diff --git a/client/src/App.tsx b/client/src/App.tsx
index 759613c..e423f29 100644
--- a/client/src/App.tsx
+++ b/client/src/App.tsx
@@ -4,6 +4,7 @@ import Inventory from './pages/Inventory.tsx';
 import Users from './pages/Users.tsx';
 import { BrowserRouter, Routes, Route, Navigate } from 'react-router';
 import { RequireAuth } from '@features/auth/RequireAuth';
+import { RequireAdmin } from '@features/auth/RequireAdmin';
 
 const App = () => {
     return (
@@ -24,7 +25,14 @@ const App = () => {
                         element={<Navigate to="inventory" replace />}
                     />
                     <Route path="inventory" element={<Inventory />} />
-                    <Route path="users" element={<Users />} />
+                    <Route
+                        path="users"
+                        element={
+                            <RequireAdmin>
+                                <Users />
+                            </RequireAdmin>
+                        }
+                    />
                 </Route>
                 <Route path="*" element={<Navigate to="/login" replace />} />
             </Routes>
diff --git a/client/src/features/ChangeUserRoleModal/ChangeUserRoleModal.tsx b/client/src/features/ChangeUserRoleModal/ChangeUserRoleModal.tsx
index 432c9b9..fa1190f 100644
--- a/client/src/features/ChangeUserRoleModal/ChangeUserRoleModal.tsx
+++ b/client/src/features/ChangeUserRoleModal/ChangeUserRoleModal.tsx
@@ -1,5 +1,5 @@
 import { useState } from 'react';
-import type { UserResource, UpdateUserResponse } from '@foodstoragemanager/schema';
+import { toRole, type UserResource, type UpdateUserResponse, type Role } from '@foodstoragemanager/schema';
 import { getSchemaClient } from '@lib/schemaClient';
 
 interface ChangeUserRoleModalProps {
@@ -9,8 +9,8 @@ interface ChangeUserRoleModalProps {
 }
 
 export const ChangeUserRoleModal = ({ user, onRoleChanged, onCancel }: ChangeUserRoleModalProps) => {
-    const currentRole = user.role?.[0] ?? '';
-    const [selectedRole, setSelectedRole] = useState<string>(currentRole);
+    const currentRole: Role = toRole(user.role);
+    const [selectedRole, setSelectedRole] = useState<Role>(currentRole);
     const [isSubmitting, setIsSubmitting] = useState(false);
     const [error, setError] = useState<string | null>(null);
 
@@ -28,7 +28,7 @@ export const ChangeUserRoleModal = ({ user, onRoleChanged, onCancel }: ChangeUse
 
             const client = getSchemaClient();
             const payload: UpdateUserResponse = await client.updateUser(user._id, {
-                role: selectedRole === '' ? undefined : (selectedRole as 'admin' | 'staff' | 'volunteer'),
+                role: selectedRole,
             });
 
             if ('error' in payload) {
@@ -45,9 +45,7 @@ export const ChangeUserRoleModal = ({ user, onRoleChanged, onCancel }: ChangeUse
         }
     };
 
-    const currentRoleDisplay = currentRole
-        ? currentRole[0].toUpperCase() + currentRole.slice(1).toLowerCase()
-        : 'No Role';
+    const currentRoleDisplay = `${currentRole[0].toUpperCase()}${currentRole.slice(1).toLowerCase()}`;
 
     return (
         <div className="p-6 bg-white rounded-lg shadow-md max-w-md w-full">
@@ -75,12 +73,11 @@ export const ChangeUserRoleModal = ({ user, onRoleChanged, onCancel }: ChangeUse
                     <select
                         id="role-select"
                         value={selectedRole}
-                        onChange={(e) => setSelectedRole(e.target.value)}
+                        onChange={(e) => setSelectedRole(toRole(e.target.value))}
                         className="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-none focus:ring-2 focus:ring-blue-500"
                         required
                         disabled={isSubmitting}
                     >
-                        <option value="">No Role</option>
                         <option value="admin">Admin</option>
                         <option value="staff">Staff</option>
                         <option value="volunteer">Volunteer</option>
diff --git a/client/src/features/CreateUserForm/CreateUserForm.tsx b/client/src/features/CreateUserForm/CreateUserForm.tsx
index 1e1324a..abb89a7 100644
--- a/client/src/features/CreateUserForm/CreateUserForm.tsx
+++ b/client/src/features/CreateUserForm/CreateUserForm.tsx
@@ -1,5 +1,6 @@
 import { useState } from 'react';
-import type { CreateUserResponse } from '@foodstoragemanager/schema';
+import type { CreateUserResponse, Role } from '@foodstoragemanager/schema';
+import { toRole } from '@foodstoragemanager/schema';
 import { getSchemaClient } from '@lib/schemaClient';
 
 type FormInputs = {
@@ -7,6 +8,7 @@ type FormInputs = {
     email: string;
     password: string;
     confirmPassword: string;
+    role: Role;
 };
 
 type CreateUserFormProps = {
@@ -19,6 +21,7 @@ const initialForm: FormInputs = {
     email: '',
     password: '',
     confirmPassword: '',
+    role: 'volunteer',
 };
 
 export const CreateUserForm = ({ onUserCreated, onCancel }: CreateUserFormProps) => {
@@ -30,7 +33,7 @@ export const CreateUserForm = ({ onUserCreated, onCancel }: CreateUserFormProps)
     const handleInputChange = (field: keyof FormInputs, value: string) => {
         setFormData((prev) => ({
             ...prev,
-            [field]: value,
+            [field]: field === 'role' ? (toRole(value) as Role) : value,
         }));
     };
 
@@ -58,6 +61,7 @@ export const CreateUserForm = ({ onUserCreated, onCancel }: CreateUserFormProps)
                 name: formData.name.trim(),
                 email: formData.email.trim(),
                 password: formData.password,
+                role: formData.role,
             });
 
             if ('error' in payload) {
@@ -114,6 +118,7 @@ export const CreateUserForm = ({ onUserCreated, onCancel }: CreateUserFormProps)
                         type="text"
                         value={formData.name}
                         onChange={(event) => handleInputChange('name', event.target.value)}
+                        autoComplete="name"
                         className="w-full rounded-md border border-gray-300 px-3 py-2 focus:outline-none focus:ring-2 focus:ring-blue-500"
                         required
                     />
@@ -131,6 +136,7 @@ export const CreateUserForm = ({ onUserCreated, onCancel }: CreateUserFormProps)
                         type="email"
                         value={formData.email}
                         onChange={(event) => handleInputChange('email', event.target.value)}
+                        autoComplete="username"
                         className="w-full rounded-md border border-gray-300 px-3 py-2 focus:outline-none focus:ring-2 focus:ring-blue-500"
                         required
                     />
@@ -148,6 +154,7 @@ export const CreateUserForm = ({ onUserCreated, onCancel }: CreateUserFormProps)
                         type="password"
                         value={formData.password}
                         onChange={(event) => handleInputChange('password', event.target.value)}
+                        autoComplete="new-password"
                         className="w-full rounded-md border border-gray-300 px-3 py-2 focus:outline-none focus:ring-2 focus:ring-blue-500"
                         required
                     />
@@ -165,11 +172,32 @@ export const CreateUserForm = ({ onUserCreated, onCancel }: CreateUserFormProps)
                         type="password"
                         value={formData.confirmPassword}
                         onChange={(event) => handleInputChange('confirmPassword', event.target.value)}
+                        autoComplete="new-password"
                         className="w-full rounded-md border border-gray-300 px-3 py-2 focus:outline-none focus:ring-2 focus:ring-blue-500"
                         required
                     />
                 </div>
 
+                <div>
+                    <label
+                        htmlFor="role"
+                        className="mb-1 block text-sm font-medium text-gray-700"
+                    >
+                        Role *
+                    </label>
+                    <select
+                        id="role"
+                        value={formData.role}
+                        onChange={(event) => handleInputChange('role', event.target.value)}
+                        className="w-full rounded-md border border-gray-300 px-3 py-2 focus:outline-none focus:ring-2 focus:ring-blue-500"
+                        required
+                    >
+                        <option value="admin">Admin</option>
+                        <option value="staff">Staff</option>
+                        <option value="volunteer">Volunteer</option>
+                    </select>
+                </div>
+
                 <div className="flex flex-wrap gap-3 pt-2">
                     {onCancel && (
                         <button
diff --git a/client/src/features/UsersList/UserItem.tsx b/client/src/features/UsersList/UserItem.tsx
index 14a8ebc..b572e4d 100644
--- a/client/src/features/UsersList/UserItem.tsx
+++ b/client/src/features/UsersList/UserItem.tsx
@@ -1,5 +1,5 @@
 import { useMemo } from 'react';
-import type { UserResource } from '@foodstoragemanager/schema';
+import { toRole, type UserResource } from '@foodstoragemanager/schema';
 import { BiSolidUser, BiSolidPencil, BiSolidTrash } from 'react-icons/bi';
 
 type UserItemProps = {
@@ -10,10 +10,8 @@ type UserItemProps = {
 
 export const UserItem = ({ user, onEditUser, onDeleteUser }: UserItemProps) => {
     const role = useMemo(() => {
-        const currentRole = user.role?.[0];
-        if (!currentRole) return '';
-
-        return currentRole[0].toUpperCase() + currentRole.slice(1).toLowerCase();
+        const normalized = toRole(user.role);
+        return `${normalized[0].toUpperCase()}${normalized.slice(1).toLowerCase()}`;
     }, [user.role]);
 
     const handleEditClick = () => {
diff --git a/client/src/features/auth/AuthContext.tsx b/client/src/features/auth/AuthContext.tsx
index 2af004f..0984055 100644
--- a/client/src/features/auth/AuthContext.tsx
+++ b/client/src/features/auth/AuthContext.tsx
@@ -10,7 +10,9 @@ import {
 import type {
     AuthenticateUserResponse,
     UserResource,
+    Role,
 } from '@foodstoragemanager/schema';
+import { toRole } from '@foodstoragemanager/schema';
 import { getSchemaClient } from '@lib/schemaClient';
 
 type AuthResult = { ok: true } | { ok: false; error: string };
@@ -26,10 +28,22 @@ const STORAGE_KEY = 'fsm:auth:user';
 
 const AuthContext = createContext<AuthContextValue | undefined>(undefined);
 
+const normalizeUserRole = (user: UserResource | null): UserResource | null => {
+    if (!user) return null;
+
+    const rawRole: unknown = Array.isArray((user as unknown as { role?: unknown }).role)
+        ? (user as unknown as { role?: unknown[] }).role?.[0]
+        : (user as unknown as { role?: unknown }).role;
+
+    const role: Role = toRole(rawRole);
+    return { ...user, role };
+};
+
 const readStoredUser = (): UserResource | null => {
     try {
         const raw = localStorage.getItem(STORAGE_KEY);
-        return raw ? (JSON.parse(raw) as UserResource) : null;
+        const parsed = raw ? (JSON.parse(raw) as UserResource) : null;
+        return normalizeUserRole(parsed);
     } catch (error) {
         console.warn("Failed to read stored user session", error);
         return null;
@@ -38,12 +52,13 @@ const readStoredUser = (): UserResource | null => {
 
 const writeStoredUser = (user: UserResource | null) => {
     try {
+        const normalized = normalizeUserRole(user);
         if (!user) {
             localStorage.removeItem(STORAGE_KEY);
             return;
         }
 
-        localStorage.setItem(STORAGE_KEY, JSON.stringify(user));
+        localStorage.setItem(STORAGE_KEY, JSON.stringify(normalized));
     } catch (error) {
         console.warn("Failed to persist user session", error);
     }
@@ -71,8 +86,9 @@ export const AuthProvider = ({ children }: { children: ReactNode }) => {
                     return { ok: false, error: payload.error.message };
                 }
 
-                setUser(payload.user);
-                writeStoredUser(payload.user);
+                const normalizedUser = normalizeUserRole(payload.user);
+                setUser(normalizedUser);
+                writeStoredUser(normalizedUser);
                 return { ok: true };
             } catch (error) {
                 const message =
diff --git a/client/src/features/auth/RequireAdmin.tsx b/client/src/features/auth/RequireAdmin.tsx
new file mode 100644
index 0000000..9e5d9b3
--- /dev/null
+++ b/client/src/features/auth/RequireAdmin.tsx
@@ -0,0 +1,26 @@
+import type { ReactNode } from 'react';
+import { Navigate, useLocation } from 'react-router';
+import { useAuth } from './AuthContext';
+
+export const RequireAdmin = ({ children }: { children: ReactNode }) => {
+    const { user, loading } = useAuth();
+    const location = useLocation();
+
+    if (loading) {
+        return (
+            <div className="flex min-h-screen items-center justify-center text-neutral-700">
+                Checking your permissions...
+            </div>
+        );
+    }
+
+    if (!user) {
+        return <Navigate to="/login" replace state={{ from: location }} />;
+    }
+
+    if (user.role !== 'admin') {
+        return <Navigate to="/app/inventory" replace state={{ from: location, reason: 'forbidden' }} />;
+    }
+
+    return <>{children}</>;
+};
diff --git a/client/src/features/ui/NavBar/NavBar.tsx b/client/src/features/ui/NavBar/NavBar.tsx
index dc3686c..449d221 100644
--- a/client/src/features/ui/NavBar/NavBar.tsx
+++ b/client/src/features/ui/NavBar/NavBar.tsx
@@ -14,7 +14,7 @@ export const NavBar = () => {
         <div className="flex h-16 w-full items-center bg-neutral-900 text-neutral-50">
             <nav className="flex flex-1 items-center justify-around">
                 <NavLink to={'/app/inventory'}>Inventory</NavLink>
-                <NavLink to={'/app/users'}>Users</NavLink>
+                {user?.role === 'admin' && <NavLink to={'/app/users'}>Users</NavLink>}
             </nav>
             <div className="flex items-center gap-3 pr-6">
                 {user && (
diff --git a/schema/src/client.ts b/schema/src/client.ts
index 701b82a..bd833f2 100644
--- a/schema/src/client.ts
+++ b/schema/src/client.ts
@@ -4,31 +4,34 @@ import {
   type CreateAuditResponse,
   type CreateItemResponse,
   type CreateLocationResponse,
-  type CreateUserResponse,
-  type DeleteUserResponse,
   type DeleteItemResponse,
-  type AuthenticateUserPayload,
-  type AuthenticateUserResponse,
   type InventoryLotDraft,
   type InventoryLotResource,
   type ItemDraft,
   type ItemResource,
   type ListItemsResponse,
   type ListLocationsResponse,
-  type ListUsersResponse,
   type LocationDraft,
   type LocationResource,
   type RecordStockTransactionResponse,
   type StockTransactionDraft,
   type StockTransactionResource,
   type UpdateItemResponse,
-  type UpdateUserResponse,
   type UpsertInventoryLotResponse,
-  type UserDraft,
-  type UserResource,
   type ApiErrorPayload,
 } from "./types";
 
+import {
+  type AuthenticateUserPayload,
+  type AuthenticateUserResponse,
+  type CreateUserResponse,
+  type DeleteUserResponse,
+  type ListUsersResponse,
+  type UpdateUserResponse,
+  type UserDraft,
+  type UserResource,
+} from "./user";
+
 type FetchLike = typeof fetch;
 
 export interface ClientInit {
diff --git a/schema/src/index.ts b/schema/src/index.ts
index c68a033..0dbed02 100644
--- a/schema/src/index.ts
+++ b/schema/src/index.ts
@@ -5,4 +5,6 @@ export {
   type SchemaClient,
 } from "./client";
 
+export { toRole } from "./user";
 export type * from "./types";
+export type * from "./user";
diff --git a/schema/src/types.ts b/schema/src/types.ts
index 1447167..7a9410f 100644
--- a/schema/src/types.ts
+++ b/schema/src/types.ts
@@ -182,30 +182,3 @@ export interface AuditResource {
 }
 
 export type CreateAuditResponse = ApiResponse<{ audit: AuditResource }>;
-
-export interface UserDraft {
-  email: string;
-  name: string;
-  password: string;
-  role?: "admin" | "staff" | "volunteer";
-}
-
-export interface UserResource {
-  _id: ObjectIdString;
-  email: string;
-  name: string;
-  role: ["admin" | "staff" | "volunteer"];
-  enabled: boolean;
-  createdAt: ISODateString;
-}
-
-export interface AuthenticateUserPayload {
-  email: string;
-  password: string;
-}
-
-export type AuthenticateUserResponse = ApiResponse<{ user: UserResource }>;
-export type CreateUserResponse = ApiResponse<{ user: UserResource }>;
-export type UpdateUserResponse = ApiResponse<{ user: UserResource }>;
-export type DeleteUserResponse = ApiResponse<{ deleted: boolean }>;
-export type ListUsersResponse = ApiResponse<{ users: UserResource[] }>;
diff --git a/schema/src/user.ts b/schema/src/user.ts
new file mode 100644
index 0000000..d9cc33d
--- /dev/null
+++ b/schema/src/user.ts
@@ -0,0 +1,37 @@
+import type { ApiResponse, ISODateString, ObjectIdString } from "./types";
+
+const allowedRoles = ["admin", "staff", "volunteer"] as const;
+export type Role = (typeof allowedRoles)[number];
+
+export function toRole(value: unknown): Role {
+  return typeof value === "string" && allowedRoles.includes(value as Role)
+    ? (value as Role)
+    : "volunteer";
+}
+
+export interface UserDraft {
+  email: string;
+  name: string;
+  password: string;
+  role?: Role;
+}
+
+export interface UserResource {
+  _id: ObjectIdString;
+  email: string;
+  name: string;
+  role: Role;
+  enabled: boolean;
+  createdAt: ISODateString;
+}
+
+export interface AuthenticateUserPayload {
+  email: string;
+  password: string;
+}
+
+export type AuthenticateUserResponse = ApiResponse<{ user: UserResource }>;
+export type CreateUserResponse = ApiResponse<{ user: UserResource }>;
+export type UpdateUserResponse = ApiResponse<{ user: UserResource }>;
+export type DeleteUserResponse = ApiResponse<{ deleted: boolean }>;
+export type ListUsersResponse = ApiResponse<{ users: UserResource[] }>;
\ No newline at end of file
diff --git a/server/postman/backend.postman_collection.json b/server/postman/backend.postman_collection.json
index 4132499..1d3bf52 100644
--- a/server/postman/backend.postman_collection.json
+++ b/server/postman/backend.postman_collection.json
@@ -415,7 +415,7 @@
                   "const json = pm.response.json();",
                   "pm.test('user id unchanged', () => pm.expect(json.user._id).to.eql(pm.collectionVariables.get('userId')));",
                   "pm.test('name updated', () => pm.expect(json.user.name).to.eql(pm.collectionVariables.get('updatedUserName')));",
-                  "pm.test('role is admin', () => pm.expect(json.user.role).to.include('admin'));"
+                  "pm.test('role is admin', () => pm.expect(json.user.role).to.eql('admin'));"
                 ]
               }
             }
diff --git a/server/src/server.ts b/server/src/server.ts
index 2130e59..0cf009c 100644
--- a/server/src/server.ts
+++ b/server/src/server.ts
@@ -17,7 +17,7 @@ for (const candidate of envPaths) {
   if (fs.existsSync(candidate)) {
     dotenv.config({
       path: candidate,
-      override: true,
+      override: false,
     });
     break;
   }
diff --git a/server/src/user.ts b/server/src/user.ts
index fcb1e2e..8a9f315 100644
--- a/server/src/user.ts
+++ b/server/src/user.ts
@@ -9,10 +9,9 @@ import {
   sanitizeObjectId,
 } from "./validation.js";
 import { handleDatabaseError, sendError, sendSuccess } from "./responses.js";
-import type { UserResource } from "@foodstoragemanager/schema";
+import { toRole, type Role, type UserResource } from "@foodstoragemanager/schema";
 
 const COLLECTION = "users";
-const ALLOWED_ROLES = new Set(["admin", "staff", "volunteer"]);
 
 function formatNow(): string {
   return new Date().toISOString();
@@ -26,34 +25,28 @@ function toIsoString(value: unknown): string | undefined {
   } else return undefined;
 }
 
-function sanitizeRoles(value: unknown): string | undefined {
-  if (Array.isArray(value) && value.length > 0) {
-    const role = typeof value[0] === "string" ? value[0] : undefined;
-    const normalized = role?.trim().toLowerCase();
-    return normalized && ALLOWED_ROLES.has(normalized) ? normalized : undefined;
-  }
-
-  if (typeof value === "string") {
-    const normalized = value.trim().toLowerCase();
-    return ALLOWED_ROLES.has(normalized) ? normalized : undefined;
-  }
+const ensureRole = (value: unknown): Role => {
+  const candidate = Array.isArray(value) && value.length > 0 ? value[0] : value;
+  const normalizedCandidate =
+    typeof candidate === "string" ? candidate.trim().toLowerCase() : candidate;
 
-  return undefined;
-}
+  // toRole will coerce/validate and fall back to "volunteer" for anything invalid.
+  return toRole(normalizedCandidate);
+};
 
-function serializeUser(doc: Record<string, unknown>): UserResource {
-  const role = sanitizeRoles(doc.roles ?? doc.role) ?? "volunteer";
+const serializeUser = (doc: Record<string, unknown>): UserResource => {
+  const role = ensureRole(doc.roles ?? doc.role);
   const createdAt: string = toIsoString(doc.createdAt) ?? formatNow();
 
   return {
     _id: String(doc._id),
     email: String(doc.email),
     name: doc.name ? String(doc.name) : "",
-    role: [role as "admin" | "staff" | "volunteer"],
+    role,
     enabled: typeof doc.enabled === "boolean" ? doc.enabled : true,
     createdAt: createdAt,
   };
-}
+};
 
 async function getUsers(db: Connection): Promise<UserResource[]> {
   const collection = db.collection(COLLECTION);
@@ -121,9 +114,10 @@ export const createUser: ApiHandler = async (req, res, db) => {
     const enabled = typeof draft.enabled === "boolean" ? draft.enabled : true;
 
     const now = new Date();
+    const normalizedRole = ensureRole(role);
     document = {
       email,
-      roles: role && ALLOWED_ROLES.has(role) ? [role] : ["volunteer"],
+      role: normalizedRole,
       enabled,
       createdAt: now,
       updatedAt: now,
@@ -219,34 +213,27 @@ export const updateUser: ApiHandler = async (req, res, db) => {
   }
 
   const draft = payload.user as Record<string, unknown>;
-  const update: Record<string, unknown> = {};
+  const updateSet: Record<string, unknown> = {};
+  const updateUnset: Record<string, "" | 0 | true> = {};
 
   try {
     if (draft.name !== undefined) {
       const name = sanitizeString(draft.name, "user.name");
-      update.name = name || null;
+      updateSet.name = name || null;
     }
 
     if (draft.role !== undefined) {
-      // Convert single role to roles array for database
-      const role =
-        typeof draft.role === "string"
-          ? draft.role.trim().toLowerCase()
-          : undefined;
-
-      if (role && ALLOWED_ROLES.has(role)) {
-        update.roles = [role];
-      } else if (role === null || role === undefined || role === "") {
-        update.roles = [];
-      } else {
-        throw new Error(
-          `Invalid role: ${role}. Allowed roles are: admin, staff, volunteer.`
-        );
+      const roleValue = sanitizeString(draft.role, "user.role", {
+        lowercase: true,
+      });
+      if (roleValue !== undefined) {
+        updateSet.role = ensureRole(roleValue);
+        updateUnset.roles = "";
       }
     }
 
     if (draft.enabled !== undefined) {
-      update.enabled =
+      updateSet.enabled =
         typeof draft.enabled === "boolean" ? draft.enabled : true;
     }
   } catch (error) {
@@ -263,7 +250,18 @@ export const updateUser: ApiHandler = async (req, res, db) => {
       return sendError(res, StatusCodes.NOT_FOUND, "User not found.");
     }
 
-    await collection.updateOne({ _id: userId }, { $set: update });
+    // Ensure the stored role complies with the new schema and migrate any legacy "roles" arrays.
+    updateSet.role = ensureRole(
+      updateSet.role ?? (existing as Record<string, unknown>).role ?? (existing as Record<string, unknown>).roles
+    );
+    updateUnset.roles = "";
+
+    const updateOps: Record<string, unknown> = { $set: updateSet };
+    if (Object.keys(updateUnset).length > 0) {
+      updateOps.$unset = updateUnset;
+    }
+
+    await collection.updateOne({ _id: userId }, updateOps);
     const updated = await collection.findOne({ _id: userId });
 
     if (!updated) {