diff --git a/src/xo-mixins/acls.js b/src/xo-mixins/acls.js
index 6436870e3..7cf1a8bc2 100644
--- a/src/xo-mixins/acls.js
+++ b/src/xo-mixins/acls.js
@@ -39,10 +39,9 @@ export default class {
       push.apply(acls, entries)
     })(acls.push)
 
-    const collection = this._acls
     await Promise.all(mapToArray(
       subjects,
-      subject => collection.get({subject}).then(pushAcls)
+      subject => this.getAclsForSubject(subject).then(pushAcls)
     ))
 
     return acls
@@ -67,6 +66,10 @@ export default class {
     return this._acls.get()
   }
 
+  async getAclsForSubject (subjectId) {
+    return this._acls.get({ subject: subjectId })
+  }
+
   async getPermissionsForUser (userId) {
     const [
       acls,
diff --git a/src/xo-mixins/subjects.js b/src/xo-mixins/subjects.js
index c3ed9b4cf..bdcdf59d0 100644
--- a/src/xo-mixins/subjects.js
+++ b/src/xo-mixins/subjects.js
@@ -100,6 +100,13 @@ export default class {
       })
       ::pCatch(noop) // Ignore any failures.
 
+    // Remove ACLs for this user.
+    this._xo.getAclsForSubject(id).then(acls => {
+      forEach(acls, acl => {
+        this._xo.removeAcl(id, acl.object, acl.action)::pCatch(noop)
+      })
+    })
+
     // Remove the user from all its groups.
     forEach(user.groups, groupId => {
       this.getGroup(groupId)