diff --git a/app/controllers/client_api/users/invitations_controller.rb b/app/controllers/client_api/users/invitations_controller.rb
index eef944984..f6636b516 100644
--- a/app/controllers/client_api/users/invitations_controller.rb
+++ b/app/controllers/client_api/users/invitations_controller.rb
@@ -33,7 +33,7 @@ module ClientApi
 def check_invite_users_permission
 @team = Team.find_by_id(params[:team_id])
- if @team && !is_admin_of_team(@team)
+ if @team && !can_create_user_team?(@team)
 respond_to do |format|
 format.json do
 render json: t('client_api.invite_users.permission_error'),
diff --git a/app/controllers/client_api/users/user_teams_controller.rb b/app/controllers/client_api/users/user_teams_controller.rb
index bf66fa4ff..afe4df565 100644
--- a/app/controllers/client_api/users/user_teams_controller.rb
+++ b/app/controllers/client_api/users/user_teams_controller.rb
@@ -3,6 +3,8 @@ module ClientApi
 class UserTeamsController < ApplicationController
 include ClientApi::Users::UserTeamsHelper
+ before_action :check_manage_user_team_permission
+
 def leave_team
 ut_service = ClientApi::UserTeamService.new(
 user: current_user,
@@ -44,6 +46,18 @@ module ClientApi
 private
+ def check_manage_user_team_permission
+ @user_team = UserTeam.find_by_id(params[:user_team])
+ unless can_update_or_delete_user_team?(@user_team)
+ respond_to do |format|
+ format.json do
+ render json: t('client_api.user_teams.permission_error'),
+ status: 422
+ end
+ end
+ end
+ end
+
 def success_response(template, locals)
 respond_to do |format|
 format.json do
diff --git a/app/permissions/team.rb b/app/permissions/team.rb
index 0a1f18e11..a3ee98f50 100644
--- a/app/permissions/team.rb
+++ b/app/permissions/team.rb
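Review bot: In `check_manage_user_team_permission` (hunk at @@ -44,6) a missing or unknown `params[:user_team]` makes `UserTeam.find_by_id` return nil, and that nil is passed straight into `can_update_or_delete_user_team?`; the registered permission block then evaluates `user_team.user` on nil, so the request most likely ends in a NoMethodError (500) instead of a controlled refusal, unless Canaid short-circuits a nil subject, which this diff does not show. The sibling filter in invitations_controller.rb keeps an explicit `@team &&` guard, so the consistent, fail-closed form here is `unless @user_team && can_update_or_delete_user_team?(@user_team)`, which renders the permission error when the record does not exist. The `before_action` added at @@ -3,6 has no `only:`, so it now runs for every action of UserTeamsController, including any outside this hunk that do not take a `user_team` parameter; those would be rejected unconditionally. `status: 422` for an authorization failure follows the invitations controller, though 403 describes the condition more accurately.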
@@ -1,5 +1,18 @@
 Canaid::Permissions.register_for(Team) do
+ # view projects
 can :read_team do |user, team|
 user.is_member_of_team?(team)
 end
+
+ # invite user to team
+ can :create_user_team do |user, team|
+ user.is_admin_of_team?(team)
+ end
+end
+
+Canaid::Permissions.register_for(UserTeam) do
+ # change user's role, remove user from team, leave team
+ can :update_or_delete_user_team do |user, user_team|
+ user == user_team.user || user.is_admin_of_team?(user_team.team)
+ end
 end
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 07ccd8802..f3d868cd5 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -1820,6 +1820,7 @@ en:
 invalid_arguments: "Invalid arguments"
 generic_error_message: "Something went wrong! Please try again later."
 user_teams:
+ permission_error: "You don't have permission to manage users."
 leave_team_error: "An error occured."
 leave_flash: "Successfuly left team %{team}."
 user:
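Review bot: The new `:update_or_delete_user_team` permission grants the row's own user the same right as a team admin, so a non-admin member satisfies it for their own UserTeam; since its comment says it also covers "change user's role" and UserTeamsController guards every action with this single check, a member would pass authorization when changing their own role, which is a privilege-escalation path if such an action exists (not visible in this diff). The self-match is only justified for leaving the team, so the admin-only operations should sit behind a separate permission and the controller filter should pick the right one per action. The block also dereferences `user_team.user` and `user_team.team` with no nil guard, so callers must check the object before asking, which the controller currently does not. A possible split (names are proposals):
```ruby
Canaid::Permissions.register_for(UserTeam) do
  # change user's role, remove user from team: admin only
  can :update_user_team do |user, user_team|
    user.is_admin_of_team?(user_team.team)
  end

  # leave team (own membership) or be removed by an admin
  can :update_or_delete_user_team do |user, user_team|
    user == user_team.user || user.is_admin_of_team?(user_team.team)
  end
end
```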