diff --git a/library/Icingadb/Authentication/ObjectAuthorization.php b/library/Icingadb/Authentication/ObjectAuthorization.php
index b18cb5f9..27f8dd3c 100644
--- a/library/Icingadb/Authentication/ObjectAuthorization.php
+++ b/library/Icingadb/Authentication/ObjectAuthorization.php
@@ -197,7 +197,7 @@ class ObjectAuthorization
         }
 
         foreach ($this->getAuth()->getUser()->getRoles() as $role) {
-            if (! $role->grants($permission)) {
+            if (! $role->grants($permission) || $role->denies($permission)) {
                 continue;
             }