diff --git a/files/auth/config.json b/files/auth/config.json
index 647ce5767696e40d2e35dae3741922f0c770a0bb..4fda70aa172ec74cbf0dc7551a1587d3459b3a23 100644
--- a/files/auth/config.json
+++ b/files/auth/config.json
@@ -66,6 +66,12 @@
 	"SAND" : {
 	    "message_size" : 102400,
 	    "groups" : [ "AUTH", "ADMC", "DB" ]
+	},
+
+	// Command-line tool for sandbox management.
+	"SAcl" : {
+	    "message_size" : 102400,
+	    "groups" : [ "SAND" ]
 	}
     },
 
@@ -100,7 +106,7 @@
 	{
 	    // A list of groups that we allow authenticating using this method. This is mandatory
 	    // for all elements in here.
-	    "allow" : [ "TEST", "EC", "SC", "MS", "ADMC", "SAND" ],
+	    "allow" : [ "TEST", "EC", "SC", "MS", "ADMC", "DB", "SAND" ],
 
 	    // The debug auth is the simplest. It just allows whatever the connected client
 	    // claimed. It is not good to use in production, and is always disabled unless the