diff --git a/tests/api/test_user.py b/tests/api/test_user.py
index dd03335a4..2f02fdac2 100644
--- a/tests/api/test_user.py
+++ b/tests/api/test_user.py
@@ -368,6 +368,26 @@ def test_user_api_with_restricted_access(pub):
     assert resp.json['err_desc'] == 'restricted API access'
 
 
+def test_users_api_with_restricted_access(pub, local_user):
+    role = pub.role_class(name='test')
+    role.store()
+
+    access = ApiAccess()
+    access.name = 'test'
+    access.access_identifier = 'test'
+    access.access_key = '12345'
+    access.roles = [role]
+    access.store()
+
+    resp = get_app(pub).get(sign_uri('/api/users/', orig='test', key='12345'), status=403)
+    assert resp.json['err'] == 1
+    assert resp.json['err_desc'] == 'restricted API access'
+
+    resp = get_app(pub).get(sign_uri('/api/users/%s/' % local_user.id, orig='test', key='12345'), status=403)
+    assert resp.json['err'] == 1
+    assert resp.json['err_desc'] == 'restricted API access'
+
+
 def test_user_forms_limit_offset(pub, local_user):
     if not pub.is_using_postgresql():
         pytest.skip('this requires SQL')
diff --git a/wcs/api.py b/wcs/api.py
index b6e03d206..b63f41ff4 100644
--- a/wcs/api.py
+++ b/wcs/api.py
@@ -974,6 +974,10 @@ class ApiUsersDirectory(Directory):
             # allowed to submit forms (as they have a form to select an user).
             raise AccessForbiddenError('unsigned request or user has no access to backoffice')
 
+        api_user = get_user_from_api_query_string()
+        if api_user and api_user.is_api_user:
+            raise AccessForbiddenError('restricted API access')
+
         criterias = [st.Null('deleted_timestamp')]
         query = get_request().form.get('q')
         if query:
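Review bot: The new test pins only the deny path for an ApiAccess-signed request; nothing in it shows that a request signed the usual way (presumably the shared secret the neighbouring tests use) still reaches `/api/users/` after the guard, so an over-broad guard would pass this test unnoticed. Consider one positive `status=200` request alongside the two 403 cases, or a comment stating where the success case is covered. The name `test_users_api_with_restricted_access` differs from the preceding `test_user_api_with_restricted_access` by a single letter; a name such as `test_users_directory_api_with_restricted_access` would say which endpoint it exercises.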
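Review bot: The guard added to the first ApiUsersDirectory method (which starts outside the hunk) is duplicated verbatim in the `_q_lookup` hunk below; a small helper such as `_reject_api_users()` on ApiUsersDirectory would keep the two checks from drifting, and a comment such as `# ApiAccess credentials may submit forms but never browse the user directory` would record why restricted API users are refused after the signature check has already passed. The test `api_user.is_api_user` assumes every object returned by `get_user_from_api_query_string()` carries that attribute; if it can also return ordinary user objects, `getattr(api_user, 'is_api_user', False)` keeps an AttributeError from turning the intended 403 into a 500 — not visible from this hunk, so worth confirming.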
@@ -1020,6 +1024,11 @@ class ApiUsersDirectory(Directory):
     def _q_lookup(self, component):
         if not (is_url_signed() or (get_request().user and get_request().user.can_go_in_admin())):
             raise AccessForbiddenError('unsigned request or user has no access to backoffice')
+
+        api_user = get_user_from_api_query_string()
+        if api_user and api_user.is_api_user:
+            raise AccessForbiddenError('restricted API access')
+
         user_class = get_publisher().user_class
         try:
             int(component) # makes sure this is an id
diff --git a/wcs/api_access.py b/wcs/api_access.py
index d8748810c..c8b0c53d7 100644
--- a/wcs/api_access.py
+++ b/wcs/api_access.py
@@ -88,6 +88,9 @@ class ApiAccess(XmlStorableObject):
     is_admin = False
     is_api_user = True
 
+    def can_go_in_admin(self):
+        return False
+
     def can_go_in_backoffice(self):
         return False
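Review bot: The new `can_go_in_admin` carries no comment explaining that it deliberately returns False whatever roles are attached to the access object, mirroring `is_admin = False` and `can_go_in_backoffice` on the same class. A one-line docstring such as `"""API access credentials never grant admin access, regardless of attached roles."""` would stop a future maintainer from "fixing" it to consult `self.roles`. The class body continues past the hunk.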