diff --git a/management/server/http/api/openapi.yml b/management/server/http/api/openapi.yml
index 783e1421b..f886ccd32 100644
--- a/management/server/http/api/openapi.yml
+++ b/management/server/http/api/openapi.yml
@@ -47,16 +47,16 @@ components:
     UserRequest:
       type: object
       properties:
+        role:
+          description: User's NetBird account role
+          type: string
         auto_groups:
           description: Groups to auto-assign to peers registered by this user
           type: array
           items:
             type: string
       required:
-        - name
-        - type
-        - expires_in
-        - revoked
+        - role
         - auto_groups
     PeerMinimum:
       type: object
diff --git a/management/server/http/api/types.gen.go b/management/server/http/api/types.gen.go
index d2ba729b9..7a3b6ae5e 100644
--- a/management/server/http/api/types.gen.go
+++ b/management/server/http/api/types.gen.go
@@ -376,6 +376,9 @@ type User struct {
 type UserRequest struct {
 	// Groups to auto-assign to peers registered by this user
 	AutoGroups []string `json:"auto_groups"`
+
+	// User's NetBird account role
+	Role string `json:"role"`
 }
 
 // PostApiGroupsJSONBody defines parameters for PostApiGroups.
diff --git a/management/server/http/users.go b/management/server/http/users.go
index 93b614a14..83b253824 100644
--- a/management/server/http/users.go
+++ b/management/server/http/users.go
@@ -45,7 +45,7 @@ func (h *UserHandler) UpdateUser(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	userID := vars["id"]
 	if len(userID) == 0 {
-		http.Error(w, "invalid key Id", http.StatusBadRequest)
+		http.Error(w, "invalid user ID", http.StatusBadRequest)
 		return
 	}
 
@@ -56,8 +56,15 @@ func (h *UserHandler) UpdateUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	userRole := server.StrRoleToUserRole(req.Role)
+	if userRole == server.UserRoleUnknown {
+		http.Error(w, "invalid user role", http.StatusBadRequest)
+		return
+	}
+
 	newUser, err := h.accountManager.SaveUser(account.Id, &server.User{
 		Id:         userID,
+		Role:       userRole,
 		AutoGroups: req.AutoGroups,
 	})
 	if err != nil {
diff --git a/management/server/user.go b/management/server/user.go
index e1032198c..391debfb8 100644
--- a/management/server/user.go
+++ b/management/server/user.go
@@ -11,10 +11,23 @@ import (
 )
 
 const (
-	UserRoleAdmin UserRole = "admin"
-	UserRoleUser  UserRole = "user"
+	UserRoleAdmin   UserRole = "admin"
+	UserRoleUser    UserRole = "user"
+	UserRoleUnknown UserRole = "unknown"
 )
 
+// StrRoleToUserRole returns UserRole for a given strRole or UserRoleUnknown if the specified role is unknown
+func StrRoleToUserRole(strRole string) UserRole {
+	switch strings.ToLower(strRole) {
+	case "admin":
+		return UserRoleAdmin
+	case "user":
+		return UserRoleUser
+	default:
+		return UserRoleUnknown
+	}
+}
+
 // UserRole is the role of the User
 type UserRole string
 
@@ -116,6 +129,7 @@ func (am *DefaultAccountManager) SaveUser(accountID string, update *User) (*User
 	// only auto groups, revoked status, and name can be updated for now
 	newUser := oldUser.Copy()
 	newUser.AutoGroups = update.AutoGroups
+	newUser.Role = update.Role
 
 	account.Users[newUser.Id] = newUser