diff --git a/CHANGES b/CHANGES
index b764a4f2f..e50aeffff 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2347,4 +2347,5 @@
 * Add way to impersonate users for presetup
 * mail: open up port 465 for mail submission (TLS)
 * Implement operator role for apps
+* sftp: normal users do not have SFTP access anymore. Use operator role instead
 
diff --git a/src/ldap.js b/src/ldap.js
index 23a77648e..36412bcd6 100644
--- a/src/ldap.js
+++ b/src/ldap.js
@@ -551,15 +551,6 @@ async function authenticateSftp(req, res, next) {
     res.end();
 }
 
-async function loadSftpConfig(req, res, next) {
-    const [error, servicesConfig] = await safe(settings.getServicesConfig());
-    if (error) return next(new ldap.OperationsError(error.toString()));
-
-    const sftpConfig = servicesConfig['sftp'] || {};
-    req.requireAdmin = sftpConfig.requireAdmin;
-    next();
-}
-
 async function userSearchSftp(req, res, next) {
     debug('sftp user search: dn %s, scope %s, filter %s (from %s)', req.dn.toString(), req.scope, req.filter.toString(), req.connection.ldap.id);
 
@@ -584,10 +575,7 @@ async function userSearchSftp(req, res, next) {
     if (userGetError) return next(new ldap.OperationsError(userGetError.toString()));
     if (!user) return next(new ldap.OperationsError('Invalid username'));
 
-    if (req.requireAdmin && users.compareRoles(user.role, users.ROLE_ADMIN) < 0) return next(new ldap.InsufficientAccessRightsError('Insufficient previleges'));
-
-    const canAccess = apps.canAccess(app, user);
-    if (!canAccess) return next(new ldap.InsufficientAccessRightsError('Not authorized'));
+    if (!apps.isOperator(app, user)) return next(new ldap.InsufficientAccessRightsError('Not authorized'));
 
     const obj = {
         dn: ldap.parseDN(`cn=${username}@${appFqdn},ou=sftp,dc=cloudron`).toString(),
@@ -688,7 +676,7 @@ async function start() {
     gServer.bind('ou=sendmail,dc=cloudron', authenticateMailAddon); // haraka (MSA auth)
 
     gServer.bind('ou=sftp,dc=cloudron', authenticateSftp);    // sftp
-    gServer.search('ou=sftp,dc=cloudron', loadSftpConfig, userSearchSftp);
+    gServer.search('ou=sftp,dc=cloudron', userSearchSftp);
 
     gServer.compare('cn=users,ou=groups,dc=cloudron', authenticateApp, groupUsersCompare);
     gServer.compare('cn=admins,ou=groups,dc=cloudron', authenticateApp, groupAdminsCompare);
diff --git a/src/routes/services.js b/src/routes/services.js
index b3677ad3e..f075d7a3c 100644
--- a/src/routes/services.js
+++ b/src/routes/services.js
@@ -44,11 +44,6 @@ async function configure(req, res, next) {
         memoryLimit: req.body.memoryLimit
     };
 
-    if (req.params.service === 'sftp') {
-        if (typeof req.body.requireAdmin !== 'boolean') return next(new HttpError(400, 'requireAdmin must be a boolean'));
-        data.requireAdmin = req.body.requireAdmin;
-    }
-
     const [error] = await safe(services.configureService(req.params.service, data));
     if (error) return next(BoxError.toHttpError(error));