diff --git a/src/backend/routes/PersonRouter.ts b/src/backend/routes/PersonRouter.ts
index 456ac890..ecd17070 100644
--- a/src/backend/routes/PersonRouter.ts
+++ b/src/backend/routes/PersonRouter.ts
@@ -33,7 +33,7 @@ export class PersonRouter {
     app.get(['/api/person'],
       // common part
       AuthenticationMWs.authenticate,
-      AuthenticationMWs.authorise(UserRoles.User),
+      AuthenticationMWs.authorise(Config.Client.Faces.readAccessMinRole),
       VersionMWs.injectGalleryVersion,
 
       // specific part
diff --git a/src/common/config/public/ClientConfig.ts b/src/common/config/public/ClientConfig.ts
index d1da3ac1..8c320904 100644
--- a/src/common/config/public/ClientConfig.ts
+++ b/src/common/config/public/ClientConfig.ts
@@ -149,6 +149,8 @@ export module ClientConfig {
     keywordsToPersons: boolean = true;
     @ConfigProperty({type: UserRoles})
     writeAccessMinRole: UserRoles = UserRoles.Admin;
+    @ConfigProperty({type: UserRoles})
+    readAccessMinRole: UserRoles = UserRoles.User;
   }
 
   @SubConfigClass()
diff --git a/src/frontend/app/ui/frame/frame.component.html b/src/frontend/app/ui/frame/frame.component.html
index c507204f..ce656e54 100644
--- a/src/frontend/app/ui/frame/frame.component.html
+++ b/src/frontend/app/ui/frame/frame.component.html
@@ -17,7 +17,7 @@
            [routerLink]="['/gallery']"
            [queryParams]="queryService.getParams()" i18n>Gallery</a>
       </li>
-      <li class="nav-item" [routerLinkActive]="['active']" *ngIf="facesEnabled">
+      <li class="nav-item" [routerLinkActive]="['active']" *ngIf="isFacesAvailable()">
         <a class="nav-link" [routerLink]="['/faces']" i18n>Faces</a>
       </li>
     </ul>
diff --git a/src/frontend/app/ui/frame/frame.component.ts b/src/frontend/app/ui/frame/frame.component.ts
index 3275d47f..65521743 100644
--- a/src/frontend/app/ui/frame/frame.component.ts
+++ b/src/frontend/app/ui/frame/frame.component.ts
@@ -20,7 +20,6 @@ export class FrameComponent {
   public readonly authenticationRequired = Config.Client.authenticationRequired;
   public readonly title = Config.Client.applicationTitle;
   collapsed = true;
-  facesEnabled = Config.Client.Faces.enabled;
 
   constructor(private _authService: AuthenticationService,
               public notificationService: NotificationService,
@@ -33,6 +32,10 @@ export class FrameComponent {
     return this.user.value && this.user.value.role >= UserRoles.Admin;
   }
 
+  isFacesAvailable() {
+    return Config.Client.Faces.enabled && this.user.value && this.user.value.role >= Config.Client.Faces.readAccessMinRole;
+  }
+
 
   logout() {
     this._authService.logout();