diff --git a/config/authorization/config.lisp b/config/authorization/config.lisp
index 6cb0405..5c2329f 100644
--- a/config/authorization/config.lisp
+++ b/config/authorization/config.lisp
@@ -55,7 +55,7 @@
 ;; specifications can be folded too. This could help when building
 ;; indexes.
-(define-graph timesheet ("http://mu.semte.ch/graphs/redpencil")
+(define-graph timesheet ("http://mu.semte.ch/graphs/employees/")
 ("cal:Vevent" -> _)
 ("skos:Collection" -> _)
 ("foaf:Person" -> _)
@@ -109,29 +109,47 @@
 foaf:member ?user .
 } LIMIT 1")
-
 (supply-allowed-group "employee"
- :parameters ()
+ :parameters ("employeeId")
 :query "PREFIX session:
 PREFIX foaf:
 PREFIX mu:
- SELECT ?account WHERE {
+ SELECT ?account ?employeeId WHERE {
 session:account ?account .
 ?user foaf:account ?account .
 foaf:member ?user .
+ ?user mu:uuid ?employeeId .
 } LIMIT 1")
+(supply-allowed-group "kimai-each-employee"
+ :parameters ("employeeId")
+ :query "PREFIX foaf:
+ PREFIX mu:
+ SELECT ?employeeId WHERE {
+ foaf:member ?user .
+ ?user mu:uuid ?employeeId .
+ }")
+
+;; workaroud to avoid allowed-groups to be discarded because they don't have a grant
 (grant (read)
- :to-graph (static)
- :for-allowed-group "public")
+ :to-graph (static)
+ :for-allowed-group "public")
+
+(grant (read)
+ :to-graph (static)
+ :for-allowed-group "kimai-each-employee")
+;; end workaround
 (with-scope "http://services.redpencil.io/timekeeper-kimai-sync-service"
 (grant (read write)
- :to-graph (kimai timesheet)
+ :to-graph (kimai)
 :for-allowed-group "public")
 (grant (read)
 :to-graph (users)
- :for-allowed-group "public")
+ :for-allowed-group "public")
+ (grant (read write)
+ :to-graph (timesheet)
+ :for-allowed-group "kimai-each-employee"))
 (grant (read write)
 :to-graph (timesheet)
diff --git a/config/migrations/20241219140000-move-timesheet-employee-specific-graph.sparql b/config/migrations/20241219140000-move-timesheet-employee-specific-graph.sparql
new file mode 100644
index 0000000..1441570
--- /dev/null
+++ b/config/migrations/20241219140000-move-timesheet-employee-specific-graph.sparql
@@ -0,0 +1,38 @@
+PREFIX skos:
+PREFIX prov:
+PREFIX cal:
+PREFIX mu:
+DELETE {
+ GRAPH {
+ ?s ?p ?o .
+ }
+} INSERT {
+ GRAPH ?g {
+ ?s ?p ?o .
+ }
+} WHERE {
+ GRAPH {
+ ?s a skos:Collection .
+ ?s ?p ?o .
+ ?s prov:wasAssociatedWith ?employee .
+ }
+ ?employee mu:uuid ?employeeId .
+ BIND(IRI(CONCAT("http://mu.semte.ch/graphs/employees/", ?employeeId)) AS ?g)
+};
+DELETE {
+ GRAPH {
+ ?s ?p ?o .
+ }
+} INSERT {
+ GRAPH ?g {
+ ?s ?p ?o .
+ }
+} WHERE {
+ GRAPH {
+ ?s a cal:Vevent .
+ ?s ?p ?o .
+ ?s prov:wasAssociatedWith ?employee .
+ }
+ ?employee mu:uuid ?employeeId .
+ BIND(IRI(CONCAT("http://mu.semte.ch/graphs/employees/", ?employeeId)) AS ?g)
+}
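Review bot: The new IRI `http://mu.semte.ch/graphs/employees/` in the define-graph hunk is no longer a single graph but a prefix that, as far as I understand mu-authorization, only becomes a concrete graph once the employeeId parameter of a matching allowed-group is appended, yet nothing next to `define-graph timesheet` says so. A comment such as `;; per-employee graph: this prefix + the employee's mu:uuid, supplied by the employeeId parameter of the "employee" and "kimai-each-employee" groups below` would stop a reader treating it as one shared graph. The graph definition still lists `("foaf:Person" -> _)`, so a Person written under an employee-scoped group now lands in that employee's graph, while the accompanying migration moves only skos:Collection and cal:Vevent out of the old `graphs/redpencil` graph; confirm that is intended, because foaf:Person data left in the old graph is not readable under this config anymore.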
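Review bot: The `kimai-each-employee` query binds no session at all, so mu-authorization will attach that group — one entry per employee — to every request it evaluates, not only to requests from the sync service, and the unscoped workaround `(grant (read) :to-graph (static) :for-allowed-group "kimai-each-employee")` makes the group effective for all of them; the allowed-groups value every request carries (and any cache keyed on it) therefore grows linearly with the number of employees. If the unscoped grant exists only so the group survives until the scoped timesheet grant is evaluated, the comment should name that behaviour: replace `;; workaroud to avoid allowed-groups to be discarded because they don't have a grant` with `;; workaround: [mu-authorization behaviour being worked around] drops an allowed-group with no unscoped grant, so this no-op read on static keeps kimai-each-employee available for the scoped timesheet grant below`. Adding `?user mu:uuid ?employeeId .` to the `employee` query also means a member whose foaf:Person has no mu:uuid no longer receives the employee group at all, where the previous query still matched; check that every member has a uuid before deploying. The trailing `(grant (read write) :to-graph (timesheet)` form continues outside the hunk.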
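Review bot: Both update blocks move only resources that carry `prov:wasAssociatedWith` pointing at an employee with a `mu:uuid`; a Collection or Vevent without that link, or linked to an employee lacking a uuid, stays in the old graph (its IRI is stripped in this rendering), where the revised authorization config grants nobody access, so it silently disappears from the application. Inbound triples with the moved resource as object are also left behind, since each WHERE clause only binds `?s ?p ?o` with the resource as subject. I would add a pre-flight or follow-up SELECT that counts skos:Collection and cal:Vevent subjects remaining in the old graph and fails the migration loudly when it is non-zero, plus a header comment stating the invariant, e.g. `# every skos:Collection / cal:Vevent must be linked via prov:wasAssociatedWith to an employee with a mu:uuid; anything else is deliberately left in the old graph`. The two blocks differ only in the rdf:type, so a single block with `VALUES ?type { skos:Collection cal:Vevent }` and `?s a ?type .` would keep them from drifting apart.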