diff --git a/flaschengeist/plugins/balance/__init__.py b/flaschengeist/plugins/balance/__init__.py index 5a24c8a..144e799 100644 --- a/flaschengeist/plugins/balance/__init__.py +++ b/flaschengeist/plugins/balance/__init__.py @@ -84,7 +84,7 @@ def set_limit(userid, current_session: Session): @balance_bp.route("/users//balance", methods=["GET"]) -@login_required() +@login_required(permission=permissions.SHOW) def get_balance(userid, current_session: Session): """Get balance of user, optionally filtered @@ -99,9 +99,7 @@ def get_balance(userid, current_session: Session): Returns: JSON object containing credit, debit and balance or HTTP error """ - if (userid == current_session._user.userid and not current_session._user.has_permission(permissions.SHOW)) or ( - userid != current_session._user.userid and not current_session._user.has_permission(permissions.SHOW_OTHER) - ): + if userid != current_session._user.userid and not current_session._user.has_permission(permissions.SHOW_OTHER): raise Forbidden # Might raise NotFound diff --git a/flaschengeist/plugins/roles/__init__.py b/flaschengeist/plugins/roles/__init__.py index b3710f6..be7ab4f 100644 --- a/flaschengeist/plugins/roles/__init__.py +++ b/flaschengeist/plugins/roles/__init__.py @@ -13,12 +13,11 @@ from flaschengeist.controller import roleController roles_bp = Blueprint("roles", __name__) _permission_edit = "roles_edit" -_permission_delete = "roles_delete" class RolesPlugin(Plugin): def __init__(self, config): - super().__init__(config, roles_bp, permissions=[_permission_edit, _permission_delete]) + super().__init__(config, roles_bp, permissions=[_permission_edit]) @roles_bp.route("/roles", methods=["GET"]) @@ -125,7 +124,7 @@ def edit_role(role_name, current_session): @roles_bp.route("/roles/", methods=["DELETE"]) -@login_required(permission=_permission_delete) +@login_required(permission=_permission_edit) def delete_role(role_name, current_session): """Delete role 
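Review bot: With `@login_required(permission=permissions.SHOW)` on `get_balance`, a caller holding only `SHOW_OTHER` is presumably now rejected before the body runs, whereas the removed condition let such a caller read another user's balance. If that tightening is intended, the docstring should state it, for example `Requires the SHOW permission; reading another user's balance additionally requires SHOW_OTHER.` The authorization rule is now split between the decorator and the `if` in the second balance hunk (`@@ -99,9 +99,7 @@`), so it should be written down in one place. The check also reads the private attribute `current_session._user`; that predates this change, but a public accessor on the session, if one exists, would be less brittle. The function body continues outside both hunks.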
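Review bot: Guarding `delete_role` with `_permission_edit` means every principal that can edit roles can now also delete them, which removes the separation between a modifying and a destructive operation. If the merge is deliberate, a comment at the constant such as `# also authorizes role deletion` would keep that visible to whoever assigns the permission. Dropping `_permission_delete` from the `permissions=[...]` list in `RolesPlugin.__init__` (the `@@ -13,12 +13,11 @@` hunk) may also leave roles that were already granted `roles_delete` holding a name nothing checks any more. Whether stored permissions are migrated or cleaned up is not visible in this diff, so that is worth confirming. `delete_role`'s body continues outside the hunk.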
@@ -136,7 +135,7 @@ def delete_role(role_name, current_session): current_session: Session sent with Authorization Header Returns: - HTTP-200 or HTTP error + HTTP-204 or HTTP error """ role = roleController.get(role_name) roleController.delete(role)
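Review bot: The docstring now promises HTTP-204, but the `return` of `delete_role` lies outside this hunk, so it is worth confirming the response code was changed along with it. The docstring could also name the error a caller gets for an unknown role, for instance a comment `# Might raise NotFound` above `roleController.get(role_name)`, matching the comment the balance plugin uses. That `get` raises NotFound is inferred from that pattern and not shown here.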