diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/rest/GridRestProcessor.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/rest/GridRestProcessor.java
index 9a665f08da25b..d49eacd1e8040 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/rest/GridRestProcessor.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/rest/GridRestProcessor.java
@@ -904,7 +904,6 @@ private void authorize(GridRestRequest req) throws SecurityException {
 case CLUSTER_ACTIVE:
 case CLUSTER_INACTIVE:
- case CLUSTER_CURRENT_STATE:
 perm = SecurityPermission.ADMIN_OPS;
 break;
@@ -921,6 +920,7 @@ private void authorize(GridRestRequest req) throws SecurityException {
 case ATOMIC_DECREMENT:
 case NAME:
 case LOG:
+ case CLUSTER_CURRENT_STATE:
 case CLUSTER_NAME:
 case AUTHENTICATE:
 case ADD_USER:
diff --git a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/client/GridClientPermissionCheckTest.java b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/client/GridClientPermissionCheckTest.java
new file mode 100644
index 0000000000000..9c4aaa2dff49a
--- /dev/null
+++ b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/client/GridClientPermissionCheckTest.java
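Review bot: The new position of `case CLUSTER_CURRENT_STATE:` in the second hunk carries no comment saying why reading the cluster state is exempt from ADMIN_OPS while its former neighbours CLUSTER_ACTIVE and CLUSTER_INACTIVE in the first hunk still require it, and a later reader may well "fix" it back. I would put a one-line comment on the new case, `// Read-only: reporting the current cluster state needs no ADMIN_OPS; changing it (CLUSTER_ACTIVE/CLUSTER_INACTIVE) still does.`. What `perm` holds for the group this case now joins is decided outside the hunk, so I cannot confirm from here whether these commands are authorized against a weaker permission or not authorized at all; the enclosing authorize() starts and ends outside both hunks.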
@@ -0,0 +1,106 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.internal.processors.security.client;
+
+import java.util.Collections;
+import org.apache.ignite.IgniteException;
+import org.apache.ignite.configuration.ConnectorConfiguration;
+import org.apache.ignite.configuration.DataRegionConfiguration;
+import org.apache.ignite.configuration.DataStorageConfiguration;
+import org.apache.ignite.configuration.IgniteConfiguration;
+import org.apache.ignite.internal.IgniteEx;
+import org.apache.ignite.internal.client.GridClient;
+import org.apache.ignite.internal.client.GridClientConfiguration;
+import org.apache.ignite.internal.client.GridClientException;
+import org.apache.ignite.internal.client.GridClientFactory;
+import org.apache.ignite.internal.client.GridClientProtocol;
+import org.apache.ignite.internal.processors.security.AbstractSecurityTest;
+import org.apache.ignite.internal.processors.security.impl.TestSecurityData;
+import org.apache.ignite.internal.processors.security.impl.TestSecurityPluginConfiguration;
+import org.apache.ignite.plugin.security.SecurityCredentials;
+import org.apache.ignite.plugin.security.SecurityCredentialsBasicProvider;
+import org.apache.ignite.plugin.security.SecurityPermissionSetBuilder;
+import org.apache.ignite.testframework.GridTestUtils;
+
+import static org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.ALLOW_ALL;
+
+/** Security tests for client. */
+public class GridClientPermissionCheckTest extends AbstractSecurityTest {
+ /** Host. */
+ private static final String HOST = "127.0.0.1";
+ /** Admin. */
+ private static final String ADMIN = "admin";
+ /** User. */
+ private static final String USER = "user";
+
+ /** {@inheritDoc} */
+ @Override protected IgniteConfiguration getConfiguration(String gridName) throws Exception {
+ IgniteConfiguration cfg = super.getConfiguration(gridName);
+
+ TestSecurityPluginConfiguration secCfg = secPluginCfg(ADMIN, ADMIN, ALLOW_ALL,
+ new TestSecurityData(USER, USER,
+ new SecurityPermissionSetBuilder().defaultAllowAll(false).build()
+ ));
+
+ DataStorageConfiguration dsc = new DataStorageConfiguration()
+ .setDefaultDataRegionConfiguration(
+ new DataRegionConfiguration().setPersistenceEnabled(true)
+ );
+
+ cfg.setDataStorageConfiguration(dsc)
+ .setConnectorConfiguration(new ConnectorConfiguration().setPort(ConnectorConfiguration.DFLT_TCP_PORT))
+ .setAuthenticationEnabled(true)
+ .setPluginConfigurations(secCfg);
+
+ return cfg;
+ }
+
+ /**
+ * @param login Login.
+ * @param pwd Password.
+ * @return Client.
+ * @throws GridClientException In case of error.
+ */
+ protected GridClient client(String login, String pwd) throws GridClientException {
+ GridClientConfiguration cfg = new GridClientConfiguration()
+ .setSecurityCredentialsProvider(new SecurityCredentialsBasicProvider(new SecurityCredentials(login, pwd)))
+ .setProtocol(GridClientProtocol.TCP)
+ .setServers(Collections.singleton(HOST + ":" + ConnectorConfiguration.DFLT_TCP_PORT));
+ return GridClientFactory.start(cfg);
+ }
+
+ /**
+ * Test that getting cluster status is working without ADMIN_OPS permissions,
+ * but setting cluster status causes an error.
+ *
+ * @throws Exception If failed.
+ */
+ public void testClusterStatus() throws Exception {
+ IgniteEx ignite = startGrids(1);
+
+ ignite.cluster().active(true);
+
+ try (GridClient client = client(USER, USER)) {
+ assertTrue(client.state().active());
+
+ GridTestUtils.assertThrows(log, () -> client.state().active(false), IgniteException.class, "Authorization failed [perm=ADMIN_OPS");
+
+ assertTrue(client.state().active());
+ }
+ }
+}
diff --git a/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java b/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
index 20e2083a85c2e..f85ea664c6e38 100644
--- a/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
+++ b/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
@@ -26,6 +26,7 @@
 import org.apache.ignite.internal.processors.security.cache.closure.CacheLoadRemoteSecurityContextCheckTest;
 import org.apache.ignite.internal.processors.security.cache.closure.EntryProcessorRemoteSecurityContextCheckTest;
 import org.apache.ignite.internal.processors.security.cache.closure.ScanQueryRemoteSecurityContextCheckTest;
+import org.apache.ignite.internal.processors.security.client.GridClientPermissionCheckTest;
 import org.apache.ignite.internal.processors.security.client.ThinClientPermissionCheckTest;
 import org.apache.ignite.internal.processors.security.compute.ComputePermissionCheckTest;
 import org.apache.ignite.internal.processors.security.compute.closure.ComputeTaskRemoteSecurityContextCheckTest;
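Review bot: getConfiguration() turns on persistence with `setPersistenceEnabled(true)`, yet no persistence-directory cleanup is visible anywhere in GridClientPermissionCheckTest, so unless AbstractSecurityTest already does it, data left by a previous run can change how the node comes up and make testClusterStatus flaky. I would add `@Override protected void beforeTest() throws Exception { cleanPersistenceDir(); }` and an afterTest override that calls `stopAllGrids()` and then `cleanPersistenceDir()` (the base class may already cover one or both; worth checking before duplicating). testClusterStatus exercises only the denied path for USER; a positive call through `client(ADMIN, ADMIN)` showing that `state().active(false)` succeeds would prove the rejection comes from the authorization check rather than from deactivation failing for everyone, although the pinned message `Authorization failed [perm=ADMIN_OPS` already narrows that considerably. The class Javadoc `/** Security tests for client. */` could name what is actually covered, e.g. `/** Checks that a GridClient over the TCP connector can read the cluster state without ADMIN_OPS but cannot change it. */`.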
@@ -63,6 +64,7 @@ public static TestSuite suite() throws Exception {
 suite.addTestSuite(EntryProcessorRemoteSecurityContextCheckTest.class);
 suite.addTestSuite(DataStreamerRemoteSecurityContextCheckTest.class);
 suite.addTestSuite(CacheLoadRemoteSecurityContextCheckTest.class);
+ suite.addTestSuite(GridClientPermissionCheckTest.class);
 suite.addTestSuite(ThinClientPermissionCheckTest.class);
 suite.addTestSuite(IgniteSecurityProcessorTest.class);
 suite.addTestSuite(MultipleSSLContextsTest.class);