diff --git a/scm-it/src/test/java/sonia/scm/it/PermissionsITCase.java b/scm-it/src/test/java/sonia/scm/it/PermissionsITCase.java
index 07e2a36534..6335907e76 100644
--- a/scm-it/src/test/java/sonia/scm/it/PermissionsITCase.java
+++ b/scm-it/src/test/java/sonia/scm/it/PermissionsITCase.java
@@ -53,6 +53,7 @@ import static org.junit.Assert.assertEquals;
 import static sonia.scm.it.RepositoryUtil.addAndCommitRandomFile;
 import static sonia.scm.it.RestUtil.given;
 import static sonia.scm.it.ScmTypes.availableScmTypes;
+import static sonia.scm.it.TestData.callUserPermissions;
 
 @RunWith(Parameterized.class)
 public class PermissionsITCase {
@@ -61,6 +62,7 @@ public class PermissionsITCase {
   public static final String USER_PASS = "pass";
   private static final String USER_WRITE = "user_write";
   private static final String USER_OWNER = "user_owner";
+  private static final String USER_OTHER = "user_other";
 
   @Rule
   public TemporaryFolder temporaryFolder = new TemporaryFolder();
@@ -87,29 +89,56 @@ public class PermissionsITCase {
     TestData.createUserPermission(USER_WRITE, PermissionType.WRITE, repositoryType);
     TestData.createUser(USER_OWNER, USER_PASS);
     TestData.createUserPermission(USER_OWNER, PermissionType.OWNER, repositoryType);
+    TestData.createUser(USER_OTHER, USER_PASS);
     createdPermissions = 3;
   }
 
   @Test
-  public void everyUserShouldSeePermissions() {
+  public void readUserShouldSeePermissions() {
     List<Object> userPermissions = TestData.getUserPermissions(USER_READ, USER_PASS, repositoryType);
     assertEquals(userPermissions.size(), createdPermissions);
-    userPermissions = TestData.getUserPermissions(USER_WRITE, USER_PASS, repositoryType);
-    assertEquals(userPermissions.size(), createdPermissions);
-    userPermissions = TestData.getUserPermissions(USER_OWNER, USER_PASS, repositoryType);
-    assertEquals(userPermissions.size(), createdPermissions);
   }
 
   @Test
-  public void everyUserShouldCloneRepository() throws IOException {
+  public void writeUserShouldSeePermissions() {
+    List<Object> userPermissions = TestData.getUserPermissions(USER_WRITE, USER_PASS, repositoryType);
+    assertEquals(userPermissions.size(), createdPermissions);
+  }
+
+  @Test
+  public void ownerShouldSeePermissions() {
+    List<Object> userPermissions = TestData.getUserPermissions(USER_OWNER, USER_PASS, repositoryType);
+    assertEquals(userPermissions.size(), createdPermissions);
+  }
+
+  @Test
+  public void otherUserShouldNotSeePermissions() {
+    callUserPermissions(USER_OTHER, USER_PASS, repositoryType, HttpStatus.SC_FORBIDDEN);
+  }
+
+  @Test
+  public void readUserShouldCloneRepository() throws IOException {
     RepositoryClient client = RepositoryUtil.createRepositoryClient(repositoryType, temporaryFolder.newFolder(), USER_READ, USER_PASS);
     assertEquals(1, Objects.requireNonNull(client.getWorkingCopy().list()).length);
-    client = RepositoryUtil.createRepositoryClient(repositoryType, temporaryFolder.newFolder(), USER_WRITE, USER_PASS);
+  }
+
+  @Test
+  public void writeUserShouldCloneRepository() throws IOException {
+    RepositoryClient client = RepositoryUtil.createRepositoryClient(repositoryType, temporaryFolder.newFolder(), USER_WRITE, USER_PASS);
     assertEquals(1, Objects.requireNonNull(client.getWorkingCopy().list()).length);
-    client = RepositoryUtil.createRepositoryClient(repositoryType, temporaryFolder.newFolder(), USER_OWNER, USER_PASS);
+  }
+
+  @Test
+  public void ownerShouldCloneRepository() throws IOException {
+    RepositoryClient client = RepositoryUtil.createRepositoryClient(repositoryType, temporaryFolder.newFolder(), USER_OWNER, USER_PASS);
     assertEquals(1, Objects.requireNonNull(client.getWorkingCopy().list()).length);
   }
 
+  @Test
+  public void otherUserShouldNotCloneRepository() {
+    TestData.callRepository(USER_OTHER, USER_PASS, repositoryType, HttpStatus.SC_FORBIDDEN);
+  }
+
   @Test(expected = RepositoryClientException.class)
   public void userWithReadPermissionShouldBeNotAuthorizedToCommit() throws IOException {
     createAndCommit(USER_READ);
diff --git a/scm-it/src/test/java/sonia/scm/it/RepositoryUtil.java b/scm-it/src/test/java/sonia/scm/it/RepositoryUtil.java
index 6706fba21d..e755f3c3c1 100644
--- a/scm-it/src/test/java/sonia/scm/it/RepositoryUtil.java
+++ b/scm-it/src/test/java/sonia/scm/it/RepositoryUtil.java
@@ -8,14 +8,11 @@ import sonia.scm.repository.Person;
 import sonia.scm.repository.client.api.ClientCommand;
 import sonia.scm.repository.client.api.RepositoryClient;
 import sonia.scm.repository.client.api.RepositoryClientFactory;
-import sonia.scm.web.VndMediaType;
 
 import java.io.File;
 import java.io.IOException;
 import java.util.UUID;
 
-import static sonia.scm.it.RestUtil.given;
-
 public class RepositoryUtil {
 
   private static final RepositoryClientFactory REPOSITORY_CLIENT_FACTORY = new RepositoryClientFactory();
@@ -25,13 +22,7 @@ public class RepositoryUtil {
   }
 
   static RepositoryClient createRepositoryClient(String repositoryType, File folder, String username, String password) throws IOException {
-    String httpProtocolUrl = given(VndMediaType.REPOSITORY, username, password)
-
-      .when()
-      .get(TestData.getDefaultRepositoryUrl(repositoryType))
-
-      .then()
-      .statusCode(HttpStatus.SC_OK)
+    String httpProtocolUrl = TestData.callRepository(username, password, repositoryType, HttpStatus.SC_OK)
       .extract()
       .path("_links.httpProtocol.href");
 
diff --git a/scm-it/src/test/java/sonia/scm/it/TestData.java b/scm-it/src/test/java/sonia/scm/it/TestData.java
index e9177807eb..b758c81c0e 100644
--- a/scm-it/src/test/java/sonia/scm/it/TestData.java
+++ b/scm-it/src/test/java/sonia/scm/it/TestData.java
@@ -1,5 +1,6 @@
 package sonia.scm.it;
 
+import io.restassured.response.ValidatableResponse;
 import org.apache.http.HttpStatus;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -22,7 +23,7 @@ public class TestData {
 
   public static final String USER_SCM_ADMIN = "scmadmin";
   public static final String USER_ANONYMOUS = "anonymous";
-private static final List<String> PROTECTED_USERS = asList(USER_SCM_ADMIN, USER_ANONYMOUS);
+  private static final List<String> PROTECTED_USERS = asList(USER_SCM_ADMIN, USER_ANONYMOUS);
 
   private static Map<String, String> DEFAULT_REPOSITORIES = new HashMap<>();
 
@@ -48,7 +49,7 @@ private static final List<String> PROTECTED_USERS = asList(USER_SCM_ADMIN, USER_
         "                \"active\": true,\n" +
         "                \"admin\": false,\n" +
         "                \"creationDate\": \"2018-08-21T12:26:46.084Z\",\n" +
-        "                \"displayName\": \""+username+"\",\n" +
+        "                \"displayName\": \"" + username + "\",\n" +
         "                \"mail\": \"user1@scm-manager.org\",\n" +
         "                \"name\": \"" + username + "\",\n" +
         "                \"password\": \"" + password + "\",\n" +
@@ -66,8 +67,8 @@ private static final List<String> PROTECTED_USERS = asList(USER_SCM_ADMIN, USER_
     given(VndMediaType.PERMISSION)
       .when()
       .content("{\n" +
-        "\t\"type\": \""+permissionType.name()+"\",\n" +
-        "\t\"name\": \""+name+"\",\n" +
+        "\t\"type\": \"" + permissionType.name() + "\",\n" +
+        "\t\"name\": \"" + name + "\",\n" +
         "\t\"groupPermission\": false\n" +
         "\t\n" +
         "}")
@@ -77,18 +78,32 @@ private static final List<String> PROTECTED_USERS = asList(USER_SCM_ADMIN, USER_
     ;
   }
 
- public static List<Object> getUserPermissions(String username, String password, String repositoryType) {
-   return given(VndMediaType.PERMISSION, username, password)
-     .when()
-     .get(TestData.getDefaultPermissionUrl(repositoryType))
-     .then()
-     .statusCode(HttpStatus.SC_OK)
-     .extract()
-     .body().jsonPath().getList("");
- }
+  public static List<Object> getUserPermissions(String username, String password, String repositoryType) {
+    return callUserPermissions(username, password, repositoryType, HttpStatus.SC_OK)
+      .extract()
+      .body().jsonPath().getList("");
+  }
 
-  private static String getDefaultPermissionUrl(String repositoryType) {
-    return getDefaultRepositoryUrl(repositoryType)+"/permissions/";
+  public static ValidatableResponse callUserPermissions(String username, String password, String repositoryType, int expectedStatusCode) {
+    return given(VndMediaType.PERMISSION, username, password)
+      .when()
+      .get(TestData.getDefaultPermissionUrl(repositoryType))
+      .then()
+      .statusCode(expectedStatusCode);
+  }
+
+  public static ValidatableResponse callRepository(String username, String password, String repositoryType, int expectedStatusCode) {
+    return given(VndMediaType.REPOSITORY, username, password)
+
+      .when()
+      .get(getDefaultRepositoryUrl(repositoryType))
+
+      .then()
+      .statusCode(expectedStatusCode);
+  }
+
+  public static String getDefaultPermissionUrl(String repositoryType) {
+    return getDefaultRepositoryUrl(repositoryType) + "/permissions/";
   }