diff --git a/lib/perl/OVH/Bastion.pm b/lib/perl/OVH/Bastion.pm
index cbc76e1..abe65a4 100644
--- a/lib/perl/OVH/Bastion.pm
+++ b/lib/perl/OVH/Bastion.pm
@@ -600,13 +600,14 @@ sub touch_file {
 }
 
 # else
+ warn_syslog(sprintf("Couldn't touch file '%s' with perms %o: %s", $file, $perms, $!));
 return R('KO', msg => "Couldn't create file $file: $!");
 }
 
 sub create_file_if_not_exists {
 my %params = @_;
 my $file = $params{'file'};
- my $perms = $params{'perms'}; # must be an octal value (not a string)
+ my $perms = $params{'perms'}; # must be an octal value (not a string)
 my $group = $params{'group'};
 my $fh;
 
diff --git a/lib/perl/OVH/Bastion/Plugin/groupSetRole.pm b/lib/perl/OVH/Bastion/Plugin/groupSetRole.pm
index a1cbcdb..3181186 100644
--- a/lib/perl/OVH/Bastion/Plugin/groupSetRole.pm
+++ b/lib/perl/OVH/Bastion/Plugin/groupSetRole.pm
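Review bot: The added warn_syslog() call reads `$!`, and the `return R('KO', ...)` on the next line reads `$!` again, but any system call performed inside warn_syslog (syslog, print) can overwrite `$!`, so the message returned to the caller may no longer describe the failed touch. Capture the errno once before logging, `my $err = "$!";`, and use `$err` in both the sprintf and the returned msg. The `%o` conversion will also emit an uninitialized-value warning if a caller omitted perms, so `$perms // 0` in the sprintf argument list keeps the log line clean. touch_file's body starts outside the hunk, so whether `$perms` is guaranteed defined at this point cannot be confirmed here.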
@@ -51,23 +51,26 @@ sub preconditions {
 return R('ERR_INVALID_PARAMETER', msg => "Invalid remote user ($user) specified");
 }
 
- # policy check for guest accesses: if group forces ttl, the account creation must comply
- $fnret = OVH::Bastion::group_config(group => $group, key => "guest_ttl_limit");
+ if ($action eq 'add') {
 
- # if this config key is not set, no policy enforce has been requested, otherwise, check it:
- if ($fnret) {
- my $max = $fnret->value();
- if (!$ttl) {
- return R('ERR_INVALID_PARAMETER',
- msg => "This group requires guest accesses to have a TTL set, to a duration of "
- . OVH::Bastion::duration2human(seconds => $max)->value->{'duration'}
- . " or less");
- }
- if ($ttl > $max) {
- return R('ERR_INVALID_PARAMETER',
- msg => "The TTL you specified is invalid, this group requires guest accesses to have a TTL of "
- . OVH::Bastion::duration2human(seconds => $max)->value->{'duration'}
- . " maximum");
+ # policy check for guest accesses: if group forces ttl, the account creation must comply
+ $fnret = OVH::Bastion::group_config(group => $group, key => "guest_ttl_limit");
+
+ # if this config key is not set, no policy enforce has been requested, otherwise, check it:
+ if ($fnret) {
+ my $max = $fnret->value();
+ if (!$ttl) {
+ return R('ERR_INVALID_PARAMETER',
+ msg => "This group requires guest accesses to have a TTL set, to a duration of "
+ . OVH::Bastion::duration2human(seconds => $max)->value->{'duration'}
+ . " or less");
+ }
+ if ($ttl > $max) {
+ return R('ERR_INVALID_PARAMETER',
+ msg => "The TTL you specified is invalid, this group requires guest accesses to have a TTL of "
+ . OVH::Bastion::duration2human(seconds => $max)->value->{'duration'}
+ . " maximum");
+ }
 }
 }
 }
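Review bot: Now that the guest_ttl_limit policy is only enforced under `$action eq 'add'`, the block still uses `$fnret->value()` as `$max` without checking that it is a number: an empty or non-numeric configured limit makes `$ttl > $max` compare against 0 (with a warning) and the policy silently passes for any TTL. Reject a malformed limit before using it, e.g. `return R('KO', msg => "Invalid guest_ttl_limit configured for group $group") unless $max =~ /\A\d+\z/;` right after `my $max = $fnret->value();`. Whether `$action` has been validated against the set of supported actions before this point is not visible here, since preconditions starts before the hunk; if it has not, a comment on the new `if` stating that the TTL policy deliberately applies only to additions would help the next reader. The rewrap is otherwise an indentation-only move of the existing checks.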