diff --git a/src/main/java/com/atomgraph/linkeddatahub/server/filter/request/AuthorizationFilter.java b/src/main/java/com/atomgraph/linkeddatahub/server/filter/request/AuthorizationFilter.java
index af0fca4e2..0948cfe3c 100644
--- a/src/main/java/com/atomgraph/linkeddatahub/server/filter/request/AuthorizationFilter.java
+++ b/src/main/java/com/atomgraph/linkeddatahub/server/filter/request/AuthorizationFilter.java
@@ -158,7 +158,7 @@ public void filter(ContainerRequestContext request) throws IOException
 public QuerySolutionMap getAuthorizationParams(Resource absolutePath, Resource agent, Resource accessMode)
 {
 QuerySolutionMap qsm = new QuerySolutionMap();
- qsm.add(SPIN.THIS_VAR_NAME, absolutePath);
+ qsm.add("thisValue", absolutePath); // ?this is now assigned using VALUES
 qsm.add("Mode", accessMode);
 qsm.add(LDT.Ontology.getLocalName(), getApplication().getOntology());
 qsm.add(LDT.base.getLocalName(), getApplication().getBase());
diff --git a/src/main/webapp/WEB-INF/web.xml b/src/main/webapp/WEB-INF/web.xml
index 27c714494..76abb4fe8 100644
--- a/src/main/webapp/WEB-INF/web.xml
+++ b/src/main/webapp/WEB-INF/web.xml
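Review bot: The parameter name `"thisValue"` in getAuthorizationParams is a bare string literal that has to match the `$thisValue` placeholder in the authorization queries, and nothing on this line enforces that. If a deployment still supplies a query written against `$this` (presumably possible, since the queries live in web.xml; confirm), that variable is no longer bound, and a pattern such as `?auth acl:accessTo $this` would match an authorization for any resource rather than the requested one. I would introduce a named constant, e.g. `public static final String THIS_VALUE_VAR_NAME = "thisValue";`, and reject at startup any configured authorization query that does not contain `$thisValue`, so a stale query fails closed. The method body continues past the end of the hunk.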
@@ -29,41 +29,37 @@ DESCRIBE ?auth FROM WHERE { - { ?auth acl:agent $agent} - UNION - { ?auth acl:agentGroup ?Group . - ?Group foaf:member $agent - } - UNION - { ?auth acl:agentClass foaf:Agent } - UNION - { ?auth acl:agentClass $AuthenticatedAgentClass } + VALUES ?this { $thisValue } + { + SELECT ?auth ?this ?Type + { + { ?auth acl:agent $agent} + UNION + { ?auth acl:agentGroup ?Group . + ?Group foaf:member $agent + } + UNION + { ?auth acl:agentClass foaf:Agent } + UNION + { ?auth acl:agentClass $AuthenticatedAgentClass } - ?auth acl:mode $Mode . + ?auth acl:mode $Mode . - { ?auth acl:accessTo $this } - UNION - { ?auth acl:accessTo $Container - SERVICE $endpoint - { GRAPH $Container - { { $Container a def:Root } - UNION - { $Container a dh:Container } - } - FILTER NOT EXISTS { GRAPH $this - { $this ?thisP ?thisO } - } - } - } - UNION - { { ?auth acl:accessToClass ?Type } - UNION - { ?auth acl:accessToClass ?Class . - ?Type (rdfs:subClassOf)* ?Class - } - SERVICE $endpoint - { { GRAPH $this - { $this a ?Type } + { ?auth acl:accessTo ?this } + UNION + { ?auth acl:accessToClass ?Type } + UNION + { ?auth acl:accessToClass ?Class . + ?Type (rdfs:subClassOf)* ?Class + } + } + } + SERVICE $endpoint + { + SELECT ?this ?Type + { + { GRAPH ?this + { ?this a ?Type } } UNION { GRAPH $Container @@ -72,18 +68,18 @@ WHERE { $Container a dh:Container } $Container a ?Type } - FILTER NOT EXISTS { GRAPH $this - { $this ?thisP ?thisO } + FILTER NOT EXISTS { GRAPH ?this + { ?this ?thisP ?thisO } } } UNION { GRAPH ?g - { $this a ; + { ?this a ; a ?Type } } } - } + } } ]]> @@ -98,7 +94,10 @@ PREFIX sioc: DESCRIBE ?auth FROM WHERE - { { ?auth acl:mode acl:Control . + { + VALUES ?this { $thisValue } + + { ?auth acl:mode acl:Control . ?doc foaf:primaryTopic ?auth { ?auth acl:agent $agent } UNION 
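Review bot: `?this` is bound only by the outer `VALUES ?this { $thisValue }`, but the `SELECT ?this ?Type` sub-select under `SERVICE $endpoint` uses it as an ordinary variable, and under bottom-up SPARQL evaluation the outer binding is not in scope there unless the engine pushes it in. If it is not pushed in, `GRAPH ?this { ?this a ?Type }` ranges over every graph at the endpoint, and `FILTER NOT EXISTS { GRAPH ?this { ?this ?thisP ?thisO } }` in the following hunk (-72,18) no longer asks whether the requested document exists. The container branch would then also return rows with `?this` unbound, which join with whatever resource was requested. Repeating `VALUES ?this { $thisValue }` as the first line inside the SERVICE sub-select would pin the check to the requested resource regardless of how the join is executed. A regression test for a request to a document that does not exist yet would confirm the access decision is unchanged.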
@@ -109,12 +108,12 @@ WHERE UNION { ?auth acl:agentClass $AuthenticatedAgentClass ; acl:mode $Mode - { ?auth acl:accessTo $this + { ?auth acl:accessTo ?this OPTIONAL - { $this a ?Type } + { ?this a ?Type } } UNION - { $this a ?Type + { ?this a ?Type { ?auth acl:accessToClass ?Type } UNION { ?auth acl:accessToClass ?Class . @@ -125,12 +124,12 @@ WHERE UNION { ?auth acl:agentClass foaf:Agent ; acl:mode acl:Read - { ?auth acl:accessTo $this + { ?auth acl:accessTo ?this OPTIONAL - { $this a ?Type } + { ?this a ?Type } } UNION - { $this a ?Type + { ?this a ?Type { ?auth acl:accessToClass ?Type } UNION { ?auth acl:accessToClass ?Class . @@ -138,7 +137,7 @@ WHERE } } # only namespace, signup, OAuth2 login and WebID profiles can be public in admin app, nothing else - FILTER ( $this IN (uri(concat(str($base), "ns")), uri(concat(str($base), "sign%20up")), uri(concat(str($base), "oauth2/login")), uri(concat(str($base), "oauth2/authorize/google"))) || strstarts(str($this), concat(str($base), "acl/agents/")) || strstarts(str($this), concat(str($base), "acl/public-keys/"))) + FILTER ( ?this IN (uri(concat(str($base), "ns")), uri(concat(str($base), "sign%20up")), uri(concat(str($base), "oauth2/login")), uri(concat(str($base), "oauth2/authorize/google"))) || strstarts(str(?this), concat(str($base), "acl/agents/")) || strstarts(str(?this), concat(str($base), "acl/public-keys/"))) } } ]]>
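Review bot: The public-access exemption in the last hunk (-138,7) tests `?this` as a plain string, e.g. `strstarts(str(?this), concat(str($base), "acl/agents/"))`, so it is only as strict as the URI that gets bound to `$thisValue`. Nothing in these hunks shows whether that value is normalized before it is bound; if it is not, the prefix tests and the later resource lookup may not be evaluating the same URI. I would document the assumption next to the filter, e.g. `# ?this must be the normalized absolute request URI; the tests below are string comparisons`, and confirm it at the point where the parameter is set.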