diff --git a/roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2 b/roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2
index 1b320dc..897b8a5 100644
--- a/roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2
+++ b/roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2
@@ -9,26 +9,29 @@ entries:
 "redirect_uri": "https://grafana."~ domain ~"/login/generic_oauth",
 "icon": "https://grafana."~ domain ~"/public/img/grafana_icon.svg",
 "client_secret": auth_grafana_client_secret,
- "group": "Services",
+ "ui_group": "Services",
+ "allowed_for_groups": ["admins"],
 },
 "Gitea": {
 "redirect_uri": "https://gitea."~ domain ~"/user/oauth2/Authentik/callback",
 "icon": "https://gitea."~ domain ~"/assets/img/logo.svg",
 "client_secret": auth_gitea_client_secret,
- "group": "Apps",
+ "ui_group": "Apps",
+ "allowed_for_groups": ["admins", "users"],
 },
 "Nextcloud": {
 "redirect_uri": "https://nc."~ domain ~"/apps/sociallogin/custom_oidc/authentik",
 "icon": "https://nc."~ domain ~"/apps/theming/favicon",
 "client_secret": auth_nextcloud_client_secret,
- "group": "Apps",
+ "ui_group": "Apps",
+ "allowed_for_groups": ["admins", "users"],
 },
 } -%}
 {% for app in apps.keys() -%}
 - identifiers:
 name: {{ app }}
 model: authentik_providers_oauth2.oauth2provider
- id: {{ app | lower }}
+ id: {{ app }}
 attrs:
 authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
 invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
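Review bot: `allowed_for_groups` is now the per-application access control, but nothing in the `apps` dict says what an empty list means; with the binding loop in the second hunk, `"allowed_for_groups": []` emits no policy binding at all, and in authentik an application with no bindings is reachable by every authenticated user, which is the opposite of what an empty allow-list suggests. A Jinja comment on the dict, e.g. `{# allowed_for_groups: authentik group names that get a policy binding on the application; an empty list leaves the app open to all authenticated users #}`, would make that explicit to whoever adds the next app. The `apps` dict itself starts before this hunk, so the comment would sit above the first entry rather than inside the shown lines.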
@@ -46,13 +49,23 @@ entries:
 - identifiers:
 slug: {{ app | lower }}
 model: authentik_core.application
+ id: app-{{ app }}
 attrs:
 name: {{ app }}
- group: "{{ apps[app]["group"] }}"
+ group: "{{ apps[app]["ui_group"] }}"
 meta_description: "Hello, I'm {{ app }}!"
 meta_publisher: Alpina
 icon: "{{ apps[app]["icon"] }}"
 open_in_new_tab: true
- provider: !KeyOf {{ app | lower }}
+ provider: !KeyOf {{ app }}
+
+ {% for group in apps[app]["allowed_for_groups"] -%}
+ - identifiers:
+ group: !Find [authentik_core.group, [name, {{ group }}]]
+ target: !KeyOf app-{{ app }}
+ model: authentik_policies.policybinding
+ attrs:
+ order: 10
+ {% endfor %}
 {% endfor %}
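Review bot: The policy-binding loop grants but never revokes: each `(group, target)` pair becomes its own blueprint entry, so dropping a group from `allowed_for_groups` later leaves its already-created binding in place (blueprints only reconcile the entries they still contain, as far as I can tell), and that group keeps access until the binding is removed by hand or through an entry with `state: absent`. That deserves a comment above the `{% for group ... %}` line, e.g. `{# NOTE: removing a group from allowed_for_groups does not delete its binding in authentik; revoke it explicitly #}`. The group name is also interpolated unquoted into the flow sequence, `[name, {{ group }}]`; the two names used here are harmless, but a name containing a space, comma or colon would break the YAML, so `[name, "{{ group }}"]` is the safer form. If `!Find` does not resolve a group, the binding is emitted with no group, user or policy; I would expect authentik to reject that at apply time rather than create a subject-less binding, but that is worth confirming before relying on it.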