diff --git a/modules/netns-isolation.nix b/modules/netns-isolation.nix
index cca9bbc..83230ed 100644
--- a/modules/netns-isolation.nix
+++ b/modules/netns-isolation.nix
@@ -75,6 +75,14 @@ in {
         };
       });
     };
+
+    allowedUser = mkOption {
+      type = types.str;
+      description = ''
+        User that is allowed to execute commands in the service network namespaces.
+        The user's group is also authorized.
+      '';
+    };
   };
 
   config = mkIf cfg.enable (mkMerge [
@@ -88,7 +96,7 @@ in {
     security.wrappers.netns-exec = {
       source = "${pkgs.nix-bitcoin.netns-exec}/netns-exec";
       capabilities = "cap_sys_admin=ep";
-      owner = "${config.nix-bitcoin.operatorName}";
+      owner = cfg.allowedUser;
       permissions = "u+rx,g+rx,o-rwx";
     };
 
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index e666ca1..d49307f 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@@ -238,6 +238,7 @@ in {
         [ cfg.hardware-wallets.group ]);
       openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
     };
+    nix-bitcoin.netns-isolation.allowedUser = operatorName;
     # Give operator access to onion hostnames
     services.onion-chef.enable = true;
     services.onion-chef.access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];
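Review bot: The description of the new `allowedUser` option understates what it grants and makes a claim the patch does not back: the value becomes the owner of the `netns-exec` security wrapper, which carries `cap_sys_admin=ep` (a capability that is effectively root-equivalent), and the sentence "The user's group is also authorized" only holds if the wrapper's `group` is set to that user's group, which nothing in this patch does. The option also has no default, so enabling netns-isolation outside the secure-node preset fails at evaluation until it is set; that is reasonable fail-closed behaviour but should be stated. Suggested description text: `User allowed to run the setcap (cap_sys_admin) netns-exec wrapper, i.e. to execute commands inside the service network namespaces. Required when netns-isolation is enabled; there is no default.`, dropping or hedging the group sentence unless the wrapper's group is actually tied to this user.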
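Review bot: `owner = cfg.allowedUser;` is set on the wrapper but no `group` is, while `permissions` keeps `g+rx`; nothing in the hunk ties the wrapper's group to the owner, so the group execute bit applies to whatever group the wrapper attribute defaults to, not to allowedUser's group, and a `cap_sys_admin` binary may be runnable by an unrelated group. Either add `group = config.users.users.${cfg.allowedUser}.group;` next to `owner` so the grant matches the option's description, or tighten to `permissions = "u+rx,g-rwx,o-rwx";` if only the single user is meant to run it. A one-line comment on the wrapper such as `# cap_sys_admin: only allowedUser (and its group) may run this` would make the trust boundary explicit.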
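Review bot: `nix-bitcoin.netns-isolation.allowedUser = operatorName;` is a plain assignment inside a preset, so a user who sets allowedUser in their own configuration gets a definition conflict instead of overriding the preset; if this is meant as a default, write it as `nix-bitcoin.netns-isolation.allowedUser = mkDefault operatorName;` (or `lib.mkDefault` if `lib` is not opened with `with` in this file, which I cannot see from the hunk). Since this hands the operator a cap_sys_admin wrapper, a short comment above the line explaining the grant would help, e.g. `# Let the operator run netns-exec (cap_sys_admin) to enter service network namespaces`.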