diff --git a/package/cla-sysrepo/cla-appliance.service.in b/package/cla-sysrepo/cla-appliance.service.in
index 8263bc8..b3ef5b0 100644
--- a/package/cla-sysrepo/cla-appliance.service.in
+++ b/package/cla-sysrepo/cla-appliance.service.in
@@ -11,6 +11,7 @@
 [Service]
 Type=notify
 ExecStart=/usr/bin/cla-sysrepod --io-log-level=5 --properties-log-level=5 --sr-bridge-log-level=5 --sysrepo-log-level=3 --appliance=__MODEL__
+Group=sysrepo
 PrivateTmp=yes
 PrivateDevices=no
 ProtectSystem=yes
diff --git a/package/cla-sysrepo/czechlight-install-yang.service b/package/cla-sysrepo/czechlight-install-yang.service
index b4202b9..4588f71 100644
--- a/package/cla-sysrepo/czechlight-install-yang.service
+++ b/package/cla-sysrepo/czechlight-install-yang.service
@@ -8,6 +8,7 @@
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/bin/bash /usr/bin/czechlight-install-yang.sh
+Group=sysrepo
 
 [Install]
 WantedBy=multi-user.target
diff --git a/package/cla-sysrepo/czechlight-install-yang.sh b/package/cla-sysrepo/czechlight-install-yang.sh
index db2387e..72b3f33 100755
--- a/package/cla-sysrepo/czechlight-install-yang.sh
+++ b/package/cla-sysrepo/czechlight-install-yang.sh
@@ -48,7 +48,7 @@
 
 sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/iana-hardware@2018-03-13.yang
 sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/ietf-hardware@2018-03-13.yang
-sysrepoctl --change ietf-hardware --permissions 0664 --enable-feature hardware-sensor
+sysrepoctl --change ietf-hardware --permissions 0660 --enable-feature hardware-sensor
 
 if [[ ${YANG_ROADM} == 1 ]]; then
     FEATURE_ARGS=""
@@ -57,54 +57,41 @@
             FEATURE_ARGS="${FEATURE_ARGS} --enable-feature ${FEATURE}"
         done
     fi
-    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-roadm-device@2021-03-05.yang ${FEATURE_ARGS}
-    sysrepoctl --change czechlight-roadm-device --group optics --permissions 0664
+    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-roadm-device@2021-03-05.yang ${FEATURE_ARGS} --permissions 0660
     sysrepocfg --datastore=startup --format=json --module=czechlight-roadm-device --import="${CLA_YANG}/${INITIAL_DATA}.json"
 fi
 
 if [[ ${YANG_COHERENT} == 1 ]]; then
-    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-coherent-add-drop@2021-03-05.yang
+    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-coherent-add-drop@2021-03-05.yang --permissions 0660
     sysrepocfg --datastore=startup --format=json --module=czechlight-coherent-add-drop --new-data="${CLA_YANG}/${INITIAL_DATA}.json"
-    sysrepoctl --change czechlight-coherent-add-drop --group optics --permissions 0664
+    sysrepoctl --change czechlight-coherent-add-drop --permissions 0660
 fi
 
 if [[ ${YANG_INLINE} == 1 ]]; then
-    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-inline-amp@2021-03-05.yang
+    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-inline-amp@2021-03-05.yang --permissions 0660
     sysrepocfg --datastore=startup --format=json --module=czechlight-inline-amp --import="${CLA_YANG}/${INITIAL_DATA}.json"
-    sysrepoctl --change czechlight-inline-amp --group optics --permissions 0664
 fi
 
 if [[ ${YANG_CALIBRATION} == 1 ]]; then
-    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-calibration-device@2019-06-25.yang
+    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-calibration-device@2019-06-25.yang --permissions 0660
     sysrepocfg --datastore=startup --format=json --module=czechlight-calibration-device --import="${CLA_YANG}/${INITIAL_DATA}.json"
-    sysrepoctl --change czechlight-calibration-device --group optics --permissions 0664
 fi
 
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-system@2014-08-06.yang
-sysrepoctl --change ietf-system --permissions 0664
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-system@2014-08-06.yang --permissions 0660
 
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-lldp@2020-11-04.yang
-sysrepoctl --change czechlight-lldp --permissions 0664
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-lldp@2020-11-04.yang --permissions 0660
 
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-system@2021-01-13.yang
-sysrepoctl --change czechlight-system --permissions 0664
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-system@2021-01-13.yang --permissions 0660
 
 sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/iana-if-type@2017-01-19.yang
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-interfaces@2018-02-20.yang
-sysrepoctl --change ietf-interfaces --permissions 0664
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ip@2018-02-22.yang
-sysrepoctl --change ietf-ip --permissions 0664
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-routing@2018-03-13.yang
-sysrepoctl --change ietf-routing --permissions 0664
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ipv4-unicast-routing@2018-03-13.yang
-sysrepoctl --change ietf-ipv4-unicast-routing --permissions 0664
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ipv6-unicast-routing@2018-03-13.yang
-sysrepoctl --change ietf-ipv6-unicast-routing --permissions 0664
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-network@2021-02-22.yang
-sysrepoctl --change czechlight-network --permissions 0664
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-interfaces@2018-02-20.yang --permissions 0660
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ip@2018-02-22.yang --permissions 0660
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-routing@2018-03-13.yang --permissions 0660
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ipv4-unicast-routing@2018-03-13.yang --permissions 0660
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ipv6-unicast-routing@2018-03-13.yang --permissions 0660
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-network@2021-02-22.yang --permissions 0660
 
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-firewall@2021-01-25.yang
-sysrepoctl --change czechlight-firewall --permissions 0600
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-firewall@2021-01-25.yang --permissions 0600
 sysrepoctl --change ietf-access-control-list --enable-feature match-on-eth --enable-feature eth --enable-feature match-on-ipv4 --enable-feature ipv4 --enable-feature match-on-ipv6 --enable-feature ipv6 --enable-feature mixed-eth-ipv4-ipv6
 
 # If not do not copy here from startup -> running, running might be stale.
diff --git a/package/czechlight-cfg-fs/cfg-restore-sysrepo.service b/package/czechlight-cfg-fs/cfg-restore-sysrepo.service
index cac0f64..d289933 100644
--- a/package/czechlight-cfg-fs/cfg-restore-sysrepo.service
+++ b/package/czechlight-cfg-fs/cfg-restore-sysrepo.service
@@ -10,6 +10,7 @@
 RemainAfterExit=yes
 ExecStart=/bin/sysrepocfg -d startup -f json --import=/cfg/sysrepo/startup.json
 ExecStart=/bin/sysrepocfg -C startup
+Group=sysrepo
 StandardOutput=journal+console
 
 [Install]
diff --git a/package/czechlight-cfg-fs/nacm-restore.service b/package/czechlight-cfg-fs/nacm-restore.service
index 96dfb7c..2cb3dec 100644
--- a/package/czechlight-cfg-fs/nacm-restore.service
+++ b/package/czechlight-cfg-fs/nacm-restore.service
@@ -9,6 +9,7 @@
 RemainAfterExit=yes
 ExecStart=/bin/sysrepocfg -d startup -m ietf-netconf-acm -f json --import=/usr/share/yang-data/nacm.json
 ExecStart=/bin/sysrepocfg -C startup
+Group=sysrepo
 
 [Install]
 WantedBy=multi-user.target
diff --git a/package/czechlight-cfg-fs/sysrepo-persistent-cfg.service b/package/czechlight-cfg-fs/sysrepo-persistent-cfg.service
index 8f2642c..007bd7b 100644
--- a/package/czechlight-cfg-fs/sysrepo-persistent-cfg.service
+++ b/package/czechlight-cfg-fs/sysrepo-persistent-cfg.service
@@ -7,3 +7,4 @@
 Type=simple
 UMask=0077
 ExecStart=/bin/sh -c 'while true; do inotifywait -e CLOSE_WRITE /etc/sysrepo/data/*.startup && mkdir -p /cfg/sysrepo/ && sysrepocfg -d startup -f json -X > /cfg/sysrepo/startup.json; done'
+Group=sysrepo
diff --git a/package/rousette/rousette.service b/package/rousette/rousette.service
index 1f373e0..cb79d27 100644
--- a/package/rousette/rousette.service
+++ b/package/rousette/rousette.service
@@ -7,6 +7,9 @@
 [Service]
 Type=simple
 ExecStart=/usr/bin/rousette
+User=yangnobody
+Group=yangnobody
+SupplementaryGroups=sysrepo optics
 PrivateTmp=yes
 PrivateDevices=yes
 ProtectSystem=yes
@@ -16,8 +19,6 @@
 LogRateLimitIntervalSec=10
 LogRateLimitBurst=30000
 SyslogLevel=alert
-User=yangnobody
-Group=yangnobody
 
 [Install]
 WantedBy=multi-user.target
diff --git a/package/velia/velia-firewall.service b/package/velia/velia-firewall.service
index 2f4a2f9..1fdb318 100644
--- a/package/velia/velia-firewall.service
+++ b/package/velia/velia-firewall.service
@@ -9,6 +9,7 @@
 [Service]
 Type=simple
 ExecStart=/usr/bin/veliad-firewall
+Group=sysrepo
 PrivateTmp=yes
 PrivateDevices=no
 ProtectSystem=yes
diff --git a/package/velia/velia-hardware-g1.service b/package/velia/velia-hardware-g1.service
index bef35f6..6e09df3 100644
--- a/package/velia/velia-hardware-g1.service
+++ b/package/velia/velia-hardware-g1.service
@@ -12,6 +12,7 @@
 [Service]
 Type=simple
 ExecStart=/usr/bin/veliad-hardware --appliance=czechlight-clearfog
+Group=sysrepo
 PrivateTmp=yes
 PrivateDevices=no
 ProtectSystem=yes
diff --git a/package/velia/velia-hardware-g2.service b/package/velia/velia-hardware-g2.service
index c39c3f8..84342b7 100644
--- a/package/velia/velia-hardware-g2.service
+++ b/package/velia/velia-hardware-g2.service
@@ -13,6 +13,7 @@
 [Service]
 Type=simple
 ExecStart=/usr/bin/veliad-hardware --appliance=czechlight-clearfog-g2
+Group=sysrepo
 PrivateTmp=yes
 PrivateDevices=no
 ProtectSystem=yes
diff --git a/package/velia/velia-health.service b/package/velia/velia-health.service
index f779bf6..05f66c2 100644
--- a/package/velia/velia-health.service
+++ b/package/velia/velia-health.service
@@ -9,6 +9,7 @@
 ExecStartPre=/bin/sh -c 'for COLOUR in red green blue; do echo none > /sys/class/leds/status:$${COLOUR}/trigger; echo 0 > /sys/class/leds/status:green/brightness; done'
 ExecStart=/usr/bin/veliad-health --appliance=czechlight-clearfog --systemd-ignore-unit=systemd-journal-upload.service
 ExecStopPost=/bin/sh -c 'for COLOUR in red green blue; do echo 0 > /sys/class/leds/status:$$COLOUR/brightness; done; [[ "$EXIT_CODE" == "exited" ]] && COLOUR="green" || COLOUR="red"; echo timer > /sys/class/leds/status:$$COLOUR/trigger; echo 256 > /sys/class/leds/status:$$COLOUR/brightness'
+Group=sysrepo
 PrivateTmp=yes
 PrivateDevices=yes
 ProtectSystem=yes
diff --git a/package/velia/velia-system.service b/package/velia/velia-system.service
index cd8db60..6963e91 100644
--- a/package/velia/velia-system.service
+++ b/package/velia/velia-system.service
@@ -9,6 +9,7 @@
 [Service]
 Type=simple
 ExecStart=/usr/bin/veliad-system
+Group=sysrepo
 PrivateTmp=yes
 PrivateDevices=no
 ProtectSystem=yes
diff --git a/submodules/buildroot b/submodules/buildroot
index 2877c45..0308abf 160000
--- a/submodules/buildroot
+++ b/submodules/buildroot
@@ -1 +1 @@
-Subproject commit 2877c45ae36b4e8fbc694ea16bfcb16a27c96993
+Subproject commit 0308abfd2c725e32e7fcc31c73f8cb8319a30a2f
diff --git a/submodules/dependencies b/submodules/dependencies
index 18d9301..d5e3d9d 160000
--- a/submodules/dependencies
+++ b/submodules/dependencies
@@ -1 +1 @@
-Subproject commit 18d9301a741f7dda86cb4586e787577c87214592
+Subproject commit d5e3d9dd2a50d79844b95e23cf7b727877247e5e