diff --git a/jobs/cc_deployment_updater/spec b/jobs/cc_deployment_updater/spec
index 641a812b51..2b9cc47289 100644
--- a/jobs/cc_deployment_updater/spec
+++ b/jobs/cc_deployment_updater/spec
@@ -208,6 +208,10 @@ properties:
     description: "The file descriptors made available to each app instance"
     default: 16384
 
+  cc.additional_allowed_process_users:
+    default: []
+    description: "Allow-list of users that a Process/Task may use in addition to 'vcap'. The 'vcap' user is always permitted."
+
   cc.locket.host:
     default: "locket.service.cf.internal"
     description: "Hostname of the Locket server"
diff --git a/jobs/cc_deployment_updater/templates/cloud_controller_ng.yml.erb b/jobs/cc_deployment_updater/templates/cloud_controller_ng.yml.erb
index 67189dceea..5c96e92178 100644
--- a/jobs/cc_deployment_updater/templates/cloud_controller_ng.yml.erb
+++ b/jobs/cc_deployment_updater/templates/cloud_controller_ng.yml.erb
@@ -133,6 +133,7 @@ default_app_memory: <%= p("cc.default_app_memory") %>
 default_app_disk_in_mb: <%= p("cc.default_app_disk_in_mb") %>
 maximum_app_disk_in_mb: <%= p("cc.maximum_app_disk_in_mb") %>
 instance_file_descriptor_limit: <%= p("cc.instance_file_descriptor_limit") %>
+additional_allowed_process_users: <%= p("cc.additional_allowed_process_users") %>
 
 deployment_updater:
   update_frequency_in_seconds: <%= p("deployment_updater.update_frequency_in_seconds") %>
diff --git a/jobs/cloud_controller_clock/spec b/jobs/cloud_controller_clock/spec
index 990c7f7070..0d42516f69 100644
--- a/jobs/cloud_controller_clock/spec
+++ b/jobs/cloud_controller_clock/spec
@@ -422,6 +422,10 @@ properties:
     default: 2048
     description: "The maximum amount of disk a user can request"
 
+  cc.additional_allowed_process_users:
+    default: []
+    description: "Allow-list of users that a Process/Task may use in addition to 'vcap'. The 'vcap' user is always permitted."
+
   cc.newrelic.license_key:
     default: ~
     description: "The api key for NewRelic"
diff --git a/jobs/cloud_controller_clock/templates/cloud_controller_ng.yml.erb b/jobs/cloud_controller_clock/templates/cloud_controller_ng.yml.erb
index 5fd80db002..b1030f8ac2 100644
--- a/jobs/cloud_controller_clock/templates/cloud_controller_ng.yml.erb
+++ b/jobs/cloud_controller_clock/templates/cloud_controller_ng.yml.erb
@@ -72,6 +72,7 @@ maximum_app_disk_in_mb: <%= p("cc.maximum_app_disk_in_mb") %>
 max_retained_deployments_per_app: <%= p("cc.max_retained_deployments_per_app") %>
 max_retained_builds_per_app: <%= p("cc.max_retained_builds_per_app") %>
 max_retained_revisions_per_app: <%= p("cc.max_retained_revisions_per_app") %>
+additional_allowed_process_users: <%= p("cc.additional_allowed_process_users") %>
 
 default_app_log_rate_limit_in_bytes_per_second: <%= p("cc.default_app_log_rate_limit_in_bytes_per_second") %>
 
diff --git a/jobs/cloud_controller_ng/spec b/jobs/cloud_controller_ng/spec
index 21fa0eef91..2d5bc70ab3 100644
--- a/jobs/cloud_controller_ng/spec
+++ b/jobs/cloud_controller_ng/spec
@@ -844,6 +844,10 @@ properties:
     default: "2048M"
     description: "Maximum body size for nginx bits uploads"
 
+  cc.additional_allowed_process_users:
+    default: []
+    description: "Allow-list of users that a Process/Task may use in addition to 'vcap'. The 'vcap' user is always permitted."
+
   cc.default_app_log_rate_limit_in_bytes_per_second:
     default: -1
     description: "Default application log rate limit"
diff --git a/jobs/cloud_controller_ng/templates/cloud_controller_ng.yml.erb b/jobs/cloud_controller_ng/templates/cloud_controller_ng.yml.erb
index c300ac2f5b..a8dfdd3f5d 100644
--- a/jobs/cloud_controller_ng/templates/cloud_controller_ng.yml.erb
+++ b/jobs/cloud_controller_ng/templates/cloud_controller_ng.yml.erb
@@ -128,6 +128,7 @@ cpu_weight_max_memory: <%= p("cc.cpu_weight_max_memory") %>
 default_app_memory: <%= p("cc.default_app_memory") %>
 default_app_disk_in_mb: <%= p("cc.default_app_disk_in_mb") %>
 maximum_app_disk_in_mb: <%= p("cc.maximum_app_disk_in_mb") %>
+additional_allowed_process_users: <%= p("cc.additional_allowed_process_users") %>
 
 default_app_log_rate_limit_in_bytes_per_second: <%= p("cc.default_app_log_rate_limit_in_bytes_per_second") %>
 
diff --git a/jobs/cloud_controller_worker/spec b/jobs/cloud_controller_worker/spec
index 2e405ae667..9126e8329e 100644
--- a/jobs/cloud_controller_worker/spec
+++ b/jobs/cloud_controller_worker/spec
@@ -364,6 +364,10 @@ properties:
     default: 2048
     description: "The maximum amount of disk a user can request"
 
+  cc.additional_allowed_process_users:
+    default: []
+    description: "Allow-list of users that a Process/Task may use in addition to 'vcap'. The 'vcap' user is always permitted."
+
   cc.allow_app_ssh_access:
     default: true
     description: "Allow users to change the value of the app-level allow_ssh attribute"
diff --git a/jobs/cloud_controller_worker/templates/cloud_controller_ng.yml.erb b/jobs/cloud_controller_worker/templates/cloud_controller_ng.yml.erb
index 61a6b050c3..7583a43b37 100644
--- a/jobs/cloud_controller_worker/templates/cloud_controller_ng.yml.erb
+++ b/jobs/cloud_controller_worker/templates/cloud_controller_ng.yml.erb
@@ -63,6 +63,7 @@ jobs:
 default_app_memory: <%= p("cc.default_app_memory") %>
 default_app_disk_in_mb: <%= p("cc.default_app_disk_in_mb") %>
 maximum_app_disk_in_mb: <%= p("cc.maximum_app_disk_in_mb") %>
+additional_allowed_process_users: <%= p("cc.additional_allowed_process_users") %>
 
 instance_file_descriptor_limit: <%= p("cc.instance_file_descriptor_limit") %>