diff --git a/src/apps.js b/src/apps.js
index 4762048d7..5afa7c6e0 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -135,6 +135,12 @@ exports = module.exports = {
     HEALTH_ERROR: 'error',
     HEALTH_DEAD: 'dead',
 
+    // app access levels
+    ACCESS_LEVEL_ADMIN: 'admin',
+    ACCESS_LEVEL_OPERATOR: 'operator',
+    ACCESS_LEVEL_USER: 'user',
+    ACCESS_LEVEL_NONE: '',
+
     // exported for testing
     _checkForPortBindingConflict: checkForPortBindingConflict,
     _validatePorts: validatePorts,
@@ -802,9 +808,9 @@ function canAccess(app, user) {
 }
 
 function accessLevel(app, user) {
-    if (isAdmin(user)) return 'admin';
-    if (isOperator(app, user)) return 'operator';
-    return canAccess(app, user) ? 'user' : null;
+    if (isAdmin(user)) return exports.ACCESS_LEVEL_ADMIN;
+    if (isOperator(app, user)) return exports.ACCESS_LEVEL_OPERATOR;
+    return canAccess(app, user) ? exports.ACCESS_LEVEL_USER : exports.ACCESS_LEVEL_NONE;
 }
 
 async function checkForPortBindingConflict(portBindings, options) {
diff --git a/src/test/apps-test.js b/src/test/apps-test.js
index 26a336356..1c27e7cc2 100644
--- a/src/test/apps-test.js
+++ b/src/test/apps-test.js
@@ -11,7 +11,8 @@ const apps = require('../apps.js'),
     common = require('./common.js'),
     expect = require('expect.js'),
     Location = require('../location.js'),
-    safe = require('safetydance');
+    safe = require('safetydance'),
+    users = require('../users.js');
 
 describe('Apps', function () {
     const { domainSetup, cleanup, app, admin, user , domain } = common;
@@ -158,8 +159,8 @@ describe('Apps', function () {
     });
 
     describe('canAccess', function () {
-        const someuser = { id: 'someuser', groupIds: [], role: 'user' };
-        const adminuser = { id: 'adminuser', groupIds: [ 'groupie' ], role: 'admin' };
+        const someuser = { id: 'someuser', groupIds: [], role: users.ROLE_USER };
+        const adminuser = { id: 'adminuser', groupIds: [ 'groupie' ], role: users.ROLE_ADMIN };
 
         it('returns true for unrestricted access', function () {
             expect(apps.canAccess({ accessRestriction: null }, someuser)).to.be(true);
@@ -196,7 +197,7 @@ describe('Apps', function () {
 
     describe('isOperator', function () {
         const someuser = { id: 'someuser', groupIds: [], role: 'user' };
-        const adminuser = { id: 'adminuser', groupIds: [ 'groupie' ], role: 'admin' };
+        const adminuser = { id: 'adminuser', groupIds: [ 'groupie' ], role: users.ROLE_ADMIN };
 
         it('returns false for unrestricted access', function () {
             expect(apps.isOperator({ operators: null }, someuser)).to.be(false);
@@ -232,22 +233,22 @@ describe('Apps', function () {
     });
 
     describe('accessLevel', function () {
-        const someuser = { id: 'someuser', groupIds: [ 'ops' ], role: 'user' };
-        const adminuser = { id: 'adminuser', groupIds: [ 'groupie' ], role: 'admin' };
+        const someuser = { id: 'someuser', groupIds: [ 'ops' ], role: users.ROLE_USER };
+        const adminuser = { id: 'adminuser', groupIds: [ 'groupie' ], role: users.ROLE_ADMIN };
 
         it('return user for normal user', function () {
-            expect(apps.accessLevel({ accessRestriction: null, operators: null }, someuser)).to.be('user');
-            expect(apps.accessLevel({ accessRestriction: null, operators: { users: [ ], groups: [ 'groupie' ] } }, someuser)).to.be('user');
+            expect(apps.accessLevel({ accessRestriction: null, operators: null }, someuser)).to.be(apps.ACCESS_LEVEL_USER);
+            expect(apps.accessLevel({ accessRestriction: null, operators: { users: [ ], groups: [ 'groupie' ] } }, someuser)).to.be(apps.ACCESS_LEVEL_USER);
         });
 
         it('returns operator for operator user', function () {
-            expect(apps.accessLevel({ accessRestriction: null, operators: { users: [ 'someuser' ], groups: [ 'groupie' ] } }, someuser)).to.be('operator');
-            expect(apps.accessLevel({ accessRestriction: null, operators: { users: [], groups: [ 'ops' ] } }, someuser)).to.be('operator');
+            expect(apps.accessLevel({ accessRestriction: null, operators: { users: [ 'someuser' ], groups: [ 'groupie' ] } }, someuser)).to.be(apps.ACCESS_LEVEL_OPERATOR);
+            expect(apps.accessLevel({ accessRestriction: null, operators: { users: [], groups: [ 'ops' ] } }, someuser)).to.be(apps.ACCESS_LEVEL_OPERATOR);
         });
 
         it('returns admin for admin user', function () {
-            expect(apps.accessLevel({ accessRestriction: null, operators: null }, adminuser)).to.be('admin');
-            expect(apps.accessLevel({ accessRestriction: null, operators: { users: [], groups: [] } }, adminuser)).to.be('admin');
+            expect(apps.accessLevel({ accessRestriction: null, operators: null }, adminuser)).to.be(apps.ACCESS_LEVEL_ADMIN);
+            expect(apps.accessLevel({ accessRestriction: null, operators: { users: [], groups: [] } }, adminuser)).to.be(apps.ACCESS_LEVEL_ADMIN);
         });
     });