diff --git a/packages/rocketchat-authorization/server/publications/roles.coffee b/packages/rocketchat-authorization/server/publications/roles.coffee
index 4b2dc50d8ae144f1e9072d2009eeab934ba4f784..6a2c35852d4410ddebe1449f5e5b42586ff41f3f 100644
--- a/packages/rocketchat-authorization/server/publications/roles.coffee
+++ b/packages/rocketchat-authorization/server/publications/roles.coffee
@@ -2,6 +2,7 @@ Meteor.publish 'roles', ->
 	unless @userId
 		return @ready()
 
-	# @TODO validate permission
+	if not RocketChat.authz.hasPermission @userId, 'access-rocket-permissions'
+		throw new Meteor.Error "not-authorized"
 
 	return RocketChat.authz.getRoles()
diff --git a/packages/rocketchat-authorization/server/publications/usersInRole.coffee b/packages/rocketchat-authorization/server/publications/usersInRole.coffee
index 1fbdc57cad5210cc70b34d58fbb6979c771e296d..089cea8e671dbde2bbdb021da414e775579399b0 100644
--- a/packages/rocketchat-authorization/server/publications/usersInRole.coffee
+++ b/packages/rocketchat-authorization/server/publications/usersInRole.coffee
@@ -2,6 +2,7 @@ Meteor.publish 'usersInRole', (roleName) ->
 	unless @userId
 		return @ready()
 
-	# @TODO validate permission
+	if not RocketChat.authz.hasPermission @userId, 'access-rocket-permissions'
+		throw new Meteor.Error "not-authorized"
 
 	return RocketChat.authz.getUsersInRole roleName