diff --git a/source/java/org/alfresco/rest/api/impl/PeopleImpl.java b/source/java/org/alfresco/rest/api/impl/PeopleImpl.java
index 411b978acc..4e9b3ba592 100644
--- a/source/java/org/alfresco/rest/api/impl/PeopleImpl.java
+++ b/source/java/org/alfresco/rest/api/impl/PeopleImpl.java
@@ -428,7 +428,13 @@ public class PeopleImpl implements People
 {
 validateCreatePersonData(person);
- // TODO: check, is this transaction safe?
+ if (! isAdminAuthority())
+ {
+ // note: do an explict check for admin here (since personExists does not throw 403 unlike createPerson,
+ // hence next block would cause 409 to be returned)
+ throw new PermissionDeniedException();
+ }
+
+ // Unfortunately PersonService.createPerson(...) only throws an AlfrescoRuntimeException
 // rather than a more specific exception and does not use a message ID either, so there's
 // no sensible way to know that it was thrown due to the user already existing - hence this check here.
diff --git a/source/test-java/org/alfresco/rest/api/tests/TestPeople.java b/source/test-java/org/alfresco/rest/api/tests/TestPeople.java
index 4a1eca19d9..f17f3c7138 100644
--- a/source/test-java/org/alfresco/rest/api/tests/TestPeople.java
+++ b/source/test-java/org/alfresco/rest/api/tests/TestPeople.java
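Review bot: The new `if (! isAdminAuthority())` guard sits after `validateCreatePersonData(person);`, so a caller without admin rights still gets the validation outcome (and whatever detail those errors carry) before being refused; placing the guard at the top of the method, ahead of validation, gives unauthorized callers one uniform 403 regardless of payload and keeps the existence check from ever being reached by them. The comment's reasoning is sound — without this check a non-admin could distinguish existing from non-existing usernames by 409 versus 403 — and is worth stating in those terms: `// authorise before the personExists() check so non-admins cannot learn whether a username exists (409 vs 403)`. Minor: `! isAdminAuthority()` → `!isAdminAuthority()` and "explict" → "explicit". The enclosing method begins before this hunk, so I cannot see whether an earlier check already covers the validation path.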
@@ -430,17 +430,25 @@ public class TestPeople extends EnterpriseTestApi
 // -ve: person already exists
 {
- publicApiClient.setRequestContext(new RequestContext(account1.getId(), account1Admin, "admin"));
+ String username = "myUserName03@"+account1.getId();
+ String password = "secret";
+
 Person person = new Person();
- person.setUserName("myUserName03@"+account1.getId());
+ person.setUserName(username);
 person.setFirstName("Alison");
 person.setEmail("alison.smythe@example.com");
 person.setEnabled(true);
- person.setPassword("secret");
+ person.setPassword(password);
+
+ publicApiClient.setRequestContext(new RequestContext(account1.getId(), account1Admin, "admin"));
 people.create(person);
- // Attempt to create the person a second time.
+ // Attempt to create the person a second time - as admin expect 409
 people.create(person, 409);
+
+ publicApiClient.setRequestContext(new RequestContext(account1.getId(), username, password));
+ // Attempt to create the person a second time - as non-admin expect 403
+ people.create(person, 403);
 }
 }
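Review bot: The new non-admin case only asserts 403 for a username that already exists, which is exactly the situation the production fix targets, but it never checks that a non-admin creating a fresh username is also refused; without that, a regression that moved the admin check back behind the existence check would still pass this test. After `people.create(person, 403);` add `person.setUserName("myUserName04@"+account1.getId()); people.create(person, 403);` so the 403 is shown to be independent of whether the user exists. Consider also a one-line comment above the second `setRequestContext` noting that `username`/`password` are the credentials of the account created just above, since the reader otherwise has to infer why a non-admin login is now possible. This hunk appears to close the enclosing test method, so the extra assertion fits inside the existing braces.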