diff --git a/users/service.go b/users/service.go
index 8e9145bc17..16d7775c46 100644
--- a/users/service.go
+++ b/users/service.go
@@ -386,9 +386,14 @@ func (svc service) UpdateClientRole(ctx context.Context, token string, cli mgcli
 UpdatedBy: tokenUserID,
 }
 
+ if _, err := svc.authorize(ctx, auth.UserType, auth.UsersKind, client.ID, auth.MembershipPermission, auth.PlatformType, auth.MagistralaObject); err != nil {
+ return mgclients.Client{}, err
+ }
+
 if err := svc.updateClientPolicy(ctx, cli.ID, cli.Role); err != nil {
 return mgclients.Client{}, err
 }
+
 client, err = svc.clients.UpdateRole(ctx, client)
 if err != nil {
 // If failed to update role in DB, then revert back to platform admin policy in spicedb
@@ -694,19 +699,6 @@ func (svc service) addClientPolicyRollback(ctx context.Context, userID string, r
 }
 
 func (svc service) updateClientPolicy(ctx context.Context, userID string, role mgclients.Role) error {
- res, err := svc.auth.Authorize(ctx, &magistrala.AuthorizeReq{
- SubjectType: auth.UserType,
- Subject: userID,
- Permission: auth.MembershipPermission,
- ObjectType: auth.PlatformType,
- Object: auth.MagistralaObject,
- })
- if err != nil {
- return err
- }
- if !res.Authorized {
- return svcerr.ErrAuthorization
- }
 switch role {
 case mgclients.AdminRole:
 resp, err := svc.auth.AddPolicy(ctx, &magistrala.AddPolicyReq{
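Review bot: The authorize call added before updateClientPolicy passes `client.ID` as the subject, so it checks the target user's platform membership rather than the caller's (`tokenUserID`) privilege; that mirrors the `Subject: userID` check removed from updateClientPolicy in the second hunk, but read in isolation it looks like a caller check. If the caller's admin authorization happens earlier in UpdateClientRole (the function starts outside the hunk), a comment such as `// the target user must already be a platform member before its role can be changed` would make the intent explicit; if not, the subject should be `tokenUserID`. Removing the Authorize call from updateClientPolicy also means any other caller of that helper no longer performs the membership check, so it is worth confirming each remaining caller authorizes on its own path. The first return value of svc.authorize is discarded with `_`; that is fine if it only carries the resolved subject id, but that is inferred from the call shape rather than visible here.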