diff --git a/build.sbt b/build.sbt
index 9671a8cd..01f99d6e 100644
--- a/build.sbt
+++ b/build.sbt
@@ -1,6 +1,6 @@
 import com.typesafe.sbt.packager.docker
-import com.typesafe.sbt.packager.docker.ExecCmd
-import scalariform.formatter.preferences._
+import com.typesafe.sbt.packager.docker.{DockerChmodType, ExecCmd}
+import scalariform.formatter.preferences.*
 val rokkuVersion = scala.sys.env.getOrElse("ROKKU_VERSION", "SNAPSHOT")
@@ -87,8 +87,11 @@ scalariformPreferences := scalariformPreferences.value
 .setPreference(NewlineAtEndOfFile, true)
 .setPreference(SingleCasePatternOnNewline, false)
+dockerChmodType := DockerChmodType.UserGroupWriteExecute
+dockerCommands += ExecCmd("RUN", "mkdir", "-p", "/opt/docker/lib/plugins") //additional libs e.g. for authorization plugin
+
 // hack for ranger conf dir - should contain files like ranger-s3-security.xml etc.
-bashScriptDefines / scriptClasspath ~= (cp => cp :+ ":/etc/rokku")
+bashScriptDefines / scriptClasspath ~= (cp => cp :+ ":/etc/rokku"+ ":/opt/docker/lib/plugins/*")
 //Coverage settings
 Compile / coverageMinimum := 70
diff --git a/src/main/resources/application.conf b/src/main/resources/application.conf
index 47c1ca41..4714e981 100644
--- a/src/main/resources/application.conf
+++ b/src/main/resources/application.conf
@@ -9,11 +9,7 @@ rokku {
 allow-create-delete-buckets = ${?ROKKU_ALLOW_CREATE_DELETE_BUCKETS}
 enabled-audit = ${?ROKKU_ENABLED_AUDIT}
 class-name = ${?ROKKU_ACCESS_CONTROL_CLASS_NAME}
- plugin-params {
- appId = ${?ROKKU_RANGER_API_ID}
- userDomainPostfix = ${?ROKKU_RANGER_USER_DOMAIN_POSTFIX}
- rolePrefix = ${?ROKKU_RANGER_ROLE_PREFIX}
- }
+ plugin-params = ${?ROKKU_ACCESS_CONTROL_PLUGIN_PARAMS}
 }
 storage.s3 {
 # Settings for reaching backing storage.
diff --git a/src/main/resources/reference.conf b/src/main/resources/reference.conf
index 9c355214..a2d4d775 100644
--- a/src/main/resources/reference.conf
+++ b/src/main/resources/reference.conf
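Review bot: In the second build.sbt hunk, the wildcard entry `/opt/docker/lib/plugins/*` puts every jar found in that directory on the proxy's classpath, while `dockerChmodType := DockerChmodType.UserGroupWriteExecute` makes the packaged application tree group-writable. Together this means that anything able to write to the plugins directory at runtime (a shared volume, another process in the same group) gets code loaded into the process that makes the authorization decisions. If the write bit is only there so the `mkdir` step succeeds (the hunk does not show which user runs it), consider keeping the default chmod type and creating the directory with explicit ownership, and state the expectation next to the setting, e.g. `// plugin jars are loaded into the proxy JVM: mount this directory read-only`. The classpath line would also read better as one literal, `cp :+ ":/etc/rokku:/opt/docker/lib/plugins/*"`.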
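Review bot: In application.conf, `ROKKU_RANGER_API_ID`, `ROKKU_RANGER_USER_DOMAIN_POSTFIX` and `ROKKU_RANGER_ROLE_PREFIX` stop being read without any signal, so a deployment that still sets them will start with whatever `plugin-params` default reference.conf supplies. Because these values feed the access-control provider, a silent fallback can change which Ranger application id and role names requests are checked against. A comment above the new line would help, e.g. `# replaces ROKKU_RANGER_API_ID / ROKKU_RANGER_USER_DOMAIN_POSTFIX / ROKKU_RANGER_ROLE_PREFIX; the value is one HOCON object written as a string`, and a startup warning when any of the old variables is still set would make the migration visible.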
@@ -10,14 +10,7 @@ rokku {
 allow-create-delete-buckets = true
 enabled-audit = false
 class-name = "com.ing.wbaa.rokku.proxy.provider.AccessControlProviderRanger"
- plugin-params {
- appId = "testservice"
- # make sure the service_type is equal to what is specified in
- # ranger-s3-security.xml
- serviceType = "s3"
- userDomainPostfix = ""
- rolePrefix = "role_"
- }
+ plugin-params = "{appId:testservice, serviceType:s3, rolePrefix:role_}"
 }
 storage.s3 {
diff --git a/src/main/scala/com/ing/wbaa/rokku/proxy/config/AccessControlProviderSettings.scala b/src/main/scala/com/ing/wbaa/rokku/proxy/config/AccessControlProviderSettings.scala
index 0bc278d1..427aa905 100644
--- a/src/main/scala/com/ing/wbaa/rokku/proxy/config/AccessControlProviderSettings.scala
+++ b/src/main/scala/com/ing/wbaa/rokku/proxy/config/AccessControlProviderSettings.scala
@@ -1,7 +1,7 @@
 package com.ing.wbaa.rokku.proxy.config
 import akka.actor.{ ExtendedActorSystem, Extension, ExtensionId, ExtensionIdProvider }
-import com.typesafe.config.Config
+import com.typesafe.config.{ Config, ConfigFactory }
 import scala.jdk.CollectionConverters._
@@ -10,7 +10,7 @@ class AccessControlProviderSettings(config: Config) extends Extension {
 val createDeleteBucketsEnabled: Boolean = config.getBoolean("rokku.access-control.allow-create-delete-buckets")
 val auditEnabled: Boolean = config.getBoolean("rokku.access-control.enabled-audit")
 val className: String = config.getString("rokku.access-control.class-name")
- val pluginParams: Map[String, String] = config.getConfig("rokku.access-control.plugin-params")
+ val pluginParams: Map[String, String] = ConfigFactory.parseString(config.getString("rokku.access-control.plugin-params"))
 .entrySet().asScala.map(e => e.getKey -> e.getValue.unwrapped().toString).toMap
 }
diff --git a/src/main/scala/com/ing/wbaa/rokku/proxy/provider/AccessControlProviderRanger.scala b/src/main/scala/com/ing/wbaa/rokku/proxy/provider/AccessControlProviderRanger.scala
index f390075b..b6a9b654 100644
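Review bot: The reference.conf hunk drops the comment saying that `serviceType` has to equal the value in ranger-s3-security.xml, and the new one-line string gives no hint about its own syntax. I would keep that guidance above the new line, e.g. `# parsed as a HOCON object; quote values containing characters such as ':' or ','. serviceType must match ranger-s3-security.xml`. The default also no longer lists `userDomainPostfix`; the `getOrDefault` added in AccessControlProviderRanger covers that provider, but any other reader of the map would now see the key as absent rather than empty.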
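Review bot: In AccessControlProviderSettings, `ConfigFactory.parseString` on the raw setting throws while the extension is being created when `ROKKU_ACCESS_CONTROL_PLUGIN_PARAMS` is malformed, and the error then points at an anonymous string rather than at `rokku.access-control.plugin-params`. Passing an origin description, `ConfigFactory.parseString(raw, ConfigParseOptions.defaults().setOriginDescription("rokku.access-control.plugin-params"))` (with `ConfigParseOptions` added to the import), keeps the failure traceable to the setting. The map is also handed on without checking that the keys the configured provider needs are present, so a typo in a key name only surfaces later as a missing value; a short Scaladoc on `pluginParams` saying that the value is HOCON text and which keys are expected would help. The class header is outside the hunk.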
--- a/src/main/scala/com/ing/wbaa/rokku/proxy/provider/AccessControlProviderRanger.scala
+++ b/src/main/scala/com/ing/wbaa/rokku/proxy/provider/AccessControlProviderRanger.scala
@@ -64,7 +64,7 @@ class AccessControlProviderRanger(config: java.util.Map[String, String]) extends
 prepareAccessRequest(rangerResource, request.accessType, null, Set(UserGroup(s"${config.get(ROLE_PREFIX_PARAM)}${roleValue}")).map(_.value.toLowerCase))
 case _ =>
 prepareAccessRequest(
- rangerResource, request.accessType, request.user + config.get(USER_DOMAIN_POSTFIX_PARAM), request.userGroups.asScala.map(_.toLowerCase).toSet)
+ rangerResource, request.accessType, request.user + config.getOrDefault(USER_DOMAIN_POSTFIX_PARAM, ""), request.userGroups.asScala.map(_.toLowerCase).toSet)
 }
 rangerRequest.setAction(request.action)
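Review bot: The role branch in the first context line of this hunk still interpolates `config.get(ROLE_PREFIX_PARAM)`, which renders as the text `null` when the key is missing, so the group name sent to Ranger would start with `null` instead of the request failing. With plugin-params now a free-form string, an omitted `rolePrefix` is as easy as an omitted `userDomainPostfix`, which this commit does handle. Either give it the same treatment, `config.getOrDefault(ROLE_PREFIX_PARAM, "")`, or reject a missing prefix when the provider is constructed if an empty prefix is not acceptable for policy matching. The enclosing method and the `match` start outside the hunk, so whether the key is validated earlier cannot be seen here.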