diff --git a/src/routes/test/groups-test.js b/src/routes/test/groups-test.js
index 52bc80708..5dce9f211 100644
--- a/src/routes/test/groups-test.js
+++ b/src/routes/test/groups-test.js
@@ -15,13 +15,15 @@ var appdb = require('../../appdb.js'),
 superagent = require('superagent'),
 server = require('../../server.js'),
 settings = require('../../settings.js'),
+ tokendb = require('../../tokendb.js'),
 nock = require('nock'),
 userdb = require('../../userdb.js');
 var SERVER_URL = 'http://localhost:' + config.get('port');
 var USERNAME = 'admin', PASSWORD = 'Foobar?1337', EMAIL ='silly@me.com';
-var token = null;
+var USERNAME_1 = 'user', PASSWORD_1 = 'Foobar?1337', EMAIL_1 ='happy@me.com';
+var token, token_1 = null;
 var server;
 function setup(done) {
@@ -48,8 +50,22 @@ function setup(done) {
 callback();
 });
+ },
+ function (callback) {
+ superagent.post(SERVER_URL + '/api/v1/users')
+ .query({ access_token: token })
+ .send({ username: USERNAME_1, email: EMAIL_1, invite: false })
+ .end(function (error, result) {
+ expect(result).to.be.ok();
+ expect(result.statusCode).to.eql(201);
+
+ token_1 = tokendb.generateToken();
+
+ // HACK to get a token for second user (passwords are generated and the user should have gotten a password setup link...)
+ tokendb.add(token_1, tokendb.PREFIX_USER + USERNAME_1, 'test-client-id', Date.now() + 100000, '*', callback);
+ });
 }
- ], done);
+ ], done);
 }
 function cleanup(done) {
@@ -73,6 +89,15 @@ describe('Groups API', function () {
 });
 });
+ it('cannot get groups as normal user', function (done) {
+ superagent.get(SERVER_URL + '/api/v1/groups')
+ .query({ access_token: token_1 })
+ .end(function (err, res) {
+ expect(res.statusCode).to.equal(403);
+ done();
+ });
+ });
+
 it('can get groups', function (done) {
 superagent.get(SERVER_URL + '/api/v1/groups')
 .query({ access_token: token })
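Review bot: `var token, token_1 = null;` initializes only token_1; token is left undefined where the removed line had it set to null, so any `token === null` comparison elsewhere in the file would no longer hold. If both are meant to start out null, write `var token = null, token_1 = null;` or one declaration per line, as `var server;` is. PASSWORD_1 is not referenced in any hunk visible here — the second user is created with `invite: false` and gets its token straight from tokendb — so if it is unused in the rest of the file too it can be dropped.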
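Review bot: The HACK token for the second user is written with a hard-coded `Date.now() + 100000` and a scope of `'*'`; if tokendb.add's fourth argument is an absolute expiry (its name is not visible in this hunk), that token goes stale roughly 100 seconds after setup, and any later test using token_1 would then fail with a status unrelated to the 403 it checks. Hoisting both values into named constants with a comment, e.g. `var TOKEN_1_EXPIRES_AT = Date.now() + 100000; // must outlive the whole suite`, would make the window deliberate rather than incidental. The wildcard scope also deserves a line of its own: `// scope '*' so usersScope admits the request and only requireAdmin can reject it` records that the 403 tests below exercise the admin check, not the scope check. setup's async.series array begins and ends outside this hunk.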
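Review bot: The new negative test reads `res.statusCode` without first asserting that `res` is defined; if the request fails at the transport level (err set, res undefined) the test dies with a TypeError instead of a readable assertion, whereas the setup code in this commit guards with `expect(result).to.be.ok()` first. Add `expect(res).to.be.ok();` ahead of the status check here and in the matching "cannot get existing group with normal user" test in the @@ -127 hunk, which has the same shape. The two tests also name their callback arguments differently (`err, res` here, `error, result` there); the setup code uses `error, result`, so that is the natural choice. A one-line comment such as `// group listing is admin-only: a normal user's token must be rejected before the handler runs` would record why the test exists.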
@@ -127,6 +152,15 @@ describe('Groups API', function () {
 });
 });
+ it('cannot get existing group with normal user', function (done) {
+ superagent.get(SERVER_URL + '/api/v1/groups/admin')
+ .query({ access_token: token_1 })
+ .end(function (error, result) {
+ expect(result.statusCode).to.equal(403);
+ done();
+ });
+ });
+
 it('can get existing group', function (done) {
 superagent.get(SERVER_URL + '/api/v1/groups/admin')
 .query({ access_token: token })
diff --git a/src/server.js b/src/server.js
index 7bc018875..d3e3646dd 100644
--- a/src/server.js
+++ b/src/server.js
@@ -110,9 +110,9 @@ function initializeExpressSync() {
 router.post('/api/v1/users/:userId/invite', usersScope, routes.user.requireAdmin, routes.user.sendInvite);
 // Group management
- router.get ('/api/v1/groups', usersScope, routes.groups.list);
+ router.get ('/api/v1/groups', usersScope, routes.user.requireAdmin, routes.groups.list);
 router.post('/api/v1/groups', usersScope, routes.user.requireAdmin, routes.groups.create);
- router.get ('/api/v1/groups/:groupId', usersScope, routes.groups.get);
+ router.get ('/api/v1/groups/:groupId', usersScope, routes.user.requireAdmin, routes.groups.get);
 router.del ('/api/v1/groups/:groupId', usersScope, routes.user.requireAdmin, routes.user.verifyPassword, routes.groups.remove);
 // form based login routes used by oauth2 frame
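Review bot: The route table gives no indication of why group reads are now restricted to admins, and the only record of the decision is the pair of 403 tests in groups-test.js; a comment on the block would keep the next editor from relaxing it, e.g. `// Group management: every group route is admin-only (requireAdmin). Listing or fetching a group exposes its membership, which is not for normal users; groups-test.js asserts 403 for a normal user on list and get.` The middleware order on the two changed lines (usersScope, then requireAdmin) matches the existing POST and DEL lines, so all four group routes are now gated consistently. What routes.groups.list and routes.groups.get return is not visible in this hunk, so whether either handler did per-user filtering before this change cannot be judged here; if one did, that code is now unreachable for non-admins and could be simplified in a follow-up.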