diff --git a/swift/common/middleware/swauth.py b/swift/common/middleware/swauth.py
index 76ad4495f4..d4df1aa7ab 100644
--- a/swift/common/middleware/swauth.py
+++ b/swift/common/middleware/swauth.py
@@ -849,6 +849,12 @@ class Swauth(object):
                 raise Exception('Could not retrieve user object: %s %s' %
                                 (path, resp.status))
             body = resp.body
+            display_groups = [g['name'] for g in json.loads(body)['groups']]
+            if ('.admin' in display_groups and
+                not self.is_reseller_admin(req)) or \
+               ('.reseller_admin' in display_groups and
+                not self.is_super_admin(req)):
+                return HTTPForbidden(request=req)
         return Response(body=body)
 
     def handle_put_user(self, req):
diff --git a/test/unit/common/middleware/test_swauth.py b/test/unit/common/middleware/test_swauth.py
index ea78347d7a..19d07fc8fa 100644
--- a/test/unit/common/middleware/test_swauth.py
+++ b/test/unit/common/middleware/test_swauth.py
@@ -2354,8 +2354,7 @@ class TestAuth(unittest.TestCase):
              "auth": "plaintext:key"})),
             # GET of requested user object
             ('200 Ok', {}, json.dumps(
-                {"groups": [{"name": "act:usr"}, {"name": "act"},
-                            {"name": ".admin"}],
+                {"groups": [{"name": "act:usr"}, {"name": "act"}],
                  "auth": "plaintext:key"}))]))
         resp = Request.blank('/auth/v2/act/usr',
             headers={'X-Auth-Admin-User': 'act:adm',
@@ -2363,11 +2362,86 @@ class TestAuth(unittest.TestCase):
             ).get_response(self.test_auth)
         self.assertEquals(resp.status_int, 200)
         self.assertEquals(resp.body, json.dumps(
-            {"groups": [{"name": "act:usr"}, {"name": "act"},
-                        {"name": ".admin"}],
+            {"groups": [{"name": "act:usr"}, {"name": "act"}],
              "auth": "plaintext:key"}))
         self.assertEquals(self.test_auth.app.calls, 2)
 
+    def test_get_user_account_admin_fail_getting_account_admin(self):
+        self.test_auth.app = FakeApp(iter([
+            # GET of user object (account admin check)
+            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"},
+             {"name": "test"}, {"name": ".admin"}],
+             "auth": "plaintext:key"})),
+            # GET of requested user object [who is an .admin as well]
+            ('200 Ok', {}, json.dumps(
+                {"groups": [{"name": "act:usr"}, {"name": "act"},
+                            {"name": ".admin"}],
+                 "auth": "plaintext:key"})),
+            # GET of user object (reseller admin check [and fail here])
+            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"},
+             {"name": "test"}, {"name": ".admin"}],
+             "auth": "plaintext:key"}))]))
+        resp = Request.blank('/auth/v2/act/usr',
+            headers={'X-Auth-Admin-User': 'act:adm',
+                     'X-Auth-Admin-Key': 'key'}
+            ).get_response(self.test_auth)
+        self.assertEquals(resp.status_int, 403)
+        self.assertEquals(self.test_auth.app.calls, 3)
+
+    def test_get_user_account_admin_fail_getting_reseller_admin(self):
+        self.test_auth.app = FakeApp(iter([
+            # GET of user object (account admin check)
+            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"},
+             {"name": "test"}, {"name": ".admin"}],
+             "auth": "plaintext:key"})),
+            # GET of requested user object [who is a .reseller_admin]
+            ('200 Ok', {}, json.dumps(
+                {"groups": [{"name": "act:usr"}, {"name": "act"},
+                            {"name": ".reseller_admin"}],
+                 "auth": "plaintext:key"}))]))
+        resp = Request.blank('/auth/v2/act/usr',
+            headers={'X-Auth-Admin-User': 'act:adm',
+                     'X-Auth-Admin-Key': 'key'}
+            ).get_response(self.test_auth)
+        self.assertEquals(resp.status_int, 403)
+        self.assertEquals(self.test_auth.app.calls, 2)
+
+    def test_get_user_reseller_admin_fail_getting_reseller_admin(self):
+        self.test_auth.app = FakeApp(iter([
+            # GET of user object (account admin check)
+            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"},
+             {"name": "test"}, {"name": ".reseller_admin"}],
+             "auth": "plaintext:key"})),
+            # GET of requested user object [who also is a .reseller_admin]
+            ('200 Ok', {}, json.dumps(
+                {"groups": [{"name": "act:usr"}, {"name": "act"},
+                            {"name": ".reseller_admin"}],
+                 "auth": "plaintext:key"}))]))
+        resp = Request.blank('/auth/v2/act/usr',
+            headers={'X-Auth-Admin-User': 'act:adm',
+                     'X-Auth-Admin-Key': 'key'}
+            ).get_response(self.test_auth)
+        self.assertEquals(resp.status_int, 403)
+        self.assertEquals(self.test_auth.app.calls, 2)
+
+    def test_get_user_super_admin_succeed_getting_reseller_admin(self):
+        self.test_auth.app = FakeApp(iter([
+            # GET of requested user object
+            ('200 Ok', {}, json.dumps(
+                {"groups": [{"name": "act:usr"}, {"name": "act"},
+                            {"name": ".reseller_admin"}],
+                 "auth": "plaintext:key"}))]))
+        resp = Request.blank('/auth/v2/act/usr',
+            headers={'X-Auth-Admin-User': '.super_admin',
+                     'X-Auth-Admin-Key': 'supertest'}
+            ).get_response(self.test_auth)
+        self.assertEquals(resp.status_int, 200)
+        self.assertEquals(resp.body, json.dumps(
+            {"groups": [{"name": "act:usr"}, {"name": "act"},
+                        {"name": ".reseller_admin"}],
+             "auth": "plaintext:key"}))
+        self.assertEquals(self.test_auth.app.calls, 1)
+
     def test_get_user_groups_not_found(self):
         self.test_auth.app = FakeApp(iter([
             # GET of account container (list objects)