diff --git a/controllers/middleware.go b/controllers/middleware.go
index a7e6902c..2e321d6f 100644
--- a/controllers/middleware.go
+++ b/controllers/middleware.go
@@ -33,6 +33,9 @@ func userMiddleWare(handler http.Handler) http.Handler {
 if strings.Contains(r.URL.Path, "ingress") {
 r.Header.Set("TARGET_RSRC", models.RemoteAccessGwRsrc.String())
 }
+ if strings.Contains(r.URL.Path, "createrelay") || strings.Contains(r.URL.Path, "deleterelay") {
+ r.Header.Set("TARGET_RSRC", models.RelayRsrc.String())
+ }
 if strings.Contains(r.URL.Path, "gateway") {
 r.Header.Set("TARGET_RSRC", models.EgressGwRsrc.String())
 }
diff --git a/pro/controllers/relay.go b/pro/controllers/relay.go
index a3bacab6..8fb5ba3f 100644
--- a/pro/controllers/relay.go
+++ b/pro/controllers/relay.go
@@ -19,8 +19,8 @@ import (
 // RelayHandlers - handle Pro Relays
 func RelayHandlers(r *mux.Router) {
- r.HandleFunc("/api/nodes/{network}/{nodeid}/createrelay", controller.Authorize(false, true, "user", http.HandlerFunc(createRelay))).Methods(http.MethodPost)
- r.HandleFunc("/api/nodes/{network}/{nodeid}/deleterelay", controller.Authorize(false, true, "user", http.HandlerFunc(deleteRelay))).Methods(http.MethodDelete)
+ r.HandleFunc("/api/nodes/{network}/{nodeid}/createrelay", logic.SecurityCheck(true, http.HandlerFunc(createRelay))).Methods(http.MethodPost)
+ r.HandleFunc("/api/nodes/{network}/{nodeid}/deleterelay", logic.SecurityCheck(true, http.HandlerFunc(deleteRelay))).Methods(http.MethodDelete)
 r.HandleFunc("/api/v1/host/{hostid}/failoverme", controller.Authorize(true, false, "host", http.HandlerFunc(failOverME))).Methods(http.MethodPost)
 }
diff --git a/pro/controllers/users.go b/pro/controllers/users.go
index ff9d7808..ca8edc3f 100644
--- a/pro/controllers/users.go
+++ b/pro/controllers/users.go
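Review bot: The new relay branch matches `createrelay`/`deleterelay` anywhere in `r.URL.Path`, and the `gateway` branch that follows it then overwrites `TARGET_RSRC` whenever the caller-supplied `{network}` segment of `/api/nodes/{network}/{nodeid}/createrelay` happens to contain that word, so such a relay request would be evaluated against the egress-gateway resource rather than `RelayRsrc`. Matching the final path segment avoids the ambiguity: `if strings.HasSuffix(r.URL.Path, "/createrelay") || strings.HasSuffix(r.URL.Path, "/deleterelay") {`. The existing `ingress` and `gateway` checks have the same shape, but they predate this commit. userMiddleWare begins before and continues after this hunk.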
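Review bot: The `true` handed to `logic.SecurityCheck` on the two relay routes is an undocumented positional flag, and from this hunk it is not visible whether it makes the routes admin-only or only requires an authenticated user before the `TARGET_RSRC`-driven network-role check runs; the two readings differ in which users may create or delete relays, so the intent deserves a line at the call site, e.g. `// SecurityCheck(true, …): <placeholder: meaning of the flag>; relay rights are then resolved per network from TARGET_RSRC`. Since `failoverme` keeps `controller.Authorize(true, false, "host", …)`, RelayHandlers now mixes host-authenticated and user-authenticated routes in one table, which the `// RelayHandlers - handle Pro Relays` comment could state explicitly.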
@@ -33,7 +33,7 @@ func UserHandlers(r *mux.Router) {
 // User Role Handlers
 r.HandleFunc("/api/v1/users/roles", logic.SecurityCheck(true, http.HandlerFunc(listRoles))).Methods(http.MethodGet)
- r.HandleFunc("/api/v1/users/role", getRole).Methods(http.MethodGet)
+ r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(getRole))).Methods(http.MethodGet)
 r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(createRole))).Methods(http.MethodPost)
 r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(updateRole))).Methods(http.MethodPut)
 r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(deleteRole))).Methods(http.MethodDelete)
diff --git a/pro/logic/security.go b/pro/logic/security.go
index 4eb571de..4d328bcd 100644
--- a/pro/logic/security.go
+++ b/pro/logic/security.go
@@ -47,7 +47,7 @@ func NetworkPermissionsCheck(username string, r *http.Request) error {
 // check for global network role
 if netRoles, ok := user.NetworkRoles[models.AllNetworks]; ok {
 for netRoleID := range netRoles {
- err = checkNetworkAccessPermissions(netRoleID, username, r.Method, targetRsrc, targetRsrcID)
+ err = checkNetworkAccessPermissions(netRoleID, username, r.Method, targetRsrc, targetRsrcID, netID)
 if err == nil {
 return nil
 }
@@ -55,7 +55,7 @@ func NetworkPermissionsCheck(username string, r *http.Request) error {
 }
 netRoles := user.NetworkRoles[models.NetworkID(netID)]
 for netRoleID := range netRoles {
- err = checkNetworkAccessPermissions(netRoleID, username, r.Method, targetRsrc, targetRsrcID)
+ err = checkNetworkAccessPermissions(netRoleID, username, r.Method, targetRsrc, targetRsrcID, netID)
 if err == nil {
 return nil
 }
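Review bot: The GET registration of `/api/v1/users/role` was the only one of the four methods on that path without `logic.SecurityCheck`, an omission that survived because nothing exercised the route table as a whole; a test that sends an unauthenticated request to each method registered on `/api/v1/users/role` and `/api/v1/users/roles` and asserts rejection would keep this from silently returning. The remainder of UserHandlers lies outside the hunk.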
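Review bot: `checkNetworkAccessPermissions` is now called with five consecutive `string` arguments (`username, r.Method, targetRsrc, targetRsrcID, netID`), and this hunk, the hunk at -55 and the hunk at -65 each spell the call out by hand, so a transposed argument at any of the three would compile without complaint. The three loops are also identical apart from the map they range over, which makes one helper that takes the role map the natural place to keep the call right. The `err` from the last iteration is not reported when every role denies, so a caller only ever sees the generic `access denied` below; that is pre-existing, but worth a comment if it is intentional. NetworkPermissionsCheck begins before and ends after this hunk.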
@@ -65,7 +65,7 @@ func NetworkPermissionsCheck(username string, r *http.Request) error {
 if err == nil {
 netRoles := userG.NetworkRoles[models.NetworkID(netID)]
 for netRoleID := range netRoles {
- err = checkNetworkAccessPermissions(netRoleID, username, r.Method, targetRsrc, targetRsrcID)
+ err = checkNetworkAccessPermissions(netRoleID, username, r.Method, targetRsrc, targetRsrcID, netID)
 if err == nil {
 return nil
 }
@@ -76,7 +76,7 @@ func NetworkPermissionsCheck(username string, r *http.Request) error {
 return errors.New("access denied")
 }
-func checkNetworkAccessPermissions(netRoleID models.UserRoleID, username, reqScope, targetRsrc, targetRsrcID string) error {
+func checkNetworkAccessPermissions(netRoleID models.UserRoleID, username, reqScope, targetRsrc, targetRsrcID, netID string) error {
 networkPermissionScope, err := logic.GetRole(netRoleID)
 if err != nil {
 return err
@@ -96,7 +96,7 @@ func checkNetworkAccessPermissions(netRoleID models.UserRoleID, username, reqSco
 if allRsrcsTypePermissionScope, ok := rsrcPermissionScope[models.RsrcID(fmt.Sprintf("all_%s", targetRsrc))]; ok {
 // handle extclient apis here
 if models.RsrcType(targetRsrc) == models.ExtClientsRsrc && allRsrcsTypePermissionScope.SelfOnly && targetRsrcID != "" {
- extclient, err := logic.GetExtClient(targetRsrcID, networkPermissionScope.NetworkID.String())
+ extclient, err := logic.GetExtClient(targetRsrcID, netID)
 if err != nil {
 return err
 }
diff --git a/pro/logic/user_mgmt.go b/pro/logic/user_mgmt.go
index 5bf90a3a..0578a87e 100644
--- a/pro/logic/user_mgmt.go
+++ b/pro/logic/user_mgmt.go
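Review bot: The new `netID` parameter is undocumented, and the function carries no doc comment on either side of the change even though its contract shifted: the ext-client lookup further down now uses the request's network instead of `networkPermissionScope.NetworkID`. A comment above the signature such as `// checkNetworkAccessPermissions returns nil when the role netRoleID permits reqScope on targetRsrc/targetRsrcID, and an error otherwise. netID is the network of the incoming request, not the role's NetworkID, so that roles scoped to AllNetworks resolve per-network resources (e.g. ext clients) correctly.` would record why the caller's value is threaded through. The function body continues past this hunk.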
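Review bot: Only this one use of `networkPermissionScope.NetworkID` is replaced by `netID`; if the stretch of the function between the two hunks (not shown) still consults `networkPermissionScope.NetworkID` for anything request-specific, it keeps the old mismatch for `AllNetworks` roles, so that part is worth checking before merge. The derivation of `netID` is also outside the hunk; if it can be empty at this point, `logic.GetExtClient(targetRsrcID, netID)` would be asked for a client in the empty network, and an explicit `if netID == "" { return errors.New("access denied") }` ahead of the lookup would make that case deliberate rather than dependent on what GetExtClient does with it.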
@@ -576,7 +576,13 @@ func GetFilteredNodesByUserAccess(user models.User, nodes []models.Node) (filter
 if err != nil {
 continue
 }
- networkNodes := logic.GetNetworkNodesMemory(nodes, userPermTemplate.NetworkID.String())
+ var networkNodes []models.Node
+ if userPermTemplate.NetworkID == models.AllNetworks {
+ networkNodes = nodes
+ } else {
+ networkNodes = logic.GetNetworkNodesMemory(nodes, userPermTemplate.NetworkID.String())
+ }
+
 if userPermTemplate.FullAccess {
 for _, node := range networkNodes {
 nodesMap[node.ID.String()] = struct{}{}
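Review bot: The `var`/`if`/`else` block at the top of the hunk reads more directly as a default with a single override: `networkNodes := nodes` followed by `if userPermTemplate.NetworkID != models.AllNetworks { networkNodes = logic.GetNetworkNodesMemory(nodes, userPermTemplate.NetworkID.String()) }`. In the `AllNetworks` case `networkNodes` now aliases the caller's `nodes` slice; within the hunk it is only ranged over, but if the rest of the loop body (outside the hunk) appends to or reorders it, that would write through to the caller's data where the previous per-network result presumably did not. A one-line comment, `// AllNetworks roles see every node, so no per-network filtering applies`, would make the branch's intent explicit. GetFilteredNodesByUserAccess begins before and ends after this hunk.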