diff --git a/app/config/staging.default.py b/app/config/staging.default.py
index 36a1f6d2a31e39802a80061dfaf5bd78c5c82100..21bdbcb514f9ab03f87664ec1598c475032c2c4f 100644
--- a/app/config/staging.default.py
+++ b/app/config/staging.default.py
@@ -17,7 +17,7 @@ SERVICE_CONFIG = {
 'app_secret': 'x-blocpower-app-secret'},
 'urls': {
 'app': 'http://staging.app.s.blocpower.us',
- 'user': 'http://staging.user.s.blocpower.us.'
+ 'user': 'http://staging.user.s.blocpower.us'
 }
 }
diff --git a/app/models/base.py b/app/models/base.py
index c4470e2a51777600a1fd8b3593d8f47910fb40fd..bb0f150b22a70973e0557c3a60a3c210d1536613 100644
--- a/app/models/base.py
+++ b/app/models/base.py
@@ -64,6 +64,10 @@ class User:
 user_modified = db.Column(db.String(64))
+class UserGroup:
+ user_group = db.Column(db.String(36))
+
+
 class Tracked(object):
 """A mixin to include tracking datetime fields."""
 created = db.Column(columns.Arrow, default=func.now())
diff --git a/app/permissions/authorization.py b/app/permissions/authorization.py
index fcb5a1c706731ad4d587a2912edc202a141c0e43..cc939082c2d429a72600d304f86e033ab4d62a55 100644
--- a/app/permissions/authorization.py
+++ b/app/permissions/authorization.py
@@ -4,7 +4,7 @@ from flask import current_app, g, request
 from werkzeug.exceptions import Unauthorized
 from ..lib.service import services
-CRUD_TO_REST = {
+REST_TO_CRUD = {
 'POST': 'create',
 'GET': 'read',
 'PUT': 'update', # TODO: if no id 'create'
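Review bot: The corrected `user` URL on the `+` line is still plain `http://`, and the `secured()` decorator in this same patch forwards the caller's Auth0 header to that host, so the bearer token crosses the staging network in cleartext unless TLS is terminated somewhere not visible here. If nothing in front of the service handles that, change the entry to `'user': 'https://staging.user.s.blocpower.us'` (and the `app` entry with it); if a mesh or sidecar does terminate TLS, a one-line comment above the `urls` block saying so would stop the next reviewer from raising it again.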
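Review bot: `UserGroup` has no docstring while its neighbour `Tracked` does, and `db.String(36)` with no `ForeignKey`, `index` or `nullable` setting leaves a reader guessing whether `user_group` is a free-form label or a reference into a group table (36 characters looks like a text UUID, but that is only a guess from the width). Add `"""Mixin adding a ``user_group`` column (36-char identifier)."""`, worded to match what the value actually is, and if it does reference another table, declare `db.ForeignKey(...)` so the relationship is enforced by the database rather than only by application code. The enclosing module continues outside the hunk.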
@@ -19,26 +19,27 @@ def secured(f):
 if g.sub is not None:
 current_app.logger.info('{} accessing {}'.format(g.sub, request.endpoint))
- action = CRUD_TO_REST[request.method]
+ action = REST_TO_CRUD[request.method]
 resource = request.endpoint.split(':').pop(0)
 if resource.endswith('View'):
 resource = resource[:-4]
 from flask import session
 auth0_header = current_app.config.get('AUTH0_AUTH_HEADER')
- headers = {}
- headers[auth0_header] = request.headers.get(auth0_header)
- params = {'permissions': 'true'}
+ headers = {auth0_header: request.headers.get(auth0_header)}
+ params = {'expand': ''}
- response = services.user.get('/user/{}'.format(g.sub), params=params, headers=headers)
+ response = services.user.get('/user/{}'.format(g.sub), headers=headers, params=params)
 if not response.status_code == 200:
 raise Unauthorized
 data = response.json()
- permissions = data['data'][g.sub]['permissions']
+ g.user_permissions = data['data'][g.sub]['permissions']
+ g.user_groups = data['data'][g.sub]['groups']
+
 action_resource = '{action}::{resource}'.format(action=action, resource=resource)
- if action_resource not in permissions:
+ if action_resource not in g.user_permissions:
 raise Unauthorized
 else:
diff --git a/requirements.txt b/requirements.txt
index c8240636794e0261b64b8db173eebcb6d4d24cb7..7f1e1df547049b722a635b9af764ebe097680c24 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,7 +1,7 @@
 arrow==0.7.0
 blessed==1.9.5
 botocore==1.5.48
-git+ssh://git@github.com/Blocp/bpvalve.git@v1.2.0
+git+ssh://git@github.com/Blocp/bpvalve.git@v1.3.0
 cement==2.4.0
 colorama==0.3.3
 docker-py==1.1.0
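Review bot: The added `g.user_groups = data['data'][g.sub]['groups']` makes the authorization path depend on a `groups` key whose presence nothing in this patch establishes — the same hunk also swaps the query from `permissions=true` to `expand=''`, so the response shape has changed at the same time — and a missing key (or a non-dict body) raises `KeyError`/`TypeError` out of the decorator as a 500 rather than a clean denial. Because the decision on the following lines uses only `permissions`, read that defensively and treat a malformed body as unauthorized, and default `groups` to an empty list since it is stored but not consulted here. `secured()` begins and ends outside the hunk. As a pre-existing aside, the `raise Unauthorized` after the permission check returns 401 for a subject who has already authenticated; `werkzeug.exceptions.Forbidden` would be the conventional status if the import is added.
```python
            data = response.json()
            try:
                user = data['data'][g.sub]
                g.user_permissions = user['permissions']
            except (KeyError, TypeError):
                # Unexpected body from the user service: deny instead of surfacing a 500.
                raise Unauthorized
            # Groups are carried for downstream use only; the check below uses permissions.
            g.user_groups = user.get('groups', [])
            # … unchanged: action_resource check …
```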