diff --git a/cmd/zrok/access_private.go b/cmd/zrok/access_private.go
index 345d5c10..0e4bc1df 100644
--- a/cmd/zrok/access_private.go
+++ b/cmd/zrok/access_private.go
@@ -15,8 +15,13 @@ import (
 	"syscall"
 )
 
+func init() {
+	accessCmd.AddCommand(newAccessPrivateCommand().cmd)
+}
+
 type accessPrivateCommand struct {
-	cmd *cobra.Command
+	cmd         *cobra.Command
+	bindAddress string
 }
 
 func newAccessPrivateCommand() *accessPrivateCommand {
@@ -27,6 +32,7 @@ func newAccessPrivateCommand() *accessPrivateCommand {
 	}
 	command := &accessPrivateCommand{cmd: cmd}
 	cmd.Run = command.run
+	cmd.Flags().StringVarP(&command.bindAddress, "bind", "b", "0.0.0.0:9191", "The address to bind the private frontend")
 	return command
 }
 
@@ -63,6 +69,7 @@ func (cmd *accessPrivateCommand) run(_ *cobra.Command, args []string) {
 	}
 
 	cfg := private_frontend.DefaultConfig("backend")
+	cfg.Address = cmd.bindAddress
 
 	c := make(chan os.Signal)
 	signal.Notify(c, os.Interrupt, syscall.SIGTERM)
diff --git a/cmd/zrok/main.go b/cmd/zrok/main.go
index f092ad71..5e333c80 100644
--- a/cmd/zrok/main.go
+++ b/cmd/zrok/main.go
@@ -15,6 +15,7 @@ func init() {
 	rootCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "Enable verbose logging")
 	rootCmd.PersistentFlags().BoolVarP(&panicInstead, "panic", "p", false, "Panic instead of showing pretty errors")
 	zrokdir.AddZrokApiEndpointFlag(&apiEndpoint, rootCmd.PersistentFlags())
+	rootCmd.AddCommand(accessCmd)
 	rootCmd.AddCommand(httpCmd)
 	rootCmd.AddCommand(shareCmd)
 }
diff --git a/cmd/zrok/share_private.go b/cmd/zrok/share_private.go
index 7c2f95b1..09c769b0 100644
--- a/cmd/zrok/share_private.go
+++ b/cmd/zrok/share_private.go
@@ -138,7 +138,7 @@ func (cmd *sharePrivateCommand) run(_ *cobra.Command, args []string) {
 		}
 	}()
 
-	logrus.Infof("share your zrok service; use this command for access: 'zrok serve private %v'", resp.Payload.SvcName)
+	logrus.Infof("share your zrok service; use this command for access: 'zrok access private %v'", resp.Payload.SvcName)
 
 	for {
 		time.Sleep(30 * time.Second)
diff --git a/controller/access.go b/controller/access.go
index 9173dee1..3360b22b 100644
--- a/controller/access.go
+++ b/controller/access.go
@@ -5,6 +5,7 @@ import (
 	"github.com/openziti-test-kitchen/zrok/controller/store"
 	"github.com/openziti-test-kitchen/zrok/rest_model_zrok"
 	"github.com/openziti-test-kitchen/zrok/rest_server_zrok/operations/service"
+	rest_model_edge "github.com/openziti/edge/rest_model"
 	"github.com/sirupsen/logrus"
 )
 
@@ -66,7 +67,8 @@ func (h *accessHandler) Handle(params service.AccessParams, principal *rest_mode
 		return service.NewAccessInternalServerError()
 	}
 
-	if err := createServicePolicyDial(envZId, ssvc.Name, ssvc.ZId, edge); err != nil {
+	extraTags := &rest_model_edge.Tags{SubTags: map[string]interface{}{"zrokEnvironmentZId": envZId}}
+	if err := createServicePolicyDial(envZId, ssvc.Name, ssvc.ZId, edge, extraTags); err != nil {
 		logrus.Errorf("unable to create dial policy: %v", err)
 		return service.NewAccessInternalServerError()
 	}
diff --git a/controller/controller.go b/controller/controller.go
index 411dda6f..a24cc37b 100644
--- a/controller/controller.go
+++ b/controller/controller.go
@@ -36,6 +36,7 @@ func Run(inCfg *Config) error {
 	api.MetadataVersionHandler = metadata.VersionHandlerFunc(versionHandler)
 	api.ServiceAccessHandler = newAccessHandler()
 	api.ServiceShareHandler = newShareHandler()
+	api.ServiceUnaccessHandler = newUnaccessHandler()
 	api.ServiceUnshareHandler = newUnshareHandler()
 
 	if err := controllerStartup(); err != nil {
diff --git a/controller/edge.go b/controller/edge.go
index 5390f654..965e6919 100644
--- a/controller/edge.go
+++ b/controller/edge.go
@@ -109,7 +109,14 @@ func deleteServicePolicyBind(envZId, svcName string, edge *rest_management_api_c
 	return deleteServicePolicy(envZId, fmt.Sprintf("tags.zrokServiceName=\"%v\" and type=2", svcName), edge)
 }
 
-func createServicePolicyDial(envZId, svcName, svcZId string, edge *rest_management_api_client.ZitiEdgeManagement) error {
+func createServicePolicyDial(envZId, svcName, svcZId string, edge *rest_management_api_client.ZitiEdgeManagement, tags ...*rest_model.Tags) error {
+	allTags := zrokTags(svcName)
+	for _, t := range tags {
+		for k, v := range t.SubTags {
+			allTags.SubTags[k] = v
+		}
+	}
+
 	var identityRoles []string
 	for _, proxyIdentity := range cfg.Proxy.Identities {
 		identityRoles = append(identityRoles, "@"+proxyIdentity)
@@ -127,7 +134,7 @@ func createServicePolicyDial(envZId, svcName, svcZId string, edge *rest_manageme
 		Semantic:          &semantic,
 		ServiceRoles:      serviceRoles,
 		Type:              &dialBind,
-		Tags:              zrokTags(svcName),
+		Tags:              allTags,
 	}
 	req := &service_policy.CreateServicePolicyParams{
 		Policy:  svcp,
diff --git a/controller/unaccess.go b/controller/unaccess.go
new file mode 100644
index 00000000..0af8797a
--- /dev/null
+++ b/controller/unaccess.go
@@ -0,0 +1,60 @@
+package controller
+
+import (
+	"fmt"
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/openziti-test-kitchen/zrok/controller/store"
+	"github.com/openziti-test-kitchen/zrok/rest_model_zrok"
+	"github.com/openziti-test-kitchen/zrok/rest_server_zrok/operations/service"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+type unaccessHandler struct{}
+
+func newUnaccessHandler() *unaccessHandler {
+	return &unaccessHandler{}
+}
+
+func (h *unaccessHandler) Handle(params service.UnaccessParams, principal *rest_model_zrok.Principal) middleware.Responder {
+	svcName := params.Body.SvcName
+	envZId := params.Body.ZID
+
+	tx, err := str.Begin()
+	if err != nil {
+		logrus.Errorf("error starting transaction: %v", err)
+		return service.NewUnaccessInternalServerError()
+	}
+	defer func() { _ = tx.Rollback() }()
+
+	edge, err := edgeClient()
+	if err != nil {
+		logrus.Error(err)
+		return service.NewUnaccessInternalServerError()
+	}
+
+	var senv *store.Environment
+	if envs, err := str.FindEnvironmentsForAccount(int(principal.ID), tx); err == nil {
+		for _, env := range envs {
+			if env.ZId == params.Body.ZID {
+				senv = env
+				break
+			}
+		}
+		if senv == nil {
+			err := errors.Errorf("environment with id '%v' not found for '%v", params.Body.ZID, principal.Email)
+			logrus.Error(err)
+			return service.NewUnaccessUnauthorized()
+		}
+	} else {
+		logrus.Errorf("error finding environments for account '%v': %v", principal.Email, err)
+		return service.NewUnaccessUnauthorized()
+	}
+
+	if err := deleteServicePolicy(envZId, fmt.Sprintf("tags.zrokServiceName=\"%v\" and tags.zrokEnvironmentZId=\"%v\" and type=1", svcName, envZId), edge); err != nil {
+		logrus.Errorf("error removing access to '%v' for '%v': %v", svcName, envZId, err)
+		return service.NewUnaccessInternalServerError()
+	}
+
+	return service.NewUnaccessOK()
+}