diff --git a/accounts/pkg/service/v0/accounts.go b/accounts/pkg/service/v0/accounts.go
index dc128cabb4..193a041c3b 100644
--- a/accounts/pkg/service/v0/accounts.go
+++ b/accounts/pkg/service/v0/accounts.go
@@ -65,12 +65,7 @@ func (s Service) hasAccountManagementPermissions(ctx context.Context) bool {
 // get roles from context
 roleIDs, ok := roles.ReadRoleIDsFromContext(ctx)
 if !ok {
- /**
- * FIXME: with this we are skipping permission checks on all requests that are coming in without roleIDs in the
- * metadata context. This is a huge security impairment, as that's the case not only for grpc requests but also
- * for unauthenticated http requests and http requests coming in without hitting the ocis-proxy first.
- */
- return true
+ return false
 }
 // check if permission is present in roles of the authenticated account