diff --git a/content/reponode.go b/content/reponode.go
index eaea820..995827b 100644
--- a/content/reponode.go
+++ b/content/reponode.go
@@ -111,9 +111,11 @@ func (node *RepoNode) IsOneOfTheseMimeTypes(mimeTypes []string) bool {
 // CanBeAccessedByGroups can this node be accessed by at least one the given
 // groups
 func (node *RepoNode) CanBeAccessedByGroups(groups []string) bool {
-	if len(groups) == 0 || len(node.Groups) == 0 {
+	// no groups set on node => anybody can access it
+	if len(node.Groups) == 0 {
 		return true
 	}
+
 	for _, group := range groups {
 		for _, myGroup := range node.Groups {
 			if group == myGroup {
diff --git a/contentserver.go b/contentserver.go
index 17bc27f..c18954c 100644
--- a/contentserver.go
+++ b/contentserver.go
@@ -19,7 +19,7 @@ const (
 )
 
 var (
-	uniqushPushVersion = "content-server 1.3.1"
+	uniqushPushVersion = "content-server 1.3.4"
 	showVersionFlag    = flag.Bool("version", false, "version info")
 	address            = flag.String("address", "127.0.0.1:8081", "address to bind host:port")
 	varDir             = flag.String("var-dir", "/var/lib/contentserver", "where to put my data")
diff --git a/repo/repo.go b/repo/repo.go
index 388d67a..f1d1f46 100644
--- a/repo/repo.go
+++ b/repo/repo.go
@@ -72,10 +72,14 @@ func (repo *Repo) GetNodes(r *requests.Nodes) map[string]*content.Node {
 func (repo *Repo) getNodes(nodeRequests map[string]*requests.Node, env *requests.Env) map[string]*content.Node {
 	nodes := map[string]*content.Node{}
 	path := []*content.Item{}
-	groups := env.Groups
 	for nodeName, nodeRequest := range nodeRequests {
 		log.Debug("  adding node " + nodeName + " " + nodeRequest.ID)
 
+		groups := env.Groups
+		if len(nodeRequest.Groups) > 0 {
+			groups = nodeRequest.Groups
+		}
+
 		dimensionNode, ok := repo.Directory[nodeRequest.Dimension]
 		nodes[nodeName] = nil
 
@@ -125,15 +129,19 @@ func (repo *Repo) GetContent(r *requests.Content) (c *content.SiteContent, err e
 	c = content.NewSiteContent()
 	resolved, resolvedURI, resolvedDimension, node := repo.resolveContent(r.Env.Dimensions, r.URI)
 	if resolved {
-		log.Notice("200 for " + r.URI)
-		// forbidden ?!
-		c.Status = content.StatusOk
+		if !node.CanBeAccessedByGroups(r.Env.Groups) {
+			log.Notice("401 for " + r.URI)
+			c.Status = content.StatusForbidden
+		} else {
+			log.Notice("200 for " + r.URI)
+			c.Status = content.StatusOk
+			c.Data = node.Data
+		}
 		c.MimeType = node.MimeType
 		c.Dimension = resolvedDimension
 		c.URI = resolvedURI
 		c.Item = node.ToItem([]string{})
 		c.Path = node.GetPath()
-		c.Data = node.Data
 		// fetch URIs for all dimensions
 		uris := make(map[string]string)
 		for dimensionName := range repo.Directory {
diff --git a/requests/requests.go b/requests/requests.go
index ee0ea9d..792ed9b 100644
--- a/requests/requests.go
+++ b/requests/requests.go
@@ -14,6 +14,8 @@ type Node struct {
 	ID string `json:"id"`
 	// from which dimension
 	Dimension string `json:"dimension"`
+	// allowed access groups
+	Groups []string `json:"groups"`
 	// what do you want to see in your navigations, folders, images or unicorns
 	MimeTypes []string `json:"mimeTypes"`
 	// expand the navigation tree or just the path to the resolved content