diff --git a/controller/northbound/server/auth_interceptor.go b/controller/northbound/server/auth_interceptor.go
index cc127da9bbf47e3e7670ab25948331b642a8d7ca..96b11971ec603ed40b898522a52562e97b994ade 100644
--- a/controller/northbound/server/auth_interceptor.go
+++ b/controller/northbound/server/auth_interceptor.go
@@ -35,6 +35,11 @@ func (auth AuthInterceptor) Unary() grpc.UnaryServerInterceptor {
 		case *apb.CreateUsersRequest:
 			if len(r.User) < 2 {
 				return handler(ctx, req)
+			} else {
+				err := auth.authorize(ctx, info.FullMethod)
+				if err != nil {
+					return nil, err
+				}
 			}
 		default:
 			err := auth.authorize(ctx, info.FullMethod)
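Review bot: The added `else` branch is unnecessary because the preceding `if` ends with `return handler(ctx, req)`; the happy path reads better left-aligned, with the authorization call placed directly after the `if` at case level as `if err := auth.authorize(ctx, info.FullMethod); err != nil { return nil, err }`. The `len(r.User) < 2` path still lets a CreateUsersRequest through without any token check, which appears intended (presumably to bootstrap the first account) but is the kind of deliberate exception that deserves a comment naming why it is safe, e.g. `// Creating the first user happens before any token exists, so it is not authorized.`, so a later reader does not remove or widen it by accident. Unary's body starts and ends outside this hunk.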
@@ -80,7 +85,16 @@ func (auth AuthInterceptor) authorize(ctx context.Context, method string) error
 			return err
 		}
 
-		err = verifyPermisisonForRequestedCall(claims, method)
+		user, err := userc.Get(store.Query{Name: claims.Username})
+		if err != nil {
+			return err
+		}
+
+		if user.GetToken() != token {
+			return status.Errorf(codes.PermissionDenied, "invalid token")
+		}
+
+		err = verifyPermisisonForRequestedCall(user.GetRoles(), method)
 		if err != nil {
 			return err
 		}
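Review bot: `status.Errorf(codes.PermissionDenied, "invalid token")` uses the wrong gRPC code for a credential mismatch: `codes.Unauthenticated` is the conventional code for missing or invalid credentials, while PermissionDenied means the caller is authenticated but lacks rights, and clients and proxies treat the two differently. The comparison `user.GetToken() != token` is also a plain string compare; for a secret check the constant-time form `subtle.ConstantTimeCompare([]byte(user.GetToken()), []byte(token)) != 1` (crypto/subtle) avoids leaking how many leading bytes matched. The error from `userc.Get` is returned unwrapped, so an unknown username surfaces whatever the store produces rather than a gRPC status, and it distinguishes "unknown user" from "bad token" in a way a caller can observe; mapping both to the same Unauthenticated status is safer. `token` and `claims` are defined earlier in authorize, outside this hunk.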
@@ -91,13 +105,8 @@ func (auth AuthInterceptor) authorize(ctx context.Context, method string) error
 	return nil
 }
 
-func verifyPermisisonForRequestedCall(claims *rbac.UserClaims, requestedMethod string) error {
-	user, err := userc.Get(store.Query{Name: claims.Username})
-	if err != nil {
-		return err
-	}
-
-	roles, err := rolec.GetAll()
+func verifyPermisisonForRequestedCall(userRoles map[string]string, requestedMethod string) error {
+	storedRoles, err := rolec.GetAll()
 	if err != nil {
 		return err
 	}
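Review bot: The commit rewrites the signature of `verifyPermisisonForRequestedCall` but keeps the misspelling in its name; since the only call site visible (`err = verifyPermisisonForRequestedCall(user.GetRoles(), method)`) is touched in the same commit, renaming to `verifyPermissionForRequestedCall` here would cost nothing. The function also has no doc comment; with the new parameter a line such as `// verifyPermissionForRequestedCall returns nil when one of userRoles carries a permission equal to requestedMethod, after loading all stored roles via rolec.GetAll().` would state the contract. Note that `rolec.GetAll()` is now executed on every authorized call; whether that is cheap depends on the role store, which is not visible here. The function body continues past this hunk.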
@@ -106,10 +115,10 @@ func verifyPermisisonForRequestedCall(claims *rbac.UserClaims, requestedMethod s
 	// first loop through map with roles associated to user
 	// second loop check if name of user role exists in roles
 	// third loop check if role associated to current user has permission for call
-	for _, userRole := range user.GetRoles() {
-		for _, role := range roles {
-			if userRole == role.Name() {
-				for _, permission := range role.GetPermissions() {
+	for _, userRole := range userRoles {
+		for _, storedRole := range storedRoles {
+			if userRole == storedRole.Name() {
+				for _, permission := range storedRole.GetPermissions() {
 					if permission == requestedMethod {
 						return nil
 					}
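Review bot: `for _, userRole := range userRoles` ranges over the values of a `map[string]string` and compares them with `storedRole.Name()`; if `GetRoles()` keys the map by role name (with the value being something else), this comparison never matches and every call is denied, so the intended field should be confirmed and the loop comment on the lines above adjusted to say whether keys or values hold the role names. The triple nesting also re-scans all stored roles for every user role; indexing `storedRoles` by `Name()` into a map once before the loop would reduce this to a lookup per user role and make the intent clearer. verifyPermisisonForRequestedCall continues past this hunk.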