diff --git a/SAS/TMSS/backend/test/CMakeLists.txt b/SAS/TMSS/backend/test/CMakeLists.txt
index 113f0d9774f469f25fac62fb4053c6560665ddfb..a90367a2eef58852a966b59ae3d5a9c2dbd5bb57 100644
--- a/SAS/TMSS/backend/test/CMakeLists.txt
+++ b/SAS/TMSS/backend/test/CMakeLists.txt
@@ -35,7 +35,7 @@ if(BUILD_TESTING)
     lofar_add_test(t_scheduling_units)
     lofar_add_test(t_scheduling)
     lofar_add_test(t_conversions)
-    lofar_add_test(t_permissions)
+    lofar_add_test(t_permissions_project_roles)
     lofar_add_test(t_permissions_system_roles)
     lofar_add_test(t_complex_serializers)
     lofar_add_test(t_observation_strategies_specification_and_scheduling_test)
diff --git a/SAS/TMSS/backend/test/t_permissions.run b/SAS/TMSS/backend/test/t_permissions.run
deleted file mode 100755
index 4adc6f4186ebd66e1d329c4a174dcbaf05a4754f..0000000000000000000000000000000000000000
--- a/SAS/TMSS/backend/test/t_permissions.run
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-
-# Run the unit test
-source python-coverage.sh
-python_coverage_test "*tmss*" t_permissions.py
-
diff --git a/SAS/TMSS/backend/test/t_permissions.sh b/SAS/TMSS/backend/test/t_permissions.sh
deleted file mode 100755
index c66d4e64d5c2a8d5494146563785bd567baf23c0..0000000000000000000000000000000000000000
--- a/SAS/TMSS/backend/test/t_permissions.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-./runctest.sh t_permissions
\ No newline at end of file
diff --git a/SAS/TMSS/backend/test/t_permissions.py b/SAS/TMSS/backend/test/t_permissions_project_roles.py
similarity index 80%
rename from SAS/TMSS/backend/test/t_permissions.py
rename to SAS/TMSS/backend/test/t_permissions_project_roles.py
index 3ae8aa2636bf6446ac58684256c64d7edcf7581b..40ec90a4850a149636986c3eccbedb49c606b6bb 100755
--- a/SAS/TMSS/backend/test/t_permissions.py
+++ b/SAS/TMSS/backend/test/t_permissions_project_roles.py
@@ -93,7 +93,7 @@ class ProjectPermissionTestCase(TestCase):
         # create the required permission entries to control what endpoint action requires which project role
         shared_support_role_url = BASE_URL + '/project_role/shared_support/'
         cls.test_data_creator.post_data_and_get_url(cls.test_data_creator.ProjectPermission(name='taskdraft', GET=[shared_support_role_url], POST=[shared_support_role_url]), '/project_permission/')
-        cls.test_data_creator.post_data_and_get_url(cls.test_data_creator.ProjectPermission(name='taskdraft-create_task_blueprint', GET=[shared_support_role_url]), '/project_permission/')
+        cls.test_data_creator.post_data_and_get_url(cls.test_data_creator.ProjectPermission(name='taskdraft-create_task_blueprint', POST=[shared_support_role_url]), '/project_permission/')
 
         cls.task_template_url = cls.test_data_creator.post_data_and_get_url(cls.test_data_creator.TaskTemplate(), '/task_template/')
 
@@ -166,7 +166,6 @@ class ProjectPermissionTestCase(TestCase):
         # make sure we cannot create a blueprint from it
         POST_and_assert_expected_response(self, taskdraft_url + '/create_task_blueprint/', {}, 403, {}, auth=self.auth)
 
-    @unittest.skip("TODO: fix test, there are issues with permissions since we changed the method from GET to POST")
     def test_task_draft_create_task_blueprint_GET_works_if_user_has_permission_for_related_project(self):
         # create task draft connected to project where we have 'shared_support' role
         taskdraft_test_data = self.test_data_creator.TaskDraft(scheduling_unit_draft_url=self.scheduling_unit_draft_shared_support_url, template_url=self.task_template_url)
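Review bot: The test re-enabled here is still named `test_task_draft_create_task_blueprint_GET_works_if_user_has_permission_for_related_project`, although the endpoint is now gated on POST and the call visible at the top of the next hunk is a POST expecting 201. The comment above that call, `# make sure we cannot create a blueprint from it`, also appears to contradict the expected 201. Renaming the test to `..._POST_works_...` and changing the comment to `# make sure we can create a blueprint from it` would make clear which method the permission entry actually covers. The test body continues outside this hunk, so the lines in between are not visible here.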
@@ -175,11 +174,65 @@ class ProjectPermissionTestCase(TestCase):
         # make sure we cannot create a blueprint from it
         POST_and_assert_expected_response(self, taskdraft_url + '/create_task_blueprint/', {}, 201, {}, auth=self.auth)
 
+    def test_access_control_allow_header_return_all_methods_for_superuser(self):
+        with requests.Session() as session:
+            session.verify = False
+            session.auth = (AUTH.username, AUTH.password)
+
+            r = session.get(BASE_URL + '/task_draft/')
+            self.assertEqual(r.status_code, 200)
+            allowed_methods = r.headers['Access-Control-Allow-Methods'].split(', ')
+            for method in ['GET', 'POST', 'PUT', 'PATCH', 'DELETE']:
+                self.assertIn(method, allowed_methods)
+
+    def test_access_control_allow_header_reflects_user_permissions_in_list_view(self):
+        with requests.Session() as session:
+            session.verify = False
+            session.auth = self.auth
+
+            r = session.get(BASE_URL + '/task_draft/')
+            self.assertEqual(r.status_code, 200)
+            allowed_methods = r.headers['Access-Control-Allow-Methods'].split(', ')
+            for method in ['GET']:  # user has no general POST permission on the model (via system role)
+                self.assertIn(method, allowed_methods)
+            for method in ['POST', 'PUT', 'PATCH', 'DELETE']:
+                self.assertNotIn(method, allowed_methods)
+
+    def test_access_control_allow_header_reflects_user_permissions_in_detail_view(self):
+        # create task draft connected to project where we have 'shared_support' role
+        taskdraft_test_data = self.test_data_creator.TaskDraft(scheduling_unit_draft_url=self.scheduling_unit_draft_shared_support_url, template_url=self.task_template_url)
+        taskdraft_url = POST_and_assert_expected_response(self, BASE_URL + '/task_draft/', taskdraft_test_data, 201, taskdraft_test_data)['url']
+
+        with requests.Session() as session:
+            session.verify = False
+            session.auth = self.auth
+
+            r = session.get(taskdraft_url)
+            self.assertEqual(r.status_code, 200)
+            allowed_methods = r.headers['Access-Control-Allow-Methods'].split(', ')
+            for method in ['GET', 'POST']:  # user has POST permission on this particular object (via project role, see setUpClass)
+                self.assertIn(method, allowed_methods)
+            for method in ['PUT', 'PATCH', 'DELETE']:
+                self.assertNotIn(method, allowed_methods)
+
+    def test_access_control_allow_header_not_in_response_when_no_permission(self):
+
+        # create task draft connected to project where we have no role
+        taskdraft_test_data = self.test_data_creator.TaskDraft(scheduling_unit_draft_url=self.scheduling_unit_draft_forbidden_url, template_url=self.task_template_url)
+        taskdraft_url = POST_and_assert_expected_response(self, BASE_URL + '/task_draft/', taskdraft_test_data, 201, taskdraft_test_data)['url']
+
+        with requests.Session() as session:
+            session.verify = False
+            session.auth = self.auth
+            r = session.get(taskdraft_url)
+            self.assertEqual(r.status_code, 403)
+            self.assertNotIn('Access-Control-Allow-Methods', r.headers)
+
     # todo: add tests for other models with project permissions
 
 
 if __name__ == "__main__":
     logging.basicConfig(format='%(asctime)s %(levelname)s %(message)s',
                         level=logging.INFO)
-    unittest.main(defaultTest='ProjectPermissionTestCase.test_task_draft_create_task_blueprint_GET_works_if_user_has_permission_for_related_project')
+    unittest.main()
 
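Review bot: Each of the four added tests sets `session.verify = False` on a session that carries basic-auth credentials, and nothing in the hunk says why certificate verification is turned off. If BASE_URL only ever points at the locally started test instance this is harmless, but a comment such as `# TLS verification off: BASE_URL is the local test server only` (or one shared helper that builds the session) would stop the pattern being copied into code that talks to a real deployment. Separately, `r.headers['Access-Control-Allow-Methods'].split(', ')` depends on the exact separator and letter case the server emits, so the `assertNotIn` checks could pass on a differently formatted header. Parsing with `allowed_methods = [m.strip().upper() for m in r.headers['Access-Control-Allow-Methods'].split(',')]` makes the negative assertions harder to satisfy by accident.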
diff --git a/SAS/TMSS/backend/test/t_permissions_project_roles.run b/SAS/TMSS/backend/test/t_permissions_project_roles.run
new file mode 100755
index 0000000000000000000000000000000000000000..4a8360141b05412f5b177e2960a9445bed47e85e
--- /dev/null
+++ b/SAS/TMSS/backend/test/t_permissions_project_roles.run
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# Run the unit test
+source python-coverage.sh
+python_coverage_test "*tmss*" t_permissions_project_roles.py
+
diff --git a/SAS/TMSS/backend/test/t_permissions_project_roles.sh b/SAS/TMSS/backend/test/t_permissions_project_roles.sh
new file mode 100755
index 0000000000000000000000000000000000000000..a81aa69b6a12a81c6edcb4d89edb711a41574d79
--- /dev/null
+++ b/SAS/TMSS/backend/test/t_permissions_project_roles.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./runctest.sh t_permissions_project_roles
\ No newline at end of file