diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 41889d377..efc7e9a65 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -54,6 +54,7 @@ def list
   end
 
   def list_generic_users
+    authorize! :list_generic_user, @user
     result = User.where.not(id: @elevated_users.pluck(:id))
                  .values_for_select
     render json: result