diff --git a/src/acl/AclManager.cc b/src/acl/AclManager.cc index c6edc990ea..b04c57724e 100644 --- a/src/acl/AclManager.cc +++ b/src/acl/AclManager.cc @@ -83,7 +83,7 @@ AclManager::AclManager( string error_str; // Users in group USERS can create standard resources - // @1 VM+IMAGE+TEMPLATE+DOCUMENT/* CREATE * + // @1 VM+IMAGE+TEMPLATE+DOCUMENT+SECGROUP+VMGROUP/* CREATE * add_rule(AclRule::GROUP_ID | 1, AclRule::ALL_ID | @@ -91,7 +91,8 @@ AclManager::AclManager( PoolObjectSQL::IMAGE | PoolObjectSQL::TEMPLATE | PoolObjectSQL::DOCUMENT | - PoolObjectSQL::SECGROUP, + PoolObjectSQL::SECGROUP | + PoolObjectSQL::VMGROUP, AuthRequest::CREATE, AclRule::ALL_ID, error_str); diff --git a/src/acl/AclRule.cc b/src/acl/AclRule.cc index 9a8dbb72b5..646261ab87 100644 --- a/src/acl/AclRule.cc +++ b/src/acl/AclRule.cc @@ -28,7 +28,7 @@ const long long AclRule::CLUSTER_ID = 0x0000000800000000LL; const long long AclRule::NONE_ID = 0x1000000000000000LL; -const int AclRule::num_pool_objects = 16; +const int AclRule::num_pool_objects = 17; const PoolObjectSQL::ObjectType AclRule::pool_objects[] = { PoolObjectSQL::VM, PoolObjectSQL::HOST, @@ -45,7 +45,8 @@ const PoolObjectSQL::ObjectType AclRule::pool_objects[] = { PoolObjectSQL::VDC, PoolObjectSQL::VROUTER, PoolObjectSQL::MARKETPLACE, - PoolObjectSQL::MARKETPLACEAPP + PoolObjectSQL::MARKETPLACEAPP, + PoolObjectSQL::VMGROUP }; const int AclRule::num_auth_operations = 4; @@ -61,7 +62,8 @@ const long long AclRule::INVALID_CLUSTER_OBJECTS = PoolObjectSQL::TEMPLATE | PoolObjectSQL::GROUP | PoolObjectSQL::ACL | PoolObjectSQL::CLUSTER | PoolObjectSQL::DOCUMENT | PoolObjectSQL::ZONE | PoolObjectSQL::SECGROUP | PoolObjectSQL::VDC | PoolObjectSQL::VROUTER | - PoolObjectSQL::MARKETPLACE | PoolObjectSQL::MARKETPLACEAPP; + PoolObjectSQL::MARKETPLACE | PoolObjectSQL::MARKETPLACEAPP | + PoolObjectSQL::VMGROUP; const long long AclRule::INVALID_GROUP_OBJECTS = PoolObjectSQL::HOST | PoolObjectSQL::GROUP | PoolObjectSQL::CLUSTER | 
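Review bot: The second AclManager.cc hunk widens the default rule for group 1 to grant CREATE on VMGROUP, and nothing visible says whether upgraded installations receive it. The `add_rule` call sits in the AclManager constructor, whose body starts and ends outside the hunk, so what guards the call is not in view. If it only runs when the ACL table is first populated, existing deployments keep the old rule and their users cannot create VM groups until an administrator edits it. Either way a widened default grant deserves a line above the call, for example `// VMGROUP is user-creatable by default, like SECGROUP; add a narrower rule if tenants must not define VM groups`.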
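Review bot: `num_pool_objects` is bumped to 17 by hand in the first AclRule.cc hunk while the entry itself is appended to `pool_objects[]` in the next one, so the count and the array can drift apart when the next type is added. Code that walks `pool_objects` up to `num_pool_objects` (not visible here) would then either read past the array or never consider the last type when rendering or validating a rule. Defining the array first and deriving the count, `const int AclRule::num_pool_objects = sizeof(AclRule::pool_objects) / sizeof(AclRule::pool_objects[0]);`, removes the second place to edit, provided the header does not need the value as a constant expression.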
@@ -237,7 +239,7 @@ bool AclRule::malformed(string& error_str) const oss << "[resource] type is missing"; } - if ( (resource & 0xFFE0000000000000LL) != 0 ) + if ( (resource & 0xFFC0000000000000LL) != 0 ) { if ( error ) { diff --git a/src/cli/etc/oneacl.yaml b/src/cli/etc/oneacl.yaml index f08817d68b..035116f78f 100644 --- a/src/cli/etc/oneacl.yaml +++ b/src/cli/etc/oneacl.yaml @@ -9,9 +9,9 @@ :size: 8 :right: true -:RES_VHNIUTGDCOZSvRMA: +:RES_VHNIUTGDCOZSvRMAP: :desc: Which resource the rule applies to - :size: 20 + :size: 21 :RID: :desc: Resource ID @@ -31,7 +31,7 @@ :default: - :ID - :USER -- :RES_VHNIUTGDCOZSvRMA +- :RES_VHNIUTGDCOZSvRMAP - :RID - :OPE_UMAC - :ZONE diff --git a/src/cli/one_helper/oneacl_helper.rb b/src/cli/one_helper/oneacl_helper.rb index bad52a9e4f..8c1ed2dfb0 100644 --- a/src/cli/one_helper/oneacl_helper.rb +++ b/src/cli/one_helper/oneacl_helper.rb @@ -44,7 +44,7 @@ private def self.resource_mask(str) resource_type=str.split("/")[0] - mask = "----------------" + mask = "-----------------" resource_type.split("+").each{|type| case type @@ -80,6 +80,8 @@ private mask[14] = "M" when "MARKETPLACEAPP" mask[15] = "A" + when "VMGROUP" + mask[16] = "P" end } mask @@ -119,8 +121,8 @@ private d['STRING'].split(" ")[0] end - column :RES_VHNIUTGDCOZSvRMA, "Resource to which the rule applies", - :size => 20 do |d| + column :RES_VHNIUTGDCOZSvRMAP, "Resource to which the rule applies", + :size => 21 do |d| OneAclHelper::resource_mask d['STRING'].split(" ")[1] end @@ -137,7 +139,7 @@ private OneAclHelper::right_mask d['STRING'].split(" ")[2] end - default :ID, :USER, :RES_VHNIUTGDCOZSvRMA, :RID, :OPE_UMAC, :ZONE + default :ID, :USER, :RES_VHNIUTGDCOZSvRMAP, :RID, :OPE_UMAC, :ZONE end table diff --git a/src/oca/ruby/opennebula/acl.rb b/src/oca/ruby/opennebula/acl.rb index 57e07fe1e0..9d54b12f88 100644 --- a/src/oca/ruby/opennebula/acl.rb +++ b/src/oca/ruby/opennebula/acl.rb 
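Review bot: The literal in `(resource & 0xFFC0000000000000LL) != 0` is what rejects a rule carrying undefined resource-type bits, and it is an unexplained magic number that has to change with every new object type. The new value clears bit 53, which matches the 0x20000000000000 this commit assigns to VMGROUP in the Ruby bindings, but the PoolObjectSQL enum is not in view, so that is worth confirming. A comment above the test such as `// bits 54-63 are unassigned: the highest object type is VMGROUP`, or a named constant kept next to `pool_objects`, would make the next extension harder to get wrong. `malformed()` starts and ends outside the hunk.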
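Review bot: In oneacl_helper.rb the `case` in `resource_mask` closes right after the new `when "VMGROUP"` branch with no `else`, so a resource type the helper does not know is dropped silently and the rule is listed without it. That is how a client without this patch would display a VMGROUP rule, and an ACL listing that under-reports what a rule grants is a poor basis for an audit. An `else` branch that reports the type, e.g. `else STDERR.puts "unknown resource type in ACL: #{type}"`, would surface the gap. The mask width in the earlier hunk (`"-----------------"`) and the `mask[16]` index are also hand-synced with the column name and could all come from one ordered list; the middle of the `case` lies outside the visible hunks.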
@@ -36,6 +36,7 @@ module OpenNebula # VROUTER # MARKETPLACE # MARKETPLACEAPP + # VMGROUP # RIGHTS -> + separated list # USE # MANAGE @@ -67,7 +68,8 @@ module OpenNebula "VDC" => 0x2000000000000, "VROUTER" => 0x4000000000000, "MARKETPLACE" => 0x8000000000000, - "MARKETPLACEAPP"=> 0x10000000000000 + "MARKETPLACEAPP"=> 0x10000000000000, + "VMGROUP" => 0x20000000000000 } RIGHTS =
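Review bot: `"VMGROUP" => 0x20000000000000` in the RESOURCES table duplicates a value that must equal the core's PoolObjectSQL::VMGROUP, and that enum is not part of the visible diff. If the two ever differ, a rule written with this client is parsed into a different resource bit than the one the administrator named, so the grant lands on the wrong object type or is rejected by the core. A comment on the table, `# values mirror PoolObjectSQL::ObjectType in the core; keep in sync with AclRule::pool_objects`, plus a test that compares the two, would pin it.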