diff --git a/.settings/org.eclipse.wst.common.component b/.settings/org.eclipse.wst.common.component
index 56c3566..2275b5a 100644
--- a/.settings/org.eclipse.wst.common.component
+++ b/.settings/org.eclipse.wst.common.component
@@ -4,7 +4,7 @@ - + uses
diff --git a/src/main/java/org/gcube/data/access/storagehub/services/GroupManager.java b/src/main/java/org/gcube/data/access/storagehub/services/GroupManager.java
index cbee116..04aaee4 100644
--- a/src/main/java/org/gcube/data/access/storagehub/services/GroupManager.java
+++ b/src/main/java/org/gcube/data/access/storagehub/services/GroupManager.java
@@ -34,9 +34,11 @@ import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils
 import org.gcube.common.authorization.control.annotations.AuthorizationControl;
 import org.gcube.common.authorization.library.provider.AuthorizationProvider;
 import org.gcube.common.gxrest.response.outbound.GXOutboundErrorResponse;
+import org.gcube.common.scope.api.ScopeProvider;
 import org.gcube.common.storagehub.model.acls.AccessType;
 import org.gcube.common.storagehub.model.exceptions.BackendGenericError;
 import org.gcube.common.storagehub.model.exceptions.InvalidItemException;
+import org.gcube.common.storagehub.model.exceptions.UserNotAuthorizedException;
 import org.gcube.common.storagehub.model.types.NodeProperty;
 import org.gcube.common.storagehub.model.types.PrimaryNodeType;
 import org.gcube.data.access.storagehub.Constants;
@@ -51,6 +53,8 @@ public class GroupManager {
 @Context ServletContext context;
+ private static final String VREMANAGER_ROLE = "VRE-Manager";
+
 private static final Logger log = LoggerFactory.getLogger(GroupManager.class);
 @Inject
@@ -59,7 +63,6 @@ public class GroupManager {
 @GET
 @Path("")
 @Produces(MediaType.APPLICATION_JSON)
- @AuthorizationControl(allowed={"lucio.lelii"}, exception=MyAuthException.class)
 public List getGroups(){
 JackrabbitSession session = null;
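Review bot: The `@@ -59,7 +63,6 @@` hunk removes `@AuthorizationControl` from `getGroups()` without substituting any role or user constraint, so the group listing is now reachable by any caller that gets past whatever authentication the container applies before this class, while every mutating endpoint in the same file is narrowed to `VREMANAGER_ROLE`. The same removal appears on `UserManager.getUsers()` (`@@ -55,7 +55,6 @@`), so this applies to both. If the listings are meant to be open, a comment on the method such as `// intentionally unrestricted: group names are not treated as sensitive` records that decision; otherwise `@AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)` keeps it aligned with the rest of the class. The body of getGroups continues outside the hunk.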
@@ -93,14 +96,18 @@ public class GroupManager {
 @POST
 @Path("")
 @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
- @AuthorizationControl(allowed={"lucio.lelii"}, exception=MyAuthException.class)
+ @AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)
 public String createGroup(@FormParam("group") String group, @FormParam("accessType") AccessType accessType){
+
 JackrabbitSession session = null;
 String groupId = null;
 try {
+
+ checkGroupValidity(group);
+
 session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
-
+
 org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();
 Group createdGroup = usrManager.createGroup(group);
@@ -122,11 +129,13 @@ public class GroupManager {
 @DELETE
 @Path("{group}")
- @AuthorizationControl(allowed={"lucio.lelii"}, exception=MyAuthException.class)
+ @AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)
 public String deleteGroup(@PathParam("group") String group){
 JackrabbitSession session = null;
 try {
+
+ checkGroupValidity(group);
 session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
 org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();
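Review bot: `checkGroupValidity(group)` is placed inside the `try` whose `catch` lies outside the hunk; `createGroup` declares no `throws`, so that catch must handle the `UserNotAuthorizedException` the helper throws (or the exception is unchecked), and if it is a broad `catch (Exception e)` the authorization rejection will be logged and mapped as a generic backend error rather than reaching the caller as a denial. Moving the call above `try {`, or adding `catch (UserNotAuthorizedException e) { throw e; }` ahead of the generic handler, keeps the refusal distinguishable from a repository failure. The same placement is used in `deleteGroup` (`@@ -122`), `addUserToGroup` and `removeUserFromGroup` (`@@ -154`, `@@ -190`) and `getUsersOfGroup` (`@@ -233`). The method bodies and their catch blocks continue outside these hunks, so this is inferred from the signatures rather than from the visible handler.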
@@ -154,12 +163,15 @@ public class GroupManager {
 @PUT
 @Path("{id}")
 @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
- @AuthorizationControl(allowed={"lucio.lelii"}, exception=MyAuthException.class)
+ @AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)
 public boolean addUserToGroup(@PathParam("id") String groupId, @FormParam("userId") String userId){
 JackrabbitSession session = null;
 boolean success = false;
 try {
+
+ checkGroupValidity(groupId);
+
 session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
 org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();
@@ -190,12 +202,15 @@ public class GroupManager {
 @DELETE
 @Path("{groupId}/users/{userId}")
- @AuthorizationControl(allowed={"lucio.lelii"}, exception=MyAuthException.class)
+ @AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)
 public boolean removeUserFromGroup(@PathParam("groupId") String groupId, @PathParam("userId") String userId){
 JackrabbitSession session = null;
 boolean success = false;
 try {
+
+ checkGroupValidity(groupId);
+
 session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
 org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();
@@ -233,12 +248,15 @@ public class GroupManager {
 @GET
 @Path("{groupId}/users")
 @Produces(MediaType.APPLICATION_JSON)
- @AuthorizationControl(allowed={"lucio.lelii"}, exception=MyAuthException.class)
+ @AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)
 public List getUsersOfGroup(@PathParam("groupId") String groupId){
 JackrabbitSession session = null;
 List users = new ArrayList<>();
 try {
+
+ checkGroupValidity(groupId);
+
 session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
 org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();
@@ -313,4 +331,12 @@ public class GroupManager {
 return vreFolder;
 }
+ private void checkGroupValidity(String group) throws UserNotAuthorizedException{
+ String currentContext = ScopeProvider.instance.get();
+ String expectedGroupId= currentContext.replace("/", "-").substring(1);
+ if (!group.equals(expectedGroupId))
+ throw new UserNotAuthorizedException("only VREManager can execute this operation");
+
+ }
+
 }
diff --git a/src/main/java/org/gcube/data/access/storagehub/services/ItemsManager.java b/src/main/java/org/gcube/data/access/storagehub/services/ItemsManager.java
index dce3abd..7444d7b 100644
--- a/src/main/java/org/gcube/data/access/storagehub/services/ItemsManager.java
+++ b/src/main/java/org/gcube/data/access/storagehub/services/ItemsManager.java
@@ -280,7 +280,7 @@ public class ItemsManager {
 @GET
 @Path("publiclink/{id}")
- @AuthorizationControl(allowed={"URIResolver"}, exception=MyAuthException.class)
+ @AuthorizationControl(allowedUsers={"URIResolver"}, exception=MyAuthException.class)
 public Response resolvePublicLink() {
 InnerMethodName.instance.set("resolvePubliclink");
diff --git a/src/main/java/org/gcube/data/access/storagehub/services/UserManager.java b/src/main/java/org/gcube/data/access/storagehub/services/UserManager.java
index 4b59a63..7a86c6c 100644
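Review bot: `checkGroupValidity` (`@@ -313,4 +331,12 @@`) dereferences `ScopeProvider.instance.get()` and `group` without null checks and calls `substring(1)` on the transformed context, so a request with no scope set, an empty context or a missing `group` parameter fails with a NullPointerException or StringIndexOutOfBoundsException instead of the `UserNotAuthorizedException` the signature advertises, and an authorization guard that can be made to throw something other than its denial exception is the kind of edge a caller's catch block may not handle. The rewrite below rejects those inputs explicitly and compares from the expected value's side. The message "only VREManager can execute this operation" also describes the role check done by the annotation rather than this method's real condition, which is that the target group must be the one derived from the current scope; a Javadoc line such as `/** Rejects operations on any group other than the one bound to the current scope, e.g. /root/vo/vre -> root-vo-vre. */` would make that visible. The `replace("/", "-").substring(1)` naming rule is read from this code only; confirm it is the same rule used when groups are created.
```java
private void checkGroupValidity(String group) throws UserNotAuthorizedException{
	String currentContext = ScopeProvider.instance.get();
	// no scope, a one-character scope or a missing group can never match: reject instead of throwing NPE / out-of-range
	if (group == null || currentContext == null || currentContext.length() < 2)
		throw new UserNotAuthorizedException("only VREManager can execute this operation");
	String expectedGroupId = currentContext.replace("/", "-").substring(1);
	if (!expectedGroupId.equals(group))
		throw new UserNotAuthorizedException("only VREManager can execute this operation");
}
```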
--- a/src/main/java/org/gcube/data/access/storagehub/services/UserManager.java
+++ b/src/main/java/org/gcube/data/access/storagehub/services/UserManager.java
@@ -43,7 +43,7 @@ import org.slf4j.LoggerFactory;
 public class UserManager {
 @Context ServletContext context;
-
+
 private static final Logger log = LoggerFactory.getLogger(UserManager.class);
 @Inject
@@ -55,7 +55,6 @@ public class UserManager {
 @GET
 @Path("")
 @Produces(MediaType.APPLICATION_JSON)
- @AuthorizationControl(allowed={"lucio.lelii"}, exception=MyAuthException.class)
 public List getUsers(){
 JackrabbitSession session = null;
@@ -89,7 +88,7 @@ public class UserManager {
 @POST
 @Path("")
 @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
- @AuthorizationControl(allowed={"lucio.lelii"}, exception=MyAuthException.class)
+ @AuthorizationControl(allowedUsers={"lucio.lelii"}, exception=MyAuthException.class)
 public String createUser(@FormParam("user") String user, @FormParam("password") String password){
 JackrabbitSession session = null;
@@ -127,7 +126,7 @@ public class UserManager {
 @DELETE
 @Path("{id}")
- @AuthorizationControl(allowed={"lucio.lelii"}, exception=MyAuthException.class)
+ @AuthorizationControl(allowedUsers={"lucio.lelii"}, exception=MyAuthException.class)
 public String deleteUser(@PathParam("id") String id){
 JackrabbitSession session = null;
diff --git a/src/main/webapp/WEB-INF/gcube-app.xml b/src/main/webapp/WEB-INF/gcube-app.xml
index e69de29..4f0d8e1 100644
--- a/src/main/webapp/WEB-INF/gcube-app.xml
+++ b/src/main/webapp/WEB-INF/gcube-app.xml
@@ -0,0 +1,7 @@
+ + StorageHub + DataAccess + 1.0.0-SNAPSHOT + Storage Hub webapp + + \ No newline at end of file
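Review bot: The renamed annotation on `createUser` (`@@ -89,7 +88,7 @@`) and `deleteUser` (`@@ -127,7 +126,7 @@`) still pins user administration to the single personal account `"lucio.lelii"`, whereas the same commit moves GroupManager to `allowedRoles={VREMANAGER_ROLE}`; a hard-coded username is brittle when that account is renamed or removed and is now inconsistent with the role model introduced for the sibling class. If a user-level allow-list is the intended interim state, hoisting it into `private static final String ADMIN_USER = "lucio.lelii";` and writing `allowedUsers={ADMIN_USER}` at least names it as an administrative identity in one place. Whether a suitable role exists for user administration is not visible from the diff. The method bodies continue outside these hunks.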