diff --git a/changelog/unreleased/eos-acl-optimization.md b/changelog/unreleased/eos-acl-optimization.md
new file mode 100644
index 0000000000..038bb6bdf2
--- /dev/null
+++ b/changelog/unreleased/eos-acl-optimization.md
@@ -0,0 +1,3 @@
+Enhancement: Minor optimization in parsing EOS ACLs
+
+https://github.com/cs3org/reva/pull/1855
diff --git a/cmd/reva/ocm-invite-forward.go b/cmd/reva/ocm-invite-forward.go
index 8af0869c3d..219132fc75 100644
--- a/cmd/reva/ocm-invite-forward.go
+++ b/cmd/reva/ocm-invite-forward.go
@@ -45,7 +45,7 @@ func ocmInviteForwardCommand() *command {
 			return errors.New("token cannot be empty: use -token flag\n" + cmd.Usage())
 		}
 		if *idp == "" {
-			return errors.New("Provider domain cannot be empty: use -provider flag\n" + cmd.Usage())
+			return errors.New("Provider domain cannot be empty: use -idp flag\n" + cmd.Usage())
 		}
 
 		ctx := getAuthContext()
diff --git a/pkg/storage/utils/eosfs/eosfs.go b/pkg/storage/utils/eosfs/eosfs.go
index f5888a48f6..39e0186cea 100644
--- a/pkg/storage/utils/eosfs/eosfs.go
+++ b/pkg/storage/utils/eosfs/eosfs.go
@@ -1520,12 +1520,16 @@ func (fs *eosfs) permissionSet(ctx context.Context, eosFileInfo *eosclient.FileI
 	var perm provider.ResourcePermissions
 	for _, e := range eosFileInfo.SysACL.Entries {
 		var userInGroup bool
-		for _, g := range u.Groups {
-			if e.Qualifier == g {
-				userInGroup = true
+		if e.Type == acl.TypeGroup {
+			for _, g := range u.Groups {
+				if e.Qualifier == g {
+					userInGroup = true
+					break
+				}
 			}
 		}
-		if e.Qualifier == uid || userInGroup {
+
+		if (e.Type == acl.TypeUser && e.Qualifier == uid) || userInGroup {
 			mergePermissions(&perm, grants.GetGrantPermissionSet(e.Permissions, eosFileInfo.IsDir))
 		}
 	}