diff --git a/apps/acls/models/command_acl.py b/apps/acls/models/command_acl.py
index bec473250..37ce641f9 100644
--- a/apps/acls/models/command_acl.py
+++ b/apps/acls/models/command_acl.py
@@ -124,11 +124,9 @@ class CommandFilterACL(OrgModelMixin, BaseACL):
         return ticket
 
     @classmethod
-    def get_queryset(
-            cls, user_id=None, user_group_id=None, account=None,
-            asset_id=None, org_id=None
-    ):
-        from assets.models import Account
+    def get_command_groups(cls, user_id=None, user_group_id=None, account=None, asset_id=None, org_id=None):
+
+        from assets.models import Account, Asset
         user_groups = []
         user = get_object_or_none(User, pk=user_id)
         if user:
@@ -152,11 +150,14 @@ class CommandFilterACL(OrgModelMixin, BaseACL):
             org_id = asset.org_id
             q |= Q(assets=asset)
         if q:
-            cmd_filters = CommandFilter.objects.filter(q).filter(is_active=True)
+            cmd_filters = cls.objects.filter(q).filter(is_active=True)
             if org_id:
                 cmd_filters = cmd_filters.filter(org_id=org_id)
-            rule_ids = cmd_filters.values_list('rules', flat=True)
-            rules = cls.objects.filter(id__in=rule_ids)
+            filter_ids = cmd_filters.values_list('id', flat=True)
+            command_group_ids = cls.commands.through.objects\
+                .filter(commandfilteracl_id__in=filter_ids)\
+                .values_list('commandgroup_id', flat=True)
+            cmd_groups = CommandGroup.objects.filter(id__in=command_group_ids)
         else:
-            rules = cls.objects.none()
-        return rules
+            cmd_groups = CommandGroup.objects.none()
+        return cmd_groups
diff --git a/apps/authentication/models/connection_token.py b/apps/authentication/models/connection_token.py
index 850a6c589..b3f5ba981 100644
--- a/apps/authentication/models/connection_token.py
+++ b/apps/authentication/models/connection_token.py
@@ -156,16 +156,16 @@ class ConnectionToken(OrgModelMixin, JMSBaseModel):
         return self.domain.random_gateway()
 
     @lazyproperty
-    def cmd_filter_rules(self):
-        from assets.models import CommandFilterRule
+    def acl_command_groups(self):
+        from acls.models import CommandFilterACL
         kwargs = {
             'user_id': self.user.id,
             'account': self.account,
         }
         if self.asset:
             kwargs['asset_id'] = self.asset.id
-        rules = CommandFilterRule.get_queryset(**kwargs)
-        return rules
+        cmd_groups = CommandFilterACL.get_command_groups(**kwargs)
+        return cmd_groups
 
 
 class SuperConnectionToken(ConnectionToken):
diff --git a/apps/authentication/serializers/connection_token.py b/apps/authentication/serializers/connection_token.py
index 225b8c8db..30ad46975 100644
--- a/apps/authentication/serializers/connection_token.py
+++ b/apps/authentication/serializers/connection_token.py
@@ -2,6 +2,7 @@ from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
 from assets.models import Asset, CommandFilterRule, Account, Platform
+from acls.models import CommandGroup
 from assets.serializers import PlatformSerializer, AssetProtocolsSerializer
 from authentication.models import ConnectionToken
 from orgs.mixins.serializers import OrgResourceModelSerializerMixin
@@ -89,8 +90,9 @@ class ConnectionTokenAssetSerializer(serializers.ModelSerializer):
 
     class Meta:
         model = Asset
-        fields = ['id', 'name', 'address', 'protocols',
-                  'org_id', 'specific']
+        fields = [
+            'id', 'name', 'address', 'protocols', 'category', 'type', 'org_id', 'specific'
+        ]
 
 
 class SimpleAccountSerializer(serializers.ModelSerializer):
@@ -123,14 +125,14 @@ class ConnectionTokenGatewaySerializer(serializers.ModelSerializer):
         ]
 
 
-class ConnectionTokenCmdFilterRuleSerializer(serializers.ModelSerializer):
-    """ Command filter rule """
+class ConnectionTokenACLCmdGroupSerializer(serializers.ModelSerializer):
+    """ ACL command group"""
 
     class Meta:
-        model = CommandFilterRule
+        model = CommandGroup
         fields = [
             'id', 'type', 'content', 'ignore_case', 'pattern',
-            'priority', 'action', 'date_created',
+            'action', 'date_created',
         ]
 
 
@@ -145,23 +147,23 @@ class ConnectionTokenPlatform(PlatformSerializer):
 
 
 class ConnectionTokenSecretSerializer(OrgResourceModelSerializerMixin):
-    expire_now = serializers.BooleanField(label=_('Expired now'), default=True)
     user = ConnectionTokenUserSerializer(read_only=True)
     asset = ConnectionTokenAssetSerializer(read_only=True)
     account = ConnectionTokenAccountSerializer(read_only=True)
     gateway = ConnectionTokenGatewaySerializer(read_only=True)
     platform = ConnectionTokenPlatform(read_only=True)
-    # cmd_filter_rules = ConnectionTokenCmdFilterRuleSerializer(many=True)
+    acl_command_groups = ConnectionTokenACLCmdGroupSerializer(read_only=True, many=True)
     actions = ActionChoicesField()
     expire_at = serializers.IntegerField()
+    expire_now = serializers.BooleanField(label=_('Expired now'), write_only=True, default=True)
 
     class Meta:
         model = ConnectionToken
         fields = [
             'id', 'value', 'user', 'asset', 'account', 'platform',
+            'acl_command_groups',
             'protocol', 'gateway', 'actions', 'expire_at', 'expire_now',
         ]
         extra_kwargs = {
             'value': {'read_only': True},
-            'expire_now': {'write_only': True},
         }