diff --git a/graphql/schema/schema.graphql b/graphql/schema/schema.graphql
index f4a71a3f8..12ac5a472 100644
--- a/graphql/schema/schema.graphql
+++ b/graphql/schema/schema.graphql
@@ -269,7 +269,8 @@ type Query {
   allStudios: [Studio!]! @deprecated(reason: "Use findStudios instead")
   allMovies: [Movie!]! @deprecated(reason: "Use findGroups instead")
 
-  # Get everything with minimal metadata
+  """Returns currently authenticated user"""
+  me: User
 
   # Version
   version: Version!
@@ -588,6 +589,11 @@ type Mutation {
   addTempDLNAIP(input: AddTempDLNAIPInput!): Boolean! @hasRole(role: ADMIN)
   "Removes an IP address from the temporary DLNA whitelist"
   removeTempDLNAIP(input: RemoveTempDLNAIPInput!): Boolean! @hasRole(role: ADMIN)
+
+  userCreate(input: UserCreateInput!): User @hasRole(role: ADMIN)
+  userUpdate(input: UserUpdateInput!): User @hasRole(role: ADMIN)
+  userDestroy(input: UserDestroyInput!): Boolean! @hasRole(role: ADMIN)
+  changePassword(input: UserChangePasswordInput!): Boolean!
 }
 
 type Subscription {
diff --git a/graphql/schema/types/user.graphql b/graphql/schema/types/user.graphql
index 65ca618d1..6226f061b 100644
--- a/graphql/schema/types/user.graphql
+++ b/graphql/schema/types/user.graphql
@@ -5,3 +5,37 @@ enum RoleEnum {
 }
 
 directive @hasRole(role: RoleEnum!) on FIELD_DEFINITION
+directive @isUserOwner on FIELD_DEFINITION
+
+type User {
+  name: String!
+  """Should not be visible to other users"""
+  roles: [RoleEnum!] @isUserOwner
+  """Should not be visible to other users"""
+  api_key: String @isUserOwner
+}
+
+input UserCreateInput {
+  name: String!
+  """Password in plain text"""
+  password: String!
+  roles: [RoleEnum!]!
+}
+
+input UserUpdateInput {
+  name: String
+  """Password in plain text"""
+  password: String
+  roles: [RoleEnum!]
+}
+
+input UserDestroyInput {
+    id: ID!
+}
+
+input UserChangePasswordInput {
+  """Password in plain text"""
+  existing_password: String
+  new_password: String!
+  reset_key: String
+}
\ No newline at end of file