diff --git a/src/apps.js b/src/apps.js
index 19a502f68..dba558299 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -182,22 +182,16 @@ function validateAccessRestriction(accessRestriction) {
 
     if (accessRestriction === null) return null;
 
-    var noUsers = true, noGroups = true;
-
     if (accessRestriction.users) {
         if (!Array.isArray(accessRestriction.users)) return new AppsError(AppsError.BAD_FIELD, 'users array property required');
         if (!accessRestriction.users.every(function (e) { return typeof e === 'string'; })) return new AppsError(AppsError.BAD_FIELD, 'All users have to be strings');
-        noUsers = accessRestriction.users.length === 0;
     }
 
     if (accessRestriction.groups) {
         if (!Array.isArray(accessRestriction.groups)) return new AppsError(AppsError.BAD_FIELD, 'groups array property required');
         if (!accessRestriction.groups.every(function (e) { return typeof e === 'string'; })) return new AppsError(AppsError.BAD_FIELD, 'All groups have to be strings');
-        noGroups = accessRestriction.groups.length === 0;
     }
 
-    if (noUsers && noGroups) return new AppsError(AppsError.BAD_FIELD, 'users and groups array cannot both be empty');
-
     // TODO: maybe validate if the users and groups actually exist
     return null;
 }
diff --git a/src/nginx.js b/src/nginx.js
index b103c0f60..f26b990d2 100644
--- a/src/nginx.js
+++ b/src/nginx.js
@@ -30,8 +30,7 @@ function requiresOAuthProxy(app) {
     if (tmp === null) return false;
     if (app.manifest.addons['ldap'] || app.manifest.addons['oauth'] || app.manifest.addons['simpleauth']) return false;
 
-    // check if any restrictions are set
-    return !!((tmp.users && tmp.users.length) || (tmp.groups && tmp.groups.length));
+    return true;
 }
 
 function configureAdmin(certFilePath, keyFilePath, callback) {
diff --git a/src/test/apps-test.js b/src/test/apps-test.js
index 9387c1758..607a0cdda 100644
--- a/src/test/apps-test.js
+++ b/src/test/apps-test.js
@@ -225,7 +225,7 @@ describe('Apps', function () {
             expect(apps._validateAccessRestriction({ users: {} })).to.be.an(Error);
         });
 
-        it('does not allow no user input', function () {
+        it('allows no user input', function () {
             expect(apps._validateAccessRestriction({ users: [] })).to.be.an(Error);
         });