diff --git a/cm.sh b/cm.sh
index c2759f7cca50821996a5f2a03be67027f266ad6d..400039f5d9426224411dacb2c9708ac1194b1ffd 100755
--- a/cm.sh
+++ b/cm.sh
@@ -19,6 +19,7 @@
 # 2021-03-12  <axel.hahn@iml.unibe.ch>  create file for haproxy
 # 2021-03-22  <axel.hahn@iml.unibe.ch>  for haproxy: use chained cert instead of server cert
 # 2021-04-12  <axel.hahn@iml.unibe.ch>  reject multiple usage of fqdn in cli params
+# 2021-04-12  <axel.hahn@iml.unibe.ch>  optional: force excecution with a given user only
 # ======================================================================
 
 
@@ -220,6 +221,18 @@ function _testStaging(){
 	fi
 	echo
 }
+# internal function; if a user was set as CM_user then verify it with
+# current user
+function _testUser(){
+	if [ ! -z "$CM_user" ]; then
+		local _sUser=`id | cut -f 2 -d "(" | cut -f 1 -d ")"`
+		if [[ $_sUser != "$CM_user" ]]; then
+			echo "ERROR: Run this script under user [$CM_user] - not as $_sUser."
+			exit 1
+		fi
+	fi
+
+}
 
 # set update message in a file
 # param  string(s)  message
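Review bot: Parsing the default `id` output on the `local _sUser=` line is fragile. When the effective UID has no passwd entry, `id` prints `uid=N` without a parenthesised name, so the two `cut` calls return the primary group name instead and the comparison with `$CM_user` is made against the wrong value. `id -un` yields the effective user name directly, and splitting the declaration from the assignment keeps a failing `id` from being masked by `local`: `local _sUser; _sUser=$(id -un) || exit 1`. The error line would also be better sent to stderr with `>&2`, so callers such as a deployment tool can separate it from normal output.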
@@ -528,6 +541,7 @@ if [ $? -ne 0 ]; then
 	exit 1
 fi
 
+_testUser
 _testStaging
 
 test -z "${CM_diracme}" && CM_diracme=./certs
diff --git a/inc_config.sh.dist b/inc_config.sh.dist
index a5574099c8e14986e0783e94c873601b2e8988dc..9b12fcd6c70a19cf5fe838c28f58d5fe11530fa6 100644
--- a/inc_config.sh.dist
+++ b/inc_config.sh.dist
@@ -43,4 +43,9 @@ export ACME=../acme.sh/acme.sh
 # have no permission
 # export CM_certmatch="\.example\.com"
 
+# optional: force a user to execute cm.sh
+# this is for a central installation with a software deployment
+# like Ansible or puppet; default: none (=any user can run cm.sh)
+# export CM_user="ansible"
+
 # ----------------------------------------------------------------------
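Review bot: The comment says `CM_user` will "force a user", which overstates what the check in cm.sh does. It only compares the caller's name with a variable taken from this config file, and apparently from the environment if the config leaves it unset. Anyone able to edit the config or run their own copy of the script is therefore not restricted by it. I would add a line such as `# note: this guards against accidental runs as the wrong user; it is not an access control - protect keys and certs with file ownership and permissions`. It is worth also stating that the config file itself should be writable only by the deployment user.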
diff --git a/readme.md b/readme.md
index 60bb6effddf1137f98df539fa17428a45fd84e15..127e83296c26c982fea3155c50d5b812d54a17c3 100644
--- a/readme.md
+++ b/readme.md
@@ -25,9 +25,9 @@ A suggested structure is having acme.sh and this wrapper below the same parent d
 ```text
 /opt/letsenecrypt/
   |
-  +-- acms.sh/
+  +-- acme.sh/
   |     |
-  |     + acms.sh
+  |     + acme.sh
   |     + ...
   |
   +-- iml-certman/