diff --git a/uffd/default_config.cfg b/uffd/default_config.cfg
index d616cc5fe22da5b23e1bf8fac9eef9695ee792c1..f6fd34521cc2e7e041e1a7aacd2dfbe88bb30c24 100644
--- a/uffd/default_config.cfg
+++ b/uffd/default_config.cfg
@@ -9,3 +9,6 @@ LDAP_USER_MIN_UID=10000
 LDAP_USER_MAX_UID=18999
 SESSION_LIFETIME_SECONDS=3600
 ACL_LDAP_GROUP_USEREDIT="admins"
+
+ACL_ADMIN_GROUP="admin"
+ACL_SELFSERVICE_GROUP="user"
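Review bot: The new `ACL_ADMIN_GROUP="admin"` sits directly below the existing `ACL_LDAP_GROUP_USEREDIT="admins"`, and the two defaults name different groups. The view code in this commit reads only `ACL_ADMIN_GROUP`, and the commented-out decorator that referenced the old key is removed, so the old key appears to be unused now. An operator who has overridden it could still assume it restricts user editing. Either drop `ACL_LDAP_GROUP_USEREDIT` or add a comment above the new keys such as `# ACL_ADMIN_GROUP gates the user and group management views; ACL_LDAP_GROUP_USEREDIT is no longer read`. Deployments should also confirm that the default names match real directory groups, since a mismatch denies every administrator.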
diff --git a/uffd/selfservice/views.py b/uffd/selfservice/views.py
index 21b01a20aaddb5b24aeacaa029d80972e7211a43..5d18eb6d0e1dee718be61474a26e2fa2517dad8a 100644
--- a/uffd/selfservice/views.py
+++ b/uffd/selfservice/views.py
@@ -13,6 +13,12 @@ bp = Blueprint("selfservice", __name__, template_folder='templates', url_prefix=
 @login_required()
 def self_acl():
 	pass
+	#if not self_acl_check():
+	#	flash('Access denied')
+	#	return redirect(url_for('index'))
+
+def self_acl_check():
+	return is_valid_session() and get_current_user().is_in_group(current_app.config['ACL_SELFSERVICE_GROUP'])
 
 @bp.route("/")
 @register_navbar('Selfservice', icon='portrait', blueprint=bp, visible=is_valid_session)
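Review bot: `self_acl` still ends in `pass` with the group check commented out, so `ACL_SELFSERVICE_GROUP` and `self_acl_check()` are defined but nothing enforces them. Any logged-in user reaches the selfservice blueprint regardless of group membership. If that is intentional for now, replace the dead lines with an explicit marker such as `# TODO: ACL_SELFSERVICE_GROUP is not enforced yet`; otherwise enable the check the way `user_acl` does. The hunk does not show this file's imports, so confirm that `get_current_user` and `current_app` are imported here, or the first call to `self_acl_check()` raises NameError. The navbar entry on the last line keeps `visible=is_valid_session`, and its view function lies outside the hunk.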
diff --git a/uffd/user/templates/user_list.html b/uffd/user/templates/user_list.html
index 6635b97a88292e4cb9940e2c885fda8fcb30f581..e897ebb0c5c52435dd88d39a626803b0da955c76 100644
--- a/uffd/user/templates/user_list.html
+++ b/uffd/user/templates/user_list.html
@@ -10,9 +10,11 @@
 					<th scope="col">login name</th>
 					<th scope="col">display name</th>
 					<th scope="col">
-						<a type="button" class="btn btn-primary" href="{{ url_for(".user_show") }}">
-							<i class="fa fa-plus" aria-hidden="true"></i> New
-						</a>
+						<p class="text-right">
+							<a type="button" class="btn btn-primary" href="{{ url_for(".user_show") }}">
+								<i class="fa fa-plus" aria-hidden="true"></i> New
+							</a>
+						</p>
 					</th>
 				</tr>
 			</thead>
@@ -31,12 +33,14 @@
 						{{ user.displayname }}
 					</td>
 					<td>
-						<a href="{{ url_for(".user_show", uid=user.uid) }}" class="btn btn-primary">
-							<i class="fa fa-edit" aria-hidden="true"></i> Edit
-						</a>
-						<a href="{{ url_for(".user_delete", uid=user.uid) }}" class="btn btn-danger">
-							<i class="fa fa-trash" aria-hidden="true"></i> Delete
-						</a>
+						<p class="text-right">
+							<a href="{{ url_for(".user_show", uid=user.uid) }}" class="btn btn-primary">
+								<i class="fa fa-edit" aria-hidden="true"></i> Edit
+							</a>
+							<a href="{{ url_for(".user_delete", uid=user.uid) }}" class="btn btn-danger">
+								<i class="fa fa-trash" aria-hidden="true"></i> Delete
+							</a>
+						</p>
 					</td>
 				</tr>
 				{% endfor %}
diff --git a/uffd/user/views.py b/uffd/user/views.py
index c24ab9facaab06a45e7a079ac6bd13bc363d3d77..03be06e58582267a6368126064001c32ef4cbc08 100644
--- a/uffd/user/views.py
+++ b/uffd/user/views.py
@@ -3,19 +3,23 @@ from flask import Blueprint, render_template, request, url_for, redirect, flash,
 from uffd.navbar import register_navbar
 from uffd.csrf import csrf_protect
 from uffd.ldap import get_conn, escape_filter_chars
-from uffd.session import login_required, is_valid_session
+from uffd.session import login_required, is_valid_session, get_current_user
 
 from .models import User, Group
 
 bp_user = Blueprint("user", __name__, template_folder='templates', url_prefix='/user/')
 @bp_user.before_request
-#@login_required(group=current_app.config('ACL_LDAP_GROUP_USEREDIT'))
 @login_required()
 def user_acl():
-	pass
+	if not user_acl_check():
+		flash('Access denied')
+		return redirect(url_for('index'))
+
+def user_acl_check():
+	return is_valid_session() and get_current_user().is_in_group(current_app.config['ACL_ADMIN_GROUP'])
 
 @bp_user.route("/")
-@register_navbar('Users', icon='users', blueprint=bp_user, visible=is_valid_session)
+@register_navbar('Users', icon='users', blueprint=bp_user, visible=user_acl_check)
 def user_list():
 	conn = get_conn()
 	conn.search(current_app.config["LDAP_BASE_USER"], '(objectclass=person)')
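Review bot: A denied request in `user_acl` is answered only with a flash message and a redirect, so failed attempts to reach the user-management views leave no server-side trace and the client sees a 302 instead of a 403. Logging before the redirect, for example `current_app.logger.warning('user ACL denied: %s', request.path)`, gives operators something to alert on. The same applies to `group_acl` in the next hunk. `user_acl_check` should also get a docstring saying that it returns True only for a valid session whose user is in `ACL_ADMIN_GROUP`, and that it doubles as the navbar visibility callback.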
@@ -81,10 +85,12 @@ bp_group = Blueprint("group", __name__, template_folder='templates', url_prefix=
 @bp_group.before_request
 @login_required()
 def group_acl():
-	pass
+	if not user_acl_check():
+		flash('Access denied')
+		return redirect(url_for('index'))
 
 @bp_group.route("/")
-@register_navbar('Groups', icon='layer-group', blueprint=bp_group, visible=is_valid_session)
+@register_navbar('Groups', icon='layer-group', blueprint=bp_group, visible=user_acl_check)
 def group_list():
 	conn = get_conn()
 	conn.search(current_app.config["LDAP_BASE_GROUPS"], '(objectclass=groupOfUniqueNames)')
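Review bot: `group_acl` repeats the three-line deny block from `user_acl` and calls a helper named `user_acl_check`, which hides the fact that group management is gated by the same `ACL_ADMIN_GROUP`. Renaming the helper (for example `admin_acl_check`) and having both `before_request` hooks call one shared function that does the flash and redirect would keep the two blueprints from drifting apart when the policy changes. `group_list` continues past the end of the hunk.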