diff --git a/src/accesscontrol.js b/src/accesscontrol.js
index bc9c51cb4..f743d33d5 100644
--- a/src/accesscontrol.js
+++ b/src/accesscontrol.js
@@ -10,6 +10,7 @@ exports = module.exports = {
 SCOPE_USERS: 'users',
 SCOPE_MAIL: 'mail',
 SCOPE_CLIENTS: 'clients',
+ SCOPE_DOMAINS: 'domains',
 
 // roles are handled just like the above scopes, they are parallel to scopes
 // scopes enclose API groups, roles specify the usage role
@@ -32,6 +33,9 @@ function validateScope(scope) {
 exports.SCOPE_CLOUDRON,
 exports.SCOPE_SETTINGS,
 exports.SCOPE_USERS,
+ exports.SCOPE_DOMAIN,
+ exports.SCOPE_CLIENTS,
+ exports.SCOPE_MAIL,
 '*', // includes all scopes, but not roles
 exports.SCOPE_ROLE_SDK
 ];
diff --git a/src/server.js b/src/server.js
index 1f9afe530..7279159db 100644
--- a/src/server.js
+++ b/src/server.js
@@ -97,6 +97,7 @@ function initializeExpressSync() {
 var settingsScope = routes.accesscontrol.scope(accesscontrol.SCOPE_SETTINGS);
 var mailScope = routes.accesscontrol.scope(accesscontrol.SCOPE_MAIL);
 var clientsScope = routes.accesscontrol.scope(accesscontrol.SCOPE_CLIENTS);
+ var domainsScope = routes.accesscontrol.scope(accesscontrol.SCOPE_DOMAINS);
 
 // csrf protection
 var csrf = routes.oauth2.csrf;
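Review bot: The validateScope whitelist references `exports.SCOPE_DOMAIN`, but the constant introduced in the first hunk is `SCOPE_DOMAINS`, so that array entry evaluates to `undefined` at runtime rather than `'domains'`. A token requesting the new `domains` scope would then be rejected by whatever membership check follows (the rest of validateScope is outside the hunk), and conversely an `undefined` scope value would match a plain `indexOf`/`includes` lookup against this list. Change the line to `exports.SCOPE_DOMAINS,`. A unit test that feeds every exported `SCOPE_*` constant through validateScope would catch this class of typo before it ships.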
@@ -254,11 +255,11 @@ function initializeExpressSync() {
 router.post('/api/v1/backups', settingsScope, routes.users.requireAdmin, routes.backups.create);
 
 // domain routes
- router.post('/api/v1/domains', settingsScope, routes.users.requireAdmin, routes.domains.add);
- router.get ('/api/v1/domains', settingsScope, routes.users.requireAdmin, routes.domains.getAll);
- router.get ('/api/v1/domains/:domain', settingsScope, routes.users.requireAdmin, routes.domains.get);
- router.put ('/api/v1/domains/:domain', settingsScope, routes.users.requireAdmin, routes.domains.update);
- router.del ('/api/v1/domains/:domain', settingsScope, routes.users.requireAdmin, routes.users.verifyPassword, routes.domains.del);
+ router.post('/api/v1/domains', domainsScope, routes.users.requireAdmin, routes.domains.add);
+ router.get ('/api/v1/domains', domainsScope, routes.users.requireAdmin, routes.domains.getAll);
+ router.get ('/api/v1/domains/:domain', domainsScope, routes.users.requireAdmin, routes.domains.get);
+ router.put ('/api/v1/domains/:domain', domainsScope, routes.users.requireAdmin, routes.domains.update);
+ router.del ('/api/v1/domains/:domain', domainsScope, routes.users.requireAdmin, routes.users.verifyPassword, routes.domains.del);
 
 // caas routes
 router.post('/api/v1/caas/change_plan', cloudronScope, routes.users.requireAdmin, routes.users.verifyPassword, routes.caas.changePlan);
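Review bot: Gating the five domain routes on `domainsScope` means a token that carries only the `settings` scope no longer reaches them, so any existing OAuth client that manages domains must be re-granted `domains` (or hold `*`), and nothing in the hunk records that intent for the next reader. Every route keeps `routes.users.requireAdmin` (and `verifyPassword` on delete), so the user-level check is unchanged; only the token-scope requirement moves. Suggest replacing the bare comment with `// domain routes: require the 'domains' scope (settings no longer suffices) and an admin user`. initializeExpressSync begins and ends outside this hunk.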