diff --git a/src/main/java/org/caosdb/server/transaction/ListUsersTransaction.java b/src/main/java/org/caosdb/server/transaction/ListUsersTransaction.java
index cfbd68d3412eea162bc96582bddc8193a4781c31..8a9f4ed497bd429d8ef5c9f11ed6dd099812493a 100644
--- a/src/main/java/org/caosdb/server/transaction/ListUsersTransaction.java
+++ b/src/main/java/org/caosdb/server/transaction/ListUsersTransaction.java
@@ -1,6 +1,11 @@
 package org.caosdb.server.transaction;
 
 import java.util.List;
+import java.util.function.Predicate;
+import java.util.stream.Collectors;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
+import org.caosdb.server.accessControl.ACMPermissions;
 import org.caosdb.server.database.backend.transaction.ListUsers;
 import org.caosdb.server.database.proto.ProtoUser;
 
@@ -10,7 +15,17 @@ public class ListUsersTransaction extends AccessControlTransaction {
 
   @Override
   protected void transaction() throws Exception {
-    users = execute(new ListUsers(), getAccess()).getUsers();
+    Subject currentUser = SecurityUtils.getSubject();
+    users = execute(new ListUsers(), getAccess()).getUsers().stream().filter(user -> currentUser.isPermitted(ACMPermissions.PERMISSION_RETRIEVE_USER_INFO(user.realm, user.name))
+        ).collect(Collectors.toList());
+    
+    // remove roles
+    for(ProtoUser user : users) {
+      if(!currentUser.isPermitted(ACMPermissions.PERMISSION_RETRIEVE_USER_ROLES(user.realm, user.name))) {
+        user.roles = null;
+      }
+    }
+
   }
 
   public List<ProtoUser> getUsers() {
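Review bot: The role-redaction loop in `transaction()` sets `user.roles = null` directly on the `ProtoUser` objects returned by `ListUsers`, so the backend's result objects are mutated in place and consumers of `getUsers()` now receive a null `roles` field for some users. If those instances are ever cached or shared between requests (not visible in this hunk), a caller who does hold the roles permission could see them stripped as well; it is worth confirming that, and that whatever serializes the list tolerates null. I would replace `// remove roles` with a comment that states the contract, e.g. `// Withhold roles the caller may not retrieve; roles == null means "withheld", not "user has no roles".` Separately, the `java.util.function.Predicate` import added in the first hunk appears unused in the visible new code, and the long `filter(...)` line is not formatted like the rest of the change.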
diff --git a/src/main/java/org/caosdb/server/transaction/RetrieveACL.java b/src/main/java/org/caosdb/server/transaction/RetrieveACL.java
index f23a29a4428f5caf7fe94604b103127801710ad9..05ba7a423d462f22e0dbf48c67ce3ba65a99c31d 100644
--- a/src/main/java/org/caosdb/server/transaction/RetrieveACL.java
+++ b/src/main/java/org/caosdb/server/transaction/RetrieveACL.java
@@ -1,5 +1,6 @@
 package org.caosdb.server.transaction;
 
+import com.google.protobuf.ProtocolStringList;
 import java.util.UUID;
 import org.apache.shiro.SecurityUtils;
 import org.caosdb.server.database.backend.transaction.RetrieveEntityACLTransaction;
@@ -8,12 +9,13 @@ import org.caosdb.server.entity.EntityInterface;
 import org.caosdb.server.entity.container.TransactionContainer;
 import org.caosdb.server.permissions.EntityACL;
 import org.caosdb.server.permissions.EntityPermission;
-import com.google.protobuf.ProtocolStringList;
 
 public class RetrieveACL extends Transaction<TransactionContainer> {
 
   public RetrieveACL(ProtocolStringList idList) {
-    super(new TransactionContainer(SecurityUtils.getSubject(), System.currentTimeMillis(), UUID.randomUUID().toString()));
+    super(
+        new TransactionContainer(
+            SecurityUtils.getSubject(), System.currentTimeMillis(), UUID.randomUUID().toString()));
     for (String strId : idList) {
       getContainer().add(new Entity(Integer.parseInt(strId)));
     }