diff --git a/app/controllers/api/v1/product_build_lists_controller.rb b/app/controllers/api/v1/product_build_lists_controller.rb index b05e06fe2..a6136d0e4 100644 --- a/app/controllers/api/v1/product_build_lists_controller.rb +++ b/app/controllers/api/v1/product_build_lists_controller.rb @@ -2,21 +2,23 @@ class Api::V1::ProductBuildListsController < Api::V1::BaseController before_action :authenticate_user! skip_before_action :authenticate_user!, only: [:index, :show] if APP_CONFIG['anonymous_access'] - load_and_authorize_resource :product, only: :index - load_and_authorize_resource + before_action :load_product, only: :index + before_action :load_product_build_list, except: [:index, :create] def index - @product_build_lists = if @product - @product.product_build_lists - else - ProductBuildList.accessible_by current_ability, :read - end + @product_build_lists = + if @product + @product.product_build_lists + else + PlatformPolicy::Scope.new(current_user, ProductBuildList.joins(product: :platform)).show + # ProductBuildList.accessible_by current_ability, :read + end @product_build_lists = @product_build_lists.joins(:product, :project, :arch) @product_build_lists = @product_build_lists.recent.paginate(paginate_params) - respond_to :json end def create + @product_build_list = ProductBuildList.new(params[:product_build_list]) @product_build_list.project ||= @product_build_list.try(:product).try(:project) @product_build_list.main_script ||= @product_build_list.try(:product).try(:main_script) @product_build_list.params ||= @product_build_list.try(:product).try(:params) @@ -25,7 +27,6 @@ class Api::V1::ProductBuildListsController < Api::V1::BaseController end def show - respond_to :json end def update 
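Review bot: `@product_build_list = ProductBuildList.new(params[:product_build_list])` in `create` builds the record from the raw request hash with no attribute whitelist, whereas the removed `load_and_authorize_resource` did that loading through CanCan; unless the model still relies on `attr_accessible`, this either raises `ActiveModel::ForbiddenAttributesError` under strong parameters or, without them, accepts whatever columns the client names. Add a private `product_build_list_params` that does `params.require(:product_build_list).permit(<PERMITTED_ATTRIBUTES placeholder>)` and pass that to `new`. The `load_product_build_list` hook is skipped for `create` and the body of `create` runs past the hunk, so unless an `authorize @product_build_list` sits on the lines between this hunk and the next, `ProductBuildListPolicy#create?` is never consulted. The commented-out `# ProductBuildList.accessible_by current_ability, :read` left in `index` is dead code and should be dropped.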
@@ -44,4 +45,15 @@ class Api::V1::ProductBuildListsController < Api::V1::BaseController render_validation_error @product_build_list, t("layout.product_build_lists.cancel_fail") end end + + private + + def load_product_build_list + authorize @product_build_list = ProductBuildList.find(params[:id]) + end + + # Private: before_action hook which loads Product. + def load_product + authorize @product = Product.find(params[:product_id]), :show? if params[:product_id] + end end diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index a236d4207..3cfd0a937 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -13,15 +13,15 @@ class GroupPolicy < ApplicationPolicy end def reader? - local_reader? + is_admin? || local_reader? end def write? - owner? || local_writer? + is_admin? || owner? || local_writer? end def update? - owner? || local_admin? + is_admin? || owner? || local_admin? end alias_method :add_member?, :update? alias_method :manage_members?, :update? @@ -32,7 +32,7 @@ class GroupPolicy < ApplicationPolicy alias_method :update_member?, :update? def destroy? - owner? + is_admin? || owner? end def remove_user? diff --git a/app/policies/product_build_list_policy.rb b/app/policies/product_build_list_policy.rb index 73d43c73a..24b35114c 100644 --- a/app/policies/product_build_list_policy.rb +++ b/app/policies/product_build_list_policy.rb 
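Review bot: `load_product_build_list` lacks the doc comment its sibling `load_product` carries, and both hooks bury an assignment inside the `authorize` call (`authorize @product_build_list = ProductBuildList.find(params[:id])`), which hides that the `find` raises `ActiveRecord::RecordNotFound` before any authorization happens. Split it into `@product_build_list = ProductBuildList.find(params[:id])` followed by `authorize @product_build_list`, preceded by `# Private: before_action hook which loads ProductBuildList and authorizes the current action.`. Since the hook is `except: [:index, :create]`, Pundit infers the policy query from the action name (`show?`, `update?`, `destroy?`, `cancel?`, `log?`), so every other routed action needs a matching predicate on `ProductBuildListPolicy`; the ones visible in this diff are covered, but the full action list is not in view.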
@@ -1,22 +1,27 @@ class ProductBuildListPolicy < ApplicationPolicy + def index? + true + end + def show? - PlatformPolicy.new(user, record.platform).show? + is_admin? || ProductPolicy.new(user, record.product).show? end alias_method :log?, :show? alias_method :read?, :show? def create? - ProjectPolicy.new(user, record.project).write? || ProductPolicy.new(user, record.product).update? + return false unless record.project && record.product + is_admin? || ProjectPolicy.new(user, record.project).write? || ProductPolicy.new(user, record.product).update? end alias_method :cancel?, :create? def update? - ProductPolicy.new(user, record.product).update? + is_admin? || ProductPolicy.new(user, record.product).update? end def destroy? - ProductPolicy.new(user, record.product).destroy? + is_admin? || ProductPolicy.new(user, record.product).destroy? end end diff --git a/app/policies/product_policy.rb b/app/policies/product_policy.rb index 2662961f6..067571744 100644 --- a/app/policies/product_policy.rb +++ b/app/policies/product_policy.rb @@ -5,12 +5,12 @@ class ProductPolicy < ApplicationPolicy end def show? - PlatformPolicy.new(user, record.platform).show? + is_admin? || PlatformPolicy.new(user, record.platform).show? end - alias_method :read?, :show? + alias_method :read?, :show? def create? - record.platform.main? && local_admin?(record.platform) + is_admin? || record.platform.main? && local_admin?(record.platform) end alias_method :clone?, :create? alias_method :destroy?, :create? diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index e2e087001..4582803a9 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -7,6 +7,7 @@ class ProjectPolicy < ApplicationPolicy alias_method :preview?, :index? def show? + return true if is_admin? return true if record.public? return true if record.owner == user return true if record.owner.is_a?(Group) && user_group_ids.inclide?(record.owner_id) 
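Review bot: `index?` returns `true` for every user, guests included, so it authorizes nothing on its own; the listing is only as safe as the `PlatformPolicy::Scope` filter the controller applies. Record that with `# Listing is open to everyone; record visibility is enforced by the scope in the controller, not here.` so nobody later treats this predicate as a check. In `create?`, the guard `return false unless record.project && record.product` runs before `is_admin?`, so an admin posting without a product is refused as well; if that is intended (the spec's `# Maybe 422?` remark is about exactly this case), a one-line comment saying a build list without product/project is unauthorized rather than invalid would settle it.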
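Review bot: `is_admin? || record.platform.main? && local_admin?(record.platform)` in `ProductPolicy#create?` depends on `&&` binding tighter than `||`; the result is the intended one, but the line reads ambiguously and this predicate also backs `clone?` and `destroy?` through the aliases. Write it as `is_admin? || (record.platform.main? && local_admin?(record.platform))`. `is_admin?` itself is not defined anywhere in this diff, presumably it lives in `ApplicationPolicy`.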
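Review bot: The context line `user_group_ids.inclide?(record.owner_id)` in `ProjectPolicy#show?` is a typo for `include?` and will raise `NoMethodError`, so a non-admin, non-owner viewer of a non-public, group-owned project gets an exception instead of an authorization decision; the new `return true if is_admin?` only spares admins from that path. Fix it in this change: `return true if record.owner.is_a?(Group) && user_group_ids.include?(record.owner_id)`. `show?` continues past the end of the hunk.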
@@ -19,12 +20,13 @@ class ProjectPolicy < ApplicationPolicy alias_method :refs_list?, :show? def create? + return true if is_admin? return false if user.guest? !record.try(:owner) || owner_policy.write? end def update? - owner? || local_admin? + is_admin? || owner? || local_admin? end alias_method :alias?, :update? alias_method :sections?, :update? @@ -38,14 +40,15 @@ class ProjectPolicy < ApplicationPolicy alias_method :schedule?, :update? def destroy? - owner? || record.owner.is_a?(Group) && record.owner.actors.exists?(actor_type: 'User', actor_id: user.id, role: 'admin') + is_admin? || owner? || record.owner.is_a?(Group) && record.owner.actors.exists?(actor_type: 'User', actor_id: user.id, role: 'admin') end def mass_import? - user.platforms.main.find{ |p| local_admin?(p) }.present? + is_admin? || user.platforms.main.find{ |p| local_admin?(p) }.present? end def run_mass_import? + return true if is_admin? return false unless owner_policy.write? repo = Repository.find(record.add_to_repository_id) repo.platform.main? && PlatformPolicy.new(user, repo.platform).add_project? @@ -53,7 +56,7 @@ class ProjectPolicy < ApplicationPolicy # for grack def write? - owner? || local_writer? + is_admin? || owner? || local_writer? end def possible_forks diff --git a/spec/controllers/api/v1/advisories_controller_spec.rb b/spec/controllers/api/v1/advisories_controller_spec.rb index 3565713e9..54dda6864 100644 --- a/spec/controllers/api/v1/advisories_controller_spec.rb +++ b/spec/controllers/api/v1/advisories_controller_spec.rb 
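Review bot: `return true if is_admin?` at the top of `run_mass_import?` now skips `Repository.find(record.add_to_repository_id)`, so for an admin this predicate no longer confirms that the repository id on the record exists or that its platform is main; whether a caller relies on that lookup is not visible here, but if it does, keep the `find` ahead of the early return or guard the admin branch with `Repository.exists?(record.add_to_repository_id)`. In `destroy?`, `is_admin? || owner? || record.owner.is_a?(Group) && record.owner.actors.exists?(...)` mixes `||` and `&&` on one long line without parentheses; wrap the group clause in parentheses so the precedence is explicit.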
@@ -114,6 +114,16 @@ describe Api::V1::AdvisoriesController, type: :controller do it_should_behave_like 'api advisories user without admin rights' end + context 'for admin' do + before do + @admin = FactoryGirl.create(:admin) + http_login(@admin) + end + + it_should_behave_like 'api advisories user with show rights' + it_should_behave_like 'api advisories user with admin rights' + end + context 'for user who has access to update build_list' do before do @user = FactoryGirl.create(:user) diff --git a/spec/controllers/api/v1/groups_controller_spec.rb b/spec/controllers/api/v1/groups_controller_spec.rb index ffe77dd2b..340041fb4 100644 --- a/spec/controllers/api/v1/groups_controller_spec.rb +++ b/spec/controllers/api/v1/groups_controller_spec.rb @@ -221,6 +221,17 @@ describe Api::V1::GroupsController, type: :controller do it_should_behave_like 'api group user without owner rights' end + context 'for global admin' do + before do + @admin = FactoryGirl.create(:admin) + http_login(@admin) + end + + it_should_behave_like 'api group user with reader rights' + it_should_behave_like 'api group user with admin rights' + it_should_behave_like 'api group user with owner rights' + end + context 'for owner user' do before do @group = FactoryGirl.create(:group, owner: @user) diff --git a/spec/controllers/api/v1/product_build_lists_controller.rb b/spec/controllers/api/v1/product_build_lists_controller.rb index 205af598b..61be62e69 100644 --- a/spec/controllers/api/v1/product_build_lists_controller.rb +++ b/spec/controllers/api/v1/product_build_lists_controller.rb 
@@ -3,29 +3,29 @@ require 'spec_helper' shared_examples_for 'api user without reader rights' do it 'should not be able to perform show action', :anonymous_access => false do get :show, id: @product_build_list.id, format: :json - response.status.should == 401 + expect(response.status).to eq 401 end it 'should be able to perform show action' do get :show, id: @product_build_list.id, format: :json - response.should be_success + expect(response).to be_success end - it 'should be able to perform show action for the personal platform' do + it 'should not be able to perform show action for the hidden platform' do @product_build_list.product.platform.update_column :visibility, 'hidden' get :show, id: @product_build_list.id, format: :json - response.should be_success + expect(response).to_not be_success end it 'should not be able to perform create action' do post :create, format: :json - response.status.should == 401 + expect(response.status).to eq 401 end [:update, :destroy].each do |action| it "should not be able to perform #{action} action" do put action, id: @product_build_list.id, format: :json - response.status.should == 401 + expect(response.status).to eq 401 end end end 
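Review bot: `expect(response).to_not be_success` in 'should not be able to perform show action for the hidden platform' accepts any non-2xx status, so an exception raised inside the policy (a 500) would pass this example exactly like the refusal it is meant to check, while every neighbouring example pins the status. Assert the specific status, `expect(response.status).to eq 403` (whichever code the base controller maps a Pundit refusal to; the reader-rights examples suggest 403), so a crash in the policy chain cannot masquerade as a denial.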
@@ -33,24 +33,26 @@ end shared_examples_for 'api user with reader rights' do it 'should be able to perform show action' do get :show, id: @product_build_list.id, format: :json - response.should be_success + expect(response).to be_success end it 'should be able to perform show action for the hidden main platform' do + allow_any_instance_of(PlatformPolicy).to receive(:show?).and_return(true + ) @product_build_list.product.platform.update_column :visibility, 'hidden' get :show, id: @product_build_list.id, format: :json - response.should be_success # because main platform + expect(response).to be_success end it 'should not be able to perform create action' do post :create, format: :json - response.status.should == 403 + expect(response.status).to eq 403 end [:update, :destroy].each do |action| it "should not be able to perform #{action} action" do put action, id: @product_build_list.id, format: :json - response.status.should == 403 + expect(response.status).to eq 403 end end end 
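Review bot: `allow_any_instance_of(PlatformPolicy).to receive(:show?).and_return(true)` stubs away the very decision 'should be able to perform show action for the hidden main platform' is supposed to exercise, so the example now only proves the controller delegates to `PlatformPolicy`, not that a reader can see a build list on a hidden main platform. Either set the fixture up so the platform really is a main platform and drop the stub, or rename the example to say it tests delegation. The `and_return(true` / `)` split across two lines also looks like a stray line break and should be joined.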
@@ -68,52 +70,56 @@ shared_examples_for 'api user with admin rights' do it 'should be able to perform show action' do get :show, id: @product_build_list.id, format: :json - response.should be_success + expect(response).to be_success end it 'should be able to perform show action for the hidden platform' do @product_build_list.product.platform.update_column :visibility, 'hidden' get :show, id: @product_build_list.id, format: :json - response.should be_success + expect(response).to be_success end it 'should be able to perform create action' do post :create, @create_params, format: :json - response.should be_success + expect(response).to be_success end it 'ensures that product has been created' do - lambda { post :create, @create_params, format: :json }.should change{ ProductBuildList.count }.by(1) + expect do + post :create, @create_params, format: :json + end.to change(ProductBuildList, :count).by(1) end it "should be able to perform destroy action" do put :destroy, id: @product_build_list.id, format: :json - response.should be_success + expect(response).to be_success end it "ensures that product has been destroyed" do - lambda { put :destroy, id: @product_build_list.id, format: :json }.should change{ ProductBuildList.count }.by(-1) + expect do + put :destroy, id: @product_build_list.id, format: :json + end.to change(ProductBuildList, :count).by(-1) end it "should be able to perform update action" do put :update, @update_params.merge(id: @product_build_list.id), format: :json - response.should be_success + expect(response).to be_success end it "ensures that only not_delete field of product build list has been updated" do put :update, @update_params.merge(id: @product_build_list.id), format: :json - @product_build_list.reload.time_living.should == 150*60 # in seconds - @product_build_list.not_delete.should be_truthy + expect(@product_build_list.reload.time_living).to eq 150*60 # in seconds + expect(@product_build_list.not_delete).to be_truthy end it 'ensures that 
return correct answer for wrong creating action' do post :create, format: :json - response.status.should == 403 # Maybe 422? + expect(response.status).to eq 403 # Maybe 422? end end describe Api::V1::ProductBuildListsController, type: :controller do - before(:each) do + before do stub_symlink_methods FactoryGirl.create(:arch, name: 'x86_64') @@ -126,7 +132,7 @@ describe Api::V1::ProductBuildListsController, type: :controller do end context 'for user' do - before(:each) do + before do http_login(@another_user) end @@ -136,4 +142,4 @@ describe Api::V1::ProductBuildListsController, type: :controller do context 'for platform admin' do it_should_behave_like 'api user with admin rights' end -end \ No newline at end of file +end
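Review bot: The `# Maybe 422?` remark kept on `expect(response.status).to eq 403` in 'ensures that return correct answer for wrong creating action' is now stale: with `ProductBuildListPolicy#create?` returning false whenever `record.project` or `record.product` is missing, a `create` without params is an authorization failure by design, not a validation error, assuming the controller's `create` authorizes through that policy. Replace it with `# 403, not 422: the policy refuses a build list without product/project` so the next reader does not reopen the question.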