diff --git a/server/api/graphql_root_run.go b/server/api/graphql_root_run.go
index 97b4a30fcc..12c4c84c65 100644
--- a/server/api/graphql_root_run.go
+++ b/server/api/graphql_root_run.go
@@ -312,6 +312,10 @@ func (r *RunRootResolver) UpdateRunTaskActions(ctx context.Context, args struct
 }
 userID := c.r.Header.Get("Mattermost-User-ID")
+ if err = c.permissions.RunManageProperties(userID, args.RunID); err != nil {
+ return "", err
+ }
+
+ if err := validateTaskActions(*args.TaskActions); err != nil {
 return "", err
 }
diff --git a/server/api_graphql_runs_test.go b/server/api_graphql_runs_test.go
index b4666fd03d..63369d59d8 100644
--- a/server/api_graphql_runs_test.go
+++ b/server/api_graphql_runs_test.go
@@ -900,6 +900,7 @@ func TestUpdateRun(t *testing.T) {
 func TestUpdateRunTaskActions(t *testing.T) {
 e := Setup(t)
 e.CreateBasic()
+ e.CreateGuest()
 t.Run("task actions mutation create and update", func(t *testing.T) {
 createNewRunWithNoChecklists := func(t *testing.T) *client.PlaybookRun {
@@ -934,6 +935,22 @@ func TestUpdateRunTaskActions(t *testing.T) {
 // create a new task action
 triggerPayload := "{\"keywords\":[\"one\", \"two\"], \"user_ids\":[\"abc\"]}"
 actionPayload := "{\"enabled\":false}"
+
+ errorResp, err := UpdateRunTaskActions(e.PlaybooksClientGuest, run.ID, 0, 0, &[]app.TaskAction{
+ {
+ Trigger: app.Trigger{
+ Type: app.KeywordsByUsersTriggerType,
+ Payload: triggerPayload,
+ },
+ Actions: []app.Action{{
+ Type: app.MarkItemAsDoneActionType,
+ Payload: actionPayload,
+ }},
+ },
+ })
+ require.NotEmpty(t, errorResp.Errors)
+ require.NoError(t, err)
+
+ response, err := UpdateRunTaskActions(e.PlaybooksClient, run.ID, 0, 0, &[]app.TaskAction{
 {
 Trigger: app.Trigger{
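Review bot: The new guard in UpdateRunTaskActions has no comment saying what it protects, and it assigns with `=` to an `err` that must be declared earlier in the function, while the validation check right below it uses a scoped `:=`. I would write it as `if err := c.permissions.RunManageProperties(userID, args.RunID); err != nil {` and put `// Authorize first: only users allowed to manage this run's properties may change its task actions.` above it, so the ordering (authorize, then validate input) is clearly deliberate. `userID` comes straight from the `Mattermost-User-ID` header; whether an empty value is denied depends on RunManageProperties, which is not visible here, so that is worth confirming. The function starts and ends outside the hunk.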
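Review bot: In the guest case `errorResp.Errors` is read before `require.NoError(t, err)`, so a transport-level failure could surface as a confusing failure (or a nil dereference, if the response is a pointer) instead of the real error. Swap the two lines to `require.NoError(t, err)` followed by `require.NotEmpty(t, errorResp.Errors)`. `require.NotEmpty` also passes on any GraphQL error, so the test would stay green if the guest request were rejected for an unrelated reason, such as payload validation. Asserting on the permission error the server returns (its exact text is not visible here), and that the run's task actions are unchanged afterwards, would tie the test to the authorization check. The enclosing test function starts and ends outside the hunk.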