diff --git a/fas/client/fas.conf b/fas/client/fas.conf index 58e06a6..d878c7a 100644 --- a/fas/client/fas.conf +++ b/fas/client/fas.conf @@ -28,6 +28,10 @@ restricted_groups = sysadmin ; security meaning ssh_restricted_groups = sysadmin-web +; aliases_template: Gets prepended to the aliases file when it is generated by +; fasClient +aliases_template = /tmp/template.txt + [users] ; default shell given to people in [host] groups shell = /bin/bash @@ -44,7 +48,7 @@ home_backup_dir = /tmp/fedora ; is a powerfull way to restrict access to a machine. An alternative example ; could be given to people who should only have cvs access on the machine. ; setting this value to "/usr/bin/cvs server" would do this. -ssh_restricted_app = /usr/local/bin/restricted-shell +ssh_restricted_app = "/usr/bin/cvs server" ; restricted_shell - The shell given to users in the ssh_restricted_groups restricted_shell = /sbin/nologin diff --git a/fas/fas/auth.py b/fas/fas/auth.py index 551e062..fad4a96 100644 --- a/fas/fas/auth.py +++ b/fas/fas/auth.py @@ -15,14 +15,13 @@ def isAdmin(person): ''' admingroup = config.get('admingroup') try: - group = Groups.by_name(admingroup) - except InvalidRequestError: + if person.group_roles[admingroup].role_status == 'approved': + return True + else: + return False + except KeyError: print '%s - Your admin group could not be found!' % admingroup return False - if group in person.approved_memberships: - return True - else: - return False def canAdminGroup(person, group): ''' 
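Review bot: The shipped default `aliases_template = /tmp/template.txt` in the first fas.conf hunk points into a world-writable directory, so on a multi-user host any local account can create or replace the file whose contents fasClient prepends to the generated aliases file. An aliases file is typically consumed by the mail system with elevated privileges, so the template belongs in a root-owned location, for example `aliases_template = /etc/fas/aliases.template` (placeholder path; use the directory the client config is installed in). The option comment could also state the requirement: `; must be owned by root and not writable by other users`. The code that reads this option is not part of the diff, so it is not visible here whether it checks ownership or follows symlinks.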
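Review bot: The new default `ssh_restricted_app = "/usr/bin/cvs server"` in the second fas.conf hunk keeps the double quotes as part of the value if the client reads this file with a plain INI parser, which does not strip them. The reader is outside this diff, so confirm how the value is placed into the forced command. The change also replaces the restricted-shell wrapper as the shipped default for everyone in ssh_restricted_groups, while the surrounding comment still presents cvs as the alternative example. If the intent was only to try the example locally, keep `ssh_restricted_app = /usr/local/bin/restricted-shell` as the default; otherwise write the value unquoted and update the comment to match.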
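Review bot: In isAdmin (fas/fas/auth.py) the `except KeyError` branch now fires for every person who simply has no role in the admin group, not only when the group is missing. The "Your admin group could not be found!" message is therefore printed on each ordinary non-admin check and no longer indicates misconfiguration. The removed `Groups.by_name` lookup distinguished the two cases; the new dictionary lookup cannot. Reading the mapping without an exception keeps the fail-closed result and drops the misleading output: `role = person.group_roles.get(admingroup)` followed by `return role is not None and role.role_status == 'approved'`. An unset `admingroup` setting is better reported through the application log than with `print`.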
@@ -74,29 +73,26 @@ def signedCLAPrivs(person): ''' Returns True if the user has completed the GPG-signed CLA ''' + cla_sign_group =config.get('cla_sign_group') try: - cla_sign_group = Groups.by_name(config.get('cla_sign_group')) - except InvalidRequestError: - turbogears.flash(_("cla_sign_group Does not exist! Please create it!")) - return False - if isApproved(person, cla_sign_group): - return True - else: + if person.group_roles[cla_sign_group].role_status == 'approved': + return True + else: + return False + except KeyError: return False def clickedCLAPrivs(person): ''' Returns True if the user has completed the click-through CLA ''' + cla_click_group = config.get('cla_click_group') try: - cla_click_group = Groups.by_name(config.get('cla_click_group')) - except InvalidRequestError: - turbogears.flash(_("cla_click_group Does not exist! Please create it!")) - return False - if signedCLAPrivs(person) or \ - isApproved(person, cla_click_group): - return True - else: + if person.group_roles[cla_click_group].role_status == 'approved': + return True + else: + return False + except KeyError: return False def canEditUser(person, target): diff --git a/fas/fas/model.py b/fas/fas/model.py index 2b277bb..4664b5c 100644 --- a/fas/fas/model.py +++ b/fas/fas/model.py @@ -34,7 +34,7 @@ from sqlalchemy.orm import relation from sqlalchemy import String, Unicode, Integer, DateTime # A few sqlalchemy tricks: # Allow viewing foreign key relations as a dictionary -from sqlalchemy.orm.collections import column_mapped_collection +from sqlalchemy.orm.collections import column_mapped_collection, attribute_mapped_collection # Allow us to reference the remote table of a many:many as a simple list from sqlalchemy.ext.associationproxy import association_proxy from sqlalchemy import select, and_ 
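Review bot: clickedCLAPrivs no longer returns True for a person whose only CLA approval is the signed one: the removed lines tested `signedCLAPrivs(person) or isApproved(person, cla_click_group)`, and the new body tests the click-through role alone. Any caller that gates access on clickedCLAPrivs will now deny signed-CLA users unless they also hold the click group role. If that is intended it deserves a line in the commit message; otherwise restore it with `role = person.group_roles.get(cla_click_group)` and `return signedCLAPrivs(person) or (role is not None and role.role_status == 'approved')`. Both functions also lose the flash that reported a missing CLA group, so a wrong `cla_sign_group` or `cla_click_group` setting now silently denies everyone. That result is fail-closed, but the misconfiguration should still be logged.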
@@ -294,6 +294,7 @@ class PersonRoles(SABase): '''Record people that are members of groups.''' def __repr__(cls): return "PersonRole(%s,%s,%s,%s)" % (cls.member.username, cls.group.name, cls.role_type, cls.role_status) + groupname = association_proxy('group', 'name') class Configs(SABase): '''Configs for applications that a Fedora Contributor uses.''' @@ -412,10 +413,10 @@ class VisitIdentity(SABase): # mappers for filtering roles # mapper(ApprovedRoles, ApprovedRolesSelect, properties = { - 'group': relation(Groups, backref='approved_roles') + 'group': relation(Groups, backref='approved_roles', lazy = False) }) mapper(UnApprovedRoles, UnApprovedRolesSelect, properties = { - 'group': relation(Groups, backref='unapproved_roles') + 'group': relation(Groups, backref='unapproved_roles', lazy = False) }) mapper(People, PeopleTable, properties = { @@ -425,6 +426,10 @@ mapper(People, PeopleTable, properties = { 'person_emails': relation(PersonEmails, backref = 'person', collection_class = column_mapped_collection( PersonEmailsTable.c.email)), + # This name is kind of confusing. It's to allow person.group_roles['groupname'] in order to make auth.py (hopefully) slightly faster. + 'group_roles': relation(PersonRoles, + collection_class = attribute_mapped_collection('groupname'), + primaryjoin = PeopleTable.c.id==PersonRolesTable.c.person_id), 'approved_roles': relation(ApprovedRoles, backref='member', primaryjoin = PeopleTable.c.id==ApprovedRoles.c.person_id), 'unapproved_roles': relation(UnApprovedRoles, backref='member', 
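Review bot: The `group_roles` mapping added to the People mapper (third model.py hunk here) holds every PersonRoles row for the person, including unapproved ones, unlike the neighbouring `approved_roles` relation, and the added comment does not say so. A membership test such as `groupname in person.group_roles` would treat a pending applicant as a member; the auth.py callers in this diff do check `role_status`, but a later caller may not. I would extend the comment to `# Keyed by group name; holds roles of ANY status, so callers must check role_status == 'approved'.` The relation also has no backref while `PersonRoles.member` already exposes `roles` over the same join, so marking it `viewonly = True` may be worth considering if it is only meant for lookups. The mapper(People, ...) call starts and ends outside the hunk.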
@@ -436,9 +441,10 @@ mapper(EmailPurposes, EmailPurposesTable, properties = { primaryjoin = PersonEmailsTable.c.id==EmailPurposesTable.c.email_id) }) mapper(PersonRoles, PersonRolesTable, properties = { - 'member': relation(People, backref = 'roles', + 'member': relation(People, backref = 'roles', lazy = False, primaryjoin=PersonRolesTable.c.person_id==PeopleTable.c.id), - 'group': relation(Groups, backref='roles'), + 'group': relation(Groups, backref='roles', lazy = False, + primaryjoin=PersonRolesTable.c.group_id==GroupsTable.c.id), 'sponsor': relation(People, uselist=False, primaryjoin = PersonRolesTable.c.sponsor_id==PeopleTable.c.id) }) diff --git a/fas/fas/templates/group/view.html b/fas/fas/templates/group/view.html index 8b52457..bbfd22f 100644 --- a/fas/fas/templates/group/view.html +++ b/fas/fas/templates/group/view.html @@ -81,38 +81,38 @@ ${_('Action')} - - ${role.member.username} - ${role.sponsor.username} - ${_('None')} - ${role.creation.astimezone(timezone).strftime('%Y-%m-%d %H:%M:%S %Z')} - ${role.approval.astimezone(timezone).strftime('%Y-%m-%d %H:%M:%S %Z')} - ${_('None')} - ${role.role_status} - ${role.role_type} + + ${role[1].member.username} + ${role.sponsor.username} + ${_('None')} + ${role[1].creation.astimezone(timezone).strftime('%Y-%m-%d %H:%M:%S %Z')} + ${role[1].approval.astimezone(timezone).strftime('%Y-%m-%d %H:%M:%S %Z')} + ${_('None')} + ${role[1].role_status} + ${role[1].role_type} diff --git a/fas/fas/templates/home.html b/fas/fas/templates/home.html index cad0c93..40c6c9a 100644 --- a/fas/fas/templates/home.html +++ b/fas/fas/templates/home.html @@ -29,7 +29,7 @@
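Review bot: One expression on the new side of the group/view.html hunk is still `${role.sponsor.username}` while every other access was changed to `role[1]...`. The page markup was stripped from this view, so the loop and any `py:if` guards are not visible. If `role` is now a (key, PersonRoles) pair from iterating the mapped collection, attribute access on the tuple will fail when a sponsored role is rendered. It should presumably read `${role[1].sponsor.username}`, and any guard attribute on that element needs the same change.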
  • ${_('CLA Not Signed. To become a full Fedora Contributor please ')}${_('sign the CLA')}.
  • -
  • You have not submitted an SSH key, some Fedora resources require an ssh. Please submit yours by editing My Account
  • +
  • You have not submitted an SSH key, some Fedora resources require an ssh key. Please submit yours by editing My Account