diff --git a/src/component/vocabulary/acl/AccessControlRecordForm.tsx b/src/component/vocabulary/acl/AccessControlRecordForm.tsx
index 4327a8e9..cca94bbe 100644
--- a/src/component/vocabulary/acl/AccessControlRecordForm.tsx
+++ b/src/component/vocabulary/acl/AccessControlRecordForm.tsx
@@ -18,6 +18,7 @@ import AccessControlHolderSelector from "./AccessControlHolderSelector";
 import Utils from "../../../util/Utils";
 import classNames from "classnames";
 import { AssetData } from "../../../model/Asset";
+import AccessLevel, { hasAccess } from "../../../model/acl/AccessLevel";
 
 interface AccessControlRecordFormProps {
 record: AccessControlRecord;
@@ -26,6 +27,8 @@ interface AccessControlRecordFormProps {
 onChange: (change: Partial>) => void;
 }
 
+const accessGreaterThan = (a: AccessLevel, b?: string) => hasAccess(a, b);
+
 const HOLDER_TYPES = {
 "type.user": VocabularyUtils.USER,
 "type.usergroup": VocabularyUtils.USER_GROUP,
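Review bot: The name `accessGreaterThan` promises a strict comparison, but the alias forwards both arguments to `hasAccess` unchanged, and `hasAccess` is not visible in this diff, so a reader cannot tell whether the boundary level itself passes. That boundary decides whether a capped holder is still offered the cap level, so it should be stated where the alias is defined, for example `// true when level b is at least a (inclusive); thin wrapper over hasAccess`, if that is what `hasAccess` does. If the alias adds nothing beyond the rename, calling `hasAccess` directly would avoid a second name for the same check.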
@@ -44,32 +47,50 @@ function resolveHolderType(record: AccessControlRecord): string {
 }
 
 /**
- * The following holder types cannot have the maximum access level.
- */
-const RESTRICTED_HOLDER_TYPES = [
- VocabularyUtils.USER_RESTRICTED,
- VocabularyUtils.USER_GROUP,
-];
-/**
- * The following holder IRI (Restricted user role) cannot have the maximum access level.
+ * The following holder types cannot have the specified access levels or greater.
 */
-const RESTRICTED_HOLDER_IRI =
- VocabularyUtils.NS_TERMIT + "omezen\u00fd-u\u017eivatel-termitu";
-
-const MAX_ACCESS_LEVEL =
- VocabularyUtils.NS_TERMIT +
- "\u00farove\u0148-p\u0159\u00edstupov\u00fdch-opr\u00e1vn\u011bn\u00ed/spr\u00e1va";
+const LIMITED_ACCESS_LEVEL_BY_HOLDER_TYPE = {
+ [VocabularyUtils.USER_ANONYMOUS]: AccessLevel.WRITE,
+ [VocabularyUtils.USER_RESTRICTED]: AccessLevel.SECURITY,
+ [VocabularyUtils.USER_GROUP]: AccessLevel.SECURITY,
+};
 
 function filterAccessLevels(accessLevels: RdfsResource[], holder?: AssetData) {
 if (!holder) {
 return accessLevels;
 }
- const types = Utils.sanitizeArray(holder.types);
- const shouldRestrict =
- holder.iri === RESTRICTED_HOLDER_IRI ||
- types.some((t) => RESTRICTED_HOLDER_TYPES.indexOf(t) !== -1);
- return shouldRestrict
- ? accessLevels.filter((r) => r.iri !== MAX_ACCESS_LEVEL)
+ let limitedAccessLevel: AccessLevel | undefined;
+ if (holder.types == null) {
+ return accessLevels;
+ }
+
+ const types = [...Utils.sanitizeArray(holder.types)];
+ // add the holder iri to the types
+ if (holder.iri) {
+ types.push(holder.iri);
+ }
+
+ types.forEach((type) => {
+ // if the type is in the limited access level list
+ if (LIMITED_ACCESS_LEVEL_BY_HOLDER_TYPE[type]) {
+ if (limitedAccessLevel) {
+ // compare the current max access level with the type max access level
+ // and set the higher one
+ limitedAccessLevel = accessGreaterThan(
+ limitedAccessLevel,
+ LIMITED_ACCESS_LEVEL_BY_HOLDER_TYPE[type]
+ )
+ ? limitedAccessLevel
+ : LIMITED_ACCESS_LEVEL_BY_HOLDER_TYPE[type];
+ } else {
+ // if no max access level is set, set it to the type max access level
+ limitedAccessLevel = LIMITED_ACCESS_LEVEL_BY_HOLDER_TYPE[type];
+ }
+ }
+ });
+
+ return limitedAccessLevel
+ ? accessLevels.filter((r) => !accessGreaterThan(limitedAccessLevel!, r.iri))
 : accessLevels;
 }
 
@@ -77,13 +98,12 @@ function shouldResetAccessLevel(
 holder?: AccessHolderType,
 currentAccessLevel?: string
 ) {
- if (currentAccessLevel !== MAX_ACCESS_LEVEL || !holder) {
+ if (!holder || !currentAccessLevel || !holder.iri) {
 return false;
 }
- return (
- Utils.sanitizeArray(holder.types).some(
- (t) => RESTRICTED_HOLDER_TYPES.indexOf(t) !== -1
- ) || holder.iri === RESTRICTED_HOLDER_IRI
+ return accessGreaterThan(
+ LIMITED_ACCESS_LEVEL_BY_HOLDER_TYPE[holder.iri],
+ currentAccessLevel
 );
 }
 
diff --git a/src/i18n/cs.ts b/src/i18n/cs.ts
index 6f1104fb..aab8771d 100644
--- a/src/i18n/cs.ts
+++ b/src/i18n/cs.ts
@@ -229,7 +229,7 @@ const cs = {
 "administration.maintenance.invalidateCaches.success":
 "Cache úspěšně vyprázdněna.",
 "administration.maintenance.clearLongRunningTasksQueue":
- "Vyprádznit frontu procesů na pozadí",
+ "Vyprázdnit frontu procesů na pozadí",
 "administration.maintenance.clearLongRunningTasksQueue.tooltip":
 "Vyprázdnit frontu procesů čekajících na zpracování na pozadí",
 "administration.maintenance.clearLongRunningTasksQueue.success":
diff --git a/src/util/VocabularyUtils.ts b/src/util/VocabularyUtils.ts
index bb21e375..b6d3f903 100644
--- a/src/util/VocabularyUtils.ts
+++ b/src/util/VocabularyUtils.ts
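Review bot: In `filterAccessLevels` (AccessControlRecordForm.tsx) the new early return `if (holder.types == null) { return accessLevels; }` runs before `holder.iri` is appended to `types`, so a holder identified only by its IRI now receives the unfiltered list; the removed code compared `holder.iri` with the restricted-role IRI regardless of `types`. The removed code also passed `holder.types` straight to `Utils.sanitizeArray` without a null check, so the guard looks unnecessary and could simply be dropped. Separately, when several entries match, the loop keeps what its comment calls "the higher one"; for a cap on privileges the most restrictive match is the safer choice, so the two ternary branches may need swapping once the argument order of `hasAccess` is confirmed. This filter only shapes what the form offers, so the assumption to verify is that the server enforces the same caps.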
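Review bot: `shouldResetAccessLevel` (AccessControlRecordForm.tsx) now resolves the cap with `LIMITED_ACCESS_LEVEL_BY_HOLDER_TYPE[holder.iri]` only, whereas the removed code also matched `holder.types` and `filterAccessLevels` in the previous hunk still merges types and IRI. A holder whose cap comes from a type such as `VocabularyUtils.USER_GROUP` therefore passes `undefined` as the first argument of `accessGreaterThan`, which is declared as `AccessLevel`; what `hasAccess` does with that is not visible here, but it appears an already selected level above the cap would no longer be reset. Moving the cap resolution out of `filterAccessLevels` into one helper used by both functions would keep them in step, e.g. `const cap = resolveLimit(holder); return cap !== undefined && accessGreaterThan(cap, currentAccessLevel);`, where `resolveLimit` is a suggested name for the extracted loop. The function's opening line sits in the hunk header, outside the changed lines.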
@@ -115,6 +115,7 @@ const VocabularyUtils = {
 USER_ADMIN: _NS_TERMIT + "administrátor-termitu",
 USER_LOCKED: _NS_TERMIT + "uzam\u010den\u00fd-u\u017eivatel-termitu",
 USER_DISABLED: _NS_TERMIT + "zablokovan\u00fd-u\u017eivatel-termitu",
+ USER_ANONYMOUS: _NS_TERMIT + "anonymn\u00ed-u\u017eivatel-termitu",
 USER_RESTRICTED: _NS_TERMIT + "omezen\u00fd-u\u017eivatel-termitu",
 USER_EDITOR: _NS_TERMIT + "pln\u00fd-u\u017eivatel-termitu",
 USER_GROUP: _NS_SIOC + "Usergroup",