diff --git a/src/views/users.html b/src/views/users.html
index 0d0378fec..5364dea3a 100644
--- a/src/views/users.html
+++ b/src/views/users.html
@@ -278,6 +278,12 @@
               <multiselect ng-model="groupEdit.selectedUsers" options="(user.username || user.email) for user in allUsers" data-compare-by="email" data-multiple="true" filter-after-rows="5" scroll-after-rows="10"></multiselect>
             </div>
           </div>
+          <div class="form-group">
+            <label class="control-label">Access to Apps</label>
+            <div class="control-label">
+              <multiselect ng-model="groupEdit.selectedApps" options="(app.label || app.fqdn) for app in groupEdit.apps" data-compare-by="fqdn" data-multiple="true" filter-after-rows="5" scroll-after-rows="10"></multiselect>
+            </div>
+          </div>
           <input class="hide" type="submit" ng-disabled="groupEdit_form.$invalid || useredit.busy"/>
         </form>
       </div>
diff --git a/src/views/users.js b/src/views/users.js
index 8553fffde..ea687f8df 100644
--- a/src/views/users.js
+++ b/src/views/users.js
@@ -372,6 +372,9 @@ angular.module('Application').controller('UsersController', ['$scope', '$locatio
         name: '',
         source: '',
         selectedUsers: [],
+        selectedApps: [],
+        selectedAppsOriginal: [],
+        apps: [],
 
         show: function (groupInfo) {
             $scope.groupEdit.error = {};
@@ -379,6 +382,13 @@ angular.module('Application').controller('UsersController', ['$scope', '$locatio
             $scope.groupEdit.name = groupInfo.name;
             $scope.groupEdit.source = groupInfo.source;
             $scope.groupEdit.selectedUsers = groupInfo.userIds.map(function (uid) { return $scope.allUsersById[uid]; });
+            $scope.groupEdit.apps = Client.getInstalledApps();
+
+            $scope.groupEdit.selectedApps = Client.getInstalledApps().filter(function (app) {
+                if (app.accessRestriction === null || !Array.isArray(app.accessRestriction.groups)) return false;
+                return app.accessRestriction.groups.indexOf(groupInfo.id) !== -1;
+            });
+            angular.copy($scope.groupEdit.selectedApps, $scope.groupEdit.selectedAppsOriginal);
 
             $scope.groupEdit_form.$setPristine();
             $scope.groupEdit_form.$setUntouched();
@@ -412,13 +422,56 @@ angular.module('Application').controller('UsersController', ['$scope', '$locatio
                 var userIds = $scope.groupEdit.selectedUsers.map(function (u) { return u.id; });
 
                 Client.setGroupMembers($scope.groupEdit.groupInfo.id, userIds, function (error) {
-                    $scope.groupEdit.busy = false;
+                    if (error) {
+                        $scope.groupEdit.busy = false;
+                        return console.error('Unable to set group members.', error.statusCode, error.message);
+                    }
 
-                    if (error) return console.error('Unable to edit group.', error.statusCode, error.message);
+                    // find apps where ACL has changed
+                    var addedApps = $scope.groupEdit.selectedApps.filter(function (a) {
+                        return !$scope.groupEdit.selectedAppsOriginal.find(function (b) { return b.id === a.id; });
+                    });
+                    var removedApps = $scope.groupEdit.selectedAppsOriginal.filter(function (a) {
+                        return !$scope.groupEdit.selectedApps.find(function (b) { return b.id === a.id; });
+                    });
 
-                    refresh();
+                    async.eachSeries(addedApps, function (app, callback) {
+                        var accessRestriction = app.accessRestriction;
+                        if (!accessRestriction) accessRestriction = { users: [], groups: [] };
+                        if (!Array.isArray(accessRestriction.groups)) accessRestriction.groups = [];
 
-                    $('#groupEditModal').modal('hide');
+                        accessRestriction.groups.push($scope.groupEdit.groupInfo.id);
+
+                        Client.configureApp(app.id, 'access_restriction', { accessRestriction: accessRestriction }, callback);
+                    }, function (error) {
+                        if (error) {
+                            $scope.groupEdit.busy = false;
+                            return console.error('Unable to set added app access.', error.statusCode, error.message);
+                        }
+
+                        async.eachSeries(removedApps, function (app, callback) {
+                            var accessRestriction = app.accessRestriction;
+                            if (!accessRestriction) accessRestriction = { users: [], groups: [] };
+                            if (!Array.isArray(accessRestriction.groups)) accessRestriction.groups = [];
+
+                            var deleted = accessRestriction.groups.splice(accessRestriction.groups.indexOf($scope.groupEdit.groupInfo.id), 1);
+
+                            // if not found return early
+                            if (deleted.length === 0) return callback();
+
+                            Client.configureApp(app.id, 'access_restriction', { accessRestriction: accessRestriction }, callback);
+                        }, function (error) {
+                            $scope.groupEdit.busy = false;
+                            if (error) return console.error('Unable to set removed app access.', error.statusCode, error.message);
+
+                            refresh();
+
+                            // refresh apps to reflect change
+                            Client.refreshInstalledApps();
+
+                            $('#groupEditModal').modal('hide');
+                        });
+                    });
                 });
             });
         }