diff --git a/package.json b/package.json
index 17d8ae414..271bc3f2d 100644
--- a/package.json
+++ b/package.json
@@ -99,6 +99,7 @@
     "lodash.pick": "^4.1.0",
     "lodash.pickby": "^4.2.0",
     "lodash.remove": "^4.0.1",
+    "lodash.some": "^4.2.0",
     "lodash.sortby": "^4.2.0",
     "lodash.startswith": "^4.0.0",
     "lodash.trim": "^4.2.0",
diff --git a/src/api/resource-set.js b/src/api/resource-set.js
index 434917f3c..e3f988785 100644
--- a/src/api/resource-set.js
+++ b/src/api/resource-set.js
@@ -1,3 +1,15 @@
+import filter from 'lodash.filter'
+import some from 'lodash.some'
+
+import {
+  Unauthorized
+} from '../api-errors'
+import {
+  forEach
+} from '../utils'
+
+// ===================================================================
+
 export function create ({ name, subjects, objects }) {
   return this.createResourceSet(name, subjects, objects)
 }
@@ -87,11 +99,28 @@ get.params = {
 
 // -------------------------------------------------------------------
 
-export function getAll () {
-  return this.getAllResourceSets()
-}
+export async function getAll () {
+  const { user } = this
+  if (!user) {
+    throw new Unauthorized()
+  }
 
-getAll.permission = 'admin'
+  const sets = await this.getAllResourceSets()
+
+  if (user.permission === 'admin') {
+    return sets
+  }
+
+  const subjects = {
+    [user.id]: true
+  }
+  forEach(user.groups, groupId => {
+    subjects[groupId] = true
+  })
+  const predicate = id => subjects[id]
+
+  return filter(sets, set => some(set.subjects, predicate))
+}
 
 // -------------------------------------------------------------------