diff --git a/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java b/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
index de22e9ddb5e..1ea8d2ea282 100755
--- a/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
+++ b/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
@@ -2196,7 +2196,7 @@ public class NetworkOrchestrator extends ManagerBase implements NetworkOrchestra
 NetworkAccountVO networkAccount = _networkAccountDao.getAccountNetworkMapByNetworkId(networkFinal.getId());
 if (networkAccount != null)
 _networkAccountDao.remove(networkAccount.getId());
-
+
 // remove its related ACL permission
 Pair networkMsg = new Pair(AclEntityType.Network, networkFinal.getId());
 _messageBus.publish(_name, EntityManager.MESSAGE_REMOVE_ENTITY_EVENT, PublishScope.LOCAL, networkMsg);
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
index 1b915d5afe3..65249a6e608 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
@@ -172,7 +172,7 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
 List groups = _iamSrv.listAclGroups(caller.getId());
 for (AclGroup group : groups) {
 // for each group find the grand parent groups.
- List parentGroups = _iamSrv.listParentAclGroupsOnPath(group.getPath());
+ List parentGroups = _iamSrv.listParentAclGroups(group.getId());
 for (AclGroup parentGroup : parentGroups) {
 policies.addAll(_iamSrv.listRecursiveAclPoliciesByGroup(parentGroup.getId()));
 }
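Review bot: The group walk this hunk now performs via `listParentAclGroups(group.getId())` is duplicated verbatim in the RoleBasedEntityQuerySelector hunk of this commit, so the access check and the query filter each reimplement the same loop over the caller's groups and their parents. Because the two must agree for authorization to be consistent (what a caller may act on versus what a listing shows them), the walk belongs behind one IAMService method that both plugins call, and the surrounding `for` loop here would collapse to a single `policies.addAll(...)`. Note also that the replaced path-based lookup returned a list, whereas the new id-based version in the IAMServiceImpl hunk throws InvalidParameterValueException for an unknown id; the ids here come straight from `listAclGroups(caller.getId())`, so that should only fire if a group is removed mid-check, but the checker would then fail with a parameter error rather than a denial. The enclosing method starts and ends outside the hunk.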
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java
index 8299819fddd..8ff81eda731 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java
@@ -83,6 +83,17 @@ public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySe
 long accountId = caller.getAccountId();
 // Get the static Policies of the Caller
 List policies = _iamService.listAclPolicies(accountId);
+
+ // add the policies that grant recursive access List groups = _iamService.listAclGroups(caller.getId());
+ for (AclGroup group : groups) {
+ // for each group find the grand parent groups.
+ List parentGroups = _iamService.listParentAclGroups(group.getId());
+ for (AclGroup parentGroup : parentGroups) {
+ policies.addAll(_iamService.listRecursiveAclPoliciesByGroup(parentGroup.getId()));
+ }
+ }
+
+ // for each policy, find granted permission with Resource scope
 List entityIds = new ArrayList();
 for (AclPolicy policy : policies) {
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
index 2679aaae48f..2b26e72974c 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
@@ -85,7 +85,7 @@ public interface IAMService {
 List listPolicyPermissionByAccessAndEntity(long policyId, String accessType, String entityType);
- List listParentAclGroupsOnPath(String path);
+ List listParentAclGroups(long groupId);
 List listRecursiveAclPoliciesByGroup(long groupId);
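Review bot: The added `policies.addAll(...)` mutates the list returned by `_iamService.listAclPolicies(accountId)` in place; unless that method is documented to return a fresh modifiable list, a DAO-backed or cached collection is being extended here, and an unmodifiable return would throw. Copy before extending: `List<AclPolicy> policies = new ArrayList<AclPolicy>(_iamService.listAclPolicies(accountId));`. Two groups that share a parent also add that parent's policies twice, so `policies` and the `entityIds` built from it in the loop below may carry duplicates and repeat the permission lookups; de-duplicating (a `Set`, or a contains check before `addAll`) would avoid that. The enclosing method starts and ends outside the hunk.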
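Review bot: The new `listParentAclGroups(long groupId)` declaration has no Javadoc, and its contract differs from the path-based method it replaces: the IAMServiceImpl hunk in this commit throws InvalidParameterValueException for an id that does not resolve instead of returning an empty list. Interface callers only see this signature, so document the behavior there, e.g. `/** Lists the groups that are ancestors of the given group on its path. @throws InvalidParameterValueException if no ACL group has the given id */`. The meaning of "parent" is inferred from the old method name and from `group.getPath()` in the implementation hunk — confirm against the implementation before settling the wording.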
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
index d6cf8cdb377..e4e048d80d8 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
@@ -257,8 +257,13 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
 }
 @Override
- public List listParentAclGroupsOnPath(String path) {
+ public List listParentAclGroups(long groupId) {
+ AclGroup group = _aclGroupDao.findById(groupId);
+ if (group == null) {
+ throw new InvalidParameterValueException("Unable to find acl group by id " + groupId);
+ }
+ String path = group.getPath();
 List pathList = new ArrayList();
 String[] parts = path.split("/");