diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/business/IRelationshipService.java b/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/business/IRelationshipService.java
index 1a9b060c9624c7f30b1d665971a1d4adf66c00ee..9f2c1ff033332c2ea1f6e6506e93ab5ab53626ae 100644
--- a/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/business/IRelationshipService.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/business/IRelationshipService.java
@@ -63,13 +63,22 @@ public interface IRelationshipService
 
     @Transactional(propagation = Propagation.MANDATORY)
     @RolesAllowed(value =
-        { RoleWithHierarchy.SPACE_ETL_SERVER, RoleWithHierarchy.SPACE_POWER_USER })
+        { RoleWithHierarchy.SPACE_ETL_SERVER, RoleWithHierarchy.SPACE_POWER_USER,
+                RoleWithHierarchy.SPACE_USER })
     @Capability("ASSIGN_SAMPLE_TO_EXPERIMENT")
     public void assignSampleToExperiment(IAuthSession session,
             @AuthorizationGuard(guardClass = SamplePEPredicate.class)
             SamplePE sample, @AuthorizationGuard(guardClass = ExperimentPEPredicate.class)
             ExperimentPE experiment);
 
+    @Transactional(propagation = Propagation.MANDATORY)
+    @RolesAllowed(value =
+        { RoleWithHierarchy.SPACE_ETL_SERVER, RoleWithHierarchy.SPACE_POWER_USER })
+    @Capability("UNASSIGN_SAMPLE_FROM_EXPERIMENT")
+    public void checkCanUnassignSampleFromExperiment(IAuthSession session,
+            @AuthorizationGuard(guardClass = SamplePEPredicate.class)
+            SamplePE sample);
+
     @Transactional(propagation = Propagation.MANDATORY)
     @RolesAllowed(value =
         { RoleWithHierarchy.SPACE_ETL_SERVER, RoleWithHierarchy.SPACE_POWER_USER })
@@ -124,7 +133,8 @@ public interface IRelationshipService
 
     @Transactional(propagation = Propagation.MANDATORY)
     @RolesAllowed(value =
-        { RoleWithHierarchy.SPACE_ETL_SERVER, RoleWithHierarchy.SPACE_POWER_USER })
+        { RoleWithHierarchy.SPACE_ETL_SERVER, RoleWithHierarchy.SPACE_POWER_USER,
+                RoleWithHierarchy.SPACE_USER })
     @Capability("ADD_PARENT_TO_SAMPLE")
     public void addParentToSample(IAuthSession session,
             @AuthorizationGuard(guardClass = SamplePEPredicate.class)
diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/business/RelationshipService.java b/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/business/RelationshipService.java
index 2f9bed61c50c811b657573a4f332419381a57d55..1d970d49a6868ab87866749d56f66ef48090a67c 100644
--- a/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/business/RelationshipService.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/business/RelationshipService.java
@@ -16,6 +16,8 @@
 
 package ch.systemsx.cisd.openbis.generic.server.business;
 
+import javax.annotation.Resource;
+
 import ch.systemsx.cisd.common.exceptions.UserFailureException;
 import ch.systemsx.cisd.openbis.generic.server.business.bo.util.SampleUtils;
 import ch.systemsx.cisd.openbis.generic.server.dataaccess.db.DAOFactory;
@@ -46,6 +48,13 @@ public class RelationshipService implements IRelationshipService
 
     private DAOFactory daoFactory;
 
+    /**
+     * Reference to this instance of service, but as a spring bean, so that we can call methods of
+     * this service and run the additional authorization.
+     */
+    @Resource(name = "relationship-service")
+    private IRelationshipService service;
+
     @Override
     public void assignExperimentToProject(IAuthSession session, ExperimentPE experiment,
             ProjectPE project)
@@ -68,6 +77,11 @@ public class RelationshipService implements IRelationshipService
     public void assignSampleToExperiment(IAuthSession session, SamplePE sample,
             ExperimentPE experiment)
     {
+        if (sample.getExperiment() != null)
+        {
+            service.checkCanUnassignSampleFromExperiment(session, sample);
+        }
+
         sample.setExperiment(experiment);
 
         for (DataPE dataset : sample.getDatasets())
@@ -76,6 +90,12 @@ public class RelationshipService implements IRelationshipService
         }
     }
 
+    @Override
+    public void checkCanUnassignSampleFromExperiment(IAuthSession session, SamplePE sample)
+    {
+        // all the logic is done by the authorization mechanism
+    }
+
     @Override
     public void unassignSampleFromExperiment(IAuthSession session, SamplePE sample)
     {
diff --git a/openbis/sourceTest/java/ch/systemsx/cisd/openbis/systemtest/RelationshipServiceAuthorizationTest.java b/openbis/sourceTest/java/ch/systemsx/cisd/openbis/systemtest/RelationshipServiceAuthorizationTest.java
index eb92e1f57a5bfb0c9e3a8b4905d8fa845e160c0e..d97e361fccc7409355f16173625cc732407d1ffb 100644
--- a/openbis/sourceTest/java/ch/systemsx/cisd/openbis/systemtest/RelationshipServiceAuthorizationTest.java
+++ b/openbis/sourceTest/java/ch/systemsx/cisd/openbis/systemtest/RelationshipServiceAuthorizationTest.java
@@ -632,15 +632,28 @@ public class RelationshipServiceAuthorizationTest extends BaseTest
 
     GuardedDomain destination = new SpaceDomain(instance);
 
-    AuthorizationRule spaceAdminOrSpaceEtlServer = and(
-            or(rule(source, RoleWithHierarchy.SPACE_POWER_USER),
-                    rule(source, RoleWithHierarchy.SPACE_ETL_SERVER)),
-            or(rule(destination, RoleWithHierarchy.SPACE_POWER_USER),
-                    rule(destination, RoleWithHierarchy.SPACE_ETL_SERVER)));
+    private static AuthorizationRule spaceAdminOrSpaceEtlServer(GuardedDomain domain)
+    {
+        return or(rule(domain, RoleWithHierarchy.SPACE_POWER_USER),
+                rule(domain, RoleWithHierarchy.SPACE_ETL_SERVER));
+    }
+
+    AuthorizationRule spaceAdminOrSpaceEtlServer = and(spaceAdminOrSpaceEtlServer(source),
+            spaceAdminOrSpaceEtlServer(destination));
+
+    AuthorizationRule spaceAdminOrSpaceEtlServerSingle = spaceAdminOrSpaceEtlServer(source);
+
+    private static AuthorizationRule spaceUserOrBetter(GuardedDomain domain)
+    {
+        return or(rule(domain, RoleWithHierarchy.SPACE_USER),
+                rule(domain, RoleWithHierarchy.SPACE_POWER_USER),
+                rule(domain, RoleWithHierarchy.SPACE_ETL_SERVER));
+    }
+
+    AuthorizationRule spaceUserOrBetter = and(spaceUserOrBetter(source),
+            spaceUserOrBetter(destination));
 
-    AuthorizationRule spaceAdminOrSpaceEtlServerSingle = or(
-            rule(source, RoleWithHierarchy.SPACE_POWER_USER),
-            rule(source, RoleWithHierarchy.SPACE_ETL_SERVER));
+    AuthorizationRule spaceUserOrBetterSingle = spaceUserOrBetter(source);
 
     AuthorizationRule instanceEtlServer = rule(instance, RoleWithHierarchy.INSTANCE_ETL_SERVER);
 
@@ -675,15 +688,15 @@ public class RelationshipServiceAuthorizationTest extends BaseTest
     @DataProvider(name = "rolesAllowedToAssignSampleToExperiment")
     RoleWithHierarchy[][] rolesAllowedToAssignSampleToExperiment()
     {
-        return RolePermutator.getAcceptedPermutations(spaceAdminOrSpaceEtlServer, source,
-                destination, instance);
+        return RolePermutator.getAcceptedPermutations(spaceUserOrBetter, source, destination,
+                instance);
     }
 
     @DataProvider(name = "rolesNotAllowedToAssignSampleToExperiment")
     RoleWithHierarchy[][] rolesNotAllowedToAssignSampleToExperiment()
     {
-        return RolePermutator.getAcceptedPermutations(not(spaceAdminOrSpaceEtlServer), source,
-                destination, instance);
+        return RolePermutator.getAcceptedPermutations(not(spaceUserOrBetter), source, destination,
+                instance);
     }
 
     @DataProvider(name = "rolesAllowedToUnassignSampleFromExperiment")
@@ -770,15 +783,15 @@ public class RelationshipServiceAuthorizationTest extends BaseTest
     @DataProvider(name = "rolesAllowedToAddParentToSample")
     RoleWithHierarchy[][] rolesAllowedToAddParentToSample()
     {
-        return RolePermutator.getAcceptedPermutations(spaceAdminOrSpaceEtlServer, source,
-                destination, instance);
+        return RolePermutator.getAcceptedPermutations(spaceUserOrBetter, source, destination,
+                instance);
     }
 
     @DataProvider(name = "rolesNotAllowedToAddParentToSample")
     RoleWithHierarchy[][] rolesNotAllowedToAddParentToSample()
     {
-        return RolePermutator.getAcceptedPermutations(not(spaceAdminOrSpaceEtlServer), source,
-                destination, instance);
+        return RolePermutator.getAcceptedPermutations(not(spaceUserOrBetter), source, destination,
+                instance);
     }
 
     @DataProvider(name = "rolesAllowedRemoveParentFromSample")
diff --git a/openbis/sourceTest/java/ch/systemsx/cisd/openbis/systemtest/base/RelationshipServiceStub.java b/openbis/sourceTest/java/ch/systemsx/cisd/openbis/systemtest/base/RelationshipServiceStub.java
index 52777191325b9ca3eb6cf4f43509dde6e8d98c97..d55da9d1a24a7c9d498a4b4230410f5cd2f9aa28 100644
--- a/openbis/sourceTest/java/ch/systemsx/cisd/openbis/systemtest/base/RelationshipServiceStub.java
+++ b/openbis/sourceTest/java/ch/systemsx/cisd/openbis/systemtest/base/RelationshipServiceStub.java
@@ -48,6 +48,11 @@ public class RelationshipServiceStub implements IRelationshipService
     {
     }
 
+    @Override
+    public void checkCanUnassignSampleFromExperiment(IAuthSession session, SamplePE sample)
+    {
+    }
+
     @Override
     public void unassignSampleFromExperiment(IAuthSession session, SamplePE sample)
     {