diff --git a/include/Ntop.h b/include/Ntop.h
index 4876bde157..f33ef6d65c 100644
--- a/include/Ntop.h
+++ b/include/Ntop.h
@@ -388,10 +388,11 @@ class Ntop {
   bool changeAllowedIfname(char *username, char *allowed_ifname) const;
   bool changeUserHostPool(const char * const username, const char * const host_pool_id) const;
   bool changeUserLanguage(const char * const username, const char * const language) const;
+  bool changeUserPermission(const char * const username, bool allow_pcap_download) const;
   bool existsUser(const char * const username) const;
   bool addUser(char *username, char *full_name, char *password, char *host_role,
 	       char *allowed_networks, char *allowed_ifname, char *host_pool_id,
-	       char *language);
+	       char *language, bool allow_pcap_download);
   bool addUserLifetime(const char * const username, u_int32_t lifetime_secs); /* Captive portal users may expire */
   bool clearUserLifetime(const char * const username);
   bool isCaptivePortalUser(const char * const username);
diff --git a/include/ntop_defines.h b/include/ntop_defines.h
index 63ee359346..06ef414750 100644
--- a/include/ntop_defines.h
+++ b/include/ntop_defines.h
@@ -249,6 +249,7 @@
 #define CONST_STR_USER_ALLOWED_IFNAME  "ntopng.user.%s.allowed_ifname"
 #define CONST_STR_USER_HOST_POOL_ID    "ntopng.user.%s.host_pool_id"
 #define CONST_STR_USER_LANGUAGE        "ntopng.user.%s.language"
+#define CONST_STR_USER_ALLOW_PCAP      "ntopng.user.%s.allow_pcap"
 #define CONST_STR_USER_EXPIRE          "ntopng.user.%s.expire"
 #define CONST_ALLOWED_NETS             "allowed_nets"
 #define CONST_ALLOWED_IFNAME           "allowed_ifname"
diff --git a/scripts/locales/en.lua b/scripts/locales/en.lua
index 712b6f59d3..61e6a0cd6c 100644
--- a/scripts/locales/en.lua
+++ b/scripts/locales/en.lua
@@ -416,6 +416,7 @@ local lang = {
     ["too_many_hosts_description"] = "Trigger an alert when the number of active hosts is too high",
     ["total_alerts"] = "Total Alerts",
     ["trailing_msg"] = "Time Window",
+    ["trailing_msg_compact"] = "Window",
     ["unresponsive_device"] = "Unresponsive Device",
     ["user_activity"] = "User Activity",
     ["user_scripts_calls_drops"] = "User Scripts Calls Dropped",
@@ -2239,6 +2240,8 @@ local lang = {
   ["manage_users"] = {
     ["add_new_user"] = "Add New User",
     ["administrator"] = "Administrator",
+    ["allow_pcap_download"] = "Allow PCAP Download",
+    ["allow_pcap_download_descr"] = "Allow the user to download live traffic and PCAPs",
     ["allowed_interface"] = "Allowed Interface",
     ["allowed_networks"] = "Allowed Networks",
     ["allowed_networks_descr"] = "Comma separated list of networks this user can view. Example:",
diff --git a/scripts/lua/admin/add_user.lua b/scripts/lua/admin/add_user.lua
index 9607c0ea20..a22c6dda1c 100644
--- a/scripts/lua/admin/add_user.lua
+++ b/scripts/lua/admin/add_user.lua
@@ -9,17 +9,18 @@ require "lua_utils"
 sendHTTPContentTypeHeader('text/html')
 
 if(haveAdminPrivileges()) then
-   username = _POST["username"]
-   full_name = _POST["full_name"]
-   password = _POST["password"]
-   confirm_password = _POST["confirm_password"]
-   host_role = _POST["user_role"]
-   networks = _POST["allowed_networks"]
-   allowed_interface = _POST["allowed_interface"]
-   language = _POST["user_language"]
-   host_pool_id = _POST["host_pool_id"]
-   limited_lifetime = _POST["lifetime_limited"]
-   lifetime_secs = tonumber((_POST["lifetime_secs"] or -1))
+   local username = _POST["username"]
+   local full_name = _POST["full_name"]
+   local password = _POST["password"]
+   local confirm_password = _POST["confirm_password"]
+   local host_role = _POST["user_role"]
+   local networks = _POST["allowed_networks"]
+   local allowed_interface = _POST["allowed_interface"]
+   local language = _POST["user_language"]
+   local allow_pcap_download = _POST["allow_pcap_download"]
+   local host_pool_id = _POST["host_pool_id"]
+   local limited_lifetime = _POST["lifetime_limited"]
+   local lifetime_secs = tonumber((_POST["lifetime_secs"] or -1))
 
    if(username == nil or full_name == nil or password == nil or confirm_password == nil or host_role == nil or networks == nil or allowed_interface == nil) then
       print ("{ \"result\" : -1, \"message\" : \"Invalid parameters\" }")
@@ -34,7 +35,12 @@ if(haveAdminPrivileges()) then
    local ret = false
    username = string.lower(username)
 
-   if(ntop.addUser(username, full_name, password, host_role, networks, getInterfaceName(allowed_interface), host_pool_id, language)) then
+   local allow_pcap_download_enabled = false
+   if _POST["allow_pcap_download"] and _POST["allow_pcap_download"] == "1" then
+     allow_pcap_download_enabled = true
+   end
+
+   if(ntop.addUser(username, full_name, password, host_role, networks, getInterfaceName(allowed_interface), host_pool_id, language, allow_pcap_download_enabled)) then
       ret = true
 
       if limited_lifetime and not ntop.addUserLifetime(username, lifetime_secs) then
diff --git a/scripts/lua/admin/change_user_prefs.lua b/scripts/lua/admin/change_user_prefs.lua
index 5236201b8a..fcd02eea4a 100644
--- a/scripts/lua/admin/change_user_prefs.lua
+++ b/scripts/lua/admin/change_user_prefs.lua
@@ -12,6 +12,7 @@ local username  = _POST["username"]
 local host_role = _POST["user_role"]
 local networks  = _POST["allowed_networks"]
 local allowed_interface = _POST["allowed_interface"]
+local allow_pcap_download = _POST["allow_pcap_download"]
 local language  = _POST["user_language"]
 
 -- for captive portal users
@@ -50,11 +51,13 @@ if(networks ~= nil) then
   end
 end
 
-if(allowed_interface ~= nil) then
-   if(not ntop.changeAllowedIfname(username, getInterfaceName(allowed_interface))) then
-      print ("{ \"result\" : -1, \"message\" : \"Error in changing the allowed interface\" }")
-      return
-   end
+local allow_pcap_download_enabled = false
+if allow_pcap_download and allow_pcap_download == "1" then
+  allow_pcap_download_enabled = true;
+end
+if(not ntop.changeUserPermission(username, allow_pcap_download_enabled)) then
+   print ("{ \"result\" : -1, \"message\" : \"Error in changing user permission\" }")
+   return
 end
 
 if(language ~= nil) then
diff --git a/scripts/lua/admin/get_user_info.lua b/scripts/lua/admin/get_user_info.lua
index fde70d9842..bfcbac8ce7 100644
--- a/scripts/lua/admin/get_user_info.lua
+++ b/scripts/lua/admin/get_user_info.lua
@@ -48,6 +48,9 @@ if(haveAdminPrivileges()) then
 	    end
 	 end
 	 print(' "language": "'..value["language"]..'",\n')
+         if value["allow_pcap_download"] then
+           print(' "allow_pcap_download": true,\n')
+         end
 
 	 print(' "username": "'..key..'",\n')
 	 print(' "password": "'..value["password"]..'",\n')
diff --git a/scripts/lua/inc/add_user_dialog.lua b/scripts/lua/inc/add_user_dialog.lua
index 3441126588..d438fb88c1 100644
--- a/scripts/lua/inc/add_user_dialog.lua
+++ b/scripts/lua/inc/add_user_dialog.lua
@@ -66,7 +66,6 @@ print [[
       <input id="confirm_password_input" type="password" name="confirm_password" value="" class="form-control" pattern="]] print(getPasswordInputPattern()) print[[" required>
     </div>
 
-
     <label for="user_role">]] print(i18n("manage_users.user_role")) print[[</label>
     <div class="input-group mb-6">
 	<select id="user_role" name="user_role" class="form-control" style="width:100%;">
@@ -75,9 +74,11 @@ print [[
 	</select>
     </div>
 
-    <label for="allowed_interface">]] print(i18n("manage_users.allowed_interface")) print[[</labe>l
+    <div id="unprivileged_input">
+
+    <label for="allowed_interface_input">]] print(i18n("manage_users.allowed_interface")) print[[</labe>
     <div class="input-group mb-6">
-	<select name="allowed_interface" class="form-control">
+	<select id="allowed_interface_input" name="allowed_interface" class="form-control">
 	  <option value="">]] print(i18n("manage_users.any_interface")) print[[</option>
 ]]
 
@@ -93,6 +94,25 @@ print [[
       <input id="allowed_networks_input" type="text" name="allowed_networks" value="" class="form-control">
       <small>]] print(i18n("manage_users.allowed_networks_descr")) print[[: 192.168.1.0/24,172.16.0.0/16</small>
     </div>
+
+    <!--div class="input-group mb-6">
+      <div class="form-check">
+        <input id="allow_pcap_download_input" type="checkbox" name="allow_pcap_download" value="1" class="form-check-input">
+        <label for="allow_pcap_download_input" class="form-check-label">]] print(i18n("manage_users.allow_pcap_download_descr")) print[[</label>
+      </div>
+    </div-->
+
+    </div>
+
+    <script>
+    $("#user_role").change(function() {
+      if ($(this).val() == "unprivileged")
+        $('#unprivileged_input').show();
+      else
+        $('#unprivileged_input').hide();
+    });
+    $("#user_role").trigger("change");
+    </script>
 ]]
 
 if not ntop.isnEdge() then
diff --git a/scripts/lua/inc/password_dialog.lua b/scripts/lua/inc/password_dialog.lua
index e1b55ea512..6510825c67 100644
--- a/scripts/lua/inc/password_dialog.lua
+++ b/scripts/lua/inc/password_dialog.lua
@@ -121,6 +121,8 @@ print [[
         </select>
   </div>
 
+  <div id="unprivileged_manage_input">
+
   <label for="allowed_interface">]] print(i18n("manage_users.allowed_interface")) print[[</label>
   <div class='input-group mb-6'>
         <select name="allowed_interface" id="allowed_interface" class="form-control">
@@ -139,6 +141,26 @@ print [[
       <input id="networks_input" type="text" name="allowed_networks" value="" class="form-control" required>
       <small>]] print(i18n("manage_users.allowed_networks_descr")) print[[ 192.168.1.0/24,172.16.0.0/16</small>
     </div>
+
+    <!--div class="input-group mb-6">
+      <div class="form-check">
+        <input id="allow_pcap_input" type="checkbox" name="allow_pcap_download" value="1" class="form-check-input">
+        <label for="allow_pcap_input" class="form-check-label">]] print(i18n("manage_users.allow_pcap_download_descr")) print[[</label>
+      </div>
+    </div-->
+
+    </div>
+
+    <script>
+    $("#host_role_select").change(function() {
+      if ($(this).val() == "unprivileged")
+        $('#unprivileged_manage_input').show();
+      else
+        $('#unprivileged_manage_input').hide();
+    });
+    $("#host_role_select").trigger("change");
+    </script>
+
 ]]
 
 if not ntop.isnEdge() then
@@ -288,9 +310,9 @@ function reset_pwd_dialog(user) {
       $('#networks_input').val(data.allowed_nets);
       $('#allowed_interface option[value="' + data.allowed_if_id + '"]').attr('selected','selected');
 
-      if(data.language !== "") {
-      $('#user_language option[value="' + data.language + '"]').attr('selected','selected');
-      }
+      if(data.language !== "")
+        $('#user_language option[value="' + data.language + '"]').attr('selected','selected');
+      $('#allow_pcap_input').prop('checked', data.allow_pcap_download === true ? true : false);
       if(data.host_pool_id) {
         $('#old_host_pool_id').val(data.host_pool_id);
         $('#host_pool_id option[value = '+data.host_pool_id+']').attr('selected','selected');
diff --git a/scripts/lua/modules/http_lint.lua b/scripts/lua/modules/http_lint.lua
index 0f6a2b8193..b67f762bbb 100644
--- a/scripts/lua/modules/http_lint.lua
+++ b/scripts/lua/modules/http_lint.lua
@@ -1064,6 +1064,7 @@ local known_parameters = {
    ["select_keys_clause"]      = validateUnquoted,
    ["select_values_clause"]    = validateUnquoted,
    ["approx_search"]           = validateBool,
+
    ["where_clause"]            = { whereCleanup, validateUnquoted },
    ["where_clause_unck"]       = { whereCleanup, validateUnchecked },
    ["begin_time_clause"]       = validateUnquoted,
@@ -1100,6 +1101,7 @@ local known_parameters = {
    ["confirm_password"]        = { passwordCleanup, validatePassword },              -- Confirm user password
    ["user_role"]               = validateUserRole,              -- User role
    ["user_language"]           = validateUserLanguage,          -- User language
+   ["allow_pcap_download"]     = validateEmptyOr(validateBool),
 
 -- NDPI
    ["application"]             = validateApplication,           -- An nDPI application protocol name
diff --git a/src/LuaEngine.cpp b/src/LuaEngine.cpp
index c13c513311..56a65aebc0 100644
--- a/src/LuaEngine.cpp
+++ b/src/LuaEngine.cpp
@@ -5648,6 +5648,26 @@ static int ntop_change_user_language(lua_State* vm) {
 
 /* ****************************************** */
 
+// ***API***
+static int ntop_change_user_permission(lua_State* vm) {
+  char *username;
+  bool allow_pcap_download = false;
+
+  ntop->getTrace()->traceEvent(TRACE_DEBUG, "%s() called", __FUNCTION__);
+  if(!ntop->isUserAdministrator(vm) || !ntop->isLocalUser(vm)) return(CONST_LUA_ERROR);
+
+  if(ntop_lua_check(vm, __FUNCTION__, 1, LUA_TSTRING) != CONST_LUA_OK) return(CONST_LUA_PARAM_ERROR);
+  if((username = (char*)lua_tostring(vm, 1)) == NULL) return(CONST_LUA_PARAM_ERROR);
+
+  if(ntop_lua_check(vm, __FUNCTION__, 2, LUA_TBOOLEAN) != CONST_LUA_OK) return(CONST_LUA_PARAM_ERROR);
+    allow_pcap_download = lua_toboolean(vm, 2) ? true : false;
+
+  lua_pushboolean(vm, ntop->changeUserPermission(username, allow_pcap_download));
+  return CONST_LUA_OK;
+}
+
+/* ****************************************** */
+
 // ***API***
 static int ntop_post_http_json_data(lua_State* vm) {
   char *username, *password, *url, *json;
@@ -5815,6 +5835,7 @@ static int ntop_send_mail(lua_State* vm) {
 static int ntop_add_user(lua_State* vm) {
   char *username, *full_name, *password, *host_role, *allowed_networks, *allowed_interface;
   char *host_pool_id = NULL, *language = NULL;
+  bool allow_pcap_download = false;
 
   ntop->getTrace()->traceEvent(TRACE_DEBUG, "%s() called", __FUNCTION__);
 
@@ -5844,8 +5865,11 @@ static int ntop_add_user(lua_State* vm) {
   if(lua_type(vm, 8) == LUA_TSTRING)
     if((language = (char*)lua_tostring(vm, 8)) == NULL) return(CONST_LUA_PARAM_ERROR);
 
+  if(lua_type(vm, 9) == LUA_TBOOLEAN)
+    allow_pcap_download = lua_toboolean(vm, 9);
+
   lua_pushboolean(vm, ntop->addUser(username, full_name, password, host_role,
-				    allowed_networks, allowed_interface, host_pool_id, language));
+				    allowed_networks, allowed_interface, host_pool_id, language, allow_pcap_download));
 
   return CONST_LUA_OK;
 }
@@ -11478,6 +11502,7 @@ static const luaL_Reg ntop_reg[] = {
   { "changeAllowedIfname",  ntop_change_allowed_ifname },
   { "changeUserHostPool",   ntop_change_user_host_pool },
   { "changeUserLanguage",   ntop_change_user_language  },
+  { "changeUserPermission", ntop_change_user_permission },
   { "addUser",              ntop_add_user },
   { "addUserLifetime",      ntop_add_user_lifetime },
   { "clearUserLifetime",    ntop_clear_user_lifetime },
diff --git a/src/Ntop.cpp b/src/Ntop.cpp
index 6d1d996029..750ef92421 100644
--- a/src/Ntop.cpp
+++ b/src/Ntop.cpp
@@ -966,6 +966,10 @@ void Ntop::getUsers(lua_State* vm) {
     else
       lua_push_str_table_entry(vm, "language", (char*)"");
 
+    snprintf(key, CONST_MAX_LEN_REDIS_VALUE, CONST_STR_USER_ALLOW_PCAP, username);
+    if(ntop->getRedis()->get(key, val, CONST_MAX_LEN_REDIS_VALUE) >= 0)
+      lua_push_bool_table_entry(vm, "allow_pcap_download", true);
+
     snprintf(key, CONST_MAX_LEN_REDIS_VALUE, CONST_STR_USER_NETS, username);
     if(ntop->getRedis()->get(key, val, CONST_MAX_LEN_REDIS_VALUE) >= 0)
       lua_push_str_table_entry(vm, CONST_ALLOWED_NETS, val);
@@ -1692,14 +1696,35 @@ bool Ntop::changeUserLanguage(const char * const username, const char * const la
   char key[64];
   snprintf(key, sizeof(key), CONST_STR_USER_LANGUAGE, username);
 
-  if(language != NULL && language[0] != '\0') {
+  if(language != NULL && language[0] != '\0')
     return (ntop->getRedis()->set(key, (char*)language, 0) >= 0);
-  } else {
+  else
     ntop->getRedis()->del(key);
-  }
 
   return(true);
 }
+
+/* ******************************************* */
+
+bool Ntop::changeUserPermission(const char * const username, bool allow_pcap_download) const {
+  if (username == NULL || username[0] == '\0')
+    return false;
+
+  ntop->getTrace()->traceEvent(TRACE_DEBUG,
+			       "Changing user permission [allow-pcap-download: %s] for %s",
+			       allow_pcap_download ? "true" : "false", username);
+
+  char key[64];
+  snprintf(key, sizeof(key), CONST_STR_USER_ALLOW_PCAP, username);
+
+  if(allow_pcap_download)
+    return (ntop->getRedis()->set(key, "1", 0) >= 0);
+  else
+    ntop->getRedis()->del(key);
+
+  return(true);
+}
+
 /* ******************************************* */
 
 bool Ntop::existsUser(const char * const username) const {
@@ -1716,7 +1741,7 @@ bool Ntop::existsUser(const char * const username) const {
 
 bool Ntop::addUser(char *username, char *full_name, char *password, char *host_role,
 		   char *allowed_networks, char *allowed_ifname, char *host_pool_id,
-		   char *language) {
+		   char *language, bool allow_pcap_download) {
   char key[CONST_MAX_LEN_REDIS_KEY];
   char password_hash[33];
 
@@ -1741,6 +1766,11 @@ bool Ntop::addUser(char *username, char *full_name, char *password, char *host_r
     ntop->getRedis()->set(key, language, 0);
   }
 
+  if(allow_pcap_download) {
+    snprintf(key, sizeof(key), CONST_STR_USER_ALLOW_PCAP, username);
+    ntop->getRedis()->set(key, "1", 0);
+  }
+
   if(allowed_ifname && allowed_ifname[0] != '\0'){
     ntop->getTrace()->traceEvent(TRACE_DEBUG, "Setting allowed ifname: %s", allowed_ifname);
     snprintf(key, sizeof(key), CONST_STR_USER_ALLOWED_IFNAME, username);
@@ -1843,6 +1873,9 @@ bool Ntop::deleteUser(char *username) {
   snprintf(key, sizeof(key), CONST_STR_USER_LANGUAGE, username);
   ntop->getRedis()->del(key);
 
+  snprintf(key, sizeof(key), CONST_STR_USER_ALLOW_PCAP, username);
+  ntop->getRedis()->del(key);
+
   snprintf(key, sizeof(key), CONST_STR_USER_HOST_POOL_ID, username);
   ntop->getRedis()->del(key);