diff --git a/partials/landingpages/modules/access.php b/partials/landingpages/modules/access.php
index 99bafb2..8fed0e9 100644
--- a/partials/landingpages/modules/access.php
+++ b/partials/landingpages/modules/access.php
@@ -12,16 +12,50 @@ if (!$module) {
 }
 
 if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    $selectedUsers = is_array($_POST['auth_user_values'] ?? null) ? $_POST['auth_user_values'] : [];
+    $selectedGroups = is_array($_POST['auth_group_values'] ?? null) ? $_POST['auth_group_values'] : [];
+    $manualUsers = (string)($_POST['auth_users'] ?? '');
+    $manualGroups = (string)($_POST['auth_groups'] ?? '');
+
     modules()->saveAuth($moduleName, [
         'required' => isset($_POST['auth_required']),
-        'users' => (string)($_POST['auth_users'] ?? ''),
-        'groups' => (string)($_POST['auth_groups'] ?? ''),
+        'users' => array_merge($selectedUsers, preg_split('/[,\\n]+/', $manualUsers) ?: []),
+        'groups' => array_merge($selectedGroups, preg_split('/[,\\n]+/', $manualGroups) ?: []),
     ]);
     $notice = 'Zugriff gespeichert.';
     $module = modules()->get($moduleName) ?: $module;
 }
 
 $authConfig = is_array($module['auth'] ?? null) ? $module['auth'] : ['required' => false, 'users' => [], 'groups' => []];
+$allowedUsers = is_array($authConfig['users'] ?? null) ? array_values(array_filter(array_map('strval', $authConfig['users']))) : [];
+$allowedGroups = is_array($authConfig['groups'] ?? null) ? array_values(array_filter(array_map('strval', $authConfig['groups']))) : [];
+$knownUsers = modules()->knownAuthUsers();
+$knownGroups = modules()->knownAuthGroups();
+$currentUser = auth_user();
+if (is_array($currentUser) && trim((string)($currentUser['sub'] ?? '')) !== '') {
+    $currentSub = (string)$currentUser['sub'];
+    $hasCurrentUser = false;
+    foreach ($knownUsers as $knownUser) {
+        if ((string)($knownUser['sub'] ?? '') === $currentSub) {
+            $hasCurrentUser = true;
+            break;
+        }
+    }
+    if (!$hasCurrentUser) {
+        $knownUsers[] = [
+            'sub' => $currentSub,
+            'username' => (string)($currentUser['username'] ?? ''),
+            'email' => (string)($currentUser['email'] ?? ''),
+            'name' => (string)($currentUser['name'] ?? ''),
+            'groups' => is_array($currentUser['groups'] ?? null) ? $currentUser['groups'] : [],
+        ];
+    }
+}
+$knownGroups = array_values(array_unique(array_merge($knownGroups, auth_groups())));
+sort($knownGroups, SORT_NATURAL | SORT_FLAG_CASE);
+$knownUserValues = array_column($knownUsers, 'sub');
+$manualUsers = array_values(array_filter($allowedUsers, fn (string $value): bool => !in_array($value, $knownUserValues, true)));
+$manualGroups = array_values(array_filter($allowedGroups, fn (string $value): bool => !in_array($value, $knownGroups, true)));
 ?>
 <div class="card">
   <div class="pill">Zugriff</div>
@@ -40,15 +74,48 @@ $authConfig = is_array($module['auth'] ?? null) ? $module['auth'] : ['required'
       <span>Login fuer dieses Modul erforderlich</span>
     </label>
 
-    <label class="muted" style="display:grid; gap:6px;">
+    <div class="muted" style="display:grid; gap:8px;">
       <span>Erlaubte Benutzer</span>
-      <textarea name="auth_users" rows="3" placeholder="Keycloak-Sub, Benutzername oder E-Mail, je Zeile oder Komma"><?= e(implode("\n", is_array($authConfig['users'] ?? null) ? $authConfig['users'] : [])) ?></textarea>
-    </label>
+      <?php if ($knownUsers === []): ?>
+        <small class="muted">Noch keine Keycloak-User bekannt. User erscheinen hier, nachdem sie sich einmal angemeldet haben.</small>
+      <?php else: ?>
+        <div style="display:grid; gap:6px;">
+          <?php foreach ($knownUsers as $knownUser): ?>
+            <?php
+              $sub = (string)($knownUser['sub'] ?? '');
+              $label = trim((string)($knownUser['name'] ?? ''));
+              if ($label === '') {
+                  $label = trim((string)($knownUser['username'] ?? ''));
+              }
+              $email = trim((string)($knownUser['email'] ?? ''));
+              $suffix = $email !== '' && $email !== $label ? ' (' . $email . ')' : '';
+            ?>
+            <label style="display:flex; align-items:center; gap:10px;">
+              <input type="checkbox" name="auth_user_values[]" value="<?= e($sub) ?>" <?= in_array($sub, $allowedUsers, true) ? 'checked' : '' ?>>
+              <span><?= e(($label !== '' ? $label : $sub) . $suffix) ?></span>
+            </label>
+          <?php endforeach; ?>
+        </div>
+      <?php endif; ?>
+      <textarea name="auth_users" rows="3" placeholder="Weitere Keycloak-Sub, Benutzername oder E-Mail, je Zeile oder Komma"><?= e(implode("\n", $manualUsers)) ?></textarea>
+    </div>
 
-    <label class="muted" style="display:grid; gap:6px;">
+    <div class="muted" style="display:grid; gap:8px;">
       <span>Erlaubte Gruppen</span>
-      <textarea name="auth_groups" rows="3" placeholder="/admin oder mining-users, je Zeile oder Komma"><?= e(implode("\n", is_array($authConfig['groups'] ?? null) ? $authConfig['groups'] : [])) ?></textarea>
-    </label>
+      <?php if ($knownGroups === []): ?>
+        <small class="muted">Noch keine Keycloak-Gruppen bekannt. Gruppen werden aus angemeldeten Usern und gespeicherten Modulrechten gesammelt.</small>
+      <?php else: ?>
+        <div style="display:grid; gap:6px;">
+          <?php foreach ($knownGroups as $knownGroup): ?>
+            <label style="display:flex; align-items:center; gap:10px;">
+              <input type="checkbox" name="auth_group_values[]" value="<?= e($knownGroup) ?>" <?= in_array($knownGroup, $allowedGroups, true) ? 'checked' : '' ?>>
+              <span><?= e($knownGroup) ?></span>
+            </label>
+          <?php endforeach; ?>
+        </div>
+      <?php endif; ?>
+      <textarea name="auth_groups" rows="3" placeholder="Weitere Gruppen, je Zeile oder Komma"><?= e(implode("\n", $manualGroups)) ?></textarea>
+    </div>
 
     <small class="muted">Wenn Login aktiv ist und Benutzer/Gruppen leer bleiben, darf jeder eingeloggte Benutzer das Modul oeffnen.</small>
 
diff --git a/src/App/AuthService.php b/src/App/AuthService.php
index 72de276..66b6935 100644
--- a/src/App/AuthService.php
+++ b/src/App/AuthService.php
@@ -77,6 +77,8 @@ final class AuthService
         ];
         $_SESSION['auth_id_token'] = $idToken;
         $_SESSION['auth_expires_at'] = time() + self::SESSION_TTL;
+
+        $this->rememberKeycloakUser($claims, $groups);
     }
 
     public function canAccessModule(array $module): bool
@@ -111,6 +113,38 @@ final class AuthService
         return array_intersect($allowedGroups, $userGroups) !== [];
     }
 
+    private function rememberKeycloakUser(array $claims, array $groups): void
+    {
+        $pdo = $this->app->basePdo();
+        $sub = trim((string)($claims['sub'] ?? ''));
+        if (!$pdo || $sub === '') {
+            return;
+        }
+
+        $groupsJson = json_encode(array_values(array_unique(array_map('strval', $groups))), JSON_UNESCAPED_UNICODE);
+        if (!is_string($groupsJson)) {
+            $groupsJson = '[]';
+        }
+
+        $stmt = $pdo->prepare(
+            "INSERT INTO nexus_auth_users (sub, username, email, name, groups, last_login_at)
+             VALUES (:sub, :username, :email, :name, :groups, CURRENT_TIMESTAMP)
+             ON CONFLICT(sub) DO UPDATE SET
+                username = excluded.username,
+                email = excluded.email,
+                name = excluded.name,
+                groups = excluded.groups,
+                last_login_at = CURRENT_TIMESTAMP"
+        );
+        $stmt->execute([
+            'sub' => $sub,
+            'username' => (string)($claims['preferred_username'] ?? ''),
+            'email' => (string)($claims['email'] ?? ''),
+            'name' => (string)($claims['name'] ?? ''),
+            'groups' => $groupsJson,
+        ]);
+    }
+
     public function requireModuleAccess(array $module): void
     {
         if ($this->canAccessModule($module)) {
diff --git a/src/App/BaseSchema.php b/src/App/BaseSchema.php
index d5a041b..4646d6c 100644
--- a/src/App/BaseSchema.php
+++ b/src/App/BaseSchema.php
@@ -40,6 +40,27 @@ final class BaseSchema
             )"
         );
 
+        $pdo->exec(
+            "CREATE TABLE IF NOT EXISTS nexus_module_auth (
+                name TEXT PRIMARY KEY,
+                required BOOLEAN NOT NULL DEFAULT false,
+                users TEXT NOT NULL DEFAULT '[]',
+                groups TEXT NOT NULL DEFAULT '[]',
+                updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+            )"
+        );
+
+        $pdo->exec(
+            "CREATE TABLE IF NOT EXISTS nexus_auth_users (
+                sub TEXT PRIMARY KEY,
+                username TEXT,
+                email TEXT,
+                name TEXT,
+                groups TEXT NOT NULL DEFAULT '[]',
+                last_login_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+            )"
+        );
+
         $pdo->exec(
             "CREATE TABLE IF NOT EXISTS nexus_settings (
                 key TEXT PRIMARY KEY,
@@ -96,6 +117,27 @@ final class BaseSchema
             )"
         );
 
+        $pdo->exec(
+            "CREATE TABLE IF NOT EXISTS nexus_module_auth (
+                name TEXT PRIMARY KEY,
+                required INTEGER NOT NULL DEFAULT 0,
+                users TEXT NOT NULL DEFAULT '[]',
+                groups TEXT NOT NULL DEFAULT '[]',
+                updated_at TEXT NOT NULL DEFAULT (datetime('now'))
+            )"
+        );
+
+        $pdo->exec(
+            "CREATE TABLE IF NOT EXISTS nexus_auth_users (
+                sub TEXT PRIMARY KEY,
+                username TEXT,
+                email TEXT,
+                name TEXT,
+                groups TEXT NOT NULL DEFAULT '[]',
+                last_login_at TEXT NOT NULL DEFAULT (datetime('now'))
+            )"
+        );
+
         $pdo->exec(
             "CREATE TABLE IF NOT EXISTS nexus_settings (
                 key TEXT PRIMARY KEY,
@@ -152,6 +194,27 @@ final class BaseSchema
             )"
         );
 
+        $pdo->exec(
+            "CREATE TABLE IF NOT EXISTS nexus_module_auth (
+                name VARCHAR(190) PRIMARY KEY,
+                required TINYINT NOT NULL DEFAULT 0,
+                users TEXT NOT NULL,
+                groups TEXT NOT NULL,
+                updated_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+            )"
+        );
+
+        $pdo->exec(
+            "CREATE TABLE IF NOT EXISTS nexus_auth_users (
+                sub VARCHAR(190) PRIMARY KEY,
+                username VARCHAR(190),
+                email VARCHAR(190),
+                name VARCHAR(190),
+                groups TEXT NOT NULL,
+                last_login_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+            )"
+        );
+
         $pdo->exec(
             "CREATE TABLE IF NOT EXISTS nexus_settings (
                 `key` VARCHAR(190) PRIMARY KEY,
diff --git a/src/App/ModuleManager.php b/src/App/ModuleManager.php
index 0bf5b6d..ba5aad3 100644
--- a/src/App/ModuleManager.php
+++ b/src/App/ModuleManager.php
@@ -248,6 +248,7 @@ final class ModuleManager
                 continue;
             }
 
+            $manifestAuth = is_array($data['auth'] ?? null) ? $data['auth'] : ['required' => false, 'users' => [], 'groups' => []];
             $module = [
                 'name' => $name,
                 'slug' => $name,
@@ -261,7 +262,7 @@ final class ModuleManager
                 'metadata_db_defaults' => $data['metadata_db_defaults'] ?? [],
                 'path' => $dir,
                 'entry' => '/module/' . rawurlencode($name),
-                'auth' => is_array($data['auth'] ?? null) ? $data['auth'] : ['required' => false, 'users' => [], 'groups' => []],
+                'auth' => $this->loadAuth($name, $manifestAuth),
                 'enabled_by_default' => (bool)($data['enabled_by_default'] ?? false),
                 'enabled' => false,
             ];
@@ -314,28 +315,121 @@ final class ModuleManager
             throw new \RuntimeException('Module not found.');
         }
 
-        $manifest = $module['path'] . '/module.json';
-        $raw = is_file($manifest) ? file_get_contents($manifest) : '';
-        $data = $raw ? json_decode($raw, true) : [];
-        if (!is_array($data)) {
-            $data = [];
-        }
-
-        $data['auth'] = [
+        $authConfig = [
             'required' => (bool) ($auth['required'] ?? false),
             'users' => $this->normalizeList($auth['users'] ?? []),
             'groups' => $this->normalizeList($auth['groups'] ?? []),
         ];
 
-        $json = json_encode($data, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
-        if (!is_string($json)) {
-            throw new \RuntimeException('Could not encode module metadata.');
+        if ($this->basePdo) {
+            $usersJson = json_encode($authConfig['users'], JSON_UNESCAPED_UNICODE);
+            $groupsJson = json_encode($authConfig['groups'], JSON_UNESCAPED_UNICODE);
+            if (!is_string($usersJson) || !is_string($groupsJson)) {
+                throw new \RuntimeException('Could not encode module auth.');
+            }
+
+            $stmt = $this->basePdo->prepare(
+                "INSERT INTO nexus_module_auth (name, required, users, groups, updated_at)
+                 VALUES (:name, :required, :users, :groups, CURRENT_TIMESTAMP)
+                 ON CONFLICT(name) DO UPDATE SET
+                    required = excluded.required,
+                    users = excluded.users,
+                    groups = excluded.groups,
+                    updated_at = CURRENT_TIMESTAMP"
+            );
+            $stmt->execute([
+                'name' => $name,
+                'required' => $authConfig['required'] ? 1 : 0,
+                'users' => $usersJson,
+                'groups' => $groupsJson,
+            ]);
+
+            $this->modules[$name]['auth'] = $authConfig;
+            return $authConfig;
         }
 
-        file_put_contents($manifest, $json . PHP_EOL, LOCK_EX);
-        $this->scanModules();
+        $this->modules[$name]['auth'] = $authConfig;
+        return $authConfig;
+    }
 
-        return $data['auth'];
+    public function knownAuthUsers(): array
+    {
+        if (!$this->basePdo) {
+            return [];
+        }
+
+        $stmt = $this->basePdo->query(
+            "SELECT sub, username, email, name, groups, last_login_at
+             FROM nexus_auth_users
+             ORDER BY COALESCE(NULLIF(name, ''), NULLIF(username, ''), email, sub)"
+        );
+        $users = [];
+        foreach ($stmt->fetchAll(\PDO::FETCH_ASSOC) as $row) {
+            $groups = json_decode((string)($row['groups'] ?? '[]'), true);
+            $row['groups'] = is_array($groups) ? array_values(array_filter(array_map('strval', $groups))) : [];
+            $users[] = $row;
+        }
+
+        return $users;
+    }
+
+    public function knownAuthGroups(): array
+    {
+        $groups = [];
+        foreach ($this->knownAuthUsers() as $user) {
+            foreach (($user['groups'] ?? []) as $group) {
+                $group = trim((string)$group);
+                if ($group !== '') {
+                    $groups[] = $group;
+                }
+            }
+        }
+        foreach ($this->modules as $module) {
+            $auth = is_array($module['auth'] ?? null) ? $module['auth'] : [];
+            foreach (($auth['groups'] ?? []) as $group) {
+                $group = trim((string)$group);
+                if ($group !== '') {
+                    $groups[] = $group;
+                }
+            }
+        }
+
+        sort($groups, SORT_NATURAL | SORT_FLAG_CASE);
+        return array_values(array_unique($groups));
+    }
+
+    private function loadAuth(string $name, array $fallback): array
+    {
+        $auth = [
+            'required' => (bool)($fallback['required'] ?? false),
+            'users' => $this->normalizeList($fallback['users'] ?? []),
+            'groups' => $this->normalizeList($fallback['groups'] ?? []),
+        ];
+
+        if (!$this->basePdo) {
+            return $auth;
+        }
+
+        $stmt = $this->basePdo->prepare(
+            "SELECT required, users, groups
+             FROM nexus_module_auth
+             WHERE name = :name
+             LIMIT 1"
+        );
+        $stmt->execute(['name' => $name]);
+        $row = $stmt->fetch(\PDO::FETCH_ASSOC);
+        if ($row === false) {
+            return $auth;
+        }
+
+        $users = json_decode((string)($row['users'] ?? '[]'), true);
+        $groups = json_decode((string)($row['groups'] ?? '[]'), true);
+
+        return [
+            'required' => (bool)($row['required'] ?? false),
+            'users' => $this->normalizeList(is_array($users) ? $users : []),
+            'groups' => $this->normalizeList(is_array($groups) ? $groups : []),
+        ];
     }
 
     private function normalizeList(mixed $values): array