diff --git a/backend/internal/user.js b/backend/internal/user.js
index d13931d54a..fad0de2838 100644
--- a/backend/internal/user.js
+++ b/backend/internal/user.js
@@ -87,7 +87,13 @@ const internalUser = {
 }
 return access
- .can("users:update", data.id)
+ .can("users:permissions", data.id)
+ .catch(() => {
+ delete data.roles;
+ })
+ .then(() => {
+ return access.can("users:update", data.id);
+ })
 .then(() => {
 // Make sure that the user being updated doesn't change their email to another user that is already using it
 // 1. get user we want to update
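Review bot: The `.catch(() => { delete data.roles; })` added after `access.can("users:permissions", data.id)` swallows every rejection, so a failure unrelated to authorization is handled exactly like a denial and never surfaces, and a caller who submits `roles` without the permission gets a normal success with the field quietly dropped. Consider stripping `roles` only when the rejection is the denial that `access.can` produces, rethrowing anything else, and logging when a submitted `roles` value is discarded so an attempted role change by an unprivileged account leaves a trace. The intent also deserves a comment above the catch, for example `// Without users:permissions, ignore any submitted roles instead of failing the whole update`. Only `roles` is removed here; if the update payload can carry other privilege-bearing fields they need the same gate, and an allowlist of updatable fields would be more robust than deleting a single key. The enclosing update function starts and ends outside the hunk, so how `data` is validated before this point is not visible.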