diff --git a/api/users.yml b/api/users.yml
index 53e9a6a2..2ed29469 100644
--- a/api/users.yml
+++ b/api/users.yml
@@ -46,7 +46,9 @@ paths:
         '400':
           description: Failed due to malformed query parameters.
         '401':
-          description: Missing or invalid access token provided.
+          description: |
+            Missing or invalid access token provided.
+            This endpoint is available only for administrators.
         '404':
           description: A non-existent entity request.
         '422':
diff --git a/users/service.go b/users/service.go
index 0366b01a..ae48ae55 100644
--- a/users/service.go
+++ b/users/service.go
@@ -251,11 +251,14 @@ func (svc usersService) ViewProfile(ctx context.Context, token string) (User, er
 }
 
 func (svc usersService) ListUsers(ctx context.Context, token string, offset, limit uint64, email string, m Metadata) (UserPage, error) {
-	_, err := svc.identify(ctx, token)
+	id, err := svc.identify(ctx, token)
 	if err != nil {
 		return UserPage{}, err
 	}
+	if err := svc.authorize(ctx, id.id, "authorities", "member"); err != nil {
+		return UserPage{}, errors.Wrap(ErrUnauthorizedAccess, err)
+	}
 	return svc.users.RetrieveAll(ctx, offset, limit, nil, email, m)
 }
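Review bot: The authorization denial on the new `if err := svc.authorize(...)` line in ListUsers is returned as `ErrUnauthorizedAccess`, the same sentinel used for a missing or invalid token, and the users.yml hunk documents the admin-only restriction under 401 accordingly; this conflates authentication with authorization, so a valid non-admin token and an unauthenticated request are indistinguishable to the client and to anyone reading access logs, whereas a denied-but-authenticated caller is conventionally a 403 (via a distinct forbidden sentinel, if the package has one). If returning 401 is a deliberate choice to hide the existence of admin endpoints, that intent deserves a one-line comment next to the check. The policy tuple `"authorities"`, `"member"` is hard-coded inline; naming it (`const authoritiesObject = "authorities"` / `const memberRelation = "member"`) and reusing it across the other admin-only methods keeps the definition of "administrator" in one place, since the spec text says administrators while the code checks membership of `authorities`. The wrapped `err` from `authorize` may also carry policy-backend detail to the client if the transport encoder renders wrapped errors verbatim — worth confirming what the error encoder exposes. Denying on any `authorize` error (including backend unavailability) is the right fail-closed behavior and should stay that way.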