diff --git a/jupyterhub/apihandlers/users.py b/jupyterhub/apihandlers/users.py
index 5263db86..9fbe63f9 100644
--- a/jupyterhub/apihandlers/users.py
+++ b/jupyterhub/apihandlers/users.py
@@ -15,7 +15,6 @@ from tornado.iostream import StreamClosedError
 from .. import orm
 from ..roles import assign_default_roles
-from ..roles import update_roles
 from ..scopes import needs_scope
 from ..user import User
 from ..utils import isoformat
@@ -57,7 +56,7 @@ class UserListAPIHandler(APIHandler):
 @needs_scope(
 'read:users',
 'read:users:name',
- 'reda:users:servers',
+ 'read:users:servers',
 'read:users:groups',
 'read:users:activity',
 )
diff --git a/jupyterhub/app.py b/jupyterhub/app.py
index 1b90976f..8131cad7 100644
--- a/jupyterhub/app.py
+++ b/jupyterhub/app.py
@@ -1884,11 +1884,16 @@ class JupyterHub(Application):
 db, entity=orm_obj, rolename=predef_role['name']
 )
- # make sure all users, services and tokens have at least one role (update with default)
- for bearer in role_bearers:
- Class = orm.get_class(bearer)
- for obj in db.query(Class):
- if len(obj.roles) < 1:
+ # make sure that on no admin situation, all roles are reset
+ admin_role = orm.Role.find(db, name='admin')
+ if not admin_role.users:
+ app_log.info(
+ "No admin users found; assuming hub upgrade. Initializing default roles for all entities"
+ )
+ for bearer in role_bearers:
+ Class = orm.get_class(bearer)
+ for obj in db.query(Class):
+ # if len(obj.roles) < 1: # todo: Should I check if some roles are already assigned?
 roles.assign_default_roles(db, entity=obj)
 db.commit()
@@ -1994,6 +1999,8 @@ class JupyterHub(Application):
 if orm_service is None:
 # not found, create a new one
 orm_service = orm.Service(name=name)
+ if spec.get('admin', False):
+ roles.update_roles(self.db, entity=orm_service, roles=['admin'])
 self.db.add(orm_service)
 orm_service.admin = spec.get('admin', False)
 self.db.commit()
diff --git a/jupyterhub/roles.py b/jupyterhub/roles.py
index 53b1d084..1712f9ad 100644
--- a/jupyterhub/roles.py
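Review bot: The misspelled scope `'reda:users:servers'` sat in this `@needs_scope(...)` argument list of `UserListAPIHandler` until this commit, which suggests the decorator accepts scope names it does not recognise (inferred; its body is not part of this diff). A check inside `needs_scope` that every name passed to it is a defined scope, or a unit test that compares the scopes declared on the API handlers against the scope definitions, would turn the next typo in an authorization list into an import-time or CI failure instead of a silent mismatch.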
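Review bot: With the `len(obj.roles) < 1` guard commented out in the `@@ -1884` hunk of `app.py`, `roles.assign_default_roles` now runs for every user, service and token whenever the `admin` role has no users, and for none of them otherwise. A hub that legitimately runs without admin users therefore takes the "hub upgrade" path on every start, and once an admin exists an entity with no roles is no longer given a default one, which the removed comment guaranteed. Computing `reset_all = not admin_role.users` before the loop and guarding the call with `if reset_all or not obj.roles:` would keep both behaviours, and the `# todo` question (are roles that are already assigned kept or replaced?) should be answered in the comment rather than left in the code. `update_roles` treats the result of `orm.Role.find` as possibly empty (`if role:`), so `admin_role.users` would raise `AttributeError` here unless an earlier step guarantees the `admin` role exists. The enclosing method starts and ends outside the hunk.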
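Review bot: In the `@@ -1994` hunk of `app.py` the `admin` role is granted only where a new `orm.Service` is constructed, while `orm_service.admin = spec.get('admin', False)` is also written from the spec; the page has lost indentation, so whether that assignment runs for already-existing services as well cannot be confirmed from here. If it does, a service whose spec changes from admin to non-admin keeps the `admin` role in the database, and one that is promoted later never receives it. Reconciling the role with the flag on every load, granting it when the flag is set and removing it when it is not, would keep the role table from retaining privileges the configuration no longer grants. The call also runs before `self.db.add(orm_service)`; a short comment stating that this ordering is intended would help. The enclosing method is outside the hunk.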
+++ b/jupyterhub/roles.py
@@ -230,7 +230,7 @@ def _switch_default_role(db, obj, admin):
 def assign_default_roles(db, entity):
 """Assigns the default roles to an entity:
- users and services get 'user' role, unless they have admin flag
+ users and services get 'user' role, or admin role if they have admin flag
 Tokens get 'token' role"""
 default_token_role = orm.Role.find(db, 'token')
 # tokens can have only 'token' role as default
@@ -246,13 +246,10 @@ def assign_default_roles(db, entity):
 def update_roles(db, entity, roles):
- """Updates object's roles if specified,
- assigns default if no roles specified"""
- Class = type(entity)
+ """Updates object's roles"""
 standard_permissions = {'all', 'read:all'}
 for rolename in roles:
- if Class == orm.APIToken:
-
+ if isinstance(entity, orm.APIToken):
 role = orm.Role.find(db, rolename)
 if role:
 # compare the requested role permissions with the owner's permissions (scopes)
@@ -266,7 +263,7 @@ def update_roles(db, entity, roles):
 owner = db.query(orm.Service).get(entity.service_id)
 if owner:
 owner_scopes = expand_roles_to_scopes(owner)
- if (extra_scopes).issubset(owner_scopes):
+ if extra_scopes.issubset(owner_scopes):
 role.tokens.append(entity)
 else:
 raise ValueError(
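Review bot: The shortened docstring `"""Updates object's roles"""` in the `@@ -246` hunk no longer tells a caller what `update_roles` enforces for tokens: the last hunk shows a requested role being appended only when `extra_scopes.issubset(owner_scopes)` holds and a `ValueError` raised otherwise. Going by the inline comment, that comparison is what keeps a token from receiving permissions beyond its owner's, so the docstring should describe the check, name the `ValueError`, and say what happens when `orm.Role.find` returns nothing for a `rolename` (the `if role:` branch has no `else` visible here). Since the "assigns default if no roles specified" behaviour was removed from the text, one line pointing to `assign_default_roles` for that case would help. The body of `update_roles` continues past the last hunk.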