diff --git a/doc/Sphinx/source/img/image1institutional.png b/doc/Sphinx/source/img/image1institutional.png
deleted file mode 100755
index 39852ea1c23..00000000000
Binary files a/doc/Sphinx/source/img/image1institutional.png and /dev/null differ
diff --git a/doc/Sphinx/source/img/image2institutional.png b/doc/Sphinx/source/img/image2institutional.png
deleted file mode 100755
index a14fded0cc3..00000000000
Binary files a/doc/Sphinx/source/img/image2institutional.png and /dev/null differ
diff --git a/doc/Sphinx/source/img/image3institutional.png b/doc/Sphinx/source/img/image3institutional.png
deleted file mode 100755
index bc213a656f9..00000000000
Binary files a/doc/Sphinx/source/img/image3institutional.png and /dev/null differ
diff --git a/doc/Sphinx/source/img/image4institutional.png b/doc/Sphinx/source/img/image4institutional.png
deleted file mode 100755
index 40f1c03d1d7..00000000000
Binary files a/doc/Sphinx/source/img/image4institutional.png and /dev/null differ
diff --git a/doc/shib/shib.md b/doc/shib/shib.md
index 5d2b3a55858..f29f9cc485e 100644
--- a/doc/shib/shib.md
+++ b/doc/shib/shib.md
@@ -6,8 +6,6 @@ FIXME: merge with what's in the Installation Guide: http://guides.dataverse.org/
 
 ## Set up a valid SSL cert
 
-See also notes on setting up the SSL cert for https://apitest.dataverse.org at https://github.com/IQSS/dataverse/tree/master/scripts/deploy/apitest.dataverse.org
-
 ### Create a private key
 
     [root@dvn-vm3 ~]# openssl genrsa -out /root/cert/shibtest.dataverse.org.key 2048
diff --git a/doc/sphinx-guides/source/admin/index.rst b/doc/sphinx-guides/source/admin/index.rst
index e7dfb0bf46a..28a46cf58e5 100755
--- a/doc/sphinx-guides/source/admin/index.rst
+++ b/doc/sphinx-guides/source/admin/index.rst
@@ -13,9 +13,8 @@ These "superuser" tasks are managed via the new page called the Dashboard. A use
 Contents:
 
 .. toctree::
-   :maxdepth: 2
 
-  harvestclients
-  harvestserver
-  metadataexport
-  timers
+   harvestclients
+   harvestserver
+   metadataexport
+   timers
diff --git a/doc/sphinx-guides/source/api/dataaccess.rst b/doc/sphinx-guides/source/api/dataaccess.rst
index 7bb2805b99a..66ea551d446 100755
--- a/doc/sphinx-guides/source/api/dataaccess.rst
+++ b/doc/sphinx-guides/source/api/dataaccess.rst
@@ -60,11 +60,11 @@ Multiple File ("bundle") download
 Returns the files listed, zipped. 
 
 Parameters: 
-~~~~~~~~~~
+~~~~~~~~~~~
 none.
 
 "All Formats" bundled access for Tabular Files. 
-----------------------------------------------
+-----------------------------------------------
 
 ``/api/access/datafile/bundle/$id``
 
@@ -78,7 +78,7 @@ It returns a zipped bundle that contains the data in the following formats:
 * File citation, in Endnote and RIS formats. 
 
 Parameters: 
-~~~~~~~~~~
+~~~~~~~~~~~
 none.
 
 Data Variable Metadata Access
diff --git a/doc/sphinx-guides/source/api/index.rst b/doc/sphinx-guides/source/api/index.rst
index 152ea180236..b9d30d20e91 100755
--- a/doc/sphinx-guides/source/api/index.rst
+++ b/doc/sphinx-guides/source/api/index.rst
@@ -11,16 +11,15 @@ interoperate with the Dataverse to utilize our
 APIs. In 4.0, we require to get a token, by simply registering for a Dataverse account, before using our APIs 
 (We are considering making some of the APIs completely public in the future - no token required - if you use it only a few times).
 
-Rather than using a production installation of Dataverse, API users should use http://apitest.dataverse.org for testing.
+Rather than using a production installation of Dataverse, API users are welcome to use http://demo.dataverse.org for testing.
 
 Contents:
 
 .. toctree::
-   :maxdepth: 2
 
-  sword
-  search
-  dataaccess
-  native-api
-  client-libraries
-  apps
+   sword
+   search
+   dataaccess
+   native-api
+   client-libraries
+   apps
diff --git a/doc/sphinx-guides/source/api/native-api.rst b/doc/sphinx-guides/source/api/native-api.rst
index 59af4f00eee..8b686df66cd 100644
--- a/doc/sphinx-guides/source/api/native-api.rst
+++ b/doc/sphinx-guides/source/api/native-api.rst
@@ -89,7 +89,7 @@ Publish the Dataverse pointed by ``identifier``, which can either by the dataver
 Datasets
 ~~~~~~~~
 
-**Note** Creation of new datasets is done by ``POST``ing them onto dataverses. See dataverse section.
+**Note** Creation of new datasets is done with a ``POST`` onto dataverses. See dataverse section.
 
 **Note** In all commands below, dataset versions can be referred to as:
 
@@ -125,12 +125,12 @@ List versions of the dataset::
 Show a version of the dataset. The Dataset also include any metadata blocks the data might have::
 
   GET http://$SERVER/api/datasets/$id/versions/$versionNumber?key=$apiKey
-  
-      
+
+
 Export the metadata of the current published version of a dataset in various formats see Note below::
 
     GET http://$SERVER/api/datasets/export?exporter=ddi&persistentId=$persistentId
-  
+
     Note: Supported exporters (export formats) are ddi, oai_ddi, dcterms, oai_dc, and dataverse_json.
 
 
@@ -163,9 +163,9 @@ To revert to the default logic, use ``:publicationDate`` as the ``$datasetFieldT
 Note that the dataset field used has to be a date field::
 
     PUT http://$SERVER/api/datasets/$id/citationdate?key=$apiKey
-    
+
 Restores the default logic of the field type to be used as the citation date. Same as ``PUT`` with ``:publicationDate`` body::
-    
+
     DELETE http://$SERVER/api/datasets/$id/citationdate?key=$apiKey
 
 List all the role assignments at the given dataset::
@@ -185,7 +185,7 @@ Delete a Private URL from a dataset (if it exists)::
     DELETE http://$SERVER/api/datasets/$id/privateUrl?key=$apiKey
 
 Builtin Users
-~~~~~
+~~~~~~~~~~~~~
 
 This endopint deals with users of the built-in authentication provider. Note that users may come from other authentication services as well, such as Shibboleth.
 For this service to work, the setting ``BuiltinUsers.KEY`` has to be set, and its value passed as ``key`` to
@@ -368,18 +368,29 @@ Toggles superuser mode on the ``AuthenticatedUser`` whose ``identifier`` (withou
 
     POST http://$SERVER/api/admin/superuser/$identifier
 
+List all role assignments of a role assignee (i.e. a user or a group)::
+
+    GET http://$SERVER/api/admin/assignments/assignees/$identifier
+
+Note that ``identifier`` can contain slashes (e.g. ``&ip/localhost-users``).
+
 IpGroups
 ^^^^^^^^
 
-List all the ip groups::
+Lists all the ip groups::
 
   GET http://$SERVER/api/admin/groups/ip
 
-Adds a new ip group. POST data should specify the group in JSON format. Examples are available at ``data/ipGroup1.json``. ::
+Adds a new ip group. POST data should specify the group in JSON format. Examples are available at the ``data`` folder. Using this method, an IP Group is always created, but its ``alias`` might be different than the one appearing in the
+JSON file, to ensure it is unique. ::
 
   POST http://$SERVER/api/admin/groups/ip
 
-Returns a the group in a JSON format. ``groupIdtf`` can either be the group id in the database (in case it is numeric), or the group alias. ::
+Creates or updates the ip group ``$groupAlias``. ::
+
+    POST http://$SERVER/api/admin/groups/ip/$groupAlias
+
+Returns a the group in a JSON format. ``$groupIdtf`` can either be the group id in the database (in case it is numeric), or the group alias. ::
 
   GET http://$SERVER/api/admin/groups/ip/$groupIdtf
 
diff --git a/doc/sphinx-guides/source/api/search.rst b/doc/sphinx-guides/source/api/search.rst
index 84f202a5b83..2f7090a327b 100755
--- a/doc/sphinx-guides/source/api/search.rst
+++ b/doc/sphinx-guides/source/api/search.rst
@@ -20,11 +20,11 @@ Parameters
 ==============  =======  ===========
 Name            Type     Description
 ==============  =======  ===========
-q               string   The search term or terms. Using "title:data" will search only the "title" field. "*" can be used as a wildcard either alone or adjacent to a term (i.e. "bird*"). For example, https://apitest.dataverse.org/api/search?q=title:data
-type            string   Can be either "dataverse", "dataset", or "file". Multiple "type" parameters can be used to include multiple types (i.e. ``type=dataset&type=file``). If omitted, all types will be returned.  For example, https://apitest.dataverse.org/api/search?q=*&type=dataset
-subtree         string   The identifier of the dataverse to which the search should be narrowed. The subtree of this dataverse and all its children will be searched.  For example, https://apitest.dataverse.org/api/search?q=data&subtree=birds
+q               string   The search term or terms. Using "title:data" will search only the "title" field. "*" can be used as a wildcard either alone or adjacent to a term (i.e. "bird*"). For example, https://demo.dataverse.org/api/search?q=title:data
+type            string   Can be either "dataverse", "dataset", or "file". Multiple "type" parameters can be used to include multiple types (i.e. ``type=dataset&type=file``). If omitted, all types will be returned.  For example, https://demo.dataverse.org/api/search?q=*&type=dataset
+subtree         string   The identifier of the dataverse to which the search should be narrowed. The subtree of this dataverse and all its children will be searched.  For example, https://demo.dataverse.org/api/search?q=data&subtree=birds
 sort            string   The sort field. Supported values include "name" and "date". See example under "order".
-order           string   The order in which to sort. Can either be "asc" or "desc".  For example, https://apitest.dataverse.org/api/search?q=data&sort=name&order=asc
+order           string   The order in which to sort. Can either be "asc" or "desc".  For example, https://demo.dataverse.org/api/search?q=data&sort=name&order=asc
 per_page        int      The number of results to return per request. The default is 10. The max is 1000. See :ref:`iteration example <iteration-example>`.
 start           int      A cursor for paging through search results. See :ref:`iteration example <iteration-example>`.
 show_relevance  boolean  Whether or not to show details of which fields were matched by the query. False by default. See :ref:`advanced search example <advancedsearch-example>`.
@@ -35,7 +35,7 @@ fq              string   A filter query on the search term. Multiple "fq" parame
 Basic Search Example
 --------------------
 
-https://apitest.dataverse.org/api/search?q=trees
+https://demo.dataverse.org/api/search?q=trees
 
 .. code-block:: json
 
@@ -52,8 +52,8 @@ https://apitest.dataverse.org/api/search?q=trees
                 {
                     "name":"Trees",
                     "type":"dataverse",
-                    "url":"https://apitest.dataverse.org/dataverse/trees",
-                    "image_url":"https://apitest.dataverse.org/api/access/dvCardImage/7",
+                    "url":"https://demo.dataverse.org/dataverse/trees",
+                    "image_url":"https://demo.dataverse.org/api/access/dvCardImage/7",
                     "identifier":"trees",
                     "description":"A tree dataverse with some birds",
                     "published_at":"2016-05-10T12:53:38Z"
@@ -61,8 +61,8 @@ https://apitest.dataverse.org/api/search?q=trees
                 {
                     "name":"Chestnut Trees",
                     "type":"dataverse",
-                    "url":"https://apitest.dataverse.org/dataverse/chestnuttrees",
-                    "image_url":"https://apitest.dataverse.org/api/access/dvCardImage/9",
+                    "url":"https://demo.dataverse.org/dataverse/chestnuttrees",
+                    "image_url":"https://demo.dataverse.org/api/access/dvCardImage/9",
                     "identifier":"chestnuttrees",
                     "description":"A dataverse with chestnut trees and an oriole",
                     "published_at":"2016-05-10T12:52:38Z"
@@ -70,8 +70,8 @@ https://apitest.dataverse.org/api/search?q=trees
                 {
                     "name":"trees.png",
                     "type":"file",
-                    "url":"https://apitest.dataverse.org/api/access/datafile/12",
-                    "image_url":"https://apitest.dataverse.org/api/access/fileCardImage/12",
+                    "url":"https://demo.dataverse.org/api/access/datafile/12",
+                    "image_url":"https://demo.dataverse.org/api/access/fileCardImage/12",
                     "file_id":"12",
                     "description":"",
                     "published_at":"2016-05-10T12:53:39Z",
@@ -84,8 +84,8 @@ https://apitest.dataverse.org/api/search?q=trees
                 {
                     "name":"Birds",
                     "type":"dataverse",
-                    "url":"https://apitest.dataverse.org/dataverse/birds",
-                    "image_url":"https://apitest.dataverse.org/api/access/dvCardImage/2",
+                    "url":"https://demo.dataverse.org/dataverse/birds",
+                    "image_url":"https://demo.dataverse.org/api/access/dvCardImage/2",
                     "identifier":"birds",
                     "description":"A bird dataverse with some trees",
                     "published_at":"2016-05-10T12:57:27Z"
@@ -100,7 +100,7 @@ https://apitest.dataverse.org/api/search?q=trees
 Advanced Search Example
 -----------------------
 
-https://apitest.dataverse.org/api/search?q=finch&show_relevance=true&show_facets=true&fq=publicationDate:2016&subtree=birds
+https://demo.dataverse.org/api/search?q=finch&show_relevance=true&show_facets=true&fq=publicationDate:2016&subtree=birds
 
 In this example, ``show_relevance=true`` matches per field are shown. Available facets are shown with ``show_facets=true`` and of the facets is being used with ``fq=publication_date_s:2015``. The search is being narrowed to the dataverse with the identifier "birds" with the parameter ``subtree=birds``.
 
@@ -118,8 +118,8 @@ In this example, ``show_relevance=true`` matches per field are shown. Available
                 {
                     "name":"Finches",
                     "type":"dataverse",
-                    "url":"https://apitest.dataverse.org/dataverse/finches",
-                    "image_url":"https://apitest.dataverse.org/api/access/dvCardImage/3",
+                    "url":"https://demo.dataverse.org/dataverse/finches",
+                    "image_url":"https://demo.dataverse.org/api/access/dvCardImage/3",
                     "identifier":"finches",
                     "description":"A dataverse with finches",
                     "published_at":"2016-05-10T12:57:38Z",
@@ -145,7 +145,7 @@ In this example, ``show_relevance=true`` matches per field are shown. Available
                     "name":"Darwin's Finches",
                     "type":"dataset",
                     "url":"http://dx.doi.org/10.5072/FK2/G2VPE7",
-                    "image_url":"https://apitest.dataverse.org/api/access/dsCardImage/2",
+                    "image_url":"https://demo.dataverse.org/api/access/dsCardImage/2",
                     "global_id":"doi:10.5072/FK2/G2VPE7",
                     "description": "Darwin's finches (also known as the Galápagos finches) are a group of about fifteen species of passerine birds.",
                     "published_at":"2016-05-10T12:57:45Z",
@@ -224,7 +224,7 @@ Be default, up to 10 results are returned with every request (though this can be
     #!/usr/bin/env python
     import urllib2
     import json
-    base = 'https://apitest.dataverse.org'
+    base = 'https://demo.dataverse.org'
     rows = 10
     start = 0
     page = 1
diff --git a/doc/sphinx-guides/source/conf.py b/doc/sphinx-guides/source/conf.py
index e9c09e0c61b..ca7b40d4dc6 100755
--- a/doc/sphinx-guides/source/conf.py
+++ b/doc/sphinx-guides/source/conf.py
@@ -14,6 +14,7 @@
 
 import sys
 import os
+from datetime import datetime
 sys.path.insert(0, os.path.abspath('../../'))
 import sphinx_bootstrap_theme
 
@@ -56,16 +57,16 @@
 
 # General information about the project.
 project = u'Dataverse'
-copyright = u'2016, The President & Fellows of Harvard College'
+copyright = u'%d, The President & Fellows of Harvard College' % datetime.now().year
 
 # The version info for the project you're documenting, acts as replacement for
 # |version| and |release|, also used in various other places throughout the
 # built documents.
 #
 # The short X.Y version.
-version = '4.5'
+version = '4.5.1'
 # The full version, including alpha/beta/rc tags.
-release = '4.5'
+release = '4.5.1'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
@@ -358,7 +359,7 @@
 epub_title = u'Dataverse'
 epub_author = u'Dataverse Team'
 epub_publisher = u'Dataverse Team'
-epub_copyright = u'2014, Dataverse Team'
+epub_copyright = u'%d, The President & Fellows of Harvard College' % datetime.now().year
 
 # The basename for the epub file. It defaults to the project name.
 #epub_basename = u'Consilience Documentation'
diff --git a/doc/sphinx-guides/source/developers/dev-environment.rst b/doc/sphinx-guides/source/developers/dev-environment.rst
index d3871380f52..532f2f75d7a 100755
--- a/doc/sphinx-guides/source/developers/dev-environment.rst
+++ b/doc/sphinx-guides/source/developers/dev-environment.rst
@@ -7,7 +7,7 @@ Development Environment
 Assumptions
 -----------
 
-This guide assumes you are using a Mac but we do have pages for :doc:`/developers/windows` and :doc:`/developers/ubuntu`.
+This guide assumes you are using a Mac. If you are using Windows or Linux, please reach out to other developers at https://groups.google.com/forum/#!forum/dataverse-dev
 
 Requirements
 ------------
diff --git a/doc/sphinx-guides/source/developers/index.rst b/doc/sphinx-guides/source/developers/index.rst
index 9225d00dcd6..a9daa12b16c 100755
--- a/doc/sphinx-guides/source/developers/index.rst
+++ b/doc/sphinx-guides/source/developers/index.rst
@@ -9,17 +9,14 @@ Developer Guide
 Contents:
 
 .. toctree::
-   :maxdepth: 2
-
-  intro
-  dev-environment
-  branching-strategy
-  testing
-  documentation
-  debugging
-  coding-style
-  making-releases
-  tools
-  unf/index
-
 
+   intro
+   dev-environment
+   branching-strategy
+   testing
+   documentation
+   debugging
+   coding-style
+   making-releases
+   tools
+   unf/index
diff --git a/doc/sphinx-guides/source/developers/ubuntu.rst b/doc/sphinx-guides/source/developers/ubuntu.rst
deleted file mode 100755
index 9204a6171eb..00000000000
--- a/doc/sphinx-guides/source/developers/ubuntu.rst
+++ /dev/null
@@ -1,51 +0,0 @@
-======
-Ubuntu
-======
-
-Requirements
-------------
-
-Tested on Ubuntu 14.04.
-
-Java 8
-~~~~~~
-
-- ``sudo apt-get install openjdk-8-jdk openjdk-8-jre``
-
-
-Maven
-~~~~~
-
-- ``sudo apt-get install maven``
-
-
-Glassfish
-~~~~~~~~~
-
-- ``wget http://download.java.net/glassfish/4.1/release/glassfish-4.1.zip``
-
-- ``unzip glassfish-4.1*zip``
-
-
-PostgreSQL
-~~~~~~~~~~
-
-- ``sudo apt-get install postgresql postgresql-contrib``
-
-
-jq
-~~
-
-- ``sudo apt-get install jq``
-
-
-Curl
-~~~~
-
-- ``sudo apt-get install curl``
-
-
-Recommendations and Dev Environment
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Please visit :doc:`/developers/dev-environment/`
diff --git a/doc/sphinx-guides/source/developers/unf/index.rst b/doc/sphinx-guides/source/developers/unf/index.rst
index 3980909fc0b..dc2f37d0ba9 100644
--- a/doc/sphinx-guides/source/developers/unf/index.rst
+++ b/doc/sphinx-guides/source/developers/unf/index.rst
@@ -1,17 +1,17 @@
 .. _unf:
 
-====================================
+=====================================
 Universal Numerical Fingerprint (UNF)
-====================================
+=====================================
 
 Contents:
 
 .. toctree::
    :maxdepth: 2
 
-  unf-v3
-  unf-v5
-  unf-v6
+   unf-v3
+   unf-v5
+   unf-v6
 
 .. figure:: ./img/unf-diagram.png
     :align: center
diff --git a/doc/sphinx-guides/source/developers/unf/unf-v5.rst b/doc/sphinx-guides/source/developers/unf/unf-v5.rst
index 8606ff06ebc..4fb160c20ea 100644
--- a/doc/sphinx-guides/source/developers/unf/unf-v5.rst
+++ b/doc/sphinx-guides/source/developers/unf/unf-v5.rst
@@ -10,6 +10,3 @@ UNF Version 5
 **To address this, the Project is about to release UNF Version 6. The release date is still being discussed. It may coincide with the release of Dataverse 4.0. Alternatively, the production version of DVN 3.6.3 may get upgraded to use UNF v6 prior to that. This will be announced shortly. In the process, we are solving another problem with UNF v5 - this time we've made an effort to offer very implementer-friendly documentation that describes the algorithm fully and unambiguously. So if you are interested in implementing your own version of a UNF calculator, (something we would like to encourage!) please proceed directly to the Version 6 documentation.**
 
 **Going forward, we are going to offer a preserved version of the Version 5 library and, possibly, an online UNF v5 calculator, for the purposes of validating vectors and data sets for which published Version 5 UNFs exist.**
-
------
-
diff --git a/doc/sphinx-guides/source/developers/windows.rst b/doc/sphinx-guides/source/developers/windows.rst
deleted file mode 100755
index 9ed6f10dcd5..00000000000
--- a/doc/sphinx-guides/source/developers/windows.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-=======
-Windows
-=======
-
-Developers using Windows who have trouble setting up their :doc:`/developers/dev-environment/` should reach out to over Dataverse developers per https://github.com/IQSS/dataverse/blob/master/CONTRIBUTING.md
diff --git a/doc/sphinx-guides/source/index.rst b/doc/sphinx-guides/source/index.rst
index 1c3a88dcdef..8fd7056c032 100755
--- a/doc/sphinx-guides/source/index.rst
+++ b/doc/sphinx-guides/source/index.rst
@@ -3,10 +3,10 @@
    You can adapt this file completely to your liking, but it should at least
    contain the root `toctree` directive.
 
-Dataverse 4.5 Guides
+Dataverse 4.5.1 Guides
 ======================
 
-These guides are for the most recent version of Dataverse. For the guides for **version 4.3.1** please go `here <http://guides.dataverse.org/en/4.3.1/>`_.
+These guides are for the most recent version of Dataverse. For the guides for **version 4.5** please go `here <http://guides.dataverse.org/en/4.5/>`_.
 
 .. toctree::
   :glob:
diff --git a/doc/sphinx-guides/source/installation/administration.rst b/doc/sphinx-guides/source/installation/administration.rst
index 6c665cbb650..59cf11652a3 100644
--- a/doc/sphinx-guides/source/installation/administration.rst
+++ b/doc/sphinx-guides/source/installation/administration.rst
@@ -72,6 +72,17 @@ User Administration
 
 There isn't much in the way of user administration tools built in to Dataverse.
 
+Confirm Email
++++++++++++++
+
+Dataverse encourages builtin/local users to verify their email address upon signup or email change so that sysadmins can be assured that users can be contacted.
+
+The app will send a standard welcome email with a URL the user can click, which, when activated, will store a ``lastconfirmed`` timestamp in the ``authenticateduser`` table of the database. Any time this is "null" for a user (immediately after signup and/or changing of their Dataverse email address), their current email on file is considered to not be verified. The link that is sent expires after a time (the default is 24 hours), but this is configurable by a superuser via the ``:MinutesUntilConfirmEmailTokenExpires`` config option.
+
+Should users' URL token expire, they will see a "Verify Email" button on the account information page to send another URL.
+
+Sysadmins can determine which users have verified their email addresses by looking for the presence of the value ``emailLastConfirmed`` in the JSON output from listing users (see the "Admin" section of the :doc:`/api/native-api`). The email addresses for Shibboleth users are re-confirmed on every login.
+
 Deleting an API Token
 +++++++++++++++++++++
 
diff --git a/doc/sphinx-guides/source/installation/config.rst b/doc/sphinx-guides/source/installation/config.rst
index 142e69ff3e3..2ebed65457f 100644
--- a/doc/sphinx-guides/source/installation/config.rst
+++ b/doc/sphinx-guides/source/installation/config.rst
@@ -90,7 +90,7 @@ Persistent identifiers are a required and integral part of the Dataverse platfor
 
 JVM Options: :ref:`doi.baseurlstring`, :ref:`doi.username`, :ref:`doi.password`
 
-Database Settings: :ref:`:DoiProvider`, :ref:`:Protocol`, :ref:`:Authority`, :ref:`:DoiSeparator`
+Database Settings: :ref:`:DoiProvider <:DoiProvider>`, :ref:`:Protocol <:Protocol>`, :ref:`:Authority <:Authority>`, :ref:`:DoiSeparator <:DoiSeparator>`
 
 Please note that any datasets creating using the test configuration cannot be directly migrated and would need to be created again once a valid DOI namespace is configured.
 
@@ -104,8 +104,9 @@ Once this configuration is complete, your Dataverse installation should be ready
 JVM Options
 -----------
 
-JVM stands Java Virtual Machine and as a Java application, Glassfish can read JVM options when it is started. A number of JVM options are configured by the installer below is a complete list of the Dataverse-specific JVM options. You can inspect the configured options by running ``asadmin list-jvm-options | egrep 'dataverse|doi'
-``.
+JVM stands Java Virtual Machine and as a Java application, Glassfish can read JVM options when it is started. A number of JVM options are configured by the installer below is a complete list of the Dataverse-specific JVM options. You can inspect the configured options by running:
+
+``asadmin list-jvm-options | egrep 'dataverse|doi'``
 
 When changing values these values with ``asadmin``, you'll need to delete the old value before adding a new one, like this:
 
@@ -188,9 +189,11 @@ dataverse.dataAccess.thumbnail.pdf.limit
 
 For limiting the size of thumbnail images generated from files.
 
+.. _doi.baseurlstring:
+
 doi.baseurlstring
 +++++++++++++++++
-.. _doi.baseurlstring:
+
 As of this writing "https://ezid.cdlib.org" and "https://mds.datacite.org" are the only valid values. See also these related database settings below:
 
 - :DoiProvider
@@ -198,14 +201,18 @@ As of this writing "https://ezid.cdlib.org" and "https://mds.datacite.org" are t
 - :Authority
 - :DoiSeparator
 
+.. _doi.username:
+
 doi.username
 ++++++++++++
-.. _doi.username:
+
 Used in conjuction with ``doi.baseurlstring``.
 
+.. _doi.password:
+
 doi.password
 ++++++++++++
-.. _doi.password:
+
 Used in conjuction with ``doi.baseurlstring``.
 
 dataverse.handlenet.admcredfile
@@ -265,30 +272,45 @@ This is the email address that "system" emails are sent from such as password re
 
 ``curl -X PUT -d "Support <support@example.edu>" http://localhost:8080/api/admin/settings/:SystemEmail``
 
+:FooterCopyright
+++++++++++++++++
+
+By default the footer says "Copyright © [YYYY]" but you can add text after the year, as in the example below.
+
+``curl -X PUT -d ", The President &#38; Fellows of Harvard College" http://localhost:8080/api/admin/settings/:FooterCopyright``
+
+.. _:DoiProvider:
+
 :DoiProvider
 ++++++++++++
-.. _:DoiProvider:
+
 As of this writing "EZID" and "DataCite" are the only valid options.
 
 ``curl -X PUT -d EZID http://localhost:8080/api/admin/settings/:DoiProvider``
 
+.. _:Protocol:
+
 :Protocol
 +++++++++
-.. _:Protocol:
+
 As of this writing "doi" is the only valid option for the protocol for a persistent ID.
 
 ``curl -X PUT -d doi http://localhost:8080/api/admin/settings/:Protocol``
 
+.. _:Authority:
+
 :Authority
 ++++++++++
-.. _:Authority:
+
 Use the DOI authority assigned to you by your DoiProvider.
 
 ``curl -X PUT -d 10.xxxx http://localhost:8080/api/admin/settings/:Authority``
 
+.. _:DoiSeparator:
+
 :DoiSeparator
 +++++++++++++
-.. _:DoiSeparator:
+
 It is recommended that you keep this as a slash ("/").
 
 ``curl -X PUT -d "/" http://localhost:8080/api/admin/settings/:DoiSeparator``
@@ -370,7 +392,9 @@ Limit the number of files in a zip that Dataverse will accept.
 :GoogleAnalyticsCode
 ++++++++++++++++++++
 
-For setting up Google Analytics for your Dataverse installation.
+Set your Google Analytics Tracking ID thusly:
+
+``curl -X PUT -d 'trackingID' http://localhost:8080/api/admin/settings/:GoogleAnalyticsCode``
 
 :SolrHostColonPort
 ++++++++++++++++++
@@ -392,7 +416,7 @@ The relative path URL to which users will be sent after signup. The default sett
 The location of your TwoRavens installation.  Activation of TwoRavens also requires the setting below, ``TwoRavensTabularView``
 
 :TwoRavensTabularView
-+++++++++++++++++++
++++++++++++++++++++++
 
 Set ``TwoRavensTabularView`` to true to allow a user to view tabular files via the TwoRavens application. This boolean affects whether a user will see the "Explore" button.
 
@@ -445,6 +469,11 @@ Set ``SearchHighlightFragmentSize`` to override the default value of 100 from ht
 
 Allow for migration of non-conformant data (especially dates) from DVN 3.x to Dataverse 4.
 
+:MinutesUntilConfirmEmailTokenExpires
++++++++++++++++++++++++++++++++++++++
+
+The duration in minutes before "Confirm Email" URLs expire. The default is 1440 minutes (24 hours).  See also :doc:`/installation/administration`.
+
 :ShibEnabled
 ++++++++++++
 
@@ -454,3 +483,21 @@ This setting is experimental per :doc:`/installation/shibboleth`.
 ++++++++++++
 
 Set to false to disallow local accounts to be created if you are using :doc:`shibboleth` but not for production use until https://github.com/IQSS/dataverse/issues/2838 has been fixed.
+
+:PiwikAnalyticsId
+++++++++++++++++++++
+
+Site identifier created in your Piwik instance. Example:
+
+``curl -X PUT -d 42 http://localhost:8080/api/admin/settings/:PiwikAnalyticsId``
+
+:PiwikAnalyticsHost
+++++++++++++++++++++
+
+Host FQDN or URL of your Piwik instance before the ``/piwik.php``. Examples:
+
+``curl -X PUT -d stats.domain.tld http://localhost:8080/api/admin/settings/:PiwikAnalyticsHost``
+
+or
+
+``curl -X PUT -d hostname.domain.tld/stats http://localhost:8080/api/admin/settings/:PiwikAnalyticsHost``
diff --git a/doc/sphinx-guides/source/installation/index.rst b/doc/sphinx-guides/source/installation/index.rst
index ba2992c5ec4..b418370f908 100755
--- a/doc/sphinx-guides/source/installation/index.rst
+++ b/doc/sphinx-guides/source/installation/index.rst
@@ -9,15 +9,13 @@ Installation Guide
 Contents:
 
 .. toctree::
-   :titlesonly:
-   :maxdepth: 2
 
-  intro
-  prep
-  prerequisites
-  installation-main
-  config
-  administration
-  upgrading
-  r-rapache-tworavens
-  shibboleth
+   intro
+   prep
+   prerequisites
+   installation-main
+   config
+   administration
+   upgrading
+   r-rapache-tworavens
+   shibboleth
diff --git a/doc/sphinx-guides/source/installation/installer-script.rst b/doc/sphinx-guides/source/installation/installer-script.rst
deleted file mode 100644
index 72881587917..00000000000
--- a/doc/sphinx-guides/source/installation/installer-script.rst
+++ /dev/null
@@ -1 +0,0 @@
-This content has been moved to :doc:`/installation/installation-main`.
diff --git a/doc/sphinx-guides/source/installation/prerequisites.rst b/doc/sphinx-guides/source/installation/prerequisites.rst
index 9530860dce9..4a30c5b9a12 100644
--- a/doc/sphinx-guides/source/installation/prerequisites.rst
+++ b/doc/sphinx-guides/source/installation/prerequisites.rst
@@ -98,7 +98,7 @@ The standard init script that ships RHEL 6 and similar should work fine. Enable
 
 
 Configuring Database Access for the Dataverse Application (and the Dataverse Installer) 
-=====================================================================================
+=======================================================================================
 
 - The application and the installer script will be connecting to PostgreSQL over TCP/IP, using password authentication. In this section we explain how to configure PostgreSQL to accept these connections.
 
diff --git a/doc/sphinx-guides/source/installation/r-rapache-tworavens.rst b/doc/sphinx-guides/source/installation/r-rapache-tworavens.rst
index 44cd29570b9..a88ffa114d2 100644
--- a/doc/sphinx-guides/source/installation/r-rapache-tworavens.rst
+++ b/doc/sphinx-guides/source/installation/r-rapache-tworavens.rst
@@ -5,8 +5,8 @@ R, rApache and TwoRavens
 Eventually, this document may be split into several parts, dedicated to individual components - 
 such as R, rApache and the TwoRavens applications. Particularly, if the TwoRavens team creates an "official" distribution with their own installation manual. 
 
-0. PREREQUISITS
-+++++++++++++++
+0. PREREQUISITES
+++++++++++++++++
 
 a. httpd (Apache): 
 ------------------
@@ -43,6 +43,13 @@ yum install R R-devel
 
 (EPEL distribution recommended; version 3.* required; 3.1.* recommended as of writing this)
 
+To pick up any needed dependencies, CentOS users may simply install the epel-release RPM.
+
+RHEL users will want to log in to their organization's respective RHN interface, find the particular machine in question and:
+
+• click on "Subscribed Channels: Alter Channel Subscriptions"
+• enable EPEL, Server Extras, Server Optional
+
 c. rApache: 
 -----------
 
@@ -57,19 +64,14 @@ If you are using RHEL/CentOS 7, you can `download an experimental rapache-1.2.7-
 
 	rpm -ivh rapache-1.2.7-rpm0.x86_64.rpm
 
-d. Install libcurl-devel:
--------------------------
-
-(provides /usr/bin/curl-config, needed by some 3rd-party R packages; package installation *will fail silently* if it's not found!): 
-
-``yum install libcurl-devel``
+d. Install system depencies:
+----------------------------
 
-Make sure you have the standard GNU compilers installed (needed for 3rd-party R packages to build themselves). 
+The r-setup.sh script launches child processes which log to RINSTALL.* files. Once the script exits, search these files for the word "error" and be sure to install any missing dependencies and run the script again. At present, at minimum it needs:
 
-**Update**: As of Aug. 4 2015, it appears the following rpms had to be installed: 
+``yum install libcurl-devel openssl-devel libxml2-devel ed libX11-devel libpng-devel mesa-libGL-devel mesa-libGLU-devel libpqxx-devel``
 
-``yum install openssl-devel``
-``yum install xml2-devel``
+Make sure you have the standard GNU compilers installed (needed for 3rd-party R packages to build themselves). CentOS 6 users will need gcc-fortran 4.6 or greater, available from the CentOS devtools repo. 
 
 Again, without these rpms, R package devtools was failing to install, silently or with a non-informative error message. 
 Note: this package ``devtools`` has proven to be very flaky; it is being very actively maintained, new dependencies are being constantly added and new bugs introduced... however, it is only needed to install the package ``Zelig``, the main R workhorse behind TwoRavens. It cannot be installed from CRAN, like all the other 3rd party packages we use - becase TwoRavens requires version 5, which is still in beta. So devtools is needed to build it from sources downloaded directly from github. Once Zelig 5 is released, we'll be able to drop the requirement for devtools - and that will make this process much simpler. For now, be prepared for it to be somewhat of an adventure. 
@@ -82,7 +84,7 @@ R is used both by the Dataverse application, directly, and the TwoRavens compani
 
 Two distinct interfaces are used to access R: Dataverse uses Rserve; and TwoRavens sends jobs to R running under rApache using Rook interface. 
 
-We provide a shell script (``conf/R/r-setup.sh`` in the Dataverse source tree; you will need the other 3 files in that directory as well - `https://github.com/IQSS/dataverse/conf/R/ <https://github.com/IQSS/dataverseconf/R/>`__) that will attempt to install the required 3rd party packages; it will also configure Rserve and rserve user. rApache configuration will be addressed in its own section.
+We provide a shell script (``conf/R/r-setup.sh`` in the Dataverse source tree; you will need the other 3 files in that directory as well - `https://github.com/IQSS/dataverse/tree/master/conf/R <https://github.com/IQSS/dataverse/tree/master/conf/R>`__) that will attempt to install the required 3rd party packages; it will also configure Rserve and rserve user. rApache configuration will be addressed in its own section.
 
 The script will attempt to download the packages from CRAN (or a mirror) and GitHub, so the system must have access to the internet. On a server fully firewalled from the world, packages can be installed from downloaded sources. This is left as an exercise for the reader. Consult the script for insight.
 
@@ -192,7 +194,7 @@ Note that some of these packages have their own dependencies, and additional ins
 install.pl script:
 ++++++++++++++++++
 
-I. Configure the TwoRavens web (Javascript) application.
+I. Configure the TwoRavens web (Javascript) application
 -------------------------------------------------------
 
 Edit the file ``/var/www/html/dataexplore/app_ddi.js``.
diff --git a/doc/sphinx-guides/source/user/data-exploration/index.rst b/doc/sphinx-guides/source/user/data-exploration/index.rst
index b6be872249c..708f774bb46 100755
--- a/doc/sphinx-guides/source/user/data-exploration/index.rst
+++ b/doc/sphinx-guides/source/user/data-exploration/index.rst
@@ -9,10 +9,6 @@ Data Exploration Guide
 Contents:
 
 .. toctree::
-   :titlesonly:
-   :maxdepth: 2
-
-  tworavens
-  worldmap
-
 
+   tworavens
+   worldmap
diff --git a/doc/sphinx-guides/source/user/dataset-management.rst b/doc/sphinx-guides/source/user/dataset-management.rst
index 0a6200583e5..d0259286af9 100755
--- a/doc/sphinx-guides/source/user/dataset-management.rst
+++ b/doc/sphinx-guides/source/user/dataset-management.rst
@@ -89,8 +89,8 @@ For example, if these files were included within a .zip, the “Map Data” butt
 * subway_line.dbf
 
 Once you publish your dataset with your shape files, you will be able to use the "Map Data" button using `GeoConnect <https://github.com/IQSS/geoconnect>`_ to visualize and manipulate these files
-for users to Explore this geospatial data using the `WorldMap <http://worldmap.harvard.edu/>`_ interface.
-Please note: In order to map your data file, a copy will be sent to Harvard's `WorldMap <http://worldmap.harvard.edu/>`_ platform. You have the ability to delete any maps, and associated data, from the Harvard WorldMap platform, at any time.
+for users to Explore this geospatial data using the `WorldMap <http://worldmap.harvard.edu/>`__ interface.
+Please note: In order to map your data file, a copy will be sent to Harvard's `WorldMap <http://worldmap.harvard.edu/>`__ platform. You have the ability to delete any maps, and associated data, from the Harvard WorldMap platform, at any time.
 
 Astronomy (FITS)
 --------------------
@@ -222,7 +222,7 @@ The file permissions page has two sections: Users/Groups and Files.
 
 To give someone access to your restricted files, click on the Grant Access to Users/Groups button in the Users/Groups section. 
 
-.. _widgets:
+.. _dataset-widgets:
 
 Widgets
 =============================
@@ -310,7 +310,8 @@ a file, your dataset will automatically be bumped up to a major version (example
 
 |image3|
 
-**Dataset Versions Tab**
+Version Details
+-------------------------------------
 
 To view what has exactly changed starting from the originally published version to any subsequent published versions: click on the Versions tab on the dataset page to see all versions and changes made for that particular dataset. Once you have more than one version (can be version 1 and a draft), you can click the Show Details link in the Versions tab to learn more about the metadata fields and files that were either added or edited. 
 
@@ -334,6 +335,6 @@ If you deaccession the most recently published version of the dataset but not al
    :class: img-responsive
 .. |image2| image:: ./img/data-download.png
    :class: img-responsive
-.. |image3| image:: http://static.projects.iq.harvard.edu/files/styles/os_files_xxlarge/public/datascience/files/data_publishing_version_workflow.png?itok=8Z0PM-QC
+.. |image3| image:: ./img/data_publishing_version_workflow.png
    :class: img-responsive
 
diff --git a/doc/sphinx-guides/source/user/dataverse-management.rst b/doc/sphinx-guides/source/user/dataverse-management.rst
index 6d45a055ecf..bac42305119 100755
--- a/doc/sphinx-guides/source/user/dataverse-management.rst
+++ b/doc/sphinx-guides/source/user/dataverse-management.rst
@@ -35,12 +35,13 @@ Edit Dataverse
 To edit your dataverse, navigate to your dataverse homepage and select the "Edit Dataverse" button, 
 where you will be presented with the following editing options: 
 
-- :ref:`General Information <general-information>` : edit name, identifier, category, contact email, affiliation, description, Metadata Elements, and facets for your dataverse.
-- :ref:`Theme + Widgets <theme-widgets>` : upload a logo for your dataverse, add a link to your department or personal website, and select colors for your dataverse in order to brand it. Also, you can get code to add to your website to have your dataverse display on it.
-- :ref:`Permissions <dataverse-permissions>` : give Dataverse users permissions to your dataverse, i.e.-can edit datasets, and see which users already have which permissions for your dataverse
-- :ref:`Dataset Templates <dataset-templates>` : these are useful when you have several datasets that have the same information in multiple metadata fields that you would prefer not to have to keep manually typing in
-- :ref:`Dataset Guestbooks <dataset-guestbooks>` : allows you to collect data about who is downloading the files from your datasets
-- :ref:`Featured Dataverses <featured-dataverses>` : if you have one or more dataverses, you can use this option to show them at the top of your dataverse page to help others easily find interesting or important dataverses
+- :ref:`General Information <general-information>`: edit name, identifier, category, contact email, affiliation, description, Metadata Elements, and facets for your dataverse
+- :ref:`Theme <theme>`: upload a logo for your dataverse, add a link to your department or personal website, and select colors for your dataverse in order to brand it
+- :ref:`Widgets <dataverse-widgets>`: get code to add to your website to have your dataverse display on it
+- :ref:`Permissions <dataverse-permissions>`: give Dataverse users permissions to your dataverse, i.e.-can edit datasets, and see which users already have which permissions for your dataverse
+- :ref:`Dataset Templates <dataset-templates>`: these are useful when you have several datasets that have the same information in multiple metadata fields that you would prefer not to have to keep manually typing in
+- :ref:`Dataset Guestbooks <dataset-guestbooks>`: allows you to collect data about who is downloading the files from your datasets
+- :ref:`Featured Dataverses <featured-dataverses>`: if you have one or more dataverses, you can use this option to show them at the top of your dataverse page to help others easily find interesting or important dataverses
 - **Delete Dataverse**: you are able to delete your dataverse as long as it is not published and does not have any draft datasets 
 
 .. _general-information:
@@ -52,14 +53,14 @@ The General Information page is how you edit the information you filled in while
 
 Tip: The metadata fields you select as required, will appear on the Create Dataset form when someone goes to add a dataset to the dataverse. 
 
-.. _widgets:
+.. _theme:
 
 Theme 
 ====================================================
 
 The Theme feature provides you with a way to customize the look of your dataverse. You can decide either to use the customization from the dataverse above yours or upload your own image file. Supported image types are JPEG, TIFF, or PNG and should be no larger than 500 KB. The maximum display size for an image file in a dataverse's theme is 940 pixels wide by 120 pixels high. Additionally, you can select the colors for the header of your dataverse and the text that appears in your dataverse. You can also add a link to your personal website, the website for your organization or institution, your department, journal, etc.
 
-.. _widgets:
+.. _dataverse-widgets:
 
 Widgets
 =================================================
diff --git a/doc/sphinx-guides/source/user/img/data_publishing_version_workflow.png b/doc/sphinx-guides/source/user/img/data_publishing_version_workflow.png
new file mode 100644
index 00000000000..6ef11f31750
Binary files /dev/null and b/doc/sphinx-guides/source/user/img/data_publishing_version_workflow.png differ
diff --git a/doc/sphinx-guides/source/user/index.rst b/doc/sphinx-guides/source/user/index.rst
index 604ad4c2071..9d231cb5f6d 100755
--- a/doc/sphinx-guides/source/user/index.rst
+++ b/doc/sphinx-guides/source/user/index.rst
@@ -9,12 +9,11 @@ User Guide
 Contents:
 
 .. toctree::
-   :maxdepth: 2
 
-  account
-  find-use-data
-  dataverse-management
-  dataset-management
-  tabulardataingest/index
-  data-exploration/index
-  appendix
+   account
+   find-use-data
+   dataverse-management
+   dataset-management
+   tabulardataingest/index
+   data-exploration/index
+   appendix
diff --git a/doc/sphinx-guides/source/user/super-user.rst b/doc/sphinx-guides/source/user/super-user.rst
deleted file mode 100755
index 3586d0ea827..00000000000
--- a/doc/sphinx-guides/source/user/super-user.rst
+++ /dev/null
@@ -1,6 +0,0 @@
-Super User
-+++++++++++++++++++++++
-
-[Note: Documentation to be added about features available for super admins of 
-the Dataverse, which provides several options for configuring and
-customizing your application.] 
diff --git a/doc/sphinx-guides/source/user/tabulardataingest/index.rst b/doc/sphinx-guides/source/user/tabulardataingest/index.rst
index 0ca316502e7..a190710bdab 100755
--- a/doc/sphinx-guides/source/user/tabulardataingest/index.rst
+++ b/doc/sphinx-guides/source/user/tabulardataingest/index.rst
@@ -9,15 +9,11 @@ Tabular Data File Ingest
 Contents:
 
 .. toctree::
-   :titlesonly:
-   :maxdepth: 2
-
-  supportedformats
-  ingestprocess
-  spss
-  stata
-  rdata
-  excel
-  csv
-
 
+   supportedformats
+   ingestprocess
+   spss
+   stata
+   rdata
+   excel
+   csv
diff --git a/doc/sphinx-guides/source/user/tabulardataingest/rdata.rst b/doc/sphinx-guides/source/user/tabulardataingest/rdata.rst
index b5d9311d603..ae2cc6cf7fe 100644
--- a/doc/sphinx-guides/source/user/tabulardataingest/rdata.rst
+++ b/doc/sphinx-guides/source/user/tabulardataingest/rdata.rst
@@ -92,10 +92,10 @@ the latter reserved for longer, descriptive text.
 With variables ingested from R data frames the variable name will be
 used for both the "name" and the "label".
 
-| *Optional R packages exist for providing descriptive variable labels;
- in one of the future versions support may be added for such a
- mechanism. It would of course work only for R files that were
- created with such optional packages*.
+*Optional R packages exist for providing descriptive variable labels;
+in one of the future versions support may be added for such a
+mechanism. It would of course work only for R files that were
+created with such optional packages*.
 
 Similarly, R categorical values (factors) lack descriptive labels too.
 **Note:** This is potentially confusing, since R factors do
@@ -132,7 +132,7 @@ value: unless the time zone was explicitly defined, R will adjust the
 value to the current time zone. The resulting behavior is often
 counter-intuitive: if you create a time value, for example:
 
-		   timevalue<-as.POSIXct("03/19/2013 12:57:00", format = "%m/%d/%Y %H:%M:%OS");
+``timevalue<-as.POSIXct("03/19/2013 12:57:00", format = "%m/%d/%Y %H:%M:%OS");``
 
 on a computer configured for the San Francisco time zone, the value
 will be differently displayed on computers in different time zones;
@@ -143,9 +143,11 @@ If it is important that the values are always displayed the same way,
 regardless of the current time zones, it is recommended that the time
 zone is explicitly defined. For example: 
 
-     attr(timevalue,"tzone")<-"PST"
+``attr(timevalue,"tzone")<-"PST"``
+
 or 
-   timevalue<-as.POSIXct("03/19/2013 12:57:00", format = "%m/%d/%Y %H:%M:%OS", tz="PST");
+
+``timevalue<-as.POSIXct("03/19/2013 12:57:00", format = "%m/%d/%Y %H:%M:%OS", tz="PST");``
 
 Now the value will always be displayed as "15:57 PST", regardless of
 the time zone that is current for the OS ... **BUT ONLY** if the OS
@@ -189,7 +191,7 @@ wasn't defined explicitly, it implicitly becomes a time value in the
 "UTC" zone!), this means that it is **impossible** to have 2 time
 value vectors, in Stata/SPSS and R, that produce the same UNF.
 
-| **A pro tip:** if it is important to produce SPSS/Stata and R versions of
+**A pro tip:** if it is important to produce SPSS/Stata and R versions of
 the same data set that result in the same UNF when ingested, you may
 define the time variables as **strings** in the R data frame, and use
 the "YYYY-MM-DD HH:mm:ss" formatting notation. This is the formatting used by the UNF
@@ -198,4 +200,4 @@ the same UNF as the vector of the same time values in Stata.
 
 Note: date values (dates only, without time) should be handled the
 exact same way as those in SPSS and Stata, and should produce the same
-UNFs.
\ No newline at end of file
+UNFs.
diff --git a/doc/sphinx-guides/source/user/tabulardataingest/stata.rst b/doc/sphinx-guides/source/user/tabulardataingest/stata.rst
new file mode 100644
index 00000000000..764bc815a2f
--- /dev/null
+++ b/doc/sphinx-guides/source/user/tabulardataingest/stata.rst
@@ -0,0 +1,9 @@
+Stata
+++++++++
+
+Of all the third party statistical software providers, Stata does the best job at documenting the internal format of their files, by far. And at making that documentation freely and easily available to developers (yes, we are looking at you, SPSS). Because of that, Stata is the best supported format for tabular data ingest.  
+
+
+**New in Dataverse 4.0:** support for Stata v.13 has been added.
+
+
diff --git a/doc/sphinx_bootstrap_theme/bootstrap/layout.html b/doc/sphinx_bootstrap_theme/bootstrap/layout.html
index 3478e807b30..2193b142bb9 100755
--- a/doc/sphinx_bootstrap_theme/bootstrap/layout.html
+++ b/doc/sphinx_bootstrap_theme/bootstrap/layout.html
@@ -133,7 +133,7 @@
       {%- if hasdoc('copyright') %}
         {% trans path=pathto('copyright'), copyright=copyright|e %}&copy; <a href="{{ path }}">Copyright</a> {{ copyright }}.{% endtrans %}<br/>
       {%- else %}
-        {% trans copyright=copyright|e %}<a href="http://datascience.iq.harvard.edu/" target="_blank">Data Science</a> at <a href="http://www.iq.harvard.edu/" target="_blank">The Institute for Quantitative Social Science</a>  &nbsp;|&nbsp;  Code available at <a href="https://github.com/IQSS/dataverse" title="Dataverse on GitHub" target="_blank"><img src="_static/images/githubicon.png" width="20" alt="Dataverse on GitHub"/></a> &nbsp;|&nbsp; Created using <a href="http://sphinx.pocoo.org/" target="_blank">Sphinx</a> {{ sphinx_version }}<br/>Version {{ version }} &nbsp;|&nbsp; Last updated on {{ last_updated }}<br/>&copy; Copyright {{ copyright }} {% endtrans %}<br/>
+        {% trans copyright=copyright|e %}<a href="http://datascience.iq.harvard.edu/" target="_blank">Data Science</a> at <a href="http://www.iq.harvard.edu/" target="_blank">The Institute for Quantitative Social Science</a>  &nbsp;|&nbsp;  Code available at <a href="https://github.com/IQSS/dataverse" title="Dataverse on GitHub" target="_blank"><img src="/en/latest/_static/images/githubicon.png" width="20" alt="Dataverse on GitHub"/></a> &nbsp;|&nbsp; Created using <a href="http://sphinx.pocoo.org/" target="_blank">Sphinx</a> {{ sphinx_version }}<br/>Version {{ version }} &nbsp;|&nbsp; Last updated on {{ last_updated }}<br/>&copy; Copyright {{ copyright }} {% endtrans %}<br/>
       {%- endif %}
     {%- endif %}
     </p>
diff --git a/doc/sphinx_bootstrap_theme/bootstrap/static/images/githubicon.png b/doc/sphinx_bootstrap_theme/bootstrap/static/images/githubicon.png
index 468574c26a9..65581c832f1 100644
Binary files a/doc/sphinx_bootstrap_theme/bootstrap/static/images/githubicon.png and b/doc/sphinx_bootstrap_theme/bootstrap/static/images/githubicon.png differ
diff --git a/pom.xml b/pom.xml
index 56edef4f9d8..7812b866812 100644
--- a/pom.xml
+++ b/pom.xml
@@ -4,7 +4,7 @@
 
     <groupId>edu.harvard.iq</groupId>
     <artifactId>dataverse</artifactId>
-    <version>4.5</version>
+    <version>4.5.1</version>
     <packaging>war</packaging>
 
     <name>dataverse</name>
@@ -41,7 +41,7 @@
         </repository>
         <repository>
             <id>dataone.org</id>
-            <url>http://dev-testing.dataone.org/maven</url>
+            <url>http://maven.dataone.org</url>
             <releases>
                 <enabled>true</enabled>
             </releases>
diff --git a/scripts/api/data/ipGroup-all-ipv4.json b/scripts/api/data/ipGroup-all-ipv4.json
new file mode 100644
index 00000000000..c5ff32def44
--- /dev/null
+++ b/scripts/api/data/ipGroup-all-ipv4.json
@@ -0,0 +1,5 @@
+{
+  "alias":"all-ipv4",
+  "name":"IP group to match all IPv4 addresses",
+  "ranges" : [["0.0.0.0", "255.255.255.255"]]
+}
diff --git a/scripts/api/data/ipGroup3.json b/scripts/api/data/ipGroup-all.json
similarity index 100%
rename from scripts/api/data/ipGroup3.json
rename to scripts/api/data/ipGroup-all.json
diff --git a/scripts/api/data/ipGroup-localhost.json b/scripts/api/data/ipGroup-localhost.json
index 4a5f7facfef..4f8d2f708b2 100644
--- a/scripts/api/data/ipGroup-localhost.json
+++ b/scripts/api/data/ipGroup-localhost.json
@@ -1,6 +1,5 @@
 {
   "alias":"localhost",
   "name":"Localhost connections",
-  "ranges" : [["127.0.0.1", "127.0.0.1"],
-              ["::1", "::1"]]
+  "addresses": [ "::1", "127.0.0.1" ]
 }
diff --git a/scripts/api/data/ipGroup-single-IPv4.json b/scripts/api/data/ipGroup-single-IPv4.json
new file mode 100644
index 00000000000..515c512bcd1
--- /dev/null
+++ b/scripts/api/data/ipGroup-single-IPv4.json
@@ -0,0 +1,5 @@
+{
+  "alias":"singleIPv4",
+  "name":"Single IPv4",
+  "addresses" : ["128.0.0.7"]
+}
diff --git a/scripts/api/data/ipGroup-single-IPv6.json b/scripts/api/data/ipGroup-single-IPv6.json
new file mode 100644
index 00000000000..73eaa8e60a1
--- /dev/null
+++ b/scripts/api/data/ipGroup-single-IPv6.json
@@ -0,0 +1,5 @@
+{
+  "alias":"singleIPv6",
+  "name":"Single IPv6",
+  "addresses" : ["aa:bb:cc:dd:ee:ff::1"]
+}
diff --git a/scripts/api/data/ipGroupDuplicate-v1.json b/scripts/api/data/ipGroupDuplicate-v1.json
new file mode 100644
index 00000000000..eda0c8eb49b
--- /dev/null
+++ b/scripts/api/data/ipGroupDuplicate-v1.json
@@ -0,0 +1,7 @@
+{
+  "alias":"ipGroup-dup",
+  "name":"IP Group with duplicate files (1)",
+  "description":"This is the FIRST version of the group",
+  "ranges" : [["60.0.0.0", "60.0.0.255"],
+              ["60::1", "60::ffff"]]
+}
diff --git a/scripts/api/data/ipGroupDuplicate-v2.json b/scripts/api/data/ipGroupDuplicate-v2.json
new file mode 100644
index 00000000000..8db88e97fe7
--- /dev/null
+++ b/scripts/api/data/ipGroupDuplicate-v2.json
@@ -0,0 +1,7 @@
+{
+  "alias":"ipGroup-dup",
+  "name":"IP Group with duplicate files-v2",
+  "description":"This is the second version of the group",
+  "ranges" : [["70.0.0.0", "70.0.0.255"],
+              ["70::1", "70::ffff"]]
+}
diff --git a/scripts/api/setup-optional-harvard.sh b/scripts/api/setup-optional-harvard.sh
index 52caa31c1e0..3433e823014 100755
--- a/scripts/api/setup-optional-harvard.sh
+++ b/scripts/api/setup-optional-harvard.sh
@@ -22,6 +22,7 @@ curl -s -X PUT -d true "$SERVER/admin/settings/:GeoconnectCreateEditMaps"
 curl -s -X PUT -d true "$SERVER/admin/settings/:GeoconnectViewMaps"
 echo  "- Setting system email"
 curl -X PUT -d "Dataverse Support <support@dataverse.org>" http://localhost:8080/api/admin/settings/:SystemEmail
+curl -X PUT -d ", The President &#38; Fellows of Harvard College" http://localhost:8080/api/admin/settings/:FooterCopyright
 echo "- Setting up the Harvard Shibboleth institutional group"
 curl -s -X POST -H 'Content-type:application/json' --upload-file data/shibGroupHarvard.json "$SERVER/admin/groups/shib?key=$adminKey"
 echo
diff --git a/scripts/database/upgrades/upgrade_v4.5_to_v4.5.1.sql b/scripts/database/upgrades/upgrade_v4.5_to_v4.5.1.sql
new file mode 100644
index 00000000000..6296fca8a5f
--- /dev/null
+++ b/scripts/database/upgrades/upgrade_v4.5_to_v4.5.1.sql
@@ -0,0 +1 @@
+ALTER TABLE authenticateduser ADD COLUMN emailconfirmed timestamp without time zone;
diff --git a/scripts/deploy/apitest.dataverse.org/deploy b/scripts/deploy/apitest.dataverse.org/deploy
deleted file mode 100755
index bf27864daaf..00000000000
--- a/scripts/deploy/apitest.dataverse.org/deploy
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-scripts/deploy/apitest.dataverse.org/prep
-sudo /home/jenkins/dataverse/scripts/deploy/apitest.dataverse.org/rebuild
-scripts/deploy/apitest.dataverse.org/post
diff --git a/scripts/deploy/apitest.dataverse.org/dv-root.json b/scripts/deploy/apitest.dataverse.org/dv-root.json
deleted file mode 100644
index 8d0b4ecab19..00000000000
--- a/scripts/deploy/apitest.dataverse.org/dv-root.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  "alias": "root",
-  "name": "API Test",
-  "permissionRoot": false,
-  "facetRoot": true,
-  "description": "Welcome! This is a playground for Dataverse API users. (Data will be deleted periodically.) Please see <a href=\"http://guides.dataverse.org/en/latest/api\">http://guides.dataverse.org/en/latest/api</a> to get started and <a href=\"http://community.dataverse.org/community-groups/api.html\">http://community.dataverse.org/community-groups/api.html</a> to join the community!",
-  "dataverseSubjects": [
-      "Other"
-  ],
-  "dataverseContacts": [
-    {
-      "contactEmail": "root@mailinator.com"
-}
-  ]
-}
diff --git a/scripts/deploy/apitest.dataverse.org/post b/scripts/deploy/apitest.dataverse.org/post
deleted file mode 100755
index 9b29be3a408..00000000000
--- a/scripts/deploy/apitest.dataverse.org/post
+++ /dev/null
@@ -1,13 +0,0 @@
-#/bin/sh
-cd scripts/api
-./setup-all.sh | tee /tmp/setup-all.sh.out
-cd ../..
-psql -U dvnapp dvndb -f scripts/database/reference_data.sql
-scripts/search/tests/publish-dataverse-root
-git checkout scripts/api/data/dv-root.json
-scripts/search/tests/grant-authusers-add-on-root
-scripts/search/populate-users
-scripts/search/create-users
-scripts/search/tests/create-all-and-test
-scripts/search/tests/publish-spruce1-and-test
-java -jar downloads/schemaSpy_5.0.0.jar -t pgsql -host localhost -db dvndb -u postgres -p secret -s public -dp scripts/installer/pgdriver/postgresql-9.1-902.jdbc4.jar -o /usr/local/glassfish4/glassfish/domains/domain1/docroot/guides/developers/database/schemaspy
diff --git a/scripts/deploy/apitest.dataverse.org/prep b/scripts/deploy/apitest.dataverse.org/prep
deleted file mode 100755
index b7c181357b2..00000000000
--- a/scripts/deploy/apitest.dataverse.org/prep
+++ /dev/null
@@ -1,2 +0,0 @@
-#/bin/bash -x
-cp scripts/deploy/apitest.dataverse.org/dv-root.json scripts/api/data/dv-root.json
diff --git a/scripts/deploy/apitest.dataverse.org/rebuild b/scripts/deploy/apitest.dataverse.org/rebuild
deleted file mode 100755
index aca38a56ab4..00000000000
--- a/scripts/deploy/apitest.dataverse.org/rebuild
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/sh
-/usr/local/glassfish4/glassfish/bin/asadmin undeploy dataverse-4.0
-/usr/local/glassfish4/glassfish/bin/asadmin stop-domain
-rm -rf /usr/local/glassfish4/glassfish/domains/domain1/files
-psql -U dvnapp -c 'DROP DATABASE "dvndb"' template1
-echo $?
-curl http://localhost:8983/solr/update/json?commit=true -H "Content-type: application/json" -X POST -d "{\"delete\": { \"query\":\"*:*\"}}"
-psql -U dvnapp -c 'CREATE DATABASE "dvndb" WITH OWNER = "dvnapp"' template1
-echo $?
-/usr/local/glassfish4/glassfish/bin/asadmin start-domain
-/usr/local/glassfish4/glassfish/bin/asadmin deploy /tmp/dataverse-4.0.war
diff --git a/scripts/deploy/apitest.dataverse.org/cert.md b/scripts/deploy/phoenix.dataverse.org/cert.md
similarity index 67%
rename from scripts/deploy/apitest.dataverse.org/cert.md
rename to scripts/deploy/phoenix.dataverse.org/cert.md
index 3b8084825d5..d68910fa15c 100644
--- a/scripts/deploy/apitest.dataverse.org/cert.md
+++ b/scripts/deploy/phoenix.dataverse.org/cert.md
@@ -1,13 +1,13 @@
 Note that `-sha256` is used but the important thing is making sure SHA-1 is not selected when uploading the CSR to https://cert-manager.com/customer/InCommon
 
-    openssl genrsa -out apitest.dataverse.org.key 2048
+    openssl genrsa -out phoenix.dataverse.org.key 2048
 
-    openssl req -new -sha256 -key apitest.dataverse.org.key -out apitest.dataverse.org.csr
+    openssl req -new -sha256 -key phoenix.dataverse.org.key -out phoenix.dataverse.org.csr
 
     Country Name (2 letter code) [XX]:US
     State or Province Name (full name) []:Massachusetts
     Locality Name (eg, city) [Default City]:Cambridge
     Organization Name (eg, company) [Default Company Ltd]:Harvard College
     Organizational Unit Name (eg, section) []:IQSS
-    Common Name (eg, your name or your server's hostname) []:apitest.dataverse.org
+    Common Name (eg, your name or your server's hostname) []:phoenix.dataverse.org
     Email Address []:support@dataverse.org
diff --git a/scripts/deploy/phoenix.dataverse.org/rebuild b/scripts/deploy/phoenix.dataverse.org/rebuild
index b59a46f4466..ca92ef59b9e 100755
--- a/scripts/deploy/phoenix.dataverse.org/rebuild
+++ b/scripts/deploy/phoenix.dataverse.org/rebuild
@@ -5,6 +5,8 @@ OLD_WAR=$(echo $LIST_APP | awk '{print $1}')
 NEW_WAR=/tmp/dataverse.war
 /usr/local/glassfish4/glassfish/bin/asadmin undeploy $OLD_WAR
 /usr/local/glassfish4/glassfish/bin/asadmin stop-domain
+# blow away "generated" directory to avoid EJB Timer Service is not available" https://github.com/IQSS/dataverse/issues/3336
+rm -rf /usr/local/glassfish4/glassfish/domains/domain1/generated
 rm -rf /usr/local/glassfish4/glassfish/domains/domain1/files
 #psql -U postgres -c "CREATE ROLE dvnapp UNENCRYPTED PASSWORD 'secret' SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN" template1
 psql -U dvnapp -c 'DROP DATABASE "dvndb"' template1
diff --git a/scripts/issues/1380/01-add.localhost.sh b/scripts/issues/1380/01-add.localhost.sh
new file mode 100755
index 00000000000..331011d5fa2
--- /dev/null
+++ b/scripts/issues/1380/01-add.localhost.sh
@@ -0,0 +1,2 @@
+# Add the localhost group to the system.
+curl -X POST -H"Content-Type:application/json" -d@../../api/data/ipGroup-localhost.json  localhost:8080/api/admin/groups/ip
diff --git a/scripts/issues/1380/02-build-dv-structure.sh b/scripts/issues/1380/02-build-dv-structure.sh
new file mode 100755
index 00000000000..f0936e3cf69
--- /dev/null
+++ b/scripts/issues/1380/02-build-dv-structure.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+echo Run this after running setup-users.sh, and making Pete an
+echo admin on the root dataverse.
+
+
+PETE=$(grep :result: users.out | grep Pete | cut -f4 -d: | tr -d \ )
+UMA=$(grep :result: users.out | grep Uma | cut -f4 -d: | tr -d \ )
+
+pushd ../../api
+./setup-dvs.sh $PETE $UMA
+popd
diff --git a/scripts/issues/1380/add-ip-group.sh b/scripts/issues/1380/add-ip-group.sh
new file mode 100755
index 00000000000..2fba944807c
--- /dev/null
+++ b/scripts/issues/1380/add-ip-group.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Add the passed group to the system.
+curl -X POST -H"Content-Type:application/json" -d@../../api/data/$1  localhost:8080/api/admin/groups/ip
diff --git a/scripts/issues/1380/add-user b/scripts/issues/1380/add-user
new file mode 100755
index 00000000000..1781181bb79
--- /dev/null
+++ b/scripts/issues/1380/add-user
@@ -0,0 +1,3 @@
+#!/bin/bash
+# add-user dv group user api-token
+curl -H "Content-type:application/json" -X POST -d"[$3]" localhost:8080/api/dataverses/$1/groups/$2/roleAssignees?key=$4
diff --git a/scripts/issues/1380/data/3-eg1.json b/scripts/issues/1380/data/3-eg1.json
new file mode 100644
index 00000000000..a874d69a2e8
--- /dev/null
+++ b/scripts/issues/1380/data/3-eg1.json
@@ -0,0 +1 @@
+["&explicit/3-eg1"]
diff --git a/scripts/issues/1380/data/guest.json b/scripts/issues/1380/data/guest.json
new file mode 100644
index 00000000000..3e4188a7167
--- /dev/null
+++ b/scripts/issues/1380/data/guest.json
@@ -0,0 +1 @@
+[":guest"]
diff --git a/scripts/issues/1380/data/locals.json b/scripts/issues/1380/data/locals.json
new file mode 100644
index 00000000000..8bb5e3e4162
--- /dev/null
+++ b/scripts/issues/1380/data/locals.json
@@ -0,0 +1 @@
+["&ip/localhost"]
diff --git a/scripts/issues/1380/data/pete.json b/scripts/issues/1380/data/pete.json
new file mode 100644
index 00000000000..298e813d2bc
--- /dev/null
+++ b/scripts/issues/1380/data/pete.json
@@ -0,0 +1 @@
+["@pete"]
diff --git a/scripts/issues/1380/data/uma.json b/scripts/issues/1380/data/uma.json
new file mode 100644
index 00000000000..3caf8c5c9cc
--- /dev/null
+++ b/scripts/issues/1380/data/uma.json
@@ -0,0 +1 @@
+["@uma"]
diff --git a/scripts/issues/1380/db-list-dvs b/scripts/issues/1380/db-list-dvs
new file mode 100755
index 00000000000..4161f7fdd03
--- /dev/null
+++ b/scripts/issues/1380/db-list-dvs
@@ -0,0 +1 @@
+psql dvndb -c "select dvobject.id, name, alias, owner_id from dvobject inner join dataverse on dvobject.id = dataverse.id"
diff --git a/scripts/issues/1380/delete-ip-group b/scripts/issues/1380/delete-ip-group
new file mode 100755
index 00000000000..b6138d95024
--- /dev/null
+++ b/scripts/issues/1380/delete-ip-group
@@ -0,0 +1,9 @@
+#/bin/bahx
+if [ $# -eq 0 ]
+  then
+    echo "Please provide IP group id"
+    echo "e.g $0 845"
+    exit 1
+fi
+
+curl -X DELETE http://localhost:8080/api/admin/groups/ip/$1
diff --git a/scripts/issues/1380/dvs.gv b/scripts/issues/1380/dvs.gv
new file mode 100644
index 00000000000..526066000a2
--- /dev/null
+++ b/scripts/issues/1380/dvs.gv
@@ -0,0 +1,19 @@
+digraph {
+d1[label="Root"]
+d2[label="Top dataverse of Pete"]
+d3[label="Pete's public place"]
+d4[label="Pete's restricted data"]
+d5[label="Pete's secrets"]
+d6[label="Top dataverse of Uma"]
+d7[label="Uma's first"]
+d8[label="Uma's restricted"]
+
+d1 -> d2
+d2 -> d3
+d2 -> d4
+d2 -> d5
+d1 -> d6
+d6 -> d7
+d6 -> d8
+
+}
diff --git a/scripts/issues/1380/dvs.pdf b/scripts/issues/1380/dvs.pdf
new file mode 100644
index 00000000000..5169f449420
Binary files /dev/null and b/scripts/issues/1380/dvs.pdf differ
diff --git a/scripts/issues/1380/explicitGroup1.json b/scripts/issues/1380/explicitGroup1.json
new file mode 100644
index 00000000000..337a0b62dcb
--- /dev/null
+++ b/scripts/issues/1380/explicitGroup1.json
@@ -0,0 +1,5 @@
+{
+ "description":"Sample Explicit Group",
+ "displayName":"Close Collaborators",
+ "aliasInOwner":"eg1"
+}
diff --git a/scripts/issues/1380/explicitGroup2.json b/scripts/issues/1380/explicitGroup2.json
new file mode 100644
index 00000000000..fbac263665c
--- /dev/null
+++ b/scripts/issues/1380/explicitGroup2.json
@@ -0,0 +1,5 @@
+{
+ "description":"Sample Explicit Group",
+ "displayName":"Not-So-Close Collaborators",
+ "aliasInOwner":"eg2"
+}
diff --git a/scripts/issues/1380/keys.txt b/scripts/issues/1380/keys.txt
new file mode 100644
index 00000000000..9dc47d356c1
--- /dev/null
+++ b/scripts/issues/1380/keys.txt
@@ -0,0 +1,3 @@
+Keys for P e t e and U m a. Produced by running setup-all.sh from the /scripts/api folder.
+Pete:757a6493-456a-4bf0-943e-9b559d551a3f
+Uma:8797f19b-b8aa-4f96-a789-1b99506f2eab
diff --git a/scripts/issues/1380/list-groups-for b/scripts/issues/1380/list-groups-for
new file mode 100755
index 00000000000..063b92c9b6a
--- /dev/null
+++ b/scripts/issues/1380/list-groups-for
@@ -0,0 +1,2 @@
+#!/bin/bash
+curl -s -X GET http://localhost:8080/api/test/explicitGroups/$1 | jq .
diff --git a/scripts/issues/1380/list-ip-groups.sh b/scripts/issues/1380/list-ip-groups.sh
new file mode 100755
index 00000000000..fba29cced4e
--- /dev/null
+++ b/scripts/issues/1380/list-ip-groups.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+curl -X GET http://localhost:8080/api/admin/groups/ip | jq .
diff --git a/scripts/issues/1380/truth-table.numbers b/scripts/issues/1380/truth-table.numbers
new file mode 100644
index 00000000000..86f67386fbb
Binary files /dev/null and b/scripts/issues/1380/truth-table.numbers differ
diff --git a/scripts/issues/1380/users.out b/scripts/issues/1380/users.out
new file mode 100644
index 00000000000..337b9e2ce01
--- /dev/null
+++ b/scripts/issues/1380/users.out
@@ -0,0 +1,6 @@
+{"status":"OK","data":{"user":{"id":4,"firstName":"Gabbi","lastName":"Guest","userName":"gabbi","affiliation":"low","position":"A Guest","email":"gabbi@malinator.com"},"authenticatedUser":{"id":4,"identifier":"@gabbi","displayName":"Gabbi Guest","firstName":"Gabbi","lastName":"Guest","email":"gabbi@malinator.com","superuser":false,"affiliation":"low","position":"A Guest","persistentUserId":"gabbi","authenticationProviderId":"builtin"},"apiToken":"d1940786-c315-491e-9812-a8ff809289cc"}}
+{"status":"OK","data":{"user":{"id":5,"firstName":"Cathy","lastName":"Collaborator","userName":"cathy","affiliation":"mid","position":"Data Scientist","email":"cathy@malinator.com"},"authenticatedUser":{"id":5,"identifier":"@cathy","displayName":"Cathy Collaborator","firstName":"Cathy","lastName":"Collaborator","email":"cathy@malinator.com","superuser":false,"affiliation":"mid","position":"Data Scientist","persistentUserId":"cathy","authenticationProviderId":"builtin"},"apiToken":"0ddfcb1e-fb51-4ce7-88ab-308b23e13e9a"}}
+{"status":"OK","data":{"user":{"id":6,"firstName":"Nick","lastName":"NSA","userName":"nick","affiliation":"gov","position":"Signals Intelligence","email":"nick@malinator.com"},"authenticatedUser":{"id":6,"identifier":"@nick","displayName":"Nick NSA","firstName":"Nick","lastName":"NSA","email":"nick@malinator.com","superuser":false,"affiliation":"gov","position":"Signals Intelligence","persistentUserId":"nick","authenticationProviderId":"builtin"},"apiToken":"6d74745d-1733-459a-ae29-422110056ec0"}}
+reporting API keys
+:result: Pete's key is: 757a6493-456a-4bf0-943e-9b559d551a3f
+:result: Uma's key is: 8797f19b-b8aa-4f96-a789-1b99506f2eab
\ No newline at end of file
diff --git a/scripts/issues/2438/download.R b/scripts/issues/2438/download.R
index 2d31ed0865b..eea7f185137 100644
--- a/scripts/issues/2438/download.R
+++ b/scripts/issues/2438/download.R
@@ -13,7 +13,7 @@ download.dataverse.file <- function(url) {
   # look up the id of the file. As of this writing the easiest way is via SWORD:
   # https://github.com/IQSS/dataverse/issues/1837#issuecomment-121736332
   #
-  # url.to.download = 'https://apitest.dataverse.org/api/v1/access/datafile/91'
+  # url.to.download = 'https://demo.dataverse.org/api/v1/access/datafile/91'
   url.to.download = url
   tsvfile = 'file.tsv'
   download.file(url = url.to.download, destfile =
@@ -23,4 +23,4 @@ download.dataverse.file <- function(url) {
   unlink(tsvfile)
 }
 
-download.dataverse.file(arg)
\ No newline at end of file
+download.dataverse.file(arg)
diff --git a/scripts/search/tests/ipgroup-add b/scripts/search/tests/ipgroup-add
index 8033b277258..d41679fd188 100755
--- a/scripts/search/tests/ipgroup-add
+++ b/scripts/search/tests/ipgroup-add
@@ -1,5 +1,5 @@
 #!/bin/sh
 . scripts/search/export-keys
-OUTPUT=`curl -s -X POST -d @scripts/api/data/ipGroup3.json http://localhost:8080/api/admin/groups/ip -H "Content-type:application/json"`
+OUTPUT=`curl -s -X POST -d @scripts/api/data/ipGroup-all.json http://localhost:8080/api/admin/groups/ip -H "Content-type:application/json"`
 echo $OUTPUT
 echo $OUTPUT | jq .
diff --git a/src/main/java/Bundle.properties b/src/main/java/Bundle.properties
index bc39855adc6..ca19a51533e 100755
--- a/src/main/java/Bundle.properties
+++ b/src/main/java/Bundle.properties
@@ -1,8 +1,10 @@
 dataverse=Dataverse
 newDataverse=New Dataverse
 hostDataverse=Host Dataverse
+dataverses=Dataverses
 passwd=Password
 dataset=Dataset
+datasets=Datasets
 newDataset=New Dataset
 files=Files
 file=File
@@ -90,7 +92,7 @@ footer.dataverseOnGitHub=Dataverse On GitHub
 footer.dataverseProjectOn=Dataverse Project on
 footer.Twitter=Twitter
 footer.dataScienceIQSS=Developed at the <a href="http://www.iq.harvard.edu/" title="Institute for Quantitative Social Science" target="_blank">Institute for Quantitative Social Science</a>
-footer.copyright=Copyright &#169; 2016, The President &#38; Fellows of Harvard College
+footer.copyright=Copyright &#169; {0}
 footer.widget.datastored=Data is stored at {0}.
 footer.widget.login=Log in to
 footer.privacyPolicy=Privacy Policy
@@ -138,7 +140,8 @@ wasPublished=, was published in
 wasReturnedByReviewer=, was returned by the curator of 
 toReview=Don't forget to publish it or send it back to the contributor!
 worldMap.added=dataset had a WorldMap layer data added to it.
-notification.welcome=Welcome to {0} Dataverse! Get started by adding or finding data. Have questions? Check out the {1}. Want to test out Dataverse features? Use our {2}.
+# Bundle file editors, please note that "notification.welcome" is used in a unit test.
+notification.welcome=Welcome to {0} Dataverse! Get started by adding or finding data. Have questions? Check out the {1}. Want to test out Dataverse features? Use our {2}. Also, check for your welcome email to verify your address.
 notification.demoSite=Demo Site
 notification.requestFileAccess=File access requested for dataset: {0}.
 notification.grantFileAccess=Access granted for files in dataset: {0}.
@@ -204,6 +207,16 @@ login.builtin.invalidUsernameEmailOrPassword=The username, email address, or pas
 # how do we exercise login.error? Via a password upgrade failure? See https://github.com/IQSS/dataverse/pull/2922
 login.error=Error validating the username, email address, or password. Please try again. If the problem persists, contact an administrator.
 
+#confirmemail.xhtml
+confirmEmail.pageTitle=Email Verification
+confirmEmail.submitRequest=Verify Email
+confirmEmail.submitRequest.success=A verification email has been sent to {0}. Note, the verify link will expire after {1}.
+confirmEmail.details.success=Email address verified!
+confirmEmail.details.failure=We were unable to verify your email address. Please navigate to your Account Information page and click the "Verify Email" button.
+confirmEmail.details.goToAccountPageButton=Go to Account Information
+confirmEmail.notVerified=Not Verified
+confirmEmail.verified=Verified
+
 #shib.xhtml
 shib.btn.convertAccount=Convert Account
 shib.btn.createAccount=Create Account
@@ -420,9 +433,12 @@ notification.email.returned.dataset.subject=Dataverse: Your dataset has been ret
 notification.email.create.account.subject=Dataverse: Your account has been created 
 notification.email.assign.role.subject=Dataverse: You have been assigned a role
 notification.email.revoke.role.subject=Dataverse: Your role has been revoked
+notification.email.verifyEmail.subject=Dataverse: Verify your email address
 
 notification.email.greeting=Hello, \n
+# Bundle file editors, please note that "notification.email.welcome" is used in a unit test
 notification.email.welcome=Welcome to Dataverse! Get started by adding or finding data. Have questions? Check out the User Guide at {0}/{1}/user/ or contact Dataverse Support for assistance. Want to test out Dataverse features? Use our Demo Site at https://demo.dataverse.org
+notification.email.welcomeConfirmEmailAddOn=\n\nPlease verify your email address at {0}. Note, the verify link will expire after {1}. Send another verification email by visiting your account page.
 notification.email.requestFileAccess=File access requested for dataset: {0}. Manage permissions at {1}.
 notification.email.grantFileAccess=Access granted for files in dataset: {0} (view at {1}).
 notification.email.rejectFileAccess=Access rejected for requested files in dataset: {0} (view at {1}).
@@ -437,6 +453,11 @@ notification.email.worldMap.added={0} (view at {1}) had WorldMap layer data adde
 notification.email.closing=\n\nThank you,\nThe Dataverse Project
 notification.email.assignRole=You are now {0} for the {1} "{2}" (view at {3}).
 notification.email.revokeRole=One of your roles for the {0} "{1}" has been revoked (view at {2}).
+notification.email.changeEmail=Hello, {0}.{1}\n\nPlease contact us if you did not intend this change or if you need assistance.
+hours=hours
+hour=hour
+minutes=minutes
+minute=minute
 
 # passwordreset.xhtml
 
@@ -717,11 +738,11 @@ dataverse.permissions.roles.copy=Copy Role
 
 # permissions-manage-files.xhtml
 
-dataverse.permissionsFiles.title=File Permissions
+dataverse.permissionsFiles.title=Restricted File Permissions
 
 dataverse.permissionsFiles.usersOrGroups=Users/Groups
 dataverse.permissionsFiles.usersOrGroups.assignBtn=Grant Access to Users/Groups
-dataverse.permissionsFiles.usersOrGroups.description=All the users and groups that have access to files in this dataset.
+dataverse.permissionsFiles.usersOrGroups.description=All the users and groups that have access to restricted files in this dataset.
 dataverse.permissionsFiles.usersOrGroups.tabHeader.userOrGroup=User/Group Name (Affiliation)
 dataverse.permissionsFiles.usersOrGroups.tabHeader.id=ID
 dataverse.permissionsFiles.usersOrGroups.tabHeader.email=Email
@@ -731,7 +752,8 @@ dataverse.permissionsFiles.usersOrGroups.file=File
 dataverse.permissionsFiles.usersOrGroups.files=Files
 dataverse.permissionsFiles.usersOrGroups.invalidMsg=There are no users or groups with access to the restricted files in this dataset.
 
-dataverse.permissionsFiles.files=Files
+dataverse.permissionsFiles.files=Restricted Files
+dataverse.permissionsFiles.files.label={0, choice, 0#Restricted Files|1#Restricted File|2#Restricted Files}
 dataverse.permissionsFiles.files.description=All the restricted files in this dataset.
 dataverse.permissionsFiles.files.tabHeader.fileName=File Name
 dataverse.permissionsFiles.files.tabHeader.roleAssignees=Users/Groups
@@ -743,8 +765,11 @@ dataverse.permissionsFiles.files.public=Public
 dataverse.permissionsFiles.files.restricted=Restricted
 dataverse.permissionsFiles.files.roleAssignee=User/Group
 dataverse.permissionsFiles.files.roleAssignees=Users/Groups
+dataverse.permissionsFiles.files.roleAssignees.label={0, choice, 0#Users/Groups|1#User/Group|2#Users/Groups}
 dataverse.permissionsFiles.files.assignBtn=Assign Access
 dataverse.permissionsFiles.files.invalidMsg=There are no restricted files in this dataset.
+dataverse.permissionsFiles.files.requested=Requested Files
+dataverse.permissionsFiles.files.selected=Selecting {0} of {1} {2}
 
 dataverse.permissionsFiles.viewRemoveDialog.header=File Access
 dataverse.permissionsFiles.viewRemoveDialog.removeBtn=Remove Access
@@ -752,12 +777,11 @@ dataverse.permissionsFiles.viewRemoveDialog.removeBtn.confirmation=Are you sure
 
 dataverse.permissionsFiles.assignDialog.header=Grant File Access
 dataverse.permissionsFiles.assignDialog.description=Grant file access to users and groups.
-dataverse.permissionsFiles.assignDialog.userOrGroup=User/Group
-dataverse.permissionsFiles.assignDialog.userOrGroup.title=User/Group
+dataverse.permissionsFiles.assignDialog.userOrGroup=Users/Groups
 dataverse.permissionsFiles.assignDialog.userOrGroup.enterName=Enter User/Group Name
 dataverse.permissionsFiles.assignDialog.userOrGroup.invalidMsg=No matches found.
 dataverse.permissionsFiles.assignDialog.userOrGroup.requiredMsg=Please select at least one user or group.
-dataverse.permissionsFiles.assignDialog.file=File
+dataverse.permissionsFiles.assignDialog.fileName=File Name
 dataverse.permissionsFiles.assignDialog.grantBtn=Grant
 dataverse.permissionsFiles.assignDialog.rejectBtn=Reject
 
@@ -779,11 +803,12 @@ dataverse.permissions.Q2.answer.curator.description=- Edit metadata, upload file
 
 dataverse.permissions.usersOrGroups.assignDialog.header=Assign Role
 dataverse.permissions.usersOrGroups.assignDialog.description=Grant permissions to users and groups by assigning them a role.
-dataverse.permissions.usersOrGroups.assignDialog.userOrGroup=User/Group
+dataverse.permissions.usersOrGroups.assignDialog.userOrGroup=Users/Groups
 dataverse.permissions.usersOrGroups.assignDialog.userOrGroup.enterName=Enter User/Group Name
 dataverse.permissions.usersOrGroups.assignDialog.userOrGroup.invalidMsg=No matches found.
 dataverse.permissions.usersOrGroups.assignDialog.userOrGroup.requiredMsg=Please select at least one user or group.
 dataverse.permissions.usersOrGroups.assignDialog.role.description=These are the permissions associated with the selected role.
+dataverse.permissions.usersOrGroups.assignDialog.role.warning=Assigning the {0} role means the user(s) will also have the {0} role applied to all {1} within this {2}.
 dataverse.permissions.usersOrGroups.assignDialog.role.requiredMsg=Please select a role to assign.
 
 # roles-edit.xhtml
@@ -804,6 +829,7 @@ dataverse.permissions.explicitGroupEditDialog.title.new=Create Group
 dataverse.permissions.explicitGroupEditDialog.title.edit=Edit Group {0}
 dataverse.permissions.explicitGroupEditDialog.help=Add users or other groups to this group.
 dataverse.permissions.explicitGroupEditDialog.groupIdentifier=Group Identifier
+dataverse.permissions.explicitGroupEditDialog.groupIdentifier.tip=Short name used for the ID of this group.
 dataverse.permissions.explicitGroupEditDialog.groupIdentifier.required=Group identifier cannot be empty
 dataverse.permissions.explicitGroupEditDialog.groupIdentifier.invalid=Group identifier can contain only letters, digits, underscores (_) and dashes (-)
 dataverse.permissions.explicitGroupEditDialog.groupIdentifier.helpText=Consists of letters, digits, underscores (_) and dashes (-)
@@ -978,6 +1004,8 @@ dataset.editBtn.itemLabel.terms=Terms
 dataset.editBtn.itemLabel.permissions=Permissions
 dataset.editBtn.itemLabel.widgets=Widgets
 dataset.editBtn.itemLabel.privateUrl=Private URL
+dataset.editBtn.itemLabel.permissionsDataset=Dataset
+dataset.editBtn.itemLabel.permissionsFile=Restricted Files
 dataset.editBtn.itemLabel.deleteDataset=Delete Dataset
 dataset.editBtn.itemLabel.deleteDraft=Delete Draft Version
 dataset.editBtn.itemLabel.deaccession=Deaccession Dataset
@@ -1125,10 +1153,11 @@ file.noSelectedFiles.tip=There are no selected files to display.
 file.noUploadedFiles.tip=Files you upload will appear here.
 file.delete=Delete
 file.metadata=Metadata
-file.deleted.success=Files {0} will be permanently deleted from this version of this dataset once you click on the Save Changes button.
+file.deleted.success=Files "{0}" will be permanently deleted from this version of this dataset once you click on the Save Changes button.
+file.editAccess=Edit Access
 file.restrict=Restrict
 file.unrestrict=Unrestrict
-file.restricted.success=The file(s) {0} will be restricted after you click on the Save Changes button on the bottom of this page.
+file.restricted.success=Files "{0}" will be restricted once you click on the Save Changes button.
 file.download.header=Download
 file.preview=Preview:
 file.fileName=File Name
diff --git a/src/main/java/edu/harvard/iq/dataverse/BibtexCitation.java b/src/main/java/edu/harvard/iq/dataverse/BibtexCitation.java
index 742c86c70b8..0a6a930a94e 100644
--- a/src/main/java/edu/harvard/iq/dataverse/BibtexCitation.java
+++ b/src/main/java/edu/harvard/iq/dataverse/BibtexCitation.java
@@ -71,7 +71,7 @@ public String getPublisher() {
     public String toString() {
         StringBuilder citation = new StringBuilder("@data{");
         citation.append(persistentId.getIdentifier() + "_" + year + "," + "\r\n");
-        citation.append("author = {").append(String.join("; ", authors)).append("},\r\n");
+        citation.append("author = {").append(String.join(" and ", authors)).append("},\r\n");
         citation.append("publisher = {").append(publisher).append("},\r\n");
         citation.append("title = {").append(title).append("},\r\n");        
         citation.append("year = {").append(year).append("},\r\n");        
diff --git a/src/main/java/edu/harvard/iq/dataverse/DataFile.java b/src/main/java/edu/harvard/iq/dataverse/DataFile.java
index 24c01e3b107..057faf4211e 100644
--- a/src/main/java/edu/harvard/iq/dataverse/DataFile.java
+++ b/src/main/java/edu/harvard/iq/dataverse/DataFile.java
@@ -16,6 +16,7 @@
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.nio.file.Files;
+import java.util.Comparator;
 import javax.persistence.Entity;
 import javax.persistence.OneToMany;
 import javax.persistence.OneToOne;
@@ -44,7 +45,7 @@
 		, @Index(columnList="md5")
 		, @Index(columnList="contenttype")
 		, @Index(columnList="restricted")})
-public class DataFile extends DvObject {
+public class DataFile extends DvObject implements Comparable {
     private static final long serialVersionUID = 1L;
     
     public static final char INGEST_STATUS_NONE = 65;
@@ -228,6 +229,11 @@ public String getOriginalFileFormat() {
         return null;
     }
 
+    @Override
+    public boolean isAncestorOf( DvObject other ) {
+        return equals(other);
+    }
+    
     /*
      * A user-friendly version of the "original format":
      */
@@ -604,6 +610,13 @@ public String getDisplayName() {
         return getLatestFileMetadata().getLabel();
     }
     
+    @Override
+    public int compareTo(Object o) {
+        DataFile other = (DataFile) o;
+        return this.getDisplayName().toUpperCase().compareTo(other.getDisplayName().toUpperCase());
+
+    }
+    
     /**
      * Check if the Geospatial Tag has been assigned to this file
      * @return 
@@ -619,4 +632,4 @@ public boolean hasGeospatialTag(){
         }
         return false;
     }
-}
+}
\ No newline at end of file
diff --git a/src/main/java/edu/harvard/iq/dataverse/Dataset.java b/src/main/java/edu/harvard/iq/dataverse/Dataset.java
index 0acf76dc00e..39a953d0de7 100644
--- a/src/main/java/edu/harvard/iq/dataverse/Dataset.java
+++ b/src/main/java/edu/harvard/iq/dataverse/Dataset.java
@@ -654,5 +654,9 @@ public String getDisplayName() {
     protected boolean isPermissionRoot() {
         return false;
     }
-
+    
+    @Override
+    public boolean isAncestorOf( DvObject other ) {
+        return equals(other) || equals(other.getOwner());
+    }
 }
diff --git a/src/main/java/edu/harvard/iq/dataverse/DatasetPage.java b/src/main/java/edu/harvard/iq/dataverse/DatasetPage.java
index 882608dff45..55811ac8b1a 100644
--- a/src/main/java/edu/harvard/iq/dataverse/DatasetPage.java
+++ b/src/main/java/edu/harvard/iq/dataverse/DatasetPage.java
@@ -83,7 +83,6 @@
 
 import javax.faces.event.AjaxBehaviorEvent;
 
-import javax.faces.context.ExternalContext;
 import org.apache.commons.lang.StringEscapeUtils;
 
 import org.primefaces.component.tabview.TabView;
@@ -187,7 +186,6 @@ public enum DisplayMode {
     private List<Template> dataverseTemplates = new ArrayList();
     private Template defaultTemplate;
     private Template selectedTemplate;
-    private String globalId;
     private String persistentId;
     private String version;
     private String protocol = "";
@@ -322,11 +320,7 @@ public Long getMaxFileUploadSizeInBytes(){
     }
     
     public boolean isUnlimitedUploadFileSize(){
-        
-        if (this.maxFileUploadSizeInBytes == null){
-            return true;
-        }
-        return false;
+        return (this.maxFileUploadSizeInBytes == null);
     }
 
     public boolean isMetadataExportEnabled() {
@@ -455,9 +449,8 @@ public boolean isNoDVsRemaining() {
      * Convenience method for "Download File" button display logic
      * 
      * Used by the dataset.xhtml render logic when listing files
-     *       > Assume user already has view access to the file list 
-     *         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^!!!
-     * 
+     * <b>Assumes user already has view access to the file list.</b>
+     *         
      * @param fileMetadata
      * @return boolean
      */
@@ -498,29 +491,13 @@ public boolean canDownloadFile(FileMetadata fileMetadata){
         }
         
         // --------------------------------------------------------------------
-        // Conditions (2) through (4) are for Restricted files
+        // Conditions (2) through (3) are for Restricted files
         // --------------------------------------------------------------------
         
         // --------------------------------------------------------------------
-        // (2) In Dataverse 4.3 and earlier we required that users be authenticated
-        // to download files, but in developing the Private URL feature, we have
-        // added a new subclass of "User" called "PrivateUrlUser" that returns false
-        // for isAuthenticated but that should be able to download restricted files
-        // when given the Member role (which includes the DownloadFile permission).
-        // This is consistent with how Builtin and Shib users (both are
-        // AuthenticatedUsers) can download restricted files when they are granted
-        // the Member role. For this reason condition 2 has been changed. Previously,
-        // we required isSessionUserAuthenticated to return true. Now we require
-        // that the User is not an instance of GuestUser, which is similar in
-        // spirit to the previous check.
-        // --------------------------------------------------------------------
-        if (session.getUser() instanceof GuestUser){
-            this.fileDownloadPermissionMap.put(fid, false);
-            return false;
-        }
-        
-        // --------------------------------------------------------------------
-        // (3) Does the User have DownloadFile Permission at the **Dataset** level 
+        // (2) Does the User have DownloadFile Permission at the **Dataset** level 
+        // Michael: Leaving this in for now, but shouldn't this be alredy resolved
+        //          by the premission system, given that files are never permission roots?
         // --------------------------------------------------------------------
         if (this.doesSessionUserHaveDataSetPermission(Permission.DownloadFile)){
             // Yes, save answer and return true
@@ -529,7 +506,7 @@ public boolean canDownloadFile(FileMetadata fileMetadata){
         }
   
         // --------------------------------------------------------------------
-        // (4) Does the user has DownloadFile permission on the DataFile            
+        // (3) Does the user has DownloadFile permission on the DataFile            
         // --------------------------------------------------------------------
         if (this.permissionService.on(fileMetadata.getDataFile()).has(Permission.DownloadFile)){
             this.fileDownloadPermissionMap.put(fid, true);
@@ -537,7 +514,7 @@ public boolean canDownloadFile(FileMetadata fileMetadata){
         }
         
         // --------------------------------------------------------------------
-        // (6) No download....
+        // (4) No download for you! Come back with permissions!
         // --------------------------------------------------------------------
         this.fileDownloadPermissionMap.put(fid, false);
        
@@ -558,7 +535,7 @@ public boolean isThumbnailAvailable(FileMetadata fileMetadata) {
     
     // Another convenience method - to cache Update Permission on the dataset: 
     public boolean canUpdateDataset() {
-        return permissionsWrapper.canUpdateDataset(this.session.getUser(), this.dataset);
+        return permissionsWrapper.canUpdateDataset(dvRequestService.getDataverseRequest(), this.dataset);
     }
     
     public boolean canPublishDataverse() {
@@ -579,13 +556,9 @@ public boolean canPublishDataverse() {
     //}
     
     public boolean canViewUnpublishedDataset() {
-        return permissionsWrapper.canViewUnpublishedDataset(this.session.getUser(), this.dataset);
-        //return doesSessionUserHaveDataSetPermission(Permission.ViewUnpublishedDataset);
+        return permissionsWrapper.canViewUnpublishedDataset( dvRequestService.getDataverseRequest(), dataset);
     }
     
-    private Boolean sessionUserAuthenticated = null;
-    
-    
     /* 
      * 4.2.1 optimization. 
      * HOWEVER, this doesn't appear to be saving us anything! 
@@ -593,28 +566,7 @@ public boolean canViewUnpublishedDataset() {
      * every time; it doesn't do any new db lookups. 
     */
     public boolean isSessionUserAuthenticated() {
-        logger.fine("entering isSessionUserAuthenticated;");
-        if (sessionUserAuthenticated != null) {
-            logger.fine("using cached isSessionUserAuthenticated;");
-            
-            return sessionUserAuthenticated;
-        }
-        
-        if (session == null) {
-            return false;
-        }
-        
-        if (session.getUser() == null) {
-            return false;
-        }
-        
-        if (session.getUser().isAuthenticated()) {
-            sessionUserAuthenticated = true; 
-            return true;
-        }
-        
-        sessionUserAuthenticated = false;
-        return false;
+        return session.getUser().isAuthenticated();
     }
     
     /**
diff --git a/src/main/java/edu/harvard/iq/dataverse/Dataverse.java b/src/main/java/edu/harvard/iq/dataverse/Dataverse.java
index cb04cfb0d9a..44f0a7a77b4 100644
--- a/src/main/java/edu/harvard/iq/dataverse/Dataverse.java
+++ b/src/main/java/edu/harvard/iq/dataverse/Dataverse.java
@@ -32,7 +32,6 @@
 import javax.validation.constraints.Size;
 import org.hibernate.validator.constraints.NotBlank;
 import org.hibernate.validator.constraints.NotEmpty;
-import org.hibernate.validator.constraints.URL;
 
 /**
  *
@@ -734,6 +733,14 @@ public boolean isPermissionRoot() {
     public void setPermissionRoot(boolean permissionRoot) {
         this.permissionRoot = permissionRoot;
     }
-       
+      
+    @Override
+    public boolean isAncestorOf( DvObject other ) {
+        while ( other != null ) {
+            if ( equals(other) ) return true;
+            other = other.getOwner();
+        }
+        return false;
+    }
 
 }
diff --git a/src/main/java/edu/harvard/iq/dataverse/DataversePage.java b/src/main/java/edu/harvard/iq/dataverse/DataversePage.java
index cfb2fcc252a..3d35e548347 100644
--- a/src/main/java/edu/harvard/iq/dataverse/DataversePage.java
+++ b/src/main/java/edu/harvard/iq/dataverse/DataversePage.java
@@ -58,12 +58,10 @@ public class DataversePage implements java.io.Serializable {
     private static final Logger logger = Logger.getLogger(DataversePage.class.getCanonicalName());
 
     public enum EditMode {
-
         CREATE, INFO, FEATURED
     }
     
     public enum LinkMode {
-
         SAVEDSEARCH,  LINKDATAVERSE
     }
 
@@ -111,8 +109,8 @@ public enum LinkMode {
     private LinkMode linkMode;
 
     private Long ownerId;
-    private DualListModel<DatasetFieldType> facets = new DualListModel<>(new ArrayList<DatasetFieldType>(), new ArrayList<DatasetFieldType>());
-    private DualListModel<Dataverse> featuredDataverses = new DualListModel<>(new ArrayList<Dataverse>(), new ArrayList<Dataverse>());
+    private DualListModel<DatasetFieldType> facets = new DualListModel<>(new ArrayList<>(), new ArrayList<>());
+    private DualListModel<Dataverse> featuredDataverses = new DualListModel<>(new ArrayList<>(), new ArrayList<>());
     private List<Dataverse> dataversesForLinking;
     private Long linkingDataverseId;
     private List<SelectItem> linkingDVSelectItems;
@@ -173,10 +171,8 @@ public void setDataverseSubjectControlledVocabularyValues(List<ControlledVocabul
     private void updateDataverseSubjectSelectItems() {
         DatasetFieldType subjectDatasetField = datasetFieldService.findByName(DatasetFieldConstant.subject);
         setDataverseSubjectControlledVocabularyValues(controlledVocabularyValueServiceBean.findByDatasetFieldTypeId(subjectDatasetField.getId()));
-
     }
     
-    
     public LinkMode getLinkMode() {
         return linkMode;
     }
@@ -185,7 +181,6 @@ public void setLinkMode(LinkMode linkMode) {
         this.linkMode = linkMode;
     }
     
-    
     public void setupLinkingPopup (String popupSetting){
         if (popupSetting.equals("link")){
             setLinkMode(LinkMode.LINKDATAVERSE);           
@@ -242,7 +237,6 @@ public void updateLinkableDataverses() {
     public void updateSelectedLinkingDV(ValueChangeEvent event) {
         linkingDataverseId = (Long) event.getNewValue();
     }
-//    private TreeNode treeWidgetRootNode = new DefaultTreeNode("Root", null);
 
     public Dataverse getDataverse() {
         return dataverse;
@@ -268,13 +262,6 @@ public void setOwnerId(Long ownerId) {
         this.ownerId = ownerId;
     }
 
-//    public TreeNode getTreeWidgetRootNode() {
-//        return treeWidgetRootNode;
-//    }
-//
-//    public void setTreeWidgetRootNode(TreeNode treeWidgetRootNode) {
-//        this.treeWidgetRootNode = treeWidgetRootNode;
-//    }
     public String init() {
         if (dataverse.getAlias() != null || dataverse.getId() != null || ownerId == null) {// view mode for a dataverse
             if (dataverse.getAlias() != null) {
diff --git a/src/main/java/edu/harvard/iq/dataverse/DataverseRequestServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/DataverseRequestServiceBean.java
index 50274753a6b..e193b535412 100644
--- a/src/main/java/edu/harvard/iq/dataverse/DataverseRequestServiceBean.java
+++ b/src/main/java/edu/harvard/iq/dataverse/DataverseRequestServiceBean.java
@@ -6,7 +6,6 @@
 import javax.inject.Inject;
 import javax.inject.Named;
 import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
 
 /**
  * The service bean to go to when one needs the current {@link DataverseRequest}.
@@ -19,16 +18,16 @@ public class DataverseRequestServiceBean {
     @Inject
     DataverseSession dataverseSessionSvc;
     
-    @Context
-    HttpServletRequest httpRequest;
+    @Inject
+    private HttpServletRequest request;
     
-    private DataverseRequest dataverseRequest;
+   private DataverseRequest dataverseRequest;
     
     @PostConstruct
     protected void setup() {
-        dataverseRequest = new DataverseRequest(dataverseSessionSvc.getUser(), httpRequest);
+        dataverseRequest = new DataverseRequest(dataverseSessionSvc.getUser(), request);
     }
-
+    
     public DataverseRequest getDataverseRequest() {
         return dataverseRequest;
     }
diff --git a/src/main/java/edu/harvard/iq/dataverse/DataverseSession.java b/src/main/java/edu/harvard/iq/dataverse/DataverseSession.java
index 3770c54750a..54945a64cbd 100644
--- a/src/main/java/edu/harvard/iq/dataverse/DataverseSession.java
+++ b/src/main/java/edu/harvard/iq/dataverse/DataverseSession.java
@@ -4,7 +4,6 @@
 import edu.harvard.iq.dataverse.PermissionServiceBean.StaticPermissionQuery;
 import edu.harvard.iq.dataverse.actionlogging.ActionLogRecord;
 import edu.harvard.iq.dataverse.actionlogging.ActionLogServiceBean;
-import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
 import edu.harvard.iq.dataverse.authorization.users.GuestUser;
 import edu.harvard.iq.dataverse.authorization.users.User;
 import java.io.Serializable;
diff --git a/src/main/java/edu/harvard/iq/dataverse/DvObject.java b/src/main/java/edu/harvard/iq/dataverse/DvObject.java
index 89c27d3d4f4..47d4878f4cc 100644
--- a/src/main/java/edu/harvard/iq/dataverse/DvObject.java
+++ b/src/main/java/edu/harvard/iq/dataverse/DvObject.java
@@ -283,6 +283,13 @@ public Dataverse getDataverseContext() {
         return null;
     }    
     
+    /**
+     * 
+     * @param other 
+     * @return {@code true} iff {@code other} is {@code this} or below {@code this} in the containment hierarchy.
+     */
+    public abstract boolean isAncestorOf( DvObject other );
+    
     @OneToMany(mappedBy = "definitionPoint",cascade={ CascadeType.REMOVE, CascadeType.MERGE,CascadeType.PERSIST}, orphanRemoval=true)
     List<RoleAssignment> roleAssignments;
 }
diff --git a/src/main/java/edu/harvard/iq/dataverse/EditDatafilesPage.java b/src/main/java/edu/harvard/iq/dataverse/EditDatafilesPage.java
index a86374185e8..851fc5a50cc 100644
--- a/src/main/java/edu/harvard/iq/dataverse/EditDatafilesPage.java
+++ b/src/main/java/edu/harvard/iq/dataverse/EditDatafilesPage.java
@@ -550,7 +550,7 @@ public void restrictFiles(boolean restricted) {
                 if (fileNames == null) {
                     fileNames = fmd.getLabel();
                 } else {
-                    fileNames = fileNames.concat(fmd.getLabel());
+                    fileNames = fileNames.concat(", " + fmd.getLabel());
                 }
             }
             fmd.setRestricted(restricted);
@@ -590,7 +590,7 @@ public void restrictFilesDP(boolean restricted) {
                     if (fileNames == null) {
                         fileNames = fmd.getLabel();
                     } else {
-                        fileNames = fileNames.concat(fmd.getLabel());
+                        fileNames = fileNames.concat(", " + fmd.getLabel());
                     }
                 }
                 if (fmd.getDataFile().equals(fmw.getDataFile())) {
@@ -628,7 +628,7 @@ public void deleteFiles() {
             if (fileNames == null) {
                 fileNames = fmd.getLabel();
             } else {
-                fileNames = fileNames.concat(fmd.getLabel());
+                fileNames = fileNames.concat(", " + fmd.getLabel());
             }
         }
 
diff --git a/src/main/java/edu/harvard/iq/dataverse/MailServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/MailServiceBean.java
index f82b7a3e666..0893909a6c0 100644
--- a/src/main/java/edu/harvard/iq/dataverse/MailServiceBean.java
+++ b/src/main/java/edu/harvard/iq/dataverse/MailServiceBean.java
@@ -9,6 +9,7 @@
 import edu.harvard.iq.dataverse.authorization.groups.Group;
 import edu.harvard.iq.dataverse.authorization.groups.GroupServiceBean;
 import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
+import edu.harvard.iq.dataverse.confirmemail.ConfirmEmailServiceBean;
 import edu.harvard.iq.dataverse.settings.SettingsServiceBean;
 import edu.harvard.iq.dataverse.settings.SettingsServiceBean.Key;
 import edu.harvard.iq.dataverse.util.BundleUtil;
@@ -62,6 +63,8 @@ public class MailServiceBean implements java.io.Serializable {
     PermissionServiceBean permissionService;
     @EJB
     GroupServiceBean groupService;
+    @EJB
+    ConfirmEmailServiceBean confirmEmailService;
     
     private static final Logger logger = Logger.getLogger(MailServiceBean.class.getCanonicalName());
     
@@ -426,6 +429,9 @@ private String getMessageTextBasedOnNotification(UserNotification userNotificati
                         systemConfig.getGuidesBaseUrl(),
                         systemConfig.getVersion()
                 ));
+                String optionalConfirmEmailAddon = confirmEmailService.optionalConfirmEmailAddonMsg(userNotification.getUser());
+                accountCreatedMessage += optionalConfirmEmailAddon;
+                logger.info("accountCreatedMessage: " + accountCreatedMessage);
                 return messageText += accountCreatedMessage;
         }
         
diff --git a/src/main/java/edu/harvard/iq/dataverse/ManageFilePermissionsPage.java b/src/main/java/edu/harvard/iq/dataverse/ManageFilePermissionsPage.java
index f37b568d333..db25987694b 100644
--- a/src/main/java/edu/harvard/iq/dataverse/ManageFilePermissionsPage.java
+++ b/src/main/java/edu/harvard/iq/dataverse/ManageFilePermissionsPage.java
@@ -26,6 +26,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.TreeMap;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.ejb.EJB;
@@ -37,6 +38,9 @@
 import javax.persistence.EntityManager;
 import javax.persistence.PersistenceContext;
 import org.apache.commons.lang.StringUtils;
+import org.primefaces.event.SelectEvent;
+import org.primefaces.event.ToggleSelectEvent;
+import org.primefaces.event.UnselectEvent;
 
 /**
  *
@@ -80,9 +84,9 @@ public class ManageFilePermissionsPage implements java.io.Serializable {
     DataverseSession session;
 
     Dataset dataset = new Dataset(); 
-    private final Map<RoleAssignee,List<RoleAssignmentRow>> roleAssigneeMap = new HashMap<>();
-    private final Map<DataFile,List<RoleAssignmentRow>> fileMap = new HashMap<>();
-    private final Map<AuthenticatedUser,List<DataFile>> fileAccessRequestMap = new HashMap<>();    
+    private final TreeMap<RoleAssignee,List<RoleAssignmentRow>> roleAssigneeMap = new TreeMap<>();
+    private final TreeMap<DataFile,List<RoleAssignmentRow>> fileMap = new TreeMap<>();
+    private final TreeMap<AuthenticatedUser,List<DataFile>> fileAccessRequestMap = new TreeMap<>();    
 
     public Dataset getDataset() {
         return dataset;
@@ -92,19 +96,19 @@ public void setDataset(Dataset dataset) {
         this.dataset = dataset;
     }
     
-    public Map<RoleAssignee, List<RoleAssignmentRow>> getRoleAssigneeMap() {
+    public TreeMap<RoleAssignee, List<RoleAssignmentRow>> getRoleAssigneeMap() {
         return roleAssigneeMap;
     }
 
-    public Map<DataFile, List<RoleAssignmentRow>> getFileMap() {
+    public TreeMap<DataFile, List<RoleAssignmentRow>> getFileMap() {
         return fileMap;
     }
 
-    public Map<AuthenticatedUser, List<DataFile>> getFileAccessRequestMap() {
+    public TreeMap<AuthenticatedUser, List<DataFile>> getFileAccessRequestMap() {
         return fileAccessRequestMap;
     }
-   
-
+    
+    
     public String init() {
         if (dataset.getId() != null) {
             dataset = datasetService.find(dataset.getId());
@@ -118,9 +122,7 @@ public String init() {
         if (!permissionService.on(dataset).has(Permission.ManageDatasetPermissions)) {
             return permissionsWrapper.notAuthorized();
         }
-        
         initMaps();
-        
         return "";
     }
     
@@ -229,6 +231,7 @@ public void setSelectedRoleAssignmentRows(List<RoleAssignmentRow> selectedRoleAs
     }
     
     public void initViewRemoveDialogByFile(DataFile file, List<RoleAssignmentRow> raRows) {
+        setSelectedRoleAssignmentRows(new ArrayList());
         this.selectedFile = file;
         this.selectedRoleAssignee = null;
         this.roleAssignments = raRows;
@@ -236,6 +239,7 @@ public void initViewRemoveDialogByFile(DataFile file, List<RoleAssignmentRow> ra
     }
     
     public void initViewRemoveDialogByRoleAssignee(RoleAssignee ra, List<RoleAssignmentRow> raRows) {
+        setSelectedRoleAssignmentRows(new ArrayList());
         this.selectedFile = null;
         this.selectedRoleAssignee = ra;
         this.roleAssignments = raRows;
@@ -311,7 +315,7 @@ public void initAssignDialogForFileRequester(AuthenticatedUser au) {
         fileRequester = au;
         selectedRoleAssignees = null;
         selectedFiles.clear();
-        selectedFiles.addAll(fileAccessRequestMap.get(au));       
+        selectedFiles.addAll(fileAccessRequestMap.get(au));    
         showUserGroupMessages();
     }     
     
@@ -369,7 +373,7 @@ private void grantAccessToRequests(AuthenticatedUser au, List<DataFile> files) {
         }
         if (actionPerformed) {
             JsfHelper.addSuccessMessage("File Access request by " + au.getDisplayInfo().getTitle() + " was granted.");                        
-            userNotificationService.sendNotification(au, new Timestamp(new Date().getTime()), UserNotification.Type.GRANTFILEACCESS, dataset.getId());        
+            userNotificationService.sendNotification(au, new Timestamp(new Date().getTime()), UserNotification.Type.GRANTFILEACCESS, dataset.getId()); 
             initMaps();
         }
 
@@ -408,7 +412,9 @@ private boolean assignRole(RoleAssignee ra,  DataFile file, DataverseRole r) {
             JH.addMessage(FacesMessage.SEVERITY_ERROR, "The role was not able to be assigned.", "Permissions " + ex.getRequiredPermissions().toString() + " missing.");
             return false;
         } catch (CommandException ex) {
-            JH.addMessage(FacesMessage.SEVERITY_FATAL, "The role was not able to be assigned.");
+            //JH.addMessage(FacesMessage.SEVERITY_FATAL, "The role was not able to be assigned.");
+            String message = r.getName() + " role could NOT be assigned to " + ra.getDisplayInfo().getTitle() + " for " + file.getDisplayName() + ".";
+            JsfHelper.addErrorMessage(message);
             logger.log(Level.SEVERE, "Error assiging role: " + ex.getMessage(), ex);
             return false;
         }
@@ -449,7 +455,6 @@ public void setRenderFileMessages(boolean renderFileMessages) {
 
 
 
-
     // inner class used fordisplay of role assignments
     public static class RoleAssignmentRow {
 
diff --git a/src/main/java/edu/harvard/iq/dataverse/ManageGroupsPage.java b/src/main/java/edu/harvard/iq/dataverse/ManageGroupsPage.java
index 1452f802cf6..e5751216ddb 100644
--- a/src/main/java/edu/harvard/iq/dataverse/ManageGroupsPage.java
+++ b/src/main/java/edu/harvard/iq/dataverse/ManageGroupsPage.java
@@ -1,8 +1,3 @@
-/*
- * To change this license header, choose License Headers in Project Properties.
- * To change this template file, choose Tools | Templates
- * and open the template in the editor.
- */
 package edu.harvard.iq.dataverse;
 
 import edu.harvard.iq.dataverse.authorization.AuthenticationServiceBean;
@@ -12,7 +7,6 @@
 import edu.harvard.iq.dataverse.authorization.groups.GroupServiceBean;
 import edu.harvard.iq.dataverse.authorization.groups.impl.explicit.ExplicitGroup;
 import edu.harvard.iq.dataverse.authorization.groups.impl.explicit.ExplicitGroupServiceBean;
-import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
 import edu.harvard.iq.dataverse.authorization.users.User;
 import edu.harvard.iq.dataverse.engine.command.exception.CommandException;
 import edu.harvard.iq.dataverse.engine.command.impl.CreateExplicitGroupCommand;
@@ -23,7 +17,6 @@
 import java.util.ArrayList;
 import java.util.LinkedList;
 import java.util.List;
-import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.regex.Pattern;
@@ -41,8 +34,6 @@
 import org.apache.commons.lang.StringUtils;
 
 /**
- * TODO: should we add groups to dataverse obj?
- * TODO: add support for logical groups.
  * @author michaelsuo
  */
 @ViewScoped
@@ -94,21 +85,15 @@ public String init() {
         if (editDv == null) {
             return permissionsWrapper.notFound();
         }
-
+        
         Boolean hasPermissions = permissionsWrapper.canIssueCommand(editDv, CreateExplicitGroupCommand.class);
         hasPermissions |= permissionsWrapper.canIssueCommand(editDv, DeleteExplicitGroupCommand.class);
         hasPermissions |= permissionsWrapper.canIssueCommand(editDv, UpdateExplicitGroupCommand.class);
         if (!hasPermissions) {
             return permissionsWrapper.notAuthorized();
         } 
-        explicitGroups = new LinkedList<>();
+        explicitGroups = new LinkedList<>(explicitGroupService.findByOwner(getDataverseId()));
 
-        List <ExplicitGroup> explicitGroupsForThisDataverse =
-                explicitGroupService.findByOwner(getDataverseId());
-
-        for (ExplicitGroup g : explicitGroupsForThisDataverse) {
-            getExplicitGroups().add(g);
-        }
         return null;
     }
 
@@ -160,7 +145,7 @@ public void deleteGroup() {
         }
     }
 
-    private List<RoleAssignee> selectedGroupRoleAssignees = new LinkedList<>();
+    private List<RoleAssignee> selectedGroupRoleAssignees = new ArrayList<>();
 
     public void setSelectedGroupRoleAssignees(List<RoleAssignee> newSelectedGroupRoleAssignees) {
         this.selectedGroupRoleAssignees = newSelectedGroupRoleAssignees;
@@ -184,26 +169,19 @@ public void viewSelectedGroup(ExplicitGroup selectedGroup) {
         this.selectedGroup = selectedGroup;
 
         // initialize member list for autocomplete interface
-        setSelectedGroupAddRoleAssignees(new LinkedList<RoleAssignee>());
+        setSelectedGroupAddRoleAssignees(new LinkedList<>());
         setSelectedGroupRoleAssignees(getExplicitGroupMembers(selectedGroup));
     }
 
     /**
      * Return the set of all role assignees for an explicit group.
      * Does not traverse subgroups.
-     * TODO right now only checks for authenticated users and explicit groups.
      * @param eg The explicit group to check.
      * @return The set of role assignees belonging to explicit group.
      */
     public List<RoleAssignee> getExplicitGroupMembers(ExplicitGroup eg) {
-        if (eg != null) {
-            List<RoleAssignee> ras = new LinkedList<>();
-            ras.addAll(eg.getContainedAuthenticatedUsers());
-            ras.addAll(eg.getContainedExplicitGroups());
-            return ras;
-        } else {
-            return null;
-        }
+        return (eg != null) ? 
+                new ArrayList(eg.getDirectMembers()) : null;
     }
 
     /**
@@ -223,8 +201,15 @@ public String getRoleAssigneeTypeString(RoleAssignee ra) {
     }
 
     public String getMembershipString(ExplicitGroup eg) {
-        long userCount = getGroupAuthenticatedUserCount(eg);
-        long groupCount = getGroupGroupCount(eg);
+        long userCount = 0;
+        long groupCount = 0;
+        for ( RoleAssignee ra : eg.getDirectMembers() ) {
+            if ( ra instanceof User ) {
+                userCount++;
+            } else {
+                groupCount++;
+            }
+        }
 
         if (userCount == 0 && groupCount == 0) {
             return "No members";
@@ -246,28 +231,6 @@ public String getMembershipString(ExplicitGroup eg) {
         return memberString;
     }
 
-    /**
-     * Returns the number of authenticated users in an {@code ExplicitGroup}.
-     * Does not traverse subgroups.
-     * @param group The {@code ExplicitGroup} to get the user count for
-     * @return User count as long
-     */
-    public long getGroupAuthenticatedUserCount(ExplicitGroup eg) {
-        Set<AuthenticatedUser> aus = eg.getContainedAuthenticatedUsers();
-        return aus.size();
-    }
-
-    /**
-     * Returns the number of explicit groups in an {@code ExplicitGroup}.
-     * Does not traverse subgroups.
-     * @param group The {@code ExplicitGroup} to get the group count for
-     * @return Group count as long
-     */
-    public long getGroupGroupCount(ExplicitGroup eg) {
-        Set<ExplicitGroup> egs = eg.getContainedExplicitGroups();
-        return egs.size();
-    }
-
     public void removeMemberFromSelectedGroup(RoleAssignee ra) {
         selectedGroup.remove(ra);
     }
@@ -308,7 +271,7 @@ public void initExplicitGroupDialog(ActionEvent ae) {
         setExplicitGroupName("");
         setExplicitGroupIdentifier("");
         setNewExplicitGroupDescription("");
-        setNewExplicitGroupRoleAssignees(new LinkedList<RoleAssignee>());
+        setNewExplicitGroupRoleAssignees(new LinkedList<>());
         FacesContext context = FacesContext.getCurrentInstance();
         setSelectedGroupRoleAssignees(null);
     }
diff --git a/src/main/java/edu/harvard/iq/dataverse/ManagePermissionsPage.java b/src/main/java/edu/harvard/iq/dataverse/ManagePermissionsPage.java
index 48724e1f97d..8446599c1e8 100644
--- a/src/main/java/edu/harvard/iq/dataverse/ManagePermissionsPage.java
+++ b/src/main/java/edu/harvard/iq/dataverse/ManagePermissionsPage.java
@@ -2,10 +2,10 @@
 
 import edu.harvard.iq.dataverse.authorization.AuthenticationServiceBean;
 import edu.harvard.iq.dataverse.authorization.DataverseRole;
+import edu.harvard.iq.dataverse.authorization.DataverseRolePermissionHelper;
 import edu.harvard.iq.dataverse.authorization.Permission;
 import edu.harvard.iq.dataverse.authorization.RoleAssignee;
 import edu.harvard.iq.dataverse.authorization.RoleAssigneeDisplayInfo;
-import edu.harvard.iq.dataverse.authorization.groups.Group;
 import edu.harvard.iq.dataverse.authorization.groups.GroupServiceBean;
 import edu.harvard.iq.dataverse.authorization.groups.impl.builtin.AuthenticatedUsers;
 import edu.harvard.iq.dataverse.authorization.groups.impl.explicit.ExplicitGroup;
@@ -27,6 +27,7 @@
 import java.util.Date;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.ResourceBundle;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -39,7 +40,6 @@
 import javax.persistence.EntityManager;
 import javax.persistence.PersistenceContext;
 import org.apache.commons.lang.StringEscapeUtils;
-import org.apache.commons.lang.StringUtils;
 
 /**
  *
@@ -80,15 +80,22 @@ public class ManagePermissionsPage implements java.io.Serializable {
 
     @Inject
     DataverseSession session;
+    
+    private DataverseRolePermissionHelper dataverseRolePermissionHelper;
+        private List<DataverseRole> roleList;
 
     DvObject dvObject = new Dataverse(); // by default we use a Dataverse, but this will be overridden in init by the findById
-
+    
     public DvObject getDvObject() {
         return dvObject;
     }
 
     public void setDvObject(DvObject dvObject) {
         this.dvObject = dvObject;
+        /*
+        SEK 09/15/2016 - may need to do something here if permissions are transmitted/inherited from dataverse to dataverse
+        */
+        
         /*if (dvObject instanceof DvObjectContainer) {
          inheritAssignments = !((DvObjectContainer) dvObject).isPermissionRoot();
          }*/
@@ -115,6 +122,9 @@ public String init() {
         if (dvObject instanceof Dataverse) {
             initAccessSettings();
         }
+        roleList = roleService.findAll();
+        roleAssignments = initRoleAssignments();
+        dataverseRolePermissionHelper = new DataverseRolePermissionHelper(roleList);  
         return "";
     }
 
@@ -131,9 +141,19 @@ public RoleAssignment getSelectedRoleAssignment() {
 
     public void setSelectedRoleAssignment(RoleAssignment selectedRoleAssignment) {
         this.selectedRoleAssignment = selectedRoleAssignment;
-    }    
-  
+    }   
+    
+    private List<RoleAssignmentRow> roleAssignments;
+
     public List<RoleAssignmentRow> getRoleAssignments() {
+        return roleAssignments;
+    }
+
+    public void setRoleAssignments(List<RoleAssignmentRow> roleAssignments) {
+        this.roleAssignments = roleAssignments;
+    }
+  
+    public List<RoleAssignmentRow> initRoleAssignments() {
         List<RoleAssignmentRow> raList = null;
         if (dvObject != null && dvObject.getId() != null) {
             Set<RoleAssignment> ras = roleService.rolesAssignments(dvObject);
@@ -159,7 +179,7 @@ public void removeRoleAssignment() {
         if (dvObject instanceof Dataverse) {
             initAccessSettings(); // in case the revoke was for the AuthenticatedUsers group
         }        
-
+        roleAssignments = initRoleAssignments();
         showAssignmentMessages();        
     }
     
@@ -291,6 +311,7 @@ public void saveConfiguration(ActionEvent e) {
                 }
             }
         }
+        roleAssignments = initRoleAssignments();
         showConfigureMessages();
     }    
 
@@ -362,6 +383,47 @@ public DataverseRole getAssignedRole() {
         }
         return null;
     }
+    
+    public String getAssignedRoleObjectTypes(){
+        String retString = "";
+        if (selectedRoleId != null) {
+            /* SEK 09/15/2016 SEK commenting out for now 
+                because permissions are not inherited
+            
+            if (dataverseRolePermissionHelper.hasDataversePermissions(selectedRoleId) && dvObject instanceof Dataverse){
+                String dvLabel = ResourceBundle.getBundle("Bundle").getString("dataverses");
+                retString = dvLabel;
+            }
+            */
+            if (dataverseRolePermissionHelper.hasDatasetPermissions(selectedRoleId) && dvObject instanceof Dataverse){
+                String dsLabel = ResourceBundle.getBundle("Bundle").getString("datasets");
+                if(!retString.isEmpty()) {
+                    retString +=", " +  dsLabel;
+                } else {
+                   retString = dsLabel; 
+                }
+                
+            }
+            if (dataverseRolePermissionHelper.hasFilePermissions(selectedRoleId)){
+                String filesLabel = ResourceBundle.getBundle("Bundle").getString("files");
+                if(!retString.isEmpty()) {
+                    retString +=", " + filesLabel;
+                } else {
+                   retString = filesLabel; 
+                }                
+            }
+            return retString;
+        }
+        return null;        
+    }
+    
+    public String getDefinitionLevelString(){
+        if (dvObject != null){
+            if (dvObject instanceof Dataverse) return ResourceBundle.getBundle("Bundle").getString("dataverse");
+            if (dvObject instanceof Dataset) return ResourceBundle.getBundle("Bundle").getString("dataset");
+        }
+        return null;
+    }
 
     public void assignRole(ActionEvent evt) {        
         logger.info("Got to assignRole");
@@ -373,6 +435,7 @@ public void assignRole(ActionEvent evt) {
         for (RoleAssignee roleAssignee : selectedRoleAssigneesList) {
             assignRole(roleAssignee, roleService.find(selectedRoleId));
         }
+        roleAssignments = initRoleAssignments();  
     }
 
     /**
@@ -409,10 +472,12 @@ private void assignRole(RoleAssignee ra, DataverseRole r) {
         } catch (PermissionException ex) {
             JH.addMessage(FacesMessage.SEVERITY_ERROR, "The role was not able to be assigned.", "Permissions " + ex.getRequiredPermissions().toString() + " missing.");
         } catch (CommandException ex) {
-            JH.addMessage(FacesMessage.SEVERITY_FATAL, "The role was not able to be assigned.");
+            String message = r.getName() + " role could NOT be assigned to " + ra.getDisplayInfo().getTitle() + " for " + StringEscapeUtils.escapeHtml(dvObject.getDisplayName()) + ".";
+            JsfHelper.addErrorMessage(message);
+            //JH.addMessage(FacesMessage.SEVERITY_FATAL, "The role was not able to be assigned.");
             logger.log(Level.SEVERE, "Error assiging role: " + ex.getMessage(), ex);
         }
-        
+  
         showAssignmentMessages();
     }
 
@@ -471,6 +536,15 @@ public void updateRole(ActionEvent e) {
         }
         showRoleMessages();
     }
+    
+    
+    public DataverseRolePermissionHelper getDataverseRolePermissionHelper() {
+        return dataverseRolePermissionHelper;
+    }
+
+    public void setDataverseRolePermissionHelper(DataverseRolePermissionHelper dataverseRolePermissionHelper) {
+        this.dataverseRolePermissionHelper = dataverseRolePermissionHelper;
+    }
 
     /* 
     ============================================================================
diff --git a/src/main/java/edu/harvard/iq/dataverse/PermissionServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/PermissionServiceBean.java
index 82019c3db85..ef6ab430c8d 100644
--- a/src/main/java/edu/harvard/iq/dataverse/PermissionServiceBean.java
+++ b/src/main/java/edu/harvard/iq/dataverse/PermissionServiceBean.java
@@ -1,6 +1,5 @@
 package edu.harvard.iq.dataverse;
 
-import edu.harvard.iq.dataverse.api.datadeposit.SwordAuth;
 import edu.harvard.iq.dataverse.authorization.AuthenticationServiceBean;
 import edu.harvard.iq.dataverse.authorization.DataverseRole;
 import edu.harvard.iq.dataverse.authorization.providers.builtin.BuiltinUserServiceBean;
@@ -10,7 +9,6 @@
 import edu.harvard.iq.dataverse.authorization.groups.Group;
 import edu.harvard.iq.dataverse.authorization.groups.GroupServiceBean;
 import edu.harvard.iq.dataverse.authorization.groups.GroupUtil;
-import edu.harvard.iq.dataverse.authorization.groups.impl.builtin.AuthenticatedUsers;
 import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
 import edu.harvard.iq.dataverse.authorization.users.User;
 import edu.harvard.iq.dataverse.engine.command.Command;
@@ -28,7 +26,10 @@
 import javax.persistence.PersistenceContext;
 import static edu.harvard.iq.dataverse.engine.command.CommandHelper.CH;
 import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
+import java.util.Arrays;
 import java.util.LinkedList;
+import java.util.logging.Level;
+import java.util.stream.Collectors;
 import javax.persistence.Query;
 
 /**
@@ -45,15 +46,10 @@ public class PermissionServiceBean {
 
     private static final Logger logger = Logger.getLogger(PermissionServiceBean.class.getName());
     
-    private static final EnumSet<Permission> PERMISSIONS_FOR_AUTHENTICATED_USERS_ONLY = EnumSet.noneOf( Permission.class );
-    
-    static {
-        for ( Permission p : Permission.values() ) {
-            if ( p.requiresAuthenticatedUser() ) {
-                PERMISSIONS_FOR_AUTHENTICATED_USERS_ONLY.add(p);
-            }
-        }
-    }
+    private static final Set<Permission> PERMISSIONS_FOR_AUTHENTICATED_USERS_ONLY = 
+           EnumSet.copyOf(Arrays.asList(Permission.values()).stream()
+                    .filter( Permission::requiresAuthenticatedUser )
+                    .collect( Collectors.toList() ));
     
     @EJB
     BuiltinUserServiceBean userService;
@@ -210,9 +206,11 @@ public Set<Permission> permissionsFor( DataverseRequest req, DvObject dvo ) {
         // Add permissions specifically given to the user
         permissions.addAll( permissionsForSingleRoleAssignee(req.getUser(),dvo) );
         Set<Group> groups = groupService.groupsFor(req,dvo);
+        
         // Add permissions gained from groups
         for ( Group g : groups ) {
-            permissions.addAll( permissionsForSingleRoleAssignee(g,dvo) );
+            final Set<Permission> groupPremissions = permissionsForSingleRoleAssignee(g,dvo);
+            permissions.addAll(groupPremissions);
         }
         
         if ( ! req.getUser().isAuthenticated() ) {
@@ -253,14 +251,16 @@ public Set<Permission> permissionsFor(RoleAssignee ra, DvObject dvo) {
     
     private Set<Permission> permissionsForSingleRoleAssignee(RoleAssignee ra, DvObject d) {
         // super user check
-        // @todo for 4.0, we are allowing superusers all permissions
+        // for 4.0, we are allowing superusers all permissions
         // for secure data, we may need to restrict some of the permissions
         if (ra instanceof AuthenticatedUser && ((AuthenticatedUser) ra).isSuperuser()) {
             return EnumSet.allOf(Permission.class);
         }
-
+        
+        // Start with no permissions, build from there.
         Set<Permission> retVal = EnumSet.noneOf(Permission.class);
 
+        // File special case.
         if (d instanceof DataFile) {
             // unrestricted files that are part of a release dataset 
             // automatically get download permission for everybody:
@@ -274,6 +274,7 @@ private Set<Permission> permissionsForSingleRoleAssignee(RoleAssignee ra, DvObje
                         for (FileMetadata fm : df.getOwner().getReleasedVersion().getFileMetadatas()) {
                             if (df.equals(fm.getDataFile())) {
                                 retVal.add(Permission.DownloadFile);
+                                break;
                             }
                         }
                     }
@@ -281,10 +282,14 @@ private Set<Permission> permissionsForSingleRoleAssignee(RoleAssignee ra, DvObje
             }
         }
         
-        for (RoleAssignment asmnt : assignmentsFor(ra, d)) {
-            retVal.addAll(asmnt.getRole().permissions());
-        }
+        // Direct assignments to ra on d
+        assignmentsFor(ra, d).forEach( 
+                asmnt -> retVal.addAll(asmnt.getRole().permissions())
+        );
         
+        // Recurse up the group containment hierarchy.
+        groupService.groupsFor(ra, d).forEach(
+                grp -> retVal.addAll(permissionsForSingleRoleAssignee(grp, d)));
         return retVal;
     }
 
@@ -386,7 +391,7 @@ public List<Dataverse> getDataversesUserHasPermissionOn(AuthenticatedUser user,
          * query?
          */
         String query = "SELECT id FROM dvobject WHERE dtype = 'Dataverse' and id in (select definitionpoint_id from roleassignment where assigneeidentifier in (" + identifiers + "));";
-        logger.fine("query: " + query);
+        logger.log(Level.FINE, "query: {0}", query);
         Query nativeQuery = em.createNativeQuery(query);
         List<Integer> dataverseIdsToCheck = nativeQuery.getResultList();
         List<Dataverse> dataversesUserHasPermissionOn = new LinkedList<>();
diff --git a/src/main/java/edu/harvard/iq/dataverse/PermissionsWrapper.java b/src/main/java/edu/harvard/iq/dataverse/PermissionsWrapper.java
index 9a60f71d0df..3261cf1287c 100644
--- a/src/main/java/edu/harvard/iq/dataverse/PermissionsWrapper.java
+++ b/src/main/java/edu/harvard/iq/dataverse/PermissionsWrapper.java
@@ -8,6 +8,7 @@
 import edu.harvard.iq.dataverse.authorization.Permission;
 import edu.harvard.iq.dataverse.authorization.users.User;
 import edu.harvard.iq.dataverse.engine.command.Command;
+import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
 import edu.harvard.iq.dataverse.engine.command.impl.*;
 import java.util.HashMap;
 import java.util.Map;
@@ -42,7 +43,9 @@ public class PermissionsWrapper implements java.io.Serializable {
     /**
      * Check if the current Dataset can Issue Commands
      *
-     * @param commandName
+     * @param dvo Target dataverse object.
+     * @param command The command to execute
+     * @return {@code true} if the user can issue the command on the object.
      */
     public boolean canIssueCommand(DvObject dvo, Class<? extends Command> command) {
         if ((dvo==null) || (dvo.getId()==null)){
@@ -118,7 +121,7 @@ public boolean canManageDataversePermissions(User u, Dataverse dv) {
         if (u==null){            
             return false;
         }
-        return permissionService.userOn(u, dv).has(Permission.ManageDataversePermissions);
+        return permissionService.requestOn(dvRequestService.getDataverseRequest(), dv).has(Permission.ManageDataversePermissions);
     }
     
     public boolean canManageDatasetPermissions(User u, Dataset ds) {
@@ -128,15 +131,15 @@ public boolean canManageDatasetPermissions(User u, Dataset ds) {
         if (u==null){            
             return false;
         }
-        return permissionService.userOn(u, ds).has(Permission.ManageDatasetPermissions);
+        return permissionService.requestOn(dvRequestService.getDataverseRequest(), ds).has(Permission.ManageDatasetPermissions);
     }
 
-    public boolean canViewUnpublishedDataset(User user, Dataset dataset) {
-        return doesSessionUserHaveDataSetPermission(user, dataset, Permission.ViewUnpublishedDataset);
+    public boolean canViewUnpublishedDataset(DataverseRequest dr, Dataset dataset) {
+        return doesSessionUserHaveDataSetPermission(dr, dataset, Permission.ViewUnpublishedDataset);
     }
     
-    public boolean canUpdateDataset(User user, Dataset dataset) {
-        return doesSessionUserHaveDataSetPermission(user, dataset, Permission.EditDataset);
+    public boolean canUpdateDataset(DataverseRequest dr, Dataset dataset) {
+        return doesSessionUserHaveDataSetPermission(dr, dataset, Permission.EditDataset);
     }
     
             
@@ -147,12 +150,12 @@ public boolean canUpdateDataset(User user, Dataset dataset) {
      * 
      * Check Dataset related permissions
      * 
-     * @param user
+     * @param req
      * @param dataset
      * @param permissionToCheck
      * @return 
      */
-    public boolean doesSessionUserHaveDataSetPermission(User user, Dataset dataset, Permission permissionToCheck){
+    public boolean doesSessionUserHaveDataSetPermission(DataverseRequest req, Dataset dataset, Permission permissionToCheck){
         if (permissionToCheck == null){
             return false;
         }
@@ -167,8 +170,7 @@ public boolean doesSessionUserHaveDataSetPermission(User user, Dataset dataset,
         }
         
         // Check the permission
-        //
-        boolean hasPermission = this.permissionService.userOn(user, dataset).has(permissionToCheck);
+        boolean hasPermission = this.permissionService.requestOn(req, dataset).has(permissionToCheck);
 
         // Save the permission
         this.datasetPermissionMap.put(permName, hasPermission);
@@ -196,17 +198,16 @@ public boolean hasDownloadFilePermission(DvObject dvo){
 
         // Check permissions
         //
-        if (this.permissionService.on(dvo).has(Permission.DownloadFile)){
+        if ( permissionService.on(dvo).has(Permission.DownloadFile) ){
 
             // Yes, has permission, store result
-            //
-            this.fileDownloadPermissionMap.put(dvo.getId(), true);
+            fileDownloadPermissionMap.put(dvo.getId(), true);
             return true;
-        }else {
+            
+        } else {
         
             // No permission, store result
-            //
-            this.fileDownloadPermissionMap.put(dvo.getId(), false);
+            fileDownloadPermissionMap.put(dvo.getId(), false);
             return false;
         }
     }
diff --git a/src/main/java/edu/harvard/iq/dataverse/RoleAssigneeServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/RoleAssigneeServiceBean.java
index 76601774000..7c413d98e68 100644
--- a/src/main/java/edu/harvard/iq/dataverse/RoleAssigneeServiceBean.java
+++ b/src/main/java/edu/harvard/iq/dataverse/RoleAssigneeServiceBean.java
@@ -11,6 +11,8 @@
 import edu.harvard.iq.dataverse.authorization.groups.impl.explicit.ExplicitGroupServiceBean;
 import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
 import edu.harvard.iq.dataverse.authorization.users.GuestUser;
+import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
+import edu.harvard.iq.dataverse.mydata.MyDataFilterParams;
 import edu.harvard.iq.dataverse.privateurl.PrivateUrlUtil;
 import java.util.ArrayList;
 import java.util.List;
@@ -18,6 +20,7 @@
 import java.util.Set;
 import java.util.TreeMap;
 import java.util.logging.Logger;
+import java.util.stream.Collectors;
 import javax.annotation.PostConstruct;
 import javax.ejb.EJB;
 import javax.ejb.Stateless;
@@ -51,10 +54,10 @@ public class RoleAssigneeServiceBean {
     @EJB
     DataverseRoleServiceBean dataverseRoleService;
 
-    Map<String, RoleAssignee> predefinedRoleAssignees = new TreeMap<>();
+    protected Map<String, RoleAssignee> predefinedRoleAssignees = new TreeMap<>();
 
     @PostConstruct
-    void setup() {
+    protected void setup() {
         GuestUser gu = GuestUser.get();
         predefinedRoleAssignees.put(gu.getIdentifier(), gu);
         predefinedRoleAssignees.put(AuthenticatedUsers.get().getIdentifier(), AuthenticatedUsers.get());
@@ -126,15 +129,21 @@ private String getRoleIdListClause(List<Long> roleIdList) {
         return " AND r.role_id IN (" + StringUtils.join(outputList, ",") + ")";
     }
 
-    public List<DataverseRole> getAssigneeDataverseRoleFor(AuthenticatedUser au) {
-        String roleAssigneeIdentifier = "@" + au.getUserIdentifier();
-        if (roleAssigneeIdentifier == null) {
+    public List<DataverseRole> getAssigneeDataverseRoleFor(DataverseRequest dataverseRequest) {
+        
+        if (dataverseRequest == null){
+            throw new NullPointerException("dataverseRequest cannot be null!");
+        }
+        AuthenticatedUser au = dataverseRequest.getAuthenticatedUser();
+        if (au.getUserIdentifier() == null){
             return null;
         }
+        String roleAssigneeIdentifier = "@" + au.getUserIdentifier();
+
         List<DataverseRole> retList = new ArrayList();
         roleAssigneeIdentifier = roleAssigneeIdentifier.replaceAll("\\s", "");   // remove spaces from string
-        List<String> userGroups = getUserExplicitGroups(roleAssigneeIdentifier.replace("@", ""));
-        List<String> userRunTimeGroups = getUserRuntimeGroups(au);
+        List<String> userGroups = getUserExplicitGroups(au);
+        List<String> userRunTimeGroups = getUserRuntimeGroups(dataverseRequest);
         String identifierClause = " WHERE r.assigneeIdentifier= '" + roleAssigneeIdentifier + "'";
         if (userGroups != null || userRunTimeGroups != null) {
 
@@ -153,16 +162,25 @@ public List<DataverseRole> getAssigneeDataverseRoleFor(AuthenticatedUser au) {
         return retList;
     }
 
-    public List<Object[]> getAssigneeAndRoleIdListFor(AuthenticatedUser au, List<Long> roleIdList) {
-
-        String roleAssigneeIdentifier = "@" + au.getUserIdentifier();
-
-        if (roleAssigneeIdentifier == null) {
+    public List<Object[]> getAssigneeAndRoleIdListFor(MyDataFilterParams filterParams) {
+         
+        if (filterParams == null){
+            throw new NullPointerException("Cannot be null! filterParams must be an instance of MyDataFilterParams");
+        }
+        
+        AuthenticatedUser au = filterParams.getAuthenticatedUser();
+        List<Long> roleIdList = filterParams.getRoleIds();
+                        //filterParams.getAuthenticatedUser()
+                //                       , this.filterParams.getRoleIds());
+        
+        if (au.getUserIdentifier() == null) {
             return null;
         }
+        String roleAssigneeIdentifier = "@" + au.getUserIdentifier();
+        
         roleAssigneeIdentifier = roleAssigneeIdentifier.replaceAll("\\s", "");   // remove spaces from string
-        List<String> userExplicitGroups = getUserExplicitGroups(roleAssigneeIdentifier.replace("@", ""));
-        List<String> userRunTimeGroups = getUserRuntimeGroups(au);
+        List<String> userExplicitGroups = getUserExplicitGroups(au);
+        List<String> userRunTimeGroups = getUserRuntimeGroups(filterParams.getDataverseRequest());
         String identifierClause = " WHERE r.assigneeIdentifier= '" + roleAssigneeIdentifier + "'";
         if (userExplicitGroups != null || userRunTimeGroups != null) {
             identifierClause = getGroupIdentifierClause(roleAssigneeIdentifier, userExplicitGroups, userRunTimeGroups);
@@ -179,14 +197,18 @@ public List<Object[]> getAssigneeAndRoleIdListFor(AuthenticatedUser au, List<Lon
 
     }
 
-    public List<Long> getRoleIdListForGivenAssigneeDvObject(AuthenticatedUser au, List<Long> roleIdList, Long defPointId) {
-        String roleAssigneeIdentifier = "@" + au.getUserIdentifier();
-        if (roleAssigneeIdentifier == null) {
+    public List<Long> getRoleIdListForGivenAssigneeDvObject(DataverseRequest dataverseRequest, List<Long> roleIdList, Long defPointId) {
+        if (dataverseRequest == null){
+            throw new NullPointerException("dataverseRequest cannot be null!");
+        }
+        AuthenticatedUser au = dataverseRequest.getAuthenticatedUser();
+        if (au.getUserIdentifier() == null){
             return null;
         }
+        String roleAssigneeIdentifier = "@" + au.getUserIdentifier();
         roleAssigneeIdentifier = roleAssigneeIdentifier.replaceAll("\\s", "");   // remove spaces from string
-        List<String> userGroups = getUserExplicitGroups(roleAssigneeIdentifier.replace("@", ""));
-        List<String> userRunTimeGroups = getUserRuntimeGroups(au);
+        List<String> userGroups = getUserExplicitGroups(au);
+        List<String> userRunTimeGroups = getUserRuntimeGroups(dataverseRequest);
         String identifierClause = " WHERE r.assigneeIdentifier= '" + roleAssigneeIdentifier + "'";
         if (userGroups != null || userRunTimeGroups != null) {
             identifierClause = getGroupIdentifierClause(roleAssigneeIdentifier, userGroups, userRunTimeGroups);
@@ -245,15 +267,19 @@ private String getGroupIdentifierClause(String roleAssigneeIdentifier, List<Stri
 
     }
 
-    public List<Object[]> getRoleIdsFor(AuthenticatedUser au, List<Long> dvObjectIdList) {
-        String roleAssigneeIdentifier = "@" + au.getUserIdentifier();
-        if (roleAssigneeIdentifier == null) {
+    public List<Object[]> getRoleIdsFor(DataverseRequest dataverseRequest, List<Long> dvObjectIdList) {
+        if (dataverseRequest == null){
+            throw new NullPointerException("dataverseRequest cannot be null!");
+        }
+        AuthenticatedUser au = dataverseRequest.getAuthenticatedUser();
+        if (au.getUserIdentifier() == null){
             return null;
         }
+        String roleAssigneeIdentifier = "@" + au.getUserIdentifier();
 
         roleAssigneeIdentifier = roleAssigneeIdentifier.replaceAll("\\s", "");   // remove spaces from string
-        List<String> userGroups = getUserExplicitGroups(roleAssigneeIdentifier.replace("@", ""));
-        List<String> userRunTimeGroups = getUserRuntimeGroups(au);
+        List<String> userGroups = getUserExplicitGroups(au);
+        List<String> userRunTimeGroups = getUserRuntimeGroups(dataverseRequest);
         String identifierClause = " WHERE r.assigneeIdentifier= '" + roleAssigneeIdentifier + "'";
         if (userGroups != null || userRunTimeGroups != null) {
             identifierClause = getGroupIdentifierClause(roleAssigneeIdentifier, userGroups, userRunTimeGroups);
@@ -289,36 +315,35 @@ private String getDvObjectIdListClause(List<Long> dvObjectIdList) {
     }
 
     /**
-     * @todo Support groups within groups:
-     * https://github.com/IQSS/dataverse/issues/3056
+     * @param ra
+     * @todo Support groups within groups: https://github.com/IQSS/dataverse/issues/3056
+     * @return List of aliases of all explicit groups {@code ra} is in.
      */
-    public List<String> getUserExplicitGroups(String roleAssigneeIdentifier) {
-
-        String qstr = "select  groupalias from explicitgroup";
-        qstr += " where id in ";
-        qstr += " (select explicitgroup_id from explicitgroup_authenticateduser where containedauthenticatedusers_id = ";
-        qstr += " (select id from authenticateduser where useridentifier ='" + roleAssigneeIdentifier + "'";
-        qstr += "));";
-        //msg("qstr: " + qstr);
-
-        return em.createNativeQuery(qstr)
-                .getResultList();
+    public List<String> getUserExplicitGroups(RoleAssignee ra) {
+        return explicitGroupSvc.findGroups(ra).stream()
+                               .map( g -> g.getAlias())
+                               .collect(Collectors.toList());
     }
 
-    private List<String> getUserRuntimeGroups(AuthenticatedUser au) {
+    private List<String> getUserRuntimeGroups(DataverseRequest dataverseRequest) {
         List<String> retVal = new ArrayList();
 
-        Set<Group> groups = groupSvc.groupsFor(au, null);
-        StringBuilder sb = new StringBuilder();
+        //Set<Group> groups = groupSvc.groupsFor(dataverseRequest, null);
+        Set<Group> groups = groupSvc.collectAncestors(groupSvc.groupsFor(dataverseRequest));
         for (Group group : groups) {
             logger.fine("found group " + group.getIdentifier() + " with alias " + group.getAlias());
-            if (group.getGroupProvider().getGroupProviderAlias().equals("shib") || group.getGroupProvider().getGroupProviderAlias().equals("ip")) {
+           // if (group.getGroupProvider().getGroupProviderAlias().equals("shib") || group.getGroupProvider().getGroupProviderAlias().equals("ip")) {
                 String groupAlias = group.getAlias();
                 if (groupAlias != null && !groupAlias.isEmpty()) {
-                    retVal.add('&' + groupAlias);
+                    if( group instanceof ExplicitGroup){
+                        retVal.add("&explicit/" + groupAlias);
+                    } else{
+                        retVal.add('&' + groupAlias);
+                    }
                 }
-            }
+            //}
         }
+        logger.fine("retVal: " + retVal);
         return retVal;
     }
 
diff --git a/src/main/java/edu/harvard/iq/dataverse/Shib.java b/src/main/java/edu/harvard/iq/dataverse/Shib.java
index 3046a90fbbf..0fbf2929dfa 100644
--- a/src/main/java/edu/harvard/iq/dataverse/Shib.java
+++ b/src/main/java/edu/harvard/iq/dataverse/Shib.java
@@ -295,6 +295,10 @@ public String confirmAndCreateAccount() {
         if (au != null) {
             logger.fine("created user " + au.getIdentifier());
             logInUserAndSetShibAttributes(au);
+            /**
+             * @todo Move this to
+             * AuthenticationServiceBean.createAuthenticatedUser
+             */
             userNotificationService.sendNotification(au,
                     new Timestamp(new Date().getTime()),
                     UserNotification.Type.CREATEACC, null);
diff --git a/src/main/java/edu/harvard/iq/dataverse/api/AbstractApiBean.java b/src/main/java/edu/harvard/iq/dataverse/api/AbstractApiBean.java
index 2b2cb6f03fd..6068a2c6e1e 100644
--- a/src/main/java/edu/harvard/iq/dataverse/api/AbstractApiBean.java
+++ b/src/main/java/edu/harvard/iq/dataverse/api/AbstractApiBean.java
@@ -13,6 +13,7 @@
 import edu.harvard.iq.dataverse.MetadataBlockServiceBean;
 import edu.harvard.iq.dataverse.PermissionServiceBean;
 import edu.harvard.iq.dataverse.RoleAssigneeServiceBean;
+import edu.harvard.iq.dataverse.UserNotificationServiceBean;
 import edu.harvard.iq.dataverse.UserServiceBean;
 import edu.harvard.iq.dataverse.actionlogging.ActionLogServiceBean;
 import edu.harvard.iq.dataverse.authorization.AuthenticationServiceBean;
@@ -22,6 +23,7 @@
 import edu.harvard.iq.dataverse.authorization.users.GuestUser;
 import edu.harvard.iq.dataverse.authorization.users.PrivateUrlUser;
 import edu.harvard.iq.dataverse.authorization.users.User;
+import edu.harvard.iq.dataverse.confirmemail.ConfirmEmailServiceBean;
 import edu.harvard.iq.dataverse.engine.command.Command;
 import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
 import edu.harvard.iq.dataverse.engine.command.exception.CommandException;
@@ -175,11 +177,17 @@ String getWrappedMessageWhenJson() {
     @EJB
     protected PrivateUrlServiceBean privateUrlSvc;
 
+    @EJB
+    protected ConfirmEmailServiceBean confirmEmailSvc;
+
+    @EJB
+    protected UserNotificationServiceBean userNotificationSvc;
+
 	@PersistenceContext(unitName = "VDCNet-ejbPU")
 	protected EntityManager em;
     
     @Context
-    HttpServletRequest httpRequest;
+    protected HttpServletRequest httpRequest;
 	
     /**
      * For pretty printing (indenting) of JSON output.
@@ -480,4 +488,4 @@ public T get() {
     public T get()  {
         return ref.get();
     }
-}
\ No newline at end of file
+}
diff --git a/src/main/java/edu/harvard/iq/dataverse/api/Access.java b/src/main/java/edu/harvard/iq/dataverse/api/Access.java
index 13246042cc8..11746a19c04 100644
--- a/src/main/java/edu/harvard/iq/dataverse/api/Access.java
+++ b/src/main/java/edu/harvard/iq/dataverse/api/Access.java
@@ -10,11 +10,11 @@
 import edu.harvard.iq.dataverse.DataFile;
 import edu.harvard.iq.dataverse.FileMetadata;
 import edu.harvard.iq.dataverse.DataFileServiceBean;
-import edu.harvard.iq.dataverse.Dataset;
 import edu.harvard.iq.dataverse.DatasetVersion;
 import edu.harvard.iq.dataverse.DatasetVersionServiceBean;
 import edu.harvard.iq.dataverse.DatasetServiceBean;
 import edu.harvard.iq.dataverse.Dataverse;
+import edu.harvard.iq.dataverse.DataverseRequestServiceBean;
 import edu.harvard.iq.dataverse.DataverseServiceBean;
 import edu.harvard.iq.dataverse.DataverseSession;
 import edu.harvard.iq.dataverse.DataverseTheme;
@@ -36,7 +36,6 @@
 import edu.harvard.iq.dataverse.util.SystemConfig;
 import edu.harvard.iq.dataverse.worldmapauth.WorldMapTokenServiceBean;
 
-import java.util.List;
 import java.util.logging.Logger;
 import javax.ejb.EJB;
 import java.io.InputStream;
@@ -47,6 +46,7 @@
 import java.io.OutputStream;
 import java.util.ArrayList;
 import java.util.Properties;
+import java.util.logging.Level;
 import javax.inject.Inject;
 
 import javax.ws.rs.GET;
@@ -111,7 +111,10 @@ public class Access extends AbstractApiBean {
     DataverseSession session;
     @EJB
     WorldMapTokenServiceBean worldMapTokenServiceBean;
-
+    @Inject
+    DataverseRequestServiceBean dvRequestService;
+    
+    
     private static final String API_KEY_HEADER = "X-Dataverse-key";    
 
     //@EJB
@@ -938,7 +941,6 @@ private boolean isAccessAuthorized(DataFile df, String apiToken) {
             }
         }
         
-        
         if (!restricted) {
             // And if they are not published, they can still be downloaded, if the user
             // has the permission to view unpublished versions! (this case will 
@@ -992,7 +994,7 @@ private boolean isAccessAuthorized(DataFile df, String apiToken) {
                 logger.fine("calling apiTokenUser = findUserOrDie()...");
                 apiTokenUser = findUserOrDie();
             } catch (WrappedResponse wr) {
-                logger.fine("Message from findUserOrDie(): " + wr.getMessage());
+                logger.log(Level.FINE, "Message from findUserOrDie(): {0}", wr.getMessage());
             }
             
             if (apiTokenUser == null) {
@@ -1008,22 +1010,31 @@ private boolean isAccessAuthorized(DataFile df, String apiToken) {
             // If the file is not published, they can still download the file, if the user
             // has the permission to view unpublished versions:
             
-            if (permissionService.userOn(user, df.getOwner()).has(Permission.ViewUnpublishedDataset)) {
-                if (user != null) {
+            if ( user != null ) {
+                // used in JSF context
+                if (permissionService.requestOn(dvRequestService.getDataverseRequest(), df.getOwner()).has(Permission.ViewUnpublishedDataset)) {
                     // it's not unthinkable, that a null user (i.e., guest user) could be given
                     // the ViewUnpublished permission!
-                    logger.fine("Session-based auth: user " + user.getIdentifier() + " has access rights on the non-restricted, unpublished datafile.");
+                    logger.log(Level.FINE, "Session-based auth: user {0} has access rights on the non-restricted, unpublished datafile.", user.getIdentifier());
+                    return true;
                 }
-                return true;
             }
             
             if (apiTokenUser != null) {
-                if (permissionService.userOn(apiTokenUser, df.getOwner()).has(Permission.ViewUnpublishedDataset)) {
-                    logger.fine("Session-based auth: user " + apiTokenUser.getIdentifier() + " has access rights on the non-restricted, unpublished datafile.");
+                // used in an API context
+                if (permissionService.requestOn( createDataverseRequest(apiTokenUser), df.getOwner()).has(Permission.ViewUnpublishedDataset)) {
+                    logger.log(Level.FINE, "Session-based auth: user {0} has access rights on the non-restricted, unpublished datafile.", apiTokenUser.getIdentifier());
                     return true;
                 }
             }
             
+            // last option - guest user in either contexts
+            // Guset user is impled by the code above.
+            if ( permissionService.requestOn(dvRequestService.getDataverseRequest(), df.getOwner()).has(Permission.ViewUnpublishedDataset) ) {
+                return true;
+            }
+                    
+            
             // We don't want to return false just yet. 
             // If all else fails, we'll want to use the special WorldMapAuth 
             // token authentication before we give up. 
@@ -1040,7 +1051,7 @@ private boolean isAccessAuthorized(DataFile df, String apiToken) {
             // User from the Session object, just like in the code fragment 
             // above. That's why it's not passed along as an argument.
                 hasAccessToRestrictedBySession = true; 
-            } else if (apiTokenUser != null && permissionService.userOn(apiTokenUser, df).has(Permission.DownloadFile)) {
+            } else if (apiTokenUser != null && permissionService.requestOn(createDataverseRequest(apiTokenUser), df).has(Permission.DownloadFile)) {
                 hasAccessToRestrictedByToken = true; 
             }
             
@@ -1048,33 +1059,34 @@ private boolean isAccessAuthorized(DataFile df, String apiToken) {
                 if (published) {
                     if (hasAccessToRestrictedBySession) {
                         if (user != null) {
-                            logger.fine("Session-based auth: user " + user.getIdentifier() + " is granted access to the restricted, published datafile.");
+                            logger.log(Level.FINE, "Session-based auth: user {0} is granted access to the restricted, published datafile.", user.getIdentifier());
                         } else {
                             logger.fine("Session-based auth: guest user is granted access to the restricted, published datafile.");
                         }
                     } else {
-                        logger.fine("Token-based auth: user " + apiTokenUser.getIdentifier() + " is granted access to the restricted, published datafile.");
+                        logger.log(Level.FINE, "Token-based auth: user {0} is granted access to the restricted, published datafile.", apiTokenUser.getIdentifier());
                     }
                     return true;
                 } else {
                     // if the file is NOT published, we will let them download the 
                     // file ONLY if they also have the permission to view 
-                    // unpublished verions:
+                    // unpublished versions:
                     // Note that the code below does not allow a case where it is the
                     // session user that has the permission on the file, and the API token 
                     // user with the ViewUnpublished permission, or vice versa!
                     if (hasAccessToRestrictedBySession) {
                         if (permissionService.on(df.getOwner()).has(Permission.ViewUnpublishedDataset)) {
                             if (user != null) {
-                                logger.fine("Session-based auth: user " + user.getIdentifier() + " is granted access to the restricted, unpublished datafile.");
+                                logger.log(Level.FINE, "Session-based auth: user {0} is granted access to the restricted, unpublished datafile.", user.getIdentifier());
                             } else {
                                 logger.fine("Session-based auth: guest user is granted access to the restricted, unpublished datafile.");
                             }
                             return true;
                         } 
                     } else {
-                        if (apiTokenUser != null && permissionService.userOn(apiTokenUser, df.getOwner()).has(Permission.ViewUnpublishedDataset)) {
-                            logger.fine("Token-based auth: user " + apiTokenUser.getIdentifier() + " is granted access to the restricted, unpublished datafile.");
+                        if (apiTokenUser != null && permissionService.requestOn(createDataverseRequest(apiTokenUser), df.getOwner()).has(Permission.ViewUnpublishedDataset)) {
+                            logger.log(Level.FINE, "Token-based auth: user {0} is granted access to the restricted, unpublished datafile.", apiTokenUser.getIdentifier());
+                            return true;
                         }
                     }
                 }
@@ -1111,7 +1123,7 @@ private boolean isAccessAuthorized(DataFile df, String apiToken) {
                 logger.fine("calling user = findUserOrDie()...");
                 user = findUserOrDie();
             } catch (WrappedResponse wr) {
-                logger.fine("Message from findUserOrDie(): " + wr.getMessage());
+                logger.log(Level.FINE, "Message from findUserOrDie(): {0}", wr.getMessage());
             }
             
             if (user == null) {
@@ -1119,34 +1131,34 @@ private boolean isAccessAuthorized(DataFile df, String apiToken) {
                 return false;
             } 
             
-            if (permissionService.userOn(user, df).has(Permission.DownloadFile)) { 
+        if (permissionService.requestOn(createDataverseRequest(user), df).has(Permission.DownloadFile)) { 
                 if (published) {
-                    logger.fine("API token-based auth: User " + user.getIdentifier() + " has rights to access the datafile.");
+                    logger.log(Level.FINE, "API token-based auth: User {0} has rights to access the datafile.", user.getIdentifier());
                     return true; 
                 } else {
                     // if the file is NOT published, we will let them download the 
                     // file ONLY if they also have the permission to view 
-                    // unpublished verions:
-                    if (permissionService.userOn(user, df.getOwner()).has(Permission.ViewUnpublishedDataset)) {
-                        logger.fine("API token-based auth: User " + user.getIdentifier() + " has rights to access the (unpublished) datafile.");
+                    // unpublished versions:
+                    if (permissionService.requestOn(createDataverseRequest(user), df.getOwner()).has(Permission.ViewUnpublishedDataset)) {
+                        logger.log(Level.FINE, "API token-based auth: User {0} has rights to access the (unpublished) datafile.", user.getIdentifier());
                         return true;
                     } else {
-                        logger.fine("API token-based auth: User " + user.getIdentifier() + " is not authorized to access the (unpublished) datafile.");
+                        logger.log(Level.FINE, "API token-based auth: User {0} is not authorized to access the (unpublished) datafile.", user.getIdentifier());
                     }
                 }
             } else {
-                logger.fine("API token-based auth: User " + user.getIdentifier() + " is not authorized to access the datafile.");
+                logger.log(Level.FINE, "API token-based auth: User {0} is not authorized to access the datafile.", user.getIdentifier());
             }
             
             return false;
         } 
         
         if (user != null) {
-            logger.fine("Session-based auth: user " + user.getIdentifier() + " has NO access rights on the requested datafile.");
+            logger.log(Level.FINE, "Session-based auth: user {0} has NO access rights on the requested datafile.", user.getIdentifier());
         } 
         
         if (apiTokenUser != null) {
-            logger.fine("Token-based auth: user " + apiTokenUser.getIdentifier() + " has NO access rights on the requested datafile.");
+            logger.log(Level.FINE, "Token-based auth: user {0} has NO access rights on the requested datafile.", apiTokenUser.getIdentifier());
         } 
         
         if (user == null && apiTokenUser == null) {
@@ -1154,7 +1166,6 @@ private boolean isAccessAuthorized(DataFile df, String apiToken) {
         }
         
         return false; 
-    }
-    
+    }   
             
 }
\ No newline at end of file
diff --git a/src/main/java/edu/harvard/iq/dataverse/api/Admin.java b/src/main/java/edu/harvard/iq/dataverse/api/Admin.java
index 0026ec85a6b..ac1128d3aeb 100644
--- a/src/main/java/edu/harvard/iq/dataverse/api/Admin.java
+++ b/src/main/java/edu/harvard/iq/dataverse/api/Admin.java
@@ -3,7 +3,6 @@
 import edu.harvard.iq.dataverse.Dataverse;
 import edu.harvard.iq.dataverse.EMailValidator;
 import edu.harvard.iq.dataverse.actionlogging.ActionLogRecord;
-import static edu.harvard.iq.dataverse.api.AbstractApiBean.errorResponse;
 import edu.harvard.iq.dataverse.api.dto.RoleDTO;
 import edu.harvard.iq.dataverse.authorization.AuthenticatedUserDisplayInfo;
 import edu.harvard.iq.dataverse.authorization.AuthenticationProvider;
@@ -18,6 +17,9 @@
 import edu.harvard.iq.dataverse.authorization.providers.shib.ShibServiceBean;
 import edu.harvard.iq.dataverse.authorization.providers.shib.ShibUtil;
 import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
+import edu.harvard.iq.dataverse.confirmemail.ConfirmEmailData;
+import edu.harvard.iq.dataverse.confirmemail.ConfirmEmailException;
+import edu.harvard.iq.dataverse.confirmemail.ConfirmEmailInitResponse;
 import edu.harvard.iq.dataverse.engine.command.impl.PublishDataverseCommand;
 import edu.harvard.iq.dataverse.settings.Setting;
 import javax.json.Json;
@@ -34,6 +36,7 @@
 import static edu.harvard.iq.dataverse.util.json.NullSafeJsonBuilder.jsonObjectBuilder;
 import static edu.harvard.iq.dataverse.util.json.JsonPrinter.*;
 import java.io.StringReader;
+import java.util.List;
 import java.util.Map;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -45,6 +48,7 @@
 import javax.validation.ConstraintViolationException;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.Response.Status;
+import static edu.harvard.iq.dataverse.api.AbstractApiBean.errorResponse;
 /**
  * Where the secure, setup API calls live.
  * @author michael
@@ -64,9 +68,8 @@ public class Admin extends AbstractApiBean {
     @GET
     public Response listAllSettings() {
         JsonObjectBuilder bld = jsonObjectBuilder();
-        for ( Setting s : settingsSvc.listAll() ) {
-            bld.add(s.getName(), s.getContent());
-        }
+        settingsSvc.listAll().forEach(
+            s -> bld.add(s.getName(), s.getContent())); 
         return okResponse(bld);
     }
     
@@ -528,6 +531,50 @@ public Response validate() {
         return okResponse(msg);
     }
 
+    /**
+     * This method is used in integration tests.
+     *
+     * @param userId The database id of an AuthenticatedUser.
+     * @return The confirm email token.
+     */
+    @Path("confirmEmail/{userId}")
+    @GET
+    public Response getConfirmEmailToken(@PathParam("userId") long userId) {
+        AuthenticatedUser user = authSvc.findByID(userId);
+        if (user != null) {
+            ConfirmEmailData confirmEmailData = confirmEmailSvc.findSingleConfirmEmailDataByUser(user);
+            if (confirmEmailData != null) {
+                return okResponse(Json.createObjectBuilder().add("token", confirmEmailData.getToken()));
+            }
+        }
+        return errorResponse(Status.BAD_REQUEST, "Could not find confirm email token for user " + userId);
+    }
+
+    /**
+     * This method is used in integration tests.
+     *
+     * @param userId The database id of an AuthenticatedUser.
+     */
+    @Path("confirmEmail/{userId}")
+    @POST
+    public Response startConfirmEmailProcess(@PathParam("userId") long userId) {
+        AuthenticatedUser user = authSvc.findByID(userId);
+        if (user != null) {
+            try {
+                ConfirmEmailInitResponse confirmEmailInitResponse = confirmEmailSvc.beginConfirm(user);
+                ConfirmEmailData confirmEmailData = confirmEmailInitResponse.getConfirmEmailData();
+                return okResponse(
+                        Json.createObjectBuilder()
+                        .add("tokenCreated", confirmEmailData.getCreated().toString())
+                        .add("identifier", user.getUserIdentifier()
+                        ));
+            } catch (ConfirmEmailException ex) {
+                return errorResponse(Status.BAD_REQUEST, "Could not start confirm email process for user " + userId + ": " + ex.getLocalizedMessage());
+            }
+        }
+        return errorResponse(Status.BAD_REQUEST, "Could not find user based on " + userId);
+    }
+
     /**
      * This method is used by an integration test in UsersIT.java to exercise
      * bug https://github.com/IQSS/dataverse/issues/3287 . Not for use by users!
@@ -538,10 +585,22 @@ public Response convertUserFromBcryptToSha1(String json) {
         JsonReader jsonReader = Json.createReader(new StringReader(json));
         JsonObject object = jsonReader.readObject();
         jsonReader.close();
-        BuiltinUser builtinUser  = builtinUserService.find(new Long(object.getInt("builtinUserId")));
+        BuiltinUser builtinUser = builtinUserService.find(new Long(object.getInt("builtinUserId")));
         builtinUser.updateEncryptedPassword("4G7xxL9z11/JKN4jHPn4g9iIQck=", 0); // password is "sha-1Pass", 0 means SHA-1
         BuiltinUser savedUser = builtinUserService.save(builtinUser);
         return okResponse("foo: " + savedUser);
+
     }
 
+    
+    
+    @Path("assignments/assignees/{raIdtf: .*}")
+    @GET
+    public Response getAssignmentsFor( @PathParam("raIdtf") String raIdtf ) {
+        
+        JsonArrayBuilder arr = Json.createArrayBuilder();
+        roleAssigneeSvc.getAssignmentsFor(raIdtf).forEach( a -> arr.add(json(a)));
+        
+        return okResponse(arr);
+    }
 }
diff --git a/src/main/java/edu/harvard/iq/dataverse/api/BuiltinUsers.java b/src/main/java/edu/harvard/iq/dataverse/api/BuiltinUsers.java
index 1460e11f6be..2709e17387e 100644
--- a/src/main/java/edu/harvard/iq/dataverse/api/BuiltinUsers.java
+++ b/src/main/java/edu/harvard/iq/dataverse/api/BuiltinUsers.java
@@ -1,5 +1,6 @@
 package edu.harvard.iq.dataverse.api;
 
+import edu.harvard.iq.dataverse.UserNotification;
 import edu.harvard.iq.dataverse.actionlogging.ActionLogRecord;
 import edu.harvard.iq.dataverse.authorization.UserRecordIdentifier;
 import edu.harvard.iq.dataverse.authorization.providers.builtin.BuiltinAuthenticationProvider;
@@ -8,7 +9,6 @@
 import edu.harvard.iq.dataverse.authorization.providers.builtin.PasswordEncryption;
 import edu.harvard.iq.dataverse.authorization.users.ApiToken;
 import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
-import edu.harvard.iq.dataverse.util.json.JsonPrinter;
 import java.sql.Timestamp;
 import java.util.Calendar;
 import java.util.logging.Level;
@@ -24,8 +24,9 @@
 import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.Response.Status;
-import static edu.harvard.iq.dataverse.util.json.JsonPrinter.json;
 import static edu.harvard.iq.dataverse.util.json.JsonPrinter.jsonForAuthUser;
+import static edu.harvard.iq.dataverse.util.json.JsonPrinter.json;
+import java.util.Date;
 
 /**
  * REST API bean for managing {@link BuiltinUser}s.
@@ -123,6 +124,15 @@ private Response internalSave(BuiltinUser user, String password, String key) {
                     user.getUserName(), 
                     user.getDisplayInfo(),
                     false);
+
+            /**
+             * @todo Move this to
+             * AuthenticationServiceBean.createAuthenticatedUser
+             */
+            userNotificationSvc.sendNotification(au,
+                    new Timestamp(new Date().getTime()),
+                    UserNotification.Type.CREATEACC, null);
+
             ApiToken token = new ApiToken();
 
             token.setTokenString(java.util.UUID.randomUUID().toString());
diff --git a/src/main/java/edu/harvard/iq/dataverse/api/Dataverses.java b/src/main/java/edu/harvard/iq/dataverse/api/Dataverses.java
index 2c0322e719c..3c676f5d665 100644
--- a/src/main/java/edu/harvard/iq/dataverse/api/Dataverses.java
+++ b/src/main/java/edu/harvard/iq/dataverse/api/Dataverses.java
@@ -79,6 +79,7 @@
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.Response.Status;
 import static edu.harvard.iq.dataverse.util.json.JsonPrinter.json;
+import static edu.harvard.iq.dataverse.util.json.JsonPrinter.toJsonArray;
 
 /**
  * A REST API for dataverses.
@@ -322,7 +323,9 @@ public Response setMetadataRoot( @PathParam("identifier")String dvIdtf, String b
     @Path("{identifier}/facets/")
     public Response listFacets( @PathParam("identifier") String dvIdtf ) {
         try {
-            return okResponse( json(execCommand(new ListFacetsCommand(createDataverseRequest(findUserOrDie()), findDataverseOrDie(dvIdtf)) )));
+            return okResponse(
+                        execCommand(new ListFacetsCommand(createDataverseRequest(findUserOrDie()), findDataverseOrDie(dvIdtf)) )
+                            .stream().map(f->json(f).build()).collect(toJsonArray()));
         } catch (WrappedResponse wr) {
             return wr.getResponse();
         }
@@ -538,7 +541,12 @@ public Response createExplicitGroup( ExplicitGroupDTO dto, @PathParam("identifie
     @Path("{identifier}/groups/") 
     public Response listGroups( @PathParam("identifier") String dvIdtf, @QueryParam("key") String apiKey ) {
         try {
-            return okResponse( json(execCommand(new ListExplicitGroupsCommand(createDataverseRequest(findUserOrDie()), findDataverseOrDie(dvIdtf)) )));
+            JsonArrayBuilder arr = Json.createArrayBuilder();
+            execCommand(new ListExplicitGroupsCommand(createDataverseRequest(findUserOrDie()), findDataverseOrDie(dvIdtf)))
+                        .stream().map( eg->json(eg))
+                    .forEach( arr::add );
+            return okResponse( arr );
+            
         } catch (WrappedResponse wr) {
             return wr.getResponse();
         }
@@ -599,6 +607,7 @@ public Response deleteGroup(@PathParam("identifier") String dvIdtf,
     
     @POST
     @Path("{identifier}/groups/{aliasInOwner}/roleAssignees") 
+    @Consumes("application/json")
     public Response addRoleAssingees(List<String> roleAssingeeIdentifiers, 
                                 @PathParam("identifier") String dvIdtf,
                                 @PathParam("aliasInOwner") String grpAliasInOwner)
diff --git a/src/main/java/edu/harvard/iq/dataverse/api/Groups.java b/src/main/java/edu/harvard/iq/dataverse/api/Groups.java
index bbec80b5bc6..ec6815405d9 100644
--- a/src/main/java/edu/harvard/iq/dataverse/api/Groups.java
+++ b/src/main/java/edu/harvard/iq/dataverse/api/Groups.java
@@ -12,6 +12,7 @@
 import static edu.harvard.iq.dataverse.util.json.JsonPrinter.*;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import java.util.regex.Pattern;
 import javax.annotation.PostConstruct;
 import javax.json.Json;
 import javax.json.JsonArrayBuilder;
@@ -19,7 +20,9 @@
 import javax.json.JsonString;
 import javax.ws.rs.DELETE;
 import javax.ws.rs.POST;
+import javax.ws.rs.PUT;
 import javax.ws.rs.PathParam;
+
 /**
  *
  * @author michael
@@ -32,22 +35,30 @@ public class Groups extends AbstractApiBean {
     private IpGroupProvider ipGroupPrv;
     private ShibGroupProvider shibGroupPrv;
     
+    Pattern legalGroupName = Pattern.compile("^[-_a-zA-Z0-9]+$");
+    
     @PostConstruct
     void postConstruct() {
         ipGroupPrv = groupSvc.getIpGroupProvider();
         shibGroupPrv = groupSvc.getShibGroupProvider();
     }
     
+    /**
+     * Creates a new {@link IpGroup}. The name of the group is based on the 
+     * {@code alias:} field, but might be changed to ensure uniqueness.
+     * @param dto 
+     * @return Response describing the created group or the error that prevented
+     *         that group from being created.
+     */
     @POST
     @Path("ip")
-    public Response createIpGroups( JsonObject dto ){
+    public Response postIpGroup( JsonObject dto ){
         try {
-           IpGroup grp = new JsonParser(null,null,null).parseIpGroup(dto);
-            
-            if ( grp.getPersistedGroupAlias()== null ) {
-                return errorResponse(Response.Status.BAD_REQUEST, "Must provide valid group alias");
-            }
-            grp.setProvider( groupSvc.getIpGroupProvider() );
+           IpGroup grp = new JsonParser().parseIpGroup(dto);
+            grp.setGroupProvider( ipGroupPrv );
+            grp.setPersistedGroupAlias(
+                    ipGroupPrv.findAvailableName( 
+                            grp.getPersistedGroupAlias()==null ? "ipGroup" : grp.getPersistedGroupAlias()));
             
             grp = ipGroupPrv.store(grp);
             return createdResponse("/groups/ip/" + grp.getPersistedGroupAlias(), json(grp) );
@@ -59,6 +70,35 @@ public Response createIpGroups( JsonObject dto ){
         }
     }
     
+    /**
+     * Creates or updates the {@link IpGroup} named {@code groupName}.
+     * @param groupName Name of the group.
+     * @param dto data of the group.
+     * @return Response describing the created group or the error that prevented
+     *         that group from being created.
+     */
+    @PUT
+    @Path("ip/{groupName}")
+    public Response putIpGroups( @PathParam("groupName") String groupName, JsonObject dto ){
+        try {
+            if ( groupName == null || groupName.trim().isEmpty() ) {
+                return badRequest("Group name cannot be empty");
+            }
+            if ( ! legalGroupName.matcher(groupName).matches() ) {
+                return badRequest("Group name can contain only letters, digits, and the chars '-' and '_'");
+            }
+            IpGroup grp = new JsonParser().parseIpGroup(dto);
+            grp.setGroupProvider( ipGroupPrv );
+            grp.setPersistedGroupAlias( groupName );
+            grp = ipGroupPrv.store(grp);
+            return createdResponse("/groups/ip/" + grp.getPersistedGroupAlias(), json(grp) );
+        
+        } catch ( Exception e ) {
+            logger.log( Level.WARNING, "Error while storing a new IP group: " + e.getMessage(), e);
+            return errorResponse(Response.Status.INTERNAL_SERVER_ERROR, "Error: " + e.getMessage() );
+            
+        }
+    }
     
     @GET
     @Path("ip")
@@ -99,8 +139,18 @@ public Response deleteIpGroup( @PathParam("groupIdtf") String groupIdtf ) {
         try {
             ipGroupPrv.deleteGroup(grp);
             return okResponse("Group " + grp.getAlias() + " deleted.");
-        } catch ( IllegalArgumentException ex ) {
-            return errorResponse(Response.Status.BAD_REQUEST, ex.getMessage());
+        } catch ( Exception topExp ) {
+            // get to the cause (unwraps EJB exception wrappers).
+            Throwable e = topExp;
+            while ( e.getCause() != null ) {
+                e = e.getCause();
+            }
+            
+            if ( e instanceof IllegalArgumentException ) {
+                return errorResponse(Response.Status.BAD_REQUEST, e.getMessage());
+            } else {
+                throw topExp;
+            }
         }
     }
     
diff --git a/src/main/java/edu/harvard/iq/dataverse/api/Index.java b/src/main/java/edu/harvard/iq/dataverse/api/Index.java
index 6ccc228cf32..e217b146dd6 100644
--- a/src/main/java/edu/harvard/iq/dataverse/api/Index.java
+++ b/src/main/java/edu/harvard/iq/dataverse/api/Index.java
@@ -572,7 +572,7 @@ public Response searchDebug(
         int numResultsPerPage = Integer.MAX_VALUE;
         SolrQueryResponse solrQueryResponse;
         try {
-            solrQueryResponse = searchService.search(user, subtreeScope, query, filterQueries, sortField, sortOrder, paginationStart, dataRelatedToMe, numResultsPerPage);
+            solrQueryResponse = searchService.search(createDataverseRequest(user), subtreeScope, query, filterQueries, sortField, sortOrder, paginationStart, dataRelatedToMe, numResultsPerPage);
         } catch (SearchException ex) {
             return errorResponse(Response.Status.INTERNAL_SERVER_ERROR, ex.getLocalizedMessage() + ": " + ex.getCause().getLocalizedMessage());
         }
diff --git a/src/main/java/edu/harvard/iq/dataverse/api/MetadataBlocks.java b/src/main/java/edu/harvard/iq/dataverse/api/MetadataBlocks.java
index 599d8635afa..e0376f71412 100644
--- a/src/main/java/edu/harvard/iq/dataverse/api/MetadataBlocks.java
+++ b/src/main/java/edu/harvard/iq/dataverse/api/MetadataBlocks.java
@@ -11,6 +11,8 @@
 import static edu.harvard.iq.dataverse.util.json.JsonPrinter.json;
 import javax.ws.rs.PathParam;
 import static edu.harvard.iq.dataverse.util.json.JsonPrinter.json;
+import static edu.harvard.iq.dataverse.util.json.JsonPrinter.json;
+import static edu.harvard.iq.dataverse.util.json.JsonPrinter.json;
 
 /**
  * Api bean for managing metadata blocks.
diff --git a/src/main/java/edu/harvard/iq/dataverse/api/Search.java b/src/main/java/edu/harvard/iq/dataverse/api/Search.java
index c65084cedb7..9b8dfeb2045 100644
--- a/src/main/java/edu/harvard/iq/dataverse/api/Search.java
+++ b/src/main/java/edu/harvard/iq/dataverse/api/Search.java
@@ -110,7 +110,7 @@ public Response search(
             SolrQueryResponse solrQueryResponse;
             try {
                 solrQueryResponse = searchService.search(
-                        user,
+                        createDataverseRequest(user),
                         subtree,
                         query,
                         filterQueries,
diff --git a/src/main/java/edu/harvard/iq/dataverse/api/TestApi.java b/src/main/java/edu/harvard/iq/dataverse/api/TestApi.java
index 3483a0c790c..0cebd7dd716 100644
--- a/src/main/java/edu/harvard/iq/dataverse/api/TestApi.java
+++ b/src/main/java/edu/harvard/iq/dataverse/api/TestApi.java
@@ -2,6 +2,12 @@
 
 import edu.harvard.iq.dataverse.DvObject;
 import edu.harvard.iq.dataverse.authorization.RoleAssignee;
+import edu.harvard.iq.dataverse.authorization.groups.impl.explicit.ExplicitGroup;
+import edu.harvard.iq.dataverse.authorization.groups.impl.explicit.ExplicitGroupServiceBean;
+import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.IpGroup;
+import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.IpGroupsServiceBean;
+import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IPv4Address;
+import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IpAddress;
 import edu.harvard.iq.dataverse.authorization.providers.builtin.PasswordEncryption;
 import edu.harvard.iq.dataverse.authorization.users.User;
 import javax.ejb.Stateless;
@@ -10,8 +16,11 @@
 import javax.ws.rs.PathParam;
 import javax.ws.rs.core.Response;
 import static edu.harvard.iq.dataverse.util.json.JsonPrinter.*;
+import edu.harvard.iq.dataverse.util.json.NullSafeJsonBuilder;
+import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import javax.ejb.EJB;
 import javax.json.Json;
 import javax.json.JsonObjectBuilder;
 import javax.ws.rs.QueryParam;
@@ -33,6 +42,12 @@
 public class TestApi extends AbstractApiBean {
     private static final Logger logger = Logger.getLogger(TestApi.class.getName());
     
+    @EJB
+    ExplicitGroupServiceBean explicitGroups;
+    
+    @EJB
+    IpGroupsServiceBean ipGroupsSvc;
+    
     @Path("echo/{whatever}")
     @GET
     public Response echo( @PathParam("whatever") String body ) {
@@ -97,4 +112,36 @@ public Response testUserLookup() {
             return ex.getResponse();
         }
     }
+    
+    @Path("explicitGroups/{identifier: .*}")
+    @GET
+    public Response explicitGroupMembership( @PathParam("identifier") String idtf) {
+        final RoleAssignee roleAssignee = roleAssigneeSvc.getRoleAssignee(idtf);
+        if (roleAssignee==null ) {
+            return notFound("Can't find a role assignee with identifier " + idtf);
+        }
+        Set<ExplicitGroup> groups = explicitGroups.findGroups(roleAssignee);
+        logger.log(Level.INFO, "Groups for {0}: {1}", new Object[]{roleAssignee, groups});
+        return okResponse( groups.stream().map( g->json(g).build()).collect(toJsonArray()) );
+    }
+    
+    @Path("ipGroups/containing/{address}")
+    @GET
+    public Response getIpGroupsContaining( @PathParam("address") String addrStr ) {
+        try {
+            IpAddress addr = IpAddress.valueOf(addrStr);
+            
+            JsonObjectBuilder r = NullSafeJsonBuilder.jsonObjectBuilder();
+            r.add( "address", addr.toString() );
+            r.add( "addressRaw", (addr instanceof IPv4Address) ? ((IPv4Address)addr).toBigInteger().toString(): null);
+            r.add("groups", ipGroupsSvc.findAllIncludingIp(addr).stream()
+                    .map( IpGroup::toString )
+                    .collect(stringsToJsonArray()));
+            return okResponse( r );
+            
+        } catch ( IllegalArgumentException iae ) {
+            return badRequest(addrStr + " is not a valid address: " + iae.getMessage());
+        }
+    }
+    
 }
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/AuthenticationServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/authorization/AuthenticationServiceBean.java
index af826e622d9..c716129dc29 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/AuthenticationServiceBean.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/AuthenticationServiceBean.java
@@ -18,6 +18,8 @@
 import edu.harvard.iq.dataverse.authorization.providers.shib.ShibAuthenticationProvider;
 import edu.harvard.iq.dataverse.authorization.users.ApiToken;
 import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
+import edu.harvard.iq.dataverse.confirmemail.ConfirmEmailData;
+import edu.harvard.iq.dataverse.confirmemail.ConfirmEmailServiceBean;
 import edu.harvard.iq.dataverse.passwordreset.PasswordResetData;
 import edu.harvard.iq.dataverse.passwordreset.PasswordResetServiceBean;
 import java.sql.SQLException;
@@ -74,6 +76,9 @@ public class AuthenticationServiceBean {
     @EJB
     UserNotificationServiceBean userNotificationService;
 
+    @EJB
+    ConfirmEmailServiceBean confirmEmailService;
+    
     @EJB
     PasswordResetServiceBean passwordResetServiceBean;
 
@@ -214,17 +219,23 @@ public void removeApiToken(AuthenticatedUser user){
      * assignments, etc.
      * 
      * Longer term, the intention is to have a "disableAuthenticatedUser"
-     * method/command.
+     * method/command. See https://github.com/IQSS/dataverse/issues/2419
      */
     public void deleteAuthenticatedUser(Object pk) {
         AuthenticatedUser user = em.find(AuthenticatedUser.class, pk);
-        
-        
-        if (user!=null) {
+
+        if (user != null) {
             ApiToken apiToken = findApiTokenByUser(user);
             if (apiToken != null) {
                 em.remove(apiToken);
             }
+            ConfirmEmailData confirmEmailData = confirmEmailService.findSingleConfirmEmailDataByUser(user);
+            if (confirmEmailData != null) {
+                /**
+                 * @todo This could probably be a cascade delete instead.
+                 */
+                em.remove(confirmEmailData);
+            }
             for (UserNotification notification : userNotificationService.findByUser(user.getId())) {
                 userNotificationService.delete(notification);
             }
@@ -445,7 +456,20 @@ public AuthenticatedUser createAuthenticatedUser(UserRecordIdentifier userRecord
         AuthenticatedUserLookup auusLookup = userRecordId.createAuthenticatedUserLookup(authenticatedUser);
         em.persist( auusLookup );
         authenticatedUser.setAuthenticatedUserLookup(auusLookup);
-        
+
+        if (ShibAuthenticationProvider.PROVIDER_ID.equals(auusLookup.getAuthenticationProviderId())) {
+            Timestamp emailConfirmedNow = new Timestamp(new Date().getTime());
+            // Email addresses for Shib users are confirmed by the Identity Provider.
+            authenticatedUser.setEmailConfirmed(emailConfirmedNow);
+            authenticatedUser = save(authenticatedUser);
+        } else {
+            /**
+             * @todo Rather than creating a token directly here it might be
+             * better to do something like "startConfirmEmailProcessForNewUser".
+             */
+            confirmEmailService.createToken(authenticatedUser);
+        }
+
         actionLogSvc.log( new ActionLogRecord(ActionLogRecord.ActionType.Auth, "createUser")
             .setInfo(authenticatedUser.getIdentifier()));
 
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/MyDataQueryHelper.java b/src/main/java/edu/harvard/iq/dataverse/authorization/MyDataQueryHelper.java
deleted file mode 100644
index 3a06c0a02a1..00000000000
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/MyDataQueryHelper.java
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * To change this license header, choose License Headers in Project Properties.
- * To change this template file, choose Tools | Templates
- * and open the template in the editor.
- */
-package edu.harvard.iq.dataverse.authorization;
-
-import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
-import java.util.ArrayList;
-
-/**
- *
- * @author skraffmiller
- */
-public class MyDataQueryHelper {
-
-    private AuthenticatedUser user;
-    private ArrayList<String> dvObjectTypes;
-    private ArrayList<Long> directIds;
-    private ArrayList<Long> parentIds;
-    private final MyDataQueryHelperServiceBean myDataQueryHelperService;
-
-    public MyDataQueryHelper(AuthenticatedUser user, MyDataQueryHelperServiceBean injectedBean) {
-        this.user = user;
-        myDataQueryHelperService = injectedBean;
-        initializeLists();
-    }
-
-    private void initializeLists() {
-        initializeParentIds();
-        initializeDirectIds();
-    }
-
-    private void initializeParentIds() {
-        parentIds = new ArrayList();
-        parentIds.addAll(myDataQueryHelperService.getParentIds("Dataverse", "DataFile",  this.user));
-        parentIds.addAll(myDataQueryHelperService.getParentIds("Dataset", "DataFile",  this.user));
-        parentIds.addAll(myDataQueryHelperService.getParentIds("Dataverse", "Dataset",  this.user));
-    }
-
-    private void initializeDirectIds() {
-        directIds = new ArrayList();
-        directIds.addAll(myDataQueryHelperService.getDirectQuery(this.user).getResultList());
-    }
-
-    public String getSolrQueryString() {
-        /*(entityId:(20 11 592 7 17 24 14 15 21 18 25 19 22 23 12 2 8 3 16 4 9 5 13 6 10))*/
-
-        String retPrimaryString = "entityId:(";
-        if (this.directIds != null && !this.directIds.isEmpty()) {
-            for (Object id : this.directIds) {
-                Integer r1 = (Integer) id;
-                retPrimaryString += " " + r1;
-            }
-        }
-        retPrimaryString += ")";
-
-        String retParentString;
-
-        if (!getParentIds().isEmpty()) {
-            retParentString = "parentId:(";
-
-            for (Long id : getParentIds()) {
-                retParentString += " " + id;
-            }
-            retParentString += ")";
-            return "" + retPrimaryString + " OR " + retParentString + "";
-        }
-        return "" + retPrimaryString;
-    }
-
-    public AuthenticatedUser getUser() {
-        return user;
-    }
-
-    public void setUser(AuthenticatedUser user) {
-        this.user = user;
-    }
-
-    public ArrayList<String> getDvObjectTypes() {
-        return dvObjectTypes;
-    }
-
-    public void setDvObjectTypes(ArrayList<String> dvObjectTypes) {
-        this.dvObjectTypes = dvObjectTypes;
-    }
-
-    public ArrayList<Long> getParentIds() {
-        return parentIds;
-    }
-
-    public void setParentIds(ArrayList<Long> parentIds) {
-        this.parentIds = parentIds;
-    }
-
-}
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/MyDataQueryHelperServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/authorization/MyDataQueryHelperServiceBean.java
deleted file mode 100644
index 2bd577ceb5d..00000000000
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/MyDataQueryHelperServiceBean.java
+++ /dev/null
@@ -1,198 +0,0 @@
-/*
- * To change this license header, choose License Headers in Project Properties.
- * To change this template file, choose Tools | Templates
- * and open the template in the editor.
- */
-package edu.harvard.iq.dataverse.authorization;
-
-import edu.harvard.iq.dataverse.DataverseRoleServiceBean;
-import edu.harvard.iq.dataverse.DvObject;
-import edu.harvard.iq.dataverse.DvObjectServiceBean;
-import edu.harvard.iq.dataverse.RoleAssigneeServiceBean;
-import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
-import edu.harvard.iq.dataverse.mydata.MyDataFinder;
-import java.util.ArrayList;
-import java.util.List;
-import javax.ejb.EJB;
-import javax.ejb.Stateless;
-import javax.persistence.EntityManager;
-import javax.persistence.PersistenceContext;
-import javax.persistence.Query;
-import org.apache.commons.lang.StringUtils;
-
-/**
- *
- * @author skraffmi
- */
-@Stateless
-public class MyDataQueryHelperServiceBean {
-    
-    
-    @PersistenceContext(unitName = "VDCNet-ejbPU")
-    private EntityManager em;
-
-    @EJB
-    DataverseRoleServiceBean roleService;
-    
-    @EJB
-    DvObjectServiceBean dvObjectService;
-    
-    @EJB
-    DataverseRoleServiceBean dataverseRoleService;
-    
-    @EJB
-    RoleAssigneeServiceBean roleAssigneeService;
-    
-    public Query getDirectQuery( AuthenticatedUser user) {
-        return em.createNativeQuery("SELECT id FROM dvobject WHERE "
-                + " id in (select definitionpoint_id from roleassignment where assigneeidentifier in ('" + user.getIdentifier() + "'));");
-    }
-
-    public List<Long> getParentIds(String dtypeParent, String dtypeChild, AuthenticatedUser user) {
-        
-        List<DataverseRole> roleList = roleService.findAll();
-
-        DataverseRolePermissionHelper rolePermissionHelper = new DataverseRolePermissionHelper(roleList);
-        List<Long> retVal = new ArrayList();
-        List<Object[]> results = em.createNativeQuery("Select distinct role.role_id, dvo.id FROM dvobject dvo, roleassignment role WHERE  "
-                + " dtype = '" + dtypeParent + "'"
-                + " and dvo.id = role.definitionpoint_id"
-                + " and role.role_id in (select role_id from roleassignment where assigneeidentifier in ('" + user.getIdentifier() + "') "
-                + ");").getResultList();
-        for (Object[] result : results) {
-            Long role_id = (Long) result[0];
-            
-            if (dtypeParent.equals("Dataverse") && dtypeChild.equals("Dataset") && rolePermissionHelper.hasDatasetPermissions(role_id)) {
-                Integer r1 = (Integer) result[1];
-                retVal.add(r1.longValue());
-            }
-
-            if (dtypeParent.equals("Dataverse") && dtypeChild.equals("DataFile") && rolePermissionHelper.hasFilePermissions(role_id)) {
-                List<Object> dsIds = em.createNativeQuery("Select id from dvobject where dtype = 'Dataset' and owner_id = " + (Integer) result[1] + ";").getResultList();
-                for (Object dsId : dsIds) {
-                    Integer r1 = (Integer) dsId;
-                    retVal.add(r1.longValue());
-                }
-            }
-
-            if (dtypeParent.equals("Dataset")) {
-                if (rolePermissionHelper.hasFilePermissions(role_id)) {
-                    Integer r1 = (Integer) result[1];
-                    retVal.add(r1.longValue());
-                }
-            }
-        }
-        return retVal;
-    }
-    
-     private String getRoleIdListClause(List<Long> roleIdList){
-        if (roleIdList == null){
-            return "";
-        }
-        List<String> outputList = new ArrayList<>();
-        
-        for(Long r : roleIdList){
-            if (r != null){
-                outputList.add(r.toString());
-            }
-        }
-        if (outputList.isEmpty()){
-            return "";
-        }        
-        return " AND role.role_id IN (" + StringUtils.join(outputList, ",") + ")";        
-    }
-    
-    public List<String> getRolesOnDVO(AuthenticatedUser user, Long dvoId, List<Long> roleIdList, MyDataFinder finder) {
-
-        List<String> retVal = new ArrayList();
-
-        DvObject objectIn = dvObjectService.findDvObject(dvoId);
-        List idsForSelect = new ArrayList();
-        
-        for (Long roleId : roleIdList) {
-
-            if (objectIn.isInstanceofDataverse()){
-                idsForSelect.add(roleId);
-            }
-            if (objectIn.isInstanceofDataset() && (finder.getRolePermissionHelper().hasDatasetPermissions(roleId) || finder.getRolePermissionHelper().hasFilePermissions(roleId))){
-                idsForSelect.add(roleId);
-            }
-            if (objectIn.isInstanceofDataFile() &&  finder.getRolePermissionHelper().hasFilePermissions(roleId)){
-                idsForSelect.add(roleId);
-            }
-
-        }
-        
-        List<Long> roles = roleAssigneeService.getRoleIdListForGivenAssigneeDvObject(user, idsForSelect, dvoId);
-        
-       /* List<Object> results = em.createNativeQuery("Select distinct role.role_id FROM roleassignment role WHERE  "
-                + " role.definitionpoint_id = " + dvoId + " "
-                + " and role.role_id in (select role_id from roleassignment where assigneeidentifier in ('" + user.getIdentifier() + "') "
-                + ")"
-                + roleClause
-                + ";").getResultList();*/
-        if (roles != null && !roles.isEmpty()) {
-            for (Object result : roles) {
-                Long role_id = (Long) result;
-                DataverseRole role = roleService.find(role_id);
-                if (!retVal.contains(role.getName())) {
-                    retVal.add(role.getName());
-                }
-            }
-        }
-        //If there are roles on the object return
-        //else continue to parent
-        if (!retVal.isEmpty()){
-            return retVal;
-        }
-        
-        Object parentObj = em.createNativeQuery("Select owner_id from dvobject where id = " + dvoId).getSingleResult();
-        Long parentId = (Long) parentObj;
-        /*
-        List<Object> resultsParent = em.createNativeQuery("Select distinct role.role_id FROM roleassignment role WHERE  "
-                + " role.definitionpoint_id = " + parentId + " "
-                + " and role.role_id in (select role_id from roleassignment where assigneeidentifier in ('" + user.getIdentifier() + "') "
-                + ")"
-                + roleClause
-                + ";").getResultList();*/
-        List<Long> resultsParent = roleAssigneeService.getRoleIdListForGivenAssigneeDvObject(user, idsForSelect, parentId);
-        if (resultsParent != null && !resultsParent.isEmpty()) {
-            for (Object result : resultsParent) {
-                Long role_id = (Long) result;
-                DataverseRole role = roleService.find(role_id);
-                if (!retVal.contains(role.getName())) {
-                    retVal.add(role.getName());
-                }
-            }
-        }
-        //If there are roles on the parent return
-        //else continue to grandparent
-        if (!retVal.isEmpty()){
-            return retVal;
-        }
-        
-        Object GrandParentObj = em.createNativeQuery("Select owner_id from dvobject where id = " + parentId).getSingleResult();
-        Long grandParentId = (Long) GrandParentObj;
-        /*
-        List<Object> resultsGrandParent = em.createNativeQuery("Select distinct role.role_id FROM roleassignment role WHERE  "
-                + " role.definitionpoint_id = " + grandParentId + " "
-                + " and role.role_id in (select role_id from roleassignment where assigneeidentifier in ('" + user.getIdentifier() + "') "
-                + ")"
-                + roleClause
-                + ";").getResultList();
-                */
-        List<Long> resultsGrandParent = roleAssigneeService.getRoleIdListForGivenAssigneeDvObject(user, idsForSelect, grandParentId);
-        if (resultsGrandParent != null && !resultsGrandParent.isEmpty()) {
-            for (Object result : resultsGrandParent) {
-                Long role_id = (Long) result;
-                DataverseRole role = roleService.find(role_id);
-                if (!retVal.contains(role.getName())) {
-                    retVal.add(role.getName());
-                }
-            }
-        }
-
-        return retVal;
-    }
-
-}
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/RoleAssignee.java b/src/main/java/edu/harvard/iq/dataverse/authorization/RoleAssignee.java
index 3fbf810e9ea..cd0f3bf11ad 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/RoleAssignee.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/RoleAssignee.java
@@ -12,7 +12,7 @@
  * 
  * @author michael
  */
-public interface RoleAssignee {
+public interface RoleAssignee extends Comparable<RoleAssignee> {
 
     /**
      * A unique identifier of the role assignee within the installation. This 
@@ -24,5 +24,14 @@ public interface RoleAssignee {
     public String getIdentifier();
 
     public RoleAssigneeDisplayInfo getDisplayInfo();
+    
+    default String getSortByString(){
+        return this.getDisplayInfo().getTitle();
+    }
+       
+    @Override
+    default  int compareTo(RoleAssignee o) {
+        return this.getSortByString().toUpperCase().compareTo(o.getSortByString().toUpperCase());
+    }
 
 }
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/Group.java b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/Group.java
index bc31b77d8fc..10a398e1513 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/Group.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/Group.java
@@ -37,6 +37,7 @@ public interface Group extends RoleAssignee {
      */
     public String getDisplayName();
     
+    
     /**
      * @return Description of this group
      */
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/GroupProvider.java b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/GroupProvider.java
index 9029d2947b1..84dd944191a 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/GroupProvider.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/GroupProvider.java
@@ -29,19 +29,20 @@ public interface GroupProvider<T extends Group> {
     
     /**
      * Looks up the groups this provider has for a dataverse request, in the context of a {@link DvObject}.
-     * @param req The request whose group memberships we evaluate
-     * @param dvo the DvObject which is the context for the groups. May be {@code null}
+     * @param req The request whose group memberships we evaluate.
+     * @param dvo the DvObject which is the context for the groups. May be {@code null}.
      * @return The set of groups the user is member of.
      */
     public Set<T> groupsFor( DataverseRequest req, DvObject dvo );
     
     /**
      * Looks up the groups this provider has for a role assignee, in the context of a {@link DvObject}.
-     * This method should be used for group management. Groups for actual requests should be determined
-     * by calling {@link #groupsFor(edu.harvard.iq.dataverse.engine.command.DataverseRequest, edu.harvard.iq.dataverse.DvObject)}.
+     * <B>This method should be used for group management. Groups for actual requests should be determined
+     * by calling {@link #groupsFor(edu.harvard.iq.dataverse.engine.command.DataverseRequest, edu.harvard.iq.dataverse.DvObject)}.</B>
      * @param ra 
      * @param dvo the DvObject which is the context for the groups. May be {@code null}
      * @return The set of groups the role assignee is a member of.
+     * @see #groupsFor(edu.harvard.iq.dataverse.engine.command.DataverseRequest, edu.harvard.iq.dataverse.DvObject)
      */
     public Set<T> groupsFor( RoleAssignee ra, DvObject dvo );
     
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/GroupServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/GroupServiceBean.java
index 5f494757d66..2ee8c55daa6 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/GroupServiceBean.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/GroupServiceBean.java
@@ -13,12 +13,15 @@
 import edu.harvard.iq.dataverse.authorization.groups.impl.shib.ShibGroupServiceBean;
 import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
 import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import static java.util.stream.Collectors.toSet;
+import java.util.stream.Stream;
 import javax.annotation.PostConstruct;
 import javax.ejb.EJB;
 import javax.ejb.Stateless;
@@ -76,14 +79,19 @@ public ShibGroupProvider getShibGroupProvider() {
         return shibGroupProvider;
     }
     
+    /**
+     * Finds all the groups {@code req} is part of in {@code dvo}'s context.
+     * Recurses upwards in {@link ExplicitGroup}s, as needed.
+     * @param req The request whose group memberships we seek.
+     * @param dvo The {@link DvObject} we determining the context fo the membership.
+     * @return The groups {@code req} is part of under {@code dvo}.
+     */
     public Set<Group> groupsFor( DataverseRequest req, DvObject dvo ) {
-        Set<Group> groups = new HashSet<>();
-         // first, get all groups the user directly belongs to
-        for ( GroupProvider gp : groupProviders.values() ) {
-            groups.addAll( gp.groupsFor(req, dvo) );
-        }
-        
-        return groupTransitiveClosure(groups, dvo);
+        return groupTransitiveClosure(
+                groupProviders.values().stream()
+                              .flatMap(gp->(Stream<Group>)gp.groupsFor(req, dvo).stream())
+                              .collect(toSet()),
+                dvo);
     }
     
     /**
@@ -94,14 +102,11 @@ public Set<Group> groupsFor( DataverseRequest req, DvObject dvo ) {
      * @return 
      */
     public Set<Group> groupsFor( RoleAssignee ra, DvObject dvo ) {
-        Set<Group> groups = new HashSet<>();
-        
-        // first, get all groups the user directly belongs to
-        for ( GroupProvider gp : groupProviders.values() ) {
-            groups.addAll( gp.groupsFor(ra, dvo) );
-        }
-        
-        return groupTransitiveClosure(groups, dvo);
+        return groupTransitiveClosure(
+                groupProviders.values().stream()
+                              .flatMap(gp->(Stream<Group>)gp.groupsFor(ra, dvo).stream())
+                              .collect( toSet() ),
+                dvo);
     }
 
     /**
@@ -109,36 +114,106 @@ public Set<Group> groupsFor( RoleAssignee ra, DvObject dvo ) {
      * groups a Role assignee belongs to as advertised but this method comes
      * closer.
      *
-     * @todo Determine if this method works with IP Groups.
-     *
      * @param au An AuthenticatedUser.
      * @return As many groups as we can find for the AuthenticatedUser.
+     * 
+     * @deprecated Does not look into IP Groups. Use {@link #groupsFor(edu.harvard.iq.dataverse.engine.command.DataverseRequest)}
      */
+    @Deprecated
     public Set<Group> groupsFor(AuthenticatedUser au) {
         Set<Group> groups = new HashSet<>();
         groups.addAll(groupsFor(au, null));
         String identifier = au.getIdentifier();
-        String identifierWithoutAtSign = null;
         if (identifier != null) {
             try {
-                identifierWithoutAtSign = identifier.substring(1);
+                groups.addAll( explicitGroupService.findGroups(au) );
             } catch (IndexOutOfBoundsException ex) {
-                logger.info("Couldn't trim first character (@ sign) from identifier: " + identifier);
+                logger.log(Level.INFO, "Couldn''t trim first character (@ sign) from identifier: {0}", identifier);
             }
         }
-        if (identifierWithoutAtSign != null) {
-            roleAssigneeSvc.getUserExplicitGroups(identifierWithoutAtSign).stream().forEach((groupAlias) -> {
-                ExplicitGroup explicitGroup = explicitGroupProvider.get(groupAlias);
-                if (explicitGroup != null) {
-                    groups.add(explicitGroup);
-                } else {
-                    logger.info("Couldn't find group based on alias " + groupAlias);
+
+        return groups;
+    }
+
+    
+    public Set<Group> groupsFor( DataverseRequest dr ) {
+        Set<Group> groups = new HashSet<>();
+        
+        // get the global groups
+        groups.addAll( groupsFor(dr,null) );
+        
+        // add the explicit groups
+        groups.addAll( explicitGroupService.findGroups(dr.getUser()) );
+        
+        return groups;
+    }
+    
+    /**
+     * Collections of groups may include {@link ExplicitGroup}s, which have a 
+     * recursive structure (more precisely, a Composite Pattern}. This has many 
+     * advantages, but it makes answering the question "which groups are 
+     * contained in this group" non-trivial. This method deals with this issue by
+     * providing a "flat list" of the groups contained in the groups at the 
+     * passed collection.
+     * 
+     * The resultant stream is distinct - groups appear in it only once, even if
+     * some of them are members of multiple groups.
+     * 
+     * @param groups A collection of groups
+     * @return A distinct stream of groups who are members of, or are 
+     * descendants of members of the groups in {@code groups}.
+     */
+    public Stream<Group> flattenGroupsCollection( Collection<Group> groups ) {
+        Stream.Builder<Group> out = Stream.builder();
+        groups.forEach( g -> {
+            out.accept(g);
+            if ( g instanceof ExplicitGroup ) {
+                collectGroupContent((ExplicitGroup) g, out);
+            } 
+        });
+        return out.build().distinct();
+    }
+    
+    private void collectGroupContent( ExplicitGroup eg, Stream.Builder<Group> out ) {
+        eg.getContainedRoleAssgineeIdentifiers().stream()
+                .map( idtf -> roleAssigneeSvc.getRoleAssignee(idtf) )
+                .filter( asn -> asn instanceof Group )
+                .forEach( group ->  out.accept((Group)group) );
+        
+        eg.getContainedExplicitGroups().forEach( meg -> {
+            out.accept(meg);
+            collectGroupContent(meg, out);
+        });
+    }
+    
+    /**
+     * Returns all the groups that are in, of are ancestors of a group in
+     * the passed group collection.
+     * 
+     * @param groups 
+     * @return {@code groups} and their ancestors.
+     */
+    public Set<Group> collectAncestors( Collection<Group> groups ) {
+        // Ancestors will be collected here.
+        Set<Group> retVal = new HashSet<>(); 
+        
+         // Groups whose ancestors were not collected yet.
+        Set<Group> perimeter = new HashSet(groups);
+        
+        while ( ! perimeter.isEmpty() ) {
+            Group next = perimeter.iterator().next();
+            retVal.add(next);
+            perimeter.remove(next);
+            explicitGroupService.findDirectlyContainingGroups(next).forEach( g -> {
+                if ( ! retVal.contains(g) ) {
+                    perimeter.add( g );
                 }
             });
         }
-        return groups;
+        
+        return retVal;
     }
-
+    
     /**
      * Given a set of groups and a DV object, return all the groups that are
      * reachable from the set. Effectively, if the initial set has an {@link ExplicitGroup},
@@ -153,11 +228,9 @@ private Set<Group> groupTransitiveClosure(Set<Group> groups, DvObject dvo) {
         Set<ExplicitGroup> perimeter = new HashSet<>();
         Set<ExplicitGroup> visited = new HashSet<>();
         
-        for ( Group g : groups ) {
-            if ( g instanceof ExplicitGroup ) {
-                perimeter.add((ExplicitGroup) g);
-            }
-        }
+        groups.stream()
+              .filter((g) -> ( g instanceof ExplicitGroup ))
+              .forEachOrdered((g) -> perimeter.add((ExplicitGroup) g));
         visited.addAll(perimeter);
         
         while ( ! perimeter.isEmpty() ) {
@@ -179,9 +252,8 @@ private Set<Group> groupTransitiveClosure(Set<Group> groups, DvObject dvo) {
     
     public Set<Group> findGlobalGroups() {
         Set<Group> groups = new HashSet<>();
-        for ( GroupProvider gp : groupProviders.values() ) {
-            groups.addAll( gp.findGlobalGroups() );
-        }
+        groupProviders.values().forEach( 
+                gp-> groups.addAll( gp.findGlobalGroups() ));
         return groups;
     }
     
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/PersistedGlobalGroup.java b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/PersistedGlobalGroup.java
index beb28ba7452..52785d5c7e2 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/PersistedGlobalGroup.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/PersistedGlobalGroup.java
@@ -31,7 +31,7 @@ public abstract class PersistedGlobalGroup implements Group, Serializable {
     private Long id;
     
     /**
-     * A unique alias within the persisted group table. 
+     * A unique alias within the Dataverse system installation.
      */
     @Column(unique = true)
     private String persistedGroupAlias;
@@ -92,4 +92,6 @@ public String getIdentifier() {
     public String toString() {
         return "[PersistedGlobalGroup " + getIdentifier() + "]";
     }
+    
+
 }
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/builtin/AllUsers.java b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/builtin/AllUsers.java
index 1b92a416eb7..d12e8fbd510 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/builtin/AllUsers.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/builtin/AllUsers.java
@@ -1,5 +1,6 @@
 package edu.harvard.iq.dataverse.authorization.groups.impl.builtin;
 
+import edu.harvard.iq.dataverse.authorization.RoleAssignee;
 import edu.harvard.iq.dataverse.authorization.RoleAssigneeDisplayInfo;
 import edu.harvard.iq.dataverse.authorization.groups.Group;
 import edu.harvard.iq.dataverse.authorization.groups.GroupProvider;
@@ -21,6 +22,8 @@ public final class AllUsers implements Group {
        
     private final String identifier = ":AllUsers";
     
+    private final String displayInfo = "Everyone (including guests)";
+    
     public static final AllUsers get() { return instance; }
     
     /**
@@ -50,7 +53,7 @@ public String getIdentifier() {
 
     @Override
     public RoleAssigneeDisplayInfo getDisplayInfo() {
-        return new RoleAssigneeDisplayInfo("Everyone (including guests)", null);
+        return new RoleAssigneeDisplayInfo(displayInfo, null);
     }
 
     @Override
@@ -72,4 +75,5 @@ public String getDescription() {
     public String toString() {
         return "[AllUsers " + getIdentifier() + "]";
     }
+    
 }
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/builtin/AuthenticatedUsers.java b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/builtin/AuthenticatedUsers.java
index 14b4227e042..7923c312741 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/builtin/AuthenticatedUsers.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/builtin/AuthenticatedUsers.java
@@ -59,4 +59,6 @@ public String getDescription() {
     public String toString() {
         return "[AuthenticatedUsers " + getIdentifier() + "]";
     }
+
+
 }
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/builtin/BuiltInGroupsProvider.java b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/builtin/BuiltInGroupsProvider.java
index 27fcfec3a73..cb6da272dda 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/builtin/BuiltInGroupsProvider.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/builtin/BuiltInGroupsProvider.java
@@ -5,6 +5,7 @@
 import edu.harvard.iq.dataverse.authorization.groups.Group;
 import edu.harvard.iq.dataverse.authorization.groups.GroupProvider;
 import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
+import edu.harvard.iq.dataverse.authorization.users.User;
 import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
 import java.util.Collections;
 import java.util.Set;
@@ -44,9 +45,13 @@ public Set<Group> groupsFor(DataverseRequest req, DvObject dvo ) {
 
     @Override
     public Set<Group> groupsFor( RoleAssignee ra, DvObject dvo ) {
-        return (Set<Group>) ((ra instanceof AuthenticatedUser)
-                ? CollectionHelper.asSet(AllUsers.get(), AuthenticatedUsers.get())
-                : Collections.singleton(AllUsers.get()));
+        if ( ra instanceof User) {
+            return (Set<Group>) ((ra instanceof AuthenticatedUser)
+                    ? CollectionHelper.asSet(AllUsers.get(), AuthenticatedUsers.get())
+                    : Collections.singleton(AllUsers.get()));
+        } else {
+            return Collections.emptySet();
+        }
     }
     
     @Override
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/explicit/ExplicitGroup.java b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/explicit/ExplicitGroup.java
index d8b55e7e932..33a29971906 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/explicit/ExplicitGroup.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/explicit/ExplicitGroup.java
@@ -7,6 +7,7 @@
 import edu.harvard.iq.dataverse.authorization.RoleAssigneeDisplayInfo;
 import edu.harvard.iq.dataverse.authorization.users.User;
 import edu.harvard.iq.dataverse.authorization.groups.GroupException;
+import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IpAddress;
 import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
 import java.util.HashSet;
 import java.util.Objects;
@@ -56,12 +57,21 @@
                       +"WHERE eg.owner.id=:ownerId AND ceg.id=:subExGroupId"),
     @NamedQuery( name="ExplicitGroup.findByOwnerAndRAIdtf",
                  query="SELECT eg FROM ExplicitGroup eg join eg.containedRoleAssignees ra "
-                      +"WHERE eg.owner.id=:ownerId AND ra=:raIdtf")
+                      +"WHERE eg.owner.id=:ownerId AND ra=:raIdtf"),
+    @NamedQuery( name="ExplicitGroup.findByAuthenticatedUserIdentifier",
+                 query="SELECT eg FROM ExplicitGroup eg JOIN eg.containedAuthenticatedUsers au "
+                     + "WHERE au.userIdentifier=:authenticatedUserIdentifier"),
+    @NamedQuery( name="ExplicitGroup.findByRoleAssgineeIdentifier",
+                 query="SELECT eg FROM ExplicitGroup eg JOIN eg.containedRoleAssignees cra "
+                     + "WHERE cra=:roleAssigneeIdentifier"),
+    @NamedQuery( name="ExplicitGroup.findByContainedExplicitGroupId",
+                 query="SELECT eg FROM ExplicitGroup eg join eg.containedExplicitGroups ceg "
+                      +"WHERE ceg.id=:containedExplicitGroupId")
+        
 })
 @Entity
-@Table(indexes = {@Index(columnList="owner_id")
-		//, @Index(columnList="groupalias") //@unique takes care of this
-		, @Index(columnList="groupaliasinowner")})
+@Table(indexes = {@Index(columnList="owner_id"),
+                  @Index(columnList="groupaliasinowner")})
 public class ExplicitGroup implements Group, java.io.Serializable {
     
     @Id
@@ -149,7 +159,8 @@ public void add( User u ) {
      * Adds the {@link RoleAssignee} to {@code this} group. 
      * 
      * @param ra the role assignee to be added to this group.
-     * @throws GroupException if {@code ra} is a group, and is an ancestor of {@code this}.
+     * @throws GroupException if {@code ra} is a group, and is either an ancestor of {@code this},
+     *         or is defined in a dataverse that is not an ancestor of {@code this.owner}.
      */
     public void add( RoleAssignee ra ) throws GroupException {
         
@@ -164,10 +175,14 @@ public void add( RoleAssignee ra ) throws GroupException {
             if ( ra instanceof ExplicitGroup ) {
                 // validate no circular deps
                 ExplicitGroup g = (ExplicitGroup) ra;
-                if ( g.contains(this) ) {
+                if ( g.structuralContains(this) ) {
                     throw new GroupException(this, "A group cannot be added to one of its childs.");
                 }
-                containedExplicitGroups.add( g );
+                if ( g.owner.isAncestorOf(owner) ) {
+                    containedExplicitGroups.add( g );
+                } else {
+                    throw new GroupException(this, "Cannot add " + g + ", as it is not defined in " + owner + " or one of its ancestors.");
+                }
             } else {
                 containedRoleAssignees.add( ra.getIdentifier() );
             }
@@ -219,6 +234,26 @@ public void removeByRoleAssgineeIdentifier( String idtf ) {
         }
     }
     
+    /**
+     * Returns a set of all direct members of the group, including 
+     * logical role assignees.
+     * @return members of the group.
+     */
+    public Set<RoleAssignee> getDirectMembers() {
+        Set<RoleAssignee> res = new HashSet<>();
+        
+        res.addAll( containedExplicitGroups );
+        res.addAll( containedAuthenticatedUsers );
+        for ( String idtf : containedRoleAssignees ) {
+            RoleAssignee ra = provider.findRoleAssignee(idtf);
+            if ( ra != null ) {
+                res.add(ra);
+            }
+        }
+        
+        return res;
+    }
+    
     @Override
     public String getDescription() {
         return description;
@@ -230,42 +265,89 @@ public void setDescription(String description) {
 
     @Override
     public boolean contains(DataverseRequest req) {
-        return contains( req.getUser() );
-    }
-    
-    public boolean contains(RoleAssignee ra) {
-        return containsDirectly(ra) || containsIndirectly(ra);
+        return containsDirectly(req) || containsIndirectly(req);
     }
     
-    protected boolean containsDirectly( RoleAssignee ra ) {
+    /**
+     * Looks at structural containment: whether {@code ra} is part of the
+     * group's structure. It mostly the same as {@link #contains(edu.harvard.iq.dataverse.engine.command.DataverseRequest)},
+     * except for logical containment. So if an ExplicitGroup contains {@link AuthenticatedUsers} but not
+     * a specific {@link AuthenticatedUser} {@code u}, {@code structuralContains(u)}
+     * would return {@code false} while {@code contains( request(u, ...) )} would return true;
+     * 
+     * @param ra
+     * @return {@code true} iff the role assignee is structurally a part of the group.
+     */
+    public boolean structuralContains(RoleAssignee ra) {
+        // direct containment
         if ( ra instanceof AuthenticatedUser ) {
-            AuthenticatedUser au = (AuthenticatedUser) ra;
-            return containedAuthenticatedUsers.contains(au);
+            if ( containedAuthenticatedUsers.contains((AuthenticatedUser)ra) ) {
+                return true;
+            }
             
         } else if ( ra instanceof ExplicitGroup ) {
-            ExplicitGroup eg = (ExplicitGroup) ra;
-            return containedExplicitGroups.contains(eg);
+            if ( containedExplicitGroups.contains((ExplicitGroup)ra) ) { 
+                return true;
+            }
             
         } else {
-           return containedRoleAssignees.contains( ra.getIdentifier() );
+            if ( containedRoleAssignees.contains(ra.getIdentifier()) ) {
+                return true;
+            }
         }
-    }
-
-    private boolean containsIndirectly(RoleAssignee ra) {
-        for ( ExplicitGroup ceg : containedExplicitGroups ) {
-            if ( ceg.contains(ra) ) {
+        
+        // no direct containment. Recurse.
+        for ( ExplicitGroup eg: containedExplicitGroups ) {
+            if ( eg.structuralContains(ra) ) {
                 return true;
             }
         }
         
-        for ( String containedRAIdtf : containedRoleAssignees ) {
-            RoleAssignee containedRa = provider.findRoleAssignee(containedRAIdtf);
-            if ( containedRa != null ) {
-                if ( containedRa instanceof ExplicitGroup ) {
-                    if (((ExplicitGroup)containedRa).contains(ra)) {
+        return false;
+        
+    }
+    
+    /**
+     * @param req
+     * @return {@code true} iff the request is contained in the group or in an included non-explicit group.
+     */
+    protected boolean containsDirectly( DataverseRequest req ) {
+        User ra = req.getUser();
+        if ( ra instanceof AuthenticatedUser ) {
+            AuthenticatedUser au = (AuthenticatedUser) ra;
+            if ( containedAuthenticatedUsers.contains(au) ) {
+                return true;
+            }    
+        } 
+        
+        if ( containedRoleAssignees.contains(ra.getIdentifier()) ) {
+            return true;
+        }
+        
+        for ( String craIdtf : containedRoleAssignees ) {
+            // Need to retrieve the actual role assingee, and let it's logic decide.
+            RoleAssignee cra = provider.findRoleAssignee(craIdtf);
+            if ( cra != null ) {
+                if ( cra instanceof Group ) {
+                    Group cgrp = (Group) cra;
+                    if ( cgrp.contains(req) ) {
                         return true;
                     }
-                }
+                } // if cra is a user, we would have returned after the .contains() test.
+            } 
+        }
+       // If we get here, the request is not in this group.
+       return false;
+    }
+
+    /**
+     * @param req
+     * @return {@code true} iff the request if contained in an explicit group that's a member of this group.
+     */
+    private boolean containsIndirectly(DataverseRequest req) {
+        for ( ExplicitGroup ceg : containedExplicitGroups ) {
+            if ( ceg.contains(req) ) {
+                return true;
             }
         }
         return false;
@@ -393,4 +475,5 @@ Set<String> getContainedRoleAssignees() {
     public String toString() {
         return "[ExplicitGroup " + groupAlias + "]";
     }
+
 }
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/explicit/ExplicitGroupServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/explicit/ExplicitGroupServiceBean.java
index e6435ef6431..51174e24ba9 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/explicit/ExplicitGroupServiceBean.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/explicit/ExplicitGroupServiceBean.java
@@ -10,6 +10,7 @@
 import java.util.List;
 import java.util.Set;
 import java.util.TreeSet;
+import java.util.stream.Collectors;
 import javax.annotation.PostConstruct;
 import javax.ejb.EJB;
 import javax.ejb.Stateless;
@@ -17,7 +18,6 @@
 import javax.persistence.EntityManager;
 import javax.persistence.NoResultException;
 import javax.persistence.PersistenceContext;
-import org.jboss.logging.Logger;
 
 /**
  * A bean providing the {@link ExplicitGroupProvider}s with container services,
@@ -115,15 +115,74 @@ public Set<ExplicitGroup> findAvailableFor( DvObject d ) {
     }
     
     /**
-     * Finds all the groups {@code ra} belongs to in the context of {@code o}. In effect,
+     * Finds all the explicit groups {@code ra} is a member of.
+     * @param ra the role assignee whose membership list we seek
+     * @return set of the explicit groups that contain {@code ra}.
+     */
+    public Set<ExplicitGroup> findGroups( RoleAssignee ra ) {
+        return findClosure(findDirectlyContainingGroups(ra));
+    }
+    
+    /**
+     * Finds all the explicit groups {@code ra} is <b>directly</b> a member of.
+     * To find all these groups and the groups the contain them (recursively upwards),
+     * consider using {@link #findGroups(edu.harvard.iq.dataverse.authorization.RoleAssignee)}
+     * @param ra the role assignee whose membership list we seek
+     * @return set of the explicit groups that contain {@code ra} directly.
+     * @see #findGroups(edu.harvard.iq.dataverse.authorization.RoleAssignee)
+     */
+    public Set<ExplicitGroup> findDirectlyContainingGroups( RoleAssignee ra ) {
+        if ( ra instanceof AuthenticatedUser ) {
+            return provider.updateProvider(
+                    new HashSet<>(
+                            em.createNamedQuery("ExplicitGroup.findByAuthenticatedUserIdentifier", ExplicitGroup.class)
+                              .setParameter("authenticatedUserIdentifier", ra.getIdentifier().substring(1))
+                              .getResultList()
+                  ));
+        } else if ( ra instanceof ExplicitGroup ) {
+            return provider.updateProvider(
+                    new HashSet<>(
+                            em.createNamedQuery("ExplicitGroup.findByContainedExplicitGroupId", ExplicitGroup.class)
+                              .setParameter("containedExplicitGroupId", ((ExplicitGroup) ra).getId())
+                              .getResultList()
+                  ));
+        } else {
+            return provider.updateProvider(
+                    new HashSet<>(
+                            em.createNamedQuery("ExplicitGroup.findByRoleAssgineeIdentifier", ExplicitGroup.class)
+                              .setParameter("roleAssigneeIdentifier", ra.getIdentifier())
+                              .getResultList()
+                  ));
+        }
+    }
+
+    /**
+     * Finds all the groups {@code ra} is a member of, in the context of {@code o}.
+     * This includes both direct and indirect memberships.
+     * @param ra The role assignee whose memberships we seek.
+     * @param o The {@link DvObject} whose context we search.
+     * @return All the groups in {@code o}'s context that {@code ra} is a member of.
+     */
+    public Set<ExplicitGroup> findGroups( RoleAssignee ra, DvObject o ) {
+        Set<ExplicitGroup> directGroups = findDirectGroups(ra, o);
+        Set<ExplicitGroup> closure = findClosure(directGroups);
+        return closure.stream()
+                .filter( g -> g.owner.isAncestorOf(o) )
+                .collect( Collectors.toSet() );
+    }
+    
+    /**
+     * Finds all the groups {@code ra} directly belongs to in the context of {@code o}. In effect,
      * collects all the groups {@code ra} belongs to and that are defined at {@code o}
-     * or one of its ancestors. Does not take group containment into account.
+     * or one of its ancestors.
+     * 
+     * <B>Does not take group containment into account.</B> Use
      * 
      * @param ra The role assignee that belongs to the groups
      * @param o the DvObject that defines the context of the search.
      * @return All the groups ra belongs to in the context of o.
      */
-    public Set<ExplicitGroup> findGroups( RoleAssignee ra, DvObject o ) {
+    public Set<ExplicitGroup> findDirectGroups( RoleAssignee ra, DvObject o ) {
         if ( o == null ) return Collections.emptySet();
         List<ExplicitGroup> groupList = new LinkedList<>();
         
@@ -155,4 +214,31 @@ public Set<ExplicitGroup> findGroups( RoleAssignee ra, DvObject o ) {
         return provider.updateProvider( new HashSet<>(groupList) );
     }
     
+    /**
+     * 
+     * Finds all the groups that contain the groups in {@code seed} (including {@code seed}), and the
+     * groups that contain these groups, an so on.
+     * 
+     * @param seed the initial set of groups.
+     * @return Transitive closure (based on group  containment) of the groups in {@code seed}.
+     */
+    protected Set<ExplicitGroup> findClosure( Set<ExplicitGroup> seed ) {
+        Set result = new HashSet<>();
+        
+        // The set of groups whose parents were not visited yet.
+        Set<ExplicitGroup> fringe = new HashSet<>(seed);
+        while ( ! fringe.isEmpty() ) {
+           ExplicitGroup g = fringe.iterator().next();
+           fringe.remove(g);
+           result.add(g);
+           
+           // add all of g's parents to the fringe, unless already visited.
+           findDirectlyContainingGroups(g).stream()
+                   .filter( eg -> !(result.contains(eg)||fringe.contains(eg) ))
+                   .forEach( fringe::add );
+        }
+
+        return result;
+    }
+    
 }
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/IpGroup.java b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/IpGroup.java
index 8396cb2168a..d6ee006bc52 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/IpGroup.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/IpGroup.java
@@ -1,6 +1,5 @@
 package edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress;
 
-import edu.harvard.iq.dataverse.authorization.users.User;
 import edu.harvard.iq.dataverse.authorization.groups.GroupProvider;
 import edu.harvard.iq.dataverse.authorization.groups.impl.PersistedGlobalGroup;
 import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IPv4Address;
@@ -9,7 +8,9 @@
 import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IpAddress;
 import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IpAddressRange;
 import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
+import java.util.Collection;
 import java.util.HashSet;
+import java.util.Objects;
 import java.util.Set;
 import javax.persistence.CascadeType;
 import javax.persistence.Entity;
@@ -27,32 +28,31 @@
 @Entity
 public class IpGroup extends PersistedGlobalGroup {
     
-    @OneToMany(mappedBy = "owner", cascade=CascadeType.ALL)
+    @OneToMany(mappedBy = "owner", cascade=CascadeType.ALL, orphanRemoval = true)
     private Set<IPv6Range> ipv6Ranges;
 
-    @OneToMany(mappedBy = "owner", cascade=CascadeType.ALL)
+    @OneToMany(mappedBy = "owner", cascade=CascadeType.ALL, orphanRemoval = true)
     private Set<IPv4Range> ipv4Ranges;
     
     @Transient
     private IpGroupProvider provider;
     
-    public IpGroup() {
-        
-    }
+    public IpGroup() {}
     
     public IpGroup(IpGroupProvider provider) {
         this.provider = provider;
     }
     
     @Override
-    public boolean contains(DataverseRequest rq) {
+    public boolean contains( DataverseRequest rq ) {
         IpAddress addr = rq.getSourceAddress();
+        if ( addr == null ) return false;
+        
         for ( IpAddressRange r : ((addr instanceof IPv4Address) ? ipv4Ranges : ipv6Ranges) ) {
            Boolean containment =  r.contains(addr);
            if ( (containment != null) && containment ) {
                return true;
            }
-               
         }
         return false;
     }
@@ -80,9 +80,14 @@ public boolean isEditable() {
         return true;
     }
     
-    public void setProvider( IpGroupProvider prv ) {
+    public void setGroupProvider( IpGroupProvider prv ) {
         provider = prv;
     }
+    
+    @Override
+    public GroupProvider getGroupProvider() {
+        return provider;
+    }
 
     /**
      * Returns a <strong>read only</strong> set of all the ranges  in the group,
@@ -95,11 +100,6 @@ public Set<IpAddressRange> getRanges() {
         ranges.addAll( getIpv6Ranges() );
         return ranges;
     }
-    
-    @Override
-    public GroupProvider getGroupProvider() {
-        return provider;
-    }
 
     /**
      * Low-level JPA accessor
@@ -116,6 +116,7 @@ public Set<IPv6Range> getIpv6Ranges() {
      */
     public void setIpv6Ranges(Set<IPv6Range> ipv6Ranges) {
         this.ipv6Ranges = ipv6Ranges;
+        updateRangeOwnership(ipv6Ranges);
     }
     /**
      * Low-level JPA accessor
@@ -128,7 +129,37 @@ public Set<IPv4Range> getIpv4Ranges() {
 
     public void setIpv4Ranges(Set<IPv4Range> ipv4Ranges) {
         this.ipv4Ranges = ipv4Ranges;
+        updateRangeOwnership(ipv4Ranges);
     }
     
+    @Override
+    public boolean equals( Object o ) {
+        if ( o == null ) return false;
+        if ( o == this ) return true;
+        if ( ! (o instanceof IpGroup) ) return false;
+        
+        IpGroup other = (IpGroup) o;
+        
+        if ( ! Objects.equals(getId(), other.getId()) ) return false;
+        if ( ! Objects.equals(getDescription(), other.getDescription()) ) return false;
+        if ( ! Objects.equals(getDisplayName(), other.getDisplayName()) ) return false;
+        if ( ! Objects.equals(getPersistedGroupAlias(), other.getPersistedGroupAlias()) ) return false;
+        return getRanges().equals( other.getRanges() );
+    }
+
+    @Override
+    public int hashCode() {
+        return getPersistedGroupAlias().hashCode();
+    }
+    
+    @Override
+    public String toString() {
+        return "[IpGroup alias:" + getPersistedGroupAlias() +" id:" + getId() + " ranges:" + getIpv4Ranges() + "," + getIpv6Ranges() + "]";
+    }
     
+    private void updateRangeOwnership( Collection<? extends IpAddressRange> ranges ) {
+        for ( IpAddressRange rng : ranges ) {
+            rng.setOwner(this);
+        }
+    }
 }
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/IpGroupProvider.java b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/IpGroupProvider.java
index efce422d5d6..7cf1b6818cb 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/IpGroupProvider.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/IpGroupProvider.java
@@ -3,12 +3,10 @@
 import edu.harvard.iq.dataverse.DvObject;
 import edu.harvard.iq.dataverse.authorization.RoleAssignee;
 import edu.harvard.iq.dataverse.authorization.groups.GroupProvider;
-import edu.harvard.iq.dataverse.authorization.users.User;
 import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
-import java.util.logging.Logger;
 
 /**
  * Creates {@link IpGroup}s.
@@ -16,8 +14,6 @@
  */
 public class IpGroupProvider implements GroupProvider<IpGroup> {
     
-    private static final Logger logger = Logger.getLogger(IpGroupProvider.class.getCanonicalName());
-
     private final IpGroupsServiceBean ipGroupsService;
     
     public IpGroupProvider(IpGroupsServiceBean ipGroupsService) {
@@ -63,23 +59,48 @@ public Set<IpGroup> findGlobalGroups() {
     }
     
     private IpGroup setProvider( IpGroup g ) {
-        g.setProvider(this);
+        if ( g != null ) {
+            g.setGroupProvider(this);
+        }
         return g;
     }
     
     private Set<IpGroup> updateProvider( Set<IpGroup> groups ) {
-        for ( IpGroup g : groups ) {
-            g.setProvider(this);
-        }
+        groups.forEach( g -> g.setGroupProvider(this) );
         return groups;
     }
     
     public IpGroup store(IpGroup grp) {
-        grp.setProvider(this);
-        return ipGroupsService.store(grp);
+        grp.setGroupProvider(this);
+        final IpGroup storedGroup = ipGroupsService.store(grp);
+        storedGroup.setGroupProvider(this); // The storage might un-set the provider, e.g. for when a group is updated.
+        return storedGroup;
     }
 
     public void deleteGroup(IpGroup grp) {
         ipGroupsService.deleteGroup(grp);
     }
+    
+    /**
+     * Finds an available name for an IP group. The name is based on the {@code base}
+     * parameter, but may be changed in case there's already a group with that name.
+     * 
+     * <strong>
+     * Note: This method might fail under very heavy loads. But we do not expect
+     * heavy creation of IP groups at this point.
+     * </strong>
+     *      
+     * @param base A base name.
+     * @return An available group name.
+     */
+    public String findAvailableName( String base ) {
+        if ( ipGroupsService.getByGroupName(base) == null ) {
+            return base;
+        }
+        int i=1;
+        while ( ipGroupsService.getByGroupName(base + "-" + i) != null ) {
+            i++;
+        }
+        return base + "-" + i;
+    }
 }
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/IpGroupsServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/IpGroupsServiceBean.java
index d135d97796e..b1380b552a4 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/IpGroupsServiceBean.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/IpGroupsServiceBean.java
@@ -38,6 +38,11 @@ public class IpGroupsServiceBean {
     @EJB
     RoleAssigneeServiceBean roleAssigneeSvc;
     
+    /**
+     * Stores (inserts/updates) the passed IP group.
+     * @param grp The group to store.
+     * @return Managed version of the group. The provider might be un-set.
+     */
     public IpGroup store( IpGroup grp ) {
         ActionLogRecord alr = new ActionLogRecord(ActionLogRecord.ActionType.GlobalGroups, "ipCreate");
         if ( grp.getGroupProvider() != null ) {
@@ -57,13 +62,12 @@ public IpGroup store( IpGroup grp ) {
                     return grp;
                     
                 } else {
-                    logger.log(Level.INFO, "Updating ip group {0}", grp.getPersistedGroupAlias());
                     existing.setDescription(grp.getDescription());
-                    existing.setDisplayName( grp.getDisplayName() );
-                    existing.setIpv4Ranges( grp.getIpv4Ranges() );
-                    existing.setIpv6Ranges( grp.getIpv6Ranges() );
+                    existing.setDisplayName(grp.getDisplayName());
+                    existing.setIpv4Ranges(grp.getIpv4Ranges());
+                    existing.setIpv6Ranges(grp.getIpv6Ranges());
                     actionLogSvc.log( alr.setActionSubType("ipUpdate") );
-                    return em.merge(existing);
+                    return existing;
                 }
             } else {
                 actionLogSvc.log( alr );
@@ -71,7 +75,7 @@ public IpGroup store( IpGroup grp ) {
                 return grp;
             }
         } else {
-             actionLogSvc.log( alr.setActionSubType("ipUpdate") );
+            actionLogSvc.log( alr.setActionSubType("ipUpdate") );
             return em.merge(grp);
         }
     }
@@ -98,7 +102,7 @@ public Set<IpGroup> findAllIncludingIp( IpAddress ipa ) {
         if ( ipa instanceof IPv4Address ) {
             IPv4Address ip4 = (IPv4Address) ipa;
             List<IpGroup> groupList = em.createNamedQuery("IPv4Range.findGroupsContainingAddressAsLong", IpGroup.class)
-                    .setParameter("addressAsLong", ip4.toLong()).getResultList();
+                    .setParameter("addressAsLong", ip4.toBigInteger()).getResultList();
             return new HashSet<>(groupList);
             
         } else if ( ipa instanceof IPv6Address ) {
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IPv4Address.java b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IPv4Address.java
index e5255a19d7d..147ade9ddb1 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IPv4Address.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IPv4Address.java
@@ -1,5 +1,6 @@
 package edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip;
 
+import java.math.BigInteger;
 import java.util.Arrays;
 
 /**
@@ -33,6 +34,10 @@ public IPv4Address( int a, int b, int c, int d ) {
         this( new short[]{(short)a,(short)b,(short)c,(short)d} );
     }
     
+    public IPv4Address( BigInteger bits ) {
+        this( bits.longValue() );
+    }
+    
     public IPv4Address( long l ) {
         bytes[0] = (short)((l >>> 24) & 0xFF);
         bytes[1] = (short)((l >>> 16) & 0xFF);
@@ -59,7 +64,16 @@ public short[] getBytes() {
     }
     
     public long toLong() {
-        return (get(0)<<24) + (get(1)<<16) + (get(2)<<8) + get(3);
+        return (get(0)<<24) | (get(1)<<16) | (get(2)<<8) | get(3);
+    }
+    
+    public BigInteger toBigInteger() {
+        BigInteger res = BigInteger.ZERO;
+        for ( int i=0; i<3; i++ ) {
+            res = res.add(BigInteger.valueOf(get(i)))
+                     .shiftLeft(8);
+        }
+        return res.add(BigInteger.valueOf(get(3)));
     }
     
     @Override
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IPv4Range.java b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IPv4Range.java
index 3b6348737ed..3ecd7689e1c 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IPv4Range.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IPv4Range.java
@@ -1,5 +1,6 @@
 package edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip;
 
+import java.math.BigInteger;
 import javax.persistence.Entity;
 import javax.persistence.GeneratedValue;
 import javax.persistence.Id;
@@ -31,16 +32,16 @@ public class IPv4Range extends IpAddressRange implements java.io.Serializable {
     Long id;
     
     /** The most significant bits of {@code this} range's top address, i.e the first two numbers of the IP address */
-    long topAsLong;
+    BigInteger topAsLong;
     
     /** The least significant bits, i.e the last tow numbers of the IP address */
-    long bottomAsLong;
+    BigInteger bottomAsLong;
     
     public IPv4Range(){}
     
     public IPv4Range(IPv4Address bottom, IPv4Address top) {
-        topAsLong = top.toLong();
-        bottomAsLong = bottom.toLong(); 
+        topAsLong = top.toBigInteger();
+        bottomAsLong = bottom.toBigInteger(); 
     }
     
     @Override
@@ -49,7 +50,7 @@ public IPv4Address getTop() {
     }
     
     public void setTop( IPv4Address aNewTop ) {
-        setTopAsLong( aNewTop.toLong() );
+        setTopAsLong( aNewTop.toBigInteger() );
     }
     
     @Override
@@ -58,27 +59,28 @@ public IPv4Address getBottom() {
     }
     
     public void setBottom( IPv4Address aNewBottom ) {
-        setTopAsLong( aNewBottom.toLong() );
+        setTopAsLong( aNewBottom.toBigInteger() );
     }
     
-    public long getTopAsLong() {
+    public BigInteger getTopAsLong() {
         return topAsLong;
     }
 
-    public void setTopAsLong(long topAsLong) {
+    public void setTopAsLong(BigInteger topAsLong) {
         this.topAsLong = topAsLong;
     }
 
-    public long getBottomAsLong() {
+    public BigInteger getBottomAsLong() {
         return bottomAsLong;
     }
 
-    public void setBottomAsLong(long bottomAsLong) {
+    public void setBottomAsLong(BigInteger bottomAsLong) {
         this.bottomAsLong = bottomAsLong;
     }
 
     @Override
     public Boolean contains(IpAddress anAddress) {
+        if ( anAddress == null ) return null;
         if ( anAddress instanceof IPv4Address ) {
             IPv4Address adr = (IPv4Address) anAddress;
             return getBottom().compareTo(adr)<=0 && getTop().compareTo(adr)>=0;
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IPv6Range.java b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IPv6Range.java
index 5beaead8bd9..d1301d550c7 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IPv6Range.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IPv6Range.java
@@ -48,6 +48,7 @@ public IPv6Range() {}
     
     @Override
     public Boolean contains(IpAddress anAddress) {
+        if ( anAddress == null ) return null;
         if ( anAddress instanceof IPv6Address ) {
             IPv6Address adr = (IPv6Address) anAddress;
             return getBottom().compareTo(adr)<=0 && getTop().compareTo(adr)>=0;
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IpAddressRange.java b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IpAddressRange.java
index c2d1029b44d..5c6c9d548a4 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IpAddressRange.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IpAddressRange.java
@@ -63,6 +63,10 @@ public boolean equals(Object obj) {
                 && Objects.equals(this.getTop(), other.getTop());
     }
 
+    public boolean isSingleAddress() {
+        return getTop().equals(getBottom());
+    }
+    
     @Override
     public String toString() {
         return "[IpAddressRange " + getTop() + "-" + getBottom() + ']';
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/shib/ShibGroup.java b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/shib/ShibGroup.java
index 8643eb34d70..3beb8dadedb 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/shib/ShibGroup.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/shib/ShibGroup.java
@@ -1,5 +1,6 @@
 package edu.harvard.iq.dataverse.authorization.groups.impl.shib;
 
+import edu.harvard.iq.dataverse.authorization.RoleAssignee;
 import edu.harvard.iq.dataverse.authorization.RoleAssigneeDisplayInfo;
 import edu.harvard.iq.dataverse.authorization.groups.Group;
 import edu.harvard.iq.dataverse.authorization.groups.GroupProvider;
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/providers/builtin/BuiltinUserPage.java b/src/main/java/edu/harvard/iq/dataverse/authorization/providers/builtin/BuiltinUserPage.java
index 1093b39cdbd..5dddaf6432f 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/providers/builtin/BuiltinUserPage.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/providers/builtin/BuiltinUserPage.java
@@ -27,16 +27,23 @@
 import edu.harvard.iq.dataverse.authorization.groups.Group;
 import edu.harvard.iq.dataverse.authorization.groups.GroupServiceBean;
 import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
+import edu.harvard.iq.dataverse.confirmemail.ConfirmEmailData;
+import edu.harvard.iq.dataverse.confirmemail.ConfirmEmailException;
+import edu.harvard.iq.dataverse.confirmemail.ConfirmEmailInitResponse;
+import edu.harvard.iq.dataverse.confirmemail.ConfirmEmailServiceBean;
+import edu.harvard.iq.dataverse.confirmemail.ConfirmEmailUtil;
 import edu.harvard.iq.dataverse.mydata.MyDataPage;
 import edu.harvard.iq.dataverse.passwordreset.PasswordValidator;
 import edu.harvard.iq.dataverse.settings.SettingsServiceBean;
 import edu.harvard.iq.dataverse.util.BundleUtil;
 import edu.harvard.iq.dataverse.util.JsfHelper;
 import static edu.harvard.iq.dataverse.util.JsfHelper.JH;
+import edu.harvard.iq.dataverse.util.SystemConfig;
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
 import java.sql.Timestamp;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Date;
 import java.util.List;
 import java.util.Set;
@@ -89,6 +96,10 @@ public enum EditMode {
     @EJB
     AuthenticationServiceBean authenticationService;
     @EJB
+    ConfirmEmailServiceBean confirmEmailService;
+    @EJB
+    SystemConfig systemConfig;    
+    @EJB
     GroupServiceBean groupService;
     @Inject
     SettingsWrapper settingsWrapper;
@@ -407,7 +418,8 @@ public void validateNewPassword(FacesContext context, UIComponent toValidate, Ob
             context.addMessage(toValidate.getClientId(context), message);
         }
     }
-
+    
+    
 
     public void updatePassword(String userName) {
         String plainTextPassword = PasswordEncryption.generateRandomPassword();
@@ -421,6 +433,7 @@ public void updatePassword(String userName) {
 
     public String save() {
         boolean passwordChanged = false;
+        boolean emailChanged = false;
         if (editMode == EditMode.CREATE || editMode == EditMode.CHANGE_PASSWORD) {
             if (inputPassword != null) {
                 builtinUser.updateEncryptedPassword(PasswordEncryption.get().encrypt(inputPassword), PasswordEncryption.getLatestVersionNumber());
@@ -472,13 +485,34 @@ public String save() {
             
             
         } else {
-            authSvc.updateAuthenticatedUser(currentUser, builtinUser.getDisplayInfo());
+            String emailBeforeUpdate = currentUser.getEmail();
+            AuthenticatedUser savedUser = authSvc.updateAuthenticatedUser(currentUser, builtinUser.getDisplayInfo());
+            String emailAfterUpdate = savedUser.getEmail();
+            if (!emailBeforeUpdate.equals(emailAfterUpdate)) {
+                emailChanged = true;
+            }
             editMode = null;
             String msg = "Your account information has been successfully updated.";
             if (passwordChanged) {
                 msg = "Your account password has been successfully changed.";
             }
-            JsfHelper.addFlashMessage(msg);
+            if (emailChanged) {
+                ConfirmEmailUtil confirmEmailUtil = new ConfirmEmailUtil();
+                String expTime = confirmEmailUtil.friendlyExpirationTime(systemConfig.getMinutesUntilConfirmEmailTokenExpires());
+                msg = msg + " Your email address has changed and must be re-verified. Please check your inbox at " + currentUser.getEmail() + " and follow the link we've sent. \n\nAlso, please note that the link will only work for the next " + expTime + " before it has expired.";
+                boolean sendEmail = true;
+                // delete unexpired token, if it exists (clean slate)
+                confirmEmailService.deleteTokenForUser(currentUser);
+                try {
+                    ConfirmEmailInitResponse confirmEmailInitResponse = confirmEmailService.beginConfirm(currentUser);
+                } catch (ConfirmEmailException ex) {
+                    logger.info("Unable to send email confirmation link to user id " + savedUser.getId());
+                }
+                session.setUser(currentUser);
+                JsfHelper.addSuccessMessage(msg);
+            } else {
+                JsfHelper.addFlashMessage(msg);
+            }
             return null;            
         }
     }
@@ -592,4 +626,51 @@ public void displayNotification() {
             }
         }
     }
+    
+    public void sendConfirmEmail() {
+        logger.fine("called sendConfirmEmail()");
+        String userEmail = currentUser.getEmail();
+        ConfirmEmailUtil confirmEmailUtil = new ConfirmEmailUtil();
+        
+        try {
+            confirmEmailService.beginConfirm(currentUser);
+            List<String> args = Arrays.asList(
+                    userEmail,
+                    confirmEmailUtil.friendlyExpirationTime(systemConfig.getMinutesUntilConfirmEmailTokenExpires()));
+            JsfHelper.addSuccessMessage(BundleUtil.getStringFromBundle("confirmEmail.submitRequest.success", args));
+        } catch (ConfirmEmailException ex) {
+            Logger.getLogger(BuiltinUserPage.class.getName()).log(Level.SEVERE, null, ex);
+        }
+    }
+    
+    public boolean showVerifyEmailButton() {
+        /**
+         * Determines whether the button to send a verification email appears on user page
+         */
+        if (confirmEmailService.findSingleConfirmEmailDataByUser(currentUser) == null
+                && currentUser.getEmailConfirmed() == null) {
+            return true;
+        }
+        return false;
+    }
+
+    public boolean isEmailIsVerified() {
+        if (currentUser.getEmailConfirmed() != null && confirmEmailService.findSingleConfirmEmailDataByUser(currentUser) == null) {
+            return true;
+         } else return false;
+    }
+    
+    public boolean isEmailNotVerified() {
+        if (currentUser.getEmailConfirmed() == null || confirmEmailService.findSingleConfirmEmailDataByUser(currentUser) != null) {
+            return true;
+        } else return false;
+    }
+    
+    public boolean isEmailGrandfathered() {
+        ConfirmEmailUtil confirmEmailUtil = new ConfirmEmailUtil();
+        if (currentUser.getEmailConfirmed() == confirmEmailUtil.getGrandfatheredTime()) {
+            return true;
+        } else return false;
+    }
+
 }
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/users/AuthenticatedUser.java b/src/main/java/edu/harvard/iq/dataverse/authorization/users/AuthenticatedUser.java
index c8b07966f4e..646605831b3 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/users/AuthenticatedUser.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/users/AuthenticatedUser.java
@@ -74,6 +74,8 @@ public class AuthenticatedUser implements User, Serializable {
     private String position;
     private String lastName;
     private String firstName;
+    @Column(nullable = true)
+    private Timestamp emailConfirmed;
     private boolean superuser;
 
     /**
@@ -122,7 +124,6 @@ public void applyDisplayInfo( AuthenticatedUserDisplayInfo inf ) {
         setEmail(inf.getEmailAddress());
         setAffiliation( inf.getAffiliation() );
         setPosition( inf.getPosition());
-
     }
     
     @Override
@@ -188,6 +189,14 @@ public void setFirstName(String firstName) {
         this.firstName = firstName;
     }
 
+    public Timestamp getEmailConfirmed() {
+        return emailConfirmed;
+    }
+
+    public void setEmailConfirmed(Timestamp emailConfirmed) {
+        this.emailConfirmed = emailConfirmed;
+    }
+
     @Override
     public boolean isSuperuser() {
         return superuser;
@@ -246,4 +255,13 @@ public void setShibIdentityProvider(String shibIdentityProvider) {
         this.shibIdentityProvider = shibIdentityProvider;
     }
     
+    @Override
+    public String toString() {
+        return "[AuthenticatedUser identifier:" + getIdentifier() + "]";
+    }
+    
+    public String getSortByString() {
+        return this.getLastName() + " " + this.getFirstName() + " " + this.getUserIdentifier();
+    }
+    
 }
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/users/GuestUser.java b/src/main/java/edu/harvard/iq/dataverse/authorization/users/GuestUser.java
index 45177beace5..b2fd3194f70 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/users/GuestUser.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/users/GuestUser.java
@@ -42,7 +42,12 @@ public boolean isSuperuser() {
     public boolean equals( Object o ) {
         return (o instanceof GuestUser);
     }
-
+    
+    @Override
+    public String toString() {
+        return "[GuestUser :guest]";
+    }
+    
     @Override
     public int hashCode() {
         return 7;
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/users/PrivateUrlUser.java b/src/main/java/edu/harvard/iq/dataverse/authorization/users/PrivateUrlUser.java
index 947468fab11..88e1f8ffc83 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/users/PrivateUrlUser.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/users/PrivateUrlUser.java
@@ -61,4 +61,6 @@ public RoleAssigneeDisplayInfo getDisplayInfo() {
         return new RoleAssigneeDisplayInfo(title, null);
     }
 
+
+
 }
diff --git a/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailAttemptResponse.java b/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailAttemptResponse.java
new file mode 100644
index 00000000000..c1d60c101b4
--- /dev/null
+++ b/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailAttemptResponse.java
@@ -0,0 +1,31 @@
+package edu.harvard.iq.dataverse.confirmemail;
+
+/**
+ *
+ * @author bsilverstein
+ */
+public class ConfirmEmailAttemptResponse {
+
+    private final boolean confirmed;
+    private final String messageSummary;
+    private final String messageDetail;
+
+    public ConfirmEmailAttemptResponse(boolean confirmed, String messageSummary, String messageDetail) {
+        this.confirmed = confirmed;
+        this.messageSummary = messageSummary;
+        this.messageDetail = messageDetail;
+    }
+
+    public boolean isConfirmed() {
+        return confirmed;
+    }
+
+    public String getMessageSummary() {
+        return messageSummary;
+    }
+
+    public String getMessageDetail() {
+        return messageDetail;
+    }
+
+}
diff --git a/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailData.java b/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailData.java
new file mode 100644
index 00000000000..c751b62a3a0
--- /dev/null
+++ b/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailData.java
@@ -0,0 +1,107 @@
+package edu.harvard.iq.dataverse.confirmemail;
+
+import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
+import java.io.Serializable;
+import java.sql.Timestamp;
+import java.util.Date;
+import java.util.UUID;
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Index;
+import javax.persistence.JoinColumn;
+import javax.persistence.NamedQueries;
+import javax.persistence.NamedQuery;
+import javax.persistence.OneToOne;
+import javax.persistence.Table;
+
+/**
+ *
+ * @author bsilverstein
+ */
+@Table(indexes = {
+    @Index(columnList = "token"),
+    @Index(columnList = "authenticateduser_id")})
+@NamedQueries({
+    @NamedQuery(name = "ConfirmEmailData.findAll",
+            query = "SELECT prd FROM ConfirmEmailData prd"),
+    @NamedQuery(name = "ConfirmEmailData.findByUser",
+            query = "SELECT prd FROM ConfirmEmailData prd WHERE prd.authenticatedUser = :user"),
+    @NamedQuery(name = "ConfirmEmailData.findByToken",
+            query = "SELECT prd FROM ConfirmEmailData prd WHERE prd.token = :token")
+})
+@Entity
+public class ConfirmEmailData implements Serializable {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+
+    @Column(nullable = true)
+    private String token;
+
+    @OneToOne
+    @JoinColumn(nullable = false, unique = true)
+    private AuthenticatedUser authenticatedUser;
+
+    @Column(nullable = false)
+    private Timestamp created;
+
+    @Column(nullable = false)
+    private Timestamp expires;
+
+    public ConfirmEmailData(AuthenticatedUser anAuthenticatedUser, long minutesUntilConfirmEmailTokenExpires) {
+        authenticatedUser = anAuthenticatedUser;
+        token = UUID.randomUUID().toString();
+        long nowInMilliseconds = new Date().getTime();
+        created = new Timestamp(nowInMilliseconds);
+        long ONE_MINUTE_IN_MILLISECONDS = 60000;
+        long futureInMilliseconds = nowInMilliseconds + (minutesUntilConfirmEmailTokenExpires * ONE_MINUTE_IN_MILLISECONDS);
+        expires = new Timestamp(new Date(futureInMilliseconds).getTime());
+    }
+
+    public boolean isExpired() {
+        if (this.expires == null) {
+            return true;
+        }
+        long expiresInMilliseconds = this.expires.getTime();
+        long nowInMilliseconds = new Date().getTime();
+        return nowInMilliseconds > expiresInMilliseconds;
+    }
+
+    public String getToken() {
+        return token;
+    }
+
+    public AuthenticatedUser getAuthenticatedUser() {
+        return authenticatedUser;
+    }
+
+    public Timestamp getCreated() {
+        return created;
+    }
+
+    public Timestamp getExpires() {
+        return expires;
+    }
+
+    public Long getId() {
+        return id;
+    }
+
+    public void setId(Long id) {
+        this.id = id;
+    }
+
+    /**
+     * This is only here because it has to be: "The class should have a no-arg,
+     * public or protected constructor." Please use the constructor that takes
+     * arguments.
+     */
+    @Deprecated
+    public ConfirmEmailData() {
+    }
+
+}
diff --git a/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailException.java b/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailException.java
new file mode 100644
index 00000000000..add7cd922fb
--- /dev/null
+++ b/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailException.java
@@ -0,0 +1,17 @@
+package edu.harvard.iq.dataverse.confirmemail;
+
+/**
+ *
+ * @author bsilverstein
+ */
+public class ConfirmEmailException extends Exception {
+
+    public ConfirmEmailException(String message) {
+        super(message);
+    }
+
+    public ConfirmEmailException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+}
diff --git a/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailExecResponse.java b/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailExecResponse.java
new file mode 100644
index 00000000000..aaeb1b90e79
--- /dev/null
+++ b/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailExecResponse.java
@@ -0,0 +1,29 @@
+package edu.harvard.iq.dataverse.confirmemail;
+
+/**
+ *
+ * @author bsilverstein
+ */
+public class ConfirmEmailExecResponse {
+
+    private String tokenQueried;
+    private ConfirmEmailData confirmEmailData;
+
+    public ConfirmEmailExecResponse(String tokenQueried, ConfirmEmailData confirmEmailData) {
+        this.tokenQueried = tokenQueried;
+        this.confirmEmailData = confirmEmailData;
+    }
+
+    public String getTokenQueried() {
+        return tokenQueried;
+    }
+
+    public ConfirmEmailData getConfirmEmailData() {
+        return confirmEmailData;
+    }
+
+    public void setConfirmEmailData(ConfirmEmailData confirmEmailData) {
+        this.confirmEmailData = confirmEmailData;
+    }
+
+}
diff --git a/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailInitResponse.java b/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailInitResponse.java
new file mode 100644
index 00000000000..87ed1c3a58f
--- /dev/null
+++ b/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailInitResponse.java
@@ -0,0 +1,34 @@
+package edu.harvard.iq.dataverse.confirmemail;
+
+/**
+ *
+ * @author bsilverstein
+ */
+public class ConfirmEmailInitResponse {
+
+    private boolean userFound;
+    private String confirmUrl;
+    private ConfirmEmailData confirmEmailData;
+
+    public ConfirmEmailInitResponse(boolean userFound) {
+        this.userFound = userFound;
+    }
+
+    public ConfirmEmailInitResponse(boolean userFound, ConfirmEmailData confirmEmailData, String confirmUrl) {
+        this.userFound = userFound;
+        this.confirmEmailData = confirmEmailData;
+        this.confirmUrl = confirmUrl;
+    }
+
+    public boolean isUserFound() {
+        return userFound;
+    }
+
+    public String getConfirmUrl() {
+        return confirmUrl;
+    }
+
+    public ConfirmEmailData getConfirmEmailData() {
+        return confirmEmailData;
+    }
+}
diff --git a/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailPage.java b/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailPage.java
new file mode 100644
index 00000000000..823d2c111f2
--- /dev/null
+++ b/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailPage.java
@@ -0,0 +1,111 @@
+package edu.harvard.iq.dataverse.confirmemail;
+
+import edu.harvard.iq.dataverse.DataverseSession;
+import edu.harvard.iq.dataverse.actionlogging.ActionLogServiceBean;
+import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
+import edu.harvard.iq.dataverse.util.BundleUtil;
+import edu.harvard.iq.dataverse.util.JsfHelper;
+import java.util.logging.Logger;
+import javax.ejb.EJB;
+import javax.faces.view.ViewScoped;
+import javax.inject.Inject;
+import javax.inject.Named;
+
+/**
+ *
+ * @author bsilverstein
+ */
+@ViewScoped
+@Named("ConfirmEmailPage")
+public class ConfirmEmailPage implements java.io.Serializable {
+
+    private static final Logger logger = Logger.getLogger(ConfirmEmailPage.class.getCanonicalName());
+
+    @EJB
+    ConfirmEmailServiceBean confirmEmailService;
+    @Inject
+    DataverseSession session;
+
+    @EJB
+    ActionLogServiceBean actionLogSvc;
+
+    /**
+     * The unique string used to look up a user and continue the email
+     * confirmation.
+     */
+    String token;
+
+    /**
+     * The user looked up by the token who will be confirming their email.
+     */
+    AuthenticatedUser user;
+
+    /**
+     * The link that is emailed to the user to confirm the email that contains a
+     * token.
+     */
+    String confirmEmailUrl;
+
+    ConfirmEmailData confirmEmailData;
+
+    public String init() {
+        if (token != null) {
+            ConfirmEmailExecResponse confirmEmailExecResponse = confirmEmailService.processToken(token);
+            confirmEmailData = confirmEmailExecResponse.getConfirmEmailData();
+            if (confirmEmailData != null) {
+                user = confirmEmailData.getAuthenticatedUser();
+                session.setUser(user);
+                JsfHelper.addSuccessMessage(BundleUtil.getStringFromBundle("confirmEmail.details.success"));
+                return "/dataverse.xhtml?faces-redirect=true";
+            }
+        }
+        JsfHelper.addErrorMessage(BundleUtil.getStringFromBundle("confirmEmail.details.failure"));
+        /**
+         * @todo It would be nice to send a 404 response but if we enable this
+         * then the user sees the contents of 404.xhtml rather than the contents
+         * of JsfHelper.addErrorMessage above!
+         */
+//        try {
+//            FacesContext.getCurrentInstance().getExternalContext().responseSendError(HttpServletResponse.SC_NOT_FOUND, null);
+//        } catch (IOException ex) {
+//        }
+        return null;
+    }
+
+    public String getToken() {
+        return token;
+    }
+
+    public void setToken(String token) {
+        this.token = token;
+    }
+
+    public AuthenticatedUser getUser() {
+        return user;
+    }
+
+    public String getConfirmEmailUrl() {
+        return confirmEmailUrl;
+    }
+
+    public ConfirmEmailData getConfirmEmailData() {
+        return confirmEmailData;
+    }
+
+    public void setConfirmEmailData(ConfirmEmailData confirmEmailData) {
+        this.confirmEmailData = confirmEmailData;
+    }
+
+    public boolean isInvalidToken() {
+        if (confirmEmailData == null) {
+            return true;
+        } else {
+            return false;
+        }
+    }
+
+    public String getRedirectToAccountInfoTab() {
+        return "/dataverseuser.xhtml?selectTab=accountInfo&faces-redirect=true";
+    }
+
+}
diff --git a/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailServiceBean.java
new file mode 100644
index 00000000000..e21ba1f98b3
--- /dev/null
+++ b/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailServiceBean.java
@@ -0,0 +1,245 @@
+package edu.harvard.iq.dataverse.confirmemail;
+
+import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
+import edu.harvard.iq.dataverse.authorization.AuthenticationServiceBean;
+import edu.harvard.iq.dataverse.MailServiceBean;
+import edu.harvard.iq.dataverse.authorization.providers.shib.ShibAuthenticationProvider;
+import edu.harvard.iq.dataverse.util.BundleUtil;
+import edu.harvard.iq.dataverse.util.SystemConfig;
+import java.sql.Timestamp;
+import java.util.Arrays;
+import java.util.Date;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import javax.ejb.EJB;
+import javax.ejb.Stateless;
+import javax.persistence.EntityManager;
+import javax.persistence.NoResultException;
+import javax.persistence.NonUniqueResultException;
+import javax.persistence.PersistenceContext;
+import javax.persistence.TypedQuery;
+
+/**
+ *
+ * @author bsilverstein
+ */
+@Stateless
+public class ConfirmEmailServiceBean {
+
+    private static final Logger logger = Logger.getLogger(ConfirmEmailServiceBean.class.getCanonicalName());
+
+    @EJB
+    AuthenticationServiceBean dataverseUserService;
+
+    @EJB
+    MailServiceBean mailService;
+
+    @EJB
+    SystemConfig systemConfig;
+
+    @PersistenceContext(unitName = "VDCNet-ejbPU")
+    private EntityManager em;
+
+    /**
+     * Initiate the email confirmation process.
+     *
+     * @param user
+     * @return {@link ConfirmEmailInitResponse}
+     */
+    public ConfirmEmailInitResponse beginConfirm(AuthenticatedUser user) throws ConfirmEmailException {
+        deleteAllExpiredTokens();
+        if (user != null) {
+            return sendConfirm(user, true);
+        } else {
+            return new ConfirmEmailInitResponse(false);
+        }
+    }
+
+    private ConfirmEmailInitResponse sendConfirm(AuthenticatedUser aUser, boolean sendEmail) throws ConfirmEmailException {
+        // delete old tokens for the user
+        ConfirmEmailData oldToken = findSingleConfirmEmailDataByUser(aUser);
+        if (oldToken != null) {
+            em.remove(oldToken);
+        }
+
+        aUser.setEmailConfirmed(null);
+        aUser = em.merge(aUser);
+        // create a fresh token for the user iff they don't have an existing token
+        ConfirmEmailData confirmEmailData = new ConfirmEmailData(aUser, systemConfig.getMinutesUntilConfirmEmailTokenExpires());
+        try {
+            /**
+             * @todo This "persist" is causing lots of noise in Glassfish's
+             * server.log if a token already exists (i.e. it isn't expired and
+             * wasn't deleted above). Exercise this bug by running
+             * ConfirmEmailIT.
+             */
+            em.persist(confirmEmailData);
+            ConfirmEmailInitResponse confirmEmailInitResponse = new ConfirmEmailInitResponse(true, confirmEmailData, optionalConfirmEmailAddonMsg(aUser));
+            if (sendEmail) {
+                sendLinkOnEmailChange(aUser, confirmEmailInitResponse.getConfirmUrl());
+            }
+
+            return confirmEmailInitResponse;
+        } catch (Exception ex) {
+            String msg = "Unable to save token for " + aUser.getEmail();
+            throw new ConfirmEmailException(msg, ex);
+        }
+
+    }
+
+    /**
+     * @todo: We expect to send two messages. One at signup and another at email
+     * change.
+     */
+    private void sendLinkOnEmailChange(AuthenticatedUser aUser, String confirmationUrl) throws ConfirmEmailException {
+        ConfirmEmailUtil confirmEmailUtil = new ConfirmEmailUtil();
+        String messageBody = BundleUtil.getStringFromBundle("notification.email.changeEmail", Arrays.asList(
+                aUser.getFirstName(),
+                confirmationUrl,
+                confirmEmailUtil.friendlyExpirationTime(systemConfig.getMinutesUntilConfirmEmailTokenExpires())
+        ));
+        logger.fine("messageBody:" + messageBody);
+
+        try {
+            String toAddress = aUser.getEmail();
+            /**
+             * @todo Move this to Bundle.properties.
+             */
+            String subject = BundleUtil.getStringFromBundle("notification.email.verifyEmail.subject");
+            mailService.sendSystemEmail(toAddress, subject, messageBody);
+        } catch (Exception ex) {
+            /**
+             * @todo get more specific about the exception that's thrown when
+             * `asadmin create-javamail-resource` (or equivalent) hasn't been
+             * run.
+             */
+            throw new ConfirmEmailException("Problem sending email confirmation link possibily due to mail server not being configured.");
+        }
+        logger.log(Level.FINE, "attempted to send mail to {0}", aUser.getEmail());
+    }
+
+    /**
+     * Process the email confirmation token, allowing the user to confirm the
+     * email address or report on a invalid token.
+     *
+     * @param tokenQueried
+     */
+    public ConfirmEmailExecResponse processToken(String tokenQueried) {
+        deleteAllExpiredTokens();
+        ConfirmEmailExecResponse tokenUnusable = new ConfirmEmailExecResponse(tokenQueried, null);
+        ConfirmEmailData confirmEmailData = findSingleConfirmEmailDataByToken(tokenQueried);
+        if (confirmEmailData != null) {
+            if (confirmEmailData.isExpired()) {
+                // shouldn't reach here since tokens are being expired above
+                return tokenUnusable;
+            } else {
+                ConfirmEmailExecResponse goodTokenCanProceed = new ConfirmEmailExecResponse(tokenQueried, confirmEmailData);
+                if (confirmEmailData == null) {
+                    logger.fine("Invalid token.");
+                    return null;
+                }
+                long nowInMilliseconds = new Date().getTime();
+                Timestamp emailConfirmed = new Timestamp(nowInMilliseconds);
+                AuthenticatedUser authenticatedUser = confirmEmailData.getAuthenticatedUser();
+                authenticatedUser.setEmailConfirmed(emailConfirmed);
+                em.remove(confirmEmailData);
+                return goodTokenCanProceed;
+            }
+        } else {
+            return tokenUnusable;
+        }
+    }
+
+    /**
+     * @param token
+     * @return Null or a single row of email confirmation data.
+     */
+    private ConfirmEmailData findSingleConfirmEmailDataByToken(String token) {
+        ConfirmEmailData confirmEmailData = null;
+        TypedQuery<ConfirmEmailData> typedQuery = em.createNamedQuery("ConfirmEmailData.findByToken", ConfirmEmailData.class);
+        typedQuery.setParameter("token", token);
+        try {
+            confirmEmailData = typedQuery.getSingleResult();
+        } catch (NoResultException | NonUniqueResultException ex) {
+            logger.fine("When looking up " + token + " caught " + ex);
+        }
+        return confirmEmailData;
+    }
+
+    public ConfirmEmailData findSingleConfirmEmailDataByUser(AuthenticatedUser user) {
+        ConfirmEmailData confirmEmailData = null;
+        TypedQuery<ConfirmEmailData> typedQuery = em.createNamedQuery("ConfirmEmailData.findByUser", ConfirmEmailData.class);
+        typedQuery.setParameter("user", user);
+        try {
+            confirmEmailData = typedQuery.getSingleResult();
+        } catch (NoResultException | NonUniqueResultException ex) {
+            logger.fine("When looking up user " + user + " caught " + ex);
+        }
+        return confirmEmailData;
+    }
+
+    public List<ConfirmEmailData> findAllConfirmEmailData() {
+        TypedQuery<ConfirmEmailData> typedQuery = em.createNamedQuery("ConfirmEmailData.findAll", ConfirmEmailData.class);
+        List<ConfirmEmailData> confirmEmailDatas = typedQuery.getResultList();
+        return confirmEmailDatas;
+    }
+
+    /**
+     * @return The number of tokens deleted.
+     */
+    private long deleteAllExpiredTokens() {
+        long numDeleted = 0;
+        List<ConfirmEmailData> allData = findAllConfirmEmailData();
+        for (ConfirmEmailData data : allData) {
+            if (data.isExpired()) {
+                em.remove(data);
+                numDeleted++;
+            }
+        }
+        return numDeleted;
+    }
+
+    /**
+     * @param authenticatedUser
+     * @return True if token is deleted. False otherwise.
+     */
+    public boolean deleteTokenForUser(AuthenticatedUser authenticatedUser) {
+        ConfirmEmailData confirmEmailData = findSingleConfirmEmailDataByUser(authenticatedUser);
+        if (confirmEmailData != null) {
+            em.remove(confirmEmailData);
+            return true;
+        }
+        return false;
+    }
+
+    public ConfirmEmailData createToken(AuthenticatedUser au) {
+        ConfirmEmailData confirmEmailData = new ConfirmEmailData(au, systemConfig.getMinutesUntilConfirmEmailTokenExpires());
+        em.persist(confirmEmailData);
+        return confirmEmailData;
+    }
+
+    public String optionalConfirmEmailAddonMsg(AuthenticatedUser user) {
+        ConfirmEmailUtil confirmEmailUtil = new ConfirmEmailUtil();
+        final String emptyString = "";
+        if (user == null) {
+            logger.info("Can't return confirm email message. AuthenticatedUser was null!");
+            return emptyString;
+        }
+        if (ShibAuthenticationProvider.PROVIDER_ID.equals(user.getAuthenticatedUserLookup().getAuthenticationProviderId())) {
+            // Shib users don't have to confirm their email address.
+            return emptyString;
+        }
+        ConfirmEmailData confirmEmailData = findSingleConfirmEmailDataByUser(user);
+        if (confirmEmailData == null) {
+            logger.info("Can't return confirm email message. No ConfirmEmailData for user id " + user.getId());
+            return emptyString;
+        }
+        String expTime = confirmEmailUtil.friendlyExpirationTime(systemConfig.getMinutesUntilConfirmEmailTokenExpires());
+        String confirmEmailUrl = systemConfig.getDataverseSiteUrl() + "/confirmemail.xhtml?token=" + confirmEmailData.getToken();
+        List<String> args = Arrays.asList(confirmEmailUrl, expTime);
+        String optionalConfirmEmailMsg = BundleUtil.getStringFromBundle("notification.email.welcomeConfirmEmailAddOn", args);
+        return optionalConfirmEmailMsg;
+    }
+
+}
diff --git a/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailUtil.java b/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailUtil.java
new file mode 100644
index 00000000000..d2f84b956df
--- /dev/null
+++ b/src/main/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailUtil.java
@@ -0,0 +1,50 @@
+package edu.harvard.iq.dataverse.confirmemail;
+
+import edu.harvard.iq.dataverse.util.BundleUtil;
+import java.sql.Timestamp;
+import java.util.Date;
+
+public class ConfirmEmailUtil {
+
+    public static Timestamp getGrandfatheredTime() {
+        /**
+         * Currently set to Y2K as an easter egg to easily set apart
+         * grandfathered accounts from post-launch accounts.
+         */
+        Timestamp grandfatheredTime = Timestamp.valueOf("2000-01-01 00:00:00.0");
+        return grandfatheredTime;
+    }
+
+    public static String friendlyExpirationTime(int expirationInt) {
+        String measurement;
+        String expirationString;
+        long expirationLong = Long.valueOf(expirationInt);
+        boolean hasDecimal = false;
+        double expirationDouble = Double.valueOf(expirationLong);
+
+        if (expirationLong == 1) {
+            measurement = BundleUtil.getStringFromBundle("minute");
+        } else if (expirationLong < 60) {
+            measurement = BundleUtil.getStringFromBundle("minutes");
+        } else if (expirationLong == 60) {
+            expirationLong = expirationLong / 60;
+            measurement = BundleUtil.getStringFromBundle("hour");
+        } else {
+            if (expirationLong % 60 == 0) {
+                expirationLong = (long) (expirationLong / 60.0);
+            } else {
+                expirationDouble /= 60;
+                hasDecimal = true;
+            }
+            measurement = BundleUtil.getStringFromBundle("hours");
+        }
+        if (hasDecimal == true) {
+            expirationString = String.valueOf(expirationDouble);
+            return expirationString + " " + measurement;
+        } else {
+            expirationString = String.valueOf(expirationLong);
+            return expirationString + " " + measurement;
+        }
+    }
+
+}
diff --git a/src/main/java/edu/harvard/iq/dataverse/engine/command/DataverseRequest.java b/src/main/java/edu/harvard/iq/dataverse/engine/command/DataverseRequest.java
index f1c628ae0f3..e1d5a34d5f5 100644
--- a/src/main/java/edu/harvard/iq/dataverse/engine/command/DataverseRequest.java
+++ b/src/main/java/edu/harvard/iq/dataverse/engine/command/DataverseRequest.java
@@ -1,9 +1,8 @@
 package edu.harvard.iq.dataverse.engine.command;
 
 import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IpAddress;
+import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
 import edu.harvard.iq.dataverse.authorization.users.User;
-import java.util.logging.Level;
-import java.util.logging.Logger;
 import javax.servlet.http.HttpServletRequest;
 
 /**
@@ -17,52 +16,19 @@ public class DataverseRequest {
     
     private final User user;
     private final IpAddress sourceAddress;
-    private static final Logger logger = Logger.getLogger(DataverseRequest.class.getCanonicalName());
     
     public DataverseRequest(User aUser, HttpServletRequest aHttpServletRequest) {
         this.user = aUser;
-        String remoteAddressStr = null;
-        
-        try {
-            remoteAddressStr = aHttpServletRequest.getRemoteAddr();
-        } catch (Exception _npe) {}
-        
-        /*
-            It was reported earlier, that HttpServletRequest.getRemoteAddr() does 
-            not supply the correct address of the incoming request, when Glassfish 
-            is running behind the Apache proxy. This is NOT true - can be easily 
-            confirmed with the log message below (will be switched to .fine when 
-            released). When this constructor is called by the ApiBlockingFileter, 
-            the remoteAddressStr will correctly show the remote address; whether
-            we are behind a proxy, or not.
-            As of now (4.2.3), this is the ONLY situation where we check the remote
-            IP address for the purposes of Authentication/Authorization. 
-        
-            HOWEVER, this log message below consistently shows NULL when non-API,  
-            page requests are coming in. This is true BOTH with or without the proxy. 
-            So this must mean that when the DataverseRequest object is created 
-            somewhere outside the ApiBlockingFilter, it likely doesn't get the 
-            HttpServletRequest object properly passed to the constructor. 
-            Which further means that in order to enable IP groups, we'll have 
-            to fix that, and make sure the IP address is properly set for such 
-            requests. 
-        
-            But, once again, as of now this sourceAddress is only being used for 
-            determining if an API request is coming from localhost. 
-        
-            (It appears that for all the regular page requests, the DataverseRequest
-            object gets created in DataverseRequestServiceBean.java, like this: 
-                dataverseRequest = new DataverseRequest(dataverseSessionSvc.getUser(), httpRequest);
-            with the httpRequest supplied by the @Context... why this isn't working
-            properly - I don't know)
-    
-            -- L.A. 4.2.3
-        */
-        
-        logger.fine("DataverseRequest: Obtained remote address: "+remoteAddressStr);
-        
-        if ( remoteAddressStr == null ) {
-            remoteAddressStr = "0.0.0.0";
+
+        final String undefined = "0.0.0.0";
+        String saneDefault = undefined;
+        String remoteAddressStr = saneDefault;
+
+        if (aHttpServletRequest != null) {
+            String remoteAddressFromRequest = aHttpServletRequest.getRemoteAddr();
+            if (remoteAddressFromRequest != null) {
+                remoteAddressStr = remoteAddressFromRequest;
+            }
         }
         sourceAddress = IpAddress.valueOf( remoteAddressStr );
     }
@@ -83,12 +49,23 @@ public IpAddress getSourceAddress() {
         return sourceAddress;
     }
 
-    
     @Override
     public String toString() {
-        return "[DataverseRequest user:" + getUser() + "@" + getSourceAddress() + "]";
-                
+        return "[DataverseRequest user:" + getUser() + "@" + getSourceAddress() + "]";                
     }
     
+    /**
+     * Get an AuthenticatedUser or return null
+     * @return 
+     */
+    public AuthenticatedUser getAuthenticatedUser(){
+        
+        User authUser = this.getUser();
+        
+        if (authUser instanceof AuthenticatedUser){
+            return (AuthenticatedUser)authUser;
+        }
+        return null;
+    }
     
 }
diff --git a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/CreateDatasetVersionCommand.java b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/CreateDatasetVersionCommand.java
index 060da0565ca..091405daf83 100644
--- a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/CreateDatasetVersionCommand.java
+++ b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/CreateDatasetVersionCommand.java
@@ -91,7 +91,7 @@ public DatasetVersion execute(CommandContext ctxt) throws CommandException {
         final List<DatasetVersion> currentVersions = dataset.getVersions();
         ArrayList<DatasetVersion> dsvs = new ArrayList<>(currentVersions.size());
         dsvs.addAll(currentVersions);
-        dsvs.set(0, newVersion);
+        dsvs.add(0, newVersion);
         dataset.setVersions( dsvs );
         
         // TODO make async
diff --git a/src/main/java/edu/harvard/iq/dataverse/mydata/DataRetrieverAPI.java b/src/main/java/edu/harvard/iq/dataverse/mydata/DataRetrieverAPI.java
index 3744a90241a..73a413ecef4 100644
--- a/src/main/java/edu/harvard/iq/dataverse/mydata/DataRetrieverAPI.java
+++ b/src/main/java/edu/harvard/iq/dataverse/mydata/DataRetrieverAPI.java
@@ -16,9 +16,10 @@
 import edu.harvard.iq.dataverse.authorization.AuthenticationServiceBean;
 import edu.harvard.iq.dataverse.authorization.DataverseRole;
 import edu.harvard.iq.dataverse.authorization.DataverseRolePermissionHelper;
-import edu.harvard.iq.dataverse.authorization.MyDataQueryHelperServiceBean;
+//import edu.harvard.iq.dataverse.authorization.MyDataQueryHelperServiceBean;
 import edu.harvard.iq.dataverse.authorization.groups.GroupServiceBean;
 import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
+import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
 import edu.harvard.iq.dataverse.search.SearchConstants;
 import edu.harvard.iq.dataverse.search.SearchException;
 import edu.harvard.iq.dataverse.search.SearchFields;
@@ -68,8 +69,8 @@ public class DataRetrieverAPI extends AbstractApiBean {
     SearchServiceBean searchService;
     @EJB
     AuthenticationServiceBean authenticationService;
-    @EJB
-    MyDataQueryHelperServiceBean myDataQueryHelperServiceBean;
+    //@EJB
+    //MyDataQueryHelperServiceBean myDataQueryHelperServiceBean;
     @EJB
     GroupServiceBean groupService;
     
@@ -165,9 +166,9 @@ private AuthenticatedUser getUserFromIdentifier(String userIdentifier){
         return authenticationService.getAuthenticatedUser(userIdentifier);
     }
     
-    public Map<String, Long> getTotalCountsFromSolrAsJavaMap(AuthenticatedUser searchUser, MyDataFinder myDataFinder ){
+    public Map<String, Long> getTotalCountsFromSolrAsJavaMap(DataverseRequest dataverseRequest, MyDataFinder myDataFinder ){
         //msgt("getTotalCountsFromSolrAsJavaMap: " + searchUser.getIdentifier());
-        SolrQueryResponse solrQueryResponseForCounts = getTotalCountsFromSolr(searchUser, myDataFinder);
+        SolrQueryResponse solrQueryResponseForCounts = getTotalCountsFromSolr(dataverseRequest, myDataFinder);
         if (solrQueryResponseForCounts == null){
             logger.severe("DataRetrieverAPI.getTotalCountsFromSolrAsJSON: solrQueryResponseForCounts should not be null");
             return null;
@@ -175,9 +176,9 @@ public Map<String, Long> getTotalCountsFromSolrAsJavaMap(AuthenticatedUser searc
         return solrQueryResponseForCounts.getDvObjectCounts();
     }
     
-    public JsonObjectBuilder getTotalCountsFromSolrAsJSON(AuthenticatedUser searchUser, MyDataFinder myDataFinder ){
+    public JsonObjectBuilder getTotalCountsFromSolrAsJSON(DataverseRequest dataverseRequest, MyDataFinder myDataFinder ){
     
-        SolrQueryResponse solrQueryResponseForCounts = getTotalCountsFromSolr(searchUser, myDataFinder);
+        SolrQueryResponse solrQueryResponseForCounts = getTotalCountsFromSolr(dataverseRequest, myDataFinder);
         if (solrQueryResponseForCounts == null){
             logger.severe("DataRetrieverAPI.getTotalCountsFromSolrAsJSON: solrQueryResponseForCounts should not be null");
             return null;
@@ -186,20 +187,20 @@ public JsonObjectBuilder getTotalCountsFromSolrAsJSON(AuthenticatedUser searchUs
     }
     
     
-    private SolrQueryResponse getTotalCountsFromSolr(AuthenticatedUser searchUser, MyDataFinder myDataFinder){
+    private SolrQueryResponse getTotalCountsFromSolr(DataverseRequest dataverseRequest, MyDataFinder myDataFinder){
         //msgt("getTotalCountsFromSolr: " + searchUser.getIdentifier());
 
         if (myDataFinder == null){
             throw new NullPointerException("myDataFinder cannot be null");
         }
-        if (searchUser == null){
-            throw new NullPointerException("searchUser cannot be null");
+        if (dataverseRequest == null){
+            throw new NullPointerException("dataverseRequest cannot be null");
         }
         
         // -------------------------------------------------------
         // Create new filter params that only check by the User 
         // -------------------------------------------------------
-        MyDataFilterParams filterParams = new MyDataFilterParams(searchUser, myDataFinder.getRolePermissionHelper());
+        MyDataFilterParams filterParams = new MyDataFilterParams(dataverseRequest, myDataFinder.getRolePermissionHelper());
         if (filterParams.hasError()){
             logger.severe("getTotalCountsFromSolr. filterParams error: " + filterParams.getErrorMessage());           
             return null;
@@ -232,7 +233,7 @@ private SolrQueryResponse getTotalCountsFromSolr(AuthenticatedUser searchUser, M
         SolrQueryResponse solrQueryResponseForCounts;
         try {
             solrQueryResponseForCounts = searchService.search(
-                    searchUser, //
+                    dataverseRequest,
                     null, // subtree, default it to Dataverse for now
                     "*",  //    Get everything--always
                     filterQueries,//filterQueries,
@@ -288,7 +289,6 @@ public String retrieveMyDataAsJsonString(@QueryParam("dvobject_types") List<Stri
         // For, superusers, the searchUser may differ from the authUser
         //
         AuthenticatedUser searchUser = null;  
-        
 
         if (DEBUG_MODE==true){      // DEBUG: use userIdentifier
             authUser = getUserFromIdentifier(userIdentifier);
@@ -351,7 +351,10 @@ public String retrieveMyDataAsJsonString(@QueryParam("dvobject_types") List<Stri
         // ---------------------------------
         // (1) Initialize filterParams and check for Errors 
         // ---------------------------------
-        MyDataFilterParams filterParams = new MyDataFilterParams(authUser, dtypes, pub_states, roleIds, searchTerm);
+        DataverseRequest dataverseRequest = createDataverseRequest(authUser);
+
+        
+        MyDataFilterParams filterParams = new MyDataFilterParams(dataverseRequest, dtypes, pub_states, roleIds, searchTerm);
         if (filterParams.hasError()){
             return this.getJSONErrorString(filterParams.getErrorMessage(), filterParams.getErrorMessage());
         }
@@ -397,7 +400,7 @@ public String retrieveMyDataAsJsonString(@QueryParam("dvobject_types") List<Stri
 
         try {
                 solrQueryResponse = searchService.search(
-                        searchUser, // 
+                        dataverseRequest,
                         null, // subtree, default it to Dataverse for now
                         filterParams.getSearchTerm(),  //"*", //
                         filterQueries,//filterQueries,
@@ -441,7 +444,7 @@ public String retrieveMyDataAsJsonString(@QueryParam("dvobject_types") List<Stri
                                 paginationStart);
         
         RoleTagRetriever roleTagRetriever = new RoleTagRetriever(this.rolePermissionHelper, this.roleAssigneeSvc, this.dvObjectServiceBean);
-        roleTagRetriever.loadRoles(searchUser, solrQueryResponse);
+        roleTagRetriever.loadRoles(dataverseRequest, solrQueryResponse);
 
                 
         jsonData.add(DataRetrieverAPI.JSON_SUCCESS_FIELD_NAME, true)
diff --git a/src/main/java/edu/harvard/iq/dataverse/mydata/MyDataFilterParams.java b/src/main/java/edu/harvard/iq/dataverse/mydata/MyDataFilterParams.java
index 3b8fc4f1720..b10a37aff5d 100644
--- a/src/main/java/edu/harvard/iq/dataverse/mydata/MyDataFilterParams.java
+++ b/src/main/java/edu/harvard/iq/dataverse/mydata/MyDataFilterParams.java
@@ -11,6 +11,7 @@
 import edu.harvard.iq.dataverse.search.IndexServiceBean;
 import edu.harvard.iq.dataverse.authorization.DataverseRolePermissionHelper;
 import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
+import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
 import edu.harvard.iq.dataverse.search.SearchConstants;
 import edu.harvard.iq.dataverse.search.SearchFields;
 import java.util.ArrayList;
@@ -74,6 +75,7 @@ public class MyDataFilterParams {
     // -----------------------------------
     // Filter parameters
     // -----------------------------------
+    private DataverseRequest dataverseRequest;
     private AuthenticatedUser authenticatedUser;
     private String userIdentifier;
     private List<String> dvObjectTypes;    
@@ -99,14 +101,15 @@ public class MyDataFilterParams {
      * @param authenticatedUser
      * @param userIdentifier 
      */
-    public MyDataFilterParams(AuthenticatedUser authenticatedUser, DataverseRolePermissionHelper roleHelper){
-        if (authenticatedUser==null){
-            throw new NullPointerException("MyDataFilterParams constructor: authenticatedIUser cannot be null ");
+    public MyDataFilterParams(DataverseRequest dataverseRequest, DataverseRolePermissionHelper roleHelper){
+        if (dataverseRequest==null){
+            throw new NullPointerException("MyDataFilterParams constructor: dataverseRequest cannot be null ");
         }
-        this.authenticatedUser = authenticatedUser;
+        this.dataverseRequest = dataverseRequest;
+        this.setAuthenticatedUserFromDataverseRequest(dataverseRequest);
         this.userIdentifier = authenticatedUser.getIdentifier();
 
-         if (roleHelper==null){
+        if (roleHelper==null){
             throw new NullPointerException("MyDataFilterParams constructor: roleHelper cannot be null");
         }
         this.dvObjectTypes = MyDataFilterParams.allDvObjectTypes;
@@ -121,11 +124,12 @@ public MyDataFilterParams(AuthenticatedUser authenticatedUser, DataverseRolePerm
      * @param publicationStatuses 
      * @param searchTerm 
      */    
-    public MyDataFilterParams(AuthenticatedUser authenticatedUser, List<String> dvObjectTypes, List<String> publicationStatuses, List<Long> roleIds, String searchTerm){
-        if (authenticatedUser==null){
-            throw new NullPointerException("MyDataFilterParams constructor: authenticatedIUser cannot be null ");
+    public MyDataFilterParams(DataverseRequest dataverseRequest, List<String> dvObjectTypes, List<String> publicationStatuses, List<Long> roleIds, String searchTerm){
+        if (dataverseRequest==null){
+            throw new NullPointerException("MyDataFilterParams constructor: dataverseRequest cannot be null ");
         }
-        this.authenticatedUser = authenticatedUser;
+        this.dataverseRequest = dataverseRequest;
+        this.setAuthenticatedUserFromDataverseRequest(dataverseRequest);
         this.userIdentifier = authenticatedUser.getIdentifier();
 
         if (dvObjectTypes==null){
@@ -153,6 +157,20 @@ public MyDataFilterParams(AuthenticatedUser authenticatedUser, List<String> dvOb
     }
     
     
+    private void setAuthenticatedUserFromDataverseRequest(DataverseRequest dvRequest){
+        
+        if (dvRequest == null){
+            throw new NullPointerException("MyDataFilterParams getAuthenticatedUserFromDataverseRequest: dvRequest cannot be null");
+        }
+        
+        this.authenticatedUser = dvRequest.getAuthenticatedUser();
+        
+        if (this.authenticatedUser == null){
+            throw new NullPointerException("MyDataFilterParams getAuthenticatedUserFromDataverseRequest: Hold on! dvRequest must be associated with an AuthenticatedUser be null");
+        }
+    }  
+    
+    
     public List<Long> getRoleIds(){
         
         return this.roleIds;
@@ -344,5 +362,8 @@ public static List<String[]> getPublishedStatesForMyDataPage(){
         return publicationStateInfoList;
     }
   
+    public DataverseRequest getDataverseRequest(){
+        return this.dataverseRequest;
+    }
   
 }
diff --git a/src/main/java/edu/harvard/iq/dataverse/mydata/MyDataFinder.java b/src/main/java/edu/harvard/iq/dataverse/mydata/MyDataFinder.java
index 548878f5814..7cbd5572550 100644
--- a/src/main/java/edu/harvard/iq/dataverse/mydata/MyDataFinder.java
+++ b/src/main/java/edu/harvard/iq/dataverse/mydata/MyDataFinder.java
@@ -446,10 +446,9 @@ public JsonArrayBuilder getListofSelectedRoles(){
     
     private boolean runStep1RoleAssignments(){
                 
-        List<Object[]> results = this.roleAssigneeService.getAssigneeAndRoleIdListFor(filterParams.getAuthenticatedUser()
-                                        , this.filterParams.getRoleIds());
+        List<Object[]> results = this.roleAssigneeService.getAssigneeAndRoleIdListFor(filterParams);
         
-        //msgt("runStep1RoleAssignments results: " + results.toString());
+        System.out.println("runStep1RoleAssignments results: " + results.toString());
 
         if (results == null){
             this.addErrorMessage("Sorry, the EntityManager isn't working (still).");
@@ -474,6 +473,8 @@ private boolean runStep1RoleAssignments(){
             Long dvId = (Long)ra[0];
             Long roleId = (Long)ra[1];
             
+            
+            
             //----------------------------------
             // Is this is a harvested Dataverse?
             // If so, skip it.
diff --git a/src/main/java/edu/harvard/iq/dataverse/mydata/MyDataPage.java b/src/main/java/edu/harvard/iq/dataverse/mydata/MyDataPage.java
index 3a6979cca89..2cce3b06d82 100644
--- a/src/main/java/edu/harvard/iq/dataverse/mydata/MyDataPage.java
+++ b/src/main/java/edu/harvard/iq/dataverse/mydata/MyDataPage.java
@@ -16,15 +16,17 @@
 import edu.harvard.iq.dataverse.search.SolrQueryResponse;
 import edu.harvard.iq.dataverse.authorization.DataverseRole;
 import edu.harvard.iq.dataverse.authorization.DataverseRolePermissionHelper;
-import edu.harvard.iq.dataverse.authorization.MyDataQueryHelperServiceBean;
 import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
+import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.logging.Logger;
 import javax.ejb.EJB;
+import javax.faces.context.FacesContext;
 import javax.faces.view.ViewScoped;
 import javax.inject.Inject;
 import javax.inject.Named;
+import javax.servlet.http.HttpServletRequest;
 
 /*
  * To change this license header, choose License Headers in Project Properties.
@@ -52,8 +54,8 @@ public class MyDataPage implements java.io.Serializable {
     DvObjectServiceBean dvObjectServiceBean;
     @EJB
     SearchServiceBean searchService;
-    @EJB
-    MyDataQueryHelperServiceBean myDataQueryHelperServiceBean;
+//    @EJB
+//    MyDataQueryHelperServiceBean myDataQueryHelperServiceBean;
     @Inject
     PermissionsWrapper permissionsWrapper;
     
@@ -165,12 +167,15 @@ public String init() {
 
         // Initialize a filterParams object to buid the Publication Status checkboxes
         //
-        this.filterParams = new MyDataFilterParams(authUser,  MyDataFilterParams.defaultDvObjectTypes, null, null, null);
+        HttpServletRequest httpServletRequest = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
+
+        DataverseRequest dataverseRequest = new DataverseRequest(authUser, httpServletRequest);
+        this.filterParams = new MyDataFilterParams(dataverseRequest,  MyDataFilterParams.defaultDvObjectTypes, null, null, null);
         
         
         // Temp DataverseRolePermissionHelper -- not in its normal role but for creating initial checkboxes
         //
-        rolePermissionHelper = new DataverseRolePermissionHelper(getRolesUsedToCreateCheckboxes(authUser));
+        rolePermissionHelper = new DataverseRolePermissionHelper(getRolesUsedToCreateCheckboxes(dataverseRequest));
        
         //this.setUserCountTotals(authUser, rolePermissionHelper);
         return null;
@@ -183,10 +188,10 @@ public String getAuthUserIdentifier(){
         return MyDataUtil.formatUserIdentifierForMyDataForm(this.authUser.getIdentifier());
     }
     
-    private List<DataverseRole> getRolesUsedToCreateCheckboxes(AuthenticatedUser authUser){
+    private List<DataverseRole> getRolesUsedToCreateCheckboxes(DataverseRequest dataverseRequest){
 
-        if (authUser==null){
-            throw new NullPointerException("authUser cannot be null");
+        if (dataverseRequest==null){
+            throw new NullPointerException("dataverseRequest cannot be null");
         }
         // Initialize the role checboxes
         //
@@ -198,7 +203,7 @@ private List<DataverseRole> getRolesUsedToCreateCheckboxes(AuthenticatedUser aut
             roleList = dataverseRoleService.findAll();
         }else{
             // (2) For a regular users
-            roleList = roleAssigneeService.getAssigneeDataverseRoleFor(authUser);
+            roleList = roleAssigneeService.getAssigneeDataverseRoleFor(dataverseRequest);
         
             // If there are no assigned roles, show them all?
             // This may not make sense
diff --git a/src/main/java/edu/harvard/iq/dataverse/mydata/RoleTagRetriever.java b/src/main/java/edu/harvard/iq/dataverse/mydata/RoleTagRetriever.java
index 17477dda014..037a5ebc9bd 100644
--- a/src/main/java/edu/harvard/iq/dataverse/mydata/RoleTagRetriever.java
+++ b/src/main/java/edu/harvard/iq/dataverse/mydata/RoleTagRetriever.java
@@ -12,6 +12,7 @@
 import edu.harvard.iq.dataverse.search.SolrSearchResult;
 import edu.harvard.iq.dataverse.authorization.DataverseRolePermissionHelper;
 import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
+import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
 import edu.harvard.iq.dataverse.search.SearchConstants;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -69,7 +70,12 @@ public RoleTagRetriever(DataverseRolePermissionHelper rolePermissionHelper
        this.dvObjectServiceBean = dvObjectServiceBean;
     }
     
-    public void loadRoles(AuthenticatedUser au , SolrQueryResponse solrQueryResponse){
+    public void loadRoles(DataverseRequest dataverseRequest , SolrQueryResponse solrQueryResponse){
+        if (dataverseRequest == null){
+            throw new NullPointerException("RoleTagRetriever.constructor. dataverseRequest cannot be null");
+        }
+        
+        AuthenticatedUser au = dataverseRequest.getAuthenticatedUser();
         
         if (au == null){
             throw new NullPointerException("RoleTagRetriever.constructor. au cannot be null");
@@ -94,7 +100,7 @@ public void loadRoles(AuthenticatedUser au , SolrQueryResponse solrQueryResponse
         findDataverseIdsForFiles();
         
         // (4) Retrieve the role ids
-        retrieveRoleIdsForDvObjects(au);
+        retrieveRoleIdsForDvObjects(dataverseRequest, au);
 
         // (5) Prepare final role lists
         prepareFinalRoleLists();
@@ -349,7 +355,7 @@ private void findDataverseIdsForFiles(){
     }
     
     
-    private boolean retrieveRoleIdsForDvObjects(AuthenticatedUser au ){
+    private boolean retrieveRoleIdsForDvObjects(DataverseRequest dataverseRequest, AuthenticatedUser au){
         
         String userIdentifier = au.getUserIdentifier();
         if (userIdentifier == null){
@@ -366,7 +372,7 @@ private boolean retrieveRoleIdsForDvObjects(AuthenticatedUser au ){
         }
         //msg("dvObjectIdList: " + dvObjectIdList.toString());
 
-        List<Object[]> results = this.roleAssigneeService.getRoleIdsFor(au, dvObjectIdList);
+        List<Object[]> results = this.roleAssigneeService.getRoleIdsFor(dataverseRequest, dvObjectIdList);
         
         //msgt("runStep1RoleAssignments results: " + results.toString());
 
diff --git a/src/main/java/edu/harvard/iq/dataverse/search/SearchFilesServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/search/SearchFilesServiceBean.java
index d32dbe4dfa6..60f35f39159 100644
--- a/src/main/java/edu/harvard/iq/dataverse/search/SearchFilesServiceBean.java
+++ b/src/main/java/edu/harvard/iq/dataverse/search/SearchFilesServiceBean.java
@@ -3,12 +3,15 @@
 import edu.harvard.iq.dataverse.DatasetVersion;
 import edu.harvard.iq.dataverse.Dataverse;
 import edu.harvard.iq.dataverse.authorization.users.User;
+import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.logging.Logger;
 import javax.ejb.EJB;
 import javax.ejb.Stateless;
+import javax.faces.context.FacesContext;
 import javax.inject.Named;
+import javax.servlet.http.HttpServletRequest;
 
 @Named
 @Stateless
@@ -40,7 +43,8 @@ public FileView getFileView(DatasetVersion datasetVersion, User user, String use
         int numResultsPerPage = 25;
         SolrQueryResponse solrQueryResponse = null;
         try {
-            solrQueryResponse = searchService.search(user, dataverse, finalQuery, filterQueries, sortField, sortOrder, paginationStart, onlyDataRelatedToMe, numResultsPerPage);
+            HttpServletRequest httpServletRequest = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
+            solrQueryResponse = searchService.search(new DataverseRequest(user, httpServletRequest), dataverse, finalQuery, filterQueries, sortField, sortOrder, paginationStart, onlyDataRelatedToMe, numResultsPerPage);
         } catch (SearchException ex) {
             logger.info(SearchException.class + " searching for files: " + ex);
             return null;
diff --git a/src/main/java/edu/harvard/iq/dataverse/search/SearchIncludeFragment.java b/src/main/java/edu/harvard/iq/dataverse/search/SearchIncludeFragment.java
index 8eab46a3556..7f0cd51cad4 100644
--- a/src/main/java/edu/harvard/iq/dataverse/search/SearchIncludeFragment.java
+++ b/src/main/java/edu/harvard/iq/dataverse/search/SearchIncludeFragment.java
@@ -16,6 +16,7 @@
 import edu.harvard.iq.dataverse.SettingsWrapper;
 import edu.harvard.iq.dataverse.WidgetWrapper;
 import edu.harvard.iq.dataverse.dataaccess.ImageThumbConverter;
+import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Date;
@@ -26,9 +27,11 @@
 import java.util.Set;
 import java.util.logging.Logger;
 import javax.ejb.EJB;
+import javax.faces.context.FacesContext;
 import javax.faces.view.ViewScoped;
 import javax.inject.Inject;
 import javax.inject.Named;
+import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.lang.StringUtils;
 
 @ViewScoped
@@ -307,10 +310,12 @@ public void search(boolean onlyDataRelatedToMe) {
              * https://github.com/IQSS/dataverse/issues/84
              */
             int numRows = 10;
-            solrQueryResponse = searchService.search(session.getUser(), dataverse, queryToPassToSolr, filterQueriesFinal, sortField, sortOrder.toString(), paginationStart, onlyDataRelatedToMe, numRows, false);
+            HttpServletRequest httpServletRequest = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
+            DataverseRequest dataverseRequest = new DataverseRequest(session.getUser(), httpServletRequest);
+            solrQueryResponse = searchService.search(dataverseRequest, dataverse, queryToPassToSolr, filterQueriesFinal, sortField, sortOrder.toString(), paginationStart, onlyDataRelatedToMe, numRows, false);
             // This 2nd search() is for populating the facets: -- L.A. 
             // TODO: ...
-            solrQueryResponseAllTypes = searchService.search(session.getUser(), dataverse, queryToPassToSolr, filterQueriesFinalAllTypes, sortField, sortOrder.toString(), paginationStart, onlyDataRelatedToMe, numRows, false);
+            solrQueryResponseAllTypes = searchService.search(dataverseRequest, dataverse, queryToPassToSolr, filterQueriesFinalAllTypes, sortField, sortOrder.toString(), paginationStart, onlyDataRelatedToMe, numRows, false);
         } catch (SearchException ex) {
             Throwable cause = ex;
             StringBuilder sb = new StringBuilder();
diff --git a/src/main/java/edu/harvard/iq/dataverse/search/SearchServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/search/SearchServiceBean.java
index 54c06214383..fc7644dfdd1 100644
--- a/src/main/java/edu/harvard/iq/dataverse/search/SearchServiceBean.java
+++ b/src/main/java/edu/harvard/iq/dataverse/search/SearchServiceBean.java
@@ -9,7 +9,6 @@
 import edu.harvard.iq.dataverse.Dataverse;
 import edu.harvard.iq.dataverse.DataverseFacet;
 import edu.harvard.iq.dataverse.DataverseServiceBean;
-import edu.harvard.iq.dataverse.DvObject;
 import edu.harvard.iq.dataverse.DvObjectServiceBean;
 import edu.harvard.iq.dataverse.authorization.groups.Group;
 import edu.harvard.iq.dataverse.authorization.groups.GroupServiceBean;
@@ -17,6 +16,7 @@
 import edu.harvard.iq.dataverse.authorization.users.PrivateUrlUser;
 import edu.harvard.iq.dataverse.authorization.users.GuestUser;
 import edu.harvard.iq.dataverse.authorization.users.User;
+import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
 import edu.harvard.iq.dataverse.util.JsfHelper;
 import edu.harvard.iq.dataverse.util.SystemConfig;
 import java.lang.reflect.Field;
@@ -108,7 +108,7 @@ public void close(){
      * related to permissions
      *
      *
-     * @param user
+     * @param dataverseRequest
      * @param dataverse
      * @param query
      * @param filterQueries
@@ -120,8 +120,8 @@ public void close(){
      * @return
      * @throws SearchException
      */
-    public SolrQueryResponse search(User user, Dataverse dataverse, String query, List<String> filterQueries, String sortField, String sortOrder, int paginationStart, boolean onlyDatatRelatedToMe, int numResultsPerPage) throws SearchException {
-        return search(user, dataverse, query, filterQueries, sortField, sortOrder, paginationStart, onlyDatatRelatedToMe, numResultsPerPage, true);
+    public SolrQueryResponse search(DataverseRequest dataverseRequest, Dataverse dataverse, String query, List<String> filterQueries, String sortField, String sortOrder, int paginationStart, boolean onlyDatatRelatedToMe, int numResultsPerPage) throws SearchException {
+        return search(dataverseRequest, dataverse, query, filterQueries, sortField, sortOrder, paginationStart, onlyDatatRelatedToMe, numResultsPerPage, true);
     }
     
     /**
@@ -145,7 +145,7 @@ public SolrQueryResponse search(User user, Dataverse dataverse, String query, Li
      * @return
      * @throws SearchException
      */
-    public SolrQueryResponse search(User user, Dataverse dataverse, String query, List<String> filterQueries, String sortField, String sortOrder, int paginationStart, boolean onlyDatatRelatedToMe, int numResultsPerPage, boolean retrieveEntities) throws SearchException {
+    public SolrQueryResponse search(DataverseRequest dataverseRequest, Dataverse dataverse, String query, List<String> filterQueries, String sortField, String sortOrder, int paginationStart, boolean onlyDatatRelatedToMe, int numResultsPerPage, boolean retrieveEntities) throws SearchException {
 
         if (paginationStart < 0) {
             throw new IllegalArgumentException("paginationStart must be 0 or greater");
@@ -221,7 +221,7 @@ public SolrQueryResponse search(User user, Dataverse dataverse, String query, Li
         // -----------------------------------
         // PERMISSION FILTER QUERY
         // -----------------------------------
-        String permissionFilterQuery = this.getPermissionFilterQuery(user, solrQuery, dataverse, onlyDatatRelatedToMe);
+        String permissionFilterQuery = this.getPermissionFilterQuery(dataverseRequest, solrQuery, dataverse, onlyDatatRelatedToMe);
         if (permissionFilterQuery != null) {
             solrQuery.addFilterQuery(permissionFilterQuery);
         }
@@ -750,8 +750,9 @@ public String getCapitalizedName(String name) {
      *
      * @return
      */
-    private String getPermissionFilterQuery(User user, SolrQuery solrQuery, Dataverse dataverse, boolean onlyDatatRelatedToMe) {
+    private String getPermissionFilterQuery(DataverseRequest dataverseRequest, SolrQuery solrQuery, Dataverse dataverse, boolean onlyDatatRelatedToMe) {
 
+        User user = dataverseRequest.getUser();
         if (user == null) {
             throw new NullPointerException("user cannot be null");
         }
@@ -776,10 +777,26 @@ private String getPermissionFilterQuery(User user, SolrQuery solrQuery, Datavers
 
         // ----------------------------------------------------
         // (1) Is this a GuestUser?  
-        // Yes, all set, give back "publicOnly" filter string
+        // Yes, see if GuestUser is part of any groups such as IP Groups.
         // ----------------------------------------------------
         if (user instanceof GuestUser) {
-            return publicOnly;
+            String groupsFromProviders = "";
+            Set<Group> groups = groupService.collectAncestors(groupService.groupsFor(dataverseRequest));
+            StringBuilder sb = new StringBuilder();
+            for (Group group : groups) {
+                logger.fine("found group " + group.getIdentifier() + " with alias " + group.getAlias());
+                String groupAlias = group.getAlias();
+                if (groupAlias != null && !groupAlias.isEmpty()) {
+                    sb.append(" OR ");
+                    // i.e. group_builtIn/all-users, ip/ipGroup3
+                    sb.append(IndexServiceBean.getGroupPrefix()).append(groupAlias);
+                }
+            }
+            groupsFromProviders = sb.toString();
+            logger.fine("groupsFromProviders:" + groupsFromProviders);
+            String guestWithGroups = "{!join from=" + SearchFields.DEFINITION_POINT + " to=id}" + SearchFields.DISCOVERABLE_BY + ":(" + IndexServiceBean.getPublicGroupString() + groupsFromProviders + ")";
+            logger.fine(guestWithGroups);
+            return guestWithGroups;
         }
 
         // ----------------------------------------------------
@@ -854,7 +871,7 @@ private String getPermissionFilterQuery(User user, SolrQuery solrQuery, Datavers
          * a given "content document" (dataset version, etc) in Solr.
          */
         String groupsFromProviders = "";
-        Set<Group> groups = groupService.groupsFor(au);
+        Set<Group> groups = groupService.collectAncestors(groupService.groupsFor(dataverseRequest));
         StringBuilder sb = new StringBuilder();
         for (Group group : groups) {
             logger.fine("found group " + group.getIdentifier() + " with alias " + group.getAlias());
diff --git a/src/main/java/edu/harvard/iq/dataverse/search/savedsearch/SavedSearchServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/search/savedsearch/SavedSearchServiceBean.java
index 0694b404098..004e937b425 100644
--- a/src/main/java/edu/harvard/iq/dataverse/search/savedsearch/SavedSearchServiceBean.java
+++ b/src/main/java/edu/harvard/iq/dataverse/search/savedsearch/SavedSearchServiceBean.java
@@ -206,7 +206,7 @@ private SolrQueryResponse findHits(SavedSearch savedSearch) throws SearchExcepti
         boolean dataRelatedToMe = false;
         int numResultsPerPage = Integer.MAX_VALUE;
         SolrQueryResponse solrQueryResponse = searchService.search(
-                savedSearch.getCreator(),
+                new DataverseRequest(savedSearch.getCreator(), getHttpServletRequest()),
                 savedSearch.getDefinitionPoint(),
                 savedSearch.getQuery(),
                 savedSearch.getFilterQueriesAsStrings(),
@@ -297,6 +297,22 @@ public static HttpServletRequest getHttpServletRequest() {
          * different from the one the user may have, and quite possibly more
          * privileged. It maybe safest to pass in a null http request at this
          * stage." -- michbarsinai
+         *
+         * When Saved Search was designed, there was no DataverseRequest object
+         * so what is persisted is the id of the AuthenticatedUser. When a Saved
+         * Search is later re-executed via cron, the AuthenticatedUser is used
+         * but Saved Search has no memory of which IP address was used when the
+         * Saved Search was created. The default IP address in the
+         * DataverseRequest constructor is used instead, which as of this
+         * writing is 0.0.0.0 to mean "undefined". Is this a feature or a bug?
+         * What is the expected interplay between Saved Search and IP Groups?
+         * Users might be surprised to see certain DvObjects in the results of
+         * their query when creating the Saved Search and later find that those
+         * DvObjects, which are only visible due to an IP Groups membership, are
+         * not found by Saved Search when executed by cron, for example. As of
+         * this writing Saved Search is a superuser-only feature so perhaps IP
+         * Groups are irrelevant because all DvObjects are discoverable to
+         * superusers.
          */
         return null;
     }
diff --git a/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java
index 65c3278eb8b..9235ab19dab 100644
--- a/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java
+++ b/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java
@@ -33,6 +33,8 @@ public class SettingsServiceBean {
      * So there.
      */
     public enum Key {
+        FooterCopyright,
+        MinutesUntilConfirmEmailTokenExpires,
         /**
          * Override Solr highlighting "fragsize"
          * https://wiki.apache.org/solr/HighlightingParameters#hl.fragsize
diff --git a/src/main/java/edu/harvard/iq/dataverse/util/BitSet.java b/src/main/java/edu/harvard/iq/dataverse/util/BitSet.java
index 45f787d6ac6..93e01bac551 100644
--- a/src/main/java/edu/harvard/iq/dataverse/util/BitSet.java
+++ b/src/main/java/edu/harvard/iq/dataverse/util/BitSet.java
@@ -11,10 +11,18 @@ public class BitSet implements Serializable {
 
 	private long store = 0l;
 	
-	public static BitSet emptySet() {
+	/**
+     * Creates a new set with all bits set to 0.
+     * @return a new, empty, set.
+     */
+    public static BitSet emptySet() {
 		return new BitSet();
 	}
 	
+    /**
+     * Creates a new set with all bits set to 1.
+     * @return a new, full, set.
+     */
 	public static BitSet fullSet() {
 		return new BitSet( ~0 );
 	}
diff --git a/src/main/java/edu/harvard/iq/dataverse/util/SystemConfig.java b/src/main/java/edu/harvard/iq/dataverse/util/SystemConfig.java
index f03ae885e61..1912642ea9b 100644
--- a/src/main/java/edu/harvard/iq/dataverse/util/SystemConfig.java
+++ b/src/main/java/edu/harvard/iq/dataverse/util/SystemConfig.java
@@ -7,6 +7,8 @@
 import java.io.InputStream;
 import java.net.InetAddress;
 import java.net.UnknownHostException;
+import java.time.Year;
+import java.util.Arrays;
 import java.util.MissingResourceException;
 import java.util.Properties;
 import java.util.ResourceBundle;
@@ -201,9 +203,28 @@ public String getSolrHostColonPort() {
         String solrHostColonPort = settingsService.getValueForKey(SettingsServiceBean.Key.SolrHostColonPort, saneDefaultForSolrHostColonPort);
         return solrHostColonPort;
     }
-    
-    
-    
+
+    public int getMinutesUntilConfirmEmailTokenExpires() {
+        final int minutesInOneDay = 1440;
+        final int reasonableDefault = minutesInOneDay;
+        SettingsServiceBean.Key key = SettingsServiceBean.Key.MinutesUntilConfirmEmailTokenExpires;
+        String valueFromDatabase = settingsService.getValueForKey(key);
+        if (valueFromDatabase != null) {
+            try {
+                int intFromDatabase = Integer.parseInt(valueFromDatabase);
+                if (intFromDatabase > 0) {
+                    return intFromDatabase;
+                } else {
+                    logger.info("Returning " + reasonableDefault + " for " + key + " because value must be greater than zero, not \"" + intFromDatabase + "\".");
+                }
+            } catch (NumberFormatException ex) {
+                logger.info("Returning " + reasonableDefault + " for " + key + " because value must be an integer greater than zero, not \"" + valueFromDatabase + "\".");
+            }
+        }
+        logger.fine("Returning " + reasonableDefault + " for " + key);
+        return reasonableDefault;
+    }
+
     /**
      * The number of minutes for which a password reset token is valid. Can be
      * overridden by {@link #PASSWORD_RESET_TIMEOUT_IN_MINUTES}.
@@ -509,4 +530,8 @@ public boolean isTimerServer() {
         }
         return false;
     }
+
+    public String getFooterCopyrightAndYear() {
+        return BundleUtil.getStringFromBundle("footer.copyright", Arrays.asList(Year.now().getValue() + ""));
+    }
 }
diff --git a/src/main/java/edu/harvard/iq/dataverse/util/json/JsonParser.java b/src/main/java/edu/harvard/iq/dataverse/util/json/JsonParser.java
index 3e8a6152558..15961748511 100644
--- a/src/main/java/edu/harvard/iq/dataverse/util/json/JsonParser.java
+++ b/src/main/java/edu/harvard/iq/dataverse/util/json/JsonParser.java
@@ -60,6 +60,10 @@ public JsonParser(DatasetFieldServiceBean datasetFieldSvc, MetadataBlockServiceB
         this.settingsService = settingsService;
     }
 
+    public JsonParser() {
+        this( null,null,null );
+    }
+    
     public boolean isLenient() {
         return lenient;
     }
@@ -186,20 +190,27 @@ public IpGroup parseIpGroup(JsonObject obj) {
         IpGroup retVal = new IpGroup();
 
         if (obj.containsKey("id")) {
-            retVal.setId(Long.valueOf(obj.getString("id")));
+            retVal.setId(Long.valueOf(obj.getInt("id")));
         }
         retVal.setDisplayName(obj.getString("name", null));
         retVal.setDescription(obj.getString("description", null));
         retVal.setPersistedGroupAlias(obj.getString("alias", null));
 
-        JsonArray rangeArray = obj.getJsonArray("ranges");
-        for (JsonValue range : rangeArray) {
-            if (range.getValueType() == JsonValue.ValueType.ARRAY) {
-                JsonArray rr = (JsonArray) range;
-                retVal.add(IpAddressRange.make(IpAddress.valueOf(rr.getString(0)),
-                        IpAddress.valueOf(rr.getString(1))));
-
-            }
+        if ( obj.containsKey("ranges") ) {
+            obj.getJsonArray("ranges").stream()
+                    .filter( jv -> jv.getValueType()==JsonValue.ValueType.ARRAY )
+                    .map( jv -> (JsonArray)jv )
+                    .forEach( rr -> {
+                        retVal.add(
+                            IpAddressRange.make(IpAddress.valueOf(rr.getString(0)),
+                                                IpAddress.valueOf(rr.getString(1))));
+            });
+        }
+        if ( obj.containsKey("addresses") ) {
+            obj.getJsonArray("addresses").stream()
+                    .map( jsVal -> IpAddress.valueOf(((JsonString)jsVal).getString()) )
+                    .map( addr -> IpAddressRange.make(addr, addr) )
+                    .forEach( retVal::add );
         }
 
         return retVal;
diff --git a/src/main/java/edu/harvard/iq/dataverse/util/json/JsonPrinter.java b/src/main/java/edu/harvard/iq/dataverse/util/json/JsonPrinter.java
index f00bee0b140..c3fbb45c4ad 100644
--- a/src/main/java/edu/harvard/iq/dataverse/util/json/JsonPrinter.java
+++ b/src/main/java/edu/harvard/iq/dataverse/util/json/JsonPrinter.java
@@ -23,6 +23,7 @@
 import edu.harvard.iq.dataverse.authorization.RoleAssigneeDisplayInfo;
 import edu.harvard.iq.dataverse.authorization.groups.impl.explicit.ExplicitGroup;
 import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.IpGroup;
+import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IpAddress;
 import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IpAddressRange;
 import edu.harvard.iq.dataverse.authorization.groups.impl.shib.ShibGroup;
 import edu.harvard.iq.dataverse.authorization.providers.AuthenticationProviderRow;
@@ -31,6 +32,7 @@
 import edu.harvard.iq.dataverse.privateurl.PrivateUrl;
 import edu.harvard.iq.dataverse.util.DatasetFieldWalker;
 import edu.harvard.iq.dataverse.util.StringUtil;
+import static edu.harvard.iq.dataverse.util.json.NullSafeJsonBuilder.jsonObjectBuilder;
 import java.util.Set;
 import javax.json.Json;
 import javax.json.JsonArrayBuilder;
@@ -39,14 +41,21 @@
 import java.util.List;
 import java.util.TreeSet;
 
-import static edu.harvard.iq.dataverse.util.json.NullSafeJsonBuilder.jsonObjectBuilder;
-import java.math.BigDecimal;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.Deque;
+import java.util.EnumSet;
 import java.util.LinkedList;
 import java.util.Map;
+import java.util.function.BiConsumer;
+import java.util.function.BinaryOperator;
+import java.util.function.Function;
+import java.util.function.Supplier;
+import java.util.stream.Collector;
+import static java.util.stream.Collectors.toList;
 import javax.json.JsonArray;
 import javax.json.JsonObject;
+import javax.json.JsonValue;
 
 /**
  * Convert objects to Json.
@@ -91,6 +100,7 @@ public static JsonObjectBuilder jsonForAuthUser(AuthenticatedUser authenticatedU
                 .add("affiliation", authenticatedUser.getAffiliation())
                 .add("position", authenticatedUser.getPosition())
                 .add("persistentUserId", authenticatedUser.getAuthenticatedUserLookup().getPersistentUserId())
+                .add("emailLastConfirmed", authenticatedUser.getEmailConfirmed())
                 .add("authenticationProviderId", authenticatedUser.getAuthenticatedUserLookup().getAuthenticationProviderId());
     }
     
@@ -120,17 +130,33 @@ public static JsonObjectBuilder json( RoleAssigneeDisplayInfo d ) {
     }
 
     public static JsonObjectBuilder json(IpGroup grp) {
-        JsonArrayBuilder rangeBld = Json.createArrayBuilder();
-        for (IpAddressRange r : grp.getRanges()) {
-            rangeBld.add(Json.createArrayBuilder().add(r.getBottom().toString()).add(r.getTop().toString()));
-        }
-        return jsonObjectBuilder()
-                .add("alias", grp.getPersistedGroupAlias())
+         // collect single addresses
+        List<String> singles = grp.getRanges().stream().filter( IpAddressRange::isSingleAddress )
+                                .map( IpAddressRange::getBottom )
+                                .map( IpAddress::toString ).collect(toList());
+        // collect "real" ranges
+        List<List<String>> ranges = grp.getRanges().stream().filter( rng -> !rng.isSingleAddress() )
+                                .map( rng -> Arrays.asList(rng.getBottom().toString(), rng.getTop().toString()) )
+                                .collect(toList());
+
+        JsonObjectBuilder bld = jsonObjectBuilder()
+                .add("alias", grp.getPersistedGroupAlias() )
                 .add("identifier", grp.getIdentifier())
-                .add("id", grp.getId())
-                .add("name", grp.getDisplayName())
-                .add("description", grp.getDescription())
-                .add("ranges", rangeBld);
+                .add("id", grp.getId() )
+                .add("name", grp.getDisplayName() )
+                .add("description", grp.getDescription() );
+       
+        if ( ! singles.isEmpty() ) {
+            bld.add("addresses", asJsonArray(singles) );
+        }
+        
+        if ( ! ranges.isEmpty() ) {
+            JsonArrayBuilder rangesBld = Json.createArrayBuilder();
+            ranges.forEach( r -> rangesBld.add( Json.createArrayBuilder().add(r.get(0)).add(r.get(1))) );
+            bld.add("ranges", rangesBld );
+        }
+        
+        return bld;
     }
 
     public static JsonObjectBuilder json(ShibGroup grp) {
@@ -589,4 +615,75 @@ public static <T> JsonArrayBuilder json(Collection<T> jc) {
         }
         return bld;
     }
+
+        public static Collector<String, JsonArrayBuilder, JsonArrayBuilder> stringsToJsonArray() {
+        return new Collector<String, JsonArrayBuilder, JsonArrayBuilder>() {
+
+            @Override
+            public Supplier<JsonArrayBuilder> supplier() {
+                return () -> Json.createArrayBuilder();
+            }
+
+            @Override
+            public BiConsumer<JsonArrayBuilder, String> accumulator() {
+                return (JsonArrayBuilder b, String s) -> b.add(s);
+            }
+
+            @Override
+            public BinaryOperator<JsonArrayBuilder> combiner() {
+                return (jab1, jab2) -> {
+                    JsonArrayBuilder retVal = Json.createArrayBuilder();
+                    jab1.build().forEach(retVal::add);
+                    jab2.build().forEach(retVal::add);
+                    return retVal;
+                };
+            }
+
+            @Override
+            public Function<JsonArrayBuilder, JsonArrayBuilder> finisher() {
+                return Function.identity();
+            }
+
+            @Override
+            public Set<Collector.Characteristics> characteristics() {
+                return EnumSet.of(Collector.Characteristics.IDENTITY_FINISH);
+            }
+        };
+    }
+
+    public static Collector<JsonValue, JsonArrayBuilder, JsonArrayBuilder> toJsonArray() {
+        return new Collector<JsonValue, JsonArrayBuilder, JsonArrayBuilder>() {
+
+            @Override
+            public Supplier<JsonArrayBuilder> supplier() {
+                return () -> Json.createArrayBuilder();
+            }
+
+            @Override
+            public BiConsumer<JsonArrayBuilder, JsonValue> accumulator() {
+                return (JsonArrayBuilder b, JsonValue s) -> b.add(s);
+            }
+
+            @Override
+            public BinaryOperator<JsonArrayBuilder> combiner() {
+                return (jab1, jab2) -> {
+                    JsonArrayBuilder retVal = Json.createArrayBuilder();
+                    jab1.build().forEach(retVal::add);
+                    jab2.build().forEach(retVal::add);
+                    return retVal;
+                };
+            }
+
+            @Override
+            public Function<JsonArrayBuilder, JsonArrayBuilder> finisher() {
+                return Function.identity();
+            }
+
+            @Override
+            public Set<Collector.Characteristics> characteristics() {
+                return EnumSet.of(Collector.Characteristics.IDENTITY_FINISH);
+            }
+        };
+    }
+
 }
diff --git a/src/main/java/edu/harvard/iq/dataverse/util/json/NullSafeJsonBuilder.java b/src/main/java/edu/harvard/iq/dataverse/util/json/NullSafeJsonBuilder.java
index 452a5366576..25c57b5cf7d 100644
--- a/src/main/java/edu/harvard/iq/dataverse/util/json/NullSafeJsonBuilder.java
+++ b/src/main/java/edu/harvard/iq/dataverse/util/json/NullSafeJsonBuilder.java
@@ -1,8 +1,10 @@
 package edu.harvard.iq.dataverse.util.json;
 
 import edu.harvard.iq.dataverse.DatasetField;
+import edu.harvard.iq.dataverse.api.Util;
 import java.math.BigDecimal;
 import java.math.BigInteger;
+import java.sql.Timestamp;
 import javax.json.Json;
 import javax.json.JsonArrayBuilder;
 import javax.json.JsonObject;
@@ -115,6 +117,8 @@ public NullSafeJsonBuilder addStrValue( String name, DatasetField field ) {
 	public JsonObject build() {
 		return delegate.build();
 	}
-	
-	
+
+    public NullSafeJsonBuilder add(String name, Timestamp timestamp) {
+        return (timestamp != null) ? add(name, Util.getDateTimeFormat().format(timestamp)) : this;
+    }
 }
diff --git a/src/main/webapp/confirmemail.xhtml b/src/main/webapp/confirmemail.xhtml
new file mode 100644
index 00000000000..3b7a283382f
--- /dev/null
+++ b/src/main/webapp/confirmemail.xhtml
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml"
+      xmlns:h="http://java.sun.com/jsf/html"
+      xmlns:f="http://java.sun.com/jsf/core"
+      xmlns:ui="http://java.sun.com/jsf/facelets"
+      xmlns:p="http://primefaces.org/ui"
+      xmlns:jsf="http://xmlns.jcp.org/jsf">
+
+    <h:head>
+    </h:head>  
+
+    <h:body>
+        <ui:composition template="/dataverse_template.xhtml">
+            <ui:param name="pageTitle" value="#{bundle['confirmEmail.pageTitle']} - #{dataverseServiceBean.findRootDataverse().name} #{bundle.dataverse}"/>
+            <ui:param name="dataverse" value="#{dataverseServiceBean.findRootDataverse()}"/>
+            <ui:param name="showDataverseHeader" value="false"/>
+            <ui:param name="loginRedirectPage" value="dataverse.xhtml"/>
+            <ui:define name="body">
+                <f:metadata>
+                    <f:viewParam name="token" value="#{ConfirmEmailPage.token}"/>
+                    <f:viewAction action="#{ConfirmEmailPage.init}" />
+                </f:metadata>
+
+                <!--This is just the button. The error message is added via addErrorMessage in the backing bean.-->
+                <h:form styleClass="form-horizontal" rendered="#{ConfirmEmailPage.invalidToken}">
+                    <h:commandButton styleClass="btn btn-default" value="#{bundle['confirmEmail.details.goToAccountPageButton']}" action="/dataverseuser.xhtml?selectTab=accountInfo&amp;faces-redirect=true"/>
+                </h:form>
+
+            </ui:define>
+        </ui:composition>
+    </h:body>
+</html>
\ No newline at end of file
diff --git a/src/main/webapp/dataset.xhtml b/src/main/webapp/dataset.xhtml
index 22079d4576c..eb3db1ffcaf 100755
--- a/src/main/webapp/dataset.xhtml
+++ b/src/main/webapp/dataset.xhtml
@@ -71,13 +71,13 @@
                                             <ul class="dropdown-menu">
                                                 <li>
                                                     <h:link id="managePermissions" styleClass="ui-commandlink ui-widget" outcome="permissions-manage">
-                                                        <h:outputText value="Dataset" />
+                                                        <h:outputText value="#{bundle['dataset.editBtn.itemLabel.permissionsDataset']}" />
                                                         <f:param name="id" value="#{DatasetPage.dataset.id}" />
                                                     </h:link>
                                                 </li>
                                                 <li>
                                                     <h:link id="manageFilePermissions" styleClass="ui-commandlink ui-widget" outcome="permissions-manage-files">
-                                                        <h:outputText value="File" />
+                                                        <h:outputText value="#{bundle['dataset.editBtn.itemLabel.permissionsFile']}" />
                                                         <f:param name="id" value="#{DatasetPage.dataset.id}" />
                                                     </h:link>
                                                 </li>
diff --git a/src/main/webapp/dataverse_footer.xhtml b/src/main/webapp/dataverse_footer.xhtml
index 97141f69b69..285c4408f19 100644
--- a/src/main/webapp/dataverse_footer.xhtml
+++ b/src/main/webapp/dataverse_footer.xhtml
@@ -17,7 +17,7 @@
                         <h:outputText value="#{bundle['footer.dataScienceIQSS']}" escape="false"/> &#160;|&#160; #{bundle['footer.dataverseProjectOn']} <a href="https://twitter.com/dataverseorg" target="_blank" title="#{bundle['footer.dataverseProjectOn']} #{bundle['footer.Twitter']}"><span class="socicon socicon-twitter" title="#{bundle['footer.dataverseProjectOn']} #{bundle['footer.Twitter']}"/></a> &#160;|&#160; #{bundle['footer.codeAvailable']} <a href="https://github.com/IQSS/dataverse" target="_blank" title="#{bundle['footer.dataverseOnGitHub']}"><span class="socicon socicon-github" title="#{bundle['footer.dataverseOnGitHub']}"/></a>
                     </p>
                     <p>
-                        <h:outputText value="#{bundle['footer.copyright']}" escape="false"/> <ui:fragment rendered="#{!empty settingsWrapper.get(':ApplicationPrivacyPolicyUrl')}">&#160;|&#160; <h:outputLink value="#{settingsWrapper.get(':ApplicationPrivacyPolicyUrl')}" target="_blank">#{bundle['footer.privacyPolicy']}</h:outputLink></ui:fragment>
+                        <h:outputText value="#{systemConfig.footerCopyrightAndYear}#{settingsWrapper.get(':FooterCopyright')}" escape="false"/> <ui:fragment rendered="#{!empty settingsWrapper.get(':ApplicationPrivacyPolicyUrl')}">&#160;|&#160; <h:outputLink value="#{settingsWrapper.get(':ApplicationPrivacyPolicyUrl')}" target="_blank">#{bundle['footer.privacyPolicy']}</h:outputLink></ui:fragment>
                     </p>
                 </div>
                 <div class="col-xs-7 small" jsf:rendered="#{widgetView}">
diff --git a/src/main/webapp/dataverse_template.xhtml b/src/main/webapp/dataverse_template.xhtml
index d5e83590a82..fa8b48994e5 100644
--- a/src/main/webapp/dataverse_template.xhtml
+++ b/src/main/webapp/dataverse_template.xhtml
@@ -124,5 +124,6 @@
                     }
         </script>
         <ui:include src="google-analytics-snippet.xhtml"></ui:include>
+        <ui:include src="piwik-analytics-snippet.xhtml"></ui:include>
     </h:body>
 </html>
diff --git a/src/main/webapp/dataverseuser.xhtml b/src/main/webapp/dataverseuser.xhtml
index a9ff9844789..30c726e2e45 100644
--- a/src/main/webapp/dataverseuser.xhtml
+++ b/src/main/webapp/dataverseuser.xhtml
@@ -20,7 +20,7 @@
                 <f:loadBundle basename="Bundle" var="bundle"/>
                 <f:metadata>
                     <f:viewParam name="editMode" value="#{DataverseUserPage.editMode}"/>
-                    <f:viewParam name="redirectPage" value="#{DataverseUserPage.redirectPage}"/>                    
+                    <f:viewParam name="redirectPage" value="#{DataverseUserPage.redirectPage}"/>
                     <f:viewParam name="selectTab" value="#{DataverseUserPage.selectTab}"/>
                     <f:viewAction action="#{DataverseUserPage.init}" />
                     <f:viewAction action="#{dataverseHeaderFragment.initBreadcrumbs(dataverseServiceBean.findRootDataverse(), (DataverseUserPage.editMode == 'CREATE' ? bundle['user.createBtn'] : bundle.account))}"/>
@@ -31,10 +31,10 @@
                         <div class="btn-group pull-right" jsf:rendered="#{!empty DataverseUserPage.builtinUser}">
                             <button type="button" id="editAccount" class="btn btn-default dropdown-toggle" data-toggle="dropdown">
                                 <ui:fragment rendered="#{!empty DataverseUserPage.builtinUser}">
-                                    <span class="glyphicon glyphicon-pencil"/> #{bundle['account.edit']} 
+                                    <span class="glyphicon glyphicon-pencil"/> #{bundle['account.edit']}
                                 </ui:fragment>
                                 <ui:fragment rendered="#{empty DataverseUserPage.builtinUser}">
-                                    #{bundle['account.info']} 
+                                    #{bundle['account.info']}
                                 </ui:fragment>
                                 <span class="caret"></span>
                             </button>
@@ -58,7 +58,7 @@
                     <p:panel rendered="#{DataverseUserPage.editMode == 'FORGOT'}">
                         <h:outputText value="#{bundle['user.lostPasswdTip']}" />
                     </p:panel>
-                        
+
                     <p:tabView id="dataRelatedToMeView" activeIndex="#{DataverseUserPage.activeIndex}" dynamic="true" rendered="#{empty DataverseUserPage.editMode}">
                         <p:ajax event="tabChange" listener="#{DataverseUserPage.onTabChange}" update="@all" oncomplete="javascript:dataverseuser_page_rebind();" />
                         <p:tab id="myData" title="My Data">
@@ -74,46 +74,46 @@
                                             </ui:fragment>
                                             <ui:fragment rendered="#{item.theObject != null}">
                                                 <ui:fragment rendered="#{item.type == 'CREATEACC'}">
-                                                    <i class="icon-dataverse text-icon-inline text-muted"></i>                                        
+                                                    <i class="icon-dataverse text-icon-inline text-muted"></i>
                                                     <h:outputFormat value="#{bundle['notification.welcome']}" escape="false">
                                                         <o:param>
                                                             <h:outputText value="#{dataverseServiceBean.findRootDataverse().name}"/>
-                                                        </o:param>                                                            
+                                                        </o:param>
                                                         <o:param>
-                                                            <a href="#{systemConfig.guidesBaseUrl}/#{systemConfig.version}/user/index.html" title="#{dataverseServiceBean.findRootDataverse().name} #{bundle['dataverse']} #{bundle['header.guides.user']}" target="_blank">#{bundle['header.guides.user']}</a>                                                              
+                                                            <a href="#{systemConfig.guidesBaseUrl}/#{systemConfig.version}/user/index.html" title="#{dataverseServiceBean.findRootDataverse().name} #{bundle['dataverse']} #{bundle['header.guides.user']}" target="_blank">#{bundle['header.guides.user']}</a>
                                                         </o:param>
                                                         <o:param>
-                                                            <a href="https://demo.dataverse.org">#{bundle['notification.demoSite']}</a>                                                         
-                                                        </o:param>         
+                                                            <a href="https://demo.dataverse.org">#{bundle['notification.demoSite']}</a>
+                                                        </o:param>
                                                     </h:outputFormat>
                                                 </ui:fragment>
                                                 <ui:fragment rendered="#{item.type == 'CREATEDV'}">
                                                     <i class="icon-dataverse text-icon-inline text-muted"></i>
                                                     <h:outputFormat value="#{bundle['notification.createDataverse']}" escape="false">
                                                         <o:param>
-                                                            <a href="/dataverse/#{item.theObject.getAlias()}" title="#{item.theObject.getDisplayName()}">#{item.theObject.getDisplayName()}</a> 
-                                                        </o:param>                                                            
+                                                            <a href="/dataverse/#{item.theObject.getAlias()}" title="#{item.theObject.getDisplayName()}">#{item.theObject.getDisplayName()}</a>
+                                                        </o:param>
                                                         <o:param>
-                                                            <a href="/dataverse/#{item.theObject.getOwner().getAlias()}" title="#{item.theObject.getOwner().getDisplayName()}">#{item.theObject.getOwner().getDisplayName()}</a>                                                            
+                                                            <a href="/dataverse/#{item.theObject.getOwner().getAlias()}" title="#{item.theObject.getOwner().getDisplayName()}">#{item.theObject.getOwner().getDisplayName()}</a>
                                                         </o:param>
                                                         <o:param>
-                                                            <a href="#{systemConfig.guidesBaseUrl}/#{systemConfig.version}/user/dataverse-management.html" title="#{bundle['notification.dataverse.management.title']}" target="_blank">#{bundle['header.guides.user']}</a>                                                         
-                                                        </o:param> 
+                                                            <a href="#{systemConfig.guidesBaseUrl}/#{systemConfig.version}/user/dataverse-management.html" title="#{bundle['notification.dataverse.management.title']}" target="_blank">#{bundle['header.guides.user']}</a>
+                                                        </o:param>
                                                     </h:outputFormat>
                                                 </ui:fragment>
                                                 <ui:fragment rendered="#{item.type == 'CREATEDS'}">
                                                     <i class="icon-dataset text-icon-inline text-muted"></i>
                                                     <h:outputFormat value="#{bundle['notification.createDataset']}" escape="false">
                                                         <o:param>
-                                                            <a href="/dataset.xhtml?persistentId=#{item.theObject.getDataset().getGlobalId()}" title="#{item.theObject.getDataset().getDisplayName()}">#{item.theObject.getDataset().getDisplayName()}</a> 
+                                                            <a href="/dataset.xhtml?persistentId=#{item.theObject.getDataset().getGlobalId()}" title="#{item.theObject.getDataset().getDisplayName()}">#{item.theObject.getDataset().getDisplayName()}</a>
                                                         </o:param>
                                                         <o:param>
                                                             <a href="/dataverse/#{item.theObject.getDataset().getOwner().getAlias()}" title="#{item.theObject.getDataset().getOwner().getDisplayName()}">#{item.theObject.getDataset().getOwner().getDisplayName()}</a>
-                                                        </o:param> 
+                                                        </o:param>
                                                         <o:param>
                                                             <a href="#{systemConfig.guidesBaseUrl}/#{systemConfig.version}/user/dataset-management.html" title="#{bundle['notification.dataset.management.title']}" target="_blank">#{bundle['header.guides.user']}</a>
                                                         </o:param>
-                                                    </h:outputFormat>             
+                                                    </h:outputFormat>
                                                 </ui:fragment>
                                                 <ui:fragment rendered="#{item.type == 'SUBMITTEDDS'}">
                                                     <i class="icon-dataset text-icon-inline text-muted"></i>
@@ -135,7 +135,7 @@
                                                         <o:param>
                                                             <a href="/dataverse/#{item.theObject.getDataset().getOwner().getAlias()}" title="#{item.theObject.getDataset().getOwner().getDisplayName()}">#{item.theObject.getDataset().getOwner().getDisplayName()}</a>
                                                         </o:param>
-                                                    </h:outputFormat>                                                  
+                                                    </h:outputFormat>
                                                 </ui:fragment>
                                                 <ui:fragment rendered="#{item.type == 'PUBLISHEDDS'}">
                                                     <i class="icon-dataset text-icon-inline text-muted"></i>
@@ -146,7 +146,7 @@
                                                         <o:param>
                                                             <a href="/dataverse/#{item.theObject.getDataset().getOwner().getAlias()}" title="#{item.theObject.getDataset().getOwner().getDisplayName()}">#{item.theObject.getDataset().getOwner().getDisplayName()}</a>
                                                         </o:param>
-                                                    </h:outputFormat>                                                    
+                                                    </h:outputFormat>
                                                 </ui:fragment>
                                                 <ui:fragment rendered="#{item.type == 'REQUESTFILEACCESS'}">
                                                     <i class="icon-dataset text-icon-inline text-muted"></i>
@@ -171,14 +171,14 @@
                                                             <a href="/dataset.xhtml?persistentId=#{item.theObject.getGlobalId()}" title="#{item.theObject.displayName}">#{item.theObject.displayName}</a>
                                                         </o:param>
                                                     </h:outputFormat>
-                                                </ui:fragment>                                    
+                                                </ui:fragment>
                                                 <ui:fragment rendered="#{item.type == 'MAPLAYERUPDATED'}">
                                                     <i class="icon-dataset text-icon-inline text-muted"></i>
                                                     <h:outputFormat value="#{bundle['notification.worldMap.added']}" escape="false">
                                                         <o:param>
                                                             <a href="/dataset.xhtml?persistentId=#{item.theObject.getDataset().getGlobalId()}" title="#{item.theObject.getDataset().getDisplayName()}">#{item.theObject.getDataset().getDisplayName()}</a>
                                                         </o:param>
-                                                    </h:outputFormat>  
+                                                    </h:outputFormat>
                                                 </ui:fragment>
                                                 <ui:fragment rendered="#{item.type == 'ASSIGNROLE'}">
                                                     <ui:fragment rendered="#{item.theObject.isInstanceofDataverse()}">
@@ -188,11 +188,11 @@
                                                         <o:param>
                                                             <a href="/dataverse/#{item.theObject.getAlias()}" title="#{item.theObject.getDisplayName()}">#{item.theObject.getDisplayName()}</a>
                                                         </o:param>
-                                                    </h:outputFormat> 
+                                                    </h:outputFormat>
                                                     <ui:fragment rendered="#{item.roleString == 'File Downloader'}">
                                                         <h:outputFormat value="#{bundle['notification.access.granted.fileDownloader.additionalDataverse']}" escape="false">
                                                             <f:param value=" "/>
-                                                        </h:outputFormat> 
+                                                        </h:outputFormat>
                                                     </ui:fragment>
                                                     </ui:fragment>
                                                     <ui:fragment rendered="#{item.theObject.isInstanceofDataset()}">
@@ -202,12 +202,12 @@
                                                             <o:param>
                                                                 <a href="/dataset.xhtml?persistentId=#{item.theObject.getGlobalId()}" title="#{item.theObject.getDisplayName()}">#{item.theObject.getDisplayName()}</a>
                                                             </o:param>
-                                                        </h:outputFormat> 
+                                                        </h:outputFormat>
                                                         <ui:fragment rendered="#{item.roleString == 'File Downloader'}">
                                                             <h:outputText value="" />
                                                             <h:outputFormat value="#{bundle['notification.access.granted.fileDownloader.additionalDataset']}" escape="false">
                                                                 <f:param value=" "/>
-                                                            </h:outputFormat> 
+                                                            </h:outputFormat>
                                                     </ui:fragment>
                                                     </ui:fragment>
                                                     <ui:fragment rendered="#{item.theObject.isInstanceofDataFile()}">
@@ -218,7 +218,7 @@
                                                             <o:param>
                                                                 <a href="/dataset.xhtml?persistentId=#{item.theObject.getOwner().getGlobalId()}" title="#{item.theObject.getOwner().getDisplayName()}">#{item.theObject.getOwner().getDisplayName()}</a>
                                                             </o:param>
-                                                    </h:outputFormat>                                                  
+                                                    </h:outputFormat>
                                                     </ui:fragment>
 
                                                 </ui:fragment>
@@ -229,7 +229,7 @@
                                                             <o:param>
                                                                 <a href="/dataverse/#{item.theObject.getAlias()}" title="#{item.theObject.getDisplayName()}">#{item.theObject.getDisplayName()}</a>
                                                             </o:param>
-                                                    </h:outputFormat>  
+                                                    </h:outputFormat>
                                                     </ui:fragment>
                                                     <ui:fragment rendered="#{item.theObject.isInstanceofDataset()}">
                                                     <f:param value="#{item.roleString}"/>
@@ -238,7 +238,7 @@
                                                         <o:param>
                                                                 <a href="/dataset.xhtml?persistentId=#{item.theObject.getGlobalId()}" title="#{item.theObject.getDisplayName()}">#{item.theObject.getDisplayName()}</a>
                                                         </o:param>
-                                                    </h:outputFormat>  
+                                                    </h:outputFormat>
                                                     </ui:fragment>
                                                     <ui:fragment rendered="#{item.theObject.isInstanceofDataFile()}">
                                                     <f:param value="#{item.roleString}"/>
@@ -247,7 +247,7 @@
                                                         <o:param>
                                                               <a href="/dataset.xhtml?persistentId=#{item.theObject.getOwner().getGlobalId()}" title="#{item.theObject.getOwner().getDisplayName()}">#{item.theObject.getOwner().getDisplayName()}</a>
                                                         </o:param>
-                                                    </h:outputFormat>  
+                                                    </h:outputFormat>
                                                     </ui:fragment>
                                                 </ui:fragment>
                                             </ui:fragment>
@@ -314,8 +314,25 @@
                                     <label for="email" class="col-sm-3 control-label">
                                         #{bundle.email}
                                     </label>
-                                    <div class="col-sm-9">
-                                        <p class="form-control-static">#{DataverseUserPage.currentUser.email}</p>
+                                    <div class="col-sm-9 form-col-container">
+                                        <div class="col-sm-4 form-col-container">
+                                            <p class="form-control-static">#{DataverseUserPage.currentUser.email}</p>
+                                        </div>
+                                        <div class="col-sm-2 form-col-container">
+                                            <p class="form-control-static #{DataverseUserPage.emailIsVerified ? 'text-success' : 'text-danger'}">
+                                                <ui:fragment rendered="#{DataverseUserPage.emailNotVerified}">
+                                                    <span class="glyphicon glyphicon-ban-circle"/> Not Verified
+                                                </ui:fragment>
+                                                <ui:fragment rendered="#{!DataverseUserPage.emailNotVerified}">
+                                                    <span class="glyphicon glyphicon-ok"/> Verified
+                                                </ui:fragment>
+                                            </p>
+                                        </div>
+                                        <div class="col-sm-1">
+                                            <h:commandLink rendered="#{DataverseUserPage.showVerifyEmailButton()}" styleClass="btn btn-default" action="#{DataverseUserPage.sendConfirmEmail()}">
+                                                <span class="glyphicon glyphicon-ok"></span> #{bundle['confirmEmail.submitRequest']}
+                                            </h:commandLink>
+                                        </div>
                                     </div>
                                 </div>
                                 <!-- Affiliation -->
@@ -378,8 +395,8 @@
                                     </label>
                                     <div class="col-sm-9">
                                         <p:panelGrid columns="2" styleClass="noBorders">
-                                            <p:inputText id="userName" styleClass="form-control" tabindex="1" 
-                                                            validator="#{DataverseUserPage.validateUserName}" 
+                                            <p:inputText id="userName" styleClass="form-control" tabindex="1"
+                                                            validator="#{DataverseUserPage.validateUserName}"
                                                             value="#{DataverseUserPage.builtinUser.userName}"
                                                             disabled="#{DataverseUserPage.editMode != 'CREATE'}"
                                                             binding="#{DataverseUserPage.usernameField}"/>
@@ -468,7 +485,7 @@
                                     </label>
                                     <div class="col-sm-9">
                                         <p:panelGrid columns="2" styleClass="noBorders">
-                                            <p:inputText id="email" tabindex="6" styleClass="form-control" 
+                                            <p:inputText id="email" tabindex="6" styleClass="form-control"
                                                          validator="#{DataverseUserPage.validateUserEmail}"
                                                          value="#{DataverseUserPage.builtinUser.email}" />
                                             <p:message for="email" display="text" />
diff --git a/src/main/webapp/editFilesFragment.xhtml b/src/main/webapp/editFilesFragment.xhtml
index 8650b50c5e4..3ff3f10f459 100644
--- a/src/main/webapp/editFilesFragment.xhtml
+++ b/src/main/webapp/editFilesFragment.xhtml
@@ -92,7 +92,7 @@
                                      jsf:rendered="#{!empty EditDatafilesPage.fileMetadatas}">
                                     <div class="btn-group">
                                         <button type="button" class="btn btn-default dropdown-toggle" data-toggle="dropdown">
-                                            <span class="glyphicon glyphicon-lock"/> #{bundle['file.restrict']} <span class="caret"></span>
+                                            <span class="glyphicon glyphicon-lock"/> #{bundle['file.editAccess']} <span class="caret"></span>
                                         </button>
                                         <ul class="dropdown-menu multi-level pull-right text-left" role="menu">
                                             <li>
diff --git a/src/main/webapp/explicitGroup-new-dialog.xhtml b/src/main/webapp/explicitGroup-new-dialog.xhtml
index 910ff17cbd1..651c498eaf7 100644
--- a/src/main/webapp/explicitGroup-new-dialog.xhtml
+++ b/src/main/webapp/explicitGroup-new-dialog.xhtml
@@ -4,7 +4,7 @@
     xmlns:p="http://primefaces.org/ui"
     xmlns:iqbs="http://xmlns.jcp.org/jsf/composite/iqbs">
     
-    <p:dialog id="explicitGroupNewDialog" header="#{bundle['dataverse.permissions.explicitGroupEditDialog.title.new']}" widgetVar="explicitGroupForm" modal="true">
+    <p:dialog id="explicitGroupNewDialog" width="65%" header="#{bundle['dataverse.permissions.explicitGroupEditDialog.title.new']}" widgetVar="explicitGroupForm" modal="true">
         <p:fragment id="explicitGroupNewDialogMessages">
             <div class="container messagePanel">
                 <iqbs:messages collapsible="true" />
@@ -14,45 +14,48 @@
             <div class="form-horizontal">
                 <p class="help-block"><span class="glyphicon glyphicon-info-sign"/> #{bundle['dataverse.permissions.explicitGroupEditDialog.help']}</p>
                 <div class="form-group">
-                    <label for="explicitGroupIdentifier" class="col-sm-2 control-label">
-                        #{bundle['dataverse.permissions.explicitGroupEditDialog.groupIdentifier']} <span class="glyphicon glyphicon-asterisk text-danger" title="#{bundle.requiredField}"/>
+                    <label for="explicitGroupName" class="col-sm-3 control-label">
+                        #{bundle['dataverse.permissions.explicitGroupEditDialog.groupName']} <span class="glyphicon glyphicon-asterisk text-danger" title="#{bundle.requiredField}"/>
                     </label>
                     <div class="col-sm-9">
                         <p:panelGrid columns="2" styleClass="noBorders">
-                            <p:inputText id="explicitGroupIdentifier" styleClass="form-control"
-										 value="#{manageGroupsPage.explicitGroupIdentifier}"
+                            <p:inputText id="explicitGroupName" styleClass="form-control" value="#{manageGroupsPage.explicitGroupName}"
                                          required="#{param['DO_GROUP_VALIDATION']}"
-                                         requiredMessage="#{bundle['dataverse.permissions.explicitGroupEditDialog.groupIdentifier.required']}"
-                                         validator="#{manageGroupsPage.validateGroupIdentifier}"
-										binding="#{manageGroupsPage.explicitGroupIdentifierField}"/>
-                            <p:message for="explicitGroupIdentifier"/>
+                                         requiredMessage="#{bundle['dataverse.permissions.explicitGroupEditDialog.groupName.required']}"/>
+                            <p:message for="explicitGroupName"/>
                         </p:panelGrid>
-                        <p class="help-block">#{bundle['dataverse.permissions.explicitGroupEditDialog.groupIdentifier.helpText']}</p>
                     </div>
                 </div>
                 <div class="form-group">
-                    <label for="explicitGroupName" class="col-sm-2 control-label">
-                        #{bundle['dataverse.permissions.explicitGroupEditDialog.groupName']} <span class="glyphicon glyphicon-asterisk text-danger" title="#{bundle.requiredField}"/>
+                    <label for="explicitGroupIdentifier" class="col-sm-3 control-label">
+                        <span data-toggle="tooltip" data-placement="auto right" class="tooltiplabel text-info" data-original-title="#{bundle['dataverse.permissions.explicitGroupEditDialog.groupIdentifier.tip']}">
+                            #{bundle['dataverse.permissions.explicitGroupEditDialog.groupIdentifier']}
+                        </span>
+                        <span class="glyphicon glyphicon-asterisk text-danger" title="#{bundle.requiredField}"/>
                     </label>
                     <div class="col-sm-9">
                         <p:panelGrid columns="2" styleClass="noBorders">
-                            <p:inputText id="explicitGroupName" styleClass="form-control" value="#{manageGroupsPage.explicitGroupName}"
+                            <p:inputText id="explicitGroupIdentifier" styleClass="form-control"
+										 value="#{manageGroupsPage.explicitGroupIdentifier}"
                                          required="#{param['DO_GROUP_VALIDATION']}"
-                                         requiredMessage="#{bundle['dataverse.permissions.explicitGroupEditDialog.groupName.required']}"/>
-                            <p:message for="explicitGroupName"/>
+                                         requiredMessage="#{bundle['dataverse.permissions.explicitGroupEditDialog.groupIdentifier.required']}"
+                                         validator="#{manageGroupsPage.validateGroupIdentifier}"
+										binding="#{manageGroupsPage.explicitGroupIdentifierField}"/>
+                            <p:message for="explicitGroupIdentifier"/>
                         </p:panelGrid>
+                        <p class="help-block">#{bundle['dataverse.permissions.explicitGroupEditDialog.groupIdentifier.helpText']}</p>
                     </div>
                 </div>
                 <div class="form-group">
-                    <label for="newExplicitGroupDescription" class="col-sm-2 control-label">
+                    <label for="newExplicitGroupDescription" class="col-sm-3 control-label">
                         #{bundle['dataverse.permissions.explicitGroupEditDialog.groupDescription']}
                     </label>
-                    <div class="col-sm-5">
+                    <div class="col-sm-6">
                         <h:inputTextarea id="newExplicitGroupDescription" styleClass="form-control" value="#{manageGroupsPage.newExplicitGroupDescription}"/>
                     </div>
                 </div>
                 <div class="form-group">
-                    <label for="roleAssigneeName" class="col-sm-2 control-label">
+                    <label for="roleAssigneeName" class="col-sm-3 control-label">
                         #{bundle['dataverse.permissions.explicitGroupEditDialog.roleAssigneeNames']}
                     </label>
                     <div class="col-sm-9">
diff --git a/src/main/webapp/permissions-manage-files.xhtml b/src/main/webapp/permissions-manage-files.xhtml
index b74c7954dcf..86819aa4b48 100644
--- a/src/main/webapp/permissions-manage-files.xhtml
+++ b/src/main/webapp/permissions-manage-files.xhtml
@@ -48,10 +48,13 @@
                                         </p:commandLink>
                                     </div>
                                     <div>
-                                        <p:fragment id="userGroups">
-                                            <p:dataTable id="fileAccessRequests" styleClass="margin-bottom" var="access" value="#{manageFilePermissionsPage.fileAccessRequestMap.entrySet().toArray()}"
-                                                         rendered="#{!empty manageFilePermissionsPage.fileAccessRequestMap.entrySet().toArray()}">
-                                                <p:column width="30%" headerText="#{bundle['dataverse.permissionsFiles.usersOrGroups.tabHeader.userOrGroup']}">
+                                        <p:fragment id="userGroupsRequests" rendered="#{!empty manageFilePermissionsPage.fileAccessRequestMap.entrySet().toArray()}">
+                                            <p>
+                                                <span class="highlightBold">#{manageFilePermissionsPage.fileAccessRequestMap.size()} Requests</span>
+                                            </p>
+                                            
+                                            <p:dataTable id="fileAccessRequests" styleClass="margin-bottom" var="access" value="#{manageFilePermissionsPage.fileAccessRequestMap.entrySet().toArray()}">
+                                                <p:column width="30%" headerText="#{bundle['dataverse.permissionsFiles.usersOrGroups.tabHeader.userOrGroup']}" >
                                                     <h:outputText value="#{access.key.displayInfo.title}"/>
                                                     <h:outputText value=" (#{access.key.displayInfo.affiliation})" rendered="#{!empty access.key.displayInfo.affiliation}"/>
                                                 </p:column>
@@ -73,17 +76,29 @@
                                                     <div class="btn-group" role="group" aria-label="access">
                                                         <p:commandLink type="button" styleClass="btn btn-default"
                                                                        actionListener="#{manageFilePermissionsPage.grantAccessToAllRequests(access.key)}"
-                                                                       update=":#{p:component('userGroups')} :#{p:component('restrictedFiles')} @([id$=Messages])">
+                                                                       update=":#{p:component('userGroups')} :#{p:component('restrictedFiles')} :#{p:component('fileAccessRequests')}                                                                       
+                                                                       :#{p:component('userGroupsRequests')}
+                                                                       :#{p:component('userGroupMessages')} @([id$=Messages]) "
+                                                                       oncomplete="bind_bsui_components();">
                                                             <span class="glyphicon glyphicon-ok"/> #{bundle['dataverse.permissionsFiles.assignDialog.grantBtn']}
                                                         </p:commandLink>
                                                         <p:commandLink type="button" styleClass="btn btn-default"
                                                                        actionListener="#{manageFilePermissionsPage.rejectAccessToAllRequests(access.key)}"
-                                                                       update=":#{p:component('userGroups')} :#{p:component('restrictedFiles')} @([id$=Messages])">
+                                                                       update=":#{p:component('userGroups')} :#{p:component('restrictedFiles')} :#{p:component('fileAccessRequests')} 
+                                                                       :#{p:component('userGroupsRequests')}
+                                                                       :#{p:component('userGroupMessages')} @([id$=Messages])"
+                                                                       oncomplete="bind_bsui_components();">
                                                             <span class="glyphicon glyphicon-ban-circle"/> #{bundle['dataverse.permissionsFiles.assignDialog.rejectBtn']}
                                                         </p:commandLink>
                                                     </div>
                                                 </p:column>
                                             </p:dataTable>
+                                        </p:fragment>
+                                        <p:fragment id="userGroups">
+                                            <p>
+                                                <span class="highlightBold">#{manageFilePermissionsPage.roleAssigneeMap.size()} Users/Groups</span>
+                                            </p>
+                                            
                                             <p:dataTable id="userGroupsAccess" var="ra" value="#{manageFilePermissionsPage.roleAssigneeMap.entrySet().toArray()}"
                                                          emptyMessage="#{bundle['dataverse.permissionsFiles.usersOrGroups.invalidMsg']}">
                                                 <p:column width="35%" headerText="#{bundle['dataverse.permissionsFiles.usersOrGroups.tabHeader.userOrGroup']}">
@@ -97,7 +112,7 @@
                                                     <p:commandLink id="viewUserGroups"
                                                                    actionListener="#{manageFilePermissionsPage.initViewRemoveDialogByRoleAssignee(ra.key, ra.value)}"
                                                                    update=":#{p:component('viewRemoveDialog')}"
-                                                                   oncomplete="PF('viewRemoveWidget').show();">
+                                                                   oncomplete="PF('viewRemoveWidget').show(); bind_bsui_components();">
                                                         <h:outputText value="#{ra.value.size()} #{ra.value.size() eq 1 ?  bundle['dataverse.permissionsFiles.usersOrGroups.file'] : bundle['dataverse.permissionsFiles.usersOrGroups.files']}"/>
                                                     </p:commandLink>
                                                 </p:column>
@@ -130,6 +145,13 @@
                                             <iqbs:messages  collapsible="true" rendered="#{manageFilePermissionsPage.renderFileMessages}"/>
                                         </div>
                                     </p:fragment>
+                                    
+                                    <p>
+                                        <h:outputFormat styleClass="highlightBold" value="#{manageFilePermissionsPage.fileMap.size()} #{bundle['dataverse.permissionsFiles.files.label']}">
+                                            <f:param value="#{manageFilePermissionsPage.fileMap.size()}"/>
+                                        </h:outputFormat>
+                                    </p>
+                                    
                                     <p:dataTable id="restrictedFiles" var="fileEntry" value="#{manageFilePermissionsPage.fileMap.entrySet().toArray()}"
                                                  emptyMessage="#{bundle['dataverse.permissionsFiles.files.invalidMsg']}">
                                         <p:column width="40%" headerText="#{bundle['dataverse.permissionsFiles.files.tabHeader.fileName']}">
@@ -154,12 +176,13 @@
                                             <h:outputText value="#{bundle['dataverse.permissionsFiles.files.public']}" rendered="#{fileVersion eq dsLatestVersion and !latestVersionRestricted}"/>
                                         </p:column>
                                         <p:column width="18%" class="text-center" headerText="#{bundle['dataverse.permissionsFiles.files.tabHeader.roleAssignees']}">
-                                            <p:commandLink type="button" id="viewUserGroups"
+                                            <p:commandLink type="button" id="viewUserGroups" rendered="#{fileEntry.value.size() > 0}"
                                                            actionListener="#{manageFilePermissionsPage.initViewRemoveDialogByFile(fileEntry.key, fileEntry.value)}"
                                                            update=":#{p:component('viewRemoveDialog')}"
                                                            oncomplete="PF('viewRemoveWidget').show();">
                                                 <h:outputText value="#{fileEntry.value.size()} #{fileEntry.value.size() eq 1 ?  bundle['dataverse.permissionsFiles.files.roleAssignee'] : bundle['dataverse.permissionsFiles.files.roleAssignees']}"/>
                                             </p:commandLink>
+                                            <h:outputText rendered="#{fileEntry.value.size() == 0}" value="#{fileEntry.value.size()} #{bundle['dataverse.permissionsFiles.files.roleAssignees']}"/>
                                         </p:column>
                                         <p:column width="22%" class="text-center" headerText="#{bundle['dataverse.permissionsFiles.files.tabHeader.access']}">
                                             <p:commandLink type="button" styleClass="btn btn-default"
@@ -173,14 +196,30 @@
                         </div>
                     </div>
                     <!-- View / Remove Users/Groups Popup -->
-                    <p:dialog id="viewRemoveDialog" styleClass="largePopUp" header="#{bundle['dataverse.permissionsFiles.viewRemoveDialog.header']}" widgetVar="viewRemoveWidget" modal="true">
+                    <p:dialog id="viewRemoveDialog" width="65%" header="#{bundle['dataverse.permissionsFiles.viewRemoveDialog.header']}" widgetVar="viewRemoveWidget" modal="true">
                         <div>
+                            <p:outputPanel id="selectionRemoveCounter">
+                                <p>
+                                    <h:outputFormat styleClass="highlightBold" value="#{bundle['dataverse.permissionsFiles.files.selected']}">
+                                        <f:param value="#{manageFilePermissionsPage.selectedRoleAssignmentRows.size()}"/>
+                                        <f:param value="#{manageFilePermissionsPage.roleAssignments.size()} "/>
+                                        <f:param value="#{!empty manageFilePermissionsPage.selectedFile ? bundle['dataverse.permissionsFiles.files.roleAssignees'] : bundle['dataverse.permissionsFiles.files']}"/>
+                                    </h:outputFormat>
+                                </p>
+                            </p:outputPanel>
+                            
                             <p:dataTable id="assignedRoles" var="roleAssignment" value="#{manageFilePermissionsPage.roleAssignments}"
-                                         selection="#{manageFilePermissionsPage.selectedRoleAssignmentRows}" rowKey="#{roleAssignment.id}"
+                                         selection="#{manageFilePermissionsPage.selectedRoleAssignmentRows}" rowKey="#{roleAssignment.id}" 
+                                         sortBy="#{!empty manageFilePermissionsPage.selectedFile ? roleAssignment.assigneeDisplayInfo.title : roleAssignment.definitionPoint.displayName}"
                                          scrollable="true" scrollHeight="300" disabledSelection="#{!roleAssignment.definitionPoint.instanceofDataFile}">
-                                <p:column selectionMode="multiple" style="width:2%;text-align:center"  />
+                                
+                                <p:ajax event="rowSelectCheckbox"  update=":rolesPermissionsForm:selectionRemoveCounter" />
+                                <p:ajax event="rowUnselectCheckbox"  update=":rolesPermissionsForm:selectionRemoveCounter" />
+                                <p:ajax event="toggleSelect"  update=":rolesPermissionsForm:selectionRemoveCounter" />
+                                
+                                <p:column selectionMode="multiple" style="width:2%;text-align:center"/>
                                 <p:column width="98%" headerText="#{bundle['dataverse.permissionsFiles.usersOrGroups.tabHeader.userOrGroup']}" rendered="#{!empty manageFilePermissionsPage.selectedFile}">
-                                    <h:outputText value="#{roleAssignment.assigneeDisplayInfo.title}"/>
+                                    <h:outputText value="#{roleAssignment.assigneeDisplayInfo.title}"/> <h:outputText value=" (#{roleAssignment.assigneeDisplayInfo.affiliation})" rendered="#{!empty roleAssignment.assigneeDisplayInfo.affiliation}"/>
                                 </p:column>
                                 <p:column width="98%" headerText="#{bundle['dataverse.permissionsFiles.files.tabHeader.fileName']}" rendered="#{!empty manageFilePermissionsPage.selectedRoleAssignee}">
                                     <h:outputText value="#{roleAssignment.definitionPoint.displayName}"/>
@@ -188,14 +227,16 @@
                             </p:dataTable>
                         </div>
                         <div class="button-block">
-                            <p:commandLink type="button" styleClass="btn btn-default" value="#{bundle['dataverse.permissionsFiles.viewRemoveDialog.removeBtn']}"
-                                           update="userGroups restrictedFiles @([id$=Messages])"
-                                           onclick="PF('confirmation').show()"/>
+                            <p:commandLink type="button" styleClass="btn btn-default"
+                                           update="userGroups restrictedFiles @([id$=Messages])" onclick="PF('confirmation').show()">
+                                <span class="glyphicon glyphicon-remove"/>
+                                <h:outputText value="#{bundle['dataverse.permissionsFiles.viewRemoveDialog.removeBtn']}"/>
+                            </p:commandLink>
                             <button type="button" class="btn btn-default" onclick="PF('viewRemoveWidget').hide()" value="Cancel">#{bundle.cancel}</button>
                         </div>
                     </p:dialog>
                     <!-- Assign Users/Groups Popup -->
-                    <p:dialog id="assignDialog" header="#{bundle['dataverse.permissionsFiles.assignDialog.header']}" widgetVar="assignWidget" modal="true">
+                    <p:dialog id="assignDialog" width="65%" header="#{bundle['dataverse.permissionsFiles.assignDialog.header']}" widgetVar="assignWidget" modal="true">
                         <p:fragment id="assignMessages">
                             <div class="messagePanel">
                                 <iqbs:messages collapsible="true" />
@@ -206,11 +247,9 @@
                                 <p class="help-block"><span class="glyphicon glyphicon-info-sign"/> #{bundle['dataverse.permissionsFiles.assignDialog.description']}</p>
                                 <div class="form-group" jsf:rendered="#{empty manageFilePermissionsPage.fileRequester}">
                                     <label for="userGroupAccessInput" class="col-sm-3 control-label">
-                                        <span data-toggle="tooltip" data-placement="auto right" class="tooltiplabel text-info" data-original-title="#{bundle['dataverse.permissionsFiles.assignDialog.userOrGroup.title']}">
-                                            #{bundle['dataverse.permissionsFiles.assignDialog.userOrGroup']}
-                                        </span>
+                                        #{bundle['dataverse.permissionsFiles.assignDialog.userOrGroup']}
                                     </label>
-                                    <div class="col-sm-9">
+                                    <div class="col-sm-5">
                                         <p:autoComplete id="userGroupNameAssign" placeholder="#{bundle['dataverse.permissionsFiles.assignDialog.userOrGroup.enterName']}"
                                                         multiple="true" scrollHeight="180" forceSelection="true" 
                                                         minQueryLength="2" queryDelay="1000"                                      
@@ -233,35 +272,61 @@
                                         <p:message for="userGroupNameAssign" display="text"/>
                                     </div>
                                 </div>
-                                <div class="form-group">
-                                    <o:importFunctions type="java.util.Arrays" />
-                                    <p:dataTable id="restrictedFilesForAccess" styleClass="col-sm-12" var="file"
-                                                 value="#{empty manageFilePermissionsPage.fileRequester ? Arrays:asList(manageFilePermissionsPage.fileMap.keySet().toArray()) :
-                                                          manageFilePermissionsPage.fileAccessRequestMap.get(manageFilePermissionsPage.fileRequester)}"
-                                                 selection="#{manageFilePermissionsPage.selectedFiles}" rowKey="#{file.id}"
-                                                 scrollable="true" scrollHeight="300">
-                                        <p:column selectionMode="multiple" style="width:2%;text-align:center"/>
-                                        <p:column headerText="#{bundle['dataverse.permissionsFiles.assignDialog.file']}">
-                                            <h:outputText value="#{file.displayName}"/>
-                                        </p:column>
-                                    </p:dataTable>
-                                </div>
+                            </div>
+                            <div>
+                                <p:outputPanel id="selectionCounter">
+                                    <p>
+                                        <h:outputFormat styleClass="highlightBold" value="#{bundle['dataverse.permissionsFiles.files.selected']}">
+                                            <f:param value="#{manageFilePermissionsPage.selectedFiles.size()}"/>
+                                            <f:param value="#{!empty manageFilePermissionsPage.fileRequester ? 
+                                                        manageFilePermissionsPage.fileAccessRequestMap.get(manageFilePermissionsPage.fileRequester).size()
+                                                        :
+                                                        manageFilePermissionsPage.fileMap.size()}"/>
+                                            <f:param value="#{!empty manageFilePermissionsPage.fileRequester ? 
+                                                        bundle['dataverse.permissionsFiles.files.requested']
+                                                        :
+                                                        bundle['dataverse.permissionsFiles.files']}"/>
+                                        </h:outputFormat>
+                                    </p>
+                                </p:outputPanel>
+
+                                <o:importFunctions type="java.util.Arrays" />
+                                <p:dataTable id="restrictedFilesForAccess" var="file"
+                                             value="#{empty manageFilePermissionsPage.fileRequester ? Arrays:asList(manageFilePermissionsPage.fileMap.keySet().toArray()) :
+                                                      manageFilePermissionsPage.fileAccessRequestMap.get(manageFilePermissionsPage.fileRequester)}"
+                                             selection="#{manageFilePermissionsPage.selectedFiles}" rowKey="#{file.id}" sortBy="#{file.displayName}"
+                                             scrollable="true" scrollHeight="300">
+
+                                    <p:ajax event="rowSelectCheckbox"  update=":rolesPermissionsForm:selectionCounter" />
+                                    <p:ajax event="rowUnselectCheckbox" update=":rolesPermissionsForm:selectionCounter" />
+                                    <p:ajax event="toggleSelect"  update=":rolesPermissionsForm:selectionCounter" />
+
+                                    <p:column selectionMode="multiple" style="width:2%;text-align:center"/>
+                                    <p:column headerText="#{bundle['dataverse.permissionsFiles.assignDialog.fileName']}">
+                                        <h:outputText value="#{file.displayName}"/>
+                                    </p:column>
+                                </p:dataTable>
                             </div>
                             <div class="button-block">
                                 <p:commandLink type="button" styleClass="btn btn-default" rendered="#{empty manageFilePermissionsPage.fileRequester}"
-                                               value="#{bundle['dataverse.permissionsFiles.assignDialog.grantBtn']}"
                                                update="assignRoleContent userGroups restrictedFiles @([id$=Messages])"
                                                actionListener="#{manageFilePermissionsPage.grantAccess}" oncomplete="if (args &amp;&amp; !args.validationFailed) PF('assignWidget').hide();">
                                     <f:param name="DO_VALIDATION" value="true"/>
+                                    <span class="glyphicon glyphicon-ok"/>
+                                    <h:outputText value="#{bundle['dataverse.permissionsFiles.assignDialog.grantBtn']}"/>
                                 </p:commandLink>
                                 <p:commandLink type="button" styleClass="btn btn-default" rendered="#{!empty manageFilePermissionsPage.fileRequester}"
-                                               value="#{bundle['dataverse.permissionsFiles.assignDialog.grantBtn']}"
-                                               update="assignRoleContent userGroups restrictedFiles @([id$=Messages])"
-                                               actionListener="#{manageFilePermissionsPage.grantAccessToRequests(manageFilePermissionsPage.fileRequester)}" oncomplete="PF('assignWidget').hide();"/>
+                                               update="assignRoleContent userGroups fileAccessRequests restrictedFiles @([id$=Messages])"
+                                               actionListener="#{manageFilePermissionsPage.grantAccessToRequests(manageFilePermissionsPage.fileRequester)}" oncomplete="PF('assignWidget').hide();">
+                                    <span class="glyphicon glyphicon-ok"/>
+                                    <h:outputText value="#{bundle['dataverse.permissionsFiles.assignDialog.grantBtn']}"/>
+                                </p:commandLink>
                                 <p:commandLink type="button" styleClass="btn btn-default" rendered="#{!empty manageFilePermissionsPage.fileRequester}"
-                                               value="#{bundle['dataverse.permissionsFiles.assignDialog.rejectBtn']}"
-                                               update="assignRoleContent userGroups restrictedFiles @([id$=Messages])"
-                                               actionListener="#{manageFilePermissionsPage.rejectAccessToRequests(manageFilePermissionsPage.fileRequester)}" oncomplete="PF('assignWidget').hide();"/>
+                                               update="assignRoleContent userGroups fileAccessRequests restrictedFiles @([id$=Messages])"
+                                               actionListener="#{manageFilePermissionsPage.rejectAccessToRequests(manageFilePermissionsPage.fileRequester)}" oncomplete="PF('assignWidget').hide();">
+                                    <span class="glyphicon glyphicon-ban-circle"/>
+                                    <h:outputText value="#{bundle['dataverse.permissionsFiles.assignDialog.rejectBtn']}"/>
+                                </p:commandLink>
                                 <button type="button" class="btn btn-default" onclick="PF('assignWidget').hide()" value="Cancel">#{bundle.cancel}</button>
                             </div>
                         </p:fragment>
diff --git a/src/main/webapp/permissions-manage.xhtml b/src/main/webapp/permissions-manage.xhtml
index c354c76a92d..56bf7158611 100644
--- a/src/main/webapp/permissions-manage.xhtml
+++ b/src/main/webapp/permissions-manage.xhtml
@@ -30,7 +30,7 @@
                             <c:if test="#{managePermissionsPage.dvObject.instanceofDataverse}">
                                 <div class="panel panel-default">
                                     <div data-toggle="collapse" data-target="#panelCollapsePermissions" class="panel-heading text-info">
-                                        Permissions <span class="glyphicon glyphicon-chevron-up"/>
+                                        #{bundle['dataverse.permissions.title']} <span class="glyphicon glyphicon-chevron-up"/>
                                         
                                         <span class="text-muted small pull-right"><span class="glyphicon glyphicon-info-sign"/> #{bundle['dataverse.permissions.description']}</span>
                                     </div>
@@ -107,15 +107,21 @@
                                         </p:commandLink>
                                     </div>
                                     <div>
-                                        <p:dataTable id="assignedRoles" var="roleAssignment" value="#{managePermissionsPage.roleAssignments}">
-                                            <p:column width="35%" headerText="#{bundle['dataverse.permissions.usersOrGroups.tabHeader.userOrGroup']}">
+                                        <p>
+                                            <h:outputFormat styleClass="highlightBold" value="#{managePermissionsPage.roleAssignments.size()} #{bundle['dataverse.permissionsFiles.files.roleAssignees.label']}">
+                                                <f:param value="#{managePermissionsPage.roleAssignments.size()}"/>
+                                            </h:outputFormat>
+                                        </p>
+                                        
+                                        <p:dataTable id="assignedRoles" var="roleAssignment" value="#{managePermissionsPage.roleAssignments}" sortBy="#{roleAssignment.assigneeDisplayInfo.title}">
+                                            <p:column width="35%" headerText="#{bundle['dataverse.permissions.usersOrGroups.tabHeader.userOrGroup']}" sortBy="#{roleAssignment.assigneeDisplayInfo.title}">
                                                 <h:outputText value="#{roleAssignment.assigneeDisplayInfo.title}"/>
                                                 <h:outputText value=" (#{roleAssignment.assigneeDisplayInfo.affiliation})" rendered="#{!empty roleAssignment.assigneeDisplayInfo.affiliation}"/>
                                             </p:column>
-                                            <p:column width="15%" headerText="#{bundle['dataverse.permissions.usersOrGroups.tabHeader.id']}">
+                                            <p:column width="15%" headerText="#{bundle['dataverse.permissions.usersOrGroups.tabHeader.id']}" sortBy="#{roleAssignment.roleAssignment.assigneeIdentifier}">
                                                 <h:outputText value="#{roleAssignment.roleAssignment.assigneeIdentifier}"/>
                                             </p:column>
-                                            <p:column width="20%" class="text-center" headerText="#{bundle['dataverse.permissions.usersOrGroups.tabHeader.role']}">
+                                            <p:column width="20%" class="text-center" headerText="#{bundle['dataverse.permissions.usersOrGroups.tabHeader.role']}" sortBy="#{roleAssignment.roleName}">
                                                 <h:outputText value="#{roleAssignment.roleName}"/>
                                             </p:column>
                                             <p:column width="30%" class="text-center" headerText="#{bundle['dataverse.permissions.usersOrGroups.tabHeader.action']}">
@@ -196,7 +202,7 @@
                         <ui:include src="permissions-configure.xhtml"/>
                         <div class="button-block">
                             <p:commandLink value="#{bundle['saveChanges']}" styleClass="btn btn-default"
-                                           update=":#{p:component('configureSettings')} assignedRoles @([id$=Messages])"
+                                           update=":#{p:component('configureSettings')} @([id$=assignedRoles]) assignedRoles @([id$=Messages])"
                                            actionListener="#{managePermissionsPage.saveConfiguration}"
                                            oncomplete="PF('accessForm').hide()"/>
                             <button type="button" class="btn btn-default" onclick="PF('accessForm').hide()" value="#{bundle.cancel}">#{bundle.cancel}</button>
diff --git a/src/main/webapp/piwik-analytics-snippet.xhtml b/src/main/webapp/piwik-analytics-snippet.xhtml
new file mode 100644
index 00000000000..dad71bc43e7
--- /dev/null
+++ b/src/main/webapp/piwik-analytics-snippet.xhtml
@@ -0,0 +1,26 @@
+<ui:composition xmlns="http://www.w3.org/1999/xhtml"
+     xmlns:h="http://java.sun.com/jsf/html"
+     xmlns:f="http://java.sun.com/jsf/core"
+     xmlns:ui="http://java.sun.com/jsf/facelets"
+     xmlns:c="http://java.sun.com/jsp/jstl/core"
+     xmlns:p="http://primefaces.org/ui"
+     xmlns:o="http://omnifaces.org/ui"
+     xmlns:jsf="http://xmlns.jcp.org/jsf">
+     <c:if test="#{(not empty settingsWrapper.get(':PiwikAnalyticsId')) and (not empty settingsWrapper.get(':PiwikAnalyticsHost'))}">
+         <!-- Piwik -->
+         <script type="text/javascript">
+         var _paq = _paq || [];
+         _paq.push(['trackPageView']);
+         _paq.push(['enableLinkTracking']);
+         (function() {
+             var u="//#{settingsWrapper.get(':PiwikAnalyticsHost')}/";
+             _paq.push(['setTrackerUrl', u+'piwik.php']);
+             _paq.push(['setSiteId', #{settingsWrapper.get(':PiwikAnalyticsId')}]);
+             var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
+             g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
+         })();
+         </script>
+         <noscript><p><img src="//#{settingsWrapper.get(':PiwikAnalyticsHost')}/piwik.php?idsite=#{settingsWrapper.get(':PiwikAnalyticsId')}" style="border:0;" alt="" /></p></noscript>
+         <!-- End Piwik Code -->
+    </c:if>
+</ui:composition>
diff --git a/src/main/webapp/resources/css/structure.css b/src/main/webapp/resources/css/structure.css
index fbfb3dbfc68..e191a2b563b 100644
--- a/src/main/webapp/resources/css/structure.css
+++ b/src/main/webapp/resources/css/structure.css
@@ -716,9 +716,9 @@ div.manageTable.ui-datatable div.ui-datatable-tablewrapper, div.manageTable.ui-d
 .ui-blockui.ui-widget-overlay {background:#fff; opacity:.6;}
 div.ui-dialog.ui-widget-content {z-index:100001 !important;}
 
-/* POPUP DROPDOWN MENUS + BLOCK UI */
+/* POPUP DROPDOWN MENUS + TOOLTIPS + BLOCK UI */
 div.ui-selectcheckboxmenu-panel, div.ui-selectonemenu-panel, div.ui-autocomplete-panel,
-.ui-selectonemenu-list, .ui-selectcheckboxmenu-list {z-index:100002 !important;}
+.ui-selectonemenu-list, .ui-selectcheckboxmenu-list, div.tooltip {z-index:100002 !important;}
 
 /* Overwrite Primefaces */
 button.btn-default.ui-button-text-only .ui-button-text {padding:0; font-size:14px;}
diff --git a/src/main/webapp/roles-assign.xhtml b/src/main/webapp/roles-assign.xhtml
index 93d47309e89..7de1536c3df 100644
--- a/src/main/webapp/roles-assign.xhtml
+++ b/src/main/webapp/roles-assign.xhtml
@@ -3,6 +3,7 @@
     xmlns:ui="http://java.sun.com/jsf/facelets"
     xmlns:c="http://java.sun.com/jsp/jstl/core"
     xmlns:p="http://primefaces.org/ui"
+    xmlns:jsf="http://xmlns.jcp.org/jsf"
     xmlns:iqbs="http://xmlns.jcp.org/jsf/composite/iqbs">
     <p:dialog id="userGroupDialog" styleClass="largePopUp" header="#{bundle['dataverse.permissions.usersOrGroups.assignDialog.header']}" widgetVar="userGroupsForm" modal="true">
         <p:fragment id="assignRoleMessages">
@@ -44,8 +45,8 @@
                     <label for="assignRoleRadios" class="col-sm-2 control-label">
                         #{bundle['dataverse.permissions.usersOrGroups.tabHeader.role']} <span class="glyphicon glyphicon-asterisk text-danger" title="#{bundle.requiredField}"/>
                     </label>
-                    <div class="col-sm-9 form-group">
-                        <div class="col-sm-5">
+                    <div class="col-sm-10 form-group">
+                        <div class="col-sm-4">
                             <p:fragment id="availableRoles">
                                 <p:selectOneRadio id="assignRoleRadios" layout="pageDirection"
                                                   value="#{managePermissionsPage.selectedRoleId}"
@@ -57,15 +58,26 @@
                                 <p:message for="assignRoleRadios" display="text"/>
                             </p:fragment>
                         </div>
-                        <div class="col-sm-6 bg-muted">
+                        <div class="col-sm-8 bg-muted">
                             <p:fragment id="roleDetails">
                                 <div id="assignRolePermissionLabels">
                                     <p class="help-block">#{bundle['dataverse.permissions.usersOrGroups.assignDialog.role.description']}</p>
-                                    <span class="highlightBold">#{managePermissionsPage.assignedRole.name}</span>
-                                    <div class="margin-bottom">
-                                        <ui:repeat value="#{managePermissionsPage.assignedRole.permissions().toArray()}" var="prm">
-                                            <span class="label label-default">#{prm}</span>
-                                        </ui:repeat>
+                                    <div jsf:rendered="#{!empty managePermissionsPage.assignedRole.name}">
+                                        <span class="highlightBold">#{managePermissionsPage.assignedRole.name}</span>
+                                        <div class="small" jsf:rendered="#{!empty managePermissionsPage.assignedRole.description}">#{managePermissionsPage.assignedRole.description}</div>
+                                        <div class="margin-bottom">
+                                            <ui:repeat value="#{managePermissionsPage.assignedRole.permissions().toArray()}" var="prm">
+                                                <span class="label label-default">#{prm}</span>
+                                            </ui:repeat>
+                                        </div>
+                                        <p class="help-block">
+                                            <span class="glyphicon glyphicon-warning-sign text-danger"/>
+                                            <h:outputFormat styleClass="text-danger" value=" #{bundle['dataverse.permissions.usersOrGroups.assignDialog.role.warning']}">
+                                                <f:param value="#{managePermissionsPage.assignedRole.name}"/>
+                                                <f:param value="#{managePermissionsPage.assignedRoleObjectTypes}"/>
+                                                <f:param value="#{managePermissionsPage.definitionLevelString}"/>
+                                            </h:outputFormat>
+                                        </p>
                                     </div>
                                 </div>
                             </p:fragment>
@@ -84,4 +96,18 @@
             </div>
         </p:fragment>
     </p:dialog>
+    <p:dialog id="confirmFileDownloader" header="#{bundle['dataverse.permissions.usersOrGroups.assignDialog.header']}" widgetVar="confirmFileDownloader" modal="true">
+        <p class="help-block">
+            <span class="glyphicon glyphicon-warning-sign text-danger"/> <span class="text-danger">#{bundle['dataverse.permissions.usersOrGroups.assignDialog.fileDownloadConfirm']}</span>
+        </p>
+        <div class="button-block">
+            
+            <!-- THIS confirmFileDownloader POPUP HAS YET TO BE WIRED UP -->
+            
+            <p:commandButton value="#{bundle.continue}" styleClass="btn btn-default" onclick="PF('confirmFileDownloader').hide()"
+                             action="#{managePermissionsPage.assignRole}"
+                             update="assignRoleContent assignedRoles @([id$=Messages])" />
+            <button type="button" class="btn btn-default" onclick="PF('confirmFileDownloader').hide()" value="#{bundle.cancel}">#{bundle.cancel}</button>
+        </div>
+    </p:dialog>
 </ui:composition>
diff --git a/src/test/java/edu/harvard/iq/dataverse/api/ConfirmEmailIT.java b/src/test/java/edu/harvard/iq/dataverse/api/ConfirmEmailIT.java
new file mode 100644
index 00000000000..f3dc8b16f1d
--- /dev/null
+++ b/src/test/java/edu/harvard/iq/dataverse/api/ConfirmEmailIT.java
@@ -0,0 +1,132 @@
+package edu.harvard.iq.dataverse.api;
+
+import com.jayway.restassured.RestAssured;
+import static com.jayway.restassured.RestAssured.given;
+import com.jayway.restassured.path.json.JsonPath;
+import com.jayway.restassured.response.Response;
+import java.util.logging.Logger;
+import static junit.framework.Assert.assertEquals;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import static org.hamcrest.CoreMatchers.nullValue;
+import static org.hamcrest.Matchers.startsWith;
+
+/**
+ * @author bsilverstein
+ */
+public class ConfirmEmailIT {
+
+    private static final Logger logger = Logger.getLogger(ConfirmEmailIT.class.getCanonicalName());
+
+    @BeforeClass
+    public static void setUp() {
+        RestAssured.baseURI = UtilIT.getRestAssuredBaseUri();
+    }
+
+    @Test
+    public void testConfirm() {
+
+        Response createUserToConfirm = UtilIT.createRandomUser();
+        createUserToConfirm.prettyPrint();
+        createUserToConfirm.then().assertThat()
+                .statusCode(200);
+
+        long userIdToConfirm = JsonPath.from(createUserToConfirm.body().asString()).getLong("data.authenticatedUser.id");
+        String userToConfirmApiToken = JsonPath.from(createUserToConfirm.body().asString()).getString("data.apiToken");
+        String usernameToConfirm = JsonPath.from(createUserToConfirm.body().asString()).getString("data.user.userName");
+
+        Response createSuperuser = UtilIT.createRandomUser();
+        createSuperuser.then().assertThat()
+                .statusCode(200);
+        String superuserUsername = JsonPath.from(createSuperuser.body().asString()).getString("data.user.userName");
+        String superUserApiToken = JsonPath.from(createUserToConfirm.body().asString()).getString("data.apiToken");
+
+        UtilIT.makeSuperUser(superuserUsername);
+        createSuperuser.then().assertThat()
+                .statusCode(200);
+
+        System.out.println("not confirmed yet");
+        Response getUserWithoutConfirmedEmail = UtilIT.getAuthenticatedUser(usernameToConfirm, superUserApiToken);
+        getUserWithoutConfirmedEmail.prettyPrint();
+        getUserWithoutConfirmedEmail.then().assertThat()
+                .statusCode(200)
+                .body("data.emailLastConfirmed", nullValue());
+
+        Response getToken = given()
+                .get("/api/admin/confirmEmail/" + userIdToConfirm);
+        getToken.prettyPrint();
+        getToken.then().assertThat()
+                .statusCode(200);
+        String confirmEmailToken = JsonPath.from(getToken.body().asString()).getString("data.token");
+
+        String junkToken = "noSuchToken";
+        Response confirmEmailViaBrowserJunkToken = given()
+                .get("/confirmemail.xhtml?token=" + junkToken);
+        boolean pageReturnsProper404Response = false;
+        if (pageReturnsProper404Response) {
+            confirmEmailViaBrowserJunkToken.then().assertThat().statusCode(404);
+        } else {
+            confirmEmailViaBrowserJunkToken.then().assertThat().statusCode(200);
+        }
+
+        boolean exitEarlyToTestManuallyInBrowser = false;
+        if (exitEarlyToTestManuallyInBrowser) {
+            return;
+        }
+
+        Response confirmEmailViaBrowser = given()
+                .get("/confirmemail.xhtml?token=" + confirmEmailToken);
+        confirmEmailViaBrowser.then().assertThat()
+                .statusCode(200);
+
+        Response getUserWithConfirmedEmail = UtilIT.getAuthenticatedUser(usernameToConfirm, superUserApiToken);
+        getUserWithConfirmedEmail.prettyPrint();
+        getUserWithConfirmedEmail.then().assertThat()
+                .statusCode(200)
+                // Checking that it's 2016 or whatever. Not y3k compliant! 
+                .body("data.emailLastConfirmed", startsWith("2"));
+
+        Response getToken2 = given()
+                .get("/api/admin/confirmEmail/" + userIdToConfirm);
+        getToken2.prettyPrint();
+        getToken2.then().assertThat()
+                .statusCode(400);
+
+        Response confirmAgain1 = given()
+                .post("/api/admin/confirmEmail/" + userIdToConfirm);
+        confirmAgain1.prettyPrint();
+        confirmAgain1.then().assertThat()
+                .statusCode(200);
+
+        Response confirmAgain2 = given()
+                .post("/api/admin/confirmEmail/" + userIdToConfirm);
+        confirmAgain2.prettyPrint();
+        confirmAgain2.then().assertThat()
+                .statusCode(400);
+
+    }
+
+    @Test
+    public void testConfirmUserWithTokenCanBeDeleted() {
+
+        Response createUserToConfirm = UtilIT.createRandomUser();
+        createUserToConfirm.prettyPrint();
+        createUserToConfirm.then().assertThat()
+                .statusCode(200);
+
+        long userIdToConfirm = JsonPath.from(createUserToConfirm.body().asString()).getLong("data.authenticatedUser.id");
+        String userToConfirmApiToken = JsonPath.from(createUserToConfirm.body().asString()).getString("data.apiToken");
+        String usernameToConfirm = JsonPath.from(createUserToConfirm.body().asString()).getString("data.user.userName");
+
+        Response attemptToDeleteNonExistentUser = UtilIT.deleteUser("noSuchUser");
+        attemptToDeleteNonExistentUser.then().assertThat()
+                .statusCode(400);
+
+        Response deleteUser = UtilIT.deleteUser(usernameToConfirm);
+        deleteUser.prettyPrint();
+        deleteUser.then().assertThat()
+                .statusCode(200);
+
+    }
+
+}
diff --git a/src/test/java/edu/harvard/iq/dataverse/authorization/groups/GroupServiceBeanTest.java b/src/test/java/edu/harvard/iq/dataverse/authorization/groups/GroupServiceBeanTest.java
new file mode 100644
index 00000000000..ea9f851f9ed
--- /dev/null
+++ b/src/test/java/edu/harvard/iq/dataverse/authorization/groups/GroupServiceBeanTest.java
@@ -0,0 +1,120 @@
+package edu.harvard.iq.dataverse.authorization.groups;
+
+import edu.harvard.iq.dataverse.Dataverse;
+import edu.harvard.iq.dataverse.authorization.groups.impl.builtin.AllUsers;
+import edu.harvard.iq.dataverse.authorization.groups.impl.builtin.AuthenticatedUsers;
+import edu.harvard.iq.dataverse.authorization.groups.impl.explicit.ExplicitGroup;
+import edu.harvard.iq.dataverse.authorization.groups.impl.explicit.ExplicitGroupProvider;
+import edu.harvard.iq.dataverse.mocks.MockExplicitGroupService;
+import edu.harvard.iq.dataverse.mocks.MockRoleAssigneeServiceBean;
+import edu.harvard.iq.dataverse.mocks.MocksFactory;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import static java.util.stream.Collectors.toList;
+import java.util.stream.Stream;
+import static org.junit.Assert.assertEquals;
+import org.junit.Test;
+import static edu.harvard.iq.dataverse.util.CollectionLiterals.*;
+
+/**
+ *
+ * @author michael
+ */
+public class GroupServiceBeanTest {
+    
+    public GroupServiceBeanTest() {
+    }
+
+    @Test
+    public void testFlattenGroupsCollection() throws GroupException {
+        // Setup
+        MockRoleAssigneeServiceBean roleAssigneeSvc = new MockRoleAssigneeServiceBean();
+        ExplicitGroupProvider prv = new ExplicitGroupProvider(null, roleAssigneeSvc);
+        ExplicitGroup gA = new ExplicitGroup(prv);
+        gA.setDisplayName("A");
+        ExplicitGroup gAa = new ExplicitGroup(prv);
+        gAa.setDisplayName("Aa");
+        ExplicitGroup gAb = new ExplicitGroup(prv);
+        gAb.setDisplayName("Ab");
+        ExplicitGroup gAstar = new ExplicitGroup(prv);
+        gAstar.setDisplayName("A*");
+        Dataverse dv = MocksFactory.makeDataverse();
+        Stream.of( gA, gAa, gAb, gAstar).forEach( g -> {
+            g.setId( MocksFactory.nextId() );
+            g.setOwner(dv);
+            g.setGroupAliasInOwner( g.getDisplayName() );
+            roleAssigneeSvc.add(g);
+            g.updateAlias();
+        });
+        
+        // create some containment hierarchy.
+        gA.add(gAa);
+        gA.add(gAb);
+        gAb.add(gAstar);
+        gAa.add(gAstar);
+        gAa.add( AuthenticatedUsers.get() );
+        
+        // Test
+        GroupServiceBean sut = new GroupServiceBean();
+        sut.roleAssigneeSvc = roleAssigneeSvc;
+        
+        Set<Group> grps = setOf( AllUsers.get(), gA );
+                
+        List<Group> result = sut.flattenGroupsCollection(grps).collect(toList());
+        
+        assertEquals( "Groups should appear only once", result.size(), new HashSet<>(result).size() );
+        
+        grps.addAll( listOf(gAa, gAb, gAstar, AuthenticatedUsers.get()) );
+        assertEquals( "All groups should appear", grps, new HashSet<>(result) );
+        
+    }
+    
+    @Test
+    public void testCollectAncestors() throws GroupException {
+        // Setup
+        MockRoleAssigneeServiceBean roleAssigneeSvc = new MockRoleAssigneeServiceBean();
+        MockExplicitGroupService explicitGroupSvc = new MockExplicitGroupService();
+        ExplicitGroupProvider prv = new ExplicitGroupProvider(null, roleAssigneeSvc);
+        
+        ExplicitGroup gA = new ExplicitGroup(prv);
+        gA.setDisplayName("A");
+        ExplicitGroup gAa = new ExplicitGroup(prv);
+        gAa.setDisplayName("Aa");
+        ExplicitGroup gAb = new ExplicitGroup(prv);
+        gAb.setDisplayName("Ab");
+        ExplicitGroup gAstar = new ExplicitGroup(prv);
+        gAstar.setDisplayName("A*");
+        Dataverse dv = MocksFactory.makeDataverse();
+        Stream.of( gA, gAa, gAb, gAstar).forEach( g -> {
+            g.setId( MocksFactory.nextId() );
+            g.setOwner(dv);
+            g.setGroupAliasInOwner( g.getDisplayName() );
+            g.updateAlias();
+            roleAssigneeSvc.add(g);
+            explicitGroupSvc.registerGroup(g);
+        });
+        
+        // create some containment hierarchy.
+        gA.add(gAa);
+        gA.add(gAb);
+        gAb.add(gAstar);
+        gAa.add(gAstar);
+        gAa.add(AuthenticatedUsers.get());
+        
+        // Test
+        GroupServiceBean sut = new GroupServiceBean();
+        sut.roleAssigneeSvc = roleAssigneeSvc;
+        sut.explicitGroupService = explicitGroupSvc;
+        
+        assertEquals( setOf(gA), sut.collectAncestors(setOf(gA)) );
+        assertEquals( setOf(gA, gAb), sut.collectAncestors(setOf(gAb)) );
+        assertEquals( setOf(gA, gAa, AuthenticatedUsers.get()), 
+                      sut.collectAncestors(setOf(AuthenticatedUsers.get())) );
+        assertEquals( setOf(gA, gAb, gAa, gAstar), 
+                      sut.collectAncestors(setOf(gAstar)) );
+        
+    }
+    
+    
+}
diff --git a/src/test/java/edu/harvard/iq/dataverse/authorization/groups/impl/explicit/ExplicitGroupTest.java b/src/test/java/edu/harvard/iq/dataverse/authorization/groups/impl/explicit/ExplicitGroupTest.java
new file mode 100644
index 00000000000..543d3ab1eeb
--- /dev/null
+++ b/src/test/java/edu/harvard/iq/dataverse/authorization/groups/impl/explicit/ExplicitGroupTest.java
@@ -0,0 +1,216 @@
+/*
+ *  (C) Michael Bar-Sinai
+ */
+package edu.harvard.iq.dataverse.authorization.groups.impl.explicit;
+
+import edu.harvard.iq.dataverse.Dataverse;
+import edu.harvard.iq.dataverse.authorization.groups.GroupException;
+import edu.harvard.iq.dataverse.authorization.groups.impl.builtin.AllUsers;
+import edu.harvard.iq.dataverse.authorization.groups.impl.builtin.AuthenticatedUsers;
+import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.IpGroup;
+import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.IpGroupProvider;
+import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IpAddress;
+import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IpAddressRange;
+import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
+import edu.harvard.iq.dataverse.authorization.users.GuestUser;
+import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
+import edu.harvard.iq.dataverse.mocks.MockRoleAssigneeServiceBean;
+import static edu.harvard.iq.dataverse.mocks.MocksFactory.*;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+import org.junit.Test;
+
+/**
+ *
+ * @author michael
+ */
+public class ExplicitGroupTest {
+    
+    
+    MockRoleAssigneeServiceBean roleAssigneeSvc = new MockRoleAssigneeServiceBean();
+    ExplicitGroupProvider prv = new ExplicitGroupProvider(null, roleAssigneeSvc);
+    
+    public ExplicitGroupTest() {
+    }
+    
+    @Test( expected=GroupException.class )
+    public void addGroupToSelf() throws Exception {
+        ExplicitGroup sut = new ExplicitGroup();
+        sut.setDisplayName("a group");
+        sut.add( sut );
+        fail("A group cannot be added to itself.");
+    }
+    
+    @Test( expected=GroupException.class )
+    public void addGroupToDescendant() throws GroupException{
+        Dataverse dv = makeDataverse();
+        ExplicitGroup root = new ExplicitGroup(prv);
+        root.setId( nextId() );
+        root.setGroupAliasInOwner("top");
+        ExplicitGroup sub = new ExplicitGroup(prv);
+        sub.setGroupAliasInOwner("sub");
+        sub.setId( nextId() );
+        ExplicitGroup subSub = new ExplicitGroup(prv);
+        subSub.setGroupAliasInOwner("subSub");
+        subSub.setId( nextId() );
+        root.setOwner(dv);
+        sub.setOwner(dv);
+        subSub.setOwner(dv);
+        
+        sub.add( subSub );
+        root.add( sub );
+        subSub.add(root);
+        fail("A group cannot contain its parent");
+    }
+    
+    @Test( expected=GroupException.class )
+    public void addGroupToUnrealtedGroup() throws GroupException {
+        Dataverse dv1 = makeDataverse();
+        Dataverse dv2 = makeDataverse();
+        ExplicitGroup g1 = new ExplicitGroup(prv);
+        ExplicitGroup g2 = new ExplicitGroup(prv);
+        g1.setOwner(dv1);
+        g2.setOwner(dv2);
+        
+        g1.add(g2);
+        fail("An explicit group cannot contain an explicit group defined in "
+                + "a dataverse that's not an ancestor of that group's owner dataverse.");
+        
+    }
+    
+    @Test
+    public void addGroup() throws GroupException {
+        Dataverse dvParent = makeDataverse();
+        Dataverse dvSub = makeDataverse();
+        dvSub.setOwner(dvParent);
+        
+        ExplicitGroup g1 = new ExplicitGroup(prv);
+        ExplicitGroup g2 = new ExplicitGroup(prv);
+        g1.setOwner(dvSub);
+        g2.setOwner(dvParent);
+        
+        g1.add(g2);
+        assertTrue( g1.structuralContains(g2) );
+    }
+    
+    @Test
+    public void adds() throws GroupException {
+        Dataverse dvParent = makeDataverse();
+        ExplicitGroup g1 = new ExplicitGroup(prv);
+        g1.setOwner(dvParent);
+        
+        AuthenticatedUser au1 = makeAuthenticatedUser("Lauren", "Ipsum");
+        g1.add(au1);
+        g1.add( GuestUser.get() );
+        
+        assertTrue( g1.structuralContains(GuestUser.get()) );
+        assertTrue( g1.structuralContains(au1) );
+        assertFalse( g1.structuralContains(makeAuthenticatedUser("Sima", "Kneidle")) );
+        assertFalse( g1.structuralContains(AllUsers.get()) );
+    }
+    
+    
+    @Test
+    public void recursiveStructuralContainment() throws GroupException {
+        Dataverse dvParent = makeDataverse();
+        ExplicitGroup parentGroup     = roleAssigneeSvc.add(makeExplicitGroup(prv));
+        ExplicitGroup childGroup      = roleAssigneeSvc.add(makeExplicitGroup(prv));
+        ExplicitGroup grandChildGroup = roleAssigneeSvc.add(makeExplicitGroup(prv));
+        parentGroup.setOwner(dvParent);
+        childGroup.setOwner(dvParent);
+        grandChildGroup.setOwner(dvParent);
+        
+        childGroup.add(grandChildGroup);
+        parentGroup.add(childGroup);
+        
+        AuthenticatedUser au = roleAssigneeSvc.add(makeAuthenticatedUser("Jane", "Doe"));
+        grandChildGroup.add( au );
+        childGroup.add( GuestUser.get() );
+        
+        assertTrue( grandChildGroup.structuralContains(au) );
+        assertTrue( childGroup.structuralContains(au) );
+        assertTrue( parentGroup.structuralContains(au) );
+        
+        assertTrue( childGroup.structuralContains(GuestUser.get()) );
+        assertTrue( parentGroup.structuralContains(GuestUser.get()) );
+        
+        grandChildGroup.remove(au);
+        
+        assertFalse( grandChildGroup.structuralContains(au) );
+        assertFalse( childGroup.structuralContains(au) );
+        assertFalse( parentGroup.structuralContains(au) );
+        
+        childGroup.add( AuthenticatedUsers.get() );
+        
+        assertFalse( grandChildGroup.structuralContains(au) );
+        assertFalse( childGroup.structuralContains(au) );
+        assertFalse( parentGroup.structuralContains(au) );
+        assertTrue( childGroup.structuralContains(AuthenticatedUsers.get()) );
+
+        final IpGroup ipGroup = new IpGroup(new IpGroupProvider(null));
+        grandChildGroup.add(ipGroup);
+        ipGroup.add( IpAddressRange.make(IpAddress.valueOf("0.0.1.1"), IpAddress.valueOf("0.0.255.255")) );
+        
+        assertTrue( grandChildGroup.structuralContains(ipGroup) );
+        assertTrue( childGroup.structuralContains(ipGroup) );
+        assertTrue( parentGroup.structuralContains(ipGroup) );
+    }
+    
+    @Test
+    public void recursiveLogicalContainment() throws GroupException {
+        Dataverse dvParent = makeDataverse();
+        ExplicitGroup parentGroup     = roleAssigneeSvc.add(makeExplicitGroup("parent", prv));
+        ExplicitGroup childGroup      = roleAssigneeSvc.add(makeExplicitGroup("child", prv));
+        ExplicitGroup grandChildGroup = roleAssigneeSvc.add(makeExplicitGroup("grandChild", prv));
+        parentGroup.setOwner(dvParent);
+        childGroup.setOwner(dvParent);
+        grandChildGroup.setOwner(dvParent);
+        
+        childGroup.add(grandChildGroup);
+        parentGroup.add(childGroup);
+        
+        AuthenticatedUser au = roleAssigneeSvc.add(makeAuthenticatedUser("Jane", "Doe"));
+        grandChildGroup.add( au );
+        childGroup.add( GuestUser.get() );
+        DataverseRequest auReq = makeRequest(au);
+        DataverseRequest guestReq = makeRequest();
+        
+        assertTrue( grandChildGroup.contains(auReq) );
+        assertTrue( childGroup.contains(auReq) );
+        assertTrue( parentGroup.contains(auReq) );
+        
+        assertTrue( childGroup.contains(guestReq) );
+        assertTrue( parentGroup.contains(guestReq) );
+        
+        grandChildGroup.remove(au);
+        
+        assertFalse( grandChildGroup.contains(auReq) );
+        assertFalse( childGroup.contains(auReq) );
+        assertFalse( parentGroup.contains(auReq) );
+        
+        childGroup.add( AuthenticatedUsers.get() );
+        
+        assertFalse( grandChildGroup.contains(auReq) );
+        assertTrue( childGroup.contains(auReq) );
+        assertTrue( parentGroup.contains(auReq) );
+
+        final IpGroup ipGroup = roleAssigneeSvc.add( new IpGroup(new IpGroupProvider(null)) );
+        grandChildGroup.add(ipGroup);
+        ipGroup.add( IpAddressRange.make(IpAddress.valueOf("0.0.1.1"), IpAddress.valueOf("0.0.255.255")) );
+        final IpAddress ip = IpAddress.valueOf("0.0.128.128");
+        final DataverseRequest request = new DataverseRequest(GuestUser.get(), ip);
+        
+        assertTrue( ipGroup.contains(request) ); 
+        assertTrue( grandChildGroup.contains(request) );
+        assertTrue( parentGroup.contains(request) );
+        
+        childGroup.add( GuestUser.get() );
+        assertTrue( childGroup.contains(guestReq) );
+        assertTrue( parentGroup.contains(guestReq) );
+        assertFalse( grandChildGroup.contains(guestReq) );
+        
+    }
+}
+
+
diff --git a/src/test/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/IpGroupTest.java b/src/test/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/IpGroupTest.java
new file mode 100644
index 00000000000..b6a3b862435
--- /dev/null
+++ b/src/test/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/IpGroupTest.java
@@ -0,0 +1,91 @@
+package edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress;
+
+import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IpAddress;
+import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IpAddressRange;
+import edu.harvard.iq.dataverse.authorization.users.GuestUser;
+import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
+import edu.harvard.iq.dataverse.mocks.MocksFactory;
+import org.junit.Test;
+import static org.junit.Assert.*;
+
+/**
+ *
+ * @author michael
+ */
+public class IpGroupTest {
+    
+    public IpGroupTest() {
+    }
+
+    /**
+     * Test of contains method, of class IpGroup.
+     */
+    @Test
+    public void testContains() {
+        IpGroup sut = new IpGroup();
+        sut.setId(MocksFactory.nextId());
+        sut.setDescription("A's description");
+        sut.setDisplayName("A");
+        sut.setPersistedGroupAlias("&ip/a");
+        final IpAddressRange allIPv4 = IpAddressRange.make(IpAddress.valueOf("0.0.0.0"), IpAddress.valueOf("255.255.255.255"));
+        final IpAddressRange allIPv6 = IpAddressRange.make(IpAddress.valueOf("0:0:0:0:0:0:0:0"),
+                IpAddress.valueOf("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"));
+        
+        sut.add(allIPv4);
+        sut.add(allIPv6);
+        
+        assertTrue( sut.contains(new DataverseRequest(GuestUser.get(), IpAddress.valueOf("1.2.3.4"))) );
+        assertTrue( sut.contains(new DataverseRequest(GuestUser.get(), IpAddress.valueOf("11::fff"))) );
+        
+        sut.remove( allIPv4 );
+        assertFalse( sut.contains(new DataverseRequest(GuestUser.get(), IpAddress.valueOf("1.2.3.4"))) );
+        
+        sut.remove( allIPv6 );
+        assertFalse( sut.contains(new DataverseRequest(GuestUser.get(), IpAddress.valueOf("11::fff"))) );
+        
+        sut.add( IpAddressRange.make(IpAddress.valueOf("0.0.0.0"), IpAddress.valueOf("168.0.0.0")) );
+        assertFalse( sut.contains(new DataverseRequest(GuestUser.get(), IpAddress.valueOf("169.0.0.0"))) );
+        assertTrue( sut.contains(new DataverseRequest(GuestUser.get(), IpAddress.valueOf("167.0.0.0"))) );
+        
+    }
+
+ 
+    /**
+     * Test of isEditable method, of class IpGroup.
+     */
+    @Test
+    public void testIsEditable() {
+        IpGroup instance = new IpGroup();
+        assertTrue( instance.isEditable() );
+    }
+
+    /**
+     * Test of equals method, of class IpGroup.
+     */
+    @Test
+    public void testEquals() {
+        IpGroup a = new IpGroup();
+        a.setId(MocksFactory.nextId());
+        a.setDescription("A's description");
+        a.setDisplayName("A");
+        a.setPersistedGroupAlias("&ip/a");
+        a.add( IpAddressRange.make(IpAddress.valueOf("0.0.0.0"), IpAddress.valueOf("1.1.1.1")));
+        
+        assertFalse( a.equals("banana") );
+        assertFalse( a.equals( null ) );
+        assertTrue( a.equals( a) );
+        
+        IpGroup aa = new IpGroup();
+        aa.setId(a.getId());
+        aa.setDescription("A's description");
+        aa.setDisplayName("A");
+        aa.setPersistedGroupAlias("&ip/a");
+        aa.add( IpAddressRange.make(IpAddress.valueOf("0.0.0.0"), IpAddress.valueOf("1.1.1.1")));
+        
+        assertTrue( a.equals(aa) );
+        aa.add( IpAddressRange.make(IpAddress.valueOf("9.0.0.0"), IpAddress.valueOf("9.1.1.1")));
+        assertFalse( a.equals(aa) );
+        
+    }
+    
+}
diff --git a/src/test/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IPv4AddressTest.java b/src/test/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IPv4AddressTest.java
index d853dc36f86..d03846a97b4 100644
--- a/src/test/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IPv4AddressTest.java
+++ b/src/test/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IPv4AddressTest.java
@@ -1,6 +1,7 @@
 package edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip;
 
-import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IPv4Address;
+import java.math.BigDecimal;
+import java.math.BigInteger;
 import java.util.Arrays;
 import org.junit.Test;
 import static org.junit.Assert.*;
@@ -57,7 +58,7 @@ public void testComparator() {
     
     @Test
     public void testLongRoundtrip() {
-        for ( IPv4Address addr : Arrays.asList(
+        Arrays.asList(
                 new IPv4Address(127,0,36,255),
                 new IPv4Address(0,0,0,0),
                 new IPv4Address(127,0,0,1),
@@ -67,10 +68,36 @@ public void testLongRoundtrip() {
                 new IPv4Address(128,128,128,128),
                 new IPv4Address(127,127,127,127),
                 new IPv4Address(255,255,255,255),
-                new IPv4Address(255,0,34,1)) ) {
-            assertEquals( addr, new IPv4Address(addr.toLong()) );
-        }
+                new IPv4Address(255,0,34,1)
+        ).forEach( addr -> assertEquals( addr, new IPv4Address(addr.toLong())) );
     }
     
+    @Test
+    public void testBigIntegerRoundtrip() {
+        Arrays.asList(
+                new IPv4Address(0,0,0,0),
+                new IPv4Address(0,0,0,1),
+                new IPv4Address(0,0,1,0),
+                new IPv4Address(0,1,0,0),
+                new IPv4Address(1,0,0,0),
+                new IPv4Address(1,1,1,1),
+                new IPv4Address(0,0,127,1),
+                new IPv4Address(127,0,36,255),
+                new IPv4Address(127,0,0,1),
+                new IPv4Address(128,0,0,1),
+                new IPv4Address(0,0,128,1),
+                new IPv4Address(128,128,128,128),
+                new IPv4Address(127,127,127,127),
+                new IPv4Address(255,255,255,255),
+                new IPv4Address(255,0,34,1)
+        ).forEach( addr -> assertEquals( addr, new IPv4Address(addr.toBigInteger())) );
+    }
     
+    @Test
+    public void toBigInteger() {
+        assertEquals( BigInteger.ZERO, new IPv4Address(0,0,0,0).toBigInteger() );
+        assertEquals( BigInteger.ONE, new IPv4Address(0,0,0,1).toBigInteger() );
+        assertEquals( BigInteger.ONE.shiftLeft(8),
+                        new IPv4Address(0,0,1,0).toBigInteger() );
+    }
 }
diff --git a/src/test/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IPv6AddressTest.java b/src/test/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IPv6AddressTest.java
index 3c51d2dc168..2070dc347e7 100644
--- a/src/test/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IPv6AddressTest.java
+++ b/src/test/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IPv6AddressTest.java
@@ -11,204 +11,215 @@
  * @author michael
  */
 public class IPv6AddressTest {
-    
+
     public IPv6AddressTest() {
     }
-    
+
     @Before
     public void setUp() {
     }
-    
+
     @After
     public void tearDown() {
     }
 
     @Test
     public void testValueOfNoExpansion() {
-        int[] expected = new int[]{0x2001,0xdb8,0x85a3,0x0,0x0,0x8a2e,0x370,0x7334};
+        int[] expected = new int[]{0x2001, 0xdb8, 0x85a3, 0x0, 0x0, 0x8a2e, 0x370, 0x7334};
         IPv6Address adr = IPv6Address.valueOf("2001:db8:85a3:0:0:8a2e:370:7334");
-        for ( int i=0; i<8; i++ ) {
+        for (int i = 0; i < 8; i++) {
             assertEquals(expected[i], adr.get(i));
         }
     }
-    
+
     @Test
     public void testValueOfWithExpansion() {
-        int[] expected = new int[]{0x2001,0xdb8,0x85a3,0x0,0,0x8a2e,0x370,0x7334};
+        int[] expected = new int[]{0x2001, 0xdb8, 0x85a3, 0x0, 0, 0x8a2e, 0x370, 0x7334};
         IPv6Address adr = IPv6Address.valueOf("2001:db8:85a3::8a2e:370:7334");
-        for ( int i=0; i<8; i++ ) {
+        for (int i = 0; i < 8; i++) {
             assertEquals("At index " + i + ": expecting " + expected[i] + ", got " + adr.get(i),
-                         expected[i], adr.get(i));
+                    expected[i], adr.get(i));
         }
-        
-        expected = new int[]{0x2001,0xdb8,0x0,0x0,0x0,0x0,0x370,0x7334};
+
+        expected = new int[]{0x2001, 0xdb8, 0x0, 0x0, 0x0, 0x0, 0x370, 0x7334};
         adr = IPv6Address.valueOf("2001:db8::370:7334");
-        for ( int i=0; i<8; i++ ) {
+        for (int i = 0; i < 8; i++) {
             assertEquals("At index " + i + ": expecting " + expected[i] + ", got " + adr.get(i),
-                         expected[i], adr.get(i));
+                    expected[i], adr.get(i));
         }
     }
-    
+
     @Test
     public void testValueOfWithExpansionZerosAtStart() {
-        int[] expected = new int[]{0,0,0,0,0,0x8a2e,0x370,0x7334};
+        int[] expected = new int[]{0, 0, 0, 0, 0, 0x8a2e, 0x370, 0x7334};
         IPv6Address adr = IPv6Address.valueOf("::8a2e:370:7334");
-        for ( int i=0; i<8; i++ ) {
+        for (int i = 0; i < 8; i++) {
             assertEquals("At index " + i + ": expecting " + expected[i] + ", got " + adr.get(i),
-                         expected[i], adr.get(i));
+                    expected[i], adr.get(i));
         }
-        
-        expected = new int[]{0,0,0,0,0,0,0,0x7334};
+
+        expected = new int[]{0, 0, 0, 0, 0, 0, 0, 0x7334};
         adr = IPv6Address.valueOf("::7334");
         System.out.println("adr = " + adr);
-        for ( int i=0; i<8; i++ ) {
+        for (int i = 0; i < 8; i++) {
             assertEquals("At index " + i + ": expecting " + expected[i] + ", got " + adr.get(i),
-                         expected[i], adr.get(i));
+                    expected[i], adr.get(i));
         }
     }
-    
+
     @Test
     public void testValueOfWithExpansionZerosAtEnd() {
-        int[] expected = new int[]{0x2001,0x8a2e,0,0,0,0,0,0};
+        int[] expected = new int[]{0x2001, 0x8a2e, 0, 0, 0, 0, 0, 0};
         IPv6Address adr = IPv6Address.valueOf("2001:8a2e::");
-        for ( int i=0; i<8; i++ ) {
+        for (int i = 0; i < 8; i++) {
             assertEquals("At index " + i + ": expecting " + expected[i] + ", got " + adr.get(i),
-                         expected[i], adr.get(i));
+                    expected[i], adr.get(i));
         }
-        
-        expected = new int[]{0x1337,0,0,0,0,0,0,0};
+
+        expected = new int[]{0x1337, 0, 0, 0, 0, 0, 0, 0};
         adr = IPv6Address.valueOf("1337::");
-        for ( int i=0; i<8; i++ ) {
+        for (int i = 0; i < 8; i++) {
             assertEquals("At index " + i + ": expecting " + expected[i] + ", got " + adr.get(i),
-                         expected[i], adr.get(i));
+                    expected[i], adr.get(i));
         }
     }
-    
-    
+
     @Test
     public void testValueOfWithExpansionSpecialCases() {
-        int[] expected = new int[]{0,0,0,0,0,0,0,0};
+        int[] expected = new int[]{0, 0, 0, 0, 0, 0, 0, 0};
         IPv6Address adr = IPv6Address.valueOf("::");
         System.out.println("adr = " + adr);
-        for ( int i=0; i<8; i++ ) {
+        for (int i = 0; i < 8; i++) {
             assertEquals("At index " + i + ": expecting " + expected[i] + ", got " + adr.get(i),
-                         expected[i], adr.get(i));
+                    expected[i], adr.get(i));
         }
-        
-        expected = new int[]{0,0,0,0,0,0,0,1};
+
+        expected = new int[]{0, 0, 0, 0, 0, 0, 0, 1};
         adr = IPv6Address.valueOf("::1");
-        for ( int i=0; i<8; i++ ) {
+        for (int i = 0; i < 8; i++) {
             assertEquals("At index " + i + ": expecting " + expected[i] + ", got " + adr.get(i),
-                         expected[i], adr.get(i));
+                    expected[i], adr.get(i));
         }
     }
-    
+
     @Test
     public void testLocalhostness() {
-        assertTrue( IPv6Address.valueOf("::1").isLocalhost() );
-        assertFalse( IPv6Address.valueOf("fff::1").isLocalhost() );
+        assertTrue(IPv6Address.valueOf("::1").isLocalhost());
+        assertFalse(IPv6Address.valueOf("fff::1").isLocalhost());
     }
-    
-    @Test( expected=IllegalArgumentException.class )
+
+    @Test(expected = IllegalArgumentException.class)
     public void testIllegalLength() {
         IPv6Address.valueOf("0:1:2:3");
     }
-    
-    @Test( expected=IllegalArgumentException.class )
+
+    @Test(expected = IllegalArgumentException.class)
     public void testIllegalLengthPrefix() {
         IPv6Address.valueOf(":1:2:3");
     }
-    
-    @Test( expected=IllegalArgumentException.class )
+
+    @Test(expected = IllegalArgumentException.class)
     public void testIllegalLengthSuffix() {
         IPv6Address.valueOf("1:2:3:");
     }
-    
-    @Test( expected=IllegalArgumentException.class )
+
+    @Test(expected = IllegalArgumentException.class)
     public void testIllegalNumber() {
         IPv6Address.valueOf("::xxx");
     }
-    
+
     @Test
     public void testCompareTo() {
         IPv6Address[] expected = new IPv6Address[]{
-                IPv6Address.valueOf("::"),
-                IPv6Address.valueOf("::1"),
-                IPv6Address.valueOf("::2"),
-                IPv6Address.valueOf("::1:0"),
-                IPv6Address.valueOf("::1:1"),
-                IPv6Address.valueOf("1::")
+            IPv6Address.valueOf("::"),
+            IPv6Address.valueOf("::1"),
+            IPv6Address.valueOf("::2"),
+            IPv6Address.valueOf("::1:0"),
+            IPv6Address.valueOf("::1:1"),
+            IPv6Address.valueOf("1::")
         };
-        
-        IPv6Address[] scrambled = new IPv6Address[]{expected[5], expected[4], expected[3], expected[2],expected[0],expected[1]};
+
+        IPv6Address[] scrambled = new IPv6Address[]{expected[5], expected[4], expected[3], expected[2], expected[0], expected[1]};
         Arrays.sort(scrambled);
-        assertArrayEquals( expected, scrambled );
+        assertArrayEquals(expected, scrambled);
     }
-    
+
     @Test
     public void testLongRoundTrips() {
-        for ( String s: Arrays.asList("a:b:c:d:e:f::1","::","::1","ff:ff:ff:ff:ff:ff:ff:ff",
+        for (String s : Arrays.asList("a:b:c:d:e:f::1", "::", "::1", "ff:ff:ff:ff:ff:ff:ff:ff",
                 "fe80::8358:c945:7094:2e6c",
-                "fe80::60d0:6eff:fece:7713","ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff") ) {
+                "fe80::60d0:6eff:fece:7713", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")) {
             IPv6Address addr = IPv6Address.valueOf(s);
             assertEquals("Bad roundtrip on address: " + s,
                     addr, new IPv6Address(addr.toLongArray()));
         }
     }
-    
+
     @Test
     public void testInclusionAbove() {
-        IPv6Range r = new IPv6Range( IPv6Address.valueOf("dd:2:2:2:2:2:2:2"),
-                                     IPv6Address.valueOf("dd:a:a:a:a:a:a:a"));
-        for ( String addr : Arrays.asList("df:a:a:a:a:a:a:a","dd:b:a:a:a:a:a:a",
-                                            "dd:a:b:a:a:a:a:a","dd:a:a:b:a:a:a:a",
-                                            "dd:a:a:a:b:a:a:a","dd:a:a:a:a:b:a:a",
-                                            "dd:a:a:a:a:a:b:a","dd:a:a:a:a:a:a:b") ) {
+        IPv6Range r = new IPv6Range(IPv6Address.valueOf("dd:2:2:2:2:2:2:2"),
+                IPv6Address.valueOf("dd:a:a:a:a:a:a:a"));
+        for (String addr : Arrays.asList("df:a:a:a:a:a:a:a", "dd:b:a:a:a:a:a:a",
+                "dd:a:b:a:a:a:a:a", "dd:a:a:b:a:a:a:a",
+                "dd:a:a:a:b:a:a:a", "dd:a:a:a:a:b:a:a",
+                "dd:a:a:a:a:a:b:a", "dd:a:a:a:a:a:a:b")) {
             IPv6Address ipv6 = IPv6Address.valueOf(addr);
-        assertFalse( r.contains(ipv6) );
-        assertTrue("for address " + ipv6, above(ipv6.toLongArray(),
-                                                r.getTop().toLongArray()));
-        assertFalse("for address " + ipv6, between(r.getBottom().toLongArray(),
-                                                   r.getTop().toLongArray(),
-                                                   ipv6.toLongArray()));
-        
-    }
-   }
-   
+            assertFalse(r.contains(ipv6));
+            assertTrue("for address " + ipv6, above(ipv6.toLongArray(),
+                    r.getTop().toLongArray()));
+            assertFalse("for address " + ipv6, between(r.getBottom().toLongArray(),
+                    r.getTop().toLongArray(),
+                    ipv6.toLongArray()));
+
+        }
+    }
+
     @Test
     public void testInclusionBelow() {
-        IPv6Range r = new IPv6Range( IPv6Address.valueOf("dd:2:2:2:2:2:2:2"),
-                                     IPv6Address.valueOf("dd:a:a:a:a:a:a:a"));
-        for ( String addr : Arrays.asList("dc:2:2:2:2:2:2:2","dd:1:2:2:2:2:2:2",
-                                          "dd:2:1:2:2:2:2:2","dd:2:2:1:2:2:2:2",
-                                          "dd:2:2:2:1:2:2:2","dd:2:2:2:2:1:2:2",
-                                          "dd:2:2:2:2:2:1:2","dd:2:2:2:2:2:2:1") ) {
+        IPv6Range r = new IPv6Range(IPv6Address.valueOf("dd:2:2:2:2:2:2:2"),
+                IPv6Address.valueOf("dd:a:a:a:a:a:a:a"));
+        for (String addr : Arrays.asList("dc:2:2:2:2:2:2:2", "dd:1:2:2:2:2:2:2",
+                "dd:2:1:2:2:2:2:2", "dd:2:2:1:2:2:2:2",
+                "dd:2:2:2:1:2:2:2", "dd:2:2:2:2:1:2:2",
+                "dd:2:2:2:2:2:1:2", "dd:2:2:2:2:2:2:1")) {
             IPv6Address ipv6 = IPv6Address.valueOf(addr);
-        assertFalse( r.contains(ipv6) );
-        
-        long[] bottomArr = r.getBottom().toLongArray();
-        long[] addrArr = ipv6.toLongArray();
-        
-        assertTrue("for address " + ipv6, above(bottomArr, addrArr));
-        assertFalse("for address " + ipv6, between(bottomArr,
-                                                   r.getTop().toLongArray(), addrArr));
-        
-    }
-   }
-    
+            assertFalse(r.contains(ipv6));
+
+            long[] bottomArr = r.getBottom().toLongArray();
+            long[] addrArr = ipv6.toLongArray();
+
+            assertTrue("for address " + ipv6, above(bottomArr, addrArr));
+            assertFalse("for address " + ipv6, between(bottomArr,
+                    r.getTop().toLongArray(), addrArr));
+
+        }
+    }
+
     @Test
     public void testNetworkInterfaceIgnore() {
-        assertEquals( IPv6Address.valueOf("fe80:0:0:0:0:0:0:1%1]]"),
-                      IPv6Address.valueOf("fe80:0:0:0:0:0:0:1"));
+        assertEquals(IPv6Address.valueOf("fe80:0:0:0:0:0:0:1%1]]"),
+                IPv6Address.valueOf("fe80:0:0:0:0:0:0:1"));
     }
     
-    public boolean above( long[] top, long[] addr ) {
-        return top[0]>addr[0]
-                || ( top[0]==addr[0] && top[1]>addr[1] )
-                || ( top[0]==addr[0] && top[1]==addr[1] && top[2]>addr[2] )
-                || ( top[0]==addr[0] && top[1]==addr[1] && top[2]==addr[2] && top[3]>=addr[3] );
-    }
-   public boolean between( long[] bottom, long[] top, long[] addr ) {
-       return above( top, addr ) && above(addr, bottom);
-   }
+    @Test
+    public void testEquals() {
+        IPv6Address sut = IPv6Address.valueOf("ff:ff:12:23:34::0");
+        assertEquals( sut, sut );
+        assertFalse( sut.equals(null) );
+        assertFalse( sut.equals(IPv4Address.valueOf("12.23.34.54")) );
+        assertFalse( sut.equals(IPv6Address.valueOf("1:2:3:4::0")));
+    }
+
+    public boolean above(long[] top, long[] addr) {
+        return top[0] > addr[0]
+                || (top[0] == addr[0] && top[1] > addr[1])
+                || (top[0] == addr[0] && top[1] == addr[1] && top[2] > addr[2])
+                || (top[0] == addr[0] && top[1] == addr[1] && top[2] == addr[2] && top[3] >= addr[3]);
+    }
+
+    public boolean between(long[] bottom, long[] top, long[] addr) {
+        return above(top, addr) && above(addr, bottom);
+    }
+    
+    
 }
diff --git a/src/test/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IpAddressRangeTest.java b/src/test/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IpAddressRangeTest.java
index fb255692a53..f232b713640 100644
--- a/src/test/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IpAddressRangeTest.java
+++ b/src/test/java/edu/harvard/iq/dataverse/authorization/groups/impl/ipaddress/ip/IpAddressRangeTest.java
@@ -1,11 +1,5 @@
 package edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip;
 
-import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IPv4Range;
-import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IPv6Address;
-import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IPv6Range;
-import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IpAddress;
-import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IPv4Address;
-import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IpAddressRange;
 import org.junit.Test;
 import static org.junit.Assert.*;
 
@@ -78,6 +72,15 @@ public void testIPv4NotApplicable() {
                 );
     }
     
+    @Test
+    public void testSingleAddress() {
+        assertTrue( new IPv4Range( IPv4Address.valueOf("127.5.5.5"), IPv4Address.valueOf("127.5.5.5")).isSingleAddress() );
+        assertFalse( new IPv4Range( IPv4Address.valueOf("17.5.5.5"), IPv4Address.valueOf("127.5.5.5")).isSingleAddress() );
+        
+        assertTrue( new IPv6Range( IPv6Address.valueOf("::1:1"), IPv6Address.valueOf("::1:1")).isSingleAddress() );
+        assertFalse( new IPv6Range( IPv6Address.valueOf("::1:1"), IPv6Address.valueOf("::1:2")).isSingleAddress() );
+    }
+    
     public void testRange( Boolean expected, IpAddressRange range, IpAddress... addresses ) {
         for ( IpAddress ipa : addresses ) {
             assertEquals( "Testing " + ipa + " in " + range, expected, range.contains(ipa));
diff --git a/src/test/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailUtilTest.java b/src/test/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailUtilTest.java
new file mode 100644
index 00000000000..5a2a13bbbd9
--- /dev/null
+++ b/src/test/java/edu/harvard/iq/dataverse/confirmemail/ConfirmEmailUtilTest.java
@@ -0,0 +1,42 @@
+package edu.harvard.iq.dataverse.confirmemail;
+
+import java.sql.Timestamp;
+import static org.junit.Assert.assertEquals;
+import org.junit.Test;
+
+public class ConfirmEmailUtilTest {
+
+    @Test
+    public void testFriendlyExpirationTime() {
+        ConfirmEmailUtil confirmEmailUtil = new ConfirmEmailUtil();
+        System.out.println("Friendly expiration timestamp / measurement test");
+        System.out.println("1440 Minutes: " + confirmEmailUtil.friendlyExpirationTime(1440));
+        assertEquals("24 hours", ConfirmEmailUtil.friendlyExpirationTime(1440));
+        System.out.println("60 Minutes: " + confirmEmailUtil.friendlyExpirationTime(60));
+        assertEquals("1 hour", ConfirmEmailUtil.friendlyExpirationTime(60));
+        System.out.println("30 Minutes: " + confirmEmailUtil.friendlyExpirationTime(30));
+        assertEquals("30 minutes", ConfirmEmailUtil.friendlyExpirationTime(30));
+        System.out.println("90 Minutes: " + confirmEmailUtil.friendlyExpirationTime(90));
+        assertEquals("1.5 hours", confirmEmailUtil.friendlyExpirationTime(90));
+        System.out.println("2880 minutes: " + confirmEmailUtil.friendlyExpirationTime(2880));
+        assertEquals("48 hours", confirmEmailUtil.friendlyExpirationTime(2880));
+        System.out.println("150 minutes: " + confirmEmailUtil.friendlyExpirationTime(150));
+        assertEquals("2.5 hours", confirmEmailUtil.friendlyExpirationTime(150));
+        System.out.println("165 minutes: " + confirmEmailUtil.friendlyExpirationTime(165));
+        assertEquals("2.75 hours", confirmEmailUtil.friendlyExpirationTime(165));
+        System.out.println("1 Minute: " + confirmEmailUtil.friendlyExpirationTime(1));
+        assertEquals("1 minute", confirmEmailUtil.friendlyExpirationTime(1));
+        System.out.println();
+    }
+
+    @Test
+    public void testGrandfatheredTime() {
+        ConfirmEmailUtil confirmEmailUtil = new ConfirmEmailUtil();
+        System.out.println();
+        System.out.println("Grandfathered account timestamp test");
+        System.out.println("Grandfathered Time (y2k): " + confirmEmailUtil.getGrandfatheredTime());
+        assertEquals(Timestamp.valueOf("2000-01-01 00:00:00.0"), confirmEmailUtil.getGrandfatheredTime());
+        System.out.println();
+    }
+
+}
diff --git a/src/test/java/edu/harvard/iq/dataverse/engine/command/impl/CreateDataverseCommandTest.java b/src/test/java/edu/harvard/iq/dataverse/engine/command/impl/CreateDataverseCommandTest.java
index f429a4f3815..9db03cb7a99 100644
--- a/src/test/java/edu/harvard/iq/dataverse/engine/command/impl/CreateDataverseCommandTest.java
+++ b/src/test/java/edu/harvard/iq/dataverse/engine/command/impl/CreateDataverseCommandTest.java
@@ -201,7 +201,7 @@ public void testDefaultOptions() throws CommandException {
         dv.setCreator(null);
         dv.setDefaultContributorRole(null);
         dv.setOwner( makeDataverse() );
-        final DataverseRequest request = makeRequest();
+        final DataverseRequest request = makeRequest(makeAuthenticatedUser("jk", "rollin'"));
         
         CreateDataverseCommand sut = new CreateDataverseCommand(dv, request, null, null);
         Dataverse result = engine.submit(sut);
diff --git a/src/test/java/edu/harvard/iq/dataverse/engine/command/impl/UpdatePermissionRootCommandTest.java b/src/test/java/edu/harvard/iq/dataverse/engine/command/impl/UpdatePermissionRootCommandTest.java
index f20a45ac751..c60bac05ee8 100644
--- a/src/test/java/edu/harvard/iq/dataverse/engine/command/impl/UpdatePermissionRootCommandTest.java
+++ b/src/test/java/edu/harvard/iq/dataverse/engine/command/impl/UpdatePermissionRootCommandTest.java
@@ -7,24 +7,10 @@
 import edu.harvard.iq.dataverse.engine.TestCommandContext;
 import edu.harvard.iq.dataverse.engine.TestDataverseEngine;
 import edu.harvard.iq.dataverse.engine.command.exception.CommandException;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
 import org.junit.Before;
 import org.junit.Test;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
 
 /**
  *
diff --git a/src/test/java/edu/harvard/iq/dataverse/mocks/MockExplicitGroupService.java b/src/test/java/edu/harvard/iq/dataverse/mocks/MockExplicitGroupService.java
new file mode 100644
index 00000000000..ba64582fc29
--- /dev/null
+++ b/src/test/java/edu/harvard/iq/dataverse/mocks/MockExplicitGroupService.java
@@ -0,0 +1,32 @@
+package edu.harvard.iq.dataverse.mocks;
+
+import edu.harvard.iq.dataverse.authorization.RoleAssignee;
+import edu.harvard.iq.dataverse.authorization.groups.impl.explicit.ExplicitGroup;
+import edu.harvard.iq.dataverse.authorization.groups.impl.explicit.ExplicitGroupServiceBean;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+import static java.util.stream.Collectors.toSet;
+
+/**
+ *
+ * @author michael
+ */
+public class MockExplicitGroupService extends ExplicitGroupServiceBean {
+    
+    private Map<Long, ExplicitGroup> groups = new HashMap<>();
+    
+    public ExplicitGroup registerGroup( ExplicitGroup grp ) {
+        groups.put(grp.getId(), grp);
+        return grp;
+    }
+
+    @Override
+    public Set<ExplicitGroup> findDirectlyContainingGroups(RoleAssignee ra) {
+        return groups.values().stream()
+                .filter( g -> g.getDirectMembers().contains(ra) )
+                .collect(toSet());
+    }
+    
+    
+}
diff --git a/src/test/java/edu/harvard/iq/dataverse/mocks/MockRoleAssigneeServiceBean.java b/src/test/java/edu/harvard/iq/dataverse/mocks/MockRoleAssigneeServiceBean.java
new file mode 100644
index 00000000000..07ed882a543
--- /dev/null
+++ b/src/test/java/edu/harvard/iq/dataverse/mocks/MockRoleAssigneeServiceBean.java
@@ -0,0 +1,44 @@
+package edu.harvard.iq.dataverse.mocks;
+
+import edu.harvard.iq.dataverse.RoleAssigneeServiceBean;
+import edu.harvard.iq.dataverse.authorization.RoleAssignee;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ *
+ * @author michael
+ */
+public class MockRoleAssigneeServiceBean extends RoleAssigneeServiceBean {
+    
+    Map<String, RoleAssignee> assignees = new HashMap<>();
+    
+    public <T extends RoleAssignee> T add (T ra ) {
+        assignees.put(ra.getIdentifier(), ra);
+        return ra;
+    }
+    
+    @Override
+    public RoleAssignee getRoleAssignee(String identifier) {
+        if ( predefinedRoleAssignees.isEmpty() ) {
+            setup();
+        }
+        
+        if (identifier == null || identifier.isEmpty()) {
+            throw new IllegalArgumentException("Identifier cannot be null or empty string.");
+        }
+        switch (identifier.charAt(0)) {
+            case ':':
+                return predefinedRoleAssignees.get(identifier);
+            case '@':
+                return assignees.get(identifier);
+            case '&':
+                return assignees.get(identifier);
+            case '#':
+                throw new IllegalArgumentException("private url users not supported in test - it might be easy to add, though.");
+            default:
+                throw new IllegalArgumentException("Unsupported assignee identifier '" + identifier + "'");
+        }
+    }
+    
+}
diff --git a/src/test/java/edu/harvard/iq/dataverse/mocks/MocksFactory.java b/src/test/java/edu/harvard/iq/dataverse/mocks/MocksFactory.java
index 85995ce37f0..82730f92bbf 100644
--- a/src/test/java/edu/harvard/iq/dataverse/mocks/MocksFactory.java
+++ b/src/test/java/edu/harvard/iq/dataverse/mocks/MocksFactory.java
@@ -13,8 +13,12 @@
 import edu.harvard.iq.dataverse.MetadataBlock;
 import edu.harvard.iq.dataverse.authorization.DataverseRole;
 import edu.harvard.iq.dataverse.authorization.Permission;
+import edu.harvard.iq.dataverse.authorization.groups.impl.explicit.ExplicitGroup;
+import edu.harvard.iq.dataverse.authorization.groups.impl.explicit.ExplicitGroupProvider;
 import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IpAddress;
 import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
+import edu.harvard.iq.dataverse.authorization.users.GuestUser;
+import edu.harvard.iq.dataverse.authorization.users.User;
 import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
 import java.sql.Timestamp;
 import java.time.LocalDate;
@@ -22,7 +26,6 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Date;
-import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Random;
@@ -98,8 +101,15 @@ public static AuthenticatedUser makeAuthenticatedUser( String firstName, String
         return user;
     }
     
+    /**
+     * @return A request with a guest user.
+     */
     public static DataverseRequest makeRequest() {
-        return new DataverseRequest( makeAuthenticatedUser("Jane", "Doe"), IpAddress.valueOf("215.0.2.17") );
+        return makeRequest( GuestUser.get() );
+    }
+    
+    public static DataverseRequest makeRequest( User u ) {
+        return new DataverseRequest( u, IpAddress.valueOf("1.2.3.4") );
     }
     
     public static Dataverse makeDataverse() {
@@ -210,4 +220,19 @@ public static DataverseFieldTypeInputLevel makeDataverseFieldTypeInputLevel( Dat
         
         return retVal;
     }
+    
+    public static ExplicitGroup makeExplicitGroup( String name, ExplicitGroupProvider prv ) {
+        long id = nextId();
+        ExplicitGroup eg = new ExplicitGroup(prv);
+        
+        eg.setId(id);
+        eg.setDisplayName( name==null ? "explicitGroup-" + id : name );
+        eg.setGroupAliasInOwner("eg" + id);
+        
+        return eg;
+    }
+    
+    public static ExplicitGroup makeExplicitGroup( ExplicitGroupProvider prv ) {
+        return makeExplicitGroup(null, prv);
+    }
 }
diff --git a/src/test/java/edu/harvard/iq/dataverse/util/BitSetTest.java b/src/test/java/edu/harvard/iq/dataverse/util/BitSetTest.java
index f161774ee4b..5aa37e8b05c 100644
--- a/src/test/java/edu/harvard/iq/dataverse/util/BitSetTest.java
+++ b/src/test/java/edu/harvard/iq/dataverse/util/BitSetTest.java
@@ -4,7 +4,9 @@
 
 package edu.harvard.iq.dataverse.util;
 
+import java.util.Arrays;
 import java.util.EnumSet;
+import java.util.List;
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
@@ -53,7 +55,19 @@ public void testSet() {
 			assertTrue( sut.isSet(i) );
 		}
 	}
-
+    
+    @Test
+    public void testSetByParameter() {
+        BitSet tSut = BitSet.emptySet();
+        List<Integer> indices = Arrays.asList(0,1,4,6,7,8,20,31);
+        indices.forEach( i -> assertFalse(tSut.isSet(i)) );
+        indices.forEach( i -> tSut.set(i,true) );
+        indices.forEach( i -> assertTrue(tSut.isSet(i)) );
+        indices.forEach( i -> tSut.set(i,false) );
+        indices.forEach( i -> assertFalse(tSut.isSet(i)) );
+        assertTrue( tSut.isEmpty() );
+    }
+    
 	/**
 	 * Test of unset method, of class BitSet.
 	 */
diff --git a/src/test/java/edu/harvard/iq/dataverse/util/BundleUtilTest.java b/src/test/java/edu/harvard/iq/dataverse/util/BundleUtilTest.java
index bb58deb3030..b5682e82b06 100644
--- a/src/test/java/edu/harvard/iq/dataverse/util/BundleUtilTest.java
+++ b/src/test/java/edu/harvard/iq/dataverse/util/BundleUtilTest.java
@@ -65,7 +65,8 @@ public void testGetStringFromBundleWithArguments() {
                         Arrays.asList(BundleUtil.getStringFromBundle("shib.welcomeExistingUserMessageDefaultInstitution"))));
         assertEquals("Welcome to Root Dataverse! Get started by adding or finding data. "
                 + "Have questions? Check out the <a href=\"http://guides.dataverse.org/en/4.3/user/index.html\">User Guide</a>."
-                + " Want to test out Dataverse features? Use our <a href=\"https://demo.dataverse.org\">Demo Site</a>.",
+                + " Want to test out Dataverse features? Use our <a href=\"https://demo.dataverse.org\">Demo Site</a>."
+                + " Also, check for your welcome email to verify your address.",
                 BundleUtil.getStringFromBundle("notification.welcome",
                         Arrays.asList("Root", "<a href=\"http://guides.dataverse.org/en/4.3/user/index.html\">User Guide</a>", "<a href=\"https://demo.dataverse.org\">Demo Site</a>")));
     }
diff --git a/src/test/java/edu/harvard/iq/dataverse/util/CollectionLiterals.java b/src/test/java/edu/harvard/iq/dataverse/util/CollectionLiterals.java
new file mode 100644
index 00000000000..60f710efbf0
--- /dev/null
+++ b/src/test/java/edu/harvard/iq/dataverse/util/CollectionLiterals.java
@@ -0,0 +1,21 @@
+package edu.harvard.iq.dataverse.util;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * 
+ * @author michael
+ */
+public class CollectionLiterals {
+    
+    public static <T> Set<T> setOf( T... args ) {
+        return new HashSet<>(Arrays.asList(args));
+    }
+    
+    public static <T> List<T> listOf( T... args ) {
+        return Arrays.asList(args);
+    }
+}
diff --git a/src/test/java/edu/harvard/iq/dataverse/util/StringUtilTest.java b/src/test/java/edu/harvard/iq/dataverse/util/StringUtilTest.java
index 981005e85b6..3281c23a74f 100644
--- a/src/test/java/edu/harvard/iq/dataverse/util/StringUtilTest.java
+++ b/src/test/java/edu/harvard/iq/dataverse/util/StringUtilTest.java
@@ -113,4 +113,10 @@ public void testHtml2Text() {
         assertEquals(StringUtil.htmlArray2textArray(Arrays.asList("be <b>bold</b>!")), Arrays.asList("be bold!"));
         assertEquals(StringUtil.htmlArray2textArray(null), Collections.emptyList());
     }
+    
+    @Test
+    public void testNullToEmpty() {
+        assertEquals( "hello", StringUtil.nullToEmpty("hello") );
+        assertEquals( "", StringUtil.nullToEmpty(null) );
+    }
 }
diff --git a/src/test/java/edu/harvard/iq/dataverse/util/json/JsonParserTest.java b/src/test/java/edu/harvard/iq/dataverse/util/json/JsonParserTest.java
index 8a6b945a710..ed5a07f1f11 100644
--- a/src/test/java/edu/harvard/iq/dataverse/util/json/JsonParserTest.java
+++ b/src/test/java/edu/harvard/iq/dataverse/util/json/JsonParserTest.java
@@ -14,8 +14,13 @@
 import edu.harvard.iq.dataverse.DatasetFieldValue;
 import edu.harvard.iq.dataverse.DatasetVersion;
 import edu.harvard.iq.dataverse.Dataverse;
-import edu.harvard.iq.dataverse.DataverseTheme;
 import edu.harvard.iq.dataverse.DataverseTheme.Alignment;
+import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.IpGroup;
+import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.IpGroupProvider;
+import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IpAddress;
+import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.ip.IpAddressRange;
+import edu.harvard.iq.dataverse.authorization.users.GuestUser;
+import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
 import edu.harvard.iq.dataverse.settings.SettingsServiceBean;
 import java.io.IOException;
 import java.io.InputStream;
@@ -425,7 +430,92 @@ public void testParseOvercompleteDatasetVersion() throws JsonParseException, IOE
             DatasetVersion actual = sut.parseDatasetVersion(dsJson);
         }
     }
-
+    
+    @Test
+    public void testIpGroupRoundTrip() {
+        
+        IpGroup original = new IpGroup();
+        original.setDescription("Ip group description");
+        original.setDisplayName("Test-ip-group");
+        original.setId(42l);
+        original.setPersistedGroupAlias("test-ip-group");
+        original.setGroupProvider( new IpGroupProvider(null) );
+        
+        original.add( IpAddressRange.make(IpAddress.valueOf("1.2.1.1"), IpAddress.valueOf("1.2.1.10")) );
+        original.add( IpAddressRange.make(IpAddress.valueOf("1.1.1.1"), IpAddress.valueOf("1.1.1.1")) );
+        original.add( IpAddressRange.make(IpAddress.valueOf("1:2:3::4:5"), IpAddress.valueOf("1:2:3::4:5")) );
+        original.add( IpAddressRange.make(IpAddress.valueOf("1:2:3::3:ff"), IpAddress.valueOf("1:2:3::3:5")) );
+        
+        JsonObject serialized = JsonPrinter.json(original).build();
+        
+        System.out.println( serialized.toString() );
+        
+        IpGroup parsed = new JsonParser().parseIpGroup(serialized);
+        
+        assertEquals( original, parsed );
+        
+    }
+    
+    @Test
+    public void testIpGroupRoundTrip_singleIpv4Address() {
+        
+        IpGroup original = new IpGroup();
+        original.setDescription("Ip group description");
+        original.setDisplayName("Test-ip-group");
+        original.setId(42l);
+        original.setPersistedGroupAlias("test-ip-group");
+        original.setGroupProvider( new IpGroupProvider(null) );
+        
+        original.add( IpAddressRange.make(IpAddress.valueOf("1.1.1.1"), IpAddress.valueOf("1.1.1.1")) );
+        
+        JsonObject serialized = JsonPrinter.json(original).build();
+        
+        System.out.println( serialized.toString() );
+        
+        IpGroup parsed = new JsonParser().parseIpGroup(serialized);
+        
+        assertEquals( original, parsed );
+        assertTrue( parsed.contains( new DataverseRequest(GuestUser.get(), IpAddress.valueOf("1.1.1.1")) ));
+        assertFalse( parsed.contains( new DataverseRequest(GuestUser.get(), IpAddress.valueOf("1.1.1.2")) ));
+        assertFalse( parsed.contains( new DataverseRequest(GuestUser.get(), IpAddress.valueOf("1.1.2.1")) ));
+        assertFalse( parsed.contains( new DataverseRequest(GuestUser.get(), IpAddress.valueOf("1.1.1.0")) ));
+        assertFalse( parsed.contains( new DataverseRequest(GuestUser.get(), IpAddress.valueOf("1.1.1.250")) ));
+        assertFalse( parsed.contains( new DataverseRequest(GuestUser.get(), IpAddress.valueOf("1.2.1.1")) ));
+        assertFalse( parsed.contains( new DataverseRequest(GuestUser.get(), IpAddress.valueOf("2.1.1.1")) ));
+        assertFalse( parsed.contains( new DataverseRequest(GuestUser.get(), IpAddress.valueOf("fe80::22c9:d0ff:fe48:ce61")) ));
+        
+    }
+    
+    @Test
+    public void testIpGroupRoundTrip_singleIpv6Address() {
+        
+        IpGroup original = new IpGroup();
+        original.setDescription("Ip group description");
+        original.setDisplayName("Test-ip-group");
+        original.setId(42l);
+        original.setPersistedGroupAlias("test-ip-group");
+        original.setGroupProvider( new IpGroupProvider(null) );
+        
+        original.add( IpAddressRange.make(IpAddress.valueOf("fe80::22c9:d0ff:fe48:ce61"),
+                                          IpAddress.valueOf("fe80::22c9:d0ff:fe48:ce61")) );
+        
+        JsonObject serialized = JsonPrinter.json(original).build();
+        
+        System.out.println( serialized.toString() );
+        
+        IpGroup parsed = new JsonParser().parseIpGroup(serialized);
+        
+        assertEquals( original, parsed );
+        assertTrue( parsed.contains( new DataverseRequest(GuestUser.get(), IpAddress.valueOf("fe80::22c9:d0ff:fe48:ce61")) ));
+        assertFalse( parsed.contains( new DataverseRequest(GuestUser.get(), IpAddress.valueOf("fe80::22c9:d0ff:fe48:ce60")) ));
+        assertFalse( parsed.contains( new DataverseRequest(GuestUser.get(), IpAddress.valueOf("fe80::22c9:d0ff:fe48:ce62")) ));
+        assertFalse( parsed.contains( new DataverseRequest(GuestUser.get(), IpAddress.valueOf("fe80::22c9:d0ff:fe47:ce61")) ));
+        assertFalse( parsed.contains( new DataverseRequest(GuestUser.get(), IpAddress.valueOf("fe80::22c9:d0af:fe48:ce61")) ));
+        assertFalse( parsed.contains( new DataverseRequest(GuestUser.get(), IpAddress.valueOf("fe79::22c9:d0ff:fe48:ce61")) ));
+        assertFalse( parsed.contains( new DataverseRequest(GuestUser.get(), IpAddress.valueOf("2.1.1.1")) ));
+        
+    }
+    
     JsonObject json( String s ) {
         return Json.createReader( new StringReader(s) ).readObject();
     }