diff --git a/app/api/__init__.py b/app/api/__init__.py
index ba6cbb5..c862280 100644
--- a/app/api/__init__.py
+++ b/app/api/__init__.py
@@ -33,6 +33,22 @@ def protected(func):
     return protected_function
 
+def requires_permission(permission, action_name='Action'):
+    def requires_permission_decorator(func):
+        @wraps(func)
+        def permission_protected_function(*args, **kwargs):
+            if permission not in g.current_account.role.permissions:
+                abort(403,
+                      message=(action_name+' is not allowed'),
+                      status='error')
+            return func(*args, **kwargs)
+        return permission_protected_function
+    return requires_permission_decorator
+
+
 class ProtectedResource(Resource):
     method_decorators = [protected]
diff --git a/app/api/resources/account.py b/app/api/resources/account.py
index 02c8f25..c14f13e 100644
--- a/app/api/resources/account.py
+++ b/app/api/resources/account.py
@@ -4,7 +4,7 @@ from marshmallow import Schema, fields
 from webargs.flaskparser import use_args
 from flasgger import swag_from
 import app.accounts as accounts
-from app.api import ProtectedResource
+from app.api import ProtectedResource, requires_permission
 
 
 class UserSchema(Schema):
@@ -65,6 +65,7 @@ class RoleResource(ProtectedResource):
 class RolesResource(ProtectedResource):
     @use_args(RoleCreationWrapperSchema())
     @swag_from('swagger/create_role_spec.yaml')
+    @requires_permission('CREATE_ROLE', 'Role creation')
     def post(self, args):
         args = args['role']
         success = accounts.create_role(args['display_name'],
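Review bot: `permission_protected_function` reads `g.current_account.role.permissions` with no check that `protected` has already populated `g.current_account`, so if the decorator is ever applied to a method that is not wrapped by `protected` (or on a resource outside `ProtectedResource`), the failure is an AttributeError turned into a 500 rather than a 401, and the same applies if an account's `role` can be unset. The cheap guard is `account = getattr(g, 'current_account', None)` followed by `if account is None or account.role is None: abort(401, message='Authentication required', status='error')` before the membership test; the check itself is correctly deny-by-default. The decorator also has no docstring; I would add `"""Abort with 403 unless the authenticated account's role holds *permission*; relies on `protected` having set g.current_account, so it must sit inside that decorator."""`. The `g`, `abort` and `wraps` names are presumably already imported for `protected` above this hunk — worth confirming since the hunk does not show them. One blank line before `def requires_permission` where the file otherwise uses two is a PEP 8 nit.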
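Review bot: `@requires_permission('CREATE_ROLE', 'Role creation')` is the innermost decorator on `RolesResource.post`, below `@use_args`, so the request body is parsed and schema-validated before the permission check runs and a caller lacking CREATE_ROLE gets 400 validation feedback on the payload rather than an immediate 403. Moving the line above `@use_args(RoleCreationWrapperSchema())` puts the authorization decision before any input processing; `protected` still runs first either way because `method_decorators` wrap outermost, and ordering relative to `@swag_from` should not matter functionally if it only attaches spec metadata, though I have not verified that. The body of `post` continues outside the hunk.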