diff --git a/Chart.yaml b/Chart.yaml
index 9d5c1a3c96ed3cce043b194044775860f2d42fd3..26cf9bf25a81dd2b619b2ad5833a660c60806431 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,4 +1,4 @@
 apiVersion: v2
 name: constraint-templates
-version: 1.4.27
+version: 1.5.0
 appVersion: 1.0.0
diff --git a/rego/allow_rollout_restart/policy.rego b/rego/allow_rollout_restart/policy.rego
index 7bbafcaa8a918bab2d5dd97b6581a2bc69f63380..74e505f00aec1bf56bc2bcb91b9f6fcbe52a4383 100644
--- a/rego/allow_rollout_restart/policy.rego
+++ b/rego/allow_rollout_restart/policy.rego
@@ -1,13 +1,20 @@
 package allow_rollout_restart
 
-
+# Violation caused when user is not flux and not in the admin group, trying to use UPDATE to change a DEPLOYMENT. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
 violation[{"msg": msg}] {
     not input.review.userInfo.username == "flux"
+    not contains(input.review.userInfo.groups, "oidc:it.platform.roles.admin")
     input.review.kind.kind == "Deployment"
-	input.review.operation == "PATCH"
-    new_annotations := json.remove(input.review.object,["metadata/annotations/kubectl.kubernetes.io.restartedAt"])
-    old_annotations := json.remove(input.review.oldObject,["metadata/annotations/kubectl.kubernetes.io.restartedAt"]) 
+    input.review.operation == "UPDATE"
+    new_annotations := json.remove(input.review.object,["spec/template/metadata/annotations/kubectl.kubernetes.io~1restartedAt","metadata/generation","metadata/managedFields"])
+    old_patched_annotations := json.patch(input.review.oldObject,[{"op": "add", "path": "spec/template/metadata/annotations/kubectl.kubernetes.io~1restartedAt", "value": 3}])
+    old_annotations := json.remove(old_patched_annotations,["spec/template/metadata/annotations/kubectl.kubernetes.io~1restartedAt","metadata/generation","metadata/managedFields"])
     old_annotations != new_annotations
-	msg := sprintf("Only patch to annotation kubectl.kubernetes.io.restartedAt is allowed. Used '%v'", [input.review.object.metadata.annotations] )
+	msg := sprintf("Only patch to annotation kubectl.kubernetes.io.restartedAt is allowed. ",[])
+
 }
 
+
+contains(grouparray,testgroup) {
+    grouparray[_] = testgroup
+}
\ No newline at end of file
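Review bot: The `json.patch` call on the `old_patched_annotations` line can leave the whole rule undefined, which means no violation is produced and the update is admitted. An `add` operation needs its parent to exist, so when the old Deployment has no `spec.template.metadata.annotations` map the patch presumably fails instead of building the structure, and the restriction would then not apply to that Deployment. Consider seeding the structure with a deep merge instead, e.g. `old_seeded := object.union({"spec": {"template": {"metadata": {"annotations": {}}}}}, input.review.oldObject)`, and confirm the behaviour with a test. Separately, the helper named `contains` collides with the built-in string function and with the `contains` keyword of newer Rego; a name such as `has_group` avoids that.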
diff --git a/rego/allow_rollout_restart/policy_test.rego b/rego/allow_rollout_restart/policy_test.rego
index 528df95cfdefad3b97ccffcdaa933f90d967b6ce..ba82538e08d1a0f07446a5558ec50d62dc207257 100644
--- a/rego/allow_rollout_restart/policy_test.rego
+++ b/rego/allow_rollout_restart/policy_test.rego
@@ -65,17 +65,25 @@ review_deployment_patch_extra_annotations(annotationname,annotationvalue,usernam
         "kind": "Deployment"
       },
       "object": {
-        "metadata": {
-            "annotations": {
-                "dreaded_gazebo": "indeed",
-                annotationname: annotationvalue
+        "spec": {
+          "template: {
+            "metadata": {
+              "annotations": {
+                  "dreaded_gazebo": "indeed",
+                  annotationname: annotationvalue
+              }
             }
+          }
         }
       },
       "oldObject": {
-        "metadata": {
-          "annotations": {
-            "kubectl.kubernetes.io.restartedAt": previousrestarted
+        "spec": {
+          "template: {
+            "metadata": {
+              "annotations": {
+                "kubectl.kubernetes.io.restartedAt": previousrestarted
+              }
+            } 
           }
         }
       }
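Review bot: `"template: {` on both added lines of this hunk (under `object` and under `oldObject`) is missing the closing quote of the key, so this test file will not parse and none of the policy tests can run; it should read `"template": {` as in the later fixtures. The `oldObject` fixtures here and in the next hunk also still use the key `kubectl.kubernetes.io.restartedAt`, while the policy now strips `kubectl.kubernetes.io~1restartedAt`, i.e. the slash form, so the old annotation would not be removed before the comparison. Presumably the fixture key should become `"kubectl.kubernetes.io/restartedAt"`. The fixture function starts and ends outside the hunk.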
@@ -94,16 +102,24 @@ review_deployment_patch_existing(annotationname,annotationvalue,username,previou
         "kind": "Deployment"
       },
       "object": {
-        "metadata": {
-            "annotations": {
-                annotationname: annotationvalue
+        "spec": {
+          "template": {
+            "metadata": {
+              "annotations": {
+                  annotationname: annotationvalue
+              }
             }
+          }
         }
       },
       "oldObject": {
-        "metadata": {
-          "annotations": {
-            "kubectl.kubernetes.io.restartedAt": previousrestarted
+        "spec": {
+          "template": {
+            "metadata": {
+              "annotations": {
+                "kubectl.kubernetes.io.restartedAt": previousrestarted
+              }
+            }
           }
         }
       }
@@ -122,15 +138,23 @@ review_deployment_patch_absent(annotationname,annotationvalue,username) = out {
         "kind": "Deployment"
       },
       "oldObject": {
-        "metadata": {
-            "annotations": {}
+        "spec": {
+          "template": {
+            "metadata": {
+              "annotations": {}
+            }
+          }
         }
       }, 
       "object": {
-        "metadata": {
-            "annotations": {
-                annotationname: annotationvalue
+        "spec": {
+          "template": {
+            "metadata": {
+                "annotations": {
+                    annotationname: annotationvalue
+                }
             }
+          }
         }
       }
     }
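Review bot: The absent case only models an empty `annotations: {}` map in `oldObject`; a Deployment whose pod template has no `annotations` key at all is not covered. That is the input where the policy's `json.patch` `add` step is most likely to fail and leave the rule undefined, so it is the case most worth pinning. Add a fixture variant with `"metadata": {}` under `spec.template` and assert that a change by a non-admin user still yields a violation. The fixture function starts outside the hunk.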