diff --git a/src/RestWrite.js b/src/RestWrite.js
index f4bb7353..3832d59f 100644
--- a/src/RestWrite.js
+++ b/src/RestWrite.js
@@ -28,6 +28,7 @@ function RestWrite(config, auth, className, query, data, originalData) {
   this.auth = auth;
   this.className = className;
   this.storage = {};
+  this.runOptions = {};
 
   if (!query && data.objectId) {
     throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, 'objectId ' +
@@ -67,6 +68,8 @@ function RestWrite(config, auth, className, query, data, originalData) {
 // status and location are optional.
 RestWrite.prototype.execute = function() {
   return Promise.resolve().then(() => {
+    return this.getUserAndRoleACL();
+  }).then(() => {
     return this.validateSchema();
   }).then(() => {
     return this.handleInstallation();
@@ -89,6 +92,19 @@ RestWrite.prototype.execute = function() {
   });
 };
 
+// Uses the Auth object to get the list of roles, adds the user id
+RestWrite.prototype.getUserAndRoleACL = function() {
+  if (this.auth.isMaster || !this.auth.user) {
+    return Promise.resolve();
+  }
+  return this.auth.getUserRoles().then((roles) => {
+    roles.push('*');
+    roles.push(this.auth.user.id);
+    this.runOptions.acl = roles;
+    return Promise.resolve();
+  });
+};
+
 // Validates this operation against the schema.
 RestWrite.prototype.validateSchema = function() {
   return this.config.database.validateObject(this.className, this.data);
@@ -645,24 +661,16 @@ RestWrite.prototype.runDatabaseOperation = function() {
     throw new Parse.Error(Parse.Error.INVALID_ACL, 'Invalid ACL.');
   }
 
-  var options = {};
-  if (!this.auth.isMaster) {
-    options.acl = ['*'];
-    if (this.auth.user) {
-      options.acl.push(this.auth.user.id);
-    }
-  }
-
   if (this.query) {
     // Run an update
     return this.config.database.update(
-      this.className, this.query, this.data, options).then((resp) => {
+      this.className, this.query, this.data, this.runOptions).then((resp) => {
         this.response = resp;
         this.response.updatedAt = this.updatedAt;
       });
   } else {
     // Run a create
-    return this.config.database.create(this.className, this.data, options)
+    return this.config.database.create(this.className, this.data, this.runOptions)
       .then(() => {
         var resp = {
           objectId: this.data.objectId,
diff --git a/src/rest.js b/src/rest.js
index 552fa6be..094e8ab6 100644
--- a/src/rest.js
+++ b/src/rest.js
@@ -56,12 +56,19 @@ function del(config, auth, className, objectId) {
       });
     }
     return Promise.resolve({});
+  }).then(() => {
+    if (!auth.isMaster) {
+      return auth.getUserRoles();
+    }else{
+      return Promise.resolve();
+    }
   }).then(() => {
     var options = {};
     if (!auth.isMaster) {
       options.acl = ['*'];
       if (auth.user) {
         options.acl.push(auth.user.id);
+        options.acl = options.acl.concat(auth.userRoles);
       }
     }