diff --git a/pandora/user/decorators.py b/pandora/user/decorators.py
new file mode 100644
index 000000000..a8ba8bb8f
--- /dev/null
+++ b/pandora/user/decorators.py
@@ -0,0 +1,17 @@
+# -*- coding: utf-8 -*-
+# vi:si:et:sw=4:sts=4:ts=4
+try:
+    from django.contrib.auth.decorators import wraps
+except:
+    from django.utils.functional import wraps
+from ox.django.shortcuts import render_to_json_response, json_response
+
+def capability_required_json(capability):
+    def capability_required(function=None):
+        def _wrapped_view(request, *args, **kwargs):
+            if request.user.is_authenticated() and \
+                request.user.get_profile().capability(capability):
+                return function(request, *args, **kwargs)
+            return render_to_json_response(json_response(status=403, text='permissino denied'))
+        return wraps(function)(_wrapped_view)
+    return capability_required
diff --git a/pandora/user/views.py b/pandora/user/views.py
index b7b1913c2..fb7d0aeec 100644
--- a/pandora/user/views.py
+++ b/pandora/user/views.py
@@ -13,7 +13,7 @@ from django.db.models import Max
 from django.contrib.auth.models import User, Group
 
 from ox.django.shortcuts import render_to_json_response, json_response, get_object_or_404_json
-from ox.django.decorators import admin_required_json, login_required_json
+from ox.django.decorators import login_required_json
 import ox
 
 
@@ -22,7 +22,7 @@ from item.models import Access, Item
 from item import utils 
 
 import models
-
+from decorators import capability_required_json
 
 def signin(request):
     '''
@@ -303,7 +303,7 @@ def requestToken(request):
 actions.register(requestToken, cache=False)
 
 
-@admin_required_json
+@capability_required_json('canManageUsers')
 def editUser(request):
     '''
         takes {
@@ -356,7 +356,7 @@ def editUser(request):
     return render_to_json_response(response)
 actions.register(editUser, cache=False)
 
-@admin_required_json
+@capability_required_json('canManageUsers')
 def removeUser(request):
     '''
         takes {
@@ -440,7 +440,7 @@ def order_query(qs, sort):
         qs = qs.order_by(*order_by, nulls_last=True)
     return qs
 
-@admin_required_json
+@capability_required_json('canManageUsers')
 def findUsers(request):
     '''
         takes {