diff --git a/src/accesscontrol.js b/src/accesscontrol.js
index f29b87525..68efef9f6 100644
--- a/src/accesscontrol.js
+++ b/src/accesscontrol.js
@@ -117,7 +117,9 @@ function uninitialize(callback) {
 }
 
 function canonicalScope(scope) {
-    return scope.replace(exports.SCOPE_ANY, exports.VALID_SCOPES.join(','));
+    var scopes = scope.split(',');
+    scopes = scopes.map(function (s) { return s.replace(exports.SCOPE_ANY, exports.VALID_SCOPES.join(',')); });
+    return scopes.join(',');
 }
 
 function normalizeScope(allowedScope, wantedScope) {
diff --git a/src/test/accesscontrol-test.js b/src/test/accesscontrol-test.js
new file mode 100644
index 000000000..897324453
--- /dev/null
+++ b/src/test/accesscontrol-test.js
@@ -0,0 +1,22 @@
+/* jslint node:true */
+/* global it:false */
+/* global describe:false */
+/* global before:false */
+/* global after:false */
+
+'use strict';
+
+var accesscontrol = require('../accesscontrol.js'),
+    expect = require('expect.js');
+
+describe('access control', function () {
+    describe('canonicalScope', function () {
+        it('only * scope', function () {
+            expect(accesscontrol.canonicalScope('*')).to.be('apps,clients,cloudron,domains,mail,profile,settings,users');
+        });
+
+        it('* in the middle', function () {
+            expect(accesscontrol.canonicalScope('foo,bar,*')).to.be('foo,bar,apps,clients,cloudron,domains,mail,profile,settings,users');
+        });
+    });
+});