diff --git a/src/Foundation/Authorization.hs b/src/Foundation/Authorization.hs
index 6b16505a2..8ea01d228 100644
--- a/src/Foundation/Authorization.hs
+++ b/src/Foundation/Authorization.hs
@@ -1488,7 +1488,7 @@ tagAccessPredicate AuthEmpty = APDB $ \evalCtx eval' mAuthId route _ -> do
             cID <- encrypt wwId
             let route' = _WorkflowScopeRoute # (rScope', WorkflowWorkflowR cID WWWorkflowR)
             lift . evalWriterT $ evalWorkflowRoleFor' eval' mAuthId (Just wwId) role route' False
-        guardM . fmap (is _Authorized) $ ofoldl1' orAR' . mapNonNull evalRole =<< hoistMaybe (fromNullable $ otoList roles)
+        guardM . fmap (isn't _Authorized) $ ofoldl1' orAR' . mapNonNull evalRole =<< hoistMaybe (fromNullable $ otoList roles)
         return AuthorizedI18n
    in case route of
         r | Just (rScope, WorkflowInstanceR win WIWorkflowsR) <- r ^? _WorkflowScopeRoute