diff --git a/inc/auth.php b/inc/auth.php
index d0f21c825e348880febb27008d899a615285036a..fbdb2b439287057c914d5f9753ffe8244e3eda3b 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -123,19 +123,27 @@ function auth_setup() {
  */
 function auth_loadACL() {
     global $config_cascade;
+    global $USERINFO;
 
     if(!is_readable($config_cascade['acl']['default'])) return array();
 
     $acl = file($config_cascade['acl']['default']);
 
     //support user wildcard
-    if(isset($_SERVER['REMOTE_USER'])) {
+    if(isset($_SERVER['REMOTE_USER'])){
         $len = count($acl);
         for($i = 0; $i < $len; $i++) {
             if($acl[$i]{0} == '#') continue;
-            list($id, $rest) = preg_split('/\s+/', $acl[$i], 2);
-            $id      = str_replace('%USER%', cleanID($_SERVER['REMOTE_USER']), $id);
-            $rest    = str_replace('%USER%', auth_nameencode($_SERVER['REMOTE_USER']), $rest);
+            list($id,$rest) = preg_split('/\s+/',$acl[$i],2);
+            if(strstr($acl[$i], '%GROUP%')){
+                foreach($USERINFO['grps'] as $grp){
+                    $nid   = str_replace('%GROUP%',cleanID($grp),$id);
+                    $nrest = str_replace('%GROUP%',auth_nameencode($grp),$rest);
+                    $acl[] = "$nid\t$nrest";
+                }
+            }
+            $id   = str_replace('%USER%',cleanID($_SERVER['REMOTE_USER']),$id);
+            $rest = str_replace('%USER%',auth_nameencode($_SERVER['REMOTE_USER']),$rest);
             $acl[$i] = "$id\t$rest";
         }
     }
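Review bot: Entries appended by the `%GROUP%` loop are built from `$id`/`$rest` before the `%USER%` substitution that follows the block, and they sit past `$len`, so the loop never revisits them and a rule using both placeholders keeps a literal `%USER%` in every expanded copy. For a deny rule this likely means the restriction never matches a real user. Moving the two `%USER%` `str_replace` lines above the `%GROUP%` block fixes that. Separately, `$USERINFO['grps']` is iterated with no check that it is set, and nothing visible guarantees it is populated whenever `REMOTE_USER` is; a guard such as `if(strstr($acl[$i], '%GROUP%') && !empty($USERINFO['grps'])){` avoids a foreach over a non-array. The body of auth_loadACL continues past the end of this hunk.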
@@ -632,6 +640,7 @@ function auth_nameencode($name, $skip_group = false) {
 
     // never encode wildcard FS#1955
     if($name == '%USER%') return $name;
+    if($name == '%GROUP%') return $name;
 
     if(!isset($cache[$name][$skip_group])) {
         if($skip_group && $name{0} == '@') {
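Review bot: The new early return matches only the bare string `%GROUP%`, so a subject written as `@%GROUP%` still falls through to the `$skip_group && $name{0} == '@'` branch below, whose body lies outside this hunk. If that branch encodes the `%` characters, a wildcard entered as a group would be stored in a form that the `strstr($acl[$i], '%GROUP%')` test in auth_loadACL no longer recognises, and the rule would silently never expand. If the `@` form is meant to be supported, consider `if($name == '%GROUP%' || $name == '@%GROUP%') return $name;`, and extend the FS#1955 comment to say which forms of each wildcard are exempt.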
diff --git a/lib/plugins/acl/admin.php b/lib/plugins/acl/admin.php
index c3461b78b2d494808e1b6239409d045694f79c19..1f88c6ff9cb9a6872542572550320a4075c41aed 100644
--- a/lib/plugins/acl/admin.php
+++ b/lib/plugins/acl/admin.php
@@ -84,7 +84,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
             $this->who = '@'.ltrim($auth->cleanGroup($who),'@');
         }elseif($_REQUEST['acl_t'] == '__u__' && $who){
             $this->who = ltrim($who,'@');
-            if($this->who != '%USER%'){ #keep wildcard as is
+            if($this->who != '%USER%' && $this->who != '%GROUP%'){ #keep wildcard as is
                 $this->who = $auth->cleanUser($this->who);
             }
         }elseif($_REQUEST['acl_t'] &&
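Review bot: The `%GROUP%` exemption is added only in the user branch (`acl_t == '__u__'`), where `ltrim($who,'@')` has already stripped any leading `@`, so the wildcard is stored as a bare user-type subject; the later hunk at `} elseif ($who != '%USER%' && $who != '%GROUP%'){` does the same. auth_loadACL in inc/auth.php then substitutes the plain encoded group name, so the expanded rule's subject reads as a user named after the group rather than `@group`, and it would apply to an account whose login equals a group name instead of to the group's members. Either store the wildcard as `@%GROUP%` from the group branch or add the prefix at expansion, e.g. `$nrest = str_replace('%GROUP%','@'.auth_nameencode($grp),$rest);`. How `cleanGroup()` treats `%` is not visible here, so the group-branch option needs checking against it.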
@@ -140,7 +140,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
                             if ($who!='@ALL') {
                                 $who = '@'.ltrim($auth->cleanGroup($who),'@');
                             }
-                        } elseif ($who != '%USER%'){ #keep wildcard as is
+                        } elseif ($who != '%USER%' && $who != '%GROUP%'){ #keep wildcard as is
                             $who = $auth->cleanUser($who);
                         }
                         $who = auth_nameencode($who,true);