diff --git a/src/acl/AclManager.cc b/src/acl/AclManager.cc
index fa525a922f..96f8ede4d7 100644
--- a/src/acl/AclManager.cc
+++ b/src/acl/AclManager.cc
@@ -83,22 +83,14 @@ AclManager::AclManager(
         string error_str;
 
         // Users in group USERS can create standard resources
-        // @1 VM+NET+IMAGE+TEMPLATE/* CREATE #<local-zone>
+        // @1 VM+NET+IMAGE+TEMPLATE+DOCUMENT/* CREATE #<local-zone>
         add_rule(AclRule::GROUP_ID |
                     1,
                  AclRule::ALL_ID |
                     PoolObjectSQL::VM |
                     PoolObjectSQL::NET |
                     PoolObjectSQL::IMAGE |
-                    PoolObjectSQL::TEMPLATE,
-                 AuthRequest::CREATE,
-                 AclRule::INDIVIDUAL_ID |
-                     zone_id,
-                 error_str);
-
-        // * DOCUMENT/* CREATE #<local-zone>
-        add_rule(AclRule::ALL_ID,
-                 AclRule::ALL_ID |
+                    PoolObjectSQL::TEMPLATE |
                     PoolObjectSQL::DOCUMENT,
                  AuthRequest::CREATE,
                  AclRule::INDIVIDUAL_ID |
diff --git a/src/oca/ruby/opennebula/group.rb b/src/oca/ruby/opennebula/group.rb
index cebbaa9980..84caa911ac 100644
--- a/src/oca/ruby/opennebula/group.rb
+++ b/src/oca/ruby/opennebula/group.rb
@@ -36,7 +36,7 @@ module OpenNebula
         SELF = -1
 
         # Default resource ACL's for group users (create)
-        GROUP_DEFAULT_ACLS = "VM+IMAGE+NET+TEMPLATE"
+        GROUP_DEFAULT_ACLS = "VM+IMAGE+NET+TEMPLATE+DOCUMENT"
         ALL_CLUSTERS_IN_ZONE = 10
 
         # Creates a Group description with just its identifier