diff --git a/pkg/rbac/rbac.go b/pkg/rbac/rbac.go
index b0c1d047b..0602a8f77 100644
--- a/pkg/rbac/rbac.go
+++ b/pkg/rbac/rbac.go
@@ -72,6 +72,14 @@ func CompileAndAuthorize(actorPermission Permission, toUpdate []Permission) (Per
 }
 permission = permission | update
 }
+ // Ensure impled permissions. The actor must also have the impled permissions by definition.
+ for has, needs := range requiredPermission {
+ if Can(permission, has) {
+ for _, required := range needs {
+ permission = permission | required
+ }
+ }
+ }
 return permission, nil
 }
 
@@ -145,6 +153,21 @@ const (
 UserWrite = 1 << iota
 )
 
+// --
+// Required / Implied permissions.
+// Write permissions require subordinate read.
+// --
+
+var (
+ // requiredPermissions is not exported since maps cannot be constant.
+ requiredPermission = map[Permission][]Permission{
+ APIKeyWrite: {APIKeyRead},
+ SettingsWrite: {SettingsRead},
+ MobileAppWrite: {MobileAppRead},
+ UserWrite: {UserRead},
+ }
+)
+
 // --
 // Legacy permissions
 // --
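Review bot: The implied bits are OR-ed into `permission` after the authorization step, and the new loop only tests `Can(permission, has)` on the compiled result — it never checks `Can(actorPermission, required)`, so the comment's claim that the actor "must also have the impled permissions by definition" is assumed, not enforced. That holds only if every stored actor permission was itself produced by this function; a permission set that came from the legacy constants or was written to the store directly could yield a compiled result containing a read bit the actor was never granted. Consider guarding the grant with `if !Can(actorPermission, required) { return 0, <the error the preceding per-update check returns> }` before the OR, or at least documenting the invariant that actor permissions are always compiled through this path. Note also that a single pass over a map is not transitive — with the current write→read table that is harmless, but if an entry ever implies another key in the table the result would depend on map iteration order, so either loop to a fixpoint or state in the comment that only one level of implication is supported. Minor: `impled` → `implied`; the enclosing `CompileAndAuthorize` body starts outside this hunk.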
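Review bot: The doc comment on the table names `requiredPermissions` while the variable declared on the next line is `requiredPermission`; the comment should match the identifier, and as a package-level map it should also say that callers must not mutate it. The header states that "Write permissions require subordinate read", but nothing ties the table to the `const` block above it — a `*Write` constant added later without a matching entry silently gets no implied read, which is exactly the kind of drift this table exists to prevent. Suggest adding `// Every *Write permission declared above must have an entry here; add one when adding a permission.` and, if the project has tests for this package, a test asserting that each write constant has a key in the map.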