diff --git a/src/Foundation/Authorization.hs b/src/Foundation/Authorization.hs
index ff547456f..a4ca5385a 100644
--- a/src/Foundation/Authorization.hs
+++ b/src/Foundation/Authorization.hs
@@ -538,7 +538,7 @@ tagAccessPredicate AuthAdmin = cacheAPSchoolFunction SchoolAdmin (Just $ Right d
       -- Schools: access only to school admins
       SchoolR ssh _ -> $cachedHereBinary (mAuthId, ssh) . exceptT return return $ do
         authId <- maybeExceptT AuthenticationRequired $ return mAuthId
-        isAdmin <- lift $ exists [UserFunctionUser ==. authId, UserFunctionFunction ==. SchoolAdmin]
+        isAdmin <- lift . existsBy $ UniqueUserFunction authId ssh SchoolAdmin
         guardMExceptT isAdmin (unauthorizedI MsgUnauthorizedSchoolAdmin)
         return Authorized
       -- other routes: access to any admin is granted here
@@ -608,8 +608,8 @@ tagAccessPredicate AuthExamOffice = cacheAPSchoolFunction SchoolExamOffice (Just
         return Authorized
       SchoolR ssh _ -> $cachedHereBinary (mAuthId, ssh) . exceptT return return $ do
         authId <- maybeExceptT AuthenticationRequired $ return mAuthId
-        isAdmin <- lift $ exists [UserFunctionUser ==. authId, UserFunctionFunction ==. SchoolExamOffice]
-        guardMExceptT isAdmin (unauthorizedI MsgUnauthorizedSchoolExamOffice)
+        isExamOffice <- lift . existsBy $ UniqueUserFunction authId ssh SchoolExamOffice
+        guardMExceptT isExamOffice (unauthorizedI MsgUnauthorizedSchoolExamOffice)
         return Authorized
       _other -> $cachedHereBinary mAuthId . exceptT return return $ do
         authId <- maybeExceptT AuthenticationRequired $ return mAuthId