diff --git a/packages/worker/src/api/routes/global/users.js b/packages/worker/src/api/routes/global/users.js
index 5d28d18eb7..d9791362f4 100644
--- a/packages/worker/src/api/routes/global/users.js
+++ b/packages/worker/src/api/routes/global/users.js
@@ -6,6 +6,7 @@ const Joi = require("joi")
 const cloudRestricted = require("../../../middleware/cloudRestricted")
 const { buildUserSaveValidation } = require("../../utilities/validation")
 const selfController = require("../../controllers/global/self")
+const builderOrAdmin = require("../../../middleware/builderOrAdmin")
 const router = Router()
@@ -44,7 +45,7 @@ router
 buildUserSaveValidation(),
 controller.save
 )
- .get("/api/global/users", adminOnly, controller.fetch)
+ .get("/api/global/users", builderOrAdmin, controller.fetch)
 .delete("/api/global/users/:id", adminOnly, controller.destroy)
 .get("/api/global/roles/:appId")
 .post(
diff --git a/packages/worker/src/middleware/builderOrAdmin.js b/packages/worker/src/middleware/builderOrAdmin.js
new file mode 100644
index 0000000000..6440766298
--- /dev/null
+++ b/packages/worker/src/middleware/builderOrAdmin.js
@@ -0,0 +1,10 @@
+module.exports = async (ctx, next) => {
+ if (
+ !ctx.internal &&
+ (!ctx.user || !ctx.user.builder || !ctx.user.builder.global) &&
+ (!ctx.user || !ctx.user.admin || !ctx.user.admin.global)
+ ) {
+ ctx.throw(403, "Builder user only endpoint.")
+ }
+ return next()
+}
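Review bot: Swapping `adminOnly` for `builderOrAdmin` on the changed `.get("/api/global/users", ...)` line widens who can enumerate every global user, while the sibling `.delete` on the following context line stays admin-only, and whether that widening is safe depends on what `controller.fetch` returns, which is outside this diff. If it returns the stored user documents unfiltered (password hashes, auth-provider fields, or similar), the builder audience should receive a reduced projection rather than the admin view, since a global builder is a weaker privilege than a global admin. The hunk gives no reason for the change; a one-line comment on the route, `// global builders need the user list (e.g. for role assignment); mutation stays admin-only`, adjusted to the actual motivation, would record why the two verbs now differ. The `router` chain continues outside the hunk.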
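Review bot: The 403 message on the `ctx.throw` line reads "Builder user only endpoint." although the guard also admits global admins and any request with `ctx.internal` set, so a rejected caller is told the wrong requirement; `ctx.throw(403, "Builder or admin user only endpoint.")`. The `!ctx.internal` short-circuit skips both role checks entirely, and nothing in this new file says which upstream middleware sets that flag or on what basis, so the file should carry a header comment such as `// ctx.internal: set upstream for trusted internal calls; those bypass the role check` once confirmed against the auth middleware, which is not in this diff. The two `!ctx.user ||` prefixes are repeated across both clauses, which makes the condition harder to read than it needs to be; naming the two role checks keeps the same semantics (the `.global` flag is still required on each role) and avoids optional chaining in case the target Node version predates it.
```javascript
module.exports = async (ctx, next) => {
  const user = ctx.user
  const isGlobalBuilder = Boolean(user && user.builder && user.builder.global)
  const isGlobalAdmin = Boolean(user && user.admin && user.admin.global)
  if (!ctx.internal && !isGlobalBuilder && !isGlobalAdmin) {
    ctx.throw(403, "Builder or admin user only endpoint.")
  }
  return next()
}
```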