diff --git a/app/models/iam/Policy.model.js b/app/models/iam/Policy.model.js
index ed9dbe2..f4dd7f4 100644
--- a/app/models/iam/Policy.model.js
+++ b/app/models/iam/Policy.model.js
@@ -65,34 +65,65 @@ class PolicyModel extends Model {
 return user_denials.length > 0 || group_denials.length > 0
 }
 
+ static async get_all_related(target_id) {
+ const all = [target_id]
+ const Machine = this.prototype.models.get('ldap:Machine')
+ const MachineGroup = this.prototype.models.get('ldap:MachineGroup')
+
+ const machine = await Machine.findById(target_id)
+ if ( machine?.active ) {
+ const groups = await MachineGroup.find({
+ active: true,
+ machine_ids: machine.id,
+ })
+
+ groups.map(x => all.push(x.id))
+ }
+
+ const group = await MachineGroup.findById(target_id)
+ if ( group?.active ) {
+ const machines = await Machine.find({
+ active: true,
+ _id: {
+ $in: group.machine_ids.map(x => Machine.to_object_id(x)),
+ }
+ })
+
+ machines.map(x => all.push(x.id))
+ }
+
+ return all
+ }
+
 static async check_user_access(user, target_id) {
 const groups = await user.groups()
 const group_ids = groups.map(x => x.id)
+ const target_ids = await this.get_all_related(target_id)
 
 const user_approvals = await this.find({
 entity_id: user.id,
- target_id,
+ target_id: { $in: target_ids },
 access_type: 'allow',
 active: true,
 })
 
 const user_denials = await this.find({
 entity_id: user.id,
- target_id,
+ target_id: { $in: target_ids },
 access_type: 'deny',
 active: true,
 })
 
 const group_approvals = await this.find({
 entity_id: { $in: group_ids },
- target_id,
+ target_id: { $in: target_ids },
 access_type: 'allow',
 active: true,
 })
 
 const group_denials = await this.find({
 entity_id: { $in: group_ids },
- target_id,
+ target_id: { $in: target_ids },
 access_type: 'deny',
 active: true,
 })
diff --git a/app/models/ldap/Machine.model.js b/app/models/ldap/Machine.model.js
index 99238b3..9df9fe5 100644
--- a/app/models/ldap/Machine.model.js
+++ b/app/models/ldap/Machine.model.js
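Review bot: `get_all_related` expands a group target into every one of its member machines, so — if `check_user_access` grants on any row in `user_approvals`/`group_approvals` (its return statement lies outside this hunk) — an `allow` policy scoped to a single machine now satisfies an access check for the whole group, which reads as an over-grant unless a group check is meant to pass when the user can reach any one member. The machine→groups direction models inheritance from a group policy and looks intended; the group→machines direction is the one to confirm, and if only denials should propagate downward the expansion could be split into separate id lists for the allow and deny queries. Separately, `groups.map(x => all.push(x.id))` and `machines.map(x => all.push(x.id))` use `map` for its side effect; `all.push(...groups.map(x => x.id))` states the intent. `group.machine_ids` is also dereferenced without a guard — presumably the schema always sets it, worth confirming.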
@@ -20,12 +20,6 @@ class MachineModel extends Model {
 }
 
 async to_api() {
- let iam_filter = `(|(iamTarget=${this.id})`
- for ( const group of (await this.groups()) ) {
- iam_filter += `(iamTarget=${group.id})`
- }
- iam_filter += ')'
-
 return {
 id: this.id,
 name: this.name,
@@ -33,7 +27,7 @@ class MachineModel extends Model {
 host_name: this.host_name,
 location: this.location,
 ldap_visible: this.ldap_visible,
- iam_filter,
+ iam_filter: `(|(iamTarget=${this.id}))`,
 }
 }