diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationService.java b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationService.java
index 77e1350c..257b2744 100644
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationService.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationService.java
@@ -181,7 +181,7 @@ public interface AuthorizationService {
 throw new PermissionDeniedException(
 entityType,
 privilegeType,
- getUserService().getCurrentUser().getUserInfo().uuid);
+ getUserService().getCurrentUser().getUserInfo());
 }
 }
@@ -255,7 +255,7 @@ public interface AuthorizationService {
 throw new PermissionDeniedException(
 type,
 PrivilegeType.READ,
- currentUser.getUserInfo().uuid);
+ currentUser.getUserInfo());
 }
 }
diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/PermissionDeniedException.java b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/PermissionDeniedException.java
index 7b01bb2b..f5f6e116 100644
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/PermissionDeniedException.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/PermissionDeniedException.java
@@ -11,6 +11,7 @@ package ch.ethz.seb.sebserver.webservice.servicelayer.authorization;
 import ch.ethz.seb.sebserver.gbl.api.EntityType;
 import ch.ethz.seb.sebserver.gbl.api.authorization.PrivilegeType;
 import ch.ethz.seb.sebserver.gbl.model.GrantEntity;
+import ch.ethz.seb.sebserver.gbl.model.user.UserAccount;
 /** Permission denied exception that refers to the checked entity type, privilege and
 * the user identifier of the user that did request the permission */
@@ -28,12 +29,12 @@ public class PermissionDeniedException extends RuntimeException {
 public PermissionDeniedException(
 final EntityType entityType,
 final PrivilegeType grantType,
- final String userId) {
+ final UserAccount userAccount) {
- super("No grant: " + grantType + " on type: " + entityType + " for user: " + userId);
+ super("No grant: " + grantType + " on type: " + entityType + " for user: " + userAccount.getUsername());
 this.entityType = entityType;
 this.privilegeType = grantType;
- this.userId = userId;
+ this.userId = userAccount.getUsername();
 }
 public PermissionDeniedException(
diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/impl/AuthorizationServiceImpl.java b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/impl/AuthorizationServiceImpl.java
index 8ec7812e..d03d519d 100644
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/impl/AuthorizationServiceImpl.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/impl/AuthorizationServiceImpl.java
@@ -175,8 +175,8 @@ public class AuthorizationServiceImpl implements AuthorizationService {
 // grants for SEB client connections
 addPrivilege(EntityType.CLIENT_CONNECTION)
 .forRole(UserRole.SEB_SERVER_ADMIN)
- .withBasePrivilege(PrivilegeType.READ)
- .forRole(UserRole.INSTITUTIONAL_ADMIN)
+ .withInstitutionalPrivilege(PrivilegeType.READ)
+ .andForRole(UserRole.INSTITUTIONAL_ADMIN)
 .withInstitutionalPrivilege(PrivilegeType.READ)
 .andForRole(UserRole.EXAM_ADMIN)
 .withInstitutionalPrivilege(PrivilegeType.READ)
@@ -184,8 +184,6 @@ public class AuthorizationServiceImpl implements AuthorizationService {
 .withInstitutionalPrivilege(PrivilegeType.MODIFY)
 .create();
- // TODO other entities
-
 // grants for user activity logs
 addPrivilege(EntityType.USER_ACTIVITY_LOG)
 .forRole(UserRole.SEB_SERVER_ADMIN)
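Review bot: In the constructor, `this.userId = userAccount.getUsername();` changes what the field holds: the call sites in AuthorizationService.java used to pass `getUserInfo().uuid`, so any handler or audit code that reads `userId` as a UUID now gets a login name, and the class Javadoc still says "user identifier". If that is intended, say so on the field, e.g. `/** Username (not the UUID) of the user that was denied. */`; the field declaration and its accessor are outside this hunk. `userAccount` is also dereferenced inside the `super(...)` argument without a null check, so a missing account would surface as a NullPointerException instead of a permission denial. If this message reaches API clients or shared logs, confirm that exposing the username there is acceptable.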
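Review bot: The grant for `UserRole.SEB_SERVER_ADMIN` on `EntityType.CLIENT_CONNECTION` drops from `withBasePrivilege(PrivilegeType.READ)` to `withInstitutionalPrivilege(PrivilegeType.READ)`, and nothing in the hunk records why. Since this table is the authorization policy, a comment above the chain would help the next reader, e.g. `// SEB_SERVER_ADMIN gets institutional (not base) READ on client connections`. The switch from `.forRole(...)` to `.andForRole(...)` for INSTITUTIONAL_ADMIN looks like a repair of the builder chain; if the old call affected which grants were registered, a test asserting each role's effective privilege on CLIENT_CONNECTION would guard against a regression. The chain continues past the end of this hunk, so the role that receives `PrivilegeType.MODIFY` is not visible here.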
diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/ClientEventController.java b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/ClientEventController.java
index b5cc7a71..277e839d 100644
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/ClientEventController.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/ClientEventController.java
@@ -27,7 +27,6 @@ import ch.ethz.seb.sebserver.gbl.model.Page;
 import ch.ethz.seb.sebserver.gbl.model.session.ClientConnection;
 import ch.ethz.seb.sebserver.gbl.model.session.ClientEvent;
 import ch.ethz.seb.sebserver.gbl.model.session.ExtendedClientEvent;
-import ch.ethz.seb.sebserver.gbl.model.user.UserRole;
 import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
 import ch.ethz.seb.sebserver.gbl.util.Result;
 import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.ClientEventRecordDynamicSqlSupport;
@@ -127,7 +126,7 @@ public class ClientEventController extends ReadonlyEntityController