diff --git a/admin/app/controllers/settings/emailserver/emailserver.controller.js b/admin/app/controllers/settings/emailserver/emailserver.controller.js
index 41d453c1..b6407355 100644
--- a/admin/app/controllers/settings/emailserver/emailserver.controller.js
+++ b/admin/app/controllers/settings/emailserver/emailserver.controller.js
@@ -1,10 +1,16 @@
 'use strict';
-app.controller('EmailServerController', function($scope, $translate,$uibModal, EmailServerService,toaster,SweetAlert) {
-
-
+app.controller('EmailServerController', function($scope,
+ $window,
+ $translate,
+ $uibModal,
+ EmailServerService,
+ toaster,
+ SweetAlert) {
+ $scope.cur_user = JSON.parse($window.localStorage.getItem("myems_admin_ui_current_user"));
 $scope.getAllEmailServers = function() {
- EmailServerService.getAllEmailServers(function (response) {
+ let headers = { "User-UUID": $scope.cur_user.uuid, "Token": $scope.cur_user.token };
+ EmailServerService.getAllEmailServers(headers, function (response) {
 if (angular.isDefined(response.status) && response.status === 200) {
 $scope.emailservers = response.data;
 } else {
@@ -28,7 +34,8 @@ app.controller('EmailServerController', function($scope, $translate,$uibModal, E
 }
 });
 modalInstance.result.then(function(emailserver) {
- EmailServerService.addEmailServer(emailserver, function (response) {
+ let headers = { "User-UUID": $scope.cur_user.uuid, "Token": $scope.cur_user.token };
+ EmailServerService.addEmailServer(emailserver, headers, function (response) {
 if (angular.isDefined(response.status) && response.status === 201) {
 toaster.pop({
 type: "success",
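Review bot: The new `$scope.cur_user = JSON.parse($window.localStorage.getItem("myems_admin_ui_current_user"));` in the first hunk evaluates to `null` when that key is absent, so the `$scope.cur_user.uuid` reads in the `let headers` lines throw a TypeError before any request is sent; guard it, e.g. `|| {}`, or send the user to the login view when it is null. The same `let headers = {...}` literal is then repeated in the add hunk here and again in the edit and delete hunks that follow; one helper inside the controller, `function authHeaders() { return { "User-UUID": $scope.cur_user.uuid, "Token": $scope.cur_user.token }; }`, keeps the header names in a single place. The controller body continues past the end of each hunk.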
@@ -67,7 +74,8 @@ app.controller('EmailServerController', function($scope, $translate,$uibModal, E
 });
 modalInstance.result.then(function (modifiedEmailServer) {
- EmailServerService.editEmailServer(modifiedEmailServer,function (response){
+ let headers = { "User-UUID": $scope.cur_user.uuid, "Token": $scope.cur_user.token };
+ EmailServerService.editEmailServer(modifiedEmailServer, headers, function (response){
 if(angular.isDefined(response.status) && response.status === 200){
 toaster.pop({
 type: "success",
@@ -103,7 +111,8 @@ app.controller('EmailServerController', function($scope, $translate,$uibModal, E
 closeOnCancel: true
 }, function (isConfirm) {
 if (isConfirm) {
- EmailServerService.deleteEmailServer(emailserver, function (response) {
+ let headers = { "User-UUID": $scope.cur_user.uuid, "Token": $scope.cur_user.token };
+ EmailServerService.deleteEmailServer(emailserver, headers, function (response) {
 if (angular.isDefined(response.status) && response.status === 204) {
 toaster.pop({
 type: "success",
diff --git a/admin/app/controllers/users/user/user.controller.js b/admin/app/controllers/users/user/user.controller.js
index 42301675..71063a83 100644
--- a/admin/app/controllers/users/user/user.controller.js
+++ b/admin/app/controllers/users/user/user.controller.js
@@ -8,7 +8,6 @@ app.controller('UserController', function ($scope,
 toaster,
 $translate,
 SweetAlert) {
- $scope.cur_user = JSON.parse($window.localStorage.getItem("myems_admin_ui_current_user"));
 $scope.getAllUsers = function () {
 let headers = { "User-UUID": $scope.cur_user.uuid, "Token": $scope.cur_user.token };
diff --git a/admin/app/services/settings/emailserver/emailserver.service.js b/admin/app/services/settings/emailserver/emailserver.service.js
index 46f6e6f6..fedd7b08 100644
--- a/admin/app/services/settings/emailserver/emailserver.service.js
+++ b/admin/app/services/settings/emailserver/emailserver.service.js
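Review bot: The user.controller.js hunk removes the only visible `$scope.cur_user` assignment while the `let headers = { "User-UUID": $scope.cur_user.uuid, "Token": $scope.cur_user.token };` line just below still reads it, so `getAllUsers` would throw a TypeError unless another assignment survives outside the hunk (the controller's opening lines and the rest of its body are not shown). If this is deduplicating a second copy of that line, the commit message should say so; otherwise the assignment should stay, `$scope.cur_user = JSON.parse($window.localStorage.getItem("myems_admin_ui_current_user"));`, as the emailserver controller in this same commit now does.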
@@ -1,8 +1,8 @@
 'use strict';
 app.factory('EmailServerService', function($http) {
 return {
- getAllEmailServers:function(callback){
- $http.get(getAPI()+'emailservers')
+ getAllEmailServers:function(headers, callback){
+ $http.get(getAPI()+'emailservers', {headers})
 .then(function (response) {
 callback(response);
 }, function (response) {
@@ -17,32 +17,32 @@ app.factory('EmailServerService', function($http) {
 callback(response);
 });
 },
- addEmailServer: function(emailserver, callback) {
- $http.post(getAPI()+'emailservers',{data:emailserver})
+ addEmailServer: function(emailserver, headers, callback) {
+ $http.post(getAPI()+'emailservers', {data:emailserver}, {headers})
 .then(function (response) {
 callback(response);
 }, function (response) {
 callback(response);
 });
 },
- editEmailServer: function(emailserver, callback) {
- $http.put(getAPI()+'emailservers/'+emailserver.id,{data:emailserver})
+ editEmailServer: function(emailserver, headers, callback) {
+ $http.put(getAPI()+'emailservers/' + emailserver.id, {data:emailserver}, {headers})
 .then(function (response) {
 callback(response);
 }, function (response) {
 callback(response);
 });
 },
- deleteEmailServer: function(emailserver, callback) {
- $http.delete(getAPI()+'emailservers/'+emailserver.id)
+ deleteEmailServer: function(emailserver, headers, callback) {
+ $http.delete(getAPI()+'emailservers/' + emailserver.id, {headers})
 .then(function (response) {
 callback(response);
 }, function (response) {
 callback(response);
 });
 },
- getEmailServer: function(id, callback) {
- $http.get(getAPI()+'emailservers/'+id)
+ getEmailServer: function(emailserver, headers, callback) {
+ $http.get(getAPI()+'emailservers/' + emailserver.id, {headers})
 .then(function (response) {
 callback(response);
 }, function (response) {
diff --git a/myems-api/core/emailserver.py b/myems-api/core/emailserver.py
index 2603c3b7..ac69286a 100644
--- a/myems-api/core/emailserver.py
+++ b/myems-api/core/emailserver.py
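Review bot: `getEmailServer` in the second hunk changes its first parameter from an `id` to an `emailserver` object, so a caller that still passes an id now builds the URL `getAPI()+'emailservers/' + undefined`; none of the controller hunks in this commit update such a caller, so the change looks like an unintended contract break rather than part of the header work. Keeping the id-based contract while adding the headers, `getEmailServer: function(id, headers, callback) {` with `$http.get(getAPI()+'emailservers/' + id, {headers})`, avoids that. The hunk ends inside `getEmailServer`'s error handler, so the rest of the factory is not visible here.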
@@ -4,7 +4,7 @@ import mysql.connector
 import config
 import base64
 import re
-from core.useractivity import user_logger
+from core.useractivity import user_logger, access_control
 class EmailServerCollection:
@@ -19,6 +19,7 @@ class EmailServerCollection:
 @staticmethod
 def on_get(req, resp):
+ access_control(req)
 cnx = mysql.connector.connect(**config.myems_fdd_db)
 cursor = cnx.cursor()
@@ -48,6 +49,7 @@ class EmailServerCollection:
 @user_logger
 def on_post(req, resp):
 """Handles POST requests"""
+ access_control(req)
 try:
 raw_json = req.stream.read().decode('utf-8')
 except Exception as ex:
@@ -150,6 +152,7 @@ class EmailServerItem:
 @staticmethod
 def on_get(req, resp, id_):
+ access_control(req)
 if not id_.isdigit() or int(id_) <= 0:
 raise falcon.HTTPError(falcon.HTTP_400, '400 Bad Request')
@@ -179,6 +182,8 @@ class EmailServerItem:
 @staticmethod
 @user_logger
 def on_delete(req, resp, id_):
+ """Handles DELETE requests"""
+ access_control(req)
 if not id_.isdigit() or int(id_) <= 0:
 raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST', description='API.INVALID_EMAIL_SERVER_ID')
@@ -207,6 +212,7 @@ class EmailServerItem:
 @user_logger
 def on_put(req, resp, id_):
 """Handles PUT requests"""
+ access_control(req)
 try:
 raw_json = req.stream.read().decode('utf-8')
 except Exception as ex:
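Review bot: The `on_get` handlers in the second and fourth hunks gain `access_control(req)` but no docstring, while `on_delete` in the fifth hunk receives `"""Handles DELETE requests"""` in the same commit; adding `"""Handles GET requests"""` to both keeps the handlers of these two classes documented alike. The calls sit before the database connection is opened and before the request body is read, which is the right order, but the protection depends on `access_control` raising on a missing or invalid header rather than returning a value — its implementation lives in core.useractivity and is not visible here, so that is worth confirming. If either class also defines an `on_options` handler for CORS preflight, it has to stay outside `access_control`, because preflight requests cannot carry the `User-UUID`/`Token` headers the admin UI now sends. Each handler's body continues past the end of its hunk.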