diff --git a/src/c3nav/control/forms.py b/src/c3nav/control/forms.py
index 7e683583..87f86ea4 100644
--- a/src/c3nav/control/forms.py
+++ b/src/c3nav/control/forms.py
@@ -66,9 +66,9 @@ class AccessPermissionForm(Form):
 
         # get access permission groups
         if request:
-            groups = AccessRestrictionGroup.qs_for_request(request)
+            groups = AccessRestrictionGroup.qs_for_request(request, can_grant=True)
         else:
-            groups = AccessRestrictionGroup.qs_for_user(author)
+            groups = AccessRestrictionGroup.qs_for_user(author, can_grant=True)
         groups = groups.prefetch_related(
             Prefetch('members', AccessRestriction.objects.only('pk'))
         )
@@ -99,9 +99,6 @@ class AccessPermissionForm(Form):
             "all": tuple(('g%d' % pk) for pk in self.group_contents.keys()) + tuple(restrictions_not_in_group),
         })
 
-        from pprint import pprint
-        pprint(self.access_restriction_choices)
-
         # construct choice field for access permissions
         choices = [('', _('choose permissions…')),  # noqa
                    ('all', ngettext_lazy('everything possible (%d permission)',
diff --git a/src/c3nav/mapdata/models/access.py b/src/c3nav/mapdata/models/access.py
index c5203c28..d6c79698 100644
--- a/src/c3nav/mapdata/models/access.py
+++ b/src/c3nav/mapdata/models/access.py
@@ -68,29 +68,29 @@ class AccessRestrictionGroup(TitledMixin, models.Model):
         default_related_name = 'accessrestrictiongroups'
 
     @classmethod
-    def qs_for_request(cls, request):
-        return cls.objects.filter(cls.q_for_request(request))
+    def qs_for_request(cls, request, can_grant=None):
+        return cls.objects.filter(cls.q_for_request(request, can_grant=can_grant))
 
     @classmethod
-    def q_for_request(cls, request):
+    def q_for_request(cls, request, can_grant=None):
         if request.user.is_authenticated and request.user.is_superuser:
             return Q()
         all_permissions = AccessRestriction.get_all()
-        permissions = AccessPermission.get_for_request(request)
+        permissions = AccessPermission.get_for_request(request, can_grant=can_grant)
         # now we filter out groups where the user doesn't have a permission for all members
         filter_perms = all_permissions - permissions
         return ~Q(members__pk__in=filter_perms)
 
     @classmethod
-    def qs_for_user(cls, user):
-        return cls.objects.filter(cls.q_for_user(user))
+    def qs_for_user(cls, user, can_grant=None):
+        return cls.objects.filter(cls.q_for_user(user, can_grant=can_grant))
 
     @classmethod
-    def q_for_user(cls, user):
+    def q_for_user(cls, user, can_grant=None):
         if user.is_authenticated and user.is_superuser:
             return Q()
         all_permissions = AccessRestriction.get_all()
-        permissions = AccessPermission.get_for_user(user)
+        permissions = AccessPermission.get_for_user(user, can_grant=can_grant)
         # now we filter out groups where the user doesn't have a permission for all members
         filter_perms = all_permissions - permissions
         return ~Q(members__pk__in=filter_perms)