diff --git a/README.md b/README.md
index b75beb3..167d2db 100644
--- a/README.md
+++ b/README.md
@@ -214,7 +214,7 @@ Log in to Vault with `userpass` and an account that has `write` access to `auth/
 ```
 curl --silent --location --header 'X-Vault-Token: <token>' \
     --request POST \
-    --data '{"ttl":"768h","renewable":true,"display_name":"remco populates config files with secrets"}' \
+    --data '{"policies":["remco"],"renewable":true,"ttl":"768h","display_name":"remco populates config files with secrets"}' \
     'https://f.q.d.n/v1/auth/token/create-orphan'
 ```
 
diff --git a/policies/remco/remco.hcl b/policies/remco/remco.hcl
index 9695ad6..9fc7cf0 100644
--- a/policies/remco/remco.hcl
+++ b/policies/remco/remco.hcl
@@ -1,12 +1,22 @@
 # Allow listing secret parent-child connections (as in UI hierarchy). Subdir
 # underneath 'kv' secrets engine will remain hidden though, user has to
 # manually open up
-# ${VAULT_ADDR}/ui/vault/secrets/kv/list/for_{{identity.groups.ids.GROUPID.name}}
-path "kv/metadata/for_{{identity.groups.ids.GROUPID.name}}/*" {
+# ${VAULT_ADDR}/ui/vault/secrets/kv/list/for_{{identity.groups.ids.83754fb4-ee24-fa6a-52dd-50ef8f1d6665.name}}
+path "kv/metadata/for_{{identity.groups.ids.83754fb4-ee24-fa6a-52dd-50ef8f1d6665.name}}/*" {
+    capabilities = ["list"]
+}
+
+# Same but without ID, this allows an orphan token (i.e. that has no parent "entity_id") to also access this
+path "kv/metadata/for_rbacgroup_remco/*" {
     capabilities = ["list"]
 }
 
 # Grant read-only access to secrets
-path "kv/data/for_{{identity.groups.ids.GROUPID.name}}/*" {
+path "kv/data/for_{{identity.groups.ids.83754fb4-ee24-fa6a-52dd-50ef8f1d6665.name}}/*" {
+    capabilities = ["read"]
+}
+
+# Same but without ID, this allows an orphan token (i.e. that has no parent "entity_id") to also access this
+path "kv/data/for_rbacgroup_remco/*" {
     capabilities = ["read"]
 }