diff --git a/databox/api/src/Security/Voter/AbstractVoter.php b/databox/api/src/Security/Voter/AbstractVoter.php
index ab35eb492..48e376d45 100644
--- a/databox/api/src/Security/Voter/AbstractVoter.php
+++ b/databox/api/src/Security/Voter/AbstractVoter.php
@@ -22,6 +22,8 @@ abstract class AbstractVoter extends Voter
     final public const EDIT = 'EDIT';
     final public const DELETE = 'DELETE';
     final public const EDIT_PERMISSIONS = 'EDIT_PERMISSIONS';
+    final public const OPERATOR = 'OPERATOR';
+    final public const OWNER = 'OWNER';
 
     protected EntityManagerInterface $em;
     protected Security $security;
diff --git a/databox/api/src/Security/Voter/AssetVoter.php b/databox/api/src/Security/Voter/AssetVoter.php
index ea0fa21bf..8188c9ec4 100644
--- a/databox/api/src/Security/Voter/AssetVoter.php
+++ b/databox/api/src/Security/Voter/AssetVoter.php
@@ -57,17 +57,17 @@ protected function voteOnAttribute(string $attribute, $subject, TokenInterface $
                 return $isOwner()
                     || $this->security->isGranted(self::SCOPE_PREFIX.'EDIT')
                     || $this->hasAcl(PermissionInterface::OPERATOR, $subject, $token)
-                    || $this->containerHasAcl($subject, PermissionInterface::OPERATOR, $token);
+                    || $this->voteOnContainer($subject, AbstractVoter::OPERATOR);
             case self::EDIT_ATTRIBUTES:
                 return $isOwner()
                     || $this->security->isGranted(self::SCOPE_PREFIX.'EDIT')
                     || $this->hasAcl(PermissionInterface::EDIT, $subject, $token)
-                    || $this->containerHasAcl($subject, PermissionInterface::EDIT, $token);
+                    || $this->voteOnContainer($subject, AbstractVoter::EDIT);
             case self::SHARE:
                 return $isOwner()
                     || $this->security->isGranted(self::SCOPE_PREFIX.'EDIT')
                     || $this->hasAcl(PermissionInterface::SHARE, $subject, $token)
-                    || $this->containerHasAcl($subject, PermissionInterface::EDIT, $token);
+                    || $this->voteOnContainer($subject, AbstractVoter::EDIT);
             case self::DELETE:
                 return $isOwner()
                     || $this->security->isGranted(self::SCOPE_PREFIX.'DELETE')
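Review bot: The two new constants are undocumented and carry the same names as `PermissionInterface::OPERATOR` / `PermissionInterface::OWNER`, which the same files pass to `hasAcl()` as a different kind of value (the `int $permission` parameter of the removed `containerHasAcl()` suggests numeric ACL levels), so a reader has to reconstruct from the call sites which `OPERATOR` a given line means. A one-line comment above the pair would settle it: `// Voter attributes for Security::isGranted(); distinct from the PermissionInterface::* ACL values passed to hasAcl().` The class body starts and continues outside the hunk.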
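Review bot: The `$token` that voteOnAttribute() receives is no longer forwarded on the container path: the three rewritten `||` branches call `voteOnContainer($subject, ...)` without it, and voteOnContainer() (defined in the next hunk) delegates to `$this->security->isGranted()`, which evaluates against the token held in token storage rather than the `$token` this voter was asked to vote with. For a request-scoped check the two are the same token, but any caller that decides access for an explicit token would now have the container half decided for a different principal than the `hasAcl(..., $token)` half; confirm that no such caller exists, or route the container decision through an API that accepts `$token`. As a point of style, `AbstractVoter::OPERATOR` and `AbstractVoter::EDIT` sit next to `self::EDIT_ATTRIBUTES` and `self::SHARE` in the same switch; if AssetVoter extends AbstractVoter, `self::OPERATOR` / `self::EDIT` resolve to the same final constants and read consistently. The switch starts and ends outside the hunk.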
@@ -80,19 +80,15 @@ protected function voteOnAttribute(string $attribute, $subject, TokenInterface $
                 return $isOwner()
                     || $this->security->isGranted(self::SCOPE_PREFIX.'OWNER')
                     || $this->hasAcl(PermissionInterface::OWNER, $subject, $token)
-                    || $this->containerHasAcl($subject, PermissionInterface::OWNER, $token);
+                    || $this->voteOnContainer($subject, AbstractVoter::OWNER);
         }
 
         return false;
     }
 
-    private function containerHasAcl(Asset $asset, int $permission, TokenInterface $token): bool
+    private function voteOnContainer(Asset $asset, string|int $attribute): bool
     {
-        if (null !== $collection = $asset->getReferenceCollection()) {
-            return $this->hasAcl($permission, $collection, $token);
-        }
-
-        return $this->hasAcl($permission, $asset->getWorkspace(), $token);
+        return $this->security->isGranted($attribute, $asset->getReferenceCollection() ?? $asset->getWorkspace());
     }
 
     private function collectionGrantsAccess(Asset $subject): bool
diff --git a/databox/api/src/Security/Voter/CollectionVoter.php b/databox/api/src/Security/Voter/CollectionVoter.php
index e47f706aa..3da71862f 100644
--- a/databox/api/src/Security/Voter/CollectionVoter.php
+++ b/databox/api/src/Security/Voter/CollectionVoter.php
@@ -66,6 +66,12 @@ private function doVote(string $attribute, Collection $subject, TokenInterface $
             self::EDIT_PERMISSIONS => $isOwner()
                 || $this->hasAcl(PermissionInterface::OWNER, $subject, $token)
                 || (null !== $subject->getParent() && $this->security->isGranted($attribute, $subject->getParent())),
+            self::OPERATOR => $isOwner()
+                || $this->hasAcl(PermissionInterface::OPERATOR, $subject, $token)
+                || (null !== $subject->getParent() && $this->security->isGranted($attribute, $subject->getParent())),
+            self::OWNER => $isOwner()
+                || $this->hasAcl(PermissionInterface::OWNER, $subject, $token)
+                || (null !== $subject->getParent() && $this->security->isGranted($attribute, $subject->getParent())),
             default => false,
         };
     }
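Review bot: `voteOnContainer()` widens what satisfies an asset-level check without saying so: the removed `containerHasAcl()` consulted only the ACL entry on the immediate reference collection or workspace, whereas delegating to `isGranted()` now also accepts whatever CollectionVoter/WorkspaceVoter accept for that attribute — presumably container ownership via their `$isOwner()` closure, grants inherited through `getParent()`, and for `OWNER` on a workspace `isAdmin()`, per the arms added in the other hunks of this commit. That is a defensible model, but it should be stated on the method so the next reader does not assume ACL-only semantics: `/** Delegates the asset check to the voter of its reference collection (or, if none, its workspace), so container ownership and inherited grants count as well as container ACLs. */`. The `string|int $attribute` union is wider than the call sites, which all pass string constants; `string $attribute` documents the intent and matches `voteOnAttribute(string $attribute, ...)` above. voteOnAttribute() starts outside the hunk.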
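Review bot: The new `self::OWNER` arm is token-for-token the same expression as the existing `self::EDIT_PERMISSIONS` arm three lines above it, so the two will drift apart silently the first time one is edited; `match` lets them share one arm: `self::EDIT_PERMISSIONS, self::OWNER => $isOwner()` followed by the existing two `||` lines. Note also that the recursion through `$subject->getParent()` means an OPERATOR or OWNER grant on any ancestor collection now satisfies the check on every descendant and, through AssetVoter::voteOnContainer(), on every asset referencing one; that matches the existing EDIT_PERMISSIONS behaviour but reaches further than the per-container ACL lookup it replaces on the asset path, and deserves a short comment on the arms. doVote() starts outside the hunk.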
diff --git a/databox/api/src/Security/Voter/WorkspaceVoter.php b/databox/api/src/Security/Voter/WorkspaceVoter.php
index d10c27284..6ebdc1850 100644
--- a/databox/api/src/Security/Voter/WorkspaceVoter.php
+++ b/databox/api/src/Security/Voter/WorkspaceVoter.php
@@ -64,6 +64,12 @@ private function doVote(string $attribute, Workspace $subject, TokenInterface $t
             self::EDIT_PERMISSIONS => $isOwner()
                 || $this->hasAcl(PermissionInterface::OWNER, $subject, $token)
                 || $this->isAdmin(),
+            self::OPERATOR => $isOwner()
+                || $this->hasAcl(PermissionInterface::OPERATOR, $subject, $token),
+            self::OWNER => $isOwner()
+                || $this->hasAcl(PermissionInterface::OWNER, $subject, $token)
+                || $this->isAdmin(),
+            default => false,
         };
     }
 
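Review bot: The `self::OPERATOR` arm accepts only ownership or an OPERATOR ACL, while the `self::OWNER` and `self::EDIT_PERMISSIONS` arms also accept `$this->isAdmin()`; if OWNER is meant to imply OPERATOR (the usual reading of the two levels), an admin without an explicit ACL passes OWNER checks but fails OPERATOR checks on the same workspace, and for assets whose container is the workspace that inconsistency now reaches asset-level checks through AssetVoter::voteOnContainer(). Either add `|| $this->isAdmin()` to the OPERATOR arm or record in a comment why admins are deliberately excluded there. The `self::OWNER` arm also duplicates `self::EDIT_PERMISSIONS` and could be folded into it as `self::EDIT_PERMISSIONS, self::OWNER => $isOwner()`. The added `default => false` turns an unknown attribute from an `UnhandledMatchError` into a silent deny, which is consistent with CollectionVoter and fail-closed, on the assumption that `supports()` remains the place that filters attributes before this match is reached. doVote() starts outside the hunk.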