diff --git a/api/src/policies/users-policy.ts b/api/src/policies/users-policy.ts
index edca2d3..e0344a3 100644
--- a/api/src/policies/users-policy.ts
+++ b/api/src/policies/users-policy.ts
@@ -50,13 +50,12 @@ export class UsersPolicy extends PolicyFactory(User) {
   }
 
   permittedAttributes(): Path[] {
-    const attributes: (keyof Attributes<User>)[] = [
-      "email",
-      "auth0Subject",
-      "firstName",
-      "lastName",
-      "displayName",
-    ]
+    const attributes: (keyof Attributes<User>)[] = ["email", "firstName", "lastName", "displayName"]
+
+    if (this.user.isSystemAdmin) {
+      attributes.push("roles")
+      attributes.push("auth0Subject")
+    }
 
     return attributes
   }