diff --git a/app/assets/stylesheets/application.css b/app/assets/stylesheets/application.css
index 5bcb52f..7ff4439 100644
--- a/app/assets/stylesheets/application.css
+++ b/app/assets/stylesheets/application.css
@@ -32,13 +32,17 @@ body {
   margin: 0 0.5rem;
 }
 
-input {
+/* blue - target for interaction with pointer */
+/* gray - target for interaction with keyboard */
+input,
+select {
   background-color: white;
   border: 1px solid;
   border-radius: 0.2rem;
   border-color: #cccccc;
 }
-input:not([type=checkbox]) {
+input:not([type=checkbox]),
+select {
   font-size: 0.9rem;
   padding: 0.2rem 0.4rem;
 }
@@ -51,8 +55,17 @@ input[type=checkbox] {
   width: 1.1rem;
   -webkit-appearance: none;
 }
+input:hover,
+select:hover {
+  border-color: #009ade;
+  outline: #009ade solid 1px;
+}
+select:hover {
+  cursor: pointer;
+}
 input:focus-visible,
-input:hover {
+select:focus-within,
+select:focus-visible {
   accent-color: #006c9b;
   background-color: #f3f3f3;
 }
@@ -313,7 +326,12 @@ table.items button {
   margin-right: 0.25rem;
   padding: 0.25rem;
 }
+table.items select:not(:hover),
 table.items button:not(:hover) {
   border-color: #dddddd;
   color: #909090;
 }
+table.items select:focus-within,
+table.items select:focus-visible {
+  color: black;
+}
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index c026731..b1deef4 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,7 +1,7 @@
 class UsersController < ApplicationController
   helper_method :allow_disguise?
 
-  before_action :find_user, only: [:show, :disguise]
+  before_action :find_user, only: [:show, :update, :disguise]
   before_action except: :revert do
     raise AccessForbidden unless current_user.at_least(:admin)
   end
@@ -16,8 +16,12 @@ class UsersController < ApplicationController
   def show
   end
 
+  def update
+    @user.update!(params.require(:user).permit(:status))
+  end
+
   def disguise
-    raise ActionController::BadRequest unless allow_disguise?(@user)
+    raise ArgumentError unless allow_disguise?(@user)
     session[:revert_to_id] = current_user.id
     bypass_sign_in(@user)
     redirect_to root_url
@@ -29,8 +33,6 @@ class UsersController < ApplicationController
     redirect_to users_url
   end
 
-  # TODO: add #update to change user status
-
   # NOTE: limited actions availabe to :admin by design. Users are meant to
   # manage their accounts by themselves through registrations. In future :admin
   # may be allowed to sing-in as user and make changes there.
diff --git a/app/views/users/index.html.erb b/app/views/users/index.html.erb
index 9b3e093..1445f9d 100644
--- a/app/views/users/index.html.erb
+++ b/app/views/users/index.html.erb
@@ -12,16 +12,24 @@
     <% @users.each do |user| %>
       <tr>
         <td><%= link_to user.email, user_path(user) %></td>
-        <td><%= user.status %></td>
-        <td class="svg">
-          <%= svg_tag "pictograms/checkbox-marked-outline" if user.confirmed_at.present? %>
-        </td>
-        <td><%= user.created_at.to_fs(:db_without_sec) %></td>
-        <td class="actions">
-          <% if allow_disguise?(user) %>
-            <%= image_button_to t(".disguise"), "incognito", disguise_user_path(user) %>
+        <td>
+          <% if user == current_user %>
+            <%= user.status %>
+          <% else %>
+            <%= form_for user do |u| %>
+              <%= u.select :status, User.statuses.keys, {}, onchange: "this.form.submit();" %>
+            <% end %>
           <% end %>
         </td>
+      <td class="svg">
+        <%= svg_tag "pictograms/checkbox-marked-outline" if user.confirmed_at.present? %>
+      </td>
+      <td><%= user.created_at.to_fs(:db_without_sec) %></td>
+      <td class="actions">
+        <% if allow_disguise?(user) %>
+          <%= image_button_to t(".disguise"), "incognito", disguise_user_path(user) %>
+        <% end %>
+      </td>
       </tr>
     <% end %>
   </tbody>
diff --git a/config/application.rb.dist b/config/application.rb.dist
index e496cd7..adce1d6 100644
--- a/config/application.rb.dist
+++ b/config/application.rb.dist
@@ -32,6 +32,7 @@ module FixinMe
     # config.eager_load_paths << Rails.root.join("extras")
 
     config.action_dispatch.rescue_responses['ApplicationController::AccessForbidden'] = :forbidden
+    config.action_dispatch.rescue_responses['ArgumentError'] = :bad_request
 
     # SETUP: Below settings need to be updated on a per-installation basis.
     #
diff --git a/config/routes.rb b/config/routes.rb
index 4514ed7..db463e0 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -2,7 +2,7 @@ Rails.application.routes.draw do
   devise_for :users, path: '', path_names: {registration: 'profile'},
     controllers: {registrations: :registrations}
 
-  resources :users, only: [:index, :show] do
+  resources :users, only: [:index, :show, :update] do
     member do
       post :disguise
     end