diff --git a/red/api/auth/index.js b/red/api/auth/index.js
index 1152ce76e..10ecac7ac 100644
--- a/red/api/auth/index.js
+++ b/red/api/auth/index.js
@@ -56,7 +56,7 @@ function needsPermission(permission) {
                 if (permissions.hasPermission(req.authInfo.scope,permission)) {
                     return next();
                 }
-                log.audit({event: "permission.fail"},req);
+                log.audit({event: "permission.fail", permissions: permission},req);
                 return res.status(401).end();
             });
         } else {
diff --git a/red/api/auth/permissions.js b/red/api/auth/permissions.js
index 4e1862cd9..362acb232 100644
--- a/red/api/auth/permissions.js
+++ b/red/api/auth/permissions.js
@@ -1,5 +1,5 @@
 /**
- * Copyright 2015 IBM Corp.
+ * Copyright 2015, 2016 IBM Corp.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,41 +20,44 @@ var readRE = /^((.+)\.)?read$/
 var writeRE = /^((.+)\.)?write$/
 
 function hasPermission(userScope,permission) {
-    var i;
-    if (util.isArray(userScope)) {
-        if (userScope.length === 0) {
-            return false;
-        }
-        for (i=0;i<userScope.length;i++) {
-            if (!hasPermission(userScope[i],permission)) {
-                return false;
-            }
-        }
-        return true;
-    }
-
     if (permission === "") {
         return true;
     }
-
-    if (userScope === "*") {
-        return true;
-    }
+    var i;
 
     if (util.isArray(permission)) {
+        // Multiple permissions requested - check each one
         for (i=0;i<permission.length;i++) {
             if (!hasPermission(userScope,permission[i])) {
                 return false;
             }
         }
+        // All permissions check out
         return true;
     }
 
-    if (userScope === "read") {
-        return readRE.test(permission);
-    } else {
-        return false; // anything not allowed is disallowed
+    if (util.isArray(userScope)) {
+        if (userScope.length === 0) {
+            return false;
+        }
+        for (i=0;i<userScope.length;i++) {
+            if (hasPermission(userScope[i],permission)) {
+                return true;
+            }
+        }
+        return false;
     }
+
+    if (userScope === "*" || userScope === permission) {
+        return true;
+    }
+
+    if (userScope === "read" || userScope === "*.read") {
+        return readRE.test(permission);
+    } else if (userScope === "write" || userScope === "*.write") {
+        return writeRE.test(permission);
+    }
+    return false;
 }
 
 module.exports = {
diff --git a/test/red/api/auth/permissions_spec.js b/test/red/api/auth/permissions_spec.js
index b44ba5601..60dde7226 100644
--- a/test/red/api/auth/permissions_spec.js
+++ b/test/red/api/auth/permissions_spec.js
@@ -1,5 +1,5 @@
 /**
- * Copyright 2015 IBM Corp.
+ * Copyright 2015, 2016 IBM Corp.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -31,14 +31,22 @@ describe("Auth permissions", function() {
             permissions.hasPermission(["read"],"node.read").should.be.true;
             permissions.hasPermission(["read"],"write").should.be.false;
             permissions.hasPermission(["read"],"node.write").should.be.false;
+            permissions.hasPermission(["*.read"],"read").should.be.true;
+            permissions.hasPermission(["*.read"],"node.read").should.be.true;
+            permissions.hasPermission(["*.read"],"write").should.be.false;
+            permissions.hasPermission(["*.read"],"node.write").should.be.false;
         });
         it('a user with foo permissions',function() {
-            permissions.hasPermission("foo","foo").should.be.false;
+            permissions.hasPermission("foo","foo").should.be.true;
         });
         it('an array of permissions', function() {
             permissions.hasPermission(["*"],["foo.read","foo.write"]).should.be.true;
             permissions.hasPermission("read",["foo.read","foo.write"]).should.be.false;
             permissions.hasPermission("read",["foo.read","bar.read"]).should.be.true;
+            permissions.hasPermission(["flows.read"],["flows.read"]).should.be.true;
+            permissions.hasPermission(["flows.read"],["flows.write"]).should.be.false;
+            permissions.hasPermission(["flows.read","nodes.write"],["flows.write"]).should.be.false;
+            permissions.hasPermission(["flows.read","nodes.write"],["nodes.write"]).should.be.true;
         });
         it('permits an empty permission', function() {
             permissions.hasPermission("*","").should.be.true;