diff --git a/.env.example b/.env.example
index 33c168e8..3f7eb86c 100644
--- a/.env.example
+++ b/.env.example
@@ -48,3 +48,7 @@ PUSHER_APP_CLUSTER=mt1
 
 MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
 MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
+
+AUTH_ROLES_ENABLE=false
+AUTH_ROLES_HEADER="remote-groups"
+AUTH_ROLES_ADMIN="admin"
diff --git a/app/Http/Controllers/ItemController.php b/app/Http/Controllers/ItemController.php
index 07521b31..bd252763 100644
--- a/app/Http/Controllers/ItemController.php
+++ b/app/Http/Controllers/ItemController.php
@@ -33,34 +33,59 @@ class ItemController extends Controller
     /**
      * Display a listing of the resource on the dashboard.
      */
-    public function dash(): View
+    public function dash(Request $request): View
     {
         $treat_tags_as = \App\Setting::fetch('treat_tags_as');
 
         $data["treat_tags_as"] = $treat_tags_as;
 
-        if ($treat_tags_as == 'categories') {
-            $data['categories'] = Item::whereHas('children')->with('children', function ($query) {
-                $query->pinned()->orderBy('order', 'asc');
-            })->pinned()->orderBy('order', 'asc')->get();
+        if (config('app.auth_roles_enable')) {
+            $roles = explode(',', $request->header(config('app.auth_roles_header')));
+            if ($treat_tags_as == 'categories') {
+                $data['categories'] = Item::whereHas('children')->with('children', function ($query) {
+                    $query->pinned()->orderBy('order', 'asc');
+                })->pinned()->orderBy('order', 'asc')->get();
 
-        } elseif ($treat_tags_as == 'tags') {
-            $data['apps'] = Item::with('parents')->where('type', 0)->pinned()->orderBy('order', 'asc')->get();
-            $data['all_apps'] = Item::where('type', 0)->orderBy('order', 'asc')->get();
-            $data['taglist'] = Item::where('id', 0)->orWhere(function($query) {
-                $query->where('type', 1)->pinned();
-            })->orderBy('order', 'asc')->get();
+            } elseif ($treat_tags_as == 'tags') {
+                $data['apps'] = Item::with('parents')->where('type', 0)->pinned()->orderBy('order', 'asc')->get();
+                $data['all_apps'] = Item::where('type', 0)->orderBy('order', 'asc')->get();
+                $data['taglist'] = Item::where('id', 0)->orWhere(function($query) {
+                    $query->where('type', 1)->pinned();
+                })->orderBy('order', 'asc')->get();
+            } else {
+
+                $data['apps'] = Item::whereHas('parents', function ($query) {
+                    $query->where('id', 0);
+                })->whereIn('role', $roles)->orWhere('type', 1)->pinned()->orderBy('order', 'asc')->get();
+        
+                $data['all_apps'] = Item::whereHas('parents', function ($query) {
+                    $query->where('id', 0);
+                })->orWhere('type', 1)->orderBy('order', 'asc')->get();
+            }
         } else {
+            if ($treat_tags_as == 'categories') {
+                $data['categories'] = Item::whereHas('children')->with('children', function ($query) {
+                    $query->pinned()->orderBy('order', 'asc');
+                })->pinned()->orderBy('order', 'asc')->get();
 
-            $data['apps'] = Item::whereHas('parents', function ($query) {
-                $query->where('id', 0);
-            })->orWhere('type', 1)->pinned()->orderBy('order', 'asc')->get();
+            } elseif ($treat_tags_as == 'tags') {
+                $data['apps'] = Item::with('parents')->where('type', 0)->pinned()->orderBy('order', 'asc')->get();
+                $data['all_apps'] = Item::where('type', 0)->orderBy('order', 'asc')->get();
+                $data['taglist'] = Item::where('id', 0)->orWhere(function($query) {
+                    $query->where('type', 1)->pinned();
+                })->orderBy('order', 'asc')->get();
+            } else {
 
-            $data['all_apps'] = Item::whereHas('parents', function ($query) {
-                $query->where('id', 0);
-            })->orWhere(function ($query) {
-                $query->where('type', 1)->whereNot('id', 0);
-            })->orderBy('order', 'asc')->get();
+                $data['apps'] = Item::whereHas('parents', function ($query) {
+                    $query->where('id', 0);
+                })->orWhere('type', 1)->pinned()->orderBy('order', 'asc')->get();
+
+                $data['all_apps'] = Item::whereHas('parents', function ($query) {
+                    $query->where('id', 0);
+                })->orWhere(function ($query) {
+                    $query->where('type', 1)->whereNot('id', 0);
+                })->orderBy('order', 'asc')->get();
+            }
         }
 
         //$data['all_apps'] = Item::doesntHave('parents')->get();
diff --git a/app/Http/Controllers/TagController.php b/app/Http/Controllers/TagController.php
index 79f7ad6e..8e32dd46 100644
--- a/app/Http/Controllers/TagController.php
+++ b/app/Http/Controllers/TagController.php
@@ -88,11 +88,16 @@ class TagController extends Controller
      *
      * @param $slug
      */
-    public function show($slug): View
+    public function show($slug, Request $request): View
     {
         $item = Item::whereUrl($slug)->first();
         //print_r($item);
-        $data['apps'] = $item->children()->pinned()->orderBy('order', 'asc')->get();
+        if (config('app.auth_roles_enable')) {
+            $roles = explode(',', $request->header(config('app.auth_roles_header')));
+            $data['apps'] = $item->children()->whereIn('role', $roles)->pinned()->orderBy('order', 'asc')->get();
+        } else {
+            $data['apps'] = $item->children()->pinned()->orderBy('order', 'asc')->get();
+        }
         $data['tag'] = $item->id;
         $data['all_apps'] = $item->children;
 
diff --git a/app/Item.php b/app/Item.php
index b0e83b4f..719e50e7 100644
--- a/app/Item.php
+++ b/app/Item.php
@@ -33,6 +33,7 @@ use Symfony\Component\ClassLoader\ClassMapGenerator;
  * @property string|null $class
  * @property string|null $appid
  * @property string|null $appdescription
+ * @property string|null $role
  * @property-read \Illuminate\Database\Eloquent\Collection|Item[] $children
  * @property-read int|null $children_count
  * @property-read string $droppable
@@ -51,6 +52,7 @@ use Symfony\Component\ClassLoader\ClassMapGenerator;
  * @method static Builder|Item pinned()
  * @method static Builder|Item query()
  * @method static Builder|Item whereAppdescription($value)
+ * @method static Builder|Item whereRole($value)
  * @method static Builder|Item whereAppid($value)
  * @method static Builder|Item whereClass($value)
  * @method static Builder|Item whereColour($value)
@@ -105,6 +107,7 @@ class Item extends Model
         'user_id',
         'tag_id',
         'appid',
+        'role',
     ];
 
 
diff --git a/config/app.php b/config/app.php
index aff138a5..51f8860a 100644
--- a/config/app.php
+++ b/config/app.php
@@ -192,4 +192,8 @@ return [
         'Yaml' => Symfony\Component\Yaml\Yaml::class,
     ])->toArray(),
 
+    'auth_roles_enable' =>  (bool) env('AUTH_ROLES_ENABLE', false),
+    'auth_roles_header' =>  env('AUTH_ROLES_HEADER', 'remote-groups'),
+    'auth_roles_admin' =>  env('AUTH_ROLES_ADMIN', 'admin'),
+
 ];
diff --git a/database/migrations/2023_01_27_121000_add_role_to_item.php b/database/migrations/2023_01_27_121000_add_role_to_item.php
new file mode 100644
index 00000000..1ab8d44f
--- /dev/null
+++ b/database/migrations/2023_01_27_121000_add_role_to_item.php
@@ -0,0 +1,32 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+class AddRoleToItem extends Migration
+{
+    /**
+     * Run the migrations.
+     *
+     * @return void
+     */
+    public function up()
+    {
+        Schema::table('items', function (Blueprint $table) {
+            $table->text('role')->nullable();
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     *
+     * @return void
+     */
+    public function down()
+    {
+        Schema::table('items', function (Blueprint $table) {
+            //
+        });
+    }
+}
diff --git a/lang/de/app.php b/lang/de/app.php
index c97d9874..6574c2fc 100644
--- a/lang/de/app.php
+++ b/lang/de/app.php
@@ -105,4 +105,5 @@ return array (
   'alert.success.user_restored' => 'Nutzer erfolgreich wiederhergestellt',
   'dashboard.reorder' => 'Elemente neu anordnen und anheften',
   'dashboard.settings' => 'Einstellungen',
+  'role' => 'Authentifizierungsrolle',
 );
\ No newline at end of file
diff --git a/lang/en/app.php b/lang/en/app.php
index bfd97649..130c2307 100644
--- a/lang/en/app.php
+++ b/lang/en/app.php
@@ -114,4 +114,5 @@ return array (
   'alert.success.user_restored' => 'User restored successfully',
   'dashboard.reorder' => 'Reorder and pin items',
   'dashboard.settings' => 'Settings',
+  'role' => 'Authentification role',
 );
\ No newline at end of file
diff --git a/resources/views/items/form.blade.php b/resources/views/items/form.blade.php
index 8d24a7f1..b7de5b3a 100644
--- a/resources/views/items/form.blade.php
+++ b/resources/views/items/form.blade.php
@@ -1,4 +1,4 @@
-    <section class="module-container">
+<section class="module-container">
         <header>
             <div class="section-title">{{ __('app.apps.preview') }}</div>
             <div class="module-actions">
@@ -76,6 +76,13 @@
                 {!! Form::select('tags[]', $tags, $current_tags, ['class' => 'tags', 'multiple']) !!}
             </div>
 
+            @if($app['config']->get('app.auth_roles_enable', false))
+            <div class="input">
+                <label>{{ __('app.role') }}</label>
+                {!! Form::text('role', $item->role ?? null, array('placeholder' => __('app.role'), 'id' => 'role', 'class' => 'form-control')) !!}
+            </div>
+            @endif
+
             <div class="input">
                 <div class="icon-container">
                     <div id="appimage">
diff --git a/resources/views/tags/form.blade.php b/resources/views/tags/form.blade.php
index 634632d0..40e0761f 100644
--- a/resources/views/tags/form.blade.php
+++ b/resources/views/tags/form.blade.php
@@ -1,4 +1,4 @@
-    <section class="module-container">
+<section class="module-container">
         <header>
             <div class="section-title">{{ __('app.apps.add_tag') }}</div>
             <div class="module-actions">
@@ -30,6 +30,13 @@
                 {!! Form::text('colour', null, array('placeholder' => __('app.apps.hex'),'class' => 'form-control color-picker')) !!}
                 <hr />
             </div>
+            @if($app['config']->get('app.auth_roles_enable', false))
+            <div class="input">
+                <label>{{ __('app.role') }}</label>
+                {!! Form::text('role', $item->role ?? null, array('placeholder' => __('app.role'), 'id' => 'role', 'class' => 'form-control')) !!}
+                <hr />
+            </div>
+            @endif
             <div class="input">
                 <label>{{ __('app.apps.icon') }}</label>
                 <div class="icon-container">
@@ -51,6 +58,19 @@
                     </div>
                 </div>
             </div>
+            <div class="input">
+            <label>{{ __('app.apps.pinned') }}</label>
+                {!! Form::hidden('pinned', '0') !!}
+                <label class="switch">
+                    <?php
+                    $checked = false;
+                    if(isset($item->pinned) && (bool)$item->pinned === true) $checked = true;
+                    $set_checked = ($checked) ? ' checked="checked"' : '';
+                    ?>                   
+                    <input type="checkbox" name="pinned" value="1"<?php echo $set_checked;?> />
+                    <span class="slider round"></span>
+                </label>
+            </div>
             
             <div id="sapconfig"></div>