diff --git a/src/api2/admin/datastore.rs b/src/api2/admin/datastore.rs
index 6900c631..d2341b4e 100644
--- a/src/api2/admin/datastore.rs
+++ b/src/api2/admin/datastore.rs
@@ -32,14 +32,14 @@ use pxar::accessor::aio::Accessor;
 use pxar::EntryKind;
 
 use pbs_api_types::{
-    print_ns_and_snapshot, Authid, BackupContent, BackupNamespace, BackupType, Counts, CryptMode,
-    DataStoreListItem, DataStoreStatus, DatastoreWithNamespace, GarbageCollectionStatus,
-    GroupListItem, Operation, PruneOptions, RRDMode, RRDTimeFrame, SnapshotListItem,
-    SnapshotVerifyState, BACKUP_ARCHIVE_NAME_SCHEMA, BACKUP_ID_SCHEMA, BACKUP_NAMESPACE_SCHEMA,
-    BACKUP_TIME_SCHEMA, BACKUP_TYPE_SCHEMA, DATASTORE_SCHEMA, IGNORE_VERIFIED_BACKUPS_SCHEMA,
-    MAX_NAMESPACE_DEPTH, NS_MAX_DEPTH_SCHEMA, PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_BACKUP,
-    PRIV_DATASTORE_MODIFY, PRIV_DATASTORE_PRUNE, PRIV_DATASTORE_READ, PRIV_DATASTORE_VERIFY,
-    UPID_SCHEMA, VERIFICATION_OUTDATED_AFTER_SCHEMA,
+    print_ns_and_snapshot, privs_to_priv_names, Authid, BackupContent, BackupNamespace, BackupType,
+    Counts, CryptMode, DataStoreListItem, DataStoreStatus, DatastoreWithNamespace,
+    GarbageCollectionStatus, GroupListItem, Operation, PruneOptions, RRDMode, RRDTimeFrame,
+    SnapshotListItem, SnapshotVerifyState, BACKUP_ARCHIVE_NAME_SCHEMA, BACKUP_ID_SCHEMA,
+    BACKUP_NAMESPACE_SCHEMA, BACKUP_TIME_SCHEMA, BACKUP_TYPE_SCHEMA, DATASTORE_SCHEMA,
+    IGNORE_VERIFIED_BACKUPS_SCHEMA, MAX_NAMESPACE_DEPTH, NS_MAX_DEPTH_SCHEMA, PRIV_DATASTORE_AUDIT,
+    PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_MODIFY, PRIV_DATASTORE_PRUNE, PRIV_DATASTORE_READ,
+    PRIV_DATASTORE_VERIFY, UPID_SCHEMA, VERIFICATION_OUTDATED_AFTER_SCHEMA,
 };
 use pbs_client::pxar::{create_tar, create_zip};
 use pbs_config::CachedUserInfo;
@@ -110,7 +110,13 @@ fn check_ns_privs(
         return Ok(true);
     }
 
-    proxmox_router::http_bail!(FORBIDDEN, "permission check failed");
+    let priv_names = privs_to_priv_names(full_access_privs | partial_access_privs).join("|");
+    let path = format!("/{}", store_with_ns.acl_path().join("/"));
+
+    proxmox_router::http_bail!(
+        FORBIDDEN,
+        "permission check failed - missing {priv_names} on {path}"
+    );
 }
 
 // helper to unify common sequence of checks:
diff --git a/src/server/pull.rs b/src/server/pull.rs
index 7781c6cc..948a75a1 100644
--- a/src/server/pull.rs
+++ b/src/server/pull.rs
@@ -16,9 +16,9 @@ use proxmox_router::HttpError;
 use proxmox_sys::task_log;
 
 use pbs_api_types::{
-    Authid, BackupNamespace, DatastoreWithNamespace, GroupFilter, GroupListItem, NamespaceListItem,
-    Operation, RateLimitConfig, Remote, SnapshotListItem, MAX_NAMESPACE_DEPTH,
-    PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_MODIFY,
+    privs_to_priv_names, Authid, BackupNamespace, DatastoreWithNamespace, GroupFilter,
+    GroupListItem, NamespaceListItem, Operation, RateLimitConfig, Remote, SnapshotListItem,
+    MAX_NAMESPACE_DEPTH, PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_MODIFY,
 };
 
 use pbs_client::{
@@ -800,10 +800,13 @@ fn check_ns_privs(
 
     // TODO re-sync with API, maybe find common place?
 
-    let user_privs = user_info.lookup_privs(owner, &store_with_ns.acl_path());
+    let path = &store_with_ns.acl_path();
+    let user_privs = user_info.lookup_privs(owner, path);
 
     if (user_privs & privs) == 0 {
-        bail!("no permission to modify parent/datastore.");
+        let priv_names = privs_to_priv_names(privs).join("|");
+        let path = path.join("/");
+        bail!("privilege(s) {priv_names} missing on /{path}");
     }
     Ok(())
 }