diff --git a/app/assets/javascripts/app/controllers/_profile/token_access.coffee b/app/assets/javascripts/app/controllers/_profile/token_access.coffee
index e02b88562..b80ae775a 100644
--- a/app/assets/javascripts/app/controllers/_profile/token_access.coffee
+++ b/app/assets/javascripts/app/controllers/_profile/token_access.coffee
@@ -1,7 +1,7 @@
 class Index extends App.ControllerContent
 requiredPermission: 'user_preferences.access_token'
 events:
- 'click [data-type=delete]': 'delete'
+ 'click .js-delete': 'delete'
 'submit form.js-create': 'create'
 constructor: ->
@@ -22,24 +22,35 @@ class Index extends App.ControllerContent
 type: 'GET'
 url: "#{@apiPath}/user_access_token"
 success: (data) =>
+ tokens = data.tokens
 # verify is rerender is needed
- if !force && @lastestUpdated && data && data[0] && @lastestUpdated.updated_at is data[0].updated_at
+ if !force && @lastestUpdated && tokens && tokens[0] && @lastestUpdated.updated_at is tokens[0].updated_at
 return
- @lastestUpdated = data[0]
- @data = data
+ @lastestUpdated = tokens[0]
+ @tokens = data.tokens
+ @permissions = data.permissions
 @render()
 )
 render: =>
 @html App.view('profile/token_access')(
- tokens: @data
+ tokens: @tokens
+ permissions: @permissions
 )
 create: (e) =>
 e.preventDefault()
 params = @formParam(e.target)
+ # check if min one permission exists
+ if _.isEmpty(params['permission'])
+ alert('Min. one permission is needed!')
+ return
+
+ if !_.isArray(params['permission'])
+ params['permission'] = [params['permission']]
+
 @ajax(
 id: 'user_access_token_create'
 type: 'POST'
diff --git a/app/assets/javascripts/app/views/generic/permission.jst.eco b/app/assets/javascripts/app/views/generic/permission.jst.eco
index 20646a163..101e1ecb7 100644
--- a/app/assets/javascripts/app/views/generic/permission.jst.eco
+++ b/app/assets/javascripts/app/views/generic/permission.jst.eco
@@ -1,4 +1,4 @@
-
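Review bot: In `create` in token_access.coffee the minimum-one-permission check exists only in the browser, so the server-side `create` action, which is not part of this diff, has to enforce it again and also reject any submitted permission name the current user does not hold. Separately, the success callback now reads `tokens = data.tokens` ahead of the old `data &&` guard, so an empty response raises instead of being skipped; `tokens = data?.tokens` followed by `@tokens = tokens` keeps the guard meaningful. The body of `create` continues past the end of the hunk.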
+
<% for permission in @permissions: %> <% if !permission.name.match(/\./): %>
+ +
+ +
+ <% for permission in @permissions: %> + <% if !permission.name.match(/\./): %> + + <% else: %> +
+ +
+ <% end %> + <% end %> +
+ +
+ @@ -24,6 +51,7 @@ <%- @T('Name') %> + <%- @T('Permission') %> <%- @T('Created') %>
- <%- @Icon('trash') %> + <%- @Icon('trash') %>
<% end %>
diff --git a/app/controllers/user_access_token_controller.rb b/app/controllers/user_access_token_controller.rb
index c6f759ad4..906a55da8 100644
--- a/app/controllers/user_access_token_controller.rb
+++ b/app/controllers/user_access_token_controller.rb
@@ -1,7 +1,7 @@
 # Copyright (C) 2012-2014 Zammad Foundation, http://zammad-foundation.org/
 class UserAccessTokenController < ApplicationController
- before_action :authentication_check
+ before_action { authentication_check(permission: 'user_preferences.access_token') }
 def index
 tokens = Token.where(action: 'api', persistent: true, user_id: current_user.id).order('updated_at DESC, label ASC')
@@ -12,7 +12,25 @@ class UserAccessTokenController < ApplicationController
 attributes.delete('name')
 token_list.push attributes
 }
- model_index_render_result(token_list)
+ local_permissions = current_user.permissions
+ local_permissions_new = {}
+ local_permissions.each { |key, _value|
+ keys = Object.const_get('Permission').with_parents(key)
+ keys.each { |local_key|
+ next if local_permissions_new[local_key]
+ local_permissions_new[local_key] = false
+ }
+ }
+ permissions = []
+ Permission.all.order(:name).each { |permission|
+ next if !local_permissions_new.key?(permission.name)
+ permissions.push permission
+ }
+
+ render json: {
+ tokens: token_list,
+ permissions: permissions,
+ }, status: :ok
 end
 def create
diff --git a/app/controllers/user_devices_controller.rb b/app/controllers/user_devices_controller.rb
index 3b9c9a3da..d2105f984 100644
--- a/app/controllers/user_devices_controller.rb
+++ b/app/controllers/user_devices_controller.rb
@@ -1,7 +1,7 @@
 # Copyright (C) 2012-2014 Zammad Foundation, http://zammad-foundation.org/
 class UserDevicesController < ApplicationController
- before_action :authentication_check
+ before_action { authentication_check(permission: 'user_preferences.device') }
 def index
 devices = UserDevice.where(user_id: current_user.id).order('updated_at DESC, name ASC')
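Review bot: The block-form filter gates every action of UserAccessTokenController on `user_preferences.access_token`, and that includes `create`; if `authentication_check` (defined outside this diff) also admits requests authenticated by an API token, a token holding this one permission could be used to issue further tokens. That is worth confirming and recording above the filter, for example `# token management: confirm whether token-authenticated requests may reach create/destroy`. The same filter form is added in user_devices_controller.rb with `user_preferences.device`.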
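Review bot: `with_parents(key)` widens the offered list to parent permission names, so a user who holds only a child such as `user_preferences.access_token` is presumably also offered its parent; unless token use is checked against the user's own permissions as well (not visible here), a token scoped to the parent would be broader than its owner. `permissions.push permission` also serialises whole Permission records where the view probably needs only a few fields. `Object.const_get('Permission')` is the same constant referenced directly a few lines later, so `keys = Permission.with_parents(key)` reads better, and the full-table loop can become `Permission.where(name: local_permissions_new.keys).order(:name)`. The `index` method starts above the hunk.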