diff --git a/src/accesscontrol.js b/src/accesscontrol.js
index 0f3fa7dbd..87edfd208 100644
--- a/src/accesscontrol.js
+++ b/src/accesscontrol.js
@@ -13,7 +13,7 @@ exports = module.exports = {
     SCOPE_USERS_READ: 'users:read',
     SCOPE_USERS_MANAGE: 'users:manage',
     SCOPE_APPSTORE: 'appstore',
-    VALID_SCOPES: [ 'apps', 'appstore', 'clients', 'cloudron', 'domains', 'mail', 'profile', 'settings', 'users' ],
+    VALID_SCOPES: [ 'apps', 'appstore', 'clients', 'cloudron', 'domains', 'mail', 'profile', 'settings', 'users' ], // keep this sorted
 
     SCOPE_ANY: '*',
 
@@ -49,13 +49,16 @@ var assert = require('assert'),
     debug = require('debug')('box:accesscontrol'),
     _ = require('underscore');
 
+// returns scopes that does not have wildcards and is sorted
 function canonicalScopeString(scope) {
-    return scope === exports.SCOPE_ANY ? exports.VALID_SCOPES.join(',') : scope;
+    if (scope === exports.SCOPE_ANY) return exports.VALID_SCOPES.join(',');
+
+    return scope.split(',').sort().join(',');
 }
 
 function intersectScopes(allowedScopes, wantedScopes) {
-    assert(Array.isArray(allowedScopes), 'Expecting array');
-    assert(Array.isArray(wantedScopes), 'Expecting array');
+    assert(Array.isArray(allowedScopes), 'Expecting sorted array');
+    assert(Array.isArray(wantedScopes), 'Expecting sorted array');
 
     return _.intersection(allowedScopes, wantedScopes);
 }
diff --git a/src/test/accesscontrol-test.js b/src/test/accesscontrol-test.js
index b2fa7aca7..9eea9099e 100644
--- a/src/test/accesscontrol-test.js
+++ b/src/test/accesscontrol-test.js
@@ -16,11 +16,7 @@ describe('access control', function () {
         });
 
         it('identity for non-*', function () {
-            expect(accesscontrol.canonicalScopeString('foo,bar')).to.be('foo,bar');
-        });
-
-        it('* is not expanded otherwise', function () {
-            expect(accesscontrol.canonicalScopeString('foo,bar,*')).to.be('foo,bar,*');
+            expect(accesscontrol.canonicalScopeString('foo,bar')).to.be('bar,foo'); // becomes sorted
         });
     });
 
@@ -35,7 +31,12 @@ describe('access control', function () {
         });
 
         it('everything is different', function () {
-            expect(accesscontrol.intersectScopes(['cloudron', 'domains' ], ['clients', 'apps'])).to.eql('');
+            expect(accesscontrol.intersectScopes(['cloudron', 'domains' ], ['clients', 'apps'])).to.eql([]);
+        });
+
+        xit('subscopes', function () {
+            expect(accesscontrol.intersectScopes(['apps:read' ], ['apps'])).to.eql(['apps:read']);
+            expect(accesscontrol.intersectScopes(['apps:read','profile','domains'], ['apps','domains:manage','profile'])).to.eql(['apps:read','domains:manage','profile']);
         });
     });