diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgExtra.class.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgExtra.class.php
index bfdc68cb5f7da6f14f7fd7e6c6ff16fe49cf1089..f12d2b5a295363b006b36963167d3eed4058ab5c 100755
--- a/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgExtra.class.php
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgExtra.class.php
@@ -216,6 +216,12 @@ class TgExtra {
   // -----------------------------------------------------
   public function tgCrudCheckAccess( $inRequest ) {
 
+    // Must check in the following order:
+    // 1. Check if the tgcrud secret is correctly set, if not > authenticationFault
+    // 2. Check if the resource is existing, if not > unknownResourceFault
+    // 3. Check the session ID, if not valid > set result to false and return
+    // 4. Set the other results and return true
+
     $result = new tgCrudCheckAccessResponse();
     $objProjectInfo = new stdClass();
     $objFaultDetail = new stdClass();
@@ -239,7 +245,11 @@ class TgExtra {
 
         // Add the PDP result
         $result->result = $this->rbac->checkAccess( $inRequest->auth, $inRequest->operation, $inRequest->resource );
-
+	if( !isset( $arrResource[0]['tgispublic'] ) ) {
+	  $result->public = false;
+	} else {
+	  preg_match( "/^true$/i", $arrResource[0]['tgispublic'][0] ) ? $result->public = true : $result->public = false;
+	}
 
         // See if the object is a project role...
         for( $loObjectclass = 0; $loObjectclass < sizeof( $arrResource[0]['objectclass'] ); $loObjectclass++ ) {
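Review bot: The added block checks that `tgispublic` is set but then reads `$arrResource[0]['tgispublic'][0]` without checking that index, and it uses a ternary only for its assignment side effects, which is hard to read in an access-decision path. A single assignment does the same job: `$result->public = isset( $arrResource[0]['tgispublic'][0] ) && preg_match( "/^true$/i", $arrResource[0]['tgispublic'][0] ) === 1;`. Note that `$` also matches before a trailing newline, so `\z` or `strcasecmp` is the stricter choice if only the exact value should count. The new lines are tab-indented while the surrounding code uses spaces. The function continues outside the hunk, so how callers combine `public` with `result` is not visible here; if `public` is informational and never overrides the PDP result, a one-line comment saying so would help.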
@@ -283,6 +293,7 @@ class TgExtra {
         // Finally add the username and allowed
         // operations for the current session.
         $result->username = $this->rbac->sessionUser( $inRequest->auth );
+	
 
         try {
 
@@ -1557,9 +1568,10 @@ class TgExtra {
        return result;
     }
 
-    $filter = "(&";
+    $filter = "(|(&";
     if (strlen ($inRequest->name) > 0) {
-      $filter .= "(cn=" . $inRequest->name . ")";
+      // search also in sn or givenName if they are fully specified
+      $filter .= "(|(displayname=" . $inRequest->name . ")(sn=" . $inRequest->name . ")(givenname=". $inRequest->name . "))";
     }
     if	(strlen	($inRequest->mail) > 0) {
       $filter .= "(mail=" . $inRequest->mail . ")";
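Review bot: `$inRequest->name` is concatenated unescaped into the LDAP filter three times on the new `displayname`/`sn`/`givenname` line, so filter metacharacters such as `(`, `)` and `\` in the request alter the filter's structure instead of being matched literally. This matters more with the `(uid=…)` clause added in the next hunk (@@ -1568), which sits outside the `(!(tgagreesearch=FALSE))` guard and only checks for `*`; the search opt-out then depends entirely on the name being a plain literal. Escape the value once before building the filter, keeping `*` for wildcard search, e.g. `$name = ldap_escape( $inRequest->name, '*', LDAP_ESCAPE_FILTER );` (requires PHP 5.6 or later), and use `$name` in all four clauses; `mail` and `organisation` need the same treatment. The uid clause should also be skipped when the name is empty, `if ( strlen( $inRequest->name ) > 0 && ! preg_match( "/\*/", $inRequest->name ) )`, otherwise `(uid=)` is appended. The function starts and ends outside the hunk.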
@@ -1568,6 +1580,11 @@ class TgExtra {
       $filter .= "(o=" . $inRequest->organisation . ")";
     }
     $filter .= "(!(tgagreesearch=FALSE)))";
+    // overload the name field for ePPN search in case someone has tgagreesearch=FALSE but client specified a UID completely 
+    if ( ! preg_match( "/\*/", $inRequest->name) ) {
+      $filter .= "(uid=" . $inRequest->name . ")";
+    }
+    $filter .= ")";
 
     $arrUserEntry = $this->connection['user']->search( $this->config->getValue( "authentication", "base" ), $filter, "sub" );