diff --git a/group_vars/all/users.yml b/group_vars/all/users.yml
index b0f97bc3be48bbe8330b5e9e05a5683901dfb555..d4108e11b723c7bf5e75435888aed3d03525a23a 100644
--- a/group_vars/all/users.yml
+++ b/group_vars/all/users.yml
@@ -26,3 +26,8 @@ THEHIVE_KIBANA_USER:
   surname: "User"
   roles: '["read", "write"]'
 
+# Special account for user management GUI, configured as admin user in some of the tools
+USER_MGMT_ADMIN_USER:
+  username: "soctools-user-mgmt"
+  DN: "CN=soctools-user-mgmt"
+  CN: "soctools-user-mgmt"
\ No newline at end of file
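Review bot: The comment above `USER_MGMT_ADMIN_USER` does not name the tools that treat this account as admin or say how it authenticates, and it leaves unstated that the CN is now reserved. The CA role loops over this entry and `soctools_users` together, so a regular user defined with the same `CN` would presumably collide with it. I would expand the comment along the lines of `# Service account for the user management GUI; admin in <list of tools>; its CN must not be reused in soctools_users`. The file also now ends without a trailing newline.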
diff --git a/roles/ca/tasks/main.yml b/roles/ca/tasks/main.yml
index e851761376265268c0ea7af70ae65d47d789a43f..693108e48ac0dc8826c9ac68e37fa5af4315071e 100644
--- a/roles/ca/tasks/main.yml
+++ b/roles/ca/tasks/main.yml
@@ -113,6 +113,7 @@
 - name: Check for existing user certificates
   command: roles/ca/files/easyrsa/easyrsa show-cert {{item.CN | regex_escape()}}
   with_items:
+    - "{{USER_MGMT_ADMIN_USER}}"
     - "{{soctools_users}}"
   environment:
     EASYRSA_BATCH: 1
@@ -123,6 +124,7 @@
 - name: Generate user certificates
   command: roles/ca/files/easyrsa/easyrsa build-client-full {{item.CN | regex_escape()}} nopass
   with_items:
+    - "{{USER_MGMT_ADMIN_USER}}"
     - "{{soctools_users}}"
   environment:
     EASYRSA_BATCH: 1
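Review bot: The private key generated for `USER_MGMT_ADMIN_USER` is left unencrypted on disk, because the item is added to a loop that runs `build-client-full ... nopass`, and the vars file describes this account as admin in some of the tools. That was already the case for ordinary users, but a key that grants admin access to several services deserves an explicit check that the easyrsa private directory and `secrets/` are readable only by the deploying user. A comment such as `# nopass: key is stored unencrypted; directory permissions are the only protection` above the task would make the trade-off visible. The same item is added to the certificate check in the hunk above and the PKCS#12 export in the hunk below; the task body continues outside this hunk.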
@@ -138,6 +140,7 @@
     responses:
       Enter Export Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}}')}}"
   with_items:
+    - "{{USER_MGMT_ADMIN_USER}}"
     - "{{soctools_users}}"
   environment:
     EASYRSA_BATCH: 1
@@ -150,3 +153,18 @@
   with_items:
     - "{{soctools_users}}"
 
+#- name: Convert certificate of soctools-user-mgmt user to PEM format (cert)
+#  expect:
+#    command: openssl pkcs12 -in "{{playbook_dir}}/secrets/CA/private/{{item.CN}}.p12" -out "{{playbook_dir}}/secrets/CA/private/{{item.CN}}.crt.pem" -clcerts -nokeys
+#    responses:
+#      Enter Import Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}}')}}"
+#  with_items:
+#    - "{{USER_MGMT_ADMIN_USER}}"
+
+#- name: Convert certificate of soctools-user-mgmt user to PEM format (key)
+#  expect:
+#    command: openssl pkcs12 -in "{{playbook_dir}}/secrets/CA/private/{{item.CN}}.p12" -out "{{playbook_dir}}/secrets/CA/private/{{item.CN}}.key.pem" -nocerts -nodes
+#    responses:
+#      Enter Import Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}}')}}"
+#  with_items:
+#    - "{{USER_MGMT_ADMIN_USER}}"
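Review bot: These two tasks are committed commented out with no explanation, so a reader cannot tell whether they are a pending feature or abandoned; either drop them or add a line saying why they are disabled. If they are enabled later, the second one uses `-nodes` and writes the admin account's private key unencrypted to `{{item.CN}}.key.pem`, so it should be followed by a step that restricts the file mode. Both `expect` tasks pass the import password in `responses` and should carry `no_log: true` so it does not appear in task output.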
diff --git a/roles/keycloak/templates/initkeycloakrealm.sh.j2 b/roles/keycloak/templates/initkeycloakrealm.sh.j2
index 1444717fc84aed57192ea89f8d047096d66c5ee6..f114c354ddcf6d65a834c21c6cd6d9ce3977f809 100644
--- a/roles/keycloak/templates/initkeycloakrealm.sh.j2
+++ b/roles/keycloak/templates/initkeycloakrealm.sh.j2
@@ -16,6 +16,7 @@ kcadm.sh update realms/{{openid_realm}} -b '{"browserFlow": "X.509 Browser"}'
 kcadm.sh create realms/{{openid_realm}}/authentication/executions/${BROWSERFORM}/config -b '{"config":{"x509-cert-auth.mapping-source-selection":"Subject'\''s Common Name","x509-cert-auth.canonical-dn-enabled":"true","x509-cert-auth.serialnumber-hex-enabled":false,"x509-cert-auth.regular-expression":"(.*?)(?:$)","x509-cert-auth.mapper-selection":"Custom Attribute Mapper","x509-cert-auth.mapper-selection.user-attribute-name":"CN","x509-cert-auth.timestamp-validation-enabled":"true","x509-cert-auth.crl-checking-enabled":"","x509-cert-auth.crldp-checking-enabled":false,"x509-cert-auth.crl-relative-path":"crl.pem","x509-cert-auth.ocsp-checking-enabled":"","x509-cert-auth.confirmation-page-disallowed":""},"alias":"x509-form-config"}'
 kcadm.sh create realms/{{openid_realm}}/groups -b '{"name":"GN43WP8T31"}'
 
+kcadm.sh create realms/{{openid_realm}}/users -b '{"enabled":true,"attributes":{"DN": ["{{USER_MGMT_ADMIN_USER.DN}}"],"CN": ["{{USER_MGMT_ADMIN_USER.CN}}"]},"username":"{{USER_MGMT_ADMIN_USER.username}}","groups": ["/GN43WP8T31"] }'
 {% for user in soctools_users %}
 kcadm.sh create realms/{{openid_realm}}/users -b '{"enabled":true,"attributes":{"DN": ["{{user.DN}}"],"CN": ["{{user.CN}}"]},"username":"{{user.username}}","emailVerified":"","email":"{{user.email}}","firstName":"{{user.firstname}}","lastName":"{{user.lastname}}","groups": ["/GN43WP8T31"] }'
 kcadm.sh set-password -r {{openid_realm}} --username {{user.username}} --new-password {{lookup('password', '{{playbook_dir}}/secrets/passwords/'+user.CN)}}
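Review bot: The added `kcadm.sh create ... users` line interpolates `USER_MGMT_ADMIN_USER.DN`, `.CN` and `.username` raw into JSON that sits inside a single-quoted shell argument, so a quote character in any of them would break the JSON or the shell quoting. The values come from group_vars, so the risk is low, but building the body as a dict and rendering it with `| to_json | quote` would make the line robust; the existing per-user line below has the same shape. Unlike the loop below, no `set-password` is issued for this account, which presumably means it can only log in with its certificate. If that is intended, a one-line comment saying so would help.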
diff --git a/roles/nifi/templates/users.xml.j2 b/roles/nifi/templates/users.xml.j2
index a57969859498c5610ab26a83ae05e53ca093d264..242113d25e46b076ac61a3b75357d8b45f7e2f18 100644
--- a/roles/nifi/templates/users.xml.j2
+++ b/roles/nifi/templates/users.xml.j2
@@ -7,8 +7,9 @@
 	{% endfor %}
       </group>
       <group identifier="c78caf19-016f-1000-0000-000000000002" name="Administrators">
+	    <user identifier="c78caf19-016f-1000-0002-000000000001"/>
 	{% for user in soctools_users %}
-	<user identifier="c78caf19-016f-1000-0002-{{'%012d'|format(loop.index) }}"/>
+	<user identifier="c78caf19-016f-1000-0002-{{'%012d'|format(loop.index+1) }}"/>
 	{% endfor %}
       </group>
     </groups>
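Review bot: Switching the loop to `loop.index+1` renumbers every existing user: the identifier `c78caf19-016f-1000-0002-000000000001`, which used to belong to the first entry of `soctools_users`, now belongs to the management account, and each user takes the next value. If any NiFi policy or previously deployed state refers to users by identifier rather than through the group, those grants would silently move to a different identity. The authorizations file is not visible here, so please confirm. Giving the service account an identifier outside the per-user range (for example its own `-0003-` block) would keep existing identifiers stable and make the `+1` unnecessary. The same applies to the `<users>` hunk below, where the hard-coded identifier has to stay in sync with this one.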
@@ -16,8 +17,9 @@
 	{% for nifi in groups['nificontainers'] %}
         <user identifier="c78caf19-016f-1000-0001-{{'%012d'|format(loop.index) }}" identity="CN={{ nifi }}"/>
         {% endfor %}
+        <user identifier="c78caf19-016f-1000-0002-000000000001" identity="{{ USER_MGMT_ADMIN_USER.username }}"/>
 	{% for user in soctools_users %}
-        <user identifier="c78caf19-016f-1000-0002-{{'%012d'|format(loop.index) }}" identity="{{ user.username }}"/>
+        <user identifier="c78caf19-016f-1000-0002-{{'%012d'|format(loop.index+1) }}" identity="{{ user.username }}"/>
         {% endfor %}        
     </users>
 </tenants>