diff --git a/xos/tosca/custom_types/xos.yaml b/xos/tosca/custom_types/xos.yaml
index 59cbb77..044f281 100644
--- a/xos/tosca/custom_types/xos.yaml
+++ b/xos/tosca/custom_types/xos.yaml
@@ -230,7 +230,11 @@
 
     tosca.relationships.PIPrivilege:
         derived_from: tosca.relationships.Root
-        valid_target_types: [ tosca.capabilities.xos.Slice, tosca.capabiltys.xos.Site ]
+        valid_target_types: [ tosca.capabiltys.xos.Site ]
+
+    tosca.relationships.TechPrivilege:
+        derived_from: tosca.relationships.Root
+        valid_target_types: [ tosca.capabiltys.xos.Site ]
 
     tosca.capabilities.xos.Service:
         derived_from: tosca.capabilities.Root
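Review bot: The new `tosca.relationships.TechPrivilege` type, and the rewritten PIPrivilege line above it, both target `tosca.capabiltys.xos.Site`, which looks like a typo carried over from the removed line rather than a capability that exists; every other capability in this file is spelled `tosca.capabilities.xos.…`. If the intended target is `tosca.capabilities.xos.Site`, both lines should read `valid_target_types: [ tosca.capabilities.xos.Site ]`. Whether a template using these relationships is accepted or rejected presumably depends on how strictly the toscalib parser validates target capabilities, so this is worth confirming against the validator rather than relying on the sample loading cleanly.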
diff --git a/xos/tosca/engine.py b/xos/tosca/engine.py
index 5417cbc..a0d917d 100644
--- a/xos/tosca/engine.py
+++ b/xos/tosca/engine.py
@@ -122,7 +122,7 @@
         if nodetemplate.type in resources.resources:
             cls = resources.resources[nodetemplate.type]
             #print "work on", cls.__name__, nodetemplate.name
-            obj = cls(user, nodetemplate)
+            obj = cls(user, nodetemplate, self)
             obj.create_or_update()
 
     def destroy(self, user):
@@ -131,7 +131,7 @@
         for nodetemplate in nodetemplates:
             if nodetemplate.type in resources.resources:
                 cls = resources.resources[nodetemplate.type]
-                obj = cls(user, nodetemplate)
+                obj = cls(user, nodetemplate, self)
                 for model in obj.get_existing_objs():
                     models.append( (obj, model) )
         models.reverse()
@@ -139,3 +139,22 @@
             print "destroying", model
             resource.delete(model)
 
+    def name_to_xos_class(self, user, name):
+        nt = self.nodetemplates_by_name.get(name)
+        if not nt:
+            raise Exception("failed to find nodetemplate %s" % name)
+
+        cls = resources.resources.get(nt.type)
+        if not cls:
+            raise Exception("nodetemplate %s's type does not resolve to a known resource type" % name)
+
+        return (nt, cls, cls.xos_model)
+
+    def name_to_xos_model(self, user, name):
+        (nt, cls, model_class) = self.name_to_xos_class(user, name)
+        obj = cls(user, nt, self)
+        existing_objs = obj.get_existing_objs()
+        if not existing_objs:
+            raise Exception("failed to find xos %s %s" % (cls.__name__, name))
+        return existing_objs[0]
+
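Review bot: `name_to_xos_model` returns `existing_objs[0]` without checking for multiple matches, so when `get_existing_objs()` yields more than one model the privilege is attached to whichever object the queryset happens to return first; adding `if len(existing_objs) > 1: raise Exception("ambiguous xos %s %s" % (cls.__name__, name))` before the return would make resolution deterministic. The `user` parameter of `name_to_xos_class` is accepted but never read, and both helpers raise bare `Exception`, which callers cannot distinguish from unexpected failures. A short docstring stating that `name` is a nodetemplate name (not a model name) and that `self.nodetemplates_by_name` must already be populated would help, since that attribute is not visible in this hunk and its origin cannot be confirmed from here.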
diff --git a/xos/tosca/resources/slice.py b/xos/tosca/resources/slice.py
index 054111c..073e205 100644
--- a/xos/tosca/resources/slice.py
+++ b/xos/tosca/resources/slice.py
@@ -5,7 +5,7 @@
 sys.path.append("/opt/tosca")
 from translator.toscalib.tosca_template import ToscaTemplate
 
-from core.models import Slice,User,Site,Network,NetworkSlice
+from core.models import Slice,User,Site,Network,NetworkSlice,SliceRole,SlicePrivilege
 
 from xosresource import XOSResource
 
@@ -27,6 +27,17 @@
                 ns.save()
                 self.info("Added network connection from '%s' to '%s'" % (str(obj), str(net)))
 
+        rolemap = ( ("tosca.relationships.AdminPrivilege", "admin"), ("tosca.relationships.AccessPrivilege", "access"),
+                    ("tosca.relationships.PIPrivilege", "pi"), ("tosca.relationships.TechPrivilege", "tech") )
+        for (rel, role) in rolemap:
+            for email in self.get_requirements(rel):
+                role = self.get_xos_object(SliceRole, role=role)
+                user = self.get_xos_object(User, email=email)
+                if not SlicePrivilege.objects.filter(user=user, role=role, slice=obj):
+                    sp = SlicePrivilege(user=user, role=role, slice=obj)
+                    sp.save()
+                    self.info("Added slice privilege on %s role %s for %s" % (str(obj), str(role), str(user)))
+
     def create(self):
         nodetemplate = self.nodetemplate
         sliceName = nodetemplate.name
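Review bot: The loop variable `role` is overwritten on the first inner iteration by `role = self.get_xos_object(SliceRole, role=role)`, so for a second email under the same relationship the lookup is called with a SliceRole instance instead of the role name, and the log line then prints the object rather than the name. Renaming the outer variable fixes it: `for (rel, role_name) in rolemap:` and `role = self.get_xos_object(SliceRole, role=role_name)`. Nothing in this hunk checks that `self.user`, the user running the engine, is permitted to grant the requested slice role; if that authorization is enforced elsewhere a comment saying so would help, otherwise it belongs before `sp.save()`. The enclosing `postprocess` method starts above this hunk.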
diff --git a/xos/tosca/resources/user.py b/xos/tosca/resources/user.py
index 0f0c0a1..125df4f 100644
--- a/xos/tosca/resources/user.py
+++ b/xos/tosca/resources/user.py
@@ -5,7 +5,7 @@
 sys.path.append("/opt/tosca")
 from translator.toscalib.tosca_template import ToscaTemplate
 
-from core.models import User, Site
+from core.models import User, Site, SiteRole, SliceRole, SlicePrivilege, SitePrivilege
 
 from xosresource import XOSResource
 
@@ -32,7 +32,23 @@
         return self.xos_model.objects.filter(email = self.nodetemplate.name)
 
     def postprocess(self, obj):
-        pass
+        rolemap = ( ("tosca.relationships.AdminPrivilege", "admin"), ("tosca.relationships.AccessPrivilege", "access"),
+                    ("tosca.relationships.PIPrivilege", "pi"), ("tosca.relationships.TechPrivilege", "tech") )
+        for (rel, role) in rolemap:
+            for obj_name in self.get_requirements(rel):
+                dest = self.engine.name_to_xos_model(self.user, obj_name)
+                if dest.__class__.__name__ == "Slice":
+                    role_obj = self.get_xos_object(SliceRole, role=role)
+                    if not SlicePrivilege.objects.filter(user=user, role=role_obj, slice=dest):
+                        sp = SlicePrivilege(user=obj, role=role_obj, slice=dest)
+                        sp.save()
+                        self.info("Added slice privilege on %s role %s for %s" % (str(dest), str(role), str(obj)))
+                elif dest.__class__.__name__ == "Site":
+                    role_obj = self.get_xos_object(SiteRole, role=role)
+                    if not SitePrivilege.objects.filter(user=obj, role=role_obj, site=dest):
+                        sp = SitePrivilege(user=obj, role=role_obj, site=dest)
+                        sp.save()
+                        self.info("Added site privilege on %s role %s for %s" % (str(dest), str(role), str(obj)))
 
     def create(self):
         nodetemplate = self.nodetemplate
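Review bot: The Slice branch filters with `user=user`, but no local `user` is bound in this method (the user being processed is `obj`, as the following `SlicePrivilege(user=obj, …)` line uses), so the first slice-privilege requirement raises NameError before anything is saved. The line should read `if not SlicePrivilege.objects.filter(user=obj, role=role_obj, slice=dest):`. A requirement whose target resolves to neither a Slice nor a Site is silently dropped; an `else: self.info("ignoring privilege on %s: unsupported type %s" % (obj_name, dest.__class__.__name__))` would make that visible. The `rolemap` tuple is duplicated verbatim in slice.py's postprocess and could live once on XOSResource.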
diff --git a/xos/tosca/resources/xosresource.py b/xos/tosca/resources/xosresource.py
index 756aaf8..a0426cf 100644
--- a/xos/tosca/resources/xosresource.py
+++ b/xos/tosca/resources/xosresource.py
@@ -5,10 +5,11 @@
     xos_model = None
     provides = None
 
-    def __init__(self, user, nodetemplate):
+    def __init__(self, user, nodetemplate, engine):
         self.dirty = False
         self.user = user
         self.nodetemplate = nodetemplate
+        self.engine = engine
 
     def get_all_required_node_names(self):
         results = []
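Review bot: `engine` becomes a third required positional parameter of `XOSResource.__init__`, so any subclass or caller that still constructs a resource with two arguments will fail with TypeError at instantiation; the two call sites in engine.py are updated in this commit, but whether other constructors exist cannot be seen from here. A one-line comment on the new attribute would help future readers, e.g. `self.engine = engine  # the engine that instantiated this resource; used to resolve other nodetemplates by name`.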
diff --git a/xos/tosca/samples/privileges.yaml b/xos/tosca/samples/privileges.yaml
new file mode 100644
index 0000000..d15f343
--- /dev/null
+++ b/xos/tosca/samples/privileges.yaml
@@ -0,0 +1,60 @@
+tosca_definitions_version: tosca_simple_yaml_1_0
+
+description: Make some network templates
+
+imports:
+   - custom_types/xos.yaml
+
+topology_template:
+  node_templates:
+    mysite:
+      type: tosca.nodes.Site
+
+    johndoe@foo.bar:
+      type: tosca.nodes.User
+      properties:
+          password: letmein
+          firstname: john
+          lastname: doe
+      requirements:
+          - site:
+              node: mysite
+              relationship: tosca.relationships.MemberOfSite
+          # Site privilege must always be specified in user objects, since
+          # user depends on site.
+          - privilege:
+              node: mysite
+              relationship: tosca.relationships.PIPrivilege
+
+    janedoe@foo.bar:
+      type: tosca.nodes.User
+      properties:
+          password: letmein
+          firstname: john
+          lastname: doe
+      requirements:
+          - site:
+              node: mysite
+              relationship: tosca.relationships.MemberOfSite
+          - privilege:
+              node: mysite
+              relationship: tosca.relationships.TechPrivilege
+
+    privsite:
+      type: tosca.nodes.Site
+
+    privsite_slice1:
+      type: tosca.nodes.Slice
+      requirements:
+          - slice:
+                node: privsite
+                relationship: tosca.relationships.MemberOfSite
+          # Slice privileges must always be specified in slice objects, since
+          # slice depends on user.
+          - privilege:
+                node: johndoe@foo.bar
+                relationship: tosca.relationships.AdminPrivilege
+          - privilege:
+                node: janedoe@foo.bar
+                relationship: tosca.relationships.AccessPrivilege
+
