diff --git a/k8s/core/argocd/values.yaml b/k8s/core/argocd/values.yaml index 734efd9..8fc7cf7 100644 --- a/k8s/core/argocd/values.yaml +++ b/k8s/core/argocd/values.yaml @@ -32,18 +32,22 @@ configs: create: true policy.default: "" policy.csv: | - p, minecraft_manager, applications, get, */minecraft, allow - p, minecraft_manager, applications, update, */minecraft, allow - p, minecraft_manager, applications, sync, */minecraft, allow - p, minecraft_manager, applications, action/*, */minecraft, allow - p, minecraft_manager, logs, get, */minecraft, allow - p, minecraft_manager, applications, *, *, deny - p, minecraft_manager, applications, get, */minecraft, allow - p, minecraft_manager, applications, update, */minecraft, allow - p, minecraft_manager, applications, sync, */minecraft, allow - p, minecraft_manager, applications, action/*, */minecraft, allow - p, minecraft_manager, logs, get, */minecraft, allow - g, Minecraft Manager, role:minecraft-manager + # Policies for "Minecraft Manager" group + # Access to minecraft application in argocd project - view, edit, sync + p, Minecraft Manager, applications, get, argocd/minecraft, allow + p, Minecraft Manager, applications, update, argocd/minecraft, allow + p, Minecraft Manager, applications, sync, argocd/minecraft, allow + + # Access to actions on minecraft application resources (including restart) + p, Minecraft Manager, applications, action/*, argocd/minecraft, allow + + # Access to minecraft application logs + p, Minecraft Manager, logs, get, argocd/minecraft, allow + + # Bind group to minecraft role + g, Minecraft Manager, role:minecraft + + g, ArgoCD Admins, role:admin secret:
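Review bot: The added `g, Minecraft Manager, role:minecraft` binding points at a role that no `p` line in this hunk defines, because the five new `p` rules use the group `Minecraft Manager` as their subject rather than the role. As written the binding grants nothing, and the group would silently inherit whatever a later `role:minecraft` definition allows. Either attach the rules to the role, following the pattern `p, role:minecraft, applications, get, argocd/minecraft, allow` for each of the five, or drop the `g` line so the policy states only what it enforces. Separately, `action/*` permits every resource action on the application although the comment mentions only restart; if restart is the only need, a scoped form such as `action/apps/Deployment/restart` (assuming the workload is a Deployment) would be tighter.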