diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
index 2bc7266e0d1..61dca75765d 100644
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@@ -39,6 +39,9 @@ func New(encryptionKey, passwordHash string, logger logging.Logger) (*Authentica
 [request_definition]
 r = sub, obj, act
 
+[role_definition]
+g = _, _
+
 [policy_definition]
 p = sub, obj, act
 
@@ -46,7 +49,7 @@ func New(encryptionKey, passwordHash string, logger logging.Logger) (*Authentica
 e = some(where (p.eft == allow))
 
 [matchers]
-m = r.sub == p.sub && (keyMatch(r.obj, p.obj) || keyMatch(r.obj, '/v1'+p.obj)) && regexMatch(r.act, p.act)`)
+m = (g(r.sub, p.sub) || r.sub == p.sub) && (keyMatch(r.obj, p.obj) || keyMatch(r.obj, '/v1'+p.obj)) && regexMatch(r.act, p.act)`)
 
 	if err != nil {
 		return nil, err
@@ -289,5 +292,16 @@ func applyPolicies(e *casbin.Enforcer) error {
 		{"consumer", "/stewardship/*", "PUT"},
 	})
 
+	if err != nil {
+		return err
+	}
+
+	// consumer > creator > accountant > maintainer
+	_, err = e.AddGroupingPolicies([][]string{
+		{"creator", "consumer"},
+		{"accountant", "creator"},
+		{"maintainer", "accountant"},
+	})
+
 	return err
 }
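Review bot: The new matcher's `|| r.sub == p.sub` clause is redundant when casbin's default role manager is used, because `g(r.sub, p.sub)` already reports a link from a name to itself; it is harmless, but a short Go comment above the model string should say so, e.g. `// g(r.sub, p.sub) also covers r.sub == p.sub; the explicit equality is kept for readability, not correctness.`, so nobody later "simplifies" the expression by dropping the `g(...)` half instead. Since the policy effect remains `some(where (p.eft == allow))` with no deny rules, role inheritance can only widen access, which is worth stating in that same comment. The enclosing `New` function starts and ends outside this hunk, so the values `r.sub` is fed from are not visible here.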
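Review bot: The comment `// consumer > creator > accountant > maintainer` above `AddGroupingPolicies` does not say which way permissions flow, and in a casbin `g` pair the first element inherits from the second, so with these three pairs `maintainer` ends up with every permission granted to `accountant`, `creator` and `consumer` (including, from the visible context, `PUT /stewardship/*`); a reversed pair would silently hand the widest permission set to the least-privileged role. Replace the comment with something explicit such as `// Role inheritance, as (child, parent) pairs: each role inherits all permissions of the one after it, so maintainer ⊇ accountant ⊇ creator ⊇ consumer.` and pin the direction with a test that asserts `e.Enforce("maintainer", "/stewardship/x", "PUT")` is allowed while `consumer` is denied a resource only granted further up the chain. The discarded bool from `AddGroupingPolicies` (and from `AddPolicies` just above) reports whether the rules were actually installed; in the casbin versions I am aware of a `false` with a nil error can mean nothing was added, so if this enforcer is ever backed by a persistent adapter that result is worth checking rather than ignoring. `applyPolicies` starts outside the hunk, so the earlier `AddPolicies` call whose error is now checked is only partly visible.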