diff --git a/pkg/auth/principal.go b/pkg/auth/principal.go
index 78da09cb27f493f034720d40d91f33b7b6ce7313..004db35f2eab6433b1889861e964666ab4a71a21 100644
--- a/pkg/auth/principal.go
+++ b/pkg/auth/principal.go
@@ -3,7 +3,6 @@ package auth
 import (
 	"context"
 
-	"git.perx.ru/perxis/perxis-go/pkg/data"
 	"git.perx.ru/perxis/perxis-go/pkg/environments"
 	"git.perx.ru/perxis/perxis-go/pkg/members"
 	"git.perx.ru/perxis/perxis-go/pkg/permission"
@@ -46,41 +45,5 @@ type OrganizationAccessor interface {
 }
 
 func hasEnvironmentAccess(ctx context.Context, envsrv environments.Environments, role *roles.Role, envID string) bool {
-	if role == nil || role.SpaceID == "" || envID == "" {
-		return false
-	}
-
-	if role.AllowManagement {
-		return true
-	}
-
-	envs := role.Environments
-
-	// Если явно не указаны доступные окружения - доступ по умолчанию к окружению master
-	if len(envs) == 0 {
-		envs = []string{environments.DefaultEnvironment}
-	}
-
-	for _, ce := range envs {
-		if envID == ce || data.GlobMatch(envID, ce) {
-			return true
-		}
-	}
-
-	e, err := envsrv.Get(WithSystem(ctx), role.SpaceID, envID)
-	if err != nil || e == nil {
-		return false
-	}
-
-	aliases := append(e.Aliases, e.ID)
-
-	for _, ce := range envs {
-		for _, al := range aliases {
-			if al == ce || data.GlobMatch(al, ce) {
-				return true
-			}
-		}
-	}
-
-	return false
+	return role != nil && role.CanAccessEnvironment(ctx, &environments.Environment{SpaceID: role.SpaceID, ID: envID}, envsrv)
 }
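Review bot: The system context is dropped on the new line: the removed body fetched the environment with `envsrv.Get(WithSystem(ctx), ...)`, while the replacement hands the caller's `ctx` to `role.CanAccessEnvironment`, which passes it unchanged to `service.Get` (see the pkg/roles/role.go hunk in this commit). If the environments service enforces access control on `Get`, the alias lookup now runs with the privileges of the principal being checked, and any failure returns false, so alias-based grants may silently stop matching. If the elevated context is still required, keep it at this call site: `return role != nil && role.CanAccessEnvironment(WithSystem(ctx), &environments.Environment{SpaceID: role.SpaceID, ID: envID}, envsrv)`.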
diff --git a/pkg/roles/role.go b/pkg/roles/role.go
index eecafb64135a8b4545fe7ef894529641ddbab69a..370470675cd40ae417d38b2ae8b8f7c4e7a63cfe 100644
--- a/pkg/roles/role.go
+++ b/pkg/roles/role.go
@@ -34,8 +34,8 @@ type Role struct {
 	AllowManagement bool `json:"allow_management" bson:"allow_management"`
 }
 
-func (r Role) CanAccessEnvironment(ctx context.Context, service environments.Environments, spaceID, envID string) bool {
-	if spaceID == "" || envID == "" {
+func (r Role) CanAccessEnvironment(ctx context.Context, env *environments.Environment, service environments.Environments) bool {
+	if env.SpaceID == "" || env.ID == "" {
 		return false
 	}
 
@@ -48,24 +48,24 @@ func (r Role) CanAccessEnvironment(ctx context.Context, service environments.Env
 		r.Environments = []string{environments.DefaultEnvironment}
 	}
 
-	for _, e := range r.Environments {
-		if envID == e || data.GlobMatch(envID, e) {
+	// Если окружение передано не полное, это означает, что надо его перезапросить
+	if env.Description == "" && env.Aliases == nil && env.StateInfo == nil {
+		if data.GlobMatch(env.ID, r.Environments...) {
 			return true
 		}
-	}
 
-	env, err := service.Get(ctx, spaceID, envID)
-	if err != nil || env == nil {
-		return false
+		var err error
+		env, err = service.Get(ctx, env.SpaceID, env.ID)
+		if err != nil || env == nil {
+			return false
+		}
 	}
 
 	aliases := append(env.Aliases, env.ID)
 
-	for _, e := range r.Environments {
-		for _, a := range aliases {
-			if a == e || data.GlobMatch(a, e) {
-				return true
-			}
+	for _, a := range aliases {
+		if data.GlobMatch(a, r.Environments...) {
+			return true
 		}
 	}
 
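Review bot: The re-fetch condition `env.Description == "" && env.Aliases == nil && env.StateInfo == nil` guesses from three optional fields whether the struct was loaded from the service, and the access decision depends on that guess. An environment passed with any of those fields set skips `service.Get`, so its `Aliases` are matched against the role exactly as the caller supplied them, while a stored environment with all three empty is re-fetched on every check. Consider an explicit signal instead of the heuristic, or at least a doc comment on `CanAccessEnvironment` such as `// env must be either {SpaceID, ID} only or a value loaded from the environments service; its Aliases are trusted as given.` Because `env` is now caller-owned, `append(env.Aliases, env.ID)` can also write into spare capacity of the caller's slice; `aliases := append([]string{env.ID}, env.Aliases...)` avoids that. The method starts outside this hunk.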
diff --git a/pkg/auth/principal_test.go b/pkg/roles/role_test.go
similarity index 83%
rename from pkg/auth/principal_test.go
rename to pkg/roles/role_test.go
index 54e04ee4a8bf96151f9dfa9cf1edff0342ab03dd..ca794b1855cd96915dbe2002f144f3b907a50aa3 100644
--- a/pkg/auth/principal_test.go
+++ b/pkg/roles/role_test.go
@@ -1,4 +1,4 @@
-package auth
+package roles
 
 import (
 	"context"
@@ -6,16 +6,15 @@ import (
 
 	"git.perx.ru/perxis/perxis-go/pkg/environments"
 	mocksenvs "git.perx.ru/perxis/perxis-go/pkg/environments/mocks"
-	"git.perx.ru/perxis/perxis-go/pkg/roles"
 	"github.com/stretchr/testify/mock"
 )
 
-func Test_hasEnvironmentAccess(t *testing.T) {
+func TestRoleCanAccessEnvironment(t *testing.T) {
 	type args struct {
 		ctx      context.Context
 		envscall func(envsservice *mocksenvs.Environments)
-		role     *roles.Role
-		envID    string
+		role     *Role
+		env      *environments.Environment
 	}
 	tests := []struct {
 		name string
@@ -26,13 +25,13 @@ func Test_hasEnvironmentAccess(t *testing.T) {
 			name: "simple",
 			args: args{
 				ctx: context.Background(),
-				role: &roles.Role{
+				role: &Role{
 					ID:           "1",
 					SpaceID:      "space",
 					Description:  "Current",
 					Environments: []string{"env1", "env2"},
 				},
-				envID: "env1",
+				env: &environments.Environment{ID: "env1", SpaceID: "sp"},
 			},
 			want: true,
 		},
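Review bot: The fixtures pair a role with `SpaceID: "space"` with an environment with `SpaceID: "sp"` and still expect `true`, here and in the later cases of this table. Either the mismatch is a typo, or the test records that `CanAccessEnvironment` presumably never compares `r.SpaceID` with `env.SpaceID`, which would let a role from one space match an environment of another whenever a caller passes the struct directly. If roles are meant to be space-scoped, align the fixtures and add a negative case for a mismatched space, backed by a guard such as `if r.SpaceID != env.SpaceID { return false }` in the method.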
@@ -47,13 +46,13 @@ func Test_hasEnvironmentAccess(t *testing.T) {
 						Aliases: []string{"master"},
 					}, nil).Once()
 				},
-				role: &roles.Role{
+				role: &Role{
 					ID:           "1",
 					SpaceID:      "space",
 					Description:  "Current",
 					Environments: []string{"e*"},
 				},
-				envID: "env",
+				env: &environments.Environment{ID: "env", SpaceID: "sp"},
 			},
 			want: true,
 		},
@@ -68,13 +67,13 @@ func Test_hasEnvironmentAccess(t *testing.T) {
 						Aliases: []string{"master"},
 					}, nil).Once()
 				},
-				role: &roles.Role{
+				role: &Role{
 					ID:           "1",
 					SpaceID:      "space",
 					Description:  "Current",
 					Environments: []string{"*n*"},
 				},
-				envID: "env",
+				env: &environments.Environment{ID: "env", SpaceID: "sp"},
 			},
 			want: true,
 		},
@@ -89,13 +88,13 @@ func Test_hasEnvironmentAccess(t *testing.T) {
 						Aliases: []string{"master"},
 					}, nil).Once()
 				},
-				role: &roles.Role{
+				role: &Role{
 					ID:           "1",
 					SpaceID:      "space",
 					Description:  "Current",
 					Environments: []string{"*1"},
 				},
-				envID: "env",
+				env: &environments.Environment{ID: "env", SpaceID: "sp"},
 			},
 			want: true,
 		},
@@ -110,13 +109,13 @@ func Test_hasEnvironmentAccess(t *testing.T) {
 						Aliases: []string{"master"},
 					}, nil).Once()
 				},
-				role: &roles.Role{
+				role: &Role{
 					ID:           "1",
 					SpaceID:      "space",
 					Description:  "Current",
 					Environments: []string{"ma*"},
 				},
-				envID: "env1",
+				env: &environments.Environment{ID: "env1", SpaceID: "sp"},
 			},
 			want: true,
 		},
@@ -131,13 +130,13 @@ func Test_hasEnvironmentAccess(t *testing.T) {
 						Aliases: []string{"master"},
 					}, nil).Once()
 				},
-				role: &roles.Role{
+				role: &Role{
 					ID:           "1",
 					SpaceID:      "space",
 					Description:  "Current",
 					Environments: []string{"*"},
 				},
-				envID: "env1",
+				env: &environments.Environment{ID: "env1", SpaceID: "sp"},
 			},
 			want: true,
 		},
@@ -152,13 +151,13 @@ func Test_hasEnvironmentAccess(t *testing.T) {
 						Aliases: []string{"master"},
 					}, nil).Once()
 				},
-				role: &roles.Role{
+				role: &Role{
 					ID:           "1",
 					SpaceID:      "space",
 					Description:  "Current",
 					Environments: []string{"q*"},
 				},
-				envID: "env1",
+				env: &environments.Environment{ID: "env1", SpaceID: "sp"},
 			},
 			want: false,
 		},
@@ -170,7 +169,7 @@ func Test_hasEnvironmentAccess(t *testing.T) {
 				tt.args.envscall(envsservice)
 			}
 
-			if got := hasEnvironmentAccess(tt.args.ctx, envsservice, tt.args.role, tt.args.envID); got != tt.want {
+			if got := tt.args.role.CanAccessEnvironment(tt.args.ctx, tt.args.env, envsservice); got != tt.want {
 				t.Errorf("hasEnvironmentAccess() = %v, want %v", got, tt.want)
 			}
 		})
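Review bot: The failure message still names the old function; change it to `t.Errorf("Role.CanAccessEnvironment() = %v, want %v", got, tt.want)` so failures point at the method under test. Every case visible in this diff passes an environment with only `ID` and `SpaceID`, so the new branch that skips `service.Get` for an already loaded environment (non-nil `Aliases`) appears untested; a case with `Aliases` set and no mock expectation would cover it. The nil-role path that `hasEnvironmentAccess` guards is also no longer exercised from this package. The test function continues outside this hunk.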