diff --git a/src/api2/access.rs b/src/api2/access.rs
index 65becef5..c310870e 100644
--- a/src/api2/access.rs
+++ b/src/api2/access.rs
@@ -27,6 +27,7 @@ pub mod role;
 pub mod tfa;
 pub mod user;
 
+#[allow(clippy::large_enum_variant)]
 enum AuthResult {
     /// Successful authentication which does not require a new ticket.
     Success,
@@ -331,27 +332,20 @@ pub fn list_permissions(
     let user_info = CachedUserInfo::new()?;
     let user_privs = user_info.lookup_privs(&current_auth_id, &["access"]);
 
-    let auth_id = if user_privs & PRIV_SYS_AUDIT == 0 {
-        match auth_id {
-            Some(auth_id) => {
-                if auth_id == current_auth_id {
-                    auth_id
-                } else if auth_id.is_token()
+    let auth_id = match auth_id {
+        Some(auth_id) if auth_id == current_auth_id => current_auth_id,
+        Some(auth_id) => {
+            if user_privs & PRIV_SYS_AUDIT != 0 
+                || (auth_id.is_token()
                     && !current_auth_id.is_token()
-                    && auth_id.user() == current_auth_id.user()
-                {
-                    auth_id
-                } else {
-                    bail!("not allowed to list permissions of {}", auth_id);
-                }
+                    && auth_id.user() == current_auth_id.user())
+            {
+                auth_id
+            } else {
+                bail!("not allowed to list permissions of {}", auth_id);
             }
-            None => current_auth_id,
-        }
-    } else {
-        match auth_id {
-            Some(auth_id) => auth_id,
-            None => current_auth_id,
-        }
+        },
+        None => current_auth_id,
     };
 
     fn populate_acl_paths(
diff --git a/src/api2/node/tasks.rs b/src/api2/node/tasks.rs
index 8de35ca9..99470531 100644
--- a/src/api2/node/tasks.rs
+++ b/src/api2/node/tasks.rs
@@ -110,16 +110,12 @@ fn check_task_access(auth_id: &Authid, upid: &UPID) -> Result<(), Error> {
     } else {
         let user_info = CachedUserInfo::new()?;
 
-        let task_privs = user_info.lookup_privs(auth_id, &["system", "tasks"]);
-        if task_privs & PRIV_SYS_AUDIT != 0 {
-            // allowed to read all tasks in general
-            Ok(())
-        } else if check_job_privs(&auth_id, &user_info, upid).is_ok() {
-            // job which the user/token could have configured/manually executed
-            Ok(())
-        } else {
-            bail!("task access not allowed");
-        }
+        // access to all tasks
+        // or task == job which the user/token could have configured/manually executed
+
+        user_info.check_privs(auth_id, &["system", "tasks"], PRIV_SYS_AUDIT, false)
+            .or_else(|_| check_job_privs(&auth_id, &user_info, upid))
+            .or_else(|_| bail!("task access not allowed"))
     }
 }