diff --git a/src/main/java/cz/cvut/kbss/study/rest/OidcUserController.java b/src/main/java/cz/cvut/kbss/study/rest/OidcUserController.java
index 85d05b2..f863fa8 100644
--- a/src/main/java/cz/cvut/kbss/study/rest/OidcUserController.java
+++ b/src/main/java/cz/cvut/kbss/study/rest/OidcUserController.java
@@ -57,7 +57,7 @@ public User getByUsername(@PathVariable("username") String username) {
 
     @PreAuthorize(
             "hasAuthority('" + SecurityConstants.ROLE_ADMIN + "') " +
-                    "or hasAuthority('" + SecurityConstants.ROLE_ADMIN + "') and @securityUtils.isMemberOfInstitution(#institutionKey)")
+                    "or hasAuthority('" + SecurityConstants.ROLE_USER + "') and @securityUtils.isMemberOfInstitution(#institutionKey)")
     @GetMapping(produces = MediaType.APPLICATION_JSON_VALUE)
     public List<User> getUsers(@RequestParam(value = "institution", required = false) String institutionKey) {
         return institutionKey != null ? getByInstitution(institutionKey) : userService.findAll();