diff --git a/bundles/icinga2/files/icinga2/api-users.conf b/bundles/icinga2/files/icinga2/api-users.conf
index 59be6f0..77e3737 100644
--- a/bundles/icinga2/files/icinga2/api-users.conf
+++ b/bundles/icinga2/files/icinga2/api-users.conf
@@ -1,7 +1,7 @@
-% for user, password in sorted(node.metadata.get('icinga2', {}).get('api_users', {}).items()):
+% for user, config in sorted(node.metadata.get('icinga2', {}).get('api_users', {}).items()):
 object ApiUser "${user}" {
-  password = "${password}"
-  permissions = [ "*" ]
+  password = "${config['password']}"
+  permissions = [ "${'", "'.join(sorted(config['permissions']))}" ]
 }
 
 % endfor
diff --git a/bundles/icinga2/metadata.py b/bundles/icinga2/metadata.py
index 3a2305d..5a3f561 100644
--- a/bundles/icinga2/metadata.py
+++ b/bundles/icinga2/metadata.py
@@ -30,7 +30,12 @@ defaults = {
     },
     'icinga2': {
         'api_users': {
-            'root': repo.vault.password_for(f'{node.name} icinga2 api root'),
+            'root': {
+                'password': repo.vault.password_for(f'{node.name} icinga2 api root'),
+                'permissions': {
+                    '*',
+                },
+            },
         },
     },
     'icinga2_api': {