diff --git a/components/Group/Controller/Group.php b/components/Group/Controller/Group.php
index db19544889..7535d0b3d3 100644
--- a/components/Group/Controller/Group.php
+++ b/components/Group/Controller/Group.php
@@ -23,12 +23,12 @@ declare(strict_types = 1);
 namespace Component\Group\Controller;
+use App\Core\ActorLocalRoles;
 use App\Core\Cache;
 use App\Core\DB\DB;
 use App\Core\Form;
 use function App\Core\I18n\_m;
 use App\Core\Log;
-use App\Core\UserRoles;
 use App\Entity as E;
 use App\Util\Common;
 use App\Util\Exception\ClientException;
@@ -151,7 +151,7 @@ class Group extends FeedController
 'nickname' => $nickname,
 'type' => E\Actor::GROUP,
 'is_local' => true,
- 'roles' => UserRoles::BOT,
+ 'roles' => ActorLocalRoles::VISITOR, // Can send direct messages to other actors
 ]));
 DB::persist(LocalGroup::create([
 'group_id' => $group->getId(),
diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index da109f2184..237d96223f 100644
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -51,5 +51,5 @@ security:
 # Easy way to control access for large sections of your site
 # Note: Only the *first* access control that matches will be used
 access_control:
- - { path: ^/admin, roles: ROLE_ADMIN }
- - { path: ^/settings, roles: ROLE_USER }
+ - { path: ^/admin, roles: ROLE_OPERATOR }
+ - { path: ^/settings, roles: ROLE_VISITOR }
diff --git a/plugins/ActivityPub/Util/Model/Actor.php b/plugins/ActivityPub/Util/Model/Actor.php
index 6cb4aeede3..c995522bac 100644
--- a/plugins/ActivityPub/Util/Model/Actor.php
+++ b/plugins/ActivityPub/Util/Model/Actor.php
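Review bot: `'roles' => ActorLocalRoles::VISITOR` only governs groups created from now on; nothing in this diff rewrites rows already persisted with `UserRoles::BOT` (8), and under the renumbered constants in the ActorLocalRoles hunk that stored value now decodes as OPERATOR, just as an old USER (4) reads as MODERATOR and an old ADMIN (1) as VISITOR. Since LocalUser::getRoles() turns the stored bitmap straight into Symfony roles and security.yaml now gates `^/admin` on ROLE_OPERATOR, this is a privilege change on existing data rather than a rename. Either keep the old bit positions so stored values keep their meaning (`OPERATOR = 1`, `MODERATOR = 2`, `PARTICIPANT = 4`, `VISITOR = 8`, which maps old ADMIN/MODERATOR/USER/BOT onto the intended new roles, though old USER rows would still lack the VISITOR bit), or ship a migration of the stored `roles` values in the same change. The same concern applies to the ActorLocalRoles, LocalUser::getRoles and CoreFixtures hunks; the create() call this array belongs to starts outside the hunk.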
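Review bot: `^/admin` now requires ROLE_OPERATOR and `^/settings` ROLE_VISITOR, but these roles come from independent bits of the ActorLocalRoles bitmap, so an operator whose row carries only the OPERATOR bit has no ROLE_VISITOR and is denied `/settings` — which is why the CoreFixtures hunk has to OR all four bits into its 'admin' user. Unless a `role_hierarchy` already exists elsewhere in this file, declaring one next to `access_control` enforces the intended ordering in one place instead of at every actor-creation site.
```yaml
security:
    role_hierarchy:
        ROLE_OPERATOR: [ROLE_MODERATOR, ROLE_PARTICIPANT, ROLE_VISITOR]
        ROLE_MODERATOR: [ROLE_PARTICIPANT, ROLE_VISITOR]
        ROLE_PARTICIPANT: [ROLE_VISITOR]
    # … unchanged: access_control …
```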
@@ -33,13 +33,13 @@ declare(strict_types = 1);
 namespace Plugin\ActivityPub\Util\Model;
 use ActivityPhp\Type\AbstractObject;
+use App\Core\ActorLocalRoles;
 use App\Core\DB\DB;
 use App\Core\Event;
 use App\Core\GSFile;
 use App\Core\HTTPClient;
 use App\Core\Log;
 use App\Core\Router\Router;
-use App\Core\UserRoles;
 use App\Entity\Actor as GSActor;
 use App\Util\Exception\ServerException;
 use App\Util\Formatting;
@@ -93,7 +93,8 @@ class Actor extends Model
 'bio' => $person->get('summary'),
 'is_local' => false, // duh!
 'type' => self::$_as2_actor_type_to_gs_actor_type[$person->get('type')],
- 'roles' => UserRoles::USER,
+ // TODO: Operator may prefer users to start with Visitor and then have them being manually promoted
+ 'roles' => ActorLocalRoles::PARTICIPANT | ActorLocalRoles::VISITOR, // Can view and participate
 'modified' => new DateTime(),
 ];
diff --git a/src/Controller/AdminPanel.php b/src/Controller/AdminPanel.php
index c5961204da..6048a82210 100644
--- a/src/Controller/AdminPanel.php
+++ b/src/Controller/AdminPanel.php
@@ -54,7 +54,7 @@ class AdminPanel extends Controller
 */
 public function site(Request $request)
 {
- $this->denyAccessUnlessGranted('ROLE_ADMIN');
+ $this->denyAccessUnlessGranted('ROLE_OPERATOR');
 $defaults = Common::getConfigDefaults();
 $options = [];
 foreach ($defaults as $key => $inner) {
diff --git a/src/Controller/Security.php b/src/Controller/Security.php
index 1f4e00e4d8..7c1f42f130 100644
--- a/src/Controller/Security.php
+++ b/src/Controller/Security.php
@@ -4,13 +4,13 @@ declare(strict_types = 1);
 namespace App\Controller;
+use App\Core\ActorLocalRoles;
 use App\Core\Controller;
 use App\Core\DB\DB;
 use App\Core\Event;
 use App\Core\Form;
 use function App\Core\I18n\_m;
 use App\Core\Log;
-use App\Core\UserRoles;
 use App\Entity\Actor;
 use App\Entity\Feed;
 use App\Entity\LocalUser;
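Review bot: the default `ActorLocalRoles::PARTICIPANT | ActorLocalRoles::VISITOR` and its TODO are written out here and again in the Security.php registration hunk, so the policy the TODO describes (start at Visitor, promote manually) would have to be changed in two places. A named default on ActorLocalRoles — e.g. `public const DEFAULT = self::PARTICIPANT | self::VISITOR;` (the name is a suggestion) with the TODO attached to it — keeps both creation sites in step. Since this actor is remote (`'is_local' => false` two lines above) and never logs in through Security.php, a short comment saying what PARTICIPANT is meant to grant a federated actor would also help the next reader; the array this belongs to starts outside the hunk.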
@@ -152,7 +152,8 @@ class Security extends Controller
 'nickname' => $nickname,
 'is_local' => true,
 'type' => Actor::PERSON,
- 'roles' => UserRoles::USER,
+ // TODO: Operator may prefer users to start with Visitor and then have them being manually promoted
+ 'roles' => ActorLocalRoles::PARTICIPANT | ActorLocalRoles::VISITOR, // Can view and participate
 ]);
 $user = LocalUser::create([
 'nickname' => $nickname,
diff --git a/src/Core/UserRoles.php b/src/Core/ActorLocalRoles.php
similarity index 71%
rename from src/Core/UserRoles.php
rename to src/Core/ActorLocalRoles.php
index b1c1ea722b..2e4e74890c 100644
--- a/src/Core/UserRoles.php
+++ b/src/Core/ActorLocalRoles.php
@@ -34,12 +34,20 @@ namespace App\Core;
 use App\Util\Bitmap;
-class UserRoles extends Bitmap
+// The domain of this Bitmap are Actors
+// TODO: role permissions configuration and sandbox system, probably an AffiliationPlugin
+class ActorLocalRoles extends Bitmap
 {
- public const ADMIN = 1;
- public const MODERATOR = 2;
- public const USER = 4;
- public const BOT = 8;
+ // No permissions at all
+ public const NONE = 0;
+ // Can view and direct messages
+ public const VISITOR = 1;
+ // Can Participate
+ public const PARTICIPANT = 2;
+ // Privileged Access
+ public const MODERATOR = 4;
+ // System Administrator
+ public const OPERATOR = 8;
 public const PREFIX = 'ROLE_';
 }
diff --git a/src/Core/VisibilityScope.php b/src/Core/VisibilityScope.php
index 20c4e30bc8..a3889744b3 100644
--- a/src/Core/VisibilityScope.php
+++ b/src/Core/VisibilityScope.php
@@ -21,6 +21,7 @@ declare(strict_types = 1);
 namespace App\Core;
+// The domain of this enum are Objects
 enum VisibilityScope: int // having an int is just convenient
 {
 case EVERYWHERE = 1; // Can be shown everywhere (default)
diff --git a/src/DataFixtures/CoreFixtures.php b/src/DataFixtures/CoreFixtures.php
index 7f7831369d..be661c86df 100644
--- a/src/DataFixtures/CoreFixtures.php
+++ b/src/DataFixtures/CoreFixtures.php
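Review bot: the constants are commented one by one, but nothing states that the bits are independent rather than hierarchical, which is why the CoreFixtures hunk has to OR OPERATOR, MODERATOR, PARTICIPANT and VISITOR together for its 'admin' user; a class comment such as `// Bits are independent: OPERATOR does not imply MODERATOR, PARTICIPANT or VISITOR — OR the bits explicitly.` would stop an operator being created without the VISITOR bit the `^/settings` rule needs. `NONE = 0` is also a new kind of member for this Bitmap: how Bitmap::toArray, which LocalUser::getRoles() calls on the stored value, treats a zero constant is not visible here — if it tests `($value & $const) !== 0` NONE is never emitted, but if it compares the masked value with `===` every actor would receive ROLE_NONE — so confirm which before anything relies on it.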
@@ -4,7 +4,7 @@ declare(strict_types = 1);
 namespace App\DataFixtures;
-use App\Core\UserRoles;
+use App\Core\ActorLocalRoles;
 use App\Core\VisibilityScope;
 use App\Entity\Actor;
 use App\Entity\LocalUser;
@@ -25,7 +25,7 @@ class CoreFixtures extends Fixture
 foreach ([
 'taken_user' => [LocalUser::class, 'setId', ['password' => LocalUser::hashPassword('foobar'), 'outgoing_email' => 'email@provider'], []],
 'some_user' => [LocalUser::class, 'setId', [], []],
- 'admin' => [LocalUser::class, 'setId', [], ['roles' => UserRoles::ADMIN | UserRoles::USER]],
+ 'admin' => [LocalUser::class, 'setId', [], ['roles' => ActorLocalRoles::OPERATOR | ActorLocalRoles::MODERATOR | ActorLocalRoles::PARTICIPANT | ActorLocalRoles::VISITOR]],
 'local_user_test_user' => [LocalUser::class, 'setId', ['password' => LocalUser::hashPassword('foobar')], []],
 'form_personal_info_test_user' => [LocalUser::class, 'setId', [], []],
 'form_account_test_user' => [LocalUser::class, 'setId', ['password' => LocalUser::hashPassword('some password')], []],
diff --git a/src/Entity/LocalUser.php b/src/Entity/LocalUser.php
index f86a4fe98d..806e90414e 100644
--- a/src/Entity/LocalUser.php
+++ b/src/Entity/LocalUser.php
@@ -26,7 +26,7 @@ namespace App\Entity;
 use App\Core\Cache;
 use App\Core\DB\DB;
 use App\Core\Entity;
-use App\Core\UserRoles;
+use App\Core\ActorLocalRoles;
 use App\Util\Common;
 use App\Util\Exception\NicknameEmptyException;
 use App\Util\Exception\NicknameException;
@@ -379,7 +379,7 @@ class LocalUser extends Entity implements UserInterface, PasswordAuthenticatedUs
 */
 public function getRoles()
 {
- return UserRoles::toArray($this->getActor()->getRoles());
+ return ActorLocalRoles::toArray($this->getActor()->getRoles());
 }
 public static function cacheKeys(mixed $identifier): array
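Review bot: the only fixture that sets `roles` is 'admin', and it is given every bit, so nothing in the fixtures exercises the new access_control rules for a partially privileged actor (an OPERATOR without VISITOR, or a VISITOR-only user) or a row still carrying a pre-rename value such as the old `USER` = 4. Adding e.g. `'visitor_only_user' => [LocalUser::class, 'setId', [], ['roles' => ActorLocalRoles::VISITOR]],` alongside 'admin' would let the security.yaml change be tested rather than assumed. The foreach this array belongs to continues outside the hunk.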