diff --git a/src/routes/users.js b/src/routes/users.js
index eb98472bf..46d0d0133 100644
--- a/src/routes/users.js
+++ b/src/routes/users.js
@@ -49,12 +49,11 @@ function create(req, res, next) {
 displayName: user.displayName,
 email: user.email,
 fallbackEmail: user.fallbackEmail,
- admin: user.admin,
 groupIds: [ ],
 resetToken: user.resetToken
 };
 
- next(new HttpSuccess(201, userInfo ));
+ next(new HttpSuccess(201, userInfo));
 });
 }
 
@@ -68,8 +67,6 @@ function update(req, res, next) {
 if ('displayName' in req.body && typeof req.body.displayName !== 'string') return next(new HttpError(400, 'displayName must be string'));
 if ('username' in req.body && typeof req.body.username !== 'string') return next(new HttpError(400, 'username must be a string'));
 
- if (req.user.id !== req.params.userId && !req.user.admin) return next(new HttpError(403, 'Not allowed'));
-
 users.update(req.params.userId, req.body, auditSource(req), function (error) {
 if (error && error.reason === UsersError.BAD_FIELD) return next(new HttpError(400, error.message));
 if (error && error.reason === UsersError.ALREADY_EXISTS) return next(new HttpError(409, error.message));
@@ -94,8 +91,6 @@ function get(req, res, next) {
 assert.strictEqual(typeof req.params.userId, 'string');
 assert.strictEqual(typeof req.user, 'object');
 
- if (req.user.id !== req.params.userId && !req.user.admin) return next(new HttpError(403, 'Not allowed'));
-
 users.get(req.params.userId, function (error, result) {
 if (error && error.reason === UsersError.NOT_FOUND) return next(new HttpError(404, 'No such user'));
 if (error) return next(new HttpError(500, error));
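Review bot: With the owner-or-admin guard deleted, nothing left in the `update` hunk stops an authenticated user from calling `users.update(req.params.userId, req.body, ...)` against any other user's id, so unless the route registration (not in this diff) now applies an equivalent check before this handler, this is a broken-access-control regression on PUT/PATCH of user records. The validation above it only checks field types, and the hunk's `req.body` is passed through to the store unchanged, so a caller could also attempt to set fields like `admin` or `email` on the target account if the store does not strip them. If the guard really moved to middleware, please leave a one-line marker here so the next reader does not re-add or look for it, e.g. `// authorization (self or admin) is enforced by the route-level middleware, not here`; otherwise restore `if (req.user.id !== req.params.userId && !req.user.admin) return next(new HttpError(403, 'Not allowed'));` before the `users.update` call. `update`'s body starts before this hunk and continues past it.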
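Review bot: The same guard is removed from `get`, so after this hunk any authenticated caller can fetch an arbitrary `userId` through `users.get(req.params.userId, ...)` and receive whatever `result` the handler emits further down, which this hunk does not show. That is an information-disclosure concern (other users' records, and possibly sensitive fields such as the reset token seen in the `create` response) unless the route is now guarded upstream of this handler. Either document the upstream guard at the top of the function, e.g. `// access control is applied by the router before this handler`, or keep the in-handler check `if (req.user.id !== req.params.userId && !req.user.admin) return next(new HttpError(403, 'Not allowed'));` as defence in depth. `get`'s body continues past the end of the hunk.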