diff --git a/apiserver/main.py b/apiserver/main.py
index 5cba6e03e92656b04198c171588483d36936acbf..6a9f227b1244fb521f6039fc5ff65005be0ec6be 100644
--- a/apiserver/main.py
+++ b/apiserver/main.py
@@ -128,9 +128,18 @@ async def keycloak_token(request: Request):
     # store it in the session cookie, return it via a redirect to the user frontend
     username = user['preferred_username']
     email = user['email']
+    groups = user['groups']
+
     if userdb.get(username) is None:
-        # add user to db
-        userdb.add_external_auth_user(username, email)
+        # check if user should be added, and with or without secrets
+        access_group = "datacat_write"
+        secrets_group = "datacat_secrets"
+        if access_group not in groups:
+            raise HTTPException(403, "User is not authorized for write access to the datacatalogue.")
+        if secrets_group not in groups:
+            userdb.add_external_auth_user(username, email)
+        else:
+            userdb.add_external_auth_user(username, email, True)
     datacat_user = userdb.get(username)
 
     access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRES_MINUTES)
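Review bot: The group checks on L17–L22 run only inside the `if userdb.get(username) is None` branch, so a user who was admitted once keeps write access (and the `has_secrets_access` value stored at that time) even after being removed from `datacat_write` or `datacat_secrets` in Keycloak; the IdP group membership is effectively consulted once, at account creation, and never again. Moving the `access_group` check ahead of the branch makes every login re-evaluate it, and the 403 then also covers existing users. `groups = user['groups']` on L9 raises `KeyError` (a 500) when the token carries no `groups` claim — e.g. a client without the group-membership mapper — so `user.get('groups', [])` turns that into the same 403. Whether Keycloak delivers bare names or full paths such as `/datacat_write` depends on the mapper's "full group path" setting, which is not visible here; worth confirming against a real token. The `userdb` interface shown offers no update call, so re-syncing `has_secrets_access` for existing users is left as a follow-up; the rest of `keycloak_token` lies outside this hunk.
```python
    groups = user.get('groups', [])  # claim is absent when no group mapper is configured; treat as no groups
    access_group = "datacat_write"
    secrets_group = "datacat_secrets"
    # evaluate IdP group membership on every login, not only on first sight,
    # so that removal from a group in Keycloak also revokes access here
    if access_group not in groups:
        raise HTTPException(403, "User is not authorized for write access to the datacatalogue.")
    has_secrets = secrets_group in groups
    if userdb.get(username) is None:
        userdb.add_external_auth_user(username, email, has_secrets)
    # NOTE: has_secrets_access of an existing user is not re-synced here (no update call on userdb)
    datacat_user = userdb.get(username)
    # … unchanged: token creation …
```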
@@ -142,7 +151,7 @@ async def keycloak_token(request: Request):
     # set token in cookie, this can then be extractet via the frontend javascript
     response = RedirectResponse("/login.html?external_auth=True")
     response.set_cookie(
-        key="datacat_auth_token", value=access_token, secure=True, expires=datetime.utcnow()+timedelta(minutes=5) # TODO get domain from settings
+        key="datacat_auth_token", value=access_token, secure=True, expires=datetime.utcnow()+timedelta(minutes=5)
     ) 
 
     return response
diff --git a/apiserver/security/user.py b/apiserver/security/user.py
index 6e95462403a2aab8e8f90dbaa9c40fc5560e17b7..2ed2ce0cac53413343bcd7864188c48eedd766c5 100644
--- a/apiserver/security/user.py
+++ b/apiserver/security/user.py
@@ -116,8 +116,8 @@ class JsonDBInterface(AbstractDBInterface):
         self.__save_all(data)
         log.debug("Deleted user %s from userdb.", username)
 
-    def add_external_auth_user(cls, username: str, email: str):
-        cls.add(UserInDB(username=username, email=email))
+    def add_external_auth_user(cls, username: str, email: str, secrets: bool = False):
+        cls.add(UserInDB(username=username, email=email, has_secrets_access=secrets))
 
 
 pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
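Review bot: The new `secrets` flag on L45 is a positional boolean, and the caller in main.py passes a bare `True`, which reads as an unexplained magic value at the call site; making it keyword-only, `def add_external_auth_user(cls, username: str, email: str, *, secrets: bool = False):`, and calling it as `userdb.add_external_auth_user(username, email, secrets=True)` makes the privilege grant explicit wherever it is used. The first parameter is named `cls` although there is no `@classmethod` decorator and the method is invoked on an instance (`userdb.add_external_auth_user(...)`), so `self` would be the conventional name — pre-existing, but this line is being rewritten anyway. A one-line docstring such as `"""Create a userdb entry for an externally authenticated user; `secrets` grants has_secrets_access."""` would also document that this method is the only place the flag is set. The enclosing `JsonDBInterface` class starts outside this hunk.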