diff --git a/pillar/__init__.py b/pillar/__init__.py index c1d0d883..d98cc71e 100644 --- a/pillar/__init__.py +++ b/pillar/__init__.py @@ -86,7 +86,7 @@ class PillarServer(BlinkerCompatibleEve): # The default roles Pillar uses. Will probably all move to extensions at some point. self._user_roles: typing.Set[str] = { 'demo', 'admin', 'subscriber', 'homeproject', - 'protected', 'org-subscriber', + 'protected', 'org-subscriber', 'video-encoder', 'service', 'badger', 'svner', 'urler', } self._user_roles_indexable: typing.Set[str] = {'demo', 'admin', 'subscriber'} diff --git a/pillar/api/file_storage/__init__.py b/pillar/api/file_storage/__init__.py index 4e98cdc9..30c8f40c 100644 --- a/pillar/api/file_storage/__init__.py +++ b/pillar/api/file_storage/__init__.py @@ -26,7 +26,7 @@ from flask import url_for, helpers from pillar.api import utils from pillar.api.file_storage_backends.gcs import GoogleCloudStorageBucket, \ GoogleCloudStorageBlob -from pillar.api.utils import remove_private_keys, authentication +from pillar.api.utils import remove_private_keys from pillar.api.utils.authorization import require_login, user_has_role, \ user_matches_roles from pillar.api.utils.cdn import hash_file_path @@ -291,8 +291,8 @@ def process_file(bucket: Bucket, # TODO: overrule the content type based on file extention & magic numbers. mime_category, src_file['format'] = src_file['content_type'].split('/', 1) - # Prevent video handling for non-admins. - if not user_has_role('admin') and mime_category == 'video': + # Only allow video encoding when the user has the correct capability. + if not current_user.has_cap('encode-video') and mime_category == 'video': if src_file['format'].startswith('x-'): xified = src_file['format'] else: 
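Review bot: In `process_file` (pillar/api/file_storage/__init__.py, hunk at line 291) the new gate calls `current_user.has_cap('encode-video')`, but the import hunk for this file only drops `authentication` and adds nothing, so `current_user` must already be in scope from lines outside this diff; if it is not, the check raises NameError on every call. It is also worth confirming that `process_file` only runs inside the uploader's request context, since a call from a background task would presumably evaluate the capability against whatever user, if any, is bound there. I would extend the comment to state the fallback, e.g. `# Without 'encode-video' the file is relabelled as 'application/...' instead of being handled as video.` The body of `process_file` starts and ends outside the hunk.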
@@ -300,7 +300,7 @@ def process_file(bucket: Bucket, src_file['content_type'] = 'application/%s' % xified mime_category = 'application' - log.info('Not processing video file %s for non-admin user', file_id) + log.info('Not processing video file %s for non-video-encoding user', file_id) # Run the required processor, based on the MIME category. processors: typing.Mapping[str, typing.Callable] = { diff --git a/pillar/config.py b/pillar/config.py index 2a263f25..291787a3 100644 --- a/pillar/config.py +++ b/pillar/config.py @@ -205,8 +205,9 @@ CELERY_BEAT_SCHEDULE = { USER_CAPABILITIES = defaultdict(**{ 'subscriber': {'subscriber', 'home-project'}, 'demo': {'subscriber', 'home-project'}, - 'admin': {'video-encoding', 'admin', + 'admin': {'encode-video', 'admin', 'view-pending-nodes', 'edit-project-node-types', 'create-organization'}, + 'video-encoder': {'encode-video'}, 'org-subscriber': {'subscriber', 'home-project'}, }, default_factory=frozenset)
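Review bot: The denial message `log.info('Not processing video file %s for non-video-encoding user', file_id)` records the file but not who was refused, which makes it hard to notice an account that is repeatedly refused or a role that lost the capability by mistake. Adding the user's identifier as a second `%s` argument would make this line usable for audit. `process_file` starts and ends outside the hunk.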
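Review bot: The capability is renamed from `'video-encoding'` to `'encode-video'` in `USER_CAPABILITIES` (pillar/config.py) and the gate in `process_file` matches it only by string literal, so a deployment-local override or any other check still using the old name would silently stop granting video encoding; a shared constant, or a test asserting that `'encode-video'` is in both the `admin` and `video-encoder` sets, would catch that. Separately, the context line `}, default_factory=frozenset)` passes `default_factory` as a keyword, which `collections.defaultdict` stores as an ordinary key rather than using as the factory, so a role missing from this mapping raises KeyError on subscript instead of yielding an empty set. Passing it positionally, `defaultdict(frozenset, **{...})`, gives the intended behaviour; whether callers subscript the mapping or use `.get()` is not visible here.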