diff --git a/web/config.go b/web/config.go
index 81390732..3aa53f25 100644
--- a/web/config.go
+++ b/web/config.go
@@ -30,8 +30,8 @@ type Configuration struct {
 	ServerType      string   `json:"server_type"`       // DBS server type to start: DBSReader, DBSWriter, DBSMigrate, DBSMigration
 	Etag            string   `json:"etag"`              // etag value to use for ETag generation
 	CacheControl    string   `json:"cache_control"`     // Cache-Control value, e.g. max-age=300
-	CMSRole         string   `json:"cms_role"`          // cms role for write access
-	CMSGroup        string   `json:"cms_group"`         // cms group for write access
+	CMSRole         []string   `json:"cms_role"`          // cms role for write access
+	CMSGroup        []string   `json:"cms_group"`         // cms group for write access
 
 	// Migration server settings
 	MigrationDBFile          string `json:"migration_dbfile"`           // dbfile with secrets
diff --git a/web/middlewares.go b/web/middlewares.go
index 1bd7e82a..23012702 100644
--- a/web/middlewares.go
+++ b/web/middlewares.go
@@ -54,10 +54,24 @@ func authMiddleware(next http.Handler) http.Handler {
 		}
 
 		// check if user has proper roles to DBS (non GET) APIs
-		if r.Method != "GET" && Config.CMSRole != "" && Config.CMSGroup != "" {
-			status = CMSAuth.CheckCMSAuthz(r.Header, Config.CMSRole, Config.CMSGroup, "")
+		if r.Method != "GET" && len(Config.CMSRole) > 0 && len(Config.CMSGroup) > 0 {
+			if len(Config.CMSRole) != len(Config.CMSGroup) {
+				log.Println("not equal length of cms_role and cms_group attributes")
+				w.WriteHeader(http.StatusInternalServerError)
+				return
+			}
+			status = false
+			for i, role := range Config.CMSRole {
+				group := Config.CMSGroup[i]
+				// if user has at least one role/group (s)he ok to use the service
+				if CMSAuth.CheckCMSAuthz(r.Header, role, group, "") {
+					status = true
+					break
+				}
+			}
+			//             status = CMSAuth.CheckCMSAuthz(r.Header, Config.CMSRole, Config.CMSGroup, "")
 			if !status {
-				log.Printf("ERROR: fail to authorize used with role=%v and group=%v, HTTP headers %+v\n", Config.CMSRole, Config.CMSGroup, r.Header)
+				log.Printf("ERROR: fail to authorize user with role=%v and group=%v, HTTP headers %+v\n", Config.CMSRole, Config.CMSGroup, r.Header)
 				w.WriteHeader(http.StatusUnauthorized)
 				return
 			}