diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorController.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorController.java
index 3e1f4db27..82a928def 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorController.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorController.java
@@ -109,8 +109,7 @@ public Iterable getDisabledAndNotOwnedByAdmin()
     @GetMapping("/EntityDescriptor/{resourceId}")
     @Transactional
     public ResponseEntity getOne(@PathVariable String resourceId) throws PersistentEntityNotFound, ForbiddenException {
-        return ResponseEntity.ok(entityDescriptorService
-                .createRepresentationFromDescriptor(entityDescriptorService.getEntityDescriptorByResourceId(resourceId)));
+        return ResponseEntity.ok(entityDescriptorService.createRepresentationFromDescriptor(entityDescriptorService.getEntityDescriptorByResourceId(resourceId)));
     }
 
     @GetMapping(value = "/EntityDescriptor/{resourceId}", produces = "application/xml")
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java
index 7a20cac04..9d6a8d686 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java
@@ -8,7 +8,6 @@
 import edu.internet2.tier.shibboleth.admin.ui.security.exception.OwnershipConflictException;
 import edu.internet2.tier.shibboleth.admin.ui.security.model.Group;
 import edu.internet2.tier.shibboleth.admin.ui.security.model.Ownable;
-import edu.internet2.tier.shibboleth.admin.ui.security.model.OwnableType;
 import edu.internet2.tier.shibboleth.admin.ui.security.model.OwnerType;
 import edu.internet2.tier.shibboleth.admin.ui.security.model.Ownership;
 import edu.internet2.tier.shibboleth.admin.ui.security.model.Role;
@@ -167,15 +166,18 @@ public Set getUserRoles(String username) {
     }
 
     // @TODO - probably delegate this out to something plugable at some point
-    public boolean isAuthorizedFor(Ownable ownableObject) {
+    public boolean canViewOrEditTarget(Ownable ownableObject) {
         switch (getCurrentUserAccess()) {
         case ADMIN: // Pure admin is authorized to do anything
             return true;
-        case GROUP: // if the current user's group matches the object's group we are good.
+        case GROUP: // if the current user's group matches the object's group OR the user is an approver to the object
             Set owners = ownershipRepository.findOwnableObjectOwners(ownableObject);
             String currentUsersGroupId = getCurrentUser().getGroupId();
+            List userApproveForGroups = getCurrentUser().getGroup().getApproveForList();
+            // Check user is part of the owner's group
             for (Ownership owner : owners) {
-                if (currentUsersGroupId.equals(owner.getOwnerId()) && OwnerType.valueOf(owner.getOwnerType()) == OwnerType.GROUP) {
+                boolean isGroupOwner = OwnerType.valueOf(owner.getOwnerType()) == OwnerType.GROUP;
+                if (isGroupOwner && (currentUsersGroupId.equals(owner.getOwnerId())) || userApproveForGroups.contains(owner.getOwnerId())) {
                     return true;
                 }
             }
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java
index 9df95047c..bd605c8ef 100644
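Review bot: In the new `if` inside canViewOrEditTarget's GROUP case, `&&` binds tighter than `||`, so `userApproveForGroups.contains(owner.getOwnerId())` is evaluated for every ownership row regardless of `isGroupOwner`, and an owner id of a non-GROUP ownership type that happens to collide with an approve-for group id would grant access. If the approve-for list is meant to apply only to GROUP-type owners, as the `isGroupOwner` flag suggests, the condition should read `if (isGroupOwner && (currentUsersGroupId.equals(owner.getOwnerId()) || userApproveForGroups.contains(owner.getOwnerId())))`. The added comment `// Check user is part of the owner's group` no longer describes the loop either; something like `// Grant access when the owning group is the user's own group or one the user approves for` would match the new intent. `getCurrentUser().getGroup().getApproveForList()` also assumes every current user has a group and a non-null approve-for list, which this hunk does not establish. The remainder of the switch and the method's closing are outside the hunk.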
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java
@@ -426,6 +426,11 @@ public Iterable getAllDisabledAndNotOwnedByAdmin
         return entityDescriptorRepository.findAllDisabledAndNotOwnedByAdmin().map(ed -> createRepresentationFromDescriptor(ed)).collect(Collectors.toList());
     }
 
+    /**
+     * Get the "short" detail list of entity descriptors that match the current user's group. The intent is the list will be those
+     * EDs that the user would see on the dashboard.
+     * @throws ForbiddenException
+     */
     @Override
     public List getAllEntityDescriptorProjectionsBasedOnUserAccess() throws ForbiddenException {
         switch (userService.getCurrentUserAccess()) {
@@ -467,7 +472,7 @@ public EntityDescriptor getEntityDescriptorByResourceId(String resourceId) throw
         if (ed == null) {
             throw new PersistentEntityNotFound(String.format("The entity descriptor with entity id [%s] was not found.", resourceId));
         }
-        if (!userService.isAuthorizedFor(ed)) {
+        if (!userService.canViewOrEditTarget(ed)) {
             throw new ForbiddenException();
         }
         return ed;
@@ -490,7 +495,7 @@ public EntityDescriptorRepresentation update(EntityDescriptorRepresentation edRe
         if (StringUtils.isEmpty(edRep.getIdOfOwner())) {
             edRep.setIdOfOwner(StringUtils.isNotEmpty(existingEd.getIdOfOwner()) ? existingEd.getIdOfOwner() : userService.getCurrentUserGroup().getOwnerId());
         }
-        if (!userService.isAuthorizedFor(existingEd)) {
+        if (!userService.canViewOrEditTarget(existingEd)) {
             throw new ForbiddenException();
         }
         // Verify we're the only one attempting to update the EntityDescriptor
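Review bot: The new Javadoc on getAllEntityDescriptorProjectionsBasedOnUserAccess leaves `@throws ForbiddenException` without a description, so a reader cannot tell which access level triggers it; the method switches on `userService.getCurrentUserAccess()`, but the branches that throw are outside the hunk. State the condition, hedged until confirmed against the rest of the switch, e.g. `@throws ForbiddenException if the current user's access level is not one this listing supports`. The summary sentence also says the list is scoped to "the current user's group", which reads as GROUP-only; if the ADMIN branch returns a wider set, say so in the Javadoc to match the method name. The same `canViewOrEditTarget` rename in the two later hunks is a straight call-site update and raises nothing on its own.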