diff --git a/src/apps.js b/src/apps.js
index 7435444e6..51d80360d 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -37,7 +37,8 @@ exports = module.exports = {
 // exported for testing
 _validateHostname: validateHostname,
- _validatePortBindings: validatePortBindings
+ _validatePortBindings: validatePortBindings,
+ _validateAccessRestriction: validateAccessRestriction
 };
 var addons = require('./addons.js'),
@@ -179,6 +180,21 @@ function validatePortBindings(portBindings, tcpPorts) {
 return null;
 }
+function validateAccessRestriction(accessRestriction) {
+ assert.strictEqual(typeof accessRestriction, 'string');
+
+ function validator(entry) {
+ if (entry === '') return true;
+ if (entry.indexOf('user-') === 0 && entry.length > 'user-'.length) return true;
+ return false;
+ }
+
+ var entries = accessRestriction.split(',').map(function (e) { return e.trim(); });
+ if (!entries.every(validator)) return new Error('Invalid accessRestriction');
+
+ return null;
+}
+
 function getDuplicateErrorDetails(location, portBindings, error) {
 assert.strictEqual(typeof location, 'string');
 assert.strictEqual(typeof portBindings, 'object');
@@ -251,18 +267,6 @@ function getAll(callback) {
 });
 }
-function validateAccessRestriction(accessRestriction) {
- // TODO: make the values below enumerations in the oauth code
- switch (accessRestriction) {
- case '':
- case 'roleUser':
- case 'roleAdmin':
- return null;
- default:
- return new Error('Invalid accessRestriction');
- }
-}
-
 function purchase(appStoreId, callback) {
 assert.strictEqual(typeof appStoreId, 'string');
 assert.strictEqual(typeof callback, 'function');
diff --git a/src/test/apps-test.js b/src/test/apps-test.js
index b4ec9c78c..2eb49a2a3 100644
--- a/src/test/apps-test.js
+++ b/src/test/apps-test.js
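Review bot: In src/apps.js, `validator` inside the new `validateAccessRestriction` accepts an empty entry anywhere in the list, so `'user-a,,user-b'`, `','` and a trailing comma all pass, although only the whole-string `''` case appears to be intended (it is the only empty case the tests cover). If the code that enforces the restriction treats an empty entry as "no restriction" (that code is not visible in this diff), a malformed list would fail open; handle the empty string before splitting, e.g. `if (accessRestriction === '') return null;`, and drop the `entry === ''` branch from `validator`. The function also validates trimmed entries but returns only `null` or an `Error`, so the caller presumably keeps the untrimmed string and the enforcement side has to split and trim the same way. Separately, `roleUser` and `roleAdmin` are now rejected, so values stored before this commit may need migrating.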
@@ -158,5 +158,39 @@ describe('Apps', function () {
 });
 });
 });
+
+ describe('validateAccessRestriction', function () {
+ it('allows empty input', function () {
+ expect(apps._validateAccessRestriction('')).to.eql(null);
+ });
+
+ it('allows single user input', function () {
+ expect(apps._validateAccessRestriction('user-someuserid')).to.eql(null);
+ });
+
+ it('does not allow single user input with no prefix', function () {
+ expect(apps._validateAccessRestriction('someuserid')).to.be.an(Error);
+ });
+
+ it('does not allow single user input with unkown prefix', function () {
+ expect(apps._validateAccessRestriction('foobar-someuserid')).to.be.an(Error);
+ });
+
+ it('allows multi user input', function () {
+ expect(apps._validateAccessRestriction('user-someuserid,user-someuserid1,user-someuserid2,user-someuserid3')).to.eql(null);
+ });
+
+ it('allows multi user input with whitespace', function () {
+ expect(apps._validateAccessRestriction('user-someuserid ,user-someuserid1 ,user-someuserid2 , user-someuserid3')).to.eql(null);
+ });
+
+ it('does not allow multi user input with no prefix', function () {
+ expect(apps._validateAccessRestriction('user-someuserid,someuserid1,user-someuserid2,user-someuserid3')).to.be.an(Error);
+ });
+
+ it('does not allow multi user input with unkown prefix', function () {
+ expect(apps._validateAccessRestriction('user-someuserid,user-someuserid1,user-someuserid2,foo-someuserid3')).to.be.an(Error);
+ });
+ });
 });
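Review bot: The new tests never exercise the `entry.length > 'user-'.length` check, so a bare prefix is not pinned as invalid; add a case such as `expect(apps._validateAccessRestriction('user-')).to.be.an(Error);`. Lists containing an empty entry (`'user-someuserid,'`, `'user-someuserid,,user-someuserid1'`) are also untested, which leaves it undecided whether the validator is meant to accept them. The two test names spelled `unkown prefix` should read `unknown prefix`. The enclosing `describe('Apps', ...)` block starts outside the hunk.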