diff --git a/backend/controllers/caas_next_refid.rb b/backend/controllers/caas_next_refid.rb
index 8c31365..252d0a6 100644
--- a/backend/controllers/caas_next_refid.rb
+++ b/backend/controllers/caas_next_refid.rb
@@ -3,7 +3,7 @@ class ArchivesSpaceService < Sinatra::Base
 Endpoint.post('/plugins/caas_next_refid')
 .description("Get next ref_id for provided resource")
 .params(["resource_id", Integer, "The resource id", :required => "true"])
- .permissions([])
+ .permissions([:administer_system])
 .returns([200, "{'resource_id', 'ID', 'next_refid', N}"]) \
 do
 existing_refid_record = CaasAspaceRefid.find(resource_id: params[:resource_id])
diff --git a/backend/spec/controller_caas_next_refid_spec.rb b/backend/spec/controller_caas_next_refid_spec.rb
index f23fa43..336ed36 100644
--- a/backend/spec/controller_caas_next_refid_spec.rb
+++ b/backend/spec/controller_caas_next_refid_spec.rb
@@ -43,6 +43,22 @@
 expect(JSON(last_response.body)['next_refid']).to eq(41)
 end
 end
+
+ context 'when a user without administer system permissions' do
+ before do
+ make_test_user('archivist')
+ end
+
+ it 'denies access' do
+ as_test_user('archivist') do
+ post '/plugins/caas_next_refid', params = { resource_id: 1 }
+
+ expect(last_response).not_to be_ok
+ expect(last_response.status).to eq(403)
+ expect(last_response.body).to match(/Access denied/)
+ end
+ end
+ end
 end
 end
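Review bot: `:administer_system` on the `.permissions` line is a global system-admin check, which is far coarser than the per-resource operation this route performs: an archivist who may edit the resource but is not a system administrator is now locked out entirely, and because the route is `/plugins/caas_next_refid` with no `:repo_id` segment, no repository-scoped permission can be evaluated here at all. If the intent is that resource editors allocate ref_ids, a repository-scoped route (`/repositories/:repo_id/plugins/caas_next_refid`) with a repository permission such as `:update_resource_record` would match the operation; if the intent really is admin-only, please say so on the line, e.g. `.permissions([:administer_system]) # ref_id counters are global, so only system admins may advance them`. The `resource_id` parameter is declared `Integer` but the hunk shows only the `CaasAspaceRefid.find` lookup; whether a non-existent resource id is rejected before a counter record is created is not visible, as the endpoint body continues past the hunk.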
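Review bot: `post '/plugins/caas_next_refid', params = { resource_id: 1 }` in the new `it 'denies access'` example assigns a local variable `params` inside the argument list and only works because the assignment expression evaluates to the hash; it reads as if `params` were a keyword argument and leaves a stray local behind. Pass the hash directly, `post '/plugins/caas_next_refid', resource_id: 1`, as the Rack::Test helpers expect. The example pins both `403` and `/Access denied/`, which is the right shape for a permission failure; the positive case for a user who does hold `:administer_system` appears to live in the examples above the hunk (the `eq(41)` context line), but which user those run as is outside the hunk, so it is worth confirming that they exercise the permitted path rather than a superuser bypass.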