diff --git a/Documentation/access-control.txt b/Documentation/access-control.txt
index 72e309a1be..397b99a742 100644
--- a/Documentation/access-control.txt
+++ b/Documentation/access-control.txt
@@ -1380,6 +1380,13 @@ allows the granted group to
 link:cmd-stream-events.html[stream Gerrit events via ssh].
 
 
+[[capability_viewAccess]]
+=== View Access
+
+Allow checking access rights for arbitrary (user, project) pairs,
+using the link:rest-api-projects.html#check-access[check.access]
+endpoint
+
 [[capability_viewAllAccounts]]
 === View All Accounts
 
diff --git a/Documentation/rest-api-projects.txt b/Documentation/rest-api-projects.txt
index 0ae3a6401c..0fbc73a46a 100644
--- a/Documentation/rest-api-projects.txt
+++ b/Documentation/rest-api-projects.txt
@@ -1311,7 +1311,7 @@ a link:#change-info[ChangeInfo] entity describing the resulting change.
 --
 
 Runs access checks for other users. This requires the
-link:access-control.html#capability_administrateServer[Administrate Server]
+link:access-control.html#capability_viewAccess[View Access]
 global capability.
 
 Input for the access checks that should be run must be provided in
diff --git a/java/com/google/gerrit/common/data/GlobalCapability.java b/java/com/google/gerrit/common/data/GlobalCapability.java
index c15f7b9fcd..e613d21ce0 100644
--- a/java/com/google/gerrit/common/data/GlobalCapability.java
+++ b/java/com/google/gerrit/common/data/GlobalCapability.java
@@ -114,6 +114,9 @@ public class GlobalCapability {
   /** Can view all pending tasks in the queue (not just the filtered set). */
   public static final String VIEW_QUEUE = "viewQueue";
 
+  /** Can query permissions for any (project, user) pair */
+  public static final String VIEW_ACCESS = "viewAccess";
+
   private static final List<String> NAMES_ALL;
   private static final List<String> NAMES_LC;
   private static final String[] RANGE_NAMES = {
@@ -143,6 +146,7 @@ public class GlobalCapability {
     NAMES_ALL.add(VIEW_CONNECTIONS);
     NAMES_ALL.add(VIEW_PLUGINS);
     NAMES_ALL.add(VIEW_QUEUE);
+    NAMES_ALL.add(VIEW_ACCESS);
 
     NAMES_LC = new ArrayList<>(NAMES_ALL.size());
     for (String name : NAMES_ALL) {
diff --git a/java/com/google/gerrit/server/config/CapabilityConstants.java b/java/com/google/gerrit/server/config/CapabilityConstants.java
index 502589266e..961dbbd958 100644
--- a/java/com/google/gerrit/server/config/CapabilityConstants.java
+++ b/java/com/google/gerrit/server/config/CapabilityConstants.java
@@ -43,4 +43,5 @@ public class CapabilityConstants extends TranslationBundle {
   public String viewConnections;
   public String viewPlugins;
   public String viewQueue;
+  public String viewAccess;
 }
diff --git a/java/com/google/gerrit/server/permissions/DefaultPermissionBackend.java b/java/com/google/gerrit/server/permissions/DefaultPermissionBackend.java
index 379cfc8dc9..8487d6e630 100644
--- a/java/com/google/gerrit/server/permissions/DefaultPermissionBackend.java
+++ b/java/com/google/gerrit/server/permissions/DefaultPermissionBackend.java
@@ -170,6 +170,7 @@ public class DefaultPermissionBackend extends PermissionBackend {
         case VIEW_ALL_ACCOUNTS:
         case VIEW_CONNECTIONS:
         case VIEW_PLUGINS:
+        case VIEW_ACCESS:
           return has(globalPermissionName(perm)) || isAdmin();
 
         case ACCESS_DATABASE:
diff --git a/java/com/google/gerrit/server/permissions/DefaultPermissionMappings.java b/java/com/google/gerrit/server/permissions/DefaultPermissionMappings.java
index 04057e09f6..9593521570 100644
--- a/java/com/google/gerrit/server/permissions/DefaultPermissionMappings.java
+++ b/java/com/google/gerrit/server/permissions/DefaultPermissionMappings.java
@@ -58,6 +58,7 @@ public class DefaultPermissionMappings {
           .put(GlobalPermission.VIEW_CONNECTIONS, GlobalCapability.VIEW_CONNECTIONS)
           .put(GlobalPermission.VIEW_PLUGINS, GlobalCapability.VIEW_PLUGINS)
           .put(GlobalPermission.VIEW_QUEUE, GlobalCapability.VIEW_QUEUE)
+          .put(GlobalPermission.VIEW_ACCESS, GlobalCapability.VIEW_ACCESS)
           .build();
 
   static {
diff --git a/java/com/google/gerrit/server/permissions/GlobalPermission.java b/java/com/google/gerrit/server/permissions/GlobalPermission.java
index 475eeeaafd..a789bd9fe6 100644
--- a/java/com/google/gerrit/server/permissions/GlobalPermission.java
+++ b/java/com/google/gerrit/server/permissions/GlobalPermission.java
@@ -50,7 +50,8 @@ public enum GlobalPermission implements GlobalOrPluginPermission {
   VIEW_CACHES,
   VIEW_CONNECTIONS,
   VIEW_PLUGINS,
-  VIEW_QUEUE;
+  VIEW_QUEUE,
+  VIEW_ACCESS;
 
   private static final Logger log = LoggerFactory.getLogger(GlobalPermission.class);
 
diff --git a/java/com/google/gerrit/server/restapi/project/CheckAccess.java b/java/com/google/gerrit/server/restapi/project/CheckAccess.java
index 2a6566875f..865f0778f6 100644
--- a/java/com/google/gerrit/server/restapi/project/CheckAccess.java
+++ b/java/com/google/gerrit/server/restapi/project/CheckAccess.java
@@ -68,7 +68,8 @@ public class CheckAccess implements RestModifyView<ProjectResource, AccessCheckI
   public AccessCheckInfo apply(ProjectResource rsrc, AccessCheckInput input)
       throws OrmException, PermissionBackendException, RestApiException, IOException,
           ConfigInvalidException {
-    permissionBackend.user(rsrc.getUser()).check(GlobalPermission.ADMINISTRATE_SERVER);
+    permissionBackend.user(rsrc.getUser()).check(GlobalPermission.VIEW_ACCESS);
+
     rsrc.getProjectState().checkStatePermitsRead();
 
     if (input == null) {
diff --git a/javatests/com/google/gerrit/acceptance/rest/account/CapabilityInfo.java b/javatests/com/google/gerrit/acceptance/rest/account/CapabilityInfo.java
index fac594ab7a..5404fdd480 100644
--- a/javatests/com/google/gerrit/acceptance/rest/account/CapabilityInfo.java
+++ b/javatests/com/google/gerrit/acceptance/rest/account/CapabilityInfo.java
@@ -36,6 +36,7 @@ class CapabilityInfo {
   public boolean viewConnections;
   public boolean viewPlugins;
   public boolean viewQueue;
+  public boolean viewAccess;
 
   static class QueryLimit {
     short min;
diff --git a/resources/com/google/gerrit/server/config/CapabilityConstants.properties b/resources/com/google/gerrit/server/config/CapabilityConstants.properties
index 1de7eeaf3f..6654837253 100644
--- a/resources/com/google/gerrit/server/config/CapabilityConstants.properties
+++ b/resources/com/google/gerrit/server/config/CapabilityConstants.properties
@@ -19,3 +19,4 @@ viewCaches = View Caches
 viewConnections = View Connections
 viewPlugins = View Plugins
 viewQueue = View Queue
+viewAccess = View Access