diff --git a/.github/workflows/approve-merge.yaml b/.github/workflows/approve-merge.yaml new file mode 100644 index 0000000..44dd4f5 --- /dev/null +++ b/.github/workflows/approve-merge.yaml @@ -0,0 +1,25 @@ +name: Merge Release PR + +on: + pull_request_review: + types: [submitted] + +jobs: + pr_approved: + if: ${{ github.event.review.state == 'approved' && github.event.pull_request.base.ref == 'master' && github.event.pull_request.head.ref == 'next' }} + runs-on: ubuntu-latest + steps: + - name: Clone git repo + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Merge PR + run: | + git checkout master + git merge --ff origin/next + git push -u origin master + - uses: benc-uk/workflow-dispatch@v1 + with: + workflow: release.yaml + ref: master diff --git a/.github/workflows/pr-lint.yaml b/.github/workflows/pr-lint.yaml index 1e6aa17..462366a 100644 --- a/.github/workflows/pr-lint.yaml +++ b/.github/workflows/pr-lint.yaml @@ -11,7 +11,7 @@ permissions: pull-requests: read jobs: - main: + lint: name: pr-lint runs-on: ubuntu-latest steps: diff --git a/.github/workflows/release-pr.yaml b/.github/workflows/release-pr.yaml new file mode 100644 index 0000000..c956960 --- /dev/null +++ b/.github/workflows/release-pr.yaml 
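Review bot: The `if:` on the `pr_approved` job accepts any submitted approval, so on a public repository an approving review from an account with no write access — on a PR that was opened from a fork whose branch merely happens to be named `next` — would fast-forward `master` to `origin/next` and dispatch `release.yaml`; nothing checks `head.repo` or the reviewer's association. The job also runs with the repository's default `GITHUB_TOKEN` permissions because, unlike the other workflows in this diff, it declares no `permissions:` block, and `benc-uk/workflow-dispatch@v1` is a third-party action pinned to a mutable tag rather than a commit SHA. Finally, `git merge --ff origin/next` resolves `next` at job run time rather than at review time, so commits pushed to `next` after the approval are released too; merging `github.event.pull_request.head.sha` pins the reviewed commit. I would restrict the trigger to same-repo PRs approved by a maintainer, grant least privilege explicitly, and pin the action:
```yaml
permissions:
  contents: write   # git push to master
  actions: write    # dispatching release.yaml via the API

jobs:
  pr_approved:
    if: >-
      ${{ github.event.review.state == 'approved'
          && github.event.pull_request.base.ref == 'master'
          && github.event.pull_request.head.ref == 'next'
          && github.event.pull_request.head.repo.full_name == github.repository
          && contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.review.author_association) }}
    # … unchanged: runs-on, checkout with fetch-depth 0 …
      - name: Merge PR
        run: |
          git checkout master
          git merge --ff "${{ github.event.pull_request.head.sha }}"
          git push -u origin master
      - uses: benc-uk/workflow-dispatch@v1   # pin to a full commit SHA instead of the tag
```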
@@ -0,0 +1,46 @@ +name: Release PR + +on: + push: + branches: + - next + +permissions: + contents: read + +jobs: + release_pr: + permissions: + issues: write + pull-requests: write + contents: write + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - uses: actions/setup-node@v4 + with: + node-version-file: '.nvmrc' + + - name: Install Dependencies + run: npm clean-install + + - name: Generate Changes + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -ex + echo '# Release Changes' > changes.md + npx semantic-release@22.0.12 -d -p '@semantic-release/release-notes-generator' -b next | grep -v semantic-release | tee -a changes.md + printf '\n---\n\n### Approve this PR to release above packages!' >> changes.md + - name: Create PR + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -ex + export PR_NUMBER=$(gh pr list -B master -H next --json number | jq -r '.[0].number') + if [[ "$(git rev-parse origin/master)" == "$(git rev-parse origin/next)" ]]; then exit 0; fi + if [[ "$PR_NUMBER" == "null" ]]; then gh pr create -B master -H next -t "chore: release" -F changes.md; fi + if [[ "$PR_NUMBER" != "null" ]]; then gh pr edit $PR_NUMBER -F changes.md; fi diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index ab841f2..ee8df1a 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -4,6 +4,7 @@ on: push: branches: - master + workflow_dispatch: permissions: contents: read @@ -17,6 +18,8 @@ jobs: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 + with: + ref: master - uses: docker/login-action@v3 with: diff --git a/Dockerfile b/Dockerfile index 27dc27d..dcd6d68 100644 --- a/Dockerfile +++ b/Dockerfile 
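Review bot: The `Generate Changes` step runs `npx semantic-release@22.0.12 -d -p '@semantic-release/release-notes-generator' ...` with a `GITHUB_TOKEN` carrying `contents`/`pull-requests`/`issues: write` exported in its environment, and `npx` resolves that package, the plugin and all of their transitive dependencies from the registry at run time — only the top-level version is pinned, and none of it is covered by the `package-lock.json` that the preceding `npm clean-install` honours. The same line is a pipeline under `set -ex` without `pipefail`, so a semantic-release failure is masked by `tee`'s exit status and an empty or truncated `changes.md` silently becomes the release PR body. I would add both tools as locked devDependencies and call `npx --no-install semantic-release ...`, and change the first line to `set -exo pipefail` (noting that `grep -v` exits 1 when it filters every line, so append `|| true` to the grep if an output with no notes is an expected outcome). `contents: write` on this job also looks wider than needed since the steps only create or edit a PR, though whether `gh` needs it here I cannot confirm from this diff.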
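Review bot: Adding `workflow_dispatch:` lets the release run from any ref, and while the new `ref: master` on checkout pins the built sources, the workflow definition itself — including the `docker/login-action` step and whatever secrets it consumes — comes from the branch the dispatch was made from, so a modified `release.yaml` on an unprotected branch could release `master`'s sources with the production registry credentials. If `master` is branch-protected, as the approve-merge flow in this diff suggests, consider guarding the job with `if: github.ref == 'refs/heads/master'` so manual dispatches from other refs are no-ops (the automated dispatch already passes `ref: master`, so it is unaffected), and/or binding the job to a protected environment. The job's name and `permissions:` are outside this hunk.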
@@ -25,10 +25,7 @@ USER node ARG APP_HOME=/home/node/srv WORKDIR $APP_HOME -COPY package.json package.json -COPY package-lock.json package-lock.json - -COPY --chown=node:node . $APP_HOME +COPY --chown=node:node ./cfg $APP_HOME/cfg COPY --chown=node:node --from=build $APP_HOME/lib $APP_HOME/lib EXPOSE 50051 diff --git a/src/utils.ts b/src/utils.ts index 0ec6c01..fe2e563 100644 --- a/src/utils.ts +++ b/src/utils.ts @@ -36,9 +36,9 @@ export interface FilterType { // Create a ids client instance let idsClientInstance: UserServiceClient; +const cfg = createServiceConfig(process.cwd()); const getUserServiceClient = async () => { if (!idsClientInstance) { - const cfg = createServiceConfig(process.cwd()); // identity-srv client to resolve subject ID by token const grpcIDSConfig = cfg.get('client:user'); const loggerCfg = cfg.get('logger'); @@ -86,7 +86,7 @@ export async function checkAccessRequest(ctx: ACSClientContext, resource: Resour let result: DecisionResponse | PolicySetRQResponse; try { - result = await accessRequest(subject, resource, action, ctx, { operation }); + result = await accessRequest(subject, resource, action, ctx, { operation, roleScopingEntityURN: cfg?.get('authorization:urns:organization') }); } catch (err) { return { decision: Response_Decision.DENY,
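Review bot: Replacing `COPY --chown=node:node . $APP_HOME` with a copy of only `./cfg` and the built `lib` is a good reduction of the runtime image (no `.git`, lockfiles or stray local files end up in it), but `package.json` and `package-lock.json` are no longer copied either, so unless `node_modules` is brought in from the `build` stage somewhere above line 25 — not visible in this hunk — the runtime image has no production dependencies at all. Also `./cfg` is copied as a whole directory, so any local override or credential-bearing files that happen to live there in a developer's checkout would be baked into the image; a `.dockerignore` rule for them, or an explicit list of the config files to copy, is the safer form. The earlier stages of the Dockerfile are outside this hunk.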
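Review bot: Hoisting `const cfg = createServiceConfig(process.cwd())` to module scope turns a lazy, on-first-use load into an import-time side effect: every importer of `utils.ts` (tests included) now reads configuration relative to whatever the process cwd is at import time, and a throw from `createServiceConfig` fails module load instead of the first `getUserServiceClient()` call. If the eager load is intended, a comment saying so would help: `// Loaded once at import time; the config dir is resolved from process.cwd(), so the service must be started from its root`. Otherwise keep it lazy with a memoised getter such as `let cfg: ReturnType<typeof createServiceConfig> | undefined; const getCfg = () => (cfg ??= createServiceConfig(process.cwd()));` — `??=` needs an ES2021 target, which I cannot confirm from this diff.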
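Review bot: `cfg?.get('authorization:urns:organization')` passes `undefined` as `roleScopingEntityURN` to `accessRequest` whenever the key is missing from the config, and it is not clear from this diff what the ACS client does with an absent scoping URN — if it skips role scoping rather than applying a default, a misconfigured deployment would evaluate policies against unscoped roles, i.e. fail open. The optional chain is also dead: `cfg` is a `const` initialised unconditionally at module scope and is already dereferenced as `cfg.get(...)` in `getUserServiceClient`. I would resolve the value once, e.g. `const roleScopingEntityURN: string | undefined = cfg.get('authorization:urns:organization');` next to `cfg`, with a startup check that logs or throws when it is undefined (or, at minimum, a `DENY` return here when it is missing, mirroring the existing catch branch). `checkAccessRequest` starts before and continues after this hunk.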