diff --git a/src/wuttjamaican/db/alembic/versions/6bf900765500_add_user_prevent_edit.py b/src/wuttjamaican/db/alembic/versions/6bf900765500_add_user_prevent_edit.py
new file mode 100644
index 0000000..4b23bce
--- /dev/null
+++ b/src/wuttjamaican/db/alembic/versions/6bf900765500_add_user_prevent_edit.py
@@ -0,0 +1,30 @@
+"""add user.prevent_edit
+
+Revision ID: 6bf900765500
+Revises: ebd75b9feaa7
+Create Date: 2024-11-24 16:52:36.773657
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision: str = '6bf900765500'
+down_revision: Union[str, None] = 'ebd75b9feaa7'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+
+    # user
+    op.add_column('user', sa.Column('prevent_edit', sa.Boolean(), nullable=True))
+
+
+def downgrade() -> None:
+
+    # user
+    op.drop_column('user', 'prevent_edit')
diff --git a/src/wuttjamaican/db/model/auth.py b/src/wuttjamaican/db/model/auth.py
index 18ca366..44e71b4 100644
--- a/src/wuttjamaican/db/model/auth.py
+++ b/src/wuttjamaican/db/model/auth.py
@@ -188,6 +188,11 @@ class User(Base):
     The default auth logic will prevent login for "inactive" user accounts.
     """)
 
+    prevent_edit = sa.Column(sa.Boolean(), nullable=True, doc="""
+    If set, this user account can only be edited by root.  User cannot
+    change their own password.
+    """)
+
     role_refs = orm.relationship(
         'UserRole',
         back_populates='user',