diff --git a/modules/opencase_entities/src/CaseInvolvement.php b/modules/opencase_entities/src/CaseInvolvement.php
index 5ea82c8..525f4dc 100644
--- a/modules/opencase_entities/src/CaseInvolvement.php
+++ b/modules/opencase_entities/src/CaseInvolvement.php
@@ -13,4 +13,10 @@ class CaseInvolvement {
 $involvedIds = array_column($case->actors_involved->getValue(), 'target_id');
 return in_array($actorId, $involvedIds);
 }
+
+ public static function userIsInvolved_activity($account, $activity) {
+ $case_id = $activity->oc_case->target_id;
+ $case = \Drupal::entityTypeManager()->getStorage('oc_case')->load($case_id);
+ return self::userIsInvolved($account, $case);
+ }
 }
diff --git a/modules/opencase_entities/src/OCActivityAccessControlHandler.php b/modules/opencase_entities/src/OCActivityAccessControlHandler.php
index 7d48a41..f104107 100644
--- a/modules/opencase_entities/src/OCActivityAccessControlHandler.php
+++ b/modules/opencase_entities/src/OCActivityAccessControlHandler.php
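Review bot: `userIsInvolved_activity` has no fail-closed path for an activity without a case: when `$activity->oc_case->target_id` is empty, `load()` returns NULL and the call to `self::userIsInvolved()` then reads `$case->actors_involved` on NULL, so the access check errors out rather than denying. Add a guard before the final return, `if ($case === NULL) { return FALSE; }`, so a missing or unloadable case yields a deny. The method also lacks a docblock and uses a snake_case suffix where its sibling is camelCase; a one-line `/** Delegates to userIsInvolved() using the case the activity belongs to; FALSE if the activity has no loadable case. */` would document the contract, and the name could be brought in line with the sibling in a follow-up since the new handler code already calls it.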
@@ -24,11 +24,15 @@ class OCActivityAccessControlHandler extends EntityAccessControlHandler {
 if (!$entity->isPublished()) {
 return AccessResult::allowedIfHasPermission($account, 'view unpublished activity entities');
 }
- return AccessResult::allowedIfHasPermission($account, 'view published activity entities');
-
- case 'update':
- return AccessResult::allowedIfHasPermission($account, 'edit activity entities');
-
+ return AccessResult::allowedIf(
+ $account->hasPermission('view published case entities') // activity permissions are inherited from case
+ || CaseInvolvement::userIsInvolved_activity($account, $entity)
+ );
+ case 'update': // allowed only if a) they can see the case the activity is on and b) they can edit cases
+ return AccessResult::allowedIf(
+ $account->hasPermission('edit case entities')
+ && ($account->hasPermission('view published case entities') || CaseInvolvement::userIsInvolved_activity($account, $entity))
+ );
 case 'delete':
 return AccessResult::allowedIfHasPermission($account, 'delete activity entities');
 }
diff --git a/modules/opencase_entities/src/OCCaseAccessControlHandler.php b/modules/opencase_entities/src/OCCaseAccessControlHandler.php
index 1f523ca..36e5eab 100644
--- a/modules/opencase_entities/src/OCCaseAccessControlHandler.php
+++ b/modules/opencase_entities/src/OCCaseAccessControlHandler.php
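Review bot: The two new `AccessResult::allowedIf(...)` results (the 'view' published path and the 'update' arm) carry no cacheability metadata, whereas the `allowedIfHasPermission()` calls they replace added the `user.permissions` cache context; since the new decision also depends on the specific account's involvement in the case, a result cached without a per-user context can be served to a different user. Chain `->cachePerPermissions()->cachePerUser()->addCacheableDependency($entity)` onto each `allowedIf(...)` so the decision is invalidated and varied correctly; the same applies to the 'update' arm of OCCaseAccessControlHandler.php in the next hunk. The unpublished branch above and the 'delete' arm below still grant on activity-level permissions with no case check, so if activity access is meant to be inherited from the case, those arms presumably remain a gap. The enclosing switch starts before this hunk.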
@@ -29,10 +29,10 @@ class OCCaseAccessControlHandler extends EntityAccessControlHandler {
 $account->hasPermission('view published case entities')
 || CaseInvolvement::userIsInvolved($account, $entity)
 );
- case 'update':
+ case 'update': // you can edit the case only if a) you can see it and b) you have the permission to edit cases.
 return AccessResult::allowedIf(
- $account->hasPermission('edit published case entities')
- || CaseInvolvement::userIsInvolved($account, $entity)
+ $account->hasPermission('edit case entities')
+ && ($account->hasPermission('view published case entities') || CaseInvolvement::userIsInvolved($account, $entity))
 );
 case 'delete':
 return AccessResult::allowedIfHasPermission($account, 'delete case entities');
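Review bot: The 'update' arm now checks `'edit case entities'` where the removed line checked `'edit published case entities'`, and this diff does not touch the module's permission definitions; confirm the new name is declared there, because `hasPermission()` on an undeclared permission is false for every non-admin account and would silently lock all editors out of updating cases. The inline `// you can edit the case only if ...` comment is fine, but a short docblock on the handler's `checkAccess` (outside this hunk) stating that edit access is now view-access AND the edit permission would make the intent findable without reading the switch. The enclosing switch begins before this hunk.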