diff --git a/README.md b/README.md
index f4f0a4a..86a8e6f 100644
--- a/README.md
+++ b/README.md
@@ -201,11 +201,15 @@ Either deviceName or deviceCategory can be specified (or both). Wildcards are su
 1. The percent sign % wildcard matches any sequence of zero or more characters.
 2. The underscore _ wildcard matches any single character.
+#### Search by device name
+
 GET `/api/secret/retrieve/name/`
 Search for a secret specified by deviceName using a GET request. Must be logged in to execute this command. Only secrets registered with the current user's RoleId can be retrieved.
+#### Search by device category
+
 GET `/api/secret/retrieve/category/`
 Search for a secret specified by deviceCategory using a GET request.
@@ -229,4 +233,7 @@ Users with ReadOnly role will receive Forbidden error when calling this API endp
 #### List
 GET `/api/secret/list`
-Will generate a list of device names and categories but not secret data.
\ No newline at end of file
+Will generate a list of device names and categories but not secret data.
+
+## Database Schema
+![Diagram](www/database.png)
\ No newline at end of file
diff --git a/main.go b/main.go
index 975d0a2..b70b9fb 100644
--- a/main.go
+++ b/main.go
@@ -237,7 +237,6 @@ func main() {
 // Register our routes
 public := router.Group("/api")
 public.POST("/login", controllers.Login)
- //public.POST("/unlock", controllers.Unlock)
 // API calls that only an administrator can make
 adminOnly := router.Group("/api/admin")
@@ -245,11 +244,11 @@ func main() {
 adminOnly.POST("/user/delete", controllers.DeleteUser)
 adminOnly.POST("/user/register", controllers.RegisterUser) // TODO deprecate
 adminOnly.POST("/user/add", controllers.RegisterUser)
+ // TODO
+ //adminOnly.POST("/user/update", controllers.UpdateUser)
 adminOnly.GET("/roles", controllers.GetRoles)
 adminOnly.POST("/role/add", controllers.AddRole)
 adminOnly.GET("/users", controllers.GetUsers)
-
- // TODO Make unlock an admin only function
 adminOnly.POST("/unlock", controllers.Unlock)
 // Get secrets
diff --git a/models/setup.go b/models/setup.go
index 871af2f..b51e4aa 100644
--- a/models/setup.go
+++ b/models/setup.go
@@ -20,6 +20,8 @@ const (
 sqlFile = "smt.db"
 )
+// TODO drop LdapGroup column
+
 const createRoles string = `
 CREATE TABLE IF NOT EXISTS roles (
 RoleId INTEGER PRIMARY KEY ASC,
@@ -33,24 +35,54 @@ const createRoles string = `
 const createUsers string = `
 CREATE TABLE IF NOT EXISTS users (
 UserId INTEGER PRIMARY KEY ASC,
- RoleId INTEGER,
+ GroupId INTEGER,
 UserName VARCHAR,
 Password VARCHAR,
 LdapUser BOOLEAN DEFAULT 0,
 LdapDN VARCHAR DEFAULT '',
- FOREIGN KEY (RoleId) REFERENCES roles(RoleId)
+ FOREIGN KEY (GroupId) REFERENCES groups(GroupId)
+ );
+`
+
+const createSafes string = `
+ CREATE TABLE IF NOT EXSITS safes (
+ SafeId INTEGER PRIMARY KEY ASC,
+ SafeName VARCHAR
+ );
+`
+
+const createGroups string = `
+ CREATE TABLE IF NOT EXISTS groups (
+ GroupId INTEGER PRIMARY KEY ASC,
+ GroupName VARCHAR,
+ LdapGroup BOOLEAN DEFAULT 0,
+ LdapDN VARCHAR DEFAULT ''
+ );
+`
+
+const createPermissions = `
+ CREATE TABLE IF NOT EXISTS permissions (
+ PermissionId INTEGER PRIMARY KEY ASC,
+ RoleId INTEGER,
+ SafeId INTEGER,
+ UserId INTEGER,
+ GroupId INTEGER,
+ FOREIGN KEY (RoleId) REFERENCES roles(RoleId),
+ FOREIGN KEY (SafeId) REFERENCES safes(SafeId),
+ FOREIGN KEY (UserId) REFERENCES users(UserId),
+ FOREIGN KEY (GroupId) REFERENCES groups(GroupId)
 );
 `
 const createSecrets string = `
 CREATE TABLE IF NOT EXISTS secrets (
 SecretId INTEGER PRIMARY KEY ASC,
- RoleId INTEGER,
+ SafeId INTEGER,
 DeviceName VARCHAR,
 DeviceCategory VARCHAR,
 UserName VARCHAR,
 Secret VARCHAR,
- FOREIGN KEY (RoleId) REFERENCES roles(RoleId)
+ FOREIGN KEY (SafeId) REFERENCES safes(SafeId)
 );
 `
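Review bot: `CREATE TABLE IF NOT EXSITS safes (` in createSafes is a SQL syntax error, so the `db.Exec(createSafes)` call that CreateTables makes in the later hunk will fail and the process exits on every fresh install before the secrets table is ever created; it should read `CREATE TABLE IF NOT EXISTS safes (`. The permissions table as declared accepts a row with both UserId and GroupId NULL (or both set) and no RoleId, so whichever query resolves a user's rights has to define what such a row grants; a table-level `CHECK ((UserId IS NULL) <> (GroupId IS NULL))` would make the intended one-subject-per-row grant explicit in the schema rather than in controller code. `const createPermissions = \`` also drops the explicit `string` type its sibling constants carry. The controllers that consume these tables are outside this diff, so whether secret retrieval now filters through permissions on SafeId rather than the removed users.RoleId cannot be checked here.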
@@ -143,11 +175,31 @@ func CreateTables() {
 os.Exit(1)
 }
 }
+
+ // Safes table
+ if _, err = db.Exec(createSafes); err != nil {
+ log.Printf("Error checking safes table : '%s'", err)
+ os.Exit(1)
+ }
+
 // Secrets table
 if _, err = db.Exec(createSecrets); err != nil {
 log.Printf("Error checking secrets table : '%s'", err)
 os.Exit(1)
 }
+
+ // groups table
+ if _, err = db.Exec(createGroups); err != nil {
+ log.Printf("Error checking groups table : '%s'", err)
+ os.Exit(1)
+ }
+
+ // permissions table
+ if _, err = db.Exec(createPermissions); err != nil {
+ log.Printf("Error checking permissions table : '%s'", err)
+ os.Exit(1)
+ }
+
 // Schema table should go last so we know if the database has a value in the schema table then everything was created properly
 if _, err = db.Exec(createSchema); err != nil {
 log.Printf("Error checking schema table : '%s'", err)
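Review bot: On a database created by the previous release the `secrets` and `users` tables already exist, so the `CREATE TABLE IF NOT EXISTS` statements executed here are no-ops and the new `SafeId` and `GroupId` columns never appear; only fresh installs get the schema in the constants, and the upgrade section later in this function drops a column but adds none. The earlier LDAP migration (removed in the next hunk) shows the pattern to reuse: guard with `CheckColumnExists("secrets", "SafeId")` and run `ALTER TABLE secrets ADD COLUMN SafeId INTEGER REFERENCES safes(SafeId);` (and the same for `users.GroupId`) when the check is false, so that both paths converge on one schema. The `// Safes table` block is also where the `EXSITS` typo in createSafes will surface as an exit, which would mask this problem during testing. CreateTables starts before this hunk and continues after it.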
@@ -167,34 +219,47 @@ func CreateTables() {
 os.Exit(1)
 }
- // Database updates added after initial version released
- ldapCheck, _ := CheckColumnExists("roles", "LdapGroup")
-
- if !ldapCheck {
- // Add the column for LdapGroup in the roles table
- _, err := db.Exec("ALTER TABLE roles ADD COLUMN LdapGroup VARCHAR DEFAULT '';")
+ // Remove users RoleId column
+ userRoleIdCheck, _ := CheckColumnExists("users", "RoleId")
+ if userRoleIdCheck {
+ _, err := db.Exec("ALTER TABLE users DROP COLUMN RoleId;")
 if err != nil {
- log.Printf("Error altering roles table to add LdapGroup column : '%s'\n", err)
+ log.Printf("Error altering users table to drop RoleId column : '%s'\n", err)
 os.Exit(1)
 }
 }
- // Add the two LDAP columns to the users table if they weren't there
- ldapUserCheck, _ := CheckColumnExists("users", "LdapUser")
- if !ldapUserCheck {
- log.Printf("CreateTables creating ldap columns in user table")
- _, err := db.Exec("ALTER TABLE users ADD COLUMN LdapUser BOOLEAN DEFAULT 0;")
- if err != nil {
- log.Printf("Error altering users table to add LdapUser column : '%s'\n", err)
- os.Exit(1)
+ /*
+ // Database updates added after initial version released
+ ldapCheck, _ := CheckColumnExists("roles", "LdapGroup")
+
+ if !ldapCheck {
+ // Add the column for LdapGroup in the roles table
+ _, err := db.Exec("ALTER TABLE roles ADD COLUMN LdapGroup VARCHAR DEFAULT '';")
+ if err != nil {
+ log.Printf("Error altering roles table to add LdapGroup column : '%s'\n", err)
+ os.Exit(1)
+ }
 }
- _, err = db.Exec("ALTER TABLE users ADD COLUMN LdapDN VARCHAR DEFAULT '';")
- if err != nil {
- log.Printf("Error altering users table to add LdapDN column : '%s'\n", err)
- os.Exit(1)
+ // Add the two LDAP columns to the users table if they weren't there
+ ldapUserCheck, _ := CheckColumnExists("users", "LdapUser")
+ if !ldapUserCheck {
+ log.Printf("CreateTables creating ldap columns in user table")
+ _, err := db.Exec("ALTER TABLE users ADD COLUMN LdapUser BOOLEAN DEFAULT 0;")
+ if err != 
nil {
+ log.Printf("Error altering users table to add LdapUser column : '%s'\n", err)
+ os.Exit(1)
+ }
+
+ _, err = db.Exec("ALTER TABLE users ADD COLUMN LdapDN VARCHAR DEFAULT '';")
+ if err != nil {
+ log.Printf("Error altering users table to add LdapDN column : '%s'\n", err)
+ os.Exit(1)
+ }
 }
- }
+ */
+ } // Count the number of records in the sqlite database
diff --git a/www/database.png b/www/database.png
new file mode 100644
index 0000000..c14fa81
Binary files /dev/null and b/www/database.png differ
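Review bot: `ALTER TABLE users DROP COLUMN RoleId;` will fail on every database created by the previous schema, because that column is named in the table's `FOREIGN KEY (RoleId) REFERENCES roles(RoleId)` constraint (visible in the removed createUsers text) and SQLite's DROP COLUMN rejects a column that is used in a foreign-key constraint; with the `os.Exit(1)` that follows, existing installs will refuse to start, and the linked SQLite must also be 3.35 or newer for DROP COLUMN to exist at all. The workable route is the table-rebuild SQLite documents: create users under a temporary name with the new definition, copy the rows across, drop the old table and rename. Doing that also exposes the access-control gap this hunk leaves open: RoleId was the only link between a user and the secrets it may read, and nothing here copies that mapping into the new permissions table before the column is dropped, so after an upgrade existing users either lose all access or, depending on how the retrieval controllers (not in this diff) treat a missing permission row, gain access they did not have — the migration should carry the old role assignment into permissions first and only then drop the column. The LDAP migration wrapped in `/* */` is dead code; delete it (history keeps it) or leave it live until the replacement is proven. CreateTables begins before this hunk and its end is not clearly visible here.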