diff --git a/jupyterhub/apihandlers/base.py b/jupyterhub/apihandlers/base.py
index 917485af..b8a72dbf 100644
--- a/jupyterhub/apihandlers/base.py
+++ b/jupyterhub/apihandlers/base.py
@@ -293,16 +293,24 @@ class APIHandler(BaseHandler):
 def service_model(self, service):
 """Get the JSON model for a Service object"""
- model = {}
- scope_filter = self.get_scope_filter('read:services')
- if scope_filter(service, kind='service'):
- model = {
- 'kind': 'service',
- 'name': service.name,
- 'roles': [r.name for r in service.roles],
- 'admin': service.admin,
- }
- # todo: Remove once we replace admin flag with role check
+ model = {
+ 'kind': 'service',
+ 'name': service.name,
+ 'roles': [r.name for r in service.roles],
+ 'admin': service.admin,
+ }
+ # todo: remove admin key now we have roles?
+ access_map = {
+ 'read:services': {'kind', 'name', 'roles', 'admin'},
+ 'read:services:name': {'kind', 'name'},
+ 'read:services:roles': {'kind', 'name', 'roles'},
+ }
+ allowed_keys = set()
+ for scope in access_map:
+ scope_filter = self.get_scope_filter(scope)
+ if scope_filter(service, kind='service'):
+ allowed_keys |= access_map[scope]
+ model = {key: model[key] for key in allowed_keys}
 return model
 _user_model_types = {
diff --git a/jupyterhub/apihandlers/users.py b/jupyterhub/apihandlers/users.py
index ac2a6461..e3171538 100644
--- a/jupyterhub/apihandlers/users.py
+++ b/jupyterhub/apihandlers/users.py
@@ -62,6 +62,7 @@ class UserListAPIHandler(APIHandler):
 'read:users:servers',
 'read:users:groups',
 'read:users:activity',
+ 'read:users:roles',
 )
 def get(self):
 state_filter = self.get_argument("state", None)
@@ -176,6 +177,7 @@ class UserAPIHandler(APIHandler):
 'read:users:servers',
 'read:users:groups',
 'read:users:activity',
+ 'read:users:roles',
 )
 async def get(self, user_name):
 user = self.find_user(user_name)
diff --git a/jupyterhub/roles.py b/jupyterhub/roles.py
index 6e3f1c90..493f625d 100644
--- a/jupyterhub/roles.py
+++ b/jupyterhub/roles.py
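Review bot: The final comprehension in `service_model` iterates `allowed_keys`, which is a set, so the key order of the returned model follows string hashing and can differ between processes; filtering the dict that was already built keeps a stable order: `model = {key: value for key, value in model.items() if key in allowed_keys}`. The allow-list is fail-closed as written (nothing is returned unless a scope filter matches, and `admin` is released only by `read:services`), and the docstring should state that, e.g. `"""Get the JSON model for a Service object, limited to the fields the requester's read:services scopes allow; empty dict if none match"""`. No test for the `read:services:name` / `read:services:roles` filtering is visible in this commit, and where those two scopes are defined cannot be seen from this diff. The enclosing class starts and continues outside the hunk.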
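Review bot: `'read:users:roles'` is added to the scope tuple ahead of `UserListAPIHandler.get` and, in the next hunk, `UserAPIHandler.get`, but this diff shows no matching change to the user model's per-field filtering. If the user model does not map `read:users:roles` to the `roles` field, a token holding only that scope would pass the handler check and get a model without roles; if it maps it too broadly, the scope would release more than role names. A test that asserts the exact keys returned for a token holding only `read:users:roles` would pin this down. Both `get` methods continue outside their hunks.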
@@ -67,6 +67,7 @@ def expand_self_scope(name):
 'users:activity',
 'users:servers',
 'users:tokens',
+ 'users:roles',
 ]
 read_scope_list = ['read:' + scope for scope in scope_list]
 scope_list.extend(read_scope_list)
diff --git a/jupyterhub/tests/test_scopes.py b/jupyterhub/tests/test_scopes.py
index 5569a29f..46dabc70 100644
--- a/jupyterhub/tests/test_scopes.py
+++ b/jupyterhub/tests/test_scopes.py
@@ -722,6 +722,7 @@ async def test_server_state_access(
 'read:users!user=y',
 'read:users:name!user=y',
 'read:users:groups!user=y',
+ 'read:users:roles!user=y',
 'read:users:activity!user=y',
 },
 ),
@@ -733,6 +734,7 @@ async def test_server_state_access(
 'read:users!user=y',
 'read:users:name!user=y',
 'read:users:groups!user=y',
+ 'read:users:roles!user=y',
 'read:users:activity!user=y',
 },
 ),
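Review bot: Adding `'users:roles'` to `scope_list` in `expand_self_scope` puts the non-read scope into the `self` expansion as well as `read:users:roles`, because the `read:` variants are derived from the same list two lines later. What `users:roles` authorizes is not visible in this diff; if it allows changing role assignments, every holder of `self` could alter their own roles, so the intent should be recorded next to the entry, e.g. `# NOTE: self includes users:roles (non-read); confirm it cannot be used to self-assign roles`. The test expectations updated in this commit list only `read:users:roles!user=y`, so the non-read form appears uncovered. The function body starts and ends outside the hunk.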