Resolves #34. Removed old VC controllers; updated VC access controllers;
updated tests.

Change-Id: Ica147150c7de06273c6058e7891a0585c002029c
diff --git a/full/Changes b/full/Changes
index 14a3e5e..1a147fc 100644
--- a/full/Changes
+++ b/full/Changes
@@ -1,3 +1,8 @@
+# version 0.62
+28/02/2019
+   - Removed old VC controllers and updated tests (margaretha, issue #34)
+   - Updated VC access controllers (margaretha)
+
 # version 0.61.6
 04/02/2019
    - Fixed SQL data and merged oauth2_client_url and oauth2_client (margaretha)
diff --git a/full/pom.xml b/full/pom.xml
index 5a13cc5..0cf2ec3 100644
--- a/full/pom.xml
+++ b/full/pom.xml
@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>de.ids_mannheim.korap</groupId>
 	<artifactId>Kustvakt-full</artifactId>
-	<version>0.61.6</version>
+	<version>0.62</version>
 	<properties>
 		<java.version>1.8</java.version>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
diff --git a/full/src/main/java/de/ids_mannheim/korap/dao/VirtualCorpusAccessDao.java b/full/src/main/java/de/ids_mannheim/korap/dao/VirtualCorpusAccessDao.java
index 80cdf3b..db49626 100644
--- a/full/src/main/java/de/ids_mannheim/korap/dao/VirtualCorpusAccessDao.java
+++ b/full/src/main/java/de/ids_mannheim/korap/dao/VirtualCorpusAccessDao.java
@@ -108,24 +108,16 @@
         TypedQuery<VirtualCorpusAccess> q = entityManager.createQuery(query);
         return q.getResultList();
     }
-
-    // for system admins
-    @Deprecated
-    public List<VirtualCorpusAccess> retrieveAllAccessByVC (int vcId)
+    
+    public List<VirtualCorpusAccess> retrieveAllAccess ()
             throws KustvaktException {
-        ParameterChecker.checkIntegerValue(vcId, "vcId");
 
         CriteriaBuilder builder = entityManager.getCriteriaBuilder();
         CriteriaQuery<VirtualCorpusAccess> query =
                 builder.createQuery(VirtualCorpusAccess.class);
-
         Root<VirtualCorpusAccess> access =
                 query.from(VirtualCorpusAccess.class);
-        Join<VirtualCorpusAccess, VirtualCorpus> accessVC =
-                access.join(VirtualCorpusAccess_.virtualCorpus);
-
         query.select(access);
-        query.where(builder.equal(accessVC.get(VirtualCorpus_.id), vcId));
         TypedQuery<VirtualCorpusAccess> q = entityManager.createQuery(query);
         return q.getResultList();
     }
diff --git a/full/src/main/java/de/ids_mannheim/korap/dto/VirtualCorpusAccessDto.java b/full/src/main/java/de/ids_mannheim/korap/dto/VirtualCorpusAccessDto.java
index 5e8a6e7..d79b7d3 100644
--- a/full/src/main/java/de/ids_mannheim/korap/dto/VirtualCorpusAccessDto.java
+++ b/full/src/main/java/de/ids_mannheim/korap/dto/VirtualCorpusAccessDto.java
@@ -19,4 +19,11 @@
     private String vcName;
     private int userGroupId;
     private String userGroupName;
+
+    @Override
+    public String toString () {
+        return "accessId=" + accessId + ", createdBy=" + createdBy + " , vcId="
+                + vcId + ", vcName=" + vcName + ", userGroupId=" + userGroupId
+                + ", userGroupName=" + userGroupName;
+    }
 }
diff --git a/full/src/main/java/de/ids_mannheim/korap/service/UserGroupService.java b/full/src/main/java/de/ids_mannheim/korap/service/UserGroupService.java
index ef44901..e094c33 100644
--- a/full/src/main/java/de/ids_mannheim/korap/service/UserGroupService.java
+++ b/full/src/main/java/de/ids_mannheim/korap/service/UserGroupService.java
@@ -23,6 +23,7 @@
 import de.ids_mannheim.korap.dao.UserGroupMemberDao;
 import de.ids_mannheim.korap.dto.UserGroupDto;
 import de.ids_mannheim.korap.dto.converter.UserGroupConverter;
+import de.ids_mannheim.korap.encryption.RandomCodeGenerator;
 import de.ids_mannheim.korap.entity.Role;
 import de.ids_mannheim.korap.entity.UserGroup;
 import de.ids_mannheim.korap.entity.UserGroupMember;
@@ -61,7 +62,9 @@
     private FullConfiguration config;
     @Autowired
     private MailService mailService;
-
+    @Autowired
+    private RandomCodeGenerator random;
+    
     private static Set<Role> memberRoles;
 
     /**
@@ -75,14 +78,20 @@
      * 
      * @see {@link PredefinedRole}
      */
-    public List<UserGroupDto> retrieveUserGroup (String username)
+    public List<UserGroup> retrieveUserGroup (String username)
             throws KustvaktException {
 
         List<UserGroup> userGroups =
                 userGroupDao.retrieveGroupByUserId(username);
         Collections.sort(userGroups);
+        return userGroups;
+    }
+    
+    public List<UserGroupDto> retrieveUserGroupDto (String username)
+            throws KustvaktException {
+        List<UserGroup> userGroups = retrieveUserGroup(username);
+        
         ArrayList<UserGroupDto> dtos = new ArrayList<>(userGroups.size());
-
         UserGroupMember userAsMember;
         List<UserGroupMember> members;
         UserGroupDto groupDto;
@@ -96,6 +105,7 @@
         }
 
         return dtos;
+
     }
 
     private List<UserGroupMember> retrieveMembers (int groupId, String username)
@@ -118,6 +128,11 @@
             throws KustvaktException {
         return userGroupDao.retrieveGroupById(groupId);
     }
+    
+    public UserGroup retrieveUserGroupByName (String groupName)
+            throws KustvaktException {
+        return userGroupDao.retrieveGroupByName(groupName);
+    }
 
     public UserGroup retrieveHiddenUserGroupByVC (int vcId)
             throws KustvaktException {
@@ -257,7 +272,8 @@
     }
 
     public int createAutoHiddenGroup (int vcId) throws KustvaktException {
-        String groupName = "auto-hidden-group";
+        String code = random.createRandomCode();
+        String groupName = "auto-"+code;
         int groupId = userGroupDao.createGroup(groupName, "system",
                 UserGroupStatus.HIDDEN);
 
diff --git a/full/src/main/java/de/ids_mannheim/korap/service/VirtualCorpusService.java b/full/src/main/java/de/ids_mannheim/korap/service/VirtualCorpusService.java
index 8628328..556c2e4 100644
--- a/full/src/main/java/de/ids_mannheim/korap/service/VirtualCorpusService.java
+++ b/full/src/main/java/de/ids_mannheim/korap/service/VirtualCorpusService.java
@@ -77,8 +77,19 @@
     @Autowired
     private VirtualCorpusAccessConverter accessConverter;
 
-    public List<VirtualCorpusDto> listOwnerVC (String username)
+    private void verifyUsername (String contextUsername, String pathUsername)
             throws KustvaktException {
+        if (!contextUsername.equals(pathUsername)
+                && !adminDao.isAdmin(contextUsername)) {
+            throw new KustvaktException(StatusCodes.AUTHORIZATION_FAILED,
+                    "Unauthorized operation for user: " + contextUsername,
+                    contextUsername);
+        }
+    }
+
+    public List<VirtualCorpusDto> listOwnerVC (String username, String vcCreator)
+            throws KustvaktException {
+        verifyUsername(username, vcCreator);
         List<VirtualCorpus> vcList = vcDao.retrieveOwnerVC(username);
         return createVCDtos(vcList);
     }
@@ -210,22 +221,18 @@
         }
     }
 
-    @Deprecated
-    public void editVC (VirtualCorpusJson vcJson, String username)
-            throws KustvaktException {
-        ParameterChecker.checkIntegerValue(vcJson.getId(), "id");
-        VirtualCorpus vc = vcDao.retrieveVCById(vcJson.getId());
-        editVC(vc, vcJson, vcJson.getName(), username);
-    }
+//    @Deprecated
+//    public void editVC (VirtualCorpusJson vcJson, String username)
+//            throws KustvaktException {
+//        ParameterChecker.checkIntegerValue(vcJson.getId(), "id");
+//        VirtualCorpus vc = vcDao.retrieveVCById(vcJson.getId());
+//        editVC(vc, vcJson, vcJson.getName(), username);
+//    }
 
     public void handlePutRequest (String username, String vcCreator,
             String vcName, VirtualCorpusJson vcJson) throws KustvaktException {
-        if (!username.equals(vcCreator)) {
-            throw new KustvaktException(StatusCodes.INVALID_ARGUMENT,
-                    "VC creator verification failed. Path parameter vcCreator "
-                            + "must be the same as the authenticated username.");
-        }
         
+        verifyUsername(username, vcCreator);
         VirtualCorpus vc = vcDao.retrieveVCByName(vcName, vcCreator);
         if (vc == null) {
             storeVC(vcJson, vcName, username);
@@ -416,23 +423,18 @@
         return (numberOfDoc > 0) ? true : false;
     }
 
-    @Deprecated
-    public List<VirtualCorpusAccess> retrieveAllVCAccess (int vcId)
-            throws KustvaktException {
-        return accessDao.retrieveAllAccessByVC(vcId);
-    }
 
-    public void shareVC (String username, int vcId, int groupId)
-            throws KustvaktException {
+    public void shareVC (String username, String createdBy, String vcName,
+            String groupName) throws KustvaktException {
 
-        VirtualCorpus vc = vcDao.retrieveVCById(vcId);
+        VirtualCorpus vc = vcDao.retrieveVCByName(vcName, createdBy);
         if (!username.equals(vc.getCreatedBy())
                 && !adminDao.isAdmin(username)) {
             throw new KustvaktException(StatusCodes.AUTHORIZATION_FAILED,
                     "Unauthorized operation for user: " + username, username);
         }
 
-        UserGroup userGroup = userGroupService.retrieveUserGroupById(groupId);
+        UserGroup userGroup = userGroupService.retrieveUserGroupByName(groupName);
 
         if (!isVCAccessAdmin(userGroup, username)
                 && !adminDao.isAdmin(username)) {
@@ -491,28 +493,25 @@
     // }
     // }
 
-    @Deprecated
-    public List<VirtualCorpusAccessDto> listVCAccessByVC (String username,
-            int vcId) throws KustvaktException {
-
-        List<VirtualCorpusAccess> accessList;
+    
+    public List<VirtualCorpusAccessDto> listVCAccessByUsername (String username)
+            throws KustvaktException {
+        List<VirtualCorpusAccess> accessList = new ArrayList<>();
         if (adminDao.isAdmin(username)) {
-            accessList = accessDao.retrieveAllAccessByVC(vcId);
+            accessList = accessDao.retrieveAllAccess();
         }
         else {
-            accessList = accessDao.retrieveActiveAccessByVC(vcId);
-            List<VirtualCorpusAccess> filteredAccessList = new ArrayList<>();
-            for (VirtualCorpusAccess access : accessList) {
-                UserGroup userGroup = access.getUserGroup();
-                if (isVCAccessAdmin(userGroup, username)) {
-                    filteredAccessList.add(access);
-                }
+            List<UserGroup> groups = userGroupService.retrieveUserGroup(username);
+            for (UserGroup g: groups){
+                if (isVCAccessAdmin(g, username)){
+                    accessList.addAll(accessDao.retrieveActiveAccessByGroup(g.getId()));
+                }   
             }
-            accessList = filteredAccessList;
         }
         return accessConverter.createVCADto(accessList);
     }
-
+    
+    
     public List<VirtualCorpusAccessDto> listVCAccessByVC (String username,
             String vcCreator, String vcName) throws KustvaktException {
 
@@ -534,6 +533,7 @@
         return accessConverter.createVCADto(accessList);
     }
 
+    @Deprecated
     public List<VirtualCorpusAccessDto> listVCAccessByGroup (String username,
             int groupId) throws KustvaktException {
         UserGroup userGroup = userGroupService.retrieveUserGroupById(groupId);
@@ -552,6 +552,24 @@
 
         return accessConverter.createVCADto(accessList);
     }
+    
+    public List<VirtualCorpusAccessDto> listVCAccessByGroup (String username,
+            String groupName) throws KustvaktException {
+        UserGroup userGroup = userGroupService.retrieveUserGroupByName(groupName);
+
+        List<VirtualCorpusAccess> accessList;
+        if (adminDao.isAdmin(username)) {
+            accessList = accessDao.retrieveAllAccessByGroup(userGroup.getId());
+        }
+        else if (isVCAccessAdmin(userGroup, username)) {
+            accessList = accessDao.retrieveActiveAccessByGroup(userGroup.getId());
+        }
+        else {
+            throw new KustvaktException(StatusCodes.AUTHORIZATION_FAILED,
+                    "Unauthorized operation for user: " + username, username);
+        }
+        return accessConverter.createVCADto(accessList);
+    }
 
     public void deleteVCAccess (int accessId, String username)
             throws KustvaktException {
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/UserGroupController.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/UserGroupController.java
index e287be6..75fd96c 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/UserGroupController.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/UserGroupController.java
@@ -80,7 +80,7 @@
                 (TokenContext) securityContext.getUserPrincipal();
         try {
             scopeService.verifyScope(context, OAuth2Scope.USER_GROUP_INFO);
-            return service.retrieveUserGroup(context.getUsername());
+            return service.retrieveUserGroupDto(context.getUsername());
         }
         catch (KustvaktException e) {
             throw kustvaktResponseHandler.throwit(e);
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/VirtualCorpusController.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/VirtualCorpusController.java
index a2aa625..60beaea 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/VirtualCorpusController.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/VirtualCorpusController.java
@@ -4,7 +4,6 @@
 
 import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
-import javax.ws.rs.FormParam;
 import javax.ws.rs.GET;
 import javax.ws.rs.POST;
 import javax.ws.rs.PUT;
@@ -23,7 +22,6 @@
 import com.sun.jersey.spi.container.ResourceFilters;
 
 import de.ids_mannheim.korap.constant.OAuth2Scope;
-import de.ids_mannheim.korap.constant.VirtualCorpusAccessStatus;
 import de.ids_mannheim.korap.constant.VirtualCorpusType;
 import de.ids_mannheim.korap.dto.VirtualCorpusAccessDto;
 import de.ids_mannheim.korap.dto.VirtualCorpusDto;
@@ -67,72 +65,27 @@
     private OAuth2ScopeService scopeService;
 
     /**
-     * Creates a user virtual corpus, also for system admins
+     * Updates a vc according to the given VirtualCorpusJson, if the
+     * VC exists, otherwise creates a new VC with the given VC creator
+     * and VC name specified as the path parameters. The vc creator
+     * must be the same as the authenticated username.
      * 
-     * @see VirtualCorpusJson
+     * VC name cannot be updated.
      * 
      * @param securityContext
-     * @param vc
-     *            a JSON object describing the virtual corpus
-     * @return HTTP Response OK if successful
-     */
-    @POST
-    @Path("create")
-    @Consumes("application/json")
-    @Deprecated
-    public Response createVC (@Context SecurityContext securityContext,
-            VirtualCorpusJson vc) {
-        try {
-            // get user info
-            TokenContext context =
-                    (TokenContext) securityContext.getUserPrincipal();
-
-            scopeService.verifyScope(context, OAuth2Scope.CREATE_VC);
-            service.storeVC(vc, vc.getName(), context.getUsername());
-        }
-        catch (KustvaktException e) {
-            throw kustvaktResponseHandler.throwit(e);
-        }
-        return Response.ok().build();
-    }
-
-    /**
-     * Edits a virtual corpus attributes including name, type and
-     * corpus query. Only the virtual corpus owner and system admins
-     * can edit a virtual corpus.
-     * 
-     * @see VirtualCorpusJson
-     * 
-     * @param securityContext
-     * @param vc
-     *            a JSON object describing the virtual corpus
-     * @return HTTP Response OK if successful
+     * @param vcCreator
+     *            the username of the vc creator, must be the same
+     *            as the authenticated username
+     * @param vcName
+     *           the vc name
+     * @param vc a json object describing the VC
+     * @return
      * @throws KustvaktException
      */
-    @POST
-    @Path("edit")
-    @Consumes("application/json")
-    @Deprecated
-    public Response editVC (@Context SecurityContext securityContext,
-            VirtualCorpusJson vc) throws KustvaktException {
-        TokenContext context =
-                (TokenContext) securityContext.getUserPrincipal();
-
-        try {
-            scopeService.verifyScope(context, OAuth2Scope.EDIT_VC);
-            service.editVC(vc, context.getUsername());
-        }
-        catch (KustvaktException e) {
-            throw kustvaktResponseHandler.throwit(e);
-        }
-        return Response.ok().build();
-    }
-
-    // EM: changing vc name is disabled
     @PUT
     @Path("/{vcCreator}/{vcName}")
     @Consumes(MediaType.APPLICATION_JSON + ";charset=utf-8")
-    public Response editVC (@Context SecurityContext securityContext,
+    public Response createUpdateVC (@Context SecurityContext securityContext,
             @PathParam("vcCreator") String vcCreator,
             @PathParam("vcName") String vcName,
             VirtualCorpusJson vc) throws KustvaktException {
@@ -150,32 +103,6 @@
     }
 
     /**
-     * Searches for a specific VC given the VC id.
-     * 
-     * @param securityContext
-     * @param vcId
-     *            a virtual corpus id
-     * @return a list of virtual corpora
-     */
-    @GET
-    @Path("{vcId}")
-    @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
-    @Deprecated
-    public VirtualCorpusDto retrieveVC (
-            @Context SecurityContext securityContext,
-            @PathParam("vcId") int vcId) {
-        TokenContext context =
-                (TokenContext) securityContext.getUserPrincipal();
-        try {
-            scopeService.verifyScope(context, OAuth2Scope.VC_INFO);
-            return service.searchVCById(context.getUsername(), vcId);
-        }
-        catch (KustvaktException e) {
-            throw kustvaktResponseHandler.throwit(e);
-        }
-    }
-
-    /**
      * Returns the virtual corpus with the given name and creator.
      * 
      * @param securityContext
@@ -214,24 +141,12 @@
      * available for other users. Thus, username parameter is optional
      * and must be identical to the authenticated username.
      * 
-     * 
-     * 
      * @param securityContext
      * @param username
      *            a username (optional)
      * @return a list of virtual corpora
      */
     @GET
-    @Path("list")
-    @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
-    @Deprecated
-    public List<VirtualCorpusDto> listVCByUser (
-            @Context SecurityContext securityContext,
-            @QueryParam("username") String username) {
-        return listAvailableVC(securityContext, username);
-    }
-
-    @GET
     @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
     public List<VirtualCorpusDto> listAvailableVC (
             @Context SecurityContext securityContext,
@@ -248,25 +163,29 @@
         }
     }
 
-    // EM: TODO: change path to @Path("{createdBy}"), currently
-    // conflicted with /{vcId}
     /**
-     * Lists all virtual corpora created by a user
+     * Lists all virtual corpora created by a user. This list is only
+     * available to the owner of the vc. Users, except system-admins, 
+     * are not allowed to list vc created by other users. 
+     * 
+     * Thus, the path parameter "createdBy" must be the same as the
+     * authenticated username. 
      * 
      * @param securityContext
      * @return a list of virtual corpora created by the user
      *         in the security context.
      */
     @GET
-    @Path("list/user")
+    @Path("{createdBy}")
     @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
     public List<VirtualCorpusDto> listUserVC (
+            @PathParam("createdBy") String createdBy, 
             @Context SecurityContext securityContext) {
         TokenContext context =
                 (TokenContext) securityContext.getUserPrincipal();
         try {
             scopeService.verifyScope(context, OAuth2Scope.VC_INFO);
-            return service.listOwnerVC(context.getUsername());
+            return service.listOwnerVC(context.getUsername(), createdBy);
         }
         catch (KustvaktException e) {
             throw kustvaktResponseHandler.throwit(e);
@@ -291,7 +210,7 @@
     @GET
     @Path("list/system-admin")
     @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
-    public List<VirtualCorpusDto> listVCByStatus (
+    public List<VirtualCorpusDto> listVCByType (
             @Context SecurityContext securityContext,
             @QueryParam("createdBy") String createdBy,
             @QueryParam("type") VirtualCorpusType type) {
@@ -306,32 +225,6 @@
         }
     }
 
-    /**
-     * Only the VC owner and system admins can delete VC. VCA admins
-     * can delete VC-accesses e.g. of project VC, but not the VC
-     * themselves.
-     * 
-     * @param securityContext
-     * @param vcId
-     *            the id of the virtual corpus
-     * @return HTTP status 200, if successful
-     */
-    @DELETE
-    @Path("delete/{vcId}")
-    @Deprecated
-    public Response deleteVC (@Context SecurityContext securityContext,
-            @PathParam("vcId") int vcId) {
-        TokenContext context =
-                (TokenContext) securityContext.getUserPrincipal();
-        try {
-            scopeService.verifyScope(context, OAuth2Scope.DELETE_VC);
-            service.deleteVC(context.getUsername(), vcId);
-        }
-        catch (KustvaktException e) {
-            throw kustvaktResponseHandler.throwit(e);
-        }
-        return Response.ok().build();
-    }
 
     /**
      * Only the VC owner and system admins can delete VC. VCA admins
@@ -362,7 +255,6 @@
         return Response.ok().build();
     }
 
-    // EM: TODO: replace vcId with vcCreator and vcUsername
     /**
      * VC can only be shared with a group, not individuals.
      * Only VCA admins are allowed to share VC and the VC must have
@@ -372,22 +264,25 @@
      * Not allowed via third-party apps.
      * 
      * @param securityContext
-     * @param vcId
-     *            a virtual corpus id
-     * @param groupId
-     *            a user group id
+     * @param vcCreator
+     *            the username of the vc creator
+     * @param vcName
+     *            the name of the vc
+     * @param groupName
+     *            the name of the group to share
      * @return HTTP status 200, if successful
      */
     @POST
-    @Path("access/share")
-    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
+    @Path("{vcCreator}/{vcName}/share/{groupName}")
     public Response shareVC (@Context SecurityContext securityContext,
-            @FormParam("vcId") int vcId, @FormParam("groupId") int groupId) {
+            @PathParam("vcCreator") String vcCreator,
+            @PathParam("vcName") String vcName, 
+            @PathParam("groupName") String groupName) {
         TokenContext context =
                 (TokenContext) securityContext.getUserPrincipal();
         try {
             scopeService.verifyScope(context, OAuth2Scope.SHARE_VC);
-            service.shareVC(context.getUsername(), vcId, groupId);
+            service.shareVC(context.getUsername(), vcCreator, vcName, groupName);
         }
         catch (KustvaktException e) {
             throw kustvaktResponseHandler.throwit(e);
@@ -407,14 +302,6 @@
      * @return
      */
     @DELETE
-    @Path("access/delete/{accessId}")
-    @Deprecated
-    public Response deleteVCAccess (@Context SecurityContext securityContext,
-            @PathParam("accessId") int accessId) {
-        return deleteVCAccessById(securityContext, accessId);
-    }
-
-    @DELETE
     @Path("access/{accessId}")
     public Response deleteVCAccessById (
             @Context SecurityContext securityContext,
@@ -432,105 +319,34 @@
     }
 
     /**
-     * Lists active VC accesses to the specified VC.
-     * Only available to VCA and system admins.
-     * For system admins, lists all VCA of the VC.
-     * 
-     * <br /><br />
-     * Not allowed via third-party apps.
-     * 
-     * @see VirtualCorpusAccessStatus
-     * 
-     * @param securityContext
-     * @param vcId
-     *            virtual corpus id
-     * @return a list of access to the specified virtual corpus
-     */
-    @GET
-    @Path("access/list")
-    @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
-    @Deprecated
-    public List<VirtualCorpusAccessDto> listVCAccess (
-            @Context SecurityContext securityContext,
-            @QueryParam("vcId") int vcId) {
-        TokenContext context =
-                (TokenContext) securityContext.getUserPrincipal();
-        try {
-            scopeService.verifyScope(context, OAuth2Scope.VC_ACCESS_INFO);
-            return service.listVCAccessByVC(context.getUsername(), vcId);
-        }
-        catch (KustvaktException e) {
-            throw kustvaktResponseHandler.throwit(e);
-        }
-    }
-
-    /**
-     * Lists active VC-accesses available to a given VC or user-group.
+     * Lists active VC-accesses available to user.
      * 
      * Only available to VCA and system admins.
-     * For system admins, list all VCA for the group.
+     * For system admins, list all VCA regardless of status.
      * 
      * @param securityContext
-     * @param vcCreator
-     *            the username of a VC creator
-     * @param vcName
-     *            the name of a VC
-     * @param groupId
-     *            a group id number
-     * @return
+     * @return a list of VC accesses
      */
     @GET
     @Path("access")
     @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
     public List<VirtualCorpusAccessDto> listVCAccesses (
             @Context SecurityContext securityContext,
-            @QueryParam("vcCreator") String vcCreator,
-            @QueryParam("vcName") String vcName,
-            @QueryParam("groupId") int groupId) {
+            @QueryParam("groupName") String groupName) {
         TokenContext context =
                 (TokenContext) securityContext.getUserPrincipal();
         try {
             scopeService.verifyScope(context, OAuth2Scope.VC_ACCESS_INFO);
-            if (groupId > 0) {
-                return service.listVCAccessByGroup(context.getUsername(),
-                        groupId);
+            if (groupName!=null && !groupName.isEmpty()){
+                return service.listVCAccessByGroup(context.getUsername(), groupName);
             }
-            return service.listVCAccessByVC(context.getUsername(), vcCreator,
-                    vcName);
+            else {
+                return service.listVCAccessByUsername(context.getUsername());
+            }
         }
         catch (KustvaktException e) {
             throw kustvaktResponseHandler.throwit(e);
         }
     }
 
-    /**
-     * Lists active VC-accesses available for a user-group.
-     * Only available to VCA and system admins.
-     * For system admins, list all VCA for the group.
-     * 
-     * <br /><br />
-     * Not allowed via third-party apps.
-     * 
-     * @param securityContext
-     * @param groupId
-     *            a group id
-     * @return a list of VC-access
-     */
-    @GET
-    @Path("access/list/byGroup")
-    @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
-    @Deprecated
-    public List<VirtualCorpusAccessDto> listVCAccessByGroup (
-            @Context SecurityContext securityContext,
-            @QueryParam("groupId") int groupId) {
-        TokenContext context =
-                (TokenContext) securityContext.getUserPrincipal();
-        try {
-            scopeService.verifyScope(context, OAuth2Scope.VC_ACCESS_INFO);
-            return service.listVCAccessByGroup(context.getUsername(), groupId);
-        }
-        catch (KustvaktException e) {
-            throw kustvaktResponseHandler.throwit(e);
-        }
-    }
 }
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/input/VirtualCorpusJson.java b/full/src/main/java/de/ids_mannheim/korap/web/input/VirtualCorpusJson.java
index 419eff4..1f14f9c 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/input/VirtualCorpusJson.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/input/VirtualCorpusJson.java
@@ -17,19 +17,13 @@
 @Getter
 @Setter
 public class VirtualCorpusJson {
-    // required
+    // default false
     private boolean isCached;
     
     // required in creating VCs
-    @Deprecated
-    private String name;
     private VirtualCorpusType type;
     private String corpusQuery;
     
-    // required in editing VCs
-    @Deprecated
-    private int id;
-    
     // optional
     private String definition;
     private String description;
diff --git a/full/src/test/java/de/ids_mannheim/korap/service/VirtualCorpusServiceTest.java b/full/src/test/java/de/ids_mannheim/korap/service/VirtualCorpusServiceTest.java
index a7f5df6..89483d6 100644
--- a/full/src/test/java/de/ids_mannheim/korap/service/VirtualCorpusServiceTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/service/VirtualCorpusServiceTest.java
@@ -1,6 +1,7 @@
 package de.ids_mannheim.korap.service;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 
 import java.util.List;
 
@@ -13,11 +14,11 @@
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 
 import de.ids_mannheim.korap.constant.UserGroupStatus;
-import de.ids_mannheim.korap.constant.VirtualCorpusAccessStatus;
 import de.ids_mannheim.korap.constant.VirtualCorpusType;
+import de.ids_mannheim.korap.dto.VirtualCorpusAccessDto;
 import de.ids_mannheim.korap.dto.VirtualCorpusDto;
 import de.ids_mannheim.korap.entity.UserGroup;
-import de.ids_mannheim.korap.entity.VirtualCorpusAccess;
+import de.ids_mannheim.korap.entity.VirtualCorpus;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.web.input.VirtualCorpusJson;
 
@@ -27,6 +28,8 @@
 
     @Autowired
     private VirtualCorpusService vcService;
+    @Autowired
+    private UserGroupService groupService;
 
     @Rule
     public ExpectedException thrown = ExpectedException.none();
@@ -36,37 +39,51 @@
         thrown.expect(KustvaktException.class);
         // EM: message differs depending on the database used
         // for testing. The message below is from sqlite.
-//        thrown.expectMessage("A UNIQUE constraint failed "
-//                + "(UNIQUE constraint failed: virtual_corpus.name, "
-//                + "virtual_corpus.created_by)");
+        // thrown.expectMessage("A UNIQUE constraint failed "
+        // + "(UNIQUE constraint failed: virtual_corpus.name, "
+        // + "virtual_corpus.created_by)");
 
         VirtualCorpusJson vc = new VirtualCorpusJson();
         vc.setCorpusQuery("corpusSigle=GOE");
-        vc.setName("dory VC");
         vc.setType(VirtualCorpusType.PRIVATE);
-        vcService.storeVC(vc, vc.getName(), "dory");
+        vcService.storeVC(vc, "dory VC", "dory");
     }
 
     @Test
     public void createDeletePublishVC () throws KustvaktException {
-        String username = "VirtualCorpusServiceTest";
+        String vcName = "new published vc";
 
         VirtualCorpusJson vc = new VirtualCorpusJson();
         vc.setCorpusQuery("corpusSigle=GOE");
-        vc.setName("new published vc");
         vc.setType(VirtualCorpusType.PUBLISHED);
-        int vcId = vcService.storeVC(vc,vc.getName(), "VirtualCorpusServiceTest");
+        String username = "VirtualCorpusServiceTest";
+        vcService.storeVC(vc, vcName, username );
 
-        List<VirtualCorpusAccess> accesses =
-                vcService.retrieveAllVCAccess(vcId);
-        assertEquals(1, accesses.size());
+        List<VirtualCorpusAccessDto> accesses =
+                vcService.listVCAccessByUsername("admin");
+        int size = accesses.size();
 
-        VirtualCorpusAccess access = accesses.get(0);
-        assertEquals(VirtualCorpusAccessStatus.HIDDEN, access.getStatus());
+        VirtualCorpusAccessDto dto = accesses.get(accesses.size() - 1);
+        assertEquals(vcName, dto.getVcName());
+        assertEquals("system", dto.getCreatedBy());
+        assertTrue(dto.getUserGroupName().startsWith("auto"));
 
-        vcService.deleteVC(username, vcId);
-        accesses = vcService.retrieveAllVCAccess(vcId);
-        assertEquals(0, accesses.size());
+        // check hidden group
+        int groupId = dto.getUserGroupId();
+        UserGroup group = groupService.retrieveUserGroupById(groupId);
+        assertEquals(UserGroupStatus.HIDDEN, group.getStatus());
+
+        //delete vc
+        vcService.deleteVCByName(username, vcName, username);
+        
+        // check hidden access
+        accesses = vcService.listVCAccessByUsername("admin");
+        assertEquals(size-1, accesses.size());
+        
+        // check hidden group
+        thrown.expect(KustvaktException.class);
+        group = groupService.retrieveUserGroupById(groupId);
+        thrown.expectMessage("Group with id "+groupId+" is not found");
     }
 
     @Test
@@ -74,38 +91,40 @@
         String username = "dory";
         int vcId = 2;
 
+        String vcName = "group VC";
+        VirtualCorpus existingVC =
+                vcService.searchVCByName(username, vcName, username);
         VirtualCorpusJson vcJson = new VirtualCorpusJson();
-        vcJson.setId(vcId);
-        vcJson.setName("group VC published");
         vcJson.setType(VirtualCorpusType.PUBLISHED);
 
-        vcService.editVC(vcJson, username);
+        vcService.editVC(existingVC, vcJson, vcName, username);
 
         // check VC
         VirtualCorpusDto vcDto = vcService.searchVCById("dory", vcId);
-        assertEquals("group VC published", vcDto.getName());
+        assertEquals(vcName, vcDto.getName());
         assertEquals(VirtualCorpusType.PUBLISHED.displayName(),
                 vcDto.getType());
 
         // check access
-        List<VirtualCorpusAccess> accesses =
-                vcService.retrieveAllVCAccess(vcId);
-        assertEquals(2, accesses.size());
-
-        VirtualCorpusAccess access = accesses.get(1);
-        assertEquals(VirtualCorpusAccessStatus.HIDDEN, access.getStatus());
+        List<VirtualCorpusAccessDto> accesses =
+                vcService.listVCAccessByUsername("admin");
+        int size = accesses.size();
+        VirtualCorpusAccessDto dto = accesses.get(accesses.size() - 1);
+        assertEquals(vcName, dto.getVcName());
+        assertEquals("system", dto.getCreatedBy());
+        assertTrue(dto.getUserGroupName().startsWith("auto"));
 
         // check auto hidden group
-        UserGroup autoHiddenGroup = access.getUserGroup();
-        assertEquals(UserGroupStatus.HIDDEN, autoHiddenGroup.getStatus());
+        int groupId = dto.getUserGroupId();
+        UserGroup group = groupService.retrieveUserGroupById(groupId);
+        assertEquals(UserGroupStatus.HIDDEN, group.getStatus());
 
         // 2nd edit (withdraw from publication)
+
         vcJson = new VirtualCorpusJson();
-        vcJson.setId(vcId);
-        vcJson.setName("group VC");
         vcJson.setType(VirtualCorpusType.PROJECT);
 
-        vcService.editVC(vcJson, username);
+        vcService.editVC(existingVC, vcJson, vcName, username);
 
         // check VC
         vcDto = vcService.searchVCById("dory", vcId);
@@ -113,8 +132,12 @@
         assertEquals(VirtualCorpusType.PROJECT.displayName(), vcDto.getType());
 
         // check access
-        accesses = vcService.retrieveAllVCAccess(vcId);
-        assertEquals(1, accesses.size());
+        accesses = vcService.listVCAccessByUsername("admin");
+        assertEquals(size - 1, accesses.size());
+
+        thrown.expect(KustvaktException.class);
+        group = groupService.retrieveUserGroupById(groupId);
+        thrown.expectMessage("Group with id 5 is not found");
     }
 
 }
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java
index 0136868..b6a2a2c 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java
@@ -71,7 +71,7 @@
                 .contains(OAuth2Scope.VC_INFO.toString()));
 
         // test list vc using the token
-        response = resource().path(API_VERSION).path("vc").path("list")
+        response = resource().path(API_VERSION).path("vc")
                 .header(Attributes.AUTHORIZATION, "Bearer " + token)
                 .get(ClientResponse.class);
 
@@ -114,7 +114,7 @@
     private void testScopeNotAuthorize2 (String accessToken)
             throws KustvaktException {
         ClientResponse response =
-                resource().path(API_VERSION).path("vc").path("access").path("list")
+                resource().path(API_VERSION).path("vc").path("access")
                         .header(Attributes.AUTHORIZATION,
                                 "Bearer " + accessToken)
                         .get(ClientResponse.class);
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerAdminTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerAdminTest.java
index 84d6659..90ab155 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerAdminTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerAdminTest.java
@@ -3,7 +3,6 @@
 import static org.junit.Assert.assertEquals;
 
 import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.MultivaluedMap;
 
 import org.apache.http.entity.ContentType;
 import org.junit.Test;
@@ -14,11 +13,9 @@
 import com.sun.jersey.api.client.ClientResponse;
 import com.sun.jersey.api.client.ClientResponse.Status;
 import com.sun.jersey.api.client.UniformInterfaceException;
-import com.sun.jersey.core.util.MultivaluedMapImpl;
 
 import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
 import de.ids_mannheim.korap.config.Attributes;
-import de.ids_mannheim.korap.config.SpringJerseyTest;
 import de.ids_mannheim.korap.constant.VirtualCorpusType;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.utils.JsonUtils;
@@ -35,7 +32,8 @@
     @Test
     public void testSearchPrivateVC () throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
-        ClientResponse response = resource().path(API_VERSION).path("vc").path("1")
+        ClientResponse response = resource().path(API_VERSION).path("vc")
+                .path("dory").path("dory VC")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(admin, "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
@@ -54,7 +52,8 @@
     public void testSearchProjectVC () throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
 
-        ClientResponse response = resource().path(API_VERSION).path("vc").path("2")
+        ClientResponse response = resource().path(API_VERSION).path("vc")
+                .path("dory").path("group VC")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(admin, "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
@@ -72,7 +71,7 @@
     @Test
     public void testListDoryVC () throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
-        ClientResponse response = resource().path(API_VERSION).path("vc").path("list")
+        ClientResponse response = resource().path(API_VERSION).path("vc")
                 .queryParam("username", "dory")
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
@@ -88,8 +87,8 @@
 
     private JsonNode testListSystemVC () throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
-        ClientResponse response = resource().path(API_VERSION).path("vc").path("list")
-                .path("system-admin").queryParam("type", "SYSTEM")
+        ClientResponse response = resource().path(API_VERSION).path("vc")
+                .path("list").path("system-admin").queryParam("type", "SYSTEM")
                 .queryParam("createdBy", admin)
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
@@ -104,30 +103,29 @@
 
     @Test
     public void testCreateSystemVC () throws KustvaktException {
-        String json = "{\"name\": \"new system vc\",\"type\": \"SYSTEM\","
+        String json = "{\"type\": \"SYSTEM\","
                 + "\"corpusQuery\": \"creationDate since 1820\"}";
 
-        ClientResponse response = resource().path(API_VERSION).path("vc").path("create")
+        ClientResponse response = resource().path(API_VERSION).path("vc")
+                .path(admin).path("new system vc")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(admin, "pass"))
                 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
-                .entity(json).post(ClientResponse.class);
+                .entity(json).put(ClientResponse.class);
 
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
 
         JsonNode node = testListSystemVC();
         assertEquals(1, node.size());
 
-        String vcId = node.at("/0/id").asText();
-
-        testDeleteSystemVC(vcId);
+        testDeleteSystemVC(admin, "new system vc");
     }
 
-    private void testDeleteSystemVC (String vcId)
+    private void testDeleteSystemVC (String vcCreator, String vcName)
             throws UniformInterfaceException, ClientHandlerException,
             KustvaktException {
-        ClientResponse response = resource().path(API_VERSION).path("vc").path("delete")
-                .path(vcId)
+        ClientResponse response = resource().path(API_VERSION).path("vc")
+                .path(vcCreator).path(vcName)
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(admin, "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
@@ -142,30 +140,33 @@
     @Test
     public void testPrivateVC () throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
-        String json = "{\"name\": \"new vc\",\"type\": \"PRIVATE\","
+        String json = "{\"type\": \"PRIVATE\","
                 + "\"corpusQuery\": \"corpusSigle=GOE\"}";
 
-        ClientResponse response = resource().path(API_VERSION).path("vc").path("create")
+        String vcName = "new vc";
+        ClientResponse response = resource().path(API_VERSION).path("vc")
+                .path(username).path(vcName)
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(username, "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
-                .post(ClientResponse.class, json);
+                .put(ClientResponse.class, json);
 
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
 
-        JsonNode node = testListUserVC();
+        JsonNode node = testListUserVC(username);
         assertEquals(1, node.size());
 
-        String vcId = node.at("/0/id").asText();
-        testEditPrivateVC(vcId);
-        testDeletePrivateVC(vcId);
+        testEditPrivateVC(username, vcName);
+        testDeletePrivateVC(username, vcName);
     }
 
-    private JsonNode testListUserVC () throws UniformInterfaceException,
-            ClientHandlerException, KustvaktException {
-        ClientResponse response = resource().path(API_VERSION).path("vc").path("list")
-                .path("system-admin").queryParam("createdBy", username)
+    private JsonNode testListUserVC (String username)
+            throws UniformInterfaceException, ClientHandlerException,
+            KustvaktException {
+        ClientResponse response = resource().path(API_VERSION).path("vc")
+                .path("list").path("system-admin")
+                .queryParam("createdBy", username)
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(admin, "pass"))
@@ -177,30 +178,31 @@
         return JsonUtils.readTree(entity);
     }
 
-    private void testEditPrivateVC (String vcId)
+    private void testEditPrivateVC (String vcCreator, String vcName)
             throws UniformInterfaceException, ClientHandlerException,
             KustvaktException {
 
-        String json = "{\"id\": \"" + vcId + "\", \"name\": \"edited vc\"}";
+        String json = "{\"description\": \"edited vc\"}";
 
-        ClientResponse response = resource().path(API_VERSION).path("vc").path("edit")
+        ClientResponse response = resource().path(API_VERSION).path("vc")
+                .path(vcCreator).path(vcName)
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(admin, "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
-                .post(ClientResponse.class, json);
+                .put(ClientResponse.class, json);
 
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
 
-        JsonNode node = testListUserVC();
-        assertEquals("edited vc", node.at("/0/name").asText());
+        JsonNode node = testListUserVC(username);
+        assertEquals("edited vc", node.at("/0/description").asText());
     }
 
-    private void testDeletePrivateVC (String vcId)
+    private void testDeletePrivateVC (String vcCreator, String vcName)
             throws UniformInterfaceException, ClientHandlerException,
             KustvaktException {
-        ClientResponse response = resource().path(API_VERSION).path("vc").path("delete")
-                .path(vcId)
+        ClientResponse response = resource().path(API_VERSION).path("vc")
+                .path(vcCreator).path(vcName)
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(admin, "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
@@ -208,37 +210,39 @@
 
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
 
-        JsonNode node = testListUserVC();
+        JsonNode node = testListUserVC(vcCreator);
         assertEquals(0, node.size());
     }
 
+//    @Deprecated
+//    private String testlistAccessByVC (String groupName) throws KustvaktException {
+//        ClientResponse response = resource().path(API_VERSION).path("vc")
+//                .path("access")
+//                .queryParam("groupName", groupName)
+//                .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
+//                        .createBasicAuthorizationHeaderValue(admin, "pass"))
+//                .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
+//                .get(ClientResponse.class);
+//
+//        String entity = response.getEntity(String.class);
+//        JsonNode node = JsonUtils.readTree(entity);
+//        assertEquals(1, node.size());
+//        node = node.get(0);
+//
+//        assertEquals(admin, node.at("/createdBy").asText());
+//        assertEquals(5, node.at("/vcId").asInt());
+//        assertEquals("marlin VC", node.at("/vcName").asText());
+//        assertEquals(1, node.at("/userGroupId").asInt());
+//        assertEquals("marlin group", node.at("/userGroupName").asText());
+//
+//        return node.at("/accessId").asText();
+//    }
 
-    private String testlistAccessByVC (String vcId) throws KustvaktException {
-        ClientResponse response = resource().path(API_VERSION).path("vc").path("access")
-                .path("list").queryParam("vcId", vcId)
-                .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
-                        .createBasicAuthorizationHeaderValue(admin, "pass"))
-                .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
-                .get(ClientResponse.class);
-
-        String entity = response.getEntity(String.class);
-        JsonNode node = JsonUtils.readTree(entity);
-        assertEquals(1, node.size());
-        node = node.get(0);
-
-        assertEquals(admin, node.at("/createdBy").asText());
-        assertEquals(5, node.at("/vcId").asInt());
-        assertEquals("marlin VC", node.at("/vcName").asText());
-        assertEquals(1, node.at("/userGroupId").asInt());
-        assertEquals("marlin group", node.at("/userGroupName").asText());
-
-        return node.at("/accessId").asText();
-    }
-
-    private void testlistAccessByGroup (String groupId)
+    private JsonNode testlistAccessByGroup (String groupName)
             throws KustvaktException {
-        ClientResponse response = resource().path(API_VERSION).path("vc").path("access")
-                .path("list").path("byGroup").queryParam("groupId", groupId)
+        ClientResponse response = resource().path(API_VERSION).path("vc")
+                .path("access")
+                .queryParam("groupName", groupName)
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(admin, "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
@@ -246,40 +250,36 @@
         String entity = response.getEntity(String.class);
         JsonNode node = JsonUtils.readTree(entity);
         assertEquals(2, node.size());
+        return node.get(node.size()-1);
     }
 
     @Test
     public void testVCSharing () throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
+        String vcCreator = "marlin";
+        String vcName = "marlin VC";
+        String groupName = "marlin group";
 
-        String vcId = "5";
-        String groupId = "1";
+        testCreateVCAccess(vcCreator, vcName, groupName);
+        JsonNode node = testlistAccessByGroup(groupName);
 
-        testCreateVCAccess(vcId, groupId);
-        testlistAccessByGroup(groupId);
-
-        String accessId = testlistAccessByVC(vcId);
+        String accessId = node.at("/accessId").asText();
         testDeleteVCAccess(accessId);
-        
-        testEditVCType(admin, vcId, VirtualCorpusType.PRIVATE);
-    }
-    
-    private void testCreateVCAccess (String vcId, String groupId)
-            throws UniformInterfaceException, ClientHandlerException,
-            KustvaktException {
-        MultivaluedMap<String, String> form = new MultivaluedMapImpl();
-        // marlin vc
-        form.add("vcId", vcId);
-        // marlin group
-        form.add("groupId", groupId);
 
+        testEditVCType(admin, vcCreator, vcName, VirtualCorpusType.PRIVATE);
+    }
+
+    private void testCreateVCAccess (String vcCreator, String vcName,
+            String groupName) throws UniformInterfaceException,
+            ClientHandlerException, KustvaktException {
         ClientResponse response;
         // share VC
-        response = resource().path(API_VERSION).path("vc").path("access").path("share")
+        response = resource().path(API_VERSION).path("vc").path(vcCreator)
+                .path(vcName).path("share").path(groupName)
                 .type(MediaType.APPLICATION_FORM_URLENCODED)
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(admin, "pass"))
-                .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32").entity(form)
+                .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .post(ClientResponse.class);
 
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
@@ -290,8 +290,8 @@
             throws UniformInterfaceException, ClientHandlerException,
             KustvaktException {
 
-        ClientResponse response = resource().path(API_VERSION).path("vc").path("access")
-                .path("delete").path(accessId)
+        ClientResponse response = resource().path(API_VERSION).path("vc")
+                .path("access").path(accessId)
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue("dory", "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerTest.java
index a2dd94c..0cce338 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerTest.java
@@ -11,9 +11,6 @@
 import java.util.Map.Entry;
 import java.util.Set;
 
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.MultivaluedMap;
-
 import org.apache.http.HttpStatus;
 import org.apache.http.entity.ContentType;
 import org.junit.Test;
@@ -24,7 +21,6 @@
 import com.sun.jersey.api.client.ClientResponse;
 import com.sun.jersey.api.client.ClientResponse.Status;
 import com.sun.jersey.api.client.UniformInterfaceException;
-import com.sun.jersey.core.util.MultivaluedMapImpl;
 import com.sun.jersey.spi.container.ContainerRequest;
 
 import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
@@ -33,7 +29,6 @@
 import de.ids_mannheim.korap.constant.VirtualCorpusType;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
-import de.ids_mannheim.korap.service.VirtualCorpusServiceTest;
 import de.ids_mannheim.korap.utils.JsonUtils;
 
 /**
@@ -64,7 +59,6 @@
             throws UniformInterfaceException, ClientHandlerException,
             KustvaktException {
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("list")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(username, "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
@@ -81,7 +75,7 @@
             throws UniformInterfaceException, ClientHandlerException,
             KustvaktException {
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("list").path("user")
+                .path(username)
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(username, "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
@@ -95,23 +89,22 @@
         return JsonUtils.readTree(entity);
     }
 
-    private void testDeleteVC (String vcId, String username)
+    private void testDeleteVC (String vcName, String username)
             throws KustvaktException {
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("delete").path(vcId)
+                .path(username).path(vcName)
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(username, "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
-
                 .delete(ClientResponse.class);
 
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
     }
 
-    private JsonNode testlistAccessByVC (String username, String vcId)
+    private JsonNode testlistAccessByGroup (String username, String groupName)
             throws KustvaktException {
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("access").path("list").queryParam("vcId", vcId)
+                .path("access").queryParam("groupName", groupName)
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(username, "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
@@ -123,31 +116,31 @@
     }
 
     @Test
-    public void testSearchSystemVC () throws UniformInterfaceException,
+    public void testRetrieveSystemVCInfo () throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
 
-        JsonNode node = testSearchVC("VirtualCorpusControllerTest", "3");
+        JsonNode node = testSearchVC("VirtualCorpusControllerTest", "system", "system VC");
         assertEquals("system VC", node.at("/name").asText());
         assertEquals(VirtualCorpusType.SYSTEM.displayName(),
                 node.at("/type").asText());
     }
 
     @Test
-    public void testSearchOwnerPrivateVC () throws UniformInterfaceException,
+    public void testRetrieveOwnerPrivateVCInfo () throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
 
-        JsonNode node = testSearchVC("dory", "1");
+        JsonNode node = testSearchVC("dory", "dory", "dory VC");
         assertEquals("dory VC", node.at("/name").asText());
         assertEquals(VirtualCorpusType.PRIVATE.displayName(),
                 node.at("/type").asText());
     }
 
     @Test
-    public void testSearchPrivateVCUnauthorized ()
+    public void testRetrievePrivateVCInfoUnauthorized ()
             throws UniformInterfaceException, ClientHandlerException,
             KustvaktException {
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("1")
+                .path("dory").path("dory VC")
                 .header(Attributes.AUTHORIZATION,
                         HttpAuthorizationHandler
                                 .createBasicAuthorizationHeaderValue(
@@ -167,22 +160,22 @@
     }
 
     @Test
-    public void testSearchProjectVC () throws UniformInterfaceException,
+    public void testRetrieveProjectVCInfo () throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
 
-        JsonNode node = testSearchVC("nemo", "2");
+        JsonNode node = testSearchVC("nemo", "dory", "group VC");
         assertEquals("group VC", node.at("/name").asText());
         assertEquals(VirtualCorpusType.PROJECT.displayName(),
                 node.at("/type").asText());
     }
 
     @Test
-    public void testSearchProjectVCNonActiveMember ()
+    public void testRetrieveProjectVCInfoByNonActiveMember ()
             throws UniformInterfaceException, ClientHandlerException,
             KustvaktException {
 
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("2")
+                .path("dory").path("group VC")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue("marlin", "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
@@ -199,20 +192,33 @@
     }
 
     @Test
-    public void testSearchPublishedVC () throws UniformInterfaceException,
+    public void testRetrievePublishedVCInfo () throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
 
-        JsonNode node = testSearchVC("gill", "4");
+        JsonNode node = testSearchVC("gill", "marlin", "published VC");
         assertEquals("published VC", node.at("/name").asText());
         assertEquals(VirtualCorpusType.PUBLISHED.displayName(),
                 node.at("/type").asText());
+        
+        // check gill in the hidden group of the vc
+        ClientResponse response = resource().path(API_VERSION).path("group").path("list")
+                .path("system-admin").queryParam("status", "HIDDEN")
+                .header(Attributes.AUTHORIZATION,
+                        HttpAuthorizationHandler
+                                .createBasicAuthorizationHeaderValue(
+                                        "admin", "pass"))
+                .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
+                .get(ClientResponse.class);
 
-        // EM: need admin to check if VirtualCorpusControllerTest is
-        // added to the hidden group
+        assertEquals(Status.OK.getStatusCode(), response.getStatus());
+        String entity = response.getEntity(String.class);
+        node = JsonUtils.readTree(entity);
+        assertEquals(3, node.at("/0/id").asInt());
+        assertEquals("gill", node.at("/0/members/1/userId").asText());
     }
 
     @Test
-    public void testListNemoVC () throws UniformInterfaceException,
+    public void testListAvailableVCNemo () throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
         JsonNode node = testListVC("nemo");
         assertEquals(3, node.size());
@@ -220,7 +226,7 @@
     }
 
     @Test
-    public void testListPearlVC () throws UniformInterfaceException,
+    public void testListAvailableVCPearl () throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
         JsonNode node = testListVC("pearl");
         assertEquals(2, node.size());
@@ -228,25 +234,24 @@
     }
 
     @Test
-    public void testListDoryVC () throws UniformInterfaceException,
+    public void testListAvailableVCDory () throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
         JsonNode node = testListVC("dory");
         assertEquals(4, node.size());
-
     }
 
     @Test
-    public void testListVCByOtherUser () throws UniformInterfaceException,
+    public void testListAvailableVCByOtherUser () throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("list").queryParam("username", "dory")
+                .path("dory")
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue("pearl", "pass"))
                 .get(ClientResponse.class);
         String entity = response.getEntity(String.class);
         JsonNode node = JsonUtils.readTree(entity);
-
+        
         assertEquals(Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
         assertEquals(StatusCodes.AUTHORIZATION_FAILED,
                 node.at("/errors/0/0").asInt());
@@ -257,10 +262,10 @@
     }
 
     @Test
-    public void testListVCByGuest () throws UniformInterfaceException,
+    public void testListAvailableVCByGuest () throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("list").header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
+                .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .get(ClientResponse.class);
         String entity = response.getEntity(String.class);
         JsonNode node = JsonUtils.readTree(entity);
@@ -276,18 +281,18 @@
 
     @Test
     public void testCreatePrivateVC () throws KustvaktException {
-        String json = "{\"name\": \"new vc\",\"type\": \"PRIVATE\","
+        String json = "{\"type\": \"PRIVATE\","
                 + "\"corpusQuery\": \"corpusSigle=GOE\"}";
 
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("create")
+                .path("VirtualCorpusControllerTest").path("new vc")
                 .header(Attributes.AUTHORIZATION,
                         HttpAuthorizationHandler
                                 .createBasicAuthorizationHeaderValue(
                                         "VirtualCorpusControllerTest", "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
-                .post(ClientResponse.class, json);
+                .put(ClientResponse.class, json);
 
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
 
@@ -296,11 +301,8 @@
         assertEquals(2, node.size());
         assertEquals("new vc", node.get(1).get("name").asText());
 
-        String vcId = null;
-        vcId = node.get(1).get("id").asText();
-
         // delete new VC
-        testDeleteVC(vcId, "VirtualCorpusControllerTest");
+        testDeleteVC("new vc", "VirtualCorpusControllerTest");
 
         // list VC
         node = testListVC("VirtualCorpusControllerTest");
@@ -309,32 +311,34 @@
 
     @Test
     public void testCreatePublishedVC () throws KustvaktException {
-        String json = "{\"name\": \"new published vc\",\"type\": \"PUBLISHED\""
+        String json = "{\"type\": \"PUBLISHED\""
                 + ",\"corpusQuery\": \"corpusSigle=GOE\"}";
+        
+        String vcName = "new published vc";
+        
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("create")
+                .path("VirtualCorpusControllerTest").path(vcName)
                 .header(Attributes.AUTHORIZATION,
                         HttpAuthorizationHandler
                                 .createBasicAuthorizationHeaderValue(
                                         "VirtualCorpusControllerTest", "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
-                .post(ClientResponse.class, json);
+                .put(ClientResponse.class, json);
 
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
 
         // test list owner vc
         JsonNode node = testListOwnerVC("VirtualCorpusControllerTest");
         assertEquals(1, node.size());
-        assertEquals("new published vc", node.get(0).get("name").asText());
-
-        String vcId = node.get(0).get("id").asText();
+        assertEquals(vcName, node.get(0).get("name").asText());
 
         // EM: check hidden access
-        node = testlistAccessByVC("admin", vcId).get(0);
+        node = testlistAccessByGroup("admin","");
+        node = node.get(node.size()-1);
         assertEquals("system", node.at("/createdBy").asText());
-        assertEquals(vcId, node.at("/vcId").asText());
-        assertEquals("auto-hidden-group", node.at("/userGroupName").asText());
+        assertEquals(vcName, node.at("/vcName").asText());
+        assertTrue(node.at("/userGroupName").asText().startsWith("auto"));
         assertEquals("new published vc", node.at("/vcName").asText());
 
         String groupId = node.at("/userGroupId").asText();
@@ -344,7 +348,7 @@
         assertEquals("HIDDEN", node.at("/status").asText());
 
         // EM: delete vc
-        testDeleteVC(vcId, "VirtualCorpusControllerTest");
+        testDeleteVC(vcName, "VirtualCorpusControllerTest");
 
         // EM: check if the hidden groups are deleted as well
         node = testCheckHiddenGroup(groupId);
@@ -371,7 +375,7 @@
     @Test
     public void testCreateVCWithInvalidToken ()
             throws IOException, KustvaktException {
-        String json = "{\"name\": \"new vc\",\"type\": \"PRIVATE\","
+        String json = "{\"type\": \"PRIVATE\","
                 + "\"corpusQuery\": \"corpusSigle=GOE\"}";
 
         InputStream is = getClass().getClassLoader()
@@ -384,13 +388,13 @@
         }
 
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("create")
+                .path("VirtualCorpusControllerTest").path("new vc")
                 .header(Attributes.AUTHORIZATION,
                         AuthenticationScheme.API.displayName() + " "
                                 + authToken)
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
-                .entity(json).post(ClientResponse.class);
+                .entity(json).put(ClientResponse.class);
         String entity = response.getEntity(String.class);
 
         assertEquals(Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
@@ -407,7 +411,7 @@
     @Test
     public void testCreateVCWithExpiredToken ()
             throws IOException, KustvaktException {
-        String json = "{\"name\": \"new vc\",\"type\": \"PRIVATE\","
+        String json = "{\"type\": \"PRIVATE\","
                 + "\"corpusQuery\": \"corpusSigle=GOE\"}";
 
         String authToken = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0VXNlci"
@@ -416,13 +420,13 @@
                 + "CuYAfytr_LWqY8woJs";
 
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("create")
+                .path("VirtualCorpusControllerTest").path("new vc")
                 .header(Attributes.AUTHORIZATION,
                         AuthenticationScheme.API.displayName() + " "
                                 + authToken)
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
-                .entity(json).post(ClientResponse.class);
+                .entity(json).put(ClientResponse.class);
 
         String entity = response.getEntity(String.class);
         assertEquals(Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
@@ -437,17 +441,17 @@
 
     @Test
     public void testCreateSystemVC () throws KustvaktException {
-        String json = "{\"name\": \"new vc\",\"type\": \"SYSTEM\","
+        String json = "{\"type\": \"SYSTEM\","
                 + "\"corpusQuery\": \"creationDate since 1820\"}";
 
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("create")
+                .path("VirtualCorpusControllerTest").path("new vc")
                 .header(Attributes.AUTHORIZATION,
                         HttpAuthorizationHandler
                                 .createBasicAuthorizationHeaderValue(
                                         "VirtualCorpusControllerTest", "pass"))
                 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
-                .entity(json).post(ClientResponse.class);
+                .entity(json).put(ClientResponse.class);
 
         assertEquals(Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
 
@@ -464,17 +468,17 @@
 
     @Test
     public void testCreateVCInvalidName () throws KustvaktException {
-        String json = "{\"name\": \"new $vc\",\"type\": \"PRIVATE\","
+        String json = "{\"type\": \"PRIVATE\","
                 + "\"corpusQuery\": \"creationDate since 1820\"}";
 
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("create")
+                .path("VirtualCorpusControllerTest").path("new $vc")
                 .header(Attributes.AUTHORIZATION,
                         HttpAuthorizationHandler
                                 .createBasicAuthorizationHeaderValue(
                                         "VirtualCorpusControllerTest", "pass"))
                 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
-                .entity(json).post(ClientResponse.class);
+                .entity(json).put(ClientResponse.class);
         String entity = response.getEntity(String.class);
         assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
 
@@ -485,13 +489,13 @@
 
     @Test
     public void testCreateVCUnauthorized () throws KustvaktException {
-        String json = "{\"name\": \"new vc\",\"type\": \"PRIVATE\","
+        String json = "{\"type\": \"PRIVATE\","
                 + "\"corpusQuery\": \"creationDate since 1820\"}";
 
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("create")
+                .path("VirtualCorpusControllerTest").path("new vc")
                 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
-                .entity(json).post(ClientResponse.class);
+                .entity(json).put(ClientResponse.class);
 
         assertEquals(Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
 
@@ -507,16 +511,16 @@
 
     @Test
     public void testCreateVCWithoutcorpusQuery () throws KustvaktException {
-        String json = "{\"name\": \"new vc\",\"type\": \"PRIVATE\"}";
+        String json = "{\"type\": \"PRIVATE\"}";
 
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("create")
+                .path("VirtualCorpusControllerTest").path("new vc")
                 .header(Attributes.AUTHORIZATION,
                         HttpAuthorizationHandler
                                 .createBasicAuthorizationHeaderValue(
                                         "VirtualCorpusControllerTest", "pass"))
                 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
-                .entity(json).post(ClientResponse.class);
+                .entity(json).put(ClientResponse.class);
         String entity = response.getEntity(String.class);
         // System.out.println(entity);
         assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
@@ -530,17 +534,17 @@
 
     @Test
     public void testCreateVCWithoutType () throws KustvaktException {
-        String json = "{\"name\": \"new vc\",\"corpusQuery\": "
+        String json = "{\"corpusQuery\": "
                 + "\"creationDate since 1820\"}";
 
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("create")
+                .path("VirtualCorpusControllerTest").path("new vc")
                 .header(Attributes.AUTHORIZATION,
                         HttpAuthorizationHandler
                                 .createBasicAuthorizationHeaderValue(
                                         "VirtualCorpusControllerTest", "pass"))
                 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
-                .entity(json).post(ClientResponse.class);
+                .entity(json).put(ClientResponse.class);
         String entity = response.getEntity(String.class);
         // System.out.println(entity);
         assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
@@ -554,17 +558,17 @@
 
     @Test
     public void testCreateVCWithWrongType () throws KustvaktException {
-        String json = "{\"name\": \"new vc\",\"type\": \"PRIVAT\","
+        String json = "{\"type\": \"PRIVAT\","
                 + "\"corpusQuery\": \"creationDate since 1820\"}";
 
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("create")
+                .path("VirtualCorpusControllerTest").path("new vc")
                 .header(Attributes.AUTHORIZATION,
                         HttpAuthorizationHandler
                                 .createBasicAuthorizationHeaderValue(
                                         "VirtualCorpusControllerTest", "pass"))
                 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
-                .entity(json).post(ClientResponse.class);
+                .entity(json).put(ClientResponse.class);
         String entity = response.getEntity(String.class);
         // System.out.println(entity);
         assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
@@ -581,7 +585,7 @@
     @Test
     public void testDeleteVCUnauthorized () throws KustvaktException {
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("delete").path("1")
+                .path("dory").path("dory VC")
                 .header(Attributes.AUTHORIZATION,
                         HttpAuthorizationHandler
                                 .createBasicAuthorizationHeaderValue(
@@ -607,54 +611,55 @@
     public void testEditVC () throws KustvaktException {
 
         // 1st edit
-        String json = "{\"id\": \"1\", \"name\": \"edited vc\"}";
+        String json = "{\"description\": \"edited vc\"}";
 
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("edit")
+                .path("dory").path("dory VC")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue("dory", "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
-                .post(ClientResponse.class, json);
+                .put(ClientResponse.class, json);
 
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
 
         // check VC
         JsonNode node = testListVC("dory");
-        assertEquals("edited vc", node.get(0).get("name").asText());
+        assertEquals("edited vc", node.get(0).get("description").asText());
 
         // 2nd edit
-        json = "{\"id\": \"1\", \"name\": \"dory VC\"}";
+        json = "{\"description\": \"test vc\"}";
 
-        response = resource().path(API_VERSION).path("vc").path("edit")
+        response = resource().path(API_VERSION).path("vc")
+                .path("dory").path("dory VC")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue("dory", "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
-                .post(ClientResponse.class, json);
+                .put(ClientResponse.class, json);
 
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
 
         // check VC
         node = testListVC("dory");
-        assertEquals("dory VC", node.get(0).get("name").asText());
+        assertEquals("test vc", node.get(0).get("description").asText());
     }
 
     @Test
     public void testEditVCNotOwner () throws KustvaktException {
-        String json = "{\"id\": \"1\", \"name\": \"edited vc\"}";
+        String json = "{\"description\": \"edited vc\"}";
 
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("edit")
+                .path("dory").path("dory VC")
                 .header(Attributes.AUTHORIZATION,
                         HttpAuthorizationHandler
                                 .createBasicAuthorizationHeaderValue(
                                         "VirtualCorpusControllerTest", "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
-                .post(ClientResponse.class, json);
+                .put(ClientResponse.class, json);
         String entity = response.getEntity(String.class);
-        // System.out.println(entity);
+
         JsonNode node = JsonUtils.readTree(entity);
         assertEquals(Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
         assertEquals(StatusCodes.AUTHORIZATION_FAILED,
@@ -666,29 +671,25 @@
         checkWWWAuthenticateHeader(response);
     }
 
-    /**
-     * @see VirtualCorpusServiceTest
-     * @throws KustvaktException
-     */
     @Test
     public void testPublishProjectVC () throws KustvaktException {
 
-        String vcId = "2";
+        String vcName= "group VC";
         
         // check the vc type
-        JsonNode node = testSearchVC("dory", vcId);
+        JsonNode node = testSearchVC("dory", "dory", vcName);
         assertEquals(VirtualCorpusType.PROJECT.displayName(),
                 node.get("type").asText());
         
         // edit vc
-        String json = "{\"id\": \"" + vcId + "\", \"type\": \"PUBLISHED\"}";
+        String json = "{\"type\": \"PUBLISHED\"}";
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("edit")
+                .path("dory").path(vcName)
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue("dory", "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
-                .post(ClientResponse.class, json);
+                .put(ClientResponse.class, json);
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
 
         // check VC
@@ -698,18 +699,23 @@
                 n.get("type").asText());
 
         // check hidden VC access
-        node = testlistAccessByVC("admin", vcId);
-        assertEquals(2, node.size());
+        node = testlistAccessByGroup("admin", "");
+        assertEquals(4, node.size());
+        node = node.get(node.size()-1);
+        assertEquals(vcName, node.at("/vcName").asText());
+        assertEquals("system", node.at("/createdBy").asText());
+        assertTrue(node.at("/userGroupName").asText().startsWith("auto"));
 
         // edit 2nd
-        json = "{\"id\": \"2\", \"type\": \"PROJECT\"}";
+        json = "{\"type\": \"PROJECT\"}";
 
-        response = resource().path(API_VERSION).path("vc").path("edit")
+        response = resource().path(API_VERSION).path("vc")
+                .path("dory").path("group VC")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue("dory", "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
-                .post(ClientResponse.class, json);
+                .put(ClientResponse.class, json);
 
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
 
@@ -718,39 +724,42 @@
                 node.get(1).get("type").asText());
 
         // check VC access
-        node = testlistAccessByVC("admin", vcId);
-        assertEquals(1, node.size());
+        node = testlistAccessByGroup("admin", "");
+        assertEquals(3, node.size());
     }
 
     @Test
-    public void testlistAccessNonVCAAdmin () throws KustvaktException {
-        JsonNode node = testlistAccessByVC("nemo", "2");
-        assertEquals(0, node.size());
-    }
-
-    @Test
-    public void testlistAccessMissingId () throws KustvaktException {
-        ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("access").path("list")
-                .header(Attributes.AUTHORIZATION,
-                        HttpAuthorizationHandler
-                                .createBasicAuthorizationHeaderValue(
-                                        "VirtualCorpusControllerTest", "pass"))
-                .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
-                .get(ClientResponse.class);
-        String entity = response.getEntity(String.class);
-        JsonNode node = JsonUtils.readTree(entity);
-        assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
-        assertEquals(StatusCodes.MISSING_PARAMETER,
+    public void testlistAccessByNonVCAAdmin () throws KustvaktException {
+        JsonNode node = testlistAccessByGroup("nemo", "dory group");
+        assertEquals(StatusCodes.AUTHORIZATION_FAILED,
                 node.at("/errors/0/0").asInt());
-        assertEquals("vcId", node.at("/errors/0/1").asText());
+        assertEquals("Unauthorized operation for user: nemo",
+                node.at("/errors/0/1").asText());
     }
 
+//    @Test
+//    public void testlistAccessMissingId () throws KustvaktException {
+//        ClientResponse response = resource().path(API_VERSION).path("vc")
+//                .path("access")
+//                .header(Attributes.AUTHORIZATION,
+//                        HttpAuthorizationHandler
+//                                .createBasicAuthorizationHeaderValue(
+//                                        "VirtualCorpusControllerTest", "pass"))
+//                .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
+//                .get(ClientResponse.class);
+//        String entity = response.getEntity(String.class);
+//        JsonNode node = JsonUtils.readTree(entity);
+//        assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
+//        assertEquals(StatusCodes.MISSING_PARAMETER,
+//                node.at("/errors/0/0").asInt());
+//        assertEquals("vcId", node.at("/errors/0/1").asText());
+//    }
+
     @Test
     public void testlistAccessByGroup () throws KustvaktException {
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("access").path("list").path("byGroup")
-                .queryParam("groupId", "2")
+                .path("access")
+                .queryParam("groupName", "dory group")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue("dory", "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
@@ -762,6 +771,7 @@
         assertEquals(2, node.at("/0/vcId").asInt());
         assertEquals("group VC", node.at("/0/vcName").asText());
         assertEquals(2, node.at("/0/userGroupId").asInt());
+        
         assertEquals("dory group", node.at("/0/userGroupName").asText());
     }
 
@@ -769,32 +779,33 @@
     public void testCreateDeleteAccess () throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
 
-        String vcId = "5";
+        String vcName = "marlin VC";
+        String groupName = "marlin group";
         
         // check the vc type
-        JsonNode node = testSearchVC("marlin", vcId);
-        assertEquals("marlin VC", node.at("/name").asText());
+        JsonNode node = testSearchVC("marlin", "marlin", vcName);
+        assertEquals(vcName, node.at("/name").asText());
         assertEquals("private", node.at("/type").asText());
         
-        ClientResponse response = testShareVC(vcId);
+        ClientResponse response = testShareVCByCreator("marlin", vcName, groupName);
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
 
         // check the vc type
-        node = testSearchVC("marlin", vcId);
+        node = testSearchVC("marlin", "marlin", vcName);
         assertEquals("project", node.at("/type").asText());
         
         // list vc access by marlin
-        node = testlistAccessByVC("marlin", vcId);
-        assertEquals(1, node.size());
-        node = node.get(0);
+        node = testlistAccessByGroup("marlin", groupName);
+        assertEquals(2, node.size());
+        node = node.get(1);
         assertEquals(5, node.at("/vcId").asInt());
-        assertEquals("marlin VC", node.at("/vcName").asText());
+        assertEquals(vcName, node.at("/vcName").asText());
         assertEquals(1, node.at("/userGroupId").asInt());
-        assertEquals("marlin group", node.at("/userGroupName").asText());
+        assertEquals(groupName, node.at("/userGroupName").asText());
 
         String accessId = node.at("/accessId").asText();
 
-        testCreateNonUniqueAccess(vcId);
+        testShareVCNonUniqueAccess("marlin", vcName, groupName);
         testDeleteAccessUnauthorized(accessId);
 
         // delete access by vc-admin
@@ -802,35 +813,29 @@
         testDeleteAccess("dory", accessId);
 
         // list vc access by dory
-        node = testlistAccessByVC("dory", vcId);
-        assertEquals(0, node.size());
+        node = testlistAccessByGroup("dory", groupName);
+        assertEquals(1, node.size());
         
-        testEditVCType("marlin", vcId, VirtualCorpusType.PRIVATE);
+        testEditVCType("marlin", "marlin", vcName, VirtualCorpusType.PRIVATE);
     }
 
 
-    private ClientResponse testShareVC (String vcId)
+    private ClientResponse testShareVCByCreator (String vcCreator, String vcName, String groupName)
             throws UniformInterfaceException, ClientHandlerException,
             KustvaktException {
 
-        MultivaluedMap<String, String> form = new MultivaluedMapImpl();
-        // marlin vc
-        form.add("vcId", vcId);
-        // marlin group
-        form.add("groupId", "1");
-
-        return resource().path(API_VERSION).path("vc").path("access")
-                .path("share").type(MediaType.APPLICATION_FORM_URLENCODED)
+        return resource().path(API_VERSION).path("vc").path(vcCreator)
+                .path(vcName).path("share").path(groupName)
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
-                        .createBasicAuthorizationHeaderValue("marlin", "pass"))
-                .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32").entity(form)
+                        .createBasicAuthorizationHeaderValue(vcCreator, "pass"))
+                .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .post(ClientResponse.class);
     }
 
-    private void testCreateNonUniqueAccess (String vcId)
+    private void testShareVCNonUniqueAccess (String vcCreator, String vcName, String groupName)
             throws UniformInterfaceException, ClientHandlerException,
             KustvaktException {
-        ClientResponse response = testShareVC(vcId);
+        ClientResponse response = testShareVCByCreator(vcCreator, vcName, groupName);
         JsonNode node = JsonUtils.readTree(response.getEntity(String.class));
         assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatus());
         assertEquals(StatusCodes.DB_INSERT_FAILED,
@@ -843,24 +848,16 @@
     }
 
     @Test
-    public void testCreateAccessByVCAButNotVCOwner ()
+    public void testShareVCByVCAAdmin ()
             throws UniformInterfaceException, ClientHandlerException,
             KustvaktException {
 
-        MultivaluedMap<String, String> form = new MultivaluedMapImpl();
-        // marlin vc
-        form.add("vcId", "5");
-        // marlin group
-        form.add("groupId", "1");
-
-        // share VC
         // dory is VCA in marlin group
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("access").path("share")
-                .type(MediaType.APPLICATION_FORM_URLENCODED)
+                .path("marlin").path("marlin VC").path("share").path("marlin group")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue("dory", "pass"))
-                .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32").entity(form)
+                .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .post(ClientResponse.class);
 
         String entity = response.getEntity(String.class);
@@ -873,23 +870,15 @@
     }
 
     @Test
-    public void testCreateAccessByNonVCA () throws UniformInterfaceException,
+    public void testShareVCByNonVCAAdmin () throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
 
-        MultivaluedMap<String, String> form = new MultivaluedMapImpl();
-        // nemo vc
-        form.add("vcId", "6");
-        // marlin group
-        form.add("groupId", "1");
-
-        // share VC
         // nemo is not VCA in marlin group
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("access").path("share")
-                .type(MediaType.APPLICATION_FORM_URLENCODED)
+                .path("nemo").path("nemo VC").path("share").path("marlin group")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue("nemo", "pass"))
-                .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32").entity(form)
+                .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .post(ClientResponse.class);
 
         String entity = response.getEntity(String.class);
@@ -905,7 +894,7 @@
             throws UniformInterfaceException, ClientHandlerException,
             KustvaktException {
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("access").path("delete").path(accessId)
+                .path("access").path(accessId)
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(username, "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
@@ -918,7 +907,7 @@
             throws UniformInterfaceException, ClientHandlerException,
             KustvaktException {
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("access").path("delete").path(accessId)
+                .path("access").path(accessId)
                 .header(Attributes.AUTHORIZATION,
                         HttpAuthorizationHandler
                                 .createBasicAuthorizationHeaderValue(
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusTestBase.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusTestBase.java
index b773135..0ce1834 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusTestBase.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusTestBase.java
@@ -8,8 +8,8 @@
 import com.google.common.net.HttpHeaders;
 import com.sun.jersey.api.client.ClientHandlerException;
 import com.sun.jersey.api.client.ClientResponse;
-import com.sun.jersey.api.client.UniformInterfaceException;
 import com.sun.jersey.api.client.ClientResponse.Status;
+import com.sun.jersey.api.client.UniformInterfaceException;
 
 import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
 import de.ids_mannheim.korap.config.Attributes;
@@ -20,11 +20,11 @@
 
 public abstract class VirtualCorpusTestBase extends SpringJerseyTest{
     
-    protected JsonNode testSearchVC (String username, String vcId)
+    protected JsonNode testSearchVC (String username, String vcCreator, String vcName)
             throws UniformInterfaceException, ClientHandlerException,
             KustvaktException {
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path(vcId)
+                .path(vcCreator).path(vcName)
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(username, "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
@@ -36,21 +36,22 @@
         return JsonUtils.readTree(entity);
     }
     
-    protected void testEditVCType (String username, String vcId,
-            VirtualCorpusType type) throws KustvaktException {
-        String json = "{\"id\": \"" + vcId + "\", \"type\": \"" + type + "\"}";
+    protected void testEditVCType (String username, String vcCreator,
+            String vcName, VirtualCorpusType type)
+            throws KustvaktException {
+        String json = "{\"type\": \"" + type + "\"}";
 
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("edit")
+                .path(vcCreator).path(vcName)
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(username, "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
-                .post(ClientResponse.class, json);
+                .put(ClientResponse.class, json);
 
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
 
-        JsonNode node = testSearchVC(username, vcId);
+        JsonNode node = testSearchVC(username, vcCreator, vcName);
         assertEquals(type.displayName(), node.at("/type").asText());
     }
 }