diff --git a/data/config.ini b/data/config.ini
index c2d767dd..0e3e4310 100644
--- a/data/config.ini
+++ b/data/config.ini
@@ -80,10 +80,12 @@ registerAccount=anonymous
 ;registerAccount=nobody
 
 listPosts=anonymous
+listPosts.safe=anonymous
 listPosts.sketchy=registered
 listPosts.unsafe=registered
 listPosts.hidden=moderator
 viewPost=anonymous
+viewPost.safe=anonymous
 viewPost.sketchy=registered
 viewPost.unsafe=registered
 viewPost.hidden=moderator
@@ -118,8 +120,8 @@ flagPost=registered
 
 listUsers=registered
 viewUser=registered
-viewUserEmail.all=admin
 viewUserEmail.own=registered
+viewUserEmail.all=admin
 editUserPassword.own=registered
 editUserPassword.all=admin
 editUserEmail.own=registered
@@ -127,8 +129,8 @@ editUserEmail.all=admin
 editUserEmailNoConfirm=admin
 editUserAccessRank=admin
 editUserName=moderator
-editUserSettings.all=nobody
 editUserSettings.own=registered
+editUserSettings.all=nobody
 acceptUserRegistration=moderator
 banUser.own=nobody
 banUser.all=admin
diff --git a/public_html/media/css/static-api.css b/public_html/media/css/static-api.css
index f3ac8d7b..2a31b85a 100644
--- a/public_html/media/css/static-api.css
+++ b/public_html/media/css/static-api.css
@@ -1,5 +1,18 @@
-pre {
+#content pre {
 	background: ghostwhite;
 	padding: 0.5em;
 	border-left: 0.2em solid silver;
 }
+
+#content table {
+	border-spacing: 0;
+	border-collapse: collapsue;
+}
+#content th,
+#content td {
+	text-align: left;
+	padding: 0.2em 0.5em;
+}
+#content tbody:nth-child(2n) {
+	background: #fafafa;
+}
diff --git a/src/Access.php b/src/Access.php
index e29b0904..574f9eb0 100644
--- a/src/Access.php
+++ b/src/Access.php
@@ -12,19 +12,18 @@ class Access
 			if (strpos($key, '.') === false)
 				$key .= '.';
 			list ($privilegeName, $subPrivilegeName) = explode('.', $key);
-
-			$key = rtrim($privilegeName . '.' . $subPrivilegeName, '.');
+			$minAccessRank = new AccessRank(TextHelper::resolveConstant($minAccessRankName, 'AccessRank'));
 
 			if (!in_array($privilegeName, Privilege::getAllConstants()))
 				throw new Exception('Invalid privilege name in config: ' . $privilegeName);
 
-			$minAccessRank = TextHelper::resolveConstant($minAccessRankName, 'AccessRank');
-			self::$privileges[$key] = $minAccessRank;
-
 			if (!isset(self::$privileges[$privilegeName]))
 			{
-				self::$privileges[$privilegeName] = $minAccessRank;
+				self::$privileges[$privilegeName] = [];
+				self::$privileges[$privilegeName][null] = $minAccessRank;
 			}
+
+			self::$privileges[$privilegeName][$subPrivilegeName] = $minAccessRank;
 		}
 
 		//todo: move to scripts etc.
@@ -40,18 +39,15 @@ class Access
 		if ($user === null)
 			$user = Auth::getCurrentUser();
 
-		$minAccessRank = AccessRank::Nobody;
+		$minAccessRank = new AccessRank(AccessRank::Nobody);
 
-		$key = $privilege->toString();
-		$privilege->secondary = null;
-		$key2 = $privilege->toString();
+		if (isset(self::$privileges[$privilege->primary][$privilege->secondary]))
+			$minAccessRank = self::$privileges[$privilege->primary][$privilege->secondary];
 
-		if (isset(self::$privileges[$key]))
-			$minAccessRank = self::$privileges[$key];
-		elseif (isset(self::$privileges[$key2]))
-			$minAccessRank = self::$privileges[$key2];
+		elseif (isset(self::$privileges[$privilege->primary][null]))
+			$minAccessRank = self::$privileges[$privilege->primary][null];
 
-		return $user->getAccessRank()->toInteger() >= $minAccessRank;
+		return $user->getAccessRank()->toInteger() >= $minAccessRank->toInteger();
 	}
 
 	public static function checkEmailConfirmation($user = null)
@@ -109,6 +105,13 @@ class Access
 		});
 	}
 
+	public static function getAllDefinedSubPrivileges($privilege)
+	{
+		if (!isset(self::$privileges[$privilege]))
+			return null;
+		return self::$privileges[$privilege];
+	}
+
 	public static function disablePrivilegeChecking()
 	{
 		self::$checkPrivileges = false;
diff --git a/src/Views/static/static-api.phtml b/src/Views/static/static-api.phtml
index 3342a362..66f7a5cc 100644
--- a/src/Views/static/static-api.phtml
+++ b/src/Views/static/static-api.phtml
@@ -56,8 +56,8 @@ encoding.</p>
 
 <h3>Handling errors</h3>
 
-<p>When errors occur all errors are logged to <code>message</code> field and changes done with request is rolled
-back.</p>
+<p>Normally all jobs return <code>200 OK</code>. However, when an error occurs, its reason is logged to
+<code>message</code> field, changes are rolled back and API returns <code>400 Bad Request</code>.</p>
 
 <hr/>
 
@@ -69,32 +69,51 @@ back.</p>
 	<thead>
 		<tr>
 			<th>Privilege</th>
+			<th>Sub privilege</th>
 			<th>Minimum access rank</th>
 		</tr>
 	</thead>
-	<tbody>
-		<?php  foreach (Core::getConfig()->privileges as $privilege => $minAccessRank): ?>
-			<tr>
-				<td><?= $privilege ?></td>
-				<td><?= $minAccessRank ?></td>
-			</tr>
-		<?php endforeach ?>
-	</tbody>
+	<?php  foreach (Privilege::getAllConstants() as $privilege): ?>
+		<?php $i = 0 ?>
+		<tbody>
+			<?php foreach (Access::getAllDefinedSubPrivileges($privilege) as $subPrivilege => $minAccessRank): ?>
+				<?php if ($i == 0): ?>
+					<tr id="privilege-<?= $privilege ?>">
+				<?php else: ?>
+					<tr>
+				<?php endif ?>
+					<td><?= $privilege ?></td>
+					<td><?= $subPrivilege ?: '&mdash;' ?></td>
+					<td><?= $minAccessRank->toDisplayString() ?></td>
+				</tr>
+				<?php $i ++ ?>
+			<?php endforeach ?>
+		</tbody>
+	<?php endforeach ?>
 </table>
 
 <hr/>
 
 <h2>Full list of available jobs</h2>
 
+<p>Some jobs execute other jobs. Such relations are listed under &bdquo;chained jobs&rdquo; sections. This means you
+shouldn't be too surprised if <code>add-user</code> doesn't require any arguments&nbsp;&ndash; they're enforced in its
+chained jobs.</p>
+
 <?php
 $jobClassNames = Api::getAllJobClassNames();
 natcasesort($jobClassNames);
+$jobClassNames = array_values($jobClassNames);
 
-foreach ($jobClassNames as $className)
+foreach ($jobClassNames as $i => $className)
 {
 	$job = new $className;
 ?>
 
+	<?php if ($i != 0): ?>
+		<hr/>
+	<?php endif ?>
+
 	<h3 id="job-<?= $job->getName() ?>">
 		<a href="#job-<?= $job->getName() ?>"><?= $job->getName() ?></a>
 	</h3>
@@ -125,17 +144,47 @@ foreach ($jobClassNames as $className)
 		};
 	?>
 
-	<p>Required arguments: <?= $showArgs($job->getRequiredArguments()) ?></p>
-	<p>Requires e-mail confirmation: <?= $job->isConfirmedEmailRequired() ? 'yes' : 'no' ?></p>
-	<p>Requires authentication: <?= $job->isAuthenticationRequired() ? 'yes' : 'no' ?></p>
-	<?php if (!empty($job->getSubJobs())): ?>
-	<p>Sub jobs: <?= implode(', ', array_map(function($job)
-		{
-			return '<a href="#job-' . $job->getName() . '">' . $job->getName() . '</a>';
-		}, $job->getSubJobs())); ?></p>
-	<?php endif ?>
+	<p>
+		Required arguments:
+		<?php if ($job->getRequiredArguments()): ?>
+			<?= $showArgs($job->getRequiredArguments()) ?>
+		<?php else: ?>
+			none
+		<?php endif ?>
+	</p>
 
-	<hr/>
+	<p>
+		Required privilege:
+		<?php if ($job->getRequiredMainPrivilege()): ?>
+			<a href="#privilege-<?= $job->getRequiredMainPrivilege() ?>">
+				<?= $job->getRequiredMainPrivilege() ?>
+			</a>
+		<?php else: ?>
+			none
+		<?php endif ?>
+	</p>
+
+	<p>
+		Requires e-mail confirmation:
+		<?= $job->isConfirmedEmailRequired() ? 'yes' : 'no' ?>
+	</p>
+
+	<p>
+		Requires authentication:
+		<?= $job->isAuthenticationRequired() ? 'yes' : 'no' ?>
+	</p>
+
+	<?php if (!empty($job->getSubJobs())): ?>
+		<p>
+			Chained jobs:
+			<?php
+				echo implode(', ', array_map(function($job)
+				{
+					return '<a href="#job-' . $job->getName() . '">' . $job->getName() . '</a>';
+				}, $job->getSubJobs()));
+			?>
+		</p>
+	<?php endif ?>
 <?php
 }
 ?>