diff --git a/controllers/middleware.go b/controllers/middleware.go
index c66c97b1..d4a3fff1 100644
--- a/controllers/middleware.go
+++ b/controllers/middleware.go
@@ -54,7 +54,7 @@ func userMiddleWare(handler http.Handler) http.Handler {
 if keyID, ok := params["keyID"]; ok {
 r.Header.Set("TARGET_RSRC_ID", keyID)
 }
- if nodeID, ok := params["nodeid"]; ok {
+ if nodeID, ok := params["nodeid"]; ok && r.Header.Get("TARGET_RSRC") != models.ExtClientsRsrc.String() {
 r.Header.Set("TARGET_RSRC_ID", nodeID)
 }
 if hostID, ok := params["hostid"]; ok {
diff --git a/controllers/node.go b/controllers/node.go
index 134bd045..f8b37ccc 100644
--- a/controllers/node.go
+++ b/controllers/node.go
@@ -572,22 +572,22 @@ func createIngressGateway(w http.ResponseWriter, r *http.Request) {
 }
 // create network role for this gateway
 logic.CreateRole(models.UserRolePermissionTemplate{
- ID: models.UserRole(fmt.Sprintf("net-%s-rag-%s", node.Network, host.Name)),
+ ID: models.GetRAGRoleName(node.Network, host.Name),
 NetworkID: node.Network,
 NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{
 models.RemoteAccessGwRsrc: {
 models.RsrcID(node.ID.String()): models.RsrcPermissionScope{
- Read: true,
+ Read: true,
+ VPNaccess: true,
 },
 },
 models.ExtClientsRsrc: {
 models.AllExtClientsRsrcID: models.RsrcPermissionScope{
- Read: true,
- Create: true,
- Update: true,
- Delete: true,
- VPNaccess: true,
- SelfOnly: true,
+ Read: true,
+ Create: true,
+ Update: true,
+ Delete: true,
+ SelfOnly: true,
 },
 },
 },
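Review bot: The new `&& r.Header.Get("TARGET_RSRC") != models.ExtClientsRsrc.String()` guard in userMiddleWare only works if `TARGET_RSRC` has already been populated server-side by the time this runs; if it is empty for a route the comparison is true and `nodeid` still overwrites `TARGET_RSRC_ID`, and if the header can arrive from the client, the caller can steer which resource ID the later authorization check sees. Where `TARGET_RSRC` is set is not visible in this hunk, so please confirm the router writes it before this point and that any client-supplied value is stripped. The following `hostid` branch, whose body is outside the hunk, carries no equivalent guard, so the exemption for ext-client routes holds only if those routes never carry `hostid`. A named condition would make the intent readable: `targetIsExtClient := r.Header.Get("TARGET_RSRC") == models.ExtClientsRsrc.String()` followed by `if nodeID, ok := params["nodeid"]; ok && !targetIsExtClient {`. userMiddleWare's body starts and ends outside the hunk.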
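Review bot: `models.GetRAGRoleName` (models/user_mgmt.go `@@ -20`) builds the role ID as `netID-%s-rag-%s`, while the line removed here built `net-%s-rag-%s`, so roles already persisted under the old name will not be matched by the renamed lookups in deleteIngressGateway (`@@ -645`, `@@ -656`) and syncUsers (migrate/migrate.go `@@ -383`), and nothing in this diff renames or removes the old role records or the per-user NetworkRoles entries that reference them. Either keep the `net-` prefix inside GetRAGRoleName, or add a migration step that renames existing `net-<network>-rag-<host>` roles and updates the NetworkRoles maps that point at them. Moving `VPNaccess: true` from the ext-clients scope to the gateway's own scope is consistent with the `scope.VPNaccess` check in GetUserNetworkRolesWithRemoteVPNAccess (logic/user_mgmt.go `@@ -443`), but it is a permission change rather than a refactor and deserves a line in the commit message. createIngressGateway's body starts and ends outside the hunk.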
@@ -645,7 +645,7 @@ func deleteIngressGateway(w http.ResponseWriter, r *http.Request) { for _, user := range users { // delete role from user if netRoles, ok := user.NetworkRoles[models.NetworkID(node.Network)]; ok { - delete(netRoles, models.UserRole(fmt.Sprintf("net-%s-rag-%s", node.Network, host.Name))) + delete(netRoles, models.GetRAGRoleName(node.Network, host.Name)) user.NetworkRoles[models.NetworkID(node.Network)] = netRoles err = logic.UpsertUser(user) if err != nil { @@ -656,7 +656,7 @@ func deleteIngressGateway(w http.ResponseWriter, r *http.Request) { } else { slog.Error("failed to get users", "error", err) } - logic.DeleteRole(models.UserRole(fmt.Sprintf("net-%s-rag-%s", node.Network, host.Name))) + logic.DeleteRole(models.GetRAGRoleName(node.Network, host.Name)) }() } diff --git a/logic/security.go b/logic/security.go index 8a13d1fd..dbac624a 100644 --- a/logic/security.go +++ b/logic/security.go @@ -206,10 +206,12 @@ func SecurityCheck(reqAdmin bool, next http.Handler) http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { r.Header.Set("ismaster", "no") + logger.Log(0, "next", r.URL.String()) isGlobalAccesss := r.Header.Get("IS_GLOBAL_ACCESS") == "yes" bearerToken := r.Header.Get("Authorization") username, err := GetUserNameFromToken(bearerToken) if err != nil { + logger.Log(0, "next 1", r.URL.String(), err.Error()) ReturnErrorResponse(w, r, FormatError(err, err.Error())) return } @@ -276,6 +278,7 @@ func ContinueIfUserMatch(next http.Handler) http.HandlerFunc { var params = mux.Vars(r) var requestedUser = params["username"] if requestedUser != r.Header.Get("user") { + logger.Log(0, "next 2", r.URL.String(), errorResponse.Message) ReturnErrorResponse(w, r, errorResponse) return } diff --git a/logic/user_mgmt.go b/logic/user_mgmt.go index 3f582bec..15ce44b8 100644 --- a/logic/user_mgmt.go +++ b/logic/user_mgmt.go 
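Review bot: The added `logger.Log(0, "next", r.URL.String())` and `logger.Log(0, "next 1", r.URL.String(), err.Error())` in SecurityCheck write the full request URL, query string included, at verbosity 0 on every request and on every token failure, and the `"next"`/`"next 1"` labels read as leftover debugging rather than an intended audit line; the same applies to `"next 2"` in ContinueIfUserMatch (`@@ -276`). Query parameters on this API can carry identifiers an operator may not want in logs, and since the first line runs before authentication an unauthenticated caller can fill the log with arbitrary URLs. If an audit line for rejected requests is wanted, log the path and outcome with a descriptive message, e.g. `logger.Log(0, "auth failed", r.Method, r.URL.Path, err.Error())`, and otherwise drop these three lines before merging. The enclosing handler closures continue outside the hunks.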
@@ -6,6 +6,7 @@ import ( "fmt" "github.com/gravitl/netmaker/database" + "github.com/gravitl/netmaker/logger" "github.com/gravitl/netmaker/models" ) @@ -52,17 +53,17 @@ var NetworkUserPermissionTemplate = models.UserRolePermissionTemplate{ NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{ models.RemoteAccessGwRsrc: { models.AllRemoteAccessGwRsrcID: models.RsrcPermissionScope{ - Read: true, + Read: true, + VPNaccess: true, }, }, models.ExtClientsRsrc: { models.AllExtClientsRsrcID: models.RsrcPermissionScope{ - Read: true, - Create: true, - Update: true, - Delete: true, - VPNaccess: true, - SelfOnly: true, + Read: true, + Create: true, + Update: true, + Delete: true, + SelfOnly: true, }, }, }, @@ -378,13 +379,16 @@ func HasNetworkRsrcScope(permissionTemplate models.UserRolePermissionTemplate, n return ok } func GetUserRAGNodes(user models.User) (gws map[string]models.Node) { + logger.Log(0, "------------> 7. getUserRemoteAccessGwsV1") gws = make(map[string]models.Node) userGwAccessScope := GetUserNetworkRolesWithRemoteVPNAccess(user) + logger.Log(0, fmt.Sprintf("User Gw Access Scope: %+v", userGwAccessScope)) _, allNetAccess := userGwAccessScope["*"] nodes, err := GetAllNodes() if err != nil { return } + logger.Log(0, "------------> 8. getUserRemoteAccessGwsV1") for _, node := range nodes { if node.IsIngressGateway && !node.PendingDelete { if allNetAccess { @@ -393,7 +397,7 @@ func GetUserRAGNodes(user models.User) (gws map[string]models.Node) { gwRsrcMap := userGwAccessScope[models.NetworkID(node.Network)] scope, ok := gwRsrcMap[models.AllRemoteAccessGwRsrcID] if !ok { - if _, ok := gwRsrcMap[models.RsrcID(node.ID.String())]; !ok { + if scope, ok = gwRsrcMap[models.RsrcID(node.ID.String())]; !ok { continue } } 
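Review bot: Every user holding the default network-user role is now granted `VPNaccess: true` on `models.AllRemoteAccessGwRsrcID` in NetworkUserPermissionTemplate (`@@ -52`), where before the flag lived on the ext-clients scope; the same move is made for the per-gateway role in createIngressGateway (controllers/node.go `@@ -572`) and syncUsers (migrate/migrate.go `@@ -323`). If, as the `@@ -443` hunk below suggests, GetUserNetworkRolesWithRemoteVPNAccess gates on `scope.VPNaccess` of the gateway entries, this may widen which users can obtain gateway access rather than merely relabel the flag, so please confirm the broadening is intended for the default template and note it in the release notes. A short comment on the template, `// VPNaccess on the gateway scope is what GetUserNetworkRolesWithRemoteVPNAccess checks`, would keep the next editor from moving it back.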
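Review bot: The `------------> 7.`/`8.`/`9.` lines and `logger.Log(0, fmt.Sprintf("User Gw Access Scope: %+v", userGwAccessScope))` in GetUserRAGNodes (`@@ -378`, `@@ -404`) are unlabelled tracing at verbosity 0, and the `%+v` dump writes the user's entire network permission map to the log on every call; the same numbered tracing is added in GetUserNetworkRolesWithRemoteVPNAccess (`@@ -404`, `@@ -418`, `@@ -453`) and in getUserRemoteAccessGwsV1 (pro/controllers/users.go `@@ -148`, `@@ -171`, `@@ -180`). Please remove these before merge, or keep a single line that names the function and a count instead of the map contents, e.g. `logger.Log(0, "GetUserRAGNodes: networks with gw access", fmt.Sprint(len(userGwAccessScope)))`. The `scope, ok = gwRsrcMap[...]` change in `@@ -393` is a genuine fix, since the previous `:=` shadowed `ok` and discarded the per-node scope; a one-line comment, `// fall back to the per-gateway scope when no all-gateways entry exists`, would make that intent visible. GetUserRAGNodes continues into the next chunk.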
@@ -404,12 +408,14 @@ func GetUserRAGNodes(user models.User) (gws map[string]models.Node) { } } } + logger.Log(0, "------------> 9. getUserRemoteAccessGwsV1") return } // GetUserNetworkRoles - get user network roles func GetUserNetworkRolesWithRemoteVPNAccess(user models.User) (gwAccess map[models.NetworkID]map[models.RsrcID]models.RsrcPermissionScope) { gwAccess = make(map[models.NetworkID]map[models.RsrcID]models.RsrcPermissionScope) + logger.Log(0, "------------> 7.1 getUserRemoteAccessGwsV1") platformRole, err := GetRole(user.PlatformRoleID) if err != nil { return @@ -418,6 +424,7 @@ func GetUserNetworkRolesWithRemoteVPNAccess(user models.User) (gwAccess map[mode gwAccess[models.NetworkID("*")] = make(map[models.RsrcID]models.RsrcPermissionScope) return } + logger.Log(0, "------------> 7.2 getUserRemoteAccessGwsV1") for netID, roleMap := range user.NetworkRoles { for roleID := range roleMap { role, err := GetRole(roleID) @@ -427,9 +434,16 @@ func GetUserNetworkRolesWithRemoteVPNAccess(user models.User) (gwAccess map[mode models.AllRemoteAccessGwRsrcID: { Create: true, Read: true, + Update: true, VPNaccess: true, Delete: true, }, + models.AllExtClientsRsrcID: { + Create: true, + Read: true, + Update: true, + Delete: true, + }, } break } @@ -443,6 +457,9 @@ func GetUserNetworkRolesWithRemoteVPNAccess(user models.User) (gwAccess map[mode } else { for gwID, scope := range rsrcsMap { if scope.VPNaccess { + if len(gwAccess[netID]) == 0 { + gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope) + } gwAccess[netID][gwID] = scope } } @@ -453,5 +470,6 @@ func GetUserNetworkRolesWithRemoteVPNAccess(user models.User) (gwAccess map[mode } } } + logger.Log(0, "------------> 7.3 getUserRemoteAccessGwsV1") return } diff --git a/migrate/migrate.go b/migrate/migrate.go index b72f38b4..a4d4600f 100644 --- a/migrate/migrate.go +++ b/migrate/migrate.go 
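Review bot: The new `models.AllExtClientsRsrcID` entry synthesized at `@@ -427` grants Create/Read/Update/Delete over all ext clients without `SelfOnly`, whereas every persisted template in this diff sets `SelfOnly: true` on that resource; the role condition that selects this branch is outside the hunk, so if it is the elevated-role path the omission is fine, but please confirm and mark it with `// elevated role: full ext-client scope, intentionally not SelfOnly`. The `Update: true` added to the gateway entry in the same hunk is likewise a scope expansion rather than a rename. The nil-map guard in `@@ -443` is correct; `if gwAccess[netID] == nil {` would state the intent more directly than `len(gwAccess[netID]) == 0` with identical behaviour, since an empty non-nil map is only replaced by another empty map.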
@@ -323,22 +323,22 @@ func syncUsers() { h, err := logic.GetHost(networkNodeI.HostID.String()) if err == nil { logic.CreateRole(models.UserRolePermissionTemplate{ - ID: models.UserRole(fmt.Sprintf("net-%s-rag-%s", netI.NetID, h.Name)), + ID: models.GetRAGRoleName(networkNodeI.Network, h.Name), NetworkID: netI.NetID, NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{ models.RemoteAccessGwRsrc: { models.RsrcID(networkNodeI.ID.String()): models.RsrcPermissionScope{ - Read: true, + Read: true, + VPNaccess: true, }, }, models.ExtClientsRsrc: { models.AllExtClientsRsrcID: models.RsrcPermissionScope{ - Read: true, - Create: true, - Update: true, - Delete: true, - VPNaccess: true, - SelfOnly: true, + Read: true, + Create: true, + Update: true, + Delete: true, + SelfOnly: true, }, }, }, @@ -383,7 +383,7 @@ func syncUsers() { if err != nil { continue } - r, err := logic.GetRole(models.UserRole(fmt.Sprintf("net-%s-rag-%s", gwNode.Network, h.Name))) + r, err := logic.GetRole(models.GetRAGRoleName(gwNode.Network, h.Name)) if err != nil { continue } diff --git a/models/user_mgmt.go b/models/user_mgmt.go index b68f90de..7d61ad26 100644 --- a/models/user_mgmt.go +++ b/models/user_mgmt.go @@ -1,6 +1,7 @@ package models import ( + "fmt" "time" jwt "github.com/golang-jwt/jwt/v4" @@ -20,6 +21,10 @@ func (rid RsrcID) String() string { return string(rid) } +func GetRAGRoleName(netID, hostName string) UserRole { + return UserRole(fmt.Sprintf("netID-%s-rag-%s", netID, hostName)) +} + var RsrcTypeMap = map[RsrcType]struct{}{ HostRsrc: {}, RelayRsrc: {}, diff --git a/pro/controllers/users.go b/pro/controllers/users.go index d1fbb859..d21a1446 100644 --- a/pro/controllers/users.go +++ b/pro/controllers/users.go 
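Review bot: `ID` and `NetworkID` in the template created at `@@ -323` are now fed from two different sources, `networkNodeI.Network` and `netI.NetID`; if a node's Network could ever differ from the network being iterated, the role would be registered under one network and named for another, and the lookup at `@@ -383` (which uses `gwNode.Network`) would miss it. If the two are always equal here, use the same variable for both fields so the template is self-consistent, e.g. `ID: models.GetRAGRoleName(netI.NetID, h.Name),` next to the existing `NetworkID: netI.NetID,`, or switch `NetworkID` to `networkNodeI.Network` if that is the authoritative value. syncUsers's body starts and ends outside the hunk.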
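Review bot: `GetRAGRoleName` (`@@ -20`) is exported but has no doc comment, and it is now the single place that fixes the persisted role naming scheme, so the comment should state the format, e.g. `// GetRAGRoleName returns the network role ID for a remote-access gateway, formatted as "netID-<network>-rag-<host>".` The `Get` prefix is against Go naming convention (`RAGRoleName` would be idiomatic), though renaming is optional since the callers in this diff already use the new name. For a two-piece format, plain concatenation `return UserRole("netID-" + netID + "-rag-" + hostName)` avoids adding the `fmt` import to the models package.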
@@ -148,19 +148,21 @@ func removeUserFromRemoteAccessGW(w http.ResponseWriter, r *http.Request) {
 func getUserRemoteAccessGwsV1(w http.ResponseWriter, r *http.Request) {
 // set header.
 w.Header().Set("Content-Type", "application/json")
-
+ logger.Log(0, "------------> 1. getUserRemoteAccessGwsV1")
 var params = mux.Vars(r)
 username := params["username"]
 if username == "" {
 logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("required params username"), "badrequest"))
 return
 }
+ logger.Log(0, "------------> 2. getUserRemoteAccessGwsV1")
 user, err := logic.GetUser(username)
 if err != nil {
 logger.Log(0, username, "failed to fetch user: ", err.Error())
 logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
 return
 }
+ logger.Log(0, "------------> 3. getUserRemoteAccessGwsV1")
 remoteAccessClientID := r.URL.Query().Get("remote_access_clientid")
 var req models.UserRemoteGwsReq
 if remoteAccessClientID == "" {
@@ -171,6 +173,7 @@ func getUserRemoteAccessGwsV1(w http.ResponseWriter, r *http.Request) {
 return
 }
 }
+ logger.Log(0, "------------> 4. getUserRemoteAccessGwsV1")
 reqFromMobile := r.URL.Query().Get("from_mobile") == "true"
 if req.RemoteAccessClientID == "" && remoteAccessClientID == "" {
 logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("remote access client id cannot be empty"), "badrequest"))
@@ -180,12 +183,13 @@ func getUserRemoteAccessGwsV1(w http.ResponseWriter, r *http.Request) {
 req.RemoteAccessClientID = remoteAccessClientID
 }
 userGws := make(map[string][]models.UserRemoteGws)
-
+ logger.Log(0, "------------> 5. getUserRemoteAccessGwsV1")
 allextClients, err := logic.GetAllExtClients()
 if err != nil {
 logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
 return
 }
+ logger.Log(0, "------------> 6. getUserRemoteAccessGwsV1")
 userGwNodes := logic.GetUserRAGNodes(*user)
 logger.Log(0, fmt.Sprintf("1. User Gw Nodes: %+v", userGwNodes))
 for _, extClient := range allextClients {