diff --git a/src/routes/users.js b/src/routes/users.js
index cb4bb5bde..5a2d69c6e 100644
--- a/src/routes/users.js
+++ b/src/routes/users.js
@@ -180,6 +180,7 @@ async function setGhost(req, res, next) {
 if (typeof req.body.password !== 'string' || !req.body.password) return next(new HttpError(400, 'password must be non-empty string'));
 if ('expiresAt' in req.body && typeof req.body.password !== 'number') return next(new HttpError(400, 'expiresAt must be a number'));
+ if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
 const [error] = await safe(users.setGhost(req.resource, req.body.password, req.body.expiresAt || 0));
 if (error) return next(BoxError.toHttpError(error));