1"/>
+			<xs:element name="minor" type="xs:int" minOccurs="1" maxOccurs="1"/>
+			<xs:element name="patch" type="xs:int" minOccurs="1" maxOccurs="1"/>
+			<xs:element name="pkg" type="xs:int" minOccurs="1" maxOccurs="1"/>
+			<xs:element name="latitude" type="xs:float" minOccurs="1" maxOccurs="1"/>
+			<xs:element name="longitude" type="xs:float" minOccurs="1" maxOccurs="1"/>
+			<xs:element name="protocol" type="xs:string" minOccurs="1" maxOccurs="1"/>
+			<xs:element name="subprotocol" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
+			<xs:element name="hostname" type="xs:string" minOccurs="1" maxOccurs="1"/>
+			<xs:element name="port" type="xs:int" minOccurs="1" maxOccurs="1"/>
+		</xs:sequence>
+	</xs:complexType>
+	
+    	<xs:element name="endpoints">
+	    	<xs:complexType>
+	    		<xs:sequence>
+	    			<xs:element name="endpoint" type="locate:endpoint" minOccurs="0" maxOccurs="unbounded"/>
+	    		</xs:sequence>
+	    	</xs:complexType>
+	</xs:element>
+
+    <xs:complexType name="mgmt_endpoint">
+		<xs:complexContent>
+			<xs:extension base="locate:endpoint">
+				<xs:sequence>	
+					<xs:element name="special_ports"  minOccurs="0" maxOccurs="unbounded" >
+						<xs:complexType>
+							<xs:sequence>
+								<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1"/>
+								<xs:element name="port" type="xs:int" minOccurs="1" maxOccurs="1"/>
+								<xs:element name="protocol" type="xs:string" minOccurs="1" maxOccurs="1"/>
+								<xs:element name="protocol_versions" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
+							</xs:sequence>
+						</xs:complexType>
+					</xs:element>
+				</xs:sequence>
+			</xs:extension>
+		</xs:complexContent>			
+	</xs:complexType>
+
+    	<xs:element name="mgmt_endpoints">
+	    	<xs:complexType>
+	    		<xs:sequence>
+	    			<xs:element name="mgmt_endpoint" type="locate:mgmt_endpoint" minOccurs="0" maxOccurs="unbounded"/>
+	    		</xs:sequence>
+	    	</xs:complexType>
+	</xs:element>
+</xs:schema>
diff --git a/auth/auth-cmd/.gitignore b/auth/auth-cmd/.gitignore
new file mode 100644
index 00000000..5aee8092
--- /dev/null
+++ b/auth/auth-cmd/.gitignore
@@ -0,0 +1,6 @@
+/.settings
+/bin
+/logs
+/target
+/.classpath
+/.project
diff --git a/auth/auth-cmd/pom.xml b/auth/auth-cmd/pom.xml
new file mode 100644
index 00000000..4b051889
--- /dev/null
+++ b/auth/auth-cmd/pom.xml
@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.onap.aaf.auth</groupId>
+		<artifactId>parent</artifactId>
+		<version>2.1.0-SNAPSHOT</version>
+		<relativePath>../pom.xml</relativePath>
+	</parent>
+
+	<artifactId>aaf-auth-cmd</artifactId>
+	<name>AAF Auth Command</name>
+	<description>Command Line Processor for AAF Auth</description>
+	<packaging>jar</packaging>
+
+	<properties>
+		<maven.test.failure.ignore>false</maven.test.failure.ignore>
+	</properties>
+
+	<developers>
+		<developer>
+			<name>Jonathan Gathman</name>
+			<email>jonathan.gathman@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Architect</role>
+				<role>Lead Developer</role>
+			</roles>
+		</developer>
+		<developer>
+			<name>Gabe Maurer</name>
+			<email>gabe.maurer@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Developer</role>
+			</roles>
+		</developer>
+		<developer>
+			<name>Ian Howell</name>
+			<email>ian.howell@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Developer</role>
+			</roles>
+		</developer>
+	</developers>
+
+	
+	<dependencies>
+		<dependency>
+			<groupId>org.onap.aaf.cadi</groupId>
+			<artifactId>aaf-cadi-aaf</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.auth</groupId>
+			<artifactId>aaf-auth-core</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>jline</groupId>
+			<artifactId>jline</artifactId>
+			<version>2.14.2</version>
+		</dependency>
+
+	</dependencies>
+</project>
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/AAFcli.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/AAFcli.java
new file mode 100644
index 00000000..e8069b8e
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/AAFcli.java
@@ -0,0 +1,647 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileReader;
+import java.io.InputStreamReader;
+import java.io.OutputStreamWriter;
+import java.io.PrintWriter;
+import java.io.Reader;
+import java.io.Writer;
+import java.net.HttpURLConnection;
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.onap.aaf.auth.cmd.mgmt.Mgmt;
+import org.onap.aaf.auth.cmd.ns.NS;
+import org.onap.aaf.auth.cmd.perm.Perm;
+import org.onap.aaf.auth.cmd.role.Role;
+import org.onap.aaf.auth.cmd.user.User;
+import org.onap.aaf.auth.common.Define;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.Locator;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.SecuritySetter;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.aaf.v2_0.AAFLocator;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.config.SecurityInfoC;
+import org.onap.aaf.cadi.http.HBasicAuthSS;
+import org.onap.aaf.cadi.http.HMangr;
+import org.onap.aaf.cadi.sso.AAFSSO;
+import org.onap.aaf.misc.env.APIException;
+
+import jline.console.ConsoleReader;
+
+public class AAFcli {
+	private static final String HTTPS = "https://";
+	protected static PrintWriter pw;
+	protected HMangr hman;
+	// Storage for last reused client. We can do this
+	// because we're technically "single" threaded calls.
+	public Retryable<?> prevCall;
+
+	protected SecuritySetter<HttpURLConnection> ss;
+//	protected AuthzEnv env;
+	private boolean close;
+	private List<Cmd> cmds;
+
+	// Lex State
+	private ArrayList<Integer> expect = new ArrayList<Integer>();
+	private boolean verbose = true;
+	private int delay;
+	private SecurityInfoC<HttpURLConnection> si;
+	private boolean request = false;
+	private String force = null;
+	private boolean gui = false;
+	// Package on purpose
+	Access access;
+	AuthzEnv env;
+
+	private static int TIMEOUT = Integer.parseInt(Config.AAF_CONN_TIMEOUT_DEF);
+	private static boolean isConsole = false;
+	private static boolean isTest = false;
+	private static boolean showDetails = false;
+	private static boolean ignoreDelay = false;
+	private static int globalDelay=0;
+	
+	public static int timeout() {
+		return TIMEOUT;
+	}
+
+	// Create when only have Access
+	public AAFcli(Access access, Writer wtr, HMangr hman, SecurityInfoC<HttpURLConnection> si, SecuritySetter<HttpURLConnection> ss) throws APIException {
+		this(access,new AuthzEnv(access.getProperties()),wtr,hman, si,ss);
+	}
+
+	public AAFcli(Access access, AuthzEnv env, Writer wtr, HMangr hman, SecurityInfoC<HttpURLConnection> si, SecuritySetter<HttpURLConnection> ss) throws APIException {
+		this.env = env;
+		this.access = access;
+		this.ss = ss;
+		this.hman = hman;
+		this.si = si;
+		if (wtr instanceof PrintWriter) {
+			pw = (PrintWriter) wtr;
+			close = false;
+		} else {
+			pw = new PrintWriter(wtr);
+			close = true;
+		}
+
+
+		/*
+		 * Create Cmd Tree
+		 */
+		cmds = new ArrayList<Cmd>();
+
+		Role role = new Role(this);
+		cmds.add(new Help(this, cmds));
+		cmds.add(new Version(this));
+		cmds.add(new Perm(role));
+		cmds.add(role);
+		cmds.add(new User(this));
+		cmds.add(new NS(this));
+		cmds.add(new Mgmt(this));
+	}
+
+	public void verbose(boolean v) {
+		verbose = v;
+	}
+
+	public void close() {
+		if (hman != null) {
+			hman.close();
+			hman = null;
+		}
+		if (close) {
+			pw.close();
+		}
+	}
+
+	public boolean eval(String line) throws Exception {
+		if (line.length() == 0) {
+			return true;
+		} else if (line.startsWith("#")) {
+			pw.println(line);
+			return true;
+		}
+
+		String[] largs = argEval(line);
+		int idx = 0;
+
+		// Variable replacement
+		StringBuilder sb = null;
+		while (idx < largs.length) {
+			int e = 0;
+			for (int v = largs[idx].indexOf("@["); v >= 0; v = largs[idx].indexOf("@[", v + 1)) {
+				if (sb == null) {
+					sb = new StringBuilder();
+				}
+				sb.append(largs[idx], e, v);
+				if ((e = largs[idx].indexOf(']', v)) >= 0) {
+					String p = access.getProperty(largs[idx].substring(v + 2, e),null);
+					if(p==null) {
+						p = System.getProperty(largs[idx].substring(v+2,e));
+					}
+					++e;
+					if (p != null) {
+						sb.append(p);
+					}
+				}
+			}
+			if (sb != null && sb.length() > 0) {
+				sb.append(largs[idx], e, largs[idx].length());
+				largs[idx] = sb.toString();
+				sb.setLength(0);
+			}
+			++idx;
+		}
+
+		idx = 0;
+		boolean rv = true;
+		while (rv && idx < largs.length) {
+			// Allow Script to change Credential
+			if (!gui) {
+				if("as".equalsIgnoreCase(largs[idx])) {
+					if (largs.length > ++idx) {
+						// get Password from Props with ID as Key
+						String user = largs[idx++];
+						int colon = user.indexOf(':');
+						String pass;
+						if (colon > 0) {
+							pass = user.substring(colon + 1);
+							user = user.substring(0, colon);
+						} else {
+							pass = access.getProperty(user, null);
+						}
+						if (pass != null) {
+							pass = access.decrypt(pass, false);
+							access.getProperties().put(user, pass);
+							ss = new HBasicAuthSS(si, user, pass);
+							pw.println("as " + user);
+						} else { // get Pass from System Properties, under name of
+							// Tag
+							pw.println("ERROR: No password set for " + user);
+							rv = false;
+						}
+						continue;
+					}
+				} else if ("expect".equalsIgnoreCase(largs[idx])) {
+					expect.clear();
+					if (largs.length > idx++) {
+						if (!"nothing".equals(largs[idx])) {
+							for (String str : largs[idx].split(",")) {
+								try {
+									if ("Exception".equalsIgnoreCase(str)) {
+										expect.add(-1);
+									} else {
+										expect.add(Integer.parseInt(str));
+									}
+								} catch (NumberFormatException e) {
+									throw new CadiException("\"expect\" should be followed by Number");
+								}
+							}
+						++idx;
+						}
+					}
+					continue;
+					// Sleep, typically for reports, to allow DB to update
+					// Milliseconds
+					
+				} else if ("sleep".equalsIgnoreCase(largs[idx])) {
+					Integer t = Integer.parseInt(largs[++idx]);
+					pw.println("sleep " + t);
+					Thread.sleep(t);
+					++idx;
+					continue;
+				} else if ("delay".equalsIgnoreCase(largs[idx])) {
+					delay = Integer.parseInt(largs[++idx]);
+					pw.println("delay " + delay);
+					++idx;
+					continue;
+				} else if ("pause".equalsIgnoreCase(largs[idx])) {
+					pw.println("Press <Return> to continue...");
+					++idx;
+					new BufferedReader(new InputStreamReader(System.in)).readLine();
+					continue;
+				} else if ("exit".equalsIgnoreCase(largs[idx])) {
+					pw.println("Exiting...");
+					return false;
+				}
+
+			} 
+			
+			if("REQUEST".equalsIgnoreCase(largs[idx])) {
+				request=true;
+				++idx;
+			} else if("FORCE".equalsIgnoreCase(largs[idx])) {
+				force="true";
+				++idx;
+			} else if("DETAILS".equalsIgnoreCase(largs[idx])) {
+				showDetails=true;
+				++idx;
+			} else if ("set".equalsIgnoreCase(largs[idx])) {
+				while (largs.length > ++idx) {
+					int equals = largs[idx].indexOf('=');
+					String tag, value;
+					if (equals < 0) {
+						tag = largs[idx];
+						value = access.getProperty(Config.AAF_APPPASS,null);
+						if(value==null) {
+							break;
+						} else {
+							value = access.decrypt(value, false);
+							if(value==null) {
+								break;
+							}
+							access.getProperties().put(tag, value);
+							pw.println("set " + tag + " <encrypted>");
+						}
+					} else {
+						tag = largs[idx].substring(0, equals);
+						value = largs[idx].substring(++equals);
+						pw.println("set " + tag + ' ' + value);
+					}
+					boolean isTrue = "TRUE".equalsIgnoreCase(value);
+					if("FORCE".equalsIgnoreCase(tag)) {
+						force = value;
+					} else if("REQUEST".equalsIgnoreCase(tag)) {
+						request = isTrue;
+					} else if("DETAILS".equalsIgnoreCase(tag)) {
+						showDetails = isTrue;
+					} else {
+						access.getProperties().put(tag, value);
+					}
+				}
+				continue;
+				// Allow Script to indicate if Failure is what is expected
+			}
+
+			int ret = 0;
+			for (Cmd c : cmds) {
+				if (largs[idx].equalsIgnoreCase(c.getName())) {
+					if (verbose) {
+						pw.println(line);
+						if (expect.size() > 0) {
+							pw.print("** Expect ");
+							boolean first = true;
+							for (Integer i : expect) {
+								if (first) {
+									first = false;
+								} else {
+									pw.print(',');
+								}
+								pw.print(i);
+							}
+							pw.println(" **");
+						}
+					}
+					try {
+						ret = c.exec(++idx, largs);
+						if (delay+globalDelay > 0) {
+							Thread.sleep(delay+globalDelay);
+						}
+					} catch (Exception e) {
+						if (expect.contains(-1)) {
+							pw.println(e.getMessage());
+							ret = -1;
+						} else {
+							throw e;
+						}
+					} finally {
+						clearSingleLineProperties();
+					}
+					rv = expect.isEmpty() ? true : expect.contains(ret);
+					if (verbose) {
+						if (rv) {
+							pw.println();
+						} else {
+							pw.print("!!! Unexpected Return Code: ");
+							pw.print(ret);
+							pw.println(", VALIDATE OUTPUT!!!");
+						}
+					}
+					return rv;
+				}
+			}
+			pw.write("Unknown Instruction \"");
+			pw.write(largs[idx]);
+			pw.write("\"\n");
+			idx = largs.length;// always end after one command
+		}
+		return rv;
+	}
+
+	private String[] argEval(String line) {
+		StringBuilder sb = new StringBuilder();
+		ArrayList<String> arr = new ArrayList<String>();
+		boolean start = true;
+		char quote = 0;
+		char last = 0;
+		for (int i = 0; i < line.length(); ++i) {
+			char ch;
+			if (Character.isWhitespace(ch = line.charAt(i))) {
+				if (start || last==',') {
+					continue; // trim
+				} else if (quote != 0) {
+					sb.append(ch);
+				} else {
+					arr.add(sb.toString());
+					sb.setLength(0);
+					start = true;
+				}
+			} else if (ch == '\'' || ch == '"') { // toggle
+				if (quote == ch) {
+					quote = 0;
+				} else {
+					quote = ch;
+				}
+			} else if(ch=='|' && quote==0) {
+				arr.add(sb.toString());
+				sb.setLength(0);
+				start = true;
+			} else {
+				start = false;
+				sb.append(ch);
+				last = ch;
+			}
+		}
+		if (sb.length() > 0) {
+			arr.add(sb.toString());
+		}
+
+		String[] rv = new String[arr.size()];
+		arr.toArray(rv);
+		return rv;
+	}
+
+	public static void keyboardHelp() {
+		System.out.println("'C-' means hold the ctrl key down while pressing the next key.");
+		System.out.println("'M-' means hold the alt key down while pressing the next key.");
+		System.out.println("For instance, C-b means hold ctrl key and press b, M-b means hold alt and press b\n");
+
+		System.out.println("Basic Keybindings:");
+		System.out.println("\tC-l - clear screen");        
+		System.out.println("\tC-a - beginning of line");
+		System.out.println("\tC-e - end of line");
+		System.out.println("\tC-b - backward character (left arrow also works)");
+		System.out.println("\tM-b - backward word");
+		System.out.println("\tC-f - forward character (right arrow also works)");
+		System.out.println("\tM-f - forward word");
+		System.out.println("\tC-d - delete character under cursor");
+		System.out.println("\tM-d - delete word forward");
+		System.out.println("\tM-backspace - delete word backward");
+		System.out.println("\tC-k - delete from cursor to end of line");
+		System.out.println("\tC-u - delete entire line, regardless of cursor position\n");
+
+		System.out.println("Command History:");
+		System.out.println("\tC-r - search backward in history (repeating C-r continues the search)");
+		System.out.println("\tC-p - move backwards through history (up arrow also works)");
+		System.out.println("\tC-n - move forwards through history (down arrow also works)\n");
+
+	}
+
+	/**
+	 * @param args
+	 */
+	public static void main(String[] args) {
+		int rv = 0;
+		
+		try {
+			AAFSSO aafsso = new AAFSSO(args);
+			try {
+				PropAccess access = aafsso.access();
+				Define.set(access);
+				AuthzEnv env = new AuthzEnv(access);
+				
+				StringBuilder err = aafsso.err();
+				String noexit = access.getProperty("no_exit");
+				if (err != null) {
+					err.append("to continue...");
+					System.err.println(err);
+					if(noexit!=null) {
+						System.exit(1);
+					}
+				}
+	
+				Reader rdr = null;
+				boolean exitOnFailure = true;
+				/*
+				 * Check for "-" options anywhere in command line
+				 */
+				StringBuilder sb = new StringBuilder();
+				for (int i = 0; i < args.length; ++i) {
+					if ("-i".equalsIgnoreCase(args[i])) {
+						rdr = new InputStreamReader(System.in);
+						// } else if("-o".equalsIgnoreCase(args[i])) {
+						// // shall we do something different? Output stream is
+						// already done...
+					} else if ("-f".equalsIgnoreCase(args[i])) {
+						if (args.length > i + 1) {
+							rdr = new FileReader(args[++i]);
+						}
+					} else if ("-a".equalsIgnoreCase(args[i])) {
+						exitOnFailure = false;
+					} else if ("-c".equalsIgnoreCase(args[i])) {
+						isConsole = true;
+					} else if ("-s".equalsIgnoreCase(args[i]) && args.length > i + 1) {
+						access.setProperty(Cmd.STARTDATE, args[++i]);
+					} else if ("-e".equalsIgnoreCase(args[i]) && args.length > i + 1) {
+						access.setProperty(Cmd.ENDDATE, args[++i]);
+					} else if ("-t".equalsIgnoreCase(args[i])) {
+						isTest = true;
+					} else if ("-d".equalsIgnoreCase(args[i])) {
+						showDetails = true;
+					} else if ("-n".equalsIgnoreCase(args[i])) {
+						ignoreDelay = true;
+					} else {
+						if (sb.length() > 0) {
+							sb.append(' ');
+						}
+						sb.append(args[i]);
+					}
+				}
+	
+				SecurityInfoC<HttpURLConnection> si = SecurityInfoC.instance(access, HttpURLConnection.class);
+				Locator<URI> loc;
+				String aafUrl = access.getProperty(Config.AAF_URL);
+				if(aafUrl==null) {
+					aafsso.setLogDefault();
+					aafsso.setStdErrDefault();
+					aafUrl=AAFSSO.cons.readLine("aaf_url=%s", HTTPS);
+					if(aafUrl.length()==0) {
+						System.exit(0);
+					} else if(!aafUrl.startsWith(HTTPS)) {
+						aafUrl=HTTPS+aafUrl;
+					}
+					aafsso.addProp(Config.AAF_URL, aafUrl);
+				} 
+				// Note, with AAF Locator, this may not longer be necessary 3/2018 Jonathan
+				if(!aafsso.loginOnly()) {
+					try {
+						loc = new AAFLocator(si,new URI(aafUrl));
+					} catch (Throwable t) {
+						aafsso.setStdErrDefault();
+						throw t;
+					} finally {
+						// Other Access is done writing to StdOut and StdErr, reset Std out
+						aafsso.setLogDefault();
+					}
+
+					TIMEOUT = Integer.parseInt(access.getProperty(Config.AAF_CONN_TIMEOUT, Config.AAF_CONN_TIMEOUT_DEF));
+					HMangr hman = new HMangr(access, loc).readTimeout(TIMEOUT).apiVersion("2.0");
+					
+					if(access.getProperty(Config.AAF_DEFAULT_REALM)==null) {
+						access.log(Level.ERROR, Config.AAF_DEFAULT_REALM,"is required");
+					}
+		
+					
+					AAFcli aafcli = new AAFcli(access,env, new OutputStreamWriter(System.out), hman, si, 
+						new HBasicAuthSS(si,aafsso.user(), access.decrypt(aafsso.enc_pass(),false)));
+					if(!ignoreDelay) {
+						File delay = new File("aafcli.delay");
+						if(delay.exists()) {
+							BufferedReader br = new BufferedReader(new FileReader(delay));
+							try {
+								globalDelay = Integer.parseInt(br.readLine());
+							} catch(Exception e) {
+								access.log(Level.DEBUG,e);
+							} finally {
+								br.close();
+							}
+						}
+					}
+					try {
+						if (isConsole) {
+							System.out.println("Type 'help' for short help or 'help -d' for detailed help with aafcli commands");
+							System.out.println("Type '?' for help with command line editing");
+							System.out.println("Type 'q', 'quit', or 'exit' to quit aafcli\n");
+		
+							ConsoleReader reader = new ConsoleReader();
+							try {
+								reader.setPrompt("aafcli > ");
+			
+								String line;
+								while ((line = reader.readLine()) != null) {
+									showDetails = (line.contains("-d"))?true:false;
+			
+									if (line.equalsIgnoreCase("quit") || line.equalsIgnoreCase("q") || line.equalsIgnoreCase("exit")) {
+										break;
+									} else if (line.equalsIgnoreCase("--help -d") || line.equalsIgnoreCase("help -d") 
+											|| line.equalsIgnoreCase("help")) {
+										line = "--help";
+									} else if (line.equalsIgnoreCase("cls")) {
+										reader.clearScreen();
+										continue;
+									} else if (line.equalsIgnoreCase("?")) {
+										keyboardHelp();
+										continue;
+									}
+									try {
+										aafcli.eval(line);
+										pw.flush();
+									} catch (Exception e) {
+										pw.println(e.getMessage());
+										pw.flush();
+									}
+								}
+							} finally {
+								reader.close();
+							}
+						} else if (rdr != null) {
+							BufferedReader br = new BufferedReader(rdr);
+							String line;
+							while ((line = br.readLine()) != null) {
+								if (!aafcli.eval(line) && exitOnFailure) {
+									rv = 1;
+									break;
+								}
+							}
+						} else { // just run the command line
+							aafcli.verbose(false);
+							if (sb.length() == 0) {
+								sb.append("--help");
+							}
+							rv = aafcli.eval(sb.toString()) ? 0 : 1;
+						}
+						
+					} finally {
+						aafcli.close();
+		
+						// Don't close if No Reader, or it's a Reader of Standard In
+						if (rdr != null && !(rdr instanceof InputStreamReader)) {
+							rdr.close();
+						}
+					}
+				}
+				aafsso.writeFiles();
+			} finally {
+				aafsso.close();
+			}
+			
+		} catch (MessageException e) {
+			System.out.println("MessageException caught");
+
+			System.err.println(e.getMessage());
+		} catch (Throwable e) {
+			e.printStackTrace(System.err);
+		}
+		System.exit(rv);
+	}
+
+	public boolean isTest() {
+		return AAFcli.isTest;
+	}
+	
+	public boolean isDetailed() {
+		return AAFcli.showDetails;
+	}
+
+	public String typeString(Class<?> cls, boolean json) {
+		return "application/" + cls.getSimpleName() + "+" + (json ? "json" : "xml") + ";version=" + hman.apiVersion();
+	}
+
+	public String forceString() {
+		return force;
+	}
+
+	public boolean addRequest() {
+		return request;
+	}
+
+	public void clearSingleLineProperties() {
+		force  = null;
+		request = false;
+		showDetails = false;
+	}
+
+	public void gui(boolean b) {
+		gui  = b;
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/BaseCmd.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/BaseCmd.java
new file mode 100644
index 00000000..0bfefd21
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/BaseCmd.java
@@ -0,0 +1,68 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+
+public class BaseCmd<CMD extends Cmd> extends Cmd  {
+	protected List<Cmd> 	cmds;
+
+	public BaseCmd(AAFcli aafcli, String name, Param ... params) {
+		super(aafcli, null, name, params);
+		cmds = new ArrayList<Cmd>();
+	}
+	
+	public BaseCmd(CMD parent, String name, Param ... params) {
+		super(parent.aafcli, parent, name, params);
+		cmds = new ArrayList<Cmd>();
+	}
+
+	
+	@Override
+	public int _exec( int idx, final String ... args) throws CadiException, APIException, LocatorException {
+		if(args.length-idx<1) {
+			pw().println(build(new StringBuilder(),null).toString());
+		} else {
+			String s = args[idx];
+			String name;
+			Cmd empty = null;
+			for(Cmd c: cmds) {
+				name = c.getName();
+				if(name==null && empty==null) { // Mark with Command is null, and take the first one.  
+					empty = c;
+				} else if(s.equalsIgnoreCase(c.getName()))
+					return c.exec(idx+1, args);
+			}
+			if(empty!=null) {
+				return empty.exec(idx, args); // If name is null, don't account for it on command line.  Jonathan 4-29
+			}
+			pw().println("Instructions not understood.");
+		}
+		return 0;
+	}
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java
new file mode 100644
index 00000000..9ee321e7
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java
@@ -0,0 +1,541 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd;
+
+import java.io.PrintWriter;
+import java.io.StringReader;
+import java.sql.Date;
+import java.text.DateFormat;
+import java.text.SimpleDateFormat;
+import java.util.ArrayList;
+import java.util.Comparator;
+import java.util.GregorianCalendar;
+import java.util.List;
+import java.util.Stack;
+import java.util.concurrent.ConcurrentHashMap;
+
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.http.HMangr;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Data.TYPE;
+import org.onap.aaf.misc.env.util.Chrono;
+import org.onap.aaf.misc.rosetta.env.RosettaDF;
+
+import aaf.v2_0.Error;
+import aaf.v2_0.History;
+import aaf.v2_0.History.Item;
+import aaf.v2_0.Request;
+
+
+public abstract class Cmd {
+	private static final DateFormat dateFmt = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss:SSS");
+	protected static final String BLANK = "";
+	protected static final String COMMA = ","; // for use in splits
+
+	protected static final int lineLength = 80;
+
+	private final static String hformat = "%-23s %-5s %-20s %-35s\n";
+
+	public static final String STARTDATE = "startdate";
+	public static final String ENDDATE = "enddate";
+	
+	private String name;
+	private final Param[] params;
+	private int required;
+	protected final Cmd parent;
+	protected final List<Cmd> children;
+	private final static ConcurrentHashMap<Class<?>,RosettaDF<?>> dfs = new ConcurrentHashMap<Class<?>,RosettaDF<?>>();
+	public final AAFcli aafcli;
+	protected Access access;
+	private AuthzEnv env;
+	private final String defaultRealm;
+
+	public Cmd(AAFcli aafcli, String name, Param ... params) {
+		this(aafcli,null, name,params);
+	}
+
+	public Cmd(Cmd parent, String name, Param ... params) {
+		this(parent.aafcli,parent, name,params);
+	}
+
+	Cmd(AAFcli aafcli, Cmd parent, String name, Param ... params) {
+		this.parent = parent;
+		this.aafcli = aafcli;
+		this.env = aafcli.env;
+		this.access = aafcli.access;
+		if(parent!=null) {
+			parent.children.add(this);
+		}
+		children = new ArrayList<Cmd>();
+		this.params = params;
+		this.name = name;
+		required=0;
+		for(Param p : params) {
+			if(p.required) {
+				++required;
+			}
+		}
+		
+		String temp = access.getProperty(Config.AAF_DEFAULT_REALM,null);
+		if(temp!=null && !temp.startsWith("@")) {
+			defaultRealm = '@' + temp;
+		} else {
+			defaultRealm="<Set Default Realm>";
+		}
+	}
+	
+	public final int exec(int idx, String ... args) throws CadiException, APIException, LocatorException {
+		if(args.length-idx<required) {
+			throw new CadiException(build(new StringBuilder("Too few args: "),null).toString());
+		}
+		return _exec(idx,args);
+	}
+	
+	protected abstract int _exec(int idx, final String ... args) throws CadiException, APIException, LocatorException;
+	
+	public void detailedHelp(int indent,StringBuilder sb) {
+	}
+
+	protected void detailLine(StringBuilder sb, int length, String s) {
+		multiChar(sb,length,' ',0);
+		sb.append(s);
+	}
+
+	public void apis(int indent,StringBuilder sb) {
+	}
+
+	protected void api(StringBuilder sb, int indent, HttpMethods meth, String pathInfo, Class<?> cls,boolean head) {
+	    final String smeth = meth.name();
+		if(head) {
+			sb.append('\n');
+			detailLine(sb,indent,"APIs:");
+		}
+		indent+=2;
+		multiChar(sb,indent,' ',0);
+		sb.append(smeth);
+		sb.append(' ');
+		sb.append(pathInfo);
+		String cliString = aafcli.typeString(cls,true);
+		if(indent+smeth.length()+pathInfo.length()+cliString.length()+2>80) {
+			sb.append(" ...");
+			multiChar(sb,indent+3+smeth.length(),' ',0);
+		} else { // same line
+			sb.append(' ');
+		}
+		sb.append(cliString);
+	}
+
+	protected void multiChar(StringBuilder sb, int length, char c, int indent) {
+		sb.append('\n');
+		for(int i=0;i<indent;++i)sb.append(' ');
+		for(int i=indent;i<length;++i)sb.append(c);
+	}
+
+	public StringBuilder build(StringBuilder sb, StringBuilder detail) {
+		if(name!=null) {
+			sb.append(name);
+			sb.append(' ');
+		}
+		int line = sb.lastIndexOf("\n")+1;
+		if(line<0) {
+			line=0;
+		}
+		int indent = sb.length()-line;
+		for(Param p : params) {
+			sb.append(p.required?'<':'[');
+			sb.append(p.tag);
+			sb.append(p.required?"> ": "] ");
+		}
+		
+		boolean first = true;
+		for(Cmd child : children) {
+			if(!(child instanceof DeprecatedCMD)) {
+				if(first) {
+					first = false;
+				} else if(detail==null) {
+					multiChar(sb,indent,' ',0);
+				} else {
+					// Write parents for Detailed Report
+					Stack<String> stack = new Stack<String>();
+					for(Cmd c = child.parent;c!=null;c=c.parent) {
+						if(c.name!=null) {
+							stack.push(c.name);
+						}
+					}
+					if(!stack.isEmpty()) {
+						sb.append("  ");
+						while(!stack.isEmpty()) {
+							sb.append(stack.pop());
+							sb.append(' ');
+						}
+					}
+				}
+				child.build(sb,detail);
+				if(detail!=null) {
+					child.detailedHelp(4, detail);
+					// If Child wrote something, then add, bracketing by lines
+					if(detail.length()>0) {
+						multiChar(sb,80,'-',2);
+						sb.append(detail);
+						sb.append('\n');
+						multiChar(sb,80,'-',2);
+						sb.append('\n');
+						detail.setLength(0); // reuse
+					} else {
+						sb.append('\n');
+					}
+				}
+			}
+		}
+		return sb;
+	}
+	
+	protected void error(Future<?> future) {
+		StringBuilder sb = new StringBuilder("Failed");
+		String desc = future.body();
+		int code = future.code();
+		if(desc==null || desc.length()==0) {
+			withCode(sb,code);
+		} else if(desc.startsWith("{")) {
+			StringReader sr = new StringReader(desc);
+			try {
+				// Note: 11-18-2013, JG1555.  This rather convoluted Message Structure required by TSS Restful Specs, reflecting "Northbound" practices.
+				Error err = getDF(Error.class).newData().in(TYPE.JSON).load(sr).asObject();
+				sb.append(" [");
+				sb.append(err.getMessageId());
+				sb.append("]: ");
+				String messageBody = err.getText();
+				List<String> vars = err.getVariables();
+				int pipe;
+				for (int varCounter=0;varCounter<vars.size();) {
+					String var = vars.get(varCounter);
+					++varCounter;
+					if (messageBody.indexOf("%" + varCounter) >= 0) {
+						if((pipe = var.indexOf('|'))>=0) {  // In AAF, we use a PIPE for Choice
+							if (aafcli.isTest()) {
+								String expiresStr = var.substring(pipe);
+								var = var.replace(expiresStr, "[Placeholder]");
+							} else {
+								StringBuilder varsb = new StringBuilder(var);
+								varsb.deleteCharAt(pipe);
+								var = varsb.toString();
+							}
+							messageBody = messageBody.replace("%" + varCounter, varCounter-1 + ") " + var);
+						} else {
+							messageBody = messageBody.replace("%" + varCounter, var);
+						}
+					}
+				}
+				sb.append(messageBody);
+			} catch (Exception e) {
+				withCode(sb,code);
+				sb.append(" (Note: Details cannot be obtained from Error Structure)");
+			}
+		} else if(desc.startsWith("<html>")){ // Core Jetty, etc sends HTML for Browsers
+			withCode(sb,code);
+		} else {
+			sb.append(" with code ");
+			sb.append(code);
+			sb.append(", ");
+			sb.append(desc);
+		}
+		pw().println(sb);
+	}
+
+	
+	private void withCode(StringBuilder sb, Integer code) {
+		sb.append(" with code ");
+		sb.append(code);
+		switch(code) {
+			case 401:
+				sb.append(" (HTTP Not Authenticated)");
+				break;
+			case 403:
+				sb.append(" (HTTP Forbidden)");
+				break;
+			case 404:
+				sb.append(" (HTTP Not Found)");
+				break;
+			default:
+		}
+	}
+
+	/**
+	 * Consistently set start and end dates from Requests (all derived from Request)
+	 * @param req
+	 */
+	protected void setStartEnd(Request req) {
+		// Set Start/End Dates, if exist
+		String str;
+		if((str = access.getProperty(Cmd.STARTDATE,null))!=null) {
+			req.setStart(Chrono.timeStamp(Date.valueOf(str)));
+		}
+		
+		if((str = access.getProperty(Cmd.ENDDATE,null))!=null) {
+			req.setEnd(Chrono.timeStamp(Date.valueOf(str)));
+		}
+	}
+
+	/**
+	 * For Derived classes, who have ENV in this parent
+	 * 
+	 * @param cls
+	 * @return
+	 * @throws APIException
+	 */
+	protected <T> RosettaDF<T> getDF(Class<T> cls) throws APIException {
+		return getDF(env,cls);
+	}
+
+	/**
+	 * This works well, making available for GUI, etc.
+	 * @param env
+	 * @param cls
+	 * @return
+	 * @throws APIException
+	 */
+	@SuppressWarnings("unchecked")
+	public static <T> RosettaDF<T> getDF(AuthzEnv env, Class<T> cls) throws APIException {
+		RosettaDF<T> rdf = (RosettaDF<T>)dfs.get(cls);
+		if(rdf == null) {
+			rdf = env.newDataFactory(cls);
+			dfs.put(cls, rdf);
+		}
+		return rdf;
+	}
+
+	public void activity(History history, String header) {
+		if (history.getItem().isEmpty()) {
+			int start = header.indexOf('[');
+			if (start >= 0) {
+				pw().println("No Activity Found for " + header.substring(start));
+			}
+		} else {
+			pw().println(header);
+			for(int i=0;i<lineLength;++i)pw().print('-');
+			pw().println();
+								
+			pw().format(hformat,"Date","Table","User","Memo");
+			for(int i=0;i<lineLength;++i)pw().print('-');
+			pw().println();
+	
+			// Save Server time by Sorting locally
+			List<Item> items = history.getItem();
+			java.util.Collections.sort(items, new Comparator<Item>() {
+				@Override
+				public int compare(Item o1, Item o2) {
+					return o2.getTimestamp().compare(o1.getTimestamp());
+				}
+			});
+			
+			for(History.Item item : items) {
+				GregorianCalendar gc = item.getTimestamp().toGregorianCalendar();
+				pw().format(hformat,
+					dateFmt.format(gc.getTime()),
+					item.getTarget(),
+					item.getUser(),
+					item.getMemo());
+			}
+		}
+	}
+	
+	/**
+	 * Turn String Array into a | delimited String
+	 * @param options
+	 * @return
+	 */
+	public static String optionsToString(String[] options) {
+		StringBuilder sb = new StringBuilder();
+		boolean first = true;
+		for(String s : options) {
+			if(first) {
+				first = false;
+			} else {
+				sb.append('|');
+			}
+			sb.append(s);
+		}
+		return sb.toString();
+	}
+	
+	/**
+	 * return which index number the Option matches.
+	 * 
+	 * throws an Exception if not part of this Option Set
+	 * 
+	 * @param options
+	 * @param test
+	 * @return
+	 * @throws Exception
+	 */
+	public int whichOption(String[] options, String test) throws CadiException {
+		for(int i=0;i<options.length;++i) {
+			if(options[i].equals(test)) {
+				return i;
+			}
+		}
+		throw new CadiException(build(new StringBuilder("Invalid Option: "),null).toString());
+	}
+
+//	protected RosettaEnv env() {
+//		return aafcli.env;
+//	}
+
+	protected HMangr hman() {
+		return aafcli.hman;
+	}
+
+	public<RET> RET same(Retryable<RET> retryable) throws APIException, CadiException, LocatorException {
+		// We're storing in AAFCli, because we know it's always the same, and single threaded
+		if(aafcli.prevCall!=null) {
+			retryable.item(aafcli.prevCall.item());
+			retryable.lastClient=aafcli.prevCall.lastClient;
+		}
+		
+		RET ret = aafcli.hman.same(aafcli.ss,retryable);
+		
+		// Store last call in AAFcli, because Cmds are all different instances.
+		aafcli.prevCall = retryable;
+		return ret;
+	}
+
+	public<RET> RET all(Retryable<RET> retryable) throws APIException, CadiException, LocatorException {
+		this.setQueryParamsOn(retryable.lastClient);
+		return aafcli.hman.all(aafcli.ss,retryable);
+	}
+
+	public<RET> RET oneOf(Retryable<RET> retryable,String host) throws APIException, CadiException, LocatorException {
+		this.setQueryParamsOn(retryable.lastClient);
+		return aafcli.hman.oneOf(aafcli.ss,retryable,true,host);
+	}
+
+	protected PrintWriter pw() {
+		return AAFcli.pw;
+	}
+
+	public String getName() {
+		return name;
+	}
+	
+	public void reportHead(String ... str) {
+		pw().println();
+		boolean first = true;
+		int i=0;
+		for(String s : str) {
+			if(first) {
+				if(++i>1) {
+					first = false;
+					pw().print("[");
+				}
+			} else {
+				pw().print("] [");
+			}
+			pw().print(s);
+		}
+		if(!first) {
+			pw().print(']');
+		}
+		pw().println();
+		reportLine();
+	}
+	
+	public String reportColHead(String format, String ...  args) {
+		pw().format(format,(Object[])args);
+		reportLine();
+		return format;
+	}
+
+	public void reportLine() {
+		for(int i=0;i<lineLength;++i)pw().print('-');
+		pw().println();
+	}
+	
+	protected void setQueryParamsOn(Rcli<?> rcli) {
+		StringBuilder sb=null;
+		String force;
+		if((force=aafcli.forceString())!=null) {
+			sb = new StringBuilder("force=");
+			sb.append(force);
+		}
+		if(aafcli.addRequest()) {
+			if(sb==null) {
+				sb = new StringBuilder("future=true");
+			} else {
+				sb.append("&future=true");
+			}
+		}
+		if(sb!=null && rcli!=null) {
+			rcli.setQueryParams(sb.toString());
+		}
+	}
+//
+//	/**
+//	 * If Force is set, will return True once only, then revert to "FALSE".
+//	 *  
+//	 * @return
+//	 */
+//	protected String checkForce() {
+//		if(TRUE.equalsIgnoreCase(env.getProperty(FORCE, FALSE))) {
+//			env.setProperty(FORCE, FALSE);
+//			return "true";
+//		}
+//		return FALSE;
+//	}
+
+	public String toString() {
+		StringBuilder sb = new StringBuilder();
+		if(parent==null) { // ultimate parent
+			build(sb,null);
+			return sb.toString();
+		} else {
+			return parent.toString();
+		}
+	}
+	
+//	private String getOrgRealm() {
+//		return ;
+//	}
+//	
+	/**
+	 * Appends shortID with Realm, but only when allowed by Organization
+	 * @throws OrganizationException 
+	 */
+	public String fullID(String id) {
+		if(id != null) {
+			if (id.indexOf('@') < 0) {
+				id+=defaultRealm;
+			} else {
+				return id; // is already a full ID
+			}
+		}
+		return id;
+	}
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/DeprecatedCMD.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/DeprecatedCMD.java
new file mode 100644
index 00000000..b13c7333
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/DeprecatedCMD.java
@@ -0,0 +1,53 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd;
+
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+
+/**
+ * Use this class to deprecate methods and features, by pointing to the new
+ * usages.
+ * 
+ * These commands will not show up in Help
+ * @author Jonathan
+ *
+ * @param <X>
+ */
+public class DeprecatedCMD<X extends Cmd> extends BaseCmd<X> {
+	private String text;
+
+	@SuppressWarnings("unchecked")
+	public DeprecatedCMD(Cmd cmd, String name, String text) {
+		super((X)cmd,name);
+		this.text = text;
+	}
+
+	@Override
+	public int _exec(int _idx, final String ... args) throws CadiException, APIException, LocatorException {
+		pw().println(text);
+		return _idx;
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Help.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Help.java
new file mode 100644
index 00000000..ca10915d
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Help.java
@@ -0,0 +1,118 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd;
+
+import java.util.List;
+
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+public class Help extends Cmd {
+	private List<Cmd> cmds;
+
+	public Help(AAFcli aafcli, List<Cmd> cmds) {
+		super(aafcli, "--help", 
+			new Param("-d (more details)", false),
+			new Param("command",false));
+		this.cmds = cmds;
+	}
+
+	@Override
+	public int _exec( int _idx, final String ... args) throws CadiException, APIException, LocatorException {
+	        int idx = _idx;
+		boolean first = true;
+		StringBuilder sb = new StringBuilder("AAF Command Line Tool");
+		StringBuilder details;
+		multiChar(sb, 21, '-',0);
+		sb.append("\n  SingleLine Commands");
+		multiChar(sb, 21, '-',2);
+		sb.append("\n    force   - add to regular commands to override depency checks");
+		sb.append("\n    details - add to role list or perm list commands for rich format");
+		multiChar(sb, 48, '-',2);
+		// if details !=null, then extra details are written to it.
+		details = aafcli.isDetailed()?new StringBuilder():null;
+
+		String comp = args.length>idx?args[idx++]:null;
+		if("help".equalsIgnoreCase(comp)) {
+			build(sb,null);
+			detailedHelp(4, sb);
+			sb.append('\n');
+		} else {
+		    for(Cmd c : cmds) {
+		    	if(!(c instanceof DeprecatedCMD)) {
+			    	if(comp!=null) {
+			    		if(comp.equals(c.getName())) {
+			    			multiChar(sb,2,' ',0);
+			    			c.build(sb,details);
+			    		}
+			    	} else {
+			    		if(first) {
+			    			first=false;
+			    		} else {
+			    			multiChar(sb,80,'-',2);
+			    		}
+			    		multiChar(sb,2,' ',0);
+			    		c.build(sb,details);
+			    		if(details!=null) {
+			    			c.detailedHelp(4, sb);
+	//					multiChar(sb,80,'-',2);
+			    		}
+			    	}
+		    	}
+		    }
+		}
+		pw().println(sb.toString());
+		return 200 /*HttpStatus.OK_200*/;
+	}
+	
+	@Override
+	public void detailedHelp(int _indent, StringBuilder sb) {
+	        int indent = _indent;
+		detailLine(sb,indent,"To print main help, enter \"aafcli\" or \"aafcli --help \"");
+		detailLine(sb,indent,"To print narrow the help content, enter sub-entries after aafcli,");
+		detailLine(sb,indent+2,"i.e. \"aafcli perm\"");
+		detailLine(sb,indent,"To see version of AAF CLI, enter \"aafcli --version \"");
+		sb.append('\n');
+		detailLine(sb,indent,"State Commands: change variables or credentials between calls.");
+		indent+=4;
+		detailLine(sb,indent,"set <tag>=<value>   - Set any System Property to a new value");
+		detailLine(sb,indent,"as <id:password>    - Change Credentials.  Password may be encrypted");
+		detailLine(sb,indent,"expect <int> [int]* - In test mode, check for proper HTTP Status Codes");
+		detailLine(sb,indent,"sleep <int>         - Wait for <int> seconds");
+		detailLine(sb,indent,"force         	  - force deletions that have relationships");
+		detailLine(sb,indent,"details         	  - cause list commands (role, perm) to print rich format");
+		detailLine(sb,indent,"		         	  - In GUI CmdLine, use HourGlass option (top right)");
+		sb.append('\n');
+		detailLine(sb,indent-4,"CmdLine Arguments: change behavior of the aafcli program");
+		detailLine(sb,indent,"-i - Read commands from Shell Standard Input");
+		detailLine(sb,indent,"-f - Read commands from a file");
+		detailLine(sb,indent,"-r - Clear Command Line SSO credential");
+		detailLine(sb,indent,"-a - In test mode, do not stop execution on unexpected error");
+		detailLine(sb,indent,"-t - Test Mode will not print variable fields that could break tc runs");
+		detailLine(sb,indent+6,"such as expiration dates of a credential");
+		detailLine(sb,indent,"-s - Request specific Start Date (not immediately)");
+		detailLine(sb,indent+6,"Format YYYY-MM-DD.  Can also be set with \"set " + Cmd.STARTDATE + "=<value>\"");
+		detailLine(sb,indent,"-e - Set Expiration/End Date, where commands support");
+		detailLine(sb,indent+6,"Format YYYY-MM-DD.  Can also be set with \"set " + Cmd.ENDDATE + "=<value>\"");
+	}
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/MessageException.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/MessageException.java
new file mode 100644
index 00000000..3ed81222
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/MessageException.java
@@ -0,0 +1,46 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+/**
+ * 
+ */
+package org.onap.aaf.auth.cmd;
+
+/**
+ * An Exception designed simply to give End User message, no stack trace
+ * 
+ * @author Jonathan
+ *
+ */
+public class MessageException extends Exception {
+	/**
+	 * 
+	 */
+	private static final long serialVersionUID = 8143933588878259048L;
+
+	/**
+	 * @param Message
+	 */
+	public MessageException(String msg) {
+		super(msg);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Param.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Param.java
new file mode 100644
index 00000000..0d79df0a
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Param.java
@@ -0,0 +1,37 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd;
+
+public class Param {
+	public final String tag;
+	public final boolean required;
+	
+	/**
+	 * 
+	 * @param t
+	 * @param b
+	 */
+	public Param(String t, boolean required) {
+		tag = t;
+		this.required=required;
+	}
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Version.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Version.java
new file mode 100644
index 00000000..316c5334
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Version.java
@@ -0,0 +1,43 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd;
+
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.misc.env.APIException;
+
+public class Version extends Cmd {
+
+
+	public Version(AAFcli aafcli) {
+		super(aafcli, "--version");
+	}
+
+	@Override
+	protected int _exec(int idx, String... args) throws CadiException, APIException, LocatorException {
+		pw().println("AAF Command Line Tool");
+		String version = access.getProperty(Config.AAF_DEFAULT_VERSION, "2.0");
+		pw().println("Version: " + version);
+		return 200 /*HttpStatus.OK_200;*/;
+	}
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/mgmt/Cache.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/mgmt/Cache.java
new file mode 100644
index 00000000..cd153537
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/mgmt/Cache.java
@@ -0,0 +1,32 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.mgmt;
+
+import org.onap.aaf.auth.cmd.BaseCmd;
+import org.onap.aaf.misc.env.APIException;
+
+public class Cache extends BaseCmd<Mgmt> {
+	public Cache(Mgmt mgmt) throws APIException {
+		super(mgmt, "cache");
+		cmds.add(new Clear(this));
+	}
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/mgmt/Clear.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/mgmt/Clear.java
new file mode 100644
index 00000000..a18c1c48
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/mgmt/Clear.java
@@ -0,0 +1,85 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.mgmt;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.common.Define;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+/**
+ *
+ * @author Jonathan
+ *
+ */
+public class Clear extends Cmd {
+	public Clear(Cache parent) {
+		super(parent,"clear",
+				new Param("name[,name]*",true));
+	}
+
+	@Override
+	public int _exec(int _idx, String ... args) throws CadiException, APIException, LocatorException {
+	    int idx = _idx;
+		int rv=409;
+		for(final String name : args[idx++].split(COMMA)) {
+			rv = all(new Retryable<Integer>() {
+				@Override
+				public Integer code(Rcli<?> client) throws APIException, CadiException {
+					int rv = 409;
+					Future<Void> fp = client.delete(
+							"/mgmt/cache/"+name, 
+							Void.class
+							);
+					if(fp.get(AAFcli.timeout())) {
+						pw().println("Cleared Cache for " + name + " on " + client);
+						rv=200;
+					} else {
+						if(rv==409)rv = fp.code();
+						error(fp);
+					}
+					return rv;
+				}
+			});
+		}
+		return rv;
+	}
+
+	@Override
+	public void detailedHelp(int _indent, StringBuilder sb) {
+	        int indent = _indent;
+		detailLine(sb,indent,"Clear the cache for certain tables");
+		indent+=2;
+		detailLine(sb,indent,"name        - name of table or 'all'");
+		detailLine(sb,indent+14,"Must have admin rights to '" + Define.ROOT_NS() + '\'');
+		indent-=2;
+		api(sb,indent,HttpMethods.DELETE,"mgmt/cache/:name",Void.class,true);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/mgmt/Deny.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/mgmt/Deny.java
new file mode 100644
index 00000000..b8fc4a23
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/mgmt/Deny.java
@@ -0,0 +1,101 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.mgmt;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.BaseCmd;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.misc.env.APIException;
+
+public class Deny extends BaseCmd<Mgmt> {
+	private final static String[] options = {"add","del"};
+
+	public Deny(Mgmt mgmt) throws APIException {
+		super(mgmt, "deny");
+		cmds.add(new DenySomething(this,"ip","ipv4or6[,ipv4or6]*"));
+		cmds.add(new DenySomething(this,"id","identity[,identity]*"));
+	}
+	
+	public class DenySomething extends Cmd {
+
+		private boolean isID;
+
+		public DenySomething(Deny deny, String type, String repeatable) {
+			super(deny, type,
+				new Param(optionsToString(options),true),
+				new Param(repeatable,true));
+			isID = "id".equals(type);
+		}
+
+		@Override
+		protected int _exec(int _idx, String... args) throws CadiException, APIException, LocatorException {
+		        int idx = _idx;
+			String action = args[idx++];
+			final int option = whichOption(options, action);
+			int rv=409;
+			for(final String name : args[idx++].split(COMMA)) {
+				final String append;
+				if(isID && name.indexOf("@")<0) {
+					append='@'+ access.getProperty(Config.AAF_DEFAULT_REALM,null);
+				} else {
+					append = "";
+				}
+				final String path = "/mgmt/deny/"+getName() + '/'+ name + append;
+				rv = all(new Retryable<Integer>() {
+					@Override
+					public Integer code(Rcli<?> client) throws APIException, CadiException  {
+						int rv = 409;
+						Future<Void> fp;
+						String resp;
+						switch(option) {
+							case 0: 
+								fp = client.create(path, Void.class);
+								resp = " added";
+								break;
+							default: 
+								fp = client.delete(path, Void.class);
+								resp = " deleted";
+						}
+						if(fp.get(AAFcli.timeout())) {
+							pw().println(name + append + resp + " on " + client);
+							rv=fp.code();
+						} else {
+							if(rv==409)rv = fp.code();
+							error(fp);
+						}
+						return rv;
+					}
+				});
+			}
+			return rv;
+		}
+
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/mgmt/Log.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/mgmt/Log.java
new file mode 100644
index 00000000..80ad8a46
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/mgmt/Log.java
@@ -0,0 +1,108 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.mgmt;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.BaseCmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.common.Define;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.misc.env.APIException;
+
+public class Log extends BaseCmd<Mgmt> {
+	private final static String[] options = {"add","del"};
+
+	public Log(Mgmt mgmt) throws APIException {
+		super(mgmt, "log",
+				new Param(optionsToString(options),true),
+				new Param("id[,id]*",true));
+	}
+	
+	@Override
+	public int _exec(int _idx, String ... args) throws CadiException, APIException, LocatorException {
+		int rv=409;
+		int idx = _idx;
+		final int option = whichOption(options, args[idx++]);
+
+		for(String name : args[idx++].split(COMMA)) {
+			final String fname;
+			if(name.indexOf("@")<0) {
+				fname=name+'@'+ access.getProperty(Config.AAF_DEFAULT_REALM,null);
+			} else {
+				fname = name;
+			}
+			
+			rv = all(new Retryable<Integer>() {
+				@Override
+				public Integer code(Rcli<?> client) throws APIException, CadiException {
+					int rv = 409;
+					Future<Void> fp;
+					String str = "/mgmt/log/id/"+fname;
+					String msg;
+					switch(option) {
+						case 0:	
+							fp = client.create(str,Void.class);
+							msg = "Added";
+							break;
+						case 1:
+							fp = client.delete(str,Void.class);
+							msg = "Deleted";
+							break;
+						default:
+							fp = null;
+							msg = "Ignored";
+					}
+							
+					if(fp!=null) {
+						if(fp.get(AAFcli.timeout())) {
+							pw().println(msg + " Special Log for " + fname + " on " + client);
+							rv=200;
+						} else {
+							if(rv==409)rv = fp.code();
+							error(fp);
+						}
+						return rv;
+					}
+					return rv;
+				}
+			});
+		}
+		return rv;
+	}
+
+	@Override
+	public void detailedHelp(int _indent, StringBuilder sb) {
+	        int indent = _indent;
+		detailLine(sb,indent,"Clear the cache for certain tables");
+		indent+=2;
+		detailLine(sb,indent,"name        - name of table or 'all'");
+		detailLine(sb,indent+14,"Must have admin rights to '" + Define.ROOT_NS() + '\'');
+		indent-=2;
+		api(sb,indent,HttpMethods.DELETE,"mgmt/cache/:name",Void.class,true);
+	}
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/mgmt/Mgmt.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/mgmt/Mgmt.java
new file mode 100644
index 00000000..6b5e2d66
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/mgmt/Mgmt.java
@@ -0,0 +1,36 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.mgmt;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.BaseCmd;
+import org.onap.aaf.misc.env.APIException;
+
+public class Mgmt extends BaseCmd<Mgmt> {
+	public Mgmt(AAFcli aafcli) throws APIException {
+		super(aafcli, "mgmt");
+		cmds.add(new Cache(this));
+		cmds.add(new Deny(this));
+		cmds.add(new Log(this));
+		cmds.add(new Session(this));
+	}
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/mgmt/SessClear.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/mgmt/SessClear.java
new file mode 100644
index 00000000..cfd2fa8d
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/mgmt/SessClear.java
@@ -0,0 +1,83 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.mgmt;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.common.Define;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+/**
+ * p
+ * @author Jonathan
+ *
+ */
+public class SessClear extends Cmd {
+	public SessClear(Session parent) {
+		super(parent,"clear",
+				new Param("machine",true));
+	}
+
+	@Override
+	public int _exec(int idx, String ... args) throws CadiException, APIException, LocatorException {
+		int rv=409;
+		String machine = args[idx++];
+		rv = oneOf(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws APIException, CadiException {
+				int rv = 409;
+				Future<Void> fp = client.delete(
+						"/mgmt/dbsession", 
+						Void.class
+						);
+				if(fp.get(AAFcli.timeout())) {
+					pw().println("Cleared DBSession on " + client);
+					rv=200;
+				} else {
+					if(rv==409)rv = fp.code();
+					error(fp);
+				}
+				return rv;
+			}
+		},machine);
+		return rv;
+	}
+
+	@Override
+	public void detailedHelp(int _indent, StringBuilder sb) {
+	        int indent = _indent;
+		detailLine(sb,indent,"Clear the cache for certain tables");
+		indent+=2;
+		detailLine(sb,indent,"name        - name of table or 'all'");
+		detailLine(sb,indent+14,"Must have admin rights to " + Define.ROOT_NS() + '\'');
+		indent-=2;
+		api(sb,indent,HttpMethods.DELETE,"mgmt/cache/:name",Void.class,true);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/mgmt/Session.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/mgmt/Session.java
new file mode 100644
index 00000000..5929caea
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/mgmt/Session.java
@@ -0,0 +1,32 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.mgmt;
+
+import org.onap.aaf.auth.cmd.BaseCmd;
+import org.onap.aaf.misc.env.APIException;
+
+public class Session extends BaseCmd<Mgmt> {
+	public Session(Mgmt mgmt) throws APIException {
+		super(mgmt, "dbsession");
+		cmds.add(new SessClear(this));
+	}
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/Admin.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/Admin.java
new file mode 100644
index 00000000..363c7482
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/Admin.java
@@ -0,0 +1,103 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.ns;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.BaseCmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+public class Admin extends BaseCmd<NS> {
+	private final static String[] options = {"add","del"};
+
+	public Admin(NS ns) throws APIException {
+		super(ns,"admin",
+				new Param(optionsToString(options),true),
+				new Param("ns-name",true),
+				new Param("id[,id]*",true)
+		);
+	}
+
+	@Override
+	public int _exec(int _idx, final String ... args) throws CadiException, APIException, LocatorException {
+	    	int idx = _idx;
+		final int option = whichOption(options, args[idx++]);
+		final String ns = args[idx++];
+		final String ids[] = args[idx++].split(",");
+
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {	
+				Future<Void> fp = null;
+				for(String id : ids) {
+					id = fullID(id);
+					String verb;
+					switch(option) {
+						case 0: 
+							fp = client.create("/authz/ns/"+ns+"/admin/"+id,Void.class);
+							verb = " added to ";
+							break;
+						case 1: 
+							fp = client.delete("/authz/ns/"+ns+"/admin/"+id,Void.class);
+							verb = " deleted from ";
+							break;
+						default:
+							throw new CadiException("Bad Argument");
+					};
+				
+					if(fp.get(AAFcli.timeout())) {
+						pw().append("Admin ");
+						pw().append(id);
+						pw().append(verb);
+						pw().println(ns);
+					} else {
+						error(fp);
+						return fp.code();
+					}
+					
+				}
+				return fp==null?500:fp.code();
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int _indent, StringBuilder sb) {
+	    	int indent = _indent;
+		detailLine(sb,indent,"Add or Delete Administrator to/from Namespace");
+		indent+=4;
+		detailLine(sb,indent,"name - Name of Namespace");
+		detailLine(sb,indent,"id   - Credential of Person(s) to be Administrator");
+		sb.append('\n');
+		detailLine(sb,indent,"aafcli will call API on each ID presented.");
+		indent-=4;
+		api(sb,indent,HttpMethods.POST,"authz/ns/<ns>/admin/<id>",Void.class,true);
+		api(sb,indent,HttpMethods.DELETE,"authz/ns/<ns>/admin/<id>",Void.class,false);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/Attrib.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/Attrib.java
new file mode 100644
index 00000000..cc0d2586
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/Attrib.java
@@ -0,0 +1,113 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.ns;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.BaseCmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+public class Attrib extends BaseCmd<NS> {
+	private final static String[] options = {"add","upd","del"};
+
+	public Attrib(NS ns) throws APIException {
+		super(ns,"attrib",
+				new Param(optionsToString(options),true),
+				new Param("ns-name",true),
+				new Param("key",true),
+				new Param("value",false)
+		);
+	}
+
+	@Override
+	public int _exec(final int idx, final String ... args) throws CadiException, APIException, LocatorException {
+		final int option = whichOption(options, args[idx]);
+		final String ns = args[idx+1];
+		final String key = args[idx+2];
+		final String value;
+		if(option!=2) {
+			if(args.length<=idx+3) {
+				throw new CadiException("Not added: Need more Data");
+			}
+			value = args[idx+3];
+		} else {
+			value = "";
+		}
+		
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {	
+				Future<Void> fp = null;
+				String message;
+				switch(option) {
+					case 0: 
+						fp = client.create("/authz/ns/"+ns+"/attrib/"+key+'/'+value,Void.class);
+						message = String.format("Add Attrib %s=%s to %s",
+								key,value,ns);
+						break;
+					case 1: 
+						fp = client.update("/authz/ns/"+ns+"/attrib/"+key+'/'+value);
+						message = String.format("Update Attrib %s=%s for %s",
+								key,value,ns);
+						break;
+					case 2: 
+						fp = client.delete("/authz/ns/"+ns+"/attrib/"+key,Void.class);
+						message = String.format("Attrib %s deleted from %s",
+								key,ns);
+						break;
+					default:
+						throw new CadiException("Bad Argument");
+				};
+			
+				if(fp.get(AAFcli.timeout())) {
+					pw().println(message);
+				} else {
+					error(fp);
+					return fp.code();
+				}
+					
+				return fp==null?500:fp.code();
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int _indent, StringBuilder sb) {
+	    	int indent = _indent;
+		detailLine(sb,indent,"Add or Delete Administrator to/from Namespace");
+		indent+=4;
+		detailLine(sb,indent,"name - Name of Namespace");
+		detailLine(sb,indent,"id   - Credential of Person(s) to be Administrator");
+		sb.append('\n');
+		detailLine(sb,indent,"aafcli will call API on each ID presented.");
+		indent-=4;
+		api(sb,indent,HttpMethods.POST,"authz/ns/<ns>/admin/<id>",Void.class,true);
+		api(sb,indent,HttpMethods.DELETE,"authz/ns/<ns>/admin/<id>",Void.class,false);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/Create.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/Create.java
new file mode 100644
index 00000000..a62d5531
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/Create.java
@@ -0,0 +1,123 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.ns;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.NsRequest;
+
+/**
+ * @author Jonathan
+ *
+ */
+public class Create extends Cmd {
+	private static final String COMMA = ",";
+
+	public Create(NS parent) {
+		super(parent,"create", 
+				new Param("ns-name",true),
+				new Param("owner (id[,id]*)",true), 
+				new Param("admin (id[,id]*)",false));
+	}
+
+	@Override
+	public int _exec(int _idx, final String ... args) throws CadiException, APIException, LocatorException {
+	    	int idx = _idx;
+
+		final NsRequest nr = new NsRequest();
+		
+		nr.setName(args[idx++]);
+		String[] responsible = args[idx++].split(COMMA);
+		for(String s : responsible) {
+			nr.getResponsible().add(fullID(s));
+		}
+		String[] admin;
+		if(args.length>idx) {
+			admin = args[idx++].split(COMMA);
+		} else {
+			admin = responsible;
+		}
+		for(String s : admin) {
+			nr.getAdmin().add(fullID(s));
+		}
+		
+		// Set Start/End commands
+		setStartEnd(nr);
+		
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				// Requestable
+				setQueryParamsOn(client);
+				Future<NsRequest> fp = client.create(
+						"/authz/ns", 
+						getDF(NsRequest.class),
+						nr
+						);
+				if(fp.get(AAFcli.timeout())) {
+					pw().println("Created Namespace");
+				} else {
+					if(fp.code()==202) {
+						pw().println("Namespace Creation Accepted, but requires Approvals before actualizing");
+					} else {
+						error(fp);
+					}
+				}
+				return fp.code();
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int _indent, StringBuilder sb) {
+	    	int indent = _indent;
+		detailLine(sb,indent,"Create a Namespace");
+		indent+=2;
+		detailLine(sb,indent,"name        - Namespaces are dot-delimited, ex com.att.myapp");
+		detailLine(sb,indent+14,"and must be created with parent credentials.");
+		detailLine(sb,indent+14,"Ex: to create com.att.myapp, you must be admin for com.att");
+		detailLine(sb,indent+14,"or com");
+		detailLine(sb,indent,"owner       - This is the person(s) who is responsible for the ");
+		detailLine(sb,indent+14,"app. These person or persons receive Notifications and");
+		detailLine(sb,indent+14,"approves Requests regarding this Namespace. Companies have");
+		detailLine(sb,indent+14,"Policies as to who may take on this responsibility");
+		detailLine(sb,indent,"admin       - These are the people who are allowed to make changes on");
+		detailLine(sb,indent+14,"the Namespace, including creating Roles, Permissions");
+		detailLine(sb,indent+14,"and Credentials");
+		sb.append('\n');
+		detailLine(sb,indent,"Namespaces can be created even though there are Roles/Permissions which");
+		detailLine(sb,indent,"start with the requested sub-namespace.  They are reassigned to the");
+		detailLine(sb,indent,"Child Namespace");
+		indent-=2;
+		api(sb,indent,HttpMethods.POST,"authz/ns",NsRequest.class,true);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/Delete.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/Delete.java
new file mode 100644
index 00000000..19915f4e
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/Delete.java
@@ -0,0 +1,89 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.ns;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+/**
+ * p
+ * @author Jonathan
+ *
+ */
+public class Delete extends Cmd {
+	public Delete(NS parent) {
+		super(parent,"delete", 
+				new Param("ns-name",true)); 
+	}
+
+	@Override
+	public int _exec(final int idx, final String ... args) throws CadiException, APIException, LocatorException {
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				int index = idx;
+				StringBuilder path = new StringBuilder("/authz/ns/");
+				path.append(args[index++]);
+				
+				// Send "Force" if set
+				setQueryParamsOn(client);
+				Future<Void> fp = client.delete(path.toString(),Void.class);
+				
+				if(fp.get(AAFcli.timeout())) {
+					pw().println("Deleted Namespace");
+				} else {
+					error(fp);
+				}
+				return fp.code();
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int _indent, StringBuilder sb) {
+	        int indent = _indent;
+		detailLine(sb,indent,"Delete a Namespace");
+		indent+=4;
+		detailLine(sb,indent,"Namespaces cannot normally be deleted when there are still credentials,");
+		detailLine(sb,indent,"permissions or roles associated with them. These can be deleted");
+		detailLine(sb,indent,"automatically by setting \"force\" property.");
+		detailLine(sb,indent,"i.e. set force=true or just starting with \"force\"");
+		detailLine(sb,indent," (note force is unset after first use)");
+		sb.append('\n');
+		detailLine(sb,indent,"If \"set force=move\" is set, credentials are deleted, but ");
+		detailLine(sb,indent,"Permissions and Roles are assigned to the Parent Namespace instead of");
+		detailLine(sb,indent,"being deleted.  Similarly, Namespaces can be created even though there");
+		detailLine(sb,indent,"are Roles/Perms whose type starts with the requested sub-namespace.");
+		detailLine(sb,indent,"They are simply reassigned to the Child Namespace");
+		indent-=4;
+		api(sb,indent,HttpMethods.DELETE,"authz/ns/<ns>[?force=true]",Void.class,true);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/Describe.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/Describe.java
new file mode 100644
index 00000000..af40ff99
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/Describe.java
@@ -0,0 +1,94 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.ns;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.NsRequest;
+
+public class Describe extends Cmd {
+	private static final String NS_PATH = "/authz/ns";
+	public Describe(NS parent) {
+		super(parent,"describe", 
+				new Param("ns-name",true),
+				new Param("description",true)); 
+	}
+
+	@Override
+	public int _exec(final int index, final String ... args) throws CadiException, APIException, LocatorException {
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				int idx = index;
+				String name = args[idx++];
+				StringBuilder desc = new StringBuilder();
+				while (idx < args.length) {
+					desc.append(args[idx++] + ' ');
+				}
+		
+				NsRequest nsr = new NsRequest();
+				nsr.setName(name);
+				nsr.setDescription(desc.toString());
+		
+				// Set Start/End commands
+				setStartEnd(nsr);
+				
+				Future<NsRequest> fn = null;
+				int rv;
+
+				fn = client.update(
+					NS_PATH,
+					getDF(NsRequest.class),
+					nsr
+					);
+
+				if(fn.get(AAFcli.timeout())) {
+					rv=fn.code();
+					pw().println("Description added to Namespace");
+				} else {
+					if((rv=fn.code())==202) {
+						pw().print("Adding description");
+						pw().println(" Accepted, but requires Approvals before actualizing");
+					} else {
+						error(fn);
+					}
+				}
+				return rv;
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,"Add a description to a namespace");
+		api(sb,indent,HttpMethods.PUT,"authz/ns",NsRequest.class,true);
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java
new file mode 100644
index 00000000..387bae00
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java
@@ -0,0 +1,176 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.ns;
+
+import java.util.Collections;
+import java.util.Comparator;
+
+import org.onap.aaf.auth.cmd.BaseCmd;
+import org.onap.aaf.auth.cmd.DeprecatedCMD;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import aaf.v2_0.Nss;
+import aaf.v2_0.Nss.Ns;
+import aaf.v2_0.Perms;
+import aaf.v2_0.Roles;
+import aaf.v2_0.Users;
+import aaf.v2_0.Users.User;
+
+public class List extends BaseCmd<NS> {
+
+	public List(NS parent) {
+		super(parent,"list");
+		cmds.add(new ListByName(this));
+		
+//		TODO: uncomment when on cassandra 2.1.2 if we like cli command to get all ns's 
+//				a user is admin or responsible for 
+		cmds.add(new ListAdminResponsible(this));
+		cmds.add(new DeprecatedCMD<List>(this,"responsible","'responsible' is deprecated.  use 'owner'")); // deprecated
+		cmds.add(new ListActivity(this));
+		cmds.add(new ListUsers(this));
+		cmds.add(new ListChildren(this));
+		cmds.add(new ListNsKeysByAttrib(this));
+	}
+
+	private static final String sformat = "        %-72s\n";
+	protected static final String kformat = "  %-72s\n";
+
+	
+	public void report(Future<Nss> fp, String ... str) {
+		reportHead(str);
+		if(fp==null) {
+			pw().println("    *** Namespace Not Found ***");
+		}
+		
+		if(fp!=null && fp.value!=null) {
+		    for(Ns ns : fp.value.getNs()) {
+		    	pw().println(ns.getName());
+		    	if (this.aafcli.isDetailed()) {
+		    		pw().println("    Description");
+		    		pw().format(sformat,ns.getDescription()==null?"":ns.getDescription());
+		    	}
+		    	if(ns.getAdmin().size()>0) {
+		    		pw().println("    Administrators");
+		    		for(String admin : ns.getAdmin()) {
+		    			pw().format(sformat,admin);
+		    		}
+		    	}
+		    	if(ns.getResponsible().size()>0) {
+		    		pw().println("    Owners (Responsible for Namespace)");
+		    		for(String responsible : ns.getResponsible()) {
+		    			pw().format(sformat,responsible);
+		    		}
+		    	}
+		    	if(ns.getAttrib().size()>0) {
+		    		pw().println("    Namespace Attributes");
+					for(  Ns.Attrib attr : ns.getAttrib()) {
+		    			StringBuilder sb = new StringBuilder(attr.getKey());
+		    			if(attr.getValue()==null || attr.getValue().length()>0) {
+		    				sb.append('=');
+		    				sb.append(attr.getValue());
+		    			}
+		    			pw().format(sformat,sb.toString());
+		    		}
+		    		
+		    	}
+		    }
+		}
+	}
+	
+	public void reportName(Future<Nss> fp, String ... str) {
+		reportHead(str);
+		if(fp!=null && fp.value!=null) {
+			java.util.List<Ns> nss = fp.value.getNs();
+			Collections.sort(nss, new Comparator<Ns>() {
+				@Override
+				public int compare(Ns ns1, Ns ns2) {
+					return ns1.getName().compareTo(ns2.getName());
+				}
+			});
+			
+			for(Ns ns : nss) {
+				pw().println(ns.getName());
+				if (this.aafcli.isDetailed() && ns.getDescription() != null) {
+				    pw().println("   " + ns.getDescription());
+				}
+			}
+		}
+	}
+
+	public void reportRole(Future<Roles> fr) {
+		if(fr!=null && fr.value!=null && fr.value.getRole().size()>0) {
+			pw().println("    Roles");
+			for(aaf.v2_0.Role r : fr.value.getRole()) {
+				pw().format(sformat,r.getName());
+			}
+		}
+	}
+
+	private static final String pformat = "        %-30s %-24s %-15s\n";
+	public void reportPerm(Future<Perms> fp) {
+		if(fp!=null && fp.value!=null && fp.value.getPerm().size()>0) {
+			pw().println("    Permissions");
+			for(aaf.v2_0.Perm p : fp.value.getPerm()) {
+				pw().format(pformat,p.getType(),p.getInstance(),p.getAction());
+			}
+		}
+	}
+	
+	
+	private static final String cformat = "        %-30s %-6s %-24s\n";
+	public void reportCred(Future<Users> fc) {		
+		if(fc!=null && fc.value!=null && fc.value.getUser().size()>0) {
+			pw().println("    Credentials");
+			java.util.List<User> users = fc.value.getUser();
+			Collections.sort(users, new Comparator<User>() {
+				@Override
+				public int compare(User u1, User u2) {
+					return u1.getId().compareTo(u2.getId());
+				}
+			});
+			for(aaf.v2_0.Users.User u : users) {
+				if (this.aafcli.isTest()) {
+				    pw().format(sformat,u.getId());
+				} else {
+					pw().format(cformat,u.getId(),getType(u),Chrono.niceDateStamp(u.getExpires()));
+				}
+			}
+		}
+	}
+
+	public static String getType(User u) {
+		Integer type;
+		if((type=u.getType())==null) {
+			type = 9999;
+		} 
+		switch(type) {
+			case 1:   return "U/P";
+			case 2:	  return "U/P2";
+			case 10:  return "Cert";
+			case 200: return "x509";
+			default:
+				return "n/a";
+		}
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListActivity.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListActivity.java
new file mode 100644
index 00000000..4cc4236e
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListActivity.java
@@ -0,0 +1,80 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.ns;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.History;
+
+/**
+ *  * @author Jonathan
+ *
+ */
+public class ListActivity extends Cmd {
+	private static final String HEADER = "List Activity of Namespace";
+	
+	public ListActivity(List parent) {
+		super(parent,"activity", 
+				new Param("ns-name",true));
+	}
+
+	@Override
+	public int _exec(int _idx, final String ... args) throws CadiException, APIException, LocatorException {
+	        int idx = _idx;
+		final String ns = args[idx++];
+		
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				Future<History> fp = client.read(
+						"/authz/hist/ns/"+ns, 
+						getDF(History.class)
+						);
+	
+				if(fp.get(AAFcli.timeout())) {
+					activity(fp.value, HEADER + " [ " + ns + " ]");
+				} else {
+					error(fp);
+				}
+				return fp.code();
+			}
+		});
+	}
+	
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,HEADER);
+		api(sb,indent,HttpMethods.GET,"authz/hist/ns/<ns>",History.class,true);
+	}
+
+
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListAdminResponsible.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListAdminResponsible.java
new file mode 100644
index 00000000..e17436a2
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListAdminResponsible.java
@@ -0,0 +1,77 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.ns;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Nss;
+
+public class ListAdminResponsible extends Cmd {
+	private static final String HEADER="List Namespaces with ";
+	private final static String[] options = {"admin","owner"};
+	
+	public ListAdminResponsible(List parent) {
+		super(parent,null, 
+				new Param(optionsToString(options),true),
+				new Param("user",true)); 
+	}
+
+	@Override
+	protected int _exec(final int index, final String... args) throws CadiException, APIException, LocatorException {
+
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				int idx = index;
+				String title = args[idx++];
+				String user = fullID(args[idx++]);
+				String apipart = "owner".equals(title)?"responsible":title;
+				
+				Future<Nss> fn = client.read("/authz/nss/"+apipart+"/"+user,getDF(Nss.class));
+				if(fn.get(AAFcli.timeout())) {
+					((List)parent).reportName(fn,HEADER + title + " privileges for ",user);
+				} else if(fn.code()==404) {
+					((List)parent).report(null,HEADER + title + " privileges for ",user);
+					return 200;
+				} else {	
+					error(fn);
+				}
+				return fn.code();
+			}
+		});
+	}
+	
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,HEADER + "admin or owner privileges for user");
+		api(sb,indent,HttpMethods.GET,"authz/nss/<admin|owner>/<user>",Nss.class,true);
+	}
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListByName.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListByName.java
new file mode 100644
index 00000000..ffc1af89
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListByName.java
@@ -0,0 +1,105 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.ns;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Nss;
+import aaf.v2_0.Nss.Ns;
+import aaf.v2_0.Perms;
+import aaf.v2_0.Roles;
+import aaf.v2_0.Users;
+
+/**
+ * p
+ * @author Jonathan
+ *
+ */
+public class ListByName extends Cmd {
+	private static final String HEADER="List Namespaces by Name";
+	
+	public ListByName(List parent) {
+		super(parent,"name", 
+				new Param("ns-name",true));
+	}
+
+	@Override
+	public int _exec(int _idx, final String ... args) throws CadiException, APIException, LocatorException {
+	        int idx = _idx;
+		final String ns=args[idx++];
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				Future<Nss> fn = client.read("/authz/nss/"+ns,getDF(Nss.class));
+				if(fn.get(AAFcli.timeout())) {
+					((List)parent).report(fn,HEADER,ns);
+					if(fn.value!=null) {
+						for(Ns n : fn.value.getNs()) {
+							Future<Roles> fr = client.read("/authz/roles/ns/"+n.getName(), getDF(Roles.class));
+							if(fr.get(AAFcli.timeout())) {
+								((List)parent).reportRole(fr);
+							}
+						}
+						for(Ns n : fn.value.getNs()) {
+							Future<Perms> fp = client.read("/authz/perms/ns/"+n.getName()+(aafcli.isDetailed()?"?ns":""), getDF(Perms.class));
+							if(fp.get(AAFcli.timeout())) {
+								((List)parent).reportPerm(fp);
+							}
+						}
+						for(Ns n : fn.value.getNs()) {
+							Future<Users> fu = client.read("/authn/creds/ns/"+n.getName()+(aafcli.isDetailed()?"?ns":""), getDF(Users.class));
+							if(fu.get(AAFcli.timeout())) {
+								((List)parent).reportCred(fu);
+							}
+						}
+					}
+				} else if(fn.code()==404) {
+					((List)parent).report(null,HEADER,ns);
+					return 200;
+				} else {	
+					error(fn);
+				}
+				return fn.code();
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,HEADER);
+		api(sb,indent,HttpMethods.GET,"authz/nss/<ns>",Nss.class,true);
+		detailLine(sb,indent,"Indirectly uses:");
+		api(sb,indent,HttpMethods.GET,"authz/roles/ns/<ns>",Roles.class,false);
+		api(sb,indent,HttpMethods.GET,"authz/perms/ns/<ns>",Perms.class,false);
+		api(sb,indent,HttpMethods.GET,"authn/creds/ns/<ns>",Users.class,false);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListChildren.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListChildren.java
new file mode 100644
index 00000000..07dcf701
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListChildren.java
@@ -0,0 +1,81 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.ns;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Nss;
+import aaf.v2_0.Nss.Ns;
+
+/**
+ * p
+ * @author Jonathan
+ *
+ */
+public class ListChildren extends Cmd {
+	private static final String HEADER="List Child Namespaces";
+	
+	public ListChildren(List parent) {
+		super(parent,"children", 
+				new Param("ns-name",true));
+	}
+
+	@Override
+	public int _exec(int _idx, final String ... args) throws CadiException, APIException, LocatorException {
+	        int idx = _idx;
+		final String ns=args[idx++];
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				Future<Nss> fn = client.read("/authz/nss/children/"+ns,getDF(Nss.class));
+				if(fn.get(AAFcli.timeout())) {
+					parent.reportHead(HEADER);
+					for(Ns ns : fn.value.getNs()) {
+						pw().format(List.kformat, ns.getName());
+					}
+				} else if(fn.code()==404) {
+					((List)parent).report(null,HEADER,ns);
+					return 200;
+				} else {	
+					error(fn);
+				}
+				return fn.code();
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,HEADER);
+		api(sb,indent,HttpMethods.GET,"authz/nss/children/<ns>",Nss.class,true);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListNsKeysByAttrib.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListNsKeysByAttrib.java
new file mode 100644
index 00000000..7c449565
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListNsKeysByAttrib.java
@@ -0,0 +1,88 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.ns;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Keys;
+import aaf.v2_0.Nss;
+import aaf.v2_0.Perms;
+import aaf.v2_0.Roles;
+import aaf.v2_0.Users;
+
+/**
+ * p
+ * @author Jonathan
+ *
+ */
+public class ListNsKeysByAttrib extends Cmd {
+	private static final String HEADER="List Namespace Names by Attribute";
+	
+	public ListNsKeysByAttrib(List parent) {
+		super(parent,"keys", 
+				new Param("attrib",true)); 
+	}
+
+	@Override
+	public int _exec(final int idx, final String ... args) throws CadiException, APIException, LocatorException {
+		final String attrib=args[idx];
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				Future<Keys> fn = client.read("/authz/ns/attrib/"+attrib,getDF(Keys.class));
+				if(fn.get(AAFcli.timeout())) {
+					parent.reportHead(HEADER);
+					for(String key : fn.value.getKey()) {
+						pw().printf(List.kformat, key);
+					}
+				} else if(fn.code()==404) {
+					parent.reportHead(HEADER);
+					pw().println("    *** No Namespaces Found ***");
+					return 200;
+				} else {	
+					error(fn);
+				}
+				return fn.code();
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,HEADER);
+		api(sb,indent,HttpMethods.GET,"authz/nss/<ns>",Nss.class,true);
+		detailLine(sb,indent,"Indirectly uses:");
+		api(sb,indent,HttpMethods.GET,"authz/roles/ns/<ns>",Roles.class,false);
+		api(sb,indent,HttpMethods.GET,"authz/perms/ns/<ns>",Perms.class,false);
+		api(sb,indent,HttpMethods.GET,"authn/creds/ns/<ns>",Users.class,false);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListUsers.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListUsers.java
new file mode 100644
index 00000000..7106ba6d
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListUsers.java
@@ -0,0 +1,76 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.ns;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+
+import org.onap.aaf.auth.cmd.BaseCmd;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+
+import aaf.v2_0.Nss;
+import aaf.v2_0.Users.User;
+
+public class ListUsers extends BaseCmd<List> {
+	
+	public ListUsers(List parent) {
+		super(parent,"user");
+		cmds.add(new ListUsersWithPerm(this));
+		cmds.add(new ListUsersInRole(this));
+	}
+	private static final Future<Nss> dummy = new Future<Nss>(){
+
+		@Override
+		public boolean get(int timeout) throws CadiException {
+			return false;
+		}
+
+		@Override
+		public int code() {
+			return 0;
+		}
+
+		@Override
+		public String body() {
+			return null;
+		}
+
+		@Override
+		public String header(String tag) {
+			return null;
+		}
+	};
+	public void report(String header, String ns) {
+		((List)parent).report(dummy, header,ns);
+	}
+
+	public void report(String subHead) {
+		pw().println(subHead);
+	}
+
+	private static final String uformat = "%s%-50s expires:%02d/%02d/%04d\n";
+	public void report(String prefix, User u) {
+		XMLGregorianCalendar xgc = u.getExpires();
+		pw().format(uformat,prefix,u.getId(),xgc.getMonth()+1,xgc.getDay(),xgc.getYear());
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListUsersContact.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListUsersContact.java
new file mode 100644
index 00000000..1c988e30
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListUsersContact.java
@@ -0,0 +1,128 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.ns;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Nss;
+import aaf.v2_0.Nss.Ns;
+import aaf.v2_0.Role;
+import aaf.v2_0.Roles;
+import aaf.v2_0.Users;
+import aaf.v2_0.Users.User;
+
+/**
+ * p
+ * @author Jonathan
+ *
+ */
+public class ListUsersContact extends Cmd {
+	private static final String HEADER="List Contacts of Namespace ";
+	
+	public ListUsersContact(ListUsers parent) {
+		super(parent,"contact", 
+				new Param("ns-name",true)); 
+	}
+
+	@Override
+	public int _exec(int _idx, final String ... args) throws CadiException, APIException, LocatorException {
+	        int idx = _idx;
+		final String ns=args[idx++];
+		final boolean detail = aafcli.isDetailed();
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				((ListUsers)parent).report(HEADER,ns);
+				Future<Nss> fn = client.read("/authz/nss/"+ns,getDF(Nss.class));
+				if(fn.get(AAFcli.timeout())) {
+					if(fn.value!=null) {
+						Set<String> uset = detail?null:new HashSet<String>();
+						for(Ns n : fn.value.getNs()) {
+							Future<Roles> fr = client.read("/authz/roles/ns/"+n.getName(), getDF(Roles.class));
+							if(fr.get(AAFcli.timeout())) {
+								for(Role r : fr.value.getRole()) {
+									if(detail) {
+										((ListUsers)parent).report(r.getName());
+									}
+									Future<Users> fus = client.read(
+											"/authz/users/role/"+r.getName(), 
+											getDF(Users.class)
+											);
+									if(fus.get(AAFcli.timeout())) {
+										for(User u : fus.value.getUser()) {
+											if(detail) {
+												((ListUsers)parent).report("  ",u);
+											} else {
+											    uset.add(u.getId());
+											}
+										}
+									} else if(fn.code()==404) {
+										return 200;
+									}
+								}
+							}
+						}
+						if(uset!=null) {
+							for(String u : uset) {
+								pw().print("  ");
+								pw().println(u);
+							}
+						}
+					}
+				} else if(fn.code()==404) {
+					return 200;
+				} else {	
+					error(fn);
+				}
+				return fn.code();
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int _indent, StringBuilder sb) {
+	        int indent = _indent;
+		detailLine(sb,indent,HEADER);
+		indent+=4;
+		detailLine(sb,indent,"Report Users associated with this Namespace's Roles");
+		sb.append('\n');
+		detailLine(sb,indent,"If \"set details=true\" is specified, then all roles are printed ");
+		detailLine(sb,indent,"with the associated users and expiration dates");
+		indent-=4;
+		api(sb,indent,HttpMethods.GET,"authz/nss/<ns>",Nss.class,true);
+		api(sb,indent,HttpMethods.GET,"authz/roles/ns/<ns>",Roles.class,false);
+		api(sb,indent,HttpMethods.GET,"authz/users/role/<ns>",Users.class,false);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListUsersInRole.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListUsersInRole.java
new file mode 100644
index 00000000..2ee8bd2c
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListUsersInRole.java
@@ -0,0 +1,128 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.ns;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Nss;
+import aaf.v2_0.Nss.Ns;
+import aaf.v2_0.Role;
+import aaf.v2_0.Roles;
+import aaf.v2_0.Users;
+import aaf.v2_0.Users.User;
+
+/**
+ * p
+ * @author Jonathan
+ *
+ */
+public class ListUsersInRole extends Cmd {
+	private static final String HEADER="List Users in Roles of Namespace ";
+	
+	public ListUsersInRole(ListUsers parent) {
+		super(parent,"role", 
+				new Param("ns-name",true)); 
+	}
+
+	@Override
+	public int _exec(int _idx, final String ... args) throws CadiException, APIException, LocatorException {
+	        int idx = _idx;
+		final String ns=args[idx++];
+		final boolean detail = aafcli.isDetailed();
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				((ListUsers)parent).report(HEADER,ns);
+				Future<Nss> fn = client.read("/authz/nss/"+ns,getDF(Nss.class));
+				if(fn.get(AAFcli.timeout())) {
+					if(fn.value!=null) {
+						Set<String> uset = detail?null:new HashSet<String>();
+						for(Ns n : fn.value.getNs()) {
+							Future<Roles> fr = client.read("/authz/roles/ns/"+n.getName(), getDF(Roles.class));
+							if(fr.get(AAFcli.timeout())) {
+								for(Role r : fr.value.getRole()) {
+									if(detail) {
+										((ListUsers)parent).report(r.getName());
+									}
+									Future<Users> fus = client.read(
+											"/authz/users/role/"+r.getName(), 
+											getDF(Users.class)
+											);
+									if(fus.get(AAFcli.timeout())) {
+										for(User u : fus.value.getUser()) {
+											if(detail) {
+												((ListUsers)parent).report("  ",u);
+											} else {
+											    uset.add(u.getId());
+											}
+										}
+									} else if(fn.code()==404) {
+										return 200;
+									}
+								}
+							}
+						}
+						if(uset!=null) {
+							for(String u : uset) {
+								pw().print("  ");
+								pw().println(u);
+							}
+						}
+					}
+				} else if(fn.code()==404) {
+					return 200;
+				} else {	
+					error(fn);
+				}
+				return fn.code();
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int _indent, StringBuilder sb) {
+	        int indent = _indent;
+		detailLine(sb,indent,HEADER);
+		indent+=4;
+		detailLine(sb,indent,"Report Users associated with this Namespace's Roles");
+		sb.append('\n');
+		detailLine(sb,indent,"If \"set details=true\" is specified, then all roles are printed ");
+		detailLine(sb,indent,"with the associated users and expiration dates");
+		indent-=4;
+		api(sb,indent,HttpMethods.GET,"authz/nss/<ns>",Nss.class,true);
+		api(sb,indent,HttpMethods.GET,"authz/roles/ns/<ns>",Roles.class,false);
+		api(sb,indent,HttpMethods.GET,"authz/users/role/<ns>",Users.class,false);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListUsersWithPerm.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListUsersWithPerm.java
new file mode 100644
index 00000000..97ccf569
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListUsersWithPerm.java
@@ -0,0 +1,128 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.ns;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Nss;
+import aaf.v2_0.Nss.Ns;
+import aaf.v2_0.Perm;
+import aaf.v2_0.Perms;
+import aaf.v2_0.Users;
+import aaf.v2_0.Users.User;
+
+/**
+ * p
+ * @author Jonathan
+ *
+ */
+public class ListUsersWithPerm extends Cmd {
+	private static final String HEADER="List Users of Permissions of Namespace ";
+	
+	public ListUsersWithPerm(ListUsers parent) {
+		super(parent,"perm", 
+				new Param("ns-name",true)); 
+	}
+
+	@Override
+	public int _exec(int _idx, final String ... args) throws CadiException, APIException, LocatorException {
+	        int idx = _idx;
+		final String ns=args[idx++];
+		final boolean detail = aafcli.isDetailed();
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				((ListUsers)parent).report(HEADER,ns);
+				Future<Nss> fn = client.read("/authz/nss/"+ns,getDF(Nss.class));
+				if(fn.get(AAFcli.timeout())) {
+					if(fn.value!=null) {
+						Set<String> uset = detail?null:new HashSet<String>();
+						
+						for(Ns n : fn.value.getNs()) {
+							Future<Perms> fp = client.read("/authz/perms/ns/"+n.getName()+(aafcli.isDetailed()?"?ns":"")
+									, getDF(Perms.class));
+							if(fp.get(AAFcli.timeout())) {
+								for(Perm p : fp.value.getPerm()) {
+									String perm = p.getType()+'/'+p.getInstance()+'/'+p.getAction();
+									if(detail)((ListUsers)parent).report(perm);
+									Future<Users> fus = client.read(
+											"/authz/users/perm/"+perm, 
+											getDF(Users.class)
+											);
+									if(fus.get(AAFcli.timeout())) {
+										for(User u : fus.value.getUser()) {
+											if(detail)
+												((ListUsers)parent).report("  ",u);
+											else 
+												uset.add(u.getId());
+										}
+									} else if(fn.code()==404) {
+										return 200;
+									}
+								}
+							}
+						}
+						if(uset!=null) {
+							for(String u : uset) {
+								pw().print("  ");
+								pw().println(u);
+							}
+						}
+					}
+				} else if(fn.code()==404) {
+					return 200;
+				} else {	
+					error(fn);
+				}
+				return fn.code();
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int _indent, StringBuilder sb) {
+	        int indent = _indent;
+		detailLine(sb,indent,HEADER);
+		indent+=4;
+		detailLine(sb,indent,"Report Users associated with this Namespace's Permissions");
+		sb.append('\n');
+		detailLine(sb,indent,"If \"set detail=true\" is specified, then Permissions are printed with the associated");
+		detailLine(sb,indent,"users and expiration dates");
+		indent-=4;
+		api(sb,indent,HttpMethods.GET,"authz/nss/<ns>",Nss.class,true);
+		api(sb,indent,HttpMethods.GET,"authz/perms/ns/<ns>",Perms.class,false);
+		api(sb,indent,HttpMethods.GET,"authz/users/perm/<type>/<instance>/<action>",Users.class,false);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/NS.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/NS.java
new file mode 100644
index 00000000..8ceffde7
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/NS.java
@@ -0,0 +1,45 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.ns;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.BaseCmd;
+import org.onap.aaf.auth.cmd.DeprecatedCMD;
+import org.onap.aaf.misc.env.APIException;
+
+public class NS extends BaseCmd<NS> {
+//	final Role role;
+
+	public NS(AAFcli aafcli) throws APIException {
+		super(aafcli, "ns");
+//		this.role = role;
+	
+		cmds.add(new Create(this));
+		cmds.add(new Delete(this));
+		cmds.add(new Admin(this));
+		cmds.add(new Owner(this));
+		cmds.add(new DeprecatedCMD<NS>(this,"responsible","'responsible' is deprecated.  use 'owner'")); // deprecated
+		cmds.add(new Describe(this));
+		cmds.add(new Attrib(this));
+		cmds.add(new List(this));
+	}
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/Owner.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/Owner.java
new file mode 100644
index 00000000..5d1df496
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/Owner.java
@@ -0,0 +1,109 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.ns;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.BaseCmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+public class Owner extends BaseCmd<NS> {
+	private final static String[] options = {"add","del"};
+
+	public Owner(NS ns) throws APIException {
+		super(ns,"owner",
+				new Param(optionsToString(options),true),
+				new Param("ns-name",true),
+				new Param("id[,id]*",true)
+		);
+	}
+
+	@Override
+	public int _exec(int _idx, final String ... args) throws CadiException, APIException, LocatorException {
+	    	int idx = _idx;
+
+		final int option = whichOption(options, args[idx++]);
+		final String ns = args[idx++];
+		final String ids[] = args[idx++].split(",");
+
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				Future<Void> fp=null;
+				for(String id : ids) {
+					id=fullID(id);
+					String verb;
+					switch(option) {
+						case 0: 
+							fp = client.create("/authz/ns/"+ns+"/responsible/"+id,Void.class);
+							verb = " is now ";
+							break;
+						case 1: 
+							fp = client.delete("/authz/ns/"+ns+"/responsible/"+id,Void.class);
+							verb = " is no longer ";
+							break;
+						default:
+							throw new CadiException("Bad Argument");
+					};
+				
+					if(fp.get(AAFcli.timeout())) {
+						pw().append(id);
+						pw().append(verb);
+						pw().append("responsible for ");
+						pw().println(ns);
+					} else {
+						error(fp);
+						return fp.code();
+					}
+				}
+				return fp==null?500:fp.code();
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int _indent, StringBuilder sb) {
+	    	int indent = _indent;
+		detailLine(sb,indent,"Add or Delete Responsible person to/from Namespace");
+		indent+=2;
+		detailLine(sb,indent,"Namespace Owners are responsible to receive Notifications and ");
+		detailLine(sb,indent,"approve Requests regarding this Namespace. Companies have ");
+		detailLine(sb,indent,"Policies as to who may take on this responsibility");
+
+		indent+=2;
+		detailLine(sb,indent,"name - Name of Namespace");
+		detailLine(sb,indent,"id   - Credential of Person(s) to be made responsible");
+		sb.append('\n');
+		detailLine(sb,indent,"aafcli will call API on each ID presented.");
+		indent-=4;
+		api(sb,indent,HttpMethods.POST,"authz/ns/<ns>/responsible/<id>",Void.class,true);
+		api(sb,indent,HttpMethods.DELETE,"authz/ns/<ns>/responsible/<id>",Void.class,false);
+	}
+
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/Create.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/Create.java
new file mode 100644
index 00000000..cc674568
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/Create.java
@@ -0,0 +1,163 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.perm;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.PermRequest;
+import aaf.v2_0.RoleRequest;
+
+/**
+ * 
+ * @author Jonathan
+ *
+ */
+public class Create extends Cmd {
+	public Create(Perm parent) {
+		super(parent,"create", 
+				new Param("type",true), 
+				new Param("instance",true),
+				new Param("action", true),
+				new Param("role[,role]* (to Grant to)", false)
+				);
+	}
+
+	@Override
+	public int _exec(final int index, final String ... args) throws CadiException, APIException, LocatorException {
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				int idx = index;
+				final PermRequest pr = new PermRequest();  
+				pr.setType(args[idx++]);
+				pr.setInstance(args[idx++]);
+				pr.setAction(args[idx++]);
+				String roleCommas = (args.length>idx)?args[idx++]:null;
+				String[] roles = roleCommas==null?null:roleCommas.split("\\s*,\\s*");
+				boolean force = aafcli.forceString()!=null;
+				int rv;
+				
+				if(roles!=null && force) { // Make sure Roles are Created
+					RoleRequest rr = new RoleRequest();
+					for(String role : roles) {
+						rr.setName(role);;
+						Future<RoleRequest> fr = client.create(
+							"/authz/role",
+							getDF(RoleRequest.class),
+							rr
+							);
+						fr.get(AAFcli.timeout());
+						switch(fr.code()){
+							case 201:
+								pw().println("Created Role [" + role + ']');
+								break;
+							case 409:
+								break;
+							default: 
+								pw().println("Role [" + role + "] does not exist, and cannot be created.");
+								return 206 /*HttpStatus.PARTIAL_CONTENT_206*/;
+						}
+					}
+				}
+
+				// Set Start/End commands
+				setStartEnd(pr);
+				setQueryParamsOn(client);
+				Future<PermRequest> fp = client.create(
+						"/authz/perm",
+						getDF(PermRequest.class),
+						pr
+						);
+				if(fp.get(AAFcli.timeout())) {
+					rv = fp.code();
+					pw().println("Created Permission");
+					if(roles!=null) {
+						if(aafcli.forceString()!=null) { // Make sure Roles are Created
+							RoleRequest rr = new RoleRequest();
+							for(String role : roles) {
+								rr.setName(role);;
+								Future<RoleRequest> fr = client.create(
+									"/authz/role",
+									getDF(RoleRequest.class),
+									rr
+									);
+								fr.get(AAFcli.timeout());
+								switch(fr.code()){
+									case 201:
+									case 409:break;
+									default: 
+										
+								}
+							}
+						}
+						
+						try {
+							if(201!=(rv=((Perm)parent)._exec(0, 
+									new String[] {"grant",pr.getType(),pr.getInstance(),pr.getAction(),roleCommas}))) {
+								rv = 206 /*HttpStatus.PARTIAL_CONTENT_206*/;
+							}
+						} catch (LocatorException e) {
+							throw new CadiException(e);
+						}
+					}
+				} else {
+					rv = fp.code();
+					if(rv==409 && force) {
+						rv = 201;
+					} else if(rv==202) {
+						pw().println("Permission Creation Accepted, but requires Approvals before actualizing");
+						if (roles!=null)
+							pw().println("You need to grant the roles after approval.");
+					} else {
+						error(fp);
+					}
+				}
+				return rv;
+			}
+		});
+	}
+	
+	@Override
+	public void detailedHelp(int _indent, StringBuilder sb) {
+	        int indent = _indent;
+		detailLine(sb,indent,"Create a Permission with:");
+		detailLine(sb,indent+=2,"type     - A Namespace qualified identifier identifying the kind of");
+		detailLine(sb,indent+11,"resource to be protected");
+		detailLine(sb,indent,"instance - A name that distinguishes a particular instance of resource");
+		detailLine(sb,indent,"action   - What kind of action is allowed");
+		detailLine(sb,indent,"role(s)  - Perms granted to these Comma separated Role(s)");
+		detailLine(sb,indent+11,"Nonexistent role(s) will be created, if in same namespace");
+		sb.append('\n');
+		detailLine(sb,indent+2,"Note: Instance and Action can be a an '*' (enter \\\\* on Unix Shell)");
+		api(sb,indent,HttpMethods.POST,"authz/perm",PermRequest.class,true);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/Delete.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/Delete.java
new file mode 100644
index 00000000..ba123d58
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/Delete.java
@@ -0,0 +1,89 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.perm;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.PermRequest;
+
+/**
+ * p
+ * @author Jonathan
+ *
+ */
+public class Delete extends Cmd {
+	public Delete(Perm parent) {
+		super(parent,"delete", 
+				new Param("type",true), 
+				new Param("instance",true),
+				new Param("action", true));
+	}
+
+	@Override
+	public int _exec(final int index, final String ... args) throws CadiException, APIException, LocatorException {
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				int idx = index;
+				// Object Style Delete
+				PermRequest pk = new PermRequest();
+				pk.setType(args[idx++]);
+				pk.setInstance(args[idx++]);
+				pk.setAction(args[idx++]);
+		
+				// Set "Force" if set
+				setQueryParamsOn(client);
+				Future<PermRequest> fp = client.delete(
+						"/authz/perm", 
+						getDF(PermRequest.class),
+						pk);
+				if(fp.get(AAFcli.timeout())) {
+					pw().println("Deleted Permission");
+				} else {
+					if(fp.code()==202) {
+						pw().println("Permission Deletion Accepted, but requires Approvals before actualizing");
+					} else {
+						error(fp);
+					}
+				}
+				return fp.code();
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,"Delete a Permission with type,instance and action");
+		detailLine(sb,indent+4,"see Create for definitions");
+		api(sb,indent,HttpMethods.DELETE,"authz/perm",PermRequest.class,true);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/Describe.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/Describe.java
new file mode 100644
index 00000000..5a3fad3e
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/Describe.java
@@ -0,0 +1,100 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.perm;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.PermRequest;
+
+public class Describe extends Cmd {
+	private static final String PERM_PATH = "/authz/perm";
+	public Describe(Perm parent) {
+		super(parent,"describe", 
+				new Param("type",true),
+				new Param("instance", true),
+				new Param("action", true),
+				new Param("description",true)); 
+	}
+
+	@Override
+	public int _exec(final int index, final String ... args) throws CadiException, APIException, LocatorException {
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				int idx = index;
+				String type = args[idx++];
+				String instance = args[idx++];
+				String action = args[idx++];
+				StringBuilder desc = new StringBuilder();
+				while (idx < args.length) {
+					desc.append(args[idx++] + ' ');
+				}
+		
+				PermRequest pr = new PermRequest();
+				pr.setType(type);
+				pr.setInstance(instance);
+				pr.setAction(action);
+				pr.setDescription(desc.toString());
+		
+				// Set Start/End commands
+				setStartEnd(pr);
+				
+				Future<PermRequest> fp = null;
+				int rv;
+
+				fp = client.update(
+					PERM_PATH,
+					getDF(PermRequest.class),
+					pr
+					);
+
+				if(fp.get(AAFcli.timeout())) {
+					rv=fp.code();
+					pw().println("Description added to Permission");
+				} else {
+					if((rv=fp.code())==202) {
+						pw().print("Adding description");
+						pw().println(" Accepted, but requires Approvals before actualizing");
+					} else {
+						error(fp);
+					}
+				}
+				return rv;
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,"Add a description to a permission");
+		api(sb,indent,HttpMethods.PUT,"authz/perm",PermRequest.class,true);
+	}
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/Grant.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/Grant.java
new file mode 100644
index 00000000..d4b26a84
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/Grant.java
@@ -0,0 +1,150 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.perm;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Pkey;
+import aaf.v2_0.RolePermRequest;
+
+/**
+ * 
+ * @author Jonathan
+ *
+ */
+public class Grant extends Cmd {
+	private final static String[] options = {"grant","ungrant","setTo"};
+
+	public Grant(Perm parent) {
+		super(parent,null,
+			new Param(optionsToString(options),true),
+			new Param("type",true),
+			new Param("instance",true),
+			new Param("action",true),
+			new Param("role[,role]* (!REQ S)",false)
+			); 
+	}
+
+	@Override
+	public int _exec(final int index, final String ... args) throws CadiException, APIException, LocatorException {
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				int idx = index;
+				String action = args[idx++];
+				int option = whichOption(options, action);
+		
+				RolePermRequest rpr = new RolePermRequest();
+				Pkey pk = new Pkey();
+				pk.setType(args[idx++]);
+				pk.setInstance(args[idx++]);
+				pk.setAction(args[idx++]);
+				rpr.setPerm(pk);
+				setStartEnd(rpr);
+				
+				Future<RolePermRequest> frpr = null;
+		
+				if (option != 2) {
+					String[] roles = args[idx++].split(",");
+					String strA,strB;
+					for(String role : roles) {
+						rpr.setRole(role);
+						if(option==0) {
+							// You can request to Grant Permission to a Role
+							setQueryParamsOn(client);
+							frpr = client.create(
+									"/authz/role/perm", 
+									getDF(RolePermRequest.class),
+									rpr
+									);
+							strA = "Granted Permission [";
+							strB = "] to Role [";
+						} else {
+							// You can request to UnGrant Permission to a Role
+							setQueryParamsOn(client);
+							frpr = client.delete(
+									"/authz/role/" + role + "/perm", 
+									getDF(RolePermRequest.class),
+									rpr
+									);
+							strA = "UnGranted Permission [";
+							strB = "] from Role [";
+						}
+						if(frpr.get(AAFcli.timeout())) {
+							pw().println(strA + pk.getType() + '|' + pk.getInstance() + '|' + pk.getAction() 
+									+ strB + role +']');
+						} else {
+							if (frpr.code()==202) {
+								pw().print("Permission Role ");
+								pw().print(option==0?"Granted":"Ungranted");
+								pw().println(" Accepted, but requires Approvals before actualizing");
+							} else {
+								error(frpr);
+								idx=Integer.MAX_VALUE;
+							}			
+						}
+					}
+				} else {
+					String allRoles = "";
+					if (idx < args.length) 
+						allRoles = args[idx++];
+						
+					rpr.setRole(allRoles);
+					frpr = client.update(
+							"/authz/role/perm", 
+							getDF(RolePermRequest.class), 
+							rpr);
+					if(frpr.get(AAFcli.timeout())) {
+						pw().println("Set Permission's Roles to [" + allRoles + "]");
+					} else {
+						error(frpr);
+					}			
+				} 
+				return frpr==null?0:frpr.code();
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,"Grant a Permission to a Role or Roles  OR");
+		detailLine(sb,indent,"Ungrant a Permission from a Role or Roles  OR");
+		detailLine(sb,indent,"Set a Permission's roles to roles supplied.");
+		detailLine(sb,indent+4,"WARNING: Roles supplied with setTo will be the ONLY roles attached to this permission");
+		detailLine(sb,indent+8,"If no roles are supplied, permission's roles are reset.");
+		detailLine(sb,indent,"see Create for definitions of type,instance and action");
+		api(sb,indent,HttpMethods.POST,"authz/role/perm",RolePermRequest.class,true);
+		api(sb,indent,HttpMethods.DELETE,"authz/role/<role>/perm",RolePermRequest.class,false);
+		api(sb,indent,HttpMethods.PUT,"authz/role/perm",RolePermRequest.class,false);
+
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/List.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/List.java
new file mode 100644
index 00000000..2eadd38c
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/List.java
@@ -0,0 +1,116 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.perm;
+
+import java.util.Collections;
+import java.util.Comparator;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.BaseCmd;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Perms;
+
+public class List extends BaseCmd<Perm> {
+//	private static final String LIST_PERM_DETAILS = "list permission details";
+	
+	public List(Perm parent) {
+		super(parent,"list");
+
+		cmds.add(new ListByUser(this));
+		cmds.add(new ListByName(this));
+		cmds.add(new ListByNS(this));
+		cmds.add(new ListByRole(this));
+		cmds.add(new ListActivity(this));
+	}
+	// Package Level on purpose
+	abstract class ListPerms extends Retryable<Integer> {
+		protected int list(Future<Perms> fp,String header, String parentPerm) throws CadiException, APIException  {
+			if(fp.get(AAFcli.timeout())) {	
+				report(fp,header, parentPerm);
+			} else {
+				error(fp);
+			}
+			return fp.code();
+		}
+	}
+
+	private static final Comparator<aaf.v2_0.Perm> permCompare = new Comparator<aaf.v2_0.Perm>() {
+		@Override
+		public int compare(aaf.v2_0.Perm a, aaf.v2_0.Perm b) {
+			int rc;
+			if((rc=a.getType().compareTo(b.getType()))!=0) {
+			    return rc;
+			}
+			if((rc=a.getInstance().compareTo(b.getInstance()))!=0) {
+			    return rc;
+			}
+			return a.getAction().compareTo(b.getAction());
+		}
+	};
+	
+	private static final String permFormat = "%-30s %-30s %-10s\n";
+	
+	void report(Future<Perms> fp, String ... str) {
+		reportHead(str);
+		if (this.aafcli.isDetailed()) {		
+			String format = "%-36s %-30s %-15s\n";
+			String descFmt = "   %-75s\n";
+			reportColHead(format + descFmt,"[PERM NS].Type","Instance","Action", "Description");
+			Collections.sort(fp.value.getPerm(),permCompare);
+			for(aaf.v2_0.Perm p : fp.value.getPerm()) {
+				String pns = p.getNs();
+				if(pns==null) {
+					pw().format(format,
+							p.getType(),
+							p.getInstance(),
+							p.getAction());
+				} else {
+					pw().format(format,
+							'['+pns + "]." + p.getType().substring(pns.length()+1),
+							p.getInstance(),
+							p.getAction());
+				}
+				String desc = p.getDescription();
+				if(desc!=null && desc.length()>0) {
+					pw().format(descFmt,p.getDescription());
+				}
+			}
+			pw().println();
+		} else {
+			String format = reportColHead(permFormat,"PERM Type","Instance","Action");
+
+			Collections.sort(fp.value.getPerm(),permCompare);
+			for(aaf.v2_0.Perm p : fp.value.getPerm()) {
+				pw().format(format,
+					p.getType(),
+					p.getInstance(),
+					p.getAction());
+			}
+			pw().println();
+		}
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/ListActivity.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/ListActivity.java
new file mode 100644
index 00000000..4b5f569b
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/ListActivity.java
@@ -0,0 +1,76 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.perm;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.History;
+
+/**
+ *  * @author Jonathan
+ *
+ */
+public class ListActivity extends Cmd {
+	private static final String HEADER = "List Activity of Permission";
+	
+	public ListActivity(List parent) {
+		super(parent,"activity", 
+				new Param("type",true));
+	}
+
+	@Override
+	public int _exec(final int index, final String ... args) throws CadiException, APIException, LocatorException {
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				int idx = index;
+				String type = args[idx++];
+				Future<History> fp = client.read(
+						"/authz/hist/perm/"+type, 
+						getDF(History.class)
+						);
+				if(fp.get(AAFcli.timeout())) {
+					activity(fp.value, HEADER + " [ " + type + " ]");
+				} else {
+					error(fp);
+				}
+				return fp.code();
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,HEADER);
+		api(sb,indent,HttpMethods.GET,"authz/hist/perm/<type>",History.class,true);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/ListByNS.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/ListByNS.java
new file mode 100644
index 00000000..304055bf
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/ListByNS.java
@@ -0,0 +1,71 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.perm;
+
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Perms;
+
+/**
+ * Return Perms by NS
+ * 
+ * @author Jeremiah
+ *
+ */
+public class ListByNS extends Cmd {
+	private static final String HEADER = "List Perms by NS ";
+	
+	public ListByNS(List parent) {
+		super(parent,"ns", 
+				new Param("name",true)); 
+	}
+
+	public int _exec( int idx, final String ... args) throws CadiException, APIException, LocatorException {
+		final String ns=args[idx];
+
+		return same(((List)parent).new ListPerms() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				Future<Perms> fp = client.read(
+						"/authz/perms/ns/"+ns+(aafcli.isDetailed()?"?ns":""), 
+						getDF(Perms.class)
+						);
+				return list(fp, HEADER, ns);
+			}
+		});
+	}
+	
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,HEADER);
+		api(sb,indent,HttpMethods.GET,"authz/perms/ns/<ns>",Perms.class,true);
+	}
+
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/ListByName.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/ListByName.java
new file mode 100644
index 00000000..6310e24b
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/ListByName.java
@@ -0,0 +1,69 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.perm;
+
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Perms;
+
+/**
+ * 
+ * @author Jonathan
+ *
+ */
+public class ListByName extends Cmd {
+	private static final String HEADER = "List Child Permissions";
+	
+	public ListByName(List parent) {
+		super(parent,"name", 
+				new Param("root perm name",true)); 
+	}
+
+	public int _exec(final int index, final String ... args) throws CadiException, APIException, LocatorException {
+		return same(((List)parent).new ListPerms() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				String parentPerm=args[index];
+				
+				Future<Perms> fp = client.read(
+						"/authz/perms/"+parentPerm+(aafcli.isDetailed()?"?ns":""), 
+						getDF(Perms.class) 
+						);
+				return list(fp,HEADER,parentPerm);
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,HEADER);
+		api(sb,indent,HttpMethods.GET,"authz/perms/<parent type>",Perms.class,true);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/ListByRole.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/ListByRole.java
new file mode 100644
index 00000000..75b88538
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/ListByRole.java
@@ -0,0 +1,72 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.perm;
+
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Perms;
+
+/**
+ * Return Perms by Role
+ * 
+ * @author Jeremiah
+ *
+ */
+public class ListByRole extends Cmd {
+	private static final String HEADER = "List Perms by Role ";
+	
+	public ListByRole(List parent) {
+		super(parent,"role", 
+				new Param("name",true)); 
+	}
+
+	public int _exec(final int idx, final String ... args) throws CadiException, APIException, LocatorException {
+		final String role=args[idx];
+
+		return same(((List)parent).new ListPerms() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+
+				Future<Perms> fp = client.read(
+						"/authz/perms/role/"+role+(aafcli.isDetailed()?"?ns":""), 
+						getDF(Perms.class)
+						);
+				return list(fp, HEADER, role);
+			}
+		});
+	}
+	
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,HEADER);
+		api(sb,indent,HttpMethods.GET,"authz/perms/role/<role>",Perms.class,true);
+	}
+
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/ListByUser.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/ListByUser.java
new file mode 100644
index 00000000..ba708273
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/ListByUser.java
@@ -0,0 +1,82 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.perm;
+
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Perms;
+
+/**
+ * 
+ * @author Jonathan
+ *
+ */
+public class ListByUser extends Cmd {
+	private static final String HEADER = "List Permissions by User";
+	public ListByUser(List parent) {
+		super(parent,"user", 
+				new Param("id",true)); 
+	}
+
+	public int _exec( int idx, final String ... args) throws CadiException, APIException, LocatorException {
+		final String user=fullID(args[idx]);
+		
+		return same(((List)parent).new ListPerms() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				StringBuilder sb = null;
+				if("true".equalsIgnoreCase(aafcli.forceString())) {
+					sb = new StringBuilder();
+					sb.append("?force");
+				}
+				if(aafcli.isDetailed()) {
+					if(sb==null) {
+						sb = new StringBuilder('?');
+					} else {
+						sb.append('&');
+					}
+					sb.append("ns");
+				}
+				Future<Perms> fp = client.read(
+						"/authz/perms/user/"+user+(sb==null?"":sb), 
+						getDF(Perms.class)
+						);
+				return list(fp,HEADER, user);
+			}
+		});
+	}
+	
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,HEADER);
+		api(sb,indent,HttpMethods.GET,"authz/perms/user/<user id>",Perms.class,true);
+	}
+
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/Perm.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/Perm.java
new file mode 100644
index 00000000..805b6e62
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/Perm.java
@@ -0,0 +1,42 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.perm;
+
+import org.onap.aaf.auth.cmd.BaseCmd;
+import org.onap.aaf.auth.cmd.role.Role;
+import org.onap.aaf.misc.env.APIException;
+
+public class Perm extends BaseCmd<Perm> {
+	Role role;
+
+	public Perm(Role role) throws APIException {
+		super(role.aafcli, "perm");
+		this.role = role;
+
+		cmds.add(new Create(this));
+		cmds.add(new Delete(this));
+		cmds.add(new Grant(this));
+		cmds.add(new Rename(this));
+		cmds.add(new Describe(this));
+		cmds.add(new List(this));
+	}
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/Rename.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/Rename.java
new file mode 100644
index 00000000..fa65f61a
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/perm/Rename.java
@@ -0,0 +1,102 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.perm;
+
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.PermRequest;
+
+public class Rename extends Cmd {
+	public Rename(Perm parent) {
+		super(parent,"rename", 
+				new Param("type",true), 
+				new Param("instance",true),
+				new Param("action", true),
+				new Param("new type",true), 
+				new Param("new instance",true),
+				new Param("new action", true)
+				);
+	}
+	
+	@Override
+	public int _exec(final int index, final String ... args) throws CadiException, APIException, LocatorException {
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				int idx = index;
+				String origType = args[idx++];
+				String origInstance = args[idx++];
+				String origAction = args[idx++];
+				
+				//Create new permission
+				PermRequest pr = new PermRequest();
+				pr.setType(args[idx++]);
+				pr.setInstance(args[idx++]);
+				pr.setAction(args[idx++]);
+				
+				// Set Start/End commands
+				setStartEnd(pr);
+				Future<PermRequest> fp = client.update(
+						"/authz/perm/"+origType+"/"+origInstance+"/"+origAction,
+						getDF(PermRequest.class),
+						pr
+						);
+				int rv;
+				if(fp.get(AAFcli.timeout())) {
+					rv = fp.code();
+					pw().println("Updated Permission");
+				} else {
+					rv = fp.code();
+					if(rv==202) {
+						pw().println("Permission Update Accepted, but requires Approvals before actualizing");
+					} else {
+						error(fp);
+					}
+				}
+				return rv;
+			}
+		});
+		
+	}
+	
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,"Rename a Permission from:");
+		detailLine(sb,indent+2,"<type> <instance> <action>");
+		detailLine(sb,indent,"to:");
+		detailLine(sb,indent+2,"<new type> <new instance> <new action>");
+		sb.append('\n');
+		detailLine(sb,indent,"Namespace must be the same in <type> and <new type>");
+		detailLine(sb,indent+4,"see Create for definitions of type,instance and action");
+		api(sb,indent,HttpMethods.PUT,"authz/perm/<type>/<instance>/<action>",PermRequest.class,true);
+	}
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/CreateDelete.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/CreateDelete.java
new file mode 100644
index 00000000..99d55839
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/CreateDelete.java
@@ -0,0 +1,130 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.role;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.RoleRequest;
+
+/**
+ * 
+ * @author Jonathan
+ *
+ */
+public class CreateDelete extends Cmd {
+	private static final String ROLE_PATH = "/authz/role";
+	private final static String[] options = {"create","delete"};
+	public CreateDelete(Role parent) {
+		super(parent,null, 
+				new Param(optionsToString(options),true),
+				new Param("name",true)); 
+	}
+
+	@Override
+	public int _exec(final int index, final String ... args) throws CadiException, APIException, LocatorException {
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				int idx = index;
+				String action = args[idx++];
+				int option = whichOption(options, action);
+		
+				RoleRequest rr = new RoleRequest();
+				rr.setName(args[idx++]);
+		
+				// Set Start/End commands
+				setStartEnd(rr);
+				
+				Future<RoleRequest> fp = null;
+				String verb = null;
+				int rv;
+				switch(option) {
+					case 0:
+						fp = client.create(
+							ROLE_PATH,
+							getDF(RoleRequest.class),
+							rr
+							);
+						verb = "Create";
+						break;
+					case 1:
+						// Send "Force" if set
+						setQueryParamsOn(client);
+						fp = client.delete(
+								ROLE_PATH, // +args[idx++], 
+								getDF(RoleRequest.class),
+								rr
+								);
+						verb = "Delete";
+						break;
+					default: // note, if not an option, whichOption throws Exception
+						break;
+						
+				}
+				boolean rolesSupplied = (args.length>idx);
+				if(fp.get(AAFcli.timeout())) {
+					rv=fp.code();
+					pw().print(verb);
+					pw().println("d Role");
+					if(rolesSupplied) {
+						for(;args.length>idx;++idx ) {
+							try {
+								if(201!=(rv=((Role)parent)._exec(0,new String[] {"user","add",rr.getName(),args[idx]}))) {
+									rv = 206 /*HttpStatus.PARTIAL_CONTENT_206*/;
+								}
+							} catch (LocatorException e) {
+								throw new CadiException(e);
+							}
+						}
+					}
+				} else {
+					if((rv=fp.code())==202) {
+						pw().print("Role ");
+						pw().print(verb);
+						pw().println(" Accepted, but requires Approvals before actualizing");
+					} else {
+						error(fp);
+					}
+				}
+				return rv;
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,"Create OR Delete a Role");
+		detailLine(sb,indent+2,"name - Name of Role to create");
+		api(sb,indent,HttpMethods.POST,"authz/role",RoleRequest.class,true);
+		api(sb,indent,HttpMethods.DELETE,"authz/role",RoleRequest.class,false);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/Describe.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/Describe.java
new file mode 100644
index 00000000..5498f29a
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/Describe.java
@@ -0,0 +1,94 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.role;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.RoleRequest;
+
+public class Describe extends Cmd {
+	private static final String ROLE_PATH = "/authz/role";
+	public Describe(Role parent) {
+		super(parent,"describe", 
+				new Param("name",true),
+				new Param("description",true)); 
+	}
+
+	@Override
+	public int _exec(final int index, final String ... args) throws CadiException, APIException, LocatorException {
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				int idx = index;
+				String role = args[idx++];
+				StringBuilder desc = new StringBuilder();
+				while (idx < args.length) {
+					desc.append(args[idx++] + ' ');
+				}
+		
+				RoleRequest rr = new RoleRequest();
+				rr.setName(role);
+				rr.setDescription(desc.toString());
+		
+				// Set Start/End commands
+				setStartEnd(rr);
+				
+				Future<RoleRequest> fp = null;
+				int rv;
+
+				fp = client.update(
+					ROLE_PATH,
+					getDF(RoleRequest.class),
+					rr
+					);
+
+				if(fp.get(AAFcli.timeout())) {
+					rv=fp.code();
+					pw().println("Description added to role");
+				} else {
+					if((rv=fp.code())==202) {
+						pw().print("Adding description");
+						pw().println(" Accepted, but requires Approvals before actualizing");
+					} else {
+						error(fp);
+					}
+				}
+				return rv;
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,"Add a description to a role");
+		api(sb,indent,HttpMethods.PUT,"authz/role",RoleRequest.class,true);
+	}
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/List.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/List.java
new file mode 100644
index 00000000..2e09b03b
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/List.java
@@ -0,0 +1,211 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.role;
+
+import java.util.Collections;
+import java.util.Comparator;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.BaseCmd;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import aaf.v2_0.Perm;
+import aaf.v2_0.Perms;
+import aaf.v2_0.Pkey;
+import aaf.v2_0.Roles;
+import aaf.v2_0.UserRole;
+import aaf.v2_0.UserRoles;
+
+
+
+public class List extends BaseCmd<Role> {
+	private static final String XXXX_XX_XX = "XXXX-XX-XX";
+	private static final String LIST_ROLES_BY_NAME = "list roles for role";
+
+	public List(Role parent) {
+		super(parent,"list");
+		cmds.add(new ListByUser(this));
+		cmds.add(new ListByRole(this));
+		cmds.add(new ListByNS(this));
+		cmds.add(new ListByNameOnly(this));
+		cmds.add(new ListByPerm(this));
+		cmds.add(new ListActivity(this));
+	}
+	
+	// Package Level on purpose
+	abstract class ListRoles extends Retryable<Integer> {
+		protected int list(Future<Roles> fr,Rcli<?> client, String header) throws APIException, CadiException {
+			if(fr.get(AAFcli.timeout())) {
+				Perms perms=null;
+				if (aafcli.isDetailed()) {
+					for(aaf.v2_0.Role r : fr.value.getRole()) {
+						Future<Perms> fp = client.read(
+								"/authz/perms/role/"+r.getName()+(aafcli.isDetailed()?"?ns":""), 
+								getDF(Perms.class)
+							);
+						if(fp.get(AAFcli.timeout())) {
+							if(perms==null) {
+								perms = fp.value;
+							} else {
+								perms.getPerm().addAll(fp.value.getPerm());
+							}
+						}
+					}
+				}
+				report(fr.value,perms,null,header);
+			} else {
+				error(fr);
+			}
+			return fr.code();
+		}
+	}
+
+	private final static String roleFormat = "%-56s Expires %s\n";
+	private final static String roleFormatNoDate = "%-61s\n";
+	private final static String roleExpiredFormat = "%-53s !!! EXPIRED !!! %s\n";
+	private final static String permFormat = "   %-30s %-30s %-15s\n";
+
+	
+	private static final Comparator<aaf.v2_0.Role> roleCompare = new Comparator<aaf.v2_0.Role>() {
+		@Override
+		public int compare(aaf.v2_0.Role a, aaf.v2_0.Role b) {
+			return a.getName().compareTo(b.getName());
+		}
+	};
+	public void report(Roles roles, Perms perms, UserRoles urs, String ... str) {
+		reportHead(str);
+		XMLGregorianCalendar now = Chrono.timeStamp().normalize();
+		if(roles==null || roles.getRole().isEmpty()) {
+			pw().println("<No Roles Found>");
+		} else if (aafcli.isDetailed()){
+			if (aafcli.isDetailed() && str[0].toLowerCase().contains(LIST_ROLES_BY_NAME)) {
+				String description = roles.getRole().get(0).getDescription();
+				if (description == null) description = "";
+				reportColHead("%-80s\n","Description: " + description);
+			} 			
+
+			String fullFormat = roleFormat+permFormat;
+			reportColHead(fullFormat,"[ROLE NS].Name","","[PERM NS].Type","Instance","Action");
+			Collections.sort(roles.getRole(),roleCompare);
+			for(aaf.v2_0.Role r : roles.getRole()) {
+				String roleName = r.getName();
+				String ns = r.getNs();
+				if(aafcli.isTest()) {
+					if(ns==null) {
+						pw().format(roleFormat, roleName,XXXX_XX_XX);
+					} else {
+						pw().format(roleFormat, "["+ns+"]"+roleName.substring(ns.length()),XXXX_XX_XX);
+					}
+				} else {
+					UserRole ur = get(roleName,urs);
+					if(ur!=null && now.compare(ur.getExpires().normalize())>0) {
+						if(ns==null) {
+							pw().format(roleExpiredFormat, roleName,Chrono.dateOnlyStamp(ur.getExpires()));
+						} else {
+							pw().format(roleExpiredFormat, "["+ns+"]"+roleName.substring(ns.length()),Chrono.dateOnlyStamp(ur.getExpires()));
+						}
+					} else {
+						if(ns==null) {
+							pw().format(roleFormat, roleName,ur!=null?Chrono.dateOnlyStamp(ur.getExpires()):"");
+						} else {
+							pw().format(roleFormat, "["+ns+"]"+roleName.substring(ns.length()),ur!=null?Chrono.dateOnlyStamp(ur.getExpires()):"");
+						}
+					}
+				}
+
+				for(Pkey pkey : r.getPerms()) {
+					Perm perm = get(pkey,perms);
+					if(perm==null || perm.getNs()==null) {
+						pw().format(permFormat, 
+								pkey.getType(),
+								pkey.getInstance(),
+								pkey.getAction());
+					} else {
+						String ns1 = perm.getNs();
+						pw().format(permFormat, 
+								'['+ns1+"]"+perm.getType().substring(ns1.length()),
+								perm.getInstance(),
+								perm.getAction());
+					}
+				}
+			}
+		} else {
+			String fullFormat = roleFormat;
+			reportColHead(fullFormat,"ROLE Name","","PERM Type","Instance","Action");
+			Collections.sort(roles.getRole(),roleCompare);
+			for(aaf.v2_0.Role r : roles.getRole()) {
+				if (urs != null) {
+					String roleName = r.getName();
+					if(!aafcli.isTest()) {
+						UserRole ur = get(roleName,urs);
+						if(ur!=null && now.compare(ur.getExpires().normalize())>0) {
+							pw().format(roleExpiredFormat, roleName+"*",Chrono.dateOnlyStamp(ur.getExpires()));
+						} else {
+							pw().format(roleFormat, roleName,ur!=null?Chrono.dateOnlyStamp(ur.getExpires()):"");
+						}
+					} else {
+						pw().format(roleFormat, roleName,XXXX_XX_XX);
+					}
+				} else {
+					pw().format(roleFormatNoDate, r.getName());
+					for(Pkey perm : r.getPerms()) {
+						pw().format(permFormat, 
+								perm.getType(),
+								perm.getInstance(),
+								perm.getAction());
+					}
+				}
+			}
+		}
+	}
+	private Perm get(Pkey pkey, Perms perms) {
+		if(perms!=null) {
+			for(Perm p : perms.getPerm()) {
+				if(pkey.getAction().equals(p.getAction()) &&
+				   pkey.getInstance().equals(p.getInstance()) &&
+				   pkey.getType().equals(p.getType())) {
+					return p;
+				}
+			}
+		}
+		return null;
+	}
+	// The assumption is that these UserRoles are already pulled in by User... no need to check
+	private UserRole get(String roleName, UserRoles urs) {
+		if(urs!=null) {
+			for(UserRole ur : urs.getUserRole()) {
+				if(roleName.equals(ur.getRole())) {
+					return ur;
+				}
+			}
+		}
+		return null;
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListActivity.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListActivity.java
new file mode 100644
index 00000000..0331ae09
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListActivity.java
@@ -0,0 +1,75 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.role;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.History;
+
+/**
+ *  * @author Jonathan
+ *
+ */
+public class ListActivity extends Cmd {
+	private static final String HEADER = "List Activity of Role";
+
+	public ListActivity(List parent) {
+		super(parent,"activity", 
+				new Param("name",true));
+	}
+
+	@Override
+	public int _exec(int _idx, final String ... args) throws CadiException, APIException, LocatorException {
+	        int idx = _idx;
+		final String role = args[idx++];
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				Future<History> fp = client.read(
+						"/authz/hist/role/"+role, 
+						getDF(History.class)
+						);
+				if(fp.get(AAFcli.timeout())) {
+					activity(fp.value,HEADER + " [ " + role + " ]");
+				} else {
+					error(fp);
+				}
+				return fp.code();
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,HEADER);
+		api(sb,indent,HttpMethods.GET,"authz/hist/role/<role>",History.class,true);
+	}
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListByNS.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListByNS.java
new file mode 100644
index 00000000..11476f10
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListByNS.java
@@ -0,0 +1,72 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.role;
+
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Roles;
+
+/**
+ * Return Roles by NS
+ * 
+ * @author Jonathan
+ *
+ */
+public class ListByNS extends Cmd {
+	private static final String HEADER = "List Roles by NS ";
+	
+	public ListByNS(List parent) {
+		super(parent,"ns", 
+				new Param("name",true)); 
+	}
+
+	@Override
+	public int _exec( int idx, final String ... args) throws CadiException, APIException, LocatorException {
+		final String ns=args[idx];
+
+		return same(((List)parent).new ListRoles() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				Future<Roles> fp = client.read(
+						"/authz/roles/ns/"+ns+(aafcli.isDetailed()?"?ns":""), 
+						getDF(Roles.class)
+						);
+				return list(fp,client, HEADER+"["+ns+"]");
+			}
+		});
+	}
+	
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,HEADER);
+		api(sb,indent,HttpMethods.GET,"authz/roles/name/<ns>",Roles.class,true);
+	}
+
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListByNameOnly.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListByNameOnly.java
new file mode 100644
index 00000000..81b86718
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListByNameOnly.java
@@ -0,0 +1,72 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.role;
+
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Roles;
+
+/**
+ * Return Roles by NS
+ * 
+ * @author Jonathan
+ *
+ */
+public class ListByNameOnly extends Cmd {
+	private static final String HEADER = "List Roles by Name ";
+	
+	public ListByNameOnly(List parent) {
+		super(parent,"name", 
+				new Param("name",true)); 
+	}
+
+	@Override
+	public int _exec( int idx, final String ... args) throws CadiException, APIException, LocatorException {
+		final String name=args[idx];
+
+		return same(((List)parent).new ListRoles() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				Future<Roles> fp = client.read(
+						"/authz/roles/name/"+name+(aafcli.isDetailed()?"?ns":""), 
+						getDF(Roles.class)
+						);
+				return list(fp,client, HEADER+"["+name+"]");
+			}
+		});
+	}
+	
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,HEADER);
+		api(sb,indent,HttpMethods.GET,"authz/roles/name/<name>",Roles.class,true);
+	}
+
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListByPerm.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListByPerm.java
new file mode 100644
index 00000000..cb18eb34
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListByPerm.java
@@ -0,0 +1,78 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.role;
+
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Roles;
+
+/**
+ * Return Roles by NS
+ * 
+ * @author Jonathan
+ *
+ */
+public class ListByPerm extends Cmd {
+	private static final String HEADER = "List Roles by Perm ";
+	
+	public ListByPerm(List parent) {
+		super(parent,"perm", 
+				new Param("type",true),
+				new Param("instance", true),
+				new Param("action", true)); 
+	}
+
+	@Override
+	public int _exec(int _idx, final String ... args) throws CadiException, APIException, LocatorException {
+	        int idx = _idx;
+		final String type=args[idx];
+		final String instance=args[++idx];
+		final String action=args[++idx];
+
+		return same(((List)parent).new ListRoles() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+
+				Future<Roles> fp = client.read(
+						"/authz/roles/perm/"+type+'/'+instance+'/'+action, 
+						getDF(Roles.class)
+						);
+				return list(fp,client, HEADER+type+'|'+instance+'|'+action);
+			}
+		});
+	}
+	
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,HEADER);
+		api(sb,indent,HttpMethods.GET,"authz/roles/user/<user>",Roles.class,true);
+	}
+
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListByRole.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListByRole.java
new file mode 100644
index 00000000..0fafbd92
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListByRole.java
@@ -0,0 +1,69 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.role;
+
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Roles;
+
+/**
+ * 
+ * @author Jonathan
+ *
+ */
+public class ListByRole extends Cmd {
+	private static final String HEADER="List Roles for Role";
+	
+	public ListByRole(List parent) {
+		super(parent,"role", 
+				new Param("role",true)); 
+	}
+
+	@Override
+	public int _exec(final int idx, final String ... args) throws CadiException, APIException, LocatorException {
+		return same(((List)parent).new ListRoles() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				String role=args[idx];	
+				Future<Roles> fp = client.read(
+						"/authz/roles/"+role+(aafcli.isDetailed()?"?ns":""), 
+						getDF(Roles.class) 
+						);
+				return list(fp,client,HEADER+"["+role+"]");
+			}
+		});
+	}
+	
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,HEADER);
+		api(sb,indent,HttpMethods.GET,"authz/roles/<role>",Roles.class,true);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListByUser.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListByUser.java
new file mode 100644
index 00000000..7165de67
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListByUser.java
@@ -0,0 +1,99 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.role;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Perms;
+import aaf.v2_0.Roles;
+import aaf.v2_0.UserRoles;
+
+/**
+ * p
+ * @author Jonathan
+ *
+ */
+public class ListByUser extends Cmd {
+	private static final String HEADER = "List Roles for User ";
+	
+	public ListByUser(List parent) {
+		super(parent,"user", 
+				new Param("id",true),
+				new Param("detail", false)); 
+	}
+
+	@Override
+	public int _exec( int idx, final String ... args) throws CadiException, APIException, LocatorException {
+		final String user=fullID(args[idx]);
+		
+
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				Perms perms=null;
+				UserRoles urs=null;
+				Future<Roles> fr = client.read(
+						"/authz/roles/user/"+user+(aafcli.isDetailed()?"?ns":""), 
+						getDF(Roles.class)
+						);
+				Future<UserRoles> fur = client.read(
+						"/authz/userRoles/user/"+user,
+						getDF(UserRoles.class)
+					);
+				if(fr.get(AAFcli.timeout())) {
+					if (aafcli.isDetailed()) {
+						Future<Perms> fp = client.read(
+								"/authz/perms/user/"+user+(aafcli.isDetailed()?"?ns":""), 
+								getDF(Perms.class)
+							);
+						if(fp.get(AAFcli.timeout())) {
+							perms = fp.value;
+						}
+					}
+					if (fur.get(AAFcli.timeout())) {
+						urs = fur.value;
+					}
+					
+					((List)parent).report(fr.value,perms,urs,HEADER,user);
+				} else {
+					error(fr);
+				}
+				return fr.code();
+			}
+		});
+	}
+	
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,HEADER);
+		api(sb,indent,HttpMethods.GET,"authz/roles/user/<user>",Roles.class,true);
+	}
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/Role.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/Role.java
new file mode 100644
index 00000000..f28654ee
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/Role.java
@@ -0,0 +1,39 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.role;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.BaseCmd;
+import org.onap.aaf.misc.env.APIException;
+
+public class Role extends BaseCmd<Role> {
+	public List list;
+
+	public Role(AAFcli aafcli) throws APIException {
+		super(aafcli, "role");
+		cmds.add(new CreateDelete(this));
+//		cmds.add(new Delete(this));
+		cmds.add(new User(this));
+		cmds.add(new Describe(this));
+		cmds.add(list = new List(this));
+	}
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/User.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/User.java
new file mode 100644
index 00000000..181804b9
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/User.java
@@ -0,0 +1,169 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.role;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.UserRoleRequest;
+
+/**
+ * p
+ * @author Jonathan
+ *
+ */
+public class User extends Cmd {
+	private final static String[] options = {"add","del","setTo","extend"};
+	public User(Role parent) {
+		super(parent,"user", 
+				new Param(optionsToString(options),true),
+				new Param("role",true),
+				new Param("id[,id]* (not required for setTo)",false)); 
+	}
+
+	@Override
+	public int _exec(final int index, final String ... args) throws CadiException, APIException, LocatorException {
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				int idx = index;
+				String action = args[idx++];
+				int option = whichOption(options, action);
+				UserRoleRequest urr = new UserRoleRequest();
+				urr.setRole(args[idx++]);
+				// Set Start/End commands
+				setStartEnd(urr);
+				
+				Future<?> fp = null;
+				
+				if (option != 2) {
+					String[] ids = args[idx++].split(",");
+					String verb=null,participle=null;
+					// You can request to be added or removed from role.
+					setQueryParamsOn(client);
+
+					for(String id: ids) {
+						id=fullID(id);
+						urr.setUser(id);
+						switch(option) {
+							case 0:
+								fp = client.create(
+										"/authz/userRole", 
+										getDF(UserRoleRequest.class), 
+										urr);
+								verb = "Added";
+								participle = "] to Role [" ;
+								break;
+							case 1:
+								fp = client.delete(
+										"/authz/userRole/"+urr.getUser()+'/'+urr.getRole(), 
+										Void.class);
+								verb = "Removed";
+								participle = "] from Role [" ;
+								break;
+						    case 3:
+								fp = client.update("/authz/userRole/extend/" + urr.getUser() + '/' + urr.getRole());
+								verb = "Extended";
+								participle = "] in Role [" ;
+								break;
+
+							default: // actually, should never get here...
+								throw new CadiException("Invalid action [" + action + ']');
+						}
+						if(fp.get(AAFcli.timeout())) {
+							pw().print(verb);
+							pw().print(" User [");
+							pw().print(urr.getUser());
+							pw().print(participle);
+							pw().print(urr.getRole());
+							pw().println(']');
+						} else {
+							switch(fp.code()) {
+								case 202:
+									pw().print("User Role ");
+									pw().print(action);
+									pw().println(" is Accepted, but requires Approvals before actualizing");
+									break;
+								case 404:
+									if(option==3) {
+										pw().println("Failed with code 404: UserRole is not found, or you do not have permission to view");
+										break;
+									}
+								default:
+									error(fp);
+							}
+						}
+					}
+				} else {
+					String allUsers = "";
+					if (idx < args.length) 
+						allUsers = args[idx++];
+					StringBuilder finalUsers = new StringBuilder();	
+					for (String u : allUsers.split(",")) {
+						if (u != "") {
+							u=fullID(u);
+							if (finalUsers.length() > 0) finalUsers.append(",");
+							finalUsers.append(u);
+						}
+					}
+
+					urr.setUser(finalUsers.toString());
+					fp = client.update(
+							"/authz/userRole/role", 
+							getDF(UserRoleRequest.class), 
+							urr);
+					if(fp.get(AAFcli.timeout())) {
+						pw().println("Set the Role to Users [" + allUsers + "]");
+					} else {
+						error(fp);
+					}		
+				}
+				return fp==null?0:fp.code();
+			}
+		});
+	}
+	
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,"Add OR Delete a User to/from a Role OR");
+		detailLine(sb,indent,"Set a User's Roles to the roles supplied");
+		detailLine(sb,indent+2,"role  - Name of Role to create");
+		detailLine(sb,indent+2,"id(s) - ID or IDs to add to the Role");
+		sb.append('\n');
+		detailLine(sb,indent+2,"Note: this is the same as \"user role add...\" except allows");
+		detailLine(sb,indent+2,"assignment of role to multiple userss");
+		detailLine(sb,indent+2,"WARNING: Users supplied with setTo will be the ONLY users attached to this role");
+		detailLine(sb,indent+2,"If no users are supplied, the users attached to this role are reset.");
+		api(sb,indent,HttpMethods.POST,"authz/userRole",UserRoleRequest.class,true);
+		api(sb,indent,HttpMethods.DELETE,"authz/userRole/<user>/<role>",Void.class,false);
+		api(sb,indent,HttpMethods.PUT,"authz/userRole/<role>",UserRoleRequest.class,false);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java
new file mode 100644
index 00000000..4bb2ae30
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java
@@ -0,0 +1,154 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.user;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.CredRequest;
+
+public class Cred extends Cmd {
+	public static final String ATTEMPT_FAILED_SPECIFICS_WITHELD = "Attempt Failed.  Specifics witheld.";
+	private static final String CRED_PATH = "/authn/cred";
+	private static final String[] options = {"add","del","reset","extend"/*,"clean"*/};
+//		private Clean clean;
+	public Cred(User parent) {
+		super(parent,"cred",
+				new Param(optionsToString(options),true),
+				new Param("id",true),
+				new Param("password (! D|E)",false),
+				new Param("entry# (if multi)",false)
+		);
+//			clean = new Clean(this);
+	}
+
+	@Override
+	public int _exec(int _idx, final String ... args) throws CadiException, APIException, LocatorException { 
+	    int idx = _idx;
+		String key = args[idx++];
+		final int option = whichOption(options,key);
+
+		final CredRequest cr = new CredRequest();
+		cr.setId(args[idx++]);
+		if(option!=1 && option!=3) {
+			if(idx>=args.length) throw new CadiException("Password Required");
+			cr.setPassword(args[idx++]);
+		}
+		if(args.length>idx)
+			cr.setEntry(args[idx++]);
+		
+		// Set Start/End commands
+		setStartEnd(cr);
+//			final int cleanIDX = _idx+1;
+		Integer ret = same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				Future<CredRequest> fp=null;
+				String verb =null;
+				switch(option) {
+					case 0:
+						fp = client.create(
+							CRED_PATH, 
+							getDF(CredRequest.class), 
+							cr
+							);
+						verb = "Added Credential [";
+						break;
+					case 1:
+//							if(aafcli.addForce())cr.setForce("TRUE");
+						setQueryParamsOn(client);
+						fp = client.delete(CRED_PATH,
+							getDF(CredRequest.class),
+							cr
+							);
+						verb = "Deleted Credential [";
+						break;
+					case 2:
+						fp = client.update(
+							CRED_PATH,
+							getDF(CredRequest.class),
+							cr
+							);
+						verb = "Reset Credential [";
+						break;
+					case 3:
+						fp = client.update(
+							CRED_PATH+"/5",
+							getDF(CredRequest.class),
+							cr
+							);
+						verb = "Extended Credential [";
+						break;
+//						case 4:
+//							return clean.exec(cleanIDX, args);
+				}
+				if(fp.get(AAFcli.timeout())) {
+					pw().print(verb);
+					pw().print(cr.getId());
+					pw().println(']');
+				} else if(fp.code()==202) {
+						pw().println("Credential Action Accepted, but requires Approvals before actualizing");
+				} else if(fp.code()==406 && option==1) {
+						pw().println("You cannot delete this Credential");
+				} else {
+					pw().println(ATTEMPT_FAILED_SPECIFICS_WITHELD);
+				}
+				return fp.code();
+			}
+		});
+		if(ret==null)ret = -1;
+		return ret;
+	}
+	
+	@Override
+	public void detailedHelp(int _indent, StringBuilder sb) {
+	        int indent = _indent;
+		detailLine(sb,indent,"Add, Delete or Reset Credential");
+		indent+=2;
+		detailLine(sb,indent,"id       - the ID to create/delete/reset within AAF");
+		detailLine(sb,indent,"password - Company Policy compliant Password (not required for Delete)");
+		detailLine(sb,indent,"entry    - selected option when deleting/resetting a cred with multiple entries");
+		sb.append('\n');
+		detailLine(sb,indent,"The Domain can be related to any Namespace you have access to *");
+		detailLine(sb,indent,"The Domain is in reverse order of Namespace, i.e. ");
+		detailLine(sb,indent+2,"NS of com.att.myapp can create user of XY1234@myapp.att.com");
+		sb.append('\n');
+		detailLine(sb,indent,"NOTE: AAF does support multiple creds with the same ID. Check with your org if you");
+		detailLine(sb,indent+2,"have this implemented. (For example, this is implemented for MechIDs at AT&T)");
+		sb.append('\n');			
+		detailLine(sb,indent,"*NOTE: com.att.csp is a reserved Domain for Global Sign On");
+
+		detailLine(sb,indent,"Delegates can be listed by the User or by the Delegate");
+		indent-=2;
+		api(sb,indent,HttpMethods.POST,"authn/cred",CredRequest.class,true);
+		api(sb,indent,HttpMethods.DELETE,"authn/cred",CredRequest.class,false);
+		api(sb,indent,HttpMethods.PUT,"authn/cred",CredRequest.class,false);
+	}
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Delg.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Delg.java
new file mode 100644
index 00000000..ec1aa5a0
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Delg.java
@@ -0,0 +1,131 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.user;
+
+import java.text.ParseException;
+import java.util.Date;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.BaseCmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.util.Chrono;
+import org.onap.aaf.misc.rosetta.env.RosettaDF;
+
+import aaf.v2_0.DelgRequest;
+
+public class Delg extends BaseCmd<User> {
+	static final String AUTHZ_DELG = "/authz/delegate";
+	private final static String[] options = {"add","upd","del"};
+
+	public Delg(User user) throws APIException {
+		super(user,"delegate",
+				new Param(optionsToString(options),true),
+				new Param("from",true),
+				new Param("to REQ A&U",false),
+				new Param("until (YYYY-MM-DD) REQ A", false)
+		);
+	}
+
+	@Override
+	public int _exec(final int index, final String ... args) throws CadiException, APIException, LocatorException {
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				int idx = index;
+				DelgRequest dr = new DelgRequest();
+				setStartEnd(dr);
+		
+				int option= whichOption(options, args[idx++]);
+				String user = fullID(args[idx++]);
+				dr.setUser(user);
+				if(option<2) {
+					String delegate = fullID(args[idx++]);
+					dr.setDelegate(delegate);
+					if(option<2 && args.length>idx) {
+						Date date;
+						try {
+							date = Chrono.dateOnlyFmt.parse(args[idx++]);
+						} catch (ParseException e) {
+							throw new CadiException(e);
+						}
+						dr.setEnd(Chrono.timeStamp(date));
+					}
+				}
+		
+				Future<DelgRequest> fp;
+				RosettaDF<DelgRequest> df = getDF(DelgRequest.class);
+				String verb;
+				setQueryParamsOn(client);
+
+				switch(option) {
+					case 0: 
+						fp = client.create(AUTHZ_DELG, df, dr);
+						verb = "Added";
+						break;
+					case 1: 
+						fp = client.update(AUTHZ_DELG, df, dr); 
+						verb = "Updated";
+						break;
+					case 2: 
+						fp = client.delete(AUTHZ_DELG, df, dr); 
+						verb = "Deleted";
+						break;
+					default:
+						throw new CadiException("Bad Argument");
+				};
+				
+				if(fp.get(AAFcli.timeout())) {
+					pw().append("Delegate ");
+					pw().println(verb);
+				} else {
+					error(fp);
+				}
+				return fp.code();
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int _indent, StringBuilder sb) {
+	        int indent = _indent;
+		detailLine(sb,indent,"Add, Update or Delete Delegate");
+		indent+=2;
+		detailLine(sb,indent,"A Delegate is a person who will temporarily cover the Approval and");
+		detailLine(sb,indent,"Ownership questions on behalf of the person Responsible.");
+		sb.append('\n');
+		detailLine(sb,indent,"fromID - the person who is the Responsible person of record");
+		detailLine(sb,indent,"toID   - the person who will be delegated (required for Add/Update)");
+		detailLine(sb,indent,"until  - the end date for this delegation");
+		indent-=2;
+		api(sb,indent,HttpMethods.POST,AUTHZ_DELG,DelgRequest.class,true);
+		api(sb,indent,HttpMethods.DELETE,AUTHZ_DELG,DelgRequest.class,false);
+		api(sb,indent,HttpMethods.PUT,AUTHZ_DELG,DelgRequest.class,false);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/List.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/List.java
new file mode 100644
index 00000000..5c87f906
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/List.java
@@ -0,0 +1,121 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.user;
+
+import java.util.Collections;
+import java.util.Comparator;
+
+import org.onap.aaf.auth.cmd.BaseCmd;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import aaf.v2_0.Approval;
+import aaf.v2_0.Approvals;
+import aaf.v2_0.Delg;
+import aaf.v2_0.Delgs;
+import aaf.v2_0.Users;
+
+public class List extends BaseCmd<User> {
+
+	public List(User parent) {
+		super(parent,"list");
+		cmds.add(new ListForRoles(this));
+		cmds.add(new ListForPermission(this));
+		cmds.add(new ListForCreds(this));
+		cmds.add(new ListDelegates(this));
+		cmds.add(new ListApprovals(this));
+		cmds.add(new ListActivity(this));
+	}
+
+	 
+	void report(Users users, boolean count, String ... str) {
+		reportHead(str);
+		int idx = 0;
+		java.util.List<aaf.v2_0.Users.User> sorted = users.getUser();
+		Collections.sort(sorted, new Comparator<aaf.v2_0.Users.User>() {
+			@Override
+			public int compare(aaf.v2_0.Users.User u1, aaf.v2_0.Users.User u2) {
+				if(u2==null || u2 == null) {
+					return -1;
+				}
+				return u1.getId().compareTo(u2.getId());
+			}
+		});
+		String format = reportColHead("%-40s %-10s %-30s\n","User","Type","Expires");
+		String date = "XXXX-XX-XX";
+		for(aaf.v2_0.Users.User user : sorted) {
+			if(!aafcli.isTest()) {
+				date = Chrono.dateOnlyStamp(user.getExpires());
+			}
+			pw().format(format, 
+					count? (Integer.valueOf(++idx) + ") " + user.getId()): user.getId(),
+					org.onap.aaf.auth.cmd.ns.List.getType(user),
+					date);
+		}
+		pw().println();
+	}
+
+	public void report(Approvals approvals, String title, String id) {
+		reportHead(title,id);
+		String format = reportColHead("  %-20s %-20s %-11s %-6s %12s\n","User","Approver","Type","Status","Updated");
+		java.util.List<Approval> lapp = approvals.getApprovals();
+		Collections.sort(lapp, new Comparator<Approval>() {
+			@Override
+			public int compare(Approval a1, Approval a2) {
+				return a1.getTicket().compareTo(a2.getTicket());
+			}
+		} );
+		String ticket = null, prev = null;
+		for(Approval app : lapp ) {
+			ticket = app.getTicket();
+			if(!ticket.equals(prev)) {
+				pw().print("Ticket: ");
+				pw().println(ticket);
+			}
+			prev = ticket;
+
+			pw().format(format,
+					app.getUser(),
+					app.getApprover(),
+					app.getType(),
+					app.getStatus(),
+					Chrono.niceDateStamp(app.getUpdated())
+					);
+		}
+	}
+
+	public void report(Delgs delgs, String title, String id) {
+		reportHead(title,id);
+		String format = reportColHead(" %-25s %-25s  %-10s\n","User","Delegate","Expires");
+		String date = "XXXX-XX-XX";
+		for(Delg delg : delgs.getDelgs()) {
+			if(!this.aafcli.isTest()) 
+				date = Chrono.dateOnlyStamp(delg.getExpires());
+			pw().printf(format, 
+						delg.getUser(),
+						delg.getDelegate(),
+						date
+						);
+		}
+	}
+
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ListActivity.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ListActivity.java
new file mode 100644
index 00000000..8ffcb0b6
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ListActivity.java
@@ -0,0 +1,78 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.user;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.History;
+
+/**
+ *  * @author Jonathan
+ *
+ */
+public class ListActivity extends Cmd {
+	private static final String HEADER = "List Activity of User";
+
+	public ListActivity(List parent) {
+		super(parent,"activity", 
+				new Param("user",true));
+	}
+
+	@Override
+	public int _exec(int _idx, final String ... args) throws CadiException, APIException, LocatorException {
+	        int idx = _idx;
+		final String user = fullID(args[idx++]);
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+		
+				Future<History> fp = client.read(
+						"/authz/hist/user/"+user, 
+						getDF(History.class)
+						);
+				if(fp.get(AAFcli.timeout())) {
+					activity(fp.value,HEADER + " [ " + user + " ]");
+				} else {
+					error(fp);
+				}
+				return fp.code();
+			}
+		});
+	}
+	
+
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb,indent,HEADER);
+		api(sb,indent,HttpMethods.GET,"authz/hist/user/<user>",History.class,true);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ListApprovals.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ListApprovals.java
new file mode 100644
index 00000000..0a461c49
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ListApprovals.java
@@ -0,0 +1,102 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.user;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Approvals;
+
+/**
+ * 
+ * @author Jonathan
+ *
+ */
+public class ListApprovals extends Cmd {
+	private static final String HEADER = "List Approvals"; 
+	private final static String[] options = {"user","approver","ticket"};
+	public ListApprovals(List parent) {
+		super(parent,"approvals", 
+				new Param(optionsToString(options),true),
+				new Param("value",true)); 
+	}
+
+	@Override
+	public int _exec(int _idx, final String ... args) throws CadiException, APIException, LocatorException {
+	        int idx = _idx;
+		final String type = args[idx++];
+		int option = whichOption(options,type);
+		String value = args[idx++];
+		final String fullValue;
+		if (option != 2) {
+			fullValue = fullID(value);
+		} else {
+		    fullValue = value;
+		}
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				Future<Approvals> fp = client.read(
+						"/authz/approval/"+type+'/'+fullValue, 
+						getDF(Approvals.class)
+						);
+				if(fp.get(AAFcli.timeout())) {
+					((List)parent).report(fp.value,HEADER + " by " + type,fullValue);
+					if(fp.code()==404) {
+					    return 200;
+					}
+				} else {
+					error(fp);
+				}
+				return fp.code();
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int _indent, StringBuilder sb) {
+	        int indent = _indent;
+		detailLine(sb,indent,HEADER);
+		indent+=2;
+		detailLine(sb,indent,"Approvals are used when the Requestor does not have the rights");
+		detailLine(sb,indent,"to perform the action required.  Approvers are those listed as");
+		detailLine(sb,indent,"responsible for Namespace associated with the request, and those");
+		detailLine(sb,indent,"required by the Company by Policy.  This may be, for instance");
+		detailLine(sb,indent,"the supervisor of the requestor");
+		sb.append('\n');
+		detailLine(sb,indent,"Delegates can be listed by User, Approver or Ticket.");
+		indent-=2;
+		api(sb,indent,HttpMethods.GET,"authz/approval/user/<value>",Approvals.class,true);
+		api(sb,indent,HttpMethods.GET,"authz/approval/approver/<value>",Approvals.class,false);
+		api(sb,indent,HttpMethods.GET,"authz/approval/ticket/<value>",Approvals.class,false);
+	}
+
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ListDelegates.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ListDelegates.java
new file mode 100644
index 00000000..4397b426
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ListDelegates.java
@@ -0,0 +1,92 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.user;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Delgs;
+
+/**
+ *  * @author Jonathan
+ *
+ */
+public class ListDelegates extends Cmd {
+	private static final String HEADER = "List Delegates"; 
+	private static final String[] options = {"user","delegate"};
+	public ListDelegates(List parent) {
+		super(parent,"delegates", 
+				new Param(optionsToString(options),true),
+				new Param("id",true));
+	}
+
+	@Override
+	public int _exec(int _idx, final String ... args) throws CadiException, APIException, LocatorException {
+		int idx = _idx;
+ 		final String key = args[idx++];
+		//int option = whichOption(options,key);
+		final String id = fullID(args[idx++]);
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+		
+				Future<Delgs> fp = client.read(
+						"/authz/delegates/" + key + '/' + id, 
+						getDF(Delgs.class)
+						);
+				if(fp.get(AAFcli.timeout())) {
+					((List)parent).report(fp.value,HEADER + " by " + key, id);
+					if(fp.code()==404)return 200;
+				} else {
+					error(fp);
+				}
+				return fp.code();
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int _indent, StringBuilder sb) {
+	        int indent = _indent;
+		detailLine(sb,indent,HEADER);
+		indent+=2;
+		detailLine(sb,indent,"Delegates are those people temporarily assigned to cover the");
+		detailLine(sb,indent,"responsibility of Approving, etc, while the actual Responsible");
+		detailLine(sb,indent,"Party is absent.  Typically, this is for Vacation, or Business");
+		detailLine(sb,indent,"Travel.");
+		sb.append('\n');
+		detailLine(sb,indent,"Delegates can be listed by the User or by the Delegate");
+		indent-=2;
+		api(sb,indent,HttpMethods.GET,"authz/delegates/user/<id>",Delgs.class,true);
+		api(sb,indent,HttpMethods.GET,"authz/delegates/delegate/<id>",Delgs.class,false);
+	}
+
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ListForCreds.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ListForCreds.java
new file mode 100644
index 00000000..4aa42f9f
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ListForCreds.java
@@ -0,0 +1,100 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.user;
+
+import java.util.Collections;
+import java.util.Comparator;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Users;
+import aaf.v2_0.Users.User;
+
+/**
+ * List for Creds
+ * @author Jonathan
+ *
+ */
+public class ListForCreds extends Cmd {
+	private final static String[] options = {"ns","id"};
+
+	private static final String HEADER = "List creds by Namespace or ID ";
+	public ListForCreds(List parent) {
+		super(parent,"cred",
+				new Param(optionsToString(options),true),
+				new Param("value",true)); 
+	}
+
+	@Override
+	public int _exec(int _idx, final String ... args) throws CadiException, APIException, LocatorException {
+	        int idx = _idx;
+		final int option = whichOption(options, args[idx++]);
+		final String which = options[option];
+		final String value = args[idx++];
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				Future<Users> fp = client.read(
+						"/authn/creds/"+which+'/'+value, 
+						getDF(Users.class)
+						);
+				if(fp.get(AAFcli.timeout())) {
+					if (aafcli.isTest())
+						Collections.sort(fp.value.getUser(), new Comparator<User>() {
+							@Override
+							public int compare(User u1, User u2) {
+								return u1.getId().compareTo(u2.getId());
+							}			
+						});
+					((org.onap.aaf.auth.cmd.user.List)parent).report(fp.value,option==1,HEADER+which,value);
+					if(fp.code()==404)return 200;
+				} else {
+					error(fp);
+				}
+				return fp.code();
+			}
+		});
+	}
+	
+	@Override
+	public void detailedHelp(int _indent, StringBuilder sb) {
+	        int indent = _indent;
+		detailLine(sb,indent,HEADER);
+		indent+=2;
+		detailLine(sb,indent,"This report lists the users associated to either Namespaces or IDs.");
+		detailLine(sb,indent,"ns (literal) - which Namespace");
+		detailLine(sb,indent,"id (literal) - identity");
+		indent-=2;
+		api(sb,indent,HttpMethods.GET,"authn/creds/ns/<ns>",Users.class,true);
+		api(sb,indent,HttpMethods.GET,"authn/creds/id/<identity>",Users.class,true);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ListForPermission.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ListForPermission.java
new file mode 100644
index 00000000..32938101
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ListForPermission.java
@@ -0,0 +1,103 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.user;
+
+import java.util.Collections;
+import java.util.Comparator;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Users;
+import aaf.v2_0.Users.User;
+
+/**
+ * p
+ * @author Jonathan
+ *
+ */
+public class ListForPermission extends Cmd {
+	private static final String HEADER = "List Users for Permission";
+	public ListForPermission(List parent) {
+		super(parent,"perm", 
+				new Param("type",true),
+				new Param("instance",true),
+				new Param("action",true)); 
+	}
+
+	@Override
+	public int _exec(final int index, final String ... args) throws CadiException, APIException, LocatorException {
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				int idx = index;
+				String type = args[idx++];
+				String instance = args[idx++];
+				if("\\*".equals(instance))instance="*";
+				String action = args[idx++];
+				if("\\*".equals(action))action="*";
+				Future<Users> fp = client.read(
+						"/authz/users/perm/"+type+'/'+instance+'/'+action, 
+						getDF(Users.class)
+						);
+				if(fp.get(AAFcli.timeout())) {
+					if (aafcli.isTest())
+						Collections.sort(fp.value.getUser(), new Comparator<User>() {
+							@Override
+							public int compare(User u1, User u2) {
+								return u1.getId().compareTo(u2.getId());
+							}			
+						});
+					((org.onap.aaf.auth.cmd.user.List)parent).report(fp.value,false,HEADER,type+"|"+instance+"|"+action);
+					if(fp.code()==404)return 200;
+				} else {
+					error(fp);
+				}
+				return fp.code();
+			}
+		});
+	}
+	
+	@Override
+	public void detailedHelp(int _indent, StringBuilder sb) {
+	        int indent = _indent;
+		detailLine(sb,indent,HEADER);
+		indent+=2;
+		detailLine(sb,indent,"This report lists the users associated to Permissions.  Since Users");
+		detailLine(sb,indent,"are associated to Roles, and Roles have Permissions, this report");
+		detailLine(sb,indent,"accomodates all these linkages.");
+		sb.append('\n');
+		detailLine(sb,indent,"The URL must contain the Permission's type,instance and action, and ");
+		detailLine(sb,indent,"may include \"*\"s (type in as \\\\*).");
+		detailLine(sb,indent,"See Perm Create Documentation for definitions.");
+		indent-=2;
+		api(sb,indent,HttpMethods.GET,"authz/users/perm/<type>/<instance>/<action>",Users.class,true);
+	}
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ListForRoles.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ListForRoles.java
new file mode 100644
index 00000000..28d7f57a
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ListForRoles.java
@@ -0,0 +1,92 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.user;
+
+import java.util.Collections;
+import java.util.Comparator;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.Users;
+import aaf.v2_0.Users.User;
+
+/**
+ * p
+ * @author Jonathan
+ *
+ */
+public class ListForRoles extends Cmd {
+	private static final String HEADER = "List Users for Role";
+	public ListForRoles(List parent) {
+		super(parent,"role", new Param("role",true)); 
+	}
+
+	@Override
+	public int _exec(int _idx, final String ... args) throws CadiException, APIException, LocatorException {
+	        int idx = _idx;
+		final String role = args[idx++];
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				Future<Users> fp = client.read(
+						"/authz/users/role/"+role, 
+						getDF(Users.class)
+						);
+				if(fp.get(AAFcli.timeout())) {
+					if (aafcli.isTest())
+						Collections.sort(fp.value.getUser(), new Comparator<User>() {
+							@Override
+							public int compare(User u1, User u2) {
+								return u1.getId().compareTo(u2.getId());
+							}			
+						});
+					((org.onap.aaf.auth.cmd.user.List)parent).report(fp.value,false, HEADER,role);
+					if(fp.code()==404)return 200;
+				} else {
+					error(fp);
+				}
+				return fp.code();
+			}
+		});
+	}
+	
+	@Override
+	public void detailedHelp(int _indent, StringBuilder sb) {
+	        int indent = _indent;
+		detailLine(sb,indent,HEADER);
+		indent+=2;
+		detailLine(sb,indent,"This report lists the users associated to Roles.");
+		detailLine(sb,indent,"role - the Role name");
+		indent-=2;
+		api(sb,indent,HttpMethods.GET,"authz/users/role/<role>",Users.class,true);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Role.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Role.java
new file mode 100644
index 00000000..70bc16a3
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Role.java
@@ -0,0 +1,155 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.user;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Param;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.UserRoleRequest;
+
+/**
+ * p
+ * 
+ * @author Jonathan
+ *
+ */
+public class Role extends Cmd {
+	private static final String[] options = {"add", "del", "setTo","extend"};
+	public Role(User parent) {
+		super(parent, "role", new Param(optionsToString(options), true), new Param("user", true), new Param(
+				"role[,role]* (!REQ S)", false));
+	}
+
+	@Override
+	public int _exec(final int index, final String ... args) throws CadiException, APIException, LocatorException {
+		return same(new Retryable<Integer>() {
+			@Override
+			public Integer code(Rcli<?> client) throws CadiException, APIException {
+				int idx = index;
+				String key = args[idx++];
+				int option = whichOption(options, key);
+				final String user = fullID(args[idx++]);
+
+				UserRoleRequest urr = new UserRoleRequest();
+				urr.setUser(user);
+				// Set Start/End commands
+				setStartEnd(urr);
+
+				Future<?> fp = null;
+
+				if (option != 2) {
+					if (args.length < 5) {
+						throw new CadiException(build(new StringBuilder("Too few args: "), null).toString());                        
+					}
+					String[] roles = args[idx++].split(",");
+					for (String role : roles) {
+						String verb = null,participle=null;
+						urr.setRole(role);
+						// You can request to be added or removed from role.
+						setQueryParamsOn(client);
+						switch(option) {
+						  case 0:
+							fp = client.create("/authz/userRole", getDF(UserRoleRequest.class), urr);
+							verb = "Added";
+							participle = "] to User [" ;
+							break;
+						  case 1:
+							fp = client.delete("/authz/userRole/" + urr.getUser() + '/' + urr.getRole(), Void.class);
+							verb = "Removed";
+							participle = "] from User [" ;
+							break;
+						  case 3:
+							fp = client.update("/authz/userRole/extend/" + urr.getUser() + '/' + urr.getRole());
+							verb = "Extended";
+							participle = "] to User [" ;
+							break;
+						  default:
+							throw new CadiException("Invalid action [" + key + ']');
+						}
+						if (fp.get(AAFcli.timeout())) {
+							pw().print(verb);
+							pw().print(" Role [");
+							pw().print(urr.getRole());
+							pw().print(participle);
+							pw().print(urr.getUser());
+							pw().println(']');
+						} else {
+							switch(fp.code()) {
+							case 202:
+								pw().print("UserRole ");
+								pw().print(option == 0 ? "Creation" : option==1?"Deletion":"Extension");
+								pw().println(" Accepted, but requires Approvals before actualizing");
+								break;
+							case 404:
+								if(option==3) {
+									pw().println("Failed with code 404: UserRole is not found, or you do not have permission to view");
+									break;
+								}
+							default:
+								error(fp);
+							}
+						}
+					}
+				} else {
+					// option 2 is setTo command (an update call)
+					String allRoles = "";
+					if (idx < args.length)
+						allRoles = args[idx++];
+
+					urr.setRole(allRoles);
+					fp = client.update("/authz/userRole/user", getDF(UserRoleRequest.class), urr);
+					if (fp.get(AAFcli.timeout())) {
+						pw().println("Set User's Roles to [" + allRoles + "]");
+					} else {
+						error(fp);
+					}
+				}
+				return fp == null ? 0 : fp.code();
+			}
+		});
+	}
+
+	@Override
+	public void detailedHelp(int indent, StringBuilder sb) {
+		detailLine(sb, indent, "Add OR Delete a User to/from a Role OR");
+		detailLine(sb, indent, "Set a User's Roles to the roles supplied");
+		detailLine(sb, indent + 2, "user    - ID of User");
+		detailLine(sb, indent + 2, "role(s) - Role or Roles to which to add the User");
+		sb.append('\n');
+		detailLine(sb, indent + 2, "Note: this is the same as \"role user add...\" except allows");
+		detailLine(sb, indent + 2, "assignment of user to multiple roles");
+		detailLine(sb, indent + 2, "WARNING: Roles supplied with setTo will be the ONLY roles attached to this user");
+		detailLine(sb, indent + 2, "If no roles are supplied, user's roles are reset.");
+		api(sb, indent, HttpMethods.POST, "authz/userRole", UserRoleRequest.class, true);
+		api(sb, indent, HttpMethods.DELETE, "authz/userRole/<user>/<role>", Void.class, false);
+		api(sb, indent, HttpMethods.PUT, "authz/userRole/<user>", UserRoleRequest.class, false);
+	}
+
+}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/User.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/User.java
new file mode 100644
index 00000000..458fc33a
--- /dev/null
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/User.java
@@ -0,0 +1,36 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cmd.user;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.BaseCmd;
+import org.onap.aaf.misc.env.APIException;
+
+public class User extends BaseCmd<User> {
+	public User(AAFcli aafcli) throws APIException {
+		super(aafcli,"user");
+		cmds.add(new Role(this));
+		cmds.add(new Cred(this));
+		cmds.add(new Delg(this));
+		cmds.add(new List(this));
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/JU_AAFCli.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/JU_AAFCli.java
new file mode 100644
index 00000000..d0013fef
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/JU_AAFCli.java
@@ -0,0 +1,198 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+import static org.mockito.Mockito.mock;
+
+import java.io.IOException;
+import java.io.OutputStreamWriter;
+import java.net.HttpURLConnection;
+import java.security.GeneralSecurityException;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.Locator;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.config.SecurityInfo;
+import org.onap.aaf.cadi.http.HBasicAuthSS;
+import org.onap.aaf.cadi.http.HMangr;
+import org.onap.aaf.cadi.locator.PropertyLocator;
+import org.onap.aaf.misc.env.APIException;
+@RunWith(MockitoJUnitRunner.class)
+public class JU_AAFCli {
+
+	private static AAFcli cli;
+	private static int TIMEOUT = Integer.parseInt(Config.AAF_CONN_TIMEOUT_DEF);
+
+//	@BeforeClass
+//	public static void setUp() throws Exception, Exception {
+//		cli = getAAfCli();
+//	}
+//
+//	@Test
+//	public void eval() throws Exception {
+//		assertTrue(cli.eval("#startswith"));
+//	}
+//
+//	@Test
+//	public void eval_empty() throws Exception {
+//		assertTrue(cli.eval(""));
+//	}
+//
+//	@Test
+//	public void eval1() throws Exception {
+//		assertTrue(cli.eval("@[123"));
+//	}
+//
+//	@Test
+//	public void eval2() throws Exception {
+//		assertFalse(cli.eval("as @[ 123"));
+//	}
+//
+//	@Test
+//	public void eval3() throws Exception {
+//		try {
+//			cli.eval("expect @[ 123");
+//		} catch (Exception e) {
+//			// TODO Auto-generated catch block
+//			assertTrue(e instanceof CadiException);
+//		}
+//	}
+//
+//	public void eval31() throws Exception {
+//		try {
+//			cli.eval("expect 1 @[ 123");
+//		} catch (Exception e) {
+//			// TODO Auto-generated catch block
+//			assertTrue(e instanceof CadiException);
+//		}
+//	}
+//
+//	@Test
+//	public void eval4() throws Exception {
+//		try {
+//			cli.eval("sleep @[ 123");
+//		} catch (Exception e) {
+//			assertTrue(e instanceof NumberFormatException);
+//		}
+//	}
+//
+//	@Test
+//	public void eval41() throws Exception {
+//		assertTrue(cli.eval("sleep 1 @[ 123"));
+//	}
+//
+//	@Test
+//	public void eval5() throws Exception {
+//		try {
+//			cli.eval("delay @[ 123");
+//		} catch (Exception e) {
+//			assertTrue(e instanceof NumberFormatException);
+//		}
+//	}
+//
+//	@Test
+//	public void eval51() throws Exception {
+//		assertTrue(cli.eval("delay 1 @[ 123"));
+//	}
+//
+//	@Test
+//	public void eval7() throws Exception {
+//		assertFalse(cli.eval("exit @[ 123"));
+//	}
+//
+//	@Test
+//	public void eval8() throws Exception {
+//		assertTrue(cli.eval("REQUEST @[ 123"));
+//	}
+//
+//	@Test
+//	public void eval9() throws Exception {
+//		assertTrue(cli.eval("FORCE @[ 123"));
+//	}
+//
+//	@Test
+//	public void eval10() throws Exception {
+//		assertTrue(cli.eval("set @[ 123"));
+//	}
+//
+//	@Test
+//	public void keyboardHelp() throws Exception {
+//		boolean noError=true;
+//		try {
+//			cli.keyboardHelp();
+//		} catch (Exception e) {
+//			noError=false;
+//		}
+//		assertTrue(noError);
+//	}
+//	
+//
+//	
+//	@Test
+//	public void setProp() throws Exception {
+//		boolean noError=true;
+//		try {
+//			cli.keyboardHelp();
+//		} catch (Exception e) {
+//			noError=false;
+//		}
+//		assertTrue(noError);
+//	}
+//	
+//	@Test
+//	public void eval_randomString() throws Exception {
+//		assertTrue(cli.eval("Some random string @#&*& to check complete 100 coverage"));
+//	}
+
+//	public static AAFcli getAAfCli() throws APIException, LocatorException, GeneralSecurityException, IOException {
+//		final AuthzEnv env = new AuthzEnv(System.getProperties());
+//		String aafUrl = "https://DME2RESOLVE";
+//		SecurityInfo si = new SecurityInfo(env);
+//		env.loadToSystemPropsStartsWith("AAF", "DME2");
+//		Locator loc;
+//		loc = new PropertyLocator(aafUrl);
+//		TIMEOUT = Integer.parseInt(env.getProperty(Config.AAF_CONN_TIMEOUT, Config.AAF_CONN_TIMEOUT_DEF));
+//		HMangr hman = new HMangr(env, loc).readTimeout(TIMEOUT).apiVersion("2.0");
+//
+//		// TODO: Consider requiring a default in properties
+//		env.setProperty(Config.AAF_DEFAULT_REALM,
+//				System.getProperty(Config.AAF_DEFAULT_REALM, Config.getDefaultRealm()));
+//		HBasicAuthSS ss = mock(HBasicAuthSS.class);
+//		//TODO: Gabe[JUnit] constructor issue
+//		return new AAFcli(env, new OutputStreamWriter(System.out), hman, si, ss);
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/JU_BaseCmd.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/JU_BaseCmd.java
new file mode 100644
index 00000000..75ae8160
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/JU_BaseCmd.java
@@ -0,0 +1,243 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.Date;
+import java.util.GregorianCalendar;
+
+import javax.xml.datatype.DatatypeConfigurationException;
+import javax.xml.datatype.DatatypeFactory;
+import javax.xml.datatype.XMLGregorianCalendar;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.BaseCmd;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.misc.env.APIException;
+
+import aaf.v2_0.History;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_BaseCmd {
+
+	private static AAFcli cli;
+	private static BaseCmd bCmd;
+
+//	@BeforeClass
+//	public static void setUp() throws APIException, LocatorException, GeneralSecurityException, IOException {
+//		cli = JU_AAFCli.getAAfCli();
+//		bCmd = new BaseCmd<>(cli, "testString");
+//	}
+
+//	@Test
+//	public void exec() throws CadiException, APIException, LocatorException {
+//		assertEquals(bCmd._exec(4, "add", "del", "reset", "extend"), 0);
+//
+//	}
+//	
+//	@Test
+//	public void exec1() throws CadiException, APIException, LocatorException {
+//		assertEquals(bCmd._exec(0, "add", "del", "reset", "extend"), 0);
+//
+//	}
+
+//	@Test
+//	public void error() throws CadiException, APIException, LocatorException {
+//		boolean noError = true;
+//		Future<String> future = new Future<String>() {
+//
+//			@Override
+//			public boolean get(int timeout) throws CadiException {
+//				// TODO Auto-generated method stub
+//				return false;
+//			}
+//
+//			@Override
+//			public int code() {
+//				// TODO Auto-generated method stub
+//				return 0;
+//			}
+//
+//			@Override
+//			public String body() {
+//				// TODO Auto-generated method stub
+//				return "{%}";
+//			}
+//
+//			@Override
+//			public String header(String tag) {
+//				// TODO Auto-generated method stub
+//				return null;
+//			}
+//		};
+//		try {
+//			//TODO: Gabe [JUnit] Not visible for junit
+//			bCmd.error(future);
+//		} catch (Exception e) {
+//			noError = false;
+//		}
+//		assertEquals(noError, true);
+//
+//	}
+//
+//
+//
+//	@Test
+//	public void activity() throws DatatypeConfigurationException {
+//		boolean noError = true;
+//		History history = new History();
+//		History.Item item = new History.Item();
+//		item.setTarget("target");
+//		item.setUser("user");
+//		item.setMemo("memo");
+//
+//		GregorianCalendar c = new GregorianCalendar();
+//		c.setTime(new Date());
+//		XMLGregorianCalendar date = DatatypeFactory.newInstance().newXMLGregorianCalendar(c);
+//		item.setTimestamp(date);
+//		history.getItem().add(item);
+//		try {
+//			bCmd.activity(history, "history");
+//		} catch (Exception e) {
+//			noError = false;
+//		}
+//		assertEquals(noError, true);
+//
+//	}
+//
+//	@Test
+//	public void activity1() throws DatatypeConfigurationException {
+//		boolean noError = true;
+//		History history = new History();
+//		History.Item item = new History.Item();
+//		item.setTarget("target");
+//		item.setUser("user");
+//		item.setMemo("memo");
+//
+//		GregorianCalendar c = new GregorianCalendar();
+//		c.setTime(new Date());
+//		XMLGregorianCalendar date = DatatypeFactory.newInstance().newXMLGregorianCalendar(c);
+//		item.setTimestamp(date);
+//		history.getItem().add(item);
+//		try {
+//			bCmd.activity(history, "1[]");
+//		} catch (Exception e) {
+//			noError = false;
+//		}
+//		assertEquals(noError, true);
+//
+//	}
+//	
+//
+//
+//	@Test
+//	public void error1() {
+//		boolean noError = true;
+//		Future<String> future = new Future<String>() {
+//
+//			@Override
+//			public boolean get(int timeout) throws CadiException {
+//				// TODO Auto-generated method stub
+//				return false;
+//			}
+//
+//			@Override
+//			public int code() {
+//				// TODO Auto-generated method stub
+//				return 0;
+//			}
+//
+//			@Override
+//			public String body() {
+//				// TODO Auto-generated method stub
+//				return "{<html><code>1</code></html>";
+//			}
+//
+//			@Override
+//			public String header(String tag) {
+//				// TODO Auto-generated method stub
+//				return null;
+//			}
+//		};
+//		try {
+//			bCmd.error(future);
+//		} catch (Exception e) {
+//			noError = false;
+//		}
+//		assertEquals(noError, true);
+//
+//	}
+
+//	@Test
+//	public void error2() {
+//		boolean noError = true;
+//		Future<String> future = new Future<String>() {
+//
+//			@Override
+//			public boolean get(int timeout) throws CadiException {
+//				// TODO Auto-generated method stub
+//				return false;
+//			}
+//
+//			@Override
+//			public int code() {
+//				// TODO Auto-generated method stub
+//				return 0;
+//			}
+//
+//			@Override
+//			public String body() {
+//				// TODO Auto-generated method stub
+//				return "other";
+//			}
+//
+//			@Override
+//			public String header(String tag) {
+//				// TODO Auto-generated method stub
+//				return null;
+//			}
+//		};
+//		try {
+//			bCmd.error(future);
+//		} catch (Exception e) {
+//			noError = false;
+//		}
+//		assertEquals(noError, true);
+//
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/JU_BasicAuth.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/JU_BasicAuth.java
new file mode 100644
index 00000000..6e79f816
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/JU_BasicAuth.java
@@ -0,0 +1,53 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test;
+
+import static org.junit.Assert.*;
+
+import java.io.IOException;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+//import org.onap.aaf.auth.cmd.BasicAuth;
+//TODO: Gabe [JUnit] Import missing
+@RunWith(MockitoJUnitRunner.class)
+public class JU_BasicAuth {
+	
+//	@Test
+//	public void getID () {
+//		try {
+//			BasicAuth bAuth = new BasicAuth("testUser", "nopass");
+//			assertEquals(bAuth.getID(), "testUser");
+//			System.out.println(bAuth.getID());
+//		} catch (IOException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//		
+//	}
+	
+	@Test
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/JU_Help.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/JU_Help.java
new file mode 100644
index 00000000..a44804d9
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/JU_Help.java
@@ -0,0 +1,97 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.Help;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+//import com.att.aft.dme2.internal.jetty.http.HttpStatus;
+//TODO: Gabe [JUnit] Import missing
+@RunWith(MockitoJUnitRunner.class)
+public class JU_Help {
+	
+//	private static AAFcli cli;
+//	private static Help help;
+//	
+//	@Mock
+//	private static List<Cmd> cmds;
+//	
+//	@BeforeClass
+//	public static void setUp() throws APIException, LocatorException, GeneralSecurityException, IOException {
+//		cli = JU_AAFCli.getAAfCli();
+//		cmds = new ArrayList<>();
+//		help = new Help(cli, cmds);
+//	}
+//	
+//	@Test
+//	public void exec_HTTP_200() {
+//		try {
+//			assertEquals(help._exec(1, "helps"), HttpStatus.OK_200);
+//		} catch (CadiException | APIException | LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+//	
+//	@Test
+//	public void exec_HTTP_200_1() {
+//		try {
+//			assertEquals(help._exec(1, "helps","help"), HttpStatus.OK_200);
+//		} catch (CadiException | APIException | LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+//	
+//	@Test
+//	public void detailhelp() {
+//		boolean hasError=false;
+//		try {
+//			help.detailedHelp(2, new StringBuilder("detail help test"));
+//		} catch (Exception e) {
+//			hasError=true;
+//		}
+//		assertEquals(hasError,false);
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/JU_Version.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/JU_Version.java
new file mode 100644
index 00000000..dddd4944
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/JU_Version.java
@@ -0,0 +1,64 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Version;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+//import com.att.aft.dme2.internal.jetty.http.HttpStatus;
+//TODO: Gabe [JUnit] Import missing
+@RunWith(MockitoJUnitRunner.class)
+public class JU_Version {
+	
+//	private static AAFcli cli;
+//	private static Version version;
+//	
+//	@BeforeClass
+//	public static void setUp() throws APIException, LocatorException, GeneralSecurityException, IOException {
+//		cli = JU_AAFCli.getAAfCli();
+//		version = new Version(cli);
+//	}
+//	
+//	@Test
+//	public void exec_HTTP_200() throws CadiException, APIException, LocatorException {
+//		assertEquals(version._exec(0, "Version"), HttpStatus.OK_200);
+//
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/mgmt/JU_Clear.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/mgmt/JU_Clear.java
new file mode 100644
index 00000000..078d84e8
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/mgmt/JU_Clear.java
@@ -0,0 +1,61 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.mgmt;
+
+import static org.mockito.Mockito.mock;
+import static org.junit.Assert.assertEquals;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.mgmt.Clear;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_Clear {
+	
+	private static Clear clr;
+	
+	@BeforeClass
+	public static void setUp() {
+		clr = mock(Clear.class);
+	}
+	
+	@Test
+	public void exec() {
+		try {
+			assertEquals(clr._exec(0, "clear"), 0);
+		} catch (CadiException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		} catch (APIException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		} catch (LocatorException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/mgmt/JU_Log.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/mgmt/JU_Log.java
new file mode 100644
index 00000000..6a8a2848
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/mgmt/JU_Log.java
@@ -0,0 +1,61 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.mgmt;
+
+import static org.mockito.Mockito.mock;
+import static org.junit.Assert.assertEquals;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.mgmt.Log;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_Log {
+	
+	private static Log log;
+	
+	@BeforeClass
+	public static void setUp() {
+		log = mock(Log.class);
+	}
+	
+	@Test
+	public void exec() {
+		try {
+			assertEquals(log._exec(0, "session clear"), 0);
+		} catch (CadiException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		} catch (APIException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		} catch (LocatorException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/mgmt/JU_SessClear.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/mgmt/JU_SessClear.java
new file mode 100644
index 00000000..ca2cba61
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/mgmt/JU_SessClear.java
@@ -0,0 +1,61 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.mgmt;
+
+import static org.mockito.Mockito.mock;
+import static org.junit.Assert.assertEquals;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.mgmt.SessClear;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_SessClear {
+	
+	private static SessClear sessclr;
+	
+	@BeforeClass
+	public static void setUp() {
+		sessclr = mock(SessClear.class);
+	}
+	
+	@Test
+	public void exec() {
+		try {
+			assertEquals(sessclr._exec(0, "session clear"), 0);
+		} catch (CadiException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		} catch (APIException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		} catch (LocatorException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_Admin.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_Admin.java
new file mode 100644
index 00000000..c8b85fd3
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_Admin.java
@@ -0,0 +1,71 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.ns;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.ns.Admin;
+import org.onap.aaf.auth.cmd.ns.NS;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_Admin {
+
+//	private static Admin admin;
+//
+//	@BeforeClass
+//	public static void setUp() throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = org.onap.aaf.auth.cmd.test.JU_AAFCli.getAAfCli();
+//		NS ns = new NS(cli);
+//		admin = new Admin(ns);
+//	}
+//
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(admin._exec(0, "add", "del", "reset", "extend"), 500);
+//		} catch (Exception e) {
+//			assertEquals(e.getMessage(), "java.net.UnknownHostException: DME2RESOLVE");
+//		}
+//	}
+//
+//	@Test
+//	public void detailedHelp() {
+//		boolean hasNoError = true;
+//		try {
+//			admin.detailedHelp(1, new StringBuilder("test"));
+//		} catch (Exception e) {
+//			hasNoError = false;
+//		}
+//		assertEquals(hasNoError, true);
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_Attrib.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_Attrib.java
new file mode 100644
index 00000000..ff6a8f84
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_Attrib.java
@@ -0,0 +1,72 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.ns;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.ns.Attrib;
+import org.onap.aaf.auth.cmd.ns.NS;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_Attrib {
+
+//	private static Attrib attrib;
+//
+//	@BeforeClass
+//	public static void setUp() throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		NS ns = new NS(cli);
+//		attrib = new Attrib(ns);
+//	}
+//
+//	@Test
+//	public void exec() {
+//		try {
+//			attrib._exec(0, "add", "del", "reset", "extend");
+//		} catch (Exception e) {
+//			assertEquals(e.getMessage(), "java.net.UnknownHostException: DME2RESOLVE");
+//		}
+//	}
+//
+//	@Test
+//	public void detailedHelp() {
+//		boolean hasNoError = true;
+//		try {
+//			attrib.detailedHelp(1, new StringBuilder("test"));
+//		} catch (Exception e) {
+//			hasNoError = false;
+//		}
+//		assertEquals(hasNoError, true);
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_Create.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_Create.java
new file mode 100644
index 00000000..b0822cd1
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_Create.java
@@ -0,0 +1,72 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.ns;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.ns.Create;
+import org.onap.aaf.auth.cmd.ns.NS;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_Create {
+
+	private static Create create;//might need to replace import with org.onap.aaf.auth.cmd.perm
+
+//	@BeforeClass
+//	public static void setUp() throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		NS ns = new NS(cli);
+//		create = new Create(ns);
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+
+	@Test
+	public void exec() {
+		try {
+			assertEquals(create._exec(0, "add", "del", "reset", "extend"), 500);
+		} catch (Exception e) {
+			assertEquals(e.getMessage(), "java.net.UnknownHostException: DME2RESOLVE");
+		}
+	}
+
+	@Test
+	public void detailedHelp() {
+		boolean hasNoError = true;
+		try {
+			create.detailedHelp(1, new StringBuilder("test"));
+		} catch (Exception e) {
+			hasNoError = false;
+		}
+		assertEquals(hasNoError, true);
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_Delete.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_Delete.java
new file mode 100644
index 00000000..fecca0b0
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_Delete.java
@@ -0,0 +1,76 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.ns;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.ns.Delete;
+import org.onap.aaf.auth.cmd.ns.NS;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+public class JU_Delete {
+
+//	private static Delete delete;//import may be org.onap.aaf.auth.cmd.perm
+//
+//	@BeforeClass
+//	public static void setUp() throws APIException, LocatorException, GeneralSecurityException, IOException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		NS ns = new NS(cli);
+//		delete = new Delete(ns);
+//
+//	}
+//
+//	@Test
+//	public void exec() {
+//		try {
+//			delete._exec(0, "del", "del", "del");
+//		} catch (Exception e) {
+//			assertEquals(e.getMessage(), "java.net.UnknownHostException: DME2RESOLVE");
+//		}
+//	}
+//
+//	@Test
+//	public void detailedHelp() {
+//		boolean hasNoError = true;
+//		try {
+//			delete.detailedHelp(1, new StringBuilder("test"));
+//		} catch (Exception e) {
+//			hasNoError = false;
+//		}
+//		assertEquals(hasNoError, true);
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_Describe.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_Describe.java
new file mode 100644
index 00000000..4d4deb1b
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_Describe.java
@@ -0,0 +1,77 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.ns;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+import static org.mockito.Mockito.CALLS_REAL_METHODS;
+import static org.mockito.Mockito.mock;
+
+import java.lang.reflect.Field;
+import java.lang.reflect.Modifier;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.ns.Describe;
+import org.onap.aaf.auth.cmd.ns.NS;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_Describe {
+	
+//	private static Describe desc;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		NS ns = new NS(cli);
+//		desc = new Describe(ns);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(desc._exec(0, "add","del","reset","extend"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
+
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListActivity.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListActivity.java
new file mode 100644
index 00000000..64328887
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListActivity.java
@@ -0,0 +1,74 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.ns;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.ns.List;
+import org.onap.aaf.auth.cmd.ns.ListActivity;
+import org.onap.aaf.auth.cmd.ns.NS;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListActivity {
+	
+//	private static ListActivity lsActivity;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		NS ns = new NS(cli);
+//		List ls = new List(ns);
+//		lsActivity = new ListActivity(ls);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsActivity._exec(0, "add","del","reset","extend"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
+
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListAdminResponsible.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListAdminResponsible.java
new file mode 100644
index 00000000..064bade2
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListAdminResponsible.java
@@ -0,0 +1,75 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.ns;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.ns.List;
+import org.onap.aaf.auth.cmd.ns.ListAdminResponsible;
+import org.onap.aaf.auth.cmd.ns.NS;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListAdminResponsible {
+	
+//	private static ListAdminResponsible lsAdminRes;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		NS ns = new NS(cli);
+//		List ls = new List(ns);
+//		lsAdminRes = new ListAdminResponsible(ls);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			//TODO: Gabe [JUnit] Not visible for junit
+//			assertEquals(lsAdminRes._exec(0, "add","del","reset","extend"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
+
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListByName.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListByName.java
new file mode 100644
index 00000000..69e081ab
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListByName.java
@@ -0,0 +1,74 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.ns;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.ns.List;
+import org.onap.aaf.auth.cmd.ns.ListByName;
+import org.onap.aaf.auth.cmd.ns.NS;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListByName {
+	
+//	private static ListByName lsByName;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		NS ns = new NS(cli);
+//		List ls = new List(ns);
+//		lsByName = new ListByName(ls);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsByName._exec(0, "add","del","reset","extend"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
+
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListChildren.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListChildren.java
new file mode 100644
index 00000000..c13a52f8
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListChildren.java
@@ -0,0 +1,74 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.ns;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.ns.List;
+import org.onap.aaf.auth.cmd.ns.ListChildren;
+import org.onap.aaf.auth.cmd.ns.NS;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListChildren {
+//	
+//	private static ListChildren lsChildren;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		NS ns = new NS(cli);
+//		List ls = new List(ns);
+//		lsChildren = new ListChildren(ls);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsChildren._exec(0, "add","del","reset","extend"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
+
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListNsKeysByAttrib.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListNsKeysByAttrib.java
new file mode 100644
index 00000000..ac00c256
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListNsKeysByAttrib.java
@@ -0,0 +1,74 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.ns;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.ns.List;
+import org.onap.aaf.auth.cmd.ns.ListNsKeysByAttrib;
+import org.onap.aaf.auth.cmd.ns.NS;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListNsKeysByAttrib {
+	
+//	private static ListNsKeysByAttrib lsNsKeys;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		NS ns = new NS(cli);
+//		List ls = new List(ns);
+//		lsNsKeys = new ListNsKeysByAttrib(ls);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsNsKeys._exec(0, "add","del","reset","extend"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
+
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListUsersInRole.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListUsersInRole.java
new file mode 100644
index 00000000..704f6e4d
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListUsersInRole.java
@@ -0,0 +1,76 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.ns;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.ns.List;
+import org.onap.aaf.auth.cmd.ns.ListUsers;
+import org.onap.aaf.auth.cmd.ns.ListUsersInRole;
+import org.onap.aaf.auth.cmd.ns.NS;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListUsersInRole {
+
+//	private static ListUsersInRole lsUserinRole;
+//
+//	@BeforeClass
+//	public static void setUp() throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		NS ns = new NS(cli);
+//		List ls = new List(ns);//possible wrong import, remove import org.onap.aaf.auth.cmd.ns to see other options
+//		ListUsers lsU = new ListUsers(ls);
+//		lsUserinRole = new ListUsersInRole(lsU);
+//	}
+//
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsUserinRole._exec(0, "add", "del", "reset", "extend"), 500);
+//		} catch (Exception e) {
+//			assertEquals(e.getMessage(), "java.net.UnknownHostException: DME2RESOLVE");
+//		}
+//	}
+//
+//	@Test
+//	public void detailedHelp() {
+//		boolean hasNoError = true;
+//		try {
+//			lsUserinRole.detailedHelp(1, new StringBuilder("test"));
+//		} catch (Exception e) {
+//			hasNoError = false;
+//		}
+//		assertEquals(hasNoError, true);
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListUsersWithPerm.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListUsersWithPerm.java
new file mode 100644
index 00000000..06e9cf01
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListUsersWithPerm.java
@@ -0,0 +1,76 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.ns;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.ns.List;
+import org.onap.aaf.auth.cmd.ns.ListUsers;
+import org.onap.aaf.auth.cmd.ns.ListUsersWithPerm;
+import org.onap.aaf.auth.cmd.ns.NS;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListUsersWithPerm {
+
+//	private static ListUsersWithPerm lsUserWithPerm;
+//
+//	@BeforeClass
+//	public static void setUp() throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		NS ns = new NS(cli);
+//		List ls = new List(ns);//possible wrong import, remove import org.onap.aaf.auth.cmd.ns to see other option
+//		ListUsers lsU = new ListUsers(ls);
+//		lsUserWithPerm = new ListUsersWithPerm(lsU);
+//	}
+//
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsUserWithPerm._exec(0, "add", "del", "reset", "extend"), 500);
+//		} catch (Exception e) {
+//			assertEquals(e.getMessage(), "java.net.UnknownHostException: DME2RESOLVE");
+//		}
+//	}
+//
+//	@Test
+//	public void detailedHelp() {
+//		boolean hasNoError = true;
+//		try {
+//			lsUserWithPerm.detailedHelp(1, new StringBuilder("test"));
+//		} catch (Exception e) {
+//			hasNoError = false;
+//		}
+//		assertEquals(hasNoError, true);
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_Responsible.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_Responsible.java
new file mode 100644
index 00000000..ccb4b025
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_Responsible.java
@@ -0,0 +1,74 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.ns;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+public class JU_Responsible {
+
+//	private static Responsible responsible;//TODO: Gabe[JUnit] check with Jonathan
+//
+//	@BeforeClass
+//	public static void setUp() throws APIException, LocatorException, GeneralSecurityException, IOException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		NS ns = new NS(cli);
+//		responsible = new Responsible(ns);
+//
+//	}
+//
+//	@Test
+//	public void exec1() {
+//		try {
+//			responsible._exec(0, "del", "del", "del");
+//		} catch (Exception e) {
+//			assertEquals(e.getMessage(), "java.net.UnknownHostException: DME2RESOLVE");
+//		}
+//	}
+//
+//	@Test
+//	public void detailedHelp() {
+//		boolean hasNoError = true;
+//		try {
+//			responsible.detailedHelp(1, new StringBuilder("test"));
+//		} catch (Exception e) {
+//			hasNoError = false;
+//		}
+//		assertEquals(hasNoError, true);
+//	}
+	
+	@Test
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_Create.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_Create.java
new file mode 100644
index 00000000..4ae99bed
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_Create.java
@@ -0,0 +1,73 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.perm;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.perm.Create;
+import org.onap.aaf.auth.cmd.perm.Perm;
+import org.onap.aaf.auth.cmd.role.Role;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_Create {
+	
+//	private static Create create;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		Role role = new Role(cli);
+//		Perm perm = new Perm(role);
+//		create = new Create(perm);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(create._exec(0, "add","del","reset","extend"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_Delete.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_Delete.java
new file mode 100644
index 00000000..ed59013c
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_Delete.java
@@ -0,0 +1,73 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.perm;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.perm.Delete;
+import org.onap.aaf.auth.cmd.perm.Perm;
+import org.onap.aaf.auth.cmd.role.Role;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_Delete {
+	
+//	private static Delete del;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		Role role = new Role(cli);
+//		Perm perm = new Perm(role);
+//		del = new Delete(perm);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(del._exec(0, "add","del","reset","extend"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_Describe.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_Describe.java
new file mode 100644
index 00000000..8861e6f1
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_Describe.java
@@ -0,0 +1,73 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.perm;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.perm.Describe;
+import org.onap.aaf.auth.cmd.perm.Perm;
+import org.onap.aaf.auth.cmd.role.Role;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_Describe {
+//	
+//	private static Describe desc;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		Role role = new Role(cli);
+//		Perm perm = new Perm(role);
+//		desc = new Describe(perm);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(desc._exec(0, "add","del","reset","extend"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_Grant.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_Grant.java
new file mode 100644
index 00000000..9bfa3f4a
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_Grant.java
@@ -0,0 +1,73 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.perm;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.perm.Grant;
+import org.onap.aaf.auth.cmd.perm.Perm;
+import org.onap.aaf.auth.cmd.role.Role;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_Grant {
+	
+//	private static Grant grant;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		Role role = new Role(cli);
+//		Perm perm = new Perm(role);
+//		grant = new Grant(perm);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(grant._exec(0, "add","del","reset","extend"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_ListActivity.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_ListActivity.java
new file mode 100644
index 00000000..fd4e08b7
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_ListActivity.java
@@ -0,0 +1,75 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.perm;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.perm.List;
+import org.onap.aaf.auth.cmd.perm.ListActivity;
+import org.onap.aaf.auth.cmd.perm.Perm;
+import org.onap.aaf.auth.cmd.role.Role;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListActivity {
+	
+//	private static ListActivity lsActivity;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		Role role = new Role(cli);
+//		Perm perm = new Perm(role);
+//		List ls = new List(perm);
+//		lsActivity = new ListActivity(ls);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsActivity._exec(0, "add","del","reset","extend"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_ListByNS.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_ListByNS.java
new file mode 100644
index 00000000..fc4b6913
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_ListByNS.java
@@ -0,0 +1,75 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.perm;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.perm.List;
+import org.onap.aaf.auth.cmd.perm.ListByNS;
+import org.onap.aaf.auth.cmd.perm.Perm;
+import org.onap.aaf.auth.cmd.role.Role;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListByNS {
+	
+//	private static ListByNS lsByNS;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		Role role = new Role(cli);
+//		Perm perm = new Perm(role);
+//		List ls = new List(perm);
+//		lsByNS = new ListByNS(ls);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsByNS._exec(0, "add","del","reset","extend"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_ListByName.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_ListByName.java
new file mode 100644
index 00000000..7e65dfc0
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_ListByName.java
@@ -0,0 +1,75 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.perm;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.perm.List;
+import org.onap.aaf.auth.cmd.perm.ListByName;
+import org.onap.aaf.auth.cmd.perm.Perm;
+import org.onap.aaf.auth.cmd.role.Role;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListByName {
+	
+//	private static ListByName lsByName;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		Role role = new Role(cli);
+//		Perm perm = new Perm(role);
+//		List ls = new List(perm);
+//		lsByName = new ListByName(ls);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsByName._exec(0, "add","del","reset","extend"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_ListByRole.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_ListByRole.java
new file mode 100644
index 00000000..d2d89783
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_ListByRole.java
@@ -0,0 +1,75 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.perm;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.perm.List;
+import org.onap.aaf.auth.cmd.perm.ListByRole;
+import org.onap.aaf.auth.cmd.perm.Perm;
+import org.onap.aaf.auth.cmd.role.Role;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListByRole {
+	
+//	private static ListByRole lsByRole;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		Role role = new Role(cli);
+//		Perm perm = new Perm(role);
+//		List ls = new List(perm);
+//		lsByRole = new ListByRole(ls);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsByRole._exec(0, "add","del","reset","extend"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_ListByUser.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_ListByUser.java
new file mode 100644
index 00000000..675a02aa
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_ListByUser.java
@@ -0,0 +1,75 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.perm;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.perm.List;
+import org.onap.aaf.auth.cmd.perm.ListByUser;
+import org.onap.aaf.auth.cmd.perm.Perm;
+import org.onap.aaf.auth.cmd.role.Role;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListByUser {
+	
+//	private static ListByUser lsByName;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		Role role = new Role(cli);
+//		Perm perm = new Perm(role);
+//		List ls = new List(perm);
+//		lsByName = new ListByUser(ls);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsByName._exec(0, "add","del","reset","extend"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_Rename.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_Rename.java
new file mode 100644
index 00000000..39263f1b
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/perm/JU_Rename.java
@@ -0,0 +1,73 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.perm;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.perm.Perm;
+import org.onap.aaf.auth.cmd.perm.Rename;
+import org.onap.aaf.auth.cmd.role.Role;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_Rename {
+	
+//	private static Rename rename;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		Role role = new Role(cli);
+//		Perm perm = new Perm(role);
+//		rename = new Rename(perm);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(rename._exec(0, "add","del","reset","extend","clear", "rename", "create"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_CreateDelete.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_CreateDelete.java
new file mode 100644
index 00000000..c19bd5c2
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_CreateDelete.java
@@ -0,0 +1,71 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.role;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.role.CreateDelete;
+import org.onap.aaf.auth.cmd.role.Role;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_CreateDelete {
+	
+//	private static CreateDelete createDel;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		Role role = new Role(cli);
+//		createDel = new CreateDelete(role);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(createDel._exec(0, "add","del","reset","extend","clear", "rename", "create"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_Describe.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_Describe.java
new file mode 100644
index 00000000..8dd9558e
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_Describe.java
@@ -0,0 +1,71 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.role;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.role.Describe;
+import org.onap.aaf.auth.cmd.role.Role;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_Describe {
+	
+//	private static Describe desc;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		Role role = new Role(cli);
+//		desc = new Describe(role);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(desc._exec(0, "add","del","reset","extend","clear", "rename", "create"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_ListActivity.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_ListActivity.java
new file mode 100644
index 00000000..79f8d681
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_ListActivity.java
@@ -0,0 +1,73 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.role;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.role.List;
+import org.onap.aaf.auth.cmd.role.ListActivity;
+import org.onap.aaf.auth.cmd.role.Role;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListActivity {
+//	
+//	private static ListActivity lsActivity;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		Role role = new Role(cli);
+//		List ls = new List(role);
+//		lsActivity = new ListActivity(ls);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsActivity._exec(0, "add","del","reset","extend","clear", "rename", "create"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_ListByNS.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_ListByNS.java
new file mode 100644
index 00000000..5eb188d3
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_ListByNS.java
@@ -0,0 +1,73 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.role;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.role.List;
+import org.onap.aaf.auth.cmd.role.ListByNS;
+import org.onap.aaf.auth.cmd.role.Role;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListByNS {
+	
+//	private static ListByNS lsByNS;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		Role role = new Role(cli);
+//		List ls = new List(role);
+//		lsByNS = new ListByNS(ls);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsByNS._exec(0, "add","del","reset","extend","clear", "rename", "create"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_ListByNameOnly.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_ListByNameOnly.java
new file mode 100644
index 00000000..a87101d0
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_ListByNameOnly.java
@@ -0,0 +1,73 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.role;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.role.List;
+import org.onap.aaf.auth.cmd.role.ListByNameOnly;
+import org.onap.aaf.auth.cmd.role.Role;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListByNameOnly {
+//	
+//	private static ListByNameOnly lsByName;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		Role role = new Role(cli);
+//		List ls = new List(role);
+//		lsByName = new ListByNameOnly(ls);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsByName._exec(0, "add","del","reset","extend","clear", "rename", "create"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_ListByPerm.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_ListByPerm.java
new file mode 100644
index 00000000..6be99ab0
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_ListByPerm.java
@@ -0,0 +1,73 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.role;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.role.List;
+import org.onap.aaf.auth.cmd.role.ListByPerm;
+import org.onap.aaf.auth.cmd.role.Role;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListByPerm {
+	
+//	private static ListByPerm lsByPerm;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		Role role = new Role(cli);
+//		List ls = new List(role);
+//		lsByPerm = new ListByPerm(ls);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsByPerm._exec(0, "add","del","reset","extend","clear", "rename", "create"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_ListByRole.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_ListByRole.java
new file mode 100644
index 00000000..5739208a
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_ListByRole.java
@@ -0,0 +1,73 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.role;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.role.List;
+import org.onap.aaf.auth.cmd.role.ListByRole;
+import org.onap.aaf.auth.cmd.role.Role;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListByRole {
+	
+//	private static ListByRole lsByRole;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		Role role = new Role(cli);
+//		List ls = new List(role);
+//		lsByRole = new ListByRole(ls);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsByRole._exec(0, "add","del","reset","extend","clear", "rename", "create"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_ListByUser.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_ListByUser.java
new file mode 100644
index 00000000..be11e1f7
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_ListByUser.java
@@ -0,0 +1,73 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.role;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.role.List;
+import org.onap.aaf.auth.cmd.role.ListByUser;
+import org.onap.aaf.auth.cmd.role.Role;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListByUser {
+//	
+//	private static ListByUser lsByUser;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		Role role = new Role(cli);
+//		List ls = new List(role);
+//		lsByUser = new ListByUser(ls);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsByUser._exec(0, "add","del","reset","extend","clear", "rename", "create"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_User.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_User.java
new file mode 100644
index 00000000..37cfb304
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_User.java
@@ -0,0 +1,72 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.role;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.perm.Perm;
+import org.onap.aaf.auth.cmd.role.Role;
+import org.onap.aaf.auth.cmd.role.User;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_User {
+	
+//	private static User user;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		Role role = new Role(cli);
+//		user = new User(role);
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(user._exec(0, "add","del","reset","extend","clear", "rename", "create"),500);
+//		} catch (CadiException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			// TODO Auto-generated catch block
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_Cred.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_Cred.java
new file mode 100644
index 00000000..f191ef65
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_Cred.java
@@ -0,0 +1,124 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.user;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.io.FileNotFoundException;
+import java.io.PrintWriter;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mockito;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cmd.user.Cred;
+import org.onap.aaf.auth.cmd.user.User;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_Cred {
+
+	private static Cred testCred;
+	private static User testUser;
+	private static AuthzEnv env;
+
+
+	@BeforeClass
+	public static void setUp() throws FileNotFoundException, APIException {
+		
+		testCred = mock(Cred.class);
+		testUser = mock(User.class);
+		env = mock(AuthzEnv.class);
+		Mockito.when(env.getProperty(Cmd.STARTDATE,null)).thenReturn(null);
+		Mockito.when(env.getProperty(Cmd.ENDDATE,null)).thenReturn(null);
+		
+	}
+
+	@Test
+	public void exec() throws CadiException, APIException, LocatorException, FileNotFoundException {
+		boolean isNullpointer=false;
+		AAFcli aaFcli=	new AAFcli(env, new PrintWriter("temp"), null, null, null);
+	User user= new User(aaFcli);
+	 Cred testCred= new Cred(user);
+	try {
+		testCred._exec(0, "add", "del", "reset", "extend");
+	} catch (Exception e) {
+		isNullpointer=true;
+	} 
+	assertEquals(isNullpointer, true);
+	}
+
+
+	@Test
+	public void exec_add() {		
+		try {
+			assertNotNull(testCred._exec(0, "zeroed","add","del","reset","extend"));
+		} catch (CadiException | APIException | LocatorException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+
+	}
+
+	@Test
+	public void exec_del() {		
+		try {
+			assertNotNull(testCred._exec(1, "zeroed","add","del","reset","extend"));
+		} catch (CadiException | APIException | LocatorException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+
+	}
+
+	@Test
+	public void exec_reset() {		
+		try {
+			assertNotNull(testCred._exec(2, "zeroed","add","del","reset","extend"));
+		} catch (CadiException | APIException | LocatorException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+
+	}
+
+	@Test
+	public void exec_extend() {		
+		try {
+			assertNotNull(testCred._exec(3, "zeroed","add","del","reset","extend"));
+		} catch (CadiException | APIException | LocatorException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+
+	}
+
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_Delg.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_Delg.java
new file mode 100644
index 00000000..f129149d
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_Delg.java
@@ -0,0 +1,79 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.user;
+
+import static org.mockito.Mockito.mock;
+import static org.junit.Assert.*;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.user.Delg;
+import org.onap.aaf.auth.cmd.user.User;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_Delg {
+	
+	private static User testUser;
+	private static Delg delg;
+	
+	@BeforeClass
+	public static void setUp() throws APIException {
+		testUser = mock(User.class);
+		delg = mock(Delg.class);
+	}
+	
+	@Test
+	public void exec_add() {
+		try {
+			assertEquals(delg._exec(0, "zero","add","upd","del"), 0);
+		} catch (CadiException | APIException | LocatorException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+	}
+	
+	@Test
+	public void exec_upd() {
+		try {
+			assertEquals(delg._exec(1, "zero","add","upd","del"), 0);
+		} catch (CadiException | APIException | LocatorException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+	}
+	
+	@Test
+	public void exec_del() {
+		try {
+			assertEquals(delg._exec(2, "zero","add","upd","del"), 0);
+		} catch (CadiException | APIException | LocatorException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+	}
+	
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_ListActivity.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_ListActivity.java
new file mode 100644
index 00000000..5f1cfb3b
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_ListActivity.java
@@ -0,0 +1,74 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.user;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.auth.cmd.user.List;
+import org.onap.aaf.auth.cmd.user.ListActivity;
+import org.onap.aaf.auth.cmd.user.User;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListActivity {
+	
+//	private static ListActivity lsActivity;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		User usr = new User(cli);
+//		List parent = new List(usr);
+//		lsActivity = new ListActivity(parent);
+//		
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsActivity._exec(0, "add","del","reset","extend","clear", "rename", "create"),500);
+//		} catch (CadiException e) {
+//			
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_ListApprovals.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_ListApprovals.java
new file mode 100644
index 00000000..196cd028
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_ListApprovals.java
@@ -0,0 +1,74 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.user;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.auth.cmd.user.List;
+import org.onap.aaf.auth.cmd.user.ListApprovals;
+import org.onap.aaf.auth.cmd.user.User;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListApprovals {
+	
+//	private static ListApprovals lsApprovals;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		User usr = new User(cli);
+//		List parent = new List(usr);
+//		lsApprovals = new ListApprovals(parent);
+//		
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsApprovals._exec(0, "add","del","reset","extend","clear", "rename", "create"),500);
+//		} catch (CadiException e) {
+//			
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_ListDelegates.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_ListDelegates.java
new file mode 100644
index 00000000..3e11357f
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_ListDelegates.java
@@ -0,0 +1,74 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.user;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.auth.cmd.user.List;
+import org.onap.aaf.auth.cmd.user.ListDelegates;
+import org.onap.aaf.auth.cmd.user.User;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListDelegates {
+	
+//	private static ListDelegates lsDelegates;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		User usr = new User(cli);
+//		List parent = new List(usr);
+//		lsDelegates = new ListDelegates(parent);
+//		
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsDelegates._exec(0, "add","del","reset","extend","clear", "rename", "create"),500);
+//		} catch (CadiException e) {
+//			
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_ListForCreds.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_ListForCreds.java
new file mode 100644
index 00000000..cdd8fe87
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_ListForCreds.java
@@ -0,0 +1,74 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.user;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.auth.cmd.user.List;
+import org.onap.aaf.auth.cmd.user.ListForCreds;
+import org.onap.aaf.auth.cmd.user.User;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListForCreds {
+//	
+//	private static ListForCreds lsForCreds;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		User usr = new User(cli);
+//		List parent = new List(usr);
+//		lsForCreds = new ListForCreds(parent);
+//		
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsForCreds._exec(0, "add","del","reset","extend","clear", "rename", "create"),500);
+//		} catch (CadiException e) {
+//			
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_ListForPermission.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_ListForPermission.java
new file mode 100644
index 00000000..7d6af44b
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_ListForPermission.java
@@ -0,0 +1,74 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.user;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.auth.cmd.user.List;
+import org.onap.aaf.auth.cmd.user.ListForPermission;
+import org.onap.aaf.auth.cmd.user.User;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListForPermission {
+//	
+//	private static ListForPermission lsForPermission;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		User usr = new User(cli);
+//		List parent = new List(usr);
+//		lsForPermission = new ListForPermission(parent);
+//		
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsForPermission._exec(0, "add","del","reset","extend","clear", "rename", "create"),500);
+//		} catch (CadiException e) {
+//			
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_ListForRoles.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_ListForRoles.java
new file mode 100644
index 00000000..74f57cfc
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_ListForRoles.java
@@ -0,0 +1,74 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.user;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.auth.cmd.user.List;
+import org.onap.aaf.auth.cmd.user.ListForRoles;
+import org.onap.aaf.auth.cmd.user.User;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_ListForRoles {
+	
+//	private static ListForRoles lsForRoles;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		User usr = new User(cli);
+//		List parent = new List(usr);
+//		lsForRoles = new ListForRoles(parent);
+//		
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(lsForRoles._exec(0, "add","del","reset","extend","clear", "rename", "create"),500);
+//		} catch (CadiException e) {
+//			
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_Role.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_Role.java
new file mode 100644
index 00000000..230be45e
--- /dev/null
+++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_Role.java
@@ -0,0 +1,72 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.cmd.test.user;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.auth.cmd.user.Role;
+import org.onap.aaf.auth.cmd.user.User;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.misc.env.APIException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_Role {
+	
+//	private static Role role;
+//	
+//	@BeforeClass
+//	public static void setUp () throws NoSuchFieldException, SecurityException, Exception, IllegalAccessException {
+//		AAFcli cli = JU_AAFCli.getAAfCli();
+//		User usr = new User(cli);
+//		role = new Role(usr);
+//		
+//	}
+//	
+//	@Test
+//	public void exec() {
+//		try {
+//			assertEquals(role._exec(0, "add","del","reset","extend","clear", "rename", "create"),500);
+//		} catch (CadiException e) {
+//			
+//			e.printStackTrace();
+//		} catch (APIException e) {
+//			
+//			e.printStackTrace();
+//		} catch (LocatorException e) {
+//			
+//			e.printStackTrace();
+//		}
+//	}
+	
+	@Test						//TODO: Temporary fix AAF-111
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-core/.gitignore b/auth/auth-core/.gitignore
new file mode 100644
index 00000000..8f0ac9b9
--- /dev/null
+++ b/auth/auth-core/.gitignore
@@ -0,0 +1,5 @@
+/.settings
+/bin
+/target
+/.classpath
+/.project
diff --git a/auth/auth-core/pom.xml b/auth/auth-core/pom.xml
new file mode 100644
index 00000000..a8002024
--- /dev/null
+++ b/auth/auth-core/pom.xml
@@ -0,0 +1,104 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.onap.aaf.auth</groupId>
+		<artifactId>parent</artifactId>
+		<version>2.1.0-SNAPSHOT</version>
+		<relativePath>../pom.xml</relativePath>
+	</parent>
+
+	<artifactId>aaf-auth-core</artifactId>
+	<name>AAF Auth Core</name>
+	<description>Core Library for AAF Auth Components</description>
+	<packaging>jar</packaging>
+
+	<developers>
+		<developer>
+			<name>Jonathan Gathman</name>
+			<email>jonathan.gathman@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Architect</role>
+				<role>Lead Developer</role>
+			</roles>
+		</developer>
+		<developer>
+			<name>Gabe Maurer</name>
+			<email>gabe.maurer@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Developer</role>
+			</roles>
+		</developer>
+		<developer>
+			<name>Ian Howell</name>
+			<email>ian.howell@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Developer</role>
+			</roles>
+		</developer>
+	</developers>
+
+
+	<dependencies>
+		<dependency>
+			<groupId>org.onap.aaf.misc</groupId>
+			<artifactId>aaf-misc-env</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.onap.aaf.cadi</groupId>
+			<artifactId>aaf-cadi-aaf</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>javax.servlet</groupId>
+			<artifactId>servlet-api</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.misc</groupId>
+			<artifactId>aaf-misc-log4j</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.cadi</groupId>
+			<artifactId>aaf-cadi-core</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.eclipse.jetty</groupId>
+			<artifactId>jetty-servlet</artifactId>
+			<scope>compile</scope>
+		</dependency>
+
+		<dependency>
+			<groupId>org.eclipse.jetty</groupId>
+			<artifactId>jetty-jmx</artifactId>
+			<scope>compile</scope>
+		</dependency>
+	</dependencies>
+</project>
+
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/cache/Cache.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/cache/Cache.java
new file mode 100644
index 00000000..17368031
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/cache/Cache.java
@@ -0,0 +1,200 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cache;
+
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.Timer;
+import java.util.TimerTask;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.logging.Level;
+
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Trans;
+
+/**
+ * Create and maintain a Map of Maps used for Caching
+ * 
+ * @author Jonathan
+ *
+ * @param <TRANS>
+ * @param <DATA>
+ */
+public class Cache<TRANS extends Trans, DATA> {
+	private static Clean clean;
+	private static Timer cleanseTimer;
+
+	public static final String CACHE_HIGH_COUNT = "CACHE_HIGH_COUNT";
+	public static final String CACHE_CLEAN_INTERVAL = "CACHE_CLEAN_INTERVAL";
+//	public static final String CACHE_MIN_REFRESH_INTERVAL = "CACHE_MIN_REFRESH_INTERVAL";
+
+	private static final Map<String,Map<String,Dated>> cacheMap;
+
+	static {
+		cacheMap = new HashMap<String,Map<String,Dated>>();
+	}
+
+	/**
+	 * Dated Class - store any Data with timestamp
+	 * 
+	 * @author Jonathan
+	 *
+	 */
+	public final static class Dated { 
+		public Date timestamp;
+		public List<?> data;
+		private long expireIn;
+		
+		public Dated(List<?> data, long expireIn) {
+			timestamp = new Date(System.currentTimeMillis()+expireIn);
+			this.data = data;
+			this.expireIn = expireIn;
+		}
+
+		public <T> Dated(T t, long expireIn) {
+			timestamp = new Date(System.currentTimeMillis()+expireIn);
+			ArrayList<T> al = new ArrayList<T>(1);
+			al.add(t);
+			data = al;
+			this.expireIn = expireIn;
+		}
+
+		public void touch() {
+			timestamp = new Date(System.currentTimeMillis()+expireIn);
+		}
+	}
+	
+	public static Map<String,Dated> obtain(String key) {
+		Map<String, Dated> m = cacheMap.get(key);
+		if(m==null) {
+			m = new ConcurrentHashMap<String, Dated>();
+			synchronized(cacheMap) {
+				cacheMap.put(key, m);
+			}
+		}
+		return m;
+	}
+
+	/**
+	 * Clean will examine resources, and remove those that have expired.
+	 * 
+	 * If "highs" have been exceeded, then we'll expire 10% more the next time.  This will adjust after each run
+	 * without checking contents more than once, making a good average "high" in the minimum speed.
+	 * 
+	 * @author Jonathan
+	 *
+	 */
+	private final static class Clean extends TimerTask {
+		private final Env env;
+		private Set<String> set;
+		
+		// The idea here is to not be too restrictive on a high, but to Expire more items by 
+		// shortening the time to expire.  This is done by judiciously incrementing "advance"
+		// when the "highs" are exceeded.  This effectively reduces numbers of cached items quickly.
+		private final int high;
+		private long advance;
+		private final long timeInterval;
+		
+		public Clean(Env env, long cleanInterval, int highCount) {
+			this.env = env;
+			high = highCount;
+			timeInterval = cleanInterval;
+			advance = 0;
+			set = new HashSet<String>();
+		}
+		
+		public synchronized void add(String key) {
+			set.add(key);
+		}
+
+		public void run() {
+			int count = 0;
+			int total = 0;
+			// look at now.  If we need to expire more by increasing "now" by "advance"
+			Date now = new Date(System.currentTimeMillis() + advance);
+			
+			
+			for(String name : set) {
+				Map<String,Dated> map = cacheMap.get(name);
+				if(map!=null) for(Map.Entry<String,Dated> me : map.entrySet()) {
+					++total;
+					if(me.getValue().timestamp.before(now)) {
+						map.remove(me.getKey());
+						++count;
+					}
+				}
+//				if(count>0) {
+//					env.info().log(Level.INFO, "Cache removed",count,"expired",name,"Elements");
+//				}
+			}
+			
+			if(count>0) {
+				env.info().log(Level.INFO, "Cache removed",count,"expired Cached Elements out of", total);
+			}
+
+			// If High (total) is reached during this period, increase the number of expired services removed for next time.
+			// There's no point doing it again here, as there should have been cleaned items.
+			if(total>high) {
+				// advance cleanup by 10%, without getting greater than timeInterval.
+				advance = Math.min(timeInterval, advance+(timeInterval/10));
+			} else {
+				// reduce advance by 10%, without getting lower than 0.
+				advance = Math.max(0, advance-(timeInterval/10));
+			}
+		}
+	}
+
+	public static synchronized void startCleansing(Env env, String ... keys) {
+		if(cleanseTimer==null) {
+			cleanseTimer = new Timer("Cache Cleanup Timer");
+			int cleanInterval = Integer.parseInt(env.getProperty(CACHE_CLEAN_INTERVAL,"60000")); // 1 minute clean cycles 
+			int highCount = Integer.parseInt(env.getProperty(CACHE_HIGH_COUNT,"5000"));
+			cleanseTimer.schedule(clean = new Clean(env, cleanInterval, highCount), cleanInterval, cleanInterval);
+		}
+		
+		for(String key : keys) {
+			clean.add(key);
+		}
+	}
+
+	public static void stopTimer() {
+		if(cleanseTimer!=null) {
+			cleanseTimer.cancel();
+			cleanseTimer = null;
+		}
+	}
+
+	public static void addShutdownHook() {
+		Runtime.getRuntime().addShutdownHook(new Thread() {
+			@Override
+			public void run() {
+				Cache.stopTimer();
+			}
+		}); 
+	}
+
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/common/Define.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/common/Define.java
new file mode 100644
index 00000000..6f0ea084
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/common/Define.java
@@ -0,0 +1,82 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.common;
+
+import java.util.Map.Entry;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.config.Config;
+
+public class Define {
+	private static String ROOT_NS = null;
+	private static String ROOT_COMPANY = null;
+
+	private final static String MSG = ".set(Access access) must be called before use";
+	public static final CharSequence ROOT_NS_TAG = "AAF_NS"; // use for certain Replacements in Location
+	private static final String ROOT_NS_TAG_DOT = ROOT_NS_TAG +".";
+
+	public static String ROOT_NS() {
+		if(ROOT_NS==null) {
+			throw new RuntimeException(Define.class.getName() + MSG);
+		}
+		return ROOT_NS;
+	}
+	
+	public static String ROOT_COMPANY() {
+		if(ROOT_NS==null) {
+			throw new RuntimeException(Define.class.getName() + MSG);
+		}
+		return ROOT_COMPANY;
+	}
+	
+	public static void set(Access access) throws CadiException {
+		ROOT_NS = access.getProperty(Config.AAF_ROOT_NS,"org.onap.aaf");
+		ROOT_COMPANY = access.getProperty(Config.AAF_ROOT_COMPANY,null);
+		if(ROOT_COMPANY==null) {
+			int last = ROOT_NS.lastIndexOf('.');
+			if(last>=0) {
+				ROOT_COMPANY = ROOT_NS.substring(0, last);
+			} else {
+				throw new CadiException(Config.AAF_ROOT_COMPANY + " or " + Config.AAF_ROOT_NS + " property with 3 positions is required.");
+			}
+		}
+		
+		for( Entry<Object, Object> es : access.getProperties().entrySet()) {
+			if(es.getKey().toString().startsWith(ROOT_NS_TAG_DOT)) {
+				access.getProperties().setProperty(es.getKey().toString(),varReplace(es.getValue().toString()));
+			}
+		}
+		
+		access.printf(Level.INIT,"AAF Root NS is %s, and AAF Company Root is %s",ROOT_NS,ROOT_COMPANY);
+	}
+
+	public static String varReplace(final String potential) {
+		if(potential.startsWith(ROOT_NS_TAG_DOT)) {
+			return ROOT_NS + potential.substring(6);
+		} else {
+			return potential;
+		}
+	}
+	
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/env/AuthzEnv.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/env/AuthzEnv.java
new file mode 100644
index 00000000..0bbe079e
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/env/AuthzEnv.java
@@ -0,0 +1,310 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.env;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Properties;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.Symm;
+import org.onap.aaf.cadi.PropAccess.LogIt;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Decryptor;
+import org.onap.aaf.misc.env.Encryptor;
+import org.onap.aaf.misc.env.impl.Log4JLogTarget;
+import org.onap.aaf.misc.env.log4j.LogFileNamer;
+import org.onap.aaf.misc.rosetta.env.RosettaEnv;
+
+
+/**
+ * AuthzEnv is the Env tailored to Authz Service
+ * 
+ * Most of it is derived from RosettaEnv, but it also implements Access, which
+ * is an Interface that Allows CADI to interact with Container Logging
+ * 
+ * @author Jonathan
+ *
+ */
+public class AuthzEnv extends RosettaEnv implements Access {
+	private long[] times = new long[20];
+	private int idx = 0;
+	private PropAccess access;
+
+	public AuthzEnv() {
+		super();
+		_init(new PropAccess());
+	}
+
+	public AuthzEnv(String ... args) {
+		super();
+		_init(new PropAccess(args));
+	}
+
+	public AuthzEnv(Properties props) {
+		super();
+		_init(new PropAccess(props));
+	}
+	
+
+	public AuthzEnv(PropAccess pa) {
+		super();
+		_init(pa);
+	}
+	
+	private final void _init(PropAccess pa) { 
+		access = pa;
+		times = new long[20];
+		idx = 0;
+	}
+	
+	private class Log4JLogit implements LogIt {
+		
+		@Override
+		public void push(Level level, Object... elements) {
+			switch(level) {
+				case AUDIT:
+					audit.log(elements);
+					break;
+				case DEBUG:
+					debug.log(elements);
+					break;
+				case ERROR:
+					error.log(elements);
+					break;
+				case INFO:
+					info.log(elements);
+					break;
+				case INIT:
+					init.log(elements);
+					break;
+				case NONE:
+					break;
+				case WARN:
+					warn.log(elements);
+					break;
+			}
+			
+		}
+		
+	}
+
+	@Override
+	public AuthzTransImpl newTrans() {
+		synchronized(this) {
+			times[idx]=System.currentTimeMillis();
+			if(++idx>=times.length)idx=0;
+		}
+		return new AuthzTransImpl(this);
+	}
+
+	/**
+	 *  Create a Trans, but do not include in Weighted Average
+	 * @return
+	 */
+	public AuthzTrans newTransNoAvg() {
+		return new AuthzTransImpl(this);
+	}
+
+	public long transRate() {
+		int count = 0;
+		long pot = 0;
+		long prev = 0;
+		for(int i=idx;i<times.length;++i) {
+			if(times[i]>0) {
+				if(prev>0) {
+					++count;
+		pot += times[i]-prev;
+				}
+				prev = times[i]; 
+			}
+		}
+		for(int i=0;i<idx;++i) {
+			if(times[i]>0) {
+				if(prev>0) {
+					++count;
+					pot += times[i]-prev;
+				}
+				prev = times[i]; 
+			}
+		}
+
+		return count==0?300000L:pot/count; // Return Weighted Avg, or 5 mins, if none avail.
+	}
+	
+	@Override
+	public ClassLoader classLoader() {
+		return getClass().getClassLoader();
+	}
+
+	@Override
+	public void load(InputStream is) throws IOException {
+		access.load(is);
+	}
+
+	@Override
+	public void log(Level lvl, Object... msgs) {
+		access.log(lvl, msgs);
+	}
+
+	@Override
+	public void log(Exception e, Object... msgs) {
+		access.log(e,msgs);
+	}
+
+	@Override
+	public void printf(Level level, String fmt, Object... elements) {
+		access.printf(level, fmt, elements);
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.cadi.Access#willLog(org.onap.aaf.cadi.Access.Level)
+	 */
+	@Override
+	public boolean willLog(Level level) {
+		return access.willLog(level);
+	}
+
+	@Override
+	public void setLogLevel(Level level) {
+		access.setLogLevel(level);
+	}
+
+	public void setLog4JNames(String path, String root, String _service, String _audit, String _init, String _trace) throws APIException {
+		LogFileNamer lfn = new LogFileNamer(root);
+		if(_service==null) {
+			throw new APIException("AuthzEnv.setLog4JNames \"_service\" required (as default).  Others can be null");
+		}
+		String service=_service=lfn.setAppender(_service); // when name is split, i.e. authz|service, the Appender is "authz", and "service"
+		String audit=_audit==null?service:lfn.setAppender(_audit);     // is part of the log-file name
+		String init=_init==null?service:lfn.setAppender(_init);
+		String trace=_trace==null?service:lfn.setAppender(_trace);
+		//TODO Validate path on Classpath
+		lfn.configure(path);
+		super.fatal = new Log4JLogTarget(service,org.apache.log4j.Level.FATAL);
+		super.error = new Log4JLogTarget(service,org.apache.log4j.Level.ERROR);
+		super.warn = new Log4JLogTarget(service,org.apache.log4j.Level.WARN);
+		super.audit = new Log4JLogTarget(audit,org.apache.log4j.Level.WARN);
+		super.init = new Log4JLogTarget(init,org.apache.log4j.Level.WARN);
+		super.info = new Log4JLogTarget(service,org.apache.log4j.Level.INFO);
+		super.debug = new Log4JLogTarget(service,org.apache.log4j.Level.DEBUG);
+		super.trace = new Log4JLogTarget(trace,org.apache.log4j.Level.TRACE);
+		
+		access.set(new Log4JLogit());
+	}
+	
+	private static final byte[] ENC="enc:".getBytes();
+	public String decrypt(String encrypted, final boolean anytext) throws IOException {
+		if(encrypted==null) {
+			throw new IOException("Password to be decrypted is null");
+		}
+		if(anytext || encrypted.startsWith("enc:")) {
+			if(decryptor.equals(Decryptor.NULL) && getProperty(Config.CADI_KEYFILE)!=null) {
+				final Symm s;
+				try {
+					s = Symm.obtain(this);
+				} catch (CadiException e1) {
+					throw new IOException(e1);
+				}
+				decryptor = new Decryptor() {
+					private Symm symm = s;
+					@Override
+					public String decrypt(String encrypted) {
+						try {
+							return (encrypted!=null && (anytext || encrypted.startsWith(Symm.ENC)))
+									? symm.depass(encrypted)
+									: encrypted;
+						} catch (IOException e) {
+							return "";
+						}
+					}
+				};
+				encryptor = new Encryptor() {
+					@Override
+					public String encrypt(String data) {
+						ByteArrayOutputStream baos = new ByteArrayOutputStream();
+						try {
+							baos.write(ENC);
+							return "enc:"+s.enpass(data);
+						} catch (IOException e) {
+							return "";
+						}
+					}
+	
+				};
+			}
+			return decryptor.decrypt(encrypted);
+		} else {
+			return encrypted;
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.misc.env.impl.BasicEnv#getProperty(java.lang.String)
+	 */
+	@Override
+	public String getProperty(String key) {
+		return access.getProperty(key);
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.misc.env.impl.BasicEnv#getProperties(java.lang.String[])
+	 */
+	@Override
+	public Properties getProperties(String... filter) {
+		return access.getProperties();
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.misc.env.impl.BasicEnv#getProperty(java.lang.String, java.lang.String)
+	 */
+	@Override
+	public String getProperty(String key, String defaultValue) {
+		return access.getProperty(key, defaultValue);
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.misc.env.impl.BasicEnv#setProperty(java.lang.String, java.lang.String)
+	 */
+	@Override
+	public String setProperty(String key, String value) {
+		access.setProperty(key, value);
+		return value;
+	}
+
+	public PropAccess access() {
+		return access;
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.cadi.Access#getProperties()
+	 */
+	@Override
+	public Properties getProperties() {
+		return access.getProperties();
+	};
+	
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/env/AuthzTrans.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/env/AuthzTrans.java
new file mode 100644
index 00000000..a38a3e20
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/env/AuthzTrans.java
@@ -0,0 +1,78 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.env;
+
+import java.util.Date;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.cadi.Lur;
+import org.onap.aaf.cadi.Permission;
+import org.onap.aaf.cadi.principal.TaggedPrincipal;
+import org.onap.aaf.misc.env.LogTarget;
+import org.onap.aaf.misc.env.TransStore;
+
+public interface AuthzTrans extends TransStore {
+	public enum REQD_TYPE {future(1),force(2),move(4),ns(8);
+		public final int bit;
+
+		REQD_TYPE(int bit) {
+			this.bit = bit;
+		}
+	};
+	
+	public abstract AuthzTrans set(HttpServletRequest req);
+
+	public abstract String user();
+
+	public abstract void setUser(TaggedPrincipal p);
+	
+	public abstract TaggedPrincipal getUserPrincipal();
+
+	public abstract String ip();
+
+	public abstract int port();
+
+	public abstract String meth();
+
+	public abstract String path();
+
+	public abstract String agent();
+	
+	public abstract AuthzEnv env();
+
+	public abstract void setLur(Lur lur);
+
+	public abstract boolean fish(Permission p);
+	
+	public abstract Organization org();
+
+	public abstract boolean requested(REQD_TYPE requested);
+	
+	public void requested(REQD_TYPE requested, boolean b);
+	
+	public abstract void logAuditTrail(LogTarget lt);
+	
+	public abstract Date now();
+
+}
+\ No newline at end of file
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/env/AuthzTransFilter.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/env/AuthzTransFilter.java
new file mode 100644
index 00000000..a25c5f31
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/env/AuthzTransFilter.java
@@ -0,0 +1,181 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.env;
+
+import java.security.Principal;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.aaf.auth.rserv.TransFilter;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.Connector;
+import org.onap.aaf.cadi.TrustChecker;
+import org.onap.aaf.cadi.principal.TaggedPrincipal;
+import org.onap.aaf.cadi.principal.TrustPrincipal;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.LogTarget;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans.Metric;
+
+public class AuthzTransFilter extends TransFilter<AuthzTrans> {
+	private AuthzEnv env;
+	public Metric serviceMetric;
+	public static Slot transIDslot,specialLogSlot;
+
+	public static final String TRANS_ID_SLOT = "TRANS_ID_SLOT";
+	public static final String SPECIAL_LOG_SLOT = "SPECIAL_LOG_SLOT";
+
+	public static final int BUCKETSIZE = 2;
+	
+	public AuthzTransFilter(AuthzEnv env, Connector con, TrustChecker tc, Object ... additionalTafLurs) throws CadiException {
+		super(env.access(),con, tc, additionalTafLurs);
+		this.env = env;
+		serviceMetric = new Metric();
+		serviceMetric.buckets = new float[BUCKETSIZE];
+		if(transIDslot==null) {
+			transIDslot = env.slot(TRANS_ID_SLOT);
+		}
+		if(specialLogSlot==null) {
+			specialLogSlot = env.slot(SPECIAL_LOG_SLOT);
+		}
+	}
+	
+	@Override
+	protected AuthzTrans newTrans() {
+		AuthzTrans at = env.newTrans();
+		at.setLur(getLur());
+		return at;
+	}
+
+	@Override
+	protected TimeTaken start(AuthzTrans trans, ServletRequest request) {
+		trans.set((HttpServletRequest)request);
+		return trans.start("Trans " + //(context==null?"n/a":context.toString()) +
+		" IP: " + trans.ip() +
+		" Port: " + trans.port()
+		, Env.SUB);
+	}
+
+	@Override
+	protected void authenticated(AuthzTrans trans, Principal p) {
+		trans.setUser((TaggedPrincipal)p); // We only work with TaggedPrincipals in Authz
+	}
+
+	@Override
+	protected void tallyHo(AuthzTrans trans) {
+		Boolean b = trans.get(specialLogSlot, false);
+		LogTarget lt = b?trans.warn():trans.info();
+		
+		if(lt.isLoggable()) {
+			// Transaction is done, now post full Audit Trail
+			StringBuilder sb = new StringBuilder("AuditTrail\n");
+			// We'll grabAct sub-metrics for Remote Calls and JSON
+			// IMPORTANT!!! if you add more entries here, change "BUCKETSIZE"!!!
+			Metric m = trans.auditTrail(lt,1, sb, Env.REMOTE,Env.JSON);
+
+			// Add current Metrics to total metrics
+			serviceMetric.total+= m.total;
+			for(int i=0;i<serviceMetric.buckets.length;++i) {
+				serviceMetric.buckets[i]+=m.buckets[i];
+			}
+			
+			Long tsi;
+			if((tsi=trans.get(transIDslot, null))!=null) {
+				sb.append("  TraceID=");
+				sb.append(Long.toHexString(tsi));
+				sb.append('\n');
+			}
+			// Log current info
+			sb.append("  Total: ");
+			sb.append(m.total);
+			sb.append(" Remote: ");
+			sb.append(m.buckets[0]);
+			sb.append(" JSON: ");
+			sb.append(m.buckets[1]);
+			lt.log(sb);
+		} else {
+			// Single Line entry
+			// IMPORTANT!!! if you add more entries here, change "BUCKETSIZE"!!!
+			StringBuilder content = new StringBuilder(); 
+			Metric m = trans.auditTrail(lt,1, content, Env.REMOTE,Env.JSON);
+			// Add current Metrics to total metrics
+			serviceMetric.total+= m.total;
+			for(int i=0;i<serviceMetric.buckets.length;++i) {
+				serviceMetric.buckets[i]+=m.buckets[i];
+			}
+			
+			StringBuilder sb = new StringBuilder();
+			sb.append("user=");
+			Principal p = trans.getUserPrincipal();
+			if(p==null) {
+				sb.append("n/a");
+			} else {
+				sb.append(p.getName());
+				if(p instanceof TrustPrincipal) {
+					sb.append('(');
+					sb.append(((TrustPrincipal)p).personalName()); // UserChain
+					sb.append(')');
+				} else { 
+					sb.append('[');
+					if(p instanceof TaggedPrincipal) {
+						sb.append(((TaggedPrincipal)p).tag());
+					} else {
+						sb.append(p.getClass().getSimpleName());
+					}
+					sb.append(']');
+				}
+			}
+			sb.append(",ip=");
+			sb.append(trans.ip());
+			sb.append(",port=");
+			sb.append(trans.port());
+//			Current code won't ever get here... Always does a Full Audit Trail
+//			Long tsi;
+//			if((tsi=trans.get(transIDslot, null))!=null) {
+//				sb.append(",TraceID=");
+//				sb.append(Long.toHexString(tsi));
+//			}
+			sb.append(",ms=");
+			sb.append(m.total);
+			sb.append(",meth=");
+			sb.append(trans.meth());
+			sb.append(",path=");
+			sb.append(trans.path());
+
+			if(content.length()>0) {
+				sb.append(",msg=\"");
+				int start = content.lastIndexOf(",msg=\"");
+				if(start>=0) {
+					sb.append(content,start+6,content.length()-1);
+				} else {
+					sb.append(content);
+				}
+				sb.append('"');
+			}
+			
+			trans.warn().log(sb);
+		}
+	}
+
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/env/AuthzTransImpl.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/env/AuthzTransImpl.java
new file mode 100644
index 00000000..2ca8dfd7
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/env/AuthzTransImpl.java
@@ -0,0 +1,216 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.env;
+
+import java.util.Date;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.auth.org.OrganizationFactory;
+import org.onap.aaf.cadi.Lur;
+import org.onap.aaf.cadi.Permission;
+import org.onap.aaf.cadi.principal.TaggedPrincipal;
+import org.onap.aaf.misc.env.LogTarget;
+import org.onap.aaf.misc.env.impl.BasicTrans;
+
+public class AuthzTransImpl extends BasicTrans implements AuthzTrans {
+	private TaggedPrincipal user;
+	private String ip,agent,meth,path;
+	private int port;
+	private Lur lur;
+	private Organization org;
+	private int mask;
+	private Date now;
+	public AuthzTransImpl(AuthzEnv env) {
+		super(env);
+		ip="n/a";
+		org=null;
+		mask=0;
+	}
+
+	/**
+	 * @see org.onap.aaf.auth.env.test.AuthTrans#set(javax.servlet.http.HttpServletRequest)
+	 */
+	@Override
+	public AuthzTrans set(HttpServletRequest req) {
+		user = (TaggedPrincipal)req.getUserPrincipal();
+		ip = req.getRemoteAddr();
+		port = req.getRemotePort();
+		agent = req.getHeader("User-Agent");
+		meth = req.getMethod();
+		path = req.getPathInfo();
+		
+		for(REQD_TYPE rt : REQD_TYPE.values()) {
+			requested(rt,req);
+		}
+		// Handle alternate "request" for "future"
+		String request = req.getParameter("request");
+		if(request!=null) {
+			requested(REQD_TYPE.future,(request.length()==0 || "true".equalsIgnoreCase(request)));
+		}
+
+		org=null;
+		return this;
+	}
+	
+	@Override
+	public void setUser(TaggedPrincipal p) {
+		user = p;
+	}
+
+	/**
+	 * @see org.onap.aaf.auth.env.test.AuthTrans#user()
+	 */
+	@Override
+	public String user() {
+		return user==null?"n/a":user.getName();
+	}
+	
+	/**
+	 * @see org.onap.aaf.auth.env.test.AuthTrans#getUserPrincipal()
+	 */
+	@Override
+	public TaggedPrincipal getUserPrincipal() {
+		return user;
+	}
+
+	/**
+	 * @see org.onap.aaf.auth.env.test.AuthTrans#ip()
+	 */
+	@Override
+	public String ip() {
+		return ip;
+	}
+
+	/**
+	 * @see org.onap.aaf.auth.env.test.AuthTrans#port()
+	 */
+	@Override
+	public int port() {
+		return port;
+	}
+
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.env.test.AuthzTrans#meth()
+	 */
+	@Override
+	public String meth() {
+		return meth;
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.env.test.AuthzTrans#path()
+	 */
+	@Override
+	public String path() {
+		return path;
+	}
+
+	/**
+	 * @see org.onap.aaf.auth.env.test.AuthTrans#agent()
+	 */
+	@Override
+	public String agent() {
+		return agent;
+	}
+
+	@Override
+	public AuthzEnv env() {
+		return (AuthzEnv)delegate;
+	}
+	
+	@Override
+	public boolean requested(REQD_TYPE requested) {
+		return (mask&requested.bit)==requested.bit;
+	}
+	
+	public void requested(REQD_TYPE requested, boolean b) {
+		if(b) {
+			mask|=requested.bit;
+		} else {
+			mask&=~requested.bit;
+		}
+	}
+	
+	private void requested(REQD_TYPE reqtype, HttpServletRequest req) {
+		String p = req.getParameter(reqtype.name());
+		if(p!=null) {
+			requested(reqtype,p.length()==0 || "true".equalsIgnoreCase(p));
+		}
+	}
+
+	@Override
+	public void setLur(Lur lur) {
+		this.lur = lur;
+	}
+	
+	@Override
+	public boolean fish(Permission p) {
+		if(lur!=null) {
+			return lur.fish(user, p);
+		}
+		return false;
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.env.test.AuthzTrans#org()
+	 */
+	@Override
+	public Organization org() {
+		if(org==null) {
+			try {
+				if((org = OrganizationFactory.obtain(env(), user()))==null) {
+					org = Organization.NULL;
+				}
+			} catch (Exception e) {
+				
+				org = Organization.NULL;
+			}
+		} 
+		return org;
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.env.test.AuthzTrans#logAuditTrailOnly(com.att.inno.env.LogTarget)
+	 */
+	@Override
+	public void logAuditTrail(LogTarget lt) {
+		if(lt.isLoggable()) {
+			StringBuilder sb = new StringBuilder();
+			auditTrail(1, sb);
+			lt.log(sb);
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.env.test.AuthzTrans#now()
+	 */
+	@Override
+	public Date now() {
+		if(now==null) {
+			now = new Date();
+		}
+		return now;
+	}
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/env/AuthzTransOnlyFilter.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/env/AuthzTransOnlyFilter.java
new file mode 100644
index 00000000..2488cc7e
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/env/AuthzTransOnlyFilter.java
@@ -0,0 +1,86 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.env;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.aaf.auth.rserv.TransOnlyFilter;
+import org.onap.aaf.cadi.principal.TaggedPrincipal;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans.Metric;
+
+public class AuthzTransOnlyFilter extends TransOnlyFilter<AuthzTrans> {
+	private AuthzEnv env;
+	public Metric serviceMetric;
+
+	public static final int BUCKETSIZE = 2;
+
+	public AuthzTransOnlyFilter(AuthzEnv env) {
+		this.env = env;
+		serviceMetric = new Metric();
+		serviceMetric.buckets = new float[BUCKETSIZE]; 
+	}
+	
+	@Override
+	protected AuthzTrans newTrans() {
+		return env.newTrans();
+	}
+
+	@Override
+	protected TimeTaken start(AuthzTrans trans, ServletRequest request) {
+		trans.set((HttpServletRequest)request);
+		return trans.start("Trans " + //(context==null?"n/a":context.toString()) +
+		" IP: " + trans.ip() +
+		" Port: " + trans.port()
+		, Env.SUB);
+	}
+
+	@Override
+	protected void authenticated(AuthzTrans trans, TaggedPrincipal p) {
+		trans.setUser(p);
+	}
+
+	@Override
+	protected void tallyHo(AuthzTrans trans) {
+		// Transaction is done, now post
+		StringBuilder sb = new StringBuilder("AuditTrail\n");
+		// We'll grab sub-metrics for Remote Calls and JSON
+		// IMPORTANT!!! if you add more entries here, change "BUCKETSIZE"!!!
+		Metric m = trans.auditTrail(1, sb, Env.REMOTE,Env.JSON);
+		// Add current Metrics to total metrics
+		serviceMetric.total+= m.total;
+		for(int i=0;i<serviceMetric.buckets.length;++i) {
+			serviceMetric.buckets[i]+=m.buckets[i];
+		}
+		// Log current info
+		sb.append("  Total: ");
+		sb.append(m.total);
+		sb.append(" Remote: ");
+		sb.append(m.buckets[0]);
+		sb.append(" JSON: ");
+		sb.append(m.buckets[1]);
+		trans.info().log(sb);
+	}
+
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/env/NullTrans.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/env/NullTrans.java
new file mode 100644
index 00000000..13f6551b
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/env/NullTrans.java
@@ -0,0 +1,234 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.env;
+
+import java.util.Date;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.cadi.Lur;
+import org.onap.aaf.cadi.Permission;
+import org.onap.aaf.cadi.principal.TaggedPrincipal;
+import org.onap.aaf.misc.env.Decryptor;
+import org.onap.aaf.misc.env.Encryptor;
+import org.onap.aaf.misc.env.LogTarget;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.StaticSlot;
+import org.onap.aaf.misc.env.TimeTaken;
+
+/**
+ * A NULL implementation of AuthzTrans, for use in DirectAAF Taf/Lurs
+ */
+public class NullTrans implements AuthzTrans {
+	private static final AuthzTrans singleton = new NullTrans();
+	
+	public static final AuthzTrans singleton() {
+		return singleton;
+	}
+
+	private Date now;
+	
+	public void checkpoint(String text) {}
+	public void checkpoint(String text, int additionalFlag) {}
+	public Metric auditTrail(int indent, StringBuilder sb, int... flag) {return null;}
+
+	@Override
+	public Metric auditTrail(LogTarget lt, int indent, StringBuilder sb, int... flag) {
+		return null;
+	}
+
+	public LogTarget fatal() {
+		return LogTarget.NULL;
+	}
+
+	public LogTarget error() {
+		return LogTarget.NULL;
+	}
+
+	public LogTarget audit() {
+		return LogTarget.NULL;
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.env.Env#init()
+	 */
+	@Override
+	public LogTarget init() {
+		return LogTarget.NULL;
+	}
+
+	public LogTarget warn() {
+		return LogTarget.NULL;
+	}
+
+	public LogTarget info() {
+		return LogTarget.NULL;
+	}
+
+	public LogTarget debug() {
+		return LogTarget.NULL;
+	}
+
+	public LogTarget trace() {
+		return LogTarget.NULL;
+	}
+
+	public TimeTaken start(String name, int flag) {
+		return new TimeTaken(name,flag) {
+			public void output(StringBuilder sb) {
+				sb.append(name);
+				sb.append(' ');
+				sb.append(millis());
+				sb.append("ms");
+			}
+		};
+	}
+
+	@Override
+	public String setProperty(String tag, String value) {
+		return value;
+	}
+
+	@Override
+	public String getProperty(String tag) {
+		return tag;
+	}
+
+	@Override
+	public String getProperty(String tag, String deflt) {
+		return deflt;
+	}
+
+	@Override
+	public Decryptor decryptor() {
+		return null;
+	}
+
+	@Override
+	public Encryptor encryptor() {
+		return null;
+	}
+	@Override
+	public AuthzTrans set(HttpServletRequest req) {
+		return null;
+	}
+
+	@Override
+	public String user() {
+		return null;
+	}
+
+	@Override
+	public TaggedPrincipal getUserPrincipal() {
+		return null;
+	}
+
+	@Override
+	public void setUser(TaggedPrincipal p) {
+	}
+	
+	@Override
+	public String ip() {
+		return null;
+	}
+
+	@Override
+	public int port() {
+		return 0;
+	}
+	@Override
+	public String meth() {
+		return null;
+	}
+
+	@Override
+	public String path() {
+		return null;
+	}
+
+	@Override
+	public void put(Slot slot, Object value) {
+	}
+	@Override
+	public <T> T get(Slot slot, T deflt) {
+		return null;
+	}
+	@Override
+	public <T> T get(StaticSlot slot, T dflt) {
+		return null;
+	}
+	@Override
+	public Slot slot(String name) {
+		return null;
+	}
+	@Override
+	public AuthzEnv env() {
+		return null;
+	}
+	@Override
+	public String agent() {
+		return null;
+	}
+
+	@Override
+	public void setLur(Lur lur) {
+	}
+
+	@Override
+	public boolean fish(Permission p) {
+		return false;
+	}
+
+	@Override
+	public Organization org() {
+		return Organization.NULL;
+	}
+
+	@Override
+	public void logAuditTrail(LogTarget lt) {
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.env.test.AuthzTrans#requested(org.onap.aaf.auth.env.test.AuthzTrans.REQD_TYPE)
+	 */
+	@Override
+	public boolean requested(REQD_TYPE requested) {
+		return false;
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.env.test.AuthzTrans#requested(org.onap.aaf.auth.env.test.AuthzTrans.REQD_TYPE, boolean)
+	 */
+	@Override
+	public void requested(REQD_TYPE requested, boolean b) {
+	}
+
+	@Override
+	public Date now() {
+		if(now==null) {
+			now = new Date();
+		}
+		return now;
+	}
+}
+
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/layer/DirectIntrospectImpl.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/layer/DirectIntrospectImpl.java
new file mode 100644
index 00000000..41f0e74a
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/layer/DirectIntrospectImpl.java
@@ -0,0 +1,26 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.layer;
+
+public class DirectIntrospectImpl {
+
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/layer/FacadeImpl.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/layer/FacadeImpl.java
new file mode 100644
index 00000000..81fc1e26
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/layer/FacadeImpl.java
@@ -0,0 +1,42 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.layer;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.misc.env.Data;
+import org.onap.aaf.misc.env.Data.TYPE;
+
+
+
+public abstract class FacadeImpl {
+	protected static final String IN = "in";
+
+	protected void setContentType(HttpServletResponse response, TYPE type) {
+		response.setContentType(type==Data.TYPE.JSON?"application/json":"text.xml");
+	}
+	
+	protected void setCacheControlOff(HttpServletResponse response) {
+		response.setHeader("Cache-Control", "no-store");
+		response.setHeader("Pragma", "no-cache");
+	}
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/layer/Result.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/layer/Result.java
new file mode 100644
index 00000000..e61cf2e8
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/layer/Result.java
@@ -0,0 +1,328 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.layer;
+
+import java.util.Collection;
+import java.util.List;
+import java.util.Set;
+
+
+/**
+ * It would be nice if Java Enums were extensible, but they're not.
+ * 
+ * @author Jonathan
+ *
+ */
+public class Result<RV> {
+    private static final String SUCCESS = "Success";
+    public static final String[] EMPTY_VARS = new String[0];
+
+	public final static int OK=0,
+							ERR_Security 				= 1,
+							ERR_Denied 					= 2,
+							ERR_Policy 					= 3,
+							ERR_BadData 				= 4,
+							ERR_NotImplemented 			= 5,
+    	    				ERR_NotFound 				= 6,
+    						ERR_ConflictAlreadyExists 	= 7,
+    						ERR_ActionNotCompleted 		= 8,
+							ERR_Backend					= 9,
+							ERR_General					= 20;
+							
+	public final RV value;
+	public final int status;
+	public final String details;
+	public final String[] variables;
+	
+	protected Result(RV value, int status, String details, String[] variables) {
+		this.value = value;
+	    if(value==null) {
+		specialCondition|=EMPTY_LIST;
+	    }
+	    this.status = status;
+	    this.details = details;
+	    if(variables==null) {
+		    this.variables = EMPTY_VARS;
+	    } else {
+	    	this.variables=variables;
+	    }
+	}
+	
+    /**
+     * Create a Result class with "OK" status and "Success" for details
+     * 
+     * This is the easiest to use
+     * 
+     * @param value
+     * @param status
+     * @return
+     */
+    public static<R> Result<R> ok(R value) {
+    	return new Result<R>(value,OK,SUCCESS,null);
+    }
+
+    /**
+     * Accept Arrays and mark as empty or not
+     * @param value
+     * @return
+     */
+    public static<R> Result<R[]> ok(R value[]) {
+    	return new Result<R[]>(value,OK,SUCCESS,null).emptyList(value.length==0);
+    }
+
+    /**
+     * Accept Sets and mark as empty or not
+     * @param value
+     * @return
+     */
+    public static<R> Result<Set<R>> ok(Set<R> value) {
+    	return new Result<Set<R>>(value,OK,SUCCESS,null).emptyList(value.size()==0);
+    }
+
+    /**
+     * Accept Lists and mark as empty or not
+     * @param value
+     * @return
+     */
+    public static<R> Result<List<R>> ok(List<R> value) {
+    	return new Result<List<R>>(value,OK,SUCCESS,null).emptyList(value.size()==0);
+    }
+
+    /**
+     * Accept Collections and mark as empty or not
+     * @param value
+     * @return
+     */
+    public static<R> Result<Collection<R>> ok(Collection<R> value) {
+    	return new Result<Collection<R>>(value,OK,SUCCESS,null).emptyList(value.size()==0);
+    }
+
+
+    /**
+     * Special Case for Void Type
+     * @return
+     */
+    public static Result<Void> ok() {
+    	return new Result<Void>(null,OK,SUCCESS,null);
+    }
+
+    /**
+     * Create a Status (usually non OK, with a details statement 
+     * @param value
+     * @param status
+     * @param details
+     * @return
+     */
+//    public static<R> Result<R> err(int status, String details) {
+//    	return new Result<R>(null,status,details,null);
+//    }
+    
+    /**
+     * Create a Status (usually non OK, with a details statement and variables supported
+     * @param status
+     * @param details
+     * @param variables
+     * @return
+     */
+    public static<R> Result<R> err(int status, String details, String ... variables) {
+    	return new Result<R>(null,status,details,variables);
+    }
+
+    /**
+     * Create Error from status and Details of previous Result (and not data)
+     * @param pdr
+     * @return
+     */
+    public static<R> Result<R> err(Result<?> pdr) {
+		return new Result<R>(null,pdr.status,pdr.details,pdr.variables);
+	}
+
+    /**
+     * Create General Error from Exception
+     * @param e
+     * @return
+     */
+	public static<R> Result<R> err(Exception e) {
+		return new Result<R>(null,ERR_General,e.getMessage(),EMPTY_VARS);
+	}
+
+	/**
+     * Create a Status (usually non OK, with a details statement 
+     * @param value
+     * @param status
+     * @param details
+     * @return
+     */
+    public static<R> Result<R> create(R value, int status, String details, String ... vars) {
+    	return new Result<R>(value,status,details,vars);
+    }
+
+    /**
+     * Create a Status from a previous status' result/details 
+     * @param value
+     * @param status
+     * @param details
+     * @return
+     */
+    public static<R> Result<R> create(R value, Result<?> result) {
+    	return new Result<R>(value,result.status,result.details,result.variables);
+    }
+
+    private static final int PARTIAL_CONTENT = 0x001;
+    private static final int EMPTY_LIST = 0x002;
+    
+    /**
+	 * AAF Specific problems, etc 
+	 * 
+	 * @author Jonathan
+	 *
+	 */
+
+    /**
+     * specialCondition  is a bit field to enable multiple conditions, e.g. PARTIAL_CONTENT
+     */
+    private      int  specialCondition = 0;
+
+
+    /**
+     * Is result set only partial results, i.e. the DAO clipped the real result set to a smaller number.
+     * @return  true iff result returned PARTIAL_CONTENT
+     */
+    public boolean partialContent() {
+        return (specialCondition & PARTIAL_CONTENT) == PARTIAL_CONTENT;
+    }
+
+    /**
+     * Set fact that result set only returned partial results, i.e. the DAO clipped the real result set to a smaller number.
+     * @param hasPartialContent         set true iff result returned PARTIAL_CONTENT
+     * @return   this Result object, so you can chain calls, in builder style
+     */
+    public Result<RV> partialContent(boolean hasPartialContent) {
+        if (hasPartialContent) {
+	    specialCondition |= PARTIAL_CONTENT;
+	} else {
+	    specialCondition &= (~PARTIAL_CONTENT);
+	}
+        return this;
+    }
+
+    /**
+     * When Result is a List, you can check here to see if it's empty instead of looping
+     * 
+     * @return
+     */
+    public boolean isEmpty() {
+    	return (specialCondition & EMPTY_LIST) == EMPTY_LIST;
+    }
+
+    /**
+     * A common occurrence is that data comes back, but list is empty.  If set, you can skip looking
+     * at list at the outset.
+     * 
+     * @param emptyList
+     * @return
+     */
+    public Result<RV> emptyList(boolean emptyList) {
+    	if (emptyList) {
+    		specialCondition |= EMPTY_LIST;
+    	} else {
+    		specialCondition &= (~EMPTY_LIST);
+    	}
+        return this;
+    }
+
+    
+    /** 
+     * Convenience function.  Checks OK, and also if List is not Empty
+     * Not valid if Data is not a List
+     * @return
+     */
+    public boolean isOK() {
+    	return status == OK;
+    }
+
+    /** 
+     * Convenience function.  Checks OK, and also if List is not Empty
+     * Not valid if Data is not a List
+     * @return
+     */
+    public boolean notOK() {
+    	return status != OK;
+    }
+
+    /** 
+     * Convenience function.  Checks OK, and also if List is not Empty
+     * Not valid if Data is not a List
+     * @return
+     */
+    public boolean isOKhasData() {
+    	return status == OK && (specialCondition & EMPTY_LIST) != EMPTY_LIST;
+    }
+
+
+    /** 
+     * Convenience function.  Checks OK, and also if List is not Empty
+     * Not valid if Data is not a List
+     * @return
+     */
+    public boolean notOKorIsEmpty() {
+    	return status != OK || (specialCondition & EMPTY_LIST) == EMPTY_LIST;
+    }
+
+    @Override
+    public String toString() {
+    	if(status==0) {
+    		return details;
+    	} else {
+	    	StringBuilder sb = new StringBuilder();
+	    	sb.append(status);
+	    	sb.append(':');
+	    	sb.append(String.format(details,((Object[])variables)));
+	    	if(isEmpty()) {
+	    		sb.append("{empty}");
+	    	}
+	    	if(value!=null) {
+		    	sb.append('-');
+		    	sb.append(value.toString());
+	    	}
+	    	return sb.toString();
+    	}
+    }
+    
+    public String errorString() {
+    	StringBuilder sb = new StringBuilder();
+    	switch(status) {
+    		case 1: sb.append("Security"); break;
+    		case 2: sb.append("Denied"); break;
+    		case 3: sb.append("Policy"); break;
+    		case 4: sb.append("BadData"); break;
+    		case 5: sb.append("NotImplemented"); break;
+    		case 6: sb.append("NotFound"); break;
+    		case 7: sb.append("AlreadyExists"); break;
+    		case 8: sb.append("ActionNotComplete"); break;
+    		default: sb.append("Error");
+    	}
+    	sb.append(" - ");
+    	sb.append(String.format(details, (Object[])variables));
+    	return sb.toString();
+    }
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/local/AbsData.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/local/AbsData.java
new file mode 100644
index 00000000..40e0b22c
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/local/AbsData.java
@@ -0,0 +1,206 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.local;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.RandomAccessFile;
+import java.util.Iterator;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.local.DataFile.Token;
+import org.onap.aaf.auth.local.DataFile.Token.Field;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+
+public abstract class AbsData implements Iterable<String> {
+	protected DataFile data;
+	protected TextIndex ti;
+	private File dataf,idxf,lockf;
+	private String name;
+	private char delim;
+	private int maxLineSize;
+	private int fieldOffset;
+	private int skipLines;
+
+	public AbsData(File dataf,char sepChar, int maxLineSize, int fieldOffset) {
+		File dir = dataf.getParentFile();
+		int dot = dataf.getName().lastIndexOf('.');
+		name = dataf.getName().substring(0,dot);
+
+		this.dataf=dataf;
+		this.delim = sepChar;
+		this.maxLineSize = maxLineSize;
+		this.fieldOffset = fieldOffset;
+		idxf = new File(dir,name.concat(".idx"));
+		lockf = new File(dir,name.concat(".lock"));
+		
+		
+		data = new DataFile(dataf,"r");
+		ti = new TextIndex(idxf);
+		skipLines=0;
+	}
+	
+	public void skipLines(int lines) {
+		skipLines=lines;
+	}
+	
+	public String name() {
+		return name;
+	}
+	
+	public void open(AuthzTrans trans, long timeout) throws IOException {
+		TimeTaken tt = trans.start("Open Data File", Env.SUB);
+		boolean opened = false, first = true;
+		try {
+				if(!dataf.exists()) {
+					throw new FileNotFoundException("Data File Missing:" + dataf.getCanonicalPath());
+				}
+				long begin = System.currentTimeMillis();
+				long end = begin+timeout;
+				boolean exists;
+				while((exists=lockf.exists()) && begin<end) {
+					if(first) {
+						trans.warn().log("Waiting for",lockf.getCanonicalPath(),"to close");
+						first = false;
+					} 
+					try {
+						Thread.sleep(200);
+					} catch (InterruptedException e) {
+						break;
+					}
+					begin = System.currentTimeMillis();
+				}
+				if(exists) {
+					throw new IOException(lockf.getCanonicalPath() + "exists.  May not open Datafile");
+				}
+				data.open();
+				try {
+					ensureIdxGood(trans);
+				} catch (IOException e) {
+					data.close();
+					throw e;
+				}
+				ti.open();
+				opened = true;
+			
+		} finally {
+			tt.done();
+		}
+		if(!opened) {
+			throw new IOException("DataFile pair for " + name + " was not able to be opened in " + timeout + "ms");
+		}
+	}
+	
+	private synchronized void ensureIdxGood(AuthzTrans trans) throws IOException {
+		if(!idxf.exists() || idxf.length()==0 || dataf.lastModified()>idxf.lastModified()) {
+			trans.warn().log(idxf.getAbsolutePath(),"is missing, empty or out of date, creating");
+			RandomAccessFile raf = new RandomAccessFile(lockf, "rw");
+			try {
+				ti.create(trans, data, maxLineSize, delim, fieldOffset, skipLines);
+				if(!idxf.exists() || (idxf.length()==0 && dataf.length()!=0)) {
+					throw new IOException("Data Index File did not create correctly");
+				}
+			} finally {
+				raf.close();
+				lockf.delete();
+			}
+		}
+	}
+
+	public void close(AuthzTrans trans) throws IOException {
+		ti.close();
+		data.close();
+	}
+	
+	public class Reuse {
+		public Token tokenData;
+		private Field fieldData;
+
+		private Reuse(int size,char delim) {
+			tokenData = data.new Token(size);
+			fieldData = tokenData.new Field(delim);
+		}
+		
+		public void reset() {
+			getFieldData().reset();
+		}
+
+		public void pos(int rec) {
+			getFieldData().reset();
+			tokenData.pos(rec);
+		}
+
+		public String next() {
+			return getFieldData().next();
+		}
+		
+		public String at(int field) {
+			return getFieldData().at(field);
+		}
+
+		public String atToEnd(int field) {
+			return getFieldData().atToEnd(field);
+		}
+
+		public Field getFieldData() {
+			return fieldData;
+		}
+	}
+	
+	public Reuse reuse() {
+		return new Reuse(maxLineSize,delim);
+	}
+
+	public Iter iterator() {
+		return new Iter();
+	}
+	
+	public class Iter implements Iterator<String> {
+		private Reuse reuse;
+		private org.onap.aaf.auth.local.TextIndex.Iter tii;
+
+		public Iter() {
+			reuse = reuse();
+			tii = ti.new Iter();
+		}
+
+		@Override
+		public boolean hasNext() {
+			return tii.hasNext();
+		}
+
+		@Override
+		public String next() {
+			reuse.reset();
+			int rec = tii.next();
+			reuse.pos(rec);
+			return reuse.at(0);
+		}
+
+		@Override
+		public void remove() {
+			// read only
+		}
+	}
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/local/DataFile.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/local/DataFile.java
new file mode 100644
index 00000000..bb9fb1fd
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/local/DataFile.java
@@ -0,0 +1,190 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.local;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.RandomAccessFile;
+import java.nio.ByteBuffer;
+import java.nio.IntBuffer;
+import java.nio.MappedByteBuffer;
+import java.nio.channels.FileChannel;
+import java.nio.channels.FileChannel.MapMode;
+
+public class DataFile {
+	private RandomAccessFile rafile;
+	private FileChannel channel;
+	public MappedByteBuffer mapBuff;
+	private final File file;
+	private final String access;
+	
+	public DataFile(File file, String access)  {
+		this.file = file;
+		this.access = access;
+	}
+	public void open() throws IOException {
+		if(!file.exists()) throw new FileNotFoundException();
+		rafile = new RandomAccessFile(file,access);
+		channel = rafile.getChannel();
+		mapBuff = channel.map("r".equals(access)?MapMode.READ_ONLY:MapMode.READ_WRITE,0,channel.size());
+	}
+	public boolean isOpened() {
+		return mapBuff!=null;
+	}
+	public void close() throws IOException {
+		if(channel!=null){
+			channel.close();
+		}
+		if(rafile!=null) {
+			rafile.close();
+		}
+		mapBuff = null;
+	}
+
+	public long size() throws IOException {
+		return channel==null?0:channel.size();
+	}
+
+	private synchronized int load(Token t) {
+		int len = Math.min(mapBuff.limit()-t.next,t.buff.length);
+		if(len>0) {
+			mapBuff.position(t.next);
+			mapBuff.get(t.buff,0,len);
+		}
+		return len<0?0:len;
+	}
+	
+	public class Token {
+		private byte[] buff;
+		int pos, next, end;
+		
+		public Token(int size) {
+			buff = new byte[size];
+			pos = next = end = 0;
+		}
+		
+		public boolean pos(int to) {
+			pos = next = to;
+			return (end=load(this))>0;
+		}
+		
+		public boolean nextLine() {
+			end = load(this);
+			pos = next;
+			for(int i=0;i<end;++i) {
+				if(buff[i]=='\n') {
+					end = i;
+					next += i+1;
+					return true;
+				}
+			}
+			return false;
+		}
+		
+		public IntBuffer getIntBuffer() {
+			return ByteBuffer.wrap(buff).asIntBuffer();
+		}
+
+		public String toString() {
+			return new String(buff,0,end);
+		}
+		
+		public class Field {
+			char delim;
+			int idx;
+			ByteBuffer bb;
+
+			public Field(char delimiter) {
+				delim = delimiter;
+				idx = 0;
+				bb = null;
+			}
+			
+			public Field reset() {
+				idx = 0;
+				return this;
+			}
+			
+			public String next() {
+				if(idx>=end)return null;
+				int start = idx;
+				byte c=0;
+				int endStr = -1;
+				while(idx<end && idx<buff.length && (c=buff[idx])!=delim && c!='\n') { // for DOS
+					if(c=='\r')endStr=idx;
+					++idx;
+				}
+				
+				if(endStr<0) {
+					endStr=idx-start;
+				} else {
+					endStr=endStr-start;
+				}
+				++idx;
+				return new String(buff,start,endStr);
+			}
+
+			public String at(int fieldOffset) {
+				int start;
+				byte c=0;
+				for(int count = idx = start = 0; idx<end && idx<buff.length; ++idx) {
+					if((c=buff[idx])==delim || c=='\n') {
+						if(count++ == fieldOffset) {
+							break;
+						}
+						start = idx+1;
+					}
+				}
+				return new String(buff,start,(idx-start-(c=='\r'?1:0)));
+			}
+			
+			public String atToEnd(int fieldOffset) {
+				int start;
+				byte c=0;
+				for(int count = idx = start = 0; idx<end && idx<buff.length; ++idx) {
+					if((c=buff[idx])==delim || c=='\n') {
+						if(count++ == fieldOffset) {
+							break;
+						}
+						start = idx+1;
+					}
+				}
+				
+				for(; idx<end && idx<buff.length && (c=buff[idx])!='\n'; ++idx) {
+					++idx;
+				}
+				return new String(buff,start,(idx-start-((c=='\r' || idx>=end)?1:0)));
+			}
+
+		}
+
+		public int pos() {
+			return pos;
+		}
+	}
+
+	public File file() {
+		return file;
+	}
+	
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/local/TextIndex.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/local/TextIndex.java
new file mode 100644
index 00000000..5169cf88
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/local/TextIndex.java
@@ -0,0 +1,256 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.local;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.RandomAccessFile;
+import java.nio.ByteBuffer;
+import java.nio.IntBuffer;
+import java.nio.channels.FileChannel;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.LinkedList;
+import java.util.List;
+
+import org.onap.aaf.auth.local.DataFile.Token;
+import org.onap.aaf.auth.local.DataFile.Token.Field;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+
+public class TextIndex {
+	private static final int REC_SIZE=8;
+	
+	private File file;
+	private DataFile dataFile=null;
+	
+	public TextIndex(File theFile) {
+		file = theFile;
+	}
+	
+	public void open() throws IOException {
+		dataFile = new DataFile(file,"r");
+		dataFile.open();
+	}
+	
+	public void close() throws IOException {
+		if(dataFile!=null) {
+			dataFile.close();
+			dataFile=null;
+		}
+	}
+
+	public int find(Object key, AbsData.Reuse reuse, int offset) throws IOException {
+		return find(key,reuse.tokenData,reuse.getFieldData(),offset);
+	}
+	
+	public int find(Object key, DataFile.Token dtok, Field df, int offset) throws IOException {
+		if(dataFile==null) {
+			throw new IOException("File not opened");
+		}
+		long hash = hashToLong(key.hashCode());
+		int min=0, max = (int)(dataFile.size()/REC_SIZE);
+		Token ttok = dataFile.new Token(REC_SIZE);
+		IntBuffer tib = ttok.getIntBuffer();
+		long lhash;
+		int curr;
+		while((max-min)>100) {
+			ttok.pos((curr=(min+(max-min)/2))*REC_SIZE);
+			tib.rewind();
+			lhash = hashToLong(tib.get());
+			if(lhash<hash) {
+				min=curr+1;
+			} else if(lhash>hash) {
+				max=curr-1;
+			} else {
+				min=curr-40;
+				max=curr+40;
+				break;
+			}
+		}
+		
+		List<Integer> entries = new ArrayList<Integer>();
+		for(int i=min;i<=max;++i) {
+			ttok.pos(i*REC_SIZE);
+			tib.rewind();
+			lhash = hashToLong(tib.get());
+			if(lhash==hash) {
+				entries.add(tib.get());
+			} else if(lhash>hash) {
+				break;
+			}
+		}
+		
+		for(Integer i : entries) {
+			dtok.pos(i);
+			if(df.at(offset).equals(key)) {
+				return i;
+			}
+		}
+		return -1;
+	}
+	
+
+	/*
+	 * Have to change Bytes into a Long, to avoid the inevitable signs in the Hash
+	 */
+	private static long hashToLong(int hash) {
+		long rv;
+		if(hash<0) {
+			rv = 0xFFFFFFFFL & hash;
+		} else {
+			rv = hash;
+		}
+		return rv;
+	}
+	
+	public void create(final Trans trans,final DataFile data, int maxLine, char delim, int fieldOffset, int skipLines) throws IOException {
+		RandomAccessFile raf;
+		FileChannel fos;
+		
+		List<Idx> list = new LinkedList<Idx>(); // Some hashcodes will double... DO NOT make a set
+		TimeTaken tt2 = trans.start("Open Files", Env.SUB);
+		try {
+			raf = new RandomAccessFile(file,"rw");
+			raf.setLength(0L);
+			fos = raf.getChannel();
+		} finally {
+			tt2.done();
+		}
+		
+		try {
+			
+			Token t = data.new Token(maxLine);  
+			Field f = t.new Field(delim);
+			
+			int count = 0;
+			if(skipLines>0) {
+				trans.info().log("Skipping",skipLines,"line"+(skipLines==1?" in":"s in"),data.file().getName());
+			}
+			for(int i=0;i<skipLines;++i) {
+				t.nextLine();
+			}
+			tt2 = trans.start("Read", Env.SUB);
+			try {
+				while(t.nextLine()) {
+					list.add(new Idx(f.at(fieldOffset),t.pos()));
+					++count;
+				}
+			} finally {
+				tt2.done();
+			}
+			trans.checkpoint("    Read " + count + " records");
+			tt2 = trans.start("Sort List", Env.SUB);
+			Collections.sort(list);
+			tt2.done();
+			tt2 = trans.start("Write Idx", Env.SUB);
+			try {
+				ByteBuffer bb = ByteBuffer.allocate(8*1024);
+				IntBuffer ib = bb.asIntBuffer();
+				for(Idx idx : list) {
+					if(!ib.hasRemaining()) {
+						fos.write(bb);
+						ib.clear();
+						bb.rewind();
+					}
+					ib.put(idx.hash);
+					ib.put(idx.pos);
+				}
+				bb.limit(4*ib.position());
+				fos.write(bb);
+			} finally {
+				tt2.done();
+			}
+		} finally {
+			fos.close();
+			raf.close();
+		}
+	}
+	
+	public class Iter {
+		private int idx;
+		private Token t;
+		private long end;
+		private IntBuffer ib;
+
+
+		public Iter() {
+			try {
+				idx = 0;
+				end = dataFile.size();
+				t  = dataFile.new Token(REC_SIZE);
+				ib = t.getIntBuffer();
+
+			} catch (IOException e) {
+				end = -1L;
+			}
+		}
+		
+		public int next() {
+			t.pos(idx);
+			ib.clear();
+			ib.get();
+			int rec = ib.get();
+			idx += REC_SIZE;
+			return rec;
+		}
+
+		public boolean hasNext() {
+			return idx<end;
+		}
+	}
+	
+	private static class Idx implements Comparable<Idx> {
+		public int hash, pos;
+		public Idx(Object obj, int pos) {
+			hash = obj.hashCode();
+			this.pos = pos;
+		}
+		
+		@Override
+		public int compareTo(Idx ib) {
+			long a = hashToLong(hash);
+			long b = hashToLong(ib.hash);
+			return a>b?1:a<b?-1:0;
+		}
+
+		/* (non-Javadoc)
+		 * @see java.lang.Object#equals(java.lang.Object)
+		 */
+		@Override
+		public boolean equals(Object o) {
+			if(o!=null && o instanceof Idx) {
+				return hash == ((Idx)o).hash;
+			}
+			return false;
+		}
+
+		/* (non-Javadoc)
+		 * @see java.lang.Object#hashCode()
+		 */
+		@Override
+		public int hashCode() {
+			return hash;
+		}
+	}
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/org/EmailWarnings.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/org/EmailWarnings.java
new file mode 100644
index 00000000..8360ffcb
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/org/EmailWarnings.java
@@ -0,0 +1,33 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.org;
+
+public interface EmailWarnings
+{
+    public long credExpirationWarning();
+    public long roleExpirationWarning();
+    public long credEmailInterval();
+    public long roleEmailInterval();
+    public long apprEmailInterval();
+    public long emailUrgentWarning();
+
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/org/Executor.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/org/Executor.java
new file mode 100644
index 00000000..a839ae73
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/org/Executor.java
@@ -0,0 +1,34 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.org;
+
+public interface Executor {
+	// remove User from user/Role
+	// remove user from Admins
+	// if # of Owners > 1, remove User from Owner
+	// if # of Owners = 1, changeOwner to X  Remove Owner????
+	boolean hasPermission(String user, String ns, String type, String instance, String action); 
+	boolean inRole(String name);
+	
+	public String namespace() throws Exception;
+	public String id();
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/org/Organization.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/org/Organization.java
new file mode 100644
index 00000000..6d7a3586
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/org/Organization.java
@@ -0,0 +1,515 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.org;
+
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.GregorianCalendar;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+
+/**
+ * Organization
+ * 
+ * There is Organizational specific information required which we have extracted to a plugin
+ * 
+ * It supports using Company Specific User Directory lookups, as well as supporting an
+ * Approval/Validation Process to simplify control of Roles and Permissions for large organizations
+ * in lieu of direct manipulation by a set of Admins. 
+ *  
+ * @author Jonathan
+ *
+ */
+public interface Organization {
+	public static final String N_A = "n/a";
+
+	public interface Identity {
+		public String id();
+		public String fullID() throws OrganizationException; // Fully Qualified ID (includes Domain of Organization)
+		public String type(); 				// Must be one of "IdentityTypes", see below
+		public Identity responsibleTo() throws OrganizationException; 		// Chain of Command, or Application ID Sponsor
+		public List<String> delegate(); 		// Someone who has authority to act on behalf of Identity
+		public String email();
+		public String fullName();
+		public String firstName();
+		/**
+		 * If Responsible entity, then String returned is "null"  meaning "no Objection".  
+		 * If String exists, it is the Policy objection text setup by the entity.
+		 * @return
+		 */
+		public String mayOwn();			// Is id passed belong to a person suitable to be Responsible for content Management
+		public boolean isFound();				// Is Identity found in Identity stores
+		public boolean isPerson();				// Whether a Person or a Machine (App)
+		public Organization org(); 				// Organization of Identity
+
+	}
+
+
+	/**
+	 * Name of Organization, suitable for Logging
+	 * @return
+	 */
+	public String getName();
+
+	/**
+	 * Realm, for use in distinguishing IDs from different systems/Companies
+	 * @return
+	 */
+	public String getRealm();
+
+	String getDomain();
+
+	/**
+	 * Get Identity information based on userID
+	 * 
+	 * @param id
+	 * @return
+	 */
+	public Identity getIdentity(AuthzTrans trans, String id) throws OrganizationException;
+	
+
+	/**
+	 * Does the ID pass Organization Standards
+	 * 
+	 * Return a Blank (empty) String if empty, otherwise, return a "\n" separated list of 
+	 * reasons why it fails
+	 * 
+	 * @param id
+	 * @return
+	 */
+	public String isValidID(AuthzTrans trans, String id);
+
+	/**
+	 * Return a Blank (empty) String if empty, otherwise, return a "\n" separated list of 
+	 * reasons why it fails
+	 *  
+	 *  Identity is passed in to allow policies regarding passwords that are the same as user ID
+	 *  
+	 *  any entries for "prev" imply a reset
+	 *  
+	 * @param id
+	 * @param password
+	 * @return
+	 */
+	public String isValidPassword(final AuthzTrans trans, final String id, final String password, final String ... prev);
+
+    /**
+	 * Return a list of Strings denoting Organization Password Rules, suitable for posting on a WebPage with <p>
+	 */
+	public String[] getPasswordRules();
+
+	/**
+	 * 
+	 * @param id
+	 * @return
+	 */
+	public boolean isValidCred(final AuthzTrans trans, final String id);
+
+	/**
+	 * If response is Null, then it is valid.  Otherwise, the Organization specific reason is returned.
+	 *  
+	 * @param trans
+	 * @param policy
+	 * @param executor
+	 * @param vars
+	 * @return
+	 * @throws OrganizationException
+	 */
+	public String validate(AuthzTrans trans, Policy policy, Executor executor, String ... vars) throws OrganizationException;
+
+	/**
+	 * Does your Company distinguish essential permission structures by kind of Identity?
+	 * i.e. Employee, Contractor, Vendor 
+	 * @return
+	 */
+	public Set<String> getIdentityTypes();
+
+	public enum Notify {
+		Approval(1),
+		PasswordExpiration(2),
+        RoleExpiration(3);
+
+		final int id;
+		Notify(int id) {this.id = id;}
+		public int getValue() {return id;}
+		public static Notify from(int type) {
+			for(Notify t : Notify.values()) {
+				if(t.id==type) {
+					return t;
+				}
+			}
+			return null;
+		}
+	}
+
+	public enum Response{
+		OK,
+		ERR_NotImplemented,
+		ERR_UserNotExist,
+		ERR_NotificationFailure,
+		};
+		
+	public enum Expiration {
+		Password,
+		TempPassword, 
+		Future,
+		UserInRole,
+		UserDelegate, 
+		ExtendPassword
+	}
+	
+	public enum Policy {
+		CHANGE_JOB, 
+		LEFT_COMPANY, 
+		CREATE_MECHID, 
+		CREATE_MECHID_BY_PERM_ONLY,
+		OWNS_MECHID,
+		AS_RESPONSIBLE, 
+		MAY_EXTEND_CRED_EXPIRES,
+		MAY_APPLY_DEFAULT_REALM
+	}
+	
+	/**
+	 * Notify a User of Action or Info
+	 * 
+	 * @param type
+	 * @param url
+	 * @param users (separated by commas)
+	 * @param ccs (separated by commas)
+	 * @param summary
+	 */
+
+    public Response notify(AuthzTrans trans, Notify type, String url, String ids[], String ccs[], String summary, Boolean urgent);
+
+	/**
+	 * (more) generic way to send an email
+	 * 
+	 * @param toList
+	 * @param ccList
+	 * @param subject
+	 * @param body
+	 * @param urgent
+	 */
+
+	public int sendEmail(AuthzTrans trans, List<String> toList, List<String> ccList, String subject, String body, Boolean urgent) throws OrganizationException;
+
+	/**
+	 * whenToValidate
+	 * 
+	 * Authz support services will ask the Organization Object at startup when it should
+	 * kickoff Validation processes given particular types. 
+	 * 
+	 * This allows the Organization to express Policy
+	 * 
+	 * Turn off Validation behavior by returning "null"
+	 * 
+	 */
+	public Date whenToValidate(Notify type, Date lastValidated);
+
+	
+	/**
+	 * Expiration
+	 * 
+	 * Given a Calendar item of Start (or now), set the Expiration Date based on the Policy
+	 * based on type.
+	 * 
+	 * For instance, "Passwords expire in 3 months"
+	 * 
+	 * The Extra Parameter is used by certain Orgs.
+	 * 
+	 * For Password, the extra is UserID, so it can check the User Type
+	 * 
+	 * @param gc
+	 * @param exp
+	 * @return
+	 */
+	public GregorianCalendar expiration(GregorianCalendar gc, Expiration exp, String ... extra);
+	
+	/**
+	 * Get Email Warning timing policies
+	 * @return
+	 */
+	public EmailWarnings emailWarningPolicy();
+
+	/**
+	 * 
+	 * @param trans
+	 * @param user
+	 * @return
+	 */
+	public List<Identity> getApprovers(AuthzTrans trans, String user) throws OrganizationException ;
+	
+	/*
+	 * 
+	 * @param user
+	 * @param type
+	 * @param users
+	 * @return
+	public Response notifyRequest(AuthzTrans trans, String user, Approval type, List<User> approvers);
+	*/
+	
+	/**
+	 * 
+	 * @return
+	 */
+	public String getApproverType();
+
+	/*
+	 * startOfDay - define for company what hour of day business starts (specifically for password and other expiration which
+	 *   were set by Date only.)
+	 *    
+	 * @return
+	 */
+	public int startOfDay();
+
+    /**
+     * implement this method to support any IDs that can have multiple entries in the cred table
+     * NOTE: the combination of ID/expiration date/(encryption type when implemented) must be unique.
+     * 		 Since expiration date is based on startOfDay for your company, you cannot create many
+     * 		 creds for the same ID in the same day.
+     * @param id
+     * @return
+     */
+    public boolean canHaveMultipleCreds(String id);
+    
+    boolean isTestEnv();
+
+	public void setTestMode(boolean dryRun);
+
+	public static final Organization NULL = new Organization() 
+	{
+		private final GregorianCalendar gc = new GregorianCalendar(1900, 1, 1);
+		private final List<Identity> nullList = new ArrayList<Identity>();
+		private final Set<String> nullStringSet = new HashSet<String>();
+		private String[] nullStringArray = new String[0];
+		private final Identity nullIdentity = new Identity() {
+			List<String> nullUser = new ArrayList<String>();
+			@Override
+			public String type() {
+				return N_A;
+			}
+
+			@Override
+			public String mayOwn() {
+				return N_A; // negative case
+			}
+			
+			@Override
+			public boolean isFound() {
+				return false;
+			}
+			
+			@Override
+			public String id() {
+				return N_A;
+			}
+			
+			@Override
+			public String fullID() {
+				return N_A;
+			}
+			
+			@Override
+			public String email() {
+				return N_A;
+			}
+			
+			@Override
+			public List<String> delegate() {
+				return nullUser;
+			}
+			@Override
+			public String fullName() {
+				return N_A;
+			}
+			@Override
+			public Organization org() {
+				return NULL;
+			}
+			@Override
+			public String firstName() {
+				return N_A;
+			}
+			@Override
+			public boolean isPerson() {
+				return false;
+			}
+
+			@Override
+			public Identity responsibleTo() {
+				return null;
+			}
+		};
+		@Override
+		public String getName() {
+			return N_A;
+		}
+	
+		@Override
+		public String getRealm() {
+			return N_A;
+		}
+	
+		@Override
+		public String getDomain() {
+			return N_A;
+		}
+	
+		@Override
+		public Identity getIdentity(AuthzTrans trans, String id) {
+			return nullIdentity;
+		}
+	
+		@Override
+		public String isValidID(final AuthzTrans trans, String id) {
+			return N_A;
+		}
+	
+		@Override
+		public String isValidPassword(final AuthzTrans trans, final String user, final String password, final String... prev) {
+			return N_A;
+		}
+	
+		@Override
+		public Set<String> getIdentityTypes() {
+			return nullStringSet;
+		}
+	
+		@Override
+		public Response notify(AuthzTrans trans, Notify type, String url,
+				String[] users, String[] ccs, String summary, Boolean urgent) {
+			return Response.ERR_NotImplemented;
+		}
+	
+		@Override
+		public int sendEmail(AuthzTrans trans, List<String> toList, List<String> ccList,
+				String subject, String body, Boolean urgent) throws OrganizationException {
+			return 0;
+		}
+	
+		@Override
+		public Date whenToValidate(Notify type, Date lastValidated) {
+			return gc.getTime();
+		}
+	
+		@Override
+		public GregorianCalendar expiration(GregorianCalendar gc,
+				Expiration exp, String... extra) {
+			return gc;
+		}
+	
+		@Override
+		public List<Identity> getApprovers(AuthzTrans trans, String user)
+				throws OrganizationException {
+			return nullList;
+		}
+	
+		@Override
+		public String getApproverType() {
+			return "";
+		}
+	
+		@Override
+		public int startOfDay() {
+			return 0;
+		}
+	
+		@Override
+		public boolean canHaveMultipleCreds(String id) {
+			return false;
+		}
+	
+		@Override
+		public boolean isValidCred(final AuthzTrans trans, final String id) {
+			return false;
+		}
+	
+		@Override
+		public String validate(AuthzTrans trans, Policy policy, Executor executor, String ... vars)
+				throws OrganizationException {
+			return "Null Organization rejects all Policies";
+		}
+	
+		@Override
+		public boolean isTestEnv() {
+			return false;
+		}
+	
+		@Override
+		public void setTestMode(boolean dryRun) {
+		}
+
+		@Override
+		public EmailWarnings emailWarningPolicy() {
+			return new EmailWarnings() {
+
+				@Override
+			    public long credEmailInterval()
+			    {
+			        return 604800000L; // 7 days in millis 1000 * 86400 * 7
+			    }
+			    
+				@Override
+			    public long roleEmailInterval()
+			    {
+			        return 604800000L; // 7 days in millis 1000 * 86400 * 7
+			    }
+				
+				@Override
+				public long apprEmailInterval() {
+			        return 259200000L; // 3 days in millis 1000 * 86400 * 3
+				}
+			    
+				@Override
+			    public long  credExpirationWarning()
+			    {
+			        return( 2592000000L ); // One month, in milliseconds 1000 * 86400 * 30  in milliseconds
+			    }
+			    
+				@Override
+			    public long roleExpirationWarning()
+			    {
+			        return( 2592000000L ); // One month, in milliseconds 1000 * 86400 * 30  in milliseconds
+			    }
+
+				@Override
+			    public long emailUrgentWarning()
+			    {
+			        return( 1209600000L ); // Two weeks, in milliseconds 1000 * 86400 * 14  in milliseconds
+			    }
+
+			};
+		}
+
+		@Override
+		public String[] getPasswordRules() {
+			return nullStringArray; 
+		}
+
+	};
+
+}
+
+
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/org/OrganizationException.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/org/OrganizationException.java
new file mode 100644
index 00000000..ed1d398b
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/org/OrganizationException.java
@@ -0,0 +1,52 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.org;
+
+public class OrganizationException extends Exception {
+
+	/**
+	 * 
+	 */
+	private static final long serialVersionUID = 1L;
+
+	public OrganizationException() {
+		super();
+	}
+
+	public OrganizationException(String message) {
+		super(message);
+	}
+
+	public OrganizationException(Throwable cause) {
+		super(cause);
+	}
+
+	public OrganizationException(String message, Throwable cause) {
+		super(message, cause);
+	}
+
+	public OrganizationException(String message, Throwable cause, boolean enableSuppression,
+			boolean writableStackTrace) {
+		super(message, cause, enableSuppression, writableStackTrace);
+	}
+
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/org/OrganizationFactory.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/org/OrganizationFactory.java
new file mode 100644
index 00000000..36efb5dc
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/org/OrganizationFactory.java
@@ -0,0 +1,125 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.org;
+
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationTargetException;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.concurrent.ConcurrentHashMap;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.cadi.util.FQI;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.impl.BasicEnv;
+
+/**
+ * Organization Plugin Mechanism
+ * 
+ * Define a NameSpace for the company (i.e. com.att), and put in Properties as 
+ * "Organization.[your NS" and assign the supporting Class.  
+ * 
+ * Example:
+ * Organization.com.att=org.onap.aaf.auth.org.test.att.ATT
+ *
+ * @author Pavani, Jonathan
+ *
+ */
+public class OrganizationFactory {
+	private static final String ORGANIZATION_DOT = "Organization.";
+	private static Organization defaultOrg = null;
+	private static Map<String,Organization> orgs = new ConcurrentHashMap<String,Organization>();
+	public static Organization init(BasicEnv env) throws OrganizationException {
+		int idx = ORGANIZATION_DOT.length();
+		Organization org,firstOrg = null;
+		
+		for(Entry<Object, Object> es : env.getProperties().entrySet()) {
+			String key = es.getKey().toString();
+			if(key.startsWith(ORGANIZATION_DOT)) {
+				org = obtain(env,key.substring(idx));
+				if(firstOrg==null) {
+					firstOrg = org;
+				}
+			}
+		}
+		if(defaultOrg == null) {
+			defaultOrg = firstOrg;
+		}
+		return defaultOrg;
+	}
+	public static Organization obtain(Env env,final String theNS) throws OrganizationException {
+		String orgNS;
+		if(theNS.indexOf('@')>=0) {
+			orgNS=FQI.reverseDomain(theNS);
+		} else {
+			orgNS=theNS;
+		}
+		Organization org = orgs.get(orgNS);
+		if(org == null) {
+			String orgClass = env.getProperty(ORGANIZATION_DOT+orgNS);
+			if(orgClass == null) {
+				env.warn().log("There is no Organization." + orgNS + " property");
+			} else {
+				for(Organization o : orgs.values()) {
+					if(orgClass.equals(o.getClass().getName())) {
+						org = o;
+					}
+				}
+				if(org==null) {
+					try {
+						@SuppressWarnings("unchecked")
+						Class<Organization> cls = (Class<Organization>) Class.forName(orgClass);
+						Constructor<Organization> cnst = cls.getConstructor(Env.class,String.class);
+						org = cnst.newInstance(env,orgNS);
+					} catch (ClassNotFoundException | NoSuchMethodException | SecurityException | 
+							InstantiationException | IllegalAccessException | IllegalArgumentException | 
+							InvocationTargetException e) {
+						env.error().log(e, "Error on Organization Construction");
+						throw new OrganizationException(e);
+					}
+				}
+				orgs.put(orgNS, org);
+				if("true".equalsIgnoreCase(env.getProperty(orgNS+".default"))) {
+					defaultOrg = org;
+				}
+
+			}
+			if(org==null) {
+				if(defaultOrg!=null) {
+					org=defaultOrg;
+					orgs.put(orgNS, org);
+				}
+			}
+		}
+		
+		return org;
+	}
+
+	public static Organization get(AuthzTrans trans) throws OrganizationException {
+		String domain = FQI.reverseDomain(trans.user());
+		Organization org = orgs.get(domain);
+		if(org==null) {
+			org = defaultOrg; // can be null, btw, unless set.
+		}
+		return org;
+	}
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Acceptor.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Acceptor.java
new file mode 100644
index 00000000..1953694b
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Acceptor.java
@@ -0,0 +1,169 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.rserv;
+
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+
+import org.onap.aaf.misc.env.Trans;
+
+/**
+ * Find Acceptable Paths and place them where TypeCode can evaluate.
+ * 
+ * If there are more than one, TypeCode will choose based on "q" value
+ * @author Jonathan
+ *
+ * @param <TRANS>
+ */
+class Acceptor<TRANS extends Trans>  {
+	private List<Pair<String, Pair<HttpCode<TRANS,?>, List<Pair<String, Object>>>>> types;
+	List<Pair<String, Pair<HttpCode<TRANS,?>, List<Pair<String, Object>>>>> acceptable;
+	
+	public Acceptor(List<Pair<String, Pair<HttpCode<TRANS,?>, List<Pair<String, Object>>>>> types) {
+		this.types = types;
+		acceptable = new ArrayList<Pair<String, Pair<HttpCode<TRANS,?>, List<Pair<String, Object>>>>>();
+	}
+	
+	private boolean eval(HttpCode<TRANS,?> code, String str, List<String> props) {
+//		int plus = str.indexOf('+');
+//		if(plus<0) {
+		boolean ok = false;
+		boolean any = false;
+		for(Pair<String, Pair<HttpCode<TRANS,?>, List<Pair<String, Object>>>> type : types) {
+			ok = true;
+			if(type.x.equals(str)) {
+				for(Iterator<String> iter = props.iterator();ok && iter.hasNext();) {
+					ok = props(type,iter.next(),iter.next());
+				}
+				if(ok) {
+					any = true;
+					acceptable.add(type);
+				}
+			}
+		}
+//		} else { // Handle Accepts with "+" as in application/xaml+xml
+//			int prev = str.indexOf('/')+1;
+//			String first = str.substring(0,prev);
+//			String nstr;
+//			while(prev!=0) {
+//				nstr = first + (plus<0?str.substring(prev):str.substring(prev,plus));
+//				
+//				for(Pair<String, Pair<HttpCode<TRANS,?>, List<Pair<String, Object>>>> type : types) {
+//					if(type.x.equals(nstr)) {
+//						acceptable.add(type);
+//						return type;
+//					}
+//				}
+//				prev = plus+1;
+//				plus=str.indexOf('+', prev);
+//			};
+//		}
+		return any;
+	}
+
+	/**
+	 * Evaluate Properties
+	 * @param type
+	 * @param tag
+	 * @param value
+	 * @return
+	 */
+	private boolean props(Pair<String, Pair<HttpCode<TRANS,?>, List<Pair<String, Object>>>> type, String tag, String value) {
+		boolean rv = false;
+		if(type.y!=null) {
+			for(Pair<String,Object> prop : type.y.y){
+				if(tag.equals(prop.x)) {
+					if(tag.equals("charset")) {
+						return prop.x==null?false:prop.y.equals(value.toLowerCase()); // return True if Matched
+					} else if(tag.equals("version")) {
+						return prop.y.equals(new Version(value)); // Note: Version Class knows Minor Version encoding
+					} else if(tag.equals(Content.Q)) { // replace Q value
+						try {
+							type.y.y.get(0).y=Float.parseFloat(value);
+						} catch (NumberFormatException e) {
+							rv=false; // need to do something to make Sonar happy. But nothing to do.
+						}
+						return true;
+					} else {
+						return value.equals(prop.y);
+					}
+				}
+			}
+		}
+		return rv;
+	}
+
+	/**
+	 * parse 
+	 * 
+	 * Note: I'm processing by index to avoid lots of memory creation, which speeds things
+	 * up for this time critical section of code. 
+	 * @param code
+	 * @param cntnt
+	 * @return
+	 */
+	protected boolean parse(HttpCode<TRANS, ?> code, String cntnt) {
+		byte bytes[] = cntnt.getBytes();
+		
+		int cis,cie=-1,cend;
+		int sis,sie,send;
+		String name;
+		ArrayList<String> props = new ArrayList<String>();
+		do {
+			// Clear these in case more than one Semi
+			props.clear(); // on loop, do not want mixed properties
+			name=null;
+			
+			cis = cie+1; // find comma start
+			while(cis<bytes.length && Character.isSpaceChar(bytes[cis]))++cis;
+			cie = cntnt.indexOf(',',cis); // find comma end
+			cend = cie<0?bytes.length:cie; // If no comma, set comma end to full length, else cie
+			while(cend>cis && Character.isSpaceChar(bytes[cend-1]))--cend;
+			// Start SEMIS
+			sie=cis-1; 
+			do {
+				sis = sie+1;  // semi start is one after previous end
+				while(sis<bytes.length && Character.isSpaceChar(bytes[sis]))++sis;	
+				sie = cntnt.indexOf(';',sis);
+				send = sie>cend || sie<0?cend:sie;  // if the Semicolon is after the comma, or non-existent, use comma end, else keep
+				while(send>sis && Character.isSpaceChar(bytes[send-1]))--send;
+				if(name==null) { // first entry in Comma set is the name, not a property
+					name = new String(bytes,sis,send-sis);
+				} else { // We've looped past the first Semi, now process as properties
+					// If there are additional elements (more entities within Semi Colons)
+					// apply Properties
+					int eq = cntnt.indexOf('=',sis);
+					if(eq>sis && eq<send) {
+						props.add(new String(bytes,sis,eq-sis));
+						props.add(new String(bytes,eq+1,send-(eq+1)));
+					}
+				}
+				// End Property
+			} while(sie<=cend && sie>=cis); // End SEMI processing
+			// Now evaluate Comma set and return if true
+			if(eval(code,name,props))return true; // else loop again to check next comma
+		} while(cie>=0); // loop to next comma
+		return false; // didn't get even one match
+	}
+	
+}
+\ No newline at end of file
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java
new file mode 100644
index 00000000..7bb276a2
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java
@@ -0,0 +1,564 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.rserv;
+
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.FileOutputStream;
+import java.io.FileReader;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.io.OutputStreamWriter;
+import java.io.Writer;
+import java.nio.ByteBuffer;
+import java.nio.channels.FileChannel;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.NavigableMap;
+import java.util.Set;
+import java.util.Timer;
+import java.util.TimerTask;
+import java.util.TreeMap;
+import java.util.concurrent.ConcurrentSkipListMap;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.EnvJAXB;
+import org.onap.aaf.misc.env.LogTarget;
+import org.onap.aaf.misc.env.Store;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+/*
+ * CachingFileAccess
+ * 
+ * Author: Jonathan Gathman, Gathsys 2010
+ *  
+ */
+public class CachingFileAccess<TRANS extends Trans> extends HttpCode<TRANS, Void> {
+	public static void setEnv(Store store, String[] args) {
+		for(int i=0;i<args.length-1;i+=2) { // cover two parms required for each 
+			if(CFA_WEB_PATH.equals(args[i])) {
+				store.put(store.staticSlot(CFA_WEB_PATH), args[i+1]); 
+			} else if(CFA_CACHE_CHECK_INTERVAL.equals(args[i])) {
+				store.put(store.staticSlot(CFA_CACHE_CHECK_INTERVAL), Long.parseLong(args[i+1]));
+			} else if(CFA_MAX_SIZE.equals(args[i])) {
+				store.put(store.staticSlot(CFA_MAX_SIZE), Integer.parseInt(args[i+1]));
+			}
+		}
+	}
+	
+	private static String MAX_AGE = "max-age=3600"; // 1 hour Caching
+	private final Map<String,String> typeMap;
+	private final NavigableMap<String,Content> content;
+	private final Set<String> attachOnly;
+	public final static String CFA_WEB_PATH = "aaf_cfa_web_path";
+	// when to re-validate from file
+	// Re validating means comparing the Timestamp on the disk, and seeing it has changed.  Cache is not marked
+	// dirty unless file has changed, but it still makes File IO, which for some kinds of cached data, i.e. 
+	// deployed GUI elements is unnecessary, and wastes time.
+	// This parameter exists to cover the cases where data can be more volatile, so the user can choose how often the
+	// File IO will be accessed, based on probability of change.  "0", of course, means, check every time.
+	private final static String CFA_CACHE_CHECK_INTERVAL = "aaf_cfa_cache_check_interval";
+	private final static String CFA_MAX_SIZE = "aaf_cfa_max_size"; // Cache size limit
+	private final static String CFA_CLEAR_COMMAND = "aaf_cfa_clear_command";
+
+	// Note: can be null without a problem, but included
+	// to tie in with existing Logging.
+	public LogTarget logT = null;
+	public long checkInterval; // = 600000L; // only check if not hit in 10 mins by default
+	public int maxItemSize; // = 512000; // max file 500k
+	private Timer timer;
+	private String web_path;
+	// A command key is set in the Properties, preferably changed on deployment.
+	// it is compared at the beginning of the path, and if so, it is assumed to issue certain commands
+	// It's purpose is to protect, to some degree the command, even though it is HTTP, allowing 
+	// local batch files to, for instance, clear caches on resetting of files.
+	private String clear_command;
+	
+	public CachingFileAccess(EnvJAXB env, String ... args) throws IOException {
+		super(null,"Caching File Access");
+		setEnv(env,args);
+		content = new ConcurrentSkipListMap<String,Content>(); // multi-thread changes possible
+
+		attachOnly = new HashSet<String>();     // short, unchanged
+
+		typeMap = new TreeMap<String,String>(); // Structure unchanged after Construction
+		typeMap.put("ico","image/icon");
+		typeMap.put("html","text/html");
+		typeMap.put("css","text/css");
+		typeMap.put("js","text/javascript");
+		typeMap.put("txt","text/plain");
+		typeMap.put("xml","text/xml");
+		typeMap.put("xsd","text/xml");
+		attachOnly.add("xsd");
+		typeMap.put("crl", "application/x-pkcs7-crl");
+		typeMap.put("appcache","text/cache-manifest");
+
+		typeMap.put("json","text/json");
+		typeMap.put("ogg", "audio/ogg");
+		typeMap.put("jpg","image/jpeg");
+		typeMap.put("gif","image/gif");
+		typeMap.put("png","image/png");
+		typeMap.put("svg","image/svg+xml");
+		typeMap.put("jar","application/x-java-applet");
+		typeMap.put("jnlp", "application/x-java-jnlp-file");
+		typeMap.put("class", "application/java");
+		typeMap.put("props", "text/plain");
+		typeMap.put("jks", "application/octet-stream");
+		
+		timer = new Timer("Caching Cleanup",true);
+		timer.schedule(new Cleanup(content,500),60000,60000);
+		
+		// Property params
+		web_path = env.get(env.staticSlot(CFA_WEB_PATH));
+		env.init().log("CachingFileAccess path: " + new File(web_path).getCanonicalPath());
+		Object obj;
+		obj = env.get(env.staticSlot(CFA_CACHE_CHECK_INTERVAL),600000L);  // Default is 10 mins
+		if(obj instanceof Long) {checkInterval=(Long)obj;
+		} else {checkInterval=Long.parseLong((String)obj);}
+		
+		obj = env.get(env.staticSlot(CFA_MAX_SIZE), 512000);    // Default is max file 500k
+		if(obj instanceof Integer) {maxItemSize=(Integer)obj;
+		} else {maxItemSize =Integer.parseInt((String)obj);}
+	 	 	
+	 	clear_command = env.getProperty(CFA_CLEAR_COMMAND,null);
+	}
+
+	
+
+	@Override
+	public void handle(TRANS trans, HttpServletRequest req, HttpServletResponse resp) throws IOException {
+		String key = pathParam(req, ":key");
+		String cmd = pathParam(req,":cmd");
+		System.out.print(key + clear_command);
+		if(key.equals(clear_command)) {
+			resp.setHeader("Content-Type",typeMap.get("txt"));
+			if("clear".equals(cmd)) {
+				content.clear();
+				resp.setStatus(200/*HttpStatus.OK_200*/);
+			} else {
+				resp.setStatus(400/*HttpStatus.BAD_REQUEST_400 */);
+			}
+			return;
+		}
+		Content c = load(logT , web_path,cmd!=null && cmd.length()>0?key+'/'+cmd:key, null, checkInterval);
+		if(c.attachmentOnly) {
+			resp.setHeader("Content-disposition", "attachment");
+		}
+		c.setHeader(resp);
+		c.write(resp.getOutputStream());
+		trans.checkpoint(req.getPathInfo());
+	}
+
+
+	public String webPath() {
+		return web_path;
+	}
+	
+	/**
+	 * Reset the Cleanup size and interval
+	 * 
+	 * The size and interval when started are 500 items (memory size unknown) checked every minute in a background thread.
+	 * 
+	 * @param size
+	 * @param interval
+	 */
+	public void cleanupParams(int size, long interval) {
+		timer.cancel();
+		timer = new Timer();
+		timer.schedule(new Cleanup(content,size), interval, interval);
+	}
+	
+
+	
+	/**
+	 * Load a file, first checking cache
+	 * 
+	 * 
+	 * @param logTarget - logTarget can be null (won't log)
+	 * @param dataRoot - data root storage directory
+	 * @param key - relative File Path
+	 * @param mediaType - what kind of file is it.  If null, will check via file extension
+	 * @param timeCheck - "-1" will take system default - Otherwise, will compare "now" + timeCheck(Millis) before looking at File mod
+	 * @return
+	 * @throws IOException
+	 */
+	public Content load(LogTarget logTarget, String dataRoot, String key, String mediaType, long _timeCheck) throws IOException {
+	    long timeCheck = _timeCheck;
+		if(timeCheck<0) {
+			timeCheck=checkInterval; // if time < 0, then use default
+		}
+		boolean isRoot;
+		String fileName;
+		if("-".equals(key)) {
+			fileName = dataRoot;
+			isRoot = true;
+		} else {
+			fileName=dataRoot + '/' + key;
+			isRoot = false;
+		}
+		Content c = content.get(key);
+		long systime = System.currentTimeMillis(); 
+		File f=null;
+		if(c!=null) {
+			// Don't check every hit... only after certain time value
+			if(c.date < systime + timeCheck) {
+				f = new File(fileName);
+				if(f.lastModified()>c.date) {
+					c=null;
+				}
+			}
+		}
+		if(c==null) {	
+			if(logTarget!=null) {
+				logTarget.log("File Read: ",key);
+			}
+			
+			if(f==null){
+				f = new File(fileName);
+			}
+			boolean cacheMe;
+			if(f.exists()) {
+				if(f.isDirectory()) {
+					cacheMe = false;
+					c = new DirectoryContent(f,isRoot);
+				} else {
+					if(f.length() > maxItemSize) {
+						c = new DirectFileContent(f);
+						cacheMe = false;
+					} else {
+						c = new CachedContent(f);
+						cacheMe = checkInterval>0;
+					}
+					
+					if(mediaType==null) { // determine from file Ending
+						int idx = key.lastIndexOf('.');
+						String subkey = key.substring(++idx);
+						if((c.contentType = idx<0?null:typeMap.get(subkey))==null) {
+							// if nothing else, just set to default type...
+							c.contentType = "application/octet-stream";
+						}
+						c.attachmentOnly = attachOnly.contains(subkey);
+					} else {
+						c.contentType=mediaType;
+						c.attachmentOnly = false;
+					}
+					
+					c.date = f.lastModified();
+					
+					if(cacheMe) {
+						content.put(key, c);
+					}
+				}
+			} else {
+				c=NULL;
+			}
+		} else {
+			if(logTarget!=null)logTarget.log("Cache Read: ",key);
+		}
+
+		// refresh hit time
+		c.access = systime;
+		return c;
+	}
+	
+	public Content loadOrDefault(Trans trans, String targetDir, String targetFileName, String sourcePath, String mediaType) throws IOException {
+		try {
+			return load(trans.info(),targetDir,targetFileName,mediaType,0);
+		} catch(FileNotFoundException e) {
+			String targetPath = targetDir + '/' + targetFileName;
+			TimeTaken tt = trans.start("File doesn't exist; copy " + sourcePath + " to " + targetPath, Env.SUB);
+			try {
+				FileInputStream sourceFIS = new FileInputStream(sourcePath);
+				FileChannel sourceFC = sourceFIS.getChannel();
+				File targetFile = new File(targetPath);
+				targetFile.getParentFile().mkdirs(); // ensure directory exists
+				FileOutputStream targetFOS = new FileOutputStream(targetFile);
+				try {
+					ByteBuffer bb = ByteBuffer.allocate((int)sourceFC.size());
+					sourceFC.read(bb);
+					bb.flip();  // ready for reading
+					targetFOS.getChannel().write(bb);
+				} finally {
+					sourceFIS.close();
+					targetFOS.close();
+				}
+			} finally {
+				tt.done();
+			}
+			return load(trans.info(),targetDir,targetFileName,mediaType,0);
+		}
+	}
+
+	public void invalidate(String key) {
+		content.remove(key);
+	}
+	
+	private static final Content NULL=new Content() {
+		
+		@Override
+		public void setHeader(HttpServletResponse resp) {
+			resp.setStatus(404/*NOT_FOUND_404*/);
+			resp.setHeader("Content-type","text/plain");
+		}
+
+		@Override
+		public void write(Writer writer) throws IOException {
+		}
+
+		@Override
+		public void write(OutputStream os) throws IOException {
+		}
+		
+	};
+
+	private static abstract class Content {
+		private long date;   // date of the actual artifact (i.e. File modified date)
+		private long access; // last accessed
+		
+		protected String  contentType;
+		protected boolean attachmentOnly;
+		
+		public void setHeader(HttpServletResponse resp) {
+			resp.setStatus(200/*OK_200*/);
+			resp.setHeader("Content-Type",contentType);
+			resp.setHeader("Cache-Control", MAX_AGE);
+		}
+		
+		public abstract void write(Writer writer) throws IOException;
+		public abstract void write(OutputStream os) throws IOException;
+
+	}
+
+	private static class DirectFileContent extends Content {
+		private File file; 
+		public DirectFileContent(File f) {
+			file = f;
+		}
+		
+		public String toString() {
+			return file.getName();
+		}
+		
+		public void write(Writer writer) throws IOException {
+			FileReader fr = new FileReader(file);
+			char[] buff = new char[1024];
+			try {
+				int read;
+				while((read = fr.read(buff,0,1024))>=0) {
+					writer.write(buff,0,read);
+				}
+			} finally {
+				fr.close();
+			}
+		}
+
+		public void write(OutputStream os) throws IOException {
+			FileInputStream fis = new FileInputStream(file);
+			byte[] buff = new byte[1024];
+			try {
+				int read;
+				while((read = fis.read(buff,0,1024))>=0) {
+					os.write(buff,0,read);
+				}
+			} finally {
+				fis.close();
+			}
+		}
+
+	}
+	private static class DirectoryContent extends Content {
+		private static final Pattern A_NUMBER = Pattern.compile("\\d");
+		private static final String H1 = "<html><head><title>AAF Fileserver</title></head><body><h1>AAF Fileserver</h1><h2>";
+		private static final String H2 = "</h2><ul>\n";
+		private static final String F = "\n</ul></body></html>";
+		private File[] files;
+		private String name;
+		private boolean notRoot;
+
+		public DirectoryContent(File directory, boolean isRoot) {
+			notRoot = !isRoot;
+		
+			files = directory.listFiles();
+			Arrays.sort(files,new Comparator<File>() {
+				@Override
+				public int compare(File f1, File f2) {
+					// See if there are Numbers in the name
+					Matcher m1 = A_NUMBER.matcher(f1.getName());
+					Matcher m2 = A_NUMBER.matcher(f2.getName());
+					if(m1.find() && m2.find()) {
+						// if numbers, are the numbers in the same start position
+						int i1 = m1.start();
+						int i2 = m2.start();
+						
+						// If same start position and the text is the same, then reverse sort
+						if(i1==i2 && f1.getName().startsWith(f2.getName().substring(0,i1))) {
+							// reverse sort files that start similarly, but have numbers in them
+							return f2.compareTo(f1);
+						}
+					}
+					return f1.compareTo(f2);
+				}
+				
+			});
+			name = directory.getName();
+			attachmentOnly = false;
+			contentType = "text/html";
+		}
+		
+	
+		@Override
+		public void write(Writer w) throws IOException {
+			w.append(H1);
+			w.append(name);
+			w.append(H2);
+			for (File f : files) {
+				w.append("<li><a href=\"");
+				if(notRoot) {
+					w.append(name);
+					w.append('/');
+				}
+				w.append(f.getName());
+				w.append("\">");
+				w.append(f.getName());
+				w.append("</a></li>\n");
+			}
+			w.append(F);
+			w.flush();
+		}
+	
+		@Override
+		public void write(OutputStream os) throws IOException {
+			write(new OutputStreamWriter(os));
+		}
+	
+	}
+
+	private static class CachedContent extends Content {
+		private byte[] data;
+		private int end;
+		private char[] cdata; 
+		
+		public CachedContent(File f) throws IOException {
+			// Read and Cache
+			ByteBuffer bb = ByteBuffer.allocate((int)f.length());
+			FileInputStream fis = new FileInputStream(f);
+			try {
+				fis.getChannel().read(bb);
+			} finally {
+				fis.close();
+			}
+
+			data = bb.array();
+			end = bb.position();
+			cdata=null;
+		}
+		
+		public String toString() {
+			return data.toString();
+		}
+		
+		public void write(Writer writer) throws IOException {
+			synchronized(this) {
+				// do the String Transformation once, and only if actually used
+				if(cdata==null) {
+					cdata = new char[end];
+					new String(data).getChars(0, end, cdata, 0);
+				}
+			}
+			writer.write(cdata,0,end);
+		}
+		public void write(OutputStream os) throws IOException {
+			os.write(data,0,end);
+		}
+
+	}
+
+	public void setEnv(LogTarget env) {
+		logT = env;
+	}
+
+	/**
+	 * Cleanup thread to remove older items if max Cache is reached.
+	 * @author Jonathan
+	 *
+	 */
+	private static class Cleanup extends TimerTask {
+		private int maxSize;
+		private NavigableMap<String, Content> content;
+		
+		public Cleanup(NavigableMap<String, Content> content, int size) {
+			maxSize = size;
+			this.content = content;
+		}
+		
+		private class Comp implements Comparable<Comp> {
+			public Map.Entry<String, Content> entry;
+			
+			public Comp(Map.Entry<String, Content> en) {
+				entry = en;
+			}
+			
+			@Override
+			public int compareTo(Comp o) {
+				return (int)(entry.getValue().access-o.entry.getValue().access);
+			}
+			
+		}
+		@SuppressWarnings("unchecked")
+		@Override
+		public void run() {
+			int size = content.size();
+			if(size>maxSize) {
+				ArrayList<Comp> scont = new ArrayList<Comp>(size);
+				Object[] entries = content.entrySet().toArray();
+				for(int i=0;i<size;++i) {
+					scont.add(i, new Comp((Map.Entry<String,Content>)entries[i]));
+				}
+				Collections.sort(scont);
+				int end = size - ((maxSize/4)*3); // reduce to 3/4 of max size
+				System.out.println("------ Cleanup Cycle ------ " + new Date().toString() + " -------");
+				for(int i=0;i<end;++i) {
+					Entry<String, Content> entry = scont.get(i).entry;
+					content.remove(entry.getKey());
+					System.out.println("removed Cache Item " + entry.getKey() + "/" + new Date(entry.getValue().access).toString());
+				}
+				for(int i=end;i<size;++i) {
+					Entry<String, Content> entry = scont.get(i).entry;
+					System.out.println("remaining Cache Item " + entry.getKey() + "/" + new Date(entry.getValue().access).toString());
+				}
+			}
+		}
+	}
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CodeSetter.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CodeSetter.java
new file mode 100644
index 00000000..6ea8880b
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CodeSetter.java
@@ -0,0 +1,52 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.rserv;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.misc.env.Trans;
+
+// Package on purpose.  only want between RServlet and Routes
+class CodeSetter<TRANS extends Trans> {
+	private HttpCode<TRANS,?> code;
+	private TRANS trans;
+	private HttpServletRequest req;
+	private HttpServletResponse resp;
+	public CodeSetter(TRANS trans, HttpServletRequest req, HttpServletResponse resp) {
+		this.trans = trans;
+		this.req = req;
+		this.resp = resp;
+				
+	}
+	public boolean matches(Route<TRANS> route) throws IOException, ServletException {
+		// Find best Code in Route based on "Accepts (Get) or Content-Type" (if exists)
+		return (code = route.getCode(trans, req, resp))!=null;
+	}
+	
+	public HttpCode<TRANS,?> code() {
+		return code;
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Content.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Content.java
new file mode 100644
index 00000000..ae329ce2
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Content.java
@@ -0,0 +1,115 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.rserv;
+
+import java.util.List;
+
+import org.onap.aaf.misc.env.Trans;
+
+
+
+/**
+ * A Class to hold Service "ContentTypes", and to match incoming "Accept" types from HTTP.
+ * 
+ * This is a multi-use class built to use the same Parser for ContentTypes and Accept.
+ * 
+ * Thus, you would create and use "Content.Type" within your service, and use it to match
+ * Accept Strings.  What is returned is an Integer (for faster processing), which can be
+ * used in a switch statement to act on match different Actions.  The server should
+ * know which behaviors match.
+ * 
+ * "bestMatch" returns an integer for the best match, or -1 if no matches.
+ *
+ * @author Jonathan
+ *
+ */
+public abstract class Content<TRANS extends Trans> {
+	public static final String Q = "q";
+	protected abstract Pair<String,Pair<HttpCode<TRANS,?>,List<Pair<String,Object>>>> types(HttpCode<TRANS,?> code, String str);
+	protected abstract boolean props(Pair<String, Pair<HttpCode<TRANS,?>,List<Pair<String,Object>>>> type, String tag, String value);
+
+	/**
+	 * Parse a Content-Type/Accept.  As found, call "types" and "props", which do different
+	 * things depending on if it's a Content-Type or Accepts. 
+	 * 
+	 * For Content-Type, it builds a tree suitable for Comparison
+	 * For Accepts, it compares against the tree, and builds an acceptable type list
+	 * 
+	 * Since this parse code is used for every incoming HTTP transaction, I have removed the implementation
+	 * that uses String.split, and replaced with integers evaluating the Byte array.  This results
+	 * in only the necessary strings created, resulting in 1/3 better speed, and less 
+	 * Garbage collection.
+	 * 
+	 * @param trans
+	 * @param code
+	 * @param cntnt
+	 * @return
+	 */
+	protected boolean parse(HttpCode<TRANS,?> code, String cntnt) {
+		byte bytes[] = cntnt.getBytes();
+		boolean contType=false,contProp=true;
+		int cis,cie=-1,cend;
+		int sis,sie,send;
+		do {
+			cis = cie+1;
+			cie = cntnt.indexOf(',',cis);
+			cend = cie<0?bytes.length:cie;
+			// Start SEMIS
+			sie=cis-1;
+			Pair<String, Pair<HttpCode<TRANS,?>, List<Pair<String, Object>>>> me = null;
+			do {
+				sis = sie+1;
+				sie = cntnt.indexOf(';',sis);
+				send = sie>cend || sie<0?cend:sie;
+				if(me==null) {
+					String semi = new String(bytes,sis,send-sis);
+					// trans.checkpoint(semi);
+					// Look at first entity within comma group
+					// Is this an acceptable Type?
+					me=types(code, semi);
+					if(me==null) {
+						sie=-1; // skip the rest of the processing... not a type
+					} else {
+						contType=true;
+					}
+				} else { // We've looped past the first Semi, now process as properties
+					// If there are additional elements (more entities within Semi Colons)
+					// apply Propertys
+					int eq = cntnt.indexOf('=',sis);
+					if(eq>sis && eq<send) {
+						String tag = new String(bytes,sis,eq-sis);
+						String value = new String(bytes,eq+1,send-(eq+1));
+						// trans.checkpoint("    Prop " + tag + "=" + value);
+						boolean bool =  props(me,tag,value);
+						if(!bool) {
+							contProp=false;
+						}
+					}
+				}
+				// End Property
+			} while(sie<=cend && sie>=cis);
+			// End SEMIS
+		} while(cie>=0);
+		return contType && contProp; // for use in finds, True if a type found AND all props matched
+	}
+	
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/HttpCode.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/HttpCode.java
new file mode 100644
index 00000000..0bfe310a
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/HttpCode.java
@@ -0,0 +1,118 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.rserv;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.misc.env.Trans;
+
+/**
+ * HTTP Code element, which responds to the essential "handle Method".
+ * 
+ * Use Native HttpServletRe[quest|sponse] calls for questions like QueryParameters (getParameter, etc)
+ * 
+ * Use local "pathParam" method to obtain in an optimized manner the path parameter, which must be interpreted by originating string
+ * 
+ * i.e. my/path/:id/:other/*
+ * 
+ * @author Jonathan
+ *
+ * @param <TRANS>
+ * @param <T>
+ */
+public abstract class HttpCode<TRANS extends Trans, CONTEXT> {
+	protected CONTEXT context;
+	private String desc;
+	protected String [] roles;
+	private boolean all;
+	
+	// Package by design... Set by Route when linked
+	Match match;
+	
+	public HttpCode(CONTEXT context, String description, String ... roles) {
+		this.context = context;
+		desc = description;
+		
+		// Evaluate for "*" once...
+		all = false;
+		for(String srole : roles) {
+			if("*".equals(srole)) {
+				all = true;
+				break;
+			}
+		}
+		this.roles = all?null:roles;
+	}
+	
+	public abstract void handle(TRANS trans, HttpServletRequest req, HttpServletResponse resp) throws Exception;
+	
+	public String desc() {
+		return desc;
+	}
+	
+	/**
+	 * Get the variable element out of the Path Parameter, as set by initial Code
+	 * 
+	 * @param req
+	 * @param key
+	 * @return
+	 */
+	public String pathParam(HttpServletRequest req, String key) {
+		String rv = match.param(req.getPathInfo(), key);
+		if(rv!=null) {
+			rv = rv.trim();
+			if(rv.endsWith("/")) {
+				rv = rv.substring(0, rv.length()-1);
+			}
+		}
+		return rv;
+	}
+
+	// Note: get Query Params from Request
+	
+	/**
+	 * Check for Authorization when set.
+	 * 
+	 * If no Roles set, then accepts all users
+	 * 
+	 * @param req
+	 * @return
+	 */
+	public boolean isAuthorized(HttpServletRequest req) {
+		if(all)return true;
+		if(roles!=null) {
+			for(String srole : roles) {
+				if(req.isUserInRole(srole)) return true;
+			}
+		}
+		return false;
+	}
+	
+	public boolean no_cache() {
+		return false;
+	}
+	
+	public String toString() {
+		return desc;
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/HttpMethods.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/HttpMethods.java
new file mode 100644
index 00000000..4dbaf17b
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/HttpMethods.java
@@ -0,0 +1,29 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.rserv;
+
+public enum HttpMethods {
+	POST,
+	GET,
+	PUT,
+	DELETE
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Match.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Match.java
new file mode 100644
index 00000000..ac8b31c1
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Match.java
@@ -0,0 +1,211 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.rserv;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * This path matching algorithm avoids using split strings during the critical transactional run-time.  By pre-analyzing the
+ * content at "set Param" time, and storing data in an array-index model which presumably is done once and at the beginning, 
+ * we can match in much less time when it actually counts.
+ * 
+ * @author Jonathan
+ *
+ */
+public class Match {
+	private Map<String, Integer> params;
+	private byte[] 	values[];
+	private Integer vars[];
+	private boolean wildcard;
+
+	
+	/*
+	 * These two methods are pairs of searching performance for variables Spark Style.
+	 * setParams evaluates the target path, and sets a HashMap that will return an Integer.
+	 * the Keys are both :key and key so that there will be no string operations during
+	 * a transaction
+	 * 
+	 * For the Integer, if the High Order is 0, then it is just one value.  If High Order >0, then it is 
+	 * a multi-field option, i.e. ending with a wild-card.
+	 */
+	public Match(String path) {
+		// IF DEBUG: System.out.print("\n[" + path + "]");
+		params = new HashMap<String,Integer>();
+		if(path!=null) {
+			String[] pa = path.split("/");
+			values = new byte[pa.length][];
+			vars = new Integer[pa.length];
+			
+			int val = 0;
+			String key;
+			for(int i=0;i<pa.length && !wildcard;++i) {
+				if(pa[i].startsWith(":")) {
+					if(pa[i].endsWith("*")) {
+						val = i | pa.length<<16; // load end value in high order bits
+						key = pa[i].substring(0, pa[i].length()-1);// remove *
+						wildcard = true;
+					} else {
+						val = i;
+						key = pa[i];
+					}
+					params.put(key,val); //put in :key 
+					params.put(key.substring(1,key.length()), val); // put in just key, better than adding a missing one, like Spark
+					// values[i]=null; // null stands for Variable
+					vars[i]=val;
+				} else {
+					values[i]=pa[i].getBytes();
+					if(pa[i].endsWith("*")) {
+						wildcard = true;
+						if(pa[i].length()>1) {
+							/* remove * from value */
+							int newlength = values[i].length-1;
+							byte[] real = new byte[newlength];
+							System.arraycopy(values[i],0,real,0,newlength);
+							values[i]=real;
+						} else {
+							vars[i]=0; // this is actually a variable, if it only contains a "*"
+						}
+					}
+					// vars[i]=null;
+				}
+			}
+		}
+	}
+
+	/*
+	 * This is the second of the param evaluation functions.  First, we look up to see if there is
+	 * any reference by key in the params Map created by the above.
+	 * 
+	 * The resulting Integer, if not null, is split high/low order into start and end.
+	 * We evaluate the string for '/', rather than splitting into  String[] to avoid the time/mem needed
+	 * We traverse to the proper field number for slash, evaluate the end (whether wild card or no), 
+	 * and return the substring.  
+	 * 
+	 * The result is something less than .003 milliseconds per evaluation
+	 * 
+	 */
+	public String param(String path,String key) {
+		Integer val = params.get(key); // :key or key
+		if(val!=null) {
+			int start = val & 0xFFFF;
+			int end = (val >> 16) & 0xFFFF;
+			int idx = -1;
+			int i;
+			for(i=0;i<start;++i) {
+				idx = path.indexOf('/',idx+1);
+				if(idx<0)break;
+			}
+			if(i==start) { 
+				++idx;
+				if(end==0) {
+					end = path.indexOf('/',idx);
+					if(end<0)end=path.length();
+				} else {
+					end=path.length();
+				}
+				return path.substring(idx,end);
+			} else if(i==start-1) { // if last spot was left blank, i.e. :key*
+				return "";
+			}
+		}
+		return null;
+	}
+	
+	public boolean match(String path) {
+		if(path==null|| path.length()==0 || "/".equals(path) ) {
+			if(values==null)return true;
+			switch(values.length) {
+				case 0: return true;
+				case 1: return values[0].length==0;
+				default: return false;
+			}
+		}			
+		boolean rv = true;
+		byte[] pabytes = path.getBytes();
+		int field=0;
+		int fieldIdx = 0;
+
+		int lastField = values.length;
+		int lastByte = pabytes.length;
+		boolean fieldMatched = false; // = lastByte>0?(pabytes[0]=='/'):false;
+		// IF DEBUG: System.out.println("\n -- " + path + " --");
+		for(int i=0;rv && i<lastByte;++i) {
+			if(field>=lastField) { // checking here allows there to be a non-functional ending /
+				rv = false;
+				break;
+			}
+			if(values[field]==null) { // it's a variable, just look for /s
+				if(wildcard && field==lastField-1) return true;// we've made it this far.  We accept all remaining characters
+				Integer val = vars[field];
+				int start = val & 0xFFFF;
+				int end = (val >> 16) & 0xFFFF;
+				if(end==0)end=start+1;
+				int k = i;
+				for(int j=start; j<end && k<lastByte; ++k) {
+					// IF DEBUG: System.out.print((char)pabytes[k]);
+					if(pabytes[k]=='/') {
+						++field;
+						++j;
+					}
+				}
+				
+				if(k==lastByte && pabytes[k-1]!='/')++field;
+				if(k>i)i=k-1; // if we've incremented, have to accommodate the outer for loop incrementing as well
+				fieldMatched = false; // reset
+				fieldIdx = 0;
+			} else {
+				// IF DEBUG: System.out.print((char)pabytes[i]);
+				if(pabytes[i]=='/') { // end of field, eval if Field is matched
+					// if double slash, check if supposed to be empty
+					if(fieldIdx==0 && values[field].length==0) {
+						fieldMatched = true;
+					}
+					rv = fieldMatched && ++field<lastField;
+					// reset
+					fieldMatched = false; 
+					fieldIdx = 0;
+				} else if(values[field].length==0) {
+					// double slash in path, but content in field.  We check specially here to avoid 
+					// Array out of bounds issues.
+					rv = false;
+				} else {
+					if(fieldMatched) {
+						rv =false; // field is already matched, now there's too many bytes
+					} else {
+						rv = pabytes[i]==values[field][fieldIdx++]; // compare expected (pabytes[i]) with value for particular field
+						fieldMatched=values[field].length==fieldIdx; // are all the bytes match in the field?
+						if(fieldMatched && (i==lastByte-1 || (wildcard && field==lastField-1)))
+							return true; // last field info
+					}
+				}
+			}
+		}
+		if(field!=lastField || pabytes.length!=lastByte) rv = false; // have we matched all the fields and all the bytes?
+		return rv;
+	}
+	
+	public Set<String> getParamNames() {
+		return params.keySet();
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Pair.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Pair.java
new file mode 100644
index 00000000..810f9129
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Pair.java
@@ -0,0 +1,44 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.rserv;
+
+/**
+ * A pair of generic Objects.  
+ * 
+ * @author Jonathan
+ *
+ * @param <X>
+ * @param <Y>
+ */
+public class Pair<X,Y> {
+	public X x;
+	public Y y;
+	
+	public Pair(X x, Y y) {
+		this.x = x;
+		this.y = y;
+	}
+	
+	public String toString() {
+		return "X: " + x.toString() + "-->" + y.toString();
+	}
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/RServlet.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/RServlet.java
new file mode 100644
index 00000000..4ae0f882
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/RServlet.java
@@ -0,0 +1,154 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.rserv;
+
+import java.io.IOException;
+import java.util.List;
+
+import javax.servlet.Servlet;
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+
+public abstract class RServlet<TRANS extends Trans> implements Servlet {
+	private Routes<TRANS> routes = new Routes<TRANS>();
+
+	private ServletConfig config;
+
+	@Override
+	public void init(ServletConfig config) throws ServletException {
+		this.config = config;
+	}
+
+	@Override
+	public ServletConfig getServletConfig() {
+		return config;
+	}
+
+	public void route(Env env, HttpMethods meth, String path, HttpCode<TRANS, ?> code, String ... moreTypes) {
+		Route<TRANS> r = routes.findOrCreate(meth,path);
+		r.add(code,moreTypes);
+		env.init().log(r.report(code),code);
+	}
+	
+	@Override
+	public void service(ServletRequest req, ServletResponse res) throws ServletException, IOException {
+		HttpServletRequest request = (HttpServletRequest)req;
+		HttpServletResponse response = (HttpServletResponse)res;
+		
+		@SuppressWarnings("unchecked")
+		TRANS trans = (TRANS)req.getAttribute(TransFilter.TRANS_TAG);
+		if(trans==null) {
+			response.setStatus(404); // Not Found, because it didn't go through TransFilter
+			return;
+		}
+		
+		Route<TRANS> route;
+		HttpCode<TRANS,?> code=null;
+		String ct = req.getContentType();
+		TimeTaken tt = trans.start("Resolve to Code", Env.SUB);
+		try {
+			// routes have multiple code sets.  This object picks the best code set
+			// based on Accept or Content-Type
+			CodeSetter<TRANS> codesetter = new CodeSetter<TRANS>(trans,request,response);
+			// Find declared route
+			route = routes.derive(request, codesetter);
+			if(route==null) {
+				String method = request.getMethod();
+				trans.checkpoint("No Route matches "+ method + ' ' + request.getPathInfo());
+				response.setStatus(404); // Not Found
+			} else {
+				// Find best Code in Route based on "Accepts (Get) or Content-Type" (if exists)
+				code = codesetter.code();// route.getCode(trans, request, response);
+			}
+		} finally {
+			tt.done();
+		}
+		
+		if(route!=null && code!=null) {
+			StringBuilder sb = new StringBuilder(72);
+			sb.append(route.auditText);
+			sb.append(',');
+			sb.append(code.desc());
+			if(ct!=null) {
+				sb.append(", ContentType: ");
+				sb.append(ct);
+			}
+			tt = trans.start(sb.toString(),Env.SUB);
+			try {
+				/*obj = */
+				code.handle(trans, request, response);
+				response.flushBuffer();
+			} catch (ServletException e) {
+				trans.error().log(e);
+				throw e;
+			} catch (Exception e) {
+				trans.error().log(e,request.getMethod(),request.getPathInfo());
+				throw new ServletException(e);
+			} finally {
+				tt.done();
+			}
+		}
+	}
+	
+	@Override
+	public String getServletInfo() {
+		return "RServlet for Jetty";
+	}
+
+	@Override
+	public void destroy() {
+	}
+
+	public String applicationJSON(Class<?> cls, String version) {
+		StringBuilder sb = new StringBuilder();
+		sb.append("application/");
+		sb.append(cls.getSimpleName());
+		sb.append("+json");
+		sb.append(";charset=utf-8");
+		sb.append(";version=");
+		sb.append(version);
+		return sb.toString();
+	}
+
+	public String applicationXML(Class<?> cls, String version) {
+		StringBuilder sb = new StringBuilder();
+		sb.append("application/");
+		sb.append(cls.getSimpleName());
+		sb.append("+xml");
+		sb.append(";charset=utf-8");
+		sb.append(";version=");
+		sb.append(version);
+		return sb.toString();
+	}
+
+	public List<RouteReport> routeReport() {
+		return routes.routeReport();
+	}
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Route.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Route.java
new file mode 100644
index 00000000..9ae202a2
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Route.java
@@ -0,0 +1,141 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.rserv;
+
+import java.io.IOException;
+import java.util.List;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+
+public class Route<TRANS extends Trans> {
+	public final String auditText;
+	public final HttpMethods meth;
+	public final String path;
+	
+	private Match match;
+	// package on purpose
+	private final TypedCode<TRANS> content;
+	private final boolean isGet;
+	
+	public Route(HttpMethods meth, String path) {
+		this.path = path;
+		auditText = meth.name() + ' ' + path;
+		this.meth = meth; // Note: Using Spark def for now.
+		isGet = meth.compareTo(HttpMethods.GET) == 0;
+		match = new Match(path);
+		content = new TypedCode<TRANS>();
+	}
+	
+	public void add(HttpCode<TRANS,?> code, String ... others) {
+		code.match = match;
+		content.add(code, others);
+	}
+	
+//	public void add(HttpCode<TRANS,?> code, Class<?> cls, String version, String ... others) {
+//		code.match = match;
+//		content.add(code, cls, version, others);
+//	}
+//
+	public HttpCode<TRANS,?> getCode(TRANS trans, HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
+		// Type is associated with Accept for GET (since it is what is being returned
+		// We associate the rest with ContentType.
+		// FYI, thought about this a long time before implementing this way.
+		String compare;
+//		String special[]; // todo, expose Charset (in special) to outside
+		if(isGet) {
+			compare = req.getHeader("Accept"); // Accept is used for read, as we want to agree on what caller is ready to handle
+		} else {
+			compare = req.getContentType(); // Content type used to declare what data is being created, updated or deleted (might be used for key)
+		}
+
+		Pair<String, Pair<HttpCode<TRANS, ?>, List<Pair<String, Object>>>> hl = content.prep(trans, compare);
+		if(hl==null) {
+			resp.setStatus(406); // NOT_ACCEPTABLE
+		} else {
+			if(isGet) { // Set Content Type to expected content
+				if("*".equals(hl.x) || "*/*".equals(hl.x)) {// if wild-card, then choose first kind of type
+					resp.setContentType(content.first());
+				} else {
+					resp.setContentType(hl.x);
+				}
+			}
+			return hl.y.x;
+		}
+		return null;
+	}
+	
+	public Route<TRANS> matches(String method, String path) {
+		return meth.name().equalsIgnoreCase(method) && match.match(path)?this:null;
+	}
+	
+	public TimeTaken start(Trans trans, String auditText, HttpCode<TRANS,?> code, String type) {
+		StringBuilder sb = new StringBuilder(auditText);
+		sb.append(", ");
+		sb.append(code.desc());
+		sb.append(", Content: ");
+		sb.append(type);
+		return trans.start(sb.toString(), Env.SUB);
+	}
+
+	// Package on purpose.. for "find/Create" routes only
+	boolean resolvesTo(HttpMethods hm, String p) {
+		return(path.equals(p) && hm.equals(meth));
+	}
+	
+	public String toString() {
+		return auditText + ' ' + content; 
+	}
+
+	public String report(HttpCode<TRANS, ?> code) {
+		StringBuilder sb = new StringBuilder();
+		sb.append(auditText);
+		sb.append(' ');
+		content.relatedTo(code, sb);
+		return sb.toString();
+	}
+
+	public RouteReport api() {
+		RouteReport tr = new RouteReport();
+		tr.meth = meth;
+		tr.path = path;
+		content.api(tr);
+		return tr;
+	}
+
+
+	/**
+	 * contentRelatedTo (For reporting) list routes that will end up at a specific Code
+	 * @return
+	 */
+	public String contentRelatedTo(HttpCode<TRANS, ?> code) {
+		StringBuilder sb = new StringBuilder(path);
+		sb.append(' ');
+		content.relatedTo(code, sb);
+		return sb.toString();
+	}
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/RouteReport.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/RouteReport.java
new file mode 100644
index 00000000..5de2ebe3
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/RouteReport.java
@@ -0,0 +1,33 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.rserv;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class RouteReport {
+	public HttpMethods meth;
+	public String path;
+	public String desc;
+	public final List<String> contextTypes = new ArrayList<String>();
+
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Routes.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Routes.java
new file mode 100644
index 00000000..fefb8f3c
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Routes.java
@@ -0,0 +1,89 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.rserv;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.aaf.misc.env.Trans;
+
+
+public class Routes<TRANS extends Trans> {
+	// Since this must be very, very fast, and only needs one creation, we'll use just an array.
+	private Route<TRANS>[] routes;
+	private int end;
+	
+
+	@SuppressWarnings("unchecked")
+	public Routes() {
+		routes = new Route[10];
+		end = 0;
+	}
+	
+	// This method for setup of Routes only...
+	// Package on purpose
+	synchronized Route<TRANS> findOrCreate(HttpMethods  meth, String path) {
+		Route<TRANS> rv = null;
+		for(int i=0;i<end;++i) {
+			if(routes[i].resolvesTo(meth,path))rv = routes[i];
+		}
+		
+		if(rv==null) {
+			if(end>=routes.length) {
+				@SuppressWarnings("unchecked")
+				Route<TRANS>[] temp = new Route[end+10];
+				System.arraycopy(routes, 0, temp, 0, routes.length);
+				routes = temp;
+			}
+			
+			routes[end++]=rv=new Route<TRANS>(meth,path);
+		}
+		return rv;
+	}
+	
+	public Route<TRANS> derive(HttpServletRequest req, CodeSetter<TRANS> codeSetter)  throws IOException, ServletException {
+		Route<TRANS> rv = null;
+		String path = req.getPathInfo();
+		String meth = req.getMethod();
+		//TODO a TREE would be better
+		for(int i=0;rv==null && i<end; ++i) {
+			rv = routes[i].matches(meth,path);
+			if(rv!=null && !codeSetter.matches(rv)) { // potential match, check if has Code 
+				rv = null; // not quite, keep going
+			}
+		}
+		//TODO a Default?
+		return rv;
+	}
+	
+	public List<RouteReport> routeReport() {
+		ArrayList<RouteReport> ltr = new ArrayList<RouteReport>();
+		for(int i=0;i<end;++i) {
+			ltr.add(routes[i].api());
+		}
+		return ltr;
+	}
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/TransFilter.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/TransFilter.java
new file mode 100644
index 00000000..1011767a
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/TransFilter.java
@@ -0,0 +1,156 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.rserv;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.CadiWrap;
+import org.onap.aaf.cadi.Connector;
+import org.onap.aaf.cadi.Lur;
+import org.onap.aaf.cadi.TrustChecker;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.filter.CadiHTTPManip;
+import org.onap.aaf.cadi.taf.TafResp;
+import org.onap.aaf.cadi.taf.TafResp.RESP;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.TransStore;
+import org.onap.aaf.misc.env.util.Split;
+
+/**
+ * Create a new Transaction Object for each and every incoming Transaction
+ * 
+ * Attach to Request.  User "FilterHolder" mechanism to retain single instance.
+ * 
+ * TransFilter includes CADIFilter as part of the package, so that it can
+ * set User Data, etc, as necessary.
+ * 
+ * @author Jonathan
+ *
+ */
+public abstract class TransFilter<TRANS extends TransStore> implements Filter {
+	public static final String TRANS_TAG = "__TRANS__";
+	
+	private CadiHTTPManip cadi;
+
+	private final String[] no_authn;
+	
+	public TransFilter(Access access, Connector con, TrustChecker tc, Object ... additionalTafLurs) throws CadiException {
+		cadi = new CadiHTTPManip(access, con, tc, additionalTafLurs);
+		String no = access.getProperty(Config.CADI_NOAUTHN, null);
+		if(no!=null) {
+			no_authn = Split.split(':', no);
+		} else {
+			no_authn=null;
+		}
+	}
+
+	@Override
+	public void init(FilterConfig filterConfig) throws ServletException {
+	}
+	
+	protected Lur getLur() {
+		return cadi.getLur();
+	}
+
+	protected abstract TRANS newTrans();
+	protected abstract TimeTaken start(TRANS trans, ServletRequest request);
+	protected abstract void authenticated(TRANS trans, Principal p);
+	protected abstract void tallyHo(TRANS trans);
+	
+	@Override
+	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+		TRANS trans = newTrans();
+		
+		TimeTaken overall = start(trans,request);
+		try {
+			request.setAttribute(TRANS_TAG, trans);
+			
+			HttpServletRequest req = (HttpServletRequest)request;
+			HttpServletResponse res = (HttpServletResponse)response;
+			
+			if(no_authn!=null) {
+				for(String prefix : no_authn) {
+					if(req.getPathInfo().startsWith(prefix)) {
+						chain.doFilter(request, response);
+						return;
+					}
+				}
+			}
+
+			TimeTaken security = trans.start("CADI Security", Env.SUB);
+			TafResp resp;
+			RESP r;
+			CadiWrap cw = null;
+			try {
+				resp = cadi.validate(req,res,trans);
+				switch(r=resp.isAuthenticated()) {
+					case IS_AUTHENTICATED:
+						cw = new CadiWrap(req,resp,cadi.getLur());
+						authenticated(trans, cw.getUserPrincipal());
+						break;
+					default:
+						break;
+				}
+			} finally {
+				security.done();
+			}
+			
+			if(r==RESP.IS_AUTHENTICATED) {
+				trans.checkpoint(resp.desc());
+				if(cadi.notCadi(cw, res)) {
+					chain.doFilter(cw, response);
+				}
+			} else {
+				//TODO this is a good place to check if too many checks recently
+				// Would need Cached Counter objects that are cleaned up on 
+				// use
+				trans.checkpoint(resp.desc(),Env.ALWAYS);
+				if(resp.isFailedAttempt())
+						trans.audit().log(resp.desc());
+			}
+		} catch(Exception e) {
+			trans.error().log(e);
+			trans.checkpoint("Error: " + e.getClass().getSimpleName() + ": " + e.getMessage());
+			throw new ServletException(e);
+		} finally {
+			overall.done();
+			tallyHo(trans);
+		}
+	}
+
+	@Override
+	public void destroy() {
+	};
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/TransOnlyFilter.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/TransOnlyFilter.java
new file mode 100644
index 00000000..e0f7512d
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/TransOnlyFilter.java
@@ -0,0 +1,77 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.rserv;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+import org.onap.aaf.cadi.principal.TaggedPrincipal;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.TransStore;
+
+/**
+ * Create a new Transaction Object for each and every incoming Transaction
+ * 
+ * Attach to Request.  User "FilterHolder" mechanism to retain single instance.
+ * 
+ * TransFilter includes CADIFilter as part of the package, so that it can
+ * set User Data, etc, as necessary.
+ * 
+ * @author Jonathan
+ *
+ */
+public abstract class TransOnlyFilter<TRANS extends TransStore> implements Filter {
+	@Override
+	public void init(FilterConfig filterConfig) throws ServletException {
+	}
+	
+
+
+	protected abstract TRANS newTrans();
+	protected abstract TimeTaken start(TRANS trans, ServletRequest request);
+	protected abstract void authenticated(TRANS trans, TaggedPrincipal p);
+	protected abstract void tallyHo(TRANS trans);
+	
+	@Override
+	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+		TRANS trans = newTrans();
+		
+		TimeTaken overall = start(trans,request);
+		try {
+			request.setAttribute(TransFilter.TRANS_TAG, trans);
+			chain.doFilter(request, response);
+		} finally {
+			overall.done();
+		}
+		tallyHo(trans);
+	}
+
+	@Override
+	public void destroy() {
+	};
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/TypedCode.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/TypedCode.java
new file mode 100644
index 00000000..82b291c7
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/TypedCode.java
@@ -0,0 +1,269 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.rserv;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+
+import javax.servlet.ServletException;
+
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+
+
+/**
+ * TypedCode organizes implementation code based on the Type and Version of code it works with so that it can
+ * be located quickly at runtime based on the "Accept" HTTP Header.
+ *
+ * FYI: For those in the future wondering why I would create a specialized set of "Pair" for the data content:
+ *   1) TypeCode is used in Route, and this code is used for every transaction... it needs to be blazingly fast
+ *   2) The actual number of objects accessed is quite small and built at startup.  Arrays are best
+ *   3) I needed a small, well defined tree where each level is a different Type.  Using a "Pair" Generic definitions, 
+ *      I created type-safety at each level, which you can't get from a TreeSet, etc.
+ *   4) Chaining through the Network is simply object dereferencing, which is as fast as Java can go.
+ *   5) The drawback is that in your code is that all the variables are named "x" and "y", which can be a bit hard to
+ *   	read both in code, and in the debugger.  However, TypeSafety allows your IDE (Eclipse) to help you make the 
+ *      choices.  Also, make sure you have a good "toString()" method on each object so you can see what's happening
+ *      in the IDE Debugger.
+ *   
+ * Empirically, this method of obtaining routes proved to be much faster than the HashSet implementations available in otherwise
+ * competent Open Source.
+ *   
+ * @author Jonathan
+ *
+ * @param <TRANS>
+ */
+public class TypedCode<TRANS extends Trans> extends Content<TRANS> {
+		private List<Pair<String, Pair<HttpCode<TRANS,?>,List<Pair<String, Object>>>>> types;
+
+		public TypedCode() {
+			types = new ArrayList<Pair<String,Pair<HttpCode<TRANS,?>,List<Pair<String,Object>>>>>();
+		}
+		
+		/**
+		 * Construct Typed Code based on ContentType parameters passed in
+		 * 
+		 * @param code
+		 * @param others
+		 * @return
+		 */
+		public TypedCode<TRANS> add(HttpCode<TRANS,?> code, String ... others) {
+			StringBuilder sb = new StringBuilder();
+			boolean first = true;
+			for(String str : others) {
+				if(first) {
+					first = false; 
+				} else {
+					sb.append(',');
+				}
+				sb.append(str);
+			}
+			parse(code, sb.toString());
+			
+			return this;
+		}
+		
+		@Override
+		protected Pair<String, Pair<HttpCode<TRANS,?>, List<Pair<String, Object>>>> types(HttpCode<TRANS,?> code, String str) {
+			Pair<String, Pair<HttpCode<TRANS,?>,List<Pair<String, Object>>>> type = null;
+			ArrayList<Pair<String, Object>> props = new ArrayList<Pair<String,Object>>();
+			// Want Q percentage is to be first in the array everytime.  If not listed, 1.0 is default
+			props.add(new Pair<String,Object>(Q,1f));
+			Pair<HttpCode<TRANS,?>, List<Pair<String,Object>>> cl = new Pair<HttpCode<TRANS,?>, List<Pair<String,Object>>>(code, props);
+//			// breakup "plus" stuff, i.e. application/xaml+xml
+//			int plus = str.indexOf('+');
+//			if(plus<0) {
+				type = new Pair<String, Pair<HttpCode<TRANS,?>,List<Pair<String,Object>>>>(str, cl);
+				types.add(type);
+				return type;
+//			} else {
+//				int prev = str.indexOf('/')+1;
+//				String first = str.substring(0,prev);
+//				String nstr;
+//				while(prev!=0) {
+//					nstr = first + (plus>-1?str.substring(prev,plus):str.substring(prev));
+//					type = new Pair<String, Pair<HttpCode<TRANS,?>,List<Pair<String,Object>>>>(nstr, cl);
+//					types.add(type);
+//					prev = plus+1;
+//					plus = str.indexOf('+',prev);
+//				}
+//			return type;
+//			}
+		}
+
+		@Override
+		protected boolean props(Pair<String, Pair<HttpCode<TRANS,?>, List<Pair<String, Object>>>> type, String tag, String value) {
+			if(tag.equals(Q)) { // reset the Q value (first in array)
+				boolean rv = true;
+				try {
+					type.y.y.get(0).y=Float.parseFloat(value);
+					return rv;
+				} catch (NumberFormatException e) {
+					rv=false; // Note: this awkward syntax forced by Sonar, which doesn't like doing nothing with Exception
+							  // which is what should happen
+				}
+			}
+			return type.y.y.add(new Pair<String,Object>(tag,"version".equals(tag)?new Version(value):value));
+		}
+		
+		public Pair<String, Pair<HttpCode<TRANS, ?>, List<Pair<String, Object>>>> prep(TRANS trans, String compare) throws IOException, ServletException {
+			Pair<String, Pair<HttpCode<TRANS,?>, List<Pair<String, Object>>>> c,rv=null;
+			if(types.size()==1 && "".equals((c=types.get(0)).x)) { // if there are no checks for type, skip
+				rv = c;
+			} else {
+				if(compare==null || compare.length()==0) {
+					rv = types.get(0); // first code is used
+				} else {
+					Acceptor<TRANS> acc = new Acceptor<TRANS>(types);
+					boolean accepted;
+					TimeTaken tt = trans.start(compare, Env.SUB);
+					try {
+						accepted = acc.parse(null, compare);
+					} finally {
+						tt.done();
+					}
+					if(accepted) {
+						switch(acc.acceptable.size()) {
+							case 0:	
+//								// TODO best Status Code?
+//								resp.setStatus(HttpStatus.NOT_ACCEPTABLE_406);
+								break;
+							case 1: 
+								rv = acc.acceptable.get(0);
+								break;
+							default: // compare Q values to get Best Match
+								float bestQ = -1.0f;
+								Pair<String, Pair<HttpCode<TRANS,?>, List<Pair<String, Object>>>> bestT = null;
+								for(Pair<String, Pair<HttpCode<TRANS,?>, List<Pair<String, Object>>>> type : acc.acceptable) {
+									Float f = (Float)type.y.y.get(0).y; // first property is always Q
+									if(f>bestQ) {
+										bestQ=f;
+										bestT = type;
+									}
+								}
+								if(bestT!=null) {
+									// When it is a GET, the matched type is what is returned, so set ContentType
+//									if(isGet)resp.setContentType(bestT.x); // set ContentType of Code<TRANS,?>
+//									rv = bestT.y.x;
+									rv = bestT;
+								}
+						}
+					} else {
+						trans.checkpoint("No Match found for Accept");
+					}
+				}
+			}
+			return rv;
+		}
+		
+		/**
+		 * Print on String Builder content related to specific Code
+		 * 
+		 * This is for Reporting and Debugging purposes, so the content is not cached.
+		 * 
+		 * If code is "null", then all content is matched
+		 * 
+		 * @param code
+		 * @return
+		 */
+		public StringBuilder relatedTo(HttpCode<TRANS, ?> code, StringBuilder sb) {
+			boolean first = true;
+			for(Pair<String, Pair<HttpCode<TRANS, ?>, List<Pair<String, Object>>>> pair : types) {
+				if(code==null || pair.y.x == code) {
+					if(first) {
+						first = false;
+					} else {
+						sb.append(',');
+					}
+					sb.append(pair.x);
+					for(Pair<String,Object> prop : pair.y.y) {
+						// Don't print "Q".  it's there for internal use, but it is only meaningful for "Accepts"
+						if(!prop.x.equals(Q) || !prop.y.equals(1f) ) {
+							sb.append(';');
+							sb.append(prop.x);
+							sb.append('=');
+							sb.append(prop.y);
+						}
+					}
+				}
+			}
+			return sb;
+		}
+		
+		public List<Pair<String, Object>> getContent(HttpCode<TRANS,?> code) {
+			for(Pair<String, Pair<HttpCode<TRANS, ?>, List<Pair<String, Object>>>> pair : types) {
+				if(pair.y.x == code) {
+					return pair.y.y;
+				}
+			}
+			return null;
+		}
+	
+		public String toString() {
+			return relatedTo(null,new StringBuilder()).toString();
+		}
+		
+		public void api(RouteReport tr) {
+			// Need to build up a map, because Prop entries can be in several places.
+			HashMap<HttpCode<?,?>,StringBuilder> psb = new HashMap<HttpCode<?,?>,StringBuilder>();
+			StringBuilder temp;
+			tr.desc = null;
+			
+			// Read through Code/TypeCode trees for all accepted Typecodes
+			for(Pair<String, Pair<HttpCode<TRANS, ?>, List<Pair<String, Object>>>> tc : types) {
+				// If new, then it's new Code set, create prefix content
+				if((temp=psb.get(tc.y.x))==null) {
+					psb.put(tc.y.x,temp=new StringBuilder());
+					if(tr.desc==null) {
+						tr.desc = tc.y.x.desc();
+					}
+				} else {
+					temp.append(',');
+				}
+				temp.append(tc.x);
+
+				// add all properties
+				for(Pair<String, Object> props : tc.y.y) {
+					temp.append(';');
+					temp.append(props.x);
+					temp.append('=');
+					temp.append(props.y);
+				}
+			}
+			// Gather all ContentType possibilities for the same code together
+			
+			for(StringBuilder sb : psb.values()) {
+				tr.contextTypes.add(sb.toString());
+			}
+		}
+
+		public String first() {
+			if(types.size()>0) {
+				return types.get(0).x;
+			}
+			return null;
+		}
+		
+	}
+\ No newline at end of file
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Version.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Version.java
new file mode 100644
index 00000000..ce0981fe
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Version.java
@@ -0,0 +1,93 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.rserv;
+
+
+/**
+ * Analyze and hold Version information for Code
+ * 
+ * @author Jonathan
+ *
+ */
+public class Version {
+	private Object[] parts;
+
+	public Version(String v) {
+		String sparts[] = v.split("\\.");
+		parts = new Object[sparts.length];
+		System.arraycopy(sparts, 0, parts, 0, sparts.length);
+		if(parts.length>1) { // has at least a minor
+		  try {
+			  parts[1]=Integer.decode(sparts[1]); // minor elements need to be converted to Integer for comparison
+		  } catch (NumberFormatException e) {
+			  // it's ok, leave it as a string
+			  parts[1]=sparts[1]; // This useless piece of code forced by Sonar which calls empty Exceptions "Blockers".
+		  }
+		}
+	}
+
+	public boolean equals(Object obj) {
+		if(obj instanceof Version) {
+			Version ver = (Version)obj;
+			int length = Math.min(parts.length, ver.parts.length);
+			for(int i=0;i<length;++i) { // match on declared parts
+				if(i==1) {
+					if(parts[1] instanceof Integer && ver.parts[1] instanceof Integer) {
+						// Match on Minor version if this Version is less than Version to be checked
+						if(((Integer)parts[1])<((Integer)ver.parts[1])) {
+							return false;
+						}
+						continue; // don't match next line
+					}
+				}
+				if(!parts[i].equals(ver.parts[i])) {
+					return false; // other spots exact match
+				}
+			}
+			return true;
+		}
+		return false;
+	}
+	
+	
+	/* (non-Javadoc)
+	 * @see java.lang.Object#hashCode()
+	 */
+	@Override
+	public int hashCode() {
+		return super.hashCode();
+	}
+
+	public String toString() {
+		StringBuilder sb = new StringBuilder();
+		boolean first = true;
+		for(Object obj : parts) {
+			if(first) {
+				first = false;
+			} else {
+				sb.append('.');
+			}
+			sb.append(obj.toString());
+		}
+		return sb.toString();
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/doc/ApiDoc.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/doc/ApiDoc.java
new file mode 100644
index 00000000..e2914752
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/doc/ApiDoc.java
@@ -0,0 +1,40 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.auth.rserv.doc;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+import org.onap.aaf.auth.rserv.HttpMethods;
+@Retention(RetentionPolicy.RUNTIME)
+@Target({ElementType.METHOD})
+public @interface ApiDoc {
+	HttpMethods method();
+	String path();
+	int expectedCode();
+	int[] errorCodes();
+	String[] text();
+	/** Format with name|type|[true|false] */
+	String[] params();
+	
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java
new file mode 100644
index 00000000..e1c01718
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java
@@ -0,0 +1,156 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.server;
+
+import java.security.NoSuchAlgorithmException;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+import javax.servlet.Filter;
+
+import org.onap.aaf.auth.common.Define;
+import org.onap.aaf.auth.rserv.RServlet;
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.http.HTransferSS;
+import org.onap.aaf.cadi.principal.TaggedPrincipal;
+import org.onap.aaf.cadi.register.Registrant;
+import org.onap.aaf.cadi.util.Split;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Trans;
+import org.onap.aaf.misc.env.impl.BasicEnv;
+
+public abstract class AbsService<ENV extends BasicEnv, TRANS extends Trans> extends RServlet<TRANS> {
+	public final Access access;
+	public final ENV env;
+	private AAFConHttp aafCon;
+
+	public final String app_name;
+	public final String app_version;
+	public final String app_interface_version;
+	public final String ROOT_NS;
+
+    public AbsService(final Access access, final ENV env) throws CadiException {
+    		Define.set(access);
+    		ROOT_NS = Define.ROOT_NS();
+		this.access = access;
+		this.env = env;
+
+		String component = access.getProperty(Config.AAF_COMPONENT, null);
+		final String[] locator_deploy;
+		
+		if(component == null) {
+			locator_deploy = null;
+		} else {
+			locator_deploy = Split.splitTrim(':', component);
+		}
+			
+		if(component == null || locator_deploy==null || locator_deploy.length<2) {
+			throw new CadiException("AAF Component must include the " + Config.AAF_COMPONENT + " property, <fully qualified service name>:<full deployed version (i.e. 2.1.3.13)");
+		}
+		final String[] version = Split.splitTrim('.', locator_deploy[1]);
+		if(version==null || version.length<2) {
+			throw new CadiException("AAF Component Version must have at least Major.Minor version");
+		}
+    		app_name = Define.varReplace(locator_deploy[0]);
+    		app_version = locator_deploy[1];
+    		app_interface_version = version[0]+'.'+version[1];
+    		
+		// Print Cipher Suites Available
+		if(access.willLog(Level.DEBUG)) {
+			SSLContext context;
+			try {
+				context = SSLContext.getDefault();
+			} catch (NoSuchAlgorithmException e) {
+				throw new CadiException("SSLContext issue",e);
+			}
+			SSLSocketFactory sf = context.getSocketFactory();
+			StringBuilder sb = new StringBuilder("Available Cipher Suites: ");
+			boolean first = true;
+			int count=0;
+			for( String cs : sf.getSupportedCipherSuites()) {
+				if(first)first = false;
+				else sb.append(',');
+				sb.append(cs);
+				if(++count%4==0){sb.append('\n');}
+			}
+			access.log(Level.DEBUG,sb);
+		}
+    }
+
+	public abstract Filter[] filters() throws CadiException,  LocatorException;
+
+
+    public abstract Registrant<ENV>[] registrants(final int port) throws CadiException, LocatorException;
+
+	// Lazy Instantiation
+    public synchronized AAFConHttp aafCon() throws CadiException, LocatorException {
+	    	if(aafCon==null) {
+		    	if(access.getProperty(Config.AAF_URL,null)!=null) {
+		    		aafCon = _newAAFConHttp();
+		    	} else {
+		    		throw new CadiException("AAFCon cannot be constructed without " + Config.AAF_URL);
+		    	}
+	    	}
+	    	return aafCon;
+    }
+    
+    /**
+     * Allow to be over ridden for special cases
+     * @return
+     * @throws LocatorException 
+     */
+    protected synchronized AAFConHttp _newAAFConHttp() throws CadiException, LocatorException {
+		try {
+			if(aafCon==null) {
+				aafCon = new AAFConHttp(access);
+			} 
+			return aafCon;
+		} catch (APIException e) {
+			throw new CadiException(e);
+		}
+    }
+    
+    // This is a method, so we can overload for AAFAPI
+    public String aaf_url() {
+    		return access.getProperty(Config.AAF_URL, null);
+    }
+    
+	public Rcli<?> client() throws CadiException {
+		return aafCon.client(Config.AAF_DEFAULT_VERSION);
+	}
+
+	public Rcli<?> clientAsUser(TaggedPrincipal p) throws CadiException {
+		return aafCon.client(Config.AAF_DEFAULT_VERSION).forUser(
+				new HTransferSS(p,app_name, aafCon.securityInfo()));
+	}
+
+	public<RET> RET clientAsUser(TaggedPrincipal p,Retryable<RET> retryable) throws APIException, LocatorException, CadiException  {
+			return aafCon.hman().best(new HTransferSS(p,app_name, aafCon.securityInfo()), retryable);
+	}
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsServiceStarter.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsServiceStarter.java
new file mode 100644
index 00000000..1a6c54d7
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsServiceStarter.java
@@ -0,0 +1,95 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.auth.server;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.auth.org.OrganizationFactory;
+import org.onap.aaf.auth.rserv.RServlet;
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.register.Registrant;
+import org.onap.aaf.cadi.register.Registrar;
+import org.onap.aaf.misc.env.Trans;
+import org.onap.aaf.misc.rosetta.env.RosettaEnv;
+
+public abstract class AbsServiceStarter<ENV extends RosettaEnv, TRANS extends Trans> implements ServiceStarter {
+	private Registrar<ENV> registrar;
+	private boolean do_register;
+	protected AbsService<ENV,TRANS> service;
+
+
+	public AbsServiceStarter(final AbsService<ENV,TRANS> service) {
+		this.service = service;
+		try {
+			OrganizationFactory.init(service.env);
+		} catch (OrganizationException e) {
+			service.access.log(e, "Missing defined Organzation Plugins");
+			System.exit(3);
+		}
+		// do_register - this is used for specialty Debug Situations.  Developer can create an Instance for a remote system
+		// for Debugging purposes without fear that real clients will start to call your debug instance
+		do_register = !"TRUE".equalsIgnoreCase(access().getProperty("aaf_locate_no_register",null));
+		_propertyAdjustment();
+	}
+	
+	public abstract void _start(RServlet<TRANS> rserv) throws Exception;
+	public abstract void _propertyAdjustment();
+	
+	public ENV env() {
+		return service.env;
+	}
+	
+	public Access access() {
+		return service.access;
+	}
+
+	@Override
+	public final void start() throws Exception {
+		_start(service);
+		Runtime.getRuntime().addShutdownHook(new Thread() {
+			@Override
+			public void run() {
+				shutdown();
+			}
+		});
+	}
+
+	@SafeVarargs
+	public final synchronized void register(final Registrant<ENV> ... registrants) {
+		if(do_register) {
+			if(registrar==null) {
+				registrar = new Registrar<ENV>(env(),false);
+			}
+			for(Registrant<ENV> r : registrants) {
+				registrar.register(r);
+			}
+		}
+	}
+
+	@Override
+    public void shutdown() {
+		if(registrar!=null) {
+			registrar.close(env());
+			registrar=null;
+		} 
+		if(service!=null) {
+			service.destroy();
+		}
+    }
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/server/JettyServiceStarter.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/JettyServiceStarter.java
new file mode 100644
index 00000000..dbf24cc6
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/JettyServiceStarter.java
@@ -0,0 +1,255 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.auth.server;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.util.Properties;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.http.HttpVersion;
+import org.eclipse.jetty.server.HttpConfiguration;
+import org.eclipse.jetty.server.HttpConnectionFactory;
+import org.eclipse.jetty.server.Request;
+import org.eclipse.jetty.server.SecureRequestCustomizer;
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.ServerConnector;
+import org.eclipse.jetty.server.SslConnectionFactory;
+import org.eclipse.jetty.server.handler.AbstractHandler;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.auth.rserv.RServlet;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.config.SecurityInfo;
+import org.onap.aaf.misc.env.Trans;
+import org.onap.aaf.misc.env.util.Split;
+import org.onap.aaf.misc.rosetta.env.RosettaEnv;
+
+
+public class JettyServiceStarter<ENV extends RosettaEnv, TRANS extends Trans> extends AbsServiceStarter<ENV,TRANS> {
+
+	private boolean secure;
+
+	public JettyServiceStarter(final AbsService<ENV,TRANS> service) throws OrganizationException {
+		super(service);
+		secure = true;
+	}
+	
+	/**
+	 * Specifically set this Service starter to Insecure (HTTP) Mode. 
+	 * @return
+	 */
+	public JettyServiceStarter<ENV,TRANS> insecure() {
+		secure = false;
+		return this;
+	}
+
+//	@Override
+//	public void _propertyAdjustment() {
+//		Properties props = access().getProperties();
+//		Object temp = null;
+//		// Critical - if no Security Protocols set, then set it.  We'll just get messed up if not
+//		if((temp=props.get(Config.CADI_PROTOCOLS))==null) {
+//			if((temp=props.get(Config.HTTPS_PROTOCOLS))==null) {
+//				props.put(Config.CADI_PROTOCOLS, SecurityInfo.HTTPS_PROTOCOLS_DEFAULT);
+//			} else {
+//				props.put(Config.CADI_PROTOCOLS, temp);
+//			}
+//		}
+//	
+//		if("1.7".equals(System.getProperty("java.specification.version"))) {
+//			System.setProperty(Config.HTTPS_CIPHER_SUITES, Config.HTTPS_CIPHER_SUITES_DEFAULT);
+//		}
+//		System.setProperty(Config.HTTPS_CIPHER_SUITES, temp.toString());
+//	}
+
+	@Override
+	public void _propertyAdjustment() {
+//		System.setProperty("com.sun.management.jmxremote.port", "8081");
+		Properties props = access().getProperties();
+		Object httpproto = null;
+		// Critical - if no Security Protocols set, then set it.  We'll just get messed up if not
+		if((httpproto=props.get(Config.CADI_PROTOCOLS))==null) {
+			if((httpproto=props.get(Config.HTTPS_PROTOCOLS))==null) {
+				props.put(Config.CADI_PROTOCOLS, (httpproto=SecurityInfo.HTTPS_PROTOCOLS_DEFAULT));
+			} else {
+				props.put(Config.CADI_PROTOCOLS, httpproto);
+			}
+		}
+	
+		if("1.7".equals(System.getProperty("java.specification.version")) && (httpproto==null || (httpproto instanceof String && ((String)httpproto).contains("TLSv1.2")))) {
+			System.setProperty(Config.HTTPS_CIPHER_SUITES, Config.HTTPS_CIPHER_SUITES_DEFAULT);
+		}
+	}
+
+	@Override
+	public void _start(RServlet<TRANS> rserv) throws Exception {
+		final String hostname = access().getProperty(Config.HOSTNAME, "localhost");
+		final int port = Integer.parseInt(access().getProperty("port","0"));
+		final String keystore = access().getProperty(Config.CADI_KEYSTORE, null);
+		final int IDLE_TIMEOUT = Integer.parseInt(access().getProperty(Config.AAF_CONN_IDLE_TIMEOUT, Config.AAF_CONN_IDLE_TIMEOUT_DEF));
+		Server server = new Server();
+		
+		ServerConnector conn;
+		String protocol;
+		if(!secure || keystore==null) {
+			conn = new ServerConnector(server);
+			protocol = "http";
+		} else {
+			protocol = "https";
+
+			String keystorePassword = access().getProperty(Config.CADI_KEYSTORE_PASSWORD, null);
+			if(keystorePassword==null) {
+				throw new CadiException("No Keystore Password configured for " + keystore);
+			}
+			SslContextFactory sslContextFactory = new SslContextFactory();
+			sslContextFactory.setKeyStorePath(keystore);
+			String temp;
+			sslContextFactory.setKeyStorePassword(temp=access().decrypt(keystorePassword, true)); // don't allow unencrypted
+			sslContextFactory.setKeyManagerPassword(temp);
+			temp=null; // don't leave lying around
+			
+			String truststore = access().getProperty(Config.CADI_TRUSTSTORE, null);
+			if(truststore!=null) {
+				String truststorePassword = access().getProperty(Config.CADI_TRUSTSTORE_PASSWORD, null);
+				if(truststorePassword==null) {
+					throw new CadiException("No Truststore Password configured for " + truststore);
+				}
+				sslContextFactory.setTrustStorePath(truststore);
+				sslContextFactory.setTrustStorePassword(access().decrypt(truststorePassword, true)); 
+			}
+			// Be able to accept only certain protocols, i.e. TLSv1.1+
+			final String[] protocols = Split.splitTrim(',', access().getProperty(Config.CADI_PROTOCOLS, SecurityInfo.HTTPS_PROTOCOLS_DEFAULT));
+			sslContextFactory.setIncludeProtocols(protocols);
+			
+			// Want to use Client Certificates, if they exist.
+			sslContextFactory.setWantClientAuth(true);
+			
+			// Optional future checks.
+			//   sslContextFactory.setValidateCerts(true);
+			//	 sslContextFactory.setValidatePeerCerts(true);
+			//	 sslContextFactory.setEnableCRLDP(false);
+			//	 sslContextFactory.setEnableOCSP(false);
+			String certAlias = access().getProperty(Config.CADI_ALIAS, null);
+			if(certAlias!=null) {
+				sslContextFactory.setCertAlias(certAlias);
+			}
+			
+			HttpConfiguration httpConfig = new HttpConfiguration();
+			httpConfig.setSecureScheme(protocol);
+			httpConfig.setSecurePort(port);
+			httpConfig.addCustomizer(new SecureRequestCustomizer());
+			//  httpConfig.setOutputBufferSize(32768);  Not sure why take this setting
+			
+			conn = new ServerConnector(server,
+				new SslConnectionFactory(sslContextFactory,HttpVersion.HTTP_1_1.asString()),
+					new HttpConnectionFactory(httpConfig)
+				);
+		}
+		
+		// Setup JMX 
+		// TODO trying to figure out how to set up/log ports
+//		MBeanServer mbeanServer = ManagementFactory.getPlatformMBeanServer();
+//		MBeanContainer mbContainer=new MBeanContainer(mbeanServer);
+//		server.addEventListener(mbContainer);
+//		server.addBean(mbContainer);
+		
+		// Add loggers MBean to server (will be picked up by MBeanContainer above)
+//		server.addBean(Log.getLog());
+	
+		conn.setHost(hostname);
+		conn.setPort(port);
+		conn.setIdleTimeout(IDLE_TIMEOUT);
+		server.addConnector(conn);
+		
+		server.setHandler(new AbstractHandler() {
+				private FilterChain fc = buildFilterChain(service,new FilterChain() {
+					@Override
+					public void doFilter(ServletRequest req, ServletResponse resp) throws IOException, ServletException {
+						rserv.service(req, resp);
+					}
+				});
+				
+				@Override
+				public void handle(String target, Request baseRequest, HttpServletRequest hreq, HttpServletResponse hresp) throws IOException, ServletException {
+					try {
+						fc.doFilter(hreq,hresp);
+					} catch (Exception e) {
+						service.access.log(e, "Error Processing " + target);
+						hresp.setStatus(500 /* Service Error */);
+					}
+			        baseRequest.setHandled(true);
+				}
+			}
+		);
+		
+		try {
+			access().printf(Level.INIT, "Starting service on %s:%d (%s)",hostname,port,InetAddress.getLocalHost().getHostAddress());
+			server.start();
+			access().log(Level.INIT,server.dump());
+		} catch (Exception e) {
+			access().log(e,"Error starting " + service.app_name);
+			System.exit(1);
+		}
+		try {
+			register(service.registrants(port));
+			access().printf(Level.INIT, "Starting Jetty Service for %s, version %s, on %s://%s:%d", service.app_name,service.app_version,protocol,hostname,port);
+		} catch(Exception e) {
+			access().log(e,"Error registering " + service.app_name);
+			// Question: Should Registered Services terminate?
+		}
+		server.join();
+	}
+
+	private FilterChain buildFilterChain(final AbsService<?,?> as, final FilterChain doLast) throws CadiException, LocatorException {
+		Filter[] filters = as.filters();
+		FilterChain fc = doLast;
+		for(int i=filters.length-1;i>=0;--i) {
+			fc = new FCImpl(filters[i],fc);
+		}
+		return fc;
+	}
+	
+	private class FCImpl implements FilterChain {
+		private Filter f;
+		private FilterChain next;
+		
+		public FCImpl(final Filter f, final FilterChain fc) {
+			this.f=f;
+			next = fc;
+			
+		}
+		@Override
+		public void doFilter(ServletRequest req, ServletResponse resp) throws IOException, ServletException {
+			f.doFilter(req,resp, next);
+		}
+	}
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/server/ServiceStarter.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/ServiceStarter.java
new file mode 100644
index 00000000..529d2d35
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/ServiceStarter.java
@@ -0,0 +1,26 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.auth.server;
+
+public interface ServiceStarter {
+	public void start() throws Exception;
+	public void shutdown();
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/validation/Validator.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/validation/Validator.java
new file mode 100644
index 00000000..16c0d3ba
--- /dev/null
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/validation/Validator.java
@@ -0,0 +1,204 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.validation;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.regex.Pattern;
+
+import org.onap.aaf.auth.layer.Result;
+
+
+public class Validator {
+	private static final String ESSENTIAL = "\\x25\\x28\\x29\\x2C-\\x2E\\x30-\\x39\\x3D\\x40-\\x5A\\x5F\\x61-\\x7A";
+	private static final Pattern ESSENTIAL_CHARS = Pattern.compile("["+ESSENTIAL+"]+");
+	public static final Pattern ACTION_CHARS = Pattern.compile(
+				"["+ESSENTIAL+"]+" +	// All AlphaNumeric+
+				"|\\*"						// Just Star
+				);
+	public static final Pattern INST_CHARS = Pattern.compile(
+				"["+ESSENTIAL+"]+[\\*]*" +				// All AlphaNumeric+ possibly ending with *
+				"|\\*" +								// Just Star
+				"|(([:/]\\*)|([:/][!]{0,1}["+ESSENTIAL+"]+[\\*]*[:/]*))+"	// Key :asdf:*:sdf*:sdk
+				);
+	public static final Pattern ID_CHARS = Pattern.compile("[\\w.-]+@[\\w.-]+");
+	public static final Pattern NAME_CHARS = Pattern.compile("[\\w.-]+");
+	public static final Pattern DESC_CHAR = Pattern.compile("["+ESSENTIAL+"\\x20]+");
+	public static List<String> nsKeywords;
+	protected final Pattern actionChars;
+	protected final Pattern instChars;
+	private StringBuilder msgs;
+
+	static {
+		nsKeywords = new ArrayList<String>();
+		nsKeywords.add(".access");
+		nsKeywords.add(".owner");
+		nsKeywords.add(".admin");
+		nsKeywords.add(".member");
+		nsKeywords.add(".perm");
+		nsKeywords.add(".role");
+		nsKeywords.add(".ns");
+		nsKeywords.add(".cred");
+	}
+
+	public Validator() {
+		actionChars = ACTION_CHARS;
+		instChars = INST_CHARS;
+	}
+	
+	public final String errs() {
+		return msgs.toString();
+	}
+
+	public final Validator nullOrBlank(String name, String str) {
+		if(str==null) {
+			msg(name + " is null.");
+		} else if(str.length()==0) {
+			msg(name + " is blank.");
+		}
+		return this;
+	}
+
+	public final Validator isNull(String name, Object o) {
+		if(o==null) {
+			msg(name + " is null.");
+		}
+		return this;
+	}
+
+	protected final boolean noMatch(String str, Pattern p) {
+		return !p.matcher(str).matches();
+	}
+	protected final boolean nob(String str, Pattern p) {
+		return str==null || !p.matcher(str).matches(); 
+	}
+
+	protected final void msg(String ... strs) {
+		if(msgs==null) {
+			msgs=new StringBuilder();
+		}
+		for(String str : strs) {
+			msgs.append(str);
+		}
+		msgs.append('\n');
+	}
+
+	public final boolean err() {
+		return msgs!=null;
+	}
+
+	public final Validator notOK(Result<?> res) {
+		if(res==null) {
+			msgs.append("Result object is blank");
+		} else if(res.notOK()) {
+			msgs.append(res.getClass().getSimpleName() + " is not OK");
+		}
+		return this;
+	}
+
+	protected Validator intRange(String text, int target, int start, int end) {
+		if(target<start || target>end) {
+			msg(text + " is out of range (" + start + '-' + end + ')');
+		}
+		return this;
+	}
+
+	protected Validator floatRange(String text, float target, float start, float end) {
+		if(target<start || target>end) {
+			msg(text + " is out of range (" + start + '-' + end + ')');
+		}
+		return this;
+	}
+
+	protected Validator description(String type, String description) {
+		if(description!=null) {
+			if(noMatch(description, DESC_CHAR)) {
+				msg(type + " Description is invalid.");
+			}
+		}
+		return this;
+	}
+
+	public final Validator permType(String type) {
+		if(nob(type,NAME_CHARS)) {
+			msg("Perm Type [" +type + "] is invalid.");
+		}
+		return this;
+	}
+
+	public final Validator permType(String type, String ns) {
+		if(nob(type,NAME_CHARS)) {
+			msg("Perm Type [" + (ns==null?"":ns+(type.length()==0?"":'.'))+type + "] is invalid.");
+		}
+		return this;
+	}
+
+	public final Validator permInstance(String instance) {
+		if(nob(instance,instChars)) {
+			msg("Perm Instance [" + instance + "] is invalid.");
+		}
+		return this;
+	}
+
+	public final Validator permAction(String action) {
+		// TODO check for correct Splits?  Type|Instance|Action ?
+		if(nob(action, actionChars)) {
+			msg("Perm Action [" + action + "] is invalid.");
+		}
+		return this;
+	}
+
+	public final Validator role(String role) {
+		if(nob(role, NAME_CHARS)) {
+			msg("Role [" + role + "] is invalid.");
+		}
+		return this;
+	}
+
+	public final Validator ns(String ns) {
+		if(nob(ns,NAME_CHARS)){
+			msg("NS [" + ns + "] is invalid.");
+		} 
+		for(String s : nsKeywords) {
+			if(ns.endsWith(s)) {
+				msg("NS [" + ns + "] may not be named with NS keywords");
+				break;
+			}
+		}
+		return this;
+	}
+
+	public final Validator key(String key) {
+		if(nob(key,NAME_CHARS)) {
+			msg("NS Prop Key [" + key + "] is invalid");
+		}
+		return this;
+	}
+
+	public final Validator value(String value) {
+		if(nob(value,ESSENTIAL_CHARS)) {
+			msg("NS Prop value [" + value + "] is invalid");
+		}
+		return this;
+	}
+
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/common/test/JU_Define.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/common/test/JU_Define.java
new file mode 100644
index 00000000..89e1aa94
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/common/test/JU_Define.java
@@ -0,0 +1,66 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.common.test;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.misc.env.Env;
+import static org.junit.Assert.*;
+
+//import com.att.authz.common.Define;
+import org.powermock.api.mockito.PowerMockito;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+@RunWith(PowerMockRunner.class)
+//TODO: Gabe [JUnit] class path/ class Define is missing, com.att.authz.common also missing
+public class JU_Define {
+	//Define define;
+	public static String ROOT_NS="NS.Not.Set";
+	public static String ROOT_COMPANY=ROOT_NS;
+	
+	@Mock 
+	Env envMock;
+	
+	
+//	@Before
+//	public void setUp(){
+//		define = new Define();
+//	}
+//
+//	@Test
+//	public void testSet() throws CadiException {
+//		PowerMockito.when(envMock.getProperty(Config.AAF_ROOT_NS)).thenReturn("aaf_root_ns");
+//		PowerMockito.when(envMock.getProperty(Config.AAF_ROOT_COMPANY)).thenReturn("aaf_root_company");
+//		//PowerMockito.when(envMock.init().log()).thenReturn(null);
+//		//PowerMockito.doNothing().doThrow(new CadiException()).when(envMock).init().log(Matchers.anyString());
+//		//define.set(envMock);
+//	}
+
+	@Test
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/env/test/JU_AuthzEnv.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/env/test/JU_AuthzEnv.java
new file mode 100644
index 00000000..1117fce7
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/env/test/JU_AuthzEnv.java
@@ -0,0 +1,174 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.env.test;
+
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.mock;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Properties;
+import org.onap.aaf.cadi.Access;
+import static org.mockito.Mockito.when;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.misc.env.APIException;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+import junit.framework.Assert;
+
+@RunWith(PowerMockRunner.class)
+public class JU_AuthzEnv {
+	private static final org.onap.aaf.cadi.Access.Level DEBUG = null;
+	AuthzEnv authzEnv;
+	enum Level {DEBUG, INFO, AUDIT, INIT, WARN, ERROR};
+	
+	@Before
+	public void setUp(){
+		PropAccess access = null;
+		Properties props = null;
+		authzEnv = new AuthzEnv();
+		AuthzEnv authzEnv1 = new AuthzEnv("Test");
+		AuthzEnv authzEnv2 = new AuthzEnv(props);
+		AuthzEnv authzEnv3 = new AuthzEnv(access);
+	}
+
+	@Test
+	public void testTransRate() {
+	Long Result =	authzEnv.transRate();
+	System.out.println("value of result " +Result); //Expected 300000
+	assertNotNull(Result);		
+	}
+	
+	@Test
+	public void checkNewTransNoAvg() {
+		
+		Assert.assertNotNull(authzEnv.newTransNoAvg());
+	}
+	
+	@Test
+	public void checkNewTrans() {
+		Assert.assertNotNull(authzEnv.newTrans());
+	}
+	
+	@Test
+	public void checkPropAccess() {
+		Assert.assertNotNull(authzEnv.access());
+	}
+	
+	@Test
+	public void checkgetProperties() { //TODO:[GABE]No setter for this, add?
+		Assert.assertNotNull(authzEnv.getProperties());
+		Assert.assertNotNull(authzEnv.getProperties("test"));
+	}
+	
+	@Test(expected = APIException.class)
+	public void checkSetLog4JNames() throws APIException {//TODO: Find better way to test instead of just seeing if strings pass
+		authzEnv.setLog4JNames("path", "root","service","audit","init","trace");
+		authzEnv.setLog4JNames("path", "root",null,"audit","init","trace");
+	}
+	
+	@Test
+	public void checkPropertyGetters(){
+		authzEnv.setProperty("key","value");
+		Assert.assertEquals(authzEnv.getProperty("key"), "value");
+		Assert.assertEquals(authzEnv.getProperty("key","value"), "value");
+	}
+	
+	@Test
+	public void checkPropertySetters(){
+		Assert.assertEquals(authzEnv.getProperty("key","value"), authzEnv.setProperty("key","value"));
+	}
+	
+	@Test(expected = IOException.class)
+	public void testDecryptException() throws IOException{
+		String encrypted = "enc:";
+		authzEnv.setProperty(Config.CADI_KEYFILE, "test");//TODO: Figure out setter for this
+		authzEnv.decrypt(encrypted, true);
+		authzEnv.decrypt("", false);
+	}
+	
+	@Test
+	public void testDecrypt() throws IOException{
+		String encrypted = "encrypted";
+		String Result = authzEnv.decrypt(encrypted, true);
+		System.out.println("value of res " +Result);
+		assertEquals("encrypted",Result);
+	}
+	
+	@Test
+	public void testClassLoader() {
+		ClassLoader cLoad = mock(ClassLoader.class);
+		cLoad = authzEnv.classLoader();
+		Assert.assertNotNull(cLoad);
+	}
+	
+	@Test
+	public void testLoad() throws IOException {
+		InputStream is = mock(InputStream.class);
+		authzEnv.load(is);
+	}
+	
+	@Test
+	public void testLog() {
+		Access.Level lvl = Access.Level.DEBUG;
+		Object msgs = null;
+		authzEnv.log(lvl, msgs);
+	}
+	
+	@Test
+	public void testLog1() {
+		Exception e = new Exception();
+		Object msgs = null;
+		authzEnv.log(e, msgs);
+	}
+	
+	@Test
+	public void testPrintf() {
+		Access.Level lvl = Access.Level.DEBUG;
+		Object msgs = null;
+		authzEnv.printf(lvl, "Test", msgs);
+	}
+	
+	@Test
+	public void testWillLog() {
+		Access.Level lvl = Access.Level.DEBUG;
+		Access.Level lvl1 = Access.Level.AUDIT;
+		boolean test = authzEnv.willLog(lvl);
+		Assert.assertFalse(test);
+		test = authzEnv.willLog(lvl1);
+		Assert.assertTrue(test);
+		
+	}
+	
+	@Test
+	public void testSetLogLevel() {
+		Access.Level lvl = Access.Level.DEBUG;
+		authzEnv.setLogLevel(lvl);
+	}
+
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/env/test/JU_AuthzTransFilter.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/env/test/JU_AuthzTransFilter.java
new file mode 100644
index 00000000..f874e9d0
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/env/test/JU_AuthzTransFilter.java
@@ -0,0 +1,130 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.env.test;
+
+import static org.junit.Assert.*;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import static org.mockito.Matchers.any;
+import static org.mockito.Matchers.anyInt;
+import static org.mockito.Mockito.*;
+import org.mockito.Mock;
+import java.security.Principal;
+
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.env.AuthzTransFilter;
+import org.onap.aaf.auth.env.AuthzTransImpl;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.Connector;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.TrustChecker;
+import org.onap.aaf.cadi.principal.TaggedPrincipal;
+import org.onap.aaf.misc.env.LogTarget;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.Trans.Metric;
+import org.powermock.api.mockito.PowerMockito;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+@RunWith(PowerMockRunner.class)  
+public class JU_AuthzTransFilter {
+AuthzTransFilter authzTransFilter;
+AuthzEnv authzEnvMock = mock(AuthzEnv.class);
+Connector connectorMock = mock(Connector.class);
+TrustChecker trustCheckerMock = mock(TrustChecker.class);
+AuthzTrans authzTransMock = mock(AuthzTrans.class);
+Object additionalTafLurs = mock(Object.class);
+
+	@Before
+	public void setUp() throws CadiException{
+		when(authzEnvMock.access()).thenReturn(new PropAccess());
+		//when(authzEnvMock.newTrans()).thenReturn(new AuthzTransImpl(authzEnvMock));
+		authzTransFilter = new AuthzTransFilter(authzEnvMock, connectorMock, trustCheckerMock, additionalTafLurs);
+		
+		
+	}
+
+/*	@Test
+	public void testTallyHo(){
+		PowerMockito.when(authzTransMock.info().isLoggable()).thenReturn(true);
+		//TODO: Gabe [JUnit] Not visible for junit
+		//if(trans.info().isLoggable())
+		//authzTransFilter.tallyHo(authzTransMock);
+		
+	}*/
+
+	/*@Test
+	public void testProtected() throws NoSuchMethodException, SecurityException, IllegalAccessException, IllegalArgumentException, InvocationTargetException {
+		Method newTransMethod = AuthzTransFilter.class.getDeclaredMethod("newTrans");
+		newTransMethod.setAccessible(true);
+		
+		newTransMethod.invoke(authzTransFilter);
+	}*/
+	
+	@Test
+	public void testAuthenticated() throws IllegalAccessException, IllegalArgumentException, InvocationTargetException, NoSuchMethodException, SecurityException, CadiException {
+		Principal p = mock(Principal.class);
+		AuthzTransFilter aTF = new AuthzTransFilter(authzEnvMock, connectorMock, trustCheckerMock, null);
+		Class c = aTF.getClass();
+		Class[] cArg = new Class[2];
+		cArg[0] = AuthzTrans.class;
+		cArg[1] = Principal.class;		//Steps to test a protected method
+		Method authenticatedMethod = c.getDeclaredMethod("authenticated", cArg);
+		authenticatedMethod.setAccessible(true);
+		authenticatedMethod.invoke(aTF,authzTransMock, null);
+	}
+	
+	@Test
+	public void testTallyHo() throws CadiException, NoSuchMethodException, SecurityException, IllegalAccessException, IllegalArgumentException, InvocationTargetException {
+		Slot specialLogSlot = authzEnvMock.slot("SPECIAL_LOG_SLOT");
+		LogTarget lt = mock(LogTarget.class);
+		AuthzTransFilter aTF = new AuthzTransFilter(authzEnvMock, connectorMock, trustCheckerMock, additionalTafLurs);
+		TaggedPrincipal tPrin = mock(TaggedPrincipal.class);
+		Metric met = new Metric();
+		met.total = 199.33F;
+		met.entries = 15;
+		met.buckets = new float[] {199.33F,99.33F};
+		Class c = aTF.getClass();
+		Class[] cArg = new Class[1];
+		cArg[0] = AuthzTrans.class;		//Steps to test a protected method
+		Method tallyHoMethod = c.getDeclaredMethod("tallyHo", cArg);
+		StringBuilder sb = new StringBuilder("AuditTrail\n");
+		when(authzTransMock.auditTrail(((LogTarget)any()), anyInt(),(StringBuilder)any(),anyInt(),anyInt())).thenReturn(met);
+		tallyHoMethod.setAccessible(true);
+		when(authzTransMock.get(specialLogSlot, false)).thenReturn(false);
+		when(authzTransMock.warn()).thenReturn(lt);
+		when(authzTransMock.info()).thenReturn(lt);
+		tallyHoMethod.invoke(aTF,authzTransMock);
+		when(authzTransMock.getUserPrincipal()).thenReturn(tPrin);
+		tallyHoMethod.invoke(aTF,authzTransMock);
+		
+	}
+	
+	
+	
+	
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/env/test/JU_AuthzTransImpl.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/env/test/JU_AuthzTransImpl.java
new file mode 100644
index 00000000..c646e52e
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/env/test/JU_AuthzTransImpl.java
@@ -0,0 +1,169 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.env.test;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.security.Principal;
+import java.util.Date;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTransImpl;
+import org.onap.aaf.auth.env.AuthzTrans.REQD_TYPE;
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.auth.org.OrganizationFactory;
+import org.onap.aaf.cadi.Lur;
+import org.onap.aaf.cadi.Permission;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.LogTarget;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+import junit.framework.Assert;
+
+@RunWith(PowerMockRunner.class)
+public class JU_AuthzTransImpl {
+
+	AuthzTransImpl authzTransImpl;
+	@Mock
+	AuthzEnv authzEnvMock;
+	AuthzTransImpl trans1;
+	
+	private Organization org=null;
+	private AuthzTransImpl mockAuthzTransImpl;
+	private static HttpServletRequest req;
+	private static HttpServletResponse res;
+	private Lur lur1 = mock(Lur.class);
+	
+	@Before
+	public void setUp(){
+		authzTransImpl = new AuthzTransImpl(authzEnvMock);
+		req = mock(HttpServletRequest.class);
+		authzTransImpl.set(req);
+		when(req.getParameter("request")).thenReturn("NotNull");
+		authzTransImpl.set(req);
+		when(req.getParameter("request")).thenReturn("");
+		authzTransImpl.set(req);	
+	}
+	
+	@Test
+	public void testOrg() {
+		Organization result=null;
+		result = authzTransImpl.org();
+		OrganizationFactory test = mock(OrganizationFactory.class);
+		//result = OrganizationFactory.obtain(authzTransImpl.env(), authzTransImpl.user());
+		authzTransImpl.org();
+		//when(test).thenReturn(null);
+		//assertTrue(true);	
+	}
+	
+	@Mock
+	LogTarget logTargetMock;
+	
+	@Test
+	public void testLogAuditTrail(){
+		
+		when(logTargetMock.isLoggable()).thenReturn(false);
+		authzTransImpl.logAuditTrail(logTargetMock);
+		when(logTargetMock.isLoggable()).thenReturn(true);
+		Env delegate = mock(Env.class);
+		//when(logTargetMock.isLoggable()).thenReturn(true);//TODO: Figure this out
+		//authzTransImpl.logAuditTrail(logTargetMock);
+	}
+	
+//	@Test							//TODO:Fix this AAF-111
+//	public void testSetUser() {
+//		Principal user = mock(Principal.class);
+//		authzTransImpl.setUser(user);
+//		Principal user1 = authzTransImpl.getUserPrincipal();
+//		String username = user1.getName();
+//		Assert.assertNotNull(user1);
+//	}
+	
+//	@Test							//TODO:Fix this AAF-111
+//	public void testUser() {
+//		Assert.assertEquals("n/a", authzTransImpl.user());
+//		Principal user = mock(Principal.class); //Unsure how to modify name
+//		when(user.toString()).thenReturn("name");
+//		when(user.getName()).thenReturn("name");
+//		authzTransImpl.setUser(user);
+//		Assert.assertEquals("name", authzTransImpl.user());
+//	}
+//	
+	@Test
+	public void testRequested() {
+		REQD_TYPE user = REQD_TYPE.move;
+		REQD_TYPE user1 = REQD_TYPE.future;
+		HttpServletRequest req = mock(HttpServletRequest.class);
+		String p = user1.name();
+		boolean boolUser = authzTransImpl.requested(user);
+		Assert.assertEquals(false, boolUser);
+		Assert.assertNotNull(p);
+		authzTransImpl.requested(user,true);
+		when(authzTransImpl.requested(user)).thenReturn(null);
+		Assert.assertEquals(true, authzTransImpl.requested(user));
+	/*	String p1 = req.getParameter(user1.name());  //unable to access private method call in all instances
+		when(req.getParameter(user1.name())).thenReturn("test");
+		authzTransImpl.requested(user,false);
+		*/
+		
+		
+	}
+	
+	@Test
+	public void testFish() {
+		mockAuthzTransImpl = mock(AuthzTransImpl.class);
+		Permission p = mock(Permission.class);
+		authzTransImpl.fish(p);
+		String str = "Test";
+		lur1.createPerm(str);
+		when(p.match(p)).thenReturn(true);
+		authzTransImpl.setLur(lur1);
+		authzTransImpl.fish(p);
+	}
+	
+	@Test
+	public void testSetVariables() { //TODO: refactor this better
+		Assert.assertNull(authzTransImpl.agent());
+		Assert.assertNull(authzTransImpl.ip());
+		Assert.assertNull(authzTransImpl.path());
+		Assert.assertNotNull(authzTransImpl.port());
+		Assert.assertNull(authzTransImpl.meth());
+		Assert.assertNull(authzTransImpl.getUserPrincipal());
+		Assert.assertNotNull(authzTransImpl.user());
+	}
+	
+	@Test
+	public void testNow() {
+		Date date = new Date();
+		Assert.assertEquals(date,authzTransImpl.now());
+		when(authzTransImpl.now()).thenReturn(null);
+	}
+	
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/env/test/JU_AuthzTransOnlyFilter.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/env/test/JU_AuthzTransOnlyFilter.java
new file mode 100644
index 00000000..b29e716a
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/env/test/JU_AuthzTransOnlyFilter.java
@@ -0,0 +1,121 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.env.test;
+
+import static org.junit.Assert.*;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import static org.mockito.Mockito.*;
+import javax.servlet.http.HttpServletRequest;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+
+import javax.servlet.ServletRequest;
+
+import org.onap.aaf.cadi.principal.TaggedPrincipal;
+import org.onap.aaf.misc.env.Env;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.env.AuthzTransFilter;
+import org.onap.aaf.auth.env.AuthzTransOnlyFilter;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.Connector;
+import org.onap.aaf.cadi.TrustChecker;
+import org.onap.aaf.misc.env.LogTarget;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.Trans;
+import org.onap.aaf.misc.env.Trans.Metric;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_AuthzTransOnlyFilter {
+	AuthzTransFilter authzTransFilter;
+	AuthzEnv authzEnvMock = mock(AuthzEnv.class);
+	Connector connectorMock = mock(Connector.class);
+	TrustChecker trustCheckerMock = mock(TrustChecker.class);
+	AuthzTrans authzTransMock = mock(AuthzTrans.class);
+	Object additionalTafLurs = mock(Object.class);
+	ServletRequest servletRequestMock = mock(ServletRequest.class);
+	AuthzTransOnlyFilter authzTransOnlyFilter;
+	
+	@Before
+	public void setUp(){
+		authzTransOnlyFilter = new AuthzTransOnlyFilter(authzEnvMock);
+	}
+	
+	/*@Test
+	public void testProtected() throws NoSuchMethodException, SecurityException, IllegalAccessException, IllegalArgumentException, InvocationTargetException {
+		Method newTransMethod = AuthzTransFilter.class.getDeclaredMethod("newTrans");
+		newTransMethod.setAccessible(true);
+		
+		newTransMethod.invoke(authzTransFilter);
+	}*/
+	
+	@Test
+	public void testStart() throws NoSuchMethodException, SecurityException, IllegalAccessException, IllegalArgumentException, InvocationTargetException {
+		AuthzTransOnlyFilter aTF = new AuthzTransOnlyFilter(authzEnvMock);
+		Class c = aTF.getClass();
+		Class[] cArg = new Class[2];
+		cArg[0] = AuthzTrans.class;
+		cArg[1] = ServletRequest.class;		//Steps to test a protected method
+		Method startMethod = c.getDeclaredMethod("start", cArg);
+		startMethod.setAccessible(true);
+		//startMethod.invoke(aTF, authzTransMock, servletRequestMock);
+	}
+
+	@Test
+	public void testAuthenticated() throws IllegalAccessException, IllegalArgumentException, InvocationTargetException, NoSuchMethodException, SecurityException, CadiException {
+		TaggedPrincipal p = mock(TaggedPrincipal.class);
+		AuthzTransOnlyFilter aTF = new AuthzTransOnlyFilter(authzEnvMock);
+		Class c = aTF.getClass();
+		Class[] cArg = new Class[2];
+		cArg[0] = AuthzTrans.class;
+		cArg[1] = TaggedPrincipal.class;		//Steps to test a protected method
+		Method authenticatedMethod = c.getDeclaredMethod("authenticated", cArg);
+		authenticatedMethod.setAccessible(true);
+		authenticatedMethod.invoke(aTF,authzTransMock, null);
+	}
+	
+	@Test
+	public void testTallyHo() throws CadiException, NoSuchMethodException, SecurityException, IllegalAccessException, IllegalArgumentException, InvocationTargetException {
+		AuthzTransOnlyFilter aTF = new AuthzTransOnlyFilter(authzEnvMock);
+		LogTarget log = mock(LogTarget.class);
+		Metric met = new Metric();
+		met.total = 199.33F;
+		met.entries = 15;
+		met.buckets = new float[] {199.33F,99.33F};
+		Class c = aTF.getClass();
+		Class[] cArg = new Class[1];
+		cArg[0] = AuthzTrans.class;		//Steps to test a protected method
+		StringBuilder sb = new StringBuilder("AuditTrail\n");
+		when(authzTransMock.auditTrail(anyInt(),(StringBuilder)any(),anyInt(),anyInt())).thenReturn(met);
+		when(authzTransMock.info()).thenReturn(log);
+		doNothing().when(log).log((StringBuilder)any());
+		Method tallyHoMethod = c.getDeclaredMethod("tallyHo", cArg);
+		tallyHoMethod.setAccessible(true);
+		tallyHoMethod.invoke(aTF,authzTransMock);
+	}
+
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/env/test/JU_NullTrans.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/env/test/JU_NullTrans.java
new file mode 100644
index 00000000..e82aa163
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/env/test/JU_NullTrans.java
@@ -0,0 +1,273 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.env.test;
+
+import static org.junit.Assert.*;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.env.NullTrans;
+import org.onap.aaf.auth.env.AuthzTrans.REQD_TYPE;
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.cadi.Permission;
+import org.onap.aaf.misc.env.Decryptor;
+import org.onap.aaf.misc.env.Encryptor;
+import org.onap.aaf.misc.env.LogTarget;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.TimeTaken;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.security.Principal;
+import java.util.Date;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_NullTrans {
+	NullTrans nullTrans;
+	
+	@Before
+	public void setUp(){
+		nullTrans = new NullTrans();
+	}
+	
+	@Test
+	public void testAuditTrail() {
+		Assert.assertNull(nullTrans.auditTrail(0, null, 0));
+	}
+	
+	@Test
+	public void testSingleton() {
+		AuthzTrans single = nullTrans.singleton();
+		Assert.assertTrue(single instanceof AuthzTrans);
+	}
+	
+	@Test
+	public void testCheckpoints() {
+		nullTrans.checkpoint("Test");
+		nullTrans.checkpoint(null, 0);
+	}
+	
+	@Test
+	public void testFatal() {
+		LogTarget log = nullTrans.fatal();
+		Assert.assertEquals(LogTarget.NULL, log);
+	}
+	
+	@Test
+	public void testError() {
+		LogTarget log = nullTrans.error();
+		Assert.assertEquals(LogTarget.NULL, log);
+	}
+	
+	@Test
+	public void testAudit() {
+		LogTarget log = nullTrans.audit();
+		Assert.assertEquals(LogTarget.NULL, log);
+	}
+	
+	@Test
+	public void testInit() {
+		LogTarget log = nullTrans.init();
+		Assert.assertEquals(LogTarget.NULL, log);
+	}
+	
+	@Test
+	public void testWarn() {
+		LogTarget log = nullTrans.warn();
+		Assert.assertEquals(LogTarget.NULL, log);
+	}
+	
+	@Test
+	public void testInfo() {
+		LogTarget log = nullTrans.info();
+		Assert.assertEquals(LogTarget.NULL, log);
+	}
+	
+	@Test
+	public void testDebug() {
+		LogTarget log = nullTrans.debug();
+		Assert.assertEquals(LogTarget.NULL, log);
+	}
+
+	@Test
+	public void testTrace() {
+		LogTarget log = nullTrans.trace();
+		Assert.assertEquals(LogTarget.NULL, log);
+	}
+	
+	@Test
+	public void testStart() {
+		TimeTaken test = nullTrans.start("test", 1);
+		StringBuilder sb = new StringBuilder();
+		test.output(sb);
+		StringBuilder sb1 = new StringBuilder();
+		sb1.append(test);
+		String s = sb.toString();
+		String s1 = sb1.toString();
+		s1 = s1.trim();
+		Assert.assertEquals(s,s1);
+	}
+	
+	@Test
+	public void testSetProperty() {
+		String tag = "tag";
+		String value = "value";
+		nullTrans.setProperty(tag, value);
+		String expected = nullTrans.getProperty(tag, value);
+		Assert.assertEquals(expected, value);
+		String expectedTag = nullTrans.getProperty(tag);
+		Assert.assertEquals(expectedTag, tag);
+	}
+	
+	@Test
+	public void testDecryptor() {
+		Decryptor decry = nullTrans.decryptor();
+		Assert.assertNull(decry);
+	}
+	
+	@Test
+	public void testEncryptor() {
+		Encryptor encry = nullTrans.encryptor();
+		Assert.assertNull(encry);
+	}
+	
+	@Test
+	public void testSet() {
+		HttpServletRequest req = mock(HttpServletRequest.class);
+		AuthzTrans set = nullTrans.set(req);
+		Assert.assertNull(set);
+	}
+	
+	@Test
+	public void testUser() {
+		String user = nullTrans.user();
+		Assert.assertNull(user);
+	}
+	
+	@Test
+	public void testGetUserPrincipal() {
+		Principal principal = nullTrans.getUserPrincipal();
+		Assert.assertNull(principal);
+	}
+	
+	@Test
+	public void testIp() {
+		String ip = nullTrans.ip();
+		Assert.assertNull(ip);
+	}
+	
+	@Test
+	public void testMeth() {
+		String meth = nullTrans.meth();
+		Assert.assertNull(meth);
+	}
+	
+	@Test
+	public void testPort() {
+		int port = nullTrans.port();
+		Assert.assertEquals(port,0);
+	}
+	
+	@Test
+	public void testPath() {
+		String path = nullTrans.path();
+		Assert.assertNull(path);
+	}
+	
+	@Test
+	public void testPut() {
+		nullTrans.put(null, nullTrans);
+	}
+	
+	@Test
+	public void testSetUser() {
+		Principal principal = mock(Principal.class);
+		//nullTrans.setUser(principal);
+	}
+	
+	@Test
+	public void testSlot() {
+		Slot slot = nullTrans.slot(null);
+		Assert.assertNull(slot);
+	}
+	
+	@Test
+	public void testEnv() {
+		AuthzEnv env = nullTrans.env();
+		Assert.assertNull(env);
+	}
+	
+	@Test
+	public void testAgent() {
+		String agent = nullTrans.agent();
+		Assert.assertNull(agent);
+	}
+	
+	@Test
+	public void testSetLur() {
+		nullTrans.setLur(null);
+	}
+	
+	@Test
+	public void testFish() {
+		Permission perm = mock(Permission.class);
+		Boolean fish = nullTrans.fish(perm);
+		Assert.assertFalse(fish);
+	}
+	
+	@Test
+	public void testOrg() {
+		Organization org = nullTrans.org();
+		Assert.assertEquals(Organization.NULL, org);
+	}
+	
+	@Test
+	public void testLogAuditTrail() {
+		LogTarget lt = mock(LogTarget.class);
+		nullTrans.logAuditTrail(lt);
+	}
+	
+	@Test
+	public void testRequested() {
+		Boolean reqd = nullTrans.requested(null);
+		Assert.assertFalse(reqd);
+		nullTrans.requested(null, true);
+	}
+	
+	@Test
+	public void testNow() {
+		Date date = new Date();
+		Assert.assertEquals(date,nullTrans.now());
+		//when(nullTrans.now()).thenReturn(null);
+	}
+	
+	
+	
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/layer/test/JU_Result.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/layer/test/JU_Result.java
new file mode 100644
index 00000000..fc812a2c
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/layer/test/JU_Result.java
@@ -0,0 +1,58 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.auth.layer.test;
+
+import static org.junit.Assert.*;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mock;
+import org.onap.aaf.auth.layer.Result;
+
+public class JU_Result {
+	Result result;
+//	@Mock
+//	RV value;
+	int status=0;
+	String details = "details"; 
+	String[] variables;
+	
+	@SuppressWarnings({ "unchecked", "rawtypes" })
+	@Before
+	public void setUp(){
+		//TODO: Gabe [JUnit] Not visible for junit
+		//result = new Result(result, status, details, variables);
+	}
+
+//	@Test
+//	public void testPartialContent() {
+//		Result Res = result.partialContent(true);
+//		System.out.println("Res" +Res);
+//		assertEquals(details,Res.toString());
+//		
+//	}
+	
+	@Test
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/local/test/JU_DataFile.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/local/test/JU_DataFile.java
new file mode 100644
index 00000000..a7ea2953
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/local/test/JU_DataFile.java
@@ -0,0 +1,70 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.auth.local.test;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+import static org.junit.Assert.*;
+import org.junit.AfterClass;
+import org.junit.Test;
+import org.onap.aaf.auth.local.DataFile;
+import org.onap.aaf.auth.local.DataFile.Token;
+import org.onap.aaf.auth.local.DataFile.Token.Field;
+
+public class JU_DataFile {
+
+	@AfterClass
+	public static void tearDownAfterClass() throws Exception {
+	}
+
+	@Test
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+	
+//	@Test
+//	public void test() throws Exception {
+//		File file = new File("../authz-batch/data/v1.dat");
+//		DataFile df = new DataFile(file,"r");
+//		int count = 0;
+//		List<String> list = new ArrayList<String>();
+//		try {
+//			df.open();
+//			Token tok = df.new Token(1024000);
+//			Field fld = tok.new Field('|');
+//	
+//			while(tok.nextLine()) {
+//				++count;
+//				fld.reset();
+//				list.add(fld.at(0));
+//			}
+////			Collections.sort(list);
+//			for(String s: list) {
+//				System.out.println(s);
+//
+//			}
+//		} finally {
+//			System.out.printf("%15s:%12d\n","Total",count);
+//		}
+//	}
+
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/local/test/JU_TextIndex.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/local/test/JU_TextIndex.java
new file mode 100644
index 00000000..613d2a80
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/local/test/JU_TextIndex.java
@@ -0,0 +1,76 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.local.test;
+
+import static org.junit.Assert.*;
+import static org.mockito.Matchers.*;
+import static org.mockito.Mockito.*;
+
+import java.io.BufferedWriter;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.OutputStreamWriter;
+import java.io.Writer;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.local.DataFile;
+import org.onap.aaf.auth.local.TextIndex;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_TextIndex {
+	TextIndex textIndex;
+	Trans trans;
+	DataFile datefile;
+	@Mock
+	File file;
+	
+	@Before
+	public void setUp() throws IOException{			//TODO: AAF-111 fix once actual input is known.
+		char character = 'a';
+		String filePath = "test/output_key";
+		File keyfile = new File(filePath);
+		FileOutputStream is = new FileOutputStream(keyfile);
+        OutputStreamWriter osw = new OutputStreamWriter(is);    
+        Writer w = new BufferedWriter(osw);
+        w.write("asdfasdfasdf");
+        w.close();
+		datefile = new DataFile(keyfile, "test");
+		trans = mock(Trans.class);
+		textIndex = new TextIndex(keyfile);
+		//textIndex.create(trans, datefile, 20, character, 2, 2);
+		keyfile.delete();
+	}
+
+	@Test
+	public void testOpen() throws IOException {
+		//textIndex.open();
+	}
+
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/org/test/JU_OrganizationException.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/org/test/JU_OrganizationException.java
new file mode 100644
index 00000000..01b8256f
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/org/test/JU_OrganizationException.java
@@ -0,0 +1,48 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.org.test;
+
+import static org.junit.Assert.*;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+@RunWith(PowerMockRunner.class)
+public class JU_OrganizationException {
+	
+	OrganizationException organizationException;
+	
+	@Before
+	public void setUp(){
+		organizationException = new OrganizationException();
+	}
+	
+
+	@Test
+	public void test() {
+		assertTrue(true);
+	}
+
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/org/test/JU_OrganizationFactory.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/org/test/JU_OrganizationFactory.java
new file mode 100644
index 00000000..2136e786
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/org/test/JU_OrganizationFactory.java
@@ -0,0 +1,64 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.org.test;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import static org.mockito.Mockito.mock;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.auth.org.OrganizationFactory;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.impl.BasicEnv;
+import org.powermock.api.mockito.PowerMockito;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+@RunWith(PowerMockRunner.class)
+public class JU_OrganizationFactory {
+	private static final String ORG_SLOT = null;
+	OrganizationFactory organizationFactory;
+	BasicEnv bEnv;
+	@Mock
+	AuthzEnv authzEnvMock;
+	String orgClass="orgclass";
+	String orgNS="orgns";
+	@Before
+	public void setUp(){
+		organizationFactory = new OrganizationFactory();
+		bEnv = new BasicEnv();
+	}
+
+	@SuppressWarnings("static-access")
+	@Test(expected = APIException.class)
+	public void testInit() throws OrganizationException {
+		organizationFactory.init(bEnv);
+	}
+	
+//	@SuppressWarnings("static-access")				TODO:Fix this AAF-111
+//	@Test(expected = OrganizationException.class)
+//	public void testObtain() throws OrganizationException{
+//		PowerMockito.when(authzEnvMock.getProperty("Organization."+orgNS)).thenReturn("notnull");
+//		organizationFactory.obtain(authzEnvMock, orgNS);
+//	}
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/CredCompare.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/CredCompare.java
new file mode 100644
index 00000000..cac26a88
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/CredCompare.java
@@ -0,0 +1,64 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.request.test;
+
+import static junit.framework.Assert.*;
+
+import java.util.GregorianCalendar;
+
+import org.onap.aaf.misc.env.util.Chrono;
+
+import aaf.v2_0.CredRequest;
+
+public class CredCompare extends RosettaCompare<CredRequest>  {
+	public CredCompare() {
+		super(CredRequest.class);
+	}
+	
+	public static CredRequest create() {
+		CredRequest rr = new CredRequest();
+		String in = instance();
+		rr.setId("m888"+ in + "@ns.att.com");
+		rr.setPassword("Bogus0"+in);
+		rr.setType(200);
+		GregorianCalendar gc = new GregorianCalendar();
+		rr.setStart(Chrono.timeStamp(gc));
+		gc.add(GregorianCalendar.MONTH, 1);
+		rr.setEnd(Chrono.timeStamp(gc));
+		return rr;
+	}
+	
+	@Override
+	public void compare(CredRequest t1, CredRequest t2) {
+		assertEquals(t1.getId(),t2.getId());
+		assertEquals(t1.getPassword(),t2.getPassword());
+		assertEquals(t1.getType(),t2.getType());
+		assertEquals(t1.getStart(),t2.getStart());
+		assertEquals(t1.getEnd(),t2.getEnd());
+	}
+
+
+	@Override
+	public CredRequest newOne() {
+		return create();
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/JU_RequestCheck.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/JU_RequestCheck.java
new file mode 100644
index 00000000..38bd51fc
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/JU_RequestCheck.java
@@ -0,0 +1,42 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.request.test;
+
+import org.junit.Test;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.rosetta.env.RosettaEnv;
+
+public class JU_RequestCheck {
+	
+	@Test
+	public void testNSRequest() throws APIException {
+		RosettaEnv env = new RosettaEnv();
+		new NSCompare().run(env);
+		new NSAttribCompare().run(env);
+		new RoleCompare().run(env);
+		new PermCompare().run(env);
+		new CredCompare().run(env);
+		new UserRoleCompare().run(env);
+		new RolePermCompare().run(env);
+		new MultiCompare().run(env);
+	};
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/MultiCompare.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/MultiCompare.java
new file mode 100644
index 00000000..5450bf55
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/MultiCompare.java
@@ -0,0 +1,69 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.request.test;
+
+import static junit.framework.Assert.assertEquals;
+
+import java.util.GregorianCalendar;
+
+import org.onap.aaf.misc.env.util.Chrono;
+
+import aaf.v2_0.MultiRequest;
+
+public class MultiCompare extends RosettaCompare<MultiRequest>  {
+	public MultiCompare() {
+		super(MultiRequest.class);
+	}
+	
+	@Override
+	public MultiRequest newOne() {
+		MultiRequest multi = new MultiRequest();
+		multi.setNsRequest(NSCompare.create());
+		multi.getNsAttribRequest().add(NSAttribCompare.create());
+		multi.getNsAttribRequest().add(NSAttribCompare.create());
+		multi.getRoleRequest().add(RoleCompare.create());
+		multi.getRoleRequest().add(RoleCompare.create());
+		multi.getPermRequest().add(PermCompare.create());
+		multi.getPermRequest().add(PermCompare.create());
+		multi.getCredRequest().add(CredCompare.create());
+		multi.getCredRequest().add(CredCompare.create());
+		multi.getUserRoleRequest().add(UserRoleCompare.create());
+		multi.getUserRoleRequest().add(UserRoleCompare.create());
+		multi.getRolePermRequest().add(RolePermCompare.create());
+		multi.getRolePermRequest().add(RolePermCompare.create());
+		
+		
+		GregorianCalendar gc = new GregorianCalendar();
+		multi.setStart(Chrono.timeStamp(gc));
+		gc.add(GregorianCalendar.MONTH, 1);
+		multi.setEnd(Chrono.timeStamp(gc));
+		return multi;
+	}
+	
+	public void compare(MultiRequest t1, MultiRequest t2) {
+		new NSCompare().compare(t1.getNsRequest(), t2.getNsRequest());
+		// Will have to find by key for others.
+		
+		assertEquals(t1.getStart(),t2.getStart());
+		assertEquals(t1.getEnd(),t2.getEnd());
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/NSAttribCompare.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/NSAttribCompare.java
new file mode 100644
index 00000000..9f6ce21e
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/NSAttribCompare.java
@@ -0,0 +1,93 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.request.test;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertTrue;
+
+import java.util.GregorianCalendar;
+
+import org.onap.aaf.misc.env.util.Chrono;
+
+import aaf.v2_0.NsAttribRequest;
+import aaf.v2_0.NsAttribRequest.Attrib;
+
+public class NSAttribCompare extends RosettaCompare<NsAttribRequest>  {
+	public NSAttribCompare() {
+		super(NsAttribRequest.class);
+	}
+	
+	public static NsAttribRequest create() {
+		NsAttribRequest nar = new NsAttribRequest();
+		String in = instance();
+		
+		nar.setNs("org.osaaf.ns"+in);
+		Attrib attrib = new Attrib();
+		attrib.setKey("swm");
+		attrib.setValue("v"+instance());
+		nar.getAttrib().add(attrib);
+		attrib = new Attrib();
+		attrib.setKey("scamp");
+		attrib.setValue("v"+instance());
+		nar.getAttrib().add(attrib);
+		GregorianCalendar gc = new GregorianCalendar();
+		nar.setStart(Chrono.timeStamp(gc));
+		gc.add(GregorianCalendar.MONTH, 1);
+		nar.setEnd(Chrono.timeStamp(gc));
+		return nar;
+	}
+	
+	@Override
+	public void compare(NsAttribRequest t1, NsAttribRequest t2) {
+		assertEquals(t1.getNs(),t2.getNs());
+		for(Attrib a1 : t1.getAttrib()) {
+			boolean ok = false;
+			for(Attrib a2 : t2.getAttrib()) {
+				if(a1.getKey().equals(a2.getKey()) &&
+					a1.getValue().equals(a2.getValue())) {
+					ok = true;
+					break;
+				}
+			}
+			assertTrue("a2 Attribs in a1",ok);
+		}
+		for(Attrib a2 : t2.getAttrib()) {
+			boolean ok = false;
+			for(Attrib a1 : t1.getAttrib()) {
+				if(a1.getKey().equals(a2.getKey()) &&
+					a1.getValue().equals(a2.getValue())) {
+					ok = true;
+					break;
+				}
+			}
+			assertTrue("a2 Attribs in a1",ok);
+		}
+		assertEquals(t1.getStart(),t2.getStart());
+		assertEquals(t1.getEnd(),t2.getEnd());
+	}
+
+
+	@Override
+	public NsAttribRequest newOne() {
+		return create();
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/NSCompare.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/NSCompare.java
new file mode 100644
index 00000000..b7fc28cc
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/NSCompare.java
@@ -0,0 +1,75 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.request.test;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertTrue;
+
+import java.util.GregorianCalendar;
+
+import org.onap.aaf.misc.env.util.Chrono;
+
+import aaf.v2_0.NsRequest;
+
+public class NSCompare extends RosettaCompare<NsRequest>  {
+	public NSCompare() {
+		super(NsRequest.class);
+	}
+	
+	public static NsRequest create() {
+		NsRequest nsr = new NsRequest();
+		String in = instance();
+		nsr.setName("org.osaaf.ns"+in);
+		nsr.setDescription("Hello World"+in);
+		nsr.getAdmin().add("Fred"+in);
+		nsr.getAdmin().add("Barney"+in);
+		nsr.getResponsible().add("Wilma"+in);
+		nsr.getResponsible().add("Betty"+in);
+		nsr.setType("Hello"+in);
+		GregorianCalendar gc = new GregorianCalendar();
+		nsr.setStart(Chrono.timeStamp(gc));
+		gc.add(GregorianCalendar.MONTH, 1);
+		nsr.setEnd(Chrono.timeStamp(gc));
+		return nsr;
+	}
+	
+	@Override
+	public void compare(NsRequest t1, NsRequest t2) {
+		assertEquals(t1.getName(),t2.getName());
+		assertEquals(t1.getDescription(),t2.getDescription());
+		for(String s : t1.getAdmin()) {
+			assertTrue(t2.getAdmin().contains(s));
+		}
+		for(String s : t2.getAdmin()) {
+			assertTrue(t1.getAdmin().contains(s));
+		}
+		assertEquals(t1.getType(),t2.getType());
+		assertEquals(t1.getStart(),t2.getStart());
+		assertEquals(t1.getEnd(),t2.getEnd());
+	}
+
+
+	@Override
+	public NsRequest newOne() {
+		return create();
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/PermCompare.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/PermCompare.java
new file mode 100644
index 00000000..3d9a9fdb
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/PermCompare.java
@@ -0,0 +1,66 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.request.test;
+
+import static junit.framework.Assert.*;
+
+import java.util.GregorianCalendar;
+
+import org.onap.aaf.misc.env.util.Chrono;
+
+import aaf.v2_0.PermRequest;
+
+public class PermCompare extends RosettaCompare<PermRequest>  {
+	public PermCompare() {
+		super(PermRequest.class);
+	}
+	
+	public static PermRequest create() {
+		PermRequest pr = new PermRequest();
+		String in = instance();
+		pr.setType("org.osaaf.ns.perm"+in);
+		pr.setInstance("instance"+in);
+		pr.setAction("read");
+		pr.setDescription("Hello World, Perm"+in);
+		GregorianCalendar gc = new GregorianCalendar();
+		pr.setStart(Chrono.timeStamp(gc));
+		gc.add(GregorianCalendar.MONTH, 1);
+		pr.setEnd(Chrono.timeStamp(gc));
+		return pr;
+	}
+	
+	@Override
+	public void compare(PermRequest t1, PermRequest t2) {
+		assertEquals(t1.getType(),t2.getType());
+		assertEquals(t1.getInstance(),t2.getInstance());
+		assertEquals(t1.getAction(),t2.getAction());
+		assertEquals(t1.getDescription(),t2.getDescription());
+		assertEquals(t1.getStart(),t2.getStart());
+		assertEquals(t1.getEnd(),t2.getEnd());
+	}
+
+
+	@Override
+	public PermRequest newOne() {
+		return create();
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/RoleCompare.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/RoleCompare.java
new file mode 100644
index 00000000..35bd3370
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/RoleCompare.java
@@ -0,0 +1,62 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.request.test;
+
+import static junit.framework.Assert.*;
+
+import java.util.GregorianCalendar;
+
+import org.onap.aaf.misc.env.util.Chrono;
+
+import aaf.v2_0.RoleRequest;
+
+public class RoleCompare extends RosettaCompare<RoleRequest>  {
+	public RoleCompare() {
+		super(RoleRequest.class);
+	}
+	
+	public static RoleRequest create() {
+		RoleRequest rr = new RoleRequest();
+		String in = instance();
+		rr.setName("org.osaaf.ns.role"+in);
+		rr.setDescription("Hello World, Role"+in);
+		GregorianCalendar gc = new GregorianCalendar();
+		rr.setStart(Chrono.timeStamp(gc));
+		gc.add(GregorianCalendar.MONTH, 1);
+		rr.setEnd(Chrono.timeStamp(gc));
+		return rr;
+	}
+	
+	@Override
+	public void compare(RoleRequest t1, RoleRequest t2) {
+		assertEquals(t1.getName(),t2.getName());
+		assertEquals(t1.getDescription(),t2.getDescription());
+		assertEquals(t1.getStart(),t2.getStart());
+		assertEquals(t1.getEnd(),t2.getEnd());
+	}
+
+
+	@Override
+	public RoleRequest newOne() {
+		return create();
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/RolePermCompare.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/RolePermCompare.java
new file mode 100644
index 00000000..d6ea98b9
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/RolePermCompare.java
@@ -0,0 +1,69 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.request.test;
+
+import static junit.framework.Assert.assertEquals;
+
+import java.util.GregorianCalendar;
+
+import org.onap.aaf.misc.env.util.Chrono;
+
+import aaf.v2_0.Pkey;
+import aaf.v2_0.RolePermRequest;
+
+public class RolePermCompare extends RosettaCompare<RolePermRequest>  {
+	public RolePermCompare() {
+		super(RolePermRequest.class);
+	}
+	
+	public static RolePermRequest create() {
+		RolePermRequest urr = new RolePermRequest();
+		String in = instance();
+		urr.setRole("org.osaaf.ns.role"+in);
+		Pkey pkey = new Pkey();
+		pkey.setType("org.osaaf.ns.myType"+in);
+		pkey.setInstance("myInstance"+in);
+		pkey.setAction("myAction"+in);
+		urr.setPerm(pkey);
+		GregorianCalendar gc = new GregorianCalendar();
+		urr.setStart(Chrono.timeStamp(gc));
+		gc.add(GregorianCalendar.MONTH, 1);
+		urr.setEnd(Chrono.timeStamp(gc));
+		return urr;
+	}
+	
+	@Override
+	public void compare(RolePermRequest t1, RolePermRequest t2) {
+		assertEquals(t1.getRole(),t2.getRole());
+		assertEquals(t1.getPerm().getType(),t1.getPerm().getType());
+		assertEquals(t1.getPerm().getInstance(),t1.getPerm().getInstance());
+		assertEquals(t1.getPerm().getAction(),t1.getPerm().getAction());
+		assertEquals(t1.getStart(),t2.getStart());
+		assertEquals(t1.getEnd(),t2.getEnd());
+	}
+
+
+	@Override
+	public RolePermRequest newOne() {
+		return create();
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/RosettaCompare.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/RosettaCompare.java
new file mode 100644
index 00000000..5130f8cb
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/RosettaCompare.java
@@ -0,0 +1,66 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.request.test;
+
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Data;
+import org.onap.aaf.misc.env.Data.TYPE;
+import org.onap.aaf.misc.rosetta.env.RosettaDF;
+import org.onap.aaf.misc.rosetta.env.RosettaData;
+import org.onap.aaf.misc.rosetta.env.RosettaEnv;
+
+public abstract class RosettaCompare<T> {
+	protected Class<T> cls;
+	private static int count = 0;
+	
+	public RosettaCompare(Class<T> cls) {
+		this.cls = cls;
+	}
+	
+	public void run(RosettaEnv env) throws APIException {
+		RosettaDF<T> nsrDF = env.newDataFactory(cls);
+		compare(nsrDF.newData().option(Data.PRETTY),newOne(),this);
+	}
+	
+	private void compare(RosettaData<T> rdt, T t, RosettaCompare<T> comp) throws APIException {
+		System.out.println("########### Testing " + cls.getName() + " ##############");
+		String s = rdt.load(t).out(TYPE.JSON).asString();
+		System.out.println(s);
+		T t2 = rdt.in(TYPE.JSON).load(s).asObject();
+		comp.compare(t, t2);
+		
+		System.out.println();
+		
+		s = rdt.load(t).out(TYPE.XML).asString();
+		System.out.println(s);
+		t2 = rdt.in(TYPE.XML).load(s).asObject();
+		comp.compare(t, t2);
+	}
+	
+	public synchronized static String instance() {
+		return "_"+ ++count;
+	}
+	
+	public abstract void compare(T t1, T t2);
+	public abstract T newOne();
+	
+}
+\ No newline at end of file
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/UserRoleCompare.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/UserRoleCompare.java
new file mode 100644
index 00000000..542ddeb7
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/request/test/UserRoleCompare.java
@@ -0,0 +1,62 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.request.test;
+
+import static junit.framework.Assert.*;
+
+import java.util.GregorianCalendar;
+
+import org.onap.aaf.misc.env.util.Chrono;
+
+import aaf.v2_0.UserRoleRequest;
+
+public class UserRoleCompare extends RosettaCompare<UserRoleRequest>  {
+	public UserRoleCompare() {
+		super(UserRoleRequest.class);
+	}
+	
+	public static UserRoleRequest create() {
+		UserRoleRequest urr = new UserRoleRequest();
+		String in = instance();
+		urr.setUser("m125"+in + "@ns.att.com");
+		urr.setRole("org.osaaf.ns.role"+in);
+		GregorianCalendar gc = new GregorianCalendar();
+		urr.setStart(Chrono.timeStamp(gc));
+		gc.add(GregorianCalendar.MONTH, 1);
+		urr.setEnd(Chrono.timeStamp(gc));
+		return urr;
+	}
+	
+	@Override
+	public void compare(UserRoleRequest t1, UserRoleRequest t2) {
+		assertEquals(t1.getUser(),t2.getUser());
+		assertEquals(t1.getRole(),t2.getRole());
+		assertEquals(t1.getStart(),t2.getStart());
+		assertEquals(t1.getEnd(),t2.getEnd());
+	}
+
+
+	@Override
+	public UserRoleRequest newOne() {
+		return create();
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_BetterMatch.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_BetterMatch.java
new file mode 100644
index 00000000..af1d289e
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_BetterMatch.java
@@ -0,0 +1,173 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.rserv.test;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertFalse;
+import static junit.framework.Assert.assertTrue;
+
+import java.util.Set;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.onap.aaf.auth.rserv.Match;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+import org.onap.aaf.misc.env.impl.EnvFactory;
+
+
+public class JU_BetterMatch {
+
+	@Test
+	public void test() {
+		Trans trans = EnvFactory.newTrans();
+		// Bad Match
+		Match bm = new Match("/req/1.0.0/:var");
+
+		assertTrue(bm.match("/req/1.0.0/fred"));
+		assertTrue(bm.match("/req/1.0.0/wilma"));
+		assertTrue(bm.match("/req/1.0.0/wilma/"));
+		assertFalse(bm.match("/req/1.0.0/wilma/bambam"));
+		assertFalse(bm.match("/not/valid/234"));
+		assertFalse(bm.match(""));
+		
+		TimeTaken tt = trans.start("A", Env.SUB);
+		TimeTaken tt2;
+		int i = 0;
+		try {
+			bm = new Match(null);
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertTrue(bm.match(""));
+			tt2.done();
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertTrue(bm.match(null));
+			tt2.done();
+		} finally {
+			tt.done();
+		}
+		
+	
+		tt = trans.start("B", Env.SUB);
+		i = 0;
+		try {
+			bm = new Match("/req/1.0.0/:urn/:ref");
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertTrue(bm.match("/req/1.0.0/urn:fsdb,1.0,req,newreq/0x12345"));
+			tt2.done();
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertFalse(bm.match("/req/1.0.0/urn"));
+			tt2.done();
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertTrue(bm.match("/req/1.0.0/urn:fsdb,1.0,req,newreq/0x12345/"));
+			tt2.done();
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertFalse(bm.match("/req/1.0.0/urn:fsdb,1.0,req,newreq/0x12345/x"));
+			tt2.done();
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertFalse(bm.match("/req/1.0.0/urn:fsdb,1.0,req,newreq/0x12345/xyx"));
+		} finally {
+			tt2.done();
+			tt.done();	
+		}
+		
+		tt = trans.start("C", Env.SUB);
+		i = 0;
+		try {
+			String url = "/req/1.0.0/";
+			bm = new Match(url+":urn*");
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			String value = "urn:fsdb,1.0,req,newreq/0x12345";
+			
+			assertTrue(bm.match(url+value));
+			assertEquals("urn:fsdb,1.0,req,newreq/0x12345",bm.param(url+value, ":urn"));
+		} finally {
+			tt2.done();
+			tt.done();	
+		}
+
+		tt = trans.start("D", Env.SUB);
+		i = 0;
+		try {
+			bm = new Match("/req/1.0.0/:urn/:ref*");
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertTrue(bm.match("/req/1.0.0/urn:fsdb,1.0,req,newreq/0x12345"));
+			tt2.done();
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertFalse(bm.match("/req/1.0.0/urn:fsdb,1.0,req,newreq/"));
+		} finally {
+			tt2.done();
+			tt.done();	
+		}
+
+		tt = trans.start("E", Env.SUB);
+		i = 0;
+		try {
+			bm = new Match("this*");
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertTrue(bm.match("this"));
+			tt2.done();
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertTrue(bm.match("thisandthat"));
+			tt2.done();
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertTrue(bm.match("this/1.0.0/urn:fsdb,1.0,req,newreq/0x12345/"));
+		} finally {
+			tt2.done();
+			tt.done();	
+		}
+
+		tt = trans.start("F", Env.SUB);
+		i = 0;
+		try {
+			bm = new Match("*");
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertTrue(bm.match("<pass>/this"));
+		} finally {
+			tt2.done();
+			tt.done();	
+		}
+		
+		StringBuilder sb = new StringBuilder();
+		trans.auditTrail(0, sb);
+		System.out.println(sb);
+		
+	}
+	
+	@Test
+	public void specialTest() {
+		Match match = new Match("/sample");
+		assertTrue(match.match("/sample"));
+		
+		match = new Match("/lpeer//lpeer/:key/:item*");
+		assertTrue(match.match("/lpeer//lpeer/x/y"));
+		assertFalse(match.match("/lpeer/x/lpeer/x/y"));
+
+	}
+
+	@Test
+	public void testGetParamNames() {
+		Match bm = new Match("/req/1.0.0/:var");
+		Set s = bm.getParamNames();
+		Assert.assertNotNull(s);
+	}
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_BetterMatch1.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_BetterMatch1.java
new file mode 100644
index 00000000..e104009a
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_BetterMatch1.java
@@ -0,0 +1,164 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.rserv.test;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertFalse;
+import static junit.framework.Assert.assertTrue;
+
+import org.junit.Test;
+import org.onap.aaf.auth.rserv.Match;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+import org.onap.aaf.misc.env.impl.EnvFactory;
+
+
+public class JU_BetterMatch1 {
+
+	@Test
+	public void test() {
+		Trans trans = EnvFactory.newTrans();
+		// Bad Match
+		Match bm = new Match("/req/1.0.0/:var");
+
+		assertTrue(bm.match("/req/1.0.0/fred"));
+		assertTrue(bm.match("/req/1.0.0/wilma"));
+		assertTrue(bm.match("/req/1.0.0/wilma/"));
+		assertFalse(bm.match("/req/1.0.0/wilma/bambam"));
+		assertFalse(bm.match("/not/valid/234"));
+		assertFalse(bm.match(""));
+		
+		TimeTaken tt = trans.start("A", Env.SUB);
+		TimeTaken tt2;
+		int i = 0;
+		try {
+			bm = new Match(null);
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertTrue(bm.match(""));
+			tt2.done();
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertTrue(bm.match(null));
+			tt2.done();
+		} finally {
+			tt.done();
+		}
+		
+	
+		tt = trans.start("B", Env.SUB);
+		i = 0;
+		try {
+			bm = new Match("/req/1.0.0/:urn/:ref");
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertTrue(bm.match("/req/1.0.0/urn:fsdb,1.0,req,newreq/0x12345"));
+			tt2.done();
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertFalse(bm.match("/req/1.0.0/urn"));
+			tt2.done();
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertTrue(bm.match("/req/1.0.0/urn:fsdb,1.0,req,newreq/0x12345/"));
+			tt2.done();
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertFalse(bm.match("/req/1.0.0/urn:fsdb,1.0,req,newreq/0x12345/x"));
+			tt2.done();
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertFalse(bm.match("/req/1.0.0/urn:fsdb,1.0,req,newreq/0x12345/xyx"));
+		} finally {
+			tt2.done();
+			tt.done();	
+		}
+		
+		tt = trans.start("C", Env.SUB);
+		i = 0;
+		try {
+			String url = "/req/1.0.0/";
+			bm = new Match(url+":urn*");
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			String value = "urn:fsdb,1.0,req,newreq/0x12345";
+			
+			assertTrue(bm.match(url+value));
+			assertEquals("urn:fsdb,1.0,req,newreq/0x12345",bm.param(url+value, ":urn"));
+		} finally {
+			tt2.done();
+			tt.done();	
+		}
+
+		tt = trans.start("D", Env.SUB);
+		i = 0;
+		try {
+			bm = new Match("/req/1.0.0/:urn/:ref*");
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertTrue(bm.match("/req/1.0.0/urn:fsdb,1.0,req,newreq/0x12345"));
+			tt2.done();
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertFalse(bm.match("/req/1.0.0/urn:fsdb,1.0,req,newreq/"));
+		} finally {
+			tt2.done();
+			tt.done();	
+		}
+
+		tt = trans.start("E", Env.SUB);
+		i = 0;
+		try {
+			bm = new Match("this*");
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertTrue(bm.match("this"));
+			tt2.done();
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertTrue(bm.match("thisandthat"));
+			tt2.done();
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertTrue(bm.match("this/1.0.0/urn:fsdb,1.0,req,newreq/0x12345/"));
+		} finally {
+			tt2.done();
+			tt.done();	
+		}
+
+		tt = trans.start("F", Env.SUB);
+		i = 0;
+		try {
+			bm = new Match("*");
+			tt2 = trans.start(Integer.toString(++i), Env.SUB);
+			assertTrue(bm.match("whatever/this"));
+		} finally {
+			tt2.done();
+			tt.done();	
+		}
+		
+		StringBuilder sb = new StringBuilder();
+		trans.auditTrail(0, sb);
+		System.out.println(sb);
+		
+	}
+	
+	@Test
+	public void specialTest() {
+		Match match = new Match("/sample");
+		assertTrue(match.match("/sample"));
+		
+		match = new Match("/lpeer//lpeer/:key/:item*");
+		assertTrue(match.match("/lpeer//lpeer/x/y"));
+		assertFalse(match.match("/lpeer/x/lpeer/x/y"));
+
+	}
+
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_BetterRoute.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_BetterRoute.java
new file mode 100644
index 00000000..d98cf5ce
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_BetterRoute.java
@@ -0,0 +1,33 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.rserv.test;
+
+import org.junit.Test;
+
+public class JU_BetterRoute {
+
+	@Test
+	public void test() {
+		
+	}
+
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_CachingFileAccess.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_CachingFileAccess.java
new file mode 100644
index 00000000..26e9717f
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_CachingFileAccess.java
@@ -0,0 +1,184 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.rserv.test;
+
+import static org.junit.Assert.*;
+import static org.mockito.Matchers.any;
+import static org.mockito.Mockito.*;
+import static org.mockito.Matchers.*;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.RandomAccessFile;
+import java.lang.reflect.Field;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.util.NavigableMap;
+import java.util.concurrent.ConcurrentSkipListMap;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.mockito.Mock;
+import org.mockito.invocation.InvocationOnMock;
+import org.mockito.stubbing.Answer;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.onap.aaf.auth.rserv.CachingFileAccess;
+import org.onap.aaf.auth.rserv.HttpCode;
+import org.onap.aaf.auth.rserv.Match;
+
+//import org.onap.aaf.auth.rserv.CachingFileAccess.Content;
+import java.util.NavigableMap;
+import org.onap.aaf.misc.env.EnvJAXB;
+import org.onap.aaf.misc.env.LogTarget;
+import org.onap.aaf.misc.env.StaticSlot;
+import org.onap.aaf.misc.env.Store;
+import org.onap.aaf.misc.env.Trans;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+import junit.framework.Assert;
+
+
+@RunWith(PowerMockRunner.class)
+public class JU_CachingFileAccess {
+	CachingFileAccess cachingFileAccess;
+	HttpCode httpCode;
+	EnvJAXB envJ;
+	Trans trans;
+	
+	
+	@Before
+	public void setUp() throws IOException{
+		trans = mock(Trans.class);
+		HttpCode hCode = mock(HttpCode.class);
+		envJ = mock(EnvJAXB.class);
+		LogTarget log = mock(LogTarget.class);
+		Long lng = (long) 1234134;
+		when(envJ.get(envJ.staticSlot("aaf_cfa_cache_check_interval"),600000L)).thenReturn(lng);
+		when(envJ.get(envJ.staticSlot("aaf_cfa_max_size"), 512000)).thenReturn(512000);
+		when(envJ.get(envJ.staticSlot("aaf_cfa_web_path"))).thenReturn("TEST");
+		when(envJ.getProperty("aaf_cfa_clear_command",null)).thenReturn("null");
+		when(envJ.init()).thenReturn(log);
+		doNothing().when(log).log((String)any());
+		cachingFileAccess = new CachingFileAccess(envJ,"test");
+
+
+		
+	}
+
+	@Test
+	public void testSetEnv() {
+		Store store = mock(Store.class);
+		Store store1 = mock(Store.class);
+		Store store2 = mock(Store.class);
+		String test[] = {"aaf_cfa_web_path","aaf_cfa_cache_check_interval","aaf_cfa_max_size"};
+		String test1[] = {"aaf_cfa_cache_check_interval"};
+		String test2[] = {"aaf_cfa_max_size"};
+		cachingFileAccess.setEnv(store, test);
+		cachingFileAccess.setEnv(store1, test1); //These don't reach all the branches for some reason
+		cachingFileAccess.setEnv(store2, test2);
+	}
+	
+	@Test
+	public void testHandle() throws IOException, NoSuchFieldException, SecurityException, IllegalArgumentException, IllegalAccessException {
+		HttpServletRequest req = mock(HttpServletRequest.class);
+		Trans trans = mock(Trans.class);
+		HttpServletResponse resp = mock(HttpServletResponse.class);
+		when(req.getPathInfo()).thenReturn("path/to/file");
+		
+		Field matchField = HttpCode.class.getDeclaredField("match");
+		matchField.setAccessible(true);
+		Match match = mock(Match.class);
+		when(match.param(anyString(), anyString())).thenReturn("null/");
+		matchField.set(cachingFileAccess, match);
+		cachingFileAccess.handle(trans, req, resp);
+		when(match.param(anyString(), anyString())).thenReturn("clear");
+		cachingFileAccess.handle(trans, req, resp);
+	}
+	
+	@Test
+	public void testWebPath() {
+		EnvJAXB envJ = mock(EnvJAXB.class);
+		String web_path_test = "TEST";
+		Assert.assertEquals(web_path_test, cachingFileAccess.webPath());
+	}
+	
+	@Test
+	public void testCleanupParams() {
+		NavigableMap<String,org.onap.aaf.auth.rserv.Content> content = new ConcurrentSkipListMap<String,org.onap.aaf.auth.rserv.Content>();
+		cachingFileAccess.cleanupParams(50, 500); //TODO: find right input	
+	}
+	
+	@Test
+	public void testLoad() throws IOException {
+		cachingFileAccess.load(null, null, "1220227200L/1220227200L", null, 1320227200L );
+		String filePath = "test/output_key";
+		File keyfile = new File(filePath);
+		RandomAccessFile randFile = new RandomAccessFile (keyfile,"rw");
+		
+		String dPath = "test/";
+		File directoryPath = new File(dPath);
+		directoryPath.mkdir();
+		cachingFileAccess.load(null, dPath, "-", null, -1);
+		randFile.setLength(1024 * 1024 * 8);
+		cachingFileAccess.load(null, filePath, "-", null, -1);
+		keyfile.delete();
+		directoryPath.delete();
+		String filePath1 = "test/output_key";
+		File keyfile1 = new File(filePath1);
+		keyfile1.createNewFile();
+		cachingFileAccess.load(null, filePath1, "-", "test", -1);
+		keyfile1.delete();
+	}
+	
+	@Test
+	public void testLoadOrDefault() throws IOException, NoSuchFieldException, SecurityException, IllegalArgumentException, IllegalAccessException, ClassNotFoundException, InstantiationException {
+		String filePath = "test/output_key";
+		File keyfile = new File(filePath);
+		cachingFileAccess.loadOrDefault(trans, filePath, "-", null, null);
+		keyfile.delete();
+		
+		Trans trans = mock(Trans.class);
+
+		String filePath1 = "test/output_key.txt";
+		//File keyfile1 = new File(filePath1);
+		doAnswer(new Answer<Void>() {
+		    public Void answer(InvocationOnMock invocation) throws FileNotFoundException {
+		       throw new FileNotFoundException();
+		    }
+		}).when(trans).info();
+		//cachingFileAccess.loadOrDefault(trans, "bs", "also bs", "test", null);	//TODO: Needs more testing AAF-111
+		//keyfile1.delete();
+	}
+	
+	@Test
+	public void testInvalidate() {
+		//NavigableMap<String,org.onap.aaf.auth.rserv.Content> content = new ConcurrentSkipListMap<String,org.onap.aaf.auth.rserv.Content>();
+		//Content con = mock(Content.class);
+		//content.put("hello", con);
+		cachingFileAccess.invalidate("hello");
+	}
+
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_CodeSetter.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_CodeSetter.java
new file mode 100644
index 00000000..75d1df8f
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_CodeSetter.java
@@ -0,0 +1,73 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.rserv.test;
+
+import static org.junit.Assert.*;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+//import org.onap.aaf.auth.rserv.CodeSetter;
+import org.onap.aaf.auth.rserv.Route;
+import org.onap.aaf.misc.env.Trans;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+@RunWith(PowerMockRunner.class)
+public class JU_CodeSetter {
+	//TODO: Gabe [JUnit] Not visible for junit
+	//CodeSetter codeSetter;
+	@Mock
+	Trans transMock;
+	@Mock
+	HttpServletRequest reqMock;
+	@Mock
+	HttpServletResponse respMock;
+	
+//	@Before									//TODO: Fix this AAF-111
+//	public void setUp(){
+//		codeSetter = new CodeSetter(transMock, reqMock, respMock);
+//	}
+//	
+//	@SuppressWarnings("rawtypes")
+//	@Mock
+//	Route routeMock;
+//	
+//	@Test
+//	public void testMatches() throws IOException, ServletException{
+//		boolean result = codeSetter.matches(routeMock);
+//		System.out.println("value of res " + codeSetter.matches(routeMock));
+//		assertFalse(result);
+//	}
+	
+	@Test
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_Content.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_Content.java
new file mode 100644
index 00000000..c2be2eb1
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_Content.java
@@ -0,0 +1,661 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.rserv.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.junit.Test;
+import org.onap.aaf.auth.rserv.HttpCode;
+import org.onap.aaf.auth.rserv.TypedCode;
+import org.onap.aaf.misc.env.TransJAXB;
+import org.onap.aaf.misc.env.impl.EnvFactory;
+
+
+/**
+ * Test the functioning of the "Content" class, which holds, and routes to the right code based on Accept values
+ */
+public class JU_Content {
+	
+
+	@Test
+	public void test() throws Exception {
+		final String BOOL = "Boolean";
+		final String XML = "XML";
+		TransJAXB trans = EnvFactory.newTrans();
+		try {
+		HttpCode<TransJAXB, String> cBool = new HttpCode<TransJAXB,String>(BOOL,"Standard String") {
+			@Override
+			public void handle(TransJAXB trans, HttpServletRequest req, HttpServletResponse resp) {
+				try {
+					resp.getOutputStream().write(context.getBytes());
+				} catch (IOException e) {
+				}
+			}
+		};
+
+		HttpCode<TransJAXB,String> cXML = new HttpCode<TransJAXB,String>(XML, "Standard String") {
+			@Override
+			public void handle(TransJAXB trans, HttpServletRequest req, HttpServletResponse resp) {
+				try {
+					resp.getOutputStream().write(context.getBytes());
+				} catch (IOException e) {
+				}
+			}
+		};
+
+		TypedCode<TransJAXB> ct = new TypedCode<TransJAXB>()
+				.add(cBool,"application/" + Boolean.class.getName()+"+xml;charset=utf8;version=1.1")
+				.add(cXML,"application/xml;q=.9");
+		String expected = "application/java.lang.Boolean+xml;charset=utf8;version=1.1,application/xml;q=0.9";
+		assertEquals(expected,ct.toString());
+
+		//BogusReq req = new BogusReq();
+		//expected = (expected);
+		//HttpServletResponse resp = new BogusResp();
+		
+		assertNotNull("Same Content String and Accept String",ct.prep(trans,expected));
+
+		//expects Null (not run)
+		// A Boolean xml that must have charset utf8 and match version 1.2 or greater
+		expected = ("application/java.lang.Boolean+xml;charset=utf8;version=1.2");
+		assertNull("Accept Minor Version greater than Content Minor Version",ct.prep(trans,expected));
+
+		// Same with (too many) spaces
+		expected = (" application/java.lang.Boolean+xml ; charset = utf8 ; version = 1.2   ");
+		assertNull("Accept Minor Version greater than Content Minor Version",ct.prep(trans,expected));
+
+		//expects Null (not run)
+		expected = ("application/java.lang.Boolean+xml;charset=utf8;version=2.1");
+		assertNull("Major Versions not the same",ct.prep(trans,expected));
+
+		expected = ("application/java.lang.Boolean+xml;charset=utf8;version=1.0");
+		assertNotNull("Content Minor Version is greater than Accept Minor Version",ct.prep(trans,expected));
+
+		expected = "application/java.lang.Squid+xml;charset=utf8;version=1.0,application/xml;q=.9";
+		assertNotNull("2nd one will have to do...",ct.prep(trans,expected));
+
+		expected = "application/java.lang.Boolean+xml;charset=UTF8;version=1.0";
+		assertNotNull("Minor Charset in Caps acceptable",ct.prep(trans,expected));
+
+		// expects no run 
+		expected="application/java.lang.Boolean+xml;charset=MyType;version=1.0";
+		assertNull("Unknown Minor Charset",ct.prep(trans,expected));
+
+		expected="";
+		assertNotNull("Blank Acceptance",ct.prep(trans,expected));
+		
+		expected=null;
+		assertNotNull("Null Acceptance",ct.prep(trans,expected));	
+
+		expected = ("text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+		assertNotNull("Matches application/xml, and other content not known",ct.prep(trans,expected));
+		
+		// No SemiColon
+		expected = ("i/am/bogus,application/xml");
+		assertNotNull("Match second entry, with no Semis",ct.prep(trans,expected));
+
+ 		} finally {	
+			StringBuilder sb = new StringBuilder();
+			trans.auditTrail(0, sb);
+			System.out.println(sb);
+		}
+	}
+//	
+//	Original API used HTTPServletRequest and HTTPServletResponse.  Due to the fact that sometimes we use Accept, and others Content-TYpe
+//	I changed it to simply accept a string
+//	
+//	Jonathan 3/8/2013
+//	
+//	@SuppressWarnings("rawtypes")
+//	class BogusReq implements HttpServletRequest {
+//		private String accept;
+//
+//		public void accept(String accept) {
+//			this.accept = accept;
+//		}
+//
+//		@Override
+//		public Object getAttribute(String name) {
+//			return accept;
+//		}
+//
+//
+//		@Override
+//		public Enumeration getAttributeNames() {
+//			return null;
+//		}
+//
+//		@Override
+//		public String getCharacterEncoding() {
+//			return null;
+//		}
+//
+//		@Override
+//		public void setCharacterEncoding(String env)
+//				throws UnsupportedEncodingException {
+//			
+//
+//		}
+//
+//		@Override
+//		public int getContentLength() {
+//			
+//			return 0;
+//		}
+//
+//		@Override
+//		public String getContentType() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public ServletInputStream getInputStream() throws IOException {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public String getParameter(String name) {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public Enumeration getParameterNames() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public String[] getParameterValues(String name) {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public Map getParameterMap() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public String getProtocol() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public String getScheme() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public String getServerName() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public int getServerPort() {
+//			
+//			return 0;
+//		}
+//
+//		@Override
+//		public BufferedReader getReader() throws IOException {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public String getRemoteAddr() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public String getRemoteHost() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public void setAttribute(String name, Object o) {
+//			
+//
+//		}
+//
+//		@Override
+//		public void removeAttribute(String name) {
+//			
+//
+//		}
+//
+//		@Override
+//		public Locale getLocale() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public Enumeration getLocales() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public boolean isSecure() {
+//			
+//			return false;
+//		}
+//
+//		@Override
+//		public RequestDispatcher getRequestDispatcher(String path) {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public String getRealPath(String path) {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public int getRemotePort() {
+//			
+//			return 0;
+//		}
+//
+//		@Override
+//		public String getLocalName() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public String getLocalAddr() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public int getLocalPort() {
+//			
+//			return 0;
+//		}
+//
+//		@Override
+//		public String getAuthType() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public Cookie[] getCookies() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public long getDateHeader(String name) {
+//			
+//			return 0;
+//		}
+//
+//		@Override
+//		public String getHeader(String name) {
+//			return accept;
+//		}
+//
+//		@Override
+//		public Enumeration getHeaders(String name) {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public Enumeration getHeaderNames() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public int getIntHeader(String name) {
+//			
+//			return 0;
+//		}
+//
+//		@Override
+//		public String getMethod() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public String getPathInfo() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public String getPathTranslated() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public String getContextPath() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public String getQueryString() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public String getRemoteUser() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public boolean isUserInRole(String role) {
+//			
+//			return false;
+//		}
+//
+//		@Override
+//		public Principal getUserPrincipal() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public String getRequestedSessionId() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public String getRequestURI() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public StringBuffer getRequestURL() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public String getServletPath() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public HttpSession getSession(boolean create) {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public HttpSession getSession() {
+//			
+//			return null;
+//		}
+//
+//		@Override
+//		public boolean isRequestedSessionIdValid() {
+//			
+//			return false;
+//		}
+//
+//		@Override
+//		public boolean isRequestedSessionIdFromCookie() {
+//			
+//			return false;
+//		}
+//
+//		@Override
+//		public boolean isRequestedSessionIdFromURL() {
+//			
+//			return false;
+//		}
+//
+//		@Override
+//		public boolean isRequestedSessionIdFromUrl() {
+//			
+//			return false;
+//		}
+//	}
+//	
+//	public class BogusResp implements HttpServletResponse {
+//		public String contentType;
+//
+//		@Override
+//		public String getCharacterEncoding() {
+//		
+//			return null;
+//		}
+//
+//		@Override
+//		public String getContentType() {
+//			return contentType;
+//		}
+//
+//		@Override
+//		public ServletOutputStream getOutputStream() throws IOException {
+//		
+//			return null;
+//		}
+//
+//		@Override
+//		public PrintWriter getWriter() throws IOException {
+//		
+//			return null;
+//		}
+//
+//		@Override
+//		public void setCharacterEncoding(String charset) {
+//		
+//			
+//		}
+//
+//		@Override
+//		public void setContentLength(int len) {
+//		
+//			
+//		}
+//
+//		@Override
+//		public void setContentType(String type) {
+//			contentType = type;
+//		}
+//
+//		@Override
+//		public void setBufferSize(int size) {
+//		
+//			
+//		}
+//
+//		@Override
+//		public int getBufferSize() {
+//		
+//			return 0;
+//		}
+//
+//		@Override
+//		public void flushBuffer() throws IOException {
+//		
+//			
+//		}
+//
+//		@Override
+//		public void resetBuffer() {
+//		
+//			
+//		}
+//
+//		@Override
+//		public boolean isCommitted() {
+//		
+//			return false;
+//		}
+//
+//		@Override
+//		public void reset() {
+//		
+//			
+//		}
+//
+//		@Override
+//		public void setLocale(Locale loc) {
+//		
+//			
+//		}
+//
+//		@Override
+//		public Locale getLocale() {
+//		
+//			return null;
+//		}
+//
+//		@Override
+//		public void addCookie(Cookie cookie) {
+//		
+//			
+//		}
+//
+//		@Override
+//		public boolean containsHeader(String name) {
+//		
+//			return false;
+//		}
+//
+//		@Override
+//		public String encodeURL(String url) {
+//		
+//			return null;
+//		}
+//
+//		@Override
+//		public String encodeRedirectURL(String url) {
+//		
+//			return null;
+//		}
+//
+//		@Override
+//		public String encodeUrl(String url) {
+//		
+//			return null;
+//		}
+//
+//		@Override
+//		public String encodeRedirectUrl(String url) {
+//		
+//			return null;
+//		}
+//
+//		@Override
+//		public void sendError(int sc, String msg) throws IOException {
+//		
+//			
+//		}
+//
+//		@Override
+//		public void sendError(int sc) throws IOException {
+//		
+//			
+//		}
+//
+//		@Override
+//		public void sendRedirect(String location) throws IOException {
+//		
+//			
+//		}
+//
+//		@Override
+//		public void setDateHeader(String name, long date) {
+//		
+//			
+//		}
+//
+//		@Override
+//		public void addDateHeader(String name, long date) {
+//		
+//			
+//		}
+//
+//		@Override
+//		public void setHeader(String name, String value) {
+//		
+//			
+//		}
+//
+//		@Override
+//		public void addHeader(String name, String value) {
+//		
+//			
+//		}
+//
+//		@Override
+//		public void setIntHeader(String name, int value) {
+//		
+//			
+//		}
+//
+//		@Override
+//		public void addIntHeader(String name, int value) {
+//		
+//			
+//		}
+//
+//		@Override
+//		public void setStatus(int sc) {
+//		
+//			
+//		}
+//
+//		@Override
+//		public void setStatus(int sc, String sm) {
+//		
+//			
+//		}
+//		
+//	}
+//
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_Content1.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_Content1.java
new file mode 100644
index 00000000..4d640d09
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_Content1.java
@@ -0,0 +1,130 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.rserv.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.junit.Test;
+import org.onap.aaf.auth.rserv.HttpCode;
+import org.onap.aaf.auth.rserv.TypedCode;
+import org.onap.aaf.misc.env.TransJAXB;
+import org.onap.aaf.misc.env.impl.EnvFactory;
+
+
+/**
+ * Test the functioning of the "Content" class, which holds, and routes to the right code based on Accept values
+ */
+public class JU_Content1 {
+	
+
+	@Test
+	public void test() throws Exception {
+		final String BOOL = "Boolean";
+		final String XML = "XML";
+		TransJAXB trans = EnvFactory.newTrans();
+		try {
+		HttpCode<TransJAXB, String> cBool = new HttpCode<TransJAXB,String>(BOOL,"Standard String") {
+			@Override
+			public void handle(TransJAXB trans, HttpServletRequest req, HttpServletResponse resp) {
+				try {
+					resp.getOutputStream().write(context.getBytes());
+				} catch (IOException e) {
+				}
+			}
+		};
+
+		HttpCode<TransJAXB,String> cXML = new HttpCode<TransJAXB,String>(XML, "Standard String") {
+			@Override
+			public void handle(TransJAXB trans, HttpServletRequest req, HttpServletResponse resp) {
+				try {
+					resp.getOutputStream().write(context.getBytes());
+				} catch (IOException e) {
+				}
+			}
+		};
+
+		TypedCode<TransJAXB> ct = new TypedCode<TransJAXB>()
+				.add(cBool,"application/" + Boolean.class.getName()+"+xml;charset=utf8;version=1.1")
+				.add(cXML,"application/xml;q=.9");
+		String expected = "application/java.lang.Boolean+xml;charset=utf8;version=1.1,application/xml;q=0.9";
+		assertEquals(expected,ct.toString());
+
+		//BogusReq req = new BogusReq();
+		//expected = (expected);
+		//HttpServletResponse resp = new BogusResp();
+		
+		assertNotNull("Same Content String and Accept String",ct.prep(trans,expected));
+
+		//expects Null (not run)
+		// A Boolean xml that must have charset utf8 and match version 1.2 or greater
+		expected = ("application/java.lang.Boolean+xml;charset=utf8;version=1.2");
+		assertNull("Accept Minor Version greater than Content Minor Version",ct.prep(trans,expected));
+
+		// Same with (too many) spaces
+		expected = (" application/java.lang.Boolean+xml ; charset = utf8 ; version = 1.2   ");
+		assertNull("Accept Minor Version greater than Content Minor Version",ct.prep(trans,expected));
+
+		//expects Null (not run)
+		expected = ("application/java.lang.Boolean+xml;charset=utf8;version=2.1");
+		assertNull("Major Versions not the same",ct.prep(trans,expected));
+
+		expected = ("application/java.lang.Boolean+xml;charset=utf8;version=1.0");
+		assertNotNull("Content Minor Version is greater than Accept Minor Version",ct.prep(trans,expected));
+
+		expected = "application/java.lang.Squid+xml;charset=utf8;version=1.0,application/xml;q=.9";
+		assertNotNull("2nd one will have to do...",ct.prep(trans,expected));
+
+		expected = "application/java.lang.Boolean+xml;charset=UTF8;version=1.0";
+		assertNotNull("Minor Charset in Caps acceptable",ct.prep(trans,expected));
+
+		// expects no run 
+		expected="application/java.lang.Boolean+xml;charset=MyType;version=1.0";
+		assertNull("Unknown Minor Charset",ct.prep(trans,expected));
+
+		expected="";
+		assertNotNull("Blank Acceptance",ct.prep(trans,expected));
+		
+		expected=null;
+		assertNotNull("Null Acceptance",ct.prep(trans,expected));	
+
+		expected = ("text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+		assertNotNull("Matches application/xml, and other content not known",ct.prep(trans,expected));
+		
+		// No SemiColon
+		expected = ("i/am/bogus,application/xml");
+		assertNotNull("Match second entry, with no Semis",ct.prep(trans,expected));
+
+ 		} finally {	
+			StringBuilder sb = new StringBuilder();
+			trans.auditTrail(0, sb);
+			System.out.println(sb);
+		}
+	}
+
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_Pair.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_Pair.java
new file mode 100644
index 00000000..557c7ec5
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_Pair.java
@@ -0,0 +1,47 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.rserv.test;
+
+import static org.junit.Assert.*;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.onap.aaf.auth.rserv.Pair;
+
+import junit.framework.Assert;
+
+public class JU_Pair {
+	Pair<Integer, Integer> pair;
+	Integer x;
+	Integer y;
+	
+	@Before
+	public void setUp(){
+		pair = new Pair<Integer, Integer>(1, 2);
+	}
+
+	@Test
+	public void testToString() {
+		String result = pair.toString();
+		Assert.assertEquals("X: " + pair.x.toString() + "-->" + pair.y.toString(), result);
+	}
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_Route.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_Route.java
new file mode 100644
index 00000000..d5953b10
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_Route.java
@@ -0,0 +1,38 @@
+package org.onap.aaf.auth.rserv.test;
+
+import static org.junit.Assert.*;
+import org.junit.Before;
+import static org.mockito.Matchers.*;
+import static org.mockito.Mockito.*;
+import org.junit.Test;
+import org.mockito.Matchers;
+import org.onap.aaf.auth.rserv.Route;
+import org.onap.aaf.misc.env.Trans;
+import org.onap.aaf.auth.rserv.*;
+
+public class JU_Route {
+	Route route;
+	HttpCode httpCode;
+	HttpMethods httpMethod;
+	Trans trans;
+	
+	@Before
+	public void setUp() {		//TODO: AAF-111 complete when actual input is provided
+		//httpMethod = Matchers.any(HttpMethods.class);
+		//when(httpMethod.name()).thenReturn("test");
+	//	route = new Route(null,"path/to/place");
+	}
+	
+	
+	@Test
+	public void testAdd() {
+	//	route.add(httpCode, "path/to/place");
+	}
+	
+	@Test
+	public void testStart() {
+	//	trans = mock(Trans.class);
+	//	route.start(trans, "test", httpCode, "test");
+	}
+
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_RouteReport.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_RouteReport.java
new file mode 100644
index 00000000..a9fdff60
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_RouteReport.java
@@ -0,0 +1,40 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.rserv.test;
+
+import static org.junit.Assert.*;
+import org.onap.aaf.auth.rserv.RouteReport;
+
+import junit.framework.Assert;
+
+import org.junit.Test;
+
+public class JU_RouteReport {
+
+	@Test
+	public void test() {
+		RouteReport report;
+		report = new RouteReport();
+		Assert.assertNotNull(report);
+	}
+
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_Routes.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_Routes.java
new file mode 100644
index 00000000..2ed08841
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_Routes.java
@@ -0,0 +1,72 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.rserv.test;
+
+import static org.junit.Assert.*;
+
+import java.io.IOException;
+import java.util.List;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import static org.mockito.Mockito.*;
+//import org.onap.aaf.auth.rserv.CodeSetter;
+import org.onap.aaf.auth.rserv.Route;
+import org.onap.aaf.auth.rserv.Routes;
+import org.onap.aaf.misc.env.Trans;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+@RunWith(PowerMockRunner.class)
+public class JU_Routes {
+	Routes routes;
+	@Mock
+	HttpServletRequest reqMock;
+	//TODO: Gabe [JUnit] Not visible to junit
+	//CodeSetter<Trans> codeSetterMock;
+	Route<Trans> routeObj;
+	
+	@Before
+	public void setUp(){
+		routes = new Routes();
+	}
+	
+	@Test
+	public void testRouteReport(){
+		List listVal = routes.routeReport(); 
+		assertNotNull(listVal);
+	}
+	
+	@Test
+	public void testDerive() throws IOException, ServletException{
+		routeObj = routes.derive(reqMock, null);
+		
+	}
+	
+	
+	
+
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_TypedCode.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_TypedCode.java
new file mode 100644
index 00000000..d5b57de0
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_TypedCode.java
@@ -0,0 +1,106 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.rserv.test;
+
+import static org.junit.Assert.*;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import static org.mockito.Matchers.anyString;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+//import org.onap.aaf.auth.rserv.Acceptor;
+import org.onap.aaf.auth.rserv.HttpCode;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.auth.rserv.RouteReport;
+import org.onap.aaf.auth.rserv.TypedCode;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Trans;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+@RunWith(PowerMockRunner.class)
+public class JU_TypedCode {
+	TypedCode typedCode;
+	@Mock
+	RouteReport routeReportMock;
+	
+	@Before
+	public void setUp(){
+		typedCode = new TypedCode();
+	}
+	
+	@Test
+	public void testFirst(){
+		String returnVal = typedCode.first();
+		assertNull(returnVal);
+	}
+	
+	@Test
+	public void testAdd() {
+		HttpCode<?, ?> code = mock(HttpCode.class);
+		typedCode.add(code , "test", "test1", "test2");
+	}
+	
+	@Test
+	public void testPrep() throws IOException, ServletException, ClassNotFoundException {
+		Trans trans = mock(Trans.class);
+		TimeTaken time = new TimeTaken("yell", 2) {
+			@Override
+			public void output(StringBuilder sb) {
+				// TODO Auto-generated method stub	
+			}
+		};
+		when(trans.start(";na=me;,prop", 8)).thenReturn(time);
+		HttpCode<?, ?> code = mock(HttpCode.class);
+		code.pathParam(null, null);
+		code.isAuthorized(null); //Testing httpcode, currently not working
+		code.no_cache();
+		code.toString();
+		
+		typedCode.add(code , "");
+		typedCode.prep(null , "q");
+		
+		typedCode.add(code , "t");
+		typedCode.prep(trans , null);
+		
+		typedCode.add(code , "t");
+		typedCode.prep(trans , "");
+		
+		typedCode.add(code, "POST /authn/validate application/CredRequest+json;charset=utf-8;version=2.0,application/json;version=2.0,*/*");
+		//typedCode.prep(trans , "POST /authn/validate application/CredRequest+json;charset=utf-8;version=2.0,application/json;version=2.0,*/*");		
+	}
+	
+	@Test
+	public void testRelatedTo() {
+		HttpCode<?, ?> code = mock(HttpCode.class);
+		StringBuilder sb = new StringBuilder();
+		typedCode.relatedTo(code, sb);
+	}
+
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_Version.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_Version.java
new file mode 100644
index 00000000..617fa259
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_Version.java
@@ -0,0 +1,70 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.rserv.test;
+
+import static org.junit.Assert.*;
+
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Matchers;
+import org.mockito.Mock;
+import org.onap.aaf.auth.rserv.Version;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+@RunWith(PowerMockRunner.class)
+public class JU_Version {
+	Version version;
+	Version versionTest;
+
+	
+	@Before
+	public void setUp(){
+		version = new Version("first\\.123");
+		versionTest = new Version("first\\.124");
+	}
+
+	@Test
+	public void testEquals(){		
+		version.equals(versionTest);
+		versionTest.equals(version);
+		versionTest = new Version("fail\\.124");
+		version.equals(versionTest);
+		version.equals("This is not an object of version");
+		versionTest = new Version("NoVersion\\.number");
+		version.equals(versionTest);
+		
+		
+	}
+	
+	@Test
+	public void testToString(){
+		String strVal = version.toString();
+		assertNotNull(strVal);
+	}
+	
+	@Test
+	public void testHashCode() {
+		Assert.assertNotNull(version.hashCode());
+	}
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/server/test/JU_JettyServiceStarter.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/server/test/JU_JettyServiceStarter.java
new file mode 100644
index 00000000..463d558d
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/server/test/JU_JettyServiceStarter.java
@@ -0,0 +1,95 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.server.test;
+
+import static org.junit.Assert.*;
+
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.auth.server.AbsService;
+import org.onap.aaf.auth.server.JettyServiceStarter;
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.register.Registrant;
+import org.onap.aaf.misc.env.Trans;
+import org.onap.aaf.misc.env.impl.BasicEnv;
+import org.onap.aaf.misc.rosetta.env.RosettaEnv;
+import org.junit.Test;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import javax.servlet.Filter;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+
+public class JU_JettyServiceStarter {
+	private PropAccess propAccess = new PropAccess();
+	private JettyServiceStarter<AuthzEnv,AuthzTrans> jss;
+	class TestService extends AbsService{
+
+		public TestService(Access access, BasicEnv env) throws CadiException {
+			super(access, env);
+			// TODO Auto-generated constructor stub
+		}
+
+		@Override
+		public Filter[] filters() throws CadiException, LocatorException {
+			// TODO Auto-generated method stub
+			return null;
+		}
+
+		@Override
+		public Registrant[] registrants(int port) throws CadiException, LocatorException {
+			// TODO Auto-generated method stub
+			return null;
+		}
+		
+	}
+	@SuppressWarnings("unchecked")
+	@Before
+	public void setUp() throws OrganizationException, CadiException {
+		Access access = mock(Access.class);
+		
+		BasicEnv bEnv = mock(BasicEnv.class);
+		Trans trans = mock(Trans.class);  //TODO: Fix this once Gabe has services running to see correct output without mock
+		//TestService testService = new TestService(access, bEnv);
+		//jss = new JettyServiceStarter<AuthzEnv,AuthzTrans>(testService);
+	}
+	
+	@Test
+	public void netYetTested() {
+		fail("Tests not yet implemented");
+	}
+	
+	@Test
+	public void testPropertyAdjustment() {
+		//jss._propertyAdjustment();
+	}
+
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/util/test/JU_Mask.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/util/test/JU_Mask.java
new file mode 100644
index 00000000..535664bd
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/util/test/JU_Mask.java
@@ -0,0 +1,71 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.util.test;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import java.net.InetAddress;
+
+import org.junit.Test;
+import org.onap.aaf.cadi.util.MaskFormatException;
+import org.onap.aaf.cadi.util.NetMask;
+
+import junit.framework.Assert;
+
+public class JU_Mask {
+
+	@Test
+	public void test() throws Exception {
+		InetAddress ia = InetAddress.getLocalHost();
+		NetMask mask = new NetMask(ia.getAddress());
+		assertTrue(mask.isInNet(ia.getAddress()));
+		
+		mask = new NetMask("192.168.1/24");
+		assertTrue(mask.isInNet("192.168.1.20"));
+		assertTrue(mask.isInNet("192.168.1.255"));
+		assertFalse(mask.isInNet("192.168.2.20"));
+		
+		mask = new NetMask("192.168.1/31");
+		assertFalse(mask.isInNet("192.168.2.20"));
+		assertFalse(mask.isInNet("192.168.1.20"));
+		assertTrue(mask.isInNet("192.168.1.1"));
+		assertFalse(mask.isInNet("192.168.1.2"));
+
+		mask = new NetMask("192/8");
+		assertTrue(mask.isInNet("192.168.1.1"));
+		assertTrue(mask.isInNet("192.1.1.1"));
+		assertFalse(mask.isInNet("193.168.1.1"));
+		
+		mask = new NetMask("/0");
+		assertTrue(mask.isInNet("193.168.1.1"));
+		
+		String msg = "Should throw " + MaskFormatException.class.getSimpleName();
+		try {
+			mask = new NetMask("256.256.256.256");
+			Assert.assertTrue(msg,false);
+		} catch (MaskFormatException e) {
+			Assert.assertTrue(msg,true);
+		}
+	}
+
+}
diff --git a/auth/auth-core/src/test/java/org/onap/aaf/auth/validation/test/JU_Validator.java b/auth/auth-core/src/test/java/org/onap/aaf/auth/validation/test/JU_Validator.java
new file mode 100644
index 00000000..fb59a54d
--- /dev/null
+++ b/auth/auth-core/src/test/java/org/onap/aaf/auth/validation/test/JU_Validator.java
@@ -0,0 +1,204 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.validation.test;
+
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.*;
+
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.util.regex.Pattern;
+
+import static org.mockito.Matchers.*;
+import org.mockito.Mock;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.Test;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.env.AuthzTransOnlyFilter;
+import org.onap.aaf.auth.validation.Validator;
+import org.onap.aaf.cadi.principal.TaggedPrincipal;
+
+public class JU_Validator {
+	
+	Validator validator;
+	
+	@Before
+	public void setUp() {
+		validator = new Validator();
+	}
+	
+	@Test
+	public void testNullOrBlank() {
+		validator.nullOrBlank(null, "str");
+		validator.nullOrBlank("test", "");
+		validator.nullOrBlank("test", null);
+	}
+	
+	@Test
+	public void testIsNull() {
+		Object o = new Object();
+		validator.isNull(null, null);
+		validator.isNull(null, o);
+	}
+	
+	@Test
+	public void testDescription() throws NoSuchMethodException, SecurityException, IllegalAccessException, IllegalArgumentException, InvocationTargetException {
+		Class c = validator.getClass();
+		Class[] cArg = new Class[2];
+		cArg[0] = String.class;
+		cArg[1] = String.class;		//Steps to test a protected method
+		Method descriptionMethod = c.getDeclaredMethod("description", cArg);
+		descriptionMethod.setAccessible(true);
+		descriptionMethod.invoke(validator,"test", "test1");
+		descriptionMethod.invoke(validator,null, null);
+		descriptionMethod.invoke(validator,null, "[\\\\x25\\\\x28\\\\x29\\\\x2C-\\\\x2E\\\\x30-\\\\x39\\\\x3D\\\\x40-\\\\x5A\\\\x5F\\\\x61-\\\\x7A\\\\x20]+");
+
+		
+	}
+
+	@Test
+	public void test() {
+		assertTrue(Validator.ACTION_CHARS.matcher("HowdyDoody").matches());
+		assertFalse(Validator.ACTION_CHARS.matcher("Howd?yDoody").matches());
+		assertTrue(Validator.ACTION_CHARS.matcher("_HowdyDoody").matches());
+		assertTrue(Validator.INST_CHARS.matcher("HowdyDoody").matches());
+		assertFalse(Validator.INST_CHARS.matcher("Howd?yDoody").matches());
+		assertTrue(Validator.INST_CHARS.matcher("_HowdyDoody").matches());
+
+		//		
+		assertTrue(Validator.ACTION_CHARS.matcher("*").matches());
+		assertTrue(Validator.INST_CHARS.matcher("*").matches());
+		assertFalse(Validator.ACTION_CHARS.matcher(":*").matches());
+		assertTrue(Validator.INST_CHARS.matcher(":*").matches());
+		assertFalse(Validator.ACTION_CHARS.matcher(":*:*").matches());
+		assertTrue(Validator.INST_CHARS.matcher(":*:*").matches());
+		
+		assertFalse(Validator.ACTION_CHARS.matcher(":hello").matches());
+		assertTrue(Validator.INST_CHARS.matcher(":hello").matches());
+		assertFalse(Validator.INST_CHARS.matcher("hello:").matches());
+		assertFalse(Validator.INST_CHARS.matcher("hello:d").matches());
+
+		assertFalse(Validator.ACTION_CHARS.matcher(":hello:*").matches());
+		assertTrue(Validator.INST_CHARS.matcher(":hello:*").matches());
+		assertFalse(Validator.ACTION_CHARS.matcher(":hello:d*:*").matches());
+		assertFalse(Validator.INST_CHARS.matcher(":hello:d*d:*").matches());
+		assertTrue(Validator.INST_CHARS.matcher(":hello:d*:*").matches());
+		assertFalse(Validator.ACTION_CHARS.matcher("HowdyDoody*").matches());
+		assertFalse(Validator.INST_CHARS.matcher("Howdy*Doody").matches());
+		assertTrue(Validator.INST_CHARS.matcher("HowdyDoody*").matches());
+		assertFalse(Validator.ACTION_CHARS.matcher("*HowdyDoody").matches());
+		assertFalse(Validator.INST_CHARS.matcher("*HowdyDoody").matches());
+		assertFalse(Validator.ACTION_CHARS.matcher(":h*").matches());
+		assertFalse(Validator.INST_CHARS.matcher(":h*h*").matches());
+		assertTrue(Validator.INST_CHARS.matcher(":h*").matches());
+		assertFalse(Validator.ACTION_CHARS.matcher(":h:h*:*").matches());
+		assertTrue(Validator.INST_CHARS.matcher(":h:h*:*").matches());
+		assertFalse(Validator.INST_CHARS.matcher(":h:h*h:*").matches());
+		assertFalse(Validator.INST_CHARS.matcher(":h:h*h*:*").matches());
+		assertFalse(Validator.ACTION_CHARS.matcher(":h:*:*h").matches());
+		assertFalse(Validator.INST_CHARS.matcher(":h:*:*h").matches());
+		assertTrue(Validator.INST_CHARS.matcher(":com.test.*:ns:*").matches());
+
+		
+		assertFalse(Validator.ACTION_CHARS.matcher("1234+235gd").matches());
+		assertTrue(Validator.ACTION_CHARS.matcher("1234-235gd").matches());
+		assertTrue(Validator.ACTION_CHARS.matcher("1234-23_5gd").matches());
+		assertTrue(Validator.ACTION_CHARS.matcher("1234-235g,d").matches());
+		assertTrue(Validator.ACTION_CHARS.matcher("1234-235gd(Version12)").matches());
+		assertFalse(Validator.ACTION_CHARS.matcher("123#4-23@5g:d").matches());
+		assertFalse(Validator.ACTION_CHARS.matcher("123#4-23@5g:d").matches());
+		assertFalse(Validator.ACTION_CHARS.matcher("1234-23 5gd").matches());
+		assertFalse(Validator.ACTION_CHARS.matcher("1234-235gd ").matches());
+		assertFalse(Validator.ACTION_CHARS.matcher(" 1234-235gd").matches());
+		assertFalse(Validator.ACTION_CHARS.matcher("").matches());
+		assertFalse(Validator.ACTION_CHARS.matcher(" ").matches());
+
+		// Allow % and =   (Needed for Escaping & Base64 usages) jg 
+		assertTrue(Validator.ACTION_CHARS.matcher("1234%235g=d").matches());
+		assertFalse(Validator.ACTION_CHARS.matcher(":1234%235g=d").matches());
+		assertTrue(Validator.INST_CHARS.matcher("1234%235g=d").matches());
+		assertTrue(Validator.INST_CHARS.matcher(":1234%235g=d").matches());
+		assertTrue(Validator.INST_CHARS.matcher(":1234%235g=d:%20==").matches());
+		assertTrue(Validator.INST_CHARS.matcher(":1234%235g=d:==%20:=%23").matches());
+		assertTrue(Validator.INST_CHARS.matcher(":1234%235g=d:*:=%23").matches());
+		assertTrue(Validator.INST_CHARS.matcher(":1234%235g=d:==%20:*").matches());
+		assertTrue(Validator.INST_CHARS.matcher(":*:==%20:*").matches());
+
+		// Allow / instead of :  (more natural instance expression) jg 
+		assertFalse(Validator.INST_CHARS.matcher("1234/a").matches());
+		assertTrue(Validator.INST_CHARS.matcher("/1234/a").matches());
+		assertTrue(Validator.INST_CHARS.matcher("/1234/*/a/").matches());
+		assertTrue(Validator.INST_CHARS.matcher("/1234//a").matches());
+		assertFalse(Validator.ACTION_CHARS.matcher("1234/a").matches());
+		assertFalse(Validator.ACTION_CHARS.matcher("/1234/*/a/").matches());
+		assertFalse(Validator.ACTION_CHARS.matcher("1234//a").matches());
+
+
+		assertFalse(Validator.INST_CHARS.matcher("1234+235gd").matches());
+		assertTrue(Validator.INST_CHARS.matcher("1234-235gd").matches());
+		assertTrue(Validator.INST_CHARS.matcher("1234-23_5gd").matches());
+		assertTrue(Validator.INST_CHARS.matcher("1234-235g,d").matches());
+		assertTrue(Validator.INST_CHARS.matcher("m1234@shb.dd.com").matches());
+		assertTrue(Validator.INST_CHARS.matcher("1234-235gd(Version12)").matches());
+		assertFalse(Validator.INST_CHARS.matcher("123#4-23@5g:d").matches());
+		assertFalse(Validator.INST_CHARS.matcher("123#4-23@5g:d").matches());
+		assertFalse(Validator.INST_CHARS.matcher("").matches());
+
+		
+		for( char c=0x20;c<0x7F;++c) {
+			boolean b;
+			switch(c) {
+				case '?':
+				case '|':
+				case '*':
+					continue; // test separately
+				case '~':
+				case ',':
+					b = false;
+					break;
+				default:
+					b=true;
+			}
+		}
+		
+		assertFalse(Validator.ID_CHARS.matcher("abc").matches());
+		assertFalse(Validator.ID_CHARS.matcher("").matches());
+		assertTrue(Validator.ID_CHARS.matcher("abc@att.com").matches());
+		assertTrue(Validator.ID_CHARS.matcher("ab-me@att.com").matches());
+		assertTrue(Validator.ID_CHARS.matcher("ab-me_.x@att._-com").matches());
+		
+		assertFalse(Validator.NAME_CHARS.matcher("ab-me_.x@att._-com").matches());
+		assertTrue(Validator.NAME_CHARS.matcher("ab-me").matches());
+		assertTrue(Validator.NAME_CHARS.matcher("ab-me_.xatt._-com").matches());
+
+		
+		// 7/22/2016
+		assertTrue(Validator.INST_CHARS.matcher(
+				"/!com.att.*/role/write").matches());
+		assertTrue(Validator.INST_CHARS.matcher(
+				":!com.att.*:role:write").matches());
+
+	}
+
+}
diff --git a/auth/auth-core/test/sample.identities.dat b/auth/auth-core/test/sample.identities.dat
new file mode 100644
index 00000000..39d18a12
--- /dev/null
+++ b/auth/auth-core/test/sample.identities.dat
@@ -0,0 +1,27 @@
+#
+# Sample Identities.dat
+# This file is for use with the "Default Organization". It is a simple mechanism to have a basic ILM structure to use with
+# out-of-the-box tire-kicking, or even for Small companies
+#
+# For Larger Companies, you will want to create a new class implementing the "Organization" interface, making calls to your ILM, or utilizing
+# batch feeds, as is appropriate for your company.
+#
+# Example Field Layout.  note, in this example, Application IDs and People IDs are mixed.  You may want to split
+# out AppIDs, choose your own status indicators, or whatever you use.
+#  0 - unique ID
+#  1 - full name
+#  2 - first name
+#  3 - last name
+#  4 - phone
+#  5 - official email
+#  6 - employment status e=employee, c=contractor, a=application, n=no longer with company
+#  7 - responsible to (i.e Supervisor for People, or AppOwner, if it's an App ID)
+#
+
+iowna|Ima D. Owner|Ima|Owner|314-123-2000|ima.d.owner@osaaf.com|e|
+mmanager|Mark D. Manager|Mark|Manager|314-123-1234|mark.d.manager@osaaf.com|e|iowna
+bdevl|Robert D. Developer|Bob|Developer|314-123-1235|bob.d.develper@osaaf.com|e|mmanager
+mmarket|Mary D. Marketer|Mary|Marketer|314-123-1236|mary.d.marketer@osaaf.com|e|mmanager
+ccontra|Clarice D. Contractor|Clarice|Contractor|314-123-1237|clarice.d.contractor@osaaf.com|c|mmanager
+iretired|Ira Lee M. Retired|Ira|Retired|314-123-1238|clarice.d.contractor@osaaf.com|n|mmanager
+osaaf|ID of AAF|||||a|bdevl
diff --git a/auth/auth-deforg/.gitignore b/auth/auth-deforg/.gitignore
new file mode 100644
index 00000000..ad5605e4
--- /dev/null
+++ b/auth/auth-deforg/.gitignore
@@ -0,0 +1,5 @@
+/bin/
+/target/
+/.classpath
+/.project
+/.settings
diff --git a/auth/auth-deforg/pom.xml b/auth/auth-deforg/pom.xml
new file mode 100644
index 00000000..29de4fd3
--- /dev/null
+++ b/auth/auth-deforg/pom.xml
@@ -0,0 +1,184 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<artifactId>parent</artifactId>
+		<relativePath>../pom.xml</relativePath>
+		<groupId>org.onap.aaf.auth</groupId>
+		<version>2.1.0-SNAPSHOT</version>
+	</parent>
+
+	<artifactId>aaf-auth-deforg</artifactId>
+	<name>AAF Auth Default Organization</name>
+	<description>Example Organization Module</description>
+	<packaging>jar</packaging>
+
+	<developers>
+		<developer>
+			<name>Jonathan Gathman</name>
+			<email>jonathan.gathman@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Architect</role>
+				<role>Lead Developer</role>
+			</roles>
+		</developer>
+		<developer>
+			<name>Gabe Maurer</name>
+			<email>gabe.maurer@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Developer</role>
+			</roles>
+		</developer>
+		<developer>
+			<name>Ian Howell</name>
+			<email>ian.howell@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Developer</role>
+			</roles>
+		</developer>
+	</developers>
+
+
+	<properties>
+		<maven.test.failure.ignore>false</maven.test.failure.ignore>
+	</properties>
+
+
+	<dependencies>
+		<dependency>
+			<groupId>org.onap.aaf.cadi</groupId>
+			<artifactId>aaf-cadi-core</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.auth</groupId>
+			<artifactId>aaf-auth-core</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>javax.mail</groupId>
+			<artifactId>mail</artifactId>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<pluginManagement>
+			<plugins>
+				<plugin>
+					<groupId>org.apache.maven.plugins</groupId>
+					<artifactId>maven-javadoc-plugin</artifactId>
+					<version>2.10.4</version>
+					<configuration>
+						<failOnError>false</failOnError>
+					</configuration>
+					<executions>
+						<execution>
+							<id>attach-javadocs</id>
+							<goals>
+								<goal>jar</goal>
+							</goals>
+						</execution>
+					</executions>
+				</plugin>
+				<plugin>
+					<groupId>org.sonatype.plugins</groupId>
+					<artifactId>nexus-staging-maven-plugin</artifactId>
+					<version>1.6.7</version>
+					<extensions>true</extensions>
+					<configuration>
+						<nexusUrl>${nexusproxy}</nexusUrl>
+						<stagingProfileId>176c31dfe190a</stagingProfileId>
+						<serverId>ecomp-staging</serverId>
+					</configuration>
+				</plugin>
+				<plugin>
+					<groupId>org.jacoco</groupId>
+					<artifactId>jacoco-maven-plugin</artifactId>
+					<version>${jacoco.version}</version>
+					<configuration>
+						<excludes>
+							<exclude>**/gen/**</exclude>
+							<exclude>**/generated-sources/**</exclude>
+							<exclude>**/yang-gen/**</exclude>
+							<exclude>**/pax/**</exclude>
+						</excludes>
+					</configuration>
+					<executions>
+
+						<execution>
+							<id>pre-unit-test</id>
+							<goals>
+								<goal>prepare-agent</goal>
+							</goals>
+							<configuration>
+								<destFile>${project.build.directory}/code-coverage/jacoco-ut.exec</destFile>
+								<propertyName>surefireArgLine</propertyName>
+							</configuration>
+						</execution>
+
+
+						<execution>
+							<id>post-unit-test</id>
+							<phase>test</phase>
+							<goals>
+								<goal>report</goal>
+							</goals>
+							<configuration>
+								<dataFile>${project.build.directory}/code-coverage/jacoco-ut.exec</dataFile>
+								<outputDirectory>${project.reporting.outputDirectory}/jacoco-ut</outputDirectory>
+							</configuration>
+						</execution>
+						<execution>
+							<id>pre-integration-test</id>
+							<phase>pre-integration-test</phase>
+							<goals>
+								<goal>prepare-agent</goal>
+							</goals>
+							<configuration>
+								<destFile>${project.build.directory}/code-coverage/jacoco-it.exec</destFile>
+								<propertyName>failsafeArgLine</propertyName>
+							</configuration>
+						</execution>
+
+						<execution>
+							<id>post-integration-test</id>
+							<phase>post-integration-test</phase>
+							<goals>
+								<goal>report</goal>
+							</goals>
+							<configuration>
+								<dataFile>${project.build.directory}/code-coverage/jacoco-it.exec</dataFile>
+								<outputDirectory>${project.reporting.outputDirectory}/jacoco-it</outputDirectory>
+							</configuration>
+						</execution>
+					</executions>
+				</plugin>
+			</plugins>
+		</pluginManagement>
+	</build>
+
+</project>
diff --git a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java
new file mode 100644
index 00000000..63e83901
--- /dev/null
+++ b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java
@@ -0,0 +1,666 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.org;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.GregorianCalendar;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.regex.Pattern;
+
+import javax.mail.Address;
+import javax.mail.Message;
+import javax.mail.MessagingException;
+import javax.mail.Session;
+import javax.mail.Transport;
+import javax.mail.internet.InternetAddress;
+import javax.mail.internet.MimeMessage;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.org.EmailWarnings;
+import org.onap.aaf.auth.org.Executor;
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.cadi.util.FQI;
+import org.onap.aaf.misc.env.Env;
+
+public class DefaultOrg implements Organization {
+	private static final String AAF_DATA_DIR = "aaf_data_dir";
+	private static final String PROPERTY_IS_REQUIRED = " property is Required";
+	// Package on Purpose
+	final String domain;
+	final String atDomain;
+	final String realm;
+	
+	private final String NAME,mailHost,mailFrom;
+
+	public DefaultOrg(Env env, String realm) throws OrganizationException {
+		this.realm = realm;
+		domain=FQI.reverseDomain(realm);
+		atDomain = '@'+domain;
+		String s;
+		NAME=env.getProperty(realm + ".name","Default Organization");
+		mailHost = env.getProperty(s=(realm + ".mailHost"), null);
+		if(mailHost==null) {
+			throw new OrganizationException(s + PROPERTY_IS_REQUIRED);
+		}
+		mailFrom = env.getProperty(s=(realm + ".mailFrom"), null);
+		if(mailFrom==null) {
+			throw new OrganizationException(s + PROPERTY_IS_REQUIRED);
+		}
+		
+		System.getProperties().setProperty("mail.smtp.host",mailHost);
+		System.getProperties().setProperty("mail.user", mailFrom);
+		// Get the default Session object.
+		session = Session.getDefaultInstance(System.getProperties());
+
+		try {
+			String defFile;
+			String temp=env.getProperty(defFile = (getClass().getName()+".file"));
+			File fIdentities=null;
+			if(temp==null) {
+				temp = env.getProperty(AAF_DATA_DIR);
+				if(temp!=null) {
+					env.warn().log(defFile, "is not defined. Using default: ",temp+"/identities.dat");
+					File dir = new File(temp);
+					fIdentities=new File(dir,"identities.dat");
+					if(!fIdentities.exists()) {
+						env.warn().log("No",fIdentities.getCanonicalPath(),"exists.  Creating.");
+						if(!dir.exists()) {
+							dir.mkdirs();
+						}
+						fIdentities.createNewFile();
+					}
+				}
+			} else {
+				fIdentities = new File(temp);
+				if(!fIdentities.exists()) {
+					String dataDir = env.getProperty(AAF_DATA_DIR);
+					if(dataDir!=null) {
+						fIdentities = new File(dataDir,temp);
+					}
+				}
+			}
+			
+			if(fIdentities!=null && fIdentities.exists()) {
+				identities = new Identities(fIdentities);
+			} else {
+				throw new OrganizationException(fIdentities.getCanonicalPath() + " does not exist.");
+			}
+		} catch (IOException e) {
+			throw new OrganizationException(e);
+		}
+	}
+	
+	// Implement your own Delegation System
+	static final List<String> NULL_DELEGATES = new ArrayList<String>();
+
+	public Identities identities;
+	private boolean dryRun;
+	private Session session;
+	public enum Types {Employee, Contractor, Application, NotActive};
+	private final static Set<String> typeSet;
+	
+	static {
+		typeSet = new HashSet<String>();
+		for(Types t : Types.values()) {
+			typeSet.add(t.name());
+		}
+	}
+	
+	private static final EmailWarnings emailWarnings = new DefaultOrgWarnings();
+
+	@Override
+	public String getName() {
+		return NAME;
+	}
+
+	@Override
+	public String getRealm() {
+		return realm;
+	}
+
+	@Override
+	public String getDomain() {
+		return domain;
+	}
+
+	@Override
+	public DefaultOrgIdentity getIdentity(AuthzTrans trans, String id) throws OrganizationException {
+		int at = id.indexOf('@');
+		return new DefaultOrgIdentity(trans,at<0?id:id.substring(0, at),this);
+	}
+
+	// Note: Return a null if found; return a String Message explaining why not found. 
+	@Override
+	public String isValidID(final AuthzTrans trans, final String id) {
+		try {
+			DefaultOrgIdentity u = getIdentity(trans,id);
+			return (u==null||!u.isFound())?id + "is not an Identity in " + getName():null;
+		} catch (OrganizationException e) {
+			return getName() + " could not lookup " + id + ": " + e.getLocalizedMessage();
+		}
+	}
+	// Possible ID Pattern
+	//	private static final Pattern ID_PATTERN=Pattern.compile("([\\w.-]+@[\\w.-]+).{4-13}");
+	// Another one: ID_PATTERN = "(a-z[a-z0-9]{5-8}@.*).{4-13}";
+
+	@Override
+	public boolean isValidCred(final AuthzTrans trans, final String id) {
+		// have domain?
+		int at = id.indexOf('@');
+		String sid;
+		if(at > 0) {
+			// Use this to prevent passwords to any but THIS domain.
+//			if(!id.regionMatches(at+1, domain, 0, id.length()-at-1)) {
+//				return false;
+//			}
+			sid = id.substring(0,at); 
+		} else {
+			sid = id;
+		}
+		// We'll validate that it exists, rather than check patterns.
+		
+		return isValidID(trans, sid)==null;
+		// Check Pattern (if checking existing is too long)
+		//		if(id.endsWith(SUFFIX) && ID_PATTERN.matcher(id).matches()) {
+		//			return true;
+		//		}
+		//		return false; 
+	}
+
+	private static final String SPEC_CHARS = "!@#$%^*-+?/,:;.";
+	private static final Pattern PASS_PATTERN=Pattern.compile("((?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[" + SPEC_CHARS +"]).{6,20})");
+	/**
+	 *  Attribution: from mkyong.com
+	 *  (				# Start of group
+	 *  (?=.*\d)			#   must contains one digit from 0-9
+	 *  (?=.*[a-z])		#   must contains one lowercase characters
+	 *  (?=.*[A-Z])		#   must contains one uppercase characters
+	 *  (?=.*[@#$%])		#   must contains one special symbols in the list SPEC_CHARS
+	 *        	.		#     match anything with previous condition checking
+	 *          {6,20}	#        length at least 6 characters and maximum of 20
+	 *  )				# End of group
+	 */
+	@Override
+	public String isValidPassword(final AuthzTrans trans, final String user, final String password, final String... prev) {
+		for(String p : prev) {
+			if(password.contains(p)) { // A more sophisticated algorithm might be better.
+				return "Password too similar to previous passwords";
+			}
+		}
+		// If you have an Organization user/Password scheme, replace the following
+		if(PASS_PATTERN.matcher(password).matches()) {
+			return "";
+		}
+		return "Password does not match " + NAME + " Password Standards";
+	}
+
+	private static final String[] rules = new String[] {
+			"Passwords must contain one digit from 0-9",
+			"Passwords must contain one lowercase character",
+			"Passwords must contain one uppercase character",
+			"Passwords must contain one special symbols in the list \""+ SPEC_CHARS + '"',
+			"Passwords must be between 6 and 20 chars in length"
+	};
+
+	@Override
+	public String[] getPasswordRules() {
+		return rules;
+	}
+
+	@Override
+	public Set<String> getIdentityTypes() {
+		return typeSet;
+	}
+
+	@Override
+	public Response notify(AuthzTrans trans, Notify type, String url, String[] identities, String[] ccs, String summary, Boolean urgent) {
+		String system = trans.getProperty("CASS_ENV", "");
+
+		ArrayList<String> toList = new ArrayList<String>();
+		Identity identity;
+		if (identities != null) {
+			for (String user : identities) {
+				try {
+					identity = getIdentity(trans, user);
+					if (identity == null) {
+						trans.error().log(
+								"Failure to obtain User " + user + " for "
+										+ getName());
+					} else {
+						toList.add(identity.email());
+					}
+				} catch (Exception e) {
+					trans.error().log(
+							e,
+							"Failure to obtain User " + user + " for "
+									+ getName());
+				}
+			}
+		}
+
+		if (toList.isEmpty()) {
+			trans.error().log("No Users listed to email");
+			return Response.ERR_NotificationFailure;
+		}
+
+		ArrayList<String> ccList = new ArrayList<String>();
+
+		// If we're sending an urgent email, CC the user's supervisor
+		//
+		if (urgent) {
+			trans.info().log("urgent msg for: " + identities[0]);
+			try {
+				List<Identity> supervisors = getApprovers(trans, identities[0]);
+				for (Identity us : supervisors) {
+					trans.info().log("supervisor: " + us.email());
+					ccList.add(us.email());
+				}
+			} catch (Exception e) {
+				trans.error().log(e,
+						"Failed to find supervisor for  " + identities[0]);
+			}
+		}
+
+		if (ccs != null) {
+			for (String user : ccs) {
+				try {
+					identity = getIdentity(trans, user);
+					ccList.add(identity.email());
+				} catch (Exception e) {
+					trans.error().log(
+							e,
+							"Failure to obtain User " + user + " for "
+									+ getName());
+				}
+			}
+		}
+
+		if (summary == null) {
+			summary = "";
+		}
+
+		switch (type) {
+		case Approval:
+			try {
+				sendEmail(trans, toList, ccList,
+						"AAF Approval Notification "
+								+ (system.length() == 0 ? "" : "(ENV: "
+										+ system + ")"),
+						"AAF is the "
+						+ NAME
+						+ "System for Fine-Grained Authorizations.  You are being asked to Approve"
+								+ (system.length() == 0 ? "" : " in the "
+										+ system + " environment")
+								+ " before AAF Actions can be taken.\n\n"
+								+ "Please follow this link: \n\n\t" + url
+								+ "\n\n" + summary, urgent);
+			} catch (Exception e) {
+				trans.error().log(e, "Failure to send Email");
+				return Response.ERR_NotificationFailure;
+			}
+			break;
+		case PasswordExpiration:
+			try {
+				sendEmail(trans,
+						toList,
+						ccList,
+						"AAF Password Expiration Warning "
+								+ (system.length() == 0 ? "" : "(ENV: "
+										+ system + ")"),
+						"AAF is the "
+						+ NAME
+						+ " System for Authorizations.\n\nOne or more passwords will expire soon or have expired"
+								+ (system.length() == 0 ? "" : " in the "
+										+ system + " environment")
+								+ ".\n\nPasswords expired for more than 30 days without action are subject to deletion.\n\n"
+								+ "Please follow each link to add a New Password with Expiration Date. Either are valid until expiration. "
+								+ "Use this time to change the passwords on your system. If issues, reply to this email.\n\n"
+								+ summary, urgent);
+			} catch (Exception e) {
+				trans.error().log(e, "Failure to send Email");
+				return Response.ERR_NotificationFailure;
+			}
+			break;
+
+		case RoleExpiration:
+			try {
+				sendEmail(
+						trans,
+						toList,
+						ccList,
+						"AAF Role Expiration Warning "
+								+ (system.length() == 0 ? "" : "(ENV: "
+										+ system + ")"),
+						"AAF is the "
+						+ NAME
+						+ " System for Authorizations. One or more roles will expire soon"
+								+ (system.length() == 0 ? "" : " in the "
+										+ system + " environment")
+								+ ".\n\nRoles expired for more than 30 days are subject to deletion."
+								+ "Please follow this link the GUI Command line, and either 'extend' or 'del' the user in the role.\n"
+								+ "If issues, reply to this email.\n\n\t" + url
+								+ "\n\n" + summary, urgent);
+			} catch (Exception e) {
+				trans.error().log(e, "Failure to send Email");
+				return Response.ERR_NotificationFailure;
+			}
+			break;
+		default:
+			return Response.ERR_NotImplemented;
+		}
+		return Response.OK;
+	}
+
+	@Override
+	public int sendEmail(AuthzTrans trans, List<String> toList, List<String> ccList, String subject, String body,
+			Boolean urgent) throws OrganizationException {
+		int status = 1;
+		
+		List<String> to = new ArrayList<String>();
+		for(String em : toList) {
+			if(em.indexOf('@')<0) {
+				to.add(new DefaultOrgIdentity(trans, em, this).email());
+			} else {
+				to.add(em);
+			}
+		}
+		
+		List<String> cc = new ArrayList<String>();
+		if(ccList!=null && !ccList.isEmpty()) {
+			for(String em : ccList) {
+				if(em.indexOf('@')<0) {
+					cc.add(new DefaultOrgIdentity(trans, em, this).email());
+				} else {
+					cc.add(em);
+				}
+			}
+		}
+		
+	
+		// for now, I want all emails so we can see what goes out. Remove later
+		if (!ccList.contains(mailFrom)) {
+			ccList.add(mailFrom);
+		}
+
+		try {
+			// Create a default MimeMessage object.
+			MimeMessage message = new MimeMessage(session);
+
+			// Set From: header field of the header.
+			message.setFrom(new InternetAddress(mailFrom));
+
+			if (!dryRun) {
+				// Set To: header field of the header. This is a required field
+				// and calling module should make sure that it is not null or
+				// blank
+				message.addRecipients(Message.RecipientType.TO,getAddresses(to));
+
+				// Set CC: header field of the header.
+				if ((ccList != null) && (ccList.size() > 0)) {
+					message.addRecipients(Message.RecipientType.CC,getAddresses(cc));
+				}
+
+				// Set Subject: header field
+				message.setSubject(subject);
+
+				if (urgent) {
+					message.addHeader("X-Priority", "1");
+				}
+
+				// Now set the actual message
+				message.setText(body);
+			} else {
+				// override recipients
+				message.addRecipients(Message.RecipientType.TO,
+						InternetAddress.parse(mailFrom));
+
+				// Set Subject: header field
+				message.setSubject("[TESTMODE] " + subject);
+
+				if (urgent) {
+					message.addHeader("X-Priority", "1");
+				}
+
+				ArrayList<String> newBody = new ArrayList<String>();
+
+				Address temp[] = getAddresses(to);
+				String headerString = "TO:\t" + InternetAddress.toString(temp) + "\n";
+
+				temp = getAddresses(cc);
+				headerString += "CC:\t" + InternetAddress.toString(temp) + "\n";
+
+				newBody.add(headerString);
+
+				newBody.add("Text: \n");
+
+				newBody.add(body);
+				String outString = "";
+				for (String s : newBody) {
+					outString += s + "\n";
+				}
+
+				message.setText(outString);
+			}
+			// Send message
+			Transport.send(message);
+			status = 0;
+
+		} catch (MessagingException mex) {
+			throw new OrganizationException("Exception send email message "
+					+ mex.getMessage());
+		}
+
+		return status;	
+	}
+
+	/**
+	 * Default Policy is to set to 6 Months for Notification Types.
+	 * add others/change as required
+	 */
+	@Override
+	public Date whenToValidate(Notify type, Date lastValidated) {
+		switch(type) {
+			case Approval:
+			case PasswordExpiration:
+				return null;
+			default:
+				GregorianCalendar gc = new GregorianCalendar();
+				gc.setTime(lastValidated);
+				gc.add(GregorianCalendar.MONTH, 6);  // 6 month policy
+				return gc.getTime();
+		}
+	}
+
+	@Override
+	public GregorianCalendar expiration(GregorianCalendar gc, Expiration exp, String... extra) {
+        GregorianCalendar now = new GregorianCalendar();
+        GregorianCalendar rv = gc==null?now:(GregorianCalendar)gc.clone();
+		switch (exp) {
+			case ExtendPassword:
+				// Extending Password give 5 extra days, max 8 days from now
+				rv.add(GregorianCalendar.DATE, 5);
+				now.add(GregorianCalendar.DATE, 8);
+				if(rv.after(now)) {
+					rv = now;
+				}
+				break;
+			case Future:
+				// Future requests last 15 days.
+				now.add(GregorianCalendar.DATE, 15);
+				rv = now;
+				break;
+			case Password:
+				// Passwords expire in 90 days
+				now.add(GregorianCalendar.DATE, 90);
+				rv = now;
+				break;
+			case TempPassword:
+				// Temporary Passwords last for 12 hours.
+				now.add(GregorianCalendar.DATE, 90);
+				rv = now;
+				break;
+			case UserDelegate:
+				// Delegations expire max in 2 months, renewable to 3
+				rv.add(GregorianCalendar.MONTH, 2);
+				now.add(GregorianCalendar.MONTH, 3);
+				if(rv.after(now)) {
+					rv = now;
+				}
+				break;
+			case UserInRole:
+				// Roles expire in 6 months
+				now.add(GregorianCalendar.MONTH, 6);
+				rv = now;
+				break;
+			default:
+				// Unless other wise set, 6 months is default
+				now.add(GregorianCalendar.MONTH, 6);
+				rv = now;
+				break;
+		}
+		return rv;
+	}
+
+	@Override
+	public EmailWarnings emailWarningPolicy() {
+		return emailWarnings;
+	}
+
+	/**
+	 * Assume the Supervisor is the Approver.
+	 */
+	@Override
+	public List<Identity> getApprovers(AuthzTrans trans, String user) throws OrganizationException {
+		Identity orgIdentity = getIdentity(trans, user);
+		List<Identity> orgIdentitys = new ArrayList<Identity>();
+		if(orgIdentity!=null) {
+			Identity supervisor = orgIdentity.responsibleTo();
+			if(supervisor!=null) {
+				orgIdentitys.add(supervisor);
+			}
+		}
+		return orgIdentitys;	
+	}
+
+	@Override
+	public String getApproverType() {
+		return "supervisor";
+	}
+
+	@Override
+	public int startOfDay() {
+		// TODO Auto-generated method stub
+		return 0;
+	}
+
+	@Override
+	public boolean canHaveMultipleCreds(String id) {
+		// External entities are likely mono-password... if you change it, it is a global change.
+		// This is great for people, but horrible for Applications.  
+		//
+		// AAF's Password can have multiple Passwords, each with their own Expiration Date.
+		// For Default Org, we'll assume true for all, but when you add your external
+		// Identity stores, you need to return "false" if they cannot support multiple Passwords like AAF
+		return true;
+	}
+
+	@Override
+	public String validate(AuthzTrans trans, Policy policy, Executor executor, String... vars) throws OrganizationException {
+		switch(policy) {
+			case OWNS_MECHID:
+			case CREATE_MECHID:
+				if(vars.length>0) {
+					DefaultOrgIdentity thisID = getIdentity(trans,vars[0]);
+					if("a".equals(thisID.identity.status)) { // MechID
+						DefaultOrgIdentity requestor = getIdentity(trans, trans.user());
+						if(requestor!=null) {
+							Identity mechid = getIdentity(trans, vars[0]);
+							if(mechid!=null) {
+								Identity sponsor = mechid.responsibleTo();
+								if(sponsor!=null && requestor.equals(sponsor.fullID())) {
+									return null;
+								} else {
+									return trans.user() + " is not the Sponsor of MechID " + vars[0];
+								}
+							}
+						}
+					}
+				}
+				return null;
+				
+			case CREATE_MECHID_BY_PERM_ONLY:
+				return getName() + " only allows sponsors to create MechIDs";
+				
+			default:
+				return policy.name() + " is unsupported at " + getName();
+		}	
+	}
+
+	@Override
+	public boolean isTestEnv() {
+		return false;
+	}
+
+	@Override
+	public void setTestMode(boolean dryRun) {
+		this.dryRun = dryRun;
+	}
+
+	/**
+	 * Convert the delimiter String into Internet addresses with the default
+	 * delimiter of ";"
+	 * @param strAddress
+	 * @return
+	 */
+	private Address[] getAddresses(List<String> strAddress) throws OrganizationException {
+		return this.getAddresses(strAddress,";");
+	}
+	/**
+	 * Convert the delimiter String into Internet addresses with the 
+	 * delimiter of provided
+	 * @param strAddress
+	 * @param delimiter
+	 * @return
+	 */
+	private Address[] getAddresses(List<String> strAddresses, String delimiter) throws OrganizationException {
+		Address[] addressArray = new Address[strAddresses.size()];
+		int count = 0;
+		for (String addr : strAddresses)
+		{
+            try{
+            	addressArray[count] = new InternetAddress(addr);
+            	count++;
+            }catch(Exception e){
+            	throw new OrganizationException("Failed to parse the email address "+ addr +": "+e.getMessage());
+            }
+        }
+        return addressArray;
+	}
+
+			
+	}
diff --git a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java
new file mode 100644
index 00000000..6d9003fd
--- /dev/null
+++ b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java
@@ -0,0 +1,170 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.org;
+
+import java.io.IOException;
+import java.util.List;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.local.AbsData.Reuse;
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.auth.org.Organization.Identity;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.org.Identities.Data;
+
+/**
+ * Org Users are essential representations of Identities within the Org.  Since this is a highly individual 
+ * thing for most Orgs, i.e. some use LDAP, some need feed, some use something else, this object will allow
+ * the Organization to connect to their own Identity systems...
+ * 
+ *
+ */
+public class DefaultOrgIdentity implements Identity {
+	private static final String CONTRACTOR = "c";
+	private static final String EMPLOYEE = "e";
+	private static final String APPLICATION = "a";
+    private static final String NON_ACTIVE = "n";
+
+	private final static int TIMEOUT = Integer.parseInt(Config.AAF_CONN_TIMEOUT_DEF);
+	
+	private DefaultOrg org;
+	//package on purpose
+	Data identity;
+	private AuthzTrans trans;
+
+	public DefaultOrgIdentity(AuthzTrans trans, String key, DefaultOrg dorg) throws OrganizationException {
+		this.trans = trans;
+		org = dorg;
+		identity=null;
+		try {
+			org.identities.open(trans, TIMEOUT);
+			try {
+				Reuse r = org.identities.reuse();
+				int at = key.indexOf(dorg.atDomain);
+				String search;
+				if(at>=0) {
+					search = key.substring(0,at);
+				} else {
+					search = key;
+				}
+				identity = org.identities.find(search, r);
+				if(identity==null) {
+					identity = Identities.NO_DATA;
+				}
+			} finally {
+				org.identities.close(trans);
+			}
+		} catch (IOException e) {
+			throw new OrganizationException(e);
+		}
+	}
+	
+	@Override
+	public boolean equals(Object b) {
+		if(b instanceof DefaultOrgIdentity) {
+			return identity.id.equals(((DefaultOrgIdentity)b).identity.id);
+		}
+		return false;
+	}
+
+	@Override
+	public String id() {
+		return identity.id;
+	}
+
+	@Override
+	public String fullID() {
+		return identity.id+'@'+org.getDomain();
+	}
+
+	@Override
+	public String type() {
+		switch(identity.status) {
+			case EMPLOYEE: return DefaultOrg.Types.Employee.name();
+			case CONTRACTOR: return DefaultOrg.Types.Contractor.name();
+			case APPLICATION: return DefaultOrg.Types.Application.name();
+			case NON_ACTIVE: return DefaultOrg.Types.NotActive.name();
+			default:
+				return "Unknown";
+		}
+	}
+
+	@Override
+	public Identity responsibleTo() throws OrganizationException {
+		if("".equals(identity.responsibleTo) && isFound()) { // cover the situation of Top Dog... reports to no-one.
+			return this;
+		} else {
+			return org.getIdentity(trans, identity.responsibleTo);
+		}
+	}
+
+	@Override
+	public List<String> delegate() {
+		//NOTE:  implement Delegate system, if desired
+		return DefaultOrg.NULL_DELEGATES;
+	}
+
+	@Override
+	public String email() {
+		return identity.email;
+	}
+
+	@Override
+	public String fullName() {
+		return identity.name;
+	}
+
+	@Override
+	public String firstName() {
+		return identity.fname;
+	}
+
+	@Override
+	public String mayOwn() {
+		// Assume only Employees are responsible for Resources.
+		if(identity.status==null|| identity.status.length()==0) {
+			return "Identity must have valid status";
+		} else if(EMPLOYEE.equals(identity.status)) {
+			return null; // This is "Yes, is Responsible"
+		} else {
+			return "Reponsible Party must be an Employee";
+		}
+	}
+
+	@Override
+	public boolean isFound() {
+		return identity!=Identities.NO_DATA; // yes, object comparison intended
+	}
+
+	@Override
+	public boolean isPerson() {
+		return !identity.status.equals(APPLICATION);
+	}
+
+	@Override
+	public Organization org() {
+		return org;
+	}
+
+
+}
diff --git a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgWarnings.java b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgWarnings.java
new file mode 100644
index 00000000..c04707ee
--- /dev/null
+++ b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgWarnings.java
@@ -0,0 +1,63 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.org;
+
+import org.onap.aaf.auth.org.EmailWarnings;
+
+public class DefaultOrgWarnings implements EmailWarnings {
+
+	@Override
+    public long credEmailInterval()
+    {
+        return 604800000L; // 7 days in millis 1000 * 86400 * 7
+    }
+    
+	@Override
+    public long roleEmailInterval()
+    {
+        return 604800000L; // 7 days in millis 1000 * 86400 * 7
+    }
+	
+	@Override
+	public long apprEmailInterval() {
+        return 259200000L; // 3 days in millis 1000 * 86400 * 3
+	}
+    
+	@Override
+    public long  credExpirationWarning()
+    {
+        return( 2592000000L ); // One month, in milliseconds 1000 * 86400 * 30  in milliseconds
+    }
+    
+	@Override
+    public long roleExpirationWarning()
+    {
+        return( 2592000000L ); // One month, in milliseconds 1000 * 86400 * 30  in milliseconds
+    }
+
+	@Override
+    public long emailUrgentWarning()
+    {
+        return( 1209600000L ); // Two weeks, in milliseconds 1000 * 86400 * 14  in milliseconds
+    }
+
+}
diff --git a/auth/auth-deforg/src/main/java/org/onap/aaf/org/Identities.java b/auth/auth-deforg/src/main/java/org/onap/aaf/org/Identities.java
new file mode 100644
index 00000000..f3067fe6
--- /dev/null
+++ b/auth/auth-deforg/src/main/java/org/onap/aaf/org/Identities.java
@@ -0,0 +1,143 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.org;
+
+import java.io.File;
+import java.io.IOException;
+
+import org.onap.aaf.auth.local.AbsData;
+import org.onap.aaf.auth.local.DataFile.Token.Field;
+
+/*
+ * Example User Data file, which can be modified for many different kinds of Data Feeds.
+ * 
+ * Note: This has shown to be extremely effective in AT&T, an acknowledged very large organizations, 
+ * 	     because there is no need to synchronize records.  AAF simply receives a Data Feed in Organization
+ * 		 defined intervals.  (You might want to check for validity, such as size, etc), then is copied into
+ * 		 Data Directory.  You will want to do so first creating a "lock" file.  Assuming the File name is "users.dat",
+ * 		 the Lock File is "users.lock".  
+ * 
+ * 		 After the movement of the Datafile into place, it is best to remove the Index File, then remove the lock file.
+ * 
+ * 		 Note, Any AAF Programs needing this data WILL wait on the Lock file, so you should get fresh Data files
+ *       in a "stage" directory, from WEB, or wherever, and then, after it is correct, do the following as fast as feasible.
+ *       
+ *       	a) lock
+ *          b) copy from stage
+ *          c) remove idx
+ *          d) unlock
+ * 
+ * 	     If the Index File is either non-existent or out of date from the Data File, it will be reindexed, which
+ * 		 has proven to be a very quick function, even with large numbers of entries.
+ * 
+ * This Sample Feed is set for a file with delimiter of "|".  512 is maximum expected line length. The "0" is the
+ *       field offset for the "key" to the record,  which, for user, should be the unique Organization Identity.
+ *       
+ */
+public class Identities extends AbsData {
+	public final static Data NO_DATA = new Data();
+	
+	public Identities(File users) {
+		super(users,'|',512,0);
+	}
+
+	/*
+	 * Example Field Layout.  note, in this example, Application IDs and People IDs are mixed.  You may want to split
+	 *   out AppIDs, choose your own status indicators, or whatever you use.
+	 * 0 - unique ID
+	 * 1 - full name
+	 * 2 - first name
+	 * 3 - last name
+	 * 4 - phone
+	 * 5 - official email
+	 * 6 - employment status e=employee, c=contractor, a=application, n=no longer with company
+	 * 7 - responsible to (i.e Supervisor for People, or AppOwner, if it's an App ID)
+	 */
+	public static class Data {
+		public final String id;
+		public final String name;
+		public final String fname;
+		public final String lname;
+		public final String phone;
+		public final String email;
+		public final String status;
+		public final String responsibleTo;
+		
+		private Data(Field f) {
+			f.reset();
+			id=f.next();
+			name=f.next();
+			fname=f.next();
+			lname=f.next();
+			phone=f.next();
+			email=f.next();
+			status=f.next();
+			responsibleTo =f.next();
+		}
+		
+		private Data() {
+			id = name = fname = lname =
+			phone = email = status = responsibleTo 
+			= "";
+		}
+
+		public String toString() {
+			return  id + '|' +
+					name + '|' +
+					lname + '|' +
+					fname + '|' +
+					phone + '|' +
+					email + '|' +
+					status + '|' +
+					responsibleTo;
+		}
+		
+		// Here, make up your own Methods which help you easily determine your Organization's structure
+		// in your Organization Object
+        public boolean hasStatus(String possible) {
+            return possible.contains(status);
+	    }
+
+	    public boolean isEmployee() {
+	            return "e".equals(status);
+	    }
+	
+	    public boolean isContractor() {
+	            return "c".equals(status);
+	    }
+	
+	    public boolean isApplication() {
+	            return "a".equals(status);
+	    }
+	}
+	
+    public Data find(Object key,Reuse r) throws IOException {
+        r.reset();
+        // These are new, to allow for Thread Safety
+        int rec = ti.find(key,r,0);
+        if(rec<0) {
+            return null;
+        }
+        r.pos(rec);
+		return new Data(r.getFieldData());
+    }
+}
diff --git a/auth/auth-deforg/src/test/java/org/onap/aaf/org/test/JU_DefaultOrg.java b/auth/auth-deforg/src/test/java/org/onap/aaf/org/test/JU_DefaultOrg.java
new file mode 100644
index 00000000..72b15480
--- /dev/null
+++ b/auth/auth-deforg/src/test/java/org/onap/aaf/org/test/JU_DefaultOrg.java
@@ -0,0 +1,139 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.org.test;
+
+import static org.junit.Assert.*;
+
+import java.io.File;
+import java.util.Set;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Matchers;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.org.DefaultOrg;
+import org.powermock.api.mockito.PowerMockito;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+@RunWith(PowerMockRunner.class)
+public class JU_DefaultOrg {
+
+	DefaultOrg defaultOrg;
+	//private DefaultOrg defaultOrgMock;
+	@Mock
+	AuthzEnv authzEnvMock;
+
+	@Mock
+	AuthzTrans authzTransMock;
+
+	@Mock
+	File fIdentitiesMock;
+
+	private static final String PROPERTY_IS_REQUIRED = " property is Required";
+	private static final String DOMAIN = "osaaf.com";
+	private static final String REALM = "com.osaaf";
+	private static final String NAME = "Default Organization";
+	private static final String NO_PASS = NAME + " does not support Passwords.  Use AAF";
+	String mailHost,mailFromUserId,supportAddress;
+	private String SUFFIX;
+	String s;
+	String defFile;
+
+	@Before
+	public void setUp() throws OrganizationException{
+		MockitoAnnotations.initMocks(this);
+		PowerMockito.when(authzEnvMock.getProperty(s=(REALM + ".mailHost"), null)).thenReturn("hello");
+		PowerMockito.when(authzEnvMock.getProperty(s=(REALM + ".supportEmail"), null)).thenReturn("notnull");
+		PowerMockito.when(authzEnvMock.getProperty(Matchers.anyString())).thenReturn("src" + File.separator + "test" + File.separator + "resources" + File.separator + "test.txt");
+		PowerMockito.when(fIdentitiesMock.exists()).thenReturn(true);
+		//PowerMockito.when((fIdentitiesMock!=null && fIdentitiesMock.exists())).thenReturn(true);
+		defaultOrg = new DefaultOrg(authzEnvMock, REALM);
+	}
+
+	@Test    //(expected=OrganizationException.class)
+	public void test() throws OrganizationException{
+		//PowerMockito.when(authzEnvMock.getProperty(Matchers.anyString())).thenReturn(" ");
+		//defaultOrg = new DefaultOrg(authzEnvMock);
+		assertTrue(defaultOrg != null);
+	}
+
+
+	@Test    //(expected=OrganizationException.class)
+	public void testMultipleCreds() throws OrganizationException{
+		String id = "test";
+		//PowerMockito.when(authzEnvMock.getProperty(Matchers.anyString())).thenReturn(" ");
+		//defaultOrg = new DefaultOrg(authzEnvMock);
+		boolean canHaveMultipleCreds;
+		canHaveMultipleCreds = defaultOrg.canHaveMultipleCreds(id );
+		System.out.println("value of canHaveMultipleCreds:  " + canHaveMultipleCreds);
+		assertTrue(canHaveMultipleCreds);
+	}
+
+
+	@Test   
+	public void testGetIdentityTypes() throws OrganizationException{
+		Set<String> identityTypes = defaultOrg.getIdentityTypes();
+		System.out.println("value of IdentityTypes:  " + identityTypes);
+		assertTrue(identityTypes.size() == 4);
+	}
+
+
+	@Test   
+	public void testGetRealm() throws OrganizationException{
+		String realmTest = defaultOrg.getRealm();
+		System.out.println("value of realm:  " + realmTest);
+		assertTrue(realmTest == REALM);
+	}
+
+	@Test   
+	public void testGetName() throws OrganizationException{
+		String testName = defaultOrg.getName();
+		System.out.println("value of name:  " + testName);
+		assertTrue(testName == NAME);
+	}
+
+
+	@Test   
+	public void testGetDomain() throws OrganizationException{
+		String testDomain = defaultOrg.getDomain();
+		System.out.println("value of domain:  " + testDomain);
+		assertTrue(testDomain == DOMAIN);
+	}
+
+	// @Test
+	// public void testIsValidID(){	
+	// 	String Result = defaultOrg.isValidID(Matchers.anyString());
+	// 	System.out.println("value of res " +Result);
+	// 	assertNotNull(Result);	
+	// }
+
+	@Test
+	public void notYetImplemented() {
+		fail("Tests in this file should not be trusted");
+	}
+
+}
diff --git a/auth/auth-deforg/src/test/java/org/onap/aaf/org/test/JU_DefaultOrgIdentity.java b/auth/auth-deforg/src/test/java/org/onap/aaf/org/test/JU_DefaultOrgIdentity.java
new file mode 100644
index 00000000..1577d9e6
--- /dev/null
+++ b/auth/auth-deforg/src/test/java/org/onap/aaf/org/test/JU_DefaultOrgIdentity.java
@@ -0,0 +1,96 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.org.test;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.auth.org.Organization.Identity;
+import org.onap.aaf.org.DefaultOrg;
+import org.onap.aaf.org.DefaultOrgIdentity;
+import org.onap.aaf.org.Identities.Data;
+import org.powermock.api.mockito.PowerMockito;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+@RunWith(PowerMockRunner.class)
+public class JU_DefaultOrgIdentity {
+
+	private DefaultOrgIdentity defaultOrgIdentity;
+	private DefaultOrgIdentity defaultOrgIdentityMock;
+	
+	@Mock
+	AuthzTrans authzTransMock;
+	
+	String key="key";
+	
+	@Mock
+	private DefaultOrg defaultOrgMock;
+	@Mock
+	private Data dataMock;
+	@Mock
+	private Identity identityMock;
+	
+	@Before
+	public void setUp() throws OrganizationException{
+		MockitoAnnotations.initMocks(this);
+		defaultOrgIdentityMock = PowerMockito.mock(DefaultOrgIdentity.class);
+	}
+	
+	@Test
+	public void testEquals(){
+		Object b = null;
+		Boolean res = defaultOrgIdentityMock.equals(b);
+		System.out.println("value of res " +res);
+	}
+	
+	
+	@Test
+	public void testIsFound(){
+		defaultOrgIdentityMock.isFound();
+		System.out.println("value of found " +defaultOrgIdentityMock.isFound());
+		assertFalse(defaultOrgIdentityMock.isFound());
+	}
+	
+	@Test
+	public void testIsResponsible(){
+		defaultOrgIdentityMock.mayOwn();
+		System.out.println("value of res " +defaultOrgIdentityMock.mayOwn());
+		assertNull(defaultOrgIdentityMock.mayOwn());
+	}
+	
+	@Test
+	public void testFullName(){
+		String fullName = defaultOrgIdentityMock.fullName();
+		System.out.println("value of fullname " +fullName);
+		assertTrue(fullName == null);
+	}
+	
+	
+}
diff --git a/auth/auth-deforg/src/test/java/org/onap/aaf/org/test/JU_DefaultOrgWarnings.java b/auth/auth-deforg/src/test/java/org/onap/aaf/org/test/JU_DefaultOrgWarnings.java
new file mode 100644
index 00000000..3b4d5543
--- /dev/null
+++ b/auth/auth-deforg/src/test/java/org/onap/aaf/org/test/JU_DefaultOrgWarnings.java
@@ -0,0 +1,83 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.org.test;
+
+import static org.junit.Assert.assertEquals;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.MockitoAnnotations;
+import org.onap.aaf.org.DefaultOrgWarnings;
+import org.powermock.api.mockito.PowerMockito;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+@RunWith(PowerMockRunner.class)
+public class JU_DefaultOrgWarnings {
+	
+	private DefaultOrgWarnings defaultOrgWarningsMock;
+	private DefaultOrgWarnings defaultOrgWarnings;
+	
+	
+	@Before
+	public void setUp(){
+		MockitoAnnotations.initMocks(this);
+		
+		defaultOrgWarningsMock = PowerMockito.mock(DefaultOrgWarnings.class);
+		
+		defaultOrgWarnings = new DefaultOrgWarnings();
+	}
+
+	
+	@Test
+	public void testApprEmailInterval() {
+		
+		assertEquals(259200000, defaultOrgWarnings.apprEmailInterval() );
+	}
+	
+	@Test
+	public void testCredEmailInterval() {
+		assertEquals(604800000, defaultOrgWarnings.credEmailInterval());
+		
+	}
+	
+	@Test
+	public void testCredExpirationWarning() {
+		assertEquals(2592000000L, defaultOrgWarnings.credExpirationWarning());
+	}
+	
+	@Test
+	public void testEmailUrgentWarning() {
+		assertEquals(1209600000L, defaultOrgWarnings.emailUrgentWarning());
+	}
+	
+	@Test
+	public void testRoleEmailInterval() {
+		assertEquals(604800000L, defaultOrgWarnings.roleEmailInterval());
+	}
+	
+	@Test
+	public void testRoleExpirationWarning() {
+		assertEquals(2592000000L, defaultOrgWarnings.roleExpirationWarning());
+	}
+
+}
diff --git a/auth/auth-deforg/src/test/java/org/onap/aaf/org/test/JU_Identities.java b/auth/auth-deforg/src/test/java/org/onap/aaf/org/test/JU_Identities.java
new file mode 100644
index 00000000..e32ce844
--- /dev/null
+++ b/auth/auth-deforg/src/test/java/org/onap/aaf/org/test/JU_Identities.java
@@ -0,0 +1,110 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+/**
+ * 
+ */
+package org.onap.aaf.org.test;
+
+import java.io.File;
+import java.io.IOException;
+
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.local.AbsData.Reuse;
+import org.onap.aaf.org.Identities;
+import org.onap.aaf.org.Identities.Data;
+
+/**
+ *
+ */
+public class JU_Identities {
+
+	private static final String DATA_IDENTITIES = "/opt/app/onap/data/identities.dat";
+	private static File fids;
+	private static Identities ids;
+	private static AuthzEnv env;
+
+	/**
+	 * @throws java.lang.Exception
+	 */
+	@BeforeClass
+	public static void setUpBeforeClass() throws Exception {
+		env = new AuthzEnv();
+		AuthzTrans trans = env.newTransNoAvg();
+		// Note: utilize TimeTaken, from trans.start if you want to time.
+		fids = new File(DATA_IDENTITIES);
+		if(fids.exists()) {
+			ids = new Identities(fids);
+			ids.open(trans, 5000);
+		} else {
+			
+			throw new Exception("Data File for Tests, \"" + DATA_IDENTITIES 
+					+ "\" must exist before test can run. (Current dir is " + System.getProperty("user.dir") + ")");
+		}
+	}
+
+	/**
+	 * @throws java.lang.Exception
+	 */
+	@AfterClass
+	public static void tearDownAfterClass() throws Exception {
+		AuthzTrans trans = env.newTransNoAvg();
+		if(ids!=null) {
+			ids.close(trans);
+		}
+	}
+
+	/**
+	 * @throws java.lang.Exception
+	 */
+	@Before
+	public void setUp() throws Exception {
+	}
+
+	/**
+	 * @throws java.lang.Exception
+	 */
+	@After
+	public void tearDown() throws Exception {
+	}
+ 
+	@Test
+	public void test() throws IOException {
+		Reuse reuse = ids.reuse(); // this object can be reused within the same thread.
+		Data id = ids.find("osaaf",reuse);
+		Assert.assertNotNull(id);
+		System.out.println(id);
+
+		id = ids.find("mmanager",reuse);
+		Assert.assertNotNull(id);
+		System.out.println(id);
+
+		//TODO Fill out JUnit with Tests of all Methods in "Data id"
+	}
+
+}
diff --git a/auth/auth-deforg/src/test/resources/test.txt b/auth/auth-deforg/src/test/resources/test.txt
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/auth/auth-deforg/src/test/resources/test.txt
diff --git a/auth/auth-fs/.gitignore b/auth/auth-fs/.gitignore
new file mode 100644
index 00000000..d3881782
--- /dev/null
+++ b/auth/auth-fs/.gitignore
@@ -0,0 +1,7 @@
+/target/
+/.classpath
+/.settings
+/.project
+/Dockerfile
+/dbuild
+/drun
diff --git a/auth/auth-fs/pom.xml b/auth/auth-fs/pom.xml
new file mode 100644
index 00000000..11582b4b
--- /dev/null
+++ b/auth/auth-fs/pom.xml
@@ -0,0 +1,122 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.onap.aaf.auth</groupId>
+		<artifactId>parent</artifactId>
+		<version>2.1.0-SNAPSHOT</version>
+		<relativePath>../pom.xml</relativePath>
+	</parent>
+
+	<artifactId>aaf-auth-fs</artifactId>
+	<name>AAF Auth File Server (http)</name>
+	<description>Independent FileServer Component via HTTP (not S) for Public Files (i.e. CRLs) for AAF Auth</description>
+
+	<properties>
+		<maven.test.failure.ignore>true</maven.test.failure.ignore>
+	</properties>
+
+	<developers>
+		<developer>
+			<name>Jonathan Gathman</name>
+			<email>jonathan.gathman@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Architect</role>
+				<role>Lead Developer</role>
+			</roles>
+		</developer>
+		<developer>
+			<name>Gabe Maurer</name>
+			<email>gabe.maurer@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Developer</role>
+			</roles>
+		</developer>
+		<developer>
+			<name>Ian Howell</name>
+			<email>ian.howell@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Developer</role>
+			</roles>
+		</developer>
+	</developers>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.onap.aaf.auth</groupId>
+			<artifactId>aaf-auth-core</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.cadi</groupId>
+			<artifactId>aaf-cadi-core</artifactId>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-deploy-plugin</artifactId>
+				<configuration>
+					<skip>true</skip>
+				</configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.codehaus.mojo</groupId>
+				<artifactId>appassembler-maven-plugin</artifactId>
+				<configuration>
+					<programs>
+						<program>
+							<mainClass>org.onap.aaf.auth.fs.AAF_FS</mainClass>
+							<name>fs</name>
+							<commandLineArguments>
+								<commandLineArgument>cadi_prop_files=${project.conf_dir}/org.osaaf.fs.props</commandLineArgument>
+							</commandLineArguments>
+						</program>
+					</programs>
+				</configuration>
+			</plugin>
+		</plugins>
+		<pluginManagement>
+			<plugins />
+		</pluginManagement>
+	</build>
+
+	<distributionManagement>
+		<repository>
+			<id>nexus</id>
+			<name>attarch-releases</name>
+			<url>http://mavencentral.it.att.com:8084/nexus/content/repositories/attarch-releases</url>
+		</repository>
+		<snapshotRepository>
+			<id>nexus</id>
+			<name>attarch-snapshots</name>
+			<url>http://mavencentral.it.att.com:8084/nexus/content/repositories/attarch-snapshots</url>
+		</snapshotRepository>
+	</distributionManagement>
+</project>
diff --git a/auth/auth-fs/src/main/config/.gitignore b/auth/auth-fs/src/main/config/.gitignore
new file mode 100644
index 00000000..e53ef90a
--- /dev/null
+++ b/auth/auth-fs/src/main/config/.gitignore
@@ -0,0 +1 @@
+/log4j.properties
diff --git a/auth/auth-fs/src/main/config/FileServer.props b/auth/auth-fs/src/main/config/FileServer.props
new file mode 100644
index 00000000..9c123307
--- /dev/null
+++ b/auth/auth-fs/src/main/config/FileServer.props
@@ -0,0 +1,23 @@
+##
+## AUTHZ API (authz-service) Properties
+##
+
+hostname=_HOSTNAME_
+
+## DISCOVERY (DME2) Parameters on the Command Line
+AFT_LATITUDE=_AFT_LATITUDE_
+AFT_LONGITUDE=_AFT_LONGITUDE_
+AFT_ENVIRONMENT=_AFT_ENVIRONMENT_
+DEPLOYED_VERSION=_ARTIFACT_VERSION_
+
+cadi_prop_files=/opt/app/aaf/common/com.att.aaf.common.props:/opt/app/aaf/common/com.att.aaf.props
+
+DMEServiceName=service=com.att.authz.authz-fs/version=_MAJOR_VER_._MINOR_VER_._PATCH_VER_/envContext=_ENV_CONTEXT_/routeOffer=_ROUTE_OFFER_
+AFT_DME2_PORT_RANGE=_AUTHZ_FS_PORT_RANGE_
+AFT_DME2_SSL_ENABLE=false
+AFT_DME2_DISABLE_PERSISTENT_CACHE=true
+
+CFA_WebPath=/opt/app/aaf/public
+CFA_ClearCommand=FmzYPpMY918MwE1hyacoiFSt
+CFA_MaxSize=2000000
+
diff --git a/auth/auth-fs/src/main/data/favicon.ico b/auth/auth-fs/src/main/data/favicon.ico
new file mode 100644
index 00000000..3aea2722
--- /dev/null
+++ b/auth/auth-fs/src/main/data/favicon.ico
diff --git a/auth/auth-fs/src/main/data/test.html b/auth/auth-fs/src/main/data/test.html
new file mode 100644
index 00000000..ec50246c
--- /dev/null
+++ b/auth/auth-fs/src/main/data/test.html
@@ -0,0 +1,20 @@
+<html>
+  <head>                                 <!-- begin head -->
+    <meta charset="utf-8">
+    <title>AT&amp;T Authentication/Authorization Tool</title>
+    <!-- 
+    <link rel="stylesheet" href="_AUTHZ_GUI_URL_/theme/aaf5.css">
+    <script type="text/javascript" src="_AUTHZ_GUI_URL_/theme/comm.js"></script>
+    <script type="text/javascript" src="_AUTHZ_GUI_URL_/theme/console.js"></script>
+    <script type="text/javascript" src="_AUTHZ_GUI_URL_/theme/common.js"></script>
+    <link rel="stylesheet" href="_AUTHZ_GUI_URL_/theme/aaf5Desktop.css">
+     -->
+  </head>                                <!-- end head -->
+  <body>                                 <!-- begin body -->
+    <header>                             <!-- begin header -->
+            <h1>AT&amp;T Auth Tool on _ENV_CONTEXT_</h1>
+      <p id="version">AAF Version: _ARTIFACT_VERSION_</p>
+    </header>
+  <h1>Success for File Server Access</h1>
+  </body>
+</html>
diff --git a/auth/auth-fs/src/main/java/org/onap/aaf/auth/fs/AAF_FS.java b/auth/auth-fs/src/main/java/org/onap/aaf/auth/fs/AAF_FS.java
new file mode 100644
index 00000000..50791393
--- /dev/null
+++ b/auth/auth-fs/src/main/java/org/onap/aaf/auth/fs/AAF_FS.java
@@ -0,0 +1,115 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.fs;
+
+import static org.onap.aaf.auth.rserv.HttpMethods.GET;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.env.AuthzTransOnlyFilter;
+import org.onap.aaf.auth.rserv.CachingFileAccess;
+import org.onap.aaf.auth.rserv.HttpCode;
+import org.onap.aaf.auth.server.AbsService;
+import org.onap.aaf.auth.server.JettyServiceStarter;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.register.Registrant;
+import org.onap.aaf.cadi.register.RemoteRegistrant;
+import org.onap.aaf.misc.env.APIException;
+
+
+public class AAF_FS extends AbsService<AuthzEnv, AuthzTrans>  {
+
+	public AAF_FS(final AuthzEnv env) throws APIException, IOException, CadiException {
+		super(env.access(),env);
+		try {
+			///////////////////////  
+			// File Server 
+			///////////////////////
+			// creates StaticSlot, needed for CachingFileAccess, and sets to public Dir
+			env.staticSlot(CachingFileAccess.CFA_WEB_PATH,"aaf_public_dir");
+
+			CachingFileAccess<AuthzTrans> cfa = new CachingFileAccess<AuthzTrans>(env);
+			route(env,GET,"/:key", cfa); 
+			route(env,GET,"/:key/:cmd", cfa);
+			final String aaf_locate_url = access.getProperty(Config.AAF_LOCATE_URL, null);
+			if(aaf_locate_url == null) {
+				access.printf(Level.WARN, "Redirection requires property %s",Config.AAF_LOCATE_URL);
+			} else {
+				route(env,GET,"/", new Redirect(this,aaf_locate_url));
+			}
+		} catch (Exception e) {
+			e.printStackTrace();
+		}
+	}
+	
+	private static class Redirect extends HttpCode<AuthzTrans, AAF_FS> {
+		private final String url;
+
+		public Redirect(AAF_FS context,String url) {
+			super(context, "Redirect to HTTP/S");
+			this.url = url;
+		}
+
+		@Override
+		public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+			trans.info().printf("Redirecting %s to HTTP/S %s", req.getRemoteAddr(), req.getLocalAddr());
+			resp.sendRedirect(url);
+		}
+	};
+	
+	@Override
+	public Filter[] filters() throws CadiException, LocatorException {
+		return new Filter[] {
+			new AuthzTransOnlyFilter(env)
+		};
+	}
+
+	@SuppressWarnings("unchecked")
+	@Override
+	public Registrant<AuthzEnv>[] registrants(final int port) throws CadiException, LocatorException {
+		return new Registrant[] {
+			new RemoteRegistrant<AuthzEnv>(aafCon(),app_name,app_version,port)
+		};
+	}
+	
+	public static void main(final String[] args) {
+		PropAccess propAccess = new PropAccess(args);
+		try {
+ 			AAF_FS service = new AAF_FS(new AuthzEnv(propAccess));
+//			env.setLog4JNames("log4j.properties","authz","fs","audit","init",null);
+			JettyServiceStarter<AuthzEnv,AuthzTrans> jss = new JettyServiceStarter<AuthzEnv,AuthzTrans>(service);
+			jss.insecure().start();
+		} catch (Exception e) {
+			e.printStackTrace();
+		}
+	}
+}
diff --git a/auth/auth-fs/src/test/java/org/onap/aaf/auth/fs/test/JU_FileServer.java b/auth/auth-fs/src/test/java/org/onap/aaf/auth/fs/test/JU_FileServer.java
new file mode 100644
index 00000000..6e24f6dc
--- /dev/null
+++ b/auth/auth-fs/src/test/java/org/onap/aaf/auth/fs/test/JU_FileServer.java
@@ -0,0 +1,81 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.fs.test;
+
+import static org.junit.Assert.*;
+import static org.onap.aaf.auth.rserv.HttpMethods.GET;
+
+import java.io.File;
+import java.io.IOException;
+import java.net.URL;
+import java.util.Properties;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
+import org.mockito.Matchers;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.fs.*;
+import org.onap.aaf.auth.rserv.CachingFileAccess;
+import org.onap.aaf.misc.env.APIException;
+import org.powermock.api.mockito.PowerMockito;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+@RunWith(MockitoJUnitRunner.class)
+public class JU_FileServer {	
+	@Mock
+	AuthzEnv authzEnvMock;
+	AuthzEnv authzEnv = new AuthzEnv();
+	
+	@Before
+	public void setUp() throws APIException, IOException{
+
+	}
+	
+	@SuppressWarnings("static-access")
+	@Test
+	public void testMain() throws Exception{
+		
+		String[] args = null;
+		Properties props = new Properties();
+		ClassLoader classLoader = getClass().getClassLoader();
+		File file = new File(classLoader.getResource("FileServer.props").getFile());
+
+//PowerMockito.whenNew(Something.class).withArguments(argument).thenReturn(mockSomething);
+		//			env.setLog4JNames("log4j.properties","authz","fs","audit","init",null);
+    // PowerMockito.whenNew(AuthzEnv.class).withArguments(props).thenReturn(authzEnvMock);
+   //  PowerMockito.doNothing().when(authzEnvMock.setLog4JNames(Matchers.anyString(), Matchers.anyString(), Matchers.anyString(), Matchers.anyString(), Matchers.anyString(), Matchers.anyString()));
+  // PowerMockito.when(new AuthzEnv(props)).thenReturn(authzEnvMock);
+		//PowerMockito.doNothing().when(authzEnv).setLog4JNames(Matchers.anyString(), Matchers.anyString(), Matchers.anyString(), Matchers.anyString(), Matchers.anyString(), Matchers.anyString());
+	//PowerMockito.doNothing().when(authzEnvMock).setLog4JNames(" "," "," "," "," "," ");
+
+		AAF_FS.main(args);
+		//assertTrue(true);
+		
+	}
+	
+}
diff --git a/auth/auth-gui/.gitignore b/auth/auth-gui/.gitignore
new file mode 100644
index 00000000..a95a15c4
--- /dev/null
+++ b/auth/auth-gui/.gitignore
@@ -0,0 +1,8 @@
+/.settings
+/logs
+/target
+/.classpath
+/conf
+/bin/
+/tokens/
+/.project
diff --git a/auth/auth-gui/pom.xml b/auth/auth-gui/pom.xml
new file mode 100644
index 00000000..d2253009
--- /dev/null
+++ b/auth/auth-gui/pom.xml
@@ -0,0 +1,142 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.onap.aaf.auth</groupId>
+		<artifactId>parent</artifactId>
+		<version>2.1.0-SNAPSHOT</version>
+		<relativePath>../pom.xml</relativePath>
+	</parent>
+
+	<artifactId>aaf-auth-gui</artifactId>
+	<name>AAF Auth GUI</name>
+	<description>GUI Component for AAF Auth Management</description>
+
+	<properties>
+		<maven.test.failure.ignore>true</maven.test.failure.ignore>
+	</properties>
+
+
+	<dependencies>
+		<dependency>
+			<groupId>org.onap.aaf.auth</groupId>
+			<artifactId>aaf-auth-core</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.auth</groupId>
+			<artifactId>aaf-auth-client</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.auth</groupId>
+			<artifactId>aaf-auth-cmd</artifactId>
+		</dependency>
+
+		<!-- Add the Organizations you wish to support. You can delete ONAP if 
+			you have something else Match with Property Entry: Organization.<root ns>, 
+			i.e. Organization.onap.org=org.onap.org.DefaultOrg -->
+		<dependency>
+			<groupId>org.onap.aaf.auth</groupId>
+			<artifactId>aaf-auth-deforg</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.cadi</groupId>
+			<artifactId>aaf-cadi-aaf</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.cadi</groupId>
+			<artifactId>aaf-cadi-client</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.misc</groupId>
+			<artifactId>aaf-misc-xgen</artifactId>
+		</dependency>
+
+
+
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-jar-plugin</artifactId>
+				<configuration>
+					<includes>
+						<include>**/*.class</include>
+					</includes>
+				</configuration>
+				<version>2.3.1</version>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-deploy-plugin</artifactId>
+				<configuration>
+					<skip>true</skip>
+				</configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.codehaus.mojo</groupId>
+				<artifactId>appassembler-maven-plugin</artifactId>
+				<configuration>
+					<programs>
+						<program>
+							<mainClass>org.onap.aaf.auth.gui.AAF_GUI</mainClass>
+							<name>gui</name>
+							<commandLineArguments>
+								<commandLineArgument>cadi_prop_files=${project.conf_dir}/org.osaaf.gui.props</commandLineArgument>
+							</commandLineArguments>
+							<jvmSettings>
+								<extraArguments>
+									<extraArgument>-Daaf_cfa_web_path=$BASEDIR/theme/onap</extraArgument>
+								</extraArguments>
+							</jvmSettings>
+						</program>
+					</programs>
+					<copyConfigurationDirectory>true</copyConfigurationDirectory>
+					<configurationDirectory>theme</configurationDirectory>
+					<configurationSourceDirectory>theme</configurationSourceDirectory>
+				</configuration>
+				
+			</plugin>
+		</plugins>
+	</build>
+
+	<distributionManagement>
+		<repository>
+			<id>nexus</id>
+			<name>attarch-releases</name>
+			<url>http://mavencentral.it.att.com:8084/nexus/content/repositories/attarch-releases</url>
+		</repository>
+		<snapshotRepository>
+			<id>nexus</id>
+			<name>attarch-snapshots</name>
+			<url>http://mavencentral.it.att.com:8084/nexus/content/repositories/attarch-snapshots</url>
+		</snapshotRepository>
+	</distributionManagement>
+</project>
diff --git a/auth/auth-gui/src/main/config/.gitignore b/auth/auth-gui/src/main/config/.gitignore
new file mode 100644
index 00000000..04cdc540
--- /dev/null
+++ b/auth/auth-gui/src/main/config/.gitignore
@@ -0,0 +1,2 @@
+/authGUI.props
+/log4j.properties
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/cui/CUI.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/cui/CUI.java
new file mode 100644
index 00000000..29e36505
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/cui/CUI.java
@@ -0,0 +1,93 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.cui;
+
+import java.io.PrintWriter;
+
+import javax.servlet.ServletInputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.rserv.HttpCode;
+import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp;
+import org.onap.aaf.cadi.http.HTransferSS;
+import org.onap.aaf.cadi.principal.TaggedPrincipal;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+
+public class CUI extends HttpCode<AuthzTrans, Void> {
+	private final AAF_GUI gui;
+	public CUI(AAF_GUI gui) {
+		super(null,"Command Line");
+		this.gui = gui;
+	}
+
+	@Override
+	public void handle(AuthzTrans trans, HttpServletRequest req,HttpServletResponse resp) throws Exception {
+		ServletInputStream isr = req.getInputStream();
+		PrintWriter pw = resp.getWriter();
+		int c;
+		StringBuilder cmd = new StringBuilder();
+
+		while((c=isr.read())>=0) {
+			cmd.append((char)c);
+		}
+
+		TimeTaken tt = trans.start("Execute AAFCLI", Env.REMOTE);
+		try {
+			TaggedPrincipal p = trans.getUserPrincipal();
+			// Access needs to be set after overall construction.  Thus, the lazy create.
+			AAFcli aafcli;
+			AAFConHttp aafcon = gui.aafCon();
+			aafcli= new AAFcli(gui.access,gui.env, pw, 
+					aafcon.hman(), 
+					aafcon.securityInfo(), 
+					new HTransferSS(p,AAF_GUI.app,
+					aafcon.securityInfo()));
+			aafcli.verbose(false);
+			aafcli.gui(true);
+
+			String cmdStr = cmd.toString();
+			if (!cmdStr.contains("--help")) {
+				cmdStr = cmdStr.replaceAll("help", "--help");
+			}
+			if (!cmdStr.contains("--version")) {
+				cmdStr = cmdStr.replaceAll("version", "--version");
+			}
+			try {
+				aafcli.eval(cmdStr);
+				pw.flush();
+			} catch (Exception e) {
+				pw.flush();
+				pw.println(e.getMessage());
+			} finally {
+				aafcli.close();
+			}
+		} finally {
+			tt.done();
+		}
+		
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/AAF_GUI.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/AAF_GUI.java
new file mode 100644
index 00000000..be93d63c
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/AAF_GUI.java
@@ -0,0 +1,267 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui;
+
+import static org.onap.aaf.auth.rserv.HttpMethods.GET;
+import static org.onap.aaf.auth.rserv.HttpMethods.POST;
+import static org.onap.aaf.auth.rserv.HttpMethods.PUT;
+
+import javax.servlet.Filter;
+
+import org.onap.aaf.auth.cmd.Cmd;
+import org.onap.aaf.auth.cui.CUI;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.env.AuthzTransFilter;
+import org.onap.aaf.auth.gui.pages.ApiDocs;
+import org.onap.aaf.auth.gui.pages.ApiExample;
+import org.onap.aaf.auth.gui.pages.ApprovalAction;
+import org.onap.aaf.auth.gui.pages.ApprovalForm;
+import org.onap.aaf.auth.gui.pages.CMArtiChangeAction;
+import org.onap.aaf.auth.gui.pages.CMArtiChangeForm;
+import org.onap.aaf.auth.gui.pages.CMArtifactShow;
+import org.onap.aaf.auth.gui.pages.CredDetail;
+import org.onap.aaf.auth.gui.pages.Home;
+import org.onap.aaf.auth.gui.pages.LoginLanding;
+import org.onap.aaf.auth.gui.pages.LoginLandingAction;
+import org.onap.aaf.auth.gui.pages.NsDetail;
+import org.onap.aaf.auth.gui.pages.NsHistory;
+import org.onap.aaf.auth.gui.pages.NsInfoAction;
+import org.onap.aaf.auth.gui.pages.NsInfoForm;
+import org.onap.aaf.auth.gui.pages.NssShow;
+import org.onap.aaf.auth.gui.pages.PassChangeAction;
+import org.onap.aaf.auth.gui.pages.PassChangeForm;
+import org.onap.aaf.auth.gui.pages.PassDeleteAction;
+import org.onap.aaf.auth.gui.pages.PendingRequestsShow;
+import org.onap.aaf.auth.gui.pages.PermDetail;
+import org.onap.aaf.auth.gui.pages.PermGrantAction;
+import org.onap.aaf.auth.gui.pages.PermGrantForm;
+import org.onap.aaf.auth.gui.pages.PermHistory;
+import org.onap.aaf.auth.gui.pages.PermsShow;
+import org.onap.aaf.auth.gui.pages.RequestDetail;
+import org.onap.aaf.auth.gui.pages.RoleDetail;
+import org.onap.aaf.auth.gui.pages.RoleDetailAction;
+import org.onap.aaf.auth.gui.pages.RoleHistory;
+import org.onap.aaf.auth.gui.pages.RolesShow;
+import org.onap.aaf.auth.gui.pages.UserRoleExtend;
+import org.onap.aaf.auth.gui.pages.UserRoleRemove;
+import org.onap.aaf.auth.gui.pages.WebCommand;
+import org.onap.aaf.auth.rserv.CachingFileAccess;
+import org.onap.aaf.auth.server.AbsService;
+import org.onap.aaf.auth.server.JettyServiceStarter;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp;
+import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;
+import org.onap.aaf.cadi.aaf.v2_0.AAFTrustChecker;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.http.HTransferSS;
+import org.onap.aaf.cadi.principal.TaggedPrincipal;
+import org.onap.aaf.cadi.register.Registrant;
+import org.onap.aaf.cadi.register.RemoteRegistrant;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.StaticSlot;
+import org.onap.aaf.misc.env.util.Split;
+import org.onap.aaf.misc.rosetta.env.RosettaDF;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+import org.onap.aaf.misc.xgen.html.State;
+
+import certman.v1_0.Artifacts;
+import certman.v1_0.CertInfo;
+
+public class AAF_GUI extends AbsService<AuthzEnv, AuthzTrans> implements State<Env>{
+	private static final String AAF_GUI_THEME = "aaf_gui_theme";
+	public static final String AAF_GUI_COPYRIGHT = "aaf_gui_copyright";
+	public static final String HTTP_SERVLET_REQUEST = "HTTP_SERVLET_REQUEST";
+	public static final int TIMEOUT = 60000;
+	public static final String app = "AAF GUI";
+	
+	// AAF API
+	
+	// Certificate manager API
+	public RosettaDF<Artifacts> artifactsDF;
+	public RosettaDF<CertInfo>  certInfoDF;
+
+	private final AAFConHttp cmCon;
+	public final AAFConHttp aafCon;
+	public final AAFLurPerm lur;
+	
+	public final Slot slot_httpServletRequest;
+	protected final String deployedVersion;
+	private StaticSlot sTheme;
+	public final String theme;
+
+
+	public AAF_GUI(final AuthzEnv env) throws Exception {
+		super(env.access(), env);
+		sTheme = env.staticSlot(CachingFileAccess.CFA_WEB_PATH,access.getProperty(CachingFileAccess.CFA_WEB_PATH,null)==null?AAF_GUI_THEME:CachingFileAccess.CFA_WEB_PATH);
+		theme = env.getProperty(AAF_GUI_THEME);
+
+		//OrganizationFactory.setDefaultOrg(env, "org.osaaf.authz.org.att.ATT");
+
+		slot_httpServletRequest = env.slot(HTTP_SERVLET_REQUEST);
+		String[] component = Split.split(':', access.getProperty(Config.AAF_COMPONENT, "N/A:2.x"));
+		if(component.length>1) {
+			deployedVersion =component[1];
+		} else {
+			deployedVersion = "2.x";
+		}
+
+		// Certificate Manager
+		cmCon =  new AAFConHttp(env.access(),Config.CM_URL);
+		artifactsDF = env.newDataFactory(Artifacts.class);
+		certInfoDF  = env.newDataFactory(CertInfo.class);
+		
+
+		/////////////////////////
+		// Screens
+		/////////////////////////
+		// Start Screen
+		final Page start = new Display(this, GET, new Home(this)).page();
+
+		// MyPerms Screens
+		final Page myPerms = new Display(this, GET, new PermsShow(this, start)).page();
+		Page permDetail = new Display(this, GET, new PermDetail(this, start, myPerms)).page();
+							new Display(this, GET, new PermHistory(this,start,myPerms,permDetail));
+
+		// MyRoles Screens
+		final Page myRoles = new Display(this, GET, new RolesShow(this, start)).page();
+		Page roleDetail = new Display(this, GET, new RoleDetail(this, start, myRoles)).page();
+						  new Display(this, POST, new RoleDetailAction(this,start,myRoles,roleDetail));
+						  new Display(this, GET, new RoleHistory(this,start,myRoles,roleDetail));
+							
+		// MyNameSpace
+		final Page myNamespaces = new Display(this, GET, new NssShow(this, start)).page();
+		Page nsDetail  = new Display(this, GET, new NsDetail(this, start, myNamespaces)).page();
+			   		  	 new Display(this, GET, new NsHistory(this, start,myNamespaces,nsDetail));
+		Page crdDetail = new Display(this, GET, new CredDetail(this, start, myNamespaces, nsDetail)).page();
+		Page artiShow  = new Display(this, GET, new CMArtifactShow(this, start, myNamespaces, nsDetail, crdDetail)).page();
+		Page artiCForm = new Display(this, GET, new CMArtiChangeForm(this, start, myNamespaces, nsDetail, crdDetail,artiShow)).page();
+						 new Display(this, POST, new CMArtiChangeAction(this, start,artiShow,artiCForm));
+							 
+		// Password Change Screens
+		final Page pwc = new Display(this, GET, new PassChangeForm(this, start,crdDetail)).page();
+						 new Display(this, POST, new PassChangeAction(this, start, pwc));
+						 
+		// Password Delete Screen
+						 new Display(this, GET, new PassDeleteAction(this, start,crdDetail));
+
+		// Validation Change Screens
+		final Page validate = new Display(this, GET, new ApprovalForm(this, start)).page();
+							  new Display(this, POST, new ApprovalAction(this, start, validate));
+							
+		// Onboard, Detailed Edit Screens
+		final Page onb = new Display(this, GET, new NsInfoForm(this, start)).page();
+						 new Display(this, POST, new NsInfoAction(this, start, onb));
+
+		// Web Command Screens
+		/* final Page webCommand =*/ new Display(this, GET, new WebCommand(this, start)).page();
+		
+		// API Docs
+		final Page apidocs = new Display(this, GET, new ApiDocs(this, start)).page();
+							 new Display(this, GET, new ApiExample(this,start, apidocs)).page();
+		
+		// Permission Grant Page
+		final Page permGrant = 	new Display(this, GET, new PermGrantForm(this, start)).page();
+							 	new Display(this, POST, new PermGrantAction(this, start, permGrant)).page();
+							 	
+		// Login Landing if no credentials detected
+		final Page loginLanding = new Display(this, GET, new LoginLanding(this, start)).page();
+								  new Display(this, POST, new LoginLandingAction(this, start, loginLanding));
+								  
+		// User Role Request Extend and Remove
+		new Display(this, GET, new UserRoleExtend(this, start,myRoles)).page();
+		new Display(this, GET, new UserRoleRemove(this, start,myRoles)).page();
+		
+		// See my Pending Requests
+		final Page requestsShow = new Display(this, GET, new PendingRequestsShow(this, start)).page();
+								  new Display(this, GET, new RequestDetail(this, start, requestsShow));
+								  
+		// Command line Mechanism
+		route(env, PUT, "/gui/cui", new CUI(this),"text/plain;charset=utf-8","*/*");
+		
+		///////////////////////  
+		// WebContent Handler
+		///////////////////////
+		route(env,GET,"/"+env.get(sTheme)+"/:key", new CachingFileAccess<AuthzTrans>(env));
+		///////////////////////
+		aafCon = aafCon();
+		lur = aafCon.newLur();
+	}
+	
+	public<T> RosettaDF<T> getDF(Class<T> cls) throws APIException {
+		return Cmd.getDF(env,cls);
+	}
+	
+	public void writeError(AuthzTrans trans, Future<?> fp, HTMLGen hgen, int indent) {
+		if(hgen!=null) {
+			String msg = aafCon.readableErrMsg(fp);
+			hgen.incr(HTMLGen.P,"style=text-indent:"+indent*10+"px")
+				.text("<font color=\"red\"><i>Error</i>:</font> ")
+				.text(msg)
+				.end();
+			trans.checkpoint(msg);
+		}
+	}
+
+	public<RET> RET cmClientAsUser(TaggedPrincipal p,Retryable<RET> retryable) throws APIException, LocatorException, CadiException  {
+			return cmCon.hman().best(new HTransferSS(p,app, aafCon.securityInfo()), retryable);
+	}
+	@Override
+	public Filter[] filters() throws CadiException, LocatorException {
+		try {
+			return new Filter[] {
+					new XFrameFilter(XFrameFilter.TYPE.none),
+					new AuthzTransFilter(env,aafCon(),
+		        			new AAFTrustChecker((Env)env)),
+					new OrgLookupFilter()
+				};
+		} catch (NumberFormatException e) {
+			throw new CadiException("Invalid Property information", e);
+		}
+	}
+
+	@SuppressWarnings("unchecked")
+	@Override
+	public Registrant<AuthzEnv>[] registrants(final int port) throws CadiException, LocatorException {
+		return new Registrant[] {
+			new RemoteRegistrant<AuthzEnv>(aafCon(),app_name,app_version,port)
+		};
+	}
+
+	public static void main(final String[] args) {
+		PropAccess propAccess = new PropAccess(args);
+		try {
+ 			AAF_GUI service = new AAF_GUI(new AuthzEnv(propAccess));
+//			env.setLog4JNames("log4j.properties","authz","gui","audit","init","trace ");
+			JettyServiceStarter<AuthzEnv,AuthzTrans> jss = new JettyServiceStarter<AuthzEnv,AuthzTrans>(service);
+			jss.start();
+		} catch (Exception e) {
+			e.printStackTrace();
+		}
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/BreadCrumbs.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/BreadCrumbs.java
new file mode 100644
index 00000000..4602184f
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/BreadCrumbs.java
@@ -0,0 +1,90 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui;
+
+import static org.onap.aaf.misc.xgen.html.HTMLGen.A;
+import static org.onap.aaf.misc.xgen.html.HTMLGen.LI;
+import static org.onap.aaf.misc.xgen.html.HTMLGen.UL;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.TransStore;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.Mark;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+public class BreadCrumbs extends NamedCode {
+	private Page[] breadcrumbs;
+
+	public BreadCrumbs(Page ... pages) {
+		super(false,"breadcrumbs");
+		breadcrumbs = pages;
+	}
+	
+	@Override
+	public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+		// BreadCrumbs
+		Mark mark = new Mark();
+		hgen.incr(mark, UL);
+			cache.dynamic(hgen, new DynamicCode<HTMLGen, AAF_GUI, TransStore>() {
+				@Override
+				public void code(AAF_GUI gui, TransStore trans, final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+					HttpServletRequest req = trans.get(gui.slot_httpServletRequest, null);
+					StringBuilder key = new StringBuilder();
+					String value, hidden;
+					for(Page p : breadcrumbs) {
+						hidden="";
+						// Add keys for page from commandline, where possible.
+						if(p.fields().length>0) {
+							boolean first = true;
+							key.setLength(0);
+							for(String field : p.fields()) {
+								if((value=req.getParameter(field))==null) {
+									hidden="style=display:none;";
+									break;
+								}
+								if(first) {
+									first = false;
+									key.append('?');
+								} else {
+									key.append("&amp;");
+								}
+								key.append(field);
+								key.append('=');
+								key.append(value);
+							}
+							hgen.incr(LI,true,hidden);
+							hgen.leaf(A,"href="+p.url()+key.toString(),hidden).text(p.name()).end(2);
+						} else {
+							hgen.incr(LI,true);
+							hgen.leaf(A,"href="+p.url(),hidden).text(p.name()).end(2);
+						}
+					}
+				}
+			});
+		hgen.end(mark);
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/ContentCode.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/ContentCode.java
new file mode 100644
index 00000000..d3c24dc2
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/ContentCode.java
@@ -0,0 +1,36 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui;
+
+import org.onap.aaf.misc.xgen.Code;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+/**
+ * Interface for which Page, etc can get Attributes, determine whether cached, etc
+ * @author Jonathan
+ *
+ */
+public interface ContentCode extends Code<HTMLGen> {
+	public String[] idattrs();
+	public void addAttr(boolean first, String attr);
+	public boolean no_cache();
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/Controls.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/Controls.java
new file mode 100644
index 00000000..5b582f38
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/Controls.java
@@ -0,0 +1,45 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui;
+
+import java.io.IOException;
+
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+public class Controls extends NamedCode {
+	public Controls() {
+		super(false,"controls");
+	}
+	
+	@Override
+	public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+		hgen.incr("form","method=post")
+			.incr("input", true, "type=checkbox", "name=vehicle", "value=Bike").text("I have a bike").end()
+			.text("Password: ")
+			.incr("input", true, "type=password", "id=password1").end()
+			.tagOnly("input", "type=submit", "value=Submit")
+			.end();
+	}
+
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/Display.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/Display.java
new file mode 100644
index 00000000..ad43d3fb
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/Display.java
@@ -0,0 +1,140 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui;
+
+import java.util.Enumeration;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.rserv.HttpCode;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.misc.env.Slot;
+
+public class Display {
+	private final Page get;
+	public Display(final AAF_GUI gui, final HttpMethods meth, final Page page) {
+		get = page;
+		final String[] fields = page.fields();
+		final Slot slots[] = new Slot[fields.length];
+		String prefix = page.name() + '.';
+		for(int i=0;i<slots.length;++i) {
+			slots[i] = gui.env.slot(prefix + fields[i]);
+		}
+
+		/*
+		 * We handle all the "Form POST" calls here with a naming convention that allows us to create arrays from strings.
+		 * 
+		 * On the HTTP side, elements concatenate their name with their Index number (if multiple).  In this code, 
+		 * we turn such names into arrays with same index number.  Then, we place them in the Transaction "Properties" so that 
+		 * it can be transferred to subclasses easily.
+		 */ 
+		if(meth.equals(HttpMethods.POST)) {
+			// Here, we'll expect FORM URL Encoded Data, which we need to get from the body
+			gui.route(gui.env, meth, page.url(), 
+				new HttpCode<AuthzTrans,AAF_GUI>(gui,page.name()) {
+					@Override
+					public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+						trans.put(gui.slot_httpServletRequest, req);
+						for(int i=0; i<fields.length;++i) {
+							int idx = fields[i].indexOf("[]");
+							if(idx<0) { // single value
+								trans.put(slots[i], req.getParameter(fields[i])); // assume first value
+							} else { // multi value - Expect Values to be set with Field root name "field.<int>" corresponding to an array of types
+								String field=fields[i].substring(0, idx)+'.';
+								String[] array = new String[16];
+								for(Enumeration<String> names = req.getParameterNames(); names.hasMoreElements();) {
+									String key = names.nextElement();
+									if(key.startsWith(field)) {
+										try {
+											int x = Integer.parseInt(key.substring(field.length()));
+											if(x>=array.length) {
+												String[] temp = new String[x+10];
+												System.arraycopy(temp, 0, temp, 0, array.length);
+												array = temp;
+											}
+											array[x]=req.getParameter(key);
+										} catch (NumberFormatException e) {
+											trans.debug().log(e);
+										}
+									}
+								}
+								trans.put(slots[i], array);
+							}
+						}
+						page.replay(context,trans,resp.getOutputStream(),"general");
+					}
+				}, "application/x-www-form-urlencoded","*/*");
+
+		} else {
+			// Transfer whether Page shouldn't be cached to local Final var.
+			final boolean no_cache = page.no_cache;
+			
+			gui.route(gui.env, meth, page.url(), 
+				new HttpCode<AuthzTrans,AAF_GUI>(gui,page.name()) {
+					@Override
+					public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+						trans.put(gui.slot_httpServletRequest, req);
+						for(int i=0; i<slots.length;++i) {
+							int idx = fields[i].indexOf("[]");
+							if(idx<0) { // single value
+								trans.put(slots[i], req.getParameter(fields[i]));
+							} else { // multi value
+								String[] array = new String[30];
+								String field=fields[i].substring(0, idx);
+								
+								for(Enumeration<String> mm = req.getParameterNames();mm.hasMoreElements();) {
+									String key = mm.nextElement();
+									if(key.startsWith(field)) {
+										try {
+											int x = Integer.parseInt(key.substring(field.length()));
+											if(x>=array.length) {
+												String[] temp = new String[x+10];
+												System.arraycopy(temp, 0, temp, 0, array.length);
+												array = temp;
+											}
+											array[x]=req.getParameter(key);
+										} catch (NumberFormatException e) {
+											trans.debug().log(e);
+										}
+									}
+								}
+								trans.put(slots[i], array);
+							}
+						}
+						page.replay(context,trans,resp.getOutputStream(),"general");
+					}
+					
+					@Override
+					public boolean no_cache() {
+						return no_cache;
+					}
+				}, "text/html","*/*");
+		}
+
+	}
+	
+	public Page page() { 
+		return get;
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/Form.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/Form.java
new file mode 100644
index 00000000..7011395c
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/Form.java
@@ -0,0 +1,68 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui;
+
+import java.io.IOException;
+
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+public class Form extends NamedCode {
+	private String preamble;
+	private NamedCode content;
+	
+	public Form(boolean no_cache, NamedCode content) {
+		super(no_cache,content);
+		this.content = content;
+		preamble=null;
+	}
+	
+	public Form preamble(String preamble) {
+		this.preamble = preamble;
+		return this;
+	}
+	
+
+	@Override
+	public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+		if(preamble!=null) {
+			hgen.incr("p","class=preamble").text(preamble).end();
+		}
+		hgen.incr("form","method=post");
+	
+		content.code(cache, hgen);
+		
+		hgen.tagOnly("input", "type=submit", "value=Submit")
+			.tagOnly("input", "type=reset", "value=Reset")
+		.end();
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.gui.NamedCode#idattrs()
+	 */
+	@Override
+	public String[] idattrs() {
+		return content.idattrs();
+	}
+
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/NamedCode.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/NamedCode.java
new file mode 100644
index 00000000..e4bd6c7d
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/NamedCode.java
@@ -0,0 +1,67 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui;
+
+public abstract class NamedCode implements ContentCode {
+	private final boolean no_cache;
+	private String name;
+	private String[] idattrs;
+	
+	/*
+	 *  Mark whether this code should not be cached, and any attributes 
+	 */
+	public NamedCode(final boolean no_cache, final String name) {
+		this.name = name;
+		idattrs = new String[] {name};
+		this.no_cache = no_cache;
+	}
+	
+	public NamedCode(boolean no_cache, NamedCode content) {
+		this.no_cache = no_cache;
+		name=content.name;
+		idattrs = content.idattrs;
+	}
+
+	/**
+	 * Return ID and Any Attributes needed to create a "div" section of this code
+	 * @return
+	 */
+	public String[] idattrs() {
+		return idattrs;
+	}
+	
+	public void addAttr(boolean first, String attr) {
+		String[] temp = new String[idattrs.length+1];
+		if(first) {
+			temp[0] = attr;
+			System.arraycopy(idattrs, 0, temp, 1, idattrs.length);
+		} else {
+			temp[idattrs.length] = attr;
+			System.arraycopy(idattrs, 0, temp, 0, idattrs.length);
+		}
+		idattrs = temp;
+	}
+
+	public boolean no_cache() {
+		return no_cache;
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/OrgLookupFilter.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/OrgLookupFilter.java
new file mode 100644
index 00000000..411ecdb8
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/OrgLookupFilter.java
@@ -0,0 +1,58 @@
+package org.onap.aaf.auth.gui;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.auth.org.Organization.Identity;
+import org.onap.aaf.auth.rserv.TransFilter;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.principal.TaggedPrincipal;
+
+public class OrgLookupFilter implements Filter {
+	
+	@Override
+	public void init(FilterConfig arg0) throws ServletException {
+	}
+
+	@Override
+	public void doFilter(ServletRequest req, ServletResponse resp, FilterChain fc) throws IOException, ServletException {
+		final AuthzTrans trans = (AuthzTrans) req.getAttribute(TransFilter.TRANS_TAG);
+		if(req instanceof HttpServletRequest) {
+			Principal p = ((HttpServletRequest)req).getUserPrincipal();
+			if(p instanceof TaggedPrincipal) {
+				((TaggedPrincipal)p).setTagLookup(new TaggedPrincipal.TagLookup() {
+					@Override
+					public String lookup() throws CadiException {
+						Identity id;
+						try {
+							id = trans.org().getIdentity(trans, p.getName());
+							if(id.isFound()) {
+								return id.firstName();
+							}
+						} catch (OrganizationException e) {
+							throw new CadiException(e);
+						}
+						return p.getName();
+					}
+				});
+			}
+			fc.doFilter(req, resp);
+		}
+		
+	}
+
+
+	@Override
+	public void destroy() {
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/Page.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/Page.java
new file mode 100644
index 00000000..436b37a0
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/Page.java
@@ -0,0 +1,402 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui;
+
+import static org.onap.aaf.misc.xgen.html.HTMLGen.A;
+import static org.onap.aaf.misc.xgen.html.HTMLGen.H1;
+import static org.onap.aaf.misc.xgen.html.HTMLGen.LI;
+import static org.onap.aaf.misc.xgen.html.HTMLGen.TITLE;
+import static org.onap.aaf.misc.xgen.html.HTMLGen.UL;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.aaf.auth.common.Define;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.rserv.CachingFileAccess;
+import org.onap.aaf.cadi.Permission;
+import org.onap.aaf.cadi.aaf.AAFPermission;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.principal.TaggedPrincipal;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.StaticSlot;
+import org.onap.aaf.misc.env.util.Split;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.CacheGen;
+import org.onap.aaf.misc.xgen.Code;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.Mark;
+import org.onap.aaf.misc.xgen.html.HTMLCacheGen;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+import org.onap.aaf.misc.xgen.html.Imports;
+
+/**
+ * A Base "Mobile First" Page 
+ * 
+ * @author Jonathan
+ *
+ */
+public class Page extends HTMLCacheGen {
+	public static final String AAFURL_TOOLS = "aaf_url.tools";
+	public static final String AAF_URL_TOOL_DOT = "aaf_url.tool.";
+	public static final String AAF_URL_CUIGUI = "aaf_url.cuigui"; // link to help
+	public static final String AAF_URL_GUI_ONBOARD = "aaf_url.gui_onboard";
+	public static final String AAF_URL_AAF_HELP = "aaf_url.aaf_help";
+	public static final String AAF_URL_CADI_HELP = "aaf_url.cadi_help";
+	public static final String PERM_CA_TYPE = Define.ROOT_NS() + ".ca";
+
+	public static enum BROWSER {iPhone,html5,ie,ieOld};
+	
+	public static final int MAX_LINE=20;
+
+	protected static final String[] NO_FIELDS = new String[0];
+
+	private static final String BROWSER_TYPE = "BROWSER_TYPE";
+
+	private final String bcName, bcUrl;
+	private final String[] fields;
+
+	public final boolean no_cache;
+
+	// Note: Only access is synchronized in "getPerm"
+	private final static Map<String,Map<String,Permission>> perms = new HashMap<String,Map<String,Permission>>();
+
+	public String name() {
+		return bcName;
+	}
+	
+	public String url() {
+		return bcUrl;
+	}
+	
+	public String[] fields() {
+		return fields;
+	}
+	
+	public Page(AuthzEnv env, String name, String url, Enum<?>[] en, final NamedCode ...content) throws APIException, IOException {
+		super(CacheGen.PRETTY, new PageCode(env, 1, content));
+		fields = new String[en.length];
+		int i=-1;
+		for(Enum<?> p : en) {
+			fields[++i]=p.name();
+		}
+
+		bcName = name;
+		bcUrl = url;
+		// Mark which fields must be "no_cache"
+		boolean no_cacheTemp=false;
+		for(NamedCode nc : content) {
+			if(nc.no_cache()) { 
+				no_cacheTemp=true;
+				break;
+			}
+		}
+		no_cache=no_cacheTemp;
+	}
+	public Page(AuthzEnv env, String name, String url, String [] fields, final NamedCode ... content) throws APIException,IOException {
+		this(env,name,url,1,fields,content);
+	}
+	
+	public Page(AuthzEnv env, String name, String url, int backdots, String [] fields, final NamedCode ... content) throws APIException,IOException {
+		super(CacheGen.PRETTY, new PageCode(env, backdots, content));
+		if(fields==null) {
+			this.fields = new String[0];
+		} else {
+			this.fields = fields;
+		}
+		bcName = name;
+		bcUrl = url;
+		// Mark which fields must be "no_cache"
+		boolean no_cacheTemp=false;
+		for(NamedCode nc : content) {
+			if(nc.no_cache()) { 
+				no_cacheTemp=true;
+				break;
+			}
+		}
+		no_cache=no_cacheTemp;
+	}
+	
+	
+	private static class PageCode implements Code<HTMLGen> {
+			private static final String AAF_GUI_TITLE = "aaf_gui_title";
+			
+			private final ContentCode[] content;
+			private final Slot browserSlot;
+			private final int backdots;
+			protected AuthzEnv env;
+			private StaticSlot sTheme;
+
+			public PageCode(AuthzEnv env, int backdots, final ContentCode[] content) {
+				this.content = content;
+				this.backdots = backdots;
+				browserSlot = env.slot(BROWSER_TYPE);
+				sTheme = env.staticSlot(CachingFileAccess.CFA_WEB_PATH);
+				this.env = env;
+			}
+			
+			@Override
+			public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+				// Note: I found that App Storage saves everything about the page, or not.  Thus, if you declare the page uncacheable, none of the 
+				// Artifacts, like JPGs are stored, which makes this feature useless for Server driven elements
+				cache.dynamic(hgen,  new DynamicCode<HTMLGen,AAF_GUI,AuthzTrans>() {
+					@Override
+					public void code(AAF_GUI state, AuthzTrans trans, final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+						switch(browser(trans,browserSlot)) {
+							case ieOld:
+							case ie:
+								hgen.directive("!DOCTYPE html");
+								hgen.directive("meta", "http-equiv=X-UA-Compatible","content=IE=11");
+							default:
+						}
+					}
+				});
+				hgen.html();
+				final String title = env.getProperty(AAF_GUI_TITLE,"Authentication/Authorization Framework");
+				final String theme = env.get(sTheme); 
+				Mark head = hgen.head();
+					hgen.leaf(TITLE).text(title).end();
+					hgen.imports(new Imports(backdots).css(theme + "/aaf5.css")
+								 			   	.js(theme + "/comm.js")
+												.js(theme + "/console.js")
+												.js(theme + "/common.js"));
+					cache.dynamic(hgen, new DynamicCode<HTMLGen,AAF_GUI,AuthzTrans>() {
+						@Override
+						public void code(AAF_GUI state, AuthzTrans trans, final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+							switch(browser(trans,browserSlot)) {
+								case iPhone:
+									hgen.imports(new Imports(backdots).css(theme + "/aaf5iPhone.css"));
+									break;
+								case ie:
+								case ieOld:
+									hgen.js().text("document.createElement('header');")
+											.text("document.createElement('nav');")
+											.done();
+								case html5:
+									hgen.imports(new Imports(backdots).css(theme + "/aaf5Desktop.css"));
+									break;
+							}
+						}
+					});
+					hgen.end(head);
+					
+				Mark body = hgen.body();
+					Mark header = hgen.header();
+					cache.dynamic(hgen, new DynamicCode<HTMLGen,AAF_GUI,AuthzTrans>() {
+						@Override
+						public void code(AAF_GUI state, AuthzTrans trans,Cache<HTMLGen> cache, HTMLGen xgen)
+								throws APIException, IOException {
+							// Obtain Server Info, and print
+							// AT&T Only
+							String env = trans.getProperty(Config.AAF_ENV,"N/A");
+							xgen.leaf(H1).text(title + " on " + env).end();
+							xgen.leaf("p","id=version").text("AAF Version: " + state.deployedVersion).end();
+							
+							// Obtain User Info, and print
+							TaggedPrincipal p = trans.getUserPrincipal();
+							String user,secured;
+							if(p==null) {
+								user = "please choose a Login Authority";
+								secured = "NOT Secure!";
+							} else {
+								user = p.personalName();
+								secured = p.tag();
+							}
+							xgen.leaf("p","id=welcome").text("Welcome, ")
+								.text(user)
+								.text("<sup>")
+								.text(secured)
+								.text("</sup>").end();
+							
+							switch(browser(trans,browserSlot)) {
+								case ieOld:
+								case ie:
+									xgen.incr("h5").text("This app is Mobile First HTML5.  Internet Explorer " 
+											+ " does not support all HTML5 standards. Old, non TSS-Standard versions may not function correctly.").br()
+											.text("  For best results, use a highly compliant HTML5 browser like Firefox.")
+										.end();
+									break;
+								default:
+							}
+						}
+					});
+					
+					hgen.hr();
+					
+					int cIdx;
+					ContentCode nc;
+					// If BreadCrumbs, put here
+					if(content.length>0 && content[0] instanceof BreadCrumbs) {
+						nc = content[0];
+						Mark ctnt = hgen.divID(nc.idattrs());
+						nc.code(cache, hgen);
+						hgen.end(ctnt);
+						cIdx = 1;
+					} else {
+						cIdx = 0;
+					}
+					
+					hgen.end(header);
+					
+					Mark inner = hgen.divID("inner");
+						// Content
+						for(int i=cIdx;i<content.length;++i) {
+							nc = content[i];
+							Mark ctnt = hgen.divID(nc.idattrs());
+							nc.code(cache, hgen);
+							hgen.end(ctnt);
+						}
+
+					hgen.end(inner);	
+					
+					// Navigation - Using older Nav to work with decrepit  IE versions
+					
+					Mark nav = hgen.divID("nav");
+					hgen.incr("h2").text("Related Links").end();
+					hgen.incr(UL);
+					String aaf_help = env.getProperty(AAF_URL_AAF_HELP,null);
+					if(aaf_help!=null) {
+						hgen.leaf(LI).leaf(A,"href="+env.getProperty(AAF_URL_AAF_HELP),"target=_blank").text("AAF WIKI").end(2);
+						String sub = env.getProperty(AAF_URL_AAF_HELP+".sub");
+						if(sub!=null) {
+							hgen.incr(UL,"style=margin-left:5%");
+							for(String s : Split.splitTrim(',', sub)) {
+								hgen.leaf(LI).leaf(A,"href="+env.getProperty(AAF_URL_AAF_HELP+".sub."+s),"target=_blank").text(s.replace('+', ' ')).end(2);
+							}
+							hgen.end();
+						}
+					}
+					aaf_help = env.getProperty(AAF_URL_CADI_HELP,null);
+					if(aaf_help!=null) {
+						hgen.leaf(LI).leaf(A,"href="+aaf_help,"target=_blank").text("CADI WIKI").end(2);
+					}
+					String tools = env.getProperty(AAFURL_TOOLS);
+					if(tools!=null) {
+						hgen.hr()
+							.incr(HTMLGen.UL,"style=margin-left:5%")
+						 	.leaf(HTMLGen.H3).text("Related Tools").end();
+
+						for(String tool : Split.splitTrim(',',tools)) {
+							hgen.leaf(LI).leaf(A,"href="+env.getProperty(AAF_URL_TOOL_DOT+tool),"target=_blank").text(tool.replace('+', ' ')).end(2);
+						}
+						hgen.end();
+					}
+					hgen.end();
+					
+					hgen.hr();
+					
+					hgen.end(nav);
+					// Footer - Using older Footer to work with decrepit IE versions
+					Mark footer = hgen.divID("footer");
+						hgen.textCR(1, env.getProperty(AAF_GUI.AAF_GUI_COPYRIGHT))
+						.end(footer);
+						
+					hgen.end(body);
+				hgen.endAll();
+		}
+	}
+
+	public static String getBrowserType() {
+		return BROWSER_TYPE;
+	}
+	
+	/**
+	 * It's IE if int >=0
+	 * 
+	 * Use int found in "ieVersion"
+	 * 
+	 * Official IE 7
+	 * 		Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; 
+	 * 		.NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
+	 * Official IE 8
+	 * 		Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; 
+	 * 		.NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ATT)
+	 * 
+	 * IE 11 Compatibility
+	 * 		Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; 
+	 * 		.NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; InfoPath.3; HVD; ATT)
+	 * 
+	 * IE 11 (not Compatiblity)
+	 * 		Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; 
+	 * 		.NET CLR 3.5.30729; .NET CLR 3.0.30729;	Media Center PC 6.0; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; InfoPath.3; HVD; ATT)
+	 * 
+	 * @param trans
+	 * @return
+	 */
+	public static BROWSER browser(AuthzTrans trans, Slot slot) {
+		BROWSER br = trans.get(slot, null);
+		if(br==null) {
+			String agent = trans.agent();
+			int msie; 
+			if(agent.contains("iPhone") /* other phones? */) {
+				br=BROWSER.iPhone;
+			} else if ((msie = agent.indexOf("MSIE"))>=0) {
+				msie+=5;
+				int end = agent.indexOf(";",msie);
+				float ver;
+				try {
+					ver = Float.valueOf(agent.substring(msie,end));
+					br = ver<8f?BROWSER.ieOld:BROWSER.ie;
+				} catch (Exception e) {
+					br = BROWSER.ie;
+				}
+			} else {
+				br = BROWSER.html5;
+			}
+			trans.put(slot,br);
+		}
+		return br;
+	}
+	
+	/*
+	 * Get, rather than create each time, permissions for validations
+	 */
+	protected static synchronized Permission getPerm(String instance, String action) {
+		Map<String,Permission> msp = perms.get(instance);
+		Permission p;
+		if(msp==null) {
+			msp = new HashMap<String,Permission>();
+			perms.put(instance, msp);
+			p=null;
+		} else {
+			p = msp.get(instance);
+		}
+		if(p==null) {
+			p=new AAFPermission(PERM_CA_TYPE,instance,action);
+			msp.put(action, p);
+		}
+		return p;
+ 	}
+
+	protected static String getSingleParam(HttpServletRequest req, String tag) {
+		String values[] = req.getParameterValues(tag);
+		return values.length<1?null:values[0];
+	}
+
+
+}
+
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/SlotCode.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/SlotCode.java
new file mode 100644
index 00000000..b457fc9b
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/SlotCode.java
@@ -0,0 +1,49 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui;
+
+import org.onap.aaf.misc.env.EnvStore;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.TransStore;
+
+public abstract class SlotCode<TRANS extends TransStore> extends NamedCode {
+	private Slot[] slots;
+
+	public SlotCode(boolean no_cache,EnvStore<?> env, String root, Enum<?> ... params) {
+		super(no_cache,root);
+		slots = new Slot[params.length];
+		for(int i=0;i<params.length;++i) {
+			slots[i] = env.slot(root + '.' + params[i].name());
+		}
+	}
+
+	public<T> T get(TRANS trans,Enum<?> en, T dflt) {
+		return get(trans,en.ordinal(),dflt);
+	}
+	
+	public<T> T get(TRANS trans,int idx, T dflt) {
+		if(idx>slots.length) {
+			return dflt;
+		}
+		return trans.get(slots[idx],dflt);
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/Table.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/Table.java
new file mode 100644
index 00000000..6839a9ab
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/Table.java
@@ -0,0 +1,229 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui;
+
+import static org.onap.aaf.misc.xgen.html.HTMLGen.TABLE;
+import static org.onap.aaf.misc.xgen.html.HTMLGen.TD;
+import static org.onap.aaf.misc.xgen.html.HTMLGen.TR;
+
+import java.io.IOException;
+import java.util.ArrayList;
+
+import org.onap.aaf.auth.gui.table.AbsCell;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.Trans;
+import org.onap.aaf.misc.env.TransStore;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.Code;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.Mark;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+import org.onap.aaf.misc.xgen.html.State;
+
+public class Table<S extends State<Env>, TRANS extends TransStore> extends NamedCode {
+	private final Slot ROW_MSG_SLOT, EMPTY_TABLE_SLOT;
+	private final String title;
+	private final String[] columns;
+	private final Rows rows;
+	private Code<HTMLGen> other;
+//	private DynamicCode<HTMLGen, AuthGUI, AuthzTrans> prefix,postfix;
+
+	public Table(String title, TRANS trans, Data<S,TRANS> data, Code<HTMLGen> other, String name, String ... attrs)  {
+		this(title,trans,data,name, attrs);
+		this.other = other;
+	}
+	
+	public Table(String title, TRANS trans, Data<S,TRANS> data, String name, String ... attrs)  {
+		super(true,name);
+//		prefix=postfix=null;
+		for(String a : attrs) {
+			addAttr(false, a);
+		}
+		ROW_MSG_SLOT=trans.slot("TABLE_ROW_MSG");
+		EMPTY_TABLE_SLOT=trans.slot("TABLE_EMPTY");
+		this.columns = data.headers();
+		boolean alt = false;
+		for(String s : attrs) {
+			if("class=std".equals(s) || "class=stdform".equals(s)) {
+				alt=true;
+			}
+		}
+		rows = new Rows(data,alt?1:0);
+		this.title = title;
+		// Derive an ID from title (from no spaces, etc), and prepend to IDAttributes (Protected from NamedCode)
+		addAttr(true,title(trans).replaceAll("\\s",""));
+		
+		other = null;
+	}
+
+	@Override
+	public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+		cache.dynamic(hgen, new DynamicCode<HTMLGen,S,TRANS>() {
+			@Override
+			public void code(S state, TRANS trans, Cache<HTMLGen> cache, HTMLGen xgen) throws APIException, IOException {
+				rows.data.prefix(state, trans, cache, xgen);
+			}
+		});
+		Mark table = new Mark();
+		Mark tr = new Mark();
+		
+		hgen.incr(table,TABLE);
+		if(title==null) {
+			cache.dynamic(hgen, new DynamicCode<HTMLGen,S,TRANS>() {
+				@Override
+				public void code(S state, TRANS trans, final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {			
+					hgen.leaf("caption", "class=title").text(title(trans)).end();
+				}
+			});
+		} else {
+			hgen.leaf("caption", "class=title").text(title).end();
+		}
+		hgen.incr(tr,TR);
+				for(String column : columns) {
+					hgen.leaf("th").text(column).end();
+				}
+			hgen.end(tr);
+				
+		// Load Rows Dynamically
+		cache.dynamic(hgen, rows);
+		// End Table
+		hgen.end(table); 
+		
+		if(other!=null) {
+			other.code(cache,hgen);
+		}
+			
+		// Print Message from Row Gathering, if available
+		cache.dynamic(hgen, new DynamicCode<HTMLGen,S,TRANS>() {
+			@Override
+			public void code(S state, TRANS trans, final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+				String msg;
+				if((msg = trans.get(EMPTY_TABLE_SLOT, null))!=null) {
+					hgen.incr("style").text("#inner tr,caption,input,p.preamble {display: none;}#inner p.notfound {margin: 0px 0px 0px 20px}").end();
+					hgen.incr(HTMLGen.P,"class=notfound").text(msg).end().br();
+				} else if((msg=trans.get(ROW_MSG_SLOT,null))!=null) { 
+					hgen.p(msg).br();
+				}
+			}
+		});
+		cache.dynamic(hgen, new DynamicCode<HTMLGen,S,TRANS>() {
+			@Override
+			public void code(S state, TRANS trans, Cache<HTMLGen> cache, HTMLGen xgen) throws APIException, IOException {
+				rows.data.postfix(state, trans, cache, xgen);
+			}
+		});
+
+	}
+
+	protected String title(TRANS trans) {
+		return title;
+	}
+
+	public static class Cells {
+		public static final Cells EMPTY = new Cells();
+		private Cells() {
+			cells = new AbsCell[0][0];
+			msg = "No Data Found";
+		}
+		
+		public Cells(ArrayList<AbsCell[]> arrayCells, String msg) {
+			cells = new AbsCell[arrayCells.size()][];
+			arrayCells.toArray(cells);
+			this.msg = msg;
+		}
+		public AbsCell[][] cells;
+		public String msg;
+		
+	}
+	
+	public interface Data<S extends State<Env>, TRANS extends Trans> {
+		// Note: Trans is not first to avoid Method Name Collision
+		public void prefix(S state, TRANS trans, final Cache<HTMLGen> cache, final HTMLGen hgen);
+		public Cells get(TRANS trans,S state);
+		public void postfix(S state, TRANS trans, final Cache<HTMLGen> cache, final HTMLGen hgen);
+		public String[] headers();
+	}
+
+	private class Rows extends DynamicCode<HTMLGen,S,TRANS> {
+		private Data<S,TRANS> data;
+		private int alt;
+		
+		public Rows(Data<S,TRANS> data, int alt) {
+			this.data = data;
+			this.alt = alt;
+		}
+		
+		@Override
+		public void code(final S state, final TRANS trans, final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+			Mark tr = new Mark();
+			Mark td = new Mark();
+			
+			int alt = this.alt;
+			Cells cells = data.get(trans,state);
+			if(cells.cells.length>0) {
+				for(AbsCell[] row : cells.cells) {
+					if(row.length==0) {
+						hgen.text("</table>")
+							.hr()
+							.text("<table>");
+					} else {
+						switch(alt) {
+							case 1:
+								alt=2;
+							case 0:
+								hgen.incr(tr,TR);
+								break;
+							default:
+								alt=1;
+								hgen.incr(tr,TR,"class=alt");
+						}
+						for(AbsCell cell :row) {
+							hgen.leaf(td, TD,cell.attrs());
+							cell.write(hgen);
+							hgen.end(td);
+						}
+						hgen.end(tr);
+					}
+				}
+				// Pass Msg back to Table code, in order to place after Table Complete
+				if(cells.msg!=null) {
+					trans.put(ROW_MSG_SLOT,cells.msg);
+				}
+			} else {
+				trans.put(EMPTY_TABLE_SLOT,cells.msg);
+			}
+		}
+	}
+
+//	public Table<S,TRANS> setPrefix(DynamicCode<HTMLGen, AuthGUI, AuthzTrans> dynamicCode) {
+//		prefix = dynamicCode;
+//		return this;
+//	}
+//	
+//	public Table<S,TRANS> setPostfix(DynamicCode<HTMLGen, AuthGUI, AuthzTrans> dynamicCode) {
+//		postfix = dynamicCode;
+//		return this;
+//	}
+
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/XFrameFilter.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/XFrameFilter.java
new file mode 100644
index 00000000..ae71d5bf
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/XFrameFilter.java
@@ -0,0 +1,73 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.auth.gui;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+
+public class XFrameFilter implements Filter {
+	enum TYPE {none,self};
+	// Note: Content-Security Params need to be worked out for GUI before activating.
+	private final String xframe;//,csp;
+	
+	public XFrameFilter(TYPE type) {
+		switch(type) {
+		case self:
+			xframe="SAMEORIGIN";
+//			csp="default-src 'self'";
+			break;
+		case none:
+		default:
+			xframe="DENY";
+//			csp="default-src 'none'";
+			break;
+		
+		}
+	}
+	
+	@Override
+	public void doFilter(ServletRequest req, ServletResponse resp, FilterChain fc) throws IOException, ServletException {
+		if(resp instanceof HttpServletResponse) {
+			@SuppressWarnings("unused")
+			HttpServletResponse hresp = (HttpServletResponse)resp;
+			((HttpServletResponse)resp).addHeader("X-Frame-Options", xframe);
+//			((HttpServletResponse)resp).addHeader("Content-Security-Policy",csp);
+		}
+		fc.doFilter(req, resp);
+	}
+
+	@Override
+	public void init(FilterConfig fc) throws ServletException {
+	}
+
+	@Override
+	public void destroy() {
+	}
+
+
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/ApiDocs.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/ApiDocs.java
new file mode 100644
index 00000000..05ee21b0
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/ApiDocs.java
@@ -0,0 +1,334 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+import java.net.ConnectException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Comparator;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.auth.gui.Table;
+import org.onap.aaf.auth.gui.Table.Cells;
+import org.onap.aaf.auth.gui.table.AbsCell;
+import org.onap.aaf.auth.gui.table.TableData;
+import org.onap.aaf.auth.gui.table.TextCell;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.Symm;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+import aaf.v2_0.Api;
+import aaf.v2_0.Api.Route;
+
+public class ApiDocs extends Page {
+	// Package on purpose
+	private static final String HREF = "/gui/api";
+	private static final String NAME = "AAF RESTful API";
+	private static final String fields[] = {};
+	private static final String ERROR_LINK = "<a href=\"./example/"
+			+ "YXBwbGljYXRpb24vRXJyb3IranNvbg=="
+//			+ Symm.base64noSplit().encode("application/Error+json") 
+			+ "\">JSON</a> "
+			+ "<a href=\"./example/"
+			+ "YXBwbGljYXRpb24vRXJyb3IreG1s"
+//			+ Symm.base64noSplit().encode("application/Error+xml") 
+			+ "\">XML</a> ";
+
+	
+	public ApiDocs(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env,NAME,HREF, fields,
+			new BreadCrumbs(breadcrumbs),
+			new Preamble(gui),
+			new Table<AAF_GUI,AuthzTrans>("AAF API Reference",gui.env.newTransNoAvg(),new Model(), "class=std")
+			);
+	}
+	
+	private static class Preamble extends NamedCode {
+
+		private static final String I = "i";
+		private final String fs_url;
+
+		public Preamble(AAF_GUI gui) {
+			super(false, "preamble");
+			fs_url = gui.access.getProperty("fs_url", "");
+		}
+
+		@Override
+		public void code(Cache<HTMLGen> cache, HTMLGen xgen) throws APIException, IOException {
+			xgen.leaf(HTMLGen.H1).text("AAF 2.0 RESTful interface").end()
+				.hr();
+			xgen.leaf(HTMLGen.H2).text("Accessing RESTful").end();
+			xgen.incr(HTMLGen.UL)
+					.leaf(HTMLGen.LI).text("AAF RESTful service is secured by the following:").end()
+					.incr(HTMLGen.UL)
+						.leaf(HTMLGen.LI).text("The Client must utilize HTTP/S. Non Secure HTTP is not acceptable").end()
+						.leaf(HTMLGen.LI).text("The Client MUST supply an Identity validated by one of the following mechanisms").end()
+						.incr(HTMLGen.UL)
+							.leaf(HTMLGen.LI).text("Valid Global Login Cookie (CSP)").end()
+							.leaf(HTMLGen.LI).text("BASIC AUTH protocol using CSO Registered MechID, provisioned in AAF").end()
+							.leaf(HTMLGen.LI).text("BASIC AUTH protocol using ATTUID@csp.att.com, Global Login Password").end()
+							.leaf(HTMLGen.LI).text("(Available 3rd Qtr 2015) Valid tGuard Login Cookie").end()
+							.leaf(HTMLGen.LI).text("(Near Future) Application level Certificate").end()
+						.end()
+					.end()
+					.leaf(HTMLGen.LI).text("Responses").end()
+					.incr(HTMLGen.UL)
+						.leaf(HTMLGen.LI).text("Each API Entity listed shows what structure will be accepted by service (ContentType) "
+								+ "or responded with by service (Accept). Therefore, use these in making your call. Critical for PUT/POST.").end()
+						.leaf(HTMLGen.LI).text("Each API call may respond with JSON or XML.  Choose the ContentType/Accept that has "
+								+ "+json after the type for JSON or +xml after the Type for XML").end()
+						.leaf(HTMLGen.LI).text("XSDs for Versions").end()
+						.incr(HTMLGen.UL)
+							.leaf(HTMLGen.LI).leaf(HTMLGen.A,"href=" + fs_url + "/aaf_2_0.xsd").text("API 2.0").end().end()
+						.end()
+						.leaf(HTMLGen.LI).text("AAF can support multiple Versions of the API.  Choose the ContentType/Accept that has "
+								+ "the appropriate version=?.?").end()
+						.leaf(HTMLGen.LI).text("All Errors coming from AAF return AT&T Standard Error Message as a String: " + ERROR_LINK 
+								+ " (does not apply to errors from Container)").end()
+					.end()
+					.leaf(HTMLGen.LI).text("Character Restrictions").end()
+					.incr(HTMLGen.UL)
+						.leaf(HTMLGen.LI).text("Character Restrictions must depend on the Enforcement Point used").end()
+						.leaf(HTMLGen.LI).text("Most AAF usage will be AAF Enforcement Point Characters for Instance and Action are:")
+							.br().br().leaf(I).text("a-zA-Z0-9,.()_-=%").end()
+							.br().br().text("For Instance, you may declare a multi-dimensional key with : (colon) separator, example:").end()
+							.br().leaf(I).text(":myCluster:myKeyspace").end()
+							.br().br().text("The * (asterix) may be used as a wild-card by itself or within the multi-dimensional key, example:")
+							.br().leaf(I).text(":myCluster:*").end()
+							.br().br().text("The % (percent) character can be used as an Escape Character. Applications can use % followed by 2 hexadecimal "
+									+ "digits to cover odd keys.  It is their code, however, which must translate.")
+							.br().br().text("The = (equals) is allowed so that Applications can pass Base64 encodations of binary keys").end()
+						.leaf(HTMLGen.LI).text("Ask for a Consultation on how these are typically used, or, if your tool is the only Enforcement Point, if set may be expanded").end()
+					.end()
+				.end();
+			/*
+			
+			The Content is defined in the AAF XSD - TODO Add aaf.xsd”;
+			Character Restrictions
+
+			URLs impose restrictions on characters which have specific meanings. This means you cannot have these characters in the Field Content you send
+			“#” is a “Fragment URL”, or anchor. Content after this Character is not sent. AAF cannot do anything about this… don’t use it.
+			“?=&”. These are used to delineate Parameters.
+			“/“ is used to separate fields
+			*/
+		}
+		
+	};
+	/**
+	 * Implement the Table Content for Permissions by User
+	 * 
+	 * @author Jonathan
+	 *
+	 */
+	private static class Model extends TableData<AAF_GUI,AuthzTrans> {
+		public static final String[] HEADERS = new String[] {"Entity","Method","Path Info","Description"};
+		private static final TextCell BLANK = new TextCell("");
+	
+		@Override
+		public String[] headers() {
+			return HEADERS;
+		}
+		
+		
+		@Override
+		public Cells get(final AuthzTrans trans, final AAF_GUI gui) {
+			final ArrayList<AbsCell[]> ns = new ArrayList<AbsCell[]>();
+			final ArrayList<AbsCell[]> perms = new ArrayList<AbsCell[]>();
+			final ArrayList<AbsCell[]> roles = new ArrayList<AbsCell[]>();
+			final ArrayList<AbsCell[]> user = new ArrayList<AbsCell[]>();
+			final ArrayList<AbsCell[]> aafOnly = new ArrayList<AbsCell[]>();
+			final ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+			
+	
+			final TimeTaken tt = trans.start("AAF APIs",Env.REMOTE);
+			try {
+				gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {
+					@SuppressWarnings("unchecked")
+					@Override
+					public Void code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+						Future<Api> fa = client.read("/api",gui.getDF(Api.class));
+						if(fa.get(5000)) {
+							tt.done();
+							TimeTaken tt2 = trans.start("Load Data", Env.SUB);
+							try {
+								if(fa.value!=null)for(Route r : fa.value.getRoute()) {
+									String path = r.getPath();
+									// Build info
+									StringBuilder desc = new StringBuilder();
+			
+									desc.append("<p class=double>");
+									desc.append(r.getDesc());
+									
+									if(r.getComments().size()>0) {
+										for(String ct : r.getComments()) {
+											desc.append("</p><p class=api_comment>");
+											desc.append(ct);
+										}
+									}
+			
+									if(r.getParam().size()>0) {
+										desc.append("<hr><p class=api_label>Parameters</p>");
+										
+										for(String params : r.getParam()) {
+											String param[] = params.split("\\s*\\|\\s*");
+											desc.append("</p><p class=api_contentType>");
+											desc.append(param[0]);
+											desc.append(" : ");
+											desc.append(param[1]);
+											if("true".equalsIgnoreCase(param[2])) {
+												desc.append(" (Required)");
+											}
+										}
+									}
+			
+			
+									if(r.getExpected()!=0) {
+										desc.append("</p><p class=api_label>Expected HTTP Code</p><p class=api_comment>");
+										desc.append(r.getExpected());
+									} 
+			
+									if(r.getExplicitErr().size()!=0) {
+										desc.append("</p><p class=api_label>Explicit HTTP Error Codes</p><p class=api_comment>");
+										boolean first = true;
+										for(int ee : r.getExplicitErr()) {
+											if(first) {
+												first = false;
+											} else {
+												desc.append(", ");
+											}
+											desc.append(ee);
+										}
+									}
+			
+									desc.append("</p><p class=api_label>");
+									desc.append("GET".equals(r.getMeth())?"Accept:":"ContentType:");
+									Collections.sort(r.getContentType());
+									if(r.getPath().startsWith("/authn/basicAuth")) {
+										desc.append("</p><p class=api_contentType>text/plain");
+									}
+									for(String ct : r.getContentType()) {
+										if(ct.contains("version=2")) {
+											desc.append("</p><p class=api_contentType><a href=\"./example/");
+											try {
+												desc.append(Symm.base64noSplit.encode(ct));
+											} catch (IOException e) {
+												throw new CadiException(e);
+											}
+											desc.append("\"/>");
+											desc.append(ct);
+											desc.append("</a>");
+										}
+									}
+									desc.append("</p>");
+									
+									
+									AbsCell[] sa = new AbsCell[] {
+										null,
+										new TextCell(r.getMeth(),"class=right"),
+										new TextCell(r.getPath()),
+										new TextCell(desc.toString()),
+									};
+			
+									if(path.startsWith("/authz/perm")) {
+										sa[0] = perms.size()==0?new TextCell("PERMISSION"):BLANK;
+										perms.add(sa);
+									} else if(path.startsWith("/authz/role") || path.startsWith("/authz/userRole")) {
+										sa[0] = roles.size()==0?new TextCell("ROLE"):BLANK;
+										roles.add(sa);
+									} else if(path.startsWith("/authz/ns")) {
+										sa[0] = ns.size()==0?new TextCell("NAMESPACE"):BLANK;
+										ns.add(sa);
+									} else if(path.startsWith("/authn/basicAuth") 
+										|| path.startsWith("/authn/validate")
+										|| path.startsWith("/authz/user")) {
+										sa[0] = user.size()==0?new TextCell("USER"):BLANK;
+										user.add(sa);
+									} else {
+										sa[0] = aafOnly.size()==0?new TextCell("AAF ONLY"):BLANK;
+										aafOnly.add(sa);
+									}
+								}
+								//TODO if(trans.fish(p))
+								prepare(rv, perms,roles,ns,user);
+							} finally {
+								tt2.done();
+							}
+						} else {
+							gui.writeError(trans, fa, null, 0);
+						}
+						return null;
+					}
+				});
+			} catch (Exception e) {
+				trans.error().log(e.getMessage());
+			} finally {
+				tt.done();
+			}
+			
+			return new Cells(rv,null);
+		}
+
+		@SuppressWarnings("unchecked")
+		private void prepare(ArrayList<AbsCell[]> rv, ArrayList<AbsCell[]> ... all) {
+			AbsCell lead;
+			AbsCell[] row;
+			for(ArrayList<AbsCell[]> al : all) {
+				if(al.size()>1) {
+					row = al.get(0);
+					lead = row[0];
+					row[0]=BLANK;
+					al.get(0).clone()[0]=BLANK;
+					Collections.sort(al, new Comparator<AbsCell[]>() {
+						@Override
+						public int compare(AbsCell[] ca1, AbsCell[] ca2) {
+							int meth = ((TextCell)ca1[2]).name.compareTo(
+									   ((TextCell)ca2[2]).name);
+							if(meth == 0) {
+								return (HttpMethods.valueOf(((TextCell)ca1[1]).name).compareTo(
+										HttpMethods.valueOf(((TextCell)ca2[1]).name)));
+							} else { 
+								return meth;
+							}
+						}
+					});
+					// set new first row
+					al.get(0)[0]=lead;
+
+					rv.addAll(al);
+				}
+			}
+		}
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/ApiExample.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/ApiExample.java
new file mode 100644
index 00000000..a98a16ca
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/ApiExample.java
@@ -0,0 +1,133 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.cadi.Symm;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.Mark;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+/**
+ * Detail Page for Permissions
+ * 
+ * @author Jonathan
+ *
+ */
+public class ApiExample extends Page {
+	public static final String HREF = "/gui/example/:tc";
+	public static final String NAME = "APIExample";
+
+	public ApiExample(final AAF_GUI gui, Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env, NAME, HREF, 2/*backdots*/, new String[] {"API Code Example"},
+				new BreadCrumbs(breadcrumbs),
+				new Model(NAME)
+				);
+	}
+	
+	private static class Model extends NamedCode {
+		private static final String WITH_OPTIONAL_PARAMETERS = "\n\n////////////\n  Data with Optional Parameters \n////////////\n\n";
+
+		public Model(String name) {
+			super(false,name);
+		}
+
+		@Override
+		public void code(Cache<HTMLGen> cache, HTMLGen xgen) throws APIException, IOException {
+			Mark inner = xgen.divID("inner");
+			xgen.divID("example","class=std");
+			cache.dynamic(xgen, new DynamicCode<HTMLGen,AAF_GUI,AuthzTrans>() {
+				@Override
+				public void code(final AAF_GUI gui, final AuthzTrans trans, Cache<HTMLGen> cache, HTMLGen xgen) throws APIException, IOException {
+					TimeTaken tt = trans.start("Code Example",Env.REMOTE);
+					try {
+						final String typecode;
+						int prefix = trans.path().lastIndexOf('/')+1;
+						String encoded = trans.path().substring(prefix);
+						typecode = Symm.base64noSplit.decode(encoded);
+						Future<String> fp = gui.client().read("/api/example/" + encoded,
+								"application/Void+json"
+								);
+						Future<String> fs2;
+						if(typecode.contains("Request+")) {
+							fs2 = gui.client().read("/api/example/" + encoded+"?optional=true",
+									"application/Void+json"
+									);
+						} else {
+							fs2=null;
+						}
+						
+						
+						if(fp.get(5000)) {
+								xgen.incr(HTMLGen.H1).text("Sample Code").end()
+								.incr(HTMLGen.H5).text(typecode).end();
+								xgen.incr("pre");
+								if(typecode.contains("+xml")) {
+									xgen.xml(fp.body());
+									if(fs2!=null && fs2.get(5000)) {
+										xgen.text(WITH_OPTIONAL_PARAMETERS);
+										xgen.xml(fs2.body());
+									}
+								} else {
+									xgen.text(fp.body());
+									if(fs2!=null && fs2.get(5000)) {
+										xgen.text(WITH_OPTIONAL_PARAMETERS);
+										xgen.text(fs2.body());
+									}
+								}
+								xgen.end();
+						} else {
+							xgen.incr(HTMLGen.H3)
+								.textCR(2,"Error from AAF Service")
+								.end();
+							gui.writeError(trans, fp, xgen, 0);
+						}
+
+					} catch (APIException e) {
+						throw e;
+					} catch (IOException e) {
+						throw e;
+					} catch (Exception e) {
+						throw new APIException(e);
+					}finally {
+						tt.done();
+					}
+				}
+					
+			});
+			xgen.end(inner);
+		}
+	}
+
+}		
+		
+\ No newline at end of file
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/ApprovalAction.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/ApprovalAction.java
new file mode 100644
index 00000000..2797cd66
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/ApprovalAction.java
@@ -0,0 +1,121 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+import aaf.v2_0.Approval;
+import aaf.v2_0.Approvals;
+
+public class ApprovalAction extends Page {
+	public ApprovalAction(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env,"Approvals",ApprovalForm.HREF, ApprovalForm.FIELDS,
+			new BreadCrumbs(breadcrumbs),
+			new NamedCode(true,"content") {
+				final Slot sAppr = gui.env.slot(ApprovalForm.NAME+'.'+ApprovalForm.FIELDS[0]);
+				final Slot sUser = gui.env.slot(ApprovalForm.NAME+'.'+ApprovalForm.FIELDS[1]);
+				
+				@Override
+				public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {				
+					cache.dynamic(hgen, new DynamicCode<HTMLGen,AAF_GUI, AuthzTrans>() {
+						@Override
+						public void code(final AAF_GUI gui, final AuthzTrans trans,final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+							String[] appr = trans.get(sAppr,null);
+							String user = trans.get(sUser,null);
+							String lastPage = ApprovalForm.HREF;
+							if (user != null) {
+								lastPage += "?user="+user;
+							}
+							
+							if(appr==null) {
+								hgen.p("No Approvals have been selected.");
+							} else {
+								Approval app;
+								final Approvals apps = new Approvals();
+								int count = 0;
+								for(String a : appr) {
+									if(a!=null) {
+										int idx = a.indexOf('|');
+										if(idx>=0) {
+											app = new Approval();
+											app.setStatus(a.substring(0,idx));
+											app.setTicket(a.substring(++idx));
+											app.setApprover(trans.getUserPrincipal().getName());
+											apps.getApprovals().add(app);
+											++count;
+										}
+									}
+								}
+								if(apps.getApprovals().isEmpty()) {
+									hgen.p("No Approvals have been sent.");
+								} else {
+									TimeTaken tt = trans.start("AAF Update Approvals",Env.REMOTE);
+									try {
+										final int total = count;
+										gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Boolean>() {
+											@Override
+											public Boolean code(Rcli<?> client) throws APIException, CadiException  {
+												boolean fail2 = true;
+												Future<Approvals> fa = client.update("/authz/approval",gui.getDF(Approvals.class),apps);
+												if(fa.get(AAF_GUI.TIMEOUT)) {
+													// Do Remote Call
+													fail2 = false;
+													hgen.p(total + (total==1?" Approval has":" Approvals have") + " been Saved");
+												} else {
+													gui.writeError(trans, fa, hgen, 0);
+												}
+												return fail2;
+											}
+										});
+									} catch (Exception e) {
+										e.printStackTrace();
+									} finally {
+										tt.done();
+									}
+								}
+
+							hgen.br();
+							hgen.incr("a",true,"class=greenbutton","href="+lastPage).text("Back").end();
+						}
+					}
+				});
+			}
+		});
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/ApprovalForm.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/ApprovalForm.java
new file mode 100644
index 00000000..da552aeb
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/ApprovalForm.java
@@ -0,0 +1,299 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+import java.net.ConnectException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.List;
+
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.Form;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.auth.gui.Table;
+import org.onap.aaf.auth.gui.Table.Cells;
+import org.onap.aaf.auth.gui.table.AbsCell;
+import org.onap.aaf.auth.gui.table.ButtonCell;
+import org.onap.aaf.auth.gui.table.RadioCell;
+import org.onap.aaf.auth.gui.table.RefCell;
+import org.onap.aaf.auth.gui.table.TableData;
+import org.onap.aaf.auth.gui.table.TextAndRefCell;
+import org.onap.aaf.auth.gui.table.TextCell;
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.auth.org.OrganizationFactory;
+import org.onap.aaf.auth.org.Organization.Identity;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.Mark;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+import aaf.v2_0.Approval;
+import aaf.v2_0.Approvals;
+
+public class ApprovalForm extends Page {
+	// Package on purpose
+	static final String NAME="Approvals";
+	static final String HREF = "/gui/approve";
+	static final String[] FIELDS = new String[] {"line[]","user"};
+	
+	
+	public ApprovalForm(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env,NAME,HREF, FIELDS,
+
+			new BreadCrumbs(breadcrumbs),
+			new NamedCode(false, "filterByUser") {
+				@Override
+				public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+					cache.dynamic(hgen, new DynamicCode<HTMLGen, AAF_GUI, AuthzTrans>() {
+						@Override
+						public void code(final AAF_GUI gui, final AuthzTrans trans,	final Cache<HTMLGen> cache, final HTMLGen hgen)	throws APIException, IOException {
+							String user = trans.get(trans.env().slot(NAME+".user"),"");
+							hgen.incr("p", "class=userFilter")
+								.text("Filter by User:")
+								.tagOnly("input", "type=text", "value="+user, "id=userTextBox")
+								.tagOnly("input", "type=button", "onclick=userFilter('"+HREF+"');", "value=Go!")
+								.end();
+								}
+					});
+				}
+			},
+			new Form(true,new Table<AAF_GUI,AuthzTrans>("Approval Requests", gui.env.newTransNoAvg(),new Model(gui.env),"class=stdform"))
+				.preamble("The following requires your Approval to proceed in the AAF System.</p><p class=subtext>Hover on Identity for Name; click for WebPhone; If Deny is the only option, User is no longer valid."),
+			new NamedCode(false, "selectAlljs") {
+				@Override
+				public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+					Mark jsStart = new Mark();
+					hgen.js(jsStart);
+					hgen.text("function selectAll(radioClass) {");
+					hgen.text("var radios = document.querySelectorAll(\".\"+radioClass);");
+					hgen.text("for (i = 0; i < radios.length; i++) {");
+					hgen.text("radios[i].checked = true;");
+					hgen.text("}");
+					hgen.text("}");
+					hgen.end(jsStart);
+				}
+			});
+		
+	}
+	
+	/**
+	 * Implement the Table Content for Approvals
+	 * 
+	 * @author Jonathan
+	 *
+	 */
+	private static class Model extends TableData<AAF_GUI,AuthzTrans> {
+		//TODO come up with a generic way to do ILM Info (people page)
+		private static final String TODO_ILM_INFO = "TODO: ILM Info";
+		private static final String DOMAIN_OF_USER = "@DOMAIN";
+		
+		private static final String[] headers = new String[] {"Identity","Request","Approve","Deny"};
+		private Slot sUser;
+		
+		public Model(AuthzEnv env) {
+			sUser = env.slot(NAME+".user");
+		}
+		
+		@Override
+		public String[] headers() {
+			return headers;
+		}
+		
+		@Override
+		public Cells get(final AuthzTrans trans, final AAF_GUI gui) {
+			final String userParam = trans.get(sUser, null);
+			ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+			String msg = null;
+			TimeTaken tt = trans.start("AAF Get Approvals for Approver",Env.REMOTE);
+			try {
+				final List<Approval> pendingApprovals = new ArrayList<Approval>();
+				final List<Integer> beginIndicesPerApprover = new ArrayList<Integer>();
+				int numLeft = gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Integer>() {
+					@Override
+					public Integer code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+						Future<Approvals> fa = client.read("/authz/approval/approver/"+trans.user(),gui.getDF(Approvals.class));
+						int numLeft = 0;
+						if(fa.get(AAF_GUI.TIMEOUT)) {
+							
+							if(fa.value!=null) {
+								for (Approval appr : fa.value.getApprovals()) {
+									if (appr.getStatus().equals("pending")) {
+										if (userParam!=null) {
+											if (!appr.getUser().equalsIgnoreCase(userParam)) {
+												numLeft++;
+												continue;
+											}
+										}
+										pendingApprovals.add(appr);
+									}
+								}
+							}
+							
+							String prevApprover = null;
+							int overallIndex = 0;
+								
+							for (Approval appr : pendingApprovals) {
+								String currApprover = appr.getApprover();
+								if (!currApprover.equals(prevApprover)) {
+									prevApprover = currApprover;
+									beginIndicesPerApprover.add(overallIndex);
+								}
+								overallIndex++;
+							}
+						}
+						return numLeft;
+					}
+				});
+				
+				if (pendingApprovals.size() > 0) {
+					// Only add select all links if we have approvals
+					AbsCell[] selectAllRow = new AbsCell[] {
+							AbsCell.Null,
+							AbsCell.Null,
+							new ButtonCell("all", "onclick=selectAll('approve')", "class=selectAllButton"),
+							new ButtonCell("all", "onclick=selectAll('deny')", "class=selectAllButton")
+						};
+					rv.add(selectAllRow);
+				}
+						
+				int line=-1;
+				
+				while (beginIndicesPerApprover.size() > 0) {
+					int beginIndex = beginIndicesPerApprover.remove(0);
+					int endIndex = (beginIndicesPerApprover.isEmpty()?pendingApprovals.size():beginIndicesPerApprover.get(0));
+					List<Approval> currApproverList = pendingApprovals.subList(beginIndex, endIndex);
+					
+					String currApproverFull = currApproverList.get(0).getApprover();
+					String currApproverShort = currApproverFull.substring(0,currApproverFull.indexOf('@'));
+					String currApprover = (trans.user().indexOf('@')<0?currApproverShort:currApproverFull);
+					if (!currApprover.equals(trans.user())) {
+						AbsCell[] approverHeader;
+						if (currApproverFull.substring(currApproverFull.indexOf('@')).equals(DOMAIN_OF_USER)) {
+							approverHeader = new AbsCell[] { 
+									new TextAndRefCell("Approvals Delegated to Me by ", currApprover,
+											TODO_ILM_INFO + currApproverShort, 
+											true,
+											new String[] {"colspan=4", "class=head"})
+							};
+						} else {
+							approverHeader = new AbsCell[] { 
+									new TextCell("Approvals Delegated to Me by " + currApprover,
+											new String[] {"colspan=4", "class=head"})
+							};
+						}
+						rv.add(approverHeader);
+					}
+					
+					// Sort by User Requesting
+					Collections.sort(currApproverList, new Comparator<Approval>() {
+						@Override
+						public int compare(Approval a1, Approval a2) {
+							return a1.getUser().compareTo(a2.getUser());
+						}
+					});
+					
+					String prevUser = null;
+					boolean userOK=true;
+
+					for (Approval appr : currApproverList) {
+						if(++line<MAX_LINE) { // limit number displayed at one time.
+							AbsCell userCell;
+							String user = appr.getUser();
+							if(user.equals(prevUser)) {
+								userCell = AbsCell.Null; 
+							} else if (user.endsWith(DOMAIN_OF_USER)){
+								userOK=true;
+								String title;
+								Organization org = OrganizationFactory.obtain(trans.env(), user);
+								if(org==null) {
+									title="";
+								} else {
+									Identity au = org.getIdentity(trans, user);
+									if(au!=null) {
+										if(au.type().equals("MECHID")) {
+											Identity managedBy = au.responsibleTo();
+											if(managedBy==null) {
+												title ="title=" + au.type();
+											} else {
+												title="title=Sponsor is " + managedBy.fullName();												
+											}
+										} else {
+											title="title=" + au.fullName();
+										}
+									} else {
+										userOK=false;
+										title="title=Not a User at " + org.getName();
+									}
+								}
+								userCell = new RefCell(prevUser=user, 
+									TODO_ILM_INFO+user.substring(0, user.length()-DOMAIN_OF_USER.length()),
+									true,
+									title);
+							} else {
+								userCell = new TextCell(prevUser=user);
+							}
+							AbsCell[] sa = new AbsCell[] {
+								userCell,
+								new TextCell(appr.getMemo()),
+								userOK?new RadioCell("line."+ line,"approve", "approved|"+appr.getTicket()):new TextCell(""),
+								new RadioCell("line."+ line,"deny", "denied|"+appr.getTicket())
+							};
+							rv.add(sa);
+						} else {
+							++numLeft;
+						}
+					}
+				}
+				if(numLeft>0) {
+					msg = "After these, there will be " + numLeft + " approvals left to process";
+				}
+				if(rv.size()==0) {
+					if (numLeft>0) {
+						msg = "No Approvals to process at this time for user " + userParam +". You have " 
+							+ numLeft + " other approvals to process.";
+					} else {
+						msg = "No Approvals to process at this time";
+					}
+				}
+			} catch (Exception e) {
+				trans.error().log(e);
+			} finally {
+				tt.done();
+			}
+		return new Cells(rv,msg);
+		}
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtiChangeAction.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtiChangeAction.java
new file mode 100644
index 00000000..1bf0ed76
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtiChangeAction.java
@@ -0,0 +1,219 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+import java.net.ConnectException;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Holder;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.cadi.util.Vars;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.Data.TYPE;
+import org.onap.aaf.misc.env.util.IPValidator;
+import org.onap.aaf.misc.env.util.Split;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+import aaf.v2_0.Error;
+import certman.v1_0.Artifacts;
+import certman.v1_0.Artifacts.Artifact;
+
+public class CMArtiChangeAction extends Page {
+	public CMArtiChangeAction(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env,CMArtiChangeForm.NAME,CMArtiChangeForm.HREF, CMArtiChangeForm.fields,
+			new BreadCrumbs(breadcrumbs),
+			new NamedCode(true,"content") {
+				final Slot sID = gui.env.slot(CMArtiChangeForm.NAME+'.'+CMArtiChangeForm.fields[0]);
+				final Slot sMachine = gui.env.slot(CMArtiChangeForm.NAME+'.'+CMArtiChangeForm.fields[1]);
+				final Slot sNS = gui.env.slot(CMArtiChangeForm.NAME+'.'+CMArtiChangeForm.fields[2]);
+				final Slot sDirectory = gui.env.slot(CMArtiChangeForm.NAME+'.'+CMArtiChangeForm.fields[3]);
+				final Slot sCA = gui.env.slot(CMArtiChangeForm.NAME+'.'+CMArtiChangeForm.fields[4]);
+				final Slot sOSUser = gui.env.slot(CMArtiChangeForm.NAME+'.'+CMArtiChangeForm.fields[5]);
+				final Slot sRenewal = gui.env.slot(CMArtiChangeForm.NAME+'.'+CMArtiChangeForm.fields[6]);
+				final Slot sNotify = gui.env.slot(CMArtiChangeForm.NAME+'.'+CMArtiChangeForm.fields[7]);
+				final Slot sCmd = gui.env.slot(CMArtiChangeForm.NAME+'.'+CMArtiChangeForm.fields[8]);
+				final Slot sOther = gui.env.slot(CMArtiChangeForm.NAME+'.'+CMArtiChangeForm.fields[9]);
+				final Slot sType = gui.env.slot(CMArtiChangeForm.NAME+'.'+CMArtiChangeForm.fields[10]);
+				final Slot sSans = gui.env.slot(CMArtiChangeForm.NAME+'.'+CMArtiChangeForm.fields[11]);
+				
+				@Override
+				public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+					cache.dynamic(hgen, new DynamicCode<HTMLGen,AAF_GUI, AuthzTrans>() {
+						@Override
+						public void code(final AAF_GUI gui, final AuthzTrans trans,final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+trans.info().log("Step 1");
+							final Artifact arti = new Artifact();
+							final String machine = trans.get(sMachine,null);
+							final String ca = trans.get(sCA, null);
+							final String sans = ((String)trans.get(sSans,null));
+							if(sans!=null) {
+								for(String s: Split.splitTrim(',', sans)) {
+									arti.getSans().add(s);
+								}
+							}
+							// Disallow IP entries, except by special Permission
+							if(!trans.fish(getPerm(ca,"ip"))) {
+								boolean ok=true;
+								if(IPValidator.ip(machine)) {
+									ok=false;
+								}
+								if(ok) {
+									for(String s: arti.getSans()) {
+										if(IPValidator.ip(s)) {
+											ok=false;
+											break;
+										}
+									}
+								}
+								if(!ok) {
+									hgen.p("Policy Failure: IPs in certificates are only allowed by Exception.");
+									return;
+								}
+							}
+							
+							// Disallow Domain based Definitions without exception
+							if(machine.startsWith("*")) { // Domain set
+								if(!trans.fish(getPerm(ca, "domain"))) {
+									hgen.p("Policy Failure: Domain Artifact Declarations are only allowed by Exception.");
+									return;
+								}
+							}
+							
+							arti.setMechid((String)trans.get(sID,null));
+							arti.setMachine(machine);
+							arti.setNs((String)trans.get(sNS,null));
+							arti.setDir((String)trans.get(sDirectory,null));
+							arti.setCa(ca);
+							arti.setOsUser((String)trans.get(sOSUser, null));
+							arti.setRenewDays(Integer.parseInt((String)trans.get(sRenewal, null)));
+							arti.setNotification((String)trans.get(sNotify, null));
+							String[] checkbox = trans.get(sType,null);
+							for(int i=0;i<CMArtiChangeForm.types.length;++i) {
+								if("on".equals(checkbox[i])) {
+									arti.getType().add(CMArtiChangeForm.types[i]);
+								}
+							}
+
+							// Run Validations
+							if (arti.getMechid()==null || arti.getMechid().indexOf('@')<=0) {
+								hgen.p("Data Entry Failure: Please enter a valid ID, including domain.");
+							// VALIDATE OTHERS?
+							} else { // everything else is checked by Server
+								
+								try {
+									final Artifacts artifacts = new Artifacts();
+									artifacts.getArtifact().add(arti);
+									final Holder<Boolean> ok = new Holder<Boolean>(false); 
+									final Holder<Boolean> deleted = new Holder<Boolean>(false);
+									Future<?> f = gui.cmClientAsUser(trans.getUserPrincipal(), new Retryable<Future<?>>() {
+										@Override
+										public Future<?> code(Rcli<?> client)throws CadiException, ConnectException, APIException {
+											Future<?> rv = null;
+											switch((String)trans.get(sCmd, "")) {
+												case CMArtiChangeForm.CREATE:
+													Future<Artifacts> fc;
+													rv = fc = client.create("/cert/artifacts", gui.artifactsDF, artifacts);
+													if(fc.get(AAFcli.timeout())) {
+														hgen.p("Created Artifact " + arti.getMechid() + " on " + arti.getMachine());
+														ok.set(true);
+													}
+													break;
+												case CMArtiChangeForm.UPDATE:
+													Future<Artifacts> fu = client.update("/cert/artifacts", gui.artifactsDF, artifacts);
+													if((rv=fu).get(AAFcli.timeout())) {
+														hgen.p("Artifact " + arti.getMechid() + " on " + arti.getMachine() + " is updated");
+														ok.set(true);
+													}
+													break;
+												case CMArtiChangeForm.COPY:
+													Future<Artifacts> future = client.read("/cert/artifacts/"+arti.getMechid()+'/'+arti.getMachine(), gui.artifactsDF);
+													rv = future;
+													if(future.get(AAFcli.timeout())) {
+														for(Artifact a : future.value.getArtifact()) { // only one, because these two are key
+															for(String newMachine :Split.split(',', trans.get(sOther, ""))) {
+																a.setMachine(newMachine);
+																Future<Artifacts> fup = client.update("/cert/artifacts", gui.artifactsDF, future.value);
+																if(fup.get(AAFcli.timeout())) {
+																	hgen.p("Copied to " + newMachine);
+																	ok.set(true);
+																}
+															}
+														}
+													}
+													break;
+												case CMArtiChangeForm.DELETE:
+													Future<Void> fv;
+													rv = fv = client.delete("/cert/artifacts/"+arti.getMechid()+"/"+arti.getMachine(),"application/json");
+													if(fv.get(AAFcli.timeout())) {
+														hgen.p("Deleted " + arti.getMechid() + " on " + arti.getMachine());
+														ok.set(true);
+														deleted.set(true);
+													}
+													break;
+											}
+											return rv;
+										}
+									});
+									if(!ok.get()) {
+										if(f==null) {
+											hgen.p("Unknown Command");
+										} else {
+											if(f.body().contains("%")) {
+												Error err = gui.getDF(Error.class).newData().in(TYPE.JSON).load(f.body()).asObject();
+												hgen.p(Vars.convert(err.getText(),err.getVariables()));
+											} else {
+												hgen.p(arti.getMechid() + " on " + arti.getMachine() + ": " + f.body());
+											}
+										}
+									}
+									hgen.br().leaf(HTMLGen.A,"class=greenbutton","href="+(deleted.get()?CMArtifactShow.HREF:CMArtiChangeForm.HREF)+
+											"?id="+arti.getMechid()+
+											"&amp;machine="+arti.getMachine() +
+											"&amp;ns="+arti.getNs())
+									.text("Back")
+									.end();
+
+							} catch (Exception e) {
+								hgen.p("Unknown Error");
+								e.printStackTrace();
+							}
+								
+						}
+						hgen.br();
+					}
+				});
+			}
+		});
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtiChangeForm.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtiChangeForm.java
new file mode 100644
index 00000000..c65e7db5
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtiChangeForm.java
@@ -0,0 +1,256 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import static org.onap.aaf.misc.xgen.html.HTMLGen.TABLE;
+
+import java.io.IOException;
+import java.net.ConnectException;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.auth.org.OrganizationFactory;
+import org.onap.aaf.auth.org.Organization.Identity;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.cadi.util.FQI;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.Mark;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+import certman.v1_0.Artifacts;
+import certman.v1_0.Artifacts.Artifact;
+
+public class CMArtiChangeForm extends Page {
+	private static final String COPY_ARTIFACT = "copyArtifact";
+	private static final String DELETE_ARTIFACT = "deleteArtifact";
+	
+	// Package on purpose
+	static final String HREF = "/gui/artichange";
+	static final String NAME = "ArtifactChange";
+	static final String fields[] = {"id","machine","ns","directory","ca","osuser","renewal","notify","cmd","others","types[]","sans"};
+	
+	static final String types[] = {"jks","file","script"};
+	static final String UPDATE = "Update";
+	static final String CREATE = "Create";
+	static final String COPY = "Copy";
+	static final String DELETE = "Delete";
+	
+	public CMArtiChangeForm(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env,NAME,HREF, fields,
+			new BreadCrumbs(breadcrumbs),
+			new NamedCode(true,"content") {
+			private final Slot sID = gui.env.slot(CMArtiChangeForm.NAME+'.'+CMArtiChangeForm.fields[0]);
+			private final Slot sMach = gui.env.slot(CMArtiChangeForm.NAME+'.'+CMArtiChangeForm.fields[1]);
+			private final Slot sNS = gui.env.slot(CMArtiChangeForm.NAME+'.'+CMArtiChangeForm.fields[2]);
+			
+			@Override
+			public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+				Mark js = new Mark();
+				Mark fn = new Mark();
+				hgen.js(js).function(fn,COPY_ARTIFACT)
+					.text("f=document.getElementById('"+fields[9]+"')")
+					.text("s=document.getElementById('theButton')")
+					.text("cmd=document.getElementById('"+fields[8]+"')")
+					.text("ins=document.getElementById('instruct')")
+					.text("c=document.getElementById('cbcopy')")
+					.text("trd=document.getElementById('trdelete')")
+					.li("if (c.checked==true) {" ,
+							"f.style.display=ins.style.display='block'",
+							"trd.style.display='none'",
+							"s.orig=s.value;",
+							"s.value='Copy'",
+							"cmd.setAttribute('value',s.value)",
+						  "} else {",
+							"f.style.display=ins.style.display='none';",
+							"trd.style.display='block'",
+							"s.value=s.orig",
+							"cmd.setAttribute('value',s.orig)",
+							"}"
+							)
+					.end(fn)
+					.function(fn, DELETE_ARTIFACT)
+						.text("d=document.getElementById('cbdelete')")
+						.text("trc=document.getElementById('trcopy')")
+						.text("s=document.getElementById('theButton')")
+						.text("cmd=document.getElementById('"+fields[8]+"')")
+						.li("if (d.checked==true) {",
+							  "s.orig=s.value;",
+							  "s.value='Delete';",
+							  "trc.style.display='none';",
+							  "cmd.setAttribute('value',s.value);",
+							"} else {",
+							  "s.value=s.orig;",
+							  "trc.style.display='block';",
+							  "cmd.setAttribute('value',s.orig);",
+							"}"
+							)
+					.end(js);
+
+				hgen.leaf(HTMLGen.TITLE).text("Certificate Artifact Form").end();
+				Mark form = new Mark();
+				hgen.incr(form, "form","action="+HREF,"method=post");
+				
+				cache.dynamic(hgen, new DynamicCode<HTMLGen, AAF_GUI, AuthzTrans>() {
+					@Override
+					public void code(final AAF_GUI gui, final AuthzTrans trans,	final Cache<HTMLGen> cache, final HTMLGen hgen)	throws APIException, IOException {
+
+						final String incomingMach = trans.get(sMach,"");
+						String incomingNS = trans.get(sNS,"");
+						String id= trans.get(sID, "");
+					final String incomingID = id.indexOf('@')>=0?id:id+'@'+FQI.reverseDomain(incomingNS);
+
+						String submitText=UPDATE;
+						boolean delete=true;
+						try {
+							Artifact arti =gui.cmClientAsUser(trans.getUserPrincipal(), new Retryable<Artifact>() {
+								@Override
+								public Artifact code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+									Future<Artifacts> fa = client.read("/cert/artifacts/"+incomingID+'/'+incomingMach, gui.artifactsDF);
+									if(fa.get(AAFcli.timeout())) {
+										for(Artifact arti : fa.value.getArtifact()) {
+											return arti; // just need the first one
+										}
+									}
+									return null;
+								}
+							});
+							if(arti==null) {
+								Organization org = OrganizationFactory.get(trans);
+								Identity user = org.getIdentity(trans, incomingID);
+								if(user==null) {
+									hgen.p("The mechID you typed, \"" + incomingID + "\", is not a valid " + org.getName() + " ID");
+									return;
+								}
+								arti = new Artifact();
+								arti.setMechid(incomingID);
+								Identity managedBy = user.responsibleTo();
+								if(managedBy == null) {
+									arti.setSponsor("Unknown Sponsor");
+								} else {
+									arti.setSponsor(managedBy.fullID());
+								}
+								arti.setMachine(incomingMach);
+								arti.setNs(incomingNS);
+								arti.setDir("");
+								arti.setCa("aaf");
+								arti.setOsUser("");
+								arti.setRenewDays(30);
+								arti.setNotification("mailto:"+user.email());
+								arti.getType().add(types[0]);
+								arti.getType().add(types[2]);
+								submitText = CREATE;
+								delete = false;
+							} else {
+								if(arti.getNotification()==null) {
+									Organization org = OrganizationFactory.get(trans);
+									Identity user = org.getIdentity(trans, incomingID);
+									arti.setNotification("mailto:"+user.email());
+								}
+							}
+							// CSO Approval no longer required for SAN use
+//							final String mechID = arti.getMechid();
+//							boolean maySans=gui.lur.fish(new Principal() {
+//								@Override
+//								public String getName() {
+//									return mechID;
+//								}},getPerm(arti.getCa(),"san"));
+//							if(!maySans) {
+//								arti.getSans().clear();
+//							}
+							Mark table = new Mark(TABLE);
+							hgen.incr(table)
+								.input(fields[0],"MechID*",true,"value="+arti.getMechid())
+								.input("sponsor", "Sponsor",false,"value="+arti.getSponsor(),"readonly","style=border:none;background-color:white;")
+								.input(fields[1],"Machine*",true,"value="+arti.getMachine(),"style=width:130%;");
+//							if(maySans) {
+								hgen.incr(HTMLGen.TR).incr(HTMLGen.TD).end()
+									.incr(HTMLGen.TD,"class=subtext").text("Use full machine names, ");
+									if(!trans.fish(getPerm(arti.getCa(),"ip"))) {
+										hgen.text("NO ");
+									}
+								StringBuilder sb = null;
+								for(String s: arti.getSans()) {
+									if(sb==null) {
+										sb = new StringBuilder();
+									} else {
+										sb.append(", ");
+									}
+									sb.append(s);
+								}
+								
+								hgen.text("IPs allowed, separated by commas.").end()
+									.input(fields[11], "SANs", false, "value="+(sb==null?"":sb.toString()),"style=width:180%;");
+//							}
+							hgen.input(fields[2],"Namespace",true,"value="+arti.getNs(),"style=width:180%;")
+								.input(fields[3],"Directory", true, "value="+arti.getDir(),"style=width:180%;")
+								.input(fields[4],"Certificate Authority",true,"value="+arti.getCa(),"style=width:180%;")
+								.input(fields[5],"O/S User",true,"value="+arti.getOsUser())
+								.input(fields[6],"Renewal Days before Expiration", true, "value="+arti.getRenewDays(),"style=width:20%;")
+								.input(fields[7],"Notification",true,"value="+arti.getNotification())
+								.incr(HTMLGen.TR)
+								.incr(HTMLGen.TD).leaf("label","for=types","required").text("Artifact Types").end(2)
+								.incr(HTMLGen.TD);
+							for(int i=0;i<types.length;++i) {
+								hgen.leaf("input","type=checkbox","name=types."+i,arti.getType().contains(types[i])?"checked":"").text(types[i]).end().br();
+							}
+							
+							Mark tr = new Mark();
+							hgen.incr(tr,HTMLGen.TR).incr(HTMLGen.TD,"id=trcopy")
+									.leaf("input","id=cbcopy","type=checkbox","onclick="+COPY_ARTIFACT+"()").text("Copy Artifact").end(2)
+								.incr(HTMLGen.TD,"id=tdcopy","style:display:none;")
+									.incr("label","id=instruct","style=font-style:italic;font-size:80%;display:none;")
+										.text("Add full machine names, separated by commas.").end()
+									.tagOnly("input","id="+fields[9],"name="+fields[9],"style=display:none;width:150%;").end(2)
+								.end(tr);
+							hgen.incr(tr,HTMLGen.TR,"id=trdelete").incr(HTMLGen.TD,"id=tddelete")
+								.leaf("input","id=cbdelete","type=checkbox","onclick="+DELETE_ARTIFACT+"()",delete?"style:display:none;":"").text("Delete Artifact").end(2)
+								.end(tr);
+							hgen.end(table);
+							
+							hgen.tagOnly("input","id="+fields[8],"name="+fields[8],"value="+submitText,"style=display:none;");
+							hgen.tagOnly("input","id=theButton","type=submit", "orig="+submitText,"value="+submitText);
+							
+						} catch(CadiException | LocatorException | OrganizationException e) {
+							throw new APIException(e);
+						}
+					}
+
+					});
+				hgen.end(form);
+				}
+			});
+		
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtifactShow.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtifactShow.java
new file mode 100644
index 00000000..0ad73649
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtifactShow.java
@@ -0,0 +1,251 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+import java.io.StringWriter;
+import java.net.ConnectException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Date;
+import java.util.GregorianCalendar;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.auth.gui.SlotCode;
+import org.onap.aaf.auth.gui.Table;
+import org.onap.aaf.auth.gui.Table.Cells;
+import org.onap.aaf.auth.gui.table.AbsCell;
+import org.onap.aaf.auth.gui.table.TextCell;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.cadi.util.FQI;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.util.Chrono;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.Mark;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+import certman.v1_0.Artifacts;
+import certman.v1_0.Artifacts.Artifact;
+import certman.v1_0.CertInfo;
+
+public class CMArtifactShow extends Page {
+	
+	public static final String HREF = "/gui/cmarti";
+	public static final String NAME = "ArtifactsShow";
+	private static ArtiTable arti;
+	public static SlotCode<AuthzTrans> slotCode;
+	private enum Params{id,ns};
+
+
+	public CMArtifactShow(final AAF_GUI gui, Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env, NAME, HREF, Params.values() , 
+				new BreadCrumbs(breadcrumbs),
+				arti = new ArtiTable(gui.env)
+				);
+		// Setting so we can get access to HTMLGen clone and Slots
+		arti.set(this,slotCode);
+	}
+	
+	private static class ArtiTable extends Table<AAF_GUI, AuthzTrans> {
+		private static Model model;
+		private SlotCode<AuthzTrans> sc;
+		enum Params {id,ns};
+		public ArtiTable(AuthzEnv env) {
+			super((String)null,env.newTransNoAvg(),model = new Model(),
+					slotCode = new SlotCode<AuthzTrans>(false,env,NAME,Params.values()) {
+						@Override
+						public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+							cache.dynamic(hgen, new DynamicCode<HTMLGen,AAF_GUI,AuthzTrans>() {
+							@Override
+							public void code(AAF_GUI state, AuthzTrans trans, final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+								Mark js = new Mark();
+								hgen.js(js).function("newArtifact")
+								.text("machine=document.getElementById('machine');")
+							    .text("window.open('"
+							    		+CMArtiChangeForm.HREF+
+										"?id="+get(trans, Params.id,"")+
+										"&ns="+get(trans, Params.ns,"")+
+										"&machine='+machine.value,'_self');"
+							    	).end(js);
+								hgen.leaf("input","id=machine","style=margin:1em 1em 1em 1em;width:30%").end();
+								hgen.leaf(HTMLGen.A,"class=greenbutton","href=javascript:newArtifact()","style=color:white;").text("New Machine").end();
+							}
+						});
+						}
+					},"class=std");
+		}
+		
+
+		public void set(CMArtifactShow cmArtifactShow, SlotCode<AuthzTrans> sc) {
+			this.sc = sc;
+			model.set(cmArtifactShow,sc);
+		}
+		
+		@Override
+		protected String title(AuthzTrans trans) {
+			StringBuilder sb = new StringBuilder("X509 Certificates");
+			if(sc!=null) { // initialized
+				sb.append(" for ");
+				String id = sc.get(trans,Params.id,"");
+				sb.append(id);
+				if(id.indexOf('@')<0) {
+					sb.append('@');
+					sb.append(FQI.reverseDomain(sc.get(trans, Params.ns,"missingDomain")));
+				}
+			}
+			return sb.toString();
+		}
+	}
+	/**
+	 * Implement the table content for Cred Detail
+	 * 
+	 * @author Jeremiah
+	 *
+	 */
+	private static class Model implements Table.Data<AAF_GUI,AuthzTrans> {
+		private CMArtifactShow cas;
+		private SlotCode<AuthzTrans> sc;
+
+		// Covering for Constructor Order
+		private void set(CMArtifactShow cas, SlotCode<AuthzTrans> sc) {
+			this.cas = cas;
+			this.sc = sc;
+		}
+
+		private static final String[] headers = new String[]{"Machine","Directory","CA","Renews","Expires",""};
+		@Override
+		public String[] headers() {
+			return headers;
+		}
+		
+		@Override
+		public Cells get(final AuthzTrans trans, final AAF_GUI gui) {
+			String str = sc.get(trans,Params.id, null);
+			if(str==null) {
+				return Cells.EMPTY;
+			}
+			final String id = str.indexOf('@')>=0?str:str + '@' + FQI.reverseDomain(sc.get(trans,Params.ns, ""));
+			final ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+			final TimeTaken tt = trans.start("AAF X509 Details",Env.REMOTE);
+			try {
+				gui.cmClientAsUser(trans.getUserPrincipal(),new Retryable<Void>() {
+					@Override
+					public Void code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+						Future<CertInfo>  fuCI = client.read("/cert/id/"+id,gui.certInfoDF);
+						Future<Artifacts> fuArt = client.read("/cert/artifacts?mechid="+id, gui.artifactsDF);
+						
+						X509Certificate[] lc;
+						if(fuCI.get(AAFcli.timeout())) {
+							TimeTaken tt1 = trans.start("x509Certificate", Env.SUB);
+							try {
+								Collection<? extends Certificate> xcs = Factory.toX509Certificate(fuCI.value.getCerts());
+								 lc = new X509Certificate[xcs.size()];
+								xcs.toArray(lc);
+							} catch (CertificateException e) {
+								trans.error().log(e,"Bad Certificate entry");
+								throw new CadiException(e);
+							} finally {
+								tt1.done();
+							}
+						} else {
+							lc = null;
+							trans.error().log("Cannot retrieve Certificates for " + id);
+						}
+						if(fuArt.get(AAFcli.timeout())) {
+							for(Artifact arti : fuArt.value.getArtifact()) {
+								StringWriter sw = new StringWriter();
+								HTMLGen hgen = cas.clone(sw);
+								Mark mark = new Mark();
+								hgen.leaf(HTMLGen.A,"class=button",
+										"href="+CMArtiChangeForm.HREF+"?id="+arti.getMechid() +"&machine="+arti.getMachine()+"&ns="+arti.getNs())
+										.text("Details")
+									.end(mark);
+								Date last = null;
+								if(lc!=null) {
+									for(X509Certificate xc : lc) {
+										if(xc.getSubjectDN().getName().contains("CN="+arti.getMachine())) {
+											if(last==null || last.before(xc.getNotAfter())) {
+												last = xc.getNotAfter();
+											}
+										}
+									}
+								}
+								GregorianCalendar renew;
+								if(last!=null) {
+									renew = new GregorianCalendar();
+									renew.setTime(last);
+									renew.add(GregorianCalendar.DAY_OF_MONTH,arti.getRenewDays()*-1);
+								} else {
+									renew = null;
+								}
+
+								rv.add(new AbsCell[] {
+									new TextCell(arti.getMachine(),"style=width:20%;"), 
+									new TextCell(arti.getDir(),"style=width:25%;"),
+									new TextCell(arti.getCa(),"style=width:2%;text-align:center;"),
+									new TextCell(renew==null?
+											arti.getRenewDays().toString() + " days before Exp":
+											Chrono.dateOnlyStamp(renew),"style=width:6%;text-align:center;"),
+									new TextCell(last==null?"None Deployed":Chrono.dateOnlyStamp(last),"style=width:5%;text-align:center;"),
+									new TextCell(sw.toString(),"style=width:10%;text-align:center;")
+								});
+							}
+						} else {
+							rv.add(new AbsCell[] {new TextCell("*** Data Unavailable ***")});
+						}
+						return null;
+					}
+				});
+			} catch (Exception e) {
+				e.printStackTrace();
+			} finally {
+				tt.done();
+			}
+			return new Cells(rv,null);
+		}
+
+		@Override
+		public void prefix(AAF_GUI state, AuthzTrans trans, final Cache<HTMLGen> cache, final HTMLGen hgen) {
+		}
+
+		@Override
+		public void postfix(AAF_GUI state, AuthzTrans trans, final Cache<HTMLGen> cache, final HTMLGen hgen) {
+		}
+
+	}
+	
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CredDetail.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CredDetail.java
new file mode 100644
index 00000000..8c7c8763
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CredDetail.java
@@ -0,0 +1,352 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+import java.io.StringWriter;
+import java.net.ConnectException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.Set;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.auth.gui.SlotCode;
+import org.onap.aaf.auth.gui.Table;
+import org.onap.aaf.auth.gui.Table.Cells;
+import org.onap.aaf.auth.gui.table.AbsCell;
+import org.onap.aaf.auth.gui.table.TableData;
+import org.onap.aaf.auth.gui.table.TextCell;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.cadi.util.FQI;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.util.Chrono;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.Mark;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+import aaf.v2_0.Users;
+import aaf.v2_0.Users.User;
+import certman.v1_0.Artifacts;
+import certman.v1_0.Artifacts.Artifact;
+
+public class CredDetail extends Page {
+	
+	public static final String HREF = "/gui/creddetail";
+	public static final String NAME = "CredDetail";
+	private static Model model;
+	private static SlotCode<AuthzTrans> slotCode;
+	enum Params {id,ns};
+
+
+	public CredDetail(final AAF_GUI gui, Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env, NAME, HREF, Params.values(), 
+				new BreadCrumbs(breadcrumbs),
+				new Table<AAF_GUI,AuthzTrans>("Cred Details",gui.env.newTransNoAvg(),model = new Model(),
+				slotCode = new SlotCode<AuthzTrans>(false,gui.env,NAME,Params.values()) {
+					@Override
+					public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+						cache.dynamic(hgen, new DynamicCode<HTMLGen,AAF_GUI,AuthzTrans>() {
+						@Override
+						public void code(AAF_GUI state, AuthzTrans trans, final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+							String ns = get(trans, Params.ns,"");
+							String domain = FQI.reverseDomain(ns);
+							Mark js = new Mark(), fn=new Mark();
+							hgen.js(js).function(fn,"newArtifact")
+							.text("id=document.getElementById('id');")
+							.text("if(id.value=='') {alert('Enter the id in box');} else {")
+						    .text("window.open('"+CMArtiChangeForm.HREF+"?id='+id.value+'&ns="+ns+"','_self');}"
+						    	)
+						    .end(fn)
+						    .function("newPassword")
+						    .text("id=document.getElementById('id');")
+							.text("if(id.value=='') {alert('Enter the id in box');} else {")
+						    .text("window.open('"+PassChangeForm.HREF+"?id='+id.value+'@"+domain+"&ns="+ns+"','_self');}"
+						    	)
+						    .end(js);
+							hgen.leaf("i","style=margin:1em 0em 1em 1em;").text("ID:").end()
+								.leaf("input","id=id","style=width:10%;").end().text("@").text(domain).br()
+								.leaf(HTMLGen.A,"class=greenbutton","href=javascript:newArtifact()","style=color:white;margin:1.2em 0em 1em 1em;").text("As Cert Artifact").end()
+								.leaf(HTMLGen.A,"class=greenbutton","href=javascript:newPassword()","style=color:white;margin:1.2em 0em 1em 1em;").text("w/Password").end()
+								;
+						}
+					});
+					}
+				},"class=std")
+				
+				);
+		// Setting so we can get access to HTMLGen clone
+		model.set(this,slotCode);
+	}
+
+
+
+	/**
+	 * Implement the table content for Cred Detail
+	 * 
+	 * @author Jeremiah
+	 *
+	 */
+	private static class Model extends TableData<AAF_GUI,AuthzTrans> {
+		private static final String STYLE_WIDTH_5 = "style=width:5%;";
+		private static final String STYLE_WIDTH_10 = "style=width:10%;";
+		private static final String STYLE_WIDTH_15 = "style=width:15%;";
+		private static final String STYLE_WIDTH_20 = "style=width:20%;";
+		private static final String STYLE_WIDTH_70 = "style=width:70%;";
+		private SlotCode<AuthzTrans> sc;
+		private CredDetail cd;
+		// Covering for Constructor Order
+		private void set(CredDetail credDetail, SlotCode<AuthzTrans> slotCode) {
+			cd = credDetail;
+			sc = slotCode;
+		}
+		
+		@Override
+		public void prefix(AAF_GUI state, AuthzTrans trans, final Cache<HTMLGen> cache, final HTMLGen hgen) {
+		}
+
+		@Override
+		public Cells get(final AuthzTrans trans, final AAF_GUI gui) {
+			final String ns = sc.get(trans, Params.ns, "");
+			final String id = sc.get(trans, Params.id, "");
+			if(ns==null) {
+				return Cells.EMPTY;
+			}
+			final ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+			final TimeTaken tt = trans.start("AAF Cred Details",Env.REMOTE);
+			List<Artifact> la; 
+			try {
+					la = gui.cmClientAsUser(trans.getUserPrincipal(), new Retryable<List<Artifact>>() {
+					@Override
+					public List<Artifact> code(Rcli<?> client)throws CadiException, ConnectException, APIException {
+						Future<Artifacts> fa = client.read("/cert/artifacts?ns="+ns,gui.artifactsDF);
+						if(fa.get(AAFcli.timeout())) {
+							return fa.value.getArtifact();
+						} else {
+							return null;
+						}
+					}
+
+				});
+				final Set<String> lns = new HashSet<String>();
+				if(la!=null) {
+					for(Artifact a : la){
+						lns.add(a.getMechid());
+					}
+				}
+				gui.clientAsUser(trans.getUserPrincipal(),new Retryable<Void>() {
+					@Override
+					public Void code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+						Future<Users> fu = client.read("/authn/creds/ns/"+ns,gui.getDF(Users.class));
+						if(fu.get(AAFcli.timeout())) {
+							// Organize User entries
+							Map<String,List<Map<Integer,List<User>>>> users = new HashMap<String,List<Map<Integer,List<User>>>>();
+		
+							List<Map<Integer,List<User>>> lmu=null;
+							Map<Integer, List<User>> mu = null;
+							List<User> lu = null;
+							
+							for (User u : fu.value.getUser()) {
+								if(u.getType() == 200) {
+									lns.remove(u.getId());
+								}
+								lmu = users.get(u.getId());
+								if(lmu==null) {
+									users.put(u.getId(),lmu=new ArrayList<Map<Integer,List<User>>>());
+								}
+								mu=null;
+								for(Map<Integer,List<User>> xmu : lmu) {
+									if(xmu.containsKey(u.getType())) {
+										mu = xmu;
+									}
+								}
+								
+								if(mu==null) {
+									lmu.add(mu=new HashMap<Integer,List<User>>());
+								}
+								
+								lu = mu.get(u.getType());
+								if(lu==null) {
+									mu.put(u.getType(),lu = new ArrayList<User>());
+								}
+								lu.add(u);
+							}
+
+							int count=0;
+							for (Entry<String, List<Map<Integer, List<User>>>> ulm : users.entrySet()) {
+								String key = "cred_"+count++;
+								StringWriter buttons = new StringWriter();
+								HTMLGen hgen = cd.clone(buttons);
+								hgen.leaf("button","onclick=divVisibility('"+key+"');","class=button").text("Expand").end();
+								
+								StringWriter creds = new StringWriter();
+								hgen = cd.clone(creds);
+								Mark div = hgen.divID(key,ulm.getKey().equals(id)?"":"style=display:none;");
+									for(Map<Integer, List<User>> miu : ulm.getValue()) {
+										Mark utable = new Mark();
+										hgen.leaf(utable,HTMLGen.TABLE);
+
+										Mark uRow = new Mark();
+										String cls;
+										boolean first = true;
+										
+										for( Entry<Integer, List<User>> es : miu.entrySet()) {
+											Collections.sort(es.getValue(),new Comparator<User>() {
+												@Override
+												public int compare(User u1, User u2) {
+													int rv = u1.getType().compareTo(u2.getType());
+													return rv==0?u2.getExpires().compare(u1.getExpires()):rv;
+												}
+											});
+											int xcnt = 0;
+											XMLGregorianCalendar oldest=null, newest=null;
+											String id = null;
+											for(User u: es.getValue()) {
+												if(id==null) {
+													id = u.getId();
+												}
+												// Need to compile entries for Certificates on this screen
+												if(es.getKey()==200) {
+													++xcnt;
+													if(oldest==null || oldest.compare(u.getExpires())<0) {
+														oldest = u.getExpires();
+													}
+													if(newest==null || newest.compare(u.getExpires())<0) {
+														newest = u.getExpires();
+													}
+												} else {
+													hgen.leaf(uRow,HTMLGen.TR);
+													if(first) {
+														hgen.leaf(HTMLGen.TD,cls="class=detailFirst",STYLE_WIDTH_10);
+														switch(es.getKey()) {
+															case 1:   
+															case 2:	  hgen.text("Password"); 
+																	break;
+															case 10:  hgen.text("Certificate"); break;
+														}
+													} else {
+														hgen.leaf(HTMLGen.TD,cls="class=detail",STYLE_WIDTH_10+"text-align:center;").text("\"");
+													}
+													hgen.end();
+													hgen.incr(HTMLGen.TD,cls,STYLE_WIDTH_20);
+													
+													hgen.leaf(HTMLGen.A,
+															"class=button",
+															"href="+PassDeleteAction.HREF+
+																"?id="+id+
+																"&amp;ns="+ns+
+																"&amp;date="+u.getExpires().toXMLFormat() +
+																"&amp;type="+u.getType())
+														.text("Delete").end();
+													if(first && es.getKey()<10) { // Change Password Screen
+														hgen.leaf(HTMLGen.A,"class=button","href="+PassChangeForm.HREF+"?id="+id+"&amp;ns="+ns)
+															.text("Add")
+															.end();
+													}
+													first=false;
+													hgen.end().leaf(HTMLGen.TD,cls,STYLE_WIDTH_70)
+														.text(Chrono.niceDateStamp(u.getExpires()))
+														.end();
+										
+													hgen.end(uRow);
+												}
+											}
+											if(xcnt>0) { // print compilations, if any, of Certificate
+												hgen.leaf(uRow,HTMLGen.TR)
+													.leaf(HTMLGen.TD,cls="class=detailFirst",STYLE_WIDTH_10).text("x509").end()
+													.leaf(HTMLGen.TD, cls,STYLE_WIDTH_20)
+														.leaf(HTMLGen.A,"class=button","href="+CMArtifactShow.HREF+"?id="+id+"&amp;ns="+ns)
+															.text("View All")
+															.end(2)
+													.leaf(HTMLGen.TD, cls,STYLE_WIDTH_70).text(String.format(
+															xcnt>0?"%d Certificate%s, ranging from %s to %s"
+																  :"%d Certificate%s",
+															xcnt,
+															xcnt==1?"":"s",
+															Chrono.niceDateStamp(oldest),
+															Chrono.niceDateStamp(newest)))
+													.end(uRow);
+													
+											}
+										}
+										hgen.end(utable);
+									}
+									
+								hgen.end(div);
+
+								rv.add(new AbsCell[] {
+										new TextCell(ulm.getKey(),STYLE_WIDTH_15), 
+										new TextCell(buttons.toString(),STYLE_WIDTH_5),
+										new TextCell(creds.toString(),STYLE_WIDTH_70)
+									});
+							}
+							for(String missing : lns) {
+								StringWriter buttons = new StringWriter();
+								HTMLGen hgen = cd.clone(buttons);
+								hgen.leaf(HTMLGen.A,"class=button","href="+CMArtifactShow.HREF+"?id="+missing+"&amp;ns="+ns)
+									.text("View All")
+									.end(2);
+								rv.add(new AbsCell[] {
+										new TextCell(missing,STYLE_WIDTH_15),
+										new TextCell(buttons.toString(),STYLE_WIDTH_5),
+										new TextCell("No X509 Credential Instantiated")
+								});
+							}
+
+						} else {
+							rv.add(new AbsCell[] {new TextCell("*** Data Unavailable ***")});
+						}
+						return null;
+					}
+				});
+			} catch (Exception e) {
+				e.printStackTrace();
+			} finally {
+				tt.done();
+			}
+			return new Cells(rv,null);
+		}
+
+		@Override
+		public void postfix(AAF_GUI state, AuthzTrans trans, final Cache<HTMLGen> cache, final HTMLGen hgen) {
+		}
+
+
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/Home.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/Home.java
new file mode 100644
index 00000000..caad42b5
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/Home.java
@@ -0,0 +1,77 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import static org.onap.aaf.misc.xgen.html.HTMLGen.A;
+import static org.onap.aaf.misc.xgen.html.HTMLGen.H3;
+
+import java.io.IOException;
+
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.Mark;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+
+public class Home extends Page {
+	public static final String HREF = "/gui/home";
+	public Home(final AAF_GUI gui) throws APIException, IOException {
+		super(gui.env,"Home",HREF, NO_FIELDS, new NamedCode(false,"content") {
+			@Override
+			public void code(final Cache<HTMLGen> cache, final HTMLGen xgen) throws APIException, IOException {
+//				// TEMP
+//				JSGen jsg = xgen.js();
+//				jsg.function("httpPost","sURL","sParam")
+//					.text("var oURL = new java.net.URL(sURL)")
+//					.text("var oConn = oURL.openConnection();")
+//					.text("oConn.setDoInput(true);")
+//					.text("oConn.setDoOutpu(true);")
+//					.text("oConn.setUseCaches(false);")
+//					.text("oConn.setRequestProperty(\"Content-Type\",\"application/x-www-form-urlencoded\");")
+//					.text(text)
+//				jsg.done();
+				// TEMP
+				final Mark pages = xgen.divID("Pages");
+				xgen.leaf(H3).text("Choose from the following:").end()
+					.leaf(A,"href=myperms").text("My Permissions").end()
+					.leaf(A,"href=myroles").text("My Roles").end()
+				//	TODO: uncomment when on cassandra 2.1.2 for MyNamespace GUI page
+					.leaf(A,"href=ns").text("My Namespaces").end()
+					.leaf(A,"href=approve").text("My Approvals").end()
+					.leaf(A, "href=myrequests").text("My Pending Requests").end()
+					// Enable later
+//					.leaf(A, "href=onboard").text("Onboarding").end()
+				// Password Change.  If logged in as CSP/GSO, go to their page
+					.leaf(A,"href=passwd").text("Password Management").end()
+					.leaf(A,"href=cui").text("Command Prompt").end()
+					.leaf(A,"href=api").text("AAF API").end()
+					;
+				
+				xgen.end(pages);
+			}
+		});
+	}
+
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/LoginLanding.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/LoginLanding.java
new file mode 100644
index 00000000..7dcc65aa
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/LoginLanding.java
@@ -0,0 +1,115 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+import java.net.URLDecoder;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.Mark;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+public class LoginLanding extends Page {
+	public static final String HREF = "/login";
+	static final String NAME = "Login";
+	static final String fields[] = {"id","password","environment"};
+	static final String envs[] = {"DEV","TEST","PROD"};
+	
+	public LoginLanding(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env, NAME,HREF, fields, new NamedCode(true, "content") {
+			@Override
+			public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+				hgen.leaf("p").text("No login credentials are found in your current session. " +
+					     "Choose your preferred login option to continue.").end();
+				
+				Mark loginPaths = hgen.divID("Pages");
+				
+				cache.dynamic(hgen, new DynamicCode<HTMLGen, AAF_GUI, AuthzTrans>() {
+					@Override
+					public void code(AAF_GUI authGUI, AuthzTrans trans, Cache<HTMLGen> cache, HTMLGen xgen) throws APIException, IOException {
+						HttpServletRequest req = trans.get(gui.slot_httpServletRequest, null);
+						if(req!=null) {
+							String query = req.getQueryString();
+							if(query!=null) {
+								for(String qs : query.split("&")) {
+									int equals = qs.indexOf('=');
+									xgen.leaf(HTMLGen.A, "href="+URLDecoder.decode(qs.substring(equals+1),Config.UTF_8)).text(qs.substring(0,equals).replace('_', ' ')).end();
+								}
+							}
+						}
+						xgen.leaf(HTMLGen.A, "href=gui/home?Authentication=BasicAuth").text("AAF Basic Auth").end();
+					}
+				});
+//				hgen.leaf("a", "href=#","onclick=divVisibility('cso');").text("Global Login").end()
+//					.incr("p", "id=cso","style=display:none").text("this will redirect to global login").end()
+//					.leaf("a", "href=#","onclick=divVisibility('tguard');").text("tGuard").end()
+//					.incr("p", "id=tguard","style=display:none").text("this will redirect to tGuard login").end()
+//				hgen.leaf("a", "href=#","onclick=divVisibility('basicauth');").text("AAF Basic Auth").end();
+				hgen.end(loginPaths);
+				
+//					hgen.incr("form","method=post","style=display:none","id=basicauth","gui/home?Authentication=BasicAuth");
+//					Mark table = new Mark(TABLE);
+//					hgen.incr(table);
+//					cache.dynamic(hgen, new DynamicCode<HTMLGen, AuthGUI, AuthzTrans>() {
+//						@Override
+//						public void code(final AuthGUI gui, final AuthzTrans trans,	final Cache<HTMLGen> cache, final HTMLGen hgen)	
+//								throws APIException, IOException {
+//							hgen
+//							.input(fields[0],"Username",true)
+//							.input(fields[1],"Password",true, "type=password");
+//						Mark selectRow = new Mark();
+//						hgen
+//						.incr(selectRow, "tr")
+//						.incr("td")
+//						.incr("label", "for=envs", "required").text("Environment").end()
+//						.end()
+//						.incr("td")
+//						.incr("select", "name=envs", "id=envs", "required")
+//						.incr("option", "value=").text("Select Environment").end();
+//						for (String env : envs) {
+//							hgen.incr("option", "value="+env).text(env).end();
+//						}
+//						hgen			
+//						.end(selectRow) 
+							
+//						hgen.end();
+//						}
+//					});
+//					hgen.end();
+//					hgen.tagOnly("input", "type=submit", "value=Submit")
+//						.tagOnly("input", "type=reset", "value=Reset")
+//					.end();
+			
+
+			}
+		});
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/LoginLandingAction.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/LoginLandingAction.java
new file mode 100644
index 00000000..9ab3fa71
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/LoginLandingAction.java
@@ -0,0 +1,65 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+public class LoginLandingAction extends Page {
+	public LoginLandingAction(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env,"Login",LoginLanding.HREF, LoginLanding.fields,
+			new BreadCrumbs(breadcrumbs),
+			new NamedCode(true,"content") {
+				final Slot sID = gui.env.slot(LoginLanding.NAME+'.'+LoginLanding.fields[0]);
+//				final Slot sPassword = gui.env.slot(LoginLanding.NAME+'.'+LoginLanding.fields[1]);
+				
+				@Override
+				public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+					cache.dynamic(hgen, new DynamicCode<HTMLGen,AAF_GUI, AuthzTrans>() {
+						@Override
+						public void code(final AAF_GUI gui, final AuthzTrans trans,final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+							String username = trans.get(sID,null);
+//							String password = trans.get(sPassword,null);
+
+							hgen.p("User: "+username);
+							hgen.p("Pass: ********");
+							
+							// TODO: clarification from JG
+							// put in request header?
+							// then pass through authn/basicAuth call?
+							
+						}
+					});
+				}
+		});
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/NsDetail.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/NsDetail.java
new file mode 100644
index 00000000..5df050bf
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/NsDetail.java
@@ -0,0 +1,247 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+import java.io.StringWriter;
+import java.net.ConnectException;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.auth.gui.Table;
+import org.onap.aaf.auth.gui.Table.Cells;
+import org.onap.aaf.auth.gui.table.AbsCell;
+import org.onap.aaf.auth.gui.table.RefCell;
+import org.onap.aaf.auth.gui.table.TableData;
+import org.onap.aaf.auth.gui.table.TextCell;
+import org.onap.aaf.auth.validation.Validator;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+import aaf.v2_0.Nss;
+import aaf.v2_0.Nss.Ns;
+import aaf.v2_0.Perm;
+import aaf.v2_0.Perms;
+import aaf.v2_0.Role;
+import aaf.v2_0.Roles;
+
+public class NsDetail extends Page {
+	
+	public static final String HREF = "/gui/nsdetail";
+	public static final String NAME = "NsDetail";
+	static final String WEBPHONE = "http://webphone.att.com/cgi-bin/webphones.pl?id=";
+	public static enum NS_FIELD { OWNERS, ADMINS, ROLES, PERMISSIONS, CREDS};
+	private static final String BLANK = "";
+	private static Slot keySlot;
+	private static Model model;
+	private static String gw_url;
+
+
+	public NsDetail(final AAF_GUI gui, Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env, NAME, HREF, new String[] {"ns"}, 
+				new BreadCrumbs(breadcrumbs),
+				new Table<AAF_GUI,AuthzTrans>("Namespace Details",gui.env.newTransNoAvg(),model=new Model(),"class=detail")
+				);
+		model.set(this);
+		keySlot = gui.env.slot(NAME+".ns");
+		gw_url = gui.env.getProperty(Config.GW_URL);
+		if(gw_url==null) {
+			gw_url="";
+		} else {
+			gw_url+="/aaf/2.0";
+		}
+	}
+
+	/**
+	 * Implement the table content for Namespace Detail
+	 * 
+	 * @author Jeremiah
+	 *
+	 */
+	private static class Model extends TableData<AAF_GUI,AuthzTrans> {
+		private static final String CSP_ATT_COM = "@csp.att.com";
+		private NsDetail nd;
+
+		public void set(NsDetail nsDetail) {
+			nd=nsDetail;
+		}
+
+		@Override
+		public Cells get(final AuthzTrans trans, final AAF_GUI gui) {
+			final String nsName = trans.get(keySlot, null);
+			Validator v = new Validator();
+			v.ns(nsName);
+			if(v.err()) {
+				trans.warn().printf("Error in NsDetail Request: %s", v.errs());
+				return Cells.EMPTY;
+			}
+
+			if(nsName==null) {
+				return Cells.EMPTY;
+			}
+			final ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+			rv.add(new AbsCell[]{new TextCell("Name:"),new TextCell(nsName)});
+
+			final TimeTaken tt = trans.start("AAF Namespace Details",Env.REMOTE);
+			try {
+				gui.clientAsUser(trans.getUserPrincipal(),new Retryable<Void>() {
+					@Override
+					public Void code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+						Future<Nss> fn = client.read("/authz/nss/"+nsName,gui.getDF(Nss.class));
+
+						if(fn.get(AAF_GUI.TIMEOUT)) {
+							tt.done();
+							try {
+//								TimeTaken tt = trans.start("Load Data", Env.SUB);
+								
+								for(Ns n : fn.value.getNs()) {
+									String desc = (n.getDescription()!=null?n.getDescription():BLANK);
+									rv.add(new AbsCell[]{new TextCell("Description:"),new TextCell(desc)});
+									
+									addField(trans, nsName, rv, n.getAdmin(), NS_FIELD.ADMINS);
+									addField(trans, nsName, rv, n.getResponsible(), NS_FIELD.OWNERS);
+
+									StringWriter sw = new StringWriter();
+									HTMLGen hgen = nd.clone(sw);
+									hgen.leaf(HTMLGen.A, "class=greenbutton","href="+CredDetail.HREF+"?ns="+nsName).text("Cred Details").end();
+									rv.add(new AbsCell[] {
+											new TextCell("Credentials"),
+											new TextCell(sw.toString())
+										});
+									
+			
+									Future<Roles> fr = client.read(
+													"/authz/roles/ns/"+nsName, 
+													gui.getDF(Roles.class)
+													);
+									List<String> roles = new ArrayList<String>();
+									if(fr.get(AAFcli.timeout())) {
+										for (Role r : fr.value.getRole()) {
+											roles.add(r.getName());
+										}
+									}
+									addField(trans, nsName, rv, roles, NS_FIELD.ROLES);
+									
+									
+									Future<Perms> fp = client.read(
+													"/authz/perms/ns/"+nsName, 
+													gui.getDF(Perms.class)
+													);
+									List<String> perms = new ArrayList<String>();
+			
+									if(fp.get(AAFcli.timeout())) {
+										for (Perm p : fp.value.getPerm()) {
+											perms.add(p.getType() + "|" + p.getInstance() + "|" + p.getAction());
+										}
+									}
+									addField(trans, nsName, rv, perms, NS_FIELD.PERMISSIONS);
+								}
+								String historyLink = NsHistory.HREF 
+										+ "?name=" + nsName;
+								rv.add(new AbsCell[] {new RefCell("See History",historyLink,false)});
+							} finally {
+								tt.done();
+							}
+						} else {
+							rv.add(new AbsCell[] {new TextCell("*** Data Unavailable ***")});
+						}
+						return null;
+					}
+				});
+			} catch (Exception e) {
+				e.printStackTrace();
+			} finally {
+				tt.done();
+			}
+			return new Cells(rv,null);
+		}
+
+		private void addField(AuthzTrans trans, String ns, List<AbsCell[]> rv, List<String> values, NS_FIELD field) {
+			if (!values.isEmpty()) {
+				switch(field) {
+				case OWNERS:
+				case ADMINS:
+				case CREDS:
+					for (int i=0; i< values.size(); i++) {
+						AbsCell label = (i==0?new TextCell(sentenceCase(field)+":"):AbsCell.Null);
+						String user = values.get(i);
+						AbsCell userCell = (user.endsWith(CSP_ATT_COM)?
+								new RefCell(user,WEBPHONE + user.substring(0,user.indexOf('@')),true):new TextCell(user));
+						rv.add(new AbsCell[] {
+								label, 
+								userCell
+						});
+					}
+					break;
+				case ROLES:
+					for (int i=0; i< values.size(); i++) {
+						String role = values.get(i);
+						AbsCell label = (i==0?new TextCell(sentenceCase(field)+":"):AbsCell.Null);
+						rv.add(new AbsCell[] {
+								label,
+								new RefCell(role,RoleDetail.HREF+"?role="+role+"&ns="+ns,false)
+						});
+					}
+					break;
+				case PERMISSIONS:
+					for (int i=0; i< values.size(); i++) {
+						AbsCell label = (i==0?new TextCell(sentenceCase(field)+":","style=width:20%"):AbsCell.Null);
+						String perm = values.get(i);
+						String[] fields = perm.split("\\|");
+						String grantLink = gw_url  
+								+ PermGrantForm.HREF
+								+ "?type=" + fields[0].trim()
+								+ "&amp;instance=" + fields[1].trim()
+								+ "&amp;action=" + fields[2].trim();
+						
+						rv.add(new AbsCell[] {
+								label, 
+								new TextCell(perm,"style=width:60%;"),
+								new RefCell("Grant", grantLink,false,"class=button","style=width:20%;")
+						});
+					}
+					break;
+				}
+
+			}
+		}
+
+		private String sentenceCase(NS_FIELD field) {
+			String sField = field.toString();
+			return sField.substring(0, 1).toUpperCase() + sField.substring(1).toLowerCase();
+		}
+	
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/NsHistory.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/NsHistory.java
new file mode 100644
index 00000000..414f992f
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/NsHistory.java
@@ -0,0 +1,230 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+import java.net.ConnectException;
+import java.util.ArrayList;
+import java.util.Calendar;
+import java.util.Comparator;
+import java.util.List;
+
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.auth.gui.Table;
+import org.onap.aaf.auth.gui.Table.Cells;
+import org.onap.aaf.auth.gui.table.AbsCell;
+import org.onap.aaf.auth.gui.table.RefCell;
+import org.onap.aaf.auth.gui.table.TableData;
+import org.onap.aaf.auth.gui.table.TextCell;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+import aaf.v2_0.History;
+import aaf.v2_0.History.Item;
+
+public class NsHistory extends Page {
+	static final String NAME="NsHistory";
+	static final String HREF = "/gui/nsHistory";
+	static final String FIELDS[] = {"name","dates"};
+	static final String WEBPHONE = "http://webphone.att.com/cgi-bin/webphones.pl?id=";
+	static enum Month { JANUARY, FEBRUARY, MARCH, APRIL, MAY, JUNE, JULY, 
+							AUGUST, SEPTEMBER, OCTOBER, NOVEMBER, DECEMBER };
+	
+	public NsHistory(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env,NAME,HREF, FIELDS,
+			new BreadCrumbs(breadcrumbs),
+			new Table<AAF_GUI,AuthzTrans>("History", gui.env.newTransNoAvg(),new Model(gui.env),"class=std"),
+			new NamedCode(true, "content") {
+				@Override
+				public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+					final Slot name = gui.env.slot(NAME+".name");
+					cache.dynamic(hgen, new DynamicCode<HTMLGen, AAF_GUI, AuthzTrans>() {
+						@Override
+						public void code(final AAF_GUI gui, final AuthzTrans trans,	final Cache<HTMLGen> cache, final HTMLGen hgen)	throws APIException, IOException {
+							String obName = trans.get(name, null);
+							
+							// Use Javascript to make the table title more descriptive
+							hgen.js()
+							.text("var caption = document.querySelector(\".title\");")
+							.text("caption.innerHTML='History for Namespace [ " + obName + " ]';")						
+							.done();
+							
+							// Use Javascript to change Link Target to our last visited Detail page
+							String lastPage = NsDetail.HREF + "?name=" + obName;
+							hgen.js()
+								.text("alterLink('nsdetail', '"+lastPage + "');")							
+								.done();
+							
+							hgen.br();
+							hgen.leaf("a","href=#advanced_search","onclick=divVisibility('advanced_search');").text("Advanced Search").end()
+								.divID("advanced_search", "style=display:none");
+							hgen.incr("table");
+								
+							addDateRow(hgen,"Start Date");
+							addDateRow(hgen,"End Date");
+							hgen.incr("tr").incr("td");
+							hgen.tagOnly("input", "type=button","value=Get History",
+									"onclick=datesURL('"+HREF+"?name=" + obName+"');");
+							hgen.end().end();
+							hgen.end();
+							hgen.end();
+								
+						}
+					});
+				}
+			}
+
+			);
+	}
+
+	private static void addDateRow(HTMLGen hgen, String s) {
+		hgen
+			.incr("tr")
+			.incr("td")
+			.incr("label", "for=month", "required").text(s+"*").end()
+			.end()
+			.incr("td")
+			.incr("select", "name=month"+s.substring(0, s.indexOf(' ')), "id=month"+s.substring(0, s.indexOf(' ')), "required")
+			.incr("option", "value=").text("Month").end();
+		for (Month m : Month.values()) {
+			if (Calendar.getInstance().get(Calendar.MONTH) == m.ordinal()) {
+				hgen.incr("option", "selected", "value="+(m.ordinal()+1)).text(m.name()).end();
+			} else {
+				hgen.incr("option", "value="+(m.ordinal()+1)).text(m.name()).end();
+			}
+		}
+		hgen.end()
+			.end()
+			.incr("td")
+			.tagOnly("input","type=number","id=year"+s.substring(0, s.indexOf(' ')),"required",
+					"value="+Calendar.getInstance().get(Calendar.YEAR), "min=1900", 
+					"max="+Calendar.getInstance().get(Calendar.YEAR),
+					"placeholder=Year").end()
+			.end();
+	}
+		
+
+	
+	
+	/**
+	 * Implement the Table Content for History
+	 * 
+	 * @author Jeremiah
+	 *
+	 */
+	private static class Model extends TableData<AAF_GUI,AuthzTrans> {
+		private static final String CSP_ATT_COM = "@csp.att.com";
+		private static final String[] headers = new String[] {"Date","User","Memo"};
+		private Slot name;
+		private Slot dates;
+		
+		public Model(AuthzEnv env) {
+			name = env.slot(NAME+".name");
+			dates = env.slot(NAME+".dates");
+		}
+		
+		@Override
+		public String[] headers() {
+			return headers;
+		}
+		
+		@Override
+		public Cells get(final AuthzTrans trans, final AAF_GUI gui) {
+			final String oName = trans.get(name,null);
+			final String oDates = trans.get(dates,null);
+			
+			if(oName==null) {
+				return Cells.EMPTY;
+			}
+			
+			final ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+			String msg = null;
+			final TimeTaken tt = trans.start("AAF Get History for Namespace ["+oName+"]",Env.REMOTE);
+			try {
+				gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {
+					@Override
+					public Void code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+						if (oDates != null) {
+							client.setQueryParams("yyyymm="+oDates);
+						}
+						Future<History> fh = client.read("/authz/hist/ns/"+oName,gui.getDF(History.class));
+						if (fh.get(AAF_GUI.TIMEOUT)) {
+							tt.done();
+							TimeTaken tt2 = trans.start("Load History Data", Env.SUB);
+							try {
+								List<Item> histItems = fh.value.getItem();
+								
+								java.util.Collections.sort(histItems, new Comparator<Item>() {
+									@Override
+									public int compare(Item o1, Item o2) {
+										return o2.getTimestamp().compare(o1.getTimestamp());
+									}
+								});
+								
+								for (Item i : histItems) {
+									String user = i.getUser();
+									AbsCell userCell = (user.endsWith(CSP_ATT_COM)?
+											new RefCell(user,WEBPHONE + user.substring(0,user.indexOf('@')),true):new TextCell(user));
+									
+									rv.add(new AbsCell[] {
+											new TextCell(i.getTimestamp().toGregorianCalendar().getTime().toString()),
+											userCell,
+											new TextCell(i.getMemo())
+									});
+								}
+							} finally {
+								tt2.done();
+							}
+						} else {
+							if (fh.code()==403) {
+								rv.add(new AbsCell[] {new TextCell("You may not view History of Namespace [" + oName + "]", "colspan = 3", "class=center")});
+							} else {
+								rv.add(new AbsCell[] {new TextCell("*** Data Unavailable ***", "colspan = 3", "class=center")});
+							}
+						}
+						return null;
+					}
+				});
+			} catch (Exception e) {
+				trans.error().log(e);
+			} finally {
+				tt.done();
+			}
+		return new Cells(rv,msg);
+		}
+	}
+
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/NsInfoAction.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/NsInfoAction.java
new file mode 100644
index 00000000..4328653e
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/NsInfoAction.java
@@ -0,0 +1,158 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+import java.net.ConnectException;
+import java.text.ParseException;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.util.Chrono;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+import aaf.v2_0.CredRequest;
+
+public class NsInfoAction extends Page {
+	public NsInfoAction(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env,"Onboard",PassChangeForm.HREF, PassChangeForm.fields,
+			new BreadCrumbs(breadcrumbs),
+			new NamedCode(true,"content") {
+				final Slot sID = gui.env.slot(PassChangeForm.NAME+'.'+PassChangeForm.fields[0]);
+				final Slot sCurrPass = gui.env.slot(PassChangeForm.NAME+'.'+PassChangeForm.fields[1]);
+				final Slot sPassword = gui.env.slot(PassChangeForm.NAME+'.'+PassChangeForm.fields[2]);
+				final Slot sPassword2 = gui.env.slot(PassChangeForm.NAME+'.'+PassChangeForm.fields[3]);
+				final Slot startDate = gui.env.slot(PassChangeForm.NAME+'.'+PassChangeForm.fields[4]);
+				
+				@Override
+				public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+					cache.dynamic(hgen, new DynamicCode<HTMLGen,AAF_GUI, AuthzTrans>() {
+						@Override
+						public void code(final AAF_GUI gui, final AuthzTrans trans,final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+							String id = trans.get(sID,null);
+							String currPass = trans.get(sCurrPass,null);
+							final String password = trans.get(sPassword,null);
+							String password2 = trans.get(sPassword2,null);
+							
+							// Run Validations
+							boolean fail = true;
+							
+							if (id==null || id.indexOf('@')<=0) {
+								hgen.p("Data Entry Failure: Please enter a valid ID, including domain.");
+							} else if(password == null || password2 == null || currPass == null) {
+								hgen.p("Data Entry Failure: Both Password Fields need entries.");
+							} else if(!password.equals(password2)) {
+								hgen.p("Data Entry Failure: Passwords do not match.");
+							} else { // everything else is checked by Server
+								final CredRequest cred = new CredRequest();
+								cred.setId(id);
+								cred.setPassword(currPass);
+								try {
+									fail = gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Boolean>() {
+										@Override
+										public Boolean code(Rcli<?> client)throws CadiException, ConnectException, APIException {
+											TimeTaken tt = trans.start("Check Current Password",Env.REMOTE);
+											try {
+												Future<CredRequest> fcr = client.create( // Note: Need "Post", because of hiding password in SSL Data
+															"/authn/validate",
+															gui.getDF(CredRequest.class),
+															cred
+														);
+												boolean go;
+												boolean fail = true;
+												fcr.get(5000);
+												if(fcr.code() == 200) {
+													hgen.p("Current Password validated");
+													go = true;
+												} else {
+													hgen.p(String.format("Invalid Current Password: %d %s",fcr.code(),fcr.body()));
+													go = false;
+												}
+												if(go) {
+													tt.done();
+													tt = trans.start("AAF Change Password",Env.REMOTE);
+													try {
+														// Change over Cred to reset mode
+														cred.setPassword(password);
+														String start = trans.get(startDate, null);
+														if(start!=null) {
+															try {
+																cred.setStart(Chrono.timeStamp(Chrono.dateOnlyFmt.parse(start)));
+															} catch (ParseException e) {
+																throw new CadiException(e);
+															}
+														}
+														
+														fcr = client.create(
+																"/authn/cred",
+																gui.getDF(CredRequest.class),
+																cred
+																);
+					
+														if(fcr.get(5000)) {
+															// Do Remote Call
+															hgen.p("New Password has been added.");
+															fail = false;
+														} else {
+															gui.writeError(trans, fcr, hgen, 0);
+														}
+													} finally {
+														tt.done();
+													}
+												}
+ 												return fail;
+											} finally {
+												tt.done();
+											}
+										}
+									});
+
+								} catch (Exception e) {
+									hgen.p("Unknown Error");
+									e.printStackTrace();
+								}
+							}
+						hgen.br();
+						if(fail) {
+							hgen.incr("a",true,"href="+PassChangeForm.HREF+"?id="+id).text("Try again").end();
+						} else {
+							hgen.incr("a",true,"href="+Home.HREF).text("Home").end(); 
+						}
+					}
+				});
+			}
+		});
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/NsInfoForm.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/NsInfoForm.java
new file mode 100644
index 00000000..173b9500
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/NsInfoForm.java
@@ -0,0 +1,162 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import static org.onap.aaf.misc.xgen.html.HTMLGen.A;
+import static org.onap.aaf.misc.xgen.html.HTMLGen.TABLE;
+
+import java.io.IOException;
+import java.net.ConnectException;
+import java.util.List;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.Mark;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+import aaf.v2_0.Nss;
+import aaf.v2_0.Nss.Ns;
+
+public class NsInfoForm extends Page {
+
+	// Package on purpose
+	static final String HREF = "/gui/onboard";
+	static final String NAME = "Onboarding";
+	static final String fields[] = {"ns","description","mots","owners","admins"};
+	
+	public NsInfoForm(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env,NAME,HREF, fields,
+			new BreadCrumbs(breadcrumbs),
+			new NamedCode(true,"content") {
+
+			private final Slot sID = gui.env.slot(NsInfoForm.NAME+'.'+NsInfoForm.fields[0]);
+			@Override
+			public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+				// p tags not closing right using .p() - causes issues in IE8 password form - so using leaf for the moment
+				hgen.leaf(HTMLGen.H2).text("Namespace Info").end()
+				     .leaf("p").text("Hover over Fields for Tool Tips, or click ")
+				     	.leaf(A,"href="+gui.env.getProperty(AAF_URL_GUI_ONBOARD,"")).text("Here").end()
+				     	.text(" for more information")
+				     .end()
+					.incr("form","method=post");
+				Mark table = new Mark(TABLE);
+				hgen.incr(table);
+				cache.dynamic(hgen, new DynamicCode<HTMLGen, AAF_GUI, AuthzTrans>() {
+					@SuppressWarnings("unchecked")
+					@Override
+					public void code(final AAF_GUI gui, final AuthzTrans trans, final Cache<HTMLGen> cache, final HTMLGen hgen)	throws APIException, IOException {
+						final String incomingID= trans.get(sID, "");
+						final String[] info = new String[fields.length];
+						final Object own_adm[] = new Object[2]; 
+						for(int i=0;i<info.length;++i) {
+							info[i]="";
+						}
+						if(incomingID.length()>0) {
+							TimeTaken tt = trans.start("AAF Namespace Info",Env.REMOTE);
+							try {
+								gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {
+									@Override
+									public Void code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+										Future<Nss> fn = client.read("/authz/nss/"+incomingID,gui.getDF(Nss.class));
+										if(fn.get(AAF_GUI.TIMEOUT)) {
+											for(Ns ns : fn.value.getNs()) {
+												info[0]=ns.getName();
+												info[1]=ns.getDescription();
+												for(Ns.Attrib attr: ns.getAttrib()) {
+													switch(attr.getKey()) {
+														case "mots":
+															info[2]=attr.getValue();
+														default:
+													}
+												}
+												own_adm[0]=ns.getResponsible();
+												own_adm[1]=ns.getAdmin();
+											}
+										} else {
+											trans.error().log(fn.body());
+										}
+										return null;
+									}
+								});
+							} catch (Exception e) {
+								trans.error().log("Unable to access AAF for NS Info",incomingID);
+								e.printStackTrace();
+							} finally {
+								tt.done();
+							}
+						}
+						hgen.input(fields[0],"Namespace",false,"value="+info[0],"title=AAF Namespace")
+							.input(fields[1],"Description*",true,"value="+info[1],"title=Full Application Name, Tool Name or Group")
+							.input(fields[2],"MOTS ID",false,"value="+info[2],"title=MOTS ID if this is an Application, and has MOTS");
+						Mark endTD = new Mark(),endTR=new Mark();
+						// Owners
+						hgen.incr(endTR,HTMLGen.TR)
+								.incr(endTD,HTMLGen.TD)
+									.leaf("label","for="+fields[3]).text("Responsible Party")
+								.end(endTD)
+								.incr(endTD,HTMLGen.TD)
+									.tagOnly("input","id="+fields[3],"title=Owner of App, must be an Non-Bargained Employee");
+									if(own_adm[0]!=null) {
+										for(String s : (List<String>)own_adm[0]) {
+											hgen.incr("label",true).text(s).end();
+										}
+									}
+							hgen.end(endTR);
+
+							// Admins
+							hgen.incr(endTR,HTMLGen.TR)
+								.incr(endTD,HTMLGen.TD)
+									.leaf("label","for="+fields[4]).text("Administrators")
+								.end(endTD)
+								.incr(endTD,HTMLGen.TD)
+									.tagOnly("input","id="+fields[4],"title=Admins may be employees, contractors or mechIDs");
+									if(own_adm[1]!=null) {
+										for(String s : (List<String>)own_adm[1]) {
+											hgen.incr(HTMLGen.P,true).text(s).end();
+										}
+									}
+								hgen.end(endTR)
+						.end();
+					}
+				});
+				hgen.end();
+				hgen.tagOnly("input", "type=submit", "value=Submit")
+					.end();
+
+			}
+		});
+	}
+
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/NssShow.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/NssShow.java
new file mode 100644
index 00000000..02aedc5a
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/NssShow.java
@@ -0,0 +1,142 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+import java.net.ConnectException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.List;
+
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.auth.gui.Table;
+import org.onap.aaf.auth.gui.Table.Cells;
+import org.onap.aaf.auth.gui.table.AbsCell;
+import org.onap.aaf.auth.gui.table.RefCell;
+import org.onap.aaf.auth.gui.table.TableData;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.TimeTaken;
+
+import aaf.v2_0.Nss;
+import aaf.v2_0.Nss.Ns;
+
+public class NssShow extends Page {
+	public static final String HREF = "/gui/ns";
+
+	public NssShow(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env, "MyNamespaces",HREF, NO_FIELDS,
+				new BreadCrumbs(breadcrumbs), 
+				new Table<AAF_GUI,AuthzTrans>("Namespaces I administer",gui.env.newTransNoAvg(),new Model(true,"Administrator",gui.env), 
+						"class=std", "style=display: inline-block; width: 45%; margin: 10px;"),
+				new Table<AAF_GUI,AuthzTrans>("Namespaces I own",gui.env.newTransNoAvg(),new Model(false,"Owner",gui.env),
+						"class=std", "style=display: inline-block; width: 45%; margin: 10px;"));
+	}
+	
+	private static class Model extends TableData<AAF_GUI,AuthzTrans> {
+		private String[] headers;
+		private String privilege = null;
+		public final Slot sNssByUser;
+		private boolean isAdmin;
+
+		public Model(boolean admin, String privilege,AuthzEnv env) {
+			super();
+			headers = new String[] {privilege};
+			this.privilege = privilege;
+			isAdmin = admin;
+			sNssByUser = env.slot("NSS_SHOW_MODEL_DATA");
+		}
+
+		@Override
+		public String[] headers() {
+			return headers;
+		}
+		
+		@Override
+		public Cells get(final AuthzTrans trans, final AAF_GUI gui) {
+			ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+			List<Ns> nss = trans.get(sNssByUser, null);
+			if(nss==null) {
+				TimeTaken tt = trans.start("AAF Nss by User for " + privilege,Env.REMOTE);
+				try {
+					nss = gui.clientAsUser(trans.getUserPrincipal(), new Retryable<List<Ns>>() {
+						@Override
+						public List<Ns> code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+							List<Ns> nss = null;
+							Future<Nss> fp = client.read("/authz/nss/either/" + trans.user(),gui.getDF(Nss.class));
+							if(fp.get(AAF_GUI.TIMEOUT)) {
+								TimeTaken tt = trans.start("Load Data for " + privilege, Env.SUB);
+								try {
+									if(fp.value!=null) {
+										nss = fp.value.getNs();
+										Collections.sort(nss, new Comparator<Ns>() {
+											public int compare(Ns ns1, Ns ns2) {
+												return ns1.getName().compareToIgnoreCase(ns2.getName());
+											}
+										});
+										trans.put(sNssByUser,nss);
+									} 
+								} finally {
+									tt.done();
+								}
+							}else {
+								gui.writeError(trans, fp, null,0);
+							}
+							return nss;
+						}
+					});
+				} catch (Exception e) {
+					trans.error().log(e);
+				} finally {
+					tt.done();
+				}
+			}
+			
+			if(nss!=null) {
+				for(Ns n : nss) {
+					if((isAdmin && !n.getAdmin().isEmpty())
+					  || (!isAdmin && !n.getResponsible().isEmpty())) {
+						AbsCell[] sa = new AbsCell[] {
+							new RefCell(n.getName(),NsDetail.HREF
+									+"?ns="+n.getName(),false),
+						};
+						rv.add(sa);
+					}
+				}
+			}
+
+			return new Cells(rv,null);
+		}
+	}
+	
+
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PassChangeAction.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PassChangeAction.java
new file mode 100644
index 00000000..d0d03a7a
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PassChangeAction.java
@@ -0,0 +1,211 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+import java.net.ConnectException;
+import java.text.ParseException;
+import java.util.GregorianCalendar;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.cmd.user.Cred;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.auth.org.OrganizationFactory;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.util.Chrono;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+import aaf.v2_0.CredRequest;
+import aaf.v2_0.Users;
+
+public class PassChangeAction extends Page {
+
+	public PassChangeAction(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env,PassChangeForm.NAME,PassChangeForm.HREF, PassChangeForm.fields,
+			new BreadCrumbs(breadcrumbs),
+			new NamedCode(true,"content") {
+				final Slot sID = gui.env.slot(PassChangeForm.NAME+'.'+PassChangeForm.fields[0]);
+				final Slot sCurrPass = gui.env.slot(PassChangeForm.NAME+'.'+PassChangeForm.fields[1]);
+				final Slot sPassword = gui.env.slot(PassChangeForm.NAME+'.'+PassChangeForm.fields[2]);
+				final Slot sPassword2 = gui.env.slot(PassChangeForm.NAME+'.'+PassChangeForm.fields[3]);
+				final Slot startDate = gui.env.slot(PassChangeForm.NAME+'.'+PassChangeForm.fields[4]);
+				final Slot sNS = gui.env.slot(PassChangeForm.NAME+'.'+PassChangeForm.fields[5]);
+				
+				@Override
+				public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+					cache.dynamic(hgen, new DynamicCode<HTMLGen,AAF_GUI, AuthzTrans>() {
+						@Override
+						public void code(final AAF_GUI gui, final AuthzTrans trans,final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+							final String id = trans.get(sID,null);
+							final String currPass = trans.get(sCurrPass,null);
+							final String password = trans.get(sPassword,null);
+							final String password2 = trans.get(sPassword2,null);
+							final String ns = trans.get(sNS, null);
+							
+							// Run Validations
+							boolean fail = true;
+							
+							if (id==null || id.indexOf('@')<=0) {
+								hgen.p("Data Entry Failure: Please enter a valid ID, including domain.");
+							} else if(password == null || password2 == null) {
+								hgen.p("Data Entry Failure: Both Password Fields need entries.");
+							} else if(!password.equals(password2)) {
+								hgen.p("Data Entry Failure: Passwords do not match.");
+							} else { // everything else is checked by Server
+								final CredRequest cred = new CredRequest();
+								cred.setId(id);
+								cred.setPassword("".equals(currPass)?null:currPass);
+								try {
+									fail = gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Boolean>() {
+										@Override
+										public Boolean code(Rcli<?> client)throws CadiException, ConnectException, APIException {
+											boolean fail = true;
+											boolean go = false;
+											try {
+												Organization org = OrganizationFactory.obtain(trans.env(), id);
+												if(org!=null) {
+													go = PassChangeForm.skipCurrent(trans, org.getIdentity(trans, id));
+												}
+											} catch(OrganizationException e) {
+												trans.error().log(e);
+											}
+
+											if(cred.getPassword()==null) {
+												try {
+													if(!go) {
+														go=gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Boolean>() {
+															@Override
+															public Boolean code(Rcli<?> client)	throws CadiException, ConnectException, APIException {
+																Future<Users> fc = client.read("/authn/creds/id/"+id,gui.getDF(Users.class));
+																if(fc.get(AAFcli.timeout())) {
+																	GregorianCalendar now = new GregorianCalendar();
+																	for(aaf.v2_0.Users.User u : fc.value.getUser()) {
+																		if(u.getType()<10 && u.getExpires().toGregorianCalendar().after(now)) {
+																			return false; // an existing, non expired, password type exists
+																		}
+																	}
+																	return true; // no existing, no expired password
+																} else {
+																	if(fc.code()==404) { // not found... 
+																		return true;
+																	} else {
+																		trans.error().log(gui.aafCon.readableErrMsg(fc));
+																	}
+																}
+																return false;
+															}
+														});
+													}
+													if(!go) {
+														hgen.p("Current Password required").br();
+													}
+												} catch (LocatorException e) {
+													trans.error().log(e);
+												}
+
+											} else {
+												TimeTaken tt = trans.start("Check Current Password",Env.REMOTE);
+												try {
+													// Note: Need "Post", because of hiding password in SSL Data
+													Future<CredRequest> fcr = client.create("/authn/validate",gui.getDF(CredRequest.class),cred);
+													fcr.get(5000);
+													if(fcr.code() == 200) {
+														hgen.p("Current Password validated").br();
+														go = true;
+													} else {
+														hgen.p(Cred.ATTEMPT_FAILED_SPECIFICS_WITHELD).br();
+														trans.info().log("Failed Validation",fcr.code(),fcr.body());
+														go = false;
+													}
+												} finally {
+													tt.done();
+												}
+											}
+											if(go) {
+												TimeTaken tt = trans.start("AAF Change Password",Env.REMOTE);
+												try {
+													// Change over Cred to reset mode
+													cred.setPassword(password);
+													String start = trans.get(startDate, null);
+													if(start!=null) {
+														try {
+															cred.setStart(Chrono.timeStamp(Chrono.dateOnlyFmt.parse(start)));
+														} catch (ParseException e) {
+															throw new CadiException(e);
+														}
+													}
+													
+													Future<CredRequest> fcr = gui.clientAsUser(trans.getUserPrincipal()).create("/authn/cred",gui.getDF(CredRequest.class),cred);
+													if(fcr.get(AAFcli.timeout())) {
+														// Do Remote Call
+														hgen.p("New Password has been added.  The previous one is still valid until Expiration.");
+														fail = false;
+													} else {
+														hgen.p(Cred.ATTEMPT_FAILED_SPECIFICS_WITHELD).br();
+														trans.info().log("Failed Validation",fcr.code(),fcr.body());
+													}
+												} finally {
+													tt.done();
+												}
+											} 
+											return fail;
+										}
+										
+									});
+							} catch (Exception e) {
+								hgen.p("Unknown Error");
+								e.printStackTrace();
+							}
+								
+						}
+						hgen.br();
+						if(fail) {
+							hgen.incr(HTMLGen.A,true,"class=greenbutton","href="+PassChangeForm.HREF+"?id="+id).text("Try again").end();
+						} else {
+							if(ns==null) {
+								hgen.incr(HTMLGen.A,true,"class=greenbutton","href="+Home.HREF).text("Back").end();
+							} else {
+								hgen.incr(HTMLGen.A,true,"class=greenbutton","href="+CredDetail.HREF+"?id="+id+"&ns="+ns).text("Back").end();
+							}
+						}
+					}
+				});
+			}
+		});
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PassChangeForm.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PassChangeForm.java
new file mode 100644
index 00000000..897796d6
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PassChangeForm.java
@@ -0,0 +1,205 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import static org.onap.aaf.misc.xgen.html.HTMLGen.TABLE;
+
+import java.io.IOException;
+import java.net.ConnectException;
+import java.util.GregorianCalendar;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.auth.org.OrganizationFactory;
+import org.onap.aaf.auth.org.Organization.Identity;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.Mark;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+import aaf.v2_0.Users;
+
+public class PassChangeForm extends Page {
+	// Package on purpose
+	static final String HREF = "/gui/passwd";
+	static final String NAME = "PassChange";
+	static final String fields[] = {"id","current","password","password2","startDate","ns"};
+	
+	public PassChangeForm(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env,NAME,HREF, fields,
+			new BreadCrumbs(breadcrumbs),
+			new NamedCode(true,NAME) {	
+				private final Slot sID = gui.env.slot(PassChangeForm.NAME+'.'+PassChangeForm.fields[0]);
+				@Override
+				public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+					
+					// p tags not closing right using .p() - causes issues in IE8 password form - so using leaf for the moment
+					hgen.incr(HTMLGen.H4,true,"style=margin: 0em 0em .4em 0em")
+						.text("You are <i>adding</i> a New Password in the AAF System.")
+						.end();
+
+					Mark form = new Mark();
+					hgen.incr(form,"form","method=post");
+					
+					Mark table = new Mark(TABLE);
+					hgen.incr(table);
+
+					cache.dynamic(hgen, new DynamicCode<HTMLGen, AAF_GUI, AuthzTrans>() {
+						@Override
+						public void code(final AAF_GUI gui, final AuthzTrans trans,	final Cache<HTMLGen> cache, final HTMLGen hgen)	throws APIException, IOException {
+							String incomingID= trans.get(sID, "");
+							boolean skipCurrent = false;
+							if(incomingID.length()>0) {
+								try {
+									Organization org = OrganizationFactory.obtain(trans.env(), incomingID);
+									if(org==null) {
+										hgen.incr(HTMLGen.H4,"style=color:red;").text("Error: There is no supported company for ").text(incomingID).end();
+									} else {
+										Identity user = org.getIdentity(trans, incomingID);
+										if(user==null) {
+											int at = incomingID.indexOf('@');
+											hgen.incr(HTMLGen.H4,"style=color:red;").text("Error: You are not the sponsor of '").text(at<0?incomingID:incomingID.substring(0,at))
+												.text("' defined at ").text(org.getName()).end();
+											incomingID = "";
+										} else {
+											// Owners/or the IDs themselves are allowed to reset password without previous one
+											skipCurrent=skipCurrent(trans, user);
+											
+											if(!skipCurrent) {
+												final String id = incomingID;
+												try {
+													skipCurrent=gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Boolean>() {
+														@Override
+														public Boolean code(Rcli<?> client)	throws CadiException, ConnectException, APIException {
+															Future<Users> fc = client.read("/authn/creds/id/"+id,gui.getDF(Users.class));
+															if(fc.get(AAFcli.timeout())) {
+																GregorianCalendar now = new GregorianCalendar();
+																for(aaf.v2_0.Users.User u : fc.value.getUser()) {
+																	if(u.getType()<10 && u.getType()>=1 && u.getExpires().toGregorianCalendar().after(now)) {
+																		return false; // an existing, non expired, password type exists
+																	}
+																}
+																return true; // no existing, no expired password
+															} else {
+																if(fc.code()==404) { // not found... 
+																	return true;
+																} else {
+																	trans.error().log(gui.aafCon.readableErrMsg(fc));
+																}
+															}
+															return false;
+														}
+													});
+												} catch (LocatorException | CadiException e) {
+													trans.error().log(e);
+												}
+											}
+										}
+									}									
+								} catch (OrganizationException e) {
+									hgen.incr(HTMLGen.H4,"style=color:red;").text("Error: ")
+										.text(e.getMessage()).end();
+								}
+							}
+							
+							hgen.input(fields[0],"ID*",true,"value="+incomingID,(incomingID.length()==0?"":"readonly"));
+							if(!skipCurrent) {
+								hgen.input(fields[1],"Current Password*",true,"type=password");
+							}
+							if(skipCurrent) {
+								hgen.input(fields[1],"",false,"type=hidden", "value=").end();
+							}
+
+							hgen.input(fields[2],"New Password*",true, "type=password")
+								.input(fields[3], "Reenter New Password*",true, "type=password")
+			//						.input(fields[3],"Start Date",false,"type=date", "value="+
+			//								Chrono.dateOnlyFmt.format(new Date(System.currentTimeMillis()))
+			//								)
+								.end(table);
+
+						}
+
+					});
+					hgen.tagOnly("input", "type=submit", "value=Submit")
+						.end(form)
+						.br()
+					    .p("All AAF Passwords continue to be valid until their listed expiration dates.  ",
+					       "This allows you to migrate services to this new password until the old ones expire.").br().br()
+					    .p("Note: You must be an Admin of the Namespace where the MechID is defined.").br()
+					    ;
+					
+					Mark div = hgen.divID("passwordRules");
+					cache.dynamic(hgen, new DynamicCode<HTMLGen, AAF_GUI, AuthzTrans>() {
+						@Override
+						public void code(final AAF_GUI gui, final AuthzTrans trans,	final Cache<HTMLGen> cache, final HTMLGen hgen)	throws APIException, IOException {
+							try {
+								Organization org = OrganizationFactory.obtain(trans.env(),trans.getUserPrincipal().getName());
+								if(org!=null) {
+									hgen.incr(HTMLGen.H4).text("Password Rules for ").text(org.getName()).end()
+									    .incr(HTMLGen.UL);
+									for(String line : org.getPasswordRules()) {
+										hgen.leaf(HTMLGen.LI).text(line).end();
+									}
+									hgen.end();
+								}
+							} catch (OrganizationException e) {
+								hgen.p("No Password Rules can be found for company of ID ",trans.getUserPrincipal().getName()).br();
+							}
+						}
+					});
+					hgen.end(div);
+				}
+			}
+		);
+	}
+
+	// Package on Purpose
+	static boolean skipCurrent(AuthzTrans trans, Identity user) throws OrganizationException {
+		if(user!=null) {
+			// Should this be an abstractable Policy?
+			String tuser = trans.user();
+			if(user.fullID().equals(trans.user())) {
+				return true;
+			} else {
+				Identity manager = user.responsibleTo();
+				if(tuser.equals(user.fullID()) || manager.isFound()) {
+					return true;
+				}
+			}
+		}
+		return false;
+	}
+
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PassDeleteAction.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PassDeleteAction.java
new file mode 100644
index 00000000..49daf022
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PassDeleteAction.java
@@ -0,0 +1,88 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+import java.net.ConnectException;
+
+import org.onap.aaf.auth.cmd.AAFcli;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.auth.gui.SlotCode;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+import aaf.v2_0.CredRequest;
+
+public class PassDeleteAction extends Page {
+	public static final String NAME = "PassDeleteAction";
+	public static final String HREF = "/gui/passdelete";
+	private static enum Params{id,date,ns,type};
+	
+	public PassDeleteAction(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env,NAME,HREF,Params.values(),
+			new BreadCrumbs(breadcrumbs),
+			new SlotCode<AuthzTrans>(true,gui.env,NAME,Params.values()) {
+				@Override
+				public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+					cache.dynamic(hgen, new DynamicCode<HTMLGen,AAF_GUI, AuthzTrans>() {
+						@Override
+						public void code(final AAF_GUI gui, final AuthzTrans trans,final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+							final CredRequest cr = new CredRequest();
+							cr.setId(get(trans,Params.id, ""));
+							cr.setType(Integer.parseInt(get(trans,Params.type, "0")));
+							cr.setEntry(get(trans,Params.date,"1960-01-01"));
+							try {
+								String err = gui.clientAsUser(trans.getUserPrincipal(), new Retryable<String>() {
+									@Override
+									public String code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+										Future<CredRequest> fcr = client.delete("/authn/cred", gui.getDF(CredRequest.class),cr);
+										if(!fcr.get(AAFcli.timeout())) {
+											return gui.aafCon.readableErrMsg(fcr);
+										}
+										return null;
+									}
+								});
+								if(err==null) {
+									hgen.p("Password " + cr.getId() + ", " + cr.getEntry() + " is Deleted");
+								} else {
+									hgen.p(err);
+								}
+							} catch (LocatorException | CadiException e) {
+								throw new APIException(e);
+							}
+						}
+					});
+				}
+			}
+		);
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PendingRequestsShow.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PendingRequestsShow.java
new file mode 100644
index 00000000..e55d803c
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PendingRequestsShow.java
@@ -0,0 +1,193 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+import java.net.ConnectException;
+import java.text.DateFormat;
+import java.text.SimpleDateFormat;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.List;
+import java.util.UUID;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.auth.gui.Table;
+import org.onap.aaf.auth.gui.Table.Cells;
+import org.onap.aaf.auth.gui.table.AbsCell;
+import org.onap.aaf.auth.gui.table.RefCell;
+import org.onap.aaf.auth.gui.table.TableData;
+import org.onap.aaf.auth.gui.table.TextCell;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+import aaf.v2_0.Approval;
+import aaf.v2_0.Approvals;
+
+public class PendingRequestsShow extends Page {
+	public static final String HREF = "/gui/myrequests";
+	public static final String NAME = "MyRequests";
+	static final String WEBPHONE = "http://webphone.att.com/cgi-bin/webphones.pl?id=";
+	private static DateFormat createdDF = new SimpleDateFormat("yyyy-MM-dd");
+	
+	public PendingRequestsShow(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env, NAME,HREF, NO_FIELDS,
+			new BreadCrumbs(breadcrumbs), 
+			new NamedCode(true,"expedite") {
+			@Override
+			public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+				cache.dynamic(hgen, new DynamicCode<HTMLGen, AAF_GUI, AuthzTrans>() {
+					@Override
+					public void code(final AAF_GUI gui, final AuthzTrans trans,	final Cache<HTMLGen> cache, final HTMLGen hgen)	throws APIException, IOException {
+						hgen
+							.leaf("p", "class=expedite_request").text("These are your submitted Requests that are awaiting Approval. ")
+							.br()
+							.text("To Expedite a Request: ")
+							.leaf("a","href=#expedite_directions","onclick=divVisibility('expedite_directions');")
+								.text("Click Here").end()
+							.divID("expedite_directions", "style=display:none");
+						hgen
+							.incr(HTMLGen.OL)
+							.incr(HTMLGen.LI)
+							.leaf("a","href="+ApprovalForm.HREF+"?user="+trans.user(), "id=userApprove")
+							.text("Copy This Link")
+							.end()
+							.end()
+							.incr(HTMLGen.LI)
+							.text("Send it to the Approver Listed")
+							.end()
+							.end()
+							.text("NOTE: Using this link, the Approver will only see your requests. You only need to send this link once!")
+							.end()
+							.end();
+					}
+				});
+			}
+		},
+			new Table<AAF_GUI,AuthzTrans>("Pending Requests",gui.env.newTransNoAvg(),new Model(), "class=std")
+		);
+					
+
+	}
+
+	/**
+	 * Implement the Table Content for Requests by User
+	 * 
+	 * @author Jeremiah
+	 *
+	 */
+	private static class Model extends TableData<AAF_GUI,AuthzTrans> {
+		private static final String CSP_ATT_COM = "@csp.att.com";
+		final long NUM_100NS_INTERVALS_SINCE_UUID_EPOCH = 0x01b21dd213814000L;
+		private static final String[] headers = new String[] {"Request Date","Status","Memo","Approver"};
+
+		@Override
+		public String[] headers() {
+			return headers;
+		}
+		
+		@Override
+		public Cells get(final AuthzTrans trans, final AAF_GUI gui) {
+			final ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+			try {
+				gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {
+					@Override
+					public Void code(Rcli<?> client)throws CadiException, ConnectException, APIException {
+						TimeTaken tt = trans.start("AAF Get Approvals by User",Env.REMOTE);
+						try {
+							Future<Approvals> fa = client.read("/authz/approval/user/"+trans.user(),gui.getDF(Approvals.class));
+							if(fa.get(5000)) {
+								tt.done();
+								tt = trans.start("Load Data", Env.SUB);
+								if(fa.value!=null) {
+									List<Approval> approvals = fa.value.getApprovals();
+									Collections.sort(approvals, new Comparator<Approval>() {
+										@Override
+										public int compare(Approval a1, Approval a2) {
+											UUID id1 = UUID.fromString(a1.getId());
+											UUID id2 = UUID.fromString(a2.getId());
+											return id1.timestamp()<=id2.timestamp()?1:-1;
+										}
+									});
+									
+									String prevTicket = null;
+									for(Approval a : approvals) {
+										String approver = a.getApprover();
+										String approverShort = approver.substring(0,approver.indexOf('@'));
+										
+										AbsCell tsCell = null;
+										String ticket = a.getTicket();
+										if (ticket==null || ticket.equals(prevTicket)) {
+											tsCell = AbsCell.Null;
+										} else {
+											UUID id = UUID.fromString(a.getId());
+											tsCell = new RefCell(createdDF.format((id.timestamp() - NUM_100NS_INTERVALS_SINCE_UUID_EPOCH)/10000),
+													RequestDetail.HREF + "?ticket=" + ticket,false);
+											prevTicket = ticket;
+										}
+										
+										AbsCell approverCell = null;
+										if (approver.endsWith(CSP_ATT_COM)) {
+											approverCell = new RefCell(approver, WEBPHONE + approverShort,true);
+										} else {
+											approverCell = new TextCell(approver);
+										}
+										AbsCell[] sa = new AbsCell[] {
+											tsCell,
+											new TextCell(a.getStatus()),
+											new TextCell(a.getMemo()),
+											approverCell
+										};
+										rv.add(sa);
+									}
+								}
+							} else {
+								gui.writeError(trans, fa, null, 0);
+							}
+						} finally {
+							tt.done();
+						}
+
+
+						return null;
+					}
+				});
+			} catch (Exception e) {
+				trans.error().log(e);
+			}
+			return new Cells(rv,null);
+		}
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermDetail.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermDetail.java
new file mode 100644
index 00000000..822d0bf4
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermDetail.java
@@ -0,0 +1,160 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+import java.net.ConnectException;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.eclipse.jetty.http.HttpStatus;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.auth.gui.Table;
+import org.onap.aaf.auth.gui.Table.Cells;
+import org.onap.aaf.auth.gui.table.AbsCell;
+import org.onap.aaf.auth.gui.table.RefCell;
+import org.onap.aaf.auth.gui.table.TableData;
+import org.onap.aaf.auth.gui.table.TextCell;
+import org.onap.aaf.auth.validation.Validator;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.TimeTaken;
+
+import aaf.v2_0.Perm;
+import aaf.v2_0.Perms;
+
+/**
+ * Detail Page for Permissions
+ * 
+ * @author Jonathan
+ *
+ */
+public class PermDetail extends Page {
+	public static final String HREF = "/gui/permdetail";
+	public static final String NAME = "PermDetail";
+	private static final String BLANK = "";
+
+	public PermDetail(final AAF_GUI gui, Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env, NAME, HREF, new String[] {"type","instance","action"},
+				new BreadCrumbs(breadcrumbs),
+				new Table<AAF_GUI,AuthzTrans>("Permission Details",gui.env.newTransNoAvg(),new Model(gui.env),"class=detail")
+				);
+	}
+
+	/**
+	 * Implement the table content for Permissions Detail
+	 * 
+	 * @author Jonathan
+	 *
+	 */
+	private static class Model extends TableData<AAF_GUI,AuthzTrans> {
+		private Slot type, instance, action;
+		public Model(AuthzEnv env) {
+			type = env.slot(NAME+".type");
+			instance = env.slot(NAME+".instance");
+			action = env.slot(NAME+".action");
+		}
+
+		public Cells get(final AuthzTrans trans, final AAF_GUI gui) {
+			final String pType = trans.get(type, null);
+			final String pInstance = trans.get(instance, null);
+			final String pAction = trans.get(action, null);
+			Validator v = new Validator();
+			v.permType(pType)
+			 .permInstance(pInstance)
+			 .permAction(pAction);
+			
+			if(v.err()) {
+				trans.warn().printf("Error in PermDetail Request: %s", v.errs());
+				return Cells.EMPTY;
+			}
+			final ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+			rv.add(new AbsCell[]{new TextCell("Type:"),new TextCell(pType)});
+			rv.add(new AbsCell[]{new TextCell("Instance:"),new TextCell(pInstance)});
+			rv.add(new AbsCell[]{new TextCell("Action:"),new TextCell(pAction)});
+			try {
+				gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {
+					@Override
+					public Void code(Rcli<?> client)throws CadiException, ConnectException, APIException {
+						TimeTaken tt = trans.start("AAF Perm Details",Env.REMOTE);
+						try {
+							Future<Perms> fp= client.read("/authz/perms/"+pType + '/' + pInstance + '/' + pAction,gui.getDF(Perms.class));
+					
+							if(fp.get(AAF_GUI.TIMEOUT)) {
+								tt.done();
+								tt = trans.start("Load Data", Env.SUB);
+								List<Perm> ps = fp.value.getPerm();
+								if(!ps.isEmpty()) {
+									Perm perm = fp.value.getPerm().get(0);
+									String desc = (perm.getDescription()!=null?perm.getDescription():BLANK);
+									rv.add(new AbsCell[]{new TextCell("Description:"),new TextCell(desc)});
+									boolean first=true;
+									for(String r : perm.getRoles()) {
+										if(first){
+											first=false;
+											rv.add(new AbsCell[] {
+													new TextCell("Associated Roles:"),
+													new TextCell(r)
+												});
+										} else {
+											rv.add(new AbsCell[] {
+												AbsCell.Null,
+												new TextCell(r)
+											});
+										}
+									}
+								}
+								String historyLink = PermHistory.HREF 
+										+ "?type=" + pType + "&instance=" + pInstance + "&action=" + pAction;
+								
+								rv.add(new AbsCell[] {new RefCell("See History",historyLink,false)});
+							} else {
+								rv.add(new AbsCell[] {new TextCell(
+									fp.code()==HttpStatus.NOT_FOUND_404?
+										"*** Implicit Permission ***":
+										"*** Data Unavailable ***"
+										)});
+							}
+						} finally {
+							tt.done();
+						}
+
+						return null;
+					}
+				});
+			} catch (Exception e) {
+				e.printStackTrace();
+			}
+			return new Cells(rv,null);
+		}
+	}
+}		
+		
+\ No newline at end of file
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermGrantAction.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermGrantAction.java
new file mode 100644
index 00000000..dd854660
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermGrantAction.java
@@ -0,0 +1,135 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+import java.net.ConnectException;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+import aaf.v2_0.Pkey;
+import aaf.v2_0.RolePermRequest;
+
+public class PermGrantAction extends Page {
+	
+	
+	public PermGrantAction(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env,PermGrantForm.NAME, PermGrantForm.HREF, PermGrantForm.fields,
+			new BreadCrumbs(breadcrumbs),
+			new NamedCode(true,"content") {
+				final Slot sType = gui.env.slot(PermGrantForm.NAME+'.'+PermGrantForm.fields[0]);
+				final Slot sInstance = gui.env.slot(PermGrantForm.NAME+'.'+PermGrantForm.fields[1]);
+				final Slot sAction = gui.env.slot(PermGrantForm.NAME+'.'+PermGrantForm.fields[2]);
+				final Slot sRole = gui.env.slot(PermGrantForm.NAME+'.'+PermGrantForm.fields[3]);
+				
+				@Override
+				public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+					cache.dynamic(hgen, new DynamicCode<HTMLGen,AAF_GUI, AuthzTrans>() {
+						@Override
+						public void code(final AAF_GUI gui, final AuthzTrans trans,final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+
+							String type = trans.get(sType,null);
+							String instance = trans.get(sInstance,null);
+							String action = trans.get(sAction,null);
+							String role = trans.get(sRole,null);
+							
+							String lastPage = PermGrantForm.HREF 
+									+ "?type=" + type + "&instance=" + instance + "&action=" + action;
+							
+							// Run Validations
+							boolean fail = true;
+						
+							TimeTaken tt = trans.start("AAF Grant Permission to Role",Env.REMOTE);
+							try {
+								
+								final RolePermRequest grantReq = new RolePermRequest();
+								Pkey pkey = new Pkey();
+								pkey.setType(type);
+								pkey.setInstance(instance);
+								pkey.setAction(action);
+								grantReq.setPerm(pkey);
+								grantReq.setRole(role);
+								
+								fail = gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Boolean>() {
+									@Override
+									public Boolean code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+										boolean fail = true;
+										Future<RolePermRequest> fgrant = client.create(
+												"/authz/role/perm",
+												gui.getDF(RolePermRequest.class),
+												grantReq
+												);
+
+										if(fgrant.get(5000)) {
+											hgen.p("Permission has been granted to role.");
+											fail = false;
+										} else {
+											if (202==fgrant.code()) {
+												hgen.p("Permission Grant Request sent, but must be Approved before actualizing");
+												fail = false;
+											} else {
+												gui.writeError(trans, fgrant, hgen, 0);
+											}
+										}
+										return fail;
+									}
+								});
+							} catch (Exception e) {
+								hgen.p("Unknown Error");
+								e.printStackTrace();
+							} finally {
+								tt.done();
+							}
+								
+							hgen.br();
+							hgen.incr("a",true,"href="+lastPage);
+							if (fail) {
+								hgen.text("Try again");
+							} else {
+								hgen.text("Grant this Permission to Another Role");
+							}
+							hgen.end();
+							hgen.js()
+								.text("alterLink('permgrant', '"+lastPage + "');")							
+								.done();
+
+						}
+					});
+				}
+			});
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermGrantForm.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermGrantForm.java
new file mode 100644
index 00000000..1c5bc4c1
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermGrantForm.java
@@ -0,0 +1,157 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import static org.onap.aaf.misc.xgen.html.HTMLGen.TABLE;
+
+import java.io.IOException;
+import java.net.ConnectException;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.Mark;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+import aaf.v2_0.Role;
+import aaf.v2_0.Roles;
+
+public class PermGrantForm extends Page {
+	static final String HREF = "/gui/permgrant";
+	static final String NAME = "Permission Grant";
+	static final String fields[] = {"type","instance","action","role"};
+	
+	public PermGrantForm(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env,NAME,HREF, fields,
+			new BreadCrumbs(breadcrumbs),
+			new NamedCode(true,"content") {
+			@Override
+			public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+				final Slot type = gui.env.slot(NAME+".type");
+				final Slot instance = gui.env.slot(NAME+".instance");
+				final Slot action = gui.env.slot(NAME+".action");
+				final Slot role = gui.env.slot(NAME+".role");
+				// p tags not closing right using .p() - causes issues in IE8 password form - so using leaf for the moment
+				hgen.leaf("p").text("Choose a role to grant to this permission").end()
+					.incr("form","method=post");
+				Mark table = new Mark(TABLE);
+				hgen.incr(table);
+				cache.dynamic(hgen, new DynamicCode<HTMLGen, AAF_GUI, AuthzTrans>() {
+					@Override
+					public void code(final AAF_GUI gui, final AuthzTrans trans,	final Cache<HTMLGen> cache, final HTMLGen hgen)	throws APIException, IOException {
+						
+						Mark copyRoleJS = new Mark();
+						hgen.js(copyRoleJS);
+						hgen.text("function copyRole(role) {");
+						hgen.text("var txtRole = document.querySelector(\"#role\");");
+//						hgen.text("if (role==;");
+						hgen.text("txtRole.value=role;");
+						hgen.text("}");
+						hgen.end(copyRoleJS);
+						
+						String typeValue = trans.get(type, "");
+						String instanceValue = trans.get(instance, "");
+						String actionValue = trans.get(action, "");
+						String roleValue = trans.get(role,null);
+						List<String> myRoles = getMyRoles(gui, trans);
+						hgen
+						.input(fields[0],"Perm Type",true,"value="+typeValue,"disabled")
+						.input(fields[1],"Perm Instance",true,"value="+instanceValue,"disabled")
+						.input(fields[2],"Perm Action",true,"value="+actionValue,"disabled");
+						
+						// select & options are not an input type, so we must create table row & cell tags
+						Mark selectRow = new Mark();
+						hgen
+						.incr(selectRow, "tr")
+						.incr("td")
+						.incr("label", "for=myroles", "required").text("My Roles").end()
+						.end()
+						.incr("td")
+						.incr("select", "name=myroles", "id=myroles", "onchange=copyRole(this.value)")
+						.incr("option", "value=").text("Select one of my roles").end();
+						for (String role : myRoles) {
+							hgen.incr("option", "value="+role).text(role).end();
+						}
+						hgen
+						.incr("option", "value=").text("Other").end()					
+						.end(selectRow);
+						if(roleValue==null) {
+							hgen.input(fields[3],"Role", true, "placeholder=or type a role here");
+						} else {
+							hgen.input(fields[3],"Role",true, "value="+roleValue);
+						}
+						hgen.end();
+					}
+				});
+				hgen.end();
+				hgen.tagOnly("input", "type=submit", "value=Submit")
+				.end();
+
+			}
+		});
+	}
+		
+	private static List<String> getMyRoles(final AAF_GUI gui, final AuthzTrans trans) {
+		final List<String> myRoles = new ArrayList<String>();
+		try {
+			gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {
+				@Override
+				public Void code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+					TimeTaken tt = trans.start("AAF get my roles",Env.REMOTE);
+					try {
+						Future<Roles> fr = client.read("/authz/roles/user/"+trans.user(),gui.getDF(Roles.class));
+						if(fr.get(5000)) {
+							tt.done();
+							tt = trans.start("Load Data", Env.SUB);
+							if (fr.value != null) for (Role r : fr.value.getRole()) {
+								myRoles.add(r.getName());
+							}
+						} else {
+							gui.writeError(trans, fr, null, 0);
+						}
+					} finally {
+						tt.done();
+					}
+					return null;
+				}
+			});
+		} catch (Exception e) {
+			e.printStackTrace();
+		}
+
+		return myRoles;
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermHistory.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermHistory.java
new file mode 100644
index 00000000..45f8b22e
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermHistory.java
@@ -0,0 +1,243 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+
+import java.io.IOException;
+import java.net.ConnectException;
+import java.util.ArrayList;
+import java.util.Calendar;
+import java.util.Comparator;
+import java.util.List;
+
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.auth.gui.Table;
+import org.onap.aaf.auth.gui.Table.Cells;
+import org.onap.aaf.auth.gui.table.AbsCell;
+import org.onap.aaf.auth.gui.table.RefCell;
+import org.onap.aaf.auth.gui.table.TableData;
+import org.onap.aaf.auth.gui.table.TextCell;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+import aaf.v2_0.History;
+import aaf.v2_0.History.Item;
+
+
+public class PermHistory extends Page {
+	static final String NAME="PermHistory";
+	static final String HREF = "/gui/permHistory";
+	static final String FIELDS[] = {"type","instance","action","dates"};
+	static final String WEBPHONE = "http://webphone.att.com/cgi-bin/webphones.pl?id=";
+	static enum Month { JANUARY, FEBRUARY, MARCH, APRIL, MAY, JUNE, JULY, 
+		AUGUST, SEPTEMBER, OCTOBER, NOVEMBER, DECEMBER };
+	
+	public PermHistory(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env,NAME,HREF, FIELDS,
+			new BreadCrumbs(breadcrumbs),
+			new Table<AAF_GUI,AuthzTrans>("History", gui.env.newTransNoAvg(),new Model(gui.env),"class=std"),
+			new NamedCode(true, "content") {
+				@Override
+				public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+					final Slot sType = gui.env.slot(NAME+".type");
+					final Slot sInstance = gui.env.slot(NAME+".instance");
+					final Slot sAction = gui.env.slot(NAME+".action");
+					cache.dynamic(hgen, new DynamicCode<HTMLGen, AAF_GUI, AuthzTrans>() {
+						@Override
+						public void code(final AAF_GUI gui, final AuthzTrans trans,	final Cache<HTMLGen> cache, final HTMLGen hgen)	throws APIException, IOException {
+							String type = trans.get(sType, null);
+							String instance = trans.get(sInstance,null);
+							String action = trans.get(sAction,null);
+							
+							// Use Javascript to make the table title more descriptive
+							hgen.js()
+							.text("var caption = document.querySelector(\".title\");")
+							.text("caption.innerHTML='History for Permission [ " + type + " ]';")						
+							.done();
+							
+							// Use Javascript to change Link Target to our last visited Detail page
+							String lastPage = PermDetail.HREF + "?type=" + type
+									+ "&instance=" + instance
+									+ "&action=" + action;
+							hgen.js()
+								.text("alterLink('permdetail', '"+lastPage + "');")							
+								.done();
+							
+							hgen.br();
+							hgen.leaf("a", "href=#advanced_search", "onclick=divVisibility('advanced_search');").text("Advanced Search").end()
+								.divID("advanced_search", "style=display:none");
+							hgen.incr("table");
+								
+							addDateRow(hgen,"Start Date");
+							addDateRow(hgen,"End Date");
+							hgen.incr("tr").incr("td");
+							hgen.tagOnly("input", "type=button","value=Get History",
+									"onclick=datesURL('"+HREF+"?type=" + type
+									+ "&instance=" + instance
+									+ "&action=" + action+"');");
+							hgen.end().end();
+							hgen.end();
+							hgen.end();
+						}
+					});
+				}
+			}
+
+			);
+		
+	}
+	
+	private static void addDateRow(HTMLGen hgen, String s) {
+		hgen
+			.incr("tr")
+			.incr("td")
+			.incr("label", "for=month", "required").text(s+"*").end()
+			.end()
+			.incr("td")
+			.incr("select", "name=month"+s.substring(0, s.indexOf(' ')), "id=month"+s.substring(0, s.indexOf(' ')), "required")
+			.incr("option", "value=").text("Month").end();
+		for (Month m : Month.values()) {
+			if (Calendar.getInstance().get(Calendar.MONTH) == m.ordinal()) {
+				hgen.incr("option", "selected", "value="+(m.ordinal()+1)).text(m.name()).end();
+			} else {
+				hgen.incr("option", "value="+(m.ordinal()+1)).text(m.name()).end();
+			}
+		}
+		hgen.end()
+			.end()
+			.incr("td")
+			.tagOnly("input","type=number","id=year"+s.substring(0, s.indexOf(' ')),"required",
+					"value="+Calendar.getInstance().get(Calendar.YEAR), "min=1900", 
+					"max="+Calendar.getInstance().get(Calendar.YEAR),
+					"placeholder=Year").end()
+			.end();
+	}
+	
+	/**
+	 * Implement the Table Content for History
+	 * 
+	 * @author Jeremiah
+	 *
+	 */
+	private static class Model extends TableData<AAF_GUI,AuthzTrans> {
+		private static final String CSP_ATT_COM = "@csp.att.com";
+		private static final String[] headers = new String[] {"Date","User","Memo"};
+		private Slot sType;
+		private Slot sDates;
+		
+		public Model(AuthzEnv env) {
+			sType = env.slot(NAME+".type");
+			sDates = env.slot(NAME+".dates");
+		}
+		
+		@Override
+		public String[] headers() {
+			return headers;
+		}
+		
+		@Override
+		public Cells get(final AuthzTrans trans, final AAF_GUI gui) {
+			final String oName = trans.get(sType,null);
+			final String oDates = trans.get(sDates,null);
+			
+			if(oName==null) {
+				return Cells.EMPTY;
+			}
+			
+			final ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+			String msg = null;
+			try {
+				gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {
+					@Override
+					public Void code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+						TimeTaken tt = trans.start("AAF Get History for Permission ["+oName+"]",Env.REMOTE);
+						try {
+							if (oDates != null) {
+								client.setQueryParams("yyyymm="+oDates);
+							}
+							Future<History> fh = client.read(
+								"/authz/hist/perm/"+oName,
+								gui.getDF(History.class)
+								);
+							
+							
+							if (fh.get(AAF_GUI.TIMEOUT)) {
+								tt.done();
+								tt = trans.start("Load History Data", Env.SUB);
+								List<Item> histItems = fh.value.getItem();
+								
+								java.util.Collections.sort(histItems, new Comparator<Item>() {
+									@Override
+									public int compare(Item o1, Item o2) {
+										return o2.getTimestamp().compare(o1.getTimestamp());
+									}
+								});
+								
+								for (Item i : histItems) {
+									String user = i.getUser();
+									AbsCell userCell = (user.endsWith(CSP_ATT_COM)?
+											new RefCell(user,WEBPHONE + user.substring(0,user.indexOf('@')),true):new TextCell(user));
+									
+									rv.add(new AbsCell[] {
+											new TextCell(i.getTimestamp().toGregorianCalendar().getTime().toString()),
+											userCell,
+											new TextCell(i.getMemo())
+									});
+								}
+								
+							} else {
+								if (fh.code()==403) {
+									rv.add(new AbsCell[] {new TextCell("You may not view History of Permission [" + oName + "]", "colspan = 3", "class=center")});
+								} else {
+									rv.add(new AbsCell[] {new TextCell("*** Data Unavailable ***", "colspan = 3", "class=center")});
+								}
+							}
+						} finally {
+							tt.done();
+						}
+
+						return null;
+					}
+				});
+				
+			} catch (Exception e) {
+				trans.error().log(e);
+			}
+		return new Cells(rv,msg);
+		}
+	}
+
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermsShow.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermsShow.java
new file mode 100644
index 00000000..5f5c2874
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermsShow.java
@@ -0,0 +1,121 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+import java.net.ConnectException;
+import java.util.ArrayList;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.auth.gui.Table;
+import org.onap.aaf.auth.gui.Table.Cells;
+import org.onap.aaf.auth.gui.table.AbsCell;
+import org.onap.aaf.auth.gui.table.RefCell;
+import org.onap.aaf.auth.gui.table.TableData;
+import org.onap.aaf.auth.gui.table.TextCell;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+
+import aaf.v2_0.Perm;
+import aaf.v2_0.Perms;
+
+/**
+ * Page content for My Permissions
+ * 
+ * @author Jonathan
+ *
+ */
+public class PermsShow extends Page {
+	public static final String HREF = "/gui/myperms";
+	
+	public PermsShow(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env, "MyPerms",HREF, NO_FIELDS,
+			new BreadCrumbs(breadcrumbs), 
+			new Table<AAF_GUI,AuthzTrans>("Permissions",gui.env.newTransNoAvg(),new Model(), "class=std"));
+	}
+
+	/**
+	 * Implement the Table Content for Permissions by User
+	 * 
+	 * @author Jonathan
+	 *
+	 */
+	private static class Model extends TableData<AAF_GUI,AuthzTrans> {
+		private static final String[] headers = new String[] {"Type","Instance","Action"};
+
+		@Override
+		public String[] headers() {
+			return headers;
+		}
+		
+		@Override
+		public Cells get(final AuthzTrans trans, final AAF_GUI gui) {
+			final ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+			TimeTaken tt = trans.start("AAF Perms by User",Env.REMOTE);
+			try {
+				gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {
+					@Override
+					public Void code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+						Future<Perms> fp = client.read("/authz/perms/user/"+trans.user(), gui.getDF(Perms.class));
+						if(fp.get(5000)) {
+							TimeTaken ttld = trans.start("Load Data", Env.SUB);
+							try {
+								if(fp.value!=null) {	
+									for(Perm p : fp.value.getPerm()) {
+										AbsCell[] sa = new AbsCell[] {
+											new RefCell(p.getType(),PermDetail.HREF
+													+"?type="+p.getType()
+													+"&amp;instance="+p.getInstance()
+													+"&amp;action="+p.getAction(),
+													false),
+											new TextCell(p.getInstance()),
+											new TextCell(p.getAction())
+										};
+										rv.add(sa);
+									}
+								} else {
+									gui.writeError(trans, fp, null,0);
+								}
+							} finally {
+								ttld.done();
+							}
+						}
+						return null;
+					}
+				});
+			} catch (Exception e) {
+				trans.error().log(e);
+			} finally {
+				tt.done();
+			}
+			return new Cells(rv,null);
+		}
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RequestDetail.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RequestDetail.java
new file mode 100644
index 00000000..852bbd44
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RequestDetail.java
@@ -0,0 +1,190 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+import java.net.ConnectException;
+import java.text.DateFormat;
+import java.text.SimpleDateFormat;
+import java.util.ArrayList;
+import java.util.UUID;
+
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.auth.gui.Table;
+import org.onap.aaf.auth.gui.Table.Cells;
+import org.onap.aaf.auth.gui.table.AbsCell;
+import org.onap.aaf.auth.gui.table.RefCell;
+import org.onap.aaf.auth.gui.table.TableData;
+import org.onap.aaf.auth.gui.table.TextCell;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.TimeTaken;
+
+import aaf.v2_0.Approval;
+import aaf.v2_0.Approvals;
+
+public class RequestDetail extends Page {
+	public static final String HREF = "/gui/requestdetail";
+	public static final String NAME = "RequestDetail";
+	private static final String DATE_TIME_FORMAT = "yyyy-MM-dd HH:mm:ss";
+	public static final String[] FIELDS = {"ticket"};
+
+	public RequestDetail(final AAF_GUI gui, Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env, NAME, HREF, FIELDS,
+				new BreadCrumbs(breadcrumbs),
+				new Table<AAF_GUI,AuthzTrans>("Request Details",gui.env.newTransNoAvg(),new Model(gui.env),"class=detail")
+				);
+	}
+
+	/**
+	 * Implement the table content for Request Detail
+	 * 
+	 * @author Jeremiah
+	 *
+	 */
+	private static class Model extends TableData<AAF_GUI,AuthzTrans> {
+		static final String WEBPHONE = "http://webphone.att.com/cgi-bin/webphones.pl?id=";
+		private static final String CSP_ATT_COM = "@csp.att.com";
+		final long NUM_100NS_INTERVALS_SINCE_UUID_EPOCH = 0x01b21dd213814000L;
+		private Slot sTicket;
+		public Model(AuthzEnv env) {
+			sTicket = env.slot(NAME+".ticket");
+		}
+
+		@Override
+		public Cells get(final AuthzTrans trans, final AAF_GUI gui) {
+			Cells rv=Cells.EMPTY;
+			final String ticket = trans.get(sTicket, null);
+			if(ticket!=null) {
+				try {
+					rv = gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Cells>() {
+						@Override
+						public Cells code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+							TimeTaken tt = trans.start("AAF Approval Details",Env.REMOTE);
+							ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+							try {
+								Future<Approvals> fa = client.read(
+									"/authz/approval/ticket/"+ticket, 
+									gui.getDF(Approvals.class)
+									);
+								
+								if(fa.get(AAF_GUI.TIMEOUT)) {
+									if (!trans.user().equals(fa.value.getApprovals().get(0).getUser())) {
+										return Cells.EMPTY;
+									}
+									tt.done();
+									tt = trans.start("Load Data", Env.SUB);
+									boolean first = true;
+									for ( Approval approval : fa.value.getApprovals()) {
+										AbsCell[] approverLine = new AbsCell[4];
+										// only print common elements once
+										if (first) {
+											DateFormat createdDF = new SimpleDateFormat(DATE_TIME_FORMAT);
+											UUID id = UUID.fromString(approval.getId());
+											
+											rv.add(new AbsCell[]{new TextCell("Ticket ID:"),new TextCell(approval.getTicket(),"colspan=3")});
+											rv.add(new AbsCell[]{new TextCell("Memo:"),new TextCell(approval.getMemo(),"colspan=3")});
+											rv.add(new AbsCell[]{new TextCell("Requested On:"), 
+													new TextCell(createdDF.format((id.timestamp() - NUM_100NS_INTERVALS_SINCE_UUID_EPOCH)/10000),"colspan=3")
+											});
+											rv.add(new AbsCell[]{new TextCell("Operation:"),new TextCell(decodeOp(approval.getOperation()),"colspan=3")});
+											String user = approval.getUser();
+											if (user.endsWith(CSP_ATT_COM)) {
+												rv.add(new AbsCell[]{new TextCell("User:"),
+														new RefCell(user,WEBPHONE + user.substring(0, user.indexOf("@")),true,"colspan=3")});
+											} else {
+												rv.add(new AbsCell[]{new TextCell("User:"),new TextCell(user,"colspan=3")});
+											}
+											
+											// headers for listing each approver
+											rv.add(new AbsCell[]{new TextCell(" ","colspan=4","class=blank_line")});
+											rv.add(new AbsCell[]{AbsCell.Null,
+													new TextCell("Approver","class=bold"), 
+													new TextCell("Type","class=bold"), 
+													new TextCell("Status","class=bold")});
+											approverLine[0] = new TextCell("Approvals:");
+											
+											first = false;
+										} else {
+										    approverLine[0] = AbsCell.Null;
+										}
+										
+										String approver = approval.getApprover();
+										String approverShort = approver.substring(0,approver.indexOf('@'));
+										
+										if (approver.endsWith(CSP_ATT_COM)) {
+											approverLine[1] = new RefCell(approver, WEBPHONE + approverShort,true);
+										} else {
+											approverLine[1] = new TextCell(approval.getApprover());
+										}
+										
+										String type = approval.getType();
+										if ("owner".equalsIgnoreCase(type)) {
+											type = "resource owner";
+										}
+										
+										approverLine[2] = new TextCell(type);
+										approverLine[3] = new TextCell(approval.getStatus());
+										rv.add(approverLine);
+									
+									}
+								} else {
+									rv.add(new AbsCell[] {new TextCell("*** Data Unavailable ***")});
+								}
+							} finally {
+								tt.done();
+							}
+							return new Cells(rv,null);
+						}
+					});
+				} catch (Exception e) {
+					trans.error().log(e);
+				}
+			}
+			return rv;
+		}
+
+		private String decodeOp(String operation) {
+			if ("C".equalsIgnoreCase(operation)) {
+				return "Create";
+			} else if ("D".equalsIgnoreCase(operation)) {
+				return "Delete";
+			} else if ("U".equalsIgnoreCase(operation)) {
+				return "Update";
+			} else if ("G".equalsIgnoreCase(operation)) {
+				return "Grant";
+			} else if ("UG".equalsIgnoreCase(operation)) {
+				return "Un-Grant";
+			}
+			return operation;
+		}
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RoleDetail.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RoleDetail.java
new file mode 100644
index 00000000..37526b86
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RoleDetail.java
@@ -0,0 +1,295 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+import java.net.ConnectException;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.auth.gui.Table;
+import org.onap.aaf.auth.gui.Table.Cells;
+import org.onap.aaf.auth.gui.table.AbsCell;
+import org.onap.aaf.auth.gui.table.CheckBoxCell;
+import org.onap.aaf.auth.gui.table.CheckBoxCell.ALIGN;
+import org.onap.aaf.auth.gui.table.RefCell;
+import org.onap.aaf.auth.gui.table.TableData;
+import org.onap.aaf.auth.gui.table.TextCell;
+import org.onap.aaf.auth.gui.table.TextInputCell;
+import org.onap.aaf.auth.validation.Validator;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.aaf.AAFPermission;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.util.Chrono;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.Mark;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+import aaf.v2_0.Pkey;
+import aaf.v2_0.Role;
+import aaf.v2_0.Roles;
+import aaf.v2_0.UserRole;
+import aaf.v2_0.UserRoles;
+
+/**
+ * Detail Page for Permissions
+ * 
+ * @author Jonathan
+ *
+ */
+public class RoleDetail extends Page {
+	public static final String HREF = "/gui/roledetail";
+	public static final String NAME = "RoleDetail";
+	private static final String BLANK = "";
+
+	public RoleDetail(final AAF_GUI gui, Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env, NAME, HREF, new String[] {"role","ns"},
+				new BreadCrumbs(breadcrumbs),
+				new Table<AAF_GUI,AuthzTrans>("Role Details",gui.env.newTransNoAvg(),
+						new Model(gui.env),"class=detail")
+			);
+	}
+
+	/**
+	 * Implement the table content for Permissions Detail
+	 * 
+	 * @author Jonathan
+	 *
+	 */
+	private static class Model extends TableData<AAF_GUI,AuthzTrans> {
+		private Slot sRoleName,sRole,sUserRole,sMayWrite,sMayApprove,sMark,sNS;
+		public Model(AuthzEnv env) {
+			sRoleName = env.slot(NAME+".role");
+			sRole = env.slot(NAME+".data.role");
+			sUserRole = env.slot(NAME+".data.userrole");
+			sMayWrite = env.slot(NAME+"mayWrite");
+			sMayApprove = env.slot(NAME+"mayApprove");
+			sMark = env.slot(NAME+"mark");
+			sNS = env.slot(NAME+".ns");
+		}
+
+		/* (non-Javadoc)
+		 * @see org.onap.aaf.auth.gui.table.TableData#prefix(org.onap.aaf.misc.xgen.html.State, com.att.inno.env.Trans, org.onap.aaf.misc.xgen.Cache, org.onap.aaf.misc.xgen.html.HTMLGen)
+		 */
+		@Override
+		public void prefix(final AAF_GUI gui, final AuthzTrans trans, final Cache<HTMLGen> cache, final HTMLGen hgen) {
+			final String pRole = trans.get(sRoleName, null);
+			Validator v = new Validator();
+			v.role(pRole);
+			if(v.err()) {
+				trans.warn().printf("Error in PermDetail Request: %s", v.errs());
+				return;
+			}
+
+		
+			try { 
+				gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Boolean>() {
+					@Override
+					public Boolean code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+						TimeTaken tt = trans.start("AAF Role Details",Env.REMOTE);
+						try {
+							Future<Roles> fr = client.read("/authz/roles/"+pRole+"?ns",gui.getDF(Roles.class));
+							Future<UserRoles> fur = client.read("/authz/userRoles/role/"+pRole,gui.getDF(UserRoles.class));
+							if(fr.get(AAF_GUI.TIMEOUT)) {
+								Role role = fr.value.getRole().get(0);
+								trans.put(sRole, role);
+								Boolean mayWrite = trans.fish(new AAFPermission(role.getNs()+".access",":role:"+role.getName(),"write"));
+								trans.put(sMayWrite,mayWrite);
+								Boolean mayApprove = trans.fish(new AAFPermission(role.getNs()+".access",":role:"+role.getName(),"approve"));
+								trans.put(sMayApprove, mayApprove);
+								
+								if(mayWrite || mayApprove) {
+									Mark js = new Mark();
+									Mark fn = new Mark();
+									hgen.js(js)
+										.function(fn,"touchedDesc")
+										.li("d=document.getElementById('descText');",
+											"if (d.orig == undefined ) {",
+											"  d.orig = d.value;",
+											"  d.addEventListener('keyup',changedDesc);",
+											"  d.removeEventListener('keypress',touchedDesc);",
+											"}").end(fn)
+										.function(fn,"changedDesc")
+										.li(
+											"dcb=document.getElementById('descCB');",
+											"d=document.getElementById('descText');",
+											"dcb.checked= (d.orig != d.value)"
+										).end(fn)
+										.end(js);
+
+									Mark mark = new Mark();
+									hgen.incr(mark,"form","method=post");
+									trans.put(sMark, mark);
+								}
+							} else {
+								trans.error().printf("Error calling AAF for Roles in GUI, Role Detail %d: %s",fr.code(),fr.body());
+								return false;
+							}
+							
+							if(fur.get(AAF_GUI.TIMEOUT)) {
+								trans.put(sUserRole, fur.value.getUserRole());
+							} else {
+								trans.error().printf("Error calling AAF for UserRoles in GUI, Role Detail %d: %s",fr.code(),fr.body());
+								return false;
+							}
+
+							return true;
+						} finally {
+							tt.done();
+						}
+					}
+				});
+			} catch (Exception e) {
+				trans.error().log(e);
+			}
+		}
+
+		@Override
+		public Cells get(final AuthzTrans trans, final AAF_GUI gui) {
+			final String pRole = trans.get(sRoleName, null);
+			final Role role = trans.get(sRole,null);
+			ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+			
+			if(role!=null) {
+				boolean mayWrite = trans.get(sMayWrite, false);
+				boolean mayApprove = trans.get(sMayApprove, false);
+
+				String desc = (role.getDescription()!=null?role.getDescription():BLANK);
+				rv.add(new AbsCell[]{
+						new TextCell("Role:","width=45%"),
+						new TextCell(pRole)});
+				if(mayWrite) {
+					rv.add(new AbsCell[]{
+							new TextCell("Description:","width=45%"),
+							new TextInputCell("description","textInput",desc,"id=descText","onkeypress=touchedDesc()"),
+							new CheckBoxCell("desc",ALIGN.left, "changed","id=descCB", "style=visibility: hidden"),
+							});
+					rv.add(AbsCell.HLINE);
+					rv.add(new AbsCell[] {
+							new TextCell("Associated Permissions:","width=25%"),
+							new TextCell("UnGrant","width=10%"),
+						});
+				} else {
+					rv.add(new AbsCell[]{
+							new TextCell("Description:","width=45%"),
+							new TextCell(desc)});
+				}
+				boolean protectedRole = role.getName().endsWith(".owner") ||
+										role.getName().endsWith(".admin");
+				boolean first = true;
+				for(Pkey r : role.getPerms()) {
+					String key=r.getType() + '|' + r.getInstance() + '|' + r.getAction();
+					if(mayWrite) {
+						rv.add(new AbsCell[] {
+							AbsCell.Null,
+							protectedRole && r.getType().endsWith(".access")
+								?new TextCell("protected","class=protected") // Do not allow ungranting of basic NS perms
+								:new CheckBoxCell("perm.ungrant",key),
+							new TextCell("","width=10%"),
+							new TextCell(key)
+						});
+					} else {
+						if(first) {
+							rv.add(new AbsCell[] {
+									new TextCell("Associated Permissions:","width=45%"),
+									new TextCell(key)
+								});
+							first=false;
+						} else {
+							rv.add(new AbsCell[] {
+									AbsCell.Null,
+									new TextCell(key)
+							});
+						}
+					}
+				}
+						
+				if(mayApprove) {
+					rv.add(AbsCell.HLINE);
+
+					// 
+					rv.add(new AbsCell[] {
+							new TextCell("Users in Role:","width=25%"),
+							new TextCell("Delete","width=10%"),
+							new TextCell("Extend","width=10%")
+						});
+
+					List<UserRole> userroles = trans.get(sUserRole,null);
+					if(userroles!=null) {
+						for(UserRole ur : userroles) {
+							String tag = "userrole";
+							
+							rv.add(new AbsCell[] {
+								AbsCell.Null,
+								new CheckBoxCell(tag+".delete", ur.getUser()),
+								new CheckBoxCell(tag+".extend", ur.getUser()),
+								new TextCell(ur.getUser()),
+								new TextCell(Chrono.dateOnlyStamp(ur.getExpires())
+							)});
+						}
+					}
+				}
+						
+				// History 
+				rv.add(new AbsCell[] {
+						new RefCell("See History",RoleHistory.HREF + "?role=" + pRole,false)
+					});
+			} else {
+				rv.add(new AbsCell[]{
+						new TextCell("Role:"),
+						new TextCell(pRole)});
+
+				rv.add(new AbsCell[] {new TextCell("*** Data Unavailable ***")});
+			}
+			return new Cells(rv, null);
+		}
+
+		/* (non-Javadoc)
+		 * @see org.onap.aaf.auth.gui.table.TableData#postfix(org.onap.aaf.misc.xgen.html.State, com.att.inno.env.Trans, org.onap.aaf.misc.xgen.Cache, org.onap.aaf.misc.xgen.html.HTMLGen)
+		 */
+		@Override
+		public void postfix(AAF_GUI state, AuthzTrans trans, final Cache<HTMLGen> cache, final HTMLGen hgen) {
+			final Mark mark = trans.get(sMark, null);
+			if(mark!=null) {
+				hgen.tagOnly("input", "type=submit", "value=Submit");
+				final String pNS = trans.get(sNS, null);
+				if(pNS!=null && pNS.length()>0) {
+					hgen.leaf(mark,HTMLGen.A,"href="+NsDetail.HREF+"?ns="+pNS,"class=greenbutton").text("Back").end(mark);
+				}
+				hgen.end(mark);
+			}
+
+		}
+	}
+}		
+		
+\ No newline at end of file
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RoleDetailAction.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RoleDetailAction.java
new file mode 100644
index 00000000..f2d2c01f
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RoleDetailAction.java
@@ -0,0 +1,188 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+import java.net.ConnectException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.auth.gui.table.TableData;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.cadi.util.Split;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+import aaf.v2_0.Pkey;
+import aaf.v2_0.RolePermRequest;
+import aaf.v2_0.RoleRequest;
+
+public class RoleDetailAction extends Page {
+	public RoleDetailAction(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env,RoleDetail.NAME, RoleDetail.HREF, TableData.headers,
+			new BreadCrumbs(breadcrumbs),
+			new NamedCode(true,"content") {
+				final Slot sReq = gui.env.slot(AAF_GUI.HTTP_SERVLET_REQUEST);
+				
+				@Override
+				public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+					cache.dynamic(hgen, new DynamicCode<HTMLGen,AAF_GUI, AuthzTrans>() {
+						@Override
+						public void code(final AAF_GUI gui, final AuthzTrans trans,final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+							final HttpServletRequest req = trans.get(sReq, null);
+							final String role = getSingleParam(req,"role");
+							if(role==null) {
+								hgen.text("Parameter 'role' is required").end(); 
+							} else {
+								// Run Validations
+//								boolean fail;
+								try {
+									/*fail =*/ gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Boolean>() {
+										@Override
+										public Boolean code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+											List<TypedFuture> ltf = new ArrayList<TypedFuture>();
+											String text;
+											Map<String, String[]> pm = (Map<String, String[]>)req.getParameterMap();
+											for(final Entry<String, String[]> es : pm.entrySet()) {
+												for(final String v : es.getValue()) {
+													TimeTaken tt = null; 
+													try {
+														switch(es.getKey()) {
+															case "desc": // Check box set
+																String desc = getSingleParam(req, "description");
+																if(desc!=null) {
+																	text = "Setting Description on " + role + " to " + desc;
+																	tt = trans.start(text, Env.REMOTE);
+																	RoleRequest rr = new RoleRequest();
+																	rr.setName(role);
+																	rr.setDescription(desc);
+																	ltf.add(new TypedFuture(ActionType.desc, text, 
+																			client.update("/authz/role",
+																					gui.getDF(RoleRequest.class),rr
+																		)));
+																}
+																break;
+															case "perm.ungrant":
+																text = "Ungranting Permission '" + v + "' from '" + role + '\'';
+																tt = trans.start(text, Env.REMOTE);
+																String[] pf = Split.splitTrim('|', v);
+																if(pf.length==3) {
+																	Pkey perm = new Pkey();
+																	perm.setType(pf[0]);
+																	perm.setInstance(pf[1]);
+																	perm.setAction(pf[2]);
+																	RolePermRequest rpr = new RolePermRequest();
+																	rpr.setPerm(perm);
+																	rpr.setRole(role);
+																	ltf.add(new TypedFuture(ActionType.ungrant,text,
+																			client.delete("/authz/role/" + role + "/perm", 
+																				gui.getDF(RolePermRequest.class),rpr
+																			)));
+																} else {
+																	hgen.p(v + " is not a valid Perm for ungranting");
+																}
+																break;
+															case "userrole.extend":
+																text = "Extending " + v + " in " + role;
+																tt = trans.start(text, Env.REMOTE);
+																ltf.add(new TypedFuture(ActionType.extendUR,text,
+																		client.update("/authz/userRole/extend/" + v + '/' + role)));
+																break;
+															case "userrole.delete":
+																text = "Deleting " + v + " from " + role;
+																tt = trans.start(text, Env.REMOTE);
+																ltf.add(new TypedFuture(ActionType.deleteUR,text,
+																		client.delete("/authz/userRole/" + v + '/' + role, Void.class)));
+																break;
+
+															default:
+//																System.out.println(es.getKey() + "=" + v);
+														}
+													} finally {
+														if(tt!=null) {
+															tt.done();
+															tt=null;
+														}
+													}
+												}
+											}
+											
+											if(ltf.isEmpty()) {
+												hgen.p("No Changes");
+											} else {
+												for(TypedFuture tf : ltf) {
+													if(tf.future.get(5000)) {
+														hgen.p("<font color=\"green\"><i>Success</i>:</font> " + tf.text);
+													} else {
+														// Note: if handling of special Error codes is required, use 
+														// switch(tf.type) {
+														// }
+														hgen.p(tf.text);
+														gui.writeError(trans, tf.future, hgen,4);
+													}
+												}
+											}
+											return true;
+										}
+									});
+								} catch (Exception e) {
+									hgen.p("Unknown Error");
+									e.printStackTrace();
+								}
+							}
+						}
+
+					});
+				}
+			});
+	}
+	
+	enum ActionType {desc, ungrant, deleteUR, extendUR};
+	private static class TypedFuture {
+//		public final ActionType type;
+		public final Future<?> future;
+		public final String text;
+		
+		public TypedFuture(ActionType type, String text, Future<?> future) {
+//			this.type = type;
+			this.future = future;
+			this.text = text;
+		}
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RoleHistory.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RoleHistory.java
new file mode 100644
index 00000000..e80a5917
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RoleHistory.java
@@ -0,0 +1,228 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+
+import java.io.IOException;
+import java.net.ConnectException;
+import java.util.ArrayList;
+import java.util.Calendar;
+import java.util.Comparator;
+import java.util.List;
+
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.auth.gui.Table;
+import org.onap.aaf.auth.gui.Table.Cells;
+import org.onap.aaf.auth.gui.table.AbsCell;
+import org.onap.aaf.auth.gui.table.RefCell;
+import org.onap.aaf.auth.gui.table.TableData;
+import org.onap.aaf.auth.gui.table.TextCell;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+import aaf.v2_0.History;
+import aaf.v2_0.History.Item;
+
+
+public class RoleHistory extends Page {
+	static final String NAME="RoleHistory";
+	static final String HREF = "/gui/roleHistory";
+	static final String FIELDS[] = {"role","dates"};
+	static final String WEBPHONE = "http://webphone.att.com/cgi-bin/webphones.pl?id=";
+	static enum Month { JANUARY, FEBRUARY, MARCH, APRIL, MAY, JUNE, JULY, 
+		AUGUST, SEPTEMBER, OCTOBER, NOVEMBER, DECEMBER };
+	
+	public RoleHistory(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env,NAME,HREF, FIELDS,
+			new BreadCrumbs(breadcrumbs),
+			new Table<AAF_GUI,AuthzTrans>("History", gui.env.newTransNoAvg(),new Model(gui.env),"class=std"),
+			new NamedCode(true, "content") {
+				@Override
+				public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+					final Slot role = gui.env.slot(NAME+".role");
+					cache.dynamic(hgen, new DynamicCode<HTMLGen, AAF_GUI, AuthzTrans>() {
+						@Override
+						public void code(final AAF_GUI gui, final AuthzTrans trans,	final Cache<HTMLGen> cache, final HTMLGen hgen)	throws APIException, IOException {
+							String obRole = trans.get(role, null);
+							
+							// Use Javascript to make the table title more descriptive
+							hgen.js()
+							.text("var caption = document.querySelector(\".title\");")
+							.text("caption.innerHTML='History for Role [ " + obRole + " ]';")						
+							.done();
+							
+							// Use Javascript to change Link Target to our last visited Detail page
+							String lastPage = RoleDetail.HREF + "?role=" + obRole;
+							hgen.js()
+								.text("alterLink('roledetail', '"+lastPage + "');")							
+								.done();
+							
+							hgen.br();
+							hgen.leaf("a", "href=#advanced_search","onclick=divVisibility('advanced_search');").text("Advanced Search").end()
+								.divID("advanced_search", "style=display:none");
+							hgen.incr("table");
+								
+							addDateRow(hgen,"Start Date");
+							addDateRow(hgen,"End Date");
+							hgen.incr("tr").incr("td");
+							hgen.tagOnly("input", "type=button","value=Get History",
+									"onclick=datesURL('"+HREF+"?role=" + obRole+"');");
+							hgen.end().end();
+							hgen.end();
+							hgen.end();
+						}
+					});
+				}
+			}
+
+			);
+		
+	}
+	
+	private static void addDateRow(HTMLGen hgen, String s) {
+		hgen
+			.incr("tr")
+			.incr("td")
+			.incr("label", "for=month", "required").text(s+"*").end()
+			.end()
+			.incr("td")
+			.incr("select", "name=month"+s.substring(0, s.indexOf(' ')), "id=month"+s.substring(0, s.indexOf(' ')), "required")
+			.incr("option", "value=").text("Month").end();
+		for (Month m : Month.values()) {
+			if (Calendar.getInstance().get(Calendar.MONTH) == m.ordinal()) {
+				hgen.incr("option", "selected", "value="+(m.ordinal()+1)).text(m.name()).end();
+			} else {
+				hgen.incr("option", "value="+(m.ordinal()+1)).text(m.name()).end();
+			}
+		}
+		hgen.end()
+			.end()
+			.incr("td")
+			.tagOnly("input","type=number","id=year"+s.substring(0, s.indexOf(' ')),"required",
+					"value="+Calendar.getInstance().get(Calendar.YEAR), "min=1900", 
+					"max="+Calendar.getInstance().get(Calendar.YEAR),
+					"placeholder=Year").end()
+			.end();
+	}
+	
+	
+	/**
+	 * Implement the Table Content for History
+	 * 
+	 * @author Jeremiah
+	 *
+	 */
+	private static class Model extends TableData<AAF_GUI,AuthzTrans> {
+		private static final String CSP_ATT_COM = "@csp.att.com";
+		private static final String[] headers = new String[] {"Date","User","Memo"};
+		private Slot role;
+		private Slot dates;
+		
+		public Model(AuthzEnv env) {
+			role = env.slot(NAME+".role");
+			dates = env.slot(NAME+".dates");
+		}
+		
+		@Override
+		public String[] headers() {
+			return headers;
+		}
+		
+		@Override
+		public Cells get(final AuthzTrans trans, final AAF_GUI gui) {
+			final String oName = trans.get(role,null);
+			final String oDates = trans.get(dates,null);
+			
+			Cells rv = Cells.EMPTY;
+			if(oName!=null) {
+				
+				try {
+					rv = gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Cells>() {
+						@Override
+						public Cells code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+							ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+							TimeTaken tt = trans.start("AAF Get History for Namespace ["+oName+"]",Env.REMOTE);
+							String msg = null;
+							try {
+								if (oDates != null) {
+									client.setQueryParams("yyyymm="+oDates);
+								}
+								Future<History> fh = client.read("/authz/hist/role/"+oName,gui.getDF(History.class));
+								if (fh.get(AAF_GUI.TIMEOUT)) {
+									tt.done();
+									tt = trans.start("Load History Data", Env.SUB);
+									List<Item> histItems = fh.value.getItem();
+									
+									java.util.Collections.sort(histItems, new Comparator<Item>() {
+										@Override
+										public int compare(Item o1, Item o2) {
+											return o2.getTimestamp().compare(o1.getTimestamp());
+										}
+									});
+									
+									for (Item i : histItems) {
+										String user = i.getUser();
+										AbsCell userCell = (user.endsWith(CSP_ATT_COM)?
+												new RefCell(user,WEBPHONE + user.substring(0,user.indexOf('@')),false):new TextCell(user));
+										
+										rv.add(new AbsCell[] {
+												new TextCell(i.getTimestamp().toGregorianCalendar().getTime().toString()),
+												userCell,
+												new TextCell(i.getMemo())
+										});
+									}
+								} else {
+									if (fh.code()==403) {
+										rv.add(new AbsCell[] {new TextCell("You may not view History of Permission [" + oName + "]", "colspan = 3", "class=center")});
+									} else {
+										rv.add(new AbsCell[] {new TextCell("*** Data Unavailable ***", "colspan = 3", "class=center")});
+									}
+								}
+							} finally {
+								tt.done();
+							}	
+							return new Cells(rv,msg);
+						}
+					});
+				} catch (Exception e) {
+					trans.error().log(e);
+				}
+			}
+			return rv;
+		}
+	}
+
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RolesShow.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RolesShow.java
new file mode 100644
index 00000000..071666d0
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RolesShow.java
@@ -0,0 +1,144 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+import java.net.ConnectException;
+import java.text.SimpleDateFormat;
+import java.util.ArrayList;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.auth.gui.Table;
+import org.onap.aaf.auth.gui.Table.Cells;
+import org.onap.aaf.auth.gui.table.AbsCell;
+import org.onap.aaf.auth.gui.table.RefCell;
+import org.onap.aaf.auth.gui.table.TableData;
+import org.onap.aaf.auth.gui.table.TextCell;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import aaf.v2_0.UserRole;
+import aaf.v2_0.UserRoles;
+
+
+/**
+ * Page content for My Roles
+ * 
+ * @author Jonathan
+ *
+ */
+public class RolesShow extends Page {
+	public static final String HREF = "/gui/myroles";
+	private static final String DATE_TIME_FORMAT = "yyyy-MM-dd";
+	private static SimpleDateFormat expiresDF;
+	
+	static {
+		expiresDF = new SimpleDateFormat(DATE_TIME_FORMAT);
+	}
+	
+	public RolesShow(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env, "MyRoles",HREF, NO_FIELDS,
+			new BreadCrumbs(breadcrumbs), 
+			new Table<AAF_GUI,AuthzTrans>("Roles",gui.env.newTransNoAvg(),new Model(), "class=std"));
+	}
+
+	/**
+	 * Implement the Table Content for Permissions by User
+	 * 
+	 * @author Jonathan
+	 *
+	 */
+	private static class Model extends TableData<AAF_GUI,AuthzTrans> {
+		private static final String[] headers = new String[] {"Role","Expires","Remediation","Actions"};
+
+		@Override
+		public String[] headers() {
+			return headers;
+		}
+		
+		@Override
+		public Cells get(final AuthzTrans trans, final AAF_GUI gui) {
+			Cells rv = Cells.EMPTY;
+
+			try {
+				rv = gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Cells>() {
+					@Override
+					public Cells code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+						ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+						TimeTaken tt = trans.start("AAF Roles by User",Env.REMOTE);
+						try {
+							Future<UserRoles> fur = client.read("/authz/userRoles/user/"+trans.user(),gui.getDF(UserRoles.class));
+							if (fur.get(5000)) {
+								if(fur.value != null) for (UserRole u : fur.value.getUserRole()) {
+									if(u.getExpires().compare(Chrono.timeStamp()) < 0) {
+										AbsCell[] sa = new AbsCell[] {
+												new TextCell(u.getRole() + "*", "class=expired"),
+												new TextCell(expiresDF.format(u.getExpires().toGregorianCalendar().getTime()),"class=expired"),
+												new RefCell("Extend",
+														UserRoleExtend.HREF + "?user="+trans.user()+"&role="+u.getRole(),
+														false,
+														new String[]{"class=expired"}),
+												new RefCell("Remove",
+													UserRoleRemove.HREF + "?user="+trans.user()+"&role="+u.getRole(),
+													false,
+													new String[]{"class=expired"})
+														
+											};
+											rv.add(sa);
+									} else {
+										AbsCell[] sa = new AbsCell[] {
+												new RefCell(u.getRole(),
+														RoleDetail.HREF+"?role="+u.getRole(),
+														false),
+												new TextCell(expiresDF.format(u.getExpires().toGregorianCalendar().getTime())),
+												AbsCell.Null,
+												new RefCell("Remove",
+														UserRoleRemove.HREF + "?user="+trans.user()+"&role="+u.getRole(),
+														false)
+											};
+											rv.add(sa);
+									}
+								}
+							}
+							
+						} finally {
+							tt.done();
+						}
+						return new Cells(rv,null);
+					}
+				});
+			} catch (Exception e) {
+				trans.error().log(e);
+			}
+			return rv;
+		}
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/UserRoleExtend.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/UserRoleExtend.java
new file mode 100644
index 00000000..c0ba16da
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/UserRoleExtend.java
@@ -0,0 +1,99 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+import java.net.ConnectException;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+public class UserRoleExtend extends Page {
+	public static final String HREF = "/gui/urExtend";
+	static final String NAME = "Extend User Role";
+	static final String fields[] = {"user","role"};
+
+	public UserRoleExtend(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env,NAME, HREF, fields,
+				new BreadCrumbs(breadcrumbs),
+				new NamedCode(true, "content") {
+			@Override
+			public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+				final Slot sUser = gui.env.slot(NAME+".user");
+				final Slot sRole = gui.env.slot(NAME+".role");
+				
+				
+				cache.dynamic(hgen, new DynamicCode<HTMLGen, AAF_GUI, AuthzTrans>() {
+					@Override
+					public void code(final AAF_GUI gui, final AuthzTrans trans,	final Cache<HTMLGen> cache, final HTMLGen hgen)	throws APIException, IOException {						
+						final String user = trans.get(sUser, "");
+						final String role = trans.get(sRole, "");
+
+						TimeTaken tt = trans.start("Request to extend user role",Env.REMOTE);
+						try {
+							gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {
+								@Override
+								public Void code(Rcli<?> client)throws CadiException, ConnectException, APIException {
+									Future<Void> fv = client.setQueryParams("request=true").update("/authz/userRole/extend/"+user+"/"+role);
+									if(fv.get(5000)) {
+										// not sure if we'll ever hit this
+										hgen.p("Extended User ["+ user+"] in Role [" +role+"]");
+									} else {
+										if (fv.code() == 202 ) {
+											hgen.p("User ["+ user+"] in Role [" +role+"] Extension sent for Approval");
+										} else {
+											gui.writeError(trans, fv, hgen,0);
+										}
+									}
+									return null;
+								}
+							});
+						} catch (Exception e) {
+							trans.error().log(e);
+							e.printStackTrace();
+						} finally {
+							tt.done();
+						}
+						
+						
+					}
+				});
+			}
+			
+		});
+	}
+}
+
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/UserRoleRemove.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/UserRoleRemove.java
new file mode 100644
index 00000000..5f8adf2d
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/UserRoleRemove.java
@@ -0,0 +1,97 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+import java.net.ConnectException;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Slot;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+public class UserRoleRemove extends Page {
+	public static final String HREF = "/gui/urRemove";
+	static final String NAME = "Remove User Role";
+	static final String fields[] = {"user","role"};
+
+	public UserRoleRemove(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env,NAME, HREF, fields,
+				new BreadCrumbs(breadcrumbs),
+				new NamedCode(true, "content") {
+			@Override
+			public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+				final Slot sUser = gui.env.slot(NAME+".user");
+				final Slot sRole = gui.env.slot(NAME+".role");
+				
+				
+				cache.dynamic(hgen, new DynamicCode<HTMLGen, AAF_GUI, AuthzTrans>() {
+					@Override
+					public void code(final AAF_GUI gui, final AuthzTrans trans,	final Cache<HTMLGen> cache, final HTMLGen hgen)	throws APIException, IOException {						
+						final String user = trans.get(sUser, "");
+						final String role = trans.get(sRole, "");
+
+						TimeTaken tt = trans.start("Request a user role delete",Env.REMOTE);
+						try {
+							gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {
+								@Override
+								public Void code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+									Future<Void> fv = client.setQueryParams("request=true").delete(
+												"/authz/userRole/"+user+"/"+role,Void.class);
+									
+									if(fv.get(5000)) {
+										// not sure if we'll ever hit this
+										hgen.p("User ["+ user+"] Removed from Role [" +role+"]");
+									} else {
+										if (fv.code() == 202 ) {
+											hgen.p("User ["+ user+"] Removal from Role [" +role+"] sent for Approval");
+										} else {
+											gui.writeError(trans, fv, hgen, 0);
+										}
+									}
+									return null;
+								}
+							});
+						} catch (Exception e) {
+							e.printStackTrace();
+						} finally {
+							tt.done();
+						}
+					}
+				});
+			}
+			
+		});
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/WebCommand.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/WebCommand.java
new file mode 100644
index 00000000..f9c57d0f
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/WebCommand.java
@@ -0,0 +1,118 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.pages;
+
+import java.io.IOException;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.gui.AAF_GUI;
+import org.onap.aaf.auth.gui.BreadCrumbs;
+import org.onap.aaf.auth.gui.NamedCode;
+import org.onap.aaf.auth.gui.Page;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.DynamicCode;
+import org.onap.aaf.misc.xgen.Mark;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+public class WebCommand extends Page {
+	public static final String HREF = "/gui/cui";
+	
+	public WebCommand(final AAF_GUI gui, final Page ... breadcrumbs) throws APIException, IOException {
+		super(gui.env, "Web Command Client",HREF, NO_FIELDS,
+				new BreadCrumbs(breadcrumbs),
+				new NamedCode(true, "content") {
+			@Override
+			public void code(final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException {
+				hgen.leaf("p","id=help_msg")
+					.text("Questions about this page? ")
+					.leaf("a", "href="+gui.env.getProperty(AAF_URL_CUIGUI,""), "target=_blank")
+					.text("Click here")
+					.end()
+					.text(". Type 'help' below for a list of AAF commands")
+					.end()
+					
+					.divID("console_and_options");
+				hgen.divID("console_area");				
+				hgen.end(); //console_area
+				
+				hgen.divID("options_link", "class=closed");
+				hgen.img("src=../../"+gui.theme + "/options_down.png", "onclick=handleDivHiding('options',this);", 
+						"id=options_img", "alt=Options", "title=Options")					
+					.end(); //options_link
+				
+				hgen.divID("options");
+				cache.dynamic(hgen, new DynamicCode<HTMLGen,AAF_GUI,AuthzTrans>() {
+					@Override
+					public void code(AAF_GUI state, AuthzTrans trans, Cache<HTMLGen> cache, HTMLGen xgen)
+							throws APIException, IOException {
+						switch(browser(trans,trans.env().slot(getBrowserType()))) {
+							case ie:
+							case ieOld:
+								// IE doesn't support file save
+								break;
+							default:
+								xgen.img("src=../../"+gui.theme+"/AAFdownload.png", "onclick=saveToFile();",
+										"alt=Save log to file", "title=Save log to file");
+						}
+//						xgen.img("src=../../"+gui.theme+"/AAFemail.png", "onclick=emailLog();",
+//								"alt=Email log to me", "title=Email log to me");
+						xgen.img("src=../../"+gui.theme+"/AAF_font_size.png", "onclick=handleDivHiding('text_slider',this);", 
+								"id=fontsize_img", "alt=Change text size", "title=Change text size");
+						xgen.img("src=../../"+gui.theme+"/AAF_details.png", "onclick=selectOption(this,0);", 
+								"id=details_img", "alt=Turn on/off details mode", "title=Turn on/off details mode");
+						xgen.img("src=../../"+gui.theme+"/AAF_maximize.png", "onclick=maximizeConsole(this);",
+								"id=maximize_img", "alt=Maximize Console Window", "title=Maximize Console Window");
+					}	
+				});
+				hgen.divID("text_slider");
+				hgen.tagOnly("input", "type=button", "class=change_font", "onclick=buttonChangeFontSize('dec')", "value=-")
+					.tagOnly("input", "id=text_size_slider", "type=range", "min=75", "max=200", "value=100", 
+						"oninput=changeFontSize(this.value)", "onchange=changeFontSize(this.value)", "title=Change Text Size")
+					.tagOnly("input", "type=button", "class=change_font", "onclick=buttonChangeFontSize('inc')", "value=+")				
+					.end(); //text_slider
+
+				hgen.end(); //options
+				hgen.end(); //console_and_options
+				
+				hgen.divID("input_area");
+				hgen.tagOnly("input", "type=text", "id=command_field", 
+						"autocomplete=off", "autocorrect=off", "autocapitalize=off", "spellcheck=false",
+						"onkeypress=keyPressed()", "placeholder=Type your AAFCLI commands here", "autofocus")
+					.tagOnly("input", "id=submit", "type=button", "value=Submit", 
+							"onclick=http('put','../../gui/cui',getCommand(),callCUI);")
+					.end();
+
+				Mark callCUI = new Mark();
+				hgen.js(callCUI);
+				hgen.text("function callCUI(resp) {")
+					.text("moveCommandToDiv();")
+					.text("printResponse(resp);") 
+					.text("}");
+				hgen.end(callCUI);	
+			
+			}
+		});
+
+	}
+
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/AbsCell.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/AbsCell.java
new file mode 100644
index 00000000..6d95d7d8
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/AbsCell.java
@@ -0,0 +1,48 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.table;
+
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+public abstract class AbsCell {
+	public static final AbsCell[] HLINE =    new AbsCell[0];
+	private static final String[] NONE =     new String[0];
+	protected static final String[] CENTER = new String[]{"class=center"};
+	protected static final String[] LEFT =   new String[]{"class=left"};
+	protected static final String[] RIGHT =  new String[]{"class=right"};
+
+	/**
+	 * Write Cell Data with HTMLGen generator
+	 * @param hgen
+	 */
+	public abstract void write(HTMLGen hgen);
+	
+	public final static AbsCell Null = new AbsCell() {
+		@Override
+		public void write(final HTMLGen hgen) {
+		}
+	};
+	
+	public String[] attrs() {
+		return NONE;
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/ButtonCell.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/ButtonCell.java
new file mode 100644
index 00000000..986c90af
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/ButtonCell.java
@@ -0,0 +1,45 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.table;
+
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+public class ButtonCell extends AbsCell {
+	private String[] attrs;
+	
+	public ButtonCell(String value, String ... attributes) {
+		attrs = new String[2+attributes.length];
+		attrs[0]="type=button";
+		attrs[1]="value="+value;
+		System.arraycopy(attributes, 0, attrs, 2, attributes.length);
+	}
+	@Override
+	public void write(HTMLGen hgen) {
+		hgen.incr("input",true,attrs).end();
+
+	}
+	
+	@Override
+	public String[] attrs() {
+		return AbsCell.CENTER;
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/CheckBoxCell.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/CheckBoxCell.java
new file mode 100644
index 00000000..4c723d4a
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/CheckBoxCell.java
@@ -0,0 +1,66 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.table;
+
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+public class CheckBoxCell extends AbsCell {
+	public enum ALIGN{ left, right, center };
+	private String[] attrs;
+	private ALIGN align;
+	
+	public CheckBoxCell(String name, ALIGN align, String value, String ... attributes) {
+		this.align = align;
+		attrs = new String[3 + attributes.length];
+		attrs[0]="type=checkbox";
+		attrs[1]="name="+name;
+		attrs[2]="value="+value;
+		System.arraycopy(attributes, 0, attrs, 3, attributes.length);
+	}
+
+	public CheckBoxCell(String name, String value, String ... attributes) {
+		this.align = ALIGN.center;
+		attrs = new String[3 + attributes.length];
+		attrs[0]="type=checkbox";
+		attrs[1]="name="+name;
+		attrs[2]="value="+value;
+		System.arraycopy(attributes, 0, attrs, 3, attributes.length);
+	}
+
+	@Override
+	public void write(HTMLGen hgen) {
+		hgen.tagOnly("input",attrs);
+	}
+
+	@Override
+	public String[] attrs() {
+		switch(align) {
+			case left:
+				return AbsCell.LEFT;
+			case right:
+				return AbsCell.RIGHT;
+			case center:
+				default:
+				return AbsCell.CENTER;
+			}
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/RadioCell.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/RadioCell.java
new file mode 100644
index 00000000..9f092105
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/RadioCell.java
@@ -0,0 +1,48 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.table;
+
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+public class RadioCell extends AbsCell {
+	private String[] attrs;
+	
+	public RadioCell(String name, String radioClass, String value, String ... attributes) {
+		attrs = new String[4 + attributes.length];
+		attrs[0]="type=radio";
+		attrs[1]="name="+name;
+		attrs[2]="class="+radioClass;
+		attrs[3]="value="+value;
+		System.arraycopy(attributes, 0, attrs, 4, attributes.length);
+
+	}
+	
+	@Override
+	public void write(HTMLGen hgen) {
+		hgen.tagOnly("input",attrs);
+	}
+
+	@Override
+	public String[] attrs() {
+		return AbsCell.CENTER;
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/RefCell.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/RefCell.java
new file mode 100644
index 00000000..7dc14c81
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/RefCell.java
@@ -0,0 +1,54 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.table;
+
+import static org.onap.aaf.misc.xgen.html.HTMLGen.A;
+
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+/**
+ * Write a Reference Link into a Cell
+ * @author Jonathan
+ *
+ */
+public class RefCell extends AbsCell {
+	public final String name;
+	public final String[] str;
+	
+	public RefCell(String name, String href, boolean newWindow, String... attributes) {
+		this.name = name;
+		if(newWindow) {
+			str = new String[attributes.length+2];
+			str[attributes.length]="target=_blank";
+		} else {
+			str = new String[attributes.length+1];
+		}
+		str[0]="href="+href;
+		System.arraycopy(attributes, 0, str, 1, attributes.length);
+
+	}
+	
+	@Override
+	public void write(HTMLGen hgen) {
+		hgen.leaf(A,str).text(name);
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/TableData.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/TableData.java
new file mode 100644
index 00000000..731d425e
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/TableData.java
@@ -0,0 +1,56 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.table;
+
+import org.onap.aaf.auth.gui.Table;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Trans;
+import org.onap.aaf.misc.xgen.Cache;
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+import org.onap.aaf.misc.xgen.html.State;
+
+public abstract class TableData<S extends State<Env>, TRANS extends Trans> implements Table.Data<S,TRANS>{
+	public static final String[] headers = new String[0];	
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.gui.Table.Data#prefix(org.onap.aaf.misc.xgen.html.State, com.att.inno.env.Trans, org.onap.aaf.misc.xgen.Cache, org.onap.aaf.misc.xgen.html.HTMLGen)
+	 */
+	@Override
+	public void prefix(final S state, final TRANS trans, final Cache<HTMLGen> cache, final HTMLGen hgen) {
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.gui.Table.Data#postfix(org.onap.aaf.misc.xgen.html.State, com.att.inno.env.Trans, org.onap.aaf.misc.xgen.Cache, org.onap.aaf.misc.xgen.html.HTMLGen)
+	 */
+	@Override
+	public void postfix(final S state, final TRANS trans, final Cache<HTMLGen> cache, final HTMLGen hgen) {
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.gui.Table.Data#headers()
+	 */
+	@Override
+	public String[] headers() {
+		return headers;
+	}
+
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/TextAndRefCell.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/TextAndRefCell.java
new file mode 100644
index 00000000..036c8b7f
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/TextAndRefCell.java
@@ -0,0 +1,43 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.table;
+
+import static org.onap.aaf.misc.xgen.html.HTMLGen.A;
+
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+public class TextAndRefCell extends RefCell {
+
+	private String text;
+		
+	public TextAndRefCell(String text, String name, String href, boolean newWindow, String[] attributes) {
+		super(name, href, newWindow, attributes);
+		this.text = text;
+	}
+
+	@Override
+	public void write(HTMLGen hgen) {
+		hgen.text(text);
+		hgen.leaf(A,str).text(name);
+	}
+
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/TextCell.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/TextCell.java
new file mode 100644
index 00000000..e20367a7
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/TextCell.java
@@ -0,0 +1,49 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.table;
+
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+/**
+ * Write Simple Text into a Cell
+ * @author Jonathan
+ *
+ */
+public class TextCell extends AbsCell {
+	public final String name;
+	private String[] attrs;
+	
+	public TextCell(String name, String... attributes) {
+		attrs = attributes;
+		this.name = name;
+	}
+	
+	@Override
+	public void write(HTMLGen hgen) {
+		hgen.text(name);
+	}
+	
+	@Override
+	public String[] attrs() {
+		return attrs;
+	}
+}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/TextInputCell.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/TextInputCell.java
new file mode 100644
index 00000000..4a4f757c
--- /dev/null
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/table/TextInputCell.java
@@ -0,0 +1,54 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.gui.table;
+
+import org.onap.aaf.misc.xgen.html.HTMLGen;
+
+/**
+ * Create an Input Cell for Text
+ * @author Jonathan
+ *
+ */
+public class TextInputCell extends AbsCell {
+	private static final String[] NULL_ATTRS=new String[0];
+	private String[] attrs;
+	
+	public TextInputCell(String name, String textClass, String value, String ... attributes) {
+		attrs = new String[5 + attributes.length];
+		attrs[0]="type=text";
+		attrs[1]="name="+name;
+		attrs[2]="class="+textClass;
+		attrs[3]="value="+value;
+		attrs[4]="style=font-size:100%;";
+		System.arraycopy(attributes, 0, attrs, 5, attributes.length);
+	}
+	
+	@Override
+	public void write(HTMLGen hgen) {
+		hgen.tagOnly("input",attrs);
+	}
+	
+	@Override
+	public String[] attrs() {
+		return NULL_ATTRS;
+	}
+}
diff --git a/auth/auth-gui/theme/onap/AAF_details.png b/auth/auth-gui/theme/onap/AAF_details.png
new file mode 100644
index 00000000..5c187459
--- /dev/null
+++ b/auth/auth-gui/theme/onap/AAF_details.png
diff --git a/auth/auth-gui/theme/onap/AAF_font_size.png b/auth/auth-gui/theme/onap/AAF_font_size.png
new file mode 100644
index 00000000..466cbfbc
--- /dev/null
+++ b/auth/auth-gui/theme/onap/AAF_font_size.png
diff --git a/auth/auth-gui/theme/onap/AAF_maximize.png b/auth/auth-gui/theme/onap/AAF_maximize.png
new file mode 100644
index 00000000..706603bb
--- /dev/null
+++ b/auth/auth-gui/theme/onap/AAF_maximize.png
diff --git a/auth/auth-gui/theme/onap/AAFdownload.png b/auth/auth-gui/theme/onap/AAFdownload.png
new file mode 100644
index 00000000..cebd9522
--- /dev/null
+++ b/auth/auth-gui/theme/onap/AAFdownload.png
diff --git a/auth/auth-gui/theme/onap/AAFemail.png b/auth/auth-gui/theme/onap/AAFemail.png
new file mode 100644
index 00000000..6d487769
--- /dev/null
+++ b/auth/auth-gui/theme/onap/AAFemail.png
diff --git a/auth/auth-gui/theme/onap/LF_Collab_footer_gray.png b/auth/auth-gui/theme/onap/LF_Collab_footer_gray.png
new file mode 100644
index 00000000..abbf4b1a
--- /dev/null
+++ b/auth/auth-gui/theme/onap/LF_Collab_footer_gray.png
diff --git a/auth/auth-gui/theme/onap/LF_Collab_footer_gray_stripe.png b/auth/auth-gui/theme/onap/LF_Collab_footer_gray_stripe.png
new file mode 100644
index 00000000..fb9b37a2
--- /dev/null
+++ b/auth/auth-gui/theme/onap/LF_Collab_footer_gray_stripe.png
diff --git a/auth/auth-gui/theme/onap/LF_Collab_header_gray.png b/auth/auth-gui/theme/onap/LF_Collab_header_gray.png
new file mode 100644
index 00000000..43781fad
--- /dev/null
+++ b/auth/auth-gui/theme/onap/LF_Collab_header_gray.png
diff --git a/auth/auth-gui/theme/onap/ONAP_LOGO.png b/auth/auth-gui/theme/onap/ONAP_LOGO.png
new file mode 100644
index 00000000..55e37188
--- /dev/null
+++ b/auth/auth-gui/theme/onap/ONAP_LOGO.png
diff --git a/auth/auth-gui/theme/onap/aaf5.css b/auth/auth-gui/theme/onap/aaf5.css
new file mode 100644
index 00000000..67f03b27
--- /dev/null
+++ b/auth/auth-gui/theme/onap/aaf5.css
@@ -0,0 +1,588 @@
+/*
+  Standard CSS for AAF
+*/
+
+html {
+	height: 100%;
+}
+
+body {
+	background-image:url('ONAP_LOGO.png');
+	background-color: #FFFFFF;
+	background-repeat:no-repeat;
+	background-position: right top;
+	background-size:15em 4.3em;
+	color:#606060;
+	font-family: Verdana,Arial,Helvetica,sans-serif;
+	overflow: scroll;
+	}
+
+header h1,p {
+	margin: 4px auto;
+}
+
+header h1 {
+	display: inline;
+}
+
+header {
+	display: block;
+	color: #347FA0;
+}
+
+p#version {
+	margin:0;
+	display:inline;
+	font-size: 0.75em;
+	float:center;
+	color: 2B6E9C;
+	padding-right:4.2em;
+}
+
+header hr {
+	margin: 0;
+}
+
+hr {
+	border: 1px solid #C0C0C0;
+}
+
+#breadcrumbs {
+	padding: 5px 0 12px 0;
+}
+
+
+#breadcrumbs ul {
+	color: #DFEFFC;
+	margin: 0;
+	list-style-type:none;
+	padding: 0;
+}
+
+#breadcrumbs li {
+	border-width:2px;
+	margin: 3px 1px;
+	padding: 2px 9px;
+	border-style:solid;
+	border-top-left-radius: .8em;
+	border-bottom-left-radius: .8em;
+	background-color:#80C337;
+	display:inline;
+}
+
+#breadcrumbs a {
+	text-decoration:none;
+	color: white;
+}
+
+caption {
+	color:4BADA9;
+	text-align: center;
+	font-size:1.3em;
+	font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif;
+}
+
+#Pages {
+	padding: 3px 2px 10px 4px;
+	background: linear-gradient(to right, #147AB3,#FFFFFF);
+}
+
+#Pages h3,h4,h5 {
+	color: #909090;
+}
+
+# SuperScript
+sup {
+	color: #909090;
+	font-size: 70%;
+	vertical-align: super;
+}
+ 
+form {
+	padding: 10px;
+	margin: 4px;
+}
+
+.textInput {
+#	size: 120%;
+}
+
+#form input[id],select#myroles {
+#	margin: 4px 0;
+#	width: 150%;
+#}
+
+form label {
+	margin: 4px 0;
+}
+
+form label[required] {
+	color: red;
+}
+
+form input[type=submit], form input[type=reset] {
+	font-size: 1.0em;
+	margin: 12px 0 0px 0;
+#	color: #347FA0;
+	color: white;
+	background-color: #7FB5C9;
+	border-radius: 15px;
+}
+
+p.preamble, p.notfound,.expedite_request {
+	display: block;
+	margin: 30px 0px 10px 0px;
+	font: italic bold 20px/30px Georgia, serif;
+	font-size: 110%;
+	color: #0079B8;
+}
+.expedite_request {
+	margin-top: 0;
+	color: 4BADA9;
+}
+
+.subtext {
+	margin-left: 10px;
+	font-size: 75%;
+	font-style: italic;
+}
+
+.protected {
+	font-size: 80%;
+	font-style: italic;
+	color: red;
+}
+
+#Pages a {
+	display:block;
+	font-weight:bold;
+	color:#FFFFFF;
+	background-color:#80C337;
+	text-decoration:none;
+	border-top-right-radius: .8em;
+	border-bottom-right-radius: .8em;
+	border-top-left-radius: .2em;
+	border-bottom-left-radius: .2em;
+	padding: 3px 40px 3px 10px;
+	margin: 4px;
+	width: 50%;
+}
+
+#footer {
+	background-color: #2B6E9C;
+	color: #FFFFFF; 
+	text-align:right;
+	font-size: 60%;
+	padding: 5px;
+	position:fixed;
+	bottom: 0px;
+	left: 0px;
+	right: 0px;
+}
+
+/* 
+  Standard Table, with Alternating Colors
+*/
+div.std {
+	vertical-align: top;
+}
+
+div.std table, div.stdform table {
+	position: relative;
+	border-collapse:collapse;
+	table-layout:auto;
+	left: 1.3%;
+	width: 98%;
+	margin-top: 5px;
+	bottom: 4px;
+	border-radius: 4px;
+}
+
+td.detailFirst {
+	border-color:red;
+	border-style:solid none none none;
+}
+
+td.detail {
+  border-style:none;
+ }
+
+
+div.std td, div.stdform td {
+	font-size:.9em;
+	vertical-align:top;
+}
+
+.center {
+	text-align: center;
+}
+
+.right {
+	text-align: right;
+	padding-right: 4px;
+}
+
+.left {
+	text-align: left;
+	padding-left: 4px;
+}
+
+
+p.double {
+	line-height: 2em;
+}
+
+p.api_comment {
+	font-size: .9em;
+	text-indent: 6px;
+}
+
+p.api_contentType {
+	font-size: .8em;
+	text-indent: 6px;
+}
+
+p.api_label {
+	font-size: .9em;
+	font-style: italic;
+}
+
+.button, .greenbutton {
+    text-decoration: none; font: menu;
+    display: inline-block; padding: 2px 8px;
+    background: ButtonFace; color: ButtonText;
+    border-style: solid; border-width: 2px;
+    border-color: ButtonHighlight ButtonShadow ButtonShadow ButtonHighlight;
+	border-radius: 10px;
+	color: black;
+}
+
+.greenbutton {
+	color: white;
+	background-color: #80C337;
+}
+
+div.std h1, div.std h2, div.std h3, div.std h4, div.std h5 {
+	text-indent: 7px;
+}
+	
+div.std td {
+	border:1px solid #A6C9E2;
+}
+	
+div.std th, div.stdform th {
+	background-color:#6FA7D1;
+	color:#FFFFFF;
+	}
+
+div.std tr.alt, div.stdform tr.alt {
+	background-color:#DFEFFC;
+}
+
+div.std th {
+	text-align: left;
+	text-indent: .1em;
+}
+
+#div.std a, div.stdform a {
+#	/*color: #606060;*/
+#	/*color: #147AB3;*/
+#	color: black;
+#}
+
+td.head {
+	font-weight:bold;
+	text-align: center;
+}
+
+td.head a {
+	color:blue;
+}
+
+/* 
+  A Table representing 1 or more columns of text, i.e. Detail lists
+*/
+div.detail table {
+	width: 100%;
+}
+
+div.detail caption {
+	border-bottom: solid 1px #C0C0C0;
+}
+
+
+/*
+	Approval Form select all
+
+*/
+.selectAllButton {
+	background: transparent;
+	border:none;
+	color:blue;
+	text-decoration:underline;
+	font-weight:bold;
+	cursor:pointer;
+}
+
+
+/*
+	Begin Web Command Styling
+*/
+#console_and_options {
+	position:relative;
+}
+
+.maximized {
+	position:absolute;
+	top:0px;
+	bottom:50px;
+	left:0px;
+	right:0px;
+	z-index:1000;
+	background-color:white;
+}
+
+#console_area {
+	-webkit-border-radius: 15px;
+	-moz-border-radius: 15px;
+	border-radius: 15px;
+	background-color: black;
+	color: white;
+	font-family: "Lucida Console", Monaco, monospace;
+	overflow-y: scroll;
+	height: 300px;
+	min-width: 600px;
+	padding: 5px;	
+	resize: vertical;
+}
+
+.command,.bold {
+	font-weight: bold;
+}
+
+.command:before {
+	content: "> ";
+}
+
+.response{
+	font-style: italic;
+	font-size: 150%;
+}
+
+#input_area {
+	margin-top: 10px;	
+	clear: both;
+}
+
+#command_field, #submit {
+	font-size: 125%;
+	background-color: #333333;
+	color: white;
+	font-family: "Lucida Console", Monaco, monospace;
+	-webkit-border-radius: 1em;
+	-moz-border-radius: 1em;
+	border-radius: 1em;
+}
+
+#command_field {
+	width: 75%;
+	padding-left: 1em;
+}
+
+#submit {
+	background-color: #7FB5C9;
+	padding: 0 5%;
+	float: right;
+}
+
+/*
+	Options Menu Styling for Web Command
+*/
+#options_link {
+	-webkit-border-radius: 0 0 20% 20%;
+	-moz-border-radius: 0 0 20% 20%;
+	border-radius: 0 0 20% 20%;
+	-webkit-transition: opacity 0.5s ease-in-out;
+	-moz-transition: opacity 0.5s ease-in-out;
+	-ms-transition: opacity 0.5s ease-in-out;
+	-o-transition: opacity 0.5s ease-in-out;
+	transition: opacity 0.5s ease-in-out;
+}
+
+.closed {
+	opacity: 0.5;
+	filter: alpha(opacity=50);
+}
+
+#options_link:hover, .open {
+	opacity: 1.0;
+	filter: alpha(opacity=100);
+}
+
+#options_link, #options {
+	background: white;
+	position:absolute;
+	top:0;
+	right:2em;
+	padding:0.1em;
+}
+
+#options > img {
+	cursor: pointer;
+	float: right;
+	padding: 0.2em;
+}
+
+.selected {
+	border: 3px solid 2B6E9C;
+}
+
+#options, #text_slider {
+	display:none;
+	padding:0.5em;
+	-webkit-border-radius: 0 0 0 10px;
+	-moz-border-radius: 0 0 0 10px;
+	border-radius: 0 0 0 10px;
+}
+#text_slider {
+	clear:both;
+}
+
+/*
+	Button styling for changing text size
+*/
+.change_font {
+	border-top: 1px solid #96d1f8;
+	background: #65a9d7;
+	background: -webkit-gradient(linear, left top, left bottom, from(#3e779d), to(#65a9d7));
+	background: -webkit-linear-gradient(top, #3e779d, #65a9d7);
+	background: -moz-linear-gradient(top, #3e779d, #65a9d7);
+	background: -ms-linear-gradient(top, #3e779d, #65a9d7);
+	background: -o-linear-gradient(top, #3e779d, #65a9d7);
+	padding: 0 2px;
+	-webkit-border-radius: 50%;
+	-moz-border-radius: 50%;
+	border-radius: 50%;
+	-webkit-box-shadow: rgba(0,0,0,1) 0 1px 0;
+	-moz-box-shadow: rgba(0,0,0,1) 0 1px 0;
+	box-shadow: rgba(0,0,0,1) 0 1px 0;
+	text-shadow: rgba(0,0,0,.4) 0 1px 0;
+	color: white;
+	font-size: 14px;
+	font-family: monospace;
+	text-decoration: none;
+	vertical-align: middle;
+}
+.change_font:hover {
+	border-top-color: #28597a;
+	background: #28597a;
+	color: #ccc;
+}
+
+/*
+	Text Size Slider styling
+*/
+
+input[type=range] {
+  -webkit-appearance: none;
+  width: 60%;
+  margin: 0;
+}
+input[type=range]:focus {
+  outline: none;
+}
+input[type=range]::-webkit-slider-runnable-track {
+  width: 100%;
+  height: 4px;
+  cursor: pointer;
+  box-shadow: 1px 1px 1px #000000, 0px 0px 1px #0d0d0d;
+  background: #3071a9;
+  border-radius: 0.6px;
+  border: 0.5px solid #010101;
+}
+input[type=range]::-webkit-slider-thumb {
+  box-shadow: 1px 1px 1px #000000, 0px 0px 1px #0d0d0d;
+  border: 1px solid #000000;
+  height: 16px;
+  width: 16px;
+  border-radius: 30px;
+  background: #efffff;
+  cursor: pointer;
+  -webkit-appearance: none;
+  margin-top: -7.15px;
+}
+input[type=range]:focus::-webkit-slider-runnable-track {
+  background: #367ebd;
+}
+input[type=range]::-moz-range-track {
+  width: 100%;
+  height: 2.7px;
+  cursor: pointer;
+  box-shadow: 1px 1px 1px #000000, 0px 0px 1px #0d0d0d;
+  background: #3071a9;
+  border-radius: 0.6px;
+  border: 0.5px solid #010101;
+}
+input[type=range]::-moz-range-thumb {
+  box-shadow: 1px 1px 1px #000000, 0px 0px 1px #0d0d0d;
+  border: 1px solid #000000;
+  height: 16px;
+  width: 16px;
+  border-radius: 30px;
+  background: #efffff;
+  cursor: pointer;
+}
+input[type=range]::-ms-track {
+  width: 100%;
+  height: 2.7px;
+  cursor: pointer;
+  background: transparent;
+  border-color: transparent;
+  color: transparent;
+}
+input[type=range]::-ms-fill-lower {
+  background: #2a6495;
+  border: 0.5px solid #010101;
+  border-radius: 1.2px;
+  box-shadow: 1px 1px 1px #000000, 0px 0px 1px #0d0d0d;
+}
+input[type=range]::-ms-fill-upper {
+  background: #3071a9;
+  border: 0.5px solid #010101;
+  border-radius: 1.2px;
+  box-shadow: 1px 1px 1px #000000, 0px 0px 1px #0d0d0d;
+}
+input[type=range]::-ms-thumb {
+  box-shadow: 1px 1px 1px #000000, 0px 0px 1px #0d0d0d;
+  border: 1px solid #000000;
+  height: 16px;
+  width: 16px;
+  border-radius: 30px;
+  background: #efffff;
+  cursor: pointer;
+  height: 2.7px;
+}
+input[type=range]:focus::-ms-fill-lower {
+  background: #3071a9;
+}
+input[type=range]:focus::-ms-fill-upper {
+  background: #367ebd;
+}
+.expired {
+	color: red;
+	background-color: pink;
+}
+.blank_line {
+	padding: 10px;
+}
+#filterByUser input {
+	display: inline;
+}
+
+#PassChange p {
+	font-size: .9em;
+}
+
+#passwordRules li {
+	font-size: .9em;
+}
diff --git a/auth/auth-gui/theme/onap/aaf5Desktop.css b/auth/auth-gui/theme/onap/aaf5Desktop.css
new file mode 100644
index 00000000..affc5122
--- /dev/null
+++ b/auth/auth-gui/theme/onap/aaf5Desktop.css
@@ -0,0 +1,92 @@
+/*
+  Modifications for Desktop
+*/
+body {
+	background-size:23em 4.7em;
+}
+
+
+#breadcrumbs a:visited, #breadcrumbs a:link {
+	transition: padding .5s;
+}
+
+#breadcrumbs a:hover {
+	padding: 2px 2px 2px 30px;
+	transition: padding .5s;
+}
+
+#breadcrumbs, #inner {
+	margin: 3px;
+	width: 77%;
+	float: left;
+	min-width:500px;
+	background-color: #FFFFFF;
+	
+}
+
+#breadcrumbs li {
+	box-shadow: 3px 3px 2px #888888;
+}
+
+#Pages {
+	margin: 20px;
+	filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#2B6E9C', endColorstr='#ffffff',GradientType=1 ); /*linear gradient for IE 6-9*/
+}
+
+#Pages a:visited, #Pages a:link {
+	padding: 3px 40px 3px 10px;
+	transition: padding .5s;
+	margin: 6px;
+	box-shadow: 3px 3px 2px #888888;
+}
+
+#Pages a:hover {
+	padding: 4px 80px 4px 15px;
+	transition: box-shadow padding .5s;
+	box-shadow: 4px 4px 3px #888888;
+}
+
+
+#inner {
+	padding: 7px;
+	background: #FFFFFF;
+	overflow: hidden;
+}
+
+div.std, form {
+	border: solid 2px #D0D0D0;
+	border-radius: 5px;
+	box-shadow: 10px 10px 5px #888888;
+}
+
+div.detail {
+	border: solid 2px #C0C0C0;
+	border-radius: 14px;
+	box-shadow: 10px 10px 5px #888888;
+}
+
+#nav {
+	display: inline-block;
+	position: absolute;
+	right: 2%;
+	left: 81%;
+}
+	
+#nav h2 {
+	color: #2B6E9C;
+	font-size: 1.2em;
+	font-family: Verdana,Arial,Helvetica,sans-serif;
+	font-style: italic;
+	font-weight: normal;
+	
+}
+
+#nav ul {
+	font-style:italic; 
+	font-size: .8em;
+	font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif;
+	color: #067ab4;
+	list-style-type: square;
+	margin: 0;
+	padding: 0;
+}
diff --git a/auth/auth-gui/theme/onap/aaf5iPhone.css b/auth/auth-gui/theme/onap/aaf5iPhone.css
new file mode 100644
index 00000000..c356983b
--- /dev/null
+++ b/auth/auth-gui/theme/onap/aaf5iPhone.css
@@ -0,0 +1,38 @@
+/*
+  Modifications for iPhone
+*/
+body {
+	zoom: 210%;
+}
+
+#breadcrumbs {
+	font-size: .9em;
+}
+
+
+div.std table {
+	margin: 0 0 20px 0;
+	zoom: 130%
+}
+	
+
+div.stdform th {
+	font-size: 9px;
+}
+
+#content input {
+	font-size: 1.3em;
+}
+
+
+#Pages a {
+	font-size: 1.3em;
+	width: 75%;
+	height:35px;
+}
+
+#nav {
+	display: none; 
+}
+
+
diff --git a/auth/auth-gui/theme/onap/comm.js b/auth/auth-gui/theme/onap/comm.js
new file mode 100644
index 00000000..23309ef4
--- /dev/null
+++ b/auth/auth-gui/theme/onap/comm.js
@@ -0,0 +1,21 @@
+function http(meth, sURL, sInput, func) {
+	if (sInput != "") { 
+		var http;
+		if (window.XMLHttpRequest) {// code for IE7+, Firefox, Chrome, Opera, Safari
+		  http=new XMLHttpRequest();
+		} else {// code for IE6, IE5
+		  http=new ActiveXObject('Microsoft.XMLHTTP');
+		}
+	
+		http.onreadystatechange=function() {
+		  if(http.readyState==4 && http.status == 200) {
+			 func(http.responseText)
+		  }
+		  // Probably want Exception code too.
+		}
+		
+		http.open(meth,sURL,false);
+		http.setRequestHeader('Content-Type','text/plain;charset=UTF-8');
+		http.send(sInput);
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-gui/theme/onap/common.js b/auth/auth-gui/theme/onap/common.js
new file mode 100644
index 00000000..fbe8d083
--- /dev/null
+++ b/auth/auth-gui/theme/onap/common.js
@@ -0,0 +1,101 @@
+Object.defineProperty(Element.prototype, 'outerHeight', {
+    'get': function(){
+        var height = this.clientHeight;
+        height += getStyle(this,'marginTop');
+        height += getStyle(this,'marginBottom');
+        height += getStyle(this,'borderTopWidth');
+        height += getStyle(this,'borderBottomWidth');
+        return height;
+    }
+});
+
+if (document.addEventListener) {
+	document.addEventListener('DOMContentLoaded', function () {
+		var height = document.querySelector("#footer").outerHeight;
+		document.querySelector("#inner").setAttribute("style",
+				"margin-bottom:" + height.toString()+ "px");
+	});
+} else {
+	window.attachEvent("onload", function () {
+		var height = document.querySelector("#footer").outerHeight;
+		document.querySelector("#inner").setAttribute("style",
+				"margin-bottom:" + height.toString()+ "px");
+	});
+}
+
+
+
+function getStyle(el, prop) {
+	var result = el.currentStyle ? el.currentStyle[prop] :
+		document.defaultView.getComputedStyle(el,"")[prop];
+	if (parseInt(result,10))
+		return parseInt(result,10);
+	else
+		return 0;
+}
+
+function divVisibility(divID) {
+	var element = document.querySelector("#"+divID);
+	if (element.style.display=="block")
+		element.style.display="none";
+	else
+		element.style.display="block";
+}
+
+function datesURL(histPage) {
+	var validated=true;
+	var yearStart = document.querySelector('#yearStart').value;
+	var yearEnd = document.querySelector('#yearEnd').value;
+	var monthStart = document.querySelector('#monthStart').value;
+	var monthEnd = document.querySelector('#monthEnd').value;
+	if (monthStart.length == 1) monthStart = 0 + monthStart;
+	if (monthEnd.length == 1) monthEnd = 0 + monthEnd;
+
+	validated &= validateYear(yearStart);
+	validated &= validateYear(yearEnd);
+	validated &= validateMonth(monthStart);
+	validated &= validateMonth(monthEnd);
+	
+	if (validated) window.location=histPage+"&dates="+yearStart+monthStart+"-"+yearEnd+monthEnd;
+	else alert("Please correct your date selections");
+}
+
+function userFilter(approvalPage) {
+	var user = document.querySelector('#userTextBox').value;
+	if (user != "")
+		window.location=approvalPage+"?user="+user;
+	else
+		window.location=approvalPage;
+}
+
+function validateYear(year) {
+	var today = new Date();
+	if (year >= 1900 && year <= today.getFullYear()) return true;
+	else return false;
+}
+
+function validateMonth(month) {
+	if (month) return true;
+	else return false;
+}
+
+function alterLink(breadcrumbToFind, newTarget) {
+	var breadcrumbs = document.querySelector("#breadcrumbs").getElementsByTagName("A");
+	for (var i=0; i< breadcrumbs.length;i++) {
+		var breadcrumbHref = breadcrumbs[i].getAttribute('href');
+		if (breadcrumbHref.indexOf(breadcrumbToFind)>-1) 
+			breadcrumbs[i].setAttribute('href', newTarget);
+	}
+}
+
+// clipBoardData object not cross-browser supported. Only IE it seems
+function copyToClipboard(controlId) { 
+    var control = document.getElementById(controlId); 
+    if (control == null) { 
+    	alert("ERROR - control not found - " + controlId); 
+    } else { 
+    	var controlValue = control.href; 
+    	window.clipboardData.setData("text/plain", controlValue); 
+    	alert("Copied text to clipboard : " + controlValue); 
+    } 
+}
diff --git a/auth/auth-gui/theme/onap/console.js b/auth/auth-gui/theme/onap/console.js
new file mode 100644
index 00000000..dff87548
--- /dev/null
+++ b/auth/auth-gui/theme/onap/console.js
@@ -0,0 +1,272 @@
+function getCommand() {
+	if(typeof String.prototype.trim !== 'function') {
+		String.prototype.trim = function() {
+			return this.replace(/^\s+|\s+$/g, ''); 
+		};
+	}
+
+	var cmds = [];
+	cmds = document.querySelector("#command_field").value.split(" ");
+	var cleanCmd = "";
+	if (document.querySelector("#details_img").getAttribute("class") == "selected") 
+		cleanCmd += "set details=true ";
+	for (var i = 0; i < cmds.length;i++) {
+		var trimmed = cmds[i].trim();
+		if (trimmed != "")
+			cleanCmd += trimmed + " ";
+	}
+	
+	return cleanCmd.trim();
+}
+
+function moveCommandToDiv() {
+
+	var textInput = document.querySelector("#command_field");
+	var content = document.createTextNode(textInput.value);
+	var parContent = document.createElement("p");
+	var consoleDiv = document.querySelector("#console_area");
+	var commandCount = consoleDiv.querySelectorAll(".command").length;
+	parContent.setAttribute("class", "command");
+	parContent.appendChild(content);
+	consoleDiv.appendChild(parContent);
+
+	textInput.value = "";
+}
+
+function printResponse(response) {
+	var parContent = document.createElement("p");
+	parContent.setAttribute("class", "response");
+	var preTag = document.createElement("pre");
+	parContent.appendChild(preTag);
+	var content = document.createTextNode(response);
+	preTag.appendChild(content);
+	var consoleDiv = document.querySelector("#console_area");
+	consoleDiv.appendChild(parContent);
+	
+	consoleDiv.scrollTop = consoleDiv.scrollHeight;
+}
+
+function clearHistory() {
+	var consoleDiv = document.querySelector("#console_area");
+	var curr;
+	while (curr=consoleDiv.firstChild) {
+		consoleDiv.removeChild(curr);
+	}
+	document.querySelector("#command_field").value = "";
+	currentCmd = 0;
+}
+
+function buttonChangeFontSize(direction) {
+	var slider = document.querySelector("#text_size_slider");
+	var currentSize = parseInt(slider.value);
+	var newSize;
+	if (direction == "inc") {
+		newSize = currentSize + 10;
+	} else {
+		newSize = currentSize - 10;
+	}
+	if (newSize > slider.max) newSize = parseInt(slider.max);
+	if (newSize < slider.min) newSize = parseInt(slider.min);
+	slider.value = newSize;
+	changeFontSize(newSize);
+}
+
+function changeFontSize(size) {
+	var consoleDiv = document.querySelector("#console_area");
+	consoleDiv.style.fontSize = size + "%";
+}
+
+function handleDivHiding(id, img) {
+	var options_link = document.querySelector("#options_link");
+	var divHeight = toggleVisibility(document.querySelector("#"+id));
+
+	if (id == 'options') {
+		if (options_link.getAttribute("class") == "open") {
+			changeImg(document.querySelector("#options_img"), "../../theme/onap/options_down.png");
+			options_link.setAttribute("class", "closed");
+		} else {
+			changeImg(document.querySelector("#options_img"), "../../theme/onap/options_up.png");
+			options_link.setAttribute("class", "open");
+		}
+		moveToggleImg(options_link, divHeight);
+	} else { //id=text_slider
+		selectOption(img,divHeight);
+	}
+
+}
+
+function selectOption(img, divHeight) {
+	var options_link = document.querySelector("#options_link");
+	var anySelected;
+	if (img.getAttribute("class") != "selected") {
+		anySelected = document.querySelectorAll(".selected").length>0;
+		if (anySelected == false)
+			divHeight += 4;
+		img.setAttribute("class", "selected");
+	} else {
+		img.setAttribute("class", "");
+		anySelected = document.querySelectorAll(".selected").length>0;
+		if (anySelected == false)
+			divHeight -= 4;
+
+	}
+
+	moveToggleImg(options_link, divHeight);
+}
+
+function toggleVisibility(element) {
+	var divHeight;
+    if(element.style.display == 'block') {
+    	divHeight = 0 - element.clientHeight;
+    	element.style.display = 'none';
+    } else { 
+    	element.style.display = 'block';
+    	divHeight = element.clientHeight;
+    }
+    return divHeight;
+}
+
+function moveToggleImg(element, height) {
+	var curTop = (element.style.top == "" ? 0 : parseInt(element.style.top));
+	element.style.top = curTop + height;   
+}
+
+function changeImg(img, loc) {
+	img.src = loc;
+}
+
+var currentCmd = 0;
+function keyPressed() {
+	document.querySelector("#command_field").onkeyup=function(e) {
+		if (!e) e = window.event;
+		var keyCode = e.which || e.keyCode;
+		if (keyCode == 38 || keyCode == 40 || keyCode == 13 || keyCode == 27) {
+			var cmdHistoryList = document.querySelectorAll(".command");
+			switch (keyCode) {
+			case 13:
+				// press enter 
+
+				if (getCommand().toLowerCase()=="clear") {
+					clearHistory();
+				} else {
+					currentCmd = cmdHistoryList.length + 1;
+					document.querySelector("#submit").click();
+				}
+				break;
+				
+			case 27:
+				//press escape
+				currentCmd = cmdHistoryList.length;
+				document.querySelector("#command_field").value = "";
+				break;
+	
+			case 38:
+				// press arrow up	
+				if (currentCmd != 0)
+					currentCmd -= 1;
+				if (cmdHistoryList.length != 0) 
+					document.querySelector("#command_field").value = cmdHistoryList[currentCmd].innerHTML;
+				break;
+			case 40:
+				// press arrow down
+				var cmdText = "";
+				currentCmd = (currentCmd == cmdHistoryList.length) ? currentCmd : currentCmd + 1;
+				if (currentCmd < cmdHistoryList.length) 
+					cmdText = cmdHistoryList[currentCmd].innerHTML;
+				
+				document.querySelector("#command_field").value = cmdText;
+				break;
+			}
+		}
+	}
+}
+
+function saveToFile() {
+	var commands = document.querySelectorAll(".command");
+	var responses = document.querySelectorAll(".response");
+	var textToWrite = "";
+	for (var i = 0; i < commands.length; i++) {
+		textToWrite += "> " + commands[i].innerHTML + "\r\n";
+		textToWrite += prettyResponse(responses[i].firstChild.innerHTML);
+	}
+	
+    var ie = navigator.userAgent.match(/MSIE\s([\d.]+)/);
+    var ie11 = navigator.userAgent.match(/Trident\/7.0/) && navigator.userAgent.match(/rv:11/);
+    var ieVer=(ie ? ie[1] : (ie11 ? 11 : -1));
+    
+//    if (ie && ieVer<10) {
+//        console.log("No blobs on IE ver<10");
+//        return;
+//    }
+
+	var textFileAsBlob = new Blob([textToWrite], {type:'text/plain'});
+	var fileName = "AAFcommands.log";
+	
+	if (ieVer >= 10) {
+//		window.navigator.msSaveBlob(textFileAsBlob, fileName);
+		window.navigator.msSaveOrOpenBlob(textFileAsBlob, fileName); 
+	} else {
+		var downloadLink = document.createElement("a");
+		downloadLink.download = fileName;
+		downloadLink.innerHTML = "Download File";
+		if (window.webkitURL != null) {
+			// Chrome allows the link to be clicked
+			// without actually adding it to the DOM.
+			downloadLink.href = window.webkitURL.createObjectURL(textFileAsBlob);
+		} else {
+			// Firefox requires the link to be added to the DOM
+			// before it can be clicked.
+			downloadLink.href = window.URL.createObjectURL(textFileAsBlob);
+			downloadLink.onclick = destroyClickedElement;
+			downloadLink.style.display = "none";
+			document.body.appendChild(downloadLink);
+		}
+	
+		downloadLink.click();
+	}
+}
+
+function prettyResponse(response) {
+	var lines = response.split('\n');
+	var cleanResponse = "";
+	for (var i=0; i < lines.length; i++) {
+		cleanResponse += lines[i] + "\r\n";
+	}
+	cleanResponse = cleanResponse.replace(/(&lt;)/g,"<").replace(/(&gt;)/g,">");
+	return cleanResponse;
+}
+
+function destroyClickedElement(event){
+	document.body.removeChild(event.target);
+}
+
+function fakePlaceholder() {
+	document.querySelector("#command_field").setAttribute("value", "Type your AAFCLI commands here");
+}
+
+function maximizeConsole(img) {
+	var footer = document.querySelector("#footer");
+	var console_area = document.querySelector("#console_area");
+	var content = document.querySelector("#content");
+	var input_area = document.querySelector("#input_area");
+	var help_msg = document.querySelector("#help_msg");
+	var console_space = document.documentElement.clientHeight;
+	console_space -= input_area.outerHeight;
+	console_space -= help_msg.outerHeight;
+    var height = getStyle(console_area,'paddingTop') + getStyle(console_area,'paddingBottom');
+	console_space -= height;
+	
+	
+	if (content.getAttribute("class") != "maximized") {
+		content.setAttribute("class", "maximized");
+		footer.style.display="none";
+		console_area.style.resize="none";
+		console_area.style.height=console_space.toString()+"px";
+	} else {
+		content.removeAttribute("class");
+		footer.style.display="";
+		console_area.style.resize="vertical";
+		console_area.style.height="300px";
+	}
+	selectOption(img,0);
+}
diff --git a/auth/auth-gui/theme/onap/favicon.ico b/auth/auth-gui/theme/onap/favicon.ico
new file mode 100644
index 00000000..3aea2722
--- /dev/null
+++ b/auth/auth-gui/theme/onap/favicon.ico
diff --git a/auth/auth-gui/theme/onap/logo_onap.png b/auth/auth-gui/theme/onap/logo_onap.png
new file mode 100644
index 00000000..458e320c
--- /dev/null
+++ b/auth/auth-gui/theme/onap/logo_onap.png
diff --git a/auth/auth-gui/theme/onap/options_down.png b/auth/auth-gui/theme/onap/options_down.png
new file mode 100644
index 00000000..a20e8269
--- /dev/null
+++ b/auth/auth-gui/theme/onap/options_down.png
diff --git a/auth/auth-gui/theme/onap/options_up.png b/auth/auth-gui/theme/onap/options_up.png
new file mode 100644
index 00000000..7414dab5
--- /dev/null
+++ b/auth/auth-gui/theme/onap/options_up.png
diff --git a/auth/auth-hello/.gitignore b/auth/auth-hello/.gitignore
new file mode 100644
index 00000000..daa4ec18
--- /dev/null
+++ b/auth/auth-hello/.gitignore
@@ -0,0 +1,8 @@
+/target/
+/logs/
+/.settings/
+/.classpath
+/tokens/
+
+/bin/
+/.project
diff --git a/auth/auth-hello/pom.xml b/auth/auth-hello/pom.xml
new file mode 100644
index 00000000..bac4537e
--- /dev/null
+++ b/auth/auth-hello/pom.xml
@@ -0,0 +1,96 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- * ============LICENSE_START==================================================== 
+	* org.onap.aaf * =========================================================================== 
+	* Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. * =========================================================================== 
+	* Licensed under the Apache License, Version 2.0 (the "License"); * you may 
+	not use this file except in compliance with the License. * You may obtain 
+	a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * 
+	* Unless required by applicable law or agreed to in writing, software * distributed 
+	under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES 
+	OR CONDITIONS OF ANY KIND, either express or implied. * See the License for 
+	the specific language governing permissions and * limitations under the License. 
+	* ============LICENSE_END==================================================== 
+	* -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.onap.aaf.auth</groupId>
+		<artifactId>parent</artifactId>
+		<version>2.1.0-SNAPSHOT</version>
+		<relativePath>../pom.xml</relativePath>
+	</parent>
+
+	<artifactId>aaf-auth-hello</artifactId>
+	<name>AAF Auth Hello Service</name>
+	<description>Hello Service Component for testing AAF Auth Access</description>
+
+	<properties>
+	</properties>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.onap.aaf.auth</groupId>
+			<artifactId>aaf-auth-core</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.cadi</groupId>
+			<artifactId>aaf-cadi-aaf</artifactId>
+		</dependency>
+
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-jar-plugin</artifactId>
+				<configuration>
+					<includes>
+						<include>**/*.class</include>
+					</includes>
+				</configuration>
+				<version>2.3.1</version>
+			</plugin>
+
+			<!--This plugin's configuration is used to store Eclipse m2e settings 
+				only. It has no influence on the Maven build itself. -->
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-deploy-plugin</artifactId>
+				<configuration>
+					<skip>true</skip>
+				</configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.codehaus.mojo</groupId>
+				<artifactId>appassembler-maven-plugin</artifactId>
+				<configuration>
+					<programs>
+						<program>
+							<mainClass>org.onap.aaf.auth.hello.AAF_Hello</mainClass>
+							<name>hello</name>
+							<commandLineArguments>
+								<commandLineArgument>cadi_prop_files=${project.conf_dir}/org.osaaf.hello.props</commandLineArgument>
+							</commandLineArguments>
+						</program>
+					</programs>
+				</configuration>
+			</plugin>
+		</plugins>
+	</build>
+
+	<distributionManagement>
+		<repository>
+			<id>nexus</id>
+			<name>attarch-releases</name>
+			<url>http://mavencentral.it.att.com:8084/nexus/content/repositories/attarch-releases</url>
+		</repository>
+		<snapshotRepository>
+			<id>nexus</id>
+			<name>attarch-snapshots</name>
+			<url>http://mavencentral.it.att.com:8084/nexus/content/repositories/attarch-snapshots</url>
+		</snapshotRepository>
+	</distributionManagement>
+</project>
diff --git a/auth/auth-hello/src/main/config/.gitignore b/auth/auth-hello/src/main/config/.gitignore
new file mode 100644
index 00000000..b8a5bee8
--- /dev/null
+++ b/auth/auth-hello/src/main/config/.gitignore
@@ -0,0 +1,2 @@
+/log4j.properties
+/logging.properties
diff --git a/auth/auth-hello/src/main/config/hello.props b/auth/auth-hello/src/main/config/hello.props
new file mode 100644
index 00000000..055b15fb
--- /dev/null
+++ b/auth/auth-hello/src/main/config/hello.props
@@ -0,0 +1,29 @@
+##
+## AUTHZ GUI (authz-gui) Properties
+##
+
+hostname=_HOSTNAME_
+
+## DISCOVERY (DME2) Parameters on the Command Line
+AFT_LATITUDE=_AFT_LATITUDE_
+AFT_LONGITUDE=_AFT_LONGITUDE_
+AFT_ENVIRONMENT=_AFT_ENVIRONMENT_
+DEPLOYED_VERSION=_ARTIFACT_VERSION_
+
+## Pull in common/security properties
+
+cadi_prop_files=_COMMON_DIR_/com.att.aaf.common.props:_COMMON_DIR_/com.att.aaf.props
+
+##DME2 related parameters
+DMEServiceName=service=com.att.authz.authz-gui/version=_MAJOR_VER_._MINOR_VER_._PATCH_VER_/envContext=_ENV_CONTEXT_/routeOffer=_ROUTE_OFFER_
+AFT_DME2_PORT_RANGE=_AUTHZ_HELLO_PORT_RANGE_
+
+# Turn on both AAF TAF & LUR 2.0                                                
+aaf_url=https://DME2RESOLVE/service=com.att.authz.AuthorizationService/version=_MAJOR_VER_._MINOR_VER_/envContext=_ENV_CONTEXT_/routeOffer=_ROUTE_OFFER_
+# 1 min cache changes (when left alone)
+aaf_user_expires=60000
+
+# CSP
+csp_domain=PROD
+
+
diff --git a/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/AAF_Hello.java b/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/AAF_Hello.java
new file mode 100644
index 00000000..97448bdd
--- /dev/null
+++ b/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/AAF_Hello.java
@@ -0,0 +1,129 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+
+package org.onap.aaf.auth.hello;
+
+import java.util.Map;
+
+import javax.servlet.Filter;
+
+import org.onap.aaf.auth.cache.Cache.Dated;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.env.AuthzTransFilter;
+import org.onap.aaf.auth.rserv.HttpCode;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.auth.server.AbsService;
+import org.onap.aaf.auth.server.JettyServiceStarter;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
+import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;
+import org.onap.aaf.cadi.aaf.v2_0.AAFTrustChecker;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.register.Registrant;
+import org.onap.aaf.cadi.register.RemoteRegistrant;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+
+public class AAF_Hello extends AbsService<AuthzEnv,AuthzTrans> {
+	public enum API{TOKEN_REQ, TOKEN,INTROSPECT, ERROR,VOID};
+	public Map<String, Dated> cacheUser;
+	public AAFAuthn<?> aafAuthn;
+	public AAFLurPerm aafLurPerm;
+	
+	/**
+	 * Construct AuthzAPI with all the Context Supporting Routes that Authz needs
+	 * 
+	 * @param env
+	 * @param si 
+	 * @param dm 
+	 * @param decryptor 
+	 * @throws APIException 
+	 */
+	public AAF_Hello(final AuthzEnv env) throws Exception {
+		super(env.access(), env);
+		
+		aafLurPerm = aafCon().newLur();
+		// Note: If you need both Authn and Authz construct the following:
+		aafAuthn = aafCon().newAuthn(aafLurPerm);
+
+		String aaf_env = env.getProperty(Config.AAF_ENV);
+		if(aaf_env==null) {
+			throw new APIException("aaf_env needs to be set");
+		}
+		
+		// Initialize Facade for all uses
+		AuthzTrans trans = env.newTrans();
+		StringBuilder sb = new StringBuilder();
+		trans.auditTrail(2, sb);
+		trans.init().log(sb);
+		
+		API_Hello.init(this);
+}
+	
+	/**
+	 * Setup XML and JSON implementations for each supported Version type
+	 * 
+	 * We do this by taking the Code passed in and creating clones of these with the appropriate Facades and properties
+	 * to do Versions and Content switches
+	 * 
+	 */
+	public void route(HttpMethods meth, String path, API api, HttpCode<AuthzTrans, AAF_Hello> code) throws Exception {
+		String version = "1.0";
+		// Get Correct API Class from Mapper
+		route(env,meth,path,code,"text/plain;version="+version,"*/*");
+	}
+	
+	@Override
+	public Filter[] filters() throws CadiException, LocatorException {
+		try {
+			return new Filter[] {
+					new AuthzTransFilter(env,aafCon(),
+		        			new AAFTrustChecker((Env)env))
+				};
+		} catch (NumberFormatException e) {
+			throw new CadiException("Invalid Property information", e);
+		}
+	}
+
+	@SuppressWarnings("unchecked")
+	@Override
+	public Registrant<AuthzEnv>[] registrants(final int port) throws CadiException, LocatorException {
+		return new Registrant[] {
+			new RemoteRegistrant<AuthzEnv>(aafCon(),app_name,app_version,port)
+		};
+	}
+
+	public static void main(final String[] args) {
+		PropAccess propAccess = new PropAccess(args);
+		try {
+ 			AAF_Hello service = new AAF_Hello(new AuthzEnv(propAccess));
+//			env.setLog4JNames("log4j.properties","authz","hello","audit","init","trace");
+			JettyServiceStarter<AuthzEnv,AuthzTrans> jss = new JettyServiceStarter<AuthzEnv,AuthzTrans>(service);
+			jss.start();
+		} catch (Exception e) {
+			e.printStackTrace();
+		}
+	}
+}
diff --git a/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/API_Hello.java b/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/API_Hello.java
new file mode 100644
index 00000000..e2252236
--- /dev/null
+++ b/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/API_Hello.java
@@ -0,0 +1,88 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.hello;
+
+import javax.servlet.ServletOutputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.hello.AAF_Hello.API;
+import org.onap.aaf.auth.rserv.HttpCode;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+
+/**
+ * API Apis
+ * @author Jonathan
+ *
+ */
+public class API_Hello {
+
+
+	// Hide Public Constructor
+	private API_Hello() {}
+	
+	/**
+	 * Normal Init level APIs
+	 * 
+	 * @param oauthHello
+	 * @param facade
+	 * @throws Exception
+	 */
+	public static void init(final AAF_Hello oauthHello) throws Exception {
+		////////
+		// Overall APIs
+		///////
+		oauthHello.route(HttpMethods.GET,"/hello/:perm*",API.TOKEN,new HttpCode<AuthzTrans, AAF_Hello>(oauthHello,"Hello OAuth"){
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				resp.setStatus(200 /* OK */);
+				ServletOutputStream os = resp.getOutputStream();
+				os.print("Hello AAF ");
+				String perm = pathParam(req, "perm");
+				if(perm!=null && perm.length()>0) {
+					os.print('(');
+					os.print(req.getUserPrincipal().getName());
+					TimeTaken tt = trans.start("Authorize perm", Env.REMOTE);
+					try {
+						if(req.isUserInRole(perm)) {
+							os.print(" has ");
+						} else {
+							os.print(" does not have ");
+						}
+					} finally {
+						tt.done();
+					}
+					os.print("Permission: ");
+					os.print(perm);
+					os.print(')');
+				}
+				os.println();
+				
+				trans.info().printf("Said 'Hello' to %s, Authentication type: %s",trans.getUserPrincipal().getName(),trans.getUserPrincipal().getClass().getSimpleName());
+			}
+		}); 
+
+	}
+}
diff --git a/auth/auth-hello/src/test/java/org/onap/aaf/auth/hello/test/HelloTester.java b/auth/auth-hello/src/test/java/org/onap/aaf/auth/hello/test/HelloTester.java
new file mode 100644
index 00000000..84625281
--- /dev/null
+++ b/auth/auth-hello/src/test/java/org/onap/aaf/auth/hello/test/HelloTester.java
@@ -0,0 +1,81 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.hello.test;
+
+import java.net.ConnectException;
+import java.net.HttpURLConnection;
+import java.net.URI;
+import java.net.URISyntaxException;
+
+import org.onap.aaf.auth.common.Define;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp;
+import org.onap.aaf.cadi.aaf.v2_0.AAFLocator;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.cadi.config.SecurityInfoC;
+import org.onap.aaf.misc.env.APIException;
+
+public class HelloTester {
+
+	public static void main(String[] args) {
+		// Do Once and ONLY once
+		PropAccess access =  new PropAccess(args);
+		try {
+			Define.set(access);
+			String uriPrefix = access.getProperty("locatorURI","https://aaftest.test.att.com");
+			
+			SecurityInfoC<HttpURLConnection> si = SecurityInfoC.instance(access, HttpURLConnection.class);
+			AAFLocator loc = new AAFLocator(si,new URI(uriPrefix+"/locate/"+Define.ROOT_NS()+".hello:1.0"));
+			AAFConHttp aafcon = new AAFConHttp(access,loc,si);
+			
+			//
+			String pathinfo = "/hello";
+			final int iterations = Integer.parseInt(access.getProperty("iterations","5"));
+			System.out.println("Calling " + loc + " with Path " + pathinfo + ' ' + iterations + " time" + (iterations==1?"":"s"));
+			for(int i=0;i<iterations;++i) {
+				aafcon.best(new Retryable<Void> () {
+					@Override
+					public Void code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+						Future<String> fs = client.read("/hello","text/plain");
+						if(fs.get(5000)) {
+							System.out.print(fs.body());
+						} else {
+							System.err.println("Ooops, missed one: " + fs.code() + ": " + fs.body());
+						}
+						return null;
+
+					}
+				});
+				Thread.sleep(500L);
+			}
+		} catch (CadiException | LocatorException | URISyntaxException | APIException | InterruptedException e) {
+			e.printStackTrace();
+		}
+		
+		
+	}
+
+}
diff --git a/auth/auth-locate/.gitignore b/auth/auth-locate/.gitignore
new file mode 100644
index 00000000..3fea7c64
--- /dev/null
+++ b/auth/auth-locate/.gitignore
@@ -0,0 +1,6 @@
+/target/
+/.classpath
+/logs/
+/.settings/
+/tokens/
+/.project
diff --git a/auth/auth-locate/pom.xml b/auth/auth-locate/pom.xml
new file mode 100644
index 00000000..4fb54db3
--- /dev/null
+++ b/auth/auth-locate/pom.xml
@@ -0,0 +1,113 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.onap.aaf.auth</groupId>
+		<artifactId>parent</artifactId>
+		<version>2.1.0-SNAPSHOT</version>
+		<relativePath>../pom.xml</relativePath>
+	</parent>
+
+	<artifactId>aaf-auth-locate</artifactId>
+	<name>AAF Auth Locate</name>
+	<description>Location Service for AAF Auth Components</description>
+
+	<properties>
+		<maven.test.failure.ignore>true</maven.test.failure.ignore>
+	</properties>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.onap.aaf.auth</groupId>
+			<artifactId>aaf-auth-core</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.auth</groupId>
+			<artifactId>aaf-auth-cass</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.cadi</groupId>
+			<artifactId>aaf-cadi-aaf</artifactId>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.jvnet.jaxb2.maven2</groupId>
+				<artifactId>maven-jaxb2-plugin</artifactId>
+				<version>0.8.2</version>
+				<executions>
+					<execution>
+						<goals>
+							<goal>generate</goal>
+						</goals>
+					</execution>
+				</executions>
+				<configuration>
+					<schemaDirectory>src/main/xsd</schemaDirectory>
+				</configuration>
+			</plugin>
+
+
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-deploy-plugin</artifactId>
+				<configuration>
+					<skip>true</skip>
+				</configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.codehaus.mojo</groupId>
+				<artifactId>appassembler-maven-plugin</artifactId>
+				<configuration>
+					<programs>
+						<program>
+							<mainClass>org.onap.aaf.auth.locate.AAF_Locate</mainClass>
+							<id>locate</id>
+							<commandLineArguments>
+								<commandLineArgument>cadi_prop_files=${project.conf_dir}/org.osaaf.locate.props</commandLineArgument>
+							</commandLineArguments>
+						</program>
+					</programs>
+				</configuration>
+			</plugin>
+		</plugins>
+	</build>
+
+	<distributionManagement>
+		<repository>
+			<id>nexus</id>
+			<name>attarch-releases</name>
+			<url>http://mavencentral.it.att.com:8084/nexus/content/repositories/attarch-releases</url>
+		</repository>
+		<snapshotRepository>
+			<id>nexus</id>
+			<name>attarch-snapshots</name>
+			<url>http://mavencentral.it.att.com:8084/nexus/content/repositories/attarch-snapshots</url>
+		</snapshotRepository>
+	</distributionManagement>
+</project>
diff --git a/auth/auth-locate/src/main/.gitignore b/auth/auth-locate/src/main/.gitignore
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/auth/auth-locate/src/main/.gitignore
diff --git a/auth/auth-locate/src/main/config/.gitignore b/auth/auth-locate/src/main/config/.gitignore
new file mode 100644
index 00000000..429128d5
--- /dev/null
+++ b/auth/auth-locate/src/main/config/.gitignore
@@ -0,0 +1,2 @@
+/authGW.props
+/log4j.properties
diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/AAF_Locate.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/AAF_Locate.java
new file mode 100644
index 00000000..92fc88c7
--- /dev/null
+++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/AAF_Locate.java
@@ -0,0 +1,243 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+
+package org.onap.aaf.auth.locate;
+
+import java.net.URI;
+import java.util.Map;
+
+import javax.servlet.Filter;
+
+import org.onap.aaf.auth.cache.Cache;
+import org.onap.aaf.auth.cache.Cache.Dated;
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.cass.LocateDAO;
+import org.onap.aaf.auth.direct.DirectLocatorCreator;
+import org.onap.aaf.auth.direct.DirectRegistrar;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.env.AuthzTransFilter;
+import org.onap.aaf.auth.locate.api.API_AAFAccess;
+import org.onap.aaf.auth.locate.api.API_Api;
+import org.onap.aaf.auth.locate.api.API_Find;
+import org.onap.aaf.auth.locate.api.API_Proxy;
+import org.onap.aaf.auth.locate.facade.LocateFacadeFactory;
+import org.onap.aaf.auth.locate.facade.LocateFacade_1_0;
+import org.onap.aaf.auth.locate.mapper.Mapper.API;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.auth.server.AbsService;
+import org.onap.aaf.auth.server.JettyServiceStarter;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.Locator;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
+import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp;
+import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;
+import org.onap.aaf.cadi.aaf.v2_0.AAFTrustChecker;
+import org.onap.aaf.cadi.aaf.v2_0.AbsAAFLocator;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.register.Registrant;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Data;
+import org.onap.aaf.misc.env.Env;
+
+import com.datastax.driver.core.Cluster;
+
+public class AAF_Locate extends AbsService<AuthzEnv, AuthzTrans> {
+	private static final String DOT_LOCATOR = ".locator";
+
+	private static final String USER_PERMS = "userPerms";
+	private LocateFacade_1_0 facade; // this is the default Facade
+	private LocateFacade_1_0 facade_1_0_XML;
+	public Map<String, Dated> cacheUser;
+	public final AAFAuthn<?> aafAuthn;
+	public final AAFLurPerm aafLurPerm;
+	private Locator<URI> gui_locator;
+	public final long expireIn;
+	private final Cluster cluster;
+	public final LocateDAO locateDAO;
+	private Locator<URI> dal;
+	private final String aaf_service_name;
+	private final String aaf_gui_name;
+
+	
+	/**
+	 * Construct AuthzAPI with all the Context Supporting Routes that Authz needs
+	 * 
+	 * @param env
+	 * @param si 
+	 * @param dm 
+	 * @param decryptor 
+	 * @throws APIException 
+	 */
+	public AAF_Locate(final AuthzEnv env) throws Exception {
+		super(env.access(), env);
+		aaf_service_name = app_name.replace(DOT_LOCATOR, ".service");
+		aaf_gui_name = app_name.replace(DOT_LOCATOR, ".gui");
+		
+		expireIn = Long.parseLong(env.getProperty(Config.AAF_USER_EXPIRES, Config.AAF_USER_EXPIRES_DEF));
+
+		// Initialize Facade for all uses
+		AuthzTrans trans = env.newTransNoAvg();
+
+		cluster = org.onap.aaf.auth.dao.CassAccess.cluster(env,null);
+		locateDAO = new LocateDAO(trans,cluster,CassAccess.KEYSPACE);
+
+		// Have AAFLocator object Create DirectLocators for Location needs
+		AbsAAFLocator.setCreator(new DirectLocatorCreator(env, locateDAO));
+
+		aafLurPerm = aafCon().newLur();
+		// Note: If you need both Authn and Authz construct the following:
+		aafAuthn = aafCon().newAuthn(aafLurPerm);
+
+
+		facade = LocateFacadeFactory.v1_0(env,locateDAO,trans,Data.TYPE.JSON);   // Default Facade
+		facade_1_0_XML = LocateFacadeFactory.v1_0(env,locateDAO,trans,Data.TYPE.XML);
+
+		synchronized(env) {
+			if(cacheUser == null) {
+				cacheUser = Cache.obtain(USER_PERMS);
+				Cache.startCleansing(env, USER_PERMS);
+			}
+		}
+
+
+		////////////////////////////////////////////////////////////////////////////
+		// Time Critical
+		//  These will always be evaluated first
+		////////////////////////////////////////////////////////////////////////
+		API_AAFAccess.init(this,facade);
+		API_Find.init(this, facade);
+		API_Proxy.init(this, facade);
+		
+		////////////////////////////////////////////////////////////////////////
+		// Management APIs
+		////////////////////////////////////////////////////////////////////////
+		// There are several APIs around each concept, and it gets a bit too
+		// long in this class to create.  The initialization of these Management
+		// APIs have therefore been pushed to StandAlone Classes with static
+		// init functions
+		API_Api.init(this, facade);
+
+		////////////////////////////////////////////////////////////////////////
+		// Default Function
+		////////////////////////////////////////////////////////////////////////
+		API_AAFAccess.initDefault(this,facade);
+		
+	}
+
+	
+	/**
+	 * Setup XML and JSON implementations for each supported Version type
+	 * 
+	 * We do this by taking the Code passed in and creating clones of these with the appropriate Facades and properties
+	 * to do Versions and Content switches
+	 * 
+	 */
+	public void route(HttpMethods meth, String path, API api, LocateCode code) throws Exception {
+		String version = "1.0";
+		// Get Correct API Class from Mapper
+		Class<?> respCls = facade.mapper().getClass(api); 
+		if(respCls==null) throw new Exception("Unknown class associated with " + api.getClass().getName() + ' ' + api.name());
+		// setup Application API HTML ContentTypes for JSON and Route
+		String application = applicationJSON(respCls, version);
+		route(env,meth,path,code,application,"application/json;version="+version,"*/*","*");
+
+		// setup Application API HTML ContentTypes for XML and Route
+		application = applicationXML(respCls, version);
+		route(env,meth,path,code.clone(facade_1_0_XML,false),application,"text/xml;version="+version);
+		
+		// Add other Supported APIs here as created
+	}
+	
+	public void routeAll(HttpMethods meth, String path, API api, LocateCode code) throws Exception {
+		route(env,meth,path,code,""); // this will always match
+	}
+
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.server.AbsServer#_newAAFConHttp()
+	 */
+	@Override
+	protected AAFConHttp _newAAFConHttp() throws CadiException {
+		try {
+			if(dal==null) {
+				dal = AbsAAFLocator.create(aaf_service_name,Config.AAF_DEFAULT_VERSION);
+			}
+			// utilize pre-constructed DirectAAFLocator
+			return new AAFConHttp(env.access(),dal);
+		} catch (APIException | LocatorException e) {
+			throw new CadiException(e);
+		}
+
+	}
+
+	public Locator<URI> getGUILocator() throws LocatorException {
+		if(gui_locator==null) {
+			gui_locator = AbsAAFLocator.create(aaf_gui_name,Config.AAF_DEFAULT_VERSION);
+		}
+		return gui_locator;
+	}
+
+
+	@Override
+	public Filter[] filters() throws CadiException, LocatorException {
+		try {
+			return new Filter[] {
+				new AuthzTransFilter(env, aafCon(), 
+					new AAFTrustChecker((Env)env)
+				)};
+		} catch (NumberFormatException e) {
+			throw new CadiException("Invalid Property information", e);
+		}
+	}
+
+	@SuppressWarnings("unchecked")
+	@Override
+	public Registrant<AuthzEnv>[] registrants(final int port) throws CadiException {
+		return new Registrant[] {
+			new DirectRegistrar(access,locateDAO,app_name,app_version,port)
+		};
+	}
+
+	@Override
+	public void destroy() {
+		Cache.stopTimer();
+		if(cluster!=null) {
+			cluster.close();
+		}
+		super.destroy();
+	}
+
+	public static void main(final String[] args) {
+		PropAccess propAccess = new PropAccess(args);
+		try {
+ 			AAF_Locate service = new AAF_Locate(new AuthzEnv(propAccess));
+// 			service.env().setLog4JNames("log4j.properties","authz","gw","audit","init","trace");
+			JettyServiceStarter<AuthzEnv,AuthzTrans> jss = new JettyServiceStarter<AuthzEnv,AuthzTrans>(service);
+			jss.start();
+		} catch (Exception e) {
+			e.printStackTrace();
+		}
+	}
+}
diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/BasicAuthCode.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/BasicAuthCode.java
new file mode 100644
index 00000000..ac348f3f
--- /dev/null
+++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/BasicAuthCode.java
@@ -0,0 +1,77 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.locate;
+
+import java.security.Principal;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.http.HttpStatus;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.locate.facade.LocateFacade;
+import org.onap.aaf.cadi.Symm;
+import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
+import org.onap.aaf.cadi.principal.BasicPrincipal;
+import org.onap.aaf.cadi.principal.X509Principal;
+
+public class BasicAuthCode extends LocateCode {
+	private AAFAuthn<?> authn;
+
+	public BasicAuthCode(AAFAuthn<?> authn, LocateFacade facade) {
+		super(facade, "AAF Basic Auth",true);
+		this.authn = authn;
+	}
+
+	@Override
+	public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+		Principal p = trans.getUserPrincipal();
+		if(p == null) {
+			trans.error().log("Transaction not Authenticated... no Principal");
+		} else if (p instanceof BasicPrincipal) {
+			// the idea is that if call is made with this credential, and it's a BasicPrincipal, it's ok
+			// otherwise, it wouldn't have gotten here.
+			resp.setStatus(HttpStatus.OK_200);
+			return;
+		} else if (p instanceof X509Principal) {
+			// Since X509Principal has priority, BasicAuth Info might be there, but not validated.
+			String ba;
+			if((ba=req.getHeader("Authorization"))!=null && ba.startsWith("Basic ")) {
+				ba = Symm.base64noSplit.decode(ba.substring(6));
+				int colon = ba.indexOf(':');
+				if(colon>=0) {
+					String err;
+					if((err=authn.validate(ba.substring(0, colon), ba.substring(colon+1),trans))==null) {
+						resp.setStatus(HttpStatus.OK_200);
+					} else {
+						trans.audit().log(ba.substring(0,colon),": ",err);
+						resp.setStatus(HttpStatus.UNAUTHORIZED_401);
+					}
+					return;
+				}
+			}
+		}
+		trans.checkpoint("Basic Auth Check Failed: This wasn't a Basic Auth Trans");
+		// For Auth Security questions, we don't give any info to client on why failed
+		resp.setStatus(HttpStatus.FORBIDDEN_403);
+	}
+}
diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/LocateCode.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/LocateCode.java
new file mode 100644
index 00000000..b1aa23cc
--- /dev/null
+++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/LocateCode.java
@@ -0,0 +1,44 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.locate;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.locate.facade.LocateFacade;
+import org.onap.aaf.auth.rserv.HttpCode;
+
+public abstract class LocateCode extends HttpCode<AuthzTrans, LocateFacade> implements Cloneable {
+	public boolean useJSON;
+
+	public LocateCode(LocateFacade facade, String description, boolean useJSON, String ... roles) {
+		super(facade, description, roles);
+		this.useJSON = useJSON;
+	}
+	
+	public <D extends LocateCode> D clone(LocateFacade facade, boolean useJSON) throws Exception {
+		@SuppressWarnings("unchecked")
+		D d = (D)clone();
+		d.useJSON = useJSON;
+		d.context = facade;
+		return d;
+	}
+	
+}
+\ No newline at end of file
diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_AAFAccess.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_AAFAccess.java
new file mode 100644
index 00000000..9de92d14
--- /dev/null
+++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_AAFAccess.java
@@ -0,0 +1,259 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.locate.api;
+
+import java.io.IOException;
+import java.net.ConnectException;
+import java.net.URI;
+import java.security.Principal;
+
+import javax.servlet.ServletOutputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.http.HttpStatus;
+import org.onap.aaf.auth.cache.Cache.Dated;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.locate.AAF_Locate;
+import org.onap.aaf.auth.locate.BasicAuthCode;
+import org.onap.aaf.auth.locate.LocateCode;
+import org.onap.aaf.auth.locate.facade.LocateFacade;
+import org.onap.aaf.auth.locate.mapper.Mapper.API;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.Locator;
+import org.onap.aaf.cadi.Locator.Item;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.aaf.AAFPermission;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+
+public class API_AAFAccess {
+//	private static String service, version, envContext; 
+
+	private static final String GET_PERMS_BY_USER = "Get Perms by User";
+	private static final String USER_HAS_PERM ="User Has Perm";
+//	private static final String USER_IN_ROLE ="User Has Role";
+	
+	/**
+	 * Normal Init level APIs
+	 * 
+	 * @param gwAPI
+	 * @param facade
+	 * @throws Exception
+	 */
+	public static void init(final AAF_Locate gwAPI, LocateFacade facade) throws Exception {
+		
+		
+		gwAPI.route(HttpMethods.GET,"/authz/perms/user/:user",API.VOID,new LocateCode(facade,GET_PERMS_BY_USER, true) {
+			@Override
+			public void handle(final AuthzTrans trans, final HttpServletRequest req, final HttpServletResponse resp) throws Exception {
+				TimeTaken tt = trans.start(GET_PERMS_BY_USER, Env.SUB);
+				try {
+					final String accept = req.getHeader("ACCEPT");
+					final String user = pathParam(req,":user");
+					if(!user.contains("@")) {
+						context.error(trans,resp,Result.ERR_BadData,"User [%s] must be fully qualified with domain",user);
+						return;
+					}
+					final String key = trans.user() + user + (accept!=null&&accept.contains("xml")?"-xml":"-json");
+					TimeTaken tt2 = trans.start("Cache Lookup",Env.SUB);
+					Dated d;
+					try {
+						d = gwAPI.cacheUser.get(key);
+					} finally {
+						tt2.done();
+					}
+					
+					if(d==null || d.data.isEmpty()) {
+						tt2 = trans.start("AAF Service Call",Env.REMOTE);
+						try {
+							gwAPI.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {
+								@Override
+								public Void code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+									Future<String> fp = client.read("/authz/perms/user/"+user,accept);
+									if(fp.get(5000)) {
+										gwAPI.cacheUser.put(key, new Dated(new User(fp.code(),fp.body()),gwAPI.expireIn));
+										resp.setStatus(HttpStatus.OK_200);
+										ServletOutputStream sos;
+										try {
+											sos = resp.getOutputStream();
+											sos.print(fp.value);
+										} catch (IOException e) {
+											throw new CadiException(e);
+										}
+									} else {
+										gwAPI.cacheUser.put(key, new Dated(new User(fp.code(),fp.body()),gwAPI.expireIn));
+										context.error(trans,resp,fp.code(),fp.body());
+									}
+									return null;
+								}
+							});
+						} finally {
+							tt2.done();
+						}
+					} else {
+						User u = (User)d.data.get(0);
+						resp.setStatus(u.code);
+						ServletOutputStream sos = resp.getOutputStream();
+						sos.print(u.resp);
+					}
+				} finally {
+					tt.done();
+				}
+			}
+		});
+
+
+		gwAPI.route(gwAPI.env,HttpMethods.GET,"/authn/basicAuth",new BasicAuthCode(gwAPI.aafAuthn,facade)
+				,"text/plain","*/*","*");
+
+		/**
+		 * Query User Has Perm
+		 */
+		gwAPI.route(HttpMethods.GET,"/ask/:user/has/:type/:instance/:action",API.VOID,new LocateCode(facade,USER_HAS_PERM, true) {
+			@Override
+			public void handle(final AuthzTrans trans, final HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				try {
+					resp.getOutputStream().print(
+							gwAPI.aafLurPerm.fish(new Principal() {
+								public String getName() {
+									return pathParam(req,":user");
+								};
+							}, new AAFPermission(
+								pathParam(req,":type"),
+								pathParam(req,":instance"),
+								pathParam(req,":action"))));
+					resp.setStatus(HttpStatus.OK_200);
+				} catch(Exception e) {
+					context.error(trans, resp, Result.ERR_General, e.getMessage());
+				}
+			}
+		});
+
+		gwAPI.route(HttpMethods.GET,"/gui/:path*",API.VOID,new LocateCode(facade,"Short Access PROD GUI for AAF", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				try {
+					redirect(trans, req, resp, context, 
+							gwAPI.getGUILocator(), 
+							"gui/"+pathParam(req,":path"));
+				} catch (LocatorException e) {
+					context.error(trans, resp, Result.ERR_BadData, e.getMessage());
+				} catch (Exception e) {
+					context.error(trans, resp, Result.ERR_General, e.getMessage());
+				}
+			}
+		});
+
+		gwAPI.route(HttpMethods.GET,"/aaf/:version/:path*",API.VOID,new LocateCode(facade,"Access PROD GUI for AAF", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				try {
+					redirect(trans, req, resp, context, 
+							gwAPI.getGUILocator(), 
+							pathParam(req,":path"));
+				} catch (LocatorException e) {
+					context.error(trans, resp, Result.ERR_BadData, e.getMessage());
+				} catch (Exception e) {
+					context.error(trans, resp, Result.ERR_General, e.getMessage());
+				}
+			}
+		});
+	}
+	
+	public static void initDefault(final AAF_Locate gwAPI, LocateFacade facade) throws Exception {
+
+		/**
+		 * "login" url
+		 */
+		gwAPI.route(HttpMethods.GET,"/login",API.VOID,new LocateCode(facade,"Access Login GUI for AAF", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				try {
+					redirect(trans, req, resp, context, 
+							gwAPI.getGUILocator(),
+							"login");
+				} catch (LocatorException e) {
+					context.error(trans, resp, Result.ERR_BadData, e.getMessage());
+				} catch (Exception e) {
+					context.error(trans, resp, Result.ERR_General, e.getMessage());
+				}
+			}
+		});
+
+		
+		/**
+		 * Default URL
+		 */
+		gwAPI.route(HttpMethods.GET,"/",API.VOID,new LocateCode(facade,"Access GUI for AAF", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				try {
+					redirect(trans, req, resp, context, 
+							gwAPI.getGUILocator(), 
+							"gui/home");
+				} catch (Exception e) {
+					context.error(trans, resp, Result.ERR_General, e.getMessage());
+				}
+			}
+		});
+	}
+
+	private static void redirect(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, LocateFacade context, Locator<URI> loc, String path) throws IOException {
+		try {
+			if(loc.hasItems()) {
+				Item item = loc.best();
+				URI uri = loc.get(item);
+				StringBuilder redirectURL = new StringBuilder(uri.toString()); 
+				redirectURL.append('/');
+				redirectURL.append(path);
+				String str = req.getQueryString();
+				if(str!=null) {
+					redirectURL.append('?');
+					redirectURL.append(str);
+				}
+				trans.info().log("Redirect to",redirectURL);
+				resp.sendRedirect(redirectURL.toString());
+			} else {
+				context.error(trans, resp, Result.err(Result.ERR_NotFound,"No Locations found for redirection"));
+			}
+		} catch (LocatorException e) {
+			context.error(trans, resp, Result.err(Result.ERR_NotFound,"No Endpoints found for %s",req.getPathInfo()));
+		}
+	}
+
+	private static class User {
+		public final int code;
+		public final String resp;
+		
+		public User(int code, String resp) {
+			this.code = code;
+			this.resp = resp;
+		}
+	}
+}
diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_Api.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_Api.java
new file mode 100644
index 00000000..8e3fab56
--- /dev/null
+++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_Api.java
@@ -0,0 +1,97 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.locate.api;
+
+import static org.onap.aaf.auth.layer.Result.OK;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.http.HttpStatus;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.locate.AAF_Locate;
+import org.onap.aaf.auth.locate.LocateCode;
+import org.onap.aaf.auth.locate.facade.LocateFacade;
+import org.onap.aaf.auth.locate.mapper.Mapper.API;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.Symm;
+
+/**
+ * API Apis
+ * @author Jonathan
+ *
+ */
+public class API_Api {
+	/**
+	 * Normal Init level APIs
+	 * 
+	 * @param gwAPI
+	 * @param facade
+	 * @throws Exception
+	 */
+	public static void init(final AAF_Locate gwAPI, LocateFacade facade) throws Exception {
+		////////
+		// Overall APIs
+		///////
+		gwAPI.route(HttpMethods.GET,"/api",API.VOID,new LocateCode(facade,"Document API", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.getAPI(trans,resp,gwAPI);
+				switch(r.status) {
+				case OK:
+					resp.setStatus(HttpStatus.OK_200);
+					break;
+				default:
+					context.error(trans,resp,r);
+			}
+
+			}
+		});
+
+		////////
+		// Overall Examples
+		///////
+		gwAPI.route(HttpMethods.GET,"/api/example/*",API.VOID,new LocateCode(facade,"Document API", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				String pathInfo = req.getPathInfo();
+				int question = pathInfo.lastIndexOf('?');
+				
+				pathInfo = pathInfo.substring(13, question<0?pathInfo.length():question);// IMPORTANT, this is size of "/api/example/"
+				String nameOrContextType=Symm.base64noSplit.decode(pathInfo);
+//				String param = req.getParameter("optional");
+				Result<Void> r = context.getAPIExample(trans,resp,nameOrContextType,
+						question>=0 && "optional=true".equalsIgnoreCase(req.getPathInfo().substring(question+1))
+						);
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200);
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+
+	}
+}
diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_Find.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_Find.java
new file mode 100644
index 00000000..27bd8c3a
--- /dev/null
+++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_Find.java
@@ -0,0 +1,132 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.locate.api;
+
+import static org.onap.aaf.auth.layer.Result.OK;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.http.HttpStatus;
+import org.onap.aaf.auth.common.Define;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.locate.AAF_Locate;
+import org.onap.aaf.auth.locate.LocateCode;
+import org.onap.aaf.auth.locate.facade.LocateFacade;
+import org.onap.aaf.auth.locate.mapper.Mapper.API;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.misc.env.util.Split;
+
+/**
+ * API Apis.. using Redirect for mechanism
+ * 
+ * @author Jonathan
+ *
+ */
+public class API_Find {
+	/**
+	 * Normal Init level APIs
+	 * 
+	 * @param gwAPI
+	 * @param facade
+	 * @throws Exception
+	 */
+	public static void init(final AAF_Locate gwAPI, LocateFacade facade) throws Exception {
+		////////
+		// Overall APIs
+		///////
+		
+		final LocateCode locationInfo = new LocateCode(facade,"Location Information", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				String service = pathParam(req, ":service");
+				String version = pathParam(req, ":version");
+				String other = pathParam(req, ":other");
+				if(service.indexOf(':')>=0) {
+					String split[] = Split.split(':', service);
+					switch(split.length) {
+						case 3:
+							other=split[2];
+						case 2:
+							version = split[1];
+							service = split[0];
+					}
+				}
+				service=Define.varReplace(service);
+				Result<Void> r = context.getEndpoints(trans,resp,
+					req.getPathInfo(), // use as Key
+					service,version,other					
+				);
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200);
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		};
+
+		gwAPI.route(HttpMethods.GET,"/locate/:service/:version",API.ENDPOINTS,locationInfo);
+		gwAPI.route(HttpMethods.GET,"/locate/:service/:version/:other",API.ENDPOINTS,locationInfo);
+		gwAPI.route(HttpMethods.GET,"/locate/:service",API.ENDPOINTS,locationInfo);
+		
+		
+		gwAPI.route(HttpMethods.GET,"/download/agent", API.VOID, new LocateCode(facade,"Redirect to latest Agent",false) {
+			@Override
+			public void handle(AuthzTrans arg0, HttpServletRequest arg1, HttpServletResponse arg2) throws Exception {
+			}
+		});
+
+		gwAPI.route(HttpMethods.PUT,"/registration",API.MGMT_ENDPOINTS,new LocateCode(facade,"Put Location Information", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.putMgmtEndpoints(trans,req,resp);
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200);
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+
+			}
+		});
+
+		gwAPI.route(HttpMethods.DELETE,"/registration",API.MGMT_ENDPOINTS,new LocateCode(facade,"Remove Location Information", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.removeMgmtEndpoints(trans,req,resp);
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200);
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+
+			}
+		});
+
+	}
+}
diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_Proxy.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_Proxy.java
new file mode 100644
index 00000000..d2e4583c
--- /dev/null
+++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_Proxy.java
@@ -0,0 +1,163 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.locate.api;
+
+import java.net.ConnectException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.http.HttpStatus;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.locate.AAF_Locate;
+import org.onap.aaf.auth.locate.BasicAuthCode;
+import org.onap.aaf.auth.locate.LocateCode;
+import org.onap.aaf.auth.locate.facade.LocateFacade;
+import org.onap.aaf.auth.locate.mapper.Mapper.API;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.oauth.OAuth2Principal;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+
+/**
+ * API Apis.. using Redirect for mechanism
+ * 
+ * @author Jonathan
+ *
+ */
+public class API_Proxy {
+
+	/**
+	 * Normal Init level APIs
+	 * 
+	 * @param gwAPI
+	 * @param facade
+	 * @throws Exception
+	 */
+	public static void init(final AAF_Locate gwAPI, LocateFacade facade) throws Exception {
+		
+		String aafurl = gwAPI.access.getProperty(Config.AAF_URL,null);
+		if(aafurl==null) {
+		} else {
+			////////
+			// Transferring APIs
+			// But DO NOT transfer BasicAuth case... wastes resources.
+			///////
+			final BasicAuthCode bac = new BasicAuthCode(gwAPI.aafAuthn,facade);
+			
+			gwAPI.routeAll(HttpMethods.GET,"/proxy/:path*",API.VOID,new LocateCode(facade,"Proxy GET", true) {
+				@Override
+				public void handle(final AuthzTrans trans, final HttpServletRequest req, final HttpServletResponse resp) throws Exception {
+					if("/proxy/authn/basicAuth".equals(req.getPathInfo()) && !(req.getUserPrincipal() instanceof OAuth2Principal)) {
+						bac.handle(trans, req, resp);
+					} else {
+						TimeTaken tt = trans.start("Forward to AAF Service", Env.REMOTE);
+						try {
+							gwAPI.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {
+								@Override
+								public Void code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+									Future<Void> ft = client.transfer(req,resp,pathParam(req, ":path"),HttpStatus.OK_200);
+									ft.get(10000); // Covers return codes and err messages
+									return null;
+								}
+							});
+						
+						} catch (CadiException | APIException e) {
+							trans.error().log(e);
+						} finally {
+							tt.done();
+						}
+					}
+				}
+			});
+			
+			gwAPI.routeAll(HttpMethods.POST,"/proxy/:path*",API.VOID,new LocateCode(facade,"Proxy POST", true) {
+				@Override
+				public void handle(final AuthzTrans trans, final HttpServletRequest req, final HttpServletResponse resp) throws Exception {
+					TimeTaken tt = trans.start("Forward to AAF Service", Env.REMOTE);
+					try {
+						gwAPI.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {
+							@Override
+							public Void code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+								Future<Void> ft = client.transfer(req,resp,pathParam(req, ":path"),HttpStatus.CREATED_201);
+								ft.get(10000); // Covers return codes and err messages
+								return null;
+							}
+						});
+					} catch (CadiException | APIException e) {
+						trans.error().log(e);
+					} finally {
+						tt.done();
+					}
+				}
+			});
+			
+			gwAPI.routeAll(HttpMethods.PUT,"/proxy/:path*",API.VOID,new LocateCode(facade,"Proxy PUT", true) {
+				@Override
+				public void handle(final AuthzTrans trans, final HttpServletRequest req, final HttpServletResponse resp) throws Exception {
+					TimeTaken tt = trans.start("Forward to AAF Service", Env.REMOTE);
+					try {
+						gwAPI.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {
+							@Override
+							public Void code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+								Future<Void> ft = client.transfer(req,resp,pathParam(req, ":path"),HttpStatus.OK_200);
+								ft.get(10000); // Covers return codes and err messages
+								return null;
+							}
+						});
+					} catch (CadiException | APIException e) {
+						trans.error().log(e);
+					} finally {
+						tt.done();
+					}
+				}
+			});
+			
+			gwAPI.routeAll(HttpMethods.DELETE,"/proxy/:path*",API.VOID,new LocateCode(facade,"Proxy DELETE", true) {
+				@Override
+				public void handle(final AuthzTrans trans, final HttpServletRequest req, final HttpServletResponse resp) throws Exception {
+					TimeTaken tt = trans.start("Forward to AAF Service", Env.REMOTE);
+					try {
+						gwAPI.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {
+							@Override
+							public Void code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+								Future<Void> ft = client.transfer(req,resp,pathParam(req, ":path"),HttpStatus.OK_200);
+								ft.get(10000); // Covers return codes and err messages
+								return null;
+							}
+						});
+					} catch (CadiException | APIException e) {
+						trans.error().log(e);
+					} finally {
+						tt.done();
+					}
+				}
+			});
+		}
+	}
+}
diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacade.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacade.java
new file mode 100644
index 00000000..817fcc58
--- /dev/null
+++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacade.java
@@ -0,0 +1,106 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.locate.facade;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.rserv.RServlet;
+
+
+/**
+ *   
+ * @author Jonathan
+ *
+ */
+public interface LocateFacade {
+
+/////////////////////  STANDARD ELEMENTS //////////////////
+	/** 
+	 * @param trans
+	 * @param response
+	 * @param result
+	 */
+	void error(AuthzTrans trans, HttpServletResponse response, Result<?> result);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param response
+	 * @param status
+	 */
+	void error(AuthzTrans trans, HttpServletResponse response, int status,	String msg, String ... detail);
+
+
+	/**
+	 * 
+	 * @param trans
+	 * @param resp
+	 * @param rservlet
+	 * @return
+	 */
+	public Result<Void> getAPI(AuthzTrans trans, HttpServletResponse resp, RServlet<AuthzTrans> rservlet);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param resp
+	 * @param typeCode
+	 * @param optional
+	 * @return
+	 */
+	public abstract Result<Void> getAPIExample(AuthzTrans trans, HttpServletResponse resp, String typeCode, boolean optional);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param resp
+	 * @param service
+	 * @param version
+	 * @param other
+	 * @param string 
+	 * @return
+	 */
+	public abstract Result<Void> getEndpoints(AuthzTrans trans, HttpServletResponse resp, String key, 
+			String service, String version, String other);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param req
+	 * @param resp
+	 * @return
+	 */
+	public abstract Result<Void> putMgmtEndpoints(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param req
+	 * @param resp
+	 * @return
+	 */
+	public abstract Result<Void> removeMgmtEndpoints(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp);
+
+}
+\ No newline at end of file
diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeFactory.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeFactory.java
new file mode 100644
index 00000000..ea20df5a
--- /dev/null
+++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeFactory.java
@@ -0,0 +1,48 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.locate.facade;
+
+import org.onap.aaf.auth.dao.cass.LocateDAO;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.locate.mapper.Mapper_1_0;
+import org.onap.aaf.auth.locate.service.LocateServiceImpl;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Data;
+
+import locate_local.v1_0.Error;
+import locate_local.v1_0.InRequest;
+import locate_local.v1_0.Out;
+
+
+public class LocateFacadeFactory {
+	public static LocateFacade_1_0 v1_0(AuthzEnv env, LocateDAO locateDAO, AuthzTrans trans, Data.TYPE type) throws APIException {
+		return new LocateFacade_1_0(
+				env,
+				new LocateServiceImpl<
+					InRequest,
+					Out,
+					Error>(trans,locateDAO,new Mapper_1_0()),
+				type);  
+	}
+
+}
diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java
new file mode 100644
index 00000000..1ce9821f
--- /dev/null
+++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java
@@ -0,0 +1,393 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.locate.facade;
+
+
+import static org.onap.aaf.auth.layer.Result.ERR_ActionNotCompleted;
+import static org.onap.aaf.auth.layer.Result.ERR_BadData;
+import static org.onap.aaf.auth.layer.Result.ERR_ConflictAlreadyExists;
+import static org.onap.aaf.auth.layer.Result.ERR_Denied;
+import static org.onap.aaf.auth.layer.Result.ERR_NotFound;
+import static org.onap.aaf.auth.layer.Result.ERR_NotImplemented;
+import static org.onap.aaf.auth.layer.Result.ERR_Policy;
+import static org.onap.aaf.auth.layer.Result.ERR_Security;
+import static org.onap.aaf.auth.layer.Result.OK;
+
+import java.lang.reflect.Method;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.FacadeImpl;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.locate.mapper.Mapper;
+import org.onap.aaf.auth.locate.mapper.Mapper.API;
+import org.onap.aaf.auth.locate.service.LocateService;
+import org.onap.aaf.auth.locate.service.LocateServiceImpl;
+import org.onap.aaf.auth.rserv.RServlet;
+import org.onap.aaf.auth.rserv.RouteReport;
+import org.onap.aaf.auth.rserv.doc.ApiDoc;
+import org.onap.aaf.cadi.aaf.client.Examples;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Data;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Data.TYPE;
+import org.onap.aaf.misc.rosetta.env.RosettaDF;
+import org.onap.aaf.misc.rosetta.env.RosettaData;
+
+import locate_local.v1_0.Api;
+
+/**
+ * AuthzFacade
+ * 
+ * This Service Facade encapsulates the essence of the API Service can do, and provides
+ * a single created object for elements such as RosettaDF.
+ *
+ * The Responsibilities of this class are to:
+ * 1) Interact with the Service Implementation (which might be supported by various kinds of Backend Storage)
+ * 2) Validate incoming data (if applicable)
+ * 3) Convert the Service response into the right Format, and mark the Content Type
+ * 		a) In the future, we may support multiple Response Formats, aka JSON or XML, based on User Request.
+ * 4) Log Service info, warnings and exceptions as necessary
+ * 5) When asked by the API layer, this will create and write Error content to the OutputStream
+ * 
+ * Note: This Class does NOT set the HTTP Status Code.  That is up to the API layer, so that it can be 
+ * clearly coordinated with the API Documentation
+ * 
+ * @author Jonathan
+ *
+ */
+public abstract class LocateFacadeImpl<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,ERROR> extends FacadeImpl implements LocateFacade 
+	{
+	private LocateService<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,ERROR> service;
+
+	private final RosettaDF<ERROR>	 		errDF;
+	private final RosettaDF<Api>	 			apiDF;
+	private final RosettaDF<ENDPOINTS>		epDF;
+	private final RosettaDF<MGMT_ENDPOINTS>	mepDF;
+
+
+	private static long cacheClear = 0L, emptyCheck=0L;
+	private final static Map<String,String> epsCache = new HashMap<String, String>(); // protected manually, in getEndpoints
+
+	public LocateFacadeImpl(AuthzEnv env, LocateService<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,ERROR> service, Data.TYPE dataType) throws APIException {
+		this.service = service;
+		(errDF 				= env.newDataFactory(mapper().getClass(API.ERROR))).in(dataType).out(dataType);
+		(apiDF				= env.newDataFactory(Api.class)).in(dataType).out(dataType);
+		(epDF				= env.newDataFactory(mapper().getClass(API.ENDPOINTS))).in(dataType).out(dataType);
+		(mepDF				= env.newDataFactory(mapper().getClass(API.MGMT_ENDPOINTS))).in(dataType).out(dataType);
+	}
+	
+	public Mapper<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,ERROR> mapper() {
+		return service.mapper();
+	}
+		
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#error(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, int)
+	 * 
+	 * Note: Conforms to AT&T TSS RESTful Error Structure
+	 */
+	@Override
+	public void error(AuthzTrans trans, HttpServletResponse response, Result<?> result) {
+		String msg = result.details==null?"":result.details.trim();
+		String[] detail;
+		if(result.variables==null) {
+			detail = new String[1];
+		} else {
+			int l = result.variables.length;
+			detail=new String[l+1];
+			System.arraycopy(result.variables, 0, detail, 1, l);
+		}
+		error(trans, response, result.status,msg,detail);
+	}
+		
+	@Override
+	public void error(AuthzTrans trans, HttpServletResponse response, int status, String msg, String ... _detail) {
+	    	String[] detail = _detail;
+		if(detail.length==0) {
+		    detail=new String[1];
+		}
+		boolean hidemsg = false;
+		String msgId;
+		switch(status) {
+			case 202:
+			case ERR_ActionNotCompleted:
+				msgId = "SVC1202";
+				detail[0] = "Accepted, Action not complete";
+				response.setStatus(/*httpstatus=*/202);
+				break;
+
+			case 403:
+			case ERR_Policy:
+			case ERR_Security:
+			case ERR_Denied:
+				msgId = "SVC1403";
+				detail[0] = "Forbidden";
+				response.setStatus(/*httpstatus=*/403);
+				break;
+				
+			case 404:
+			case ERR_NotFound:
+				msgId = "SVC1404";
+				detail[0] = "Not Found";
+				response.setStatus(/*httpstatus=*/404);
+				break;
+
+			case 406:
+			case ERR_BadData:
+				msgId="SVC1406";
+				detail[0] = "Not Acceptable";
+				response.setStatus(/*httpstatus=*/406);
+				break;
+				
+			case 409:
+			case ERR_ConflictAlreadyExists:
+				msgId = "SVC1409";
+				detail[0] = "Conflict Already Exists";
+				response.setStatus(/*httpstatus=*/409);
+				break;
+			
+			case 501:
+			case ERR_NotImplemented:
+				msgId = "SVC1501";
+				detail[0] = "Not Implemented"; 
+				response.setStatus(/*httpstatus=*/501);
+				break;
+				
+			default:
+				msgId = "SVC1500";
+				detail[0] = "General Service Error";
+				response.setStatus(/*httpstatus=*/500);
+				hidemsg = true;
+				break;
+		}
+
+		try {
+			StringBuilder holder = new StringBuilder();
+			ERROR em = mapper().errorFromMessage(holder,msgId,msg,detail);
+			trans.checkpoint(
+					"ErrResp [" + 
+					msgId +
+					"] " +
+					holder.toString(),
+					Env.ALWAYS);
+			if(hidemsg) {
+				holder.setLength(0);
+				em = mapper().errorFromMessage(holder, msgId, "Server had an issue processing this request");
+			}
+			errDF.newData(trans).load(em).to(response.getOutputStream());
+			
+		} catch (Exception e) {
+			trans.error().log(e,"unable to send response for",msg);
+		}
+	}
+	
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getAPI(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse)
+	 */
+	public final static String API_REPORT = "apiReport";
+	@Override
+	public Result<Void> getAPI(AuthzTrans trans, HttpServletResponse resp, RServlet<AuthzTrans> rservlet) {
+		TimeTaken tt = trans.start(API_REPORT, Env.SUB);
+		try {
+			Api api = new Api();
+			Api.Route ar;
+			Method[] meths = LocateServiceImpl.class.getDeclaredMethods();
+			for(RouteReport rr : rservlet.routeReport()) {
+				api.getRoute().add(ar = new Api.Route());
+				ar.setMeth(rr.meth.name());
+				ar.setPath(rr.path);
+				ar.setDesc(rr.desc);
+				ar.getContentType().addAll(rr.contextTypes);
+				for(Method m : meths) {
+					ApiDoc ad;
+					if((ad = m.getAnnotation(ApiDoc.class))!=null &&
+							rr.meth.equals(ad.method()) &&
+						    rr.path.equals(ad.path())) {
+						for(String param : ad.params()) {
+							ar.getParam().add(param);
+						}
+						for(String text : ad.text()) {
+							ar.getComments().add(text);
+						}
+						ar.setExpected(ad.expectedCode());
+						for(int ec : ad.errorCodes()) {
+							ar.getExplicitErr().add(ec);
+						}
+					}
+				}
+			}
+			apiDF.newData(trans).load(api).to(resp.getOutputStream());
+			setContentType(resp,apiDF.getOutType());
+			return Result.ok();
+
+		} catch (Exception e) {
+			trans.error().log(e,IN,API_REPORT);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+	
+	public final static String API_EXAMPLE = "apiExample";
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getAPIExample(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	@Override
+	public Result<Void> getAPIExample(AuthzTrans trans, HttpServletResponse resp, String nameOrContentType, boolean optional) {
+		TimeTaken tt = trans.start(API_EXAMPLE, Env.SUB);
+		try {
+			String content =Examples.print(apiDF.getEnv(), nameOrContentType, optional); 
+			resp.getOutputStream().print(content);
+			setContentType(resp,content.contains("<?xml")?TYPE.XML:TYPE.JSON);
+			return Result.ok();
+		} catch (Exception e) {
+			trans.error().log(e,IN,API_EXAMPLE);
+			return Result.err(Result.ERR_NotImplemented,e.getMessage());
+		} finally {
+			tt.done();
+		}
+	}
+
+	public final static String GET_ENDPOINTS = "getEndpoints";
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.locate.facade.GwFacade#getEndpoints(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String, java.lang.String, java.lang.String)
+	 */
+	@Override
+	public Result<Void> getEndpoints(AuthzTrans trans, HttpServletResponse resp, String key, String service, String version, String other) {
+		TimeTaken tt = trans.start(GET_ENDPOINTS, Env.SUB);
+		try {
+			String output=null;
+			long temp=System.currentTimeMillis();
+			synchronized(GET_ENDPOINTS) {
+				if(cacheClear<temp) {
+					epsCache.clear();
+					cacheClear = temp+1000*60*2; // 2 mins standard cache clear
+				} else {
+					output = epsCache.get(key);
+					if("{}".equals(output) && emptyCheck<temp) {
+						output = null;
+						emptyCheck = temp+5000; // 5 second check  
+					}
+				}
+			}
+			if(output==null) {
+				Result<ENDPOINTS> reps = this.service.getEndPoints(trans,service,version,other);
+				if(reps.notOK()) {
+					return Result.err(reps);
+				} else {
+					output = epDF.newData(trans).load(reps.value).asString();
+					synchronized(GET_ENDPOINTS) {
+						epsCache.put(key, output);
+					}
+				}
+			}
+			resp.getOutputStream().println(output);
+			setContentType(resp,epDF.getOutType());
+			return Result.ok();
+		} catch (Exception e) {
+			trans.error().log(e,IN,API_EXAMPLE);
+			return Result.err(Result.ERR_NotImplemented,e.getMessage());
+		} finally {
+			tt.done();
+		}
+	}
+
+	private static final String PUT_MGMT_ENDPOINTS = "Put Mgmt Endpoints";
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.locate.facade.GwFacade#putMgmtEndpoints(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+	 */
+	@Override
+	public Result<Void> putMgmtEndpoints(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(PUT_MGMT_ENDPOINTS, Env.SUB|Env.ALWAYS);
+		try {
+			MGMT_ENDPOINTS rreq;
+			try {
+				RosettaData<MGMT_ENDPOINTS> data = mepDF.newData().load(req.getInputStream());
+				rreq = data.asObject();
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN,PUT_MGMT_ENDPOINTS);
+				return Result.err(Status.ERR_BadData,"Invalid Input");
+
+			}
+			Result<Void> rp = service.putMgmtEndPoints(trans, rreq);
+			switch(rp.status) {
+				case OK: 
+					synchronized(GET_ENDPOINTS) {
+						cacheClear = 0L;
+					}
+					setContentType(resp,mepDF.getOutType());
+					return Result.ok();
+				default:
+					return rp;
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,PUT_MGMT_ENDPOINTS);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	private static final String DELETE_MGMT_ENDPOINTS = "Delete Mgmt Endpoints";
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.locate.facade.GwFacade#removeMgmtEndpoints(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+	 */
+	@Override
+	public Result<Void> removeMgmtEndpoints(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(DELETE_MGMT_ENDPOINTS, Env.SUB|Env.ALWAYS);
+		try {
+			MGMT_ENDPOINTS rreq;
+			try {
+				RosettaData<MGMT_ENDPOINTS> data = mepDF.newData().load(req.getInputStream());
+				rreq = data.asObject();
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN,DELETE_MGMT_ENDPOINTS);
+				return Result.err(Status.ERR_BadData,"Invalid Input");
+
+			}
+			Result<Void> rp = service.removeMgmtEndPoints(trans, rreq);
+			switch(rp.status) {
+				case OK: 
+					synchronized(GET_ENDPOINTS) {
+						cacheClear = 0L;
+					}
+					setContentType(resp,mepDF.getOutType());
+					return Result.ok();
+				default:
+					return rp;
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,DELETE_MGMT_ENDPOINTS);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+}
+\ No newline at end of file
diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacade_1_0.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacade_1_0.java
new file mode 100644
index 00000000..e2d2c9f6
--- /dev/null
+++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacade_1_0.java
@@ -0,0 +1,40 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.locate.facade;
+
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.locate.service.LocateService;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Data;
+
+import locate.v1_0.Endpoints;
+import locate.v1_0.MgmtEndpoints;
+import locate_local.v1_0.InRequest;
+import locate_local.v1_0.Out;
+import locate_local.v1_0.Error;
+
+public class LocateFacade_1_0 extends LocateFacadeImpl<InRequest,Out,Endpoints,MgmtEndpoints,Error>
+{
+	public LocateFacade_1_0(AuthzEnv env, LocateService<InRequest,Out,Endpoints,MgmtEndpoints,Error> service, Data.TYPE type) throws APIException {
+		super(env, service, type);
+	}
+}
diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/mapper/Mapper.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/mapper/Mapper.java
new file mode 100644
index 00000000..685d096f
--- /dev/null
+++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/mapper/Mapper.java
@@ -0,0 +1,41 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.locate.mapper;
+
+import java.util.List;
+
+import org.onap.aaf.auth.dao.cass.LocateDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+
+import locate.v1_0.MgmtEndpoint;
+
+public interface Mapper<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,ERROR>
+{
+	public enum API{IN_REQ,OUT,ENDPOINTS,MGMT_ENDPOINTS,ERROR,VOID};
+	public Class<?> getClass(API api);
+	public<A> A newInstance(API api);
+
+	public ERROR errorFromMessage(StringBuilder holder, String msgID, String text, String... detail);
+	public Result<ENDPOINTS> endpoints(Result<List<Data>> resultDB, String version, String other);
+	public Data locateData(MgmtEndpoint me);
+
+}
diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/mapper/Mapper_1_0.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/mapper/Mapper_1_0.java
new file mode 100644
index 00000000..50839b73
--- /dev/null
+++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/mapper/Mapper_1_0.java
@@ -0,0 +1,150 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.locate.mapper;
+
+import java.util.List;
+
+import org.onap.aaf.auth.dao.cass.LocateDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.cadi.util.Vars;
+import org.onap.aaf.misc.env.util.Split;
+
+import locate.v1_0.Endpoint;
+import locate.v1_0.Endpoints;
+import locate.v1_0.MgmtEndpoint;
+import locate.v1_0.MgmtEndpoints;
+import locate_local.v1_0.Error;
+import locate_local.v1_0.InRequest;
+import locate_local.v1_0.Out;
+
+public class Mapper_1_0 implements Mapper<InRequest,Out,Endpoints,MgmtEndpoints,Error> {
+	
+	@Override
+	public Class<?> getClass(API api) {
+		switch(api) {
+			case IN_REQ: return InRequest.class;
+			case OUT: return Out.class;
+			case ERROR: return Error.class;
+			case VOID: return Void.class;
+			case ENDPOINTS: return Endpoints.class;
+			case MGMT_ENDPOINTS: return MgmtEndpoints.class;
+		}
+		return null;
+	}
+
+	@SuppressWarnings("unchecked")
+	@Override
+	public <A> A newInstance(API api) {
+		switch(api) {
+			case IN_REQ: return (A) new InRequest();
+			case OUT: return (A) new Out();
+			case ERROR: return (A)new Error();
+			case ENDPOINTS: return (A) new Endpoints();
+			case MGMT_ENDPOINTS: return (A) new MgmtEndpoints();
+			case VOID: return null;
+		}
+		return null;
+	}
+
+	//////////////  Mapping Functions /////////////
+	@Override
+	public locate_local.v1_0.Error errorFromMessage(StringBuilder holder, String msgID, String text,String... var) {
+		Error err = new Error();
+		err.setMessageId(msgID);
+		// AT&T Restful Error Format requires numbers "%" placements
+		err.setText(Vars.convert(holder, text, var));
+		for(String s : var) {
+			err.getVariables().add(s);
+		}
+		return err;
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.locate.mapper.Mapper#endpoints(org.onap.aaf.auth.layer.test.Result, java.lang.String, java.lang.String)
+	 */
+	@Override
+	public Result<Endpoints> endpoints(Result<List<Data>> resultDB, String version, String other) {
+		if(resultDB.notOK()) {
+			return Result.err(resultDB);
+		}
+		int major=-1, minor=-1, patch=-1, pkg=-1;
+		if(version!=null) {
+			try { 
+				String[] v = Split.split('.',version);
+				if(v.length>0) {major = Integer.parseInt(v[0]);}
+				if(v.length>1) {minor = Integer.parseInt(v[1]);}
+				if(v.length>2) {patch = Integer.parseInt(v[2]);}
+				if(v.length>3) {pkg   = Integer.parseInt(v[3]);}
+			} catch (NumberFormatException e) {
+				return Result.err(Result.ERR_BadData,"Invalid Version String " + version);
+			}
+		}
+		Endpoints eps = new Endpoints();
+		List<Endpoint> leps = eps.getEndpoint();
+		for(Data d : resultDB.value) {
+			if((major<0 || major==d.major) &&
+			   (minor<0 || minor<=d.minor) &&
+			   (patch<0 || patch==d.patch) &&
+			   (pkg<0   || pkg  ==d.pkg)) {
+				Endpoint ep = new Endpoint();
+				ep.setName(d.name);
+				ep.setHostname(d.hostname);
+				ep.setPort(d.port);
+				ep.setMajor(d.major);
+				ep.setMinor(d.minor);
+				ep.setPatch(d.patch);
+				ep.setPkg(d.pkg);
+				ep.setLatitude(d.latitude);
+				ep.setLongitude(d.longitude);
+				ep.setProtocol(d.protocol);
+				for(String s : d.subprotocol(false)) {
+					ep.getSubprotocol().add(s);
+				}
+				leps.add(ep);
+			}
+		}
+		return Result.ok(eps);
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.locate.mapper.Mapper#locateData(locate.v1_0.MgmtEndpoint)
+	 */
+	@Override
+	public Data locateData(MgmtEndpoint me) {
+		Data data = new Data();
+		data.name = me.getName();
+		data.port = me.getPort();
+		data.hostname = me.getHostname();
+		data.major = me.getMajor();
+		data.minor = me.getMinor();
+		data.patch = me.getPatch();
+		data.pkg   = me.getPkg();
+		data.latitude = me.getLatitude();
+		data.longitude = me.getLongitude();
+		data.protocol = me.getProtocol();
+		for(String s : me.getSubprotocol()) {
+			data.subprotocol(true).add(s);
+		}
+		return data;
+	}
+
+}
+\ No newline at end of file
diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/service/LocateService.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/service/LocateService.java
new file mode 100644
index 00000000..d2a37348
--- /dev/null
+++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/service/LocateService.java
@@ -0,0 +1,33 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.locate.service;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.locate.mapper.Mapper;
+
+public interface LocateService<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,ERROR> {
+	public Mapper<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,ERROR> mapper();
+	public Result<ENDPOINTS> getEndPoints(AuthzTrans trans, String service, String version, String other);
+	public Result<Void> putMgmtEndPoints(AuthzTrans trans, MGMT_ENDPOINTS meps);
+	public Result<Void> removeMgmtEndPoints(AuthzTrans trans, MGMT_ENDPOINTS meps);
+}
diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/service/LocateServiceImpl.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/service/LocateServiceImpl.java
new file mode 100644
index 00000000..d1a03cdc
--- /dev/null
+++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/service/LocateServiceImpl.java
@@ -0,0 +1,122 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.locate.service;
+
+import java.util.UUID;
+
+import org.onap.aaf.auth.dao.cass.LocateDAO;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.locate.mapper.Mapper;
+import org.onap.aaf.auth.locate.validation.LocateValidator;
+import org.onap.aaf.cadi.aaf.AAFPermission;
+import org.onap.aaf.misc.env.APIException;
+
+import locate.v1_0.Endpoints;
+import locate.v1_0.MgmtEndpoint;
+import locate.v1_0.MgmtEndpoints;
+
+public class LocateServiceImpl<IN,OUT,ERROR> 
+	  implements LocateService<IN,OUT,Endpoints,MgmtEndpoints,ERROR> {
+		private Mapper<IN,OUT,Endpoints,MgmtEndpoints,ERROR> mapper;
+		private LocateDAO locateDAO;
+		private boolean permToRegister;
+	
+		public LocateServiceImpl(AuthzTrans trans, LocateDAO locateDAO, Mapper<IN,OUT,Endpoints,MgmtEndpoints,ERROR> mapper) throws APIException {
+			this.mapper = mapper;
+			this.locateDAO = locateDAO; 
+			permToRegister = false; //TODO Setup a Configuration for this
+		}
+		
+		public Mapper<IN,OUT,Endpoints,MgmtEndpoints,ERROR> mapper() {return mapper;}
+
+		@Override
+		public Result<Endpoints> getEndPoints(AuthzTrans trans, String service, String version, String other) {
+			return mapper.endpoints(locateDAO.readByName(trans, service), version, other);
+		}
+
+		/* (non-Javadoc)
+		 * @see org.onap.aaf.auth.locate.service.GwService#putMgmtEndPoints(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object)
+		 */
+		@Override
+		public Result<Void> putMgmtEndPoints(AuthzTrans trans, MgmtEndpoints meps) {
+			LocateValidator v = new LocateValidator().mgmt_endpoints(meps, false);
+			if(v.err()) {
+				return Result.err(Result.ERR_BadData,v.errs());
+			}
+			int count = 0;
+			for(MgmtEndpoint me : meps.getMgmtEndpoint()) {
+				if(permToRegister) { 
+					int dot = me.getName().lastIndexOf('.'); // Note: Validator checks for NS for getName()
+					AAFPermission p = new AAFPermission(me.getName().substring(0,dot)+".locator",me.getName(),"write"); 
+					if(trans.fish(p)) {
+						LocateDAO.Data data = mapper.locateData(me);
+						locateDAO.update(trans, data, true);
+						++count;
+					} else {
+						return Result.err(Result.ERR_Denied,"May not register service (needs " + p.getKey() + ')');
+					}
+				} else { //TODO if(MechID is part of Namespace) { 
+					LocateDAO.Data data = mapper.locateData(me);
+					locateDAO.update(trans, data, true);
+					++count;
+				}
+			}
+			if(count>0) {
+				return Result.ok();
+			} else {
+				return Result.err(Result.ERR_NotFound, "No endpoints found");
+			}
+		}
+
+		/* (non-Javadoc)
+		 * @see org.onap.aaf.auth.locate.service.GwService#removeMgmtEndPoints(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object)
+		 */
+		@Override
+		public Result<Void> removeMgmtEndPoints(AuthzTrans trans, MgmtEndpoints meps) {
+			LocateValidator v = new LocateValidator().mgmt_endpoint_key(meps);
+			if(v.err()) {
+				return Result.err(Result.ERR_BadData,v.errs());
+			}
+			int count = 0;
+			for(MgmtEndpoint me : meps.getMgmtEndpoint()) {
+				int dot = me.getName().lastIndexOf('.'); // Note: Validator checks for NS for getName()
+				AAFPermission p = new AAFPermission(me.getName().substring(0,dot)+".locator",me.getHostname(),"write"); 
+				if(trans.fish(p)) {
+					LocateDAO.Data data = mapper.locateData(me);
+					data.port_key = UUID.randomUUID();
+					locateDAO.delete(trans, data, false);
+					++count;
+				} else {
+					return Result.err(Result.ERR_Denied,"May not register service (needs " + p.getKey() + ')');
+				}
+			}
+			if(count>0) {
+				return Result.ok();
+			} else {
+				return Result.err(Result.ERR_NotFound, "No endpoints found");
+			}
+		}
+
+
+//////////////// APIs ///////////////////
+};
diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/validation/LocateValidator.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/validation/LocateValidator.java
new file mode 100644
index 00000000..89157826
--- /dev/null
+++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/validation/LocateValidator.java
@@ -0,0 +1,141 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.locate.validation;
+
+import org.onap.aaf.auth.validation.Validator;
+
+import locate.v1_0.Endpoint;
+import locate.v1_0.Endpoints;
+import locate.v1_0.MgmtEndpoint;
+import locate.v1_0.MgmtEndpoint.SpecialPorts;
+import locate.v1_0.MgmtEndpoints;
+
+/**
+ * Validator
+ * Consistently apply content rules for content (incoming)
+ * 
+ * Note: We restrict content for usability in URLs (because RESTful service), and avoid 
+ * issues with Regular Expressions, and other enabling technologies. 
+ * @author Jonathan
+ *
+ */
+public class LocateValidator extends Validator {
+	private LocateValidator endpoint_key(Endpoint e) {
+		if(e==null) {
+			msg("Endpoint Data is null.");
+		} else {
+			nullOrBlank("Endpoint Name", e.getName());
+			if(e.getName()!=null) {
+				int idx = e.getName().indexOf('.');
+				if(idx<=0) {
+					msg("Endpoint Name must prefixed by Namespace");
+				}
+			}
+			nullOrBlank("Endpoint Hostname", e.getHostname());
+			intRange("Endpoint Port",e.getPort(),0,1000000);
+		}
+		return this;
+	}
+
+
+	public LocateValidator endpoint(Endpoint e) {
+		endpoint_key(e);
+		if(e!=null) {
+			intRange("Endpoint Major Version",e.getMajor(),0,2000);
+			intRange("Endpoint Minor Version",e.getMinor(),0,2000);
+			intRange("Endpoint Patch Version",e.getPatch(),0,2000);
+			intRange("Endpoint Pkg Version",e.getPkg(),0,2000);
+			floatRange("Endpoint Latitude",e.getLatitude(),-90f,90f);
+			floatRange("Endpoint Longitude",e.getLongitude(),-180f,180f);
+			nullOrBlank("Endpoint Protocol", e.getProtocol());
+			for(String s : e.getSubprotocol()) {
+				nullOrBlank("Endpoint Subprotocol", s);
+			}
+		}
+		return this;
+	}
+	
+	public LocateValidator endpoints(Endpoints e, boolean emptyNotOK) {
+		if(e==null) {
+			msg("Endpoints Data is null.");
+		} else {
+			if(emptyNotOK && e.getEndpoint().size()==0) {
+				msg("Endpoints contains no endpoints");
+			} else {
+				for(Endpoint ep : e.getEndpoint()) {
+					endpoint(ep);
+				}
+			}
+		}
+		return this;
+	}
+
+	public LocateValidator mgmt_endpoint_key(MgmtEndpoints meps) {
+		if(meps==null) {
+			msg("MgmtEndpoints Data is null.");
+		} else {
+			for(MgmtEndpoint ep : meps.getMgmtEndpoint()) {
+				endpoint_key(ep);
+			}
+		}
+		return this;
+	}
+
+	public LocateValidator mgmt_endpoints(MgmtEndpoints me, boolean emptyOK) {
+		if(me==null) {
+			msg("MgmtEndpoints Data is null.");
+		} else {
+			if(!emptyOK && me.getMgmtEndpoint().size()==0) {
+				msg("MgmtEndpoints contains no data");
+			} else {
+				for(MgmtEndpoint ep : me.getMgmtEndpoint()) {
+					mgmt_endpoint(ep);
+				}
+			}
+		}
+		return this;
+	}
+
+	private LocateValidator mgmt_endpoint(MgmtEndpoint ep) {
+		endpoint(ep);
+		for(SpecialPorts sp : ep.getSpecialPorts()) {
+			specialPorts(sp);
+		}
+		return this;
+	}
+
+	private LocateValidator specialPorts(SpecialPorts sp) {
+		if(sp==null) {
+			msg("Special Ports is null.");
+		} else {
+			nullOrBlank("Special Port Name",sp.getName());
+			nullOrBlank("Special Port Protocol",sp.getProtocol());
+			intRange("Special Port",sp.getPort(),0,1000000);
+			
+			for(String s : sp.getProtocolVersions()) {
+				nullOrBlank("Special Port Protocol Version", s);
+			}
+		}
+		return this;
+	}
+
+}
diff --git a/auth/auth-locate/src/main/xsd/locate_1_0.xsd b/auth/auth-locate/src/main/xsd/locate_1_0.xsd
new file mode 100644
index 00000000..ea7b3cce
--- /dev/null
+++ b/auth/auth-locate/src/main/xsd/locate_1_0.xsd
@@ -0,0 +1,122 @@
+<!-- 
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+-->
+<xs:schema 
+	xmlns:xs="http://www.w3.org/2001/XMLSchema" 
+	xmlns:locate_local="urn:locate_local:v1_0" 
+	targetNamespace="urn:locate_local:v1_0" 
+	elementFormDefault="qualified">
+	
+
+<!-- 
+	Requests
+ -->
+	<xs:complexType name="Request">
+		<xs:sequence>
+		</xs:sequence>
+	</xs:complexType>
+
+<!-- 
+	In 
+-->	
+	<xs:element name="inRequest">
+		<xs:complexType>
+			<xs:complexContent>
+				<xs:extension base="locate_local:Request">
+					<xs:sequence>
+						<xs:element name="name" type="xs:string"/>
+						<xs:element name="action" type="xs:string"/>
+					</xs:sequence>
+				</xs:extension>
+			</xs:complexContent>
+		</xs:complexType>
+	</xs:element>
+
+
+<!-- 
+	Out 
+-->	
+	<xs:element name="out">
+		<xs:complexType>
+			<xs:sequence>
+				<xs:element name="name" type="xs:string"/>
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+
+<!--  **************** STANDARD ELEMENTS ******************* -->
+<!--
+	Errors
+	Note: This Error Structure has been made to conform to the AT&T TSS Policies
+ -->
+	<xs:element name="error">
+		<xs:complexType>
+			<xs:sequence>
+				<!--
+				Unique message identifier of the format ‘ABCnnnn’ where ‘ABC’ is
+					either ‘SVC’ for Service Exceptions or ‘POL’ for Policy Exception.
+					Exception numbers may be in the	range of 0001 to 9999 where :
+					* 0001 to 0199 are reserved for	common exception messages
+					* 0200 to 0999 are reserved for Parlay Web Services specification use
+					* 1000-9999 are available for exceptions 
+				 -->
+				<xs:element name="messageId" type="xs:string" minOccurs="1" maxOccurs="1"/>
+				
+				<!-- 
+				Message text, with replacement
+					variables marked with %n, where n is
+					an index into the list of <variables>
+					elements, starting at 1
+				 -->
+				<xs:element name="text" type="xs:string" minOccurs="1" maxOccurs="1"/>
+				
+				<!-- 
+				List of zero or more strings that
+					represent the contents of the variables
+					used by the message text. -->
+				<xs:element name="variables" type="xs:string" minOccurs="0" maxOccurs="unbounded" />
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+	
+<!-- 
+	API 
+-->	
+	<xs:element name="api">
+		<xs:complexType>
+			<xs:sequence>
+				<xs:element name="route" minOccurs="0" maxOccurs="unbounded">
+					<xs:complexType>
+						<xs:sequence>
+							<xs:element name="meth" type="xs:string" minOccurs="1" maxOccurs="1"/>
+							<xs:element name="path" type="xs:string" minOccurs="1" maxOccurs="1"/>
+							<xs:element name="param" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
+							<xs:element name="desc" type="xs:string" minOccurs="1" maxOccurs="1"/>
+							<xs:element name="comments" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
+							<xs:element name="contentType" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
+							<xs:element name="expected" type="xs:int" minOccurs="1" maxOccurs="1"/>
+							<xs:element name="explicitErr" type="xs:int" minOccurs="0" maxOccurs="unbounded"/>
+						</xs:sequence>	
+					</xs:complexType>
+				</xs:element>
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+</xs:schema>
+\ No newline at end of file
diff --git a/auth/auth-oauth/.gitignore b/auth/auth-oauth/.gitignore
new file mode 100644
index 00000000..418e5b3a
--- /dev/null
+++ b/auth/auth-oauth/.gitignore
@@ -0,0 +1,5 @@
+/target/
+/.classpath
+/bin/
+/.settings
+/.project
diff --git a/auth/auth-oauth/pom.xml b/auth/auth-oauth/pom.xml
new file mode 100644
index 00000000..40ada58a
--- /dev/null
+++ b/auth/auth-oauth/pom.xml
@@ -0,0 +1,108 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.onap.aaf.auth</groupId>
+		<artifactId>parent</artifactId>
+		<version>2.1.0-SNAPSHOT</version>
+		<relativePath>../pom.xml</relativePath>
+	</parent>
+
+	<artifactId>aaf-auth-oauth</artifactId>
+	<name>AAF Auth OAuth Service</name>
+	<description>OAuth Component for AAF Auth</description>
+
+	<properties>
+		<project.swmVersion>25</project.swmVersion>
+	</properties>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.onap.aaf.auth</groupId>
+			<artifactId>aaf-auth-core</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.auth</groupId>
+			<artifactId>aaf-auth-cass</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.cadi</groupId>
+			<artifactId>aaf-cadi-aaf</artifactId>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-jar-plugin</artifactId>
+				<configuration>
+					<includes>
+						<include>**/*.class</include>
+					</includes>
+				</configuration>
+				<version>2.3.1</version>
+			</plugin>
+			<!--This plugin's configuration is used to store Eclipse m2e settings 
+				only. It has no influence on the Maven build itself. -->
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-deploy-plugin</artifactId>
+				<configuration>
+					<skip>true</skip>
+				</configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.codehaus.mojo</groupId>
+				<artifactId>appassembler-maven-plugin</artifactId>
+				<configuration>
+					<programs>
+						<program>
+							<mainClass>org.onap.aaf.auth.oauth.AAF_OAuth</mainClass>
+							<name>oauth</name>
+							<commandLineArguments>
+								<commandLineArgument>cadi_prop_files=${project.conf_dir}/org.osaaf.oauth.props</commandLineArgument>
+							</commandLineArguments>
+						</program>
+					</programs>
+				</configuration>
+			</plugin>
+		</plugins>
+	</build>
+
+	<distributionManagement>
+		<repository>
+			<id>nexus</id>
+			<name>attarch-releases</name>
+			<url>http://mavencentral.it.att.com:8084/nexus/content/repositories/attarch-releases</url>
+		</repository>
+		<snapshotRepository>
+			<id>nexus</id>
+			<name>attarch-snapshots</name>
+			<url>http://mavencentral.it.att.com:8084/nexus/content/repositories/attarch-snapshots</url>
+		</snapshotRepository>
+	</distributionManagement>
+</project>
diff --git a/auth/auth-oauth/src/main/config/.gitignore b/auth/auth-oauth/src/main/config/.gitignore
new file mode 100644
index 00000000..e53ef90a
--- /dev/null
+++ b/auth/auth-oauth/src/main/config/.gitignore
@@ -0,0 +1 @@
+/log4j.properties
diff --git a/auth/auth-oauth/src/main/config/oauth.props b/auth/auth-oauth/src/main/config/oauth.props
new file mode 100644
index 00000000..cdd382d1
--- /dev/null
+++ b/auth/auth-oauth/src/main/config/oauth.props
@@ -0,0 +1,26 @@
+##
+## AAF OAUTH2 API (authz-oauth) Properties
+##
+
+# Standard AFT for this box
+hostname=_HOSTNAME_
+
+## DISCOVERY (DME2) Parameters on the Command Line
+AFT_LATITUDE=_AFT_LATITUDE_
+AFT_LONGITUDE=_AFT_LONGITUDE_
+AFT_ENVIRONMENT=_AFT_ENVIRONMENT_
+DEPLOYED_VERSION=_ARTIFACT_VERSION_
+
+## Pull in common/security properties
+
+cadi_prop_files=_COMMON_DIR_/com.att.aaf.common.props:_COMMON_DIR_/com.att.aaf.props
+
+##DME2 related parameters
+
+DMEServiceName=service=com.att.authz.oauth/version=_MAJOR_VER_._MINOR_VER_._PATCH_VER_/envContext=_ENV_CONTEXT_/routeOffer=_ROUTE_OFFER_
+AFT_DME2_PORT_RANGE=_AUTHZ_OAUTH_PORT_RANGE_
+
+
+
+
+
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/AAF_OAuth.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/AAF_OAuth.java
new file mode 100644
index 00000000..1dac22fc
--- /dev/null
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/AAF_OAuth.java
@@ -0,0 +1,196 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+
+package org.onap.aaf.auth.oauth;
+
+import java.util.Map;
+
+import javax.servlet.Filter;
+
+import org.onap.aaf.auth.cache.Cache;
+import org.onap.aaf.auth.cache.Cache.Dated;
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.direct.DirectLocatorCreator;
+import org.onap.aaf.auth.direct.DirectRegistrar;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.env.AuthzTransFilter;
+import org.onap.aaf.auth.oauth.api.API_Token;
+import org.onap.aaf.auth.oauth.facade.OAFacade;
+import org.onap.aaf.auth.oauth.facade.OAFacade1_0;
+import org.onap.aaf.auth.oauth.facade.OAFacadeFactory;
+import org.onap.aaf.auth.oauth.mapper.Mapper.API;
+import org.onap.aaf.auth.oauth.service.OAuthService;
+import org.onap.aaf.auth.rserv.HttpCode;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.auth.server.AbsService;
+import org.onap.aaf.auth.server.JettyServiceStarter;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
+import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;
+import org.onap.aaf.cadi.aaf.v2_0.AAFTrustChecker;
+import org.onap.aaf.cadi.aaf.v2_0.AbsAAFLocator;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.oauth.TokenMgr;
+import org.onap.aaf.cadi.oauth.TokenMgr.TokenPermLoader;
+import org.onap.aaf.cadi.register.Registrant;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.Data.TYPE;
+
+import com.datastax.driver.core.Cluster;
+
+import aafoauth.v2_0.Introspect;
+
+public class AAF_OAuth extends AbsService<AuthzEnv,AuthzTrans> {
+	private static final String DOT_OAUTH = ".oauth";
+	public Map<String, Dated> cacheUser;
+	public AAFAuthn<?> aafAuthn;
+	public AAFLurPerm aafLurPerm;
+	private final OAuthService service;
+	private OAFacade1_0 facade1_0;
+	private final Question question;
+	private TokenPermLoader tpLoader; 
+	private final Cluster cluster;
+	
+	/**
+	 * Construct AuthzAPI with all the Context Supporting Routes that Authz needs
+	 * 
+	 * @param env
+	 * @param si 
+	 * @param dm 
+	 * @param decryptor 
+	 * @throws APIException 
+	 */
+	public AAF_OAuth(final AuthzEnv env) throws Exception {
+		super(env.access(),env);
+		
+		String aaf_env = env.getProperty(Config.AAF_ENV);
+		if(aaf_env==null) {
+			throw new APIException("aaf_env needs to be set");
+		}
+		
+		// Initialize Facade for all uses
+		AuthzTrans trans = env.newTrans();
+		cluster = org.onap.aaf.auth.dao.CassAccess.cluster(env,null);
+		
+		aafLurPerm = aafCon().newLur();
+		// Note: If you need both Authn and Authz construct the following:
+		aafAuthn = aafCon().newAuthn(aafLurPerm);
+
+		// Start Background Processing
+		//	Question question = 
+		question = new Question(trans, cluster, CassAccess.KEYSPACE, true);
+
+		// Have AAFLocator object Create DirectLocators for Location needs
+		AbsAAFLocator.setCreator(new DirectLocatorCreator(env, question.locateDAO));
+
+
+		service = new OAuthService(env.access(),trans,question);
+		facade1_0 = OAFacadeFactory.v1_0(this, trans, service, TYPE.JSON);
+		StringBuilder sb = new StringBuilder();
+		trans.auditTrail(2, sb);
+		trans.init().log(sb);
+		
+		API_Token.init(this, facade1_0);
+	}
+	
+	/**
+	 * Setup XML and JSON implementations for each supported Version type
+	 * 
+	 * We do this by taking the Code passed in and creating clones of these with the appropriate Facades and properties
+	 * to do Versions and Content switches
+	 * 
+	 */
+	public void route(HttpMethods meth, String path, API api, HttpCode<AuthzTrans, OAFacade<Introspect>> code) throws Exception {
+		String version = "1.0";
+		// Get Correct API Class from Mapper
+		Class<?> respCls = facade1_0.mapper().getClass(api); 
+		if(respCls==null) throw new Exception("Unknown class associated with " + api.getClass().getName() + ' ' + api.name());
+		// setup Application API HTML ContentTypes for JSON and Route
+		String application = applicationJSON(respCls, version);
+		if(meth.equals(HttpMethods.POST)) {
+			route(env,meth,path,code,application,"application/json;version="+version,"application/x-www-form-urlencoded","*/*");
+		} else {
+			route(env,meth,path,code,application,"application/json;version="+version,"*/*");
+		}
+	}
+	
+	@Override
+	public Filter[] filters() throws CadiException, LocatorException {
+		try {
+	        DirectOAuthTAF doat;
+			return new Filter[] {new AuthzTransFilter(env,aafCon(),
+	        		new AAFTrustChecker((Env)env),
+	        		doat = new DirectOAuthTAF(env,question,facade1_0),
+	        		doat.directUserPass()
+	        		)};
+		} catch (NumberFormatException | APIException e) {
+			throw new CadiException("Invalid Property information", e);
+		}
+	}
+
+	
+	@SuppressWarnings("unchecked")
+	@Override
+	public Registrant<AuthzEnv>[] registrants(final int port) throws CadiException {
+		return new Registrant[] {
+				new DirectRegistrar(access,question.locateDAO,app_name,app_version,port),
+				new DirectRegistrar(access,question.locateDAO,app_name.replace(DOT_OAUTH, ".token"),app_version,port),
+				new DirectRegistrar(access,question.locateDAO,app_name.replace(DOT_OAUTH, ".introspect"),app_version,port)
+
+		};
+	}
+
+
+	@Override
+	public void destroy() {
+		Cache.stopTimer();
+		if(service!=null) {
+			service.close();
+		}
+		if(cluster!=null) {
+			cluster.close();
+		}
+		super.destroy();
+	}
+	
+	// For use in CADI ONLY
+	public TokenMgr.TokenPermLoader tpLoader() {
+		return tpLoader;
+	}
+
+	public static void main(final String[] args) {
+		PropAccess propAccess = new PropAccess(args);
+		try {
+ 			AAF_OAuth service = new AAF_OAuth(new AuthzEnv(propAccess));
+//			env.setLog4JNames("log4j.properties","authz","oauth","audit","init","trace");
+			JettyServiceStarter<AuthzEnv,AuthzTrans> jss = new JettyServiceStarter<AuthzEnv,AuthzTrans>(service);
+			jss.start();
+		} catch (Exception e) {
+			e.printStackTrace();
+		}
+	}
+}
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/DirectOAuthTAF.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/DirectOAuthTAF.java
new file mode 100644
index 00000000..74c9947d
--- /dev/null
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/DirectOAuthTAF.java
@@ -0,0 +1,224 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.oauth;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.direct.DirectAAFUserPass;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.oauth.facade.DirectIntrospect;
+import org.onap.aaf.auth.rserv.TransFilter;
+import org.onap.aaf.cadi.CachedPrincipal;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.Hash;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.CachedPrincipal.Resp;
+import org.onap.aaf.cadi.CredVal.Type;
+import org.onap.aaf.cadi.Taf.LifeForm;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.oauth.OAuth2HttpTafResp;
+import org.onap.aaf.cadi.oauth.OAuth2Principal;
+import org.onap.aaf.cadi.oauth.TokenClient;
+import org.onap.aaf.cadi.oauth.TokenClientFactory;
+import org.onap.aaf.cadi.oauth.TokenMgr;
+import org.onap.aaf.cadi.oauth.TokenPerm;
+import org.onap.aaf.cadi.oauth.TokenMgr.TokenPermLoader;
+import org.onap.aaf.cadi.principal.OAuth2FormPrincipal;
+import org.onap.aaf.cadi.taf.HttpTaf;
+import org.onap.aaf.cadi.taf.TafResp;
+import org.onap.aaf.cadi.taf.TafResp.RESP;
+import org.onap.aaf.cadi.util.Split;
+import org.onap.aaf.misc.env.APIException;
+
+import aafoauth.v2_0.Introspect;
+
+public class DirectOAuthTAF implements HttpTaf {
+	private PropAccess access;
+	private DirectIntrospect<Introspect> oaFacade;
+	private TokenMgr tkMgr;
+	private final DirectAAFUserPass directUserPass;
+	private TokenClient altIntrospectClient;
+
+	public DirectOAuthTAF(AuthzEnv env, Question q,  DirectIntrospect<Introspect> facade) throws APIException, CadiException {
+		access = env.access();
+		oaFacade = facade;
+		tkMgr = TokenMgr.getInstance(access,"dbToken","dbIntrospect");
+		String alt_url = access.getProperty(Config.AAF_ALT_OAUTH2_INTROSPECT_URL,null);
+		TokenClientFactory tcf;
+		if(alt_url!=null) {
+			try {
+				tcf = TokenClientFactory.instance(access);
+				String[] split = Split.split(',', alt_url);
+				int timeout = split.length>1?Integer.parseInt(split[1]):3000;
+				altIntrospectClient = tcf.newClient(split[0], timeout);
+				altIntrospectClient.client_creds(access.getProperty(Config.AAF_ALT_CLIENT_ID,null), 
+										   access.getProperty(Config.AAF_ALT_CLIENT_SECRET,null));
+			} catch (GeneralSecurityException | IOException | LocatorException e) {
+				throw new CadiException(e);
+			}
+		}
+
+		directUserPass = new DirectAAFUserPass(env,q);
+	}
+
+	@Override
+	public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
+		String value;
+		String token;
+		if((value=req.getHeader("Authorization"))!=null && value.startsWith("Bearer ")) {
+			token = value.substring(7);
+		} else {
+			token = null;
+		}
+
+		if("application/x-www-form-urlencoded".equals(req.getContentType())) {
+			Map<String, String[]> map = req.getParameterMap();
+			String client_id=null,client_secret=null,username=null,password=null;
+			for(Map.Entry<String, String[]> es : map.entrySet()) {
+				switch(es.getKey()) {
+					case "client_id":
+						for(String s : es.getValue()) {
+							client_id=s;
+						}
+						break;
+					case "client_secret":
+						for(String s : es.getValue()) {
+							client_secret=s;
+						}
+						break;
+					case "username":
+						for(String s : es.getValue()) {
+							username=s;
+						}
+						break;
+					case "password":
+						for(String s : es.getValue()) {
+							password=s;
+						}
+						break;
+					case "token": 
+						if(token!=null) { // Defined as both Bearer and Form Encoded - Error
+							return new OAuth2HttpTafResp(access, null, "Token Info found as both Bearer Token and Form Info", RESP.FAIL, resp, true);
+						}
+						for(String s : es.getValue()) {
+							token=s;
+						}
+						break;
+					// Ignore others
+				}
+			}
+			
+			if(client_id==null && client_secret==null) {
+				return new OAuth2HttpTafResp(access, null, "client_id and client_secret required", RESP.TRY_ANOTHER_TAF, resp, false);
+			}
+			
+			if(token==null) { // No Token to work with, use only Client_ID and Client_Secret 
+				AuthzTrans trans = (AuthzTrans)req.getAttribute(TransFilter.TRANS_TAG);
+
+				if(directUserPass.validate(client_id, Type.PASSWORD, client_secret.getBytes(), trans)) {
+					// Client_ID is valid
+					if(username==null) { // Validating just the Client_ID
+						return new OAuth2FormHttpTafResp(access,new OAuth2FormPrincipal(client_id,client_id),"OAuth client_id authenticated",RESP.IS_AUTHENTICATED,resp,false);
+					} else {
+						//TODO - Does a clientID need specific Authorization to pair authentication with user name?  At the moment, no.
+						// username is ok.
+						if(password!=null) {
+							if(directUserPass.validate(username, Type.PASSWORD, password.getBytes(), trans)) {
+								return new OAuth2FormHttpTafResp(access,new OAuth2FormPrincipal(client_id, username),"OAuth username authenticated",RESP.IS_AUTHENTICATED,resp,false);
+							} else {
+								return new OAuth2HttpTafResp(access,null,"OAuth username " + username + " not authenticated ",RESP.FAIL,resp,true);
+							}
+						} else { // no Password
+							//TODO Check for Trust Permission, which requires looking up Perms?
+							return new OAuth2HttpTafResp(access,null,"OAuth username " + username + " not authenticated ",RESP.FAIL,resp,true);
+						}
+					}
+				} else {
+					return new OAuth2HttpTafResp(access,null,"OAuth client_id " + client_id + " not authenticated ",RESP.FAIL,resp,true);
+				}
+			}
+		} 
+		
+		// OK, have only a Token to validate
+		if(token!=null) {
+			AuthzTrans trans = (AuthzTrans)req.getAttribute(TransFilter.TRANS_TAG);
+
+			try {
+				Result<Introspect> ri = oaFacade.mappedIntrospect(trans, token);
+				if(ri.isOK()) {
+					TokenPerm tp = tkMgr.putIntrospect(ri.value, Hash.hashSHA256(token.getBytes()));
+					if(tp==null) {
+						return new OAuth2HttpTafResp(access, null, "TokenPerm persistence failure", RESP.FAIL, resp, false);
+					} else {
+						return new OAuth2HttpTafResp(access,new OAuth2Principal(tp,Hash.hashSHA256(token.getBytes())),"Token Authenticated",RESP.IS_AUTHENTICATED,resp,false);
+					}
+				} else {
+					return new OAuth2HttpTafResp(access, null, ri.errorString(), RESP.FAIL, resp, false);
+				}
+			} catch (APIException e) {
+				trans.error().log(e,"Error getting token");
+				return new OAuth2HttpTafResp(access, null, "Error getting token: " + e.getMessage(), RESP.TRY_ANOTHER_TAF, resp, false);
+			} catch (NoSuchAlgorithmException e) {
+				return new OAuth2HttpTafResp(access, null, "Error in security algorithm: " + e.getMessage(), RESP.TRY_ANOTHER_TAF, resp, false);
+			}
+		}
+		return new OAuth2HttpTafResp(access, null, "No OAuth2 Credentials in OAuthForm", RESP.TRY_ANOTHER_TAF, resp, false);
+	}
+
+	@Override
+	public Resp revalidate(CachedPrincipal prin, Object state) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	class ServiceTPL implements TokenPermLoader {
+		private final AuthzTrans trans;
+		public ServiceTPL(AuthzTrans atrans) {
+			trans = atrans;
+		}
+		
+		@Override
+		public org.onap.aaf.cadi.client.Result<TokenPerm> load(String accessToken, byte[] cred) throws APIException, CadiException, LocatorException {
+			Result<Introspect> ri = oaFacade.mappedIntrospect(trans, accessToken);
+			if(ri.notOK()) {
+				//TODO what should the status mapping be?
+				return org.onap.aaf.cadi.client.Result.err(ri.status,ri.errorString());
+			}
+			return org.onap.aaf.cadi.client.Result.ok(200,tkMgr.putIntrospect(ri.value, cred));
+		}
+	}
+
+	public DirectAAFUserPass directUserPass() {
+		return directUserPass;
+	}
+}
+
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OACode.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OACode.java
new file mode 100644
index 00000000..f60c689b
--- /dev/null
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OACode.java
@@ -0,0 +1,45 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.oauth;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.oauth.facade.OAFacade;
+import org.onap.aaf.auth.rserv.HttpCode;
+
+import aafoauth.v2_0.Introspect;
+
+public abstract class OACode extends HttpCode<AuthzTrans, OAFacade<Introspect>> implements Cloneable {
+	public boolean useJSON;
+
+	public OACode(OAFacade<Introspect> facade, String description, boolean useJSON, String ... roles) {
+		super(facade, description, roles);
+		this.useJSON = useJSON;
+	}
+	
+	public <D extends OACode> D clone(OAFacade<Introspect> facade, boolean useJSON) throws Exception {
+		@SuppressWarnings("unchecked")
+		D d = (D)clone();
+		d.useJSON = useJSON;
+		d.context = facade;
+		return d;
+	}
+	
+}
+\ No newline at end of file
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OAuth2Filter.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OAuth2Filter.java
new file mode 100644
index 00000000..4442e36f
--- /dev/null
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OAuth2Filter.java
@@ -0,0 +1,64 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.oauth;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.aaf.cadi.principal.BearerPrincipal;
+import org.onap.aaf.cadi.util.Split;
+
+public class OAuth2Filter implements Filter {
+
+	@Override
+	public void init(FilterConfig filterConfig) throws ServletException {
+	}
+
+	@Override
+	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+		HttpServletRequest hreq = (HttpServletRequest)request;
+		Principal p = hreq.getUserPrincipal();
+		if(request.getContentType().equals("application/x-www-form-urlencoded")) {
+			
+		} else if(p instanceof BearerPrincipal) { 
+			for(String authz : Split.splitTrim(';', hreq.getHeader("Authorization"))) {
+				if(authz.startsWith("Bearer ")) {
+					((BearerPrincipal)p).setBearer(authz.substring(7));
+				}
+			}
+		}
+		chain.doFilter(request, response);
+	}
+
+	@Override
+	public void destroy() {
+	}
+
+}
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OAuth2FormHttpTafResp.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OAuth2FormHttpTafResp.java
new file mode 100644
index 00000000..23d87e3e
--- /dev/null
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OAuth2FormHttpTafResp.java
@@ -0,0 +1,65 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.oauth;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.principal.OAuth2FormPrincipal;
+import org.onap.aaf.cadi.principal.TrustPrincipal;
+import org.onap.aaf.cadi.taf.AbsTafResp;
+import org.onap.aaf.cadi.taf.TafResp;
+
+public class OAuth2FormHttpTafResp extends AbsTafResp implements TafResp {
+	private HttpServletResponse httpResp;
+	private RESP status;
+	private final boolean wasFailed;
+	
+	public OAuth2FormHttpTafResp(Access access, OAuth2FormPrincipal principal, String desc, RESP status, HttpServletResponse resp, boolean wasFailed) {
+		super(access,principal, desc);
+		httpResp = resp;
+		this.status = status; 
+		this.wasFailed = wasFailed;
+	}
+
+	public OAuth2FormHttpTafResp(Access access, TrustPrincipal principal, String desc, RESP status,HttpServletResponse resp) {
+		super(access,principal, desc);
+		httpResp = resp;
+		this.status = status; 
+		wasFailed = true; // if Trust Principal added, must be good
+	}
+
+	public RESP authenticate() throws IOException {
+		httpResp.setStatus(401); // Unauthorized	
+		return RESP.HTTP_REDIRECT_INVOKED;
+	}
+
+	public RESP isAuthenticated() {
+		return status;
+	}
+
+	public boolean isFailedAttempt() {
+		return wasFailed;
+	}
+}
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/api/API_Token.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/api/API_Token.java
new file mode 100644
index 00000000..f2836a7b
--- /dev/null
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/api/API_Token.java
@@ -0,0 +1,82 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.oauth.api;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.oauth.AAF_OAuth;
+import org.onap.aaf.auth.oauth.OACode;
+import org.onap.aaf.auth.oauth.facade.OAFacade;
+import org.onap.aaf.auth.oauth.mapper.Mapper.API;
+import org.onap.aaf.auth.rserv.HttpMethods;
+
+import aafoauth.v2_0.Introspect;
+
+/**
+ * API Apis
+ * @author Jonathan
+ *
+ */
+public class API_Token {
+	// Hide Public Constructor
+	private API_Token() {}
+	
+	/**
+	 * Normal Init level APIs
+	 * 
+	 * @param authzAPI
+	 * @param facade
+	 * @throws Exception
+	 */
+	public static void init(final AAF_OAuth authzAPI, OAFacade<Introspect> facade) throws Exception {
+		////////
+		// Overall APIs
+		///////
+		authzAPI.route(HttpMethods.POST,"/token",API.TOKEN,new OACode(facade,"OAuth Token", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.createBearerToken(trans,req, resp);
+				if(r.isOK()) {
+					resp.setStatus(201/*HttpStatus.CREATED_201*/);
+				} else {
+					context.error(trans,resp,r);
+				}
+			}
+		});
+		
+		authzAPI.route(HttpMethods.POST,"/introspect",API.INTROSPECT,new OACode(facade,"AAF Token Information", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.introspect(trans,req, resp);
+				if(r.isOK()) {
+					resp.setStatus(200 /*HttpStatus.OK_200*/);
+				} else {
+					context.error(trans,resp,r);
+				}
+			}
+		});
+
+	}
+}
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/DirectIntrospect.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/DirectIntrospect.java
new file mode 100644
index 00000000..91423cef
--- /dev/null
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/DirectIntrospect.java
@@ -0,0 +1,29 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.oauth.facade;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+
+public interface DirectIntrospect<INTROSPECT> {
+	Result<INTROSPECT> mappedIntrospect(AuthzTrans trans, String token);
+}
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/DirectIntrospectImpl.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/DirectIntrospectImpl.java
new file mode 100644
index 00000000..91431c34
--- /dev/null
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/DirectIntrospectImpl.java
@@ -0,0 +1,57 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.oauth.facade;
+
+import org.onap.aaf.auth.dao.cass.OAuthTokenDAO;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.FacadeImpl;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.oauth.mapper.MapperIntrospect;
+import org.onap.aaf.auth.oauth.service.OAuthService;
+
+public class DirectIntrospectImpl<INTROSPECT> extends FacadeImpl implements DirectIntrospect<INTROSPECT> {
+	protected OAuthService service;
+	private MapperIntrospect<INTROSPECT> mapper;
+
+	public DirectIntrospectImpl(OAuthService service, MapperIntrospect<INTROSPECT> mapper) {
+		this.service = service;
+		this.mapper = mapper;
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.oauth.facade.OAFacade#mappedIntrospect(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.String)
+	 */
+	@Override
+	public Result<INTROSPECT> mappedIntrospect(AuthzTrans trans, String token) {
+		Result<INTROSPECT> rti;
+ 		Result<OAuthTokenDAO.Data> rs = service.introspect(trans,token);
+		if(rs.notOK()) {
+			rti = Result.err(rs);
+		} else if(rs.isEmpty()) {
+			rti = Result.err(Result.ERR_NotFound,"No Token %s found",token);
+		} else {
+			rti = mapper.introspect(rs);
+		}
+		return rti;
+	}
+
+}
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/DirectOAFacadeImpl.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/DirectOAFacadeImpl.java
new file mode 100644
index 00000000..f71f7c15
--- /dev/null
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/DirectOAFacadeImpl.java
@@ -0,0 +1,28 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.oauth.facade;
+
+import org.onap.aaf.auth.layer.FacadeImpl;
+
+public class DirectOAFacadeImpl extends FacadeImpl {
+
+}
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacade.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacade.java
new file mode 100644
index 00000000..52ff38b7
--- /dev/null
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacade.java
@@ -0,0 +1,67 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.oauth.facade;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.oauth.service.OAuthService;
+
+
+/**
+ *   
+ * @author Jonathan
+ *
+ */
+public interface OAFacade<INTROSPECT> {
+
+/////////////////////  STANDARD ELEMENTS //////////////////
+	/** 
+	 * @param trans
+	 * @param response
+	 * @param result
+	 */
+	public void error(AuthzTrans trans, HttpServletResponse response, Result<?> result);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param response
+	 * @param status
+	 */
+	public void error(AuthzTrans trans, HttpServletResponse response, int status,	String msg, String ... detail);
+
+	public Result<Void> createBearerToken(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp);
+
+	public Result<Void> introspect(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp);
+
+	public OAuthService service();
+	
+
+/////////////////////  STANDARD ELEMENTS //////////////////
+
+
+
+
+}
+\ No newline at end of file
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacade1_0.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacade1_0.java
new file mode 100644
index 00000000..204a104a
--- /dev/null
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacade1_0.java
@@ -0,0 +1,47 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.oauth.facade;
+
+import org.onap.aaf.auth.oauth.AAF_OAuth;
+import org.onap.aaf.auth.oauth.mapper.Mapper;
+import org.onap.aaf.auth.oauth.service.OAuthService;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Data;
+
+import aaf.v2_0.Error;
+import aafoauth.v2_0.Introspect;
+import aafoauth.v2_0.Token;
+import aafoauth.v2_0.TokenRequest;
+
+/**
+ * @author Jonathan
+ *
+ */
+public class OAFacade1_0 extends OAFacadeImpl<TokenRequest,Token,Introspect,Error> {
+	public OAFacade1_0(AAF_OAuth api, 
+					 OAuthService service,
+					 Mapper<TokenRequest,Token,Introspect,Error> mapper, 
+					 Data.TYPE type) throws APIException {
+		super(api, service, mapper, type);
+	}
+
+}
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacadeFactory.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacadeFactory.java
new file mode 100644
index 00000000..ff586007
--- /dev/null
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacadeFactory.java
@@ -0,0 +1,47 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.oauth.facade;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.oauth.AAF_OAuth;
+import org.onap.aaf.auth.oauth.mapper.Mapper1_0;
+import org.onap.aaf.auth.oauth.mapper.MapperIntrospect1_0;
+import org.onap.aaf.auth.oauth.service.OAuthService;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Data;
+
+import aafoauth.v2_0.Introspect;
+
+
+public class OAFacadeFactory {
+	public static OAFacade1_0 v1_0(AAF_OAuth certman, AuthzTrans trans, OAuthService service, Data.TYPE type) throws APIException {
+		return new OAFacade1_0(
+				certman,
+				service,
+				new Mapper1_0(),
+				type);  
+	}
+   
+	public static DirectIntrospect<Introspect> directV1_0(OAuthService service) {
+		return new DirectIntrospectImpl<Introspect>(service, new MapperIntrospect1_0());
+	}
+}
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacadeImpl.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacadeImpl.java
new file mode 100644
index 00000000..ee35b8bf
--- /dev/null
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacadeImpl.java
@@ -0,0 +1,333 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.oauth.facade;
+
+import static org.onap.aaf.auth.layer.Result.ERR_ActionNotCompleted;
+import static org.onap.aaf.auth.layer.Result.ERR_BadData;
+import static org.onap.aaf.auth.layer.Result.ERR_ConflictAlreadyExists;
+import static org.onap.aaf.auth.layer.Result.ERR_Denied;
+import static org.onap.aaf.auth.layer.Result.ERR_NotFound;
+import static org.onap.aaf.auth.layer.Result.ERR_NotImplemented;
+import static org.onap.aaf.auth.layer.Result.ERR_Policy;
+import static org.onap.aaf.auth.layer.Result.ERR_Security;
+import static org.onap.aaf.auth.layer.Result.OK;
+
+import java.security.Principal;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.auth.dao.cass.OAuthTokenDAO;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.oauth.AAF_OAuth;
+import org.onap.aaf.auth.oauth.mapper.Mapper;
+import org.onap.aaf.auth.oauth.mapper.Mapper.API;
+import org.onap.aaf.auth.oauth.service.OAuthService;
+import org.onap.aaf.auth.oauth.service.OAuthService.GRANT_TYPE;
+import org.onap.aaf.cadi.client.Holder;
+import org.onap.aaf.cadi.oauth.OAuth2Principal;
+import org.onap.aaf.cadi.principal.OAuth2FormPrincipal;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Data;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.rosetta.env.RosettaDF;
+import org.onap.aaf.misc.rosetta.env.RosettaData;
+
+import aaf.v2_0.Perms;
+
+/**
+ * AuthzFacade
+ * 
+ * This Service Facade encapsulates the essence of the API Service can do, and provides
+ * a single created object for elements such as RosettaDF.
+ *
+ * The Responsibilities of this class are to:
+ * 1) Interact with the Service Implementation (which might be supported by various kinds of Backend Storage)
+ * 2) Validate incoming data (if applicable)
+ * 3) Convert the Service response into the right Format, and mark the Content Type
+ * 		a) In the future, we may support multiple Response Formats, aka JSON or XML, based on User Request.
+ * 4) Log Service info, warnings and exceptions as necessary
+ * 5) When asked by the API layer, this will create and write Error content to the OutputStream
+ * 
+ * Note: This Class does NOT set the HTTP Status Code.  That is up to the API layer, so that it can be 
+ * clearly coordinated with the API Documentation
+ * 
+ * @author Jonathan
+ *
+ */
+public abstract class OAFacadeImpl<TOKEN_REQ,TOKEN,INTROSPECT,ERROR> 
+		extends DirectIntrospectImpl<INTROSPECT> implements OAFacade<INTROSPECT> {
+	private static final String INVALID_INPUT = "Invalid Input";
+	private final RosettaDF<TOKEN> tokenDF;
+	private final RosettaDF<TOKEN_REQ> tokenReqDF;
+	private final RosettaDF<INTROSPECT> introspectDF;
+	private final RosettaDF<ERROR> errDF;
+	public final RosettaDF<Perms> permsDF;
+	private final Mapper<TOKEN_REQ, TOKEN, INTROSPECT, ERROR> mapper;
+	
+	public OAFacadeImpl(AAF_OAuth api,
+					  OAuthService service, 
+					  Mapper<TOKEN_REQ,TOKEN,INTROSPECT,ERROR> mapper,
+					  Data.TYPE dataType) throws APIException {
+		super(service, mapper);
+		this.mapper = mapper;
+		AuthzEnv env = api.env;
+		(tokenReqDF 		= env.newDataFactory(mapper.getClass(API.TOKEN_REQ))).in(dataType).out(dataType);
+		(tokenDF 		= env.newDataFactory(mapper.getClass(API.TOKEN))).in(dataType).out(dataType);
+		(introspectDF 	= env.newDataFactory(mapper.getClass(API.INTROSPECT))).in(dataType).out(dataType);
+		(permsDF 		= env.newDataFactory(Perms.class)).in(dataType).out(dataType);
+		(errDF 			= env.newDataFactory(mapper.getClass(API.ERROR))).in(dataType).out(dataType);
+	}
+	
+	///////////////////////////
+	// Tokens
+	///////////////////////////
+	public static final String CREATE_TOKEN = "createToken";
+	public static final String INTROSPECT = "introspect";
+	
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.oauth.facade.OAFacade#getToken(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, org.onap.aaf.auth.oauth.service.OAuthAPI)
+	 */
+	@Override
+	public Result<Void> createBearerToken(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(CREATE_TOKEN, Env.SUB|Env.ALWAYS);
+		try {
+			TOKEN_REQ request;
+			try {
+				request = mapper.tokenReqFromParams(req);
+				if(request==null) {
+					Data<TOKEN_REQ> rd = tokenReqDF.newData().load(req.getInputStream());
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,rd.asString());
+					}
+					request = rd.asObject();
+				}
+			} catch(APIException e) {
+				trans.error().log(INVALID_INPUT,IN,CREATE_TOKEN);
+				return Result.err(Status.ERR_BadData,INVALID_INPUT);
+			}
+
+			// Already validated for Oauth2FormPrincipal
+//			Result<Void> rv = service.validate(trans,mapper.credsFromReq(request));
+//			if(rv.notOK()) {
+//				return rv;
+//			}
+			Holder<GRANT_TYPE> hgt = new Holder<GRANT_TYPE>(GRANT_TYPE.unknown);
+			Result<OAuthTokenDAO.Data> rs = service.createToken(trans,req,mapper.clientTokenReq(request,hgt),hgt);
+			Result<TOKEN> rp;
+			if(rs.isOKhasData()) {
+				rp = mapper.tokenFromData(rs);
+			} else {
+				rp = Result.err(rs);
+			}
+			switch(rp.status) {
+				case OK: 
+					RosettaData<TOKEN> data = tokenDF.newData(trans).load(rp.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+					resp.getOutputStream().print('\n');
+					setContentType(resp,tokenDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,CREATE_TOKEN);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+
+	}
+
+/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.oauth.facade.OAFacade#Introspect(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+	 */
+	@Override
+	public Result<Void> introspect(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(INTROSPECT, Env.SUB|Env.ALWAYS);
+		try {
+			Principal p = req.getUserPrincipal();
+			String token=null;
+			if(p != null) {
+				if(p instanceof OAuth2Principal) {
+					RosettaData<INTROSPECT> data = introspectDF.newData(trans).load(mapper.fromPrincipal((OAuth2Principal)p));
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+					resp.getOutputStream().print('\n');
+					setContentType(resp,tokenDF.getOutType());
+					return Result.ok();
+				} else if(p instanceof OAuth2FormPrincipal) {
+					token = req.getParameter("token"); 
+				}
+			}
+			
+			if(token==null) {
+				token = req.getParameter("access_token");
+				if(token==null || token.isEmpty()) {
+					token = req.getHeader("Authorization");
+					if(token != null && token.startsWith("Bearer ")) {
+						token = token.substring(7);
+					} else {
+						token = req.getParameter("token");
+						if(token==null) {
+							return Result.err(Result.ERR_Security,"token is required");
+						}
+					}
+				}
+			}
+
+			Result<INTROSPECT> rti = mappedIntrospect(trans,token);
+			switch(rti.status) {
+				case OK: 
+					RosettaData<INTROSPECT> data = introspectDF.newData(trans).load(rti.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+					resp.getOutputStream().print('\n');
+					setContentType(resp,tokenDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rti);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,INTROSPECT);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+	
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#error(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, int)
+	 * 
+	 * Note: Conforms to AT&T TSS RESTful Error Structure
+	 */
+	@Override
+	public void error(AuthzTrans trans, HttpServletResponse response, Result<?> result) {
+		error(trans, response, result.status,
+				result.details==null?"":result.details.trim(),
+				result.variables==null?new String[0]:result.variables);
+	}
+		
+	@Override
+	public void error(AuthzTrans trans, HttpServletResponse response, int status, final String _msg, final String ... _detail) {
+		String msgId;
+		String prefix;
+		boolean hidemsg=false;
+		switch(status) {
+			case 202:
+			case ERR_ActionNotCompleted:
+				msgId = "SVC1202";
+				prefix = "Accepted, Action not complete";
+				response.setStatus(/*httpstatus=*/202);
+				break;
+
+			case 403:
+			case ERR_Policy:
+			case ERR_Security:
+			case ERR_Denied:
+				msgId = "SVC1403";
+				prefix = "Forbidden";
+				response.setStatus(/*httpstatus=*/403);
+				break;
+				
+			case 404:
+			case ERR_NotFound:
+				msgId = "SVC1404";
+				prefix = "Not Found";
+				response.setStatus(/*httpstatus=*/404);
+				break;
+
+			case 406:
+			case ERR_BadData:
+				msgId="SVC1406";
+				prefix = "Not Acceptable";
+				response.setStatus(/*httpstatus=*/406);
+				break;
+				
+			case 409:
+			case ERR_ConflictAlreadyExists:
+				msgId = "SVC1409";
+				prefix = "Conflict Already Exists";
+				response.setStatus(/*httpstatus=*/409);
+				break;
+			
+			case 501:
+			case ERR_NotImplemented:
+				msgId = "SVC1501";
+				prefix = "Not Implemented"; 
+				response.setStatus(/*httpstatus=*/501);
+				break;
+				
+
+			default:
+				msgId = "SVC1500";
+				prefix = "General Service Error";
+				response.setStatus(/*httpstatus=*/500);
+				hidemsg=true;
+				break;
+		}
+
+		try {
+			StringBuilder holder = new StringBuilder();
+			ERROR em = mapper.errorFromMessage(holder, msgId,prefix + ": " + _msg,_detail);
+			trans.checkpoint(
+					"ErrResp [" + 
+					msgId +
+					"] " +
+					holder.toString(),
+					Env.ALWAYS);
+			if(hidemsg) {
+				holder.setLength(0);
+				em = mapper.errorFromMessage(holder, msgId, "Server had an issue processing this request");
+			}
+			errDF.newData(trans).load(em).to(response.getOutputStream());
+			
+		} catch (Exception e) {
+			trans.error().log(e,"unable to send response for",_msg);
+		}
+	}
+	
+	public Mapper<TOKEN_REQ,TOKEN,INTROSPECT,ERROR> mapper() {
+		return mapper;
+	}
+	
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.oauth.facade.OAFacade#service()
+	 */
+	@Override
+	public OAuthService service() {
+		return service;
+	}
+}
+\ No newline at end of file
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/Mapper.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/Mapper.java
new file mode 100644
index 00000000..55100e21
--- /dev/null
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/Mapper.java
@@ -0,0 +1,47 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.oauth.mapper;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.aaf.auth.dao.cass.OAuthTokenDAO;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.oauth.service.OCreds;
+import org.onap.aaf.auth.oauth.service.OAuthService.GRANT_TYPE;
+import org.onap.aaf.cadi.client.Holder;
+import org.onap.aaf.cadi.oauth.OAuth2Principal;
+
+public interface Mapper<TOKEN_REQ,TOKEN,INTROSPECT,ERROR> extends MapperIntrospect<INTROSPECT>
+{	
+	public enum API{TOKEN_REQ, TOKEN,INTROSPECT, ERROR,VOID};
+	
+	public Class<?> getClass(API api);
+	public<A> A newInstance(API api);
+
+	public ERROR errorFromMessage(StringBuilder holder, String msgID, String text, String... detail);
+	public TOKEN_REQ tokenReqFromParams(HttpServletRequest req);
+	public OCreds credsFromReq(TOKEN_REQ tokReq);
+	
+	public OAuthTokenDAO.Data clientTokenReq(TOKEN_REQ tokReq, Holder<GRANT_TYPE> hgt);
+	public Result<TOKEN> tokenFromData(Result<OAuthTokenDAO.Data> rs);
+	public INTROSPECT fromPrincipal(OAuth2Principal p);
+}
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/Mapper1_0.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/Mapper1_0.java
new file mode 100644
index 00000000..ee4237c8
--- /dev/null
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/Mapper1_0.java
@@ -0,0 +1,225 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.oauth.mapper;
+
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.Set;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.aaf.auth.dao.cass.OAuthTokenDAO;
+import org.onap.aaf.auth.dao.cass.OAuthTokenDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.oauth.service.OAuthService;
+import org.onap.aaf.auth.oauth.service.OCreds;
+import org.onap.aaf.auth.oauth.service.OAuthService.CLIENT_TYPE;
+import org.onap.aaf.auth.oauth.service.OAuthService.GRANT_TYPE;
+import org.onap.aaf.cadi.client.Holder;
+import org.onap.aaf.cadi.oauth.OAuth2Principal;
+import org.onap.aaf.cadi.util.Vars;
+import org.onap.aaf.misc.env.util.Split;
+
+import aaf.v2_0.Error;
+import aafoauth.v2_0.Introspect;
+import aafoauth.v2_0.Token;
+import aafoauth.v2_0.TokenRequest;
+
+
+public class Mapper1_0 extends MapperIntrospect1_0 implements Mapper<TokenRequest,Token,Introspect,Error> {
+	@Override
+	public Class<?> getClass(API api) {
+		switch(api) {
+			case TOKEN_REQ:		return TokenRequest.class; 
+			case TOKEN: 		return Token.class;
+			case INTROSPECT: 	return Introspect.class;
+			case ERROR: 		return Error.class;
+			case VOID: 			return Void.class;
+		}
+		return null;
+	}
+
+	@SuppressWarnings("unchecked")
+	@Override
+	public <A> A newInstance(API api) {
+		switch(api) {
+			case TOKEN_REQ:		return (A)new TokenRequest();
+			case TOKEN: 		return (A)new Token();
+			case INTROSPECT: 	return (A)new Introspect();
+			case ERROR: 		return (A)new Error();
+			case VOID: 			return null;
+		}
+		return null;
+	}
+
+	//////////////  Mapping Functions /////////////
+	@Override
+	public Error errorFromMessage(StringBuilder holder, String msgID, String text, String... var) {
+		Error err = new Error();
+		err.setMessageId(msgID);
+		// AT&T Restful Error Format requires numbers "%" placements
+		err.setText(Vars.convert(holder, text, var));
+		for(String s : var) {
+			err.getVariables().add(s);
+		}
+		return err;
+	}
+
+	@Override
+	public TokenRequest tokenReqFromParams(HttpServletRequest req) {
+		TokenRequest tr = new TokenRequest();
+		boolean data = false;
+		@SuppressWarnings("unchecked")
+		Map<String, String[]> map = req.getParameterMap();
+		for(Entry<String, String[]> es : map.entrySet()) {
+			switch(es.getKey()) {
+				case "client_id":
+					if(es.getValue().length==1) {
+						tr.setClientId(es.getValue()[0]);
+						data = true;
+					}
+					break;
+				case "client_secret":
+					if(es.getValue().length==1) {
+						tr.setClientSecret(es.getValue()[0]);
+						data = true;
+					}
+					break;
+				case "username":
+					if(es.getValue().length==1) {
+						tr.setUsername(es.getValue()[0]);
+						data = true;
+					}
+					break;
+				case "password":
+					if(es.getValue().length==1) {
+						tr.setPassword(es.getValue()[0]);
+						data = true;
+					}
+					break;
+				case "scope":
+					if(es.getValue().length==1) {
+						tr.setScope(es.getValue()[0]);
+						data = true;
+					}
+					break;
+				case "grant_type":
+					if(es.getValue().length==1) {
+						tr.setGrantType(es.getValue()[0]);
+						data = true;
+					}
+					break;
+				case "refresh_token":
+					if(es.getValue().length==1) {
+						tr.setRefreshToken(es.getValue()[0]);
+						data = true;
+					}
+					break;
+
+			}	
+		}
+		return data?tr:null;
+	}
+	
+	
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.oauth.mapper.Mapper#credsFromReq(javax.servlet.http.HttpServletRequest)
+	 */
+	@Override
+	public OCreds credsFromReq(TokenRequest tokReq) {
+		return new OCreds(tokReq.getClientId(),tokReq.getClientSecret(),
+						 tokReq.getUsername(),tokReq.getPassword());
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.oauth.mapper.Mapper#tokenReq(java.lang.Object)
+	 */
+	@Override
+	public Data clientTokenReq(TokenRequest tokReq, Holder<GRANT_TYPE> hgt) {
+		OAuthTokenDAO.Data tdd = new OAuthTokenDAO.Data();
+		tdd.client_id = tokReq.getClientId(); 
+		tdd.user = tokReq.getUsername();
+		if(tokReq.getRefreshToken()!=null) {
+			tdd.refresh=tokReq.getRefreshToken();
+		}
+		
+		for(GRANT_TYPE ttt : GRANT_TYPE.values()) {
+			if(ttt.name().equals(tokReq.getGrantType())) {
+				hgt.set(ttt);
+				break;
+			}
+		}
+		
+		switch(hgt.get()) {
+			case client_credentials:
+			case password:
+			case refresh_token:
+				tdd.type = CLIENT_TYPE.confidential.ordinal();
+				break;
+			default:
+				tdd.type = CLIENT_TYPE.unknown.ordinal();
+				break;
+		}
+		String scopes=tokReq.getScope(); 
+		if(scopes!=null) {
+			Set<String> ss = tdd.scopes(true);
+			for(String s: Split.split(' ', tokReq.getScope())) {
+				ss.add(s);
+			}
+		}
+		
+		tdd.state = tokReq.getState();
+		return tdd;
+	}
+
+	@Override
+	public Result<Token> tokenFromData(Result<Data> rd) {
+		if(rd.notOK()) {
+			return Result.err(rd);
+		}
+		Data d = rd.value;
+		Token token = new Token();
+		if(OAuthService.TOKEN_TYPE.values().length>d.type) {
+			token.setTokenType(OAuthService.TOKEN_TYPE.values()[d.type].name());
+		} else {
+			token.setTokenType("Invalid");
+		}
+		token.setAccessToken(d.id);
+		token.setRefreshToken(d.refresh);
+		token.setExpiresIn((int)(d.exp_sec-(System.currentTimeMillis())/1000));
+		token.setScope(getScopes(d.scopes(false)));
+		token.setState(d.state);
+		return Result.ok(token);
+	}
+
+
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.oauth.mapper.Mapper#fromPrincipal(org.onap.aaf.cadi.oauth.OAuth2Principal)
+	 */
+	@Override
+	public Introspect fromPrincipal(OAuth2Principal p) {
+		return p.tokenPerm().getIntrospect();
+	}
+
+}
+\ No newline at end of file
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/MapperIntrospect.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/MapperIntrospect.java
new file mode 100644
index 00000000..bf558799
--- /dev/null
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/MapperIntrospect.java
@@ -0,0 +1,29 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.oauth.mapper;
+
+import org.onap.aaf.auth.dao.cass.OAuthTokenDAO;
+import org.onap.aaf.auth.layer.Result;
+
+public interface MapperIntrospect<INTROSPECT> {
+	public Result<INTROSPECT> introspect(Result<OAuthTokenDAO.Data> rs);
+}
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/MapperIntrospect1_0.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/MapperIntrospect1_0.java
new file mode 100644
index 00000000..00a94fdf
--- /dev/null
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/MapperIntrospect1_0.java
@@ -0,0 +1,74 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.oauth.mapper;
+
+import java.util.Set;
+
+import org.onap.aaf.auth.dao.cass.OAuthTokenDAO.Data;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.oauth.service.OAuthService.CLIENT_TYPE;
+
+import aafoauth.v2_0.Introspect;
+
+public class MapperIntrospect1_0 implements MapperIntrospect<Introspect> {
+
+	public Result<Introspect> introspect(Result<Data> rs) {
+		if(rs.isOKhasData()) {
+			Data data = rs.value;
+			Introspect ti = new Introspect();
+			ti.setAccessToken(data.id);
+			ti.setActive(data.active);
+			ti.setClientId(data.client_id);
+			for(CLIENT_TYPE ct : CLIENT_TYPE.values()) {
+				if(data.type==ct.ordinal()) {
+					ti.setClientType(ct.name());
+					break;
+				}
+			}
+			if(ti.getClientType()==null) {
+				ti.setClientType(CLIENT_TYPE.unknown.name());
+			}
+			ti.setActive(data.active);
+			ti.setScope(getScopes(data.scopes(false)));
+			ti.setContent(data.content);
+			ti.setUsername(data.user);
+			ti.setExp(data.exp_sec); // want seconds from Jan 1, 1970
+			return Result.ok(ti);
+		}
+		return Result.err(rs);
+	}
+	
+	protected static String getScopes(Set<String> scopes) {
+		StringBuilder sb = new StringBuilder();
+		boolean start = true;
+		for(String s : scopes) {
+			if(start) {
+				start = false;
+			} else {
+				sb.append(' ');
+			}
+			sb.append(s);
+		}
+		return sb.toString();
+	}
+
+}
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/JSONPermLoader.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/JSONPermLoader.java
new file mode 100644
index 00000000..bf04472b
--- /dev/null
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/JSONPermLoader.java
@@ -0,0 +1,34 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.oauth.service;
+
+import java.util.Set;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.misc.env.APIException;
+
+public interface JSONPermLoader {
+	public Result<String> loadJSONPerms(AuthzTrans trans, String user, Set<String> scopes) throws APIException, CadiException;
+
+}
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/JSONPermLoaderFactory.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/JSONPermLoaderFactory.java
new file mode 100644
index 00000000..ea5c595c
--- /dev/null
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/JSONPermLoaderFactory.java
@@ -0,0 +1,119 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.oauth.service;
+
+import java.util.List;
+import java.util.Set;
+
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.aaf.v2_0.AAFCon;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+
+public class JSONPermLoaderFactory {
+	/**
+	 * Load JSON Perms from AAF Service (Remotely)
+	 * @param aafcon
+	 * @param timeout
+	 * @return
+	 */
+	public static JSONPermLoader remote(final AAFCon<?> aafcon, final int timeout) {
+		return new JSONPermLoader() {
+			public Result<String> loadJSONPerms(AuthzTrans trans, String user, Set<String> scopes) throws APIException, CadiException {
+				Rcli<?> c = aafcon.clientAs(Config.AAF_DEFAULT_VERSION,trans.getUserPrincipal());
+				StringBuilder pathinfo = new StringBuilder("/authz/perms/user/");
+				pathinfo.append(user);
+				pathinfo.append("?scopes=");
+				boolean first = true;
+				for(String s : scopes) {
+					if(first) {
+						first = false;
+					} else {
+						pathinfo.append(':');
+					}
+					pathinfo.append(s);
+				}
+				TimeTaken tt = trans.start("Call AAF Service", Env.REMOTE);
+				try {
+					Future<String> fs = c.read(pathinfo.toString(), "application/Perms+json;charset=utf-8;version=2.0");
+					if(fs.get(timeout)) {
+						return Result.ok(fs.body());
+					} else if(fs.code()==404) {
+						return Result.err(Result.ERR_NotFound,fs.body());
+					} else {
+						return Result.err(Result.ERR_Backend,"Error accessing AAF %s: %s",Integer.toString(fs.code()),fs.body());
+					}
+				} finally {
+					tt.done();
+				}
+			}
+		};
+	}
+	public static JSONPermLoader direct(final Question question) {
+		return new JSONPermLoader() {
+			public Result<String> loadJSONPerms(AuthzTrans trans, String user, Set<String> scopes) throws APIException, CadiException {
+				TimeTaken tt = trans.start("Cached DB Perm lookup", Env.SUB);
+				Result<List<PermDAO.Data>> pd;
+				try {
+					pd = question.getPermsByUser(trans, user, false);
+				} finally {
+					tt.done();
+				}
+				if(pd.notOK()) {
+					return Result.err(pd);
+				}
+				// Since we know it is 
+				StringBuilder sb = new StringBuilder("{\"perm\":[");
+				boolean first = true;
+				for(PermDAO.Data d : pd.value) {
+					if(scopes.contains(d.ns)) {
+						if(first) {
+							first = false;
+						} else {
+							sb.append(',');
+						}
+						sb.append("{\"type\":\"");
+						sb.append(d.ns);
+						sb.append('.');
+						sb.append(d.type);
+						sb.append("\",\"instance\":\"");
+						sb.append(d.instance);
+						sb.append("\",\"action\":\"");
+						sb.append(d.action);
+						sb.append("\"}");
+					}
+				}
+				sb.append("]}");
+				return Result.ok(sb.toString());
+			}
+		};
+	}
+
+}
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/OAuthService.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/OAuthService.java
new file mode 100644
index 00000000..052b292e
--- /dev/null
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/OAuthService.java
@@ -0,0 +1,301 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.oauth.service;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.Date;
+import java.util.List;
+import java.util.Set;
+import java.util.UUID;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.aaf.auth.dao.DAO;
+import org.onap.aaf.auth.dao.cass.OAuthTokenDAO;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.dao.cass.OAuthTokenDAO.Data;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.direct.DirectAAFUserPass;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.env.NullTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.CredVal.Type;
+import org.onap.aaf.cadi.client.Holder;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.oauth.AAFToken;
+import org.onap.aaf.cadi.oauth.TokenClient;
+import org.onap.aaf.cadi.oauth.TokenClientFactory;
+import org.onap.aaf.cadi.util.Split;
+import org.onap.aaf.misc.env.APIException;
+
+import aafoauth.v2_0.Introspect;
+
+public class OAuthService {
+	
+	private static final int TOK_EXP = 60*60*1000; // 1 hour, millis.
+
+	public enum TOKEN_TYPE {unknown,bearer,refresh}
+	public enum GRANT_TYPE {unknown,password,client_credentials,refresh_token};
+	public enum CLIENT_TYPE {unknown,confidential};
+	
+	// Additional Expires
+	private final DAO<AuthzTrans, ?>[] daos;
+	public final OAuthTokenDAO tokenDAO;
+	private final DirectAAFUserPass directUserPass;
+	private final TokenClientFactory tcf;
+	private TokenClient altIntrospectClient;
+	private String altDomain;
+	private final JSONPermLoader permLoader;
+
+
+	// If we add more CAs, may want to parameterize
+
+	@SuppressWarnings("unchecked")
+	public OAuthService(final Access access, final AuthzTrans trans, final Question q) throws APIException, IOException {
+		permLoader = JSONPermLoaderFactory.direct(q);
+		tokenDAO = new OAuthTokenDAO(trans, q.historyDAO);
+		daos =(DAO<AuthzTrans, ?>[]) new DAO<?,?>[] {
+			tokenDAO
+		};
+		try {
+			String alt_url = access.getProperty(Config.AAF_ALT_OAUTH2_INTROSPECT_URL,null);
+			if(alt_url!=null) {
+				tcf = TokenClientFactory.instance(access);
+				String[] split = Split.split(',', alt_url);
+				int timeout = split.length>1?Integer.parseInt(split[1]):3000;
+				altIntrospectClient = tcf.newClient(split[0], timeout);
+				altIntrospectClient.client_creds(access.getProperty(Config.AAF_ALT_CLIENT_ID,null), 
+										   access.getProperty(Config.AAF_ALT_CLIENT_SECRET,null));
+				altDomain = '@'+access.getProperty(Config.AAF_ALT_OAUTH2_DOMAIN,null);
+			} else {
+				tcf = null;
+			}
+			directUserPass = new DirectAAFUserPass(trans.env(), q);
+		} catch (GeneralSecurityException | CadiException | LocatorException e) {
+			throw new APIException("Could not construct TokenClientFactory",e);
+		}
+	
+	}
+
+	public Result<Void> validate(AuthzTrans trans, OCreds creds) {
+		if(directUserPass.validate(creds.username, Type.PASSWORD, creds.password, trans)) {
+			return Result.ok();
+		} else {
+			return Result.err(Result.ERR_Security, "Invalid Credential for ",creds.username);
+		}
+	}
+
+	public Result<Data> createToken(AuthzTrans trans, HttpServletRequest req, OAuthTokenDAO.Data odd, Holder<GRANT_TYPE> hgt) {
+		switch(hgt.get()) {
+			case client_credentials:
+			case password:
+				return createBearerToken(trans, odd);
+			case refresh_token:
+				return refreshBearerToken(trans, odd);
+			default:
+				return Result.err(Result.ERR_BadData, "Unknown Grant Type");
+		}
+	}
+	
+	private Result<Data> createBearerToken(AuthzTrans trans, OAuthTokenDAO.Data odd) {
+		if(odd.user==null) {
+			odd.user = trans.user();
+		}
+		odd.id = AAFToken.toToken(UUID.randomUUID());
+		odd.refresh = AAFToken.toToken(UUID.randomUUID());
+		odd.active = true;
+		long exp;
+		odd.expires = new Date(exp=(System.currentTimeMillis()+TOK_EXP));
+		odd.exp_sec = exp/1000;
+		odd.req_ip = trans.ip();
+
+		try {
+			Result<Data> rd = loadToken(trans, odd);
+			if(rd.notOK()) {
+				return rd;
+			}
+		} catch (APIException | CadiException e) {
+			return Result.err(e);
+		}
+		return tokenDAO.create(trans, odd);
+	}
+	
+	private Result<Data> loadToken(AuthzTrans trans, Data odd) throws APIException, CadiException {
+		Result<String> rs = permLoader.loadJSONPerms(trans,odd.user,odd.scopes(false));
+		if(rs.isOK()) {
+			odd.content = rs.value;
+			odd.type = TOKEN_TYPE.bearer.ordinal();
+			return Result.ok(odd);
+		} else if(rs.status == Result.ERR_NotFound || rs.status==Status.ERR_UserRoleNotFound) {
+			odd.type = TOKEN_TYPE.bearer.ordinal();
+			return Result.ok(odd);
+		} else {
+			return Result.err(Result.ERR_Backend,"Error accessing AAF Info: %s",rs.errorString());
+		}
+	}
+	
+	
+
+	private Result<Data> refreshBearerToken(AuthzTrans trans, Data odd) {
+		Result<List<Data>> rld = tokenDAO.readByUser(trans, trans.user());
+		if(rld.notOK()) {
+			return Result.err(rld);
+		}
+		if(rld.isEmpty()) {
+			return Result.err(Result.ERR_NotFound,"Data not Found for %1 %2",trans.user(),odd.refresh==null?"":odd.refresh.toString());
+		}
+		Data token = null;
+		for(Data d : rld.value) {
+			if(d.refresh.equals(odd.refresh)) {
+				token = d;
+				boolean scopesNE = false;
+				Set<String> scopes = odd.scopes(false);
+				if(scopes.size()>0) { // only check if Scopes listed, RFC 6749, Section 6
+					if(scopesNE=!(scopes.size() == d.scopes(false).size())) {
+						for(String s : odd.scopes(false)) {
+							if(!d.scopes(false).contains(s)) {
+								scopesNE=true;
+								break;
+							}
+						}
+					}
+					if(scopesNE) {
+						return Result.err(Result.ERR_BadData,"Requested Scopes do not match existing Token");
+					}
+				}
+				break;
+			}
+		}
+		
+		if(token==null) {
+			trans.audit().printf("Duplicate Refresh Token (%s) attempted for %s. Possible Replay Attack",odd.refresh.toString(),trans.user());
+			return Result.err(Result.ERR_Security,"Invalid Refresh Token");
+		} else {
+			// Got the Result
+			Data deleteMe = new Data();
+			deleteMe.id = token.id;
+			token.id = AAFToken.toToken(UUID.randomUUID());
+			token.client_id = trans.user();
+			token.refresh = AAFToken.toToken(UUID.randomUUID());
+			long exp;
+			token.expires = new Date(exp=(System.currentTimeMillis()+TOK_EXP));
+			token.exp_sec = exp/1000;
+			token.req_ip = trans.ip();
+			Result<Data> rd = tokenDAO.create(trans, token);
+			if(rd.notOK()) {
+				return Result.err(rd);
+			}
+			Result<Void> rv = tokenDAO.delete(trans, deleteMe,false);
+			if(rv.notOK()) {
+				trans.error().log("Unable to delete token", token);
+			}
+		}
+		return Result.ok(token);
+	}
+
+	public Result<OAuthTokenDAO.Data> introspect(AuthzTrans trans, String token) {
+		Result<List<Data>> rld;
+		try {
+			UUID uuid = AAFToken.fromToken(token);
+			if(uuid==null) { // not an AAF Token
+				// Attempt to get Alternative Token
+				if(altIntrospectClient!=null) {
+					 org.onap.aaf.cadi.client.Result<Introspect> rai = altIntrospectClient.introspect(token);
+					 if(rai.isOK()) {
+						 Introspect in = rai.value;
+						 if(in.getExp()==null) {
+							trans.audit().printf("Alt OAuth sent back inactive, empty token: requesting_id,%s,access_token=%s,ip=%s\n",trans.user(),token,trans.ip());
+						 }
+						 long expires = in.getExp()*1000;
+						 if(in.isActive() && expires>System.currentTimeMillis()) {
+							// We have a good Token, modify to be Fully Qualified
+							String fqid = in.getUsername()+altDomain;
+							// read contents
+							rld = tokenDAO.read(trans, token);
+							if(rld.isOKhasData()) {
+								Data td = rld.value.get(0);
+								in.setContent(td.content);
+							} else {
+								Data td = new Data();
+								td.id = token;
+								td.client_id = in.getClientId();
+								td.user = fqid;
+								td.active=true;
+								td.type = TOKEN_TYPE.bearer.ordinal();
+								td.expires = new Date(expires);
+								td.exp_sec = in.getExp();
+								Set<String> scopes = td.scopes(true);
+								if(in.getScope()!=null) {
+									for(String s : Split.split(' ', in.getScope())) {
+										scopes.add(s);
+									}
+								}
+								// td.state = nothing to add at this point
+								td.req_ip = trans.ip();
+								trans.checkpoint(td.user + ':' + td.client_id + ", " + td.id);
+								return loadToken(trans, td);
+							}
+						 }
+//						 System.out.println(rai.value.getClientId());
+					 } else {
+						trans.audit().printf("Alt OAuth rejects: requesting_id,%s,access_token=%s,ip=%s,code=%d,error=%s\n",trans.user(),token,trans.ip(),rai.code,rai.error);
+					 }
+				} else {
+					trans.audit().printf("Bad Token: requesting_id,%s,access_token=%s,ip=%s\n",trans.user(),token,trans.ip());
+				}
+				return Result.err(Result.ERR_Denied,"Bad Token");
+			} else {
+				return dbIntrospect(trans,token);
+			}
+		} catch (CadiException | APIException | LocatorException e) {
+			return Result.err(e);
+		}
+	}
+
+	public Result<Data> dbIntrospect(final AuthzTrans trans, final String token) {
+		Result<List<Data>> rld = tokenDAO.read(trans, token);
+		if(rld.notOKorIsEmpty()) {
+			return Result.err(rld);
+		}
+		OAuthTokenDAO.Data odd = rld.value.get(0);
+		trans.checkpoint(odd.user + ':' + odd.client_id + ", " + odd.id);
+		if(odd.active) {
+			if(odd.expires.before(trans.now())) {
+				return Result.err(Result.ERR_Policy,"Token %1 has expired",token);
+			}
+			return Result.ok(rld.value.get(0)); // ok keyed on id/token.
+		} else {
+			return Result.err(Result.ERR_Denied,"Token %1 is inactive",token);
+		}
+	}
+
+	public void close() {
+		for(DAO<AuthzTrans,?> dao : daos) {
+			dao.close(NullTrans.singleton());
+		}
+	}
+
+}
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/OCreds.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/OCreds.java
new file mode 100644
index 00000000..becb746a
--- /dev/null
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/OCreds.java
@@ -0,0 +1,33 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.oauth.service;
+
+public class OCreds {
+	public final String client_id, username;
+	public final byte[] client_secret, password;
+	public OCreds(String client_id, String client_secret, String username, String password) {
+		this.client_id = client_id;
+		this.client_secret = client_secret==null?null:client_secret.getBytes();
+		this.username = username;
+		this.password = password==null?null:password.getBytes();
+	}
+}
diff --git a/auth/auth-service/.gitignore b/auth/auth-service/.gitignore
new file mode 100644
index 00000000..940e35eb
--- /dev/null
+++ b/auth/auth-service/.gitignore
@@ -0,0 +1,15 @@
+/.settings
+/.classpath
+/bin
+/common
+/logs
+/target/
+/tokens/
+/.project
+/Dockerfile
+/dbuild
+/docker-compose.yaml
+/drun
+/run
+/dbuild.orig
+/dcy
diff --git a/auth/auth-service/pom.xml b/auth/auth-service/pom.xml
new file mode 100644
index 00000000..33560e33
--- /dev/null
+++ b/auth/auth-service/pom.xml
@@ -0,0 +1,144 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.onap.aaf.auth</groupId>
+		<artifactId>parent</artifactId>
+		<version>2.1.0-SNAPSHOT</version>
+		<relativePath>../pom.xml</relativePath>
+	</parent>
+
+	<artifactId>aaf-auth-service</artifactId>
+	<name>AAF Auth Service</name>
+	<description>Core API Component for AAF Auth</description>
+
+	<properties>
+		<maven.test.failure.ignore>true</maven.test.failure.ignore>
+	</properties>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.onap.aaf.auth</groupId>
+			<artifactId>aaf-auth-client</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.auth</groupId>
+			<artifactId>aaf-auth-core</artifactId>
+		</dependency>
+
+		<!-- Add the Organizations you wish to support. You can delete ONAP if 
+			you have something else Match with Property Entry: Organization.<root ns>, 
+			i.e. Organization.onap.org=org.onap.org.DefaultOrg -->
+		<dependency>
+			<groupId>org.onap.aaf.auth</groupId>
+			<artifactId>aaf-auth-deforg</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.auth</groupId>
+			<artifactId>aaf-auth-cass</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.auth</groupId>
+			<artifactId>aaf-auth-oauth</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.misc</groupId>
+			<artifactId>aaf-misc-rosetta</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.onap.aaf.cadi</groupId>
+			<artifactId>aaf-cadi-aaf</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.eclipse.jetty</groupId>
+			<artifactId>jetty-servlet</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.slf4j</groupId>
+			<artifactId>slf4j-log4j12</artifactId>
+		</dependency>
+
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-jar-plugin</artifactId>
+				<configuration>
+					<excludes>
+						<exclude>*.properties</exclude>
+					</excludes>
+				</configuration>
+				<version>2.3.1</version>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-deploy-plugin</artifactId>
+				<configuration>
+					<skip>true</skip>
+				</configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.codehaus.mojo</groupId>
+				<artifactId>appassembler-maven-plugin</artifactId>
+				<configuration>
+					<programs>
+						<program>
+							<mainClass>org.onap.aaf.auth.service.AAF_Service</mainClass>
+							<name>service</name>
+							<commandLineArguments>
+								<commandLineArgument>cadi_prop_files=${project.conf_dir}/org.osaaf.service.props</commandLineArgument>
+							</commandLineArguments>
+						</program>
+					</programs>
+				</configuration>
+			</plugin>
+			<!--  plugin> 
+				<groupId>com.spotify</groupId>
+				<artifactId>docker-maven-plugin</artifactId>
+			</plugin -->	
+		</plugins>
+	</build>
+
+	<distributionManagement>
+		<repository>
+			<id>nexus</id>
+			<name>attarch-releases</name>
+			<url>http://mavencentral.it.att.com:8084/nexus/content/repositories/attarch-releases</url>
+		</repository>
+		<snapshotRepository>
+			<id>nexus</id>
+			<name>attarch-snapshots</name>
+			<url>http://mavencentral.it.att.com:8084/nexus/content/repositories/attarch-snapshots</url>
+		</snapshotRepository>
+	</distributionManagement>
+</project>
diff --git a/auth/auth-service/src/main/config/.gitignore b/auth/auth-service/src/main/config/.gitignore
new file mode 100644
index 00000000..508486a3
--- /dev/null
+++ b/auth/auth-service/src/main/config/.gitignore
@@ -0,0 +1,2 @@
+/authAPI.props
+/log4j.properties
diff --git a/auth/auth-service/src/main/docker/.gitignore b/auth/auth-service/src/main/docker/.gitignore
new file mode 100644
index 00000000..508486a3
--- /dev/null
+++ b/auth/auth-service/src/main/docker/.gitignore
@@ -0,0 +1,2 @@
+/authAPI.props
+/log4j.properties
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java
new file mode 100644
index 00000000..ad9ccc4a
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java
@@ -0,0 +1,227 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service;
+
+import javax.servlet.Filter;
+
+import org.onap.aaf.auth.cache.Cache;
+import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.direct.DirectAAFLur;
+import org.onap.aaf.auth.direct.DirectAAFUserPass;
+import org.onap.aaf.auth.direct.DirectCertIdentity;
+import org.onap.aaf.auth.direct.DirectLocatorCreator;
+import org.onap.aaf.auth.direct.DirectRegistrar;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.env.AuthzTransFilter;
+import org.onap.aaf.auth.org.OrganizationFactory;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.auth.server.AbsService;
+import org.onap.aaf.auth.server.JettyServiceStarter;
+import org.onap.aaf.auth.service.api.API_Api;
+import org.onap.aaf.auth.service.api.API_Approval;
+import org.onap.aaf.auth.service.api.API_Creds;
+import org.onap.aaf.auth.service.api.API_Delegate;
+import org.onap.aaf.auth.service.api.API_History;
+import org.onap.aaf.auth.service.api.API_Mgmt;
+import org.onap.aaf.auth.service.api.API_NS;
+import org.onap.aaf.auth.service.api.API_Perms;
+import org.onap.aaf.auth.service.api.API_Roles;
+import org.onap.aaf.auth.service.api.API_User;
+import org.onap.aaf.auth.service.api.API_UserRole;
+import org.onap.aaf.auth.service.facade.AuthzFacadeFactory;
+import org.onap.aaf.auth.service.facade.AuthzFacade_2_0;
+import org.onap.aaf.auth.service.mapper.Mapper.API;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.aaf.v2_0.AAFTrustChecker;
+import org.onap.aaf.cadi.aaf.v2_0.AbsAAFLocator;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.register.Registrant;
+import org.onap.aaf.cadi.taf.basic.BasicHttpTaf;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Data;
+import org.onap.aaf.misc.env.Env;
+
+import com.datastax.driver.core.Cluster;
+
+public class AAF_Service extends AbsService<AuthzEnv,AuthzTrans> {
+
+	private static final String ORGANIZATION = "Organization.";
+	private static final String DOMAIN = "aaf.att.com";
+
+// TODO Add Service Metrics
+//	private Metric serviceMetric;
+	public final Question question;
+//	private final SessionFilter sessionFilter;
+	private AuthzFacade_2_0 facade;
+	private AuthzFacade_2_0 facade_XML;
+	private DirectAAFUserPass directAAFUserPass;
+	private final Cluster cluster;
+	//private final OAuthService oauthService;
+	
+	/**
+	 * Construct AuthzAPI with all the Context Supporting Routes that Authz needs
+	 * 
+	 * @param env
+	 * @param decryptor 
+	 * @throws APIException 
+	 */
+	public AAF_Service( final AuthzEnv env) throws Exception {
+		super(env.access(), env);
+
+		// Initialize Facade for all uses
+		AuthzTrans trans = env.newTrans();
+
+		cluster = org.onap.aaf.auth.dao.CassAccess.cluster(env,null);
+
+		// Need Question for Security purposes (direct User/Authz Query in Filter)
+		// Start Background Processing
+		question = new Question(trans, cluster, CassAccess.KEYSPACE, true);
+		DirectCertIdentity.set(question.certDAO);
+
+		// Have AAFLocator object Create DirectLocators for Location needs
+		AbsAAFLocator.setCreator(new DirectLocatorCreator(env, question.locateDAO));
+		
+		// Initialize Organizations... otherwise, first pass may miss
+		int org_size = ORGANIZATION.length();
+		for(String n : env.existingStaticSlotNames()) {
+			if(n.startsWith(ORGANIZATION)) {
+				OrganizationFactory.obtain(env, n.substring(org_size));
+			}
+		}
+		
+
+		// For direct Introspection needs.
+		//oauthService = new OAuthService(trans, question);
+		
+		facade = AuthzFacadeFactory.v2_0(env,trans,Data.TYPE.JSON,question);
+		facade_XML = AuthzFacadeFactory.v2_0(env,trans,Data.TYPE.XML,question);
+
+		directAAFUserPass = new DirectAAFUserPass(trans.env(),question);
+	
+		// Print results and cleanup
+		StringBuilder sb = new StringBuilder();
+		trans.auditTrail(0, sb);
+		if(sb.length()>0)env.init().log(sb);
+		trans = null;
+		sb = null;
+
+		////////////////////////////////////////////////////////////////////////////
+		// Time Critical
+		//  These will always be evaluated first
+		////////////////////////////////////////////////////////////////////////
+		API_Creds.timeSensitiveInit(env, this, facade,directAAFUserPass);
+		API_Perms.timeSensitiveInit(this, facade);
+		////////////////////////////////////////////////////////////////////////
+		// Service APIs
+		////////////////////////////////////////////////////////////////////////
+		API_Creds.init(this, facade);
+		API_UserRole.init(this, facade);
+		API_Roles.init(this, facade);
+		API_Perms.init(this, facade);
+		API_NS.init(this, facade);
+		API_User.init(this, facade);
+		API_Delegate.init(this,facade);
+		API_Approval.init(this, facade);
+		API_History.init(this, facade);
+
+		////////////////////////////////////////////////////////////////////////
+		// Management APIs
+		////////////////////////////////////////////////////////////////////////
+		// There are several APIs around each concept, and it gets a bit too
+		// long in this class to create.  The initialization of these Management
+		// APIs have therefore been pushed to StandAlone Classes with static
+		// init functions
+		API_Mgmt.init(this, facade);
+		API_Api.init(this, facade);
+		
+	}
+	
+	@Override
+	public Filter[] filters() throws CadiException {
+		try {
+				return new Filter[] {new AuthzTransFilter(env, null /* no connection to AAF... it is AAF */,
+						new AAFTrustChecker((Env)env),
+						new DirectAAFLur(env,question), // Note, this will be assigned by AuthzTransFilter to TrustChecker
+						//new DirectOAuthTAF(env,question,OAFacadeFactory.directV1_0(oauthService)),
+						new BasicHttpTaf(env, directAAFUserPass,
+							DOMAIN,Long.parseLong(env.getProperty(Config.AAF_CLEAN_INTERVAL, Config.AAF_CLEAN_INTERVAL_DEF)),
+							false)
+					)};
+		} catch (NumberFormatException e) {
+			throw new CadiException("Invalid Property information", e);
+		}
+	}
+
+	@SuppressWarnings("unchecked")
+	@Override
+	public Registrant<AuthzEnv>[] registrants(final int port) throws CadiException {
+		return new Registrant[] {
+			new DirectRegistrar(access,question.locateDAO,app_name,app_interface_version,port)
+		};
+	}
+
+	@Override
+	public void destroy() {
+		Cache.stopTimer();
+		if(cluster!=null) {
+			cluster.close();
+		}
+		super.destroy();
+	}
+
+	
+	/**
+	 * Setup XML and JSON implementations for each supported Version type
+	 * 
+	 * We do this by taking the Code passed in and creating clones of these with the appropriate Facades and properties
+	 * to do Versions and Content switches
+	 * 
+	 */
+	public void route(HttpMethods meth, String path, API api, Code code) throws Exception {
+		String version = "2.0";
+		Class<?> respCls = facade.mapper().getClass(api); 
+		if(respCls==null) throw new Exception("Unknown class associated with " + api.getClass().getName() + ' ' + api.name());
+		String application = applicationJSON(respCls, version);
+
+		route(env,meth,path,code,application,"application/json;version=2.0","*/*");
+		application = applicationXML(respCls, version);
+		route(env,meth,path,code.clone(facade_XML,false),application,"text/xml;version=2.0");
+	}
+
+	/**
+	 * Start up AAF_Service as Jetty Service
+	 */
+	public static void main(final String[] args) {
+		PropAccess propAccess = new PropAccess(args);
+		try {
+ 			AAF_Service service = new AAF_Service(new AuthzEnv(propAccess));
+// 			service.env().setLog4JNames("log4j.properties","authz","authz|service","audit","init","trace");
+			JettyServiceStarter<AuthzEnv,AuthzTrans> jss = new JettyServiceStarter<AuthzEnv,AuthzTrans>(service);
+			jss.start();
+		} catch (Exception e) {
+			e.printStackTrace();
+		}
+	}
+}
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
new file mode 100644
index 00000000..fa099111
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
@@ -0,0 +1,4245 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service;
+
+import static org.onap.aaf.auth.env.AuthzTrans.REQD_TYPE.force;
+import static org.onap.aaf.auth.env.AuthzTrans.REQD_TYPE.future;
+import static org.onap.aaf.auth.layer.Result.OK;
+import static org.onap.aaf.auth.rserv.HttpMethods.DELETE;
+import static org.onap.aaf.auth.rserv.HttpMethods.GET;
+import static org.onap.aaf.auth.rserv.HttpMethods.POST;
+import static org.onap.aaf.auth.rserv.HttpMethods.PUT;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.Date;
+import java.util.GregorianCalendar;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.TreeMap;
+import java.util.UUID;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.aaf.auth.common.Define;
+import org.onap.aaf.auth.dao.DAOException;
+import org.onap.aaf.auth.dao.cass.ApprovalDAO;
+import org.onap.aaf.auth.dao.cass.CertDAO;
+import org.onap.aaf.auth.dao.cass.CredDAO;
+import org.onap.aaf.auth.dao.cass.DelegateDAO;
+import org.onap.aaf.auth.dao.cass.FutureDAO;
+import org.onap.aaf.auth.dao.cass.HistoryDAO;
+import org.onap.aaf.auth.dao.cass.Namespace;
+import org.onap.aaf.auth.dao.cass.NsDAO;
+import org.onap.aaf.auth.dao.cass.NsDAO.Data;
+import org.onap.aaf.auth.dao.cass.NsSplit;
+import org.onap.aaf.auth.dao.cass.NsType;
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.dao.cass.UserRoleDAO;
+import org.onap.aaf.auth.dao.hl.CassExecutor;
+import org.onap.aaf.auth.dao.hl.Function;
+import org.onap.aaf.auth.dao.hl.Function.FUTURE_OP;
+import org.onap.aaf.auth.dao.hl.Function.Lookup;
+import org.onap.aaf.auth.dao.hl.Function.OP_STATUS;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.dao.hl.Question.Access;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.org.Executor;
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.auth.org.Organization.Expiration;
+import org.onap.aaf.auth.org.Organization.Identity;
+import org.onap.aaf.auth.org.Organization.Policy;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.auth.rserv.doc.ApiDoc;
+import org.onap.aaf.auth.service.mapper.Mapper;
+import org.onap.aaf.auth.service.mapper.Mapper.API;
+import org.onap.aaf.auth.service.validation.ServiceValidator;
+import org.onap.aaf.auth.validation.Validator;
+import org.onap.aaf.cadi.principal.BasicPrincipal;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.util.Chrono;
+import org.onap.aaf.misc.env.util.Split;
+
+import aaf.v2_0.CredRequest;
+
+/**
+ * AuthzCassServiceImpl implements AuthzCassService for 
+ * 
+ * @author Jonathan
+ *
+ * @param <NSS>
+ * @param <PERMS>
+ * @param <PERMKEY>
+ * @param <ROLES>
+ * @param <USERS>
+ * @param <DELGS>
+ * @param <REQUEST>
+ * @param <HISTORY>
+ * @param <ERR>
+ * @param <APPROVALS>
+ */
+public class AuthzCassServiceImpl	<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS,CERTS,KEYS,REQUEST,HISTORY,ERR,APPROVALS>
+	implements AuthzService			<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS,CERTS,KEYS,REQUEST,HISTORY,ERR,APPROVALS> {
+	
+	private Mapper					<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS,CERTS,KEYS,REQUEST,HISTORY,ERR,APPROVALS> mapper;
+	@Override
+	public Mapper					<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS,CERTS,KEYS,REQUEST,HISTORY,ERR,APPROVALS> mapper() {return mapper;}
+	
+	private static final String ASTERIX = "*";
+	private static final String CACHE = "cache";
+	private static final String ROOT_NS = Define.ROOT_NS();
+	private static final String ROOT_COMPANY = Define.ROOT_COMPANY();
+
+	private final Question ques;
+	private final Function func;
+	
+	public AuthzCassServiceImpl(AuthzTrans trans, Mapper<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS,CERTS,KEYS,REQUEST,HISTORY,ERR,APPROVALS> mapper,Question question) {
+		this.ques = question;
+		func = new Function(trans, question);
+		this.mapper = mapper;
+		
+	}
+
+/***********************************
+ * NAMESPACE 
+ ***********************************/
+	/**
+	 * createNS
+	 * @throws DAOException 
+	 * @see org.onap.aaf.auth.service.AuthzService#createNS(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.String, java.lang.String)
+	 */
+	@ApiDoc( 
+			method = POST,  
+			path = "/authz/ns",
+			params = {},
+			expectedCode = 201,
+			errorCodes = { 403,404,406,409 }, 
+			text = { "Namespace consists of: ",
+					"<ul><li>name - What you want to call this Namespace</li>",
+					"<li>responsible(s) - Person(s) who receive Notifications and approves Requests ",
+					"regarding this Namespace. Companies have Policies as to who may take on ",
+					"this Responsibility. Separate multiple identities with commas</li>",
+					"<li>admin(s) - Person(s) who are allowed to make changes on the namespace, ",
+					"including creating Roles, Permissions and Credentials. Separate multiple ",
+					"identities with commas</li></ul>",
+					"Note: Namespaces are dot-delimited (i.e. com.myCompany.myApp) and must be ",
+					"created with parent credentials (i.e. To create com.myCompany.myApp, you must ",
+					"be an admin of com.myCompany or com"
+					}
+			)
+	@Override
+	public Result<Void> createNS(final AuthzTrans trans, REQUEST from, NsType type) {
+		final Result<Namespace> rnamespace = mapper.ns(trans, from);
+		final ServiceValidator v = new ServiceValidator();
+		if(v.ns(rnamespace).err()) { 
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		final Namespace namespace = rnamespace.value;
+		final Result<NsDAO.Data> parentNs = ques.deriveNs(trans,namespace.name);
+		if(parentNs.notOK()) {
+			return Result.err(parentNs);
+		}
+		
+		if(namespace.name.lastIndexOf('.')<0) { // Root Namespace... Function will check if allowed
+			return func.createNS(trans, namespace, false);
+		}
+		
+		Result<FutureDAO.Data> fd = mapper.future(trans, NsDAO.TABLE,from,namespace,true, 
+				new Mapper.Memo() {
+					@Override
+					public String get() {
+						return "Create Namespace [" + namespace.name + ']';
+					}
+				},
+				new MayChange() {
+					private Result<NsDAO.Data> rnd;
+					@Override
+					public Result<?> mayChange() {
+						if(rnd==null) {
+							rnd = ques.mayUser(trans, trans.user(), parentNs.value,Access.write);
+						}
+						return rnd;
+					}
+				});
+			switch(fd.status) {
+				case OK:
+					Result<String> rfc = func.createFuture(trans, fd.value, namespace.name, trans.user(),parentNs.value, FUTURE_OP.C);
+					if(rfc.isOK()) {
+						return Result.err(Status.ACC_Future, "NS [%s] is saved for future processing",namespace.name);
+					} else { 
+						return Result.err(rfc);
+					}
+				case Status.ACC_Now:
+					return func.createNS(trans, namespace, false);
+				default:
+					return Result.err(fd);
+			}
+	}
+	
+	@ApiDoc(
+			method = POST,  
+			path = "/authz/ns/:ns/admin/:id",
+			params = { 	"ns|string|true",
+						"id|string|true" 
+					},
+			expectedCode = 201,
+			errorCodes = { 403,404,406,409 }, 
+			text = { 	"Add an Identity :id to the list of Admins for the Namespace :ns", 
+						"Note: :id must be fully qualified (i.e. ab1234@csp.att.com)" }
+			)
+	@Override
+	public Result<Void> addAdminNS(AuthzTrans trans, String ns, String id) {
+		return func.addUserRole(trans, id, ns,Question.ADMIN);
+	}
+
+	@ApiDoc(
+			method = DELETE,  
+			path = "/authz/ns/:ns/admin/:id",
+			params = { 	"ns|string|true",
+						"id|string|true" 
+					},
+			expectedCode = 200,
+			errorCodes = { 403,404 }, 
+			text = { 	"Remove an Identity :id from the list of Admins for the Namespace :ns",
+						"Note: :id must be fully qualified (i.e. ab1234@csp.att.com)" }
+			)
+	@Override
+	public Result<Void> delAdminNS(AuthzTrans trans, String ns, String id) {
+		return func.delAdmin(trans,ns,id);
+	}
+
+	@ApiDoc(
+			method = POST,  
+			path = "/authz/ns/:ns/responsible/:id",
+			params = { 	"ns|string|true",
+						"id|string|true" 
+					},
+			expectedCode = 201,
+			errorCodes = { 403,404,406,409 }, 
+			text = { 	"Add an Identity :id to the list of Responsibles for the Namespace :ns",
+						"Note: :id must be fully qualified (i.e. ab1234@csp.att.com)" }
+			)
+	@Override
+	public Result<Void> addResponsibleNS(AuthzTrans trans, String ns, String id) {
+		return func.addUserRole(trans,id,ns,Question.OWNER);
+	}
+
+	@ApiDoc(
+			method = DELETE,  
+			path = "/authz/ns/:ns/responsible/:id",
+			params = { 	"ns|string|true",
+						"id|string|true" 
+					},
+			expectedCode = 200,
+			errorCodes = { 403,404 }, 
+			text = { 	"Remove an Identity :id to the list of Responsibles for the Namespace :ns",
+						"Note: :id must be fully qualified (i.e. ab1234@csp.att.com)",
+						"Note: A namespace must have at least 1 responsible party"
+					}
+			)
+	@Override
+	public Result<Void> delResponsibleNS(AuthzTrans trans, String ns, String id) {
+		return func.delOwner(trans,ns,id);
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.service.AuthzService#applyModel(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object)
+	 */
+	@ApiDoc(
+			method = POST,  
+			path = "/authz/ns/:ns/attrib/:key/:value",
+			params = { 	"ns|string|true",
+						"key|string|true",
+						"value|string|true"},
+			expectedCode = 201,
+			errorCodes = { 403,404,406,409 },  
+			text = { 	
+				"Create an attribute in the Namespace",
+				"You must be given direct permission for key by AAF"
+				}
+			)
+	@Override
+	public Result<Void> createNsAttrib(AuthzTrans trans, String ns, String key, String value) {
+		TimeTaken tt = trans.start("Create NsAttrib " + ns + ':' + key + ':' + value, Env.SUB);
+		try {
+			// Check inputs
+			final Validator v = new ServiceValidator();
+			if(v.ns(ns).err() ||
+			   v.key(key).err() ||
+			   v.value(value).err()) {
+				return Result.err(Status.ERR_BadData,v.errs());
+			}
+
+			// Check if exists already
+			Result<List<Data>> rlnsd = ques.nsDAO.read(trans, ns);
+			if(rlnsd.notOKorIsEmpty()) {
+				return Result.err(rlnsd);
+			}
+			NsDAO.Data nsd = rlnsd.value.get(0);
+
+			// Check for Existence
+			if(nsd.attrib.get(key)!=null) {
+				return Result.err(Status.ERR_ConflictAlreadyExists, "NS Property %s:%s exists", ns, key);
+			}
+			
+			// Check if User may put
+			if(!ques.isGranted(trans, trans.user(), ROOT_NS, Question.ATTRIB, 
+					":"+trans.org().getDomain()+".*:"+key, Access.write.name())) {
+				return Result.err(Status.ERR_Denied, "%s may not create NS Attrib [%s:%s]", trans.user(),ns, key);
+			}
+
+			// Add Attrib
+			nsd.attrib.put(key, value);
+			ques.nsDAO.dao().attribAdd(trans,ns,key,value);
+			return Result.ok();
+		} finally {
+			tt.done();
+		}
+	}
+	
+	@ApiDoc(
+			method = GET,  
+			path = "/authz/ns/attrib/:key",
+			params = { 	"key|string|true" },
+			expectedCode = 200,
+			errorCodes = { 403,404 },  
+			text = { 	
+				"Read Attributes for Namespace"
+				}
+			)
+	@Override
+	public Result<KEYS> readNsByAttrib(AuthzTrans trans, String key) {
+		// Check inputs
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("Key",key).err()) {
+			  return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		// May Read
+		if(!ques.isGranted(trans, trans.user(), ROOT_NS, Question.ATTRIB, 
+					":"+trans.org().getDomain()+".*:"+key, Question.READ)) {
+			return Result.err(Status.ERR_Denied,"%s may not read NS by Attrib '%s'",trans.user(),key);
+		}
+
+		Result<Set<String>> rsd = ques.nsDAO.dao().readNsByAttrib(trans, key);
+		if(rsd.notOK()) {
+			return Result.err(rsd);
+		}
+		return mapper().keys(rsd.value);
+	}
+
+
+	@ApiDoc(
+			method = PUT,  
+			path = "/authz/ns/:ns/attrib/:key/:value",
+			params = { 	"ns|string|true",
+						"key|string|true"},
+			expectedCode = 200,
+			errorCodes = { 403,404 },  
+			text = { 	
+				"Update Value on an existing attribute in the Namespace",
+				"You must be given direct permission for key by AAF"
+				}
+			)
+	@Override
+	public Result<?> updateNsAttrib(AuthzTrans trans, String ns, String key, String value) {
+		TimeTaken tt = trans.start("Update NsAttrib " + ns + ':' + key + ':' + value, Env.SUB);
+		try {
+			// Check inputs
+			final Validator v = new ServiceValidator();
+			if(v.ns(ns).err() ||
+			   v.key(key).err() ||
+			   v.value(value).err()) {
+				return Result.err(Status.ERR_BadData,v.errs());
+			}
+
+			// Check if exists already (NS must exist)
+			Result<List<Data>> rlnsd = ques.nsDAO.read(trans, ns);
+			if(rlnsd.notOKorIsEmpty()) {
+				return Result.err(rlnsd);
+			}
+			NsDAO.Data nsd = rlnsd.value.get(0);
+
+			// Check for Existence
+			if(nsd.attrib.get(key)==null) {
+				return Result.err(Status.ERR_NotFound, "NS Property %s:%s exists", ns, key);
+			}
+			
+			// Check if User may put
+			if(!ques.isGranted(trans, trans.user(), ROOT_NS, Question.ATTRIB, 
+					":"+trans.org().getDomain()+".*:"+key, Access.write.name())) {
+				return Result.err(Status.ERR_Denied, "%s may not create NS Attrib [%s:%s]", trans.user(),ns, key);
+			}
+
+			// Add Attrib
+			nsd.attrib.put(key, value);
+
+			return ques.nsDAO.update(trans,nsd);
+ 
+		} finally {
+			tt.done();
+		}
+	}
+
+	@ApiDoc(
+			method = DELETE,  
+			path = "/authz/ns/:ns/attrib/:key",
+			params = { 	"ns|string|true",
+						"key|string|true"},
+			expectedCode = 200,
+			errorCodes = { 403,404 },  
+			text = { 	
+				"Delete an attribute in the Namespace",
+				"You must be given direct permission for key by AAF"
+				}
+			)
+	@Override
+	public Result<Void> deleteNsAttrib(AuthzTrans trans, String ns, String key) {
+		TimeTaken tt = trans.start("Delete NsAttrib " + ns + ':' + key, Env.SUB);
+		try {
+			// Check inputs
+			final Validator v = new ServiceValidator();
+			if(v.nullOrBlank("NS",ns).err() ||
+			   v.nullOrBlank("Key",key).err()) {
+				return Result.err(Status.ERR_BadData,v.errs());
+			}
+
+			// Check if exists already
+			Result<List<Data>> rlnsd = ques.nsDAO.read(trans, ns);
+			if(rlnsd.notOKorIsEmpty()) {
+				return Result.err(rlnsd);
+			}
+			NsDAO.Data nsd = rlnsd.value.get(0);
+
+			// Check for Existence
+			if(nsd.attrib.get(key)==null) {
+				return Result.err(Status.ERR_NotFound, "NS Property [%s:%s] does not exist", ns, key);
+			}
+			
+			// Check if User may del
+			if(!ques.isGranted(trans, trans.user(), ROOT_NS, "attrib", ":" + ROOT_COMPANY + ".*:"+key, Access.write.name())) {
+				return Result.err(Status.ERR_Denied, "%s may not delete NS Attrib [%s:%s]", trans.user(),ns, key);
+			}
+
+			// Add Attrib
+			nsd.attrib.remove(key);
+			ques.nsDAO.dao().attribRemove(trans,ns,key);
+			return Result.ok();
+		} finally {
+			tt.done();
+		}
+	}
+
+	@ApiDoc(
+			method = GET,  
+			path = "/authz/nss/:id",
+			params = { 	"id|string|true" },
+			expectedCode = 200,
+			errorCodes = { 404,406 }, 
+			text = { 	
+				"Lists the Admin(s), Responsible Party(s), Role(s), Permission(s)",
+				"Credential(s) and Expiration of Credential(s) in Namespace :id",
+			}
+			)
+	@Override
+	public Result<NSS> getNSbyName(AuthzTrans trans, String ns) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("NS", ns).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		
+		Result<List<NsDAO.Data>> rlnd = ques.nsDAO.read(trans, ns);
+		if(rlnd.isOK()) {
+			if(rlnd.isEmpty()) {
+				return Result.err(Status.ERR_NotFound, "No data found for %s",ns);
+			}
+			Result<NsDAO.Data> rnd = ques.mayUser(trans, trans.user(), rlnd.value.get(0), Access.read);
+			if(rnd.notOK()) {
+				return Result.err(rnd); 
+			}
+			
+			
+			Namespace namespace = new Namespace(rnd.value);
+			Result<List<String>> rd = func.getOwners(trans, namespace.name, false);
+			if(rd.isOK()) {
+				namespace.owner = rd.value;
+			}
+			rd = func.getAdmins(trans, namespace.name, false);
+			if(rd.isOK()) {
+				namespace.admin = rd.value;
+			}
+			
+			NSS nss = mapper.newInstance(API.NSS);
+			return mapper.nss(trans, namespace, nss);
+		} else {
+			return Result.err(rlnd);
+		}
+	}
+
+	@ApiDoc(
+			method = GET,  
+			path = "/authz/nss/admin/:id",
+			params = { 	"id|string|true" },
+			expectedCode = 200,
+			errorCodes = { 403,404 }, 
+			text = { 	"Lists all Namespaces where Identity :id is an Admin", 
+						"Note: :id must be fully qualified (i.e. ab1234@csp.att.com)" 
+					}
+			)
+	@Override
+	public Result<NSS> getNSbyAdmin(AuthzTrans trans, String user, boolean full) {
+		final Validator v = new ServiceValidator();
+		if (v.nullOrBlank("User", user).err()) {
+			return Result.err(Status.ERR_BadData, v.errs());
+		}
+		
+		Result<Collection<Namespace>> rn = loadNamepace(trans, user, ".admin", full);
+		if(rn.notOK()) {
+			return Result.err(rn);
+		}
+		if (rn.isEmpty()) {
+			return Result.err(Status.ERR_NotFound, "[%s] is not an admin for any namespaces",user);		
+		}
+		NSS nss = mapper.newInstance(API.NSS);
+		// Note: "loadNamespace" already validates view of Namespace
+		return mapper.nss(trans, rn.value, nss);
+
+	}
+
+	@ApiDoc(
+			method = GET,  
+			path = "/authz/nss/either/:id",
+			params = { 	"id|string|true" },
+			expectedCode = 200,
+			errorCodes = { 403,404 }, 
+			text = { 	"Lists all Namespaces where Identity :id is either an Admin or an Owner", 
+						"Note: :id must be fully qualified (i.e. ab1234@csp.att.com)" 
+					}
+			)
+	@Override
+	public Result<NSS> getNSbyEither(AuthzTrans trans, String user, boolean full) {
+		final Validator v = new ServiceValidator();
+		if (v.nullOrBlank("User", user).err()) {
+			return Result.err(Status.ERR_BadData, v.errs());
+		}
+		
+		Result<Collection<Namespace>> rn = loadNamepace(trans, user, null, full);
+		if(rn.notOK()) {
+			return Result.err(rn);
+		}
+		if (rn.isEmpty()) {
+			return Result.err(Status.ERR_NotFound, "[%s] is not an admin or owner for any namespaces",user);		
+		}
+		NSS nss = mapper.newInstance(API.NSS);
+		// Note: "loadNamespace" already validates view of Namespace
+		return mapper.nss(trans, rn.value, nss);
+	}
+
+	private Result<Collection<Namespace>> loadNamepace(AuthzTrans trans, String user, String endsWith, boolean full) {
+		Result<List<UserRoleDAO.Data>> urd = ques.userRoleDAO.readByUser(trans, user);
+		if(urd.notOKorIsEmpty()) {
+			return Result.err(urd);
+		}
+		Map<String, Namespace> lm = new HashMap<String,Namespace>();
+		Map<String, Namespace> other = full || endsWith==null?null:new TreeMap<String,Namespace>();
+		for(UserRoleDAO.Data urdd : urd.value) {
+			if(full) {
+				if(endsWith==null || urdd.role.endsWith(endsWith)) {
+					RoleDAO.Data rd = RoleDAO.Data.decode(urdd);
+					Result<NsDAO.Data> nsd = ques.mayUser(trans, user, rd, Access.read);
+					if(nsd.isOK()) {
+						Namespace namespace = lm.get(nsd.value.name);
+						if(namespace==null) {
+							namespace = new Namespace(nsd.value);
+							lm.put(namespace.name,namespace);
+						}
+						Result<List<String>> rls = func.getAdmins(trans, namespace.name, false);
+						if(rls.isOK()) {
+							namespace.admin=rls.value;
+						}
+						
+						rls = func.getOwners(trans, namespace.name, false);
+						if(rls.isOK()) {
+							namespace.owner=rls.value;
+						}
+					}
+				}
+			} else { // Shortened version.  Only Namespace Info available from Role.
+				if(Question.ADMIN.equals(urdd.rname) || Question.OWNER.equals(urdd.rname)) {
+					RoleDAO.Data rd = RoleDAO.Data.decode(urdd);
+					Result<NsDAO.Data> nsd = ques.mayUser(trans, user, rd, Access.read);
+					if(nsd.isOK()) {
+						Namespace namespace = lm.get(nsd.value.name);
+						if(namespace==null) {
+							if(other!=null) {
+								namespace = other.remove(nsd.value.name);
+							}
+							if(namespace==null) {
+								namespace = new Namespace(nsd.value);
+								namespace.admin=new ArrayList<String>();
+								namespace.owner=new ArrayList<String>();
+							}
+							if(endsWith==null || urdd.role.endsWith(endsWith)) {
+								lm.put(namespace.name,namespace);
+							} else { 
+								other.put(namespace.name,namespace);
+							}
+						}
+						if(Question.OWNER.equals(urdd.rname)) {
+							namespace.owner.add(urdd.user);
+						} else {
+							namespace.admin.add(urdd.user);
+						}
+					}
+				}
+			}
+		}
+		return Result.ok(lm.values());
+	}
+
+	@ApiDoc(
+			method = GET,  
+			path = "/authz/nss/responsible/:id",
+			params = { 	"id|string|true" },
+			expectedCode = 200,
+			errorCodes = { 403,404 }, 
+			text = { 	"Lists all Namespaces where Identity :id is a Responsible Party", 
+						"Note: :id must be fully qualified (i.e. ab1234@csp.att.com)"
+					}
+			)
+	@Override
+	public Result<NSS> getNSbyResponsible(AuthzTrans trans, String user, boolean full) {
+		final Validator v = new ServiceValidator();
+		if (v.nullOrBlank("User", user).err()) {
+			return Result.err(Status.ERR_BadData, v.errs());
+		}
+		Result<Collection<Namespace>> rn = loadNamepace(trans, user, ".owner",full);
+		if(rn.notOK()) {
+			return Result.err(rn);
+		}
+		if (rn.isEmpty()) {
+			return Result.err(Status.ERR_NotFound, "[%s] is not an owner for any namespaces",user);		
+		}
+		NSS nss = mapper.newInstance(API.NSS);
+		// Note: "loadNamespace" prevalidates
+		return mapper.nss(trans, rn.value, nss);
+	}
+	
+	@ApiDoc(
+			method = GET,  
+			path = "/authz/nss/children/:id",
+			params = { 	"id|string|true" },
+			expectedCode = 200,
+			errorCodes = { 403,404 }, 
+			text = { 	"Lists all Child Namespaces of Namespace :id", 
+						"Note: This is not a cached read"
+					}
+			)
+	@Override
+	public Result<NSS> getNSsChildren(AuthzTrans trans, String parent) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("NS", parent).err())  {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		
+		Result<NsDAO.Data> rnd = ques.deriveNs(trans, parent);
+		if(rnd.notOK()) {
+			return Result.err(rnd);
+		}
+		rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read);
+		if(rnd.notOK()) {
+			return Result.err(rnd); 
+		}
+
+		Set<Namespace> lm = new HashSet<Namespace>();
+		Result<List<NsDAO.Data>> rlnd = ques.nsDAO.dao().getChildren(trans, parent);
+		if(rlnd.isOK()) {
+			if(rlnd.isEmpty()) {
+				return Result.err(Status.ERR_NotFound, "No data found for %s",parent);
+			}
+			for(NsDAO.Data ndd : rlnd.value) {
+				Namespace namespace = new Namespace(ndd);
+				Result<List<String>> rls = func.getAdmins(trans, namespace.name, false);
+				if(rls.isOK()) {
+					namespace.admin=rls.value;
+				}
+				
+				rls = func.getOwners(trans, namespace.name, false);
+				if(rls.isOK()) {
+					namespace.owner=rls.value;
+				}
+
+				lm.add(namespace);
+			}
+			NSS nss = mapper.newInstance(API.NSS);
+			return mapper.nss(trans,lm, nss);
+		} else {
+			return Result.err(rlnd);
+		}
+	}
+
+
+	@ApiDoc(
+			method = PUT,  
+			path = "/authz/ns",
+			params = {},
+			expectedCode = 200,
+			errorCodes = { 403,404,406 }, 
+			text = { "Replace the Current Description of a Namespace with a new one"
+					}
+			)
+	@Override
+	public Result<Void> updateNsDescription(AuthzTrans trans, REQUEST from) {
+		final Result<Namespace> nsd = mapper.ns(trans, from);
+		final ServiceValidator v = new ServiceValidator();
+		if(v.ns(nsd).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		if(v.nullOrBlank("description", nsd.value.description).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		Namespace namespace = nsd.value;
+		Result<List<NsDAO.Data>> rlnd = ques.nsDAO.read(trans, namespace.name);
+		
+		if(rlnd.notOKorIsEmpty()) {
+			return Result.err(Status.ERR_NotFound, "Namespace [%s] does not exist",namespace.name);
+		}
+		
+		if (ques.mayUser(trans, trans.user(), rlnd.value.get(0), Access.write).notOK()) {
+			return Result.err(Status.ERR_Denied, "You do not have approval to change %s",namespace.name);
+		}
+
+		Result<Void> rdr = ques.nsDAO.dao().addDescription(trans, namespace.name, namespace.description);
+		if(rdr.isOK()) {
+			return Result.ok();
+		} else {
+			return Result.err(rdr);
+		}
+	}
+	
+	/**
+	 * deleteNS
+	 * @throws DAOException 
+	 * @see org.onap.aaf.auth.service.AuthzService#deleteNS(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.String, java.lang.String)
+	 */
+	@ApiDoc(
+			method = DELETE,  
+			path = "/authz/ns/:ns",
+			params = { 	"ns|string|true" },
+			expectedCode = 200,
+			errorCodes = { 403,404,424 }, 
+			text = { 	"Delete the Namespace :ns. Namespaces cannot normally be deleted when there ",
+						"are still credentials associated with them, but they can be deleted by setting ",
+						"the \"force\" property. To do this: Add 'force=true' as a query parameter",
+						"<p>WARNING: Using force will delete all credentials attached to this namespace. Use with care.</p>"
+						+ "if the \"force\" property is set to 'force=move', then Permissions and Roles are not deleted,"
+						+ "but are retained, and assigned to the Parent Namespace.  'force=move' is not permitted "
+						+ "at or below Application Scope"
+						}
+			)
+	@Override
+	public Result<Void> deleteNS(AuthzTrans trans, String ns) {
+		return func.deleteNS(trans, ns);
+	}
+
+
+/***********************************
+ * PERM 
+ ***********************************/
+
+	/*
+	 * (non-Javadoc)
+	 * @see org.onap.aaf.auth.service.AuthzService#createOrUpdatePerm(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object, boolean, java.lang.String, java.lang.String, java.lang.String, java.util.List, java.util.List)
+	 */
+	@ApiDoc( 
+			method = POST,  
+			path = "/authz/perm",
+			params = {},
+			expectedCode = 201,
+			errorCodes = {403,404,406,409}, 
+			text = { "Permission consists of:",
+					 "<ul><li>type - a Namespace qualified identifier specifying what kind of resource "
+					 + "is being protected</li>",
+					 "<li>instance - a key, possibly multi-dimensional, that identifies a specific "
+					 + " instance of the type</li>",
+					 "<li>action - what kind of action is allowed</li></ul>",
+					 "Note: instance and action can be an *"
+					 }
+			)
+	@Override
+	public Result<Void> createPerm(final AuthzTrans trans,REQUEST rreq) {		
+		final Result<PermDAO.Data> newPd = mapper.perm(trans, rreq);
+		final ServiceValidator v = new ServiceValidator();
+		if(v.perm(newPd).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		
+		Result<FutureDAO.Data> fd = mapper.future(trans, PermDAO.TABLE, rreq, newPd.value,false,
+			new Mapper.Memo() {
+				@Override
+				public String get() {
+					return "Create Permission [" + 
+						newPd.value.fullType() + '|' + 
+						newPd.value.instance + '|' + 
+						newPd.value.action + ']';
+				}
+			},
+			new MayChange() {
+				private Result<NsDAO.Data> nsd;
+				@Override
+				public Result<?> mayChange() {
+					if(nsd==null) {
+						nsd = ques.mayUser(trans, trans.user(), newPd.value, Access.write);
+					}
+					return nsd;
+				}
+			});
+		Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, newPd.value.ns);
+		if(nsr.notOKorIsEmpty()) {
+			return Result.err(nsr);
+		}
+		switch(fd.status) {
+			case OK:
+				Result<String> rfc = func.createFuture(trans,fd.value, 
+						newPd.value.fullType() + '|' + newPd.value.instance + '|' + newPd.value.action,
+						trans.user(),
+						nsr.value.get(0),
+						FUTURE_OP.C);
+				if(rfc.isOK()) {
+					return Result.err(Status.ACC_Future, "Perm [%s.%s|%s|%s] is saved for future processing",
+							newPd.value.ns,
+							newPd.value.type,
+							newPd.value.instance,
+							newPd.value.action);
+				} else {
+				    return Result.err(rfc);
+				}
+			case Status.ACC_Now:
+				return func.createPerm(trans, newPd.value, true);
+			default:
+				return Result.err(fd);
+		}	
+	}
+
+	@ApiDoc( 
+			method = GET,  
+			path = "/authz/perms/:type",
+			params = {"type|string|true"},
+			expectedCode = 200,
+			errorCodes = { 404,406 }, 
+			text = { "List All Permissions that match the :type element of the key" }
+			)
+	@Override
+	public Result<PERMS> getPermsByType(AuthzTrans trans, final String permType) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("PermType", permType).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		Result<List<PermDAO.Data>> rlpd = ques.getPermsByType(trans, permType);
+		if(rlpd.notOK()) {
+			return Result.err(rlpd);
+		}
+
+//		We don't have instance & action for mayUserView... do we want to loop through all returned here as well as in mapper?
+//		Result<NsDAO.Data> r;
+//		if((r = ques.mayUserViewPerm(trans, trans.user(), permType)).notOK())return Result.err(r);
+		
+		PERMS perms = mapper.newInstance(API.PERMS);
+		if(!rlpd.isEmpty()) {
+			// Note: Mapper will restrict what can be viewed
+			return mapper.perms(trans, rlpd.value, perms, true);
+		}
+		return Result.ok(perms);
+	}
+	
+	@ApiDoc( 
+			method = GET,  
+			path = "/authz/perms/:type/:instance/:action",
+			params = {"type|string|true",
+					  "instance|string|true",
+					  "action|string|true"},
+			expectedCode = 200,
+			errorCodes = { 404,406 }, 
+			text = { "List Permissions that match key; :type, :instance and :action" }
+			)
+	@Override
+	public Result<PERMS> getPermsByName(AuthzTrans trans, String type, String instance, String action) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("PermType", type).err()
+				|| v.nullOrBlank("PermInstance", instance).err()
+				|| v.nullOrBlank("PermAction", action).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		
+		Result<List<PermDAO.Data>> rlpd = ques.getPermsByName(trans, type, instance, action);
+		if(rlpd.notOK()) {
+			return Result.err(rlpd);
+		}
+
+		PERMS perms = mapper.newInstance(API.PERMS);
+		if(!rlpd.isEmpty()) {
+			// Note: Mapper will restrict what can be viewed
+			return mapper.perms(trans, rlpd.value, perms, true);
+		}
+		return Result.ok(perms);
+	}
+
+	@ApiDoc( 
+			method = GET,  
+			path = "/authz/perms/user/:user",
+			params = {"user|string|true"},
+			expectedCode = 200,
+			errorCodes = { 404,406 }, 
+			text = { "List All Permissions that match user :user",
+					 "<p>'user' must be expressed as full identity (ex: id@full.domain.com)</p>"}
+			)
+	@Override
+	public Result<PERMS> getPermsByUser(AuthzTrans trans, String user) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("User", user).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		Result<List<PermDAO.Data>> rlpd = ques.getPermsByUser(trans, user, 
+				trans.requested(force));
+		if(rlpd.notOK()) {
+			return Result.err(rlpd);
+		}
+		
+		PERMS perms = mapper.newInstance(API.PERMS);
+		
+		if(rlpd.isEmpty()) {
+			return Result.ok(perms);
+		}
+		// Note: Mapper will restrict what can be viewed
+		//   if user is the same as that which is looked up, no filtering is required
+		return mapper.perms(trans, rlpd.value, 
+				perms, 
+				!user.equals(trans.user()));
+	}
+
+	@ApiDoc( 
+			method = GET,  
+			path = "/authz/perms/user/:user/scope/:scope",
+			params = {"user|string|true","scope|string|true"},
+			expectedCode = 200,
+			errorCodes = { 404,406 }, 
+			text = { "List All Permissions that match user :user, filtered by NS (Scope)",
+					 "<p>'user' must be expressed as full identity (ex: id@full.domain.com)</p>",
+					 "<p>'scope' must be expressed as NSs separated by ':'</p>"
+					}
+			)
+	@Override
+	public Result<PERMS> getPermsByUserScope(AuthzTrans trans, String user, String[] scopes) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("User", user).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		Result<List<PermDAO.Data>> rlpd = ques.getPermsByUser(trans, user, trans.requested(force));
+		if(rlpd.notOK()) {
+			return Result.err(rlpd);
+		}
+		
+		PERMS perms = mapper.newInstance(API.PERMS);
+		
+		if(rlpd.isEmpty()) {
+			return Result.ok(perms);
+		}
+		// Note: Mapper will restrict what can be viewed
+		//   if user is the same as that which is looked up, no filtering is required
+		return mapper.perms(trans, rlpd.value, 
+				perms, 
+				scopes,
+				!user.equals(trans.user()));
+	}
+
+	@ApiDoc( 
+			method = POST,  
+			path = "/authz/perms/user/:user",
+			params = {"user|string|true"},
+			expectedCode = 200,
+			errorCodes = { 404,406 }, 
+			text = { "List All Permissions that match user :user",
+					 "<p>'user' must be expressed as full identity (ex: id@full.domain.com)</p>",
+					 "",
+					 "Present Queries as one or more Permissions (see ContentType Links below for format).",
+					 "",
+					 "If the Caller is Granted this specific Permission, and the Permission is valid",
+					 "  for the User, it will be included in response Permissions, along with",
+					 "  all the normal permissions on the 'GET' version of this call.  If it is not",
+					 "  valid, or Caller does not have permission to see, it will be removed from the list",
+					 "",
+					 "  *Note: This design allows you to make one call for all expected permissions",
+					 " The permission to be included MUST be:",
+					 "     <user namespace>.access|:<ns|role|perm>[:key]|<create|read|write>",
+					 "   examples:",
+					 "     com.att.myns.access|:ns|write",
+					 "     com.att.myns.access|:role:myrole|create",
+					 "     com.att.myns.access|:perm:mytype:myinstance:myaction|read",
+					 ""
+					 }
+			)
+	@Override
+	public Result<PERMS> getPermsByUser(AuthzTrans trans, PERMS _perms, String user) {
+	    	PERMS perms = _perms;
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("User", user).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		
+		//////////////
+		Result<List<PermDAO.Data>> rlpd = ques.getPermsByUser(trans, user,trans.requested(force));
+		if(rlpd.notOK()) {
+			return Result.err(rlpd);
+		}
+		
+		/*//TODO 
+		  1) See if allowed to query
+		  2) See if User is allowed
+		  */
+		Result<List<PermDAO.Data>> in = mapper.perms(trans, perms);
+		if(in.isOKhasData()) {
+			List<PermDAO.Data> out = rlpd.value;
+			boolean ok;
+			for(PermDAO.Data pdd : in.value) {
+				ok = false;
+				if("access".equals(pdd.type)) {
+					Access access = Access.valueOf(pdd.action);
+					String[] mdkey = Split.splitTrim(':',pdd.instance);
+					if(mdkey.length>1) {
+						String type = mdkey[1];
+						if("role".equals(type)) {
+							if(mdkey.length>2) {
+								RoleDAO.Data rdd = new RoleDAO.Data();
+								rdd.ns=pdd.ns;
+								rdd.name=mdkey[2];
+								ok = ques.mayUser(trans, trans.user(), rdd, Access.read).isOK() && ques.mayUser(trans, user, rdd , access).isOK();
+							}
+						} else if("perm".equals(type)) {
+							if(mdkey.length>4) { // also need instance/action
+								PermDAO.Data p = new PermDAO.Data();
+								p.ns=pdd.ns;
+								p.type=mdkey[2];
+								p.instance=mdkey[3];
+								p.action=mdkey[4];
+								ok = ques.mayUser(trans, trans.user(), p, Access.read).isOK() && ques.mayUser(trans, user, p , access).isOK();
+							}
+						} else if("ns".equals(type)) {
+							NsDAO.Data ndd = new NsDAO.Data();
+							ndd.name=pdd.ns;
+							ok = ques.mayUser(trans, trans.user(), ndd, Access.read).isOK() && ques.mayUser(trans, user, ndd , access).isOK();
+						}
+					}
+				}
+				if(ok) {
+					out.add(pdd);
+				}
+			}
+		}		
+		
+		perms = mapper.newInstance(API.PERMS);
+		if(rlpd.isEmpty()) {
+			return Result.ok(perms);
+		}
+		// Note: Mapper will restrict what can be viewed
+		//   if user is the same as that which is looked up, no filtering is required
+		return mapper.perms(trans, rlpd.value, 
+				perms, 
+				!user.equals(trans.user()));
+	}
+	
+	@ApiDoc( 
+			method = GET,  
+			path = "/authz/perms/role/:role",
+			params = {"role|string|true"},
+			expectedCode = 200,
+			errorCodes = { 404,406 }, 
+			text = { "List All Permissions that are granted to :role" }
+			)
+	@Override
+	public Result<PERMS> getPermsByRole(AuthzTrans trans,String role) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("Role", role).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans, ques,role);
+		if(rrdd.notOK()) {
+			return Result.err(rrdd);
+		}
+
+		Result<NsDAO.Data> r = ques.mayUser(trans, trans.user(), rrdd.value, Access.read);
+		if(r.notOK()) {
+			return Result.err(r);
+		}
+
+		PERMS perms = mapper.newInstance(API.PERMS);
+
+		Result<List<PermDAO.Data>> rlpd = ques.getPermsByRole(trans, role, trans.requested(force));
+		if(rlpd.isOKhasData()) {
+			// Note: Mapper will restrict what can be viewed
+			return mapper.perms(trans, rlpd.value, perms, true);
+		}
+		return Result.ok(perms);
+	}
+
+	@ApiDoc( 
+			method = GET,  
+			path = "/authz/perms/ns/:ns",
+			params = {"ns|string|true"},
+			expectedCode = 200,
+			errorCodes = { 404,406 }, 
+			text = { "List All Permissions that are in Namespace :ns" }
+			)
+	@Override
+	public Result<PERMS> getPermsByNS(AuthzTrans trans,String ns) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("NS", ns).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		Result<NsDAO.Data> rnd = ques.deriveNs(trans, ns);
+		if(rnd.notOK()) {
+			return Result.err(rnd);
+		}
+
+		rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read);
+		if(rnd.notOK()) {
+			return Result.err(rnd); 	
+		}
+		
+		Result<List<PermDAO.Data>> rlpd = ques.permDAO.readNS(trans, ns);
+		if(rlpd.notOK()) {
+			return Result.err(rlpd);
+		}
+
+		PERMS perms = mapper.newInstance(API.PERMS);
+		if(!rlpd.isEmpty()) {
+			// Note: Mapper will restrict what can be viewed
+			return mapper.perms(trans, rlpd.value,perms, true);
+		}
+		return Result.ok(perms);
+	}
+	
+	@ApiDoc( 
+			method = PUT,  
+			path = 	"/authz/perm/:type/:instance/:action",
+			params = {"type|string|true",
+					  "instance|string|true",
+			  		  "action|string|true"},
+			expectedCode = 200,
+			errorCodes = { 404,406, 409 }, 
+			text = { "Rename the Permission referenced by :type :instance :action, and "
+					+ "rename (copy/delete) to the Permission described in PermRequest" }
+			)
+	@Override
+	public Result<Void> renamePerm(final AuthzTrans trans,REQUEST rreq, String origType, String origInstance, String origAction) {
+		final Result<PermDAO.Data> newPd = mapper.perm(trans, rreq);
+		final ServiceValidator v = new ServiceValidator();
+		if(v.perm(newPd).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		if (ques.mayUser(trans, trans.user(), newPd.value,Access.write).notOK()) {
+			return Result.err(Status.ERR_Denied, "You do not have approval to change Permission [%s.%s|%s|%s]",
+					newPd.value.ns,newPd.value.type,newPd.value.instance,newPd.value.action);
+		}
+		
+		Result<NsSplit> nss = ques.deriveNsSplit(trans, origType);
+		Result<List<PermDAO.Data>> origRlpd = ques.permDAO.read(trans, nss.value.ns, nss.value.name, origInstance, origAction); 
+		
+		if(origRlpd.notOKorIsEmpty()) {
+			return Result.err(Status.ERR_PermissionNotFound, 
+					"Permission [%s|%s|%s] does not exist",
+					origType,origInstance,origAction);
+		}
+		
+		PermDAO.Data origPd = origRlpd.value.get(0);
+
+		if (!origPd.ns.equals(newPd.value.ns)) {
+			return Result.err(Status.ERR_Denied, "Cannot change namespace with rename command. " +
+					"<new type> must start with [" + origPd.ns + "]");
+		}
+		
+		if ( origPd.type.equals(newPd.value.type) && 
+				origPd.action.equals(newPd.value.action) && 
+				origPd.instance.equals(newPd.value.instance) ) {
+			return Result.err(Status.ERR_ConflictAlreadyExists, "New Permission must be different than original permission");
+		}
+		
+		Set<String> origRoles = origPd.roles(false);
+		if (!origRoles.isEmpty()) {
+			Set<String> roles = newPd.value.roles(true);
+			for (String role : origPd.roles) {
+				roles.add(role); 
+			}
+		}	
+		
+		newPd.value.description = origPd.description;
+		
+		Result<Void> rv = null;
+		
+		rv = func.createPerm(trans, newPd.value, false);
+		if (rv.isOK()) {
+			rv = func.deletePerm(trans, origPd, true, false);
+		}
+		return rv;
+	}
+	
+	@ApiDoc( 
+			method = PUT,  
+			path = "/authz/perm",
+			params = {},
+			expectedCode = 200,
+			errorCodes = { 404,406 }, 
+			text = { "Add Description Data to Perm" }
+			)
+	@Override
+	public Result<Void> updatePermDescription(AuthzTrans trans, REQUEST from) {
+		final Result<PermDAO.Data> pd = mapper.perm(trans, from);
+		final ServiceValidator v = new ServiceValidator();
+		if(v.perm(pd).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		if(v.nullOrBlank("description", pd.value.description).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		final PermDAO.Data perm = pd.value;
+		if(ques.permDAO.read(trans, perm.ns, perm.type, perm.instance,perm.action).notOKorIsEmpty()) {
+			return Result.err(Status.ERR_NotFound, "Permission [%s.%s|%s|%s] does not exist",
+				perm.ns,perm.type,perm.instance,perm.action);
+		}
+
+		if (ques.mayUser(trans, trans.user(), perm, Access.write).notOK()) {
+			return Result.err(Status.ERR_Denied, "You do not have approval to change Permission [%s.%s|%s|%s]",
+					perm.ns,perm.type,perm.instance,perm.action);
+		}
+
+		Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, pd.value.ns);
+		if(nsr.notOKorIsEmpty()) {
+			return Result.err(nsr);
+		}
+
+		Result<Void> rdr = ques.permDAO.addDescription(trans, perm.ns, perm.type, perm.instance,
+				perm.action, perm.description);
+		if(rdr.isOK()) {
+			return Result.ok();
+		} else {
+			return Result.err(rdr);
+		}
+
+	}
+	
+    @ApiDoc(
+            method = PUT,
+            path = "/authz/role/perm",
+            params = {},
+            expectedCode = 201,
+            errorCodes = {403,404,406,409},
+            text = { "Set a permission's roles to roles given" }
+           )
+
+	@Override
+	public Result<Void> resetPermRoles(final AuthzTrans trans, REQUEST rreq) {
+		final Result<PermDAO.Data> updt = mapper.permFromRPRequest(trans, rreq);
+		if(updt.notOKorIsEmpty()) {
+			return Result.err(updt);
+		}
+
+		final ServiceValidator v = new ServiceValidator();
+		if(v.perm(updt).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		Result<NsDAO.Data> nsd = ques.mayUser(trans, trans.user(), updt.value, Access.write);
+		if (nsd.notOK()) {
+			return Result.err(nsd);
+		}
+
+		// Read full set to get CURRENT values
+		Result<List<PermDAO.Data>> rcurr = ques.permDAO.read(trans, 
+				updt.value.ns, 
+				updt.value.type, 
+				updt.value.instance, 
+				updt.value.action);
+		
+		if(rcurr.notOKorIsEmpty()) {
+			return Result.err(Status.ERR_PermissionNotFound, 
+					"Permission [%s.%s|%s|%s] does not exist",
+					 updt.value.ns,updt.value.type,updt.value.instance,updt.value.action);
+		}
+		
+		// Create a set of Update Roles, which are in Internal Format
+		Set<String> updtRoles = new HashSet<String>();
+		Result<NsSplit> nss;
+		for(String role : updt.value.roles(false)) {
+			nss = ques.deriveNsSplit(trans, role);
+			if(nss.isOK()) {
+				updtRoles.add(nss.value.ns + '|' + nss.value.name);
+			} else {
+				trans.error().log(nss.errorString());
+			}
+		}
+
+		Result<Void> rv = null;
+		
+		for(PermDAO.Data curr : rcurr.value) {
+			Set<String> currRoles = curr.roles(false);
+			// must add roles to this perm, and add this perm to each role 
+			// in the update, but not in the current			
+			for (String role : updtRoles) {
+				if (!currRoles.contains(role)) {
+					Result<RoleDAO.Data> key = RoleDAO.Data.decode(trans, ques, role);
+					if(key.isOKhasData()) {
+						Result<List<RoleDAO.Data>> rrd = ques.roleDAO.read(trans, key.value);
+						if(rrd.isOKhasData()) {
+							for(RoleDAO.Data r : rrd.value) {
+								rv = func.addPermToRole(trans, r, curr, false);
+								if (rv.notOK() && rv.status!=Result.ERR_ConflictAlreadyExists) {
+									return Result.err(rv);
+								}
+							}
+						} else {
+							return Result.err(rrd);
+						}
+					}
+				}
+			}
+			// similarly, must delete roles from this perm, and delete this perm from each role
+			// in the update, but not in the current
+			for (String role : currRoles) {
+				if (!updtRoles.contains(role)) {
+					Result<RoleDAO.Data> key = RoleDAO.Data.decode(trans, ques, role);
+					if(key.isOKhasData()) {
+						Result<List<RoleDAO.Data>> rdd = ques.roleDAO.read(trans, key.value);
+						if(rdd.isOKhasData()) {
+							for(RoleDAO.Data r : rdd.value) {
+								rv = func.delPermFromRole(trans, r, curr, true);
+								if (rv.notOK() && rv.status!=Status.ERR_PermissionNotFound) {
+									return Result.err(rv);
+								}
+							}
+						}
+					}
+				}
+			}				
+		} 
+		return rv==null?Result.ok():rv;		
+	}
+	
+	@ApiDoc( 
+			method = DELETE,
+			path = "/authz/perm",
+			params = {},
+			expectedCode = 200,
+			errorCodes = { 404,406 }, 
+			text = { "Delete the Permission referenced by PermKey.",
+					"You cannot normally delete a permission which is still granted to roles,",
+					"however the \"force\" property allows you to do just that. To do this: Add",
+					"'force=true' as a query parameter.",
+					"<p>WARNING: Using force will ungrant this permission from all roles. Use with care.</p>" }
+			)
+	@Override
+	public Result<Void> deletePerm(final AuthzTrans trans, REQUEST from) {
+		Result<PermDAO.Data> pd = mapper.perm(trans, from);
+		if(pd.notOK()) {
+			return Result.err(pd);
+		}
+		final ServiceValidator v = new ServiceValidator();
+		if(v.nullOrBlank(pd.value).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		final PermDAO.Data perm = pd.value;
+		if (ques.permDAO.read(trans, perm).notOKorIsEmpty()) {
+			return Result.err(Status.ERR_PermissionNotFound, "Permission [%s.%s|%s|%s] does not exist",
+					perm.ns,perm.type,perm.instance,perm.action	);
+		}
+
+		Result<FutureDAO.Data> fd = mapper.future(trans,PermDAO.TABLE,from,perm,false,
+				new Mapper.Memo() {
+					@Override
+					public String get() {
+						return "Delete Permission [" + perm.fullPerm() + ']';
+					}
+				},
+			new MayChange() {
+				private Result<NsDAO.Data> nsd;
+				@Override
+				public Result<?> mayChange() {
+					if(nsd==null) {
+						nsd = ques.mayUser(trans, trans.user(), perm, Access.write);
+					}
+					return nsd;
+				}
+			});
+		
+		switch(fd.status) {
+		case OK:
+			Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, perm.ns);
+			if(nsr.notOKorIsEmpty()) {
+				return Result.err(nsr);
+			}
+			
+			Result<String> rfc = func.createFuture(trans, fd.value, 
+					perm.encode(), trans.user(),nsr.value.get(0),FUTURE_OP.D);
+			if(rfc.isOK()) {
+				return Result.err(Status.ACC_Future, "Perm Deletion [%s] is saved for future processing",perm.encode());
+			} else { 
+				return Result.err(rfc);
+			}
+		case Status.ACC_Now:
+			return func.deletePerm(trans,perm,trans.requested(force), false);
+		default:
+			return Result.err(fd);
+		}			
+	}	
+	
+	@ApiDoc( 
+			method = DELETE,
+			path = "/authz/perm/:name/:type/:action",
+			params = {"type|string|true",
+					  "instance|string|true",
+	  		  		  "action|string|true"},
+			expectedCode = 200,
+			errorCodes = { 404,406 }, 
+			text = { "Delete the Permission referenced by :type :instance :action",
+					"You cannot normally delete a permission which is still granted to roles,",
+					"however the \"force\" property allows you to do just that. To do this: Add",
+					"'force=true' as a query parameter",
+					"<p>WARNING: Using force will ungrant this permission from all roles. Use with care.</p>"}
+			)
+	@Override
+	public Result<Void> deletePerm(AuthzTrans trans, String type, String instance, String action) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("Type",type)
+			.nullOrBlank("Instance",instance)
+			.nullOrBlank("Action",action)
+			.err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		
+		Result<PermDAO.Data> pd = ques.permFrom(trans, type, instance, action);
+		if(pd.isOK()) {
+			return func.deletePerm(trans, pd.value, trans.requested(force), false);
+		} else {
+		    return Result.err(pd);
+		}
+	}
+
+/***********************************
+ * ROLE 
+ ***********************************/
+    @ApiDoc(
+            method = POST,
+            path = "/authz/role",
+            params = {},
+            expectedCode = 201,
+            errorCodes = {403,404,406,409},
+            text = {
+
+                "Roles are part of Namespaces",
+                "Examples:",
+                "<ul><li>org.onap.aaf - The team that created and maintains AAF</li>",
+                "Roles do not include implied permissions for an App.  Instead, they contain explicit Granted Permissions by any Namespace in AAF (See Permissions)",
+                "Restrictions on Role Names:",
+                "<ul><li>Must start with valid Namespace name, terminated by . (dot/period)</li>",
+                "<li>Allowed Characters are a-zA-Z0-9._-</li>",
+                "<li>role names are Case Sensitive</li></ul>",
+                "The right questions to ask for defining and populating a Role in AAF, therefore, are:",
+                "<ul><li>'What Job Function does this represent?'</li>",
+                "<li>'Does this person perform this Job Function?'</li></ul>" }
+           )
+
+	@Override
+	public Result<Void> createRole(final AuthzTrans trans, REQUEST from) {
+		final Result<RoleDAO.Data> rd = mapper.role(trans, from);
+		final ServiceValidator v = new ServiceValidator();
+		if(v.role(rd).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		final RoleDAO.Data role = rd.value;
+		if(ques.roleDAO.read(trans, role.ns, role.name).isOKhasData()) {
+			return Result.err(Status.ERR_ConflictAlreadyExists, "Role [" + role.fullName() + "] already exists");
+		}
+
+		Result<FutureDAO.Data> fd = mapper.future(trans,RoleDAO.TABLE,from,role,false,
+			new Mapper.Memo() {
+				@Override
+				public String get() {
+					return "Create Role [" + 
+						rd.value.fullName() + 
+						']';
+				}
+			},
+			new MayChange() {
+				private Result<NsDAO.Data> nsd;
+				@Override
+				public Result<?> mayChange() {
+					if(nsd==null) {
+						nsd = ques.mayUser(trans, trans.user(), role, Access.write);
+					}
+					return nsd;
+				}
+			});
+		
+		Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, rd.value.ns);
+		if(nsr.notOKorIsEmpty()) {
+			return Result.err(nsr);
+		}
+
+		switch(fd.status) {
+			case OK:
+				Result<String> rfc = func.createFuture(trans, fd.value, 
+						role.encode(), trans.user(),nsr.value.get(0),FUTURE_OP.C);
+				if(rfc.isOK()) {
+					return Result.err(Status.ACC_Future, "Role [%s.%s] is saved for future processing",
+							rd.value.ns,
+							rd.value.name);
+				} else { 
+					return Result.err(rfc);
+				}
+			case Status.ACC_Now:
+				Result<RoleDAO.Data> rdr = ques.roleDAO.create(trans, role);
+				if(rdr.isOK()) {
+					return Result.ok();
+				} else {
+					return Result.err(rdr);
+				}
+			default:
+				return Result.err(fd);
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.service.AuthzService#getRolesByName(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.String)
+	 */
+    @ApiDoc(
+            method = GET,
+            path = "/authz/roles/:role",
+            params = {"role|string|true"}, 
+            expectedCode = 200,
+            errorCodes = {404,406},
+            text = { "List Roles that match :role",
+            		 "Note: You must have permission to see any given role"
+            	   }
+           )
+	@Override
+	public Result<ROLES> getRolesByName(AuthzTrans trans, String role) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("Role", role).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		
+		// Determine if User can ask this question
+		Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans, ques, role);
+		if(rrdd.isOKhasData()) {
+			Result<NsDAO.Data> r;
+			if((r = ques.mayUser(trans, trans.user(), rrdd.value, Access.read)).notOK()) {
+				return Result.err(r);
+			}
+		} else {
+			return Result.err(rrdd);
+		}
+		
+		// Look up data
+		Result<List<RoleDAO.Data>> rlrd = ques.getRolesByName(trans, role);
+		if(rlrd.isOK()) {
+			// Note: Mapper will restrict what can be viewed
+			ROLES roles = mapper.newInstance(API.ROLES);
+			return mapper.roles(trans, rlrd.value, roles, true);
+		} else {
+			return Result.err(rlrd);
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.service.AuthzService#getRolesByUser(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.String)
+	 */
+    @ApiDoc(
+            method = GET,
+            path = "/authz/roles/user/:name",
+            params = {"name|string|true"},
+            expectedCode = 200,
+            errorCodes = {404,406},
+            text = { "List all Roles that match user :name",
+					 "'user' must be expressed as full identity (ex: id@full.domain.com)",
+           		 	"Note: You must have permission to see any given role"
+            }
+           )
+
+	@Override
+	public Result<ROLES> getRolesByUser(AuthzTrans trans, String user) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("User", user).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		ROLES roles = mapper.newInstance(API.ROLES);
+		// Get list of roles per user, then add to Roles as we go
+		Result<List<RoleDAO.Data>> rlrd;
+		Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByUser(trans, user);
+		if(rlurd.isOKhasData()) {
+			for(UserRoleDAO.Data urd : rlurd.value ) {
+				rlrd = ques.roleDAO.read(trans, urd.ns,urd.rname);
+				// Note: Mapper will restrict what can be viewed
+				//   if user is the same as that which is looked up, no filtering is required
+				if(rlrd.isOKhasData()) {
+					mapper.roles(trans, rlrd.value,roles, !user.equals(trans.user()));
+				}
+			}
+		}
+		return Result.ok(roles);
+	}
+
+	/*
+	 * (non-Javadoc)
+	 * @see org.onap.aaf.auth.service.AuthzService#getRolesByNS(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.String)
+	 */
+    @ApiDoc(
+            method = GET,
+            path = "/authz/roles/ns/:ns",
+            params = {"ns|string|true"},
+            expectedCode = 200,
+            errorCodes = {404,406},
+            text = { "List all Roles for the Namespace :ns", 
+           		 	 "Note: You must have permission to see any given role"
+            }
+           )
+
+	@Override
+	public Result<ROLES> getRolesByNS(AuthzTrans trans, String ns) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("NS", ns).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		
+		// check if user is allowed to view NS
+		Result<NsDAO.Data> rnsd = ques.deriveNs(trans, ns); 
+		if(rnsd.notOK()) {
+			return Result.err(rnsd); 	
+		}
+		rnsd = ques.mayUser(trans, trans.user(), rnsd.value, Access.read);
+		if(rnsd.notOK()) {
+			return Result.err(rnsd); 	
+		}
+
+		TimeTaken tt = trans.start("MAP Roles by NS to Roles", Env.SUB);
+		try {
+			ROLES roles = mapper.newInstance(API.ROLES);
+			// Get list of roles per user, then add to Roles as we go
+			Result<List<RoleDAO.Data>> rlrd = ques.roleDAO.readNS(trans, ns);
+			if(rlrd.isOK()) {
+				if(!rlrd.isEmpty()) {
+					// Note: Mapper doesn't need to restrict what can be viewed, because we did it already.
+					mapper.roles(trans,rlrd.value,roles,false);
+				}
+				return Result.ok(roles);
+			} else {
+				return Result.err(rlrd);
+			}
+		} finally {
+			tt.done();
+		}
+	}
+
+	/*
+	 * (non-Javadoc)
+	 * @see org.onap.aaf.auth.service.AuthzService#getRolesByNS(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.String)
+	 */
+    @ApiDoc(
+            method = GET,
+            path = "/authz/roles/name/:name",
+            params = {"name|string|true"},
+            expectedCode = 200,
+            errorCodes = {404,406},
+            text = { "List all Roles for only the Name of Role (without Namespace)", 
+           		 	 "Note: You must have permission to see any given role"
+            }
+           )
+	@Override
+	public Result<ROLES> getRolesByNameOnly(AuthzTrans trans, String name) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("Name", name).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		
+		// User Mapper to make sure user is allowed to view NS
+
+		TimeTaken tt = trans.start("MAP Roles by Name to Roles", Env.SUB);
+		try {
+			ROLES roles = mapper.newInstance(API.ROLES);
+			// Get list of roles per user, then add to Roles as we go
+			Result<List<RoleDAO.Data>> rlrd = ques.roleDAO.readName(trans, name);
+			if(rlrd.isOK()) {
+				if(!rlrd.isEmpty()) {
+					// Note: Mapper will restrict what can be viewed
+					mapper.roles(trans,rlrd.value,roles,true);
+				}
+				return Result.ok(roles);
+			} else {
+				return Result.err(rlrd);
+			}
+		} finally {
+			tt.done();
+		}
+	}
+
+    @ApiDoc(
+            method = GET,
+            path = "/authz/roles/perm/:type/:instance/:action",
+            params = {"type|string|true",
+                      "instance|string|true",
+                      "action|string|true"},
+            expectedCode = 200,
+            errorCodes = {404,406},
+            text = { "Find all Roles containing the given Permission." +
+                     "Permission consists of:",
+                     "<ul><li>type - a Namespace qualified identifier specifying what kind of resource "
+                     + "is being protected</li>",
+                     "<li>instance - a key, possibly multi-dimensional, that identifies a specific "
+                     + " instance of the type</li>",
+                     "<li>action - what kind of action is allowed</li></ul>",
+                     "Notes: instance and action can be an *",
+            		 "       You must have permission to see any given role"
+                     }
+           )
+
+	@Override
+	public Result<ROLES> getRolesByPerm(AuthzTrans trans, String type, String instance, String action) {
+		final Validator v = new ServiceValidator();
+		if(v.permType(type,null)
+			.permInstance(instance)
+			.permAction(action)
+			.err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		
+		TimeTaken tt = trans.start("Map Perm Roles Roles", Env.SUB);
+		try {
+			ROLES roles = mapper.newInstance(API.ROLES);
+			// Get list of roles per user, then add to Roles as we go
+			Result<NsSplit> nsSplit = ques.deriveNsSplit(trans, type);
+			if(nsSplit.isOK()) {
+				PermDAO.Data pdd = new PermDAO.Data(nsSplit.value, instance, action);
+				Result<?> res;
+				if((res=ques.mayUser(trans, trans.user(), pdd, Question.Access.read)).notOK()) {
+					return Result.err(res);
+				}
+				
+				Result<List<PermDAO.Data>> pdlr = ques.permDAO.read(trans, pdd);
+				if(pdlr.isOK())for(PermDAO.Data pd : pdlr.value) {
+					Result<List<RoleDAO.Data>> rlrd;
+					for(String r : pd.roles) {
+						Result<String[]> rs = RoleDAO.Data.decodeToArray(trans, ques, r);
+						if(rs.isOK()) {
+							rlrd = ques.roleDAO.read(trans, rs.value[0],rs.value[1]);
+							// Note: Mapper will restrict what can be viewed
+							if(rlrd.isOKhasData()) {
+								mapper.roles(trans,rlrd.value,roles,true);
+							}
+						}
+					}
+				}
+			}
+			return Result.ok(roles);
+		} finally {
+			tt.done();
+		}
+	}
+
+    @ApiDoc(
+            method = PUT,
+            path = "/authz/role",
+            params = {},
+            expectedCode = 200,
+            errorCodes = {404,406},
+            text = { "Add Description Data to a Role" }
+           )
+
+	@Override
+	public Result<Void> updateRoleDescription(AuthzTrans trans, REQUEST from) {
+		final Result<RoleDAO.Data> rd = mapper.role(trans, from);
+		final ServiceValidator v = new ServiceValidator();
+		if(v.role(rd).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		} {
+		if(v.nullOrBlank("description", rd.value.description).err()) {
+		    return Result.err(Status.ERR_BadData,v.errs());
+		}
+		}
+		final RoleDAO.Data role = rd.value;
+		if(ques.roleDAO.read(trans, role.ns, role.name).notOKorIsEmpty()) {
+			return Result.err(Status.ERR_NotFound, "Role [" + role.fullName() + "] does not exist");
+		}
+
+		if (ques.mayUser(trans, trans.user(), role, Access.write).notOK()) {
+			return Result.err(Status.ERR_Denied, "You do not have approval to change " + role.fullName());
+		}
+
+		Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, rd.value.ns);
+		if(nsr.notOKorIsEmpty()) {
+			return Result.err(nsr);
+		}
+
+		Result<Void> rdr = ques.roleDAO.addDescription(trans, role.ns, role.name, role.description);
+		if(rdr.isOK()) {
+			return Result.ok();
+		} else {
+			return Result.err(rdr);
+		}
+
+	}
+	
+    @ApiDoc(
+            method = POST,
+            path = "/authz/role/perm",
+            params = {},
+            expectedCode = 201,
+            errorCodes = {403,404,406,409},
+            text = { "Grant a Permission to a Role",
+                     "Permission consists of:", 
+                     "<ul><li>type - a Namespace qualified identifier specifying what kind of resource "
+                     + "is being protected</li>",
+                     "<li>instance - a key, possibly multi-dimensional, that identifies a specific "
+                     + " instance of the type</li>",
+                     "<li>action - what kind of action is allowed</li></ul>",
+                     "Note: instance and action can be an *",
+                     "Note: Using the \"force\" property will create the Permission, if it doesn't exist AND the requesting " +
+                     " ID is allowed to create.  It will then grant",
+                     "  the permission to the role in one step. To do this: add 'force=true' as a query parameter."
+					}
+           )
+
+	@Override
+	public Result<Void> addPermToRole(final AuthzTrans trans, REQUEST rreq) {
+		// Translate Request into Perm and Role Objects
+		final Result<PermDAO.Data> rpd = mapper.permFromRPRequest(trans, rreq);
+		if(rpd.notOKorIsEmpty()) {
+			return Result.err(rpd);
+		}
+		final Result<RoleDAO.Data> rrd = mapper.roleFromRPRequest(trans, rreq);
+		if(rrd.notOKorIsEmpty()) {
+			return Result.err(rrd);
+		}
+		
+		// Validate Role and Perm values
+		final ServiceValidator v = new ServiceValidator();
+		if(v.perm(rpd.value)
+			.role(rrd.value)
+			.err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		Result<List<RoleDAO.Data>> rlrd = ques.roleDAO.read(trans, rrd.value.ns, rrd.value.name);
+		if(rlrd.notOKorIsEmpty()) {
+			return Result.err(Status.ERR_RoleNotFound, "Role [%s] does not exist", rrd.value.fullName());
+		}
+		
+		// Check Status of Data in DB (does it exist)
+		Result<List<PermDAO.Data>> rlpd = ques.permDAO.read(trans, rpd.value.ns, 
+				rpd.value.type, rpd.value.instance, rpd.value.action);
+		PermDAO.Data createPerm = null; // if not null, create first
+		if(rlpd.notOKorIsEmpty()) { // Permission doesn't exist
+			if(trans.requested(force)) {
+				// Remove roles from perm data object so we just create the perm here
+				createPerm = rpd.value;
+				createPerm.roles.clear();
+			} else {
+				return Result.err(Status.ERR_PermissionNotFound,"Permission [%s.%s|%s|%s] does not exist", 
+						rpd.value.ns,rpd.value.type,rpd.value.instance,rpd.value.action);
+			}
+		} else {
+			if (rlpd.value.get(0).roles(false).contains(rrd.value.encode())) {
+				return Result.err(Status.ERR_ConflictAlreadyExists,
+						"Permission [%s.%s|%s|%s] already granted to Role [%s.%s]",
+						rpd.value.ns,rpd.value.type,rpd.value.instance,rpd.value.action,
+						rrd.value.ns,rrd.value.name
+					);
+			}
+		}
+
+		
+		Result<FutureDAO.Data> fd = mapper.future(trans, PermDAO.TABLE, rreq, rpd.value,true, // Allow grants to create Approvals
+				new Mapper.Memo() {
+					@Override
+					public String get() {
+						return "Grant Permission [" + rpd.value.fullPerm() + ']' +
+							" to Role [" + rrd.value.fullName() + "]";
+					}
+				},
+				new MayChange() {
+					private Result<NsDAO.Data> nsd;
+					@Override
+					public Result<?> mayChange() {
+						if(nsd==null) {
+							nsd = ques.mayUser(trans, trans.user(), rpd.value, Access.write);
+						}
+						return nsd;
+					}
+				});
+		Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, rpd.value.ns);
+		if(nsr.notOKorIsEmpty()) {
+			return Result.err(nsr);
+		}
+		switch(fd.status) {
+		case OK:
+			Result<String> rfc = func.createFuture(trans,fd.value, 
+					rpd.value.fullPerm(),
+					trans.user(),
+					nsr.value.get(0),
+					FUTURE_OP.G);
+			if(rfc.isOK()) {
+				return Result.err(Status.ACC_Future, "Perm [%s.%s|%s|%s] is saved for future processing",
+						rpd.value.ns,
+						rpd.value.type,
+						rpd.value.instance,
+						rpd.value.action);
+			} else { 
+				return Result.err(rfc);
+			}
+		case Status.ACC_Now:
+			Result<Void> rv = null;
+			if(createPerm!=null) {// has been validated for creating
+				rv = func.createPerm(trans, createPerm, false);
+			}
+			if(rv==null || rv.isOK()) {
+				rv = func.addPermToRole(trans, rrd.value, rpd.value, false);
+			}
+			return rv;
+		default:
+			return Result.err(fd);
+		}
+		
+	}
+
+	/**
+	 * Delete Perms from Roles (UnGrant)
+	 * @param trans
+	 * @param roleFullName
+	 * @return
+	 */
+    @ApiDoc(
+            method = DELETE,
+            path = "/authz/role/:role/perm",
+            params = {"role|string|true"},
+            expectedCode = 200,
+            errorCodes = {404,406},
+            text = { "Ungrant a permission from Role :role" }
+           )
+
+	@Override
+	public Result<Void> delPermFromRole(final AuthzTrans trans, REQUEST rreq) {
+		final Result<PermDAO.Data> updt = mapper.permFromRPRequest(trans, rreq);
+		if(updt.notOKorIsEmpty()) {
+			return Result.err(updt);
+		}
+		final Result<RoleDAO.Data> rrd = mapper.roleFromRPRequest(trans, rreq);
+		if(rrd.notOKorIsEmpty()) {
+			return Result.err(rrd);
+		}
+
+		final ServiceValidator v = new ServiceValidator();
+		if(v.nullOrBlank(updt.value)
+			.nullOrBlank(rrd.value)
+			.err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		return delPermFromRole(trans, updt.value,rrd.value, rreq);
+    }
+		
+	private Result<Void> delPermFromRole(final AuthzTrans trans, PermDAO.Data pdd, RoleDAO.Data rdd, REQUEST rreq) {		
+		Result<List<PermDAO.Data>> rlpd = ques.permDAO.read(trans, pdd.ns, pdd.type, 
+				pdd.instance, pdd.action);
+		
+		if(rlpd.notOKorIsEmpty()) {
+			return Result.err(Status.ERR_PermissionNotFound, 
+				"Permission [%s.%s|%s|%s] does not exist",
+					pdd.ns,pdd.type,pdd.instance,pdd.action);
+		}
+		
+		Result<FutureDAO.Data> fd = mapper.future(trans, PermDAO.TABLE, rreq, pdd,true, // allow ungrants requests
+				new Mapper.Memo() {
+					@Override
+					public String get() {
+						return "Ungrant Permission [" + pdd.fullPerm() + ']' +
+							" from Role [" + rdd.fullName() + "]";
+					}
+				},
+				new MayChange() {
+					private Result<NsDAO.Data> nsd;
+					@Override
+					public Result<?> mayChange() {
+						if(nsd==null) {
+							nsd = ques.mayUser(trans, trans.user(), pdd, Access.write);
+						}
+						return nsd;
+					}
+				});
+		Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, pdd.ns);
+		if(nsr.notOKorIsEmpty()) {
+			return Result.err(nsr);
+		}
+		switch(fd.status) {
+			case OK:
+				Result<String> rfc = func.createFuture(trans,fd.value, 
+						pdd.fullPerm(),
+						trans.user(),
+						nsr.value.get(0),
+						FUTURE_OP.UG
+						);
+				if(rfc.isOK()) {
+					return Result.err(Status.ACC_Future, "Perm [%s.%s|%s|%s] is saved for future processing",
+							pdd.ns,
+							pdd.type,
+							pdd.instance,
+							pdd.action);
+				} else {
+				    return Result.err(rfc);
+				}
+			case Status.ACC_Now:
+				return func.delPermFromRole(trans, rdd, pdd, false);
+			default:
+				return Result.err(fd);
+		}
+	}
+    
+/*
+    @ApiDoc(
+            method = DELETE,
+            path = "/authz/role/:role/perm/:type/:instance/:action",
+            params = {"role|string|true",
+            			 "perm type|string|true",
+            			 "perm instance|string|true",
+            			 "perm action|string|true"
+            	},
+            expectedCode = 200,
+            errorCodes = {404,406},
+            text = { "Ungrant a single permission from Role :role with direct key" }
+           )
+*/
+	@Override
+    public Result<Void> delPermFromRole(AuthzTrans trans, String role, String type, String instance, String action) {
+		Result<Data> rpns = ques.deriveNs(trans, type);
+		if(rpns.notOKorIsEmpty()) {
+			return Result.err(rpns);
+		}
+		
+    		final Validator v = new ServiceValidator();
+		if(v.role(role)
+			.permType(rpns.value.name,rpns.value.parent)
+			.permInstance(instance)
+			.permAction(action)
+			.err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		
+    		Result<Data> rrns = ques.deriveNs(trans, role);
+    		if(rrns.notOKorIsEmpty()) {
+    			return Result.err(rrns);
+    		}
+    		
+		final Result<List<RoleDAO.Data>> rrd = ques.roleDAO.read(trans, rrns.value.parent, rrns.value.name);
+		if(rrd.notOKorIsEmpty()) {
+			return Result.err(rrd);
+		}
+		
+		final Result<List<PermDAO.Data>> rpd = ques.permDAO.read(trans, rpns.value.parent, rpns.value.name, instance, action);
+		if(rpd.notOKorIsEmpty()) {
+			return Result.err(rpd);
+		}
+
+		
+		return delPermFromRole(trans,rpd.value.get(0), rrd.value.get(0), mapper.ungrantRequest(trans, role, type, instance, action));
+	}
+	
+    @ApiDoc(
+            method = DELETE,
+            path = "/authz/role/:role",
+            params = {"role|string|true"},
+            expectedCode = 200,
+            errorCodes = {404,406},
+            text = { "Delete the Role named :role"}
+           )
+
+	@Override
+	public Result<Void> deleteRole(AuthzTrans trans, String role)  {
+		Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,ques,role);
+		if(rrdd.isOKhasData()) {
+			final ServiceValidator v = new ServiceValidator();
+			if(v.nullOrBlank(rrdd.value).err()) { 
+				return Result.err(Status.ERR_BadData,v.errs());
+			}
+			return func.deleteRole(trans, rrdd.value, false, false);
+		} else {
+			return Result.err(rrdd);
+		}
+	}
+
+    @ApiDoc(
+            method = DELETE,
+            path = "/authz/role",
+            params = {},
+            expectedCode = 200,
+            errorCodes = { 404,406 },
+            text = { "Delete the Role referenced by RoleKey",
+					"You cannot normally delete a role which still has permissions granted or users assigned to it,",
+					"however the \"force\" property allows you to do just that. To do this: Add 'force=true'",
+					"as a query parameter.",
+					"<p>WARNING: Using force will remove all users and permission from this role. Use with care.</p>"}
+           )
+
+	@Override
+	public Result<Void> deleteRole(final AuthzTrans trans, REQUEST from) {
+		final Result<RoleDAO.Data> rd = mapper.role(trans, from);
+		final ServiceValidator v = new ServiceValidator();
+		if(rd==null) {
+			return Result.err(Status.ERR_BadData,"Request does not contain Role");
+		}
+		if(v.nullOrBlank(rd.value).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		final RoleDAO.Data role = rd.value;
+		if(ques.roleDAO.read(trans, role).notOKorIsEmpty() && !trans.requested(force)) {
+			return Result.err(Status.ERR_RoleNotFound, "Role [" + role.fullName() + "] does not exist");
+		}
+
+		Result<FutureDAO.Data> fd = mapper.future(trans,RoleDAO.TABLE,from,role,false,
+				new Mapper.Memo() {
+					@Override
+					public String get() {
+						return "Delete Role [" + role.fullName() + ']' 
+								+ " and all attached user roles";
+					}
+				},
+			new MayChange() {
+				private Result<NsDAO.Data> nsd;
+				@Override
+				public Result<?> mayChange() {
+					if(nsd==null) {
+						nsd = ques.mayUser(trans, trans.user(), role, Access.write);
+					}
+					return nsd;
+				}
+			});
+		
+		switch(fd.status) {
+		case OK:
+			Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, rd.value.ns);
+			if(nsr.notOKorIsEmpty()) {
+				return Result.err(nsr);
+			}
+			
+			Result<String> rfc = func.createFuture(trans, fd.value, 
+					role.encode(), trans.user(),nsr.value.get(0),FUTURE_OP.D);
+			if(rfc.isOK()) {
+				return Result.err(Status.ACC_Future, "Role Deletion [%s.%s] is saved for future processing",
+						rd.value.ns,
+						rd.value.name);
+			} else { 
+				return Result.err(rfc);
+			}
+		case Status.ACC_Now:
+			return func.deleteRole(trans,role,trans.requested(force), true /*preapproved*/);
+		default:
+			return Result.err(fd);
+	}
+
+	}
+
+/***********************************
+ * CRED 
+ ***********************************/
+	private class MayCreateCred implements MayChange {
+		private Result<NsDAO.Data> nsd;
+		private AuthzTrans trans;
+		private CredDAO.Data cred;
+		private Executor exec;
+		
+		public MayCreateCred(AuthzTrans trans, CredDAO.Data cred, Executor exec) {
+			this.trans = trans;
+			this.cred = cred;
+			this.exec = exec;
+		}
+
+		@Override
+		public Result<?> mayChange() {
+			if(nsd==null) {
+				nsd = ques.validNSOfDomain(trans, cred.id);
+			}
+			// is Ns of CredID valid?
+			if(nsd.isOK()) {
+				try {
+					// Check Org Policy
+					if(trans.org().validate(trans,Policy.CREATE_MECHID, exec, cred.id)==null) {
+						return Result.ok(); 
+					} else {
+					   Result<?> rmc = ques.mayUser(trans, trans.user(), nsd.value, Access.write);
+					   if(rmc.isOKhasData()) {
+						   return rmc;
+					   }
+					}
+				} catch (Exception e) {
+					trans.warn().log(e);
+				}
+			} else {
+				trans.warn().log(nsd.errorString());
+			}
+			return Result.err(Status.ERR_Denied,"%s is not allowed to create %s in %s",trans.user(),cred.id,cred.ns);
+		}
+	}
+
+	private class MayChangeCred implements MayChange {
+		
+		private Result<NsDAO.Data> nsd;
+		private AuthzTrans trans;
+		private CredDAO.Data cred;
+		public MayChangeCred(AuthzTrans trans, CredDAO.Data cred) {
+			this.trans = trans;
+			this.cred = cred;
+		}
+
+		@Override
+		public Result<?> mayChange() {
+			// User can change himself (but not create)
+			if(trans.user().equals(cred.id)) {
+				return Result.ok();
+			}
+			if(nsd==null) {
+				nsd = ques.validNSOfDomain(trans, cred.id);
+			}
+			// Get the Namespace
+			if(nsd.isOK()) {
+				if(ques.mayUser(trans, trans.user(), nsd.value,Access.write).isOK()) {
+					return Result.ok();
+				}
+				String user[] = Split.split('.',trans.user());
+				if(user.length>2) {
+					String company = user[user.length-1] + '.' + user[user.length-2];
+					if(ques.isGranted(trans, trans.user(), ROOT_NS,"password",company,"reset")) {
+						return Result.ok();
+					}
+				}
+			}
+			return Result.err(Status.ERR_Denied,"%s is not allowed to change %s in %s",trans.user(),cred.id,cred.ns);
+		}
+
+	}
+
+	private final long DAY_IN_MILLIS = 24*3600*1000;
+	
+	@ApiDoc( 
+			method = POST,  
+			path = "/authn/cred",
+			params = {},
+			expectedCode = 201,
+			errorCodes = {403,404,406,409}, 
+			text = { "A credential consists of:",
+					 "<ul><li>id - the ID to create within AAF. The domain is in reverse",
+					 "order of Namespace (i.e. Users of Namespace com.att.myapp would be",
+					 "AB1234@myapp.att.com</li>",
+					 "<li>password - Company Policy Compliant Password</li></ul>",
+					 "Note: AAF does support multiple credentials with the same ID.",
+					 "Check with your organization if you have this implemented."
+					 }
+			)
+	@Override
+	public Result<Void> createUserCred(final AuthzTrans trans, REQUEST from) {
+		final String cmdDescription = ("Create User Credential");
+		TimeTaken tt = trans.start(cmdDescription, Env.SUB);
+		
+		try {
+			Result<CredDAO.Data> rcred = mapper.cred(trans, from, true);
+			if(rcred.isOKhasData()) {
+				byte[] rawCred = rcred.value.cred.array();
+				rcred = ques.userCredSetup(trans, rcred.value);
+				
+				final ServiceValidator v = new ServiceValidator();
+				
+				if(v.cred(trans, trans.org(),rcred,true).err()) { // Note: Creates have stricter Validations 
+					return Result.err(Status.ERR_BadData,v.errs());
+				}
+				
+
+				// 2016-4 Jonathan, New Behavior - If MechID is not registered with Org, deny creation
+				Identity mechID =  null;
+				Organization org = trans.org();
+				try {
+					mechID = org.getIdentity(trans, rcred.value.id);
+				} catch (Exception e1) {
+					trans.error().log(e1,rcred.value.id,"cannot be validated at this time");
+				}
+				if(mechID==null || !mechID.isFound()) { 
+					return Result.err(Status.ERR_Policy,"MechIDs must be registered with %s before provisioning in AAF",org.getName());
+				}
+
+				Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, rcred.value.ns);
+				if(nsr.notOKorIsEmpty()) {
+					return Result.err(Status.ERR_NsNotFound,"Cannot provision %s on non-existent Namespace %s",mechID.id(),rcred.value.ns);
+				}
+				
+
+				boolean firstID = false;
+				MayChange mc;
+				
+				CassExecutor exec = new CassExecutor(trans, func);
+				Result<List<CredDAO.Data>> rlcd = ques.credDAO.readID(trans, rcred.value.id);
+				if (rlcd.isOKhasData()) {
+					if (!org.canHaveMultipleCreds(rcred.value.id)) {
+						return Result.err(Status.ERR_ConflictAlreadyExists, "Credential exists");
+					}
+					Result<Boolean> rb;
+					for (CredDAO.Data curr : rlcd.value) {
+						// May not use the same password in the list
+						// Note: ASPR specifies character differences, but we don't actually store the
+						// password to validate char differences.
+						
+						rb = ques.userCredCheck(trans, curr, rawCred);
+						if(rb.notOK()) {
+							return Result.err(rb);
+						} else if(rb.value){
+							return Result.err(Status.ERR_Policy, "Credential content cannot be reused.");
+						} else if (Chrono.dateOnlyStamp(curr.expires).equals(Chrono.dateOnlyStamp(rcred.value.expires)) && curr.type==rcred.value.type) {
+							return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists, use 'reset'");
+						}
+					}	
+				} else {
+					try {
+					// 2016-04-12 Jonathan If Caller is the Sponsor and is also an Owner of NS, allow without special Perm
+						String theMechID = rcred.value.id;
+						Boolean otherMechIDs = false;
+						// find out if this is the only mechID.  other MechIDs mean special handling (not automated)
+						for(CredDAO.Data cd : ques.credDAO.readNS(trans,nsr.value.get(0).name).value) {
+							if(!cd.id.equals(theMechID)) {
+								otherMechIDs = true;
+								break;
+							}
+						}
+						String reason;
+						// We can say "ID does not exist" here
+						if((reason=org.validate(trans, Policy.CREATE_MECHID, exec, theMechID,trans.user(),otherMechIDs.toString()))!=null) {
+							return Result.err(Status.ERR_Denied, reason); 
+						}
+						firstID=true;
+					} catch (Exception e) {
+						return Result.err(e);
+					}
+				}
+	
+				mc = new MayCreateCred(trans, rcred.value, exec);
+				
+				final CredDAO.Data cdd = rcred.value;
+				Result<FutureDAO.Data> fd = mapper.future(trans,CredDAO.TABLE,from, rcred.value,false, // may want to enable in future.
+					new Mapper.Memo() {
+						@Override
+						public String get() {
+							return cmdDescription + " [" + 
+								cdd.id + '|' 
+								+ cdd.type + '|' 
+								+ cdd.expires + ']';
+						}
+					},
+					mc);
+				
+				switch(fd.status) {
+					case OK:
+						Result<String> rfc = func.createFuture(trans, fd.value, 
+								rcred.value.id + '|' + rcred.value.type.toString() + '|' + rcred.value.expires,
+								trans.user(), nsr.value.get(0), FUTURE_OP.C);
+						if(rfc.isOK()) {
+							return Result.err(Status.ACC_Future, "Credential Request [%s|%s|%s] is saved for future processing",
+									rcred.value.id,
+									Integer.toString(rcred.value.type),
+									rcred.value.expires.toString());
+						} else { 
+							return Result.err(rfc);
+						}
+					case Status.ACC_Now:
+						try {
+							if(firstID) {
+	//							&& !nsr.value.get(0).isAdmin(trans.getUserPrincipal().getName())) {
+								Result<List<String>> admins = func.getAdmins(trans, nsr.value.get(0).name, false);
+								// OK, it's a first ID, and not by NS Admin, so let's set TempPassword length
+								// Note, we only do this on First time, because of possibility of 
+								// prematurely expiring a production id
+								if(admins.isOKhasData() && !admins.value.contains(trans.user())) {
+									rcred.value.expires = org.expiration(null, Expiration.TempPassword).getTime();
+								}
+							}
+						} catch (Exception e) {
+							trans.error().log(e, "While setting expiration to TempPassword");
+						}
+						Result<?>udr = ques.credDAO.create(trans, rcred.value);
+						if(udr.isOK()) {
+							return Result.ok();
+						}
+						return Result.err(udr);
+					default:
+						return Result.err(fd);
+				}
+
+			} else {
+				return Result.err(rcred);
+			}
+		} finally {
+			tt.done();
+		}
+	}
+
+	@ApiDoc(   
+			method = GET,  
+			path = "/authn/creds/ns/:ns",
+			params = {"ns|string|true"},
+			expectedCode = 200,
+			errorCodes = {403,404,406}, 
+			text = { "Return all IDs in Namespace :ns"
+					 }
+			)
+	@Override
+	public Result<USERS> getCredsByNS(AuthzTrans trans, String ns) {
+		final Validator v = new ServiceValidator();
+		if(v.ns(ns).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		
+		// check if user is allowed to view NS
+		Result<NsDAO.Data> rnd = ques.deriveNs(trans,ns);
+		if(rnd.notOK()) {
+			return Result.err(rnd); 
+		}
+		rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read);
+		if(rnd.notOK()) {
+			return Result.err(rnd); 
+		}
+	
+		TimeTaken tt = trans.start("MAP Creds by NS to Creds", Env.SUB);
+		try {			
+			USERS users = mapper.newInstance(API.USERS);
+			Result<List<CredDAO.Data>> rlcd = ques.credDAO.readNS(trans, ns);
+					
+			if(rlcd.isOK()) {
+				if(!rlcd.isEmpty()) {
+					return mapper.cred(rlcd.value, users);
+				}
+				return Result.ok(users);		
+			} else {
+				return Result.err(rlcd);
+			}
+		} finally {
+			tt.done();
+		}
+			
+	}
+
+	@ApiDoc(   
+			method = GET,  
+			path = "/authn/creds/id/:ns",
+			params = {"id|string|true"},
+			expectedCode = 200,
+			errorCodes = {403,404,406}, 
+			text = { "Return all IDs in for ID"
+					,"(because IDs are multiple, due to multiple Expiration Dates)"
+					 }
+			)
+	@Override
+	public Result<USERS> getCredsByID(AuthzTrans trans, String id) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("ID",id).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		
+		String ns = Question.domain2ns(id);
+		// check if user is allowed to view NS
+		Result<NsDAO.Data> rnd = ques.deriveNs(trans,ns);
+		if(rnd.notOK()) {
+			return Result.err(rnd); 
+		}
+		rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read);
+		if(rnd.notOK()) {
+			return Result.err(rnd); 
+		}
+	
+		TimeTaken tt = trans.start("MAP Creds by ID to Creds", Env.SUB);
+		try {			
+			USERS users = mapper.newInstance(API.USERS);
+			Result<List<CredDAO.Data>> rlcd = ques.credDAO.readID(trans, id);
+					
+			if(rlcd.isOK()) {
+				if(!rlcd.isEmpty()) {
+					return mapper.cred(rlcd.value, users);
+				}
+				return Result.ok(users);		
+			} else {
+				return Result.err(rlcd);
+			}
+		} finally {
+			tt.done();
+		}
+			
+	}
+
+	@ApiDoc(   
+			method = GET,  
+			path = "/authn/certs/id/:id",
+			params = {"id|string|true"},
+			expectedCode = 200,
+			errorCodes = {403,404,406}, 
+			text = { "Return Cert Info for ID"
+				   }
+			)
+	@Override
+	public Result<CERTS> getCertInfoByID(AuthzTrans trans, HttpServletRequest req, String id) {
+		TimeTaken tt = trans.start("Get Cert Info by ID", Env.SUB);
+		try {			
+			CERTS certs = mapper.newInstance(API.CERTS);
+			Result<List<CertDAO.Data>> rlcd = ques.certDAO.readID(trans, id);
+					
+			if(rlcd.isOK()) {
+				if(!rlcd.isEmpty()) {
+					return mapper.cert(rlcd.value, certs);
+				}
+				return Result.ok(certs);		
+			} else { 
+				return Result.err(rlcd);
+			}
+		} finally {
+			tt.done();
+		}
+
+	}
+
+	@ApiDoc( 
+			method = PUT,  
+			path = "/authn/cred",
+			params = {},
+			expectedCode = 200,
+			errorCodes = {300,403,404,406}, 
+			text = { "Reset a Credential Password. If multiple credentials exist for this",
+						"ID, you will need to specify which entry you are resetting in the",
+						"CredRequest object"
+					 }
+			)
+	@Override
+	public Result<Void> changeUserCred(final AuthzTrans trans, REQUEST from) {
+		final String cmdDescription = "Update User Credential";
+		TimeTaken tt = trans.start(cmdDescription, Env.SUB);
+		try {
+			Result<CredDAO.Data> rcred = mapper.cred(trans, from, true);
+			if(rcred.isOKhasData()) {
+				rcred = ques.userCredSetup(trans, rcred.value);
+	
+				final ServiceValidator v = new ServiceValidator();
+				
+				if(v.cred(trans, trans.org(),rcred,false).err()) {// Note: Creates have stricter Validations 
+					return Result.err(Status.ERR_BadData,v.errs());
+				}
+				Result<List<CredDAO.Data>> rlcd = ques.credDAO.readID(trans, rcred.value.id);
+				if(rlcd.notOKorIsEmpty()) {
+					return Result.err(Status.ERR_UserNotFound, "Credential does not exist");
+				} 
+				
+				MayChange mc = new MayChangeCred(trans, rcred.value);
+				Result<?> rmc = mc.mayChange(); 
+				if (rmc.notOK()) {
+					return Result.err(rmc);
+				}
+				
+	 			Result<Integer> ri = selectEntryIfMultiple((CredRequest)from, rlcd.value);
+				if(ri.notOK()) {
+					return Result.err(ri);
+				}
+				int entry = ri.value;
+	
+				
+				final CredDAO.Data cred = rcred.value;
+				
+				Result<FutureDAO.Data> fd = mapper.future(trans,CredDAO.TABLE,from, rcred.value,false,
+				new Mapper.Memo() {
+					@Override
+					public String get() {
+						return cmdDescription + " [" + 
+							cred.id + '|' 
+							+ cred.type + '|' 
+							+ cred.expires + ']';
+					}
+				},
+				mc);
+				
+				Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, rcred.value.ns);
+				if(nsr.notOKorIsEmpty()) {
+					return Result.err(nsr);
+				}
+	
+				switch(fd.status) {
+					case OK:
+						Result<String> rfc = func.createFuture(trans, fd.value, 
+								rcred.value.id + '|' + rcred.value.type.toString() + '|' + rcred.value.expires,
+								trans.user(), nsr.value.get(0), FUTURE_OP.U);
+						if(rfc.isOK()) {
+							return Result.err(Status.ACC_Future, "Credential Request [%s|%s|%s]",
+									rcred.value.id,
+									Integer.toString(rcred.value.type),
+									rcred.value.expires.toString());
+						} else { 
+							return Result.err(rfc);
+						}
+					case Status.ACC_Now:
+						Result<?>udr = null;
+						// If we are Resetting Password on behalf of someone else (am not the Admin)
+						//  use TempPassword Expiration time.
+						Expiration exp;
+						if(ques.isAdmin(trans, trans.user(), nsr.value.get(0).name)) {
+							exp = Expiration.Password;
+						} else {
+							exp = Expiration.TempPassword;
+						}
+						
+						Organization org = trans.org();
+						CredDAO.Data current = rlcd.value.get(entry);
+						// If user resets password in same day, we will have a primary key conflict, so subtract 1 day
+						if (current.expires.equals(rcred.value.expires) 
+									&& rlcd.value.get(entry).type==rcred.value.type) {
+							GregorianCalendar gc = org.expiration(null, exp,rcred.value.id);
+							gc = Chrono.firstMomentOfDay(gc);
+							gc.set(GregorianCalendar.HOUR_OF_DAY, org.startOfDay());						
+							rcred.value.expires = new Date(gc.getTimeInMillis() - DAY_IN_MILLIS);
+						} else {
+							rcred.value.expires = org.expiration(null,exp).getTime();
+						}
+						// Copy in other fields 10/21/2016
+						rcred.value.notes=current.notes;
+
+						udr = ques.credDAO.create(trans, rcred.value);
+						if(udr.isOK()) {
+							udr = ques.credDAO.delete(trans, rlcd.value.get(entry),false);
+						}
+						if (udr.isOK()) {
+							return Result.ok();
+						}
+	
+						return Result.err(udr);
+					default:
+						return Result.err(fd);
+				}
+			} else {
+				return Result.err(rcred);
+			}
+		} finally {
+			tt.done();
+		}
+	}
+
+	/*
+	 * Codify the way to get Either Choice Needed or actual Integer from Credit Request
+	 */
+	private Result<Integer> selectEntryIfMultiple(final CredRequest cr, List<CredDAO.Data> lcd) {
+		int entry = 0;
+		if (lcd.size() > 1) {
+			String inputOption = cr.getEntry();
+			if (inputOption == null) {
+				String message = selectCredFromList(lcd, false);
+				String[] variables = buildVariables(lcd);
+				return Result.err(Status.ERR_ChoiceNeeded, message, variables);
+			} else {
+			    entry = Integer.parseInt(inputOption) - 1;
+			}
+			if (entry < 0 || entry >= lcd.size()) {
+				return Result.err(Status.ERR_BadData, "User chose invalid credential selection");
+			}
+		}
+		return Result.ok(entry);
+	}
+	
+	@ApiDoc( 
+			method = PUT,  
+			path = "/authn/cred/:days",
+			params = {"days|string|true"},
+			expectedCode = 200,
+			errorCodes = {300,403,404,406}, 
+			text = { "Extend a Credential Expiration Date. The intention of this API is",
+						"to avoid an outage in PROD due to a Credential expiring before it",
+						"can be configured correctly. Measures are being put in place ",
+						"so that this is not abused."
+					 }
+			)
+	@Override
+	public Result<Void> extendUserCred(final AuthzTrans trans, REQUEST from, String days) {
+		TimeTaken tt = trans.start("Extend User Credential", Env.SUB);
+		try {
+			Result<CredDAO.Data> cred = mapper.cred(trans, from, false);
+			Organization org = trans.org();
+			final ServiceValidator v = new ServiceValidator();
+			if(v.notOK(cred).err() || 
+			   v.nullOrBlank(cred.value.id, "Invalid ID").err() ||
+			   v.user(org,cred.value.id).err())  {
+				 return Result.err(Status.ERR_BadData,v.errs());
+			}
+			
+			try {
+				String reason;
+				if ((reason=org.validate(trans, Policy.MAY_EXTEND_CRED_EXPIRES, new CassExecutor(trans,func)))!=null) {
+					return Result.err(Status.ERR_Policy,reason);
+				}
+			} catch (Exception e) {
+				String msg;
+				trans.error().log(e, msg="Could not contact Organization for User Validation");
+				return Result.err(Status.ERR_Denied, msg);
+			}
+	
+			// Get the list of Cred Entries
+			Result<List<CredDAO.Data>> rlcd = ques.credDAO.readID(trans, cred.value.id);
+			if(rlcd.notOKorIsEmpty()) {
+				return Result.err(Status.ERR_UserNotFound, "Credential does not exist");
+			}
+
+			//Need to do the "Pick Entry" mechanism
+			Result<Integer> ri = selectEntryIfMultiple((CredRequest)from, rlcd.value);
+			if(ri.notOK()) {
+				return Result.err(ri);
+			}
+
+			CredDAO.Data found = rlcd.value.get(ri.value);
+			CredDAO.Data cd = cred.value;
+			// Copy over the cred
+			cd.id = found.id;
+			cd.cred = found.cred;
+			cd.other = found.other;
+			cd.type = found.type;
+			cd.notes = found.notes;
+			cd.ns = found.ns;
+			cd.expires = org.expiration(null, Expiration.ExtendPassword,days).getTime();
+			
+			cred = ques.credDAO.create(trans, cd);
+			if(cred.isOK()) {
+				return Result.ok();
+			}
+			return Result.err(cred);
+		} finally {
+			tt.done();
+		}
+	}	
+
+	private String[] buildVariables(List<CredDAO.Data> value) {
+		// ensure credentials are sorted so we can fully automate Cred regression test
+		Collections.sort(value, new Comparator<CredDAO.Data>() {
+			@Override
+			public int compare(CredDAO.Data cred1, CredDAO.Data cred2) {
+				return cred1.expires.compareTo(cred2.expires);
+			}			
+		});
+		String [] vars = new String[value.size()+1];
+		vars[0]="Choice";
+		for (int i = 0; i < value.size(); i++) {
+		vars[i+1] = value.get(i).id + "    " + value.get(i).type 
+				+ "    |" + value.get(i).expires;
+		}
+		return vars;
+	}
+	
+	private String selectCredFromList(List<CredDAO.Data> value, boolean isDelete) {
+		StringBuilder errMessage = new StringBuilder();
+		String userPrompt = isDelete?"Select which cred to delete (set force=true to delete all):":"Select which cred to update:";
+		int numSpaces = value.get(0).id.length() - "Id".length();
+		
+		errMessage.append(userPrompt + '\n');
+		errMessage.append("       Id");
+		for (int i = 0; i < numSpaces; i++) {
+		    errMessage.append(' ');
+		}
+		errMessage.append("   Type  Expires" + '\n');
+		for(int i=0;i<value.size();++i) {
+			errMessage.append("    %s\n");
+		}
+		errMessage.append("Run same command again with chosen entry as last parameter");
+		
+		return errMessage.toString();
+		
+	}
+
+	@ApiDoc( 
+			method = DELETE,  
+			path = "/authn/cred",
+			params = {},
+			expectedCode = 200,
+			errorCodes = {300,403,404,406}, 
+			text = { "Delete a Credential. If multiple credentials exist for this",
+					"ID, you will need to specify which entry you are deleting in the",
+					"CredRequest object."
+					 }
+			)
+	@Override
+	public Result<Void> deleteUserCred(AuthzTrans trans, REQUEST from)  {
+		final Result<CredDAO.Data> cred = mapper.cred(trans, from, false);
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("cred", cred.value.id).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+	
+		Result<List<CredDAO.Data>> rlcd = ques.credDAO.readID(trans, cred.value.id);
+		if(rlcd.notOKorIsEmpty()) {
+			// Empty Creds should have no user_roles.
+			Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByUser(trans, cred.value.id);
+			if(rlurd.isOK()) {
+				for(UserRoleDAO.Data data : rlurd.value) {
+					ques.userRoleDAO.delete(trans, data, false);
+				}
+			}
+			return Result.err(Status.ERR_UserNotFound, "Credential does not exist");
+		}
+		boolean isLastCred = rlcd.value.size()==1;
+		
+		MayChange mc = new MayChangeCred(trans,cred.value);
+		Result<?> rmc = mc.mayChange(); 
+		if (rmc.notOK()) {
+			return Result.err(rmc);
+		}
+		
+		int entry = 0;
+		if(!trans.requested(force)) {
+			if (rlcd.value.size() > 1) {
+				CredRequest cr = (CredRequest)from;
+				String inputOption = cr.getEntry();
+				if (inputOption == null) {
+					String message = selectCredFromList(rlcd.value, true);
+					String[] variables = buildVariables(rlcd.value);
+					return Result.err(Status.ERR_ChoiceNeeded, message, variables);
+				} else {
+					try {
+						if(inputOption.length()>5) { // should be a date
+							Date d = Chrono.xmlDatatypeFactory.newXMLGregorianCalendar(inputOption).toGregorianCalendar().getTime();
+							entry = 0;
+							for(CredDAO.Data cd : rlcd.value) {
+								if(cd.type.equals(cr.getType()) && cd.expires.equals(d)) {
+									break;
+								}
+								++entry;
+							}
+						} else {
+							entry = Integer.parseInt(inputOption) - 1;
+						}
+					} catch(NullPointerException e) {
+						return Result.err(Status.ERR_BadData, "Invalid Date Format for Entry");
+					} catch(NumberFormatException e) {
+						return Result.err(Status.ERR_BadData, "User chose invalid credential selection");
+					}
+				}
+				isLastCred = (entry==-1)?true:false;
+			} else {
+				isLastCred = true;
+			}
+			if (entry < -1 || entry >= rlcd.value.size()) {
+				return Result.err(Status.ERR_BadData, "User chose invalid credential selection");
+			}
+		}
+		
+		Result<FutureDAO.Data> fd = mapper.future(trans,CredDAO.TABLE,from,cred.value,false, 
+			new Mapper.Memo() {
+				@Override
+				public String get() {
+					return "Delete Credential [" + 
+						cred.value.id + 
+						']';
+				}
+			},
+			mc);
+	
+		Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, cred.value.ns);
+		if(nsr.notOKorIsEmpty()) {
+			return Result.err(nsr);
+		}
+	
+		switch(fd.status) {
+			case OK:
+				Result<String> rfc = func.createFuture(trans, fd.value, cred.value.id,
+						trans.user(), nsr.value.get(0), FUTURE_OP.D);
+	
+				if(rfc.isOK()) {
+					return Result.err(Status.ACC_Future, "Credential Delete [%s] is saved for future processing",cred.value.id);
+				} else { 
+					return Result.err(rfc);
+				}
+			case Status.ACC_Now:
+				Result<?>udr = null;
+				if (!trans.requested(force)) {
+					if(entry<0 || entry >= rlcd.value.size()) {
+						return Result.err(Status.ERR_BadData,"Invalid Choice [" + entry + "] chosen for Delete [%s] is saved for future processing",cred.value.id);
+					}
+					udr = ques.credDAO.delete(trans, rlcd.value.get(entry),false);
+				} else {
+					for (CredDAO.Data curr : rlcd.value) {
+						udr = ques.credDAO.delete(trans, curr, false);
+						if (udr.notOK()) {
+							return Result.err(udr);
+						}
+					}
+				}
+				if(isLastCred) {
+					Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByUser(trans, cred.value.id);
+					if(rlurd.isOK()) {
+						for(UserRoleDAO.Data data : rlurd.value) {
+							ques.userRoleDAO.delete(trans, data, false);
+						}
+					}
+				}
+				if (udr.isOK()) {
+					return Result.ok();
+				}
+				return Result.err(udr);
+			default:
+				return Result.err(fd);
+		}
+	
+	}
+
+
+	@Override
+	public Result<Date> doesCredentialMatch(AuthzTrans trans, REQUEST credReq) {
+		TimeTaken tt = trans.start("Does Credential Match", Env.SUB);
+		try {
+			// Note: Mapper assigns RAW type
+			Result<CredDAO.Data> data = mapper.cred(trans, credReq,false);
+			if(data.notOKorIsEmpty()) {
+				return Result.err(data);
+			}
+			CredDAO.Data cred = data.value;	// of the Mapped Cred
+			if(cred.cred==null) {
+				return Result.err(Result.ERR_BadData,"No Password");
+			} else {
+				return ques.doesUserCredMatch(trans, cred.id, cred.cred.array());
+			}
+
+		} catch (DAOException e) {
+			trans.error().log(e,"Error looking up cred");
+			return Result.err(Status.ERR_Denied,"Credential does not match");
+		} finally {
+			tt.done();
+		}
+	}
+
+	@ApiDoc( 
+			method = GET,  
+			path = "/authn/basicAuth",
+			params = {},
+			expectedCode = 200,
+			errorCodes = { 403 }, 
+			text = { "!!!! DEPRECATED without X509 Authentication STOP USING THIS API BY DECEMBER 2017, or use Certificates !!!!\n" 
+					+ "Use /authn/validate instead\n"
+					+ "Note: Validate a Password using BasicAuth Base64 encoded Header. This HTTP/S call is intended as a fast"
+					+ " User/Password lookup for Security Frameworks, and responds 200 if it passes BasicAuth "
+				+ "security, and 403 if it does not." }
+			)
+	private void basicAuth() {
+		// This is a place holder for Documentation.  The real BasicAuth API does not call Service.
+	}
+	
+	@ApiDoc( 
+			method = POST,  
+			path = "/authn/validate",
+			params = {},
+			expectedCode = 200,
+			errorCodes = { 403 }, 
+			text = { "Validate a Credential given a Credential Structure.  This is a more comprehensive validation, can "
+					+ "do more than BasicAuth as Credential types exp" }
+			)
+	@Override
+	public Result<Date> validateBasicAuth(AuthzTrans trans, String basicAuth) {
+		//TODO how to make sure people don't use this in browsers?  Do we care?
+		TimeTaken tt = trans.start("Validate Basic Auth", Env.SUB);
+		try {
+			BasicPrincipal bp = new BasicPrincipal(basicAuth,trans.org().getRealm());
+			Result<Date> rq = ques.doesUserCredMatch(trans, bp.getName(), bp.getCred());
+			// Note: Only want to log problem, don't want to send back to end user
+			if(rq.isOK()) {
+				return rq;
+			} else {
+				trans.audit().log(rq.errorString());
+			}
+		} catch (Exception e) {
+			trans.warn().log(e);
+		} finally {
+			tt.done();
+		}
+		return Result.err(Status.ERR_Denied,"Bad Basic Auth");
+	}
+
+/***********************************
+ * USER-ROLE 
+ ***********************************/
+	@ApiDoc( 
+			method = POST,  
+			path = "/authz/userRole",
+			params = {},
+			expectedCode = 201,
+			errorCodes = {403,404,406,409}, 
+			text = { "Create a UserRole relationship (add User to Role)",
+					 "A UserRole is an object Representation of membership of a Role for limited time.",
+					 "If a shorter amount of time for Role ownership is required, use the 'End' field.",
+					 "** Note: Owners of Namespaces will be required to revalidate users in these roles ",
+					 "before Expirations expire.  Namespace owners will be notified by email."
+				   }
+			)
+	@Override
+	public Result<Void> createUserRole(final AuthzTrans trans, REQUEST from) {
+		TimeTaken tt = trans.start("Create UserRole", Env.SUB);
+		try {
+			Result<UserRoleDAO.Data> urr = mapper.userRole(trans, from);
+			if(urr.notOKorIsEmpty()) {
+				return Result.err(urr);
+			}
+			final UserRoleDAO.Data userRole = urr.value;
+			
+			final ServiceValidator v = new ServiceValidator();
+			if(v.user_role(userRole).err() ||
+			   v.user(trans.org(), userRole.user).err()) {
+				return Result.err(Status.ERR_BadData,v.errs());
+			}
+
+
+			 
+			// Check if user can change first
+			Result<FutureDAO.Data> fd = mapper.future(trans,UserRoleDAO.TABLE,from,urr.value,true, // may request Approvals
+				new Mapper.Memo() {
+					@Override
+					public String get() {
+						return "Add User [" + userRole.user + "] to Role [" + 
+								userRole.role + 
+								']';
+					}
+				},
+				new MayChange() {
+					private Result<NsDAO.Data> nsd;
+					@Override
+					public Result<?> mayChange() {
+						if(nsd==null) {
+							RoleDAO.Data r = RoleDAO.Data.decode(userRole);
+							nsd = ques.mayUser(trans, trans.user(), r, Access.write);
+						}
+						return nsd;
+					}
+				});
+			Result<NsDAO.Data> nsr = ques.deriveNs(trans, userRole.role);
+			if(nsr.notOKorIsEmpty()) {
+				return Result.err(nsr);
+			}
+
+			switch(fd.status) {
+				case OK:
+					Result<String> rfc = func.createFuture(trans, fd.value, userRole.user+'|'+userRole.ns + '.' + userRole.rname, 
+							userRole.user, nsr.value, FUTURE_OP.C);
+					if(rfc.isOK()) {
+						return Result.err(Status.ACC_Future, "UserRole [%s - %s.%s] is saved for future processing",
+								userRole.user,
+								userRole.ns,
+								userRole.rname);
+					} else { 
+						return Result.err(rfc);
+					}
+				case Status.ACC_Now:
+					return func.addUserRole(trans, userRole);
+				default:
+					return Result.err(fd);
+			}
+		} finally {
+			tt.done();
+		}
+	}
+	
+		/**
+		 * getUserRolesByRole
+		 */
+	    @ApiDoc(
+	            method = GET,
+	            path = "/authz/userRoles/role/:role",
+	            params = {"role|string|true"},
+	            expectedCode = 200,
+	            errorCodes = {404,406},
+	            text = { "List all Users that are attached to Role specified in :role",
+	            		}
+	           )
+		@Override
+		public Result<USERROLES> getUserRolesByRole(AuthzTrans trans, String role) {
+			final Validator v = new ServiceValidator();
+			if(v.nullOrBlank("Role",role).err()) {
+				return Result.err(Status.ERR_BadData,v.errs());
+			}
+			
+			Result<RoleDAO.Data> rrdd;
+			rrdd = RoleDAO.Data.decode(trans,ques,role);
+			if(rrdd.notOK()) {
+				return Result.err(rrdd);
+			}
+			// May Requester see result?
+			Result<NsDAO.Data> ns = ques.mayUser(trans,trans.user(), rrdd.value,Access.read);
+			if (ns.notOK()) {
+				return Result.err(ns);
+			}
+	
+	//		boolean filter = true;		
+	//		if (ns.value.isAdmin(trans.user()) || ns.value.isResponsible(trans.user()))
+	//			filter = false;
+			
+			// Get list of roles per user, then add to Roles as we go
+			HashSet<UserRoleDAO.Data> userSet = new HashSet<UserRoleDAO.Data>();
+			Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByRole(trans, role);
+			if(rlurd.isOK()) {
+				for(UserRoleDAO.Data data : rlurd.value) {
+					userSet.add(data);
+				}
+			}
+			
+			@SuppressWarnings("unchecked")
+			USERROLES users = (USERROLES) mapper.newInstance(API.USER_ROLES);
+			// Checked for permission
+			mapper.userRoles(trans, userSet, users);
+			return Result.ok(users);
+		}
+		/**
+		 * getUserRolesByRole
+		 */
+	    @ApiDoc(
+	            method = GET,
+	            path = "/authz/userRoles/user/:user",
+	            params = {"role|string|true"},
+	            expectedCode = 200,
+	            errorCodes = {404,406},
+	            text = { "List all UserRoles for :user",
+	            		}
+	           )
+		@Override
+		public Result<USERROLES> getUserRolesByUser(AuthzTrans trans, String user) {
+			final Validator v = new ServiceValidator();
+			if(v.nullOrBlank("User",user).err()) {
+				return Result.err(Status.ERR_BadData,v.errs());
+			}
+			
+			// Get list of roles per user, then add to Roles as we go
+			Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByUser(trans, user);
+			if(rlurd.notOK()) { 
+				return Result.err(rlurd);
+			}
+			
+			/* Check for
+			 *   1) is User 
+			 *   2) is User's Supervisor
+			 *   3) Has special global access =read permission
+			 *   
+			 *   If none of the 3, then filter results to NSs in which Calling User has Ns.access * read
+			 */
+			boolean mustFilter;
+			String callingUser = trans.getUserPrincipal().getName();
+			NsDAO.Data ndd = new NsDAO.Data();
+
+			if(user.equals(callingUser)) {
+				mustFilter = false;
+			} else {
+				Organization org = trans.org();
+				try {
+					Identity orgID = org.getIdentity(trans, user);
+					Identity manager = orgID==null?null:orgID.responsibleTo();
+					if(orgID!=null && (manager!=null && callingUser.equals(manager.fullID()))) {
+						mustFilter = false;
+					} else if(ques.isGranted(trans, callingUser, ROOT_NS, Question.ACCESS, "*", Access.read.name())) {
+						mustFilter=false;
+					} else {
+						mustFilter = true;
+					}
+				} catch (OrganizationException e) {
+					trans.env().log(e);
+					mustFilter = true;
+				}
+			}
+			
+			List<UserRoleDAO.Data> content;
+			if(mustFilter) {
+				content = new ArrayList<UserRoleDAO.Data>(rlurd.value.size()); // avoid multi-memory redos
+				
+				for(UserRoleDAO.Data data : rlurd.value) {
+					ndd.name=data.ns;
+					Result<Data> mur = ques.mayUser(trans, callingUser, ndd, Access.read);
+					if(mur.isOK()){
+						content.add(data);
+					}
+				}
+				
+			} else {
+				content = rlurd.value;
+			}
+
+
+			@SuppressWarnings("unchecked")
+			USERROLES users = (USERROLES) mapper.newInstance(API.USER_ROLES);
+			// Checked for permission
+			mapper.userRoles(trans, content, users);
+			return Result.ok(users);
+		}
+
+	    
+	@ApiDoc( 
+			method = PUT,  
+			path = "/authz/userRole/user",
+			params = {},
+			expectedCode = 200,
+			errorCodes = {403,404,406}, 
+			text = { "Set a User's roles to the roles specified in the UserRoleRequest object.",
+						"WARNING: Roles supplied will be the ONLY roles attached to this user",
+						"If no roles are supplied, user's roles are reset."
+				   }
+			)
+	@Override
+	public Result<Void> resetRolesForUser(AuthzTrans trans, REQUEST rreq) {
+		Result<UserRoleDAO.Data> rurdd = mapper.userRole(trans, rreq);
+		final ServiceValidator v = new ServiceValidator();
+		if(rurdd.notOKorIsEmpty()) {
+			return Result.err(rurdd);
+		}
+		if (v.user(trans.org(), rurdd.value.user).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		Set<String> currRoles = new HashSet<String>();
+		Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByUser(trans, rurdd.value.user);
+		if(rlurd.isOK()) {
+			for(UserRoleDAO.Data data : rlurd.value) {
+				currRoles.add(data.role);
+			}
+		}
+		
+		Result<Void> rv = null;
+		String[] roles;
+		if(rurdd.value.role==null) {
+			roles = new String[0];
+		} else {
+			roles = rurdd.value.role.split(",");
+		}
+		
+		for (String role : roles) {			
+			if (v.role(role).err()) {
+				return Result.err(Status.ERR_BadData,v.errs());
+			}
+			Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans, ques, role);
+			if(rrdd.notOK()) {
+				return Result.err(rrdd);
+			}
+			
+			rurdd.value.role(rrdd.value);
+			
+			Result<NsDAO.Data> nsd = ques.mayUser(trans, trans.user(), rrdd.value,Access.write);
+			if (nsd.notOK()) {
+				return Result.err(nsd);
+			}
+			Result<NsDAO.Data> nsr = ques.deriveNs(trans, role);
+			if(nsr.notOKorIsEmpty()) {
+				return Result.err(nsr);	
+			}
+			
+			if(currRoles.contains(role)) {
+				currRoles.remove(role);
+			} else {
+				rv = func.addUserRole(trans, rurdd.value);
+				if (rv.notOK()) {
+					return rv;
+				}
+			}
+		}
+		
+		for (String role : currRoles) {
+			rurdd.value.role(trans,ques,role);
+			rv = ques.userRoleDAO.delete(trans, rurdd.value, false);
+			if(rv.notOK()) {
+				trans.info().log(rurdd.value.user,"/",rurdd.value.role, "expected to be deleted, but does not exist");
+				// return rv; // if it doesn't exist, don't error out
+			}
+
+		}
+	
+		return Result.ok();		
+		
+	}
+	
+	@ApiDoc( 
+			method = PUT,  
+			path = "/authz/userRole/role",
+			params = {},
+			expectedCode = 200,
+			errorCodes = {403,404,406}, 
+			text = { "Set a Role's users to the users specified in the UserRoleRequest object.",
+					"WARNING: Users supplied will be the ONLY users attached to this role",
+					"If no users are supplied, role's users are reset."
+			   }
+			)
+	@Override
+	public Result<Void> resetUsersForRole(AuthzTrans trans, REQUEST rreq) {
+		Result<UserRoleDAO.Data> rurdd = mapper.userRole(trans, rreq);
+		if(rurdd.notOKorIsEmpty()) {
+			return Result.err(rurdd);
+		}
+		final ServiceValidator v = new ServiceValidator();
+		if (v.user_role(rurdd.value).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		RoleDAO.Data rd = RoleDAO.Data.decode(rurdd.value);
+
+		Result<NsDAO.Data> nsd = ques.mayUser(trans, trans.user(), rd, Access.write);
+		if (nsd.notOK()) {
+			return Result.err(nsd);
+		}
+
+		Result<NsDAO.Data> nsr = ques.deriveNs(trans, rurdd.value.role);
+		if(nsr.notOKorIsEmpty()) {
+			return Result.err(nsr);	
+		}
+
+		Set<String> currUsers = new HashSet<String>();
+		Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByRole(trans, rurdd.value.role);
+		if(rlurd.isOK()) { 
+			for(UserRoleDAO.Data data : rlurd.value) {
+				currUsers.add(data.user);
+			}
+		}
+	
+		// found when connected remotely to DEVL, can't replicate locally
+		// inconsistent errors with cmd: role user setTo [nothing]
+		// deleteUserRole --> read --> get --> cacheIdx(?)
+		// sometimes returns idx for last added user instead of user passed in
+		// cache bug? 
+		
+		
+		Result<Void> rv = null;
+		String[] users = {};
+		if (rurdd.value.user != null) {
+		    users = rurdd.value.user.split(",");
+		}
+		
+		for (String user : users) {			
+			if (v.user(trans.org(), user).err()) {
+				return Result.err(Status.ERR_BadData,v.errs());
+			}
+			rurdd.value.user = user;
+
+			if(currUsers.contains(user)) {
+				currUsers.remove(user);
+			} else {
+				rv = func.addUserRole(trans, rurdd.value);
+				if (rv.notOK()) { 
+					return rv;
+				}
+			}
+		}
+		
+		for (String user : currUsers) {
+			rurdd.value.user = user; 
+			rv = ques.userRoleDAO.delete(trans, rurdd.value, false);
+			if(rv.notOK()) {
+				trans.info().log(rurdd.value, "expected to be deleted, but not exists");
+				return rv;
+			}
+		}	
+		
+		return Result.ok();			
+	}
+	
+	@ApiDoc(
+	        method = GET,
+	        path = "/authz/userRole/extend/:user/:role",
+	        params = {	"user|string|true",
+	        			"role|string|true"
+	        		},
+	        expectedCode = 200,
+	        errorCodes = {403,404,406},
+	        text = { "Extend the Expiration of this User Role by the amount set by Organization",
+	        		 "Requestor must be allowed to modify the role"
+	        		}
+	       )
+	@Override
+	public Result<Void> extendUserRole(AuthzTrans trans, String user, String role) {
+		Organization org = trans.org();
+		final ServiceValidator v = new ServiceValidator();
+		if(v.user(org, user)
+			.role(role)
+			.err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+	
+		Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,ques,role);
+		if(rrdd.notOK()) {
+			return Result.err(rrdd);
+		}
+		
+		Result<NsDAO.Data> rcr = ques.mayUser(trans, trans.user(), rrdd.value, Access.write);
+		boolean mayNotChange;
+		if((mayNotChange = rcr.notOK()) && !trans.requested(future)) {
+			return Result.err(rcr);
+		}
+		
+		Result<List<UserRoleDAO.Data>> rr = ques.userRoleDAO.read(trans, user,role);
+		if(rr.notOK()) {
+			return Result.err(rr);
+		}
+		for(UserRoleDAO.Data userRole : rr.value) {
+			if(mayNotChange) { // Function exited earlier if !trans.futureRequested
+				FutureDAO.Data fto = new FutureDAO.Data();
+				fto.target=UserRoleDAO.TABLE;
+				fto.memo = "Extend User ["+userRole.user+"] in Role ["+userRole.role+"]";
+				GregorianCalendar now = new GregorianCalendar();
+				fto.start = now.getTime();
+				fto.expires = org.expiration(now, Expiration.Future).getTime();
+				try {
+					fto.construct = userRole.bytify();
+				} catch (IOException e) {
+					trans.error().log(e, "Error while bytifying UserRole for Future");
+					return Result.err(e);
+				}
+
+				Result<String> rfc = func.createFuture(trans, fto, 
+						userRole.user+'|'+userRole.role, userRole.user, rcr.value, FUTURE_OP.U);
+				if(rfc.isOK()) {
+					return Result.err(Status.ACC_Future, "UserRole [%s - %s] is saved for future processing",
+							userRole.user,
+							userRole.role);
+				} else {
+					return Result.err(rfc);
+				}
+			} else {
+				return func.extendUserRole(trans, userRole, false);
+			}
+		}
+		return Result.err(Result.ERR_NotFound,"This user and role doesn't exist");
+	}
+
+	@ApiDoc( 
+			method = DELETE,  
+			path = "/authz/userRole/:user/:role",
+			params = {	"user|string|true",
+						"role|string|true"
+					},
+			expectedCode = 200,
+			errorCodes = {403,404,406}, 
+			text = { "Remove Role :role from User :user."
+				   }
+			)
+	@Override
+	public Result<Void> deleteUserRole(AuthzTrans trans, String usr, String role) {
+		Validator val = new ServiceValidator();
+		if(val.nullOrBlank("User", usr)
+		      .nullOrBlank("Role", role).err()) {
+			return Result.err(Status.ERR_BadData, val.errs());
+		}
+
+		boolean mayNotChange;
+		Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,ques,role);
+		if(rrdd.notOK()) {
+			return Result.err(rrdd);
+		}
+		
+		RoleDAO.Data rdd = rrdd.value;
+		Result<NsDAO.Data> rns = ques.mayUser(trans, trans.user(), rdd, Access.write);
+
+		// Make sure we don't delete the last owner of valid NS
+		if(rns.isOKhasData() && Question.OWNER.equals(rdd.name) && ques.countOwner(trans,rdd.ns)<=1) {
+			return Result.err(Status.ERR_Denied,"You may not delete the last Owner of " + rdd.ns );
+		}
+		
+		if(mayNotChange=rns.notOK()) {
+			if(!trans.requested(future)) {
+				return Result.err(rns);
+			}
+		}
+
+		Result<List<UserRoleDAO.Data>> rulr;
+		if((rulr=ques.userRoleDAO.read(trans, usr, role)).notOKorIsEmpty()) {
+			return Result.err(Status.ERR_UserRoleNotFound, "User [ "+usr+" ] is not "
+					+ "Assigned to the Role [ " + role + " ]");
+		}
+
+		UserRoleDAO.Data userRole = rulr.value.get(0);
+		if(mayNotChange) { // Function exited earlier if !trans.futureRequested
+			FutureDAO.Data fto = new FutureDAO.Data();
+			fto.target=UserRoleDAO.TABLE;
+			fto.memo = "Remove User ["+userRole.user+"] from Role ["+userRole.role+"]";
+			GregorianCalendar now = new GregorianCalendar();
+			fto.start = now.getTime();
+			fto.expires = trans.org().expiration(now, Expiration.Future).getTime();
+
+			Result<String> rfc = func.createFuture(trans, fto, 
+					userRole.user+'|'+userRole.role, userRole.user, rns.value, FUTURE_OP.D);
+			if(rfc.isOK()) {
+				return Result.err(Status.ACC_Future, "UserRole [%s - %s] is saved for future processing", 
+						userRole.user,
+						userRole.role);
+			} else { 
+				return Result.err(rfc);
+			}
+		} else {
+			return ques.userRoleDAO.delete(trans, rulr.value.get(0), false);
+		}
+	}
+
+	@ApiDoc( 
+			method = GET,  
+			path = "/authz/userRole/:user/:role",
+			params = {"user|string|true",
+					  "role|string|true"},
+			expectedCode = 200,
+			errorCodes = {403,404,406}, 
+			text = { "Returns the User (with Expiration date from listed User/Role) if it exists"
+				   }
+			)
+	@Override
+	public Result<USERS> getUserInRole(AuthzTrans trans, String user, String role) {
+		final Validator v = new ServiceValidator();
+		if(v.role(role).nullOrBlank("User", user).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+//		Result<NsDAO.Data> ns = ques.deriveNs(trans, role);
+//		if (ns.notOK()) return Result.err(ns);
+//		
+//		Result<NsDAO.Data> rnd = ques.mayUser(trans, trans.user(), ns.value, Access.write);
+		// May calling user see by virtue of the Role
+		Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans, ques, role);
+		if(rrdd.notOK()) {
+			return Result.err(rrdd);
+		}
+		Result<NsDAO.Data> rnd = ques.mayUser(trans, trans.user(), rrdd.value,Access.read);
+		if(rnd.notOK()) {
+			return Result.err(rnd); 
+		}
+		
+		HashSet<UserRoleDAO.Data> userSet = new HashSet<UserRoleDAO.Data>();
+		Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readUserInRole(trans, user, role);
+		if(rlurd.isOK()) {
+			for(UserRoleDAO.Data data : rlurd.value) {
+				userSet.add(data);
+			}
+		}
+		
+		@SuppressWarnings("unchecked")
+		USERS users = (USERS) mapper.newInstance(API.USERS);
+		mapper.users(trans, userSet, users);
+		return Result.ok(users);
+	}
+
+	@ApiDoc( 
+			method = GET,  
+			path = "/authz/users/role/:role",
+			params = {"user|string|true",
+					  "role|string|true"},
+			expectedCode = 200,
+			errorCodes = {403,404,406}, 
+			text = { "Returns the User (with Expiration date from listed User/Role) if it exists"
+				   }
+			)
+	@Override
+	public Result<USERS> getUsersByRole(AuthzTrans trans, String role) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("Role",role).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+//		Result<NsDAO.Data> ns = ques.deriveNs(trans, role);
+//		if (ns.notOK()) return Result.err(ns);
+//		
+//		Result<NsDAO.Data> rnd = ques.mayUser(trans, trans.user(), ns.value, Access.write);
+		// May calling user see by virtue of the Role
+		Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans, ques, role);
+		if(rrdd.notOK()) {
+			return Result.err(rrdd);
+		}
+		
+		boolean contactOnly = false;
+		// Allow the request of any valid user to find the contact of the NS (Owner)
+		Result<NsDAO.Data> rnd = ques.mayUser(trans, trans.user(), rrdd.value,Access.read);
+		if(rnd.notOK()) {
+			if(Question.OWNER.equals(rrdd.value.name)) {
+				contactOnly = true;
+			} else {
+				return Result.err(rnd);
+			}
+		}
+		
+		HashSet<UserRoleDAO.Data> userSet = new HashSet<UserRoleDAO.Data>();
+		Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByRole(trans, role);
+		if(rlurd.isOK()) { 
+			for(UserRoleDAO.Data data : rlurd.value) {
+				if(contactOnly) { //scrub data
+					// Can't change actual object, or will mess up the cache.
+					UserRoleDAO.Data scrub = new UserRoleDAO.Data();
+					scrub.ns = data.ns;
+					scrub.rname = data.rname;
+					scrub.role = data.role;
+					scrub.user = data.user;
+					userSet.add(scrub);
+				} else {
+					userSet.add(data);
+				}
+			}
+		}
+		
+		@SuppressWarnings("unchecked")
+		USERS users = (USERS) mapper.newInstance(API.USERS);
+		mapper.users(trans, userSet, users);
+		return Result.ok(users);
+	}
+
+	/**
+	 * getUsersByPermission
+	 */
+    @ApiDoc(
+            method = GET,
+            path = "/authz/users/perm/:type/:instance/:action",
+            params = {	"type|string|true",
+            			"instance|string|true",
+            			"action|string|true"
+            		},
+            expectedCode = 200,
+            errorCodes = {404,406},
+            text = { "List all Users that have Permission specified by :type :instance :action",
+            		}
+           )
+	@Override
+	public Result<USERS> getUsersByPermission(AuthzTrans trans, String type, String instance, String action) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("Type",type)
+			.nullOrBlank("Instance",instance)
+			.nullOrBlank("Action",action)			
+			.err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		Result<NsSplit> nss = ques.deriveNsSplit(trans, type);
+		if(nss.notOK()) {
+			return Result.err(nss);
+		}
+		
+		Result<List<NsDAO.Data>> nsd = ques.nsDAO.read(trans, nss.value.ns);
+		if (nsd.notOK()) {
+			return Result.err(nsd);
+		}
+		
+		boolean allInstance = ASTERIX.equals(instance);
+		boolean allAction = ASTERIX.equals(action);
+		// Get list of roles per Permission, 
+		// Then loop through Roles to get Users
+		// Note: Use Sets to avoid processing or responding with Duplicates
+		Set<String> roleUsed = new HashSet<String>();
+		Set<UserRoleDAO.Data> userSet = new HashSet<UserRoleDAO.Data>();
+		
+		if(!nss.isEmpty()) {
+			Result<List<PermDAO.Data>> rlp = ques.permDAO.readByType(trans, nss.value.ns, nss.value.name);
+			if(rlp.isOKhasData()) {
+				for(PermDAO.Data pd : rlp.value) {
+					if((allInstance || pd.instance.equals(instance)) && 
+							(allAction || pd.action.equals(action))) {
+						if(ques.mayUser(trans, trans.user(),pd,Access.read).isOK()) {
+							for(String role : pd.roles) {
+								if(!roleUsed.contains(role)) { // avoid evaluating Role many times
+									roleUsed.add(role);
+									Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByRole(trans, role.replace('|', '.'));
+									if(rlurd.isOKhasData()) {
+									    for(UserRoleDAO.Data urd : rlurd.value) {
+									    	userSet.add(urd);
+									    }
+									}
+								}
+							}
+						}
+					}
+				}
+			}
+		}
+		@SuppressWarnings("unchecked")
+		USERS users = (USERS) mapper.newInstance(API.USERS);
+		mapper.users(trans, userSet, users);
+		return Result.ok(users);
+	}
+
+    /***********************************
+ * HISTORY 
+ ***********************************/	
+	@Override
+	public Result<HISTORY> getHistoryByUser(final AuthzTrans trans, String user, final int[] yyyymm, final int sort) {	
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("User",user).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		Result<NsDAO.Data> rnd;
+		// Users may look at their own data
+		 if(trans.user().equals(user)) {
+				// Users may look at their own data
+		 } else {
+			int at = user.indexOf('@');
+			if(at>=0 && trans.org().getRealm().equals(user.substring(at+1))) {
+				NsDAO.Data nsd  = new NsDAO.Data();
+				nsd.name = Question.domain2ns(user);
+				rnd = ques.mayUser(trans, trans.user(), nsd, Access.read);
+				if(rnd.notOK()) {
+					return Result.err(rnd);
+				}
+			} else {
+				rnd = ques.validNSOfDomain(trans, user);
+				if(rnd.notOK()) {
+					return Result.err(rnd);
+				}
+
+				rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read);
+				if(rnd.notOK()) {
+					return Result.err(rnd);
+				}
+			}
+		 }
+		Result<List<HistoryDAO.Data>> resp = ques.historyDAO.readByUser(trans, user, yyyymm);
+		if(resp.notOK()) {
+			return Result.err(resp);
+		}
+		return mapper.history(trans, resp.value,sort);
+	}
+
+	@Override
+	public Result<HISTORY> getHistoryByRole(AuthzTrans trans, String role, int[] yyyymm, final int sort) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("Role",role).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans, ques, role);
+		if(rrdd.notOK()) {
+			return Result.err(rrdd);
+		}
+		
+		Result<NsDAO.Data> rnd = ques.mayUser(trans, trans.user(), rrdd.value, Access.read);
+		if(rnd.notOK()) {
+			return Result.err(rnd);
+		}
+		Result<List<HistoryDAO.Data>> resp = ques.historyDAO.readBySubject(trans, role, "role", yyyymm); 
+		if(resp.notOK()) {
+			return Result.err(resp);
+		}
+		return mapper.history(trans, resp.value,sort);
+	}
+
+	@Override
+	public Result<HISTORY> getHistoryByPerm(AuthzTrans trans, String type, int[] yyyymm, final int sort) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("Type",type)
+			.err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		// May user see Namespace of Permission (since it's only one piece... we can't check for "is permission part of")
+		Result<NsDAO.Data> rnd = ques.deriveNs(trans,type);
+		if(rnd.notOK()) {
+			return Result.err(rnd);
+		}
+		
+		rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read);
+		if(rnd.notOK()) {
+			return Result.err(rnd);	
+		}
+		Result<List<HistoryDAO.Data>> resp = ques.historyDAO.readBySubject(trans, type, "perm", yyyymm);
+		if(resp.notOK()) {
+			return Result.err(resp);
+		}
+		return mapper.history(trans, resp.value,sort);
+	}
+
+	@Override
+	public Result<HISTORY> getHistoryByNS(AuthzTrans trans, String ns, int[] yyyymm, final int sort) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("NS",ns)
+			.err()) { 
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		Result<NsDAO.Data> rnd = ques.deriveNs(trans,ns);
+		if(rnd.notOK()) {
+			return Result.err(rnd);
+		}
+		rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read);
+		if(rnd.notOK()) {
+			return Result.err(rnd);	
+		}
+
+		Result<List<HistoryDAO.Data>> resp = ques.historyDAO.readBySubject(trans, ns, "ns", yyyymm);
+		if(resp.notOK()) {
+			return Result.err(resp);
+		}
+		return mapper.history(trans, resp.value,sort);
+	}
+
+/***********************************
+ * DELEGATE 
+ ***********************************/
+	@Override
+	public Result<Void> createDelegate(final AuthzTrans trans, REQUEST base) {
+		return createOrUpdateDelegate(trans, base, Question.Access.create);
+	}
+
+	@Override
+	public Result<Void> updateDelegate(AuthzTrans trans, REQUEST base) {
+		return createOrUpdateDelegate(trans, base, Question.Access.write);
+	}
+
+
+	private Result<Void> createOrUpdateDelegate(final AuthzTrans trans, REQUEST base, final Access access) {
+		final Result<DelegateDAO.Data> rd = mapper.delegate(trans, base);
+		final ServiceValidator v = new ServiceValidator();
+		if(v.delegate(trans.org(),rd).err()) { 
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		final DelegateDAO.Data dd = rd.value;
+		
+		Result<List<DelegateDAO.Data>> ddr = ques.delegateDAO.read(trans, dd);
+		if(access==Access.create && ddr.isOKhasData()) {
+			return Result.err(Status.ERR_ConflictAlreadyExists, "[%s] already delegates to [%s]", dd.user, ddr.value.get(0).delegate);
+		} else if(access!=Access.create && ddr.notOKorIsEmpty()) { 
+			return Result.err(Status.ERR_NotFound, "[%s] does not have a Delegate Record to [%s].",dd.user,access.name());
+		}
+		Result<Void> rv = ques.mayUser(trans, dd, access);
+		if(rv.notOK()) {
+			return rv;
+		}
+		
+		Result<FutureDAO.Data> fd = mapper.future(trans,DelegateDAO.TABLE,base, dd, false, 
+			new Mapper.Memo() {
+				@Override
+				public String get() {
+					StringBuilder sb = new StringBuilder();
+					sb.append(access.name());
+					sb.setCharAt(0, Character.toUpperCase(sb.charAt(0)));
+					sb.append("Delegate ");
+					sb.append(access==Access.create?"[":"to [");
+					sb.append(rd.value.delegate);
+					sb.append("] for [");
+					sb.append(rd.value.user);
+					sb.append(']');
+					return sb.toString();
+				}
+			},
+			new MayChange() {
+				@Override
+				public Result<?> mayChange() {
+					return Result.ok(); // Validate in code above
+				}
+			});
+		
+		switch(fd.status) {
+			case OK:
+				Result<String> rfc = func.createFuture(trans, fd.value, 
+						dd.user, trans.user(),null, access==Access.create?FUTURE_OP.C:FUTURE_OP.U);
+				if(rfc.isOK()) { 
+					return Result.err(Status.ACC_Future, "Delegate for [%s]",
+							dd.user);
+				} else { 
+					return Result.err(rfc);
+				}
+			case Status.ACC_Now:
+				if(access==Access.create) {
+					Result<DelegateDAO.Data> rdr = ques.delegateDAO.create(trans, dd);
+					if(rdr.isOK()) {
+						return Result.ok();
+					} else {
+						return Result.err(rdr);
+					}
+				} else {
+					return ques.delegateDAO.update(trans, dd);
+				}
+			default:
+				return Result.err(fd);
+		}
+	}
+
+	@Override
+	public Result<Void> deleteDelegate(AuthzTrans trans, REQUEST base) {
+		final Result<DelegateDAO.Data> rd = mapper.delegate(trans, base);
+		final Validator v = new ServiceValidator();
+		if(v.notOK(rd).nullOrBlank("User", rd.value.user).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		
+		Result<List<DelegateDAO.Data>> ddl;
+		if((ddl=ques.delegateDAO.read(trans, rd.value)).notOKorIsEmpty()) {
+			return Result.err(Status.ERR_DelegateNotFound,"Cannot delete non-existent Delegate");
+		}
+		final DelegateDAO.Data dd = ddl.value.get(0);
+		Result<Void> rv = ques.mayUser(trans, dd, Access.write);
+		if(rv.notOK()) {
+			return rv;
+		}
+		
+		return ques.delegateDAO.delete(trans, dd, false);
+	}
+
+	@Override
+	public Result<Void> deleteDelegate(AuthzTrans trans, String userName) {
+		DelegateDAO.Data dd = new DelegateDAO.Data();
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("User", userName).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		dd.user = userName;
+		Result<List<DelegateDAO.Data>> ddl;
+		if((ddl=ques.delegateDAO.read(trans, dd)).notOKorIsEmpty()) {
+			return Result.err(Status.ERR_DelegateNotFound,"Cannot delete non-existent Delegate");
+		}
+		dd = ddl.value.get(0);
+		Result<Void> rv = ques.mayUser(trans, dd, Access.write);
+		if(rv.notOK()) {
+			return rv;
+		}
+		
+		return ques.delegateDAO.delete(trans, dd, false);
+	}
+	
+	@Override
+	public Result<DELGS> getDelegatesByUser(AuthzTrans trans, String user) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("User", user).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		DelegateDAO.Data ddd = new DelegateDAO.Data();
+		ddd.user = user;
+		ddd.delegate = null;
+		Result<Void> rv = ques.mayUser(trans, ddd, Access.read);
+		if(rv.notOK()) {
+			return Result.err(rv);
+		}
+		
+		TimeTaken tt = trans.start("Get delegates for a user", Env.SUB);
+
+		Result<List<DelegateDAO.Data>> dbDelgs = ques.delegateDAO.read(trans, user);
+		try {
+			if (dbDelgs.isOKhasData()) {
+				return mapper.delegate(dbDelgs.value);
+			} else {
+				return Result.err(Status.ERR_DelegateNotFound,"No Delegate found for [%s]",user);
+			}
+		} finally {
+			tt.done();
+		}		
+	}
+
+	@Override
+	public Result<DELGS> getDelegatesByDelegate(AuthzTrans trans, String delegate) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("Delegate", delegate).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		DelegateDAO.Data ddd = new DelegateDAO.Data();
+		ddd.user = delegate;
+		Result<Void> rv = ques.mayUser(trans, ddd, Access.read);
+		if(rv.notOK()) {
+			return Result.err(rv);
+		}
+
+		TimeTaken tt = trans.start("Get users for a delegate", Env.SUB);
+
+		Result<List<DelegateDAO.Data>> dbDelgs = ques.delegateDAO.readByDelegate(trans, delegate);
+		try {
+			if (dbDelgs.isOKhasData()) {
+				return mapper.delegate(dbDelgs.value);
+			} else {
+				return Result.err(Status.ERR_DelegateNotFound,"Delegate [%s] is not delegating for anyone.",delegate);
+			}
+		} finally {
+			tt.done();
+		}		
+	}
+
+/***********************************
+ * APPROVAL 
+ ***********************************/
+	private static final String APPR_FMT = "actor=%s, action=%s, operation=\"%s\", requestor=%s, delegator=%s";
+	@Override
+	public Result<Void> updateApproval(AuthzTrans trans, APPROVALS approvals) {
+		Result<List<ApprovalDAO.Data>> rlad = mapper.approvals(approvals);
+		if(rlad.notOK()) {
+			return Result.err(rlad);
+		}
+		int numApprs = rlad.value.size();
+		if(numApprs<1) {
+			return Result.err(Status.ERR_NoApprovals,"No Approvals sent for Updating");
+		}
+		int numProcessed = 0;
+		String user = trans.user();
+		
+		Result<List<ApprovalDAO.Data>> curr;
+		Lookup<List<ApprovalDAO.Data>> apprByTicket=null;
+		for(ApprovalDAO.Data updt : rlad.value) {
+			if(updt.ticket!=null) {
+				curr = ques.approvalDAO.readByTicket(trans, updt.ticket);
+				if(curr.isOKhasData()) {
+					final List<ApprovalDAO.Data> add = curr.value;
+					apprByTicket = new Lookup<List<ApprovalDAO.Data>>() { // Store a Pre-Lookup
+						@Override
+						public List<ApprovalDAO.Data> get(AuthzTrans trans, Object ... noop) {
+							return add;
+						}
+					};
+				}
+			} else if(updt.id!=null) {
+				curr = ques.approvalDAO.read(trans, updt);
+			} else if(updt.approver!=null) {
+				curr = ques.approvalDAO.readByApprover(trans, updt.approver);
+			} else {
+				return Result.err(Status.ERR_BadData,"Approvals need ID, Ticket or Approval data to update");
+			}
+
+			if(curr.isOKhasData()) {
+		    	Map<String, Result<List<DelegateDAO.Data>>> delegateCache = new HashMap<String, Result<List<DelegateDAO.Data>>>();
+		    	Map<UUID, FutureDAO.Data> futureCache = new HashMap<UUID, FutureDAO.Data>();
+		    	FutureDAO.Data hasDeleted = new FutureDAO.Data();
+		    	
+			    for(ApprovalDAO.Data cd : curr.value) {
+			    	if("pending".equals(cd.status)) {
+						// Check for right record.  Need ID, or (Ticket&Trans.User==Appr)
+				    	// If Default ID
+				    	boolean delegatedAction = ques.isDelegated(trans, user, cd.approver, delegateCache);
+				    	String delegator = cd.approver;
+				    	if(updt.id!=null || 
+				    		(updt.ticket!=null && user.equals(cd.approver)) ||
+				    		(updt.ticket!=null && delegatedAction)) {
+				    		if(updt.ticket.equals(cd.ticket)) {
+				    			Changed ch = new Changed();
+				    			cd.id = ch.changed(cd.id,updt.id);
+//				    			cd.ticket = changed(cd.ticket,updt.ticket);
+				    			cd.user = ch.changed(cd.user,updt.user);
+				    			cd.approver = ch.changed(cd.approver,updt.approver);
+				    			cd.type = ch.changed(cd.type,updt.type);
+				    			cd.status = ch.changed(cd.status,updt.status);
+				    			cd.memo = ch.changed(cd.memo,updt.memo);
+				    			cd.operation = ch.changed(cd.operation,updt.operation);
+			    				cd.updated = ch.changed(cd.updated,updt.updated==null?new Date():updt.updated);
+				    			if(updt.status.equals("denied")) {
+				    				cd.last_notified = null;
+				    			}
+				    			if(cd.ticket!=null) {
+					    			FutureDAO.Data fdd = futureCache.get(cd.ticket);
+					    			if(fdd==null) { // haven't processed ticket yet
+					    				Result<FutureDAO.Data> rfdd = ques.futureDAO.readPrimKey(trans, cd.ticket);
+					    				if(rfdd.isOK()) {
+					    					fdd = rfdd.value; // null is ok
+					    				} else {
+					    					fdd = hasDeleted;
+					    				}
+					    				futureCache.put(cd.ticket, fdd); // processed this Ticket... don't do others on this ticket
+					    			}
+					    			if(fdd==hasDeleted) { // YES, by Object
+					    				cd.ticket = null;
+					    				cd.status = "ticketDeleted";
+					    				ch.hasChanged(true);
+					    			} else {
+					    				FUTURE_OP fop = FUTURE_OP.toFO(cd.operation);
+					    				if(fop==null) {
+					    					trans.info().printf("Approval Status %s is not actionable",cd.status);
+					    				} else if(apprByTicket!=null) {
+							    			Result<OP_STATUS> rv = func.performFutureOp(trans, fop, fdd, apprByTicket,func.urDBLookup);
+							    			if (rv.isOK()) {
+							    				switch(rv.value) {
+							    					case E:
+									    				if (delegatedAction) {
+									    					trans.audit().printf(APPR_FMT,user,updt.status,cd.memo,cd.user,delegator);
+									    				}
+									    				futureCache.put(cd.ticket, hasDeleted);
+									    				break;
+							    					case D:
+							    					case L:
+							    						ch.hasChanged(true);
+								    					trans.audit().printf(APPR_FMT,user,rv.value.desc(),cd.memo,cd.user,delegator);
+									    				futureCache.put(cd.ticket, hasDeleted);
+								    					break;
+								    				default:
+							    				}
+							    			} else {
+							    				trans.info().log(rv.toString());
+							    			}
+					    				}
+
+					    			}
+					    			++numProcessed;
+				    			}
+			    				if(ch.hasChanged()) {
+			    					ques.approvalDAO.update(trans, cd, true);
+			    				}
+				    		}
+				    	}
+				    }
+			    }
+			}
+		}
+
+		if(numApprs==numProcessed) {
+			return Result.ok();
+		}
+		return Result.err(Status.ERR_ActionNotCompleted,numProcessed + " out of " + numApprs + " completed");
+
+	}
+	
+	private static class Changed {
+		private boolean hasChanged = false;
+
+		public<T> T changed(T src, T proposed) {
+			if(proposed==null || (src!=null && src.equals(proposed))) {
+			    return src;
+			}
+			hasChanged=true;
+			return proposed;
+		}
+
+		public void hasChanged(boolean b) {
+			hasChanged=b;
+		}
+
+		public boolean hasChanged() {
+			return hasChanged;
+		}
+	}
+
+	@Override
+	public Result<APPROVALS> getApprovalsByUser(AuthzTrans trans, String user) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("User", user).err()) { 
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+
+		Result<List<ApprovalDAO.Data>> rapd = ques.approvalDAO.readByUser(trans, user);
+		if(rapd.isOK()) {
+			return mapper.approvals(rapd.value);
+		} else {
+			return Result.err(rapd);
+		}
+}
+
+	@Override
+	public Result<APPROVALS> getApprovalsByTicket(AuthzTrans trans, String ticket) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("Ticket", ticket).err()) { 
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		UUID uuid;
+		try {
+			uuid = UUID.fromString(ticket);
+		} catch (IllegalArgumentException e) {
+			return Result.err(Status.ERR_BadData,e.getMessage());
+		}
+	
+		Result<List<ApprovalDAO.Data>> rapd = ques.approvalDAO.readByTicket(trans, uuid);
+		if(rapd.isOK()) {
+			return mapper.approvals(rapd.value);
+		} else {
+			return Result.err(rapd);
+		}
+	}
+	
+	@Override
+	public Result<APPROVALS> getApprovalsByApprover(AuthzTrans trans, String approver) {
+		final Validator v = new ServiceValidator();
+		if(v.nullOrBlank("Approver", approver).err()) {
+			return Result.err(Status.ERR_BadData,v.errs());
+		}
+		
+		List<ApprovalDAO.Data> listRapds = new ArrayList<ApprovalDAO.Data>();
+		
+		Result<List<ApprovalDAO.Data>> myRapd = ques.approvalDAO.readByApprover(trans, approver);
+		if(myRapd.notOK()) {
+			return Result.err(myRapd);
+		}
+		
+		listRapds.addAll(myRapd.value);
+		
+		Result<List<DelegateDAO.Data>> delegatedFor = ques.delegateDAO.readByDelegate(trans, approver);
+		if (delegatedFor.isOK()) {
+			for (DelegateDAO.Data dd : delegatedFor.value) {
+				if (dd.expires.after(new Date())) {
+					String delegator = dd.user;
+					Result<List<ApprovalDAO.Data>> rapd = ques.approvalDAO.readByApprover(trans, delegator);
+					if (rapd.isOK()) {
+						for (ApprovalDAO.Data d : rapd.value) { 
+							if (!d.user.equals(trans.user())) {
+								listRapds.add(d);
+							}
+						}
+					}
+				}
+			}
+		}
+		
+		return mapper.approvals(listRapds);
+	}
+	
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.service.AuthzService#clearCache(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.String)
+	 */
+	@Override
+	public Result<Void> cacheClear(AuthzTrans trans, String cname) {
+		if(ques.isGranted(trans,trans.user(),ROOT_NS,CACHE,cname,"clear")) {
+			return ques.clearCache(trans,cname);
+		}
+		return Result.err(Status.ERR_Denied, "%s does not have AAF Permission '%s.%s|%s|clear",
+				trans.user(),ROOT_NS,CACHE,cname);
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.service.AuthzService#cacheClear(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.String, java.lang.Integer)
+	 */
+	@Override
+	public Result<Void> cacheClear(AuthzTrans trans, String cname, int[] segment) {
+		if(ques.isGranted(trans,trans.user(),ROOT_NS,CACHE,cname,"clear")) {
+			Result<Void> v=null;
+			for(int i: segment) {
+				v=ques.cacheClear(trans,cname,i);
+			}
+			if(v!=null) {
+				return v;
+			}
+		}
+		return Result.err(Status.ERR_Denied, "%s does not have AAF Permission '%s.%s|%s|clear",
+				trans.user(),ROOT_NS,CACHE,cname);
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.service.AuthzService#dbReset(org.onap.aaf.auth.env.test.AuthzTrans)
+	 */
+	@Override
+	public void dbReset(AuthzTrans trans) {
+		ques.historyDAO.reportPerhapsReset(trans, null);
+	}
+
+}
+
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzService.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzService.java
new file mode 100644
index 00000000..01e18510
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzService.java
@@ -0,0 +1,768 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service;
+
+import java.util.Date;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.aaf.auth.dao.DAOException;
+import org.onap.aaf.auth.dao.cass.NsType;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.service.mapper.Mapper;
+
+public interface AuthzService<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS,CERTS,KEYS,REQUEST,HISTORY,ERR,APPROVALS> {
+	public Mapper<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS,CERTS,KEYS,REQUEST,HISTORY,ERR,APPROVALS> mapper();
+	
+/***********************************
+ * NAMESPACE 
+ ***********************************/
+	/**
+	 * 
+	 * @param trans
+	 * @param user
+	 * @param ns
+	 * @return
+	 * @throws DAOException 
+	 * @throws  
+	 */
+	public Result<Void> createNS(AuthzTrans trans, REQUEST request, NsType type);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param ns
+	 * @return
+	 */
+	public Result<Void> addAdminNS(AuthzTrans trans, String ns, String id);
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param ns
+	 * @return
+	 */
+	public Result<Void> delAdminNS(AuthzTrans trans, String ns, String id);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param ns
+	 * @param id
+	 * @return
+	 */
+	public Result<Void> addResponsibleNS(AuthzTrans trans, String ns, String id);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param ns
+	 * @param id
+	 * @return
+	 */
+	public Result<Void> delResponsibleNS(AuthzTrans trans, String ns, String id);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param ns
+	 * @param key
+	 * @param value
+	 * @return
+	 */
+	public Result<Void> createNsAttrib(AuthzTrans trans, String ns, String key, String value);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param ns
+	 * @param key
+	 * @param value
+	 * @return
+	 */
+	public Result<?> updateNsAttrib(AuthzTrans trans, String ns, String key, String value);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param ns
+	 * @param key
+	 * @return
+	 */
+	public Result<Void> deleteNsAttrib(AuthzTrans trans, String ns, String key);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param ns
+	 * @param key
+	 * @return
+	 */
+	public Result<KEYS> readNsByAttrib(AuthzTrans trans, String key);
+
+
+	/**
+	 * 
+	 * @param trans
+	 * @param ns
+	 * @return
+	 */
+	public Result<NSS> getNSbyName(AuthzTrans trans, String ns);
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param user
+	 * @return
+	 */
+	public Result<NSS> getNSbyAdmin(AuthzTrans trans, String user, boolean full);
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param user
+	 * @return
+	 */
+	public Result<NSS> getNSbyResponsible(AuthzTrans trans, String user, boolean full);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param user
+	 * @return
+	 */
+	public Result<NSS> getNSbyEither(AuthzTrans trans, String user, boolean full);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param parent
+	 * @return
+	 */
+	public Result<NSS> getNSsChildren(AuthzTrans trans, String parent);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param req
+	 * @return
+	 */
+	public Result<Void> updateNsDescription(AuthzTrans trans, REQUEST req);
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param ns
+	 * @param user
+	 * @return
+	 * @throws DAOException
+	 */
+	public Result<Void> deleteNS(AuthzTrans trans, String ns);
+
+/***********************************
+ * PERM 
+ ***********************************/
+	/**
+	 * 
+	 * @param trans
+	 * @param rreq
+	 * @return
+	 * @throws DAOException 
+	 * @throws MappingException
+	 */
+	public Result<Void> createPerm(AuthzTrans trans, REQUEST rreq);
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param childPerm
+	 * @return
+	 * @throws DAOException 
+	 */
+	public Result<PERMS> getPermsByType(AuthzTrans trans, String perm);
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param type
+	 * @param instance
+	 * @param action
+	 * @return
+	 */
+	public Result<PERMS> getPermsByName(AuthzTrans trans, String type,
+			String instance, String action);
+
+	/**
+	 * Gets all the permissions for a user across all the roles it is assigned to
+	 * @param userName
+	 * @return
+	 * @throws Exception 
+	 * @throws Exception
+	 */
+	public Result<PERMS> getPermsByUser(AuthzTrans trans, String userName);
+
+	/**
+	 * Gets all the permissions for a user across all the roles it is assigned to, filtered by NS (Scope)
+	 * 
+	 * @param trans
+	 * @param user
+	 * @param scopes
+	 * @return
+	 */
+	public Result<PERMS> getPermsByUserScope(AuthzTrans trans, String user, String[] scopes);
+
+
+	/**
+	 * Gets all the permissions for a user across all the roles it is assigned to
+	 * 
+	 * Add AAF Perms representing the "MayUser" calls if
+	 * 	1) Allowed
+	 *  2) User has equivalent permission
+	 * 	
+	 * @param userName
+	 * @return
+	 * @throws Exception 
+	 * @throws Exception
+	 */
+	public Result<PERMS> getPermsByUser(AuthzTrans trans, PERMS perms, String userName);
+
+	/**
+	 * 
+	 * Gets all the permissions for a user across all the roles it is assigned to
+	 * 
+	 * @param roleName
+	 * @return
+	 * @throws Exception
+	 */
+	public Result<PERMS> getPermsByRole(AuthzTrans trans, String roleName);
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param ns
+	 * @return
+	 */
+	public Result<PERMS> getPermsByNS(AuthzTrans trans, String ns);
+
+	/**
+	 * rename permission
+	 * 
+	 * @param trans
+	 * @param rreq
+	 * @param isRename
+	 * @param origType
+	 * @param origInstance
+	 * @param origAction
+	 * @return
+	 */
+	public Result<Void> renamePerm(AuthzTrans trans, REQUEST rreq, String origType, String origInstance, String origAction);
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param req
+	 * @return
+	 */
+	public Result<Void> updatePermDescription(AuthzTrans trans, REQUEST req);
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param from
+	 * @return
+	 */
+	public Result<Void> resetPermRoles(AuthzTrans trans, REQUEST from);
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param from
+	 * @return
+	 * @throws Exception
+	 */
+	public Result<Void> deletePerm(AuthzTrans trans, REQUEST from);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param user
+	 * @param perm
+	 * @param type
+	 * @param action
+	 * @return
+	 * @throws Exception
+	 */
+	Result<Void> deletePerm(AuthzTrans trans, String perm, String type, String action);
+
+/***********************************
+ * ROLE 
+ ***********************************/
+	/**
+	 * 
+	 * @param trans
+	 * @param user
+	 * @param role
+	 * @param approvers
+	 * @return
+	 * @throws DAOException 
+	 * @throws Exception
+	 */
+	public Result<Void> createRole(AuthzTrans trans, REQUEST req);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param role
+	 * @return
+	 */
+	public Result<ROLES> getRolesByName(AuthzTrans trans, String role);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param user
+	 * @return
+	 * @throws DAOException 
+	 */
+	public Result<ROLES> getRolesByUser(AuthzTrans trans, String user);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param user
+	 * @return
+	 */
+	public Result<ROLES> getRolesByNS(AuthzTrans trans, String user);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param name
+	 * @return
+	 */
+	public Result<ROLES> getRolesByNameOnly(AuthzTrans trans, String name);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param type
+	 * @param instance
+	 * @param action
+	 * @return
+	 */
+	public Result<ROLES> getRolesByPerm(AuthzTrans trans, String type, String instance, String action);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param req
+	 * @return
+	 */
+	public Result<Void> updateRoleDescription(AuthzTrans trans, REQUEST req);
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param rreq
+	 * @return
+	 * @throws DAOException
+	 */
+	public Result<Void> addPermToRole(AuthzTrans trans, REQUEST rreq);
+	
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param rreq
+	 * @return
+	 * @throws DAOException
+	 */
+	Result<Void> delPermFromRole(AuthzTrans trans, REQUEST rreq);
+
+	/**
+	 *  Itemized key delete
+	 * @param trans
+	 * @param role
+	 * @param type
+	 * @param instance
+	 * @param action
+	 * @return
+	 */
+	public Result<Void> delPermFromRole(AuthzTrans trans, String role, String type, String instance, String action);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param user
+	 * @param role
+	 * @return
+	 * @throws DAOException 
+	 * @throws MappingException 
+	 */
+	public Result<Void> deleteRole(AuthzTrans trans, String role);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param req
+	 * @return
+	 */
+	public Result<Void> deleteRole(AuthzTrans trans, REQUEST req);
+
+/***********************************
+ * CRED 
+ ***********************************/
+
+	/**
+	 * 
+	 * @param trans
+	 * @param from
+	 * @return
+	 */
+	Result<Void> createUserCred(AuthzTrans trans, REQUEST from);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param from
+	 * @return
+	 */
+	Result<Void> changeUserCred(AuthzTrans trans, REQUEST from);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param from
+	 * @param days
+	 * @return
+	 */
+	Result<Void> extendUserCred(AuthzTrans trans, REQUEST from, String days);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param ns
+	 * @return
+	 */
+	public Result<USERS> getCredsByNS(AuthzTrans trans, String ns);
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param id
+	 * @return
+	 */
+	public Result<USERS> getCredsByID(AuthzTrans trans, String id);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param req
+	 * @param id
+	 * @return
+	 */
+	public Result<CERTS> getCertInfoByID(AuthzTrans trans, HttpServletRequest req, String id);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param credReq
+	 * @return
+	 */
+	public Result<Void> deleteUserCred(AuthzTrans trans, REQUEST credReq);
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param user
+	 * @return
+	 * @throws Exception
+	 */
+	public Result<Date> doesCredentialMatch(AuthzTrans trans, REQUEST credReq);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param basicAuth
+	 * @return
+	 */
+	public Result<Date> validateBasicAuth(AuthzTrans trans, String basicAuth);
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param role
+	 * @return
+	 */
+	public Result<USERS> getUsersByRole(AuthzTrans trans, String role);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param role
+	 * @return
+	 */
+	public Result<USERS> getUserInRole(AuthzTrans trans, String user, String role);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param type
+	 * @param instance
+	 * @param action
+	 * @return
+	 */
+	public Result<USERS> getUsersByPermission(AuthzTrans trans,String type, String instance, String action);
+	
+	
+
+
+/***********************************
+ * USER-ROLE 
+ ***********************************/
+	/**
+	 * 
+	 * @param trans
+	 * @param user
+	 * @param request
+	 * @return
+	 * @throws Exception
+	 */
+	public Result<Void> createUserRole(AuthzTrans trans, REQUEST request);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param role
+	 * @return
+	 */
+	public Result<USERROLES> getUserRolesByRole(AuthzTrans trans, String role);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param role
+	 * @return
+	 */
+	public Result<USERROLES> getUserRolesByUser(AuthzTrans trans, String user);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param from
+	 * @return
+	 */
+	public Result<Void> resetRolesForUser(AuthzTrans trans, REQUEST from);
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param from
+	 * @return
+	 */
+	public Result<Void> resetUsersForRole(AuthzTrans trans, REQUEST from);
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param user
+	 * @param role
+	 * @return
+	 */
+	public Result<Void> extendUserRole(AuthzTrans trans, String user,
+	String role);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param user
+	 * @param usr
+	 * @param role
+	 * @return
+	 * @throws DAOException 
+	 */
+	public Result<Void> deleteUserRole(AuthzTrans trans, String usr, String role);
+
+
+
+/***********************************
+ * HISTORY 
+ ***********************************/	
+	/**
+	 * 
+	 * @param trans
+	 * @param user
+	 * @param yyyymm
+	 * @return
+	 */
+	public Result<HISTORY> getHistoryByUser(AuthzTrans trans, String user, int[] yyyymm, int sort);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param subj
+	 * @param yyyymm
+	 * @param sort
+	 * @return
+	 */
+	public Result<HISTORY> getHistoryByRole(AuthzTrans trans, String subj, int[] yyyymm, int sort);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param subj
+	 * @param yyyymm
+	 * @param sort
+	 * @return
+	 */
+	public Result<HISTORY> getHistoryByPerm(AuthzTrans trans, String subj, int[] yyyymm, int sort);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param subj
+	 * @param yyyymm
+	 * @param sort
+	 * @return
+	 */
+	public Result<HISTORY> getHistoryByNS(AuthzTrans trans, String subj, int[] yyyymm, int sort);
+
+/***********************************
+ * DELEGATE 
+ ***********************************/
+	/**
+	 * 
+	 * @param trans
+	 * @param delegates
+	 * @return
+	 * @throws Exception
+	 */
+	public Result<Void> createDelegate(AuthzTrans trans, REQUEST reqDelegate);
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param delegates
+	 * @return
+	 * @throws Exception
+	 */
+	public Result<Void> updateDelegate(AuthzTrans trans, REQUEST reqDelegate);
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param userName
+	 * @param delegate
+	 * @return
+	 * @throws Exception
+	 */
+	public Result<Void> deleteDelegate(AuthzTrans trans, REQUEST reqDelegate);
+	
+	/**
+	 * 
+	 * @param trans
+	 * @param userName
+	 * @return
+	 */
+	public Result<Void> deleteDelegate(AuthzTrans trans, String userName);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param user
+	 * @return
+	 * @throws Exception
+	 */
+	public Result<DELGS> getDelegatesByUser(AuthzTrans trans, String user);
+	
+
+	/**
+	 * 
+	 * @param trans
+	 * @param delegate
+	 * @return
+	 */
+	public Result<DELGS> getDelegatesByDelegate(AuthzTrans trans, String delegate);
+
+/***********************************
+ * APPROVAL 
+ ***********************************/
+	/**
+	 * 
+	 * @param trans
+	 * @param user
+	 * @param approver
+	 * @param status
+	 * @return
+	 */
+	public Result<Void> updateApproval(AuthzTrans trans, APPROVALS approvals);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param user
+	 * @return
+	 */
+	public Result<APPROVALS> getApprovalsByUser(AuthzTrans trans, String user);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param ticket
+	 * @return
+	 */
+	public Result<APPROVALS> getApprovalsByTicket(AuthzTrans trans, String ticket);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param approver
+	 * @return
+	 */
+	public Result<APPROVALS> getApprovalsByApprover(AuthzTrans trans, String approver);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param cname
+	 * @return
+	 */
+	public Result<Void> cacheClear(AuthzTrans trans, String cname);
+
+	/**
+	 * 
+	 * @param trans
+	 * @param cname
+	 * @param segment
+	 * @return
+	 */
+	public Result<Void> cacheClear(AuthzTrans trans, String cname, int[] segment);
+
+	/**
+	 * 
+	 * @param trans
+	 */
+	public void dbReset(AuthzTrans trans);
+
+
+}
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/Code.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/Code.java
new file mode 100644
index 00000000..ba6e9d10
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/Code.java
@@ -0,0 +1,44 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.rserv.HttpCode;
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+
+public abstract class Code extends HttpCode<AuthzTrans, AuthzFacade> implements Cloneable {
+	public boolean useJSON;
+
+	public Code(AuthzFacade facade, String description, boolean useJSON, String ... roles) {
+		super(facade, description, roles);
+		this.useJSON = useJSON;
+	}
+	
+	public <D extends Code> D clone(AuthzFacade facade, boolean useJSON) throws Exception {
+		@SuppressWarnings("unchecked")
+		D d = (D)clone();
+		d.useJSON = useJSON;
+		d.context = facade;
+		return d;
+	}
+	
+}
+\ No newline at end of file
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/MayChange.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/MayChange.java
new file mode 100644
index 00000000..7df43a4c
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/MayChange.java
@@ -0,0 +1,33 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service;
+
+import org.onap.aaf.auth.layer.Result;
+
+/**
+ * There are several ways to determine if 
+ * @author Jonathan
+ *
+ */
+public interface MayChange {
+	public Result<?> mayChange();
+}
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Api.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Api.java
new file mode 100644
index 00000000..79dda326
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Api.java
@@ -0,0 +1,92 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service.api;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.http.HttpStatus;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.auth.service.AAF_Service;
+import org.onap.aaf.auth.service.Code;
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+import org.onap.aaf.auth.service.mapper.Mapper.API;
+import org.onap.aaf.cadi.Symm;
+
+/**
+ * API Apis
+ * @author Jonathan
+ *
+ */
+public class API_Api {
+	// Hide Public Constructor
+	private API_Api() {}
+	
+	/**
+	 * Normal Init level APIs
+	 * 
+	 * @param authzAPI
+	 * @param facade
+	 * @throws Exception
+	 */
+	public static void init(final AAF_Service authzAPI, AuthzFacade facade) throws Exception {
+		////////
+		// Overall APIs
+		///////
+		authzAPI.route(HttpMethods.GET,"/api",API.API,new Code(facade,"Document API", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.getAPI(trans,resp,authzAPI);
+				if(r.isOK()) {
+					resp.setStatus(HttpStatus.OK_200);
+				} else {
+					context.error(trans,resp,r);
+				}
+			}
+		});
+
+		////////
+		// Overall Examples
+		///////
+		authzAPI.route(HttpMethods.GET,"/api/example/*",API.VOID,new Code(facade,"Document API", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				String pathInfo = req.getPathInfo();
+				int question = pathInfo.lastIndexOf('?');
+				
+				pathInfo = pathInfo.substring(13, question<0?pathInfo.length():question);// IMPORTANT, this is size of "/api/example/"
+				String nameOrContextType=Symm.base64noSplit.decode(pathInfo);
+				Result<Void> r = context.getAPIExample(trans,resp,nameOrContextType,
+						question>=0 && "optional=true".equalsIgnoreCase(req.getPathInfo().substring(question+1))
+						);
+				if(r.isOK()) {
+					resp.setStatus(HttpStatus.OK_200);
+				} else {
+					context.error(trans,resp,r);
+				}
+			}
+		});
+
+	}
+}
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Approval.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Approval.java
new file mode 100644
index 00000000..e0c07684
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Approval.java
@@ -0,0 +1,106 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service.api;
+
+import static org.onap.aaf.auth.rserv.HttpMethods.GET;
+import static org.onap.aaf.auth.rserv.HttpMethods.PUT;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.http.HttpStatus;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.service.AAF_Service;
+import org.onap.aaf.auth.service.Code;
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+import org.onap.aaf.auth.service.mapper.Mapper.API;
+
+public class API_Approval {
+	// Hide Public Constructor
+	private API_Approval() {}
+	
+	public static void init(AAF_Service authzAPI, AuthzFacade facade) throws Exception {
+
+		/**
+		 * Get Approvals by User
+		 */
+		authzAPI.route(GET, "/authz/approval/user/:user",API.APPROVALS,
+				new Code(facade,"Get Approvals by User", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.getApprovalsByUser(trans, resp, pathParam(req,"user"));
+				if(r.isOK()) {
+					resp.setStatus(HttpStatus.OK_200); 
+				} else {
+					context.error(trans,resp,r);
+				}				
+			}			
+		});
+
+		/**
+		 * Get Approvals by Ticket
+		 */
+		authzAPI.route(GET, "/authz/approval/ticket/:ticket",API.APPROVALS,new Code(facade,"Get Approvals by Ticket ", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.getApprovalsByTicket(trans, resp, pathParam(req,"ticket"));
+				if(r.isOK()) {
+					resp.setStatus(HttpStatus.OK_200);
+				} else {
+					context.error(trans,resp,r);
+				}				
+			}			
+		});
+
+		/**
+		 * Get Approvals by Approver
+		 */
+		authzAPI.route(GET, "/authz/approval/approver/:approver",API.APPROVALS,new Code(facade,"Get Approvals by Approver", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.getApprovalsByApprover(trans, resp, pathParam(req,"approver"));
+				if(r.isOK()) {
+					resp.setStatus(HttpStatus.OK_200);
+				} else {
+						context.error(trans,resp,r);
+				}				
+			}			
+		});
+
+
+		/**
+		 * Update an approval
+		 */
+		authzAPI.route(PUT, "/authz/approval",API.APPROVALS,new Code(facade,"Update approvals", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.updateApproval(trans, req, resp);
+				if(r.isOK()) {
+					resp.setStatus(HttpStatus.OK_200);
+				} else {
+					context.error(trans,resp,r);
+				}				
+			}			
+		});
+	}
+}
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java
new file mode 100644
index 00000000..d31c9d01
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java
@@ -0,0 +1,285 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service.api;
+
+import static org.onap.aaf.auth.rserv.HttpMethods.DELETE;
+import static org.onap.aaf.auth.rserv.HttpMethods.GET;
+import static org.onap.aaf.auth.rserv.HttpMethods.POST;
+import static org.onap.aaf.auth.rserv.HttpMethods.PUT;
+
+import java.security.Principal;
+import java.util.Date;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.http.HttpStatus;
+import org.onap.aaf.auth.direct.DirectAAFUserPass;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.rserv.HttpMethods;
+import org.onap.aaf.auth.service.AAF_Service;
+import org.onap.aaf.auth.service.Code;
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+import org.onap.aaf.auth.service.mapper.Mapper.API;
+import org.onap.aaf.cadi.CredVal;
+import org.onap.aaf.cadi.Symm;
+import org.onap.aaf.cadi.principal.BasicPrincipal;
+import org.onap.aaf.cadi.principal.X509Principal;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+
+/**
+ * Initialize All Dispatches related to Credentials (AUTHN)
+ * @author Jonathan
+ *
+ */
+public class API_Creds {
+	// Hide Public Interface
+	private API_Creds() {}
+	// needed to validate Creds even when already Authenticated x509
+	/**
+	 * TIME SENSITIVE APIs
+	 * 
+	 * These will be first in the list
+	 * 
+	 * @param env
+	 * @param authzAPI
+	 * @param facade
+	 * @param directAAFUserPass 
+	 * @throws Exception
+	 */
+	public static void timeSensitiveInit(Env env, AAF_Service authzAPI, AuthzFacade facade, final DirectAAFUserPass directAAFUserPass) throws Exception {
+		/**
+		 * Basic Auth, quick Validation
+		 * 
+		 * Responds OK or NotAuthorized
+		 */
+		authzAPI.route(env, HttpMethods.GET, "/authn/basicAuth", new Code(facade,"Is given BasicAuth valid?",true) {
+			@Override
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+
+				Principal p = trans.getUserPrincipal();
+				if (p instanceof BasicPrincipal) {
+					// the idea is that if call is made with this credential, and it's a BasicPrincipal, it's ok
+					// otherwise, it wouldn't have gotten here.
+					resp.setStatus(HttpStatus.OK_200);
+				} else if (p instanceof X509Principal) {
+					// have to check Basic Auth here, because it might be CSP.
+					String authz = req.getHeader("Authorization");
+					if(authz.startsWith("Basic ")) {
+						String decoded = Symm.base64noSplit.decode(authz.substring(6));
+						int colon = decoded.indexOf(':');
+						TimeTaken tt = trans.start("Direct Validation", Env.REMOTE);
+						try {
+							if(directAAFUserPass.validate(
+									decoded.substring(0,colon), 
+									CredVal.Type.PASSWORD , 
+									decoded.substring(colon+1).getBytes(),trans)) {
+								
+								resp.setStatus(HttpStatus.OK_200);
+							} else {
+								// DME2 at this version crashes without some sort of response
+								resp.getOutputStream().print("");
+								resp.setStatus(HttpStatus.FORBIDDEN_403);
+							}
+						} finally {
+							tt.done();
+						}
+					}
+				} else if(p == null) {
+					trans.error().log("Transaction not Authenticated... no Principal");
+					resp.setStatus(HttpStatus.FORBIDDEN_403);
+				} else {
+					trans.checkpoint("Basic Auth Check Failed: This wasn't a Basic Auth Trans");
+					// For Auth Security questions, we don't give any info to client on why failed
+					resp.setStatus(HttpStatus.FORBIDDEN_403);
+				}
+			}
+		},"text/plain","*/*","*");
+		
+		/** 
+		 *  returns whether a given Credential is valid
+		 */
+		authzAPI.route(POST, "/authn/validate", API.CRED_REQ, new Code(facade,"Is given Credential valid?",true) {
+			@Override
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				
+				Result<Date> r = context.doesCredentialMatch(trans, req, resp);
+				if(r.isOK()) {
+					resp.setStatus(HttpStatus.OK_200);
+				} else {
+					// For Security, we don't give any info out on why failed, other than forbidden
+					// Can't do "401", because that is on the call itself
+					resp.setStatus(HttpStatus.FORBIDDEN_403);
+				}
+			}
+		});  
+
+		/** 
+		 *  returns whether a given Credential is valid
+		 */
+		authzAPI.route(GET, "/authn/cert/id/:id", API.CERTS, new Code(facade,"Get Cert Info by ID",true) {
+			@Override
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				
+				Result<Void> r = context.getCertInfoByID(trans, req, resp, pathParam(req,":id") );
+				if(r.isOK()) {
+						resp.setStatus(HttpStatus.OK_200); 
+				} else {
+						// For Security, we don't give any info out on why failed, other than forbidden
+						resp.setStatus(HttpStatus.FORBIDDEN_403);
+				}
+			}
+		});  
+
+
+
+
+	}
+	
+	/**
+	 * Normal Init level APIs
+	 * 
+	 * @param authzAPI
+	 * @param facade
+	 * @throws Exception
+	 */
+	public static void init(AAF_Service authzAPI, AuthzFacade facade) throws Exception {
+		/**
+		 * Create a new ID/Credential
+		 */
+		authzAPI.route(POST,"/authn/cred",API.CRED_REQ,new Code(facade,"Add a New ID/Credential", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {				Result<Void> r = context.createUserCred(trans, req);
+				if(r.isOK()) {
+					resp.setStatus(HttpStatus.CREATED_201);
+				} else {
+					context.error(trans,resp,r);
+				}
+			}
+		});
+		
+		/** 
+		 *  gets all credentials by Namespace
+		 */
+		authzAPI.route(GET, "/authn/creds/ns/:ns", API.USERS, new Code(facade,"Get Creds for a Namespace",true) {
+			@Override
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				
+				Result<Void> r = context.getCredsByNS(trans, resp, pathParam(req, "ns"));
+				if(r.isOK()) {
+					resp.setStatus(HttpStatus.OK_200); 
+				} else {
+					context.error(trans,resp,r);
+				}
+			}
+
+		});
+		
+		/** 
+		 *  gets all credentials by ID
+		 */
+		authzAPI.route(GET, "/authn/creds/id/:id", API.USERS, new Code(facade,"Get Creds by ID",true) {
+			@Override
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				
+				Result<Void> r = context.getCredsByID(trans, resp, pathParam(req, "id"));
+				if(r.isOK()) {
+					resp.setStatus(HttpStatus.OK_200); 
+				} else {
+					context.error(trans,resp,r);
+				}
+			}
+
+		});
+
+
+		/**
+		 * Update ID/Credential (aka reset)
+		 */
+		authzAPI.route(PUT,"/authn/cred",API.CRED_REQ,new Code(facade,"Update an ID/Credential", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				
+				Result<Void> r = context.changeUserCred(trans, req);
+				if(r.isOK()) {
+					resp.setStatus(HttpStatus.OK_200);
+				} else {
+					context.error(trans,resp,r);
+				}
+			}
+		});
+
+		/**
+		 * Extend ID/Credential
+		 * This behavior will accelerate getting out of P1 outages due to ignoring renewal requests, or
+		 * other expiration issues.
+		 * 
+		 * Scenario is that people who are solving Password problems at night, are not necessarily those who
+		 * know what the passwords are supposed to be.  Also, changing Password, without changing Configurations
+		 * using that password only exacerbates the P1 Issue.
+		 */
+		authzAPI.route(PUT,"/authn/cred/:days",API.CRED_REQ,new Code(facade,"Extend an ID/Credential", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.extendUserCred(trans, req, pathParam(req, "days"));
+				if(r.isOK()) {
+					resp.setStatus(HttpStatus.OK_200);
+				} else {
+					context.error(trans,resp,r);
+				}
+			}
+		});
+
+		/**
+		 * Delete a ID/Credential by Object
+		 */
+		authzAPI.route(DELETE,"/authn/cred",API.CRED_REQ,new Code(facade,"Delete a Credential", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.deleteUserCred(trans, req);
+				if(r.isOK()) {
+					resp.setStatus(HttpStatus.OK_200);
+				} else {
+					context.error(trans,resp,r);
+				}
+			}
+		});
+
+	}
+}
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Delegate.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Delegate.java
new file mode 100644
index 00000000..067c9192
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Delegate.java
@@ -0,0 +1,152 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service.api;
+
+import static org.onap.aaf.auth.layer.Result.OK;
+import static org.onap.aaf.auth.rserv.HttpMethods.DELETE;
+import static org.onap.aaf.auth.rserv.HttpMethods.GET;
+import static org.onap.aaf.auth.rserv.HttpMethods.POST;
+import static org.onap.aaf.auth.rserv.HttpMethods.PUT;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.http.HttpStatus;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.service.AAF_Service;
+import org.onap.aaf.auth.service.Code;
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+import org.onap.aaf.auth.service.mapper.Mapper.API;
+
+public class API_Delegate {
+	public static void init(AAF_Service authzAPI, AuthzFacade facade) throws Exception {
+		/**
+		 * Add a delegate
+		 */
+		authzAPI.route(POST, "/authz/delegate",API.DELG_REQ,new Code(facade,"Add a Delegate", true) {
+
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.createDelegate(trans, req, resp);
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.CREATED_201); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}				
+			}			
+		});
+		
+		/**
+		 * Update a delegate
+		 */
+		authzAPI.route(PUT, "/authz/delegate",API.DELG_REQ,new Code(facade,"Update a Delegate", true) {
+
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.updateDelegate(trans, req, resp);
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}				
+			}			
+		});
+		
+		/**
+		 * DELETE delegates for a user
+		 */
+		authzAPI.route(DELETE, "/authz/delegate",API.DELG_REQ,new Code(facade,"Delete delegates for a user", true) {
+
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.deleteDelegate(trans, req, resp);
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}				
+			}			
+		});
+		
+		/**
+		 * DELETE a delegate
+		 */
+		authzAPI.route(DELETE, "/authz/delegate/:user_name",API.VOID,new Code(facade,"Delete a Delegate", true) {
+
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.deleteDelegate(trans, pathParam(req, "user_name"));
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}				
+			}			
+		});
+		
+		/**
+		 * Read who is delegating for User
+		 */
+		authzAPI.route(GET, "/authz/delegates/user/:user",API.DELGS,new Code(facade,"Get Delegates by User", true) {
+
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.getDelegatesByUser(trans, pathParam(req, "user"), resp);
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}				
+			}			
+		});
+
+		/**
+		 * Read for whom the User is delegating
+		 */
+		authzAPI.route(GET, "/authz/delegates/delegate/:delegate",API.DELGS,new Code(facade,"Get Delegates by Delegate", true) {
+
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.getDelegatesByDelegate(trans, pathParam(req, "delegate"), resp);
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}				
+			}			
+		});
+
+	}
+}
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_History.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_History.java
new file mode 100644
index 00000000..9800ca42
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_History.java
@@ -0,0 +1,238 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service.api;
+
+import static org.onap.aaf.auth.layer.Result.OK;
+import static org.onap.aaf.auth.rserv.HttpMethods.GET;
+
+import java.text.SimpleDateFormat;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Date;
+import java.util.GregorianCalendar;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.http.HttpStatus;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.service.AAF_Service;
+import org.onap.aaf.auth.service.Code;
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+import org.onap.aaf.auth.service.mapper.Mapper.API;
+
+/**
+ * Pull certain types of History Info
+ * 
+ * Specify yyyymm as 
+ * 	single - 201504
+ *  commas 201503,201504
+ *  ranges 201501-201504
+ *  combinations 201301,201401,201501-201504
+ *  
+ * @author Jonathan
+ *
+ */
+public class API_History {
+	/**
+	 * Normal Init level APIs
+	 * 
+	 * @param authzAPI
+	 * @param facade
+	 * @throws Exception
+	 */
+	public static void init(AAF_Service authzAPI, AuthzFacade facade) throws Exception {
+		/**
+		 * Get History
+		 */
+		authzAPI.route(GET,"/authz/hist/user/:user",API.HISTORY,new Code(facade,"Get History by User", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				int[] years;
+				int descend;
+				try {
+					years = getYears(req);
+					descend = decending(req);
+				} catch(Exception e) {
+					context.error(trans, resp, Result.err(Status.ERR_BadData, e.getMessage()));
+					return;
+				}
+
+				Result<Void> r = context.getHistoryByUser(trans, resp, pathParam(req,":user"),years,descend);
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+
+		/**
+		 * Get History by NS
+		 */
+		authzAPI.route(GET,"/authz/hist/ns/:ns",API.HISTORY,new Code(facade,"Get History by Namespace", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				int[] years;
+				int descend;
+				try {
+					years = getYears(req);
+					descend = decending(req);
+				} catch(Exception e) {
+					context.error(trans, resp, Result.err(Status.ERR_BadData, e.getMessage()));
+					return;
+				}
+				
+				Result<Void> r = context.getHistoryByNS(trans, resp, pathParam(req,":ns"),years,descend);
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+
+		/**
+		 * Get History by Role
+		 */
+		authzAPI.route(GET,"/authz/hist/role/:role",API.HISTORY,new Code(facade,"Get History by Role", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				int[] years;
+				int descend;
+				try {
+					years = getYears(req);
+					descend = decending(req);
+				} catch(Exception e) {
+					context.error(trans, resp, Result.err(Status.ERR_BadData, e.getMessage()));
+					return;
+				}
+
+				Result<Void> r = context.getHistoryByRole(trans, resp, pathParam(req,":role"),years,descend);
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+
+		/**
+		 * Get History by Perm Type
+		 */
+		authzAPI.route(GET,"/authz/hist/perm/:type",API.HISTORY,new Code(facade,"Get History by Perm Type", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				int[] years;
+				int descend;
+				try {
+					years = getYears(req);
+					descend = decending(req);
+				} catch(Exception e) {
+					context.error(trans, resp, Result.err(Status.ERR_BadData, e.getMessage()));
+					return;
+				}
+				
+				Result<Void> r = context.getHistoryByPerm(trans, resp, pathParam(req,":type"),years,descend);
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+	}
+
+	// Check if Ascending
+	private static int decending(HttpServletRequest req) {
+		if("true".equalsIgnoreCase(req.getParameter("desc")))return -1;
+		if("true".equalsIgnoreCase(req.getParameter("asc")))return 1;
+		return 0;
+	}
+	
+	// Get Common "yyyymm" parameter, or none
+	private static final SimpleDateFormat FMT = new SimpleDateFormat("yyyyMM");
+	
+	private static int[] getYears(HttpServletRequest req) throws NumberFormatException {
+		String yyyymm = req.getParameter("yyyymm");
+		ArrayList<Integer> ai= new ArrayList<Integer>();
+		if(yyyymm==null) {
+			GregorianCalendar gc = new GregorianCalendar();
+			// three months is the default
+			for(int i=0;i<3;++i) {
+				ai.add(Integer.parseInt(FMT.format(gc.getTime())));
+				gc.add(GregorianCalendar.MONTH, -1);
+			}
+		} else {
+			for(String ym : yyyymm.split(",")) {
+				String range[] = ym.split("\\s*-\\s*");
+				switch(range.length) {
+					case 0:
+						break;
+					case 1:
+						if(!ym.endsWith("-")) {
+							ai.add(getNum(ym));
+							break;
+						} else {
+							range=new String[] {ym.substring(0, 6),FMT.format(new Date())};
+						}
+					default:
+						GregorianCalendar gc = new GregorianCalendar();
+						gc.set(GregorianCalendar.MONTH, Integer.parseInt(range[1].substring(4,6))-1);
+						gc.set(GregorianCalendar.YEAR, Integer.parseInt(range[1].substring(0,4)));
+						int end = getNum(FMT.format(gc.getTime())); 
+						
+						gc.set(GregorianCalendar.MONTH, Integer.parseInt(range[0].substring(4,6))-1);
+						gc.set(GregorianCalendar.YEAR, Integer.parseInt(range[0].substring(0,4)));
+						for(int i=getNum(FMT.format(gc.getTime()));i<=end;gc.add(GregorianCalendar.MONTH, 1),i=getNum(FMT.format(gc.getTime()))) {
+							ai.add(i);
+						}
+
+				}
+			}
+		}
+		if(ai.size()==0) {
+			throw new NumberFormatException(yyyymm + " is an invalid number or range");
+		}
+		Collections.sort(ai);
+		int ym[] = new int[ai.size()];
+		for(int i=0;i<ym.length;++i) {
+			ym[i]=ai.get(i);
+		}
+		return ym;
+	}
+	
+	private static int getNum(String n) {
+		if(n==null || n.length()!=6) throw new NumberFormatException(n + " is not in YYYYMM format");
+		return Integer.parseInt(n);
+	}
+}
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Mgmt.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Mgmt.java
new file mode 100644
index 00000000..7eb9fd7b
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Mgmt.java
@@ -0,0 +1,276 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service.api;
+
+import static org.onap.aaf.auth.layer.Result.OK;
+import static org.onap.aaf.auth.rserv.HttpMethods.DELETE;
+import static org.onap.aaf.auth.rserv.HttpMethods.POST;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.http.HttpStatus;
+import org.onap.aaf.auth.common.Define;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.service.AAF_Service;
+import org.onap.aaf.auth.service.Code;
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+import org.onap.aaf.auth.service.mapper.Mapper.API;
+import org.onap.aaf.cadi.taf.dos.DenialOfServiceTaf;
+import org.onap.aaf.misc.env.Trans;
+
+/**
+ * User Role APIs
+ * @author Jonathan
+ *
+ */
+public class API_Mgmt {
+
+	private static final String SUCCESS = "SUCCESS";
+	private final static String PERM_DB_POOL_CLEAR=Define.ROOT_NS()+".db|pool|clear";
+	private final static String PERM_DENY_IP = Define.ROOT_NS()+".deny|" + Define.ROOT_COMPANY() + "|ip";
+	private final static String PERM_DENY_ID = Define.ROOT_NS()+".deny|" + Define.ROOT_COMPANY() + "|id";
+	private final static String PERM_LOG_ID = Define.ROOT_NS()+".deny|" + Define.ROOT_COMPANY() + "|id";
+
+	/**
+	 * Normal Init level APIs
+	 * 
+	 * @param authzAPI
+	 * @param facade
+	 * @throws Exception
+	 */
+	public static void init(final AAF_Service authzAPI, AuthzFacade facade) throws Exception {
+
+		/**
+		 * Clear Cache Segment
+		 */
+		authzAPI.route(DELETE,"/mgmt/cache/:area/:segments",API.VOID,new Code(facade,"Clear Cache by Segment", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.cacheClear(trans, pathParam(req,"area"), pathParam(req,"segments"));
+				switch(r.status) {
+					case OK:
+						trans.checkpoint(SUCCESS,Trans.ALWAYS);
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+		
+		/**
+		 * Clear Cache
+		 */
+		authzAPI.route(DELETE,"/mgmt/cache/:area",API.VOID,new Code(facade,"Clear Cache", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r;
+				String area;
+				r = context.cacheClear(trans, area=pathParam(req,"area"));
+				switch(r.status) {
+					case OK:
+						trans.audit().log("Cache " + area + " has been cleared by "+trans.user());
+						trans.checkpoint(SUCCESS,Trans.ALWAYS);
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+
+		/**
+		 * Clear DB Sessions
+		 */
+		authzAPI.route(DELETE,"/mgmt/dbsession",API.VOID,new Code(facade,"Clear DBSessions", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				try {
+					if(req.isUserInRole(PERM_DB_POOL_CLEAR)) {
+						context.dbReset(trans);
+
+						trans.audit().log("DB Sessions have been cleared by "+trans.user());
+
+						trans.checkpoint(SUCCESS,Trans.ALWAYS);
+						resp.setStatus(HttpStatus.OK_200);
+						return;
+					}
+					context.error(trans,resp,Result.err(Result.ERR_Denied,"%s is not allowed to clear dbsessions",trans.user()));
+				} catch(Exception e) {
+					trans.error().log(e, "clearing dbsession");
+					context.error(trans,resp,Result.err(e));
+				}
+			}
+		});
+
+		/**
+		 * Deny an IP 
+		 */
+		authzAPI.route(POST, "/mgmt/deny/ip/:ip", API.VOID, new Code(facade,"Deny IP",true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				String ip = pathParam(req,":ip");
+				if(req.isUserInRole(PERM_DENY_IP)) {
+					if(DenialOfServiceTaf.denyIP(ip)) {
+						trans.audit().log(ip+" has been set to deny by "+trans.user());
+						trans.checkpoint(SUCCESS,Trans.ALWAYS);
+
+						resp.setStatus(HttpStatus.CREATED_201);
+					} else {
+						context.error(trans,resp,Result.err(Status.ERR_ConflictAlreadyExists, 
+								ip + " is already being denied"));
+					}
+				} else {
+					trans.audit().log(trans.user(),"has attempted to deny",ip,"without authorization");
+					context.error(trans,resp,Result.err(Status.ERR_Denied, 
+						trans.getUserPrincipal().getName() + " is not allowed to set IP Denial"));
+				}
+			}
+		});
+		
+		/**
+		 * Stop Denying an IP
+		 */
+		authzAPI.route(DELETE, "/mgmt/deny/ip/:ip", API.VOID, new Code(facade,"Stop Denying IP",true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				String ip = pathParam(req,":ip");
+				if(req.isUserInRole(PERM_DENY_IP)) {
+					if(DenialOfServiceTaf.removeDenyIP(ip)) {
+						trans.audit().log(ip+" has been removed from denial by "+trans.user());
+						trans.checkpoint(SUCCESS,Trans.ALWAYS);
+						resp.setStatus(HttpStatus.OK_200);
+					} else {
+						context.error(trans,resp,Result.err(Status.ERR_NotFound, 
+								ip + " is not on the denial list"));
+					}
+				} else {
+					trans.audit().log(trans.user(),"has attempted to remove",ip," from being denied without authorization");
+					context.error(trans,resp,Result.err(Status.ERR_Denied, 
+						trans.getUserPrincipal().getName() + " is not allowed to remove IP Denial"));
+				}
+			}
+		});
+
+		/**
+		 * Deny an ID 
+		 */
+		authzAPI.route(POST, "/mgmt/deny/id/:id", API.VOID, new Code(facade,"Deny ID",true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				String id = pathParam(req,":id");
+				if(req.isUserInRole(PERM_DENY_ID)) {
+					if(DenialOfServiceTaf.denyID(id)) {
+						trans.audit().log(id+" has been set to deny by "+trans.user());
+						trans.checkpoint(SUCCESS,Trans.ALWAYS);
+						resp.setStatus(HttpStatus.CREATED_201);
+					} else {
+						context.error(trans,resp,Result.err(Status.ERR_ConflictAlreadyExists, 
+								id + " is already being denied"));
+					}
+				} else {
+					trans.audit().log(trans.user(),"has attempted to deny",id,"without authorization");
+					context.error(trans,resp,Result.err(Status.ERR_Denied, 
+						trans.getUserPrincipal().getName() + " is not allowed to set ID Denial"));
+				}
+			}
+		});
+		
+		/**
+		 * Stop Denying an ID
+		 */
+		authzAPI.route(DELETE, "/mgmt/deny/id/:id", API.VOID, new Code(facade,"Stop Denying ID",true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				String id = pathParam(req,":id");
+				if(req.isUserInRole(PERM_DENY_ID)) {
+					if(DenialOfServiceTaf.removeDenyID(id)) {
+						trans.audit().log(id+" has been removed from denial by " + trans.user());
+						trans.checkpoint(SUCCESS,Trans.ALWAYS);
+						resp.setStatus(HttpStatus.OK_200);
+					} else {
+						context.error(trans,resp,Result.err(Status.ERR_NotFound, 
+								id + " is not on the denial list"));
+					}
+				} else {
+					trans.audit().log(trans.user(),"has attempted to remove",id," from being denied without authorization");
+					context.error(trans,resp,Result.err(Status.ERR_Denied, 
+						trans.getUserPrincipal().getName() + " is not allowed to remove ID Denial"));
+				}
+			}
+		});
+
+		/**
+		 * Deny an ID 
+		 */
+		authzAPI.route(POST, "/mgmt/log/id/:id", API.VOID, new Code(facade,"Special Log ID",true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				String id = pathParam(req,":id");
+				if(req.isUserInRole(PERM_LOG_ID)) {
+					if(Question.specialLogOn(trans,id)) {
+						trans.audit().log(id+" has been set to special Log by "+trans.user());
+						trans.checkpoint(SUCCESS,Trans.ALWAYS);
+						resp.setStatus(HttpStatus.CREATED_201);
+					} else {
+						context.error(trans,resp,Result.err(Status.ERR_ConflictAlreadyExists, 
+								id + " is already being special Logged"));
+					}
+				} else {
+					trans.audit().log(trans.user(),"has attempted to special Log",id,"without authorization");
+					context.error(trans,resp,Result.err(Status.ERR_Denied, 
+						trans.getUserPrincipal().getName() + " is not allowed to set ID special Logging"));
+				}
+			}
+		});
+		
+		/**
+		 * Stop Denying an ID
+		 */
+		authzAPI.route(DELETE, "/mgmt/log/id/:id", API.VOID, new Code(facade,"Stop Special Log ID",true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				String id = pathParam(req,":id");
+				if(req.isUserInRole(PERM_LOG_ID)) {
+					if(Question.specialLogOff(trans,id)) {
+						trans.audit().log(id+" has been removed from special Logging by " + trans.user());
+						trans.checkpoint(SUCCESS,Trans.ALWAYS);
+						resp.setStatus(HttpStatus.OK_200);
+					} else {
+						context.error(trans,resp,Result.err(Status.ERR_NotFound, 
+								id + " is not on the special Logging list"));
+					}
+				} else {
+					trans.audit().log(trans.user(),"has attempted to remove",id," from being special Logged without authorization");
+					context.error(trans,resp,Result.err(Status.ERR_Denied, 
+						trans.getUserPrincipal().getName() + " is not allowed to remove ID special Logging"));
+				}
+			}
+		});
+
+
+	}
+}
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Multi.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Multi.java
new file mode 100644
index 00000000..d3fe4f1f
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Multi.java
@@ -0,0 +1,65 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service.api;
+
+import static org.onap.aaf.auth.layer.Result.OK;
+import static org.onap.aaf.auth.rserv.HttpMethods.POST;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.http.HttpStatus;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.service.AAF_Service;
+import org.onap.aaf.auth.service.Code;
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+import org.onap.aaf.auth.service.mapper.Mapper.API;
+
+public class API_Multi {
+
+	public static void init(AAF_Service authzAPI, AuthzFacade facade) throws Exception {
+	
+		authzAPI.route(POST,"/authz/multi",API.VOID, new Code(facade,"Multiple Request API",true) {
+			@Override
+			public void handle(
+				AuthzTrans trans,
+				HttpServletRequest req, 
+				HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.addResponsibilityForNS(trans, resp, pathParam(req,":ns"), pathParam(req,":id"));
+					switch(r.status) {
+						case OK:
+							resp.setStatus(HttpStatus.CREATED_201); 
+							break;
+						case Status.ACC_Future:
+							resp.setStatus(HttpStatus.ACCEPTED_202); 
+							break;
+						default:
+							context.error(trans,resp,r);
+					}
+				}
+			}
+		);
+	}
+
+}
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_NS.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_NS.java
new file mode 100644
index 00000000..1087cd4d
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_NS.java
@@ -0,0 +1,395 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service.api;
+
+import static org.onap.aaf.auth.layer.Result.OK;
+import static org.onap.aaf.auth.rserv.HttpMethods.DELETE;
+import static org.onap.aaf.auth.rserv.HttpMethods.GET;
+import static org.onap.aaf.auth.rserv.HttpMethods.POST;
+import static org.onap.aaf.auth.rserv.HttpMethods.PUT;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.http.HttpStatus;
+import org.onap.aaf.auth.dao.cass.NsType;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.service.AAF_Service;
+import org.onap.aaf.auth.service.Code;
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+import org.onap.aaf.auth.service.mapper.Mapper.API;
+
+public class API_NS {
+	private static final String FULL = "full";
+	private static final String TRUE = "true";
+
+	public static void init(AAF_Service authzAPI, AuthzFacade facade) throws Exception {
+		/**
+		 * puts a new Namespace in Authz DB
+		 * 
+		 * TESTCASES: TC_NS1, TC_NSdelete1
+		 */
+		authzAPI.route(POST,"/authz/ns",API.NS_REQ, new Code(facade,"Create a Namespace",true) {
+					@Override
+					public void handle(
+							AuthzTrans trans,
+							HttpServletRequest req, 
+							HttpServletResponse resp) throws Exception {
+						NsType nst = NsType.fromString(req.getParameter("type"));
+						Result<Void> r = context.requestNS(trans, req, resp,nst);
+							
+						switch(r.status) {
+							case OK:
+								resp.setStatus(HttpStatus.CREATED_201); 
+								break;
+							case Status.ACC_Future:
+								resp.setStatus(HttpStatus.ACCEPTED_202); 
+								break;
+							default:
+								context.error(trans,resp,r);
+						}
+					}
+				}
+		);
+		
+		/**
+		 * removes a Namespace from Authz DB
+		 * 
+		 * TESTCASES: TC_NS1, TC_NSdelete1
+		 */
+		authzAPI.route(DELETE,"/authz/ns/:ns",API.VOID, new Code(facade,"Delete a Namespace",true) {
+				@Override
+				public void handle(
+						AuthzTrans trans,
+						HttpServletRequest req, 
+						HttpServletResponse resp) throws Exception {
+					Result<Void> r = context.deleteNS(trans, req, resp, pathParam(req,":ns"));
+					switch(r.status) {
+						case OK:
+							resp.setStatus(HttpStatus.OK_200); 
+							break;
+						default:
+							context.error(trans,resp,r);
+					}
+				}
+			}
+		);
+
+		/**
+		 * Add an Admin in NS in Authz DB
+		 * 
+		 * TESTCASES: TC_NS1
+		 */
+		authzAPI.route(POST,"/authz/ns/:ns/admin/:id",API.VOID, new Code(facade,"Add an Admin to a Namespace",true) {
+			@Override
+			public void handle(
+				AuthzTrans trans,
+				HttpServletRequest req, 
+				HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.addAdminToNS(trans, resp, pathParam(req,":ns"), pathParam(req,":id"));
+					switch(r.status) {
+						case OK:
+							resp.setStatus(HttpStatus.CREATED_201); 
+							break;
+						case Status.ACC_Future:
+							resp.setStatus(HttpStatus.ACCEPTED_202); 
+							break;
+						default:
+							context.error(trans,resp,r);
+					}
+				}
+			}
+		);
+	
+		/**
+		 * Removes an Admin from Namespace in Authz DB
+		 * 
+		 * TESTCASES: TC_NS1
+		 */
+		authzAPI.route(DELETE,"/authz/ns/:ns/admin/:id",API.VOID, new Code(facade,"Remove an Admin from a Namespace",true) {
+			@Override
+			public void handle(
+				AuthzTrans trans,
+				HttpServletRequest req, 
+				HttpServletResponse resp) throws Exception {
+					Result<Void> r = context.delAdminFromNS(trans, resp, pathParam(req,":ns"), pathParam(req,":id"));
+					switch(r.status) {
+						case OK:
+							resp.setStatus(HttpStatus.OK_200); 
+							break;
+						default:
+							context.error(trans,resp,r);
+					}
+				}
+			}
+		);
+
+	/**
+	 * Add an Admin in NS in Authz DB
+	 * 
+	 * TESTCASES: TC_NS1
+	 */
+		authzAPI.route(POST,"/authz/ns/:ns/responsible/:id",API.VOID, new Code(facade,"Add a Responsible Identity to a Namespace",true) {
+			@Override
+			public void handle(
+				AuthzTrans trans,
+				HttpServletRequest req, 
+				HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.addResponsibilityForNS(trans, resp, pathParam(req,":ns"), pathParam(req,":id"));
+					switch(r.status) {
+						case OK:
+							resp.setStatus(HttpStatus.CREATED_201); 
+							break;
+						case Status.ACC_Future:
+							resp.setStatus(HttpStatus.ACCEPTED_202); 
+							break;
+						default:
+							context.error(trans,resp,r);
+					}
+				}
+			}
+		);
+
+
+		/**
+		 * 
+		 */
+		authzAPI.route(GET,"/authz/nss/:id",API.NSS, new Code(facade,"Return Information about Namespaces", true) {
+			@Override
+			public void handle(
+				AuthzTrans trans, 
+				HttpServletRequest req, 
+				HttpServletResponse resp) throws Exception {
+					Result<Void> r = context.getNSsByName(trans, resp, pathParam(req,":id"));
+					switch(r.status) {
+						case OK:
+							resp.setStatus(HttpStatus.OK_200); 
+							break;
+						default:
+							context.error(trans,resp,r);
+					}
+				}
+			}
+		);	
+		
+		/**
+		 * Get all Namespaces where user is an admin
+		 */
+		authzAPI.route(GET,"/authz/nss/admin/:user",API.NSS, new Code(facade,"Return Namespaces where User is an Admin", true) {
+			@Override
+			public void handle(
+				AuthzTrans trans, 
+				HttpServletRequest req, 
+				HttpServletResponse resp) throws Exception {
+					Result<Void> r = context.getNSsByAdmin(trans, resp, pathParam(req,":user"),TRUE.equals(req.getParameter(FULL)));
+					switch(r.status) {
+						case OK:
+							resp.setStatus(HttpStatus.OK_200); 
+							break;
+						default:
+							context.error(trans,resp,r);
+					}
+				}
+			}
+		);
+		
+		/**
+		 * Get all Namespaces where user is a responsible party
+		 */
+		authzAPI.route(GET,"/authz/nss/responsible/:user",API.NSS, new Code(facade,"Return Namespaces where User is Responsible", true) {
+			@Override
+			public void handle(
+				AuthzTrans trans, 
+				HttpServletRequest req, 
+				HttpServletResponse resp) throws Exception {
+					Result<Void> r = context.getNSsByResponsible(trans, resp, pathParam(req,":user"),TRUE.equals(req.getParameter(FULL)));
+					switch(r.status) {
+						case OK:
+							resp.setStatus(HttpStatus.OK_200); 
+							break;
+						default:
+							context.error(trans,resp,r);
+					}
+				}
+			}
+		);
+
+		/**
+		 * Get all Namespaces where user is an admin or owner
+		 */
+		authzAPI.route(GET,"/authz/nss/either/:user",API.NSS, new Code(facade,"Return Namespaces where User Admin or Owner", true) {
+			@Override
+			public void handle(
+				AuthzTrans trans, 
+				HttpServletRequest req, 
+				HttpServletResponse resp) throws Exception {
+					Result<Void> r = context.getNSsByEither(trans, resp, pathParam(req,":user"),TRUE.equals(req.getParameter(FULL)));
+					switch(r.status) {
+						case OK:
+							resp.setStatus(HttpStatus.OK_200); 
+							break;
+						default:
+							context.error(trans,resp,r);
+					}
+				}
+			}
+		);
+
+		/**
+		 * Get all children Namespaces
+		 */
+		authzAPI.route(GET,"/authz/nss/children/:id",API.NSS, new Code(facade,"Return Child Namespaces", true) {
+			@Override
+			public void handle(
+				AuthzTrans trans, 
+				HttpServletRequest req, 
+				HttpServletResponse resp) throws Exception {
+					Result<Void> r = context.getNSsChildren(trans, resp, pathParam(req,":id"));
+					switch(r.status) {
+						case OK:
+							resp.setStatus(HttpStatus.OK_200); 
+							break;
+						default:
+							context.error(trans,resp,r);
+					}
+				}
+			}
+		);
+
+		/**
+		 * Set a description of a Namespace
+		 */
+		authzAPI.route(PUT,"/authz/ns",API.NS_REQ,new Code(facade,"Set a Description for a Namespace",true) {
+			@Override
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				
+				Result<Void> r = context.updateNsDescription(trans, req, resp);
+				switch(r.status) {
+					case OK: 
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});	
+	
+		/**
+		 * Removes an Owner from Namespace in Authz DB
+		 * 
+		 * TESTCASES: TC_NS1
+		 */
+		authzAPI.route(DELETE,"/authz/ns/:ns/responsible/:id",API.VOID, new Code(facade,"Remove a Responsible Identity from Namespace",true) {
+			@Override
+			public void handle(
+				AuthzTrans trans,
+				HttpServletRequest req, 
+				HttpServletResponse resp) throws Exception {
+					Result<Void> r = context.delResponsibilityForNS(trans, resp, pathParam(req,":ns"), pathParam(req,":id"));
+					switch(r.status) {
+						case OK:
+							resp.setStatus(HttpStatus.OK_200); 
+							break;
+						default:
+							context.error(trans,resp,r);
+					}
+				}
+			}
+		);
+
+		authzAPI.route(POST,"/authz/ns/:ns/attrib/:key/:value",API.VOID, new Code(facade,"Add an Attribute from a Namespace",true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+					Result<Void> r = context.createAttribForNS(trans, resp, 
+						pathParam(req,":ns"), 
+						pathParam(req,":key"),
+						pathParam(req,":value"));
+					switch(r.status) {
+						case OK:
+							resp.setStatus(HttpStatus.CREATED_201); 
+							break;
+						default:
+							context.error(trans,resp,r);
+					}
+				}
+			}
+		);
+
+		authzAPI.route(GET,"/authz/ns/attrib/:key",API.KEYS, new Code(facade,"get Ns Key List From Attribute",true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+					Result<Void> r = context.readNsByAttrib(trans, resp, pathParam(req,":key"));
+					switch(r.status) {
+						case OK:
+							resp.setStatus(HttpStatus.OK_200); 
+							break;
+						default:
+							context.error(trans,resp,r);
+					}
+				}
+			}
+		);
+
+		authzAPI.route(PUT,"/authz/ns/:ns/attrib/:key/:value",API.VOID, new Code(facade,"update an Attribute from a Namespace",true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+					Result<Void> r = context.updAttribForNS(trans, resp, 
+						pathParam(req,":ns"), 
+						pathParam(req,":key"),
+						pathParam(req,":value"));
+					switch(r.status) {
+						case OK:
+							resp.setStatus(HttpStatus.OK_200); 
+							break;
+						default:
+							context.error(trans,resp,r);
+					}
+				}
+			}
+		);
+		
+		authzAPI.route(DELETE,"/authz/ns/:ns/attrib/:key",API.VOID, new Code(facade,"delete an Attribute from a Namespace",true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+					Result<Void> r = context.delAttribForNS(trans, resp, 
+						pathParam(req,":ns"), 
+						pathParam(req,":key"));
+					switch(r.status) {
+						case OK:
+							resp.setStatus(HttpStatus.OK_200); 
+							break;
+						default:
+							context.error(trans,resp,r);
+					}
+				}
+			}
+		);
+
+	}
+	
+	
+}
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Perms.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Perms.java
new file mode 100644
index 00000000..c9795a5f
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Perms.java
@@ -0,0 +1,297 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service.api;
+
+import static org.onap.aaf.auth.layer.Result.OK;
+import static org.onap.aaf.auth.rserv.HttpMethods.DELETE;
+import static org.onap.aaf.auth.rserv.HttpMethods.GET;
+import static org.onap.aaf.auth.rserv.HttpMethods.POST;
+import static org.onap.aaf.auth.rserv.HttpMethods.PUT;
+
+import java.net.URLDecoder;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.http.HttpStatus;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.service.AAF_Service;
+import org.onap.aaf.auth.service.Code;
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+import org.onap.aaf.auth.service.mapper.Mapper.API;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.misc.env.util.Split;
+
+public class API_Perms {
+	public static void timeSensitiveInit(AAF_Service authzAPI, AuthzFacade facade) throws Exception {
+		/** 
+		 *  gets all permissions by user name
+		 */
+		authzAPI.route(GET, "/authz/perms/user/:user", API.PERMS, new Code(facade,"Get Permissions by User",true) {
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				
+				String scopes = req.getParameter("scopes");
+				Result<Void> r;
+				if(scopes==null) {
+					r = context.getPermsByUser(trans, resp, pathParam(req, "user"));
+				} else {
+					r = context.getPermsByUserScope(trans, resp, pathParam(req, "user"),Split.split(':', scopes));
+				}
+				switch(r.status) {
+					case OK: 
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+
+		});
+		
+		/** 
+		 *  gets all permissions by user name
+		 */
+		authzAPI.route(POST, "/authz/perms/user/:user", API.PERMS, new Code(facade,"Get Permissions by User, Query AAF Perms",true) {
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				
+				Result<Void> r = context.getPermsByUserWithAAFQuery(trans, req, resp, pathParam(req, "user"));
+				switch(r.status) {
+					case OK: 
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+
+		});
+
+
+	} // end timeSensitiveInit
+
+	public static void init(AAF_Service authzAPI, AuthzFacade facade) throws Exception {
+		/**
+		 * Create a Permission
+		 */
+		authzAPI.route(POST,"/authz/perm",API.PERM_REQ,new Code(facade,"Create a Permission",true) {
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				
+				Result<Void> r = context.createPerm(trans, req, resp);
+				switch(r.status) {
+					case OK: 
+						resp.setStatus(HttpStatus.CREATED_201); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+
+		/** 
+		 *  get details of Permission
+		 */
+		authzAPI.route(GET, "/authz/perms/:type/:instance/:action", API.PERMS, new Code(facade,"Get Permissions by Key",true) {
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				
+				Result<Void> r = context.getPermsByName(trans, resp, 
+						pathParam(req, "type"),
+						URLDecoder.decode(pathParam(req, "instance"),Config.UTF_8),
+						pathParam(req, "action"));
+				switch(r.status) {
+					case OK: 
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+
+		});
+		
+		/** 
+		 *  get children of Permission
+		 */
+		authzAPI.route(GET, "/authz/perms/:type", API.PERMS, new Code(facade,"Get Permissions by Type",true) {
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				
+				Result<Void> r = context.getPermsByType(trans, resp, pathParam(req, "type"));
+				switch(r.status) {
+					case OK: 
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+
+		});
+
+		
+		/**
+		 * gets all permissions by role name
+		 */
+		authzAPI.route(GET,"/authz/perms/role/:role",API.PERMS,new Code(facade,"Get Permissions by Role",true) {
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				
+				Result<Void> r = context.getPermsForRole(trans, resp, pathParam(req, "role"));
+				switch(r.status) {
+					case OK: 
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+
+		/**
+		 * gets all permissions by Namespace
+		 */
+		authzAPI.route(GET,"/authz/perms/ns/:ns",API.PERMS,new Code(facade,"Get PermsByNS",true) {
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				
+				Result<Void> r = context.getPermsByNS(trans, resp, pathParam(req, "ns"));
+				switch(r.status) {
+					case OK: 
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+		
+		/**
+		 * Set a perm's description
+		 */
+		authzAPI.route(PUT,"/authz/perm",API.PERM_REQ,new Code(facade,"Set Description for Permission",true) {
+			@Override
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				
+				Result<Void> r = context.updatePermDescription(trans, req, resp);
+				switch(r.status) {
+					case OK: 
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});	
+		
+		/**
+		 * Update a permission with a rename
+		 */
+		authzAPI.route(PUT,"/authz/perm/:type/:instance/:action",API.PERM_REQ,new Code(facade,"Update a Permission",true) {
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				
+				Result<Void> r = context.renamePerm(trans, req, resp, pathParam(req, "type"), 
+						pathParam(req, "instance"), pathParam(req, "action"));
+				switch(r.status) {
+					case OK: 
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});	
+		
+		/**
+		 * Delete a Permission
+		 */
+		authzAPI.route(DELETE,"/authz/perm",API.PERM_REQ,new Code(facade,"Delete a Permission",true) {
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				
+				Result<Void> r = context.deletePerm(trans,req, resp);
+				switch(r.status) {
+					case OK: 
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+
+		
+		
+
+		/**
+		 * Delete a Permission
+		 */
+		authzAPI.route(DELETE,"/authz/perm/:name/:type/:action",API.PERM_KEY,new Code(facade,"Delete a Permission",true) {
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				
+				Result<Void> r = context.deletePerm(trans, resp,
+						pathParam(req, ":name"),
+						pathParam(req, ":type"),
+						pathParam(req, ":action"));
+				switch(r.status) {
+					case OK: 
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+
+	} // end init
+}
+
+
+
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Roles.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Roles.java
new file mode 100644
index 00000000..24259e16
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Roles.java
@@ -0,0 +1,337 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service.api;
+
+import static org.onap.aaf.auth.layer.Result.OK;
+import static org.onap.aaf.auth.rserv.HttpMethods.DELETE;
+import static org.onap.aaf.auth.rserv.HttpMethods.GET;
+import static org.onap.aaf.auth.rserv.HttpMethods.POST;
+import static org.onap.aaf.auth.rserv.HttpMethods.PUT;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.http.HttpStatus;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.service.AAF_Service;
+import org.onap.aaf.auth.service.Code;
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+import org.onap.aaf.auth.service.mapper.Mapper.API;
+
+public class API_Roles {
+	public static void init(AAF_Service authzAPI, AuthzFacade facade) throws Exception {
+		/**
+		 * puts a new role in Authz DB
+		 */
+		authzAPI.route(POST,"/authz/role",API.ROLE_REQ, new Code(facade,"Create Role",true) {
+					@Override
+					public void handle(
+							AuthzTrans trans,
+							HttpServletRequest req, 
+							HttpServletResponse resp) throws Exception {
+						Result<Void> r = context.createRole(trans, req, resp);
+							
+						switch(r.status) {
+							case OK:
+								resp.setStatus(HttpStatus.CREATED_201); 
+								break;
+							case Status.ACC_Future:
+								resp.setStatus(HttpStatus.ACCEPTED_202); 
+								break;
+							default:
+								context.error(trans,resp,r);
+						}
+					}
+				}
+			);
+
+		/** 
+		 *  get Role by name
+		 */
+		authzAPI.route(GET, "/authz/roles/:role", API.ROLES, new Code(facade,"GetRolesByFullName",true) {
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				
+				Result<Void> r = context.getRolesByName(trans, resp, pathParam(req, "role"));
+				switch(r.status) {
+					case OK: 
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+
+		});
+
+
+		/** 
+		 *  gets all Roles by user name
+		 */
+		authzAPI.route(GET, "/authz/roles/user/:name", API.ROLES, new Code(facade,"GetRolesByUser",true) {
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				
+				Result<Void> r = context.getRolesByUser(trans, resp, pathParam(req, "name"));
+				switch(r.status) {
+					case OK: 
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+
+		});
+
+		/** 
+		 *  gets all Roles by Namespace
+		 */
+		authzAPI.route(GET, "/authz/roles/ns/:ns", API.ROLES, new Code(facade,"GetRolesByNS",true) {
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				
+				Result<Void> r = context.getRolesByNS(trans, resp, pathParam(req, "ns"));
+				switch(r.status) {
+					case OK: 
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+
+		/** 
+		 *  gets all Roles by Name without the Namespace
+		 */
+		authzAPI.route(GET, "/authz/roles/name/:name", API.ROLES, new Code(facade,"GetRolesByNameOnly",true) {
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.getRolesByNameOnly(trans, resp, pathParam(req, ":name"));
+				switch(r.status) {
+					case OK: 
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+		
+		/**
+		 * Deletes a Role from Authz DB by Object
+		 */
+		authzAPI.route(DELETE,"/authz/role",API.ROLE_REQ, new Code(facade,"Delete Role",true) {
+				@Override
+				public void handle(
+						AuthzTrans trans,
+						HttpServletRequest req, 
+						HttpServletResponse resp) throws Exception {
+					Result<Void> r = context.deleteRole(trans, req, resp);
+					
+					switch(r.status) {
+						case OK:
+							resp.setStatus(HttpStatus.OK_200); 
+							break;
+						default:
+							context.error(trans,resp,r);
+					}
+				}
+			
+			}
+		);
+	
+
+		
+		/**
+		 * Deletes a Role from Authz DB by Key
+		 */
+		authzAPI.route(DELETE,"/authz/role/:role",API.ROLE, new Code(facade,"Delete Role",true) {
+				@Override
+				public void handle(
+						AuthzTrans trans,
+						HttpServletRequest req, 
+						HttpServletResponse resp) throws Exception {
+					Result<Void> r = context.deleteRole(trans, resp, pathParam(req,":role"));
+						
+					switch(r.status) {
+						case OK:
+							resp.setStatus(HttpStatus.OK_200); 
+							break;
+						default:
+							context.error(trans,resp,r);
+					}
+				}
+			
+			}
+		);
+	
+
+		/**
+		 * Add a Permission to a Role (Grant)
+		 */
+		authzAPI.route(POST,"/authz/role/perm",API.ROLE_PERM_REQ, new Code(facade,"Add Permission to Role",true) {
+				@Override
+				public void handle(
+						AuthzTrans trans,
+						HttpServletRequest req, 
+						HttpServletResponse resp) throws Exception {
+					
+					Result<Void> r = context.addPermToRole(trans, req, resp);
+						
+					switch(r.status) {
+						case OK:
+							resp.setStatus(HttpStatus.CREATED_201); 
+							break;
+						default:
+							context.error(trans,resp,r);
+					}
+				}
+			}
+		);
+		
+		/**
+		 * Get all Roles by Permission
+		 */
+		authzAPI.route(GET,"/authz/roles/perm/:type/:instance/:action",API.ROLES,new Code(facade,"GetRolesByPerm",true) {
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				
+				Result<Void> r = context.getRolesByPerm(trans, resp, 
+						pathParam(req, "type"),
+						pathParam(req, "instance"),
+						pathParam(req, "action"));
+				switch(r.status) {
+					case OK: 
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+		
+		/**
+		 * Set a role's description
+		 */
+		authzAPI.route(PUT,"/authz/role",API.ROLE_REQ,new Code(facade,"Set Description for role",true) {
+			@Override
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				
+				Result<Void> r = context.updateRoleDescription(trans, req, resp);
+				switch(r.status) {
+					case OK: 
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});	
+		
+		/**
+		 * Set a permission's roles to roles given
+		 */
+		authzAPI.route(PUT,"/authz/role/perm",API.ROLE_PERM_REQ,new Code(facade,"Set a Permission's Roles",true) {
+			@Override
+			public void handle(
+					AuthzTrans trans, 
+					HttpServletRequest req,
+					HttpServletResponse resp) throws Exception {
+				
+				Result<Void> r = context.resetPermRoles(trans, req, resp);
+				switch(r.status) {
+					case OK: 
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});	
+		
+		/**
+		 * Delete a Permission from a Role
+		 * With multiple perms
+		 */
+		authzAPI.route(DELETE,"/authz/role/:role/perm",API.ROLE_PERM_REQ, new Code(facade,"Delete Permission from Role",true) {
+			@Override
+			public void handle(
+					AuthzTrans trans,
+					HttpServletRequest req, 
+					HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.delPermFromRole(trans, req, resp);
+					
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+
+
+		/*
+		 * Delete a Permission from a Role by key only
+		 * /
+		authzAPI.route(DELETE,"/authz/role/:role/perm/:type/:instance/:action",API.ROLE_PERM_REQ, new Code(facade,"Delete Permission from Role",true) {
+			@Override
+			public void handle(
+					AuthzTrans trans,
+					HttpServletRequest req, 
+					HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.delPermFromRole(trans, resp, 
+						pathParam(req,":role"),
+						pathParam(req,":type"),
+						pathParam(req,":instance"),
+						pathParam(req,":action"));
+					
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+		*/
+	}
+}
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_User.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_User.java
new file mode 100644
index 00000000..26be2a07
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_User.java
@@ -0,0 +1,133 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service.api;
+
+import static org.onap.aaf.auth.layer.Result.OK;
+import static org.onap.aaf.auth.rserv.HttpMethods.GET;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.http.HttpStatus;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.service.AAF_Service;
+import org.onap.aaf.auth.service.Code;
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+import org.onap.aaf.auth.service.mapper.Mapper.API;
+
+/**
+ * User Role APIs
+ * @author Jonathan
+ *
+ */
+public class API_User {
+	/**
+	 * Normal Init level APIs
+	 * 
+	 * @param authzAPI
+	 * @param facade
+	 * @throws Exception
+	 */
+	public static void init(final AAF_Service authzAPI, AuthzFacade facade) throws Exception {
+		/**
+		 * get all Users who have Permission X
+		 */
+		authzAPI.route(GET,"/authz/users/perm/:type/:instance/:action",API.USERS,new Code(facade,"Get Users By Permission", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+//				trans.checkpoint(pathParam(req,"type") + " " 
+//						+ pathParam(req,"instance") + " " 
+//						+ pathParam(req,"action"));
+//
+				Result<Void> r = context.getUsersByPermission(trans, resp,
+						pathParam(req, ":type"),
+						pathParam(req, ":instance"),
+						pathParam(req, ":action"));
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+
+
+		/**
+		 * get all Users who have Role X
+		 */
+		authzAPI.route(GET,"/authz/users/role/:role",API.USERS,new Code(facade,"Get Users By Role", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.getUsersByRole(trans, resp, pathParam(req, ":role"));
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+		
+		/**
+		 * Get User Role if exists
+		 * @deprecated
+		 */
+		authzAPI.route(GET,"/authz/userRole/:user/:role",API.USERS,new Code(facade,"Get if User is In Role", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.getUserInRole(trans, resp, pathParam(req,":user"),pathParam(req,":role"));
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+
+		/**
+		 * Get User Role if exists
+		 */
+		authzAPI.route(GET,"/authz/users/:user/:role",API.USERS,new Code(facade,"Get if User is In Role", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.getUserInRole(trans, resp, pathParam(req,":user"),pathParam(req,":role"));
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+		
+
+
+	}
+		
+}
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_UserRole.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_UserRole.java
new file mode 100644
index 00000000..89550a71
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_UserRole.java
@@ -0,0 +1,181 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service.api;
+
+import static org.onap.aaf.auth.layer.Result.OK;
+import static org.onap.aaf.auth.rserv.HttpMethods.DELETE;
+import static org.onap.aaf.auth.rserv.HttpMethods.GET;
+import static org.onap.aaf.auth.rserv.HttpMethods.POST;
+import static org.onap.aaf.auth.rserv.HttpMethods.PUT;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.http.HttpStatus;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.service.AAF_Service;
+import org.onap.aaf.auth.service.Code;
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+import org.onap.aaf.auth.service.mapper.Mapper.API;
+
+/**
+ * User Role APIs
+ * @author Jonathan
+ *
+ */
+public class API_UserRole {
+	/**
+	 * Normal Init level APIs
+	 * 
+	 * @param authzAPI
+	 * @param facade
+	 * @throws Exception
+	 */
+	public static void init(final AAF_Service authzAPI, AuthzFacade facade) throws Exception {
+		/**
+		 * Request User Role Access
+		 */
+		authzAPI.route(POST,"/authz/userRole",API.USER_ROLE_REQ,new Code(facade,"Request User Role Access", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.requestUserRole(trans, req, resp);
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.CREATED_201); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+		
+		
+		/**
+		 * Get UserRoles by Role
+		 */
+		authzAPI.route(GET,"/authz/userRoles/role/:role",API.USER_ROLES,new Code(facade,"Get UserRoles by Role", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.getUserRolesByRole(trans, resp, pathParam(req,":role"));
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+		
+		/**
+		 * Get UserRoles by User
+		 */
+		authzAPI.route(GET,"/authz/userRoles/user/:user",API.USER_ROLES,new Code(facade,"Get UserRoles by User", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.getUserRolesByUser(trans, resp, pathParam(req,":user"));
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+
+		
+		/**
+		 * Update roles attached to user in path
+		 */
+		authzAPI.route(PUT,"/authz/userRole/user",API.USER_ROLE_REQ,new Code(facade,"Update Roles for a user", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.resetRolesForUser(trans, resp, req);
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+		
+		
+		/**
+		 * Update users attached to role in path
+		 */
+		authzAPI.route(PUT,"/authz/userRole/role",API.USER_ROLE_REQ,new Code(facade,"Update Users for a role", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.resetUsersForRole(trans, resp, req);
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+		
+		/**
+		 * Extend Expiration Date (according to Organizational rules)
+		 */
+		authzAPI.route(PUT, "/authz/userRole/extend/:user/:role", API.VOID, new Code(facade,"Extend Expiration", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.extendUserRoleExpiration(trans,resp,pathParam(req,":user"),pathParam(req,":role"));
+				switch(r.status) {
+				case OK:
+					resp.setStatus(HttpStatus.OK_200); 
+					break;
+				default:
+					context.error(trans,resp,r);
+			}
+	
+			}
+			
+		});
+		
+		
+		/**
+		 * Create a new ID/Credential
+		 */
+		authzAPI.route(DELETE,"/authz/userRole/:user/:role",API.VOID,new Code(facade,"Delete User Role", true) {
+			@Override
+			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+				Result<Void> r = context.deleteUserRole(trans, resp, pathParam(req,":user"),pathParam(req,":role"));
+				switch(r.status) {
+					case OK:
+						resp.setStatus(HttpStatus.OK_200); 
+						break;
+					default:
+						context.error(trans,resp,r);
+				}
+			}
+		});
+
+	}
+}
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacade.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacade.java
new file mode 100644
index 00000000..af375199
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacade.java
@@ -0,0 +1,269 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service.facade;
+
+import java.util.Date;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.auth.dao.cass.NsType;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.rserv.RServlet;
+
+/**
+ * AuthzFacade
+ *   This layer is responsible for covering the Incoming Messages, be they XML, JSON or just entries on the URL,
+ *   and converting them to data that can be called on the Service Layer.
+ *   
+ *   Upon response, this layer, because it knew the incoming Data Formats (i.e. XML/JSON), the HTTP call types
+ *   are set on "ContentType" on Response.
+ *   
+ *   Finally, we wrap the call in Time Stamps with explanation of what is happing for Audit trails.
+ *   
+ * @author Jonathan
+ *
+ */
+public interface AuthzFacade {
+	public static final int PERM_DEPEND_424 = -1000;
+	public static final int ROLE_DEPEND_424 = -1001;
+
+	/*
+	 * Namespaces
+	 */
+	public abstract Result<Void> requestNS(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, NsType type);
+	
+	public abstract Result<Void> getNSsByName(AuthzTrans trans, HttpServletResponse resp, String ns);
+	
+	public abstract Result<Void> getNSsByAdmin(AuthzTrans trans, HttpServletResponse resp, String user, boolean full);
+	
+	public abstract Result<Void> getNSsByResponsible(AuthzTrans trans, HttpServletResponse resp, String user, boolean full);
+	
+	public abstract Result<Void> getNSsByEither(AuthzTrans trans, HttpServletResponse resp, String user, boolean full);
+
+	public abstract Result<Void> getNSsChildren(AuthzTrans trans, HttpServletResponse resp, String pathParam);
+
+	public abstract Result<Void> addAdminToNS(AuthzTrans trans, HttpServletResponse resp, String ns, String id);
+
+	public abstract Result<Void> delAdminFromNS(AuthzTrans trans, HttpServletResponse resp, String ns, String id);
+
+	public abstract Result<Void> addResponsibilityForNS(AuthzTrans trans, HttpServletResponse resp, String ns, String id);
+
+	public abstract Result<Void> delResponsibilityForNS(AuthzTrans trans, HttpServletResponse resp, String ns, String id);
+	
+	public abstract Result<Void> updateNsDescription(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp);
+
+	public abstract Result<Void> deleteNS(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, String ns);
+
+	// NS Attribs
+	public abstract Result<Void> createAttribForNS(AuthzTrans trans, HttpServletResponse resp, String ns, String key, String value);
+
+	public abstract Result<Void> readNsByAttrib(AuthzTrans trans, HttpServletResponse resp, String key);
+
+	public abstract Result<Void> updAttribForNS(AuthzTrans trans, HttpServletResponse resp, String ns, String key, String value);
+
+	public abstract Result<Void> delAttribForNS(AuthzTrans trans, HttpServletResponse resp, String ns, String key);
+
+	/*
+	 * Permissions
+	 */
+	public abstract Result<Void> createPerm(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp);	
+	
+	public abstract Result<Void> getPermsByName(AuthzTrans trans, HttpServletResponse resp, 
+			String type, String instance, String action);
+
+	public abstract Result<Void> getPermsByUser(AuthzTrans trans, HttpServletResponse response, String user);
+
+	public abstract Result<Void> getPermsByUserScope(AuthzTrans trans, HttpServletResponse resp, String user, String[] scopes);
+	
+	public abstract Result<Void> getPermsByUserWithAAFQuery(AuthzTrans trans, HttpServletRequest request, HttpServletResponse response, String user);
+	
+	public abstract Result<Void> getPermsByType(AuthzTrans trans, HttpServletResponse resp, String type);
+
+	public abstract Result<Void> getPermsForRole(AuthzTrans trans, HttpServletResponse response, String roleName);
+
+	public abstract Result<Void> getPermsByNS(AuthzTrans trans, HttpServletResponse response, String ns);
+	
+	public abstract Result<Void> renamePerm(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp,
+			String type, String instance, String action);
+	
+	public abstract Result<Void> updatePermDescription(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp);
+	
+	public abstract Result<Void> resetPermRoles(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp);
+
+	public abstract Result<Void> deletePerm(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp);
+
+	public abstract Result<Void> deletePerm(AuthzTrans trans,	HttpServletResponse resp, 
+			String perm, String type, String action);
+
+	/*
+	 * Roles
+	 */
+	public abstract Result<Void> createRole(AuthzTrans trans, HttpServletRequest req, HttpServletResponse response);
+	
+	public abstract Result<Void> getRolesByName(AuthzTrans trans,HttpServletResponse resp, String name);
+
+	public abstract Result<Void> getRolesByNS(AuthzTrans trans, HttpServletResponse resp, String ns);
+
+	public abstract Result<Void> getRolesByNameOnly(AuthzTrans trans, HttpServletResponse resp, String nameOnly);
+
+	public abstract Result<Void> getRolesByUser(AuthzTrans trans, HttpServletResponse resp, String user);
+
+	public abstract Result<Void> getRolesByPerm(AuthzTrans trans, HttpServletResponse resp, String type, String instance, String action);
+
+	public abstract Result<Void> updateRoleDescription(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp);
+	
+	public abstract Result<Void> addPermToRole(AuthzTrans trans,HttpServletRequest req, HttpServletResponse resp);
+	
+	public abstract Result<Void> delPermFromRole(AuthzTrans trans,HttpServletRequest req, HttpServletResponse resp);
+
+	public abstract Result<Void> delPermFromRole(AuthzTrans trans, HttpServletResponse resp, 
+			String role, String type, String instance, String action);
+
+	public abstract Result<Void> deleteRole(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp);
+
+	public abstract Result<Void> deleteRole(AuthzTrans trans, HttpServletResponse resp, String role);
+
+	/*
+	 * Users
+	 */
+	
+	public abstract Result<Void> getUsersByRole(AuthzTrans trans, HttpServletResponse resp, String role);
+	
+	public abstract Result<Void> getUsersByPermission(AuthzTrans trans, HttpServletResponse resp, 
+			String type, String instance, String action);
+
+
+
+	/*
+	 * Delegates
+	 */
+	public abstract Result<Void> createDelegate(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp);
+	
+	public abstract Result<Void> updateDelegate(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp);
+	
+	public abstract Result<Void> deleteDelegate(AuthzTrans trans,  HttpServletRequest req, HttpServletResponse resp);
+	
+	public abstract Result<Void> deleteDelegate(AuthzTrans trans,  String user);
+	
+	public abstract Result<Void> getDelegatesByUser(AuthzTrans trans, String userName, HttpServletResponse resp);
+
+	public abstract Result<Void> getDelegatesByDelegate(AuthzTrans trans, String userName, HttpServletResponse resp);
+
+	/*
+	 * Credentials
+	 */
+	public abstract Result<Void> createUserCred(AuthzTrans trans, HttpServletRequest req);
+
+	public abstract Result<Void> changeUserCred(AuthzTrans trans, HttpServletRequest req);
+
+	public abstract Result<Void> extendUserCred(AuthzTrans trans, HttpServletRequest req, String days);
+
+	public abstract Result<Void> getCredsByNS(AuthzTrans trans,	HttpServletResponse resp, String ns);
+
+	public abstract Result<Void> getCredsByID(AuthzTrans trans, HttpServletResponse resp, String id);
+
+	public abstract Result<Void> deleteUserCred(AuthzTrans trans, HttpServletRequest req);
+
+	public abstract Result<Void> validBasicAuth(AuthzTrans trans, HttpServletResponse resp, String basicAuth);
+
+	public abstract Result<Date> doesCredentialMatch(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp);
+
+	/*
+	 * Miscellaneous
+	 */
+	/**
+	 * Place Standard Messages based on HTTP Code onto Error Data Structure, and write to OutputStream
+	 * Log message
+	 */
+	public abstract void error(AuthzTrans trans, HttpServletResponse response, Result<?> result);
+
+	/*
+	 * UserRole
+	 */
+	public abstract Result<Void> requestUserRole(AuthzTrans trans,HttpServletRequest req, HttpServletResponse resp);
+	
+	public abstract Result<Void> getUserInRole(AuthzTrans trans, HttpServletResponse resp, String user, String role);
+	
+	public abstract Result<Void> getUserRolesByRole(AuthzTrans trans, HttpServletResponse resp, String role);
+	
+	public abstract Result<Void> getUserRolesByUser(AuthzTrans trans, HttpServletResponse resp, String user);
+
+	public abstract Result<Void> deleteUserRole(AuthzTrans trans, HttpServletResponse resp, String user, String role);
+	
+	public abstract Result<Void> resetUsersForRole(AuthzTrans trans, HttpServletResponse resp, HttpServletRequest req);
+
+	public abstract Result<Void> resetRolesForUser(AuthzTrans trans, HttpServletResponse resp, HttpServletRequest req);
+	
+	public abstract Result<Void> extendUserRoleExpiration(AuthzTrans trans, HttpServletResponse resp, String user,
+	String role);
+
+	/*
+	 * Approval 
+	 */
+	public abstract Result<Void> updateApproval(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp);
+	
+	public abstract Result<Void> getApprovalsByUser(AuthzTrans trans, HttpServletResponse resp, String user);
+	
+	public abstract Result<Void> getApprovalsByTicket(AuthzTrans trans, HttpServletResponse resp, String ticket);
+	
+	public abstract Result<Void> getApprovalsByApprover(AuthzTrans trans, HttpServletResponse resp, String approver);
+
+
+	/*
+	 * History
+	 */
+	public abstract Result<Void> getHistoryByUser(AuthzTrans trans,	HttpServletResponse resp, String user, int[] yyyymm, final int sort);
+	
+	public abstract Result<Void> getHistoryByRole(AuthzTrans trans,	HttpServletResponse resp, String subject, int[] yyyymm, final int sort);
+
+	public abstract Result<Void> getHistoryByPerm(AuthzTrans trans,	HttpServletResponse resp, String subject, int[] yyyymm, final int sort);
+
+	public abstract Result<Void> getHistoryByNS(AuthzTrans trans,	HttpServletResponse resp, String subject, int[] yyyymm, final int sort);
+
+	/*
+	 * Cache 
+	 */
+	public abstract Result<Void> cacheClear(AuthzTrans trans, String pathParam);
+
+	public abstract Result<Void> cacheClear(AuthzTrans trans, String string,String segments);
+	
+	public abstract void dbReset(AuthzTrans trans);
+
+
+
+	/*
+	 * API
+	 */
+	public Result<Void> getAPI(AuthzTrans trans, HttpServletResponse resp, RServlet<AuthzTrans> rservlet);
+
+	public abstract Result<Void> getAPIExample(AuthzTrans trans, HttpServletResponse resp, String typeCode, boolean optional);
+
+	public abstract Result<Void> getCertInfoByID(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, String id);
+
+
+
+
+
+
+}
+\ No newline at end of file
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeFactory.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeFactory.java
new file mode 100644
index 00000000..de8260f1
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeFactory.java
@@ -0,0 +1,55 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service.facade;
+
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.service.AuthzCassServiceImpl;
+import org.onap.aaf.auth.service.mapper.Mapper_2_0;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Data;
+
+
+public class AuthzFacadeFactory {
+	public static AuthzFacade_2_0 v2_0(AuthzEnv env, AuthzTrans trans, Data.TYPE type, Question question) throws APIException {
+		return new AuthzFacade_2_0(env,
+				new AuthzCassServiceImpl<
+					aaf.v2_0.Nss,
+					aaf.v2_0.Perms,
+					aaf.v2_0.Pkey,
+					aaf.v2_0.Roles,
+					aaf.v2_0.Users,
+					aaf.v2_0.UserRoles,
+					aaf.v2_0.Delgs,
+					aaf.v2_0.Certs,
+					aaf.v2_0.Keys,
+					aaf.v2_0.Request,
+					aaf.v2_0.History,
+					aaf.v2_0.Error,
+					aaf.v2_0.Approvals>
+					(trans,new Mapper_2_0(question),question),
+				type);
+	}
+	
+
+}
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java
new file mode 100644
index 00000000..4895e26f
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java
@@ -0,0 +1,2642 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service.facade;
+
+import static org.onap.aaf.auth.dao.cass.Status.ERR_ChoiceNeeded;
+import static org.onap.aaf.auth.dao.cass.Status.ERR_DelegateNotFound;
+import static org.onap.aaf.auth.dao.cass.Status.ERR_DependencyExists;
+import static org.onap.aaf.auth.dao.cass.Status.ERR_FutureNotRequested;
+import static org.onap.aaf.auth.dao.cass.Status.ERR_InvalidDelegate;
+import static org.onap.aaf.auth.dao.cass.Status.ERR_NsNotFound;
+import static org.onap.aaf.auth.dao.cass.Status.ERR_PermissionNotFound;
+import static org.onap.aaf.auth.dao.cass.Status.ERR_RoleNotFound;
+import static org.onap.aaf.auth.dao.cass.Status.ERR_UserNotFound;
+import static org.onap.aaf.auth.dao.cass.Status.ERR_UserRoleNotFound;
+import static org.onap.aaf.auth.layer.Result.ERR_ActionNotCompleted;
+import static org.onap.aaf.auth.layer.Result.ERR_Backend;
+import static org.onap.aaf.auth.layer.Result.ERR_BadData;
+import static org.onap.aaf.auth.layer.Result.ERR_ConflictAlreadyExists;
+import static org.onap.aaf.auth.layer.Result.ERR_Denied;
+import static org.onap.aaf.auth.layer.Result.ERR_NotFound;
+import static org.onap.aaf.auth.layer.Result.ERR_NotImplemented;
+import static org.onap.aaf.auth.layer.Result.ERR_Policy;
+import static org.onap.aaf.auth.layer.Result.ERR_Security;
+import static org.onap.aaf.auth.layer.Result.OK;
+
+import java.io.IOException;
+import java.lang.reflect.Method;
+import java.util.Date;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.auth.dao.cass.NsType;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.FacadeImpl;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.rserv.RServlet;
+import org.onap.aaf.auth.rserv.RouteReport;
+import org.onap.aaf.auth.rserv.doc.ApiDoc;
+import org.onap.aaf.auth.service.AuthzCassServiceImpl;
+import org.onap.aaf.auth.service.AuthzService;
+import org.onap.aaf.auth.service.mapper.Mapper;
+import org.onap.aaf.auth.service.mapper.Mapper.API;
+import org.onap.aaf.cadi.aaf.client.Examples;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Data;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.Data.TYPE;
+import org.onap.aaf.misc.env.util.Chrono;
+import org.onap.aaf.misc.rosetta.Marshal;
+import org.onap.aaf.misc.rosetta.env.RosettaDF;
+import org.onap.aaf.misc.rosetta.env.RosettaData;
+
+import aaf.v2_0.Api;
+
+/**
+ * AuthzFacade
+ * 
+ * This Service Facade encapsulates the essence of the API Service can do, and provides
+ * a single created object for elements such as RosettaDF.
+ *
+ * The Responsibilities of this class are to:
+ * 1) Interact with the Service Implementation (which might be supported by various kinds of Backend Storage)
+ * 2) Validate incoming data (if applicable)
+ * 3) Convert the Service response into the right Format, and mark the Content Type
+ * 		a) In the future, we may support multiple Response Formats, aka JSON or XML, based on User Request.
+ * 4) Log Service info, warnings and exceptions as necessary
+ * 5) When asked by the API layer, this will create and write Error content to the OutputStream
+ * 
+ * Note: This Class does NOT set the HTTP Status Code.  That is up to the API layer, so that it can be 
+ * clearly coordinated with the API Documentation
+ * 
+ * @author Pavani & Jonathan
+ *
+ */
+public abstract class AuthzFacadeImpl<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS,CERTS,KEYS,REQUEST,HISTORY,ERR,APPROVALS> extends FacadeImpl implements AuthzFacade 
+	{
+	private static final String FORBIDDEN = "Forbidden";
+	private static final String NOT_FOUND = "Not Found";
+	private static final String NOT_ACCEPTABLE = "Not Acceptable";
+	private static final String GENERAL_SERVICE_ERROR = "General Service Error";
+	private static final String NO_DATA = "***No Data***";
+	private AuthzService<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS,CERTS,KEYS,REQUEST,HISTORY,ERR,APPROVALS> service = null;
+	private final RosettaDF<NSS> nssDF;
+	private final RosettaDF<PERMS> permsDF;
+	private final RosettaDF<ROLES> roleDF;
+	private final RosettaDF<USERS> usersDF;
+	private final RosettaDF<USERROLES> userrolesDF;
+	private final RosettaDF<CERTS> certsDF;
+	private final RosettaDF<DELGS> delgDF;
+	private final RosettaDF<REQUEST> permRequestDF;
+	private final RosettaDF<REQUEST> roleRequestDF;
+	private final RosettaDF<REQUEST> userRoleRequestDF;
+	private final RosettaDF<REQUEST> rolePermRequestDF;
+	private final RosettaDF<REQUEST> nsRequestDF;
+	private final RosettaDF<REQUEST> credRequestDF;
+	private final RosettaDF<REQUEST> delgRequestDF;
+	private final RosettaDF<HISTORY> historyDF;
+	private final RosettaDF<KEYS>    keysDF;
+
+	private final RosettaDF<ERR> 	 	errDF;
+	private final RosettaDF<APPROVALS>  approvalDF;
+	// Note: Api is not different per Version
+	private final RosettaDF<Api>	 	apiDF;
+
+
+	@SuppressWarnings("unchecked")
+	public AuthzFacadeImpl(AuthzEnv env, AuthzService<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS,CERTS,KEYS,REQUEST,HISTORY,ERR,APPROVALS> service, Data.TYPE dataType) throws APIException {
+		this.service = service;
+		(nssDF 				= env.newDataFactory(service.mapper().getClass(API.NSS))).in(dataType).out(dataType);
+		(permRequestDF 		= env.newDataFactory(service.mapper().getClass(API.PERM_REQ))).in(dataType).out(dataType);
+		(permsDF 			= env.newDataFactory(service.mapper().getClass(API.PERMS))).in(dataType).out(dataType);
+//		(permKeyDF			= env.newDataFactory(service.mapper().getClass(API.PERM_KEY))).in(dataType).out(dataType);
+		(roleDF 			= env.newDataFactory(service.mapper().getClass(API.ROLES))).in(dataType).out(dataType);
+		(roleRequestDF 		= env.newDataFactory(service.mapper().getClass(API.ROLE_REQ))).in(dataType).out(dataType);
+		(usersDF 			= env.newDataFactory(service.mapper().getClass(API.USERS))).in(dataType).out(dataType);
+		(userrolesDF 			= env.newDataFactory(service.mapper().getClass(API.USER_ROLES))).in(dataType).out(dataType);
+		(certsDF 			= env.newDataFactory(service.mapper().getClass(API.CERTS))).in(dataType).out(dataType)
+			.rootMarshal((Marshal<CERTS>) service.mapper().getMarshal(API.CERTS));
+		;
+		(userRoleRequestDF 	= env.newDataFactory(service.mapper().getClass(API.USER_ROLE_REQ))).in(dataType).out(dataType);
+		(rolePermRequestDF 	= env.newDataFactory(service.mapper().getClass(API.ROLE_PERM_REQ))).in(dataType).out(dataType);
+		(nsRequestDF 		= env.newDataFactory(service.mapper().getClass(API.NS_REQ))).in(dataType).out(dataType);
+		(credRequestDF 		= env.newDataFactory(service.mapper().getClass(API.CRED_REQ))).in(dataType).out(dataType);
+		(delgRequestDF 		= env.newDataFactory(service.mapper().getClass(API.DELG_REQ))).in(dataType).out(dataType);
+		(historyDF 			= env.newDataFactory(service.mapper().getClass(API.HISTORY))).in(dataType).out(dataType);
+		( keysDF 			= env.newDataFactory(service.mapper().getClass(API.KEYS))).in(dataType).out(dataType);
+		(delgDF 			= env.newDataFactory(service.mapper().getClass(API.DELGS))).in(dataType).out(dataType);
+		(approvalDF 		= env.newDataFactory(service.mapper().getClass(API.APPROVALS))).in(dataType).out(dataType);
+		(errDF 				= env.newDataFactory(service.mapper().getClass(API.ERROR))).in(dataType).out(dataType);
+		(apiDF				= env.newDataFactory(Api.class)).in(dataType).out(dataType);
+	}
+	
+	public Mapper<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS,CERTS,KEYS,REQUEST,HISTORY,ERR,APPROVALS> mapper() {
+		return service.mapper();
+	}
+	
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#error(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, int)
+	 * 
+	 * Note: Conforms to AT&T TSS RESTful Error Structure
+	 */
+	@Override
+	public void error(AuthzTrans trans, HttpServletResponse response, Result<?> result) {
+		String msg = result.details==null?"%s":"%s - " + result.details.trim();
+		String msgId;
+		String[] detail;
+		boolean hidemsg = false;
+		if(result.variables==null) {
+			detail = new String[1];
+		} else {
+			int l = result.variables.length;
+			detail=new String[l+1];
+			System.arraycopy(result.variables, 0, detail, 1, l);
+		}
+		//int httpstatus;
+		
+		switch(result.status) {
+			case ERR_ActionNotCompleted:
+				msgId = "SVC1202";
+				detail[0] = "Accepted, Action not complete";
+				response.setStatus(/*httpstatus=*/202);
+				break;
+
+			case ERR_Policy:
+				msgId = "SVC3403";
+				detail[0] = FORBIDDEN;
+				response.setStatus(/*httpstatus=*/403);
+				break;
+			case ERR_Security:
+				msgId = "SVC2403";
+				detail[0] = FORBIDDEN;
+				response.setStatus(/*httpstatus=*/403);
+				break;
+			case ERR_Denied:
+				msgId = "SVC1403";
+				detail[0] = FORBIDDEN;
+				response.setStatus(/*httpstatus=*/403);
+				break;
+			// This is still forbidden to directly impact, but can be Requested when passed
+			// with "request=true" query Param
+			case ERR_FutureNotRequested:
+				msgId = "SVC2403";
+				detail[0] = msg;
+				response.setStatus(/*httpstatus=*/403);
+				break;
+				
+			case ERR_NsNotFound:
+				msgId = "SVC2404";
+				detail[0] = NOT_FOUND;
+				response.setStatus(/*httpstatus=*/404);
+				break;
+			case ERR_RoleNotFound:
+				msgId = "SVC3404";
+				detail[0] = NOT_FOUND;
+				response.setStatus(/*httpstatus=*/404);
+				break;
+			case ERR_PermissionNotFound:
+				msgId = "SVC4404";
+				detail[0] = NOT_FOUND;
+				response.setStatus(/*httpstatus=*/404);
+				break;
+			case ERR_UserNotFound:
+				msgId = "SVC5404";
+				detail[0] = NOT_FOUND;
+				response.setStatus(/*httpstatus=*/404);
+				break;
+			case ERR_UserRoleNotFound:
+				msgId = "SVC6404";
+				detail[0] = NOT_FOUND;
+				response.setStatus(/*httpstatus=*/404);
+				break;
+			case ERR_DelegateNotFound:
+				msgId = "SVC7404";
+				detail[0] = NOT_FOUND;
+				response.setStatus(/*httpstatus=*/404);
+				break;
+			case ERR_NotFound:
+				msgId = "SVC1404";
+				detail[0] = NOT_FOUND;
+				response.setStatus(/*httpstatus=*/404);
+				break;
+
+			case ERR_InvalidDelegate:
+				msgId="SVC2406";
+				detail[0] = NOT_ACCEPTABLE;
+				response.setStatus(/*httpstatus=*/406);
+				break;
+			case ERR_BadData:
+				msgId="SVC1406";
+				detail[0] = NOT_ACCEPTABLE;
+				response.setStatus(/*httpstatus=*/406);
+				break;
+				
+			case ERR_ConflictAlreadyExists:
+				msgId = "SVC1409";
+				detail[0] = "Conflict Already Exists";
+				response.setStatus(/*httpstatus=*/409);
+				break;
+			
+			case ERR_DependencyExists:
+				msgId = "SVC1424";
+				detail[0] = "Failed Dependency";
+				response.setStatus(/*httpstatus=*/424);
+				break;
+			
+			case ERR_NotImplemented:
+				msgId = "SVC1501";
+				detail[0] = "Not Implemented"; 
+				response.setStatus(/*httpstatus=*/501);
+				break;
+				
+			case Status.ACC_Future:
+				msgId = "SVC1202";
+				detail[0] = "Accepted for Future, pending Approvals";
+				response.setStatus(/*httpstatus=*/202);
+				break;
+			case ERR_ChoiceNeeded:
+				msgId = "SVC1300";
+				detail = result.variables;
+				response.setStatus(/*httpstatus=*/300);
+				break;
+			case ERR_Backend: 
+				msgId = "SVC2500";
+				detail[0] = GENERAL_SERVICE_ERROR;
+				response.setStatus(/*httpstatus=*/500);
+				hidemsg = true;
+				break;
+
+			default: 
+				msgId = "SVC1500";
+				detail[0] = GENERAL_SERVICE_ERROR;
+				response.setStatus(/*httpstatus=*/500);
+				hidemsg = true;
+				break;
+		}
+
+		try {
+			StringBuilder holder = new StringBuilder();
+			ERR em = service.mapper().errorFromMessage(holder,msgId,msg,detail);
+			trans.checkpoint(
+					"ErrResp [" + 
+					msgId +
+					"] " +
+					holder.toString(),
+					Env.ALWAYS);
+			if(hidemsg) {
+				holder.setLength(0);
+				em = mapper().errorFromMessage(holder, msgId, "Server had an issue processing this request");
+			}
+			errDF.newData(trans).load(em).to(response.getOutputStream());
+		} catch (Exception e) {
+			trans.error().log(e,"unable to send response for",msg);
+		}
+	}
+	
+	///////////////////////////
+	// Namespace
+	///////////////////////////
+	public static final String CREATE_NS = "createNamespace";
+	public static final String ADD_NS_ADMIN = "addNamespaceAdmin";
+	public static final String DELETE_NS_ADMIN = "delNamespaceAdmin";
+	public static final String ADD_NS_RESPONSIBLE = "addNamespaceResponsible";
+	public static final String DELETE_NS_RESPONSIBLE = "delNamespaceResponsible";
+	public static final String GET_NS_BY_NAME = "getNamespaceByName";
+	public static final String GET_NS_BY_ADMIN = "getNamespaceByAdmin";
+	public static final String GET_NS_BY_RESPONSIBLE = "getNamespaceByResponsible";
+	public static final String GET_NS_BY_EITHER = "getNamespaceByEither";
+	public static final String GET_NS_CHILDREN = "getNamespaceChildren";
+	public static final String UPDATE_NS_DESC = "updateNamespaceDescription";
+	public static final String DELETE_NS = "deleteNamespace";
+	
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#createNS(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+	 */
+	@Override
+	public Result<Void> requestNS(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, NsType type) {
+		TimeTaken tt = trans.start(CREATE_NS, Env.SUB|Env.ALWAYS);
+		try {
+			REQUEST request;
+			try {
+				Data<REQUEST> rd = nsRequestDF.newData().load(req.getInputStream());
+				if(Question.willSpecialLog(trans, trans.user())) {
+					Question.logEncryptTrace(trans,rd.asString());
+				}
+				request = rd.asObject();
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN,CREATE_NS);
+				return Result.err(Status.ERR_BadData,"Invalid Input");
+			}
+			
+			Result<Void> rp = service.createNS(trans,request,type);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,nsRequestDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,CREATE_NS);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#addAdminToNS(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.String, java.lang.String)
+	 */
+	@Override
+	public Result<Void> addAdminToNS(AuthzTrans trans, HttpServletResponse resp, String ns, String id) {
+		TimeTaken tt = trans.start(ADD_NS_ADMIN + ' ' + ns + ' ' + id, Env.SUB|Env.ALWAYS);
+		try {
+			Result<Void> rp = service.addAdminNS(trans,ns,id);
+			switch(rp.status) {
+				case OK: 
+					//TODO Perms??
+					setContentType(resp,nsRequestDF.getOutType());
+					resp.getOutputStream().println();
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,ADD_NS_ADMIN);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#delAdminFromNS(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.String, java.lang.String)
+	 */
+	@Override
+	public Result<Void> delAdminFromNS(AuthzTrans trans, HttpServletResponse resp, String ns, String id) {
+		TimeTaken tt = trans.start(DELETE_NS_ADMIN + ' ' + ns + ' ' + id, Env.SUB|Env.ALWAYS);
+		try {
+			Result<Void> rp = service.delAdminNS(trans, ns, id);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,nsRequestDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,DELETE_NS_ADMIN);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#addAdminToNS(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.String, java.lang.String)
+	 */
+	@Override
+	public Result<Void> addResponsibilityForNS(AuthzTrans trans, HttpServletResponse resp, String ns, String id) {
+		TimeTaken tt = trans.start(ADD_NS_RESPONSIBLE + ' ' + ns + ' ' + id, Env.SUB|Env.ALWAYS);
+		try {
+			Result<Void> rp = service.addResponsibleNS(trans,ns,id);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,nsRequestDF.getOutType());
+					resp.getOutputStream().println();
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,ADD_NS_RESPONSIBLE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#delAdminFromNS(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.String, java.lang.String)
+	 */
+	@Override
+	public Result<Void> delResponsibilityForNS(AuthzTrans trans, HttpServletResponse resp, String ns, String id) {
+		TimeTaken tt = trans.start(DELETE_NS_RESPONSIBLE + ' ' + ns + ' ' + id, Env.SUB|Env.ALWAYS);
+		try {
+			Result<Void> rp = service.delResponsibleNS(trans, ns, id);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,nsRequestDF.getOutType());
+					resp.getOutputStream().println();
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,DELETE_NS_RESPONSIBLE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getNSsByName(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	@Override
+	public Result<Void> getNSsByName(AuthzTrans trans, HttpServletResponse resp, String ns) {
+		TimeTaken tt = trans.start(GET_NS_BY_NAME + ' ' + ns, Env.SUB|Env.ALWAYS);
+		try {
+			Result<NSS> rp = service.getNSbyName(trans, ns);
+			switch(rp.status) {
+				case OK: 
+					RosettaData<NSS> data = nssDF.newData(trans).load(rp.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+					setContentType(resp,nssDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_NS_BY_NAME);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+	
+//	TODO: uncomment when on cassandra 2.1.2 for MyNamespace GUI page
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getNSsByAdmin(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	@Override
+	public Result<Void> getNSsByAdmin(AuthzTrans trans, HttpServletResponse resp, String user, boolean full){
+		TimeTaken tt = trans.start(GET_NS_BY_ADMIN + ' ' + user, Env.SUB|Env.ALWAYS);
+		try {
+			Result<NSS> rp = service.getNSbyAdmin(trans, user, full);
+			switch(rp.status) {
+				case OK: 
+					RosettaData<NSS> data = nssDF.newData(trans).load(rp.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+					setContentType(resp,nssDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_NS_BY_ADMIN);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+	
+//	TODO: uncomment when on cassandra 2.1.2 for MyNamespace GUI page
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getNSsByResponsible(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	@Override
+	public Result<Void> getNSsByResponsible(AuthzTrans trans, HttpServletResponse resp, String user, boolean full){
+		TimeTaken tt = trans.start(GET_NS_BY_RESPONSIBLE + ' ' + user, Env.SUB|Env.ALWAYS);
+		try {
+			Result<NSS> rp = service.getNSbyResponsible(trans, user, full);
+			switch(rp.status) {
+				case OK: 
+					RosettaData<NSS> data = nssDF.newData(trans).load(rp.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+
+					setContentType(resp,nssDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_NS_BY_RESPONSIBLE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getNSsByResponsible(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	@Override
+	public Result<Void> getNSsByEither(AuthzTrans trans, HttpServletResponse resp, String user, boolean full){
+		TimeTaken tt = trans.start(GET_NS_BY_EITHER + ' ' + user, Env.SUB|Env.ALWAYS);
+		try {
+			Result<NSS> rp = service.getNSbyEither(trans, user, full);
+			
+			switch(rp.status) {
+				case OK: 
+					RosettaData<NSS> data = nssDF.newData(trans).load(rp.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+
+					setContentType(resp,nssDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_NS_BY_EITHER);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getNSsByResponsible(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	@Override
+	public Result<Void> getNSsChildren(AuthzTrans trans, HttpServletResponse resp, String parent){
+		TimeTaken tt = trans.start(GET_NS_CHILDREN + ' ' + parent, Env.SUB|Env.ALWAYS);
+		try {
+			Result<NSS> rp = service.getNSsChildren(trans, parent);
+			switch(rp.status) {
+				case OK: 
+					RosettaData<NSS> data = nssDF.newData(trans).load(rp.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+					setContentType(resp,nssDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_NS_CHILDREN);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	@Override
+	public Result<Void> updateNsDescription(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(UPDATE_NS_DESC, Env.SUB|Env.ALWAYS);
+		try {
+			REQUEST rreq;
+			try {
+				RosettaData<REQUEST> data = nsRequestDF.newData().load(req.getInputStream());
+				if(Question.willSpecialLog(trans, trans.user())) {
+					Question.logEncryptTrace(trans,data.asString());
+				}
+				rreq = data.asObject();
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN,UPDATE_NS_DESC);
+				return Result.err(Status.ERR_BadData,"Invalid Input");
+
+			}
+			Result<Void> rp = service.updateNsDescription(trans, rreq);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,nsRequestDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,UPDATE_NS_DESC);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+	
+	/*
+	 * (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#requestNS(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+	 */
+	@Override
+	public Result<Void> deleteNS(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, String ns) {
+		TimeTaken tt = trans.start(DELETE_NS + ' ' + ns, Env.SUB|Env.ALWAYS);
+		try {
+			Result<Void> rp = service.deleteNS(trans,ns);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,nsRequestDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,DELETE_NS);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	private final static String NS_CREATE_ATTRIB = "nsCreateAttrib";
+	private final static String NS_UPDATE_ATTRIB = "nsUpdateAttrib";
+	private final static String READ_NS_BY_ATTRIB = "readNsByAttrib";
+	private final static String NS_DELETE_ATTRIB = "nsDeleteAttrib";
+	
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#createAttribForNS(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String, java.lang.String, java.lang.String)
+	 */
+	@Override
+	public Result<Void> createAttribForNS(AuthzTrans trans, HttpServletResponse resp, String ns, String key, String value) {
+		TimeTaken tt = trans.start(NS_CREATE_ATTRIB + ' ' + ns + ':'+key+':'+value, Env.SUB|Env.ALWAYS);
+		try {
+			Result<?> rp = service.createNsAttrib(trans,ns,key,value);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp, keysDF.getOutType());
+					resp.getOutputStream().println();
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,NS_CREATE_ATTRIB);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#readAttribForNS(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	@Override
+	public Result<Void> readNsByAttrib(AuthzTrans trans, HttpServletResponse resp, String key) {
+		TimeTaken tt = trans.start(READ_NS_BY_ATTRIB + ' ' + key, Env.SUB|Env.ALWAYS);
+		try {
+			Result<KEYS> rp = service.readNsByAttrib(trans, key);
+			switch(rp.status) {
+				case OK: 
+					RosettaData<KEYS> data = keysDF.newData(trans).load(rp.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+					setContentType(resp,keysDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,READ_NS_BY_ATTRIB);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#updAttribForNS(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String, java.lang.String, java.lang.String)
+	 */
+	@Override
+	public Result<Void> updAttribForNS(AuthzTrans trans, HttpServletResponse resp, String ns, String key, String value) {
+		TimeTaken tt = trans.start(NS_UPDATE_ATTRIB + ' ' + ns + ':'+key+':'+value, Env.SUB|Env.ALWAYS);
+		try {
+			Result<?> rp = service.updateNsAttrib(trans,ns,key,value);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp, keysDF.getOutType());
+					resp.getOutputStream().println();
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,NS_UPDATE_ATTRIB);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#delAttribForNS(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String, java.lang.String)
+	 */
+	@Override
+	public Result<Void> delAttribForNS(AuthzTrans trans, HttpServletResponse resp, String ns, String key) {
+		TimeTaken tt = trans.start(NS_DELETE_ATTRIB + ' ' + ns + ':'+key, Env.SUB|Env.ALWAYS);
+		try {
+			Result<?> rp = service.deleteNsAttrib(trans,ns,key);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp, keysDF.getOutType());
+					resp.getOutputStream().println();
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,NS_DELETE_ATTRIB);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+//
+// PERMISSION
+//
+	public static final String CREATE_PERMISSION = "createPermission";
+	public static final String GET_PERMS_BY_TYPE = "getPermsByType";
+	public static final String GET_PERMS_BY_NAME = "getPermsByName";
+	public static final String GET_PERMISSIONS_BY_USER = "getPermissionsByUser";
+	public static final String GET_PERMISSIONS_BY_USER_SCOPE = "getPermissionsByUserScope";
+	public static final String GET_PERMISSIONS_BY_USER_WITH_QUERY = "getPermissionsByUserWithQuery";
+	public static final String GET_PERMISSIONS_BY_ROLE = "getPermissionsByRole";
+	public static final String GET_PERMISSIONS_BY_NS = "getPermissionsByNS";
+	public static final String UPDATE_PERMISSION = "updatePermission";
+	public static final String UPDATE_PERM_DESC = "updatePermissionDescription";
+	public static final String SET_PERMISSION_ROLES_TO = "setPermissionRolesTo";
+	public static final String DELETE_PERMISSION = "deletePermission";
+	
+	/*
+	 * (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#createOrUpdatePerm(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, boolean, java.lang.String, java.lang.String, java.lang.String)
+	 */
+	@Override
+	public Result<Void> createPerm(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start( CREATE_PERMISSION, Env.SUB|Env.ALWAYS);	
+		try {
+			REQUEST rreq;
+			try {
+				RosettaData<REQUEST> data = permRequestDF.newData().load(req.getInputStream());
+				if(Question.willSpecialLog(trans, trans.user())) {
+					Question.logEncryptTrace(trans,data.asString());
+				}
+				rreq = data.asObject();			
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN,CREATE_PERMISSION);
+				return Result.err(Status.ERR_BadData,"Invalid Input");
+			}
+			
+			Result<Void> rp = service.createPerm(trans,rreq);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,permsDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,CREATE_PERMISSION);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+	
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getChildPerms(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	@Override
+	public Result<Void> getPermsByType(AuthzTrans trans, HttpServletResponse resp, String perm) {
+		TimeTaken tt = trans.start(GET_PERMS_BY_TYPE + ' ' + perm, Env.SUB|Env.ALWAYS);
+		try {
+			
+			Result<PERMS> rp = service.getPermsByType(trans, perm);
+			switch(rp.status) {
+				case OK:
+					RosettaData<PERMS> data = permsDF.newData(trans).load(rp.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+					setContentType(resp,permsDF.getOutType());
+					setCacheControlOff(resp);
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_PERMS_BY_TYPE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+	
+	@Override
+	public Result<Void> getPermsByName(AuthzTrans trans, HttpServletResponse resp, 
+			String type, String instance, String action) {
+		
+		TimeTaken tt = trans.start(GET_PERMS_BY_NAME + ' ' + type
+				+ '|' + instance + '|' + action, Env.SUB|Env.ALWAYS);
+		try {
+			
+			Result<PERMS> rp = service.getPermsByName(trans, type, instance, action);
+			switch(rp.status) {
+				case OK:
+					RosettaData<PERMS> data = permsDF.newData(trans).load(rp.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+					setContentType(resp,permsDF.getOutType());
+					setCacheControlOff(resp);
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_PERMS_BY_TYPE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getPermissionByUser(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	@Override
+	public Result<Void> getPermsByUser(AuthzTrans trans, HttpServletResponse resp,	String user) {
+		TimeTaken tt = trans.start(GET_PERMISSIONS_BY_USER + ' ' + user, Env.SUB|Env.ALWAYS);
+		try {
+			Result<PERMS> rp = service.getPermsByUser(trans, user);
+			switch(rp.status) {
+				case OK: 
+					RosettaData<PERMS> data = permsDF.newData(trans).load(rp.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+					setContentType(resp,permsDF.getOutType());
+					setCacheControlOff(resp);
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_PERMISSIONS_BY_USER, user);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+	
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getPermissionByUser(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	@Override
+	public Result<Void> getPermsByUserScope(AuthzTrans trans, HttpServletResponse resp, String user, String[] scopes) {
+		TimeTaken tt = trans.start(GET_PERMISSIONS_BY_USER_SCOPE + ' ' + user, Env.SUB|Env.ALWAYS);
+		try {
+			Result<PERMS> rp = service.getPermsByUserScope(trans, user, scopes);
+			switch(rp.status) {
+				case OK: 
+					RosettaData<PERMS> data = permsDF.newData(trans).load(rp.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+					setContentType(resp,permsDF.getOutType());
+					setCacheControlOff(resp);
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_PERMISSIONS_BY_USER_SCOPE, user);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+
+	
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getPermissionByUser(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	@Override
+	public Result<Void> getPermsByUserWithAAFQuery(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, String user) {
+		TimeTaken tt = trans.start(GET_PERMISSIONS_BY_USER_WITH_QUERY + ' ' + user, Env.SUB|Env.ALWAYS);
+		try {
+			PERMS perms;
+			try {
+				RosettaData<PERMS> data = permsDF.newData().load(req.getInputStream());
+				if(Question.willSpecialLog(trans, trans.user())) {
+					Question.logEncryptTrace(trans,data.asString());
+				}
+				perms = data.asObject();			
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN,GET_PERMISSIONS_BY_USER_WITH_QUERY);
+				return Result.err(Status.ERR_BadData,"Invalid Input");
+			}
+
+			Result<PERMS> rp = service.getPermsByUser(trans, perms, user);
+			switch(rp.status) {
+				case OK: 
+					RosettaData<PERMS> data = permsDF.newData(trans).load(rp.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+					setContentType(resp,permsDF.getOutType());
+					setCacheControlOff(resp);
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_PERMISSIONS_BY_USER_WITH_QUERY , user);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getPermissionsForRole(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	@Override
+	public Result<Void> getPermsForRole(AuthzTrans trans, HttpServletResponse resp,	String roleName) {
+		TimeTaken tt = trans.start(GET_PERMISSIONS_BY_ROLE + ' ' + roleName, Env.SUB|Env.ALWAYS);
+		try {
+			Result<PERMS> rp = service.getPermsByRole(trans, roleName);
+			switch(rp.status) {
+				case OK:
+					RosettaData<PERMS> data = permsDF.newData(trans).load(rp.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+					setContentType(resp,permsDF.getOutType());
+					setCacheControlOff(resp);
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_PERMISSIONS_BY_ROLE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+	
+	@Override
+	public Result<Void> getPermsByNS(AuthzTrans trans,HttpServletResponse resp,String ns) {
+		TimeTaken tt = trans.start(GET_PERMISSIONS_BY_NS + ' ' + ns, Env.SUB|Env.ALWAYS);
+		try {
+			Result<PERMS> rp = service.getPermsByNS(trans, ns);
+			switch(rp.status) {
+				case OK:
+					RosettaData<PERMS> data = permsDF.newData(trans).load(rp.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+					setContentType(resp,permsDF.getOutType());
+					setCacheControlOff(resp);
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_PERMISSIONS_BY_NS);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/*
+	 * (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#createOrUpdatePerm(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, boolean, java.lang.String, java.lang.String, java.lang.String)
+	 */
+	@Override
+	public Result<Void> renamePerm(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp,
+			String origType, String origInstance, String origAction) {
+		String cmdDescription = UPDATE_PERMISSION;
+		TimeTaken tt = trans.start( cmdDescription	+ ' ' + origType + ' ' + origInstance + ' ' + origAction, Env.SUB|Env.ALWAYS);	
+		try {
+			REQUEST rreq;
+			try {
+				RosettaData<REQUEST> data = permRequestDF.newData().load(req.getInputStream());
+				if(Question.willSpecialLog(trans, trans.user())) {
+					Question.logEncryptTrace(trans,data.asString());
+				}
+				rreq = data.asObject();			
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN,cmdDescription);
+				return Result.err(Status.ERR_BadData,"Invalid Input");
+			}
+			
+			Result<Void> rp = service.renamePerm(trans,rreq, origType, origInstance, origAction);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,permsDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,cmdDescription);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+	
+	@Override
+	public Result<Void> updatePermDescription(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(UPDATE_PERM_DESC, Env.SUB|Env.ALWAYS);
+		try {
+			REQUEST rreq;
+			try {
+				RosettaData<REQUEST> data = permRequestDF.newData().load(req.getInputStream());
+				if(Question.willSpecialLog(trans, trans.user())) {
+					Question.logEncryptTrace(trans,data.asString());
+				}
+				rreq = data.asObject();
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN,UPDATE_PERM_DESC);
+				return Result.err(Status.ERR_BadData,"Invalid Input");
+
+			}
+			Result<Void> rp = service.updatePermDescription(trans, rreq);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,permRequestDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,UPDATE_PERM_DESC);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+	
+	
+	@Override
+	public Result<Void> resetPermRoles(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(SET_PERMISSION_ROLES_TO, Env.SUB|Env.ALWAYS);
+		try {
+			REQUEST rreq;
+			try {
+				RosettaData<REQUEST> data = rolePermRequestDF.newData().load(req.getInputStream());
+				if(Question.willSpecialLog(trans, trans.user())) {
+					Question.logEncryptTrace(trans,data.asString());
+				}
+				rreq = data.asObject();
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN, SET_PERMISSION_ROLES_TO);
+				return Result.err(Status.ERR_BadData,"Invalid Input");
+			}
+			
+			Result<Void> rp = service.resetPermRoles(trans, rreq);
+			
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,permsDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,SET_PERMISSION_ROLES_TO);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+	
+	@Override
+	public Result<Void> deletePerm(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(DELETE_PERMISSION, Env.SUB|Env.ALWAYS);
+		try {
+			REQUEST rreq;
+			try {
+				RosettaData<REQUEST> data = permRequestDF.newData().load(req.getInputStream());
+				if(Question.willSpecialLog(trans, trans.user())) {
+					Question.logEncryptTrace(trans,data.asString());
+				}
+				rreq = data.asObject();
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN,DELETE_PERMISSION);
+				return Result.err(Status.ERR_BadData,"Invalid Input");
+
+			}
+
+			Result<Void> rp = service.deletePerm(trans,rreq);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,permsDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,DELETE_PERMISSION);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	@Override
+	public Result<Void> deletePerm(AuthzTrans trans, HttpServletResponse resp, String type, String instance, String action) {
+		TimeTaken tt = trans.start(DELETE_PERMISSION + type + ' ' + instance + ' ' + action, Env.SUB|Env.ALWAYS);
+		try {
+			Result<Void> rp = service.deletePerm(trans,type,instance,action);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,permsDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,DELETE_PERMISSION);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	public static final String CREATE_ROLE = "createRole";
+	public static final String GET_ROLES_BY_USER = "getRolesByUser";
+	public static final String GET_ROLES_BY_NS = "getRolesByNS";
+	public static final String GET_ROLES_BY_NAME_ONLY = "getRolesByNameOnly";
+	public static final String GET_ROLES_BY_NAME = "getRolesByName";
+	public static final String GET_ROLES_BY_PERM = "getRolesByPerm";
+	public static final String UPDATE_ROLE_DESC = "updateRoleDescription"; 
+	public static final String ADD_PERM_TO_ROLE = "addPermissionToRole";
+	public static final String DELETE_PERM_FROM_ROLE = "deletePermissionFromRole";
+	public static final String UPDATE_MGTPERM_ROLE = "updateMgtPermRole";
+	public static final String DELETE_ROLE = "deleteRole";
+	public static final String GET_CERT_BY_ID = "getCertByID";
+
+	@Override
+	public Result<Void> createRole(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(CREATE_ROLE, Env.SUB|Env.ALWAYS);
+		try {
+			REQUEST rreq;
+			try {
+				RosettaData<REQUEST> data = roleRequestDF.newData().load(req.getInputStream());
+				if(Question.willSpecialLog(trans, trans.user())) {
+					Question.logEncryptTrace(trans,data.asString());
+				}
+				rreq = data.asObject();
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN,CREATE_ROLE);
+				return Result.err(Status.ERR_BadData,"Invalid Input");
+
+			}
+			Result<Void> rp = service.createRole(trans, rreq);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,roleRequestDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,CREATE_ROLE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getRolesByName(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	@Override
+	public Result<Void> getRolesByName(AuthzTrans trans, HttpServletResponse resp, String role) {
+		TimeTaken tt = trans.start(GET_ROLES_BY_NAME + ' ' + role, Env.SUB|Env.ALWAYS);
+		try {
+			Result<ROLES> rp = service.getRolesByName(trans, role);
+			switch(rp.status) {
+				case OK: 
+					RosettaData<ROLES> data = roleDF.newData(trans).load(rp.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+					setContentType(resp,roleDF.getOutType());
+					setCacheControlOff(resp);
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_ROLES_BY_NAME);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getRolesByUser(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	@Override
+	public Result<Void> getRolesByUser(AuthzTrans trans,HttpServletResponse resp, String user) {
+		TimeTaken tt = trans.start(GET_ROLES_BY_USER + ' ' + user, Env.SUB|Env.ALWAYS);
+		try {
+			Result<ROLES> rp = service.getRolesByUser(trans, user);
+			switch(rp.status) {
+				case OK: 
+					RosettaData<ROLES> data = roleDF.newData(trans).load(rp.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+					setContentType(resp,roleDF.getOutType());
+					setCacheControlOff(resp);
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_ROLES_BY_USER, user);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getRolesByUser(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	@Override
+	public Result<Void> getRolesByNS(AuthzTrans trans,HttpServletResponse resp, String ns) {
+		TimeTaken tt = trans.start(GET_ROLES_BY_NS + ' ' + ns, Env.SUB|Env.ALWAYS);
+		try {
+			Result<ROLES> rp = service.getRolesByNS(trans, ns);
+			switch(rp.status) {
+				case OK: 
+					if(!rp.isEmpty()) {
+						RosettaData<ROLES> data = roleDF.newData(trans).load(rp.value);
+						if(Question.willSpecialLog(trans, trans.user())) {
+							Question.logEncryptTrace(trans,data.asString());
+						}
+						data.to(resp.getOutputStream());
+					} else {
+						Question.logEncryptTrace(trans, NO_DATA);
+					}
+					setContentType(resp,roleDF.getOutType());
+					setCacheControlOff(resp);
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_ROLES_BY_NS);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getRolesByNameOnly(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	@Override
+	public Result<Void> getRolesByNameOnly(AuthzTrans trans,HttpServletResponse resp, String nameOnly) {
+		TimeTaken tt = trans.start(GET_ROLES_BY_NAME_ONLY + ' ' + nameOnly, Env.SUB|Env.ALWAYS);
+		try {
+			Result<ROLES> rp = service.getRolesByNameOnly(trans, nameOnly);
+			switch(rp.status) {
+				case OK: 
+					if(!rp.isEmpty()) {
+						RosettaData<ROLES> data = roleDF.newData(trans).load(rp.value);
+						if(Question.willSpecialLog(trans, trans.user())) {
+							Question.logEncryptTrace(trans,data.asString());
+						}
+						data.to(resp.getOutputStream());
+					} else {
+						Question.logEncryptTrace(trans, NO_DATA);
+					}
+					setContentType(resp,roleDF.getOutType());
+					setCacheControlOff(resp);
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_ROLES_BY_NAME_ONLY);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getRolesByUser(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	@Override
+	public Result<Void> getRolesByPerm(AuthzTrans trans,HttpServletResponse resp, String type, String instance, String action) {
+		TimeTaken tt = trans.start(GET_ROLES_BY_PERM + type +' '+instance+' '+action, Env.SUB|Env.ALWAYS);
+		try {
+			Result<ROLES> rp = service.getRolesByPerm(trans, type,instance,action);
+			switch(rp.status) {
+				case OK: 
+					RosettaData<ROLES> data = roleDF.newData(trans).load(rp.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+					setContentType(resp,roleDF.getOutType());
+					setCacheControlOff(resp);
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_ROLES_BY_PERM);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/*
+	 * (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#updateDescription(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+	 */
+	@Override
+	public Result<Void> updateRoleDescription(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(UPDATE_ROLE_DESC, Env.SUB|Env.ALWAYS);
+		try {
+			REQUEST rreq;
+			try {
+				RosettaData<REQUEST> data = roleRequestDF.newData().load(req.getInputStream());
+				if(Question.willSpecialLog(trans, trans.user())) {
+					Question.logEncryptTrace(trans,data.asString());
+				}
+				rreq = data.asObject();
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN,UPDATE_ROLE_DESC);
+				return Result.err(Status.ERR_BadData,"Invalid Input");
+
+			}
+			Result<Void> rp = service.updateRoleDescription(trans, rreq);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,roleRequestDF.getOutType());
+					return Result.ok();
+				default:
+					return rp;
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,UPDATE_ROLE_DESC);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	@Override
+	public Result<Void> addPermToRole(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(ADD_PERM_TO_ROLE, Env.SUB|Env.ALWAYS);
+		try {
+			REQUEST rreq;
+			try {
+				RosettaData<REQUEST> data = rolePermRequestDF.newData().load(req.getInputStream());
+				if(Question.willSpecialLog(trans, trans.user())) {
+					Question.logEncryptTrace(trans,data.asString());
+				}
+				rreq = data.asObject();
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN,ADD_PERM_TO_ROLE);
+				return Result.err(Status.ERR_BadData,"Invalid Input");
+
+			}
+			Result<Void> rp = service.addPermToRole(trans, rreq);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,permsDF.getOutType());
+					resp.getOutputStream().println();
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,ADD_PERM_TO_ROLE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	@Override
+	public Result<Void> delPermFromRole(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(DELETE_PERM_FROM_ROLE, Env.SUB|Env.ALWAYS);
+		try {
+			REQUEST rreq;
+			try {
+				RosettaData<REQUEST> data = rolePermRequestDF.newData().load(req.getInputStream());
+				if(Question.willSpecialLog(trans, trans.user())) {
+					Question.logEncryptTrace(trans,data.asString());
+				}
+				rreq = data.asObject();
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN,DELETE_PERM_FROM_ROLE);
+				return Result.err(Status.ERR_BadData,"Invalid Input");
+
+			}
+			Result<Void> rp = service.delPermFromRole(trans, rreq);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,permsDF.getOutType());
+					resp.getOutputStream().println();
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,DELETE_PERM_FROM_ROLE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#delPermFromRole(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String, java.lang.String, java.lang.String, java.lang.String)
+	 */
+	@Override
+	public Result<Void> delPermFromRole(AuthzTrans trans, HttpServletResponse resp, String role, String type,
+			String instance, String action) {
+		TimeTaken tt = trans.start(DELETE_PERM_FROM_ROLE, Env.SUB|Env.ALWAYS);
+		try {
+			Result<Void> rp = service.delPermFromRole(trans, role, type, instance, action);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,permsDF.getOutType());
+					resp.getOutputStream().println();
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,DELETE_PERM_FROM_ROLE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	@Override
+	public Result<Void> deleteRole(AuthzTrans trans, HttpServletResponse resp, String role) {
+		TimeTaken tt = trans.start(DELETE_ROLE + ' ' + role, Env.SUB|Env.ALWAYS);
+		try {
+			Result<Void> rp = service.deleteRole(trans, role);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,permsDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,DELETE_ROLE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	@Override
+	public Result<Void> deleteRole(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(DELETE_ROLE, Env.SUB|Env.ALWAYS);
+		try {
+			REQUEST rreq;
+			try {
+				RosettaData<REQUEST> data = roleRequestDF.newData().load(req.getInputStream());
+				if(Question.willSpecialLog(trans, trans.user())) {
+					Question.logEncryptTrace(trans,data.asString());
+				}
+				rreq = data.asObject();
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN,CREATE_ROLE);
+				return Result.err(Status.ERR_BadData,"Invalid Input");
+			}
+
+			Result<Void> rp = service.deleteRole(trans, rreq);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,permsDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,DELETE_ROLE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	public static final String CREATE_CRED = "createUserCred";
+	private static final String GET_CREDS_BY_NS = "getCredsByNS";
+	private static final String GET_CREDS_BY_ID = "getCredsByID";
+	public static final String UPDATE_CRED = "updateUserCred";
+	public static final String EXTEND_CRED = "extendUserCred";
+	public static final String DELETE_CRED = "deleteUserCred";
+	public static final String DOES_CRED_MATCH = "doesCredMatch";
+	public static final String VALIDATE_BASIC_AUTH = "validateBasicAuth";
+
+
+
+	@Override
+	/**
+	 * Create Credential
+	 * 
+	 */
+	public Result<Void> createUserCred(AuthzTrans trans, HttpServletRequest req) {
+		TimeTaken tt = trans.start(CREATE_CRED, Env.SUB|Env.ALWAYS);
+		try {
+			RosettaData<REQUEST> data = credRequestDF.newData().load(req.getInputStream());
+			if(Question.willSpecialLog(trans, trans.user())) {
+				Question.logEncryptTrace(trans,data.asString());
+			}
+			return service.createUserCred(trans, data.asObject());
+		} catch(APIException e) {
+			trans.error().log(e,"Bad Input data");
+			return Result.err(Status.ERR_BadData, e.getLocalizedMessage());
+		} catch (Exception e) {
+			trans.error().log(e,IN,CREATE_CRED);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	@Override
+	public Result<Void> changeUserCred(AuthzTrans trans, HttpServletRequest req) {
+		TimeTaken tt = trans.start(UPDATE_CRED, Env.SUB|Env.ALWAYS);
+		try {
+			RosettaData<REQUEST> data = credRequestDF.newData().load(req.getInputStream());
+			if(Question.willSpecialLog(trans, trans.user())) {
+				Question.logEncryptTrace(trans,data.asString());
+			}
+
+			return service.changeUserCred(trans, data.asObject());
+		} catch(APIException e) {
+			trans.error().log(e,"Bad Input data");
+			return Result.err(Status.ERR_BadData, e.getLocalizedMessage());
+		} catch (Exception e) {
+			trans.error().log(e,IN,UPDATE_CRED);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#extendUserCred(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletRequest, int)
+	 */
+	@Override
+	public Result<Void> extendUserCred(AuthzTrans trans, HttpServletRequest req, String days) {
+		TimeTaken tt = trans.start(EXTEND_CRED, Env.SUB|Env.ALWAYS);
+		try {
+			RosettaData<REQUEST> data = credRequestDF.newData().load(req.getInputStream());
+			if(Question.willSpecialLog(trans, trans.user())) {
+				Question.logEncryptTrace(trans,data.asString());
+			}
+
+			return service.extendUserCred(trans, data.asObject(), days);
+		} catch(APIException e) {
+			trans.error().log(e,"Bad Input data");
+			return Result.err(Status.ERR_BadData, e.getLocalizedMessage());
+		} catch (Exception e) {
+			trans.error().log(e,IN,EXTEND_CRED);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	@Override
+	public Result<Void> getCredsByNS(AuthzTrans trans, HttpServletResponse resp, String ns) {
+		TimeTaken tt = trans.start(GET_CREDS_BY_NS + ' ' + ns, Env.SUB|Env.ALWAYS);
+		
+		try {
+			Result<USERS> ru = service.getCredsByNS(trans,ns);
+			switch(ru.status) {
+				case OK: 
+					RosettaData<USERS> data = usersDF.newData(trans).load(ru.value);
+					if(Question.willSpecialLog(trans,trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+					setContentType(resp,usersDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(ru);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_CREDS_BY_NS);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+		
+	}
+	
+	
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getCredsByID(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	@Override
+	public Result<Void> getCredsByID(AuthzTrans trans, HttpServletResponse resp, String id) {
+		TimeTaken tt = trans.start(GET_CREDS_BY_ID + ' ' + id, Env.SUB|Env.ALWAYS);
+		
+		try {
+			Result<USERS> ru = service.getCredsByID(trans,id);
+			switch(ru.status) {
+				case OK: 
+					RosettaData<USERS> data = usersDF.newData(trans).load(ru.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+					setContentType(resp,usersDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(ru);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_CREDS_BY_ID);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+		
+	}
+
+	@Override
+	public Result<Void> deleteUserCred(AuthzTrans trans, HttpServletRequest req) {
+		TimeTaken tt = trans.start(DELETE_CRED, Env.SUB|Env.ALWAYS);
+		try {
+			RosettaData<REQUEST> data = credRequestDF.newData().load(req.getInputStream());
+			if(Question.willSpecialLog(trans, trans.user())) {
+				Question.logEncryptTrace(trans,data.asString());
+			}
+
+			return service.deleteUserCred(trans, data.asObject());
+		} catch(APIException e) {
+			trans.error().log(e,"Bad Input data");
+			return Result.err(Status.ERR_BadData, e.getLocalizedMessage());
+		} catch (Exception e) {
+			trans.error().log(e,IN,DELETE_CRED);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}	
+	}
+	
+	
+	@Override
+	public Result<Date> doesCredentialMatch(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(DOES_CRED_MATCH, Env.SUB|Env.ALWAYS);
+		try {
+			RosettaData<REQUEST> data = credRequestDF.newData().load(req.getInputStream());
+			if(Question.willSpecialLog(trans, trans.user())) {
+				Question.logEncryptTrace(trans,data.asString());
+			}
+
+			return service.doesCredentialMatch(trans, data.asObject());
+		} catch(APIException e) {
+			trans.error().log(e,"Bad Input data");
+			return Result.err(Status.ERR_BadData, e.getLocalizedMessage());
+		} catch (IOException e) {
+			trans.error().log(e,IN,DOES_CRED_MATCH);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}	
+	}
+
+
+	@Override
+	public Result<Void> validBasicAuth(AuthzTrans trans, HttpServletResponse resp, String basicAuth) {
+		TimeTaken tt = trans.start(VALIDATE_BASIC_AUTH, Env.SUB|Env.ALWAYS);
+		try {
+			Result<Date> result = service.validateBasicAuth(trans,basicAuth);
+			switch(result.status){
+				case OK:
+					resp.getOutputStream().write(Chrono.utcStamp(result.value).getBytes());
+					return Result.ok();
+			}
+			return Result.err(result);
+		} catch (Exception e) {
+			trans.error().log(e,IN,VALIDATE_BASIC_AUTH);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getCertInfoByID(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	@Override
+	public Result<Void> getCertInfoByID(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, String id) {
+		TimeTaken tt = trans.start(GET_CERT_BY_ID, Env.SUB|Env.ALWAYS);
+		try {	
+			Result<CERTS> rci = service.getCertInfoByID(trans,req,id);
+			
+			switch(rci.status) {
+				case OK: 
+					if(Question.willSpecialLog(trans, trans.user())) {
+						RosettaData<CERTS> data = certsDF.newData(trans).load(rci.value);
+						Question.logEncryptTrace(trans,data.asString());
+						data.to(resp.getOutputStream());
+					} else {
+						certsDF.direct(trans, rci.value, resp.getOutputStream());
+					}
+					setContentType(resp,certsDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rci);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_CERT_BY_ID);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	public static final String CREATE_DELEGATE = "createDelegate";
+	public static final String UPDATE_DELEGATE = "updateDelegate";
+	public static final String DELETE_DELEGATE = "deleteDelegate";
+	public static final String GET_DELEGATE_USER = "getDelegatesByUser";
+	public static final String GET_DELEGATE_DELG = "getDelegatesByDelegate";
+	
+	@Override
+	public Result<Void> createDelegate(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(CREATE_DELEGATE, Env.SUB|Env.ALWAYS);
+		try {	
+			Data<REQUEST> data = delgRequestDF.newData().load(req.getInputStream());
+			if(Question.willSpecialLog(trans, trans.user())) {
+				Question.logEncryptTrace(trans,data.asString());
+			}
+
+			return service.createDelegate(trans, data.asObject());
+		} catch (Exception e) {
+			trans.error().log(e,IN,CREATE_DELEGATE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+	
+	@Override
+	public Result<Void> updateDelegate(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(UPDATE_DELEGATE, Env.SUB|Env.ALWAYS);
+		try {	
+			Data<REQUEST> data = delgRequestDF.newData().load(req.getInputStream());
+			if(Question.willSpecialLog(trans, trans.user())) {
+				Question.logEncryptTrace(trans,data.asString());
+			}
+
+			return service.updateDelegate(trans, data.asObject());
+		} catch (Exception e) {
+			trans.error().log(e,IN,UPDATE_DELEGATE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+	
+	@Override
+	public Result<Void> deleteDelegate(AuthzTrans trans,  HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(DELETE_DELEGATE, Env.SUB|Env.ALWAYS);
+		try {
+			Data<REQUEST> data = delgRequestDF.newData().load(req.getInputStream());
+			if(Question.willSpecialLog(trans, trans.user())) {
+				Question.logEncryptTrace(trans,data.asString());
+			}
+
+			return service.deleteDelegate(trans, data.asObject());
+		} catch (Exception e) {
+			trans.error().log(e,IN,DELETE_DELEGATE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+	
+	@Override
+	public Result<Void> deleteDelegate(AuthzTrans trans, String userName) {
+		TimeTaken tt = trans.start(DELETE_DELEGATE + ' ' + userName, Env.SUB|Env.ALWAYS);
+		try {
+			return service.deleteDelegate(trans, userName);
+		} catch (Exception e) {
+			trans.error().log(e,IN,DELETE_DELEGATE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+	
+	@Override
+	public Result<Void> getDelegatesByUser(AuthzTrans trans, String user, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(GET_DELEGATE_USER, Env.SUB|Env.ALWAYS);
+		try {
+			Result<DELGS> rd = service.getDelegatesByUser(trans, user);
+			
+			switch(rd.status) {
+				case OK: 
+					RosettaData<DELGS> data = delgDF.newData(trans).load(rd.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+					setContentType(resp,delgDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rd);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_DELEGATE_USER);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	@Override
+	public Result<Void> getDelegatesByDelegate(AuthzTrans trans, String delegate, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(GET_DELEGATE_DELG, Env.SUB|Env.ALWAYS);
+		try {
+			Result<DELGS> rd = service.getDelegatesByDelegate(trans, delegate);
+			switch(rd.status) {
+				case OK: 
+					RosettaData<DELGS> data = delgDF.newData(trans).load(rd.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+					setContentType(resp,delgDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rd);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_DELEGATE_DELG);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	private static final String REQUEST_USER_ROLE = "createUserRole";
+	private static final String GET_USERROLES = "getUserRoles";
+	private static final String GET_USERROLES_BY_ROLE = "getUserRolesByRole";
+	private static final String GET_USERROLES_BY_USER = "getUserRolesByUser";
+	private static final String SET_ROLES_FOR_USER = "setRolesForUser";
+	private static final String SET_USERS_FOR_ROLE = "setUsersForRole";
+	private static final String EXTEND_USER_ROLE = "extendUserRole";
+	private static final String DELETE_USER_ROLE = "deleteUserRole";
+	@Override
+	public Result<Void> requestUserRole(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(REQUEST_USER_ROLE, Env.SUB|Env.ALWAYS);
+		try {
+			REQUEST request;
+			try {
+				Data<REQUEST> data = userRoleRequestDF.newData().load(req.getInputStream());
+				if(Question.willSpecialLog(trans, trans.user())) {
+					Question.logEncryptTrace(trans,data.asString());
+				}
+
+				request = data.asObject();
+			} catch(APIException e) {
+				return Result.err(Status.ERR_BadData,"Invalid Input");
+			}
+			
+			Result<Void> rp = service.createUserRole(trans,request);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,permsDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,REQUEST_USER_ROLE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+	
+	@Override
+	public Result<Void> getUserInRole(AuthzTrans trans, HttpServletResponse resp, String user, String role) {
+		TimeTaken tt = trans.start(GET_USERROLES + ' ' + user + '|' + role, Env.SUB|Env.ALWAYS);
+		try {
+			Result<USERS> ru = service.getUserInRole(trans,user,role);
+			switch(ru.status) {
+				case OK: 
+					RosettaData<USERS> data = usersDF.newData(trans).load(ru.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+
+					data.to(resp.getOutputStream());
+					setContentType(resp,usersDF.getOutType());
+					setCacheControlOff(resp);
+					return Result.ok();
+				default:
+					return Result.err(ru);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_USERROLES);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+
+	}
+
+	@Override
+	public Result<Void> getUserRolesByUser(AuthzTrans trans, HttpServletResponse resp, String user) {
+		TimeTaken tt = trans.start(GET_USERROLES_BY_USER + ' ' + user, Env.SUB|Env.ALWAYS);
+		try {
+			Result<USERROLES> ru = service.getUserRolesByUser(trans,user);
+			switch(ru.status) {
+				case OK: 
+					RosettaData<USERROLES> data = userrolesDF.newData(trans).load(ru.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+
+					data.to(resp.getOutputStream());
+					setContentType(resp,usersDF.getOutType());
+					setCacheControlOff(resp);
+					return Result.ok();
+				default:
+					return Result.err(ru);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_USERROLES_BY_USER);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+
+	}
+	
+	@Override
+	public Result<Void> getUserRolesByRole(AuthzTrans trans, HttpServletResponse resp, String role) {
+		TimeTaken tt = trans.start(GET_USERROLES_BY_ROLE + ' ' + role, Env.SUB|Env.ALWAYS);
+		try {
+			Result<USERROLES> ru = service.getUserRolesByRole(trans,role);
+			switch(ru.status) {
+				case OK: 
+					RosettaData<USERROLES> data = userrolesDF.newData(trans).load(ru.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+
+					data.to(resp.getOutputStream());
+					setContentType(resp,usersDF.getOutType());
+					setCacheControlOff(resp);
+					return Result.ok();
+				default:
+					return Result.err(ru);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_USERROLES_BY_ROLE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+
+	}
+	
+
+	@Override
+	public Result<Void> resetUsersForRole(AuthzTrans trans, HttpServletResponse resp, HttpServletRequest req) {
+		TimeTaken tt = trans.start(SET_USERS_FOR_ROLE, Env.SUB|Env.ALWAYS);
+		try {
+			REQUEST rreq;
+			try {
+				RosettaData<REQUEST> data = userRoleRequestDF.newData().load(req.getInputStream());
+				if(Question.willSpecialLog(trans, trans.user())) {
+					Question.logEncryptTrace(trans,data.asString());
+				}
+				rreq = data.asObject();
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN, SET_USERS_FOR_ROLE);
+				return Result.err(Status.ERR_BadData,"Invalid Input");
+			}
+			
+			Result<Void> rp = service.resetUsersForRole(trans, rreq);
+			
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,permsDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,SET_USERS_FOR_ROLE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+		
+	}
+
+	@Override
+	public Result<Void> resetRolesForUser(AuthzTrans trans, HttpServletResponse resp, HttpServletRequest req) {
+		TimeTaken tt = trans.start(SET_ROLES_FOR_USER, Env.SUB|Env.ALWAYS);
+		try {
+			REQUEST rreq;
+			try {
+				RosettaData<REQUEST> data = userRoleRequestDF.newData().load(req.getInputStream());
+				if(Question.willSpecialLog(trans, trans.user())) {
+					Question.logEncryptTrace(trans,data.asString());
+				}
+
+				rreq = data.asObject();
+			} catch(APIException e) {
+				trans.error().log("Invalid Input",IN, SET_ROLES_FOR_USER);
+				return Result.err(Status.ERR_BadData,"Invalid Input");
+			}
+			
+			Result<Void> rp = service.resetRolesForUser(trans, rreq);
+			
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,permsDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,SET_ROLES_FOR_USER);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#extendUserRoleExpiration(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, java.lang.String, java.lang.String)
+	 */
+	@Override
+	public Result<Void> extendUserRoleExpiration(AuthzTrans trans, HttpServletResponse resp, String user, String role) {
+		TimeTaken tt = trans.start(EXTEND_USER_ROLE + ' ' + user + ' ' + role, Env.SUB|Env.ALWAYS);
+		try {
+			return service.extendUserRole(trans,user,role);
+		} catch (Exception e) {
+			trans.error().log(e,IN,EXTEND_USER_ROLE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	@Override
+	public Result<Void> deleteUserRole(AuthzTrans trans, HttpServletResponse resp, String user, String role) {
+		TimeTaken tt = trans.start(DELETE_USER_ROLE + ' ' + user + ' ' + role, Env.SUB|Env.ALWAYS);
+		try {
+			Result<Void> rp = service.deleteUserRole(trans,user,role);
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,permsDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,DELETE_USER_ROLE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	private static final String UPDATE_APPROVAL = "updateApproval";
+	private static final String GET_APPROVALS_BY_USER = "getApprovalsByUser.";
+	private static final String GET_APPROVALS_BY_TICKET = "getApprovalsByTicket.";
+	private static final String GET_APPROVALS_BY_APPROVER = "getApprovalsByApprover.";
+	
+	@Override
+	public Result<Void> updateApproval(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+		TimeTaken tt = trans.start(UPDATE_APPROVAL, Env.SUB|Env.ALWAYS);
+		try {
+			Data<APPROVALS> data = approvalDF.newData().load(req.getInputStream());
+			if(Question.willSpecialLog(trans, trans.user())) {
+				Question.logEncryptTrace(trans,data.asString());
+			}
+
+			Result<Void> rp = service.updateApproval(trans, data.asObject());
+			
+			switch(rp.status) {
+				case OK: 
+					setContentType(resp,approvalDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,UPDATE_APPROVAL);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+	
+	@Override
+	public Result<Void> getApprovalsByUser(AuthzTrans trans, HttpServletResponse resp, String user) {
+		TimeTaken tt = trans.start(GET_APPROVALS_BY_USER + ' ' + user, Env.SUB|Env.ALWAYS);
+		try {
+			Result<APPROVALS> rp = service.getApprovalsByUser(trans, user);
+			switch(rp.status) {
+				case OK: 
+					RosettaData<APPROVALS> data = approvalDF.newData(trans).load(rp.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+					data.to(resp.getOutputStream());
+					
+					setContentType(resp,permsDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_APPROVALS_BY_USER, user);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	@Override
+	public Result<Void> getApprovalsByApprover(AuthzTrans trans, HttpServletResponse resp, String approver) {
+		TimeTaken tt = trans.start(GET_APPROVALS_BY_APPROVER + ' ' + approver, Env.SUB|Env.ALWAYS);
+		try {
+			Result<APPROVALS> rp = service.getApprovalsByApprover(trans, approver);
+			switch(rp.status) {
+				case OK: 
+					RosettaData<APPROVALS> data = approvalDF.newData(trans).load(rp.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+
+					data.to(resp.getOutputStream());
+					setContentType(resp,permsDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_APPROVALS_BY_APPROVER,approver);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	@Override
+	public Result<Void> getApprovalsByTicket(AuthzTrans trans, HttpServletResponse resp, String ticket) {
+		TimeTaken tt = trans.start(GET_APPROVALS_BY_TICKET, Env.SUB|Env.ALWAYS);
+		try {
+			Result<APPROVALS> rp = service.getApprovalsByTicket(trans, ticket);
+			switch(rp.status) {
+				case OK: 
+					RosettaData<APPROVALS> data = approvalDF.newData(trans).load(rp.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+
+					data.to(resp.getOutputStream());
+					setContentType(resp,permsDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rp);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_APPROVALS_BY_TICKET);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+
+	
+	public static final String GET_USERS_PERMISSION = "getUsersByPermission";
+	public static final String GET_USERS_ROLE = "getUsersByRole";
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getUsersByRole(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	@Override
+	public Result<Void> getUsersByRole(AuthzTrans trans, HttpServletResponse resp, String role) {
+		TimeTaken tt = trans.start(GET_USERS_ROLE + ' ' + role, Env.SUB|Env.ALWAYS);
+		try {
+			Result<USERS> ru = service.getUsersByRole(trans,role);
+			switch(ru.status) {
+				case OK: 
+					RosettaData<USERS> data = usersDF.newData(trans).load(ru.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+
+					data.to(resp.getOutputStream());
+					setContentType(resp,usersDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(ru);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_USERS_ROLE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getUsersByPermission(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String, java.lang.String, java.lang.String)
+	 */
+	@Override
+	public Result<Void> getUsersByPermission(AuthzTrans trans, HttpServletResponse resp, 
+			String type, String instance, String action) {
+		TimeTaken tt = trans.start(GET_USERS_PERMISSION + ' ' + type + ' ' + instance + ' ' +action, Env.SUB|Env.ALWAYS);
+		try {
+			Result<USERS> ru = service.getUsersByPermission(trans,type,instance,action);
+			switch(ru.status) {
+				case OK: 
+					RosettaData<USERS> data = usersDF.newData(trans).load(ru.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+
+					data.to(resp.getOutputStream());
+					setContentType(resp,usersDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(ru);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_USERS_PERMISSION);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	
+	public static final String GET_HISTORY_USER = "getHistoryByUser";
+	public static final String GET_HISTORY_ROLE = "getHistoryByRole";
+	public static final String GET_HISTORY_PERM = "getHistoryByPerm";
+	public static final String GET_HISTORY_NS = "getHistoryByNS";
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getHistoryByUser(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+	 */
+	@Override
+	public Result<Void> getHistoryByUser(AuthzTrans trans, HttpServletResponse resp, String user, int[] yyyymm, final int sort) {
+		StringBuilder sb = new StringBuilder();
+		sb.append(GET_HISTORY_USER);
+		sb.append(' ');
+		sb.append(user);
+		sb.append(" for ");
+		boolean first = true;
+		for(int i : yyyymm) {
+			if(first) {
+			    first = false;
+			} else {
+			    sb.append(',');
+			}
+			sb.append(i);
+		}
+		TimeTaken tt = trans.start(sb.toString(), Env.SUB|Env.ALWAYS);
+
+		try {
+			Result<HISTORY> rh = service.getHistoryByUser(trans,user,yyyymm,sort);
+			switch(rh.status) {
+				case OK: 
+					RosettaData<HISTORY> data = historyDF.newData(trans).load(rh.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+
+					data.to(resp.getOutputStream());
+					setContentType(resp,historyDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rh);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_HISTORY_USER);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getHistoryByRole(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String, int[])
+	 */
+	@Override
+	public Result<Void> getHistoryByRole(AuthzTrans trans, HttpServletResponse resp, String role, int[] yyyymm, final int sort) {
+		StringBuilder sb = new StringBuilder();
+		sb.append(GET_HISTORY_ROLE);
+		sb.append(' ');
+		sb.append(role);
+		sb.append(" for ");
+		boolean first = true;
+		for(int i : yyyymm) {
+			if(first) {
+			    first = false;
+			} else {
+			    sb.append(',');
+			}
+			sb.append(i);
+		}
+		TimeTaken tt = trans.start(sb.toString(), Env.SUB|Env.ALWAYS);
+		try {
+			Result<HISTORY> rh = service.getHistoryByRole(trans,role,yyyymm,sort);
+			switch(rh.status) {
+				case OK: 
+					RosettaData<HISTORY> data = historyDF.newData(trans).load(rh.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+
+					data.to(resp.getOutputStream());
+					setContentType(resp,historyDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rh);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_HISTORY_ROLE);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getHistoryByNS(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String, int[])
+	 */
+	@Override
+	public Result<Void> getHistoryByNS(AuthzTrans trans, HttpServletResponse resp, String ns, int[] yyyymm, final int sort) {
+		StringBuilder sb = new StringBuilder();
+		sb.append(GET_HISTORY_NS);
+		sb.append(' ');
+		sb.append(ns);
+		sb.append(" for ");
+		boolean first = true;
+		for(int i : yyyymm) {
+			if(first) {
+			    first = false;
+			} else {
+			    sb.append(',');
+			}
+			sb.append(i);
+		}
+		TimeTaken tt = trans.start(sb.toString(), Env.SUB|Env.ALWAYS);
+		try {
+			Result<HISTORY> rh = service.getHistoryByNS(trans,ns,yyyymm,sort);
+			switch(rh.status) {
+				case OK: 
+					RosettaData<HISTORY> data = historyDF.newData(trans).load(rh.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+
+					data.to(resp.getOutputStream());
+					setContentType(resp,historyDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rh);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_HISTORY_NS);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getHistoryByPerm(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String, int[])
+	 */
+	@Override
+	public Result<Void> getHistoryByPerm(AuthzTrans trans, HttpServletResponse resp, String perm, int[] yyyymm, final int sort) {
+		StringBuilder sb = new StringBuilder();
+		sb.append(GET_HISTORY_PERM);
+		sb.append(' ');
+		sb.append(perm);
+		sb.append(" for ");
+		boolean first = true;
+		for(int i : yyyymm) {
+			if(first) {
+			    first = false;
+			} else {
+			    sb.append(',');
+			}
+			sb.append(i);
+		}
+		TimeTaken tt = trans.start(sb.toString(), Env.SUB|Env.ALWAYS);
+		try {
+			Result<HISTORY> rh = service.getHistoryByPerm(trans,perm,yyyymm,sort);
+			switch(rh.status) {
+				case OK: 
+					RosettaData<HISTORY> data = historyDF.newData(trans).load(rh.value);
+					if(Question.willSpecialLog(trans, trans.user())) {
+						Question.logEncryptTrace(trans,data.asString());
+					}
+
+					data.to(resp.getOutputStream());
+					setContentType(resp,historyDF.getOutType());
+					return Result.ok();
+				default:
+					return Result.err(rh);
+			}
+		} catch (Exception e) {
+			trans.error().log(e,IN,GET_HISTORY_PERM);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	public final static String CACHE_CLEAR = "cacheClear "; 
+//	public final static String CACHE_VALIDATE = "validateCache";
+	
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#cacheClear(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.String)
+	 */
+	@Override
+	public Result<Void> cacheClear(AuthzTrans trans, String cname) {
+		TimeTaken tt = trans.start(CACHE_CLEAR + cname, Env.SUB|Env.ALWAYS);
+		try {
+			return service.cacheClear(trans,cname);
+		} catch (Exception e) {
+			trans.error().log(e,IN,CACHE_CLEAR);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+ * @see com.att.authz.facade.AuthzFacade#cacheClear(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.String, java.lang.Integer)
+ */
+	@Override
+	public Result<Void> cacheClear(AuthzTrans trans, String cname,	String segments) {
+		TimeTaken tt = trans.start(CACHE_CLEAR + cname + ", segments[" + segments + ']', Env.SUB|Env.ALWAYS);
+		try {
+			String[] segs = segments.split("\\s*,\\s*");
+			int isegs[] = new int[segs.length];
+			for(int i=0;i<segs.length;++i) {
+				try {
+					isegs[i] = Integer.parseInt(segs[i]);
+				} catch(NumberFormatException nfe) {
+					isegs[i] = -1;
+				}
+			}
+			return service.cacheClear(trans,cname, isegs);
+		} catch (Exception e) {
+			trans.error().log(e,IN,CACHE_CLEAR);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#dbReset(org.onap.aaf.auth.env.test.AuthzTrans)
+	 */
+	@Override
+	public void dbReset(AuthzTrans trans) {
+		service.dbReset(trans);
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getAPI(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse)
+	 */
+	public final static String API_REPORT = "apiReport";
+	@Override
+	public Result<Void> getAPI(AuthzTrans trans, HttpServletResponse resp, RServlet<AuthzTrans> rservlet) {
+		TimeTaken tt = trans.start(API_REPORT, Env.SUB);
+		try {
+			Api api = new Api();
+			Api.Route ar;
+			Method[] meths = AuthzCassServiceImpl.class.getDeclaredMethods();
+			for(RouteReport rr : rservlet.routeReport()) {
+				api.getRoute().add(ar = new Api.Route());
+				ar.setMeth(rr.meth.name());
+				ar.setPath(rr.path);
+				ar.setDesc(rr.desc);
+				ar.getContentType().addAll(rr.contextTypes);
+				for(Method m : meths) {
+					ApiDoc ad;
+					if((ad = m.getAnnotation(ApiDoc.class))!=null &&
+							rr.meth.equals(ad.method()) &&
+						    rr.path.equals(ad.path())) {
+						for(String param : ad.params()) {
+							ar.getParam().add(param);
+						}
+						for(String text : ad.text()) {
+							ar.getComments().add(text);
+						}
+						ar.setExpected(ad.expectedCode());
+						for(int ec : ad.errorCodes()) {
+							ar.getExplicitErr().add(ec);
+						}
+					}
+				}
+			}
+			RosettaData<Api> data = apiDF.newData(trans).load(api);
+			if(Question.willSpecialLog(trans, trans.user())) {
+				Question.logEncryptTrace(trans,data.asString());
+			}
+
+			data.to(resp.getOutputStream());
+			setContentType(resp,apiDF.getOutType());
+			return Result.ok();
+
+		} catch (Exception e) {
+			trans.error().log(e,IN,API_REPORT);
+			return Result.err(e);
+		} finally {
+			tt.done();
+		}
+	}
+	
+
+	public final static String API_EXAMPLE = "apiExample";
+
+	/* (non-Javadoc)
+	 * @see com.att.authz.facade.AuthzFacade#getAPIExample(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	@Override
+	public Result<Void> getAPIExample(AuthzTrans trans, HttpServletResponse resp, String nameOrContentType, boolean optional) {
+		TimeTaken tt = trans.start(API_EXAMPLE, Env.SUB);
+		try {
+			String content =Examples.print(apiDF.getEnv(), nameOrContentType, optional); 
+			resp.getOutputStream().print(content);
+			setContentType(resp,content.contains("<?xml")?TYPE.XML:TYPE.JSON);
+			return Result.ok();
+		} catch (Exception e) {
+			trans.error().log(e,IN,API_EXAMPLE);
+			return Result.err(Status.ERR_NotImplemented,e.getMessage());
+		} finally {
+			tt.done();
+		}
+	}
+
+}
+\ No newline at end of file
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacade_2_0.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacade_2_0.java
new file mode 100644
index 00000000..d6bbc378
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacade_2_0.java
@@ -0,0 +1,63 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service.facade;
+
+import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.auth.service.AuthzService;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Data;
+
+import aaf.v2_0.Approvals;
+import aaf.v2_0.Certs;
+import aaf.v2_0.Delgs;
+import aaf.v2_0.Error;
+import aaf.v2_0.History;
+import aaf.v2_0.Keys;
+import aaf.v2_0.Nss;
+import aaf.v2_0.Perms;
+import aaf.v2_0.Pkey;
+import aaf.v2_0.Request;
+import aaf.v2_0.Roles;
+import aaf.v2_0.UserRoles;
+import aaf.v2_0.Users;
+
+public class AuthzFacade_2_0 extends AuthzFacadeImpl<
+	Nss,
+	Perms,
+	Pkey,
+	Roles,
+	Users,
+	UserRoles,
+	Delgs,
+	Certs,
+	Keys,
+	Request,
+	History,
+	Error,
+	Approvals>
+{
+	public AuthzFacade_2_0(AuthzEnv env,
+			AuthzService<Nss, Perms, Pkey, Roles, Users, UserRoles, Delgs, Certs, Keys, Request, History, Error, Approvals> service,
+			Data.TYPE type) throws APIException {
+		super(env, service, type);
+	}
+}
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper.java
new file mode 100644
index 00000000..e7cedf96
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper.java
@@ -0,0 +1,123 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service.mapper;
+
+import java.util.Collection;
+import java.util.List;
+
+import org.onap.aaf.auth.dao.Bytification;
+import org.onap.aaf.auth.dao.cass.ApprovalDAO;
+import org.onap.aaf.auth.dao.cass.CertDAO;
+import org.onap.aaf.auth.dao.cass.CredDAO;
+import org.onap.aaf.auth.dao.cass.DelegateDAO;
+import org.onap.aaf.auth.dao.cass.FutureDAO;
+import org.onap.aaf.auth.dao.cass.HistoryDAO;
+import org.onap.aaf.auth.dao.cass.Namespace;
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.dao.cass.UserRoleDAO;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.service.MayChange;
+import org.onap.aaf.misc.rosetta.Marshal;
+
+public interface Mapper<
+	NSS,
+	PERMS,
+	PERMKEY,
+	ROLES,
+	USERS,
+	USERROLES,
+	DELGS,
+	CERTS,
+	KEYS,
+	REQUEST,
+	HISTORY,
+	ERROR,
+	APPROVALS>
+{
+	enum API{NSS,NS_REQ,	
+			 PERMS,PERM_KEY,PERM_REQ,
+			 ROLES,ROLE,ROLE_REQ,ROLE_PERM_REQ,
+			 USERS,USER_ROLE_REQ,USER_ROLES,
+			 CRED_REQ,CERTS,
+			 APPROVALS,
+			 DELGS,DELG_REQ,
+			 KEYS,
+			 HISTORY,
+			 ERROR,
+			 API,
+			 VOID};
+	public Class<?> getClass(API api);
+	public<A> Marshal<A> getMarshal(API api);
+	public<A> A newInstance(API api);
+
+	public Result<PermDAO.Data> permkey(AuthzTrans trans, PERMKEY from);
+	public Result<PermDAO.Data> perm(AuthzTrans trans, REQUEST from);
+	public Result<RoleDAO.Data> role(AuthzTrans trans, REQUEST from);
+	public Result<Namespace> ns(AuthzTrans trans, REQUEST from);
+	public Result<CredDAO.Data> cred(AuthzTrans trans, REQUEST from, boolean requiresPass);
+	public Result<USERS> cred(List<CredDAO.Data> lcred, USERS to);
+	public Result<CERTS> cert(List<CertDAO.Data> lcert, CERTS to);
+	public Result<DelegateDAO.Data> delegate(AuthzTrans trans, REQUEST from);
+	public Result<DELGS> delegate(List<DelegateDAO.Data> lDelg);
+	public Result<APPROVALS> approvals(List<ApprovalDAO.Data> lAppr);
+	public Result<List<ApprovalDAO.Data>> approvals(APPROVALS apprs);
+	public Result<List<PermDAO.Data>> perms(AuthzTrans trans, PERMS perms);
+	
+	public Result<UserRoleDAO.Data> userRole(AuthzTrans trans, REQUEST from);
+	public Result<PermDAO.Data> permFromRPRequest(AuthzTrans trans, REQUEST from);
+	public REQUEST ungrantRequest(AuthzTrans trans, String role, String type, String instance, String action);
+	public Result<RoleDAO.Data> roleFromRPRequest(AuthzTrans trans, REQUEST from);
+	
+	/*
+	 * Check Requests of varying sorts for Future fields set
+	 */
+	public Result<FutureDAO.Data> future(AuthzTrans trans, String table, REQUEST from, Bytification content, boolean enableApproval, Memo memo, MayChange mc);
+
+	public Result<NSS> nss(AuthzTrans trans, Namespace from, NSS to);
+
+	// Note: Prevalidate if NS given is allowed to be seen before calling
+	public Result<NSS> nss(AuthzTrans trans, Collection<Namespace> from, NSS to);
+//	public Result<NSS> ns_attrib(AuthzTrans trans, Set<String> from, NSS to);
+	public Result<PERMS> perms(AuthzTrans trans, List<PermDAO.Data> from, PERMS to, boolean filter);
+	public Result<PERMS> perms(AuthzTrans trans, List<PermDAO.Data> from, PERMS to, String[] scopes, boolean filter);
+	public Result<ROLES> roles(AuthzTrans trans, List<RoleDAO.Data> from, ROLES roles, boolean filter);
+	// Note: Prevalidate if NS given is allowed to be seen before calling
+	public Result<USERS> users(AuthzTrans trans, Collection<UserRoleDAO.Data> from, USERS to);
+	public Result<USERROLES> userRoles(AuthzTrans trans, Collection<UserRoleDAO.Data> from, USERROLES to);
+	public Result<KEYS> keys(Collection<String> from);
+
+	public Result<HISTORY> history(AuthzTrans trans, List<HistoryDAO.Data> history, final int sort);
+	
+	public ERROR errorFromMessage(StringBuilder holder, String msgID, String text, String... detail);
+	
+	/*
+	 * A Memo Creator... Use to avoid creating superfluous Strings until needed.
+	 */
+	public static interface Memo {
+		public String get();
+	}
+
+
+
+}
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java
new file mode 100644
index 00000000..8b96172f
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java
@@ -0,0 +1,875 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service.mapper;
+
+import java.nio.ByteBuffer;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.Date;
+import java.util.GregorianCalendar;
+import java.util.List;
+import java.util.UUID;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+
+import org.onap.aaf.auth.dao.Bytification;
+import org.onap.aaf.auth.dao.cass.ApprovalDAO;
+import org.onap.aaf.auth.dao.cass.CertDAO;
+import org.onap.aaf.auth.dao.cass.CredDAO;
+import org.onap.aaf.auth.dao.cass.DelegateDAO;
+import org.onap.aaf.auth.dao.cass.FutureDAO;
+import org.onap.aaf.auth.dao.cass.HistoryDAO;
+import org.onap.aaf.auth.dao.cass.Namespace;
+import org.onap.aaf.auth.dao.cass.NsSplit;
+import org.onap.aaf.auth.dao.cass.NsType;
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.dao.cass.Status;
+import org.onap.aaf.auth.dao.cass.UserRoleDAO;
+import org.onap.aaf.auth.dao.cass.DelegateDAO.Data;
+import org.onap.aaf.auth.dao.hl.Question;
+import org.onap.aaf.auth.dao.hl.Question.Access;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.env.AuthzTrans.REQD_TYPE;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.auth.org.Organization.Expiration;
+import org.onap.aaf.auth.rserv.Pair;
+import org.onap.aaf.auth.service.MayChange;
+import org.onap.aaf.cadi.aaf.marshal.CertsMarshal;
+import org.onap.aaf.cadi.util.Vars;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.util.Chrono;
+import org.onap.aaf.misc.rosetta.Marshal;
+
+import aaf.v2_0.Api;
+import aaf.v2_0.Approval;
+import aaf.v2_0.Approvals;
+import aaf.v2_0.Certs;
+import aaf.v2_0.Certs.Cert;
+import aaf.v2_0.CredRequest;
+import aaf.v2_0.Delg;
+import aaf.v2_0.DelgRequest;
+import aaf.v2_0.Delgs;
+import aaf.v2_0.Error;
+import aaf.v2_0.History;
+import aaf.v2_0.History.Item;
+import aaf.v2_0.Keys;
+import aaf.v2_0.NsRequest;
+import aaf.v2_0.Nss;
+import aaf.v2_0.Nss.Ns;
+import aaf.v2_0.Perm;
+import aaf.v2_0.PermKey;
+import aaf.v2_0.PermRequest;
+import aaf.v2_0.Perms;
+import aaf.v2_0.Pkey;
+import aaf.v2_0.Request;
+import aaf.v2_0.Role;
+import aaf.v2_0.RolePermRequest;
+import aaf.v2_0.RoleRequest;
+import aaf.v2_0.Roles;
+import aaf.v2_0.UserRole;
+import aaf.v2_0.UserRoleRequest;
+import aaf.v2_0.UserRoles;
+import aaf.v2_0.Users;
+import aaf.v2_0.Users.User;
+
+public class Mapper_2_0 implements Mapper<Nss, Perms, Pkey, Roles, Users, UserRoles, Delgs, Certs, Keys, Request, History, Error, Approvals> {
+	private Question q;
+
+	public Mapper_2_0(Question q) {
+		this.q = q;
+	}
+	
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.service.mapper.Mapper#ns(java.lang.Object, org.onap.aaf.auth.service.mapper.Mapper.Holder)
+	 */
+	@Override
+	public Result<Namespace> ns(AuthzTrans trans, Request base) {
+		NsRequest from = (NsRequest)base;
+		Namespace namespace = new Namespace();
+		namespace.name = from.getName();
+		namespace.admin = from.getAdmin();
+		namespace.owner = from.getResponsible();
+		namespace.description = from.getDescription();
+		trans.checkpoint(namespace.name, Env.ALWAYS);
+		
+		NsType nt = NsType.fromString(from.getType());
+		if(nt.equals(NsType.UNKNOWN)) {
+			String ns = namespace.name;
+			int count = 0;
+			for(int i=ns.indexOf('.');
+					i>=0;
+					i=ns.indexOf('.',i+1)) {
+				++count;
+			}
+			switch(count) {
+				case 0: nt = NsType.ROOT;break;
+				case 1: nt = NsType.COMPANY;break;
+				default: nt = NsType.APP;
+			}
+		}
+		namespace.type = nt.type;
+		
+		return Result.ok(namespace);
+	}
+
+	@Override
+	public Result<Nss> nss(AuthzTrans trans, Namespace from, Nss to) {
+		List<Ns> nss = to.getNs();
+		Ns ns = new Ns();
+		ns.setName(from.name);
+		if(from.admin!=null)ns.getAdmin().addAll(from.admin);
+		if(from.owner!=null)ns.getResponsible().addAll(from.owner);
+		if(from.attrib!=null) {
+			for(Pair<String,String> attrib : from.attrib) {
+				Ns.Attrib toAttrib = new Ns.Attrib();
+				toAttrib.setKey(attrib.x);
+				toAttrib.setValue(attrib.y);
+				ns.getAttrib().add(toAttrib);
+			}
+		}
+
+		ns.setDescription(from.description);
+		nss.add(ns);
+		return Result.ok(to);
+	}
+
+	/**
+	 * Note: Prevalidate if NS given is allowed to be seen before calling
+	 */
+	@Override
+	public Result<Nss> nss(AuthzTrans trans, Collection<Namespace> from, Nss to) {
+		List<Ns> nss = to.getNs();
+		for(Namespace nd : from) {
+			Ns ns = new Ns();
+			ns.setName(nd.name);
+			if(nd.admin!=null) {
+				ns.getAdmin().addAll(nd.admin);
+			}
+			if(nd.owner!=null) {
+				ns.getResponsible().addAll(nd.owner);
+			}
+			ns.setDescription(nd.description);
+			if(nd.attrib!=null) {
+				for(Pair<String,String> attrib : nd.attrib) {
+					Ns.Attrib toAttrib = new Ns.Attrib();
+					toAttrib.setKey(attrib.x);
+					toAttrib.setValue(attrib.y);
+					ns.getAttrib().add(toAttrib);
+				}
+			}
+
+			nss.add(ns);
+		}
+		return Result.ok(to);
+	}
+
+	@Override
+	public Result<Perms> perms(AuthzTrans trans, List<PermDAO.Data> from, Perms to, boolean filter) {
+		List<Perm> perms = to.getPerm();
+		final boolean addNS = trans.requested(REQD_TYPE.ns);
+		TimeTaken tt = trans.start("Filter Perms before return", Env.SUB);
+		try {
+			if(from!=null) {
+				for (PermDAO.Data data : from) {
+					if(!filter || q.mayUser(trans, trans.user(), data, Access.read).isOK()) {
+						Perm perm = new Perm();
+						perm.setType(data.fullType());
+						perm.setInstance(data.instance);
+						perm.setAction(data.action);
+						perm.setDescription(data.description);
+						if(addNS) {
+							perm.setNs(data.ns);
+						}
+						for(String role : data.roles(false)) {
+							perm.getRoles().add(role);
+						}
+						perms.add(perm);
+					}
+				}
+			}
+		} finally {
+			tt.done();
+		}
+		 
+		tt = trans.start("Sort Perms", Env.SUB);
+		try {
+			Collections.sort(perms, new Comparator<Perm>() {
+				@Override
+				public int compare(Perm perm1, Perm perm2) {
+					int typeCompare = perm1.getType().compareToIgnoreCase(perm2.getType());
+					if (typeCompare == 0) {
+						int instanceCompare = perm1.getInstance().compareToIgnoreCase(perm2.getInstance());
+						if (instanceCompare == 0) {
+							return perm1.getAction().compareToIgnoreCase(perm2.getAction());
+						}
+						return instanceCompare;
+					}
+					return typeCompare;
+				}	
+			});
+		} finally {
+			tt.done();
+		}
+		return Result.ok(to);
+	}
+	
+	@Override
+	public Result<Perms> perms(AuthzTrans trans, List<PermDAO.Data> from, Perms to, String[] nss, boolean filter) {
+		List<Perm> perms = to.getPerm();
+		TimeTaken tt = trans.start("Filter Perms before return", Env.SUB);
+		try {
+			if(from!=null) {
+				boolean inNSS;
+				for (PermDAO.Data data : from) {
+					inNSS=false;
+					for(int i=0;!inNSS && i<nss.length;++i) {
+						if(nss[i].equals(data.ns)) {
+							inNSS=true;
+						}
+					}
+					if(inNSS && (!filter || q.mayUser(trans, trans.user(), data, Access.read).isOK())) {
+						Perm perm = new Perm();
+						perm.setType(data.fullType());
+						perm.setInstance(data.instance);
+						perm.setAction(data.action);
+						for(String role : data.roles(false)) {
+							perm.getRoles().add(role);
+						}
+						perm.setDescription(data.description);
+						perms.add(perm);
+					}
+				}
+			}
+		} finally {
+			tt.done();
+		}
+		 
+		tt = trans.start("Sort Perms", Env.SUB);
+		try {
+			Collections.sort(perms, new Comparator<Perm>() {
+				@Override
+				public int compare(Perm perm1, Perm perm2) {
+					int typeCompare = perm1.getType().compareToIgnoreCase(perm2.getType());
+					if (typeCompare == 0) {
+						int instanceCompare = perm1.getInstance().compareToIgnoreCase(perm2.getInstance());
+						if (instanceCompare == 0) {
+							return perm1.getAction().compareToIgnoreCase(perm2.getAction());
+						}
+						return instanceCompare;
+					}
+					return typeCompare;
+				}	
+			});
+		} finally {
+			tt.done();
+		}
+		return Result.ok(to);
+	}
+
+	@Override
+	public Result<List<PermDAO.Data>> perms(AuthzTrans trans, Perms perms) {
+		List<PermDAO.Data> lpd = new ArrayList<PermDAO.Data>();
+		for (Perm p : perms.getPerm()) {
+			Result<NsSplit> nss = q.deriveNsSplit(trans, p.getType());
+			PermDAO.Data pd = new PermDAO.Data();
+			if(nss.isOK()) { 
+				pd.ns=nss.value.ns;
+				pd.type = nss.value.name;
+				pd.instance = p.getInstance();
+				pd.action = p.getAction();
+				for (String role : p.getRoles()) {
+					pd.roles(true).add(role);
+				}
+				lpd.add(pd);
+			} else {
+				return Result.err(nss);
+			}
+		}
+		return Result.ok(lpd);
+	}
+
+	
+	@Override
+	public Result<PermDAO.Data> permkey(AuthzTrans trans, Pkey from) {
+		return q.permFrom(trans, from.getType(),from.getInstance(),from.getAction());
+	}
+	
+	@Override
+	public Result<PermDAO.Data> permFromRPRequest(AuthzTrans trans, Request req) {
+		RolePermRequest from = (RolePermRequest)req;
+		Pkey perm = from.getPerm();
+		if(perm==null)return Result.err(Status.ERR_NotFound, "Permission not found");
+		Result<NsSplit> nss = q.deriveNsSplit(trans, perm.getType());
+		PermDAO.Data pd = new PermDAO.Data();
+		if(nss.isOK()) { 
+			pd.ns=nss.value.ns;
+			pd.type = nss.value.name;
+			pd.instance = from.getPerm().getInstance();
+			pd.action = from.getPerm().getAction();
+			trans.checkpoint(pd.fullPerm(), Env.ALWAYS);
+			
+			String[] roles = {};
+			
+			if (from.getRole() != null) {
+				roles = from.getRole().split(",");
+			}
+			for (String role : roles) { 
+				pd.roles(true).add(role);
+			}
+			return Result.ok(pd);
+		} else {
+			return Result.err(nss);
+		}
+	}
+	
+	@Override
+	public Result<RoleDAO.Data> roleFromRPRequest(AuthzTrans trans, Request req) {
+		RolePermRequest from = (RolePermRequest)req;
+		Result<NsSplit> nss = q.deriveNsSplit(trans, from.getRole());
+		RoleDAO.Data rd = new RoleDAO.Data();
+		if(nss.isOK()) { 
+			rd.ns = nss.value.ns;
+			rd.name = nss.value.name;
+			trans.checkpoint(rd.fullName(), Env.ALWAYS);
+			return Result.ok(rd);
+		} else {
+			return Result.err(nss);
+		}
+	}
+	
+	@Override
+	public Result<PermDAO.Data> perm(AuthzTrans trans, Request req) {
+		PermRequest from = (PermRequest)req;
+		Result<NsSplit> nss = q.deriveNsSplit(trans, from.getType());
+		PermDAO.Data pd = new PermDAO.Data();
+		if(nss.isOK()) { 
+			pd.ns=nss.value.ns;
+			pd.type = nss.value.name;
+			pd.instance = from.getInstance();
+			pd.action = from.getAction();
+			pd.description = from.getDescription();
+			trans.checkpoint(pd.fullPerm(), Env.ALWAYS);
+			return Result.ok(pd);
+		} else {
+			return Result.err(nss);
+		}
+	}
+	
+	@Override
+	public Request ungrantRequest(AuthzTrans trans, String role, String type, String instance, String action) {
+		RolePermRequest rpr = new RolePermRequest();
+		Pkey pkey = new Pkey();
+		pkey.setType(type);
+		pkey.setInstance(instance);
+		pkey.setAction(action);
+		rpr.setPerm(pkey);
+		
+		rpr.setRole(role);
+		return rpr;
+	}
+
+	@Override
+	public Result<RoleDAO.Data> role(AuthzTrans trans, Request base) {
+		RoleRequest from = (RoleRequest)base;
+		Result<NsSplit> nss = q.deriveNsSplit(trans, from.getName());
+		if(nss.isOK()) {
+			RoleDAO.Data to = new RoleDAO.Data();
+			to.ns = nss.value.ns;
+			to.name = nss.value.name;
+			to.description = from.getDescription();
+			trans.checkpoint(to.fullName(), Env.ALWAYS);
+
+			return Result.ok(to);
+		} else {
+			return Result.err(nss);
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.service.mapper.Mapper#roles(java.util.List)
+	 */
+	@Override
+	public Result<Roles> roles(AuthzTrans trans, List<RoleDAO.Data> from, Roles to, boolean filter) {
+		final boolean needNS = trans.requested(REQD_TYPE.ns); 
+		for(RoleDAO.Data frole : from) {
+			// Only Add Data to view if User is allowed to see this Role 
+			//if(!filter || q.mayUserViewRole(trans, trans.user(), frole).isOK()) {
+			if(!filter || q.mayUser(trans, trans.user(), frole,Access.read).isOK()) {
+				Role role = new Role();
+				role.setName(frole.ns + '.' + frole.name);
+				role.setDescription(frole.description);
+				if(needNS) {
+					role.setNs(frole.ns);
+				}
+				for(String p : frole.perms(false)) { // can see any Perms in the Role he has permission for
+					Result<String[]> rpa = PermDAO.Data.decodeToArray(trans,q,p);
+					if(rpa.notOK()) return Result.err(rpa);
+					
+					String[] pa = rpa.value;
+					Pkey pKey = new Pkey();
+					pKey.setType(pa[0]+'.'+pa[1]);
+					pKey.setInstance(pa[2]);
+					pKey.setAction(pa[3]);
+					role.getPerms().add(pKey);
+				}
+				to.getRole().add(role);
+			}
+		}
+		return Result.ok(to);
+	}
+
+	/*
+	 * (non-Javadoc)
+	 * @see org.onap.aaf.auth.service.mapper.Mapper#users(java.util.Collection, java.lang.Object)
+	 * 
+	 * Note: Prevalidate all data for permission to view
+	 */
+	@Override
+	public Result<Users> users(AuthzTrans trans, Collection<UserRoleDAO.Data> from, Users to) {
+		List<User> cu = to.getUser();
+		for(UserRoleDAO.Data urd : from) {
+			User user = new User();
+			user.setId(urd.user);
+			if(urd.expires!=null) {
+				user.setExpires(Chrono.timeStamp(urd.expires));
+			}
+			cu.add(user);
+		}
+		return Result.ok(to);
+	}
+
+	/*
+	 * (non-Javadoc)
+	 * @see org.onap.aaf.auth.service.mapper.Mapper#users(java.util.Collection, java.lang.Object)
+	 * 
+	 * Note: Prevalidate all data for permission to view
+	 */
+	@Override
+	public Result<UserRoles> userRoles(AuthzTrans trans, Collection<UserRoleDAO.Data> from, UserRoles to) {
+		List<UserRole> cu = to.getUserRole();
+		for(UserRoleDAO.Data urd : from) {
+			UserRole ur = new UserRole();
+			ur.setUser(urd.user);
+			ur.setRole(urd.role);
+			ur.setExpires(Chrono.timeStamp(urd.expires));
+			cu.add(ur);
+		}
+		return Result.ok(to);
+	}
+
+	/**
+	 * 
+	 * @param base
+	 * @param start
+	 * @return
+	 */
+	@Override
+	public Result<UserRoleDAO.Data> userRole(AuthzTrans trans, Request base) {
+		try {
+			UserRoleRequest from = (UserRoleRequest)base;
+
+			// Setup UserRoleData, either for immediate placement, or for futureIt i
+			UserRoleDAO.Data to = new UserRoleDAO.Data();
+			if (from.getUser() != null) {
+				String user = from.getUser();
+				to.user = user;
+			}
+			if (from.getRole() != null) {
+				to.role(trans,q,from.getRole());
+			}
+			to.expires = getExpires(trans.org(),Expiration.UserInRole,base,from.getUser());
+			trans.checkpoint(to.toString(), Env.ALWAYS);
+
+			return Result.ok(to);
+		} catch (Exception t) {
+			return Result.err(Status.ERR_BadData,t.getMessage());
+		}
+	}
+
+	@Override
+	public Result<CredDAO.Data> cred(AuthzTrans trans, Request base, boolean requiresPass) {
+		CredRequest from = (CredRequest)base;
+		CredDAO.Data to = new CredDAO.Data();
+		to.id=from.getId();
+		to.ns = Question.domain2ns(to.id);
+		String passwd = from.getPassword();
+		if(requiresPass) {
+			String ok = trans.org().isValidPassword(trans, to.id,passwd);
+			if(ok.length()>0) {
+				return Result.err(Status.ERR_BadData,ok);
+			}
+
+		} else {
+			to.type=0;
+		}
+		if(passwd != null) {
+			to.cred = ByteBuffer.wrap(passwd.getBytes());
+			to.type = CredDAO.RAW; 
+		} else {
+			to.type = 0;
+		}
+		
+		// Note: Ensure requested EndDate created will match Organization Password Rules
+		//  P.S. Do not apply TempPassword rule here. Do that when you know you are doing a Create/Reset (see Service)
+		to.expires = getExpires(trans.org(),Expiration.Password,base,from.getId());
+		trans.checkpoint(to.id, Env.ALWAYS);
+
+		return Result.ok(to);
+	}
+	
+	@Override
+	public Result<Users> cred(List<CredDAO.Data> from, Users to) {
+		List<User> cu = to.getUser();
+		for(CredDAO.Data cred : from) {
+			User user = new User();
+			user.setId(cred.id);
+			user.setExpires(Chrono.timeStamp(cred.expires));
+			user.setType(cred.type);
+			cu.add(user);
+		}
+		return Result.ok(to);
+	}
+	
+	@Override
+	public Result<Certs> cert(List<CertDAO.Data> from, Certs to) {
+		List<Cert> lc = to.getCert();
+		for(CertDAO.Data fcred : from) {
+			Cert cert = new Cert();
+			cert.setId(fcred.id);
+			cert.setX500(fcred.x500);
+			/**TODO - change Interface 
+			 * @deprecated */
+			cert.setFingerprint(fcred.serial.toByteArray());
+			lc.add(cert);
+		}
+		return Result.ok(to);
+	}
+
+	/**
+	 * Analyze whether Requests should be acted on now, or in the future, based on Start Date, and whether the requester
+	 * is allowed to change this value directly
+	 * 
+	 * Returning Result.OK means it should be done in the future.
+	 * Returning Result.ACC_Now means to act on table change now.
+	 */
+	@Override
+	public Result<FutureDAO.Data> future(AuthzTrans trans, String table, Request from, 
+				Bytification content, boolean enableApproval,  Memo memo, MayChange mc) {
+		Result<?> rMayChange;
+		boolean needsAppr = enableApproval?trans.requested(REQD_TYPE.future):false; 
+		if(!needsAppr && (needsAppr = (rMayChange=mc.mayChange()).notOK())) {
+			if(enableApproval) {
+				if(!trans.requested(AuthzTrans.REQD_TYPE.future)) {
+					return Result.err(rMayChange);
+				}
+			} else {
+				return Result.err(rMayChange);
+			}
+		}
+		GregorianCalendar now = new GregorianCalendar(); 
+		GregorianCalendar start = from.getStart()==null?now:from.getStart().toGregorianCalendar();
+		
+		GregorianCalendar expires = trans.org().expiration(start, Expiration.Future);
+		XMLGregorianCalendar xgc;
+		if((xgc=from.getEnd())!=null) {
+			GregorianCalendar fgc = xgc.toGregorianCalendar();
+			expires = expires.before(fgc)?expires:fgc; // Min of desired expiration, and Org expiration
+		}
+		
+		//TODO needs two answers from this.  What's the NSS, and may Change.
+		FutureDAO.Data fto;
+		if(start.after(now) || needsAppr ) {
+			//String user = trans.user();
+			fto = new FutureDAO.Data();
+			fto.target=table;
+			fto.memo = memo.get();
+			fto.start = start.getTime();
+			fto.expires = expires.getTime();
+			if(needsAppr) { // Need to add Approvers...
+				/*
+				Result<Data> rslt = mc.getNsd();
+				if(rslt.notOKorIsEmpty())return Result.err(rslt);
+				appr.addAll(mc.getNsd().value.responsible);
+				try {
+					//Note from 2013 Is this getting Approvers for user only?  What about Delegates?
+					// 3/25/2014.  Approvers are set by Corporate policy.  We don't have to worry here about what that means.
+					// It is important to get Delegates, if necessary, at notification time
+					// If we add delegates now, it will get all confused as to who is actually responsible.
+					for(Organization.User ou : org.getApprovers(trans, user)) {
+						appr.add(ou.email);
+					}
+				} catch (Exception e) {
+					return Result.err(Status.ERR_Policy,org.getName() + " did not respond with Approvers: " + e.getLocalizedMessage());
+				}
+				*/
+			}
+			try {
+				fto.construct = content.bytify();
+			} catch (Exception e) {
+				return Result.err(Status.ERR_BadData,"Data cannot be saved for Future.");
+			}
+		} else {
+			return Result.err(Status.ACC_Now, "Make Data changes now.");
+		}
+		return Result.ok(fto);
+	}
+
+
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.service.mapper.Mapper#history(java.util.List)
+	 */
+	@Override
+	public Result<History> history(AuthzTrans trans, List<HistoryDAO.Data> history, final int sort) {
+		History hist = new History();
+		List<Item> items = hist.getItem();
+		for(HistoryDAO.Data data : history) {
+			History.Item item = new History.Item();
+			item.setYYYYMM(Integer.toString(data.yr_mon));
+			Date date = Chrono.uuidToDate(data.id);
+			item.setTimestamp(Chrono.timeStamp(date));
+			item.setAction(data.action);
+			item.setMemo(data.memo);
+			item.setSubject(data.subject);
+			item.setTarget(data.target);
+			item.setUser(data.user);
+			items.add(item);
+		}
+		
+		if(sort != 0) {
+			TimeTaken tt = trans.start("Sort ", Env.SUB);
+			try {
+				java.util.Collections.sort(items, new Comparator<Item>() {
+					@Override
+					public int compare(Item o1, Item o2) {
+						return sort*(o1.getTimestamp().compare(o2.getTimestamp()));
+					}
+				});
+			} finally {
+				tt.done();
+			}
+		}
+		return Result.ok(hist);
+	}
+
+	@Override
+	public Error errorFromMessage(StringBuilder holder, String msgID, String text, String... var) {
+		Error err = new Error();
+		err.setMessageId(msgID);
+		// AT&T Restful Error Format requires numbers "%" placements
+		err.setText(Vars.convert(holder, text, var));
+		for(String s : var) {
+			err.getVariables().add(s);
+		}
+		return err;
+	}
+	
+	@Override
+	public Class<?> getClass(API api) {
+		switch(api) {
+			case NSS:  return Nss.class;
+			case NS_REQ: return NsRequest.class;
+			case PERMS: return Perms.class;
+			case PERM_KEY: return PermKey.class;
+			case ROLES: return Roles.class;
+			case ROLE: return Role.class;
+			case USERS: return Users.class;
+			case DELGS: return Delgs.class;
+			case CERTS: return Certs.class;
+			case DELG_REQ: return DelgRequest.class;
+			case PERM_REQ: return PermRequest.class;
+			case ROLE_REQ:  return RoleRequest.class;
+			case CRED_REQ:  return CredRequest.class;
+			case USER_ROLE_REQ:  return UserRoleRequest.class;
+			case USER_ROLES: return UserRoles.class;
+			case ROLE_PERM_REQ:  return RolePermRequest.class;
+			case APPROVALS: return Approvals.class;
+			case KEYS: return Keys.class;
+			case HISTORY: return History.class;
+//			case MODEL: return Model.class;
+			case ERROR: return Error.class;
+			case API: return Api.class;
+			case VOID: return Void.class;
+		}
+		return null;
+	}
+
+	@SuppressWarnings("unchecked")
+	@Override
+	public <A> A newInstance(API api) {
+		switch(api) {
+			case NS_REQ: return (A) new NsRequest();
+			case NSS: return (A) new Nss();
+			case PERMS: return (A)new Perms();
+			case PERM_KEY: return (A)new PermKey();
+			case ROLES: return (A)new Roles();
+			case ROLE: return (A)new Role();
+			case USERS: return (A)new Users();
+			case DELGS: return (A)new Delgs();
+			case CERTS: return (A)new Certs();
+			case PERM_REQ: return (A)new PermRequest();
+			case CRED_REQ: return (A)new CredRequest();
+			case ROLE_REQ:  return (A)new RoleRequest();
+			case USER_ROLE_REQ:  return (A)new UserRoleRequest();
+			case USER_ROLES:  return (A)new UserRoles();
+			case ROLE_PERM_REQ:  return (A)new RolePermRequest();
+			case HISTORY: return (A)new History();
+			case KEYS: return (A)new Keys();
+			//case MODEL: return (A)new Model();
+			case ERROR: return (A)new Error();
+			case API: return (A)new Api();
+			case VOID: return null;
+			
+			case APPROVALS:	return (A) new Approvals();
+			case DELG_REQ: return (A) new DelgRequest();
+		}
+		return null;
+	}
+	
+	@SuppressWarnings("unchecked")
+	/**
+	 * Get Typed Marshaler as they are defined
+	 * 
+	 * @param api
+	 * @return
+	 */
+	public <A> Marshal<A> getMarshal(API api) {
+		switch(api) {
+			case CERTS: return (Marshal<A>) new CertsMarshal();
+			default:
+				return null;
+		}
+	}
+
+	@Override
+	public Result<Approvals> approvals(List<ApprovalDAO.Data> lAppr) {
+		Approvals apprs = new Approvals();
+		List<Approval> lappr = apprs.getApprovals();
+		Approval a;
+		for(ApprovalDAO.Data appr : lAppr) {
+			a = new Approval();
+			a.setId(appr.id.toString());
+			if(appr.ticket==null) {
+				a.setTicket(null);
+			} else {
+				a.setTicket(appr.ticket.toString());
+			}
+			a.setUser(appr.user);
+			a.setApprover(appr.approver);
+			a.setType(appr.type);
+			a.setStatus(appr.status);
+			a.setMemo(appr.memo);
+			a.setOperation(appr.operation);
+			a.setUpdated(Chrono.timeStamp(appr.updated));
+			lappr.add(a);
+		}
+		return Result.ok(apprs);
+	}
+	
+	@Override
+	public Result<List<ApprovalDAO.Data>> approvals(Approvals apprs) {
+		List<ApprovalDAO.Data>  lappr = new ArrayList<ApprovalDAO.Data>();
+		for(Approval a : apprs.getApprovals()) {
+			ApprovalDAO.Data ad = new ApprovalDAO.Data();
+			String str = a.getId();
+			if(str!=null)ad.id=UUID.fromString(str);
+			str = a.getTicket();
+			if(str!=null)ad.ticket=UUID.fromString(str);
+			ad.user=a.getUser();
+			ad.approver=a.getApprover();
+			ad.type=a.getType();
+			ad.status=a.getStatus();
+			ad.operation=a.getOperation();
+			ad.memo=a.getMemo();
+			
+			XMLGregorianCalendar xgc = a.getUpdated();
+			if(xgc!=null)ad.updated=xgc.toGregorianCalendar().getTime();
+			lappr.add(ad);
+		}
+		return Result.ok(lappr);
+	}
+
+	@Override
+	public Result<Delgs> delegate(List<DelegateDAO.Data> lDelg) {
+		Delgs delgs = new Delgs();
+		List<Delg> ldelg = delgs.getDelgs();
+		Delg d;
+		for(DelegateDAO.Data del: lDelg) {
+			d = new Delg();
+			d.setUser(del.user);
+			d.setDelegate(del.delegate);
+			if(del.expires!=null)d.setExpires(Chrono.timeStamp(del.expires));
+			ldelg.add(d);
+		}
+		return Result.ok(delgs);
+	}
+
+	@Override
+	public Result<Data> delegate(AuthzTrans trans, Request base) {
+		try {
+			DelgRequest from = (DelgRequest)base;
+			DelegateDAO.Data to = new DelegateDAO.Data();
+			String user = from.getUser();
+			to.user = user;
+			String delegate = from.getDelegate();
+			to.delegate = delegate;
+			to.expires = getExpires(trans.org(),Expiration.UserDelegate,base,from.getUser());
+			trans.checkpoint(to.user+"=>"+to.delegate, Env.ALWAYS);
+
+			return Result.ok(to);
+		} catch (Exception t) {
+			return Result.err(Status.ERR_BadData,t.getMessage());
+		}
+	}
+
+	/*
+	 * We want "Expired" dates to start at a specified time set by the Organization, and consistent wherever
+	 * the date is created from.
+	 */ 
+	private Date getExpires(Organization org, Expiration exp, Request base, String id) {
+		XMLGregorianCalendar end = base.getEnd();
+		GregorianCalendar gc = end==null?new GregorianCalendar():end.toGregorianCalendar();
+		GregorianCalendar orggc;
+		orggc = org.expiration(gc,exp,id); 
+
+		// We'll choose the lesser of dates to ensure Policy Compliance...
+	
+		GregorianCalendar endgc = end==null||gc.after(orggc)?orggc:gc;
+		// Allow the Organization to determine when official "day Start" begins, Specifically when to consider something Expired.
+		endgc = Chrono.firstMomentOfDay(endgc);
+		endgc.set(GregorianCalendar.HOUR_OF_DAY, org.startOfDay());
+		return endgc.getTime();
+	}
+
+
+	@Override
+	public Result<Keys> keys(Collection<String> from) {
+		Keys keys = new Keys();
+		keys.getKey().addAll(from);
+		return Result.ok(keys).emptyList(from.isEmpty());
+	}
+
+}
+\ No newline at end of file
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java
new file mode 100644
index 00000000..446bf46d
--- /dev/null
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java
@@ -0,0 +1,253 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.service.validation;
+
+import org.onap.aaf.auth.dao.cass.CredDAO;
+import org.onap.aaf.auth.dao.cass.DelegateDAO;
+import org.onap.aaf.auth.dao.cass.Namespace;
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.dao.cass.UserRoleDAO;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.auth.rserv.Pair;
+import org.onap.aaf.auth.validation.Validator;
+
+/**
+ * Validator
+ * Consistently apply content rules for content (incoming)
+ * 
+ * Note: We restrict content for usability in URLs (because RESTful service), and avoid 
+ * issues with Regular Expressions, and other enabling technologies. 
+ * @author Jonathan
+ *
+ */
+public class ServiceValidator extends Validator {
+	public ServiceValidator perm(Result<PermDAO.Data> rpd) {
+		if(rpd.notOK()) {
+			msg(rpd.details);
+		} else {
+			perm(rpd.value);
+		}
+		return this;
+	}
+
+
+	public ServiceValidator perm(PermDAO.Data pd) {
+		if(pd==null) {
+			msg("Perm Data is null.");
+		} else {
+			ns(pd.ns);
+			permType(pd.type,pd.ns);
+			permInstance(pd.instance);
+			permAction(pd.action);
+			if(pd.roles!=null) { 
+				for(String role : pd.roles) {
+					role(role);
+				}
+			}
+			if(pd.roles!=null) {
+				for(String r : pd.roles) {
+					role(r);
+				}
+			}
+			description("Perm",pd.description);
+		}
+		return this;
+	}
+
+	public ServiceValidator role(Result<RoleDAO.Data> rrd) {
+		if(rrd.notOK()) {
+			msg(rrd.details);
+		} else {
+			role(rrd.value);
+		}
+		return this;
+	}
+
+	public ServiceValidator role(RoleDAO.Data pd) {
+		if(pd==null) {
+			msg("Role Data is null.");
+		} else {
+			ns(pd.ns);
+			role(pd.name);
+			if(pd.perms!=null) {
+				for(String perm : pd.perms) {
+					String[] ps = perm.split("\\|");
+					if(ps.length!=3) {
+						msg("Perm [" + perm + "] in Role [" + pd.fullName() + "] is not correctly separated with '|'");
+					} else {
+						permType(ps[0],null);
+						permInstance(ps[1]);
+						permAction(ps[2]);
+					}
+				}
+			}
+			description("Role",pd.description);
+		}
+		return this;
+	}
+
+	public ServiceValidator delegate(Organization org, Result<DelegateDAO.Data> rdd) {
+		if(rdd.notOK()) {
+			msg(rdd.details);
+		} else {
+			delegate(org, rdd.value);
+		}
+		return this;
+	}
+
+	public ServiceValidator delegate(Organization org, DelegateDAO.Data dd) {
+		if(dd==null) {
+			msg("Delegate Data is null.");
+		} else {
+			user(org,dd.user);
+			user(org,dd.delegate);
+		}
+		return this;
+	}
+
+
+	public ServiceValidator cred(AuthzTrans trans, Organization org, Result<CredDAO.Data> rcd, boolean isNew) {
+		if(rcd.notOK()) {
+			msg(rcd.details);
+		} else {
+			cred(trans, org,rcd.value,isNew);
+		}
+		return this;
+	}
+
+	public ServiceValidator cred(AuthzTrans trans, Organization org, CredDAO.Data cd, boolean isNew) {
+		if(cd==null) {
+			msg("Cred Data is null.");
+		} else {
+			if(nob(cd.id,ID_CHARS)) {
+				msg("ID [" + cd.id + "] is invalid in " + org.getName());
+			}
+			if(!org.isValidCred(trans, cd.id)) {
+				msg("ID [" + cd.id + "] is invalid for a cred in " + org.getName());
+			}
+			String str = cd.id;
+			int idx = str.indexOf('@');
+			if(idx>0) {
+				str = str.substring(0,idx);
+			}
+			
+			if(cd.id.endsWith(org.getRealm())) {
+				if(isNew && (str=org.isValidID(trans, str)).length()>0) {
+					msg(cd.id,str);
+				}
+			}
+	
+			if(cd.type==null) {
+				msg("Credential Type must be set");
+			} else {
+				switch(cd.type) {
+					case CredDAO.BASIC_AUTH_SHA256:
+						// ok
+						break;
+					default:
+						msg("Credential Type [",Integer.toString(cd.type),"] is invalid");
+				}
+			}
+		}
+		return this;
+	}
+
+
+	public ServiceValidator user(Organization org, String user) {
+		if(nob(user,ID_CHARS)) {
+			msg("User [",user,"] is invalid.");
+		}
+		return this;
+	}
+
+	public ServiceValidator ns(Result<Namespace> nsd) {
+		notOK(nsd);
+		ns(nsd.value);
+		return this;
+	}
+
+	public ServiceValidator ns(Namespace ns) {
+		ns(ns.name);
+		for(String s : ns.admin) {
+			if(nob(s,ID_CHARS)) {
+				msg("Admin [" + s + "] is invalid.");		
+			}
+			
+		}
+		for(String s : ns.owner) {
+			if(nob(s,ID_CHARS)) {
+				msg("Responsible [" + s + "] is invalid.");		
+			}
+			
+		}
+		
+		if(ns.attrib!=null) {
+			for(Pair<String, String> at : ns.attrib) {
+				if(nob(at.x,NAME_CHARS)) {
+					msg("Attribute tag [" + at.x + "] is invalid.");
+				}
+				if(nob(at.x,NAME_CHARS)) {
+					msg("Attribute value [" + at.y + "] is invalid.");
+				}
+			}
+		}
+
+		description("Namespace",ns.description);
+		return this;
+	}
+
+	public ServiceValidator user_role(UserRoleDAO.Data urdd) {
+		if(urdd==null) {
+			msg("UserRole is null");
+		} else {
+			role(urdd.role);
+			nullOrBlank("UserRole.ns",urdd.ns);
+			nullOrBlank("UserRole.rname",urdd.rname);
+		}
+		return this;
+	}
+
+	public ServiceValidator nullOrBlank(PermDAO.Data pd) {
+		if(pd==null) {
+			msg("Permission is null");
+		} else {
+			nullOrBlank("NS",pd.ns).
+			nullOrBlank("Type",pd.type).
+			nullOrBlank("Instance",pd.instance).
+			nullOrBlank("Action",pd.action);
+		}
+		return this;
+	}
+
+	public ServiceValidator nullOrBlank(RoleDAO.Data rd) {
+		if(rd==null) {
+			msg("Role is null");
+		} else {
+			nullOrBlank("NS",rd.ns).
+			nullOrBlank("Name",rd.name);
+		}
+		return this;
+	}
+}
diff --git a/auth/auth-service/src/main/resources/docker-compose/.gitignore b/auth/auth-service/src/main/resources/docker-compose/.gitignore
new file mode 100644
index 00000000..fc7349f7
--- /dev/null
+++ b/auth/auth-service/src/main/resources/docker-compose/.gitignore
@@ -0,0 +1,2 @@
+/docker-compose.yml
+/startupaaf.sh
diff --git a/auth/auth-service/src/main/resources/docker-compose/data/.gitignore b/auth/auth-service/src/main/resources/docker-compose/data/.gitignore
new file mode 100644
index 00000000..41ab7536
--- /dev/null
+++ b/auth/auth-service/src/main/resources/docker-compose/data/.gitignore
@@ -0,0 +1,2 @@
+/identities.dat
+/identities.idx
diff --git a/auth/auth-service/src/main/resources/docker-compose/data/ecomp.cql b/auth/auth-service/src/main/resources/docker-compose/data/ecomp.cql
new file mode 100644
index 00000000..6fddf650
--- /dev/null
+++ b/auth/auth-service/src/main/resources/docker-compose/data/ecomp.cql
@@ -0,0 +1,169 @@
+USE authz;
+
+// Create Root pass
+INSERT INTO cred (id,ns,type,cred,expires)
+  VALUES ('dgl@openecomp.org','org.openecomp',1,0xab3831f27b39d7a039f9a92aa2bbfe51,'2020-12-31');
+
+INSERT INTO cred (id,ns,type,cred,expires)
+  VALUES ('m99751@dmaapBC.openecomp.org','org.openecomp.dmaapBC',1,0xab3831f27b39d7a039f9a92aa2bbfe51,'2020-12-31');
+
+INSERT INTO cred (id,ns,type,cred,expires)
+  VALUES ('m99501@dmaapBC.openecomp.org','org.openecomp.dmaapBC',1,0xab3831f27b39d7a039f9a92aa2bbfe51,'2020-12-31');
+
+
+// Create 'com' root NS
+INSERT INTO ns (name,scope,description,parent,type)
+  VALUES('com',1,'Root Namespace',null,1);
+
+INSERT INTO role(ns, name, perms, description)
+  VALUES('com','admin',{'com.access|*|*'},'Com Admins');
+
+INSERT INTO role(ns, name, perms, description)
+  VALUES('com','owner',{'com.access|*|read'},'Com Owners');
+
+INSERT INTO perm(ns, type, instance, action, roles, description) 
+  VALUES ('com','access','*','read',{'com.owner'},'Com Read Access');
+
+INSERT INTO perm(ns, type, instance, action, roles, description) 
+  VALUES ('com','access','*','*',{'com.admin'},'Com Write Access');
+
+INSERT INTO user_role(user,role,expires,ns,rname)
+  VALUES ('dgl@openecomp.org','com.owner','2020-12-31','com','owner');
+
+INSERT INTO user_role(user,role,expires,ns,rname)
+  VALUES ('dgl@openecomp.org','com.admin','2020-12-31','com','admin');
+
+// Create org root NS
+INSERT INTO ns (name,scope,description,parent,type)
+  VALUES('org',1,'Root Namespace Org',null,1);
+
+INSERT INTO ns (name,scope,description,parent,type)
+  VALUES('org.openecomp.dcae',3,'DCAE Namespace Org','org.openecomp',3);
+
+INSERT INTO ns (name,scope,description,parent,type)
+  VALUES('org.openecomp.dmaapBC',3,'DMaaP BC Namespace Org','org.openecomp',3);
+
+INSERT INTO role(ns, name, perms, description)
+  VALUES('org','admin',{'org.access|*|*'},'Com Admins');
+
+INSERT INTO role(ns, name, perms, description)
+  VALUES('org','owner',{'org.access|*|read'},'Com Owners');
+
+INSERT INTO perm(ns, type, instance, action, roles, description) 
+  VALUES ('org','access','*','read',{'org.owner'},'Com Read Access');
+
+INSERT INTO perm(ns, type, instance, action, roles, description) 
+  VALUES ('org','access','*','*',{'org.admin'},'Com Write Access');
+
+INSERT INTO user_role(user,role,expires,ns,rname)
+  VALUES ('dgl@openecomp.org','org.owner','2020-12-31','org','owner');
+
+INSERT INTO user_role(user,role,expires,ns,rname)
+  VALUES ('dgl@openecomp.org','org.admin','2020-12-31','org','admin');
+
+
+// Create com.att
+
+INSERT INTO ns (name,scope,description,parent,type)
+  VALUES('com.att',2,'AT&T Namespace','com',2);
+
+INSERT INTO role(ns, name, perms,description)
+  VALUES('com.att','admin',{'com.att.access|*|*'},'AT&T Admins');
+
+INSERT INTO role(ns, name, perms,description)
+  VALUES('com.att','owner',{'com.att.access|*|read'},'AT&T Owners');
+
+INSERT INTO perm(ns, type, instance, action, roles,description) 
+  VALUES ('com.att','access','*','read',{'com.att.owner'},'AT&T Read Access');
+
+INSERT INTO perm(ns, type, instance, action, roles,description) 
+  VALUES ('com.att','access','*','*',{'com.att.admin'},'AT&T Write Access');
+
+INSERT INTO user_role(user,role,expires,ns,rname)
+  VALUES ('dgl@openecomp.org','com.att.owner','2020-12-31','com.att','owner');
+
+INSERT INTO user_role(user,role,expires,ns,rname)
+  VALUES ('dgl@openecomp.org','com.att.admin','2020-12-31','com.att','admin');
+
+// Create com.att.aaf
+
+INSERT INTO ns (name,scope,description,parent,type)
+  VALUES('com.att.aaf',3,'Application Authorization Framework','com.att',3);
+
+INSERT INTO role(ns, name, perms, description)
+  VALUES('com.att.aaf','admin',{'com.att.aaf.access|*|*'},'AAF Admins');
+
+INSERT INTO role(ns, name, perms, description)
+  VALUES('com.att.aaf','owner',{'com.att.aaf.access|*|read'},'AAF Owners');
+
+INSERT INTO perm(ns, type, instance, action, roles, description) 
+  VALUES ('com.att.aaf','access','*','read',{'com.att.aaf.owner'},'AAF Read Access');
+
+INSERT INTO perm(ns, type, instance, action, roles, description) 
+  VALUES ('com.att.aaf','access','*','*',{'com.att.aaf.admin'},'AAF Write Access');
+
+INSERT INTO user_role(user,role,expires,ns,rname)
+  VALUES ('dgl@openecomp.org','com.att.aaf.admin','2020-12-31','com.att.aaf','admin');
+INSERT INTO user_role(user,role,expires,ns,rname)
+  VALUES ('dgl@openecomp.org','com.att.aaf.owner','2020-12-31','com.att.aaf','owner');
+  
+
+// Create org.openecomp
+INSERT INTO ns (name,scope,description,parent,type)
+  VALUES('org.openecomp',2,'Open EComp NS','com.att',2);
+
+INSERT INTO role(ns, name, perms, description)
+  VALUES('org.openecomp','admin',{'org.openecomp.access|*|*'},'OpenEcomp Admins');
+
+INSERT INTO role(ns, name, perms, description)
+  VALUES('org.openecomp','owner',{'org.openecomp.access|*|read'},'OpenEcomp Owners');
+
+INSERT INTO perm(ns, type, instance, action, roles, description) 
+  VALUES ('org.openecomp','access','*','read',{'org.openecomp.owner'},'OpenEcomp Read Access');
+
+INSERT INTO perm(ns, type, instance, action, roles, description) 
+  VALUES ('org.openecomp','access','*','*',{'org.openecomp.admin'},'OpenEcomp Write Access');
+
+INSERT INTO user_role(user,role,expires,ns,rname)
+  VALUES ('dgl@openecomp.org','org.openecomp.admin','2020-12-31','org.openecomp','admin');
+
+// Create org.openecomp.dmaapBC
+
+INSERT INTO ns (name,scope,description,parent,type)
+  VALUES('org.openecomp.dmaapBC',3,'Application Authorization Framework','org.openecomp',3);
+
+//INSERT INTO role(ns, name, perms, description)
+//  VALUES('org.openecomp.dmaapBC','admin',{'org.openecomp.dmaapBC.access|*|*'},'AAF Admins');
+
+INSERT INTO role(ns, name, perms, description) 
+VALUES('org.openecomp.dmaapBC','admin',{'org.openecomp.dmaapBC.access|*|*','org.openecomp.dmaapBC.topicFactory|:org.openecomp.dmaapBC.topic:org.openecomp.dmaapBC|create','org.openecomp.dmaapBC.mr.topic|:topic.org.openecomp.dmaapBC.newtopic|sub','org.openecomp.dmaapBC.mr.topic|:topic.org.openecomp.dmaapBC.newtopic|pub'},'AAF Admins');
+
+//INSERT INTO role(ns, name, perms, description) 
+//VALUES('org.openecomp.dmaapBC','admin',{'org.openecomp.dmaapBC.access|*|*','org.openecomp.dmaapBC.mr.topic|:topic.org.openecomp.dmaapBC.newtopic|sub'},'AAF Admins');
+
+//INSERT INTO role(ns, name, perms, description) 
+//VALUES('org.openecomp.dmaapBC','admin',{'org.openecomp.dmaapBC.access|*|*','org.openecomp.dmaapBC.mr.topic|:topic.org.openecomp.dmaapBC.newtopic|pub'},'AAF Admins');
+
+
+
+INSERT INTO role(ns, name, perms, description)
+  VALUES('org.openecomp.dmaapBC','owner',{'org.openecomp.dmaapBC.access|*|read'},'AAF Owners');
+
+INSERT INTO perm(ns, type, instance, action, roles, description) 
+  VALUES ('org.openecomp.dmaapBC','access','*','read',{'org.openecomp.dmaapBC.owner'},'AAF Read Access');
+
+INSERT INTO perm(ns, type, instance, action, roles, description) 
+  VALUES ('org.openecomp.dmaapBC','access','*','*',{'org.openecomp.dmaapBC.admin'},'AAF Write Access');
+
+INSERT INTO user_role(user,role,expires,ns,rname)
+  VALUES ('dgl@openecomp.org','org.openecomp.dmaapBC.admin','2020-12-31','org.openecomp.dmaapBC','admin');
+INSERT INTO user_role(user,role,expires,ns,rname)
+  VALUES ('dgl@openecomp.org','org.openecomp.dmaapBC.owner','2020-12-31','org.openecomp.dmaapBC','owner');
+INSERT INTO user_role(user,role,expires,ns,rname)
+  VALUES ('m99751@dmaapBC.openecomp.org','org.openecomp.dmaapBC.admin','2020-12-31','org.openecomp.dmaapBC','admin');
+INSERT INTO user_role(user,role,expires,ns,rname)
+  VALUES ('m99751@dmaapBC.openecomp.org','org.openecomp.dmaapBC.owner','2020-12-31','org.openecomp.dmaapBC','owner');
+INSERT INTO user_role(user,role,expires,ns,rname)
+  VALUES ('m99501@dmaapBC.openecomp.org','org.openecomp.dmaapBC.admin','2020-12-31','org.openecomp.dmaapBC','admin');
+INSERT INTO user_role(user,role,expires,ns,rname)
+  VALUES ('m99501@dmaapBC.openecomp.org','org.openecomp.dmaapBC.owner','2020-12-31','org.openecomp.dmaapBC','owner');
diff --git a/auth/auth-service/src/main/resources/docker-compose/data/init.cql b/auth/auth-service/src/main/resources/docker-compose/data/init.cql
new file mode 100644
index 00000000..81700f83
--- /dev/null
+++ b/auth/auth-service/src/main/resources/docker-compose/data/init.cql
@@ -0,0 +1,242 @@
+// For Developer Machine single instance
+//
+CREATE KEYSPACE authz
+WITH REPLICATION = {'class' : 'SimpleStrategy','replication_factor':1};
+// 
+// From Ravi, 6-17-2014.  User for DEVL->TEST
+//
+// CREATE KEYSPACE authz WITH replication = { 'class': 'NetworkTopologyStrategy', 'HYWRCA02': '2', 'BRHMALDC': '2' };
+// 
+// PROD
+// 
+// CREATE KEYSPACE authz WITH replication = {'class': 'NetworkTopologyStrategy','ALPSGACT': '2','STLSMORC': '2','BRHMALDC': '2' };
+//
+//  create user authz with password '<AUTHZ PASSWORD>' superuser;
+//  grant all on keyspace authz to authz;
+//
+// For TEST (aaf_test)
+// CREATE KEYSPACE authz WITH replication = { 'class': 'NetworkTopologyStrategy', 'BRHMALDC': '1' };
+//
+// DEVL
+// CREATE KEYSPACE authz WITH replication = {'class': 'NetworkTopologyStrategy','STLSMORC': '2' };
+//
+// TEST / PERF
+// CREATE KEYSPACE authz WITH replication = {'class': 'NetworkTopologyStrategy','STLSMORC': '3','KGMTNC20': '3' };
+//
+// IST
+// CREATE KEYSPACE authz WITH replication = {'class': 'NetworkTopologyStrategy','STLSMORC':'3',
+// 'DLLSTXCF':'3','KGMTNC20':'3','SFLDMIBB':'3','HYWRCA02':'3' };
+//
+// with 6 localized with ccm
+// CREATE KEYSPACE authz WITH replication = { 'class': 'NetworkTopologyStrategy', 'dc1': '2', 'dc2': '2' };
+// 
+
+USE authz;
+
+//
+// CORE Table function
+//
+
+// Namespace - establish hierarchical authority to modify
+// Permissions and Roles
+// "scope" is flag to determine Policy.  Typical important scope
+// is "company" (1)
+CREATE TABLE ns (
+  name			varchar,
+  scope			int,  // deprecated 2.0.11
+  description   	varchar,
+  parent 		varchar,
+  type			int,
+  PRIMARY KEY (name)  
+);
+CREATE INDEX ns_parent on ns(parent);
+  
+
+// Oct 2015, not performant.  Made Owner and Attrib first class Roles,
+// April, 2015.  Originally, the plan was to utilize Cassandra 2.1.2, however, other team's preferences were to remain at current levels.
+// Therefore, we are taking the separate table approach.  (coder Jeremiah Rohwedder)
+// We had dropped this by making first class objects of Responsible (Owner) and Admin.  We need this again to mark namespaces
+// as having certain tools, like SWM, etc.
+CREATE TABLE ns_attrib (
+  ns            varchar,
+  key           varchar,
+  value         varchar,
+  PRIMARY KEY (ns,key)
+);
+create index ns_attrib_key on ns_attrib(key);
+
+// Will be cached
+CREATE TABLE role (
+  ns	    varchar,
+  name		varchar,
+  perms		set<varchar>, // Use "Key" of "name|type|action"
+  description varchar,
+  PRIMARY KEY (ns,name)
+);
+CREATE INDEX role_name  ON role(name);
+ 
+// Will be cached
+CREATE TABLE perm (
+  ns	    varchar,
+  type 		varchar,
+  instance	varchar,
+  action	varchar,
+  roles		set<varchar>, // Need to find Roles given Permissions
+  description varchar,
+  PRIMARY KEY (ns,type,instance,action)
+);
+
+// This table is user for Authorization
+CREATE TABLE user_role (
+    user		varchar,
+    role		varchar, // deprecated: change to ns/rname after 2.0.11
+    ns			varchar,
+    rname		varchar,
+    expires		timestamp,
+    PRIMARY KEY(user,role)
+  );
+CREATE INDEX user_role_ns ON user_role(ns);
+CREATE INDEX user_role_role ON user_role(role);
+
+// This table is only for the case where return User Credential (MechID) Authentication
+CREATE TABLE cred (
+    id    varchar,
+    type  int,
+    expires timestamp,  
+    ns    varchar,
+    other int,
+    notes varchar,
+    cred  blob,
+    prev  blob,
+    PRIMARY KEY (id,type,expires)
+  );
+CREATE INDEX cred_ns ON cred(ns);
+
+// Certificate Cross Table
+//   coordinated with CRED type 2
+CREATE TABLE cert (
+    fingerprint blob,
+    id    	varchar,
+    x500	varchar,
+    expires 	timestamp,  
+    PRIMARY KEY (fingerprint)
+  );
+CREATE INDEX cert_id ON cert(id);
+CREATE INDEX cert_x500 ON cert(x500);
+
+CREATE TABLE notify (
+  user text,
+  type int,
+  last timestamp,
+  checksum int,
+  PRIMARY KEY (user,type)
+);
+
+CREATE TABLE x509 (
+  ca     text,
+  serial blob,
+  id     text,
+  x500   text,
+  x509   text,
+  PRIMARY KEY (ca,serial)
+);
+
+
+CREATE INDEX x509_id   ON x509 (id);
+CREATE INDEX x509_x500 ON x509 (x500);
+
+// 
+// Deployment Artifact (for Certman)
+//
+CREATE TABLE artifact (
+  mechid        text,
+  machine       text,
+  type          Set<text>,
+  sponsor       text,
+  ca            text,
+  dir           text,
+  appName       text,
+  os_user       text,
+  notify        text,
+  expires	timestamp,
+  renewDays   int,
+  PRIMARY KEY (mechid,machine)
+);
+CREATE INDEX artifact_machine ON artifact(machine); 
+
+//
+// Non-Critical Table functions
+//
+// Table Info - for Caching
+CREATE TABLE cache (
+   name		varchar,
+   seg		int, 		// cache Segment
+   touched	timestamp,
+   PRIMARY KEY(name,seg)
+);
+
+CREATE TABLE history (
+  id			timeuuid,
+  yr_mon		int,
+  user			varchar,
+  action 		varchar,
+  target		varchar,   // user, user_role, 
+  subject		varchar,   // field for searching main portion of target key
+  memo			varchar,   //description of the action
+  reconstruct 	blob,      //serialized form of the target
+  // detail 	Map<varchar, varchar>,  // additional information
+  PRIMARY KEY (id)
+);
+CREATE INDEX history_yr_mon ON history(yr_mon);
+CREATE INDEX history_user ON history(user); 
+CREATE INDEX history_subject ON history(subject); 
+
+// 
+// A place to hold objects to be created at a future time.
+//
+CREATE TABLE future (
+  id        uuid,  		// uniquify
+  target    varchar,   		// Target Table
+  memo	    varchar,    	// Description
+  start     timestamp, 		// When it should take effect
+  expires   timestamp, 		// When not longer valid
+  construct blob, 		// How to construct this object (like History)
+  PRIMARY KEY(id)
+);
+CREATE INDEX future_idx ON future(target);
+CREATE INDEX future_start_idx ON future(start);
+
+
+CREATE TABLE approval (
+  id	    timeuuid,	      // unique Key
+  ticket    uuid,	      // Link to Future Record
+  user 	    varchar,          // the user who needs to be approved
+  approver  varchar, 	      // user approving
+  type      varchar,          // approver types i.e. Supervisor, Owner
+  status    varchar,          // approval status. pending, approved, denied
+  memo      varchar,          // Text for Approval to know what's going on
+  operation varchar,	      // List operation to perform
+  PRIMARY KEY(id)
+ );
+CREATE INDEX appr_approver_idx ON approval(approver);
+CREATE INDEX appr_user_idx ON approval(user);
+CREATE INDEX appr_ticket_idx ON approval(ticket);
+CREATE INDEX appr_status_idx ON approval(status);
+
+CREATE TABLE delegate (
+  user      varchar,
+  delegate  varchar,
+  expires   timestamp,
+  PRIMARY KEY (user)  
+);
+CREATE INDEX delg_delg_idx ON delegate(delegate);
+
+//
+// Used by authz-batch processes to ensure only 1 runs at a time
+//
+CREATE TABLE run_lock (
+  class text,
+  host text,
+  start timestamp,
+  PRIMARY KEY ((class))
+);
diff --git a/auth/auth-service/src/main/resources/docker-compose/data2/.gitignore b/auth/auth-service/src/main/resources/docker-compose/data2/.gitignore
new file mode 100644
index 00000000..b4e2528b
--- /dev/null
+++ b/auth/auth-service/src/main/resources/docker-compose/data2/.gitignore
@@ -0,0 +1 @@
+/identities.dat
diff --git a/auth/auth-service/src/main/resources/docker-compose/wait_for_host_port.sh b/auth/auth-service/src/main/resources/docker-compose/wait_for_host_port.sh
new file mode 100644
index 00000000..e4e4bf9c
--- /dev/null
+++ b/auth/auth-service/src/main/resources/docker-compose/wait_for_host_port.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+host="$1"
+port="$2"
+shift
+shift
+cmd="$@"
+
+until echo > /dev/tcp/${host}/${port} ; do
+  >&2 echo "${host}:${port} is unavailable - sleeping"
+  sleep 1
+done
+
+>&2 echo "${host}:${port} is up - executing command"
+exec $cmd
diff --git a/auth/auth-service/src/main/resources/docker/.gitignore b/auth/auth-service/src/main/resources/docker/.gitignore
new file mode 100644
index 00000000..746c7bb0
--- /dev/null
+++ b/auth/auth-service/src/main/resources/docker/.gitignore
@@ -0,0 +1,5 @@
+/authAPI.props
+/com.osaaf.common.props
+/com.osaaf.props
+/Dockerfile
+/startup.sh
diff --git a/auth/auth-service/src/main/resources/etc/.gitignore b/auth/auth-service/src/main/resources/etc/.gitignore
new file mode 100644
index 00000000..d7251ce8
--- /dev/null
+++ b/auth/auth-service/src/main/resources/etc/.gitignore
@@ -0,0 +1,3 @@
+/authAPI.props
+/com.osaaf.common.props
+/com.osaaf.props
diff --git a/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/.gitignore b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/.gitignore
new file mode 100644
index 00000000..0417a4bc
--- /dev/null
+++ b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/.gitignore
@@ -0,0 +1 @@
+/JU_API_Api.java
diff --git a/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_Approval.java b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_Approval.java
new file mode 100644
index 00000000..010417c5
--- /dev/null
+++ b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_Approval.java
@@ -0,0 +1,68 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.service.api.test;
+
+import static org.junit.Assert.*;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.onap.aaf.auth.service.AAF_Service;
+import org.onap.aaf.auth.service.api.API_Approval;
+
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+
+import org.powermock.modules.junit4.PowerMockRunner;
+@RunWith(PowerMockRunner.class)
+public class JU_API_Approval {
+	API_Approval api_Approval;
+
+	@Mock
+	AAF_Service authzAPI;
+	AuthzFacade facade;
+
+	@Before
+	public void setUp()
+	{
+
+	}
+
+	@SuppressWarnings("static-access")
+	@Test
+	public void testInit() {
+
+		try {
+			api_Approval.init(authzAPI, facade);
+		} catch (Exception e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+		//assertTrue(true);
+	}
+
+	@Test
+	public void notYetImplemented() {
+		fail("Tests in this file should not be trusted");
+	}
+
+}
diff --git a/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_Creds.java b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_Creds.java
new file mode 100644
index 00000000..9f33f496
--- /dev/null
+++ b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_Creds.java
@@ -0,0 +1,80 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.service.api.test;
+
+import static org.junit.Assert.*;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.onap.aaf.auth.direct.DirectAAFUserPass;
+import org.onap.aaf.auth.service.AAF_Service;
+import org.onap.aaf.auth.service.api.API_Creds;
+import org.onap.aaf.misc.env.Env;
+
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+
+import org.powermock.modules.junit4.PowerMockRunner;
+@RunWith(PowerMockRunner.class)
+public class JU_API_Creds {
+
+	API_Creds api_Creds;
+	@Mock
+	AAF_Service authzAPI;
+	AuthzFacade facade;
+	Env env;
+	DirectAAFUserPass directAAFUserPass;
+	@Before
+	public void setUp(){
+
+	}
+
+	@SuppressWarnings("static-access")
+	@Test
+	public void testInit(){		
+		try {
+			api_Creds.init(authzAPI, facade);
+		} catch (Exception e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}		
+	}
+
+	@SuppressWarnings("static-access")
+	@Test
+	public void testTimeSensitiveInit(){
+
+		try {
+			api_Creds.timeSensitiveInit(env, authzAPI, facade, directAAFUserPass);
+		} catch (Exception e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+	}
+
+	@Test
+	public void notYetImplemented() {
+		fail("Tests in this file should not be trusted");
+	}
+
+}
diff --git a/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_Delegate.java b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_Delegate.java
new file mode 100644
index 00000000..1e4f1441
--- /dev/null
+++ b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_Delegate.java
@@ -0,0 +1,64 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.service.api.test;
+
+import static org.junit.Assert.*;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.onap.aaf.auth.service.AAF_Service;
+import org.onap.aaf.auth.service.api.API_Delegate;
+
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+
+import org.powermock.modules.junit4.PowerMockRunner;
+@RunWith(PowerMockRunner.class)
+public class JU_API_Delegate {
+	API_Delegate api_Delegate;
+	@Mock
+	AAF_Service authzAPI;
+	AuthzFacade facade;
+	@Before
+	public void setUp() {
+
+	}
+
+	@SuppressWarnings("static-access")
+	@Test
+	public void testInit(){
+
+		try {
+			api_Delegate.init(authzAPI, facade);
+		} catch (Exception e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+	}
+
+	@Test
+	public void notYetImplemented() {
+		fail("Tests in this file should not be trusted");
+	}
+
+}
diff --git a/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_History.java b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_History.java
new file mode 100644
index 00000000..28fca969
--- /dev/null
+++ b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_History.java
@@ -0,0 +1,67 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.service.api.test;
+
+import static org.junit.Assert.*;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.onap.aaf.auth.service.AAF_Service;
+import org.onap.aaf.auth.service.api.API_History;
+
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+
+import org.powermock.modules.junit4.PowerMockRunner;
+@RunWith(PowerMockRunner.class)
+public class JU_API_History {
+	API_History api_History;
+
+	@Mock
+	AAF_Service authzAPI;
+	AuthzFacade facade;
+
+	@Before
+	public void setUp(){
+
+	}
+
+	@SuppressWarnings("static-access")
+	@Test
+	public void testInit(){
+
+		try {
+			api_History.init(authzAPI, facade);
+		} catch (Exception e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+		assertTrue(true);
+	}
+
+	@Test
+	public void notYetImplemented() {
+		fail("Tests in this file should not be trusted");
+	}
+
+}
diff --git a/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_Mgmt.java b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_Mgmt.java
new file mode 100644
index 00000000..10f08e9d
--- /dev/null
+++ b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_Mgmt.java
@@ -0,0 +1,66 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.service.api.test;
+
+import static org.junit.Assert.*;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.onap.aaf.auth.service.AAF_Service;
+import org.onap.aaf.auth.service.api.API_Mgmt;
+
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+
+import org.powermock.modules.junit4.PowerMockRunner;
+@RunWith(PowerMockRunner.class)
+public class JU_API_Mgmt {
+	API_Mgmt api_Mgmt;
+
+	@Mock
+	AAF_Service authzAPI;
+	AuthzFacade facade;
+
+	@Before
+	public void setUp(){
+
+	}
+
+	@SuppressWarnings("static-access")
+	@Test
+	public void testInit(){
+
+		try {
+			api_Mgmt.init(authzAPI, facade);
+		} catch (Exception e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+	}
+
+	@Test
+	public void notYetImplemented() {
+		fail("Tests in this file should not be trusted");
+	}
+
+}
diff --git a/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_NS.java b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_NS.java
new file mode 100644
index 00000000..05803414
--- /dev/null
+++ b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_NS.java
@@ -0,0 +1,59 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.service.api.test;
+
+import static org.junit.Assert.*;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.onap.aaf.auth.service.AAF_Service;
+import org.onap.aaf.auth.service.api.API_NS;
+
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+
+import org.powermock.modules.junit4.PowerMockRunner;
+@RunWith(PowerMockRunner.class)
+public class JU_API_NS {
+	API_NS api_Ns;
+	@Mock
+	AAF_Service authzAPI;
+	AuthzFacade facade;
+
+
+	@SuppressWarnings("static-access")
+	@Test
+	public void testInit(){
+		try {
+			api_Ns.init(authzAPI, facade);
+		} catch (Exception e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+	}
+
+	@Test
+	public void notYetImplemented() {
+		fail("Tests in this file should not be trusted");
+	}
+
+}
diff --git a/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_Perms.java b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_Perms.java
new file mode 100644
index 00000000..aa62433b
--- /dev/null
+++ b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_Perms.java
@@ -0,0 +1,75 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.service.api.test;
+
+import static org.junit.Assert.*;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.onap.aaf.auth.service.AAF_Service;
+import org.onap.aaf.auth.service.api.API_Perms;
+
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+
+import org.powermock.modules.junit4.PowerMockRunner;
+@RunWith(PowerMockRunner.class)
+public class JU_API_Perms {
+	API_Perms api_Perms;
+	@Mock
+	AAF_Service authzAPI;
+	AuthzFacade facade;
+
+	@Before
+	public void setUp(){
+
+	}
+
+	@SuppressWarnings("static-access")
+	@Test
+	public void testInit(){
+		try {
+			api_Perms.init(authzAPI, facade);
+		} catch (Exception e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+	}
+
+	@SuppressWarnings("static-access")
+	@Test
+	public void testTimeSensitiveInit(){
+		try {
+			api_Perms.timeSensitiveInit(authzAPI, facade);
+		} catch (Exception e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+	}
+
+	@Test
+	public void notYetImplemented() {
+		fail("Tests in this file should not be trusted");
+	}
+
+}
diff --git a/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_Roles.java b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_Roles.java
new file mode 100644
index 00000000..e890ef5a
--- /dev/null
+++ b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_Roles.java
@@ -0,0 +1,65 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.service.api.test;
+
+import static org.junit.Assert.*;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.onap.aaf.auth.service.AAF_Service;
+import org.onap.aaf.auth.service.api.API_Roles;
+
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+
+import org.powermock.modules.junit4.PowerMockRunner;
+@RunWith(PowerMockRunner.class)
+public class JU_API_Roles {
+	API_Roles api_Roles;
+	@Mock
+	AAF_Service authzAPI;
+	AuthzFacade facade;
+
+
+	@Before
+	public void setUp() {
+		assertTrue(true);
+	}
+
+	@SuppressWarnings("static-access")
+	@Test
+	public void testInit(){
+		try {
+			api_Roles.init(authzAPI, facade);
+		} catch (Exception e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+	}
+
+	@Test
+	public void notYetImplemented() {
+		fail("Tests in this file should not be trusted");
+	}
+
+}
diff --git a/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_User.java b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_User.java
new file mode 100644
index 00000000..6c0ca0ce
--- /dev/null
+++ b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_User.java
@@ -0,0 +1,64 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.service.api.test;
+
+import static org.junit.Assert.*;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.onap.aaf.auth.service.AAF_Service;
+import org.onap.aaf.auth.service.api.API_User;
+
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+
+import org.powermock.modules.junit4.PowerMockRunner;
+@RunWith(PowerMockRunner.class)
+public class JU_API_User {
+	API_User api_User;
+	@Mock
+	AAF_Service authzAPI;
+	AuthzFacade facade;
+
+	@Before
+	public void setUp() {
+		//assertTrue(true);
+	}
+
+	@SuppressWarnings("static-access")
+	@Test
+	public void testInit(){
+		try {
+			api_User.init(authzAPI, facade);
+		} catch (Exception e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+	}
+
+	@Test
+	public void notYetImplemented() {
+		fail("Tests in this file should not be trusted");
+	}
+
+}
diff --git a/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_UserRole.java b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_UserRole.java
new file mode 100644
index 00000000..72954134
--- /dev/null
+++ b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/api/test/JU_API_UserRole.java
@@ -0,0 +1,60 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.service.api.test;
+
+import static org.junit.Assert.*;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.onap.aaf.auth.service.AAF_Service;
+import org.onap.aaf.auth.service.api.API_UserRole;
+
+import org.onap.aaf.auth.service.facade.AuthzFacade;
+
+import org.powermock.modules.junit4.PowerMockRunner;
+@RunWith(PowerMockRunner.class)
+public class JU_API_UserRole {
+	API_UserRole api_UserRole;
+	@Mock
+	AAF_Service authzAPI;
+	AuthzFacade facade;
+
+
+	@SuppressWarnings("static-access")
+	@Test
+	public void testInit(){
+		try {
+			api_UserRole.init(authzAPI, facade);
+		} catch (Exception e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+	}
+
+	@Test
+	public void notYetImplemented() {
+		fail("Tests in this file should not be trusted");
+	}
+
+}
diff --git a/auth/auth-service/src/test/java/org/onap/aaf/auth/service/validation/test/JU_ServiceValidator.java b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/validation/test/JU_ServiceValidator.java
new file mode 100644
index 00000000..a0e5bfa6
--- /dev/null
+++ b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/validation/test/JU_ServiceValidator.java
@@ -0,0 +1,102 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.auth.service.validation.test;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.onap.aaf.auth.dao.cass.PermDAO;
+import org.onap.aaf.auth.dao.cass.RoleDAO;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.service.validation.ServiceValidator;
+import org.onap.aaf.auth.validation.Validator;
+
+public class JU_ServiceValidator {
+
+	ServiceValidator validator;
+
+	@Before
+	public void setUp() {
+		validator = new ServiceValidator();
+	}
+
+	@Test
+	public void permNotOk() {
+
+		Result<PermDAO.Data> rpd = Result.err(1, "ERR_Security");
+
+		validator.perm(rpd);
+		assertTrue(validator.errs().equals("ERR_Security\n"));
+
+	}
+
+	@Test
+	public void permOkNull() {
+
+		Result rpd = Result.ok();
+
+		validator.perm(rpd);
+		assertTrue(validator.errs().equals("Perm Data is null.\n"));
+
+	}
+
+	@Test
+	public void roleOkNull() {
+
+		Result rrd = Result.ok();
+
+		validator.role(rrd);
+		assertTrue(validator.errs().equals("Role Data is null.\n"));
+	}
+
+	@Test
+	public void roleOk() {
+		RoleDAO.Data to = new RoleDAO.Data();
+		to.ns = "namespace";
+		to.name = "name";
+		to.description = "description";
+		Set<String> permissions = new HashSet<String>();
+		permissions.add("perm1");
+		to.perms = permissions;
+
+		Result<RoleDAO.Data> rrd = Result.ok(to);
+
+		validator.role(rrd);
+		assertTrue(
+				validator.errs().equals("Perm [perm1] in Role [namespace.name] is not correctly separated with '|'\n"));
+	}
+
+	@Test
+	public void roleNotOk() {
+
+		Result rrd = Result.err(1, "ERR_Security");
+
+		validator.role(rrd);
+		assertTrue(validator.errs().equals("ERR_Security\n"));
+	}
+
+}
diff --git a/auth/auth-service/src/test/java/org/onap/aaf/authz/service/mapper/JU_Mapper_2_0.java b/auth/auth-service/src/test/java/org/onap/aaf/authz/service/mapper/JU_Mapper_2_0.java
new file mode 100644
index 00000000..b3630c7a
--- /dev/null
+++ b/auth/auth-service/src/test/java/org/onap/aaf/authz/service/mapper/JU_Mapper_2_0.java
@@ -0,0 +1,162 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.authz.service.mapper;
+
+import static org.junit.Assert.*;
+
+import org.junit.Test;
+
+public class JU_Mapper_2_0 {
+
+	@Test
+	public void test() {
+		assertTrue(true);
+	}
+	
+	@Test
+	public void testApprovals(){
+		assertTrue(true);
+	}
+	
+	@Test
+	public void testCert(){
+		assertTrue(true);
+		
+	}
+	
+	@Test
+	public void testCred(){
+		assertTrue(true);
+		
+	}
+	
+	@Test
+	public void testDelegate(){
+		assertTrue(true);
+	}
+	
+	@Test
+	public void testErrorFromMessage(){
+		assertTrue(true);
+		
+	}
+	
+	@Test
+	public void testFuture(){
+		assertTrue(true);
+	}
+	
+	@Test
+	public void testGetClass(){
+		assertTrue(true);
+	}
+
+	@Test
+	public void testGetExpires(){
+		assertTrue(true);
+	}
+	
+	@Test
+	public void testGetMarshal(){
+		assertTrue(true);
+		
+	}
+	
+	@Test
+	public void testHistory(){
+		assertTrue(true);
+	}
+	
+	@Test
+	public void testKeys(){
+		assertTrue(true);
+		
+	}
+	
+	@Test
+	public void testNewInstance(){
+		assertTrue(true);
+	}
+	
+	@Test
+	public void testNs(){
+		assertTrue(true);
+	}
+	
+	@Test
+	public void testNss(){
+		assertTrue(true);
+	}
+	
+	@Test
+	public void testPerm(){
+		assertTrue(true);
+	}
+	
+	@Test
+	public void testPermFromRPRequest(){
+		assertTrue(true);
+	}
+	
+	@Test
+	public void testPermKey(){
+		assertTrue(true);
+	}
+	
+	@Test
+	public void testPerms(){
+		assertTrue(true);
+	}
+	
+	@Test
+	public void testRole(){
+		assertTrue(true);
+	}
+	
+	@Test
+	public void testRoleFromRPRequest(){
+		assertTrue(true);
+	}
+	
+	@Test
+	public void testRoles(){
+		assertTrue(true);
+	}
+	
+	@Test
+	public void testUserRole(){
+		assertTrue(true);
+	}
+	
+	@Test
+	public void testUserRoles(){
+		assertTrue(true);
+	}
+	
+	@Test
+	public void testUsers(){
+		assertTrue(true);
+	}
+	
+		
+	
+}
diff --git a/auth/docker/Dockerfile b/auth/docker/Dockerfile
new file mode 100644
index 00000000..7dee2eb7
--- /dev/null
+++ b/auth/docker/Dockerfile
@@ -0,0 +1,25 @@
+FROM openjdk:8
+MAINTAINER AAF Team, AT&T 2018
+ENV VERSION=${AAF_VERSION}
+
+LABEL description="aaf ${AAF_COMPONENT}"
+LABEL version=${AAF_VERSION}
+
+
+COPY lib /opt/app/aaf/${AAF_COMPONENT}/lib
+COPY theme /opt/app/aaf/${AAF_COMPONENT}/theme
+COPY bin /opt/app/aaf/${AAF_COMPONENT}/bin
+
+CMD ["bash","/opt/app/aaf/${AAF_COMPONENT}/bin/${AAF_COMPONENT}"]
+
+# For Debugging installation
+# CMD ["bash"]     
+# Java Debugging VM Args
+#     "-Xdebug",\
+#     "-Xnoagent",\
+#     "-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000",\
+
+# TLS Debugging VM Args
+#     "-Djavax.net.debug","ssl", \
+     
+
diff --git a/auth/docker/dbash b/auth/docker/dbash
new file mode 100644
index 00000000..da166b5c
--- /dev/null
+++ b/auth/docker/dbash
@@ -0,0 +1 @@
+docker exec -it aaf bash
+\ No newline at end of file
diff --git a/auth/docker/dbuild b/auth/docker/dbuild
new file mode 100644
index 00000000..15bc1b0e
--- /dev/null
+++ b/auth/docker/dbuild
@@ -0,0 +1,22 @@
+# 
+# Docker Building Script.  Reads all the components generated by install, on per-version basis
+#
+
+VERSION=2.1.0-SNAPSHOT
+# TODO add ability to do DEBUG settings
+
+if [ "$1" == "" ]; then
+  AAF_COMPONENTS=`ls ../aaf_*HOT/bin | grep -v '\.'`
+else
+  AAF_COMPONENTS=$1
+fi
+  
+for AAF_COMPONENT in ${AAF_COMPONENTS}; do 
+	sed -e 's/${AAF_VERSION}/'${VERSION}'/g' -e 's/${AAF_COMPONENT}/'${AAF_COMPONENT}'/g' Dockerfile > ../aaf_${VERSION}/Dockerfile
+	cd ..
+	docker build -t onap/aaf/aaf_${AAF_COMPONENT}:${VERSION} aaf_${VERSION}
+	rm aaf_${VERSION}/Dockerfile
+	cd -
+done
+
+
diff --git a/auth/docker/drun b/auth/docker/drun
new file mode 100644
index 00000000..601feaf3
--- /dev/null
+++ b/auth/docker/drun
@@ -0,0 +1,37 @@
+HOSTNAME=meriadoc.mithril.sbc.com
+HOST_IP=172.17.0.3
+CASS_HOST="cass.mithril.sbc.com:172.17.0.3"
+VERSION=2.1.0-SNAPSHOT
+
+if [ "$1" == "" ]; then
+  AAF_COMPONENTS=`ls ../aaf_${VERSION}/bin | grep -v '\.'`
+else
+  AAF_COMPONENTS=$1
+fi
+  
+for AAF_COMPONENT in ${AAF_COMPONENTS}; do 
+	
+	case "$AAF_COMPONENT" in
+		"service") PORTMAP="8100:8100";;
+		"locate") PORTMAP="443:8095";;
+		"oauth") PORTMAP="8140:8140";;
+		"gui") PORTMAP="8200:8200";;
+		"cm") PORTMAP="8150:8150";;
+		"hello") PORTMAP="8130:8130";;
+		"fs") PORTMAP="80:8096";;
+	esac
+	
+#	if [ "`docker container ls | grep aaf_$AAF_COMPONENT:$VERSION`" == "" ]; then 
+		docker run \
+		  --name aaf_$AAF_COMPONENT \
+		  --hostname="$HOSTNAME" \
+		  --add-host="$CASS_HOST" \
+		  --publish $PORTMAP \
+		  --volume=/opt/app/osaaf/etc:/opt/app/osaaf/etc \
+		  --link aaf_cass:cassandra \
+		  aaf_$AAF_COMPONENT:$VERSION
+#	else
+	  #echo docker container start -ia aaf_$AAF_COMPONENT
+#	fi
+done
+#		  --add-host="$HOSTNAME:$HOST_IP" \
diff --git a/auth/pom.xml b/auth/pom.xml
new file mode 100644
index 00000000..d024e110
--- /dev/null
+++ b/auth/pom.xml
@@ -0,0 +1,463 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+	<modelVersion>4.0.0</modelVersion>
+	<groupId>org.onap.aaf.auth</groupId>
+	<artifactId>parent</artifactId>
+	<version>2.1.0-SNAPSHOT</version>
+	<name>AAF Auth Parent</name>
+	<packaging>pom</packaging>
+	<properties>
+		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+		<skipTests>true</skipTests>
+		<project.interfaceVersion>2.10-SNAPSHOT</project.interfaceVersion>
+		<project.miscVersion>1.3.0-SNAPSHOT</project.miscVersion>
+		<project.cadiVersion>1.5.0-SNAPSHOT</project.cadiVersion>
+		<!-- >project.jettyVersion>9.3.22.v20171030</project.jettyVersion -->
+		<project.jettyVersion>9.4.8.v20171121</project.jettyVersion>
+		<powermock.version>1.5.1</powermock.version>
+		<project.conf_dir>/opt/app/osaaf/etc</project.conf_dir>
+	</properties>
+
+	<developers>
+		<developer>
+			<name>Jonathan Gathman</name>
+			<email>jonathan.gathman@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Architect</role>
+				<role>Lead Developer</role>
+			</roles>
+		</developer>
+		<developer>
+			<name>Gabe Maurer</name>
+			<email>gabe.maurer@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Developer</role>
+			</roles>
+		</developer>
+		<developer>
+			<name>Ian Howell</name>
+			<email>ian.howell@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Developer</role>
+			</roles>
+		</developer>
+	</developers>
+
+	<build>
+		<pluginManagement>
+			<plugins>
+				<plugin>
+					<groupId>org.apache.maven.plugins</groupId>
+					<artifactId>maven-compiler-plugin</artifactId>
+					<version>2.3.2</version>
+					<configuration>
+						<source>1.8</source>
+						<target>1.8</target>
+					</configuration>
+				</plugin>
+				<plugin>
+					<groupId>org.apache.maven.plugins</groupId>
+					<artifactId>maven-deploy-plugin</artifactId>
+					<version>2.6</version>
+					<configuration>
+						<skip>false</skip>
+					</configuration>
+				</plugin>
+
+				<plugin>
+					<groupId>org.apache.maven.plugins</groupId>
+					<artifactId>maven-surefire-plugin</artifactId>
+					<version>2.17</version>
+					<configuration>
+						<skipTests>${skipTests}</skipTests>
+						<includes>
+							<include>**/JU*.java</include>
+						</includes>
+						<excludes>
+						</excludes>
+
+					</configuration>
+				</plugin>
+
+				<plugin>
+					<groupId>org.apache.maven.plugins</groupId>
+					<artifactId>maven-failsafe-plugin</artifactId>
+					<version>2.17</version>
+					<configuration>
+						<skipTests>true</skipTests>
+					</configuration>
+					<executions>
+						<execution>
+							<id>integration-test</id>
+							<goals>
+								<goal>integration-test</goal>
+								<goal>verify</goal>
+							</goals>
+						</execution>
+					</executions>
+				</plugin>
+				
+				<!--  Builds O/S Command line ready jars and scripts, ready to run/zip -->
+				<plugin>
+					<groupId>org.codehaus.mojo</groupId>
+					<artifactId>appassembler-maven-plugin</artifactId>
+					<version>1.10</version>
+					<executions>
+						<execution>
+							<goals>
+								<goal>assemble</goal>
+							</goals>
+							<phase>install</phase>
+						</execution>
+					</executions>
+					<configuration>
+						<programs/> <!-- this set in projects that have programs -->
+						<assembleDirectory>../aaf_${project.version}</assembleDirectory>
+						<copyConfigurationDirectory>false</copyConfigurationDirectory>
+						<configurationDirectory>etc</configurationDirectory>
+						<repositoryName>lib</repositoryName>
+						<repositoryLayout>flat</repositoryLayout>
+					</configuration>
+				</plugin>
+				
+				<!-- Build Docker Image -->
+				<plugin>
+					<groupId>com.spotify</groupId>
+					<artifactId>docker-maven-plugin</artifactId>
+					<version>1.0.0</version>
+					<configuration>
+						<imageName>onap/osaaf/${project.artifactId}</imageName>
+						<!-- <dockerDirectory>${dockerLocation}</dockerDirectory> -->
+						<dockerDirectory>${basedir}/src/main/resources/docker</dockerDirectory>
+						<imageTags>
+							<imageTag>latest</imageTag>
+							<imageTag>${project.docker.latesttagtimestamp.version}</imageTag>
+							<imageTag>${project.docker.latesttag.version}</imageTag>
+						</imageTags>
+						<forceTags>true</forceTags>
+						<!-- <resources> <resource> <targetPath>/</targetPath> <directory>${project.build.directory}/opt</directory> 
+							<filtering>true</filtering> <includes> <include>**/**</include> </includes> 
+							</resource> </resources> -->
+						<resources>
+							<resource>
+								<targetPath>/</targetPath>
+								<directory>${project.build.directory}/opt</directory>
+								<include>${project.build.finalName}.jar</include>
+							</resource>
+							<resource>
+								<targetPath>/</targetPath>
+								<directory>${project.build.directory}</directory>
+								<include>**/**</include>
+							</resource>
+						</resources>
+					</configuration>
+					<executions>
+						<execution>
+							<id>build-image</id>
+							<phase>package</phase>
+							<goals>
+								<goal>build</goal>
+							</goals>
+							<configuration>
+								<skipDockerBuild>${skip.docker.build}</skipDockerBuild>
+							</configuration>
+						</execution>
+				
+						<execution>
+							<id>tag-image-project-version</id>
+							<phase>package</phase>
+							<goals>
+								<goal>tag</goal>
+							</goals>
+							<configuration>
+								<image>onap/osaaf/${project.artifactId}</image>
+								<newName>${docker.push.registry}/onap/osaaf/${project.artifactId}:${project.version}</newName>
+								<skipDockerTag>${skip.docker.push}</skipDockerTag>
+							</configuration>
+						</execution>
+				
+						<execution>
+							<id>tag-image-latest</id>
+							<phase>package</phase>
+							<goals>
+								<goal>tag</goal>
+							</goals>
+							<configuration>
+								<image>onap/aaf/authz-service</image>
+								<newName>${docker.push.registry}/onap/osaaf/${project.artifactId}:latest</newName>
+								<skipDockerTag>${skip.docker.push}</skipDockerTag>
+							</configuration>
+						</execution>
+				
+						<execution>
+							<id>push-image-latest</id>
+							<phase>deploy</phase>
+							<goals>
+								<goal>push</goal>
+							</goals>
+							<configuration>
+								<imageName>${docker.push.registry}/onap/osaaf/${project.artifactId}:${project.version}</imageName>
+								<skipDockerPush>${skip.docker.push}</skipDockerPush>
+							</configuration>
+						</execution>
+				
+						<execution>
+							<id>push-image</id>
+							<phase>deploy</phase>
+							<goals>
+								<goal>push</goal>
+							</goals>
+							<configuration>
+								<imageName>${docker.push.registry}/onap/osaaf/${project.artifactId}:latest</imageName>
+								<skipDockerPush>${skip.docker.push}</skipDockerPush>
+							</configuration>
+						</execution>
+					</executions>
+				</plugin>
+			</plugins>
+		</pluginManagement>
+	</build>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.mockito</groupId>
+			<artifactId>mockito-all</artifactId>
+			<version>1.9.5</version>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.powermock</groupId>
+			<artifactId>powermock-module-junit4</artifactId>
+			<version>${powermock.version}</version>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.powermock</groupId>
+			<artifactId>powermock-api-mockito</artifactId>
+			<version>${powermock.version}</version>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>junit</groupId>
+			<artifactId>junit</artifactId>
+			<version>4.10</version>
+			<scope>test</scope>
+		</dependency>
+
+	</dependencies>
+
+	<modules>
+		<!-- <module>auth-client</module> complile manually with mvn -N independently -->
+		<module>auth-core</module>
+		<module>auth-cass</module>
+		<module>auth-deforg</module>
+
+		<module>auth-service</module>
+		<module>auth-cmd</module>
+		<module>auth-batch</module>
+
+		<module>auth-gui</module>
+		<module>auth-locate</module>
+		<module>auth-oauth</module>
+		<module>auth-certman</module>
+		<module>auth-fs</module>
+		<module>auth-hello</module>
+	</modules>
+
+	<dependencyManagement>
+		<dependencies>
+			<dependency>
+				<groupId>org.onap.aaf.misc</groupId>
+				<artifactId>aaf-misc-env</artifactId>
+				<version>${project.miscVersion}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.onap.aaf.misc</groupId>
+				<artifactId>aaf-misc-log4j</artifactId>
+				<version>${project.miscVersion}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.onap.aaf.misc</groupId>
+				<artifactId>aaf-misc-rosetta</artifactId>
+				<version>${project.miscVersion}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.onap.aaf.misc</groupId>
+				<artifactId>aaf-misc-xgen</artifactId>
+				<version>${project.miscVersion}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.onap.aaf.cadi</groupId>
+				<artifactId>aaf-cadi-core</artifactId>
+				<version>${project.cadiVersion}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.onap.aaf.cadi</groupId>
+				<artifactId>aaf-cadi-client</artifactId>
+				<version>${project.cadiVersion}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.onap.aaf.cadi</groupId>
+				<artifactId>aaf-cadi-aaf</artifactId>
+				<version>${project.cadiVersion}</version>
+				<exclusions>
+					<exclusion>
+						<groupId>org.apache.cassandra</groupId>
+						<artifactId>cassandra-all</artifactId>
+					</exclusion>
+				</exclusions>
+			</dependency>
+
+			<dependency>
+				<groupId>org.onap.aaf.auth</groupId>
+				<artifactId>aaf-auth-client</artifactId>
+				<version>${project.interfaceVersion}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.onap.aaf.auth</groupId>
+				<artifactId>aaf-auth-core</artifactId>
+				<version>${project.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.onap.aaf.auth</groupId>
+				<artifactId>aaf-auth-cass</artifactId>
+				<version>${project.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.onap.aaf.auth</groupId>
+				<artifactId>aaf-auth-cmd</artifactId>
+				<version>${project.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.onap.aaf.auth</groupId>
+				<artifactId>aaf-auth-oauth</artifactId>
+				<version>${project.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.onap.aaf.auth</groupId>
+				<artifactId>aaf-auth-deforg</artifactId>
+				<version>${project.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>javax.servlet</groupId>
+				<artifactId>servlet-api</artifactId>
+				<version>3.0</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.eclipse.jetty</groupId>
+				<artifactId>jetty-servlet</artifactId>
+				<version>${project.jettyVersion}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.eclipse.jetty</groupId>
+				<artifactId>jetty-server</artifactId>
+				<version>${project.jettyVersion}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.eclipse.jetty</groupId>
+				<artifactId>jetty-jmx</artifactId>
+				<version>${project.jettyVersion}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>com.datastax.cassandra</groupId>
+				<artifactId>cassandra-all</artifactId>
+				<version>3.3.0</version>
+				<exclusions>
+					<exclusion>
+						<groupId>org.slf4j</groupId>
+						<artifactId>slf4j-log4j12</artifactId>
+					</exclusion>
+					<exclusion>
+						<groupId>log4j</groupId>
+						<artifactId>log4j</artifactId>
+					</exclusion>
+				</exclusions>
+			</dependency>
+			<dependency>
+				<groupId>com.datastax.cassandra</groupId>
+				<artifactId>cassandra-driver-core</artifactId>
+				<!-- version>1.0.3</version -->
+				<!-- version>1.0.5</version -->
+				<version>3.3.0</version>
+				<exclusions>
+					<exclusion>
+						<groupId>org.slf4j</groupId>
+						<artifactId>slf4j-log4j12</artifactId>
+					</exclusion>
+					<exclusion>
+						<groupId>log4j</groupId>
+						<artifactId>log4j</artifactId>
+					</exclusion>
+				</exclusions>
+			</dependency>
+
+			<dependency>
+				<groupId>org.slf4j</groupId>
+				<artifactId>slf4j-log4j12</artifactId>
+				<version>1.7.5</version>
+			</dependency>
+
+			<dependency>
+				<groupId>javax.mail</groupId>
+				<artifactId>mail</artifactId>
+				<version>1.4.5</version>
+			</dependency>
+		</dependencies>
+	</dependencyManagement>
+
+
+	<distributionManagement>
+		<repository>
+			<id>nexus</id>
+			<name>attarch-releases</name>
+			<url>http://mavencentral.it.att.com:8084/nexus/content/repositories/attarch-releases</url>
+		</repository>
+		<snapshotRepository>
+			<id>nexus</id>
+			<name>attarch-snapshots</name>
+			<url>http://mavencentral.it.att.com:8084/nexus/content/repositories/attarch-snapshots</url>
+		</snapshotRepository>
+	</distributionManagement>
+
+</project>
author	Instrumental <jcgmisc@stl.gathman.org>	2018-03-26 13:51:48 -0700
committer	Instrumental <jcgmisc@stl.gathman.org>	2018-03-26 13:52:07 -0700
commit	71037c39a37d3549dcfe31926832a657744fbe05 (patch)
tree	78911b2b5e86e4e44228f7a27b3a8cd954b7f3e2 /auth
parent	a20accc73189d8e5454cd26049c0e6fae75da16f (diff)