diff --git a/main.tf b/main.tf
index 0f379cd..93d6b98 100644
--- a/main.tf
+++ b/main.tf
@@ -219,6 +219,14 @@ resource "keycloak_openid_client" "guac_client" {
 ]
 }
 
+resource "keycloak_openid_group_membership_protocol_mapper" "guac_group_membership_mapper" {
+ realm_id = keycloak_realm.realm.id
+ name = "groups"
+ claim_name = "groups"
+ client_id = keycloak_openid_client.guac_client.id
+ full_path = false
+}
+
 resource "random_password" "guac_db_pw" {
 length = 16
 special = false
@@ -286,6 +294,23 @@ EOT
 ]
 }
 
+resource "guacamole_connection_group" "routers" {
+ parent_identifier = "ROOT"
+ name = "Routers"
+ type = "organizational"
+}
+
+resource "guacamole_user_group" "admingroup" {
+ identifier = "Admins"
+ system_permissions = ["ADMINISTER"]
+ connection_groups = [
+ guacamole_connection_group.routers.id
+ ]
+ attributes {
+ disabled = false
+ }
+}
+
 resource "keycloak_openid_client" "nautobot_client" {
 realm_id = keycloak_realm.realm.id
 client_id = "nautobot"
@@ -608,12 +633,6 @@ resource "proxmox_vm_qemu" "vyos_router" {
 EOF
 }
 
-resource "guacamole_connection_group" "routers" {
- parent_identifier = "ROOT"
- name = "Routers"
- type = "organizational"
-}
-
 resource "guacamole_connection_ssh" "vyos_vms" {
 for_each = { for x in proxmox_vm_qemu.vyos_router: x.name => x }
 name = each.value.name
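Review bot: With `full_path = false` in `guac_group_membership_mapper`, the `groups` claim carries only each group's leaf name, so a nested Keycloak group whose last path segment is `Admins` is indistinguishable from a top-level `Admins`. The second hunk creates a Guacamole user group `Admins` with `ADMINISTER`; assuming Guacamole matches its groups by name against this claim, that collision becomes a privilege grant. Either set `full_path = true` and name the Guacamole group by the full path, or add a comment above the mapper stating that the realm must not contain sub-groups with privileged leaf names. The mapper also leaves token placement at the provider defaults, so if Guacamole reads only the ID token, `add_to_access_token = false` and `add_to_userinfo = false` would keep the membership list out of tokens sent elsewhere.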
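Review bot: `system_permissions = ["ADMINISTER"]` on `guacamole_user_group.admingroup` gives every member full control of Guacamole, which makes the explicit `connection_groups` entry redundant and leaves the intended scope unclear. If the goal is only access to the Routers group, drop `ADMINISTER` and keep the `connection_groups` grant; if it is full administration, say so in a comment. The identifier `Admins` is a generic name that nothing in the visible hunks ties to a specific Keycloak group, so a comment such as `# Must equal the Keycloak group name emitted in the "groups" claim; members become full Guacamole admins` would document the coupling. A less collision-prone identifier, for example `guacamole-admins`, would also reduce the chance of an unrelated group inheriting this role.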