diff --git a/rhodecode/apps/admin/views/user_groups.py b/rhodecode/apps/admin/views/user_groups.py
--- a/rhodecode/apps/admin/views/user_groups.py
+++ b/rhodecode/apps/admin/views/user_groups.py
@@ -51,6 +51,7 @@ class AdminUserGroupsView(BaseAppView, D
 
     # permission check in data loading of
     # `user_groups_list_data` via UserGroupList
+    @LoginRequired()
     @NotAnonymous()
     @view_config(
         route_name='user_groups', request_method='GET',
@@ -60,6 +61,7 @@ class AdminUserGroupsView(BaseAppView, D
         return self._get_template_context(c)
 
     # permission check inside
+    @LoginRequired()
     @NotAnonymous()
     @view_config(
         route_name='user_groups_data', request_method='GET',
diff --git a/rhodecode/apps/admin/views/users.py b/rhodecode/apps/admin/views/users.py
--- a/rhodecode/apps/admin/views/users.py
+++ b/rhodecode/apps/admin/views/users.py
@@ -69,6 +69,7 @@ class AdminUsersView(BaseAppView, DataGr
             # is a pyramid view
             raise HTTPFound('/')
 
+    @LoginRequired()
     @HasPermissionAllDecorator('hg.admin')
     @view_config(
         route_name='users', request_method='GET',
@@ -77,6 +78,7 @@ class AdminUsersView(BaseAppView, DataGr
         c = self.load_default_context()
         return self._get_template_context(c)
 
+    @LoginRequired()
     @HasPermissionAllDecorator('hg.admin')
     @view_config(
         # renderer defined below