diff --git a/pillar/api/file_storage/__init__.py b/pillar/api/file_storage/__init__.py
index e6f44966..4c48d55f 100644
--- a/pillar/api/file_storage/__init__.py
+++ b/pillar/api/file_storage/__init__.py
@@ -386,13 +386,8 @@ def before_returning_file(response):
 def strip_link_and_variations(response):
 # Check the access level of the user.
- if current_user.is_anonymous:
- has_full_access = False
- else:
- user_roles = current_user.roles
- # TODO: convert to a capability and check for that.
- access_roles = current_app.config['FULL_FILE_ACCESS_ROLES']
- has_full_access = bool(user_roles.intersection(access_roles))
+ capability = current_app.config['FULL_FILE_ACCESS_CAP']
+ has_full_access = current_user.has_cap(capability)
 # Strip all file variations (unless image) and link to the actual file.
 if not has_full_access:
diff --git a/pillar/config.py b/pillar/config.py
index bca2a031..6489b14b 100644
--- a/pillar/config.py
+++ b/pillar/config.py
@@ -109,8 +109,8 @@ FILE_LINK_VALIDITY = defaultdict(
 gcs=3600 * 23, # 23 hours for Google Cloud Storage.
 )
-# Roles with full GET-access to all variations of files.
-FULL_FILE_ACCESS_ROLES = {'admin', 'subscriber', 'demo'}
+# Capability with GET-access to all variations of files.
+FULL_FILE_ACCESS_CAP = 'subscriber'
 # Client and Subclient IDs for Blender ID
 BLENDER_ID_CLIENT_ID = 'SPECIAL-SNOWFLAKE-57'
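Review bot: In `strip_link_and_variations` (pillar/api/file_storage/__init__.py) the explicit `current_user.is_anonymous` branch is removed, so denying full file access to unauthenticated requests now rests entirely on `has_cap()` returning False for the anonymous user object. That object is not visible in this hunk, so this is worth pinning with a test that an anonymous GET still has the link and non-image variations stripped. I would also state the assumption at the call site, e.g. `# Anonymous users hold no capabilities, so has_cap() denies them.` above `has_full_access = current_user.has_cap(capability)`. The function body continues past the end of the hunk.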
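Review bot: In pillar/config.py, `FULL_FILE_ACCESS_CAP = 'subscriber'` replaces a set of three roles with a single capability, so `admin` and `demo` users keep full file access only if the role-to-capability mapping, which is not part of this diff, grants them `subscriber`. Separately, a deployment that overrides `FULL_FILE_ACCESS_ROLES` in its local configuration will have that override silently ignored after this change, which alters who can fetch file links without any error or log line. I would extend the comment to say so, e.g. `# Capability with GET-access to all variations of files. Replaces FULL_FILE_ACCESS_ROLES;` followed by `# grant this capability to every role that previously had full access.`, and consider failing or warning at startup when the old key is still present in the loaded config.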