diff --git a/services/keycloak/oneoffs/realm-settings-job.yaml b/services/keycloak/oneoffs/realm-settings-job.yaml
index ea88d83f..bb8d8608 100644
--- a/services/keycloak/oneoffs/realm-settings-job.yaml
+++ b/services/keycloak/oneoffs/realm-settings-job.yaml
@@ -1,15 +1,15 @@
 # services/keycloak/oneoffs/realm-settings-job.yaml
-# One-off job for sso/keycloak-realm-settings-36.
-# Purpose: keycloak realm settings 36 (see container args/env in this file).
-# Run by setting spec.suspend to false, reconcile, then set it back to true.
+# One-off job for sso/keycloak-realm-settings-37.
+# Purpose: keycloak realm settings 37 (see container args/env in this file).
+# This revision runs once to ensure the maintenance group exists for Metis access.
 # Safe to delete the finished Job/pod; it should not run continuously.
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: keycloak-realm-settings-36
+ name: keycloak-realm-settings-37
 namespace: sso
 spec:
- suspend: true
+ suspend: false
 backoffLimit: 0
 template:
 metadata:
@@ -336,6 +336,7 @@ spec:
 # Ensure basic realm groups exist for provisioning.
 ensure_group("dev")
 ensure_group("admin")
+ ensure_group("maintenance")
 ensure_group("demo")
 ensure_group("test")
 ensure_group("vaultwarden_grandfathered")
diff --git a/services/maintenance/kustomization.yaml b/services/maintenance/kustomization.yaml
index 787bb20a..60caaf8a 100644
--- a/services/maintenance/kustomization.yaml
+++ b/services/maintenance/kustomization.yaml
@@ -42,7 +42,7 @@ images:
 - name: registry.bstein.dev/bstein/ariadne
 newTag: 0.1.0-22 # {"$imagepolicy": "maintenance:ariadne:tag"}
 - name: registry.bstein.dev/bstein/metis
- newTag: 0.1.0-1-amd64
+ newTag: 0.1.0-2-amd64
 configMapGenerator:
 - name: disable-k3s-traefik-script
 namespace: maintenance
diff --git a/services/maintenance/metis-configmap.yaml b/services/maintenance/metis-configmap.yaml
index 6a1c224c..0b0e6444 100644
--- a/services/maintenance/metis-configmap.yaml
+++ b/services/maintenance/metis-configmap.yaml
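Review bot: `suspend: false` is now committed while the previous "set to false, reconcile, then set it back to true" instruction is removed, so the surviving comment `Safe to delete the finished Job/pod` no longer holds: whatever reconciles this manifest (presumably a GitOps controller, given the `$imagepolicy` marker in the kustomization) will recreate `keycloak-realm-settings-37` after a delete and run the realm script again, and with `backoffLimit: 0` a transient failure leaves it failed with no retry. If a single run is intended, either keep `suspend: true` in Git and restore the flip-and-revert instruction, or state in the header that the Job must be returned to `suspend: true` (or dropped from the kustomization) once it completes, e.g. `# After the run completes, set spec.suspend back to true so a deleted Job is not re-created and re-run.` The `ensure_group("maintenance")` addition in the second hunk belongs to a script body that starts and ends outside the hunk, so I cannot see whether the new group carries any attributes beyond its name.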
@@ -12,7 +12,6 @@ data:
 METIS_FLASH_HOSTS: titan-22
 METIS_LOCAL_HOST: titan-22
 METIS_ALLOWED_GROUPS: admin,maintenance,maintainer
- METIS_ALLOWED_USERS: brad.stein@gmail.com,brad@bstein.dev,bstein
 METIS_MAX_DEVICE_BYTES: "300000000000"
 METIS_SENTINEL_PUSH_URL: http://metis.maintenance.svc.cluster.local/internal/sentinel/snapshot
 METIS_SENTINEL_INTERVAL_SEC: "1800"
diff --git a/services/maintenance/metis-deployment.yaml b/services/maintenance/metis-deployment.yaml
index 03cb956c..14999080 100644
--- a/services/maintenance/metis-deployment.yaml
+++ b/services/maintenance/metis-deployment.yaml
@@ -27,7 +27,7 @@ spec:
 node-role.kubernetes.io/accelerator: "true"
 containers:
 - name: metis
- image: registry.bstein.dev/bstein/metis:0.1.0-1-amd64
+ image: registry.bstein.dev/bstein/metis:0.1.0-2-amd64
 imagePullPolicy: Always
 envFrom:
 - configMapRef:
diff --git a/services/maintenance/oauth2-proxy-metis.yaml b/services/maintenance/oauth2-proxy-metis.yaml
index 2d426523..8ffd311b 100644
--- a/services/maintenance/oauth2-proxy-metis.yaml
+++ b/services/maintenance/oauth2-proxy-metis.yaml
@@ -79,8 +79,11 @@ spec:
 - --scope=openid profile email groups
 - --email-domain=*
 - --allowed-group=admin
+ - --allowed-group=/admin
 - --allowed-group=maintenance
+ - --allowed-group=/maintenance
 - --allowed-group=maintainer
+ - --allowed-group=/maintainer
 - --set-xauthrequest=true
 - --pass-access-token=true
 - --set-authorization-header=true
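Review bot: The three added `--allowed-group=/...` entries duplicate the bare-name entries with no comment explaining why both spellings are kept, so a later tidy-up could drop the one form the identity provider actually emits and lock out every operator, or keep a form it never emits and leave the gate looking stricter than it is. Keycloak's group-membership mapper emits full paths such as `/admin` when its "Full group path" option is on and bare names otherwise, which is presumably why both are listed; a comment above the first entry would pin that down, e.g. `# Keycloak emits "/name" with "Full group path" enabled and "name" otherwise; both forms stay until the client mapper setting is confirmed.` Because the metis-configmap hunk above removes `METIS_ALLOWED_USERS`, group membership is now the only gate in front of Metis, and `--email-domain=*` accepts any address, so it is worth checking a rendered token for the exact `groups` claim values (and that the claim is present at all) before either form is removed.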