diff --git a/hooks/rabbit_utils.py b/hooks/rabbit_utils.py
index 3ce3e312..ac67e4c5 100644
--- a/hooks/rabbit_utils.py
+++ b/hooks/rabbit_utils.py
@@ -16,6 +16,7 @@ COOKIE_PATH = '/var/lib/rabbitmq/.erlang.cookie'
 ENV_CONF = '/etc/rabbitmq/rabbitmq-env.conf'
 RABBITMQ_CONF = '/etc/rabbitmq/rabbitmq.config'
 SSH_USER = 'juju_rabbit'
+RABBIT_USER = 'rabbitmq'
 LIB_PATH = '/var/lib/rabbitmq/'
 
 
@@ -229,6 +230,7 @@ def synchronize_service_credentials():
     peers = cluster.peer_units()
     if peers and not cluster.oldest_peer(peers):
         utils.juju_log('INFO', 'Deferring action to oldest service unit.')
+        return
 
     utils.juju_log('INFO', 'Synchronizing service passwords to all peers.')
     unison.sync_to_peers(peer_interface='cluster',
diff --git a/hooks/rabbitmq_server_relations.py b/hooks/rabbitmq_server_relations.py
index 22b84dcc..8ff780c5 100755
--- a/hooks/rabbitmq_server_relations.py
+++ b/hooks/rabbitmq_server_relations.py
@@ -34,8 +34,8 @@ def install():
 
     # ensure user + permissions for peer relations that
     # may be syncing data there via SSH_USER.
-    unison.ensure_user(user=rabbit.SSH_USER, group='rabbit')
-    rabbit.execute("chmod -R u+wrx %s" % rabbit.LIB_PATH)
+    unison.ensure_user(user=rabbit.SSH_USER, group=rabbit.RABBIT_USER)
+    rabbit.execute("chmod g+wrx %s" % rabbit.LIB_PATH)
 
 
 def amqp_changed(relation_id=None, remote_unit=None, needs_leader=True):
@@ -59,6 +59,9 @@ def amqp_changed(relation_id=None, remote_unit=None, needs_leader=True):
         password = subprocess.check_output(cmd).strip()
         with open(password_file, 'wb') as out:
             out.write(password)
+        # assign current user and permissions
+        rabbit.execute("chmod g+wrx %s" % password_file)
+        rabbit.execute("chown %s:%s %s" % rabbit.RABBIT_USER, rabbit.RABBIT_USER, password_file)
 
     rabbit.create_vhost(vhost)
     rabbit.create_user(rabbit_user, password)
@@ -290,7 +293,7 @@ def update_nrpe_checks():
 
     nrpe_compat = NRPE()
     nrpe_compat.add_check(
-        shortname='rabbitmq',
+        shortname=rabbit.RABBIT_USER,
         description='Check RabbitMQ',
         check_cmd='{}/check_rabbitmq.py --user {} --password {} --vhost {}'
                   ''.format(NAGIOS_PLUGINS, user, password, vhost)
@@ -317,7 +320,7 @@ MAN_PLUGIN = 'rabbitmq_management'
 
 def config_changed():
     unison.ensure_user(user=rabbit.SSH_USER, group='rabbit')
-    rabbit.execute("chmod -R u+wrx %s" % rabbit.LIB_PATH)
+    rabbit.execute("chmod g+wrx %s" % rabbit.LIB_PATH)
 
     if utils.config_get('management_plugin') is True:
         rabbit.enable_plugin(MAN_PLUGIN)