diff --git a/pillar.example b/pillar.example
index 040537a7..476c1360 100644
--- a/pillar.example
+++ b/pillar.example
@@ -68,10 +68,11 @@ postgres:
 # databases they can access. Records take one of these forms:
 #
 # acls:
- # - ['local', 'DATABASE', 'USER', 'METHOD']
- # - ['host', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
- # - ['hostssl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
- # - ['hostnossl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
+ # group:
+ # - ['local', 'DATABASE', 'USER', 'METHOD']
+ # - ['host', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
+ # - ['hostssl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
+ # - ['hostnossl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
 #
 # The uppercase items must be replaced by actual values.
 # METHOD could be omitted, 'md5' will be appended by default.
@@ -81,10 +82,13 @@ postgres:
 # If ``acls`` item value is empty ('', [], null), then the contents of
 # ``pg_hba.conf`` file will not be touched at all.
 acls:
- - ['local', 'db0', 'connuser', 'peer map=users_as_appuser']
- - ['local', 'db1', 'localUser']
- - ['host', 'db2', 'remoteUser', '192.168.33.0/24']
- - ['host', 'all', 'all', '127.0.0.1/32', 'md5']
+ db1:
+ - ['local', 'db0', 'connuser', 'peer map=users_as_appuser']
+ - ['local', 'db1', 'localUser']
+ db2:
+ - ['host', 'db2', 'remoteUser', '192.168.33.0/24']
+ all:
+ - ['host', 'all', 'all', '127.0.0.1/32', 'md5']
 
 identity_map:
 - ['users_as_appuser', 'jdoe', 'connuser']
diff --git a/postgres/templates/pg_hba.conf.j2 b/postgres/templates/pg_hba.conf.j2
index 0dfcc4e4..52f2a4e8 100644
--- a/postgres/templates/pg_hba.conf.j2
+++ b/postgres/templates/pg_hba.conf.j2
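Review bot: The new comment block documents the grouped form but not that the template writes groups in `dictsort` order of their keys, which matters because pg_hba.conf is first-match: a broadly scoped group whose key sorts early (in the second hunk, `all` sorts before `db1` and `db2`) lands ahead of more specific rules and takes precedence over them wherever the TYPE/DATABASE/USER/ADDRESS fields overlap. Suggest adding after the `group:` example: `# Groups are written to pg_hba.conf in sorted key order, and PostgreSQL uses the first matching record, so name groups (e.g. with a numeric prefix) to control precedence; a plain list is still accepted and treated as one group.` The group key itself is never rendered (`for _, group`), so in the second hunk naming the group that holds the `db0` rule `db1` is misleading, and keys that state the intended order would serve the example better.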
@@ -20,21 +20,26 @@ local all postgres peer
 # TYPE DATABASE USER ADDRESS METHOD
-{% for acl in acls %}
- {%- if acl|first() == 'local' %}
+{%- if acls is list -%}
+ {%- set acls = {'_all': acls} %}
+{%- endif %}
+{%- for _, group in acls|dictsort %}
+ {%- for acl in group %}
+ {%- if acl|first() == 'local' %}
 
- {%- if acl|length() == 3 %}
- {%- do acl.extend(['', 'md5']) %}
- {%- elif acl|length() == 4 %}
- {%- do acl.insert(3, '') %}
- {%- endif %}
+ {%- if acl|length() == 3 %}
+ {%- do acl.extend(['', 'md5']) %}
+ {%- elif acl|length() == 4 %}
+ {%- do acl.insert(3, '') %}
+ {%- endif %}
 
- {%- else %}
+ {%- else %}
 
- {%- if acl|length() == 4 %}
- {%- do acl.append('md5') %}
- {%- endif %}
+ {%- if acl|length() == 4 %}
+ {%- do acl.append('md5') %}
+ {%- endif %}
 
- {%- endif %}
+ {%- endif %}
 {{ '{0:<7} {1:<15} {2:<15} {3:<23} {4}'.format(*acl) }}
-{% endfor %}
+ {%- endfor %}
+{%- endfor %}