diff --git a/pkg/service/audit_events.go b/pkg/service/audit_events.go
index 38522f6..61dd65a 100644
--- a/pkg/service/audit_events.go
+++ b/pkg/service/audit_events.go
@@ -25,7 +25,7 @@ func (svc *Service) CreateMapfixAuditComment(ctx context.Context, req api.Create
 		return err
 	}
 	if !has_role {
-		return ErrPermissionDeniedNeedRoleMapReview
+		return ErrPermissionDeniedNeedRoleMapfixReview
 	}
 
 	userId, err := userInfo.GetUserID()
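Review bot: Only the returned sentinel changes at `return ErrPermissionDeniedNeedRoleMapfixReview`; the code that computes `has_role` sits above the hunk, so the diff does not show that the role being tested is the mapfix review role. If the check still tests the old shared map-review role, the denial would name a role that does not grant access, which misleads users and anyone auditing authorization failures. The same applies to every handler changed this way in audit_events.go, mapfixes.go and submissions.go, so it is worth confirming in each that the role passed to the check matches the role named in the error. CreateMapfixAuditComment begins and ends outside the hunk.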
@@ -120,7 +120,7 @@ func (svc *Service) CreateSubmissionAuditComment(ctx context.Context, req api.Cr
 		return err
 	}
 	if !has_role {
-		return ErrPermissionDeniedNeedRoleMapReview
+		return ErrPermissionDeniedNeedRoleSubmissionReview
 	}
 
 	userId, err := userInfo.GetUserID()
diff --git a/pkg/service/mapfixes.go b/pkg/service/mapfixes.go
index 722d437..2b17ea0 100644
--- a/pkg/service/mapfixes.go
+++ b/pkg/service/mapfixes.go
@@ -333,7 +333,7 @@ func (svc *Service) ActionMapfixReject(ctx context.Context, params api.ActionMap
 	}
 	// check if caller has required role
 	if !has_role {
-		return ErrPermissionDeniedNeedRoleMapReview
+		return ErrPermissionDeniedNeedRoleMapfixReview
 	}
 
 	userId, err := userInfo.GetUserID()
@@ -391,7 +391,7 @@ func (svc *Service) ActionMapfixRequestChanges(ctx context.Context, params api.A
 	}
 	// check if caller has required role
 	if !has_role {
-		return ErrPermissionDeniedNeedRoleMapReview
+		return ErrPermissionDeniedNeedRoleMapfixReview
 	}
 
 	// transaction
@@ -539,7 +539,7 @@ func (svc *Service) ActionMapfixTriggerUpload(ctx context.Context, params api.Ac
 	}
 	// check if caller has required role
 	if !has_role {
-		return ErrPermissionDeniedNeedRoleMapUpload
+		return ErrPermissionDeniedNeedRoleMapfixUpload
 	}
 
 	userId, err := userInfo.GetUserID()
@@ -615,7 +615,7 @@ func (svc *Service) ActionMapfixValidated(ctx context.Context, params api.Action
 	}
 	// check if caller has required role
 	if !has_role {
-		return ErrPermissionDeniedNeedRoleMapUpload
+		return ErrPermissionDeniedNeedRoleMapfixUpload
 	}
 
 	userId, err := userInfo.GetUserID()
@@ -701,7 +701,7 @@ func (svc *Service) ActionMapfixTriggerValidate(ctx context.Context, params api.
 	}
 	// check if caller has required role
 	if !has_role {
-		return ErrPermissionDeniedNeedRoleMapReview
+		return ErrPermissionDeniedNeedRoleMapfixReview
 	}
 
 	// read mapfix (this could be done with a transaction WHERE clause)
@@ -810,7 +810,7 @@ func (svc *Service) ActionMapfixRetryValidate(ctx context.Context, params api.Ac
 	}
 	// check if caller has required role
 	if !has_role {
-		return ErrPermissionDeniedNeedRoleMapReview
+		return ErrPermissionDeniedNeedRoleMapfixReview
 	}
 
 	userId, err := userInfo.GetUserID()
@@ -890,7 +890,7 @@ func (svc *Service) ActionMapfixAccepted(ctx context.Context, params api.ActionM
 	}
 	// check if caller has required role
 	if !has_role {
-		return ErrPermissionDeniedNeedRoleMapReview
+		return ErrPermissionDeniedNeedRoleMapfixReview
 	}
 
 	userId, err := userInfo.GetUserID()
diff --git a/pkg/service/service.go b/pkg/service/service.go
index 6c6f3e7..2114850 100644
--- a/pkg/service/service.go
+++ b/pkg/service/service.go
@@ -19,8 +19,10 @@ var (
 	ErrDelayReset = errors.New("Please give the validator at least 10 seconds to operate before attempting to reset the status")
 	ErrPermissionDeniedNotSubmitter = fmt.Errorf("%w: You must be the submitter to perform this action", ErrPermissionDenied)
 	ErrPermissionDeniedNeedRoleSubmissionRelease = fmt.Errorf("%w: Need Role SubmissionRelease", ErrPermissionDenied)
-	ErrPermissionDeniedNeedRoleMapUpload = fmt.Errorf("%w: Need Role MapUpload", ErrPermissionDenied)
-	ErrPermissionDeniedNeedRoleMapReview = fmt.Errorf("%w: Need Role MapReview", ErrPermissionDenied)
+	ErrPermissionDeniedNeedRoleMapfixUpload = fmt.Errorf("%w: Need Role MapfixUpload", ErrPermissionDenied)
+	ErrPermissionDeniedNeedRoleMapfixReview = fmt.Errorf("%w: Need Role MapfixReview", ErrPermissionDenied)
+	ErrPermissionDeniedNeedRoleSubmissionUpload = fmt.Errorf("%w: Need Role SubmissionUpload", ErrPermissionDenied)
+	ErrPermissionDeniedNeedRoleSubmissionReview = fmt.Errorf("%w: Need Role SubmissionReview", ErrPermissionDenied)
 	ErrPermissionDeniedNeedRoleMapDownload = fmt.Errorf("%w: Need Role MapDownload", ErrPermissionDenied)
 	ErrPermissionDeniedNeedRoleScriptWrite = fmt.Errorf("%w: Need Role ScriptWrite", ErrPermissionDenied)
 	ErrPermissionDeniedNeedRoleMaptest = fmt.Errorf("%w: Need Role Maptest", ErrPermissionDenied)
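Review bot: The four new sentinels carry the role name only as free text in the message, so nothing ties `Need Role MapfixUpload` and its siblings to the role values the handlers test. A one-line comment above these entries would record the invariant, e.g. `// Each NeedRole* error must name the exact role checked by the handlers that return it.` A small test asserting `errors.Is(ErrPermissionDeniedNeedRoleSubmissionReview, ErrPermissionDenied)` for each new sentinel would also guard the `%w` wrapping, which callers presumably rely on to map these errors to a permission-denied response. The var block starts and ends outside the hunk.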
diff --git a/pkg/service/submissions.go b/pkg/service/submissions.go
index e7963d1..e15003d 100644
--- a/pkg/service/submissions.go
+++ b/pkg/service/submissions.go
@@ -322,7 +322,7 @@ func (svc *Service) ActionSubmissionReject(ctx context.Context, params api.Actio
 	}
 	// check if caller has required role
 	if !has_role {
-		return ErrPermissionDeniedNeedRoleMapReview
+		return ErrPermissionDeniedNeedRoleSubmissionReview
 	}
 
 	userId, err := userInfo.GetUserID()
@@ -380,7 +380,7 @@ func (svc *Service) ActionSubmissionRequestChanges(ctx context.Context, params a
 	}
 	// check if caller has required role
 	if !has_role {
-		return ErrPermissionDeniedNeedRoleMapReview
+		return ErrPermissionDeniedNeedRoleSubmissionReview
 	}
 
 	userId, err := userInfo.GetUserID()
@@ -560,7 +560,7 @@ func (svc *Service) ActionSubmissionTriggerUpload(ctx context.Context, params ap
 	}
 	// check if caller has required role
 	if !has_role {
-		return ErrPermissionDeniedNeedRoleMapUpload
+		return ErrPermissionDeniedNeedRoleSubmissionUpload
 	}
 
 	userId, err := userInfo.GetUserID()
@@ -643,7 +643,7 @@ func (svc *Service) ActionSubmissionValidated(ctx context.Context, params api.Ac
 	}
 	// check if caller has required role
 	if !has_role {
-		return ErrPermissionDeniedNeedRoleMapUpload
+		return ErrPermissionDeniedNeedRoleSubmissionUpload
 	}
 
 	userId, err := userInfo.GetUserID()
@@ -711,7 +711,7 @@ func (svc *Service) ActionSubmissionTriggerValidate(ctx context.Context, params
 	}
 	// check if caller has required role
 	if !has_role {
-		return ErrPermissionDeniedNeedRoleMapReview
+		return ErrPermissionDeniedNeedRoleSubmissionReview
 	}
 
 	// read submission (this could be done with a transaction WHERE clause)
@@ -803,7 +803,7 @@ func (svc *Service) ActionSubmissionRetryValidate(ctx context.Context, params ap
 	}
 	// check if caller has required role
 	if !has_role {
-		return ErrPermissionDeniedNeedRoleMapReview
+		return ErrPermissionDeniedNeedRoleSubmissionReview
 	}
 
 	userId, err := userInfo.GetUserID()
@@ -883,7 +883,7 @@ func (svc *Service) ActionSubmissionAccepted(ctx context.Context, params api.Act
 	}
 	// check if caller has required role
 	if !has_role {
-		return ErrPermissionDeniedNeedRoleMapReview
+		return ErrPermissionDeniedNeedRoleSubmissionReview
 	}
 
 	userId, err := userInfo.GetUserID()