diff --git a/control-api/openapispec.yaml b/control-api/openapispec.yaml
new file mode 100644
index 0000000..7c6558b
--- /dev/null
+++ b/control-api/openapispec.yaml
@@ -0,0 +1,26 @@
+openapi: "3.0.2"
+info:
+  title: CRD
+  version: 1.0.0
+components:
+  schemas:
+    CRD:
+      type: object
+      properties:
+        spec:
+          type: object
+          properties:
+            displayName:
+              type: string
+            username:
+              type: string
+            email:
+              type: string
+            defaultOrganizationRef:
+              type: string
+paths:
+  /:
+    get:
+      responses:
+        "200":
+          description: OK
diff --git a/control-api/rbac-test.yaml b/control-api/rbac-test.yaml
new file mode 100644
index 0000000..94c1372
--- /dev/null
+++ b/control-api/rbac-test.yaml
@@ -0,0 +1,47 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: d9050409-b5a2-4058-815e-b5dbead893ed-owner
+rules:
+  - apiGroups: ["appuio.io"]
+    resources: ["users"]
+    resourceNames: ["d9050409-b5a2-4058-815e-b5dbead893ed"]
+    verbs: ["get", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: d9050409-b5a2-4058-815e-b5dbead893ed-owner
+subjects:
+  - kind: User
+    name: appuio#d9050409-b5a2-4058-815e-b5dbead893ed
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: d9050409-b5a2-4058-815e-b5dbead893ed-owner
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: acme-corp-members-viewer
+rules:
+  - apiGroups: ["appuio.io"]
+    resources: ["users"]
+    resourceNames:
+      - d9050409-b5a2-4058-815e-b5dbead893ed
+      - bec0d928-2ae2-4cec-94a0-5f72f12b8b39
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: acme-corp-members
+subjects:
+  - kind: Group
+    name: developer
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: acme-corp-members-viewer
+  apiGroup: rbac.authorization.k8s.io
diff --git a/control-api/user-xrd.yaml b/control-api/user-xrd.yaml
new file mode 100644
index 0000000..34c46cc
--- /dev/null
+++ b/control-api/user-xrd.yaml
@@ -0,0 +1,28 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: CompositeResourceDefinition
+metadata:
+  name: users.appuio.io
+spec:
+  group: appuio.io
+  names:
+    kind: User
+    plural: users
+  versions:
+    - name: v1
+      served: true
+      referenceable: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                displayName:
+                  type: string
+                username:
+                  type: string
+                email:
+                  type: string
+                defaultOrganizationRef:
+                  type: string
diff --git a/control-api/users.yaml b/control-api/users.yaml
new file mode 100644
index 0000000..690f8e1
--- /dev/null
+++ b/control-api/users.yaml
@@ -0,0 +1,19 @@
+apiVersion: appuio.io/v1
+kind: User
+metadata:
+  name: bec0d928-2ae2-4cec-94a0-5f72f12b8b39
+spec:
+  displayName: Kate Demo
+  username: kate.demo
+  email: kate@demo.com
+  defaultOrganizationRef: acme-corp
+---
+apiVersion: appuio.io/v1
+kind: User
+metadata:
+  name: d9050409-b5a2-4058-815e-b5dbead893ed
+spec:
+  displayName: Fredi Hinz
+  username: fredi.hinz
+  email: fredi@demo.com
+  defaultOrganizationRef: acme-corp