diff --git a/selinux/manifests/init.pp b/selinux/manifests/init.pp
index a8cd734..4e06339 100644
--- a/selinux/manifests/init.pp
+++ b/selinux/manifests/init.pp
@@ -62,16 +62,21 @@ class selinux {
 #
 # === Parameters
 #
+# $client_users:
+# Array of users allowed to access the setroubleshoot server.
+# Defaults to ["*"].
+#
 # $mailto:
 # Array of email addresses where to send SELinux alerts.
 # Disabled by default.
 #
-class selinux::setroubleshoot($mailto=undef) {
+class selinux::setroubleshoot($client_users=["*"], $mailto=undef) {
 if $::selinux == "true" {
 package { "setroubleshoot":
 ensure => installed,
 }
+
 if $::operatingsystem in ["CentOS","RedHat"] and $::operatingsystemrelease =~ /^[1-5]\./ {
 service { "setroubleshoot":
 ensure => running,
@@ -80,6 +85,15 @@ class selinux::setroubleshoot($mailto=undef) {
 require => Package["setroubleshoot"],
 }
 }
+
+$client_users_real = inline_template("<%= @client_users.join(',') %>")
+augeas { "set-setroubleshoot-client_users":
+changes => "set access/client_users '${client_users_real}'",
+incl => "/etc/setroubleshoot/setroubleshoot.conf",
+lens => "Puppet.lns",
+require => Package["setroubleshoot"],
+}
+
 if $mailto {
 if !$mail_server {
 $mail_server = "127.0.0.1"
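Review bot: In the second hunk, the elements of `$client_users` are joined and spliced verbatim into the Augeas `set` argument on the `changes` line (`'${client_users_real}'`), so a value containing a single quote, whitespace or a comma produces a malformed or silently split command instead of a clean failure, and neither hunk validates the elements. I would add above the `inline_template` line: `# elements are embedded unquoted in an Augeas "set" command; reject values containing quotes, whitespace or commas before they reach this point`, and, if puppetlabs-stdlib is available to this module, a `validate_array($client_users)` (or an equivalent check) at the top of the class. The default `["*"]` introduced in the first hunk grants every user access to the setroubleshoot server, which is worth one sentence in the `$client_users` parameter doc so callers know that passing a narrower list is the hardening option. The `if $mailto` block that closes this hunk continues outside it.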