diff --git a/Controller.php b/Controller.php
index b7b4e9f..0557d91 100644
--- a/Controller.php
+++ b/Controller.php
@@ -15,6 +15,8 @@ declare(strict_types = 1);
 namespace Modules\Profile;
 
 use Modules\Profile\Models\ProfileMapper;
+use Modules\Profile\Models\PermissionState;
+use phpOMS\Account\PermissionType;
 use phpOMS\Contract\RenderableInterface;
 use phpOMS\Message\RequestAbstract;
 use phpOMS\Message\ResponseAbstract;
@@ -114,6 +116,15 @@ class Controller extends ModuleAbstract implements WebInterface
     public function viewProfileList(RequestAbstract $request, ResponseAbstract $response, $data = null) : \Serializable
     {
         $view = new View($this->app, $request, $response);
+
+        if (!$this->app->accountManager->get($request->getHeader()->getAccount())->hasPermission(
+            PermissionType::READ, $this->app->orgId, $this->app->appName, self::MODULE_ID, PermissionState::PROFILE)
+        ) {
+            $view->setTemplate('/Web/Backend/Error/403_inline');
+            $response->getHeader()->setStatusCode(RequestStatusCode::R_403);
+            return $view;
+        }
+
         $view->setTemplate('/Modules/Profile/Theme/Backend/profile-list');
 
         $view->setData('accounts', ProfileMapper::getNewest(25));
@@ -133,11 +144,20 @@ class Controller extends ModuleAbstract implements WebInterface
      */
     public function viewProfileSingle(RequestAbstract $request, ResponseAbstract $response, $data = null) : \Serializable
     {
+        $view = new View($this->app, $request, $response);
+
+        if (!$this->app->accountManager->get($request->getHeader()->getAccount())->hasPermission(
+            PermissionType::READ, $this->app->orgId, $this->app->appName, self::MODULE_ID, PermissionState::PROFILE)
+        ) {
+            $view->setTemplate('/Web/Backend/Error/403_inline');
+            $response->getHeader()->setStatusCode(RequestStatusCode::R_403);
+            return $view;
+        }
+
         /** @var Head $head */
         $head = $response->get('Content')->getData('head');
         $head->addAsset(AssetType::CSS, '/Modules/Calendar/Theme/Backend/css/styles.css');
         
-        $view = new View($this->app, $request, $response);
         $view->setTemplate('/Modules/Profile/Theme/Backend/profile-single');
         $view->addData('nav', $this->app->moduleManager->get('Navigation')->createNavigationMid(1000301001, $request, $response));
 
diff --git a/Models/PermissionState.php b/Models/PermissionState.php
new file mode 100644
index 0000000..5267dd9
--- /dev/null
+++ b/Models/PermissionState.php
@@ -0,0 +1,32 @@
+<?php
+/**
+ * Orange Management
+ *
+ * PHP Version 7.1
+ *
+ * @category   TBD
+ * @package    TBD
+ * @copyright  Dennis Eichhorn
+ * @license    OMS License 1.0
+ * @version    1.0.0
+ * @link       http://website.orange-management.de
+ */
+declare(strict_types = 1);
+
+namespace Modules\Profile\Models;
+
+use phpOMS\Stdlib\Base\Enum;
+
+/**
+ * Permision state enum.
+ *
+ * @category   Tasks
+ * @package    Modules
+ * @license    OMS License 1.0
+ * @link       http://website.orange-management.de
+ * @since      1.0.0
+ */
+abstract class PermissionState extends Enum
+{
+    /* public */ const PROFILE = 1;
+}
diff --git a/Theme/Backend/Components/AccountGroupSelector/popup.tpl.php b/Theme/Backend/Components/AccountGroupSelector/popup.tpl.php
index 243ed26..5cdfa80 100644
--- a/Theme/Backend/Components/AccountGroupSelector/popup.tpl.php
+++ b/Theme/Backend/Components/AccountGroupSelector/popup.tpl.php
@@ -13,84 +13,76 @@
             <div class="tab-content">
                 <input type="radio" id="c-tab-1" name="tabular-2" checked>
                 <div class="tab">
-                    <table class="layout wf-100">
-                    <tbody>
-                        <tr><td colspan="2"><label for="iSearchAcc">Search</label>
-                        <tr><td colspan="2"><input type="text" id="iSearchAcc" name="receiver-search" data-action='[
+                    <label for="iSearchAcc">Search</label>
+                    <input type="text" id="iSearchAcc" name="receiver-search" data-action='[
+                        {
+                            "listener": "keyup", "action": [
+                                {"key": 1, "type": "utils.timer", "id": "iSearchAcc", "delay": 500, "resets": true},
+                                {"key": 2, "type": "dom.table.clear", "id": "acc-table"},
+                                {"key": 3, "type": "message.request", "uri": "{/base}/{/lang}/api/admin/find/account?search={#iSearchAcc}", "method": "GET", "request_type": "json"},
+                                {"key": 4, "type": "dom.table.append", "id": "acc-table", "aniIn": "fadeIn", "data": [], "bindings": {"id": "id", "name": "name/0"}, "position": -1}
+                            ]
+                        }
+                    ]' autocomplete="off">
+                    <table id="acc-table" class="table">
+                        <thead>
+                            <tr>
+                                <th data-name="id">ID
+                                <th data-name="name">Name
+                                <th data-name="address">Address
+                                <th data-name="city">City
+                                <th data-name="zip">Zip
+                                <th data-name="country">Country
+                                <!-- todo: get data from tr in action and pass it to next actions, or make new request based on table cell? -->
+                        <tbody data-action='[
                             {
-                                "listener": "keyup", "action": [
-                                    {"key": 1, "type": "utils.timer", "id": "iSearchAcc", "delay": 500, "resets": true},
-                                    {"key": 2, "type": "dom.table.clear", "id": "acc-table"},
-                                    {"key": 3, "type": "message.request", "uri": "{/base}/{/lang}/api/admin/find/account?search={#iSearchAcc}", "method": "GET", "request_type": "json"},
-                                    {"key": 4, "type": "dom.table.append", "id": "acc-table", "aniIn": "fadeIn", "data": [], "bindings": {"id": "id", "name": "name/0"}, "position": -1}
+                                "key": 1, "listener": "click", "selector": "#acc-table tbody tr", "action": [
+                                {"key": 1, "type": "dom.getvalue", "base": "self", "selector": ""},
+                                {"key": 2, "type": "dom.setvalue", "overwrite": false, "selector": "#{$id}-idlist", "value": "{0/id}", "data": ""},
+                                {"key": 3, "type": "dom.setvalue", "overwrite": false, "selector": "#{$id}-taglist", "value": "<span id=\"{$id}-taglist-{0/id}\" class=\"tag red\" data-id=\"{0/id}\"><i class=\"fa fa-times\"></i> {0/name/0}, {0/name/1}<span>", "data": ""},
+                                {"key": 4, "type": "dom.setvalue", "overwrite": true, "selector": "#{$id}", "value": "", "data": ""}
                                 ]
                             }
-                        ]' autocomplete="off">
-                        <tr><td colspan="2">
-                            <table id="acc-table" class="table">
-                                <thead>
-                                    <tr>
-                                        <th data-name="id">ID
-                                        <th data-name="name">Name
-                                        <th data-name="address">Address
-                                        <th data-name="city">City
-                                        <th data-name="zip">Zip
-                                        <th data-name="country">Country
-                                        <!-- todo: get data from tr in action and pass it to next actions, or make new request based on table cell? -->
-                                <tbody data-action='[
-                                    {
-                                        "key": 1, "listener": "click", "selector": "#acc-table tbody tr", "action": [
-                                        {"key": 1, "type": "dom.getvalue", "base": "self", "selector": ""},
-                                        {"key": 2, "type": "dom.setvalue", "overwrite": false, "selector": "#{$id}-idlist", "value": "{0/id}", "data": ""},
-                                        {"key": 3, "type": "dom.setvalue", "overwrite": false, "selector": "#{$id}-taglist", "value": "<span id=\"{$id}-taglist-{0/id}\" class=\"tag red\" data-id=\"{0/id}\"><i class=\"fa fa-times\"></i> {0/name/0}, {0/name/1}<span>", "data": ""},
-                                        {"key": 4, "type": "dom.setvalue", "overwrite": true, "selector": "#{$id}", "value": "", "data": ""}
-                                        ]
-                                    }
-                                ]'>
-                                <tfoot>
-                            </table>
-                        <tr><td colspan="2"><button type="button" data-action='[
-                                {
-                                    "listener": "click", "action": [
-                                        {"key": 1, "type": "dom.remove", "selector": "#acc-grp", "aniOut": "fadeOut"}
-                                    ]
-                                }
-                            ]'><?= $this->getHtml('Close', 'Admin') ?></button>
+                        ]'>
+                        <tfoot>
                     </table>
+                    <button type="button" data-action='[
+                            {
+                                "listener": "click", "action": [
+                                    {"key": 1, "type": "dom.remove", "selector": "#acc-grp", "aniOut": "fadeOut"}
+                                ]
+                            }
+                        ]'><?= $this->getHtml('Close', 'Admin') ?></button>
                 </div>
                 <input type="radio" id="c-tab-2" name="tabular-2">
                 <div class="tab">
-                    <table class="layout wf-100">
+                    <label for="iSearchGrp">Search</label>
+                    <input type="text" id="iSearchGrp" name="receiver-search" data-action='[
+                        {
+                            "listener": "keyup", "action": [
+                                {"key": 1, "type": "utils.timer", "id": "iSearchGrp", "delay": 500, "resets": true},
+                                {"key": 2, "type": "dom.table.clear", "id": "grp-table"},
+                                {"key": 3, "type": "message.request", "uri": "{/base}/{/lang}/api/admin/find/account?search={#iSearchGrp}", "method": "GET", "request_type": "json"},
+                                {"key": 4, "type": "dom.table.append", "id": "grp-table", "aniIn": "fadeIn", "data": [], "bindings": {"id": "id", "name": "name/0"}, "position": -1}
+                            ]
+                        }
+                    ]' autocomplete="off">
+                    <table id="grp-table" class="table">
+                        <thead>
+                            <tr>
+                                <th data-name="id">ID
+                                <th data-name="name">Name
+                                <th data-name="parent">Parent
                         <tbody>
-                        <tr><td colspan="2"><label for="iSearchGrp">Search</label>
-                        <tr><td><input type="text" id="iSearchGrp" name="receiver-search" data-action='[
+                        <tfoot>
+                    </table>
+                    <button type="button" data-action='[
                             {
-                                "listener": "keyup", "action": [
-                                    {"key": 1, "type": "utils.timer", "id": "iSearchGrp", "delay": 500, "resets": true},
-                                    {"key": 2, "type": "dom.table.clear", "id": "grp-table"},
-                                    {"key": 3, "type": "message.request", "uri": "{/base}/{/lang}/api/admin/find/account?search={#iSearchGrp}", "method": "GET", "request_type": "json"},
-                                    {"key": 4, "type": "dom.table.append", "id": "grp-table", "aniIn": "fadeIn", "data": [], "bindings": {"id": "id", "name": "name/0"}, "position": -1}
+                                "listener": "click", "action": [
+                                    {"key": 1, "type": "dom.remove", "selector": "#acc-grp", "aniOut": "fadeOut"}
                                 ]
                             }
-                        ]' autocomplete="off"><td>
-                        <tr><td colspan="2">
-                            <table id="grp-table" class="table">
-                                <thead>
-                                    <tr>
-                                        <th data-name="id">ID
-                                        <th data-name="name">Name
-                                        <th data-name="parent">Parent
-                                <tbody>
-                                <tfoot>
-                            </table>
-                        <tr><td colspan="2"><button type="button" data-action='[
-                                {
-                                    "listener": "click", "action": [
-                                        {"key": 1, "type": "dom.remove", "selector": "#acc-grp", "aniOut": "fadeOut"}
-                                    ]
-                                }
-                            ]'><?= $this->getHtml('Close', 'Admin') ?></button>
-                    </table>
+                        ]'><?= $this->getHtml('Close', 'Admin') ?></button>
                 </div>
             </div>
         </div>