diff --git a/management/server/permissions/roles/network_admin.go b/management/server/permissions/roles/network_admin.go
index 761933386..e95d58381 100644
--- a/management/server/permissions/roles/network_admin.go
+++ b/management/server/permissions/roles/network_admin.go
@@ -23,9 +23,9 @@ var NetworkAdmin = RolePermissions{
 },
 modules.Groups: {
 operations.Read: true,
- operations.Create: false,
- operations.Update: false,
- operations.Delete: false,
+ operations.Create: true,
+ operations.Update: true,
+ operations.Delete: true,
 },
 modules.Settings: {
 operations.Read: true,
@@ -87,5 +87,11 @@ var NetworkAdmin = RolePermissions{
 operations.Update: true,
 operations.Delete: true,
 },
+ modules.Peers: {
+ operations.Read: true,
+ operations.Create: false,
+ operations.Update: false,
+ operations.Delete: false,
+ },
 },
 }
diff --git a/management/server/user.go b/management/server/user.go
index dea1f30db..44ad3b68f 100644
--- a/management/server/user.go
+++ b/management/server/user.go
@@ -357,6 +357,7 @@ func (am *DefaultAccountManager) CreatePAT(ctx context.Context, accountID string
 return nil, err
 }
 
+ // @note this is essential to prevent non admin users with Pats create permission frpm creating one for a service user
 if initiatorUserID != targetUserID && !(initiatorUser.HasAdminPower() && targetUser.IsServiceUser) {
 return nil, status.NewAdminPermissionError()
 }
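Review bot: Flipping Create, Update and Delete to `true` under `modules.Groups` (first hunk of network_admin.go) widens the NetworkAdmin role with no comment recording why the role needs group write. If group membership is what access policies or routes key on (not visible in this diff), group write lets this role change which peers a rule covers even though the second hunk keeps `modules.Peers` read-only, so the least-privilege reasoning should be written down. I would add a line above the entry such as `// Groups: full CRUD is intentional for this role; confirm it cannot be used to widen policy scope.` and pin the role matrix in a table-driven test so a later edit cannot silently flip a value. The `NetworkAdmin` literal starts above the hunk.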
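Review bot: The new `modules.Peers` entry (second hunk of network_admin.go) sets `operations.Read: true`, and whether that is a new grant depends on how a module missing from the map was evaluated before, which this diff does not show. If a missing module meant deny, this hunk gives NetworkAdmin read access to peers for the first time and the commit description should say so; if it fell through to some broader default, the three explicit `false` lines are the real change. Either way a one-line comment such as `// Peers: read-only by design for this role.` would record the intent next to the values.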
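Review bot: The comment added in the user.go hunk describes only half of the condition it sits on and contains a typo (`frpm`). The check below it also rejects an admin creating a PAT for another regular, non-service user, which the comment does not mention. Suggested wording: `// A user may create a PAT only for themselves; an admin may also create one for a service user. The Pats create permission alone must not bypass this.` Since the comment calls the check essential, a test in which a non-admin initiator holding PAT create permission targets a service user and receives `status.NewAdminPermissionError()` would keep it from regressing. CreatePAT begins and ends outside the hunk.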