diff --git a/src/api2/config/tape_encryption_keys.rs b/src/api2/config/tape_encryption_keys.rs
index dcaab904..46781130 100644
--- a/src/api2/config/tape_encryption_keys.rs
+++ b/src/api2/config/tape_encryption_keys.rs
@@ -7,12 +7,17 @@ use proxmox::{
         ApiMethod,
         Router,
         RpcEnvironment,
+        Permission,
     },
     tools::fs::open_file_locked,
 };
 
 use crate::{
     config::{
+        acl::{
+            PRIV_TAPE_AUDIT,
+            PRIV_TAPE_MODIFY,
+        },
         tape_encryption_keys::{
             TAPE_KEYS_LOCKFILE,
             load_keys,
@@ -44,6 +49,9 @@ use crate::{
         type: Array,
         items: { type: KeyInfo },
     },
+    access: {
+        permission: &Permission::Privilege(&["tape", "pool"], PRIV_TAPE_AUDIT, false),
+    },
 )]
 /// List existing keys
 pub fn list_keys(
@@ -93,6 +101,9 @@ pub fn list_keys(
             },
         },
     },
+    access: {
+        permission: &Permission::Privilege(&["tape", "pool"], PRIV_TAPE_MODIFY, false),
+    },
 )]
 /// Change the encryption key's password (and password hint).
 pub fn change_passphrase(
@@ -161,6 +172,9 @@ pub fn change_passphrase(
     returns: {
         schema: TAPE_ENCRYPTION_KEY_FINGERPRINT_SCHEMA,
     },
+    access: {
+        permission: &Permission::Privilege(&["tape", "pool"], PRIV_TAPE_MODIFY, false),
+    },
 )]
 /// Create a new encryption key
 pub fn create_key(
@@ -198,6 +212,9 @@ pub fn create_key(
     returns: {
         type: KeyInfo,
     },
+    access: {
+        permission: &Permission::Privilege(&["tape", "pool"], PRIV_TAPE_AUDIT, false),
+    },
 )]
 /// Get key config (public key part)
 pub fn read_key(
@@ -232,6 +249,9 @@ pub fn read_key(
             },
         },
     },
+    access: {
+        permission: &Permission::Privilege(&["tape", "pool"], PRIV_TAPE_MODIFY, false),
+    },
 )]
 /// Remove a encryption key from the database
 ///