diff --git a/app/models/user.rb b/app/models/user.rb
index b058b6d27f..b5c5361844 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -128,7 +128,9 @@ def hidden_attributes
 end
 def self_hidden_attributes
- %w[role_unique_id identity_provider_unique_id user_name]
+ %w[role_unique_id identity_provider_unique_id user_name user_group_unique_ids agency_id
+ identity_provider_id reset_password_token reset_password_sent_at service_account
+ unlock_token locked_at failed_attempts identity_provider_sync]
 end
 def password_parameters
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index b14c202b12..0d68de420d 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -1056,6 +1056,35 @@ def build_and_save_user(options = {})
 end
 end
+ describe '.permitted_api_params' do
+ before do
+ clean_data(User, Role, PrimeroModule, PrimeroProgram, FormSection, Agency, UserGroup, Child)
+ @module_cp = PrimeroModule.new(name: 'CP')
+ @module_cp.save(validate: false)
+
+ permission_case = Permission.new(
+ resource: Permission::CASE,
+ actions: [Permission::READ, Permission::WRITE, Permission::CREATE]
+ )
+ @role = Role.new(permissions: [permission_case], modules: [@module_cp])
+ @role.save(validate: false)
+ @group1 = UserGroup.create!(name: 'Group1')
+ @user1 = User.new(user_name: 'user1', role: @role, user_groups: [@group1])
+ @user1.save(validate: false)
+ end
+ context 'when user is not admin' do
+ it 'should not returm that are not allowed' do
+ expect(User.permitted_api_params(@user1, @user1)).not_to include(
+ *User.self_hidden_attributes
+ )
+ end
+ end
+
+ after do
+ clean_data(User, Role, PrimeroModule, PrimeroProgram, FormSection, Agency, UserGroup, Child)
+ end
+ end
+
 after do
 clean_data(Alert, User, Agency, Role, FormSection, Field)
 end
diff --git a/spec/requests/api/v2/users_controller_spec.rb b/spec/requests/api/v2/users_controller_spec.rb
index 6d64deeee0..977d7a2279 100644
--- a/spec/requests/api/v2/users_controller_spec.rb
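Review bot: `self_hidden_attributes` is a denylist with no comment saying what belongs in it, so the next authentication- or authorization-relevant column is only protected if someone remembers this method; the removed line shows how easily that is missed, since lockout state (`locked_at`, `failed_attempts`, `unlock_token`), reset tokens and org membership were apparently not covered until now. Add above `def self_hidden_attributes`: `# Attributes a non-admin user may never set on their own record through the API: role, identity provider, agency and group membership, the service-account flag, password-reset and unlock tokens, and lockout counters. This is a denylist: any new column that affects login or permissions must be added here.` Since the list is now three lines of strings rebuilt on every call, a frozen constant (`SELF_HIDDEN_ATTRIBUTES = %w[...].freeze`) returned by the method would be allocated once and easier to grep for. `password_parameters` begins on the hunk's last line and is otherwise outside it, so whether the password fields are guarded separately cannot be checked here; the enclosing `User` class is also outside the hunk.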
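Review bot: The new example only exercises the self-edit path, `permitted_api_params(@user1, @user1)`, so it cannot distinguish "hidden for self-edits" from "hidden for everyone"; a regression that strips `agency_id` or `user_group_unique_ids` from an admin editing another user would not fail this spec. Add a second example with a different target (the meaning of the two arguments is defined outside the hunk, presumably current user and target) asserting those keys are still permitted. The example name is garbled: `it 'does not permit attributes a user may not set on their own record' do`. The fixtures are saved with `validate: false` on `@module_cp`, `@role` and `@user1`, so validations that would reject an incomplete role or user are skipped; a one-line comment saying this is deliberate to keep the fixture minimal would stop someone "fixing" it later.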
+++ b/spec/requests/api/v2/users_controller_spec.rb
@@ -733,6 +733,7 @@
 data: {
 role_unique_id: 'test-role-1',
 identity_provider_unique_id: 'primeroims_2',
+ agency_id: @agency_a.id,
 user_name:
 }
 }
@@ -744,6 +745,7 @@
 expect(response).to have_http_status(200)
 expect(json['data']['id']).to eq(@user_d.id)
 expect(@user_d.role.unique_id).to eq(@role_manage_user.unique_id)
+ expect(@user_d.agency.unique_id).to eq(@agency_b.unique_id)
 expect(@user_d.user_name).not_to eq(user_name)
 expect(@user_d.identity_provider.unique_id).to eq(@identity_provider_a.unique_id)
 end
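Review bot: `expect(@user_d.agency.unique_id).to eq(@agency_b.unique_id)` reads the `@user_d` object the spec built, and nothing in the hunk reloads it after the request, so unless a `@user_d.reload` sits just outside the hunk the assertion passes even if the server did apply `agency_id`, proving nothing about the filter (the neighbouring role and user_name expectations share the same dependence). `expect(@user_d.reload.agency.unique_id).to eq(@agency_b.unique_id)` makes the new line self-contained. The request answers 200 while `agency_id`, `role_unique_id` and `user_name` are silently dropped on what appears to be a self-update (the login and request lines are outside the hunk); that is normal strong-parameter behaviour but invisible to a reader, so a comment on the `data:` hash such as `# these keys are in self_hidden_attributes and must be ignored on a self-update` would record the intent. The `it` block starts outside the hunk.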