diff --git a/mdm-security/grails-app/controllers/uk/ac/ox/softeng/maurodatamapper/security/CatalogueUserController.groovy b/mdm-security/grails-app/controllers/uk/ac/ox/softeng/maurodatamapper/security/CatalogueUserController.groovy
index e565b13a9..78b022f8c 100644
--- a/mdm-security/grails-app/controllers/uk/ac/ox/softeng/maurodatamapper/security/CatalogueUserController.groovy
+++ b/mdm-security/grails-app/controllers/uk/ac/ox/softeng/maurodatamapper/security/CatalogueUserController.groovy
@@ -90,6 +90,11 @@ class CatalogueUserController extends EditLoggingController /* im
 // This will then make sure the groups actually have a record of the user inside them
 // Which will allow the save to persist the membership
 if (instance.hasChanged('groups')) {
+ if (instance.groups.any {UserGroup group -> !group.hasMember(instance)}) {
+ if (!currentUserSecurityPolicyManager.isApplicationAdministrator()) {
+ return forbiddenDueToPermissions()
+ }
+ }
 instance.groups.each {group ->
 if (!group.hasMember(instance)) group.addToGroupMembers(instance)
 }
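Review bot: The new guard at `return forbiddenDueToPermissions()` runs after the request has already been bound onto `instance` (that is what `hasChanged('groups')` detects), so the rejected group list is still on a dirty domain object when the method returns. Whether that state can be flushed is not visible here, because the enclosing method starts and ends outside the hunk; if nothing upstream rolls back, discard the changes first, e.g. `instance.discard()` ahead of the return. The check also covers only groups the user is being added to: a non-administrator can still submit a list that drops a group, which passes `hasChanged('groups')` without reaching the administrator test, so it is worth confirming that is intended. A one-line comment such as `// Only application administrators may add a user to a group they are not already a member of` above the outer `if` would record the rule.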