diff --git a/server/endpoints/system.js b/server/endpoints/system.js
index d060e503f0b86efe5d999bdb05f61007dd959f0f..3b578f94a212db52f601417d3c6889c39855d75a 100644
--- a/server/endpoints/system.js
+++ b/server/endpoints/system.js
@@ -946,7 +946,7 @@ function systemEndpoints(app) {
 
   app.post(
     "/system/custom-models",
-    [validatedRequest],
+    [validatedRequest, flexUserRoleValid([ROLES.admin])],
     async (request, response) => {
       try {
         const { provider, apiKey = null, basePath = null } = reqBody(request);
diff --git a/server/utils/middleware/multiUserProtected.js b/server/utils/middleware/multiUserProtected.js
index 4f128ace14135a161040631c86093c6924a837b1..cf7e58cfe1bf1c3603b6894d24a20cec2b200975 100644
--- a/server/utils/middleware/multiUserProtected.js
+++ b/server/utils/middleware/multiUserProtected.js
@@ -8,8 +8,12 @@ const ROLES = {
 };
 const DEFAULT_ROLES = [ROLES.admin, ROLES.admin];
 
-// Explicitly check that multi user mode is enabled as well as that the
-// requesting user has the appropriate role to modify or call the URL.
+/**
+ * Explicitly check that multi user mode is enabled as well as that the
+ * requesting user has the appropriate role to modify or call the URL.
+ * @param {string[]} allowedRoles - The roles that are allowed to access the route
+ * @returns {function}
+ */
 function strictMultiUserRoleValid(allowedRoles = DEFAULT_ROLES) {
   return async (request, response, next) => {
     // If the access-control is allowable for all - skip validations and continue;
@@ -33,9 +37,12 @@ function strictMultiUserRoleValid(allowedRoles = DEFAULT_ROLES) {
   };
 }
 
-// Apply role permission checks IF the current system is in multi-user mode.
-// This is relevant for routes that are shared between MUM and single-user mode.
-// Checks if the requesting user has the appropriate role to modify or call the URL.
+/**
+ * Apply role permission checks IF the current system is in multi-user mode.
+ * This is relevant for routes that are shared between MUM and single-user mode.
+ * @param {string[]} allowedRoles - The roles that are allowed to access the route
+ * @returns {function}
+ */
 function flexUserRoleValid(allowedRoles = DEFAULT_ROLES) {
   return async (request, response, next) => {
     // If the access-control is allowable for all - skip validations and continue;