diff --git a/src/groups.js b/src/groups.js
index c19c6ea93..d84b53126 100644
--- a/src/groups.js
+++ b/src/groups.js
@@ -8,6 +8,7 @@ exports = module.exports = {
     create: create,
     remove: remove,
     get: get,
+    update: update,
     getWithMembers: getWithMembers,
     getAll: getAll,
     getAllWithMembers: getAllWithMembers,
@@ -18,7 +19,6 @@ exports = module.exports = {
     removeMember: removeMember,
     isMember: isMember,
 
-    setRoles: setRoles,
     getRoles: getRoles,
 
     getGroups: getGroups,
@@ -253,15 +253,16 @@ function addOwnerGroup(callback) {
     groupdb.add(constants.ADMIN_GROUP_ID, constants.ADMIN_GROUP_NAME, [ accesscontrol.ROLE_OWNER ], callback);
 }
 
-function setRoles(groupId, roles, callback) {
+function update(groupId, data, callback) {
     assert.strictEqual(typeof groupId, 'string');
-    assert(Array.isArray(roles));
+    assert(data && typeof data === 'object');
+    assert(Array.isArray(data.roles));
     assert.strictEqual(typeof callback, 'function');
 
-    var error = accesscontrol.validateRoles(roles);
+    var error = accesscontrol.validateRoles(data.roles);
     if (error) return callback(new GroupsError(GroupsError.BAD_FIELD, error.message));
 
-    groupdb.update(groupId, { roles: roles }, function (error) {
+    groupdb.update(groupId, { roles: data.roles }, function (error) {
         if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new GroupsError(GroupsError.NOT_FOUND));
         if (error) return callback(new GroupsError(GroupsError.INTERNAL_ERROR, error));
 
diff --git a/src/routes/groups.js b/src/routes/groups.js
index 6658c262d..ceec76269 100644
--- a/src/routes/groups.js
+++ b/src/routes/groups.js
@@ -4,7 +4,7 @@ exports = module.exports = {
     get: get,
     list: list,
     create: create,
-    setRoles: setRoles,
+    update: update,
     remove: remove,
     updateMembers: updateMembers
 };
@@ -51,7 +51,7 @@ function get(req, res, next) {
     });
 }
 
-function setRoles(req, res, next) {
+function update(req, res, next) {
     assert.strictEqual(typeof req.params.groupId, 'string');
     assert.strictEqual(typeof req.body, 'object');
 
@@ -60,7 +60,7 @@ function setRoles(req, res, next) {
         if (typeof role !== 'string') return next(new HttpError(400, 'roles must be an array of strings'));
     }
 
-    groups.setRoles(req.params.groupId, req.body.roles, function (error, group) {
+    groups.update(req.params.groupId, { roles: req.body.roles }, function (error) {
         if (error && error.reason === GroupsError.BAD_FIELD) return next(new HttpError(400, error.message));
         if (error) return next(new HttpError(500, error));
 
diff --git a/src/routes/test/groups-test.js b/src/routes/test/groups-test.js
index bb0d1abb2..7b692d014 100644
--- a/src/routes/test/groups-test.js
+++ b/src/routes/test/groups-test.js
@@ -156,7 +156,7 @@ describe('Groups API', function () {
 
     describe('Roles', function () {
         it('can set roles', function (done) {
-            superagent.put(SERVER_URL + '/api/v1/groups/' + groupObject.id + '/roles')
+            superagent.post(SERVER_URL + '/api/v1/groups/' + groupObject.id)
                 .query({ access_token: token })
                 .send({ roles: [ accesscontrol.ROLE_OWNER ]})
                 .end(function (error, result) {
@@ -166,7 +166,7 @@ describe('Groups API', function () {
         });
 
         it('fails with invalid roles', function (done) {
-            superagent.put(SERVER_URL + '/api/v1/groups/' + groupObject.id + '/roles')
+            superagent.post(SERVER_URL + '/api/v1/groups/' + groupObject.id)
                 .query({ access_token: token })
                 .send({ roles: [ 'bogus' ]})
                 .end(function (error, result) {
diff --git a/src/server.js b/src/server.js
index de8b4d09a..13b03d84b 100644
--- a/src/server.js
+++ b/src/server.js
@@ -153,7 +153,7 @@ function initializeExpressSync() {
     router.post('/api/v1/groups', usersScope, routes.groups.create);
     router.get ('/api/v1/groups/:groupId', usersScope, routes.groups.get);
     router.put ('/api/v1/groups/:groupId/members', usersScope, routes.groups.updateMembers);
-    router.put ('/api/v1/groups/:groupId/roles', usersScope, routes.groups.setRoles);
+    router.post('/api/v1/groups/:groupId', usersScope, routes.groups.update);
     router.del ('/api/v1/groups/:groupId', usersScope, routes.users.verifyPassword, routes.groups.remove);
 
     // form based login routes used by oauth2 frame
diff --git a/src/test/groups-test.js b/src/test/groups-test.js
index fba84b8bb..f5d1f1a2b 100644
--- a/src/test/groups-test.js
+++ b/src/test/groups-test.js
@@ -399,7 +399,7 @@ describe('Roles', function () {
     after(cleanup);
 
     it('can set roles', function (done) {
-        groups.setRoles(group0Object.id, [ accesscontrol.ROLE_OWNER ], function (error) {
+        groups.update(group0Object.id, { roles: [ accesscontrol.ROLE_OWNER ] }, function (error) {
             expect(error).to.be(null);
             done();
         });
@@ -422,7 +422,7 @@ describe('Roles', function () {
     });
 
     it('cannot set invalid role', function (done) {
-        groups.setRoles(group0Object.id, [ accesscontrol.ROLE_OWNER, 'janitor' ], function (error) {
+        groups.update(group0Object.id, { roles: [ accesscontrol.ROLE_OWNER, 'janitor' ] }, function (error) {
             expect(error).to.be.ok();
             done();
         });