diff --git a/program/serializers.py b/program/serializers.py
index 6b47108e7ca2c7a70ad0867fd7133b2ab29681f7..30d9c6973f20ea6719da70081ad4a56d6309a594 100644
--- a/program/serializers.py
+++ b/program/serializers.py
@@ -189,7 +189,15 @@ class UserSerializer(serializers.ModelSerializer):
             profile = None
 
         if profile_data:
+            user = self.context.get("request").user
+
             if profile:
+                # having the update_user_profile permission overrides being the user
+                if not (user.has_perm("update_user_profile") or user.id == instance.id):
+                    raise exceptions.PermissionDenied(
+                        detail="You do not have permission to update this user profile."
+                    )
+
                 if "cba_username" in profile_data:
                     profile.cba_username = profile_data.get("cba_username")
 
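Review bot: The permission strings passed to `has_perm` on the added check (`user.has_perm("update_user_profile")`, and `"create_user_profile"` in the second hunk) carry no app label, and Django's default ModelBackend only recognises `"app_label.codename"`, so unless a custom authentication backend resolves bare codenames these checks are always False for non-superusers and the guard silently collapses to "user is the profile owner"; if that is not intended, the strings should be `"<app_label>.update_user_profile"` / `"<app_label>.create_user_profile"` (app label taken from the project). The new `user = self.context.get("request").user` also raises AttributeError rather than a permission error when the serializer is used without a request in its context; a clearer failure would be `request = self.context.get("request")` followed by `if request is None: raise exceptions.PermissionDenied(detail="Request context is required to update a user profile.")`. Since the denial now happens inside the `if profile:` branch, the field writes already applied to `profile` before this point are not an issue here, but this is inferred from the visible lines; the enclosing update method starts and ends outside the hunk.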
@@ -199,6 +207,12 @@ class UserSerializer(serializers.ModelSerializer):
                 profile.updated_by = self.context.get("request").user.username
                 profile.save()
             else:
+                # having the create_user_profile permission overrides being the user
+                if not (user.has_perm("create_user_profile") or user.id == instance.id):
+                    raise exceptions.PermissionDenied(
+                        detail="You do not have permission to create this user profile."
+                    )
+
                 UserProfile.objects.create(
                     created_by=self.context.get("request").user.username,
                     user=instance,
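Review bot: The two new permission guards duplicate the same shape with only the codename and message differing, and the surrounding code still re-reads `self.context.get("request").user.username` on the `created_by=` line although the hunk already bound `user` above; reusing it, `created_by=user.username,`, keeps the branch consistent with the new check and removes a second request lookup. A small private helper taking the codename and a verb, called from both branches, would keep the two messages in one place. The enclosing update method continues outside the hunk.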