diff --git a/common/auth_util.go b/common/auth_util.go
index 0c215927..3731da93 100644
--- a/common/auth_util.go
+++ b/common/auth_util.go
@@ -27,7 +27,8 @@ import (
 const (
 resourceURNTemplateCreateDestination = "urn:cherami:dst:%v:%v"
- resourceURNTemplateCreateConsumerGroup = "urn:cherami:dst:%v:%v"
+ resourceURNTemplateReadDestination = "urn:cherami:dst:%v:%v"
+ resourceURNTemplateCreateConsumerGroup = "urn:cherami:cg:%v:%v"
 )
 // GetResourceURNCreateDestination returns the resource URN to create destination, e.g. urn:cherami:dst:zone1_prod:/prefix1
@@ -43,9 +44,9 @@ func GetResourceURNCreateDestination(scommon SCommon, dstPath *string) string {
 return fmt.Sprintf(resourceURNTemplateCreateDestination, strings.ToLower(deploymentName), strings.ToLower(dstPathString))
 }
-// GetResourceURNCreateConsumerGroup returns the resource URN to create consumer group, e.g. urn:cherami:dst:zone1_prod:/dst1
+// GetResourceURNReadDestination returns the resource URN to read destination, e.g. urn:cherami:dst:zone1_prod:/dst1
 // We use URN (Uniform Resource Name) like this: https://www.ietf.org/rfc/rfc2141.txt
-func GetResourceURNCreateConsumerGroup(scommon SCommon, dstPath *string) string {
+func GetResourceURNReadDestination(scommon SCommon, dstPath *string) string {
 var dstPathString string
 if dstPath == nil {
 dstPathString = ""
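Review bot: `resourceURNTemplateReadDestination` is given the same value as `resourceURNTemplateCreateDestination`, and nothing in the const block says that this is intended; the consumer-group template this commit corrects presumably got its `dst` namespace from the same kind of copy. A one-line comment on the block would make the intent checkable, for example `// the two dst templates are identical on purpose; the operation passed to checkAuth distinguishes create from read`. The const block continues outside the hunk only by its opening import context, so the comment can sit directly above `const (`.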
@@ -53,7 +54,20 @@ func GetResourceURNCreateConsumerGroup(scommon SCommon, dstPath *string) string
 dstPathString = *dstPath
 }
 deploymentName := scommon.GetConfig().GetDeploymentName()
- return fmt.Sprintf(resourceURNTemplateCreateConsumerGroup, strings.ToLower(deploymentName), strings.ToLower(dstPathString))
+ return fmt.Sprintf(resourceURNTemplateReadDestination, strings.ToLower(deploymentName), strings.ToLower(dstPathString))
+}
+
+// GetResourceURNCreateConsumerGroup returns the resource URN to create consumer group, e.g. urn:cherami:dst:zone1_prod:/dst1
+// We use URN (Uniform Resource Name) like this: https://www.ietf.org/rfc/rfc2141.txt
+func GetResourceURNCreateConsumerGroup(scommon SCommon, cgPath *string) string {
+ var cgPathString string
+ if cgPath == nil {
+ cgPathString = ""
+ } else {
+ cgPathString = getPathRootName(cgPath)
+ }
+ deploymentName := scommon.GetConfig().GetDeploymentName()
+ return fmt.Sprintf(resourceURNTemplateCreateConsumerGroup, strings.ToLower(deploymentName), strings.ToLower(cgPathString))
 }
 func getPathRootName(path *string) string {
diff --git a/common/auth_util_test.go b/common/auth_util_test.go
index 2125cb7f..b3d7f652 100644
--- a/common/auth_util_test.go
+++ b/common/auth_util_test.go
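Review bot: The doc comment on the new `GetResourceURNCreateConsumerGroup` still gives `urn:cherami:dst:zone1_prod:/dst1` as its example, although the function now formats with the `cg` template and passes the name through `getPathRootName`. The example should read along the lines of `urn:cherami:cg:zone1_prod:/cg1`, and the comment should state that only the root segment of the consumer group path is authorized; the updated test in this commit expects `/Root2/Dst2` to yield `urn:cherami:cg:zone2_abc:/root2`. That granularity decides what a create permission actually covers, so it belongs in the documentation rather than only in the tests. `getPathRootName` is defined outside this hunk, so its exact splitting rule cannot be confirmed from here.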
@@ -73,6 +73,30 @@ func (s *AuthUtilSuite) TestGetResourceURNCreateDestination() {
 s.Equal("urn:cherami:dst:zone2_abc:root2", GetResourceURNCreateDestination(mockService, StringPtr("Root2/Dst2")))
 }
+func (s *AuthUtilSuite) TestGetResourceURNReadDestination() {
+ mockService := new(MockService)
+
+ config := &serviceConfig{}
+
+ mockService.On("GetConfig").Return(config)
+
+ s.Equal("urn:cherami:dst::", GetResourceURNReadDestination(mockService, nil))
+ s.Equal("urn:cherami:dst::", GetResourceURNReadDestination(mockService, StringPtr("")))
+
+ config.deploymentName = "zone1"
+ s.Equal("urn:cherami:dst:zone1:", GetResourceURNReadDestination(mockService, nil))
+ s.Equal("urn:cherami:dst:zone1:", GetResourceURNReadDestination(mockService, StringPtr("")))
+ s.Equal("urn:cherami:dst:zone1:/", GetResourceURNReadDestination(mockService, StringPtr("/")))
+ s.Equal("urn:cherami:dst:zone1://", GetResourceURNReadDestination(mockService, StringPtr("//")))
+
+ config.deploymentName = "Zone2_ABC"
+ s.Equal("urn:cherami:dst:zone2_abc:/dst1", GetResourceURNReadDestination(mockService, StringPtr("/Dst1")))
+ s.Equal("urn:cherami:dst:zone2_abc:/root2/dst2", GetResourceURNReadDestination(mockService, StringPtr("/Root2/Dst2")))
+
+ s.Equal("urn:cherami:dst:zone2_abc:dst2", GetResourceURNReadDestination(mockService, StringPtr("Dst2")))
+ s.Equal("urn:cherami:dst:zone2_abc:root2/dst2", GetResourceURNReadDestination(mockService, StringPtr("Root2/Dst2")))
+}
+
 func (s *AuthUtilSuite) TestGetResourceURNCreateConsumerGroup() {
 mockService := new(MockService)
@@ -80,19 +104,19 @@ func (s *AuthUtilSuite) TestGetResourceURNCreateConsumerGroup() {
 mockService.On("GetConfig").Return(config)
- s.Equal("urn:cherami:dst::", GetResourceURNCreateConsumerGroup(mockService, nil))
- s.Equal("urn:cherami:dst::", GetResourceURNCreateConsumerGroup(mockService, StringPtr("")))
+ s.Equal("urn:cherami:cg::", GetResourceURNCreateConsumerGroup(mockService, nil))
+ s.Equal("urn:cherami:cg::", GetResourceURNCreateConsumerGroup(mockService, StringPtr("")))
 config.deploymentName = "zone1"
- s.Equal("urn:cherami:dst:zone1:", GetResourceURNCreateConsumerGroup(mockService, nil))
- s.Equal("urn:cherami:dst:zone1:", GetResourceURNCreateConsumerGroup(mockService, StringPtr("")))
- s.Equal("urn:cherami:dst:zone1:/", GetResourceURNCreateConsumerGroup(mockService, StringPtr("/")))
- s.Equal("urn:cherami:dst:zone1://", GetResourceURNCreateConsumerGroup(mockService, StringPtr("//")))
+ s.Equal("urn:cherami:cg:zone1:", GetResourceURNCreateConsumerGroup(mockService, nil))
+ s.Equal("urn:cherami:cg:zone1:", GetResourceURNCreateConsumerGroup(mockService, StringPtr("")))
+ s.Equal("urn:cherami:cg:zone1:/", GetResourceURNCreateConsumerGroup(mockService, StringPtr("/")))
+ s.Equal("urn:cherami:cg:zone1:/", GetResourceURNCreateConsumerGroup(mockService, StringPtr("//")))
 config.deploymentName = "Zone2_ABC"
- s.Equal("urn:cherami:dst:zone2_abc:/dst1", GetResourceURNCreateConsumerGroup(mockService, StringPtr("/Dst1")))
- s.Equal("urn:cherami:dst:zone2_abc:/root2/dst2", GetResourceURNCreateConsumerGroup(mockService, StringPtr("/Root2/Dst2")))
+ s.Equal("urn:cherami:cg:zone2_abc:/dst1", GetResourceURNCreateConsumerGroup(mockService, StringPtr("/Dst1")))
+ s.Equal("urn:cherami:cg:zone2_abc:/root2", GetResourceURNCreateConsumerGroup(mockService, StringPtr("/Root2/Dst2")))
- s.Equal("urn:cherami:dst:zone2_abc:dst2", GetResourceURNCreateConsumerGroup(mockService, StringPtr("Dst2")))
- s.Equal("urn:cherami:dst:zone2_abc:root2/dst2", GetResourceURNCreateConsumerGroup(mockService, StringPtr("Root2/Dst2")))
+ s.Equal("urn:cherami:cg:zone2_abc:dst2", GetResourceURNCreateConsumerGroup(mockService, StringPtr("Dst2")))
+ s.Equal("urn:cherami:cg:zone2_abc:root2", GetResourceURNCreateConsumerGroup(mockService, StringPtr("Root2/Dst2")))
 }
diff --git a/services/frontendhost/frontend.go b/services/frontendhost/frontend.go
index 0c036207..115536de 100644
--- a/services/frontendhost/frontend.go
+++ b/services/frontendhost/frontend.go
@@ -1116,13 +1116,20 @@ func (h *Frontend) CreateConsumerGroup(ctx thrift.Context, createRequest *c.Crea
 common.TagCnsPth: common.FmtCnsPth(createRequest.GetConsumerGroupName()),
 })
- authResource := common.GetResourceURNCreateConsumerGroup(h.SCommon, createRequest.DestinationPath)
-
+ // Check auth for read desitnation
+ authResource := common.GetResourceURNReadDestination(h.SCommon, createRequest.DestinationPath)
 err = h.checkAuth(ctx, authResource, common.OperationRead, lclLg)
 if err != nil {
 return nil, err
 }
+ // Check auth for create destination
+ authResource = common.GetResourceURNCreateConsumerGroup(h.SCommon, createRequest.ConsumerGroupName)
+ err = h.checkAuth(ctx, authResource, common.OperationCreate, lclLg)
+ if err != nil {
+ return nil, err
+ }
+
 // request to controller
 var cClient controller.TChanController
 cClient, err = h.getControllerClient()
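Review bot: No case in `TestGetResourceURNCreateConsumerGroup` (or in the new `TestGetResourceURNReadDestination`) covers a name that contains `:`, which is the field separator of the URN being built. The helpers format the request-supplied name with `fmt.Sprintf` and only lowercase it, so such a name would produce a resource string with more fields than the template intends, and the authorization layer would have to decide how to read it. If path validation elsewhere already rejects `:`, a test asserting that would document the dependency; otherwise the helpers should reject or escape the character before formatting. Whether such validation exists is not visible in this diff.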
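Review bot: The comment above the second check says `// Check auth for create destination`, but the code authorizes `common.OperationCreate` on the consumer group resource, and the first comment misspells "destination". Suggested wording: `// Check auth for read destination` and `// Check auth for create consumer group`. Separately, `createRequest.ConsumerGroupName` is a pointer, and per the updated tests a nil or empty value yields `urn:cherami:cg:<deployment>:`, so the create check would run against an empty resource name; it is worth confirming that request validation rejects an empty name before this point. `CreateConsumerGroup` starts and ends outside the hunk, so that ordering cannot be verified here.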