diff --git a/ee/initialize.go b/ee/initialize.go
index bc25b3ae..ff577e7d 100644
--- a/ee/initialize.go
+++ b/ee/initialize.go
@@ -48,6 +48,9 @@ func setControllerLimits() {
 	logic.Clients_Limit = Limits.Clients
 	logic.Free_Tier = Limits.FreeTier
 	servercfg.Is_EE = true
+	if logic.Free_Tier {
+		logic.Networks_Limit = 3
+	}
 }
 
 func resetFailover() {
diff --git a/ee/types.go b/ee/types.go
index 2e6a7c41..f59d21fd 100644
--- a/ee/types.go
+++ b/ee/types.go
@@ -17,6 +17,7 @@ var Limits = GlobalLimits{
 	Users:    0,
 	Nodes:    0,
 	Clients:  0,
+	Networks: 0,
 	FreeTier: false,
 }
 
diff --git a/logic/pro/networkuser.go b/logic/pro/networkuser.go
index 0cf8d95b..75958194 100644
--- a/logic/pro/networkuser.go
+++ b/logic/pro/networkuser.go
@@ -217,10 +217,9 @@ func IsUserClientAllowed(clients []models.ExtClient, network, userID, clientID s
 
 // IsUserNetAdmin - checks if a user is a net admin or not
 func IsUserNetAdmin(network, userID string) bool {
-	var isAdmin bool
 	user, err := GetNetworkUser(network, promodels.NetworkUserID(userID))
 	if err != nil {
-		return isAdmin
+		return false
 	}
 	return user.AccessLevel == NET_ADMIN
 }
diff --git a/logic/security.go b/logic/security.go
index e373d722..1b57dc8b 100644
--- a/logic/security.go
+++ b/logic/security.go
@@ -159,10 +159,10 @@ func UserPermissions(reqAdmin bool, netname string, token string) ([]string, str
 		return []string{ALL_NETWORK_ACCESS}, username, nil
 	}
 	// check network admin access
-	if len(netname) > 0 && (!authenticateNetworkUser(netname, userNetworks) || len(userNetworks) == 0) {
+	if len(netname) > 0 && (len(userNetworks) == 0 || !authenticateNetworkUser(netname, userNetworks)) {
 		return nil, username, Unauthorized_Err
 	}
-	if isEE && !pro.IsUserNetAdmin(netname, username) {
+	if isEE && len(netname) > 0 && !pro.IsUserNetAdmin(netname, username) {
 		return nil, "", Unauthorized_Err
 	}
 	return userNetworks, username, nil
@@ -181,7 +181,7 @@ func authenticateNetworkUser(network string, userNetworks []string) bool {
 	return StringSliceContains(userNetworks, network)
 }
 
-//Consider a more secure way of setting master key
+// Consider a more secure way of setting master key
 func authenticateDNSToken(tokenString string) bool {
 	tokens := strings.Split(tokenString, " ")
 	if len(tokens) < 2 {