diff --git a/internal/services/v1/permissions.go b/internal/services/v1/permissions.go
index b0b5c47848..84ce45eabc 100644
--- a/internal/services/v1/permissions.go
+++ b/internal/services/v1/permissions.go
@@ -545,6 +545,10 @@ func (ps *permissionServer) LookupResources(req *v1.LookupResourcesRequest, resp
 func (ps *permissionServer) LookupSubjects(req *v1.LookupSubjectsRequest, resp v1.PermissionsService_LookupSubjectsServer) error {
 	ctx := resp.Context()
 
+	if req.OptionalConcreteLimit != 0 {
+		return ps.rewriteError(ctx, status.Errorf(codes.Unimplemented, "concrete limit is not yet supported"))
+	}
+
 	atRevision, revisionReadAt, err := consistency.RevisionFromContext(ctx)
 	if err != nil {
 		return ps.rewriteError(ctx, err)
diff --git a/internal/services/v1/permissions_test.go b/internal/services/v1/permissions_test.go
index ff0bd11f59..1b23c61017 100644
--- a/internal/services/v1/permissions_test.go
+++ b/internal/services/v1/permissions_test.go
@@ -855,6 +855,36 @@ func TestTranslateExpansionTree(t *testing.T) {
 	}
 }
 
+func TestLookupSubjectsWithConcreteLimit(t *testing.T) {
+	conn, cleanup, _, revision := testserver.NewTestServer(require.New(t), testTimedeltas[0], memdb.DisableGC, true, tf.StandardDatastoreWithData)
+	client := v1.NewPermissionsServiceClient(conn)
+	t.Cleanup(cleanup)
+
+	ctx := context.Background()
+
+	lsClient, err := client.LookupSubjects(ctx, &v1.LookupSubjectsRequest{
+		Resource: &v1.ObjectReference{
+			ObjectType: "document",
+			ObjectId:   "masterplan",
+		},
+		Permission:        "view",
+		SubjectObjectType: "user",
+		Consistency: &v1.Consistency{
+			Requirement: &v1.Consistency_AtLeastAsFresh{
+				AtLeastAsFresh: zedtoken.MustNewFromRevision(revision),
+			},
+		},
+		OptionalConcreteLimit: 2,
+	})
+	require.NoError(t, err)
+	for {
+		_, err := lsClient.Recv()
+		require.Error(t, err)
+		grpcutil.RequireStatus(t, codes.Unimplemented, err)
+		return
+	}
+}
+
 func TestLookupSubjects(t *testing.T) {
 	testCases := []struct {
 		resource        *v1.ObjectReference