diff --git a/app/policies/ticket/article_policy.rb b/app/policies/ticket/article_policy.rb
index 31309643b..e01c85a36 100644
--- a/app/policies/ticket/article_policy.rb
+++ b/app/policies/ticket/article_policy.rb
@@ -55,9 +55,9 @@ class Ticket::ArticlePolicy < ApplicationPolicy
   end
 
   def access?(query)
-    return false if record.internal == true && !user.permissions?('ticket.agent')
-
     ticket = Ticket.lookup(id: record.ticket_id)
+    return false if record.internal == true && !TicketPolicy.new(user, ticket).agent_read_access?
+
     Pundit.authorize(user, ticket, query)
   end
 end
diff --git a/app/policies/ticket_policy.rb b/app/policies/ticket_policy.rb
index 87ab085fd..fd56de931 100644
--- a/app/policies/ticket_policy.rb
+++ b/app/policies/ticket_policy.rb
@@ -41,6 +41,10 @@ class TicketPolicy < ApplicationPolicy
     raise Exceptions::UnprocessableEntity, 'Cannot follow-up on a closed ticket. Please create a new ticket.'
   end
 
+  def agent_read_access?
+    agent_access?('read')
+  end
+
   private
 
   def access?(access)
diff --git a/spec/factories/role.rb b/spec/factories/role.rb
index 6b2842562..55e6ae265 100644
--- a/spec/factories/role.rb
+++ b/spec/factories/role.rb
@@ -8,6 +8,10 @@ FactoryBot.define do
     permissions { Permission.where(name: 'ticket.agent') }
   end
 
+  trait :customer do
+    permissions { Permission.where(name: 'ticket.customer') }
+  end
+
   trait :admin do
     permissions { Permission.where(name: 'admin') }
   end
diff --git a/spec/policies/ticket/article_policy_spec.rb b/spec/policies/ticket/article_policy_spec.rb
index e469dec36..6b8d1be54 100644
--- a/spec/policies/ticket/article_policy_spec.rb
+++ b/spec/policies/ticket/article_policy_spec.rb
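Review bot: The new guard in `access?` calls `TicketPolicy.new(user, ticket).agent_read_access?` on whatever `Ticket.lookup(id: record.ticket_id)` returned, so if the lookup yields nil for an article whose ticket no longer exists, the internal-article check would presumably fail with a NoMethodError inside the policy rather than denying cleanly; `return false if ticket.nil?` placed right after the lookup keeps the failure mode a denial. The `record.internal == true` comparison is carried into the new line and could read `record.internal` if the attribute is strictly boolean — that is inferred, so keep `== true` if `internal` can hold other values. A comment above the guard would help the next reader, e.g. `# Internal articles require agent read access to the ticket; customer access alone is not enough.` The whole of `access?` is inside the hunk.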
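Review bot: `agent_read_access?` becomes part of TicketPolicy's public surface with no documentation, and its reason to exist next to the private `access?(access)` is not visible from the two-line body; a comment such as `# True when the user may read the ticket through agent (group) permissions alone; used by Ticket::ArticlePolicy to gate internal articles.` would record the contract callers now depend on. Whether `agent_access?('read')` indeed ignores the customer path is inferred from its name, as its definition is outside the hunk — adjust the wording if it does not. Since the only coverage added in this commit goes through the article policy, a dedicated example for the new predicate on TicketPolicy would pin that behaviour directly.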
@@ -29,6 +29,15 @@ describe Ticket::ArticlePolicy do
     it { is_expected.to permit_actions(%i[show]) }
   end
 
+  context 'when agent and customer but no agent group access' do
+    let(:user) do
+      customer_role = create(:role, :customer)
+      create(:agent_and_customer, roles: [customer_role])
+    end
+
+    it { is_expected.not_to permit_actions(%i[show]) }
+  end
+
   context 'when customer' do
     let(:user) { ticket_customer }