diff --git a/data/datamysql/user.go b/data/datamysql/user.go
index 2ae8be0..d3c4a00 100644
--- a/data/datamysql/user.go
+++ b/data/datamysql/user.go
@@ -784,7 +784,7 @@ func (c *userRepo) getAddressSecondaryData(address entity.Address) (entity.Addre
 
 // GetAll returns a list of all active cards
 func (c *userRepo) GetAll() (list []entity.User, err error) {
-	return c.parseSet(c.conn.Query(c.getQuery() + " WHERE a.active = 1 "))
+	return c.parseSet(c.conn.Query(c.getQuery() + " AND a.active = 1 "))
 }
 
 // GetByID returns a single card data by its ID
diff --git a/server/serverconfig/authorization.go b/server/serverconfig/authorization.go
index c3a8c4f..78f0f3a 100644
--- a/server/serverconfig/authorization.go
+++ b/server/serverconfig/authorization.go
@@ -117,8 +117,8 @@ func (a *Config) policyObjectAttributes(c echo.Context, userDetails viewmodel.Us
 	objectIsNew := len(c.ParamValues()) <= 1
 	objectIsExisting := len(c.ParamValues()) > 1
 
-	existingUser := strings.Contains(c.Request().URL.Path, "/users") && objectIsNew
-	newUser := strings.Contains(c.Request().URL.Path, "/users") && objectIsExisting
+	existingUser := strings.Contains(c.Request().URL.Path, "/users") && objectIsExisting
+	newUser := strings.Contains(c.Request().URL.Path, "/users") && objectIsNew
 
 	existingOrganization := strings.Contains(c.Request().URL.Path, "/organization") && objectIsExisting
 	newOrganization := strings.Contains(c.Request().URL.Path, "/organization") && objectIsNew