diff --git a/service/internal/auth/casbin.go b/service/internal/auth/casbin.go
index 2f8d0d3220..5e15e7ef75 100644
--- a/service/internal/auth/casbin.go
+++ b/service/internal/auth/casbin.go
@@ -95,11 +95,11 @@ p, role:standard, /entityresolution/resolve, write, allow
 ## gRPC routes
 ## for ERS, right now we don't care about requester role, just that a valid jwt is provided when the OPA engine calls (enforced in the ERS itself, not casbin)
 p, role:unknown, entityresolution.EntityResolutionService.ResolveEntities, write, allow
-p, role:unknown, kas.AccessService/Rewrap, write, allow
+p, role:unknown, kas.AccessService/Rewrap, *, allow
 ## HTTP routes
 ## for ERS, right now we don't care about requester role, just that a valid jwt is provided when the OPA engine calls (enforced in the ERS itself, not casbin)
 p, role:unknown, /entityresolution/resolve, write, allow
-p, role:unknown, /kas/v2/rewrap, write, allow
+p, role:unknown, /kas/v2/rewrap, *, allow
 `
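Review bot: The two changed `role:unknown` rules for rewrap (`kas.AccessService/Rewrap` and `/kas/v2/rewrap`) now allow every action with `*`, which is broader than the single `write` they replace, and nothing in the hunk says which additional action is actually needed. If only one more action is required, naming it in its own rule next to the existing `write` rule keeps the policy least-privilege, so that action types added later are not allowed by default for subjects that presumably have no recognised role. The comment above both rules describes only ERS, so the rewrap lines would benefit from their own comment, for example `## for KAS rewrap, requester role is not checked in casbin; authorization is enforced in <component to confirm>`. It is also worth confirming that the model's matcher treats `*` in the action field as a wildcard rather than a literal string, since the matcher is not visible in this hunk.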