diff --git a/README.md b/README.md index 84802f5..c7699fe 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ Some features of Astral: 0) Configure Astral-specific Certificate Authority and Key-Value stores in Vault 1) Authenticate requests for cerficates or secrets using a third party trusted source (JWT with signing key, eg) -2) For certiciates: +2) For certificates: a) Authorize the request using a Domain Ownership registry, where domain owner or authorized groups must match the identity of the requesting client b) When authorized, obtain a certificate for the common name diff --git a/test/integration/secrets_test.rb b/test/integration/secrets_test.rb index bdb1ac8..4707bf5 100644 --- a/test/integration/secrets_test.rb +++ b/test/integration/secrets_test.rb @@ -19,6 +19,13 @@ class SecretsTest < ActionDispatch::IntegrationTest end end + test "#update an existing secret with a different user is unauthorized" do + existing_path = create_secret + assert_response :success + create_secret(jwt_read_group, existing_path) + assert_response :unauthorized + end + test "#show" do path = create_secret # view the secret @@ -29,6 +36,16 @@ class SecretsTest < ActionDispatch::IntegrationTest end end + test "#show with read_group is authorized" do + path = create_secret + # view the secret + get secret_path(path), headers: { "Authorization" => "Bearer #{jwt_read_group}" } + assert_response :success + %w[ data metadata lease_id ].each do |key| + assert_includes response.parsed_body["secret"].keys, key + end + end + test "#delete" do path = create_secret # delete the secret 
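Review bot: The negative tests added here only exercise a caller whose JWT is in the secret's read group; a validly signed token that names neither the owner nor any granted group (e.g. `"groups"=>[]`) is never sent to the update or show paths, so an authorization check that short-circuits on any group membership at all would still pass this suite. Add one such case per action, e.g. `create_secret(jwt_no_group, existing_path)` followed by `assert_response :unauthorized`, and a matching `get secret_path(path)` with that token, with `jwt_no_group` defined next to `jwt_read_group` in test_helper.rb. Separately, `:unauthorized` (401) is asserted for a caller that authenticated successfully but lacks permission; if the controller distinguishes the two cases, `:forbidden` (403) is the conventional status and the assertion should follow it — which one the controller returns is not visible in this hunk.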
@@ -36,14 +53,19 @@ class SecretsTest < ActionDispatch::IntegrationTest assert_response :success end + test "#delete with a read-authorized user is unauthorized" do + path = create_secret + # delete the secret + delete destroy_secret_path(path), headers: { "Authorization" => "Bearer #{jwt_read_group}" } + assert_response :unauthorized + end + private - def create_secret - # make a path - path = "top/secret/#{SecureRandom.hex}" + def create_secret(jwt = jwt_authorized, path = "top/secret/#{SecureRandom.hex}") # create the secret - post secrets_path, headers: { "Authorization" => "Bearer #{jwt_authorized}" }, - params: { secret: { path: path, data: { password: "sicr3t" } } } + post secrets_path, headers: { "Authorization" => "Bearer #{jwt}" }, + params: { secret: { path: path, data: { password: "sicr3t" }, groups: "read_group" } } path end diff --git a/test/test_helper.rb b/test/test_helper.rb index 8157058..ad9629b 100644 --- a/test/test_helper.rb +++ b/test/test_helper.rb @@ -22,9 +22,16 @@ def jwt_unauthorized @@unauthorized_token ||= JWT.encode(@@unauthorized_data, "bad_secret") end + def jwt_read_group + @@read_group_token ||= JWT.encode(@@read_group_data, Config[:jwt_signing_key]) + end + private + @@authorized_data = { "sub"=>"john.doe@example.com", "name"=>"John Doe", "iat"=>1516239022, - "groups"=>[ "group1", "group2" ], "aud"=>"astral" } + "groups"=>[ "group1", "group2" ], "aud"=>"astral" } @@unauthorized_data = { "sub"=>"application_name", "common_name"=>"example.com", "ip_sans"=>"10.0.1.100" } + @@read_group_data = { "sub"=>"exene.cervenka@example.com", "name"=>"Exene Cervenka", "iat"=>1516239022, + "groups"=>[ "read_group" ], "aud"=>"astral" } end end
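Review bot: `def create_secret(jwt = jwt_authorized, path = "top/secret/#{SecureRandom.hex}")` uses two positional defaults, so the call site in the update test reads `create_secret(jwt_read_group, existing_path)` with nothing saying which argument is which, and a caller that only wants a custom path has to restate the token. Prefer keyword arguments: `def create_secret(jwt: jwt_authorized, path: "top/secret/#{SecureRandom.hex}", groups: "read_group")`, called as `create_secret(jwt: jwt_read_group, path: existing_path)`. Exposing `groups:` as a keyword also lets a test create a secret that grants no groups, which the hard-coded `groups: "read_group"` in the `post` params currently makes impossible, so the suite can never show that an ungranted secret is hidden from read_group members.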
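Review bot: None of the fixture payloads, including the new `@@read_group_data`, carries an `"exp"` claim — the signed ones only have a fixed `"iat"=>1516239022` — so the suite cannot detect an authenticator that accepts expired tokens; whether the application enforces expiry is not visible in this diff. Give the valid fixtures a generous future `"exp"` and add a `jwt_expired` helper signed with `Config[:jwt_signing_key]` but with `"exp"` in the past, together with a test asserting `:unauthorized` for it. Because the encoded tokens are memoized in class variables with `||=` and live for the whole test process, compute the future `exp` hours ahead rather than seconds, or the fixture itself will start expiring in long runs.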