diff --git a/.github/ISSUE_TEMPLATE/release_cleanup.md b/.github/ISSUE_TEMPLATE/release_cleanup.md
index 63cf1b86..7b623c80 100644
--- a/.github/ISSUE_TEMPLATE/release_cleanup.md
+++ b/.github/ISSUE_TEMPLATE/release_cleanup.md
@@ -20,13 +20,14 @@ TBA
 - [ ] Review code style and cleanup if needed
 - [ ] Review and update doc entries if needed
 - [ ] Ensure all relevant updates are in `CHANGELOG` and major changes doc
-- [ ] Ensure new version is in `CORE_API_ALLOWED_VERSIONS`
+- [ ] Ensure REST API versions are up to date and documented
 - [ ] Upgrade version number of pypi package references in `README` and docs
 - [ ] Upgrade docs config version number (usually at `x.y.z-WIP` when developing)
 - [ ] Update latest version info in `codemeta.json`
 - [ ] Update version number and date in `CHANGELOG`
 - [ ] Update version number and date in `Major Changes` doc
 - [ ] Ensure docs can be built without errors
+- [ ] Ensure `generateschema` runs without errors or warnings (until in CI)
 
 ## Notes
 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 98f5b549..adddbc6a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -7,12 +7,12 @@ jobs:
     strategy:
       matrix:
         python-version:
-          - '3.8'
           - '3.9'
           - '3.10'
+          - '3.11'
     services:
       postgres:
-        image: postgres:11
+        image: postgres:16
         env:
           POSTGRES_DB: sodar_core
           POSTGRES_USER: sodar_core
@@ -44,7 +44,7 @@ jobs:
         run: git fetch --prune --unshallow
       - name: Install project Python dependencies
         run: |
-          pip install "wheel>=0.38.4, <0.39"
+          pip install "wheel>=0.42.0, <0.43"
           pip install -r requirements/local.txt
           pip install -r requirements/test.txt
       - name: Download icons
@@ -58,13 +58,13 @@ jobs:
           coverage report
       - name: Check linting
         run: flake8 .
-        if: ${{ matrix.python-version == '3.8' }}
+        if: ${{ matrix.python-version == '3.11' }}
       - name: Check formatting
         run: make black arg=--check
-        if: ${{ matrix.python-version == '3.8' }}
+        if: ${{ matrix.python-version == '3.11' }}
       - name: Report coverage with Coveralls
         uses: coverallsapp/github-action@master
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           path-to-lcov: './coverage.lcov'
-        if: ${{ matrix.python-version == '3.8' }}
+        if: ${{ matrix.python-version == '3.11' }}
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 978559aa..50ff3302 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,7 +1,7 @@
-image: python:3.8
+image: python:3.11
 
 services:
-  - postgres:11
+  - postgres:16
 
 variables:
   POSTGRES_DB: sodar_core
diff --git a/.readthedocs.yaml b/.readthedocs.yaml
index efde0f22..39db7786 100644
--- a/.readthedocs.yaml
+++ b/.readthedocs.yaml
@@ -8,7 +8,7 @@ version: 2
 build:
   os: ubuntu-20.04
   tools:
-    python: '3.8'
+    python: '3.11'
 
 # Build documentation in the docs/ directory with Sphinx
 sphinx:
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 6e2562aa..10a76842 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -5,6 +5,150 @@ Changelog for the **SODAR Core** Django app package. Loosely follows the
 `Keep a Changelog <http://keepachangelog.com/en/1.0.0/>`_ guidelines.
 
 
+v1.0.0 (2024-07-19)
+===================
+
+Added
+-----
+
+- **General**
+    - Python v3.11 support (#1157)
+    - Flake8 rule in ``Makefile`` (#1387)
+    - OpenID Connect (OIDC) authentication support (#1367)
+- **Adminalerts**
+    - Admin alert email sending (#415)
+    - ``notify_email_alert`` app setting (#415)
+- **Filesfolders**
+    - Optional pagination for REST API list views (#1313)
+- **Projectroles**
+    - ``full_title`` field in ``ProjectSerializer`` and API views (#1314)
+    - Custom password argument in ``createdevusers`` management command (#1393)
+    - ``PluginObjectLink`` data class in plugins (#1343)
+    - ``PluginSearchResult`` data class in plugins (#1399)
+    - Target user ``sodar_uuid`` updating in remote sync (#1316, #1317)
+    - Update local user data in remote sync (#1407)
+    - ``USER`` scope settings in remote sync (#1322)
+    - ``AppLinkContent`` utility class (#1380, #1381)
+    - ``checkusers`` management command (#1410)
+    - ``SODARPageNumberPagination`` pagination class (#1313)
+    - Optional pagination for REST API list views (#1313)
+    - Email notification opt-out settings (#1417, #1418)
+    - CC and BCC field support in sending generic emails (#415)
+    - ``SODARUserAdditionalEmail`` model (#874)
+    - ``is_source_site()`` and ``is_target_site()`` rule predicates
+    - ``settings_link`` kwarg in ``send_generic_email()`` (#1418)
+    - ``addremotesite`` and ``syncgroups`` command tests (#352)
+    - ``RemoteSite.owner_modifiable`` field (#817)
+    - ``assert_displayed()`` UI test helper
+    - ``RemoteProjectAccessAjaxView`` Ajax view (#1358)
+    - Remote project access status updating in project detail view (#1358)
+    - ``SidebarContentAjaxView`` for sidebar and project dropdown content retrieval (#1366)
+    - ``UserDropdownContentAjaxView`` for user dropdown content retrieval (#1366, #1392)
+    - ``SODARUser.get_auth_type()`` helper (#1367)
+    - ``ProjectInvite.is_ldap()`` helper (#1367)
+    - ``AppSettingAPI.is_set()`` helper (#1450)
+    - ``checks`` module for Django checks (#504)
+    - Django check for enabled auth methods (#1451)
+- **Timeline**
+    - ``sodar_uuid`` field in ``TimelineEventObjectRef`` model (#1415)
+    - REST API views (#1350)
+    - ``get_project()`` helpers in ``TimelineEvent`` and ``TimelineEventObjectRef`` (#1350)
+    - Optional pagination for REST API list views (#1313)
+- **Userprofile**
+    - Additional email address management and verification (#874)
+
+Changed
+-------
+
+- **General**
+    - Upgrade to Django v4.2 (#880)
+    - Upgrade minimum PostgreSQL version to v12 (#1074)
+    - Upgrade to PostgreSQL v16 in CI (#1074)
+    - Upgrade general Python dependencies (#1374)
+    - Reformat with black v24.3.0 (#1374)
+    - Update download URL in ``get_chromedriver_url.py`` (#1385)
+    - Add ``AUTH_LDAP_USER_SEARCH_BASE`` as a Django setting (#1410)
+    - Change ``ATOMIC_REQUESTS`` recommendation and default to ``True`` (#1281)
+    - Add OpenAPI dependencies (#1444)
+    - Squash migrations (#1446)
+- **Filesfolders**
+    - Add migration required by Django v4.2 (#1396)
+    - Add app specific media type and versioning (#1278)
+- **Projectroles**
+    - Rename ``AppSettingAPI`` ``app_name`` arguments to ``plugin_name`` (#1285)
+    - Default password in ``createdevusers`` management command (#1390)
+    - Deprecate ``local`` in app settings, use ``global`` instead (#1319)
+    - Enforce optional handling of app settings ``global`` attributes (#1395)
+    - Expect ``get_object_link()`` plugin methods to return ``PluginObjectLink`` (#1343)
+    - Deprecate returning ``dict`` from ``get_object_link()`` (#1343)
+    - Expect ``search()`` plugin methods to return list of ``PluginSearchResult`` objects (#1399)
+    - Deprecate returning ``dict`` from ``search()`` (#1399)
+    - Update core API view media type and versioning (#1278, #1406)
+    - Separate projectroles and remote sync API media types and versioning (#1278)
+    - Rename base test classes for consistency (#1259)
+    - Prevent setting global user app settings on target site in ``AppSettingAPI`` (#1329)
+    - Move project app link logic in ``AppLinkContent`` (#1380)
+    - Move user dropdown link logic in ``AppLinkContent`` (#1381, #1413)
+    - Do not recreate ``AppSetting`` objects on remote sync update (#1409)
+    - Enforce project and site uniqueness in ``RemoteProject`` model (#1433)
+    - Remove redundant permission check in ``project_detail.html`` (#1438)
+    - Move sidebar, project dropdown and user dropdown creation to ``utils`` (#1366)
+    - Refactor ``ProjectInviteProcessMixin.get_invite_type()`` into ``ProjectInvite.is_ldap()`` (#1367)
+- **Sodarcache**
+    - Rewrite REST API views (#498, #1389)
+    - Raise ``update_cache()`` exception for ``synccache`` in debug mode (#1375)
+- **Timeline**
+    - Update ``get_object_link()`` usage for ``PluginObjectLink`` return data (#1343)
+    - Rename ``ProjectEvent*`` models to ``TimelineEvent*`` (#1414)
+    - Move event name from separate column into badge (#1370)
+    - Use constants for event status types (#973)
+- **Userprofile**
+    - Disable global user settings on target site in ``UserSettingsForm`` (#1329)
+
+Fixed
+-----
+
+- **General**
+    - ``README.rst`` badge rendering (#1402)
+- **Filesfolders**
+    - OpenAPI ``generateschema`` errors and warnings (#1442)
+- **Projectroles**
+    - ``SODARUser.update_full_name()`` not working with existing name (#1371)
+    - Legacy public guest access in child category breaks category updating (#1404)
+    - Incorrect DAL widget highlight colour after upgrade (#1412)
+    - ``ProjectStarringAjaxView`` creating redundant database objects (#1416)
+    - ``addremotesite`` crash in ``TimelineAPI.add_event()`` (#1425)
+    - ``addremotesite`` allows creation of site with mode identical to host (#1426)
+    - Public guest access field not correctly hidden in project form (#1429)
+    - Revoked remote projects displayed in project detail view (#1432)
+    - Invalid URLs for remote peer projects in project detail view (#1435)
+    - Redundant ``Project.get_source_site()`` calls in project detail view (#1436)
+    - ``RemoteSite.get_access_date()`` invalid date sorting (#1437)
+    - OpenAPI ``generateschema`` compatibility (#1440, #1442)
+    - ``ProjectCreateView`` allows ``POST`` with disabled target project creation (#1448)
+    - Plugin existence not explicitly checked in ``AppSettingAPI.set()`` update query (#1452)
+    - ``search_advanced.html`` header layout (#1453)
+- **Sodarcache**
+    - REST API set view ``app_name`` incorrectly set (#1405)
+- **Timeline**
+    - OpenAPI ``generateschema`` warnings (#1442)
+
+Removed
+-------
+
+- **General**
+    - SAML support (#1368)
+    - Python v3.8 support (#1382)
+- **Projectroles**
+    - ``PROJECTROLES_HIDE_APP_LINKS`` setting (#1143)
+    - ``CORE_API_*`` Django settings (#1278)
+    - Project starring timeline event creation (#1294)
+    - ``user_email_additional`` app setting (#874)
+    - ``get_visible_projects()`` template tag (#1432)
+    - App setting value max length limit (#1443)
+    - Redundant project permission in ``UserSettingRetrieveAPIView`` (#1449)
+
+
 v0.13.4 (2024-02-16)
 ====================
 
diff --git a/Makefile b/Makefile
index 0c199696..723dd00c 100644
--- a/Makefile
+++ b/Makefile
@@ -4,6 +4,7 @@ define USAGE=
 @echo -e
 @echo -e "Usage:"
 @echo -e "\tmake black [arg=--<arg>]                 -- black formatting"
+@echo -e "\tmake flake                               -- run flake8"
 @echo -e "\tmake celery                              -- start celery worker"
 @echo -e "\tmake serve                               -- start source server"
 @echo -e "\tmake serve_target                        -- start target server"
@@ -25,6 +26,11 @@ black:
 	black . -l 80 --skip-string-normalization --exclude ".git|.venv|.tox|build|env|src|docs|migrations|versioneer.py" $(arg)
 
 
+.PHONY: flake
+flake:
+	flake8 .
+
+
 .PHONY: celery
 celery:
 	celery -A config worker -l info --beat
diff --git a/README.rst b/README.rst
index ea5ed9dd..6964883d 100644
--- a/README.rst
+++ b/README.rst
@@ -1,28 +1,30 @@
 SODAR Core
 ^^^^^^^^^^
 
-.. image:: https://badge.fury.io/py/django-sodar-core.svg
+.. |b1| image:: https://badge.fury.io/py/django-sodar-core.svg
     :target: https://badge.fury.io/py/django-sodar-core
 
-.. image:: https://github.com/bihealth/sodar-core/actions/workflows/build.yml/badge.svg
+.. |b2| image:: https://github.com/bihealth/sodar-core/actions/workflows/build.yml/badge.svg
     :target: https://github.com/bihealth/sodar-core/actions?query=workflow%3ABuild
 
-.. image:: https://coveralls.io/repos/github/bihealth/sodar-core/badge.svg?branch=main
+.. |b3| image:: https://coveralls.io/repos/github/bihealth/sodar-core/badge.svg?branch=main
     :target: https://coveralls.io/github/bihealth/sodar-core?branch=main
 
-.. image:: https://img.shields.io/badge/License-MIT-green.svg
+.. |b4| image:: https://img.shields.io/badge/License-MIT-green.svg
     :target: https://opensource.org/licenses/MIT
 
-.. image:: https://img.shields.io/badge/code%20style-black-000000.svg
+.. |b5| image:: https://img.shields.io/badge/code%20style-black-000000.svg
     :target: https://github.com/ambv/black
 
-.. image:: https://readthedocs.org/projects/sodar-core/badge/?version=latest
+.. |b6| image:: https://readthedocs.org/projects/sodar-core/badge/?version=latest
     :target: https://sodar-core.readthedocs.io/en/latest/?badge=latest
     :alt: Documentation Status
 
-.. image:: https://zenodo.org/badge/DOI/10.5281/zenodo.4269346.svg
+.. |b7| image:: https://zenodo.org/badge/DOI/10.5281/zenodo.4269346.svg
     :target: https://doi.org/10.5281/zenodo.4269346
 
+|b1| |b2| |b3| |b4| |b5| |b6| |b7|
+
 SODAR Core is a framework for Django web application development.
 
 It was conceived to facilitate the creation of scientific data management and
@@ -115,7 +117,7 @@ and breaking changes are possible.
 
 .. code-block:: console
 
-    pip install django-sodar-core==0.13.4
+    pip install django-sodar-core==1.0.0
 
 For installing a development version you can point your dependency to a specific
 commit ID in GitHub. Note that these versions may not be stable.
diff --git a/adminalerts/forms.py b/adminalerts/forms.py
index b0e5f637..cf6f341b 100644
--- a/adminalerts/forms.py
+++ b/adminalerts/forms.py
@@ -9,9 +9,20 @@
 from adminalerts.models import AdminAlert
 
 
+# Local constants
+EMAIL_HELP_CREATE = 'Send alert as email to all users on this site'
+EMAIL_HELP_UPDATE = 'Send updated alert as email to all users on this site'
+
+
 class AdminAlertForm(SODARModelForm):
     """Form for AdminAlert creation/updating"""
 
+    send_email = forms.BooleanField(
+        initial=True,
+        label='Send alert as email',
+        required=False,
+    )
+
     class Meta:
         model = AdminAlert
         fields = [
@@ -19,6 +30,7 @@ class Meta:
             'date_expire',
             'active',
             'require_auth',
+            'send_email',
             'description',
         ]
 
@@ -40,13 +52,17 @@ def __init__(self, current_user=None, *args, **kwargs):
 
         # Creation
         if not self.instance.pk:
-            self.fields[
-                'date_expire'
-            ].initial = timezone.now() + timezone.timedelta(days=1)
+            self.initial['date_expire'] = timezone.now() + timezone.timedelta(
+                days=1
+            )
+            self.fields['send_email'].help_text = EMAIL_HELP_CREATE
         # Updating
         else:  # self.instance.pk
             # Set description value as raw markdown
             self.initial['description'] = self.instance.description.raw
+            self.fields['send_email'].help_text = EMAIL_HELP_UPDATE
+            # Sending email for update should be false by default
+            self.initial['send_email'] = False
 
     def clean(self):
         """Custom form validation and cleanup"""
diff --git a/adminalerts/migrations/0001_squashed_0006_adminalert_require_auth.py b/adminalerts/migrations/0001_squashed_0006_adminalert_require_auth.py
new file mode 100644
index 00000000..f2ee5eda
--- /dev/null
+++ b/adminalerts/migrations/0001_squashed_0006_adminalert_require_auth.py
@@ -0,0 +1,113 @@
+# Generated by Django 4.2.14 on 2024-07-16 09:17
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+import markupfield.fields
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    replaces = [
+        ('adminalerts', '0001_initial'),
+        ('adminalerts', '0002_adminalert_user'),
+        ('adminalerts', '0003_auto_20180802_1558'),
+        ('adminalerts', '0004_rename_uuid'),
+        ('adminalerts', '0005_update_uuid'),
+        ('adminalerts', '0006_adminalert_require_auth'),
+    ]
+
+    initial = True
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='AdminAlert',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                (
+                    'message',
+                    models.CharField(
+                        help_text='Alert message to be shown for users', max_length=255
+                    ),
+                ),
+                (
+                    'description',
+                    markupfield.fields.MarkupField(
+                        blank=True,
+                        help_text='Full description of alert (optional, will be shown on a separate page)',
+                        null=True,
+                        rendered_field=True,
+                    ),
+                ),
+                (
+                    'date_created',
+                    models.DateTimeField(
+                        auto_now_add=True, help_text='Alert creation timestamp'
+                    ),
+                ),
+                (
+                    'date_expire',
+                    models.DateTimeField(help_text='Alert expiration timestamp'),
+                ),
+                (
+                    'active',
+                    models.BooleanField(
+                        default=True,
+                        help_text='Alert status (for disabling the alert before expiration)',
+                    ),
+                ),
+                (
+                    'sodar_uuid',
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        help_text='Adminalerts SODAR UUID',
+                        unique=True,
+                    ),
+                ),
+                (
+                    'user',
+                    models.ForeignKey(
+                        help_text='Superuser who has set the alert',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='alerts',
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+                ('_description_rendered', models.TextField(editable=False, null=True)),
+                (
+                    'description_markup_type',
+                    models.CharField(
+                        choices=[
+                            ('', '--'),
+                            ('html', 'HTML'),
+                            ('plain', 'Plain'),
+                            ('markdown', 'Markdown'),
+                            ('restructuredtext', 'Restructured Text'),
+                        ],
+                        default='markdown',
+                        editable=False,
+                        max_length=30,
+                    ),
+                ),
+                (
+                    'require_auth',
+                    models.BooleanField(
+                        default=True, help_text='Require authorization to view alert'
+                    ),
+                ),
+            ],
+        ),
+    ]
diff --git a/adminalerts/models.py b/adminalerts/models.py
index 851e829c..1770a99a 100644
--- a/adminalerts/models.py
+++ b/adminalerts/models.py
@@ -73,9 +73,11 @@ class AdminAlert(models.Model):
     def __str__(self):
         return '{}{}'.format(
             self.message,
-            ' [ACTIVE]'
-            if (self.active and self.date_expire > timezone.now())
-            else '',
+            (
+                ' [ACTIVE]'
+                if (self.active and self.date_expire > timezone.now())
+                else ''
+            ),
         )
 
     def __repr__(self):
diff --git a/adminalerts/plugins.py b/adminalerts/plugins.py
index 22d941e8..0e48682e 100644
--- a/adminalerts/plugins.py
+++ b/adminalerts/plugins.py
@@ -4,12 +4,17 @@
 from django.utils import timezone
 
 # Projectroles dependency
+from projectroles.models import SODAR_CONSTANTS
 from projectroles.plugins import SiteAppPluginPoint
 
 from adminalerts.models import AdminAlert
 from adminalerts.urls import urlpatterns
 
 
+# SODAR constants
+APP_SETTING_SCOPE_USER = SODAR_CONSTANTS['APP_SETTING_SCOPE_USER']
+
+
 class SiteAppPlugin(SiteAppPluginPoint):
     """Projectroles plugin for registering the app"""
 
@@ -22,6 +27,22 @@ class SiteAppPlugin(SiteAppPluginPoint):
     #: UI URLs
     urls = urlpatterns
 
+    #: App settings definition
+    app_settings = {
+        'notify_email_alert': {
+            'scope': APP_SETTING_SCOPE_USER,
+            'type': 'BOOLEAN',
+            'default': True,
+            'label': 'Receive email for admin alerts',
+            'description': (
+                'Receive email for important administrator alerts regarding '
+                'e.g. site downtime.'
+            ),
+            'user_modifiable': True,
+            'global': False,
+        }
+    }
+
     #: Iconify icon
     icon = 'mdi:alert'
 
diff --git a/adminalerts/tests/test_permissions.py b/adminalerts/tests/test_permissions.py
index 48d73ef6..46d16336 100644
--- a/adminalerts/tests/test_permissions.py
+++ b/adminalerts/tests/test_permissions.py
@@ -4,12 +4,12 @@
 from django.urls import reverse
 
 # Projectroles dependency
-from projectroles.tests.test_permissions import TestSiteAppPermissionBase
+from projectroles.tests.test_permissions import SiteAppPermissionTestBase
 
 from adminalerts.tests.test_models import AdminAlertMixin
 
 
-class AdminalertsPermissionTestBase(AdminAlertMixin, TestSiteAppPermissionBase):
+class AdminalertsPermissionTestBase(AdminAlertMixin, SiteAppPermissionTestBase):
     """Base test class for adminalerts UI view permission tests"""
 
     def setUp(self):
diff --git a/adminalerts/tests/test_permissions_ajax.py b/adminalerts/tests/test_permissions_ajax.py
index 9c2bb9e7..d16e55d2 100644
--- a/adminalerts/tests/test_permissions_ajax.py
+++ b/adminalerts/tests/test_permissions_ajax.py
@@ -4,13 +4,13 @@
 from django.urls import reverse
 
 # Projectroles dependency
-from projectroles.tests.test_permissions import TestSiteAppPermissionBase
+from projectroles.tests.test_permissions import SiteAppPermissionTestBase
 
 from adminalerts.tests.test_models import AdminAlertMixin
 
 
 class TestAdminAlertActiveToggleAjaxView(
-    AdminAlertMixin, TestSiteAppPermissionBase
+    AdminAlertMixin, SiteAppPermissionTestBase
 ):
     """Permission tests for AdminAlertActiveToggleAjaxView"""
 
diff --git a/adminalerts/tests/test_ui.py b/adminalerts/tests/test_ui.py
index c97bc8b3..9dce5b9f 100644
--- a/adminalerts/tests/test_ui.py
+++ b/adminalerts/tests/test_ui.py
@@ -7,12 +7,12 @@
 from selenium.webdriver.common.by import By
 
 # Projectroles dependency
-from projectroles.tests.test_ui import TestUIBase
+from projectroles.tests.test_ui import UITestBase
 
 from adminalerts.tests.test_models import AdminAlertMixin
 
 
-class TestAlertUIBase(AdminAlertMixin, TestUIBase):
+class AdminAlertUITestBase(AdminAlertMixin, UITestBase):
     def setUp(self):
         super().setUp()
         # Create users
@@ -30,7 +30,7 @@ def setUp(self):
         )
 
 
-class TestAlertMessage(TestAlertUIBase):
+class TestAlertMessage(AdminAlertUITestBase):
     """Tests for the admin alert message"""
 
     def test_message(self):
@@ -78,7 +78,7 @@ def test_message_login_no_auth(self):
         )
 
 
-class TestListView(TestAlertUIBase):
+class TestListView(AdminAlertUITestBase):
     """Tests for the admin alert list view"""
 
     def test_list_items(self):
diff --git a/adminalerts/tests/test_views.py b/adminalerts/tests/test_views.py
index 54490fab..9143ead5 100644
--- a/adminalerts/tests/test_views.py
+++ b/adminalerts/tests/test_views.py
@@ -1,15 +1,49 @@
 """Tests for UI views in the adminalerts app"""
+
+from django.conf import settings
+from django.core import mail
 from django.urls import reverse
 from django.utils import timezone
 
 from test_plus.test import TestCase
 
+# Projectroles dependency
+from projectroles.app_settings import AppSettingAPI
+from projectroles.tests.test_models import SODARUserAdditionalEmailMixin
+
 from adminalerts.models import AdminAlert
 from adminalerts.tests.test_models import AdminAlertMixin
+from adminalerts.views import EMAIL_SUBJECT
+
+
+app_settings = AppSettingAPI()
 
 
-class TestViewsBase(AdminAlertMixin, TestCase):
-    """Base class for view testing"""
+# Local constants
+APP_NAME = 'adminalerts'
+ALERT_MSG = 'New alert'
+ALERT_MSG_UPDATED = 'Updated alert'
+ALERT_DESC = 'Description'
+ALERT_DESC_UPDATED = 'Updated description'
+ALERT_DESC_MARKDOWN = '## Description'
+EMAIL_DESC_LEGEND = 'Additional details'
+ADD_EMAIL = 'add1@example.com'
+ADD_EMAIL2 = 'add2@example.com'
+
+
+class AdminalertsViewTestBase(
+    AdminAlertMixin, SODARUserAdditionalEmailMixin, TestCase
+):
+    """Base class for adminalerts view testing"""
+
+    def _make_alert(self):
+        return self.make_alert(
+            message=ALERT_MSG,
+            user=self.superuser,
+            description=ALERT_DESC,
+            active=True,
+            require_auth=True,
+        )
 
     def setUp(self):
         # Create users
@@ -17,27 +51,23 @@ def setUp(self):
         self.superuser.is_superuser = True
         self.superuser.is_staff = True
         self.superuser.save()
-        self.regular_user = self.make_user('regular_user')
+        self.user_regular = self.make_user('user_regular')
         # No user
         self.anonymous = None
-        # Create alert
-        self.alert = self.make_alert(
-            message='alert',
-            user=self.superuser,
-            description='description',
-            active=True,
-            require_auth=True,
-        )
         self.expiry_str = (
             timezone.now() + timezone.timedelta(days=1)
         ).strftime('%Y-%m-%d')
 
 
-class TestAdminAlertListView(TestViewsBase):
-    """Tests for the alert list view"""
+class TestAdminAlertListView(AdminalertsViewTestBase):
+    """Tests for AdminAlertListView"""
 
-    def test_render(self):
-        """Test rendering of the alert list view"""
+    def setUp(self):
+        super().setUp()
+        self.alert = self._make_alert()
+
+    def test_get(self):
+        """Test AdminAlertListView GET"""
         with self.login(self.superuser):
             response = self.client.get(reverse('adminalerts:list'))
         self.assertEqual(response.status_code, 200)
@@ -45,11 +75,15 @@ def test_render(self):
         self.assertEqual(response.context['object_list'][0].pk, self.alert.pk)
 
 
-class TestAdminAlertDetailView(TestViewsBase):
-    """Tests for the alert detail view"""
+class TestAdminAlertDetailView(AdminalertsViewTestBase):
+    """Tests for AdminAlertDetailView"""
+
+    def setUp(self):
+        super().setUp()
+        self.alert = self._make_alert()
 
-    def test_render(self):
-        """Test rendering of the alert detail view"""
+    def test_get(self):
+        """Test AdminAlertDetailView GET"""
         with self.login(self.superuser):
             response = self.client.get(
                 reverse(
@@ -61,146 +95,314 @@ def test_render(self):
         self.assertEqual(response.context['object'], self.alert)
 
 
-class TestAdminAlertCreateView(TestViewsBase):
-    """Tests for the alert creation view"""
+class TestAdminAlertCreateView(AdminalertsViewTestBase):
+    """Tests for AdminAlertCreateView"""
 
-    def test_render(self):
-        """Test rendering of the alert creation view"""
+    def _get_post_data(self, **kwargs):
+        ret = {
+            'message': ALERT_MSG,
+            'description': ALERT_DESC,
+            'date_expire': self.expiry_str,
+            'active': True,
+            'require_auth': True,
+            'send_email': True,
+        }
+        ret.update(**kwargs)
+        return ret
+
+    def setUp(self):
+        super().setUp()
+        self.url = reverse('adminalerts:create')
+
+    def test_get(self):
+        """Test AdminAlertCreateView GET"""
         with self.login(self.superuser):
-            response = self.client.get(reverse('adminalerts:create'))
+            response = self.client.get(self.url)
         self.assertEqual(response.status_code, 200)
 
-    def test_create(self):
-        """Test creating an admin alert"""
-        self.assertEqual(AdminAlert.objects.all().count(), 1)
-        post_data = {
-            'message': 'new alert',
-            'description': 'description',
-            'date_expire': self.expiry_str,
-            'active': 1,
-            'require_auth': 1,
-        }
+    def test_post(self):
+        """Test POST"""
+        self.assertEqual(AdminAlert.objects.all().count(), 0)
+        self.assertEqual(len(mail.outbox), 0)
+        data = self._get_post_data()
         with self.login(self.superuser):
-            response = self.client.post(
-                reverse('adminalerts:create'), post_data
-            )
+            response = self.client.post(self.url, data)
         self.assertEqual(response.status_code, 302)
         self.assertEqual(response.url, reverse('adminalerts:list'))
-        self.assertEqual(AdminAlert.objects.all().count(), 2)
-
-    def test_create_expired(self):
-        """Test creating an admin alert with and old date_expiry (should fail)"""
         self.assertEqual(AdminAlert.objects.all().count(), 1)
-        expiry_fail = (timezone.now() + timezone.timedelta(days=-1)).strftime(
-            '%Y-%m-%d'
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertIn(
+            EMAIL_SUBJECT.format(state='New', message=ALERT_MSG),
+            mail.outbox[0].subject,
         )
-        post_data = {
-            'message': 'new alert',
-            'description': 'description',
-            'date_expire': expiry_fail,
-            'active': 1,
-            'require_auth': 1,
-        }
+        self.assertEqual(
+            mail.outbox[0].recipients(),
+            [settings.EMAIL_SENDER, self.user_regular.email],
+        )
+        self.assertEqual(mail.outbox[0].to, [settings.EMAIL_SENDER])
+        self.assertEqual(mail.outbox[0].bcc, [self.user_regular.email])
+        self.assertIn(ALERT_MSG, mail.outbox[0].body)
+        self.assertIn(EMAIL_DESC_LEGEND, mail.outbox[0].body)
+        self.assertIn(ALERT_DESC, mail.outbox[0].body)
+
+    def test_post_no_description(self):
+        """Test POST with no description"""
+        self.assertEqual(len(mail.outbox), 0)
+        data = self._get_post_data(description='')
         with self.login(self.superuser):
-            response = self.client.post(
-                reverse('adminalerts:create'), post_data
-            )
-        self.assertEqual(response.status_code, 200)
-        self.assertEqual(AdminAlert.objects.all().count(), 1)
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertIn(ALERT_MSG, mail.outbox[0].body)
+        self.assertNotIn(EMAIL_DESC_LEGEND, mail.outbox[0].body)
 
+    def test_post_markdown_description(self):
+        """Test POST with markdown description"""
+        self.assertEqual(len(mail.outbox), 0)
+        data = self._get_post_data(description=ALERT_DESC_MARKDOWN)
+        with self.login(self.superuser):
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertIn(ALERT_MSG, mail.outbox[0].body)
+        self.assertIn(EMAIL_DESC_LEGEND, mail.outbox[0].body)
+        # Description should be provided in raw format
+        self.assertIn(ALERT_DESC_MARKDOWN, mail.outbox[0].body)
 
-class TestAdminAlertUpdateView(TestViewsBase):
-    """Tests for the alert update view"""
+    def test_post_no_email(self):
+        """Test POST with no email to be sent"""
+        self.assertEqual(len(mail.outbox), 0)
+        data = self._get_post_data(send_email=False)
+        with self.login(self.superuser):
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(len(mail.outbox), 0)
 
-    def test_render(self):
-        """Test rendering of the alert update view"""
+    def test_post_inactive(self):
+        """Test POST with inactive state"""
+        self.assertEqual(len(mail.outbox), 0)
+        data = self._get_post_data(active=False)
         with self.login(self.superuser):
-            response = self.client.get(
-                reverse(
-                    'adminalerts:update',
-                    kwargs={'adminalert': self.alert.sodar_uuid},
-                )
-            )
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(len(mail.outbox), 0)
+
+    def test_post_multiple_users(self):
+        """Test POST with multiple users"""
+        user_new = self.make_user('user_new')
+        self.assertEqual(len(mail.outbox), 0)
+        data = self._get_post_data()
+        with self.login(self.superuser):
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(
+            mail.outbox[0].recipients(),
+            [settings.EMAIL_SENDER, user_new.email, self.user_regular.email],
+        )
+        self.assertIn(ALERT_MSG, mail.outbox[0].body)
+        self.assertIn(EMAIL_DESC_LEGEND, mail.outbox[0].body)
+        self.assertIn(ALERT_DESC, mail.outbox[0].body)
+
+    def test_post_add_email_regular_user(self):
+        """Test POST with additional emails on regular user"""
+        self.make_email(self.user_regular, ADD_EMAIL)
+        self.make_email(self.user_regular, ADD_EMAIL2)
+        self.assertEqual(len(mail.outbox), 0)
+        data = self._get_post_data()
+        with self.login(self.superuser):
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(
+            mail.outbox[0].recipients(),
+            [
+                settings.EMAIL_SENDER,
+                self.user_regular.email,
+                ADD_EMAIL,
+                ADD_EMAIL2,
+            ],
+        )
+
+    def test_post_add_email_regular_user_unverified(self):
+        """Test POST with additional and unverified emails on regular user"""
+        self.make_email(self.user_regular, ADD_EMAIL)
+        self.make_email(self.user_regular, ADD_EMAIL2, verified=False)
+        self.assertEqual(len(mail.outbox), 0)
+        data = self._get_post_data()
+        with self.login(self.superuser):
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(
+            mail.outbox[0].recipients(),
+            [
+                settings.EMAIL_SENDER,
+                self.user_regular.email,
+                ADD_EMAIL,
+            ],
+        )
+
+    def test_post_add_email_superuser(self):
+        """Test POST with additional emails on superuser"""
+        self.make_email(self.superuser, ADD_EMAIL)
+        self.make_email(self.superuser, ADD_EMAIL2)
+        self.assertEqual(len(mail.outbox), 0)
+        data = self._get_post_data()
+        with self.login(self.superuser):
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(len(mail.outbox), 1)
+        # Superuser additional emails should not be included
+        self.assertEqual(
+            mail.outbox[0].recipients(),
+            [settings.EMAIL_SENDER, self.user_regular.email],
+        )
+
+    def test_post_email_disable(self):
+        """Test POST with email notifications disabled"""
+        app_settings.set(
+            APP_NAME, 'notify_email_alert', False, user=self.user_regular
+        )
+        self.assertEqual(len(mail.outbox), 0)
+        data = self._get_post_data()
+        with self.login(self.superuser):
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(len(mail.outbox), 0)
+
+    def test_post_expired(self):
+        """Test POST with old expiry date (should fail)"""
+        self.assertEqual(AdminAlert.objects.all().count(), 0)
+        expire_fail = (timezone.now() + timezone.timedelta(days=-1)).strftime(
+            '%Y-%m-%d'
+        )
+        data = self._get_post_data(date_expire=expire_fail)
+        with self.login(self.superuser):
+            response = self.client.post(self.url, data)
         self.assertEqual(response.status_code, 200)
+        self.assertEqual(AdminAlert.objects.all().count(), 0)
 
-    def test_update(self):
-        """Test updating an admin alert"""
-        self.assertEqual(AdminAlert.objects.all().count(), 1)
 
-        post_data = {
-            'message': 'updated alert',
-            'description': 'updated description',
+class TestAdminAlertUpdateView(AdminalertsViewTestBase):
+    """Tests for AdminAlertUpdateView"""
+
+    def _get_post_data(self, **kwargs):
+        ret = {
+            'message': ALERT_MSG_UPDATED,
+            'description': ALERT_DESC_UPDATED,
             'date_expire': self.expiry_str,
-            'active': '',
+            'active': False,
+            'require_auth': True,
+            'send_email': False,
         }
+        ret.update(kwargs)
+        return ret
+
+    def setUp(self):
+        super().setUp()
+        self.alert = self._make_alert()
+        self.url = reverse(
+            'adminalerts:update',
+            kwargs={'adminalert': self.alert.sodar_uuid},
+        )
+
+    def test_get(self):
+        """Test AdminAlertUpdateView GET"""
         with self.login(self.superuser):
-            response = self.client.post(
-                reverse(
-                    'adminalerts:update',
-                    kwargs={'adminalert': self.alert.sodar_uuid},
-                ),
-                post_data,
-            )
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 200)
 
+    def test_post(self):
+        """Test POST"""
+        self.assertEqual(AdminAlert.objects.all().count(), 1)
+        self.assertEqual(len(mail.outbox), 0)
+        data = self._get_post_data()
+        with self.login(self.superuser):
+            response = self.client.post(self.url, data)
         self.assertEqual(response.status_code, 302)
         self.assertEqual(response.url, reverse('adminalerts:list'))
         self.assertEqual(AdminAlert.objects.all().count(), 1)
         self.alert.refresh_from_db()
-        self.assertEqual(self.alert.message, 'updated alert')
-        self.assertEqual(self.alert.description.raw, 'updated description')
+        self.assertEqual(self.alert.message, ALERT_MSG_UPDATED)
+        self.assertEqual(self.alert.description.raw, ALERT_DESC_UPDATED)
         self.assertEqual(self.alert.active, False)
+        self.assertEqual(len(mail.outbox), 0)
+
+    def test_post_email(self):
+        """Test POST with email update enabled"""
+        self.assertEqual(len(mail.outbox), 0)
+        data = self._get_post_data(active=True, send_email=True)
+        with self.login(self.superuser):
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertIn(
+            EMAIL_SUBJECT.format(state='Updated', message=ALERT_MSG_UPDATED),
+            mail.outbox[0].subject,
+        )
+        self.assertEqual(
+            mail.outbox[0].recipients(),
+            [settings.EMAIL_SENDER, self.user_regular.email],
+        )
+
+    def test_post_email_inactive(self):
+        """Test POST with email update enabled and inactive alert"""
+        self.assertEqual(len(mail.outbox), 0)
+        data = self._get_post_data(send_email=True)
+        with self.login(self.superuser):
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(len(mail.outbox), 0)  # No email for inactive event
 
-    def test_update_user(self):
-        """Test updating an admin alert with a different user"""
+    def test_post_email_disable(self):
+        """Test POST with disabled email notifications"""
+        app_settings.set(
+            APP_NAME, 'notify_email_alert', False, user=self.user_regular
+        )
+        self.assertEqual(len(mail.outbox), 0)
+        data = self._get_post_data(active=True, send_email=True)
+        with self.login(self.superuser):
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(len(mail.outbox), 0)
+
+    def test_post_user(self):
+        """Test POST by different user"""
         superuser2 = self.make_user('superuser2')
         superuser2.is_superuser = True
         superuser2.save()
-
-        post_data = {
-            'message': 'updated alert',
-            'description': 'updated description',
-            'date_expire': self.expiry_str,
-            'active': '',
-        }
+        data = self._get_post_data()
         with self.login(superuser2):
-            response = self.client.post(
-                reverse(
-                    'adminalerts:update',
-                    kwargs={'adminalert': self.alert.sodar_uuid},
-                ),
-                post_data,
-            )
-
+            response = self.client.post(self.url, data)
         self.assertEqual(response.status_code, 302)
         self.assertEqual(response.url, reverse('adminalerts:list'))
         self.alert.refresh_from_db()
         self.assertEqual(self.alert.user, superuser2)
 
 
-class TestAdminAlertDeleteView(TestViewsBase):
-    """Tests for the alert deletion view"""
+class TestAdminAlertDeleteView(AdminalertsViewTestBase):
+    """Tests for AdminAlertDeleteView"""
 
-    def test_render(self):
-        """Test rendering of the alert deletion view"""
+    def setUp(self):
+        super().setUp()
+        self.alert = self._make_alert()
+        self.url = reverse(
+            'adminalerts:delete',
+            kwargs={'adminalert': self.alert.sodar_uuid},
+        )
+
+    def test_get(self):
+        """Test AdminAlertDeleteView GET"""
         with self.login(self.superuser):
-            response = self.client.get(
-                reverse(
-                    'adminalerts:delete',
-                    kwargs={'adminalert': self.alert.sodar_uuid},
-                )
-            )
+            response = self.client.get(self.url)
         self.assertEqual(response.status_code, 200)
 
-    def test_delete(self):
-        """Test deleting an admin alert"""
+    def test_post(self):
+        """Test POST"""
         self.assertEqual(AdminAlert.objects.all().count(), 1)
         with self.login(self.superuser):
-            response = self.client.post(
-                reverse(
-                    'adminalerts:delete',
-                    kwargs={'adminalert': self.alert.sodar_uuid},
-                )
-            )
+            response = self.client.post(self.url)
         self.assertEqual(response.status_code, 302)
         self.assertEqual(response.url, reverse('adminalerts:list'))
         self.assertEqual(AdminAlert.objects.all().count(), 0)
diff --git a/adminalerts/tests/test_views_ajax.py b/adminalerts/tests/test_views_ajax.py
index 575d351d..6e6473df 100644
--- a/adminalerts/tests/test_views_ajax.py
+++ b/adminalerts/tests/test_views_ajax.py
@@ -4,44 +4,38 @@
 
 from django.urls import reverse
 
-from adminalerts.tests.test_views import TestViewsBase
+from adminalerts.tests.test_views import AdminalertsViewTestBase
 
 
-class TestAdminAlertActiveToggleAjaxView(TestViewsBase):
-    """Tests for the AdminAlert activation toggling Ajax view"""
+class TestAdminAlertActiveToggleAjaxView(AdminalertsViewTestBase):
+    """Tests for AdminAlertActiveToggleAjaxView"""
 
-    def test_deactivate_alert(self):
-        """Test alert deactivation"""
-        self.assertTrue(self.alert.active)
+    def setUp(self):
+        super().setUp()
+        self.alert = self._make_alert()
+        self.url = reverse(
+            'adminalerts:ajax_active_toggle',
+            kwargs={'adminalert': self.alert.sodar_uuid},
+        )
 
+    def test_post_deactivate(self):
+        """Test AdminAlertActiveToggleAjaxView POST to deactivate alert"""
+        self.assertTrue(self.alert.active)
         with self.login(self.superuser):
-            response = self.client.post(
-                reverse(
-                    'adminalerts:ajax_active_toggle',
-                    kwargs={'adminalert': self.alert.sodar_uuid},
-                ),
-            )
+            response = self.client.post(self.url)
         self.assertEqual(response.status_code, 200)
-
         data = json.loads(response.content)
         self.alert.refresh_from_db()
         self.assertFalse(self.alert.active)
         self.assertFalse(data['is_active'])
 
-    def test_activate_alert(self):
-        """Test alert activation"""
+    def test_post_activate(self):
+        """Test POST to activate alert"""
         self.alert.active = False
         self.alert.save()
-
         with self.login(self.superuser):
-            response = self.client.post(
-                reverse(
-                    'adminalerts:ajax_active_toggle',
-                    kwargs={'adminalert': self.alert.sodar_uuid},
-                ),
-            )
+            response = self.client.post(self.url)
         self.assertEqual(response.status_code, 200)
-
         data = json.loads(response.content)
         self.alert.refresh_from_db()
         self.assertTrue(self.alert.active)
diff --git a/adminalerts/views.py b/adminalerts/views.py
index 0b46b8f9..adb12f32 100644
--- a/adminalerts/views.py
+++ b/adminalerts/views.py
@@ -1,7 +1,10 @@
 """UI views for the adminalerts app"""
 
+import logging
+
 from django.conf import settings
 from django.contrib import messages
+from django.contrib.auth import get_user_model
 from django.shortcuts import redirect
 from django.urls import reverse
 from django.views.generic import (
@@ -14,6 +17,8 @@
 from django.views.generic.edit import ModelFormMixin
 
 # Projectroles dependency
+from projectroles.app_settings import AppSettingAPI
+from projectroles.email import get_email_user, get_user_addr, send_generic_mail
 from projectroles.views import (
     LoggedInPermissionMixin,
     HTTPRefererMixin,
@@ -25,7 +30,26 @@
 from adminalerts.models import AdminAlert
 
 
+app_settings = AppSettingAPI()
+logger = logging.getLogger(__name__)
+User = get_user_model()
+
+
+# Local constants
+APP_NAME = 'adminalerts'
 DEFAULT_PAGINATION = 15
+EMAIL_SUBJECT = '{state} admin alert: {message}'
+EMAIL_BODY = r'''
+An admin alert has been {action}d by {issuer}:
+
+{message}
+'''.lstrip()
+EMAIL_BODY_DESCRIPTION = r'''
+Additional details:
+----------------------------------------
+{description}
+----------------------------------------
+'''
 
 
 # Listing/details views --------------------------------------------------------
@@ -63,10 +87,80 @@ class AdminAlertDetailView(
 
 
 class AdminAlertModifyMixin(ModelFormMixin):
+    """Common modification methods for AdminAlert create/update views"""
+
+    @classmethod
+    def _get_email_recipients(cls, alert):
+        """
+        Return list of email addresses for alert email recipients, excluding the
+        alert issuer.
+        """
+        ret = []
+        users = User.objects.exclude(sodar_uuid=alert.user.sodar_uuid).order_by(
+            'email'
+        )
+        for u in users:
+            if not app_settings.get(APP_NAME, 'notify_email_alert', user=u):
+                continue
+            if not u.email:
+                logger.warning('No email set for user: {}'.format(u.username))
+                continue
+            user_emails = get_user_addr(u)
+            ret += [e for e in user_emails if e not in ret]
+        return ret
+
+    def _send_email(self, alert, action):
+        """
+        Send email alerts to all users except for the alert issuer.
+
+        :param alert: AdminAlert object
+        :param action: "create" or "update" (string)
+        """
+        subject = EMAIL_SUBJECT.format(
+            state='New' if action == 'create' else 'Updated',
+            message=alert.message,
+        )
+        body = EMAIL_BODY.format(
+            action=action,
+            issuer=get_email_user(alert.user),
+            message=alert.message,
+        )
+        if alert.description:
+            body += EMAIL_BODY_DESCRIPTION.format(
+                description=alert.description.raw
+            )
+        recipients = self._get_email_recipients(alert)
+        # NOTE: Recipients go under bcc
+        # NOTE: If we have no recipients in bcc we cancel sending
+        if len(recipients) == 0:
+            return 0
+        return send_generic_mail(
+            subject,
+            body,
+            [settings.EMAIL_SENDER],
+            self.request,
+            reply_to=None,
+            bcc=recipients,
+        )
+
     def form_valid(self, form):
-        form.save()
         form_action = 'update' if self.object else 'create'
-        messages.success(self.request, 'Alert {}d.'.format(form_action))
+        self.object = form.save()
+        email_count = 0
+        email_msg_suffix = ''
+        if (
+            form.cleaned_data['send_email']
+            and self.object.active
+            and settings.PROJECTROLES_SEND_EMAIL
+        ):
+            email_count = self._send_email(form.instance, form_action)
+        if email_count > 0:
+            email_msg_suffix = ', {} email{} sent'.format(
+                email_count, 's' if email_count != 1 else ''
+            )
+        messages.success(
+            self.request, 'Alert {}d{}.'.format(form_action, email_msg_suffix)
+        )
         return redirect(reverse('adminalerts:list'))
 
 
diff --git a/appalerts/plugins.py b/appalerts/plugins.py
index 643fa304..d0c7fb19 100644
--- a/appalerts/plugins.py
+++ b/appalerts/plugins.py
@@ -1,6 +1,5 @@
 """Plugins for the appalerts app"""
 
-
 # Projectroles dependency
 from projectroles.plugins import SiteAppPluginPoint, BackendPluginPoint
 
diff --git a/appalerts/tests/test_permissions.py b/appalerts/tests/test_permissions.py
index bce409d7..04e408d8 100644
--- a/appalerts/tests/test_permissions.py
+++ b/appalerts/tests/test_permissions.py
@@ -4,12 +4,12 @@
 from django.urls import reverse
 
 # Projectroles dependency
-from projectroles.tests.test_permissions import TestSiteAppPermissionBase
+from projectroles.tests.test_permissions import SiteAppPermissionTestBase
 
 from appalerts.tests.test_models import AppAlertMixin
 
 
-class AppalertsPermissionTestBase(AppAlertMixin, TestSiteAppPermissionBase):
+class AppalertsPermissionTestBase(AppAlertMixin, SiteAppPermissionTestBase):
     """Base test class for appalerts view permission tests"""
 
     def setUp(self):
diff --git a/appalerts/tests/test_ui.py b/appalerts/tests/test_ui.py
index eca42d6a..8f88286f 100644
--- a/appalerts/tests/test_ui.py
+++ b/appalerts/tests/test_ui.py
@@ -10,13 +10,13 @@
 from selenium.webdriver.support.ui import WebDriverWait
 
 # Projectroles dependency
-from projectroles.tests.test_ui import TestUIBase
+from projectroles.tests.test_ui import UITestBase
 
 from appalerts.models import AppAlert
 from appalerts.tests.test_models import AppAlertMixin
 
 
-class TestAlertUIBase(AppAlertMixin, TestUIBase):
+class AlertUITestBase(AppAlertMixin, UITestBase):
     def setUp(self):
         super().setUp()
         # Create users
@@ -37,7 +37,7 @@ def setUp(self):
         )
 
 
-class TestListView(TestAlertUIBase):
+class TestListView(AlertUITestBase):
     """Tests for app alert list view"""
 
     def _find_alert_element(self, alert):
@@ -205,7 +205,7 @@ def test_alert_reload(self):
         )
 
 
-class TestTitlebarBadge(TestAlertUIBase):
+class TestTitlebarBadge(AlertUITestBase):
     """Tests for the site titlebar badge"""
 
     def test_render(self):
diff --git a/appalerts/tests/test_views.py b/appalerts/tests/test_views.py
index f67ae4cf..19bb51b1 100644
--- a/appalerts/tests/test_views.py
+++ b/appalerts/tests/test_views.py
@@ -7,7 +7,7 @@
 from appalerts.tests.test_models import AppAlertMixin
 
 
-class TestViewsBase(AppAlertMixin, TestCase):
+class ViewTestBase(AppAlertMixin, TestCase):
     """Base class for appalerts view testing"""
 
     def setUp(self):
@@ -26,7 +26,7 @@ def setUp(self):
         )
 
 
-class TestAppAlertListView(TestViewsBase):
+class TestAppAlertListView(ViewTestBase):
     """Tests for the alert list view"""
 
     def test_render_superuser(self):
@@ -54,7 +54,7 @@ def test_render_no_alert_user(self):
             self.assertEqual(response.context['object_list'].count(), 0)
 
 
-class TestAppAlertRedirectView(TestViewsBase):
+class TestAppAlertRedirectView(ViewTestBase):
     """Tests for the alert redirect view"""
 
     list_url = reverse('appalerts:list')
@@ -102,7 +102,7 @@ def test_redirect_no_alert_user(self):
         self.assertEqual(self.alert.active, True)
 
 
-class TestAppAlertStatusAjaxView(TestViewsBase):
+class TestAppAlertStatusAjaxView(ViewTestBase):
     """Tests for the alert status ajax view"""
 
     def test_get_user_with_alerts(self):
@@ -120,7 +120,7 @@ def test_get_user_no_alerts(self):
         self.assertEqual(response.data['alerts'], 0)
 
 
-class TestAppAlertDismissAjaxView(TestViewsBase):
+class TestAppAlertDismissAjaxView(ViewTestBase):
     """Tests for the alert dismissal ajax view"""
 
     def test_post_superuser(self):
diff --git a/bgjobs/migrations/0001_squashed_0006_auto_20200526_1657.py b/bgjobs/migrations/0001_squashed_0006_auto_20200526_1657.py
new file mode 100644
index 00000000..5f72aaa5
--- /dev/null
+++ b/bgjobs/migrations/0001_squashed_0006_auto_20200526_1657.py
@@ -0,0 +1,148 @@
+# Generated by Django 4.2.14 on 2024-07-16 09:22
+
+from django.conf import settings
+from django.db import migrations, models
+import django.utils.timezone
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    replaces = [
+        ('bgjobs', '0001_initial'),
+        ('bgjobs', '0002_backgroundjoblogentry'),
+        ('bgjobs', '0003_backgroundjob_date_created'),
+        ('bgjobs', '0004_backgroundjob_user'),
+        ('bgjobs', '0005_auto_20190128_1210'),
+        ('bgjobs', '0006_auto_20200526_1657'),
+    ]
+
+    initial = True
+
+    dependencies = [
+        ('projectroles', '0005_update_uuid'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='BackgroundJob',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                (
+                    'date_modified',
+                    models.DateTimeField(
+                        auto_now=True, help_text='DateTime of last modification'
+                    ),
+                ),
+                (
+                    'sodar_uuid',
+                    models.UUIDField(
+                        default=uuid.uuid4, help_text='BG Job SODAR UUID', unique=True
+                    ),
+                ),
+                (
+                    'job_type',
+                    models.CharField(help_text='Type of the job', max_length=512),
+                ),
+                ('name', models.CharField(max_length=512)),
+                ('description', models.TextField()),
+                (
+                    'status',
+                    models.CharField(
+                        choices=[
+                            ('initial', 'initial'),
+                            ('running', 'running'),
+                            ('done', 'done'),
+                            ('failed', 'failed'),
+                        ],
+                        default='initial',
+                        max_length=50,
+                    ),
+                ),
+                (
+                    'project',
+                    models.ForeignKey(
+                        help_text='Project in which this objects belongs',
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to='projectroles.project',
+                    ),
+                ),
+                (
+                    'date_created',
+                    models.DateTimeField(
+                        auto_now_add=True,
+                        default=django.utils.timezone.now,
+                        help_text='DateTime of creation',
+                    ),
+                ),
+                (
+                    'user',
+                    models.ForeignKey(
+                        default=1,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='background_jobs',
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+            ],
+            options={
+                'ordering': ['-date_created'],
+            },
+        ),
+        migrations.CreateModel(
+            name='BackgroundJobLogEntry',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                (
+                    'date_created',
+                    models.DateTimeField(
+                        auto_now_add=True, help_text='DateTime of creation'
+                    ),
+                ),
+                (
+                    'level',
+                    models.CharField(
+                        choices=[
+                            ('debug', 'debug'),
+                            ('info', 'info'),
+                            ('warning', 'warning'),
+                            ('error', 'error'),
+                        ],
+                        help_text='Level of log entry',
+                        max_length=50,
+                    ),
+                ),
+                ('message', models.TextField(help_text='Log level\'s message')),
+                (
+                    'job',
+                    models.ForeignKey(
+                        help_text='Owning background job',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='log_entries',
+                        to='bgjobs.backgroundjob',
+                    ),
+                ),
+            ],
+            options={
+                'ordering': ['date_created'],
+            },
+        ),
+    ]
diff --git a/bgjobs/views.py b/bgjobs/views.py
index f1378f16..92021aed 100644
--- a/bgjobs/views.py
+++ b/bgjobs/views.py
@@ -100,7 +100,7 @@ def post(self, _request, **_kwargs):
                     description='Clearing {} background jobs'.format(
                         'user-owned' if self.which_jobs != 'all' else 'all'
                     ),
-                    status_type='OK',
+                    status_type=timeline.TL_STATUS_OK,
                 )
             messages.success(
                 self.request, 'Removed {} background jobs.'.format(bg_job_count)
diff --git a/codemeta.json b/codemeta.json
index ee04b1c7..6a15681c 100644
--- a/codemeta.json
+++ b/codemeta.json
@@ -42,10 +42,10 @@
   "codeRepository": "https://github.com/bihealth/sodar-core",
   "datePublished": "2023-12-06",
   "dateModified": "2023-12-06",
-  "dateCreated": "2024-02-16",
+  "dateCreated": "2024-07-19",
   "description": "SODAR Core: A Django-based framework for scientific data management and analysis web apps",
   "keywords": "Python, Django, scientific data managmenent, software library",
   "license": "MIT",
   "title": "SODAR Core",
-  "version": "v0.13.4"
+  "version": "v1.0.0"
 }
diff --git a/config/settings/base.py b/config/settings/base.py
index bef23cfd..16118f19 100644
--- a/config/settings/base.py
+++ b/config/settings/base.py
@@ -2,12 +2,14 @@
 Django settings for the SODAR Core Example Site project.
 
 For more information on this file, see
-https://docs.djangoproject.com/en/dev/topics/settings/
+https://docs.djangoproject.com/en/4.2/topics/settings/
 
 For the full list of settings and their values, see
-https://docs.djangoproject.com/en/3.2/ref/settings/
+https://docs.djangoproject.com/en/4.2/ref/settings/
 """
+
 import environ
+import itertools
 import os
 
 from projectroles.constants import get_sodar_constants
@@ -22,7 +24,7 @@
 env = environ.Env()
 
 # .env file, should load only in development environment
-READ_DOT_ENV_FILE = env.bool('DJANGO_READ_DOT_ENV_FILE', default=False)
+READ_DOT_ENV_FILE = env.bool('DJANGO_READ_DOT_ENV_FILE', False)
 
 if READ_DOT_ENV_FILE:
     # Operating System Environment variables have precedence over variables
@@ -60,12 +62,12 @@
     'markupfield',  # For markdown
     'rest_framework',  # For API views
     'knox',  # For token auth
+    'social_django',  # For OIDC authentication
     'docs',  # For the online user documentation/manual
     'db_file_storage',  # For filesfolders
     'dal',  # For user search combo box
     'dal_select2',
     'dj_iconify.apps.DjIconifyConfig',  # Iconify for SVG icons
-    'django_saml2_auth',  # SAML2 support
 ]
 
 # Project apps
@@ -143,18 +145,16 @@
     for x in env.list('ADMINS', default=['Admin User:admin@example.com'])
 ]
 
-# See: https://docs.djangoproject.com/en/3.2/ref/settings/#managers
+# See: https://docs.djangoproject.com/en/4.2/ref/settings/#managers
 MANAGERS = ADMINS
 
 # DATABASE CONFIGURATION
 # ------------------------------------------------------------------------------
-# See: https://docs.djangoproject.com/en/3.2/ref/settings/#databases
+# See: https://docs.djangoproject.com/en/4.2/ref/settings/#databases
 # Uses django-environ to accept uri format
 # See: https://django-environ.readthedocs.io/en/latest/#supported-types
-DATABASES = {
-    'default': env.db('DATABASE_URL', default='postgres:///sodar_core')
-}
-DATABASES['default']['ATOMIC_REQUESTS'] = False
+DATABASES = {'default': env.db('DATABASE_URL', 'postgres:///sodar_core')}
+DATABASES['default']['ATOMIC_REQUESTS'] = True
 
 # Set default auto field (for Django 3.2+)
 DEFAULT_AUTO_FIELD = 'django.db.models.AutoField'
@@ -171,24 +171,24 @@
 # In a Windows environment this must be set to your system time zone.
 TIME_ZONE = 'Europe/Berlin'
 
-# See: https://docs.djangoproject.com/en/3.2/ref/settings/#language-code
+# See: https://docs.djangoproject.com/en/4.2/ref/settings/#language-code
 LANGUAGE_CODE = 'en-us'
 
-# See: https://docs.djangoproject.com/en/3.2/ref/settings/#site-id
+# See: https://docs.djangoproject.com/en/4.2/ref/settings/#site-id
 SITE_ID = 1
 
-# See: https://docs.djangoproject.com/en/3.2/ref/settings/#use-i18n
+# See: https://docs.djangoproject.com/en/4.2/ref/settings/#use-i18n
 USE_I18N = False
 
-# See: https://docs.djangoproject.com/en/3.2/ref/settings/#use-l10n
+# See: https://docs.djangoproject.com/en/4.2/ref/settings/#use-l10n
 USE_L10N = True
 
-# See: https://docs.djangoproject.com/en/3.2/ref/settings/#use-tz
+# See: https://docs.djangoproject.com/en/4.2/ref/settings/#use-tz
 USE_TZ = True
 
 # TEMPLATE CONFIGURATION
 # ------------------------------------------------------------------------------
-# See: https://docs.djangoproject.com/en/3.2/ref/settings/#templates
+# See: https://docs.djangoproject.com/en/4.2/ref/settings/#templates
 TEMPLATES = [
     {
         'BACKEND': 'django.template.backends.django.DjangoTemplates',
@@ -316,15 +316,24 @@
 CELERYD_TASK_SOFT_TIME_LIMIT = 60
 
 
-# Django REST framework default auth classes
+# Django REST framework
+# ------------------------------------------------------------------------------
+
 REST_FRAMEWORK = {
     'DEFAULT_AUTHENTICATION_CLASSES': (
         'rest_framework.authentication.BasicAuthentication',
         'rest_framework.authentication.SessionAuthentication',
         'knox.auth.TokenAuthentication',
-    )
+    ),
+    'DEFAULT_PAGINATION_CLASS': (
+        'rest_framework.pagination.PageNumberPagination'
+    ),
+    'PAGE_SIZE': env.int('SODAR_API_PAGE_SIZE', 100),
 }
 
+# Additional authentication settings
+# ------------------------------------------------------------------------------
+
 # Knox settings
 TOKEN_TTL = None
 
@@ -344,7 +353,6 @@
 LDAP_ALT_DOMAINS = env.list('LDAP_ALT_DOMAINS', None, default=[])
 
 if ENABLE_LDAP:
-    import itertools
     import ldap
     from django_auth_ldap.config import LDAPSearch
 
@@ -366,15 +374,16 @@
     AUTH_LDAP_CA_CERT_FILE = env.str('AUTH_LDAP_CA_CERT_FILE', None)
     AUTH_LDAP_CONNECTION_OPTIONS = {**LDAP_DEFAULT_CONN_OPTIONS}
     if AUTH_LDAP_CA_CERT_FILE:
-        AUTH_LDAP_CONNECTION_OPTIONS[
-            ldap.OPT_X_TLS_CACERTFILE
-        ] = AUTH_LDAP_CA_CERT_FILE
+        AUTH_LDAP_CONNECTION_OPTIONS[ldap.OPT_X_TLS_CACERTFILE] = (
+            AUTH_LDAP_CA_CERT_FILE
+        )
         AUTH_LDAP_CONNECTION_OPTIONS[ldap.OPT_X_TLS_NEWCTX] = 0
     AUTH_LDAP_USER_FILTER = env.str(
         'AUTH_LDAP_USER_FILTER', '(sAMAccountName=%(user)s)'
     )
+    AUTH_LDAP_USER_SEARCH_BASE = env.str('AUTH_LDAP_USER_SEARCH_BASE', None)
     AUTH_LDAP_USER_SEARCH = LDAPSearch(
-        env.str('AUTH_LDAP_USER_SEARCH_BASE', None),
+        AUTH_LDAP_USER_SEARCH_BASE,
         ldap.SCOPE_SUBTREE,
         AUTH_LDAP_USER_FILTER,
     )
@@ -399,15 +408,18 @@
         AUTH_LDAP2_CA_CERT_FILE = env.str('AUTH_LDAP2_CA_CERT_FILE', None)
         AUTH_LDAP2_CONNECTION_OPTIONS = {**LDAP_DEFAULT_CONN_OPTIONS}
         if AUTH_LDAP2_CA_CERT_FILE:
-            AUTH_LDAP2_CONNECTION_OPTIONS[
-                ldap.OPT_X_TLS_CACERTFILE
-            ] = AUTH_LDAP2_CA_CERT_FILE
+            AUTH_LDAP2_CONNECTION_OPTIONS[ldap.OPT_X_TLS_CACERTFILE] = (
+                AUTH_LDAP2_CA_CERT_FILE
+            )
             AUTH_LDAP2_CONNECTION_OPTIONS[ldap.OPT_X_TLS_NEWCTX] = 0
         AUTH_LDAP2_USER_FILTER = env.str(
             'AUTH_LDAP2_USER_FILTER', '(sAMAccountName=%(user)s)'
         )
+        AUTH_LDAP2_USER_SEARCH_BASE = env.str(
+            'AUTH_LDAP2_USER_SEARCH_BASE', None
+        )
         AUTH_LDAP2_USER_SEARCH = LDAPSearch(
-            env.str('AUTH_LDAP2_USER_SEARCH_BASE', None),
+            AUTH_LDAP2_USER_SEARCH_BASE,
             ldap.SCOPE_SUBTREE,
             AUTH_LDAP2_USER_FILTER,
         )
@@ -424,80 +436,40 @@
         )
 
 
-# SAML configuration
+# OpenID Connect (OIDC) configuration
 # ------------------------------------------------------------------------------
 
+ENABLE_OIDC = env.bool('ENABLE_OIDC', False)
 
-ENABLE_SAML = env.bool('ENABLE_SAML', False)
-SAML2_AUTH = {
-    # Required setting
-    # Pysaml2 Saml client settings
-    # See: https://pysaml2.readthedocs.io/en/latest/howto/config.html
-    'SAML_CLIENT_SETTINGS': {
-        # Optional entity ID string to be passed in the 'Issuer' element of
-        # authn request, if required by the IDP.
-        'entityid': env.str('SAML_CLIENT_ENTITY_ID', 'SODARcore'),
-        'entitybaseurl': env.str(
-            'SAML_CLIENT_ENTITY_URL', 'https://localhost:8000'
-        ),
-        # The auto(dynamic) metadata configuration URL of SAML2
-        'metadata': {
-            'local': [
-                env.str('SAML_CLIENT_METADATA_FILE', 'metadata.xml'),
-            ],
-        },
-        'service': {
-            'sp': {
-                'idp': env.str(
-                    'SAML_CLIENT_IPD',
-                    'https://sso.hpc.bihealth.org/auth/realms/cubi',
-                ),
-                # Keycloak expects client signature
-                'authn_requests_signed': 'true',
-                # Enforce POST binding which is required by keycloak
-                'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
-            },
-        },
-        'key_file': env.str('SAML_CLIENT_KEY_FILE', 'key.pem'),
-        'cert_file': env.str('SAML_CLIENT_CERT_FILE', 'cert.pem'),
-        'xmlsec_binary': env.str('SAML_CLIENT_XMLSEC1', '/usr/bin/xmlsec1'),
-        'encryption_keypairs': [
-            {
-                'key_file': env.str('SAML_CLIENT_KEY_FILE', 'key.pem'),
-                'cert_file': env.str('SAML_CLIENT_CERT_FILE', 'cert.pem'),
-            }
-        ],
-    },
-    # Custom target redirect URL after the user get logged in.
-    # Defaults to /admin if not set. This setting will be overwritten if you
-    # have parameter ?next= specificed in the login URL.
-    'DEFAULT_NEXT_URL': '/',
-    # # Optional settings below
-    # 'NEW_USER_PROFILE': {
-    #     'USER_GROUPS': [],  # The default group name when a new user logs in
-    #     'ACTIVE_STATUS': True,  # The default active status for new users
-    #     'STAFF_STATUS': True,  # The staff status for new users
-    #     'SUPERUSER_STATUS': False,  # The superuser status for new users
-    # },
-    # 'ATTRIBUTES_MAP': env.dict(
-    #     'SAML_ATTRIBUTES_MAP',
-    #     default={
-    #         Change values to corresponding SAML2 userprofile attributes.
-    #         'email': 'Email',
-    #         'username': 'UserName',
-    #         'first_name': 'FirstName',
-    #         'last_name': 'LastName',
-    #     }
-    # ),
-    # 'TRIGGER': {
-    #     'FIND_USER': 'path.to.your.find.user.hook.method',
-    #     'NEW_USER': 'path.to.your.new.user.hook.method',
-    #     'CREATE_USER': 'path.to.your.create.user.hook.method',
-    #     'BEFORE_LOGIN': 'path.to.your.login.hook.method',
-    # },
-    # Custom URL to validate incoming SAML requests against
-    # 'ASSERTION_URL': 'https://your.url.here',
-}
+if ENABLE_OIDC:
+    AUTHENTICATION_BACKENDS = tuple(
+        itertools.chain(
+            ('social_core.backends.open_id_connect.OpenIdConnectAuth',),
+            AUTHENTICATION_BACKENDS,
+        )
+    )
+    TEMPLATES[0]['OPTIONS']['context_processors'] += [
+        'social_django.context_processors.backends',
+        'social_django.context_processors.login_redirect',
+    ]
+    SOCIAL_AUTH_JSONFIELD_ENABLED = True
+    SOCIAL_AUTH_JSONFIELD_CUSTOM = 'django.db.models.JSONField'
+    SOCIAL_AUTH_USER_MODEL = AUTH_USER_MODEL
+    SOCIAL_AUTH_ADMIN_USER_SEARCH_FIELDS = [
+        'username',
+        'name',
+        'first_name',
+        'last_name',
+        'email',
+    ]
+    SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = env.str(
+        'SOCIAL_AUTH_OIDC_OIDC_ENDPOINT', None
+    )
+    SOCIAL_AUTH_OIDC_KEY = env.str('SOCIAL_AUTH_OIDC_KEY', 'CHANGEME')
+    SOCIAL_AUTH_OIDC_SECRET = env.str('SOCIAL_AUTH_OIDC_SECRET', 'CHANGEME')
+    SOCIAL_AUTH_OIDC_USERNAME_KEY = env.str(
+        'SOCIAL_AUTH_OIDC_USERNAME_KEY', 'username'
+    )
 
 
 # Logging
@@ -584,9 +556,11 @@ def set_logging(level=None):
 )
 
 # SODAR API settings
+# DEPRECATED: To be removed in SODAR Core v1.1 (see #1401)
 SODAR_API_DEFAULT_VERSION = '0.1'
 SODAR_API_ALLOWED_VERSIONS = [SODAR_API_DEFAULT_VERSION]
 SODAR_API_MEDIA_TYPE = 'application/your.application+json'
+# SODAR API host URL
 SODAR_API_DEFAULT_HOST = env.url(
     'SODAR_API_DEFAULT_HOST', 'http://0.0.0.0:8000'
 )
@@ -641,10 +615,10 @@ def set_logging(level=None):
     'PROJECTROLES_SEARCH_OMIT_APPS', None, []
 )
 PROJECTROLES_TARGET_SYNC_ENABLE = env.bool(
-    'PROJECTROLES_TARGET_SYNC_ENABLE', default=False
+    'PROJECTROLES_TARGET_SYNC_ENABLE', False
 )
 PROJECTROLES_TARGET_SYNC_INTERVAL = env.int(
-    'PROJECTROLES_TARGET_SYNC_INTERVAL', default=5
+    'PROJECTROLES_TARGET_SYNC_INTERVAL', 5
 )
 
 # Optional projectroles settings
@@ -662,8 +636,6 @@ def set_logging(level=None):
 PROJECTROLES_HIDE_PROJECT_APPS = env.list(
     'PROJECTROLES_HIDE_PROJECT_APPS', None, []
 )
-# NOTE: This setting has been deprecated and will be removed in v0.14
-PROJECTROLES_HIDE_APP_LINKS = env.list('PROJECTROLES_HIDE_APP_LINKS', None, [])
 
 # Set limit for delegate roles per project (if 0, no limit is applied)
 PROJECTROLES_DELEGATE_LIMIT = env.int('PROJECTROLES_DELEGATE_LIMIT', 1)
diff --git a/config/settings/local.py b/config/settings/local.py
index 6e751a1c..57423f09 100644
--- a/config/settings/local.py
+++ b/config/settings/local.py
@@ -21,7 +21,7 @@
 
 # DEBUG
 # ------------------------------------------------------------------------------
-DEBUG = env.bool('DJANGO_DEBUG', default=True)
+DEBUG = env.bool('DJANGO_DEBUG', True)
 TEMPLATES[0]['OPTIONS']['debug'] = DEBUG
 
 # SECRET CONFIGURATION
@@ -49,7 +49,7 @@
 
 # django-debug-toolbar
 # ------------------------------------------------------------------------------
-ENABLE_DEBUG_TOOLBAR = env.bool('ENABLE_DEBUG_TOOLBAR', default=True)
+ENABLE_DEBUG_TOOLBAR = env.bool('ENABLE_DEBUG_TOOLBAR', True)
 
 if ENABLE_DEBUG_TOOLBAR:
     MIDDLEWARE += ['debug_toolbar.middleware.DebugToolbarMiddleware']
diff --git a/config/settings/local_target.py b/config/settings/local_target.py
index dfec48f1..78baa1f2 100644
--- a/config/settings/local_target.py
+++ b/config/settings/local_target.py
@@ -5,7 +5,7 @@
 
 # DATABASE CONFIGURATION
 # ------------------------------------------------------------------------------
-# See: https://docs.djangoproject.com/en/3.2/ref/settings/#databases
+# See: https://docs.djangoproject.com/en/4.2/ref/settings/#databases
 # Uses django-environ to accept uri format
 # See: https://django-environ.readthedocs.io/en/latest/#supported-types
 DATABASES['default']['NAME'] = 'sodar_core_target'
diff --git a/config/settings/local_target2.py b/config/settings/local_target2.py
index 95a86cac..09272985 100644
--- a/config/settings/local_target2.py
+++ b/config/settings/local_target2.py
@@ -5,7 +5,7 @@
 
 # DATABASE CONFIGURATION
 # ------------------------------------------------------------------------------
-# See: https://docs.djangoproject.com/en/3.2/ref/settings/#databases
+# See: https://docs.djangoproject.com/en/4.2/ref/settings/#databases
 # Uses django-environ to accept uri format
 # See: https://django-environ.readthedocs.io/en/latest/#supported-types
 DATABASES['default']['NAME'] = 'sodar_core_target2'
diff --git a/config/settings/test.py b/config/settings/test.py
index 26a56b74..99bd6a76 100644
--- a/config/settings/test.py
+++ b/config/settings/test.py
@@ -23,6 +23,11 @@
 ADMINS = [('Admin User', 'admin@example.com')]
 MANAGERS = ADMINS
 
+# DATABASE CONFIGURATION
+# ------------------------------------------------------------------------------
+# Set False to support parallel testing, see issue #1428
+DATABASES['default']['ATOMIC_REQUESTS'] = False
+
 # Mail settings
 # ------------------------------------------------------------------------------
 EMAIL_HOST = 'localhost'
@@ -31,6 +36,7 @@
 # In-memory email backend stores messages in django.core.mail.outbox
 # for unit testing purposes
 EMAIL_BACKEND = 'django.core.mail.backends.locmem.EmailBackend'
+EMAIL_SENDER = 'noreply@example.com'
 
 # CACHING
 # ------------------------------------------------------------------------------
@@ -64,6 +70,25 @@
     ]
 ]
 
+# Django REST framework
+# ------------------------------------------------------------------------------
+
+# Set pagination page size to 1 for easy testing
+REST_FRAMEWORK['PAGE_SIZE'] = 1
+
+
+# LDAP configuration
+# ------------------------------------------------------------------------------
+
+ENABLE_LDAP = False
+
+
+# OpenID Connect (OIDC) configuration
+# ------------------------------------------------------------------------------
+
+ENABLE_OIDC = False
+
+
 # Logging
 # ------------------------------------------------------------------------------
 
diff --git a/config/urls.py b/config/urls.py
index 6a66b18a..4acec08f 100644
--- a/config/urls.py
+++ b/config/urls.py
@@ -7,7 +7,6 @@
 from django.urls import path
 from django.views import defaults as default_views
 
-import django_saml2_auth.views
 
 # Projectroles dependency
 from projectroles.views import HomeView
@@ -28,6 +27,8 @@
     path('api/auth/', include('knox.urls')),
     # Iconify SVG icons
     path('icons/', include('dj_iconify.urls')),
+    # Social auth for OIDC support
+    path('social/', include('social_django.urls')),
     # Projectroles URLs
     path('project/', include('projectroles.urls')),
     # Admin Alerts URLs
@@ -54,24 +55,8 @@
     path('examples/project/', include('example_project_app.urls')),
     # Example site app URLs
     path('examples/site/', include('example_site_app.urls')),
-    # These are the SAML2 related URLs. You can change "^saml2_auth/" regex to
-    # any path you want, like "^sso_auth/", "^sso_login/", etc. (required)
-    path('saml2_auth/', include('django_saml2_auth.urls')),
-    # The following line will replace the default user login with SAML2 (optional)
-    # If you want to specific the after-login-redirect-URL, use parameter "?next=/the/path/you/want"
-    # with this view.
-    path('sso/login/', django_saml2_auth.views.signin),
-    # The following line will replace the admin login with SAML2 (optional)
-    # If you want to specific the after-login-redirect-URL, use parameter "?next=/the/path/you/want"
-    # with this view.
-    path('sso/admin/login/', django_saml2_auth.views.signin),
-    # The following line will replace the default user logout with the signout page (optional)
-    path('sso/logout/', django_saml2_auth.views.signout),
-    # The following line will replace the default admin user logout with the signout page (optional)
-    path('sso/admin/logout/', django_saml2_auth.views.signout),
 ] + static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
 
-
 if settings.DEBUG:
     # This allows the error pages to be debugged during development, just visit
     # these url in browser to see how these error pages look like.
diff --git a/config/wsgi.py b/config/wsgi.py
index 42ae5374..d6df6b04 100644
--- a/config/wsgi.py
+++ b/config/wsgi.py
@@ -13,6 +13,7 @@
 framework.
 
 """
+
 import os
 import sys
 
diff --git a/docs/source/_static/app_adminalerts/alert_form.png b/docs/source/_static/app_adminalerts/alert_form.png
index 6a390ddb..431baeea 100644
Binary files a/docs/source/_static/app_adminalerts/alert_form.png and b/docs/source/_static/app_adminalerts/alert_form.png differ
diff --git a/docs/source/_static/app_projectroles/sodar_login.png b/docs/source/_static/app_projectroles/sodar_login.png
index 4bfcb197..620e1c01 100644
Binary files a/docs/source/_static/app_projectroles/sodar_login.png and b/docs/source/_static/app_projectroles/sodar_login.png differ
diff --git a/docs/source/_static/app_projectroles/sodar_remote_project_links.png b/docs/source/_static/app_projectroles/sodar_remote_project_links.png
new file mode 100644
index 00000000..6bd6326b
Binary files /dev/null and b/docs/source/_static/app_projectroles/sodar_remote_project_links.png differ
diff --git a/docs/source/_static/app_projectroles/sodar_remote_site_form.png b/docs/source/_static/app_projectroles/sodar_remote_site_form.png
new file mode 100644
index 00000000..7af5b044
Binary files /dev/null and b/docs/source/_static/app_projectroles/sodar_remote_site_form.png differ
diff --git a/docs/source/_static/app_timeline/sodar_timeline.png b/docs/source/_static/app_timeline/sodar_timeline.png
index de212143..830f0ce2 100644
Binary files a/docs/source/_static/app_timeline/sodar_timeline.png and b/docs/source/_static/app_timeline/sodar_timeline.png differ
diff --git a/docs/source/_static/saml/keycloak_client_config.png b/docs/source/_static/saml/keycloak_client_config.png
deleted file mode 100644
index e6babb28..00000000
Binary files a/docs/source/_static/saml/keycloak_client_config.png and /dev/null differ
diff --git a/docs/source/_static/saml/keycloak_metadata_download.png b/docs/source/_static/saml/keycloak_metadata_download.png
deleted file mode 100644
index e4958516..00000000
Binary files a/docs/source/_static/saml/keycloak_metadata_download.png and /dev/null differ
diff --git a/docs/source/_static/saml/keycloak_saml_key_download1.png b/docs/source/_static/saml/keycloak_saml_key_download1.png
deleted file mode 100644
index 93815076..00000000
Binary files a/docs/source/_static/saml/keycloak_saml_key_download1.png and /dev/null differ
diff --git a/docs/source/_static/saml/keycloak_saml_key_download2.png b/docs/source/_static/saml/keycloak_saml_key_download2.png
deleted file mode 100644
index 1a3be912..00000000
Binary files a/docs/source/_static/saml/keycloak_saml_key_download2.png and /dev/null differ
diff --git a/docs/source/app_adminalerts.rst b/docs/source/app_adminalerts.rst
index a74907b9..8914f65c 100644
--- a/docs/source/app_adminalerts.rst
+++ b/docs/source/app_adminalerts.rst
@@ -120,6 +120,11 @@ Require Auth
     If set true, this alert will only be shown to users logged in to the site.
     If false, it will also appear in the login screen as well as for anonymous
     users if allowed on the site.
+Send Alert as Email
+    Send alert as email to all users with email notifications enabled, with the
+    exception of the sender. This is enabled by default when creating an alert.
+    When updating an existing alert it is initially disabled to avoid redundant
+    emails when e.g. fixing a typo.
 Description
     A longer description, which can be accessed through the :guilabel:`Details`
     link in the alert element. Markdown syntax is supported.
diff --git a/docs/source/app_filesfolders_api_rest.rst b/docs/source/app_filesfolders_api_rest.rst
index 6ba832fa..fef852cb 100644
--- a/docs/source/app_filesfolders_api_rest.rst
+++ b/docs/source/app_filesfolders_api_rest.rst
@@ -11,6 +11,23 @@ addition to the GUI.
 For general information on REST API usage in SODAR Core, see
 :ref:`app_projectroles_api_rest`.
 
+
+Filesfolders REST API Versioning
+================================
+
+Media Type
+    ``application/vnd.bihealth.sodar-core.filesfolders+json``
+Current Version
+    ``1.0``
+Accepted Versions
+    ``1.0``
+Header Example
+    ``Accept: application/vnd.bihealth.sodar-core.filesfolders+json; version=x.y``
+
+
+Filesfolders REST API Views
+===========================
+
 .. currentmodule:: filesfolders.views_api
 
 .. autoclass:: FolderListCreateAPIView
diff --git a/docs/source/app_projectroles_api_django.rst b/docs/source/app_projectroles_api_django.rst
index d16ef3d7..9385c1e5 100644
--- a/docs/source/app_projectroles_api_django.rst
+++ b/docs/source/app_projectroles_api_django.rst
@@ -106,6 +106,18 @@ General utility functions are stored in ``utils.py``.
     :members:
 
 
+Common Use Ajax Views
+=====================
+
+Ajax views intended to be used in a SODAR Core based site are described here.
+
+.. currentmodule:: projectroles.views_ajax
+
+.. autoclass:: SidebarContentAjaxView
+
+.. autoclass:: UserDropdownContentAjaxView
+
+
 .. _app_projectroles_api_django_rest:
 
 Base REST API View Classes
@@ -152,6 +164,9 @@ Base API View Mixins
 .. autoclass:: ProjectQuerysetMixin
     :members:
 
+.. autoclass:: SODARPageNumberPagination
+    :members:
+
 
 .. _app_projectroles_api_django_ajax:
 
diff --git a/docs/source/app_projectroles_api_rest.rst b/docs/source/app_projectroles_api_rest.rst
index 36aef4f1..43c19a44 100644
--- a/docs/source/app_projectroles_api_rest.rst
+++ b/docs/source/app_projectroles_api_rest.rst
@@ -12,9 +12,10 @@ HTTP API calls in addition to the GUI.
 API Usage
 =========
 
-Usage of the REST API is detailed in this section. These instructions also apply
-to REST APIs in any other application within SODAR Core and are recommended
-as guidelines for API development in your SODAR Core based Django site.
+General information on usage of the REST APIs in SODAR Core is detailed in this
+section. These instructions also apply to REST APIs in any other application
+within SODAR Core. They are recommended as guidelines for API development in
+your SODAR Core based Django site.
 
 Authentication
 --------------
@@ -38,21 +39,14 @@ desired API version in your HTTP requests is optional, it is
 **strongly recommended**. This ensures you will get the appropriate return data
 and avoid running into unexpected incompatibility issues.
 
-To enable versioning, add the ``Accept`` header to your request with the
-following media type and version syntax. Replace the version number with your
-expected version.
+From SODAR Core v1.0 onwards, each application is expected to use its own media
+type and version numbering. To enable versioning, add the ``Accept`` header to
+your request with the app's respective media type and version number. Example
+for the projectroles API:
 
 .. code-block:: console
 
-    Accept: application/vnd.bihealth.sodar-core+json; version=0.13.2
-
-.. note::
-
-    The media type and version for internal SODAR Core apps are by design
-    intended to be different to applications implemented in your Django site.
-    Only use the aforementioned values when calling REST API views in
-    projectroles or other applications installed from the django-sodar-core
-    package.
+    Accept: application/vnd.bihealth.sodar-core.projectroles+json; version=x.y
 
 Model Access and Permissions
 ----------------------------
@@ -108,8 +102,21 @@ For creation views, the ``sodar_uuid`` of the created object is returned
 along with other object fields.
 
 
-API Views
-=========
+Projectroles REST API Versioning
+================================
+
+Media Type
+    ``application/vnd.bihealth.sodar-core.projectroles+json``
+Current Version
+    ``1.0``
+Accepted Versions
+    ``1.0``
+Header Example
+    ``Accept: application/vnd.bihealth.sodar-core.projectroles+json; version=x.y``
+
+
+Projectroles REST API Views
+===========================
 
 .. currentmodule:: projectroles.views_api
 
diff --git a/docs/source/app_projectroles_basics.rst b/docs/source/app_projectroles_basics.rst
index 8769225f..c831d42b 100644
--- a/docs/source/app_projectroles_basics.rst
+++ b/docs/source/app_projectroles_basics.rst
@@ -121,7 +121,7 @@ Among the data which can be synchronized:
 - General project information such as title, description and readme
 - Project category structure
 - User roles in projects
-- User accounts for LDAP/AD users (required for the previous step)
+- User accounts for LDAP/AD and OIDC users (required for the previous step)
 - Information of other Target Sites linking a common project
 
 Target sites read remote project information from the source site. When
diff --git a/docs/source/app_projectroles_integration.rst b/docs/source/app_projectroles_integration.rst
index e47c7eb2..eb835d58 100644
--- a/docs/source/app_projectroles_integration.rst
+++ b/docs/source/app_projectroles_integration.rst
@@ -85,7 +85,7 @@ release tag or commit ID.
 
 .. code-block:: console
 
-    django-sodar-core==0.13.4
+    django-sodar-core==1.0.0
 
 Install the requirements for development:
 
diff --git a/docs/source/app_projectroles_settings.rst b/docs/source/app_projectroles_settings.rst
index 27341534..b7d563fe 100644
--- a/docs/source/app_projectroles_settings.rst
+++ b/docs/source/app_projectroles_settings.rst
@@ -69,16 +69,14 @@ following apps need to be included in the list in order for SODAR Core to work:
 Database
 ========
 
-Under ``DATABASES``, the setting below is recommended:
+Under ``DATABASES``, we recommend setting ``ATOMIC_REQUESTS`` to ``True`` as in
+the following sample. This ensures transactions to be atomic on a view-level.
+It is still possible to ensure atomicity of specific blocks of code with
+Django's ``transaction.atomic`` decorator or context manager.
 
 .. code-block:: python
 
-    DATABASES['default']['ATOMIC_REQUESTS'] = False
-
-.. note::
-
-    If this conflicts with your existing set up, you can modify the code in your
-    other apps to use e.g. ``@transaction.atomic``.
+    DATABASES['default']['ATOMIC_REQUESTS'] = True
 
 
 Templates
@@ -244,9 +242,6 @@ The following projectroles settings are **optional**:
     app views and URLs are still accessible via other links or knowing the URL.
     The names should correspond to the ``name`` property in project app plugins
     (list)
-``PROJECTROLES_HIDE_APP_LINKS``
-    **DEPRECATED**, use ``PROJECTROLES_HIDE_PROJECT_APPS`` instead. This will be
-    removed in v1.0
 ``PROJECTROLES_DELEGATE_LIMIT``
     The number of delegate roles allowed per project. The amount is limited to 1
     per project if not set, unlimited if set to 0. Will be ignored for remote
@@ -333,38 +328,40 @@ information see :ref:`dev_backend_app`.
     ENABLED_BACKEND_PLUGINS = env.list('ENABLED_BACKEND_PLUGINS', None, [])
 
 
-API View Settings (Optional)
+REST API Settings (Optional)
 ============================
 
-If you want to build an API to your site using SODAR Core functionality, it is
-recommended to base your API views on ``projectroles.views.SODARAPIBaseView``.
-Using this base class also allows you to define your API media type, version
-number and allowed versions via Django settings.
+.. warning::
 
-The recommended API setup uses accept header versioning. The
-``SODAR_API_MEDIA_TYPE`` setting should be changed to your organization and API
-identification if API views are introduced. The ``SODAR_API_DEFAULT_HOST``
-setting should post to the externally visible host of your server and be
-configured in your environment settings.
+    General site-based REST API versioning settings have been deprecated in
+    SODAR Core v1.0. They will be removed in v1.1. You are expected to provide
+    your own app-based media type and versioning schema. For more information,
+    see :ref:`dev_project_app_rest_api`.
 
-These settings are **optional**. Default values will be used if they are unset.
+If your site provides a REST API, the ``SODAR_API_DEFAULT_HOST`` setting should
+point to the externally visible host of your server and be configured in your
+environment settings. Example:
 
-Example:
+.. code-block:: python
+
+    SODAR_API_DEFAULT_HOST = env.url('SODAR_API_DEFAULT_HOST', 'http://0.0.0.0:8000')
+
+For enabling page size customization for pagination, it's recommended to set
+``REST_FRAMEWORK['PAGE_SIZE']`` using an environment variable as follows:
 
 .. code-block:: python
 
-    SODAR_API_DEFAULT_VERSION = '0.1'
-    SODAR_API_ACCEPTED_VERSIONS = [SODAR_API_DEFAULT_VERSION]
-    SODAR_API_MEDIA_TYPE = 'application/your.application+json'  # Change this
-    SODAR_API_DEFAULT_HOST = SODAR_API_DEFAULT_HOST = env.url('SODAR_API_DEFAULT_HOST', 'http://0.0.0.0:8000')
+    REST_FRAMEWORK = {
+        'PAGE_SIZE': env.int('SODAR_API_PAGE_SIZE', 100),
+    }
 
 
 LDAP/AD Configuration (Optional)
 ================================
 
 If you want to utilize LDAP/AD user logins as configured by projectroles, you
-can add the following configuration. Make sure to also add the related env
-variables to your configuration.
+can add the following configuration. Make sure to also add the related
+environment variables to your configuration.
 
 This part of the setup is **optional**.
 
@@ -389,6 +386,7 @@ This part of the setup is **optional**.
     ENABLE_LDAP = env.bool('ENABLE_LDAP', False)
     ENABLE_LDAP_SECONDARY = env.bool('ENABLE_LDAP_SECONDARY', False)
     LDAP_DEBUG = env.bool('LDAP_DEBUG', False)
+    LDAP_ALT_DOMAINS = env.list('LDAP_ALT_DOMAINS', None, default=[])
 
     if ENABLE_LDAP:
         import itertools
@@ -409,20 +407,20 @@ This part of the setup is **optional**.
         AUTH_LDAP_SERVER_URI = env.str('AUTH_LDAP_SERVER_URI', None)
         AUTH_LDAP_BIND_DN = env.str('AUTH_LDAP_BIND_DN', None)
         AUTH_LDAP_BIND_PASSWORD = env.str('AUTH_LDAP_BIND_PASSWORD', None)
-        AUTH_LDAP_START_TLS = env.str('AUTH_LDAP_START_TLS', False)
+        AUTH_LDAP_START_TLS = env.bool('AUTH_LDAP_START_TLS', False)
         AUTH_LDAP_CA_CERT_FILE = env.str('AUTH_LDAP_CA_CERT_FILE', None)
         AUTH_LDAP_CONNECTION_OPTIONS = {**LDAP_DEFAULT_CONN_OPTIONS}
-        if AUTH_LDAP_CA_CERT_FILE is not None:
-            AUTH_LDAP_CONNECTION_OPTIONS[
-                ldap.OPT_X_TLS_CACERTFILE
-            ] = AUTH_LDAP_CA_CERT_FILE
+        if AUTH_LDAP_CA_CERT_FILE:
+            AUTH_LDAP_CONNECTION_OPTIONS[ldap.OPT_X_TLS_CACERTFILE] = (
+                AUTH_LDAP_CA_CERT_FILE
+            )
             AUTH_LDAP_CONNECTION_OPTIONS[ldap.OPT_X_TLS_NEWCTX] = 0
         AUTH_LDAP_USER_FILTER = env.str(
             'AUTH_LDAP_USER_FILTER', '(sAMAccountName=%(user)s)'
         )
-
+        AUTH_LDAP_USER_SEARCH_BASE = env.str('AUTH_LDAP_USER_SEARCH_BASE', None)
         AUTH_LDAP_USER_SEARCH = LDAPSearch(
-            env.str('AUTH_LDAP_USER_SEARCH_BASE', None),
+            AUTH_LDAP_USER_SEARCH_BASE,
             ldap.SCOPE_SUBTREE,
             AUTH_LDAP_USER_FILTER,
         )
@@ -431,7 +429,6 @@ This part of the setup is **optional**.
         AUTH_LDAP_DOMAIN_PRINTABLE = env.str(
             'AUTH_LDAP_DOMAIN_PRINTABLE', AUTH_LDAP_USERNAME_DOMAIN
         )
-
         AUTHENTICATION_BACKENDS = tuple(
             itertools.chain(
                 ('projectroles.auth_backends.PrimaryLDAPBackend',),
@@ -444,20 +441,22 @@ This part of the setup is **optional**.
             AUTH_LDAP2_SERVER_URI = env.str('AUTH_LDAP2_SERVER_URI', None)
             AUTH_LDAP2_BIND_DN = env.str('AUTH_LDAP2_BIND_DN', None)
             AUTH_LDAP2_BIND_PASSWORD = env.str('AUTH_LDAP2_BIND_PASSWORD', None)
-            AUTH_LDAP2_START_TLS = env.str('AUTH_LDAP2_START_TLS', False)
+            AUTH_LDAP2_START_TLS = env.bool('AUTH_LDAP2_START_TLS', False)
             AUTH_LDAP2_CA_CERT_FILE = env.str('AUTH_LDAP2_CA_CERT_FILE', None)
             AUTH_LDAP2_CONNECTION_OPTIONS = {**LDAP_DEFAULT_CONN_OPTIONS}
-            if AUTH_LDAP2_CA_CERT_FILE is not None:
-                AUTH_LDAP2_CONNECTION_OPTIONS[
-                    ldap.OPT_X_TLS_CACERTFILE
-                ] = AUTH_LDAP2_CA_CERT_FILE
+            if AUTH_LDAP2_CA_CERT_FILE:
+                AUTH_LDAP2_CONNECTION_OPTIONS[ldap.OPT_X_TLS_CACERTFILE] = (
+                    AUTH_LDAP2_CA_CERT_FILE
+                )
                 AUTH_LDAP2_CONNECTION_OPTIONS[ldap.OPT_X_TLS_NEWCTX] = 0
             AUTH_LDAP2_USER_FILTER = env.str(
                 'AUTH_LDAP2_USER_FILTER', '(sAMAccountName=%(user)s)'
             )
-
+            AUTH_LDAP2_USER_SEARCH_BASE = env.str(
+                'AUTH_LDAP2_USER_SEARCH_BASE', None
+            )
             AUTH_LDAP2_USER_SEARCH = LDAPSearch(
-                env.str('AUTH_LDAP2_USER_SEARCH_BASE', None),
+                AUTH_LDAP2_USER_SEARCH_BASE,
                 ldap.SCOPE_SUBTREE,
                 AUTH_LDAP2_USER_FILTER,
             )
@@ -466,7 +465,6 @@ This part of the setup is **optional**.
             AUTH_LDAP2_DOMAIN_PRINTABLE = env.str(
                 'AUTH_LDAP2_DOMAIN_PRINTABLE', AUTH_LDAP2_USERNAME_DOMAIN
             )
-
             AUTHENTICATION_BACKENDS = tuple(
                 itertools.chain(
                     ('projectroles.auth_backends.SecondaryLDAPBackend',),
@@ -475,137 +473,120 @@ This part of the setup is **optional**.
             )
 
 
-SAML SSO Configuration (Optional)
-=================================
+.. _app_projectroles_settings_oidc:
 
-Optional Single Sign-On (SSO) authorization via SAML is also available. To
-enable this feature, set ``ENABLE_SAML=1`` in your environment. Configuring SAML
-for SSO requires proper configuration of the Keycloak SSO server and the SAML
-client library.
+OpenID Connect (OIDC) Configuration (Optional)
+==============================================
 
-Keycloak
---------
+SODAR Core supports single sign-on authentication via OIDC from v1.0 onwards. To
+enable OIDC logins, add the following Django settings and related environment
+variables to your configuration.
 
-Create a new client in Keycloak and configure it as follows. Please note that
-**Client ID** can be chosen however you like, but it must match the setting
-in the client.
+This part of the setup is **optional**.
 
-.. figure:: _static/saml/keycloak_client_config.png
+OIDC support is implemented using the ``social_django`` app. You first need to
+add the app to your ``INSTALLED_APPS``:
 
-To generate the ``metadata.xml`` file required for the client, go to the
-**Realm Settings** page and in the **General** tab, click
-``SAML 2.0 Identity Provider Metadata`` to download the xml data. Save it
-somewhere on the client, the preferred name is ``metadata.xml``.
+.. code-block:: python
 
-.. figure:: _static/saml/keycloak_metadata_download.png
+    THIRD_PARTY_APPS = [
+        # ...
+        'social_django',  # For OIDC authentication
+    ]
+
+Next, you must add the app's URL patterns in ``config/urls.py``:
+
+.. code-block:: python
+
+    urlpatterns = [
+        # ...
+        # Social auth for OIDC support
+        path('social/', include('social_django.urls')),
+    ]
+
+Finally, you should add the following Django settings in your ``base.py``
+settings file:
+
+.. code-block:: python
 
-For the signing of the request send to the Keycloak server you will require a
-certificate and key provided by the Keycloak server and incorporated into the
-configuration of the client. Switch to the ``SAML Keys``. Make sure to select
-``PKCS12`` as **Archive Format**.
+    ENABLE_OIDC = env.bool('ENABLE_OIDC', False)
 
-.. figure:: _static/saml/keycloak_saml_key_download1.png
-.. figure:: _static/saml/keycloak_saml_key_download2.png
+    if ENABLE_OIDC:
+        AUTHENTICATION_BACKENDS = tuple(
+            itertools.chain(
+                ('social_core.backends.open_id_connect.OpenIdConnectAuth',),
+                AUTHENTICATION_BACKENDS,
+            )
+        )
+        TEMPLATES[0]['OPTIONS']['context_processors'] += [
+            'social_django.context_processors.backends',
+            'social_django.context_processors.login_redirect',
+        ]
+        SOCIAL_AUTH_JSONFIELD_ENABLED = True
+        SOCIAL_AUTH_JSONFIELD_CUSTOM = 'django.db.models.JSONField'
+        SOCIAL_AUTH_USER_MODEL = AUTH_USER_MODEL
+        SOCIAL_AUTH_ADMIN_USER_SEARCH_FIELDS = [
+            'username',
+            'name',
+            'first_name',
+            'last_name',
+            'email',
+        ]
+        SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = env.str(
+            'SOCIAL_AUTH_OIDC_OIDC_ENDPOINT', None
+        )
+        SOCIAL_AUTH_OIDC_KEY = env.str('SOCIAL_AUTH_OIDC_KEY', 'CHANGEME')
+        SOCIAL_AUTH_OIDC_SECRET = env.str('SOCIAL_AUTH_OIDC_SECRET', 'CHANGEME')
+        SOCIAL_AUTH_OIDC_USERNAME_KEY = env.str(
+            'SOCIAL_AUTH_OIDC_USERNAME_KEY', 'username'
+        )
 
-Convert the archive on the commandline with the follow command and store them in
-some place on your client.
+Critical settings which should be provided through environment variables:
 
-.. code::
+``SOCIAL_AUTH_OIDC_OIDC_ENDPOINT``
+    Endpoint URL for the OIDC provider. The configuration file
+    ``.well-known/openid-configuration`` is expected to be found under this URL.
+``SOCIAL_AUTH_OIDC_KEY``
+    Your client ID in the OIDC provider.
+``SOCIAL_AUTH_OIDC_SECRET``
+    Secret for the OIDC provider.
+``SOCIAL_AUTH_OIDC_USERNAME_KEY``
+    If the username key of the browser is expected to be something other than
+    the default ``username``, it can be configured here. The values in this must
+    be unique and should preferably be human readable. If the OIDC provider does
+    not return such a username directly, it is possible to e.g. use the user
+    email as a unique user name.
 
-    openssl pkcs12 -in keystore.p12 -password "pass:<PASSWORD>" -nodes | openssl x509 -out cert.pem
-    openssl pkcs12 -in keystore.p12 -password "pass:<PASSWORD>" -nodes -nocerts | openssl rsa -out key.pem
+If you want to provide a custom template for directing login to your OIDC
+provider, add it as ``{PROJECTROLES_TEMPLATE_INCLUDE_PATH}/_login_oidc.html``
+(by default: ``your_site/templates/include/_login_oidc.html``). The include will
+be displayed as an element in the login view.
 
-SODAR Core
-----------
+Below is an example of a custom template. You can e.g. change the content of the
+link to the logo of your OIDC provider. Note that the login URL must equal
+``{% url 'social:begin' 'oidc' %}?next={{ oidc_redirect_url|default:'/' }}`` to
+ensure it works in all views.
 
-Make sure that your ``config/settings/base.py`` contains the following
-configuration:
+.. code-block:: django
 
-.. code-block:: python
+    <a role="button" class="btn btn-md btn-info btn-block" id="sodar-login-oidc-link"
+       href="{% url 'social:begin' 'oidc' %}?next={{ oidc_redirect_url|default:'/' }}">
+      <i class="iconify" data-icon="mdi:login-variant"></i> OpenID Connect Login
+    </a>
 
-    ENABLE_SAML = env.bool('ENABLE_SAML', False)
-    SAML2_AUTH = {
-        # Required setting
-        # Pysaml2 Saml client settings
-        # See: https://pysaml2.readthedocs.io/en/latest/howto/config.html
-        'SAML_CLIENT_SETTINGS': {
-            # Optional entity ID string to be passed in the 'Issuer' element of
-            # authn request, if required by the IDP.
-            'entityid': env.str('SAML_CLIENT_ENTITY_ID', 'SODARcore'),
-            'entitybaseurl': env.str(
-                'SAML_CLIENT_ENTITY_URL', 'https://localhost:8000'
-            ),
-            # The auto(dynamic) metadata configuration URL of SAML2
-            'metadata': {
-                'local': [
-                    env.str('SAML_CLIENT_METADATA_FILE', 'metadata.xml'),
-                ],
-            },
-            'service': {
-                'sp': {
-                    'idp': env.str(
-                        'SAML_CLIENT_IPD',
-                        'https://sso.hpc.bihealth.org/auth/realms/cubi',
-                    ),
-                    # Keycloak expects client signature
-                    'authn_requests_signed': 'true',
-                    # Enforce POST binding which is required by keycloak
-                    'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
-                },
-            },
-            'key_file': env.str('SAML_CLIENT_KEY_FILE', 'key.pem'),
-            'cert_file': env.str('SAML_CLIENT_CERT_FILE', 'cert.pem'),
-            'xmlsec_binary': env.str('SAML_CLIENT_XMLSEC1', '/usr/bin/xmlsec1'),
-            'encryption_keypairs': [
-                {
-                    'key_file': env.str('SAML_CLIENT_KEY_FILE', 'key.pem'),
-                    'cert_file': env.str('SAML_CLIENT_CERT_FILE', 'cert.pem'),
-                }
-            ],
-        },
-        # Custom target redirect URL after the user get logged in.
-        # Defaults to /admin if not set. This setting will be overwritten if you
-        # have parameter ?next= specified in the login URL.
-        'DEFAULT_NEXT_URL': '/',
-        # # Optional settings below
-        # 'NEW_USER_PROFILE': {
-        #     'USER_GROUPS': [],  # The default group name when a new user logs in
-        #     'ACTIVE_STATUS': True,  # The default active status for new users
-        #     'STAFF_STATUS': True,  # The staff status for new users
-        #     'SUPERUSER_STATUS': False,  # The superuser status for new users
-        # },
-        # 'ATTRIBUTES_MAP': env.dict(
-        #     'SAML_ATTRIBUTES_MAP',
-        #     default={
-        #         Change values to corresponding SAML2 userprofile attributes.
-        #         'email': 'Email',
-        #         'username': 'UserName',
-        #         'first_name': 'FirstName',
-        #         'last_name': 'LastName',
-        #     }
-        # ),
-        # 'TRIGGER': {
-        #     'FIND_USER': 'path.to.your.find.user.hook.method',
-        #     'NEW_USER': 'path.to.your.new.user.hook.method',
-        #     'CREATE_USER': 'path.to.your.create.user.hook.method',
-        #     'BEFORE_LOGIN': 'path.to.your.login.hook.method',
-        # },
-        # Custom URL to validate incoming SAML requests against
-        # 'ASSERTION_URL': 'https://your.url.here',
-    }
 
-Add the following settings to your environment variables:
+SAML SSO Configuration (Removed in v1.0)
+========================================
 
-.. code-block::
+.. note::
 
-    ENABLE_SAML=1
-    SAML_CLIENT_ENTITY_ID=<Entity ID configured in Keycloak>
-    SAML_CLIENT_ENTITY_URL=<Client URL, e.g. https://sodar-core.bihealth.org>
-    SAML_CLIENT_METADATA_FILE=<e.g. metadata.xml>
-    SAML_CLIENT_IPO=<SSO server URL, e.g. https://sso.hpc.bihealth.org/auth/realms/cubi>
-    SAML_CLIENT_KEY_FILE=<e.g. key.pem>
-    SAML_CLIENT_CERT_FILE=<e.g. cert.pem>
-    SAML_CLIENT_XMLSEC1=<e.g. /usr/bin/xmlsec1>
+    SAML support has been removed in SODAR Core v1.0. It has been replaced with
+    the possibility to set up OpenID Connect (OIDC) authentication. The library
+    previously used for SAML in SODAR Core is incompatible with Django v4.x. We
+    are unaware of SODAR Core based projects requiring SAML at this time. If
+    there are specific needs to use SAML on a SODAR Core based site, we are
+    happy to review pull requests to reintroduce it. Please note the
+    implementation has to support Django v4.2+.
 
 
 Global JS/CSS Include Modifications (Optional)
diff --git a/docs/source/app_projectroles_usage.rst b/docs/source/app_projectroles_usage.rst
index 592a8e64..0d5d7253 100644
--- a/docs/source/app_projectroles_usage.rst
+++ b/docs/source/app_projectroles_usage.rst
@@ -25,14 +25,19 @@ Core based Django site.
 
 One can either log in using a local Django user or, if LDAP/AD is enabled, their
 LDAP/AD credentials from a supported site. In the latter case, the user domain
-must be appended to the user name in form of ``user@DOMAIN``. Single sign-on
-with SAML can also be made available.
+must be appended to the user name in form of ``user@DOMAIN``.
+
+If OpenID Connect (OIDC) single-sign on authentication is enabled, an extra
+login element will be displayed next to the standard login controls. This will
+take the user to the login view of the OIDC provider. The element can be
+replaced with a custom template to e.g. use specific graphics recommended by the
+provider.
 
 .. figure:: _static/app_projectroles/sodar_login.png
     :align: center
     :scale: 75%
 
-    SODAR login form
+    SODAR Core login form
 
 
 User Interface
@@ -198,6 +203,16 @@ specifically granting it.
     Public guest access can only be set for projects. Categories will be visible
     for users with access to any category or project under them.
 
+Access on Remote Sites
+----------------------
+
+In the project create/update view, owners and delegates can modify remote site
+access to projects. This is available for sites where these controls have been
+enabled by administrators. The sites will appear as checkboxes as
+:guilabel:`Enable project on {SITE-NAME}`.
+
+For more information, see :ref:`app_projectroles_usage_remote`.
+
 App Settings
 ------------
 
@@ -309,11 +324,12 @@ Invites
 -------
 
 Invites are accepted by the responding user clicking on a link supplied in their
-invite email and either logging in to the site with their LDAP/AD credentials or
-creating a local user. The latter is only allowed if local users are enabled in
-the site's Django settings and the user email domain is not associated with
-configured LDAP domains. Invites expire after a certain time and can be reissued
-or revoked on the **Project Invites** page.
+invite email. Depending on how the site is configured, users can then either
+login to the site using their LDAP/OIDC credentials or create a local user. The
+latter is only allowed if local users are enabled in the site's Django settings
+and the user email domain is not associated with configured LDAP domains.
+Invites expire after a certain time and can be reissued or revoked on the
+:guilabel:`Project Invites` page.
 
 Batch Member Modifications
 --------------------------
@@ -323,6 +339,19 @@ project permissions, or by a site admin using the ``batchupdateroles``
 management command. The latter supports multiple projects in one batch. It is
 also able to send invites to users who have not yet signed up on the site.
 
+User Status Checking
+--------------------
+
+An administrator can check status of external LDAP user accounts using the
+``checkusers`` management command. This will list accounts disabled or locked
+out of the LDAP server. Use the ``-h`` flag to see additional options.
+
+.. code-block:: console
+
+    $ ./manage.py checkusers
+
+
+.. _app_projectroles_usage_remote:
 
 Remote Projects
 ===============
@@ -345,7 +374,8 @@ project data can be provided. A target site can define exactly one source site,
 from which project data can be retrieved from.
 
 To enable remote project data and member synchronization, you must first set up
-either a target or a source site depending on the role of your own SODAR site.
+either a target or a source site depending on the role of your own SODAR Core
+based site.
 
 .. figure:: _static/app_projectroles/sodar_remote_sites.png
     :align: center
@@ -362,10 +392,33 @@ specifying the remote site. A secret string is generated automatically. You
 need to provide this to the administrator of the target site in question for
 accessing your site.
 
-Here you also have the option to hide the remote project link from your users.
-Users viewing the project on the source site then won't see a link to the target
-site. Owners and superusers will still see the link (greyed out). This is most
-commonly used for internal test sites which only needs to be used by admins.
+Fields for target remote site creation:
+
+Name
+    Name of the remote site.
+URL
+    URL for the remote site, e.g. ``https://sodar-core-site.example.com``.
+Description
+    Text description for the site.
+User display
+    If set false, this will hide the remote project links from your users.
+    Users viewing the project on the source site then won't see a link to the
+    target site. Owners and superusers will still see the link (greyed out).
+    This is most commonly used for internal test sites which only needs to be
+    used by admins.
+Owner modifiable
+    If this and :guilabel:`User display` are checked, owners and delegates can
+    control project visibility on this site in the project create/update view.
+Secret
+    Secret token for the project, which must be set to an identical value
+    between source and target sites.
+
+.. figure:: _static/app_projectroles/sodar_remote_site_form.png
+    :align: center
+    :scale: 50%
+
+    Remote site create/update view viewed as a source site
+
 
 Once created, you can access the list of projects on your site in regards to the
 created target site. For each project, you may select an access level, of which
@@ -381,6 +434,15 @@ Revoked Access
     remain in the target site, but only superusers, the project owner or the
     project delegate(s) can access it.
 
+Once desired access to specific projects has been granted and confirmed, the
+target site will sync the data by sending a request to the source site.
+
+.. figure:: _static/app_projectroles/sodar_remote_projects.png
+    :align: center
+    :scale: 50%
+
+    Remote project list viewed as a source site
+
 .. note::
 
     The *read roles* access level also provides metadata of the categories above
@@ -405,15 +467,6 @@ Revoked Access
     explicitly set by the project owner, delegate or a superuser in the
     :guilabel:`Update Project` form.
 
-Once desired access to specific projects has been granted and confirmed, the
-target site will sync the data by sending a request to the source site.
-
-.. figure:: _static/app_projectroles/sodar_remote_projects.png
-    :align: center
-    :scale: 50%
-
-    Remote project list in source mode
-
 As Target Site
 --------------
 
@@ -450,7 +503,29 @@ Alternatively, the following management command can be used:
     If a local user is the owner of a synchronized project on the source site,
     the user defined in the ``PROJECTROLES_DEFAULT_ADMIN`` will be given the
     owner role. Hence you **must** have this setting defined if you are
-    implementing a SODAR site in target mode.
+    implementing a SODAR Core based site in target mode.
+
+.. note::
+
+    Local non-owner users can be granted roles if
+    ``PROJECTROLES_ALLOW_LOCAL_USERS`` is set on the target site. However, local
+    users must be manually created by a target site admin in order for their
+    data and roles to be synchronized.
+
+Project Detail View Links
+-------------------------
+
+Links to the same project on other sites will appear in the
+:guilabel:`Project on Other Sites` card in the project detail view. If the
+remote site has not yet synchronized this project, the link will appear grayed
+out and unclickable. On a remote site, the source project will be labeled as
+such.
+
+.. figure:: _static/app_projectroles/sodar_remote_project_links.png
+    :align: center
+    :scale: 75%
+
+    Remote project links in the project detail view
 
 
 Search
diff --git a/docs/source/app_sodarcache.rst b/docs/source/app_sodarcache.rst
index 54f6383f..062011c3 100644
--- a/docs/source/app_sodarcache.rst
+++ b/docs/source/app_sodarcache.rst
@@ -13,6 +13,7 @@ queries to databases other than the local Django PostgreSQL.
    :maxdepth: 3
    :caption: Contents:
 
-   Installation <app_sodarcache_install>
-   Usage <app_sodarcache_usage>
-   Django API Documentation <app_sodarcache_api_django>
+    Installation <app_sodarcache_install>
+    Usage <app_sodarcache_usage>
+    Django API Documentation <app_sodarcache_api_django>
+    REST API Documentation <app_sodarcache_api_rest>
diff --git a/docs/source/app_sodarcache_api_rest.rst b/docs/source/app_sodarcache_api_rest.rst
new file mode 100644
index 00000000..74ecd4a6
--- /dev/null
+++ b/docs/source/app_sodarcache_api_rest.rst
@@ -0,0 +1,34 @@
+.. _app_sodarcache_api_rest:
+
+
+Sodarcache REST API Documentation
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+This document contains the HTTP REST API documentation for the ``sodarcache``
+app.
+
+
+Sodarcache REST API Versioning
+==============================
+
+Media Type
+    ``application/vnd.bihealth.sodar-core.sodarcache+json``
+Current Version
+    ``1.0``
+Accepted Versions
+    ``1.0``
+Header Example
+    ``Accept: application/vnd.bihealth.sodar-core.sodarcache+json; version=x.y``
+
+
+Sodarcache REST API Views
+=========================
+
+.. currentmodule:: sodarcache.views_api
+
+.. autoclass:: CacheItemRetrieveAPIView
+
+.. autoclass:: CacheItemDateRetrieveAPIView
+
+.. autoclass:: CacheItemSetAPIView
+
diff --git a/docs/source/app_timeline.rst b/docs/source/app_timeline.rst
index 69081f43..dc3d78aa 100644
--- a/docs/source/app_timeline.rst
+++ b/docs/source/app_timeline.rst
@@ -27,3 +27,4 @@ the :ref:`timeline usage documentation <app_timeline_usage>`.
    Installation <app_timeline_install>
    Usage <app_timeline_usage>
    Django API Documentation <app_timeline_api_django>
+   REST API Documentation <app_timeline_api_rest>
diff --git a/docs/source/app_timeline_api_rest.rst b/docs/source/app_timeline_api_rest.rst
new file mode 100644
index 00000000..322adf4c
--- /dev/null
+++ b/docs/source/app_timeline_api_rest.rst
@@ -0,0 +1,33 @@
+.. _app_timeline_api_rest:
+
+
+Timeline REST API Documentation
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+This document contains the HTTP REST API documentation for the ``timeline``
+app.
+
+
+Timeline REST API Versioning
+============================
+
+Media Type
+    ``application/vnd.bihealth.sodar-core.timeline+json``
+Current Version
+    ``1.0``
+Accepted Versions
+    ``1.0``
+Header Example
+    ``Accept: application/vnd.bihealth.sodar-core.timeline+json; version=x.y``
+
+
+Timeline REST API Views
+=======================
+
+.. currentmodule:: timeline.views_api
+
+.. autoclass:: ProjectTimelineEventListAPIView
+
+.. autoclass:: SiteTimelineEventListAPIView
+
+.. autoclass:: TimelineEventRetrieveAPIView
diff --git a/docs/source/app_timeline_usage.rst b/docs/source/app_timeline_usage.rst
index 0346ce22..4699b688 100644
--- a/docs/source/app_timeline_usage.rst
+++ b/docs/source/app_timeline_usage.rst
@@ -24,15 +24,19 @@ All Timeline Events
 
 .. figure:: _static/app_timeline/sodar_timeline.png
     :align: center
-    :scale: 50%
+    :scale: 65%
 
     Timeline project event list view
 
-The event list layout is practically similar for each view. By clicking on the
-time stamp for each event, you can view the details on different status updates
+The event list layout is mostly similar for each view. By clicking on the
+timestamp for each event, you can view the details on different status updates
 for the execution of the event. This is used e.g. in case of asynchronous
 events.
 
+The event description contains a badge with the event name, which can be used
+to refer to similar events and e.g. search for events of a specific type using
+the site search.
+
 By clicking on the clock icon next to an object link in the event description,
 you can view the event history of that object. The link itself will take you
 to the relevant view for the object on your Django site.
@@ -152,9 +156,9 @@ Defining Status States
     need to pay attention to this functionality right now.
 
 By default, ``timeline.add_event()`` treats events as synchronous and
-automatically saves them with the status of ``OK``. However, in case of e.g.
-asynchronous requests, you can alter this by setting the ``status_type`` and
-(optionally) ``status_desc`` types upon creation.
+automatically saves them with the status of ``TL_STATUS_OK``. However, in case
+of e.g. asynchronous requests, you can alter this by setting the ``status_type``
+and (optionally) ``status_desc`` types upon creation.
 
 .. code-block:: python
 
@@ -164,7 +168,7 @@ asynchronous requests, you can alter this by setting the ``status_type`` and
         user=request.user,
         event_name='some_event',
         description='Description',
-        status_type='SUBMIT',
+        status_type=TL_STATUS_SUBMIT
         status_desc='Just submitted this')
 
 After that, you can add new status states for the event using the object
@@ -172,18 +176,18 @@ returned by ``timeline.add_event()``:
 
 .. code-block:: python
 
-    tl_event.set_status('OK', 'Submission was successful!')
+    tl_event.set_status(timeline.TL_STATUS_SUBMIT, 'Submission was successful!')
 
 Currently supported status types are listed below, some only applicable to async
 events:
 
-- ``OK``: All OK, event successfully performed
-- ``INFO``: Used for events which do not change anything, e.g. viewing something
-  within an app
-- ``INIT``: Initializing the event in progress
-- ``SUBMIT``: Event submitted asynchronously
-- ``FAILED``: Asynchronous event submission failed
-- ``CANCEL``: Event cancelled
+- ``TL_STATUS_OK``: All OK, event successfully performed
+- ``TL_STATUS_INFO``: Used for events which do not change anything, e.g. viewing
+  something within an app
+- ``TL_STATUS_INIT``: Initializing the event in progress
+- ``TL_STATUS_SUBMIT``: Event submitted asynchronously
+- ``TL_STATUS_FAILED``: Asynchronous event submission failed
+- ``TL_STATUS_CANCEL``: Event cancelled
 
 Extra Data
 ----------
diff --git a/docs/source/app_userprofile.rst b/docs/source/app_userprofile.rst
index 633671f5..572318a9 100644
--- a/docs/source/app_userprofile.rst
+++ b/docs/source/app_userprofile.rst
@@ -81,12 +81,40 @@ app plugins.
 User settings defined in the ``projectroles`` app, available for all SODAR Core
 using sites:
 
+Receive Email for Admin Alerts
+    Receive email for :ref:`admin alerts <app_adminalerts>`.
 Display Project UUID Copying Link
     If set true, display a link in the project title bar for copying the project
     UUID into the clipboard.
-Additional Email
-    In addition to the default user email, also send email notifications to
-    these addresses.
+Receive Email for Project Updates
+    Receive email notifications for project or category creation, updating,
+    moving and archiving.
+Receive Email for Project Membership Updates
+    Receive email notifications for project or category membership updates and
+    invitation activity.
 
 In the development setup, the SODAR Core example site apps also provide
 additional settings for demonstrating settings features.
+
+
+Additional Emails
+=================
+
+The user can configure additional emails for their user account in case they
+want to receive automated emails to addresses other than their primary address.
+The user profile view displays additional emails and provides controls for
+managing these addresses.
+
+.. hint::
+
+    Managing addresses is only possible on a source site. On a target site,
+    emails will be visible but not mofifiable.
+
+A new additional email address can be added with a form accessible by clicking
+on the :guilabel:`Add Email` button. After creation, a verification email will
+be sent to the specified address. Opening a link contained in the email and
+logging into the site will verify the email. Only verified email addresses will
+receive automated emails from the site.
+
+For each email address displayed in the list, there are controls to re-send the
+verification email (in case of an unverified email) and deleting the address.
diff --git a/docs/source/conf.py b/docs/source/conf.py
index c0712f2d..f628b7d5 100644
--- a/docs/source/conf.py
+++ b/docs/source/conf.py
@@ -27,9 +27,9 @@
 author = 'BIH Core Unit Bioinformatics'
 
 # The short X.Y version
-version = '0.13'
+version = '1.0'
 # The full version, including alpha/beta/rc tags
-release = '0.13.4'
+release = '1.0.0'
 
 
 # -- General configuration ---------------------------------------------------
diff --git a/docs/source/dev_backend_app.rst b/docs/source/dev_backend_app.rst
index de77e8c2..1f9963d5 100644
--- a/docs/source/dev_backend_app.rst
+++ b/docs/source/dev_backend_app.rst
@@ -90,7 +90,8 @@ Implementing the following is **optional**:
     Return statistics for the siteinfo app. See details in
     :ref:`the siteinfo documentation <app_siteinfo>`.
 ``get_object_link()``
-    Return object link for a Timeline event.
+    Return object link for a Timeline event. Expected to return a
+    ``PluginObjectLink`` object or ``None``.
 ``get_extra_data_link()``
     Return extra data link for a Timeline event.
 
diff --git a/docs/source/dev_core_install.rst b/docs/source/dev_core_install.rst
index 5992aeb5..baeae331 100644
--- a/docs/source/dev_core_install.rst
+++ b/docs/source/dev_core_install.rst
@@ -26,7 +26,8 @@ system of choice.
 System Dependencies
 ===================
 
-To get started, install the OS dependencies, PostgreSQL >=11 and Python >=3.8.
+To get started, install the OS dependencies, Python >=3.9 (3.11 recommended) and
+PostgreSQL >=12 (16 recommended).
 
 .. code-block:: console
 
@@ -59,6 +60,13 @@ Example of the database URL variable as set within an ``.env`` file:
 
     DATABASE_URL=postgres://your-db:your-db@127.0.0.1/your-db
 
+Asynchronous Celery tasks require running a Redis server. For development, you
+can install it with the following script:
+
+.. code-block:: console
+
+    $ sudo utility/install_redis.sh
+
 
 Repository and Environment Setup
 ================================
@@ -134,7 +142,9 @@ Optional Steps
 
 For creating a group of example users for your development site, you can run the
 ``createdevusers`` management command. This creates the users "alice", "bob",
-"carol", "dan" and "erin", all with the password "password".
+"carol", "dan" and "erin". The users will be created with the password
+"sodarpass", unless a custom password is supplied via the ``-p`` or
+``--password`` argument.
 
 .. code-block:: console
 
diff --git a/docs/source/dev_project_app.rst b/docs/source/dev_project_app.rst
index 79118d40..00c32c68 100644
--- a/docs/source/dev_project_app.rst
+++ b/docs/source/dev_project_app.rst
@@ -53,7 +53,7 @@ to set up a fresh app generated in the standard way with
 
 It is also assumed that apps are more or less created according to best
 practices defined by `Two Scoops <https://www.twoscoopspress.com/>`_, with the
-use of `Class-Based Views <https://docs.djangoproject.com/en/3.2/topics/class-based-views//>`_
+use of `Class-Based Views <https://docs.djangoproject.com/en/4.2/topics/class-based-views/>`_
 being a requirement.
 
 
@@ -96,7 +96,7 @@ To provide a unique identifier for objects in the SODAR context, add a
 
     When updating an existing Django model with an existing database, the
     ``sodar_uuid`` field needs to be populated. See
-    `instructions in Django documentation <https://docs.djangoproject.com/en/3.2/howto/writing-migrations/#migrations-that-add-unique-fields>`_
+    `instructions in Django documentation <https://docs.djangoproject.com/en/4.2/howto/writing-migrations/#migrations-that-add-unique-fields>`_
     on how to create the required migrations.
 
 Model Example
@@ -247,12 +247,13 @@ Implementing the following is **optional**:
     List of names for app-specific Django settings to be displayed for
     administrators in the siteinfo app.
 ``get_object_link()``
-    Return object link for a Timeline event.
+    Return object link for a Timeline event. Expected to return a
+    ``PluginObjectLink`` object or ``None``.
 ``get_extra_data_link()``
     Return extra data link for a Timeline event.
 ``search()``
     Function called when searching for data related to the app if search is
-    enabled.
+    enabled. Expected to return a list of ``PluginSearchResult`` objects.
 ``get_statistics()``
     Return statistics for the siteinfo app. See details in
     :ref:`the siteinfo documentation <app_siteinfo>`.
@@ -595,7 +596,7 @@ Project Search API and Template
 ===============================
 
 If you want to implement search in your project app, you need to implement the
-``search()`` method in your plugin as well as a template for displaying the
+``search()`` method in your plugin, as well as a template for displaying the
 results.
 
 .. hint::
@@ -627,29 +628,33 @@ See the signature of ``search()`` in
 
 .. note::
 
-   Within this function, you are expected to verify appropriate access of the
+   Within this method, you are expected to verify appropriate access of the
    searching user yourself!
 
-.. warning::
+The return data is a list of one or more ``PluginSearchResult`` objects. The
+objects are expected to be split between search categories, of which there can
+be one or multiple. This is useful where e.g. the same type of HTML list isn't
+suitable for all returnable types. If only returning one type of data, you can
+use e.g. ``all`` as your only category. Example of a return data:
 
-    The old expected signature of providing a single ``search_term`` argument
-    has been deprecated in v0.9 and will be removed in the next major release!
+.. code-block:: python
 
-The return data is a dictionary, which is split by groups in case your app can
-return multiple different lists for data. This is useful where e.g. the same
-type of HTML list isn't suitable for all returnable types. If only returning one
-type of data, you can just use e.g. ``all`` as your only category. Example of
-the result:
+    from projectroles.plugins import PluginSearchResult
+    # ...
+    return [
+        PluginSearchResult(
+            category='all',  # Category ID to be used in your search template
+            title='List title',  # Title of the result set
+            search_types=[],  # Object types included in this category
+            items=[],  # List or QuerySet of objects returned by search
+        )
+    ]
 
-.. code-block:: python
+.. warning::
+
+    The earlier search implementation expected a ``dict`` as return data. This
+    has been deprecated and support for it will be removed in SODAR Core v1.1.
 
-   return {
-       'all': {                     # 1-N categories to be included
-           'title': 'List title',   # Title of the result list to be displayed
-           'search_types': [],      # Object types included in this category
-           'items': []              # The actual objects returned
-           }
-       }
 
 Search Template
 ---------------
@@ -700,6 +705,8 @@ API Views
 
 API view usage in project apps is detailed in this section.
 
+.. _dev_project_app_rest_api:
+
 Rest API Views
 --------------
 
@@ -713,14 +720,40 @@ methods of authentication: Knox tokens and Django session auth. These can of
 course be modified by overriding/extending the base classes.
 
 For versioning we strongly recommend using accept header versioning, which is
-what is supported by the SODAR Core base classes. For this, supply your custom
-media type and version data using the corresponding ``SODAR_API_*`` settings.
-For details on these, see :ref:`app_projectroles_settings`.
+what is supported by the SODAR Core base classes. From SODAR Core v1.0 onwards,
+each app is expected to use its own media type and API versioning, preferably
+based on semantic versioning. For this, you should supply your own versioning
+mixin to be used in your views. Example:
 
-The base classes provide permission checks via SODAR Core project objects
-similar to UI view mixins.
+.. code-block:: python
 
-Base REST API classes without a project context can also be used in site apps.
+    from rest_framework.renderers import JSONRenderer
+    from rest_framework.versioning import AcceptHeaderVersioning
+    from rest_framework.views import APIView
+    from projectroles.views_api import SODARAPIGenericProjectMixin
+
+    YOURAPP_API_MEDIA_TYPE = application/vnd.yourorg.yoursite.yourapp+json
+    YOURAPP_API_DEFAULT_VERSION = '1.0'
+    YOURAPP_API_ALLOWED_VERSIONS = ['1.0']
+
+    class YourAPIVersioningMixin:
+
+        class YourAPIRenderer(JSONRenderer):
+            media_type = YOURAPP_API_MEDIA_TYPE
+
+        class YourAPIVersioning(AcceptHeaderVersioning):
+            allowed_versions = YOURAPP_API_ALLOWED_VERSIONS
+            default_version = YOURAPP_API_DEFAULT_VERSION
+
+        render_classes = [YourAPIRenderer]
+        versioning_class = YourAPIVersioning
+
+    class YourAPIView(YourAPIVersioningMixin, SODARAPIGenericProjectMixin, APIView):
+        # ...
+
+The base classes provide permission checks via SODAR Core project objects
+similar to UI view mixins. Base REST API classes without a project context can
+also be used in site apps.
 
 See the
 :ref:`base REST API class documentation <app_projectroles_api_django_rest>` for
@@ -732,13 +765,14 @@ An example "hello world" REST API view for SODAR apps is available in
 .. note::
 
     Internal SODAR Core REST API views, specifically ones used in apps provided
-    by the django-sodar-core package, use different media type and versioning
-    from views to be implemented on your site. This is to prevent version number
-    clashes and not require changes from your API when SODAR Core is updated.
+    by the django-sodar-core package, use different media types and versioning
+    from views to be implemented on your site. From SODAR Core v1.0 onwards,
+    each app is expected to provide their own versioning.
 
     For implementing your own API views, make sure to use the ``SODARAPI*``
     base classes, **not** the ``CoreAPI`` classes. Similarly, in testing make
-    sure to use the base class helpers of the site API instead of the core API.
+    sure to use the base class helpers of the general API instead of the core
+    API.
 
 Ajax API Views
 --------------
@@ -871,8 +905,8 @@ with the name of your application as specified in its ``ProjectAppPlugin``.
 
 .. code-block:: python
 
-    from timeline.models import ProjectEvent
-    ProjectEvent.objects.filter(app='app_name').delete()
+    from timeline.models import TimelineEvent
+    TimelineEvent.objects.filter(app='app_name').delete()
 
 Next you should delete existing database objects defined by the models in your
 app. This is also most easily done via the Django shell. Example:
diff --git a/docs/source/dev_resource.rst b/docs/source/dev_resource.rst
index c0b1e8fe..ca91a530 100644
--- a/docs/source/dev_resource.rst
+++ b/docs/source/dev_resource.rst
@@ -306,9 +306,10 @@ The rest of the attributes are listed below:
     Default value for the setting. This is returned if no value has been set.
     Can alternatively be a callable with the signature
     ``callable(project=None, user=None)``.
-``local``
-    Boolean for allowing/disallowing editing in target sites for synchronized
-    projects.
+``global``
+    Boolean for allowing/disallowing editing in target sites for remote
+    projects. Relevant to ``SOURCE`` sites. If set ``True``, the value can not
+    be edited on target sites, the default value being ``False`` (optional).
 ``label``
     Label string to be displayed in forms for ``PROJECT`` and ``USER`` scope
     settings (optional).
@@ -341,7 +342,7 @@ docs, see
 
     from projectroles.app_settings import AppSettingAPI
     app_settings = AppSettingAPI()
-    app_settings.get('app_name', 'setting_name', project_object)  # Etc..
+    app_settings.get('plugin_name', 'setting_name', project_object)  # Etc..
 
 There is no need to separately generate settings for projects or users. If the
 setting object does not exist in the Django database when
diff --git a/docs/source/dev_site_app.rst b/docs/source/dev_site_app.rst
index d09943f1..f6dd0b86 100644
--- a/docs/source/dev_site_app.rst
+++ b/docs/source/dev_site_app.rst
@@ -119,7 +119,8 @@ Implementing the following is **optional**:
     Return statistics for the siteinfo app. See details in
     :ref:`the siteinfo documentation <app_siteinfo>`.
 ``get_object_link()``
-    Return object link for a Timeline event.
+    Return object link for a Timeline event. Expected to return a
+    ``PluginObjectLink`` object or ``None``.
 ``get_extra_data_link()``
     Return extra data link for a Timeline event.
 
diff --git a/docs/source/getting_started.rst b/docs/source/getting_started.rst
index c7704d46..a192bebf 100644
--- a/docs/source/getting_started.rst
+++ b/docs/source/getting_started.rst
@@ -17,7 +17,7 @@ the package is under active development and breaking changes are expected.
 
 .. code-block:: console
 
-    pip install django-sodar-core==0.13.4
+    pip install django-sodar-core==1.0.0
 
 Please note that the django-sodar-core package only installs
 :term:`Django apps<Django App>`, which you need to include in a
@@ -56,9 +56,9 @@ your Django site are listed below. For a complete requirement list, see the
 - Ubuntu (20.04 Focal recommended and supported) / CentOS 7
 - System library requirements (see the ``utility`` directory and/or your own
   Django project)
-- Python >=3.8 (**NOTE:** Python 3.7 no longer supported in SODAR Core v0.10.8+)
-- Django 3.2
-- PostgreSQL >=11 and psycopg2-binary
+- Python 3.9-3.11 (3.11 recommended)
+- Django 4.2
+- PostgreSQL >=12 (16 recommended) and psycopg2-binary
 - Bootstrap 4.x
 - JQuery 3.3.x
 - Shepherd and Tether
diff --git a/docs/source/index.rst b/docs/source/index.rst
index d264491f..1f7be576 100644
--- a/docs/source/index.rst
+++ b/docs/source/index.rst
@@ -79,8 +79,8 @@ Python Programming
   any.
 
 Django Development
-  For learning about Django, head over to the `excellent documentation of the
-  Django Project <https://docs.djangoproject.com/en/3.2/>`_.
+  For learning about Django, head over to the
+  `official Django documentation <https://docs.djangoproject.com/en/4.2/>`_.
 
 HTML / Javascript / CSS / Bootstrap 4
   Together with Django, SODAR Core provides a framework to plug in your own
diff --git a/docs/source/major_changes.rst b/docs/source/major_changes.rst
index 32e52cca..856957be 100644
--- a/docs/source/major_changes.rst
+++ b/docs/source/major_changes.rst
@@ -10,6 +10,314 @@ older SODAR Core version. For a complete list of changes in current and previous
 releases, see the :ref:`full changelog<changelog>`.
 
 
+v1.0.0 (2024-07-19)
+*******************
+
+Release Highlights
+==================
+
+- Upgrade to Django v4.2 and Postgres v16
+- Add Python v3.11 support
+- Add OpenID Connect (OIDC) authentication support
+- Add app specific and semantic REST API versioning
+- Add REST API versioning independent from repo/site versions
+- Add timeline REST API
+- Add optional pagination for REST API list views
+- Add admin alert email sending to all users
+- Add improved additional email address management and verification
+- Add user opt-out settings for email notifications
+- Add remote sync controls for owners and delegates in project form
+- Add target site user UUID updating in remote sync
+- Add remote sync of existing target local users
+- Add remote sync of USER scope app settings
+- Add checkusers management command
+- Add Ajax views for sidebar, project dropdown and user dropdown retrieval
+- Add CC and BCC field support in sending generic emails
+- Add is_set() helper in AppSettingAPI
+- Rewrite sodarcache REST API views
+- Rewrite user additional email storing
+- Rename AppSettingAPI "app_name" arguments to "plugin_name"
+- Plugin API return data updates and deprecations
+- Rename timeline app models
+- Rename base test classes
+- Remove app setting max length limit
+- Remove Python v3.8 support
+- Remove SAML authentication support
+
+Breaking Changes
+================
+
+Django v4.2 Upgrade
+-------------------
+
+This release updates SODAR Core from Django v3.2 to v4.2. This is a breaking
+change which causes many updates and also requires updating several
+dependencies.
+
+Please update the Django requirement along with your site's other Python
+requirements to match ones in ``requirements/*.txt``. See
+`Django deprecation documentation <https://docs.djangoproject.com/en/dev/internals/deprecation/>`_
+for details about what has been deprecated in Django and which changes are
+mandatory.
+
+Common known issues:
+
+- Minimum version of PostgreSQL has been bumped to v12.
+- Replace ``django.utils.translation.ugettext_lazy`` imports with
+  ``gettext_lazy``.
+- Replace ``django.conf.urls.url`` imports with ``django.urls.re_path``.
+- Calls for ``related_managers`` for unsaved objects raises ``ValueError``. This
+  can be handled by e.g. calling ``model.save(commit=False)`` before trying to
+  access foreign key relations.
+
+System Prerequisites
+--------------------
+
+PostgreSQL
+    The minimum required PostgreSQL version has been bumped to v12. We recommend
+    PostgreSQL v16 which is used in CI for this repo. However, any version from
+    v12 onwards should work with this release. We strongly recommended to make
+    backups of your production databases before upgrading.
+Python v3.11 Support Added
+    Python v3.11 support has been officially added in this version. 3.11 is also
+    the recommended Python version.
+Python v3.8 Support Dropped
+    This release no longer supports Python v3.8.
+General Python Dependencies
+    Third party Python package dependencies have been upgraded. See the
+    ``requirements`` directory for up-to-date package versions and upgrade your
+    project.
+
+REST API Versioning Overhaul
+----------------------------
+
+The REST API versioning system has been overhauled. Before, we used two separate
+accept header versioning systems: 1) API views in SODAR Core apps with
+``CORE_API_MEDIA_TYPE``, and 2) API views of the site built on SODAR Core with
+``SODAR_API_MEDIA_TYPE``. The version number has been expected to match the
+SODAR Core or the site version number, respectively.
+
+In the new system there are two critical changes to this versioning scheme:
+
+1. Each app is expected to provide its own media type and API version number.
+2. Each API should use a version number independent from the site version,
+   ideally following semantic versioning. Versions will start at ``1.0``.
+
+SODAR Core REST APIs are now be provided under the following media types, each
+available initially under version ``1.0``:
+
+:ref:`Projectroles <app_projectroles_api_rest>`
+    ``application/vnd.bihealth.sodar-core.projectroles+json``
+Projectroles Remote Sync (only used internally by SODAR Core sites)
+    ``application/vnd.bihealth.sodar-core.projectroles.sync+json``
+:ref:`Filesfolders <app_filesfolders_api_rest>`
+    ``application/vnd.bihealth.sodar-core.filesfolders+json``
+:ref:`Sodarcache <app_sodarcache_api_rest>`
+    ``application/vnd.bihealth.sodar-core.sodarcache+json``
+:ref:`Timeline <app_timeline_api_rest>`
+    ``application/vnd.bihealth.sodar-core.timeline+json``
+
+If you have previously used the ``SODAR_API_*`` accept header versioning, you
+should update your own views to the new scheme. To do this, you need to provide
+your custom renderer and versioning class for each app providing a REST API. For
+instructions and an example on how to do this, see
+:ref:`dev_project_app_rest_api`.
+
+.. note::
+
+    Legacy ``SODAR_API_*`` is deprecated but will still be supported in this
+    release. Support will be removed in v1.1, after which you will be required
+    to provide your own versioning and rendering classes. Calls to updated API
+    views using legacy versioning will not work with SODAR Core v1.0.
+
+.. warning::
+
+    The legacy API versioning for SODAR Core API views (projectroles and
+    filesfolders) is no longer working as of v1.0. Make sure to update your
+    clients for the new version number and see the API changes below. After this
+    overhaul, we aim to provide backwards compatibility for old API versions
+    whereever possible.
+
+REST API Pagination Support
+---------------------------
+
+This release adds optional pagination support for REST API list views. To
+paginate your results, provide the ``?page=1`` query string in your request.
+If paginated, the results will correspond to the Django Rest Framework
+``PageNumberPagination`` results. For more, see
+`DRF documentation <https://www.django-rest-framework.org/api-guide/pagination/#pagenumberpagination>`_.
+
+Requests to the views without the pagination query string return full results
+as a list as they did in previous releases. Hence, this change should not
+equire breaking changes in clients using the REST API.
+
+To support REST API list view pagination on your site, it is recommended to add
+the following in your Django settings:
+
+.. code-block:: python
+
+    REST_FRAMEWORK = {
+        # ...
+        'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.PageNumberPagination',
+        'PAGE_SIZE': env.int('SODAR_API_PAGE_SIZE', 100),
+    }
+
+REST API View Changes
+---------------------
+
+The following breaking changes have been made into specific REST API endpoints
+in this release:
+
+``ProjectRetrieveAPIView`` (``project/api/retrieve/<uuid:project>``)
+    Add ``full_title`` field to return data. Also affects list view.
+``ProjectSettingRetrieveAPIView`` (``project/api/settings/retrieve/<uuid:project>``)
+    Rename ``app_name`` parameter to ``plugin_name``.
+``ProjectSettingSetAPIView`` (``project/api/settings/set/<uuid:project>``)
+    Rename ``app_name`` parameter to ``plugin_name``.
+``UserSettingRetrieveAPIView`` (``project/api/settings/retrieve/user``)
+    Rename ``app_name`` parameter to ``plugin_name``.
+``UserSettingSetAPIView`` (``project/api/settings/set/user``)
+    Rename ``app_name`` parameter to ``plugin_name``.
+:ref:`Sodarcache REST API <app_sodarcache_api_rest>`
+    The entire sodarcache REST API has been rewritten to conform to our general
+    REST API conventions regarding URLs and return data. See the API
+    documentation and refactor your client code accordingly.
+
+Timeline Models Renamed
+-----------------------
+
+Models in the timeline app have been renamed from ``ProjectEvent*`` to
+``TimelineEvent*``. This is done to better reflect the fact that events are not
+necessarily tied to projects.
+
+If your site only accesses these models through ``TimelineAPI`` and
+``TimelineAPI.get_model()``, which is the strongly recommended way, no changes
+should be required.
+
+AppSettingAPI Plugin Name Arguments Updated
+-------------------------------------------
+
+In ``AppSettingAPI``, all method arguments called ``app_name`` have been renamed
+into ``plugin_name``. This is to remove confusion as the argument does in fact
+refer specifically to a plugin, not the app name itself. If the argument is
+provided as a kwarg, references to it should be renamed.
+
+App Settings "Local" Attribute Deprecated
+-----------------------------------------
+
+The optional ``local`` attribute in app settings definitions has been
+depreacted. You should instead use ``global`` and the inverse value of your
+existing ``local`` settings. Support for ``local`` will be removed in SODAR Core
+v1.1. This is only relevant to sites being deployed as ``SOURCE`` sites.
+
+Plugin API get_object_link() Changes
+------------------------------------
+
+Implementations of ``get_object_link()`` in app plugins are now expected to
+return a ``PluginObjectLink`` object or ``None``. Returning a ``dict`` has been
+deprecated and support for it will be removed in v1.1.
+
+Furthermore, the return data is now expected to return the object name in the
+``name`` attribute, instead of ``label`` in the old implementation.
+
+Plugin API search() Changes
+---------------------------
+
+Similar to ``get_object_link()``, expected return data for ``search()`` has
+changed. Implementations are now expected to return a list of
+``PluginSearchResult`` objects. Returning a ``dict`` has been deprecated and
+support for it will be removed in v1.1.
+
+Note that a dict using the ``category`` variable as a key will still be
+provided for your app's search template. Hence, modifying the template should
+not be required after updating the method.
+
+User Additional Email Changes
+-----------------------------
+
+The ``user_email_additional`` app setting has been removed. Instead, additional
+user email addresses can be accessed via the ``SODARUserAdditionalEmail`` model
+if needed. Using ``email.get_user_addr()`` to retrieve all user email addresses
+is strongly recommended.
+
+Remote Sync User Update Changes
+-------------------------------
+
+UUIDs Updated to Match Source Site
+    User UUIDs on target sites are now correctly created and updated in remote
+    sync to match the UUIDs of similarly named users on the source site. This
+    should only be a breaking change in case you are storing existing user UUIDs
+    outside your site and using them in e.g. REST API queries. Otherwise this
+    change should require no actions.
+Local User Details Updated on Target Site
+    If local users are enabled, local users are updated to match target site
+    users similar to what was before done for LDAP/AD users. Note that creation
+    of local users must still be done manually: they will not be automatically
+    created by remote sync.
+
+Django Settings Changed
+-----------------------
+
+``AUTH_LDAP*_USER_SEARCH_BASE`` Added
+    The user search base values for primary and secondary LDAP servers have been
+    included as directly accessible Django settings. This is require for the
+    ``checkuser`` management command to work. It is recommended to update your
+    site's LDAP settings accordingly.
+``PROJECTROLES_HIDE_APP_LINKS`` Removed
+    The ``PROJECTROLES_HIDE_APP_LINKS`` Django setting, which was deprecated in
+    v0.13, has been removed. Use ``PROJECTROLES_HIDE_PROJECT_APPS`` instead.
+
+SAML Authentication Support Removed
+-----------------------------------
+
+SAML support has been removed and replaced with the possibility to set up OpenID
+Connect (OIDC) authentication. The library previously used for SAML in SODAR
+Core is incompatible with Django v4.x. We are unaware of SODAR Core based
+projects requiring SAML at this time. If there are specific needs to use SAML on
+a SODAR Core based site, we are happy to review pull requests to reintroduce it.
+Please note the implementation has to support Django v4.2+.
+
+OpenID Connect (OIDC) Authentication Support Added
+--------------------------------------------------
+
+This version adds OIDC support using the ``social_django`` app. In order to
+provide OIDC authentication access to your users, you need to add the app and
+its URLs to your site config along with appropriate Django settings. See
+:ref:`OIDC settings documentation <app_projectroles_settings_oidc>` for
+instructions on how to to configure OIDC on your site.
+
+Login Template Updated
+----------------------
+
+The default login template ``login.html`` has been updated by adding OpenID
+Connect (OIDC) controls and removing SAML controls. If you have overridden the
+login template with your own and wish to use OIDC authentication, make sure to
+update your template accordingly.
+
+Base Test Classes Renamed
+-------------------------
+
+A number of base test classes in the :ref:`Projectroles app <app_projectroles>`
+have been renamed for consistency. If you use these base classes in your site's
+tests, you will have to rename them accordingly. The changes are as follows:
+
+- ``projectroles.tests.test_permissions``
+    * ``TestPermissionBase`` -> ``PermissionTestBase``
+    * ``TestPermissionMixin`` -> ``PermissionTestMixin``
+    * ``TestProjectPermissionBase`` -> ``ProjectPermissionTestBase``
+    * ``TestSiteAppPermissionBase`` -> ``SiteAppPermissionTestBase``
+- ``projectroles.tests.test_permissions_api``
+    * ``TestProjectAPIPermissionBase`` -> ``ProjectAPIPermissionTestBase``
+- ``projectroles.tests.test_templatetags``
+    * ``TestTemplateTagsBase`` -> ``TemplateTagTestBase``
+- ``projectroles.tests.test_ui``
+    * ``TestUIBase`` -> ``UITestBase``
+- ``projectroles.tests.test_views``
+    * ``TestViewsBase`` -> ``ViewTestBase``
+- ``projectroles.tests.test_views_api``
+    * ``TestAPIViewsBase`` -> ``APIViewTestBase``
+
+
 v0.13.4 (2024-02-16)
 ********************
 
diff --git a/docs/source/overview.rst b/docs/source/overview.rst
index 29759cfe..ed321944 100644
--- a/docs/source/overview.rst
+++ b/docs/source/overview.rst
@@ -53,8 +53,8 @@ develop a user friendly system for accessing, browsing and/or manipulating
 research data. The data may belong to several different projects, with different
 research groups or scientists working on it. This data may be confidential in
 nature, so access control is required, preferably using the organization's
-existing LDAP/AD servers. The organization wants to provide a web-based GUI as
-well as programmatic API views.
+existing LDAP/AD servers or single sign-on logins via OpenID Connect (OIDC). The
+organization wants to provide a web-based GUI as well as programmatic API views.
 
 Site Setup
 ----------
@@ -99,13 +99,14 @@ Using the Site
 --------------
 
 The researchers will log in to the site on their web browser, in most cases
-using the standard LDAP credentials provided by their organization. They will
-see the projects they have been granted access to and can use whichever
-applications have been enabled or developed for the site, according to their
-assigned user rights. SODAR Core provides common navigation, overview and search
-views for all enabled apps, including the one(s) developed by the organization.
-The same user access management features are shared for all apps, along with
-possible REST APIs developed by the organization.
+using the standard LDAP credentials provided by their organization or a single
+sign-on OIDC account. They will see the projects they have been granted access
+to and can use whichever applications have been enabled or developed for the
+site, according to their assigned user rights. SODAR Core provides common
+navigation, overview and search views for all enabled apps, including the one(s)
+developed by the organization. The same user access management features are
+shared for all apps, along with possible REST APIs developed by the
+organization.
 
 
 Next Steps
diff --git a/env.example b/env.example
index 0af13c25..815fcd4f 100644
--- a/env.example
+++ b/env.example
@@ -21,9 +21,6 @@ EMAIL_SUBJECT_PREFIX=[SODAR Core Dev]
 # LDAP settings
 ENABLE_LDAP=0
 
-# SAML settings
-ENABLE_SAML=0
-
 # Projectroles settings
 PROJECTROLES_ENABLE_PROFILING=True
 PROJECTROLES_SITE_MODE=SOURCE
diff --git a/example_project_app/plugins.py b/example_project_app/plugins.py
index 749a6608..d6b7a4c4 100644
--- a/example_project_app/plugins.py
+++ b/example_project_app/plugins.py
@@ -103,7 +103,7 @@ class ProjectAppPlugin(ProjectModifyPluginMixin, ProjectAppPluginPoint):
             'default': False,
             'description': 'Example global boolean project setting',
             'user_modifiable': True,
-            'local': False,
+            'global': True,
         },
         'project_json_setting': {
             'scope': SODAR_CONSTANTS['APP_SETTING_SCOPE_PROJECT'],
@@ -272,7 +272,7 @@ class ProjectAppPlugin(ProjectModifyPluginMixin, ProjectAppPluginPoint):
             'options': get_example_setting_options,
             'description': 'Example callable project user setting with options',
         },
-        'project_category_bool_setting': {
+        'category_bool_setting': {
             'scope': SODAR_CONSTANTS['APP_SETTING_SCOPE_PROJECT'],
             'type': 'BOOLEAN',
             'label': 'Category boolean setting',
diff --git a/example_project_app/tests/test_permissions.py b/example_project_app/tests/test_permissions.py
index 34eedc21..ad6908b1 100644
--- a/example_project_app/tests/test_permissions.py
+++ b/example_project_app/tests/test_permissions.py
@@ -4,14 +4,14 @@
 from django.urls import reverse
 
 # Projectroles dependency
-from projectroles.tests.test_permissions import TestProjectPermissionBase
+from projectroles.tests.test_permissions import ProjectPermissionTestBase
 from projectroles.tests.test_models import AppSettingMixin
 
 # Filesfolders dependency
 from filesfolders.tests.test_models import FolderMixin
 
 
-class TestExampleView(FolderMixin, AppSettingMixin, TestProjectPermissionBase):
+class TestExampleView(FolderMixin, AppSettingMixin, ProjectPermissionTestBase):
     """Permission tests for ExampleView"""
 
     def test_get(self):
diff --git a/example_project_app/tests/test_views.py b/example_project_app/tests/test_views.py
index 1d5eafba..126e690b 100644
--- a/example_project_app/tests/test_views.py
+++ b/example_project_app/tests/test_views.py
@@ -5,7 +5,7 @@
 # Projectroles dependency
 from projectroles.models import SODAR_CONSTANTS
 from projectroles.tests.test_models import ProjectMixin, RoleAssignmentMixin
-from projectroles.tests.test_views import TestViewsBase
+from projectroles.tests.test_views import ViewTestBase
 
 # Filesfolders dependency
 from filesfolders.tests.test_models import FolderMixin
@@ -16,7 +16,7 @@
 
 
 class TestExampleView(
-    FolderMixin, ProjectMixin, RoleAssignmentMixin, TestViewsBase
+    FolderMixin, ProjectMixin, RoleAssignmentMixin, ViewTestBase
 ):
     """Tests for the example view"""
 
diff --git a/example_project_app/urls.py b/example_project_app/urls.py
index 3f3e6d8c..e6778d01 100644
--- a/example_project_app/urls.py
+++ b/example_project_app/urls.py
@@ -1,5 +1,4 @@
-from django.conf.urls import url
-from django.urls import path
+from django.urls import path, re_path
 
 from example_project_app import views, views_api
 
@@ -10,14 +9,14 @@
 # NOTE: If referring to a model from another app, notation is "app__model"
 
 urls = [
-    url(
-        regex=r'^(?P<project>[0-9a-f-]+)$',
+    re_path(
+        r'^(?P<project>[0-9a-f-]+)$',
         view=views.ExampleView.as_view(),
         name='example',
     ),
     # Example view with model from an external app
-    url(
-        regex=r'^ext/(?P<filesfolders__folder>[0-9a-f-]+)$',
+    re_path(
+        r'^ext/(?P<filesfolders__folder>[0-9a-f-]+)$',
         view=views.ExampleView.as_view(),
         name='example_ext_model',
     ),
@@ -36,8 +35,8 @@
 ]
 
 urls_api = [
-    url(
-        regex=r'^api/hello/(?P<project>[0-9a-f-]+)$',
+    re_path(
+        r'^api/hello/(?P<project>[0-9a-f-]+)$',
         view=views_api.HelloExampleProjectAPIView.as_view(),
         name='example_api_hello',
     )
diff --git a/example_project_app/views_api.py b/example_project_app/views_api.py
index 8a90be0c..0f660b24 100644
--- a/example_project_app/views_api.py
+++ b/example_project_app/views_api.py
@@ -1,16 +1,40 @@
 """Example REST API views for SODAR Core"""
 
 from rest_framework import status
+from rest_framework.renderers import JSONRenderer
 from rest_framework.response import Response
+from rest_framework.versioning import AcceptHeaderVersioning
 from rest_framework.views import APIView
 
 # Projectroles dependency
-from projectroles.views_api import (
-    SODARAPIGenericProjectMixin,
-)
+from projectroles.views_api import SODARAPIGenericProjectMixin
 
 
-class HelloExampleProjectAPIView(SODARAPIGenericProjectMixin, APIView):
+EXAMPLE_API_MEDIA_TYPE = 'application/vnd.bihealth.sodar-core.example+json'
+EXAMPLE_API_DEFAULT_VERSION = '1.0'
+EXAMPLE_API_ALLOWED_VERSIONS = ['1.0']
+
+
+class ExampleAPIVersioningMixin:
+    """
+    Example API view versioning mixin for overriding media type and accepted
+    versions.
+    """
+
+    class ExampleAPIRenderer(JSONRenderer):
+        media_type = EXAMPLE_API_MEDIA_TYPE
+
+    class ExampleAPIVersioning(AcceptHeaderVersioning):
+        allowed_versions = EXAMPLE_API_DEFAULT_VERSION
+        default_version = EXAMPLE_API_ALLOWED_VERSIONS
+
+    renderer_classes = [ExampleAPIRenderer]
+    versioning_class = ExampleAPIVersioning
+
+
+class HelloExampleProjectAPIView(
+    ExampleAPIVersioningMixin, SODARAPIGenericProjectMixin, APIView
+):
     """
     Example API view with a project scope.
 
diff --git a/example_site/templates/include/_login_extend.html b/example_site/templates/include/_login_extend.html
index c79ddf82..1f696551 100644
--- a/example_site/templates/include/_login_extend.html
+++ b/example_site/templates/include/_login_extend.html
@@ -1,5 +1,5 @@
 {# Place extended login view content into this template #}
-<div class="col-md-4 mx-auto mt-5">
+<div class="col-md-4 mx-auto mt-4">
   <div class="alert alert-info">
     Extended login view content goes here. Add the template
     <code>include/_login_extend.html</code> to define extended content on your
diff --git a/example_site/templates/include/_login_oidc.html b/example_site/templates/include/_login_oidc.html
new file mode 100644
index 00000000..e2bb3b2c
--- /dev/null
+++ b/example_site/templates/include/_login_oidc.html
@@ -0,0 +1,7 @@
+{# Place custom OpenIDC login link and/or info into this template #}
+
+<a role="button" class="btn btn-md btn-success btn-block"
+   id="sodar-login-oidc-link"
+   href="{% url 'social:begin' 'oidc' %}?next={{ oidc_redirect_url|default:'/' }}">
+  <i class="iconify" data-icon="mdi:login-variant"></i> OpenID Connect Login
+</a>
diff --git a/filesfolders/migrations/0001_squashed_0005_alter_foreignkey_fields.py b/filesfolders/migrations/0001_squashed_0005_alter_foreignkey_fields.py
new file mode 100644
index 00000000..b637a15c
--- /dev/null
+++ b/filesfolders/migrations/0001_squashed_0005_alter_foreignkey_fields.py
@@ -0,0 +1,328 @@
+# Generated by Django 4.2.14 on 2024-07-16 09:26
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    replaces = [
+        ('filesfolders', '0001_initial'),
+        ('filesfolders', '0002_auto_20180411_1758'),
+        ('filesfolders', '0003_rename_uuid'),
+        ('filesfolders', '0004_update_uuid'),
+        ('filesfolders', '0005_alter_foreignkey_fields'),
+    ]
+
+    initial = True
+
+    dependencies = [
+        ('projectroles', '0028_populate_finder_role'),
+        ('projectroles', '0001_initial'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='FileData',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                ('bytes', models.TextField()),
+                ('file_name', models.CharField(max_length=255)),
+                ('content_type', models.CharField(max_length=255)),
+            ],
+        ),
+        migrations.CreateModel(
+            name='Folder',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                (
+                    'name',
+                    models.CharField(help_text='Name for the object', max_length=255),
+                ),
+                (
+                    'date_modified',
+                    models.DateTimeField(
+                        auto_now=True, help_text='DateTime of last modification'
+                    ),
+                ),
+                (
+                    'flag',
+                    models.CharField(
+                        blank=True,
+                        choices=[
+                            ('FLAG', 'Flagged'),
+                            ('FLAG_HEART', 'Flagged (Heart)'),
+                            ('IMPORTANT', 'Important'),
+                            ('REVOKED', 'Revoked'),
+                            ('SUPERSEDED', 'Superseded'),
+                        ],
+                        help_text='Flag for highlighting the item (optional)',
+                        max_length=64,
+                        null=True,
+                    ),
+                ),
+                (
+                    'description',
+                    models.CharField(
+                        blank=True, help_text='Description (optional)', max_length=255
+                    ),
+                ),
+                (
+                    'sodar_uuid',
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        help_text='Filesfolders SODAR UUID',
+                        unique=True,
+                    ),
+                ),
+                (
+                    'folder',
+                    models.ForeignKey(
+                        blank=True,
+                        help_text='Folder under which object exists (null if root folder)',
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='%(app_label)s_%(class)s_children',
+                        to='filesfolders.folder',
+                    ),
+                ),
+                (
+                    'owner',
+                    models.ForeignKey(
+                        help_text='User who owns the object',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+                (
+                    'project',
+                    models.ForeignKey(
+                        help_text='Project in which the object belongs',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='%(app_label)s_%(class)s_objects',
+                        to='projectroles.project',
+                    ),
+                ),
+            ],
+            options={
+                'ordering': ['project', 'name'],
+                'unique_together': {('project', 'folder', 'name')},
+            },
+        ),
+        migrations.CreateModel(
+            name='File',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                (
+                    'name',
+                    models.CharField(help_text='Name for the object', max_length=255),
+                ),
+                (
+                    'date_modified',
+                    models.DateTimeField(
+                        auto_now=True, help_text='DateTime of last modification'
+                    ),
+                ),
+                (
+                    'flag',
+                    models.CharField(
+                        blank=True,
+                        choices=[
+                            ('FLAG', 'Flagged'),
+                            ('FLAG_HEART', 'Flagged (Heart)'),
+                            ('IMPORTANT', 'Important'),
+                            ('REVOKED', 'Revoked'),
+                            ('SUPERSEDED', 'Superseded'),
+                        ],
+                        help_text='Flag for highlighting the item (optional)',
+                        max_length=64,
+                        null=True,
+                    ),
+                ),
+                (
+                    'description',
+                    models.CharField(
+                        blank=True, help_text='Description (optional)', max_length=255
+                    ),
+                ),
+                (
+                    'sodar_uuid',
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        help_text='Filesfolders SODAR UUID',
+                        unique=True,
+                    ),
+                ),
+                (
+                    'file',
+                    models.FileField(
+                        blank=True,
+                        help_text='Uploaded file',
+                        null=True,
+                        upload_to='filesfolders.FileData/bytes/file_name/content_type',
+                    ),
+                ),
+                (
+                    'public_url',
+                    models.BooleanField(
+                        default=False,
+                        help_text='Allow providing a public URL for the file',
+                    ),
+                ),
+                (
+                    'secret',
+                    models.CharField(
+                        help_text='Secret string for creating public URL',
+                        max_length=255,
+                        unique=True,
+                    ),
+                ),
+                (
+                    'folder',
+                    models.ForeignKey(
+                        blank=True,
+                        help_text='Folder under which object exists (null if root folder)',
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='%(app_label)s_%(class)s_children',
+                        to='filesfolders.folder',
+                    ),
+                ),
+                (
+                    'owner',
+                    models.ForeignKey(
+                        help_text='User who owns the object',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+                (
+                    'project',
+                    models.ForeignKey(
+                        help_text='Project in which the object belongs',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='%(app_label)s_%(class)s_objects',
+                        to='projectroles.project',
+                    ),
+                ),
+            ],
+            options={
+                'ordering': ['folder', 'name'],
+                'unique_together': {('project', 'folder', 'name')},
+            },
+        ),
+        migrations.CreateModel(
+            name='HyperLink',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                (
+                    'name',
+                    models.CharField(help_text='Name for the object', max_length=255),
+                ),
+                (
+                    'date_modified',
+                    models.DateTimeField(
+                        auto_now=True, help_text='DateTime of last modification'
+                    ),
+                ),
+                (
+                    'flag',
+                    models.CharField(
+                        blank=True,
+                        choices=[
+                            ('FLAG', 'Flagged'),
+                            ('FLAG_HEART', 'Flagged (Heart)'),
+                            ('IMPORTANT', 'Important'),
+                            ('REVOKED', 'Revoked'),
+                            ('SUPERSEDED', 'Superseded'),
+                        ],
+                        help_text='Flag for highlighting the item (optional)',
+                        max_length=64,
+                        null=True,
+                    ),
+                ),
+                (
+                    'description',
+                    models.CharField(
+                        blank=True, help_text='Description (optional)', max_length=255
+                    ),
+                ),
+                (
+                    'sodar_uuid',
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        help_text='Filesfolders SODAR UUID',
+                        unique=True,
+                    ),
+                ),
+                ('url', models.URLField(help_text='URL for the link', max_length=2000)),
+                (
+                    'folder',
+                    models.ForeignKey(
+                        blank=True,
+                        help_text='Folder under which object exists (null if root folder)',
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='%(app_label)s_%(class)s_children',
+                        to='filesfolders.folder',
+                    ),
+                ),
+                (
+                    'owner',
+                    models.ForeignKey(
+                        help_text='User who owns the object',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+                (
+                    'project',
+                    models.ForeignKey(
+                        help_text='Project in which the object belongs',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='%(app_label)s_%(class)s_objects',
+                        to='projectroles.project',
+                    ),
+                ),
+            ],
+            options={
+                'ordering': ['folder', 'name'],
+                'unique_together': {('project', 'folder', 'name')},
+            },
+        ),
+    ]
diff --git a/filesfolders/migrations/0005_alter_foreignkey_fields.py b/filesfolders/migrations/0005_alter_foreignkey_fields.py
new file mode 100644
index 00000000..42df5aaf
--- /dev/null
+++ b/filesfolders/migrations/0005_alter_foreignkey_fields.py
@@ -0,0 +1,81 @@
+# Generated by Django 4.2.11 on 2024-03-21 12:29
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("projectroles", "0028_populate_finder_role"),
+        ("filesfolders", "0004_update_uuid"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="file",
+            name="folder",
+            field=models.ForeignKey(
+                blank=True,
+                help_text="Folder under which object exists (null if root folder)",
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name="%(app_label)s_%(class)s_children",
+                to="filesfolders.folder",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="file",
+            name="project",
+            field=models.ForeignKey(
+                help_text="Project in which the object belongs",
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name="%(app_label)s_%(class)s_objects",
+                to="projectroles.project",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="folder",
+            name="folder",
+            field=models.ForeignKey(
+                blank=True,
+                help_text="Folder under which object exists (null if root folder)",
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name="%(app_label)s_%(class)s_children",
+                to="filesfolders.folder",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="folder",
+            name="project",
+            field=models.ForeignKey(
+                help_text="Project in which the object belongs",
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name="%(app_label)s_%(class)s_objects",
+                to="projectroles.project",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="hyperlink",
+            name="folder",
+            field=models.ForeignKey(
+                blank=True,
+                help_text="Folder under which object exists (null if root folder)",
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name="%(app_label)s_%(class)s_children",
+                to="filesfolders.folder",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="hyperlink",
+            name="project",
+            field=models.ForeignKey(
+                help_text="Project in which the object belongs",
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name="%(app_label)s_%(class)s_objects",
+                to="projectroles.project",
+            ),
+        ),
+    ]
diff --git a/filesfolders/plugins.py b/filesfolders/plugins.py
index 26167e08..2398e9f4 100644
--- a/filesfolders/plugins.py
+++ b/filesfolders/plugins.py
@@ -3,7 +3,11 @@
 
 # Projectroles dependency
 from projectroles.models import SODAR_CONSTANTS
-from projectroles.plugins import ProjectAppPluginPoint
+from projectroles.plugins import (
+    ProjectAppPluginPoint,
+    PluginObjectLink,
+    PluginSearchResult,
+)
 
 from filesfolders.models import File, Folder, HyperLink
 from filesfolders.urls import urlpatterns
@@ -106,34 +110,34 @@ class ProjectAppPlugin(ProjectAppPluginPoint):
 
     def get_object_link(self, model_str, uuid):
         """
-        Return the URL for referring to a object used by the app, along with a
-        label to be shown to the user for linking.
+        Return URL referring to an object used by the app, along with a name to
+        be shown to the user for linking.
 
         :param model_str: Object class (string)
         :param uuid: sodar_uuid of the referred object
-        :return: Dict or None if not found
+        :return: PluginObjectLink or None if not found
         """
         obj = self.get_object(eval(model_str), uuid)
         if not obj:
             return None
         elif obj.__class__ == File:
-            return {
-                'url': reverse(
+            return PluginObjectLink(
+                url=reverse(
                     'filesfolders:file_serve',
                     kwargs={'file': obj.sodar_uuid, 'file_name': obj.name},
                 ),
-                'label': obj.name,
-                'blank': True,
-            }
+                name=obj.name,
+                blank=True,
+            )
         elif obj.__class__ == Folder:
-            return {
-                'url': reverse(
+            return PluginObjectLink(
+                url=reverse(
                     'filesfolders:list', kwargs={'folder': obj.sodar_uuid}
                 ),
-                'label': obj.name,
-            }
+                name=obj.name,
+            )
         elif obj.__class__ == HyperLink:
-            return {'url': obj.url, 'label': obj.name, 'blank': True}
+            return PluginObjectLink(url=obj.url, name=obj.name, blank=True)
         return None
 
     def search(self, search_terms, user, search_type=None, keywords=None):
@@ -146,10 +150,9 @@ def search(self, search_terms, user, search_type=None, keywords=None):
         :param user: User object for user initiating the search
         :param search_type: String
         :param keywords: List (optional)
-        :return: Dict
+        :return: List of PluginSearchResult objects
         """
         items = []
-
         if not search_type:
             files = File.objects.find(search_terms, keywords)
             folders = Folder.objects.find(search_terms, keywords)
@@ -164,21 +167,19 @@ def search(self, search_terms, user, search_type=None, keywords=None):
             items = HyperLink.objects.find(search_terms, keywords).order_by(
                 'name'
             )
-
         if items:
             items = [
                 x
                 for x in items
                 if user.has_perm('filesfolders.view_data', x.project)
             ]
-
-        return {
-            'all': {
-                'title': 'Files, Folders and Links',
-                'search_types': ['file', 'folder', 'link'],
-                'items': items,
-            }
-        }
+        ret = PluginSearchResult(
+            category='all',
+            title='Files, Folders and Links',
+            search_types=['file', 'folder', 'link'],
+            items=items,
+        )
+        return [ret]
 
     def get_statistics(self):
         return {
diff --git a/filesfolders/templates/filesfolders/_search_results.html b/filesfolders/templates/filesfolders/_search_results.html
index 7da53da0..6c06ddd0 100644
--- a/filesfolders/templates/filesfolders/_search_results.html
+++ b/filesfolders/templates/filesfolders/_search_results.html
@@ -47,8 +47,8 @@
 
 {% if search_results.all.items|length > 0 %}
   {% include 'projectroles/_search_header.html' with search_title=search_results.all.title result_count=search_results.all.items|length %}
-
-  <table class="table table-striped sodar-card-table sodar-search-table" id="sodar-ff-search-table">
+  <table class="table table-striped sodar-card-table sodar-search-table"
+         id="sodar-ff-search-table">
     <thead>
       <tr>
         <th>Name</th>
@@ -66,6 +66,5 @@
       {% endfor %}
     </tbody>
   </table>
-
   {% include 'projectroles/_search_footer.html' %}
 {% endif %}
diff --git a/filesfolders/tests/test_models.py b/filesfolders/tests/test_models.py
index 84f32a4a..b644172d 100644
--- a/filesfolders/tests/test_models.py
+++ b/filesfolders/tests/test_models.py
@@ -102,7 +102,7 @@ def make_hyperlink(
 
 
 class TestFolder(FolderMixin, ProjectMixin, HyperLinkMixin, TestCase):
-    """Tests for model.Folder"""
+    """Tests for Folder"""
 
     def setUp(self):
         # Make owner user
@@ -234,7 +234,7 @@ def test_has_in_path_false(self):
 
 
 class TestFile(FileMixin, FolderMixin, ProjectMixin, TestCase):
-    """Tests for model.File"""
+    """Tests for File"""
 
     def setUp(self):
         # Make owner user
@@ -332,7 +332,7 @@ def test_file_deletion(self):
 class TestHyperLink(
     FileMixin, FolderMixin, ProjectMixin, HyperLinkMixin, TestCase
 ):
-    """Tests for model.File"""
+    """Tests for HyperLink"""
 
     def setUp(self):
         # Make owner user
diff --git a/filesfolders/tests/test_permissions.py b/filesfolders/tests/test_permissions.py
index 7da5cc5f..cabb47ed 100644
--- a/filesfolders/tests/test_permissions.py
+++ b/filesfolders/tests/test_permissions.py
@@ -6,7 +6,7 @@
 # Projectroles dependency
 from projectroles.app_settings import AppSettingAPI
 from projectroles.models import SODAR_CONSTANTS
-from projectroles.tests.test_permissions import TestProjectPermissionBase
+from projectroles.tests.test_permissions import ProjectPermissionTestBase
 
 from filesfolders.tests.test_models import (
     FileMixin,
@@ -78,7 +78,7 @@ def make_test_link(self):
 
 
 class TestProjectFileViewPermissions(
-    FilesfoldersPermissionTestMixin, TestProjectPermissionBase
+    FilesfoldersPermissionTestMixin, ProjectPermissionTestBase
 ):
     """Tests for ProjectFileView permissions"""
 
@@ -138,7 +138,7 @@ def test_get_archive(self):
 
 
 class TestFolderCreateView(
-    FilesfoldersPermissionTestMixin, TestProjectPermissionBase
+    FilesfoldersPermissionTestMixin, ProjectPermissionTestBase
 ):
     """Tests for FolderCreateView view permissions"""
 
@@ -224,7 +224,7 @@ def test_get_category(self):
 
 
 class TestFolderUpdateView(
-    FilesfoldersPermissionTestMixin, TestProjectPermissionBase
+    FilesfoldersPermissionTestMixin, ProjectPermissionTestBase
 ):
     """Tests for FolderUpdateView permissions"""
 
@@ -289,7 +289,7 @@ def test_get_archive(self):
 
 
 class TestFolderDeleteView(
-    FilesfoldersPermissionTestMixin, TestProjectPermissionBase
+    FilesfoldersPermissionTestMixin, ProjectPermissionTestBase
 ):
     """Tests for FolderDeleteView permissions"""
 
@@ -354,9 +354,9 @@ def test_get_archive(self):
 
 
 class TestFileCreateView(
-    FilesfoldersPermissionTestMixin, TestProjectPermissionBase
+    FilesfoldersPermissionTestMixin, ProjectPermissionTestBase
 ):
-    """Tests FileCreateView permissions"""
+    """Tests for FileCreateView permissions"""
 
     def setUp(self):
         super().setUp()
@@ -440,7 +440,7 @@ def test_get_category(self):
 
 
 class TestFileUpdateView(
-    FilesfoldersPermissionTestMixin, TestProjectPermissionBase
+    FilesfoldersPermissionTestMixin, ProjectPermissionTestBase
 ):
     """Tests for FileUpdateView permissions"""
 
@@ -504,7 +504,7 @@ def test_get_archive(self):
 
 
 class TestFileDeleteView(
-    FilesfoldersPermissionTestMixin, TestProjectPermissionBase
+    FilesfoldersPermissionTestMixin, ProjectPermissionTestBase
 ):
     """Tests for FileDeleteView permissions"""
 
@@ -568,7 +568,7 @@ def test_get_archive(self):
 
 
 class TestFilePublicLinkView(
-    FilesfoldersPermissionTestMixin, TestProjectPermissionBase
+    FilesfoldersPermissionTestMixin, ProjectPermissionTestBase
 ):
     """Tests for FilePublicLinkView permissions"""
 
@@ -635,7 +635,7 @@ def test_get_archive(self):
 
 
 class TestFileServeView(
-    FilesfoldersPermissionTestMixin, TestProjectPermissionBase
+    FilesfoldersPermissionTestMixin, ProjectPermissionTestBase
 ):
     """Tests for FileServeView permissions"""
 
@@ -696,7 +696,7 @@ def test_get_archive(self):
 
 
 class TestFileServePublicView(
-    FilesfoldersPermissionTestMixin, TestProjectPermissionBase
+    FilesfoldersPermissionTestMixin, ProjectPermissionTestBase
 ):
     """Tests for FileServePublicView permissions"""
 
@@ -782,7 +782,7 @@ def test_get_disabled(self):
 
 
 class TestHyperLinkCreateView(
-    FilesfoldersPermissionTestMixin, TestProjectPermissionBase
+    FilesfoldersPermissionTestMixin, ProjectPermissionTestBase
 ):
     """Tests for HyperLinkCreateView permissions"""
 
@@ -868,7 +868,7 @@ def test_get_category(self):
 
 
 class TestHyperLinkUpdateView(
-    FilesfoldersPermissionTestMixin, TestProjectPermissionBase
+    FilesfoldersPermissionTestMixin, ProjectPermissionTestBase
 ):
     """Tests for HyperLinkUpdateView permissions"""
 
@@ -933,7 +933,7 @@ def test_get_archive(self):
 
 
 class TestHyperLinkDeleteView(
-    FilesfoldersPermissionTestMixin, TestProjectPermissionBase
+    FilesfoldersPermissionTestMixin, ProjectPermissionTestBase
 ):
     """Tests for HyperLinkDeleteView permissions"""
 
@@ -998,7 +998,7 @@ def test_get_archive(self):
 
 
 class TestBatchEditView(
-    FilesfoldersPermissionTestMixin, TestProjectPermissionBase
+    FilesfoldersPermissionTestMixin, ProjectPermissionTestBase
 ):
     """Tests for BatchEditView permissions"""
 
diff --git a/filesfolders/tests/test_permissions_api.py b/filesfolders/tests/test_permissions_api.py
index 0e902bd7..5d0f4098 100644
--- a/filesfolders/tests/test_permissions_api.py
+++ b/filesfolders/tests/test_permissions_api.py
@@ -7,13 +7,14 @@
 from django.urls import reverse
 
 # Projectroles dependency
-from projectroles.tests.test_permissions_api import (
-    TestCoreProjectAPIPermissionBase,
-)
+from projectroles.tests.test_permissions_api import ProjectAPIPermissionTestBase
 
 from filesfolders.models import File, HyperLink
-
 from filesfolders.tests.test_permissions import FilesfoldersPermissionTestMixin
+from filesfolders.views_api import (
+    FILESFOLDERS_API_MEDIA_TYPE,
+    FILESFOLDERS_API_DEFAULT_VERSION,
+)
 
 
 # Local constants
@@ -23,10 +24,17 @@
 OBJ_UUID = uuid.uuid4()
 
 
-class TestFolderListCreateAPIView(
-    FilesfoldersPermissionTestMixin, TestCoreProjectAPIPermissionBase
+class FilesfoldersAPIPermissionTestBase(
+    FilesfoldersPermissionTestMixin, ProjectAPIPermissionTestBase
 ):
-    """Tests FolderListCreateAPIView permissions"""
+    """Base class for filesfolders REST API view permission tests"""
+
+    media_type = FILESFOLDERS_API_MEDIA_TYPE
+    api_version = FILESFOLDERS_API_DEFAULT_VERSION
+
+
+class TestFolderListCreateAPIView(FilesfoldersAPIPermissionTestBase):
+    """Tests for FolderListCreateAPIView permissions"""
 
     def setUp(self):
         super().setUp()
@@ -183,10 +191,8 @@ def test_post_archive(self):
         )
 
 
-class TestFolderRetrieveUpdateDestroyAPIView(
-    FilesfoldersPermissionTestMixin, TestCoreProjectAPIPermissionBase
-):
-    """Tests FolderRetrieveUpdateDestroyAPIView permissions"""
+class TestFolderRetrieveUpdateDestroyAPIView(FilesfoldersAPIPermissionTestBase):
+    """Tests for FolderRetrieveUpdateDestroyAPIView permissions"""
 
     def _make_folder(self):
         folder = self.make_test_folder()
@@ -494,10 +500,8 @@ def test_delete_archive(self):
         )
 
 
-class TestFileListCreateAPIView(
-    FilesfoldersPermissionTestMixin, TestCoreProjectAPIPermissionBase
-):
-    """Tests FileListCreateAPIView permissions"""
+class TestFileListCreateAPIView(FilesfoldersAPIPermissionTestBase):
+    """Tests for FileListCreateAPIView permissions"""
 
     def _make_post_data(self):
         self.post_data = {
@@ -724,10 +728,8 @@ def test_post_archive(self):
         )
 
 
-class TestFileRetrieveUpdateDestroyAPIView(
-    FilesfoldersPermissionTestMixin, TestCoreProjectAPIPermissionBase
-):
-    """Tests FileRetrieveUpdateDestroyAPIView permissions"""
+class TestFileRetrieveUpdateDestroyAPIView(FilesfoldersAPIPermissionTestBase):
+    """Tests for FileRetrieveUpdateDestroyAPIView permissions"""
 
     def _make_file(self):
         file = self.make_test_file()
@@ -1142,10 +1144,8 @@ def test_delete_archive(self):
         )
 
 
-class TestFileServeAPIView(
-    FilesfoldersPermissionTestMixin, TestCoreProjectAPIPermissionBase
-):
-    """Tests FileServeAPIView permissions"""
+class TestFileServeAPIView(FilesfoldersAPIPermissionTestBase):
+    """Tests for FileServeAPIView permissions"""
 
     def setUp(self):
         super().setUp()
@@ -1204,10 +1204,8 @@ def test_get_archive(self):
         self.assert_response_api(self.url, self.user_no_roles, 200)
 
 
-class TestHyperLinkListCreateAPIView(
-    FilesfoldersPermissionTestMixin, TestCoreProjectAPIPermissionBase
-):
-    """Tests HyperLinkListCreateAPIView permissions"""
+class TestHyperLinkListCreateAPIView(FilesfoldersAPIPermissionTestBase):
+    """Tests for HyperLinkListCreateAPIView permissions"""
 
     @classmethod
     def _cleanup(cls):
@@ -1383,9 +1381,9 @@ def test_post_archive(self):
 
 
 class TestHyperLinkRetrieveUpdateDestroyAPIView(
-    FilesfoldersPermissionTestMixin, TestCoreProjectAPIPermissionBase
+    FilesfoldersAPIPermissionTestBase
 ):
-    """Tests HyperLinkRetrieveUpdateDestroyAPIView permissions"""
+    """Tests for HyperLinkRetrieveUpdateDestroyAPIView permissions"""
 
     def _make_link(self):
         link = self.make_test_link()
diff --git a/filesfolders/tests/test_plugins.py b/filesfolders/tests/test_plugins.py
index 81f93c73..a727d7b1 100644
--- a/filesfolders/tests/test_plugins.py
+++ b/filesfolders/tests/test_plugins.py
@@ -3,11 +3,12 @@
 import uuid
 
 from django.urls import reverse
+
 from test_plus.test import TestCase
 
 # Projectroles dependency
 from projectroles.models import SODAR_CONSTANTS
-from projectroles.plugins import ProjectAppPluginPoint
+from projectroles.plugins import ProjectAppPluginPoint, PluginObjectLink
 from projectroles.tests.test_models import (
     ProjectMixin,
     RoleMixin,
@@ -47,7 +48,7 @@ class TestPlugins(
     RoleAssignmentMixin,
     TestCase,
 ):
-    """Test filesfolders plugin"""
+    """Tests for filesfolders project plugin"""
 
     def setUp(self):
         # Init superuser
@@ -118,9 +119,10 @@ def test_get_object_link_file(self):
             kwargs={'file': self.file.sodar_uuid, 'file_name': self.file.name},
         )
         ret = plugin.get_object_link('File', self.file.sodar_uuid)
-        self.assertEqual(ret['url'], url)
-        self.assertEqual(ret['label'], self.file.name)
-        self.assertEqual(ret['blank'], True)
+        self.assertIsInstance(ret, PluginObjectLink)
+        self.assertEqual(ret.url, url)
+        self.assertEqual(ret.name, self.file.name)
+        self.assertEqual(ret.blank, True)
 
     def test_get_object_link_folder(self):
         """Test get_object_link() for a Folder object"""
@@ -129,16 +131,17 @@ def test_get_object_link_folder(self):
             'filesfolders:list', kwargs={'folder': self.folder.sodar_uuid}
         )
         ret = plugin.get_object_link('Folder', self.folder.sodar_uuid)
-        self.assertEqual(ret['url'], url)
-        self.assertEqual(ret['label'], self.folder.name)
+        self.assertEqual(ret.url, url)
+        self.assertEqual(ret.name, self.folder.name)
+        self.assertEqual(ret.blank, False)
 
     def test_get_object_link_hyperlink(self):
         """Test get_object_link() for a HyperLink object"""
         plugin = ProjectAppPluginPoint.get_plugin(PLUGIN_NAME)
         ret = plugin.get_object_link('HyperLink', self.hyperlink.sodar_uuid)
-        self.assertEqual(ret['url'], self.hyperlink.url)
-        self.assertEqual(ret['label'], self.hyperlink.name)
-        self.assertEqual(ret['blank'], True)
+        self.assertEqual(ret.url, self.hyperlink.url)
+        self.assertEqual(ret.name, self.hyperlink.name)
+        self.assertEqual(ret.blank, True)
 
     def test_get_object_link_fail(self):
         """Test get_object_link() with a non-existent object"""
diff --git a/filesfolders/tests/test_ui.py b/filesfolders/tests/test_ui.py
index 1411b268..6e408943 100644
--- a/filesfolders/tests/test_ui.py
+++ b/filesfolders/tests/test_ui.py
@@ -7,7 +7,7 @@
 # Projectroles dependency
 from projectroles.app_settings import AppSettingAPI
 from projectroles.models import AppSetting, SODAR_CONSTANTS
-from projectroles.tests.test_ui import TestUIBase
+from projectroles.tests.test_ui import UITestBase
 from projectroles.utils import build_secret
 
 from filesfolders.tests.test_models import (
@@ -32,8 +32,8 @@
 APP_NAME = 'filesfolders'
 
 
-class TestListView(FolderMixin, FileMixin, HyperLinkMixin, TestUIBase):
-    """Tests for filesfolders main file list view UI"""
+class TestProjectFileView(FolderMixin, FileMixin, HyperLinkMixin, UITestBase):
+    """Tests for ProjectFileView UI"""
 
     def setUp(self):
         super().setUp()
@@ -388,7 +388,7 @@ def test_item_flags(self):
         )
 
 
-class TestSearch(FolderMixin, FileMixin, HyperLinkMixin, TestUIBase):
+class TestSearch(FolderMixin, FileMixin, HyperLinkMixin, UITestBase):
     """Tests for the project search UI functionalities"""
 
     def setUp(self):
@@ -561,7 +561,7 @@ def test_search_type_nonexisting(self):
         self.assert_element_count(expected, url, 'sodar-ff-search-item')
 
 
-class TestHomeView(TestUIBase):
+class TestHomeView(UITestBase):
     """Tests for appearance of filesfolders specific data in the home view"""
 
     def test_project_list(self):
diff --git a/filesfolders/tests/test_views.py b/filesfolders/tests/test_views.py
index 044f0e77..f109ce56 100644
--- a/filesfolders/tests/test_views.py
+++ b/filesfolders/tests/test_views.py
@@ -44,9 +44,10 @@
 ZIP_PATH = TEST_DATA_PATH + 'unpack_test.zip'
 ZIP_PATH_NO_FILES = TEST_DATA_PATH + 'no_files.zip'
 INVALID_UUID = '11111111-1111-1111-1111-111111111111'
+EMPTY_FILE_MSG = 'The submitted file is empty.'
 
 
-class TestViewsBaseMixin(
+class FilesfoldersViewTestMixin(
     ProjectMixin,
     RoleMixin,
     RoleAssignmentMixin,
@@ -111,18 +112,18 @@ def setUp(self):
         )
 
 
-class TestViewsBase(TestViewsBaseMixin, TestCase):
-    """Base class for view testing"""
+class ViewTestBase(FilesfoldersViewTestMixin, TestCase):
+    """Base class for filesfolders view testing"""
 
 
-# List View --------------------------------------------------------------------
+# Project Files View -----------------------------------------------------------
 
 
-class TestListView(TestViewsBase):
-    """Tests for the file list view"""
+class TestProjectFileView(ViewTestBase):
+    """Tests for ProjectFileView"""
 
-    def test_render(self):
-        """Test rendering project root view"""
+    def test_get_root(self):
+        """Test ProjectFileView GET in root"""
         with self.login(self.user):
             response = self.client.get(
                 reverse(
@@ -131,13 +132,13 @@ def test_render(self):
                 )
             )
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.context['project'].pk, self.project.pk)
+        self.assertEqual(response.context['project'], self.project)
         self.assertIsNotNone(response.context['folders'])
         self.assertIsNotNone(response.context['files'])
         self.assertIsNotNone(response.context['links'])
 
-    def test_render_not_found(self):
-        """Test rendering with invalid project UUID"""
+    def test_get_invalid_uuid(self):
+        """Test GET with invalid project UUID"""
         with self.login(self.user):
             response = self.client.get(
                 reverse(
@@ -147,8 +148,8 @@ def test_render_not_found(self):
             )
         self.assertEqual(response.status_code, 404)
 
-    def test_render_in_folder(self):
-        """Test rendering folder view within the project"""
+    def test_get_folder(self):
+        """Test GET under folder"""
         with self.login(self.user):
             response = self.client.get(
                 reverse(
@@ -157,13 +158,13 @@ def test_render_in_folder(self):
                 )
             )
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.context['project'].pk, self.project.pk)
+        self.assertEqual(response.context['project'], self.project)
         self.assertIsNotNone(response.context['folder_breadcrumb'])
         self.assertIsNotNone(response.context['files'])
         self.assertIsNotNone(response.context['links'])
 
-    def test_render_with_readme_txt(self):
-        """Test rendering with a plaintext readme file"""
+    def test_get_readme_txt(self):
+        """Test GET with plaintext readme file"""
         self.readme_file = self.make_file(
             name='readme.txt',
             file_name='readme.txt',
@@ -188,69 +189,219 @@ def test_render_with_readme_txt(self):
         self.assertEqual(response.context['readme_mime'], 'text/plain')
 
 
-# File Views -------------------------------------------------------------------
+# Folder Views -----------------------------------------------------------------
 
 
-class TestFileCreateView(TestViewsBase):
-    """Tests for the File create view"""
+class TestFolderCreateView(ViewTestBase):
+    """Tests for FolderCreateView"""
+
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            'filesfolders:folder_create',
+            kwargs={'project': self.project.sodar_uuid},
+        )
+        self.url_folder = reverse(
+            'filesfolders:folder_create',
+            kwargs={'folder': self.folder.sodar_uuid},
+        )
 
-    def test_render(self):
-        """Test rendering File create view"""
+    def test_get(self):
+        """Test FolderCreateView GET"""
         with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'filesfolders:file_create',
-                    kwargs={'project': self.project.sodar_uuid},
-                )
-            )
+            response = self.client.get(self.url)
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.context['project'].pk, self.project.pk)
+        self.assertEqual(response.context['project'], self.project)
 
-    def test_render_in_folder(self):
-        """Test rendering under a folder"""
+    def test_get_invalid_uuid(self):
+        """Test GET with invalid project UUID"""
         with self.login(self.user):
             response = self.client.get(
                 reverse(
-                    'filesfolders:file_create',
-                    kwargs={'folder': self.folder.sodar_uuid},
+                    'filesfolders:folder_create',
+                    kwargs={'project': INVALID_UUID},
                 )
             )
-            self.assertEqual(response.status_code, 200)
-            self.assertEqual(response.context['project'].pk, self.project.pk)
-            self.assertEqual(response.context['folder'].pk, self.folder.pk)
+        self.assertEqual(response.status_code, 404)
+
+    def test_get_folder(self):
+        """Test GET under folder"""
+        with self.login(self.user):
+            response = self.client.get(self.url_folder)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.context['project'], self.project)
+        self.assertEqual(response.context['folder'], self.folder)
+
+    def test_post(self):
+        """Test POST to create folder"""
+        self.assertEqual(Folder.objects.all().count(), 1)
+        post_data = {
+            'name': 'new_folder',
+            'folder': '',
+            'description': '',
+            'flag': '',
+        }
+        with self.login(self.user):
+            response = self.client.post(self.url, post_data)
+
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(
+            response.url,
+            reverse(
+                'filesfolders:list',
+                kwargs={'project': self.project.sodar_uuid},
+            ),
+        )
+        self.assertEqual(Folder.objects.all().count(), 2)
+
+    def test_post_folder(self):
+        """Test POST under folder"""
+        self.assertEqual(Folder.objects.all().count(), 1)
+        post_data = {
+            'name': 'new_folder',
+            'folder': self.folder.sodar_uuid,
+            'description': '',
+            'flag': '',
+        }
+        with self.login(self.user):
+            response = self.client.post(self.url, post_data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(
+            response.url,
+            reverse(
+                'filesfolders:list',
+                kwargs={'folder': self.folder.sodar_uuid},
+            ),
+        )
+        self.assertEqual(Folder.objects.all().count(), 2)
 
-    def test_render_not_found(self):
-        """Test rendering with invalid project UUID"""
+    def test_post_existing(self):
+        """Test POST with existing folder (should fail)"""
+        self.assertEqual(Folder.objects.all().count(), 1)
+        post_data = {
+            'name': 'folder',
+            'folder': '',
+            'description': '',
+            'flag': '',
+        }
+        with self.login(self.user):
+            response = self.client.post(self.url, post_data)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(Folder.objects.all().count(), 1)
+
+
+class TestFolderUpdateView(ViewTestBase):
+    """Tests for FolderUpdateView"""
+
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            'filesfolders:folder_update',
+            kwargs={'item': self.folder.sodar_uuid},
+        )
+
+    def test_get(self):
+        """Test FolderUpdateView GET"""
+        with self.login(self.user):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.context['object'], self.folder)
+
+    def test_get_invalid_uuid(self):
+        """Test GET with invalid folder UUID"""
         with self.login(self.user):
             response = self.client.get(
                 reverse(
-                    'filesfolders:file_create',
-                    kwargs={'project': INVALID_UUID},
+                    'filesfolders:folder_update',
+                    kwargs={'item': INVALID_UUID},
                 )
             )
         self.assertEqual(response.status_code, 404)
 
-    def test_create(self):
-        """Test file creation"""
-        self.assertEqual(File.objects.all().count(), 1)
+    def test_post(self):
+        """Test POST to update folder"""
+        self.assertEqual(Folder.objects.all().count(), 1)
+        post_data = {
+            'name': 'renamed_folder',
+            'folder': '',
+            'description': 'updated description',
+            'flag': '',
+        }
+        with self.login(self.user):
+            response = self.client.post(self.url, post_data)
+
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(
+            response.url,
+            reverse(
+                'filesfolders:list',
+                kwargs={'project': self.project.sodar_uuid},
+            ),
+        )
+        self.assertEqual(Folder.objects.all().count(), 1)
+        self.folder.refresh_from_db()
+        self.assertEqual(self.folder.name, 'renamed_folder')
+        self.assertEqual(self.folder.description, 'updated description')
+
+    def test_post_existing(self):
+        """Test POST with existing folder name (should fail)"""
+        self.make_folder(
+            name='folder2',
+            project=self.project,
+            folder=None,
+            owner=self.user,
+            description='',
+        )
+        self.assertEqual(Folder.objects.all().count(), 2)
 
         post_data = {
-            'name': 'new_file.txt',
-            'file': SimpleUploadedFile('new_file.txt', self.file_content),
+            'name': 'folder2',
             'folder': '',
             'description': '',
             'flag': '',
-            'public_url': False,
         }
         with self.login(self.user):
-            response = self.client.post(
+            response = self.client.post(self.url, post_data)
+
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(Folder.objects.all().count(), 2)
+        self.folder.refresh_from_db()
+        self.assertEqual(self.folder.name, 'folder')
+
+
+class TestFolderDeleteView(ViewTestBase):
+    """Tests for FolderDeleteView"""
+
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            'filesfolders:folder_delete',
+            kwargs={'item': self.folder.sodar_uuid},
+        )
+
+    def test_get(self):
+        """Test FolderDeleteView GET"""
+        with self.login(self.user):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.context['object'], self.folder)
+
+    def test_get_invalid_uuid(self):
+        """Test GET with invalid folder UUID"""
+        with self.login(self.user):
+            response = self.client.get(
                 reverse(
-                    'filesfolders:file_create',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-                post_data,
+                    'filesfolders:folder_delete',
+                    kwargs={'item': INVALID_UUID},
+                )
             )
+        self.assertEqual(response.status_code, 404)
 
+    def test_post(self):
+        """Test POST to delete folder"""
+        self.assertEqual(Folder.objects.all().count(), 1)
+        with self.login(self.user):
+            response = self.client.post(self.url)
         self.assertEqual(response.status_code, 302)
         self.assertEqual(
             response.url,
@@ -259,12 +410,81 @@ def test_create(self):
                 kwargs={'project': self.project.sodar_uuid},
             ),
         )
-        self.assertEqual(File.objects.all().count(), 2)
+        self.assertEqual(Folder.objects.all().count(), 0)
 
-    def test_create_empty(self):
-        """Test empty file creation (should fail)"""
+
+# File Views -------------------------------------------------------------------
+
+
+class TestFileCreateView(ViewTestBase):
+    """Tests for FileCreateView"""
+
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            'filesfolders:file_create',
+            kwargs={'project': self.project.sodar_uuid},
+        )
+        self.url_folder = reverse(
+            'filesfolders:file_create',
+            kwargs={'folder': self.folder.sodar_uuid},
+        )
+        self.url_list = reverse(
+            'filesfolders:list',
+            kwargs={'project': self.project.sodar_uuid},
+        )
+        self.url_list_folder = reverse(
+            'filesfolders:list',
+            kwargs={'folder': self.folder.sodar_uuid},
+        )
+
+    def test_get(self):
+        """Test FileCreateView GET"""
+        with self.login(self.user):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.context['project'], self.project)
+
+    def test_get_folder(self):
+        """Test GET under folder"""
+        with self.login(self.user):
+            response = self.client.get(self.url_folder)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.context['project'], self.project)
+        self.assertEqual(response.context['folder'], self.folder)
+
+    def test_get_invalid_uuid(self):
+        """Test GET with invalid project UUID"""
+        with self.login(self.user):
+            response = self.client.get(
+                reverse(
+                    'filesfolders:file_create',
+                    kwargs={'project': INVALID_UUID},
+                )
+            )
+        self.assertEqual(response.status_code, 404)
+
+    def test_post(self):
+        """Test POST to create file"""
         self.assertEqual(File.objects.all().count(), 1)
+        post_data = {
+            'name': 'new_file.txt',
+            'file': SimpleUploadedFile('new_file.txt', self.file_content),
+            'folder': '',
+            'description': '',
+            'flag': '',
+            'public_url': False,
+        }
+        with self.login(self.user):
+            response = self.client.post(self.url, post_data)
 
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, self.url_list)
+        self.assertEqual(File.objects.all().count(), 2)
+
+    def test_post_empty(self):
+        """Test POST with empty file (should fail)"""
+        self.assertEqual(File.objects.all().count(), 1)
         post_data = {
             'name': 'new_file.txt',
             'file': SimpleUploadedFile(
@@ -276,28 +496,15 @@ def test_create_empty(self):
             'public_url': False,
         }
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:file_create',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-                post_data,
-            )
+            response = self.client.post(self.url, post_data)
 
         self.assertEqual(response.status_code, 200)
-        self.assertTrue(
-            bytes(
-                '<p id="error_1_id_file" class="invalid-feedback"><strong>'
-                'The submitted file is empty.</strong></p>'.encode('utf-8')
-            )
-            in response.content
-        )
+        self.assertIn(EMPTY_FILE_MSG, response.content.decode('utf-8'))
         self.assertEqual(File.objects.all().count(), 1)
 
-    def test_create_in_folder(self):
-        """Test file creation within a folder"""
+    def test_post_folder(self):
+        """Test POST under folder"""
         self.assertEqual(File.objects.all().count(), 1)
-
         post_data = {
             'name': 'new_file.txt',
             'file': SimpleUploadedFile('new_file.txt', self.file_content),
@@ -307,28 +514,15 @@ def test_create_in_folder(self):
             'public_url': False,
         }
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:file_create',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-                post_data,
-            )
+            response = self.client.post(self.url_folder, post_data)
 
         self.assertEqual(response.status_code, 302)
-        self.assertEqual(
-            response.url,
-            reverse(
-                'filesfolders:list',
-                kwargs={'folder': self.folder.sodar_uuid},
-            ),
-        )
+        self.assertEqual(response.url, self.url_list_folder)
         self.assertEqual(File.objects.all().count(), 2)
 
-    def test_create_existing(self):
-        """Test file create with an existing file name (should fail)"""
+    def test_post_existing(self):
+        """Test POST with existing file name (should fail)"""
         self.assertEqual(File.objects.all().count(), 1)
-
         post_data = {
             'name': 'file.txt',
             'file': SimpleUploadedFile('file.txt', self.file_content_alt),
@@ -338,18 +532,12 @@ def test_create_existing(self):
             'public_url': False,
         }
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:file_create',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-                post_data,
-            )
+            response = self.client.post(self.url, post_data)
         self.assertEqual(response.status_code, 200)
         self.assertEqual(File.objects.all().count(), 1)
 
-    def test_unpack_archive(self):
-        """Test uploading a zip file to be unpacked"""
+    def test_post_unpack_archive(self):
+        """Test POST with zip archive to be unpacked"""
         self.assertEqual(File.objects.all().count(), 1)
         self.assertEqual(Folder.objects.all().count(), 1)
 
@@ -364,22 +552,10 @@ def test_unpack_archive(self):
                 'unpack_archive': True,
             }
             with self.login(self.user):
-                response = self.client.post(
-                    reverse(
-                        'filesfolders:file_create',
-                        kwargs={'project': self.project.sodar_uuid},
-                    ),
-                    post_data,
-                )
+                response = self.client.post(self.url, post_data)
 
         self.assertEqual(response.status_code, 302)
-        self.assertEqual(
-            response.url,
-            reverse(
-                'filesfolders:list',
-                kwargs={'project': self.project.sodar_uuid},
-            ),
-        )
+        self.assertEqual(response.url, self.url_list)
         self.assertEqual(File.objects.all().count(), 3)
         self.assertEqual(Folder.objects.all().count(), 3)
 
@@ -391,8 +567,8 @@ def test_unpack_archive(self):
         self.assertEqual(new_file2.folder, new_folder2)
         self.assertEqual(new_folder2.folder, new_folder1)
 
-    def test_unpack_archive_overwrite(self):
-        """Test unpacking a zip file with existing file (should fail)"""
+    def test_post_unpack_archive_overwrite(self):
+        """Test POST to unpack archive with existing file (should fail)"""
         ow_folder = self.make_folder(
             name='dir1',
             project=self.project,
@@ -425,20 +601,14 @@ def test_unpack_archive_overwrite(self):
                 'unpack_archive': True,
             }
             with self.login(self.user):
-                response = self.client.post(
-                    reverse(
-                        'filesfolders:file_create',
-                        kwargs={'project': self.project.sodar_uuid},
-                    ),
-                    post_data,
-                )
+                response = self.client.post(self.url, post_data)
 
         self.assertEqual(response.status_code, 200)
         self.assertEqual(File.objects.all().count(), 2)
         self.assertEqual(Folder.objects.all().count(), 2)
 
-    def test_unpack_archive_empty(self):
-        """Test unpacking a zip file with an empty archive (should fail)"""
+    def test_post_unpack_archive_empty(self):
+        """Test POST with empty archive (should fail)"""
         with open(ZIP_PATH_NO_FILES, 'rb') as zip_file:
             post_data = {
                 'name': 'no_files.zip',
@@ -450,17 +620,11 @@ def test_unpack_archive_empty(self):
                 'unpack_archive': True,
             }
             with self.login(self.user):
-                response = self.client.post(
-                    reverse(
-                        'filesfolders:file_create',
-                        kwargs={'project': self.project.sodar_uuid},
-                    ),
-                    post_data,
-                )
+                response = self.client.post(self.url, post_data)
         self.assertEqual(response.status_code, 200)
 
-    def test_upload_archive_existing(self):
-        """Test uploading a zip file with existing file (no unpack)"""
+    def test_post_archive_existing(self):
+        """Test POST to upload archive with existing file (no unpack)"""
         ow_folder = self.make_folder(
             name='dir1',
             project=self.project,
@@ -493,36 +657,40 @@ def test_upload_archive_existing(self):
                 'unpack_archive': False,
             }
             with self.login(self.user):
-                response = self.client.post(
-                    reverse(
-                        'filesfolders:file_create',
-                        kwargs={'project': self.project.sodar_uuid},
-                    ),
-                    post_data,
-                )
+                response = self.client.post(self.url, post_data)
 
         self.assertEqual(response.status_code, 302)
         self.assertEqual(File.objects.all().count(), 3)
         self.assertEqual(Folder.objects.all().count(), 2)
 
 
-class TestFileUpdateView(TestViewsBase):
-    """Tests for the File update view"""
+class TestFileUpdateView(ViewTestBase):
+    """Tests for FileUpdateView"""
+
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            'filesfolders:file_update',
+            kwargs={'item': self.file.sodar_uuid},
+        )
+        self.url_list = reverse(
+            'filesfolders:list',
+            kwargs={'project': self.project.sodar_uuid},
+        )
+        self.url_list_folder = reverse(
+            'filesfolders:list',
+            kwargs={'folder': self.folder.sodar_uuid},
+        )
 
-    def test_render(self):
-        """Test rendering of the File update view"""
+    def test_get(self):
+        """Test FileUpdateView GET"""
         with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'filesfolders:file_update',
-                    kwargs={'item': self.file.sodar_uuid},
-                )
-            )
+            response = self.client.get(self.url)
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.context['object'].pk, self.file.pk)
+        self.assertEqual(response.context['object'], self.file)
 
-    def test_render_not_found(self):
-        """Test rendering with invalid file UUID"""
+    def test_get_invalid_uuid(self):
+        """Test GET with invalid file UUID"""
         with self.login(self.user):
             response = self.client.get(
                 reverse(
@@ -532,8 +700,8 @@ def test_render_not_found(self):
             )
         self.assertEqual(response.status_code, 404)
 
-    def test_update(self):
-        """Test file update with different content"""
+    def test_post(self):
+        """Test POST to update file"""
         self.assertEqual(File.objects.all().count(), 1)
         self.assertEqual(self.file.file.read(), self.file_content)
 
@@ -546,28 +714,16 @@ def test_update(self):
             'public_url': False,
         }
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:file_update',
-                    kwargs={'item': self.file.sodar_uuid},
-                ),
-                post_data,
-            )
+            response = self.client.post(self.url, post_data)
 
         self.assertEqual(response.status_code, 302)
-        self.assertEqual(
-            response.url,
-            reverse(
-                'filesfolders:list',
-                kwargs={'project': self.project.sodar_uuid},
-            ),
-        )
+        self.assertEqual(response.url, self.url_list)
         self.assertEqual(File.objects.all().count(), 1)
         self.file.refresh_from_db()
         self.assertEqual(self.file.file.read(), self.file_content_alt)
 
-    def test_update_empty(self):
-        """Test file update with empty content"""
+    def test_post_empty(self):
+        """Test POST with empty file content"""
         self.assertEqual(File.objects.all().count(), 1)
         self.assertEqual(self.file.file.read(), self.file_content)
 
@@ -580,28 +736,16 @@ def test_update_empty(self):
             'public_url': False,
         }
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:file_update',
-                    kwargs={'item': self.file.sodar_uuid},
-                ),
-                post_data,
-            )
+            response = self.client.post(self.url, post_data)
 
         self.assertEqual(response.status_code, 200)
-        self.assertTrue(
-            bytes(
-                '<p id="error_1_id_file" class="invalid-feedback"><strong>'
-                'The submitted file is empty.</strong></p>'.encode('utf-8')
-            )
-            in response.content
-        )
+        self.assertIn(EMPTY_FILE_MSG, response.content.decode('utf-8'))
         self.assertEqual(File.objects.all().count(), 1)
         self.file.refresh_from_db()
         self.assertEqual(self.file.file.read(), self.file_content)
 
-    def test_update_existing(self):
-        """Test file update with file name that already exists (should fail)"""
+    def test_post_existing(self):
+        """Test POST with existing file name (should fail)"""
         self.make_file(
             name='file2.txt',
             file_name='file2.txt',
@@ -624,21 +768,15 @@ def test_update_existing(self):
             'public_url': False,
         }
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:file_update',
-                    kwargs={'item': self.file.sodar_uuid},
-                ),
-                post_data,
-            )
+            response = self.client.post(self.url, post_data)
 
         self.assertEqual(response.status_code, 200)
         self.assertEqual(File.objects.all().count(), 2)
         self.file.refresh_from_db()
         self.assertEqual(self.file.file.read(), self.file_content)
 
-    def test_update_folder(self):
-        """Test moving file to a different folder"""
+    def test_post_move_folder(self):
+        """Test POST to move file to another folder"""
         post_data = {
             'name': 'file.txt',
             'folder': self.folder.sodar_uuid,
@@ -647,27 +785,15 @@ def test_update_folder(self):
             'public_url': False,
         }
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:file_update',
-                    kwargs={'item': self.file.sodar_uuid},
-                ),
-                post_data,
-            )
+            response = self.client.post(self.url, post_data)
 
         self.assertEqual(response.status_code, 302)
-        self.assertEqual(
-            response.url,
-            reverse(
-                'filesfolders:list',
-                kwargs={'folder': self.folder.sodar_uuid},
-            ),
-        )
+        self.assertEqual(response.url, self.url_list_folder)
         self.file.refresh_from_db()
         self.assertEqual(self.file.folder, self.folder)
 
-    def test_update_folder_existing(self):
-        """Test overwriting file in a different folder (should fail)"""
+    def test_post_move_folder_existing(self):
+        """Test POST to overwrite file in another folder (should fail)"""
         # Create file with same name in the target folder
         self.make_file(
             name='file.txt',
@@ -689,13 +815,7 @@ def test_update_folder_existing(self):
             'public_url': False,
         }
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:file_update',
-                    kwargs={'item': self.file.sodar_uuid},
-                ),
-                post_data,
-            )
+            response = self.client.post(self.url, post_data)
 
         self.assertEqual(response.status_code, 200)
         self.assertEqual(File.objects.all().count(), 2)
@@ -703,480 +823,203 @@ def test_update_folder_existing(self):
         self.assertEqual(self.file.folder, None)
 
 
-class TestFileDeleteView(TestViewsBase):
-    """Tests for the File delete view"""
-
-    def test_render(self):
-        """Test rendering of the File delete view"""
-        with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'filesfolders:file_delete',
-                    kwargs={'item': self.file.sodar_uuid},
-                )
-            )
-        self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.context['object'].pk, self.file.pk)
-
-    def test_render_not_found(self):
-        """Test rendering with invalid file UUID"""
-        with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'filesfolders:file_delete',
-                    kwargs={'item': INVALID_UUID},
-                )
-            )
-        self.assertEqual(response.status_code, 404)
-
-    def test_post(self):
-        """Test deleting a File"""
-        self.assertEqual(File.objects.all().count(), 1)
-        with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:file_delete',
-                    kwargs={'item': self.file.sodar_uuid},
-                )
-            )
-        self.assertEqual(response.status_code, 302)
-        self.assertEqual(
-            response.url,
-            reverse(
-                'filesfolders:list',
-                kwargs={'project': self.project.sodar_uuid},
-            ),
-        )
-        self.assertEqual(File.objects.all().count(), 0)
-
-
-class TestFileServeView(TestViewsBase):
-    """Tests for the File serving view"""
-
-    def test_render(self):
-        """Test rendering of the File serving view"""
-        with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'filesfolders:file_serve',
-                    kwargs={
-                        'file': self.file.sodar_uuid,
-                        'file_name': self.file.name,
-                    },
-                )
-            )
-        self.assertEqual(response.status_code, 200)
-
-    def test_render_not_found(self):
-        """Test rendering of the File serving view"""
-        with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'filesfolders:file_serve',
-                    kwargs={
-                        'file': INVALID_UUID,
-                        'file_name': self.file.name,
-                    },
-                )
-            )
-        self.assertEqual(response.status_code, 404)
-
-
-class TestFileServePublicView(TestViewsBase):
-    """Tests for the File public serving view"""
-
-    def test_render(self):
-        """Test rendering of the File public serving view"""
-        with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'filesfolders:file_serve_public',
-                    kwargs={'secret': SECRET, 'file_name': self.file.name},
-                )
-            )
-        self.assertEqual(response.status_code, 200)
-
-    def test_bad_request_setting(self):
-        """Test bad request response if public linking is disabled"""
-        app_settings.set(
-            APP_NAME, 'allow_public_links', False, project=self.project
-        )
-        with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'filesfolders:file_serve_public',
-                    kwargs={'secret': SECRET, 'file_name': self.file.name},
-                )
-            )
-        self.assertEqual(response.status_code, 400)
-
-    def test_bad_request_file_flag(self):
-        """Test bad request response if file can not be served publicly"""
-        self.file.public_url = False
-        self.file.save()
-        with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'filesfolders:file_serve_public',
-                    kwargs={'secret': SECRET, 'file_name': self.file.name},
-                )
-            )
-        self.assertEqual(response.status_code, 400)
-
-    def test_bad_request_no_file(self):
-        """Test bad request response if file has been deleted"""
-        file_name = self.file.name
-        self.file.delete()
-        with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'filesfolders:file_serve_public',
-                    kwargs={'secret': SECRET, 'file_name': file_name},
-                )
-            )
-        self.assertEqual(response.status_code, 400)
-
-
-class TestFilePublicLinkView(TestViewsBase):
-    """Tests for the File public link view"""
-
-    def test_render(self):
-        """Test rendering File public link view"""
-        with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'filesfolders:file_public_link',
-                    kwargs={'file': self.file.sodar_uuid},
-                )
-            )
-        self.assertEqual(response.status_code, 200)
-        self.assertEqual(
-            response.context['public_url'],
-            build_public_url(
-                self.file,
-                self.req_factory.get(
-                    'file_public_link',
-                    kwargs={'file': self.file.sodar_uuid},
-                ),
-            ),
-        )
-
-    def test_render_not_found(self):
-        """Test rendering with invalid file UUID"""
-        with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'filesfolders:file_public_link',
-                    kwargs={'file': INVALID_UUID},
-                )
-            )
-        self.assertEqual(response.status_code, 404)
-
-    def test_redirect_setting(self):
-        """Test redirecting if public linking is disabled via settings"""
-        app_settings.set(
-            APP_NAME, 'allow_public_links', False, project=self.project
-        )
-        with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'filesfolders:file_public_link',
-                    kwargs={'file': self.file.sodar_uuid},
-                )
-            )
-        self.assertEqual(response.status_code, 302)
-
-    def test_render_no_file(self):
-        """Test rendering if the file has been deleted"""
-        file_uuid = self.file.sodar_uuid
-        self.file.delete()
-        with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'filesfolders:file_public_link', kwargs={'file': file_uuid}
-                )
-            )
-        self.assertEqual(response.status_code, 404)
-
-
-# Folder Views -----------------------------------------------------------------
-
-
-class TestFolderCreateView(TestViewsBase):
-    """Tests for the File create view"""
-
-    def test_render(self):
-        """Test rendering Folder create view"""
-        with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'filesfolders:folder_create',
-                    kwargs={'project': self.project.sodar_uuid},
-                )
-            )
-        self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.context['project'].pk, self.project.pk)
-
-    def test_render_not_found(self):
-        """Test rendering with invalid project UUID"""
-        with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'filesfolders:folder_create',
-                    kwargs={'project': INVALID_UUID},
-                )
-            )
-        self.assertEqual(response.status_code, 404)
-
-    def test_render_in_folder(self):
-        """Test rendering Folder create view under a folder"""
-        with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'filesfolders:folder_create',
-                    kwargs={'folder': self.folder.sodar_uuid},
-                )
-            )
-        self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.context['project'].pk, self.project.pk)
-        self.assertEqual(response.context['folder'].pk, self.folder.pk)
-
-    def test_create(self):
-        """Test folder creation"""
-        self.assertEqual(Folder.objects.all().count(), 1)
-
-        post_data = {
-            'name': 'new_folder',
-            'folder': '',
-            'description': '',
-            'flag': '',
-        }
-        with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:folder_create',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-                post_data,
-            )
+class TestFileDeleteView(ViewTestBase):
+    """Tests for FileDeleteView"""
 
-        self.assertEqual(response.status_code, 302)
-        self.assertEqual(
-            response.url,
-            reverse(
-                'filesfolders:list',
-                kwargs={'project': self.project.sodar_uuid},
-            ),
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            'filesfolders:file_delete',
+            kwargs={'item': self.file.sodar_uuid},
         )
-        self.assertEqual(Folder.objects.all().count(), 2)
 
-    def test_create_in_folder(self):
-        """Test folder creation within a folder"""
-        self.assertEqual(Folder.objects.all().count(), 1)
+    def test_get(self):
+        """Test FileDeleteView GET"""
+        with self.login(self.user):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.context['object'], self.file)
 
-        post_data = {
-            'name': 'new_folder',
-            'folder': self.folder.sodar_uuid,
-            'description': '',
-            'flag': '',
-        }
+    def test_get_invalid_uuid(self):
+        """Test GET with invalid file UUID"""
         with self.login(self.user):
-            response = self.client.post(
+            response = self.client.get(
                 reverse(
-                    'filesfolders:folder_create',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-                post_data,
+                    'filesfolders:file_delete',
+                    kwargs={'item': INVALID_UUID},
+                )
             )
+        self.assertEqual(response.status_code, 404)
 
+    def test_post(self):
+        """Test POST to delete file"""
+        self.assertEqual(File.objects.all().count(), 1)
+        with self.login(self.user):
+            response = self.client.post(self.url)
         self.assertEqual(response.status_code, 302)
         self.assertEqual(
             response.url,
             reverse(
                 'filesfolders:list',
-                kwargs={'folder': self.folder.sodar_uuid},
+                kwargs={'project': self.project.sodar_uuid},
             ),
         )
-        self.assertEqual(Folder.objects.all().count(), 2)
-
-    def test_create_existing(self):
-        """Test folder creation with existing folder (should fail)"""
-        self.assertEqual(Folder.objects.all().count(), 1)
-        post_data = {
-            'name': 'folder',
-            'folder': '',
-            'description': '',
-            'flag': '',
-        }
-        with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:folder_create',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-                post_data,
-            )
-        self.assertEqual(response.status_code, 200)
-        self.assertEqual(Folder.objects.all().count(), 1)
+        self.assertEqual(File.objects.all().count(), 0)
 
 
-class TestFolderUpdateView(TestViewsBase):
-    """Tests for the Folder update view"""
+class TestFileServeView(ViewTestBase):
+    """Tests for FileServeView"""
 
-    def test_render(self):
-        """Test rendering Folder update view"""
+    def test_get(self):
+        """Test FileServeView GET"""
         with self.login(self.user):
             response = self.client.get(
                 reverse(
-                    'filesfolders:folder_update',
-                    kwargs={'item': self.folder.sodar_uuid},
+                    'filesfolders:file_serve',
+                    kwargs={
+                        'file': self.file.sodar_uuid,
+                        'file_name': self.file.name,
+                    },
                 )
             )
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.context['object'].pk, self.folder.pk)
 
-    def test_render_not_found(self):
-        """Test rendering with invalid folder UUID"""
+    def test_get_invalid_uuid(self):
+        """Test GET with invalid UUID"""
         with self.login(self.user):
             response = self.client.get(
                 reverse(
-                    'filesfolders:folder_update',
-                    kwargs={'item': INVALID_UUID},
+                    'filesfolders:file_serve',
+                    kwargs={
+                        'file': INVALID_UUID,
+                        'file_name': self.file.name,
+                    },
                 )
             )
         self.assertEqual(response.status_code, 404)
 
-    def test_update(self):
-        """Test folder update"""
-        self.assertEqual(Folder.objects.all().count(), 1)
 
-        post_data = {
-            'name': 'renamed_folder',
-            'folder': '',
-            'description': 'updated description',
-            'flag': '',
-        }
-        with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:folder_update',
-                    kwargs={'item': self.folder.sodar_uuid},
-                ),
-                post_data,
-            )
+class TestFileServePublicView(ViewTestBase):
+    """Tests for FileServePublicView"""
 
-        self.assertEqual(response.status_code, 302)
-        self.assertEqual(
-            response.url,
-            reverse(
-                'filesfolders:list',
-                kwargs={'project': self.project.sodar_uuid},
-            ),
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            'filesfolders:file_serve_public',
+            kwargs={'secret': SECRET, 'file_name': self.file.name},
         )
-        self.assertEqual(Folder.objects.all().count(), 1)
-        self.folder.refresh_from_db()
-        self.assertEqual(self.folder.name, 'renamed_folder')
-        self.assertEqual(self.folder.description, 'updated description')
 
-    def test_update_existing(self):
-        """Test folder update with name that already exists (should fail)"""
-        self.make_folder(
-            name='folder2',
-            project=self.project,
-            folder=None,
-            owner=self.user,
-            description='',
+    def test_get(self):
+        """Test FileServePublicView GET"""
+        with self.login(self.user):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 200)
+
+    def test_get_link_disabled(self):
+        """Test GET with disabled public link setting (should fail)"""
+        app_settings.set(
+            APP_NAME, 'allow_public_links', False, project=self.project
         )
-        self.assertEqual(Folder.objects.all().count(), 2)
+        with self.login(self.user):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 400)
 
-        post_data = {
-            'name': 'folder2',
-            'folder': '',
-            'description': '',
-            'flag': '',
-        }
+    def test_get_public_url_disabled(self):
+        """Test GET with file public_url set to False (should fail)"""
+        self.file.public_url = False
+        self.file.save()
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:folder_update',
-                    kwargs={'item': self.folder.sodar_uuid},
-                ),
-                post_data,
-            )
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 400)
 
-        self.assertEqual(response.status_code, 200)
-        self.assertEqual(Folder.objects.all().count(), 2)
-        self.folder.refresh_from_db()
-        self.assertEqual(self.folder.name, 'folder')
+    def test_get_deleted_file(self):
+        """Test GET with deleted file (should fail)"""
+        self.file.delete()
+        with self.login(self.user):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 400)
 
 
-class TestFolderDeleteView(TestViewsBase):
-    """Tests for the File delete view"""
+class TestFilePublicLinkView(ViewTestBase):
+    """Tests for FilePublicLinkView"""
 
-    def test_render(self):
-        """Test rendering Folder delete view"""
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            'filesfolders:file_public_link',
+            kwargs={'file': self.file.sodar_uuid},
+        )
+
+    def test_get(self):
+        """Test FilePublicLinkView GET"""
         with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'filesfolders:folder_delete',
-                    kwargs={'item': self.folder.sodar_uuid},
-                )
-            )
+            response = self.client.get(self.url)
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.context['object'].pk, self.folder.pk)
+        self.assertEqual(
+            response.context['public_url'],
+            build_public_url(
+                self.file,
+                self.req_factory.get(
+                    'file_public_link',
+                    kwargs={'file': self.file.sodar_uuid},
+                ),
+            ),
+        )
 
-    def test_render_not_found(self):
-        """Test rendering Folder delete view"""
+    def test_get_invalid_uuid(self):
+        """Test GET with invalid file UUID"""
         with self.login(self.user):
             response = self.client.get(
                 reverse(
-                    'filesfolders:folder_delete',
-                    kwargs={'item': INVALID_UUID},
+                    'filesfolders:file_public_link',
+                    kwargs={'file': INVALID_UUID},
                 )
             )
         self.assertEqual(response.status_code, 404)
 
-    def test_post(self):
-        """Test deleting a Folder"""
-        self.assertEqual(Folder.objects.all().count(), 1)
+    def test_get_public_links_disabled(self):
+        """Test GET with disabled public linking (should fail)"""
+        app_settings.set(
+            APP_NAME, 'allow_public_links', False, project=self.project
+        )
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:folder_delete',
-                    kwargs={'item': self.folder.sodar_uuid},
-                )
-            )
+            response = self.client.get(self.url)
         self.assertEqual(response.status_code, 302)
-        self.assertEqual(
-            response.url,
-            reverse(
-                'filesfolders:list',
-                kwargs={'project': self.project.sodar_uuid},
-            ),
-        )
-        self.assertEqual(Folder.objects.all().count(), 0)
+
+    def test_get_deleted_file(self):
+        """Test GET with deleted file (should fail)"""
+        self.file.delete()
+        with self.login(self.user):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 404)
 
 
 # HyperLink Views --------------------------------------------------------------
 
 
-class TestHyperLinkCreateView(TestViewsBase):
-    """Tests for the HyperLink create view"""
+class TestHyperLinkCreateView(ViewTestBase):
+    """Tests for HyperLinkCreateView"""
+
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            'filesfolders:hyperlink_create',
+            kwargs={'project': self.project.sodar_uuid},
+        )
+        self.url_folder = reverse(
+            'filesfolders:hyperlink_create',
+            kwargs={'folder': self.folder.sodar_uuid},
+        )
 
-    def test_render(self):
-        """Test rendering HyperLink create view"""
+    def test_get(self):
+        """Test HyperLinkCreateView GET"""
         with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'filesfolders:hyperlink_create',
-                    kwargs={'project': self.project.sodar_uuid},
-                )
-            )
+            response = self.client.get(self.url)
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.context['project'].pk, self.project.pk)
+        self.assertEqual(response.context['project'], self.project)
 
-    def test_render_not_found(self):
-        """Test rendering with invalid project UUID"""
+    def test_get_invalid_uuid(self):
+        """Test GET with invalid project UUID"""
         with self.login(self.user):
             response = self.client.get(
                 reverse(
@@ -1186,21 +1029,16 @@ def test_render_not_found(self):
             )
         self.assertEqual(response.status_code, 404)
 
-    def test_render_in_folder(self):
-        """Test rendering under a folder"""
+    def test_get_folder(self):
+        """Test GET under folder"""
         with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'filesfolders:hyperlink_create',
-                    kwargs={'folder': self.folder.sodar_uuid},
-                )
-            )
+            response = self.client.get(self.url_folder)
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.context['project'].pk, self.project.pk)
-        self.assertEqual(response.context['folder'].pk, self.folder.pk)
+        self.assertEqual(response.context['project'], self.project)
+        self.assertEqual(response.context['folder'], self.folder)
 
-    def test_create(self):
-        """Test hyperlink creation"""
+    def test_post(self):
+        """Test POST to create hyperlink"""
         self.assertEqual(HyperLink.objects.all().count(), 1)
         post_data = {
             'name': 'new link',
@@ -1210,13 +1048,7 @@ def test_create(self):
             'flag': '',
         }
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:hyperlink_create',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-                post_data,
-            )
+            response = self.client.post(self.url, post_data)
         self.assertEqual(response.status_code, 302)
         self.assertEqual(
             response.url,
@@ -1227,8 +1059,8 @@ def test_create(self):
         )
         self.assertEqual(HyperLink.objects.all().count(), 2)
 
-    def test_create_in_folder(self):
-        """Test folder creation within a folder"""
+    def test_post_folder(self):
+        """Test POST under folder"""
         self.assertEqual(HyperLink.objects.all().count(), 1)
         post_data = {
             'name': 'new link',
@@ -1238,13 +1070,7 @@ def test_create_in_folder(self):
             'flag': '',
         }
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:hyperlink_create',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-                post_data,
-            )
+            response = self.client.post(self.url_folder, post_data)
         self.assertEqual(response.status_code, 302)
         self.assertEqual(
             response.url,
@@ -1255,8 +1081,8 @@ def test_create_in_folder(self):
         )
         self.assertEqual(HyperLink.objects.all().count(), 2)
 
-    def test_create_existing(self):
-        """Test hyperlink creation with an existing file (should fail)"""
+    def test_post_existing(self):
+        """Test POST with existing file (should fail)"""
         self.assertEqual(HyperLink.objects.all().count(), 1)
         post_data = {
             'name': 'Link',
@@ -1266,34 +1092,30 @@ def test_create_existing(self):
             'flag': '',
         }
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:hyperlink_create',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-                post_data,
-            )
+            response = self.client.post(self.url, post_data)
         self.assertEqual(response.status_code, 200)
         self.assertEqual(HyperLink.objects.all().count(), 1)
 
 
-class TestHyperLinkUpdateView(TestViewsBase):
-    """Tests for the HyperLink update view"""
+class TestHyperLinkUpdateView(ViewTestBase):
+    """Tests for HyperLinkUpdateView("""
+
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            'filesfolders:hyperlink_update',
+            kwargs={'item': self.hyperlink.sodar_uuid},
+        )
 
-    def test_render(self):
-        """Test rendering HyperLink update view"""
+    def test_get(self):
+        """Test HyperLinkUpdateView GET"""
         with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'filesfolders:hyperlink_update',
-                    kwargs={'item': self.hyperlink.sodar_uuid},
-                )
-            )
+            response = self.client.get(self.url)
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.context['object'].pk, self.hyperlink.pk)
+        self.assertEqual(response.context['object'], self.hyperlink)
 
-    def test_render_not_found(self):
-        """Test rendering with invalid UUID"""
+    def test_get_invalid_uuid(self):
+        """Test GET with invalid UUID"""
         with self.login(self.user):
             response = self.client.get(
                 reverse(
@@ -1303,8 +1125,8 @@ def test_render_not_found(self):
             )
         self.assertEqual(response.status_code, 404)
 
-    def test_update(self):
-        """Test hyperlink update"""
+    def test_post(self):
+        """Test POST to update hyperlink"""
         self.assertEqual(HyperLink.objects.all().count(), 1)
         post_data = {
             'name': 'Renamed Link',
@@ -1314,13 +1136,7 @@ def test_update(self):
             'flag': '',
         }
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:hyperlink_update',
-                    kwargs={'item': self.hyperlink.sodar_uuid},
-                ),
-                post_data,
-            )
+            response = self.client.post(self.url, post_data)
         self.assertEqual(response.status_code, 302)
         self.assertEqual(
             response.url,
@@ -1335,8 +1151,8 @@ def test_update(self):
         self.assertEqual(self.hyperlink.url, 'http://updated.com')
         self.assertEqual(self.hyperlink.description, 'updated description')
 
-    def test_update_existing(self):
-        """Test hyperlink update with a name that already exists (should fail)"""
+    def test_post_existing(self):
+        """Test POST with existing name (should fail)"""
         self.make_hyperlink(
             name='Link2',
             url='http://url2.com',
@@ -1355,13 +1171,7 @@ def test_update_existing(self):
             'flag': '',
         }
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:hyperlink_update',
-                    kwargs={'item': self.hyperlink.sodar_uuid},
-                ),
-                post_data,
-            )
+            response = self.client.post(self.url, post_data)
 
         self.assertEqual(response.status_code, 200)
         self.assertEqual(HyperLink.objects.all().count(), 2)
@@ -1369,23 +1179,25 @@ def test_update_existing(self):
         self.assertEqual(self.hyperlink.name, 'Link')
 
 
-class TestHyperLinkDeleteView(TestViewsBase):
-    """Tests for the HyperLink delete view"""
+class TestHyperLinkDeleteView(ViewTestBase):
+    """Tests for HyperLinkDeleteView"""
 
-    def test_render(self):
-        """Test rendering File delete view"""
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            'filesfolders:hyperlink_delete',
+            kwargs={'item': self.hyperlink.sodar_uuid},
+        )
+
+    def test_get(self):
+        """Test HyperLinkDeleteView GET"""
         with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'filesfolders:hyperlink_delete',
-                    kwargs={'item': self.hyperlink.sodar_uuid},
-                )
-            )
+            response = self.client.get(self.url)
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.context['object'].pk, self.hyperlink.pk)
+        self.assertEqual(response.context['object'], self.hyperlink)
 
-    def test_render_not_found(self):
-        """Test rendering with invalid UUID"""
+    def test_get_invalid_uuid(self):
+        """Test GET with invalid UUID"""
         with self.login(self.user):
             response = self.client.get(
                 reverse(
@@ -1396,15 +1208,10 @@ def test_render_not_found(self):
         self.assertEqual(response.status_code, 404)
 
     def test_post(self):
-        """Test deleting a HyperLink"""
+        """Test POST to delete hyperlink"""
         self.assertEqual(HyperLink.objects.all().count(), 1)
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:hyperlink_delete',
-                    kwargs={'item': self.hyperlink.sodar_uuid},
-                )
-            )
+            response = self.client.post(self.url)
         self.assertEqual(response.status_code, 302)
         self.assertEqual(
             response.url,
@@ -1419,11 +1226,18 @@ def test_post(self):
 # Batch Editing View -----------------------------------------------------------
 
 
-class TestBatchEditView(TestViewsBase):
-    """Tests for the batch editing view"""
+class TestBatchEditView(ViewTestBase):
+    """Tests for BatchEditView"""
 
-    def test_render_delete(self):
-        """Test rendering of the batch editing view when deleting"""
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            'filesfolders:batch_edit',
+            kwargs={'project': self.project.sodar_uuid},
+        )
+
+    def test_get_delete(self):
+        """Test BatchEditView GET with deleting"""
         post_data = {'batch-action': 'delete', 'user-confirmed': '0'}
         post_data['batch_item_File_{}'.format(self.file.sodar_uuid)] = 1
         post_data['batch_item_Folder_{}'.format(self.folder.sodar_uuid)] = 1
@@ -1431,34 +1245,22 @@ def test_render_delete(self):
             'batch_item_HyperLink_{}'.format(self.hyperlink.sodar_uuid)
         ] = 1
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:batch_edit',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-                post_data,
-            )
+            response = self.client.post(self.url, post_data)
         self.assertEqual(response.status_code, 200)
 
-    def test_render_move(self):
-        """Test rendering of the batch editing view when moving"""
+    def test_get_move(self):
+        """Test GET when moving"""
         post_data = {'batch-action': 'move', 'user-confirmed': '0'}
         post_data['batch_item_File_{}'.format(self.file.sodar_uuid)] = 1
         post_data[
             'batch_item_HyperLink_{}'.format(self.hyperlink.sodar_uuid)
         ] = 1
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:batch_edit',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-                post_data,
-            )
+            response = self.client.post(self.url, post_data)
         self.assertEqual(response.status_code, 200)
 
-    def test_deletion(self):
-        """Test batch object deletion"""
+    def test_post_delete(self):
+        """Test POST for batch object deletion"""
         self.assertEqual(File.objects.all().count(), 1)
         self.assertEqual(Folder.objects.all().count(), 1)
         self.assertEqual(HyperLink.objects.all().count(), 1)
@@ -1469,23 +1271,16 @@ def test_deletion(self):
         post_data[
             'batch_item_HyperLink_{}'.format(self.hyperlink.sodar_uuid)
         ] = 1
-
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:batch_edit',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-                post_data,
-            )
+            response = self.client.post(self.url, post_data)
 
         self.assertEqual(response.status_code, 302)
         self.assertEqual(File.objects.all().count(), 0)
         self.assertEqual(Folder.objects.all().count(), 0)
         self.assertEqual(HyperLink.objects.all().count(), 0)
 
-    def test_deletion_non_empty_folder(self):
-        """Test batch deletion with non-empty folder (should not be deleted)"""
+    def test_post_delete_non_empty_folder(self):
+        """Test POST for deletion with non-empty folder (should not be deleted)"""
         new_folder = self.make_folder(
             'new_folder', self.project, None, self.user, ''
         )
@@ -1507,23 +1302,16 @@ def test_deletion_non_empty_folder(self):
         post_data['batch_item_File_{}'.format(self.file.sodar_uuid)] = 1
         post_data['batch_item_Folder_{}'.format(self.folder.sodar_uuid)] = 1
         post_data['batch_item_Folder_{}'.format(new_folder.sodar_uuid)] = 1
-
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:batch_edit',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-                post_data,
-            )
+            response = self.client.post(self.url, post_data)
 
         self.assertEqual(response.status_code, 302)
         # The new folder and file should be left
         self.assertEqual(File.objects.all().count(), 1)
         self.assertEqual(Folder.objects.all().count(), 1)
 
-    def test_moving(self):
-        """Test batch object moving"""
+    def test_post_move(self):
+        """Test POST for batch object moving"""
         target_folder = self.make_folder(
             'target_folder', self.project, None, self.user, ''
         )
@@ -1537,31 +1325,22 @@ def test_moving(self):
         post_data[
             'batch_item_HyperLink_{}'.format(self.hyperlink.sodar_uuid)
         ] = 1
-
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:batch_edit',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-                post_data,
-            )
+            response = self.client.post(self.url, post_data)
 
         self.assertEqual(response.status_code, 302)
         self.assertEqual(
-            File.objects.get(pk=self.file.pk).folder.pk, target_folder.pk
+            File.objects.get(pk=self.file.pk).folder, target_folder
         )
         self.assertEqual(
-            Folder.objects.get(pk=self.folder.pk).folder.pk,
-            target_folder.pk,
+            Folder.objects.get(pk=self.folder.pk).folder, target_folder
         )
         self.assertEqual(
-            HyperLink.objects.get(pk=self.hyperlink.pk).folder.pk,
-            target_folder.pk,
+            HyperLink.objects.get(pk=self.hyperlink.pk).folder, target_folder
         )
 
-    def test_moving_name_exists(self):
-        """Test batch moving with name existing in target (should not be moved)"""
+    def test_post_move_name_exists(self):
+        """Test POST for moving with name existing in target (should not be moved)"""
         target_folder = self.make_folder(
             'target_folder', self.project, None, self.user, ''
         )
@@ -1587,25 +1366,15 @@ def test_moving_name_exists(self):
         post_data[
             'batch_item_HyperLink_{}'.format(self.hyperlink.sodar_uuid)
         ] = 1
-
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'filesfolders:batch_edit',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-                post_data,
-            )
+            response = self.client.post(self.url, post_data)
 
         self.assertEqual(response.status_code, 302)
+        # Not moved
+        self.assertEqual(File.objects.get(pk=self.file.pk).folder, None)
         self.assertEqual(
-            File.objects.get(pk=self.file.pk).folder, None
-        )  # Not moved
-        self.assertEqual(
-            Folder.objects.get(pk=self.folder.pk).folder.pk,
-            target_folder.pk,
+            Folder.objects.get(pk=self.folder.pk).folder, target_folder
         )
         self.assertEqual(
-            HyperLink.objects.get(pk=self.hyperlink.pk).folder.pk,
-            target_folder.pk,
+            HyperLink.objects.get(pk=self.hyperlink.pk).folder, target_folder
         )
diff --git a/filesfolders/tests/test_views_api.py b/filesfolders/tests/test_views_api.py
index b07a2838..717146a7 100644
--- a/filesfolders/tests/test_views_api.py
+++ b/filesfolders/tests/test_views_api.py
@@ -9,14 +9,17 @@
 # Projectroles dependency
 from projectroles.models import SODAR_CONSTANTS
 from projectroles.tests.test_views_api import SODARAPIViewTestMixin
-from projectroles.views_api import (
-    CORE_API_MEDIA_TYPE,
-    CORE_API_DEFAULT_VERSION,
-    INVALID_PROJECT_TYPE_MSG,
-)
+from projectroles.views_api import INVALID_PROJECT_TYPE_MSG
 
-from filesfolders.tests.test_views import ZIP_PATH_NO_FILES, TestViewsBaseMixin
+from filesfolders.tests.test_views import (
+    ZIP_PATH_NO_FILES,
+    FilesfoldersViewTestMixin,
+)
 from filesfolders.models import Folder, File, HyperLink
+from filesfolders.views_api import (
+    FILESFOLDERS_API_MEDIA_TYPE,
+    FILESFOLDERS_API_DEFAULT_VERSION,
+)
 
 
 # SODAR constants
@@ -26,13 +29,13 @@
 INVALID_UUID = '11111111-1111-1111-1111-111111111111'
 
 
-class TestFilesfoldersAPIViewsBase(
-    TestViewsBaseMixin, SODARAPIViewTestMixin, APITestCase
+class FilesfoldersAPIViewTestBase(
+    FilesfoldersViewTestMixin, SODARAPIViewTestMixin, APITestCase
 ):
     """Base class for filesfolders API tests"""
 
-    media_type = CORE_API_MEDIA_TYPE
-    api_version = CORE_API_DEFAULT_VERSION
+    media_type = FILESFOLDERS_API_MEDIA_TYPE
+    api_version = FILESFOLDERS_API_DEFAULT_VERSION
 
     def setUp(self):
         super().setUp()
@@ -40,8 +43,8 @@ def setUp(self):
         self.knox_token = self.get_token(self.user)
 
 
-class TestFolderListCreateAPIView(TestFilesfoldersAPIViewsBase):
-    """Tests for the FolderListCreateAPIView class"""
+class TestFolderListCreateAPIView(FilesfoldersAPIViewTestBase):
+    """Tests for FolderListCreateAPIView"""
 
     def setUp(self):
         super().setUp()
@@ -50,49 +53,63 @@ def setUp(self):
             'flag': 'IMPORTANT',
             'description': 'Folder\'s description',
         }
-
-    def test_list_superuser(self):
-        """Test GET request listing folders"""
-        response = self.request_knox(
-            reverse(
-                'filesfolders:api_folder_list_create',
-                kwargs={'project': self.project.sodar_uuid},
-            )
+        self.url = reverse(
+            'filesfolders:api_folder_list_create',
+            kwargs={'project': self.project.sodar_uuid},
         )
+
+    def test_get_list(self):
+        """Test FolderListCreateAPIView GET to list folders"""
+        response = self.request_knox(self.url)
+        self.assertEqual(response.status_code, 200, msg=response.data)
+        expected = {
+            'name': self.folder.name,
+            'folder': None,
+            'owner': self.get_serialized_user(self.folder.owner),
+            'project': str(self.folder.project.sodar_uuid),
+            'flag': self.folder.flag,
+            'description': self.folder.description,
+            'date_modified': self.get_drf_datetime(self.folder.date_modified),
+            'sodar_uuid': str(self.folder.sodar_uuid),
+        }
+        self.assertEqual(json.loads(response.content), [expected])
+
+    def test_get_pagination(self):
+        """Test GET with pagination"""
+        url = self.url + '?page=1'
+        response = self.request_knox(url)
         self.assertEqual(response.status_code, 200, msg=response.data)
-        expected = [
-            {
-                'name': self.folder.name,
-                'folder': None,
-                'owner': self.get_serialized_user(self.folder.owner),
-                'project': str(self.folder.project.sodar_uuid),
-                'flag': self.folder.flag,
-                'description': self.folder.description,
-                'date_modified': self.get_drf_datetime(
-                    self.folder.date_modified
-                ),
-                'sodar_uuid': str(self.folder.sodar_uuid),
-            }
-        ]
+        expected = {
+            'count': 1,
+            'next': None,
+            'previous': None,
+            'results': [
+                {
+                    'name': self.folder.name,
+                    'folder': None,
+                    'owner': self.get_serialized_user(self.folder.owner),
+                    'project': str(self.folder.project.sodar_uuid),
+                    'flag': self.folder.flag,
+                    'description': self.folder.description,
+                    'date_modified': self.get_drf_datetime(
+                        self.folder.date_modified
+                    ),
+                    'sodar_uuid': str(self.folder.sodar_uuid),
+                }
+            ],
+        }
         self.assertEqual(json.loads(response.content), expected)
 
-    def test_create_in_root(self):
-        """Test creation of new folder in root"""
+    def test_post_create_root(self):
+        """Test POST to create folder in root"""
         response = self.request_knox(
-            reverse(
-                'filesfolders:api_folder_list_create',
-                kwargs={'project': self.project.sodar_uuid},
-            ),
-            method='POST',
-            data=self.folder_data,
+            self.url, method='POST', data=self.folder_data
         )
-
         self.assertEqual(response.status_code, 201, msg=response.data)
         new_folder = Folder.objects.filter(
             sodar_uuid=response.data['sodar_uuid']
         ).first()
         self.assertIsNotNone(new_folder)
-
         expected = {
             **self.folder_data,
             'folder': None,
@@ -103,27 +120,18 @@ def test_create_in_root(self):
         }
         self.assertEqual(json.loads(response.content), expected)
 
-    def test_create_in_folder(self):
-        """Test creation of new folder below other"""
+    def test_post_create_folder(self):
+        """Test POST to create folder under folder"""
         folder_data = {
             **self.folder_data,
             'folder': str(self.folder.sodar_uuid),
         }
-        response = self.request_knox(
-            reverse(
-                'filesfolders:api_folder_list_create',
-                kwargs={'project': self.project.sodar_uuid},
-            ),
-            method='POST',
-            data=folder_data,
-        )
-
+        response = self.request_knox(self.url, method='POST', data=folder_data)
         self.assertEqual(response.status_code, 201, msg=response.data)
         new_folder = Folder.objects.filter(
             sodar_uuid=response.data['sodar_uuid']
         ).first()
         self.assertIsNotNone(new_folder)
-
         expected = {
             **folder_data,
             'owner': self.get_serialized_user(self.user),
@@ -133,8 +141,8 @@ def test_create_in_folder(self):
         }
         self.assertEqual(json.loads(response.content), expected)
 
-    def test_create_in_category(self):
-        """Test creation of new folder in a category (should fail)"""
+    def test_post_create_category(self):
+        """Test POST to create folder in category (should fail)"""
         category = self.make_project(
             'TestCategory', PROJECT_TYPE_CATEGORY, None
         )
@@ -154,17 +162,19 @@ def test_create_in_category(self):
         )
 
 
-class TestFolderRetrieveUpdateDestroyAPIView(TestFilesfoldersAPIViewsBase):
-    """Tests for the FolderRetrieveUpdateDestroyAPIView class"""
+class TestFolderRetrieveUpdateDestroyAPIView(FilesfoldersAPIViewTestBase):
+    """Tests for FolderRetrieveUpdateDestroyAPIView"""
 
-    def test_retrieve(self):
-        """Test retrieval of Folder model through API"""
-        response = self.request_knox(
-            reverse(
-                'filesfolders:api_folder_retrieve_update_destroy',
-                kwargs={'folder': self.folder.sodar_uuid},
-            )
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            'filesfolders:api_folder_retrieve_update_destroy',
+            kwargs={'folder': self.folder.sodar_uuid},
         )
+
+    def test_get_retrieve(self):
+        """Test FolderRetrieveUpdateDestroyAPIView GET to retrieve folder"""
+        response = self.request_knox(self.url)
         self.assertEqual(response.status_code, 200, msg=response.data)
         expected = {
             'name': self.folder.name,
@@ -178,8 +188,8 @@ def test_retrieve(self):
         }
         self.assertEqual(json.loads(response.content), expected)
 
-    def test_retrieve_not_found(self):
-        """Test retrieval of Folder with invalid UUID"""
+    def test_get_invalid_uuid(self):
+        """Test GET with invalid UUID"""
         response = self.request_knox(
             reverse(
                 'filesfolders:api_folder_retrieve_update_destroy',
@@ -188,21 +198,14 @@ def test_retrieve_not_found(self):
         )
         self.assertEqual(response.status_code, 404)
 
-    def test_update(self):
-        """Test update of Folder model through API"""
+    def test_put_update(self):
+        """Test PUT to update folder"""
         folder_data = {
             'name': 'UPDATED Folder',
             'flag': 'FLAG',
             'description': 'UPDATED Description',
         }
-        response = self.request_knox(
-            reverse(
-                'filesfolders:api_folder_retrieve_update_destroy',
-                kwargs={'folder': self.folder.sodar_uuid},
-            ),
-            method='PUT',
-            data=folder_data,
-        )
+        response = self.request_knox(self.url, method='PUT', data=folder_data)
         self.assertEqual(response.status_code, 200, msg=response.data)
         self.folder.refresh_from_db()
         expected = {
@@ -215,15 +218,9 @@ def test_update(self):
         }
         self.assertEqual(json.loads(response.content), expected)
 
-    def test_destroy(self):
-        """Test destruction of Folder model through API"""
-        response = self.request_knox(
-            reverse(
-                'filesfolders:api_folder_retrieve_update_destroy',
-                kwargs={'folder': self.folder.sodar_uuid},
-            ),
-            method='DELETE',
-        )
+    def test_delete(self):
+        """Test DELETE to remove folder"""
+        response = self.request_knox(self.url, method='DELETE')
         self.assertEqual(response.status_code, 204, msg=response.data)
         self.assertIsNone(response.data)
         with self.assertRaises(Folder.DoesNotExist):
@@ -232,8 +229,8 @@ def test_destroy(self):
             )
 
 
-class TestFileListCreateAPIView(TestFilesfoldersAPIViewsBase):
-    """Tests for the FileListCreateAPIView class"""
+class TestFileListCreateAPIView(FilesfoldersAPIViewTestBase):
+    """Tests for FileListCreateAPIView"""
 
     def setUp(self):
         super().setUp()
@@ -245,55 +242,72 @@ def setUp(self):
             'public_url': True,
             'file': open(ZIP_PATH_NO_FILES, 'rb'),
         }
+        self.url = reverse(
+            'filesfolders:api_file_list_create',
+            kwargs={'project': self.project.sodar_uuid},
+        )
 
     def tearDown(self):
         self.file_data['file'].close()
         super().tearDown()
 
-    def test_list_superuser(self):
-        """Test GET request listing files"""
-        response = self.request_knox(
-            reverse(
-                'filesfolders:api_file_list_create',
-                kwargs={'project': self.project.sodar_uuid},
-            )
-        )
+    def test_get_list(self):
+        """Test FileListCreateAPIView GET to list files"""
+        response = self.request_knox(self.url)
+        self.assertEqual(response.status_code, 200, msg=response.data)
+        expected = {
+            'name': self.file.name,
+            'folder': None,
+            'owner': self.get_serialized_user(self.file.owner),
+            'project': str(self.file.project.sodar_uuid),
+            'flag': self.file.flag,
+            'description': self.file.description,
+            'secret': self.file.secret,
+            'public_url': self.file.public_url,
+            'date_modified': self.get_drf_datetime(self.file.date_modified),
+            'sodar_uuid': str(self.file.sodar_uuid),
+        }
+        self.assertEqual(json.loads(response.content), [expected])
+
+    def test_get_pagination(self):
+        """Test GET with pagination"""
+        url = self.url + '?page=1'
+        response = self.request_knox(url)
         self.assertEqual(response.status_code, 200, msg=response.data)
-        expected = [
-            {
-                'name': self.file.name,
-                'folder': None,
-                'owner': self.get_serialized_user(self.file.owner),
-                'project': str(self.file.project.sodar_uuid),
-                'flag': self.file.flag,
-                'description': self.file.description,
-                'secret': self.file.secret,
-                'public_url': self.file.public_url,
-                'date_modified': self.get_drf_datetime(self.file.date_modified),
-                'sodar_uuid': str(self.file.sodar_uuid),
-            }
-        ]
+        expected = {
+            'count': 1,
+            'next': None,
+            'previous': None,
+            'results': [
+                {
+                    'name': self.file.name,
+                    'folder': None,
+                    'owner': self.get_serialized_user(self.file.owner),
+                    'project': str(self.file.project.sodar_uuid),
+                    'flag': self.file.flag,
+                    'description': self.file.description,
+                    'secret': self.file.secret,
+                    'public_url': self.file.public_url,
+                    'date_modified': self.get_drf_datetime(
+                        self.file.date_modified
+                    ),
+                    'sodar_uuid': str(self.file.sodar_uuid),
+                }
+            ],
+        }
         self.assertEqual(json.loads(response.content), expected)
 
-    def test_create_in_root(self):
-        """Test creation of new file in root"""
+    def test_post_create_root(self):
+        """Test POST to create file in root"""
         response = self.request_knox(
-            reverse(
-                'filesfolders:api_file_list_create',
-                kwargs={'project': self.project.sodar_uuid},
-            ),
-            method='POST',
-            format='multipart',
-            data=self.file_data,
+            self.url, method='POST', format='multipart', data=self.file_data
         )
-
         self.assertEqual(response.status_code, 201, msg=response.data)
         new_file = File.objects.filter(
             sodar_uuid=response.data['sodar_uuid']
         ).first()
         self.assertIsNotNone(new_file)
         self.assertNotEqual(new_file.file.file.size, 0)
-
         expected = {
             **self.file_data,
             'folder': None,
@@ -307,17 +321,11 @@ def test_create_in_root(self):
         expected.pop('file')
         self.assertEqual(json.loads(response.content), expected)
 
-    def test_create_in_folder(self):
-        """Test creation of a file inside a folder"""
+    def test_post_create_folder(self):
+        """Test POST to create file under folder"""
         file_data = {**self.file_data, 'folder': str(self.folder.sodar_uuid)}
         response = self.request_knox(
-            reverse(
-                'filesfolders:api_file_list_create',
-                kwargs={'project': self.project.sodar_uuid},
-            ),
-            method='POST',
-            format='multipart',
-            data=file_data,
+            self.url, method='POST', format='multipart', data=file_data
         )
         self.assertEqual(response.status_code, 201, msg=response.data)
         new_file = File.objects.filter(
@@ -337,8 +345,8 @@ def test_create_in_folder(self):
         expected.pop('file')
         self.assertEqual(json.loads(response.content), expected)
 
-    def test_create_in_category(self):
-        """Test creation of new file in a category (should fail)"""
+    def test_post_create_category(self):
+        """Test POST to create file in category (should fail)"""
         category = self.make_project(
             'TestCategory', PROJECT_TYPE_CATEGORY, None
         )
@@ -359,8 +367,8 @@ def test_create_in_category(self):
         )
 
 
-class TestFileRetrieveUpdateDestroyAPIView(TestFilesfoldersAPIViewsBase):
-    """Tests for the FileRetrieveUpdateDestroyAPIView class"""
+class TestFileRetrieveUpdateDestroyAPIView(FilesfoldersAPIViewTestBase):
+    """Tests for FileRetrieveUpdateDestroyAPIView"""
 
     def setUp(self):
         super().setUp()
@@ -372,19 +380,18 @@ def setUp(self):
             'public_url': False,
             'file': open(ZIP_PATH_NO_FILES, 'rb'),
         }
+        self.url = reverse(
+            'filesfolders:api_file_retrieve_update_destroy',
+            kwargs={'file': self.file.sodar_uuid},
+        )
 
     def tearDown(self):
         self.file_data['file'].close()
         super().tearDown()
 
-    def test_retrieve(self):
-        """Test retrieval of File model through API"""
-        response = self.request_knox(
-            reverse(
-                'filesfolders:api_file_retrieve_update_destroy',
-                kwargs={'file': self.file.sodar_uuid},
-            )
-        )
+    def test_get_retrieve(self):
+        """Test FileRetrieveUpdateDestroyAPIView GET to retrieve file"""
+        response = self.request_knox(self.url)
         self.assertEqual(response.status_code, 200, msg=response.data)
         expected = {
             'name': self.file.name,
@@ -400,8 +407,8 @@ def test_retrieve(self):
         }
         self.assertEqual(json.loads(response.content), expected)
 
-    def test_retrieve_not_found(self):
-        """Test retrieval of File with invalid UUID"""
+    def test_get_invalid_uuid(self):
+        """Test GET with invalid UUID"""
         response = self.request_knox(
             reverse(
                 'filesfolders:api_file_retrieve_update_destroy',
@@ -410,18 +417,11 @@ def test_retrieve_not_found(self):
         )
         self.assertEqual(response.status_code, 404)
 
-    def test_update(self):
-        """Test update of File model through API"""
+    def test_put_update(self):
+        """Test PUT to update file"""
         response = self.request_knox(
-            reverse(
-                'filesfolders:api_file_retrieve_update_destroy',
-                kwargs={'file': self.file.sodar_uuid},
-            ),
-            method='PUT',
-            format='multipart',
-            data=self.file_data,
+            self.url, method='PUT', format='multipart', data=self.file_data
         )
-
         self.assertEqual(response.status_code, 200, msg=response.data)
         old_secret = self.file.secret
         self.file.refresh_from_db()
@@ -433,7 +433,6 @@ def test_update(self):
             old_secret,
             msg='Secret should change when public_url flag changes',
         )
-
         expected = {
             **self.file_data,
             'folder': None,
@@ -447,15 +446,9 @@ def test_update(self):
         expected.pop('file')
         self.assertEqual(json.loads(response.content), expected)
 
-    def test_destroy(self):
-        """Test destruction of File model through API"""
-        response = self.request_knox(
-            reverse(
-                'filesfolders:api_file_retrieve_update_destroy',
-                kwargs={'file': self.file.sodar_uuid},
-            ),
-            method='DELETE',
-        )
+    def test_delete(self):
+        """Test DELETE"""
+        response = self.request_knox(self.url, method='DELETE')
         self.assertEqual(response.status_code, 204, msg=response.data)
         self.assertIsNone(response.data)
         with self.assertRaises(File.DoesNotExist):
@@ -464,11 +457,11 @@ def test_destroy(self):
             )
 
 
-class TestFileServeAPIView(TestFilesfoldersAPIViewsBase):
-    """Tests for the FileServeAPIView class"""
+class TestFileServeAPIView(FilesfoldersAPIViewTestBase):
+    """Tests for FileServeAPIView"""
 
     def test_get(self):
-        """Test download of file content"""
+        """Test FileServeAPIView GET to download file"""
         response = self.request_knox(
             reverse(
                 'filesfolders:api_file_serve',
@@ -480,7 +473,7 @@ def test_get(self):
         self.assertEqual(response.content, expected)
 
     def test_get_not_found(self):
-        """Test download with invalid UUID"""
+        """Test GET with invalid UUID"""
         response = self.request_knox(
             reverse(
                 'filesfolders:api_file_serve',
@@ -490,8 +483,8 @@ def test_get_not_found(self):
         self.assertEqual(response.status_code, 404)
 
 
-class TestHyperLinkListCreateAPIView(TestFilesfoldersAPIViewsBase):
-    """Tests for the HyperLinkListCreateAPIView class"""
+class TestHyperLinkListCreateAPIView(FilesfoldersAPIViewTestBase):
+    """Tests for HyperLinkListCreateAPIView"""
 
     def setUp(self):
         super().setUp()
@@ -501,50 +494,67 @@ def setUp(self):
             'description': 'HyperLink\'s description',
             'url': 'http://www.cubi.bihealth.org',
         }
-
-    def test_list_superuser(self):
-        """Test GET request listing hyperlinks"""
-        response = self.request_knox(
-            reverse(
-                'filesfolders:api_hyperlink_list_create',
-                kwargs={'project': self.project.sodar_uuid},
-            )
+        self.url = reverse(
+            'filesfolders:api_hyperlink_list_create',
+            kwargs={'project': self.project.sodar_uuid},
         )
+
+    def test_get_list(self):
+        """Test HyperLinkListCreateAPIView GET to list hyperlinks"""
+        response = self.request_knox(self.url)
+        self.assertEqual(response.status_code, 200, msg=response.data)
+        expected = {
+            'name': self.hyperlink.name,
+            'folder': None,
+            'owner': self.get_serialized_user(self.hyperlink.owner),
+            'project': str(self.hyperlink.project.sodar_uuid),
+            'flag': self.hyperlink.flag,
+            'description': self.hyperlink.description,
+            'url': self.hyperlink.url,
+            'date_modified': self.get_drf_datetime(
+                self.hyperlink.date_modified
+            ),
+            'sodar_uuid': str(self.hyperlink.sodar_uuid),
+        }
+        self.assertEqual(json.loads(response.content), [expected])
+
+    def test_get_pagination(self):
+        """Test GET with pagination"""
+        url = self.url + '?page=1'
+        response = self.request_knox(url)
         self.assertEqual(response.status_code, 200, msg=response.data)
-        expected = [
-            {
-                'name': self.hyperlink.name,
-                'folder': None,
-                'owner': self.get_serialized_user(self.hyperlink.owner),
-                'project': str(self.hyperlink.project.sodar_uuid),
-                'flag': self.hyperlink.flag,
-                'description': self.hyperlink.description,
-                'url': self.hyperlink.url,
-                'date_modified': self.get_drf_datetime(
-                    self.hyperlink.date_modified
-                ),
-                'sodar_uuid': str(self.hyperlink.sodar_uuid),
-            }
-        ]
+        expected = {
+            'count': 1,
+            'next': None,
+            'previous': None,
+            'results': [
+                {
+                    'name': self.hyperlink.name,
+                    'folder': None,
+                    'owner': self.get_serialized_user(self.hyperlink.owner),
+                    'project': str(self.hyperlink.project.sodar_uuid),
+                    'flag': self.hyperlink.flag,
+                    'description': self.hyperlink.description,
+                    'url': self.hyperlink.url,
+                    'date_modified': self.get_drf_datetime(
+                        self.hyperlink.date_modified
+                    ),
+                    'sodar_uuid': str(self.hyperlink.sodar_uuid),
+                }
+            ],
+        }
         self.assertEqual(json.loads(response.content), expected)
 
-    def test_create_in_root(self):
-        """Test creation of new hyperlink in root"""
+    def test_post_root(self):
+        """Test POST to create hyperlink in root"""
         response = self.request_knox(
-            reverse(
-                'filesfolders:api_hyperlink_list_create',
-                kwargs={'project': self.project.sodar_uuid},
-            ),
-            method='POST',
-            data=self.hyperlink_data,
+            self.url, method='POST', data=self.hyperlink_data
         )
-
         self.assertEqual(response.status_code, 201, msg=response.data)
         new_link = HyperLink.objects.filter(
             sodar_uuid=response.data['sodar_uuid']
         ).first()
         self.assertIsNotNone(new_link)
-
         expected = {
             **self.hyperlink_data,
             'folder': None,
@@ -555,19 +565,14 @@ def test_create_in_root(self):
         }
         self.assertEqual(json.loads(response.content), expected)
 
-    def test_create_in_folder(self):
-        """Test creation of new hyperlink below another"""
+    def test_post_folder(self):
+        """Test POST to create hyperlink under folder"""
         hyperlink_data = {
             **self.hyperlink_data,
             'folder': str(self.folder.sodar_uuid),
         }
         response = self.request_knox(
-            reverse(
-                'filesfolders:api_hyperlink_list_create',
-                kwargs={'project': self.project.sodar_uuid},
-            ),
-            method='POST',
-            data=hyperlink_data,
+            self.url, method='POST', data=hyperlink_data
         )
         self.assertEqual(response.status_code, 201, msg=response.data)
         new_link = HyperLink.objects.filter(
@@ -583,8 +588,8 @@ def test_create_in_folder(self):
         }
         self.assertEqual(json.loads(response.content), expected)
 
-    def test_create_in_category(self):
-        """Test creation of new hyperlink in a category (should fail)"""
+    def test_post_category(self):
+        """Test POST to create hyperlink in category (should fail)"""
         category = self.make_project(
             'TestCategory', PROJECT_TYPE_CATEGORY, None
         )
@@ -604,17 +609,19 @@ def test_create_in_category(self):
         )
 
 
-class TestHyperLinkRetrieveUpdateDestroyAPIView(TestFilesfoldersAPIViewsBase):
-    """Tests for the HyperLinkRetrieveUpdateDestroyAPIView class"""
+class TestHyperLinkRetrieveUpdateDestroyAPIView(FilesfoldersAPIViewTestBase):
+    """Tests for HyperLinkRetrieveUpdateDestroyAPIView"""
 
-    def test_retrieve(self):
-        """Test retrieval of HyperLink model through API"""
-        response = self.request_knox(
-            reverse(
-                'filesfolders:api_hyperlink_retrieve_update_destroy',
-                kwargs={'hyperlink': self.hyperlink.sodar_uuid},
-            )
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            'filesfolders:api_hyperlink_retrieve_update_destroy',
+            kwargs={'hyperlink': self.hyperlink.sodar_uuid},
         )
+
+    def test_get_retrieve(self):
+        """Test HyperLinkRetrieveUpdateDestroyAPIView to retrieve hyperlink"""
+        response = self.request_knox(self.url)
         self.assertEqual(response.status_code, 200, msg=response.data)
         expected = {
             'name': self.hyperlink.name,
@@ -631,8 +638,8 @@ def test_retrieve(self):
         }
         self.assertEqual(json.loads(response.content), expected)
 
-    def test_retrieve_not_found(self):
-        """Test retrieval of HyperLink with invalid UUID"""
+    def test_get_invalid_uuid(self):
+        """Test GET with invalid UUID"""
         response = self.request_knox(
             reverse(
                 'filesfolders:api_hyperlink_retrieve_update_destroy',
@@ -641,8 +648,8 @@ def test_retrieve_not_found(self):
         )
         self.assertEqual(response.status_code, 404)
 
-    def test_update(self):
-        """Test update of HyperLink model through API"""
+    def test_put_update(self):
+        """Test PUT to update hyperlink"""
         hyperlink_data = {
             'name': 'UPDATED HyperLink',
             'flag': 'FLAG',
@@ -650,12 +657,7 @@ def test_update(self):
             'url': 'http://www.bihealth.org',
         }
         response = self.request_knox(
-            reverse(
-                'filesfolders:api_hyperlink_retrieve_update_destroy',
-                kwargs={'hyperlink': self.hyperlink.sodar_uuid},
-            ),
-            method='PUT',
-            data=hyperlink_data,
+            self.url, method='PUT', data=hyperlink_data
         )
         self.assertEqual(response.status_code, 200, msg=response.data)
         self.hyperlink.refresh_from_db()
@@ -676,14 +678,8 @@ def test_update(self):
         }
         self.assertEqual(json.loads(response.content), expected)
 
-    def test_destroy(self):
-        """Test destruction of HyperLink model through API"""
-        response = self.request_knox(
-            reverse(
-                'filesfolders:api_hyperlink_retrieve_update_destroy',
-                kwargs={'hyperlink': self.hyperlink.sodar_uuid},
-            ),
-            method='DELETE',
-        )
+    def test_delete(self):
+        """Test DELETE"""
+        response = self.request_knox(self.url, method='DELETE')
         self.assertEqual(response.status_code, 204, msg=response.data)
         self.assertIsNone(response.data)
diff --git a/filesfolders/views.py b/filesfolders/views.py
index 55e6bea2..e894e9a0 100644
--- a/filesfolders/views.py
+++ b/filesfolders/views.py
@@ -132,7 +132,7 @@ def add_item_modify_event(
             event_name='{}_{}'.format(obj_type, view_action),
             description=tl_desc,
             extra_data=extra_data,
-            status_type='OK',
+            status_type=timeline.TL_STATUS_OK,
         )
         tl_event.add_object(
             obj=obj,
@@ -207,14 +207,16 @@ def get_success_url(self):
                 user=self.request.user,
                 event_name='{}_delete'.format(obj_type),
                 description='delete {} {{{}}}'.format(obj_type, obj_type),
-                status_type='OK',
+                status_type=timeline.TL_STATUS_OK,
             )
             tl_event.add_object(
                 obj=self.object,
                 label=obj_type,
-                name=self.object.get_path()
-                if isinstance(self.object, Folder)
-                else self.object.name,
+                name=(
+                    self.object.get_path()
+                    if isinstance(self.object, Folder)
+                    else self.object.name
+                ),
             )
 
         messages.success(
@@ -281,7 +283,7 @@ def get(self, *args, **kwargs):
                     event_name='file_serve',
                     description='serve file {file}',
                     classified=True,
-                    status_type='INFO',
+                    status_type=timeline.TL_STATUS_INFO,
                 )
                 tl_event.add_object(file, 'file', file.name)
         return response
@@ -546,7 +548,7 @@ def form_valid(self, form):
                     'new_folders': [f.name for f in new_folders],
                     'new_files': [f.name for f in new_files],
                 },
-                status_type='OK',
+                status_type=timeline.TL_STATUS_OK,
             )
 
         messages.success(
@@ -843,15 +845,23 @@ def _finalize_edit(self, edit_count, target_folder, **kwargs):
                     self.batch_action,
                     edit_count,
                     edit_suffix,
-                    '({} failed)'.format(len(self.failed))
-                    if len(self.failed) > 0
-                    else '',
-                    'to {target_folder}'
-                    if self.batch_action == 'move' and target_folder
-                    else '',
+                    (
+                        '({} failed)'.format(len(self.failed))
+                        if len(self.failed) > 0
+                        else ''
+                    ),
+                    (
+                        'to {target_folder}'
+                        if self.batch_action == 'move' and target_folder
+                        else ''
+                    ),
                 ),
                 extra_data=extra_data,
-                status_type='OK' if edit_count > 0 else 'FAILED',
+                status_type=(
+                    timeline.TL_STATUS_OK
+                    if edit_count > 0
+                    else timeline.TL_STATUS_FAILED
+                ),
             )
             if self.batch_action == 'move' and target_folder:
                 tl_event.add_object(
diff --git a/filesfolders/views_api.py b/filesfolders/views_api.py
index bfc75175..4be42c01 100644
--- a/filesfolders/views_api.py
+++ b/filesfolders/views_api.py
@@ -5,11 +5,17 @@
     RetrieveUpdateDestroyAPIView,
     GenericAPIView,
 )
+from rest_framework.renderers import JSONRenderer
+from rest_framework.schemas.openapi import AutoSchema
+from rest_framework.versioning import AcceptHeaderVersioning
 
 # Projectroles dependency
 from projectroles.models import SODAR_CONSTANTS
 from projectroles.plugins import get_backend_api
-from projectroles.views_api import CoreAPIGenericProjectMixin
+from projectroles.views_api import (
+    CoreAPIGenericProjectMixin,
+    SODARPageNumberPagination,
+)
 
 from filesfolders.models import Folder
 from filesfolders.serializers import (
@@ -28,10 +34,34 @@
 # SODAR constants
 PROJECT_TYPE_PROJECT = SODAR_CONSTANTS['PROJECT_TYPE_PROJECT']
 
+# Local constants
+FILESFOLDERS_API_MEDIA_TYPE = (
+    'application/vnd.bihealth.sodar-core.filesfolders+json'
+)
+FILESFOLDERS_API_DEFAULT_VERSION = '1.0'
+FILESFOLDERS_API_ALLOWED_VERSIONS = ['1.0']
+
 
 # Base Classes and Mixins ------------------------------------------------------
 
 
+class FilesfoldersAPIVersioningMixin:
+    """
+    Filesfolders API view versioning mixin for overriding media type and
+    accepted versions.
+    """
+
+    class FilesfoldersAPIRenderer(JSONRenderer):
+        media_type = FILESFOLDERS_API_MEDIA_TYPE
+
+    class FilesfoldersAPIVersioning(AcceptHeaderVersioning):
+        allowed_versions = FILESFOLDERS_API_ALLOWED_VERSIONS
+        default_version = FILESFOLDERS_API_DEFAULT_VERSION
+
+    renderer_classes = [FilesfoldersAPIRenderer]
+    versioning_class = FilesfoldersAPIVersioning
+
+
 class ListCreateAPITimelineMixin(FilesfoldersTimelineMixin):
     """
     Mixin that ties ListCreateAPIView:s to the SODAR timeline for filesfolders.
@@ -92,14 +122,16 @@ def perform_destroy(self, instance):
                 user=self.request.user,
                 event_name='{}_delete'.format(obj_type),
                 description='delete {} {{{}}}'.format(obj_type, obj_type),
-                status_type='OK',
+                status_type=timeline.TL_STATUS_OK,
             )
             tl_event.add_object(
                 obj=instance,
                 label=obj_type,
-                name=instance.get_path()
-                if isinstance(instance, Folder)
-                else instance.name,
+                name=(
+                    instance.get_path()
+                    if isinstance(instance, Folder)
+                    else instance.name
+                ),
             )
 
 
@@ -136,16 +168,25 @@ def get_permission_required(self):
 class FolderListCreateAPIView(
     ListCreateAPITimelineMixin,
     ListCreatePermissionMixin,
+    FilesfoldersAPIVersioningMixin,
     CoreAPIGenericProjectMixin,
     ListCreateAPIView,
 ):
     """
     List folders or create a folder.
 
+    Supports optional pagination for listing by providing the ``page`` query
+    string. This will return results in the Django Rest Framework
+    ``PageNumberPagination`` format.
+
     **URL:** ``/files/api/folder/list-create/{Project.sodar_uuid}``
 
     **Methods:** ``GET``, ``POST``
 
+    **Parameters for GET:**
+
+    - ``page``: Page number for paginated results (int, optional)
+
     **Parameters for POST:**
 
     - ``name``: Folder name (string)
@@ -155,13 +196,16 @@ class FolderListCreateAPIView(
     - ``description``: Folder description (string, optional)
     """
 
+    pagination_class = SODARPageNumberPagination
     project_type = PROJECT_TYPE_PROJECT
+    schema = AutoSchema(operation_id_base='ListCreateFolder')
     serializer_class = FolderSerializer
 
 
 class FolderRetrieveUpdateDestroyAPIView(
     RetrieveUpdateDestroyAPITimelineMixin,
     RetrieveUpdateDestroyPermissionMixin,
+    FilesfoldersAPIVersioningMixin,
     CoreAPIGenericProjectMixin,
     RetrieveUpdateDestroyAPIView,
 ):
@@ -184,12 +228,14 @@ class FolderRetrieveUpdateDestroyAPIView(
     lookup_field = 'sodar_uuid'
     lookup_url_kwarg = 'folder'
     project_type = PROJECT_TYPE_PROJECT
+    schema = AutoSchema(operation_id_base='UpdateDestroyFolder')
     serializer_class = FolderSerializer
 
 
 class FileListCreateAPIView(
     ListCreateAPITimelineMixin,
     ListCreatePermissionMixin,
+    FilesfoldersAPIVersioningMixin,
     CoreAPIGenericProjectMixin,
     ListCreateAPIView,
 ):
@@ -197,10 +243,18 @@ class FileListCreateAPIView(
     List files or upload a file. For uploads, the request must be made in the
     ``multipart`` format.
 
+    Supports optional pagination for listing by providing the ``page`` query
+    string. This will return results in the Django Rest Framework
+    ``PageNumberPagination`` format.
+
     **URL:** ``/files/api/file/list-create/{Project.sodar_uuid}``
 
     **Methods:** ``GET``, ``POST``
 
+    **Parameters for GET:**
+
+    - ``page``: Page number for paginated results (int, optional)
+
     **Parameters for POST:**
 
     - ``name``: Folder name (string)
@@ -212,13 +266,16 @@ class FileListCreateAPIView(
     - ``file``: File to be uploaded
     """
 
+    pagination_class = SODARPageNumberPagination
     project_type = PROJECT_TYPE_PROJECT
+    schema = AutoSchema(operation_id_base='ListCreateFile')
     serializer_class = FileSerializer
 
 
 class FileRetrieveUpdateDestroyAPIView(
     RetrieveUpdateDestroyAPITimelineMixin,
     RetrieveUpdateDestroyPermissionMixin,
+    FilesfoldersAPIVersioningMixin,
     CoreAPIGenericProjectMixin,
     RetrieveUpdateDestroyAPIView,
 ):
@@ -243,11 +300,15 @@ class FileRetrieveUpdateDestroyAPIView(
     lookup_field = 'sodar_uuid'
     lookup_url_kwarg = 'file'
     project_type = PROJECT_TYPE_PROJECT
+    schema = AutoSchema(operation_id_base='UpdateDestroyFile')
     serializer_class = FileSerializer
 
 
 class FileServeAPIView(
-    CoreAPIGenericProjectMixin, FileServeMixin, GenericAPIView
+    FilesfoldersAPIVersioningMixin,
+    CoreAPIGenericProjectMixin,
+    FileServeMixin,
+    GenericAPIView,
 ):
     """
     Serve the file content.
@@ -260,21 +321,31 @@ class FileServeAPIView(
     lookup_field = 'sodar_uuid'
     lookup_url_kwarg = 'file'
     permission_required = 'filesfolders.view_data'
+    schema = None
 
 
 class HyperLinkListCreateAPIView(
     ListCreateAPITimelineMixin,
     ListCreatePermissionMixin,
+    FilesfoldersAPIVersioningMixin,
     CoreAPIGenericProjectMixin,
     ListCreateAPIView,
 ):
     """
     List hyperlinks or create a hyperlink.
 
+    Supports optional pagination for listing by providing the ``page`` query
+    string. This will return results in the Django Rest Framework
+    ``PageNumberPagination`` format.
+
     **URL:** ``/files/api/hyperlink/list-create/{Project.sodar_uuid}``
 
     **Methods:** ``GET``, ``POST``
 
+    **Parameters for GET:**
+
+    - ``page``: Page number for paginated results (int, optional)
+
     **Parameters for POST:**
 
     - ``name``: Folder name (string)
@@ -285,13 +356,16 @@ class HyperLinkListCreateAPIView(
     - ``url``: URL for the link (string)
     """
 
+    pagination_class = SODARPageNumberPagination
     project_type = PROJECT_TYPE_PROJECT
+    schema = AutoSchema(operation_id_base='ListCreateHyperLink')
     serializer_class = HyperLinkSerializer
 
 
 class HyperLinkRetrieveUpdateDestroyAPIView(
     RetrieveUpdateDestroyAPITimelineMixin,
     RetrieveUpdateDestroyPermissionMixin,
+    FilesfoldersAPIVersioningMixin,
     CoreAPIGenericProjectMixin,
     RetrieveUpdateDestroyAPIView,
 ):
@@ -315,4 +389,5 @@ class HyperLinkRetrieveUpdateDestroyAPIView(
     lookup_field = 'sodar_uuid'
     lookup_url_kwarg = 'hyperlink'
     project_type = PROJECT_TYPE_PROJECT
+    schema = AutoSchema(operation_id_base='UpdateDestroyHyperLink')
     serializer_class = HyperLinkSerializer
diff --git a/projectroles/_version.py b/projectroles/_version.py
index af370468..d95d9576 100644
--- a/projectroles/_version.py
+++ b/projectroles/_version.py
@@ -5,7 +5,7 @@
 # that just contains the computed version number.
 
 # This file is released into the public domain.
-# Generated by versioneer-0.28
+# Generated by versioneer-0.29
 # https://github.com/python-versioneer/python-versioneer
 
 """Git implementation of _version.py."""
@@ -15,11 +15,11 @@
 import re
 import subprocess
 import sys
-from typing import Callable, Dict
+from typing import Any, Callable, Dict, List, Optional, Tuple
 import functools
 
 
-def get_keywords():
+def get_keywords() -> Dict[str, str]:
     """Get the keywords needed to look up the version information."""
     # these strings will be replaced by git during git-archive.
     # setup.py/versioneer.py will grep for the variable names, so they must
@@ -35,8 +35,15 @@ def get_keywords():
 class VersioneerConfig:
     """Container for Versioneer configuration parameters."""
 
+    VCS: str
+    style: str
+    tag_prefix: str
+    parentdir_prefix: str
+    versionfile_source: str
+    verbose: bool
 
-def get_config():
+
+def get_config() -> VersioneerConfig:
     """Create, populate and return the VersioneerConfig() object."""
     # these strings are filled in when 'setup.py versioneer' creates
     # _version.py
@@ -58,10 +65,10 @@ class NotThisMethod(Exception):
 HANDLERS: Dict[str, Dict[str, Callable]] = {}
 
 
-def register_vcs_handler(vcs, method):  # decorator
+def register_vcs_handler(vcs: str, method: str) -> Callable:  # decorator
     """Create decorator to mark a method as the handler of a VCS."""
 
-    def decorate(f):
+    def decorate(f: Callable) -> Callable:
         """Store f in HANDLERS[vcs][method]."""
         if vcs not in HANDLERS:
             HANDLERS[vcs] = {}
@@ -72,13 +79,18 @@ def decorate(f):
 
 
 def run_command(
-    commands, args, cwd=None, verbose=False, hide_stderr=False, env=None
-):
+    commands: List[str],
+    args: List[str],
+    cwd: Optional[str] = None,
+    verbose: bool = False,
+    hide_stderr: bool = False,
+    env: Optional[Dict[str, str]] = None,
+) -> Tuple[Optional[str], Optional[int]]:
     """Call the given command(s)."""
     assert isinstance(commands, list)
     process = None
 
-    popen_kwargs = {}
+    popen_kwargs: Dict[str, Any] = {}
     if sys.platform == "win32":
         # This hides the console window if pythonw.exe is used
         startupinfo = subprocess.STARTUPINFO()
@@ -98,8 +110,7 @@ def run_command(
                 **popen_kwargs,
             )
             break
-        except OSError:
-            e = sys.exc_info()[1]
+        except OSError as e:
             if e.errno == errno.ENOENT:
                 continue
             if verbose:
@@ -119,7 +130,11 @@ def run_command(
     return stdout, process.returncode
 
 
-def versions_from_parentdir(parentdir_prefix, root, verbose):
+def versions_from_parentdir(
+    parentdir_prefix: str,
+    root: str,
+    verbose: bool,
+) -> Dict[str, Any]:
     """Try to determine the version from the parent directory name.
 
     Source tarballs conventionally unpack into a directory that includes both
@@ -150,13 +165,13 @@ def versions_from_parentdir(parentdir_prefix, root, verbose):
 
 
 @register_vcs_handler("git", "get_keywords")
-def git_get_keywords(versionfile_abs):
+def git_get_keywords(versionfile_abs: str) -> Dict[str, str]:
     """Extract version information from the given file."""
     # the code embedded in _version.py can just fetch the value of these
     # keywords. When used from setup.py, we don't want to import _version.py,
     # so we do it with a regexp instead. This function is not used from
     # _version.py.
-    keywords = {}
+    keywords: Dict[str, str] = {}
     try:
         with open(versionfile_abs, "r") as fobj:
             for line in fobj:
@@ -178,7 +193,11 @@ def git_get_keywords(versionfile_abs):
 
 
 @register_vcs_handler("git", "keywords")
-def git_versions_from_keywords(keywords, tag_prefix, verbose):
+def git_versions_from_keywords(
+    keywords: Dict[str, str],
+    tag_prefix: str,
+    verbose: bool,
+) -> Dict[str, Any]:
     """Get version information from git keywords."""
     if "refnames" not in keywords:
         raise NotThisMethod("Short version file found")
@@ -249,7 +268,9 @@ def git_versions_from_keywords(keywords, tag_prefix, verbose):
 
 
 @register_vcs_handler("git", "pieces_from_vcs")
-def git_pieces_from_vcs(tag_prefix, root, verbose, runner=run_command):
+def git_pieces_from_vcs(
+    tag_prefix: str, root: str, verbose: bool, runner: Callable = run_command
+) -> Dict[str, Any]:
     """Get version from 'git describe' in the root of the source tree.
 
     This only gets called if the git-archive 'subst' keywords were *not*
@@ -299,7 +320,7 @@ def git_pieces_from_vcs(tag_prefix, root, verbose, runner=run_command):
         raise NotThisMethod("'git rev-parse' failed")
     full_out = full_out.strip()
 
-    pieces = {}
+    pieces: Dict[str, Any] = {}
     pieces["long"] = full_out
     pieces["short"] = full_out[:7]  # maybe improved later
     pieces["error"] = None
@@ -397,14 +418,14 @@ def git_pieces_from_vcs(tag_prefix, root, verbose, runner=run_command):
     return pieces
 
 
-def plus_or_dot(pieces):
+def plus_or_dot(pieces: Dict[str, Any]) -> str:
     """Return a + if we don't already have one, else return a ."""
     if "+" in pieces.get("closest-tag", ""):
         return "."
     return "+"
 
 
-def render_pep440(pieces):
+def render_pep440(pieces: Dict[str, Any]) -> str:
     """Build up version string, with post-release "local version identifier".
 
     Our goal: TAG[+DISTANCE.gHEX[.dirty]] . Note that if you
@@ -428,7 +449,7 @@ def render_pep440(pieces):
     return rendered
 
 
-def render_pep440_branch(pieces):
+def render_pep440_branch(pieces: Dict[str, Any]) -> str:
     """TAG[[.dev0]+DISTANCE.gHEX[.dirty]] .
 
     The ".dev0" means not master branch. Note that .dev0 sorts backwards
@@ -457,7 +478,7 @@ def render_pep440_branch(pieces):
     return rendered
 
 
-def pep440_split_post(ver):
+def pep440_split_post(ver: str) -> Tuple[str, Optional[int]]:
     """Split pep440 version string at the post-release segment.
 
     Returns the release segments before the post-release and the
@@ -467,7 +488,7 @@ def pep440_split_post(ver):
     return vc[0], int(vc[1] or 0) if len(vc) == 2 else None
 
 
-def render_pep440_pre(pieces):
+def render_pep440_pre(pieces: Dict[str, Any]) -> str:
     """TAG[.postN.devDISTANCE] -- No -dirty.
 
     Exceptions:
@@ -494,7 +515,7 @@ def render_pep440_pre(pieces):
     return rendered
 
 
-def render_pep440_post(pieces):
+def render_pep440_post(pieces: Dict[str, Any]) -> str:
     """TAG[.postDISTANCE[.dev0]+gHEX] .
 
     The ".dev0" means dirty. Note that .dev0 sorts backwards
@@ -521,7 +542,7 @@ def render_pep440_post(pieces):
     return rendered
 
 
-def render_pep440_post_branch(pieces):
+def render_pep440_post_branch(pieces: Dict[str, Any]) -> str:
     """TAG[.postDISTANCE[.dev0]+gHEX[.dirty]] .
 
     The ".dev0" means not master branch.
@@ -550,7 +571,7 @@ def render_pep440_post_branch(pieces):
     return rendered
 
 
-def render_pep440_old(pieces):
+def render_pep440_old(pieces: Dict[str, Any]) -> str:
     """TAG[.postDISTANCE[.dev0]] .
 
     The ".dev0" means dirty.
@@ -572,7 +593,7 @@ def render_pep440_old(pieces):
     return rendered
 
 
-def render_git_describe(pieces):
+def render_git_describe(pieces: Dict[str, Any]) -> str:
     """TAG[-DISTANCE-gHEX][-dirty].
 
     Like 'git describe --tags --dirty --always'.
@@ -592,7 +613,7 @@ def render_git_describe(pieces):
     return rendered
 
 
-def render_git_describe_long(pieces):
+def render_git_describe_long(pieces: Dict[str, Any]) -> str:
     """TAG-DISTANCE-gHEX[-dirty].
 
     Like 'git describe --tags --dirty --always -long'.
@@ -612,7 +633,7 @@ def render_git_describe_long(pieces):
     return rendered
 
 
-def render(pieces, style):
+def render(pieces: Dict[str, Any], style: str) -> Dict[str, Any]:
     """Render the given version pieces into the requested style."""
     if pieces["error"]:
         return {
@@ -654,7 +675,7 @@ def render(pieces, style):
     }
 
 
-def get_versions():
+def get_versions() -> Dict[str, Any]:
     """Get version information or return default if unable to do so."""
     # I am in _version.py, which lives at ROOT/VERSIONFILE_SOURCE. If we have
     # __file__, we can work backwards from there to the root. Some
diff --git a/projectroles/app_settings.py b/projectroles/app_settings.py
index a6b50d14..6fe38362 100644
--- a/projectroles/app_settings.py
+++ b/projectroles/app_settings.py
@@ -7,6 +7,7 @@
 
 from projectroles.models import AppSetting, APP_SETTING_TYPES, SODAR_CONSTANTS
 from projectroles.plugins import get_app_plugin, get_active_plugins
+from projectroles.utils import get_display_name
 
 
 logger = logging.getLogger(__name__)
@@ -22,9 +23,10 @@
 PROJECT_TYPE_PROJECT = SODAR_CONSTANTS['PROJECT_TYPE_PROJECT']
 PROJECT_TYPE_CATEGORY = SODAR_CONSTANTS['PROJECT_TYPE_CATEGORY']
 SITE_MODE_SOURCE = SODAR_CONSTANTS['SITE_MODE_SOURCE']
+SITE_MODE_TARGET = SODAR_CONSTANTS['SITE_MODE_TARGET']
 
 # Local constants
-APP_SETTING_LOCAL_DEFAULT = True
+APP_SETTING_GLOBAL_DEFAULT = False
 APP_SETTING_SCOPES = [
     APP_SETTING_SCOPE_PROJECT,
     APP_SETTING_SCOPE_USER,
@@ -44,7 +46,17 @@
     APP_SETTING_SCOPE_SITE: {'project': False, 'user': False},
 }
 DELETE_SCOPE_ERR_MSG = 'Argument "{arg}" must be set for {scope} scope setting'
-OVERRIDE_ERR_MSG = 'Overriding global settings for remote projects not allowed'
+GLOBAL_PROJECT_ERR_MSG = (
+    'Overriding global settings for remote projects not allowed'
+)
+GLOBAL_USER_ERR_MSG = (
+    'Overriding global user settings on target site not allowed'
+)
+# TODO: Remove in v1.1 (see #1394)
+LOCAL_DEPRECATE_MSG = (
+    'The "local" argument for app settings has been deprecated and will be '
+    'removed in SODAR Core v1.1: use "global" instead'
+)
 
 
 # Define App Settings for projectroles app
@@ -63,7 +75,8 @@
     #:         'options': ['example', 'example2'],  # Optional, only for
     #:                    settings of type STRING or INTEGER
     #:         'user_modifiable': True,  # Optional, show/hide in forms
-    #:         'local': False,  # Allow editing in target site forms if True
+    #:         'global': True,  # Only allow editing on target sites if False
+    #:                          # (optional, default True)
     #:         'project_types': [PROJECT_TYPE_PROJECT],  # Optional, list may
     #:          contain PROJECT_TYPE_CATEGORY and/or PROJECT_TYPE_PROJECT
     #:     }
@@ -74,7 +87,7 @@
         'label': 'IP restrict',
         'description': 'Restrict project access by an allowed IP list',
         'user_modifiable': True,
-        'local': False,
+        'global': True,
     },
     'ip_allowlist': {
         'scope': APP_SETTING_SCOPE_PROJECT,
@@ -83,27 +96,49 @@
         'label': 'IP allow list',
         'description': 'List of allowed IPs for project access',
         'user_modifiable': True,
-        'local': False,
-    },
-    'user_email_additional': {
-        'scope': APP_SETTING_SCOPE_USER,
-        'type': 'STRING',
-        'default': '',
-        'placeholder': 'email1@example.com;email2@example.com',
-        'label': 'Additional email',
-        'description': 'Also send user emails to these addresses. Separate '
-        'multiple emails with semicolon.',
-        'user_modifiable': True,
-        'local': False,
-        'project_types': [PROJECT_TYPE_PROJECT],
+        'global': True,
     },
     'project_star': {
         'scope': APP_SETTING_SCOPE_PROJECT_USER,
         'type': 'BOOLEAN',
         'default': False,
-        'local': True,
+        'global': False,
         'project_types': [PROJECT_TYPE_PROJECT, PROJECT_TYPE_CATEGORY],
     },
+    'notify_email_project': {
+        'scope': APP_SETTING_SCOPE_USER,
+        'type': 'BOOLEAN',
+        'default': True,
+        'label': 'Receive email for {} updates'.format(
+            get_display_name(PROJECT_TYPE_PROJECT)
+        ),
+        'description': (
+            'Receive email notifications for {} or {} creation, updating, '
+            'moving and archiving.'.format(
+                get_display_name(PROJECT_TYPE_CATEGORY),
+                get_display_name(PROJECT_TYPE_PROJECT),
+            )
+        ),
+        'user_modifiable': True,
+        'global': True,
+    },
+    'notify_email_role': {
+        'scope': APP_SETTING_SCOPE_USER,
+        'type': 'BOOLEAN',
+        'default': True,
+        'label': 'Receive email for {} membership updates'.format(
+            get_display_name(PROJECT_TYPE_PROJECT)
+        ),
+        'description': (
+            'Receive email notifications for {} or {} membership updates and '
+            'invitation activity.'.format(
+                get_display_name(PROJECT_TYPE_CATEGORY),
+                get_display_name(PROJECT_TYPE_PROJECT),
+            )
+        ),
+        'user_modifiable': True,
+        'global': True,
+    },
 }
 
 
@@ -200,38 +235,50 @@ def _check_value_in_options(
                 )
             )
 
+    # TODO: Remove in v1.1 (see #1394)
     @classmethod
-    def _get_app_plugin(cls, app_name):
+    def _check_local_attr(cls, setting_def):
+        """
+        Warn if the deprecated "local" attribute is included in a settings
+        definition instead of the new "global" attribute.
+
+        :param setting_def: Dict
+        """
+        if 'local' in setting_def:
+            logger.warning(LOCAL_DEPRECATE_MSG)
+
+    @classmethod
+    def _get_app_plugin(cls, plugin_name):
         """
         Return app plugin by name.
 
-        :param app_name: Name of the app plugin (string or None)
+        :param plugin_name: Name of the app plugin (string)
         :return: App plugin object
         :raise: ValueError if plugin is not found with the name
         """
-        plugin = get_app_plugin(app_name)
+        plugin = get_app_plugin(plugin_name)
         if not plugin:
             raise ValueError(
-                'Plugin not found with app name "{}"'.format(app_name)
+                'Plugin not found with name "{}"'.format(plugin_name)
             )
         return plugin
 
     @classmethod
-    def _get_defs(cls, plugin=None, app_name=None):
+    def _get_defs(cls, plugin=None, plugin_name=None):
         """
         Ensure valid argument values for a settings def query.
 
         :param plugin: Plugin object or None
-        :param app_name: Name of the app plugin (string or None)
+        :param plugin_name: Name of the app plugin (string or None)
         :return: Dict
         :raise: ValueError if args are not valid or plugin is not found
         """
-        if not plugin and not app_name:
-            raise ValueError('Plugin and app name both unset')
-        if app_name == 'projectroles':
+        if not plugin and not plugin_name:
+            raise ValueError('Plugin object and name both unset')
+        if plugin_name == 'projectroles':
             return cls.get_projectroles_defs()
         if not plugin:
-            plugin = cls._get_app_plugin(app_name)
+            plugin = cls._get_app_plugin(plugin_name)
         return plugin.app_settings
 
     @classmethod
@@ -250,9 +297,8 @@ def _get_json_value(cls, value):
         try:
             if isinstance(value, str):
                 return json.loads(value)
-            else:
-                json.dumps(value)  # Ensure this is valid
-                return value
+            json.dumps(value)  # Ensure this is valid
+            return value
         except Exception:
             raise ValueError('Value is not valid JSON: {}'.format(value))
 
@@ -276,13 +322,13 @@ def _compare_value(cls, obj, input_value):
 
     @classmethod
     def _log_set_debug(
-        cls, action, app_name, setting_name, value, project, user
+        cls, action, plugin_name, setting_name, value, project, user
     ):
         """
         Helper method for logging setting changes in set() method.
 
         :param action: Action string (string)
-        :param app_name: Plugin app name (string)
+        :param plugin_name: App plugin name (string)
         :param setting_name: Setting name (string)
         :param value: Setting value (string)
         :param project: Project object
@@ -296,7 +342,7 @@ def _log_set_debug(
         logger.debug(
             '{} app setting: {}.{} = "{}"{}'.format(
                 action,
-                app_name,
+                plugin_name,
                 setting_name,
                 value,
                 ' ({})'.format('; '.join(extra_data)) if extra_data else '',
@@ -305,12 +351,12 @@ def _log_set_debug(
 
     @classmethod
     def get_default(
-        cls, app_name, setting_name, project=None, user=None, post_safe=False
+        cls, plugin_name, setting_name, project=None, user=None, post_safe=False
     ):
         """
         Get default setting value from an app plugin.
 
-        :param app_name: App name (string, must equal "name" in app plugin)
+        :param plugin_name: App plugin name (string, equals "name" in plugin)
         :param setting_name: Setting name (string)
         :param project: Project object (optional)
         :param user: User object (optional)
@@ -319,55 +365,58 @@ def get_default(
         :raise: ValueError if app plugin is not found
         :raise: KeyError if nothing is found with setting_name
         """
-        if app_name == 'projectroles':
+        if plugin_name == 'projectroles':
             app_settings = cls.get_projectroles_defs()
         else:
-            app_plugin = get_app_plugin(app_name)
+            app_plugin = get_app_plugin(plugin_name)
             if not app_plugin:
-                raise ValueError('App plugin not found: "{}"'.format(app_name))
+                raise ValueError(
+                    'App plugin not found: "{}"'.format(plugin_name)
+                )
             app_settings = app_plugin.app_settings
+        if setting_name not in app_settings:
+            raise KeyError(
+                'Setting "{}" not found in app plugin "{}"'.format(
+                    setting_name, plugin_name
+                )
+            )
 
-        if setting_name in app_settings:
-            if callable(app_settings[setting_name].get('default')):
-                try:
-                    callable_setting = app_settings[setting_name]['default']
-                    return callable_setting(project, user)
-                except Exception:
-                    logger.error(
-                        'Error in callable setting "{}" for app "{}"'.format(
-                            setting_name, app_name
-                        )
+        # TODO: Remove _check_local_attr() in v1.1 (see #1394)
+        cls._check_local_attr(app_settings[setting_name])
+        if callable(app_settings[setting_name].get('default')):
+            try:
+                callable_setting = app_settings[setting_name]['default']
+                return callable_setting(project, user)
+            except Exception:
+                logger.error(
+                    'Error in callable setting "{}" for plugin "{}"'.format(
+                        setting_name, plugin_name
                     )
-                    return APP_SETTING_DEFAULT_VALUES[
-                        app_settings[setting_name]['type']
-                    ]
-            elif app_settings[setting_name]['type'] == 'JSON':
-                json_default = app_settings[setting_name].get('default')
-                if not json_default:
-                    if isinstance(json_default, dict):
-                        return {}
-                    elif isinstance(json_default, list):
-                        return []
+                )
+                return APP_SETTING_DEFAULT_VALUES[
+                    app_settings[setting_name]['type']
+                ]
+        elif app_settings[setting_name]['type'] == 'JSON':
+            json_default = app_settings[setting_name].get('default')
+            if not json_default:
+                if isinstance(json_default, dict):
                     return {}
-                if post_safe:
-                    return json.dumps(app_settings[setting_name]['default'])
-            return app_settings[setting_name]['default']
-
-        raise KeyError(
-            'Setting "{}" not found in app plugin "{}"'.format(
-                setting_name, app_name
-            )
-        )
+                elif isinstance(json_default, list):
+                    return []
+                return {}
+            if post_safe:
+                return json.dumps(app_settings[setting_name]['default'])
+        return app_settings[setting_name]['default']
 
     @classmethod
     def get(
-        cls, app_name, setting_name, project=None, user=None, post_safe=False
+        cls, plugin_name, setting_name, project=None, user=None, post_safe=False
     ):
         """
         Return app setting value for a project or a user. If not set, return
         default.
 
-        :param app_name: App name (string, must equal "name" in app plugin)
+        :param plugin_name: App plugin name (string, equals "name" in plugin)
         :param setting_name: Setting name (string)
         :param project: Project object (optional)
         :param user: User object (optional)
@@ -378,11 +427,11 @@ def get(
         if not user or user.is_authenticated:
             try:
                 val = AppSetting.objects.get_setting_value(
-                    app_name, setting_name, project=project, user=user
+                    plugin_name, setting_name, project=project, user=user
                 )
             except AppSetting.DoesNotExist:
                 val = cls.get_default(
-                    app_name,
+                    plugin_name,
                     setting_name,
                     project=project,
                     user=user,
@@ -390,7 +439,7 @@ def get(
                 )
         else:  # Anonymous user
             val = cls.get_default(
-                app_name,
+                plugin_name,
                 setting_name,
                 project=project,
                 user=user,
@@ -428,7 +477,7 @@ def get_all(cls, project=None, user=None, post_safe=False):
                 )
 
         p_settings = cls.get_definitions(
-            APP_SETTING_SCOPE_PROJECT, app_name='projectroles'
+            APP_SETTING_SCOPE_PROJECT, plugin_name='projectroles'
         )
         for s_key in p_settings:
             ret['settings.{}.{}'.format('projectroles', s_key)] = cls.get(
@@ -454,33 +503,33 @@ def get_defaults(cls, scope, project=None, user=None, post_safe=False):
         for plugin in app_plugins:
             p_settings = cls.get_definitions(scope, plugin=plugin)
             for s_key in p_settings:
-                ret[
-                    'settings.{}.{}'.format(plugin.name, s_key)
-                ] = cls.get_default(
-                    plugin.name,
+                ret['settings.{}.{}'.format(plugin.name, s_key)] = (
+                    cls.get_default(
+                        plugin.name,
+                        s_key,
+                        project=project,
+                        user=user,
+                        post_safe=post_safe,
+                    )
+                )
+
+        p_settings = cls.get_definitions(scope, plugin_name='projectroles')
+        for s_key in p_settings:
+            ret['settings.{}.{}'.format('projectroles', s_key)] = (
+                cls.get_default(
+                    'projectroles',
                     s_key,
                     project=project,
                     user=user,
                     post_safe=post_safe,
                 )
-
-        p_settings = cls.get_definitions(scope, app_name='projectroles')
-        for s_key in p_settings:
-            ret[
-                'settings.{}.{}'.format('projectroles', s_key)
-            ] = cls.get_default(
-                'projectroles',
-                s_key,
-                project=project,
-                user=user,
-                post_safe=post_safe,
             )
         return ret
 
     @classmethod
     def set(
         cls,
-        app_name,
+        plugin_name,
         setting_name,
         value,
         project=None,
@@ -491,7 +540,7 @@ def set(
         Set value of an existing project or user settings. Creates the object if
         not found.
 
-        :param app_name: App name (string, must equal "name" in app plugin)
+        :param plugin_name: App plugin name (string, equals "name" in plugin)
         :param setting_name: Setting name (string)
         :param value: Value to be set
         :param project: Project object (optional)
@@ -503,7 +552,7 @@ def set(
         :raise: ValueError if neither project nor user are set
         :raise: KeyError if setting name is not found in plugin specification
         """
-        s_def = cls.get_definition(name=setting_name, app_name=app_name)
+        s_def = cls.get_definition(name=setting_name, plugin_name=plugin_name)
         cls._check_scope(s_def.get('scope', None))
         cls._check_project_and_user(s_def.get('scope', None), project, user)
         # Check project type
@@ -520,19 +569,23 @@ def set(
                     project.type, setting_name
                 )
             )
-        # Prevent updating global setting on remote project
-        # TODO: Prevent editing global USER settings (#1329)
-        if (
-            not s_def.get('local', APP_SETTING_LOCAL_DEFAULT)
-            and project
-            and project.is_remote()
-        ):
-            raise ValueError(OVERRIDE_ERR_MSG)
+        # Prevent updating global setting on target site
+        if cls.get_global_value(s_def):
+            if project and project.is_remote():
+                raise ValueError(GLOBAL_PROJECT_ERR_MSG)
+            if (
+                user
+                and not project
+                and settings.PROJECTROLES_SITE_MODE == SITE_MODE_TARGET
+            ):
+                raise ValueError(GLOBAL_USER_ERR_MSG)
 
         try:  # Update existing setting
             q_kwargs = {'name': setting_name, 'project': project, 'user': user}
-            if not app_name == 'projectroles':
-                q_kwargs['app_plugin__name'] = app_name
+            if not plugin_name == 'projectroles':
+                q_kwargs['app_plugin__name'] = plugin_name
+            else:
+                q_kwargs['app_plugin'] = None
             setting = AppSetting.objects.get(**q_kwargs)
             if cls._compare_value(setting, value):
                 return False
@@ -550,16 +603,16 @@ def set(
                 setting.value = value
             setting.save()
             cls._log_set_debug(
-                'Set', app_name, setting_name, value, project, user
+                'Set', plugin_name, setting_name, value, project, user
             )
             return True
 
         except AppSetting.DoesNotExist:  # Create new
             s_type = s_def['type']
-            if app_name == 'projectroles':
+            if plugin_name == 'projectroles':
                 app_plugin_model = None
             else:
-                app_plugin = get_app_plugin(app_name)
+                app_plugin = get_app_plugin(plugin_name)
                 app_plugin_model = app_plugin.get_model()
             if validate:
                 v = cls._get_json_value(value) if s_type == 'JSON' else value
@@ -589,23 +642,46 @@ def set(
                 s_vals['value'] = value
             AppSetting.objects.create(**s_vals)
             cls._log_set_debug(
-                'Create', app_name, setting_name, value, project, user
+                'Create', plugin_name, setting_name, value, project, user
             )
             return True
 
     @classmethod
-    def delete(cls, app_name, setting_name, project=None, user=None):
+    def is_set(cls, plugin_name, setting_name, project=None, user=None):
+        """
+        Return True if the setting has been set, instead of retrieving the
+        default value from the definition.
+
+        NOTE: Also returns True if the current set value equals the default.
+
+        :param plugin_name: App plugin name (string, equals "name" in plugin)
+        :param setting_name: Setting name (string)
+        :param project: Project object (optional)
+        :param user: User object (optional)
+        :return: Boolean
+        """
+        s_def = cls.get_definition(name=setting_name, plugin_name=plugin_name)
+        cls._check_project_and_user(s_def.get('scope', None), project, user)
+        q_kwargs = {'name': setting_name, 'project': project, 'user': user}
+        if not plugin_name == 'projectroles':
+            q_kwargs['app_plugin__name'] = plugin_name
+        else:
+            q_kwargs['app_plugin'] = None
+        return AppSetting.objects.filter(**q_kwargs).exists()
+
+    @classmethod
+    def delete(cls, plugin_name, setting_name, project=None, user=None):
         """
         Delete one or more app setting objects. In case of a PROJECT_USER
         setting, can be used to delete all settings related to project.
 
-        :param app_name: App name (string, must equal "name" in app plugin)
+        :param plugin_name: App plugin name (string, equals "name" in plugin)
         :param setting_name: Setting name (string)
         :param project: Project object to delete setting from (optional)
         :param user: User object to delete setting from (optional)
         :raise: ValueError with invalid project/user args
         """
-        setting_def = cls.get_definition(setting_name, app_name=app_name)
+        setting_def = cls.get_definition(setting_name, plugin_name=plugin_name)
         if setting_def['scope'] != APP_SETTING_SCOPE_PROJECT_USER:
             cls._check_project_and_user(
                 setting_def.get('scope', None), project, user
@@ -623,7 +699,7 @@ def delete(cls, app_name, setting_name, project=None, user=None):
             q_kwargs['project'] = project
         logger.debug(
             'Delete app setting: {}.{} ({})'.format(
-                app_name, setting_name, '; '.join(q_kwargs)
+                plugin_name, setting_name, '; '.join(q_kwargs)
             )
         )
         app_settings = AppSetting.objects.filter(**q_kwargs)
@@ -654,11 +730,11 @@ def delete_by_scope(
             raise ValueError('Scope must be set')
         cls._check_scope(scope)
         cls._check_project_and_user(scope, project, user)
-        for app_name, app_settings in cls.get_all_defs().items():
+        for plugin_name, app_settings in cls.get_all_defs().items():
             for setting_name, setting_def in app_settings.items():
                 if setting_def['scope'] == scope:
                     cls.delete(
-                        app_name,
+                        plugin_name,
                         setting_name,
                         project=project,
                         user=user,
@@ -720,23 +796,23 @@ def validate(
         return True
 
     @classmethod
-    def get_definition(cls, name, plugin=None, app_name=None):
+    def get_definition(cls, name, plugin=None, plugin_name=None):
         """
         Return definition for a single app setting, either based on an app name
         or the plugin object.
 
         :param name: Setting name
         :param plugin: Plugin object or None
-        :param app_name: Name of the app plugin (string or None)
+        :param plugin_name: Name of the app plugin (string or None)
         :return: Dict
-        :raise: ValueError if neither app_name nor plugin are set or if setting
-                is not found in plugin
+        :raise: ValueError if neither plugin_name nor plugin are set, or if
+                setting is not found in plugin
         """
-        defs = cls._get_defs(plugin, app_name)
+        defs = cls._get_defs(plugin, plugin_name)
         if name not in defs:
             raise ValueError(
-                'App setting not found in app "{}" with name "{}"'.format(
-                    app_name or plugin.name, name
+                'App setting not found in plugin "{}" with name "{}"'.format(
+                    plugin_name or plugin.name, name
                 )
             )
         ret = defs[name]
@@ -749,7 +825,7 @@ def get_definitions(
         cls,
         scope,
         plugin=None,
-        app_name=None,
+        plugin_name=None,
         user_modifiable=False,
     ):
         """
@@ -757,15 +833,15 @@ def get_definitions(
 
         :param scope: PROJECT, USER or PROJECT_USER
         :param plugin: Plugin object or None
-        :param app_name: Name of the app plugin (string or None)
+        :param plugin_name: App plugin name (string, equals "name" in plugin)
         :param user_modifiable: Only return non-superuser modifiable settings if
                                 True (boolean)
         :return: Dict
-        :raise: ValueError if scope is invalid or if neither app_name nor
+        :raise: ValueError if scope is invalid or if neither plugin_name nor
                 plugin are set
         """
         cls._check_scope(scope)
-        defs = cls._get_defs(plugin, app_name)
+        defs = cls._get_defs(plugin, plugin_name)
         ret = {
             k: v
             for k, v in defs.items()
@@ -802,12 +878,6 @@ def get_projectroles_defs(cls):
             )
         except AttributeError:
             app_settings = PROJECTROLES_APP_SETTINGS
-        for k, v in app_settings.items():
-            if 'local' not in v:
-                raise ValueError(
-                    'Attribute "local" is missing in projectroles app '
-                    'setting definition "{}"'.format(k)
-                )
         return app_settings
 
     @classmethod
@@ -828,6 +898,20 @@ def get_all_defs(cls):
             ret[p.name] = p.app_settings
         return ret
 
+    @classmethod
+    def get_global_value(cls, setting_def):
+        """
+        Get the "global" value of a settings definition. If the deprecated
+        "local" value is still used, return that and log a warning.
+
+        :param setting_def: Dict
+        :return: Boolean
+        """
+        if 'local' in setting_def:  # TODO: Remove in v1.1 (see #1394)
+            logger.warning(LOCAL_DEPRECATE_MSG)
+            return not setting_def['local']  # Inverse value
+        return setting_def.get('global', APP_SETTING_GLOBAL_DEFAULT)
+
 
 def get_example_setting_default(project=None, user=None):
     """
diff --git a/projectroles/apps.py b/projectroles/apps.py
index 3118ab5d..01206489 100644
--- a/projectroles/apps.py
+++ b/projectroles/apps.py
@@ -5,4 +5,5 @@ class ProjectrolesConfig(AppConfig):
     name = 'projectroles'
 
     def ready(self):
+        import projectroles.checks  # noqa
         import projectroles.signals  # noqa
diff --git a/projectroles/checks.py b/projectroles/checks.py
new file mode 100644
index 00000000..c98ed831
--- /dev/null
+++ b/projectroles/checks.py
@@ -0,0 +1,31 @@
+"""Django checks for the projectroles app"""
+
+from django.conf import settings
+from django.core.checks import Warning, register
+
+
+# Local constants
+W001_SETTINGS = [
+    'ENABLE_LDAP',
+    'ENABLE_OIDC',
+    'PROJECTROLES_ALLOW_ANONYMOUS',
+    'PROJECTROLES_ALLOW_LOCAL_USERS',
+    'PROJECTROLES_KIOSK_MODE',
+]
+W001_MSG = (
+    'No authentication methods enabled, only superusers can access the site. '
+    'Set one or more of the following: {}'.format(', '.join(W001_SETTINGS))
+)
+W001 = Warning(W001_MSG, obj=settings, id='projectroles.W001')
+
+
+@register()
+def check_auth_methods(app_configs, **kwargs):
+    """
+    Check for enabled authentication schemes. Raise error if no users other than
+    superusers are able to log in with the current settings).
+    """
+    ret = []
+    if not any([getattr(settings, a, False) for a in W001_SETTINGS]):
+        ret.append(W001)
+    return ret
diff --git a/projectroles/constants.py b/projectroles/constants.py
index def85f57..156a4d3e 100644
--- a/projectroles/constants.py
+++ b/projectroles/constants.py
@@ -1,6 +1,5 @@
 """SODAR constants definition and helper functions"""
 
-
 # Global SODAR constants
 SODAR_CONSTANTS = {
     # Project roles
@@ -42,8 +41,13 @@
         'CATEGORY': {'default': 'category', 'plural': 'categories'},
         'PROJECT': {'default': 'project', 'plural': 'projects'},
     },
+    # User types
+    'AUTH_TYPE_LOCAL': 'LOCAL',
+    'AUTH_TYPE_LDAP': 'LDAP',
+    'AUTH_TYPE_OIDC': 'OIDC',
     # System user group
     'SYSTEM_USER_GROUP': 'system',
+    'OIDC_USER_GROUP': 'oidc',
     # Project modification
     'PROJECT_ACTION_CREATE': 'CREATE',
     'PROJECT_ACTION_UPDATE': 'UPDATE',
diff --git a/projectroles/context_processors.py b/projectroles/context_processors.py
index eda947ea..2232faf0 100644
--- a/projectroles/context_processors.py
+++ b/projectroles/context_processors.py
@@ -6,6 +6,7 @@
 
 from projectroles.plugins import get_active_plugins, get_backend_api
 from projectroles.urls import urlpatterns
+from projectroles.utils import ROLE_URLS
 
 
 SIDEBAR_ICON_MIN_SIZE = 18
@@ -16,16 +17,7 @@ def urls_processor(request):
     """Context processor for providing projectroles URLs for the sidebar"""
     return {
         'projectroles_urls': urlpatterns,
-        'role_urls': [
-            'roles',
-            'role_create',
-            'role_update',
-            'role_delete',
-            'invites',
-            'invite_create',
-            'invite_resend',
-            'invite_revoke',
-        ],
+        'role_urls': ROLE_URLS,
     }
 
 
diff --git a/projectroles/email.py b/projectroles/email.py
index 69361055..8bfa7be0 100644
--- a/projectroles/email.py
+++ b/projectroles/email.py
@@ -10,6 +10,8 @@
 from django.utils.timezone import localtime
 
 from projectroles.app_settings import AppSettingAPI
+from projectroles.models import SODARUserAdditionalEmail
+from projectroles.plugins import get_app_plugin
 from projectroles.utils import build_invite_url, get_display_name
 
 
@@ -25,6 +27,7 @@
 SITE_TITLE = settings.SITE_INSTANCE_TITLE
 
 # Local constants
+APP_NAME = 'projectroles'
 EMAIL_RE = re.compile(r'(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)')
 
 
@@ -52,6 +55,11 @@
 contact {admin_name} ({admin_email}).
 '''
 
+SETTINGS_LINK = r'''
+You can manage receiving of automated emails in your user settings:
+{url}
+'''
+
 
 # Role Change Template ---------------------------------------------------------
 
@@ -275,23 +283,33 @@ def get_email_header(header):
     return getattr(settings, 'PROJECTROLES_EMAIL_HEADER', None) or header
 
 
-def get_email_footer():
+def get_email_footer(request, settings_link=True):
     """
     Return the email footer.
 
+    :param request: HttpRequest object
+    :param settings_link: Include link to user settings if True (optional)
     :return: string
     """
+    footer = ''
     custom_footer = getattr(settings, 'PROJECTROLES_EMAIL_FOOTER', None)
-    if custom_footer:
-        return '\n' + custom_footer
     admin_recipient = settings.ADMINS[0] if settings.ADMINS else None
-    if admin_recipient:
-        return MESSAGE_FOOTER.format(
+    if custom_footer:
+        footer += '\n' + custom_footer
+    elif admin_recipient:
+        footer += MESSAGE_FOOTER.format(
             site_title=SITE_TITLE,
             admin_name=admin_recipient[0],
             admin_email=admin_recipient[1],
         )
-    return ''
+    # Add user settings link if enabled and userprofile app is active
+    if request and settings_link and get_app_plugin('userprofile'):
+        footer += SETTINGS_LINK.format(
+            url=request.build_absolute_uri(
+                reverse('userprofile:settings_update')
+            )
+        )
+    return footer
 
 
 def get_invite_subject(project):
@@ -329,7 +347,7 @@ def get_role_change_subject(change_type, project):
 
 
 def get_role_change_body(
-    change_type, project, user_name, role_name, issuer, project_url
+    change_type, project, user_name, role_name, issuer, request
 ):
     """
     Return role change email body.
@@ -339,9 +357,12 @@ def get_role_change_body(
     :param user_name: Name of target user
     :param role_name: Name of role as string
     :param issuer: User object for issuing user
-    :param project_url: URL for the project
+    :param request: HttpRequest object
     :return: String
     """
+    project_url = request.build_absolute_uri(
+        reverse('projectroles:detail', kwargs={'project': project.sodar_uuid})
+    )
     body = get_email_header(
         MESSAGE_HEADER.format(recipient=user_name, site_title=SITE_TITLE)
     )
@@ -373,49 +394,48 @@ def get_role_change_body(
         )
     if not issuer.email and not settings.PROJECTROLES_EMAIL_SENDER_REPLY:
         body += NO_REPLY_NOTE
-    body += get_email_footer()
+    body += get_email_footer(request)
     return body
 
 
 def get_user_addr(user):
     """
-    Return all the email addresses for a user as a list. Emails set with
-    user_email_additional are included. If a user has no main email set but
-    additional emails exist, the latter are returned.
+    Return all the email addresses for a user as a list. Verified emails set as
+    SODARUserAdditionalEmail objects are included. If a user has no main email
+    set but additional emails exist, the latter are returned.
 
     :param user: User object
     :return: list
     """
-
-    def _validate(user, email):
-        if re.match(EMAIL_RE, email):
-            return True
-        logger.error(
-            'Invalid email for user {}: {}'.format(user.username, email)
-        )
-
     ret = []
-    if user.email and _validate(user, user.email):
+    if user.email:
         ret.append(user.email)
-    add_email = app_settings.get(
-        'projectroles', 'user_email_additional', user=user
-    )
-    if add_email:
-        for e in add_email.strip().split(';'):
-            if _validate(user, e):
-                ret.append(e)
+    for e in SODARUserAdditionalEmail.objects.filter(
+        user=user, verified=True
+    ).order_by('email'):
+        ret.append(e.email)
     return ret
 
 
-def send_mail(subject, message, recipient_list, request=None, reply_to=None):
+def send_mail(
+    subject,
+    message,
+    recipient_list,
+    request=None,
+    reply_to=None,
+    cc=None,
+    bcc=None,
+):
     """
     Wrapper for send_mail() with logging and error messaging.
 
     :param subject: Message subject (string)
     :param message: Message body (string)
     :param recipient_list: Recipients of email (list)
-    :param request: Request object (optional)
+    :param request: HttpRequest object (optional)
     :param reply_to: List of emails for the "reply-to" header (optional)
+    :param cc: List of emails for "cc" field (optional)
+    :param bcc: List of emails for "bcc" field (optional)
     :return: Amount of sent email (int)
     """
     try:
@@ -425,6 +445,8 @@ def send_mail(subject, message, recipient_list, request=None, reply_to=None):
             from_email=EMAIL_SENDER,
             to=recipient_list,
             reply_to=reply_to if isinstance(reply_to, list) else [],
+            cc=cc if isinstance(cc, list) else [],
+            bcc=bcc if isinstance(bcc, list) else [],
         )
         ret = e.send(fail_silently=False)
         logger.debug(
@@ -433,7 +455,6 @@ def send_mail(subject, message, recipient_list, request=None, reply_to=None):
             )
         )
         return ret
-
     except Exception as ex:
         error_msg = 'Error sending email: {}'.format(str(ex))
         logger.error(error_msg)
@@ -455,12 +476,9 @@ def send_role_change_mail(change_type, project, user, role, request):
     :param project: Project object
     :param user: User object
     :param role: Role object (can be None for deletion)
-    :param request: HTTP request
+    :param request: HttpRequest object
     :return: Amount of sent email (int)
     """
-    project_url = request.build_absolute_uri(
-        reverse('projectroles:detail', kwargs={'project': project.sodar_uuid})
-    )
     subject = get_role_change_subject(change_type, project)
     message = get_role_change_body(
         change_type=change_type,
@@ -468,7 +486,7 @@ def send_role_change_mail(change_type, project, user, role, request):
         user_name=user.get_full_name(),
         role_name=role.name if role else '',
         issuer=request.user,
-        project_url=project_url,
+        request=request,
     )
     issuer_emails = get_user_addr(request.user)
     return send_mail(
@@ -481,7 +499,7 @@ def send_invite_mail(invite, request):
     Send an email invitation to user not yet registered in the system.
 
     :param invite: ProjectInvite object
-    :param request: HTTP request
+    :param request: HttpRequest object
     :return: Amount of sent email (int)
     """
     invite_url = build_invite_url(invite, request)
@@ -495,7 +513,7 @@ def send_invite_mail(invite, request):
         ),
     )
     message += get_invite_message(invite.message)
-    message += get_email_footer()
+    message += get_email_footer(request, settings_link=False)
     subject = get_invite_subject(invite.project)
     issuer_emails = get_user_addr(invite.issuer)
     return send_mail(subject, message, [invite.email], request, issuer_emails)
@@ -507,7 +525,7 @@ def send_accept_note(invite, request, user):
     accepts the invitation.
 
     :param invite: ProjectInvite object
-    :param request: HTTP request
+    :param request: HttpRequest object
     :param user: User invited
     :return: Amount of sent email (int)
     """
@@ -531,7 +549,7 @@ def send_accept_note(invite, request, user):
 
     if not settings.PROJECTROLES_EMAIL_SENDER_REPLY:
         message += NO_REPLY_NOTE
-    message += get_email_footer()
+    message += get_email_footer(request)
     return send_mail(subject, message, get_user_addr(invite.issuer), request)
 
 
@@ -541,7 +559,7 @@ def send_expiry_note(invite, request, user_name):
     attempts to accept an expired invitation.
 
     :param invite: ProjectInvite object
-    :param request: HTTP request
+    :param request: HttpRequest object
     :param user_name: User name of invited user
     :return: Amount of sent email (int)
     """
@@ -565,7 +583,7 @@ def send_expiry_note(invite, request, user_name):
 
     if not settings.PROJECTROLES_EMAIL_SENDER_REPLY:
         message += NO_REPLY_NOTE
-    message += get_email_footer()
+    message += get_email_footer(request)
     return send_mail(subject, message, get_user_addr(invite.issuer), request)
 
 
@@ -575,7 +593,7 @@ def send_project_create_mail(project, request):
     they are a different user than the project creator.
 
     :param project: Project object for the newly created project
-    :param request: Request object
+    :param request: HttpRequest object
     :return: Amount of sent email (int)
     """
     parent = project.parent
@@ -606,7 +624,7 @@ def send_project_create_mail(project, request):
             )
         ),
     )
-    message += get_email_footer()
+    message += get_email_footer(request)
     return send_mail(
         subject,
         message,
@@ -622,7 +640,7 @@ def send_project_move_mail(project, request):
     they are a different user than the project creator.
 
     :param project: Project object for the newly created project
-    :param request: Request object
+    :param request: HttpRequest object
     :return: Amount of sent email (int)
     """
     parent = project.parent
@@ -653,7 +671,7 @@ def send_project_move_mail(project, request):
             )
         ),
     )
-    message += get_email_footer()
+    message += get_email_footer(request)
     return send_mail(
         subject,
         message,
@@ -669,11 +687,16 @@ def send_project_archive_mail(project, action, request):
 
     :param project: Project object
     :param action: String ("archive" or "unarchive")
-    :param request: HTTP request
+    :param request: HttpRequest object
     :return: Amount of sent email (int)
     """
     user = request.user
-    project_users = [a.user for a in project.get_roles() if a.user != user]
+    project_users = [
+        a.user
+        for a in project.get_roles()
+        if a.user != user
+        and app_settings.get(APP_NAME, 'notify_email_project', user=a.user)
+    ]
     project_users = list(set(project_users))  # Remove possible dupes (see #710)
     if not project_users:
         return 0
@@ -711,23 +734,33 @@ def send_project_archive_mail(project, action, request):
         message += body_final
         if not settings.PROJECTROLES_EMAIL_SENDER_REPLY:
             message += NO_REPLY_NOTE
-        message += get_email_footer()
+        message += get_email_footer(request)
         mail_count += send_mail(subject, message, get_user_addr(user), request)
     return mail_count
 
 
 def send_generic_mail(
-    subject_body, message_body, recipient_list, request=None, reply_to=None
+    subject_body,
+    message_body,
+    recipient_list,
+    request=None,
+    reply_to=None,
+    cc=None,
+    bcc=None,
+    settings_link=True,
 ):
     """
-    Send a notification email to the issuer of an invitation when a user
-    attempts to accept an expired invitation.
+    Send a generic mail with standard header and footer and no-reply
+    notifications.
 
     :param subject_body: Subject body without prefix (string)
     :param message_body: Message body before header or footer (string)
     :param recipient_list: Recipients (list of User objects or email strings)
+    :param request: HttpRequest object (optional)
     :param reply_to: List of emails for the "reply-to" header (optional)
-    :param request: Request object (optional)
+    :param cc: List of emails for "cc" field (optional)
+    :param bcc: List of emails for "bcc" field (optional)
+    :param settings_link: Include link to user settings if True (optional)
     :return: Amount of mail sent (int)
     """
     subject = SUBJECT_PREFIX + subject_body
@@ -745,6 +778,8 @@ def send_generic_mail(
         message += message_body
         if not reply_to and not settings.PROJECTROLES_EMAIL_SENDER_REPLY:
             message += NO_REPLY_NOTE
-        message += get_email_footer()
-        ret += send_mail(subject, message, recp_addr, request, reply_to)
+        message += get_email_footer(request, settings_link)
+        ret += send_mail(
+            subject, message, recp_addr, request, reply_to, cc, bcc
+        )
     return ret
diff --git a/projectroles/forms.py b/projectroles/forms.py
index fcbd4ff6..e734076e 100644
--- a/projectroles/forms.py
+++ b/projectroles/forms.py
@@ -21,9 +21,9 @@
     RoleAssignment,
     ProjectInvite,
     RemoteSite,
+    RemoteProject,
     SODAR_CONSTANTS,
     ROLE_RANKING,
-    APP_SETTING_VAL_MAXLENGTH,
     CAT_DELIMITER,
     CAT_DELIMITER_ERROR_MSG,
 )
@@ -34,7 +34,7 @@
     get_user_display_name,
     build_secret,
 )
-from projectroles.app_settings import AppSettingAPI, APP_SETTING_LOCAL_DEFAULT
+from projectroles.app_settings import AppSettingAPI
 
 
 User = auth.get_user_model()
@@ -50,6 +50,7 @@
 SITE_MODE_SOURCE = SODAR_CONSTANTS['SITE_MODE_SOURCE']
 SITE_MODE_TARGET = SODAR_CONSTANTS['SITE_MODE_TARGET']
 APP_SETTING_SCOPE_PROJECT = SODAR_CONSTANTS['APP_SETTING_SCOPE_PROJECT']
+REMOTE_LEVEL_READ_ROLES = SODAR_CONSTANTS['REMOTE_LEVEL_READ_ROLES']
 
 # Local constants
 APP_NAME = 'projectroles'
@@ -62,10 +63,12 @@
     ),
     (PROJECT_TYPE_PROJECT, get_display_name(PROJECT_TYPE_PROJECT, title=True)),
 ]
-SETTING_CUSTOM_VALIDATE_ERROR = (
+SETTING_DISABLE_LABEL = '[DISABLED]'
+SETTING_CUSTOM_VALIDATE_MSG = (
     'Exception in custom app setting validation for plugin "{plugin}": '
     '{exception}'
 )
+SETTING_SOURCE_ONLY_MSG = '[Only editable on source site]'
 
 
 # Base Classes and Mixins ------------------------------------------------------
@@ -357,29 +360,113 @@ def _get_parent_choices(cls, instance, user):
         ret += [(c.sodar_uuid, c.full_title) for c in categories]
         return sorted(ret, key=lambda x: x[1])
 
-    def _set_app_setting_widget(self, app_name, s_field, s_key, s_val):
+    def _init_remote_sites(self):
         """
-        Internal helper for setting app setting widget and value.
+        Initialize remote site fields in the form.
+        """
+        p_display = get_display_name(PROJECT_TYPE_PROJECT)
+        for site in RemoteSite.objects.filter(
+            mode=SITE_MODE_TARGET, user_display=True, owner_modifiable=True
+        ).order_by('name'):
+            f_name = 'remote_site.{}'.format(site.sodar_uuid)
+            f_label = 'Enable {} on {}'.format(p_display, site.name)
+            f_help = 'Make {} available on remote site "{}" ({})'.format(
+                p_display, site.name, site.url
+            )
+            f_initial = False
+            if self.instance.pk:
+                rp = RemoteProject.objects.filter(
+                    site=site, project=self.instance
+                ).first()
+                # NOTE: Only "read roles" is supported at the moment
+                f_initial = rp and rp.level == REMOTE_LEVEL_READ_ROLES
+            self.fields[f_name] = forms.BooleanField(
+                label=f_label,
+                help_text=f_help,
+                initial=f_initial,
+                required=False,
+            )
+
+    def _set_app_setting_field(self, plugin_name, s_field, s_key, s_val):
+        """
+        Internal helper for setting app setting field, widget and value.
 
-        :param app_name: App name
+        :param plugin_name: App plugin name
         :param s_field: Form field name
         :param s_key: Setting key
         :param s_val: Setting value
         """
         s_widget_attrs = s_val.get('widget_attrs') or {}
-
-        # Set project type
         s_project_types = s_val.get('project_types') or [PROJECT_TYPE_PROJECT]
         s_widget_attrs['data-project-types'] = ','.join(s_project_types).lower()
-
         if 'placeholder' in s_val:
             s_widget_attrs['placeholder'] = s_val.get('placeholder')
         setting_kwargs = {
             'required': False,
-            'label': s_val.get('label') or '{}.{}'.format(app_name, s_key),
+            'label': s_val.get('label') or '{}.{}'.format(plugin_name, s_key),
             'help_text': s_val['description'],
         }
-        if s_val['type'] == 'JSON':
+
+        # Option
+        if (
+            s_val.get('options')
+            and callable(s_val['options'])
+            and self.instance.pk
+        ):
+            values = s_val['options'](project=self.instance)
+            self.fields[s_field] = forms.ChoiceField(
+                choices=[
+                    (
+                        (str(value[0]), str(value[1]))
+                        if isinstance(value, tuple)
+                        else (str(value), str(value))
+                    )
+                    for value in values
+                ],
+                **setting_kwargs
+            )
+        elif (
+            s_val.get('options')
+            and callable(s_val['options'])
+            and not self.instance.pk
+        ):
+            values = s_val['options'](project=None)
+            self.fields[s_field] = forms.ChoiceField(
+                choices=[
+                    (
+                        (str(value[0]), str(value[1]))
+                        if isinstance(value, tuple)
+                        else (str(value), str(value))
+                    )
+                    for value in values
+                ],
+                **setting_kwargs
+            )
+        elif s_val.get('options'):
+            self.fields[s_field] = forms.ChoiceField(
+                choices=[
+                    (
+                        (int(option), int(option))
+                        if s_val['type'] == 'INTEGER'
+                        else (option, option)
+                    )
+                    for option in s_val['options']
+                ],
+                **setting_kwargs
+            )
+        # Other types
+        elif s_val['type'] == 'STRING':
+            self.fields[s_field] = forms.CharField(
+                widget=forms.TextInput(attrs=s_widget_attrs), **setting_kwargs
+            )
+        elif s_val['type'] == 'INTEGER':
+            self.fields[s_field] = forms.IntegerField(
+                widget=forms.NumberInput(attrs=s_widget_attrs), **setting_kwargs
+            )
+        elif s_val['type'] == 'BOOLEAN':
+            self.fields[s_field] = forms.BooleanField(**setting_kwargs)
+        # JSON
+        elif s_val['type'] == 'JSON':
             # NOTE: Attrs MUST be supplied here (#404)
             if 'class' in s_widget_attrs:
                 s_widget_attrs['class'] += ' sodar-json-input'
@@ -388,84 +475,19 @@ def _set_app_setting_widget(self, app_name, s_field, s_key, s_val):
             self.fields[s_field] = forms.CharField(
                 widget=forms.Textarea(attrs=s_widget_attrs), **setting_kwargs
             )
-            if self.instance.pk:
-                json_data = self.app_settings.get(
-                    app_name=app_name,
-                    setting_name=s_key,
-                    project=self.instance,
-                )
-            else:
-                json_data = self.app_settings.get_default(
-                    app_name=app_name,
-                    setting_name=s_key,
-                    project=None,
-                )
-            self.initial[s_field] = json.dumps(json_data)
-        else:
-            if s_val.get('options'):
-                if callable(s_val['options']) and self.instance.pk:
-                    values = s_val['options'](project=self.instance)
-                    self.fields[s_field] = forms.ChoiceField(
-                        choices=[
-                            (str(value[0]), str(value[1]))
-                            if isinstance(value, tuple)
-                            else (str(value), str(value))
-                            for value in values
-                        ],
-                        **setting_kwargs
-                    )
-                elif callable(s_val['options']) and not self.instance.pk:
-                    values = s_val['options'](project=None)
-                    self.fields[s_field] = forms.ChoiceField(
-                        choices=[
-                            (str(value[0]), str(value[1]))
-                            if isinstance(value, tuple)
-                            else (str(value), str(value))
-                            for value in values
-                        ],
-                        **setting_kwargs
-                    )
-                else:
-                    self.fields[s_field] = forms.ChoiceField(
-                        choices=[
-                            (int(option), int(option))
-                            if s_val['type'] == 'INTEGER'
-                            else (option, option)
-                            for option in s_val['options']
-                        ],
-                        **setting_kwargs
-                    )
-            elif s_val['type'] == 'STRING':
-                self.fields[s_field] = forms.CharField(
-                    max_length=APP_SETTING_VAL_MAXLENGTH,
-                    widget=forms.TextInput(attrs=s_widget_attrs),
-                    **setting_kwargs
-                )
-            elif s_val['type'] == 'INTEGER':
-                self.fields[s_field] = forms.IntegerField(
-                    widget=forms.NumberInput(attrs=s_widget_attrs),
-                    **setting_kwargs
-                )
-            elif s_val['type'] == 'BOOLEAN':
-                self.fields[s_field] = forms.BooleanField(**setting_kwargs)
 
-            # Add optional attributes from plugin (#404)
-            # NOTE: Experimental! Use at your own risk!
-            self.fields[s_field].widget.attrs.update(s_widget_attrs)
-
-            # Set initial value
-            if self.instance.pk:
-                self.initial[s_field] = self.app_settings.get(
-                    app_name=app_name,
-                    setting_name=s_key,
-                    project=self.instance,
-                )
-            else:
-                self.initial[s_field] = self.app_settings.get_default(
-                    app_name=app_name,
-                    setting_name=s_key,
-                    project=None,
-                )
+        # Add optional attributes from plugin (#404)
+        # NOTE: Experimental! Use at your own risk!
+        self.fields[s_field].widget.attrs.update(s_widget_attrs)
+        # Set initial value
+        value = self.app_settings.get(
+            plugin_name=plugin_name,
+            setting_name=s_key,
+            project=self.instance if self.instance.pk else None,
+        )
+        if s_val['type'] == 'JSON':
+            value = json.dumps(value)
+        self.initial[s_field] = value
 
     def _set_app_setting_notes(self, s_field, s_val, plugin):
         """
@@ -478,12 +500,10 @@ def _set_app_setting_notes(self, s_field, s_val, plugin):
         if s_val.get('user_modifiable') is False:
             self.fields[s_field].label += ' [HIDDEN]'
             self.fields[s_field].help_text += ' [HIDDEN FROM USERS]'
-        if s_val.get('local', APP_SETTING_LOCAL_DEFAULT) is False:
+        if self.app_settings.get_global_value(s_val):
             if self.instance.is_remote():
-                self.fields[s_field].label += ' [DISABLED]'
-                self.fields[
-                    s_field
-                ].help_text += ' [Only editable on source site]'
+                self.fields[s_field].label += ' ' + SETTING_DISABLE_LABEL
+                self.fields[s_field].help_text += ' ' + SETTING_SOURCE_ONLY_MSG
                 self.fields[s_field].disabled = True
             else:
                 self.fields[
@@ -494,6 +514,9 @@ def _set_app_setting_notes(self, s_field, s_val, plugin):
         )
 
     def _init_app_settings(self):
+        """
+        Initialize app settings fields in the form.
+        """
         # Set up setting query kwargs
         self.p_kwargs = {}
         # Show unmodifiable settings to superusers
@@ -503,21 +526,21 @@ def _init_app_settings(self):
         self.app_plugins = sorted(get_active_plugins(), key=lambda x: x.name)
         for plugin in self.app_plugins + [None]:  # Projectroles has no plugin
             if plugin:
-                app_name = plugin.name
+                plugin_name = plugin.name
                 p_settings = self.app_settings.get_definitions(
                     APP_SETTING_SCOPE_PROJECT, plugin=plugin, **self.p_kwargs
                 )
             else:
-                app_name = APP_NAME
+                plugin_name = APP_NAME
                 p_settings = self.app_settings.get_definitions(
                     APP_SETTING_SCOPE_PROJECT,
-                    app_name=app_name,
+                    plugin_name=plugin_name,
                     **self.p_kwargs
                 )
             for s_key, s_val in p_settings.items():
-                s_field = 'settings.{}.{}'.format(app_name, s_key)
-                # Set widget and value
-                self._set_app_setting_widget(app_name, s_field, s_key, s_val)
+                s_field = 'settings.{}.{}'.format(plugin_name, s_key)
+                # Set field, widget and value
+                self._set_app_setting_field(plugin_name, s_field, s_key, s_val)
                 # Set label notes
                 self._set_app_setting_notes(s_field, s_val, plugin)
 
@@ -538,7 +561,7 @@ def _validate_app_settings(
                 def_kwarg = {'plugin': plugin}
             else:
                 p_name = 'projectroles'
-                def_kwarg = {'app_name': p_name}
+                def_kwarg = {'plugin_name': p_name}
             p_defs = app_settings.get_definitions(
                 APP_SETTING_SCOPE_PROJECT, **{**p_kwargs, **def_kwarg}
             )
@@ -580,7 +603,7 @@ def _validate_app_settings(
                             f_name = '.'.join(['settings', p_name, field])
                             errors.append((f_name, error))
                 except Exception as ex:
-                    err_msg = SETTING_CUSTOM_VALIDATE_ERROR.format(
+                    err_msg = SETTING_CUSTOM_VALIDATE_MSG.format(
                         plugin=p_name, exception=ex
                     )
                     errors.append((None, err_msg))
@@ -595,12 +618,18 @@ def __init__(self, project=None, current_user=None, *args, **kwargs):
         # Get current user for checking permissions for form items
         if current_user:
             self.current_user = current_user
-        # Add settings fields
-        self._init_app_settings()
         # Access parent project if present
         parent_project = None
         if project:
             parent_project = Project.objects.filter(sodar_uuid=project).first()
+        # Add remote site fields if on source site
+        if settings.PROJECTROLES_SITE_MODE == SITE_MODE_SOURCE and (
+            parent_project
+            or (self.instance.pk and self.instance.type == PROJECT_TYPE_PROJECT)
+        ):
+            self._init_remote_sites()
+        # Add settings fields
+        self._init_app_settings()
 
         # Update help texts to match DISPLAY_NAMES
         self.fields['title'].help_text = 'Title'
@@ -662,9 +691,9 @@ def __init__(self, project=None, current_user=None, *args, **kwargs):
                 self.initial['owner'] = parent_project.get_owner().user
             else:
                 self.initial['owner'] = self.current_user
-            self.fields[
-                'owner'
-            ].label_from_instance = lambda x: x.get_form_label(email=True)
+            self.fields['owner'].label_from_instance = (
+                lambda x: x.get_form_label(email=True)
+            )
             # Hide owner select widget for regular users
             if not self.current_user.is_superuser:
                 self.fields['owner'].widget = forms.HiddenInput()
@@ -697,8 +726,8 @@ def __init__(self, project=None, current_user=None, *args, **kwargs):
     def clean(self):
         """Function for custom form validation and cleanup"""
         self.instance_owner_as = (
-            self.instance.get_owner() if self.instance else None
-        )
+            self.instance.get_owner() if self.instance.pk else None
+        )  # Must check pk, get_owner() with unsaved model fails in Django v4+
         disable_categories = getattr(
             settings, 'PROJECTROLES_DISABLE_CATEGORIES', False
         )
@@ -771,7 +800,7 @@ def clean(self):
                 'Public guest access is not allowed for categories',
             )
 
-        # Verify settings fields
+        # Verify remote site fields
         cleaned_data, errors = self._validate_app_settings(
             self.cleaned_data,
             self.app_plugins,
@@ -1115,7 +1144,7 @@ def clean(self):
             ]
             if (
                 not settings.PROJECTROLES_ALLOW_LOCAL_USERS
-                and not settings.ENABLE_SAML
+                and not settings.ENABLE_OIDC
                 and domain
                 not in [
                     x.lower() for x in getattr(settings, 'LDAP_ALT_DOMAINS', [])
@@ -1125,8 +1154,8 @@ def clean(self):
             ):
                 self.add_error(
                     'email',
-                    'Local users not allowed, email domain {} not recognized '
-                    'for LDAP users'.format(domain),
+                    'Local/OIDC users not allowed, email domain {} not'
+                    'recognized for LDAP users'.format(domain),
                 )
 
         # Delegate checks
@@ -1176,7 +1205,14 @@ class RemoteSiteForm(SODARModelForm):
 
     class Meta:
         model = RemoteSite
-        fields = ['name', 'url', 'description', 'user_display', 'secret']
+        fields = [
+            'name',
+            'url',
+            'description',
+            'user_display',
+            'owner_modifiable',
+            'secret',
+        ]
 
     def __init__(self, current_user=None, *args, **kwargs):
         """Override for form initialization"""
@@ -1194,8 +1230,10 @@ def __init__(self, current_user=None, *args, **kwargs):
         if settings.PROJECTROLES_SITE_MODE == SITE_MODE_SOURCE:
             self.fields['secret'].widget.attrs['readonly'] = True
             self.fields['user_display'].widget = forms.CheckboxInput()
+            self.fields['owner_modifiable'].widget = forms.CheckboxInput()
         elif settings.PROJECTROLES_SITE_MODE == SITE_MODE_TARGET:
             self.fields['user_display'].widget = forms.HiddenInput()
+            self.fields['owner_modifiable'].widget = forms.HiddenInput()
         self.fields['user_display'].initial = True
 
         # Creation
diff --git a/projectroles/management/commands/addremotesite.py b/projectroles/management/commands/addremotesite.py
index 3ba233d7..066c276a 100644
--- a/projectroles/management/commands/addremotesite.py
+++ b/projectroles/management/commands/addremotesite.py
@@ -6,9 +6,9 @@
 import re
 import sys
 
+from django.conf import settings
 from django.contrib import auth
 from django.core.management.base import BaseCommand
-from django.db import transaction
 
 from projectroles.management.logging import ManagementCommandLogger
 from projectroles.models import RemoteSite, SODAR_CONSTANTS
@@ -81,6 +81,16 @@ def add_arguments(self, parser):
             type=bool,
             help='User display of the remote site',
         )
+        parser.add_argument(
+            '-o',
+            '--owner-modifiable',
+            dest='owner_modifiable',
+            default=True,
+            required=False,
+            type=bool,
+            help='Allow owners and delegates to modify project access for this '
+            'site',
+        )
         # Additional Arguments
         parser.add_argument(
             '-s',
@@ -93,10 +103,12 @@ def add_arguments(self, parser):
         )
 
     def handle(self, *args, **options):
+        timeline = get_backend_api('timeline_backend')
         logger.info('Creating remote site..')
         name = options['name']
         url = options['url']
-        # Validate url
+
+        # Validate URL
         if not url.startswith('http://') and not url.startswith('https://'):
             url = ''.join(['http://', url])
         pattern = re.compile(r'(http|https)://.*\..*')
@@ -104,54 +116,54 @@ def handle(self, *args, **options):
             logger.error('Invalid URL "{}"'.format(url))
             sys.exit(1)
 
-        mode = options['mode'].upper()
-        # Validate mode
-        if mode not in [SITE_MODE_SOURCE, SITE_MODE_TARGET]:
-            if mode in [SITE_MODE_PEER]:
-                logger.error('Creating PEER sites is not allowed')
-            else:
-                logger.error('Unkown mode "{}"'.format(mode))
+        # Validate site mode
+        site_mode = options['mode'].upper()
+        host_mode = settings.PROJECTROLES_SITE_MODE
+        if site_mode not in [SITE_MODE_SOURCE, SITE_MODE_TARGET]:
+            logger.error('Invalid mode "{}"'.format(site_mode))
+            sys.exit(1)
+        if site_mode == host_mode:
+            logger.error('Attempting to create site with the same mode as host')
             sys.exit(1)
-
-        description = options['description']
-        secret = options['secret']
-        user_diplsay = options['user_display']
-        suppress_error = options['suppress_error']
 
         # Validate whether site exists
-        name_exists = bool(len(RemoteSite.objects.filter(name=name)))
-        url_exists = bool(len(RemoteSite.objects.filter(url=url)))
+        name_exists = RemoteSite.objects.filter(name=name).count()
+        url_exists = RemoteSite.objects.filter(url=url).count()
         if name_exists or url_exists:
             err_msg = 'Remote site exists with {} "{}"'.format(
                 'name' if name_exists else 'URL', name if name_exists else url
             )
-            if not suppress_error:
+            if not options['suppress_error']:
                 logger.error(err_msg)
                 sys.exit(1)
             else:
                 logger.info(err_msg)
                 sys.exit(0)
 
-        with transaction.atomic():
-            create_values = {
-                'name': name,
-                'url': url,
-                'mode': mode,
-                'description': description,
-                'secret': secret,
-                'user_display': user_diplsay,
-            }
-            site = RemoteSite.objects.create(**create_values)
-
-        timeline = get_backend_api('timeline_backend')
-        timeline.add_event(
-            project=None,
-            app_name='projectroles',
-            event_name='remote_site_create',
-            description=description,
-            classified=True,
-            status_type='OK',
-        )
+        create_kw = {
+            'name': name,
+            'url': url,
+            'mode': site_mode,
+            'description': options['description'],
+            'secret': options['secret'],
+            'user_display': options['user_display'],
+            'owner_modifiable': options['owner_modifiable'],
+        }
+        site = RemoteSite.objects.create(**create_kw)
+
+        if timeline:
+            tl_event = timeline.add_event(
+                project=None,
+                app_name='projectroles',
+                user=None,
+                event_name='{}_site_create'.format(site_mode.lower()),
+                description='create {} remote site {{{}}} via management '
+                'command'.format(site_mode.lower(), 'remote_site'),
+                classified=True,
+                status_type=timeline.TL_STATUS_OK,
+                extra_data=create_kw,
+            )
+            tl_event.add_object(obj=site, label='remote_site', name=site.name)
         logger.info(
             'Created remote site "{}" with mode {}'.format(site.name, site.mode)
         )
diff --git a/projectroles/management/commands/batchupdateroles.py b/projectroles/management/commands/batchupdateroles.py
index cc73434a..b16ec99c 100644
--- a/projectroles/management/commands/batchupdateroles.py
+++ b/projectroles/management/commands/batchupdateroles.py
@@ -36,7 +36,7 @@ class MockRequest(HttpRequest):
     def mock_scheme(self, host):
         self.scheme = host.scheme
 
-    def scheme(self):
+    def scheme(self):  # noqa
         return self.scheme
 
 
diff --git a/projectroles/management/commands/checkusers.py b/projectroles/management/commands/checkusers.py
new file mode 100644
index 00000000..0b0dfeaf
--- /dev/null
+++ b/projectroles/management/commands/checkusers.py
@@ -0,0 +1,191 @@
+"""
+Checkusers management command for checking user status and reporting disabled or
+removed users.
+"""
+
+import ldap
+import sys
+
+from django.conf import settings
+from django.contrib.auth import get_user_model
+from django.core.management.base import BaseCommand
+from django.db.models import Q
+
+from projectroles.management.logging import ManagementCommandLogger
+
+
+logger = ManagementCommandLogger(__name__)
+User = get_user_model()
+
+
+# Local constants
+# UserAccountControl flags for disabled accounts
+# TODO: Can we get these from python-ldap and print out exact status?
+UAC_DISABLED_VALUES = [
+    2,
+    514,
+    546,
+    66050,
+    66082,
+    262658,
+    262690,
+    328194,
+    328226,
+]
+UAC_LOCKED_VALUE = 16
+# Messages
+USER_DISABLED_MSG = 'Disabled'
+USER_LOCKED_MSG = 'Locked'
+USER_NOT_FOUND_MSG = 'Not found'
+USER_OK_MSG = 'OK'
+
+
+class Command(BaseCommand):
+    help = (
+        'Check user status and report disabled or removed users. Prints out '
+        'user name, real name, email and status as semicolon-separated values.'
+    )
+
+    @classmethod
+    def _print_result(cls, django_user, msg):
+        print(
+            '{};{};{};{}'.format(
+                django_user.username,
+                django_user.get_full_name(),
+                django_user.email,
+                msg,
+            )
+        )
+
+    @classmethod
+    def _get_setting_prefix(cls, primary):
+        return 'AUTH_LDAP{}_'.format('' if primary else '2')
+
+    def _check_search_base_setting(self, primary):
+        pf = self._get_setting_prefix(primary)
+        s_name = pf + 'USER_SEARCH_BASE'
+        if not hasattr(settings, s_name):
+            logger.error(s_name + ' not in Django settings')
+            sys.exit(1)
+
+    def _check_ldap_users(self, users, primary, all_users):
+        """
+        Check and print out user status for a specific LDAP server.
+
+        :param users: QuerySet of SODARUser objects
+        :param primary: Whether to check for primary or secondary server (bool)
+        :param all_users: Display status for all users (bool)
+        """
+
+        def _get_s(name):
+            pf = self._get_setting_prefix(primary)
+            return getattr(settings, pf + name)
+
+        domain = _get_s('USERNAME_DOMAIN')
+        domain_users = users.filter(username__endswith='@' + domain.upper())
+        server_uri = _get_s('SERVER_URI')
+        server_str = '{} LDAP server at "{}"'.format(
+            'primary' if primary else 'secondary', server_uri
+        )
+        if not domain_users:
+            logger.debug('No users found for {}, skipping'.format(server_str))
+            return
+
+        bind_dn = _get_s('BIND_DN')
+        bind_pw = _get_s('BIND_PASSWORD')
+        start_tls = _get_s('START_TLS')
+        options = _get_s('CONNECTION_OPTIONS')
+        user_filter = _get_s('USER_FILTER')
+        search_base = _get_s('USER_SEARCH_BASE')
+
+        # Enable debug if set in env
+        if settings.LDAP_DEBUG:
+            ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
+
+        # Connect to LDAP
+        lc = ldap.initialize(server_uri)
+        for k, v in options.items():
+            lc.set_option(k, v)
+        if start_tls:
+            lc.protocol_version = 3
+            lc.start_tls_s()
+        try:
+            lc.simple_bind_s(bind_dn, bind_pw)
+        except Exception as ex:
+            logger.error(
+                'Exception connecting to {}: {}'.format(server_str, ex)
+            )
+            return
+
+        for d_user in domain_users:
+            r = lc.search(
+                search_base,
+                ldap.SCOPE_SUBTREE,
+                user_filter.replace('%(user)s', d_user.username.split('@')[0]),
+            )
+            _, l_user = lc.result(r, 60)
+            if len(l_user) > 0:
+                name, attrs = l_user[0]
+                user_ok = True
+                # logger.debug('Result: {}; {}'.format(name, attrs))
+                if (
+                    'userAccountControl' in attrs
+                    and len(attrs['userAccountControl']) > 0
+                ):
+                    val = int(attrs['userAccountControl'][0].decode('utf-8'))
+                    if val in UAC_DISABLED_VALUES:
+                        self._print_result(d_user, USER_DISABLED_MSG)
+                        user_ok = False
+                    elif val == UAC_LOCKED_VALUE:
+                        self._print_result(d_user, USER_LOCKED_MSG)
+                        user_ok = False
+                if all_users and user_ok:
+                    self._print_result(d_user, USER_OK_MSG)
+            else:  # Not found
+                self._print_result(d_user, USER_NOT_FOUND_MSG)
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            '-a',
+            '--all',
+            dest='all',
+            action='store_true',
+            required=False,
+            help='Display results for all users even if status is OK',
+        )
+        parser.add_argument(
+            '-l',
+            '--limit',
+            dest='limit',
+            required=False,
+            help='Limit search to "ldap1" or "ldap2".',
+        )
+
+    def handle(self, *args, **options):
+        if not settings.ENABLE_LDAP:
+            logger.info('LDAP not enabled, nothing to do')
+            return
+        self._check_search_base_setting(primary=True)
+        self._check_search_base_setting(primary=False)
+        u_query = Q(
+            username__endswith='@{}'.format(
+                settings.AUTH_LDAP_USERNAME_DOMAIN.upper()
+            )
+        )
+        if settings.ENABLE_LDAP_SECONDARY:
+            q_secondary = Q(
+                username__endswith='@{}'.format(
+                    settings.AUTH_LDAP2_USERNAME_DOMAIN.upper()
+                )
+            )
+            u_query.add(q_secondary, Q.OR)
+        users = User.objects.filter(u_query).order_by('username')
+        limit = options.get('limit')
+        if not limit or limit == 'ldap1':
+            self._check_ldap_users(
+                users, primary=True, all_users=options.get('all', False)
+            )
+        if settings.ENABLE_LDAP_SECONDARY and (not limit or limit == 'ldap2'):
+            self._check_ldap_users(
+                users, primary=False, all_users=options.get('all', False)
+            )
diff --git a/projectroles/management/commands/cleanappsettings.py b/projectroles/management/commands/cleanappsettings.py
index 3f3c5ba9..f1f1a3f0 100644
--- a/projectroles/management/commands/cleanappsettings.py
+++ b/projectroles/management/commands/cleanappsettings.py
@@ -28,9 +28,11 @@ def get_setting_str(db_setting):
     return '.'.join(
         [
             'settings',
-            'projectroles'
-            if db_setting.app_plugin is None
-            else db_setting.app_plugin.name,
+            (
+                'projectroles'
+                if db_setting.app_plugin is None
+                else db_setting.app_plugin.name
+            ),
             db_setting.name,
         ]
     )
@@ -50,7 +52,7 @@ def handle(self, *args, **options):
             if s.app_plugin:
                 def_kwargs['plugin'] = s.app_plugin.get_plugin()
             else:
-                def_kwargs['app_name'] = 'projectroles'
+                def_kwargs['plugin_name'] = 'projectroles'
             try:
                 definition = app_settings.get_definition(**def_kwargs)
             except ValueError:
diff --git a/projectroles/management/commands/createdevusers.py b/projectroles/management/commands/createdevusers.py
index c56f697b..297354fa 100644
--- a/projectroles/management/commands/createdevusers.py
+++ b/projectroles/management/commands/createdevusers.py
@@ -20,23 +20,36 @@
 DEV_USER_NAMES = ['alice', 'bob', 'carol', 'dan', 'erin']
 LAST_NAME = 'Example'
 EMAIL_DOMAIN = 'example.com'
-PASSWORD = 'password'
+DEFAULT_PASSWORD = 'sodarpass'
 
 
 class Command(BaseCommand):
-    help = (
-        'Create fictitious local user accounts for development. The password '
-        'for each user will be set as "password".'
-    )
+    help = 'Create fictitious local user accounts for development.'
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            '-p',
+            '--password',
+            dest='password',
+            type=str,
+            required=False,
+            help='Password to use for created dev users. If not given, the '
+            'default password "{}" will be used'.format(DEFAULT_PASSWORD),
+        )
 
     def handle(self, *args, **options):
         if not settings.DEBUG:
             logger.error(
                 'DEBUG not enabled, cancelling. Are you attempting to create '
-                'development users on a production site?'
+                'development users on a production instance?'
             )
             sys.exit(1)
-        password = make_password(PASSWORD)
+        pw = (
+            DEFAULT_PASSWORD
+            if not options.get('password')
+            else options['password']
+        )
+        password = make_password(pw)
         for u in DEV_USER_NAMES:
             if User.objects.filter(username=u).first():
                 logger.info('User "{}" already exists'.format(u))
diff --git a/projectroles/management/commands/syncgroups.py b/projectroles/management/commands/syncgroups.py
index e3db91d6..8503add8 100644
--- a/projectroles/management/commands/syncgroups.py
+++ b/projectroles/management/commands/syncgroups.py
@@ -2,7 +2,6 @@
 
 from django.contrib import auth
 from django.core.management.base import BaseCommand
-from django.db import transaction
 
 from projectroles.management.logging import ManagementCommandLogger
 
@@ -14,24 +13,17 @@
 class Command(BaseCommand):
     help = 'Synchronizes user groups based on user name'
 
-    def add_arguments(self, parser):
-        pass
-
     def handle(self, *args, **options):
         logger.info('Synchronizing user groups..')
-        with transaction.atomic():
-            for user in User.objects.all():
-                user.groups.clear()
-                user.save()  # Group is updated during save
-
-                if user.groups.count() > 0:
-                    logger.info(
-                        'Group set: {} -> {}'.format(
-                            user.username, user.groups.first().name
-                        )
+        for user in User.objects.all().order_by('username'):
+            user.groups.clear()
+            user.save()  # Group is updated during save
+            if user.groups.count() > 0:
+                logger.info(
+                    'Group set: {} -> {}'.format(
+                        user.username, user.groups.first().name
                     )
+                )
         logger.info(
-            'Synchronized groups for {} users'.format(
-                User.objects.all().count()
-            )
+            'Synchronized groups for {} users'.format(User.objects.count())
         )
diff --git a/projectroles/migrations/0001_squashed_0032_alter_appsetting_value.py b/projectroles/migrations/0001_squashed_0032_alter_appsetting_value.py
new file mode 100644
index 00000000..77b7bf79
--- /dev/null
+++ b/projectroles/migrations/0001_squashed_0032_alter_appsetting_value.py
@@ -0,0 +1,1224 @@
+# Generated by Django 4.2.14 on 2024-07-15 14:46
+
+from django.conf import settings
+import django.contrib.postgres.fields
+from django.db import migrations, models
+import django.db.models.deletion
+import markupfield.fields
+import projectroles.models
+import random
+import string
+import uuid
+
+
+def populate_roles(apps, schema_editor):
+    """Populate Role objects"""
+    Role = apps.get_model('projectroles', 'Role')
+
+    def save_role(name, description):
+        role = Role(name=name, description=description)
+        role.save()
+
+    # Owner
+    save_role(
+        'project owner',
+        'The project owner has full access to project data; rights to add, '
+        'modify and remove project members; right to assign a project '
+        'delegate. Each project must have exactly one owner.',
+    )
+    # Delegate
+    save_role(
+        'project delegate',
+        'The project delegate has all the rights of a project owner with the '
+        'exception of assigning a delegate. A maximum of one delegate can be '
+        'set per project. A delegate role can be set by project owner.',
+    )
+    # Contributor
+    save_role(
+        'project contributor',
+        'A project member with ability to view and add project data. Can edit '
+        'their own data.',
+    )
+    # Guest
+    save_role(
+        'project guest',
+        'Read-only access to a project. Can view data in project, can not add '
+        'or edit.',
+    )
+
+
+def fix_remote_project_keys(apps, schema_editor):
+    """Fix missing RemoteProject.project foreign keys (issue #197)"""
+    RemoteProject = apps.get_model('projectroles', 'RemoteProject')
+    Project = apps.get_model('projectroles', 'Project')
+    for rp in RemoteProject.objects.all():
+        if not rp.project:
+            rp.project = Project.objects.filter(
+                sodar_uuid=rp.project_uuid
+            ).first()
+            rp.save()
+
+
+def populate_project_full_title(apps, schema_editor):
+    """Populate the new full_title field in the Project model"""
+
+    def get_project_parents(obj):
+        if not obj.parent:
+            return None
+        ret = []
+        parent = obj.parent
+        while parent:
+            ret.append(parent)
+            parent = parent.parent
+        return reversed(ret)
+
+    def get_project_full_title(obj):
+        parents = get_project_parents(obj)
+        ret = ' / '.join([p.title for p in parents]) + ' / ' if parents else ''
+        ret += obj.title
+        return ret
+
+    Project = apps.get_model('projectroles', 'Project')
+    for project in Project.objects.all():
+        project.full_title = get_project_full_title(project)
+        project.save()
+
+
+def populate_public_children(apps, schema_editor):
+    """Populate the new has_public_children field in the Project model"""
+
+    def get_public_children(obj):
+        for child in obj.children.all():
+            if child.public_guest_access:
+                return True
+            ret = get_public_children(child)
+            if ret:
+                return True
+        return False
+
+    Project = apps.get_model('projectroles', 'Project')
+    for project in Project.objects.all():
+        project.has_public_children = get_public_children(project)
+        project.save()
+
+
+def set_role_ranks(apps, schema_editor):
+    """Set rank values for existing roles"""
+    role_ranking = {
+        'project owner': 10,
+        'project delegate': 20,
+        'project contributor': 30,
+        'project guest': 40,
+    }
+    Role = apps.get_model('projectroles', 'Role')
+    for role in Role.objects.all():
+        if role.name in role_ranking:
+            role.rank = role_ranking[role.name]
+            role.save()
+
+
+def migrate_project_stars(apps, schema_editor):
+    """Create project_star AppSettings from ProjectUserTag objects"""
+    ProjectUserTag = apps.get_model('projectroles', 'ProjectUserTag')
+    AppSetting = apps.get_model('projectroles', 'AppSetting')
+    for tag in ProjectUserTag.objects.filter(name='STARRED'):
+        AppSetting.objects.get_or_create(
+            project=tag.project,
+            user=tag.user,
+            value=True,
+            name='project_star',
+        )
+
+
+def delete_category_app_settings(apps, schema_editor):
+    """Delete app settings assigned to categories"""
+    from projectroles.app_settings import AppSettingAPI
+
+    app_settings = AppSettingAPI()
+    AppSetting = apps.get_model('projectroles', 'AppSetting')
+    # Find all app settings whith a project
+    pr_settings = AppSetting.objects.exclude(project=None)
+    for app_setting in pr_settings:
+        try:
+            plugin_name = (
+                app_setting.app_plugin.name
+                if app_setting.app_plugin
+                else 'projectroles'
+            )
+            setting_def = app_settings.get_definition(
+                plugin_name=plugin_name, name=app_setting.name
+            )
+        except ValueError:
+            app_setting.delete()
+            continue
+        if app_setting.project.type not in setting_def.get(
+            'project_types', ['PROJECT']
+        ):
+            # Delete app setting if it is not restricted to any project types
+            app_setting.delete()
+
+
+def populate_finder_role(apps, schema_editor):
+    """Populate project finder role"""
+    Role = apps.get_model('projectroles', 'Role')
+    role = Role(
+        name='project finder',
+        rank=50,
+        project_types=['CATEGORY'],
+        description='The project finder is able to see certain details of all '
+        'categories and projects under a category for this role is given. '
+        'They will not have access to the apps or data of those subprojects or '
+        'categories until assigned a higher role. This role can only be '
+        'assigned for categories.',
+    )
+    role.save()
+
+
+def reverse_finder_role(apps, schema_editor):
+    """Reverse code for project finder role populating"""
+    Role = apps.get_model('projectroles', 'Role')
+    role = Role.objects.filter(name='project finder').first()
+    if role:
+        role.delete()
+
+
+def populate_additional_email_model(apps, schema_editor):
+    """
+    Move existing additional email app settings into the
+    SODARUserAdditionalEmail model as verified emais. Delete the settings
+    objects.
+    """
+    AppSetting = apps.get_model('projectroles', 'AppSetting')
+    SODARUserAdditionalEmail = apps.get_model(
+        'projectroles', 'SODARUserAdditionalEmail'
+    )
+    for a in AppSetting.objects.filter(
+        app_plugin=None, name='user_email_additional'
+    ):
+        for v in a.value.split(';'):
+            secret = ''.join(
+                random.SystemRandom().choice(
+                    string.ascii_lowercase + string.digits
+                )
+                for _ in range(32)
+            )
+            try:
+                SODARUserAdditionalEmail.objects.create(
+                    user=a.user, email=v, verified=True, secret=secret
+                )
+            except Exception:
+                pass
+        a.delete()
+
+
+class Migration(migrations.Migration):
+
+    replaces = [
+        ('projectroles', '0001_initial'),
+        ('projectroles', '0002_auto_20180411_1758'),
+        ('projectroles', '0003_populate_roles'),
+        ('projectroles', '0004_rename_uuid'),
+        ('projectroles', '0005_update_uuid'),
+        ('projectroles', '0006_add_remote_projects'),
+        ('projectroles', '0007_fix_remoteproject_foreign_key'),
+        ('projectroles', '0008_auto_20190426_0606'),
+        ('projectroles', '0009_rename_projectsetting'),
+        ('projectroles', '0010_update_appsetting'),
+        ('projectroles', '0011_remove_indexes'),
+        ('projectroles', '0012_update_remotesite'),
+        ('projectroles', '0013_update_appsetting_type'),
+        ('projectroles', '0014_update_appsetting_value_json'),
+        ('projectroles', '0015_fix_appsetting_constraint'),
+        ('projectroles', '0016_app_plugin_field_none'),
+        ('projectroles', '0017_project_full_title'),
+        ('projectroles', '0018_update_jsonfield'),
+        ('projectroles', '0019_project_public_guest_access'),
+        ('projectroles', '0020_project_has_public_children'),
+        ('projectroles', '0021_remove_project_submit_status'),
+        ('projectroles', '0022_role_rank'),
+        ('projectroles', '0023_project_archive'),
+        ('projectroles', '0024_project_star_app_setting'),
+        ('projectroles', '0025_delete_projectusertag'),
+        ('projectroles', '0026_delete_category_settings'),
+        ('projectroles', '0027_role_project_type'),
+        ('projectroles', '0028_populate_finder_role'),
+        ('projectroles', '0029_sodaruseradditionalemail'),
+        ('projectroles', '0030_populate_sodaruseradditionalemail'),
+        ('projectroles', '0031_remotesite_owner_modifiable'),
+        ('projectroles', '0032_alter_appsetting_value'),
+    ]
+
+    initial = True
+
+    dependencies = [
+        ('djangoplugins', '0001_initial'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Project',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                (
+                    'title',
+                    models.CharField(help_text='Project title', max_length=255),
+                ),
+                (
+                    'type',
+                    models.CharField(
+                        choices=[
+                            ('CATEGORY', 'Category'),
+                            ('PROJECT', 'Project'),
+                        ],
+                        default='PROJECT',
+                        help_text='Type of project ("CATEGORY", "PROJECT")',
+                        max_length=64,
+                    ),
+                ),
+                (
+                    'description',
+                    models.CharField(
+                        help_text='Short project description', max_length=512
+                    ),
+                ),
+                (
+                    'readme',
+                    markupfield.fields.MarkupField(
+                        blank=True,
+                        help_text='Project README (optional, supports markdown)',
+                        null=True,
+                        rendered_field=True,
+                    ),
+                ),
+                (
+                    'readme_markup_type',
+                    models.CharField(
+                        choices=[
+                            ('', '--'),
+                            ('html', 'HTML'),
+                            ('plain', 'Plain'),
+                            ('markdown', 'Markdown'),
+                            ('restructuredtext', 'Restructured Text'),
+                        ],
+                        default='markdown',
+                        editable=False,
+                        max_length=30,
+                    ),
+                ),
+                (
+                    'submit_status',
+                    models.CharField(
+                        default='OK',
+                        help_text='Status of project creation',
+                        max_length=64,
+                    ),
+                ),
+                (
+                    '_readme_rendered',
+                    models.TextField(editable=False, null=True),
+                ),
+                (
+                    'omics_uuid',
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        help_text='Project Omics UUID',
+                        unique=True,
+                    ),
+                ),
+                (
+                    'parent',
+                    models.ForeignKey(
+                        blank=True,
+                        help_text='Parent category if nested',
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='children',
+                        to='projectroles.project',
+                    ),
+                ),
+            ],
+            options={
+                'ordering': ['parent__title', 'title'],
+                'unique_together': {('title', 'parent')},
+            },
+        ),
+        migrations.CreateModel(
+            name='Role',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                (
+                    'name',
+                    models.CharField(
+                        help_text='Name of role', max_length=64, unique=True
+                    ),
+                ),
+                ('description', models.TextField(help_text='Role description')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='ProjectUserTag',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                (
+                    'name',
+                    models.CharField(
+                        default='STARRED',
+                        help_text='Name of tag to be assigned',
+                        max_length=64,
+                    ),
+                ),
+                (
+                    'omics_uuid',
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        help_text='ProjectUserTag Omics UUID',
+                        unique=True,
+                    ),
+                ),
+                (
+                    'project',
+                    models.ForeignKey(
+                        help_text='Project in which the tag is assigned',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='tags',
+                        to='projectroles.project',
+                    ),
+                ),
+                (
+                    'user',
+                    models.ForeignKey(
+                        help_text='User for whom the tag is assigned',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='project_tags',
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+            ],
+            options={
+                'ordering': ['project__title', 'user__username', 'name'],
+            },
+        ),
+        migrations.CreateModel(
+            name='ProjectInvite',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                (
+                    'email',
+                    models.EmailField(
+                        help_text='Email address of the person to be invited',
+                        max_length=254,
+                    ),
+                ),
+                (
+                    'date_created',
+                    models.DateTimeField(
+                        auto_now_add=True,
+                        help_text='DateTime of invite creation',
+                    ),
+                ),
+                (
+                    'date_expire',
+                    models.DateTimeField(
+                        help_text='Expiration of invite as DateTime'
+                    ),
+                ),
+                (
+                    'message',
+                    models.TextField(
+                        blank=True,
+                        help_text='Message to be included in the invite email (optional)',
+                    ),
+                ),
+                (
+                    'secret',
+                    models.CharField(
+                        help_text='Secret token provided to user with the invite',
+                        max_length=255,
+                        unique=True,
+                    ),
+                ),
+                (
+                    'active',
+                    models.BooleanField(
+                        default=True,
+                        help_text='Status of the invite (False if claimed or revoked)',
+                    ),
+                ),
+                (
+                    'omics_uuid',
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        help_text='ProjectInvite Omics UUID',
+                        unique=True,
+                    ),
+                ),
+                (
+                    'issuer',
+                    models.ForeignKey(
+                        help_text='User who issued the invite',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='issued_invites',
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+                (
+                    'project',
+                    models.ForeignKey(
+                        help_text='Project to which the person is invited',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='invites',
+                        to='projectroles.project',
+                    ),
+                ),
+                (
+                    'role',
+                    models.ForeignKey(
+                        help_text='Role assigned to the person',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to='projectroles.role',
+                    ),
+                ),
+            ],
+            options={
+                'ordering': ['project__title', 'email', 'role__name'],
+            },
+        ),
+        migrations.CreateModel(
+            name='RoleAssignment',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                (
+                    'omics_uuid',
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        help_text='RoleAssignment Omics UUID',
+                        unique=True,
+                    ),
+                ),
+                (
+                    'project',
+                    models.ForeignKey(
+                        help_text='Project in which role is assigned',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='roles',
+                        to='projectroles.project',
+                    ),
+                ),
+                (
+                    'role',
+                    models.ForeignKey(
+                        help_text='Role to be assigned',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='assignments',
+                        to='projectroles.role',
+                    ),
+                ),
+                (
+                    'user',
+                    models.ForeignKey(
+                        help_text='User for whom role is assigned',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='roles',
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+            ],
+            options={
+                'ordering': [
+                    'project__parent__title',
+                    'project__title',
+                    'role__name',
+                    'user__username',
+                ],
+                'indexes': [
+                    models.Index(
+                        fields=['project'],
+                        name='projectrole_project_b13795_idx',
+                    ),
+                    models.Index(
+                        fields=['user'], name='projectrole_user_id_0e46f7_idx'
+                    ),
+                ],
+            },
+        ),
+        migrations.CreateModel(
+            name='ProjectSetting',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                (
+                    'name',
+                    models.CharField(
+                        help_text='Name of the setting', max_length=255
+                    ),
+                ),
+                (
+                    'type',
+                    models.CharField(
+                        choices=[
+                            ('BOOLEAN', 'Boolean'),
+                            ('INTEGER', 'Integer'),
+                            ('STRING', 'String'),
+                        ],
+                        help_text='Type of the setting',
+                        max_length=64,
+                    ),
+                ),
+                (
+                    'value',
+                    models.CharField(
+                        blank=True,
+                        help_text='Value of the setting',
+                        max_length=255,
+                        null=True,
+                    ),
+                ),
+                (
+                    'omics_uuid',
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        help_text='ProjectSetting Omics UUID',
+                        unique=True,
+                    ),
+                ),
+                (
+                    'app_plugin',
+                    models.ForeignKey(
+                        help_text='App to which the setting belongs',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='settings',
+                        to='djangoplugins.plugin',
+                    ),
+                ),
+                (
+                    'project',
+                    models.ForeignKey(
+                        help_text='Project to which the setting belongs',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='settings',
+                        to='projectroles.project',
+                    ),
+                ),
+            ],
+            options={
+                'ordering': ['project__title', 'app_plugin__name', 'name'],
+                'unique_together': {('project', 'app_plugin', 'name')},
+            },
+        ),
+        migrations.RunPython(
+            code=populate_roles,
+            reverse_code=migrations.RunPython.noop,
+        ),
+        migrations.RenameField(
+            model_name='project',
+            old_name='omics_uuid',
+            new_name='sodar_uuid',
+        ),
+        migrations.RenameField(
+            model_name='projectinvite',
+            old_name='omics_uuid',
+            new_name='sodar_uuid',
+        ),
+        migrations.RenameField(
+            model_name='projectsetting',
+            old_name='omics_uuid',
+            new_name='sodar_uuid',
+        ),
+        migrations.RenameField(
+            model_name='projectusertag',
+            old_name='omics_uuid',
+            new_name='sodar_uuid',
+        ),
+        migrations.RenameField(
+            model_name='roleassignment',
+            old_name='omics_uuid',
+            new_name='sodar_uuid',
+        ),
+        migrations.AlterField(
+            model_name='project',
+            name='sodar_uuid',
+            field=models.UUIDField(
+                default=uuid.uuid4, help_text='Project SODAR UUID', unique=True
+            ),
+        ),
+        migrations.AlterField(
+            model_name='projectinvite',
+            name='sodar_uuid',
+            field=models.UUIDField(
+                default=uuid.uuid4,
+                help_text='ProjectInvite SODAR UUID',
+                unique=True,
+            ),
+        ),
+        migrations.AlterField(
+            model_name='projectsetting',
+            name='sodar_uuid',
+            field=models.UUIDField(
+                default=uuid.uuid4,
+                help_text='ProjectSetting SODAR UUID',
+                unique=True,
+            ),
+        ),
+        migrations.AlterField(
+            model_name='projectusertag',
+            name='sodar_uuid',
+            field=models.UUIDField(
+                default=uuid.uuid4,
+                help_text='ProjectUserTag SODAR UUID',
+                unique=True,
+            ),
+        ),
+        migrations.AlterField(
+            model_name='roleassignment',
+            name='sodar_uuid',
+            field=models.UUIDField(
+                default=uuid.uuid4,
+                help_text='RoleAssignment SODAR UUID',
+                unique=True,
+            ),
+        ),
+        migrations.AlterField(
+            model_name='project',
+            name='description',
+            field=models.CharField(
+                blank=True,
+                help_text='Short project description',
+                max_length=512,
+                null=True,
+            ),
+        ),
+        migrations.CreateModel(
+            name='RemoteSite',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                (
+                    'name',
+                    models.CharField(
+                        help_text='Site name', max_length=255, unique=True
+                    ),
+                ),
+                ('url', models.URLField(help_text='Site URL', max_length=2000)),
+                (
+                    'mode',
+                    models.CharField(
+                        default='TARGET', help_text='Site mode', max_length=64
+                    ),
+                ),
+                ('description', models.TextField(help_text='Site description')),
+                (
+                    'secret',
+                    models.CharField(
+                        help_text='Secret token for connecting to the source site',
+                        max_length=255,
+                    ),
+                ),
+                (
+                    'sodar_uuid',
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        help_text='RemoteSite relation UUID (local)',
+                        unique=True,
+                    ),
+                ),
+            ],
+            options={
+                'ordering': ['name'],
+                'unique_together': {('url', 'mode', 'secret')},
+            },
+        ),
+        migrations.CreateModel(
+            name='RemoteProject',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                (
+                    'project_uuid',
+                    models.UUIDField(default=None, help_text='Project UUID'),
+                ),
+                (
+                    'level',
+                    models.CharField(
+                        default='NONE',
+                        help_text='Project access level',
+                        max_length=255,
+                    ),
+                ),
+                (
+                    'date_access',
+                    models.DateTimeField(
+                        help_text='DateTime of last access from/to remote site',
+                        null=True,
+                    ),
+                ),
+                (
+                    'sodar_uuid',
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        help_text='RemoteProject relation UUID (local)',
+                        unique=True,
+                    ),
+                ),
+                (
+                    'project',
+                    models.ForeignKey(
+                        blank=True,
+                        help_text='Related project object (if created locally)',
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='remotes',
+                        to='projectroles.project',
+                    ),
+                ),
+                (
+                    'site',
+                    models.ForeignKey(
+                        help_text='Remote SODAR site',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='projects',
+                        to='projectroles.remotesite',
+                    ),
+                ),
+            ],
+            options={
+                'ordering': ['site__name', 'project_uuid'],
+            },
+        ),
+        migrations.RunPython(
+            code=fix_remote_project_keys,
+            reverse_code=migrations.RunPython.noop,
+        ),
+        migrations.AddField(
+            model_name='projectsetting',
+            name='user',
+            field=models.ForeignKey(
+                blank=True,
+                help_text='User to which the setting belongs',
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name='user_settings',
+                to=settings.AUTH_USER_MODEL,
+            ),
+        ),
+        migrations.AlterField(
+            model_name='projectsetting',
+            name='project',
+            field=models.ForeignKey(
+                blank=True,
+                help_text='Project to which the setting belongs',
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name='settings',
+                to='projectroles.project',
+            ),
+        ),
+        migrations.CreateModel(
+            name='AppSetting',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                (
+                    'name',
+                    models.CharField(
+                        help_text='Name of the setting', max_length=255
+                    ),
+                ),
+                (
+                    'type',
+                    models.CharField(
+                        choices=[
+                            ('BOOLEAN', 'Boolean'),
+                            ('INTEGER', 'Integer'),
+                            ('STRING', 'String'),
+                        ],
+                        help_text='Type of the setting',
+                        max_length=64,
+                    ),
+                ),
+                (
+                    'value',
+                    models.CharField(
+                        blank=True,
+                        help_text='Value of the setting',
+                        max_length=255,
+                        null=True,
+                    ),
+                ),
+                (
+                    'sodar_uuid',
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        help_text='AppSetting SODAR UUID',
+                        unique=True,
+                    ),
+                ),
+                (
+                    'app_plugin',
+                    models.ForeignKey(
+                        help_text='App to which the setting belongs',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='settings',
+                        to='djangoplugins.plugin',
+                    ),
+                ),
+                (
+                    'project',
+                    models.ForeignKey(
+                        blank=True,
+                        help_text='Project to which the setting belongs',
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='settings',
+                        to='projectroles.project',
+                    ),
+                ),
+                (
+                    'user',
+                    models.ForeignKey(
+                        blank=True,
+                        help_text='User to which the setting belongs',
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='user_settings',
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+                (
+                    'user_modifiable',
+                    models.BooleanField(
+                        default=True, help_text='Setting visibility in forms'
+                    ),
+                ),
+                (
+                    'value_json',
+                    django.contrib.postgres.fields.jsonb.JSONField(
+                        default=dict,
+                        help_text='Optional JSON value for the setting',
+                    ),
+                ),
+            ],
+            options={
+                'ordering': ['project__title', 'app_plugin__name', 'name'],
+                # 'unique_together': {('project', 'app_plugin', 'name')},
+            },
+        ),
+        migrations.DeleteModel(
+            name='ProjectSetting',
+        ),
+        migrations.RemoveIndex(
+            model_name='roleassignment',
+            name='projectrole_project_b13795_idx',
+        ),
+        migrations.RemoveIndex(
+            model_name='roleassignment',
+            name='projectrole_user_id_0e46f7_idx',
+        ),
+        migrations.AddField(
+            model_name='remotesite',
+            name='user_display',
+            field=models.BooleanField(
+                default=True, help_text='RemoteSite visibility to users'
+            ),
+        ),
+        migrations.AlterField(
+            model_name='remotesite',
+            name='secret',
+            field=models.CharField(
+                help_text='Secret token for connecting to the source site',
+                max_length=255,
+                null=True,
+            ),
+        ),
+        migrations.AlterField(
+            model_name='appsetting',
+            name='type',
+            field=models.CharField(
+                help_text='Type of the setting', max_length=64
+            ),
+        ),
+        migrations.AlterField(
+            model_name='appsetting',
+            name='value_json',
+            field=django.contrib.postgres.fields.jsonb.JSONField(
+                default=dict,
+                help_text='Optional JSON value for the setting',
+                null=True,
+            ),
+        ),
+        migrations.AlterUniqueTogether(
+            name='appsetting',
+            unique_together={('project', 'user', 'app_plugin', 'name')},
+        ),
+        migrations.AlterField(
+            model_name='appsetting',
+            name='app_plugin',
+            field=models.ForeignKey(
+                help_text='App to which the setting belongs',
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name='settings',
+                to='djangoplugins.plugin',
+            ),
+        ),
+        migrations.AddField(
+            model_name='project',
+            name='full_title',
+            field=models.CharField(
+                help_text='Full project title with parent path (auto-generated)',
+                max_length=4096,
+                null=True,
+            ),
+        ),
+        migrations.RunPython(
+            code=populate_project_full_title,
+            reverse_code=migrations.RunPython.noop,
+        ),
+        migrations.AlterField(
+            model_name='appsetting',
+            name='value_json',
+            field=models.JSONField(
+                default=dict,
+                help_text='Optional JSON value for the setting',
+                null=True,
+            ),
+        ),
+        migrations.AddField(
+            model_name='project',
+            name='public_guest_access',
+            field=models.BooleanField(
+                default=False,
+                help_text='Allow public guest access for the project, also including unauthenticated users if allowed on the site',
+            ),
+        ),
+        migrations.AddField(
+            model_name='project',
+            name='has_public_children',
+            field=models.BooleanField(
+                default=False,
+                help_text='Whether project has children with public access (auto-generated)',
+            ),
+        ),
+        migrations.RunPython(
+            code=populate_public_children,
+            reverse_code=migrations.RunPython.noop,
+        ),
+        migrations.RemoveField(
+            model_name='project',
+            name='submit_status',
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='rank',
+            field=models.IntegerField(
+                default=0, help_text='Role rank for determining role hierarchy'
+            ),
+        ),
+        migrations.RunPython(
+            code=set_role_ranks,
+            reverse_code=migrations.RunPython.noop,
+        ),
+        migrations.AddField(
+            model_name='project',
+            name='archive',
+            field=models.BooleanField(
+                default=False, help_text='Project is archived (read-only)'
+            ),
+        ),
+        migrations.RunPython(
+            code=migrate_project_stars,
+            reverse_code=migrations.RunPython.noop,
+        ),
+        migrations.DeleteModel(
+            name='ProjectUserTag',
+        ),
+        migrations.RunPython(
+            code=delete_category_app_settings,
+            reverse_code=migrations.RunPython.noop,
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='project_types',
+            field=django.contrib.postgres.fields.ArrayField(
+                base_field=models.CharField(max_length=64),
+                default=projectroles.models.get_role_project_type_default,
+                help_text='Allowed project types for the role',
+                size=None,
+            ),
+        ),
+        migrations.AlterField(
+            model_name='roleassignment',
+            name='project',
+            field=models.ForeignKey(
+                help_text='Project in which role is assigned',
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name='local_roles',
+                to='projectroles.project',
+            ),
+        ),
+        migrations.RunPython(
+            code=populate_finder_role,
+            reverse_code=reverse_finder_role,
+        ),
+        migrations.CreateModel(
+            name='SODARUserAdditionalEmail',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                (
+                    'email',
+                    models.EmailField(
+                        help_text='Email address', max_length=254
+                    ),
+                ),
+                (
+                    'verified',
+                    models.BooleanField(
+                        default=False, help_text='Email verification status'
+                    ),
+                ),
+                (
+                    'secret',
+                    models.CharField(
+                        help_text='Secret token for email verification',
+                        max_length=255,
+                        unique=True,
+                    ),
+                ),
+                (
+                    'date_created',
+                    models.DateTimeField(
+                        auto_now_add=True, help_text='DateTime of creation'
+                    ),
+                ),
+                (
+                    'date_modified',
+                    models.DateTimeField(
+                        auto_now=True, help_text='DateTime of last modification'
+                    ),
+                ),
+                (
+                    'sodar_uuid',
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        help_text='SODARUserAdditionalEmail SODAR UUID',
+                        unique=True,
+                    ),
+                ),
+                (
+                    'user',
+                    models.ForeignKey(
+                        help_text='User for whom the email is assigned',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='additional_emails',
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+            ],
+            options={
+                'ordering': ['user__username', 'email'],
+                'unique_together': {('user', 'email')},
+            },
+        ),
+        migrations.RunPython(
+            code=populate_additional_email_model,
+            reverse_code=migrations.RunPython.noop,
+        ),
+        migrations.AddField(
+            model_name='remotesite',
+            name='owner_modifiable',
+            field=models.BooleanField(
+                default=True,
+                help_text='Allow owners and delegates to modify project access for this site',
+            ),
+        ),
+        migrations.AlterField(
+            model_name='remotesite',
+            name='user_display',
+            field=models.BooleanField(
+                default=True, help_text='Display site to users'
+            ),
+        ),
+        migrations.AlterField(
+            model_name='appsetting',
+            name='value',
+            field=models.CharField(
+                blank=True, help_text='Value of the setting', null=True
+            ),
+        ),
+    ]
diff --git a/projectroles/migrations/0026_delete_category_settings.py b/projectroles/migrations/0026_delete_category_settings.py
index c21635e5..d753bac1 100644
--- a/projectroles/migrations/0026_delete_category_settings.py
+++ b/projectroles/migrations/0026_delete_category_settings.py
@@ -12,13 +12,13 @@ def clean_up_app_settings(apps, schema_editor):
     pr_settings = AppSetting.objects.exclude(project=None)
     for app_setting in pr_settings:
         try:
-            app_name = (
+            plugin_name = (
                 app_setting.app_plugin.name
                 if app_setting.app_plugin
                 else 'projectroles'
             )
             setting_def = app_settings.get_definition(
-                app_name=app_name, name=app_setting.name
+                plugin_name=plugin_name, name=app_setting.name
             )
         except ValueError:
             app_setting.delete()
diff --git a/projectroles/migrations/0029_sodaruseradditionalemail.py b/projectroles/migrations/0029_sodaruseradditionalemail.py
new file mode 100644
index 00000000..e870777e
--- /dev/null
+++ b/projectroles/migrations/0029_sodaruseradditionalemail.py
@@ -0,0 +1,79 @@
+# Generated by Django 4.2.11 on 2024-04-25 11:48
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ("projectroles", "0028_populate_finder_role"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="SODARUserAdditionalEmail",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name="ID",
+                    ),
+                ),
+                ("email", models.EmailField(help_text="Email address", max_length=254)),
+                (
+                    "verified",
+                    models.BooleanField(
+                        default=False, help_text="Email verification status"
+                    ),
+                ),
+                (
+                    "secret",
+                    models.CharField(
+                        help_text="Secret token for email verification",
+                        max_length=255,
+                        unique=True,
+                    ),
+                ),
+                (
+                    "date_created",
+                    models.DateTimeField(
+                        auto_now_add=True, help_text="DateTime of creation"
+                    ),
+                ),
+                (
+                    "date_modified",
+                    models.DateTimeField(
+                        auto_now=True, help_text="DateTime of last modification"
+                    ),
+                ),
+                (
+                    "sodar_uuid",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        help_text="SODARUserAdditionalEmail SODAR UUID",
+                        unique=True,
+                    ),
+                ),
+                (
+                    "user",
+                    models.ForeignKey(
+                        help_text="User for whom the email is assigned",
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="additional_emails",
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+            ],
+            options={
+                "ordering": ["user__username", "email"],
+                "unique_together": {("user", "email")},
+            },
+        ),
+    ]
diff --git a/projectroles/migrations/0030_populate_sodaruseradditionalemail.py b/projectroles/migrations/0030_populate_sodaruseradditionalemail.py
new file mode 100644
index 00000000..5fe21b16
--- /dev/null
+++ b/projectroles/migrations/0030_populate_sodaruseradditionalemail.py
@@ -0,0 +1,48 @@
+# Generated by Django 4.2.11 on 2024-04-25 13:14
+
+import random
+import string
+
+from django.db import migrations
+
+
+def populate_model(apps, schema_editor):
+    """
+    Move existing additional email app settings into the
+    SODARUserAdditionalEmail model as verified emais. Delete the settings
+    objects.
+    """
+    AppSetting = apps.get_model('projectroles', 'AppSetting')
+    SODARUserAdditionalEmail = apps.get_model(
+        'projectroles', 'SODARUserAdditionalEmail'
+    )
+    for a in AppSetting.objects.filter(
+        app_plugin=None, name='user_email_additional'
+    ):
+        for v in a.value.split(';'):
+            secret = ''.join(
+                random.SystemRandom().choice(
+                    string.ascii_lowercase + string.digits
+                )
+                for _ in range(32)
+            )
+            try:
+                SODARUserAdditionalEmail.objects.create(
+                    user=a.user, email=v, verified=True, secret=secret
+                )
+            except Exception:
+                pass
+        a.delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("projectroles", "0029_sodaruseradditionalemail"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            populate_model, reverse_code=migrations.RunPython.noop
+        )
+    ]
diff --git a/projectroles/migrations/0031_remotesite_owner_modifiable.py b/projectroles/migrations/0031_remotesite_owner_modifiable.py
new file mode 100644
index 00000000..4519763d
--- /dev/null
+++ b/projectroles/migrations/0031_remotesite_owner_modifiable.py
@@ -0,0 +1,26 @@
+# Generated by Django 4.2.11 on 2024-06-11 14:30
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("projectroles", "0030_populate_sodaruseradditionalemail"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="remotesite",
+            name="owner_modifiable",
+            field=models.BooleanField(
+                default=True,
+                help_text="Allow owners and delegates to modify project access for this site",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="remotesite",
+            name="user_display",
+            field=models.BooleanField(default=True, help_text="Display site to users"),
+        ),
+    ]
diff --git a/projectroles/migrations/0032_alter_appsetting_value.py b/projectroles/migrations/0032_alter_appsetting_value.py
new file mode 100644
index 00000000..455396cb
--- /dev/null
+++ b/projectroles/migrations/0032_alter_appsetting_value.py
@@ -0,0 +1,20 @@
+# Generated by Django 4.2.13 on 2024-06-20 14:31
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("projectroles", "0031_remotesite_owner_modifiable"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="appsetting",
+            name="value",
+            field=models.CharField(
+                blank=True, help_text="Value of the setting", null=True
+            ),
+        ),
+    ]
diff --git a/projectroles/models.py b/projectroles/models.py
index 290e4342..01602443 100644
--- a/projectroles/models.py
+++ b/projectroles/models.py
@@ -1,7 +1,6 @@
 """Models for the projectroles app"""
 
 import logging
-import re
 import uuid
 
 from django.apps import apps
@@ -12,7 +11,7 @@
 from django.db import models
 from django.db.models import Q
 from django.urls import reverse
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import gettext_lazy as _
 
 from djangoplugins.models import Plugin
 from markupfield.fields import MarkupField
@@ -34,6 +33,9 @@
 PROJECT_ROLE_GUEST = SODAR_CONSTANTS['PROJECT_ROLE_GUEST']
 PROJECT_ROLE_FINDER = SODAR_CONSTANTS['PROJECT_ROLE_FINDER']
 APP_SETTING_SCOPE_SITE = SODAR_CONSTANTS['APP_SETTING_SCOPE_SITE']
+AUTH_TYPE_LOCAL = SODAR_CONSTANTS['AUTH_TYPE_LOCAL']
+AUTH_TYPE_LDAP = SODAR_CONSTANTS['AUTH_TYPE_LDAP']
+AUTH_TYPE_OIDC = SODAR_CONSTANTS['AUTH_TYPE_OIDC']
 
 # Local constants
 ROLE_RANKING = {
@@ -51,7 +53,6 @@
     ('STRING', 'String'),
     ('JSON', 'Json'),
 ]
-APP_SETTING_VAL_MAXLENGTH = 255
 PROJECT_SEARCH_TYPES = ['project']
 PROJECT_TAG_STARRED = 'STARRED'
 CAT_DELIMITER = ' / '
@@ -61,6 +62,12 @@
 ROLE_PROJECT_TYPE_ERROR_MSG = (
     'Invalid project type "{project_type}" for ' 'role "{role_name}"'
 )
+CAT_PUBLIC_ACCESS_MSG = 'Public guest access is not allowed for categories'
+ADD_EMAIL_ALREADY_SET_MSG = 'Email already set as {email_type} email for user'
+REMOTE_PROJECT_UNIQUE_MSG = (
+    'RemoteProject with the same project UUID and site anready exists'
+)
+AUTH_PROVIDER_OIDC = 'oidc'
 
 
 # Project ----------------------------------------------------------------------
@@ -107,7 +114,7 @@ class Project(models.Model):
     type = models.CharField(
         max_length=64,
         choices=PROJECT_TYPE_CHOICES,
-        default=SODAR_CONSTANTS['PROJECT_TYPE_PROJECT'],
+        default=PROJECT_TYPE_PROJECT,
         help_text='Type of project ("CATEGORY", "PROJECT")',
     )
 
@@ -197,13 +204,16 @@ def save(self, *args, **kwargs):
         self._validate_archive()
         # Update full title of self and children
         self.full_title = self._get_full_title()
+        # TODO: Save with commit=False with other args to avoid double save()?
+        super().save(*args, **kwargs)
         if self.type == PROJECT_TYPE_CATEGORY:
             for child in self.children.all():
                 child.save()
         # Update public children
         # NOTE: Parents will be updated in ProjectModifyMixin.modify_project()
-        self.has_public_children = self._has_public_children()
-        super().save(*args, **kwargs)
+        if self._has_public_children():
+            self.has_public_children = True
+            super().save(*args, **kwargs)
 
     def _validate_parent(self):
         """
@@ -214,23 +224,21 @@ def _validate_parent(self):
 
     def _validate_parent_type(self):
         """Validate parent value to ensure parent can not be a project"""
-        if (
-            self.parent
-            and self.parent.type == SODAR_CONSTANTS['PROJECT_TYPE_PROJECT']
-        ):
+        if self.parent and self.parent.type == PROJECT_TYPE_PROJECT:
             raise ValidationError(
                 'Subprojects are only allowed within categories'
             )
 
     def _validate_public_guest_access(self):
-        """Validate public guest access to ensure it is not set on categories"""
-        if (
-            self.public_guest_access
-            and self.type == SODAR_CONSTANTS['PROJECT_TYPE_CATEGORY']
-        ):
-            raise ValidationError(
-                'Public guest access is not allowed for categories'
-            )
+        """
+        Validate public guest access to ensure it is not set on categories.
+
+        NOTE: Does not prevent saving but forces the value to be False, see
+              issue #1404.
+        """
+        if self.type == PROJECT_TYPE_CATEGORY and self.public_guest_access:
+            logger.warning(CAT_PUBLIC_ACCESS_MSG + ', setting to False')
+            self.public_guest_access = False
 
     def _validate_title(self):
         """
@@ -250,10 +258,7 @@ def _validate_archive(self):
         Validate archive status against project type to ensure archiving is only
         applied to projects.
         """
-        if (
-            self.archive
-            and self.type != SODAR_CONSTANTS['PROJECT_TYPE_PROJECT']
-        ):
+        if self.archive and self.type != PROJECT_TYPE_PROJECT:
             raise ValidationError(
                 'Archiving a category is not currently supported'
             )
@@ -653,6 +658,9 @@ def is_revoked(self):
     def set_public(self, public=True):
         """Helper for setting value of public_guest_access"""
         if public != self.public_guest_access:
+            # NOTE: Validation no longer raises an exception (see ¤1404)
+            if self.type == PROJECT_TYPE_CATEGORY and public:
+                raise ValidationError(CAT_PUBLIC_ACCESS_MSG)
             self.public_guest_access = public
             self.save()
             self._update_public_children()  # Update for parents
@@ -852,14 +860,14 @@ class AppSettingManager(models.Manager):
     """Manager for custom table-level AppSetting queries"""
 
     def get_setting_value(
-        self, app_name, setting_name, project=None, user=None
+        self, plugin_name, setting_name, project=None, user=None
     ):
         """
-        Return value of setting_name for app_name in project or for user.
+        Return value of setting_name for plugin_name in project or for user.
 
         Note that project and/or user must be set.
 
-        :param app_name: App plugin name (string)
+        :param plugin_name: App plugin name (string)
         :param setting_name: Name of setting (string)
         :param project: Project object or pk
         :param user: User object or pk
@@ -871,8 +879,8 @@ def get_setting_value(
             'project': project,
             'user': user,
         }
-        if not app_name == 'projectroles':
-            query_parameters['app_plugin__name'] = app_name
+        if not plugin_name == 'projectroles':
+            query_parameters['app_plugin__name'] = plugin_name
         setting = super().get_queryset().get(**query_parameters)
         return setting.get_value()
 
@@ -929,7 +937,6 @@ class AppSetting(models.Model):
 
     #: Value of the setting
     value = models.CharField(
-        max_length=APP_SETTING_VAL_MAXLENGTH,
         unique=False,
         null=True,
         blank=True,
@@ -1094,6 +1101,31 @@ def __repr__(self):
         values = (self.project.title, self.email, self.role.name, self.active)
         return 'ProjectInvite({})'.format(', '.join(repr(v) for v in values))
 
+    # Custom row-level functions
+
+    def is_ldap(self):
+        """
+        Return True if invite is intended for an LDAP user.
+
+        :return: Boolean
+        """
+        # Only consider LDAP if enabled in Django settings
+        if not settings.ENABLE_LDAP:
+            return False
+        # Check if domain is associated with LDAP
+        domain = self.email.split('@')[1].lower()
+        domain_no_tld = domain.split('.')[0].lower()
+        ldap_domains = [
+            getattr(settings, 'AUTH_LDAP_USERNAME_DOMAIN', '').lower(),
+            getattr(settings, 'AUTH_LDAP2_USERNAME_DOMAIN', '').lower(),
+        ]
+        alt_domains = [
+            a.lower() for a in getattr(settings, 'LDAP_ALT_DOMAINS', [])
+        ]
+        if domain_no_tld in ldap_domains or domain in alt_domains:
+            return True
+        return False
+
 
 # RemoteSite -------------------------------------------------------------------
 
@@ -1141,6 +1173,19 @@ class RemoteSite(models.Model):
         help_text='Secret token for connecting to the source site',
     )
 
+    #: RemoteSite visibilty to users
+    user_display = models.BooleanField(
+        default=True, unique=False, help_text='Display site to users'
+    )
+
+    #: RemoteSite project access modifiability for owners and delegates
+    owner_modifiable = models.BooleanField(
+        default=True,
+        unique=False,
+        help_text='Allow owners and delegates to modify project access for '
+        'this site',
+    )
+
     #: RemoteSite relation UUID (local)
     sodar_uuid = models.UUIDField(
         default=uuid.uuid4,
@@ -1148,11 +1193,6 @@ class RemoteSite(models.Model):
         help_text='RemoteSite relation UUID (local)',
     )
 
-    #: RemoteSite's link visibilty for users
-    user_display = models.BooleanField(
-        default=True, unique=False, help_text='RemoteSite visibility to users'
-    )
-
     class Meta:
         ordering = ['name']
         unique_together = ['url', 'mode', 'secret']
@@ -1180,8 +1220,10 @@ def _validate_mode(self):
 
     def get_access_date(self):
         """Return date of latest project access by remote site"""
-        projects = RemoteProject.objects.filter(site=self).order_by(
-            '-date_access'
+        projects = (
+            RemoteProject.objects.filter(site=self)
+            .exclude(date_access__isnull=True)
+            .order_by('-date_access')
         )
         if projects.count() > 0:
             return projects.first().date_access
@@ -1250,6 +1292,15 @@ class RemoteProject(models.Model):
     class Meta:
         ordering = ['site__name', 'project_uuid']
 
+    def save(self, *args, **kwargs):
+        # NOTE: Can't use unique constraint with foreign key relation
+        rp = self.__class__.objects.filter(
+            project_uuid=self.project_uuid, site=self.site
+        ).first()
+        if rp and rp.id != self.id:
+            raise ValidationError(REMOTE_PROJECT_UNIQUE_MSG)
+        super().save(*args, **kwargs)
+
     def __str__(self):
         return '{}: {} ({})'.format(
             self.site.name, str(self.project_uuid), self.site.mode
@@ -1269,7 +1320,7 @@ def get_project(self):
         )
 
 
-# Abstract User Model ----------------------------------------------------------
+# User Models ------------------------------------------------------------------
 
 
 class SODARUser(AbstractUser):
@@ -1320,20 +1371,60 @@ def get_form_label(self, email=False):
             ret += ' <{}>'.format(self.email)
         return ret
 
+    def get_auth_type(self):
+        """
+        Return user authentication type: OIDC, LDAP or local.
+
+        :return: String which may equal AUTH_TYPE_OIDC, AUTH_TYPE_LDAP or
+                 AUTH_TYPE_LOCAL.
+        """
+        groups = [g.name for g in self.groups.all()]
+        if 'oidc' in groups:
+            return AUTH_TYPE_OIDC
+        elif (
+            self.username.find('@') != -1
+            and self.username.split('@')[1].lower() in groups
+        ):
+            return AUTH_TYPE_LDAP
+        return AUTH_TYPE_LOCAL
+
+    def is_local(self):
+        """
+        Return True if user is of type AUTH_TYPE_LOCAL.
+
+        :return: Boolean
+        """
+        return self.get_auth_type() == AUTH_TYPE_LOCAL
+
     def set_group(self):
-        """Set user group based on user name."""
-        if self.username.find('@') != -1:
+        """Set user group based on user name or social auth provider"""
+        social_auth = getattr(self, 'social_auth', None)
+        if social_auth:
+            social_auth = social_auth.first()
+        ldap_domains = [
+            getattr(settings, 'AUTH_LDAP_USERNAME_DOMAIN', '').upper(),
+            getattr(settings, 'AUTH_LDAP2_USERNAME_DOMAIN', '').upper(),
+        ]
+        # OIDC user group
+        if social_auth and social_auth.provider == AUTH_PROVIDER_OIDC:
+            group_name = AUTH_PROVIDER_OIDC
+        # LDAP domain user groups
+        elif (
+            self.username.find('@') != -1
+            and self.username.split('@')[1] in ldap_domains
+        ):
             group_name = self.username.split('@')[1].lower()
+        # System user group for local users
         else:
             group_name = SODAR_CONSTANTS['SYSTEM_USER_GROUP']
         group, created = Group.objects.get_or_create(name=group_name)
         if group not in self.groups.all():
             group.user_set.add(self)
+            logger.info(
+                'Set user group "{}" for {}'.format(group_name, self.username)
+            )
             return group_name
 
-    def is_local(self):
-        return not bool(re.search('@[A-Za-z0-9._-]+$', self.username))
-
     def update_full_name(self):
         """
         Update full name of user.
@@ -1341,11 +1432,19 @@ def update_full_name(self):
         :return: String
         """
         # Save user name from first_name and last_name into name
-        if self.name in ['', None] and self.first_name != '':
-            self.name = self.first_name + (
+        full_name = ''
+        if self.first_name != '':
+            full_name = self.first_name + (
                 ' ' + self.last_name if self.last_name != '' else ''
             )
-        self.save()
+        if self.name != full_name:
+            self.name = full_name
+            self.save()
+            logger.info(
+                'Full name updated for user {}: {}'.format(
+                    self.username, self.name
+                )
+            )
         return self.name
 
     def update_ldap_username(self):
@@ -1363,3 +1462,89 @@ def update_ldap_username(self):
             self.username = u_split[0] + '@' + u_split[1].upper()
             self.save()
         return self.username
+
+
+class SODARUserAdditionalEmail(models.Model):
+    """
+    Model representing an additional email address for a user. Stores
+    information for email verification.
+    """
+
+    #: User for whom the email is assigned
+    user = models.ForeignKey(
+        AUTH_USER_MODEL,
+        related_name='additional_emails',
+        help_text='User for whom the email is assigned',
+        on_delete=models.CASCADE,
+    )
+
+    #: Email address
+    email = models.EmailField(
+        unique=False,
+        null=False,
+        blank=False,
+        help_text='Email address',
+    )
+
+    #: Email verification status
+    verified = models.BooleanField(
+        default=False, help_text='Email verification status'
+    )
+
+    #: Secret token for email verification
+    secret = models.CharField(
+        max_length=255,
+        unique=True,
+        blank=False,
+        null=False,
+        help_text='Secret token for email verification',
+    )
+
+    #: DateTime of creation
+    date_created = models.DateTimeField(
+        auto_now_add=True, help_text='DateTime of creation'
+    )
+
+    #: DateTime of last modification
+    date_modified = models.DateTimeField(
+        auto_now=True, help_text='DateTime of last modification'
+    )
+
+    #: SODARUserAdditionalEmail SODAR UUID
+    sodar_uuid = models.UUIDField(
+        default=uuid.uuid4,
+        unique=True,
+        help_text='SODARUserAdditionalEmail SODAR UUID',
+    )
+
+    class Meta:
+        ordering = ['user__username', 'email']
+        unique_together = ['user', 'email']
+
+    def __str__(self):
+        return '{}: {}'.format(self.user.username, self.email)
+
+    def __repr__(self):
+        values = (
+            self.user.username,
+            self.email,
+            str(self.verified),
+            self.secret,
+            str(self.sodar_uuid),
+        )
+        return 'SODARUserAdditionalEmail({})'.format(
+            ', '.join(repr(v) for v in values)
+        )
+
+    def _validate_email_unique(self):
+        """
+        Assert the same email has not yet been set for the user.
+        """
+        if self.email == self.user.email:
+            raise ValidationError(
+                ADD_EMAIL_ALREADY_SET_MSG.format(email_type='primary')
+            )
+
+    def save(self, *args, **kwargs):
+        self._validate_email_unique()
+        super().save(*args, **kwargs)
diff --git a/projectroles/plugins.py b/projectroles/plugins.py
index b5cbb4b9..c1dba387 100644
--- a/projectroles/plugins.py
+++ b/projectroles/plugins.py
@@ -165,7 +165,7 @@ def perform_project_sync(self, project):
 
     def perform_project_setting_update(
         self,
-        app_name,
+        plugin_name,
         setting_name,
         value,
         old_value,
@@ -176,8 +176,8 @@ def perform_project_setting_update(
         Perform additional actions when updating a single app setting with
         PROJECT scope.
 
-        :param app_name: Name of app plugin for the setting, "projectroles" is
-                         used for projectroles settings (string)
+        :param plugin_name: Name of app plugin for the setting, "projectroles"
+                            is used for projectroles settings (string)
         :param setting_name: Setting name (string)
         :param value: New value for setting
         :param old_value: Previous value for setting
@@ -189,7 +189,7 @@ def perform_project_setting_update(
 
     def revert_project_setting_update(
         self,
-        app_name,
+        plugin_name,
         setting_name,
         value,
         old_value,
@@ -200,8 +200,8 @@ def revert_project_setting_update(
         Revert updating a single app setting with PROJECT scope if errors have
         occurred in other apps.
 
-        :param app_name: Name of app plugin for the setting, "projectroles" is
-                         used for projectroles settings (string)
+        :param plugin_name: Name of app plugin for the setting, "projectroles"
+                            is used for projectroles settings (string)
         :param setting_name: Setting name (string)
         :param value: New value for setting
         :param old_value: Previous value for setting
@@ -356,12 +356,12 @@ def get_object(self, model, uuid):
 
     def get_object_link(self, model_str, uuid):
         """
-        Return URL referring to an object used by the app, along with a label to
+        Return URL referring to an object used by the app, along with a name to
         be shown to the user for linking.
 
         :param model_str: Object class (string)
         :param uuid: sodar_uuid of the referred object
-        :return: Dict or None if not found
+        :return: PluginObjectLink or None if not found
         """
         obj = self.get_object(eval(model_str), uuid)
         if not obj:
@@ -384,17 +384,11 @@ def search(self, search_terms, user, search_type=None, keywords=None):
         :param user: User object for user initiating the search
         :param search_type: String
         :param keywords: List (optional)
-        :return: Dict
+        :return: List of PluginSearchResult objects
         """
         # TODO: Implement this in your app plugin
         # TODO: Implement display of results in the app's search template
-        return {
-            'all': {  # You can add 1-N lists of result items
-                'title': 'Title to be displayed',
-                'search_types': [],
-                'items': [],
-            }
-        }
+        return []
 
     def update_cache(self, name=None, project=None, user=None):
         """
@@ -497,12 +491,12 @@ def get_object(self, model, uuid):
 
     def get_object_link(self, model_str, uuid):
         """
-        Return URL referring to an object used by the app, along with a label to
+        Return URL referring to an object used by the app, along with a name to
         be shown to the user for linking.
 
         :param model_str: Object class (string)
         :param uuid: sodar_uuid of the referred object
-        :return: Dict or None if not found
+        :return: PluginObjectLink or None if not found
         """
         obj = self.get_object(eval(model_str), uuid)
         if not obj:
@@ -604,12 +598,12 @@ def get_object(self, model, uuid):
 
     def get_object_link(self, model_str, uuid):
         """
-        Return URL referring to an object used by the app, along with a label to
+        Return URL referring to an object used by the app, along with a name to
         be shown to the user for linking.
 
         :param model_str: Object class (string)
         :param uuid: sodar_uuid of the referred object
-        :return: Dict or None if not found
+        :return: PluginObjectLink or None if not found
         """
         obj = self.get_object(eval(model_str), uuid)
         if not obj:
@@ -634,6 +628,73 @@ def validate_form_app_settings(self, app_settings, user=None):
         return None
 
 
+# Data Classes -----------------------------------------------------------------
+
+
+class PluginObjectLink:
+    """
+    Class representing a hyperlink to an object used by the app. Expected to be
+    returned from get_object_link() implementations.
+    """
+
+    #: URL to the object (string)
+    url = None
+    #: Name of the object to be displayed in link (string, formerly "label")
+    name = None
+    #: Open the link in a blank browser tab (boolean, default=False)
+    blank = False
+
+    def __init__(self, url, name, blank=False):
+        """
+        Initialize PluginObjectLink.
+
+        :param url: URL to the object (string)
+        :param name: Name of the object to be displayed in link (string,
+                     formerly "label")
+        :param blank: Open the link in a blank browser tab (boolean,
+                      default=False)
+        """
+        self.url = url
+        self.name = name
+        self.blank = blank
+
+
+class PluginSearchResult:
+    """
+    Class representing a list of search results from a specific plugin for one
+    or more search types. Expected to be returned from search() implementations.
+    """
+
+    #: Category of the result set, used in templates (string)
+    category = None
+    #: Title to be displayed for this set of search results in the UI (string)
+    title = None
+    #: List of one or more search type keywords for these results
+    search_types = []
+    #: List or QuerySet of result objects
+    items = []
+
+    def __init__(self, category, title, search_types, items):
+        """
+        Initialize PluginSearchResult.
+
+        :param category: Category of the result set, used in templates (string)
+        :param title: Title to be displayed for this set of search results in
+                      the UI (string)
+        :param search_types: List of one or more search type keywords for the
+                             results
+        :param items: List or QuerySet of result objects
+        """
+        self.category = category
+        self.title = title
+        self.search_types = search_types
+        if not isinstance(search_types, list) or len(search_types) < 1:
+            raise ValueError(
+                'At least one type keyword must be provided in search_types'
+            )
+        self.items = items
+
+
 # Plugin API -------------------------------------------------------------------
 
 
@@ -667,9 +728,11 @@ def get_active_plugins(plugin_type='project_app', custom_order=False):
         ]
         return sorted(
             ret,
-            key=lambda x: x.plugin_ordering
-            if custom_order and plugin_type == 'project_app'
-            else x.name,
+            key=lambda x: (
+                x.plugin_ordering
+                if custom_order and plugin_type == 'project_app'
+                else x.name
+            ),
         )
     return None
 
diff --git a/projectroles/remote_projects.py b/projectroles/remote_projects.py
index d39d9cf4..3bf2e7d3 100644
--- a/projectroles/remote_projects.py
+++ b/projectroles/remote_projects.py
@@ -6,7 +6,6 @@
 import urllib
 
 from copy import deepcopy
-from packaging import version
 
 from django.conf import settings
 from django.contrib import auth
@@ -20,7 +19,7 @@
 
 from projectroles.app_settings import (
     AppSettingAPI,
-    APP_SETTING_LOCAL_DEFAULT,
+    APP_SETTING_GLOBAL_DEFAULT,
 )
 from projectroles.models import (
     Project,
@@ -28,6 +27,7 @@
     RoleAssignment,
     RemoteProject,
     RemoteSite,
+    SODARUserAdditionalEmail,
     SODAR_CONSTANTS,
     AppSetting,
 )
@@ -47,15 +47,16 @@
 SITE_MODE_TARGET = SODAR_CONSTANTS['SITE_MODE_TARGET']
 SITE_MODE_SOURCE = SODAR_CONSTANTS['SITE_MODE_SOURCE']
 SITE_MODE_PEER = SODAR_CONSTANTS['SITE_MODE_PEER']
-
 REMOTE_LEVEL_NONE = SODAR_CONSTANTS['REMOTE_LEVEL_NONE']
 REMOTE_LEVEL_REVOKED = SODAR_CONSTANTS['REMOTE_LEVEL_REVOKED']
 REMOTE_LEVEL_VIEW_AVAIL = SODAR_CONSTANTS['REMOTE_LEVEL_VIEW_AVAIL']
 REMOTE_LEVEL_READ_INFO = SODAR_CONSTANTS['REMOTE_LEVEL_READ_INFO']
 REMOTE_LEVEL_READ_ROLES = SODAR_CONSTANTS['REMOTE_LEVEL_READ_ROLES']
+SYSTEM_USER_GROUP = SODAR_CONSTANTS['SYSTEM_USER_GROUP']
 
 # Local constants
 APP_NAME = 'projectroles'
+NO_LOCAL_USERS_MSG = 'Local users not allowed'
 
 
 class RemoteProjectAPI:
@@ -80,6 +81,9 @@ def __init__(self):
         #: Updated parent projects in current sync operation
         self.updated_parents = []
 
+        #: User name/UUID lookup
+        self.user_lookup = {}
+
     # Internal Source Site Functions -------------------------------------------
 
     @classmethod
@@ -105,9 +109,9 @@ def _add_parent_categories(cls, sync_data, category, project_level):
             cat_data = {
                 'title': category.title,
                 'type': PROJECT_TYPE_CATEGORY,
-                'parent_uuid': str(category.parent.sodar_uuid)
-                if category.parent
-                else None,
+                'parent_uuid': (
+                    str(category.parent.sodar_uuid) if category.parent else None
+                ),
                 'description': category.description,
                 'readme': category.readme.raw,
             }
@@ -156,59 +160,84 @@ def _add_user(cls, sync_data, user):
         if user.username not in [
             u['username'] for u in sync_data['users'].values()
         ]:
+            add_emails = SODARUserAdditionalEmail.objects.filter(
+                user=user, verified=True
+            )
             sync_data['users'][str(user.sodar_uuid)] = {
                 'username': user.username,
                 'name': user.name,
                 'first_name': user.first_name,
                 'last_name': user.last_name,
                 'email': user.email,
+                'additional_emails': [e.email for e in add_emails],
                 'groups': [g.name for g in user.groups.all()],
+                'sodar_uuid': str(user.sodar_uuid),
             }
         return sync_data
 
     @classmethod
-    def _add_app_setting(cls, sync_data, app_setting, all_defs, add_user_name):
+    def _add_app_setting(cls, sync_data, app_setting, all_defs):
         """
         Add app setting to sync data on source site.
 
         :param sync_data: Sync data to be updated (dict)
         :param app_setting: AppSetting object
         :param all_defs: All settings defs
-        :param add_user_name: Add user_name to sync data (boolean)
         :return: Updated sync_data (dict)
         """
         if app_setting.app_plugin:
             plugin_name = app_setting.app_plugin.name
         else:
             plugin_name = 'projectroles'
-        local = (
-            all_defs.get(plugin_name, {})
-            .get(app_setting.name, {})
-            .get('local', APP_SETTING_LOCAL_DEFAULT)
+        global_val = app_settings.get_global_value(
+            all_defs.get(plugin_name, {}).get(app_setting.name, {})
         )
-        # TODO: Remove user_name once #1316 and #1317 are implemented
+        # NOTE: Provide user_name in case of local target users
         sync_data['app_settings'][str(app_setting.sodar_uuid)] = {
             'name': app_setting.name,
             'type': app_setting.type,
             'value': app_setting.value,
             'value_json': app_setting.value_json,
-            'app_plugin': app_setting.app_plugin.name
-            if app_setting.app_plugin
-            else None,
-            'project_uuid': str(app_setting.project.sodar_uuid)
-            if app_setting.project
-            else None,
-            'user_uuid': str(app_setting.user.sodar_uuid)
-            if app_setting.user
-            else None,
-            'local': local,
+            'app_plugin': (
+                app_setting.app_plugin.name if app_setting.app_plugin else None
+            ),
+            'project_uuid': (
+                str(app_setting.project.sodar_uuid)
+                if app_setting.project
+                else None
+            ),
+            'user_uuid': (
+                str(app_setting.user.sodar_uuid) if app_setting.user else None
+            ),
+            'user_name': (
+                app_setting.user.username if app_setting.user else None
+            ),
+            'global': global_val,
         }
-        if add_user_name:
-            sync_data['app_settings'][str(app_setting.sodar_uuid)][
-                'user_name'
-            ] = (app_setting.user.username if app_setting.user else None)
         return sync_data
 
+    @classmethod
+    def _get_app_setting_error(cls, app_setting, exception):
+        """
+        Return app setting error message to be logged.
+
+        :param app_setting: AppSetting object
+        :param exception: Exception object
+        :return: String
+        """
+        return (
+            'Failed to add app setting "{}.settings.{}" (UUID={}): {} '
+        ).format(
+            (
+                app_setting.app_plugin.name
+                if app_setting.app_plugin
+                else 'projectroles'
+            ),
+            app_setting.name,
+            app_setting.sodar_uuid,
+            exception,
+        )
+
     # Source Site API functions ------------------------------------------------
 
     def get_source_data(self, target_site, req_version=None):
@@ -220,13 +249,6 @@ def get_source_data(self, target_site, req_version=None):
         :param req_version: Request version (string)
         :return: Dict
         """
-        # TODO: Remove user_name workaround when API backwards compatibility to
-        #       <0.13.3 is removed
-        if not req_version:
-            from projectroles.views_api import CORE_API_DEFAULT_VERSION
-
-            req_version = CORE_API_DEFAULT_VERSION
-        add_user_name = version.parse(req_version) >= version.parse('0.13.3')
         sync_data = {
             'users': {},
             'projects': {},
@@ -250,24 +272,11 @@ def get_source_data(self, target_site, req_version=None):
             ]
 
             # Get and add app settings for project
-            # NOTE: Also provide global settings in case they are not yet set
             for a in AppSetting.objects.filter(project=project):
                 try:
-                    sync_data = self._add_app_setting(
-                        sync_data, a, all_defs, add_user_name
-                    )
+                    sync_data = self._add_app_setting(sync_data, a, all_defs)
                 except Exception as ex:
-                    logger.error(
-                        'Failed to add app setting "{}.settings.{}" '
-                        '(UUID={}): {} '.format(
-                            a.app_plugin.name
-                            if a.app_plugin
-                            else 'projectroles',
-                            a.name,
-                            a.sodar_uuid,
-                            ex,
-                        )
-                    )
+                    logger.error(self._get_app_setting_error(a, ex))
 
             # RemoteSite data to create objects on target site
             for site in remote_sites:
@@ -314,6 +323,13 @@ def get_source_data(self, target_site, req_version=None):
                         }
                         sync_data = self._add_user(sync_data, role_as.user)
             sync_data['projects'][str(rp.project_uuid)] = project_data
+
+        # Sync USER scope settings
+        for a in AppSetting.objects.filter(project=None).exclude(user=None):
+            try:
+                sync_data = self._add_app_setting(sync_data, a, all_defs)
+            except Exception as ex:
+                logger.error(self._get_app_setting_error(a, ex))
         return sync_data
 
     def get_remote_data(self, site):
@@ -325,8 +341,8 @@ def get_remote_data(self, site):
         :return: remote data (dict)
         """
         from projectroles.views_api import (
-            CORE_API_MEDIA_TYPE,
-            CORE_API_DEFAULT_VERSION,
+            SYNC_API_MEDIA_TYPE,
+            SYNC_API_DEFAULT_VERSION,
         )
 
         api_url = site.get_url() + reverse(
@@ -338,7 +354,7 @@ def get_remote_data(self, site):
             api_req.add_header(
                 'accept',
                 '{}; version={}'.format(
-                    CORE_API_MEDIA_TYPE, CORE_API_DEFAULT_VERSION
+                    SYNC_API_MEDIA_TYPE, SYNC_API_DEFAULT_VERSION
                 ),
             )
             response = urllib.request.urlopen(api_req)
@@ -358,6 +374,19 @@ def get_remote_data(self, site):
 
     # Internal Target Site Functions -------------------------------------------
 
+    @staticmethod
+    def _is_local_user(user_data):
+        """
+        Return True if user data denotes a local user.
+
+        :param user_data: Dict
+        :return: Boolean
+        """
+        return (
+            not user_data.get('groups')
+            or SYSTEM_USER_GROUP in user_data['groups']
+        )
+
     @staticmethod
     def _update_obj(obj, obj_data, fields):
         """
@@ -401,18 +430,31 @@ def _check_local_categories(self, uuid):
 
     def _sync_user(self, uuid, user_data):
         """
-        Synchronize LDAP user on target site.
+        Synchronize user on target site. For local users, will only update an
+        existing user object. Local users must be manually created. If local
+        users are not allowed, data is not synchronized.
 
         :param uuid: User UUID (string)
         :param user_data: User sync data (dict)
         """
+        # Don't sync local users if disallowed
+        allow_local = getattr(settings, 'PROJECTROLES_ALLOW_LOCAL_USERS', False)
+        if self._is_local_user(user_data) and not allow_local:
+            logger.info(NO_LOCAL_USERS_MSG)
+            return
+        # Add UUID to user_data to ensure it gets synced
+        user_data['sodar_uuid'] = uuid
+        # Pop additional emails
+        # TODO: Simply omit this from object creation/update instead?
+        add_emails = user_data.pop('additional_emails')
+
         # Update existing user
         try:
             user = User.objects.get(username=user_data['username'])
             updated_fields = []
             for k, v in user_data.items():
                 if (
-                    k not in ['groups', 'sodar_uuid']
+                    k != 'groups'
                     and hasattr(user, k)
                     and str(getattr(user, k)) != str(v)
                 ):
@@ -452,6 +494,14 @@ def _sync_user(self, uuid, user_data):
 
         # Create new user
         except User.DoesNotExist:
+            if self._is_local_user(user_data):
+                logger.warning(
+                    'Local user "{}" not found: local users must '
+                    'be manually created before they can be synced'.format(
+                        user_data['username']
+                    )
+                )
+                return
             create_values = {
                 k: v for k, v in user_data.items() if k != 'groups'
             }
@@ -468,6 +518,29 @@ def _sync_user(self, uuid, user_data):
                     )
                 )
 
+        # Sync additional emails
+        deleted_emails = SODARUserAdditionalEmail.objects.filter(
+            user=user
+        ).exclude(email__in=add_emails)
+        for e in deleted_emails:
+            e.delete()
+            logger.info(
+                'Deleted user {} additional email "{}"'.format(
+                    user.username, e.email
+                )
+            )
+        for e in add_emails:
+            email_obj = SODARUserAdditionalEmail.objects.create(
+                user=user, email=e, verified=True
+            )
+            logger.info(
+                'Created user {} additional email "{}"'.format(
+                    user.username, email_obj.email
+                )
+            )
+        # HACK: Re-add additional emails
+        user_data['additional_emails'] = add_emails
+
     def _handle_user_error(self, error_msg, project, role_uuid):
         """
         Handle user sync error on target site.
@@ -545,7 +618,7 @@ def _update_project(self, project, project_data, parent):
                     user=self.tl_user,
                     event_name='remote_project_update',
                     description=tl_desc,
-                    status_type='OK',
+                    status_type=self.timeline.TL_STATUS_OK,
                 )
                 tl_event.add_object(
                     self.source_site, 'site', self.source_site.name
@@ -598,7 +671,7 @@ def _create_project(self, uuid, project_data, parent):
                 user=self.tl_user,
                 event_name='remote_project_create',
                 description='create project from remote site {site}',
-                status_type='OK',
+                status_type=self.timeline.TL_STATUS_OK,
             )
             # TODO: Add extra_data
             tl_event.add_object(self.source_site, 'site', self.source_site.name)
@@ -668,8 +741,11 @@ def _update_roles(self, project, project_data):
                 continue
 
             # Ensure the user is valid
+            local_user = self._is_local_user(
+                self.remote_data['users'][self.user_lookup[r['user']]]
+            )
             if (
-                '@' not in r['user']
+                local_user
                 and not allow_local
                 and r['role'] != PROJECT_ROLE_OWNER
             ):
@@ -679,10 +755,9 @@ def _update_roles(self, project, project_data):
                 )
                 self._handle_user_error(error_msg, project, r_uuid)
                 continue
-
             # If local user, ensure they exist
             elif (
-                '@' not in r['user']
+                local_user
                 and allow_local
                 and r['role'] != PROJECT_ROLE_OWNER
                 and not User.objects.filter(username=r['user']).first()
@@ -693,21 +768,20 @@ def _update_roles(self, project, project_data):
                 )
                 self._handle_user_error(error_msg, project, r_uuid)
                 continue
-
-            # Use the default owner, if owner role for a non-LDAP user and local
+            # Use the default owner, if owner role is for local user and local
             # users are not allowed
             if (
-                r['role'] == PROJECT_ROLE_OWNER
+                local_user
+                and r['role'] == PROJECT_ROLE_OWNER
                 and (
                     not allow_local
                     or not User.objects.filter(username=r['user']).first()
                 )
-                and '@' not in r['user']
             ):
                 role_user = self.default_owner
                 # Notify of assigning role to default owner
                 status_msg = (
-                    'Non-LDAP/AD user "{}" set as owner, assigning role '
+                    'Local user "{}" set as owner, assigning role '
                     'to user "{}"'.format(
                         r['user'], self.default_owner.username
                     )
@@ -756,7 +830,7 @@ def _update_roles(self, project, project_data):
                         user=self.tl_user,
                         event_name='remote_role_update',
                         description=tl_desc,
-                        status_type='OK',
+                        status_type=self.timeline.TL_STATUS_OK,
                     )
                     tl_event.add_object(role_user, 'user', role_user.username)
                     tl_event.add_object(
@@ -793,7 +867,7 @@ def _update_roles(self, project, project_data):
                         user=self.tl_user,
                         event_name='remote_role_create',
                         description=tl_desc,
-                        status_type='OK',
+                        status_type=self.timeline.TL_STATUS_OK,
                     )
                     tl_event.add_object(role_user, 'user', role_user.username)
                     tl_event.add_object(
@@ -846,7 +920,7 @@ def _remove_deleted_roles(self, project, project_data):
                         user=self.tl_user,
                         event_name='remote_role_delete',
                         description=tl_desc,
-                        status_type='OK',
+                        status_type=timeline.TL_STATUS_OK,
                     )
                     tl_event.add_object(del_user, 'user', del_user.username)
                     tl_event.add_object(
@@ -945,7 +1019,6 @@ def _sync_project(self, uuid, project_data):
         ]:
             return
         # Create/update roles
-        # NOTE: Only update AD/LDAP user roles and local owner roles
         if project_data['level'] == REMOTE_LEVEL_READ_ROLES:
             self._update_roles(project, project_data)
         # Remove deleted user roles (also for REVOKED projects)
@@ -1037,8 +1110,7 @@ def _remove_revoked_peers(cls, uuid, project_data):
                 )
             )
 
-    @classmethod
-    def _sync_app_setting(cls, uuid, set_data):
+    def _sync_app_setting(self, uuid, set_data):
         """
         Create or update an AppSetting on a target site.
 
@@ -1047,37 +1119,42 @@ def _sync_app_setting(cls, uuid, set_data):
         """
         ad = deepcopy(set_data)
         app_plugin = None
-        project = None
         user = None
+        user_name = ad.get('user_name')
+        user_uuid = ad.get('user_uuid')
+        project = None
+        obj = None
+        skip_msg = 'Skipping setting "{}": '.format(ad['name'])
 
         # Get app plugin (skip the rest if not found on target server)
         if ad['app_plugin']:
             app_plugin = Plugin.objects.filter(name=ad['app_plugin']).first()
             if not app_plugin:
                 logger.debug(
-                    'Skipping setting "{}": App plugin not found with name '
-                    '"{}"'.format(ad['name'], ad['app_plugin'])
+                    skip_msg + 'App plugin not found with name '
+                    '"{}"'.format(ad['app_plugin'])
                 )
                 return
-
-        if ad['project_uuid']:
-            project = Project.objects.get(sodar_uuid=ad['project_uuid'])
-        # TODO: Use UUID for LDAP users once #1316 and #1317 are implemented
-        if ad.get('user_name'):
+        if user_name:
+            local_user = self._is_local_user(
+                self.remote_data['users'][user_uuid]
+            )
+            allow_local = getattr(
+                settings, 'PROJECTROLES_ALLOW_LOCAL_USERS', False
+            )
+            if local_user and not allow_local:
+                logger.info(skip_msg + NO_LOCAL_USERS_MSG)
+                return
+            user = User.objects.filter(sodar_uuid=user_uuid).first()
             # User may not be found if e.g. local users allowed but not created
-            user = User.objects.filter(username=ad['user_name']).first()
             if not user:
                 logger.info(
-                    'Skipping setting {}: User not found'.format(ad['name'])
+                    'Skipping setting "{}": User not found (user_name={}; '
+                    'user_uuid={})'.format(ad['name'], user_name, user_uuid)
                 )
                 return
-        # Skip for now, as UUIDs have not been correctly synced
-        # TODO: Remove skip after #1316 and #1317
-        elif ad['user_uuid']:
-            logger.info(
-                'Skipping setting {}: user_name not present'.format(ad['name'])
-            )
-            return
+        if ad['project_uuid']:
+            project = Project.objects.get(sodar_uuid=ad['project_uuid'])
 
         try:
             obj = AppSetting.objects.get(
@@ -1087,7 +1164,7 @@ def _sync_app_setting(cls, uuid, set_data):
                 user=user,
             )
             # Keep target instance of local app setting if available
-            if ad.get('local', APP_SETTING_LOCAL_DEFAULT):
+            if not ad.get('global', APP_SETTING_GLOBAL_DEFAULT):
                 logger.info('Keeping local setting {}'.format(ad['name']))
                 set_data['status'] = 'skipped'
                 return
@@ -1100,16 +1177,16 @@ def _sync_app_setting(cls, uuid, set_data):
                 )
                 set_data['status'] = 'skipped'
                 return
-            # Else update existing value by recreating object
+            # Else update existing value
             action_str = 'updating'
-            obj.delete()
         except ObjectDoesNotExist:
             action_str = 'creating'
 
         # Remove keys that are not available in the model
-        ad.pop('local', None)
+        ad.pop('global', None)
+        ad.pop('local', None)  # TODO: Remove in v1.1 (see #1394)
         ad.pop('project_uuid', None)
-        ad.pop('user_name', None)  # TODO: Remove once user UUID support added
+        ad.pop('user_name', None)
         ad.pop('user_uuid', None)
         # Add keys required for the model
         ad['project'] = project
@@ -1118,9 +1195,13 @@ def _sync_app_setting(cls, uuid, set_data):
         if app_plugin:
             ad['app_plugin'] = app_plugin
 
-        # Create new app setting
-        obj = AppSetting(**ad)
         logger.info('{} setting {}'.format(action_str.capitalize(), str(obj)))
+        logger.debug('Setting data: {}'.format(ad))
+        if action_str == 'updating' and obj:  # Update existing setting object
+            for k, v in ad.items():
+                setattr(obj, k, v)
+        else:  # Create new setting object
+            obj = AppSetting(**ad)
         obj.save()
         set_data['status'] = action_str.replace('ing', 'ed')
 
@@ -1206,14 +1287,12 @@ def sync_remote_data(self, site, remote_data, request=None):
             logger.info('No new Peer Sites to sync')
 
         # Users
-        logger.info('Synchronizing LDAP/AD users..')
-        # NOTE: only sync LDAP/AD users
-        for u_uuid, u_data in {
-            k: v
-            for k, v in self.remote_data['users'].items()
-            if '@' in v['username']
-        }.items():
+        logger.info('Synchronizing users..')
+        # NOTE: Add all users here, only update local users within _sync_user()
+        for u_uuid, u_data in self.remote_data['users'].items():
             self._sync_user(u_uuid, u_data)
+            # HACK: Populate user lookup
+            self.user_lookup[u_data['username']] = u_uuid
         logger.info('User sync OK')
 
         # Categories and Projects
@@ -1236,9 +1315,11 @@ def sync_remote_data(self, site, remote_data, request=None):
             except Exception as ex:
                 logger.error(
                     'Failed to set app setting "{}.setting.{}" ({}): {}'.format(
-                        a_data['app_plugin']
-                        if a_data['app_plugin']
-                        else 'projectroles',
+                        (
+                            a_data['app_plugin']
+                            if a_data['app_plugin']
+                            else 'projectroles'
+                        ),
                         a_data['name'],
                         a_uuid,
                         ex,
diff --git a/projectroles/rules.py b/projectroles/rules.py
index e634cec8..37a30fbb 100644
--- a/projectroles/rules.py
+++ b/projectroles/rules.py
@@ -142,6 +142,18 @@ def is_allowed_anonymous(user):
     return False
 
 
+@rules.predicate
+def is_source_site():
+    """Return True if PROJECTROLES_SITE_MODE is set to SITE_MODE_PROJECT"""
+    return settings.PROJECTROLES_SITE_MODE == SITE_MODE_SOURCE
+
+
+@rules.predicate
+def is_target_site():
+    """Return True if PROJECTROLES_SITE_MODE is set to SITE_MODE_TARGET"""
+    return settings.PROJECTROLES_SITE_MODE == SITE_MODE_TARGET
+
+
 # Combined predicates ----------------------------------------------------------
 
 
diff --git a/projectroles/serializers.py b/projectroles/serializers.py
index 7048b6b3..b459cfe1 100644
--- a/projectroles/serializers.py
+++ b/projectroles/serializers.py
@@ -14,6 +14,7 @@
     RoleAssignment,
     ProjectInvite,
     AppSetting,
+    SODARUserAdditionalEmail,
     SODAR_CONSTANTS,
     ROLE_RANKING,
     CAT_DELIMITER,
@@ -147,9 +148,26 @@ def to_representation(self, instance):
 class SODARUserSerializer(SODARModelSerializer):
     """Serializer for the user model used in SODAR Core based sites"""
 
+    additional_emails = serializers.SerializerMethodField()
+
     class Meta:
         model = User
-        fields = ['username', 'name', 'email', 'is_superuser', 'sodar_uuid']
+        fields = [
+            'username',
+            'name',
+            'email',
+            'additional_emails',
+            'is_superuser',
+            'sodar_uuid',
+        ]
+
+    def get_additional_emails(self, obj):
+        return [
+            e.email
+            for e in SODARUserAdditionalEmail.objects.filter(
+                user=obj, verified=True
+            ).order_by('email')
+        ]
 
 
 # Projectroles Serializers -----------------------------------------------------
@@ -367,10 +385,12 @@ class Meta:
             'readme',
             'public_guest_access',
             'archive',
+            'full_title',
             'owner',
             'roles',
             'sodar_uuid',
         ]
+        read_only_fields = ['full_title']
 
     def _validate_parent(self, parent, attrs, current_user, disable_categories):
         """Validate parent field"""
@@ -546,7 +566,7 @@ def to_representation(self, instance):
             title=ret['title'],
             **{'parent__sodar_uuid': parent} if parent else {},
         )
-        # Return only title and UUID for projects with finder role
+        # Return only title, full title and UUID for projects with finder role
         user = self.context['request'].user
         if (
             project.type == PROJECT_TYPE_PROJECT
@@ -560,6 +580,7 @@ def to_representation(self, instance):
             ):
                 return {
                     'title': project.title,
+                    'full_title': project.full_title,
                     'sodar_uuid': str(project.sodar_uuid),
                 }
         # Else return full serialization
@@ -575,6 +596,8 @@ def to_representation(self, instance):
                 ret['roles'][k]['inherited'] = (
                     True if role_as.project != project else False
                 )
+        # Set full_title manually
+        ret['full_title'] = project.full_title
         return ret
 
 
@@ -585,13 +608,13 @@ class AppSettingSerializer(SODARProjectModelSerializer):
     directly is not the intended way to set/get app settings.
     """
 
-    app_name = serializers.CharField(read_only=True)
+    plugin_name = serializers.CharField(read_only=True)
     user = SODARUserSerializer(read_only=True)
 
     class Meta:
         model = AppSetting
         fields = [
-            'app_name',
+            'plugin_name',
             'project',
             'user',
             'name',
@@ -605,8 +628,8 @@ def to_representation(self, instance):
         """Override to clean up data for serialization"""
         ret = super().to_representation(instance)
         if instance.app_plugin:
-            ret['app_name'] = instance.app_plugin.name
+            ret['plugin_name'] = instance.app_plugin.name
         else:
-            ret['app_name'] = 'projectroles'
+            ret['plugin_name'] = 'projectroles'
         ret['value'] = instance.get_value()
         return ret
diff --git a/projectroles/signals.py b/projectroles/signals.py
index 9808f9e5..13444b4c 100644
--- a/projectroles/signals.py
+++ b/projectroles/signals.py
@@ -9,6 +9,8 @@
     user_login_failed,
 )
 
+from projectroles.models import AUTH_PROVIDER_OIDC
+
 
 logger = logging.getLogger(__name__)
 
@@ -20,6 +22,7 @@ def handle_ldap_login(sender, user, **kwargs):
     """Signal for LDAP login handling"""
     try:
         if hasattr(user, 'ldap_username'):
+            logger.debug('Updating LDAP user..')
             user.update_full_name()
             user.update_ldap_username()
     except Exception as ex:
@@ -28,6 +31,22 @@ def handle_ldap_login(sender, user, **kwargs):
             raise ex
 
 
+def handle_oidc_login(sender, user, **kwargs):
+    """Signal for OIDC login handling"""
+    social_auth = getattr(user, 'social_auth', None)
+    if not social_auth:
+        return
+    try:
+        social_auth = social_auth.first()
+        if social_auth and social_auth.provider == AUTH_PROVIDER_OIDC:
+            logger.debug('Updating OIDC user..')
+            user.update_full_name()
+    except Exception as ex:
+        logger.error('Exception in handle_oidc_login(): {}'.format(ex))
+        if settings.DEBUG:
+            raise ex
+
+
 def assign_user_group(sender, user, **kwargs):
     """Signal for user group assignment"""
     try:
@@ -55,6 +74,7 @@ def log_user_login_failure(sender, credentials, **kwargs):
 
 
 user_logged_in.connect(handle_ldap_login)
+user_logged_in.connect(handle_oidc_login)
 user_logged_in.connect(assign_user_group)
 user_logged_in.connect(log_user_login)
 user_logged_out.connect(log_user_logout)
diff --git a/projectroles/static/projectroles/css/projectroles.css b/projectroles/static/projectroles/css/projectroles.css
index a9431f1a..5d14e241 100644
--- a/projectroles/static/projectroles/css/projectroles.css
+++ b/projectroles/static/projectroles/css/projectroles.css
@@ -392,6 +392,10 @@ dl dd {
   border-radius: .25rem;
 }
 
+/* Fix for incorrect highlight color after DAL upgrade (#1412) */
+.select2-results__option--highlighted {
+  color: #ffffff !important;
+}
 
 /* HACK for Bootstrap v4 button group alignment with dropdown enabled */
 .btn {
@@ -406,6 +410,12 @@ dl dd {
   height: 2.35em;
 }
 
+/* Enable disabling button-style anchors */
+a.btn[disabled='disabled'] {
+  pointer-events: none;
+  opacity: 75%;
+}
+
 .sodar-list-btn-group {
   height: 1.65em;
 }
@@ -435,6 +445,7 @@ a.sodar-pr-btn-copy-secret i {
 
 .sodar-pr-sidebar-nav-item a {
   padding-bottom: 2px !important;
+  word-break: break-word;
 }
 
 .sodar-pr-sidebar-alt-btn {
@@ -634,6 +645,9 @@ span.select2-selection__rendered {
 
 /* Misc --------------------------------------------------------------------- */
 
+hr {
+  border-color: #dfdfdf;
+}
 
 img.sodar-navbar-logo {
   height: 36px;
diff --git a/projectroles/static/projectroles/js/project_detail.js b/projectroles/static/projectroles/js/project_detail.js
new file mode 100644
index 00000000..51dc2b4f
--- /dev/null
+++ b/projectroles/static/projectroles/js/project_detail.js
@@ -0,0 +1,40 @@
+/* Project detail view specific JQuery */
+
+/* Update target/peer remote project links once accessed */
+var updateRemoteProjectLinks = function() {
+    var linkUuids = [];
+    $('.sodar-pr-link-remote').each(function() {
+      if (!$(this).hasClass('sodar-pr-link-remote-source')
+          && $(this).attr('disabled') === 'disabled') {
+        linkUuids.push($(this).attr('data-uuid'));
+      }
+    });
+    if (linkUuids.length > 0) {
+        var queryParams = []
+        for (var i = 0; i < linkUuids.length; i++) {
+          queryParams.push(['rp', linkUuids[i]])
+        }
+        $.ajax({
+            url: window.remoteLinkUrl + '?' + new URLSearchParams(queryParams),
+            method: 'GET',
+            dataType: 'JSON',
+        }).done(function (data) {
+          for (var k in data) {
+            var elem = $('a[data-uuid="' +k + '"]');
+            if (elem.attr('disabled') === 'disabled' && data[k] === true) {
+                elem.removeAttr('disabled');
+            }
+          }
+      });
+    }};
+
+$(document).ready(function() {
+  // Set up remote project link updating, omit categories
+  if ($('div#sodar-pr-page-container-detail').attr(
+          'data-project-type') === 'PROJECT') {
+      updateRemoteProjectLinks();
+      setInterval(function () {
+          updateRemoteProjectLinks();
+      }, 5000);
+  }
+});
diff --git a/projectroles/static/projectroles/js/project_form.js b/projectroles/static/projectroles/js/project_form.js
index 4a3acdb8..b6e8a974 100644
--- a/projectroles/static/projectroles/js/project_form.js
+++ b/projectroles/static/projectroles/js/project_form.js
@@ -1,83 +1,64 @@
 $(document).ready(function() {
     // Hide settings fields by default
     $('div[id^="div_id_settings"]').hide();
-
-    // Temporary solution for hiding the public_guest_access field
+    // Hide public_guest_access field by default
     $('#div_id_public_guest_access').hide();
+    // Hide remote sites by default
+    $('div[id^="div_id_remote_site"]').hide();
 
     // Check if it's category/project update and show corresponding fields
     if ($('#sodar-pr-project-form-title').attr('data-project-type') === 'PROJECT') {
         $('div[id^="div_id_settings"]').each(function () {
             var $parentDiv = $(this);
-            var $projectElements = $parentDiv.find('select[data-project-types="project"]')
-                .add($parentDiv.find('input[data-project-types="project"]'))
-                .add($parentDiv.find('textarea[data-project-types="project"]'))
-                .add($parentDiv.find('select[data-project-types="project,category"]'))
-                .add($parentDiv.find('input[data-project-types="project,category"]'))
-                .add($parentDiv.find('textarea[data-project-types="project,category"]'));
-            if ($projectElements.length > 0) {
-                $parentDiv.show();
-            } else {
-                $parentDiv.hide();
-            }
+            var $projectElements = $parentDiv.find('[data-project-types="project"]')
+                .add($parentDiv.find('[data-project-types="project,category"]'));
+            if ($projectElements.length > 0) $parentDiv.show();
+            else $parentDiv.hide();
         });
-
-        // Temporary solution for hiding the public_guest_access field
         $('#div_id_public_guest_access').show();
+        $('div[id^="div_id_remote_site"]').show();
     }
-
     if ($('#sodar-pr-project-form-title').attr('data-project-type') === 'CATEGORY') {
         $('div[id^="div_id_settings"]').each(function () {
             var $parentDiv = $(this);
-            var $categoryElements = $parentDiv.find('select[data-project-types="category"]')
-                .add($parentDiv.find('input[data-project-types="category"]'))
-                .add($parentDiv.find('textarea[data-project-types="category"]'))
-                .add($parentDiv.find('select[data-project-types="project,category"]'))
-                .add($parentDiv.find('input[data-project-types="project,category"]'))
-                .add($parentDiv.find('textarea[data-project-types="project,category"]'));
-            if ($categoryElements.length > 0) {
-                $parentDiv.show();
-            } else {
-                $parentDiv.hide();
-            }
+            var $categoryElements = $parentDiv.find('[data-project-types="category"]')
+                .add($parentDiv.find('[data-project-types="project,category"]'));
+            if ($categoryElements.length > 0) $parentDiv.show();
+            else $parentDiv.hide();
         });
     }
-
     // Show settings fields if selected type is project/category in update form
     $('#div_id_type .form-control').change(function() {
-        if ($('#div_id_type .form-control').val() == 'PROJECT') {
+        if ($('#div_id_type .form-control').val() === 'PROJECT') {
             $('div[id^="div_id_settings"]').each(function () {
                 var $parentDiv = $(this);
-                var $projectElements = $parentDiv.find('select[data-project-types="project"]')
-                    .add($parentDiv.find('input[data-project-types="project"]'))
-                    .add($parentDiv.find('textarea[data-project-types="project"]'))
-                    .add($parentDiv.find('select[data-project-types="project,category"]'))
-                    .add($parentDiv.find('input[data-project-types="project,category"]'))
-                    .add($parentDiv.find('textarea[data-project-types="project,category"]'));
-                if ($projectElements.length > 0) {
-                    $parentDiv.show();
-                } else {
-                    $parentDiv.hide();
-                }
-
-                // Temporary solution for hiding the public_guest_access field
+                var $projectElements = $parentDiv.find('[data-project-types="project"]')
+                    .add($parentDiv.find('[data-project-types="project,category"]'));
+                if ($projectElements.length > 0) $parentDiv.show();
+                else $parentDiv.hide();
                 $('#div_id_public_guest_access').show();
+                $('div[id^="div_id_remote_site"]').show();
             });
-        } else if ($('#div_id_type .form-control').val() == 'CATEGORY') {
+        } else if ($('#div_id_type .form-control').val() === 'CATEGORY') {
             $('div[id^="div_id_settings"]').each(function () {
                 var $parentDiv = $(this);
-                var $categoryElements = $parentDiv.find('select[data-project-types="category"]')
-                    .add($parentDiv.find('input[data-project-types="category"]'))
-                    .add($parentDiv.find('textarea[data-project-types="category"]'))
-                    .add($parentDiv.find('select[data-project-types="project,category"]'))
-                    .add($parentDiv.find('input[data-project-types="project,category"]'))
-                    .add($parentDiv.find('textarea[data-project-types="project,category"]'));
-                if ($categoryElements.length > 0) {
-                    $parentDiv.show();
-                } else {
-                    $parentDiv.hide();
-                }
+                var $categoryElements = $parentDiv.find('[data-project-types="category"]')
+                    .add($parentDiv.find('[data-project-types="project,category"]'));
+                if ($categoryElements.length > 0) $parentDiv.show();
+                else $parentDiv.hide();
+                $('#div_id_public_guest_access').hide();
+                $('div[id^="div_id_remote_site"]').hide();
             });
         }
     });
+
+    // Warn user of revoking remote site access
+    $('input[id^="id_remote_site"]').change(function() {
+        if (!$(this).is(':checked') && $(this).prop('defaultChecked')) {
+            const confirmMsg = 'This will revoke access to the project on ' +
+                'the site. Are you sure you want to proceed?'
+            if (!confirm(confirmMsg)) $(this).prop('checked', true);
+            else $(this).prop('checked', false);
+        }
+    });
 })
diff --git a/projectroles/templates/projectroles/_login_oidc.html b/projectroles/templates/projectroles/_login_oidc.html
new file mode 100644
index 00000000..2c31f8da
--- /dev/null
+++ b/projectroles/templates/projectroles/_login_oidc.html
@@ -0,0 +1,14 @@
+{# Display custom or default OIDC login element #}
+{% load projectroles_common_tags %}
+
+{% template_exists template_include_path|add:'/_login_oidc.html' as tpl_oidc %}
+
+{% if tpl_oidc %}
+  {% include template_include_path|add:'/_login_oidc.html' %}
+{% else %}
+  <a role="button" class="btn btn-md btn-info btn-block"
+     id="sodar-login-oidc-link"
+     href="{% url 'social:begin' 'oidc' %}?next={{ oidc_redirect_url|default:'/' }}">
+    <i class="iconify" data-icon="mdi:login-variant"></i> OpenID Connect Login
+  </a>
+{% endif %}
diff --git a/projectroles/templates/projectroles/_project_menu_btn.html b/projectroles/templates/projectroles/_project_menu_btn.html
index e14829aa..48fe74af 100644
--- a/projectroles/templates/projectroles/_project_menu_btn.html
+++ b/projectroles/templates/projectroles/_project_menu_btn.html
@@ -20,82 +20,14 @@
       <i class="iconify" data-icon="mdi:home"></i> Home
     </a>
 
-    {# Project stuff #}
-    {% if project %}
-
-      {# Overview #}
-      <a class="dropdown-item {% get_pr_link_state projectroles_urls request 'detail' %}"
-          href="{% url 'projectroles:detail' project=project.sodar_uuid %}"
-          title="Overview"
-          id="sodar-pr-alt-link-overview">
-        {% if project.type == PROJECT_TYPE_CATEGORY %}
-          <i class="iconify" data-icon="mdi:rhombus-split"></i>
-        {% else %}
-          <i class="iconify" data-icon="mdi:cube"></i>
-        {% endif %}
-        Overview
+    {% get_project_app_links request project as dropdown_links %}
+    {% for link in dropdown_links %}
+      <a class="dropdown-item{% if link.active %} active{% endif %}"
+          href="{{ link.url }}"
+          title="{{ link.title }}"
+          id="sodar-pr-alt-link-{{ link.name }}">
+        <i class="iconify" data-icon="{{ link.icon }}"></i> {{ link.label }}
       </a>
-
-      {# App plugins #}
-      {% for plugin in app_plugins %}
-        {% is_app_visible plugin project request.user as app_link_visible %}
-        {% if app_link_visible %}
-          <a class="dropdown-item {% get_app_link_state plugin request.resolver_match.app_name request.resolver_match.url_name %}"
-             href="{% url plugin.entry_point_url_id project=project.sodar_uuid %}"
-             title="{{ plugin.title }}"
-             id="sodar-pr-alt-link-app-plugin-{{ plugin.name }}">
-            <i class="iconify" data-icon="{{ plugin.icon }}"></i> {{ plugin.title }}
-          </a>
-        {% endif %}
-      {% endfor %}
-
-      {# Role and project editing #}
-      {% if can_view_roles %}
-        <a class="dropdown-item {% get_pr_link_state projectroles_urls request role_urls %}"
-           href="{% url 'projectroles:roles' project=project.sodar_uuid %}"
-           title="Members"
-           id="sodar-pr-alt-link-project-roles">
-         <i class="iconify" data-icon="mdi:account-multiple"></i> Members
-        </a>
-      {% endif %}
-      {% if can_update_project %}
-        <a class="dropdown-item {% get_pr_link_state projectroles_urls request 'update' %}"
-           href="{% url 'projectroles:update' project=project.sodar_uuid %}"
-           title="Update {% get_display_name 'PROJECT' title=True %}"
-           id="sodar-pr-alt-link-project-update">
-          <i class="iconify" data-icon="mdi:lead-pencil"></i> Update {% get_display_name project.type title=True %}
-        </a>
-     {% endif %}
-
-   {% endif %}
-
-    {# Project and Category Creation #}
-
-    {% if project and project.type == 'CATEGORY' %}
-      {% has_perm 'projectroles.create_project' request.user project as can_create_project %}
-      {% if allow_creation and can_create_project and not project.is_remote %}
-         <a class="dropdown-item"
-            href="{% url 'projectroles:create' project=project.sodar_uuid %}"
-            id="sodar-pr-alt-link-project-create">
-           <i class="iconify" data-icon="mdi:plus-thick"></i> Create {% get_display_name 'PROJECT' title=True %} or {% get_display_name 'CATEGORY' title=True %}
-         </a>
-      {% endif %}
-    {% elif disable_categories and request.user.is_superuser %} {# Allow project creation under root #}
-      <a class="dropdown-item"
-         href="{% url 'projectroles:create' %}"
-         id="sodar-pr-alt-link-project-create">
-       <i class="iconify" data-icon="mdi:plus-thick"></i> Create {% get_display_name 'PROJECT' title=True %}
-     </a>
-    {% elif request.resolver_match.url_name == 'home' or request.resolver_match.url_name == 'create' and not project %}
-      {% has_perm 'projectroles.create_project' request.user as can_create_project %}
-      {% if allow_creation and can_create_project %}
-        <a class="dropdown-item"
-           href="{% url 'projectroles:create' %}"
-           id="sodar-pr-alt-link-home-create">
-          <i class="iconify" data-icon="mdi:plus-thick"></i> Create {% get_display_name 'CATEGORY' title=True %}
-        </a>
-      {% endif %}
-    {% endif %}
-
- </div>
+    {% endfor %}
+  </div>
 </div>
diff --git a/projectroles/templates/projectroles/_project_sidebar.html b/projectroles/templates/projectroles/_project_sidebar.html
index 7cd20d72..6a24c7d9 100644
--- a/projectroles/templates/projectroles/_project_sidebar.html
+++ b/projectroles/templates/projectroles/_project_sidebar.html
@@ -1,146 +1,19 @@
-{% load rules %}
 {% load projectroles_tags %}
-{% load projectroles_common_tags %}
-
-{% sodar_constant 'PROJECT_TYPE_PROJECT' as PROJECT_TYPE_PROJECT %}
-{% sodar_constant 'PROJECT_TYPE_CATEGORY' as PROJECT_TYPE_CATEGORY %}
-{% allow_project_creation as allow_creation %}
-{% get_django_setting 'PROJECTROLES_DISABLE_CATEGORIES' as disable_categories %}
-{% get_display_name 'PROJECT' title=True as project_display %}
-{% get_display_name 'CATEGORY' title=True as category_display %}
 
 {# Project nav #}
-
-{% if project %}
-  {% has_perm 'projectroles.view_project' request.user project as can_view_project %}
-  {% has_perm 'projectroles.view_project_roles' request.user project as can_view_roles %}
-  {% has_perm 'projectroles.update_project' request.user project as can_update_project %}
-
-  {# Overview #}
-
-  <li id="sodar-pr-nav-project-detail"
-      class="nav-item sodar-pr-sidebar-nav-item {% get_pr_link_state projectroles_urls request 'detail' %}">
-    <a class="nav-link sodar-pr-sidebar-nav-link"
-       href="{% url 'projectroles:detail' project=project.sodar_uuid %}"
-       id="sodar-pr-link-project-detail">
-      <span class="sodar-pr-sidebar-icon">
-        {% if project.type == PROJECT_TYPE_CATEGORY %}
-          <i class="iconify"
-             data-icon="mdi:rhombus-split"
-             data-height="{{ sidebar_icon_size }}"></i>
-        {% else %}
-          <i class="iconify"
-             data-icon="mdi:cube"
-             data-height="{{ sidebar_icon_size }}"></i>
-        {% endif %}
-      </span>
-      <br />{% get_display_name project.type title=True %}<br />Overview
-    </a>
-  </li>
-
-  {# App plugins #}
-  {% for plugin in app_plugins %}
-    {% is_app_visible plugin project request.user as app_link_visible %}
-    {% if app_link_visible %}
-      {% get_sidebar_app_legend plugin.title as app_legend %}
-      <li id="sodar-pr-nav-app-plugin-{{ plugin.name }}"
-          class="nav-item sodar-pr-sidebar-nav-item {% get_app_link_state plugin request.resolver_match.app_name request.resolver_match.url_name %}">
-        <a class="nav-link"
-           href="{% url plugin.entry_point_url_id project=project.sodar_uuid %}"
-           id="sodar-pr-link-app-plugin-{{ plugin.name }}">
-         <span class="sodar-pr-sidebar-icon">
-           <i class="iconify"
-              data-icon="{{ plugin.icon }}"
-              data-height="{{ sidebar_icon_size }}"></i>
-         </span>
-         <br />{{ app_legend | safe }}
-        </a>
-      </li>
-    {% endif %}
-  {% endfor %}
-
-  {# Role and project editing #}
-  {% if can_view_roles %}
-    <li id="sodar-pr-nav-project-roles"
-        class="nav-item sodar-pr-sidebar-nav-item {% get_pr_link_state projectroles_urls request role_urls %}">
-      <a class="nav-link"
-         href="{% url 'projectroles:roles' project=project.sodar_uuid %}"
-         id="sodar-pr-link-project-roles">
-        <span class="sodar-pr-sidebar-icon">
-          <i class="iconify"
-             data-icon="mdi:account-multiple"
-             data-height="{{ sidebar_icon_size }}"></i>
-          <br />Members
-        </span>
-      </a>
-    </li>
-  {% endif %}
-  {% if can_update_project %}
-    <li id="sodar-pr-nav-project-update"
-        class="nav-item sodar-pr-sidebar-nav-item {% get_pr_link_state projectroles_urls request 'update' %}">
-      <a class="nav-link"
-         href="{% url 'projectroles:update' project=project.sodar_uuid %}"
-         id="sodar-pr-link-project-update">
-        <span class="sodar-pr-sidebar-icon">
-          <i class="iconify"
-             data-icon="mdi:lead-pencil"
-             data-height="{{ sidebar_icon_size }}"></i>
-          <br />Update<br />{% get_display_name project.type title=True %}
-        </span>
-      </a>
-    </li>
-  {% endif %}
-
-{% endif %}
-
-{# Project and Category Creation #}
-{% if project and project.type == 'CATEGORY' %}
-  {% has_perm 'projectroles.create_project' request.user project as can_create_project %}
-  {% if allow_creation and can_create_project and not project.is_remote %}
-    <li id="sodar-pr-nav-project-create"
-        class="nav-item sodar-pr-sidebar-nav-item {% get_pr_link_state projectroles_urls request 'create' %}">
-      <a class="nav-link"
-         href="{% url 'projectroles:create' project=project.sodar_uuid %}"
-         id="sodar-pr-link-project-create">
-        <span class="sodar-pr-sidebar-icon">
-          <i class="iconify"
-             data-icon="mdi:plus-thick"
-             data-height="{{ sidebar_icon_size }}"></i>
-        </span>
-        <br />Create<br />{{ project_display }} or<br />{{ category_display }}
-      </a>
-    </li>
-  {% endif %}
-{# Allow project creation under root #}
-{% elif disable_categories and request.user.is_superuser %}
-  <li id="sodar-pr-nav-project-create"
-      class="nav-item sodar-pr-sidebar-nav-item {% get_pr_link_state projectroles_urls request 'create' %}">
+{% get_project_app_links request project as sidebar_links %}
+{% for link in sidebar_links %}
+  <li id="sodar-pr-nav-{{ link.name }}"
+      class="nav-item sodar-pr-sidebar-nav-item {% if link.active %}active{% endif %}">
     <a class="nav-link"
-       href="{% url 'projectroles:create' %}"
-       id="sodar-pr-link-project-create">
+      href="{{ link.url }}"
+      id="sodar-pr-link-{{ link.name }}">
       <span class="sodar-pr-sidebar-icon">
         <i class="iconify"
-           data-icon="mdi:plus-thick"
+           data-icon="{{ link.icon }}"
            data-height="{{ sidebar_icon_size }}"></i>
       </span>
-      <br />Create<br />{{ project_display }}
+      <br />{{ link.label }}
     </a>
   </li>
-{% elif request.resolver_match.url_name == 'home' or request.resolver_match.app_name == 'projectroles' and not project %}
-  {% has_perm 'projectroles.create_project' request.user as can_create_project %}
-  {% if allow_creation and can_create_project %}
-    <li id="sodar-pr-nav-project-create"
-        class="nav-item sodar-pr-sidebar-nav-item {% get_pr_link_state projectroles_urls request 'create' %}">
-      <a class="nav-link"
-         href="{% url 'projectroles:create' %}"
-         id="sodar-pr-home-link-create">
-        <span class="sodar-pr-sidebar-icon">
-          <i class="iconify"
-             data-icon="mdi:plus-thick"
-             data-height="{{ sidebar_icon_size }}"></i>
-        </span>
-        <br />Create<br />{{ category_display }}
-      </a>
-    </li>
-  {% endif %}
-{% endif %}
+{% endfor %}
diff --git a/projectroles/templates/projectroles/_remote_project_link.html b/projectroles/templates/projectroles/_remote_project_link.html
new file mode 100644
index 00000000..ef493081
--- /dev/null
+++ b/projectroles/templates/projectroles/_remote_project_link.html
@@ -0,0 +1,17 @@
+{% load projectroles_common_tags %}
+
+<a class="btn {% if site.user_display %}btn-info{% else %}btn-secondary{% endif %}
+          mr-1 mb-1 sodar-pr-link-remote sodar-pr-link-remote-{{ site.mode|lower }}"
+   href="{{ site.get_url }}{% url 'projectroles:detail' project=object.sodar_uuid %}"
+   data-uuid="{{ rp.sodar_uuid }}"
+   role="button"
+   {% if site.description %}title="{{ site.description }}" data-toggle="tooltip"{% endif %}
+   {% if site.mode != 'SOURCE' and not site.get_access_date %}
+     disabled="disabled"
+   {% endif %}
+   target="_blank">
+  <i class="iconify" data-icon="mdi:cloud-outline"></i> {{ site.name }}
+  {% if site.mode == 'SOURCE' %}
+    (Source {% get_display_name object.type title=True %})
+  {% endif %}
+</a>
diff --git a/projectroles/templates/projectroles/_site_titlebar_dropdown.html b/projectroles/templates/projectroles/_site_titlebar_dropdown.html
index 3251a871..9bc7920f 100644
--- a/projectroles/templates/projectroles/_site_titlebar_dropdown.html
+++ b/projectroles/templates/projectroles/_site_titlebar_dropdown.html
@@ -5,49 +5,16 @@
 {% get_django_setting 'PROJECTROLES_KIOSK_MODE' as kiosk_mode %}
 
 {# Responsive replacement for user dropdown #}
-
-{# Admin link #}
-{% if request.user.is_superuser %}
-  <li class="nav-item sodar-navbar-alt-item">
-    <a class="nav-link" href="{% url 'admin:index' %}"
-       id="sodar-navbar-link-admin" target="_blank">
-      <i class="iconify" data-icon="mdi:cogs"></i> Admin
+{% get_user_links request as dropdown_links %}
+{% for link in dropdown_links %}
+  <li class="nav-item sodar-navbar-alt-item {% if link.active %}active{% endif %}">
+    <a class="nav-link {% if link.name == 'sign-out' %}text-danger{% endif %}
+              {% if link.name == 'sign-in' %}text-white{% endif %}"
+       href="{{ link.url }}"
+       id="sodar-navbar-nav-link-{{ link.name }}">
+      <i class="iconify" data-icon="{{ link.icon }}"></i> {{ link.label }}
     </a>
-  </li>
-{% endif %}
-
-{# Site-wide apps #}
-{% for plugin in site_apps %}
-  {% has_perm plugin.app_permission request.user as can_view_app %}
-  {% if not plugin.app_permission or can_view_app %}
-    <li class="nav-item sodar-navbar-alt-item {% get_app_link_state plugin request.resolver_match.app_name request.resolver_match.url_name %}">
-      <a class="nav-link"
-         href="{% url plugin.entry_point_url_id %}"
-         id="sodar-navbar-siteapp-link-{{ plugin.name }}">
-        <i class="iconify" data-icon="{{ plugin.icon }}"></i> {{ plugin.title }}</a>
-    </li>
-  {% endif %}
 {% endfor %}
-
-{# Log out link #}
-{% if request.user.is_authenticated %}
-  <li class="nav-item sodar-navbar-alt-item">
-    <a class="nav-link text-danger"
-       href="{% url 'logout' %}"
-       id="sodar-alt-nav-link-sign-out">
-      <i class="iconify" data-icon="mdi:logout-variant"></i> Logout
-    </a>
-  </li>
-{% elif not kiosk_mode %}
-  <li class="nav-item sodar-navbar-alt-item">
-    <a class="nav-link text-white"
-       href="{% url 'login' %}"
-       id="sodar-alt-nav-link-sign-in">
-      <i class="iconify" data-icon="mdi:login-variant"></i> Login
-    </a>
-  </li>
-{% endif %}
-
 {# Actual user dropdown #}
 
 <li class="nav-item sodar-navbar-user-dropdown">
@@ -75,45 +42,18 @@
     </div>
     <div class="dropdown-divider"></div>
 
-    {# Site-wide apps #}
-    {% for plugin in site_apps %}
-      {% has_perm plugin.app_permission request.user as can_view_app %}
-      {% if not plugin.app_permission or can_view_app %}
-        <a class="dropdown-item {% get_app_link_state plugin request.resolver_match.app_name request.resolver_match.url_name %}"
-           href="{% url plugin.entry_point_url_id %}"
-           id="sodar-navbar-siteapp-link-{{ plugin.name }}">
-          <i class="iconify" data-icon="{{ plugin.icon }}"></i> {{ plugin.title }}
-        </a>
+    {% get_user_links request as dropdown_links %}
+    {% for link in dropdown_links %}
+      {% if link.name == 'admin' or link.name == 'sign-out' or link.name == 'sign-in' %}
+        <div class="dropdown-divider"></div>
       {% endif %}
-    {% endfor %}
-    {% if site_apps|length > 0 %}
-      <div class="dropdown-divider"></div>
-    {% endif %}
-
-    {# Admin link #}
-    {% if request.user.is_superuser %}
-      <a class="dropdown-item"
-         href="#"
-         id="sodar-navbar-link-admin-warning"
-         data-toggle="modal" data-target="#sodar-modal">
-        <i class="iconify" data-icon="mdi:cogs"></i> Django Admin
-      </a>
-      <div class="dropdown-divider"></div>
-    {% endif %}
-
-    {# Log out / log in links #}
-    {% if request.user.is_authenticated %}
-      <a class="dropdown-item text-danger"
-         href="{% url 'logout' %}"
-         id="sodar-navbar-link-logout">
-        <i class="iconify" data-icon="mdi:logout-variant"></i> Logout
+      <a class="dropdown-item {% if link.active %}active{% endif %}
+                {% if link.name == 'sign-out' %}text-danger{% endif %}
+                {% if link.name == 'sign-in' %}text-primary{% endif %}"
+         href="{{ link.url }}"
+         id="sodar-navbar-link-{{ link.name }}">
+        <i class="iconify" data-icon="{{ link.icon }}"></i> {{ link.label }}
       </a>
-    {% else %}
-      <a class="dropdown-item text-primary"
-         href="{% url 'login' %}"
-         id="sodar-navbar-link-login">
-        <i class="iconify" data-icon="mdi:login-variant"></i> Login
-      </a>
-    {% endif %}
+    {% endfor %}
   </div>
 </li>
diff --git a/projectroles/templates/projectroles/login.html b/projectroles/templates/projectroles/login.html
index 2e97b207..62cc4876 100644
--- a/projectroles/templates/projectroles/login.html
+++ b/projectroles/templates/projectroles/login.html
@@ -7,6 +7,7 @@
 {% block title %}Login{% endblock title %}
 
 {% block content %}
+{% get_django_setting 'PROJECTROLES_TEMPLATE_INCLUDE_PATH' as template_include_path %}
 
 <div class="container-fluid">
   {# Django messages / site app messages #}
@@ -26,7 +27,6 @@
 
   <div class="col-md-4 mx-auto mt-5">
     <h2 class="sodar-pr-content-title">Login</h2>
-
     {% autoescape off %}
       {% get_login_info %}
     {% endautoescape %}
@@ -46,18 +46,17 @@ <h2 class="sodar-pr-content-title">Login</h2>
         <i class="iconify" data-icon="mdi:login-variant"></i> Login
       </button>
     </form>
-    {% get_django_setting 'ENABLE_SAML' as enable_saml %}
-    {% if enable_saml %}
-      <hr class="my-3" />
-      <p>To log in with your SSO provider, please click below.</p>
-      <a href="/sso/login" class="btn btn-md btn-info btn-block">
-        <i class="iconify" data-icon="mdi:login-variant"></i> Single Sign-On
-      </a>
-    {% endif %}
   </div>
 
+  {# OpenID Connect (OIDC) auth #}
+  {% get_django_setting 'ENABLE_OIDC' as enable_oidc %}
+  {% if enable_oidc %}
+    <div class="col-md-4 mx-auto mt-4">
+      {% include 'projectroles/_login_oidc.html' %}
+    </div>
+  {% endif %}
+
   {# Optional template for additional login page HTML #}
-  {% get_django_setting 'PROJECTROLES_TEMPLATE_INCLUDE_PATH' as template_include_path %}
   {% template_exists template_include_path|add:'/_login_extend.html' as login_extend %}
   {% if login_extend %}
     {% include template_include_path|add:'/_login_extend.html' %}
diff --git a/projectroles/templates/projectroles/project_detail.html b/projectroles/templates/projectroles/project_detail.html
index 821109a5..feac3c16 100644
--- a/projectroles/templates/projectroles/project_detail.html
+++ b/projectroles/templates/projectroles/project_detail.html
@@ -9,145 +9,122 @@
 
 {% block projectroles %}
 
-{% has_perm 'projectroles.view_project' request.user object as can_view_project %}
 {% has_perm 'projectroles.update_project' request.user object as can_update_project %}
-{% has_perm 'projectroles.view_hidden_projects' request.user object as can_view_hidden_projects %}
 {% sodar_constant 'PROJECT_TYPE_CATEGORY' as PROJECT_TYPE_CATEGORY %}
 
-{% if can_view_project %}
-  {% include 'projectroles/_project_header.html' %}
+{% include 'projectroles/_project_header.html' %}
 
-  <div class="container-fluid sodar-page-container">
-    {# Links to remote projects #}
-    {% if object.type == 'PROJECT' %}
-      {% get_visible_projects target_projects can_view_hidden_projects as visible_target_projects %}
-      {% if visible_target_projects %}
-        <div class="card" id="sodar-pr-details-card-remote">
-          <div class="card-header">
-            <h4>
-              <i class="iconify" data-icon="mdi:cloud"></i>
-              {% get_display_name object.type title=True %} on Other Sites
-            </h4>
-          </div>
-          <div class="card-body pb-2 mr-2">
-            {% for rp in visible_target_projects %}
-              <a class="btn {% if rp.site.user_display %}btn-info{% else %}btn-secondary{% endif %} mr-1 mb-1"
-                href="{{ rp.site.get_url }}{% url 'projectroles:detail' project=object.sodar_uuid %}"
-                role="button"
-                title="{% if rp.site.description %}{{ rp.site.description }}{% endif %}"
-                data-toggle="tooltip"
-                target="_blank">
-                <i class="iconify" data-icon="mdi:cloud-outline"></i> {{ rp.site.name }}
-              </a>
-            {% endfor %}
-          </div>
+<div class="container-fluid sodar-page-container"
+     id="sodar-pr-page-container-detail"
+     data-project-type="{{ object.type }}">
+  {# Links to remote projects #}
+  {% if object.type == 'PROJECT' %}
+    {% if target_projects %}
+      <div class="card" id="sodar-pr-details-card-remote">
+        <div class="card-header">
+          <h4>
+            <i class="iconify" data-icon="mdi:cloud"></i>
+            {% get_display_name object.type title=True %} on Other Sites
+          </h4>
         </div>
-
-      {% elif object.is_remote %}
-        <div class="card" id="sodar-pr-details-card-remote">
-          <div class="card-header">
-            <h4><i class="iconify" data-icon="mdi:cloud"></i> {% get_display_name object.type title=True %} on Other Sites</h4>
-          </div>
-          <div class="card-body pb-2 mr-2">
-            <a class="btn btn-info mb-1 sodar-pr-link-remote sodar-pr-link-remote-master"
-                href="{{ object.get_source_site.get_url }}{% url 'projectroles:detail' project=object.sodar_uuid %}"
-                role="button"
-                title="{% if object.get_source_site.description %}{{ object.get_source_site.description }}{% endif %}"
-                data-toggle="tooltip"
-                target="_blank">
-              <i class="iconify" data-icon="mdi:cloud-outline"></i> {{ object.get_source_site.name }} (Master Project)
-            </a>
-            {% get_visible_projects peer_projects can_view_hidden_projects as visible_peer_projects %}
-            {% for peer_p in visible_peer_projects %}
-              <a class="btn btn-info mb-1 sodar-pr-link-remote sodar-pr-link-remote-peer"
-                  href="{{ peer_p.site.get_url }}{% url 'projectroles:detail' project=peer_p.sodar_uuid %}"
-                  role="button"
-                  title="{% if peer_p.site.description %}{{ peer_p.site.description }}{% endif %}"
-                  data-toggle="tooltip"
-                  target="_blank">
-                <i class="iconify" data-icon="mdi:cloud-outline"></i> {{ peer_p.site.name }}
-              </a>
-            {% endfor %}
-          </div>
+        <div class="card-body pb-2 mr-2">
+          {% for rp in target_projects %}
+            {% include 'projectroles/_remote_project_link.html' with site=rp.site %}
+          {% endfor %}
         </div>
-      {% endif %}
-    {% endif %}
-
-    {# README #}
-    <div class="card" id="sodar-pr-details-card-readme">
-      <div class="card-header">
-        <h4><i class="iconify" data-icon="mdi:book-open-page-variant"></i> ReadMe</h4>
       </div>
-      <div class="card-body">
-        {% if object.readme.rendered|length > 0 %}
-          {% autoescape off %}
-            {% render_markdown object.readme.raw %}
-          {% endautoescape %}
-        {% else %}
-          <p>
-            No ReadMe is currently set for this {% get_display_name object.type title=False %}.
-            {% if can_update_project %}
-             <a href="{% url 'projectroles:update' project=object.sodar_uuid %}#div_id_readme">You can update the ReadMe here</a>.
-            {% endif %}
-          </p>
-        {% endif %}
+    {% elif object.is_remote %}
+      <div class="card" id="sodar-pr-details-card-remote">
+        <div class="card-header">
+          <h4>
+            <i class="iconify" data-icon="mdi:cloud"></i>
+            {% get_display_name object.type title=True %} on Other Sites
+          </h4>
+        </div>
+        <div class="card-body pb-2 mr-2">
+          {% include 'projectroles/_remote_project_link.html' with site=object.get_source_site %}
+          {% for rp in peer_projects %}
+            {% include 'projectroles/_remote_project_link.html' with site=rp.site %}
+          {% endfor %}
+        </div>
       </div>
-    </div>
-
-    {# Subprojects #}
-    {% if object.type == 'CATEGORY' %}
-      {% include 'projectroles/_project_list.html' with parent=object %}
     {% endif %}
+  {% endif %}
 
-    {# App Plugin Cards #}
-    {% for plugin in app_plugins %}
-      {% is_app_visible plugin project request.user as app_visible %}
-      {% if app_visible %}
-        <div class="card sodar-pr-app-card" id="sodar-pr-app-item-{{ plugin.name }}">
-          <div class="card-header">
-            <h4>
-              <i class="iconify" data-icon="{{ plugin.icon }}"></i>
-              {% if plugin.details_title %}
-                {{ plugin.details_title }}
-              {% else %}
-                {{ plugin.title }}
-              {% endif %}
-              <span class="pull-right">
-                {% get_info_link plugin.description as info_link %}
-                {{ info_link | safe }}
-              </span>
-            </h4>
-          </div>
-          {% if plugin.details_template %}
-            <div class="card-body p-0">
-              {% include plugin.details_template %}
-            </div>
-          {% else %}
-            <div class="card-body text-center">
-              <p class="text-danger"><em>No app card template found</em></p>
-            </div>
+  {# README #}
+  <div class="card" id="sodar-pr-details-card-readme">
+    <div class="card-header">
+      <h4><i class="iconify" data-icon="mdi:book-open-page-variant"></i> ReadMe</h4>
+    </div>
+    <div class="card-body">
+      {% if object.readme.rendered|length > 0 %}
+        {% autoescape off %}
+          {% render_markdown object.readme.raw %}
+        {% endautoescape %}
+      {% else %}
+        <p>
+          No ReadMe is currently set for this {% get_display_name object.type title=False %}.
+          {% if can_update_project %}
+           <a href="{% url 'projectroles:update' project=object.sodar_uuid %}#div_id_readme">You can update the ReadMe here</a>.
           {% endif %}
-        </div>
+        </p>
       {% endif %}
-    {% endfor %}
+    </div>
   </div>
 
-{% else %}
-  <div class="alert alert-danger" role="alert">
-    Insufficient permissions for viewing {% get_display_name 'PROJECT' title=False %}!
-  </div>
-{% endif %}
+  {# Subprojects #}
+  {% if object.type == 'CATEGORY' %}
+    {% include 'projectroles/_project_list.html' with parent=object %}
+  {% endif %}
+
+  {# App Plugin Cards #}
+  {% for plugin in app_plugins %}
+    {% is_app_visible plugin project request.user as app_visible %}
+    {% if app_visible %}
+      <div class="card sodar-pr-app-card" id="sodar-pr-app-item-{{ plugin.name }}">
+        <div class="card-header">
+          <h4>
+            <i class="iconify" data-icon="{{ plugin.icon }}"></i>
+            {% if plugin.details_title %}
+              {{ plugin.details_title }}
+            {% else %}
+              {{ plugin.title }}
+            {% endif %}
+            <span class="pull-right">
+              {% get_info_link plugin.description as info_link %}
+              {{ info_link | safe }}
+            </span>
+          </h4>
+        </div>
+        {% if plugin.details_template %}
+          <div class="card-body p-0">
+            {% include plugin.details_template %}
+          </div>
+        {% else %}
+          <div class="card-body text-center">
+            <p class="text-danger"><em>No app card template found</em></p>
+          </div>
+        {% endif %}
+      </div>
+    {% endif %}
+  {% endfor %}
+</div>
 
 {% endblock projectroles %}
 
 {% block javascript %}
   {{ block.super }}
+  <script type="text/javascript">
+    window.remoteLinkUrl = "{% url 'projectroles:ajax_remote_access' project=object.sodar_uuid %}";
+  </script>
   {% if object.type == 'CATEGORY' %}
     <!-- Project list -->
     <script type="text/javascript" src="{% static 'projectroles/js/project_list.js' %}"></script>
   {% endif %}
   <!-- Project starring -->
   <script type="text/javascript" src="{% static 'projectroles/js/project_star.js' %}"></script>
+  <!-- Project detail view specific -->
+  <script type="text/javascript" src="{% static 'projectroles/js/project_detail.js' %}"></script>
 
   <!-- Tour content -->
   <script type="text/javascript">
diff --git a/projectroles/templates/projectroles/search_advanced.html b/projectroles/templates/projectroles/search_advanced.html
index 313ce19f..28861670 100644
--- a/projectroles/templates/projectroles/search_advanced.html
+++ b/projectroles/templates/projectroles/search_advanced.html
@@ -12,9 +12,7 @@
 {% block projectroles %}
 
 <div class="row sodar-pr-content-title">
-  <h2 class="sodar-pr-content-title">
-    <i class="iconify" data-icon="mdi:layers-search"></i> Advanced Search
-  </h2>
+  <h2 class="sodar-pr-content-title pt-2">Advanced Search</h2>
 </div>
 
 <div class="container-fluid sodar-page-container">
diff --git a/projectroles/templates/projectroles/user_form.html b/projectroles/templates/projectroles/user_form.html
index 8994dd98..62fd4e26 100644
--- a/projectroles/templates/projectroles/user_form.html
+++ b/projectroles/templates/projectroles/user_form.html
@@ -5,19 +5,32 @@
 {% load crispy_forms_filters %}
 
 {% block title %}
+  {% get_django_setting 'ENABLE_OIDC' as enable_oidc %}
+  {% if invite and enable_oidc %}Login or{% endif %}
   {% if object %}Update{% else %}Create{% endif %} Local User
 {% endblock title %}
 
 {% block projectroles %}
+{% get_django_setting 'ENABLE_OIDC' as enable_oidc %}
+{% get_django_setting 'PROJECTROLES_TEMPLATE_INCLUDE_PATH' as template_include_path %}
 
 <div class="container-fluid sodar-subtitle-container">
   <h2>
     <i class="iconify" data-icon="mdi:account"></i>
+    {% if invite and enable_oidc %}Login or{% endif %}
     {% if object %}Update{% else %}Create{% endif %} Local User
   </h2>
 </div>
 
 <div class="container-fluid sodar-page-container">
+  {% if invite and enable_oidc %}
+    <div class="col-md-4 mt-1 mb-4 ml-0 pl-0">
+      <p>Please log in if you have a single sign-on account.</p>
+      {% url 'projectroles:invite_process_login' secret=invite.secret as oidc_redirect_url %}
+      {% include 'projectroles/_login_oidc.html' %}
+    </div>
+    <hr />
+  {% endif %}
   <form method="post">
     {% csrf_token %}
     {{ form | crispy }}
diff --git a/projectroles/templatetags/projectroles_common_tags.py b/projectroles/templatetags/projectroles_common_tags.py
index 8e9937a2..96930c39 100644
--- a/projectroles/templatetags/projectroles_common_tags.py
+++ b/projectroles/templatetags/projectroles_common_tags.py
@@ -88,9 +88,9 @@ def get_django_setting(name, default=None, js=False):
 
 
 @register.simple_tag
-def get_app_setting(app_name, setting_name, project=None, user=None):
+def get_app_setting(plugin_name, setting_name, project=None, user=None):
     """Get a project/user specific app setting from AppSettingAPI"""
-    return app_settings.get(app_name, setting_name, project, user)
+    return app_settings.get(plugin_name, setting_name, project, user)
 
 
 @register.simple_tag
@@ -292,17 +292,6 @@ def get_remote_icon(project, request):
     return ''
 
 
-@register.simple_tag
-def get_visible_projects(projects, can_view_hidden_projects=False):
-    """
-    Return all projects that are either visible by user display or by view
-    hidden permission.
-    """
-    return [
-        p for p in projects if p.site.user_display or can_view_hidden_projects
-    ]
-
-
 @register.simple_tag
 def render_markdown(raw_markdown):
     """Markdown field rendering helper"""
diff --git a/projectroles/templatetags/projectroles_tags.py b/projectroles/templatetags/projectroles_tags.py
index c9ad55e0..160b7236 100644
--- a/projectroles/templatetags/projectroles_tags.py
+++ b/projectroles/templatetags/projectroles_tags.py
@@ -6,15 +6,13 @@
 from django.utils import timezone
 
 from projectroles.app_settings import AppSettingAPI
-from projectroles.models import (
-    RoleAssignment,
-    RemoteProject,
-    SODAR_CONSTANTS,
-)
+from projectroles.models import RemoteProject, SODAR_CONSTANTS
 from projectroles.plugins import get_active_plugins
+from projectroles.utils import AppLinkContent
 
 
 register = template.Library()
+app_links = AppLinkContent()
 app_settings = AppSettingAPI()
 
 
@@ -89,9 +87,6 @@ def is_app_visible(plugin, project, user):
     app_hidden = False
     if plugin.name in getattr(settings, 'PROJECTROLES_HIDE_PROJECT_APPS', []):
         app_hidden = True
-    # TODO: Remove this in SODAR Core v1.0 (see issue #1143)
-    elif plugin.name in getattr(settings, 'PROJECTROLES_HIDE_APP_LINKS', []):
-        app_hidden = True
     if (
         can_view_app
         and not app_hidden
@@ -157,20 +152,6 @@ def get_help_highlight(user):
     return ''
 
 
-@register.simple_tag
-def get_role_import_action(source_as, dest_project):
-    """Return label for role import action based on existing assignment"""
-    try:
-        target_as = RoleAssignment.objects.get(
-            project=dest_project, user=source_as.user
-        )
-        if target_as.role == source_as.role:
-            return 'No action'
-        return 'Update'
-    except RoleAssignment.DoesNotExist:
-        return 'Import'
-
-
 @register.simple_tag
 def get_login_info():
     """Return HTML info for the login page"""
@@ -288,3 +269,28 @@ def get_admin_warning():
         '</a></p>'.format(reverse('admin:index'))
     )
     return ret
+
+
+@register.simple_tag
+def get_user_links(request):
+    """Return user dropdown links"""
+    if isinstance(request, str):
+        return []
+    return app_links.get_user_links(
+        request.user,
+        app_name=request.resolver_match.app_name,
+        url_name=request.resolver_match.url_name,
+    )
+
+
+@register.simple_tag
+def get_project_app_links(request, project=None):
+    """Return sidebar links"""
+    if isinstance(request, str):
+        return []
+    return app_links.get_project_app_links(
+        request.user,
+        project,
+        app_name=request.resolver_match.app_name,
+        url_name=request.resolver_match.url_name,
+    )
diff --git a/projectroles/tests/test_app_settings.py b/projectroles/tests/test_app_settings.py
index bdeff7df..a9262872 100644
--- a/projectroles/tests/test_app_settings.py
+++ b/projectroles/tests/test_app_settings.py
@@ -4,13 +4,14 @@
 
 from test_plus.test import TestCase
 
-from projectroles.models import Role, AppSetting, SODAR_CONSTANTS
-from projectroles.plugins import get_app_plugin
 from projectroles.app_settings import (
     AppSettingAPI,
     get_example_setting_default,
     get_example_setting_options,
+    LOCAL_DEPRECATE_MSG,
 )
+from projectroles.models import Role, AppSetting, SODAR_CONSTANTS
+from projectroles.plugins import get_app_plugin
 from projectroles.tests.test_models import (
     ProjectMixin,
     RoleAssignmentMixin,
@@ -45,6 +46,15 @@
 EXAMPLE_APP_NAME = 'example_project_app'
 INVALID_SETTING_VALUE = 'INVALID VALUE'
 INVALID_SETTING_MSG = 'INVALID_SETTING_VALUE detected'
+APP_SETTINGS_TEST = {
+    'project_star': {
+        'scope': APP_SETTING_SCOPE_PROJECT_USER,
+        'type': 'BOOLEAN',
+        'default': False,
+        'local': True,  # Deprecated
+        'project_types': [PROJECT_TYPE_PROJECT, PROJECT_TYPE_CATEGORY],
+    },
+}
 
 
 class AppSettingInitMixin:
@@ -55,7 +65,7 @@ def init_app_settings(self):
         # TODO: Rename these to match the settings in example_project_app
         # Init test project settings
         self.project_str_setting = {
-            'app_name': EXAMPLE_APP_NAME,
+            'plugin_name': EXAMPLE_APP_NAME,
             'project': self.project,
             'name': 'project_str_setting',
             'setting_type': 'STRING',
@@ -64,7 +74,7 @@ def init_app_settings(self):
             'non_valid_value': False,
         }
         self.project_int_setting = {
-            'app_name': EXAMPLE_APP_NAME,
+            'plugin_name': EXAMPLE_APP_NAME,
             'project': self.project,
             'name': 'project_int_setting',
             'setting_type': 'INTEGER',
@@ -73,7 +83,7 @@ def init_app_settings(self):
             'non_valid_value': 'Nan',
         }
         self.project_str_setting_options = {
-            'app_name': EXAMPLE_APP_NAME,
+            'plugin_name': EXAMPLE_APP_NAME,
             'project': self.project,
             'name': 'project_str_setting_options',
             'setting_type': 'STRING',
@@ -83,7 +93,7 @@ def init_app_settings(self):
             'non_valid_value': 'string3',
         }
         self.project_int_setting_options = {
-            'app_name': EXAMPLE_APP_NAME,
+            'plugin_name': EXAMPLE_APP_NAME,
             'project': self.project,
             'name': 'project_int_setting_options',
             'setting_type': 'INTEGER',
@@ -93,7 +103,7 @@ def init_app_settings(self):
             'non_valid_value': 2,
         }
         self.project_bool_settings = {
-            'app_name': EXAMPLE_APP_NAME,
+            'plugin_name': EXAMPLE_APP_NAME,
             'project': self.project,
             'name': 'project_bool_setting',
             'setting_type': 'BOOLEAN',
@@ -102,7 +112,7 @@ def init_app_settings(self):
             'non_valid_value': 170,
         }
         self.project_json_setting = {
-            'app_name': EXAMPLE_APP_NAME,
+            'plugin_name': EXAMPLE_APP_NAME,
             'project': self.project,
             'name': 'project_json_setting',
             'setting_type': 'JSON',
@@ -116,7 +126,7 @@ def init_app_settings(self):
         }
         # Init test user settings
         self.user_str_setting = {
-            'app_name': EXAMPLE_APP_NAME,
+            'plugin_name': EXAMPLE_APP_NAME,
             'user': self.user,
             'name': 'user_str_setting',
             'setting_type': 'STRING',
@@ -125,7 +135,7 @@ def init_app_settings(self):
             'non_valid_value': False,
         }
         self.user_int_setting = {
-            'app_name': EXAMPLE_APP_NAME,
+            'plugin_name': EXAMPLE_APP_NAME,
             'user': self.user,
             'name': 'user_int_setting',
             'setting_type': 'INTEGER',
@@ -134,7 +144,7 @@ def init_app_settings(self):
             'non_valid_value': 'Nan',
         }
         self.user_str_setting_options = {
-            'app_name': EXAMPLE_APP_NAME,
+            'plugin_name': EXAMPLE_APP_NAME,
             'user': self.user,
             'name': 'user_str_setting_options',
             'setting_type': 'STRING',
@@ -144,7 +154,7 @@ def init_app_settings(self):
             'non_valid_value': False,
         }
         self.user_int_setting_options = {
-            'app_name': EXAMPLE_APP_NAME,
+            'plugin_name': EXAMPLE_APP_NAME,
             'user': self.user,
             'name': 'user_int_setting_options',
             'setting_type': 'INTEGER',
@@ -154,7 +164,7 @@ def init_app_settings(self):
             'non_valid_value': 'Nan',
         }
         self.user_bool_setting = {
-            'app_name': EXAMPLE_APP_NAME,
+            'plugin_name': EXAMPLE_APP_NAME,
             'user': self.user,
             'name': 'user_bool_setting',
             'setting_type': 'BOOLEAN',
@@ -163,7 +173,7 @@ def init_app_settings(self):
             'non_valid_value': 170,
         }
         self.user_json_setting = {
-            'app_name': EXAMPLE_APP_NAME,
+            'plugin_name': EXAMPLE_APP_NAME,
             'user': self.user,
             'name': 'user_json_setting',
             'setting_type': 'JSON',
@@ -177,7 +187,7 @@ def init_app_settings(self):
         }
         # Init test PROJECT_USER settings
         self.project_user_str_setting = {
-            'app_name': EXAMPLE_APP_NAME,
+            'plugin_name': EXAMPLE_APP_NAME,
             'project': self.project,
             'user': self.user,
             'name': 'project_user_str_setting',
@@ -187,7 +197,7 @@ def init_app_settings(self):
             'non_valid_value': False,
         }
         self.project_user_int_setting = {
-            'app_name': EXAMPLE_APP_NAME,
+            'plugin_name': EXAMPLE_APP_NAME,
             'project': self.project,
             'user': self.user,
             'name': 'project_user_int_setting',
@@ -197,7 +207,7 @@ def init_app_settings(self):
             'non_valid_value': 'Nan',
         }
         self.project_user_bool_setting = {
-            'app_name': EXAMPLE_APP_NAME,
+            'plugin_name': EXAMPLE_APP_NAME,
             'project': self.project,
             'user': self.user,
             'name': 'project_user_bool_setting',
@@ -207,7 +217,7 @@ def init_app_settings(self):
             'non_valid_value': 170,
         }
         self.project_user_json_setting = {
-            'app_name': EXAMPLE_APP_NAME,
+            'plugin_name': EXAMPLE_APP_NAME,
             'project': self.project,
             'user': self.user,
             'name': 'project_user_json_setting',
@@ -241,7 +251,7 @@ def init_app_settings(self):
         ]
         for s in self.settings:
             kwargs = {
-                'app_name': s['app_name'],
+                'plugin_name': s['plugin_name'],
                 'name': s['name'],
                 'setting_type': s['setting_type'],
                 'value': s['value'] if s['setting_type'] != 'JSON' else '',
@@ -285,7 +295,7 @@ def test_get(self):
         """Test get()"""
         for setting in self.settings:
             data = {
-                'app_name': setting['app_name'],
+                'plugin_name': setting['plugin_name'],
                 'setting_name': setting['name'],
             }
             if 'project' in setting:
@@ -300,17 +310,17 @@ def test_get_with_default(self):
         app_plugin = get_app_plugin(EXAMPLE_APP_NAME)
         default_val = app_plugin.app_settings[EXISTING_SETTING]['default']
         val = app_settings.get(
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             setting_name=EXISTING_SETTING,
             project=self.project,
         )
         self.assertEqual(val, default_val)
 
     def test_get_with_nonexisting(self):
-        """Test get_() with non-existing setting"""
+        """Test get() with non-existing setting"""
         with self.assertRaises(KeyError):
             app_settings.get(
-                app_name=EXAMPLE_APP_NAME,
+                plugin_name=EXAMPLE_APP_NAME,
                 setting_name='NON-EXISTING SETTING',
                 project=self.project,
             )
@@ -318,18 +328,89 @@ def test_get_with_nonexisting(self):
     def test_get_with_post_safe(self):
         """Test get() with JSON setting and post_safe=True"""
         val = app_settings.get(
-            app_name=self.project_json_setting['app_name'],
+            plugin_name=self.project_json_setting['plugin_name'],
             setting_name=self.project_json_setting['name'],
             project=self.project_json_setting['project'],
             post_safe=True,
         )
         self.assertEqual(type(val), str)
 
+    def test_is_set_no_object(self):
+        """Test is_set() with no setting object set"""
+        n = 'project_star'
+        kw = {'project': self.project, 'user': self.user}
+        self.assertFalse(
+            AppSetting.objects.filter(app_plugin=None, name=n, **kw).exists()
+        )
+        self.assertFalse(
+            app_settings.is_set(
+                plugin_name='projectroles', setting_name=n, **kw
+            )
+        )
+
+    def test_is_set_object_exists(self):
+        """Test is_set() with existing setting object"""
+        n = 'project_star'
+        kw = {'project': self.project, 'user': self.user}
+        app_settings.set(
+            plugin_name='projectroles', setting_name=n, value=True, **kw
+        )
+        self.assertTrue(
+            AppSetting.objects.filter(app_plugin=None, name=n, **kw).exists()
+        )
+        self.assertTrue(
+            app_settings.is_set(
+                plugin_name='projectroles', setting_name=n, **kw
+            )
+        )
+
+    def test_is_set_default_value(self):
+        """Test is_set() with existing setting object and default value"""
+        n = 'project_star'
+        kw = {'project': self.project, 'user': self.user}
+        app_settings.set(
+            plugin_name='projectroles', setting_name=n, value=False, **kw
+        )
+        self.assertTrue(
+            AppSetting.objects.filter(app_plugin=None, name=n, **kw).exists()
+        )
+        self.assertTrue(
+            app_settings.is_set(
+                plugin_name='projectroles', setting_name=n, **kw
+            )
+        )
+
+    def test_is_set_plugin(self):
+        """Test is_set() with plugin setting"""
+        n = 'project_str_setting'
+        kw = {'project': self.project}
+        # NOTE: Already created in setUp()
+        self.assertTrue(
+            AppSetting.objects.filter(
+                app_plugin__name=EXAMPLE_APP_NAME, name=n, **kw
+            ).exists()
+        )
+        self.assertTrue(
+            app_settings.is_set(
+                plugin_name=EXAMPLE_APP_NAME, setting_name=n, **kw
+            )
+        )
+
+    def test_is_set_invalid_user(self):
+        """Test is_set() with invalid user arg"""
+        with self.assertRaises(ValueError):
+            app_settings.is_set(
+                plugin_name='projectroles',
+                setting_name='project_star',
+                project=self.project,
+                user=None,
+            )
+
     def test_set(self):
         """Test set()"""
         for setting in self.settings:
             data = {
-                'app_name': setting['app_name'],
+                'plugin_name': setting['plugin_name'],
                 'setting_name': setting['name'],
             }
             if 'project' in setting:
@@ -348,7 +429,7 @@ def test_set_unchanged(self):
         """Test set() with unchanged value"""
         for setting in self.settings:
             data = {
-                'app_name': setting['app_name'],
+                'plugin_name': setting['plugin_name'],
                 'setting_name': setting['name'],
             }
             if 'project' in setting:
@@ -364,7 +445,7 @@ def test_set_unchanged(self):
                 ret,
                 False,
                 msg='setting={}.{}'.format(
-                    setting['app_name'], setting['name']
+                    setting['plugin_name'], setting['name']
                 ),
             )
             val = app_settings.get(**data)
@@ -372,7 +453,7 @@ def test_set_unchanged(self):
                 val,
                 setting['value'],
                 msg='setting={}.{}'.format(
-                    setting['app_name'], setting['name']
+                    setting['plugin_name'], setting['name']
                 ),
             )
 
@@ -386,14 +467,14 @@ def test_set_new(self):
         self.assertEqual(bool(int(val)), False)
 
         ret = app_settings.set(
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             setting_name=EXISTING_SETTING,
             value=True,
             project=self.project,
         )
         self.assertEqual(ret, True)
         val = app_settings.get(
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             setting_name=EXISTING_SETTING,
             project=self.project,
         )
@@ -409,7 +490,7 @@ def test_set_undefined(self):
         """Test set() with undefined setting (should fail)"""
         with self.assertRaises(ValueError):
             app_settings.set(
-                app_name=EXAMPLE_APP_NAME,
+                plugin_name=EXAMPLE_APP_NAME,
                 setting_name='new_setting',
                 value='new',
                 project=self.project,
@@ -420,7 +501,7 @@ def test_set_multi_project_user(self):
         # Set up second user
         new_user = self.make_user('new_user')
         ret = app_settings.set(
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             setting_name='project_user_str_setting',
             project=self.project,
             user=self.user,
@@ -428,7 +509,7 @@ def test_set_multi_project_user(self):
         )
         self.assertEqual(ret, True)
         ret = app_settings.set(
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             setting_name='project_user_str_setting',
             project=self.project,
             user=new_user,
@@ -438,11 +519,11 @@ def test_set_multi_project_user(self):
 
     def test_set_invalid_project_types(self):
         """Test set() with invalid project types scope"""
-        # Should fail because project_category_bool_setting has CATEGORY scope
+        # Should fail because category_bool_setting has CATEGORY scope
         with self.assertRaises(ValueError):
             app_settings.set(
-                app_name=EXAMPLE_APP_NAME,
-                setting_name='project_category_bool_setting',
+                plugin_name=EXAMPLE_APP_NAME,
+                setting_name='category_bool_setting',
                 project=self.project,
                 value=True,
             )
@@ -457,7 +538,6 @@ def test_set_target_local(self):
         app_settings.set(EXAMPLE_APP_NAME, n, v, project=self.project)
         self.assertEqual(AppSetting.objects.filter(**args).count(), 1)
 
-    # TODO: Test local setting on remote project
     @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
     def test_set_target_local_remote(self):
         """Test setting local setting on target site and remote project"""
@@ -507,6 +587,24 @@ def test_set_target_global_remote(self):
             app_settings.set(EXAMPLE_APP_NAME, n, True, project=self.project)
         self.assertEqual(AppSetting.objects.filter(name=n, value=1).count(), 0)
 
+    def test_set_user_global(self):
+        """Test setting global user setting on source site"""
+        n = 'notify_email_project'
+        v = '0'
+        self.assertEqual(AppSetting.objects.filter(name=n, value=v).count(), 0)
+        app_settings.set('projectroles', n, False, user=self.user)
+        self.assertEqual(AppSetting.objects.filter(name=n, value=v).count(), 1)
+
+    @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
+    def test_set_user_global_target(self):
+        """Test setting global user setting on target site"""
+        n = 'notify_email_project'
+        v = '0'
+        self.assertEqual(AppSetting.objects.filter(name=n, value=v).count(), 0)
+        with self.assertRaises(ValueError):
+            app_settings.set('projectroles', n, False, user=self.user)
+        self.assertEqual(AppSetting.objects.filter(name=n, value=v).count(), 0)
+
     def test_validate_boolean(self):
         """Test validate() with type BOOLEAN"""
         for setting in self.settings:
@@ -540,8 +638,8 @@ def test_validate_invalid(self):
         with self.assertRaises(ValueError):
             app_settings.validate('INVALID_TYPE', 'value', None)
 
-    def test_get_def_plugin(self):
-        """Test get_def() with plugin"""
+    def test_get_definition_plugin(self):
+        """Test get_definition() with plugin"""
         app_plugin = get_app_plugin(EXAMPLE_APP_NAME)
         expected = {
             'scope': APP_SETTING_SCOPE_PROJECT,
@@ -557,8 +655,8 @@ def test_get_def_plugin(self):
         )
         self.assertEqual(s_def, expected)
 
-    def test_get_def_app_name(self):
-        """Test get_def() with app name"""
+    def test_get_definition_app_name(self):
+        """Test get_definition() with app name"""
         expected = {
             'scope': APP_SETTING_SCOPE_PROJECT,
             'type': 'STRING',
@@ -569,12 +667,12 @@ def test_get_def_app_name(self):
             'user_modifiable': True,
         }
         s_def = app_settings.get_definition(
-            'project_str_setting', app_name=EXAMPLE_APP_NAME
+            'project_str_setting', plugin_name=EXAMPLE_APP_NAME
         )
         self.assertEqual(s_def, expected)
 
-    def test_get_def_user(self):
-        """Test get_def() with user setting"""
+    def test_get_definition_user(self):
+        """Test get_definition() with user setting"""
         expected = {
             'scope': APP_SETTING_SCOPE_USER,
             'type': 'STRING',
@@ -585,26 +683,26 @@ def test_get_def_user(self):
             'user_modifiable': True,
         }
         s_def = app_settings.get_definition(
-            'user_str_setting', app_name=EXAMPLE_APP_NAME
+            'user_str_setting', plugin_name=EXAMPLE_APP_NAME
         )
         self.assertEqual(s_def, expected)
 
-    def test_get_invalid(self):
-        """Test get_def() with innvalid input"""
+    def test_get_definition_invalid(self):
+        """Test get_definition() with innvalid input"""
         with self.assertRaises(ValueError):
             app_settings.get_definition(
-                'non_existing_setting', app_name=EXAMPLE_APP_NAME
+                'non_existing_setting', plugin_name=EXAMPLE_APP_NAME
             )
         with self.assertRaises(ValueError):
             app_settings.get_definition(
-                'project_str_setting', app_name='non_existing_app_name'
+                'project_str_setting', plugin_name='non_existing_app_name'
             )
         # Both app_name and plugin unset
         with self.assertRaises(ValueError):
             app_settings.get_definition('project_str_setting')
 
-    def test_get_defs_project(self):
-        """Test get_defs() with PROJECT scope"""
+    def test_get_definitions_project(self):
+        """Test get_definitions() with PROJECT scope"""
         expected = {
             'project_str_setting': {
                 'scope': APP_SETTING_SCOPE_PROJECT,
@@ -659,7 +757,7 @@ def test_get_defs_project(self):
                 'default': False,
                 'description': 'Example global boolean project setting',
                 'user_modifiable': True,
-                'local': False,
+                'global': True,
             },
             'project_json_setting': {
                 'scope': APP_SETTING_SCOPE_PROJECT,
@@ -705,7 +803,7 @@ def test_get_defs_project(self):
                 'description': 'Example callable project setting with options',
                 'user_modifiable': True,
             },
-            'project_category_bool_setting': {
+            'category_bool_setting': {
                 'scope': SODAR_CONSTANTS['APP_SETTING_SCOPE_PROJECT'],
                 'type': 'BOOLEAN',
                 'label': 'Category boolean setting',
@@ -716,12 +814,12 @@ def test_get_defs_project(self):
             },
         }
         defs = app_settings.get_definitions(
-            APP_SETTING_SCOPE_PROJECT, app_name=EXAMPLE_APP_NAME
+            APP_SETTING_SCOPE_PROJECT, plugin_name=EXAMPLE_APP_NAME
         )
         self.assertEqual(defs, expected)
 
-    def test_get_defs_user(self):
-        """Test get_defs() with USER scope"""
+    def test_get_definitions_user(self):
+        """Test get_definitions() with USER scope"""
         expected = {
             'user_str_setting': {
                 'scope': APP_SETTING_SCOPE_USER,
@@ -807,12 +905,12 @@ def test_get_defs_user(self):
             },
         }
         defs = app_settings.get_definitions(
-            APP_SETTING_SCOPE_USER, app_name=EXAMPLE_APP_NAME
+            APP_SETTING_SCOPE_USER, plugin_name=EXAMPLE_APP_NAME
         )
         self.assertEqual(defs, expected)
 
-    def test_get_defs_project_user(self):
-        """Test get_defs() with PROJECT_USER scope"""
+    def test_get_definitions_project_user(self):
+        """Test get_definitions() with PROJECT_USER scope"""
         expected = {
             'project_user_str_setting': {
                 'scope': SODAR_CONSTANTS['APP_SETTING_SCOPE_PROJECT_USER'],
@@ -853,16 +951,17 @@ def test_get_defs_project_user(self):
                 'type': 'STRING',
                 'default': get_example_setting_default,
                 'options': get_example_setting_options,
-                'description': 'Example callable project user setting with options',
+                'description': 'Example callable project user setting with '
+                'options',
             },
         }
         defs = app_settings.get_definitions(
-            APP_SETTING_SCOPE_PROJECT_USER, app_name=EXAMPLE_APP_NAME
+            APP_SETTING_SCOPE_PROJECT_USER, plugin_name=EXAMPLE_APP_NAME
         )
         self.assertEqual(defs, expected)
 
-    def test_get_defs_site(self):
-        """Test get_defs() with SITE scope"""
+    def test_get_definitions_site(self):
+        """Test get_definitions() with SITE scope"""
         expected = {
             'site_bool_setting': {
                 'scope': SODAR_CONSTANTS['APP_SETTING_SCOPE_SITE'],
@@ -874,28 +973,28 @@ def test_get_defs_site(self):
             }
         }
         defs = app_settings.get_definitions(
-            APP_SETTING_SCOPE_SITE, app_name=EXAMPLE_APP_NAME
+            APP_SETTING_SCOPE_SITE, plugin_name=EXAMPLE_APP_NAME
         )
         self.assertEqual(defs, expected)
 
-    def test_get_defs_modifiable(self):
-        """Test get_defs() with user_modifiable arg"""
+    def test_get_definitions_modifiable(self):
+        """Test get_definitions() with user_modifiable arg"""
         defs = app_settings.get_definitions(
-            APP_SETTING_SCOPE_PROJECT, app_name=EXAMPLE_APP_NAME
+            APP_SETTING_SCOPE_PROJECT, plugin_name=EXAMPLE_APP_NAME
         )
         self.assertEqual(len(defs), 12)
         defs = app_settings.get_definitions(
             APP_SETTING_SCOPE_PROJECT,
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             user_modifiable=True,
         )
         self.assertEqual(len(defs), 10)
 
-    def test_get_defs_invalid_scope(self):
-        """Test get_defs() with invalid scope"""
+    def test_get_definitions_invalid_scope(self):
+        """Test get_definitions() with invalid scope"""
         with self.assertRaises(ValueError):
             app_settings.get_definitions(
-                'Ri4thai8aez5ooRa', app_name=EXAMPLE_APP_NAME
+                'Ri4thai8aez5ooRa', plugin_name=EXAMPLE_APP_NAME
             )
 
     def test_get_defaults_project(self):
@@ -1095,6 +1194,37 @@ def test_delete_by_scope_param_user(self):
                 user=self.user,
             )
 
+    def test_get_global_value(self):
+        """Test get_global_value() with set value"""
+        s_def = app_settings.get_definition(
+            'project_global_setting', plugin_name=EXAMPLE_APP_NAME
+        )
+        self.assertEqual(app_settings.get_global_value(s_def), True)
+
+    def test_get_global_value_unset(self):
+        """Test get_global_value() with unset value"""
+        s_def = app_settings.get_definition(
+            'project_str_setting', plugin_name=EXAMPLE_APP_NAME
+        )
+        self.assertEqual(app_settings.get_global_value(s_def), False)  # Default
+
+    # TODO: Remove in v1.1 (see #1394)
+    @override_settings(PROJECTROLES_APP_SETTINGS_TEST=APP_SETTINGS_TEST)
+    def test_get_global_value_local(self):
+        """Test get_global_value() with deprecated local value"""
+        s_def = app_settings.get_definition(
+            'project_star', plugin_name='projectroles'
+        )
+        # Should be inverse of "local" value
+        with self.assertLogs(
+            logger='projectroles.app_settings', level='WARNING'
+        ) as log:
+            self.assertEqual(app_settings.get_global_value(s_def), False)
+            self.assertIn(
+                'WARNING:projectroles.app_settings:' + LOCAL_DEPRECATE_MSG,
+                log.output,
+            )
+
     def test_validate_form_app_settings(self):
         """Test validate_form_app_settings() with valid project setting value"""
         app_plugin = get_app_plugin(EXAMPLE_APP_NAME)
diff --git a/projectroles/tests/test_checks.py b/projectroles/tests/test_checks.py
new file mode 100644
index 00000000..85ab567f
--- /dev/null
+++ b/projectroles/tests/test_checks.py
@@ -0,0 +1,26 @@
+"""Tests for Django checks in the projectroles app"""
+
+from django.test import override_settings
+
+from test_plus.test import TestCase
+
+import projectroles.checks as checks
+from projectroles.apps import ProjectrolesConfig
+
+
+# Local constants
+AC = [ProjectrolesConfig]
+
+
+class TestCheckAuthMethods(TestCase):
+    """Tests for check_auth_methods()"""
+
+    def test_check(self):
+        """Test check_auth_methods() with default test settings"""
+        self.assertEqual(checks.check_auth_methods(AC), [])
+
+    @override_settings(PROJECTROLES_ALLOW_LOCAL_USERS=False)
+    def test_check_disabled_auth(self):
+        """Test check_auth_methods() with disabled auth settings"""
+        # NOTE: Other settings are already false in the test config
+        self.assertEqual(checks.check_auth_methods(AC), [checks.W001])
diff --git a/projectroles/tests/test_commands.py b/projectroles/tests/test_commands.py
index 43eb92fc..fc16d625 100644
--- a/projectroles/tests/test_commands.py
+++ b/projectroles/tests/test_commands.py
@@ -7,11 +7,18 @@
 from django.contrib.auth import get_user_model
 from django.core import mail
 from django.core.management import call_command
+from django.forms.models import model_to_dict
 from django.test import override_settings
 from djangoplugins.models import Plugin
 
 from test_plus.test import TestCase
 
+# Timeline dependency
+from timeline.models import TimelineEvent
+
+from projectroles.management.commands.addremotesite import (
+    Command as AddRemoteSiteCommand,
+)
 from projectroles.management.commands.batchupdateroles import (
     Command as BatchUpdateRolesCommand,
 )
@@ -24,11 +31,18 @@
     DELETE_PROJECT_TYPE_MSG,
     DELETE_SCOPE_MSG,
 )
-from projectroles.management.commands.createdevusers import DEV_USER_NAMES
+from projectroles.management.commands.createdevusers import (
+    DEV_USER_NAMES,
+    DEFAULT_PASSWORD,
+)
+from projectroles.management.commands.syncgroups import (
+    Command as SyncGroupsCommand,
+)
 
 from projectroles.models import (
     RoleAssignment,
     ProjectInvite,
+    RemoteSite,
     AppSetting,
     SODAR_CONSTANTS,
 )
@@ -38,7 +52,9 @@
     RoleAssignmentMixin,
     ProjectInviteMixin,
     AppSettingMixin,
+    RemoteSiteMixin,
 )
+from projectroles.utils import build_secret
 
 
 User = get_user_model()
@@ -51,25 +67,163 @@
 PROJECT_ROLE_GUEST = SODAR_CONSTANTS['PROJECT_ROLE_GUEST']
 PROJECT_TYPE_CATEGORY = SODAR_CONSTANTS['PROJECT_TYPE_CATEGORY']
 PROJECT_TYPE_PROJECT = SODAR_CONSTANTS['PROJECT_TYPE_PROJECT']
+SITE_MODE_SOURCE = SODAR_CONSTANTS['SITE_MODE_SOURCE']
+SITE_MODE_PEER = SODAR_CONSTANTS['SITE_MODE_PEER']
+SITE_MODE_TARGET = SODAR_CONSTANTS['SITE_MODE_TARGET']
+SYSTEM_USER_GROUP = SODAR_CONSTANTS['SYSTEM_USER_GROUP']
 
 # Local constants
 EXAMPLE_APP_NAME = 'example_project_app'
 CLEAN_LOG_PREFIX = 'INFO:projectroles.management.commands.cleanappsettings:'
+CUSTOM_PASSWORD = 'custompass'
+REMOTE_SITE_NAME = 'Test Site'
+REMOTE_SITE_URL = 'https://example.com'
+REMOTE_SITE_SECRET = build_secret(32)
+LDAP_DOMAIN = 'EXAMPLE'
 
 
-class BatchUpdateRolesMixin:
-    """Helpers for batchupdateroles testing"""
+class TestAddRemoteSite(
+    ProjectMixin,
+    RoleMixin,
+    RoleAssignmentMixin,
+    RemoteSiteMixin,
+    TestCase,
+):
+    """Tests for addremotesite command"""
 
-    file = None
+    def setUp(self):
+        self.user = self.make_user('superuser')
+        self.user.is_superuser = True
+        self.user.save()
+        self.command = AddRemoteSiteCommand()
+        self.options = {
+            'name': REMOTE_SITE_NAME,
+            'url': REMOTE_SITE_URL,
+            'mode': SITE_MODE_TARGET,
+            'description': '',
+            'secret': REMOTE_SITE_SECRET,
+            'user_display': True,
+            'owner_modifiable': False,
+            'suppress_error': False,
+        }
 
-    def write_file(self, data):
-        """Write data to temporary CSV file"""
-        if not isinstance(data[0], list):
-            data = [data]
-        self.file.write(
-            bytes('\n'.join([';'.join(r) for r in data]), encoding='utf-8')
-        )
-        self.file.close()
+    def test_add(self):
+        """Test adding new remote site"""
+        tl_kwargs = {'event_name': 'target_site_create'}
+        self.assertEqual(RemoteSite.objects.count(), 0)
+        self.assertEqual(TimelineEvent.objects.filter(**tl_kwargs).count(), 0)
+        self.command.handle(**self.options)
+
+        self.assertEqual(RemoteSite.objects.count(), 1)
+        site = RemoteSite.objects.first()
+        expected = {
+            'id': site.pk,
+            'name': REMOTE_SITE_NAME,
+            'url': REMOTE_SITE_URL,
+            'mode': SITE_MODE_TARGET,
+            'description': '',
+            'secret': REMOTE_SITE_SECRET,
+            'sodar_uuid': site.sodar_uuid,
+            'user_display': True,
+            'owner_modifiable': False,
+        }
+        self.assertEqual(model_to_dict(site), expected)
+        self.assertEqual(TimelineEvent.objects.filter(**tl_kwargs).count(), 1)
+
+    @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
+    def test_add_source_on_target(self):
+        """Test adding source site on target site"""
+        tl_kwargs = {'event_name': 'source_site_create'}
+        self.options['mode'] = SITE_MODE_SOURCE
+        self.assertEqual(RemoteSite.objects.count(), 0)
+        self.assertEqual(TimelineEvent.objects.filter(**tl_kwargs).count(), 0)
+        self.command.handle(**self.options)
+        self.assertEqual(RemoteSite.objects.count(), 1)
+        self.assertEqual(TimelineEvent.objects.filter(**tl_kwargs).count(), 1)
+
+    def test_add_source_on_source(self):
+        """Test adding source site on source site (should fail)"""
+        self.options['mode'] = SITE_MODE_SOURCE
+        self.assertEqual(RemoteSite.objects.count(), 0)
+        with self.assertRaises(SystemExit) as cm:
+            self.command.handle(**self.options)
+        self.assertEqual(cm.exception.code, 1)
+        self.assertEqual(RemoteSite.objects.count(), 0)
+
+    @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
+    def test_add_target_on_target(self):
+        """Test adding target site on target site (should fail)"""
+        self.assertEqual(RemoteSite.objects.count(), 0)
+        with self.assertRaises(SystemExit) as cm:
+            self.command.handle(**self.options)
+        self.assertEqual(cm.exception.code, 1)
+        self.assertEqual(RemoteSite.objects.count(), 0)
+
+    def test_add_peer_on_source(self):
+        """Test adding peer site on source site (should fail)"""
+        self.options['mode'] = SITE_MODE_PEER
+        self.assertEqual(RemoteSite.objects.count(), 0)
+        with self.assertRaises(SystemExit) as cm:
+            self.command.handle(**self.options)
+        self.assertEqual(cm.exception.code, 1)
+        self.assertEqual(RemoteSite.objects.count(), 0)
+
+    @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
+    def test_add_peer_on_target(self):
+        """Test adding peer site on target site (should fail)"""
+        self.options['mode'] = SITE_MODE_PEER
+        self.assertEqual(RemoteSite.objects.count(), 0)
+        with self.assertRaises(SystemExit) as cm:
+            self.command.handle(**self.options)
+        self.assertEqual(cm.exception.code, 1)
+        self.assertEqual(RemoteSite.objects.count(), 0)
+
+    def test_add_second_target(self):
+        """Test adding second target site"""
+        self.make_site('Existing Site', 'https://another.site.org')
+        self.assertEqual(RemoteSite.objects.count(), 1)
+        self.command.handle(**self.options)
+        self.assertEqual(RemoteSite.objects.count(), 2)
+
+    def test_add_second_target_existing_name(self):
+        """Test adding second target site with existing name (should fail)"""
+        self.make_site(REMOTE_SITE_NAME, 'https://another.site.org')
+        self.assertEqual(RemoteSite.objects.count(), 1)
+        with self.assertRaises(SystemExit) as cm:
+            self.command.handle(**self.options)
+        self.assertEqual(cm.exception.code, 1)
+        self.assertEqual(RemoteSite.objects.count(), 1)
+
+    def test_add_second_target_existing_url(self):
+        """Test adding second target site with existing URL (should fail)"""
+        self.make_site('Existing Site', REMOTE_SITE_URL)
+        self.assertEqual(RemoteSite.objects.count(), 1)
+        with self.assertRaises(SystemExit) as cm:
+            self.command.handle(**self.options)
+        self.assertEqual(cm.exception.code, 1)
+        self.assertEqual(RemoteSite.objects.count(), 1)
+
+    def test_add_second_target_existing_url_suppress(self):
+        """Test adding second target site with suppressed error"""
+        self.options['suppress_error'] = True
+        self.make_site('Existing Site', REMOTE_SITE_URL)
+        self.assertEqual(RemoteSite.objects.count(), 1)
+        with self.assertRaises(SystemExit) as cm:
+            self.command.handle(**self.options)
+        self.assertEqual(cm.exception.code, 0)  # No error
+        self.assertEqual(RemoteSite.objects.count(), 1)
+
+    @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
+    def test_add_second_source(self):
+        """Test adding second source site (should fail)"""
+        self.make_site(
+            'Existing Site', 'https://another.site.org', mode=SITE_MODE_SOURCE
+        )
+        self.assertEqual(RemoteSite.objects.count(), 1)
+        with self.assertRaises(SystemExit) as cm:
+            self.command.handle(**self.options)
+        self.assertEqual(cm.exception.code, 1)
+        self.assertEqual(RemoteSite.objects.count(), 1)
 
 
 class TestBatchUpdateRoles(
@@ -77,11 +231,19 @@ class TestBatchUpdateRoles(
     RoleMixin,
     RoleAssignmentMixin,
     ProjectInviteMixin,
-    BatchUpdateRolesMixin,
     TestCase,
 ):
     """Tests for batchupdateroles command"""
 
+    def _write_file(self, data):
+        """Write data to temporary CSV file"""
+        if not isinstance(data[0], list):
+            data = [data]
+        self.file.write(
+            bytes('\n'.join([';'.join(r) for r in data]), encoding='utf-8')
+        )
+        self.file.close()
+
     def setUp(self):
         super().setUp()
         # Init roles
@@ -126,7 +288,7 @@ def test_invite(self):
         email = 'new@example.com'
         self.assertEqual(ProjectInvite.objects.count(), 0)
 
-        self.write_file([self.project_uuid, email, PROJECT_ROLE_GUEST])
+        self._write_file([self.project_uuid, email, PROJECT_ROLE_GUEST])
         self.command.handle(
             **{'file': self.file.name, 'issuer': self.user_owner.username}
         )
@@ -145,7 +307,7 @@ def test_invite_existing(self):
         self.make_invite(email, self.project, self.role_guest, self.user_owner)
         self.assertEqual(ProjectInvite.objects.count(), 1)
 
-        self.write_file([self.project_uuid, email, PROJECT_ROLE_GUEST])
+        self._write_file([self.project_uuid, email, PROJECT_ROLE_GUEST])
         self.command.handle(
             **{'file': self.file.name, 'issuer': self.user_owner.username}
         )
@@ -163,7 +325,7 @@ def test_invite_multi_user(self):
             [self.project_uuid, email, PROJECT_ROLE_GUEST],
             [self.project_uuid, email2, PROJECT_ROLE_GUEST],
         ]
-        self.write_file(fd)
+        self._write_file(fd)
         self.command.handle(
             **{'file': self.file.name, 'issuer': self.user_owner.username}
         )
@@ -180,7 +342,7 @@ def test_invite_multi_project(self):
             [self.category_uuid, email, PROJECT_ROLE_GUEST],
             [self.project_uuid, email, PROJECT_ROLE_GUEST],
         ]
-        self.write_file(fd)
+        self._write_file(fd)
         # NOTE: Using user_owner_cat as they have perms for both projects
         self.command.handle(
             **{'file': self.file.name, 'issuer': self.user_owner_cat.username}
@@ -196,7 +358,7 @@ def test_invite_multi_project(self):
 
     def test_invite_owner(self):
         """Test inviting an owner (should fail)"""
-        self.write_file(
+        self._write_file(
             [self.project_uuid, 'new@example.com', PROJECT_ROLE_OWNER]
         )
         self.command.handle(
@@ -207,7 +369,7 @@ def test_invite_owner(self):
 
     def test_invite_delegate(self):
         """Test inviting a delegate"""
-        self.write_file(
+        self._write_file(
             [self.project_uuid, 'new@example.com', PROJECT_ROLE_DELEGATE]
         )
         self.command.handle(
@@ -221,7 +383,7 @@ def test_invite_delegate_no_perms(self):
         """Test inviting a delegate without perms (should fail)"""
         user_delegate = self.make_user('delegate')
         self.make_assignment(self.project, user_delegate, self.role_delegate)
-        self.write_file(
+        self._write_file(
             [self.project_uuid, 'new@example.com', PROJECT_ROLE_DELEGATE]
         )
         self.command.handle(
@@ -234,7 +396,7 @@ def test_invite_delegate_limit(self):
         """Test inviting a delegate with limit reached (should fail)"""
         user_delegate = self.make_user('delegate')
         self.make_assignment(self.project, user_delegate, self.role_delegate)
-        self.write_file(
+        self._write_file(
             [self.project_uuid, 'new@example.com', PROJECT_ROLE_DELEGATE]
         )
         self.command.handle(
@@ -251,7 +413,7 @@ def test_role_add(self):
         user_new.save()
         self.assertEqual(ProjectInvite.objects.count(), 0)
 
-        self.write_file([self.project_uuid, email, PROJECT_ROLE_GUEST])
+        self._write_file([self.project_uuid, email, PROJECT_ROLE_GUEST])
         self.command.handle(
             **{'file': self.file.name, 'issuer': self.user_owner.username}
         )
@@ -277,7 +439,7 @@ def test_role_update(self):
             1,
         )
 
-        self.write_file([self.project_uuid, email, PROJECT_ROLE_CONTRIBUTOR])
+        self._write_file([self.project_uuid, email, PROJECT_ROLE_CONTRIBUTOR])
         self.command.handle(
             **{'file': self.file.name, 'issuer': self.user_owner.username}
         )
@@ -293,7 +455,7 @@ def test_role_update_owner(self):
         self.user_owner.email = email
         self.user_owner.save()
 
-        self.write_file([self.project_uuid, email, PROJECT_ROLE_CONTRIBUTOR])
+        self._write_file([self.project_uuid, email, PROJECT_ROLE_CONTRIBUTOR])
         self.command.handle(
             **{'file': self.file.name, 'issuer': self.user_owner.username}
         )
@@ -320,7 +482,7 @@ def test_role_update_delegate_no_perms(self):
         user_delegate = self.make_user('delegate')
         self.make_assignment(self.project, user_delegate, self.role_delegate)
 
-        self.write_file([self.project_uuid, email, PROJECT_ROLE_DELEGATE])
+        self._write_file([self.project_uuid, email, PROJECT_ROLE_DELEGATE])
         self.command.handle(
             **{'file': self.file.name, 'issuer': user_delegate.username}
         )
@@ -340,7 +502,7 @@ def test_role_update_delegate_limit(self):
         user_delegate = self.make_user('delegate')
         self.make_assignment(self.project, user_delegate, self.role_delegate)
 
-        self.write_file([self.project_uuid, email, PROJECT_ROLE_DELEGATE])
+        self._write_file([self.project_uuid, email, PROJECT_ROLE_DELEGATE])
         self.command.handle(
             **{'file': self.file.name, 'issuer': self.user_owner.username}
         )
@@ -352,7 +514,7 @@ def test_role_update_delegate_limit(self):
 
     def test_role_add_inherited_owner(self):
         """Test adding role with inherited owner rank (should fail)"""
-        self.write_file(
+        self._write_file(
             [
                 self.project_uuid,
                 self.user_owner_cat.email,
@@ -378,7 +540,7 @@ def test_role_add_inherited_higher(self):
         user_new.email = 'user_new@example.com'
         self.make_assignment(self.category, user_new, self.role_guest)
 
-        self.write_file(
+        self._write_file(
             [
                 self.project_uuid,
                 user_new.email,
@@ -404,7 +566,7 @@ def test_role_add_inherited_equal(self):
         user_new.email = 'user_new@example.com'
         self.make_assignment(self.category, user_new, self.role_contributor)
 
-        self.write_file(
+        self._write_file(
             [
                 self.project_uuid,
                 user_new.email,
@@ -430,7 +592,9 @@ def test_role_add_inherited_lower(self):
         user_new.email = 'user_new@example.com'
         self.make_assignment(self.category, user_new, self.role_contributor)
 
-        self.write_file([self.project_uuid, user_new.email, PROJECT_ROLE_GUEST])
+        self._write_file(
+            [self.project_uuid, user_new.email, PROJECT_ROLE_GUEST]
+        )
         self.command.handle(
             **{'file': self.file.name, 'issuer': self.user_owner.username}
         )
@@ -457,7 +621,7 @@ def test_invite_and_update(self):
             [self.project_uuid, email, PROJECT_ROLE_GUEST],
             [self.project_uuid, email2, PROJECT_ROLE_GUEST],
         ]
-        self.write_file(fd)
+        self._write_file(fd)
         self.command.handle(
             **{'file': self.file.name, 'issuer': self.user_owner.username}
         )
@@ -477,7 +641,7 @@ def test_command_no_issuer(self):
         admin.is_superuser = True
         admin.save()
         email = 'new@example.com'
-        self.write_file([self.project_uuid, email, PROJECT_ROLE_GUEST])
+        self._write_file([self.project_uuid, email, PROJECT_ROLE_GUEST])
         self.command.handle(**{'file': self.file.name, 'issuer': None})
         invite = ProjectInvite.objects.first()
         self.assertEqual(invite.issuer, admin)
@@ -486,7 +650,7 @@ def test_command_no_perms(self):
         """Test invite with issuer who lacks permissions for a project"""
         issuer = self.make_user('issuer')
         email = 'new@example.com'
-        self.write_file([self.project_uuid, email, PROJECT_ROLE_GUEST])
+        self._write_file([self.project_uuid, email, PROJECT_ROLE_GUEST])
         self.command.handle(
             **{'file': self.file.name, 'issuer': issuer.username}
         )
@@ -525,7 +689,7 @@ def setUp(self):
 
         # Init test setting
         self.setting_str_values = {
-            'app_name': EXAMPLE_APP_NAME,
+            'plugin_name': EXAMPLE_APP_NAME,
             'project': self.project,
             'name': 'project_str_setting',
             'setting_type': 'STRING',
@@ -534,7 +698,7 @@ def setUp(self):
             'non_valid_value': False,
         }
         self.setting_int_values = {
-            'app_name': EXAMPLE_APP_NAME,
+            'plugin_name': EXAMPLE_APP_NAME,
             'project': self.project,
             'name': 'project_int_setting',
             'setting_type': 'INTEGER',
@@ -543,7 +707,7 @@ def setUp(self):
             'non_valid_value': 'Nan',
         }
         self.setting_bool_values = {
-            'app_name': EXAMPLE_APP_NAME,
+            'plugin_name': EXAMPLE_APP_NAME,
             'project': self.project,
             'name': 'project_bool_setting',
             'setting_type': 'BOOLEAN',
@@ -552,7 +716,7 @@ def setUp(self):
             'non_valid_value': 170,
         }
         self.setting_json_values = {
-            'app_name': EXAMPLE_APP_NAME,
+            'plugin_name': EXAMPLE_APP_NAME,
             'project': self.project,
             'name': 'project_json_setting',
             'setting_type': 'JSON',
@@ -565,7 +729,7 @@ def setUp(self):
             'non_valid_value': self.project,
         }
         self.setting_iprestrict_values = {
-            'app_name': 'projectroles',
+            'plugin_name': 'projectroles',
             'project': self.project,
             'name': 'ip_restrict',
             'setting_type': 'BOOLEAN',
@@ -582,7 +746,7 @@ def setUp(self):
         ]
         for s in self.settings:
             self.make_setting(
-                app_name=s['app_name'],
+                plugin_name=s['plugin_name'],
                 name=s['name'],
                 setting_type=s['setting_type'],
                 value=s['value'] if s['setting_type'] != 'JSON' else '',
@@ -713,6 +877,57 @@ def test_command_project_user_scope(self):
             )
 
 
+class TestSyncGroups(TestCase):
+    """Tests for syncgroups command"""
+
+    def setUp(self):
+        self.command = SyncGroupsCommand()
+
+    def test_sync_system(self):
+        """Test sync with system username"""
+        user = self.make_user('user')
+        user.groups.all().delete()  # Remove groups
+        self.assertEqual(user.groups.count(), 0)
+        self.command.handle()
+        self.assertEqual(user.groups.count(), 1)
+        group = user.groups.first()
+        self.assertIsNotNone(group)
+        self.assertEqual(group.name, SYSTEM_USER_GROUP)
+
+    def test_sync_system_existing(self):
+        """Test sync with system username and existing group"""
+        user = self.make_user('user')
+        self.assertEqual(user.groups.count(), 1)
+        self.command.handle()
+        self.assertEqual(user.groups.count(), 1)
+        group = user.groups.first()
+        self.assertIsNotNone(group)
+        self.assertEqual(group.name, SYSTEM_USER_GROUP)
+
+    @override_settings(AUTH_LDAP_USERNAME_DOMAIN=LDAP_DOMAIN)
+    def test_sync_ldap(self):
+        """Test sync with LDAP user"""
+        user = self.make_user('user@' + LDAP_DOMAIN)
+        user.groups.all().delete()
+        self.assertEqual(user.groups.count(), 0)
+        self.command.handle()
+        self.assertEqual(user.groups.count(), 1)
+        group = user.groups.first()
+        self.assertIsNotNone(group)
+        self.assertEqual(group.name, LDAP_DOMAIN.lower())
+
+    @override_settings(AUTH_LDAP_USERNAME_DOMAIN=LDAP_DOMAIN)
+    def test_sync_ldap_existing(self):
+        """Test sync with LDAP user and existing group"""
+        user = self.make_user('user@' + LDAP_DOMAIN)
+        self.assertEqual(user.groups.count(), 1)
+        self.command.handle()
+        self.assertEqual(user.groups.count(), 1)
+        group = user.groups.first()
+        self.assertIsNotNone(group)
+        self.assertEqual(group.name, LDAP_DOMAIN.lower())
+
+
 @override_settings(DEBUG=True)
 class TestCreateDevUsers(TestCase):
     """Tests for createdevusers command"""
@@ -731,6 +946,14 @@ def test_create(self):
                 email='{}@example.com'.format(u),
             ).first()
             self.assertIsNotNone(user)
+            self.assertEqual(user.check_password(DEFAULT_PASSWORD), True)
+
+    def test_create_custom_password(self):
+        """Test creating users with custom password"""
+        call_command('createdevusers', password=CUSTOM_PASSWORD)
+        for u in DEV_USER_NAMES:
+            user = User.objects.filter(username=u).first()
+            self.assertEqual(user.check_password(CUSTOM_PASSWORD), True)
 
     def test_create_existing(self):
         """Test creating users with existing user in list"""
diff --git a/projectroles/tests/test_email.py b/projectroles/tests/test_email.py
index b819502f..4eeaabc3 100644
--- a/projectroles/tests/test_email.py
+++ b/projectroles/tests/test_email.py
@@ -16,11 +16,13 @@
     get_email_user,
     get_user_addr,
     get_email_footer,
+    SETTINGS_LINK,
 )
 from projectroles.tests.test_models import (
     ProjectMixin,
     RoleMixin,
     RoleAssignmentMixin,
+    SODARUserAdditionalEmailMixin,
 )
 
 
@@ -46,9 +48,24 @@
 USER_ADD_EMAIL2 = 'user2@example.com'
 
 
-class TestEmailSending(ProjectMixin, RoleMixin, RoleAssignmentMixin, TestCase):
+class TestEmailSending(
+    ProjectMixin,
+    RoleMixin,
+    RoleAssignmentMixin,
+    SODARUserAdditionalEmailMixin,
+    TestCase,
+):
+    """Tests for email sending"""
+
+    def _get_settings_link(self):
+        """Return message footer settings link"""
+        return SETTINGS_LINK.format(
+            url=self.request.build_absolute_uri(
+                reverse('userprofile:settings_update')
+            )
+        )
+
     def setUp(self):
-        self.factory = RequestFactory()
         # Init roles
         self.init_roles()
         # Init users
@@ -76,152 +93,126 @@ def setUp(self):
         self.user_as = self.make_assignment(
             self.project, self.user, self.role_contributor
         )
+        # Set up request factory and default request
+        self.factory = RequestFactory()
+        self.request = self.factory.get(reverse('home'))
+        self.request.user = self.user_owner
 
     def test_role_create_mail(self):
         """Test role creation mail sending"""
-        with self.login(self.user_owner):
-            request = self.factory.get(reverse('home'))
-            request.user = self.user_owner
-            email_sent = send_role_change_mail(
-                change_type='create',
-                project=self.project,
-                user=self.user,
-                role=self.user_as.role,
-                request=request,
-            )
-            self.assertEqual(email_sent, 1)
-            self.assertEqual(len(mail.outbox), 1)
-            self.assertEqual(len(mail.outbox[0].to), 1)
-            self.assertEqual(mail.outbox[0].to[0], self.user.email)
-            self.assertEqual(len(mail.outbox[0].reply_to), 1)
-            self.assertEqual(mail.outbox[0].reply_to[0], self.user_owner.email)
+        email_sent = send_role_change_mail(
+            change_type='create',
+            project=self.project,
+            user=self.user,
+            role=self.user_as.role,
+            request=self.request,
+        )
+        self.assertEqual(email_sent, 1)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(len(mail.outbox[0].to), 1)
+        self.assertEqual(mail.outbox[0].to[0], self.user.email)
+        self.assertEqual(len(mail.outbox[0].reply_to), 1)
+        self.assertEqual(mail.outbox[0].reply_to[0], self.user_owner.email)
 
     def test_role_create_mail_additional(self):
         """Test role creation with additional sender emails"""
-        app_settings.set(
-            'projectroles',
-            'user_email_additional',
-            '{};{}'.format(USER_ADD_EMAIL, USER_ADD_EMAIL2),
+        self.make_email(self.user, USER_ADD_EMAIL)
+        self.make_email(self.user, USER_ADD_EMAIL2)
+        email_sent = send_role_change_mail(
+            change_type='create',
+            project=self.project,
             user=self.user,
+            role=self.user_as.role,
+            request=self.request,
         )
-        with self.login(self.user_owner):
-            request = self.factory.get(reverse('home'))
-            request.user = self.user_owner
-            email_sent = send_role_change_mail(
-                change_type='create',
-                project=self.project,
-                user=self.user,
-                role=self.user_as.role,
-                request=request,
-            )
-            self.assertEqual(email_sent, 1)
-            self.assertEqual(len(mail.outbox), 1)
-            self.assertEqual(len(mail.outbox[0].to), 3)
-            self.assertEqual(
-                mail.outbox[0].to,
-                [self.user.email, USER_ADD_EMAIL, USER_ADD_EMAIL2],
-            )
-            self.assertEqual(len(mail.outbox[0].reply_to), 1)
-            self.assertEqual(mail.outbox[0].reply_to[0], self.user_owner.email)
+        self.assertEqual(email_sent, 1)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(len(mail.outbox[0].to), 3)
+        self.assertEqual(
+            mail.outbox[0].to,
+            [self.user.email, USER_ADD_EMAIL, USER_ADD_EMAIL2],
+        )
+        self.assertEqual(len(mail.outbox[0].reply_to), 1)
+        self.assertEqual(mail.outbox[0].reply_to[0], self.user_owner.email)
 
     def test_role_create_mail_additional_no_default(self):
         """Test role creation with additional sender emails but no default email"""
-        app_settings.set(
-            'projectroles',
-            'user_email_additional',
-            '{};{}'.format(USER_ADD_EMAIL, USER_ADD_EMAIL2),
-            user=self.user,
-        )
+        self.make_email(self.user, USER_ADD_EMAIL)
+        self.make_email(self.user, USER_ADD_EMAIL2)
         self.user.email = ''
         self.user.save()
-        with self.login(self.user_owner):
-            request = self.factory.get(reverse('home'))
-            request.user = self.user_owner
-            email_sent = send_role_change_mail(
-                change_type='create',
-                project=self.project,
-                user=self.user,
-                role=self.user_as.role,
-                request=request,
-            )
-            self.assertEqual(email_sent, 1)
-            self.assertEqual(len(mail.outbox), 1)
-            self.assertEqual(len(mail.outbox[0].to), 2)
-            self.assertEqual(
-                mail.outbox[0].to,
-                [USER_ADD_EMAIL, USER_ADD_EMAIL2],
-            )
-            self.assertEqual(len(mail.outbox[0].reply_to), 1)
-            self.assertEqual(mail.outbox[0].reply_to[0], self.user_owner.email)
+        email_sent = send_role_change_mail(
+            change_type='create',
+            project=self.project,
+            user=self.user,
+            role=self.user_as.role,
+            request=self.request,
+        )
+        self.assertEqual(email_sent, 1)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(len(mail.outbox[0].to), 2)
+        self.assertEqual(
+            mail.outbox[0].to,
+            [USER_ADD_EMAIL, USER_ADD_EMAIL2],
+        )
+        self.assertEqual(len(mail.outbox[0].reply_to), 1)
+        self.assertEqual(mail.outbox[0].reply_to[0], self.user_owner.email)
 
     def test_role_create_mail_additional_reply(self):
         """Test role creation with additional reply-to emails"""
-        app_settings.set(
-            'projectroles',
-            'user_email_additional',
-            '{};{}'.format(USER_ADD_EMAIL, USER_ADD_EMAIL2),
-            user=self.user_owner,
-        )
-        with self.login(self.user_owner):
-            request = self.factory.get(reverse('home'))
-            request.user = self.user_owner
-            email_sent = send_role_change_mail(
-                change_type='create',
-                project=self.project,
-                user=self.user,
-                role=self.user_as.role,
-                request=request,
-            )
-            self.assertEqual(email_sent, 1)
-            self.assertEqual(len(mail.outbox), 1)
-            self.assertEqual(len(mail.outbox[0].to), 1)
-            self.assertEqual(
-                mail.outbox[0].to,
-                [self.user.email],
-            )
-            self.assertEqual(len(mail.outbox[0].reply_to), 3)
-            self.assertEqual(
-                mail.outbox[0].reply_to,
-                [self.user_owner.email, USER_ADD_EMAIL, USER_ADD_EMAIL2],
-            )
+        self.make_email(self.user_owner, USER_ADD_EMAIL)
+        self.make_email(self.user_owner, USER_ADD_EMAIL2)
+        email_sent = send_role_change_mail(
+            change_type='create',
+            project=self.project,
+            user=self.user,
+            role=self.user_as.role,
+            request=self.request,
+        )
+        self.assertEqual(email_sent, 1)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(len(mail.outbox[0].to), 1)
+        self.assertEqual(
+            mail.outbox[0].to,
+            [self.user.email],
+        )
+        self.assertEqual(len(mail.outbox[0].reply_to), 3)
+        self.assertEqual(
+            mail.outbox[0].reply_to,
+            [self.user_owner.email, USER_ADD_EMAIL, USER_ADD_EMAIL2],
+        )
 
     def test_role_update_mail(self):
         """Test role updating mail sending"""
-        with self.login(self.user_owner):
-            request = self.factory.get(reverse('home'))
-            request.user = self.user_owner
-            email_sent = send_role_change_mail(
-                change_type='update',
-                project=self.project,
-                user=self.user,
-                role=self.user_as.role,
-                request=request,
-            )
-            self.assertEqual(email_sent, 1)
-            self.assertEqual(len(mail.outbox), 1)
-            self.assertEqual(len(mail.outbox[0].to), 1)
-            self.assertEqual(mail.outbox[0].to[0], self.user.email)
-            self.assertEqual(len(mail.outbox[0].reply_to), 1)
-            self.assertEqual(mail.outbox[0].reply_to[0], self.user_owner.email)
+        email_sent = send_role_change_mail(
+            change_type='update',
+            project=self.project,
+            user=self.user,
+            role=self.user_as.role,
+            request=self.request,
+        )
+        self.assertEqual(email_sent, 1)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(len(mail.outbox[0].to), 1)
+        self.assertEqual(mail.outbox[0].to[0], self.user.email)
+        self.assertEqual(len(mail.outbox[0].reply_to), 1)
+        self.assertEqual(mail.outbox[0].reply_to[0], self.user_owner.email)
 
     def test_role_delete_mail(self):
         """Test role deletion mail sending"""
-        with self.login(self.user_owner):
-            request = self.factory.get(reverse('home'))
-            request.user = self.user_owner
-            email_sent = send_role_change_mail(
-                change_type='delete',
-                project=self.project,
-                user=self.user,
-                role=None,
-                request=request,
-            )
-            self.assertEqual(email_sent, 1)
-            self.assertEqual(len(mail.outbox), 1)
-            self.assertEqual(len(mail.outbox[0].to), 1)
-            self.assertEqual(mail.outbox[0].to[0], self.user.email)
-            self.assertEqual(len(mail.outbox[0].reply_to), 1)
-            self.assertEqual(mail.outbox[0].reply_to[0], self.user_owner.email)
+        email_sent = send_role_change_mail(
+            change_type='delete',
+            project=self.project,
+            user=self.user,
+            role=None,
+            request=self.request,
+        )
+        self.assertEqual(email_sent, 1)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(len(mail.outbox[0].to), 1)
+        self.assertEqual(mail.outbox[0].to[0], self.user.email)
+        self.assertEqual(len(mail.outbox[0].reply_to), 1)
+        self.assertEqual(mail.outbox[0].reply_to[0], self.user_owner.email)
 
     def test_project_create_mail(self):
         """Test project creation mail sending"""
@@ -229,147 +220,129 @@ def test_project_create_mail(self):
             'New Project', PROJECT_TYPE_PROJECT, self.category
         )
         self.make_assignment(new_project, self.user, self.role_owner)
-
-        with self.login(self.user):
-            request = self.factory.get(reverse('home'))
-            request.user = self.user
-            email_sent = send_project_create_mail(
-                project=new_project,
-                request=request,
-            )
-            self.assertEqual(email_sent, 1)
-            self.assertEqual(len(mail.outbox), 1)
-            self.assertEqual(len(mail.outbox[0].to), 1)
-            self.assertEqual(mail.outbox[0].to[0], self.user_owner.email)
-            self.assertEqual(len(mail.outbox[0].reply_to), 1)
-            self.assertEqual(mail.outbox[0].reply_to[0], self.user.email)
+        self.request.user = self.user
+        email_sent = send_project_create_mail(
+            project=new_project,
+            request=self.request,
+        )
+        self.assertEqual(email_sent, 1)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(len(mail.outbox[0].to), 1)
+        self.assertEqual(mail.outbox[0].to[0], self.user_owner.email)
+        self.assertEqual(len(mail.outbox[0].reply_to), 1)
+        self.assertEqual(mail.outbox[0].reply_to[0], self.user.email)
 
     def test_generic_mail_user(self):
         """Test send_generic_mail() with a User recipient"""
-        with self.login(self.user_owner):
-            request = self.factory.get(reverse('home'))
-            request.user = self.user_owner
-            email_sent = send_generic_mail(
-                subject_body=SUBJECT_BODY,
-                message_body=MESSAGE_BODY,
-                recipient_list=[self.user],
-                request=request,
-                reply_to=[self.user_owner.email],
-            )
-            self.assertEqual(email_sent, 1)
-            self.assertEqual(len(mail.outbox), 1)
-            self.assertEqual(len(mail.outbox[0].to), 1)
-            self.assertEqual(mail.outbox[0].to[0], self.user.email)
-            self.assertEqual(len(mail.outbox[0].reply_to), 1)
-            self.assertEqual(mail.outbox[0].reply_to[0], self.user_owner.email)
+        email_sent = send_generic_mail(
+            subject_body=SUBJECT_BODY,
+            message_body=MESSAGE_BODY,
+            recipient_list=[self.user],
+            request=self.request,
+            reply_to=[self.user_owner.email],
+        )
+        self.assertEqual(email_sent, 1)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(len(mail.outbox[0].to), 1)
+        self.assertEqual(mail.outbox[0].to[0], self.user.email)
+        self.assertEqual(len(mail.outbox[0].reply_to), 1)
+        self.assertEqual(mail.outbox[0].reply_to[0], self.user_owner.email)
 
     def test_generic_mail_user_additional(self):
         """Test send_generic_mail() with a User and additional emails"""
-        app_settings.set(
-            'projectroles',
-            'user_email_additional',
-            '{};{}'.format(USER_ADD_EMAIL, USER_ADD_EMAIL2),
-            user=self.user,
+        self.make_email(self.user, USER_ADD_EMAIL)
+        self.make_email(self.user, USER_ADD_EMAIL2)
+        email_sent = send_generic_mail(
+            subject_body=SUBJECT_BODY,
+            message_body=MESSAGE_BODY,
+            recipient_list=[self.user],
+            request=self.request,
+            reply_to=[self.user_owner.email],
         )
-        with self.login(self.user_owner):
-            request = self.factory.get(reverse('home'))
-            request.user = self.user_owner
-            email_sent = send_generic_mail(
-                subject_body=SUBJECT_BODY,
-                message_body=MESSAGE_BODY,
-                recipient_list=[self.user],
-                request=request,
-                reply_to=[self.user_owner.email],
-            )
-            self.assertEqual(email_sent, 1)
-            self.assertEqual(len(mail.outbox), 1)
-            self.assertEqual(len(mail.outbox[0].to), 3)
-            self.assertEqual(
-                mail.outbox[0].to,
-                [self.user.email, USER_ADD_EMAIL, USER_ADD_EMAIL2],
-            )
-            self.assertEqual(len(mail.outbox[0].reply_to), 1)
-            self.assertEqual(mail.outbox[0].reply_to[0], self.user_owner.email)
+        self.assertEqual(email_sent, 1)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(len(mail.outbox[0].to), 3)
+        self.assertEqual(
+            mail.outbox[0].to,
+            [self.user.email, USER_ADD_EMAIL, USER_ADD_EMAIL2],
+        )
+        self.assertEqual(len(mail.outbox[0].reply_to), 1)
+        self.assertEqual(mail.outbox[0].reply_to[0], self.user_owner.email)
 
     def test_generic_mail_str(self):
         """Test send_generic_mail() with an email string recipient"""
-        with self.login(self.user_owner):
-            request = self.factory.get(reverse('home'))
-            request.user = self.user_owner
-            email_sent = send_generic_mail(
-                subject_body=SUBJECT_BODY,
-                message_body=MESSAGE_BODY,
-                recipient_list=[self.user.email],
-                request=request,
-                reply_to=[self.user_owner.email],
-            )
-            self.assertEqual(email_sent, 1)
-            self.assertEqual(len(mail.outbox), 1)
-            self.assertEqual(len(mail.outbox[0].to), 1)
-            self.assertEqual(mail.outbox[0].to[0], self.user.email)
-            self.assertEqual(len(mail.outbox[0].reply_to), 1)
-            self.assertEqual(mail.outbox[0].reply_to[0], self.user_owner.email)
+        email_sent = send_generic_mail(
+            subject_body=SUBJECT_BODY,
+            message_body=MESSAGE_BODY,
+            recipient_list=[self.user.email],
+            request=self.request,
+            reply_to=[self.user_owner.email],
+        )
+        self.assertEqual(email_sent, 1)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(len(mail.outbox[0].to), 1)
+        self.assertEqual(mail.outbox[0].to[0], self.user.email)
+        self.assertEqual(len(mail.outbox[0].reply_to), 1)
+        self.assertEqual(mail.outbox[0].reply_to[0], self.user_owner.email)
 
     def test_generic_mail_multiple(self):
         """Test send_generic_mail() with multiple recipients"""
-
-        # Init new user
         user_new = self.make_user('newuser')
-
-        with self.login(self.user_owner):
-            request = self.factory.get(reverse('home'))
-            request.user = self.user_owner
-            email_sent = send_generic_mail(
-                subject_body=SUBJECT_BODY,
-                message_body=MESSAGE_BODY,
-                recipient_list=[self.user_owner, user_new],
-                request=request,
-            )
-            self.assertEqual(email_sent, 2)
-            self.assertEqual(len(mail.outbox), 2)
+        email_sent = send_generic_mail(
+            subject_body=SUBJECT_BODY,
+            message_body=MESSAGE_BODY,
+            recipient_list=[self.user_owner, user_new],
+            request=self.request,
+        )
+        self.assertEqual(email_sent, 2)
+        self.assertEqual(len(mail.outbox), 2)
 
     def test_get_email_footer(self):
         """Test get_email_footer() with default admin"""
-        footer = get_email_footer()
+        footer = get_email_footer(self.request)
         self.assertIn(settings.ADMINS[0][0], footer)
         self.assertIn(settings.ADMINS[0][1], footer)
+        self.assertIn(self._get_settings_link(), footer)
 
     @override_settings(ADMINS=[])
     def test_get_email_footer_no_admin(self):
         """Test get_email_footer() with empty admin list"""
-        self.assertEqual(get_email_footer(), '')
+        self.assertEqual(
+            get_email_footer(self.request), self._get_settings_link()
+        )
+
+    def test_get_email_footer_no_settings(self):
+        """Test get_email_footer() with no settings link"""
+        footer = get_email_footer(self.request, settings_link=False)
+        self.assertIn(settings.ADMINS[0][0], footer)
+        self.assertIn(settings.ADMINS[0][1], footer)
+        self.assertNotIn(self._get_settings_link(), footer)
 
     @override_settings(PROJECTROLES_EMAIL_HEADER=CUSTOM_HEADER)
     def test_custom_header(self):
         """Test send_generic_mail() with custom header"""
-        with self.login(self.user_owner):
-            request = self.factory.get(reverse('home'))
-            request.user = self.user_owner
-            send_generic_mail(
-                subject_body=SUBJECT_BODY,
-                message_body=MESSAGE_BODY,
-                recipient_list=[self.user_owner.email],
-                request=request,
-                reply_to=[self.user_owner.email],
-            )
-            self.assertIn(CUSTOM_HEADER, mail.outbox[0].body)
-            self.assertNotIn(CUSTOM_FOOTER, mail.outbox[0].body)
+        send_generic_mail(
+            subject_body=SUBJECT_BODY,
+            message_body=MESSAGE_BODY,
+            recipient_list=[self.user_owner.email],
+            request=self.request,
+            reply_to=[self.user_owner.email],
+        )
+        self.assertIn(CUSTOM_HEADER, mail.outbox[0].body)
+        self.assertNotIn(CUSTOM_FOOTER, mail.outbox[0].body)
 
     @override_settings(PROJECTROLES_EMAIL_FOOTER=CUSTOM_FOOTER)
     def test_custom_footer(self):
         """Test send_generic_mail() with custom footer"""
-        with self.login(self.user_owner):
-            request = self.factory.get(reverse('home'))
-            request.user = self.user_owner
-            send_generic_mail(
-                subject_body=SUBJECT_BODY,
-                message_body=MESSAGE_BODY,
-                recipient_list=[self.user_owner.email],
-                request=request,
-                reply_to=[self.user_owner.email],
-            )
-            self.assertNotIn(CUSTOM_HEADER, mail.outbox[0].body)
-            self.assertIn(CUSTOM_FOOTER, mail.outbox[0].body)
+        send_generic_mail(
+            subject_body=SUBJECT_BODY,
+            message_body=MESSAGE_BODY,
+            recipient_list=[self.user_owner.email],
+            request=self.request,
+            reply_to=[self.user_owner.email],
+        )
+        self.assertNotIn(CUSTOM_HEADER, mail.outbox[0].body)
+        self.assertIn(CUSTOM_FOOTER, mail.outbox[0].body)
 
     def test_get_email_user(self):
         """Test get_email_user()"""
@@ -405,44 +378,26 @@ def test_get_user_addr(self):
 
     def test_get_user_addr_additional(self):
         """Test get_user_addr() with additional user emails"""
-        app_settings.set(
-            'projectroles',
-            'user_email_additional',
-            '{};{}'.format(USER_ADD_EMAIL, USER_ADD_EMAIL2),
-            user=self.user,
-        )
+        self.make_email(self.user, USER_ADD_EMAIL)
+        self.make_email(self.user, USER_ADD_EMAIL2)
         self.assertEqual(
             get_user_addr(self.user),
             [self.user.email, USER_ADD_EMAIL, USER_ADD_EMAIL2],
         )
 
+    def test_get_user_addr_additional_unverified(self):
+        """Test get_user_addr() with additional and unverified user emails"""
+        self.make_email(self.user, USER_ADD_EMAIL)
+        self.make_email(self.user, USER_ADD_EMAIL2, verified=False)
+        self.assertEqual(
+            get_user_addr(self.user), [self.user.email, USER_ADD_EMAIL]
+        )
+
     def test_get_user_addr_additional_no_default(self):
         """Test get_user_addr() with additional user emails and no default"""
-        app_settings.set(
-            'projectroles',
-            'user_email_additional',
-            '{};{}'.format(USER_ADD_EMAIL, USER_ADD_EMAIL2),
-            user=self.user,
-        )
+        self.make_email(self.user, USER_ADD_EMAIL)
+        self.make_email(self.user, USER_ADD_EMAIL2)
         self.user.email = ''
         self.assertEqual(
             get_user_addr(self.user), [USER_ADD_EMAIL, USER_ADD_EMAIL2]
         )
-
-    def test_get_user_addr_invalid(self):
-        """Test get_user_addr() with invalid user email"""
-        self.user.email = INVALID_EMAIL
-        self.assertEqual(get_user_addr(self.user), [])
-
-    def test_get_user_addr_additional_invalid(self):
-        """Test get_user_addr() with invalid additional email"""
-        app_settings.set(
-            'projectroles',
-            'user_email_additional',
-            '{};{}'.format(USER_ADD_EMAIL, INVALID_EMAIL),
-            user=self.user,
-        )
-        self.assertEqual(
-            get_user_addr(self.user),
-            [self.user.email, USER_ADD_EMAIL],
-        )
diff --git a/projectroles/tests/test_models.py b/projectroles/tests/test_models.py
index 17ac68f0..b080b469 100644
--- a/projectroles/tests/test_models.py
+++ b/projectroles/tests/test_models.py
@@ -3,6 +3,7 @@
 import uuid
 
 from django.conf import settings
+from django.contrib.auth.models import Group
 from django.core.exceptions import ValidationError
 from django.forms.models import model_to_dict
 from django.urls import reverse
@@ -19,6 +20,7 @@
     AppSetting,
     RemoteSite,
     RemoteProject,
+    SODARUserAdditionalEmail,
     SODAR_CONSTANTS,
     ROLE_RANKING,
     CAT_DELIMITER,
@@ -37,6 +39,13 @@
 PROJECT_TYPE_PROJECT = SODAR_CONSTANTS['PROJECT_TYPE_PROJECT']
 SITE_MODE_TARGET = SODAR_CONSTANTS['SITE_MODE_TARGET']
 SITE_MODE_SOURCE = SODAR_CONSTANTS['SITE_MODE_SOURCE']
+REMOTE_LEVEL_VIEW_AVAIL = SODAR_CONSTANTS['REMOTE_LEVEL_VIEW_AVAIL']
+REMOTE_LEVEL_READ_ROLES = SODAR_CONSTANTS['REMOTE_LEVEL_READ_ROLES']
+REMOTE_LEVEL_REVOKED = SODAR_CONSTANTS['REMOTE_LEVEL_REVOKED']
+AUTH_TYPE_LOCAL = SODAR_CONSTANTS['AUTH_TYPE_LOCAL']
+AUTH_TYPE_LDAP = SODAR_CONSTANTS['AUTH_TYPE_LDAP']
+AUTH_TYPE_OIDC = SODAR_CONSTANTS['AUTH_TYPE_OIDC']
+OIDC_USER_GROUP = SODAR_CONSTANTS['OIDC_USER_GROUP']
 
 # Local constants
 SECRET = 'rsd886hi8276nypuvw066sbvv0rb2a6x'
@@ -45,6 +54,9 @@
 REMOTE_SITE_URL = 'https://sodar.example.org'
 REMOTE_SITE_SECRET = build_secret()
 REMOTE_SITE_USER_DISPLAY = True
+ADD_EMAIL = 'additional@example.com'
+ADD_EMAIL_SECRET = build_secret()
+LDAP_DOMAIN = 'EXAMPLE'
 
 
 class ProjectMixin:
@@ -62,7 +74,7 @@ def make_project(
         archive=False,
         sodar_uuid=None,
     ):
-        """Make and save a Project"""
+        """Create a Project object"""
         values = {
             'title': title,
             'type': type,
@@ -109,7 +121,7 @@ class RoleAssignmentMixin:
 
     @classmethod
     def make_assignment(cls, project, user, role):
-        """Make and save a RoleAssignment"""
+        """Create a RoleAssignment object"""
         values = {'project': project, 'user': user, 'role': role}
         result = RoleAssignment(**values)
         result.save()
@@ -130,19 +142,21 @@ def make_invite(
         date_expire=None,
         secret=None,
     ):
-        """Make and save a ProjectInvite"""
+        """Create a ProjectInvite object"""
         values = {
             'email': email,
             'project': project,
             'role': role,
             'issuer': issuer,
             'message': message,
-            'date_expire': date_expire
-            if date_expire
-            else (
-                timezone.now()
-                + timezone.timedelta(
-                    days=settings.PROJECTROLES_INVITE_EXPIRY_DAYS
+            'date_expire': (
+                date_expire
+                if date_expire
+                else (
+                    timezone.now()
+                    + timezone.timedelta(
+                        days=settings.PROJECTROLES_INVITE_EXPIRY_DAYS
+                    )
                 )
             ),
             'secret': secret or SECRET,
@@ -159,7 +173,7 @@ class AppSettingMixin:
     @classmethod
     def make_setting(
         cls,
-        app_name,
+        plugin_name,
         name,
         setting_type,
         value,
@@ -169,11 +183,13 @@ def make_setting(
         user=None,
         sodar_uuid=None,
     ):
-        """Make and save a AppSetting"""
+        """Create an AppSetting object"""
         values = {
-            'app_plugin': None
-            if app_name == 'projectroles'
-            else get_app_plugin(app_name).get_model(),
+            'app_plugin': (
+                None
+                if plugin_name == 'projectroles'
+                else get_app_plugin(plugin_name).get_model()
+            ),
             'project': project,
             'name': name,
             'type': setting_type,
@@ -198,11 +214,13 @@ def make_site(
         name,
         url,
         user_display=REMOTE_SITE_USER_DISPLAY,
+        owner_modifiable=True,
         mode=SODAR_CONSTANTS['SITE_MODE_TARGET'],
         description='',
         secret=build_secret(),
+        sodar_uuid=None,
     ):
-        """Make and save a RemoteSite"""
+        """Create a RemoteSite object"""
         values = {
             'name': name,
             'url': url,
@@ -210,6 +228,8 @@ def make_site(
             'description': description,
             'secret': secret,
             'user_display': user_display,
+            'owner_modifiable': owner_modifiable,
+            'sodar_uuid': sodar_uuid or uuid.uuid4(),
         }
         site = RemoteSite(**values)
         site.save()
@@ -223,7 +243,7 @@ class RemoteProjectMixin:
     def make_remote_project(
         cls, project_uuid, site, level, date_access=None, project=None
     ):
-        """Make and save a RemoteProject"""
+        """Create a RemoteProject object"""
         if isinstance(project_uuid, str):
             project_uuid = uuid.UUID(project_uuid)
         values = {
@@ -231,9 +251,11 @@ def make_remote_project(
             'site': site,
             'level': level,
             'date_access': date_access,
-            'project': project
-            if project
-            else Project.objects.filter(sodar_uuid=project_uuid).first(),
+            'project': (
+                project
+                if project
+                else Project.objects.filter(sodar_uuid=project_uuid).first()
+            ),
         }
         remote_project = RemoteProject(**values)
         remote_project.save()
@@ -260,14 +282,14 @@ def set_up_as_target(cls, projects):
                     project_uuid=project.sodar_uuid,
                     project=project,
                     site=source_site,
-                    level=SODAR_CONSTANTS['REMOTE_LEVEL_READ_ROLES'],
+                    level=REMOTE_LEVEL_READ_ROLES,
                 )
             )
         return source_site, remote_projects
 
 
 class SODARUserMixin:
-    """Helper mixin for LDAP SodarUser creation"""
+    """Helper mixin for SodarUser creation"""
 
     def make_sodar_user(
         self,
@@ -279,6 +301,7 @@ def make_sodar_user(
         sodar_uuid=None,
         password='password',
     ):
+        """Create a SODARUser object"""
         user = self.make_user(username, password)
         user.name = name
         user.first_name = first_name
@@ -291,8 +314,23 @@ def make_sodar_user(
         return user
 
 
+class SODARUserAdditionalEmailMixin:
+    """Helper mixin for SODARUserAdditionalEmail creation"""
+
+    def make_email(self, user, email, verified=True, secret=None):
+        values = {
+            'user': user,
+            'email': email,
+            'verified': verified,
+            'secret': secret or build_secret(32),
+        }
+        email = SODARUserAdditionalEmail(**values)
+        email.save()
+        return email
+
+
 class TestProject(ProjectMixin, RoleMixin, RoleAssignmentMixin, TestCase):
-    """Tests for model.Project"""
+    """Tests for Project"""
 
     def setUp(self):
         # Set up category and project
@@ -381,14 +419,20 @@ def test_validate_parent_type(self):
             )
 
     def test_validate_public_guest_access(self):
-        """Test public guest access validation with project"""
+        """Test _validate_public_guest_access() with project"""
+        self.assertEqual(self.project.public_guest_access, False)
         # Test with project
         self.project.public_guest_access = True
         self.project.save()
-        # Test with category
-        with self.assertRaises(ValidationError):
-            self.category.public_guest_access = True
-            self.category.save()
+        self.assertEqual(self.project.public_guest_access, True)
+
+    def test_validate_public_guest_access_category(self):
+        """Test _validate_public_guest_access() with category"""
+        # NOTE: Does not raise error but forces value to be False, see #1404
+        self.assertEqual(self.category.public_guest_access, False)
+        self.category.public_guest_access = True
+        self.category.save()
+        self.assertEqual(self.category.public_guest_access, False)
 
     def test_get_absolute_url(self):
         """Test get_absolute_url()"""
@@ -399,41 +443,41 @@ def test_get_absolute_url(self):
         self.assertEqual(self.project.get_absolute_url(), expected_url)
 
     def test_get_children_category(self):
-        """Test children getting function for top category"""
+        """Test get_children() with top category"""
         children = self.category.get_children()
         self.assertEqual(children[0], self.project)
 
     def test_get_children_project(self):
-        """Test children getting function for sub project"""
+        """Test get_children() with sub project"""
         children = self.project.get_children()
         self.assertEqual(children.count(), 0)
 
     def test_get_depth_category(self):
-        """Test project depth getting function for top category"""
+        """Test get_depth() with top category"""
         self.assertEqual(self.category.get_depth(), 0)
 
     def test_get_depth_project(self):
-        """Test children getting function for sub project"""
+        """Test get_depth() with sub project"""
         self.assertEqual(self.project.get_depth(), 1)
 
     def test_get_parents_category(self):
-        """Test get parents function for top category"""
+        """Test get_parents() with top category"""
         self.assertEqual(self.category.get_parents(), [])
 
     def test_get_parents_project(self):
-        """Test get parents function for sub project"""
+        """Test get_parents() with sub project"""
         self.assertEqual(list(self.project.get_parents()), [self.category])
 
     def test_is_remote(self):
-        """Test Project.is_remote() without remote projects"""
+        """Test is_remote() without remote projects"""
         self.assertEqual(self.project.is_remote(), False)
 
     def test_is_revoked(self):
-        """Test Project.is_revoked() without remote projects"""
+        """Test is_revoked() without remote projects"""
         self.assertEqual(self.project.is_revoked(), False)
 
     def test_set_public(self):
-        """Test Project.set_public()"""
+        """Test set_public()"""
         self.assertFalse(self.project.public_guest_access)
         self.project.set_public()  # Default = True
         self.assertTrue(self.project.public_guest_access)
@@ -441,9 +485,11 @@ def test_set_public(self):
         self.assertFalse(self.project.public_guest_access)
         self.project.set_public(True)
         self.assertTrue(self.project.public_guest_access)
+        with self.assertRaises(ValidationError):
+            self.category.set_public(True)
 
     def test_set_archive(self):
-        """Test Project.set_archive()"""
+        """Test set_archive()"""
         self.assertFalse(self.project.archive)
         self.project.set_archive()  # Default = True
         self.assertTrue(self.project.archive)
@@ -453,13 +499,13 @@ def test_set_archive(self):
         self.assertTrue(self.project.archive)
 
     def test_set_archive_category(self):
-        """Test Project.set_archive() for a category (should fail)"""
+        """Test set_archive() with category (should fail)"""
         self.assertFalse(self.category.archive)
         with self.assertRaises(ValidationError):
             self.category.set_archive()
 
     def test_get_log_title(self):
-        """Test Project.get_log_title()"""
+        """Test get_log_title()"""
         expected = '"{}" ({})'.format(
             self.project.title, self.project.sodar_uuid
         )
@@ -477,7 +523,7 @@ def test_get_role(self):
         self.assertEqual(self.project.get_role(self.user_bob), project_as)
 
     def test_get_role_inherit_only(self):
-        """Test get_role() with only an inherited role"""
+        """Test get_role() with only inherited role"""
         self.assertEqual(
             self.project.get_role(self.user_alice), self.owner_as_cat
         )
@@ -740,7 +786,7 @@ def test_has_role_public(self):
 
 
 class TestRole(RoleMixin, TestCase):
-    """Tests for models.Role"""
+    """Tests for Role"""
 
     def setUp(self):
         self.init_roles()
@@ -781,7 +827,7 @@ def test__repr__(self):
 class TestRoleAssignment(
     ProjectMixin, RoleMixin, RoleAssignmentMixin, TestCase
 ):
-    """Tests for model.RoleAssignment"""
+    """Tests for RoleAssignment"""
 
     def setUp(self):
         # Set up category and project
@@ -941,6 +987,43 @@ def test__repr__(self):
         )
         self.assertEqual(repr(self.invite), expected)
 
+    def test_is_ldap_not_enabled(self):
+        """Test is_ldap() with LDAP not enabled"""
+        self.assertEqual(self.invite.is_ldap(), False)
+
+    @override_settings(ENABLE_LDAP=True, AUTH_LDAP_USERNAME_DOMAIN=LDAP_DOMAIN)
+    def test_is_ldap_enabled(self):
+        """Test is_ldap() with LDAP enabled"""
+        self.assertEqual(self.invite.is_ldap(), True)
+
+    @override_settings(ENABLE_LDAP=False, AUTH_LDAP_USERNAME_DOMAIN=LDAP_DOMAIN)
+    def test_is_ldap_not_enabled_domain(self):
+        """Test is_ldap() with domain in email but LDAP not enabled"""
+        self.assertEqual(self.invite.is_ldap(), False)
+
+    @override_settings(ENABLE_LDAP=True, AUTH_LDAP_USERNAME_DOMAIN='xyz')
+    def test_is_ldap_non_ldap_domain(self):
+        """Test is_ldap() with non-LDAP domain in email"""
+        self.assertEqual(self.invite.is_ldap(), False)
+
+    @override_settings(
+        ENABLE_LDAP=True,
+        AUTH_LDAP_USERNAME_DOMAIN='xyz',
+        AUTH_LDAP2_USERNAME_DOMAIN=LDAP_DOMAIN,
+    )
+    def test_is_ldap_secondary(self):
+        """Test is_ldap() with email in secondary domain"""
+        self.assertEqual(self.invite.is_ldap(), True)
+
+    @override_settings(
+        ENABLE_LDAP=True,
+        AUTH_LDAP_USERNAME_DOMAIN='xyz',
+        LDAP_ALT_DOMAINS=[LDAP_DOMAIN + '.com'],
+    )
+    def test_is_ldap_alt_domain(self):
+        """Test is_ldap() with alt domain in email"""
+        self.assertEqual(self.invite.is_ldap(), True)
+
 
 class TestProjectManager(ProjectMixin, RoleAssignmentMixin, TestCase):
     """Tests for ProjectManager"""
@@ -959,8 +1042,8 @@ def setUp(self):
             description='YYY',
         )
 
-    def test_find_all(self):
-        """Test find() with any project type"""
+    def test_find(self):
+        """Test find()"""
         result = Project.objects.find(['test'], project_type=None)
         self.assertEqual(len(result), 2)
         result = Project.objects.find(['ThisFails'], project_type=None)
@@ -1016,10 +1099,10 @@ def test_find_multi_fields(self):
         self.assertEqual(len(result), 2)
 
 
-class TestProjectSetting(
+class TestProjectAppSetting(
     ProjectMixin, RoleAssignmentMixin, AppSettingMixin, TestCase
 ):
-    """Tests for model.AppSetting with user == None"""
+    """Tests for AppSetting with PROJECT scope"""
 
     def setUp(self):
         # Init project
@@ -1036,7 +1119,7 @@ def setUp(self):
 
         # Init test setting
         self.setting_str = self.make_setting(
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             name='str_setting',
             setting_type='STRING',
             value='test',
@@ -1044,7 +1127,7 @@ def setUp(self):
         )
         # Init integer setting
         self.setting_int = self.make_setting(
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             name='int_setting',
             setting_type='INTEGER',
             value=170,
@@ -1052,7 +1135,7 @@ def setUp(self):
         )
         # Init boolean setting
         self.setting_bool = self.make_setting(
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             name='bool_setting',
             setting_type='BOOLEAN',
             value=True,
@@ -1060,7 +1143,7 @@ def setUp(self):
         )
         # Init JSON setting
         self.setting_json = self.make_setting(
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             name='json_setting',
             setting_type='JSON',
             value=None,
@@ -1154,7 +1237,7 @@ def test_get_value_json(self):
         self.assertEqual(val, {'Testing': 'good'})
 
 
-class TestUserSetting(
+class TestUserAppSetting(
     ProjectMixin, RoleAssignmentMixin, AppSettingMixin, TestCase
 ):
     """Tests for AppSetting with USER scope"""
@@ -1164,28 +1247,28 @@ def setUp(self):
         self.user = self.make_user('owner')
         # Init settings
         self.setting_str = self.make_setting(
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             name='str_setting',
             setting_type='STRING',
             value='test',
             user=self.user,
         )
         self.setting_int = self.make_setting(
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             name='int_setting',
             setting_type='INTEGER',
             value=170,
             user=self.user,
         )
         self.setting_bool = self.make_setting(
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             name='bool_setting',
             setting_type='BOOLEAN',
             value=True,
             user=self.user,
         )
         self.setting_json = self.make_setting(
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             name='json_setting',
             setting_type='JSON',
             value=None,
@@ -1278,9 +1361,13 @@ def test_get_value_json(self):
 
 
 class TestRemoteSite(
-    ProjectMixin, RoleAssignmentMixin, RemoteSiteMixin, TestCase
+    ProjectMixin,
+    RoleAssignmentMixin,
+    RemoteSiteMixin,
+    RemoteProjectMixin,
+    TestCase,
 ):
-    """Tests for model.RemoteSite"""
+    """Tests for RemoteSite"""
 
     def setUp(self):
         # Init project
@@ -1315,6 +1402,7 @@ def test_initialization(self):
             'secret': REMOTE_SITE_SECRET,
             'sodar_uuid': self.site.sodar_uuid,
             'user_display': REMOTE_SITE_USER_DISPLAY,
+            'owner_modifiable': True,
         }
         self.assertEqual(model_to_dict(self.site), expected)
 
@@ -1335,7 +1423,7 @@ def test__repr__(self):
         self.assertEqual(repr(self.site), expected)
 
     def test_validate_mode(self):
-        """Test _validate_mode() with an invalid mode (should fail)"""
+        """Test _validate_mode() with invalid mode (should fail)"""
         with self.assertRaises(ValidationError):
             self.make_site(
                 name='New site',
@@ -1343,6 +1431,53 @@ def test_validate_mode(self):
                 mode='uGaj9eicQueib1th',
             )
 
+    def test_get_access_date_no_projects(self):
+        """Test get_access_date() with no remote projects"""
+        self.assertEqual(self.site.get_access_date(), None)
+
+    def test_get_access_date_not_accessed(self):
+        """Test get_access_date() with non-accessed project"""
+        self.make_remote_project(
+            project_uuid=self.project.sodar_uuid,
+            site=self.site,
+            level=REMOTE_LEVEL_READ_ROLES,
+            project=self.project,
+            date_access=None,
+        )
+        self.assertEqual(self.site.get_access_date(), None)
+
+    def test_get_access_date_accessed(self):
+        """Test get_access_date() with accessed project"""
+        date_access = timezone.now()
+        self.make_remote_project(
+            project_uuid=self.project.sodar_uuid,
+            site=self.site,
+            level=REMOTE_LEVEL_READ_ROLES,
+            project=self.project,
+            date_access=date_access,
+        )
+        self.assertEqual(self.site.get_access_date(), date_access)
+
+    def test_get_access_date_both_access_types(self):
+        """Test get_access_date() with accessed and non-accessed projects"""
+        date_access = timezone.now()
+        self.make_remote_project(
+            project_uuid=self.project.sodar_uuid,
+            site=self.site,
+            level=REMOTE_LEVEL_READ_ROLES,
+            project=self.project,
+            date_access=date_access,
+        )
+        project2 = self.make_project('Project2', PROJECT_TYPE_PROJECT, None)
+        self.make_remote_project(
+            project_uuid=project2.sodar_uuid,
+            site=self.site,
+            level=REMOTE_LEVEL_READ_ROLES,
+            project=project2,
+            date_access=None,
+        )
+        self.assertEqual(self.site.get_access_date(), date_access)
+
 
 class TestRemoteProject(
     ProjectMixin,
@@ -1351,7 +1486,7 @@ class TestRemoteProject(
     RemoteProjectMixin,
     TestCase,
 ):
-    """Tests for model.RemoteProject"""
+    """Tests for RemoteProject"""
 
     def setUp(self):
         # Init project
@@ -1381,7 +1516,7 @@ def setUp(self):
         self.remote_project = self.make_remote_project(
             project_uuid=self.project.sodar_uuid,
             site=self.site,
-            level=SODAR_CONSTANTS['REMOTE_LEVEL_VIEW_AVAIL'],
+            level=REMOTE_LEVEL_VIEW_AVAIL,
             project=self.project,
         )
 
@@ -1392,7 +1527,7 @@ def test_initialization(self):
             'project_uuid': self.project.sodar_uuid,
             'project': self.project.pk,
             'site': self.site.pk,
-            'level': SODAR_CONSTANTS['REMOTE_LEVEL_VIEW_AVAIL'],
+            'level': REMOTE_LEVEL_VIEW_AVAIL,
             'date_access': None,
             'sodar_uuid': self.remote_project.sodar_uuid,
         }
@@ -1440,23 +1575,21 @@ def test_is_revoked_target(self):
         self.site.mode = SITE_MODE_SOURCE
         self.site.save()
         self.assertEqual(self.project.is_revoked(), False)
-        self.remote_project.level = SODAR_CONSTANTS['REMOTE_LEVEL_REVOKED']
+        self.remote_project.level = REMOTE_LEVEL_REVOKED
         self.remote_project.save()
         self.assertEqual(self.project.is_revoked(), True)
 
     @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
     @override_settings(PROJECTROLES_DELEGATE_LIMIT=1)
     def test_validate_remote_delegates(self):
-        """Test delegate validation: can add for remote project with limit"""
+        """Test remot project delegate validation"""
         self.site.mode = SITE_MODE_SOURCE
         self.site.save()
         self.make_assignment(self.project, self.user_bob, self.role_delegate)
-        try:
-            self.make_assignment(
-                self.project, self.user_alice, self.role_delegate
-            )
-        except ValidationError as e:
-            self.fail(e)
+        remote_as = self.make_assignment(
+            self.project, self.user_alice, self.role_delegate
+        )
+        self.assertIsNotNone(remote_as)
 
     def test_get_project(self):
         """Test get_project() with project and project_uuid"""
@@ -1468,15 +1601,25 @@ def test_get_project_no_foreign_key(self):
         self.remote_project.save()
         self.assertEqual(self.remote_project.get_project(), self.project)
 
+    def test_create_duplicate(self):
+        """Test creating duplicate remote project for site (should fail)"""
+        with self.assertRaises(ValidationError):
+            self.make_remote_project(
+                project_uuid=self.project.sodar_uuid,
+                site=self.site,
+                level=REMOTE_LEVEL_READ_ROLES,
+                project=self.project,
+            )
+
 
 class TestSODARUser(TestCase):
-    """Tests for the SODARUser class"""
+    """Tests for SODARUser"""
 
     def setUp(self):
         self.user = self.make_user()
 
     def test__str__(self):
-        """Test __str__()"""
+        """Test SODARUser __str__()"""
         self.assertEqual(
             self.user.__str__(), 'testuser'
         )  # This is the default username for self.make_user()
@@ -1509,6 +1652,29 @@ def test_get_form_label_first_last(self):
             'Full Name (testuser) <testuser@example.com>',
         )
 
+    def test_get_auth_type_local(self):
+        """Test get_auth_type() with local user"""
+        self.assertEqual(self.user.get_auth_type(), AUTH_TYPE_LOCAL)
+
+    @override_settings(AUTH_LDAP_USERNAME_DOMAIN='TEST')
+    def test_get_auth_type_ldap(self):
+        """Test get_auth_type() with LDAP user"""
+        self.user.username = 'testuser@TEST'
+        self.user.save()  # NOTE: set_group() is called on user save()
+        self.assertEqual(self.user.get_auth_type(), AUTH_TYPE_LDAP)
+
+    def test_get_auth_type_ldap_no_group(self):
+        """Test get_auth_type() with LDAP username but no user group"""
+        self.user.username = 'testuser@TEST'
+        self.user.save()
+        self.assertEqual(self.user.get_auth_type(), AUTH_TYPE_LOCAL)
+
+    def test_get_auth_type_oidc(self):
+        """Test get_auth_type() with OIDC user"""
+        group, _ = Group.objects.get_or_create(name=OIDC_USER_GROUP)
+        group.user_set.add(self.user)
+        self.assertEqual(self.user.get_auth_type(), AUTH_TYPE_OIDC)
+
     def test_update_full_name(self):
         """Test update_full_name()"""
         self.assertEqual(self.user.name, '')
@@ -1517,8 +1683,69 @@ def test_update_full_name(self):
         self.user.update_full_name()
         self.assertEqual(self.user.name, 'Full Name')
 
+    def test_update_full_name_non_empty(self):
+        """Test update_full_name() with previously non-empty name"""
+        self.user.first_name = 'Old'
+        self.user.last_name = 'Placeholder'
+        self.user.update_full_name()
+        self.assertEqual(self.user.name, 'Old Placeholder')
+        self.user.first_name = 'Full'
+        self.user.last_name = 'Name'
+        self.user.update_full_name()
+        self.assertEqual(self.user.name, 'Full Name')
+
     def test_update_ldap_username(self):
         """Test update_ldap_username()"""
         self.user.username = 'user@example'
         self.user.update_ldap_username()
         self.assertEqual(self.user.username, 'user@EXAMPLE')
+
+
+class TestSODARUserAdditionalEmail(SODARUserAdditionalEmailMixin, TestCase):
+    """Tests for SODARUserAdditionalEmail"""
+
+    def setUp(self):
+        self.user = self.make_user('user')
+        self.email = self.make_email(
+            user=self.user,
+            email=ADD_EMAIL,
+            verified=True,
+            secret=ADD_EMAIL_SECRET,
+        )
+
+    def test_initialization(self):
+        """Test SODARUserAdditionalEmail initialization"""
+        expected = {
+            'id': self.email.pk,
+            'user': self.user.pk,
+            'email': ADD_EMAIL,
+            'verified': True,
+            'secret': ADD_EMAIL_SECRET,
+            'sodar_uuid': self.email.sodar_uuid,
+        }
+        self.assertEqual(model_to_dict(self.email), expected)
+
+    def test__str__(self):
+        """Test SODARUserAdditionalEmail __str__()"""
+        self.assertEqual(self.email.__str__(), 'user: additional@example.com')
+
+    def test__repr__(self):
+        """Test SODARUserAdditionalEmail __repr__()"""
+        expected = 'SODARUserAdditionalEmail(\'{}\')'.format(
+            '\', \''.join(
+                [
+                    self.email.user.username,
+                    self.email.email,
+                    str(self.email.verified),
+                    self.email.secret,
+                    str(self.email.sodar_uuid),
+                ]
+            )
+        )
+        self.assertEqual(self.email.__repr__(), expected)
+
+    def test_validate_email_unique(self):
+        """Test _validate_email_unique()"""
+        with self.assertRaises(ValidationError):
+            self.email.email = self.user.email
+            self.email.save()
diff --git a/projectroles/tests/test_permissions.py b/projectroles/tests/test_permissions.py
index aded328e..d64309ad 100644
--- a/projectroles/tests/test_permissions.py
+++ b/projectroles/tests/test_permissions.py
@@ -37,7 +37,7 @@
 REMOTE_SITE_SECRET = build_secret()
 
 
-class TestPermissionMixin:
+class PermissionTestMixin:
     """Helper class for permission tests"""
 
     def send_request(self, url, method, req_kwargs):
@@ -117,7 +117,7 @@ class IPAllowMixin(AppSettingMixin):
     def setup_ip_allowing(self, ip_list):
         # Init IP restrict setting
         self.make_setting(
-            app_name='projectroles',
+            plugin_name='projectroles',
             name='ip_restrict',
             setting_type='BOOLEAN',
             value=True,
@@ -125,7 +125,7 @@ def setup_ip_allowing(self, ip_list):
         )
         # Init IP allowlist setting
         self.make_setting(
-            app_name='projectroles',
+            plugin_name='projectroles',
             name='ip_allowlist',
             setting_type='JSON',
             value=None,
@@ -134,7 +134,7 @@ def setup_ip_allowing(self, ip_list):
         )
 
 
-class TestPermissionBase(TestPermissionMixin, TestCase):
+class PermissionTestBase(PermissionTestMixin, TestCase):
     """
     Base class for permission tests for UI views.
 
@@ -142,12 +142,12 @@ class TestPermissionBase(TestPermissionMixin, TestCase):
     """
 
 
-class TestProjectPermissionBase(
+class ProjectPermissionTestBase(
     ProjectMixin,
     RoleMixin,
     RoleAssignmentMixin,
     ProjectInviteMixin,
-    TestPermissionBase,
+    PermissionTestBase,
 ):
     """
     Base class for testing project permissions.
@@ -220,12 +220,12 @@ def setUp(self):
         )
 
 
-class TestSiteAppPermissionBase(
+class SiteAppPermissionTestBase(
     ProjectMixin,
     RoleMixin,
     RoleAssignmentMixin,
     ProjectInviteMixin,
-    TestPermissionBase,
+    PermissionTestBase,
 ):
     """Base class for testing site app permissions"""
 
@@ -240,7 +240,7 @@ def setUp(self):
         self.anonymous = None
 
 
-class TestGeneralViews(TestProjectPermissionBase):
+class TestGeneralViews(ProjectPermissionTestBase):
     """Tests for general non-project UI view permissions"""
 
     def test_get_home(self):
@@ -459,7 +459,7 @@ def test_get_admin_anon(self):
         )
 
 
-class TestProjectDetailView(TestProjectPermissionBase):
+class TestProjectDetailView(ProjectPermissionTestBase):
     """Tests for ProjectDetailView permissions"""
 
     def setUp(self):
@@ -571,7 +571,7 @@ def test_get_category_anon(self):
         self.assert_response(self.url_cat, bad_users, 302)
 
 
-class TestProjectCreateView(TestProjectPermissionBase):
+class TestProjectCreateView(ProjectPermissionTestBase):
     """Tests for ProjectCreateView permissions"""
 
     def setUp(self):
@@ -642,7 +642,7 @@ def test_get_sub_anon(self):
         )
 
 
-class TestProjectUpdateView(TestProjectPermissionBase):
+class TestProjectUpdateView(ProjectPermissionTestBase):
     """Tests for ProjectUpdateView permissions"""
 
     def setUp(self):
@@ -740,7 +740,7 @@ def test_get_category_anon(self):
         )
 
 
-class TestProjectArchiveView(TestProjectPermissionBase):
+class TestProjectArchiveView(ProjectPermissionTestBase):
     """Tests for ProjectArchiveView permissions"""
 
     def setUp(self):
@@ -847,7 +847,7 @@ def test_get_category_anon(self):
         self.assert_response(self.url_cat, self.user_no_roles, 302)
 
 
-class TestProjectRoleView(TestProjectPermissionBase):
+class TestProjectRoleView(ProjectPermissionTestBase):
     """Tests for ProjectRoleView permissions"""
 
     def setUp(self):
@@ -931,7 +931,7 @@ def test_get_category(self):
             self.category.set_public()
 
 
-class TestRoleAssignmentCreateView(TestProjectPermissionBase):
+class TestRoleAssignmentCreateView(ProjectPermissionTestBase):
     """Tests for RoleAssignmentCreateView permissions"""
 
     def setUp(self):
@@ -1024,7 +1024,7 @@ def test_get_category(self):
             self.category.set_public()
 
 
-class TestRoleAssignmentUpdateView(TestProjectPermissionBase):
+class TestRoleAssignmentUpdateView(ProjectPermissionTestBase):
     """Tests for RoleAssignmentUpdateView permissions"""
 
     def setUp(self):
@@ -1185,7 +1185,7 @@ def test_get_delegate(self):
         self.assert_response(url, self.user_no_roles, 302)
 
 
-class TestRoleAssignmentDeleteView(TestProjectPermissionBase):
+class TestRoleAssignmentDeleteView(ProjectPermissionTestBase):
     """Tests for RoleAssignmentDeleteView permissions"""
 
     def setUp(self):
@@ -1347,7 +1347,7 @@ def test_get_delegate(self):
         self.assert_response(url, self.user_no_roles, 302)
 
 
-class TestRoleAssignmentOwnerTransferView(TestProjectPermissionBase):
+class TestRoleAssignmentOwnerTransferView(ProjectPermissionTestBase):
     """Tests for RoleAssignmentOwnerTransferView permissions"""
 
     def setUp(self):
@@ -1413,7 +1413,7 @@ def test_get_archive(self):
         self.assert_response(self.url, self.user_no_roles, 302)
 
 
-class TestProjectInviteView(TestProjectPermissionBase):
+class TestProjectInviteView(ProjectPermissionTestBase):
     """Tests for ProjectInviteView permissions"""
 
     def setUp(self):
@@ -1500,12 +1500,12 @@ def test_get_category(self):
         ]
         self.assert_response(self.url_cat, good_users, 200)
         self.assert_response(self.url_cat, bad_users, 302)
-        # public guest access is temporally disabled for categories
+        # Public guest access is temporally disabled for categories
         with self.assertRaises(ValidationError):
             self.category.set_public()
 
 
-class TestProjectInviteCreateView(TestProjectPermissionBase):
+class TestProjectInviteCreateView(ProjectPermissionTestBase):
     """Tests for ProjectInviteCreateView permissions"""
 
     def setUp(self):
@@ -1598,7 +1598,7 @@ def test_get_category(self):
         self.assert_response(self.url_cat, self.user_no_roles, 302)
 
 
-class TestProjectInviteResendView(TestProjectPermissionBase):
+class TestProjectInviteResendView(ProjectPermissionTestBase):
     """Tests for ProjectInviteResendView permissions"""
 
     def setUp(self):
@@ -1688,7 +1688,7 @@ def test_get_archive(self):
         self.assert_response(self.url, self.user_no_roles, 302)
 
 
-class TestProjectInviteRevokeView(TestProjectPermissionBase):
+class TestProjectInviteRevokeView(ProjectPermissionTestBase):
     """Tests for ProjectInviteRevokeView permissions"""
 
     def setUp(self):
@@ -1762,7 +1762,7 @@ def test_get_archive(self):
         self.assert_response(self.url, self.user_no_roles, 302)
 
 
-class TestRemoteSiteViews(RemoteSiteMixin, TestSiteAppPermissionBase):
+class TestRemoteSiteViews(RemoteSiteMixin, SiteAppPermissionTestBase):
     """Tests for UI view permissions in remote site views"""
 
     def setUp(self):
@@ -1838,7 +1838,7 @@ def test_get_remote_project_batch_update(self):
 
 @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
 class TestTargetSiteViews(
-    RemoteSiteMixin, RemoteProjectMixin, TestProjectPermissionBase
+    RemoteSiteMixin, RemoteProjectMixin, ProjectPermissionTestBase
 ):
     """Tests for UI view permissions on target site"""
 
@@ -1999,7 +1999,7 @@ def test_get_project_create_disallowed(self):
             self.user_no_roles,
             self.anonymous,
         ]
-        self.assert_response(url, bad_users, 302)
+        self.assert_response(url, bad_users, 302, redirect_anon=reverse('home'))
 
     def test_get_role_create(self):
         """Test RoleAssignmentCreateView GET"""
@@ -2156,7 +2156,7 @@ def test_get_project_invite_list(self):
 
 @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
 class TestRevokedRemoteProjectViews(
-    RemoteSiteMixin, RemoteProjectMixin, TestProjectPermissionBase
+    RemoteSiteMixin, RemoteProjectMixin, ProjectPermissionTestBase
 ):
     """
     Tests for UI view permissions with revoked remote project on target site.
@@ -2233,7 +2233,7 @@ def test_get_project_roles(self):
         self.assert_response(url, bad_users, 302)
 
 
-class TestIPAllowing(IPAllowMixin, TestProjectPermissionBase):
+class TestIPAllowing(IPAllowMixin, ProjectPermissionTestBase):
     """Tests for IP allow list permissions with ProjectDetailView"""
 
     def setUp(self):
@@ -2520,7 +2520,7 @@ def test_get_remote_addr_not_in_list_network(self):
 
 @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
 class TestIPAllowingTargetSite(
-    IPAllowMixin, RemoteSiteMixin, RemoteProjectMixin, TestProjectPermissionBase
+    IPAllowMixin, RemoteSiteMixin, RemoteProjectMixin, ProjectPermissionTestBase
 ):
     """Tests for IP allow list permissions on target site"""
 
diff --git a/projectroles/tests/test_permissions_ajax.py b/projectroles/tests/test_permissions_ajax.py
index 3f936301..b9c14d73 100644
--- a/projectroles/tests/test_permissions_ajax.py
+++ b/projectroles/tests/test_permissions_ajax.py
@@ -4,8 +4,8 @@
 from django.urls import reverse
 
 from projectroles.models import SODAR_CONSTANTS
-from projectroles.tests.test_permissions import TestProjectPermissionBase
-
+from projectroles.tests.test_models import RemoteSiteMixin, RemoteProjectMixin
+from projectroles.tests.test_permissions import ProjectPermissionTestBase
 
 # SODAR constants
 PROJECT_ROLE_OWNER = SODAR_CONSTANTS['PROJECT_ROLE_OWNER']
@@ -14,9 +14,11 @@
 PROJECT_ROLE_GUEST = SODAR_CONSTANTS['PROJECT_ROLE_GUEST']
 PROJECT_TYPE_CATEGORY = SODAR_CONSTANTS['PROJECT_TYPE_CATEGORY']
 PROJECT_TYPE_PROJECT = SODAR_CONSTANTS['PROJECT_TYPE_PROJECT']
+SITE_MODE_TARGET = SODAR_CONSTANTS['SITE_MODE_TARGET']
+REMOTE_LEVEL_READ_ROLES = SODAR_CONSTANTS['REMOTE_LEVEL_READ_ROLES']
 
 
-class TestProjectListAjaxViews(TestProjectPermissionBase):
+class TestProjectListAjaxViews(ProjectPermissionTestBase):
     """Tests for project list Ajax view permissions"""
 
     def test_get_project_list(self):
@@ -169,7 +171,7 @@ def test_get_project_list_role_anon(self):
         )
 
 
-class TestProjectStarringAjaxView(TestProjectPermissionBase):
+class TestProjectStarringAjaxView(ProjectPermissionTestBase):
     """Tests for ProjectStarringAjaxView permissions"""
 
     def setUp(self):
@@ -237,7 +239,185 @@ def test_get_category_anon(self):
         self.assert_response(self.url_cat, self.anonymous, 401, method='POST')
 
 
-class TestUserAjaxViews(TestProjectPermissionBase):
+class TestRemoteProjectAccessAjaxView(
+    RemoteSiteMixin, RemoteProjectMixin, ProjectPermissionTestBase
+):
+    """Tests for RemoteProjectAccessAjaxView permissions"""
+
+    def setUp(self):
+        super().setUp()
+        self.remote_site = self.make_site(
+            name='RemoteSite',
+            url='https://remote.site',
+            mode=SITE_MODE_TARGET,
+        )
+        self.remote_project = self.make_remote_project(
+            project_uuid=self.project.sodar_uuid,
+            site=self.remote_site,
+            level=REMOTE_LEVEL_READ_ROLES,
+            project=self.project,
+        )
+        self.url = reverse(
+            'projectroles:ajax_remote_access',
+            kwargs={'project': self.project.sodar_uuid},
+        ) + '?rp={}'.format(self.remote_project.sodar_uuid)
+
+    def test_get(self):
+        """Test RemoteProjectAccessAjaxView GET"""
+        good_users = [
+            self.superuser,
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_guest_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_contributor,
+            self.user_guest,
+        ]
+        bad_users = [self.user_finder_cat, self.user_no_roles, self.anonymous]
+        self.assert_response(self.url, good_users, 200)
+        self.assert_response(self.url, bad_users, 403)
+        self.project.set_public()
+        self.assert_response(self.url, self.user_no_roles, 200)
+
+    @override_settings(PROJECTROLES_ALLOW_ANONYMOUS=True)
+    def test_get_anon(self):
+        """Test GET with anonymous access"""
+        self.project.set_public()
+        self.assert_response(self.url, self.anonymous, 200)
+
+    def test_get_archive(self):
+        """Test GET with archived project"""
+        self.project.set_archive()
+        good_users = [
+            self.superuser,
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_guest_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_contributor,
+            self.user_guest,
+        ]
+        bad_users = [self.user_finder_cat, self.user_no_roles, self.anonymous]
+        self.assert_response(self.url, good_users, 200)
+        self.assert_response(self.url, bad_users, 403)
+
+
+class TestSidebarContentAjaxView(ProjectPermissionTestBase):
+    """Tests for SidebarContentAjaxView permissions"""
+
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            'projectroles:ajax_sidebar',
+            kwargs={'project': self.project.sodar_uuid},
+        )
+        self.url_cat = reverse(
+            'projectroles:ajax_sidebar',
+            kwargs={'project': self.category.sodar_uuid},
+        )
+
+    def test_get(self):
+        """Test SidebarContentAjaxView GET"""
+        good_users = [
+            self.superuser,
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_guest_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_contributor,
+            self.user_guest,
+        ]
+        bad_users = [self.user_finder_cat, self.user_no_roles, self.anonymous]
+        self.assert_response(self.url, good_users, 200)
+        self.assert_response(self.url, bad_users, 403)
+        self.project.set_public()
+        self.assert_response(self.url, self.user_no_roles, 200)
+
+    @override_settings(PROJECTROLES_ALLOW_ANONYMOUS=True)
+    def test_get_anon(self):
+        """Test GET with anonymous access"""
+        self.project.set_public()
+        self.assert_response(self.url, self.anonymous, 200)
+
+    def test_get_archive(self):
+        """Test GET with archived project"""
+        self.project.set_archive()
+        good_users = [
+            self.superuser,
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_guest_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_contributor,
+            self.user_guest,
+        ]
+        bad_users = [self.user_finder_cat, self.user_no_roles, self.anonymous]
+        self.assert_response(self.url, good_users, 200)
+        self.assert_response(self.url, bad_users, 403)
+
+    def test_get_category(self):
+        """Test GET with category"""
+        good_users = [
+            self.superuser,
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_guest_cat,
+            self.user_finder_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_contributor,
+            self.user_guest,
+        ]
+        bad_users = [self.user_no_roles, self.anonymous]
+        self.assert_response(self.url_cat, good_users, 200)
+        self.assert_response(self.url_cat, bad_users, 403)
+        self.project.set_public()
+        self.assert_response(self.url_cat, self.user_no_roles, 200)
+
+    @override_settings(PROJECTROLES_ALLOW_ANONYMOUS=True)
+    def test_get_category_anon(self):
+        """Test GET with category and anonymous access"""
+        self.project.set_public()
+        self.assert_response(self.url_cat, self.anonymous, 200)
+
+
+class TestUserDropdownContentAjaxView(ProjectPermissionTestBase):
+    """Tests for UserDropdownContentAjaxView permissions"""
+
+    def setUp(self):
+        super().setUp()
+        self.url = reverse('projectroles:ajax_user_dropdown')
+
+    def test_get(self):
+        """Test UserDropdownContentAjaxView GET"""
+        good_users = [
+            self.superuser,
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_guest_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_contributor,
+            self.user_guest,
+            self.user_finder_cat,
+            self.user_no_roles,
+        ]
+        bad_users = [self.anonymous]
+        self.assert_response(self.url, good_users, 200)
+        self.assert_response(self.url, bad_users, 403)
+
+
+class TestUserAjaxViews(ProjectPermissionTestBase):
     """Tests for user Ajax view permissions"""
 
     def test_get_current_user(self):
diff --git a/projectroles/tests/test_permissions_api.py b/projectroles/tests/test_permissions_api.py
index 01a31122..c82f8386 100644
--- a/projectroles/tests/test_permissions_api.py
+++ b/projectroles/tests/test_permissions_api.py
@@ -11,9 +11,12 @@
     ProjectInvite,
     SODAR_CONSTANTS,
 )
-from projectroles.tests.test_permissions import TestProjectPermissionBase
+from projectroles.tests.test_permissions import ProjectPermissionTestBase
 from projectroles.tests.test_views_api import SODARAPIViewTestMixin
-from projectroles.views_api import CORE_API_MEDIA_TYPE, CORE_API_DEFAULT_VERSION
+from projectroles.views_api import (
+    PROJECTROLES_API_MEDIA_TYPE,
+    PROJECTROLES_API_DEFAULT_VERSION,
+)
 
 from rest_framework.test import APITestCase
 
@@ -103,27 +106,23 @@ def _send_request():
                 cleanup_method(**cleanup_kwargs)
 
 
-class TestProjectAPIPermissionBase(
-    SODARAPIPermissionTestMixin, APITestCase, TestProjectPermissionBase
+class ProjectAPIPermissionTestBase(
+    SODARAPIPermissionTestMixin, APITestCase, ProjectPermissionTestBase
 ):
     """Base class for testing project permissions in SODAR API views"""
 
 
-class TestCoreProjectAPIPermissionBase(
-    SODARAPIPermissionTestMixin, APITestCase, TestProjectPermissionBase
-):
-    """
-    Base class for testing project permissions in internal SODAR Core API views
-    """
+class ProjectrolesAPIPermissionTestBase(ProjectAPIPermissionTestBase):
+    """Base class for testing projectroles app REST API view permissions"""
 
-    media_type = CORE_API_MEDIA_TYPE
-    api_version = CORE_API_DEFAULT_VERSION
+    media_type = PROJECTROLES_API_MEDIA_TYPE
+    api_version = PROJECTROLES_API_DEFAULT_VERSION
 
 
 # Tests ------------------------------------------------------------------------
 
 
-class TestProjectListAPIView(TestCoreProjectAPIPermissionBase):
+class TestProjectListAPIView(ProjectrolesAPIPermissionTestBase):
     """Tests for ProjectListAPIView permissions"""
 
     def test_get(self):
@@ -147,7 +146,7 @@ def test_get(self):
         self.assert_response_api(url, good_users, 200, knox=True)
 
 
-class TestProjectRetrieveAPIView(TestCoreProjectAPIPermissionBase):
+class TestProjectRetrieveAPIView(ProjectrolesAPIPermissionTestBase):
     """Tests for ProjectRetrieveAPIView permissions"""
 
     def setUp(self):
@@ -209,7 +208,7 @@ def test_get_archive(self):
         self.assert_response_api(self.url, self.user_no_roles, 200)
 
 
-class TestProjectCreateAPIView(TestCoreProjectAPIPermissionBase):
+class TestProjectCreateAPIView(ProjectrolesAPIPermissionTestBase):
     """Tests for ProjectCreateAPIView permissions"""
 
     def _cleanup(self):
@@ -372,7 +371,7 @@ def test_post_parent_anon(self):
         )
 
 
-class TestProjectUpdateAPIView(TestCoreProjectAPIPermissionBase):
+class TestProjectUpdateAPIView(ProjectrolesAPIPermissionTestBase):
     """Tests for ProjectUpdateAPIView permissions"""
 
     def setUp(self):
@@ -493,7 +492,7 @@ def test_put_archive(self):
         )
 
 
-class TestRoleAssignmentCreateAPIView(TestCoreProjectAPIPermissionBase):
+class TestRoleAssignmentCreateAPIView(ProjectrolesAPIPermissionTestBase):
     """Tests for RoleAssignmentCreateAPIView permissions"""
 
     def _cleanup(self):
@@ -639,7 +638,7 @@ def test_post_archive(self):
         )
 
 
-class TestRoleAssignmentUpdateAPIView(TestCoreProjectAPIPermissionBase):
+class TestRoleAssignmentUpdateAPIView(ProjectrolesAPIPermissionTestBase):
     """Tests for RoleAssignmentUpdateAPIView permissions"""
 
     def setUp(self):
@@ -761,7 +760,7 @@ def test_put_archive(self):
         )
 
 
-class TestRoleAssignmentDestroyAPIView(TestCoreProjectAPIPermissionBase):
+class TestRoleAssignmentDestroyAPIView(ProjectrolesAPIPermissionTestBase):
     """Tests for RoleAssignmentDestroyAPIView permissions"""
 
     def _make_as(self):
@@ -873,7 +872,7 @@ def test_delete_archive(self):
         )
 
 
-class TestRoleAssignmentOwnerTransferAPIView(TestCoreProjectAPIPermissionBase):
+class TestRoleAssignmentOwnerTransferAPIView(ProjectrolesAPIPermissionTestBase):
     """Tests for RoleAssignmentOwnerTransferAPIView permissions"""
 
     def _cleanup(self):
@@ -1023,7 +1022,7 @@ def test_post_archive(self):
         )
 
 
-class TestProjectInviteListAPIView(TestCoreProjectAPIPermissionBase):
+class TestProjectInviteListAPIView(ProjectrolesAPIPermissionTestBase):
     """Tests for ProjectInviteListAPIView permissions"""
 
     def setUp(self):
@@ -1089,7 +1088,7 @@ def test_get_archive(self):
         self.assert_response_api(self.url, self.user_no_roles, 403)
 
 
-class TestProjectInviteCreateAPIView(TestCoreProjectAPIPermissionBase):
+class TestProjectInviteCreateAPIView(ProjectrolesAPIPermissionTestBase):
     """Tests for ProjectInviteCreateAPIView permissions"""
 
     def _cleanup(self):
@@ -1231,7 +1230,7 @@ def test_post_archive(self):
         )
 
 
-class TestProjectInviteRevokeAPIView(TestCoreProjectAPIPermissionBase):
+class TestProjectInviteRevokeAPIView(ProjectrolesAPIPermissionTestBase):
     """Tests for ProjectInviteRevokeAPIView( permissions"""
 
     def _cleanup(self):
@@ -1343,7 +1342,7 @@ def test_post_archive(self):
         )
 
 
-class TestProjectInviteResendAPIView(TestCoreProjectAPIPermissionBase):
+class TestProjectInviteResendAPIView(ProjectrolesAPIPermissionTestBase):
     """Tests for ProjectInviteResendAPIView permissions"""
 
     def setUp(self):
@@ -1437,7 +1436,7 @@ def test_post_archive(self):
         )
 
 
-class TestProjectSettingRetrieveAPIView(TestCoreProjectAPIPermissionBase):
+class TestProjectSettingRetrieveAPIView(ProjectrolesAPIPermissionTestBase):
     """Tests for ProjectSettingRetrieveAPIView permissions"""
 
     def setUp(self):
@@ -1448,7 +1447,7 @@ def setUp(self):
         )
         # GET data for PROJECT setting, others defined within tests
         self.get_data = {
-            'app_name': 'example_project_app',
+            'plugin_name': 'example_project_app',
             'setting_name': 'project_str_setting',
         }
 
@@ -1540,7 +1539,7 @@ def test_get_project_setting_archive(self):
     def test_get_project_user_setting(self):
         """Test GET with PROJECT_USER scope"""
         get_data = {
-            'app_name': 'example_project_app',
+            'plugin_name': 'example_project_app',
             'setting_name': 'project_user_str_setting',
             'user': str(self.user_owner.sodar_uuid),
         }
@@ -1578,7 +1577,7 @@ def test_get_project_user_setting(self):
         )
 
 
-class TestProjectSettingSetAPIView(TestCoreProjectAPIPermissionBase):
+class TestProjectSettingSetAPIView(ProjectrolesAPIPermissionTestBase):
     """Tests for ProjectSettingSetAPIView permissions"""
 
     def setUp(self):
@@ -1589,7 +1588,7 @@ def setUp(self):
         )
         # POST data for PROJECT setting, others defined within tests
         self.post_data = {
-            'app_name': 'example_project_app',
+            'plugin_name': 'example_project_app',
             'setting_name': 'project_str_setting',
             'value': 'value',
         }
@@ -1720,7 +1719,7 @@ def test_post_project_setting_archive(self):
     def test_post_project_user_setting(self):
         """Test POST with PROJECT_USER scope"""
         post_data = {
-            'app_name': 'example_project_app',
+            'plugin_name': 'example_project_app',
             'setting_name': 'project_user_str_setting',
             'value': 'value',
             'user': str(self.user_owner.sodar_uuid),
@@ -1767,14 +1766,14 @@ def test_post_project_user_setting(self):
         )
 
 
-class TestUserSettingRetrieveAPIView(TestCoreProjectAPIPermissionBase):
+class TestUserSettingRetrieveAPIView(ProjectrolesAPIPermissionTestBase):
     """Tests for UserSettingRetrieveAPIView permissions"""
 
     def setUp(self):
         super().setUp()
         self.url = reverse('projectroles:api_user_setting_retrieve')
         self.get_data = {
-            'app_name': 'example_project_app',
+            'plugin_name': 'example_project_app',
             'setting_name': 'user_str_setting',
         }
 
@@ -1813,14 +1812,14 @@ def test_get_anon(self):
         )
 
 
-class TestUserSettingSetAPIView(TestCoreProjectAPIPermissionBase):
+class TestUserSettingSetAPIView(ProjectrolesAPIPermissionTestBase):
     """Tests for UserSettingSetAPIView permissions"""
 
     def setUp(self):
         super().setUp()
         self.url = reverse('projectroles:api_user_setting_set')
         self.post_data = {
-            'app_name': 'example_project_app',
+            'plugin_name': 'example_project_app',
             'setting_name': 'user_str_setting',
             'value': 'value',
         }
@@ -1867,7 +1866,7 @@ def test_post_anon(self):
         )
 
 
-class TestUserListAPIView(TestCoreProjectAPIPermissionBase):
+class TestUserListAPIView(ProjectrolesAPIPermissionTestBase):
     """Tests for UserSettingSetAPIView permissions"""
 
     def setUp(self):
@@ -1899,7 +1898,7 @@ def test_get_anon(self):
         self.assert_response_api(self.url, [self.anonymous], 401)
 
 
-class TestCurrentUserRetrieveAPIView(TestCoreProjectAPIPermissionBase):
+class TestCurrentUserRetrieveAPIView(ProjectrolesAPIPermissionTestBase):
     """Tests for CurrentUserRetrieveAPIView permissions"""
 
     def setUp(self):
diff --git a/projectroles/tests/test_remote_projects_api.py b/projectroles/tests/test_remote_project_api.py
similarity index 84%
rename from projectroles/tests/test_remote_projects_api.py
rename to projectroles/tests/test_remote_project_api.py
index 6848e3a7..de047f9b 100644
--- a/projectroles/tests/test_remote_projects_api.py
+++ b/projectroles/tests/test_remote_project_api.py
@@ -1,4 +1,4 @@
-"""Tests for the remote projects API in the projectroles app"""
+"""Tests for RemoteProjectAPI in the projectroles app"""
 
 import uuid
 
@@ -16,9 +16,11 @@
     RoleAssignment,
     RemoteProject,
     RemoteSite,
+    SODARUserAdditionalEmail,
     SODAR_CONSTANTS,
     AppSetting,
 )
+from projectroles.plugins import get_app_plugin
 from projectroles.remote_projects import RemoteProjectAPI
 from projectroles.tests.test_models import (
     ProjectMixin,
@@ -28,6 +30,8 @@
     RemoteProjectMixin,
     SODARUserMixin,
     AppSettingMixin,
+    SODARUserAdditionalEmailMixin,
+    ADD_EMAIL,
 )
 from projectroles.utils import build_secret
 
@@ -49,6 +53,7 @@
 REMOTE_LEVEL_READ_INFO = SODAR_CONSTANTS['REMOTE_LEVEL_READ_INFO']
 REMOTE_LEVEL_READ_ROLES = SODAR_CONSTANTS['REMOTE_LEVEL_READ_ROLES']
 REMOTE_LEVEL_REVOKED = SODAR_CONSTANTS['REMOTE_LEVEL_REVOKED']
+SYSTEM_USER_GROUP = SODAR_CONSTANTS['SYSTEM_USER_GROUP']
 
 # Local constants
 SOURCE_SITE_NAME = 'Test source site'
@@ -128,9 +133,11 @@
 SET_IP_ALLOWLIST_UUID = str(uuid.uuid4())
 SET_STAR_UUID = str(uuid.uuid4())
 
+EXAMPLE_APP_NAME = 'example_project_app'
 
-class RemoteProjectsAPITestBase(RoleMixin, TestCase):
-    """Base class for remote project API tests"""
+
+class RemoteProjectAPITestBase(RoleMixin, TestCase):
+    """Base class for RemoteProjectAPI tests"""
 
     def assert_app_setting(self, uuid, expected):
         """
@@ -151,6 +158,7 @@ def setUp(self):
         self.init_roles()
 
 
+@override_settings(AUTH_LDAP_USERNAME_DOMAIN=SOURCE_USER_DOMAIN)
 class TestGetSourceData(
     ProjectMixin,
     RoleAssignmentMixin,
@@ -158,7 +166,7 @@ class TestGetSourceData(
     RemoteProjectMixin,
     SODARUserMixin,
     AppSettingMixin,
-    RemoteProjectsAPITestBase,
+    RemoteProjectAPITestBase,
 ):
     """Tests for get_source_data()"""
 
@@ -330,6 +338,7 @@ def test_get_read_info_nested(self):
 
     def test_get_read_roles(self):
         """Test getting data with READ_ROLES level"""
+        self.maxDiff = None
         self.make_remote_project(
             project_uuid=self.project.sodar_uuid,
             site=self.target_site,
@@ -349,7 +358,9 @@ def test_get_read_roles(self):
                     'first_name': self.user_source.first_name,
                     'last_name': self.user_source.last_name,
                     'email': self.user_source.email,
+                    'additional_emails': [],
                     'groups': [SOURCE_USER_GROUP],
+                    'sodar_uuid': str(self.user_source.sodar_uuid),
                 }
             },
             'projects': {
@@ -447,14 +458,14 @@ def test_get_settings(self):
         self.make_assignment(local_project, self.user_source, self.role_owner)
         # Init settings for synced project
         set_ip_restrict = self.make_setting(
-            app_name='projectroles',
+            plugin_name='projectroles',
             name='ip_restrict',
             setting_type='BOOLEAN',
             value=True,
             project=self.project,
         )
         set_ip_allowlist = self.make_setting(
-            app_name='projectroles',
+            plugin_name='projectroles',
             name='ip_allowlist',
             setting_type='JSON',
             value=None,
@@ -462,7 +473,7 @@ def test_get_settings(self):
             project=self.project,
         )
         set_star = self.make_setting(
-            app_name='projectroles',
+            plugin_name='projectroles',
             name='project_star',
             setting_type='BOOLEAN',
             value=True,
@@ -471,7 +482,7 @@ def test_get_settings(self):
         )
         # Init setting for local project (should not be synced)
         set_local = self.make_setting(
-            app_name='projectroles',
+            plugin_name='projectroles',
             name='project_star',
             setting_type='BOOLEAN',
             value=True,
@@ -492,7 +503,7 @@ def test_get_settings(self):
             'project_uuid': str(self.project.sodar_uuid),
             'user_uuid': None,
             'user_name': None,
-            'local': False,
+            'global': True,
         }
         self.assertEqual(set_data, expected)
         set_data = sync_data['app_settings'][str(set_ip_allowlist.sodar_uuid)]
@@ -505,7 +516,7 @@ def test_get_settings(self):
             'project_uuid': str(self.project.sodar_uuid),
             'user_uuid': None,
             'user_name': None,
-            'local': False,
+            'global': True,
         }
         self.assertEqual(set_data, expected)
         set_data = sync_data['app_settings'][str(set_star.sodar_uuid)]
@@ -518,44 +529,64 @@ def test_get_settings(self):
             'project_uuid': str(self.project.sodar_uuid),
             'user_uuid': str(self.user_source.sodar_uuid),
             'user_name': self.user_source.username,
-            'local': True,
+            'global': False,
         }
         self.assertEqual(set_data, expected)
 
-    def test_get_settings_legacy(self):
-        """Test getting data with legacy SODAR Core version"""
-        # See issue #1355
-        self.make_remote_project(
-            project_uuid=self.project.sodar_uuid,
-            site=self.target_site,
-            level=REMOTE_LEVEL_READ_ROLES,
-        )
-        set_star = self.make_setting(
-            app_name='projectroles',
-            name='project_star',
+    def test_get_settings_user(self):
+        """Test getting user app settings"""
+        user_global_setting = self.make_setting(
+            plugin_name='projectroles',
+            name='notify_email_project',
             setting_type='BOOLEAN',
-            value=True,
-            project=self.project,
+            value=False,
+            user=self.user_source,
+        )
+        user_local_setting = self.make_setting(
+            plugin_name=EXAMPLE_APP_NAME,
+            name='user_str_setting',
+            setting_type='STRING',
+            value='Local value',
             user=self.user_source,
         )
-        sync_data = self.remote_api.get_source_data(
-            self.target_site, req_version='0.13.2'
+        self.assertEqual(
+            AppSetting.objects.filter(project=None).exclude(user=None).count(),
+            2,
         )
+        sync_data = self.remote_api.get_source_data(self.target_site)
 
-        self.assertEqual(len(sync_data['app_settings']), 1)
-        set_data = sync_data['app_settings'][str(set_star.sodar_uuid)]
+        # NOTE: Local setting should also be included
+        self.assertEqual(len(sync_data['app_settings']), 2)
         expected = {
-            'name': set_star.name,
-            'type': set_star.type,
-            'value': '1',
+            'name': 'notify_email_project',
+            'type': 'BOOLEAN',
+            'value': '0',
             'value_json': {},
             'app_plugin': None,
-            'project_uuid': str(self.project.sodar_uuid),
+            'project_uuid': None,
             'user_uuid': str(self.user_source.sodar_uuid),
-            'local': True,
+            'user_name': SOURCE_USER_USERNAME,
+            'global': True,
         }
-        self.assertEqual(set_data, expected)
-        self.assertNotIn('user_name', set_data)  # No user_name here
+        self.assertEqual(
+            sync_data['app_settings'][str(user_global_setting.sodar_uuid)],
+            expected,
+        )
+        expected = {
+            'name': 'user_str_setting',
+            'type': 'STRING',
+            'value': 'Local value',
+            'value_json': {},
+            'app_plugin': EXAMPLE_APP_NAME,
+            'project_uuid': None,
+            'user_uuid': str(self.user_source.sodar_uuid),
+            'user_name': SOURCE_USER_USERNAME,
+            'global': False,
+        }
+        self.assertEqual(
+            sync_data['app_settings'][str(user_local_setting.sodar_uuid)],
+            expected,
+        )
 
     def test_get_revoked(self):
         """Test getting data with REVOKED level"""
@@ -580,7 +611,9 @@ def test_get_revoked(self):
                     'first_name': self.user_source.first_name,
                     'last_name': self.user_source.last_name,
                     'email': self.user_source.email,
+                    'additional_emails': [],
                     'groups': [SOURCE_USER_GROUP],
+                    'sodar_uuid': str(self.user_source.sodar_uuid),
                 }
             },
             'projects': {
@@ -633,7 +666,7 @@ class SyncRemoteDataTestBase(
     RemoteProjectMixin,
     SODARUserMixin,
     AppSettingMixin,
-    RemoteProjectsAPITestBase,
+    RemoteProjectAPITestBase,
 ):
     """Base class for tests for sync_remote_data()"""
 
@@ -664,6 +697,7 @@ def setUp(self):
                     'first_name': SOURCE_USER_FIRST_NAME,
                     'last_name': SOURCE_USER_LAST_NAME,
                     'email': SOURCE_USER_EMAIL,
+                    'additional_emails': [],
                     'groups': [SOURCE_USER_GROUP],
                 },
             },
@@ -715,7 +749,7 @@ def setUp(self):
                     'app_plugin': None,  # None is for 'projectroles' app
                     'project_uuid': SOURCE_PROJECT_UUID,
                     'user_uuid': None,
-                    'local': False,
+                    'global': True,
                 },
                 SET_IP_ALLOWLIST_UUID: {
                     'name': 'ip_allowlist',
@@ -725,7 +759,7 @@ def setUp(self):
                     'app_plugin': None,  # None is for 'projectroles' app
                     'project_uuid': SOURCE_PROJECT_UUID,
                     'user_uuid': None,
-                    'local': False,
+                    'global': True,
                 },
                 SET_STAR_UUID: {
                     'name': 'project_star',
@@ -736,7 +770,7 @@ def setUp(self):
                     'project_uuid': SOURCE_PROJECT_UUID,
                     'user_uuid': SOURCE_USER_UUID,
                     'user_name': SOURCE_USER_USERNAME,
-                    'local': True,
+                    'global': False,
                 },
             },
         }
@@ -763,6 +797,7 @@ def test_create(self):
                     'first_name': SOURCE_USER2_FIRST_NAME,
                     'last_name': SOURCE_USER2_LAST_NAME,
                     'email': SOURCE_USER2_EMAIL,
+                    'additional_emails': [],
                     'groups': [SOURCE_USER2_GROUP],
                 },
                 SOURCE_USER3_UUID: {
@@ -772,6 +807,7 @@ def test_create(self):
                     'first_name': SOURCE_USER3_FIRST_NAME,
                     'last_name': SOURCE_USER3_LAST_NAME,
                     'email': SOURCE_USER3_EMAIL,
+                    'additional_emails': [],
                     'groups': [SOURCE_USER3_GROUP],
                 },
                 SOURCE_USER4_UUID: {
@@ -781,6 +817,7 @@ def test_create(self):
                     'first_name': SOURCE_USER4_FIRST_NAME,
                     'last_name': SOURCE_USER4_LAST_NAME,
                     'email': SOURCE_USER4_EMAIL,
+                    'additional_emails': [],
                     'groups': [SOURCE_USER4_GROUP],
                 },
             }
@@ -998,6 +1035,7 @@ def test_create(self):
             'secret': None,
             'sodar_uuid': uuid.UUID(PEER_SITE_UUID),
             'user_display': PEER_SITE_USER_DISPLAY,
+            'owner_modifiable': True,
         }
         peer_site_dict = model_to_dict(peer_site_obj)
         peer_site_dict.pop('id')
@@ -1088,12 +1126,11 @@ def test_create(self):
         expected['app_settings'][SET_STAR_UUID]['status'] = 'created'
         self.assertEqual(self.default_data, expected)
 
-    # TODO: Update once local settings updating is fixed
     def test_create_app_setting_local(self):
         """Test sync with local app setting"""
         remote_data = self.default_data
-        remote_data['app_settings'][SET_IP_RESTRICT_UUID]['local'] = True
-        remote_data['app_settings'][SET_IP_ALLOWLIST_UUID]['local'] = True
+        remote_data['app_settings'][SET_IP_RESTRICT_UUID]['global'] = False
+        remote_data['app_settings'][SET_IP_ALLOWLIST_UUID]['global'] = False
         expected = deepcopy(remote_data)
         self.remote_api.sync_remote_data(self.source_site, remote_data)
 
@@ -1204,6 +1241,7 @@ def test_create_local_owner(self):
 
         remote_data = self.default_data
         remote_data['users'][SOURCE_USER_UUID]['username'] = 'source_admin'
+        remote_data['users'][SOURCE_USER_UUID]['groups'] = [SYSTEM_USER_GROUP]
         remote_data['projects'][SOURCE_CATEGORY_UUID]['roles'][
             SOURCE_CATEGORY_ROLE_UUID
         ]['user'] = 'source_admin'
@@ -1258,6 +1296,8 @@ def test_create_inherited(self):
             'name': 'Some Name',
             'first_name': 'Some',
             'last_name': 'Name',
+            'email': 'some@example.com',
+            'additional_emails': [],
             'groups': [SOURCE_USER_GROUP],
         }
         remote_data['projects'][SOURCE_CATEGORY_UUID]['roles'][
@@ -1306,12 +1346,14 @@ def test_create_local_user(self):
             'first_name': SOURCE_USER_FIRST_NAME,
             'last_name': SOURCE_USER_LAST_NAME,
             'email': SOURCE_USER_EMAIL,
-            'groups': ['system'],
+            'additional_emails': [],
+            'groups': [SYSTEM_USER_GROUP],
         }
         remote_data['projects'][SOURCE_PROJECT_UUID]['roles'][role_uuid] = {
             'user': local_user_username,
             'role': self.role_contributor.name,
         }
+        self.assertEqual(User.objects.all().count(), 1)
         self.remote_api.sync_remote_data(self.source_site, remote_data)
 
         # Assert database status (the new user and role should not be created)
@@ -1321,7 +1363,6 @@ def test_create_local_user(self):
         self.assertEqual(RemoteProject.objects.all().count(), 3)
         self.assertEqual(RemoteSite.objects.all().count(), 2)
 
-    @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
     @override_settings(PROJECTROLES_ALLOW_LOCAL_USERS=True)
     def test_create_local_user_allow(self):
         """Test sync with local user with local users allowed"""
@@ -1329,7 +1370,6 @@ def test_create_local_user_allow(self):
         local_user_uuid = str(uuid.uuid4())
         role_uuid = str(uuid.uuid4())
         remote_data = self.default_data
-        # Create user on target site
         self.make_user(local_user_username)
         remote_data['users'][local_user_uuid] = {
             'sodar_uuid': local_user_uuid,
@@ -1338,12 +1378,14 @@ def test_create_local_user_allow(self):
             'first_name': SOURCE_USER_FIRST_NAME,
             'last_name': SOURCE_USER_LAST_NAME,
             'email': SOURCE_USER_EMAIL,
-            'groups': ['system'],
+            'additional_emails': [],
+            'groups': [SYSTEM_USER_GROUP],
         }
         remote_data['projects'][SOURCE_PROJECT_UUID]['roles'][role_uuid] = {
             'user': local_user_username,
             'role': self.role_contributor.name,
         }
+        self.assertEqual(User.objects.all().count(), 2)
         self.remote_api.sync_remote_data(self.source_site, remote_data)
 
         self.assertEqual(Project.objects.all().count(), 2)
@@ -1366,7 +1408,8 @@ def test_create_local_user_allow_unavailable(self):
             'first_name': SOURCE_USER_FIRST_NAME,
             'last_name': SOURCE_USER_LAST_NAME,
             'email': SOURCE_USER_EMAIL,
-            'groups': ['system'],
+            'additional_emails': [],
+            'groups': [SYSTEM_USER_GROUP],
         }
         remote_data['projects'][SOURCE_PROJECT_UUID]['roles'][role_uuid] = {
             'user': local_user_username,
@@ -1396,7 +1439,8 @@ def test_create_local_owner_allow(self):
             'first_name': SOURCE_USER_FIRST_NAME,
             'last_name': SOURCE_USER_LAST_NAME,
             'email': SOURCE_USER_EMAIL,
-            'groups': ['system'],
+            'additional_emails': [],
+            'groups': [SYSTEM_USER_GROUP],
         }
         remote_data['projects'][SOURCE_PROJECT_UUID]['roles'] = {
             role_uuid: {
@@ -1430,7 +1474,8 @@ def test_create_local_owner_allow_unavailable(self):
             'first_name': SOURCE_USER_FIRST_NAME,
             'last_name': SOURCE_USER_LAST_NAME,
             'email': SOURCE_USER_EMAIL,
-            'groups': ['system'],
+            'additional_emails': [],
+            'groups': [SYSTEM_USER_GROUP],
         }
         remote_data['projects'][SOURCE_PROJECT_UUID]['roles'] = {
             role_uuid: {
@@ -1448,9 +1493,101 @@ def test_create_local_owner_allow_unavailable(self):
         new_project = Project.objects.get(sodar_uuid=SOURCE_PROJECT_UUID)
         self.assertEqual(new_project.get_owner().user, self.admin_user)
 
+    def test_create_settings_user(self):
+        """Test sync with USER scope settings"""
+        self.assertEqual(AppSetting.objects.count(), 0)
+        remote_data = self.default_data
+        global_set_uuid = str(uuid.uuid4())
+        local_set_uuid = str(uuid.uuid4())
+        remote_data['app_settings'][global_set_uuid] = {
+            'name': 'notify_email_project',
+            'type': 'BOOLEAN',
+            'value': '0',
+            'value_json': {},
+            'app_plugin': None,
+            'project_uuid': None,
+            'user_uuid': SOURCE_USER_UUID,
+            'user_name': SOURCE_USER_USERNAME,
+            'global': True,
+        }
+        remote_data['app_settings'][local_set_uuid] = {
+            'name': 'user_str_setting',
+            'type': 'STRING',
+            'value': 'Local value',
+            'value_json': {},
+            'app_plugin': EXAMPLE_APP_NAME,
+            'project_uuid': None,
+            'user_uuid': SOURCE_USER_UUID,
+            'user_name': SOURCE_USER_USERNAME,
+            'global': False,
+        }
+
+        self.remote_api.sync_remote_data(self.source_site, remote_data)
+        self.assertEqual(AppSetting.objects.count(), 5)
+        target_user = User.objects.get(username=SOURCE_USER_USERNAME)
+
+        obj = AppSetting.objects.get(
+            app_plugin=None, name='notify_email_project'
+        )
+        expected = {
+            'id': obj.pk,
+            'app_plugin': None,
+            'project': None,
+            'name': 'notify_email_project',
+            'type': 'BOOLEAN',
+            'user': target_user.pk,
+            'value': '0',
+            'value_json': {},
+            'user_modifiable': True,
+            'sodar_uuid': obj.sodar_uuid,
+        }
+        self.assertEqual(model_to_dict(obj), expected)
+        app_plugin = get_app_plugin(EXAMPLE_APP_NAME).get_model()
+
+        obj = AppSetting.objects.get(
+            app_plugin=app_plugin, name='user_str_setting'
+        )
+        expected = {
+            'id': obj.pk,
+            'app_plugin': app_plugin.pk,
+            'project': None,
+            'name': 'user_str_setting',
+            'type': 'STRING',
+            'user': target_user.pk,
+            'value': 'Local value',
+            'value_json': {},
+            'user_modifiable': True,
+            'sodar_uuid': obj.sodar_uuid,
+        }
+        self.assertEqual(model_to_dict(obj), expected)
+        # Assert sync data
+        self.assertEqual(
+            remote_data['app_settings'][global_set_uuid]['status'], 'created'
+        )
+        self.assertEqual(
+            remote_data['app_settings'][local_set_uuid]['status'], 'created'
+        )
+
+    def test_create_user_add_email(self):
+        """Test sync with additional email on user"""
+        self.assertEqual(SODARUserAdditionalEmail.objects.count(), 0)
+        remote_data = self.default_data
+        remote_data['users'][SOURCE_USER_UUID]['additional_emails'] = [
+            ADD_EMAIL
+        ]
+        self.remote_api.sync_remote_data(self.source_site, remote_data)
+        self.assertEqual(SODARUserAdditionalEmail.objects.count(), 1)
+        email = SODARUserAdditionalEmail.objects.first()
+        target_user = User.objects.get(sodar_uuid=SOURCE_USER_UUID)
+        self.assertEqual(email.user, target_user)
+        self.assertEqual(email.email, ADD_EMAIL)
+        self.assertEqual(email.verified, True)
+
 
 @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
-class TestSyncRemoteDataUpdate(SyncRemoteDataTestBase):
+class TestSyncRemoteDataUpdate(
+    SODARUserAdditionalEmailMixin, SyncRemoteDataTestBase
+):
     """Tests for project updating with sync_remote_data()"""
 
     def setUp(self):
@@ -1480,6 +1617,7 @@ def setUp(self):
             first_name='NewFirstName',
             last_name='NewLastName',
             email='newemail@example.com',
+            sodar_uuid=SOURCE_USER_UUID,
         )
         self.c_owner_obj = self.make_assignment(
             self.category_obj, self.user_target, self.role_owner
@@ -1523,7 +1661,7 @@ def setUp(self):
 
         # Init app settings
         self.make_setting(
-            app_name='projectroles',
+            plugin_name='projectroles',
             name='ip_restrict',
             setting_type='BOOLEAN',
             value=False,
@@ -1531,7 +1669,7 @@ def setUp(self):
             sodar_uuid=SET_IP_RESTRICT_UUID,
         )
         self.make_setting(
-            app_name='projectroles',
+            plugin_name='projectroles',
             name='ip_allowlist',
             setting_type='JSON',
             value=None,
@@ -1540,7 +1678,7 @@ def setUp(self):
             sodar_uuid=SET_IP_ALLOWLIST_UUID,
         )
         self.make_setting(
-            app_name='projectroles',
+            plugin_name='projectroles',
             name='project_star',
             setting_type='BOOLEAN',
             value=False,
@@ -1576,6 +1714,8 @@ def test_update(self):
             'name': 'Some Name',
             'first_name': 'Some',
             'last_name': 'Name',
+            'email': 'some@example.com',
+            'additional_emails': [],
             'groups': [SOURCE_USER_GROUP],
         }
         remote_data['projects'][SOURCE_PROJECT_UUID]['roles'][new_role_uuid] = {
@@ -1710,6 +1850,7 @@ def test_update(self):
             'description': NEW_PEER_DESC,
             'secret': None,
             'user_display': NEW_PEER_USER_DISPLAY,
+            'owner_modifiable': True,
         }
         peer_site_dict = model_to_dict(peer_site_obj)
         peer_site_dict.pop('id')
@@ -1783,6 +1924,75 @@ def test_update(self):
         expected['app_settings'][SET_STAR_UUID]['status'] = 'skipped'
         self.assertEqual(remote_data, expected)
 
+    def test_update_user_uuid_ldap(self):
+        """Test sync with legacy UUID for LDAP user"""
+        # Set different UUID for target user
+        target_uuid = str(uuid.uuid4())
+        self.assertNotEqual(SOURCE_USER_UUID, target_uuid)
+        self.user_target.sodar_uuid = target_uuid
+        self.user_target.save()
+        self.assertEqual(User.objects.all().count(), 2)
+        self.remote_api.sync_remote_data(self.source_site, self.default_data)
+        self.assertEqual(User.objects.all().count(), 2)
+        self.user_target.refresh_from_db()
+        self.assertEqual(str(self.user_target.sodar_uuid), SOURCE_USER_UUID)
+
+    @override_settings(PROJECTROLES_ALLOW_LOCAL_USERS=True)
+    def test_update_user_uuid_local_allow(self):
+        """Test sync with legacy UUID for local user with local users allowed"""
+        local_username = 'localusername'
+        local_name = 'Local User'
+        user_local = self.make_user(local_username)
+        local_uuid_target = str(user_local.sodar_uuid)
+        local_uuid_source = str(uuid.uuid4())
+        self.assertNotEqual(local_uuid_target, local_uuid_source)
+        self.assertNotEqual(user_local.name, local_name)
+        remote_data = self.default_data
+        remote_data['users'][local_uuid_source] = {
+            'username': local_username,
+            'name': local_name,
+            'first_name': local_name.split(' ')[0],
+            'last_name': local_name.split(' ')[1],
+            'email': 'some@example.com',
+            'additional_emails': [],
+            'groups': [SOURCE_USER_GROUP],
+        }
+        self.assertEqual(User.objects.all().count(), 3)
+        self.remote_api.sync_remote_data(self.source_site, remote_data)
+        self.assertEqual(User.objects.all().count(), 3)
+        user_local.refresh_from_db()
+        self.assertEqual(str(user_local.sodar_uuid), local_uuid_source)
+        self.assertEqual(user_local.name, local_name)
+        self.assertEqual(user_local.first_name, local_name.split(' ')[0])
+        self.assertEqual(user_local.last_name, local_name.split(' ')[1])
+
+    @override_settings(PROJECTROLES_ALLOW_LOCAL_USERS=False)
+    def test_update_user_uuid_local_disallow(self):
+        """Test sync with legacy UUID for local user with local users disallowed (should fail)"""
+        local_username = 'localusername'
+        local_name = 'Local User'
+        user_local = self.make_user(local_username)
+        local_uuid_target = str(user_local.sodar_uuid)
+        local_uuid_source = str(uuid.uuid4())  # Source UUID
+        self.assertNotEqual(local_uuid_target, local_uuid_source)
+        self.assertNotEqual(user_local.name, local_name)
+        remote_data = self.default_data
+        remote_data['users'][local_uuid_source] = {
+            'username': local_username,
+            'name': local_name,
+            'first_name': local_name.split(' ')[0],
+            'last_name': local_name.split(' ')[1],
+            'email': 'some@example.com',
+            'additional_emails': [],
+            'groups': [SYSTEM_USER_GROUP],
+        }
+        self.assertEqual(User.objects.all().count(), 3)
+        self.remote_api.sync_remote_data(self.source_site, remote_data)
+        self.assertEqual(User.objects.all().count(), 3)
+        user_local.refresh_from_db()
+        self.assertEqual(str(user_local.sodar_uuid), local_uuid_target)
+        self.assertNotEqual(user_local.name, local_name)
+
     def test_update_inherited(self):
         """Test sync with existing project data and inherited contributor"""
         self.assertEqual(User.objects.all().count(), 2)
@@ -1797,6 +2007,8 @@ def test_update_inherited(self):
             'name': 'Some Name',
             'first_name': 'Some',
             'last_name': 'Name',
+            'email': 'some@example.com',
+            'additional_emails': [],
             'groups': [SOURCE_USER_GROUP],
         }
         remote_data['projects'][SOURCE_CATEGORY_UUID]['roles'][
@@ -1813,11 +2025,11 @@ def test_update_inherited(self):
             self.role_contributor,
         )
 
-    def test_update_app_settings_local(self):
+    def test_update_settings_local(self):
         """Test update with local app settings (should not be updated)"""
         remote_data = self.default_data
-        remote_data['app_settings'][SET_IP_RESTRICT_UUID]['local'] = True
-        remote_data['app_settings'][SET_IP_ALLOWLIST_UUID]['local'] = True
+        remote_data['app_settings'][SET_IP_RESTRICT_UUID]['global'] = False
+        remote_data['app_settings'][SET_IP_ALLOWLIST_UUID]['global'] = False
         remote_data['app_settings'][SET_IP_RESTRICT_UUID]['value'] = True
         remote_data['app_settings'][SET_IP_ALLOWLIST_UUID]['value_json'] = [
             '192.168.1.1'
@@ -1867,7 +2079,7 @@ def test_update_app_settings_local(self):
         og_data['app_settings'][SET_STAR_UUID]['status'] = 'skipped'
         self.assertEqual(remote_data, og_data)
 
-    def test_update_app_setting_no_app(self):
+    def test_update_settings_no_app(self):
         """Test update with app setting for app not present on target site"""
         self.assertEqual(AppSetting.objects.count(), 3)
         remote_data = self.default_data
@@ -1882,12 +2094,73 @@ def test_update_app_setting_no_app(self):
             'app_plugin': 'NOT_A_VALID_APP',
             'project_uuid': SOURCE_PROJECT_UUID,
             'user_uuid': None,
-            'local': False,
+            'global': True,
         }
         self.remote_api.sync_remote_data(self.source_site, remote_data)
         # Make sure setting was not set
         self.assertIsNone(AppSetting.objects.filter(name=setting_name).first())
 
+    def test_update_settings_user(self):
+        """Test update with USER scope settings"""
+        # Create target settings
+        target_global_setting = self.make_setting(
+            plugin_name='projectroles',
+            name='notify_email_project',
+            setting_type='BOOLEAN',
+            value=True,
+            user=self.user_target,
+        )
+        target_local_setting = self.make_setting(
+            plugin_name=EXAMPLE_APP_NAME,
+            name='user_str_setting',
+            setting_type='STRING',
+            value='Target value',
+            user=self.user_target,
+        )
+        self.assertEqual(AppSetting.objects.count(), 5)
+
+        remote_data = self.default_data
+        global_set_uuid = str(uuid.uuid4())
+        local_set_uuid = str(uuid.uuid4())
+        remote_data['app_settings'][global_set_uuid] = {
+            'name': 'notify_email_project',
+            'type': 'BOOLEAN',
+            'value': '0',
+            'value_json': {},
+            'app_plugin': None,
+            'project_uuid': None,
+            'user_uuid': SOURCE_USER_UUID,
+            'user_name': SOURCE_USER_USERNAME,
+            'global': True,
+        }
+        remote_data['app_settings'][local_set_uuid] = {
+            'name': 'user_str_setting',
+            'type': 'STRING',
+            'value': 'Source value',
+            'value_json': {},
+            'app_plugin': EXAMPLE_APP_NAME,
+            'project_uuid': None,
+            'user_uuid': SOURCE_USER_UUID,
+            'user_name': SOURCE_USER_USERNAME,
+            'global': False,
+        }
+        self.remote_api.sync_remote_data(self.source_site, remote_data)
+
+        self.assertEqual(AppSetting.objects.count(), 5)
+        # Global setting should be updated
+        target_global_setting.refresh_from_db()
+        self.assertEqual(target_global_setting.value, '0')
+        # Local setting value should remain as is
+        target_local_setting.refresh_from_db()
+        self.assertEqual(target_local_setting.value, 'Target value')
+        # Assert sync data
+        self.assertEqual(
+            remote_data['app_settings'][global_set_uuid]['status'], 'updated'
+        )
+        self.assertEqual(
+            remote_data['app_settings'][local_set_uuid]['status'], 'skipped'
+        )
+
     def test_update_revoke(self):
         """Test sync with existing project data and REVOKED access"""
         new_user_username = 'newuser@' + SOURCE_USER_DOMAIN
@@ -2086,6 +2359,7 @@ def test_update_no_changes(self):
             'secret': None,
             'sodar_uuid': uuid.UUID(PEER_SITE_UUID),
             'user_display': PEER_SITE_USER_DISPLAY,
+            'owner_modifiable': True,
         }
         peer_site_dict = model_to_dict(peer_site_obj)
         peer_site_dict.pop('id')
@@ -2108,3 +2382,27 @@ def test_update_no_changes(self):
         og_data['app_settings'][SET_IP_ALLOWLIST_UUID]['status'] = 'skipped'
         og_data['app_settings'][SET_STAR_UUID]['status'] = 'skipped'
         self.assertEqual(og_data, remote_data)
+
+    def test_update_user_add_email(self):
+        """Test sync with new additional email on user"""
+        self.assertEqual(SODARUserAdditionalEmail.objects.count(), 0)
+        remote_data = self.default_data
+        remote_data['users'][SOURCE_USER_UUID]['additional_emails'] = [
+            ADD_EMAIL
+        ]
+        self.remote_api.sync_remote_data(self.source_site, remote_data)
+        self.assertEqual(SODARUserAdditionalEmail.objects.count(), 1)
+        email = SODARUserAdditionalEmail.objects.first()
+        target_user = User.objects.get(sodar_uuid=SOURCE_USER_UUID)
+        self.assertEqual(email.user, target_user)
+        self.assertEqual(email.email, ADD_EMAIL)
+        self.assertEqual(email.verified, True)
+
+    def test_update_user_add_email_delete(self):
+        """Test sync with deleting existing additional email on user"""
+        self.make_email(self.user_target, ADD_EMAIL)
+        self.assertEqual(SODARUserAdditionalEmail.objects.count(), 1)
+        remote_data = self.default_data
+        remote_data['users'][SOURCE_USER_UUID]['additional_emails'] = []
+        self.remote_api.sync_remote_data(self.source_site, remote_data)
+        self.assertEqual(SODARUserAdditionalEmail.objects.count(), 0)
diff --git a/projectroles/tests/test_tasks.py b/projectroles/tests/test_tasks.py
index 83730896..5f29871f 100644
--- a/projectroles/tests/test_tasks.py
+++ b/projectroles/tests/test_tasks.py
@@ -94,7 +94,7 @@ def test_sync_change_settings_task(self):
         """
         sync_remote_site_task()
         app_settings.set(
-            app_name='projectroles',
+            plugin_name='projectroles',
             setting_name='ip_restrict',
             project=self.project_source,
             value=True,
@@ -106,7 +106,7 @@ def test_sync_change_settings_task(self):
         self.assertEqual(RemoteProject.objects.all().count(), 2)
         self.assertEqual(
             app_settings.get(
-                app_name='projectroles',
+                plugin_name='projectroles',
                 setting_name='ip_restrict',
                 project=self.project_source,
             ),
diff --git a/projectroles/tests/test_templatetags.py b/projectroles/tests/test_templatetags.py
index caba7462..73297dfa 100644
--- a/projectroles/tests/test_templatetags.py
+++ b/projectroles/tests/test_templatetags.py
@@ -7,19 +7,13 @@
 
 from django.conf import settings
 from django.test import override_settings, RequestFactory
-from django.urls import reverse
+from django.urls import reverse, resolve
 
 from test_plus.test import TestCase
 
 import projectroles
 from projectroles.app_settings import AppSettingAPI
-from projectroles.models import (
-    Project,
-    RemoteProject,
-    RemoteSite,
-    AppSetting,
-    SODAR_CONSTANTS,
-)
+from projectroles.models import AppSetting, SODAR_CONSTANTS
 from projectroles.plugins import get_app_plugin, get_active_plugins
 from projectroles.templatetags import (
     projectroles_common_tags as c_tags,
@@ -56,7 +50,7 @@
 TEMPLATE_PATH = 'projectroles/home.html'
 
 
-class TestTemplateTagsBase(
+class TemplateTagTestBase(
     ProjectMixin, RoleMixin, RoleAssignmentMixin, ProjectInviteMixin, TestCase
 ):
     """Base class for testing template tags"""
@@ -66,6 +60,9 @@ def setUp(self):
         self.init_roles()
         # Init users
         self.user = self.make_user('user_owner')
+        self.superuser = self.make_user('user_superuser')
+        self.superuser.is_superuser = True
+        self.superuser.save()
         # Init category
         self.category = self.make_project(
             title='TestCategoryTop', type=PROJECT_TYPE_CATEGORY, parent=None
@@ -95,9 +92,11 @@ def setUp(self):
             app_plugin__name='filesfolders',
             name='allow_public_links',
         )
+        # Init request factory
+        self.req_factory = RequestFactory()
 
 
-class TestProjectrolesCommonTags(TestTemplateTagsBase):
+class TestProjectrolesCommonTags(TemplateTagTestBase):
     """Test for template tags in projectroles_common_tags"""
 
     def test_site_version(self):
@@ -180,13 +179,12 @@ def test_template_exists(self):
 
     def test_get_full_url(self):
         """Test get_full_url()"""
-        req_factory = RequestFactory()
         url = reverse(
             'projectroles:detail', kwargs={'project': self.project.sodar_uuid}
         )
 
         with self.login(self.user):
-            request = req_factory.get(url)
+            request = self.req_factory.get(url)
             self.assertEqual(
                 c_tags.get_full_url(request, url),
                 'http://testserver/project/{}'.format(self.project.sodar_uuid),
@@ -299,48 +297,6 @@ def test_get_info_link(self):
 
     # TODO: Test get_remote_icon() (need to set up remote projects)
 
-    def test_get_visible_projects(self):
-        """Test get_visible_projects()"""
-        # Setup projects
-        create_values = {'title': 'TestProject'}
-        project = Project.objects.create(**create_values)
-
-        # Setup sites
-        create_values = {
-            'name': 'VisibleSite',
-            'url': 'visible.site',
-            'mode': SITE_MODE_TARGET,
-            'user_display': True,
-        }
-        visible_site = RemoteSite.objects.create(**create_values)
-
-        create_values = {
-            'name': 'InvisibleSite',
-            'url': 'invisible.site',
-            'mode': SITE_MODE_TARGET,
-            'user_display': False,
-        }
-        invisible_site = RemoteSite.objects.create(**create_values)
-
-        # Setup remote projects
-        create_values = {
-            'project_uuid': project.sodar_uuid,
-            'project': project,
-            'site': visible_site,
-            'level': REMOTE_LEVEL_READ_ROLES,
-        }
-        visible_project = RemoteProject.objects.create(**create_values)
-
-        create_values['site'] = invisible_site
-        invisible_project = RemoteProject.objects.create(**create_values)
-
-        # Test returned peer projects
-        peer_projects = c_tags.get_visible_projects(
-            [visible_project, invisible_project]
-        )
-
-        self.assertEqual(peer_projects, [visible_project])
-
     def test_render_markdown(self):
         """Test render_markdown()"""
         raw_md = '**Some markdown**'
@@ -389,12 +345,12 @@ def test_include_invalid_url(self):
         # TODO: Replace with get_app_plugin once implemented for backend plugins
         backend_plugin = get_active_plugins('backend')[0]
 
-        type(
-            backend_plugin
-        ).javascript_url = 'example_backend_app/js/NOT_EXISTING_JS.js'
-        type(
-            backend_plugin
-        ).css_url = 'example_backend_app/css/NOT_EXISTING_CSS.css'
+        type(backend_plugin).javascript_url = (
+            'example_backend_app/js/NOT_EXISTING_JS.js'
+        )
+        type(backend_plugin).css_url = (
+            'example_backend_app/css/NOT_EXISTING_CSS.css'
+        )
 
         self.assertEqual(
             c_tags.get_backend_include(backend_plugin.name, 'js'), ''
@@ -408,9 +364,9 @@ def test_get_backend_include(self):
         # TODO: Replace with get_app_plugin once implemented for backend plugins
         backend_plugin = get_active_plugins('backend')[0]
 
-        type(
-            backend_plugin
-        ).javascript_url = 'example_backend_app/js/greeting.js'
+        type(backend_plugin).javascript_url = (
+            'example_backend_app/js/greeting.js'
+        )
         type(backend_plugin).css_url = 'example_backend_app/css/greeting.css'
 
         self.assertEqual(
@@ -425,7 +381,7 @@ def test_get_backend_include(self):
         )
 
 
-class TestProjectrolesRoleTags(TestTemplateTagsBase):
+class TestProjectrolesRoleTags(TemplateTagTestBase):
     """Test for template tags in projectroles_role_tags"""
 
     def test_get_role_icon(self):
@@ -516,7 +472,7 @@ def test_get_inactive_role(self):
         )
 
 
-class TestProjectrolesTags(TestTemplateTagsBase):
+class TestProjectrolesTags(TemplateTagTestBase):
     """Test for template tags in projectroles_tags"""
 
     def test_sodar_constant(self):
@@ -618,3 +574,279 @@ def test_get_sidebar_app_legend(self):
         self.assertEqual(
             tags.get_sidebar_app_legend('Update Project'), 'Update<br />Project'
         )
+
+    def test_get_sidebar_links_home(self):
+        """Test get_sidebar_links() on the home view"""
+        url = reverse('home')
+        request = self.req_factory.get(url)
+        request.resolver_match = resolve(url)
+        request.user = self.user
+        self.assertEqual(
+            tags.get_project_app_links(request),
+            [],
+        )
+
+    def test_get_sidebar_links_project_detail_view(self):
+        """Test get_sidebar_links() on project detail view"""
+        url = reverse(
+            'projectroles:detail', kwargs={'project': self.project.sodar_uuid}
+        )
+        request = self.req_factory.get(url)
+        request.resolver_match = resolve(url)
+        request.user = self.user
+        self.assertEqual(
+            tags.get_project_app_links(request, self.project),
+            [
+                {
+                    'name': 'project-detail',
+                    'url': f'/project/{self.project.sodar_uuid}',
+                    'label': 'Project Overview',
+                    'icon': 'mdi:cube',
+                    'active': True,
+                },
+                {
+                    'name': 'app-plugin-bgjobs',
+                    'url': f'/bgjobs/list/{self.project.sodar_uuid}',
+                    'label': 'Background Jobs',
+                    'icon': 'mdi:server',
+                    'active': False,
+                },
+                {
+                    'name': 'app-plugin-example_project_app',
+                    'url': f'/examples/project/{self.project.sodar_uuid}',
+                    'label': 'Example Project App',
+                    'icon': 'mdi:rocket-launch',
+                    'active': False,
+                },
+                {
+                    'name': 'app-plugin-filesfolders',
+                    'url': f'/files/{self.project.sodar_uuid}',
+                    'label': 'Files',
+                    'icon': 'mdi:file',
+                    'active': False,
+                },
+                {
+                    'name': 'app-plugin-timeline',
+                    'url': f'/timeline/{self.project.sodar_uuid}',
+                    'label': 'Timeline',
+                    'icon': 'mdi:clock-time-eight',
+                    'active': False,
+                },
+                {
+                    'name': 'project-roles',
+                    'url': f'/project/members/{self.project.sodar_uuid}',
+                    'label': 'Members',
+                    'icon': 'mdi:account-multiple',
+                    'active': False,
+                },
+                {
+                    'name': 'project-update',
+                    'url': f'/project/update/{self.project.sodar_uuid}',
+                    'label': 'Update Project',
+                    'icon': 'mdi:lead-pencil',
+                    'active': False,
+                },
+            ],
+        )
+
+    def test_get_sidebar_links_role_view(self):
+        """Test get_sidebar_links() on the role view"""
+        url = reverse(
+            'projectroles:roles', kwargs={'project': self.project.sodar_uuid}
+        )
+        request = self.req_factory.get(url)
+        request.resolver_match = resolve(url)
+        request.user = self.user
+        for app in tags.get_project_app_links(request, self.project):
+            if app['name'] == 'project-roles':
+                self.assertEqual(app['active'], True)
+            else:
+                self.assertEqual(app['active'], False)
+
+    def test_get_sidebar_links_timeline_view(self):
+        """Test get_sidebar_links() on the timeline view"""
+        url = reverse(
+            'timeline:list_project', kwargs={'project': self.project.sodar_uuid}
+        )
+        request = self.req_factory.get(url)
+        request.resolver_match = resolve(url)
+        request.user = self.user
+        for app in tags.get_project_app_links(request, self.project):
+            if app['name'] == 'app-plugin-timeline':
+                self.assertEqual(app['active'], True)
+            else:
+                self.assertEqual(app['active'], False)
+
+    def test_get_links_home_user(self):
+        """Test get_user_links() on the home view"""
+        url = reverse('home')
+        request = self.req_factory.get(url)
+        request.resolver_match = resolve(url)
+        request.user = self.user
+        self.assertEqual(
+            tags.get_user_links(request),
+            [
+                {
+                    'name': 'appalerts',
+                    'url': '/alerts/app/list',
+                    'label': 'App Alerts',
+                    'icon': 'mdi:alert-octagram',
+                    'active': False,
+                },
+                {
+                    'name': 'example_site_app',
+                    'url': '/examples/site/example',
+                    'label': 'Example Site App',
+                    'icon': 'mdi:rocket-launch-outline',
+                    'active': False,
+                },
+                {
+                    'name': 'timeline_site',
+                    'url': '/timeline/site',
+                    'label': 'Site-Wide Events',
+                    'icon': 'mdi:clock-time-eight-outline',
+                    'active': False,
+                },
+                {
+                    'name': 'tokens',
+                    'url': '/tokens/',
+                    'label': 'API Tokens',
+                    'icon': 'mdi:key-chain-variant',
+                    'active': False,
+                },
+                {
+                    'name': 'userprofile',
+                    'url': '/user/profile',
+                    'label': 'User Profile',
+                    'icon': 'mdi:account-details',
+                    'active': False,
+                },
+                {
+                    'name': 'sign-out',
+                    'url': '/logout/',
+                    'label': 'Logout',
+                    'icon': 'mdi:logout-variant',
+                    'active': False,
+                },
+            ],
+        )
+
+    def test_get_links_home_superuser(self):
+        """Test get_user_links() on the home view as superuser"""
+        url = reverse('home')
+        request = self.req_factory.get(url)
+        request.resolver_match = resolve(url)
+        request.user = self.superuser
+        self.assertEqual(
+            tags.get_user_links(request),
+            [
+                {
+                    'name': 'adminalerts',
+                    'url': '/alerts/adm/list',
+                    'label': 'Admin Alerts',
+                    'icon': 'mdi:alert',
+                    'active': False,
+                },
+                {
+                    'name': 'appalerts',
+                    'url': '/alerts/app/list',
+                    'label': 'App Alerts',
+                    'icon': 'mdi:alert-octagram',
+                    'active': False,
+                },
+                {
+                    'name': 'bgjobs_site',
+                    'url': '/bgjobs/list',
+                    'label': 'Site Background Jobs',
+                    'icon': 'mdi:server',
+                    'active': False,
+                },
+                {
+                    'name': 'example_site_app',
+                    'url': '/examples/site/example',
+                    'label': 'Example Site App',
+                    'icon': 'mdi:rocket-launch-outline',
+                    'active': False,
+                },
+                {
+                    'name': 'remotesites',
+                    'url': '/project/remote/sites',
+                    'label': 'Remote Site Access',
+                    'icon': 'mdi:cloud-sync',
+                    'active': False,
+                },
+                {
+                    'name': 'siteinfo',
+                    'url': '/siteinfo/info',
+                    'label': 'Site Info',
+                    'icon': 'mdi:bar-chart',
+                    'active': False,
+                },
+                {
+                    'name': 'timeline_site',
+                    'url': '/timeline/site',
+                    'label': 'Site-Wide Events',
+                    'icon': 'mdi:clock-time-eight-outline',
+                    'active': False,
+                },
+                {
+                    'name': 'timeline_site_admin',
+                    'url': '/timeline/site/all',
+                    'label': 'All Timeline Events',
+                    'icon': 'mdi:web-clock',
+                    'active': False,
+                },
+                {
+                    'name': 'tokens',
+                    'url': '/tokens/',
+                    'label': 'API Tokens',
+                    'icon': 'mdi:key-chain-variant',
+                    'active': False,
+                },
+                {
+                    'name': 'userprofile',
+                    'url': '/user/profile',
+                    'label': 'User Profile',
+                    'icon': 'mdi:account-details',
+                    'active': False,
+                },
+                {
+                    'name': 'admin',
+                    'url': '/admin/',
+                    'label': 'Django Admin',
+                    'icon': 'mdi:cogs',
+                    'active': False,
+                },
+                {
+                    'name': 'sign-out',
+                    'url': '/logout/',
+                    'label': 'Logout',
+                    'icon': 'mdi:logout-variant',
+                    'active': False,
+                },
+            ],
+        )
+
+    def test_get_user_links_userprofile(self):
+        """Test get_user_links() on the user profile view"""
+        url = reverse('userprofile:detail')
+        request = self.req_factory.get(url)
+        request.resolver_match = resolve(url)
+        request.user = self.user
+        for app in tags.get_user_links(request):
+            if app['name'] == 'userprofile':
+                self.assertEqual(app['active'], True)
+            else:
+                self.assertEqual(app['active'], False)
+
+    def test_get_user_links_remote_site(self):
+        """Test get_user_links() on the remote site view"""
+        url = reverse('projectroles:remote_site_create')
+        request = self.req_factory.get(url)
+        request.resolver_match = resolve(url)
+        request.user = self.user
+        for app in tags.get_user_links(request):
+            if app['name'] == 'remote_site_app':
+                self.assertEqual(app['active'], True)
+            else:
+                self.assertEqual(app['active'], False)
diff --git a/projectroles/tests/test_ui.py b/projectroles/tests/test_ui.py
index 300cdb14..f610585d 100644
--- a/projectroles/tests/test_ui.py
+++ b/projectroles/tests/test_ui.py
@@ -2,6 +2,7 @@
 
 import socket
 import time
+import uuid
 
 from urllib.parse import urlencode
 
@@ -15,11 +16,13 @@
 from django.contrib.sessions.backends.db import SessionStore
 from django.test import LiveServerTestCase, override_settings
 from django.urls import reverse
+from django.utils import timezone
 
 from selenium import webdriver
 from selenium.common.exceptions import (
     NoSuchElementException,
     StaleElementReferenceException,
+    TimeoutException,
 )
 from selenium.webdriver.common.by import By
 from selenium.webdriver.support import expected_conditions as ec
@@ -54,6 +57,8 @@
 SITE_MODE_TARGET = SODAR_CONSTANTS['SITE_MODE_TARGET']
 SITE_MODE_SOURCE = SODAR_CONSTANTS['SITE_MODE_SOURCE']
 SITE_MODE_PEER = SODAR_CONSTANTS['SITE_MODE_PEER']
+REMOTE_LEVEL_READ_ROLES = SODAR_CONSTANTS['REMOTE_LEVEL_READ_ROLES']
+REMOTE_LEVEL_REVOKED = SODAR_CONSTANTS['REMOTE_LEVEL_REVOKED']
 
 # Local constants
 PROJECT_LINK_IDS = [
@@ -68,6 +73,14 @@
 REMOTE_SITE_URL = 'https://sodar.bihealth.org'
 REMOTE_SITE_DESC = 'New description'
 REMOTE_SITE_SECRET = build_secret()
+PROJECT_SELECT_CSS = 'div[id="div_id_type"] div select[id="id_type"]'
+PROJECT_SETTING_ID = 'div_id_settings.example_project_app.project_int_setting'
+CATEGORY_SETTING_ID = (
+    'div_id_settings.example_project_app.category_bool_setting'
+)
+PUBLIC_ACCESS_ID = 'id_public_guest_access'
+REMOTE_SITE_UUID = uuid.uuid4()
+REMOTE_SITE_ID = 'id_remote_site.{}'.format(REMOTE_SITE_UUID)
 
 
 class LiveUserMixin:
@@ -90,7 +103,7 @@ def make_user(cls, user_name, superuser=False):
         return user
 
 
-class TestUIBase(
+class UITestBase(
     LiveUserMixin,
     ProjectMixin,
     RoleMixin,
@@ -124,7 +137,7 @@ def setUp(self):
         options = webdriver.ChromeOptions()
         for arg in self.chrome_options:
             options.add_argument(arg)
-        self.selenium = webdriver.Chrome(chrome_options=options)
+        self.selenium = webdriver.Chrome(options=options)
         # Prevent ElementNotVisibleException
         self.selenium.set_window_size(self.window_size[0], self.window_size[1])
 
@@ -204,6 +217,9 @@ def login_and_redirect(
 
         :param user: User object
         :param url: URL to redirect to (string)
+        :param wait_elem: Wait for existence of an element (string, optional)
+        :param wait_loc: Locator of optional wait element (string, corresponds
+                         to selenium "By" class members)
         """
         # Legacy login mode
         if getattr(settings, 'PROJECTROLES_TEST_UI_LEGACY_LOGIN', False):
@@ -449,8 +465,19 @@ def assert_element_active(
             self.assertIsNotNone(element)
             self.assertNotIn('active', element.get_attribute('class'))
 
+    def assert_displayed(self, by, value, expected):
+        """
+        Assert element is or isn't displayed. Assumes user to be logged in.
 
-class TestBaseTemplate(TestUIBase):
+        :param by: Selenium By selector
+        :param value: Value for selecting element
+        :param expected: Boolean
+        """
+        elem = self.selenium.find_element(by, value)
+        self.assertEqual(elem.is_displayed(), expected)
+
+
+class TestBaseTemplate(UITestBase):
     """Tests for the base project template"""
 
     def test_admin_link(self):
@@ -474,7 +501,7 @@ def test_admin_link(self):
         self.assert_element_exists(expected_false, url, elem_id, False)
 
 
-class TestHomeView(TestUIBase):
+class TestHomeView(UITestBase):
     """Tests for the home view and project list UI"""
 
     #: Home view URL
@@ -630,7 +657,7 @@ def test_project_list_filter_trim(self):
     def test_project_list_star(self):
         """Test project list star filter"""
         app_settings.set(
-            app_name='projectroles',
+            plugin_name='projectroles',
             setting_name='project_star',
             value=True,
             project=self.project,
@@ -677,10 +704,10 @@ def test_link_create_toplevel(self):
             self.user_no_roles,
         ]
         self.assert_element_exists(
-            expected_true, self.url, 'sodar-pr-home-link-create', True
+            expected_true, self.url, 'sodar-pr-link-home-project-create', True
         )
         self.assert_element_exists(
-            expected_false, self.url, 'sodar-pr-home-link-create', False
+            expected_false, self.url, 'sodar-pr-link-home-project-create', False
         )
 
     @override_settings(PROJECTROLES_INLINE_HEAD_INCLUDE=HEAD_INCLUDE)
@@ -698,7 +725,7 @@ def test_inline_head_include_disabled(self):
             self.selenium.find_element(By.XPATH, '//meta[@name="keywords"]')
 
 
-class TestProjectSidebar(ProjectInviteMixin, RemoteTargetMixin, TestUIBase):
+class TestProjectSidebar(ProjectInviteMixin, RemoteTargetMixin, UITestBase):
     """Tests for the project sidebar"""
 
     def setUp(self):
@@ -1091,7 +1118,7 @@ def test_link_active_update(self):
         )
 
 
-class TestProjectSearchResultsView(TestUIBase):
+class TestProjectSearchResultsView(UITestBase):
     """Tests for ProjectSearchResultsView UI"""
 
     def test_search_results(self):
@@ -1197,7 +1224,7 @@ def test_search_project_findable_link(self):
         )
 
 
-class TestProjectDetailView(RemoteSiteMixin, RemoteProjectMixin, TestUIBase):
+class TestProjectDetailView(RemoteSiteMixin, RemoteProjectMixin, UITestBase):
     """Tests for ProjectDetailView UI"""
 
     @classmethod
@@ -1205,8 +1232,11 @@ def _get_pr_links(cls, *args):
         """Return full IDs of project links"""
         return ['sodar-pr-link-project-' + x for x in args]
 
-    def _setup_remote_project(
-        self, site_mode=SITE_MODE_TARGET, user_visibility=True
+    def _setup_remotes(
+        self,
+        site_mode=SITE_MODE_TARGET,
+        level=REMOTE_LEVEL_READ_ROLES,
+        user_visibility=True,
     ):
         """Create remote site and project with given user_visibility setting"""
         self.remote_site = self.make_site(
@@ -1217,13 +1247,21 @@ def _setup_remote_project(
             secret=REMOTE_SITE_SECRET,
             user_display=user_visibility,
         )
-
-        # Setup remote project pointing to local object
         self.remote_project = self.make_remote_project(
             project_uuid=self.project.sodar_uuid,
             site=self.remote_site,
-            level=SODAR_CONSTANTS['REMOTE_LEVEL_READ_ROLES'],
+            level=level,
             project=self.project,
+            date_access=timezone.now(),
+        )
+
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            'projectroles:detail', kwargs={'project': self.project.sodar_uuid}
+        )
+        self.url_cat = reverse(
+            'projectroles:detail', kwargs={'project': self.category.sodar_uuid}
         )
 
     def test_project_links(self):
@@ -1245,10 +1283,7 @@ def test_project_links(self):
             (self.user_contributor, self._get_pr_links('roles', 'star')),
             (self.user_guest, self._get_pr_links('roles', 'star')),
         ]
-        url = reverse(
-            'projectroles:detail', kwargs={'project': self.project.sodar_uuid}
-        )
-        self.assert_element_set(expected, PROJECT_LINK_IDS, url)
+        self.assert_element_set(expected, PROJECT_LINK_IDS, self.url)
 
     def test_project_links_category(self):
         """Test visibility of top level category links"""
@@ -1276,10 +1311,7 @@ def test_project_links_category(self):
             (self.user_contributor, self._get_pr_links('star')),
             (self.user_guest, self._get_pr_links('star')),
         ]
-        url = reverse(
-            'projectroles:detail', kwargs={'project': self.category.sodar_uuid}
-        )
-        self.assert_element_set(expected, PROJECT_LINK_IDS, url)
+        self.assert_element_set(expected, PROJECT_LINK_IDS, self.url_cat)
 
     def test_copy_uuid_visibility_default(self):
         """Test default UUID copy button visibility (should not be visible)"""
@@ -1295,48 +1327,38 @@ def test_copy_uuid_visibility_default(self):
             self.user_contributor,
             self.user_guest,
         ]
-        url = reverse(
-            'projectroles:detail', kwargs={'project': self.project.sodar_uuid}
-        )
         for user in users:
-            self.login_and_redirect(user, url)
+            self.login_and_redirect(user, self.url)
             with self.assertRaises(NoSuchElementException):
                 self.selenium.find_element(By.ID, 'sodar-pr-btn-copy-uuid')
 
     def test_copy_uuid_visibility_enabled(self):
         """Test UUID copy button visibility with setting enabled"""
         app_settings.set(
-            app_name='userprofile',
+            plugin_name='userprofile',
             setting_name='enable_project_uuid_copy',
             value=True,
             user=self.user_owner,
         )
-        url = reverse(
-            'projectroles:detail', kwargs={'project': self.project.sodar_uuid}
-        )
         self.assert_element_exists(
-            [self.user_owner], url, 'sodar-pr-btn-copy-uuid', True
+            [self.user_owner], self.url, 'sodar-pr-btn-copy-uuid', True
         )
 
     def test_plugin_links(self):
         """Test visibility of app plugin links"""
         expected = [(self.superuser, len(get_active_plugins()))]
-        url = reverse(
-            'projectroles:detail', kwargs={'project': self.project.sodar_uuid}
+        self.assert_element_count(
+            expected, self.url, 'sodar-pr-link-app-plugin'
         )
-        self.assert_element_count(expected, url, 'sodar-pr-link-app-plugin')
 
     def test_plugin_cards(self):
         """Test visibility of app plugin cards"""
         expected = [(self.superuser, len(get_active_plugins()))]
-        url = reverse(
-            'projectroles:detail', kwargs={'project': self.project.sodar_uuid}
-        )
-        self.assert_element_count(expected, url, 'sodar-pr-app-item')
+        self.assert_element_count(expected, self.url, 'sodar-pr-app-item')
 
-    def test_remote_project_visible(self):
-        """Test project card for enabled visbility for all users"""
-        self._setup_remote_project(user_visibility=True)
+    def test_remote_project(self):
+        """Test remote project visbility for all users"""
+        self._setup_remotes()
         users = [
             self.superuser,
             self.user_owner_cat,
@@ -1348,51 +1370,93 @@ def test_remote_project_visible(self):
             self.user_contributor,
             self.user_guest,
         ]
-        url = reverse(
-            'projectroles:detail', kwargs={'project': self.project.sodar_uuid}
-        )
-        # Visibile for all users
         for user in users:
-            self.login_and_redirect(user, url)
-            project_details = self.selenium.find_element(
-                By.ID, 'sodar-pr-details-card-remote'
+            self.login_and_redirect(user, self.url)
+            elem = self.selenium.find_element(
+                By.CLASS_NAME, 'sodar-pr-link-remote-target'
             )
-            remote_project = project_details.find_element(
-                By.CLASS_NAME, 'btn-info'
-            )
-            self.assertEqual(remote_project.text, REMOTE_SITE_NAME)
+            self.assertIn('btn-info', elem.get_attribute('class'))
+            if user == self.superuser:  # No need to test these for all users
+                self.assertEqual(elem.text, REMOTE_SITE_NAME)
+                self.assertEqual(
+                    elem.get_attribute('href'), self.remote_site.url + self.url
+                )
+                self.assertIsNone(elem.get_attribute('disabled'))
 
-    def test_remote_project_invisible(self):
-        """Test project card for disabled visibility for different users"""
-        self._setup_remote_project(user_visibility=False)
+    def test_remote_project_user_visibility_disabled(self):
+        """Test remote project visibility with user_visibility=False"""
+        self._setup_remotes(user_visibility=False)
         users = [self.user_delegate, self.user_contributor, self.user_guest]
-        url = reverse(
-            'projectroles:detail', kwargs={'project': self.project.sodar_uuid}
-        )
-        # Invisible for basic users
         for user in users:
-            self.login_and_redirect(user, url)
+            self.login_and_redirect(user, self.url)
             with self.assertRaises(NoSuchElementException):
                 self.selenium.find_element(
                     By.ID, 'sodar-pr-details-card-remote'
                 )
         # Greyed out for superuser and owner
         for user in [self.superuser, self.user_owner]:
-            self.login_and_redirect(user, url)
-            project_details = self.selenium.find_element(
-                By.ID, 'sodar-pr-details-card-remote'
+            self.login_and_redirect(user, self.url)
+            elem = self.selenium.find_element(
+                By.CLASS_NAME, 'sodar-pr-link-remote-target'
             )
-            remote_project = project_details.find_element(
-                By.CLASS_NAME, 'btn-secondary'
-            )
-            self.assertEqual(remote_project.text, REMOTE_SITE_NAME)
+            self.assertIn('btn-secondary', elem.get_attribute('class'))
 
-    def test_peer_project_source_invisible(self):
-        """Test visibility of peer projects on SOURCE site"""
-        self._setup_remote_project(site_mode=SITE_MODE_PEER)
-        url = reverse(
-            'projectroles:detail', kwargs={'project': self.project.sodar_uuid}
+    def test_remote_project_revoked(self):
+        """Test remote project with REVOKED level"""
+        self._setup_remotes(level=REMOTE_LEVEL_REVOKED)
+        users = [
+            self.superuser,
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_guest_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_contributor,
+            self.user_guest,
+        ]
+        for user in users:
+            self.login_and_redirect(user, self.url)
+            with self.assertRaises(NoSuchElementException):
+                self.selenium.find_element(
+                    By.ID, 'sodar-pr-details-card-remote'
+                )
+
+    def test_remote_project_not_accessed(self):
+        """Test non-accessed remote project"""
+        self._setup_remotes()
+        self.remote_project.date_access = None
+        self.remote_project.save()
+        self.login_and_redirect(self.superuser, self.url)
+        elem = self.selenium.find_element(
+            By.CLASS_NAME, 'sodar-pr-link-remote-target'
+        )
+        self.assertEqual(elem.get_attribute('disabled'), 'true')
+
+    def test_remote_project_update(self):
+        """Test non-accessed remote project with client side update"""
+        self._setup_remotes()
+        self.remote_project.date_access = None
+        self.remote_project.save()
+        self.login_and_redirect(self.superuser, self.url)
+        elem = self.selenium.find_element(
+            By.CLASS_NAME, 'sodar-pr-link-remote-target'
+        )
+        self.assertEqual(elem.get_attribute('disabled'), 'true')
+        self.remote_project.date_access = timezone.now()
+        self.remote_project.save()
+        xp = (
+            '//a[contains(@class, "sodar-pr-link-remote-target") '
+            'and not(@disabled)]'
         )
+        WebDriverWait(self.selenium, 15).until(
+            ec.presence_of_element_located((By.XPATH, xp))
+        )
+        self.assertEqual(elem.get_attribute('disabled'), None)
+
+    def test_peer_project_source(self):
+        """Test visibility of peer projects on SOURCE site"""
+        self._setup_remotes(site_mode=SITE_MODE_PEER)
         users = [
             self.superuser,
             self.user_owner_cat,
@@ -1406,16 +1470,16 @@ def test_peer_project_source_invisible(self):
             self.user_guest,
         ]
         for user in users:
-            self.login_and_redirect(user, url)
+            self.login_and_redirect(user, self.url)
             with self.assertRaises(NoSuchElementException):
                 self.selenium.find_element(
                     By.ID, 'sodar-pr-details-card-remote'
                 )
 
     @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
-    def test_peer_project_target_visible(self):
-        """Test visibility of peer projects on TARGET site (user_display=False)"""
-        # There needs to be a source mode remote project as master project,
+    def test_peer_project(self):
+        """Test peer projects on TARGET site with user_display=True"""
+        # There needs to be a source mode remote project as source project,
         # otherwise peer project logic wont be reached
         source_site = self.make_site(
             name='Second Remote Site',
@@ -1428,14 +1492,12 @@ def test_peer_project_target_visible(self):
         self.make_remote_project(
             project_uuid=self.project.sodar_uuid,
             site=source_site,
-            level=SODAR_CONSTANTS['REMOTE_LEVEL_READ_ROLES'],
+            level=REMOTE_LEVEL_READ_ROLES,
             project=self.project,
+            date_access=timezone.now(),
         )
-        self._setup_remote_project(site_mode=SITE_MODE_PEER)
+        self._setup_remotes(site_mode=SITE_MODE_PEER)
 
-        url = reverse(
-            'projectroles:detail', kwargs={'project': self.project.sodar_uuid}
-        )
         users = [
             self.superuser,
             self.user_owner_cat,
@@ -1447,27 +1509,28 @@ def test_peer_project_target_visible(self):
             self.user_contributor,
             self.user_guest,
         ]
-
         for user in users:
-            self.login_and_redirect(user, url)
-            remote_links = self.selenium.find_elements(
+            self.login_and_redirect(user, self.url)
+            elems = self.selenium.find_elements(
                 By.CLASS_NAME, 'sodar-pr-link-remote'
             )
-            self.assertEqual(len(remote_links), 2)
+            self.assertEqual(len(elems), 2)
             self.assertIn(
-                'sodar-pr-link-remote-master',
-                remote_links[0].get_attribute('class'),
+                'sodar-pr-link-remote-source', elems[0].get_attribute('class')
             )
             self.assertIn(
-                'sodar-pr-link-remote-peer',
-                remote_links[1].get_attribute('class'),
+                'sodar-pr-link-remote-peer', elems[1].get_attribute('class')
             )
+            if user == self.superuser:
+                self.assertEqual(
+                    elems[1].get_attribute('href'),
+                    self.remote_site.url + self.url,
+                )
+                self.assertIsNone(elems[1].get_attribute('disabled'))
 
     @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
-    def test_peer_project_target_invisible(self):
-        """Test invisibility of peer projects on TARGET site for users (user_display=False)"""
-        # There needs to be a source mode remote project as master project,
-        # otherwise peer project logic wont be reached
+    def test_peer_project_user_visibility_disabled(self):
+        """Test peer projects on TARGET site with user_display=False"""
         source_site = self.make_site(
             name='Second Remote Site',
             url='second_remote.site',
@@ -1479,16 +1542,11 @@ def test_peer_project_target_invisible(self):
         self.make_remote_project(
             project_uuid=self.project.sodar_uuid,
             site=source_site,
-            level=SODAR_CONSTANTS['REMOTE_LEVEL_READ_ROLES'],
+            level=REMOTE_LEVEL_READ_ROLES,
             project=self.project,
         )
-        self._setup_remote_project(
-            site_mode=SITE_MODE_PEER, user_visibility=False
-        )
+        self._setup_remotes(site_mode=SITE_MODE_PEER, user_visibility=False)
 
-        url = reverse(
-            'projectroles:detail', kwargs={'project': self.project.sodar_uuid}
-        )
         expected_true = [self.superuser, self.user_owner_cat, self.user_owner]
         expected_false = [
             self.user_delegate_cat,
@@ -1498,31 +1556,67 @@ def test_peer_project_target_invisible(self):
             self.user_contributor,
             self.user_guest,
         ]
-
         for user in expected_true:
-            self.login_and_redirect(user, url)
-            remote_links = self.selenium.find_elements(
+            self.login_and_redirect(user, self.url)
+            elems = self.selenium.find_elements(
                 By.CLASS_NAME, 'sodar-pr-link-remote'
             )
-            self.assertEqual(len(remote_links), 2)
+            self.assertEqual(len(elems), 2)
             self.assertIn(
-                'sodar-pr-link-remote-master',
-                remote_links[0].get_attribute('class'),
+                'sodar-pr-link-remote-source', elems[0].get_attribute('class')
             )
             self.assertIn(
-                'sodar-pr-link-remote-peer',
-                remote_links[1].get_attribute('class'),
+                'sodar-pr-link-remote-peer', elems[1].get_attribute('class')
             )
-
         for user in expected_false:
-            self.login_and_redirect(user, url)
-            remote_links = self.selenium.find_elements(
+            self.login_and_redirect(user, self.url)
+            elems = self.selenium.find_elements(
+                By.CLASS_NAME, 'sodar-pr-link-remote'
+            )
+            self.assertEqual(len(elems), 1)
+            self.assertIn(
+                'sodar-pr-link-remote-source', elems[0].get_attribute('class')
+            )
+
+    @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
+    def test_peer_project_revoked(self):
+        """Test peer project with REVOKED level"""
+        source_site = self.make_site(
+            name='Second Remote Site',
+            url='second_remote.site',
+            mode=SITE_MODE_SOURCE,
+            description='',
+            secret=build_secret(),
+            user_display=False,
+        )
+        self.make_remote_project(
+            project_uuid=self.project.sodar_uuid,
+            site=source_site,
+            level=REMOTE_LEVEL_READ_ROLES,
+            project=self.project,
+        )
+        self._setup_remotes(
+            site_mode=SITE_MODE_PEER, level=REMOTE_LEVEL_REVOKED
+        )
+        users = [
+            self.superuser,
+            self.user_owner_cat,
+            self.user_owner,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_guest_cat,
+            self.user_delegate,
+            self.user_contributor,
+            self.user_guest,
+        ]
+        for user in users:
+            self.login_and_redirect(user, self.url)
+            elems = self.selenium.find_elements(
                 By.CLASS_NAME, 'sodar-pr-link-remote'
             )
-            self.assertEqual(len(remote_links), 1)
+            self.assertEqual(len(elems), 1)
             self.assertIn(
-                'sodar-pr-link-remote-master',
-                remote_links[0].get_attribute('class'),
+                'sodar-pr-link-remote-source', elems[0].get_attribute('class')
             )
 
     def test_archive_visibility_default(self):
@@ -1539,11 +1633,8 @@ def test_archive_visibility_default(self):
             self.user_contributor,
             self.user_guest,
         ]
-        url = reverse(
-            'projectroles:detail', kwargs={'project': self.project.sodar_uuid}
-        )
         for user in users:
-            self.login_and_redirect(user, url)
+            self.login_and_redirect(user, self.url)
             with self.assertRaises(NoSuchElementException):
                 self.selenium.find_element(
                     By.ID, 'sodar-pr-header-icon-archive'
@@ -1565,11 +1656,8 @@ def test_archive_visibility_archived(self):
             self.user_contributor,
             self.user_guest,
         ]
-        url = reverse(
-            'projectroles:detail', kwargs={'project': self.project.sodar_uuid}
-        )
         for user in users:
-            self.login_and_redirect(user, url)
+            self.login_and_redirect(user, self.url)
             self.assertIsNotNone(
                 self.selenium.find_element(By.ID, 'sodar-pr-alert-archive')
             )
@@ -1580,127 +1668,116 @@ def test_archive_visibility_archived(self):
             )
 
 
-class TestProjectCreateView(TestUIBase):
+class TestProjectCreateView(RemoteSiteMixin, UITestBase):
     """Tests for ProjectCreateView UI"""
 
+    def setUp(self):
+        super().setUp()
+        self.remote_site = self.make_site(
+            name=REMOTE_SITE_NAME,
+            url=REMOTE_SITE_URL,
+            mode=SITE_MODE_TARGET,
+            description='',
+            secret=REMOTE_SITE_SECRET,
+            user_display=True,
+            sodar_uuid=REMOTE_SITE_UUID,
+        )
+        self.url = reverse(
+            'projectroles:create', kwargs={'project': self.category.sodar_uuid}
+        )
+        self.url_top = reverse('projectroles:create')
+
     def test_owner_widget_top(self):
         """Test rendering the owner widget on the top level"""
-        url = reverse('projectroles:create')
-        self.assert_element_exists([self.superuser], url, 'div_id_owner', True)
+        self.assert_element_exists(
+            [self.superuser], self.url_top, 'div_id_owner', True
+        )
 
     def test_owner_widget_sub(self):
         """Test rendering the owner widget under a category"""
         # Add new user, make them a contributor in category
         new_user = self.make_user('new_user')
         self.make_assignment(self.category, new_user, self.role_contributor)
-        url = reverse(
-            'projectroles:create', kwargs={'project': self.category.sodar_uuid}
+        self.assert_element_exists(
+            [self.superuser], self.url, 'div_id_owner', True
         )
-        self.assert_element_exists([self.superuser], url, 'div_id_owner', True)
         self.assert_element_exists(
-            [self.user_owner, new_user], url, 'div_id_owner', False
+            [self.user_owner, new_user], self.url, 'div_id_owner', False
         )
 
     def test_archive_button(self):
         """Test rendering form without archive button"""
-        url = reverse('projectroles:create')
         self.assert_element_exists(
-            [self.superuser], url, 'sodar-pr-btn-archive', False
+            [self.superuser], self.url_top, 'sodar-pr-btn-archive', False
         )
 
-    def test_settings_fields_default(self):
-        """Test rendering of app settings fields for default view"""
-        url = reverse('projectroles:create')
-        self.login_and_redirect(
-            self.superuser, url, wait_elem=None, wait_loc='ID'
-        )
-        element = self.selenium.find_element(
-            By.ID, 'div_id_settings.example_project_app.project_int_setting'
-        )
-        self.assertFalse(element.is_displayed())
+    def test_fields_top(self):
+        """Test rendering of dynamic fields for top level creation view"""
+        self.login_and_redirect(self.superuser, self.url_top)
+        self.assert_displayed(By.ID, PUBLIC_ACCESS_ID, False)
+        with self.assertRaises(NoSuchElementException):
+            self.selenium.find_element(By.ID, REMOTE_SITE_ID)
+        self.assert_displayed(By.ID, PROJECT_SETTING_ID, False)
+        self.assert_displayed(By.ID, CATEGORY_SETTING_ID, True)
 
-    def test_settings_fields_project(self):
-        """Test rendering of app settings fields for project creation"""
-        url = reverse(
-            'projectroles:create', kwargs={'project': self.category.sodar_uuid}
-        )
-        self.login_and_redirect(
-            self.superuser, url, wait_elem=None, wait_loc='ID'
-        )
-        element = self.selenium.find_element(
-            By.ID, 'div_id_settings.example_project_app.project_int_setting'
-        )
-        self.assertFalse(element.is_displayed())
+    def test_fields_project(self):
+        """Test rendering of dynamic fields for project creation"""
+        self.login_and_redirect(self.superuser, self.url)
+        self.assert_displayed(By.ID, PUBLIC_ACCESS_ID, False)
+        self.assert_displayed(By.ID, REMOTE_SITE_ID, False)
+        self.assert_displayed(By.ID, PROJECT_SETTING_ID, False)
+        self.assert_displayed(By.ID, CATEGORY_SETTING_ID, False)
         select = Select(
-            self.selenium.find_element(
-                By.CSS_SELECTOR,
-                'div[id="div_id_type"] div select[id="id_type"]',
-            )
+            self.selenium.find_element(By.CSS_SELECTOR, PROJECT_SELECT_CSS)
         )
-        select.select_by_value('PROJECT')
+        select.select_by_value(PROJECT_TYPE_PROJECT)
         self.assertEqual(select.first_selected_option.text, 'Project')
-        WebDriverWait(self.selenium, 10)
-        element = self.selenium.find_element(
-            By.ID, 'div_id_settings.example_project_app.project_int_setting'
+        WebDriverWait(self.selenium, 10).until(
+            ec.visibility_of_element_located((By.ID, PUBLIC_ACCESS_ID))
         )
-        self.assertTrue(element.is_displayed())
+        self.assert_displayed(By.ID, REMOTE_SITE_ID, True)
+        self.assert_displayed(By.ID, PROJECT_SETTING_ID, True)
+        self.assert_displayed(By.ID, CATEGORY_SETTING_ID, False)
 
-    def test_settings_fields_category(self):
-        """Test rendering of app settings fields for category creation"""
-        url = reverse(
-            'projectroles:create', kwargs={'project': self.category.sodar_uuid}
-        )
-        self.login_and_redirect(
-            self.superuser, url, wait_elem=None, wait_loc='ID'
-        )
-        element = self.selenium.find_element(
-            By.ID, 'div_id_settings.example_project_app.project_int_setting'
-        )
-        self.assertFalse(element.is_displayed())
+    def test_fields_category(self):
+        """Test rendering of dynamic fields for category creation"""
+        self.login_and_redirect(self.superuser, self.url)
+        self.assert_displayed(By.ID, PUBLIC_ACCESS_ID, False)
+        self.assert_displayed(By.ID, REMOTE_SITE_ID, False)
+        self.assert_displayed(By.ID, PROJECT_SETTING_ID, False)
+        self.assert_displayed(By.ID, CATEGORY_SETTING_ID, False)
         select = Select(
-            self.selenium.find_element(
-                By.CSS_SELECTOR,
-                'div[id="div_id_type"] div select[id="id_type"]',
-            )
+            self.selenium.find_element(By.CSS_SELECTOR, PROJECT_SELECT_CSS)
         )
-        select.select_by_value('CATEGORY')
+        select.select_by_value(PROJECT_TYPE_CATEGORY)
         self.assertEqual(select.first_selected_option.text, 'Category')
-        WebDriverWait(self.selenium, 10)
-        element = self.selenium.find_element(
-            By.ID, 'div_id_settings.example_project_app.project_int_setting'
+        WebDriverWait(self.selenium, 10).until(
+            ec.visibility_of_element_located((By.ID, CATEGORY_SETTING_ID))
         )
-        self.assertFalse(element.is_displayed())
+        self.assert_displayed(By.ID, PUBLIC_ACCESS_ID, False)
+        self.assert_displayed(By.ID, REMOTE_SITE_ID, False)
+        self.assert_displayed(By.ID, PROJECT_SETTING_ID, False)
+        self.assert_displayed(By.ID, CATEGORY_SETTING_ID, True)
 
     def test_settings_label_icon(self):
         """Test rendering of app settings icon for project creation"""
-        url = reverse(
-            'projectroles:create', kwargs={'project': self.category.sodar_uuid}
+        self.login_and_redirect(self.superuser, self.url)
+        select = Select(
+            self.selenium.find_element(By.CSS_SELECTOR, PROJECT_SELECT_CSS)
         )
-        self.login_and_redirect(
-            self.superuser, url, wait_elem=None, wait_loc='ID'
+        select.select_by_value(PROJECT_TYPE_PROJECT)
+        WebDriverWait(self.selenium, 10).until(
+            ec.presence_of_element_located((By.TAG_NAME, 'svg'))
         )
-        select = Select(
-            self.selenium.find_element(
-                By.CSS_SELECTOR,
-                'div[id="div_id_type"] div select[id="id_type"]',
-            )
+        find_args = (By.CSS_SELECTOR, 'div[id="{}"]'.format(PROJECT_SETTING_ID))
+        logo = self.selenium.find_element(*find_args).find_element(
+            By.TAG_NAME, 'svg'
         )
-        select.select_by_value('PROJECT')
-        WebDriverWait(self.selenium, 10)
-        logo = self.selenium.find_element(
-            By.CSS_SELECTOR,
-            'div[id="div_id_settings.example_project_app.project_int_setting"]',
-        ).find_element(By.TAG_NAME, 'svg')
         self.assertTrue(logo.is_displayed())
 
     def test_submit_button(self):
         """Test rendering of submit button"""
-        url = reverse(
-            'projectroles:create', kwargs={'project': self.category.sodar_uuid}
-        )
-        self.login_and_redirect(
-            self.superuser, url, wait_elem=None, wait_loc='ID'
-        )
+        self.login_and_redirect(self.superuser, self.url)
         element = self.selenium.find_element(
             By.CLASS_NAME, 'sodar-btn-submit-once'
         )
@@ -1715,67 +1792,114 @@ def test_submit_button(self):
                 if element.is_enabled() and i < max_retries - 1:
                     time.sleep(retry_interval)
                 else:
-                    self.fail(
-                        'Element did not become enabled within the timeout'
-                    )
+                    self.fail('Element not enabled within timeout')
             except StaleElementReferenceException:
                 break
 
 
-class TestProjectUpdateView(TestUIBase):
+class TestProjectUpdateView(RemoteSiteMixin, RemoteProjectMixin, UITestBase):
     """Tests for ProjectUpdateView UI"""
 
-    def test_archive_button(self):
-        """Test rendering of archive button"""
-        url = reverse(
+    def setUp(self):
+        super().setUp()
+        self.remote_site = self.make_site(
+            name=REMOTE_SITE_NAME,
+            url=REMOTE_SITE_URL,
+            mode=SITE_MODE_TARGET,
+            description='',
+            secret=REMOTE_SITE_SECRET,
+            user_display=True,
+            sodar_uuid=REMOTE_SITE_UUID,
+        )
+        self.url = reverse(
             'projectroles:update', kwargs={'project': self.project.sodar_uuid}
         )
+        self.url_cat = reverse(
+            'projectroles:update', kwargs={'project': self.category.sodar_uuid}
+        )
+
+    def test_archive_button(self):
+        """Test rendering archive button"""
         self.assert_element_exists(
-            [self.superuser], url, 'sodar-pr-btn-archive', True
+            [self.superuser], self.url, 'sodar-pr-btn-archive', True
         )
         element = self.selenium.find_element(By.ID, 'sodar-pr-btn-archive')
         self.assertEqual(element.text, 'Archive')
 
     def test_archive_button_archived(self):
-        """Test rendering of archive button with archived project"""
+        """Test rendering archive button with archived project"""
         self.project.set_archive()
-        url = reverse(
-            'projectroles:update', kwargs={'project': self.project.sodar_uuid}
-        )
         self.assert_element_exists(
-            [self.superuser], url, 'sodar-pr-btn-archive', True
+            [self.superuser], self.url, 'sodar-pr-btn-archive', True
         )
         element = self.selenium.find_element(By.ID, 'sodar-pr-btn-archive')
         self.assertEqual(element.text, 'Unarchive')
 
-    def test_settings_fields_project_update(self):
-        """Test rendering of app settings fields for project update view"""
-        url = reverse(
-            'projectroles:update', kwargs={'project': self.project.sodar_uuid}
-        )
-        self.login_and_redirect(
-            self.superuser, url, wait_elem=None, wait_loc='ID'
-        )
-        element = self.selenium.find_element(
-            By.ID, 'div_id_settings.example_project_app.project_int_setting'
-        )
-        self.assertTrue(element.is_displayed())
+    def test_fields_project(self):
+        """Test field visibility for project update"""
+        self.login_and_redirect(self.superuser, self.url)
+        self.assert_displayed(By.ID, PUBLIC_ACCESS_ID, True)
+        self.assert_displayed(By.ID, REMOTE_SITE_ID, True)
+        self.assert_displayed(By.ID, PROJECT_SETTING_ID, True)
+        self.assert_displayed(By.ID, CATEGORY_SETTING_ID, False)
+
+    def test_fields_category(self):
+        """Test field visibility for category update"""
+        self.login_and_redirect(self.superuser, self.url_cat)
+        self.assert_displayed(By.ID, PUBLIC_ACCESS_ID, False)
+        with self.assertRaises(NoSuchElementException):
+            self.selenium.find_element(By.ID, REMOTE_SITE_ID)
+        self.assert_displayed(By.ID, PROJECT_SETTING_ID, False)
+        self.assert_displayed(By.ID, CATEGORY_SETTING_ID, True)
 
-    def test_settings_fields_category_update(self):
-        """Test rendering of app settings fields for category update view"""
-        url = reverse(
-            'projectroles:update', kwargs={'project': self.category.sodar_uuid}
-        )
-        self.login_and_redirect(
-            self.superuser, url, wait_elem=None, wait_loc='ID'
+    def test_remote_field_enable(self):
+        """Test enabling remote site field"""
+        self.login_and_redirect(self.superuser, self.url)
+        elem = self.selenium.find_element(By.ID, REMOTE_SITE_ID)
+        self.assertEqual(elem.is_selected(), False)
+        elem.click()
+        with self.assertRaises(TimeoutException):
+            WebDriverWait(self.selenium, 3).until(ec.alert_is_present())
+        self.assertEqual(elem.is_selected(), True)
+        elem.click()  # Disable again
+        with self.assertRaises(TimeoutException):
+            WebDriverWait(self.selenium, 3).until(ec.alert_is_present())
+        self.assertEqual(elem.is_selected(), False)
+
+    def test_remote_field_disable(self):
+        """Test disabling previously enabled remote site field"""
+        self.remote_project = self.make_remote_project(
+            project_uuid=self.project.sodar_uuid,
+            site=self.remote_site,
+            level=REMOTE_LEVEL_READ_ROLES,
+            project=self.project,
         )
-        element = self.selenium.find_element(
-            By.ID, 'div_id_settings.example_project_app.project_int_setting'
+        self.login_and_redirect(self.superuser, self.url)
+        elem = self.selenium.find_element(By.ID, REMOTE_SITE_ID)
+        self.assertEqual(elem.is_selected(), True)
+        elem.click()
+        WebDriverWait(self.selenium, 3).until(ec.alert_is_present())
+        self.selenium.switch_to.alert.accept()
+        self.assertEqual(elem.is_selected(), False)
+
+    def test_remote_field_disable_cancel(self):
+        """Test canceling the disabling of previously enabled remote site field"""
+        self.remote_project = self.make_remote_project(
+            project_uuid=self.project.sodar_uuid,
+            site=self.remote_site,
+            level=REMOTE_LEVEL_READ_ROLES,
+            project=self.project,
         )
-        self.assertFalse(element.is_displayed())
+        self.login_and_redirect(self.superuser, self.url)
+        elem = self.selenium.find_element(By.ID, REMOTE_SITE_ID)
+        self.assertEqual(elem.is_selected(), True)
+        elem.click()
+        WebDriverWait(self.selenium, 3).until(ec.alert_is_present())
+        self.selenium.switch_to.alert.dismiss()
+        self.assertEqual(elem.is_selected(), True)
 
 
-class TestProjectArchiveView(TestUIBase):
+class TestProjectArchiveView(UITestBase):
     """Tests for ProjectArchiveView UI"""
 
     def test_archive_button(self):
@@ -1798,7 +1922,7 @@ def test_archive_button_archived(self):
         )
 
 
-class TestProjectRoleView(RemoteTargetMixin, TestUIBase):
+class TestProjectRoleView(RemoteTargetMixin, UITestBase):
     """Tests for ProjectRoleView UI"""
 
     def _get_role_dropdown(self, user, owner=False):
@@ -2008,7 +2132,7 @@ def test_role_dropdown_guest_inherited(self):
             elem.find_element(By.CLASS_NAME, 'sodar-pr-role-item-delete')
 
 
-class TestRoleAssignmentCreateView(TestUIBase):
+class TestRoleAssignmentCreateView(UITestBase):
     """Tests for RoleAssignmentCreateView UI"""
 
     def test_role_preview(self):
@@ -2060,7 +2184,7 @@ def test_widget_user_options(self):
         )
 
 
-class TestRoleAssignmentDeleteView(TestUIBase):
+class TestRoleAssignmentDeleteView(UITestBase):
     """Tests for RoleAssignmentDeleteView UI"""
 
     def test_render(self):
@@ -2139,7 +2263,7 @@ def test_render_children_inherit(self):
             )
 
 
-class TestProjectInviteView(ProjectInviteMixin, TestUIBase):
+class TestProjectInviteView(ProjectInviteMixin, UITestBase):
     """Tests for ProjectInviteView UI"""
 
     def test_invite_ops(self):
@@ -2214,7 +2338,7 @@ def test_invite_dropdown(self):
         )
 
 
-class TestProjectInviteCreateView(TestUIBase):
+class TestProjectInviteCreateView(UITestBase):
     """Tests for ProjectInviteCreateView UI"""
 
     def test_invite_preview(self):
@@ -2237,7 +2361,50 @@ def test_invite_preview(self):
         )
 
 
-class TestRemoteSiteListView(RemoteSiteMixin, TestUIBase):
+class TestProjectInviteProcessLocalView(ProjectInviteMixin, UITestBase):
+    """Tests for ProjectInviteProcessLocalView UI"""
+
+    def setUp(self):
+        super().setUp()
+        self.invite = self.make_invite(
+            email='test@example.com',
+            project=self.project,
+            role=self.role_contributor,
+            issuer=self.user_owner,
+            message='',
+        )
+        self.url = self.build_selenium_url(
+            reverse(
+                'projectroles:invite_process_new_user',
+                kwargs={'secret': self.invite.secret},
+            )
+        )
+
+    def test_get(self):
+        """Test ProjectInviteProcessLocalView GET"""
+        # NOTE: No login
+        self.selenium.get(self.url)
+        with self.assertRaises(NoSuchElementException):
+            self.selenium.find_element(By.ID, 'sodar-login-oidc-link')
+        elem = self.selenium.find_element(
+            By.CLASS_NAME, 'sodar-btn-submit-once'
+        )
+        self.assertEqual(elem.text, 'Create')
+
+    @override_settings(ENABLE_OIDC=True)
+    def test_get_oidc(self):
+        """Test GET with OIDC authentication enabled"""
+        self.selenium.get(self.url)
+        self.assertIsNotNone(
+            self.selenium.find_element(By.ID, 'sodar-login-oidc-link')
+        )
+        elem = self.selenium.find_element(
+            By.CLASS_NAME, 'sodar-btn-submit-once'
+        )
+        self.assertEqual(elem.text, 'Create')
+
+
+class TestRemoteSiteListView(RemoteSiteMixin, UITestBase):
     """Tests for RemoteSiteListView UI"""
 
     def test_source_user_display(self):
@@ -2304,7 +2471,7 @@ def test_target_list_user_display(self):
             )
 
 
-class TestRemoteSiteCreateView(RemoteSiteMixin, TestUIBase):
+class TestRemoteSiteCreateView(RemoteSiteMixin, UITestBase):
     """Tests for RemoteSiteCreateView UI"""
 
     def test_source_user_toggle(self):
@@ -2319,6 +2486,4 @@ def test_target_user_toggle(self):
         """Test site create form user display toggle on target site"""
         url = reverse('projectroles:remote_site_create')
         self.login_and_redirect(self.superuser, url)
-        self.assertFalse(
-            self.selenium.find_element(By.ID, 'id_user_display').is_displayed()
-        )
+        self.assert_displayed(By.ID, 'id_user_display', False)
diff --git a/projectroles/tests/test_views.py b/projectroles/tests/test_views.py
index a029b67d..5a94f0ea 100644
--- a/projectroles/tests/test_views.py
+++ b/projectroles/tests/test_views.py
@@ -1,6 +1,7 @@
 """UI view tests for the projectroles app"""
 
 import json
+import uuid
 
 from urllib.parse import urlencode
 
@@ -16,13 +17,25 @@
 from test_plus.test import TestCase
 
 # Timeline dependency
-from timeline.models import ProjectEvent
+from timeline.models import TimelineEvent
 from timeline.tests.test_models import (
-    ProjectEventMixin,
-    ProjectEventStatusMixin,
+    TimelineEventMixin,
+    TimelineEventStatusMixin,
 )
 
 from projectroles.app_settings import AppSettingAPI
+from projectroles.email import (
+    get_email_user,
+    SUBJECT_PROJECT_CREATE,
+    SUBJECT_PROJECT_MOVE,
+    SUBJECT_PROJECT_ARCHIVE,
+    SUBJECT_PROJECT_UNARCHIVE,
+    SUBJECT_ROLE_CREATE,
+    SUBJECT_ROLE_UPDATE,
+    SUBJECT_ROLE_DELETE,
+    SUBJECT_ACCEPT,
+    SUBJECT_EXPIRY,
+)
 from projectroles.forms import get_role_option, EMPTY_CHOICE_LABEL
 from projectroles.models import (
     Project,
@@ -54,15 +67,17 @@
     RemoteTargetMixin,
 )
 from projectroles.views import (
-    MSG_FORM_INVALID,
-    MSG_PROJECT_WELCOME,
-    MSG_USER_PROFILE_LDAP,
-    MSG_INVITE_LDAP_LOCAL_VIEW,
-    MSG_INVITE_LOCAL_NOT_ALLOWED,
-    MSG_INVITE_LOGGED_IN_ACCEPT,
-    MSG_INVITE_USER_NOT_EQUAL,
-    MSG_INVITE_USER_EXISTS,
-    MSG_LOGIN,
+    ProjectInviteProcessMixin,
+    FORM_INVALID_MSG,
+    PROJECT_WELCOME_MSG,
+    USER_PROFILE_LDAP_MSG,
+    INVITE_LDAP_LOCAL_VIEW_MSG,
+    INVITE_LOCAL_NOT_ALLOWED_MSG,
+    INVITE_LOGGED_IN_ACCEPT_MSG,
+    INVITE_USER_NOT_EQUAL_MSG,
+    INVITE_USER_EXISTS_MSG,
+    LOGIN_MSG,
+    TARGET_CREATE_DISABLED_MSG,
 )
 from projectroles.context_processors import (
     SIDEBAR_ICON_MIN_SIZE,
@@ -81,8 +96,13 @@
 PROJECT_ROLE_GUEST = SODAR_CONSTANTS['PROJECT_ROLE_GUEST']
 PROJECT_TYPE_CATEGORY = SODAR_CONSTANTS['PROJECT_TYPE_CATEGORY']
 PROJECT_TYPE_PROJECT = SODAR_CONSTANTS['PROJECT_TYPE_PROJECT']
-SITE_MODE_TARGET = SODAR_CONSTANTS['SITE_MODE_TARGET']
 SITE_MODE_SOURCE = SODAR_CONSTANTS['SITE_MODE_SOURCE']
+SITE_MODE_TARGET = SODAR_CONSTANTS['SITE_MODE_TARGET']
+SITE_MODE_PEER = SODAR_CONSTANTS['SITE_MODE_PEER']
+REMOTE_LEVEL_NONE = SODAR_CONSTANTS['REMOTE_LEVEL_NONE']
+REMOTE_LEVEL_REVOKED = SODAR_CONSTANTS['REMOTE_LEVEL_REVOKED']
+REMOTE_LEVEL_READ_INFO = SODAR_CONSTANTS['REMOTE_LEVEL_READ_INFO']
+REMOTE_LEVEL_READ_ROLES = SODAR_CONSTANTS['REMOTE_LEVEL_READ_ROLES']
 APP_SETTING_SCOPE_PROJECT = SODAR_CONSTANTS['APP_SETTING_SCOPE_PROJECT']
 APP_SETTING_SCOPE_USER = SODAR_CONSTANTS['APP_SETTING_SCOPE_USER']
 APP_SETTING_SCOPE_PROJECT_USER = SODAR_CONSTANTS[
@@ -90,6 +110,7 @@
 ]
 
 # Local constants
+APP_NAME = 'projectroles'
 INVITE_EMAIL = 'test@example.com'
 SECRET = 'rsd886hi8276nypuvw066sbvv0rb2a6x'
 TASKFLOW_SECRET_INVALID = 'Not a valid secret'
@@ -98,13 +119,17 @@
 REMOTE_SITE_DESC = 'description'
 REMOTE_SITE_SECRET = build_secret()
 REMOTE_SITE_USER_DISPLAY = True
+REMOTE_SITE_OWNER_MODIFY = True
 REMOTE_SITE_NEW_NAME = 'New name'
 REMOTE_SITE_NEW_URL = 'https://new.url'
 REMOTE_SITE_NEW_DESC = 'New description'
 REMOTE_SITE_NEW_SECRET = build_secret()
+REMOTE_SITE_UUID = uuid.uuid4()
+REMOTE_SITE_FIELD = 'remote_site.{}'.format(REMOTE_SITE_UUID)
 EXAMPLE_APP_NAME = 'example_project_app'
 INVALID_UUID = '11111111-1111-1111-1111-111111111111'
 INVALID_SETTING_VALUE = 'INVALID VALUE'
+LDAP_DOMAIN = 'EXAMPLE'
 
 HIDDEN_PROJECT_SETTINGS = [
     'settings.example_project_app.project_hidden_setting',
@@ -113,7 +138,7 @@
 UPDATED_HIDDEN_SETTING = 'Updated value'
 UPDATED_HIDDEN_JSON_SETTING = {'updated': 'value'}
 
-PROJECTROLES_APP_SETTINGS_TEST_LOCAL = {
+APP_SETTINGS_TEST = {
     'test_setting': {
         'scope': APP_SETTING_SCOPE_PROJECT,  # PROJECT/USER
         'type': 'BOOLEAN',  # STRING/INTEGER/BOOLEAN
@@ -121,7 +146,7 @@
         'label': 'Test setting',  # Optional, defaults to name/key
         'description': 'Test setting',  # Optional
         'user_modifiable': True,  # Optional, show/hide in forms
-        'local': False,
+        'global': True,
     },
     'test_setting_local': {
         'scope': APP_SETTING_SCOPE_PROJECT,  # PROJECT/USER
@@ -130,13 +155,13 @@
         'label': 'Test setting',  # Optional, defaults to name/key
         'description': 'Test setting',  # Optional
         'user_modifiable': True,  # Optional, show/hide in forms
-        'local': True,
+        'global': False,
     },
     'project_star': {  # NOTE: We have to include this for view tests
         'scope': APP_SETTING_SCOPE_PROJECT_USER,
         'type': 'BOOLEAN',
         'default': False,
-        'local': False,
+        'global': True,
     },
 }
 
@@ -152,7 +177,7 @@
 ]
 
 
-class TestViewsBase(RoleMixin, TestCase):
+class ViewTestBase(RoleMixin, TestCase):
     """Base class for view testing"""
 
     def setUp(self):
@@ -168,7 +193,7 @@ def setUp(self):
 # General view tests -----------------------------------------------------------
 
 
-class TestHomeView(ProjectMixin, RoleAssignmentMixin, TestViewsBase):
+class TestHomeView(ProjectMixin, RoleAssignmentMixin, ViewTestBase):
     """Tests for HomeView"""
 
     def setUp(self):
@@ -269,9 +294,9 @@ def test_get_context_sidebar_padding_min(self):
 class TestProjectSearchResultsView(
     ProjectMixin,
     RoleAssignmentMixin,
-    TestViewsBase,
-    ProjectEventMixin,
-    ProjectEventStatusMixin,
+    ViewTestBase,
+    TimelineEventMixin,
+    TimelineEventStatusMixin,
 ):
     """Tests for ProjectSearchResultsView"""
 
@@ -361,14 +386,14 @@ def test_get_finder(self):
 
     def test_post_advanced(self):
         """Test POST from ProjectAdvancedSearchView"""
-        new_project = self.make_project(
+        project_new = self.make_project(
             'AnotherProject',
             PROJECT_TYPE_PROJECT,
             self.category,
             description='xxx',
         )
         self.cat_owner_as = self.make_assignment(
-            new_project, self.user, self.role_owner
+            project_new, self.user, self.role_owner
         )
         with self.login(self.user):
             response = self.client.post(
@@ -385,14 +410,14 @@ def test_post_advanced(self):
 
     def test_post_advanced_short_input(self):
         """Test POST with short term (< 3 characters)"""
-        new_project = self.make_project(
+        project_new = self.make_project(
             'AnotherProject',
             PROJECT_TYPE_PROJECT,
             self.category,
             description='xxx',
         )
         self.cat_owner_as = self.make_assignment(
-            new_project, self.user, self.role_owner
+            project_new, self.user, self.role_owner
         )
         with self.login(self.user):
             response = self.client.post(
@@ -405,14 +430,14 @@ def test_post_advanced_short_input(self):
 
     def test_post_advanced_empty_input(self):
         """Test POST with empty term (should be ignored)"""
-        new_project = self.make_project(
+        project_new = self.make_project(
             'AnotherProject',
             PROJECT_TYPE_PROJECT,
             self.category,
             description='xxx',
         )
         self.cat_owner_as = self.make_assignment(
-            new_project, self.user, self.role_owner
+            project_new, self.user, self.role_owner
         )
         with self.login(self.user):
             response = self.client.post(
@@ -479,7 +504,7 @@ def test_get_omit_app(self):
 
 
 class TestProjectAdvancedSearchView(
-    ProjectMixin, RoleAssignmentMixin, TestViewsBase
+    ProjectMixin, RoleAssignmentMixin, ViewTestBase
 ):
     """Tests for ProjectAdvancedSearchView"""
 
@@ -497,7 +522,7 @@ def test_get_disabled(self):
             self.assertRedirects(response, reverse('home'))
 
 
-class TestProjectDetailView(ProjectMixin, RoleAssignmentMixin, TestViewsBase):
+class TestProjectDetailView(ProjectMixin, RoleAssignmentMixin, ViewTestBase):
     """Tests for ProjectDetailView"""
 
     def setUp(self):
@@ -533,12 +558,50 @@ def test_get_not_found(self):
         self.assertEqual(response.status_code, 404)
 
 
-class TestProjectCreateView(ProjectMixin, RoleAssignmentMixin, TestViewsBase):
+class TestProjectCreateView(
+    ProjectMixin, RoleAssignmentMixin, RemoteSiteMixin, ViewTestBase
+):
     """Tests for ProjectCreateView"""
 
+    @classmethod
+    def _get_post_data(cls, title, project_type, parent, owner):
+        """Return POST data for project creation"""
+        ret = {
+            'title': title,
+            'type': project_type,
+            'parent': parent.sodar_uuid if parent else '',
+            'owner': owner.sodar_uuid,
+            'description': 'description',
+            'public_guest_access': False,
+            REMOTE_SITE_FIELD: False,
+        }
+        # Add settings values
+        ret.update(
+            app_settings.get_defaults(APP_SETTING_SCOPE_PROJECT, post_safe=True)
+        )
+        return ret
+
     def setUp(self):
         super().setUp()
+        self.category = self.make_project(
+            'TestCategory', PROJECT_TYPE_CATEGORY, None
+        )
+        self.owner_as_cat = self.make_assignment(
+            self.category, self.user, self.role_owner
+        )
+        self.remote_site = self.make_site(
+            name=REMOTE_SITE_NAME,
+            url=REMOTE_SITE_URL,
+            mode=SITE_MODE_TARGET,
+            description='',
+            secret=REMOTE_SITE_SECRET,
+            user_display=True,
+            sodar_uuid=REMOTE_SITE_UUID,
+        )
         self.app_alert_model = get_backend_api('appalerts_backend').get_model()
+        self.url = reverse(
+            'projectroles:create', kwargs={'project': self.category.sodar_uuid}
+        )
 
     def test_get_top(self):
         """Test ProjectCreateView GET with top level category creation form"""
@@ -551,6 +614,7 @@ def test_get_top(self):
         self.assertIsInstance(form.fields['type'].widget, HiddenInput)
         self.assertIsInstance(form.fields['parent'].widget, HiddenInput)
         self.assertEqual(form.initial['owner'], self.user)
+        self.assertNotIn(REMOTE_SITE_FIELD, form.fields)
 
     @override_settings(PROJECTROLES_DISABLE_CATEGORIES=True)
     def test_get_top_disable_categories(self):
@@ -564,25 +628,30 @@ def test_get_top_disable_categories(self):
         self.assertIsInstance(form.fields['type'].widget, HiddenInput)
         self.assertIsInstance(form.fields['parent'].widget, HiddenInput)
         self.assertEqual(form.initial['owner'], self.user)
+        self.assertNotIn(REMOTE_SITE_FIELD, form.fields)
+
+    @override_settings(PROJECTROLES_SITE_MODE='TARGET')
+    def test_get_top_target(self):
+        """Test GET with top level category as target site"""
+        with self.login(self.user):
+            response = self.client.get(reverse('projectroles:create'))
+        self.assertEqual(response.status_code, 200)
+
+    @override_settings(PROJECTROLES_SITE_MODE='TARGET')
+    @override_settings(PROJECTROLES_TARGET_CREATE=False)
+    def test_get_top_target_disabled(self):
+        """Test GET with top level category and target creation disabled"""
+        with self.login(self.user):
+            response = self.client.get(reverse('projectroles:create'))
+        self.assertEqual(response.status_code, 302)
 
     def test_get_sub(self):
         """Test GET under category"""
-        category = self.make_project(
-            'TestCategory', PROJECT_TYPE_CATEGORY, None
-        )
-        self.make_assignment(category, self.user, self.role_owner)
         # Create another user to enable checking for owner selection
         self.make_user('user_new')
-
         with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'projectroles:create',
-                    kwargs={'project': category.sodar_uuid},
-                )
-            )
+            response = self.client.get(self.url)
         self.assertEqual(response.status_code, 200)
-
         form = response.context['form']
         self.assertIsNotNone(form)
         self.assertEqual(
@@ -601,27 +670,53 @@ def test_get_sub(self):
         )
         self.assertIsInstance(form.fields['parent'].widget, HiddenInput)
         self.assertEqual(form.initial['owner'], self.user)
+        self.assertIn(REMOTE_SITE_FIELD, form.fields)
+        self.assertEqual(form.fields[REMOTE_SITE_FIELD].initial, False)
+
+    @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
+    def test_get_sub_target_remote(self):
+        """Test GET under category as target with remote sites"""
+        self.remote_site.mode = SITE_MODE_SOURCE
+        self.remote_site.save()
+        # Create peer site
+        peer_site = self.make_site(
+            name='peer_site',
+            url='https://peer.site',
+            mode=SITE_MODE_PEER,
+        )
+        with self.login(self.user):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 200)
+        form = response.context['form']
+        self.assertNotIn(REMOTE_SITE_FIELD, form.fields)
+        self.assertNotIn(
+            'remote_site.{}'.format(peer_site.sodar_uuid), form.fields
+        )
+
+    @override_settings(PROJECTROLES_SITE_MODE='TARGET')
+    @override_settings(PROJECTROLES_TARGET_CREATE=False)
+    def test_get_sub_target_disabled(self):
+        """Test GET under category with target creation disabled"""
+        with self.login(self.user):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(
+            list(get_messages(response.wsgi_request))[0].message,
+            TARGET_CREATE_DISABLED_MSG,
+        )
 
     def test_get_cat_member(self):
         """Test GET under category as category non-owner"""
-        category = self.make_project(
-            'TestCategory', PROJECT_TYPE_CATEGORY, None
-        )
-        self.make_assignment(category, self.user, self.role_owner)
-        new_user = self.make_user('user_new')
-        self.make_assignment(category, new_user, self.role_contributor)
+        user_new = self.make_user('user_new')
+        self.make_assignment(self.category, user_new, self.role_contributor)
 
-        with self.login(new_user):
-            response = self.client.get(
-                reverse(
-                    'projectroles:create',
-                    kwargs={'project': category.sodar_uuid},
-                )
-            )
+        with self.login(user_new):
+            response = self.client.get(self.url)
         self.assertEqual(response.status_code, 200)
         form = response.context['form']
         # Current user should be the initial value for owner
-        self.assertEqual(form.initial['owner'], new_user)
+        self.assertEqual(form.initial['owner'], user_new)
+        self.assertIn(REMOTE_SITE_FIELD, form.fields)
 
     def test_get_project(self):
         """Test GET under project (should fail)"""
@@ -650,133 +745,104 @@ def test_get_not_found(self):
 
     def test_get_parent_owner(self):
         """Test GET with parent owner as initial value"""
-        category = self.make_project(
-            'TestCategory', PROJECT_TYPE_CATEGORY, None
-        )
         user_new = self.make_user('user_new')
-        self.make_assignment(category, user_new, self.role_owner)
+        # self.make_assignment(category, user_new, self.role_owner)
+        self.owner_as_cat.user = user_new
+        self.owner_as_cat.save()
         with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'projectroles:create',
-                    kwargs={'project': category.sodar_uuid},
-                )
-            )
+            response = self.client.get(self.url)
         self.assertEqual(response.status_code, 200)
         form = response.context['form']
         self.assertEqual(form.initial['owner'], user_new)
 
     def test_post_top_level_category(self):
         """Test POST for top level category"""
-        self.assertEqual(Project.objects.all().count(), 0)
-        values = {
-            'title': 'TestCategory',
-            'type': PROJECT_TYPE_CATEGORY,
-            'parent': '',
-            'owner': self.user.sodar_uuid,
-            'description': 'description',
-            'public_guest_access': False,
-        }
-        # Add settings values
-        values.update(
-            app_settings.get_defaults(APP_SETTING_SCOPE_PROJECT, post_safe=True)
+        self.assertEqual(Project.objects.count(), 1)
+        self.assertEqual(RemoteProject.objects.count(), 0)
+        data = self._get_post_data(
+            title='NewTestCategory',
+            project_type=PROJECT_TYPE_CATEGORY,
+            parent=None,
+            owner=self.user,
         )
         with self.login(self.user):
-            response = self.client.post(reverse('projectroles:create'), values)
+            response = self.client.post(reverse('projectroles:create'), data)
 
         self.assertEqual(response.status_code, 302)
-        self.assertEqual(Project.objects.all().count(), 1)
-        project = Project.objects.first()
-        self.assertIsNotNone(project)
-        # Same user so no alerts or emails
-        self.assertEqual(self.app_alert_model.objects.count(), 0)
-        self.assertEqual(len(mail.outbox), 0)
+        self.assertEqual(Project.objects.count(), 2)
+        category = Project.objects.filter(title='NewTestCategory').first()
+        self.assertIsNotNone(category)
 
         expected = {
-            'id': project.pk,
-            'title': 'TestCategory',
+            'id': category.pk,
+            'title': 'NewTestCategory',
             'type': PROJECT_TYPE_CATEGORY,
             'parent': None,
             'description': 'description',
             'public_guest_access': False,
             'archive': False,
-            'full_title': 'TestCategory',
+            'full_title': 'NewTestCategory',
             'has_public_children': False,
-            'sodar_uuid': project.sodar_uuid,
+            'sodar_uuid': category.sodar_uuid,
         }
-        model_dict = model_to_dict(project)
+        model_dict = model_to_dict(category)
         model_dict.pop('readme', None)
         self.assertEqual(model_dict, expected)
 
-        # Assert settings comparison
-        settings = AppSetting.objects.filter(project=project)
+        # Assert remote projects
+        self.assertEqual(RemoteProject.objects.count(), 0)
+        # Assert settings
+        settings = AppSetting.objects.filter(project=category)
         self.assertEqual(settings.count(), 1)
         setting = settings.first()
-        self.assertEqual(setting.name, 'project_category_bool_setting')
+        self.assertEqual(setting.name, 'category_bool_setting')
 
         # Assert owner role assignment
         owner_as = RoleAssignment.objects.get(
-            project=project, role=self.role_owner
+            project=category, role=self.role_owner
         )
         expected = {
             'id': owner_as.pk,
-            'project': project.pk,
+            'project': category.pk,
             'role': self.role_owner.pk,
             'user': self.user.pk,
             'sodar_uuid': owner_as.sodar_uuid,
         }
         self.assertEqual(model_to_dict(owner_as), expected)
+
         # Assert redirect
         with self.login(self.user):
             self.assertRedirects(
                 response,
                 reverse(
                     'projectroles:detail',
-                    kwargs={'project': project.sodar_uuid},
+                    kwargs={'project': category.sodar_uuid},
                 ),
             )
+        # Same user so no alerts or emails
+        self.assertEqual(self.app_alert_model.objects.count(), 0)
+        self.assertEqual(len(mail.outbox), 0)
 
     def test_post_project(self):
         """Test POST for project creation"""
-        category = self.make_project(
-            'TestCategory', PROJECT_TYPE_CATEGORY, None
-        )
-        self.make_assignment(category, self.user, self.role_owner)
-
-        # Create project
-        values = {
-            'title': 'TestProject',
-            'type': PROJECT_TYPE_PROJECT,
-            'parent': category.sodar_uuid,
-            'owner': self.user.sodar_uuid,
-            'description': 'description',
-            'public_guest_access': False,
-        }
-        # Add settings values
-        values.update(
-            app_settings.get_defaults(APP_SETTING_SCOPE_PROJECT, post_safe=True)
+        data = self._get_post_data(
+            title='TestProject',
+            project_type=PROJECT_TYPE_PROJECT,
+            parent=self.category,
+            owner=self.user,
         )
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'projectroles:create',
-                    kwargs={'project': category.sodar_uuid},
-                ),
-                values,
-            )
+            response = self.client.post(self.url, data)
 
         self.assertEqual(response.status_code, 302)
-        self.assertEqual(Project.objects.all().count(), 2)
+        self.assertEqual(Project.objects.count(), 2)
         project = Project.objects.get(type=PROJECT_TYPE_PROJECT)
-        # No alerts or emails should be sent as the same user triggered this
-        self.assertEqual(self.app_alert_model.objects.count(), 0)
-        self.assertEqual(len(mail.outbox), 0)
 
         expected = {
             'id': project.pk,
             'title': 'TestProject',
             'type': PROJECT_TYPE_PROJECT,
-            'parent': category.pk,
+            'parent': self.category.pk,
             'description': 'description',
             'public_guest_access': False,
             'archive': False,
@@ -788,7 +854,7 @@ def test_post_project(self):
         model_dict.pop('readme', None)
         self.assertEqual(model_dict, expected)
 
-        # Assert settings comparison
+        self.assertEqual(RemoteProject.objects.count(), 0)
         project_settings = [
             'project_bool_setting',
             'project_callable_setting',
@@ -810,7 +876,6 @@ def test_post_project(self):
         for setting in settings:
             self.assertIn(setting.name, project_settings)
 
-        # Assert owner role assignment
         owner_as = RoleAssignment.objects.get(
             project=project, role=self.role_owner
         )
@@ -822,77 +887,184 @@ def test_post_project(self):
             'sodar_uuid': owner_as.sodar_uuid,
         }
         self.assertEqual(model_to_dict(owner_as), expected)
+        self.assertEqual(self.app_alert_model.objects.count(), 0)
+        self.assertEqual(len(mail.outbox), 0)
 
-    def test_post_project_cat_member(self):
-        """Test POST for project as category member"""
-        # Create category and add new user as member
-        category = self.make_project(
-            title='TestCategory', type=PROJECT_TYPE_CATEGORY, parent=None
+    def test_post_project_different_owner(self):
+        """Test POST for project with different owner"""
+        user_new = self.make_user('user_new')
+        self.make_assignment(self.category, user_new, self.role_contributor)
+        data = self._get_post_data(
+            title='TestProject',
+            project_type=PROJECT_TYPE_PROJECT,
+            parent=self.category,
+            owner=user_new,
+        )
+        with self.login(self.user):  # Post as category owner
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(Project.objects.all().count(), 2)
+        project = Project.objects.get(type=PROJECT_TYPE_PROJECT)
+        self.assertEqual(project.get_owner().user, user_new)
+        # Alert and email for new user should be created
+        self.assertEqual(self.app_alert_model.objects.count(), 1)
+        self.assertEqual(self.app_alert_model.objects.first().user, user_new)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertIn(
+            SUBJECT_ROLE_CREATE.format(
+                project_label='project', project=project.title
+            ),
+            mail.outbox[0].subject,
         )
-        self.make_assignment(category, self.user, self.role_owner)
-        new_user = self.make_user('user_new')
-        self.make_assignment(category, new_user, self.role_contributor)
 
-        values = {
-            'title': 'TestProject',
-            'type': PROJECT_TYPE_PROJECT,
-            'parent': category.sodar_uuid,
-            'owner': new_user.sodar_uuid,
-            'description': 'description',
-            'public_guest_access': False,
-        }
-        values.update(
-            app_settings.get_defaults(APP_SETTING_SCOPE_PROJECT, post_safe=True)
-        )
-        with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'projectroles:create',
-                    kwargs={'project': category.sodar_uuid},
-                ),
-                values,
-            )
+    def test_post_project_different_owner_disable_email(self):
+        """Test POST for project with different owner and disabled email"""
+        user_new = self.make_user('user_new')
+        self.make_assignment(self.category, user_new, self.role_contributor)
+        app_settings.set(APP_NAME, 'notify_email_role', False, user=user_new)
+        data = self._get_post_data(
+            title='TestProject',
+            project_type=PROJECT_TYPE_PROJECT,
+            parent=self.category,
+            owner=user_new,
+        )
+        with self.login(self.user):  # Post as category owner
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(Project.objects.all().count(), 2)
+        project = Project.objects.get(type=PROJECT_TYPE_PROJECT)
+        self.assertEqual(project.get_owner().user, user_new)
+        # Alert should be created but no mail should be sent
+        self.assertEqual(self.app_alert_model.objects.count(), 1)
+        self.assertEqual(self.app_alert_model.objects.first().user, user_new)
+        self.assertEqual(len(mail.outbox), 0)
 
+    def test_post_project_cat_member(self):
+        """Test POST for project as category member"""
+        user_new = self.make_user('user_new')
+        self.make_assignment(self.category, user_new, self.role_contributor)
+        data = self._get_post_data(
+            title='TestProject',
+            project_type=PROJECT_TYPE_PROJECT,
+            parent=self.category,
+            owner=user_new,
+        )
+        with self.login(user_new):
+            response = self.client.post(self.url, data)
         self.assertEqual(response.status_code, 302)
         self.assertEqual(Project.objects.all().count(), 2)
         project = Project.objects.get(type=PROJECT_TYPE_PROJECT)
-        self.assertEqual(project.get_owner().user, new_user)
+        self.assertEqual(project.get_owner().user, user_new)
         # Alert and email for parent owner should be created
         self.assertEqual(self.app_alert_model.objects.count(), 1)
+        self.assertEqual(self.app_alert_model.objects.first().user, self.user)
         self.assertEqual(len(mail.outbox), 1)
+        self.assertIn(
+            SUBJECT_PROJECT_CREATE.format(
+                project_type='Project',
+                project=project.title,
+                user=user_new.username,
+            ),
+            mail.outbox[0].subject,
+        )
 
-    def test_post_project_title_delimiter(self):
-        """Test POST for project with category delimiter in title (should fail)"""
-        category = self.make_project(
-            'TestCategory', PROJECT_TYPE_CATEGORY, None
+    def test_post_project_cat_member_disable_email(self):
+        """Test POST for project as category member with disabled email"""
+        user_new = self.make_user('user_new')
+        self.make_assignment(self.category, user_new, self.role_contributor)
+        app_settings.set(
+            APP_NAME, 'notify_email_project', False, user=self.user
         )
-        self.make_assignment(category, self.user, self.role_owner)
+        data = self._get_post_data(
+            title='TestProject',
+            project_type=PROJECT_TYPE_PROJECT,
+            parent=self.category,
+            owner=user_new,
+        )
+        with self.login(user_new):
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        project = Project.objects.get(type=PROJECT_TYPE_PROJECT)
+        self.assertEqual(project.get_owner().user, user_new)
+        self.assertEqual(self.app_alert_model.objects.count(), 1)
+        self.assertEqual(self.app_alert_model.objects.first().user, self.user)
+        self.assertEqual(len(mail.outbox), 0)
+
+    def test_post_project_title_delimiter(self):
+        """Test POST with category delimiter in title (should fail)"""
         self.assertEqual(Project.objects.all().count(), 1)
-        values = {
-            'title': 'Test{}Project'.format(CAT_DELIMITER),
-            'type': PROJECT_TYPE_PROJECT,
-            'parent': category.sodar_uuid,
-            'owner': self.user.sodar_uuid,
-            'description': 'description',
-            'public_guest_access': False,
-        }
-        values.update(
-            app_settings.get_defaults(APP_SETTING_SCOPE_PROJECT, post_safe=True)
+        data = self._get_post_data(
+            title='Test{}Project'.format(CAT_DELIMITER),
+            project_type=PROJECT_TYPE_PROJECT,
+            parent=self.category,
+            owner=self.user,
         )
         with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'projectroles:create',
-                    kwargs={'project': category.sodar_uuid},
-                ),
-                values,
-            )
+            response = self.client.post(self.url, data)
         self.assertEqual(response.status_code, 200)
         self.assertEqual(Project.objects.all().count(), 1)
 
+    def test_post_remote(self):
+        """Test POST with added remote project"""
+        self.assertEqual(RemoteProject.objects.count(), 0)
+        data = self._get_post_data(
+            title='TestProject',
+            project_type=PROJECT_TYPE_PROJECT,
+            parent=self.category,
+            owner=self.user,
+        )
+        data[REMOTE_SITE_FIELD] = True
+        with self.login(self.user):
+            response = self.client.post(self.url, data)
+
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(Project.objects.count(), 2)
+        project = Project.objects.get(type=PROJECT_TYPE_PROJECT)
+        self.assertEqual(RemoteProject.objects.count(), 1)
+        rp = RemoteProject.objects.first()
+        self.assertEqual(rp.project_uuid, project.sodar_uuid)
+        self.assertEqual(rp.project, project)
+        self.assertEqual(rp.site, self.remote_site)
+        self.assertEqual(rp.level, REMOTE_LEVEL_READ_ROLES)
+
+    @override_settings(PROJECTROLES_SITE_MODE='TARGET')
+    def test_post_project_target(self):
+        """Test POST with project as target site"""
+        self.assertEqual(Project.objects.count(), 1)
+        data = self._get_post_data(
+            title='TestProject',
+            project_type=PROJECT_TYPE_PROJECT,
+            parent=self.category,
+            owner=self.user,
+        )
+        with self.login(self.user):
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(Project.objects.count(), 2)
+
+    @override_settings(PROJECTROLES_SITE_MODE='TARGET')
+    @override_settings(PROJECTROLES_TARGET_CREATE=False)
+    def test_post_project_target_disabled(self):
+        """Test POST with project as target with target creation disabled"""
+        self.assertEqual(Project.objects.count(), 1)
+        data = self._get_post_data(
+            title='TestProject',
+            project_type=PROJECT_TYPE_PROJECT,
+            parent=self.category,
+            owner=self.user,
+        )
+        with self.login(self.user):
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(
+            list(get_messages(response.wsgi_request))[0].message,
+            TARGET_CREATE_DISABLED_MSG,
+        )
+        self.assertEqual(Project.objects.count(), 1)
+
 
 class TestProjectUpdateView(
-    ProjectMixin, RoleAssignmentMixin, RemoteTargetMixin, TestViewsBase
+    ProjectMixin, RoleAssignmentMixin, RemoteTargetMixin, ViewTestBase
 ):
     """Tests for ProjectUpdateView"""
 
@@ -910,12 +1082,12 @@ def _get_post_app_settings(cls, project, user):
         ps['settings.example_project_app.project_str_setting'] = 'test'
         ps['settings.example_project_app.project_bool_setting'] = True
         ps['settings.example_project_app.project_json_setting'] = '{}'
-        ps[
-            'settings.example_project_app.project_callable_setting'
-        ] = 'No project or user for callable'
-        ps[
-            'settings.example_project_app.project_callable_setting_options'
-        ] = str(project.sodar_uuid)
+        ps['settings.example_project_app.project_callable_setting'] = (
+            'No project or user for callable'
+        )
+        ps['settings.example_project_app.project_callable_setting_options'] = (
+            str(project.sodar_uuid)
+        )
         ps['settings.projectroles.ip_restrict'] = True
         ps['settings.projectroles.ip_allowlist'] = '["192.168.1.1"]'
         return ps
@@ -953,6 +1125,15 @@ def setUp(self):
         self.owner_as = self.make_assignment(
             self.project, self.user, self.role_owner
         )
+        self.remote_site = self.make_site(
+            name=REMOTE_SITE_NAME,
+            url=REMOTE_SITE_URL,
+            mode=SITE_MODE_TARGET,
+            description='',
+            secret=REMOTE_SITE_SECRET,
+            user_display=True,
+            sodar_uuid=REMOTE_SITE_UUID,
+        )
         self.app_alert_model = get_backend_api('appalerts_backend').get_model()
         self.url = reverse(
             'projectroles:update',
@@ -962,6 +1143,7 @@ def setUp(self):
             'projectroles:update',
             kwargs={'project': self.category.sodar_uuid},
         )
+        self.timeline = get_backend_api('timeline_backend')
 
     def test_get_project(self):
         """Test GET with project"""
@@ -973,6 +1155,70 @@ def test_get_project(self):
         self.assertIsInstance(form.fields['type'].widget, HiddenInput)
         self.assertNotIsInstance(form.fields['parent'].widget, HiddenInput)
         self.assertIsInstance(form.fields['owner'].widget, HiddenInput)
+        self.assertEqual(form.fields[REMOTE_SITE_FIELD].initial, None)
+
+    def test_get_remote_site_user_display_disabled(self):
+        """Test GET with user_display disabled on remote site"""
+        self.remote_site.user_display = False
+        self.remote_site.save()
+        with self.login(self.user):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 200)
+        form = response.context['form']
+        self.assertNotIn(REMOTE_SITE_FIELD, form.fields)
+
+    def test_get_remote_site_owner_modifiable_disabled(self):
+        """Test GET with owner_modifiable disabled on remote site"""
+        self.remote_site.owner_modifiable = False
+        self.remote_site.save()
+        with self.login(self.user):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 200)
+        form = response.context['form']
+        self.assertNotIn(REMOTE_SITE_FIELD, form.fields)
+
+    def test_get_remote_project(self):
+        """Test GET with remote target project and READ_ROLES perm"""
+        self.make_remote_project(
+            project_uuid=self.project.sodar_uuid,
+            site=self.remote_site,
+            level=REMOTE_LEVEL_READ_ROLES,
+            project=self.project,
+        )
+        with self.login(self.user):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 200)
+        form = response.context['form']
+        self.assertEqual(form.fields[REMOTE_SITE_FIELD].initial, True)
+
+    def test_get_remote_projcet_revoked(self):
+        """Test GET with remote target project and REVOKED perm"""
+        self.make_remote_project(
+            project_uuid=self.project.sodar_uuid,
+            site=self.remote_site,
+            level=REMOTE_LEVEL_REVOKED,
+            project=self.project,
+        )
+        with self.login(self.user):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 200)
+        form = response.context['form']
+        self.assertEqual(form.fields[REMOTE_SITE_FIELD].initial, False)
+
+    def test_get_remote_project_read_info(self):
+        """Test GET with remote target project and READ_INFO perm"""
+        self.make_remote_project(
+            project_uuid=self.project.sodar_uuid,
+            site=self.remote_site,
+            level=REMOTE_LEVEL_READ_INFO,
+            project=self.project,
+        )
+        with self.login(self.user):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 200)
+        form = response.context['form']
+        # NOTE: READ_INFO and VIEW_AVAIL are not currently supported
+        self.assertEqual(form.fields[REMOTE_SITE_FIELD].initial, False)
 
     def test_get_no_parent_role(self):
         """Test GET for current parent selectability without parent role"""
@@ -985,49 +1231,117 @@ def test_get_no_parent_role(self):
             'TestCategory2', PROJECT_TYPE_CATEGORY, None
         )
         self.make_assignment(category2, user_new, self.role_owner)
-
         with self.login(user_new):
             response = self.client.get(self.url)
         self.assertEqual(response.status_code, 200)
         form = response.context['form']
-        self.assertIsNotNone(form)
         # Ensure self.category (with no user_new rights) is initial
         self.assertEqual(form.initial['parent'], self.category.sodar_uuid)
         self.assertEqual(len(form.fields['parent'].choices), 2)
 
+    def test_get_category(self):
+        """Test GET with category"""
+        with self.login(self.user):
+            response = self.client.get(self.url_cat)
+        self.assertEqual(response.status_code, 200)
+        form = response.context['form']
+        self.assertIsInstance(form.fields['type'].widget, HiddenInput)
+        self.assertNotIsInstance(form.fields['parent'].widget, HiddenInput)
+        self.assertIsInstance(form.fields['owner'].widget, HiddenInput)
+        self.assertNotIn(REMOTE_SITE_FIELD, form.fields)
+
+    @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
+    def test_get_remote_as_target(self):
+        """Test GET with remote project as target"""
+        self.set_up_as_target(projects=[self.category, self.project])
+        with self.login(self.user):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 200)
+        form = response.context['form']
+        self.assertIsInstance(form.fields['title'].widget, HiddenInput)
+        self.assertIsInstance(form.fields['type'].widget, HiddenInput)
+        self.assertIsInstance(form.fields['parent'].widget, HiddenInput)
+        self.assertIsInstance(form.fields['description'].widget, HiddenInput)
+        self.assertIsInstance(form.fields['readme'].widget, HiddenInput)
+        self.assertNotIn(REMOTE_SITE_FIELD, form.fields)
+        self.assertNotIsInstance(
+            form.fields[
+                'settings.example_project_app.project_str_setting'
+            ].widget,
+            HiddenInput,
+        )
+        self.assertNotIsInstance(
+            form.fields[
+                'settings.example_project_app.project_int_setting'
+            ].widget,
+            HiddenInput,
+        )
+        self.assertNotIsInstance(
+            form.fields[
+                'settings.example_project_app.project_bool_setting'
+            ].widget,
+            HiddenInput,
+        )
+        self.assertNotIsInstance(
+            form.fields[
+                'settings.example_project_app.project_callable_setting'
+            ].widget,
+            HiddenInput,
+        )
+        self.assertNotIsInstance(
+            form.fields[
+                'settings.example_project_app.project_callable_setting_options'
+            ].widget,
+            HiddenInput,
+        )
+        self.assertTrue(
+            form.fields['settings.projectroles.ip_restrict'].disabled
+        )
+        self.assertTrue(
+            form.fields['settings.projectroles.ip_allowlist'].disabled
+        )
+
+    def test_get_not_found(self):
+        """Test GET with invalid project UUID"""
+        with self.login(self.user):
+            response = self.client.get(
+                reverse(
+                    'projectroles:update',
+                    kwargs={'project': INVALID_UUID},
+                )
+            )
+        self.assertEqual(response.status_code, 404)
+
     def test_post_project_superuser(self):
         """Test POST for project as superuser"""
-        timeline = get_backend_api('timeline_backend')
-        new_category = self.make_project('NewCat', PROJECT_TYPE_CATEGORY, None)
-        self.make_assignment(new_category, self.user, self.role_owner)
+        category_new = self.make_project('NewCat', PROJECT_TYPE_CATEGORY, None)
+        self.make_assignment(category_new, self.user, self.role_owner)
         self.assertEqual(Project.objects.all().count(), 3)
-
-        values = model_to_dict(self.project)
-        values['title'] = 'updated title'
-        values['description'] = 'updated description'
-        values['parent'] = new_category.sodar_uuid  # NOTE: Updated parent
-        values['owner'] = self.user.sodar_uuid  # NOTE: Must add owner
+        self.assertEqual(RemoteProject.objects.count(), 0)
+
+        data = model_to_dict(self.project)
+        data['title'] = 'updated title'
+        data['description'] = 'updated description'
+        data['parent'] = category_new.sodar_uuid  # NOTE: Updated parent
+        data['owner'] = self.user.sodar_uuid  # NOTE: Must add owner
+        data[REMOTE_SITE_FIELD] = False
         # Add settings values
         ps = self._get_post_app_settings(self.project, self.user)
-        values.update(ps)
+        data.update(ps)
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
 
         self.assertEqual(Project.objects.all().count(), 3)
         self.project.refresh_from_db()
-        # No alert or mail, because the owner has not changed
-        self.assertEqual(self.app_alert_model.objects.count(), 0)
-        self.assertEqual(len(mail.outbox), 0)
-
         expected = {
             'id': self.project.pk,
             'title': 'updated title',
             'type': PROJECT_TYPE_PROJECT,
-            'parent': new_category.pk,
+            'parent': category_new.pk,
             'description': 'updated description',
             'public_guest_access': False,
             'archive': False,
-            'full_title': new_category.title + CAT_DELIMITER + 'updated title',
+            'full_title': category_new.title + CAT_DELIMITER + 'updated title',
             'has_public_children': False,
             'sodar_uuid': self.project.sodar_uuid,
         }
@@ -1035,6 +1349,8 @@ def test_post_project_superuser(self):
         model_dict.pop('readme', None)
         self.assertEqual(model_dict, expected)
 
+        # Assert remote projects
+        self.assertEqual(RemoteProject.objects.count(), 0)
         # Assert settings
         self._assert_app_settings(ps)
         # Assert hidden settings
@@ -1062,12 +1378,19 @@ def test_post_project_superuser(self):
             )
         # Assert timeline event
         tl_event = (
-            timeline.get_project_events(self.project).order_by('-pk').first()
+            self.timeline.get_project_events(self.project)
+            .order_by('-pk')
+            .first()
         )
         self.assertEqual(tl_event.event_name, 'project_update')
         self.assertIn('title', tl_event.extra_data)
         self.assertIn('description', tl_event.extra_data)
         self.assertIn('parent', tl_event.extra_data)
+        self.assertNotIn('remote_sites', tl_event.description)
+        self.assertNotIn('remote_sites', tl_event.extra_data)
+        # No alert or mail, because the owner has not changed
+        self.assertEqual(self.app_alert_model.objects.count(), 0)
+        self.assertEqual(len(mail.outbox), 0)
 
     def test_post_project_regular_user(self):
         """Test POST as regular user"""
@@ -1089,19 +1412,21 @@ def test_post_project_regular_user(self):
             project=self.project,
         )
         # Make new category
-        new_category = self.make_project('NewCat', PROJECT_TYPE_CATEGORY, None)
-        self.make_assignment(new_category, user_new, self.role_owner)
+        category_new = self.make_project('NewCat', PROJECT_TYPE_CATEGORY, None)
+        self.make_assignment(category_new, user_new, self.role_owner)
         self.assertEqual(Project.objects.all().count(), 3)
-
-        values = model_to_dict(self.project)
-        values['title'] = 'updated title'
-        values['description'] = 'updated description'
-        values['parent'] = new_category.sodar_uuid
-        values['owner'] = user_new.sodar_uuid
+        self.assertEqual(RemoteProject.objects.count(), 0)
+
+        data = model_to_dict(self.project)
+        data['title'] = 'updated title'
+        data['description'] = 'updated description'
+        data['parent'] = category_new.sodar_uuid
+        data['owner'] = user_new.sodar_uuid
+        data[REMOTE_SITE_FIELD] = False
         ps = self._get_post_app_settings(self.project, user_new)
-        values.update(ps)
+        data.update(ps)
         with self.login(user_new):
-            self.client.post(self.url, values)
+            self.client.post(self.url, data)
 
         self.assertEqual(Project.objects.all().count(), 3)
         self.project.refresh_from_db()
@@ -1109,11 +1434,11 @@ def test_post_project_regular_user(self):
             'id': self.project.pk,
             'title': 'updated title',
             'type': PROJECT_TYPE_PROJECT,
-            'parent': new_category.pk,
+            'parent': category_new.pk,
             'description': 'updated description',
             'public_guest_access': False,
             'archive': False,
-            'full_title': new_category.title + CAT_DELIMITER + 'updated title',
+            'full_title': category_new.title + CAT_DELIMITER + 'updated title',
             'has_public_children': False,
             'sodar_uuid': self.project.sodar_uuid,
         }
@@ -1121,6 +1446,7 @@ def test_post_project_regular_user(self):
         model_dict.pop('readme', None)
         self.assertEqual(model_dict, expected)
 
+        self.assertEqual(RemoteProject.objects.count(), 0)
         self._assert_app_settings(ps)
         # Hidden settings should remain as they were not changed
         hidden_val = app_settings.get(
@@ -1135,41 +1461,37 @@ def test_post_project_regular_user(self):
             project=self.project,
         )
         self.assertEqual(hidden_json, UPDATED_HIDDEN_JSON_SETTING)
+        self.assertEqual(self.app_alert_model.objects.count(), 0)
+        self.assertEqual(len(mail.outbox), 0)
 
     def test_post_project_title_delimiter(self):
         """Test POST with category delimiter in title (should fail)"""
-        # TODO: Add values getter as a helper
-        values = model_to_dict(self.project)
-        values['parent'] = self.category.sodar_uuid
-        values['owner'] = self.user.sodar_uuid
-        values['title'] = 'Project{}Title'.format(CAT_DELIMITER)
-        # Add settings values
-        values.update(
-            app_settings.get_all(project=self.project, post_safe=True)
-        )
+        data = model_to_dict(self.project)
+        data['parent'] = self.category.sodar_uuid
+        data['owner'] = self.user.sodar_uuid
+        data['title'] = 'Project{}Title'.format(CAT_DELIMITER)
+        data.update(app_settings.get_all(project=self.project, post_safe=True))
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
         self.assertEqual(response.status_code, 200)
         self.project.refresh_from_db()
         self.assertEqual(self.project.title, 'TestProject')
 
     def test_post_project_custom_validation(self):
         """Test POST with custom validation and invalid value (should fail)"""
-        values = model_to_dict(self.project)
-        values['parent'] = self.category.sodar_uuid
-        values['owner'] = self.user.sodar_uuid
-        values.update(
-            app_settings.get_all(project=self.project, post_safe=True)
+        data = model_to_dict(self.project)
+        data['parent'] = self.category.sodar_uuid
+        data['owner'] = self.user.sodar_uuid
+        data.update(app_settings.get_all(project=self.project, post_safe=True))
+        data['settings.example_project_app.project_str_setting'] = (
+            INVALID_SETTING_VALUE
         )
-        values[
-            'settings.example_project_app.project_str_setting'
-        ] = INVALID_SETTING_VALUE
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
         self.assertEqual(response.status_code, 200)
         self.assertEqual(
             list(get_messages(response.wsgi_request))[0].message,
-            MSG_FORM_INVALID,
+            FORM_INVALID_MSG,
         )
         self.assertEqual(
             app_settings.get(
@@ -1183,15 +1505,13 @@ def test_post_project_public_access(self):
         self.assertEqual(self.project.public_guest_access, False)
         self.assertEqual(self.category.has_public_children, False)
 
-        values = model_to_dict(self.project)
-        values['public_guest_access'] = True
-        values['parent'] = self.category.sodar_uuid  # NOTE: Must add parent
-        values['owner'] = self.user.sodar_uuid  # NOTE: Must add owner
-        values.update(
-            app_settings.get_all(project=self.project, post_safe=True)
-        )
+        data = model_to_dict(self.project)
+        data['public_guest_access'] = True
+        data['parent'] = self.category.sodar_uuid  # NOTE: Must add parent
+        data['owner'] = self.user.sodar_uuid  # NOTE: Must add owner
+        data.update(app_settings.get_all(project=self.project, post_safe=True))
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
 
         self.assertEqual(response.status_code, 302)
         self.project.refresh_from_db()
@@ -1200,39 +1520,22 @@ def test_post_project_public_access(self):
         # Assert the parent category has_public_children is set true
         self.assertEqual(self.category.has_public_children, True)
 
-    def test_get_category(self):
-        """Test GET with category"""
-        with self.login(self.user):
-            response = self.client.get(self.url_cat)
-        self.assertEqual(response.status_code, 200)
-        form = response.context['form']
-        self.assertIsNotNone(form)
-        self.assertIsInstance(form.fields['type'].widget, HiddenInput)
-        self.assertNotIsInstance(form.fields['parent'].widget, HiddenInput)
-        self.assertIsInstance(form.fields['owner'].widget, HiddenInput)
-
     def test_post_category(self):
         """Test POST with category"""
         self.assertEqual(Project.objects.all().count(), 2)
-        values = model_to_dict(self.category)
-        values['title'] = 'updated title'
-        values['description'] = 'updated description'
-        values['owner'] = self.user.sodar_uuid  # NOTE: Must add owner
-        values['parent'] = ''
-        # Add settings values
-        values.update(
-            app_settings.get_all(project=self.category, post_safe=True)
-        )
-        with self.login(self.user):
-            response = self.client.post(self.url_cat, values)
+        data = model_to_dict(self.category)
+        data['title'] = 'updated title'
+        data['description'] = 'updated description'
+        data['owner'] = self.user.sodar_uuid  # NOTE: Must add owner
+        data['parent'] = ''
+        data.update(app_settings.get_all(project=self.category, post_safe=True))
+        with self.login(self.user):
+            response = self.client.post(self.url_cat, data)
         self.assertEqual(response.status_code, 302)
 
         self.assertEqual(Project.objects.all().count(), 2)
         self.category.refresh_from_db()
         self.assertIsNotNone(self.category)
-        # Ensure no alert or email (owner not updated)
-        self.assertEqual(self.app_alert_model.objects.count(), 0)
-        self.assertEqual(len(mail.outbox), 0)
 
         expected = {
             'id': self.category.pk,
@@ -1254,7 +1557,7 @@ def test_post_category(self):
         settings = AppSetting.objects.filter(project=self.category)
         self.assertEqual(settings.count(), 1)
         setting = settings.first()
-        self.assertEqual(setting.name, 'project_category_bool_setting')
+        self.assertEqual(setting.name, 'category_bool_setting')
         # Assert redirect
         with self.login(self.user):
             self.assertRedirects(
@@ -1264,156 +1567,244 @@ def test_post_category(self):
                     kwargs={'project': self.category.sodar_uuid},
                 ),
             )
+        # Assert no alert or email (owner not updated)
+        self.assertEqual(self.app_alert_model.objects.count(), 0)
+        self.assertEqual(len(mail.outbox), 0)
 
     def test_post_category_parent(self):
         """Test POST with updated category parent"""
-        new_category = self.make_project(
+        category_new = self.make_project(
             'NewCategory', PROJECT_TYPE_CATEGORY, None
         )
-        self.make_assignment(new_category, self.user, self.role_owner)
+        self.make_assignment(category_new, self.user, self.role_owner)
         self.assertEqual(
             self.category.full_title,
             self.category.title,
         )
         self.assertEqual(
             self.project.full_title,
-            self.category.title + ' / ' + self.project.title,
+            self.category.title + CAT_DELIMITER + self.project.title,
         )
 
-        values = model_to_dict(self.category)
-        values['title'] = self.category.title
-        values['description'] = self.category.description
-        values['owner'] = self.user.sodar_uuid  # NOTE: Must add owner
-        values['parent'] = new_category.sodar_uuid  # Updated category
-        # Add settings values
-        values.update(
-            app_settings.get_all(project=self.category, post_safe=True)
-        )
+        data = model_to_dict(self.category)
+        data['title'] = self.category.title
+        data['description'] = self.category.description
+        data['owner'] = self.user.sodar_uuid  # NOTE: Must add owner
+        data['parent'] = category_new.sodar_uuid  # Updated category
+        data.update(app_settings.get_all(project=self.category, post_safe=True))
         with self.login(self.user):
-            response = self.client.post(self.url_cat, values)
+            response = self.client.post(self.url_cat, data)
 
         self.assertEqual(response.status_code, 302)
         # Assert category state and project title after update
         self.category.refresh_from_db()
         self.project.refresh_from_db()
-        self.assertEqual(self.category.parent, new_category)
+        self.assertEqual(self.category.parent, category_new)
         self.assertEqual(
             self.category.full_title,
-            new_category.title + ' / ' + self.category.title,
+            category_new.title + CAT_DELIMITER + self.category.title,
         )
         self.assertEqual(
             self.project.full_title,
-            new_category.title
-            + ' / '
+            category_new.title
+            + CAT_DELIMITER
             + self.category.title
-            + ' / '
+            + CAT_DELIMITER
             + self.project.title,
         )
+        # Assert no alert or email (same parent owner)
+        self.assertEqual(self.app_alert_model.objects.count(), 0)
+        self.assertEqual(len(mail.outbox), 0)
 
-    @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
-    def test_get_remote(self):
-        """Test GET with remote project as target"""
-        self.set_up_as_target(projects=[self.category, self.project])
+    def test_post_parent_different_owner(self):
+        """Test POST with updated project parent and different parent owner"""
+        user_new = self.make_user('user_new')
+        self.owner_as_cat.user = user_new
+        self.owner_as_cat.save()
+        category_new = self.make_project(
+            'NewCategory', PROJECT_TYPE_CATEGORY, None
+        )
+        self.make_assignment(category_new, user_new, self.role_owner)
+
+        data = model_to_dict(self.project)
+        data['owner'] = self.user.sodar_uuid  # NOTE: Must add owner
+        data['parent'] = category_new.sodar_uuid  # Updated category
+        data.update(app_settings.get_all(project=self.project, post_safe=True))
         with self.login(self.user):
-            response = self.client.get(self.url)
+            response = self.client.post(self.url, data)
 
-        self.assertEqual(response.status_code, 200)
-        form = response.context['form']
-        self.assertIsNotNone(form)
-        self.assertIsInstance(form.fields['title'].widget, HiddenInput)
-        self.assertIsInstance(form.fields['type'].widget, HiddenInput)
-        self.assertIsInstance(form.fields['parent'].widget, HiddenInput)
-        self.assertIsInstance(form.fields['description'].widget, HiddenInput)
-        self.assertIsInstance(form.fields['readme'].widget, HiddenInput)
-        self.assertNotIsInstance(
-            form.fields[
-                'settings.example_project_app.project_str_setting'
-            ].widget,
-            HiddenInput,
+        self.assertEqual(response.status_code, 302)
+        # Assert alert and email (different parent owner)
+        self.assertEqual(self.app_alert_model.objects.count(), 1)
+        self.assertEqual(self.app_alert_model.objects.first().user, user_new)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertIn(
+            SUBJECT_PROJECT_MOVE.format(
+                project_type='Project',
+                project=self.project.title,
+                user=self.user.username,
+            ),
+            mail.outbox[0].subject,
         )
-        self.assertNotIsInstance(
-            form.fields[
-                'settings.example_project_app.project_int_setting'
-            ].widget,
-            HiddenInput,
+
+    def test_post_parent_different_owner_disable_email(self):
+        """Test POST with updated parent and different parent owner with disabled email"""
+        user_new = self.make_user('user_new')
+        self.owner_as_cat.user = user_new
+        self.owner_as_cat.save()
+        category_new = self.make_project(
+            'NewCategory', PROJECT_TYPE_CATEGORY, None
         )
-        self.assertNotIsInstance(
-            form.fields[
-                'settings.example_project_app.project_bool_setting'
-            ].widget,
-            HiddenInput,
+        self.make_assignment(category_new, user_new, self.role_owner)
+        app_settings.set(APP_NAME, 'notify_email_project', False, user=user_new)
+
+        data = model_to_dict(self.project)
+        data['owner'] = self.user.sodar_uuid  # NOTE: Must add owner
+        data['parent'] = category_new.sodar_uuid  # Updated category
+        data.update(app_settings.get_all(project=self.project, post_safe=True))
+        with self.login(self.user):
+            response = self.client.post(self.url, data)
+
+        self.assertEqual(response.status_code, 302)
+        # Assert alert but no email
+        self.assertEqual(self.app_alert_model.objects.count(), 1)
+        self.assertEqual(self.app_alert_model.objects.first().user, user_new)
+        self.assertEqual(len(mail.outbox), 0)
+
+    def test_post_remote(self):
+        """Test POST with enabled remote project"""
+        self.assertEqual(RemoteProject.objects.count(), 0)
+        data = model_to_dict(self.project)
+        data['parent'] = self.category.sodar_uuid
+        data['owner'] = self.user.sodar_uuid
+        data[REMOTE_SITE_FIELD] = True
+        ps = self._get_post_app_settings(self.project, self.user)
+        data.update(ps)
+        with self.login(self.user):
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(RemoteProject.objects.count(), 1)
+        rp = RemoteProject.objects.first()
+        self.assertEqual(rp.project_uuid, self.project.sodar_uuid)
+        self.assertEqual(rp.project, self.project)
+        self.assertEqual(rp.site, self.remote_site)
+        self.assertEqual(rp.level, REMOTE_LEVEL_READ_ROLES)
+        tl_event = (
+            self.timeline.get_project_events(self.project)
+            .order_by('-pk')
+            .first()
         )
-        self.assertNotIsInstance(
-            form.fields[
-                'settings.example_project_app.project_callable_setting'
-            ].widget,
-            HiddenInput,
+        self.assertIn('remote_sites', tl_event.description)
+        self.assertEqual(
+            tl_event.extra_data['remote_sites'],
+            {str(self.remote_site.sodar_uuid): True},
         )
-        self.assertNotIsInstance(
-            form.fields[
-                'settings.example_project_app.project_callable_setting_options'
-            ].widget,
-            HiddenInput,
+
+    def test_post_remote_revoke(self):
+        """Test POST to revoke existing remote project"""
+        rp = self.make_remote_project(
+            project_uuid=self.project.sodar_uuid,
+            site=self.remote_site,
+            level=REMOTE_LEVEL_READ_ROLES,
+            project=self.project,
         )
-        self.assertTrue(
-            form.fields['settings.projectroles.ip_restrict'].disabled
+        self.assertEqual(RemoteProject.objects.count(), 1)
+        data = model_to_dict(self.project)
+        data['parent'] = self.category.sodar_uuid
+        data['owner'] = self.user.sodar_uuid
+        data[REMOTE_SITE_FIELD] = False
+        ps = self._get_post_app_settings(self.project, self.user)
+        data.update(ps)
+        with self.login(self.user):
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(RemoteProject.objects.count(), 1)
+        rp.refresh_from_db()
+        self.assertEqual(rp.level, REMOTE_LEVEL_REVOKED)
+        tl_event = (
+            self.timeline.get_project_events(self.project)
+            .order_by('-pk')
+            .first()
         )
-        self.assertTrue(
-            form.fields['settings.projectroles.ip_allowlist'].disabled
+        self.assertIn('remote_sites', tl_event.description)
+        self.assertEqual(
+            tl_event.extra_data['remote_sites'],
+            {str(self.remote_site.sodar_uuid): False},
+        )
+
+    def test_post_remote_enable_revoked(self):
+        """Test POST to re-enable revoked remote project"""
+        rp = self.make_remote_project(
+            project_uuid=self.project.sodar_uuid,
+            site=self.remote_site,
+            level=REMOTE_LEVEL_REVOKED,
+            project=self.project,
+        )
+        self.assertEqual(RemoteProject.objects.count(), 1)
+        data = model_to_dict(self.project)
+        data['parent'] = self.category.sodar_uuid
+        data['owner'] = self.user.sodar_uuid
+        data[REMOTE_SITE_FIELD] = True
+        ps = self._get_post_app_settings(self.project, self.user)
+        data.update(ps)
+        with self.login(self.user):
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(RemoteProject.objects.count(), 1)
+        rp.refresh_from_db()
+        self.assertEqual(rp.level, REMOTE_LEVEL_READ_ROLES)
+        tl_event = (
+            self.timeline.get_project_events(self.project)
+            .order_by('-pk')
+            .first()
+        )
+        self.assertIn('remote_sites', tl_event.description)
+        self.assertEqual(
+            tl_event.extra_data['remote_sites'],
+            {str(self.remote_site.sodar_uuid): True},
         )
 
     @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
-    def test_post_remote(self):
+    def test_post_target_remote(self):
         """Test POST with remote project as target"""
         self.set_up_as_target(projects=[self.category, self.project])
-        values = model_to_dict(self.project)
-        values['owner'] = self.user.sodar_uuid
-        values['parent'] = self.category.sodar_uuid
-        values['settings.example_project_app.project_int_setting'] = 0
-        values['settings.example_project_app.project_int_setting_options'] = 0
-        values['settings.example_project_app.project_str_setting'] = 'test'
-        values[
-            'settings.example_project_app.project_str_setting_options'
-        ] = 'string1'
-        values['settings.example_project_app.project_bool_setting'] = True
-        values[
-            'settings.example_project_app.project_callable_setting'
-        ] = 'No project or user for callable'
-        values[
+        data = model_to_dict(self.project)
+        data['owner'] = self.user.sodar_uuid
+        data['parent'] = self.category.sodar_uuid
+        data['settings.example_project_app.project_int_setting'] = 0
+        data['settings.example_project_app.project_int_setting_options'] = 0
+        data['settings.example_project_app.project_str_setting'] = 'test'
+        data['settings.example_project_app.project_str_setting_options'] = (
+            'string1'
+        )
+        data['settings.example_project_app.project_bool_setting'] = True
+        data['settings.example_project_app.project_callable_setting'] = (
+            'No project or user for callable'
+        )
+        data[
             'settings.example_project_app.project_callable_setting_options'
         ] = str(self.project.sodar_uuid)
-        values['settings.projectroles.ip_restrict'] = True
-        values['settings.projectroles.ip_allowlist'] = '["192.168.1.1"]'
+        data['settings.projectroles.ip_restrict'] = True
+        data['settings.projectroles.ip_allowlist'] = '["192.168.1.1"]'
         self.assertEqual(Project.objects.all().count(), 2)
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
         self.assertEqual(response.status_code, 302)
         self.assertEqual(Project.objects.all().count(), 2)
 
-    def test_get_not_found(self):
-        """Test GET with invalid project UUID"""
-        with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'projectroles:update',
-                    kwargs={'project': INVALID_UUID},
-                )
-            )
-        self.assertEqual(response.status_code, 404)
-
 
 class TestProjectArchiveView(
-    ProjectMixin, RoleAssignmentMixin, RemoteTargetMixin, TestViewsBase
+    ProjectMixin, RoleAssignmentMixin, RemoteTargetMixin, ViewTestBase
 ):
     """Tests for ProjectArchiveView"""
 
     @classmethod
     def _get_tl(cls):
-        return ProjectEvent.objects.filter(event_name='project_archive')
+        return TimelineEvent.objects.filter(event_name='project_archive')
 
     @classmethod
     def _get_tl_un(cls):
-        return ProjectEvent.objects.filter(event_name='project_unarchive')
+        return TimelineEvent.objects.filter(event_name='project_unarchive')
 
     def _get_alerts(self):
         return self.app_alert_model.objects.filter(alert_name='project_archive')
@@ -1478,9 +1869,8 @@ def test_post(self):
         self.assertEqual(self._get_alerts_un().count(), 0)
         self.assertEqual(len(mail.outbox), 0)
 
-        values = {'status': True}
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, {'status': True})
             self.assertRedirects(
                 response,
                 reverse(
@@ -1498,6 +1888,14 @@ def test_post(self):
         self.assertEqual(self._get_alerts_un().count(), 0)
         self.assertEqual(self._get_alerts().first().user, self.user_contributor)
         self.assertEqual(len(mail.outbox), 1)
+        self.assertIn(
+            SUBJECT_PROJECT_ARCHIVE.format(
+                project_label_title='Project',
+                project=self.project.title,
+                user=self.user.username,
+            ),
+            mail.outbox[0].subject,
+        )
 
     def test_post_unarchive(self):
         """Test POST to unarchiving project"""
@@ -1508,9 +1906,8 @@ def test_post_unarchive(self):
         self.assertEqual(self._get_alerts_un().count(), 0)
         self.assertEqual(len(mail.outbox), 0)
 
-        values = {'status': False}
         with self.login(self.user):
-            self.client.post(self.url, values)
+            self.client.post(self.url, {'status': False})
 
         self.project.refresh_from_db()
         self.assertEqual(self.project.archive, False)
@@ -1522,6 +1919,42 @@ def test_post_unarchive(self):
             self._get_alerts_un().first().user, self.user_contributor
         )
         self.assertEqual(len(mail.outbox), 1)
+        self.assertIn(
+            SUBJECT_PROJECT_UNARCHIVE.format(
+                project_label_title='Project',
+                project=self.project.title,
+                user=self.user.username,
+            ),
+            mail.outbox[0].subject,
+        )
+
+    def test_post_disable_email(self):
+        """Test POST with disabled email"""
+        app_settings.set(
+            APP_NAME, 'notify_email_project', False, user=self.user_contributor
+        )
+        self.assertEqual(self.project.archive, False)
+        self.assertEqual(self._get_tl().count(), 0)
+        self.assertEqual(self._get_alerts().count(), 0)
+        self.assertEqual(len(mail.outbox), 0)
+
+        with self.login(self.user):
+            response = self.client.post(self.url, {'status': True})
+            self.assertRedirects(
+                response,
+                reverse(
+                    'projectroles:detail',
+                    kwargs={'project': self.project.sodar_uuid},
+                ),
+            )
+
+        self.project.refresh_from_db()
+        self.assertEqual(self.project.archive, True)
+        self.assertEqual(self._get_tl().count(), 1)
+        # Alert but no email for contributor
+        self.assertEqual(self._get_alerts().count(), 1)
+        self.assertEqual(self._get_alerts().first().user, self.user_contributor)
+        self.assertEqual(len(mail.outbox), 0)
 
     def test_post_project_archived(self):
         """Test POST with already archived project"""
@@ -1529,9 +1962,8 @@ def test_post_project_archived(self):
         self.assertEqual(self._get_tl().count(), 0)
         self.assertEqual(self._get_tl_un().count(), 0)
         self.assertEqual(len(mail.outbox), 0)
-        values = {'status': True}
         with self.login(self.user):
-            self.client.post(self.url, values)
+            self.client.post(self.url, {'status': True})
         self.project.refresh_from_db()
         self.assertEqual(self.project.archive, True)
         self.assertEqual(self._get_tl().count(), 0)
@@ -1543,9 +1975,8 @@ def test_post_category(self):
         self.assertEqual(self.category.archive, False)
         self.assertEqual(self._get_tl().count(), 0)
         self.assertEqual(len(mail.outbox), 0)
-        values = {'status': True}
         with self.login(self.user):
-            response = self.client.post(self.url_cat, values)
+            response = self.client.post(self.url_cat, {'status': True})
             self.assertRedirects(
                 response,
                 reverse(
@@ -1561,7 +1992,7 @@ def test_post_category(self):
 
 
 class TestProjectForm(
-    AppSettingMixin, TestViewsBase, ProjectMixin, RoleAssignmentMixin
+    AppSettingMixin, ViewTestBase, ProjectMixin, RoleAssignmentMixin
 ):
     """Tests for ProjectForm"""
 
@@ -1650,7 +2081,7 @@ def test_post(self):
             [],
         )
 
-        values = {
+        data = {
             'settings.example_project_app.project_str_setting': 'updated',
             'settings.example_project_app.project_int_setting': 170,
             'settings.example_project_app.'
@@ -1668,7 +2099,7 @@ def test_post(self):
             'type': PROJECT_TYPE_PROJECT,
         }
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
 
         # Assert redirect
         with self.login(self.user):
@@ -1739,7 +2170,7 @@ class TestProjectFormTarget(
     RemoteSiteMixin,
     RemoteProjectMixin,
     AppSettingMixin,
-    TestViewsBase,
+    ViewTestBase,
     ProjectMixin,
     RoleAssignmentMixin,
 ):
@@ -1828,7 +2259,7 @@ def test_post(self):
             {'Example': 'Value', 'list': [1, 2, 3, 4, 5], 'level_6': False},
         )
 
-        values = {
+        data = {
             'settings.example_project_app.project_str_setting': 'updated',
             'settings.example_project_app.project_int_setting': 170,
             'settings.example_project_app.'
@@ -1846,7 +2277,7 @@ def test_post(self):
             'type': PROJECT_TYPE_PROJECT,
         }
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
 
         # Assert redirect
         with self.login(self.user):
@@ -1918,13 +2349,13 @@ def test_post(self):
 
 @override_settings(
     PROJECTROLES_SITE_MODE=SITE_MODE_TARGET,
-    PROJECTROLES_APP_SETTINGS_TEST=PROJECTROLES_APP_SETTINGS_TEST_LOCAL,
+    PROJECTROLES_APP_SETTINGS_TEST=APP_SETTINGS_TEST,
 )
 class TestProjectFormTargetLocal(
     RemoteSiteMixin,
     RemoteProjectMixin,
     AppSettingMixin,
-    TestViewsBase,
+    ViewTestBase,
     ProjectMixin,
     RoleAssignmentMixin,
 ):
@@ -2023,7 +2454,7 @@ def test_post(self):
             False,
         )
 
-        values = {
+        data = {
             'settings.example_project_app.project_str_setting': 'updated',
             'settings.example_project_app.project_int_setting': 170,
             'settings.example_project_app.'
@@ -2042,7 +2473,7 @@ def test_post(self):
             'type': PROJECT_TYPE_PROJECT,
         }
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
 
         # Assert redirect
         with self.login(self.user):
@@ -2124,7 +2555,7 @@ def test_post(self):
         )
 
 
-class TestProjectRoleView(ProjectMixin, RoleAssignmentMixin, TestViewsBase):
+class TestProjectRoleView(ProjectMixin, RoleAssignmentMixin, ViewTestBase):
     """Tests for ProjectRoleView"""
 
     def setUp(self):
@@ -2200,7 +2631,7 @@ def test_get_not_found(self):
 
 
 class TestRoleAssignmentCreateView(
-    ProjectMixin, RoleAssignmentMixin, TestViewsBase
+    ProjectMixin, RoleAssignmentMixin, ViewTestBase
 ):
     """Tests for RoleAssignmentCreateView and related helper views"""
 
@@ -2243,15 +2674,11 @@ def test_get(self):
         self.assertIsInstance(form.fields['project'].widget, HiddenInput)
         self.assertEqual(form.initial['project'], self.project.sodar_uuid)
         # Assert user with previously added role in project is not selectable
-        self.assertNotIn(
-            [
-                (
-                    self.user_owner.sodar_uuid,
-                    get_user_display_name(self.user_owner, True),
-                )
-            ],
-            form.fields['user'].choices,
+        choice = (
+            self.user_owner.sodar_uuid,
+            get_user_display_name(self.user_owner, True),
         )
+        self.assertNotIn([choice], form.fields['user'].choices)
         # Assert owner role is not selectable
         self.assertNotIn(
             get_role_option(self.project, self.role_owner),
@@ -2277,15 +2704,11 @@ def test_get_category(self):
         self.assertIsInstance(form.fields['project'].widget, HiddenInput)
         self.assertEqual(form.initial['project'], self.category.sodar_uuid)
         # Assert user with previously added role in project is not selectable
-        self.assertNotIn(
-            [
-                (
-                    self.user_owner_cat.sodar_uuid,
-                    get_user_display_name(self.user_owner_cat, True),
-                )
-            ],
-            form.fields['user'].choices,
+        choice = (
+            self.user_owner_cat.sodar_uuid,
+            get_user_display_name(self.user_owner_cat, True),
         )
+        self.assertNotIn([choice], form.fields['user'].choices)
         self.assertNotIn(
             get_role_option(self.category, self.role_owner),
             form.fields['role'].choices,
@@ -2311,200 +2734,45 @@ def test_get_not_found(self):
             )
         self.assertEqual(response.status_code, 404)
 
-    def test_post(self):
-        """Test RoleAssignmentCreateView POST"""
-        self.assertEqual(RoleAssignment.objects.all().count(), 2)
-        self.assertEqual(
-            self.app_alert_model.objects.filter(
-                alert_name='role_create'
-            ).count(),
-            0,
-        )
-
-        values = {
-            'project': self.project.sodar_uuid,
-            'user': self.user_new.sodar_uuid,
-            'role': self.role_guest.pk,
-        }
-        with self.login(self.user):
-            response = self.client.post(self.url, values)
-
-        self.assertEqual(RoleAssignment.objects.all().count(), 3)
-        role_as = RoleAssignment.objects.get(
-            project=self.project, user=self.user_new
-        )
-        expected = {
-            'id': role_as.pk,
-            'project': self.project.pk,
-            'user': self.user_new.pk,
-            'role': self.role_guest.pk,
-            'sodar_uuid': role_as.sodar_uuid,
-        }
-        self.assertEqual(model_to_dict(role_as), expected)
-        self.assertEqual(
-            self.app_alert_model.objects.filter(
-                alert_name='role_create'
-            ).count(),
-            1,
-        )
-        with self.login(self.user):
-            self.assertRedirects(
-                response,
-                reverse(
-                    'projectroles:roles',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-            )
-
-    def test_post_delegate(self):
-        """Test POST with project delegate role"""
-        self.assertEqual(RoleAssignment.objects.all().count(), 2)
-        values = {
-            'project': self.project.sodar_uuid,
-            'user': self.user_new.sodar_uuid,
-            'role': self.role_delegate.pk,
-        }
-        with self.login(self.user):
-            response = self.client.post(self.url, values)
-        self.assertEqual(response.status_code, 302)
-        self.assertEqual(RoleAssignment.objects.all().count(), 3)
-        role_as = RoleAssignment.objects.get(
-            project=self.project, user=self.user_new
-        )
-        expected = {
-            'id': role_as.pk,
-            'project': self.project.pk,
-            'user': self.user_new.pk,
-            'role': self.role_delegate.pk,
-            'sodar_uuid': role_as.sodar_uuid,
-        }
-        self.assertEqual(model_to_dict(role_as), expected)
-
-    def test_post_delegate_limit_reached(self):
-        """Test POST with reached delegate limit"""
-        del_user = self.make_user('new_del_user')
-        self.make_assignment(self.project, del_user, self.role_delegate)
-        self.assertEqual(RoleAssignment.objects.all().count(), 3)
-        values = {
-            'project': self.project.sodar_uuid,
-            'user': self.user_new.sodar_uuid,
-            'role': self.role_delegate.pk,
-        }
-        with self.login(self.user):
-            response = self.client.post(self.url, values)
-        self.assertEqual(response.status_code, 200)
-        self.assertEqual(RoleAssignment.objects.all().count(), 3)
-        self.assertIsNone(
-            RoleAssignment.objects.filter(
-                project=self.project, user=self.user_new
-            ).first()
-        )
-
-    @override_settings(PROJECTROLES_DELEGATE_LIMIT=2)
-    def test_post_delegate_limit_increased(self):
-        """Test POST with delegate limit > 1"""
-        del_user = self.make_user('new_del_user')
-        self.make_assignment(self.project, del_user, self.role_delegate)
-        self.assertEqual(RoleAssignment.objects.all().count(), 3)
-        values = {
-            'project': self.project.sodar_uuid,
-            'user': self.user_new.sodar_uuid,
-            'role': self.role_delegate.pk,
-        }
-        with self.login(self.user):
-            response = self.client.post(self.url, values)
-        self.assertEqual(response.status_code, 302)
-        self.assertEqual(RoleAssignment.objects.all().count(), 4)
-        self.assertIsNotNone(
-            RoleAssignment.objects.filter(
-                project=self.project, user=self.user_new
-            ).first()
-        )
-
-    def test_post_delegate_limit_inherited(self):
-        """Test POST with existing delegate role for inherited owner"""
-        self.make_assignment(
-            self.project, self.user_owner_cat, self.role_delegate
-        )
-        self.assertEqual(RoleAssignment.objects.all().count(), 3)
-        values = {
-            'project': self.project.sodar_uuid,
-            'user': self.user_new.sodar_uuid,
-            'role': self.role_delegate.pk,
-        }
-        with self.login(self.user):
-            response = self.client.post(self.url, values)
-        # NOTE: Limit should be reached, but inherited owner role is disregarded
-        self.assertEqual(response.status_code, 302)
-        self.assertEqual(RoleAssignment.objects.all().count(), 4)
-        self.assertIsNotNone(
-            RoleAssignment.objects.filter(
-                project=self.project, user=self.user_new
-            ).first()
-        )
-
-    def test_post_autocomplete_redirect_to_invite(self):
-        """Test POST for redirecting to ProjectInviteCreateView"""
-        values = {
-            'project': self.project.sodar_uuid,
-            'role': self.role_guest.pk,
-            'text': 'test@example.com',
-        }
-        with self.login(self.user):
-            response = self.client.post(
-                reverse('projectroles:ajax_autocomplete_user_redirect'), values
-            )
-        self.assertEqual(response.status_code, 200)
-        with self.login(self.user):
-            data = json.loads(response.content)
-            self.assertEqual(data['success'], True)
-            self.assertEqual(
-                data['redirect_url'],
-                reverse(
-                    'projectroles:invite_create',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-            )
-
     def test_get_autocomplete_display_options(self):
         """Test GET for displaying options by SODARUserRedirectWidget"""
-        values = {
+        data = {
             'project': self.project.sodar_uuid,
             'role': self.role_guest.pk,
             'q': 'test@example.com',
         }
         with self.login(self.user):
             response = self.client.get(
-                reverse('projectroles:ajax_autocomplete_user_redirect'), values
+                reverse('projectroles:ajax_autocomplete_user_redirect'), data
             )
         self.assertEqual(response.status_code, 200)
-        new_option = {
+        option_new = {
             'id': 'test@example.com',
             'text': 'Send an invite to "test@example.com"',
             'create_id': True,
         }
         data = json.loads(response.content)
-        self.assertIn(new_option, data['results'])
+        self.assertIn(option_new, data['results'])
 
     def test_get_autocomplete_display_options_invalid_email(self):
         """Test GET for displaying options with invalid email"""
-        values = {
+        data = {
             'project': self.project.sodar_uuid,
             'role': self.role_guest.pk,
             'q': 'test@example',
         }
         with self.login(self.user):
             response = self.client.get(
-                reverse('projectroles:ajax_autocomplete_user_redirect'), values
+                reverse('projectroles:ajax_autocomplete_user_redirect'), data
             )
         self.assertEqual(response.status_code, 200)
-        new_option = {
+        option_new = {
             'id': 'test@example.com',
             'text': 'Send an invite to "test@example"',
             'create_id': True,
         }
         data = json.loads(response.content)
-        self.assertNotIn(new_option, data['results'])
+        self.assertNotIn(option_new, data['results'])
 
     def test_get_promote(self):
         """Test GET with inherited role promotion"""
@@ -2549,7 +2817,6 @@ def test_get_promote_local_role(self):
                     },
                 )
             )
-            self.assertEqual(response.status_code, 302)
             self.assertRedirects(
                 response,
                 reverse(
@@ -2600,7 +2867,7 @@ def test_get_promote_delegate(self):
         self.assertEqual(response.status_code, 302)
 
     def test_get_promote_owner(self):
-        """Test GET for promotion with ownere role (should fail)"""
+        """Test GET for promotion with owner role (should fail)"""
         with self.login(self.user):
             response = self.client.get(
                 reverse(
@@ -2613,10 +2880,9 @@ def test_get_promote_owner(self):
             )
         self.assertEqual(response.status_code, 302)
 
-    def test_post_promote(self):
-        """Test POST for promoting inherited role"""
-        self.make_assignment(self.category, self.user_new, self.role_guest)
-        self.assertEqual(RoleAssignment.objects.all().count(), 3)
+    def test_post(self):
+        """Test RoleAssignmentCreateView POST"""
+        self.assertEqual(RoleAssignment.objects.all().count(), 2)
         self.assertEqual(
             self.app_alert_model.objects.filter(
                 alert_name='role_create'
@@ -2624,16 +2890,22 @@ def test_post_promote(self):
             0,
         )
 
-        values = {
+        data = {
             'project': self.project.sodar_uuid,
             'user': self.user_new.sodar_uuid,
-            'role': self.role_contributor.pk,
-            'promote': True,
+            'role': self.role_guest.pk,
         }
         with self.login(self.user):
-            self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
+            self.assertRedirects(
+                response,
+                reverse(
+                    'projectroles:roles',
+                    kwargs={'project': self.project.sodar_uuid},
+                ),
+            )
 
-        self.assertEqual(RoleAssignment.objects.all().count(), 4)
+        self.assertEqual(RoleAssignment.objects.all().count(), 3)
         role_as = RoleAssignment.objects.get(
             project=self.project, user=self.user_new
         )
@@ -2641,63 +2913,241 @@ def test_post_promote(self):
             'id': role_as.pk,
             'project': self.project.pk,
             'user': self.user_new.pk,
-            'role': self.role_contributor.pk,
+            'role': self.role_guest.pk,
             'sodar_uuid': role_as.sodar_uuid,
         }
         self.assertEqual(model_to_dict(role_as), expected)
-
-
-class TestRoleAssignmentUpdateView(
-    ProjectMixin, RoleAssignmentMixin, TestViewsBase
-):
-    """Tests for RoleAssignmentUpdateView"""
-
-    def setUp(self):
-        super().setUp()
-        # Set up category and project
-        self.category = self.make_project(
-            'TestCategory', PROJECT_TYPE_CATEGORY, None
-        )
-        self.user_owner_cat = self.make_user('owner_cat')
-        self.owner_as_cat = self.make_assignment(
-            self.category, self.user_owner_cat, self.role_owner
+        self.assertEqual(
+            self.app_alert_model.objects.filter(
+                alert_name='role_create'
+            ).count(),
+            1,
         )
-        self.project = self.make_project(
-            'TestProject', PROJECT_TYPE_PROJECT, self.category
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertIn(
+            SUBJECT_ROLE_CREATE.format(
+                project_label='project',
+                project=self.project.title,
+            ),
+            mail.outbox[0].subject,
         )
-        self.user_owner = self.make_user('user_owner')
-        self.owner_as = self.make_assignment(
-            self.project, self.user_owner, self.role_owner
+
+    def test_post_disable_email(self):
+        """Test POST with disabled email notifications"""
+        app_settings.set(
+            APP_NAME, 'notify_email_role', False, user=self.user_new
         )
-        # Create guest user and role
-        self.user_guest = self.make_user('user_guest')
-        self.role_as = self.make_assignment(
-            self.project, self.user_guest, self.role_guest
+        data = {
+            'project': self.project.sodar_uuid,
+            'user': self.user_new.sodar_uuid,
+            'role': self.role_guest.pk,
+        }
+        with self.login(self.user):
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(
+            self.app_alert_model.objects.filter(
+                alert_name='role_create'
+            ).count(),
+            1,
         )
-        # Set up helpers
-        self.app_alert_model = get_backend_api('appalerts_backend').get_model()
-        self.url = reverse(
-            'projectroles:role_update',
-            kwargs={'roleassignment': self.role_as.sodar_uuid},
+        self.assertEqual(len(mail.outbox), 0)
+
+    def test_post_delegate(self):
+        """Test POST with project delegate role"""
+        self.assertEqual(RoleAssignment.objects.all().count(), 2)
+        data = {
+            'project': self.project.sodar_uuid,
+            'user': self.user_new.sodar_uuid,
+            'role': self.role_delegate.pk,
+        }
+        with self.login(self.user):
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(RoleAssignment.objects.all().count(), 3)
+        role_as = RoleAssignment.objects.get(
+            project=self.project, user=self.user_new
         )
+        expected = {
+            'id': role_as.pk,
+            'project': self.project.pk,
+            'user': self.user_new.pk,
+            'role': self.role_delegate.pk,
+            'sodar_uuid': role_as.sodar_uuid,
+        }
+        self.assertEqual(model_to_dict(role_as), expected)
 
-    def test_get(self):
-        """Test RoleAssignmentUpdateView GET"""
+    def test_post_delegate_limit_reached(self):
+        """Test POST with reached delegate limit"""
+        user_del = self.make_user('new_del_user')
+        self.make_assignment(self.project, user_del, self.role_delegate)
+        self.assertEqual(RoleAssignment.objects.all().count(), 3)
+        data = {
+            'project': self.project.sodar_uuid,
+            'user': self.user_new.sodar_uuid,
+            'role': self.role_delegate.pk,
+        }
         with self.login(self.user):
-            response = self.client.get(self.url)
+            response = self.client.post(self.url, data)
         self.assertEqual(response.status_code, 200)
-        form = response.context['form']
-        self.assertIsNotNone(form)
-        self.assertIsInstance(form.fields['project'].widget, HiddenInput)
-        self.assertEqual(form.initial['project'], self.project.sodar_uuid)
-        self.assertIsInstance(form.fields['user'].widget, HiddenInput)
-        self.assertEqual(form.initial['user'], self.user_guest.sodar_uuid)
-        # Assert owner role is not selectable
-        self.assertNotIn(
-            get_role_option(self.project, self.role_owner),
-            form.fields['role'].choices,
-        )
-        # Assert delegate role is selectable
+        self.assertEqual(RoleAssignment.objects.all().count(), 3)
+        self.assertIsNone(
+            RoleAssignment.objects.filter(
+                project=self.project, user=self.user_new
+            ).first()
+        )
+
+    @override_settings(PROJECTROLES_DELEGATE_LIMIT=2)
+    def test_post_delegate_limit_increased(self):
+        """Test POST with delegate limit > 1"""
+        user_del = self.make_user('new_del_user')
+        self.make_assignment(self.project, user_del, self.role_delegate)
+        self.assertEqual(RoleAssignment.objects.all().count(), 3)
+        data = {
+            'project': self.project.sodar_uuid,
+            'user': self.user_new.sodar_uuid,
+            'role': self.role_delegate.pk,
+        }
+        with self.login(self.user):
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(RoleAssignment.objects.all().count(), 4)
+        self.assertIsNotNone(
+            RoleAssignment.objects.filter(
+                project=self.project, user=self.user_new
+            ).first()
+        )
+
+    def test_post_delegate_limit_inherited(self):
+        """Test POST with existing delegate role for inherited owner"""
+        self.make_assignment(
+            self.project, self.user_owner_cat, self.role_delegate
+        )
+        self.assertEqual(RoleAssignment.objects.all().count(), 3)
+        data = {
+            'project': self.project.sodar_uuid,
+            'user': self.user_new.sodar_uuid,
+            'role': self.role_delegate.pk,
+        }
+        with self.login(self.user):
+            response = self.client.post(self.url, data)
+        # NOTE: Limit should be reached, but inherited owner role is disregarded
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(RoleAssignment.objects.all().count(), 4)
+        self.assertIsNotNone(
+            RoleAssignment.objects.filter(
+                project=self.project, user=self.user_new
+            ).first()
+        )
+
+    def test_post_autocomplete_redirect_to_invite(self):
+        """Test POST for redirecting to ProjectInviteCreateView"""
+        data = {
+            'project': self.project.sodar_uuid,
+            'role': self.role_guest.pk,
+            'text': 'test@example.com',
+        }
+        with self.login(self.user):
+            response = self.client.post(
+                reverse('projectroles:ajax_autocomplete_user_redirect'), data
+            )
+        self.assertEqual(response.status_code, 200)
+        with self.login(self.user):
+            data = json.loads(response.content)
+            self.assertEqual(data['success'], True)
+            self.assertEqual(
+                data['redirect_url'],
+                reverse(
+                    'projectroles:invite_create',
+                    kwargs={'project': self.project.sodar_uuid},
+                ),
+            )
+
+    def test_post_promote(self):
+        """Test POST for promoting inherited role"""
+        self.make_assignment(self.category, self.user_new, self.role_guest)
+        self.assertEqual(RoleAssignment.objects.all().count(), 3)
+        self.assertEqual(
+            self.app_alert_model.objects.filter(
+                alert_name='role_create'
+            ).count(),
+            0,
+        )
+
+        data = {
+            'project': self.project.sodar_uuid,
+            'user': self.user_new.sodar_uuid,
+            'role': self.role_contributor.pk,
+            'promote': True,
+        }
+        with self.login(self.user):
+            self.client.post(self.url, data)
+
+        self.assertEqual(RoleAssignment.objects.all().count(), 4)
+        role_as = RoleAssignment.objects.get(
+            project=self.project, user=self.user_new
+        )
+        expected = {
+            'id': role_as.pk,
+            'project': self.project.pk,
+            'user': self.user_new.pk,
+            'role': self.role_contributor.pk,
+            'sodar_uuid': role_as.sodar_uuid,
+        }
+        self.assertEqual(model_to_dict(role_as), expected)
+
+
+class TestRoleAssignmentUpdateView(
+    ProjectMixin, RoleAssignmentMixin, ViewTestBase
+):
+    """Tests for RoleAssignmentUpdateView"""
+
+    def setUp(self):
+        super().setUp()
+        # Set up category and project
+        self.category = self.make_project(
+            'TestCategory', PROJECT_TYPE_CATEGORY, None
+        )
+        self.user_owner_cat = self.make_user('owner_cat')
+        self.owner_as_cat = self.make_assignment(
+            self.category, self.user_owner_cat, self.role_owner
+        )
+        self.project = self.make_project(
+            'TestProject', PROJECT_TYPE_PROJECT, self.category
+        )
+        self.user_owner = self.make_user('user_owner')
+        self.owner_as = self.make_assignment(
+            self.project, self.user_owner, self.role_owner
+        )
+        # Create guest user and role
+        self.user_guest = self.make_user('user_guest')
+        self.role_as = self.make_assignment(
+            self.project, self.user_guest, self.role_guest
+        )
+        # Set up helpers
+        self.app_alert_model = get_backend_api('appalerts_backend').get_model()
+        self.url = reverse(
+            'projectroles:role_update',
+            kwargs={'roleassignment': self.role_as.sodar_uuid},
+        )
+
+    def test_get(self):
+        """Test RoleAssignmentUpdateView GET"""
+        with self.login(self.user):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 200)
+        form = response.context['form']
+        self.assertIsNotNone(form)
+        self.assertIsInstance(form.fields['project'].widget, HiddenInput)
+        self.assertEqual(form.initial['project'], self.project.sodar_uuid)
+        self.assertIsInstance(form.fields['user'].widget, HiddenInput)
+        self.assertEqual(form.initial['user'], self.user_guest.sodar_uuid)
+        # Assert owner role is not selectable
+        self.assertNotIn(
+            get_role_option(self.project, self.role_owner),
+            form.fields['role'].choices,
+        )
+        # Assert delegate role is selectable
         self.assertIn(
             get_role_option(self.project, self.role_delegate),
             form.fields['role'].choices,
@@ -2740,6 +3190,23 @@ def test_get_category(self):
             form.fields['role'].choices,
         )
 
+    def test_get_inactive_local_role(self):
+        """Test GET with inherited role overriding local inactive role"""
+        # Set user as category contributor
+        self.make_assignment(
+            self.category, self.user_guest, self.role_contributor
+        )
+        with self.login(self.user):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 200)
+        form = response.context['form']
+        # Assert only delegate role is selectable
+        self.assertEqual(len(form.fields['role'].choices), 1)
+        self.assertEqual(
+            form.fields['role'].choices[0],
+            get_role_option(self.project, self.role_delegate),
+        )
+
     def test_get_not_found(self):
         """Test GET with invalid assignment UUID"""
         with self.login(self.user):
@@ -2761,13 +3228,20 @@ def test_post(self):
             0,
         )
 
-        values = {
+        data = {
             'project': self.role_as.project.sodar_uuid,
             'user': self.user_guest.sodar_uuid,
             'role': self.role_contributor.pk,
         }
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
+            self.assertRedirects(
+                response,
+                reverse(
+                    'projectroles:roles',
+                    kwargs={'project': self.project.sodar_uuid},
+                ),
+            )
 
         self.assertEqual(RoleAssignment.objects.all().count(), 3)
         role_as = RoleAssignment.objects.get(
@@ -2787,25 +3261,45 @@ def test_post(self):
             ).count(),
             1,
         )
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertIn(
+            SUBJECT_ROLE_UPDATE.format(
+                project_label='project', project=self.project.title
+            ),
+            mail.outbox[0].subject,
+        )
+
+    def test_post_disable_email(self):
+        """Test POST with disabled email notifications"""
+        app_settings.set(
+            APP_NAME, 'notify_email_role', False, user=self.user_guest
+        )
+        data = {
+            'project': self.role_as.project.sodar_uuid,
+            'user': self.user_guest.sodar_uuid,
+            'role': self.role_contributor.pk,
+        }
         with self.login(self.user):
-            self.assertRedirects(
-                response,
-                reverse(
-                    'projectroles:roles',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-            )
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(
+            self.app_alert_model.objects.filter(
+                alert_name='role_update'
+            ).count(),
+            1,
+        )
+        self.assertEqual(len(mail.outbox), 0)
 
     def test_post_delegate(self):
         """Test POST to update RoleAssignment to delegate"""
         self.assertEqual(RoleAssignment.objects.all().count(), 3)
-        values = {
+        data = {
             'project': self.role_as.project.sodar_uuid,
             'user': self.user_guest.sodar_uuid,
             'role': self.role_delegate.pk,
         }
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
 
         self.assertEqual(response.status_code, 302)
         self.assertEqual(RoleAssignment.objects.all().count(), 3)
@@ -2826,13 +3320,13 @@ def test_post_delegate_limit_reached(self):
         del_user = self.make_user('new_del_user')
         self.make_assignment(self.project, del_user, self.role_delegate)
         self.assertEqual(RoleAssignment.objects.all().count(), 4)
-        values = {
+        data = {
             'project': self.project.sodar_uuid,
             'user': self.user_guest.sodar_uuid,
             'role': self.role_delegate.pk,
         }
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
         self.assertEqual(response.status_code, 200)
         self.assertEqual(RoleAssignment.objects.all().count(), 4)
         self.assertEqual(
@@ -2855,13 +3349,13 @@ def test_post_delegate_limit_increased(self):
             ).count(),
             1,
         )
-        values = {
+        data = {
             'project': self.project.sodar_uuid,
             'user': self.user_guest.sodar_uuid,
             'role': self.role_delegate.pk,
         }
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
         self.assertEqual(response.status_code, 302)
         self.assertEqual(
             RoleAssignment.objects.filter(
@@ -2881,13 +3375,13 @@ def test_post_delegate_limit_inherited(self):
             ).count(),
             1,
         )
-        values = {
+        data = {
             'project': self.project.sodar_uuid,
             'user': self.user_guest.sodar_uuid,
             'role': self.role_delegate.pk,
         }
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
         # NOTE: Limit should be reached, but inherited owner role is disregarded
         self.assertEqual(response.status_code, 302)
         self.assertEqual(
@@ -2897,26 +3391,9 @@ def test_post_delegate_limit_inherited(self):
             2,
         )
 
-    def test_get_inactive_local_role(self):
-        """Test GET with inherited role overriding local inactive role"""
-        # Set user as category contributor
-        self.make_assignment(
-            self.category, self.user_guest, self.role_contributor
-        )
-        with self.login(self.user):
-            response = self.client.get(self.url)
-        self.assertEqual(response.status_code, 200)
-        form = response.context['form']
-        # Assert only delegate role is selectable
-        self.assertEqual(len(form.fields['role'].choices), 1)
-        self.assertEqual(
-            form.fields['role'].choices[0],
-            get_role_option(self.project, self.role_delegate),
-        )
-
 
 class TestRoleAssignmentDeleteView(
-    ProjectMixin, RoleAssignmentMixin, TestViewsBase
+    ProjectMixin, RoleAssignmentMixin, ViewTestBase
 ):
     """Tests for RoleAssignmentDeleteView"""
 
@@ -3052,6 +3529,38 @@ def test_post(self):
         alert.refresh_from_db()
         self.assertEqual(alert.active, False)
         self.assertEqual(len(mail.outbox), 1)
+        self.assertIn(
+            SUBJECT_ROLE_DELETE.format(
+                project_label='project', project=self.project.title
+            ),
+            mail.outbox[0].subject,
+        )
+
+    def test_post_disable_email(self):
+        """Test POST with disabled email notifications"""
+        app_settings.set(
+            APP_NAME, 'notify_email_role', False, user=self.user_contrib
+        )
+        alert = self.app_alerts.add_alert(
+            'projectroles',
+            'test_alert',
+            self.user_contrib,
+            'test',
+            project=self.project,
+        )
+        self.assertEqual(alert.active, True)
+        with self.login(self.user):
+            response = self.client.post(self.url)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(
+            self.app_alert_model.objects.filter(
+                alert_name='role_delete'
+            ).count(),
+            1,
+        )
+        alert.refresh_from_db()
+        self.assertEqual(alert.active, False)
+        self.assertEqual(len(mail.outbox), 0)
 
     def test_post_owner(self):
         """Test POST for RoleAssignment owner deletion (should fail)"""
@@ -3150,7 +3659,7 @@ def test_post_app_settings_contributor(self):
         """Test post with PROJECT_USER app settings after contributor deletion"""
         self.assertEqual(RoleAssignment.objects.all().count(), 3)
         app_settings.set(
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             setting_name='project_user_bool_setting',
             project=self.project,
             user=self.user,
@@ -3182,7 +3691,7 @@ def test_post_app_settings_inherit(self):
         self.make_assignment(self.category, self.user_contrib, self.role_guest)
         self.assertEqual(RoleAssignment.objects.all().count(), 4)
         app_settings.set(
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             setting_name='project_user_bool_setting',
             project=self.project,
             user=self.user,
@@ -3216,7 +3725,7 @@ def test_post_app_settings_children(self):
         )
         self.assertEqual(RoleAssignment.objects.all().count(), 4)
         app_settings.set(
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             setting_name='project_user_bool_setting',
             project=self.project,
             user=self.user,
@@ -3250,7 +3759,7 @@ def test_post_app_settings_children(self):
 
 
 class TestRoleAssignmentOwnerTransferView(
-    ProjectMixin, RoleAssignmentMixin, TestViewsBase
+    ProjectMixin, RoleAssignmentMixin, ViewTestBase
 ):
     """Tests for RoleAssignmentOwnerTransferView"""
 
@@ -3376,12 +3885,51 @@ def test_post(self):
             self.role_guest,
         )
         self.assertEqual(self.app_alert_model.objects.count(), 2)
+        self.assertEqual(
+            self.app_alert_model.objects.filter(
+                alert_name='role_update', user=self.user_owner
+            ).count(),
+            1,
+        )
+        self.assertEqual(
+            self.app_alert_model.objects.filter(
+                alert_name='role_update', user=self.user_guest
+            ).count(),
+            1,
+        )
         self.assertEqual(len(mail.outbox), 2)
+        for m in mail.outbox:
+            self.assertIn(
+                SUBJECT_ROLE_UPDATE.format(
+                    project_label='project', project=self.project.title
+                ),
+                m.subject,
+            )
 
-    def test_post_as_old_owner(self):
-        """Test POST as old owner"""
-        with self.login(self.user_owner):
-            response = self.client.post(
+    def test_post_disable_email(self):
+        """Test POST with disabled email notifications"""
+        app_settings.set(
+            APP_NAME, 'notify_email_role', False, user=self.user_owner
+        )
+        self.assertEqual(self.app_alert_model.objects.count(), 0)
+        self.assertEqual(len(mail.outbox), 0)
+        with self.login(self.user):
+            response = self.client.post(
+                self.url,
+                data={
+                    'project': self.project.sodar_uuid,
+                    'new_owner': self.user_guest.sodar_uuid,
+                    'old_owner_role': self.role_guest.pk,
+                },
+            )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(self.app_alert_model.objects.count(), 2)
+        self.assertEqual(len(mail.outbox), 1)
+
+    def test_post_as_old_owner(self):
+        """Test POST as old owner"""
+        with self.login(self.user_owner):
+            response = self.client.post(
                 self.url,
                 data={
                     'project': self.project.sodar_uuid,
@@ -3399,6 +3947,12 @@ def test_post_as_old_owner(self):
         )
         # Should only create one alert/mail for new owner
         self.assertEqual(self.app_alert_model.objects.count(), 1)
+        self.assertEqual(
+            self.app_alert_model.objects.filter(
+                alert_name='role_update', user=self.user_guest
+            ).count(),
+            1,
+        )
         self.assertEqual(len(mail.outbox), 1)
 
     def test_post_old_inherited_member(self):
@@ -3533,7 +4087,7 @@ def test_post_new_local_role(self):
 
 
 class TestProjectInviteCreateView(
-    ProjectMixin, RoleAssignmentMixin, ProjectInviteMixin, TestViewsBase
+    ProjectMixin, RoleAssignmentMixin, ProjectInviteMixin, ViewTestBase
 ):
     """Tests for ProjectInviteCreateView"""
 
@@ -3566,12 +4120,12 @@ def test_get(self):
 
     def test_get_from_roleassignment(self):
         """Test GET with forwarded values from RoleAssignment Form"""
-        values = {
+        data = {
             'e': 'test@example.com',
             'r': self.role_contributor.pk,
         }
         with self.login(self.user):
-            response = self.client.get(self.url, values)
+            response = self.client.get(self.url, data)
         self.assertEqual(response.status_code, 200)
         form = response.context['form']
         self.assertIsNotNone(form)
@@ -3600,13 +4154,13 @@ def test_get_not_found(self):
     def test_post(self):
         """Test ProjectInviteCreateView POST"""
         self.assertEqual(ProjectInvite.objects.all().count(), 0)
-        values = {
+        data = {
             'email': INVITE_EMAIL,
             'project': self.project.pk,
             'role': self.role_contributor.pk,
         }
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
 
         self.assertEqual(ProjectInvite.objects.all().count(), 1)
         invite = ProjectInvite.objects.get(
@@ -3636,35 +4190,45 @@ def test_post(self):
                 ),
             )
 
-    @override_settings(
-        PROJECTROLES_ALLOW_LOCAL_USERS=False,
-        ENABLE_SAML=False,
-    )
+    @override_settings(PROJECTROLES_ALLOW_LOCAL_USERS=False)
     def test_post_local_users_not_allowed(self):
-        """Test POST for local user with local users not allowed"""
-        values = {
+        """Test POST for local/OIDC user with local users not allowed"""
+        data = {
             'email': INVITE_EMAIL,
             'project': self.project.pk,
             'role': self.role_contributor.pk,
         }
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
         self.assertEqual(response.status_code, 200)
         self.assertEqual(ProjectInvite.objects.all().count(), 0)
 
-    @override_settings(
-        PROJECTROLES_ALLOW_LOCAL_USERS=True,
-        ENABLE_SAML=False,
-    )
     def test_post_local_users_allowed(self):
-        """Test POST for local user with local users allowed"""
-        values = {
+        """Test POST for local/OIDC user with local users allowed"""
+        data = {
             'email': INVITE_EMAIL,
             'project': self.project.pk,
             'role': self.role_contributor.pk,
         }
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        invite = ProjectInvite.objects.get(
+            project=self.project, email=INVITE_EMAIL, active=True
+        )
+        self.assertIsNotNone(invite)
+
+    @override_settings(PROJECTROLES_ALLOW_LOCAL_USERS=False)
+    @override_settings(ENABLE_OIDC=True)
+    def test_post_oidc_users_allowed(self):
+        """Test POST with for local/OIDC user with OIDC users allowed"""
+        data = {
+            'email': INVITE_EMAIL,
+            'project': self.project.pk,
+            'role': self.role_contributor.pk,
+        }
+        with self.login(self.user):
+            response = self.client.post(self.url, data)
         self.assertEqual(response.status_code, 302)
         invite = ProjectInvite.objects.get(
             project=self.project, email=INVITE_EMAIL, active=True
@@ -3673,19 +4237,18 @@ def test_post_local_users_allowed(self):
 
     @override_settings(
         PROJECTROLES_ALLOW_LOCAL_USERS=False,
-        ENABLE_SAML=False,
         ENABLE_LDAP=True,
-        AUTH_LDAP_USERNAME_DOMAIN='EXAMPLE',
+        AUTH_LDAP_USERNAME_DOMAIN=LDAP_DOMAIN,
     )
     def test_post_local_users_email_domain(self):
         """Test POST for local user with email domain in AUTH_LDAP_USERNAME_DOMAIN"""
-        values = {
+        data = {
             'email': INVITE_EMAIL,
             'project': self.project.pk,
             'role': self.role_contributor.pk,
         }
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
         self.assertEqual(response.status_code, 302)
         invite = ProjectInvite.objects.get(
             project=self.project, email=INVITE_EMAIL, active=True
@@ -3694,19 +4257,18 @@ def test_post_local_users_email_domain(self):
 
     @override_settings(
         PROJECTROLES_ALLOW_LOCAL_USERS=False,
-        ENABLE_SAML=False,
         ENABLE_LDAP=True,
         LDAP_ALT_DOMAINS=['example.com'],
     )
     def test_post_local_users_email_domain_ldap(self):
         """Test POST for local user with email domain in LDAP_ALT_DOMAINS"""
-        values = {
+        data = {
             'email': INVITE_EMAIL,
             'project': self.project.pk,
             'role': self.role_contributor.pk,
         }
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
         self.assertEqual(response.status_code, 302)
         invite = ProjectInvite.objects.get(
             project=self.project, email=INVITE_EMAIL, active=True
@@ -3715,7 +4277,11 @@ def test_post_local_users_email_domain_ldap(self):
 
 
 class TestProjectInviteAcceptView(
-    ProjectMixin, RoleAssignmentMixin, ProjectInviteMixin, TestViewsBase
+    ProjectMixin,
+    RoleAssignmentMixin,
+    ProjectInviteMixin,
+    ProjectInviteProcessMixin,
+    ViewTestBase,
 ):
     """Tests for ProjectInviteAcceptView and related helper views"""
 
@@ -3728,631 +4294,464 @@ def setUp(self):
             self.project, self.user, self.role_owner
         )
         self.user_new = self.make_user('user_new')
-        self.project_url = reverse(
-            'projectroles:detail',
-            kwargs={'project': self.project.sodar_uuid},
-        )
-
-    @override_settings(ENABLE_LDAP=True, AUTH_LDAP_USERNAME_DOMAIN='EXAMPLE')
-    def test_get_ldap(self):
-        """Test ProjectInviteAcceptView GET with LDAP invite"""
-        invite = self.make_invite(
+        self.invite = self.make_invite(
             email=INVITE_EMAIL,
             project=self.project,
             role=self.role_contributor,
             issuer=self.user,
             message='',
         )
+        self.url = reverse(
+            'projectroles:invite_accept',
+            kwargs={'secret': self.invite.secret},
+        )
+        self.url_process_login = reverse(
+            'projectroles:invite_process_login',
+            kwargs={'secret': self.invite.secret},
+        )
+        self.url_process_new = reverse(
+            'projectroles:invite_process_new_user',
+            kwargs={'secret': self.invite.secret},
+        )
+        self.url_project = reverse(
+            'projectroles:detail',
+            kwargs={'project': self.project.sodar_uuid},
+        )
+
+    @override_settings(ENABLE_LDAP=True, AUTH_LDAP_USERNAME_DOMAIN=LDAP_DOMAIN)
+    def test_get_ldap(self):
+        """Test ProjectInviteAcceptView GET with LDAP invite"""
+        # NOTE: Adding sanity checks for invite type in these tests
+        self.assertEqual(self.invite.is_ldap(), True)
         self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 1)
-        self.assertEqual(
+        self.assertFalse(
             RoleAssignment.objects.filter(
-                project=self.project,
-                user=self.user_new,
-                role=self.role_contributor,
-            ).count(),
-            0,
+                project=self.project, user=self.user_new
+            ).exists()
         )
+        self.assertEqual(len(mail.outbox), 0)
 
         with self.login(self.user_new):
-            response = self.client.get(
-                reverse(
-                    'projectroles:invite_accept',
-                    kwargs={'secret': invite.secret},
-                ),
-                follow=True,
-            )
+            response = self.client.get(self.url, follow=True)
         self.assertListEqual(
             response.redirect_chain,
-            [
-                (
-                    reverse(
-                        'projectroles:invite_process_ldap',
-                        kwargs={'secret': invite.secret},
-                    ),
-                    302,
-                ),
-                (self.project_url, 302),
-            ],
+            [(self.url_process_login, 302), (self.url_project, 302)],
         )
         self.assertEqual(
             list(get_messages(response.wsgi_request))[0].message,
-            MSG_PROJECT_WELCOME.format(
+            PROJECT_WELCOME_MSG.format(
                 project_type='project',
                 project_title='TestProject',
                 role='project contributor',
             ),
         )
         self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 0)
-        self.assertEqual(
+        self.assertTrue(
             RoleAssignment.objects.filter(
-                project=self.project,
-                user=self.user_new,
-                role=self.role_contributor,
-            ).count(),
-            1,
+                project=self.project, user=self.user_new
+            ).exists()
+        )
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertIn(
+            SUBJECT_ACCEPT.format(
+                user=get_email_user(self.user_new),
+                project_label='project',
+                project=self.project.title,
+            ),
+            mail.outbox[0].subject,
         )
 
+    @override_settings(ENABLE_LDAP=True, AUTH_LDAP_USERNAME_DOMAIN=LDAP_DOMAIN)
+    def test_get_ldap_disable_email(self):
+        """Test GET with LDAP invite and disabled email notifications"""
+        self.assertEqual(self.invite.is_ldap(), True)
+        app_settings.set(APP_NAME, 'notify_email_role', False, user=self.user)
+        with self.login(self.user_new):
+            self.client.get(self.url)
+        self.assertEqual(len(mail.outbox), 0)
+
     @override_settings(
-        AUTH_LDAP_USERNAME_DOMAIN='EXAMPLE',
+        AUTH_LDAP_USERNAME_DOMAIN=LDAP_DOMAIN,
         ENABLE_LDAP=True,
         LDAP_ALT_DOMAINS=['alt.org'],
         PROJECTROLES_ALLOW_LOCAL_USERS=False,
     )
     def test_get_ldap_alt_domain(self):
         """Test GET with LDAP invite and email in LDAP_ALT_DOMAINS"""
-        alt_email = 'user@alt.org'
-        invite = self.make_invite(
-            email=alt_email,
-            project=self.project,
-            role=self.role_contributor,
-            issuer=self.user,
-            message='',
-        )
+        self.invite.email = 'user@alt.org'
+        self.invite.save()
+        self.assertEqual(self.invite.is_ldap(), True)
         self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 1)
-        self.assertEqual(
+        self.assertFalse(
             RoleAssignment.objects.filter(
-                project=self.project,
-                user=self.user_new,
-                role=self.role_contributor,
-            ).count(),
-            0,
+                project=self.project, user=self.user_new
+            ).exists()
         )
-
         with self.login(self.user_new):
-            response = self.client.get(
-                reverse(
-                    'projectroles:invite_accept',
-                    kwargs={'secret': invite.secret},
-                ),
-                follow=True,
-            )
+            response = self.client.get(self.url, follow=True)
         self.assertListEqual(
             response.redirect_chain,
-            [
-                (
-                    reverse(
-                        'projectroles:invite_process_ldap',
-                        kwargs={'secret': invite.secret},
-                    ),
-                    302,
-                ),
-                (self.project_url, 302),
-            ],
+            [(self.url_process_login, 302), (self.url_project, 302)],
         )
         self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 0)
-        self.assertEqual(
+        self.assertTrue(
             RoleAssignment.objects.filter(
-                project=self.project,
-                user=self.user_new,
-                role=self.role_contributor,
-            ).count(),
-            1,
+                project=self.project, user=self.user_new
+            ).exists()
         )
 
     @override_settings(
-        AUTH_LDAP_USERNAME_DOMAIN='EXAMPLE',
         ENABLE_LDAP=True,
-        LDAP_ALT_DOMAINS=[],
+        AUTH_LDAP_USERNAME_DOMAIN=LDAP_DOMAIN,
         PROJECTROLES_ALLOW_LOCAL_USERS=False,
     )
     def test_get_ldap_email_not_listed(self):
         """Test GET with LDAP invite and email not in LDAP_ALT_DOMAINS"""
-        alt_email = 'user@alt.org'
-        invite = self.make_invite(
-            email=alt_email,
-            project=self.project,
-            role=self.role_contributor,
-            issuer=self.user,
-            message='',
-        )
+        self.invite.email = 'user@alt.org'
+        self.invite.save()
+        self.assertEqual(self.invite.is_ldap(), False)
         self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 1)
-        self.assertEqual(
+        self.assertFalse(
             RoleAssignment.objects.filter(
-                project=self.project,
-                user=self.user_new,
-                role=self.role_contributor,
-            ).count(),
-            0,
+                project=self.project, user=self.user_new
+            ).exists()
         )
-
         with self.login(self.user_new):
-            response = self.client.get(
-                reverse(
-                    'projectroles:invite_accept',
-                    kwargs={'secret': invite.secret},
-                ),
-                follow=True,
-            )
+            response = self.client.get(self.url, follow=True)
         self.assertListEqual(response.redirect_chain, [(reverse('home'), 302)])
         self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 1)
-        self.assertEqual(
+        self.assertFalse(
             RoleAssignment.objects.filter(
-                project=self.project,
-                user=self.user_new,
-                role=self.role_contributor,
-            ).count(),
-            0,
+                project=self.project, user=self.user_new
+            ).exists()
         )
 
-    @override_settings(AUTH_LDAP_USERNAME_DOMAIN='EXAMPLE', ENABLE_LDAP=True)
+    @override_settings(ENABLE_LDAP=True, AUTH_LDAP_USERNAME_DOMAIN=LDAP_DOMAIN)
     def test_get_ldap_expired(self):
         """Test GET with expired LDAP invite"""
-        invite = self.make_invite(
-            email=INVITE_EMAIL,
-            project=self.project,
-            role=self.role_contributor,
-            issuer=self.user,
-            message='',
-            date_expire=timezone.now(),
-        )
+        self.invite.date_expire = timezone.now()
+        self.invite.save()
         self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 1)
-        self.assertEqual(
+        self.assertFalse(
             RoleAssignment.objects.filter(
-                project=self.project,
-                user=self.user_new,
-                role=self.role_contributor,
-            ).count(),
-            0,
+                project=self.project, user=self.user_new
+            ).exists()
         )
+        self.assertEqual(len(mail.outbox), 0)
 
         with self.login(self.user_new):
-            response = self.client.get(
-                reverse(
-                    'projectroles:invite_accept',
-                    kwargs={'secret': invite.secret},
-                ),
-                follow=True,
-            )
+            response = self.client.get(self.url, follow=True)
         self.assertListEqual(
             response.redirect_chain,
-            [
-                (
-                    reverse(
-                        'projectroles:invite_process_ldap',
-                        kwargs={'secret': invite.secret},
-                    ),
-                    302,
-                ),
-                (reverse('home'), 302),
-            ],
+            [(self.url_process_login, 302), (reverse('home'), 302)],
         )
         self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 0)
-        self.assertEqual(
+        self.assertFalse(
             RoleAssignment.objects.filter(
-                project=self.project,
-                user=self.user_new,
-                role=self.role_contributor,
-            ).count(),
-            0,
-        )
-
-    @override_settings(PROJECTROLES_ALLOW_LOCAL_USERS=True)
-    def test_get_local(self):
-        """Test GET with local invite and nonexistent user with no user logged in"""
-        invite = self.make_invite(
-            email=INVITE_EMAIL,
-            project=self.project,
-            role=self.role_contributor,
-            issuer=self.user,
-            message='',
-        )
-        self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 1)
-
-        response = self.client.get(
-            reverse(
-                'projectroles:invite_accept',
-                kwargs={'secret': invite.secret},
-            ),
-            follow=True,
+                project=self.project, user=self.user_new
+            ).exists()
         )
-        self.assertRedirects(
-            response,
-            reverse(
-                'projectroles:invite_process_local',
-                kwargs={'secret': invite.secret},
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertIn(
+            SUBJECT_EXPIRY.format(
+                user_name=self.user_new.username,
+                project=self.project.title,
             ),
+            mail.outbox[0].subject,
         )
 
-        response = self.client.get(
-            reverse(
-                'projectroles:invite_process_local',
-                kwargs={'secret': invite.secret},
-            ),
-        )
-        email = response.context['form']['email'].value()
-        username = response.context['form']['username'].value()
-        self.assertEqual(email, invite.email)
-        self.assertEqual(username, invite.email.split('@')[0])
-        self.assertEqual(User.objects.count(), 2)
+    @override_settings(ENABLE_LDAP=True, AUTH_LDAP_USERNAME_DOMAIN=LDAP_DOMAIN)
+    def test_get_ldap_expired_disable_email(self):
+        """Test GET with expired LDAP invite and disabled email notifications"""
+        app_settings.set(APP_NAME, 'notify_email_role', False, user=self.user)
+        self.invite.date_expire = timezone.now()
+        self.invite.save()
+        with self.login(self.user_new):
+            self.client.get(self.url, follow=True)
+        self.assertEqual(len(mail.outbox), 0)
 
-        # NOTE: We must face HTTP_REFERER here for it to be included
-        response = self.client.post(
-            reverse(
-                'projectroles:invite_process_local',
-                kwargs={'secret': invite.secret},
-            ),
-            data={
-                'first_name': 'First',
-                'last_name': 'Last',
-                'username': username,
-                'email': email,
-                'password': 'asd',
-                'password_confirm': 'asd',
-            },
-            follow=True,
-            HTTP_REFERER=reverse(
-                'projectroles:invite_process_local',
-                kwargs={'secret': invite.secret},
-            ),
+    def test_get_local(self):
+        """Test GET with local invite for nonexistent user with no user logged in"""
+        response = self.client.get(self.url, follow=True)
+        self.assertRedirects(response, self.url_process_new)
+
+    def test_get_expired_local(self):
+        """Test GET with expired local invite"""
+        self.invite.date_expire = timezone.now()
+        self.invite.save()
+        self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 1)
+        self.assertFalse(
+            RoleAssignment.objects.filter(
+                project=self.project, user=self.user_new
+            ).exists()
         )
+        response = self.client.get(self.url, follow=True)
         self.assertListEqual(
             response.redirect_chain,
             [
-                (self.project_url, 302),
-                (reverse('login') + '?next=' + self.project_url, 302),
+                (self.url_process_new, 302),
+                (reverse('home'), 302),
+                (reverse('login') + '?next=/', 302),
             ],
         )
-        self.assertEqual(
-            list(get_messages(response.wsgi_request))[1].message, MSG_LOGIN
-        )
-        user = User.objects.get(username=username)
         self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 0)
-        self.assertEqual(
+        self.assertFalse(
             RoleAssignment.objects.filter(
-                project=self.project,
-                user=user,
-                role=self.role_contributor,
-            ).count(),
-            1,
+                project=self.project, user=self.user_new
+            ).exists()
         )
-        with self.login(user, password='asd'):
-            response = self.client.get(self.project_url)
-        self.assertEqual(response.status_code, 200)
 
-    @override_settings(PROJECTROLES_ALLOW_LOCAL_USERS=True)
-    def test_get_expired_local(self):
-        """Test GET with expired local invite"""
-        invite = self.make_invite(
-            email=INVITE_EMAIL,
-            project=self.project,
-            role=self.role_contributor,
-            issuer=self.user,
-            message='',
-            date_expire=timezone.now(),
+    def test_get_role_exists(self):
+        """Test GET for user with roles in project"""
+        invited_user = self.make_user(INVITE_EMAIL.split('@')[0])
+        invited_user.email = INVITE_EMAIL
+        invited_user.save()
+        self.make_assignment(self.project, invited_user, self.role_guest)
+        self.assertTrue(self.invite.active)
+        self.assertIsNone(
+            TimelineEvent.objects.filter(event_name='invite_accept').first()
         )
-        self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 1)
-        self.assertEqual(
-            RoleAssignment.objects.filter(
-                project=self.project,
-                user=self.user_new,
-                role=self.role_contributor,
-            ).count(),
-            0,
+        with self.login(invited_user):
+            response = self.client.get(self.url, follow=True)
+        self.assertRedirects(response, self.url_project)
+        self.invite.refresh_from_db()
+        self.assertFalse(self.invite.active)
+        # No timeline event should be created
+        self.assertIsNone(
+            TimelineEvent.objects.filter(event_name='invite_accept').first()
         )
 
-        response = self.client.get(
-            reverse(
-                'projectroles:invite_accept',
-                kwargs={'secret': invite.secret},
-            ),
-            follow=True,
+    @override_settings(ENABLE_OIDC=True, PROJECTROLES_ALLOW_LOCAL_USERS=False)
+    def test_get_oidc_enabled(self):
+        """Test GET with local/OIDC invite, logged in user and local users enabled"""
+        # NOTE: This is for OIDC redirects from the user form
+        response = self.client.get(self.url, follow=True)
+        # Should redirect to logged in handler view via login
+        self.assertRedirects(
+            response, reverse('login') + '?next=' + self.url_process_login
         )
+
+    @override_settings(PROJECTROLES_ALLOW_LOCAL_USERS=False)
+    def test_get_oidc_disabled_local_disabled(self):
+        """Test GET with OIDC and local users disabled"""
+        response = self.client.get(self.url, follow=True)
         self.assertListEqual(
             response.redirect_chain,
-            [
-                (
-                    reverse(
-                        'projectroles:invite_process_local',
-                        kwargs={'secret': invite.secret},
-                    ),
-                    302,
-                ),
-                (reverse('home'), 302),
-                (reverse('login') + '?next=/', 302),
-            ],
-        )
-        self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 0)
-        self.assertEqual(
-            RoleAssignment.objects.filter(
-                project=self.project,
-                user=self.user_new,
-                role=self.role_contributor,
-            ).count(),
-            0,
+            [(reverse('home'), 302), (reverse('login') + '?next=/', 302)],
         )
 
-    @override_settings(
-        ENABLE_LDAP=True,
-        PROJECTROLES_ALLOW_LOCAL_USERS=True,
-        AUTH_LDAP_USERNAME_DOMAIN='EXAMPLE',
-        AUTH_LDAP_DOMAIN_PRINTABLE='EXAMPLE',
-    )
-    def test_get_process_ldap_wrong_type_local(self):
-        """Test ProjectInviteProcessLDAPView GET with local invite"""
-        invite = self.make_invite(
-            email='test@different.com',
+
+class TestProjectInviteProcessLoginView(
+    ProjectMixin, RoleAssignmentMixin, ProjectInviteMixin, ViewTestBase
+):
+    """Tests for ProjectInviteProcessLoginView"""
+
+    def setUp(self):
+        super().setUp()
+        self.project = self.make_project(
+            'TestProject', PROJECT_TYPE_PROJECT, None
+        )
+        self.owner_as = self.make_assignment(
+            self.project, self.user, self.role_owner
+        )
+        self.user_new = self.make_user('user_new')
+        self.invite = self.make_invite(
+            email=INVITE_EMAIL,
             project=self.project,
             role=self.role_contributor,
             issuer=self.user,
             message='',
         )
-        self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 1)
-        response = self.client.get(
-            reverse(
-                'projectroles:invite_process_ldap',
-                kwargs={'secret': invite.secret},
-            ),
-        )
-        # LDAP expects user to be logged in
-        self.assertRedirects(
-            response,
-            reverse('login')
-            + '?next='
-            + reverse(
-                'projectroles:invite_process_ldap',
-                kwargs={'secret': invite.secret},
-            ),
+        self.url = reverse(
+            'projectroles:invite_process_login',
+            kwargs={'secret': self.invite.secret},
         )
 
     @override_settings(
         ENABLE_LDAP=True,
-        PROJECTROLES_ALLOW_LOCAL_USERS=True,
-        AUTH_LDAP_USERNAME_DOMAIN='EXAMPLE',
+        AUTH_LDAP_USERNAME_DOMAIN=LDAP_DOMAIN,
         AUTH_LDAP_DOMAIN_PRINTABLE='EXAMPLE',
     )
-    def test_get_process_local_wrong_type_ldap(self):
-        """Test ProjectInviteProcessLocalView GET with LDAP invite"""
-        invite = self.make_invite(
+    def test_get_wrong_type_local(self):
+        """Test ProjectInviteProcessLoginView GET with local invite"""
+        self.invite.email = 'test@different.com'
+        self.invite.save()
+        self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 1)
+        response = self.client.get(self.url)
+        # LDAP expects user to be logged in
+        self.assertRedirects(response, reverse('login') + '?next=' + self.url)
+
+
+class TestProjectInviteProcessNewUserView(
+    ProjectMixin, RoleAssignmentMixin, ProjectInviteMixin, ViewTestBase
+):
+    """Tests for ProjectInviteProcessNewUserView"""
+
+    def setUp(self):
+        super().setUp()
+        self.project = self.make_project(
+            'TestProject', PROJECT_TYPE_PROJECT, None
+        )
+        self.owner_as = self.make_assignment(
+            self.project, self.user, self.role_owner
+        )
+        self.user_new = self.make_user('user_new')
+        self.invite = self.make_invite(
             email=INVITE_EMAIL,
             project=self.project,
             role=self.role_contributor,
             issuer=self.user,
             message='',
         )
-        self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 1)
-        response = self.client.get(
-            reverse(
-                'projectroles:invite_process_local',
-                kwargs={'secret': invite.secret},
-            ),
-            follow=True,
+        self.url = reverse(
+            'projectroles:invite_process_new_user',
+            kwargs={'secret': self.invite.secret},
+        )
+        self.url_project = reverse(
+            'projectroles:detail',
+            kwargs={'project': self.project.sodar_uuid},
         )
+
+    def test_get(self):
+        """Test ProjectInviteProcessNewUserView GET"""
+        self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 1)
+        response = self.client.get(self.url)
+        self.assertEqual(response.context['invite'], self.invite)
+        email = response.context['form']['email'].value()
+        username = response.context['form']['username'].value()
+        self.assertEqual(email, self.invite.email)
+        self.assertEqual(username, self.invite.email.split('@')[0])
+
+    @override_settings(
+        ENABLE_LDAP=True,
+        AUTH_LDAP_USERNAME_DOMAIN=LDAP_DOMAIN,
+        AUTH_LDAP_DOMAIN_PRINTABLE='EXAMPLE',
+    )
+    def test_get_wrong_type_ldap(self):
+        """Test GET with LDAP invite"""
+        self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 1)
+        response = self.client.get(self.url, follow=True)
         self.assertRedirects(
             response, reverse('login') + '?next=' + reverse('home')
         )
         self.assertEqual(
             list(get_messages(response.wsgi_request))[0].message,
-            MSG_INVITE_LDAP_LOCAL_VIEW,
+            INVITE_LDAP_LOCAL_VIEW_MSG,
         )
 
     @override_settings(PROJECTROLES_ALLOW_LOCAL_USERS=False)
-    def test_get_local_user_disabled(self):
+    def test_get_local_users_disabled(self):
         """Test GET with local users disabled"""
-        invite = self.make_invite(
-            email=INVITE_EMAIL,
-            project=self.project,
-            role=self.role_contributor,
-            issuer=self.user,
-            message='',
-        )
         self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 1)
-        response = self.client.get(
-            reverse(
-                'projectroles:invite_accept',
-                kwargs={'secret': invite.secret},
-            ),
-            follow=True,
-        )
-        self.assertListEqual(
-            response.redirect_chain,
-            [(reverse('home'), 302), (reverse('login') + '?next=/', 302)],
-        )
-
-    @override_settings(PROJECTROLES_ALLOW_LOCAL_USERS=False)
-    def test_get_process_local_disabled(self):
-        """Test ProjectInviteProcessLocalView GET with local users disabled"""
-        invite = self.make_invite(
-            email=INVITE_EMAIL,
-            project=self.project,
-            role=self.role_contributor,
-            issuer=self.user,
-            message='',
-        )
-        self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 1)
-        response = self.client.get(
-            reverse(
-                'projectroles:invite_process_local',
-                kwargs={'secret': invite.secret},
-            ),
-            follow=True,
-        )
+        response = self.client.get(self.url, follow=True)
         self.assertRedirects(
             response, reverse('login') + '?next=' + reverse('home')
         )
         self.assertEqual(
             list(get_messages(response.wsgi_request))[0].message,
-            MSG_INVITE_LOCAL_NOT_ALLOWED,
+            INVITE_LOCAL_NOT_ALLOWED_MSG,
         )
 
-    @override_settings(PROJECTROLES_ALLOW_LOCAL_USERS=True)
-    def test_get_process_local_no_user_different_user_logged(self):
-        """Test ProjectInviteProcessLocalView GET with nonexistent user and different user logged in"""
-        invite = self.make_invite(
-            email=INVITE_EMAIL,
-            project=self.project,
-            role=self.role_contributor,
-            issuer=self.user,
-            message='',
-        )
+    def test_get_no_user_different_user_logged(self):
+        """Test GET with nonexistent user and different user logged in"""
         self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 1)
         with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'projectroles:invite_process_local',
-                    kwargs={'secret': invite.secret},
-                ),
-                follow=True,
-            )
+            response = self.client.get(self.url, follow=True)
         self.assertRedirects(response, reverse('home'))
         self.assertEqual(
             list(get_messages(response.wsgi_request))[0].message,
-            MSG_INVITE_LOGGED_IN_ACCEPT,
+            INVITE_LOGGED_IN_ACCEPT_MSG,
         )
 
-    @override_settings(PROJECTROLES_ALLOW_LOCAL_USERS=True)
-    def test_get_process_local_user_exists_different_user_logged(self):
-        """Test ProjectInviteProcessLocalView GET with existing user and different user logged in"""
+    def test_get_user_exists_different_user_logged(self):
+        """Test GET with existing user and different user logged in"""
         invited_user = self.make_user(INVITE_EMAIL.split('@')[0])
         invited_user.email = INVITE_EMAIL
         invited_user.save()
-        invite = self.make_invite(
-            email=INVITE_EMAIL,
-            project=self.project,
-            role=self.role_contributor,
-            issuer=self.user,
-            message='',
-        )
         self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 1)
         with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'projectroles:invite_process_local',
-                    kwargs={'secret': invite.secret},
-                ),
-                follow=True,
-            )
+            response = self.client.get(self.url, follow=True)
         self.assertRedirects(response, reverse('home'))
         self.assertEqual(
             list(get_messages(response.wsgi_request))[0].message,
-            MSG_INVITE_USER_NOT_EQUAL,
+            INVITE_USER_NOT_EQUAL_MSG,
         )
 
-    @override_settings(PROJECTROLES_ALLOW_LOCAL_USERS=True)
-    def test_get_process_local_user_exists_is_logged(self):
-        """Test ProjectInviteProcessLocalView GET with with existing and logged in user"""
+    def test_get_user_exists_not_logged(self):
+        """Test GET with existing user and no user logged in"""
         invited_user = self.make_user(INVITE_EMAIL.split('@')[0])
         invited_user.email = INVITE_EMAIL
         invited_user.save()
-        invite = self.make_invite(
-            email=INVITE_EMAIL,
-            project=self.project,
-            role=self.role_contributor,
-            issuer=self.user,
-            message='',
+        self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 1)
+        response = self.client.get(self.url, follow=True)
+        self.assertRedirects(response, reverse('login') + '?next=' + self.url)
+        self.assertEqual(
+            list(get_messages(response.wsgi_request))[0].message,
+            INVITE_USER_EXISTS_MSG,
         )
+
+    def test_get_user_exists_is_logged(self):
+        """Test GET with with existing and logged in user"""
+        invited_user = self.make_user(INVITE_EMAIL.split('@')[0])
+        invited_user.email = INVITE_EMAIL
+        invited_user.save()
         self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 1)
         with self.login(invited_user):
-            response = self.client.get(
-                reverse(
-                    'projectroles:invite_process_local',
-                    kwargs={'secret': invite.secret},
-                ),
-                follow=True,
-            )
-        self.assertRedirects(response, self.project_url)
+            response = self.client.get(self.url, follow=True)
+        self.assertRedirects(response, self.url_project)
         self.assertEqual(
             list(get_messages(response.wsgi_request))[0].message,
-            MSG_PROJECT_WELCOME.format(
+            PROJECT_WELCOME_MSG.format(
                 project_type='project',
                 project_title='TestProject',
                 role='project contributor',
             ),
         )
 
-    @override_settings(PROJECTROLES_ALLOW_LOCAL_USERS=True)
-    def test_get_process_local_user_exists_not_logged(self):
-        """Test ProjectInviteProcessLocalView GET with existing user and no user logged in"""
-        invited_user = self.make_user(INVITE_EMAIL.split('@')[0])
-        invited_user.email = INVITE_EMAIL
-        invited_user.save()
-        invite = self.make_invite(
-            email=INVITE_EMAIL,
-            project=self.project,
-            role=self.role_contributor,
-            issuer=self.user,
-            message='',
+    def test_post(self):
+        """Test POST"""
+        self.assertFalse(
+            RoleAssignment.objects.filter(
+                project=self.project, user=self.user_new
+            ).exists()
         )
-        self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 1)
-        response = self.client.get(
-            reverse(
-                'projectroles:invite_process_local',
-                kwargs={'secret': invite.secret},
-            ),
+        # NOTE: We must set HTTP_REFERER here for it to be included
+        response = self.client.post(
+            self.url,
+            data={
+                'first_name': 'First',
+                'last_name': 'Last',
+                'username': 'test',
+                'email': INVITE_EMAIL,
+                'password': 'asd',
+                'password_confirm': 'asd',
+            },
             follow=True,
+            HTTP_REFERER=self.url,
         )
-        self.assertRedirects(
-            response,
-            reverse(
-                'login',
-            )
-            + '?next='
-            + reverse(
-                'projectroles:invite_process_local',
-                kwargs={'secret': invite.secret},
-            ),
+        self.assertListEqual(
+            response.redirect_chain,
+            [
+                (self.url_project, 302),
+                (reverse('login') + '?next=' + self.url_project, 302),
+            ],
         )
         self.assertEqual(
-            list(get_messages(response.wsgi_request))[0].message,
-            MSG_INVITE_USER_EXISTS,
+            list(get_messages(response.wsgi_request))[1].message, LOGIN_MSG
         )
-
-    def test_get_role_exists(self):
-        """Test GET for user with roles in project"""
-        invited_user = self.make_user(INVITE_EMAIL.split('@')[0])
-        invited_user.email = INVITE_EMAIL
-        invited_user.save()
-        invite = self.make_invite(
-            email=INVITE_EMAIL,
-            project=self.project,
-            role=self.role_contributor,
-            issuer=self.user,
-            message='',
-        )
-        self.make_assignment(self.project, invited_user, self.role_guest)
-        self.assertTrue(invite.active)
-        self.assertIsNone(
-            ProjectEvent.objects.filter(event_name='invite_accept').first()
-        )
-
-        with self.login(invited_user):
-            response = self.client.get(
-                reverse(
-                    'projectroles:invite_accept',
-                    kwargs={'secret': invite.secret},
-                ),
-                follow=True,
-            )
-        self.assertRedirects(response, self.project_url)
-        invite.refresh_from_db()
-        self.assertFalse(invite.active)
-        # No timeline event should be created
-        self.assertIsNone(
-            ProjectEvent.objects.filter(event_name='invite_accept').first()
+        user = User.objects.get(username='test')
+        self.assertEqual(ProjectInvite.objects.filter(active=True).count(), 0)
+        self.assertTrue(
+            RoleAssignment.objects.filter(
+                project=self.project,
+                user=user,
+                role=self.role_contributor,
+            ).exists()
         )
 
 
 class TestProjectInviteListView(
-    ProjectMixin, RoleAssignmentMixin, ProjectInviteMixin, TestViewsBase
+    ProjectMixin, RoleAssignmentMixin, ProjectInviteMixin, ViewTestBase
 ):
     """Tests for ProjectInviteListView"""
 
@@ -4396,7 +4795,7 @@ def test_get_not_found(self):
 
 
 class TestProjectInviteRevokeView(
-    ProjectMixin, RoleAssignmentMixin, ProjectInviteMixin, TestViewsBase
+    ProjectMixin, RoleAssignmentMixin, ProjectInviteMixin, ViewTestBase
 ):
     """Tests for ProjectInviteRevokeView"""
 
@@ -4470,7 +4869,7 @@ def test_post_delegate_no_perms(self):
 # Remote view tests ------------------------------------------------------------
 
 
-class TestRemoteSiteListView(RemoteSiteMixin, TestViewsBase):
+class TestRemoteSiteListView(RemoteSiteMixin, ViewTestBase):
     """Tests for RemoteSiteListView"""
 
     def setUp(self):
@@ -4509,7 +4908,7 @@ def test_get_disable_categories(self):
             self.assertRedirects(response, reverse('home'))
 
 
-class TestRemoteSiteCreateView(RemoteSiteMixin, TestViewsBase):
+class TestRemoteSiteCreateView(RemoteSiteMixin, ViewTestBase):
     """Tests for RemoteSiteCreateView"""
 
     def setUp(self):
@@ -4556,20 +4955,21 @@ def test_post_source(self):
         """Test RemoteSiteCreateView POST as source site"""
         self.assertEqual(
             0,
-            ProjectEvent.objects.filter(
+            TimelineEvent.objects.filter(
                 event_name='target_site_create'
             ).count(),
         )
         self.assertEqual(RemoteSite.objects.all().count(), 0)
-        values = {
+        data = {
             'name': REMOTE_SITE_NAME,
             'url': REMOTE_SITE_URL,
             'description': REMOTE_SITE_DESC,
             'secret': REMOTE_SITE_SECRET,
             'user_display': REMOTE_SITE_USER_DISPLAY,
+            'owner_modifiable': REMOTE_SITE_OWNER_MODIFY,
         }
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
 
         self.assertEqual(RemoteSite.objects.all().count(), 1)
         site = RemoteSite.objects.first()
@@ -4582,11 +4982,12 @@ def test_post_source(self):
             'secret': REMOTE_SITE_SECRET,
             'sodar_uuid': site.sodar_uuid,
             'user_display': REMOTE_SITE_USER_DISPLAY,
+            'owner_modifiable': REMOTE_SITE_OWNER_MODIFY,
         }
         model_dict = model_to_dict(site)
         self.assertEqual(model_dict, expected)
 
-        tl_event = ProjectEvent.objects.filter(
+        tl_event = TimelineEvent.objects.filter(
             event_name='target_site_create'
         ).first()
         self.assertEqual(tl_event.event_name, 'target_site_create')
@@ -4598,18 +4999,19 @@ def test_post_target(self):
         """Test POST as target"""
         self.assertEqual(
             0,
-            ProjectEvent.objects.filter(event_name='source_site_set').count(),
+            TimelineEvent.objects.filter(event_name='source_site_set').count(),
         )
         self.assertEqual(RemoteSite.objects.all().count(), 0)
-        values = {
+        data = {
             'name': REMOTE_SITE_NAME,
             'url': REMOTE_SITE_URL,
             'description': REMOTE_SITE_DESC,
             'secret': REMOTE_SITE_SECRET,
             'user_display': REMOTE_SITE_USER_DISPLAY,
+            'owner_modifiable': REMOTE_SITE_OWNER_MODIFY,
         }
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
             self.assertRedirects(response, reverse('projectroles:remote_sites'))
 
         self.assertEqual(RemoteSite.objects.all().count(), 1)
@@ -4623,11 +5025,12 @@ def test_post_target(self):
             'secret': REMOTE_SITE_SECRET,
             'sodar_uuid': site.sodar_uuid,
             'user_display': REMOTE_SITE_USER_DISPLAY,
+            'owner_modifiable': REMOTE_SITE_OWNER_MODIFY,
         }
         model_dict = model_to_dict(site)
         self.assertEqual(model_dict, expected)
 
-        tl_event = ProjectEvent.objects.filter(
+        tl_event = TimelineEvent.objects.filter(
             event_name='source_site_set'
         ).first()
         self.assertEqual(tl_event.event_name, 'source_site_set')
@@ -4643,7 +5046,7 @@ def test_post_source_existing_name(self):
         )
         self.assertEqual(RemoteSite.objects.all().count(), 1)
 
-        values = {
+        data = {
             'name': REMOTE_SITE_NAME,  # Old name
             'url': REMOTE_SITE_NEW_URL,
             'description': REMOTE_SITE_NEW_DESC,
@@ -4651,12 +5054,12 @@ def test_post_source_existing_name(self):
             'user_display': REMOTE_SITE_USER_DISPLAY,
         }
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
         self.assertEqual(response.status_code, 200)
         self.assertEqual(RemoteSite.objects.all().count(), 1)
 
 
-class TestRemoteSiteUpdateView(RemoteSiteMixin, TestViewsBase):
+class TestRemoteSiteUpdateView(RemoteSiteMixin, ViewTestBase):
     """Tests for RemoteSiteUpdateView"""
 
     def setUp(self):
@@ -4703,20 +5106,21 @@ def test_post(self):
         """Test RemoteSiteUpdateView POST as source"""
         self.assertEqual(
             0,
-            ProjectEvent.objects.filter(
+            TimelineEvent.objects.filter(
                 event_name='target_site_update'
             ).count(),
         )
         self.assertEqual(RemoteSite.objects.all().count(), 1)
-        values = {
+        data = {
             'name': REMOTE_SITE_NEW_NAME,
             'url': REMOTE_SITE_NEW_URL,
             'description': REMOTE_SITE_NEW_DESC,
             'secret': REMOTE_SITE_SECRET,
             'user_display': REMOTE_SITE_USER_DISPLAY,
+            'owner_modifiable': REMOTE_SITE_OWNER_MODIFY,
         }
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
 
         self.assertEqual(RemoteSite.objects.all().count(), 1)
         site = RemoteSite.objects.first()
@@ -4729,11 +5133,12 @@ def test_post(self):
             'secret': REMOTE_SITE_SECRET,
             'sodar_uuid': site.sodar_uuid,
             'user_display': REMOTE_SITE_USER_DISPLAY,
+            'owner_modifiable': REMOTE_SITE_OWNER_MODIFY,
         }
         model_dict = model_to_dict(site)
         self.assertEqual(model_dict, expected)
 
-        tl_event = ProjectEvent.objects.filter(
+        tl_event = TimelineEvent.objects.filter(
             event_name='target_site_update'
         ).first()
         self.assertEqual(tl_event.event_name, 'target_site_update')
@@ -4742,7 +5147,7 @@ def test_post(self):
 
     def test_post_existing_name(self):
         """Test POST with existing name (should fail)"""
-        new_target_site = self.make_site(
+        target_site_new = self.make_site(
             name=REMOTE_SITE_NEW_NAME,
             url=REMOTE_SITE_NEW_URL,
             mode=SITE_MODE_TARGET,
@@ -4750,7 +5155,7 @@ def test_post_existing_name(self):
             secret=REMOTE_SITE_NEW_SECRET,
         )
         self.assertEqual(RemoteSite.objects.all().count(), 2)
-        values = {
+        data = {
             'name': REMOTE_SITE_NAME,  # Old name
             'url': REMOTE_SITE_NEW_URL,
             'description': REMOTE_SITE_NEW_DESC,
@@ -4761,15 +5166,15 @@ def test_post_existing_name(self):
             response = self.client.post(
                 reverse(
                     'projectroles:remote_site_update',
-                    kwargs={'remotesite': new_target_site.sodar_uuid},
+                    kwargs={'remotesite': target_site_new.sodar_uuid},
                 ),
-                values,
+                data,
             )
         self.assertEqual(response.status_code, 200)
         self.assertEqual(RemoteSite.objects.all().count(), 2)
 
 
-class TestRemoteSiteDeleteView(RemoteSiteMixin, TestViewsBase):
+class TestRemoteSiteDeleteView(RemoteSiteMixin, ViewTestBase):
     """Tests for RemoteSiteDeleteView"""
 
     def setUp(self):
@@ -4808,7 +5213,7 @@ def test_post(self):
         """Test RemoteSiteDeleteView POST"""
         self.assertEqual(
             0,
-            ProjectEvent.objects.filter(
+            TimelineEvent.objects.filter(
                 event_name='target_site_delete'
             ).count(),
         )
@@ -4816,7 +5221,7 @@ def test_post(self):
         with self.login(self.user):
             response = self.client.post(self.url)
             self.assertRedirects(response, reverse('projectroles:remote_sites'))
-        tl_event = ProjectEvent.objects.filter(
+        tl_event = TimelineEvent.objects.filter(
             event_name='target_site_delete'
         ).first()
         self.assertEqual(tl_event.event_name, 'target_site_delete')
@@ -4828,7 +5233,7 @@ class TestRemoteProjectBatchUpdateView(
     RoleAssignmentMixin,
     RemoteSiteMixin,
     RemoteProjectMixin,
-    TestViewsBase,
+    ViewTestBase,
 ):
     """Tests for RemoteProjectBatchUpdateView"""
 
@@ -4860,12 +5265,12 @@ def setUp(self):
     def test_post_confirm(self):
         """Test RemoteProjectBatchUpdateView POST in confirm mode"""
         access_field = 'remote_access_{}'.format(self.project.sodar_uuid)
-        values = {access_field: SODAR_CONSTANTS['REMOTE_LEVEL_READ_INFO']}
+        data = {access_field: SODAR_CONSTANTS['REMOTE_LEVEL_READ_INFO']}
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
         self.assertEqual(
             0,
-            ProjectEvent.objects.filter(
+            TimelineEvent.objects.filter(
                 event_name='remote_access_update'
             ).count(),
         )
@@ -4876,9 +5281,9 @@ def test_post_confirm(self):
     def test_post_confirm_no_change(self):
         """Test POST without changes (should redirect)"""
         access_field = 'remote_access_{}'.format(self.project.sodar_uuid)
-        values = {access_field: SODAR_CONSTANTS['REMOTE_LEVEL_NONE']}
+        data = {access_field: SODAR_CONSTANTS['REMOTE_LEVEL_NONE']}
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
             self.assertRedirects(
                 response,
                 reverse(
@@ -4889,7 +5294,7 @@ def test_post_confirm_no_change(self):
 
         self.assertEqual(
             0,
-            ProjectEvent.objects.filter(
+            TimelineEvent.objects.filter(
                 event_name='remote_access_update'
             ).count(),
         )
@@ -4898,18 +5303,18 @@ def test_post_create(self):
         """Test POST to create new RemoteProject"""
         self.assertEqual(
             0,
-            ProjectEvent.objects.filter(
+            TimelineEvent.objects.filter(
                 event_name='remote_batch_update'
             ).count(),
         )
         self.assertEqual(RemoteProject.objects.all().count(), 0)
         access_field = 'remote_access_{}'.format(self.project.sodar_uuid)
-        values = {
+        data = {
             access_field: SODAR_CONSTANTS['REMOTE_LEVEL_READ_INFO'],
             'update-confirmed': 1,
         }
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
             self.assertRedirects(
                 response,
                 reverse(
@@ -4923,7 +5328,7 @@ def test_post_create(self):
         self.assertEqual(rp.project_uuid, self.project.sodar_uuid)
         self.assertEqual(rp.level, SODAR_CONSTANTS['REMOTE_LEVEL_READ_INFO'])
 
-        tl_event = ProjectEvent.objects.filter(
+        tl_event = TimelineEvent.objects.filter(
             event_name='remote_batch_update'
         ).first()
         self.assertEqual(tl_event.event_name, 'remote_batch_update')
@@ -4932,7 +5337,7 @@ def test_post_update(self):
         """Test POST to update existing RemoteProject"""
         self.assertEqual(
             0,
-            ProjectEvent.objects.filter(
+            TimelineEvent.objects.filter(
                 event_name='remote_batch_update'
             ).count(),
         )
@@ -4944,12 +5349,12 @@ def test_post_update(self):
         self.assertEqual(RemoteProject.objects.all().count(), 1)
 
         access_field = 'remote_access_{}'.format(self.project.sodar_uuid)
-        values = {
+        data = {
             access_field: SODAR_CONSTANTS['REMOTE_LEVEL_READ_INFO'],
             'update-confirmed': 1,
         }
         with self.login(self.user):
-            response = self.client.post(self.url, values)
+            response = self.client.post(self.url, data)
             self.assertRedirects(
                 response,
                 reverse(
@@ -4963,7 +5368,7 @@ def test_post_update(self):
         self.assertEqual(rp.project_uuid, self.project.sodar_uuid)
         self.assertEqual(rp.level, SODAR_CONSTANTS['REMOTE_LEVEL_READ_INFO'])
 
-        tl_event = ProjectEvent.objects.filter(
+        tl_event = TimelineEvent.objects.filter(
             event_name='remote_batch_update'
         ).first()
         self.assertEqual(tl_event.event_name, 'remote_batch_update')
@@ -4977,7 +5382,7 @@ class TestUserUpdateView(TestCase):
 
     def setUp(self):
         self.user_local = self.make_user('local_user')
-        self.user_ldap = self.make_user('ldap_user@EXAMPLE')
+        self.user_ldap = self.make_user('ldap_user@' + LDAP_DOMAIN)
         self.url = reverse('projectroles:user_update')
 
     def test_get_local_user(self):
@@ -4986,6 +5391,7 @@ def test_get_local_user(self):
             response = self.client.get(self.url)
         self.assertEqual(response.status_code, 200)
 
+    @override_settings(AUTH_LDAP_USERNAME_DOMAIN=LDAP_DOMAIN)
     def test_get_ldap_user(self):
         """Test GET with LDAP user"""
         with self.login(self.user_ldap):
@@ -4993,7 +5399,7 @@ def test_get_ldap_user(self):
         self.assertRedirects(response, reverse('home'))
         self.assertEqual(
             list(get_messages(response.wsgi_request))[0].message,
-            MSG_USER_PROFILE_LDAP,
+            USER_PROFILE_LDAP_MSG,
         )
 
     def test_post_local_user(self):
diff --git a/projectroles/tests/test_views_ajax.py b/projectroles/tests/test_views_ajax.py
index 4b0e70dc..1cd6acca 100644
--- a/projectroles/tests/test_views_ajax.py
+++ b/projectroles/tests/test_views_ajax.py
@@ -4,16 +4,20 @@
 
 from django.test import override_settings
 from django.urls import reverse
+from django.utils import timezone
 
 from test_plus.test import TestCase
 
 from projectroles.app_settings import AppSettingAPI
+from projectroles.models import AppSetting, SODAR_CONSTANTS
 from projectroles.tests.test_models import (
     ProjectMixin,
     RoleAssignmentMixin,
+    RemoteSiteMixin,
+    RemoteProjectMixin,
 )
 from projectroles.tests.test_views import (
-    TestViewsBase,
+    ViewTestBase,
     PROJECT_TYPE_CATEGORY,
     PROJECT_TYPE_PROJECT,
 )
@@ -23,7 +27,15 @@
 app_settings = AppSettingAPI()
 
 
-class TestProjectListAjaxView(ProjectMixin, RoleAssignmentMixin, TestViewsBase):
+# SODAR constants
+SITE_MODE_TARGET = SODAR_CONSTANTS['SITE_MODE_TARGET']
+REMOTE_LEVEL_READ_ROLES = SODAR_CONSTANTS['REMOTE_LEVEL_READ_ROLES']
+
+# Local constants
+INVALID_UUID = '11111111-1111-1111-1111-111111111111'
+
+
+class TestProjectListAjaxView(ProjectMixin, RoleAssignmentMixin, ViewTestBase):
     """Tests for ProjectListAjaxView"""
 
     def setUp(self):
@@ -241,7 +253,7 @@ def test_get_finder_other_branch(self):
 
 
 class TestProjectListColumnAjaxView(
-    ProjectMixin, RoleAssignmentMixin, TestViewsBase
+    ProjectMixin, RoleAssignmentMixin, ViewTestBase
 ):
     """Tests for ProjectListColumnAjaxView"""
 
@@ -320,7 +332,7 @@ def test_post_no_permission(self):
 
 
 class TestProjectListRoleAjaxView(
-    ProjectMixin, RoleAssignmentMixin, TestViewsBase
+    ProjectMixin, RoleAssignmentMixin, ViewTestBase
 ):
     """Tests for ProjectListRoleAjaxView"""
 
@@ -409,10 +421,16 @@ def test_post_no_access(self):
 
 
 class TestProjectStarringAjaxView(
-    ProjectMixin, RoleAssignmentMixin, TestViewsBase
+    ProjectMixin, RoleAssignmentMixin, ViewTestBase
 ):
     """Tests for ProjectStarringAjaxView"""
 
+    def _assert_setting_count(self, count):
+        qs = AppSetting.objects.filter(
+            app_plugin=None, project=self.project, name='project_star'
+        )
+        self.assertEqual(qs.count(), count)
+
     def setUp(self):
         super().setUp()
         self.project = self.make_project(
@@ -424,6 +442,7 @@ def setUp(self):
 
     def test_project_star(self):
         """Test Starring a Project"""
+        self._assert_setting_count(0)
         with self.login(self.user):
             response = self.client.post(
                 reverse(
@@ -432,6 +451,7 @@ def test_project_star(self):
                 )
             )
         self.assertEqual(response.status_code, 200)
+        self._assert_setting_count(1)
         star = app_settings.get(
             'projectroles', 'project_star', self.project, self.user
         )
@@ -448,9 +468,549 @@ def test_project_star(self):
         star = app_settings.get(
             'projectroles', 'project_star', self.project, self.user
         )
+        self._assert_setting_count(1)
         self.assertEqual(star, False)
 
 
+class TestRemoteProjectAccessAjaxView(
+    ProjectMixin,
+    RoleAssignmentMixin,
+    RemoteSiteMixin,
+    RemoteProjectMixin,
+    ViewTestBase,
+):
+    """Tests for RemoteProjectAccessAjaxView"""
+
+    @classmethod
+    def _get_query_string(cls, *args):
+        """Get query string for GET requests"""
+        return '?' + '&'.join(['rp={}'.format(rp.sodar_uuid) for rp in args])
+
+    def setUp(self):
+        super().setUp()
+        self.category = self.make_project(
+            'TestCategory', PROJECT_TYPE_CATEGORY, None
+        )
+        self.owner_as_cat = self.make_assignment(
+            self.category, self.user, self.role_owner
+        )
+        self.project = self.make_project(
+            'TestProject', PROJECT_TYPE_PROJECT, self.category
+        )
+        self.owner_as = self.make_assignment(
+            self.project, self.user, self.role_owner
+        )
+        self.remote_site = self.make_site(
+            name='RemoteSite',
+            url='https://remote.site',
+            mode=SITE_MODE_TARGET,
+        )
+        self.remote_project = self.make_remote_project(
+            project_uuid=self.project.sodar_uuid,
+            site=self.remote_site,
+            level=REMOTE_LEVEL_READ_ROLES,
+            project=self.project,
+        )
+        self.rp_uuid = str(self.remote_project.sodar_uuid)
+        self.remote_site2 = self.make_site(
+            name='RemoteSite2',
+            url='https://remote.site2',
+            mode=SITE_MODE_TARGET,
+        )
+        self.remote_project2 = self.make_remote_project(
+            project_uuid=self.project.sodar_uuid,
+            site=self.remote_site2,
+            level=REMOTE_LEVEL_READ_ROLES,
+            project=self.project,
+        )
+        self.rp_uuid2 = str(self.remote_project2.sodar_uuid)
+        self.query_string = self._get_query_string(
+            self.remote_project, self.remote_project2
+        )
+        self.url = reverse(
+            'projectroles:ajax_remote_access',
+            kwargs={'project': self.project.sodar_uuid},
+        )
+
+    def test_get(self):
+        """Test RemoteProjectAccessAjaxView GET"""
+        with self.login(self.user):
+            response = self.client.get(self.url + self.query_string)
+        self.assertEqual(response.status_code, 200)
+        expected = {self.rp_uuid: False, self.rp_uuid2: False}
+        self.assertEqual(response.data, expected)
+
+    def test_get_accessed(self):
+        """Test GET with one remote project accessed"""
+        self.remote_project.date_access = timezone.now()
+        self.remote_project.save()
+        with self.login(self.user):
+            response = self.client.get(self.url + self.query_string)
+        self.assertEqual(response.status_code, 200)
+        expected = {self.rp_uuid: True, self.rp_uuid2: False}
+        self.assertEqual(response.data, expected)
+
+    def test_get_accessed_multiple(self):
+        """Test GET with multiple remote projects accessed"""
+        self.remote_project.date_access = timezone.now()
+        self.remote_project.save()
+        self.remote_project2.date_access = timezone.now()
+        self.remote_project2.save()
+        with self.login(self.user):
+            response = self.client.get(self.url + self.query_string)
+        self.assertEqual(response.status_code, 200)
+        expected = {self.rp_uuid: True, self.rp_uuid2: True}
+        self.assertEqual(response.data, expected)
+
+    def test_get_wrong_project(self):
+        """Test GET with remote project for a different project"""
+        new_project = self.make_project(
+            'NewProject', PROJECT_TYPE_PROJECT, self.category
+        )
+        new_rp = self.make_remote_project(
+            new_project.sodar_uuid,
+            self.remote_site,
+            REMOTE_LEVEL_READ_ROLES,
+            project=new_project,
+        )
+        with self.login(self.user):
+            response = self.client.get(
+                self.url + self._get_query_string(new_rp)
+            )
+        self.assertEqual(response.status_code, 400)
+
+    def test_get_invalid_uuid(self):
+        """Test GET with invalid remote project UUID"""
+        with self.login(self.user):
+            response = self.client.get(self.url + '?rp=' + INVALID_UUID)
+        self.assertEqual(response.status_code, 404)
+
+
+class TestSidebarContentAjaxView(
+    ProjectMixin, RoleAssignmentMixin, ViewTestBase
+):
+    """Tests for SidebarContentAjaxView"""
+
+    def setUp(self):
+        super().setUp()
+        self.category = self.make_project(
+            'TestCategory', PROJECT_TYPE_CATEGORY, None
+        )
+        self.owner_as_cat = self.make_assignment(
+            self.category, self.user, self.role_owner
+        )
+        self.project = self.make_project(
+            'TestProject', PROJECT_TYPE_PROJECT, self.category
+        )
+        self.owner_as = self.make_assignment(
+            self.project, self.user, self.role_owner
+        )
+
+    def test_get(self):
+        """Test sidebar content retrieval"""
+        with self.login(self.user):
+            response = self.client.get(
+                reverse(
+                    'projectroles:ajax_sidebar',
+                    kwargs={'project': self.project.sodar_uuid},
+                )
+            )
+        self.assertEqual(response.status_code, 200)
+        expected = {
+            'links': [
+                {
+                    'name': 'project-detail',
+                    'url': f'/project/{self.project.sodar_uuid}',
+                    'label': 'Project Overview',
+                    'icon': 'mdi:cube',
+                    'active': False,
+                },
+                {
+                    'name': 'app-plugin-bgjobs',
+                    'url': f'/bgjobs/list/{self.project.sodar_uuid}',
+                    'label': 'Background Jobs',
+                    'icon': 'mdi:server',
+                    'active': False,
+                },
+                {
+                    'name': 'app-plugin-example_project_app',
+                    'url': f'/examples/project/{self.project.sodar_uuid}',
+                    'label': 'Example Project App',
+                    'icon': 'mdi:rocket-launch',
+                    'active': False,
+                },
+                {
+                    'name': 'app-plugin-filesfolders',
+                    'url': f'/files/{self.project.sodar_uuid}',
+                    'label': 'Files',
+                    'icon': 'mdi:file',
+                    'active': False,
+                },
+                {
+                    'name': 'app-plugin-timeline',
+                    'url': f'/timeline/{self.project.sodar_uuid}',
+                    'label': 'Timeline',
+                    'icon': 'mdi:clock-time-eight',
+                    'active': False,
+                },
+                {
+                    'name': 'project-roles',
+                    'url': f'/project/members/{self.project.sodar_uuid}',
+                    'label': 'Members',
+                    'icon': 'mdi:account-multiple',
+                    'active': False,
+                },
+                {
+                    'name': 'project-update',
+                    'url': f'/project/update/{self.project.sodar_uuid}',
+                    'label': 'Update Project',
+                    'icon': 'mdi:lead-pencil',
+                    'active': False,
+                },
+            ],
+        }
+        self.assertEqual(response.json(), expected)
+
+    def test_get_app_links(self):
+        """Test sidebar content retrieval with specific app links"""
+        with self.login(self.user):
+            response = self.client.get(
+                reverse(
+                    'projectroles:ajax_sidebar',
+                    kwargs={'project': self.project.sodar_uuid},
+                )
+                + '?app_name=filesfolders'
+            )
+        self.assertEqual(response.status_code, 200)
+        expected = {
+            'links': [
+                {
+                    'name': 'project-detail',
+                    'url': f'/project/{self.project.sodar_uuid}',
+                    'label': 'Project Overview',
+                    'icon': 'mdi:cube',
+                    'active': False,
+                },
+                {
+                    'name': 'app-plugin-bgjobs',
+                    'url': f'/bgjobs/list/{self.project.sodar_uuid}',
+                    'label': 'Background Jobs',
+                    'icon': 'mdi:server',
+                    'active': False,
+                },
+                {
+                    'name': 'app-plugin-example_project_app',
+                    'url': f'/examples/project/{self.project.sodar_uuid}',
+                    'label': 'Example Project App',
+                    'icon': 'mdi:rocket-launch',
+                    'active': False,
+                },
+                {
+                    'name': 'app-plugin-filesfolders',
+                    'url': f'/files/{self.project.sodar_uuid}',
+                    'label': 'Files',
+                    'icon': 'mdi:file',
+                    'active': True,
+                },
+                {
+                    'name': 'app-plugin-timeline',
+                    'url': f'/timeline/{self.project.sodar_uuid}',
+                    'label': 'Timeline',
+                    'icon': 'mdi:clock-time-eight',
+                    'active': False,
+                },
+                {
+                    'name': 'project-roles',
+                    'url': f'/project/members/{self.project.sodar_uuid}',
+                    'label': 'Members',
+                    'icon': 'mdi:account-multiple',
+                    'active': False,
+                },
+                {
+                    'name': 'project-update',
+                    'url': f'/project/update/{self.project.sodar_uuid}',
+                    'label': 'Update Project',
+                    'icon': 'mdi:lead-pencil',
+                    'active': False,
+                },
+            ],
+        }
+        self.assertEqual(response.json(), expected)
+
+    def test_get_no_access(self):
+        """Test sidebar content retrieval with no access"""
+        new_user = self.make_user('new_user')
+        with self.login(new_user):
+            response = self.client.get(
+                reverse(
+                    'projectroles:ajax_sidebar',
+                    kwargs={'project': self.project.sodar_uuid},
+                )
+            )
+        self.assertEqual(response.status_code, 403)
+
+
+class TestUserDropdownContentAjaxView(ViewTestBase):
+    """Tests for UserDropdownContentAjaxView"""
+
+    def setUp(self):
+        super().setUp()
+        self.user = self.make_user('user')
+        self.user.is_superuser = True
+        self.user.save()
+        self.reg_user = self.make_user('reg_user')
+
+    def test_regular_user(self):
+        """Test UserDropdownContentAjaxView with regular user"""
+        with self.login(self.reg_user):
+            response = self.client.get(
+                reverse('projectroles:ajax_user_dropdown')
+            )
+        self.assertEqual(response.status_code, 200)
+        expected = {
+            'links': [
+                {
+                    'name': 'appalerts',
+                    'url': '/alerts/app/list',
+                    'label': 'App Alerts',
+                    'icon': 'mdi:alert-octagram',
+                    'active': False,
+                },
+                {
+                    'name': 'example_site_app',
+                    'url': '/examples/site/example',
+                    'label': 'Example Site App',
+                    'icon': 'mdi:rocket-launch-outline',
+                    'active': False,
+                },
+                {
+                    'name': 'timeline_site',
+                    'url': '/timeline/site',
+                    'label': 'Site-Wide Events',
+                    'icon': 'mdi:clock-time-eight-outline',
+                    'active': False,
+                },
+                {
+                    'name': 'tokens',
+                    'url': '/tokens/',
+                    'label': 'API Tokens',
+                    'icon': 'mdi:key-chain-variant',
+                    'active': False,
+                },
+                {
+                    'name': 'userprofile',
+                    'url': '/user/profile',
+                    'label': 'User Profile',
+                    'icon': 'mdi:account-details',
+                    'active': False,
+                },
+                {
+                    'name': 'sign-out',
+                    'url': '/logout/',
+                    'label': 'Logout',
+                    'icon': 'mdi:logout-variant',
+                    'active': False,
+                },
+            ]
+        }
+        self.assertEqual(response.json(), expected)
+
+    def test_superuser(self):
+        """Test UserDropdownContentAjaxView with superuser"""
+        with self.login(self.user):
+            response = self.client.get(
+                reverse('projectroles:ajax_user_dropdown')
+            )
+        self.assertEqual(response.status_code, 200)
+        expected = {
+            'links': [
+                {
+                    'name': 'adminalerts',
+                    'url': '/alerts/adm/list',
+                    'label': 'Admin Alerts',
+                    'icon': 'mdi:alert',
+                    'active': False,
+                },
+                {
+                    'name': 'appalerts',
+                    'url': '/alerts/app/list',
+                    'label': 'App Alerts',
+                    'icon': 'mdi:alert-octagram',
+                    'active': False,
+                },
+                {
+                    'name': 'bgjobs_site',
+                    'url': '/bgjobs/list',
+                    'label': 'Site Background Jobs',
+                    'icon': 'mdi:server',
+                    'active': False,
+                },
+                {
+                    'name': 'example_site_app',
+                    'url': '/examples/site/example',
+                    'label': 'Example Site App',
+                    'icon': 'mdi:rocket-launch-outline',
+                    'active': False,
+                },
+                {
+                    'name': 'remotesites',
+                    'url': '/project/remote/sites',
+                    'label': 'Remote Site Access',
+                    'icon': 'mdi:cloud-sync',
+                    'active': False,
+                },
+                {
+                    'name': 'siteinfo',
+                    'url': '/siteinfo/info',
+                    'label': 'Site Info',
+                    'icon': 'mdi:bar-chart',
+                    'active': False,
+                },
+                {
+                    'name': 'timeline_site',
+                    'url': '/timeline/site',
+                    'label': 'Site-Wide Events',
+                    'icon': 'mdi:clock-time-eight-outline',
+                    'active': False,
+                },
+                {
+                    'name': 'timeline_site_admin',
+                    'url': '/timeline/site/all',
+                    'label': 'All Timeline Events',
+                    'icon': 'mdi:web-clock',
+                    'active': False,
+                },
+                {
+                    'name': 'tokens',
+                    'url': '/tokens/',
+                    'label': 'API Tokens',
+                    'icon': 'mdi:key-chain-variant',
+                    'active': False,
+                },
+                {
+                    'name': 'userprofile',
+                    'url': '/user/profile',
+                    'label': 'User Profile',
+                    'icon': 'mdi:account-details',
+                    'active': False,
+                },
+                {
+                    'name': 'admin',
+                    'url': '/admin/',
+                    'label': 'Django Admin',
+                    'icon': 'mdi:cogs',
+                    'active': False,
+                },
+                {
+                    'name': 'sign-out',
+                    'url': '/logout/',
+                    'label': 'Logout',
+                    'icon': 'mdi:logout-variant',
+                    'active': False,
+                },
+            ]
+        }
+        self.assertEqual(response.json(), expected)
+
+    def test_superuser_app_links(self):
+        """Test UserDropdownContentAjaxView with superuser"""
+        with self.login(self.user):
+            response = self.client.get(
+                reverse('projectroles:ajax_user_dropdown')
+                + '?app_name=example_site_app'
+            )
+        self.assertEqual(response.status_code, 200)
+        expected = {
+            'links': [
+                {
+                    'name': 'adminalerts',
+                    'url': '/alerts/adm/list',
+                    'label': 'Admin Alerts',
+                    'icon': 'mdi:alert',
+                    'active': False,
+                },
+                {
+                    'name': 'appalerts',
+                    'url': '/alerts/app/list',
+                    'label': 'App Alerts',
+                    'icon': 'mdi:alert-octagram',
+                    'active': False,
+                },
+                {
+                    'name': 'bgjobs_site',
+                    'url': '/bgjobs/list',
+                    'label': 'Site Background Jobs',
+                    'icon': 'mdi:server',
+                    'active': False,
+                },
+                {
+                    'name': 'example_site_app',
+                    'url': '/examples/site/example',
+                    'label': 'Example Site App',
+                    'icon': 'mdi:rocket-launch-outline',
+                    'active': True,
+                },
+                {
+                    'name': 'remotesites',
+                    'url': '/project/remote/sites',
+                    'label': 'Remote Site Access',
+                    'icon': 'mdi:cloud-sync',
+                    'active': False,
+                },
+                {
+                    'name': 'siteinfo',
+                    'url': '/siteinfo/info',
+                    'label': 'Site Info',
+                    'icon': 'mdi:bar-chart',
+                    'active': False,
+                },
+                {
+                    'name': 'timeline_site',
+                    'url': '/timeline/site',
+                    'label': 'Site-Wide Events',
+                    'icon': 'mdi:clock-time-eight-outline',
+                    'active': False,
+                },
+                {
+                    'name': 'timeline_site_admin',
+                    'url': '/timeline/site/all',
+                    'label': 'All Timeline Events',
+                    'icon': 'mdi:web-clock',
+                    'active': False,
+                },
+                {
+                    'name': 'tokens',
+                    'url': '/tokens/',
+                    'label': 'API Tokens',
+                    'icon': 'mdi:key-chain-variant',
+                    'active': False,
+                },
+                {
+                    'name': 'userprofile',
+                    'url': '/user/profile',
+                    'label': 'User Profile',
+                    'icon': 'mdi:account-details',
+                    'active': False,
+                },
+                {
+                    'name': 'admin',
+                    'url': '/admin/',
+                    'label': 'Django Admin',
+                    'icon': 'mdi:cogs',
+                    'active': False,
+                },
+                {
+                    'name': 'sign-out',
+                    'url': '/logout/',
+                    'label': 'Logout',
+                    'icon': 'mdi:logout-variant',
+                    'active': False,
+                },
+            ]
+        }
+        self.assertEqual(response.json(), expected)
+
+
 class TestCurrentUserRetrieveAjaxView(SerializedObjectMixin, TestCase):
     """Tests for CurrentUserRetrieveAjaxView"""
 
diff --git a/projectroles/tests/test_views_api.py b/projectroles/tests/test_views_api.py
index 3fa334a0..99ab2114 100644
--- a/projectroles/tests/test_views_api.py
+++ b/projectroles/tests/test_views_api.py
@@ -16,7 +16,7 @@
 from test_plus.test import APITestCase
 
 # Timeline dependency
-from timeline.models import ProjectEvent
+from timeline.models import TimelineEvent
 
 from projectroles import views_api
 from projectroles.app_settings import AppSettingAPI
@@ -25,6 +25,7 @@
     RoleAssignment,
     ProjectInvite,
     AppSetting,
+    SODARUserAdditionalEmail,
     SODAR_CONSTANTS,
     CAT_DELIMITER,
 )
@@ -38,9 +39,11 @@
     RemoteSiteMixin,
     RemoteProjectMixin,
     AppSettingMixin,
+    SODARUserAdditionalEmailMixin,
+    ADD_EMAIL,
 )
 from projectroles.tests.test_views import (
-    TestViewsBase,
+    ViewTestBase,
     REMOTE_SITE_NAME,
     REMOTE_SITE_URL,
     REMOTE_SITE_DESC,
@@ -64,6 +67,8 @@
 SITE_MODE_TARGET = SODAR_CONSTANTS['SITE_MODE_TARGET']
 
 # Local constants
+CORE_API_MEDIA_TYPE_LEGACY = 'application/vnd.bihealth.sodar-core+json'
+CORE_API_DEFAULT_VERSION_LEGACY = '0.13.4'
 CORE_API_MEDIA_TYPE_INVALID = 'application/vnd.bihealth.invalid'
 CORE_API_VERSION_INVALID = '9.9.9'
 
@@ -82,6 +87,8 @@
 EMPTY_KNOX_TOKEN = '__EmpTy_KnoX_tOkEn_FoR_tEsT_oNlY_0xDEADBEEF__'
 
 EX_APP_NAME = 'example_project_app'
+TEST_SERVER_URL = 'http://testserver'
+LDAP_DOMAIN = 'EXAMPLE'
 
 
 # Base Classes -----------------------------------------------------------------
@@ -100,7 +107,11 @@ def get_serialized_user(cls, user):
         :param user: User object
         :return: Dict
         """
+        add_emails = SODARUserAdditionalEmail.objects.filter(
+            user=user, verified=True
+        ).order_by('email')
         return {
+            'additional_emails': [e.email for e in add_emails],
             'email': user.email,
             'is_superuser': user.is_superuser,
             'name': user.name,
@@ -116,7 +127,8 @@ class SODARAPIViewTestMixin(SerializedObjectMixin):
     """
 
     # Default API header parameters are for external SODAR site APIs
-    # Override these for testing SODAR Core API views
+    # DEPRECATED: To be removed in SODAR Core v1.1 (see #1401)
+    # Instead, provide a media type and version specific to your app
     media_type = settings.SODAR_API_MEDIA_TYPE
     api_version = settings.SODAR_API_DEFAULT_VERSION
 
@@ -229,7 +241,7 @@ def request_knox(
         return req_method(url, **req_kwargs)
 
 
-class TestAPIViewsBase(
+class APIViewTestBase(
     ProjectMixin,
     RoleMixin,
     RoleAssignmentMixin,
@@ -270,25 +282,26 @@ def setUp(self):
         self.knox_token = self.get_token(self.user)
 
 
-class TestCoreAPIViewsBase(TestAPIViewsBase):
-    """Override of TestAPIViewsBase to be used with SODAR Core API views"""
+class ProjectrolesAPIViewTestBase(APIViewTestBase):
+    """Override of APIViewTestBase to be used with Projectroles API views"""
 
-    media_type = views_api.CORE_API_MEDIA_TYPE
-    api_version = views_api.CORE_API_DEFAULT_VERSION
+    media_type = views_api.PROJECTROLES_API_MEDIA_TYPE
+    api_version = views_api.PROJECTROLES_API_DEFAULT_VERSION
 
 
 # Tests ------------------------------------------------------------------------
 
 
-class TestProjectListAPIView(TestCoreAPIViewsBase):
+class TestProjectListAPIView(ProjectrolesAPIViewTestBase):
     """Tests for ProjectListAPIView"""
 
-    def test_get(self):
-        """Test ProjectListAPIView get() as superuser"""
-        url = reverse('projectroles:api_project_list')
-        response = self.request_knox(url)
+    def setUp(self):
+        super().setUp()
+        self.url = reverse('projectroles:api_project_list')
 
-        # Assert response
+    def test_get(self):
+        """Test ProjectListAPIView GET as superuser"""
+        response = self.request_knox(self.url)
         self.assertEqual(response.status_code, 200)
         response_data = json.loads(response.content)
         self.assertEqual(len(response_data), 2)
@@ -301,6 +314,7 @@ def test_get(self):
                 'readme': '',
                 'public_guest_access': False,
                 'archive': False,
+                'full_title': self.category.full_title,
                 'roles': {
                     str(self.owner_as_cat.sodar_uuid): {
                         'user': self.get_serialized_user(self.user_owner_cat),
@@ -319,6 +333,7 @@ def test_get(self):
                 'readme': '',
                 'public_guest_access': False,
                 'archive': False,
+                'full_title': self.project.full_title,
                 'roles': {
                     str(self.owner_as_cat.sodar_uuid): {
                         'user': self.get_serialized_user(self.user_owner_cat),
@@ -339,19 +354,19 @@ def test_get(self):
         self.assertEqual(response_data, expected)
 
     def test_get_cat_owner(self):
-        """Test ProjectListAPIView get() as category owner"""
-        url = reverse('projectroles:api_project_list')
+        """Test GET as category owner"""
         response = self.request_knox(
-            url, token=self.get_token(self.user_owner_cat)
+            self.url, token=self.get_token(self.user_owner_cat)
         )
         self.assertEqual(response.status_code, 200)
         response_data = json.loads(response.content)
         self.assertEqual(len(response_data), 2)
 
     def test_get_owner(self):
-        """Test ProjectListAPIView get() as project owner"""
-        url = reverse('projectroles:api_project_list')
-        response = self.request_knox(url, token=self.get_token(self.user_owner))
+        """Test GET as project owner"""
+        response = self.request_knox(
+            self.url, token=self.get_token(self.user_owner)
+        )
         self.assertEqual(response.status_code, 200)
         response_data = json.loads(response.content)
         self.assertEqual(len(response_data), 1)
@@ -360,20 +375,18 @@ def test_get_owner(self):
         )
 
     def test_get_no_roles(self):
-        """Test ProjectListAPIView get() without roles"""
+        """Test GET without roles"""
         user_new = self.make_user('user_new')
-        url = reverse('projectroles:api_project_list')
-        response = self.request_knox(url, token=self.get_token(user_new))
+        response = self.request_knox(self.url, token=self.get_token(user_new))
         self.assertEqual(response.status_code, 200)
         response_data = json.loads(response.content)
         self.assertEqual(len(response_data), 0)
 
     def test_get_member(self):
-        """Test ProjectListAPIView get() with only local role"""
+        """Test GET with only local role"""
         user_new = self.make_user('user_new')
         self.make_assignment(self.project, user_new, self.role_contributor)
-        url = reverse('projectroles:api_project_list')
-        response = self.request_knox(url, token=self.get_token(user_new))
+        response = self.request_knox(self.url, token=self.get_token(user_new))
         self.assertEqual(response.status_code, 200)
         response_data = json.loads(response.content)
         self.assertEqual(len(response_data), 1)
@@ -382,7 +395,7 @@ def test_get_member(self):
         )
 
     def test_get_inherited_member(self):
-        """Test ProjectListAPIView get() with inherited member role"""
+        """Test GET with inherited member role"""
         sub_category = self.make_project(
             'SubCategory', PROJECT_TYPE_CATEGORY, self.category
         )
@@ -393,18 +406,16 @@ def test_get_inherited_member(self):
         self.make_assignment(sub_project, self.user_owner, self.role_owner)
         user_new = self.make_user('user_new')
         self.make_assignment(self.category, user_new, self.role_contributor)
-        url = reverse('projectroles:api_project_list')
-        response = self.request_knox(url, token=self.get_token(user_new))
+        response = self.request_knox(self.url, token=self.get_token(user_new))
         self.assertEqual(response.status_code, 200)
         response_data = json.loads(response.content)
         self.assertEqual(len(response_data), 4)
 
     def test_get_finder(self):
-        """Test ProjectListAPIView get() with finder"""
+        """Test GET with finder"""
         user_new = self.make_user('user_new')
         self.make_assignment(self.category, user_new, self.role_finder)
-        url = reverse('projectroles:api_project_list')
-        response = self.request_knox(url, token=self.get_token(user_new))
+        response = self.request_knox(self.url, token=self.get_token(user_new))
         self.assertEqual(response.status_code, 200)
         response_data = json.loads(response.content)
         self.assertEqual(len(response_data), 2)
@@ -418,17 +429,17 @@ def test_get_finder(self):
             response_data[1],
             {
                 'title': self.project.title,
+                'full_title': self.project.full_title,
                 'sodar_uuid': str(self.project.sodar_uuid),
             },
         )
 
     def test_get_public_guest_access(self):
-        """Test ProjectListAPIView get() with public guest access"""
+        """Test GET with public guest access"""
         self.project.public_guest_access = True
         self.project.save()
         user_new = self.make_user('user_new')
-        url = reverse('projectroles:api_project_list')
-        response = self.request_knox(url, token=self.get_token(user_new))
+        response = self.request_knox(self.url, token=self.get_token(user_new))
         self.assertEqual(response.status_code, 200)
         response_data = json.loads(response.content)
         self.assertEqual(len(response_data), 1)
@@ -436,12 +447,48 @@ def test_get_public_guest_access(self):
             response_data[0]['sodar_uuid'], str(self.project.sodar_uuid)
         )
 
+    def test_get_pagination(self):
+        """Test GET with pagination"""
+        url = self.url + '?page=1'
+        response = self.request_knox(url)
+        self.assertEqual(response.status_code, 200)
+        response_data = json.loads(response.content)
+        expected = {
+            'count': 2,
+            'next': TEST_SERVER_URL + self.url + '?page=2',
+            'previous': None,
+            'results': [
+                {
+                    'title': self.category.title,
+                    'type': self.category.type,
+                    'parent': None,
+                    'description': self.category.description,
+                    'readme': '',
+                    'public_guest_access': False,
+                    'archive': False,
+                    'full_title': self.category.full_title,
+                    'roles': {
+                        str(self.owner_as_cat.sodar_uuid): {
+                            'user': self.get_serialized_user(
+                                self.user_owner_cat
+                            ),
+                            'role': PROJECT_ROLE_OWNER,
+                            'inherited': False,
+                            'sodar_uuid': str(self.owner_as_cat.sodar_uuid),
+                        }
+                    },
+                    'sodar_uuid': str(self.category.sodar_uuid),
+                }
+            ],
+        }
+        self.assertEqual(response_data, expected)
+
 
-class TestProjectRetrieveAPIView(AppSettingMixin, TestCoreAPIViewsBase):
+class TestProjectRetrieveAPIView(AppSettingMixin, ProjectrolesAPIViewTestBase):
     """Tests for ProjectRetrieveAPIView"""
 
     def test_get_category(self):
-        """Test ProjectRetrieveAPIView get() with a category"""
+        """Test ProjectRetrieveAPIView GET with category"""
         url = reverse(
             'projectroles:api_project_retrieve',
             kwargs={'project': self.category.sodar_uuid},
@@ -458,6 +505,7 @@ def test_get_category(self):
             'readme': '',
             'public_guest_access': False,
             'archive': False,
+            'full_title': self.category.full_title,
             'roles': {
                 str(self.owner_as_cat.sodar_uuid): {
                     'user': self.get_serialized_user(self.user_owner_cat),
@@ -471,7 +519,7 @@ def test_get_category(self):
         self.assertEqual(response_data, expected)
 
     def test_get_project(self):
-        """Test ProjectRetrieveAPIView get() with project"""
+        """Test GET with project"""
         url = reverse(
             'projectroles:api_project_retrieve',
             kwargs={'project': self.project.sodar_uuid},
@@ -488,6 +536,7 @@ def test_get_project(self):
             'readme': '',
             'public_guest_access': False,
             'archive': False,
+            'full_title': self.project.full_title,
             'roles': {
                 str(self.owner_as_cat.sodar_uuid): {
                     'user': self.get_serialized_user(self.user_owner_cat),
@@ -507,7 +556,7 @@ def test_get_project(self):
         self.assertEqual(response_data, expected)
 
     def test_get_not_found(self):
-        """Test ProjectRetrieveAPIView get() with invalid UUID"""
+        """Test GET with invalid UUID"""
         url = reverse(
             'projectroles:api_project_retrieve',
             kwargs={'project': INVALID_UUID},
@@ -516,7 +565,7 @@ def test_get_not_found(self):
         self.assertEqual(response.status_code, 404)
 
     def test_get_inherited_member(self):
-        """Test ProjectRetrieveAPIView get() with inherited member"""
+        """Test GET with inherited member"""
         user_new = self.make_user('user_new')
         self.make_assignment(self.category, user_new, self.role_contributor)
         url = reverse(
@@ -530,15 +579,17 @@ def test_get_inherited_member(self):
 
 
 class TestProjectCreateAPIView(
-    RemoteSiteMixin, RemoteProjectMixin, TestCoreAPIViewsBase
+    RemoteSiteMixin, RemoteProjectMixin, ProjectrolesAPIViewTestBase
 ):
     """Tests for ProjectCreateAPIView"""
 
-    def test_create_category(self):
-        """Test creating root category"""
-        self.assertEqual(Project.objects.count(), 2)
+    def setUp(self):
+        super().setUp()
+        self.url = reverse('projectroles:api_project_create')
 
-        url = reverse('projectroles:api_project_create')
+    def test_post_category(self):
+        """Test ProjectCreateAPIView POST for root category"""
+        self.assertEqual(Project.objects.count(), 2)
         post_data = {
             'title': NEW_CATEGORY_TITLE,
             'type': PROJECT_TYPE_CATEGORY,
@@ -548,7 +599,7 @@ def test_create_category(self):
             'public_guest_access': False,
             'owner': str(self.user.sodar_uuid),
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
 
         self.assertEqual(response.status_code, 201, msg=response.content)
         self.assertEqual(Project.objects.count(), 3)
@@ -585,15 +636,14 @@ def test_create_category(self):
             'description': new_category.description,
             'readme': new_category.readme.raw,
             'public_guest_access': False,
+            'full_title': new_category.full_title,
             'sodar_uuid': str(new_category.sodar_uuid),
         }
         self.assertEqual(json.loads(response.content), expected)
 
-    def test_create_category_nested(self):
-        """Test creating category under existing category"""
+    def test_post_category_nested(self):
+        """Test POST for category under existing category"""
         self.assertEqual(Project.objects.count(), 2)
-
-        url = reverse('projectroles:api_project_create')
         post_data = {
             'title': NEW_CATEGORY_TITLE,
             'type': PROJECT_TYPE_CATEGORY,
@@ -603,7 +653,7 @@ def test_create_category_nested(self):
             'public_guest_access': False,
             'owner': str(self.user.sodar_uuid),
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
 
         self.assertEqual(response.status_code, 201, msg=response.content)
         self.assertEqual(Project.objects.count(), 3)
@@ -619,7 +669,9 @@ def test_create_category_nested(self):
             'readme': new_category.readme.raw,
             'public_guest_access': False,
             'archive': False,
-            'full_title': self.category.title + ' / ' + new_category.title,
+            'full_title': self.category.title
+            + CAT_DELIMITER
+            + new_category.title,
             'has_public_children': False,
             'sodar_uuid': new_category.sodar_uuid,
         }
@@ -637,15 +689,14 @@ def test_create_category_nested(self):
             'description': new_category.description,
             'readme': new_category.readme.raw,
             'public_guest_access': False,
+            'full_title': new_category.full_title,
             'sodar_uuid': str(new_category.sodar_uuid),
         }
         self.assertEqual(json.loads(response.content), expected)
 
-    def test_create_project(self):
-        """Test creating project under existing category"""
+    def test_post_project(self):
+        """Test POST for project under existing category"""
         self.assertEqual(Project.objects.count(), 2)
-
-        url = reverse('projectroles:api_project_create')
         post_data = {
             'title': NEW_PROJECT_TITLE,
             'type': PROJECT_TYPE_PROJECT,
@@ -655,7 +706,7 @@ def test_create_project(self):
             'public_guest_access': False,
             'owner': str(self.user.sodar_uuid),
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
 
         self.assertEqual(response.status_code, 201, msg=response.content)
         self.assertEqual(Project.objects.count(), 3)
@@ -671,7 +722,9 @@ def test_create_project(self):
             'readme': new_project.readme.raw,
             'public_guest_access': False,
             'archive': False,
-            'full_title': self.category.title + ' / ' + new_project.title,
+            'full_title': self.category.title
+            + CAT_DELIMITER
+            + new_project.title,
             'has_public_children': False,
             'sodar_uuid': new_project.sodar_uuid,
         }
@@ -689,14 +742,14 @@ def test_create_project(self):
             'description': new_project.description,
             'readme': new_project.readme.raw,
             'public_guest_access': False,
+            'full_title': new_project.full_title,
             'sodar_uuid': str(new_project.sodar_uuid),
         }
         self.assertEqual(json.loads(response.content), expected)
 
-    def test_create_project_root(self):
-        """Test creating project in root (should fail)"""
+    def test_post_project_root(self):
+        """Test POST for project in root (should fail)"""
         self.assertEqual(Project.objects.count(), 2)
-        url = reverse('projectroles:api_project_create')
         post_data = {
             'title': NEW_PROJECT_TITLE,
             'type': PROJECT_TYPE_PROJECT,
@@ -706,15 +759,14 @@ def test_create_project_root(self):
             'public_guest_access': False,
             'owner': str(self.user.sodar_uuid),
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400)
         self.assertEqual(Project.objects.count(), 2)
 
     @override_settings(PROJECTROLES_DISABLE_CATEGORIES=True)
-    def test_create_project_disable_categories(self):
-        """Test creating project in root with disabled categories"""
+    def test_post_project_disable_categories(self):
+        """Test POST for project in root with disabled categories"""
         self.assertEqual(Project.objects.count(), 2)
-        url = reverse('projectroles:api_project_create')
         post_data = {
             'title': NEW_PROJECT_TITLE,
             'type': PROJECT_TYPE_PROJECT,
@@ -724,14 +776,13 @@ def test_create_project_disable_categories(self):
             'public_guest_access': False,
             'owner': str(self.user.sodar_uuid),
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 201, msg=response.content)
         self.assertEqual(Project.objects.count(), 3)
 
-    def test_create_project_duplicate_title(self):
-        """Test creating project with title already in category (should fail)"""
+    def test_post_project_duplicate_title(self):
+        """Test POST for project with title already in category (should fail)"""
         self.assertEqual(Project.objects.count(), 2)
-        url = reverse('projectroles:api_project_create')
         post_data = {
             'title': self.project.title,
             'type': PROJECT_TYPE_PROJECT,
@@ -741,14 +792,13 @@ def test_create_project_duplicate_title(self):
             'public_guest_access': False,
             'owner': str(self.user.sodar_uuid),
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400)
         self.assertEqual(Project.objects.count(), 2)
 
-    def test_create_project_title_delimiter(self):
-        """Test creating project with category delimiter in title (should fail)"""
+    def test_post_project_title_delimiter(self):
+        """Test POST for project with category delimiter in title (should fail)"""
         self.assertEqual(Project.objects.count(), 2)
-        url = reverse('projectroles:api_project_create')
         post_data = {
             'title': 'New{}Project'.format(CAT_DELIMITER),
             'type': PROJECT_TYPE_PROJECT,
@@ -758,14 +808,13 @@ def test_create_project_title_delimiter(self):
             'public_guest_access': False,
             'owner': str(self.user.sodar_uuid),
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400)
         self.assertEqual(Project.objects.count(), 2)
 
-    def test_create_project_unknown_user(self):
-        """Test creating project with non-existent user (should fail)"""
+    def test_post_project_unknown_user(self):
+        """Test POST for project with non-existent user (should fail)"""
         self.assertEqual(Project.objects.count(), 2)
-        url = reverse('projectroles:api_project_create')
         post_data = {
             'title': NEW_PROJECT_TITLE,
             'type': PROJECT_TYPE_PROJECT,
@@ -775,14 +824,13 @@ def test_create_project_unknown_user(self):
             'public_guest_access': False,
             'owner': INVALID_UUID,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400)
         self.assertEqual(Project.objects.count(), 2)
 
-    def test_create_project_unknown_parent(self):
-        """Test creating project with non-existent parent (should fail)"""
+    def test_post_project_unknown_parent(self):
+        """Test POST for project with non-existent parent (should fail)"""
         self.assertEqual(Project.objects.count(), 2)
-        url = reverse('projectroles:api_project_create')
         post_data = {
             'title': NEW_PROJECT_TITLE,
             'type': PROJECT_TYPE_PROJECT,
@@ -792,14 +840,13 @@ def test_create_project_unknown_parent(self):
             'public_guest_access': False,
             'owner': str(self.user.sodar_uuid),
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400)
         self.assertEqual(Project.objects.count(), 2)
 
-    def test_create_project_invalid_parent(self):
-        """Test creating project with project as parent (should fail)"""
+    def test_post_project_invalid_parent(self):
+        """Test POST for project with project as parent (should fail)"""
         self.assertEqual(Project.objects.count(), 2)
-        url = reverse('projectroles:api_project_create')
         post_data = {
             'title': NEW_PROJECT_TITLE,
             'type': PROJECT_TYPE_PROJECT,
@@ -809,15 +856,14 @@ def test_create_project_invalid_parent(self):
             'public_guest_access': False,
             'owner': str(self.user.sodar_uuid),
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400)
         self.assertEqual(Project.objects.count(), 2)
 
     @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
-    def test_create_project_target_enabled(self):
-        """Test creating project as TARGET with target creation allowed"""
+    def test_post_project_target_enabled(self):
+        """Test POST for project as TARGET with target creation allowed"""
         self.assertEqual(Project.objects.count(), 2)
-        url = reverse('projectroles:api_project_create')
         post_data = {
             'title': NEW_PROJECT_TITLE,
             'type': PROJECT_TYPE_PROJECT,
@@ -827,13 +873,13 @@ def test_create_project_target_enabled(self):
             'public_guest_access': False,
             'owner': str(self.user.sodar_uuid),
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 201, msg=response.content)
         self.assertEqual(Project.objects.count(), 3)
 
     @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
-    def test_create_project_target_remote(self):
-        """Test creating project as TARGET under remote category (should fail)"""
+    def test_post_project_target_remote(self):
+        """Test POST for project as TARGET under remote category (should fail)"""
         # Create source site
         source_site = self.make_site(
             name=REMOTE_SITE_NAME,
@@ -851,7 +897,6 @@ def test_create_project_target_remote(self):
         )
         self.assertEqual(Project.objects.count(), 2)
 
-        url = reverse('projectroles:api_project_create')
         post_data = {
             'title': NEW_PROJECT_TITLE,
             'type': PROJECT_TYPE_PROJECT,
@@ -861,7 +906,7 @@ def test_create_project_target_remote(self):
             'public_guest_access': False,
             'owner': str(self.user.sodar_uuid),
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
 
         self.assertEqual(response.status_code, 403, msg=response.content)
         self.assertEqual(Project.objects.count(), 2)
@@ -870,8 +915,8 @@ def test_create_project_target_remote(self):
         PROJECTROLES_SITE_MODE=SITE_MODE_TARGET,
         PROJECTROLES_TARGET_CREATE=False,
     )
-    def test_create_project_target_disabled(self):
-        """Test creating project as TARGET with target creation disallowed (should fail)"""
+    def test_post_project_target_disabled(self):
+        """Test POST for project as TARGET with target creation disallowed (should fail)"""
         self.assertEqual(Project.objects.count(), 2)
         url = reverse('projectroles:api_project_create')
         post_data = {
@@ -889,18 +934,24 @@ def test_create_project_target_disabled(self):
 
 
 class TestProjectUpdateAPIView(
-    RemoteSiteMixin, RemoteProjectMixin, TestCoreAPIViewsBase
+    RemoteSiteMixin, RemoteProjectMixin, ProjectrolesAPIViewTestBase
 ):
     """Tests for ProjectUpdateAPIView"""
 
-    def test_put_category(self):
-        """Test put() for category updating"""
-        self.assertEqual(Project.objects.count(), 2)
-
-        url = reverse(
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            'projectroles:api_project_update',
+            kwargs={'project': self.project.sodar_uuid},
+        )
+        self.url_cat = reverse(
             'projectroles:api_project_update',
             kwargs={'project': self.category.sodar_uuid},
         )
+
+    def test_put_category(self):
+        """Test ProjectUpdateAPIView PUT with category"""
+        self.assertEqual(Project.objects.count(), 2)
         put_data = {
             'title': UPDATED_TITLE,
             'type': PROJECT_TYPE_CATEGORY,
@@ -909,7 +960,7 @@ def test_put_category(self):
             'readme': UPDATED_README,
             'public_guest_access': False,
         }
-        response = self.request_knox(url, method='PUT', data=put_data)
+        response = self.request_knox(self.url_cat, method='PUT', data=put_data)
 
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.assertEqual(Project.objects.count(), 2)
@@ -940,6 +991,7 @@ def test_put_category(self):
             'readme': UPDATED_README,
             'public_guest_access': False,
             'archive': False,
+            'full_title': UPDATED_TITLE,
             'roles': {
                 str(self.category.get_owner().sodar_uuid): {
                     'role': PROJECT_ROLE_OWNER,
@@ -953,11 +1005,7 @@ def test_put_category(self):
         self.assertEqual(json.loads(response.content), expected)
 
     def test_put_public_guest_access_category(self):
-        """Test setting public guest access for category"""
-        url = reverse(
-            'projectroles:api_project_update',
-            kwargs={'project': self.category.sodar_uuid},
-        )
+        """Test PUT to set public guest access for category (should fail)"""
         put_data = {
             'title': UPDATED_TITLE,
             'type': PROJECT_TYPE_CATEGORY,
@@ -966,17 +1014,12 @@ def test_put_public_guest_access_category(self):
             'readme': UPDATED_README,
             'public_guest_access': True,
         }
-        response = self.request_knox(url, method='PUT', data=put_data)
+        response = self.request_knox(self.url_cat, method='PUT', data=put_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
 
     def test_put_project(self):
-        """Test put() for project updating"""
+        """Test PUT with project"""
         self.assertEqual(Project.objects.count(), 2)
-
-        url = reverse(
-            'projectroles:api_project_update',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         put_data = {
             'title': UPDATED_TITLE,
             'type': PROJECT_TYPE_PROJECT,
@@ -985,7 +1028,7 @@ def test_put_project(self):
             'readme': UPDATED_README,
             'public_guest_access': True,
         }
-        response = self.request_knox(url, method='PUT', data=put_data)
+        response = self.request_knox(self.url, method='PUT', data=put_data)
 
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.assertEqual(Project.objects.count(), 2)
@@ -1002,7 +1045,7 @@ def test_put_project(self):
             'readme': UPDATED_README,
             'public_guest_access': True,
             'archive': False,
-            'full_title': self.category.title + ' / ' + UPDATED_TITLE,
+            'full_title': self.category.title + CAT_DELIMITER + UPDATED_TITLE,
             'has_public_children': False,
             'sodar_uuid': self.project.sodar_uuid,
         }
@@ -1016,6 +1059,7 @@ def test_put_project(self):
             'readme': UPDATED_README,
             'public_guest_access': True,
             'archive': False,
+            'full_title': self.category.title + CAT_DELIMITER + UPDATED_TITLE,
             'roles': {
                 str(self.category.get_owner().sodar_uuid): {
                     'role': PROJECT_ROLE_OWNER,
@@ -1035,19 +1079,16 @@ def test_put_project(self):
         self.assertEqual(json.loads(response.content), expected)
 
     def test_patch_category(self):
-        """Test patch() for updating category metadata"""
+        """Test PATCH with category"""
         self.assertEqual(Project.objects.count(), 2)
-
-        url = reverse(
-            'projectroles:api_project_update',
-            kwargs={'project': self.category.sodar_uuid},
-        )
         patch_data = {
             'title': UPDATED_TITLE,
             'description': UPDATED_DESC,
             'readme': UPDATED_README,
         }
-        response = self.request_knox(url, method='PATCH', data=patch_data)
+        response = self.request_knox(
+            self.url_cat, method='PATCH', data=patch_data
+        )
 
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.assertEqual(Project.objects.count(), 2)
@@ -1079,6 +1120,7 @@ def test_patch_category(self):
             'readme': UPDATED_README,
             'public_guest_access': False,
             'archive': False,
+            'full_title': UPDATED_TITLE,
             'roles': {
                 str(self.category.get_owner().sodar_uuid): {
                     'role': PROJECT_ROLE_OWNER,
@@ -1092,20 +1134,15 @@ def test_patch_category(self):
         self.assertEqual(json.loads(response.content), expected)
 
     def test_patch_project(self):
-        """Test patch() for updating project metadata"""
+        """Test PATCH with project"""
         self.assertEqual(Project.objects.count(), 2)
-
-        url = reverse(
-            'projectroles:api_project_update',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         patch_data = {
             'title': UPDATED_TITLE,
             'description': UPDATED_DESC,
             'readme': UPDATED_README,
             'public_guest_access': True,
         }
-        response = self.request_knox(url, method='PATCH', data=patch_data)
+        response = self.request_knox(self.url, method='PATCH', data=patch_data)
 
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.assertEqual(Project.objects.count(), 2)
@@ -1122,7 +1159,7 @@ def test_patch_project(self):
             'readme': UPDATED_README,
             'public_guest_access': True,
             'archive': False,
-            'full_title': self.category.title + ' / ' + UPDATED_TITLE,
+            'full_title': self.category.title + CAT_DELIMITER + UPDATED_TITLE,
             'has_public_children': False,
             'sodar_uuid': self.project.sodar_uuid,
         }
@@ -1137,6 +1174,7 @@ def test_patch_project(self):
             'readme': UPDATED_README,
             'public_guest_access': True,
             'archive': False,
+            'full_title': self.category.title + CAT_DELIMITER + UPDATED_TITLE,
             'roles': {
                 str(self.category.get_owner().sodar_uuid): {
                     'role': PROJECT_ROLE_OWNER,
@@ -1156,43 +1194,30 @@ def test_patch_project(self):
         self.assertEqual(json.loads(response.content), expected)
 
     def test_patch_project_title_delimiter(self):
-        """Test patch() with category delimiter in title (should fail)"""
-        url = reverse(
-            'projectroles:api_project_update',
-            kwargs={'project': self.project.sodar_uuid},
-        )
+        """Test PATCH with category delimiter in project title (should fail)"""
         patch_data = {'title': 'New{}Project'.format(CAT_DELIMITER)}
-        response = self.request_knox(url, method='PATCH', data=patch_data)
+        response = self.request_knox(self.url, method='PATCH', data=patch_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
 
     def test_patch_project_owner(self):
-        """Test patch() for updating project owner (should fail)"""
+        """Test PATCH for updating project owner (should fail)"""
         new_owner = self.make_user('new_owner')
-        url = reverse(
-            'projectroles:api_project_update',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         patch_data = {'owner': str(new_owner.sodar_uuid)}
-        response = self.request_knox(url, method='PATCH', data=patch_data)
+        response = self.request_knox(self.url, method='PATCH', data=patch_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
 
     def test_patch_project_move(self):
-        """Test patch() for moving project under different category"""
+        """Test PATCH for moving project under different category"""
         self.assertEqual(
             self.project.full_title,
-            self.category.title + ' / ' + self.project.title,
+            self.category.title + CAT_DELIMITER + self.project.title,
         )
-
         new_category = self.make_project(
             'NewCategory', PROJECT_TYPE_CATEGORY, None
         )
         self.make_assignment(new_category, self.user_owner_cat, self.role_owner)
-        url = reverse(
-            'projectroles:api_project_update',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         patch_data = {'parent': str(new_category.sodar_uuid)}
-        response = self.request_knox(url, method='PATCH', data=patch_data)
+        response = self.request_knox(self.url, method='PATCH', data=patch_data)
 
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.project.refresh_from_db()
@@ -1205,98 +1230,75 @@ def test_patch_project_move(self):
         # Assert child project full title update
         self.assertEqual(
             self.project.full_title,
-            new_category.title + ' / ' + self.project.title,
+            new_category.title + CAT_DELIMITER + self.project.title,
         )
         self.assertEqual(
             json.loads(response.content)['parent'], str(new_category.sodar_uuid)
         )
 
     def test_patch_project_move_unallowed(self):
-        """Test patch() for moving project without permissions (should fail)"""
+        """Test PATCH for moving project without permissions (should fail)"""
         new_category = self.make_project(
             'NewCategory', PROJECT_TYPE_CATEGORY, None
         )
         new_owner = self.make_user('new_owner')
         self.make_assignment(new_category, new_owner, self.role_owner)
-        url = reverse(
-            'projectroles:api_project_update',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         patch_data = {'parent': str(new_category.sodar_uuid)}
         # Disable superuser status from self.user and perform request
         self.user.is_superuser = False
         self.user.save()
-        response = self.request_knox(url, method='PATCH', data=patch_data)
+        response = self.request_knox(self.url, method='PATCH', data=patch_data)
         self.assertEqual(response.status_code, 403, msg=response.content)
 
     def test_patch_project_move_root(self):
-        """Test patch() for moving project without permissions (should fail)"""
+        """Test PATCH for moving project without permissions (should fail)"""
         new_category = self.make_project(
             'NewCategory', PROJECT_TYPE_CATEGORY, None
         )
         new_owner = self.make_user('new_owner')
         self.make_assignment(new_category, new_owner, self.role_owner)
-        url = reverse(
-            'projectroles:api_project_update',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         patch_data = {'parent': ''}
-        response = self.request_knox(url, method='PATCH', data=patch_data)
+        response = self.request_knox(self.url, method='PATCH', data=patch_data)
         self.assertEqual(response.status_code, 200, msg=response.content)
 
     def test_patch_project_move_root_unallowed(self):
-        """Test patch() for moving project to root without permissions (should fail)"""
+        """Test PATCH for moving project to root without permissions (should fail)"""
         new_category = self.make_project(
             'NewCategory', PROJECT_TYPE_CATEGORY, None
         )
         new_owner = self.make_user('new_owner')
         self.make_assignment(new_category, new_owner, self.role_owner)
-        url = reverse(
-            'projectroles:api_project_update',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         patch_data = {'parent': ''}
         # Disable superuser status from self.user and perform request
         self.user.is_superuser = False
         self.user.save()
-        response = self.request_knox(url, method='PATCH', data=patch_data)
+        response = self.request_knox(self.url, method='PATCH', data=patch_data)
         self.assertEqual(response.status_code, 403, msg=response.content)
 
     def test_patch_project_move_child(self):
-        """Test patch() for moving category inside its child (should fail)"""
+        """Test PATCH for moving category inside its child (should fail)"""
         new_category = self.make_project(
             'NewCategory', PROJECT_TYPE_CATEGORY, self.category
         )
         self.make_assignment(new_category, self.user, self.role_owner)
-        url = reverse(
-            'projectroles:api_project_update',
-            kwargs={'project': self.category.sodar_uuid},
-        )
         patch_data = {'parent': str(new_category.sodar_uuid)}
-        response = self.request_knox(url, method='PATCH', data=patch_data)
+        response = self.request_knox(
+            self.url_cat, method='PATCH', data=patch_data
+        )
         self.assertEqual(response.status_code, 400, msg=response.content)
 
     def test_patch_project_type_change(self):
-        """Test patch() with changed project type (should fail)"""
-        url = reverse(
-            'projectroles:api_project_update',
-            kwargs={'project': self.project.sodar_uuid},
-        )
+        """Test PATCH with changed project type (should fail)"""
         patch_data = {'type': PROJECT_TYPE_CATEGORY}
-        response = self.request_knox(url, method='PATCH', data=patch_data)
+        response = self.request_knox(self.url, method='PATCH', data=patch_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
 
     def test_patch_project_public(self):
-        """Test patch() with changed public guest access"""
+        """Test PATCH with changed public guest access"""
         self.assertEqual(self.project.public_guest_access, False)
         self.assertEqual(self.category.has_public_children, False)
-
-        url = reverse(
-            'projectroles:api_project_update',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         patch_data = {'public_guest_access': True}
-        response = self.request_knox(url, method='PATCH', data=patch_data)
+        response = self.request_knox(self.url, method='PATCH', data=patch_data)
 
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.project.refresh_from_db()
@@ -1307,7 +1309,7 @@ def test_patch_project_public(self):
 
     @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
     def test_patch_project_remote(self):
-        """Test patch() for updating remote project metadata (should fail)"""
+        """Test PATCH with remote project (should fail)"""
         # Create source site and remote project
         source_site = self.make_site(
             name=REMOTE_SITE_NAME,
@@ -1322,42 +1324,42 @@ def test_patch_project_remote(self):
             site=source_site,
             level=SODAR_CONSTANTS['REMOTE_LEVEL_READ_ROLES'],
         )
-        url = reverse(
-            'projectroles:api_project_update',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         patch_data = {
             'title': UPDATED_TITLE,
             'description': UPDATED_DESC,
             'readme': UPDATED_README,
         }
-        response = self.request_knox(url, method='PATCH', data=patch_data)
+        response = self.request_knox(self.url, method='PATCH', data=patch_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
 
 
 class TestRoleAssignmentCreateAPIView(
-    RemoteSiteMixin, RemoteProjectMixin, TestCoreAPIViewsBase
+    RemoteSiteMixin, RemoteProjectMixin, ProjectrolesAPIViewTestBase
 ):
     """Tests for RoleAssignmentCreateAPIView"""
 
     def setUp(self):
         super().setUp()
         self.assign_user = self.make_user('assign_user')
+        self.url = reverse(
+            'projectroles:api_role_create',
+            kwargs={'project': self.project.sodar_uuid},
+        )
+        self.url_cat = reverse(
+            'projectroles:api_role_create',
+            kwargs={'project': self.category.sodar_uuid},
+        )
 
-    def test_create_contributor(self):
-        """Test creating contributor role for user"""
+    def test_post_contributor(self):
+        """Test RoleAssignmentCreateAPIView POST with contributor role"""
         self.assertEqual(
             RoleAssignment.objects.filter(project=self.project).count(), 1
         )
-        url = reverse(
-            'projectroles:api_role_create',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'role': PROJECT_ROLE_CONTRIBUTOR,
             'user': str(self.assign_user.sodar_uuid),
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
 
         self.assertEqual(response.status_code, 201, msg=response.content)
         self.assertEqual(
@@ -1377,34 +1379,26 @@ def test_create_contributor(self):
         }
         self.assertEqual(json.loads(response.content), expected)
 
-    def test_create_owner(self):
-        """Test creating owner role (should fail)"""
-        url = reverse(
-            'projectroles:api_role_create',
-            kwargs={'project': self.project.sodar_uuid},
-        )
+    def test_post_owner(self):
+        """Test POST with owner role (should fail)"""
         post_data = {
             'role': PROJECT_ROLE_OWNER,
             'user': str(self.assign_user.sodar_uuid),
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
 
-    def test_create_delegate(self):
-        """Test creating delegate role for user as owner"""
+    def test_post_delegate(self):
+        """Test POST with delegate role as owner"""
         self.assertEqual(
             RoleAssignment.objects.filter(project=self.project).count(), 1
         )
-        url = reverse(
-            'projectroles:api_role_create',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'role': PROJECT_ROLE_DELEGATE,
             'user': str(self.assign_user.sodar_uuid),
         }
         response = self.request_knox(
-            url,
+            self.url,
             method='POST',
             data=post_data,
             token=self.get_token(self.user_owner),
@@ -1419,58 +1413,45 @@ def test_create_delegate(self):
         ).first()
         self.assertIsNotNone(role_as)
 
-    def test_create_delegate_unauthorized(self):
-        """Test creating delegate role without authorization (should fail)"""
+    def test_post_delegate_unauthorized(self):
+        """Test POST with delegate role without authorization (should fail)"""
         # Create new user and grant delegate role
         new_user = self.make_user('new_user')
         self.make_assignment(self.project, new_user, self.role_contributor)
         new_user_token = self.get_token(new_user)
-        url = reverse(
-            'projectroles:api_role_create',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'role': PROJECT_ROLE_DELEGATE,
             'user': str(self.assign_user.sodar_uuid),
         }
         response = self.request_knox(
-            url, method='POST', data=post_data, token=new_user_token
+            self.url, method='POST', data=post_data, token=new_user_token
         )
         self.assertEqual(response.status_code, 403, msg=response.content)
 
-    def test_create_delegate_limit(self):
-        """Test creating delegate role with limit reached (should fail)"""
-        # Create new user and grant delegate role
+    def test_post_delegate_limit(self):
+        """Test POST with delegate role and limit reached (should fail)"""
         new_user = self.make_user('new_user')
         self.make_assignment(self.project, new_user, self.role_delegate)
-        url = reverse(
-            'projectroles:api_role_create',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'role': PROJECT_ROLE_DELEGATE,
             'user': str(self.assign_user.sodar_uuid),
         }
         # NOTE: Post as owner
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
 
-    def test_create_delegate_limit_inherit(self):
-        """Test creating delegate role existing role for inherited owner"""
+    def test_post_delegate_limit_inherit(self):
+        """Test POST with delegate role and existing role for inherited owner"""
         # Set up category owner
         new_user = self.make_user('new_user')
         self.owner_as_cat.user = new_user
 
-        url = reverse(
-            'projectroles:api_role_create',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'role': PROJECT_ROLE_DELEGATE,
             'user': str(self.assign_user.sodar_uuid),
         }
         # NOTE: Post as owner
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
 
         self.assertEqual(response.status_code, 201, msg=response.content)
         self.assertEqual(
@@ -1481,34 +1462,28 @@ def test_create_delegate_limit_inherit(self):
         ).first()
         self.assertIsNotNone(role_as)
 
-    def test_create_delegate_category(self):
-        """Test creating non-owner role for category"""
-        url = reverse(
-            'projectroles:api_role_create',
-            kwargs={'project': self.category.sodar_uuid},
-        )
+    def test_post_delegate_category(self):
+        """Test POST with non-owner role for category"""
         post_data = {
             'role': PROJECT_ROLE_DELEGATE,
             'user': str(self.assign_user.sodar_uuid),
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(
+            self.url_cat, method='POST', data=post_data
+        )
         self.assertEqual(response.status_code, 201, msg=response.content)
 
-    def test_create_finder_project(self):
-        """Test creating finder role for project (should fail)"""
+    def test_post_finder_project(self):
+        """Test POST with finder role for project (should fail)"""
         self.assertEqual(
             RoleAssignment.objects.filter(project=self.project).count(), 1
         )
-        url = reverse(
-            'projectroles:api_role_create',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'role': PROJECT_ROLE_FINDER,
             'user': str(self.assign_user.sodar_uuid),
         }
         response = self.request_knox(
-            url,
+            self.url,
             method='POST',
             data=post_data,
             token=self.get_token(self.user_owner),
@@ -1518,21 +1493,17 @@ def test_create_finder_project(self):
             RoleAssignment.objects.filter(project=self.project).count(), 1
         )
 
-    def test_create_finder_category(self):
-        """Test creating finder role for category"""
+    def test_post_finder_category(self):
+        """Test POST with finder role for category"""
         self.assertEqual(
             RoleAssignment.objects.filter(project=self.category).count(), 1
         )
-        url = reverse(
-            'projectroles:api_role_create',
-            kwargs={'project': self.category.sodar_uuid},
-        )
         post_data = {
             'role': PROJECT_ROLE_FINDER,
             'user': str(self.assign_user.sodar_uuid),
         }
         response = self.request_knox(
-            url,
+            self.url_cat,
             method='POST',
             data=post_data,
             token=self.get_token(self.user_owner_cat),
@@ -1546,21 +1517,16 @@ def test_create_finder_category(self):
         ).first()
         self.assertIsNotNone(role_as)
 
-    def test_create_role_existing(self):
-        """Test creating role for user already in the project"""
+    def test_post_existing(self):
+        """Test POST with role for user with existing role in project"""
         self.assertEqual(
             RoleAssignment.objects.filter(project=self.project).count(), 1
         )
-
-        url = reverse(
-            'projectroles:api_role_create',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'role': PROJECT_ROLE_CONTRIBUTOR,
             'user': str(self.assign_user.sodar_uuid),
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
 
         self.assertEqual(response.status_code, 201, msg=response.content)
         self.assertEqual(
@@ -1570,15 +1536,15 @@ def test_create_role_existing(self):
             'role': PROJECT_ROLE_GUEST,
             'user': str(self.assign_user.sodar_uuid),
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
 
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(
             RoleAssignment.objects.filter(project=self.project).count(), 2
         )
 
-    def test_create_inherited_promote(self):
-        """Test creating promoted role for user with inherited role"""
+    def test_post_inherited_promote(self):
+        """Test POST for user with inherited role"""
         # Create category role for user
         self.make_assignment(self.category, self.assign_user, self.role_guest)
         self.assertEqual(
@@ -1588,15 +1554,11 @@ def test_create_inherited_promote(self):
             RoleAssignment.objects.filter(project=self.project).count(), 1
         )
 
-        url = reverse(
-            'projectroles:api_role_create',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'role': PROJECT_ROLE_CONTRIBUTOR,
             'user': str(self.assign_user.sodar_uuid),
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
 
         self.assertEqual(response.status_code, 201, msg=response.content)
         self.assertEqual(
@@ -1612,8 +1574,8 @@ def test_create_inherited_promote(self):
         ).first()
         self.assertIsNotNone(role_as)
 
-    def test_create_inherited_equal(self):
-        """Test creating equal role for user with inherited role"""
+    def test_post_inherited_equal(self):
+        """Test POST with equal role for user with inherited role"""
         self.make_assignment(
             self.category, self.assign_user, self.role_contributor
         )
@@ -1624,15 +1586,11 @@ def test_create_inherited_equal(self):
             RoleAssignment.objects.filter(project=self.project).count(), 1
         )
 
-        url = reverse(
-            'projectroles:api_role_create',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'role': PROJECT_ROLE_CONTRIBUTOR,
             'user': str(self.assign_user.sodar_uuid),
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
 
         self.assertEqual(response.status_code, 201, msg=response.content)
         self.assertEqual(
@@ -1648,8 +1606,8 @@ def test_create_inherited_equal(self):
         ).first()
         self.assertIsNotNone(role_as)
 
-    def test_create_inherited_demote(self):
-        """Test creating demoted role for user with inherited role (should fail)"""
+    def test_post_inherited_demote(self):
+        """Test POST with demoted role for user with inherited role (should fail)"""
         self.make_assignment(
             self.category, self.assign_user, self.role_delegate
         )
@@ -1660,15 +1618,11 @@ def test_create_inherited_demote(self):
             RoleAssignment.objects.filter(project=self.project).count(), 1
         )
 
-        url = reverse(
-            'projectroles:api_role_create',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'role': PROJECT_ROLE_CONTRIBUTOR,
             'user': str(self.assign_user.sodar_uuid),
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
 
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(
@@ -1679,8 +1633,8 @@ def test_create_inherited_demote(self):
         )
 
     @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
-    def test_create_remote(self):
-        """Test creating role for remote project (should fail)"""
+    def test_post_remote(self):
+        """Test POST for role in remote project (should fail)"""
         # Create source site and remote project
         source_site = self.make_site(
             name=REMOTE_SITE_NAME,
@@ -1699,15 +1653,11 @@ def test_create_remote(self):
             RoleAssignment.objects.filter(project=self.project).count(), 1
         )
 
-        url = reverse(
-            'projectroles:api_role_create',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'role': PROJECT_ROLE_CONTRIBUTOR,
             'user': str(self.assign_user.sodar_uuid),
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
 
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(
@@ -1716,7 +1666,7 @@ def test_create_remote(self):
 
 
 class TestRoleAssignmentUpdateAPIView(
-    RemoteSiteMixin, RemoteProjectMixin, TestCoreAPIViewsBase
+    RemoteSiteMixin, RemoteProjectMixin, ProjectrolesAPIViewTestBase
 ):
     """Tests for RoleAssignmentUpdateAPIView"""
 
@@ -1726,21 +1676,19 @@ def setUp(self):
         self.update_as = self.make_assignment(
             self.project, self.assign_user, self.role_contributor
         )
-
-    def test_put_role(self):
-        """Test put() for role assignment updating"""
-        self.assertEqual(RoleAssignment.objects.count(), 3)
-
-        url = reverse(
+        self.url = reverse(
             'projectroles:api_role_update',
             kwargs={'roleassignment': self.update_as.sodar_uuid},
         )
+
+    def test_put(self):
+        """Test RoleAssignmentUpdateAPIView PUT"""
+        self.assertEqual(RoleAssignment.objects.count(), 3)
         put_data = {
             'role': PROJECT_ROLE_GUEST,
             'user': str(self.assign_user.sodar_uuid),
         }
-        response = self.request_knox(url, method='PUT', data=put_data)
-
+        response = self.request_knox(self.url, method='PUT', data=put_data)
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.assertEqual(RoleAssignment.objects.count(), 3)
 
@@ -1764,17 +1712,12 @@ def test_put_role(self):
         self.assertEqual(json.loads(response.content), expected)
 
     def test_put_delegate(self):
-        """Test put() for delegate role assignment"""
-        url = reverse(
-            'projectroles:api_role_update',
-            kwargs={'roleassignment': self.update_as.sodar_uuid},
-        )
+        """Test PUT with delegate role assignment"""
         put_data = {
             'role': PROJECT_ROLE_DELEGATE,
             'user': str(self.assign_user.sodar_uuid),
         }
-        response = self.request_knox(url, method='PUT', data=put_data)
-
+        response = self.request_knox(self.url, method='PUT', data=put_data)
         self.assertEqual(response.status_code, 200, msg=response.content)
 
         self.update_as.refresh_from_db()
@@ -1797,42 +1740,29 @@ def test_put_delegate(self):
         self.assertEqual(json.loads(response.content), expected)
 
     def test_put_owner(self):
-        """Test put() for owner role assignment (should fail)"""
-        url = reverse(
-            'projectroles:api_role_update',
-            kwargs={'roleassignment': self.update_as.sodar_uuid},
-        )
+        """Test PUT with owner role assignment (should fail)"""
         put_data = {
             'role': PROJECT_ROLE_OWNER,
             'user': str(self.assign_user.sodar_uuid),
         }
-        response = self.request_knox(url, method='PUT', data=put_data)
+        response = self.request_knox(self.url, method='PUT', data=put_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
 
     def test_put_change_user(self):
-        """Test put() with different user (should fail)"""
+        """Test PUT with different user than one in assignment (should fail)"""
         new_user = self.make_user('new_user')
-        url = reverse(
-            'projectroles:api_role_update',
-            kwargs={'roleassignment': self.update_as.sodar_uuid},
-        )
         put_data = {
             'role': PROJECT_ROLE_GUEST,
             'user': str(new_user.sodar_uuid),
         }
-        response = self.request_knox(url, method='PUT', data=put_data)
+        response = self.request_knox(self.url, method='PUT', data=put_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
 
-    def test_patch_role(self):
-        """Test patch() for role assignment updating"""
+    def test_patch(self):
+        """Test PATCH to update role assignment"""
         self.assertEqual(RoleAssignment.objects.count(), 3)
-
-        url = reverse(
-            'projectroles:api_role_update',
-            kwargs={'roleassignment': self.update_as.sodar_uuid},
-        )
         patch_data = {'role': PROJECT_ROLE_GUEST}
-        response = self.request_knox(url, method='PATCH', data=patch_data)
+        response = self.request_knox(self.url, method='PATCH', data=patch_data)
 
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.assertEqual(RoleAssignment.objects.count(), 3)
@@ -1855,18 +1785,14 @@ def test_patch_role(self):
         self.assertEqual(json.loads(response.content), expected)
 
     def test_patch_role_finder_project(self):
-        """Test patch() for finder role updating in project (should fail)"""
+        """Test PATCH for finder role in project (should fail)"""
         self.assertEqual(RoleAssignment.objects.count(), 3)
-        url = reverse(
-            'projectroles:api_role_update',
-            kwargs={'roleassignment': self.update_as.sodar_uuid},
-        )
         patch_data = {'role': PROJECT_ROLE_FINDER}
-        response = self.request_knox(url, method='PATCH', data=patch_data)
+        response = self.request_knox(self.url, method='PATCH', data=patch_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
 
     def test_patch_role_finder_category(self):
-        """Test patch() for finder role updating in categody"""
+        """Test PATCH for finder role in categody"""
         user_new = self.make_user('user_new')
         new_as = self.make_assignment(self.category, user_new, self.role_finder)
         self.assertEqual(RoleAssignment.objects.count(), 4)
@@ -1882,19 +1808,13 @@ def test_patch_role_finder_category(self):
         self.assertEqual(new_as.role, self.role_finder)
 
     def test_patch_role_inherited_promote(self):
-        """Test patch() with promoted role for inherited user"""
+        """Test PATCH with promoted role for inherited user"""
         self.make_assignment(
             self.category, self.assign_user, self.role_contributor
         )
         self.assertEqual(RoleAssignment.objects.count(), 4)
-
-        url = reverse(
-            'projectroles:api_role_update',
-            kwargs={'roleassignment': self.update_as.sodar_uuid},
-        )
         patch_data = {'role': PROJECT_ROLE_DELEGATE}
-        response = self.request_knox(url, method='PATCH', data=patch_data)
-
+        response = self.request_knox(self.url, method='PATCH', data=patch_data)
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.assertEqual(RoleAssignment.objects.count(), 4)
         expected = {
@@ -1906,19 +1826,13 @@ def test_patch_role_inherited_promote(self):
         self.assertEqual(json.loads(response.content), expected)
 
     def test_patch_role_inherited_equal(self):
-        """Test patch() with equal role for inherited user"""
+        """Test PATCH with equal role for inherited user"""
         self.make_assignment(
             self.category, self.assign_user, self.role_contributor
         )
         self.assertEqual(RoleAssignment.objects.count(), 4)
-
-        url = reverse(
-            'projectroles:api_role_update',
-            kwargs={'roleassignment': self.update_as.sodar_uuid},
-        )
         patch_data = {'role': PROJECT_ROLE_CONTRIBUTOR}
-        response = self.request_knox(url, method='PATCH', data=patch_data)
-
+        response = self.request_knox(self.url, method='PATCH', data=patch_data)
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.assertEqual(RoleAssignment.objects.count(), 4)
         expected = {
@@ -1930,19 +1844,13 @@ def test_patch_role_inherited_equal(self):
         self.assertEqual(json.loads(response.content), expected)
 
     def test_patch_role_inherited_demote(self):
-        """Test patch() with demoted role for inherited user (should fail)"""
+        """Test PATCH with demoted role for inherited user (should fail)"""
         self.make_assignment(
             self.category, self.assign_user, self.role_contributor
         )
         self.assertEqual(RoleAssignment.objects.count(), 4)
-
-        url = reverse(
-            'projectroles:api_role_update',
-            kwargs={'roleassignment': self.update_as.sodar_uuid},
-        )
         patch_data = {'role': PROJECT_ROLE_GUEST}
-        response = self.request_knox(url, method='PATCH', data=patch_data)
-
+        response = self.request_knox(self.url, method='PATCH', data=patch_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(RoleAssignment.objects.count(), 4)
         self.update_as.refresh_from_db()
@@ -1950,7 +1858,7 @@ def test_patch_role_inherited_demote(self):
 
     @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
     def test_patch_role_remote(self):
-        """Test patch() for updating role in remote project (should fail)"""
+        """Test PATCH for updating role in remote project (should fail)"""
         # Create source site and remote project
         source_site = self.make_site(
             name=REMOTE_SITE_NAME,
@@ -1965,28 +1873,20 @@ def test_patch_role_remote(self):
             site=source_site,
             level=SODAR_CONSTANTS['REMOTE_LEVEL_READ_ROLES'],
         )
-        url = reverse(
-            'projectroles:api_role_update',
-            kwargs={'roleassignment': self.update_as.sodar_uuid},
-        )
         patch_data = {'role': PROJECT_ROLE_GUEST}
-        response = self.request_knox(url, method='PATCH', data=patch_data)
+        response = self.request_knox(self.url, method='PATCH', data=patch_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
 
     def test_patch_user(self):
-        """Test patch() with different user (should fail)"""
+        """Test PATCH with different user (should fail)"""
         new_user = self.make_user('new_user')
-        url = reverse(
-            'projectroles:api_role_update',
-            kwargs={'roleassignment': self.update_as.sodar_uuid},
-        )
         patch_data = {'user': str(new_user.sodar_uuid)}
-        response = self.request_knox(url, method='PATCH', data=patch_data)
+        response = self.request_knox(self.url, method='PATCH', data=patch_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
 
 
 class TestRoleAssignmentDestroyAPIView(
-    RemoteSiteMixin, RemoteProjectMixin, TestCoreAPIViewsBase
+    RemoteSiteMixin, RemoteProjectMixin, ProjectrolesAPIViewTestBase
 ):
     """Tests for RoleAssignmentDestroyAPIView"""
 
@@ -1997,8 +1897,8 @@ def setUp(self):
             self.project, self.assign_user, self.role_contributor
         )
 
-    def test_delete_role(self):
-        """Test delete for role assignment deletion"""
+    def test_delete(self):
+        """Test RoleAssignmentDestroyAPIView DELETE"""
         self.assertEqual(RoleAssignment.objects.count(), 3)
         url = reverse(
             'projectroles:api_role_destroy',
@@ -2015,7 +1915,7 @@ def test_delete_role(self):
         )
 
     def test_delete_delegate_unauthorized(self):
-        """Test delete for delegate deletion without perms (should fail)"""
+        """Test DELETE with delegate role without perms (should fail)"""
         new_user = self.make_user('new_user')
         delegate_as = self.make_assignment(
             self.project, new_user, self.role_delegate
@@ -2032,7 +1932,7 @@ def test_delete_delegate_unauthorized(self):
         self.assertEqual(RoleAssignment.objects.count(), 4)
 
     def test_delete_owner(self):
-        """Test delete for owner deletion (should fail)"""
+        """Test DELETE with owner role (should fail)"""
         self.assertEqual(RoleAssignment.objects.count(), 3)
         url = reverse(
             'projectroles:api_role_destroy',
@@ -2044,7 +1944,7 @@ def test_delete_owner(self):
 
     @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
     def test_delete_remote(self):
-        """Test delete for remote project (should fail)"""
+        """Test DELETE with remote project (should fail)"""
         # Create source site and remote project
         source_site = self.make_site(
             name=REMOTE_SITE_NAME,
@@ -2070,7 +1970,7 @@ def test_delete_remote(self):
 
 
 class TestRoleAssignmentOwnerTransferAPIView(
-    RemoteSiteMixin, RemoteProjectMixin, TestCoreAPIViewsBase
+    RemoteSiteMixin, RemoteProjectMixin, ProjectrolesAPIViewTestBase
 ):
     """Tests for RoleAssignmentOwnerTransferAPIView"""
 
@@ -2081,132 +1981,116 @@ def setUp(self):
             self.project, self.user_guest, self.role_guest
         )
         self.user_new = self.make_user('user_new')
+        self.url = reverse(
+            'projectroles:api_role_owner_transfer',
+            kwargs={'project': self.project.sodar_uuid},
+        )
+        self.url_cat = reverse(
+            'projectroles:api_role_owner_transfer',
+            kwargs={'project': self.category.sodar_uuid},
+        )
 
-    def test_transfer(self):
-        """Test transferring ownership for project"""
+    def test_post(self):
+        """Test RoleAssignmentOwnerTransferAPIView POST"""
         # Assign role to new user
         self.make_assignment(self.project, self.user_new, self.role_contributor)
         self.assertEqual(self.project.get_owner().user, self.user_owner)
-        url = reverse(
-            'projectroles:api_role_owner_transfer',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'new_owner': self.user_new.username,
             'old_owner_role': PROJECT_ROLE_CONTRIBUTOR,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.assertEqual(self.project.get_owner().user, self.user_new)
 
-    def test_transfer_category(self):
-        """Test transferring ownership for category"""
+    def test_post_category(self):
+        """Test POST with category"""
         self.make_assignment(
             self.category, self.user_new, self.role_contributor
         )
         self.assertEqual(self.category.get_owner().user, self.user_owner_cat)
-        url = reverse(
-            'projectroles:api_role_owner_transfer',
-            kwargs={'project': self.category.sodar_uuid},
-        )
         post_data = {
             'new_owner': self.user_new.username,
             'old_owner_role': PROJECT_ROLE_CONTRIBUTOR,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(
+            self.url_cat, method='POST', data=post_data
+        )
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.assertEqual(self.category.get_owner().user, self.user_new)
 
-    def test_transfer_finder_project(self):
-        """Test transfer with finder role in project (should fail)"""
+    def test_post_finder_project(self):
+        """Test POST with finder role in project (should fail)"""
         self.make_assignment(self.project, self.user_new, self.role_contributor)
         self.assertEqual(self.project.get_owner().user, self.user_owner)
-        url = reverse(
-            'projectroles:api_role_owner_transfer',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'new_owner': self.user_new.username,
             'old_owner_role': PROJECT_ROLE_FINDER,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(self.project.get_owner().user, self.user_owner)
 
-    def test_transfer_finder_category(self):
-        """Test transfer with finder role in category"""
+    def test_post_finder_category(self):
+        """Test POST with finder role in category"""
         self.make_assignment(
             self.category, self.user_new, self.role_contributor
         )
         self.assertEqual(self.category.get_owner().user, self.user_owner_cat)
-        url = reverse(
-            'projectroles:api_role_owner_transfer',
-            kwargs={'project': self.category.sodar_uuid},
-        )
         post_data = {
             'new_owner': self.user_new.username,
             'old_owner_role': PROJECT_ROLE_FINDER,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(
+            self.url_cat, method='POST', data=post_data
+        )
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.assertEqual(self.category.get_owner().user, self.user_new)
 
-    def test_transfer_old_inherited_member(self):
-        """Test transfer from old owner with inherited non-owner role"""
+    def test_post_old_inherited_member(self):
+        """Test POST to transfer from old owner with inherited non-owner role"""
         self.make_assignment(
             self.category, self.user_owner, self.role_contributor
         )
         self.assertEqual(self.project.get_role(self.user_owner), self.owner_as)
-        url = reverse(
-            'projectroles:api_role_owner_transfer',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'new_owner': self.user_guest.username,
             'old_owner_role': PROJECT_ROLE_CONTRIBUTOR,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.assertEqual(self.project.get_owner().user, self.user_guest)
         self.owner_as.refresh_from_db()
         self.assertEqual(self.project.get_role(self.user_owner), self.owner_as)
         self.assertEqual(self.owner_as.role, self.role_contributor)
 
-    def test_transfer_old_inherited_member_demote(self):
-        """Test transfer demoting inherited non-owner (should fail)"""
+    def test_post_old_inherited_member_demote(self):
+        """Test POST with demoting inherited non-owner (should fail)"""
         self.make_assignment(
             self.category, self.user_owner, self.role_contributor
         )
         self.assertEqual(self.project.get_role(self.user_owner), self.owner_as)
-        url = reverse(
-            'projectroles:api_role_owner_transfer',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'new_owner': self.user_guest.username,
             'old_owner_role': PROJECT_ROLE_GUEST,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(self.project.get_owner().user, self.user_owner)
         self.assertEqual(
             self.project.get_role(self.user_guest).role, self.role_guest
         )
 
-    def test_transfer_old_inherited_owner(self):
-        """Test transfer from old owner with inherited owner role"""
+    def test_post_old_inherited_owner(self):
+        """Test POST to transfer from old owner with inherited owner role"""
         self.owner_as_cat.user = self.user_owner
         self.owner_as_cat.save()
         self.assertEqual(self.project.get_role(self.user_owner), self.owner_as)
-        url = reverse(
-            'projectroles:api_role_owner_transfer',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'new_owner': self.user_guest.username,
             'old_owner_role': PROJECT_ROLE_OWNER,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.assertEqual(self.project.get_owner().user, self.user_guest)
         self.assertIsNone(
@@ -2219,28 +2103,24 @@ def test_transfer_old_inherited_owner(self):
         )
         self.assertEqual(self.owner_as.role, self.role_owner)
 
-    def test_transfer_old_inherited_owner_demote(self):
-        """Test transfer demoting inherited owner (should fail)"""
+    def test_post_old_inherited_owner_demote(self):
+        """Test POST demoting inherited owner (should fail)"""
         self.owner_as_cat.user = self.user_owner
         self.owner_as_cat.save()
         self.assertEqual(self.project.get_role(self.user_owner), self.owner_as)
-        url = reverse(
-            'projectroles:api_role_owner_transfer',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'new_owner': self.user_guest.username,
             'old_owner_role': PROJECT_ROLE_DELEGATE,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(self.project.get_owner().user, self.user_owner)
         self.assertEqual(
             self.project.get_role(self.user_guest).role, self.role_guest
         )
 
-    def test_transfer_new_inherited_member(self):
-        """Test transfer to new owner with inherited non-owner role"""
+    def test_post_new_inherited_member(self):
+        """Test POST for transfer to new owner with inherited non-owner role"""
         self.make_assignment(
             self.category, self.user_new, self.role_contributor
         )
@@ -2248,37 +2128,29 @@ def test_transfer_new_inherited_member(self):
             self.project.get_owners(inherited_only=True)[0].user,
             self.user_owner_cat,
         )
-        url = reverse(
-            'projectroles:api_role_owner_transfer',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'new_owner': self.user_new.username,
             'old_owner_role': PROJECT_ROLE_CONTRIBUTOR,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.assertEqual(self.project.get_owner().user, self.user_new)
         self.owner_as.refresh_from_db()
         self.assertEqual(self.project.get_role(self.user_owner), self.owner_as)
         self.assertEqual(self.owner_as.role, self.role_contributor)
 
-    def test_transfer_new_inherited_owner(self):
-        """Test transfer to new owner with inherited owner role"""
+    def test_post_new_inherited_owner(self):
+        """Test POST for transfer to new owner with inherited owner role"""
         self.assertEqual(self.project.get_owner().user, self.user_owner)
         self.assertEqual(
             self.project.get_owners(inherited_only=True)[0].user,
             self.user_owner_cat,
         )
-        url = reverse(
-            'projectroles:api_role_owner_transfer',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'new_owner': self.user_owner_cat.username,
             'old_owner_role': PROJECT_ROLE_CONTRIBUTOR,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.assertEqual(self.project.get_owner().user, self.user_owner_cat)
         self.owner_as.refresh_from_db()
@@ -2293,79 +2165,63 @@ def test_transfer_new_inherited_owner(self):
             ),
         )
 
-    def test_transfer_no_roles(self):
-        """Test transfer to user with no existing roles (should fail)"""
+    def test_post_no_roles(self):
+        """Test POST to transfer to user with no existing roles (should fail)"""
         # NOTE: No role given to user
-        url = reverse(
-            'projectroles:api_role_owner_transfer',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'new_owner': self.user_new.username,
             'old_owner_role': PROJECT_ROLE_CONTRIBUTOR,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
 
-    def test_transfer_inherit_promote(self):
-        """Test transfer with promoted inherited role for old owner"""
+    def test_post_inherit_promote(self):
+        """Test post with promoted inherited role for old owner"""
         self.make_assignment(self.project, self.user_new, self.role_contributor)
         # Set category role for project owner
         self.make_assignment(self.category, self.user_owner, self.role_guest)
         self.assertEqual(self.project.get_owner().user, self.user_owner)
-        url = reverse(
-            'projectroles:api_role_owner_transfer',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'new_owner': self.user_new.username,
             'old_owner_role': PROJECT_ROLE_CONTRIBUTOR,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.assertEqual(self.project.get_owner().user, self.user_new)
         self.assertEqual(
             self.project.get_role(self.user_owner).role, self.role_contributor
         )
 
-    def test_transfer_inherit_equal(self):
-        """Test transfer with equal inherited role for old owner"""
+    def test_post_inherit_equal(self):
+        """Test POST with equal inherited role for old owner"""
         self.make_assignment(self.project, self.user_new, self.role_contributor)
         # Set category role for project owner
         self.make_assignment(
             self.category, self.user_owner, self.role_contributor
         )
         self.assertEqual(self.project.get_owner().user, self.user_owner)
-        url = reverse(
-            'projectroles:api_role_owner_transfer',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'new_owner': self.user_new.username,
             'old_owner_role': PROJECT_ROLE_CONTRIBUTOR,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.assertEqual(self.project.get_owner().user, self.user_new)
         self.assertEqual(
             self.project.get_role(self.user_owner).role, self.role_contributor
         )
 
-    def test_transfer_inherit_demote(self):
-        """Test transfer with demoted role for old owner (should fail)"""
+    def test_post_inherit_demote(self):
+        """Test POST with demoted role for old owner (should fail)"""
         self.make_assignment(self.project, self.user_new, self.role_contributor)
         # Set category role for project owner
         self.make_assignment(self.category, self.user_owner, self.role_delegate)
         self.assertEqual(self.project.get_owner().user, self.user_owner)
-        url = reverse(
-            'projectroles:api_role_owner_transfer',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'new_owner': self.user_new.username,
             'old_owner_role': PROJECT_ROLE_CONTRIBUTOR,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(self.project.get_owner().user, self.user_owner)
         self.assertEqual(
@@ -2373,8 +2229,8 @@ def test_transfer_inherit_demote(self):
         )
 
     @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
-    def test_transfer_remote(self):
-        """Test transferring ownership for remote project (should fail)"""
+    def test_post_remote(self):
+        """Test POST with remote project (should fail)"""
         # Create source site and remote project
         source_site = self.make_site(
             name=REMOTE_SITE_NAME,
@@ -2393,20 +2249,18 @@ def test_transfer_remote(self):
         self.make_assignment(self.project, self.user_new, self.role_contributor)
         self.assertEqual(self.project.get_owner().user, self.user_owner)
 
-        url = reverse(
-            'projectroles:api_role_owner_transfer',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'new_owner': self.user_new.username,
             'old_owner_role': PROJECT_ROLE_CONTRIBUTOR,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(self.project.get_owner().user, self.user_owner)
 
 
-class TestProjectInviteListAPIView(ProjectInviteMixin, TestCoreAPIViewsBase):
+class TestProjectInviteListAPIView(
+    ProjectInviteMixin, ProjectrolesAPIViewTestBase
+):
     """Tests for ProjectInviteListAPIView"""
 
     def setUp(self):
@@ -2428,15 +2282,14 @@ def setUp(self):
             message=INVITE_MESSAGE,
             secret=build_secret(),
         )
-
-    def test_get(self):
-        """Test ProjectInviteListAPIView get()"""
-        url = reverse(
+        self.url = reverse(
             'projectroles:api_invite_list',
             kwargs={'project': self.project.sodar_uuid},
         )
-        response = self.request_knox(url, token=self.get_token(self.user))
 
+    def test_get(self):
+        """Test ProjectInviteListAPIView GET"""
+        response = self.request_knox(self.url, token=self.get_token(self.user))
         self.assertEqual(response.status_code, 200)
         response_data = json.loads(response.content)
         self.assertEqual(len(response_data), 2)
@@ -2467,15 +2320,10 @@ def test_get(self):
         self.assertEqual(response_data, expected)
 
     def test_get_inactive(self):
-        """Test get() with inactive invite"""
+        """Test GET with inactive invite"""
         self.invite.active = False
         self.invite.save()
-
-        url = reverse(
-            'projectroles:api_invite_list',
-            kwargs={'project': self.project.sodar_uuid},
-        )
-        response = self.request_knox(url, token=self.get_token(self.user))
+        response = self.request_knox(self.url, token=self.get_token(self.user))
 
         self.assertEqual(response.status_code, 200)
         response_data = json.loads(response.content)
@@ -2496,28 +2344,59 @@ def test_get_inactive(self):
         ]
         self.assertEqual(response_data, expected)
 
+    def test_get_pagination(self):
+        """Test GET with pagination"""
+        url = self.url + '?page=1'
+        response = self.request_knox(url, token=self.get_token(self.user))
+        self.assertEqual(response.status_code, 200)
+        response_data = json.loads(response.content)
+        expected = {
+            'count': 2,
+            'next': TEST_SERVER_URL + self.url + '?page=2',
+            'previous': None,
+            'results': [
+                {
+                    'email': INVITE_USER_EMAIL,
+                    'project': str(self.project.sodar_uuid),
+                    'role': PROJECT_ROLE_GUEST,
+                    'issuer': self.get_serialized_user(self.user),
+                    'date_created': self.get_drf_datetime(
+                        self.invite.date_created
+                    ),
+                    'date_expire': self.get_drf_datetime(
+                        self.invite.date_expire
+                    ),
+                    'message': '',
+                    'sodar_uuid': str(self.invite.sodar_uuid),
+                }
+            ],
+        }
+        self.assertEqual(response_data, expected)
+
 
 class TestProjectInviteCreateAPIView(
-    RemoteSiteMixin, RemoteProjectMixin, TestCoreAPIViewsBase
+    RemoteSiteMixin, RemoteProjectMixin, ProjectrolesAPIViewTestBase
 ):
     """Tests for ProjectInviteCreateAPIView"""
 
-    def test_create(self):
-        """Test creating contributor invite for user"""
-        self.assertEqual(
-            ProjectInvite.objects.filter(project=self.project).count(), 0
-        )
-
-        url = reverse(
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
             'projectroles:api_invite_create',
             kwargs={'project': self.project.sodar_uuid},
         )
+
+    def test_post(self):
+        """Test ProjectInviteCreateAPIView POST"""
+        self.assertEqual(
+            ProjectInvite.objects.filter(project=self.project).count(), 0
+        )
         post_data = {
             'email': INVITE_USER_EMAIL,
             'role': PROJECT_ROLE_CONTRIBUTOR,
             'message': INVITE_MESSAGE,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
 
         self.assertEqual(response.status_code, 201, msg=response.content)
         self.assertEqual(
@@ -2542,46 +2421,34 @@ def test_create(self):
         self.assertEqual(json.loads(response.content), expected)
         self.assertEqual(len(mail.outbox), 1)
 
-    def test_create_owner(self):
-        """Test creating invite for owner role (should fail)"""
+    def test_post_owner(self):
+        """Test POST with owner role (should fail)"""
         self.assertEqual(
             ProjectInvite.objects.filter(project=self.project).count(), 0
         )
-
-        url = reverse(
-            'projectroles:api_invite_create',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'email': INVITE_USER_EMAIL,
             'role': PROJECT_ROLE_OWNER,
             'message': INVITE_MESSAGE,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
-
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(
             ProjectInvite.objects.filter(project=self.project).count(), 0
         )
         self.assertEqual(len(mail.outbox), 0)
 
-    def test_create_delegate(self):
-        """Test creating invite for delegate role"""
+    def test_post_delegate(self):
+        """Test POST with delegate role"""
         self.assertEqual(
             ProjectInvite.objects.filter(project=self.project).count(), 0
         )
-
-        url = reverse(
-            'projectroles:api_invite_create',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'email': INVITE_USER_EMAIL,
             'role': PROJECT_ROLE_DELEGATE,
             'message': INVITE_MESSAGE,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
-
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 201, msg=response.content)
         self.assertEqual(
             ProjectInvite.objects.filter(project=self.project).count(), 1
@@ -2591,101 +2458,80 @@ def test_create_delegate(self):
         self.assertEqual(len(mail.outbox), 1)
 
     @override_settings(PROJECTROLES_DELEGATE_LIMIT=2)
-    def test_create_delegate_no_perms(self):
-        """Test creating delegate invite without perms (should fail)"""
+    def test_post_delegate_no_perms(self):
+        """Test POST for delegate without perms (should fail)"""
         del_user = self.make_user('delegate')
         self.make_assignment(self.project, del_user, self.role_delegate)
         self.assertEqual(
             ProjectInvite.objects.filter(project=self.project).count(), 0
         )
-
-        url = reverse(
-            'projectroles:api_invite_create',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'email': INVITE_USER_EMAIL,
             'role': PROJECT_ROLE_DELEGATE,
             'message': INVITE_MESSAGE,
         }
         response = self.request_knox(
-            url, method='POST', data=post_data, token=self.get_token(del_user)
+            self.url,
+            method='POST',
+            data=post_data,
+            token=self.get_token(del_user),
         )
-
         self.assertEqual(response.status_code, 403, msg=response.content)
         self.assertEqual(
             ProjectInvite.objects.filter(project=self.project).count(), 0
         )
         self.assertEqual(len(mail.outbox), 0)
 
-    def test_create_delegate_limit(self):
-        """Test creating delegate invite with exceeded limit (should fail)"""
+    def test_post_delegate_limit(self):
+        """Test POST for delegate with exceeded limit (should fail)"""
         del_user = self.make_user('delegate')
         self.make_assignment(self.project, del_user, self.role_delegate)
         self.assertEqual(
             ProjectInvite.objects.filter(project=self.project).count(), 0
         )
-
-        url = reverse(
-            'projectroles:api_invite_create',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'email': INVITE_USER_EMAIL,
             'role': PROJECT_ROLE_DELEGATE,
             'message': INVITE_MESSAGE,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
-
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(
             ProjectInvite.objects.filter(project=self.project).count(), 0
         )
         self.assertEqual(len(mail.outbox), 0)
 
-    def test_create_invalid_email(self):
-        """Test creating invite with invalid email (should fail)"""
+    def test_post_invalid_email(self):
+        """Test POST with invalid email (should fail)"""
         self.assertEqual(
             ProjectInvite.objects.filter(project=self.project).count(), 0
         )
-
-        url = reverse(
-            'projectroles:api_invite_create',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'email': 'NOT_AN_EMAIL!',
             'role': PROJECT_ROLE_CONTRIBUTOR,
             'message': INVITE_MESSAGE,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
-
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(
             ProjectInvite.objects.filter(project=self.project).count(), 0
         )
         self.assertEqual(len(mail.outbox), 0)
 
-    def test_create_existing_user(self):
-        """Test creating invite for existing user (should fail)"""
+    def test_post_existing_user(self):
+        """Test POST with existing user (should fail)"""
         user = self.make_user('new_user')
         user.email = INVITE_USER_EMAIL
         user.save()
         self.assertEqual(
             ProjectInvite.objects.filter(project=self.project).count(), 0
         )
-
-        url = reverse(
-            'projectroles:api_invite_create',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'email': INVITE_USER_EMAIL,
             'role': PROJECT_ROLE_CONTRIBUTOR,
             'message': INVITE_MESSAGE,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
-
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(
             ProjectInvite.objects.filter(project=self.project).count(), 0
@@ -2693,8 +2539,8 @@ def test_create_existing_user(self):
         self.assertEqual(len(mail.outbox), 0)
 
     @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
-    def test_create_remote(self):
-        """Test creating invite for remote project (should fail)"""
+    def test_post_remote(self):
+        """Test POST with remote project (should fail)"""
         # Set up remote site and project
         source_site = self.make_site(
             name=REMOTE_SITE_NAME,
@@ -2713,16 +2559,12 @@ def test_create_remote(self):
             ProjectInvite.objects.filter(project=self.project).count(), 0
         )
 
-        url = reverse(
-            'projectroles:api_invite_create',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
             'email': INVITE_USER_EMAIL,
             'role': PROJECT_ROLE_CONTRIBUTOR,
             'message': INVITE_MESSAGE,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
 
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(
@@ -2731,7 +2573,9 @@ def test_create_remote(self):
         self.assertEqual(len(mail.outbox), 0)
 
 
-class TestProjectInviteRevokeAPIView(ProjectInviteMixin, TestCoreAPIViewsBase):
+class TestProjectInviteRevokeAPIView(
+    ProjectInviteMixin, ProjectrolesAPIViewTestBase
+):
     """Tests for ProjectInviteRevokeAPIView"""
 
     def setUp(self):
@@ -2743,62 +2587,50 @@ def setUp(self):
             role=self.role_contributor,
             issuer=self.user,
         )
-
-    def test_revoke(self):
-        """Test revoking invite"""
-        self.assertEqual(self.invite.active, True)
-        url = reverse(
+        self.url = reverse(
             'projectroles:api_invite_revoke',
             kwargs={'projectinvite': self.invite.sodar_uuid},
         )
-        response = self.request_knox(url, method='POST')
+
+    def test_post(self):
+        """Test ProjectInviteRevokeAPIView POST"""
+        self.assertEqual(self.invite.active, True)
+        response = self.request_knox(self.url, method='POST')
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.invite.refresh_from_db()
         self.assertEqual(self.invite.active, False)
 
-    def test_revoke_inactive(self):
-        """Test revoking already inactive invite (should fail)"""
+    def test_post_inactive(self):
+        """Test POST with inactive invite (should fail)"""
         self.invite.active = False
         self.invite.save()
-        url = reverse(
-            'projectroles:api_invite_revoke',
-            kwargs={'projectinvite': self.invite.sodar_uuid},
-        )
-        response = self.request_knox(url, method='POST')
+        response = self.request_knox(self.url, method='POST')
         self.assertEqual(response.status_code, 400, msg=response.content)
 
-    def test_revoke_delegate(self):
-        """Test revoking delegate invite with sufficient perms"""
+    def test_post_delegate(self):
+        """Test POST for delegate invite with sufficient perms"""
         self.invite.role = self.role_delegate
         self.invite.save()
-        url = reverse(
-            'projectroles:api_invite_revoke',
-            kwargs={'projectinvite': self.invite.sodar_uuid},
-        )
-        response = self.request_knox(url, method='POST')
+        response = self.request_knox(self.url, method='POST')
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.invite.refresh_from_db()
         self.assertEqual(self.invite.active, False)
 
-    def test_revoke_delegate_no_perms(self):
-        """Test revoking delegate invite without perms (should fail)"""
+    def test_post_delegate_no_perms(self):
+        """Test POST for delegate invite without perms (should fail)"""
         self.invite.role = self.role_delegate
         self.invite.save()
         delegate = self.make_user('delegate')
         self.make_assignment(self.project, delegate, self.role_delegate)
-        url = reverse(
-            'projectroles:api_invite_revoke',
-            kwargs={'projectinvite': self.invite.sodar_uuid},
-        )
         response = self.request_knox(
-            url, method='POST', token=self.get_token(delegate)
+            self.url, method='POST', token=self.get_token(delegate)
         )
         self.assertEqual(response.status_code, 403, msg=response.content)
         self.invite.refresh_from_db()
         self.assertEqual(self.invite.active, True)
 
-    def test_revoke_not_found(self):
-        """Test revoking invite with invalid UUID"""
+    def test_post_not_found(self):
+        """Test POST with invalid UUID"""
         url = reverse(
             'projectroles:api_invite_revoke',
             kwargs={'projectinvite': INVALID_UUID},
@@ -2807,7 +2639,9 @@ def test_revoke_not_found(self):
         self.assertEqual(response.status_code, 404)
 
 
-class TestProjectInviteResendAPIView(ProjectInviteMixin, TestCoreAPIViewsBase):
+class TestProjectInviteResendAPIView(
+    ProjectInviteMixin, ProjectrolesAPIViewTestBase
+):
     """Tests for ProjectInviteResendAPIView"""
 
     def setUp(self):
@@ -2819,61 +2653,48 @@ def setUp(self):
             role=self.role_contributor,
             issuer=self.user,
         )
-
-    def test_resend(self):
-        """Test resending invite"""
-        self.assertEqual(len(mail.outbox), 0)
-        url = reverse(
+        self.url = reverse(
             'projectroles:api_invite_resend',
             kwargs={'projectinvite': self.invite.sodar_uuid},
         )
-        response = self.request_knox(url, method='POST')
+
+    def test_post(self):
+        """Test ProjectInviteResendAPIView POST"""
+        self.assertEqual(len(mail.outbox), 0)
+        response = self.request_knox(self.url, method='POST')
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.assertEqual(len(mail.outbox), 1)
 
-    def test_resend_inactive(self):
-        """Test resending inactive invite (should fail)"""
+    def test_post_inactive(self):
+        """Test POST with inactive invite (should fail)"""
         self.invite.active = False
         self.invite.save()
-        url = reverse(
-            'projectroles:api_invite_resend',
-            kwargs={'projectinvite': self.invite.sodar_uuid},
-        )
-        response = self.request_knox(url, method='POST')
+        response = self.request_knox(self.url, method='POST')
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(len(mail.outbox), 0)
 
-    def test_resend_delegate(self):
-        """Test resending delegate invite with sufficient perms"""
+    def test_post_delegate(self):
+        """Test POST for delegate invite with sufficient perms"""
         self.invite.role = self.role_delegate
         self.invite.save()
-        url = reverse(
-            'projectroles:api_invite_resend',
-            kwargs={'projectinvite': self.invite.sodar_uuid},
-        )
-        response = self.request_knox(url, method='POST')
+        response = self.request_knox(self.url, method='POST')
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.assertEqual(len(mail.outbox), 1)
 
-    def test_resend_delegate_no_perms(self):
-        """Test resending delegate invite without perms (should fail)"""
+    def test_post_delegate_no_perms(self):
+        """Test POST for delegate invite without perms (should fail)"""
         self.invite.role = self.role_delegate
         self.invite.save()
         delegate = self.make_user('delegate')
         self.make_assignment(self.project, delegate, self.role_delegate)
-
-        url = reverse(
-            'projectroles:api_invite_resend',
-            kwargs={'projectinvite': self.invite.sodar_uuid},
-        )
         response = self.request_knox(
-            url, method='POST', token=self.get_token(delegate)
+            self.url, method='POST', token=self.get_token(delegate)
         )
         self.assertEqual(response.status_code, 403, msg=response.content)
         self.assertEqual(len(mail.outbox), 0)
 
-    def test_resend_not_found(self):
-        """Test resending invite with invalid UUID"""
+    def test_post_invalid_uuid(self):
+        """Test POST with invalid UUID"""
         url = reverse(
             'projectroles:api_invite_resend',
             kwargs={'projectinvite': INVALID_UUID},
@@ -2883,28 +2704,27 @@ def test_resend_not_found(self):
 
 
 class TestProjectSettingRetrievePIView(
-    AppSettingMixin, AppSettingInitMixin, TestCoreAPIViewsBase
+    AppSettingMixin, AppSettingInitMixin, ProjectrolesAPIViewTestBase
 ):
     """Tests for ProjectSettingRetrieveAPIView"""
 
     def setUp(self):
         super().setUp()
         self.settings = self.init_app_settings()
-
-    def test_retrieve_project(self):
-        """Test retrieving app setting with PROJECT scope"""
-        setting_name = 'project_str_setting'
-        url = reverse(
+        self.url = reverse(
             'projectroles:api_project_setting_retrieve',
             kwargs={'project': self.project.sodar_uuid},
         )
-        get_data = {'app_name': EX_APP_NAME, 'setting_name': setting_name}
-        response = self.request_knox(url, data=get_data)
 
+    def test_get_project(self):
+        """Test ProjectSettingRetrieveAPIView GET with PROJECT scope setting"""
+        setting_name = 'project_str_setting'
+        get_data = {'plugin_name': EX_APP_NAME, 'setting_name': setting_name}
+        response = self.request_knox(self.url, data=get_data)
         self.assertEqual(response.status_code, 200, msg=response.content)
         response_data = json.loads(response.content)
         expected = {
-            'app_name': EX_APP_NAME,
+            'plugin_name': EX_APP_NAME,
             'project': str(self.project.sodar_uuid),
             'user': None,
             'name': setting_name,
@@ -2914,8 +2734,8 @@ def test_retrieve_project(self):
         }
         self.assertEqual(response_data, expected)
 
-    def test_retrieve_project_unset(self):
-        """Test retrieving unset PROJECT setting (should return default)"""
+    def test_get_project_unset(self):
+        """Test GET with unset PROJECT setting (should return default)"""
         setting_name = 'project_str_setting'
         default_value = app_settings.get_default(EX_APP_NAME, setting_name)
         q_kwargs = {
@@ -2924,18 +2744,13 @@ def test_retrieve_project_unset(self):
             'project': self.project,
         }
         AppSetting.objects.get(**q_kwargs).delete()
-
-        url = reverse(
-            'projectroles:api_project_setting_retrieve',
-            kwargs={'project': self.project.sodar_uuid},
-        )
-        get_data = {'app_name': EX_APP_NAME, 'setting_name': setting_name}
-        response = self.request_knox(url, data=get_data)
+        get_data = {'plugin_name': EX_APP_NAME, 'setting_name': setting_name}
+        response = self.request_knox(self.url, data=get_data)
 
         self.assertEqual(response.status_code, 200, msg=response.content)
         response_data = json.loads(response.content)
         expected = {
-            'app_name': EX_APP_NAME,
+            'plugin_name': EX_APP_NAME,
             'project': str(self.project.sodar_uuid),
             'user': None,
             'name': setting_name,
@@ -2946,24 +2761,20 @@ def test_retrieve_project_unset(self):
         self.assertEqual(response_data, expected)
         self.assertIsInstance(AppSetting.objects.get(**q_kwargs), AppSetting)
 
-    def test_retrieve_project_user(self):
-        """Test retrieving app setting with PROJECT_USER scope"""
+    def test_get_project_user(self):
+        """Test GET with PROJECT_USER scope setting"""
         setting_name = 'project_user_str_setting'
-        url = reverse(
-            'projectroles:api_project_setting_retrieve',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         get_data = {
-            'app_name': EX_APP_NAME,
+            'plugin_name': EX_APP_NAME,
             'setting_name': setting_name,
             'user': str(self.user.sodar_uuid),
         }
-        response = self.request_knox(url, data=get_data)
+        response = self.request_knox(self.url, data=get_data)
 
         self.assertEqual(response.status_code, 200, msg=response.content)
         response_data = json.loads(response.content)
         expected = {
-            'app_name': EX_APP_NAME,
+            'plugin_name': EX_APP_NAME,
             'project': str(self.project.sodar_uuid),
             'user': self.get_serialized_user(self.user),
             'name': setting_name,
@@ -2973,8 +2784,8 @@ def test_retrieve_project_user(self):
         }
         self.assertEqual(response_data, expected)
 
-    def test_retrieve_project_user_unset(self):
-        """Test retrieving unset PROJECT_USER setting"""
+    def test_get_project_user_unset(self):
+        """Test GET with unset PROJECT_USER setting"""
         setting_name = 'project_user_str_setting'
         default_value = app_settings.get_default(EX_APP_NAME, setting_name)
         q_kwargs = {
@@ -2984,22 +2795,17 @@ def test_retrieve_project_user_unset(self):
             'user': self.user,
         }
         AppSetting.objects.get(**q_kwargs).delete()
-
-        url = reverse(
-            'projectroles:api_project_setting_retrieve',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         get_data = {
-            'app_name': EX_APP_NAME,
+            'plugin_name': EX_APP_NAME,
             'setting_name': setting_name,
             'user': str(self.user.sodar_uuid),
         }
-        response = self.request_knox(url, data=get_data)
+        response = self.request_knox(self.url, data=get_data)
 
         self.assertEqual(response.status_code, 200, msg=response.content)
         response_data = json.loads(response.content)
         expected = {
-            'app_name': EX_APP_NAME,
+            'plugin_name': EX_APP_NAME,
             'project': str(self.project.sodar_uuid),
             'user': self.get_serialized_user(self.user),
             'name': setting_name,
@@ -3010,31 +2816,23 @@ def test_retrieve_project_user_unset(self):
         self.assertEqual(response_data, expected)
         self.assertIsInstance(AppSetting.objects.get(**q_kwargs), AppSetting)
 
-    def test_retrieve_project_user_no_user(self):
-        """Test retrieving PROJECT_USER setting without user (should fail)"""
+    def test_get_project_user_no_user(self):
+        """Test GET with PROJECT_USER setting and no user (should fail)"""
         setting_name = 'project_user_str_setting'
-        url = reverse(
-            'projectroles:api_project_setting_retrieve',
-            kwargs={'project': self.project.sodar_uuid},
-        )
-        get_data = {'app_name': EX_APP_NAME, 'setting_name': setting_name}
-        response = self.request_knox(url, data=get_data)
+        get_data = {'plugin_name': EX_APP_NAME, 'setting_name': setting_name}
+        response = self.request_knox(self.url, data=get_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
 
-    def test_retrieve_json(self):
-        """Test retrieving JSON app setting"""
+    def test_get_json(self):
+        """Test GET with JSON app setting"""
         setting_name = 'project_json_setting'
-        url = reverse(
-            'projectroles:api_project_setting_retrieve',
-            kwargs={'project': self.project.sodar_uuid},
-        )
-        get_data = {'app_name': EX_APP_NAME, 'setting_name': setting_name}
-        response = self.request_knox(url, data=get_data)
+        get_data = {'plugin_name': EX_APP_NAME, 'setting_name': setting_name}
+        response = self.request_knox(self.url, data=get_data)
 
         self.assertEqual(response.status_code, 200, msg=response.content)
         response_data = json.loads(response.content)
         expected = {
-            'app_name': EX_APP_NAME,
+            'plugin_name': EX_APP_NAME,
             'project': str(self.project.sodar_uuid),
             'user': None,
             'name': setting_name,
@@ -3044,20 +2842,15 @@ def test_retrieve_json(self):
         }
         self.assertEqual(response_data, expected)
 
-    def test_retrieve_non_modifiable(self):
-        """Test retrieving non-modifiable app setting"""
+    def test_get_non_modifiable(self):
+        """Test GET with non-modifiable app setting"""
         setting_name = 'project_hidden_setting'
-        url = reverse(
-            'projectroles:api_project_setting_retrieve',
-            kwargs={'project': self.project.sodar_uuid},
-        )
-        get_data = {'app_name': EX_APP_NAME, 'setting_name': setting_name}
-        response = self.request_knox(url, data=get_data)
-
+        get_data = {'plugin_name': EX_APP_NAME, 'setting_name': setting_name}
+        response = self.request_knox(self.url, data=get_data)
         self.assertEqual(response.status_code, 200, msg=response.content)
         response_data = json.loads(response.content)
         expected = {
-            'app_name': EX_APP_NAME,
+            'plugin_name': EX_APP_NAME,
             'project': str(self.project.sodar_uuid),
             'user': None,
             'name': setting_name,
@@ -3067,264 +2860,211 @@ def test_retrieve_non_modifiable(self):
         }
         self.assertEqual(response_data, expected)
 
-    def test_retrieve_invalid_app_name(self):
-        """Test setting app setting with invalid app name (should fail)"""
+    def test_get_invalid_app_name(self):
+        """Test GET with invalid app name (should fail)"""
         setting_name = 'project_str_setting'
-        url = reverse(
-            'projectroles:api_project_setting_retrieve',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         get_data = {
-            'app_name': 'NON-EXISTING-APP',
+            'plugin_name': 'NON-EXISTING-APP',
             'setting_name': setting_name,
         }
-        response = self.request_knox(url, data=get_data)
+        response = self.request_knox(self.url, data=get_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
 
-    def test_retrieve_invalid_scope(self):
-        """Test setting app setting with invalid scope (should fail)"""
+    def test_get_invalid_scope(self):
+        """Test GET with invalid scope (should fail)"""
         setting_name = 'user_str_setting'
-        url = reverse(
-            'projectroles:api_project_setting_retrieve',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         get_data = {
             'setting_name': setting_name,
             'user': str(self.user.sodar_uuid),
         }
-        response = self.request_knox(url, data=get_data)
+        response = self.request_knox(self.url, data=get_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
 
 
-class TestProjectSettingSetAPIView(TestCoreAPIViewsBase):
+class TestProjectSettingSetAPIView(ProjectrolesAPIViewTestBase):
     """Tests for ProjectSettingSetAPIView"""
 
     def setUp(self):
         super().setUp()
         # Set project owner token as default token
         self.knox_token = self.get_token(self.user_owner)
+        self.url = reverse(
+            'projectroles:api_project_setting_set',
+            kwargs={'project': self.project.sodar_uuid},
+        )
 
-    def test_set_project(self):
-        """Test setting app setting value with PROJECT scope"""
+    def test_post_project(self):
+        """Test TestProjectSettingSetAPIView POST with PROJECT scope setting"""
         self.assertEqual(AppSetting.objects.count(), 0)
         self.assertIsNone(
-            ProjectEvent.objects.filter(
+            TimelineEvent.objects.filter(
                 event_name='app_setting_set_api'
             ).first()
         )
-
         setting_name = 'project_str_setting'
-        url = reverse(
-            'projectroles:api_project_setting_set',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
-            'app_name': EX_APP_NAME,
+            'plugin_name': EX_APP_NAME,
             'setting_name': setting_name,
             'value': 'value',
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
 
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.assertEqual(AppSetting.objects.count(), 1)
         obj = AppSetting.objects.get(name=setting_name, project=self.project)
         self.assertEqual(obj.get_value(), 'value')
-        tl_event = ProjectEvent.objects.filter(
+        tl_event = TimelineEvent.objects.filter(
             event_name='app_setting_set_api'
         ).first()
         self.assertIsNotNone(tl_event)
         self.assertEqual(tl_event.classified, True)
         self.assertEqual(tl_event.extra_data, {'value': 'value'})
 
-    def test_set_project_user(self):
-        """Test setting app setting value with PROJECT_USER scope"""
+    def test_post_project_user(self):
+        """Test POST with PROJECT_USER scope"""
         self.assertEqual(AppSetting.objects.count(), 0)
         setting_name = 'project_user_str_setting'
-        url = reverse(
-            'projectroles:api_project_setting_set',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
-            'app_name': EX_APP_NAME,
+            'plugin_name': EX_APP_NAME,
             'setting_name': setting_name,
             'value': 'value',
             'user': str(self.user_owner.sodar_uuid),
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.assertEqual(AppSetting.objects.count(), 1)
         obj = AppSetting.objects.get(name=setting_name, project=self.project)
         self.assertEqual(obj.get_value(), 'value')
 
-    def test_set_project_no_user(self):
+    def test_post_project_no_user(self):
         """Test setting PROJECT_USER setting with no user (should fail)"""
         setting_name = 'project_user_str_setting'
-        url = reverse(
-            'projectroles:api_project_setting_set',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
-            'app_name': EX_APP_NAME,
+            'plugin_name': EX_APP_NAME,
             'setting_name': setting_name,
             'value': 'value',
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(AppSetting.objects.count(), 0)
 
-    def test_set_non_modifiable(self):
-        """Test setting non-modifiable app setting (should fail)"""
+    def test_post_non_modifiable(self):
+        """Test POST with non-modifiable app setting (should fail)"""
         setting_name = 'project_hidden_setting'
-        url = reverse(
-            'projectroles:api_project_setting_set',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
-            'app_name': EX_APP_NAME,
+            'plugin_name': EX_APP_NAME,
             'setting_name': setting_name,
             'value': 'value',
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 403, msg=response.content)
         self.assertEqual(AppSetting.objects.count(), 0)
 
-    def test_set_invalid_app_name(self):
-        """Test setting app setting with invalid app name (should fail)"""
+    def test_post_invalid_app_name(self):
+        """Test POST with invalid app name (should fail)"""
         setting_name = 'project_str_setting'
-        url = reverse(
-            'projectroles:api_project_setting_set',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
-            'app_name': 'NON-EXISTING-APP',
+            'plugin_name': 'NON-EXISTING-APP',
             'setting_name': setting_name,
             'value': 'value',
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(AppSetting.objects.count(), 0)
 
-    def test_set_invalid_scope(self):
-        """Test setting app setting with invalid scope (should fail)"""
+    def test_post_invalid_scope(self):
+        """Test POST with invalid scope (should fail)"""
         setting_name = 'user_str_setting'
-        url = reverse(
-            'projectroles:api_project_setting_set',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
-            'app_name': EX_APP_NAME,
+            'plugin_name': EX_APP_NAME,
             'setting_name': setting_name,
             'value': 'value',
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(AppSetting.objects.count(), 0)
 
-    def test_set_invalid_project_type(self):
-        """Test setting app setting with the wrong project type (should fail)"""
-        setting_name = 'project_category_bool_setting'
-        url = reverse(
-            'projectroles:api_project_setting_set',
-            kwargs={'project': self.project.sodar_uuid},
-        )
+    def test_post_invalid_project_type(self):
+        """Test POST with unaccepted project type (should fail)"""
+        setting_name = 'category_bool_setting'
         post_data = {
-            'app_name': EX_APP_NAME,
+            'plugin_name': EX_APP_NAME,
             'setting_name': setting_name,
             'value': True,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(AppSetting.objects.count(), 0)
 
-    def test_set_no_value(self):
-        """Test setting without value (should fail)"""
+    def test_post_no_value(self):
+        """Test POST without value (should fail)"""
         self.assertEqual(AppSetting.objects.count(), 0)
         setting_name = 'project_str_setting'
-        url = reverse(
-            'projectroles:api_project_setting_set',
-            kwargs={'project': self.project.sodar_uuid},
-        )
-        post_data = {
-            'app_name': EX_APP_NAME,
-            'setting_name': setting_name,
-        }
-        response = self.request_knox(url, method='POST', data=post_data)
+        post_data = {'plugin_name': EX_APP_NAME, 'setting_name': setting_name}
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(AppSetting.objects.count(), 0)
 
-    def test_set_integer(self):
-        """Test setting integer value"""
+    def test_post_integer(self):
+        """Test POST with integer value"""
         setting_name = 'project_int_setting'
-        url = reverse(
-            'projectroles:api_project_setting_set',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
-            'app_name': EX_APP_NAME,
+            'plugin_name': EX_APP_NAME,
             'setting_name': setting_name,
             'value': '170',
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 200, msg=response.content)
         obj = AppSetting.objects.get(name=setting_name, project=self.project)
         self.assertEqual(obj.get_value(), 170)
 
-    def test_set_boolean(self):
-        """Test setting boolean value"""
+    def test_post_boolean(self):
+        """Test POST with boolean value"""
         setting_name = 'project_bool_setting'
-        url = reverse(
-            'projectroles:api_project_setting_set',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
-            'app_name': EX_APP_NAME,
+            'plugin_name': EX_APP_NAME,
             'setting_name': setting_name,
             'value': True,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 200, msg=response.content)
         obj = AppSetting.objects.get(name=setting_name, project=self.project)
         self.assertEqual(obj.get_value(), True)
 
-    def test_set_json(self):
-        """Test setting JSON value"""
+    def test_post_json(self):
+        """Test POST with JSON value"""
         setting_name = 'project_json_setting'
         value = {'key': 'value'}
-        url = reverse(
-            'projectroles:api_project_setting_set',
-            kwargs={'project': self.project.sodar_uuid},
-        )
         post_data = {
-            'app_name': EX_APP_NAME,
+            'plugin_name': EX_APP_NAME,
             'setting_name': setting_name,
             'value': value,
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 200, msg=response.content)
         obj = AppSetting.objects.get(name=setting_name, project=self.project)
         self.assertEqual(obj.get_value(), value)
 
 
 class TestUserSettingRetrievePIView(
-    AppSettingMixin, AppSettingInitMixin, TestCoreAPIViewsBase
+    AppSettingMixin, AppSettingInitMixin, ProjectrolesAPIViewTestBase
 ):
     """Tests for UserSettingRetrieveAPIView"""
 
     def setUp(self):
         super().setUp()
         self.settings = self.init_app_settings()
+        self.url = reverse('projectroles:api_user_setting_retrieve')
 
-    def test_retrieve(self):
-        """Test retrieving app setting with USER scope"""
+    def test_get(self):
+        """Test UserSettingRetrieveAPIView GET"""
         setting_name = 'user_str_setting'
-        url = reverse('projectroles:api_user_setting_retrieve')
-        get_data = {'app_name': EX_APP_NAME, 'setting_name': setting_name}
-        response = self.request_knox(url, data=get_data)
-
+        get_data = {'plugin_name': EX_APP_NAME, 'setting_name': setting_name}
+        response = self.request_knox(self.url, data=get_data)
         self.assertEqual(response.status_code, 200, msg=response.content)
         response_data = json.loads(response.content)
         expected = {
-            'app_name': EX_APP_NAME,
+            'plugin_name': EX_APP_NAME,
             'project': None,
             'user': self.get_serialized_user(self.user),
             'name': setting_name,
@@ -3334,8 +3074,8 @@ def test_retrieve(self):
         }
         self.assertEqual(response_data, expected)
 
-    def test_retrieve_unset(self):
-        """Test retrieving unset USER setting (should return default)"""
+    def test_get_unset(self):
+        """Test GET with unset setting (should return default)"""
         setting_name = 'user_str_setting'
         default_value = app_settings.get_default(EX_APP_NAME, setting_name)
         q_kwargs = {
@@ -3344,18 +3084,12 @@ def test_retrieve_unset(self):
             'user': self.user,
         }
         AppSetting.objects.get(**q_kwargs).delete()
-
-        url = reverse('projectroles:api_user_setting_retrieve')
-        get_data = {
-            'app_name': EX_APP_NAME,
-            'setting_name': setting_name,
-        }
-        response = self.request_knox(url, data=get_data)
-
+        get_data = {'plugin_name': EX_APP_NAME, 'setting_name': setting_name}
+        response = self.request_knox(self.url, data=get_data)
         self.assertEqual(response.status_code, 200, msg=response.content)
         response_data = json.loads(response.content)
         expected = {
-            'app_name': EX_APP_NAME,
+            'plugin_name': EX_APP_NAME,
             'project': None,
             'user': self.get_serialized_user(self.user),
             'name': setting_name,
@@ -3366,17 +3100,15 @@ def test_retrieve_unset(self):
         self.assertEqual(response_data, expected)
         self.assertIsInstance(AppSetting.objects.get(**q_kwargs), AppSetting)
 
-    def test_retrieve_non_modifiable(self):
-        """Test retrieving non-modifiable USER app setting"""
+    def test_get_non_modifiable(self):
+        """Test GET with non-modifiable USER app setting"""
         setting_name = 'user_hidden_setting'
-        url = reverse('projectroles:api_user_setting_retrieve')
-        get_data = {'app_name': EX_APP_NAME, 'setting_name': setting_name}
-        response = self.request_knox(url, data=get_data)
-
+        get_data = {'plugin_name': EX_APP_NAME, 'setting_name': setting_name}
+        response = self.request_knox(self.url, data=get_data)
         self.assertEqual(response.status_code, 200, msg=response.content)
         response_data = json.loads(response.content)
         expected = {
-            'app_name': EX_APP_NAME,
+            'plugin_name': EX_APP_NAME,
             'project': None,
             'user': self.get_serialized_user(self.user),
             'name': setting_name,
@@ -3386,137 +3118,128 @@ def test_retrieve_non_modifiable(self):
         }
         self.assertEqual(response_data, expected)
 
-    def test_retrieve_invalid_app_name(self):
-        """Test retrieving USER setting with invalid app name (should fail)"""
-        setting_name = 'user_str_setting'
-        url = reverse('projectroles:api_user_setting_retrieve')
+    def test_get_invalid_app_name(self):
+        """Test GET with invalid app name (should fail)"""
         get_data = {
-            'app_name': 'NON-EXISTING-APP',
-            'setting_name': setting_name,
+            'plugin_name': 'NON-EXISTING-APP',
+            'setting_name': 'user_str_setting',
         }
-        response = self.request_knox(url, data=get_data)
+        response = self.request_knox(self.url, data=get_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
 
-    def test_retrieve_invalid_scope(self):
-        """Test retrieving USER setting with invalid scope (should fail)"""
-        setting_name = 'project_str_setting'
-        url = reverse('projectroles:api_user_setting_retrieve')
+    def test_get_invalid_scope(self):
+        """Test GET with invalid scope (should fail)"""
         get_data = {
-            'setting_name': setting_name,
+            'setting_name': 'project_str_setting',
             'project': str(self.project.sodar_uuid),
         }
-        response = self.request_knox(url, data=get_data)
+        response = self.request_knox(self.url, data=get_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
 
 
-class TestUserSettingSetAPIView(TestCoreAPIViewsBase):
+class TestUserSettingSetAPIView(ProjectrolesAPIViewTestBase):
     """Tests for UserSettingSetAPIView"""
 
-    def test_set(self):
-        """Test setting app setting value"""
+    def setUp(self):
+        super().setUp()
+        self.url = reverse('projectroles:api_user_setting_set')
+
+    def test_post(self):
+        """Test UserSettingSetAPIView POST"""
         self.assertEqual(AppSetting.objects.count(), 0)
         self.assertIsNone(
-            ProjectEvent.objects.filter(
+            TimelineEvent.objects.filter(
                 event_name='app_setting_set_api'
             ).first()
         )
-
         setting_name = 'user_str_setting'
-        url = reverse('projectroles:api_user_setting_set')
         post_data = {
-            'app_name': EX_APP_NAME,
+            'plugin_name': EX_APP_NAME,
             'setting_name': setting_name,
             'value': 'value',
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
 
         self.assertEqual(response.status_code, 200, msg=response.content)
         self.assertEqual(AppSetting.objects.count(), 1)
         obj = AppSetting.objects.get(name=setting_name, user=self.user)
         self.assertEqual(obj.get_value(), 'value')
         self.assertIsNone(
-            ProjectEvent.objects.filter(
+            TimelineEvent.objects.filter(
                 event_name='app_setting_set_api'
             ).first()
         )
 
-    def test_set_invalid_app_name(self):
-        """Test setting with invalid app name (should fail)"""
-        setting_name = 'NON-EXISTING-APP'
-        url = reverse('projectroles:api_user_setting_set')
+    def test_post_invalid_app_name(self):
+        """Test POST with invalid app name (should fail)"""
         post_data = {
-            'app_name': EX_APP_NAME,
-            'setting_name': setting_name,
+            'plugin_name': 'NON-EXISTING-APP',
+            'setting_name': 'user_str_setting',
             'value': 'value',
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(AppSetting.objects.count(), 0)
 
-    def test_set_invalid_scope_project(self):
-        """Test setting with PROJECT scope (should fail)"""
-        setting_name = 'project_str_setting'
-        url = reverse('projectroles:api_user_setting_set')
+    def test_post_invalid_scope_project(self):
+        """Test POST with PROJECT scope (should fail)"""
         post_data = {
-            'app_name': EX_APP_NAME,
-            'setting_name': setting_name,
+            'plugin_name': EX_APP_NAME,
+            'setting_name': 'project_str_setting',
             'value': 'value',
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(AppSetting.objects.count(), 0)
 
-    def test_set_invalid_scope_project_user(self):
-        """Test setting with PROJECT_USER scope (should fail)"""
-        setting_name = 'project_user_str_setting'
-        url = reverse('projectroles:api_user_setting_set')
+    def test_post_invalid_scope_project_user(self):
+        """Test POST with PROJECT_USER scope (should fail)"""
         post_data = {
-            'app_name': EX_APP_NAME,
-            'setting_name': setting_name,
+            'plugin_name': EX_APP_NAME,
+            'setting_name': 'project_user_str_setting',
             'value': 'value',
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(AppSetting.objects.count(), 0)
 
-    def test_set_no_value(self):
-        """Test setting without value (should fail)"""
+    def test_post_no_value(self):
+        """Test POST without value (should fail)"""
         self.assertEqual(AppSetting.objects.count(), 0)
-        setting_name = 'user_str_setting'
-        url = reverse('projectroles:api_user_setting_set')
         post_data = {
-            'app_name': EX_APP_NAME,
-            'setting_name': setting_name,
+            'plugin_name': EX_APP_NAME,
+            'setting_name': 'user_str_setting',
         }
-        response = self.request_knox(url, method='POST', data=post_data)
+        response = self.request_knox(self.url, method='POST', data=post_data)
         self.assertEqual(response.status_code, 400, msg=response.content)
         self.assertEqual(AppSetting.objects.count(), 0)
 
 
-class TestUserListAPIView(TestCoreAPIViewsBase):
+@override_settings(AUTH_LDAP_USERNAME_DOMAIN=LDAP_DOMAIN)
+class TestUserListAPIView(ProjectrolesAPIViewTestBase):
     """Tests for UserListAPIView"""
 
     def setUp(self):
         super().setUp()
         # Create additional users
-        self.domain_user = self.make_user('domain_user@domain')
+        self.user_ldap = self.make_user('user_ldap@' + LDAP_DOMAIN)
+        # TODO: Add OIDC user to tests
+        self.url = reverse('projectroles:api_user_list')
 
     def test_get(self):
-        """Test UserListAPIView get() as regular user"""
-        url = reverse('projectroles:api_user_list')
+        """Test UserListAPIView GET as regular user"""
         response = self.request_knox(
-            url, token=self.get_token(self.domain_user)
+            self.url, token=self.get_token(self.user_ldap)
         )
         self.assertEqual(response.status_code, 200)
         response_data = json.loads(response.content)
         self.assertEqual(len(response_data), 1)  # System users not returned
-        expected = [self.get_serialized_user(self.domain_user)]
+        expected = [self.get_serialized_user(self.user_ldap)]
         self.assertEqual(response_data, expected)
 
     def test_get_superuser(self):
-        """Test UserListAPIView get() as superuser"""
-        url = reverse('projectroles:api_user_list')
-        response = self.request_knox(url)  # Default token is for superuser
+        """Test GET as superuser"""
+        response = self.request_knox(self.url)  # Default token is for superuser
         self.assertEqual(response.status_code, 200)
         response_data = json.loads(response.content)
         self.assertEqual(len(response_data), 4)
@@ -3524,53 +3247,88 @@ def test_get_superuser(self):
             self.get_serialized_user(self.user),
             self.get_serialized_user(self.user_owner_cat),
             self.get_serialized_user(self.user_owner),
-            self.get_serialized_user(self.domain_user),
+            self.get_serialized_user(self.user_ldap),
         ]
         self.assertEqual(response_data, expected)
 
+    def test_get_pagination(self):
+        """Test GET with pagination"""
+        url = self.url + '?page=1'
+        response = self.request_knox(url)
+        self.assertEqual(response.status_code, 200)
+        response_data = json.loads(response.content)
+        expected = {
+            'count': 4,
+            'next': TEST_SERVER_URL + self.url + '?page=2',
+            'previous': None,
+            'results': [self.get_serialized_user(self.user)],
+        }
+        self.assertEqual(response_data, expected)
+
 
-class TestCurrentUserRetrieveAPIView(TestCoreAPIViewsBase):
+class TestCurrentUserRetrieveAPIView(
+    SODARUserAdditionalEmailMixin, ProjectrolesAPIViewTestBase
+):
     """Tests for CurrentUserRetrieveAPIView"""
 
     def setUp(self):
         super().setUp()
         # Create additional users
-        self.domain_user = self.make_user('domain_user@domain')
+        self.user_ldap = self.make_user('user_ldap@' + LDAP_DOMAIN)
+        self.url = reverse('projectroles:api_user_current')
 
     def test_get(self):
-        """Test CurrentUserRetrieveAPIView get() as regular user"""
-        url = reverse('projectroles:api_user_current')
+        """Test CurrentUserRetrieveAPIView GET as LDAP user"""
         response = self.request_knox(
-            url, token=self.get_token(self.domain_user)
+            self.url, token=self.get_token(self.user_ldap)
         )
         self.assertEqual(response.status_code, 200)
         response_data = json.loads(response.content)
         expected = {
-            'username': self.domain_user.username,
-            'name': self.domain_user.name,
-            'email': self.domain_user.email,
+            'username': self.user_ldap.username,
+            'name': self.user_ldap.name,
+            'email': self.user_ldap.email,
+            'additional_emails': [],
             'is_superuser': False,
-            'sodar_uuid': str(self.domain_user.sodar_uuid),
+            'sodar_uuid': str(self.user_ldap.sodar_uuid),
         }
         self.assertEqual(response_data, expected)
 
     def test_get_superuser(self):
-        """Test CurrentUserRetrieveAPIView get() as superuser"""
-        url = reverse('projectroles:api_user_current')
-        response = self.request_knox(url)
+        """Test GET as superuser"""
+        response = self.request_knox(self.url)
         self.assertEqual(response.status_code, 200)
         response_data = json.loads(response.content)
         expected = {
             'username': self.user.username,
             'name': self.user.name,
             'email': self.user.email,
+            'additional_emails': [],
             'is_superuser': True,
             'sodar_uuid': str(self.user.sodar_uuid),
         }
         self.assertEqual(response_data, expected)
 
+    def test_get_additional_email(self):
+        """Test CurrentUserRetrieveAPIView GET with additional email"""
+        self.make_email(self.user_ldap, ADD_EMAIL)
+        response = self.request_knox(
+            self.url, token=self.get_token(self.user_ldap)
+        )
+        self.assertEqual(response.status_code, 200)
+        response_data = json.loads(response.content)
+        expected = {
+            'username': self.user_ldap.username,
+            'name': self.user_ldap.name,
+            'email': self.user_ldap.email,
+            'additional_emails': [ADD_EMAIL],
+            'is_superuser': False,
+            'sodar_uuid': str(self.user_ldap.sodar_uuid),
+        }
+        self.assertEqual(response_data, expected)
+
 
-class TestAPIVersioning(TestCoreAPIViewsBase):
+class TestAPIVersioning(ProjectrolesAPIViewTestBase):
     """Tests for REST API view versioning using ProjectRetrieveAPIView"""
 
     def setUp(self):
@@ -3581,29 +3339,38 @@ def setUp(self):
         )
 
     def test_api_versioning(self):
-        """Test SODAR API Access with correct version headers"""
+        """Test projectroles API with correct version headers"""
         response = self.request_knox(
             self.url,
-            media_type=views_api.CORE_API_MEDIA_TYPE,
-            version=views_api.CORE_API_DEFAULT_VERSION,
+            media_type=views_api.PROJECTROLES_API_MEDIA_TYPE,
+            version=views_api.PROJECTROLES_API_DEFAULT_VERSION,
         )
         self.assertEqual(response.status_code, 200)
 
+    def test_api_versioning_legacy(self):
+        """Test projectroles API with legacy version (should fail)"""
+        response = self.request_knox(
+            self.url,
+            media_type=CORE_API_MEDIA_TYPE_LEGACY,
+            version=CORE_API_DEFAULT_VERSION_LEGACY,
+        )
+        self.assertEqual(response.status_code, 406)
+
     def test_api_versioning_invalid_version(self):
-        """Test SODAR API Access with unsupported version (should fail)"""
+        """Test projectroles API with unsupported version (should fail)"""
         response = self.request_knox(
             self.url,
-            media_type=views_api.CORE_API_MEDIA_TYPE,
+            media_type=views_api.PROJECTROLES_API_MEDIA_TYPE,
             version=CORE_API_VERSION_INVALID,
         )
         self.assertEqual(response.status_code, 406)
 
     def test_api_versioning_invalid_media_type(self):
-        """Test SODAR API Access with unsupported media type (should fail)"""
+        """Test projectroles API with unsupported media type (should fail)"""
         response = self.request_knox(
             self.url,
             media_type=CORE_API_MEDIA_TYPE_INVALID,
-            version=views_api.CORE_API_DEFAULT_VERSION,
+            version=CORE_API_DEFAULT_VERSION_LEGACY,
         )
         self.assertEqual(response.status_code, 406)
 
@@ -3616,12 +3383,12 @@ class TestRemoteProjectGetAPIView(
     RemoteProjectMixin,
     AppSettingMixin,
     SODARAPIViewTestMixin,
-    TestViewsBase,
+    ViewTestBase,
 ):
     """Tests for remote project getting API view"""
 
-    media_type = views_api.CORE_API_MEDIA_TYPE
-    api_version = views_api.CORE_API_DEFAULT_VERSION
+    media_type = views_api.SYNC_API_MEDIA_TYPE
+    api_version = views_api.SYNC_API_DEFAULT_VERSION
 
     def setUp(self):
         super().setUp()
@@ -3680,11 +3447,13 @@ def test_get_invalid_secret(self):
         )
         self.assertEqual(response.status_code, 401)
 
+    # TODO: Update test once we have a supported legacy version for this API
+    '''
     def test_get_legacy_version(self):
         """Test retrieving project data with legacy target site version"""
         # See issue #1355
         set_star = self.make_setting(
-            app_name='projectroles',
+            plugin_name='projectroles',
             name='project_star',
             setting_type='BOOLEAN',
             value=True,
@@ -3707,6 +3476,7 @@ def test_get_legacy_version(self):
         # Assert user_name is not present in PROJECT_USER setting
         set_data = response_dict['app_settings'][str(set_star.sodar_uuid)]
         self.assertNotIn('user_name', set_data)
+    '''
 
     def test_get_unsupported_version(self):
         """Test retrieving project data with legacy target site version"""
@@ -3724,7 +3494,7 @@ def test_get_unsupported_version(self):
 # IP Allowing Tests ------------------------------------------------------------
 
 
-class TestIPAllowing(AppSettingMixin, TestCoreAPIViewsBase):
+class TestIPAllowing(AppSettingMixin, ProjectrolesAPIViewTestBase):
     """Tests for IP allowing settings using ProjectRetrieveAPIView"""
 
     def _setup_ip_allowing(self, ip_list, role_suffix):
@@ -3744,7 +3514,7 @@ def _setup_ip_allowing(self, ip_list, role_suffix):
             )
         # Init IP restrict setting
         self.make_setting(
-            app_name='projectroles',
+            plugin_name='projectroles',
             name='ip_restrict',
             setting_type='BOOLEAN',
             value=True,
@@ -3752,7 +3522,7 @@ def _setup_ip_allowing(self, ip_list, role_suffix):
         )
         # Init IP allowlist setting
         self.make_setting(
-            app_name='projectroles',
+            plugin_name='projectroles',
             name='ip_allowlist',
             setting_type='JSON',
             value=None,
diff --git a/projectroles/urls.py b/projectroles/urls.py
index ebb29720..407f109d 100644
--- a/projectroles/urls.py
+++ b/projectroles/urls.py
@@ -12,22 +12,22 @@
         name='detail',
     ),
     path(
-        route='project/update/<uuid:project>',
+        route='update/<uuid:project>',
         view=views.ProjectUpdateView.as_view(),
         name='update',
     ),
     path(
-        route='project/create',
+        route='create',
         view=views.ProjectCreateView.as_view(),
         name='create',
     ),
     path(
-        route='project/create/<uuid:project>',
+        route='create/<uuid:project>',
         view=views.ProjectCreateView.as_view(),
         name='create',
     ),
     path(
-        route='project/archive/<uuid:project>',
+        route='archive/<uuid:project>',
         view=views.ProjectArchiveView.as_view(),
         name='archive',
     ),
@@ -95,14 +95,14 @@
         name='invite_accept',
     ),
     path(
-        route='invites/process/ldap/<str:secret>',
-        view=views.ProjectInviteProcessLDAPView.as_view(),
-        name='invite_process_ldap',
+        route='invites/process/login/<str:secret>',
+        view=views.ProjectInviteProcessLoginView.as_view(),
+        name='invite_process_login',
     ),
     path(
-        route='invites/process/local/<str:secret>',
-        view=views.ProjectInviteProcessLocalView.as_view(),
-        name='invite_process_local',
+        route='invites/process/new-user/<str:secret>',
+        view=views.ProjectInviteProcessNewUserView.as_view(),
+        name='invite_process_new_user',
     ),
     path(
         route='invites/resend/<uuid:projectinvite>',
@@ -179,6 +179,21 @@
         view=views_ajax.ProjectStarringAjaxView.as_view(),
         name='ajax_star',
     ),
+    path(
+        route='ajax/remote/access/<uuid:project>',
+        view=views_ajax.RemoteProjectAccessAjaxView.as_view(),
+        name='ajax_remote_access',
+    ),
+    path(
+        route='ajax/sidebar/<uuid:project>',
+        view=views_ajax.SidebarContentAjaxView.as_view(),
+        name='ajax_sidebar',
+    ),
+    path(
+        route='ajax/dropdown',
+        view=views_ajax.UserDropdownContentAjaxView.as_view(),
+        name='ajax_user_dropdown',
+    ),
     path(
         route='ajax/user/current',
         view=views_ajax.CurrentUserRetrieveAjaxView.as_view(),
diff --git a/projectroles/utils.py b/projectroles/utils.py
index 0e2157d1..d52645d3 100644
--- a/projectroles/utils.py
+++ b/projectroles/utils.py
@@ -5,15 +5,30 @@
 from django.urls import reverse
 from django.utils import timezone
 
-from projectroles.constants import get_sodar_constants
-
+from projectroles.plugins import get_active_plugins
+from projectroles.models import SODAR_CONSTANTS
 
 # Settings
 SECRET_LENGTH = getattr(settings, 'PROJECTROLES_SECRET_LENGTH', 32)
 INVITE_EXPIRY_DAYS = settings.PROJECTROLES_INVITE_EXPIRY_DAYS
 
 # SODAR constants
-SODAR_CONSTANTS = get_sodar_constants()
+PROJECT_TYPE_PROJECT = SODAR_CONSTANTS['PROJECT_TYPE_PROJECT']
+PROJECT_TYPE_CATEGORY = SODAR_CONSTANTS['PROJECT_TYPE_CATEGORY']
+
+# Local constants
+SIDEBAR_ICON_MIN_SIZE = 18
+SIDEBAR_ICON_MAX_SIZE = 42
+ROLE_URLS = [
+    'roles',
+    'role_create',
+    'role_update',
+    'role_delete',
+    'invites',
+    'invite_create',
+    'invite_resend',
+    'invite_revoke',
+]
 
 
 def get_display_name(key, title=False, count=1, plural=False):
@@ -95,3 +110,269 @@ def get_app_names():
             else:
                 ret.append(s[0])
     return sorted(ret)
+
+
+class AppLinkContent:
+    """Class for generating application links for the UI"""
+
+    def _is_active_projectroles(
+        self, app_name=None, url_name=None, link_names=None
+    ):
+        """Check if current URL is active under the projectroles app."""
+        if not app_name and not url_name:
+            return False
+        # HACK: Avoid circular import
+        from projectroles.urls import urlpatterns
+
+        if app_name != 'projectroles':
+            return False
+        return url_name in [u.name for u in urlpatterns] and (
+            not link_names or url_name in link_names
+        )
+
+    def _is_active_plugin(self, app_plugin, app_name=None, url_name=None):
+        """
+        Check if current URL is active for a specific app plugin.
+        """
+        if not app_name and not url_name:
+            return False
+        if app_plugin.name.startswith(app_name) and (
+            not url_name
+            or url_name in [u.name for u in getattr(app_plugin, 'urls', [])]
+        ):
+            return True
+        # HACK for remote site views, see issue #1336
+        if (
+            app_name == 'projectroles'
+            and app_plugin.name == 'remotesites'
+            and url_name.startswith('remote_')
+        ):
+            return True
+        return False
+
+    def _is_app_visible(self, plugin, project, user):
+        """Check if app should be visible for user in a specific project."""
+        can_view_app = user.has_perm(plugin.app_permission, project)
+        app_hidden = False
+        if plugin.name in getattr(
+            settings, 'PROJECTROLES_HIDE_PROJECT_APPS', []
+        ):
+            app_hidden = True
+        if (
+            can_view_app
+            and not app_hidden
+            and (project.type == PROJECT_TYPE_PROJECT or plugin.category_enable)
+        ):
+            return True
+        return False
+
+    def _allow_project_creation(self):
+        """Check whether creating a project is allowed on the site."""
+        if (
+            settings.PROJECTROLES_SITE_MODE
+            == SODAR_CONSTANTS['SITE_MODE_TARGET']
+            and not settings.PROJECTROLES_TARGET_CREATE
+        ):
+            return False
+        return True
+
+    def get_project_app_links(
+        self, user, project=None, app_name=None, url_name=None
+    ):
+        """Return project app links based on the current project and user."""
+        ret = []
+        # Add project related links
+        if project:
+            project_display_name = get_display_name(project.type, title=True)
+            # Add project overview link
+            ret.append(
+                {
+                    'name': 'project-detail',
+                    'url': reverse(
+                        'projectroles:detail',
+                        kwargs={'project': project.sodar_uuid},
+                    ),
+                    'label': f'{project_display_name} Overview',
+                    'icon': (
+                        'mdi:rhombus-split'
+                        if project.type == PROJECT_TYPE_CATEGORY
+                        else 'mdi:cube'
+                    ),
+                    'active': self._is_active_projectroles(
+                        link_names=['detail'],
+                        app_name=app_name,
+                        url_name=url_name,
+                    ),
+                }
+            )
+            # Add app plugins links
+            app_plugins = get_active_plugins()
+            for plugin in app_plugins:
+                if self._is_app_visible(plugin, project, user):
+                    ret.append(
+                        {
+                            'name': "app-plugin-" + plugin.name,
+                            'url': reverse(
+                                plugin.entry_point_url_id,
+                                kwargs={'project': project.sodar_uuid},
+                            ),
+                            'label': ' '.join(plugin.title.split(' ')),
+                            'icon': plugin.icon,
+                            'active': self._is_active_plugin(
+                                plugin, app_name=app_name, url_name=url_name
+                            ),
+                        }
+                    )
+            # Add role editing link
+            if user.has_perm('projectroles.view_project_roles', project):
+                ret.append(
+                    {
+                        'name': 'project-roles',
+                        'url': reverse(
+                            'projectroles:roles',
+                            kwargs={'project': project.sodar_uuid},
+                        ),
+                        'label': 'Members',
+                        'icon': 'mdi:account-multiple',
+                        'active': self._is_active_projectroles(
+                            link_names=ROLE_URLS,
+                            app_name=app_name,
+                            url_name=url_name,
+                        ),
+                    }
+                )
+            # Add project update link
+            if user.has_perm('projectroles.update_project', project):
+                ret.append(
+                    {
+                        'name': 'project-update',
+                        'url': reverse(
+                            'projectroles:update',
+                            kwargs={'project': project.sodar_uuid},
+                        ),
+                        'label': f'Update {project_display_name}',
+                        'icon': 'mdi:lead-pencil',
+                        'active': self._is_active_projectroles(
+                            link_names=['update'],
+                            app_name=app_name,
+                            url_name=url_name,
+                        ),
+                    }
+                )
+
+        # Add project and category creation links
+        if (
+            project
+            and project.type == PROJECT_TYPE_CATEGORY
+            and user.has_perm('projectroles.create_project', project)
+            and self._allow_project_creation()
+            and not project.is_remote()
+        ):
+            ret.append(
+                {
+                    'name': 'project-create',
+                    'url': reverse(
+                        'projectroles:create',
+                        kwargs={'project': project.sodar_uuid},
+                    ),
+                    'label': 'Create '
+                    f'{get_display_name(PROJECT_TYPE_PROJECT, title=True)} '
+                    f'or {get_display_name(PROJECT_TYPE_CATEGORY, title=True)}',
+                    'icon': 'mdi:plus-thick',
+                    'active': self._is_active_projectroles(
+                        link_names=['create'],
+                        app_name=app_name,
+                        url_name=url_name,
+                    ),
+                }
+            )
+        elif (
+            getattr(settings, 'PROJECTROLES_DISABLE_CATEGORIES', False)
+            and user.is_superuser
+        ):
+            ret.append(
+                {
+                    'name': 'project-create',
+                    'url': reverse('projectroles:create'),
+                    'label': 'Create '
+                    f'{get_display_name(PROJECT_TYPE_PROJECT, title=True)}',
+                    'icon': 'mdi:plus-thick',
+                    'active': self._is_active_projectroles(
+                        link_names=['create'],
+                        app_name=app_name,
+                        url_name=url_name,
+                    ),
+                }
+            )
+        elif (
+            (url_name == 'home' or app_name == 'projectroles' and not project)
+            and user.has_perm('projectroles.create_project')
+            and self._allow_project_creation()
+        ):
+            ret.append(
+                {
+                    'name': 'home-project-create',
+                    'url': reverse('projectroles:create'),
+                    'label': 'Create '
+                    f'{get_display_name(PROJECT_TYPE_CATEGORY, title=True)}',
+                    'icon': 'mdi:plus-thick',
+                    'active': self._is_active_projectroles(
+                        link_names=['create'],
+                        app_name=app_name,
+                        url_name=url_name,
+                    ),
+                }
+            )
+        return ret
+
+    def get_user_links(self, user, app_name=None, url_name=None):
+        """Return user links for the user dropdown"""
+        ret = []
+        # Add site-wide apps links
+        site_apps = get_active_plugins('site_app')
+        for app in site_apps:
+            if not app.app_permission or user.has_perm(app.app_permission):
+                ret.append(
+                    {
+                        'name': app.name,
+                        'url': reverse(app.entry_point_url_id),
+                        'label': app.title,
+                        'icon': app.icon,
+                        'active': self._is_active_plugin(
+                            app, app_name=app_name, url_name=url_name
+                        ),
+                    }
+                )
+        # Add admin link
+        if user.is_superuser:
+            ret.append(
+                {
+                    'name': 'admin',
+                    'url': reverse('admin:index'),
+                    'label': 'Django Admin',
+                    'icon': 'mdi:cogs',
+                    'active': False,
+                }
+            )
+        # Add log out / sign in link
+        if user.is_authenticated:
+            ret.append(
+                {
+                    'name': 'sign-out',
+                    'url': reverse('logout'),
+                    'label': 'Logout',
+                    'icon': 'mdi:logout-variant',
+                    'active': False,
+                }
+            )
+        elif not getattr(settings, 'PROJECTROLES_KIOSK_MODE', False):
+            ret.append(
+                {
+                    'name': 'sign-in',
+                    'url': reverse('login'),
+                    'label': 'Login',
+                    'icon': 'mdi:login-variant',
+                    'active': False,
+                }
+            )
+        return ret
diff --git a/projectroles/views.py b/projectroles/views.py
index 22df03b4..7bea9e9e 100644
--- a/projectroles/views.py
+++ b/projectroles/views.py
@@ -33,7 +33,7 @@
 from rules.contrib.views import PermissionRequiredMixin, redirect_to_login
 
 from projectroles import email
-from projectroles.app_settings import AppSettingAPI, APP_SETTING_LOCAL_DEFAULT
+from projectroles.app_settings import AppSettingAPI
 from projectroles.forms import (
     ProjectForm,
     RoleAssignmentForm,
@@ -80,6 +80,7 @@
 REMOTE_LEVEL_VIEW_AVAIL = SODAR_CONSTANTS['REMOTE_LEVEL_VIEW_AVAIL']
 REMOTE_LEVEL_READ_INFO = SODAR_CONSTANTS['REMOTE_LEVEL_READ_INFO']
 REMOTE_LEVEL_READ_ROLES = SODAR_CONSTANTS['REMOTE_LEVEL_READ_ROLES']
+REMOTE_LEVEL_REVOKED = SODAR_CONSTANTS['REMOTE_LEVEL_REVOKED']
 APP_SETTING_SCOPE_PROJECT = SODAR_CONSTANTS['APP_SETTING_SCOPE_PROJECT']
 APP_SETTING_SCOPE_PROJECT_USER = SODAR_CONSTANTS[
     'APP_SETTING_SCOPE_PROJECT_USER'
@@ -91,37 +92,44 @@
 APP_NAME = 'projectroles'
 SEND_EMAIL = settings.PROJECTROLES_SEND_EMAIL
 PROJECT_COLUMN_COUNT = 2  # Default columns
-MSG_LOGIN = 'Please log in.'
-MSG_NO_AUTH = 'User not authorized for requested action.'
-MSG_NO_AUTH_LOGIN = 'Authentication required, please log in.'
-MSG_FORM_INVALID = 'Form submission failed, see the form for details.'
-MSG_PROJECT_WELCOME = (
+LOGIN_MSG = 'Please log in.'
+NO_AUTH_MSG = 'User not authorized for requested action.'
+NO_AUTH_LOGIN_MSG = 'Authentication required, please log in.'
+FORM_INVALID_MSG = 'Form submission failed, see the form for details.'
+PROJECT_WELCOME_MSG = (
     'Welcome to {project_type} "{project_title}". You have been assigned the '
     'role of {role}.'
 )
-MSG_ARCHIVE_ERR_CAT = 'Setting archival is not allowed for {}.'.format(
+CAT_ARCHIVE_ERR_MSG = 'Setting archival is not allowed for {}.'.format(
     get_display_name(PROJECT_TYPE_CATEGORY, plural=True)
 )
-MSG_USER_PROFILE_UPDATE = 'User profile updated, please log in again.'
-MSG_USER_PROFILE_LDAP = 'Error: Profile editing not allowed for LDAP users.'
-MSG_INVITE_LDAP_LOCAL_VIEW = (
-    'Error: Invite was issued for LDAP user, but local invite view '
-    'was requested.'
+USER_PROFILE_UPDATE_MSG = 'User profile updated, please log in again.'
+USER_PROFILE_LDAP_MSG = 'Profile editing not allowed for LDAP users.'
+INVITE_NOT_FOUND_MSG = 'Invite not found.'
+INVITE_LDAP_LOCAL_VIEW_MSG = (
+    'Invite was issued for LDAP user, but local invite view was requested.'
 )
-MSG_INVITE_LOCAL_NOT_ALLOWED = (
-    'Error: Invite of non-LDAP user, but local users are not allowed.'
+INVITE_LOCAL_NOT_ALLOWED_MSG = 'Local users are not allowed.'
+
+INVITE_LOGGED_IN_ACCEPT_MSG = (
+    'Logged in user is not allowed to accept invites for other users.'
+)
+INVITE_USER_NOT_EQUAL_MSG = (
+    'Invited user exists, but logged in user is not invited user.'
 )
-MSG_INVITE_LOGGED_IN_ACCEPT = (
-    'Error: Logged in user is not allowed to accept invites for other users.'
+INVITE_USER_EXISTS_MSG = (
+    'User with that email already exists. Please login to accept the invite.'
 )
-MSG_INVITE_USER_NOT_EQUAL = (
-    'Error: Invited user exists, but logged in user is not invited user.'
+ROLE_CREATE_MSG = 'Membership granted with the role of "{role}".'
+ROLE_UPDATE_MSG = 'Member role changed to "{role}".'
+SEARCH_DICT_DEPRECATE_MSG = (
+    'Results from search() as a dict have been deprecated and support will be '
+    'removed in v1.1. Provide results as a list of PluginSearchResult objects '
+    'instead.'
 )
-MSG_INVITE_USER_EXISTS = (
-    'A user with that email already exists. Please login to accept the invite.'
+TARGET_CREATE_DISABLED_MSG = (
+    'PROJECTROLES_TARGET_CREATE=False, creation not allowed.'
 )
-ALERT_MSG_ROLE_CREATE = 'Membership granted with the role of "{role}".'
-ALERT_MSG_ROLE_UPDATE = 'Member role changed to "{role}".'
 
 
 # General UI view mixins -------------------------------------------------------
@@ -185,9 +193,9 @@ def add_no_perm_message(self):
         if self.no_perm_message:
             msg = self.no_perm_message
         elif self.request.user.is_authenticated:
-            msg = MSG_NO_AUTH
+            msg = NO_AUTH_MSG
         else:
-            msg = MSG_NO_AUTH_LOGIN
+            msg = NO_AUTH_LOGIN_MSG
         msg_method(self.request, msg)
 
     def handle_no_permission(self):
@@ -420,7 +428,7 @@ class InvalidFormMixin:
 
     def form_invalid(self, form, **kwargs):
         """Override form_invalid() to add Django message on form failure"""
-        messages.error(self.request, MSG_FORM_INVALID)
+        messages.error(self.request, FORM_INVALID_MSG)
         return super().form_invalid(form, **kwargs)
 
 
@@ -460,10 +468,10 @@ def handle_no_permission(self):
             )
             return redirect(reverse('home'))
         elif self.request.user.is_authenticated:
-            messages.error(self.request, MSG_NO_AUTH)
+            messages.error(self.request, NO_AUTH_MSG)
             return redirect(reverse('home'))
         else:
-            messages.error(self.request, MSG_NO_AUTH_LOGIN)
+            messages.error(self.request, NO_AUTH_LOGIN_MSG)
             return redirect_to_login(self.request.get_full_path())
 
 
@@ -587,7 +595,7 @@ def add_no_perm_message(self):
         referer_path = urlparse(referer_url).path
         resolved_path = resolve(referer_path)
         if resolved_path.url_name.startswith('invite_process_'):
-            messages.info(self.request, MSG_LOGIN)
+            messages.info(self.request, LOGIN_MSG)
             return
         super().add_no_perm_message()
 
@@ -610,13 +618,22 @@ def get_context_data(self, *args, **kwargs):
         else:
             context['role'] = None
 
+        # Remote projects
+        q_kwargs = {
+            'project_uuid': self.object.sodar_uuid,
+            'level': REMOTE_LEVEL_READ_ROLES,
+        }
+        if not self.request.user.has_perm(
+            'projectroles.view_hidden_projects', self.object
+        ):
+            q_kwargs['site__user_display'] = True
         if settings.PROJECTROLES_SITE_MODE == SITE_MODE_SOURCE:
             context['target_projects'] = RemoteProject.objects.filter(
-                project_uuid=self.object.sodar_uuid, site__mode=SITE_MODE_TARGET
+                site__mode=SITE_MODE_TARGET, **q_kwargs
             ).order_by('site__name')
         elif settings.PROJECTROLES_SITE_MODE == SITE_MODE_TARGET:
             context['peer_projects'] = RemoteProject.objects.filter(
-                project_uuid=self.object.sodar_uuid, site__mode=SITE_MODE_PEER
+                site__mode=SITE_MODE_PEER, **q_kwargs
             ).order_by('site__name')
         return context
 
@@ -669,14 +686,32 @@ def _get_app_results(
             }
             try:
                 search_res['results'] = plugin.search(**search_kwargs)
-                for v in search_res['results'].values():
-                    items = v.get('items')
-                    if items and (
-                        (isinstance(items, QuerySet) and items.count() > 0)
-                        or (isinstance(items, list) and len(items) > 0)
-                    ):
-                        search_res['has_results'] = True
-                        break
+                if isinstance(search_res['results'], dict):
+                    # TODO: Remove in v1.1 (see #1400)
+                    logger.warning(SEARCH_DICT_DEPRECATE_MSG)
+                    for v in search_res['results'].values():
+                        items = v.get('items')
+                        if items and (
+                            (isinstance(items, QuerySet) and items.count() > 0)
+                            or (isinstance(items, list) and len(items) > 0)
+                        ):
+                            search_res['has_results'] = True
+                            break
+                else:
+                    for r in search_res['results']:
+                        if r.items and (
+                            (
+                                isinstance(r.items, QuerySet)
+                                and r.items.count() > 0
+                            )
+                            or (isinstance(r.items, list) and len(r.items) > 0)
+                        ):
+                            search_res['has_results'] = True
+                            break
+                    # Build results into dict for easier use in templates
+                    search_res['results'] = {
+                        r.category: r for r in search_res['results']
+                    }
             except Exception as ex:
                 if settings.DEBUG:
                     raise ex
@@ -713,16 +748,24 @@ def _get_not_found(self, search_type, project_results, app_results):
         for results in [a['results'] for a in app_results]:
             if not results:
                 continue
-            for k, result in results.items():
-                type_match = True if search_type else False
-                if (
-                    not type_match
-                    and 'search_type' in result
-                    and search_type in result['search_types']
-                ):
-                    type_match = True
-                if (type_match or not search_type) and (not result['items']):
-                    ret.append(result['title'])
+            for k, r in results.items():
+                if isinstance(r, dict):
+                    # TODO: Remove in v1.1 (see #1400)
+                    type_match = True if search_type else False
+                    if (
+                        not type_match
+                        and 'search_types' in r
+                        and search_type in r['search_types']
+                    ):
+                        type_match = True
+                    if (type_match or not search_type) and (not r['items']):
+                        ret.append(r['title'])
+                else:
+                    type_match = True if search_type else False
+                    if not type_match and search_type in r.search_types:
+                        type_match = True
+                    if (type_match or not search_type) and (not r.items):
+                        ret.append(r.title)
         return ret
 
     def dispatch(self, request, *args, **kwargs):
@@ -739,6 +782,14 @@ class ProjectSearchResultsView(
 
     template_name = 'projectroles/search_results.html'
 
+    def _handle_context(self, request, *args, **kwargs):
+        """Handle context and render to response in GET/POST requests"""
+        context = self.get_context_data(*args, **kwargs)
+        if not context['search_terms']:
+            messages.error(request, 'No search terms provided.')
+            return redirect(reverse('home'))
+        return super().render_to_response(context)
+
     def get_context_data(self, *args, **kwargs):
         context = super().get_context_data(**kwargs)
         search_input = ''
@@ -767,7 +818,6 @@ def get_context_data(self, *args, **kwargs):
                     search_term += ' ' + s.lower()
             if search_term:
                 search_terms = [search_term]
-
         search_terms = list(dict.fromkeys(search_terms))  # Remove dupes
 
         for s in keyword_input:
@@ -811,18 +861,10 @@ def get_context_data(self, *args, **kwargs):
         return context
 
     def get(self, request, *args, **kwargs):
-        context = self.get_context_data(*args, **kwargs)
-        if not context['search_terms']:
-            messages.error(request, 'No search terms provided.')
-            return redirect(reverse('home'))
-        return super().render_to_response(context)
+        return self._handle_context(request, *args, *kwargs)
 
     def post(self, request, *args, **kwargs):
-        context = self.get_context_data(*args, **kwargs)
-        if not context['search_terms']:
-            messages.error(request, 'No search terms provided.')
-            return redirect(reverse('home'))
-        return super().render_to_response(context)
+        return self._handle_context(request, *args, *kwargs)
 
 
 class ProjectAdvancedSearchView(
@@ -901,8 +943,12 @@ def call_project_modify_api(cls, method_name, revert_name, method_args):
 class ProjectModifyMixin(ProjectModifyPluginViewMixin):
     """Mixin for Project creation/updating in UI and API views"""
 
+    #: Remote site fields
+    site_fields = {}
+
     @staticmethod
     def _get_old_project_data(project):
+        """Get existing data from project fields"""
         return {
             'title': project.title,
             'parent': project.parent,
@@ -912,6 +958,21 @@ def _get_old_project_data(project):
             'public_guest_access': project.public_guest_access,
         }
 
+    @classmethod
+    def _get_remote_project_data(cls, project):
+        """Return existing remote project data"""
+        ret = {}
+        existing_sites = []
+        for rp in RemoteProject.objects.filter(project=project):
+            ret[str(rp.site.sodar_uuid)] = rp.level == REMOTE_LEVEL_READ_ROLES
+            existing_sites.append(rp.site.sodar_uuid)
+        # Sites not yet added
+        for rs in RemoteSite.objects.filter(
+            mode=SITE_MODE_TARGET, user_display=True, owner_modifiable=True
+        ).exclude(sodar_uuid__in=existing_sites):
+            ret[str(rs.sodar_uuid)] = False
+        return ret
+
     @staticmethod
     def _get_app_settings(data, instance, user):
         """
@@ -938,7 +999,7 @@ def _get_app_settings(data, instance, user):
             else:
                 name = 'projectroles'
                 p_settings = app_settings.get_definitions(
-                    APP_SETTING_SCOPE_PROJECT, app_name=name, **p_kwargs
+                    APP_SETTING_SCOPE_PROJECT, plugin_name=name, **p_kwargs
                 )
 
             for s_key, s_val in p_settings.items():
@@ -962,8 +1023,9 @@ def _get_app_settings(data, instance, user):
                     project_settings[s_name] = s_data
         return project_settings
 
-    @staticmethod
-    def _get_project_update_data(old_data, project, project_settings):
+    def _get_project_update_data(
+        self, old_data, project, old_sites, sites, project_settings
+    ):
         extra_data = {}
         upd_fields = []
         if old_data['title'] != project.title:
@@ -982,12 +1044,27 @@ def _get_project_update_data(old_data, project, project_settings):
             extra_data['public_guest_access'] = project.public_guest_access
             upd_fields.append('public_guest_access')
 
+        # Remote projects
+        if (
+            settings.PROJECTROLES_SITE_MODE == SITE_MODE_SOURCE
+            and project.type == PROJECT_TYPE_PROJECT
+        ):
+            for s in [f.split('.')[1] for f in self.site_fields]:
+                if 'remote_sites' not in upd_fields and (
+                    s not in old_sites or bool(old_sites[s]) != bool(sites[s])
+                ):
+                    upd_fields.append('remote_sites')
+            if 'remote_sites' in upd_fields:
+                extra_data['remote_sites'] = {
+                    k: bool(v) for k, v in sites.items()
+                }
+
         # Settings
         for k, v in project_settings.items():
-            a_name = k.split('.')[1]
+            p_name = k.split('.')[1]
             s_name = k.split('.')[2]
-            s_def = app_settings.get_definition(s_name, app_name=a_name)
-            old_v = app_settings.get(a_name, s_name, project)
+            s_def = app_settings.get_definition(s_name, plugin_name=p_name)
+            old_v = app_settings.get(p_name, s_name, project)
             if s_def['type'] == 'JSON':
                 v = json.loads(v)
             if old_v != v:
@@ -995,9 +1072,84 @@ def _get_project_update_data(old_data, project, project_settings):
                 upd_fields.append(k)
         return extra_data, upd_fields
 
+    @staticmethod
+    def _get_timeline_ok_status():
+        timeline = get_backend_api('timeline_backend')
+        if not timeline:
+            raise ImproperlyConfigured('Timeline backend not found')
+        else:
+            return timeline.TL_STATUS_OK
+
+    def _update_remote_sites(self, project, data):
+        """Update project for remote sites"""
+        ret = {}
+        for f in self.site_fields:
+            site_uuid = f.split('.')[1]
+            site = RemoteSite.objects.filter(sodar_uuid=site_uuid).first()
+            # TODO: Validate site here
+            value = data[f]
+            rp = RemoteProject.objects.filter(
+                site=site, project=project
+            ).first()
+            modify = None
+            if rp and (
+                (value and rp.level != REMOTE_LEVEL_READ_ROLES)
+                or (not value and rp.level == REMOTE_LEVEL_READ_ROLES)
+            ):
+                rp.level = (
+                    REMOTE_LEVEL_READ_ROLES if value else REMOTE_LEVEL_REVOKED
+                )
+                rp.save()
+                modify = 'Updated'
+            elif not rp and value:  # Only create if value is True
+                rp = RemoteProject.objects.create(
+                    project_uuid=project.sodar_uuid,
+                    project=project,
+                    site=site,
+                    level=REMOTE_LEVEL_READ_ROLES,
+                )
+                modify = 'Created'
+            if modify:
+                logger.debug(
+                    '{} RemoteProject for site "{}" ({}): {}'.format(
+                        modify, site.name, site.sodar_uuid, rp.level
+                    )
+                )
+            ret[site_uuid] = rp and rp.level == REMOTE_LEVEL_READ_ROLES
+        return ret
+
     @classmethod
+    def _update_settings(cls, project, project_settings):
+        """Update project settings"""
+        is_remote = project.is_remote()
+        for k, v in project_settings.items():
+            _, plugin_name, setting_name = k.split('.', 3)
+            # Skip updating global settings on target site
+            if is_remote:
+                # TODO: Optimize (this can require a lot of queries)
+                s_def = app_settings.get_definition(
+                    setting_name, plugin_name=plugin_name
+                )
+                if app_settings.get_global_value(s_def):
+                    continue
+            app_settings.set(
+                plugin_name=k.split('.')[1],
+                setting_name=k.split('.')[2],
+                value=v,
+                project=project,
+                validate=True,
+            )
+
     def _create_timeline_event(
-        cls, project, action, owner, old_data, project_settings, request
+        self,
+        project,
+        action,
+        owner,
+        old_data,
+        old_sites,
+        sites,
+        project_settings,
+        request,
     ):
         timeline = get_backend_api('timeline_backend')
         if not timeline:
@@ -1014,17 +1166,17 @@ def _create_timeline_event(
             }
             # Add settings to extra data
             for k, v in project_settings.items():
-                a_name = k.split('.')[1]
+                p_name = k.split('.')[1]
                 s_name = k.split('.')[2]
-                s_def = app_settings.get_definition(s_name, app_name=a_name)
+                s_def = app_settings.get_definition(s_name, plugin_name=p_name)
                 if s_def['type'] == 'JSON':
                     v = json.loads(v)
                 extra_data[k] = v
 
         else:  # Update
             tl_desc = 'update ' + type_str.lower()
-            extra_data, upd_fields = cls._get_project_update_data(
-                old_data, project, project_settings
+            extra_data, upd_fields = self._get_project_update_data(
+                old_data, project, old_sites, sites, project_settings
             )
             if extra_data.get('parent'):  # Convert parent object into UUID
                 extra_data['parent'] = str(extra_data['parent'].sodar_uuid)
@@ -1043,28 +1195,6 @@ def _create_timeline_event(
             tl_event.add_object(owner, 'owner', owner.username)
         return tl_event
 
-    @classmethod
-    def _update_settings(cls, project, project_settings):
-        """Update project settings"""
-        is_remote = project.is_remote()
-        for k, v in project_settings.items():
-            _, app_name, setting_name = k.split('.', 3)
-            # Skip updating global settings on target site
-            if is_remote:
-                # TODO: Optimize (this can require a lot of queries)
-                s_def = app_settings.get_definition(
-                    setting_name, app_name=app_name
-                )
-                if not s_def.get('local', APP_SETTING_LOCAL_DEFAULT):
-                    continue
-            app_settings.set(
-                app_name=k.split('.')[1],
-                setting_name=k.split('.')[2],
-                value=v,
-                project=project,
-                validate=True,
-            )
-
     @classmethod
     def _notify_users(cls, project, action, owner, old_parent, request):
         """
@@ -1083,7 +1213,7 @@ def _notify_users(cls, project, action, owner, old_parent, request):
                     app_name=APP_NAME,
                     alert_name='role_create',
                     user=owner,
-                    message=ALERT_MSG_ROLE_CREATE.format(
+                    message=ROLE_CREATE_MSG.format(
                         project=project.title, role=owner_as.role.name
                     ),
                     url=reverse(
@@ -1092,7 +1222,9 @@ def _notify_users(cls, project, action, owner, old_parent, request):
                     ),
                     project=project,
                 )
-            if SEND_EMAIL:
+            if SEND_EMAIL and app_settings.get(
+                APP_NAME, 'notify_email_role', user=owner
+            ):
                 email.send_role_change_mail(
                     action.lower(),
                     project,
@@ -1107,6 +1239,10 @@ def _notify_users(cls, project, action, owner, old_parent, request):
             and project.parent.get_owner().user != request.user
         ):
             parent_owner = project.parent.get_owner().user
+            parent_owner_email = app_settings.get(
+                APP_NAME, 'notify_email_project', user=parent_owner
+            )
+
             if action == PROJECT_ACTION_CREATE and request.user != parent_owner:
                 if app_alerts:
                     app_alerts.add_alert(
@@ -1125,7 +1261,7 @@ def _notify_users(cls, project, action, owner, old_parent, request):
                         ),
                         project=project,
                     )
-                if SEND_EMAIL:
+                if SEND_EMAIL and parent_owner_email:
                     email.send_project_create_mail(project, request)
 
             elif old_parent and request.user != parent_owner:
@@ -1145,7 +1281,7 @@ def _notify_users(cls, project, action, owner, old_parent, request):
                     ),
                     project=project,
                 )
-                if SEND_EMAIL:
+                if SEND_EMAIL and parent_owner_email:
                     email.send_project_move_mail(project, request)
 
     @transaction.atomic
@@ -1197,6 +1333,18 @@ def modify_project(self, data, request, instance=None):
         if not owner and old_project:  # In case of a PATCH request
             owner = old_project.get_owner().user
 
+        # Create/update RemoteProject objects
+        old_sites = {}
+        sites = {}
+        if (
+            settings.PROJECTROLES_SITE_MODE == SITE_MODE_SOURCE
+            and project.type == PROJECT_TYPE_PROJECT
+        ):
+            self.site_fields = [f for f in data if f.startswith('remote_site.')]
+            old_sites = self._get_remote_project_data(project)
+            sites = self._update_remote_sites(project, data)
+
+        # Get app settings, store old settings
         project_settings = self._get_app_settings(data, project, request.user)
         old_settings = None
         if action == PROJECT_ACTION_UPDATE:
@@ -1204,7 +1352,14 @@ def modify_project(self, data, request, instance=None):
 
         # Create timeline event
         tl_event = self._create_timeline_event(
-            project, action, owner, old_data, project_settings, request
+            project,
+            action,
+            owner,
+            old_data,
+            old_sites,
+            sites,
+            project_settings,
+            request,
         )
         # Get old parent for project moving
         old_parent = (
@@ -1252,7 +1407,7 @@ def modify_project(self, data, request, instance=None):
 
         # Once all is done, update timeline event, create alerts and emails
         if tl_event:
-            tl_event.set_status('OK')
+            tl_event.set_status(self._get_timeline_ok_status())
         self._notify_users(project, action, owner, old_parent, request)
         return project
 
@@ -1351,21 +1506,19 @@ def get_form_kwargs(self):
         kwargs.update(self.kwargs)
         return kwargs
 
-    def get(self, request, *args, **kwargs):
-        """Override get() to limit project creation under other projects"""
+    def dispatch(self, request, *args, **kwargs):
+        """Override dispatch() for target site check"""
         # If site is in target mode and target creation is not allowed, redirect
         if (
             settings.PROJECTROLES_SITE_MODE == SITE_MODE_TARGET
             and not settings.PROJECTROLES_TARGET_CREATE
         ):
-            messages.error(
-                request,
-                'Creating local {} is not allowed.'.format(
-                    get_display_name(PROJECT_TYPE_PROJECT, plural=True)
-                ),
-            )
+            messages.error(request, TARGET_CREATE_DISABLED_MSG)
             return redirect(reverse('home'))
+        return super().dispatch(request, *args, **kwargs)
 
+    def get(self, request, *args, **kwargs):
+        """Override get() to limit project creation under other projects"""
         if 'project' in self.kwargs:
             project = Project.objects.get(sodar_uuid=self.kwargs['project'])
             if project.type != PROJECT_TYPE_CATEGORY:
@@ -1454,7 +1607,7 @@ def get(self, request, *args, **kwargs):
         """Override get() to check project type"""
         project = self.get_project()
         if project.type != PROJECT_TYPE_PROJECT:
-            messages.error(request, MSG_ARCHIVE_ERR_CAT)
+            messages.error(request, CAT_ARCHIVE_ERR_MSG)
             return redirect(
                 reverse(
                     'projectroles:detail',
@@ -1473,7 +1626,7 @@ def post(self, request, **kwargs):
             'projectroles:detail', kwargs={'project': project.sodar_uuid}
         )
         if project.type == PROJECT_TYPE_CATEGORY:
-            messages.error(request, MSG_ARCHIVE_ERR_CAT)
+            messages.error(request, CAT_ARCHIVE_ERR_MSG)
             return redirect(redirect_url)
 
         status = request.POST.get('status')
@@ -1523,11 +1676,11 @@ def post(self, request, **kwargs):
                     user=request.user,
                     event_name='project_{}'.format(action),
                     description='{} project'.format(action),
-                    status_type='OK',
+                    status_type=timeline.TL_STATUS_OK,
                 )
             # Alert users and send email
             self._alert_users(project, action, request.user)
-            if SEND_EMAIL:
+            if SEND_EMAIL:  # NOTE: Opt-out settings checked in email method
                 email.send_project_archive_mail(project, action, request)
         except Exception as ex:
             messages.error(request, 'Failed to alert users: {}'.format(ex))
@@ -1635,9 +1788,9 @@ def modify_assignment(
         if request.user != user:
             if app_alerts:
                 if action == PROJECT_ACTION_CREATE:
-                    alert_msg = ALERT_MSG_ROLE_CREATE
+                    alert_msg = ROLE_CREATE_MSG
                 else:  # Update
-                    alert_msg = ALERT_MSG_ROLE_UPDATE
+                    alert_msg = ROLE_UPDATE_MSG
                 app_alerts.add_alert(
                     app_name=APP_NAME,
                     alert_name='role_' + action.lower(),
@@ -1651,7 +1804,9 @@ def modify_assignment(
                     ),
                     project=project,
                 )
-            if SEND_EMAIL:
+            if SEND_EMAIL and app_settings.get(
+                APP_NAME, 'notify_email_role', user=user
+            ):
                 email.send_role_change_mail(
                     'update' if promote else action.lower(),
                     project,
@@ -1682,12 +1837,7 @@ def get_context_data(self, *args, **kwargs):
                 user_name='{user_name}',
                 issuer=self.request.user,
                 role_name='{role_name}',
-                project_url=self.request.build_absolute_uri(
-                    reverse(
-                        'projectroles:detail',
-                        kwargs={'project': project.sodar_uuid},
-                    )
-                ),
+                request=self.request,
             ).replace('\n', '\\n')
         return context
 
@@ -1740,7 +1890,7 @@ def _update_app_alerts(self, app_alerts, project, user, inh_as):
         :param inh_as: RoleAssignment object for inherited assignment or None
         """
         if inh_as:
-            message = ALERT_MSG_ROLE_UPDATE.format(
+            message = ROLE_UPDATE_MSG.format(
                 project=project.title, role=inh_as.role.name
             )
         else:
@@ -1814,15 +1964,20 @@ def delete_assignment(self, request, instance):
 
         inh_as = project.get_role(user, inherited_only=True)
         if tl_event:
-            tl_event.set_status('OK')
+            tl_event.set_status(timeline.TL_STATUS_OK)
         if app_alerts:
             self._update_app_alerts(app_alerts, project, user, inh_as)
-        if SEND_EMAIL and inh_as:
-            email.send_role_change_mail(
-                'update', project, user, inh_as.role, request
-            )
-        elif SEND_EMAIL:
-            email.send_role_change_mail('delete', project, user, None, request)
+        if SEND_EMAIL and app_settings.get(
+            APP_NAME, 'notify_email_role', user=user
+        ):
+            if inh_as:
+                email.send_role_change_mail(
+                    'update', project, user, inh_as.role, request
+                )
+            else:
+                email.send_role_change_mail(
+                    'delete', project, user, None, request
+                )
         return instance
 
 
@@ -1904,7 +2059,6 @@ class RoleAssignmentDeleteView(
     RolePermissionMixin,
     ProjectModifyPermissionMixin,
     ProjectContextMixin,
-    CurrentUserFormMixin,
     RoleAssignmentDeleteMixin,
     DeleteView,
 ):
@@ -1985,6 +2139,20 @@ class RoleAssignmentOwnerTransferMixin(ProjectModifyPluginViewMixin):
     #: Owner role object
     role_owner = None
 
+    def _get_timeline_ok_status(self):
+        timeline = get_backend_api('timeline_backend')
+        if not timeline:
+            return None
+        else:
+            return timeline.TL_STATUS_OK
+
+    def _get_timeline_failed_status(self):
+        timeline = get_backend_api('timeline_backend')
+        if not timeline:
+            return None
+        else:
+            return timeline.TL_STATUS_FAILED
+
     def _create_timeline_event(self, old_owner, new_owner, project):
         timeline = get_backend_api('timeline_backend')
         # Init Timeline event
@@ -2090,18 +2258,18 @@ def transfer_owner(self, project, new_owner, old_owner_as, old_owner_role):
             )
         except Exception as ex:
             if tl_event:
-                tl_event.set_status('FAILED', str(ex))
+                tl_event.set_status(self._get_timeline_failed_status(), str(ex))
             raise ex
 
         if tl_event:
-            tl_event.set_status('OK')
+            tl_event.set_status(self._get_timeline_ok_status())
         if not old_inh_owner and self.request.user != old_owner:
             if app_alerts:
                 app_alerts.add_alert(
                     app_name=APP_NAME,
                     alert_name='role_update',
                     user=old_owner,
-                    message=ALERT_MSG_ROLE_UPDATE.format(
+                    message=ROLE_UPDATE_MSG.format(
                         project=project.title, role=old_owner_role.name
                     ),
                     url=reverse(
@@ -2110,7 +2278,9 @@ def transfer_owner(self, project, new_owner, old_owner_as, old_owner_role):
                     ),
                     project=project,
                 )
-            if SEND_EMAIL:
+            if SEND_EMAIL and app_settings.get(
+                APP_NAME, 'notify_email_role', user=old_owner
+            ):
                 email.send_role_change_mail(
                     'update', project, old_owner, old_owner_role, self.request
                 )
@@ -2120,7 +2290,7 @@ def transfer_owner(self, project, new_owner, old_owner_as, old_owner_role):
                     app_name=APP_NAME,
                     alert_name='role_update',
                     user=new_owner,
-                    message=ALERT_MSG_ROLE_UPDATE.format(
+                    message=ROLE_UPDATE_MSG.format(
                         project=project.title, role=self.role_owner.name
                     ),
                     url=reverse(
@@ -2129,7 +2299,9 @@ def transfer_owner(self, project, new_owner, old_owner_as, old_owner_role):
                     ),
                     project=project,
                 )
-            if SEND_EMAIL:
+            if SEND_EMAIL and app_settings.get(
+                APP_NAME, 'notify_email_role', user=new_owner
+            ):
                 email.send_role_change_mail(
                     'update',
                     project,
@@ -2197,7 +2369,13 @@ def form_valid(self, form):
                 'Successfully transferred ownership from '
                 '{} to {}.'.format(old_owner.username, new_owner.username)
             )
-            if SEND_EMAIL:
+            old_owner_email = app_settings.get(
+                APP_NAME, 'notify_email_role', user=old_owner
+            )
+            new_owner_email = app_settings.get(
+                APP_NAME, 'notify_email_role', user=new_owner
+            )
+            if SEND_EMAIL and (old_owner_email or new_owner_email):
                 success_msg += ' Notification(s) have been sent by email.'
             messages.success(self.request, success_msg)
         return redirect(redirect_url)
@@ -2221,18 +2399,18 @@ def handle_invite(cls, invite, request, resend=False, add_message=True):
         """
         timeline = get_backend_api('timeline_backend')
         send_str = 'resend' if resend else 'send'
-        status_type = 'OK'
+        status_type = timeline.TL_STATUS_OK
         status_desc = None
 
         if SEND_EMAIL:
             sent_mail = email.send_invite_mail(invite, request)
             if sent_mail == 0:
-                status_type = 'FAILED'
+                status_type = timeline.TL_STATUS_FAILED
                 status_desc = 'Email sending failed'
         else:
-            status_type = 'FAILED'
+            status_type = timeline.TL_STATUS_FAILED
             status_desc = 'PROJECTROLES_SEND_EMAIL not True'
-        if status_type != 'OK' and not resend:
+        if status_type != timeline.TL_STATUS_OK and not resend:
             status_desc += ', invite not created'
 
         # Add event in Timeline
@@ -2249,7 +2427,7 @@ def handle_invite(cls, invite, request, resend=False, add_message=True):
                 status_desc=status_desc,
             )
 
-        if add_message and status_type == 'OK':
+        if add_message and status_type == timeline.TL_STATUS_OK:
             messages.success(
                 request,
                 'Invite for "{}" role in {} sent to {}, expires on {}.'.format(
@@ -2281,7 +2459,11 @@ def revoke_invite(cls, invite, project, request):
                 description='revoke invite sent to "{}"'.format(
                     invite.email if invite else 'N/A'
                 ),
-                status_type='OK' if invite else 'FAILED',
+                status_type=(
+                    timeline.TL_STATUS_OK
+                    if invite
+                    else timeline.TL_STATUS_FAILED
+                ),
             )
         return invite
 
@@ -2337,9 +2519,9 @@ def get_context_data(self, *args, **kwargs):
         context['preview_message'] = email.get_invite_message(
             '{message}'
         ).replace('\n', '\\n')
-        context['preview_footer'] = email.get_email_footer().replace(
-            '\n', '\\n'
-        )
+        context['preview_footer'] = email.get_email_footer(
+            self.request
+        ).replace('\n', '\\n')
         return context
 
     def get_form_kwargs(self):
@@ -2366,27 +2548,6 @@ def form_valid(self, form):
 class ProjectInviteProcessMixin(ProjectModifyPluginViewMixin):
     """Mixin for accepting and processing project invites"""
 
-    @classmethod
-    def get_invite_type(cls, invite):
-        """Return invite type ("ldap", "local" or "error")"""
-        # Check if domain is associated with LDAP
-        domain = invite.email.split('@')[1].lower()
-        domain_no_tld = domain.split('.')[0].lower()
-        ldap_domains = [
-            getattr(settings, 'AUTH_LDAP_USERNAME_DOMAIN', '').lower(),
-            getattr(settings, 'AUTH_LDAP2_USERNAME_DOMAIN', '').lower(),
-        ]
-        alt_domains = [
-            a.lower() for a in getattr(settings, 'LDAP_ALT_DOMAINS', [])
-        ]
-        if settings.ENABLE_LDAP and (
-            domain_no_tld in ldap_domains or domain in alt_domains
-        ):
-            return 'ldap'
-        elif settings.PROJECTROLES_ALLOW_LOCAL_USERS:
-            return 'local'
-        return 'error'
-
     @classmethod
     def revoke_invite(
         cls, invite, user=None, failed=True, fail_desc='', timeline=None
@@ -2402,7 +2563,7 @@ def revoke_invite(
                 user=user,
                 event_name='invite_accept',
                 description='accept project invite',
-                status_type='FAILED',
+                status_type=timeline.TL_STATUS_FAILED,
                 status_desc=fail_desc,
             )
 
@@ -2447,7 +2608,9 @@ def is_invite_expired(self, invite, user=None):
                 '{} ({})'.format(invite.issuer.name, invite.issuer.email),
             )
             # Send notification of expiry to issuer
-            if SEND_EMAIL:
+            if SEND_EMAIL and app_settings.get(
+                APP_NAME, 'notify_email_role', user=invite.issuer
+            ):
                 email.send_expiry_note(
                     invite,
                     self.request,
@@ -2488,7 +2651,7 @@ def create_assignment(self, invite, user, timeline=None):
             )
         role_as.save()
         if tl_event:
-            tl_event.set_status('OK')
+            tl_event.set_status(timeline.TL_STATUS_OK)
 
         # Notify the issuer by alert and email
         if app_alerts:
@@ -2506,33 +2669,45 @@ def create_assignment(self, invite, user, timeline=None):
                 ),
                 project=invite.project,
             )
-        if SEND_EMAIL:
+        if SEND_EMAIL and app_settings.get(
+            APP_NAME, 'notify_email_role', user=invite.issuer
+        ):
             email.send_accept_note(invite, self.request, user)
 
         # Deactivate the invite
         self.revoke_invite(invite, user, failed=False, timeline=timeline)
-
         # Finally, redirect user to the project front page
         messages.success(
             self.request,
-            MSG_PROJECT_WELCOME.format(
+            PROJECT_WELCOME_MSG.format(
                 project_type=get_display_name(invite.project.type),
                 project_title=invite.project.title,
                 role=invite.role.name,
             ),
         )
-        return True
+
+    def redirect_error(self, msg=None):
+        if msg:
+            messages.error(self.request, msg)
+        return redirect(reverse('home'))
 
 
 class ProjectInviteAcceptView(ProjectInviteProcessMixin, View):
     """View to handle accepting a project invite"""
 
+    def _redirect_process(self, login=True):
+        """Redirect to the proper process view"""
+        url = 'projectroles:invite_process_{}'.format(
+            'login' if login else 'new_user'
+        )
+        kw = {'secret': self.kwargs.get('secret')}
+        return redirect(reverse(url, kwargs=kw))
+
     def get(self, *args, **kwargs):
         invite = self.get_invite(secret=kwargs['secret'])
         if not invite:
-            return redirect(reverse('home'))
+            return self.redirect_error(INVITE_NOT_FOUND_MSG)
         user = self.request.user
-
         if (
             not user.is_anonymous
             and user.is_authenticated
@@ -2545,49 +2720,33 @@ def get(self, *args, **kwargs):
                     kwargs={'project': invite.project.sodar_uuid},
                 )
             )
-
-        invite_type = self.get_invite_type(invite)
-        if invite_type == 'ldap':
-            return redirect(
-                reverse(
-                    'projectroles:invite_process_ldap',
-                    kwargs={'secret': kwargs['secret']},
-                )
-            )
-        elif invite_type == 'local':
-            return redirect(
-                reverse(
-                    'projectroles:invite_process_local',
-                    kwargs={'secret': kwargs['secret']},
-                )
-            )
-        # Error
-        messages.error(
-            self.request, 'Local users are not allowed on this site.'
+        if (settings.ENABLE_LDAP and invite.is_ldap()) or (
+            settings.ENABLE_OIDC and not settings.PROJECTROLES_ALLOW_LOCAL_USERS
+        ):
+            return self._redirect_process()
+        elif settings.PROJECTROLES_ALLOW_LOCAL_USERS:
+            return self._redirect_process(False)
+        return self.redirect_error(
+            'Local or OIDC users are not enabled on this site.'
         )
-        return redirect(reverse('home'))
 
 
-class ProjectInviteProcessLDAPView(
+class ProjectInviteProcessLoginView(
     LoginRequiredMixin, ProjectInviteProcessMixin, View
 ):
-    """View to handle accepting a project LDAP invite"""
+    """
+    View for processing project invite with a logged in LDAP/OIDC user. Requires
+    login and then creates project assignment for the invited user.
+    """
 
     def get(self, *args, **kwargs):
         invite = self.get_invite(kwargs['secret'])
         if not invite:
-            return redirect(reverse('home'))
+            return self.redirect_error(INVITE_NOT_FOUND_MSG)
         timeline = get_backend_api('timeline_backend')
-        # Check if invite has correct type
-        if self.get_invite_type(invite) == 'local':
-            messages.error(
-                self.request,
-                'Invite was issued for local user, but LDAP invite view was '
-                'requested.',
-            )
-            return redirect(reverse('home'))
-        # Check if user already accepted the invite
+        # Check if user has already accepted the invite
         if self.user_role_exists(invite, self.request.user):
+            # NOTE: No message, simply redirect
             return redirect(
                 reverse(
                     'projectroles:detail',
@@ -2596,12 +2755,12 @@ def get(self, *args, **kwargs):
             )
         # Check if invite expired
         if self.is_invite_expired(invite, self.request.user):
-            return redirect(reverse('home'))
-        # If we get this far, create RoleAssignment..
-        if not self.create_assignment(
-            invite, self.request.user, timeline=timeline
-        ):
-            return redirect(reverse('home'))
+            return self.redirect_error()
+        # Create RoleAssignment
+        try:
+            self.create_assignment(invite, self.request.user, timeline=timeline)
+        except Exception as ex:
+            return self.redirect_error(ex)
         return redirect(
             reverse(
                 'projectroles:detail',
@@ -2610,72 +2769,75 @@ def get(self, *args, **kwargs):
         )
 
 
-class ProjectInviteProcessLocalView(ProjectInviteProcessMixin, FormView):
-    """View to handle accepting a project local invite"""
+class ProjectInviteProcessNewUserView(ProjectInviteProcessMixin, FormView):
+    """
+    View for processing a local/OIDC project invite as a newly created user.
+    Also provides an OIDC login element to login instead of creating a local
+    user account.
+    """
 
     form_class = LocalUserForm
     template_name = 'projectroles/user_form.html'
 
+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
+        context['invite'] = self.get_invite(self.kwargs['secret'])
+        return context
+
     def get(self, *args, **kwargs):
         invite = self.get_invite(self.kwargs['secret'])
         if not invite:
-            return redirect(reverse('home'))
+            return self.redirect_error(INVITE_NOT_FOUND_MSG)
         timeline = get_backend_api('timeline_backend')
-        # Check if local users are enabled
-        if not settings.PROJECTROLES_ALLOW_LOCAL_USERS:
-            messages.error(self.request, MSG_INVITE_LOCAL_NOT_ALLOWED)
-            return redirect(reverse('home'))
+        # Redirect to login process view if OIDC is enabled but local isn't
+        if settings.ENABLE_OIDC and not settings.PROJECTROLES_ALLOW_LOCAL_USERS:
+            return redirect(
+                reverse(
+                    'projectroles:invite_process_login',
+                    kwargs={'secret': invite.secret},
+                )
+            )
+        # If local users are not allowed but OIDC is, redirect to home
+        elif not settings.PROJECTROLES_ALLOW_LOCAL_USERS:
+            return self.redirect_error(INVITE_LOCAL_NOT_ALLOWED_MSG)
         # Check invite for correct type
-        if self.get_invite_type(invite) == 'ldap':
-            messages.error(self.request, MSG_INVITE_LDAP_LOCAL_VIEW)
-            return redirect(reverse('home'))
-
+        if invite.is_ldap():
+            return self.redirect_error(INVITE_LDAP_LOCAL_VIEW_MSG)
         # Check if invited user exists
         user = User.objects.filter(email=invite.email).first()
         # Check if invite has expired
         if self.is_invite_expired(invite, user):
-            return redirect(reverse('home'))
+            return self.redirect_error()  # Error message already added
 
         # A user is not logged in
         if self.request.user.is_anonymous:
-            # Redirect to login if user exists and
+            # Redirect to login if user exists
             if user:
-                messages.info(
-                    self.request,
-                    MSG_INVITE_USER_EXISTS,
-                )
+                messages.info(self.request, INVITE_USER_EXISTS_MSG)
                 return redirect(
                     reverse('login')
                     + '?next='
                     + reverse(
-                        'projectroles:invite_process_local',
+                        'projectroles:invite_process_new_user',
                         kwargs={'secret': invite.secret},
                     )
                 )
-            # Show form if user doesn't exists and no user is logged in
+            # Show form if user doesn't exist and no user is logged in
             return super().get(*args, **kwargs)
         # Logged in but the invited user does not exist yet
         if not user:
-            messages.error(
-                self.request,
-                MSG_INVITE_LOGGED_IN_ACCEPT,
-            )
-            return redirect(reverse('home'))
+            return self.redirect_error(INVITE_LOGGED_IN_ACCEPT_MSG)
         # Logged in user is not invited user
-        if not self.request.user == user:
-            messages.error(
-                self.request,
-                MSG_INVITE_USER_NOT_EQUAL,
-            )
-            return redirect(reverse('home'))
+        if self.request.user != user:
+            return self.redirect_error(INVITE_USER_NOT_EQUAL_MSG)
         # User exists but is not local
         if not user.is_local():
-            messages.error(self.request, 'User exists, but is not local.')
-            return redirect(reverse('home'))
-        # Create role if user exists
-        if not self.create_assignment(invite, user, timeline=timeline):
-            return redirect(reverse('home'))
-
+            return self.redirect_error('User exists, but is not local.')
+        # Create RoleAssignment
+        try:
+            self.create_assignment(invite, self.request.user, timeline=timeline)
+        except Exception as ex:
+            return self.redirect_error(ex)
         return redirect(
             reverse(
                 'projectroles:detail',
@@ -2710,26 +2872,21 @@ def form_valid(self, form):
 
         # Check if local users are allowed
         if not settings.PROJECTROLES_ALLOW_LOCAL_USERS:
-            messages.error(
-                self.request,
+            return self.redirect_error(
                 'Invite was issued to non-LDAP user, but local users are not '
-                'allowed.',
+                'allowed.'
             )
-            return redirect(reverse('home'))
-
         # Check invite for correct type
-        if self.get_invite_type(invite) == 'ldap':
-            messages.error(
-                self.request,
+        if invite.is_ldap():
+            return self.redirect_error(
                 'Invite was issued for LDAP user, but local invite view was '
-                'requested.',
+                'requested.'
             )
-            return redirect(reverse('home'))
-
         # Check if invite is expired
         if self.is_invite_expired(invite):
-            return redirect(reverse('home'))
+            return self.redirect_error()
 
+        # Create user and RoleAssignment
         user = User.objects.create_user(
             form.cleaned_data['username'],
             email=form.cleaned_data['email'],
@@ -2744,11 +2901,11 @@ def form_valid(self, form):
                     kwargs={'project': invite.project.sodar_uuid},
                 )
             )
-
-        # If we get this far, create RoleAssignment..
-        if not self.create_assignment(invite, user, timeline=timeline):
+        try:
+            self.create_assignment(invite, user, timeline=timeline)
+        except Exception as ex:
             user.delete()
-            redirect(reverse('home'))
+            return self.redirect_error(ex)
         return redirect(
             reverse(
                 'projectroles:detail',
@@ -2770,7 +2927,7 @@ def get(self, *args, **kwargs):
                 sodar_uuid=self.kwargs['projectinvite'], active=True
             )
         except ProjectInvite.DoesNotExist:
-            messages.error(self.request, 'Invite not found.')
+            messages.error(self.request, INVITE_NOT_FOUND_MSG)
             return redirect(
                 reverse(
                     'projectroles:invites',
@@ -2861,12 +3018,12 @@ def get_object(self, **kwargs):
 
     def get(self, *args, **kwargs):
         if not self.request.user.is_local():
-            messages.error(self.request, MSG_USER_PROFILE_LDAP)
+            messages.error(self.request, USER_PROFILE_LDAP_MSG)
             return redirect(reverse('home'))
         return super().get(*args, **kwargs)
 
     def get_success_url(self):
-        messages.success(self.request, MSG_USER_PROFILE_UPDATE)
+        messages.success(self.request, USER_PROFILE_UPDATE_MSG)
         return reverse('home')
 
 
@@ -2914,32 +3071,20 @@ def get(self, request, *args, **kwargs):
 
 
 class RemoteSiteModifyMixin(ModelFormMixin):
-    def form_valid(self, form):
-        timeline = get_backend_api('timeline_backend')
-        if self.object:
-            form_action = 'updated'
-        elif settings.PROJECTROLES_SITE_MODE == 'TARGET':
-            form_action = 'set'
-        else:
-            form_action = 'created'
-        self.object = form.save()
-        # Create timeline event
-        if timeline:
-            self.create_timeline_event(
-                self.object, self.request.user, form_action, timeline=timeline
-            )
-        messages.success(
-            self.request,
-            '{} site "{}" {}.'.format(
-                self.object.mode.capitalize(), self.object.name, form_action
-            ),
-        )
-        return redirect(reverse('projectroles:remote_sites'))
+    """Helpers for remote site modification"""
 
-    def create_timeline_event(
-        self, remote_site, user, form_action, timeline=None
-    ):
-        """Create timeline event for remote site creation/update"""
+    def _create_timeline_event(self, remote_site, user, form_action):
+        """
+        Create timeline event for remote site creation/update.
+
+        :param remote_site: RemoteSite object
+        :param user: SODARUser object
+        :param form_action: String
+        :param form_action:
+        """
+        timeline = get_backend_api('timeline_backend')
+        if not timeline:
+            return
         status = form_action if form_action == 'set' else form_action[0:-1]
         if remote_site.mode == SITE_MODE_SOURCE:
             event_name = 'source_site_{}'.format(status)
@@ -2966,12 +3111,31 @@ def create_timeline_event(
                 'user display': remote_site.user_display,
                 'secret': remote_site.secret,
             },
-            status_type='OK',
+            status_type=timeline.TL_STATUS_OK,
         )
         tl_event.add_object(
             obj=remote_site, label='remote_site', name=remote_site.name
         )
 
+    def form_valid(self, form):
+        """Override form_valid() to save timeline event and handle UI"""
+        if self.object:
+            form_action = 'updated'
+        elif settings.PROJECTROLES_SITE_MODE == 'TARGET':
+            form_action = 'set'
+        else:
+            form_action = 'created'
+        self.object = form.save()
+        # Create timeline event
+        self._create_timeline_event(self.object, self.request.user, form_action)
+        messages.success(
+            self.request,
+            '{} site "{}" {}.'.format(
+                self.object.mode.capitalize(), self.object.name, form_action
+            ),
+        )
+        return redirect(reverse('projectroles:remote_sites'))
+
 
 class RemoteSiteCreateView(
     LoginRequiredMixin,
@@ -3023,21 +3187,17 @@ class RemoteSiteUpdateView(
 class RemoteSiteDeleteView(
     LoginRequiredMixin,
     LoggedInPermissionMixin,
-    RemoteSiteModifyMixin,
     HTTPRefererMixin,
-    CurrentUserFormMixin,
     DeleteView,
 ):
     """RemoteSite deletion view"""
 
     model = RemoteSite
-    form_class = RemoteSiteForm
     permission_required = 'projectroles.update_remote'
     slug_url_kwarg = 'remotesite'
     slug_field = 'sodar_uuid'
 
     def get_success_url(self):
-        """Override get_success_url() to add message"""
         timeline = get_backend_api('timeline_backend')
         if timeline:
             event_name = '{}_site_delete'.format(
@@ -3051,7 +3211,7 @@ def get_success_url(self):
                 event_name=event_name,
                 description=tl_desc,
                 classified=True,
-                status_type='OK',
+                status_type=timeline.TL_STATUS_OK,
             )
             tl_event.add_object(
                 obj=self.object, label='remote_site', name=self.object.name
@@ -3150,9 +3310,11 @@ def post(self, request, *args, **kwargs):
                             'project': Project.objects.get(
                                 sodar_uuid=project_uuid
                             ),
-                            'old_level': REMOTE_LEVEL_NONE
-                            if not remote_obj
-                            else remote_obj.level,
+                            'old_level': (
+                                REMOTE_LEVEL_NONE
+                                if not remote_obj
+                                else remote_obj.level
+                            ),
                             'new_level': v,
                         }
                     )
@@ -3193,9 +3355,9 @@ def post(self, request, *args, **kwargs):
             modifying_access.append(
                 {
                     'project': project.get_log_title(),
-                    'old_level': REMOTE_LEVEL_NONE
-                    if not old_level
-                    else old_level,
+                    'old_level': (
+                        REMOTE_LEVEL_NONE if not old_level else old_level
+                    ),
                     'new_level': v,
                 }
             )
@@ -3212,7 +3374,7 @@ def post(self, request, *args, **kwargs):
                     event_name='remote_project_update',
                     description=tl_desc,
                     classified=True,
-                    status_type='OK',
+                    status_type=timeline.TL_STATUS_OK,
                 )
                 tl_event.add_object(site, 'remote_site', site.name)
 
@@ -3226,7 +3388,7 @@ def post(self, request, *args, **kwargs):
                 description=tl_desc,
                 extra_data={'modifying_access': modifying_access},
                 classified=True,
-                status_type='OK',
+                status_type=timeline.TL_STATUS_OK,
             )
             tl_event.add_object(obj=site, label='remote_site', name=site.name)
 
@@ -3346,7 +3508,7 @@ def get(self, request, *args, **kwargs):
                 event_name='remote_project_sync',
                 description=tl_desc,
                 classified=True,
-                status_type='OK',
+                status_type=timeline.TL_STATUS_OK,
             )
             tl_event.add_object(
                 obj=source_site, label='remote_site', name=source_site.name
diff --git a/projectroles/views_ajax.py b/projectroles/views_ajax.py
index 1f54074d..adbe6c57 100644
--- a/projectroles/views_ajax.py
+++ b/projectroles/views_ajax.py
@@ -22,17 +22,14 @@
 from projectroles.models import (
     Project,
     RoleAssignment,
+    RemoteProject,
     SODAR_CONSTANTS,
     CAT_DELIMITER,
     ROLE_RANKING,
 )
-from projectroles.plugins import get_active_plugins, get_backend_api
-from projectroles.utils import get_display_name
-from projectroles.views import (
-    ProjectAccessMixin,
-    APP_NAME,
-    User,
-)
+from projectroles.plugins import get_active_plugins
+from projectroles.utils import get_display_name, AppLinkContent
+from projectroles.views import ProjectAccessMixin, User
 from projectroles.views_api import (
     SODARAPIProjectPermission,
     CurrentUserRetrieveAPIView,
@@ -49,6 +46,7 @@
 PROJECT_ROLE_OWNER = SODAR_CONSTANTS['PROJECT_ROLE_OWNER']
 PROJECT_ROLE_FINDER = SODAR_CONSTANTS['PROJECT_ROLE_FINDER']
 SYSTEM_USER_GROUP = SODAR_CONSTANTS['SYSTEM_USER_GROUP']
+SITE_MODE_SOURCE = SODAR_CONSTANTS['SITE_MODE_SOURCE']
 
 
 # Base Classes and Mixins ------------------------------------------------------
@@ -66,6 +64,7 @@ class instead of SODARBaseAjaxView is needed.
     allow_anonymous = False
     authentication_classes = [SessionAuthentication]
     renderer_classes = [JSONRenderer]
+    schema = None
 
     @property
     def permission_classes(self):
@@ -418,38 +417,109 @@ def post(self, request, *args, **kwargs):
         # HACK: Manually refuse access to anonymous as this view is an exception
         if request.user.is_anonymous:
             return Response({'detail': 'Anonymous access denied'}, status=401)
-
         project = self.get_project()
         user = request.user
-        timeline = get_backend_api('timeline_backend')
         project_star = app_settings.get(
             'projectroles', 'project_star', project, user
         )
-        action_str = '{}star'.format('un' if project_star else '')
-        if project_star:
-            app_settings.delete('projectroles', 'project_star', project, user)
-        else:
-            app_settings.set(
-                app_name='projectroles',
-                setting_name='project_star',
-                value=True,
-                project=project,
-                user=user,
-                validate=False,
-            )
+        value = False if project_star else True
+        app_settings.set(
+            plugin_name='projectroles',
+            setting_name='project_star',
+            value=value,
+            project=project,
+            user=user,
+            validate=False,
+        )
+        return Response(1 if value else 0, status=200)
 
-        # Add event in Timeline
-        if timeline:
-            timeline.add_event(
-                project=project,
-                app_name=APP_NAME,
-                user=user,
-                event_name='project_{}'.format(action_str),
-                description='{} project'.format(action_str),
-                classified=True,
-                status_type='INFO',
-            )
-        return Response(0 if project_star else 1, status=200)
+
+class RemoteProjectAccessAjaxView(SODARBaseProjectAjaxView):
+    """View to check whether a remote project has been accessed by sync"""
+
+    permission_required = 'projectroles.view_project'
+
+    def get(self, request, *args, **kwargs):
+        project = self.get_project()
+        rp_uuids = request.GET.getlist('rp')
+        ret = {}
+        for u in rp_uuids:
+            rp = RemoteProject.objects.filter(sodar_uuid=u).first()
+            if not rp:
+                return Response(
+                    {'detail': 'RemoteProject not found'}, status=404
+                )
+            if (
+                rp.project_uuid != project.sodar_uuid
+                or rp.site.mode == SITE_MODE_SOURCE
+            ):
+                return Response({'detail': 'Invalid RemoteProject'}, status=400)
+            ret[str(rp.sodar_uuid)] = rp.date_access is not None
+        return Response(ret, status=200)
+
+
+class SidebarContentAjaxView(SODARBaseProjectAjaxView):
+    """
+    Return sidebar and project dropdown links to be displayed in a client-side
+    application. This can be used as an alternative to rendering server-side
+    sidebar and project dropdonwn elements.
+
+    All returned links are inactive by default. To get correct "active"
+    attribute for each of the links, you must provide the app_name as GET
+    parameter. The app_name refers to the current app name
+    (request.resolver_match.app_name).
+
+    Return data (for each link):
+
+    - ``name``: Internal ID (string)
+    - ``url``: View URL (string)
+    - ``label``: Text label to be displayed for link (string)
+    - ``icon``: Icon namespace and ID (string, example: "mdi:cube")
+    - ``active``: Whether link is currently active (boolean)
+    """
+
+    permission_required = 'projectroles.view_project'
+
+    def get(self, request, *args, **kwargs):
+        project = self.get_project()
+        app_name = request.GET.get('app_name')
+        # Get the content for the sidebar
+        app_link_content = AppLinkContent()
+        sidebar_links = app_link_content.get_project_app_links(
+            request.user, project, app_name=app_name
+        )
+        return JsonResponse({'links': sidebar_links})
+
+
+class UserDropdownContentAjaxView(SODARBaseAjaxView):
+    """
+    Return user dropdown links to be displayed in a client-side application.
+    This can be used as an alternative to rendering the server-side dropdown.
+
+    All returned links are inactive by default. To get correct "active"
+    attribute for each of the links, you must provide the app_name as GET
+    parameter. The app_name refers to the current app name
+    (request.resolver_match.app_name).
+
+    Return data (for each link):
+
+    - ``name``: Internal ID (string)
+    - ``url``: View URL (string)
+    - ``label``: Text label to be displayed for link (string)
+    - ``icon``: Icon namespace and ID (string, example: "mdi:cube")
+    - ``active``: Whether link is currently active (boolean)
+    """
+
+    permission_classes = [IsAuthenticated]
+
+    def get(self, request, *args, **kwargs):
+        app_name = request.GET.get('app_name')
+        # Get the content for the user dropdown
+        app_link_content = AppLinkContent()
+        user_dropdown_links = app_link_content.get_user_links(
+            request.user, app_name=app_name
+        )
+        return JsonResponse({'links': user_dropdown_links})
 
 
 class CurrentUserRetrieveAjaxView(
diff --git a/projectroles/views_api.py b/projectroles/views_api.py
index 54fbf1a8..4130e700 100644
--- a/projectroles/views_api.py
+++ b/projectroles/views_api.py
@@ -1,6 +1,6 @@
 """REST API views for the projectroles app"""
 
-import re
+import sys
 
 from ipaddress import ip_address, ip_network
 
@@ -23,6 +23,7 @@
     UpdateAPIView,
     DestroyAPIView,
 )
+from rest_framework.pagination import PageNumberPagination
 from rest_framework.permissions import (
     BasePermission,
     AllowAny,
@@ -30,10 +31,10 @@
 )
 from rest_framework.renderers import JSONRenderer
 from rest_framework.response import Response
+from rest_framework.schemas.openapi import AutoSchema
 from rest_framework.versioning import AcceptHeaderVersioning
 from rest_framework.views import APIView
 
-from projectroles import __version__ as core_version
 from projectroles.app_settings import AppSettingAPI
 from projectroles.models import (
     Project,
@@ -85,6 +86,7 @@
 ]
 
 # API constants for external SODAR Core sites
+# DEPRECATED: To be removed in SODAR Core v1.1 (see #1401)
 SODAR_API_MEDIA_TYPE = getattr(
     settings, 'SODAR_API_MEDIA_TYPE', 'application/UNDEFINED+json'
 )
@@ -94,11 +96,18 @@
 SODAR_API_ALLOWED_VERSIONS = getattr(
     settings, 'SODAR_API_ALLOWED_VERSIONS', [SODAR_API_DEFAULT_VERSION]
 )
-CORE_API_MEDIA_TYPE = 'application/vnd.bihealth.sodar-core+json'
-CORE_API_DEFAULT_VERSION = re.match(
-    r'^([0-9.]+)(?:[+|\-][\S]+)?$', core_version
-)[1]
-CORE_API_ALLOWED_VERSIONS = ['0.13.0', '0.13.1', '0.13.2', '0.13.3', '0.13.4']
+
+# API constants for projectroles APIs
+PROJECTROLES_API_MEDIA_TYPE = (
+    'application/vnd.bihealth.sodar-core.projectroles+json'
+)
+PROJECTROLES_API_DEFAULT_VERSION = '1.0'
+PROJECTROLES_API_ALLOWED_VERSIONS = ['1.0']
+SYNC_API_MEDIA_TYPE = (
+    'application/vnd.bihealth.sodar-core.projectroles.sync+json'
+)
+SYNC_API_DEFAULT_VERSION = '1.0'
+SYNC_API_ALLOWED_VERSIONS = ['1.0']
 
 # Local constants
 INVALID_PROJECT_TYPE_MSG = (
@@ -204,18 +213,27 @@ def has_permission(self, request, view):
         return request.user.has_perm(perm, project)
 
 
+# TODO: Remove in v1.1 (see #1401)
 class SODARAPIVersioning(AcceptHeaderVersioning):
-    """Accept header versioning class for SODAR API views"""
+    """
+    Accept header versioning class for SODAR API views.
+
+    DEPRECATED: To be removed in SODAR Core v1.1 (see #1401). You need to
+    provide version identifiers specific to your API providing app.
+    """
 
     allowed_versions = SODAR_API_ALLOWED_VERSIONS
     default_version = SODAR_API_DEFAULT_VERSION
-    version_param = 'version'
 
 
+# TODO: Remove in v1.1 (see #1401)
 class SODARAPIRenderer(JSONRenderer):
     """
     SODAR API JSON renderer with a site-specific media type retrieved from
     Django settings.
+
+    DEPRECATED: To be removed in SODAR Core v1.1 (see #1401). You must define
+    a media type specific for your API providing app.
     """
 
     media_type = SODAR_API_MEDIA_TYPE
@@ -224,13 +242,20 @@ class SODARAPIRenderer(JSONRenderer):
 # Base API View Mixins ---------------------------------------------------------
 
 
+# TODO: Remove in v1.1 (see #1401)
 class SODARAPIBaseMixin:
-    """Base SODAR API mixin to be used by external SODAR Core based sites"""
+    """
+    Base SODAR API mixin to be used by external SODAR Core based sites.
+
+    DEPRECATED: To be removed in SODAR Core v1.1 (see #1401). You must define
+    a base renderer and a versioning class specific to your API providing app.
+    """
 
     renderer_classes = [SODARAPIRenderer]
     versioning_class = SODARAPIVersioning
 
 
+# TODO: Remove SODARAPIBaseMixin inheritance in v1.1 (see #1401)
 class SODARAPIBaseProjectMixin(ProjectAccessMixin, SODARAPIBaseMixin):
     """
     API view mixin for the base DRF ``APIView`` class with project permission
@@ -239,6 +264,8 @@ class SODARAPIBaseProjectMixin(ProjectAccessMixin, SODARAPIBaseMixin):
     Project type can be restricted to ``PROJECT_TYPE_CATEGORY`` or
     ``PROJECT_TYPE_PROJECT``, as defined in SODAR constants, by setting the
     ``project_type`` attribute in the view.
+
+    NOTE: The SODARAPIBaseMixin inheritance will be removed in v1.1 (see #1401).
     """
 
     permission_classes = [SODARAPIProjectPermission]
@@ -257,6 +284,8 @@ class APIProjectContextMixin(ProjectAccessMixin):
 
     def get_serializer_context(self, *args, **kwargs):
         context = super().get_serializer_context(*args, **kwargs)
+        if sys.argv[1:2] == ['generateschema']:
+            return context
         context['project'] = self.get_project(request=context['request'])
         return context
 
@@ -304,30 +333,29 @@ def get_queryset(self):
         return Project.objects.all()
 
 
-# SODAR Core Base Views and Mixins ---------------------------------------------
-
+class SODARPageNumberPagination(PageNumberPagination):
+    """
+    Override of PageNumberPagination to provide optional pagination.
 
-class CoreAPIVersioning(AcceptHeaderVersioning):
-    allowed_versions = CORE_API_ALLOWED_VERSIONS
-    default_version = CORE_API_DEFAULT_VERSION
-    version_param = 'version'
+    If the "page" query string is not present, results will be provided as a
+    full unpaginated list.
 
+    If the "page" query string is included, results will be presented in the
+    default ``PageNumberPagination`` dict format.
 
-class CoreAPIRenderer(JSONRenderer):
-    media_type = CORE_API_MEDIA_TYPE
+    See: https://www.django-rest-framework.org/api-guide/pagination/#pagenumberpagination
+    """
 
+    def paginate_queryset(self, queryset, request, view=None):
+        if not request.query_params.get('page'):
+            return None
+        return super().paginate_queryset(queryset, request, view)
 
-class CoreAPIBaseMixin:
-    """
-    SODAR Core API view mixin, which overrides versioning and renderer classes
-    with ones intended for use with internal SODAR Core API views.
-    """
 
-    renderer_classes = [CoreAPIRenderer]
-    versioning_class = CoreAPIVersioning
+# SODAR Core Base Views and Mixins ---------------------------------------------
 
 
-class CoreAPIBaseProjectMixin(ProjectAccessMixin, CoreAPIBaseMixin):
+class CoreAPIBaseProjectMixin(ProjectAccessMixin):
     """
     SODAR Core API view mixin for the base DRF ``APIView`` class with project
     permission checking, but without serializers and other generic view
@@ -347,7 +375,38 @@ class CoreAPIGenericProjectMixin(
     queryset_project_field = 'project'  # Replace if no direct project relation
 
 
-# Projectroles Specific Base Views and Mixins ----------------------------------
+class ProjectrolesAPIVersioningMixin:
+    """
+    Projectroles API view versioning mixin for overriding media type
+    and accepted versions.
+    """
+
+    class ProjectrolesAPIVersioning(AcceptHeaderVersioning):
+        allowed_versions = PROJECTROLES_API_ALLOWED_VERSIONS
+        default_version = PROJECTROLES_API_DEFAULT_VERSION
+
+    class ProjectrolesAPIRenderer(JSONRenderer):
+        media_type = PROJECTROLES_API_MEDIA_TYPE
+
+    renderer_classes = [ProjectrolesAPIRenderer]
+    versioning_class = ProjectrolesAPIVersioning
+
+
+class RemoteSyncAPIVersioningMixin:
+    """
+    Projectroles remote sync API view versioning mixin for overriding media type
+    and accepted versions.
+    """
+
+    class RemoteSyncAPIRenderer(JSONRenderer):
+        media_type = SYNC_API_MEDIA_TYPE
+
+    class RemoteSyncAPIVersioning(AcceptHeaderVersioning):
+        allowed_versions = SYNC_API_ALLOWED_VERSIONS
+        default_version = SYNC_API_DEFAULT_VERSION
+
+    renderer_classes = [RemoteSyncAPIRenderer]
+    versioning_class = RemoteSyncAPIVersioning
 
 
 class ProjectCreatePermission(ProjectAccessMixin, BasePermission):
@@ -375,34 +434,48 @@ def has_permission(self, request, view):
 # API Views --------------------------------------------------------------------
 
 
-class ProjectListAPIView(APIView):
+class ProjectListAPIView(ProjectrolesAPIVersioningMixin, ListAPIView):
     """
     List all projects and categories for which the requesting user has access.
 
+    Supports optional pagination by providing the ``page`` query string. This
+    will return results in the Django Rest Framework ``PageNumberPagination``
+    format.
+
     **URL:** ``/project/api/list``
 
     **Methods:** ``GET``
 
+    **Parameters:**
+
+    - ``page``: Page number for paginated results (int, optional)
+
     **Returns:**
 
-    List of project details (see ``ProjectRetrieveAPIView``). For project finder
-    role, only lists title and UUID of projects.
+    List of ``Project`` objects (see ``ProjectRetrieveAPIView``). For project
+    finder role, only lists title and UUID of projects.
     """
 
+    pagination_class = SODARPageNumberPagination
     permission_classes = [IsAuthenticated]
-    renderer_classes = [CoreAPIRenderer]
-    versioning_class = CoreAPIVersioning
+    serializer_class = ProjectSerializer
 
-    def get(self, request, *args, **kwargs):
+    def get_queryset(self):
+        """
+        Override get_queryset() to return categories and projects to which the
+        user has access. NOTE: Returns a list, not a QuerySet.
+
+        :return: List of Project objects
+        """
         projects_all = Project.objects.all().order_by('full_title')
-        if request.user.is_superuser:
-            ret = projects_all
+        if self.request.user.is_superuser:
+            qs = projects_all
         else:
-            ret = []
+            qs = []
             role_cats = []
             projects_local = [
                 a.project
-                for a in RoleAssignment.objects.filter(user=request.user)
+                for a in RoleAssignment.objects.filter(user=self.request.user)
             ]
             for p in projects_all:
                 local_role = p in projects_local
@@ -411,17 +484,17 @@ def get(self, request, *args, **kwargs):
                     or p.public_guest_access
                     or any(p.full_title.startswith(c) for c in role_cats)
                 ):
-                    ret.append(p)
+                    qs.append(p)
                 if local_role and p.type == PROJECT_TYPE_CATEGORY:
                     role_cats.append(p.full_title + CAT_DELIMITER)
-        serializer = ProjectSerializer(
-            ret, many=True, context={'request': request}
-        )
-        return Response(serializer.data, status=200)
+        return qs
 
 
 class ProjectRetrieveAPIView(
-    ProjectQuerysetMixin, CoreAPIGenericProjectMixin, RetrieveAPIView
+    ProjectQuerysetMixin,
+    ProjectrolesAPIVersioningMixin,
+    CoreAPIGenericProjectMixin,
+    RetrieveAPIView,
 ):
     """
     Retrieve a project or category by its UUID.
@@ -446,7 +519,9 @@ class ProjectRetrieveAPIView(
     serializer_class = ProjectSerializer
 
 
-class ProjectCreateAPIView(ProjectAccessMixin, CreateAPIView):
+class ProjectCreateAPIView(
+    ProjectrolesAPIVersioningMixin, ProjectAccessMixin, CreateAPIView
+):
     """
     Create a project or a category.
 
@@ -466,13 +541,14 @@ class ProjectCreateAPIView(ProjectAccessMixin, CreateAPIView):
     """
 
     permission_classes = [ProjectCreatePermission]
-    renderer_classes = [CoreAPIRenderer]
     serializer_class = ProjectSerializer
-    versioning_class = CoreAPIVersioning
 
 
 class ProjectUpdateAPIView(
-    ProjectQuerysetMixin, CoreAPIGenericProjectMixin, UpdateAPIView
+    ProjectQuerysetMixin,
+    ProjectrolesAPIVersioningMixin,
+    CoreAPIGenericProjectMixin,
+    UpdateAPIView,
 ):
     """
     Update the metadata of a project or a category.
@@ -502,6 +578,8 @@ class ProjectUpdateAPIView(
 
     def get_serializer_context(self, *args, **kwargs):
         context = super().get_serializer_context(*args, **kwargs)
+        if sys.argv[1:2] == ['generateschema']:
+            return context
         project = self.get_project(request=context['request'])
         context['parent'] = (
             str(project.parent.sodar_uuid) if project.parent else None
@@ -509,7 +587,9 @@ def get_serializer_context(self, *args, **kwargs):
         return context
 
 
-class RoleAssignmentCreateAPIView(CoreAPIGenericProjectMixin, CreateAPIView):
+class RoleAssignmentCreateAPIView(
+    ProjectrolesAPIVersioningMixin, CoreAPIGenericProjectMixin, CreateAPIView
+):
     """
     Create a role assignment in a project.
 
@@ -527,7 +607,9 @@ class RoleAssignmentCreateAPIView(CoreAPIGenericProjectMixin, CreateAPIView):
     serializer_class = RoleAssignmentSerializer
 
 
-class RoleAssignmentUpdateAPIView(CoreAPIGenericProjectMixin, UpdateAPIView):
+class RoleAssignmentUpdateAPIView(
+    ProjectrolesAPIVersioningMixin, CoreAPIGenericProjectMixin, UpdateAPIView
+):
     """
     Update the role assignment for a user in a project.
 
@@ -549,7 +631,10 @@ class RoleAssignmentUpdateAPIView(CoreAPIGenericProjectMixin, UpdateAPIView):
 
 
 class RoleAssignmentDestroyAPIView(
-    RoleAssignmentDeleteMixin, CoreAPIGenericProjectMixin, DestroyAPIView
+    RoleAssignmentDeleteMixin,
+    ProjectrolesAPIVersioningMixin,
+    CoreAPIGenericProjectMixin,
+    DestroyAPIView,
 ):
     """
     Destroy a role assignment.
@@ -590,7 +675,10 @@ def perform_destroy(self, instance):
 
 
 class RoleAssignmentOwnerTransferAPIView(
-    RoleAssignmentOwnerTransferMixin, CoreAPIBaseProjectMixin, APIView
+    RoleAssignmentOwnerTransferMixin,
+    ProjectrolesAPIVersioningMixin,
+    CoreAPIBaseProjectMixin,
+    APIView,
 ):
     """
     Trensfer project ownership to another user with a role in the project.
@@ -708,19 +796,28 @@ def validate(self, invite, request, **kwargs):
             raise serializers.ValidationError('Invite is not active')
 
 
-class ProjectInviteListAPIView(CoreAPIBaseProjectMixin, ListAPIView):
+class ProjectInviteListAPIView(
+    ProjectrolesAPIVersioningMixin, CoreAPIBaseProjectMixin, ListAPIView
+):
     """
     List user invites for a project.
 
+    Supports optional pagination by providing the ``page`` query string. This
+    will return results in the Django Rest Framework ``PageNumberPagination``
+    format.
+
     **URL:** ``/project/api/invites/list/{Project.sodar_uuid}``
 
     **Methods:** ``GET``
 
-    **Returns:** List of project invite details
+    **Parameters:**
+
+    - ``page``: Page number for paginated results (int, optional)
+
+    **Returns:** List or paginated dict of project invite details
     """
 
-    # lookup_field = 'project__sodar_uuid'
-    # lookup_url_kwarg = 'projectinvite'
+    pagination_class = SODARPageNumberPagination
     permission_required = 'projectroles.invite_users'
     serializer_class = ProjectInviteSerializer
 
@@ -730,7 +827,9 @@ def get_queryset(self):
         ).order_by('pk')
 
 
-class ProjectInviteCreateAPIView(CoreAPIGenericProjectMixin, CreateAPIView):
+class ProjectInviteCreateAPIView(
+    ProjectrolesAPIVersioningMixin, CoreAPIGenericProjectMixin, CreateAPIView
+):
     """
     Create a project invite.
 
@@ -749,7 +848,11 @@ class ProjectInviteCreateAPIView(CoreAPIGenericProjectMixin, CreateAPIView):
 
 
 class ProjectInviteRevokeAPIView(
-    ProjectInviteMixin, ProjectInviteAPIMixin, CoreAPIBaseProjectMixin, APIView
+    ProjectInviteMixin,
+    ProjectInviteAPIMixin,
+    ProjectrolesAPIVersioningMixin,
+    CoreAPIBaseProjectMixin,
+    APIView,
 ):
     """
     Revoke a project invite.
@@ -780,7 +883,11 @@ def post(self, request, *args, **kwargs):
 
 
 class ProjectInviteResendAPIView(
-    ProjectInviteMixin, ProjectInviteAPIMixin, CoreAPIBaseProjectMixin, APIView
+    ProjectInviteMixin,
+    ProjectInviteAPIMixin,
+    ProjectrolesAPIVersioningMixin,
+    CoreAPIBaseProjectMixin,
+    APIView,
 ):
     """
     Resend email for a project invite.
@@ -814,17 +921,17 @@ class AppSettingMixin:
     """Helpers for app setting API views"""
 
     @classmethod
-    def get_and_validate_def(cls, app_name, setting_name, allowed_scopes):
+    def get_and_validate_def(cls, plugin_name, setting_name, allowed_scopes):
         """
         Return settings definition or raise a validation error.
 
-        :param app_name: Name of app plugin for the setting (string)
+        :param plugin_name: Name of app plugin for the setting (string)
         :param setting_name: Setting name (string)
         :param allowed_scopes: Allowed scopes for the setting (list)
         """
         try:
             s_def = app_settings.get_definition(
-                name=setting_name, app_name=app_name
+                name=setting_name, plugin_name=plugin_name
             )
         except Exception as ex:
             raise serializers.ValidationError(ex)
@@ -876,11 +983,13 @@ def check_project_perms(
                 )
 
     @classmethod
-    def _get_setting_obj(cls, app_name, setting_name, project=None, user=None):
+    def _get_setting_obj(
+        cls, plugin_name, setting_name, project=None, user=None
+    ):
         """
         Return the database object for a setting. Returns None if not available.
 
-        :param app_name: Name of the app plugin (string or None)
+        :param plugin_name: Name of the app plugin (string or None)
         :param setting_name: Setting name (string)
         :param project: Project object or None
         :param user: User object or None
@@ -893,48 +1002,53 @@ def _get_setting_obj(cls, app_name, setting_name, project=None, user=None):
             'project': project,
             'user': user,
         }
-        if app_name == 'projectroles':
+        if plugin_name == 'projectroles':
             q_kwargs['app_plugin'] = None
         else:
-            q_kwargs['app_plugin__name'] = app_name
+            q_kwargs['app_plugin__name'] = plugin_name
         return AppSetting.objects.get(**q_kwargs)
 
     @classmethod
     def get_setting_for_api(
-        cls, app_name, setting_name, project=None, user=None
+        cls, plugin_name, setting_name, project=None, user=None
     ):
         """
         Return the database object for a setting for API serving. Will create
         the object if not yet created.
 
-        :param app_name: Name of the app plugin (string or None)
+        :param plugin_name: Name of the app plugin (string or None)
         :param setting_name: Setting name (string)
         :param project: Project object or None
         :param user: User object or None
         :return: AppSetting object
         """
         try:
-            return cls._get_setting_obj(app_name, setting_name, project, user)
+            return cls._get_setting_obj(
+                plugin_name, setting_name, project, user
+            )
         except AppSetting.DoesNotExist:
             try:
                 app_settings.set(
-                    app_name=app_name,
+                    plugin_name=plugin_name,
                     setting_name=setting_name,
                     value=app_settings.get_default(
-                        app_name, setting_name, project=project, user=user
+                        plugin_name, setting_name, project=project, user=user
                     ),
                     project=project,
                     user=user,
                 )
                 return cls._get_setting_obj(
-                    app_name, setting_name, project, user
+                    plugin_name, setting_name, project, user
                 )
             except Exception as ex:
                 raise serializers.ValidationError(ex)
 
 
 class ProjectSettingRetrieveAPIView(
-    CoreAPIBaseProjectMixin, AppSettingMixin, RetrieveAPIView
+    ProjectrolesAPIVersioningMixin,
+    CoreAPIBaseProjectMixin,
+    AppSettingMixin,
+    RetrieveAPIView,
 ):
     """
     API view for retrieving an app setting with the PROJECT or PROJECT_USER
@@ -946,22 +1060,23 @@ class ProjectSettingRetrieveAPIView(
 
     **Parameters:**
 
-    - ``app_name``: Name of app plugin for the setting, use "projectroles" for projectroles settings (string)
+    - ``plugin_name``: Name of app plugin for the setting, use "projectroles" for projectroles settings (string)
     - ``setting_name``: Setting name (string)
     - ``user``: User UUID for a PROJECT_USER setting (string or None, optional)
     """
 
     # NOTE: Update project settings perm is checked manually
     permission_required = 'projectroles.view_project'
+    schema = AutoSchema(operation_id_base='AppSettingProject')
     serializer_class = AppSettingSerializer
 
     def get_object(self):
-        app_name = self.request.GET.get('app_name')
+        plugin_name = self.request.GET.get('plugin_name')
         setting_name = self.request.GET.get('setting_name')
 
         # Get and validate definition
         s_def = self.get_and_validate_def(
-            app_name,
+            plugin_name,
             setting_name,
             [APP_SETTING_SCOPE_PROJECT, APP_SETTING_SCOPE_PROJECT_USER],
         )
@@ -979,11 +1094,12 @@ def get_object(self):
 
         # Return new object with default setting if not set
         return self.get_setting_for_api(
-            app_name, setting_name, project, setting_user
+            plugin_name, setting_name, project, setting_user
         )
 
 
 class ProjectSettingSetAPIView(
+    ProjectrolesAPIVersioningMixin,
     CoreAPIBaseProjectMixin,
     AppSettingMixin,
     ProjectModifyPluginViewMixin,
@@ -999,7 +1115,7 @@ class ProjectSettingSetAPIView(
 
     **Parameters:**
 
-    - ``app_name``: Name of app plugin for the setting, use "projectroles" for projectroles settings (string)
+    - ``plugin_name``: Name of app plugin for the setting, use "projectroles" for projectroles settings (string)
     - ``setting_name``: Setting name (string)
     - ``value``: Setting value (string, may contain JSON for JSON settings)
     - ``user``: User UUID for a PROJECT_USER setting (string or None, optional)
@@ -1012,12 +1128,12 @@ class ProjectSettingSetAPIView(
     @transaction.atomic
     def post(self, request, *args, **kwargs):
         timeline = get_backend_api('timeline_backend')
-        app_name = request.data.get('app_name')
+        plugin_name = request.data.get('plugin_name')
         setting_name = request.data.get('setting_name')
 
         # Get and validate definition
         s_def = self.get_and_validate_def(
-            app_name,
+            plugin_name,
             setting_name,
             [APP_SETTING_SCOPE_PROJECT, APP_SETTING_SCOPE_PROJECT_USER],
         )
@@ -1038,10 +1154,10 @@ def post(self, request, *args, **kwargs):
         # Set setting value with validation, return possible errors
         try:
             old_value = app_settings.get(
-                app_name, setting_name, project=project, user=setting_user
+                plugin_name, setting_name, project=project, user=setting_user
             )
             app_settings.set(
-                app_name=app_name,
+                plugin_name=plugin_name,
                 setting_name=setting_name,
                 value=value,
                 project=project,
@@ -1054,7 +1170,7 @@ def post(self, request, *args, **kwargs):
                 False,
             ):
                 args = [
-                    app_name,
+                    plugin_name,
                     setting_name,
                     value,
                     old_value,
@@ -1071,12 +1187,12 @@ def post(self, request, *args, **kwargs):
 
         if timeline:
             tl_desc = 'set value of {}.settings.{}'.format(
-                app_name, setting_name
+                plugin_name, setting_name
             )
             if setting_user:
                 tl_desc += ' for user {{{}}}'.format('user')
             setting_obj = self._get_setting_obj(
-                app_name, setting_name, project, setting_user
+                plugin_name, setting_name, project, setting_user
             )
             tl_extra_data = {'value': setting_obj.get_value()}
             tl_event = timeline.add_event(
@@ -1087,7 +1203,7 @@ def post(self, request, *args, **kwargs):
                 description=tl_desc,
                 classified=True,
                 extra_data=tl_extra_data,
-                status_type='OK',
+                status_type=timeline.TL_STATUS_OK,
             )
             if setting_user:
                 tl_event.add_object(setting_user, 'user', setting_user.username)
@@ -1095,7 +1211,7 @@ def post(self, request, *args, **kwargs):
             {
                 'detail': 'Set value of {}.settings.{} '
                 '(project={}; user={})'.format(
-                    app_name,
+                    plugin_name,
                     setting_name,
                     project.sodar_uuid,
                     setting_user.sodar_uuid if setting_user else None,
@@ -1106,7 +1222,7 @@ def post(self, request, *args, **kwargs):
 
 
 class UserSettingRetrieveAPIView(
-    CoreAPIBaseMixin, AppSettingMixin, RetrieveAPIView
+    ProjectrolesAPIVersioningMixin, AppSettingMixin, RetrieveAPIView
 ):
     """
     API view for retrieving an app setting with the USER scope.
@@ -1117,30 +1233,31 @@ class UserSettingRetrieveAPIView(
 
     **Parameters:**
 
-    - ``app_name``: Name of app plugin for the setting, use "projectroles" for projectroles settings (string)
+    - ``plugin_name``: Name of app plugin for the setting, use "projectroles" for projectroles settings (string)
     - ``setting_name``: Setting name (string)
     """
 
-    # NOTE: Update project settings perm is checked manually
-    permission_required = 'projectroles.view_project'
+    schema = AutoSchema(operation_id_base='AppSettingUser')
     serializer_class = AppSettingSerializer
 
     def get_object(self):
         if not self.request.user.is_authenticated:
             raise PermissionDenied(ANON_ACCESS_MSG)
-        app_name = self.request.GET.get('app_name')
+        plugin_name = self.request.GET.get('plugin_name')
         setting_name = self.request.GET.get('setting_name')
         # Get and validate definition
         self.get_and_validate_def(
-            app_name, setting_name, [APP_SETTING_SCOPE_USER]
+            plugin_name, setting_name, [APP_SETTING_SCOPE_USER]
         )
         # Return new object with default setting if not set
         return self.get_setting_for_api(
-            app_name, setting_name, user=self.request.user
+            plugin_name, setting_name, user=self.request.user
         )
 
 
-class UserSettingSetAPIView(CoreAPIBaseMixin, AppSettingMixin, APIView):
+class UserSettingSetAPIView(
+    ProjectrolesAPIVersioningMixin, AppSettingMixin, APIView
+):
     """
     API view for setting the value of an app setting with the USER scope. Only
     allows the user to set the value of their own settings.
@@ -1151,7 +1268,7 @@ class UserSettingSetAPIView(CoreAPIBaseMixin, AppSettingMixin, APIView):
 
     **Parameters:**
 
-    - ``app_name``: Name of app plugin for the setting, use "projectroles" for projectroles settings (string)
+    - ``plugin_name``: Name of app plugin for the setting, use "projectroles" for projectroles settings (string)
     - ``setting_name``: Setting name (string)
     - ``value``: Setting value (string, may contain JSON for JSON settings)
     """
@@ -1161,10 +1278,10 @@ class UserSettingSetAPIView(CoreAPIBaseMixin, AppSettingMixin, APIView):
     def post(self, request, *args, **kwargs):
         if not request.user.is_authenticated:
             raise PermissionDenied(ANON_ACCESS_MSG)
-        app_name = request.data.get('app_name')
+        plugin_name = request.data.get('plugin_name')
         setting_name = request.data.get('setting_name')
         s_def = self.get_and_validate_def(
-            app_name, setting_name, [APP_SETTING_SCOPE_USER]
+            plugin_name, setting_name, [APP_SETTING_SCOPE_USER]
         )
         if s_def.get('user_modifiable') is False:
             raise PermissionDenied(USER_MODIFIABLE_MSG)
@@ -1172,7 +1289,7 @@ def post(self, request, *args, **kwargs):
 
         try:
             app_settings.set(
-                app_name=app_name,
+                plugin_name=plugin_name,
                 setting_name=setting_name,
                 value=value,
                 user=request.user,
@@ -1182,26 +1299,35 @@ def post(self, request, *args, **kwargs):
         return Response(
             {
                 'detail': 'Set value of {}.settings.{}'.format(
-                    app_name, setting_name
+                    plugin_name, setting_name
                 )
             },
             status=200,
         )
 
 
-class UserListAPIView(CoreAPIBaseMixin, ListAPIView):
+class UserListAPIView(ProjectrolesAPIVersioningMixin, ListAPIView):
     """
     Return a list of all users on the site. Excludes system users, unless called
     with superuser access.
 
+    Supports optional pagination by providing the ``page`` query string. This
+    will return results in the Django Rest Framework ``PageNumberPagination``
+    format.
+
     **URL:** ``/project/api/users/list``
 
     **Methods:** ``GET``
 
-    **Returns**: List of serializers users (see ``CurrentUserRetrieveAPIView``)
+    **Parameters:**
+
+    - ``page``: Page number for paginated results (int, optional)
+
+    **Returns**: List or paginated dict of serializers users (see ``CurrentUserRetrieveAPIView``)
     """
 
     lookup_field = 'project__sodar_uuid'
+    pagination_class = SODARPageNumberPagination
     permission_classes = [IsAuthenticated]
     serializer_class = SODARUserSerializer
 
@@ -1216,7 +1342,9 @@ def get_queryset(self):
         return qs.exclude(groups__name=SODAR_CONSTANTS['SYSTEM_USER_GROUP'])
 
 
-class CurrentUserRetrieveAPIView(CoreAPIBaseMixin, RetrieveAPIView):
+class CurrentUserRetrieveAPIView(
+    ProjectrolesAPIVersioningMixin, RetrieveAPIView
+):
     """
     Return information on the user making the request.
 
@@ -1228,6 +1356,7 @@ class CurrentUserRetrieveAPIView(CoreAPIBaseMixin, RetrieveAPIView):
 
     For current user:
 
+    - ``additional_emails``: Additional verified email addresses for user (list of strings)
     - ``email``: Email address of the user (string)
     - ``is_superuser``: Superuser status (boolean)
     - ``name``: Full name of the user (string)
@@ -1243,7 +1372,7 @@ def get_object(self):
 
 
 # TODO: Update this for new API base classes
-class RemoteProjectGetAPIView(CoreAPIBaseMixin, APIView):
+class RemoteProjectGetAPIView(RemoteSyncAPIVersioningMixin, APIView):
     """API view for retrieving remote projects from a source site"""
 
     permission_classes = (AllowAny,)  # We check the secret in get()
@@ -1262,7 +1391,7 @@ def get(self, request, *args, **kwargs):
         if accept_header and 'version=' in accept_header:
             req_version = accept_header[accept_header.find('version=') + 8 :]
         else:
-            req_version = CORE_API_DEFAULT_VERSION
+            req_version = SYNC_API_DEFAULT_VERSION
         sync_data = remote_api.get_source_data(target_site, req_version)
         # Update access date for target site remote projects
         target_site.projects.all().update(date_access=timezone.now())
diff --git a/requirements/base.txt b/requirements/base.txt
index 7e04ef50..7ae06abb 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -1,86 +1,85 @@
 # Wheel
-wheel>=0.40.0, <0.41
+wheel>=0.42.0, <0.43
 
 # Setuptools
-setuptools>=67.6.0, <67.7
+setuptools>=70.0.0, <70.1
 
 # Packaging
-packaging>=23.0, <24.0
+packaging>=23.2, <24.0
 
 # Django
-django>=3.2.24, <3.3
+django>=4.2.14, <5.0
 
 # Configuration
-django-environ>=0.10.0, <0.11
+django-environ>=0.11.2, <0.12
 
 # Forms
-django-crispy-forms>=2.0, <2.1
-crispy-bootstrap4==2022.1
+django-crispy-forms>=2.1, <2.2
+crispy-bootstrap4==2024.1
 
 # Models
-django-model-utils>=4.3.1, <4.4
+django-model-utils>=4.4.0, <4.5
 
 # Password storage
 argon2-cffi>=21.3.0, <21.4
 
 # Python-PostgreSQL Database Adapter
-psycopg2-binary>=2.9.5, <2.10
+psycopg2-binary>=2.9.9, <2.10
 
 # Unicode slugification
 awesome-slugify>=1.6.5, <1.7
 
 # Time zones support
-pytz>=2022.7.1
+pytz>=2024.1
 
 # SVG icon support
-django-iconify==0.1.1  # NOTE: v0.3 crashes, see issue
+django-iconify==0.3  # NOTE: v0.4 requires Python>=3.10
+
+# OpenID Connect (OIDC) authentication support
+social-auth-app-django>=5.4.0, <5.5
 
 # Online documentation via django-docs
-docutils==0.18.1  # NOTE: sphinx-rtd-theme 1.2 requires <0.19
-Sphinx==6.2.1  # NOTE: sphinx-rtd-theme v1.2.2 forces <7
+docutils==0.20.1
+Sphinx==7.2.6
 django-docs==0.3.3
-sphinx-rtd-theme==1.2.2
+sphinx-rtd-theme==2.0.0
 
 # Versioning
-versioneer==0.28
+versioneer==0.29
 
 ######################
 # Project app imports
 ######################
 
-# Django-plugins (with Django v3.0+ support)
-django-plugins-bihealth==0.4.0
+# Django-plugins (with Django v4.2 support)
+django-plugins-bihealth==0.5.2
 
 # Rules for permissions
 rules>=3.3, <3.4
 
 # REST framework
-djangorestframework>=3.14.0, <3.15
+djangorestframework>=3.15.2, <3.16
 
 # Keyed list addon for DRF
-drf-keyed-list-bihealth==0.1.1
+drf-keyed-list-bihealth==0.2.1
 
 # Token authentication
 django-rest-knox>=4.2.0, <4.3
 
 # Markdown field support
-markdown==3.4.1
+markdown==3.5.2
 django-markupfield>=2.0.1, <2.1
 django-pagedown>=2.2.1, <2.3
-mistune>=2.0.5, <2.1
+mistune>=3.0.2, <3.1
 
 # Database file storage for filesfolders
-django-db-file-storage==0.5.5
+django-db-file-storage==0.5.6.1
 
 # Celery dependency
-redis>=4.4.4
+redis>=5.0.2
 
 # Backround Jobs requirements
-celery>=5.2.7, <5.3
+celery>=5.3.6, <5.4
 
 # Django autocomplete light (DAL)
-# NOTE: 3.9.5 causes crash with Whitenoise (see issue #1224)
-django-autocomplete-light==3.9.4
-
-# SAML2 support for SSO
-django-saml2-auth-ai>=2.1.6, <2.2
+django-autocomplete-light==3.11.0  # See issue #1224
diff --git a/requirements/local.txt b/requirements/local.txt
index 252fd81b..7940606d 100644
--- a/requirements/local.txt
+++ b/requirements/local.txt
@@ -1,10 +1,15 @@
 # Local development dependencies go here
 -r base.txt
 
-django-extensions==3.2.1
+django-extensions==3.2.3
 Werkzeug>=3.0.1, <3.1
 
-django-debug-toolbar>=3.8.1, <3.9
+django-debug-toolbar>=4.3.0, <4.4
 
 # improved REPL
 ipdb>=0.13.13, <0.14
+
+# OpenAPI support
+inflection>=0.5.1, <0.6
+pyyaml>=6.0.1, <6.1
+uritemplate>=4.1.1, <4.2
diff --git a/requirements/test.txt b/requirements/test.txt
index 51aa2663..72f35c25 100644
--- a/requirements/test.txt
+++ b/requirements/test.txt
@@ -1,27 +1,27 @@
 # Test dependencies go here.
 -r base.txt
 
-flake8==6.0.0
-django-test-plus==2.2.1
-factory-boy==3.2.1
+flake8==7.0.0
+django-test-plus==2.2.3
+factory-boy==3.3.0
 coverage==6.5.0  # NOTE: coveralls 3.3.1 requires <7.0
-django-coverage-plugin==3.0.0
+django-coverage-plugin==3.1.0
 
 # pytest
-pytest-django==4.5.2
-pytest-sugar==0.9.6
+pytest-django==4.8.0
+pytest-sugar==1.0.0
 
 # Selenium for UI testing
-selenium==4.8.2
+selenium==4.18.1
 
 # Tblib for tracebacks
-tblib==1.7.0
+tblib==3.0.0
 
 # BeautifulSoup for HTML testing
-beautifulsoup4==4.11.2
+beautifulsoup4==4.12.3
 
 # Black for formatting
-black==23.1.0
+black==24.3.0
 
 # Coveralls for coverage reporting
 coveralls==3.3.1
diff --git a/setup.py b/setup.py
index 6ca0c7d5..596b46c6 100755
--- a/setup.py
+++ b/setup.py
@@ -83,11 +83,11 @@ def is_requirement(line):
         'Operating System :: POSIX :: Linux',
         'Programming Language :: Python',
         'Programming Language :: Python :: 3',
-        'Programming Language :: Python :: 3.8',
         'Programming Language :: Python :: 3.9',
         'Programming Language :: Python :: 3.10',
+        'Programming Language :: Python :: 3.11',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Internet :: WWW/HTTP :: Dynamic Content',
     ],
-    python_requires='>=3.8',
+    python_requires='>=3.9',
 )
diff --git a/siteinfo/tests/test_permissions.py b/siteinfo/tests/test_permissions.py
index 675b96ef..0abce3e4 100644
--- a/siteinfo/tests/test_permissions.py
+++ b/siteinfo/tests/test_permissions.py
@@ -4,10 +4,10 @@
 from django.urls import reverse
 
 # Projectroles dependency
-from projectroles.tests.test_permissions import TestSiteAppPermissionBase
+from projectroles.tests.test_permissions import SiteAppPermissionTestBase
 
 
-class TestSiteInfoViewPermissions(TestSiteAppPermissionBase):
+class TestSiteInfoViewPermissions(SiteAppPermissionTestBase):
     """Tests for SiteInfoView permissions"""
 
     def setUp(self):
diff --git a/siteinfo/tests/test_views.py b/siteinfo/tests/test_views.py
index db9ff54d..b213f951 100644
--- a/siteinfo/tests/test_views.py
+++ b/siteinfo/tests/test_views.py
@@ -5,8 +5,8 @@
 from test_plus.test import TestCase
 
 
-class TestViewsBase(TestCase):
-    """Base class for view testing"""
+class TestSiteInfoView(TestCase):
+    """Tests for SiteInfoView"""
 
     def setUp(self):
         # Create users
@@ -18,16 +18,12 @@ def setUp(self):
         # No user
         self.anonymous = None
 
-
-class TestSiteInfoView(TestViewsBase):
-    """Tests for the site info view"""
-
-    def test_render(self):
-        """Test rendering of the site info view"""
+    def test_get(self):
+        """Test SiteInfoView GET"""
         with self.login(self.superuser):
             response = self.client.get(reverse('siteinfo:info'))
-            self.assertEqual(response.status_code, 200)
-            self.assertIsNotNone(response.context['project_plugins'])
-            self.assertIsNotNone(response.context['site_plugins'])
-            self.assertIsNotNone(response.context['backend_plugins'])
-            self.assertIsNotNone(response.context['settings_core'])
+        self.assertEqual(response.status_code, 200)
+        self.assertIsNotNone(response.context['project_plugins'])
+        self.assertIsNotNone(response.context['site_plugins'])
+        self.assertIsNotNone(response.context['backend_plugins'])
+        self.assertIsNotNone(response.context['settings_core'])
diff --git a/siteinfo/views.py b/siteinfo/views.py
index cfd18e09..0acb9da7 100644
--- a/siteinfo/views.py
+++ b/siteinfo/views.py
@@ -27,11 +27,13 @@
     'AUTH_LDAP_DOMAIN_PRINTABLE',
     'AUTH_LDAP_SERVER_URI',
     'AUTH_LDAP_START_TLS',
+    'AUTH_LDAP_USER_SEARCH_BASE',
     'AUTH_LDAP_USERNAME_DOMAIN',
     'AUTH_LDAP2_CA_CERT_FILE',
     'AUTH_LDAP2_DOMAIN_PRINTABLE',
     'AUTH_LDAP2_SERVER_URI',
     'AUTH_LDAP2_START_TLS',
+    'AUTH_LDAP_USER_SEARCH_BASE',
     'AUTH_LDAP2_USERNAME_DOMAIN',
     'DEBUG',
     'EMAIL_BACKEND',
@@ -40,7 +42,7 @@
     'EMAIL_SENDER',
     'ENABLE_LDAP',
     'ENABLE_LDAP_SECONDARY',
-    'ENABLE_SAML',
+    'ENABLE_OIDC',
     'ENABLED_BACKEND_PLUGINS',
     'ICONIFY_JSON_ROOT',
     'INSTALLED_APPS',
@@ -65,7 +67,6 @@
     'PROJECTROLES_ENABLE_PROFILING',
     'PROJECTROLES_ENABLE_SEARCH',
     'PROJECTROLES_HELP_HIGHLIGHT_DAYS',
-    'PROJECTROLES_HIDE_APP_LINKS',  # TODO: Remove in v1.0 (see issue #1143)
     'PROJECTROLES_HIDE_PROJECT_APPS',
     'PROJECTROLES_INLINE_HEAD_INCLUDE',
     'PROJECTROLES_INVITE_EXPIRY_DAYS',
@@ -84,6 +85,9 @@
     'SITE_TITLE',
     'SITE_SUBTITLE',
     'SITE_INSTANCE_TITLE',
+    'SOCIAL_AUTH_OIDC_OIDC_ENDPOINT',
+    'SOCIAL_AUTH_OIDC_KEY',
+    'SOCIAL_AUTH_OIDC_USERNAME_KEY',
     'SODAR_API_ALLOWED_VERSIONS',
     'SODAR_API_DEFAULT_VERSION',
     'SODAR_API_DEFAULT_HOST',
@@ -194,5 +198,5 @@ def get_context_data(self, *args, **kwargs):
 
         # Core settings
         context['settings_core'] = self._get_settings(CORE_SETTINGS)
-        # TODO: Add LDAP/SAML settings?
+        # TODO: Add LDAP settings?
         return context
diff --git a/sodarcache/management/commands/deletecache.py b/sodarcache/management/commands/deletecache.py
index efd99ce8..140b4c86 100644
--- a/sodarcache/management/commands/deletecache.py
+++ b/sodarcache/management/commands/deletecache.py
@@ -61,8 +61,10 @@ def handle(self, *args, **options):
             'Deleted {} cached data item{} from {}'.format(
                 item_count,
                 's' if item_count != 1 else '',
-                'project {}'.format(project.get_log_title())
-                if project
-                else 'all projects',
+                (
+                    'project {}'.format(project.get_log_title())
+                    if project
+                    else 'all projects'
+                ),
             )
         )
diff --git a/sodarcache/management/commands/synccache.py b/sodarcache/management/commands/synccache.py
index 5815ce19..9fdd5492 100644
--- a/sodarcache/management/commands/synccache.py
+++ b/sodarcache/management/commands/synccache.py
@@ -70,6 +70,8 @@ def handle(self, *args, **options):
                         plugin.name, ex
                     )
                 )
+                if settings.DEBUG:
+                    raise ex
                 errors = True
         logger.info(
             'Cache synchronization {}'.format(
diff --git a/sodarcache/migrations/0001_squashed_0004_update_jsonfield.py b/sodarcache/migrations/0001_squashed_0004_update_jsonfield.py
new file mode 100644
index 00000000..92adc4b0
--- /dev/null
+++ b/sodarcache/migrations/0001_squashed_0004_update_jsonfield.py
@@ -0,0 +1,95 @@
+# Generated by Django 4.2.14 on 2024-07-16 09:29
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    replaces = [
+        ('sodarcache', '0001_initial'),
+        ('sodarcache', '0002_make_user_optional'),
+        ('sodarcache', '0003_add_index'),
+        ('sodarcache', '0004_update_jsonfield'),
+    ]
+
+    initial = True
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('projectroles', '0006_add_remote_projects'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='JSONCacheItem',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                ('app_name', models.CharField(help_text='App name', max_length=255)),
+                (
+                    'name',
+                    models.CharField(
+                        help_text='Name or title of the item given by the data setting app',
+                        max_length=255,
+                    ),
+                ),
+                (
+                    'date_modified',
+                    models.DateTimeField(
+                        auto_now_add=True, help_text='DateTime of the update'
+                    ),
+                ),
+                (
+                    'sodar_uuid',
+                    models.UUIDField(
+                        default=uuid.uuid4, help_text='Item SODAR UUID', unique=True
+                    ),
+                ),
+                (
+                    'data',
+                    models.JSONField(default=dict, help_text='Cached data as JSON'),
+                ),
+                (
+                    'project',
+                    models.ForeignKey(
+                        blank=True,
+                        help_text='Project in which the item belongs (optional)',
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='cached_items',
+                        to='projectroles.project',
+                    ),
+                ),
+                (
+                    'user',
+                    models.ForeignKey(
+                        blank=True,
+                        help_text='User who updated the item (optional)',
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+            ],
+            options={
+                'abstract': False,
+                'unique_together': {('project', 'app_name', 'name')},
+                'indexes': [
+                    models.Index(
+                        fields=['project', 'app_name', 'name'],
+                        name='sodarcache__project_e54b84_idx',
+                    )
+                ],
+            },
+        ),
+    ]
diff --git a/sodarcache/serializers.py b/sodarcache/serializers.py
new file mode 100644
index 00000000..a3cdff56
--- /dev/null
+++ b/sodarcache/serializers.py
@@ -0,0 +1,27 @@
+"""Serializers for the sodarcache app REST API"""
+
+# Projectroles dependency
+from projectroles.serializers import (
+    SODARProjectModelSerializer,
+    SODARUserSerializer,
+)
+
+from sodarcache.models import JSONCacheItem
+
+
+class JSONCacheItemSerializer(SODARProjectModelSerializer):
+    """Serializer for the JSONCacheItem model"""
+
+    user = SODARUserSerializer(read_only=True)
+
+    class Meta:
+        model = JSONCacheItem
+        fields = [
+            'project',
+            'app_name',
+            'name',
+            'date_modified',
+            'user',
+            'data',
+        ]  # NOTE: No UUID returned as these should not be referred to directly
+        read_only_fields = ['date_modified']
diff --git a/sodarcache/tests/test_api.py b/sodarcache/tests/test_api.py
index 5e68698e..f123a9ec 100644
--- a/sodarcache/tests/test_api.py
+++ b/sodarcache/tests/test_api.py
@@ -9,8 +9,8 @@
 
 from sodarcache.models import JSONCacheItem
 from sodarcache.tests.test_models import (
-    TestJsonCacheItemBase,
-    JsonCacheItemMixin,
+    JSONCacheItemTestBase,
+    JSONCacheItemMixin,
 )
 
 
@@ -27,7 +27,7 @@
 INVALID_APP_NAME = 'timeline'  # Valid app name but but no data is created
 
 
-class TestSodarCacheAPI(JsonCacheItemMixin, TestJsonCacheItemBase):
+class TestSodarCacheAPI(JSONCacheItemMixin, JSONCacheItemTestBase):
     """Testing sodarcache API class"""
 
     def setUp(self):
diff --git a/sodarcache/tests/test_models.py b/sodarcache/tests/test_models.py
index 31a4b192..dc3ae49c 100644
--- a/sodarcache/tests/test_models.py
+++ b/sodarcache/tests/test_models.py
@@ -26,7 +26,7 @@
 TEST_APP_NAME = 'sodarcache'
 
 
-class JsonCacheItemMixin:
+class JSONCacheItemMixin:
     """Helper mixin for JSONCacheItem creation"""
 
     @classmethod
@@ -43,7 +43,7 @@ def make_item(cls, project, app_name, name, user, data):
         return result
 
 
-class TestJsonCacheItemBase(
+class JSONCacheItemTestBase(
     ProjectMixin, RoleMixin, RoleAssignmentMixin, TestCase
 ):
     def setUp(self):
@@ -60,7 +60,7 @@ def setUp(self):
         )
 
 
-class TestJsonCacheItem(JsonCacheItemMixin, TestJsonCacheItemBase):
+class TestJSONCacheItem(JSONCacheItemMixin, JSONCacheItemTestBase):
     def setUp(self):
         super().setUp()
         self.item = self.make_item(
diff --git a/sodarcache/tests/test_permissions_api.py b/sodarcache/tests/test_permissions_api.py
new file mode 100644
index 00000000..e1b540b8
--- /dev/null
+++ b/sodarcache/tests/test_permissions_api.py
@@ -0,0 +1,285 @@
+"""REST API view permission tests for the sodarcache app"""
+
+from django.test import override_settings
+from django.urls import reverse
+
+# Projectroles dependency
+from projectroles.plugins import get_backend_api
+from projectroles.tests.test_permissions_api import ProjectAPIPermissionTestBase
+
+from sodarcache.tests.test_views_api import (
+    TEST_APP_NAME,
+    ITEM_NAME,
+    DATA_KEY,
+    DATA_VAL,
+)
+from sodarcache.views_api import (
+    SODARCACHE_API_MEDIA_TYPE,
+    SODARCACHE_API_DEFAULT_VERSION,
+)
+
+
+class SodarcacheAPIPermissionTestBase(ProjectAPIPermissionTestBase):
+    """Base class for sodarcache REST API view permission tests"""
+
+    media_type = SODARCACHE_API_MEDIA_TYPE
+    api_version = SODARCACHE_API_DEFAULT_VERSION
+
+    def setUp(self):
+        super().setUp()
+        self.cache_backend = get_backend_api('sodar_cache')
+
+
+class TestCacheItemRetrieveAPIView(SodarcacheAPIPermissionTestBase):
+    """Test CacheItemRetrieveAPIView permissions"""
+
+    def setUp(self):
+        super().setUp()
+        # Init cache item
+        self.item = self.cache_backend.set_cache_item(
+            project=self.project,
+            app_name=TEST_APP_NAME,
+            user=self.user_owner,
+            name=ITEM_NAME,
+            data={DATA_KEY: DATA_VAL},
+        )
+        self.url = reverse(
+            'sodarcache:api_retrieve',
+            kwargs={
+                'project': self.project.sodar_uuid,
+                'app_name': TEST_APP_NAME,
+                'item_name': ITEM_NAME,
+            },
+        )
+
+    def test_get(self):
+        """Test CacheItemRetrieveAPIView GET"""
+        good_users = [
+            self.superuser,
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_guest_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_contributor,
+            self.user_guest,
+        ]
+        bad_users = [self.user_finder_cat, self.user_no_roles]
+        self.assert_response_api(self.url, good_users, 200)
+        self.assert_response_api(self.url, bad_users, 403)
+        self.assert_response_api(self.url, self.anonymous, 401)
+        self.assert_response_api(self.url, good_users, 200, knox=True)
+        self.project.set_public()
+        self.assert_response_api(self.url, self.user_no_roles, 200)
+
+    @override_settings(PROJECTROLES_ALLOW_ANONYMOUS=True)
+    def test_get_anon(self):
+        """Test GET with anonymous access"""
+        self.project.set_public()
+        self.assert_response_api(self.url, self.anonymous, 200)
+
+    def test_get_archive(self):
+        """Test GET with archived project"""
+        self.project.set_archive()
+        good_users = [
+            self.superuser,
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_guest_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_contributor,
+            self.user_guest,
+        ]
+        bad_users = [self.user_finder_cat, self.user_no_roles]
+        self.assert_response_api(self.url, good_users, 200)
+        self.assert_response_api(self.url, bad_users, 403)
+        self.assert_response_api(self.url, self.anonymous, 401)
+        self.assert_response_api(self.url, good_users, 200, knox=True)
+        self.project.set_public()
+        self.assert_response_api(self.url, self.user_no_roles, 200)
+
+
+class TestCacheItemDateRetrieveAPIView(SodarcacheAPIPermissionTestBase):
+    """Test CacheItemDateRetrieveAPIView permissions"""
+
+    def setUp(self):
+        super().setUp()
+        # Init cache item
+        self.item = self.cache_backend.set_cache_item(
+            project=self.project,
+            app_name=TEST_APP_NAME,
+            user=self.user_owner,
+            name=ITEM_NAME,
+            data={DATA_KEY: DATA_VAL},
+        )
+        self.url = reverse(
+            'sodarcache:api_retrieve_date',
+            kwargs={
+                'project': self.project.sodar_uuid,
+                'app_name': TEST_APP_NAME,
+                'item_name': ITEM_NAME,
+            },
+        )
+
+    def test_get(self):
+        """Test CacheItemDateRetrieveAPIView GET"""
+        good_users = [
+            self.superuser,
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_guest_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_contributor,
+            self.user_guest,
+        ]
+        bad_users = [self.user_finder_cat, self.user_no_roles]
+        self.assert_response_api(self.url, good_users, 200)
+        self.assert_response_api(self.url, bad_users, 403)
+        self.assert_response_api(self.url, self.anonymous, 401)
+        self.assert_response_api(self.url, good_users, 200, knox=True)
+        self.project.set_public()
+        self.assert_response_api(self.url, self.user_no_roles, 200)
+
+    @override_settings(PROJECTROLES_ALLOW_ANONYMOUS=True)
+    def test_get_anon(self):
+        """Test GET with anonymous access"""
+        self.project.set_public()
+        self.assert_response_api(self.url, self.anonymous, 200)
+
+    def test_get_archive(self):
+        """Test GET with archived project"""
+        self.project.set_archive()
+        good_users = [
+            self.superuser,
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_guest_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_contributor,
+            self.user_guest,
+        ]
+        bad_users = [self.user_finder_cat, self.user_no_roles]
+        self.assert_response_api(self.url, good_users, 200)
+        self.assert_response_api(self.url, bad_users, 403)
+        self.assert_response_api(self.url, self.anonymous, 401)
+        self.assert_response_api(self.url, good_users, 200, knox=True)
+        self.project.set_public()
+        self.assert_response_api(self.url, self.user_no_roles, 200)
+
+
+class TestCacheItemSetAPIView(SodarcacheAPIPermissionTestBase):
+    """Test CacheItemSetAPIView permissions"""
+
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            'sodarcache:api_set',
+            kwargs={
+                'project': self.project.sodar_uuid,
+                'app_name': TEST_APP_NAME,
+                'item_name': ITEM_NAME,
+            },
+        )
+        self.post_data = {'data': {DATA_KEY: DATA_VAL}}
+
+    def test_post(self):
+        """Test CacheItemSetAPIView POST"""
+        good_users = [
+            self.superuser,
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_contributor,
+        ]
+        bad_users = [
+            self.user_guest_cat,
+            self.user_finder_cat,
+            self.user_guest,
+            self.user_no_roles,
+        ]
+        self.assert_response_api(
+            self.url, good_users, 200, method='POST', data=self.post_data
+        )
+        self.assert_response_api(
+            self.url, bad_users, 403, method='POST', data=self.post_data
+        )
+        self.assert_response_api(
+            self.url, self.anonymous, 401, method='POST', data=self.post_data
+        )
+        self.assert_response_api(
+            self.url,
+            good_users,
+            200,
+            method='POST',
+            data=self.post_data,
+            knox=True,
+        )
+        self.project.set_public()
+        self.assert_response_api(
+            self.url,
+            self.user_no_roles,
+            403,
+            method='POST',
+            data=self.post_data,
+        )
+
+    @override_settings(PROJECTROLES_ALLOW_ANONYMOUS=True)
+    def test_get_anon(self):
+        """Test GET with anonymous access"""
+        self.project.set_public()
+        self.assert_response_api(
+            self.url, self.anonymous, 401, method='POST', data=self.post_data
+        )
+
+    def test_get_archive(self):
+        """Test GET with archived project"""
+        self.project.set_archive()
+        good_users = [
+            self.superuser,
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_contributor,
+        ]
+        bad_users = [
+            self.user_guest_cat,
+            self.user_finder_cat,
+            self.user_guest,
+            self.user_no_roles,
+        ]
+        self.assert_response_api(
+            self.url, good_users, 200, method='POST', data=self.post_data
+        )
+        self.assert_response_api(
+            self.url, bad_users, 403, method='POST', data=self.post_data
+        )
+        self.assert_response_api(
+            self.url, self.anonymous, 401, method='POST', data=self.post_data
+        )
+        self.assert_response_api(
+            self.url,
+            good_users,
+            200,
+            method='POST',
+            data=self.post_data,
+            knox=True,
+        )
+        self.project.set_public()
+        self.assert_response_api(
+            self.url,
+            self.user_no_roles,
+            403,
+            method='POST',
+            data=self.post_data,
+        )
diff --git a/sodarcache/tests/test_views_api.py b/sodarcache/tests/test_views_api.py
index ca038fc7..bad279f4 100644
--- a/sodarcache/tests/test_views_api.py
+++ b/sodarcache/tests/test_views_api.py
@@ -1,18 +1,28 @@
-"""Tests for API views in the sodarcache app"""
+"""Tests for REST API views in the sodarcache app"""
 
 import json
 
-from django.urls import reverse
+from django.conf import settings
 from django.forms.models import model_to_dict
+from django.test import override_settings
+from django.urls import reverse
+
+from test_plus.test import APITestCase
 
 # Projectroles dependency
 from projectroles.models import SODAR_CONSTANTS
 from projectroles.plugins import get_backend_api
+from projectroles.tests.test_models import (
+    ProjectMixin,
+    RoleMixin,
+    RoleAssignmentMixin,
+)
+from projectroles.tests.test_views_api import SODARAPIViewTestMixin
 
 from sodarcache.models import JSONCacheItem
-from sodarcache.tests.test_models import (
-    TestJsonCacheItemBase,
-    JsonCacheItemMixin,
+from sodarcache.views_api import (
+    SODARCACHE_API_MEDIA_TYPE,
+    SODARCACHE_API_DEFAULT_VERSION,
 )
 
 
@@ -25,166 +35,273 @@
 PROJECT_TYPE_PROJECT = SODAR_CONSTANTS['PROJECT_TYPE_PROJECT']
 
 # Local constants
-TEST_APP_NAME = 'sodarcache'
+TEST_APP_NAME = 'example_project_app'
+ITEM_NAME = 'test_item'
+DATA_KEY = 'test_key'
+DATA_VAL = 'test_val'
+DATA_VAL_UPDATED = 'test_val_updated'
+BACKEND_PLUGINS_NO_CACHE = settings.ENABLED_BACKEND_PLUGINS.copy()
+BACKEND_PLUGINS_NO_CACHE.remove('sodar_cache')
 
 
-class TestViewsBase(JsonCacheItemMixin, TestJsonCacheItemBase):
-    """Base class for sodarcache view testing"""
+class SodarcacheAPIViewTestBase(
+    ProjectMixin,
+    RoleMixin,
+    RoleAssignmentMixin,
+    SODARAPIViewTestMixin,
+    APITestCase,
+):
+    """Base class for sodarcache REST API view testing"""
+
+    media_type = SODARCACHE_API_MEDIA_TYPE
+    api_version = SODARCACHE_API_DEFAULT_VERSION
 
     def setUp(self):
         super().setUp()
+        # Get cache backend
         self.cache_backend = get_backend_api('sodar_cache')
-        # Init superuser
+        # Init roles
+        self.init_roles()
+        # Init users
         self.user = self.make_user('superuser')
         self.user.is_staff = True
         self.user.is_superuser = True
         self.user.save()
+        self.user_owner = self.make_user('owner')
         # Init project
         self.project = self.make_project(
             'TestProject', PROJECT_TYPE_PROJECT, None
         )
         self.owner_as = self.make_assignment(
-            self.project, self.user, self.role_owner
+            self.project, self.user_owner, self.role_owner
         )
         # Init cache item
         self.item = self.cache_backend.set_cache_item(
             project=self.project,
             app_name=TEST_APP_NAME,
             user=self.user_owner,
-            name='test_item',
-            data={'test_key': 'test_val'},
+            name=ITEM_NAME,
+            data={DATA_KEY: DATA_VAL},
         )
+        # Get knox token for self.user
+        self.knox_token = self.get_token(self.user)
 
 
-class TestSodarCacheGetAPIView(TestViewsBase):
-    """Tests for the sodarcache item getting API view"""
+class TestCacheItemRetrieveAPIView(SodarcacheAPIViewTestBase):
+    """Tests for CacheItemRetrieveAPIView"""
 
-    def test_get_wrong_item(self):
-        values = {'app_name': TEST_APP_NAME, 'name': 'not_test_item'}
-        with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'sodarcache:cache_get',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-                values,
-            )
+    def test_get(self):
+        """Test CacheItemRetrieveAPIView GET"""
+        url = reverse(
+            'sodarcache:api_retrieve',
+            kwargs={
+                'project': self.project.sodar_uuid,
+                'app_name': TEST_APP_NAME,
+                'item_name': ITEM_NAME,
+            },
+        )
+        response = self.request_knox(url)
+        self.assertEqual(response.status_code, 200)
+        expected = {
+            'project': str(self.project.sodar_uuid),
+            'app_name': TEST_APP_NAME,
+            'name': ITEM_NAME,
+            'user': self.get_serialized_user(self.user_owner),
+            'data': {DATA_KEY: DATA_VAL},
+            'date_modified': self.get_drf_datetime(self.item.date_modified),
+        }
+        self.assertEqual(json.loads(response.content), expected)
+
+    def test_get_no_user(self):
+        """Test GET with no user for item"""
+        self.item.user = None
+        self.item.save()
+        url = reverse(
+            'sodarcache:api_retrieve',
+            kwargs={
+                'project': self.project.sodar_uuid,
+                'app_name': TEST_APP_NAME,
+                'item_name': ITEM_NAME,
+            },
+        )
+        response = self.request_knox(url)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(json.loads(response.content)['user'], None)
+
+    def test_get_no_item(self):
+        """Test GET with non-existing item"""
+        url = reverse(
+            'sodarcache:api_retrieve',
+            kwargs={
+                'project': self.project.sodar_uuid,
+                'app_name': TEST_APP_NAME,
+                'item_name': 'INVALID_ITEM_NAME',
+            },
+        )
+        response = self.request_knox(url)
         self.assertEqual(response.status_code, 404)
 
-    def test_get_item(self):
-        values = {'app_name': TEST_APP_NAME, 'name': 'test_item'}
+    def test_get_invalid_app_name(self):
+        """Test GET with invalid app name"""
+        url = reverse(
+            'sodarcache:api_retrieve',
+            kwargs={
+                'project': self.project.sodar_uuid,
+                'app_name': 'INVALID_APP_NAME',
+                'item_name': ITEM_NAME,
+            },
+        )
+        response = self.request_knox(url)
+        self.assertEqual(response.status_code, 400)
 
-        with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'sodarcache:cache_get',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-                values,
-            )
+    @override_settings(ENABLED_BACKEND_PLUGINS=BACKEND_PLUGINS_NO_CACHE)
+    def test_get_backend_disabled(self):
+        """Test GET with disabled sodarcache backend"""
+        url = reverse(
+            'sodarcache:api_retrieve',
+            kwargs={
+                'project': self.project.sodar_uuid,
+                'app_name': TEST_APP_NAME,
+                'item_name': ITEM_NAME,
+            },
+        )
+        response = self.request_knox(url)
+        self.assertEqual(response.status_code, 503)
 
-        expected = {
-            'project_uuid': str(self.project.sodar_uuid),
-            'user_uuid': str(self.user_owner.sodar_uuid),
-            'name': 'test_item',
-            'data': {'test_key': 'test_val'},
-            'sodar_uuid': str(self.item.sodar_uuid),
-        }
+
+class TestCacheItemDateRetrieveAPIView(SodarcacheAPIViewTestBase):
+    """Tests for CacheItemDateRetrieveAPIView"""
+
+    def test_get(self):
+        """Test CacheItemDateRetrieveAPIView GET"""
+        url = reverse(
+            'sodarcache:api_retrieve_date',
+            kwargs={
+                'project': self.project.sodar_uuid,
+                'app_name': TEST_APP_NAME,
+                'item_name': ITEM_NAME,
+            },
+        )
+        with self.login(self.user):
+            response = self.client.get(url)
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.data, expected)
+        expected = self.cache_backend.get_update_time(
+            app_name=TEST_APP_NAME, name=ITEM_NAME
+        )
+        self.assertEqual(response.data['update_time'], expected)
 
+    def test_get_no_item(self):
+        """Test GET with non-existing item"""
+        url = reverse(
+            'sodarcache:api_retrieve_date',
+            kwargs={
+                'project': self.project.sodar_uuid,
+                'app_name': TEST_APP_NAME,
+                'item_name': 'INVALID_ITEM_NAME',
+            },
+        )
+        response = self.request_knox(url)
+        self.assertEqual(response.status_code, 404)
 
-class TestSodarCacheSetAPIView(TestViewsBase):
-    """Tests for the sodarcache item setting API view"""
+    def test_get_invalid_app_name(self):
+        """Test GET with invalid app name"""
+        url = reverse(
+            'sodarcache:api_retrieve_date',
+            kwargs={
+                'project': self.project.sodar_uuid,
+                'app_name': 'INVALID_APP_NAME',
+                'item_name': ITEM_NAME,
+            },
+        )
+        response = self.request_knox(url)
+        self.assertEqual(response.status_code, 400)
 
-    def test_set_item(self):
-        """Test creating a new cache item"""
-        values = {
-            'app_name': TEST_APP_NAME,
-            'name': 'new_test_item',
-            'data': json.dumps({'test_key': 'test_val'}),
-        }
-        self.assertEqual(JSONCacheItem.objects.all().count(), 1)
+    @override_settings(ENABLED_BACKEND_PLUGINS=BACKEND_PLUGINS_NO_CACHE)
+    def test_get_backend_disabled(self):
+        """Test GET with disabled sodarcache backend"""
+        url = reverse(
+            'sodarcache:api_retrieve_date',
+            kwargs={
+                'project': self.project.sodar_uuid,
+                'app_name': TEST_APP_NAME,
+                'item_name': ITEM_NAME,
+            },
+        )
+        response = self.request_knox(url)
+        self.assertEqual(response.status_code, 503)
 
-        with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'sodarcache:cache_set',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-                values,
-            )
+
+class TestCacheItemSetAPIView(SodarcacheAPIViewTestBase):
+    """Tests for CacheItemSetAPIView"""
+
+    def test_post_create(self):
+        """Test CacheItemSetAPIView POST to create item"""
+        url = reverse(
+            'sodarcache:api_set',
+            kwargs={
+                'project': self.project.sodar_uuid,
+                'app_name': TEST_APP_NAME,
+                'item_name': 'new_test_item',
+            },
+        )
+        post_data = {'data': json.dumps({DATA_KEY: DATA_VAL})}
+        self.assertEqual(JSONCacheItem.objects.all().count(), 1)
+        response = self.request_knox(url, method='POST', data=post_data)
 
         self.assertEqual(response.status_code, 200)
         self.assertEqual(JSONCacheItem.objects.all().count(), 2)
         item = JSONCacheItem.objects.get(name='new_test_item')
-        self.assertIsNotNone(item)
         expected = {
             'id': item.pk,
             'project': self.project.pk,
             'app_name': TEST_APP_NAME,
             'user': self.user.pk,
             'name': 'new_test_item',
-            'data': json.dumps({'test_key': 'test_val'}),
+            'data': json.dumps({DATA_KEY: DATA_VAL}),
             'sodar_uuid': item.sodar_uuid,
         }
         model_dict = model_to_dict(item)
         self.assertEqual(model_dict, expected)
 
-    def test_update_item(self):
-        """Test updating a cache item"""
-        values = {
-            'app_name': TEST_APP_NAME,
-            'name': 'test_item',
-            'data': json.dumps({'test_key': 'test_val_updated'}),
-        }
-        self.assertEqual(JSONCacheItem.objects.all().count(), 1)
-
-        with self.login(self.user):
-            response = self.client.post(
-                reverse(
-                    'sodarcache:cache_set',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-                values,
-            )
+    def test_post_update(self):
+        """Test POST to update item"""
+        url = reverse(
+            'sodarcache:api_set',
+            kwargs={
+                'project': self.project.sodar_uuid,
+                'app_name': TEST_APP_NAME,
+                'item_name': ITEM_NAME,
+            },
+        )
+        post_data = {'data': json.dumps({DATA_KEY: DATA_VAL_UPDATED})}
+        response = self.request_knox(url, method='POST', data=post_data)
 
         self.assertEqual(response.status_code, 200)
         self.assertEqual(JSONCacheItem.objects.all().count(), 1)
-        item = JSONCacheItem.objects.get(name='test_item')
-        self.assertIsNotNone(item)
+        item = JSONCacheItem.objects.get(name=ITEM_NAME)
         expected = {
             'id': item.pk,
             'project': self.project.pk,
             'app_name': TEST_APP_NAME,
             'user': self.user.pk,
-            'name': 'test_item',
-            'data': json.dumps({'test_key': 'test_val_updated'}),
+            'name': ITEM_NAME,
+            'data': json.dumps({DATA_KEY: DATA_VAL_UPDATED}),
             'sodar_uuid': item.sodar_uuid,
         }
         model_dict = model_to_dict(item)
         self.assertEqual(model_dict, expected)
 
-
-class TestSodarCacheGetDateAPIView(TestViewsBase):
-    """Tests for the sodarcache item update time getting API view"""
-
-    def test_get_time(self):
-        """Test retrieving cache item update time"""
-        self.assertEqual(JSONCacheItem.objects.all().count(), 1)
-        values = {'app_name': TEST_APP_NAME, 'name': 'test_item'}
-
-        with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'sodarcache:cache_get_date',
-                    kwargs={'project': self.project.sodar_uuid},
-                ),
-                values,
-            )
-
-        expected = self.cache_backend.get_update_time(
-            app_name=TEST_APP_NAME, name='test_item'
+    @override_settings(ENABLED_BACKEND_PLUGINS=BACKEND_PLUGINS_NO_CACHE)
+    def test_post_backend_disabled(self):
+        """Test POST with disabled sodarcache backend"""
+        url = reverse(
+            'sodarcache:api_set',
+            kwargs={
+                'project': self.project.sodar_uuid,
+                'app_name': TEST_APP_NAME,
+                'item_name': ITEM_NAME,
+            },
         )
-        self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.data['update_time'], expected)
+        post_data = {'data': json.dumps({DATA_KEY: DATA_VAL_UPDATED})}
+        response = self.request_knox(url, method='POST', data=post_data)
+        self.assertEqual(response.status_code, 503)
diff --git a/sodarcache/urls.py b/sodarcache/urls.py
index 5d07a190..18721eb5 100644
--- a/sodarcache/urls.py
+++ b/sodarcache/urls.py
@@ -6,18 +6,18 @@
 
 urlpatterns = [
     path(
-        route='api/set/<uuid:project>',
-        view=views_api.SodarCacheSetAPIView.as_view(),
-        name='cache_set',
+        route='api/retrieve/<uuid:project>/<str:app_name>/<str:item_name>',
+        view=views_api.CacheItemRetrieveAPIView.as_view(),
+        name='api_retrieve',
     ),
     path(
-        route='api/get/<uuid:project>',
-        view=views_api.SodarCacheGetAPIView.as_view(),
-        name='cache_get',
+        route='api/retrieve/date/<uuid:project>/<str:app_name>/<str:item_name>',
+        view=views_api.CacheItemDateRetrieveAPIView.as_view(),
+        name='api_retrieve_date',
     ),
     path(
-        route='api/get/date/<uuid:project>',
-        view=views_api.SodarCacheGetDateAPIView.as_view(),
-        name='cache_get_date',
+        route='api/set/<uuid:project>/<str:app_name>/<str:item_name>',
+        view=views_api.CacheItemSetAPIView.as_view(),
+        name='api_set',
     ),
 ]
diff --git a/sodarcache/views_api.py b/sodarcache/views_api.py
index fa770d6d..771982de 100644
--- a/sodarcache/views_api.py
+++ b/sodarcache/views_api.py
@@ -1,81 +1,181 @@
-"""API views for the sodarcache app"""
+"""REST API views for the sodarcache app"""
 
+from rest_framework.exceptions import APIException, NotFound, ParseError
+from rest_framework.generics import RetrieveAPIView
+from rest_framework.renderers import JSONRenderer
 from rest_framework.response import Response
+from rest_framework.versioning import AcceptHeaderVersioning
 from rest_framework.views import APIView
 
 # Projectroles dependency
+from projectroles.models import SODAR_CONSTANTS
 from projectroles.plugins import get_backend_api
-from projectroles.views_api import CoreAPIBaseProjectMixin
+from projectroles.views_api import CoreAPIGenericProjectMixin
 
+from sodarcache.serializers import JSONCacheItemSerializer
+
+# SODAR constants
+PROJECT_TYPE_PROJECT = SODAR_CONSTANTS['PROJECT_TYPE_PROJECT']
+
+# Local constants
 APP_NAME = 'sodarcache'
+SODARCACHE_API_MEDIA_TYPE = (
+    'application/vnd.bihealth.sodar-core.sodarcache+json'
+)
+SODARCACHE_API_DEFAULT_VERSION = '1.0'
+SODARCACHE_API_ALLOWED_VERSIONS = ['1.0']
 
 
-# TODO: Refactor views and URLs to match SODAR conventions in v0.9 (see #498)
+# Base Classes and Mixins ------------------------------------------------------
 
 
-class SodarCacheSetAPIView(CoreAPIBaseProjectMixin, APIView):
-    """API View for creating or updating the value of a cache item"""
+class SodarcacheAPIViewMixin:
+    """
+    Sodarcache API view versioning mixin for overriding media type and
+    accepted versions, as well as providing helpers
+    """
 
-    permission_required = 'sodarcache.set_cache_value'
+    class SodarcacheAPIRenderer(JSONRenderer):
+        media_type = SODARCACHE_API_MEDIA_TYPE
 
-    def post(self, request, *args, **kwargs):
+    class SodarcacheAPIVersioning(AcceptHeaderVersioning):
+        allowed_versions = SODARCACHE_API_ALLOWED_VERSIONS
+        default_version = SODARCACHE_API_DEFAULT_VERSION
+
+    class BackendUnavailable(APIException):
+        status_code = 503
+        default_detail = 'Cache backend not enabled'
+        default_code = 'service_unavailable'
+
+    renderer_classes = [SodarcacheAPIRenderer]
+    versioning_class = SodarcacheAPIVersioning
+
+    @classmethod
+    def get_backend(cls):
+        """
+        Return sodarcache backend or raise 503 if not enabled.
+
+        :Return: SodarCacheAPI object
+        """
         cache_backend = get_backend_api('sodar_cache')
-        project = self.get_project()
+        if not cache_backend:
+            raise cls.BackendUnavailable()
+        return cache_backend
+
+
+# API Views --------------------------------------------------------------------
+
+
+class CacheItemRetrieveAPIView(
+    SodarcacheAPIViewMixin, CoreAPIGenericProjectMixin, RetrieveAPIView
+):
+    """
+    Retrieve a cache item along with its data. Returns 404 if cache item is not
+    set.
+
+    **URL:** ``/cache/api/retrieve/{Project.sodar_uuid}/{app_name}/{item_name}``
+
+    **Methods:** ``GET``
+
+    **Returns:**
+
+    - ``project``: Project UUID (string)
+    - ``app_name``: Name of app to which the item belongs (string)
+    - ``name``: Item name (string)
+    - ``data``: Item data (JSON)
+    - ``date_modified``: Item modification datetime (YYYY-MM-DDThh:mm:ssZ)
+    - ``user``: User who created the item (SODARUserSerializer dict or None)
+    """
+
+    permission_required = 'sodarcache.get_cache_value'
+    project_type = PROJECT_TYPE_PROJECT
+    serializer_class = JSONCacheItemSerializer
+
+    def get_object(self):
+        """
+        Override get_object() to return object by project, app name and name.
+        """
+        cache_backend = self.get_backend()
         try:
-            cache_backend.set_cache_item(
-                name=request.data['name'],
-                app_name=APP_NAME,
-                user=self.request.user,
-                data=request.data['data'],
-                data_type='json',
-                project=project,
+            item = cache_backend.get_cache_item(
+                app_name=self.kwargs.get('app_name'),
+                name=self.kwargs.get('item_name'),
+                project=self.get_project(),
             )
         except Exception as ex:
-            return Response({'message': str(ex)}, status=500)
-        return Response({'message': 'ok'}, status=200)
+            raise ParseError(ex)
+        if not item:
+            raise NotFound()
+        return item
 
 
-class SodarCacheGetAPIView(CoreAPIBaseProjectMixin, APIView):
-    """API View for retrieving the value of a cache item"""
+class CacheItemDateRetrieveAPIView(
+    SodarcacheAPIViewMixin, CoreAPIGenericProjectMixin, APIView
+):
+    """
+    Retrieve timestamp of the last update to a cache item. Returns 404 if cache
+    item is not set.
+
+    **URL:** ``/cache/api/retrieve/date/{Project.sodar_uuid}/{app_name}/{item_name}``
+
+    **Methods:** ``GET``
+
+    **Returns:**
+
+    - ``update_time``: Update timestamp in seconds since epoch (integer)
+    """
 
     permission_required = 'sodarcache.get_cache_value'
+    project_type = PROJECT_TYPE_PROJECT
+    http_method_names = ['get']
 
     def get(self, request, *args, **kwargs):
-        cache_backend = get_backend_api('sodar_cache')
-        project = self.get_project()
+        cache_backend = self.get_backend()
         try:
-            item = cache_backend.get_cache_item(
-                app_name=request.GET.get('app_name'),
-                name=request.GET.get('name'),
-                project=project,
+            update_time = cache_backend.get_update_time(
+                app_name=self.kwargs.get('app_name'),
+                name=self.kwargs.get('item_name'),
+                project=self.get_project(),
             )
-            if not item:
-                return Response({'message': 'Not found'}, status=404)
-            ret_data = {
-                'sodar_uuid': str(item.sodar_uuid),
-                'project_uuid': str(item.project.sodar_uuid),
-                'user_uuid': str(item.user.sodar_uuid) if item.user else None,
-                'name': item.name,
-                'data': item.data,
-            }
-            return Response(ret_data, status=200)
         except Exception as ex:
-            return Response({'message': str(ex)}, status=500)
+            raise ParseError(ex)
+        if not update_time:
+            raise NotFound()
+        return Response({'update_time': update_time}, status=200)
 
 
-class SodarCacheGetDateAPIView(CoreAPIBaseProjectMixin, APIView):
-    """API View for retrieving the update date of a cache item"""
+class CacheItemSetAPIView(
+    SodarcacheAPIViewMixin, CoreAPIGenericProjectMixin, APIView
+):
+    """
+    Create or update a cache item. Replaces an existing item with the same
+    project, app name and item name if previously set. Returns 200 on both a
+    successful creation and update.
 
-    permission_required = 'sodarcache.get_cache_value'
+    **URL:** ``/cache/api/set/{Project.sodar_uuid}/{app_name}/{item_name}``
 
-    def get(self, request, *args, **kwargs):
-        cache_backend = get_backend_api('sodar_cache')
-        project = self.get_project()
-        update_time = cache_backend.get_update_time(
-            request.GET.get('app_name'),
-            request.GET.get('name'),
-            project=project,
-        )
-        if update_time:
-            return Response({'update_time': update_time}, status=200)
-        return Response({'message': 'Not found'}, status=404)
+    **Methods:** ``POST``
+
+    **Parameters:**
+
+    - ``data``: Full item data to be set (JSON)
+    """
+
+    permission_required = 'sodarcache.set_cache_value'
+    project_type = PROJECT_TYPE_PROJECT
+    http_method_names = ['post']
+
+    def post(self, request, *args, **kwargs):
+        cache_backend = self.get_backend()
+        try:
+            cache_backend.set_cache_item(
+                app_name=self.kwargs.get('app_name'),
+                name=self.kwargs.get('item_name'),
+                user=self.request.user,
+                data=request.data['data'],
+                data_type='json',
+                project=self.get_project(),
+            )
+        except Exception as ex:
+            raise APIException(ex)
+        return Response({'detail': 'ok'}, status=200)
diff --git a/timeline/admin.py b/timeline/admin.py
index c58d1227..44efb3e4 100644
--- a/timeline/admin.py
+++ b/timeline/admin.py
@@ -1,8 +1,8 @@
 from django.contrib import admin
 
-from .models import ProjectEvent, ProjectEventObjectRef, ProjectEventStatus
+from .models import TimelineEvent, TimelineEventObjectRef, TimelineEventStatus
 
 
-admin.site.register(ProjectEvent)
-admin.site.register(ProjectEventObjectRef)
-admin.site.register(ProjectEventStatus)
+admin.site.register(TimelineEvent)
+admin.site.register(TimelineEventObjectRef)
+admin.site.register(TimelineEventStatus)
diff --git a/timeline/api.py b/timeline/api.py
index 1c1a36a0..e0be027d 100644
--- a/timeline/api.py
+++ b/timeline/api.py
@@ -10,15 +10,21 @@
 
 # Projectroles dependency
 from projectroles.models import Project, RemoteSite
-from projectroles.plugins import get_app_plugin
+from projectroles.plugins import get_app_plugin, PluginObjectLink
 from projectroles.templatetags.projectroles_common_tags import get_user_html
 from projectroles.utils import get_app_names
 
 from timeline.models import (
-    ProjectEvent,
-    ProjectEventObjectRef,
+    TimelineEvent,
+    TimelineEventObjectRef,
     EVENT_STATUS_TYPES,
     OBJ_REF_UNNAMED,
+    TL_STATUS_OK,
+    TL_STATUS_INIT,
+    TL_STATUS_SUBMIT,
+    TL_STATUS_FAILED,
+    TL_STATUS_INFO,
+    TL_STATUS_CANCEL,
 )
 
 
@@ -31,11 +37,24 @@
 LABEL_MAX_WIDTH = 32
 UNKNOWN_LABEL = '(unknown)'
 PLUGIN_NOT_FOUND_MSG = 'Plugin not found: {plugin_name}'
+DEPRECATE_LINK_DICT_MSG = (
+    'Returning dicts from get_object_link() has been deprecated and will no '
+    'longer be supported in v1.1. Return a PluginObjectLink object instead.'
+)
 
 
 class TimelineAPI:
     """Timeline backend API to be used by Django apps."""
 
+    # Attributes --------------------------------------------------------------
+
+    TL_STATUS_OK = TL_STATUS_OK
+    TL_STATUS_INIT = TL_STATUS_INIT
+    TL_STATUS_SUBMIT = TL_STATUS_SUBMIT
+    TL_STATUS_FAILED = TL_STATUS_FAILED
+    TL_STATUS_INFO = TL_STATUS_INFO
+    TL_STATUS_CANCEL = TL_STATUS_CANCEL
+
     # Internal Helpers ---------------------------------------------------------
 
     @classmethod
@@ -119,7 +138,7 @@ def _get_ref_description(cls, event, ref_label, app_plugin, request):
         Get reference object description for event description, or unknown label
         if not found.
 
-        :param event: ProjectEvent object
+        :param event: TimelineEvent object
         :param ref_label: Label for the reference object (string)
         :param app_plugin: App plugin or None
         :param request: Request object or None
@@ -132,10 +151,10 @@ def _get_ref_description(cls, event, ref_label, app_plugin, request):
 
         # Get object reference
         try:
-            obj_ref = ProjectEventObjectRef.objects.get(
+            obj_ref = TimelineEventObjectRef.objects.get(
                 event=event, label=ref_label
             )
-        except ProjectEventObjectRef.DoesNotExist:
+        except TimelineEventObjectRef.DoesNotExist:
             return UNKNOWN_LABEL
 
         # Special case: User model
@@ -163,7 +182,7 @@ def _get_ref_description(cls, event, ref_label, app_plugin, request):
         # Apps with plugins
         else:
             try:
-                link_data = app_plugin.get_object_link(
+                link = app_plugin.get_object_link(
                     obj_ref.object_model, obj_ref.object_uuid
                 )
             except Exception as ex:
@@ -174,23 +193,27 @@ def _get_ref_description(cls, event, ref_label, app_plugin, request):
                 )
                 if settings.DEBUG:
                     raise ex
-                link_data = None
-            if link_data:
-                if not link_data['label']:
+                link = None
+            if link:
+                # TODO: Remove in v1.1 (see #1398)
+                if isinstance(link, dict):
+                    logger.warning(DEPRECATE_LINK_DICT_MSG)
+                    link = PluginObjectLink(
+                        url=link['url'],
+                        name=link['label'],
+                        blank=link['blank'],
+                    )
+                if not link.name:
                     logger.warning(
-                        'Empty label returned by plugin "{}" for object '
+                        'Empty name returned by plugin "{}" for object '
                         'reference "{}" ({})"'.format(
                             app_plugin.name, obj_ref, obj_ref.object_uuid
                         )
                     )
                 return '<a href="{}" {}>{}</a> {}'.format(
-                    link_data['url'],
-                    (
-                        'target="_blank"'
-                        if 'blank' in link_data and link_data['blank'] is True
-                        else ''
-                    ),
-                    cls._get_ref_label(link_data['label']),
+                    link.url,
+                    'target="_blank"' if link.blank else '',
+                    cls._get_ref_label(link.name),
                     cls._get_history_link(obj_ref),
                 )
             else:
@@ -230,7 +253,7 @@ def add_event(
         :param status_extra_data: Extra data for initial status (dict, optional)
         :param plugin_name: Name of plugin to which the event is related
             (optional, plugin with the name of the app is assumed if unset)
-        :return: ProjectEvent object
+        :return: TimelineEvent object
         :raise: ValueError if app_name or status_type is invalid
         """
         if app_name not in APP_NAMES:
@@ -250,7 +273,7 @@ def add_event(
         if user and user.is_anonymous:
             user = None
 
-        event = ProjectEvent()
+        event = TimelineEvent()
         event.project = project
         event.app = app_name
         event.plugin = plugin_name
@@ -263,8 +286,8 @@ def add_event(
         event.save()
 
         # Always add "INIT" status when creating, except for "INFO"
-        if status_type not in ['INFO', 'INIT']:
-            event.set_status('INIT')
+        if status_type not in [TL_STATUS_INFO, TL_STATUS_INIT]:
+            event.set_status(TL_STATUS_INIT)
         # Add additional status if set (use if e.g. event is immediately "OK")
         if status_type:
             event.set_status(status_type, status_desc, status_extra_data)
@@ -279,7 +302,7 @@ def get_project_events(cls, project, classified=False):
         :param classified: Include classified (boolean)
         :return: QuerySet
         """
-        events = ProjectEvent.objects.filter(project=project)
+        events = TimelineEvent.objects.filter(project=project)
         if not classified:
             events = events.filter(classified=False)
         return events
@@ -289,7 +312,7 @@ def get_event_description(cls, event, plugin_lookup=None, request=None):
         """
         Return the description of a timeline event as HTML.
 
-        :param event: ProjectEvent object
+        :param event: TimelineEvent object
         :param plugin_lookup: App plugin lookup dict (optional)
         :param request: Request object (optional)
         :return: String (contains HTML)
@@ -368,8 +391,8 @@ def get_object_link(cls, obj, project=None):
     @classmethod
     def get_models(cls):
         """
-        Return project event model classes for custom/advanced queries.
+        Return timeline event model classes for custom/advanced queries.
 
-        :return: ProjectEvent, ProjectEventObjectRef
+        :return: TimelineEvent, TimelineEventObjectRef
         """
-        return ProjectEvent, ProjectEventObjectRef
+        return TimelineEvent, TimelineEventObjectRef
diff --git a/timeline/migrations/0001_squashed_0015_make_uuid_unique.py b/timeline/migrations/0001_squashed_0015_make_uuid_unique.py
new file mode 100644
index 00000000..186d6293
--- /dev/null
+++ b/timeline/migrations/0001_squashed_0015_make_uuid_unique.py
@@ -0,0 +1,303 @@
+# Generated by Django 4.2.14 on 2024-07-16 09:30
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+def populate_event_status_uuid(apps, schema_editor):
+    """Populate ProjectEventStatus sodar_uuid fields"""
+    ProjectEventStatus = apps.get_model('timeline', 'ProjectEventStatus')
+    for status in ProjectEventStatus.objects.all():
+        status.sodar_uuid = uuid.uuid4()
+        status.save(update_fields=['sodar_uuid'])
+
+
+def populate_object_ref_uuid(apps, schema_editor):
+    """Populate TimelineEventObjectRef sodar_uuid fields"""
+    TimelineEventObjectRef = apps.get_model(
+        'timeline', 'TimelineEventObjectRef'
+    )
+    for status in TimelineEventObjectRef.objects.all():
+        status.sodar_uuid = uuid.uuid4()
+        status.save(update_fields=['sodar_uuid'])
+
+
+# Functions from the following migrations need manual copying.
+# Move them and any dependencies into this file, then update the
+# RunPython operations to refer to the local versions:
+# timeline.migrations.0010_populate_uuid
+# timeline.migrations.0014_populate_uuid
+
+
+class Migration(migrations.Migration):
+
+    replaces = [
+        ('timeline', '0001_initial'),
+        ('timeline', '0002_projectevent_user'),
+        ('timeline', '0003_rename_uuid'),
+        ('timeline', '0004_update_uuid'),
+        ('timeline', '0005_update_jsonfield'),
+        ('timeline', '0006_update_user_optional'),
+        ('timeline', '0007_allow_null_project'),
+        ('timeline', '0008_projectevent_plugin'),
+        ('timeline', '0009_create_status_uuid'),
+        ('timeline', '0010_populate_uuid'),
+        ('timeline', '0011_make_uuid_unique'),
+        ('timeline', '0012_rename_models'),
+        ('timeline', '0013_timelineeventobjectref_sodar_uuid'),
+        ('timeline', '0014_populate_uuid'),
+        ('timeline', '0015_make_uuid_unique'),
+    ]
+
+    initial = True
+
+    dependencies = [
+        ('projectroles', '0028_populate_finder_role'),
+        ('projectroles', '0001_initial'),
+        ('projectroles', '0019_project_public_guest_access'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='ProjectEvent',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                (
+                    'app',
+                    models.CharField(
+                        help_text='App from which the event was triggered',
+                        max_length=255,
+                    ),
+                ),
+                (
+                    'event_name',
+                    models.CharField(
+                        help_text='Event ID string', max_length=255
+                    ),
+                ),
+                (
+                    'description',
+                    models.TextField(
+                        help_text='Description of status change (may include {object label} references)'
+                    ),
+                ),
+                (
+                    'extra_data',
+                    models.JSONField(
+                        default=dict, help_text='Additional event data as JSON'
+                    ),
+                ),
+                (
+                    'classified',
+                    models.BooleanField(
+                        default=False,
+                        help_text='Event is classified (only viewable by user levels specified in rules)',
+                    ),
+                ),
+                (
+                    'sodar_uuid',
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        help_text='Event SODAR UUID',
+                        unique=True,
+                    ),
+                ),
+                (
+                    'project',
+                    models.ForeignKey(
+                        help_text='Project to which the event belongs (null for no project)',
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='events',
+                        to='projectroles.project',
+                    ),
+                ),
+                (
+                    'user',
+                    models.ForeignKey(
+                        help_text='User who initiated the event (optional)',
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+                (
+                    'plugin',
+                    models.CharField(
+                        blank=True,
+                        help_text='Plugin to which the event is related (optional, if unset plugin with the name of the app is assumed)',
+                        max_length=255,
+                        null=True,
+                    ),
+                ),
+            ],
+        ),
+        migrations.CreateModel(
+            name='ProjectEventObjectRef',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                (
+                    'label',
+                    models.CharField(
+                        help_text='Label for the object related to the event',
+                        max_length=255,
+                    ),
+                ),
+                (
+                    'name',
+                    models.CharField(
+                        help_text='Name or title of the object', max_length=255
+                    ),
+                ),
+                (
+                    'object_model',
+                    models.CharField(
+                        help_text='Object model as string', max_length=255
+                    ),
+                ),
+                (
+                    'object_uuid',
+                    models.UUIDField(
+                        blank=True, help_text='Object SODAR UUID', null=True
+                    ),
+                ),
+                (
+                    'extra_data',
+                    models.JSONField(
+                        default=dict,
+                        help_text='Additional data related to the object as JSON',
+                    ),
+                ),
+                (
+                    'event',
+                    models.ForeignKey(
+                        help_text='Event to which the object belongs',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='event_objects',
+                        to='timeline.projectevent',
+                    ),
+                ),
+            ],
+        ),
+        migrations.CreateModel(
+            name='ProjectEventStatus',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                (
+                    'timestamp',
+                    models.DateTimeField(
+                        auto_now_add=True,
+                        help_text='DateTime of the status change',
+                    ),
+                ),
+                (
+                    'status_type',
+                    models.CharField(
+                        help_text='Type of the status change', max_length=64
+                    ),
+                ),
+                (
+                    'description',
+                    models.TextField(
+                        blank=True,
+                        help_text='Description of status change (optional)',
+                    ),
+                ),
+                (
+                    'extra_data',
+                    models.JSONField(
+                        default=dict, help_text='Additional status data as JSON'
+                    ),
+                ),
+                (
+                    'event',
+                    models.ForeignKey(
+                        help_text='Event to which the status change belongs',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name='status_changes',
+                        to='timeline.projectevent',
+                    ),
+                ),
+                (
+                    'sodar_uuid',
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        help_text='Status SODAR UUID',
+                        null=True,
+                    ),
+                ),
+            ],
+        ),
+        migrations.RunPython(
+            code=populate_event_status_uuid,
+            reverse_code=migrations.RunPython.noop,
+        ),
+        migrations.AlterField(
+            model_name='projecteventstatus',
+            name='sodar_uuid',
+            field=models.UUIDField(
+                default=uuid.uuid4, help_text='Status SODAR UUID', unique=True
+            ),
+        ),
+        migrations.RenameModel(
+            old_name='ProjectEvent',
+            new_name='TimelineEvent',
+        ),
+        migrations.RenameModel(
+            old_name='ProjectEventObjectRef',
+            new_name='TimelineEventObjectRef',
+        ),
+        migrations.RenameModel(
+            old_name='ProjectEventStatus',
+            new_name='TimelineEventStatus',
+        ),
+        migrations.AddField(
+            model_name='timelineeventobjectref',
+            name='sodar_uuid',
+            field=models.UUIDField(
+                default=uuid.uuid4,
+                help_text='Object reference SODAR UUID',
+                null=True,
+            ),
+        ),
+        migrations.RunPython(
+            code=populate_object_ref_uuid,
+            reverse_code=migrations.RunPython.noop,
+        ),
+        migrations.AlterField(
+            model_name='timelineeventobjectref',
+            name='sodar_uuid',
+            field=models.UUIDField(
+                default=uuid.uuid4,
+                help_text='Object reference SODAR UUID',
+                unique=True,
+            ),
+        ),
+    ]
diff --git a/timeline/migrations/0012_rename_models.py b/timeline/migrations/0012_rename_models.py
new file mode 100644
index 00000000..1316e6ff
--- /dev/null
+++ b/timeline/migrations/0012_rename_models.py
@@ -0,0 +1,28 @@
+# Generated by Django 4.2.11 on 2024-04-17 15:55
+
+from django.conf import settings
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("projectroles", "0028_populate_finder_role"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ("timeline", "0011_make_uuid_unique"),
+    ]
+
+    operations = [
+        migrations.RenameModel(
+            old_name="ProjectEvent",
+            new_name="TimelineEvent",
+        ),
+        migrations.RenameModel(
+            old_name="ProjectEventObjectRef",
+            new_name="TimelineEventObjectRef",
+        ),
+        migrations.RenameModel(
+            old_name="ProjectEventStatus",
+            new_name="TimelineEventStatus",
+        ),
+    ]
diff --git a/timeline/migrations/0013_timelineeventobjectref_sodar_uuid.py b/timeline/migrations/0013_timelineeventobjectref_sodar_uuid.py
new file mode 100644
index 00000000..fd0b5649
--- /dev/null
+++ b/timeline/migrations/0013_timelineeventobjectref_sodar_uuid.py
@@ -0,0 +1,21 @@
+# Generated by Django 4.2.11 on 2024-04-18 08:18
+
+from django.db import migrations, models
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("timeline", "0012_rename_models"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="timelineeventobjectref",
+            name="sodar_uuid",
+            field=models.UUIDField(
+                default=uuid.uuid4, help_text="Object reference SODAR UUID", null=True
+            ),
+        ),
+    ]
diff --git a/timeline/migrations/0014_populate_uuid.py b/timeline/migrations/0014_populate_uuid.py
new file mode 100644
index 00000000..fe595901
--- /dev/null
+++ b/timeline/migrations/0014_populate_uuid.py
@@ -0,0 +1,21 @@
+# Generated by Django 4.2.11 on 2024-04-18 08:18
+
+import uuid
+
+from django.db import migrations
+
+def gen_uuid(apps, schema_editor):
+    TimelineEventObjectRef = apps.get_model('timeline', 'TimelineEventObjectRef')
+    for status in TimelineEventObjectRef.objects.all():
+        status.sodar_uuid = uuid.uuid4()
+        status.save(update_fields=['sodar_uuid'])
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("timeline", "0013_timelineeventobjectref_sodar_uuid"),
+    ]
+
+    operations = [
+        migrations.RunPython(gen_uuid, reverse_code=migrations.RunPython.noop),
+    ]
diff --git a/timeline/migrations/0015_make_uuid_unique.py b/timeline/migrations/0015_make_uuid_unique.py
new file mode 100644
index 00000000..f9c72034
--- /dev/null
+++ b/timeline/migrations/0015_make_uuid_unique.py
@@ -0,0 +1,23 @@
+# Generated by Django 4.2.11 on 2024-04-18 08:24
+
+import uuid
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("timeline", "0014_populate_uuid"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="timelineeventobjectref",
+            name="sodar_uuid",
+            field=models.UUIDField(
+                default=uuid.uuid4, help_text="Object reference SODAR UUID",
+                unique=True
+            ),
+        ),
+    ]
diff --git a/timeline/models.py b/timeline/models.py
index 100cecf7..fd68fc1c 100644
--- a/timeline/models.py
+++ b/timeline/models.py
@@ -12,25 +12,37 @@
 
 
 logger = logging.getLogger(__name__)
-
-
 # Access Django user model
 AUTH_USER_MODEL = getattr(settings, 'AUTH_USER_MODEL', 'auth.User')
-# Event status types
-EVENT_STATUS_TYPES = ['OK', 'INIT', 'SUBMIT', 'FAILED', 'INFO', 'CANCEL']
+
+# Local constants
+TL_STATUS_OK = 'OK'
+TL_STATUS_INIT = 'INIT'
+TL_STATUS_SUBMIT = 'SUBMIT'
+TL_STATUS_FAILED = 'FAILED'
+TL_STATUS_INFO = 'INFO'
+TL_STATUS_CANCEL = 'CANCEL'
+EVENT_STATUS_TYPES = [
+    TL_STATUS_OK,
+    TL_STATUS_INIT,
+    TL_STATUS_SUBMIT,
+    TL_STATUS_FAILED,
+    TL_STATUS_INFO,
+    TL_STATUS_CANCEL,
+]
 DEFAULT_MESSAGES = {
-    'OK': 'All OK',
-    'INIT': 'Event initialized',
-    'SUBMIT': 'Job submitted asynchronously',
-    'FAILED': 'Failed (unknown problem)',
-    'INFO': 'Info level action',
-    'CANCEL': 'Action cancelled',
+    TL_STATUS_OK: 'All OK',
+    TL_STATUS_INIT: 'Event initialized',
+    TL_STATUS_SUBMIT: 'Job submitted asynchronously',
+    TL_STATUS_FAILED: 'Failed (unknown problem)',
+    TL_STATUS_INFO: 'Info level action',
+    TL_STATUS_CANCEL: 'Action cancelled',
 }
 OBJ_REF_UNNAMED = '(unnamed)'
 
 
-class ProjectEventManager(models.Manager):
-    """Manager for custom table-level ProjectEvent queries"""
+class TimelineEventManager(models.Manager):
+    """Manager for custom table-level TimelineEvent queries"""
 
     def get_object_events(
         self, project, object_model, object_uuid, order_by='-pk'
@@ -44,7 +56,7 @@ def get_object_events(
         :param order_by: Ordering (default = pk descending)
         :return: QuerySet
         """
-        return ProjectEvent.objects.filter(
+        return TimelineEvent.objects.filter(
             project=project,
             event_objects__object_model=object_model,
             event_objects__object_uuid=object_uuid,
@@ -56,7 +68,7 @@ def find(self, search_terms, keywords=None):
 
         :param search_terms: Search terms (list of strings)
         :param keywords: Optional search keywords as key/value pairs (dict)
-        :return: QuerySet of ProjectEvent objects
+        :return: QuerySet of TimelineEvent objects
         """
         search_limit = getattr(settings, 'TIMELINE_SEARCH_LIMIT', 250)
         term_query = Q()
@@ -73,7 +85,7 @@ def find(self, search_terms, keywords=None):
         return items[:search_limit]
 
 
-class ProjectEvent(models.Model):
+class TimelineEvent(models.Model):
     """
     Class representing a Project event. Can also be a site-wide event not linked
     to a specific project.
@@ -137,7 +149,7 @@ class ProjectEvent(models.Model):
     )
 
     # Set manager for custom queries
-    objects = ProjectEventManager()
+    objects = TimelineEventManager()
 
     def __str__(self):
         return '{}{}{}'.format(
@@ -147,7 +159,7 @@ def __str__(self):
         )
 
     def __repr__(self):
-        return 'ProjectEvent({})'.format(
+        return 'TimelineEvent({})'.format(
             ', '.join(repr(v) for v in self.get_repr_values())
         )
 
@@ -172,6 +184,10 @@ def get_status_changes(self, reverse=False):
             '{}pk'.format('-' if reverse else '')
         )
 
+    def get_project(self):
+        """Return the project for the event"""
+        return self.project
+
     def add_object(self, obj, label, name, extra_data=None):
         """
         Add object reference to an event.
@@ -180,9 +196,9 @@ def add_object(self, obj, label, name, extra_data=None):
         :param label: Label for the object in the event description (string)
         :param name: Name or title of the object (string)
         :param extra_data: Additional data related to object (dict, optional)
-        :return: ProjectEventObjectRef object
+        :return: TimelineEventObjectRef object
         """
-        ref = ProjectEventObjectRef()
+        ref = TimelineEventObjectRef()
         ref.event = self
         ref.label = label
         if not name:
@@ -207,7 +223,7 @@ def set_status(self, status_type, status_desc=None, extra_data=None):
         :param status_type: Status type string (see EVENT_STATUS_TYPES)
         :param status_desc: Description string (optional)
         :param extra_data: Extra data for the status (dict, optional)
-        :return: ProjectEventStatus object
+        :return: TimelineEventStatus object
         :raise: TypeError if status_type is invalid
         """
         if status_type not in EVENT_STATUS_TYPES:
@@ -217,7 +233,7 @@ def set_status(self, status_type, status_desc=None, extra_data=None):
                 )
             )
 
-        status = ProjectEventStatus()
+        status = TimelineEventStatus()
         status.event = self
         status.status_type = status_type
         status.description = (
@@ -229,13 +245,15 @@ def set_status(self, status_type, status_desc=None, extra_data=None):
         return status
 
 
-class ProjectEventObjectRef(models.Model):
-    """Class representing a reference to an object (existing or removed)
-    related to a Timeline event status"""
+class TimelineEventObjectRef(models.Model):
+    """
+    Class representing a reference to an object (existing or removed)
+    related to a timeline event status.
+    """
 
     #: Event to which the object belongs
     event = models.ForeignKey(
-        ProjectEvent,
+        TimelineEvent,
         related_name='event_objects',
         help_text='Event to which the object belongs',
         on_delete=models.CASCADE,
@@ -275,6 +293,11 @@ class ProjectEventObjectRef(models.Model):
         default=dict, help_text='Additional data related to the object as JSON'
     )
 
+    #: UUID for this object reference
+    sodar_uuid = models.UUIDField(
+        default=uuid.uuid4, unique=True, help_text='Object reference SODAR UUID'
+    )
+
     def __str__(self):
         return '{} ({})'.format(
             self.event.__str__(),
@@ -283,17 +306,21 @@ def __str__(self):
 
     def __repr__(self):
         values = self.event.get_repr_values() + [self.name]
-        return 'ProjectEventObjectRef({})'.format(
+        return 'TimelineEventObjectRef({})'.format(
             ', '.join(repr(v) for v in values)
         )
 
+    def get_project(self):
+        """Return the project for the event"""
+        return self.event.project
+
 
-class ProjectEventStatus(models.Model):
-    """Class representing a Timeline event status"""
+class TimelineEventStatus(models.Model):
+    """Class representing a timeline event status"""
 
     #: Event to which the status change belongs
     event = models.ForeignKey(
-        ProjectEvent,
+        TimelineEvent,
         related_name='status_changes',
         help_text='Event to which the status change belongs',
         on_delete=models.CASCADE,
@@ -335,7 +362,7 @@ def __str__(self):
 
     def __repr__(self):
         values = self.event.get_repr_values() + [self.status_type]
-        return 'ProjectEventStatus({})'.format(
+        return 'TimelineEventStatus({})'.format(
             ', '.join(repr(v) for v in values)
         )
 
diff --git a/timeline/plugins.py b/timeline/plugins.py
index ce222cf2..62eef774 100644
--- a/timeline/plugins.py
+++ b/timeline/plugins.py
@@ -6,11 +6,12 @@
     ProjectAppPluginPoint,
     BackendPluginPoint,
     SiteAppPluginPoint,
+    PluginSearchResult,
 )
 from projectroles.utils import get_display_name
 
 from timeline.api import TimelineAPI
-from timeline.models import ProjectEvent
+from timeline.models import TimelineEvent
 from timeline.urls import urls_ui_project, urls_ui_site, urls_ui_admin
 
 
@@ -72,7 +73,7 @@ def get_statistics(self):
         return {
             'event_count': {
                 'label': 'Events',
-                'value': ProjectEvent.objects.all().count(),
+                'value': TimelineEvent.objects.all().count(),
             }
         }
 
@@ -101,24 +102,19 @@ def search(self, search_terms, user, search_type=None, keywords=None):
         :param user: User object for user initiating the search
         :param search_type: String
         :param keywords: List (optional)
-        :return: Dict
+        :return: List of PluginSearchResult objects
         """
         items = []
         if not search_type or search_type == 'timeline':
-            events = ProjectEvent.objects.find(search_terms, keywords)
-        if events:
-            items = [
-                event
-                for event in list(events)
-                if self.check_permission(user, event)
-            ]
-        return {
-            'all': {
-                'title': 'Timeline Events',
-                'search_types': ['timeline'],
-                'items': items,
-            }
-        }
+            events = list(TimelineEvent.objects.find(search_terms, keywords))
+            items = [e for e in events if self.check_permission(user, e)]
+        ret = PluginSearchResult(
+            category='all',
+            title='Timeline Event',
+            search_types=['timeline'],
+            items=items,
+        )
+        return [ret]
 
 
 class BackendPlugin(BackendPluginPoint):
diff --git a/timeline/serializers.py b/timeline/serializers.py
new file mode 100644
index 00000000..2819cbdc
--- /dev/null
+++ b/timeline/serializers.py
@@ -0,0 +1,114 @@
+"""Django Rest Framework serializers for the timeline app"""
+
+from rest_framework import serializers
+
+# Projectroles dependency
+from projectroles.serializers import (
+    SODARModelSerializer,
+    SODARProjectModelSerializer,
+    SODARUserSerializer,
+)
+
+from timeline.models import (
+    TimelineEvent,
+    TimelineEventStatus,
+    TimelineEventObjectRef,
+)
+
+
+class ExtraDataRepresentationMixin:
+    """Mixin for controlling extra data visibility to users"""
+
+    def to_representation(self, instance):
+        ret = super().to_representation(instance)
+        user = self.context['request'].user
+        project = instance.get_project()
+        if (
+            project
+            and not user.has_perm('timeline.view_event_extra_data', project)
+            and not user.is_superuser
+        ):
+            ret.pop('extra_data')
+        elif not project and not user.is_superuser:
+            ret.pop('extra_data')
+        return ret
+
+
+class TimelineEventObjectRefSerializer(
+    ExtraDataRepresentationMixin, serializers.ModelSerializer
+):
+    """
+    Serializer for the TimelineEventObjectRef model. All fields are set to
+    read-only.
+    """
+
+    event = serializers.SlugRelatedField(
+        slug_field='sodar_uuid', read_only=True
+    )
+
+    class Meta:
+        model = TimelineEventObjectRef
+        fields = [
+            'event',
+            'label',
+            'name',
+            'object_model',
+            'object_uuid',
+            'extra_data',
+            'sodar_uuid',
+        ]
+        read_only_fields = fields
+
+
+class TimelineEventStatusSerializer(
+    ExtraDataRepresentationMixin, SODARModelSerializer
+):
+    """
+    Serializer for the TimelineEventStatus model. All fields are set to
+    read-only.
+    """
+
+    event = serializers.SlugRelatedField(
+        slug_field='sodar_uuid', read_only=True
+    )
+
+    class Meta:
+        model = TimelineEventStatus
+        fields = [
+            'event',
+            'timestamp',
+            'status_type',
+            'description',
+            'extra_data',
+            'sodar_uuid',
+        ]
+        read_only_fields = fields
+
+
+class TimelineEventSerializer(
+    ExtraDataRepresentationMixin, SODARProjectModelSerializer
+):
+    """
+    Serializer for the TimelineEvent model. All fields are set to read-only.
+    """
+
+    user = SODARUserSerializer(read_only=True)
+    status_changes = TimelineEventStatusSerializer(many=True, read_only=True)
+    event_objects = TimelineEventObjectRefSerializer(many=True, read_only=True)
+
+    class Meta:
+        model = TimelineEvent
+        fields = [
+            'project',
+            'app',
+            'plugin',
+            'user',
+            'event_name',
+            'description',
+            'extra_data',
+            'classified',
+            'status_changes',
+            'event_objects',
+            'sodar_uuid',
+        ]
+        read_only_fields = fields
diff --git a/timeline/static/timeline/css/timeline.css b/timeline/static/timeline/css/timeline.css
index 4096066e..45430444 100644
--- a/timeline/static/timeline/css/timeline.css
+++ b/timeline/static/timeline/css/timeline.css
@@ -3,19 +3,14 @@ table#sodar-tl-table {
   display: inline-table;
 }
 table#sodar-tl-table tbody tr td:nth-child(1),
-table#sodar-tl-table tbody tr td:nth-child(2),
-table#sodar-tl-table tbody tr td:nth-child(3) {
+table#sodar-tl-table tbody tr td:nth-child(2) {
   white-space: nowrap;
 }
 table#sodar-tl-table tbody tr td:nth-child(2) {
-  width: 200px;
-  max-width: 200px;
-}
-table#sodar-tl-table tbody tr td:nth-child(3) {
   width: 220px;
   max-width: 220px;
 }
-table#sodar-tl-table tbody tr td:nth-child(4) {
+table#sodar-tl-table tbody tr td:nth-child(3) {
   width: 100%;
 }
 
@@ -49,25 +44,30 @@ a.sodar-tl-link-status-extra-data:hover {
   font-size: 100%; /* Fix for Bootstrap 4.4 */
 }
 
-/* Responsive modifications */
-@media screen and (max-width: 1300px) {
-  .table#sodar-tl-table thead tr th:nth-child(2),
-  .table#sodar-tl-table tbody tr td:nth-child(2) {
-    display: none;
-  }
+span.sodar-tl-event-badge {
+  vertical-align: top;
+  margin-top: 2px;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  max-width: 300px;
 }
-@media screen and (max-width: 1100px) {
+span.sodar-tl-event-badge a {
+  color: inherit;
+}
+
+/* Responsive modifications */
+@media screen and (max-width: 1000px) {
   .table#sodar-tl-table tbody tr td:nth-child(1) {
     white-space: normal;
   }
-  .table#sodar-tl-table thead tr th:nth-child(3),
-  .table#sodar-tl-table tbody tr td:nth-child(3) {
+  .table#sodar-tl-table thead tr th:nth-child(2),
+  .table#sodar-tl-table tbody tr td:nth-child(2) {
     display: none;
   }
 }
 @media screen and (max-width: 700px) {
-  .table#sodar-tl-table thead tr th:nth-child(5),
-  .table#sodar-tl-table tbody tr td:nth-child(5) {
+  .table#sodar-tl-table thead tr th:nth-child(4),
+  .table#sodar-tl-table tbody tr td:nth-child(4) {
       display: none;
   }
 }
diff --git a/timeline/templates/timeline/_details_card.html b/timeline/templates/timeline/_details_card.html
index 133a098b..ecba7de6 100644
--- a/timeline/templates/timeline/_details_card.html
+++ b/timeline/templates/timeline/_details_card.html
@@ -20,7 +20,7 @@
         {% endfor %}
       {% else %}
         <tr>
-          <td class="bg-faded font-italic text-center" colspan="5">
+          <td class="bg-faded font-italic text-center" colspan="4">
             No events found
           </td>
         </tr>
diff --git a/timeline/templates/timeline/_list_header.html b/timeline/templates/timeline/_list_header.html
index 62f77455..4acb82b5 100644
--- a/timeline/templates/timeline/_list_header.html
+++ b/timeline/templates/timeline/_list_header.html
@@ -1,6 +1,5 @@
 <tr>
   <th id="sodar-tl-header-timestamp">Timestamp</th>
-  <th>Event</th>
   <th>User</th>
   <th>Description</th>
   <th>Status</th>
diff --git a/timeline/templates/timeline/_list_item.html b/timeline/templates/timeline/_list_item.html
index da757ecd..dc88afa1 100644
--- a/timeline/templates/timeline/_list_item.html
+++ b/timeline/templates/timeline/_list_item.html
@@ -10,23 +10,16 @@
     {% get_timestamp event as event_time %}
     {% if event.project %}
       <a class="sodar-tl-link-detail text-primary"
-         data-url="{% url 'timeline:ajax_detail_project' projectevent=event.sodar_uuid %}">
+         data-url="{% url 'timeline:ajax_detail_project' timelineevent=event.sodar_uuid %}">
         {{ event_time }}
       </a>
     {% else %}
       <a class="sodar-tl-link-detail text-primary"
-         data-url="{% url 'timeline:ajax_detail_site' projectevent=event.sodar_uuid %}">
+         data-url="{% url 'timeline:ajax_detail_site' timelineevent=event.sodar_uuid %}">
         {{ event_time }}
       </a>
     {% endif %}
   </td>
-  <td class="sodar-tl-item-name">
-    <div class="sodar-overflow-container">
-      {% get_app_icon_html event plugin_lookup as event_icon %}
-      {{ event_icon|safe }}
-      {{ event.event_name }}
-    </div>
-  </td>
   <td class="sodar-tl-item-user {% if not event.user %}text-muted{% endif %}">
     {% if event.user %}
       <div class="sodar-overflow-container">
@@ -38,6 +31,11 @@
     {% endif %}
   </td>
   <td class="sodar-tl-item-desc">
+    {% get_app_icon_html event plugin_lookup as event_icon %}
+    <span class="badge bg-secondary text-white mr-1 sodar-tl-event-badge">
+      {{ event_icon|safe }}
+      {{ event.event_name }}
+    </span>
     {% if event.project and user.is_superuser and timeline_mode == 'admin' %}
       {% include 'projectroles/_project_badge.html' with project=event.project color='info' can_view=True %}
     {% endif %}
@@ -46,14 +44,14 @@
     {% if not details_card_mode and event.extra_data %}
       {% if event.project and can_view_extra_data %}
         <a class="sodar-tl-link-extra-data text-primary pull-right"
-           data-url="{% url 'timeline:ajax_extra_project' projectevent=event.sodar_uuid %}">
+           data-url="{% url 'timeline:ajax_extra_project' timelineevent=event.sodar_uuid %}">
           <i class="iconify" data-icon="mdi:text-box" title="Extra Data"
              data-toggle="tooltip" data-placement="right">
           </i>
         </a>
       {% elif not event.project and user.is_superuser %}
         <a class="sodar-tl-link-extra-data text-primary pull-right"
-           data-url="{% url 'timeline:ajax_extra_site' projectevent=event.sodar_uuid %}">
+           data-url="{% url 'timeline:ajax_extra_site' timelineevent=event.sodar_uuid %}">
           <i class="iconify" data-icon="mdi:text-box" title="Extra Data"
              data-toggle="tooltip" data-placement="right">
           </i>
diff --git a/timeline/templates/timeline/_list_tour.html b/timeline/templates/timeline/_list_tour.html
index b8e3be21..f04639da 100644
--- a/timeline/templates/timeline/_list_tour.html
+++ b/timeline/templates/timeline/_list_tour.html
@@ -24,12 +24,12 @@
           showCancelLink: true
       });
   }
-  if ($('.sodar-tl-item-name').length) {
+  if ($('.sodar-tl-event-badge').length) {
       tour.addStep('event_name', {
           title: 'Event Name',
-          text: 'The event name is displayed in this column. Event with the ' +
-                'name may be searched using the site search.',
-          attachTo: '.sodar-tl-item-name top',
+          text: 'The event name is displayed in these badges. Events may be ' +
+                'searched by name using the site search.',
+          attachTo: '.sodar-tl-event-badge top',
           advanceOn: '.docs-link click',
           showCancelLink: true
       });
diff --git a/timeline/templates/timeline/_search_results.html b/timeline/templates/timeline/_search_results.html
index 69e386e1..13bb6388 100644
--- a/timeline/templates/timeline/_search_results.html
+++ b/timeline/templates/timeline/_search_results.html
@@ -10,11 +10,9 @@
   .table#sodar-tl-search-table tbody tr td:nth-child(3) {
     white-space: nowrap;
   }
-
   .table#sodar-tl-search-table tbody tr td:nth-child(4) {
     width: 100%;
   }
-
   /* Responsive modifications */
   @media screen and (max-width: 1200px) {
     .table#sodar-tl-search-table tr th:nth-child(3),
@@ -22,15 +20,13 @@
       display: none;
     }
   }
-
   @media screen and (max-width: 850px) {
     .table#sodar-tl-search-table tr th:nth-child(2),
     .table#sodar-tl-search-table tr td:nth-child(2) {
       display: none;
     }
   }
-
-    @media screen and (max-width: 650px) {
+  @media screen and (max-width: 650px) {
     .table#sodar-tl-search-table tr th:nth-child(1),
     .table#sodar-tl-search-table tr td:nth-child(1) {
       display: none;
diff --git a/timeline/templates/timeline/timeline.html b/timeline/templates/timeline/timeline.html
index dd27190b..e7e4ee40 100644
--- a/timeline/templates/timeline/timeline.html
+++ b/timeline/templates/timeline/timeline.html
@@ -50,7 +50,7 @@ <h3>
                 {% include 'timeline/_list_item.html' %}
               {% endfor %}
             {% else %}
-              <td class="bg-faded font-italic text-center" colspan="5">
+              <td class="bg-faded font-italic text-center" colspan="4">
                 No timeline events found for this
                 {% if timeline_mode == 'project' %}
                   {% get_display_name 'PROJECT' %}.
diff --git a/timeline/templates/timeline/timeline_site.html b/timeline/templates/timeline/timeline_site.html
index 6c097113..7c8cf982 100644
--- a/timeline/templates/timeline/timeline_site.html
+++ b/timeline/templates/timeline/timeline_site.html
@@ -56,7 +56,7 @@ <h2>
               {% include 'timeline/_list_item.html' %}
             {% endfor %}
           {% else %}
-            <td class="bg-faded font-italic text-center" colspan="5">
+            <td class="bg-faded font-italic text-center" colspan="4">
               No {% if timeline_mode == 'site' %}site-wide{% endif %} timeline
               events found{% if timeline_mode == 'object' %} for this object{% endif %}.
             </td>
diff --git a/timeline/templatetags/timeline_tags.py b/timeline/templatetags/timeline_tags.py
index 0e58c45d..017fa2b2 100644
--- a/timeline/templatetags/timeline_tags.py
+++ b/timeline/templatetags/timeline_tags.py
@@ -9,7 +9,7 @@
 from projectroles.plugins import ProjectAppPluginPoint
 
 from timeline.api import TimelineAPI
-from timeline.models import ProjectEvent
+from timeline.models import TimelineEvent
 
 
 logger = logging.getLogger(__name__)
@@ -37,7 +37,7 @@ def get_timestamp(event):
     """Return printable timestamp of event in local timezone"""
     try:
         return localtime(event.get_timestamp()).strftime('%Y-%m-%d %H:%M:%S')
-    except Exception:  # Handle error cases where ProjectEventStatus is missing
+    except Exception:  # Handle error cases where TimelineEventStatus is missing
         return 'N/A'
 
 
@@ -51,7 +51,7 @@ def get_event_description(event, plugin_lookup, request=None):
 def get_details_events(project, view_classified=False):
     """Return recent events for card on project details page"""
     c_kwargs = {'classified': False} if not view_classified else {}
-    return ProjectEvent.objects.filter(project=project, **c_kwargs).order_by(
+    return TimelineEvent.objects.filter(project=project, **c_kwargs).order_by(
         '-pk'
     )[:5]
 
diff --git a/timeline/tests/test_api.py b/timeline/tests/test_api.py
index e262c73d..d1fe93e5 100644
--- a/timeline/tests/test_api.py
+++ b/timeline/tests/test_api.py
@@ -17,18 +17,19 @@
 # Filesfolders dependency
 from filesfolders.tests.test_models import FolderMixin
 
-from timeline.tests.test_models import (
-    TestProjectEventBase,
-    ProjectEventMixin,
-    ProjectEventStatusMixin,
-)
 from timeline.models import (
-    ProjectEvent,
-    ProjectEventStatus,
-    ProjectEventObjectRef,
+    TimelineEvent,
+    TimelineEventStatus,
+    TimelineEventObjectRef,
     DEFAULT_MESSAGES,
 )
 from timeline.templatetags import timeline_tags as tags
+from timeline.tests.test_models import (
+    TimelineEventTestBase,
+    TimelineEventMixin,
+    TimelineEventStatusMixin,
+    EXTRA_DATA,
+)
 
 
 # Global constants from settings
@@ -55,11 +56,11 @@ def get_request(cls, user, project):
 
 class TestTimelineAPI(
     TimelineAPIMixin,
-    ProjectEventMixin,
-    ProjectEventStatusMixin,
+    TimelineEventMixin,
+    TimelineEventStatusMixin,
     RemoteSiteMixin,
     FolderMixin,
-    TestProjectEventBase,
+    TimelineEventTestBase,
 ):
     def setUp(self):
         super().setUp()
@@ -70,8 +71,8 @@ def setUp(self):
 
     def test_add_event(self):
         """Test adding an event"""
-        self.assertEqual(ProjectEvent.objects.all().count(), 0)
-        self.assertEqual(ProjectEventStatus.objects.all().count(), 0)
+        self.assertEqual(TimelineEvent.objects.all().count(), 0)
+        self.assertEqual(TimelineEventStatus.objects.all().count(), 0)
 
         event = self.timeline.add_event(
             project=self.project,
@@ -79,11 +80,11 @@ def test_add_event(self):
             user=self.user_owner,
             event_name='test_event',
             description='description',
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
         )
 
-        self.assertEqual(ProjectEvent.objects.all().count(), 1)
-        self.assertEqual(ProjectEventStatus.objects.all().count(), 1)  # Init
+        self.assertEqual(TimelineEvent.objects.all().count(), 1)
+        self.assertEqual(TimelineEventStatus.objects.all().count(), 1)  # Init
 
         expected = {
             'id': event.pk,
@@ -94,7 +95,7 @@ def test_add_event(self):
             'event_name': 'test_event',
             'description': 'description',
             'classified': False,
-            'extra_data': {'test_key': 'test_val'},
+            'extra_data': EXTRA_DATA,
             'sodar_uuid': event.sodar_uuid,
         }
         self.assertEqual(model_to_dict(event), expected)
@@ -103,8 +104,8 @@ def test_add_event(self):
         expected_status = {
             'id': status.pk,
             'event': event.pk,
-            'status_type': 'INIT',
-            'description': DEFAULT_MESSAGES['INIT'],
+            'status_type': self.timeline.TL_STATUS_INIT,
+            'description': DEFAULT_MESSAGES[self.timeline.TL_STATUS_INIT],
             'extra_data': {},
             'sodar_uuid': status.sodar_uuid,
         }
@@ -112,8 +113,8 @@ def test_add_event(self):
 
     def test_add_event_with_status(self):
         """Test adding an event with status"""
-        self.assertEqual(ProjectEvent.objects.all().count(), 0)
-        self.assertEqual(ProjectEventStatus.objects.all().count(), 0)
+        self.assertEqual(TimelineEvent.objects.all().count(), 0)
+        self.assertEqual(TimelineEventStatus.objects.all().count(), 0)
 
         event = self.timeline.add_event(
             project=self.project,
@@ -121,15 +122,15 @@ def test_add_event_with_status(self):
             user=self.user_owner,
             event_name='test_event',
             description='description',
-            extra_data={'test_key': 'test_val'},
-            status_type='OK',
-            status_desc='OK',
+            extra_data=EXTRA_DATA,
+            status_type=self.timeline.TL_STATUS_OK,
+            status_desc=self.timeline.TL_STATUS_OK,
             status_extra_data={},
         )
 
         status = event.get_status()
-        self.assertEqual(ProjectEvent.objects.all().count(), 1)
-        self.assertEqual(ProjectEventStatus.objects.all().count(), 2)
+        self.assertEqual(TimelineEvent.objects.all().count(), 1)
+        self.assertEqual(TimelineEventStatus.objects.all().count(), 2)
 
         expected_event = {
             'id': event.pk,
@@ -140,7 +141,7 @@ def test_add_event_with_status(self):
             'event_name': 'test_event',
             'description': 'description',
             'classified': False,
-            'extra_data': {'test_key': 'test_val'},
+            'extra_data': EXTRA_DATA,
             'sodar_uuid': event.sodar_uuid,
         }
         self.assertEqual(model_to_dict(event), expected_event)
@@ -148,8 +149,8 @@ def test_add_event_with_status(self):
         expected_status = {
             'id': status.pk,
             'event': event.pk,
-            'status_type': 'OK',
-            'description': 'OK',
+            'status_type': self.timeline.TL_STATUS_OK,
+            'description': self.timeline.TL_STATUS_OK,
             'extra_data': {},
             'sodar_uuid': status.sodar_uuid,
         }
@@ -158,8 +159,8 @@ def test_add_event_with_status(self):
     def test_add_event_custom_init(self):
         """Test adding an event with custom INIT status"""
         custom_init_desc = 'Custom init'
-        self.assertEqual(ProjectEvent.objects.all().count(), 0)
-        self.assertEqual(ProjectEventStatus.objects.all().count(), 0)
+        self.assertEqual(TimelineEvent.objects.all().count(), 0)
+        self.assertEqual(TimelineEventStatus.objects.all().count(), 0)
 
         event = self.timeline.add_event(
             project=self.project,
@@ -167,19 +168,19 @@ def test_add_event_custom_init(self):
             user=self.user_owner,
             event_name='test_event',
             description='description',
-            extra_data={'test_key': 'test_val'},
-            status_type='INIT',
+            extra_data=EXTRA_DATA,
+            status_type=self.timeline.TL_STATUS_INIT,
             status_desc=custom_init_desc,
         )
 
-        self.assertEqual(ProjectEvent.objects.all().count(), 1)
-        self.assertEqual(ProjectEventStatus.objects.all().count(), 1)  # Init
+        self.assertEqual(TimelineEvent.objects.all().count(), 1)
+        self.assertEqual(TimelineEventStatus.objects.all().count(), 1)  # Init
 
         status = event.get_status()
         expected_status = {
             'id': status.pk,
             'event': event.pk,
-            'status_type': 'INIT',
+            'status_type': self.timeline.TL_STATUS_INIT,
             'description': custom_init_desc,
             'extra_data': {},
             'sodar_uuid': status.sodar_uuid,
@@ -188,8 +189,8 @@ def test_add_event_custom_init(self):
 
     def test_add_event_no_user(self):
         """Test adding an event with no user"""
-        self.assertEqual(ProjectEvent.objects.all().count(), 0)
-        self.assertEqual(ProjectEventStatus.objects.all().count(), 0)
+        self.assertEqual(TimelineEvent.objects.all().count(), 0)
+        self.assertEqual(TimelineEventStatus.objects.all().count(), 0)
 
         event = self.timeline.add_event(
             project=self.project,
@@ -197,11 +198,11 @@ def test_add_event_no_user(self):
             user=None,
             event_name='test_event',
             description='description',
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
         )
 
-        self.assertEqual(ProjectEvent.objects.all().count(), 1)
-        self.assertEqual(ProjectEventStatus.objects.all().count(), 1)
+        self.assertEqual(TimelineEvent.objects.all().count(), 1)
+        self.assertEqual(TimelineEventStatus.objects.all().count(), 1)
 
         expected = {
             'id': event.pk,
@@ -212,15 +213,15 @@ def test_add_event_no_user(self):
             'event_name': 'test_event',
             'description': 'description',
             'classified': False,
-            'extra_data': {'test_key': 'test_val'},
+            'extra_data': EXTRA_DATA,
             'sodar_uuid': event.sodar_uuid,
         }
         self.assertEqual(model_to_dict(event), expected)
 
     def test_add_event_anon_user(self):
         """Test adding an event with AnonymousUser"""
-        self.assertEqual(ProjectEvent.objects.all().count(), 0)
-        self.assertEqual(ProjectEventStatus.objects.all().count(), 0)
+        self.assertEqual(TimelineEvent.objects.all().count(), 0)
+        self.assertEqual(TimelineEventStatus.objects.all().count(), 0)
 
         event = self.timeline.add_event(
             project=self.project,
@@ -228,17 +229,17 @@ def test_add_event_anon_user(self):
             user=AnonymousUser(),
             event_name='test_event',
             description='description',
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
         )
 
-        self.assertEqual(ProjectEvent.objects.all().count(), 1)
-        self.assertEqual(ProjectEventStatus.objects.all().count(), 1)
+        self.assertEqual(TimelineEvent.objects.all().count(), 1)
+        self.assertEqual(TimelineEventStatus.objects.all().count(), 1)
         self.assertIsNone(event.user)
 
     def test_add_event_invalid_app(self):
         """Test adding an event with an invalid app name (should fail)"""
-        self.assertEqual(ProjectEvent.objects.all().count(), 0)
-        self.assertEqual(ProjectEventStatus.objects.all().count(), 0)
+        self.assertEqual(TimelineEvent.objects.all().count(), 0)
+        self.assertEqual(TimelineEventStatus.objects.all().count(), 0)
 
         with self.assertRaises(ValueError):
             self.timeline.add_event(
@@ -247,16 +248,16 @@ def test_add_event_invalid_app(self):
                 user=self.user_owner,
                 event_name='test_event',
                 description='description',
-                extra_data={'test_key': 'test_val'},
+                extra_data=EXTRA_DATA,
             )
 
-        self.assertEqual(ProjectEvent.objects.all().count(), 0)
-        self.assertEqual(ProjectEventStatus.objects.all().count(), 0)
+        self.assertEqual(TimelineEvent.objects.all().count(), 0)
+        self.assertEqual(TimelineEventStatus.objects.all().count(), 0)
 
     def test_add_event_invalid_status(self):
         """Test adding an event with an invalid status type"""
-        self.assertEqual(ProjectEvent.objects.all().count(), 0)
-        self.assertEqual(ProjectEventStatus.objects.all().count(), 0)
+        self.assertEqual(TimelineEvent.objects.all().count(), 0)
+        self.assertEqual(TimelineEventStatus.objects.all().count(), 0)
 
         with self.assertRaises(ValueError):
             self.timeline.add_event(
@@ -266,15 +267,15 @@ def test_add_event_invalid_status(self):
                 event_name='test_event',
                 description='description',
                 status_type='NON-EXISTING STATUS TYPE',
-                extra_data={'test_key': 'test_val'},
+                extra_data=EXTRA_DATA,
             )
 
-        self.assertEqual(ProjectEvent.objects.all().count(), 0)
-        self.assertEqual(ProjectEventStatus.objects.all().count(), 0)
+        self.assertEqual(TimelineEvent.objects.all().count(), 0)
+        self.assertEqual(TimelineEventStatus.objects.all().count(), 0)
 
     def test_add_object(self):
         """Test adding an object to an event"""
-        self.assertEqual(ProjectEventObjectRef.objects.all().count(), 0)
+        self.assertEqual(TimelineEventObjectRef.objects.all().count(), 0)
 
         event = self.timeline.add_event(
             project=self.project,
@@ -282,17 +283,17 @@ def test_add_object(self):
             user=self.user_owner,
             event_name='test_event',
             description='event with {obj}',
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
         )
         temp_obj = self.project.get_owner()
         ref = event.add_object(
             obj=temp_obj,
             label='obj',
             name='assignment',
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
         )
 
-        self.assertEqual(ProjectEventObjectRef.objects.all().count(), 1)
+        self.assertEqual(TimelineEventObjectRef.objects.all().count(), 1)
         expected = {
             'id': ref.pk,
             'event': event.pk,
@@ -300,7 +301,8 @@ def test_add_object(self):
             'name': 'assignment',
             'object_model': temp_obj.__class__.__name__,
             'object_uuid': temp_obj.sodar_uuid,
-            'extra_data': {'test_key': 'test_val'},
+            'extra_data': EXTRA_DATA,
+            'sodar_uuid': ref.sodar_uuid,
         }
         self.assertEqual(model_to_dict(ref), expected)
 
@@ -312,7 +314,7 @@ def test_get_project_events(self):
             user=self.user_owner,
             event_name='test_event',
             description='description',
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
         )
         event_classified = self.timeline.add_event(
             project=self.project,
@@ -321,7 +323,7 @@ def test_get_project_events(self):
             event_name='test_event',
             description='description',
             classified=True,
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
         )
 
         events = self.timeline.get_project_events(
@@ -393,7 +395,7 @@ def test_get_event_description(self):
             user=self.user_owner,
             event_name='test_event',
             description='description',
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
         )
         self.assertEqual(
             self.timeline.get_event_description(event), event.description
diff --git a/timeline/tests/test_models.py b/timeline/tests/test_models.py
index 22e3c7a1..d60dca0f 100644
--- a/timeline/tests/test_models.py
+++ b/timeline/tests/test_models.py
@@ -13,10 +13,12 @@
 )
 
 from timeline.models import (
-    ProjectEvent,
-    ProjectEventObjectRef,
-    ProjectEventStatus,
+    TimelineEvent,
+    TimelineEventObjectRef,
+    TimelineEventStatus,
     OBJ_REF_UNNAMED,
+    TL_STATUS_OK,
+    TL_STATUS_FAILED,
 )
 
 
@@ -29,8 +31,12 @@
 PROJECT_TYPE_PROJECT = SODAR_CONSTANTS['PROJECT_TYPE_PROJECT']
 
 
-class ProjectEventMixin:
-    """Helper mixin for ProjectEvent creation"""
+# Local constants
+EXTRA_DATA = {'test_key': 'test_val'}
+
+
+class TimelineEventMixin:
+    """Helper mixin for TimelineEvent creation"""
 
     @classmethod
     def make_event(
@@ -54,13 +60,13 @@ def make_event(
             'extra_data': extra_data or {},
             'plugin': plugin,
         }
-        result = ProjectEvent(**values)
+        result = TimelineEvent(**values)
         result.save()
         return result
 
 
-class ProjectEventObjectRefMixin:
-    """Helper mixin for ProjectEventObjectRef creation"""
+class TimelineEventObjectRefMixin:
+    """Helper mixin for TimelineEventObjectRef creation"""
 
     @classmethod
     def make_object_ref(cls, event, obj, label, name, uuid, extra_data=None):
@@ -72,13 +78,13 @@ def make_object_ref(cls, event, obj, label, name, uuid, extra_data=None):
             'object_uuid': uuid,
             'extra_data': extra_data or {},
         }
-        result = ProjectEventObjectRef(**values)
+        result = TimelineEventObjectRef(**values)
         result.save()
         return result
 
 
-class ProjectEventStatusMixin:
-    """Helper mixin for ProjectEventStatus creation"""
+class TimelineEventStatusMixin:
+    """Helper mixin for TimelineEventStatus creation"""
 
     @classmethod
     def make_event_status(
@@ -90,12 +96,12 @@ def make_event_status(
             'description': description,
             'extra_data': extra_data or {'test': 'test'},
         }
-        result = ProjectEventStatus(**values)
+        result = TimelineEventStatus(**values)
         result.save()
         return result
 
 
-class TestProjectEventBase(
+class TimelineEventTestBase(
     ProjectMixin, RoleMixin, RoleAssignmentMixin, TestCase
 ):
     def setUp(self):
@@ -112,11 +118,11 @@ def setUp(self):
         )
 
 
-class TestProjectEvent(
-    ProjectEventMixin,
-    ProjectEventStatusMixin,
-    TestProjectEventBase,
-    ProjectEventObjectRefMixin,
+class TestTimelineEvent(
+    TimelineEventMixin,
+    TimelineEventStatusMixin,
+    TimelineEventObjectRefMixin,
+    TimelineEventTestBase,
 ):
     def setUp(self):
         super().setUp()
@@ -127,7 +133,7 @@ def setUp(self):
             event_name='test_event',
             description='description',
             classified=False,
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
         )
 
         self.obj_ref = self.make_object_ref(
@@ -136,11 +142,11 @@ def setUp(self):
             label='test_label',
             name='test_object_name',
             uuid=self.assignment_owner.sodar_uuid,
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
         )
 
     def test_initialization(self):
-        """Test ProjectEvent initialization"""
+        """Test TimelineEvent initialization"""
         expected = {
             'id': self.event.pk,
             'project': self.project.pk,
@@ -150,13 +156,13 @@ def test_initialization(self):
             'event_name': 'test_event',
             'description': 'description',
             'classified': False,
-            'extra_data': {'test_key': 'test_val'},
+            'extra_data': EXTRA_DATA,
             'sodar_uuid': self.event.sodar_uuid,
         }
         self.assertEqual(model_to_dict(self.event), expected)
 
     def test_initialization_no_project(self):
-        """Test ProjectEvent initialization with no project"""
+        """Test TimelineEvent initialization with no project"""
         self.event = self.make_event(
             project=None,
             app='projectroles',
@@ -164,7 +170,7 @@ def test_initialization_no_project(self):
             event_name='test_event',
             description='description',
             classified=False,
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
         )
         expected = {
             'id': self.event.pk,
@@ -175,13 +181,13 @@ def test_initialization_no_project(self):
             'event_name': 'test_event',
             'description': 'description',
             'classified': False,
-            'extra_data': {'test_key': 'test_val'},
+            'extra_data': EXTRA_DATA,
             'sodar_uuid': self.event.sodar_uuid,
         }
         self.assertEqual(model_to_dict(self.event), expected)
 
     def test_initialization_no_user(self):
-        """Test ProjectEvent initialization with no user"""
+        """Test TimelineEvent initialization with no user"""
         self.event = self.make_event(
             project=self.project,
             app='projectroles',
@@ -189,7 +195,7 @@ def test_initialization_no_user(self):
             event_name='test_event',
             description='description',
             classified=False,
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
         )
         expected = {
             'id': self.event.pk,
@@ -200,13 +206,13 @@ def test_initialization_no_user(self):
             'event_name': 'test_event',
             'description': 'description',
             'classified': False,
-            'extra_data': {'test_key': 'test_val'},
+            'extra_data': EXTRA_DATA,
             'sodar_uuid': self.event.sodar_uuid,
         }
         self.assertEqual(model_to_dict(self.event), expected)
 
     def test_initialization_plugin(self):
-        """Test ProjectEvent initialization with specific plugin name"""
+        """Test TimelineEvent initialization with specific plugin name"""
         self.event = self.make_event(
             project=None,
             app='projectroles',
@@ -215,7 +221,7 @@ def test_initialization_plugin(self):
             event_name='test_event',
             description='description',
             classified=False,
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
         )
         expected = {
             'id': self.event.pk,
@@ -226,32 +232,32 @@ def test_initialization_plugin(self):
             'event_name': 'test_event',
             'description': 'description',
             'classified': False,
-            'extra_data': {'test_key': 'test_val'},
+            'extra_data': EXTRA_DATA,
             'sodar_uuid': self.event.sodar_uuid,
         }
         self.assertEqual(model_to_dict(self.event), expected)
 
     def test_str(self):
-        """Test ProjectEvent __str__()"""
+        """Test TimelineEvent __str__()"""
         expected = 'TestProject: test_event/owner'
         self.assertEqual(str(self.event), expected)
 
     def test_str_no_user(self):
-        """Test ProjectEvent __str__() with no user"""
+        """Test TimelineEvent __str__() with no user"""
         self.event.user = None
         self.event.save()
         expected = 'TestProject: test_event'
         self.assertEqual(str(self.event), expected)
 
     def test_str_no_project(self):
-        """Test ProjectEvent __str__() with no project"""
+        """Test TimelineEvent __str__() with no project"""
         self.event.project = None
         self.event.save()
         expected = 'test_event/owner'
         self.assertEqual(str(self.event), expected)
 
     def test_str_no_project_no_user(self):
-        """Test ProjectEvent __str__() with no project or user"""
+        """Test TimelineEvent __str__() with no project or user"""
         self.event.project = None
         self.event.user = None
         self.event.save()
@@ -259,30 +265,30 @@ def test_str_no_project_no_user(self):
         self.assertEqual(str(self.event), expected)
 
     def test_repr(self):
-        """Test ProjectEventStatus __repr__()"""
-        expected = "ProjectEvent('TestProject', 'test_event', 'owner')"
+        """Test TimelineEvent __repr__()"""
+        expected = "TimelineEvent('TestProject', 'test_event', 'owner')"
         self.assertEqual(repr(self.event), expected)
 
     def test_repr_no_user(self):
-        """Test ProjectEventStatus __repr__() with no user"""
+        """Test TimelineEvent __repr__() with no user"""
         self.event.user = None
         self.event.save()
-        expected = "ProjectEvent('TestProject', 'test_event', 'N/A')"
+        expected = "TimelineEvent('TestProject', 'test_event', 'N/A')"
         self.assertEqual(repr(self.event), expected)
 
     def test_repr_no_project(self):
-        """Test ProjectEventStatus __repr__() with no project"""
+        """Test TimelineEvent __repr__() with no project"""
         self.event.project = None
         self.event.save()
-        expected = "ProjectEvent('N/A', 'test_event', 'owner')"
+        expected = "TimelineEvent('N/A', 'test_event', 'owner')"
         self.assertEqual(repr(self.event), expected)
 
     def test_repr_no_project_no_user(self):
-        """Test ProjectEventStatus __repr__() with no project or user"""
+        """Test TimelineEvent __repr__() with no project or user"""
         self.event.project = None
         self.event.user = None
         self.event.save()
-        expected = "ProjectEvent('N/A', 'test_event', 'N/A')"
+        expected = "TimelineEvent('N/A', 'test_event', 'N/A')"
         self.assertEqual(repr(self.event), expected)
 
     def test_add_object(self):
@@ -303,6 +309,7 @@ def test_add_object(self):
             'object_uuid': new_as.sodar_uuid,
             'object_model': 'RoleAssignment',
             'extra_data': {},
+            'sodar_uuid': new_obj.sodar_uuid,
         }
         self.assertEqual(model_to_dict(new_obj), expected)
 
@@ -316,31 +323,31 @@ def test_add_object_no_name(self):
         self.assertEqual(new_obj.name, OBJ_REF_UNNAMED)
 
     def test_find_name(self):
-        """Test ProjectEvent.find() with event name"""
-        objects = ProjectEvent.objects.find(['test_event'])
+        """Test TimelineEvent.find() with event name"""
+        objects = TimelineEvent.objects.find(['test_event'])
         self.assertEqual(len(objects), 1)
         self.assertEqual(objects[0], self.event)
 
     def test_find_description(self):
-        """Test ProjectEvent.find() with event description"""
-        objects = ProjectEvent.objects.find(['description'])
+        """Test TimelineEvent.find() with event description"""
+        objects = TimelineEvent.objects.find(['description'])
         self.assertEqual(len(objects), 1)
         self.assertEqual(objects[0], self.event)
 
     def test_find_object(self):
-        """Test ProjectEvent.find() with object reference"""
-        objects = ProjectEvent.objects.find(['test_object_name'])
+        """Test TimelineEvent.find() with object reference"""
+        objects = TimelineEvent.objects.find(['test_object_name'])
         self.assertEqual(len(objects), 1)
         self.assertEqual(objects[0], self.event)
 
     def test_find_fail(self):
-        """Test ProjectEvent.find() with no matches"""
-        objects = ProjectEvent.objects.find(['asdfasdfafasdf'])
+        """Test TimelineEvent.find() with no matches"""
+        objects = TimelineEvent.objects.find(['asdfasdfafasdf'])
         self.assertEqual(len(objects), 0)
 
 
-class TestProjectEventObjectRef(
-    ProjectEventMixin, ProjectEventObjectRefMixin, TestProjectEventBase
+class TestTimelineEventObjectRef(
+    TimelineEventMixin, TimelineEventObjectRefMixin, TimelineEventTestBase
 ):
     def setUp(self):
         super().setUp()
@@ -351,7 +358,7 @@ def setUp(self):
             event_name='test_event',
             description='description',
             classified=False,
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
         )
         self.obj_ref = self.make_object_ref(
             event=self.event,
@@ -359,11 +366,11 @@ def setUp(self):
             label='test_label',
             name='test_name',
             uuid=self.assignment_owner.sodar_uuid,
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
         )
 
     def test_initialization(self):
-        """Test ProjectEventObject initialization"""
+        """Test TimelineEventObjectRef initialization"""
         expected = {
             'id': self.obj_ref.pk,
             'event': self.event.pk,
@@ -371,26 +378,27 @@ def test_initialization(self):
             'name': 'test_name',
             'object_model': 'RoleAssignment',
             'object_uuid': self.assignment_owner.sodar_uuid,
-            'extra_data': {'test_key': 'test_val'},
+            'extra_data': EXTRA_DATA,
+            'sodar_uuid': self.obj_ref.sodar_uuid,
         }
         self.assertEqual(model_to_dict(self.obj_ref), expected)
 
     def test__str__(self):
-        """Test ProjectEventObject __str__()"""
+        """Test TimelineEventObjectRef __str__()"""
         expected = 'TestProject: test_event/owner (test_name)'
         self.assertEqual(str(self.obj_ref), expected)
 
     def test__repr__(self):
-        """Test ProjectEventObject __repr__()"""
+        """Test TimelineEventObjectRef __repr__()"""
         expected = (
-            "ProjectEventObjectRef('TestProject', 'test_event', "
+            "TimelineEventObjectRef('TestProject', 'test_event', "
             "'owner', 'test_name')"
         )
         self.assertEqual(repr(self.obj_ref), expected)
 
     def test_get_object_events(self):
-        """Test get_object_events() in ProjectEventManager"""
-        events = ProjectEvent.objects.get_object_events(
+        """Test get_object_events() in TimelineEventManager"""
+        events = TimelineEvent.objects.get_object_events(
             project=self.project,
             object_model=self.obj_ref.object_model,
             object_uuid=self.obj_ref.object_uuid,
@@ -399,8 +407,8 @@ def test_get_object_events(self):
         self.assertEqual(events[0], self.event)
 
 
-class TestProjectEventStatus(
-    ProjectEventMixin, ProjectEventStatusMixin, TestProjectEventBase
+class TestTimelineEventStatus(
+    TimelineEventMixin, TimelineEventStatusMixin, TimelineEventTestBase
 ):
     def setUp(self):
         super().setUp()
@@ -411,42 +419,42 @@ def setUp(self):
             event_name='test_event',
             description='description',
             classified=False,
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
         )
         self.event_status_submit = self.make_event_status(
             event=self.event,
             status_type='SUBMIT',
             description='SUBMIT',
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
         )
         self.event_status_ok = self.make_event_status(
             event=self.event,
-            status_type='OK',
-            description='OK',
-            extra_data={'test_key': 'test_val'},
+            status_type=TL_STATUS_OK,
+            description=TL_STATUS_OK,
+            extra_data=EXTRA_DATA,
         )
 
     def test_initialization(self):
-        """Test ProjectEventStatus init"""
+        """Test TimelineEventStatus init"""
         expected = {
             'id': self.event_status_ok.pk,
             'sodar_uuid': self.event_status_ok.sodar_uuid,
             'event': self.event.pk,
-            'status_type': 'OK',
-            'description': 'OK',
-            'extra_data': {'test_key': 'test_val'},
+            'status_type': TL_STATUS_OK,
+            'description': TL_STATUS_OK,
+            'extra_data': EXTRA_DATA,
         }
         self.assertEqual(model_to_dict(self.event_status_ok), expected)
 
     def test_initialization_no_user(self):
-        """Test ProjectEventStatus without user"""
+        """Test TimelineEventStatus without user"""
         expected = {
             'id': self.event_status_ok.pk,
             'sodar_uuid': self.event_status_ok.sodar_uuid,
             'event': self.event.pk,
-            'status_type': 'OK',
-            'description': 'OK',
-            'extra_data': {'test_key': 'test_val'},
+            'status_type': TL_STATUS_OK,
+            'description': TL_STATUS_OK,
+            'extra_data': EXTRA_DATA,
         }
         self.event = self.make_event(
             project=self.project,
@@ -455,80 +463,78 @@ def test_initialization_no_user(self):
             event_name='test_event',
             description='description',
             classified=False,
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
         )
         self.assertEqual(model_to_dict(self.event_status_ok), expected)
 
     def test__str__(self):
-        """Test ProjectEventStatus __str__()"""
-        expected = 'TestProject: test_event/owner (OK)'
+        """Test TimelineEventStatus __str__()"""
+        expected = f'TestProject: test_event/owner ({TL_STATUS_OK})'
         self.assertEqual(str(self.event_status_ok), expected)
 
     def test__str__no_user(self):
         """Test __str__() with no user"""
         self.event.user = None
         self.event.save()
-        expected = 'TestProject: test_event (OK)'
+        expected = f'TestProject: test_event ({TL_STATUS_OK})'
         self.assertEqual(str(self.event_status_ok), expected)
 
     def test__repr__(self):
-        """Test ProjectEventStatus __repr__()"""
-        expected = (
-            "ProjectEventStatus('TestProject', 'test_event', 'owner', 'OK')"
-        )
+        """Test TimelineEventStatus __repr__()"""
+        expected = f"TimelineEventStatus('TestProject', 'test_event', 'owner', '{TL_STATUS_OK}')"
         self.assertEqual(repr(self.event_status_ok), expected)
 
     def test__repr__no_user(self):
         """Test __repr__() with no user"""
         self.event.user = None
         self.event.save()
-        expected = (
-            "ProjectEventStatus('TestProject', 'test_event', 'N/A', 'OK')"
-        )
+        expected = f"TimelineEventStatus('TestProject', 'test_event', 'N/A', '{TL_STATUS_OK}')"
         self.assertEqual(repr(self.event_status_ok), expected)
 
     def test_get_status(self):
-        """Test the get_status() function of ProjectEvent"""
+        """Test TimelineEventStatus get_status()"""
         status = self.event.get_status()
         expected = {
             'id': status.pk,
             'sodar_uuid': self.event_status_ok.sodar_uuid,
             'event': self.event.pk,
-            'status_type': 'OK',
-            'description': 'OK',
-            'extra_data': {'test_key': 'test_val'},
+            'status_type': TL_STATUS_OK,
+            'description': TL_STATUS_OK,
+            'extra_data': EXTRA_DATA,
         }
         self.assertEqual(model_to_dict(status), expected)
 
     def test_get_timestamp(self):
-        """Test the get_timestamp() function of ProjectEvent"""
+        """Test TimelineEventStatus get_timestamp()"""
         timestamp = self.event.get_timestamp()
         self.assertEqual(timestamp, self.event_status_ok.timestamp)
 
     def test_get_status_changes(self):
-        """Test the get_status_changes() function of ProjectEvent"""
+        """Test TimelineEventStatus get_status_changes()"""
         status_changes = self.event.get_status_changes()
         self.assertEqual(status_changes.count(), 2)
         self.assertEqual(status_changes[0], self.event_status_submit)
 
     def test_get_status_changes_reverse(self):
-        """Test the get_status_changes() function of ProjectEvent with
+        """Test the get_status_changes() function of TimelineEvent with
         reverse=True"""
         status_changes = self.event.get_status_changes(reverse=True)
         self.assertEqual(status_changes.count(), 2)
         self.assertEqual(status_changes[0], self.event_status_ok)
 
     def test_set_status(self):
-        """Test the set_status() function of ProjectEvent"""
+        """Test TimelineEventStatus set_status()"""
         new_status = self.event.set_status(
-            'FAILED', status_desc='FAILED', extra_data={'test_key': 'test_val'}
+            TL_STATUS_FAILED,
+            status_desc=TL_STATUS_FAILED,
+            extra_data=EXTRA_DATA,
         )
         expected = {
             'id': new_status.pk,
             'sodar_uuid': new_status.sodar_uuid,
             'event': self.event.pk,
-            'status_type': 'FAILED',
-            'description': 'FAILED',
-            'extra_data': {'test_key': 'test_val'},
+            'status_type': TL_STATUS_FAILED,
+            'description': TL_STATUS_FAILED,
+            'extra_data': EXTRA_DATA,
         }
         self.assertEqual(model_to_dict(new_status), expected)
diff --git a/timeline/tests/test_permissions.py b/timeline/tests/test_permissions.py
index 68d0f5b4..52204fab 100644
--- a/timeline/tests/test_permissions.py
+++ b/timeline/tests/test_permissions.py
@@ -4,10 +4,10 @@
 from django.urls import reverse
 
 # Projectroles dependency
-from projectroles.tests.test_permissions import TestProjectPermissionBase
+from projectroles.tests.test_permissions import ProjectPermissionTestBase
 
 
-class TestProjectTimelineView(TestProjectPermissionBase):
+class TestProjectTimelineView(ProjectPermissionTestBase):
     """Tests for ProjectTimelineView permissions"""
 
     def setUp(self):
@@ -64,7 +64,7 @@ def test_get_archive(self):
         self.assert_response(self.url, self.anonymous, 302)
 
 
-class TestSiteTimelineView(TestProjectPermissionBase):
+class TestSiteTimelineView(ProjectPermissionTestBase):
     """Tests for SiteTimelineView permissions"""
 
     def setUp(self):
@@ -95,7 +95,7 @@ def test_get_anon(self):
         self.assert_response(self.url, self.anonymous, 302)
 
 
-class TestAdminTimelineView(TestProjectPermissionBase):
+class TestAdminTimelineView(ProjectPermissionTestBase):
     """Tests for AdminTimelineView permissions"""
 
     def setUp(self):
@@ -127,7 +127,7 @@ def test_get_anon(self):
         self.assert_response(self.url, self.anonymous, 302)
 
 
-class TestProjectObjectTimelineView(TestProjectPermissionBase):
+class TestProjectObjectTimelineView(ProjectPermissionTestBase):
     """Tests for ProjectObjectTimelineView permissions"""
 
     def setUp(self):
@@ -189,7 +189,7 @@ def test_get_archive(self):
         self.assert_response(self.url, self.anonymous, 302)
 
 
-class TestSiteObjectTimelineView(TestProjectPermissionBase):
+class TestSiteObjectTimelineView(ProjectPermissionTestBase):
     """Tests for SiteObjectTimelineView permissions"""
 
     def setUp(self):
diff --git a/timeline/tests/test_permissions_ajax.py b/timeline/tests/test_permissions_ajax.py
index 52de8811..b72f8885 100644
--- a/timeline/tests/test_permissions_ajax.py
+++ b/timeline/tests/test_permissions_ajax.py
@@ -4,16 +4,16 @@
 from django.urls import reverse
 
 # Projectroles dependency
-from projectroles.tests.test_permissions import TestProjectPermissionBase
+from projectroles.tests.test_permissions import ProjectPermissionTestBase
 
 from timeline.tests.test_models import (
-    ProjectEventMixin,
-    ProjectEventStatusMixin,
+    TimelineEventMixin,
+    TimelineEventStatusMixin,
 )
 
 
 class TestProjectEventDetailAjaxView(
-    ProjectEventMixin, ProjectEventStatusMixin, TestProjectPermissionBase
+    TimelineEventMixin, TimelineEventStatusMixin, ProjectPermissionTestBase
 ):
     """Tests for ProjectEventDetailAjaxView permissions"""
 
@@ -25,7 +25,7 @@ def setUp(self):
         self.make_event_status(self.event, 'OK')
         self.url = reverse(
             'timeline:ajax_detail_project',
-            kwargs={'projectevent': self.event.sodar_uuid},
+            kwargs={'timelineevent': self.event.sodar_uuid},
         )
 
     def test_get(self):
@@ -116,7 +116,7 @@ def test_get_classified_anon(self):
 
 
 class TestSiteEventDetailAjaxView(
-    ProjectEventMixin, ProjectEventStatusMixin, TestProjectPermissionBase
+    TimelineEventMixin, TimelineEventStatusMixin, ProjectPermissionTestBase
 ):
     """Tests for SiteEventDetailAjaxView permissions"""
 
@@ -129,7 +129,7 @@ def setUp(self):
         self.regular_user = self.make_user('regular_user')
         self.url = reverse(
             'timeline:ajax_detail_site',
-            kwargs={'projectevent': self.event.sodar_uuid},
+            kwargs={'timelineevent': self.event.sodar_uuid},
         )
 
     def test_get(self):
@@ -160,7 +160,7 @@ def test_get_classified_anon(self):
 
 
 class TestProjectEventExtraAjaxView(
-    ProjectEventMixin, ProjectEventStatusMixin, TestProjectPermissionBase
+    TimelineEventMixin, TimelineEventStatusMixin, ProjectPermissionTestBase
 ):
     """Tests for ProjectEventExtraAjaxView permissions"""
 
@@ -172,7 +172,7 @@ def setUp(self):
         self.make_event_status(self.event, 'OK')
         self.url = reverse(
             'timeline:ajax_extra_project',
-            kwargs={'projectevent': self.event.sodar_uuid},
+            kwargs={'timelineevent': self.event.sodar_uuid},
         )
 
     def test_get(self):
@@ -263,7 +263,7 @@ def test_get_classified_anon(self):
 
 
 class TestSiteEventExtraAjaxView(
-    ProjectEventMixin, ProjectEventStatusMixin, TestProjectPermissionBase
+    TimelineEventMixin, TimelineEventStatusMixin, ProjectPermissionTestBase
 ):
     """Tests for SiteEventExtraAjaxView permissions"""
 
@@ -280,7 +280,7 @@ def setUp(self):
         self.regular_user = self.make_user('regular_user')
         self.url = reverse(
             'timeline:ajax_extra_site',
-            kwargs={'projectevent': self.event.sodar_uuid},
+            kwargs={'timelineevent': self.event.sodar_uuid},
         )
 
     def test_get(self):
@@ -310,7 +310,7 @@ def test_get_classified_anon(self):
 
 
 class TestEventStatusExtraAjaxViewProject(
-    ProjectEventMixin, ProjectEventStatusMixin, TestProjectPermissionBase
+    TimelineEventMixin, TimelineEventStatusMixin, ProjectPermissionTestBase
 ):
     """Tests for EventStatusExtraAjaxView permissions with a project event"""
 
@@ -391,7 +391,7 @@ def test_get_classified_anon(self):
 
 
 class TestEventStatusExtraAjaxViewSite(
-    ProjectEventMixin, ProjectEventStatusMixin, TestProjectPermissionBase
+    TimelineEventMixin, TimelineEventStatusMixin, ProjectPermissionTestBase
 ):
     """Tests for EventStatusExtraAjaxView permissions with a site event"""
 
diff --git a/timeline/tests/test_permissions_api.py b/timeline/tests/test_permissions_api.py
new file mode 100644
index 00000000..b957d5de
--- /dev/null
+++ b/timeline/tests/test_permissions_api.py
@@ -0,0 +1,238 @@
+"""REST API view permission tests for the timeline app"""
+
+from django.test import override_settings
+from django.urls import reverse
+
+# Projectroles dependency
+from projectroles.tests.test_permissions_api import ProjectAPIPermissionTestBase
+
+from timeline.tests.test_models import TimelineEventMixin
+from timeline.tests.test_views_api import (
+    EVENT_NAME,
+    EVENT_DESC,
+    EXTRA_DATA,
+)
+from timeline.views_api import (
+    TIMELINE_API_MEDIA_TYPE,
+    TIMELINE_API_DEFAULT_VERSION,
+)
+
+
+class TimelineAPIPermissionTestBase(ProjectAPIPermissionTestBase):
+    """Base class for timeline REST API view permission tests"""
+
+    media_type = TIMELINE_API_MEDIA_TYPE
+    api_version = TIMELINE_API_DEFAULT_VERSION
+
+
+class TestProjectTimelineEventListAPIView(TimelineAPIPermissionTestBase):
+    """Tests for ProjectTimelineEventListAPIView"""
+
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            'timeline:api_list_project',
+            kwargs={'project': self.project.sodar_uuid},
+        )
+
+    def test_get(self):
+        """Test ProjectTimelineEventListAPIView GET"""
+        good_users = [
+            self.superuser,
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_guest_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_contributor,
+            self.user_guest,
+        ]
+        bad_users = [self.user_finder_cat, self.user_no_roles]
+        self.assert_response_api(self.url, good_users, 200)
+        self.assert_response_api(self.url, bad_users, 403)
+        self.assert_response_api(self.url, self.anonymous, 401)
+        self.assert_response_api(self.url, good_users, 200, knox=True)
+        self.project.set_public()
+        self.assert_response_api(self.url, self.user_no_roles, 200)
+
+    @override_settings(PROJECTROLES_ALLOW_ANONYMOUS=True)
+    def test_get_anon(self):
+        """Test GET with anonymous access"""
+        self.project.set_public()
+        self.assert_response_api(self.url, self.anonymous, 200)
+
+    def test_get_archive(self):
+        """Test GET with archived project"""
+        self.project.set_archive()
+        good_users = [
+            self.superuser,
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_guest_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_contributor,
+            self.user_guest,
+        ]
+        bad_users = [self.user_finder_cat, self.user_no_roles]
+        self.assert_response_api(self.url, good_users, 200)
+        self.assert_response_api(self.url, bad_users, 403)
+        self.assert_response_api(self.url, self.anonymous, 401)
+        self.assert_response_api(self.url, good_users, 200, knox=True)
+        self.project.set_public()
+        self.assert_response_api(self.url, self.user_no_roles, 200)
+
+
+class TestSiteTimelineEventListAPIView(TimelineAPIPermissionTestBase):
+    """Tests for SiteTimelineEventListAPIView"""
+
+    def setUp(self):
+        super().setUp()
+        self.url = reverse('timeline:api_list_site')
+
+    def test_get(self):
+        """Test SiteTimelineEventListAPIView GET"""
+        good_users = [
+            self.superuser,
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_guest_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_contributor,
+            self.user_guest,
+            self.user_finder_cat,
+            self.user_no_roles,
+        ]
+        self.assert_response_api(self.url, good_users, 200)
+        self.assert_response_api(self.url, self.anonymous, 401)
+        self.assert_response_api(self.url, good_users, 200, knox=True)
+
+    @override_settings(PROJECTROLES_ALLOW_ANONYMOUS=True)
+    def test_get_anon(self):
+        """Test GET with anonymous access"""
+        self.assert_response_api(self.url, self.anonymous, 401)
+
+
+class TestTimelineEventRetrieveAPIView(
+    TimelineEventMixin, TimelineAPIPermissionTestBase
+):
+    """Tests for TimelineEventRetrieveAPIView"""
+
+    def setUp(self):
+        super().setUp()
+        self.event = self.make_event(
+            project=self.project,
+            app='projectroles',
+            user=self.user_owner,
+            event_name=EVENT_NAME,
+            description=EVENT_DESC,
+            classified=False,
+            extra_data=EXTRA_DATA,
+        )
+        self.url = reverse(
+            'timeline:api_retrieve',
+            kwargs={'timelineevent': self.event.sodar_uuid},
+        )
+
+    def test_get_project_event(self):
+        """Test TimelineEventRetrieveAPIView GET with project event"""
+        good_users = [
+            self.superuser,
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_guest_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_contributor,
+            self.user_guest,
+        ]
+        bad_users = [self.user_finder_cat, self.user_no_roles]
+        self.assert_response_api(self.url, good_users, 200)
+        self.assert_response_api(self.url, bad_users, 403)
+        self.assert_response_api(self.url, self.anonymous, 401)
+        self.assert_response_api(self.url, good_users, 200, knox=True)
+
+    @override_settings(PROJECTROLES_ALLOW_ANONYMOUS=True)
+    def test_get_project_event_anon(self):
+        """Test GET with project event and anonymous access"""
+        self.assert_response_api(self.url, self.anonymous, 401)
+
+    def test_get_project_event_classified(self):
+        """Test GET with classified project event"""
+        self.event.classified = True
+        self.event.save()
+        good_users = [
+            self.superuser,
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_owner,
+            self.user_delegate,
+        ]
+        bad_users = [
+            self.user_contributor_cat,
+            self.user_guest_cat,
+            self.user_finder_cat,
+            self.user_contributor,
+            self.user_guest,
+            self.user_no_roles,
+        ]
+        self.assert_response_api(self.url, good_users, 200)
+        self.assert_response_api(self.url, bad_users, 403)
+        self.assert_response_api(self.url, self.anonymous, 401)
+        self.assert_response_api(self.url, good_users, 200, knox=True)
+
+    def test_get_site_event(self):
+        """Test GET with site-wide event"""
+        self.event.project = None
+        self.event.save()
+        good_users = [
+            self.superuser,
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_guest_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_contributor,
+            self.user_guest,
+            self.user_finder_cat,
+            self.user_no_roles,
+        ]
+        self.assert_response_api(self.url, good_users, 200)
+        self.assert_response_api(self.url, self.anonymous, 401)
+        self.assert_response_api(self.url, good_users, 200, knox=True)
+
+    @override_settings(PROJECTROLES_ALLOW_ANONYMOUS=True)
+    def test_get_site_event_anon(self):
+        """Test GET with site event and anonymous access"""
+        self.event.project = None
+        self.event.save()
+        self.assert_response_api(self.url, self.anonymous, 401)
+
+    def test_get_site_event_classified(self):
+        """Test GET with classified site event"""
+        self.event.project = None
+        self.event.classified = True
+        self.event.save()
+        good_users = [self.superuser]
+        bad_users = [
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_guest_cat,
+            self.user_finder_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_contributor,
+            self.user_guest,
+            self.user_no_roles,
+        ]
+        self.assert_response_api(self.url, good_users, 200)
+        self.assert_response_api(self.url, bad_users, 403)
+        self.assert_response_api(self.url, self.anonymous, 401)
+        self.assert_response_api(self.url, good_users, 200, knox=True)
diff --git a/timeline/tests/test_templatetags.py b/timeline/tests/test_templatetags.py
index 4d5bd3b4..fa45aed5 100644
--- a/timeline/tests/test_templatetags.py
+++ b/timeline/tests/test_templatetags.py
@@ -8,14 +8,14 @@
 # Projectroles dependency
 from projectroles.plugins import get_app_plugin, get_backend_api
 
-from timeline.models import ProjectEvent, DEFAULT_MESSAGES
+from timeline.models import TimelineEvent, DEFAULT_MESSAGES
 from timeline.templatetags import timeline_tags as tags
 from timeline.tests.test_api import TimelineAPIMixin
 from timeline.tests.test_models import (
-    TestProjectEventBase,
-    ProjectEventMixin,
-    ProjectEventStatusMixin,
-    ProjectEventObjectRefMixin,
+    TimelineEventTestBase,
+    TimelineEventMixin,
+    TimelineEventStatusMixin,
+    TimelineEventObjectRefMixin,
 )
 
 
@@ -26,10 +26,10 @@
 
 class TestTemplateTags(
     TimelineAPIMixin,
-    ProjectEventMixin,
-    ProjectEventStatusMixin,
-    ProjectEventObjectRefMixin,
-    TestProjectEventBase,
+    TimelineEventMixin,
+    TimelineEventStatusMixin,
+    TimelineEventObjectRefMixin,
+    TimelineEventTestBase,
 ):
     """Tests for timeline template tags"""
 
@@ -86,7 +86,7 @@ def test_get_event_description_no_request(self):
 
     def test_get_details_events(self):
         """Test get_details_events()"""
-        self.assertEqual(ProjectEvent.objects.count(), 1)
+        self.assertEqual(TimelineEvent.objects.count(), 1)
         self.assertEqual(len(tags.get_details_events(self.project)), 1)
         # Create 5 additional events for a total of 6
         for _ in range(5):
@@ -102,7 +102,7 @@ def test_get_details_events(self):
                 status_type='OK',
                 description=DEFAULT_MESSAGES['OK'],
             )
-        self.assertEqual(ProjectEvent.objects.count(), 6)
+        self.assertEqual(TimelineEvent.objects.count(), 6)
         self.assertEqual(len(tags.get_details_events(self.project)), 5)
 
     def test_get_details_events_classified_disabled(self):
@@ -121,7 +121,7 @@ def test_get_details_events_classified_disabled(self):
             status_type='OK',
             description=DEFAULT_MESSAGES['OK'],
         )
-        self.assertEqual(ProjectEvent.objects.count(), 2)
+        self.assertEqual(TimelineEvent.objects.count(), 2)
         self.assertEqual(len(tags.get_details_events(self.project)), 1)
 
     def test_get_details_events_classified_enabled(self):
diff --git a/timeline/tests/test_ui.py b/timeline/tests/test_ui.py
index 2acc07b4..d0f07ff4 100644
--- a/timeline/tests/test_ui.py
+++ b/timeline/tests/test_ui.py
@@ -1,4 +1,5 @@
 """UI tests for the timeline app"""
+
 import json
 
 from django.urls import reverse
@@ -12,11 +13,12 @@
 # Projectroles dependency
 from projectroles.models import SODAR_CONSTANTS
 from projectroles.plugins import get_backend_api
-from projectroles.tests.test_ui import TestUIBase
+from projectroles.tests.test_ui import UITestBase
 
 from timeline.tests.test_models import (
-    ProjectEventMixin,
-    ProjectEventStatusMixin,
+    TimelineEventMixin,
+    TimelineEventStatusMixin,
+    EXTRA_DATA,
 )
 
 
@@ -30,7 +32,7 @@
 
 
 class TestProjectListView(
-    ProjectEventMixin, ProjectEventStatusMixin, TestUIBase
+    TimelineEventMixin, TimelineEventStatusMixin, UITestBase
 ):
     """Tests for the timeline project list view UI"""
 
@@ -45,8 +47,8 @@ def setUp(self):
             user=self.superuser,
             event_name='test_event',
             description='description',
-            extra_data={'test_key': 'test_val'},
-            status_type='OK',
+            extra_data=EXTRA_DATA,
+            status_type=self.timeline.TL_STATUS_OK,
         )
 
         # Init classified event
@@ -56,7 +58,7 @@ def setUp(self):
             user=self.superuser,
             event_name='classified_event',
             description='description',
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
             classified=True,
         )
 
@@ -146,7 +148,9 @@ def test_render_details(self):
         self.assert_element_count(expected, url, 'sodar-tl-list-event')
 
 
-class TestSiteListView(ProjectEventMixin, ProjectEventStatusMixin, TestUIBase):
+class TestSiteListView(
+    TimelineEventMixin, TimelineEventStatusMixin, UITestBase
+):
     """Tests for the timeline site-wide list view UI"""
 
     def setUp(self):
@@ -160,8 +164,8 @@ def setUp(self):
             user=self.superuser,
             event_name='test_event',
             description='description',
-            extra_data={'test_key': 'test_val'},
-            status_type='OK',
+            extra_data=EXTRA_DATA,
+            status_type=self.timeline.TL_STATUS_OK,
         )
 
         # Init classified event
@@ -171,7 +175,7 @@ def setUp(self):
             user=self.superuser,
             event_name='classified_event',
             description='description',
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
             classified=True,
         )
 
@@ -242,7 +246,9 @@ def test_object_button(self):
             pass
 
 
-class TestAdminListView(ProjectEventMixin, ProjectEventStatusMixin, TestUIBase):
+class TestAdminListView(
+    TimelineEventMixin, TimelineEventStatusMixin, UITestBase
+):
     """Test for the timeline view of all events in UI"""
 
     def setUp(self):
@@ -256,8 +262,8 @@ def setUp(self):
             user=self.superuser,
             event_name='test_event',
             description='description',
-            extra_data={'test_key': 'test_val'},
-            status_type='OK',
+            extra_data=EXTRA_DATA,
+            status_type=self.timeline.TL_STATUS_OK,
         )
         # Init default site event
         self.site_event = self.timeline.add_event(
@@ -266,8 +272,8 @@ def setUp(self):
             user=self.superuser,
             event_name='test_site_event',
             description='description',
-            extra_data={'test_key': 'test_val'},
-            status_type='OK',
+            extra_data=EXTRA_DATA,
+            status_type=self.timeline.TL_STATUS_OK,
         )
         # Init classified event
         self.classified_event = self.timeline.add_event(
@@ -276,7 +282,7 @@ def setUp(self):
             user=self.superuser,
             event_name='classified_event',
             description='description',
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
             classified=True,
         )
 
@@ -293,7 +299,7 @@ def test_badge(self):
         self.assertIsNotNone(self.selenium.find_element(By.CLASS_NAME, 'badge'))
 
 
-class TestModals(ProjectEventMixin, ProjectEventStatusMixin, TestUIBase):
+class TestModals(TimelineEventMixin, TimelineEventStatusMixin, UITestBase):
     """Test UI of modals in timeline event list"""
 
     def setUp(self):
@@ -307,11 +313,11 @@ def setUp(self):
             user=self.superuser,
             event_name='test_event',
             description='description',
-            extra_data=json.dumps({'test_key': 'test_val'}),
-            status_type='OK',
+            extra_data=json.dumps(EXTRA_DATA),
+            status_type=self.timeline.TL_STATUS_OK,
         )
         self.event_status_init = self.event.set_status(
-            'INIT',
+            self.timeline.TL_STATUS_INIT,
             'Event initialized',
             extra_data={'example_data': 'example_extra_data'},
         )
@@ -366,7 +372,7 @@ def test_status_extra_modal(self):
         )
 
     def test_details_content(self):
-        """Test details modal's content"""
+        """Test details modal content"""
         url = reverse(
             'timeline:list_project', kwargs={'project': self.project.sodar_uuid}
         )
@@ -385,13 +391,18 @@ def test_details_content(self):
         )
         title = self.selenium.find_element(By.CLASS_NAME, 'modal-title')
         self.assertIn('Event Details: ', title.text)
-        table = self.selenium.find_element(By.CLASS_NAME, 'table')
-        check_list = ['Timestamp', 'Event', 'Description', 'Status', 'INIT']
-        for check in check_list:
-            self.assertIn(check, table.text)
+        table = self.selenium.find_element(By.ID, 'sodar-tl-table-detail')
+        expected = [
+            'Timestamp',
+            'Description',
+            'Status',
+            self.timeline.TL_STATUS_INIT,
+        ]
+        for e in expected:
+            self.assertIn(e, table.text)
 
     def test_extra_content(self):
-        """Test extra data modal's content"""
+        """Test extra data modal content"""
         url = reverse(
             'timeline:list_project', kwargs={'project': self.project.sodar_uuid}
         )
@@ -429,7 +440,7 @@ def test_copy_button(self):
         btn.click()
 
 
-class TestSearch(ProjectEventMixin, ProjectEventStatusMixin, TestUIBase):
+class TestSearch(TimelineEventMixin, TimelineEventStatusMixin, UITestBase):
     """Tests for the project search UI functionalities"""
 
     def setUp(self):
@@ -443,15 +454,15 @@ def setUp(self):
             user=self.superuser,
             event_name='test_event',
             description='description',
-            extra_data={'test_key': 'test_val'},
-            status_type='OK',
+            extra_data=EXTRA_DATA,
+            status_type=self.timeline.TL_STATUS_OK,
         )
 
         self.make_event_status(
             event=self.event,
-            status_type='SUBMIT',
-            description='SUBMIT',
-            extra_data={'test_key': 'test_val'},
+            status_type=self.timeline.TL_STATUS_SUBMIT,
+            description=self.timeline.TL_STATUS_SUBMIT,
+            extra_data=EXTRA_DATA,
         )
 
         # Init default site event
@@ -461,15 +472,15 @@ def setUp(self):
             user=self.superuser,
             event_name='test_site_event',
             description='description',
-            extra_data={'test_key': 'test_val'},
-            status_type='OK',
+            extra_data=EXTRA_DATA,
+            status_type=self.timeline.TL_STATUS_OK,
         )
 
         self.make_event_status(
             event=self.site_event,
-            status_type='SUBMIT',
-            description='SUBMIT',
-            extra_data={'test_key': 'test_val'},
+            status_type=self.timeline.TL_STATUS_SUBMIT,
+            description=self.timeline.TL_STATUS_SUBMIT,
+            extra_data=EXTRA_DATA,
         )
 
         # Init classified event
@@ -479,15 +490,15 @@ def setUp(self):
             user=self.superuser,
             event_name='classified_event',
             description='description',
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
             classified=True,
         )
 
         self.make_event_status(
             event=self.classified_event,
-            status_type='SUBMIT',
-            description='SUBMIT',
-            extra_data={'test_key': 'test_val'},
+            status_type=self.timeline.TL_STATUS_SUBMIT,
+            description=self.timeline.TL_STATUS_SUBMIT,
+            extra_data=EXTRA_DATA,
         )
 
         self.classified_site_event = self.timeline.add_event(
@@ -496,15 +507,15 @@ def setUp(self):
             user=self.superuser,
             event_name='classified_site_event',
             description='description',
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
             classified=True,
         )
 
         self.make_event_status(
             event=self.classified_site_event,
-            status_type='SUBMIT',
-            description='SUBMIT',
-            extra_data={'test_key': 'test_val'},
+            status_type=self.timeline.TL_STATUS_SUBMIT,
+            description=self.timeline.TL_STATUS_SUBMIT,
+            extra_data=EXTRA_DATA,
         )
 
     def test_search_results(self):
diff --git a/timeline/tests/test_views.py b/timeline/tests/test_views.py
index 17e04acb..2f39cc32 100644
--- a/timeline/tests/test_views.py
+++ b/timeline/tests/test_views.py
@@ -7,9 +7,10 @@
 from projectroles.plugins import get_backend_api
 
 from timeline.tests.test_models import (
-    TestProjectEventBase,
-    ProjectEventMixin,
-    ProjectEventStatusMixin,
+    TimelineEventTestBase,
+    TimelineEventMixin,
+    TimelineEventStatusMixin,
+    EXTRA_DATA,
 )
 
 
@@ -22,8 +23,8 @@
 PROJECT_TYPE_PROJECT = SODAR_CONSTANTS['PROJECT_TYPE_PROJECT']
 
 
-class TestViewsBase(
-    ProjectEventMixin, ProjectEventStatusMixin, TestProjectEventBase
+class ViewTestBase(
+    TimelineEventMixin, TimelineEventStatusMixin, TimelineEventTestBase
 ):
     """Base class for timeline view testing"""
 
@@ -57,15 +58,15 @@ def setUp(self):
             user=self.user,
             event_name='test_event',
             description='description',
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
         )
 
 
-class TestProjectEventListView(TestViewsBase):
-    """Tests for the timeline project event list view"""
+class TestProjectTimelineView(ViewTestBase):
+    """Tests for ProjectTimelineView"""
 
-    def test_render(self):
-        """Test rendering the list view for a project"""
+    def test_get(self):
+        """Test ProjectTimelineView GET"""
         with self.login(self.user):
             response = self.client.get(
                 reverse(
@@ -73,14 +74,12 @@ def test_render(self):
                     kwargs={'project': self.project.sodar_uuid},
                 )
             )
-            self.assertEqual(response.status_code, 200)
-            self.assertEqual(len(response.context['object_list']), 1)
-            self.assertEqual(
-                response.context['object_list'].first(), self.event
-            )
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(response.context['object_list']), 1)
+        self.assertEqual(response.context['object_list'].first(), self.event)
 
-    def test_render_category(self):
-        """Test rendering the list view for a category"""
+    def test_get_category(self):
+        """Test GET with category"""
         with self.login(self.user):
             response = self.client.get(
                 reverse(
@@ -88,11 +87,11 @@ def test_render_category(self):
                     kwargs={'project': self.category.sodar_uuid},
                 )
             )
-            self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.status_code, 200)
 
 
-class TestProjectObjectListView(TestViewsBase):
-    """Tests for the timeline project object list view"""
+class TestProjectObjectTimelineView(ViewTestBase):
+    """Tests for ProjectObjectTimelineView"""
 
     def setUp(self):
         super().setUp()
@@ -101,8 +100,8 @@ def setUp(self):
             obj=self.user, label='user', name=self.user.username
         )
 
-    def test_render(self):
-        """Test to ensure the view renders correctly"""
+    def test_get(self):
+        """Test ProjectObjectTimelineView GET"""
         with self.login(self.user):
             response = self.client.get(
                 reverse(
@@ -114,11 +113,11 @@ def test_render(self):
                     },
                 )
             )
-            self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.status_code, 200)
 
 
-class TestSiteEventListView(TestViewsBase):
-    """Tests for the timeline site-wide event list view"""
+class TestSiteTimelineView(ViewTestBase):
+    """Tests for SiteTimelineView"""
 
     def setUp(self):
         super().setUp()
@@ -128,26 +127,22 @@ def setUp(self):
             user=self.user,
             event_name='test_event',
             description='description',
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
         )
 
-    def test_render(self):
-        """Test rendering the site-wide list view"""
+    def test_get(self):
+        """Test SiteTimelineView GET"""
         with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'timeline:list_site',
-                )
-            )
-            self.assertEqual(response.status_code, 200)
-            self.assertEqual(len(response.context['object_list']), 1)
-            self.assertEqual(
-                response.context['object_list'].first(), self.event_site
-            )
+            response = self.client.get(reverse('timeline:list_site'))
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(response.context['object_list']), 1)
+        self.assertEqual(
+            response.context['object_list'].first(), self.event_site
+        )
 
 
-class TestSiteObjectListView(TestViewsBase):
-    """Tests for the timeline site-wide objectlist view"""
+class TestSiteObjectTimelineView(ViewTestBase):
+    """Tests for SiteObjectTimelineView"""
 
     def setUp(self):
         super().setUp()
@@ -157,15 +152,14 @@ def setUp(self):
             user=self.user,
             event_name='test_event',
             description='description',
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
         )
-        # Add user as an object reference
         self.obj_ref = self.event_site.add_object(
             obj=self.user, label='user', name=self.user.username
         )
 
-    def test_render(self):
-        """Test rendering the site-wide list view"""
+    def test_get(self):
+        """Test SiteObjectTimelineView GET"""
         with self.login(self.user):
             response = self.client.get(
                 reverse(
@@ -176,15 +170,15 @@ def test_render(self):
                     },
                 )
             )
-            self.assertEqual(response.status_code, 200)
-            self.assertEqual(len(response.context['object_list']), 1)
-            self.assertEqual(
-                response.context['object_list'].first(), self.event_site
-            )
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(response.context['object_list']), 1)
+        self.assertEqual(
+            response.context['object_list'].first(), self.event_site
+        )
 
 
-class TestAdminEventListView(TestViewsBase):
-    """Tests for the admin timeline list view"""
+class TestAdminTimelineView(ViewTestBase):
+    """Tests for AdminTimelineView"""
 
     def setUp(self):
         super().setUp()
@@ -194,11 +188,11 @@ def setUp(self):
             user=self.user,
             event_name='test_event',
             description='description',
-            extra_data={'test_key': 'test_val'},
+            extra_data=EXTRA_DATA,
         )
 
-    def test_render(self):
-        """Test rendering the admin list view"""
+    def test_get(self):
+        """Test AdminTimelineView GET"""
         with self.login(self.user):
             response = self.client.get(reverse('timeline:list_admin'))
         self.assertEqual(response.status_code, 200)
diff --git a/timeline/tests/test_views_ajax.py b/timeline/tests/test_views_ajax.py
index fc102926..907987ad 100644
--- a/timeline/tests/test_views_ajax.py
+++ b/timeline/tests/test_views_ajax.py
@@ -4,12 +4,9 @@
 from django.utils.timezone import localtime
 
 # Projectroles dependency
-from projectroles.tests.test_models import (
-    ProjectMixin,
-    RoleAssignmentMixin,
-)
+from projectroles.tests.test_models import ProjectMixin, RoleAssignmentMixin
 from projectroles.tests.test_views import (
-    TestViewsBase,
+    ViewTestBase,
     PROJECT_TYPE_CATEGORY,
     PROJECT_TYPE_PROJECT,
 )
@@ -17,11 +14,11 @@
 from timeline.models import DEFAULT_MESSAGES
 from timeline.views_ajax import EventExtraDataMixin
 from timeline.templatetags.timeline_tags import get_status_style
-from timeline.tests.test_models import ProjectEventMixin
+from timeline.tests.test_models import TimelineEventMixin
 
 
-class TestEventAjaxViewsBase(
-    ProjectMixin, RoleAssignmentMixin, ProjectEventMixin, TestViewsBase
+class TimelineAjaxViewTestBase(
+    ProjectMixin, RoleAssignmentMixin, TimelineEventMixin, ViewTestBase
 ):
     """Base class for timeline Ajax API view tests"""
 
@@ -46,7 +43,7 @@ def setUp(self):
         )
 
 
-class TestProjectEventDetailAjaxView(TestEventAjaxViewsBase):
+class TestProjectEventDetailAjaxView(TimelineAjaxViewTestBase):
     """Tests for ProjectEventDetailAjaxView"""
 
     def setUp(self):
@@ -60,17 +57,15 @@ def setUp(self):
         self.event_status_ok = self.event.set_status(
             'OK', DEFAULT_MESSAGES['OK'], extra_data={'test': 'test'}
         )
+        self.url = reverse(
+            'timeline:ajax_detail_project',
+            kwargs={'timelineevent': self.event.sodar_uuid},
+        )
 
     def test_get(self):
-        """Test project event detail retrieval"""
-
+        """Test ProjectEventDetailAjaxView GET"""
         with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'timeline:ajax_detail_project',
-                    kwargs={'projectevent': self.event.sodar_uuid},
-                ),
-            )
+            response = self.client.get(self.url)
         self.assertEqual(response.status_code, 200)
         expected = {
             'app': self.event.app,
@@ -106,21 +101,16 @@ def test_get(self):
         self.assertEqual(response.data, expected)
 
     def test_get_no_user(self):
-        """Test project event detail retrieval with no user for event"""
+        """Test GET for event with no user"""
         self.event.user = None
         self.event.save()
         with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'timeline:ajax_detail_project',
-                    kwargs={'projectevent': self.event.sodar_uuid},
-                ),
-            )
+            response = self.client.get(self.url)
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response.data['user'], 'N/A')
 
 
-class TestProjectEventExtraAjaxView(TestEventAjaxViewsBase):
+class TestProjectEventExtraAjaxView(TimelineAjaxViewTestBase):
     """Tests for ProjectEventExtraAjaxView"""
 
     def setUp(self):
@@ -138,16 +128,15 @@ def setUp(self):
         self.event_status_ok = self.event.set_status(
             'OK', DEFAULT_MESSAGES['OK']
         )
+        self.url = reverse(
+            'timeline:ajax_extra_project',
+            kwargs={'timelineevent': self.event.sodar_uuid},
+        )
 
     def test_get(self):
-        """Test project event detail retrieval"""
+        """Test ProjectEventExtraAjaxView GET"""
         with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'timeline:ajax_extra_project',
-                    kwargs={'projectevent': self.event.sodar_uuid},
-                ),
-            )
+            response = self.client.get(self.url)
         self.assertEqual(response.status_code, 200)
         expected = {
             'app': self.event.app,
@@ -159,21 +148,16 @@ def test_get(self):
         self.assertIn(expected['extra']['example_data'], str(response.data))
 
     def test_get_no_user(self):
-        """Test project event detail retrieval with no user for event"""
+        """Test GET for event with no user"""
         self.event.user = None
         self.event.save()
         with self.login(self.user):
-            response = self.client.get(
-                reverse(
-                    'timeline:ajax_extra_project',
-                    kwargs={'projectevent': self.event.sodar_uuid},
-                ),
-            )
+            response = self.client.get(self.url)
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response.data['user'], 'N/A')
 
 
-class TestSiteEventDetailAjaxView(TestEventAjaxViewsBase):
+class TestSiteEventDetailAjaxView(TimelineAjaxViewTestBase):
     """Tests for SiteEventDetailAjaxView"""
 
     def setUp(self):
@@ -189,13 +173,12 @@ def setUp(self):
         )
 
     def test_get(self):
-        """Test site event detail retrieval"""
-
+        """Test SiteEventDetailAjaxView GET"""
         with self.login(self.user):
             response = self.client.get(
                 reverse(
                     'timeline:ajax_detail_site',
-                    kwargs={'projectevent': self.event.sodar_uuid},
+                    kwargs={'timelineevent': self.event.sodar_uuid},
                 ),
             )
         self.assertEqual(response.status_code, 200)
@@ -233,7 +216,7 @@ def test_get(self):
         self.assertEqual(response.data, expected)
 
 
-class TestSiteEventExtraAjaxView(TestEventAjaxViewsBase):
+class TestSiteEventExtraAjaxView(TimelineAjaxViewTestBase):
     """Tests for SiteEventExtraAjaxView"""
 
     def setUp(self):
@@ -253,12 +236,12 @@ def setUp(self):
         )
 
     def test_get(self):
-        """Test site event detail retrieval"""
+        """Test SiteEventExtraAjaxView GET"""
         with self.login(self.user):
             response = self.client.get(
                 reverse(
                     'timeline:ajax_extra_site',
-                    kwargs={'projectevent': self.event.sodar_uuid},
+                    kwargs={'timelineevent': self.event.sodar_uuid},
                 ),
             )
         self.assertEqual(response.status_code, 200)
@@ -273,7 +256,9 @@ def test_get(self):
         self.assertIn(expected['user'], str(response.data))
 
 
-class TestEventStatusExtraAjaxView(TestEventAjaxViewsBase, EventExtraDataMixin):
+class TestEventStatusExtraAjaxView(
+    TimelineAjaxViewTestBase, EventExtraDataMixin
+):
     """Tests for EventStatusExtraAjaxView"""
 
     def setUp(self):
@@ -295,9 +280,8 @@ def setUp(self):
             extra_data={'test': 'test'},
         )
 
-    def test_get(self):
-        """Test event status extra data retrieval"""
-
+    def test_get_project(self):
+        """Test EventStatusExtraAjaxView GET with project event"""
         with self.login(self.user):
             response = self.client.get(
                 reverse(
@@ -318,8 +302,7 @@ def test_get(self):
         self.assertEqual(response.data, expected)
 
     def test_get_site(self):
-        """Test site event status extra data retrieval"""
-
+        """Test GET with site event"""
         with self.login(self.user):
             response = self.client.get(
                 reverse(
diff --git a/timeline/tests/test_views_api.py b/timeline/tests/test_views_api.py
new file mode 100644
index 00000000..65cfe0a0
--- /dev/null
+++ b/timeline/tests/test_views_api.py
@@ -0,0 +1,471 @@
+"""REST API view tests for the timeline app"""
+
+import json
+import uuid
+
+from django.urls import reverse
+
+from test_plus.test import APITestCase
+
+# Projectroles dependency
+from projectroles.models import SODAR_CONSTANTS
+from projectroles.tests.test_models import (
+    ProjectMixin,
+    RoleMixin,
+    RoleAssignmentMixin,
+)
+from projectroles.tests.test_views_api import (
+    SODARAPIViewTestMixin,
+    TEST_SERVER_URL,
+)
+
+from timeline.tests.test_models import (
+    TimelineEventMixin,
+    TimelineEventStatusMixin,
+    TimelineEventObjectRefMixin,
+    EXTRA_DATA,
+)
+from timeline.views_api import (
+    TIMELINE_API_MEDIA_TYPE,
+    TIMELINE_API_DEFAULT_VERSION,
+)
+
+
+# SODAR constants
+PROJECT_TYPE_PROJECT = SODAR_CONSTANTS['PROJECT_TYPE_PROJECT']
+PROJECT_TYPE_CATEGORY = SODAR_CONSTANTS['PROJECT_TYPE_CATEGORY']
+
+EVENT_NAME = 'test_event'
+EVENT_NAME_CLASSIFIED = 'test_event_classified'
+EVENT_DESC = 'description'
+OBJ_REF_LABEL = 'test_label'
+OBJ_REF_NAME = 'test_obj_name'
+
+
+class TimelineAPIViewTestBase(
+    ProjectMixin,
+    RoleMixin,
+    RoleAssignmentMixin,
+    TimelineEventMixin,
+    TimelineEventStatusMixin,
+    TimelineEventObjectRefMixin,
+    SODARAPIViewTestMixin,
+    APITestCase,
+):
+    """Base class for timeline API view tests"""
+
+    media_type = TIMELINE_API_MEDIA_TYPE
+    api_version = TIMELINE_API_DEFAULT_VERSION
+
+    def setUp(self):
+        self.maxDiff = None
+        # Init roles
+        self.init_roles()
+        # Init users
+        self.superuser = self.make_user('superuser')
+        self.superuser.is_staff = True
+        self.superuser.is_superuser = True
+        self.superuser.save()
+        self.user_owner = self.make_user('user_owner')
+        self.user_delegate = self.make_user('user_delegate')
+        self.user_contributor = self.make_user('user_contributor')
+        # Init category and project
+        self.category = self.make_project(
+            'TestCategory', PROJECT_TYPE_CATEGORY, None
+        )
+        self.owner_as_cat = self.make_assignment(
+            self.category, self.user_owner, self.role_owner
+        )
+        # Init project
+        self.project = self.make_project(
+            'TestProject', PROJECT_TYPE_PROJECT, self.category
+        )
+        self.owner_as = self.make_assignment(
+            self.project, self.user_owner, self.role_owner
+        )
+        self.delegate_as = self.make_assignment(
+            self.project, self.user_delegate, self.role_delegate
+        )
+        self.contrib_as = self.make_assignment(
+            self.project, self.user_contributor, self.role_contributor
+        )
+        # Get knox token for self.user
+        self.knox_token = self.get_token(self.superuser)
+
+
+class TestProjectTimelineEventListAPIView(TimelineAPIViewTestBase):
+    """Tests for ProjectTimelineEventListAPIView"""
+
+    def setUp(self):
+        super().setUp()
+        self.event = self.make_event(
+            project=self.project,
+            app='projectroles',
+            user=self.user_owner,
+            event_name=EVENT_NAME,
+            description=EVENT_DESC,
+            classified=False,
+            extra_data=EXTRA_DATA,
+        )
+        self.event_classified = self.make_event(
+            project=self.project,
+            app='projectroles',
+            user=self.user_owner,
+            event_name=EVENT_NAME_CLASSIFIED,
+            description=EVENT_DESC,
+            classified=True,
+            extra_data=EXTRA_DATA,
+        )
+        self.url = reverse(
+            'timeline:api_list_project',
+            kwargs={'project': self.project.sodar_uuid},
+        )
+
+    def test_get_superuser(self):
+        """Test ProjectTimelineEventListAPIView GET as superuser"""
+        response = self.request_knox(
+            self.url, token=self.get_token(self.superuser)
+        )
+        self.assertEqual(response.status_code, 200)
+        response_data = json.loads(response.content)
+        self.assertEqual(len(response_data), 2)
+        expected = {
+            'project': str(self.project.sodar_uuid),
+            'app': 'projectroles',
+            'plugin': None,
+            'user': self.get_serialized_user(self.user_owner),
+            'event_name': EVENT_NAME,
+            'description': EVENT_DESC,
+            'extra_data': EXTRA_DATA,
+            'classified': False,
+            'status_changes': [],
+            'event_objects': [],
+            'sodar_uuid': str(self.event.sodar_uuid),
+        }
+        self.assertEqual(response_data[1], expected)
+        expected = {
+            'project': str(self.project.sodar_uuid),
+            'app': 'projectroles',
+            'plugin': None,
+            'user': self.get_serialized_user(self.user_owner),
+            'event_name': EVENT_NAME_CLASSIFIED,
+            'description': EVENT_DESC,
+            'extra_data': EXTRA_DATA,
+            'classified': True,
+            'status_changes': [],
+            'event_objects': [],
+            'sodar_uuid': str(self.event_classified.sodar_uuid),
+        }
+        self.assertEqual(response_data[0], expected)
+
+    def test_get_pagination(self):
+        """Test GET with pagination"""
+        url = self.url + '?page=1'
+        response = self.request_knox(url, token=self.get_token(self.superuser))
+        self.assertEqual(response.status_code, 200)
+        expected = {
+            'count': 2,
+            'next': TEST_SERVER_URL + self.url + '?page=2',
+            'previous': None,
+            'results': [
+                {
+                    'project': str(self.project.sodar_uuid),
+                    'app': 'projectroles',
+                    'plugin': None,
+                    'user': self.get_serialized_user(self.user_owner),
+                    'event_name': EVENT_NAME_CLASSIFIED,
+                    'description': EVENT_DESC,
+                    'extra_data': EXTRA_DATA,
+                    'classified': True,
+                    'status_changes': [],
+                    'event_objects': [],
+                    'sodar_uuid': str(self.event_classified.sodar_uuid),
+                }
+            ],
+        }
+        self.assertEqual(json.loads(response.content), expected)
+
+    def test_get_owner(self):
+        """Test GET as owner"""
+        response = self.request_knox(
+            self.url, token=self.get_token(self.user_owner)
+        )
+        self.assertEqual(response.status_code, 200)
+        response_data = json.loads(response.content)
+        self.assertEqual(len(response_data), 2)
+        self.assertEqual(response_data[0]['extra_data'], EXTRA_DATA)
+        self.assertEqual(response_data[1]['extra_data'], EXTRA_DATA)
+
+    def test_get_delegate(self):
+        """Test GET as delegate"""
+        response = self.request_knox(
+            self.url, token=self.get_token(self.user_delegate)
+        )
+        self.assertEqual(response.status_code, 200)
+        response_data = json.loads(response.content)
+        self.assertEqual(len(response_data), 2)
+        self.assertEqual(response_data[0]['extra_data'], EXTRA_DATA)
+        self.assertEqual(response_data[1]['extra_data'], EXTRA_DATA)
+
+    def test_get_contributor(self):
+        """Test GET as contributor"""
+        response = self.request_knox(
+            self.url, token=self.get_token(self.user_contributor)
+        )
+        self.assertEqual(response.status_code, 200)
+        response_data = json.loads(response.content)
+        self.assertEqual(len(response_data), 1)
+        self.assertEqual(
+            response_data[0]['sodar_uuid'], str(self.event.sodar_uuid)
+        )
+        self.assertNotIn('extra_data', response_data[0])
+
+    def test_get_object_ref_owner(self):
+        """Test GET with object reference as owner"""
+        obj_ref = self.make_object_ref(
+            event=self.event,
+            obj=self.user_owner,
+            label=OBJ_REF_LABEL,
+            name=OBJ_REF_NAME,
+            uuid=self.user_owner.sodar_uuid,
+            extra_data=EXTRA_DATA,
+        )
+        response = self.request_knox(
+            self.url, token=self.get_token(self.user_owner)
+        )
+        self.assertEqual(response.status_code, 200)
+        response_data = json.loads(response.content)
+        expected = [
+            {
+                'event': str(self.event.sodar_uuid),
+                'label': OBJ_REF_LABEL,
+                'name': OBJ_REF_NAME,
+                'object_model': 'User',
+                'object_uuid': str(self.user_owner.sodar_uuid),
+                'extra_data': EXTRA_DATA,
+                'sodar_uuid': str(obj_ref.sodar_uuid),
+            }
+        ]
+        self.assertEqual(response_data[1]['event_objects'], expected)
+
+    def test_get_object_ref_delegate(self):
+        """Test GET with object reference as delegate"""
+        self.make_object_ref(
+            event=self.event,
+            obj=self.user_owner,
+            label=OBJ_REF_LABEL,
+            name=OBJ_REF_NAME,
+            uuid=self.user_owner.sodar_uuid,
+            extra_data=EXTRA_DATA,
+        )
+        response = self.request_knox(
+            self.url, token=self.get_token(self.user_delegate)
+        )
+        self.assertEqual(response.status_code, 200)
+        response_data = json.loads(response.content)
+        self.assertEqual(len(response_data[1]['event_objects']), 1)
+        self.assertEqual(
+            response_data[1]['event_objects'][0]['extra_data'], EXTRA_DATA
+        )
+
+    def test_get_object_ref_contributor(self):
+        """Test GET with object reference as contributor"""
+        self.make_object_ref(
+            event=self.event,
+            obj=self.user_owner,
+            label=OBJ_REF_LABEL,
+            name=OBJ_REF_NAME,
+            uuid=self.user_owner.sodar_uuid,
+            extra_data=EXTRA_DATA,
+        )
+        response = self.request_knox(
+            self.url, token=self.get_token(self.user_contributor)
+        )
+        self.assertEqual(response.status_code, 200)
+        response_data = json.loads(response.content)
+        self.assertEqual(len(response_data[0]['event_objects']), 1)
+        # No extra data should be returned for contributors and below
+        self.assertNotIn('extra_data', response_data[0]['event_objects'][0])
+
+    def test_get_status_owner(self):
+        """Test GET with status changes as owner"""
+        status_init = self.make_event_status(
+            event=self.event,
+            status_type='INIT',
+            description='INIT',
+            extra_data=EXTRA_DATA,
+        )
+        status_ok = self.make_event_status(
+            event=self.event,
+            status_type='OK',
+            description='OK',
+            extra_data=EXTRA_DATA,
+        )
+        response = self.request_knox(
+            self.url, token=self.get_token(self.user_owner)
+        )
+        self.assertEqual(response.status_code, 200)
+        response_data = json.loads(response.content)
+        expected = [
+            {
+                'event': str(self.event.sodar_uuid),
+                'timestamp': self.get_drf_datetime(status_init.timestamp),
+                'status_type': 'INIT',
+                'description': 'INIT',
+                'extra_data': EXTRA_DATA,
+                'sodar_uuid': str(status_init.sodar_uuid),
+            },
+            {
+                'event': str(self.event.sodar_uuid),
+                'timestamp': self.get_drf_datetime(status_ok.timestamp),
+                'status_type': 'OK',
+                'description': 'OK',
+                'extra_data': EXTRA_DATA,
+                'sodar_uuid': str(status_ok.sodar_uuid),
+            },
+        ]
+        self.assertEqual(response_data[1]['status_changes'], expected)
+
+    def test_get_status_delegate(self):
+        """Test GET with status changes as delegate"""
+        self.make_event_status(
+            event=self.event,
+            status_type='INIT',
+            description='INIT',
+            extra_data=EXTRA_DATA,
+        )
+        response = self.request_knox(
+            self.url, token=self.get_token(self.user_delegate)
+        )
+        self.assertEqual(response.status_code, 200)
+        response_data = json.loads(response.content)
+        self.assertEqual(
+            response_data[1]['status_changes'][0]['extra_data'], EXTRA_DATA
+        )
+
+    def test_get_status_contributor(self):
+        """Test GET with status changes as contributor"""
+        self.make_event_status(
+            event=self.event,
+            status_type='INIT',
+            description='INIT',
+            extra_data=EXTRA_DATA,
+        )
+        response = self.request_knox(
+            self.url, token=self.get_token(self.user_contributor)
+        )
+        self.assertEqual(response.status_code, 200)
+        response_data = json.loads(response.content)
+        self.assertNotIn('extra_data', response_data[0]['status_changes'][0])
+
+
+class TestSiteTimelineEventListAPIView(TimelineAPIViewTestBase):
+    """Tests for SiteTimelineEventListAPIView"""
+
+    def setUp(self):
+        super().setUp()
+        self.project_event = self.make_event(
+            project=self.project,
+            app='projectroles',
+            user=self.user_owner,
+            event_name=EVENT_NAME,
+            description=EVENT_DESC,
+            classified=False,
+            extra_data=EXTRA_DATA,
+        )
+        self.site_event = self.make_event(
+            project=None,
+            app='projectroles',
+            user=self.user_owner,
+            event_name=EVENT_NAME,
+            description=EVENT_DESC,
+            classified=False,
+            extra_data=EXTRA_DATA,
+        )
+        self.site_event_classified = self.make_event(
+            project=None,
+            app='projectroles',
+            user=self.user_owner,
+            event_name=EVENT_NAME_CLASSIFIED,
+            description=EVENT_DESC,
+            classified=True,
+            extra_data=EXTRA_DATA,
+        )
+        self.url = reverse('timeline:api_list_site')
+
+    def test_get_superuser(self):
+        """Test SiteTimelineEventListAPIView GET as superuser"""
+        response = self.request_knox(
+            self.url, token=self.get_token(self.superuser)
+        )
+        self.assertEqual(response.status_code, 200)
+        response_data = json.loads(response.content)
+        self.assertEqual(len(response_data), 2)
+        self.assertEqual(
+            response_data[0]['sodar_uuid'],
+            str(self.site_event_classified.sodar_uuid),
+        )
+        self.assertEqual(
+            response_data[1]['sodar_uuid'], str(self.site_event.sodar_uuid)
+        )
+
+    def test_get_regular_user(self):
+        """Test GET as regular_user"""
+        response = self.request_knox(
+            self.url, token=self.get_token(self.user_owner)
+        )
+        self.assertEqual(response.status_code, 200)
+        response_data = json.loads(response.content)
+        self.assertEqual(len(response_data), 1)
+        self.assertEqual(
+            response_data[0]['sodar_uuid'], str(self.site_event.sodar_uuid)
+        )
+
+
+class TestTimelineEventRetrieveAPIView(TimelineAPIViewTestBase):
+    """Tests for TimelineEventRetrieveAPIView"""
+
+    def setUp(self):
+        super().setUp()
+        self.event = self.make_event(
+            project=self.project,
+            app='projectroles',
+            user=self.user_owner,
+            event_name=EVENT_NAME,
+            description=EVENT_DESC,
+            classified=False,
+            extra_data=EXTRA_DATA,
+        )
+
+    def test_get(self):
+        """Test TimelineEventRetrieveAPIView GET"""
+        url = reverse(
+            'timeline:api_retrieve',
+            kwargs={'timelineevent': self.event.sodar_uuid},
+        )
+        response = self.request_knox(url, token=self.get_token(self.superuser))
+        self.assertEqual(response.status_code, 200)
+        expected = {
+            'project': str(self.project.sodar_uuid),
+            'app': 'projectroles',
+            'plugin': None,
+            'user': self.get_serialized_user(self.user_owner),
+            'event_name': EVENT_NAME,
+            'description': EVENT_DESC,
+            'extra_data': EXTRA_DATA,
+            'classified': False,
+            'status_changes': [],
+            'event_objects': [],
+            'sodar_uuid': str(self.event.sodar_uuid),
+        }
+        self.assertEqual(json.loads(response.content), expected)
+
+    def test_get_not_found(self):
+        """Test GET with invalid UUID"""
+        invalid_uuid = uuid.uuid4()
+        self.assertNotEqual(self.event.sodar_uuid, invalid_uuid)
+        url = reverse(
+            'timeline:api_retrieve', kwargs={'timelineevent': invalid_uuid}
+        )
+        response = self.request_knox(url, token=self.get_token(self.superuser))
+        self.assertEqual(response.status_code, 404)
diff --git a/timeline/urls.py b/timeline/urls.py
index 287fa50d..506c5b14 100644
--- a/timeline/urls.py
+++ b/timeline/urls.py
@@ -2,7 +2,7 @@
 
 from django.urls import path
 
-from timeline import views, views_ajax
+from timeline import views, views_ajax, views_api
 
 
 app_name = 'timeline'
@@ -43,22 +43,22 @@
 # Ajax API views
 urls_ajax = [
     path(
-        route='ajax/detail/<uuid:projectevent>',
+        route='ajax/detail/<uuid:timelineevent>',
         view=views_ajax.ProjectEventDetailAjaxView.as_view(),
         name='ajax_detail_project',
     ),
     path(
-        route='ajax/detail/site/<uuid:projectevent>',
+        route='ajax/detail/site/<uuid:timelineevent>',
         view=views_ajax.SiteEventDetailAjaxView.as_view(),
         name='ajax_detail_site',
     ),
     path(
-        route='ajax/extra/<uuid:projectevent>',
+        route='ajax/extra/<uuid:timelineevent>',
         view=views_ajax.ProjectEventExtraAjaxView.as_view(),
         name='ajax_extra_project',
     ),
     path(
-        route='ajax/extra/site/<uuid:projectevent>',
+        route='ajax/extra/site/<uuid:timelineevent>',
         view=views_ajax.SiteEventExtraAjaxView.as_view(),
         name='ajax_extra_site',
     ),
@@ -69,4 +69,25 @@
     ),
 ]
 
-urlpatterns = urls_ui_project + urls_ui_site + urls_ui_admin + urls_ajax
+# REST API views
+urls_api = [
+    path(
+        route='api/list/<uuid:project>',
+        view=views_api.ProjectTimelineEventListAPIView.as_view(),
+        name='api_list_project',
+    ),
+    path(
+        route='api/list/site',
+        view=views_api.SiteTimelineEventListAPIView.as_view(),
+        name='api_list_site',
+    ),
+    path(
+        route='api/retrieve/<uuid:timelineevent>',
+        view=views_api.TimelineEventRetrieveAPIView.as_view(),
+        name='api_retrieve',
+    ),
+]
+
+urlpatterns = (
+    urls_ui_project + urls_ui_site + urls_ui_admin + urls_ajax + urls_api
+)
diff --git a/timeline/views.py b/timeline/views.py
index 109dea19..5aa47824 100644
--- a/timeline/views.py
+++ b/timeline/views.py
@@ -13,7 +13,7 @@
     ProjectPermissionMixin,
 )
 
-from timeline.models import ProjectEvent
+from timeline.models import TimelineEvent
 
 
 # Local variables
@@ -50,7 +50,7 @@ def get_queryset(self):
             )
         ) or (not project_uuid and not self.request.user.is_superuser):
             set_kwargs['classified'] = False
-        return ProjectEvent.objects.filter(**set_kwargs).order_by('-pk')
+        return TimelineEvent.objects.filter(**set_kwargs).order_by('-pk')
 
 
 class ProjectTimelineView(
@@ -65,7 +65,7 @@ class ProjectTimelineView(
 
     permission_required = 'timeline.view_timeline'
     template_name = 'timeline/timeline.html'
-    model = ProjectEvent
+    model = TimelineEvent
     paginate_by = getattr(settings, 'TIMELINE_PAGINATION', DEFAULT_PAGINATION)
 
 
@@ -76,7 +76,7 @@ class SiteTimelineView(
 
     permission_required = 'timeline.view_site_timeline'
     template_name = 'timeline/timeline_site.html'
-    model = ProjectEvent
+    model = TimelineEvent
     paginate_by = getattr(settings, 'TIMELINE_PAGINATION', DEFAULT_PAGINATION)
 
 
@@ -90,11 +90,11 @@ def get_context_data(self, *args, **kwargs):
         return context
 
     def get_queryset(self):
-        return ProjectEvent.objects.order_by('-pk')
+        return TimelineEvent.objects.order_by('-pk')
 
     permission_required = 'timeline.view_site_admin'
     template_name = 'timeline/timeline_site.html'
-    model = ProjectEvent
+    model = TimelineEvent
     paginate_by = getattr(settings, 'TIMELINE_PAGINATION', DEFAULT_PAGINATION)
 
 
@@ -117,7 +117,7 @@ def get_queryset(self):
                 sodar_uuid=self.kwargs['project']
             ).first()
             classified_perm = 'timeline.view_classified_event'
-        queryset = ProjectEvent.objects.get_object_events(
+        queryset = TimelineEvent.objects.get_object_events(
             project=project,
             object_model=self.kwargs['object_model'],
             object_uuid=self.kwargs['object_uuid'],
diff --git a/timeline/views_ajax.py b/timeline/views_ajax.py
index 8b56892e..314e51c3 100644
--- a/timeline/views_ajax.py
+++ b/timeline/views_ajax.py
@@ -1,4 +1,5 @@
 """Ajax API views for the timeline app"""
+
 import html
 
 from django.http import HttpResponseForbidden
@@ -14,7 +15,7 @@
     SODARBaseAjaxView,
 )
 
-from timeline.models import ProjectEvent, ProjectEventStatus
+from timeline.models import TimelineEvent, TimelineEventStatus
 from timeline.templatetags.timeline_tags import get_status_style
 
 
@@ -27,19 +28,16 @@ def form_status_extra_url(self, status, request):
             'timeline.view_event_extra_data', status.event.project
         ):
             return None
-        else:
-            return reverse(
-                'timeline:ajax_extra_status',
-                kwargs={
-                    'eventstatus': status.sodar_uuid,
-                },
-            )
+        return reverse(
+            'timeline:ajax_extra_status',
+            kwargs={'eventstatus': status.sodar_uuid},
+        )
 
     def get_event_details(self, event, request):
         """
         Return event details.
 
-        :param event: ProjectEvent object
+        :param event: TimelineEvent object
         :param request: Django request object
         :return: Dict
         """
@@ -153,8 +151,8 @@ def _html_print_array(self, array, str_list, indent):
     def get_event_extra(self, event, status=None):
         """
         Return event extra data.
-        :param event: ProjectEvent object
-        :param status: ProjectEventStatus object
+        :param event: TimelineEvent object
+        :param status: TimelineEventStatus object
         :return: JSON-serializable dict
         """
         extra = status.extra_data if status else event.extra_data
@@ -177,8 +175,8 @@ class ProjectEventDetailAjaxView(EventDetailMixin, SODARBaseProjectAjaxView):
     permission_required = 'timeline.view_timeline'
 
     def get(self, request, *args, **kwargs):
-        event = ProjectEvent.objects.filter(
-            sodar_uuid=self.kwargs['projectevent']
+        event = TimelineEvent.objects.filter(
+            sodar_uuid=self.kwargs['timelineevent']
         ).first()
         if event.classified and not request.user.has_perm(
             'timeline.view_classified_event', event.project
@@ -193,14 +191,13 @@ class ProjectEventExtraAjaxView(EventExtraDataMixin, SODARBaseProjectAjaxView):
     permission_required = 'timeline.view_event_extra_data'
 
     def get(self, request, *args, **kwargs):
-        event = ProjectEvent.objects.filter(
-            sodar_uuid=self.kwargs['projectevent']
+        event = TimelineEvent.objects.filter(
+            sodar_uuid=self.kwargs['timelineevent']
         ).first()
         if event.classified and not request.user.has_perm(
             'timeline.view_classified_event', event.project
         ):
             return HttpResponseForbidden()
-
         return Response(self.get_event_extra(event), status=200)
 
 
@@ -210,8 +207,8 @@ class SiteEventDetailAjaxView(EventDetailMixin, SODARBasePermissionAjaxView):
     permission_required = 'timeline.view_site_timeline'
 
     def get(self, request, *args, **kwargs):
-        event = ProjectEvent.objects.filter(
-            sodar_uuid=self.kwargs['projectevent']
+        event = TimelineEvent.objects.filter(
+            sodar_uuid=self.kwargs['timelineevent']
         ).first()
         if event.classified and not request.user.has_perm(
             'timeline.view_classified_site_event'
@@ -226,8 +223,8 @@ class SiteEventExtraAjaxView(EventExtraDataMixin, SODARBasePermissionAjaxView):
     permission_required = 'timeline.view_event_extra_data'
 
     def get(self, request, *args, **kwargs):
-        event = ProjectEvent.objects.filter(
-            sodar_uuid=self.kwargs['projectevent']
+        event = TimelineEvent.objects.filter(
+            sodar_uuid=self.kwargs['timelineevent']
         ).first()
         if event.classified and not request.user.has_perm(
             'timeline.view_classified_site_event'
@@ -240,33 +237,17 @@ class EventStatusExtraAjaxView(EventExtraDataMixin, SODARBaseAjaxView):
     """Ajax view for retrieving event status extra data for events"""
 
     def get(self, request, *args, **kwargs):
-        status = ProjectEventStatus.objects.filter(
+        status = TimelineEventStatus.objects.filter(
             sodar_uuid=self.kwargs['eventstatus']
         ).first()
         event = status.event
-        if event.project:
-            if (
-                not event.classified
-                and not request.user.has_perm(
-                    'timeline.view_event_extra_data', event.project
-                )
-                or event.classified
-                and not request.user.has_perm(
-                    'timeline.view_classified_event', event.project
-                )
-            ):
-                return HttpResponseForbidden()
+        if event.classified and event.project:
+            perm = 'view_classified_event'
+        elif event.classified:
+            perm = 'view_classified_site_event'
         else:
-            if (
-                not event.classified
-                and not request.user.has_perm('timeline.view_event_extra_data')
-                or event.classified
-                and not request.user.has_perm(
-                    'timeline.view_classified_site_event'
-                )
-            ):
-                return HttpResponseForbidden()
-        return Response(
-            self.get_event_extra(status.event, status),
-            status=200,
-        )
+            perm = 'view_event_extra_data'
+        project = getattr(event, 'project', None)
+        if not request.user.has_perm('timeline.' + perm, project):
+            return HttpResponseForbidden()
+        return Response(self.get_event_extra(status.event, status), status=200)
diff --git a/timeline/views_api.py b/timeline/views_api.py
new file mode 100644
index 00000000..7b3a3ebe
--- /dev/null
+++ b/timeline/views_api.py
@@ -0,0 +1,171 @@
+"""REST API views for the timeline app"""
+
+from rest_framework.exceptions import NotFound, PermissionDenied
+from rest_framework.generics import ListAPIView, RetrieveAPIView
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.renderers import JSONRenderer
+from rest_framework.schemas.openapi import AutoSchema
+from rest_framework.versioning import AcceptHeaderVersioning
+
+# Projectroles dependency
+from projectroles.views_api import (
+    CoreAPIGenericProjectMixin,
+    SODARPageNumberPagination,
+)
+
+from timeline.models import TimelineEvent
+from timeline.serializers import TimelineEventSerializer
+
+
+# Local constants
+TIMELINE_API_MEDIA_TYPE = 'application/vnd.bihealth.sodar-core.timeline+json'
+TIMELINE_API_DEFAULT_VERSION = '1.0'
+TIMELINE_API_ALLOWED_VERSIONS = ['1.0']
+
+
+class TimelineAPIVersioningMixin:
+    """
+    Timeline API view versioning mixin for overriding media type and
+    accepted versions.
+    """
+
+    class TimelineAPIRenderer(JSONRenderer):
+        media_type = TIMELINE_API_MEDIA_TYPE
+
+    class TimelineAPIVersioning(AcceptHeaderVersioning):
+        allowed_versions = TIMELINE_API_ALLOWED_VERSIONS
+        default_version = TIMELINE_API_DEFAULT_VERSION
+
+    renderer_classes = [TimelineAPIRenderer]
+    versioning_class = TimelineAPIVersioning
+
+
+class ProjectTimelineEventListAPIView(
+    TimelineAPIVersioningMixin, CoreAPIGenericProjectMixin, ListAPIView
+):
+    """
+    List ``TimelineEvent`` objects belonging in a category or project. Events
+    are ordered from newest to oldest.
+
+    Supports optional pagination by providing the ``page`` query string. This
+    will return results in the Django Rest Framework PageNumberPagination
+    format.
+
+    **URL:** ``/timeline/api/list/{Project.sodar_uuid}``
+
+    **Methods:** ``GET``
+
+    **Parameters:**
+
+    - ``page``: Page number for paginated results (int, optional)
+
+    **Returns:** List or paginated dict of ``TimelineEvent`` objects (see ``TimelineEventRetrieveAPIView``)
+    """
+
+    pagination_class = SODARPageNumberPagination
+    permission_required = 'timeline.view_timeline'
+    schema = AutoSchema(operation_id_base='ListTimelineEvent')
+    serializer_class = TimelineEventSerializer
+
+    def get_queryset(self):
+        project = self.get_project()
+        user = self.request.user
+        q_kwargs = {'project': project}
+        if not user.is_superuser and not project.is_owner_or_delegate(user):
+            q_kwargs['classified'] = False
+        return TimelineEvent.objects.filter(**q_kwargs).order_by('-pk')
+
+
+class SiteTimelineEventListAPIView(TimelineAPIVersioningMixin, ListAPIView):
+    """
+    List site-wide ``TimelineEvent`` objects. Events are ordered from newest to
+    oldest.
+
+    Supports optional pagination by providing the ``page`` query string. This
+    will return results in the Django Rest Framework ``PageNumberPagination``
+    format.
+
+    **URL:** ``/timeline/api/list/site``
+
+    **Methods:** ``GET``
+
+    **Parameters:**
+
+    - ``page``: Page number for paginated results (int, optional)
+
+    **Returns:** List or paginated dict of ``TimelineEvent`` objects (see ``TimelineEventRetrieveAPIView``)
+    """
+
+    pagination_class = SODARPageNumberPagination
+    permission_classes = [IsAuthenticated]
+    serializer_class = TimelineEventSerializer
+
+    def get_queryset(self):
+        user = self.request.user
+        q_kwargs = {'project': None}
+        if not user.is_superuser:
+            q_kwargs['classified'] = False
+        return TimelineEvent.objects.filter(**q_kwargs).order_by('-pk')
+
+
+class TimelineEventRetrieveAPIView(TimelineAPIVersioningMixin, RetrieveAPIView):
+    """
+    Retrieve ``TimelineEvent`` object.
+
+    Extra data is only returned for users with sufficient permissions
+    (superusers, project owners and delegates).
+
+    **URL:** ``/timeline/api/retrieve/{TimelineEvent.sodar_uuid}``
+
+    **Methods:** ``GET``
+
+    **Returns:**
+
+    - ``project``: Project UUID (string or None)
+    - ``app``: App name (string)
+    - ``user``: Serialized user (JSON, see ``CurrentUserRetrieveAPIView``)
+    - ``event_name``: Event name (string)
+    - ``description``: Event description (string)
+    - ``extra_data``: Event extra data (JSON or None)
+    - ``classified``: Whether event is classified (boolean)
+    - ``status_changes``: List of TimelineEventStatus objects (JSON)
+        - ``event``: TimelineEvent UUID (string)
+        - ``timestamp``: Status datetime (YYYY-MM-DDThh:mm:ssZ)
+        - ``status_type``: Status type (string)
+        - ``description``: Status description (string)
+        - ``extra_data``: Status extra data (JSON or None)
+        - ``sodar_uuid``: Status UUID (string)
+    - ``event_objects``: List of TimelineEventObjectRef objects (JSON)
+        - ``event``: TimelineEvent UUID (string)
+        - ``label``: Object label as given in event description (string)
+        - ``name``: Name for identifying the object (string)
+        - ``object_uuid``: UUID of the referred object (string)
+        - ``extra_data``: Object reference extra data (JSON or None)
+        - ``sodar_uuid``: Object reference UUID (string)
+    - ``sodar_uuid``: TimelineEvent UUID (string)
+    """
+
+    permission_classes = [IsAuthenticated]  # Perms checked in get_object()
+    serializer_class = TimelineEventSerializer
+
+    def get_object(self):
+        obj = TimelineEvent.objects.filter(
+            sodar_uuid=self.kwargs.get('timelineevent')
+        ).first()
+        if not obj:
+            raise NotFound()
+        user = self.request.user
+        if obj.project and not user.has_perm(
+            'timeline.view_timeline', obj.project
+        ):
+            raise PermissionDenied()
+        if obj.classified:
+            if (
+                obj.project
+                and not user.is_superuser
+                and not obj.project.is_owner_or_delegate(user)
+            ):
+                raise PermissionDenied()
+            elif not obj.project and not user.is_superuser:
+                raise PermissionDenied()
+        return obj
diff --git a/tokens/tests/test_permissions.py b/tokens/tests/test_permissions.py
index 19a1c583..dca73266 100644
--- a/tokens/tests/test_permissions.py
+++ b/tokens/tests/test_permissions.py
@@ -6,10 +6,10 @@
 from knox.models import AuthToken
 
 # Projectroles dependency
-from projectroles.tests.test_permissions import TestSiteAppPermissionBase
+from projectroles.tests.test_permissions import SiteAppPermissionTestBase
 
 
-class TestTokenPermissions(TestSiteAppPermissionBase):
+class TestTokenPermissions(SiteAppPermissionTestBase):
     """Tests for token view permissions"""
 
     def test_get_list(self):
diff --git a/tokens/tests/test_ui.py b/tokens/tests/test_ui.py
index cb61573c..68e93e0b 100644
--- a/tokens/tests/test_ui.py
+++ b/tokens/tests/test_ui.py
@@ -9,10 +9,10 @@
 from selenium.webdriver.common.by import By
 
 # Projectroles dependency
-from projectroles.tests.test_ui import TestUIBase
+from projectroles.tests.test_ui import UITestBase
 
 
-class TestTokenList(TestUIBase):
+class TestTokenList(UITestBase):
     """Tests for token list"""
 
     def setUp(self):
@@ -31,17 +31,18 @@ def setUp(self):
         self.token_no_expiry = AuthToken.objects.create(
             self.regular_user, None
         )[0]
+        self.url = reverse('tokens:list')
 
     def test_list_items(self):
         """Test visibility of items in token list"""
         expected = [(self.superuser, 0), (self.regular_user, 2)]
-        url = reverse('tokens:list')
-        self.assert_element_count(expected, url, 'sodar-tk-list-item', 'class')
+        self.assert_element_count(
+            expected, self.url, 'sodar-tk-list-item', 'class'
+        )
 
     def test_list_expiry(self):
         """Test token expiry dates in token list"""
-        url = reverse('tokens:list')
-        self.login_and_redirect(self.regular_user, url)
+        self.login_and_redirect(self.regular_user, self.url)
         items = self.selenium.find_elements(By.CLASS_NAME, 'sodar-tk-list-item')
         self.assertEqual(len(items), 2)
         expiry_time = timezone.localtime(self.token.expiry).strftime(
diff --git a/tokens/tests/test_views.py b/tokens/tests/test_views.py
index da8dc268..a523da8b 100644
--- a/tokens/tests/test_views.py
+++ b/tokens/tests/test_views.py
@@ -2,6 +2,7 @@
 
 from django.contrib.messages import get_messages
 from django.urls import reverse
+from django.utils import timezone
 
 from knox.models import AuthToken
 
@@ -13,64 +14,75 @@
 class TestUserTokenListView(TestCase):
     """Tests for UserTokenListView"""
 
-    def setUp(self):
-        self.user = self.make_user()
-
     def _make_token(self):
         self.tokens = [AuthToken.objects.create(self.user, None)]
 
-    def test_list_empty(self):
-        """Test rendering the list view without tokens"""
-        with self.login(self.user):
-            response = self.get('tokens:list')
-        self.assertEqual(response.status_code, 200)
-        self.assertEqual(len(response.context['object_list']), 0)
+    def setUp(self):
+        self.user = self.make_user()
+        self.url = reverse('tokens:list')
 
-    def test_list_one(self):
-        """Test rendering the list view with one token"""
+    def test_get(self):
+        """Test UserTokenListView GET with a token"""
         self._make_token()
         with self.login(self.user):
-            response = self.get('tokens:list')
+            response = self.get(self.url)
         self.assertEqual(response.status_code, 200)
         self.assertEqual(len(response.context['object_list']), 1)
 
+    def test_get_no_tokens(self):
+        """Test GET with no tokens"""
+        with self.login(self.user):
+            response = self.get(self.url)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(response.context['object_list']), 0)
+
 
 class TestUserTokenCreateView(TestCase):
     """Tests for UserTokenCreateView"""
 
     def setUp(self):
         self.user = self.make_user()
+        self.url = reverse('tokens:create')
 
     def test_get(self):
-        """Test rendering the creation form"""
+        """Test UserTokenCreateView GET"""
         with self.login(self.user):
-            response = self.get('tokens:create')
+            response = self.get(self.url)
         self.assertEqual(response.status_code, 200)
-        self.assertIsNotNone(response.context["form"])
+        self.assertIsNotNone(response.context['form'])
 
     def test_post_no_ttl(self):
-        """Test creating an authentication token with TTL=0"""
+        """Test POST with TTL=0"""
         self.assertEqual(AuthToken.objects.count(), 0)
         with self.login(self.user):
-            response = self.post('tokens:create', data={'ttl': 0})
+            response = self.post(self.url, data={'ttl': 0})
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(AuthToken.objects.count(), 1)
         self.assertEqual(
             list(get_messages(response.wsgi_request))[0].message,
             TOKEN_CREATE_MSG,
         )
+        self.assertEqual(AuthToken.objects.count(), 1)
+        self.assertEqual(AuthToken.objects.first().expiry, None)
 
     def test_post_ttl(self):
-        """Test creating an authentication token with TTL != 0"""
+        """Test POST with TTL != 0"""
         self.assertEqual(AuthToken.objects.count(), 0)
         with self.login(self.user):
-            response = self.post('tokens:create', data={'ttl': 10})
+            response = self.post(self.url, data={'ttl': 10})
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(AuthToken.objects.count(), 1)
         self.assertEqual(
             list(get_messages(response.wsgi_request))[0].message,
             TOKEN_CREATE_MSG,
         )
+        self.assertEqual(AuthToken.objects.count(), 1)
+        self.assertEqual(
+            AuthToken.objects.first().expiry.replace(
+                minute=0, second=0, microsecond=0
+            ),
+            (timezone.now() + timezone.timedelta(hours=10)).replace(
+                minute=0, second=0, microsecond=0
+            ),
+        )
 
 
 class TestUserTokenDeleteView(TestCase):
@@ -78,25 +90,25 @@ class TestUserTokenDeleteView(TestCase):
 
     def setUp(self):
         self.user = self.make_user()
-        AuthToken.objects.create(user=self.user)
-        self.token = AuthToken.objects.first()
+        self.token = AuthToken.objects.create(user=self.user)[0]
+        self.url = reverse('tokens:delete', kwargs={'pk': self.token.pk})
 
     def test_get(self):
-        """Test rendering the deletion form"""
+        """Test UserTokenDeleteView GET"""
         with self.login(self.user):
-            response = self.get('tokens:delete', pk=self.token.pk)
+            response = self.get(self.url)
         self.assertEqual(response.status_code, 200)
 
     def test_post(self):
         """Test token deletion"""
         self.assertEqual(AuthToken.objects.count(), 1)
         with self.login(self.user):
-            response = self.post('tokens:delete', pk=self.token.pk)
-        self.response_302(response)
-        self.assertRedirects(
-            response, reverse('tokens:list'), fetch_redirect_response=False
-        )
+            response = self.post(self.url)
+            self.assertRedirects(
+                response, reverse('tokens:list'), fetch_redirect_response=False
+            )
         self.assertEqual(
             list(get_messages(response.wsgi_request))[0].message,
             TOKEN_DELETE_MSG,
         )
+        self.assertEqual(AuthToken.objects.count(), 0)
diff --git a/userprofile/forms.py b/userprofile/forms.py
index f3a0d585..6b3be21a 100644
--- a/userprofile/forms.py
+++ b/userprofile/forms.py
@@ -1,12 +1,24 @@
 import json
 
 from django import forms
+from django.conf import settings
 
 # Projectroles dependency
 from projectroles.app_settings import AppSettingAPI
-from projectroles.forms import SODARForm, SETTING_CUSTOM_VALIDATE_ERROR
-from projectroles.models import APP_SETTING_VAL_MAXLENGTH, SODAR_CONSTANTS
+from projectroles.forms import (
+    SODARForm,
+    SODARModelForm,
+    SETTING_CUSTOM_VALIDATE_MSG,
+    SETTING_DISABLE_LABEL,
+    SETTING_SOURCE_ONLY_MSG,
+)
+from projectroles.models import (
+    SODARUserAdditionalEmail,
+    SODAR_CONSTANTS,
+    ADD_EMAIL_ALREADY_SET_MSG,
+)
 from projectroles.plugins import get_active_plugins
+from projectroles.utils import build_secret
 
 
 app_settings = AppSettingAPI()
@@ -14,14 +26,94 @@
 
 # SODAR Constants
 SITE_MODE_SOURCE = SODAR_CONSTANTS['SITE_MODE_SOURCE']
+SITE_MODE_TARGET = SODAR_CONSTANTS['SITE_MODE_TARGET']
 APP_SETTING_SCOPE_USER = SODAR_CONSTANTS['APP_SETTING_SCOPE_USER']
 
 
-# User Settings Form -----------------------------------------------------------
-
-
 class UserSettingsForm(SODARForm):
-    """The form for configuring user settings."""
+    """Form for configuring user settings"""
+
+    def _set_app_setting_field(self, plugin_name, s_field, s_key, s_val):
+        """
+        Set user app setting field, widget and value.
+
+        :param plugin_name: App plugin name
+        :param s_field: Form field name
+        :param s_key: Setting key
+        :param s_val: Setting value
+        """
+        s_widget_attrs = s_val.get('widget_attrs') or {}
+        if 'placeholder' in s_val:
+            s_widget_attrs['placeholder'] = s_val.get('placeholder')
+        setting_kwargs = {
+            'required': False,
+            'label': s_val.get('label') or '{}.{}'.format(plugin_name, s_key),
+            'help_text': s_val.get('description'),
+        }
+        # Disable global user settings if on target site
+        if (
+            app_settings.get_global_value(s_val)
+            and settings.PROJECTROLES_SITE_MODE == SITE_MODE_TARGET
+        ):
+            setting_kwargs['label'] += ' ' + SETTING_DISABLE_LABEL
+            setting_kwargs['help_text'] += ' ' + SETTING_SOURCE_ONLY_MSG
+            setting_kwargs['disabled'] = True
+
+        if s_val.get('options') and callable(s_val['options']):
+            self.fields[s_field] = forms.ChoiceField(
+                choices=[
+                    (
+                        (str(value[0]), str(value[1]))
+                        if isinstance(value, tuple)
+                        else (str(value), str(value))
+                    )
+                    for value in s_val['options'](user=self.user)
+                ],
+                **setting_kwargs,
+            )
+        elif s_val.get('options'):
+            self.fields[s_field] = forms.ChoiceField(
+                choices=[
+                    (
+                        (int(option), int(option))
+                        if s_val['type'] == 'INTEGER'
+                        else (option, option)
+                    )
+                    for option in s_val['options']
+                ],
+                **setting_kwargs,
+            )
+        elif s_val['type'] == 'STRING':
+            self.fields[s_field] = forms.CharField(
+                widget=forms.TextInput(attrs=s_widget_attrs),
+                **setting_kwargs,
+            )
+        elif s_val['type'] == 'INTEGER':
+            self.fields[s_field] = forms.IntegerField(
+                widget=forms.NumberInput(attrs=s_widget_attrs),
+                **setting_kwargs,
+            )
+        elif s_val['type'] == 'BOOLEAN':
+            self.fields[s_field] = forms.BooleanField(**setting_kwargs)
+        elif s_val['type'] == 'JSON':
+            # NOTE: Attrs MUST be supplied here (#404)
+            if 'class' in s_widget_attrs:
+                s_widget_attrs['class'] += ' sodar-json-input'
+            else:
+                s_widget_attrs['class'] = 'sodar-json-input'
+            self.fields[s_field] = forms.CharField(
+                widget=forms.Textarea(attrs=s_widget_attrs),
+                **setting_kwargs,
+            )
+
+        # Modify initial value and attributes
+        self.fields[s_field].widget.attrs.update(s_widget_attrs)
+        value = app_settings.get(
+            plugin_name=plugin_name, setting_name=s_key, user=self.user
+        )
+        if s_val['type'] == 'JSON':
+            value = json.dumps(value)
+        self.initial[s_field] = value
 
     def __init__(self, *args, **kwargs):
         self.user = kwargs.pop('current_user')
@@ -40,96 +132,16 @@ def __init__(self, *args, **kwargs):
             else:
                 name = 'projectroles'
                 p_defs = app_settings.get_definitions(
-                    APP_SETTING_SCOPE_USER, app_name=name, user_modifiable=True
+                    APP_SETTING_SCOPE_USER,
+                    plugin_name=name,
+                    user_modifiable=True,
                 )
-
             for s_key, s_val in p_defs.items():
                 s_field = 'settings.{}.{}'.format(name, s_key)
-                s_widget_attrs = s_val.get('widget_attrs') or {}
-                if 'placeholder' in s_val:
-                    s_widget_attrs['placeholder'] = s_val.get('placeholder')
-                setting_kwargs = {
-                    'required': False,
-                    'label': s_val.get('label') or '{}.{}'.format(name, s_key),
-                    'help_text': s_val.get('description'),
-                }
-
-                if s_val['type'] == 'STRING':
-                    if 'options' in s_val:
-                        if callable(s_val['options']):
-                            self.fields[s_field] = forms.ChoiceField(
-                                choices=[
-                                    (str(value[0]), str(value[1]))
-                                    if isinstance(value, tuple)
-                                    else (str(value), str(value))
-                                    for value in s_val['options'](
-                                        user=self.user
-                                    )
-                                ],
-                                **setting_kwargs,
-                            )
-                        else:
-                            self.fields[s_field] = forms.ChoiceField(
-                                choices=[
-                                    (option, option)
-                                    for option in s_val['options']
-                                ],
-                                **setting_kwargs,
-                            )
-                    else:
-                        self.fields[s_field] = forms.CharField(
-                            max_length=APP_SETTING_VAL_MAXLENGTH,
-                            widget=forms.TextInput(attrs=s_widget_attrs),
-                            **setting_kwargs,
-                        )
-                elif s_val['type'] == 'INTEGER':
-                    if 'options' in s_val:
-                        self.fields[s_field] = forms.ChoiceField(
-                            choices=[
-                                (int(option), int(option))
-                                for option in s_val['options']
-                            ],
-                            **setting_kwargs,
-                        )
-                    else:
-                        self.fields[s_field] = forms.IntegerField(
-                            widget=forms.NumberInput(attrs=s_widget_attrs),
-                            **setting_kwargs,
-                        )
-                elif s_val['type'] == 'BOOLEAN':
-                    self.fields[s_field] = forms.BooleanField(**setting_kwargs)
-                elif s_val['type'] == 'JSON':
-                    # NOTE: Attrs MUST be supplied here (#404)
-                    if 'class' in s_widget_attrs:
-                        s_widget_attrs['class'] += ' sodar-json-input'
-                    else:
-                        s_widget_attrs['class'] = 'sodar-json-input'
-                    self.fields[s_field] = forms.CharField(
-                        widget=forms.Textarea(attrs=s_widget_attrs),
-                        **setting_kwargs,
-                    )
-
-                # Modify initial value and attributes
-                if s_val['type'] != 'JSON':
-                    # Add optional attributes from plugin (#404)
-                    # NOTE: Experimental! Use at your own risk!
-                    self.fields[s_field].widget.attrs.update(s_widget_attrs)
-
-                    self.initial[s_field] = app_settings.get(
-                        app_name=name, setting_name=s_key, user=self.user
-                    )
-                else:
-                    self.initial[s_field] = json.dumps(
-                        app_settings.get(
-                            app_name=name,
-                            setting_name=s_key,
-                            user=self.user,
-                        )
-                    )
+                self._set_app_setting_field(name, s_field, s_key, s_val)
                 self.fields[s_field].label = self.get_app_setting_label(
                     plugin, self.fields[s_field].label
                 )
-                # TODO: Disable editing global USER settings (#1329)
 
     def clean(self):
         """Function for custom form validation and cleanup"""
@@ -140,7 +152,7 @@ def clean(self):
                 p_kwargs['plugin'] = plugin
             else:
                 p_name = 'projectroles'
-                p_kwargs['app_name'] = p_name
+                p_kwargs['plugin_name'] = p_name
             p_defs = app_settings.get_definitions(
                 APP_SETTING_SCOPE_USER, **p_kwargs
             )
@@ -184,8 +196,43 @@ def clean(self):
                 except Exception as ex:
                     self.add_error(
                         None,
-                        SETTING_CUSTOM_VALIDATE_ERROR.format(
+                        SETTING_CUSTOM_VALIDATE_MSG.format(
                             plugin=p_name, exception=ex
                         ),
                     )
         return self.cleaned_data
+
+
+class UserEmailForm(SODARModelForm):
+    """Form for creating additional email addresses for user"""
+
+    class Meta:
+        model = SODARUserAdditionalEmail
+        fields = ['email', 'user', 'secret']
+
+    def __init__(self, current_user=None, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        if current_user:
+            self.current_user = current_user
+        self.fields['user'].widget = forms.HiddenInput()
+        self.initial['user'] = current_user
+        self.fields['secret'].widget = forms.HiddenInput()
+        self.initial['secret'] = build_secret(32)
+
+    def clean(self):
+        if self.cleaned_data['email'] == self.current_user.email:
+            self.add_error(
+                'email', ADD_EMAIL_ALREADY_SET_MSG.format(email_type='primary')
+            )
+            return self.cleaned_data
+        if (
+            SODARUserAdditionalEmail.objects.filter(
+                user=self.current_user, email=self.cleaned_data['email']
+            ).count()
+            > 0
+        ):
+            self.add_error(
+                'email',
+                ADD_EMAIL_ALREADY_SET_MSG.format(email_type='additional'),
+            )
+        return self.cleaned_data
diff --git a/userprofile/rules.py b/userprofile/rules.py
index 6ae2f366..d7640a37 100644
--- a/userprofile/rules.py
+++ b/userprofile/rules.py
@@ -1,10 +1,15 @@
 import rules
 
+# Projectroles dependency
+from projectroles import rules as pr_rules  # To access common predicates
+
 
 # Predicates -------------------------------------------------------------
 
 
-# None needed right now
+@rules.predicate
+def can_delete_email(user, obj):
+    return obj.user == user
 
 
 # Rules ------------------------------------------------------------------
@@ -18,3 +23,13 @@
 
 # Allow viewing user detail
 rules.add_perm('userprofile.view_detail', rules.is_authenticated)
+
+# Allow creating additional email
+rules.add_perm(
+    'userprofile.create_email', pr_rules.is_source_site & rules.is_authenticated
+)
+
+# Allow deleting additional email
+rules.add_perm(
+    'userprofile.delete_email', pr_rules.is_source_site & can_delete_email
+)
diff --git a/userprofile/templates/userprofile/detail.html b/userprofile/templates/userprofile/detail.html
index c7d3a0d1..147fb603 100644
--- a/userprofile/templates/userprofile/detail.html
+++ b/userprofile/templates/userprofile/detail.html
@@ -4,6 +4,31 @@
 
 {% block title %}User Profile for {{ request.user.get_full_name }}{% endblock %}
 
+{% block css %}
+  {{ block.super }}
+  <style type="text/css">
+    .table#sodar-user-email-table tr td:nth-child(1) {
+      width: 100%;
+    }
+    .table#sodar-user-email-table tr td:nth-child(5) {
+      width: 80px;
+    }
+    /* Responsive modifications */
+    @media screen and (max-width: 900px) {
+      .table#sodar-user-email-table tr th:nth-child(3),
+      .table#sodar-user-email-table tr td:nth-child(3) {
+        display: none;
+      }
+    }
+    @media screen and (max-width: 700px) {
+      .table#sodar-user-email-table tr th:nth-child(4),
+      .table#sodar-user-email-table tr td:nth-child(4) {
+        display: none;
+      }
+    }
+  </style>
+{% endblock %}
+
 {% block projectroles %}
 
 <div class="row sodar-pr-content-title pt-2">
@@ -18,7 +43,7 @@ <h2 class="sodar-pr-content-title">{{ request.user.get_full_name }}</h2>
     <div class="card-header">
       <h4>
         <i class="iconify" data-icon="mdi:account-details"></i> Details
-        {% if local_user %}
+        {% if request.user.is_local %}
           <span class="sodar-header-input-group pull-right">
             <a role="button"
                class="btn btn-primary"
@@ -91,6 +116,82 @@ <h4>
       </dl>
     </div>
   </div>
+
+  {% get_django_setting 'PROJECTROLES_SEND_EMAIL' as send_email %}
+  {% get_django_setting 'PROJECTROLES_SITE_MODE' as site_mode %}
+  {% if send_email %}
+    <div class="card" id="sodar-user-email-card">
+      <div class="card-header">
+        <h4>
+          <i class="iconify" data-icon="mdi:email-multiple"></i>
+          Additional Email Addresses
+          {% if site_mode == 'SOURCE' %}
+            <span class="sodar-header-input-group pull-right">
+              <a role="button"
+                 class="btn btn-primary"
+                 id="sodar-user-btn-email-add"
+                 href="{% url 'userprofile:email_create' %}">
+                <i class="iconify" data-icon="mdi:plus-thick"></i> Add Email
+              </a>
+            </span>
+          {% endif %}
+        </h4>
+      </div>
+      <div class="card-body p-0">
+        <table class="table table-striped sodar-card-table"
+               id="sodar-user-email-table">
+          <thead>
+            <tr>
+              <th>Address</th>
+              <th>Status</th>
+              <th>Created</th>
+              <th>Modified</th>
+              <th></th>
+            </tr>
+          </thead>
+          <tbody>
+            {% if add_emails.count > 0 %}
+              {% for email in add_emails %}
+                <tr class="sodar-user-email-table-row">
+                  <td><a href="mailto:{{ email.email }}">{{ email.email }}</a></td>
+                  <td class="text-nowrap text-{% if email.verified %}success{% else %}danger{% endif %}">
+                    {% if email.verified %}Verified{% else %}Unverified{% endif %}
+                  </td>
+                  <td class="text-nowrap">{{ email.date_created | date:'Y-m-d H:i'}}</td>
+                  <td class="text-nowrap">{{ email.date_modified | date:'Y-m-d H:i'}}</td>
+                  <td class="text-right">
+                    {% if site_mode == 'SOURCE' %}
+                      <button class="btn btn-secondary dropdown-toggle sodar-list-dropdown"
+                              type="button" data-toggle="dropdown"
+                              aria-haspopup="true" aria-expanded="false">
+                        <i class="iconify" data-icon="mdi:gear"></i>
+                      </button>
+                      <div class="dropdown-menu dropdown-menu-right sodar-user-email-dropdown">
+                        <a class="dropdown-item sodar-user-email-resend {% if email.verified %}disabled{% endif %}"
+                           href="{% url 'userprofile:email_verify_resend' sodaruseradditionalemail=email.sodar_uuid %}">
+                          <i class="iconify" data-icon="mdi:send"></i> Resend Verification Mail
+                        </a>
+                        <a class="dropdown-item sodar-user-email-delete text-danger"
+                           href="{% url 'userprofile:email_delete' sodaruseradditionalemail=email.sodar_uuid %}">
+                          <i class="iconify" data-icon="mdi:close-thick"></i> Delete Address
+                        </a>
+                      </div>
+                    {% endif %}
+                  </td>
+                </tr>
+              {% endfor %}
+            {% else %}
+              <tr id="sodar-user-email-table-not-found">
+                <td class="bg-faded font-italic text-center" colspan="5">
+                  No additional email addresses set.
+                </td>
+              </tr>
+            {% endif %}
+          </tbody>
+        </table>
+      </div>
+    </div>
+  {% endif %}
 </div>
 
 {% endblock projectroles %}
@@ -143,5 +244,23 @@ <h4>
               showCancelLink: true
           });
       }
+      tour.addStep('additional_email', {
+          title: 'Additional Email Addresses Card',
+          text: 'This card displays additional email addresses set for the ' +
+                'user and the ability to manage those addresses.',
+          attachTo: '#sodar-user-email-card top',
+          advanceOn: '.docs-link click',
+          showCancelLink: true
+      });
+      tour.addStep('additional_email_add', {
+          title: 'Add Email',
+          text: 'If you want email notifications sent to one or more ' +
+                'addresses other than your primary address, add those here. ' +
+                'Addresses must be validated by following a link received in ' +
+                'the initial email.',
+          attachTo: '#sodar-user-btn-email-add left',
+          advanceOn: '.docs-link click',
+          showCancelLink: true
+      });
   </script>
 {% endblock javascript %}
diff --git a/userprofile/templates/userprofile/email_confirm_delete.html b/userprofile/templates/userprofile/email_confirm_delete.html
new file mode 100644
index 00000000..dd5c38ba
--- /dev/null
+++ b/userprofile/templates/userprofile/email_confirm_delete.html
@@ -0,0 +1,44 @@
+{% extends 'projectroles/base.html' %}
+
+{% load crispy_forms_filters %}
+
+{% block title %}
+  Delete Email Address
+{% endblock title %}
+
+{% block projectroles %}
+
+<div class="row sodar-pr-content-title pt-2">
+  <h2 class="sodar-pr-content-title">{{ request.user.get_full_name }}</h2>
+  <div class="sodar-pr-content-title-secondary text-muted">User Profile</div>
+</div>
+
+<div class="row sodar-subtitle-container">
+  <h3>Delete Email Address {{ object.email }}</h3>
+</div>
+
+<div class="container-fluid sodar-page-container">
+  <div class="alert alert-warning">
+    Are you sure you want to delete the additional email address
+    <a href="mailto:{{ object.email }}">{{ object.email }}</a>? Deleting the
+    address means it will no longer receive automated emails from this site. This
+    can only be undone by adding and re-verifying the address.
+  </div>
+  <form method="post">
+    {% csrf_token %}
+    {{ form | crispy }}
+    <div class="row">
+      <div class="btn-group ml-auto" role="group">
+        <a role="button" class="btn btn-secondary"
+           href="{% url 'userprofile:detail' %}">
+          <i class="iconify" data-icon="mdi:arrow-left-circle"></i> Cancel
+        </a>
+        <button type="submit" class="btn btn-danger">
+          <i class="iconify" data-icon="mdi:close-thick"></i> Delete
+        </button>
+      </div>
+    </div>
+  </form>
+</div>
+
+{% endblock projectroles %}
diff --git a/userprofile/templates/userprofile/email_form.html b/userprofile/templates/userprofile/email_form.html
new file mode 100644
index 00000000..8326ff94
--- /dev/null
+++ b/userprofile/templates/userprofile/email_form.html
@@ -0,0 +1,38 @@
+{% extends 'projectroles/base.html' %}
+
+{% load crispy_forms_filters %}
+
+{% block title %}
+  Add Email Address
+{% endblock title %}
+
+{% block projectroles %}
+
+<div class="row sodar-pr-content-title pt-2">
+  <h2 class="sodar-pr-content-title">{{ request.user.get_full_name }}</h2>
+  <div class="sodar-pr-content-title-secondary text-muted">User Profile</div>
+</div>
+
+<div class="row sodar-subtitle-container">
+  <h3>Add Email Address</h3>
+</div>
+
+<div class="container-fluid sodar-page-container">
+  <form method="post">
+    {% csrf_token %}
+    {{ form | crispy }}
+    <div class="row">
+      <div class="btn-group ml-auto" role="group">
+        <a role="button" class="btn btn-secondary"
+           href="{% url 'userprofile:detail' %}">
+          <i class="iconify" data-icon="mdi:arrow-left-circle"></i> Cancel
+        </a>
+        <button type="submit" class="btn btn-primary">
+          <i class="iconify" data-icon="mdi:plus-thick"></i> Add
+        </button>
+      </div>
+    </div>
+  </form>
+</div>
+
+{% endblock projectroles %}
diff --git a/userprofile/tests/test_permissions.py b/userprofile/tests/test_permissions.py
index aadceec4..374dccf7 100644
--- a/userprofile/tests/test_permissions.py
+++ b/userprofile/tests/test_permissions.py
@@ -4,12 +4,27 @@
 from django.urls import reverse
 
 # Projectroles dependency
-from projectroles.tests.test_permissions import TestSiteAppPermissionBase
+from projectroles.models import SODAR_CONSTANTS
+from projectroles.tests.test_models import (
+    SODARUserAdditionalEmailMixin,
+    ADD_EMAIL,
+)
+from projectroles.tests.test_permissions import SiteAppPermissionTestBase
 
 
-class TestUserProfilePermissions(TestSiteAppPermissionBase):
+# SODAR constants
+SITE_MODE_TARGET = SODAR_CONSTANTS['SITE_MODE_TARGET']
+
+
+class TestUserProfilePermissions(
+    SODARUserAdditionalEmailMixin, SiteAppPermissionTestBase
+):
     """Tests for userprofile view permissions"""
 
+    def setUp(self):
+        super().setUp()
+        self.regular_user2 = self.make_user('regular_user2')
+
     def test_get_profile(self):
         """Test UserDetailView GET"""
         url = reverse('userprofile:detail')
@@ -35,3 +50,57 @@ def test_get_settings_update_anon(self):
         url = reverse('userprofile:settings_update')
         self.assert_response(url, [self.superuser, self.regular_user], 200)
         self.assert_response(url, self.anonymous, 302)
+
+    def test_get_email_create(self):
+        """Test UserEmailCreateView GET"""
+        url = reverse('userprofile:email_create')
+        self.assert_response(url, [self.superuser, self.regular_user], 200)
+        self.assert_response(url, self.anonymous, 302)
+
+    @override_settings(PROJECTROLES_ALLOW_ANONYMOUS=True)
+    def test_get_email_create_anon(self):
+        """Test UserEmailCreateView GET with anonymous access"""
+        url = reverse('userprofile:email_create')
+        self.assert_response(url, [self.superuser, self.regular_user], 200)
+        self.assert_response(url, self.anonymous, 302)
+
+    @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
+    def test_get_email_create_target(self):
+        """Test UserEmailCreateView GET as target site"""
+        url = reverse('userprofile:email_create')
+        self.assert_response(url, self.superuser, 200)
+        self.assert_response(url, [self.regular_user, self.anonymous], 302)
+
+    def test_get_email_delete(self):
+        """Test UserEmailDeleteView GET"""
+        email = self.make_email(self.regular_user, ADD_EMAIL)
+        url = reverse(
+            'userprofile:email_delete',
+            kwargs={'sodaruseradditionalemail': email.sodar_uuid},
+        )
+        self.assert_response(url, [self.superuser, self.regular_user], 200)
+        self.assert_response(url, [self.regular_user2, self.anonymous], 302)
+
+    @override_settings(PROJECTROLES_ALLOW_ANONYMOUS=True)
+    def test_get_email_delete_anon(self):
+        """Test UserEmailDeleteView GET with anonymous access"""
+        email = self.make_email(self.regular_user, ADD_EMAIL)
+        url = reverse(
+            'userprofile:email_delete',
+            kwargs={'sodaruseradditionalemail': email.sodar_uuid},
+        )
+        self.assert_response(url, [self.superuser, self.regular_user], 200)
+        self.assert_response(url, [self.regular_user2, self.anonymous], 302)
+
+    @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
+    def test_get_email_delete_target(self):
+        """Test UserEmailDeleteView GET as target site"""
+        email = self.make_email(self.regular_user, ADD_EMAIL)
+        url = reverse(
+            'userprofile:email_delete',
+            kwargs={'sodaruseradditionalemail': email.sodar_uuid},
+        )
+        self.assert_response(url, [self.superuser], 200)
+        self.assert_response(
+            url, [self.regular_user, self.regular_user2, self.anonymous], 302
+        )
diff --git a/userprofile/tests/test_ui.py b/userprofile/tests/test_ui.py
index 7a66146c..9299e20c 100644
--- a/userprofile/tests/test_ui.py
+++ b/userprofile/tests/test_ui.py
@@ -2,15 +2,23 @@
 
 from django.test import override_settings
 from django.urls import reverse
+
 from selenium.webdriver.common.by import By
 from selenium.webdriver.support.ui import WebDriverWait
 
 # Projectroles dependency
-from projectroles.tests.test_ui import TestUIBase
+from projectroles.forms import SETTING_DISABLE_LABEL
+from projectroles.models import SODAR_CONSTANTS
+from projectroles.tests.test_models import SODARUserAdditionalEmailMixin
+from projectroles.tests.test_ui import UITestBase
+
+
+# SODAR constants
+SITE_MODE_TARGET = SODAR_CONSTANTS['SITE_MODE_TARGET']
 
 
 @override_settings(AUTH_LDAP_USERNAME_DOMAIN='EXAMPLE')
-class TestUserDetails(TestUIBase):
+class TestUserDetails(SODARUserAdditionalEmailMixin, UITestBase):
     """Tests for user details page"""
 
     def setUp(self):
@@ -18,15 +26,113 @@ def setUp(self):
         # Create users
         self.local_user = self.make_user('local_user', False)
         self.ldap_user = self.make_user('user@EXAMPLE', False)
+        self.url = reverse('userprofile:detail')
 
     def test_update_button(self):
         """Test existence of user update button"""
-        url = reverse('userprofile:detail')
         expected = [(self.local_user, 1), (self.ldap_user, 0)]
-        self.assert_element_count(expected, url, 'sodar-user-btn-update')
+        self.assert_element_count(expected, self.url, 'sodar-user-btn-update')
+
+    def test_additional_email_unset(self):
+        """Test existence of additional email elements without email"""
+        self.assert_element_exists(
+            [self.local_user],
+            self.url,
+            'sodar-user-btn-email-add',
+            True,
+        )
+        self.assert_element_count(
+            [(self.local_user, 0)],
+            self.url,
+            'sodar-user-email-table-row',
+            'class',
+        )
+        self.assert_element_count(
+            [(self.local_user, 0)],
+            self.url,
+            'sodar-user-email-dropdown',
+            'class',
+        )
+        self.assert_element_exists(
+            [self.local_user],
+            self.url,
+            'sodar-user-email-table-not-found',
+            True,
+        )
+
+    def test_additional_email_set(self):
+        """Test existence of additional email elements with email"""
+        self.make_email(self.local_user, 'add1@example.com')
+        self.make_email(self.local_user, 'add2@example.com', verified=False)
+        # Another user, should not be visible
+        self.make_email(self.ldap_user, 'add3@example.com')
+        self.assert_element_exists(
+            [self.local_user],
+            self.url,
+            'sodar-user-btn-email-add',
+            True,
+        )
+        self.assert_element_count(
+            [(self.local_user, 2)],
+            self.url,
+            'sodar-user-email-table-row',
+            'class',
+        )
+        self.assert_element_count(
+            [(self.local_user, 2)],
+            self.url,
+            'sodar-user-email-dropdown',
+            'class',
+        )
+        self.assert_element_exists(
+            [self.local_user],
+            self.url,
+            'sodar-user-email-table-not-found',
+            False,
+        )
 
+    @override_settings(PROJECTROLES_SEND_EMAIL=False)
+    def test_additional_email_disabled(self):
+        """Test existence of email card with PROJECTROLES_SEND_EMAIL=False"""
+        self.assert_element_exists(
+            [self.local_user],
+            self.url,
+            'sodar-user-email-card',
+            False,
+        )
 
-class TestUserSettings(TestUIBase):
+    @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
+    def test_additional_email_target(self):
+        """Test existence of additional email elements as target site"""
+        self.make_email(self.local_user, 'add1@example.com')
+        self.make_email(self.local_user, 'add2@example.com', verified=False)
+        self.assert_element_exists(
+            [self.local_user],
+            self.url,
+            'sodar-user-btn-email-add',
+            False,
+        )
+        self.assert_element_count(
+            [(self.local_user, 2)],
+            self.url,
+            'sodar-user-email-table-row',
+            'class',
+        )
+        self.assert_element_count(
+            [(self.local_user, 0)],
+            self.url,
+            'sodar-user-email-dropdown',
+            'class',
+        )
+        self.assert_element_exists(
+            [self.local_user],
+            self.url,
+            'sodar-user-email-table-not-found',
+            False,
+        )
+
+
+class TestUserSettings(UITestBase):
     """Tests for user settings page"""
 
     def setUp(self):
@@ -34,13 +140,11 @@ def setUp(self):
         # Create users
         self.local_user = self.make_user('local_user', False)
         self.ldap_user = self.make_user('user@EXAMPLE', False)
+        self.url = reverse('userprofile:settings_update')
 
     def test_settings_label_icon(self):
         """Test existence of settings label icon"""
-        url = reverse('userprofile:settings_update')
-        self.login_and_redirect(
-            self.superuser, url, wait_elem=None, wait_loc='ID'
-        )
+        self.login_and_redirect(self.superuser, self.url)
         WebDriverWait(self.selenium, 15).until(
             lambda x: x.find_element(
                 By.CSS_SELECTOR,
@@ -59,3 +163,44 @@ def test_settings_label_icon(self):
         )
         icon = label.find_element(By.TAG_NAME, 'svg')
         self.assertTrue(icon.is_displayed())
+
+    def test_global_setting_source(self):
+        """Test global user setting on source site"""
+        self.login_and_redirect(self.superuser, self.url)
+        WebDriverWait(self.selenium, 15).until(
+            lambda x: x.find_element(
+                By.CSS_SELECTOR,
+                'div[id="div_id_settings.projectroles.notify_email_project"]',
+            )
+        )
+        input_elem = self.selenium.find_element(
+            By.CSS_SELECTOR,
+            'input[id="id_settings.projectroles.notify_email_project"]',
+        )
+        self.assertIsNone(input_elem.get_attribute('disabled'))
+        label = self.selenium.find_element(
+            By.CSS_SELECTOR,
+            'div[id="div_id_settings.projectroles.notify_email_project"] label',
+        )
+        self.assertNotIn(SETTING_DISABLE_LABEL, label.text)
+
+    @override_settings(PROJECTROLES_SITE_MODE=SITE_MODE_TARGET)
+    def test_global_setting_target(self):
+        """Test global user setting on target site"""
+        self.login_and_redirect(self.superuser, self.url)
+        WebDriverWait(self.selenium, 15).until(
+            lambda x: x.find_element(
+                By.CSS_SELECTOR,
+                'div[id="div_id_settings.projectroles.notify_email_project"]',
+            )
+        )
+        input_elem = self.selenium.find_element(
+            By.CSS_SELECTOR,
+            'input[id="id_settings.projectroles.notify_email_project"]',
+        )
+        self.assertIsNotNone(input_elem.get_attribute('disabled'))
+        label = self.selenium.find_element(
+            By.CSS_SELECTOR,
+            'div[id="div_id_settings.projectroles.notify_email_project"] label',
+        )
+        self.assertIn(SETTING_DISABLE_LABEL, label.text)
diff --git a/userprofile/tests/test_views.py b/userprofile/tests/test_views.py
index aecbf204..4ec1e532 100644
--- a/userprofile/tests/test_views.py
+++ b/userprofile/tests/test_views.py
@@ -1,27 +1,54 @@
 """Tests for views in the userprofile Django app"""
 
+import uuid
+
 from django.contrib import auth
 from django.contrib.messages import get_messages
+from django.core import mail
+from django.forms.models import model_to_dict
+from django.test import override_settings
 from django.urls import reverse
 
 from test_plus.test import TestCase
 
+# Timeline dependency
+from timeline.models import TimelineEvent
+
 # Projectroles dependency
 from projectroles.app_settings import AppSettingAPI
-from projectroles.tests.test_models import EXAMPLE_APP_NAME, AppSettingMixin
-from projectroles.views import MSG_FORM_INVALID
+from projectroles.models import SODARUserAdditionalEmail, SODAR_CONSTANTS
+from projectroles.tests.test_models import (
+    EXAMPLE_APP_NAME,
+    AppSettingMixin,
+    SODARUserAdditionalEmailMixin,
+)
+from projectroles.views import FORM_INVALID_MSG
+from projectroles.utils import build_secret
 
-from userprofile.views import SETTING_UPDATE_MSG
+from userprofile.views import (
+    SETTING_UPDATE_MSG,
+    EMAIL_NOT_FOUND_MSG,
+    EMAIL_ALREADY_VERIFIED_MSG,
+    EMAIL_VERIFIED_MSG,
+    EMAIL_VERIFY_RESEND_MSG,
+)
 
 
 app_settings = AppSettingAPI()
 User = auth.get_user_model()
 
 
-INVALID_SETTING_VALUE = 'INVALID VALUE'
+# SODAR constants
+SITE_MODE_TARGET = SODAR_CONSTANTS['SITE_MODE_TARGET']
 
+# Local constants
+INVALID_VALUE = 'INVALID VALUE'
+ADD_EMAIL = 'add1@example.com'
+ADD_EMAIL2 = 'add2@example.com'
+ADD_EMAIL_SECRET = build_secret(32)
 
-class UserViewsTestBase(TestCase):
+
+class UserViewTestBase(TestCase):
     """Base class for view testing"""
 
     def setUp(self):
@@ -35,7 +62,7 @@ def setUp(self):
 # View tests -------------------------------------------------------------------
 
 
-class TestUserDetailView(UserViewsTestBase):
+class TestUserDetailView(SODARUserAdditionalEmailMixin, UserViewTestBase):
     """Tests for UserDetailView"""
 
     def test_get(self):
@@ -44,9 +71,20 @@ def test_get(self):
             response = self.client.get(reverse('userprofile:detail'))
         self.assertEqual(response.status_code, 200)
         self.assertIsNotNone(response.context['user_settings'])
+        self.assertEqual(response.context['add_emails'].count(), 0)
+
+    def test_get_additional_email(self):
+        """Test GET with additional email"""
+        self.make_email(self.user, 'add@example.com')
+        self.make_email(self.user, 'add_unverified@example.com', verified=False)
+        with self.login(self.user):
+            response = self.client.get(reverse('userprofile:detail'))
+        self.assertEqual(response.status_code, 200)
+        self.assertIsNotNone(response.context['user_settings'])
+        self.assertEqual(response.context['add_emails'].count(), 2)
 
 
-class TestUserSettingsView(AppSettingMixin, UserViewsTestBase):
+class TestUserSettingsView(AppSettingMixin, UserViewTestBase):
     """Tests for UserSettingsView"""
 
     def _get_setting(self, name):
@@ -56,7 +94,7 @@ def setUp(self):
         super().setUp()
         # Init test setting
         self.setting_str = self.make_setting(
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             name='user_str_setting',
             setting_type='STRING',
             value='test',
@@ -64,7 +102,7 @@ def setUp(self):
         )
         # Init integer setting
         self.setting_int = self.make_setting(
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             name='user_int_setting',
             setting_type='INTEGER',
             value=170,
@@ -72,7 +110,7 @@ def setUp(self):
         )
         # Init test setting with options
         self.setting_str_options = self.make_setting(
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             name='user_str_setting_options',
             setting_type='STRING',
             value='string1',
@@ -80,7 +118,7 @@ def setUp(self):
         )
         # Init integer setting with options
         self.setting_int_options = self.make_setting(
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             name='user_int_setting_options',
             setting_type='INTEGER',
             value=0,
@@ -88,7 +126,7 @@ def setUp(self):
         )
         # Init boolean setting
         self.setting_bool = self.make_setting(
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             name='user_bool_setting',
             setting_type='BOOLEAN',
             value=True,
@@ -96,7 +134,7 @@ def setUp(self):
         )
         # Init json setting
         self.setting_json = self.make_setting(
-            app_name=EXAMPLE_APP_NAME,
+            plugin_name=EXAMPLE_APP_NAME,
             name='user_json_setting',
             setting_type='JSON',
             value=None,
@@ -199,8 +237,7 @@ def test_post(self):
     def test_post_custom_validation(self):
         """Test POST with custom validation and invalid value"""
         values = {
-            'settings.example_project_app.'
-            'user_str_setting': INVALID_SETTING_VALUE,
+            'settings.example_project_app.' 'user_str_setting': INVALID_VALUE,
             'settings.example_project_app.user_int_setting': '170',
             'settings.example_project_app.user_str_setting_options': 'string1',
             'settings.example_project_app.user_int_setting_options': '0',
@@ -219,6 +256,287 @@ def test_post_custom_validation(self):
         self.assertEqual(response.status_code, 200)
         self.assertEqual(
             list(get_messages(response.wsgi_request))[0].message,
-            MSG_FORM_INVALID,
+            FORM_INVALID_MSG,
         )
         self.assertEqual(self._get_setting('user_str_setting'), 'test')
+
+
+class TestUserEmailCreateView(SODARUserAdditionalEmailMixin, UserViewTestBase):
+    """Tests for UserEmailCreateView"""
+
+    def setUp(self):
+        super().setUp()
+        self.url = reverse('userprofile:email_create')
+        self.url_redirect = reverse('userprofile:detail')
+
+    def test_get(self):
+        """Test UserEmailCreateView GET"""
+        with self.login(self.user):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 200)
+        self.assertIsNotNone(response.context['form'])
+
+    @override_settings(PROJECTROLES_SEND_EMAIL=False)
+    def test_get_email_disabled(self):
+        """Test GET with disabled email sending"""
+        with self.login(self.user):
+            response = self.client.get(self.url)
+            self.assertRedirects(response, self.url_redirect)
+
+    def test_post(self):
+        """Test POST"""
+        self.assertEqual(SODARUserAdditionalEmail.objects.count(), 0)
+        self.assertEqual(
+            TimelineEvent.objects.filter(event_name='email_create').count(), 0
+        )
+        self.assertEqual(len(mail.outbox), 0)
+        with self.login(self.user):
+            data = {
+                'user': self.user.pk,
+                'email': ADD_EMAIL,
+                'secret': ADD_EMAIL_SECRET,
+            }
+            response = self.client.post(self.url, data)
+            self.assertRedirects(response, self.url_redirect)
+        self.assertEqual(SODARUserAdditionalEmail.objects.count(), 1)
+        email = SODARUserAdditionalEmail.objects.first()
+        expected = {
+            'id': email.pk,
+            'user': self.user.pk,
+            'email': ADD_EMAIL,
+            'secret': ADD_EMAIL_SECRET,
+            'verified': False,
+            'sodar_uuid': email.sodar_uuid,
+        }
+        self.assertEqual(model_to_dict(email), expected)
+        self.assertEqual(
+            TimelineEvent.objects.filter(event_name='email_create').count(), 1
+        )
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(mail.outbox[0].recipients(), [ADD_EMAIL])
+        verify_url = reverse(
+            'userprofile:email_verify', kwargs={'secret': email.secret}
+        )
+        self.assertIn(verify_url, mail.outbox[0].body)
+
+    def test_post_existing_primary(self):
+        """Test POST with email used as primary email for user"""
+        self.assertEqual(SODARUserAdditionalEmail.objects.count(), 0)
+        self.assertEqual(
+            TimelineEvent.objects.filter(event_name='email_create').count(), 0
+        )
+        self.assertEqual(len(mail.outbox), 0)
+        with self.login(self.user):
+            data = {
+                'user': self.user.pk,
+                'email': self.user.email,
+                'secret': ADD_EMAIL_SECRET,
+            }
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(SODARUserAdditionalEmail.objects.count(), 0)
+        self.assertEqual(
+            TimelineEvent.objects.filter(event_name='email_create').count(), 0
+        )
+        self.assertEqual(len(mail.outbox), 0)
+
+    def test_post_existing_additional(self):
+        """Test POST with email used as additional email for user"""
+        self.make_email(self.user, ADD_EMAIL)
+        with self.login(self.user):
+            data = {
+                'user': self.user.pk,
+                'email': ADD_EMAIL,
+                'secret': ADD_EMAIL_SECRET,
+            }
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 200)
+
+    def test_post_multiple(self):
+        """Test POST with different existing additional email"""
+        self.make_email(self.user, ADD_EMAIL)
+        self.assertEqual(SODARUserAdditionalEmail.objects.count(), 1)
+        self.assertEqual(len(mail.outbox), 0)
+        with self.login(self.user):
+            data = {
+                'user': self.user.pk,
+                'email': ADD_EMAIL2,
+                'secret': ADD_EMAIL_SECRET,
+            }
+            response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(SODARUserAdditionalEmail.objects.count(), 2)
+        self.assertEqual(len(mail.outbox), 1)
+
+
+class TestUserEmailVerifyView(SODARUserAdditionalEmailMixin, UserViewTestBase):
+    """Tests for UserEmailVerifyView"""
+
+    def setUp(self):
+        super().setUp()
+        self.url_redirect = reverse('userprofile:detail')
+        self.email = self.make_email(self.user, ADD_EMAIL, verified=False)
+        self.url = reverse(
+            'userprofile:email_verify', kwargs={'secret': self.email.secret}
+        )
+
+    def test_get(self):
+        """Test UserEmailVerifyView GET"""
+        self.assertEqual(self.email.verified, False)
+        with self.login(self.user):
+            response = self.client.get(self.url)
+            self.assertRedirects(response, self.url_redirect)
+        self.email.refresh_from_db()
+        self.assertEqual(self.email.verified, True)
+        self.assertEqual(
+            list(get_messages(response.wsgi_request))[0].message,
+            EMAIL_VERIFIED_MSG.format(email=self.email.email),
+        )
+
+    def test_get_invalid_secret(self):
+        """Test GET with invalid secret"""
+        self.assertEqual(self.email.verified, False)
+        with self.login(self.user):
+            response = self.client.get(
+                reverse(
+                    'userprofile:email_verify',
+                    kwargs={'secret': build_secret(32)},
+                )
+            )
+        self.assertEqual(response.status_code, 302)
+        self.email.refresh_from_db()
+        self.assertEqual(self.email.verified, False)
+        self.assertEqual(
+            list(get_messages(response.wsgi_request))[0].message,
+            EMAIL_NOT_FOUND_MSG,
+        )
+
+    def test_get_wrong_user(self):
+        """Test GET with wrong user"""
+        user_new = self.make_user('user_new')
+        self.assertEqual(self.email.verified, False)
+        with self.login(user_new):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 302)
+        self.email.refresh_from_db()
+        self.assertEqual(self.email.verified, False)
+        self.assertEqual(
+            list(get_messages(response.wsgi_request))[0].message,
+            EMAIL_NOT_FOUND_MSG,
+        )
+
+    def test_get_verified(self):
+        """Test GET with verified email"""
+        self.email.verified = True
+        self.email.save()
+        with self.login(self.user):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 302)
+        self.email.refresh_from_db()
+        self.assertEqual(self.email.verified, True)
+        self.assertEqual(
+            list(get_messages(response.wsgi_request))[0].message,
+            EMAIL_ALREADY_VERIFIED_MSG,
+        )
+
+
+class TestUserEmailVerifyResendView(
+    SODARUserAdditionalEmailMixin, UserViewTestBase
+):
+    """Tests for UserEmailVerifyResendView"""
+
+    def setUp(self):
+        super().setUp()
+        self.url_redirect = reverse('userprofile:detail')
+        self.email = self.make_email(self.user, ADD_EMAIL, verified=False)
+        self.url = reverse(
+            'userprofile:email_verify_resend',
+            kwargs={'sodaruseradditionalemail': self.email.sodar_uuid},
+        )
+
+    def test_get(self):
+        """Test UserEmailVerifyResendView GET"""
+        self.assertEqual(len(mail.outbox), 0)
+        with self.login(self.user):
+            response = self.client.get(self.url)
+            self.assertRedirects(response, self.url_redirect)
+        self.email.refresh_from_db()
+        self.assertEqual(
+            list(get_messages(response.wsgi_request))[0].message,
+            EMAIL_VERIFY_RESEND_MSG.format(email=self.email.email),
+        )
+        self.assertEqual(len(mail.outbox), 1)
+
+    def test_get_invalid_uuid(self):
+        """Test GET with invalid UUID"""
+        self.assertEqual(self.email.verified, False)
+        with self.login(self.user):
+            response = self.client.get(
+                reverse(
+                    'userprofile:email_verify_resend',
+                    kwargs={'sodaruseradditionalemail': uuid.uuid4()},
+                )
+            )
+        self.assertEqual(response.status_code, 302)
+        self.email.refresh_from_db()
+        self.assertEqual(self.email.verified, False)
+        self.assertEqual(
+            list(get_messages(response.wsgi_request))[0].message,
+            EMAIL_NOT_FOUND_MSG,
+        )
+
+    def test_get_wrong_user(self):
+        """Test GET with wrong user"""
+        user_new = self.make_user('user_new')
+        self.assertEqual(self.email.verified, False)
+        with self.login(user_new):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 302)
+        self.email.refresh_from_db()
+        self.assertEqual(self.email.verified, False)
+        self.assertEqual(
+            list(get_messages(response.wsgi_request))[0].message,
+            EMAIL_NOT_FOUND_MSG,
+        )
+
+    def test_get_verified(self):
+        """Test GET with verified email"""
+        self.email.verified = True
+        self.email.save()
+        with self.login(self.user):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 302)
+        self.email.refresh_from_db()
+        self.assertEqual(self.email.verified, True)
+        self.assertEqual(
+            list(get_messages(response.wsgi_request))[0].message,
+            EMAIL_ALREADY_VERIFIED_MSG,
+        )
+
+
+class TestUserEmailDeleteView(SODARUserAdditionalEmailMixin, UserViewTestBase):
+    """Tests for UserEmailDeleteView"""
+
+    def setUp(self):
+        super().setUp()
+        self.url_redirect = reverse('userprofile:detail')
+        self.email = self.make_email(self.user, ADD_EMAIL, verified=False)
+        self.url = reverse(
+            'userprofile:email_delete',
+            kwargs={'sodaruseradditionalemail': self.email.sodar_uuid},
+        )
+
+    def test_get(self):
+        """Test UserEmailDeleteView GET"""
+        with self.login(self.user):
+            response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.context['object'], self.email)
+
+    def test_post(self):
+        """Test POST"""
+        self.assertEqual(SODARUserAdditionalEmail.objects.count(), 1)
+        with self.login(self.user):
+            response = self.client.post(self.url)
+            self.assertRedirects(response, self.url_redirect)
+        self.assertEqual(SODARUserAdditionalEmail.objects.count(), 0)
diff --git a/userprofile/urls.py b/userprofile/urls.py
index a7bd9492..8229e7ee 100644
--- a/userprofile/urls.py
+++ b/userprofile/urls.py
@@ -11,8 +11,28 @@
         name='detail',
     ),
     path(
-        route='profile/settings/update',
+        route='settings/update',
         view=views.UserSettingsView.as_view(),
         name='settings_update',
     ),
+    path(
+        route='email/create',
+        view=views.UserEmailCreateView.as_view(),
+        name='email_create',
+    ),
+    path(
+        route='email/verify/<str:secret>',
+        view=views.UserEmailVerifyView.as_view(),
+        name='email_verify',
+    ),
+    path(
+        route='email/resend/<uuid:sodaruseradditionalemail>',
+        view=views.UserEmailVerifyResendView.as_view(),
+        name='email_verify_resend',
+    ),
+    path(
+        route='email/delete/<uuid:sodaruseradditionalemail>',
+        view=views.UserEmailDeleteView.as_view(),
+        name='email_delete',
+    ),
 ]
diff --git a/userprofile/views.py b/userprofile/views.py
index 5dfbea1e..3f95688f 100644
--- a/userprofile/views.py
+++ b/userprofile/views.py
@@ -1,21 +1,31 @@
 """UI views for the userprofile app"""
 
+from django.conf import settings
 from django.contrib import auth, messages
 from django.contrib.auth.mixins import LoginRequiredMixin
-from django.urls import reverse_lazy
-from django.views.generic import TemplateView, FormView
+from django.shortcuts import redirect
+from django.urls import reverse, reverse_lazy
+from django.views.generic import (
+    TemplateView,
+    FormView,
+    CreateView,
+    DeleteView,
+    View,
+)
 
 # Projectroles dependency
 from projectroles.app_settings import AppSettingAPI
-from projectroles.models import SODAR_CONSTANTS
-from projectroles.plugins import get_active_plugins
+from projectroles.email import send_generic_mail, get_email_user
+from projectroles.models import SODARUserAdditionalEmail, SODAR_CONSTANTS
+from projectroles.plugins import get_active_plugins, get_backend_api
 from projectroles.views import (
     LoggedInPermissionMixin,
     HTTPRefererMixin,
     InvalidFormMixin,
+    CurrentUserFormMixin,
 )
 
-from userprofile.forms import UserSettingsForm
+from userprofile.forms import UserSettingsForm, UserEmailForm
 
 
 User = auth.get_user_model()
@@ -27,7 +37,25 @@
 APP_SETTING_SCOPE_USER = SODAR_CONSTANTS['APP_SETTING_SCOPE_USER']
 
 # Local Constants
+APP_NAME = 'userprofile'
 SETTING_UPDATE_MSG = 'User settings updated.'
+VERIFY_EMAIL_SUBJECT = 'Verify your additional email address for {site}'
+VERIFY_EMAIL_BODY = r'''
+{user} has added this address to their
+additional emails on {site}.
+
+Once verified, the site may use this email to send automated email for
+notifications as configured in user settings.
+
+Please verify this email address by following this URL:
+{url}
+
+If this was not requested by you, this message can be ignored.
+'''.lstrip()
+EMAIL_NOT_FOUND_MSG = 'No email found.'
+EMAIL_ALREADY_VERIFIED_MSG = 'Email already verified.'
+EMAIL_VERIFIED_MSG = 'Email "{email}" verified.'
+EMAIL_VERIFY_RESEND_MSG = 'Verification message to "{email}" resent.'
 
 
 class UserDetailView(LoginRequiredMixin, LoggedInPermissionMixin, TemplateView):
@@ -49,7 +77,9 @@ def _get_user_settings(self):
             else:
                 name = 'projectroles'
                 p_settings = app_settings.get_definitions(
-                    APP_SETTING_SCOPE_USER, app_name=name, user_modifiable=True
+                    APP_SETTING_SCOPE_USER,
+                    plugin_name=name,
+                    user_modifiable=True,
                 )
             for k, v in p_settings.items():
                 yield {
@@ -61,7 +91,9 @@ def _get_user_settings(self):
     def get_context_data(self, **kwargs):
         result = super().get_context_data(**kwargs)
         result['user_settings'] = list(self._get_user_settings())
-        result['local_user'] = self.request.user.is_local()
+        result['add_emails'] = SODARUserAdditionalEmail.objects.filter(
+            user=self.request.user
+        ).order_by('email')
         return result
 
 
@@ -88,10 +120,152 @@ def form_valid(self, form):
         result = super().form_valid(form)
         for k, v in form.cleaned_data.items():
             if k.startswith('settings.'):
-                _, app_name, setting_name = k.split('.', 3)
+                _, plugin_name, setting_name = k.split('.', 3)
                 # TODO: Omit global USER settings (#1329)
                 app_settings.set(
-                    app_name, setting_name, v, user=self.request.user
+                    plugin_name, setting_name, v, user=self.request.user
                 )
         messages.success(self.request, SETTING_UPDATE_MSG)
         return result
+
+
+class UserEmailMixin:
+    """Mixin for user email helpers"""
+
+    def send_verify_email(self, email, resend=False):
+        """
+        Send verification message to additional email address.
+
+        :param email: SODARUserAdditionalEmail object
+        """
+        subject = VERIFY_EMAIL_SUBJECT.format(site=settings.SITE_INSTANCE_TITLE)
+        body = VERIFY_EMAIL_BODY.format(
+            user=get_email_user(email.user),
+            site=settings.SITE_INSTANCE_TITLE,
+            url=self.request.build_absolute_uri(
+                reverse(
+                    'userprofile:email_verify', kwargs={'secret': email.secret}
+                )
+            ),
+        )
+        try:
+            send_generic_mail(subject, body, [email.email], self.request)
+            if resend:
+                messages.success(
+                    self.request,
+                    EMAIL_VERIFY_RESEND_MSG.format(email=email.email),
+                )
+            else:
+                messages.success(
+                    self.request,
+                    'Email added. A verification message has been sent to the '
+                    'address. Follow the received verification link to '
+                    'activate the address.',
+                )
+        except Exception as ex:
+            messages.error(
+                self.request, 'Failed to send verification mail: {}'.format(ex)
+            )
+
+
+class UserEmailCreateView(
+    LoginRequiredMixin,
+    LoggedInPermissionMixin,
+    CurrentUserFormMixin,
+    UserEmailMixin,
+    CreateView,
+):
+    """User additional email creation view"""
+
+    form_class = UserEmailForm
+    permission_required = 'userprofile.create_email'
+    template_name = 'userprofile/email_form.html'
+
+    def get_success_url(self):
+        timeline = get_backend_api('timeline_backend')
+        self.send_verify_email(self.object)
+        if timeline:
+            timeline.add_event(
+                project=None,
+                app_name=APP_NAME,
+                user=self.request.user,
+                event_name='email_create',
+                description='create additional email "{}"'.format(
+                    self.object.email
+                ),
+                classified=True,
+                status_type=timeline.TL_STATUS_OK,
+            )
+        return reverse('userprofile:detail')
+
+    def get(self, *args, **kwargs):
+        if not settings.PROJECTROLES_SEND_EMAIL:
+            messages.warning(
+                self.request,
+                'Email sending disabled, adding email addresses is not '
+                'allowed.',
+            )
+            return redirect(reverse('userprofile:detail'))
+        return super().get(*args, **kwargs)
+
+
+class UserEmailVerifyView(LoginRequiredMixin, LoggedInPermissionMixin, View):
+    """View for verifying a created additional email address"""
+
+    http_method_names = ['get']
+    permission_required = 'userprofile.create_email'
+
+    def get(self, request, *args, **kwargs):
+        secret = self.kwargs.get('secret')
+        email = SODARUserAdditionalEmail.objects.filter(
+            user=request.user, secret=secret
+        ).first()
+        if not email:
+            messages.error(request, EMAIL_NOT_FOUND_MSG)
+        elif email.verified:
+            messages.info(request, EMAIL_ALREADY_VERIFIED_MSG)
+        else:
+            email.verified = True
+            email.save()
+            messages.success(
+                request, EMAIL_VERIFIED_MSG.format(email=email.email)
+            )
+        return redirect(reverse('userprofile:detail'))
+
+
+class UserEmailVerifyResendView(
+    LoginRequiredMixin, LoggedInPermissionMixin, UserEmailMixin, View
+):
+    """View for resending additional email verification message"""
+
+    http_method_names = ['get']
+    permission_required = 'userprofile.create_email'
+
+    def get(self, request, *args, **kwargs):
+        email_uuid = self.kwargs.get('sodaruseradditionalemail')
+        email = SODARUserAdditionalEmail.objects.filter(
+            user=request.user, sodar_uuid=email_uuid
+        ).first()
+        if not email:
+            messages.error(request, EMAIL_NOT_FOUND_MSG)
+        elif email.verified:
+            messages.info(request, EMAIL_ALREADY_VERIFIED_MSG)
+        else:
+            self.send_verify_email(email, resend=True)
+        return redirect(reverse('userprofile:detail'))
+
+
+class UserEmailDeleteView(
+    LoginRequiredMixin, LoggedInPermissionMixin, DeleteView
+):
+    """View for deleting additional email"""
+
+    model = SODARUserAdditionalEmail
+    permission_required = 'userprofile.delete_email'
+    slug_url_kwarg = 'sodaruseradditionalemail'
+    slug_field = 'sodar_uuid'
+    template_name = 'userprofile/email_confirm_delete.html'
+
+    def get_success_url(self):
+        messages.success(self.request, 'Email address deleted.')
+        return reverse('userprofile:detail')
diff --git a/utility/get_chromedriver_url.py b/utility/get_chromedriver_url.py
index deb7fa1a..a27c550e 100644
--- a/utility/get_chromedriver_url.py
+++ b/utility/get_chromedriver_url.py
@@ -17,7 +17,7 @@
     'last-known-good-versions.json'
 )
 DL_URL = (
-    'https://edgedl.me.gvt1.com/edgedl/chrome/chrome-for-testing/'
+    'https://storage.googleapis.com/chrome-for-testing-public/'
     '{driver_version}/{platform}/chromedriver-linux64.zip'
 )
 PLATFORM = 'linux64'
diff --git a/utility/install_os_gitlab.sh b/utility/install_os_gitlab.sh
index 8f0e0465..8f1e9f69 100755
--- a/utility/install_os_gitlab.sh
+++ b/utility/install_os_gitlab.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Install OS dependencies for Docker image python:3.8 used in Gitlab CI
+# Install OS dependencies for Docker image python used in Gitlab CI
 
 echo "***********************************************"
 echo "Apt-get update"
diff --git a/utility/install_postgres.sh b/utility/install_postgres.sh
index db10302c..209c792a 100755
--- a/utility/install_postgres.sh
+++ b/utility/install_postgres.sh
@@ -1,9 +1,9 @@
 #!/usr/bin/env bash
 
 echo "***********************************************"
-echo "Installing PostgreSQL v11"
+echo "Installing PostgreSQL v16"
 echo "***********************************************"
 add-apt-repository -y "deb http://apt.postgresql.org/pub/repos/apt/ $(lsb_release -cs)-pgdg main"
 wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
 apt-get -y update
-apt-get -y install postgresql-11
+apt-get -y install postgresql-16
diff --git a/utility/install_python.sh b/utility/install_python.sh
index d74cf554..2cab6db3 100755
--- a/utility/install_python.sh
+++ b/utility/install_python.sh
@@ -1,9 +1,9 @@
 #!/usr/bin/env bash
 
 echo "***********************************************"
-echo "Installing Python 3.8"
+echo "Installing Python 3.11"
 echo "***********************************************"
 add-apt-repository -y ppa:deadsnakes/ppa
 apt-get -y update
-apt-get -y install python3.8 python3.8-dev python3.8-venv
-curl https://bootstrap.pypa.io/get-pip.py | sudo -H python3.8
+apt-get -y install python3.11 python3.11-dev python3.11-venv
+curl https://bootstrap.pypa.io/get-pip.py | sudo -H python3.11
diff --git a/utility/install_python_dependencies.sh b/utility/install_python_dependencies.sh
index a8f94497..7e39d83c 100755
--- a/utility/install_python_dependencies.sh
+++ b/utility/install_python_dependencies.sh
@@ -22,7 +22,7 @@ if [ -z "$VIRTUAL_ENV" ]; then
     echo >&2 -e "\n"
     exit 1;
 else
-    pip install "wheel>=0.40.0, <0.41"
+    pip install "wheel>=0.42.0, <0.43"
     pip install -r $PROJECT_DIR/requirements/local.txt
     pip install -r $PROJECT_DIR/requirements/test.txt
     pip install -r $PROJECT_DIR/requirements.txt
diff --git a/versioneer.py b/versioneer.py
index 18e34c2f..1e3753e6 100644
--- a/versioneer.py
+++ b/versioneer.py
@@ -1,5 +1,5 @@
 
-# Version: 0.28
+# Version: 0.29
 
 """The Versioneer - like a rocketeer, but for versions.
 
@@ -10,7 +10,7 @@
 * https://github.com/python-versioneer/python-versioneer
 * Brian Warner
 * License: Public Domain (Unlicense)
-* Compatible with: Python 3.7, 3.8, 3.9, 3.10 and pypy3
+* Compatible with: Python 3.7, 3.8, 3.9, 3.10, 3.11 and pypy3
 * [![Latest Version][pypi-image]][pypi-url]
 * [![Build Status][travis-image]][travis-url]
 
@@ -316,7 +316,8 @@
 import subprocess
 import sys
 from pathlib import Path
-from typing import Callable, Dict
+from typing import Any, Callable, cast, Dict, List, Optional, Tuple, Union
+from typing import NoReturn
 import functools
 
 have_tomllib = True
@@ -332,8 +333,16 @@
 class VersioneerConfig:
     """Container for Versioneer configuration parameters."""
 
+    VCS: str
+    style: str
+    tag_prefix: str
+    versionfile_source: str
+    versionfile_build: Optional[str]
+    parentdir_prefix: Optional[str]
+    verbose: Optional[bool]
 
-def get_root():
+
+def get_root() -> str:
     """Get the project root directory.
 
     We require that all commands are run from the project root, i.e. the
@@ -341,13 +350,23 @@ def get_root():
     """
     root = os.path.realpath(os.path.abspath(os.getcwd()))
     setup_py = os.path.join(root, "setup.py")
+    pyproject_toml = os.path.join(root, "pyproject.toml")
     versioneer_py = os.path.join(root, "versioneer.py")
-    if not (os.path.exists(setup_py) or os.path.exists(versioneer_py)):
+    if not (
+        os.path.exists(setup_py)
+        or os.path.exists(pyproject_toml)
+        or os.path.exists(versioneer_py)
+    ):
         # allow 'python path/to/setup.py COMMAND'
         root = os.path.dirname(os.path.realpath(os.path.abspath(sys.argv[0])))
         setup_py = os.path.join(root, "setup.py")
+        pyproject_toml = os.path.join(root, "pyproject.toml")
         versioneer_py = os.path.join(root, "versioneer.py")
-    if not (os.path.exists(setup_py) or os.path.exists(versioneer_py)):
+    if not (
+        os.path.exists(setup_py)
+        or os.path.exists(pyproject_toml)
+        or os.path.exists(versioneer_py)
+    ):
         err = ("Versioneer was unable to run the project root directory. "
                "Versioneer requires setup.py to be executed from "
                "its immediate directory (like 'python setup.py COMMAND'), "
@@ -372,23 +391,24 @@ def get_root():
     return root
 
 
-def get_config_from_root(root):
+def get_config_from_root(root: str) -> VersioneerConfig:
     """Read the project setup.cfg file to determine Versioneer config."""
     # This might raise OSError (if setup.cfg is missing), or
     # configparser.NoSectionError (if it lacks a [versioneer] section), or
     # configparser.NoOptionError (if it lacks "VCS="). See the docstring at
     # the top of versioneer.py for instructions on writing your setup.cfg .
-    root = Path(root)
-    pyproject_toml = root / "pyproject.toml"
-    setup_cfg = root / "setup.cfg"
-    section = None
+    root_pth = Path(root)
+    pyproject_toml = root_pth / "pyproject.toml"
+    setup_cfg = root_pth / "setup.cfg"
+    section: Union[Dict[str, Any], configparser.SectionProxy, None] = None
     if pyproject_toml.exists() and have_tomllib:
         try:
             with open(pyproject_toml, 'rb') as fobj:
                 pp = tomllib.load(fobj)
             section = pp['tool']['versioneer']
-        except (tomllib.TOMLDecodeError, KeyError):
-            pass
+        except (tomllib.TOMLDecodeError, KeyError) as e:
+            print(f"Failed to load config from {pyproject_toml}: {e}")
+            print("Try to load it from setup.cfg")
     if not section:
         parser = configparser.ConfigParser()
         with open(setup_cfg) as cfg_file:
@@ -397,16 +417,25 @@ def get_config_from_root(root):
 
         section = parser["versioneer"]
 
+    # `cast`` really shouldn't be used, but its simplest for the
+    # common VersioneerConfig users at the moment. We verify against
+    # `None` values elsewhere where it matters
+
     cfg = VersioneerConfig()
     cfg.VCS = section['VCS']
     cfg.style = section.get("style", "")
-    cfg.versionfile_source = section.get("versionfile_source")
+    cfg.versionfile_source = cast(str, section.get("versionfile_source"))
     cfg.versionfile_build = section.get("versionfile_build")
-    cfg.tag_prefix = section.get("tag_prefix")
+    cfg.tag_prefix = cast(str, section.get("tag_prefix"))
     if cfg.tag_prefix in ("''", '""', None):
         cfg.tag_prefix = ""
     cfg.parentdir_prefix = section.get("parentdir_prefix")
-    cfg.verbose = section.get("verbose")
+    if isinstance(section, configparser.SectionProxy):
+        # Make sure configparser translates to bool
+        cfg.verbose = section.getboolean("verbose")
+    else:
+        cfg.verbose = section.get("verbose")
+
     return cfg
 
 
@@ -419,22 +448,28 @@ class NotThisMethod(Exception):
 HANDLERS: Dict[str, Dict[str, Callable]] = {}
 
 
-def register_vcs_handler(vcs, method):  # decorator
+def register_vcs_handler(vcs: str, method: str) -> Callable:  # decorator
     """Create decorator to mark a method as the handler of a VCS."""
-    def decorate(f):
+    def decorate(f: Callable) -> Callable:
         """Store f in HANDLERS[vcs][method]."""
         HANDLERS.setdefault(vcs, {})[method] = f
         return f
     return decorate
 
 
-def run_command(commands, args, cwd=None, verbose=False, hide_stderr=False,
-                env=None):
+def run_command(
+    commands: List[str],
+    args: List[str],
+    cwd: Optional[str] = None,
+    verbose: bool = False,
+    hide_stderr: bool = False,
+    env: Optional[Dict[str, str]] = None,
+) -> Tuple[Optional[str], Optional[int]]:
     """Call the given command(s)."""
     assert isinstance(commands, list)
     process = None
 
-    popen_kwargs = {}
+    popen_kwargs: Dict[str, Any] = {}
     if sys.platform == "win32":
         # This hides the console window if pythonw.exe is used
         startupinfo = subprocess.STARTUPINFO()
@@ -450,8 +485,7 @@ def run_command(commands, args, cwd=None, verbose=False, hide_stderr=False,
                                        stderr=(subprocess.PIPE if hide_stderr
                                                else None), **popen_kwargs)
             break
-        except OSError:
-            e = sys.exc_info()[1]
+        except OSError as e:
             if e.errno == errno.ENOENT:
                 continue
             if verbose:
@@ -479,7 +513,7 @@ def run_command(commands, args, cwd=None, verbose=False, hide_stderr=False,
 # that just contains the computed version number.
 
 # This file is released into the public domain.
-# Generated by versioneer-0.28
+# Generated by versioneer-0.29
 # https://github.com/python-versioneer/python-versioneer
 
 """Git implementation of _version.py."""
@@ -489,11 +523,11 @@ def run_command(commands, args, cwd=None, verbose=False, hide_stderr=False,
 import re
 import subprocess
 import sys
-from typing import Callable, Dict
+from typing import Any, Callable, Dict, List, Optional, Tuple
 import functools
 
 
-def get_keywords():
+def get_keywords() -> Dict[str, str]:
     """Get the keywords needed to look up the version information."""
     # these strings will be replaced by git during git-archive.
     # setup.py/versioneer.py will grep for the variable names, so they must
@@ -509,8 +543,15 @@ def get_keywords():
 class VersioneerConfig:
     """Container for Versioneer configuration parameters."""
 
+    VCS: str
+    style: str
+    tag_prefix: str
+    parentdir_prefix: str
+    versionfile_source: str
+    verbose: bool
+
 
-def get_config():
+def get_config() -> VersioneerConfig:
     """Create, populate and return the VersioneerConfig() object."""
     # these strings are filled in when 'setup.py versioneer' creates
     # _version.py
@@ -532,9 +573,9 @@ class NotThisMethod(Exception):
 HANDLERS: Dict[str, Dict[str, Callable]] = {}
 
 
-def register_vcs_handler(vcs, method):  # decorator
+def register_vcs_handler(vcs: str, method: str) -> Callable:  # decorator
     """Create decorator to mark a method as the handler of a VCS."""
-    def decorate(f):
+    def decorate(f: Callable) -> Callable:
         """Store f in HANDLERS[vcs][method]."""
         if vcs not in HANDLERS:
             HANDLERS[vcs] = {}
@@ -543,13 +584,19 @@ def decorate(f):
     return decorate
 
 
-def run_command(commands, args, cwd=None, verbose=False, hide_stderr=False,
-                env=None):
+def run_command(
+    commands: List[str],
+    args: List[str],
+    cwd: Optional[str] = None,
+    verbose: bool = False,
+    hide_stderr: bool = False,
+    env: Optional[Dict[str, str]] = None,
+) -> Tuple[Optional[str], Optional[int]]:
     """Call the given command(s)."""
     assert isinstance(commands, list)
     process = None
 
-    popen_kwargs = {}
+    popen_kwargs: Dict[str, Any] = {}
     if sys.platform == "win32":
         # This hides the console window if pythonw.exe is used
         startupinfo = subprocess.STARTUPINFO()
@@ -565,8 +612,7 @@ def run_command(commands, args, cwd=None, verbose=False, hide_stderr=False,
                                        stderr=(subprocess.PIPE if hide_stderr
                                                else None), **popen_kwargs)
             break
-        except OSError:
-            e = sys.exc_info()[1]
+        except OSError as e:
             if e.errno == errno.ENOENT:
                 continue
             if verbose:
@@ -586,7 +632,11 @@ def run_command(commands, args, cwd=None, verbose=False, hide_stderr=False,
     return stdout, process.returncode
 
 
-def versions_from_parentdir(parentdir_prefix, root, verbose):
+def versions_from_parentdir(
+    parentdir_prefix: str,
+    root: str,
+    verbose: bool,
+) -> Dict[str, Any]:
     """Try to determine the version from the parent directory name.
 
     Source tarballs conventionally unpack into a directory that includes both
@@ -611,13 +661,13 @@ def versions_from_parentdir(parentdir_prefix, root, verbose):
 
 
 @register_vcs_handler("git", "get_keywords")
-def git_get_keywords(versionfile_abs):
+def git_get_keywords(versionfile_abs: str) -> Dict[str, str]:
     """Extract version information from the given file."""
     # the code embedded in _version.py can just fetch the value of these
     # keywords. When used from setup.py, we don't want to import _version.py,
     # so we do it with a regexp instead. This function is not used from
     # _version.py.
-    keywords = {}
+    keywords: Dict[str, str] = {}
     try:
         with open(versionfile_abs, "r") as fobj:
             for line in fobj:
@@ -639,7 +689,11 @@ def git_get_keywords(versionfile_abs):
 
 
 @register_vcs_handler("git", "keywords")
-def git_versions_from_keywords(keywords, tag_prefix, verbose):
+def git_versions_from_keywords(
+    keywords: Dict[str, str],
+    tag_prefix: str,
+    verbose: bool,
+) -> Dict[str, Any]:
     """Get version information from git keywords."""
     if "refnames" not in keywords:
         raise NotThisMethod("Short version file found")
@@ -703,7 +757,12 @@ def git_versions_from_keywords(keywords, tag_prefix, verbose):
 
 
 @register_vcs_handler("git", "pieces_from_vcs")
-def git_pieces_from_vcs(tag_prefix, root, verbose, runner=run_command):
+def git_pieces_from_vcs(
+    tag_prefix: str,
+    root: str,
+    verbose: bool,
+    runner: Callable = run_command
+) -> Dict[str, Any]:
     """Get version from 'git describe' in the root of the source tree.
 
     This only gets called if the git-archive 'subst' keywords were *not*
@@ -743,7 +802,7 @@ def git_pieces_from_vcs(tag_prefix, root, verbose, runner=run_command):
         raise NotThisMethod("'git rev-parse' failed")
     full_out = full_out.strip()
 
-    pieces = {}
+    pieces: Dict[str, Any] = {}
     pieces["long"] = full_out
     pieces["short"] = full_out[:7]  # maybe improved later
     pieces["error"] = None
@@ -835,14 +894,14 @@ def git_pieces_from_vcs(tag_prefix, root, verbose, runner=run_command):
     return pieces
 
 
-def plus_or_dot(pieces):
+def plus_or_dot(pieces: Dict[str, Any]) -> str:
     """Return a + if we don't already have one, else return a ."""
     if "+" in pieces.get("closest-tag", ""):
         return "."
     return "+"
 
 
-def render_pep440(pieces):
+def render_pep440(pieces: Dict[str, Any]) -> str:
     """Build up version string, with post-release "local version identifier".
 
     Our goal: TAG[+DISTANCE.gHEX[.dirty]] . Note that if you
@@ -867,7 +926,7 @@ def render_pep440(pieces):
     return rendered
 
 
-def render_pep440_branch(pieces):
+def render_pep440_branch(pieces: Dict[str, Any]) -> str:
     """TAG[[.dev0]+DISTANCE.gHEX[.dirty]] .
 
     The ".dev0" means not master branch. Note that .dev0 sorts backwards
@@ -897,7 +956,7 @@ def render_pep440_branch(pieces):
     return rendered
 
 
-def pep440_split_post(ver):
+def pep440_split_post(ver: str) -> Tuple[str, Optional[int]]:
     """Split pep440 version string at the post-release segment.
 
     Returns the release segments before the post-release and the
@@ -907,7 +966,7 @@ def pep440_split_post(ver):
     return vc[0], int(vc[1] or 0) if len(vc) == 2 else None
 
 
-def render_pep440_pre(pieces):
+def render_pep440_pre(pieces: Dict[str, Any]) -> str:
     """TAG[.postN.devDISTANCE] -- No -dirty.
 
     Exceptions:
@@ -931,7 +990,7 @@ def render_pep440_pre(pieces):
     return rendered
 
 
-def render_pep440_post(pieces):
+def render_pep440_post(pieces: Dict[str, Any]) -> str:
     """TAG[.postDISTANCE[.dev0]+gHEX] .
 
     The ".dev0" means dirty. Note that .dev0 sorts backwards
@@ -958,7 +1017,7 @@ def render_pep440_post(pieces):
     return rendered
 
 
-def render_pep440_post_branch(pieces):
+def render_pep440_post_branch(pieces: Dict[str, Any]) -> str:
     """TAG[.postDISTANCE[.dev0]+gHEX[.dirty]] .
 
     The ".dev0" means not master branch.
@@ -987,7 +1046,7 @@ def render_pep440_post_branch(pieces):
     return rendered
 
 
-def render_pep440_old(pieces):
+def render_pep440_old(pieces: Dict[str, Any]) -> str:
     """TAG[.postDISTANCE[.dev0]] .
 
     The ".dev0" means dirty.
@@ -1009,7 +1068,7 @@ def render_pep440_old(pieces):
     return rendered
 
 
-def render_git_describe(pieces):
+def render_git_describe(pieces: Dict[str, Any]) -> str:
     """TAG[-DISTANCE-gHEX][-dirty].
 
     Like 'git describe --tags --dirty --always'.
@@ -1029,7 +1088,7 @@ def render_git_describe(pieces):
     return rendered
 
 
-def render_git_describe_long(pieces):
+def render_git_describe_long(pieces: Dict[str, Any]) -> str:
     """TAG-DISTANCE-gHEX[-dirty].
 
     Like 'git describe --tags --dirty --always -long'.
@@ -1049,7 +1108,7 @@ def render_git_describe_long(pieces):
     return rendered
 
 
-def render(pieces, style):
+def render(pieces: Dict[str, Any], style: str) -> Dict[str, Any]:
     """Render the given version pieces into the requested style."""
     if pieces["error"]:
         return {"version": "unknown",
@@ -1085,7 +1144,7 @@ def render(pieces, style):
             "date": pieces.get("date")}
 
 
-def get_versions():
+def get_versions() -> Dict[str, Any]:
     """Get version information or return default if unable to do so."""
     # I am in _version.py, which lives at ROOT/VERSIONFILE_SOURCE. If we have
     # __file__, we can work backwards from there to the root. Some
@@ -1133,13 +1192,13 @@ def get_versions():
 
 
 @register_vcs_handler("git", "get_keywords")
-def git_get_keywords(versionfile_abs):
+def git_get_keywords(versionfile_abs: str) -> Dict[str, str]:
     """Extract version information from the given file."""
     # the code embedded in _version.py can just fetch the value of these
     # keywords. When used from setup.py, we don't want to import _version.py,
     # so we do it with a regexp instead. This function is not used from
     # _version.py.
-    keywords = {}
+    keywords: Dict[str, str] = {}
     try:
         with open(versionfile_abs, "r") as fobj:
             for line in fobj:
@@ -1161,7 +1220,11 @@ def git_get_keywords(versionfile_abs):
 
 
 @register_vcs_handler("git", "keywords")
-def git_versions_from_keywords(keywords, tag_prefix, verbose):
+def git_versions_from_keywords(
+    keywords: Dict[str, str],
+    tag_prefix: str,
+    verbose: bool,
+) -> Dict[str, Any]:
     """Get version information from git keywords."""
     if "refnames" not in keywords:
         raise NotThisMethod("Short version file found")
@@ -1225,7 +1288,12 @@ def git_versions_from_keywords(keywords, tag_prefix, verbose):
 
 
 @register_vcs_handler("git", "pieces_from_vcs")
-def git_pieces_from_vcs(tag_prefix, root, verbose, runner=run_command):
+def git_pieces_from_vcs(
+    tag_prefix: str,
+    root: str,
+    verbose: bool,
+    runner: Callable = run_command
+) -> Dict[str, Any]:
     """Get version from 'git describe' in the root of the source tree.
 
     This only gets called if the git-archive 'subst' keywords were *not*
@@ -1265,7 +1333,7 @@ def git_pieces_from_vcs(tag_prefix, root, verbose, runner=run_command):
         raise NotThisMethod("'git rev-parse' failed")
     full_out = full_out.strip()
 
-    pieces = {}
+    pieces: Dict[str, Any] = {}
     pieces["long"] = full_out
     pieces["short"] = full_out[:7]  # maybe improved later
     pieces["error"] = None
@@ -1357,7 +1425,7 @@ def git_pieces_from_vcs(tag_prefix, root, verbose, runner=run_command):
     return pieces
 
 
-def do_vcs_install(versionfile_source, ipy):
+def do_vcs_install(versionfile_source: str, ipy: Optional[str]) -> None:
     """Git-specific installation logic for Versioneer.
 
     For Git, this means creating/changing .gitattributes to mark _version.py
@@ -1395,7 +1463,11 @@ def do_vcs_install(versionfile_source, ipy):
     run_command(GITS, ["add", "--"] + files)
 
 
-def versions_from_parentdir(parentdir_prefix, root, verbose):
+def versions_from_parentdir(
+    parentdir_prefix: str,
+    root: str,
+    verbose: bool,
+) -> Dict[str, Any]:
     """Try to determine the version from the parent directory name.
 
     Source tarballs conventionally unpack into a directory that includes both
@@ -1420,7 +1492,7 @@ def versions_from_parentdir(parentdir_prefix, root, verbose):
 
 
 SHORT_VERSION_PY = """
-# This file was generated by 'versioneer.py' (0.28) from
+# This file was generated by 'versioneer.py' (0.29) from
 # revision-control system data, or from the parent directory name of an
 # unpacked source archive. Distribution tarballs contain a pre-generated copy
 # of this file.
@@ -1437,7 +1509,7 @@ def get_versions():
 """
 
 
-def versions_from_file(filename):
+def versions_from_file(filename: str) -> Dict[str, Any]:
     """Try to determine the version from _version.py if present."""
     try:
         with open(filename) as f:
@@ -1454,9 +1526,8 @@ def versions_from_file(filename):
     return json.loads(mo.group(1))
 
 
-def write_to_version_file(filename, versions):
+def write_to_version_file(filename: str, versions: Dict[str, Any]) -> None:
     """Write the given version number to the given _version.py file."""
-    os.unlink(filename)
     contents = json.dumps(versions, sort_keys=True,
                           indent=1, separators=(",", ": "))
     with open(filename, "w") as f:
@@ -1465,14 +1536,14 @@ def write_to_version_file(filename, versions):
     print("set %s to '%s'" % (filename, versions["version"]))
 
 
-def plus_or_dot(pieces):
+def plus_or_dot(pieces: Dict[str, Any]) -> str:
     """Return a + if we don't already have one, else return a ."""
     if "+" in pieces.get("closest-tag", ""):
         return "."
     return "+"
 
 
-def render_pep440(pieces):
+def render_pep440(pieces: Dict[str, Any]) -> str:
     """Build up version string, with post-release "local version identifier".
 
     Our goal: TAG[+DISTANCE.gHEX[.dirty]] . Note that if you
@@ -1497,7 +1568,7 @@ def render_pep440(pieces):
     return rendered
 
 
-def render_pep440_branch(pieces):
+def render_pep440_branch(pieces: Dict[str, Any]) -> str:
     """TAG[[.dev0]+DISTANCE.gHEX[.dirty]] .
 
     The ".dev0" means not master branch. Note that .dev0 sorts backwards
@@ -1527,7 +1598,7 @@ def render_pep440_branch(pieces):
     return rendered
 
 
-def pep440_split_post(ver):
+def pep440_split_post(ver: str) -> Tuple[str, Optional[int]]:
     """Split pep440 version string at the post-release segment.
 
     Returns the release segments before the post-release and the
@@ -1537,7 +1608,7 @@ def pep440_split_post(ver):
     return vc[0], int(vc[1] or 0) if len(vc) == 2 else None
 
 
-def render_pep440_pre(pieces):
+def render_pep440_pre(pieces: Dict[str, Any]) -> str:
     """TAG[.postN.devDISTANCE] -- No -dirty.
 
     Exceptions:
@@ -1561,7 +1632,7 @@ def render_pep440_pre(pieces):
     return rendered
 
 
-def render_pep440_post(pieces):
+def render_pep440_post(pieces: Dict[str, Any]) -> str:
     """TAG[.postDISTANCE[.dev0]+gHEX] .
 
     The ".dev0" means dirty. Note that .dev0 sorts backwards
@@ -1588,7 +1659,7 @@ def render_pep440_post(pieces):
     return rendered
 
 
-def render_pep440_post_branch(pieces):
+def render_pep440_post_branch(pieces: Dict[str, Any]) -> str:
     """TAG[.postDISTANCE[.dev0]+gHEX[.dirty]] .
 
     The ".dev0" means not master branch.
@@ -1617,7 +1688,7 @@ def render_pep440_post_branch(pieces):
     return rendered
 
 
-def render_pep440_old(pieces):
+def render_pep440_old(pieces: Dict[str, Any]) -> str:
     """TAG[.postDISTANCE[.dev0]] .
 
     The ".dev0" means dirty.
@@ -1639,7 +1710,7 @@ def render_pep440_old(pieces):
     return rendered
 
 
-def render_git_describe(pieces):
+def render_git_describe(pieces: Dict[str, Any]) -> str:
     """TAG[-DISTANCE-gHEX][-dirty].
 
     Like 'git describe --tags --dirty --always'.
@@ -1659,7 +1730,7 @@ def render_git_describe(pieces):
     return rendered
 
 
-def render_git_describe_long(pieces):
+def render_git_describe_long(pieces: Dict[str, Any]) -> str:
     """TAG-DISTANCE-gHEX[-dirty].
 
     Like 'git describe --tags --dirty --always -long'.
@@ -1679,7 +1750,7 @@ def render_git_describe_long(pieces):
     return rendered
 
 
-def render(pieces, style):
+def render(pieces: Dict[str, Any], style: str) -> Dict[str, Any]:
     """Render the given version pieces into the requested style."""
     if pieces["error"]:
         return {"version": "unknown",
@@ -1719,7 +1790,7 @@ class VersioneerBadRootError(Exception):
     """The project root directory is unknown or missing key files."""
 
 
-def get_versions(verbose=False):
+def get_versions(verbose: bool = False) -> Dict[str, Any]:
     """Get the project version from whatever source is available.
 
     Returns dict with two keys: 'version' and 'full'.
@@ -1734,7 +1805,7 @@ def get_versions(verbose=False):
     assert cfg.VCS is not None, "please set [versioneer]VCS= in setup.cfg"
     handlers = HANDLERS.get(cfg.VCS)
     assert handlers, "unrecognized VCS '%s'" % cfg.VCS
-    verbose = verbose or cfg.verbose
+    verbose = verbose or bool(cfg.verbose)  # `bool()` used to avoid `None`
     assert cfg.versionfile_source is not None, \
         "please set versioneer.versionfile_source"
     assert cfg.tag_prefix is not None, "please set versioneer.tag_prefix"
@@ -1795,12 +1866,12 @@ def get_versions(verbose=False):
             "date": None}
 
 
-def get_version():
+def get_version() -> str:
     """Get the short version string for this project."""
     return get_versions()["version"]
 
 
-def get_cmdclass(cmdclass=None):
+def get_cmdclass(cmdclass: Optional[Dict[str, Any]] = None):
     """Get the custom setuptools subclasses used by Versioneer.
 
     If the package uses a different cmdclass (e.g. one from numpy), it
@@ -1828,16 +1899,16 @@ def get_cmdclass(cmdclass=None):
 
     class cmd_version(Command):
         description = "report generated version string"
-        user_options = []
-        boolean_options = []
+        user_options: List[Tuple[str, str, str]] = []
+        boolean_options: List[str] = []
 
-        def initialize_options(self):
+        def initialize_options(self) -> None:
             pass
 
-        def finalize_options(self):
+        def finalize_options(self) -> None:
             pass
 
-        def run(self):
+        def run(self) -> None:
             vers = get_versions(verbose=True)
             print("Version: %s" % vers["version"])
             print(" full-revisionid: %s" % vers.get("full-revisionid"))
@@ -1867,12 +1938,12 @@ def run(self):
 
     # we override different "build_py" commands for both environments
     if 'build_py' in cmds:
-        _build_py = cmds['build_py']
+        _build_py: Any = cmds['build_py']
     else:
         from setuptools.command.build_py import build_py as _build_py
 
     class cmd_build_py(_build_py):
-        def run(self):
+        def run(self) -> None:
             root = get_root()
             cfg = get_config_from_root(root)
             versions = get_versions()
@@ -1891,12 +1962,12 @@ def run(self):
     cmds["build_py"] = cmd_build_py
 
     if 'build_ext' in cmds:
-        _build_ext = cmds['build_ext']
+        _build_ext: Any = cmds['build_ext']
     else:
         from setuptools.command.build_ext import build_ext as _build_ext
 
     class cmd_build_ext(_build_ext):
-        def run(self):
+        def run(self) -> None:
             root = get_root()
             cfg = get_config_from_root(root)
             versions = get_versions()
@@ -1923,7 +1994,7 @@ def run(self):
     cmds["build_ext"] = cmd_build_ext
 
     if "cx_Freeze" in sys.modules:  # cx_freeze enabled?
-        from cx_Freeze.dist import build_exe as _build_exe
+        from cx_Freeze.dist import build_exe as _build_exe  # type: ignore
         # nczeczulin reports that py2exe won't like the pep440-style string
         # as FILEVERSION, but it can be used for PRODUCTVERSION, e.g.
         # setup(console=[{
@@ -1932,7 +2003,7 @@ def run(self):
         #   ...
 
         class cmd_build_exe(_build_exe):
-            def run(self):
+            def run(self) -> None:
                 root = get_root()
                 cfg = get_config_from_root(root)
                 versions = get_versions()
@@ -1956,12 +2027,12 @@ def run(self):
 
     if 'py2exe' in sys.modules:  # py2exe enabled?
         try:
-            from py2exe.setuptools_buildexe import py2exe as _py2exe
+            from py2exe.setuptools_buildexe import py2exe as _py2exe  # type: ignore
         except ImportError:
-            from py2exe.distutils_buildexe import py2exe as _py2exe
+            from py2exe.distutils_buildexe import py2exe as _py2exe  # type: ignore
 
         class cmd_py2exe(_py2exe):
-            def run(self):
+            def run(self) -> None:
                 root = get_root()
                 cfg = get_config_from_root(root)
                 versions = get_versions()
@@ -1984,12 +2055,12 @@ def run(self):
 
     # sdist farms its file list building out to egg_info
     if 'egg_info' in cmds:
-        _egg_info = cmds['egg_info']
+        _egg_info: Any = cmds['egg_info']
     else:
         from setuptools.command.egg_info import egg_info as _egg_info
 
     class cmd_egg_info(_egg_info):
-        def find_sources(self):
+        def find_sources(self) -> None:
             # egg_info.find_sources builds the manifest list and writes it
             # in one shot
             super().find_sources()
@@ -2021,12 +2092,12 @@ def find_sources(self):
 
     # we override different "sdist" commands for both environments
     if 'sdist' in cmds:
-        _sdist = cmds['sdist']
+        _sdist: Any = cmds['sdist']
     else:
         from setuptools.command.sdist import sdist as _sdist
 
     class cmd_sdist(_sdist):
-        def run(self):
+        def run(self) -> None:
             versions = get_versions()
             self._versioneer_generated_versions = versions
             # unless we update this, the command will keep using the old
@@ -2034,7 +2105,7 @@ def run(self):
             self.distribution.metadata.version = versions["version"]
             return _sdist.run(self)
 
-        def make_release_tree(self, base_dir, files):
+        def make_release_tree(self, base_dir: str, files: List[str]) -> None:
             root = get_root()
             cfg = get_config_from_root(root)
             _sdist.make_release_tree(self, base_dir, files)
@@ -2099,7 +2170,7 @@ def make_release_tree(self, base_dir, files):
 """
 
 
-def do_setup():
+def do_setup() -> int:
     """Do main VCS-independent setup function for installing Versioneer."""
     root = get_root()
     try:
@@ -2126,6 +2197,7 @@ def do_setup():
 
     ipy = os.path.join(os.path.dirname(cfg.versionfile_source),
                        "__init__.py")
+    maybe_ipy: Optional[str] = ipy
     if os.path.exists(ipy):
         try:
             with open(ipy, "r") as f:
@@ -2146,16 +2218,16 @@ def do_setup():
             print(" %s unmodified" % ipy)
     else:
         print(" %s doesn't exist, ok" % ipy)
-        ipy = None
+        maybe_ipy = None
 
     # Make VCS-specific changes. For git, this means creating/changing
     # .gitattributes to mark _version.py for export-subst keyword
     # substitution.
-    do_vcs_install(cfg.versionfile_source, ipy)
+    do_vcs_install(cfg.versionfile_source, maybe_ipy)
     return 0
 
 
-def scan_setup_py():
+def scan_setup_py() -> int:
     """Validate the contents of setup.py against Versioneer's expectations."""
     found = set()
     setters = False
@@ -2192,7 +2264,7 @@ def scan_setup_py():
     return errors
 
 
-def setup_command():
+def setup_command() -> NoReturn:
     """Set up Versioneer and exit with appropriate error code."""
     errors = do_setup()
     errors += scan_setup_py()