diff --git a/docs/index.rst b/docs/index.rst
index 9bb4ca0..5cdd801 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -193,7 +193,7 @@ Roles
 -----
 
 Any user has one or more roles in the catalogue.
-The VRE Manager can only assign roles. 
+Only the VRE Manager can assign roles to VRE users. 
  
 
 The catalogue uses the following hierarchic roles:
@@ -213,7 +213,7 @@ The catalogue uses the following hierarchic roles:
 
 Another role that is not in the role hierarchy:
 
-Catalogue-Moderator:
+**Catalogue-Moderator**:
 	A user with such a role is capable of invoking the item moderation APIs.
 
 
diff --git a/src/main/java/org/gcube/gcat/persistence/ckan/CKANPackage.java b/src/main/java/org/gcube/gcat/persistence/ckan/CKANPackage.java
index f0496f6..0903990 100644
--- a/src/main/java/org/gcube/gcat/persistence/ckan/CKANPackage.java
+++ b/src/main/java/org/gcube/gcat/persistence/ckan/CKANPackage.java
@@ -352,7 +352,7 @@ public class CKANPackage extends CKAN implements Moderated {
 		return objectNode;
 	}
 	
-	protected JsonNode validateJso(String json) {
+	protected JsonNode validateJson(String json) {
 		try {
 			// check base information (and set them if needed)
 			ObjectNode objectNode = checkBaseInformation(json);
diff --git a/src/main/java/org/gcube/gcat/persistence/ckan/CKANUser.java b/src/main/java/org/gcube/gcat/persistence/ckan/CKANUser.java
index 39b24aa..c912b50 100644
--- a/src/main/java/org/gcube/gcat/persistence/ckan/CKANUser.java
+++ b/src/main/java/org/gcube/gcat/persistence/ckan/CKANUser.java
@@ -6,6 +6,7 @@ import javax.ws.rs.InternalServerErrorException;
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Response.Status;
 
+import org.gcube.com.fasterxml.jackson.databind.node.ArrayNode;
 import org.gcube.com.fasterxml.jackson.databind.node.ObjectNode;
 import org.gcube.common.authorization.utils.manager.SecretManagerProvider;
 import org.gcube.common.authorization.utils.user.User;
@@ -47,6 +48,8 @@ public class CKANUser extends CKAN {
 	
 	private static final String API_KEY = "apikey";
 	
+	public static final String PORTAL_ROLES = "portal_roles";
+	
 	protected Role role;
 	protected Boolean catalogueModerator;
 	
@@ -187,15 +190,32 @@ public class CKANUser extends CKAN {
 		}
 	}
 	
-	protected void parseResult() {
+	protected String parseResult() {
 		name = result.get(NAME).asText();
-		try {
-			apiKey = result.get(API_KEY).asText();
-		}catch (Exception e) {
-			if(name.compareTo(getCKANUsername())==0) {
-				throw e;
+		
+		// Only managers can read Ckan API key
+		if(getRole().ordinal()<Role.MANAGER.ordinal()) {
+			try {
+				apiKey = result.get(API_KEY).asText();
+			}catch (Exception e) {
+				// The user reading its own Ckan profile must be able to read its API key
+				if(name.compareTo(getCKANUsername())==0) {
+					throw e;
+				}
+			}
+		}else {
+			((ObjectNode) result).remove(API_KEY);
+		}
+		
+		if(name.compareTo(getCKANUsername())==0) {
+			ArrayNode roles = ((ObjectNode) result).putArray(PORTAL_ROLES);
+			roles.add(getRole().getPortalRole());
+			if(isCatalogueModerator()) {
+				roles.add(Moderated.CATALOGUE_MODERATOR);
 			}
 		}
+		
+		return getAsString(result);
 	}
 	
 	protected static String getCKANUsername(String username) {
@@ -218,9 +238,21 @@ public class CKANUser extends CKAN {
 		return getCKANUsername(username);
 	}
 	
+	public String create(String json) {
+		super.create(json);
+		String ret = parseResult();
+		return ret;
+	}
+	
 	public String read() {
-		String ret = super.read();
-		parseResult();
+		super.read();
+		String ret = parseResult();
+		return ret;
+	}
+	
+	public String update(String json) {
+		super.update(json);
+		String ret = parseResult();
 		return ret;
 	}
 	
diff --git a/src/main/java/org/gcube/gcat/rest/administration/User.java b/src/main/java/org/gcube/gcat/rest/administration/User.java
index f00e46d..1358fcd 100644
--- a/src/main/java/org/gcube/gcat/rest/administration/User.java
+++ b/src/main/java/org/gcube/gcat/rest/administration/User.java
@@ -99,6 +99,13 @@ public class User extends REST<CKANUser> implements org.gcube.gcat.api.interface
 	}
 	
 	/**
+	 * Read the profile of the user in Ckan
+	 * The <code>apikey</code> to interact directly with Ckan are returned only for Catalogue-Managers
+	 * and only for its own profile.
+	 * 
+	 * The service add the user's role in <code>portal_role</code> property when the user read its own profile.
+	 * See <a href="../docs/index.html#roles">Roles</a> section for more information.
+	 * 
 	 * @pathExample /users/luca_frosini
 	 * @responseExample application/json;charset=UTF-8 classpath:/api-docs-examples/user/read-user-response.json
 	 */