diff --git a/management/server/account.go b/management/server/account.go
index dbd29e7a6..3303e9dee 100644
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -513,11 +513,6 @@ func (am *DefaultAccountManager) DeleteAccount(ctx context.Context, accountID, u
 		return err
 	}
 
-	// @note not necessary, below it explicitly checks for Owner role
-	// if !user.HasAdminPower() {
-	// 	return status.Errorf(status.PermissionDenied, "user is not allowed to delete account")
-	// }
-
 	if user.Role != types.UserRoleOwner {
 		return status.Errorf(status.PermissionDenied, "user is not allowed to delete account. Only account owner can delete account")
 	}
@@ -1067,9 +1062,8 @@ func (am *DefaultAccountManager) GetAccountIDFromUserAuth(ctx context.Context, u
 		return accountID, user.Id, nil
 	}
 
-	// @note, this can remain cause above we explicitly early return if auth id for a child account
-	if user.AccountID != accountID {
-		return "", "", status.Errorf(status.PermissionDenied, "user %s is not part of the account %s", userAuth.UserId, accountID)
+	if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user); err != nil {
+		return "", "", err
 	}
 
 	if !user.IsServiceUser && userAuth.Invited {
diff --git a/management/server/user.go b/management/server/user.go
index 6213c4e21..03a11c7b0 100644
--- a/management/server/user.go
+++ b/management/server/user.go
@@ -347,7 +347,6 @@ func (am *DefaultAccountManager) CreatePAT(ctx context.Context, accountID string
 		return nil, err
 	}
 
-	// @todo how to handle this case, PAT can only be created own user?
 	if initiatorUserID != targetUserID && !(initiatorUser.HasAdminPower() && targetUser.IsServiceUser) {
 		return nil, status.NewAdminPermissionError()
 	}
@@ -381,7 +380,6 @@ func (am *DefaultAccountManager) DeletePAT(ctx context.Context, accountID string
 		return err
 	}
 
-	// @todo how to handle this case, PAT can only be deleted by own user?
 	if initiatorUserID != targetUserID && initiatorUser.IsRegularUser() {
 		return status.NewAdminPermissionError()
 	}
@@ -417,7 +415,6 @@ func (am *DefaultAccountManager) GetPAT(ctx context.Context, accountID string, i
 		return nil, err
 	}
 
-	// @todo how to handle this case, PAT can only be got by own user?
 	if initiatorUserID != targetUserID && initiatorUser.IsRegularUser() {
 		return nil, status.NewAdminPermissionError()
 	}
@@ -971,7 +968,9 @@ func (am *DefaultAccountManager) DeleteRegularUsers(ctx context.Context, account
 		return err
 	}
 
-	// @todo maybe add ValidateAccountPermission?
+	if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, initiatorUser); err != nil {
+		return err
+	}
 
 	if !initiatorUser.HasAdminPower() {
 		return status.NewAdminPermissionError()