diff --git a/src/routes/test/common.js b/src/routes/test/common.js
index f4babea22..296bf7abb 100644
--- a/src/routes/test/common.js
+++ b/src/routes/test/common.js
@@ -31,6 +31,14 @@ exports = module.exports = {
         token: null
     },
 
+    admin: {
+        id: null,
+        username: 'administrator',
+        password: 'Foobar?1339',
+        email: 'admin@cloudron.local',
+        token: null
+    },
+
     user: {
         id: null,
         username: 'user',
@@ -54,7 +62,7 @@ async function setupServer() {
 }
 
 async function setup() {
-    const owner = exports.owner, serverUrl = exports.serverUrl, user = exports.user;
+    const owner = exports.owner, serverUrl = exports.serverUrl, user = exports.user, admin = exports.admin;
 
     await setupServer();
     await safe(fs.promises.unlink(support._sshInfo().filePath));
@@ -74,6 +82,16 @@ async function setup() {
     owner.token = response.body.token;
     owner.id = response.body.userId;
 
+    // create an admin
+    response = await superagent.post(`${serverUrl}/api/v1/users`)
+        .query({ access_token: owner.token })
+        .send({ username: admin.username, email: admin.email, password: admin.password });
+    expect(response.status).to.equal(201);
+    admin.id = response.body.id;
+    // HACK to get a token for second user (passwords are generated and the user should have gotten a password setup link...)
+    const token1 = await tokens.add({ identifier: admin.id, clientId: 'test-client-id', expires: Date.now() + (60 * 60 * 1000), name: 'fromtest' });
+    admin.token = token1.accessToken;
+
     // create user
     response = await superagent.post(`${serverUrl}/api/v1/users`)
         .query({ access_token: owner.token })
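Review bot: The `admin` fixture provisioned in the third hunk (`// create an admin` through `admin.token = token1.accessToken;`) goes through the same plain `POST /api/v1/users` call as `user`, and nothing in this diff grants it an admin role, so unless a role is assigned elsewhere it is simply a second ordinary user; the 'admin also cannot open tickets' case added to support-test.js in this commit would then exercise the same authorization path as the normal-user case rather than an elevated role. If the users API accepts a role on creation (or the project has a role-update endpoint), set it here and assert the elevated role with a follow-up request before minting the token; otherwise rename the fixture so the test names do not overstate what is covered. The copied comment above `const token1` should read `// HACK to get a token for the admin user (passwords are generated and the user should have gotten a password setup link...)`. The admin and user provisioning blocks differ only in the target object, so a small helper inside setup() would remove the duplication and the `token1`/`token2` renaming; setup() continues outside the hunk.
```javascript
async function setup() {
    // … unchanged: setupServer, owner activation …

    // creates a user through the API and mints a test-only access token for it
    async function createUserWithToken(target) {
        const res = await superagent.post(`${serverUrl}/api/v1/users`)
            .query({ access_token: owner.token })
            .send({ username: target.username, email: target.email, password: target.password });
        expect(res.status).to.equal(201);
        target.id = res.body.id;
        // HACK: passwords are generated and the user would normally get a password setup link
        const token = await tokens.add({ identifier: target.id, clientId: 'test-client-id', expires: Date.now() + (60 * 60 * 1000), name: 'fromtest' });
        target.token = token.accessToken;
    }

    await createUserWithToken(admin);
    await createUserWithToken(user);
    // … unchanged: appstore token setting …
```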
@@ -81,8 +99,8 @@ async function setup() {
     expect(response.status).to.equal(201);
     user.id = response.body.id;
     // HACK to get a token for second user (passwords are generated and the user should have gotten a password setup link...)
-    const token = await tokens.add({ identifier: user.id, clientId: 'test-client-id', expires: Date.now() + (60 * 60 * 1000), name: 'fromtest' });
-    user.token = token.accessToken;
+    const token2 = await tokens.add({ identifier: user.id, clientId: 'test-client-id', expires: Date.now() + (60 * 60 * 1000), name: 'fromtest' });
+    user.token = token2.accessToken;
 
     await settings._set(settings.APPSTORE_API_TOKEN_KEY, exports.appstoreToken); // appstore token
 }
diff --git a/src/routes/test/eventlog-test.js b/src/routes/test/eventlog-test.js
index 8992f6644..35ae57403 100644
--- a/src/routes/test/eventlog-test.js
+++ b/src/routes/test/eventlog-test.js
@@ -101,7 +101,7 @@ describe('Eventlog API', function () {
             .query({ access_token: owner.token, page: 1, per_page: 10, actions: 'cloudron.activate, user.add' });
 
         expect(response.statusCode).to.equal(200);
-        expect(response.body.eventlogs.length).to.equal(3);
+        expect(response.body.eventlogs.length).to.equal(4);
     });
 
     it('succeeds with search', async function () {
diff --git a/src/routes/test/support-test.js b/src/routes/test/support-test.js
index 6684d7b16..6528d04fb 100644
--- a/src/routes/test/support-test.js
+++ b/src/routes/test/support-test.js
@@ -13,7 +13,7 @@ const common = require('./common.js'),
     superagent = require('superagent');
 
 describe('Support API', function () {
-    const { setup, cleanup, serverUrl, owner, mockApiServerOrigin, appstoreToken } = common;
+    const { setup, cleanup, serverUrl, owner, mockApiServerOrigin, appstoreToken, user, admin } = common;
 
     before(setup);
     after(cleanup);
@@ -169,7 +169,25 @@ describe('Support API', function () {
         expect(scope2.isDone()).to.be.ok();
     });
 
-    it('succeeds with app type', async function () {
+    it('normal user cannot open tickets', async function () {
+        const response = await superagent.post(`${serverUrl}/api/v1/support/ticket`)
+            .send({ type: 'app_missing', subject: 'some subject', description: 'some description' })
+            .query({ access_token: user.token })
+            .ok(() => true);
+
+        expect(response.statusCode).to.equal(403);
+    });
+
+    it('admin also cannot open tickets', async function () {
+        const response = await superagent.post(`${serverUrl}/api/v1/support/ticket`)
+            .send({ type: 'app_missing', subject: 'some subject', description: 'some description' })
+            .query({ access_token: admin.token })
+            .ok(() => true);
+
+        expect(response.statusCode).to.equal(403);
+    });
+
+    it('owner can open tickets', async function () {
         const scope2 = nock(mockApiServerOrigin)
             .filteringRequestBody(function (/* unusedBody */) { return ''; }) // strip out body
             .post(`/api/v1/ticket?accessToken=${appstoreToken}`)
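Review bot: The two new negative tests only check the 403 status; neither asserts that the rejection happened before any ticket request left for the mock appstore, which is the property an authorization test on a proxying endpoint should pin. Whether an unexpected `/api/v1/ticket` call would be noticed depends on nock's global settings, which are outside this hunk. Registering an interceptor in each negative test, `const scope = nock(mockApiServerOrigin).post(`/api/v1/ticket?accessToken=${appstoreToken}`).reply(201, {});`, asserting `expect(scope.isDone()).to.equal(false);` after the 403, and then calling `nock.cleanAll();` would make that explicit; the cleanup matters because an unconsumed interceptor would otherwise be consumed by the owner test's request and break its own `scope2.isDone()` check. The two tests build the identical request and differ only in the token, so a small `postTicketAs(token)` helper in this describe block would keep them in sync. The owner test continues outside the hunk.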