diff --git a/devops-service/db/mongo/models/user.rb b/devops-service/db/mongo/models/user.rb
index 9a35f98..7b3e835 100644
--- a/devops-service/db/mongo/models/user.rb
+++ b/devops-service/db/mongo/models/user.rb
@@ -9,7 +9,8 @@ class User < MongoModel
   ROOT_USER_NAME = 'root'
   ROOT_PASSWORD = ''
 
-  PRIVILEGES = ["r", "w", "rw", ""]
+  PRIVILEGES = ["r", "w", "x"]
+  PRIVILEGES_REGEX = /x?y?z?/
 
   attr_accessor :id, :password, :privileges, :email
   types :id => {:type => String, :empty => false},
@@ -24,7 +25,7 @@ class User < MongoModel
   end
 
   def all_privileges
-    privileges_with_value("rw")
+    privileges_with_value("rwx")
   end
 
   def default_privileges
@@ -32,7 +33,9 @@ class User < MongoModel
   end
 
   def grant cmd, priv=''
-    raise InvalidCommand.new "Invalid privileges '#{priv}'. Available values are '#{PRIVILEGES.join("', '")}'" unless PRIVILEGES.include?(priv)
+    if !priv.empty? and PRIVILEGES_REGEX.match(priv).empty?
+      raise InvalidCommand.new "Invalid privileges '#{priv}'. Available values are '#{PRIVILEGES.join("', '")}'"
+    end
     raise InvalidCommand.new "Can't grant privileges to root" if self.id == ROOT_USER_NAME
 
     case cmd
diff --git a/devops-service/routes/v2.0/deploy.rb b/devops-service/routes/v2.0/deploy.rb
index 30dd8b4..22cfd6b 100644
--- a/devops-service/routes/v2.0/deploy.rb
+++ b/devops-service/routes/v2.0/deploy.rb
@@ -34,7 +34,7 @@ module Version2_0
     # * *Returns* : text stream
     post "/deploy" do
       check_headers :content_type
-      check_privileges("server", "w")
+      check_privileges("server", "x")
       r = create_object_from_json_body
       names = check_array(r["names"], "Parameter 'names' should be a not empty array of strings")
       tags = check_array(r["tags"], "Parameter 'tags' should be an array of strings", String, true) || []
diff --git a/devops-service/routes/v2.0/project.rb b/devops-service/routes/v2.0/project.rb
index 6c4f1f9..170acd4 100644
--- a/devops-service/routes/v2.0/project.rb
+++ b/devops-service/routes/v2.0/project.rb
@@ -366,7 +366,7 @@ module Version2_0
     # * *Returns* : text stream
     post "/project/:id/deploy" do
       check_headers :content_type
-      check_privileges("project", "w")
+      check_privileges("project", "x")
       obj = create_object_from_json_body
       check_string(obj["deploy_env"], "Parameter 'deploy_env' should be a not empty string", true)
       check_array(obj["servers"], "Parameter 'servers' should be a not empty array of strings", String, true)
diff --git a/devops-service/routes/v2.0/script.rb b/devops-service/routes/v2.0/script.rb
index ec8d9b0..abe3183 100644
--- a/devops-service/routes/v2.0/script.rb
+++ b/devops-service/routes/v2.0/script.rb
@@ -57,7 +57,7 @@ module Version2_0
     #
     # * *Returns* : text stream
     post "/script/command/:node_name" do
-      check_privileges("script", "w")
+      check_privileges("script", "x")
       user = request.env['REMOTE_USER']
       s = BaseRoutes.mongo.server_by_chef_node_name params[:node_name]
       BaseRoutes.mongo.check_project_auth s.project, s.deploy_env, user
@@ -96,7 +96,7 @@ module Version2_0
     # * *Returns* : text stream
     post "/script/run/:script_name" do
       check_headers :content_type
-      check_privileges("script", "w")
+      check_privileges("script", "x")
       file_name = params[:script_name]
       @file = File.join(DevopsService.config[:scripts_dir], check_filename(file_name, "Parameter 'script_name' must be a not empty string", false))
       halt(404, "File '#{file_name}' does not exist") unless File.exists?(@file)