diff --git a/lib/read-only.js b/lib/read-only.js
index a8c6797..d048e96 100644
--- a/lib/read-only.js
+++ b/lib/read-only.js
@@ -1,4 +1,5 @@
 var debug = require('debug')('loopback-ds-readonly-mixin');
+var _ = require("lodash");
 
 module.exports = function(Model, options) {
   'use strict';
@@ -7,23 +8,33 @@ module.exports = function(Model, options) {
   // Make sure emailVerified is not set by creation
   Model.stripReadOnlyProperties = function(ctx, modelInstance, next) {
+
     var body = ctx.req.body;
     if (!body) {
       return next();
     }
 
+    var currentUser = ctx.req.currentUser;
+    if (currentUser && options.allowedRoles) {
+      var roleNames = _.map(currentUser.toObject().roles, 'name');
+      var allowed = _.intersection(options.allowedRoles, roleNames);
+      if (allowed.length) return next();
+    }
+
+    var err = new Error('Unable to update: ' + Model.modelName + ' property is read only');
+    err.statusCode = 403;
+
     var properties = (Object.keys(options).length) ? options : null;
-    if (properties) {
-      debug('Creating %s : Read only properties are %j', Model.modelName, properties);
-      Object.keys(properties).forEach(function(key) {
+    if (!properties) return next(err);
+    debug('Creating %s : Read only properties are %j', Model.modelName, properties);
+    Object.keys(properties).forEach(function(key) {
+      if (key !== "allowedRoles") {
         debug('The \'%s\' property is read only, removing incoming data', key);
         delete body[key];
-      });
-      next();
-    } else {
-      var err = new Error('Unable to update: ' + Model.modelName + ' is read only.');
-      err.statusCode = 403;
-      next(err);
-    }
+      }
+    });
+    if (!Object.keys(body).length) return next(err);
+    next();
   };
 
   // Make sure emailVerified is not set by creation
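Review bot: Configuring only `allowedRoles` silently switches the whole-model read-only mode off, because `var properties = (Object.keys(options).length) ? options : null;` counts the `allowedRoles` key itself: an options object of `{ allowedRoles: ['admin'] }` yields a non-null `properties`, the forEach then strips nothing (the only key is skipped by `key !== "allowedRoles"`), and the write goes through for every caller, whereas before this change an options object with no property names meant 403 for everyone. I would derive the property list without that key, `var readOnly = _.omit(options, 'allowedRoles');` and `var properties = Object.keys(readOnly).length ? readOnly : null;`, and iterate `Object.keys(readOnly)` so the inner key check disappears and the no-properties case again means the whole model is read only for non-allowed users. Separately, `currentUser.toObject().roles` assumes `ctx.req.currentUser` is a model instance with roles already loaded; if whatever populates it ever hands over a plain object or omits the relation, this throws a TypeError instead of falling through to the 403, so a guard before the `_.map` would be safer, though how currentUser is set is not visible in this diff. The enclosing mixin function begins in the first hunk and continues past this one.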