diff --git a/components/server/src/auth/resource-access.ts b/components/server/src/auth/resource-access.ts
index 0bfd60d7fd0797..930f6f9cc03c88 100644
--- a/components/server/src/auth/resource-access.ts
+++ b/components/server/src/auth/resource-access.ts
@@ -4,7 +4,7 @@
  * See License-AGPL.txt in the project root for license information.
  */
 
-import { Workspace, WorkspaceInstance, User, Snapshot, GitpodToken, Token } from "@gitpod/gitpod-protocol";
+import { Workspace, WorkspaceInstance, User, Snapshot, GitpodToken, Token, UserEnvVar } from "@gitpod/gitpod-protocol";
 
 declare var resourceInstance: GuardedResource;
 export type GuardedResourceKind = typeof resourceInstance.kind;
@@ -17,7 +17,8 @@ export type GuardedResource =
     GuardedGitpodToken |
     GuardedToken |
     GuardedUserStorage |
-    GuardedContentBlob
+    GuardedContentBlob |
+    GuardedEnvironmentVariable
 ;
 
 export interface GuardedWorkspace {
@@ -66,6 +67,13 @@ export interface GuardedToken {
     tokenOwnerID: string;
 }
 
+export interface GuardedEnvironmentVariable {
+    kind: "environmentVariable";
+    subject: UserEnvVar;
+    userID: string;
+    repositoryPattern: string;
+}
+
 export type ResourceAccessOp =
     "create" |
     "update" |
@@ -110,6 +118,8 @@ export class OwnerResourceGuard implements ResourceAccessGuard {
         switch (resource.kind) {
             case "contentBlob":
                 return resource.userID === this.userId;
+            case "environmentVariable":
+                return resource.userID === this.userId;
             case "gitpodToken":
                 return resource.subject.user.id === this.userId;
             case "snapshot":
@@ -226,6 +236,8 @@ export namespace ScopedResourceGuard {
         switch (resource.kind) {
             case "contentBlob":
                 return `${resource.userID}:${resource.name}`;
+            case "environmentVariable":
+                return `${resource.userID}:${resource.repositoryPattern}`;;
             case "gitpodToken":
                 return resource.subject.tokenHash;
             case "snapshot":
diff --git a/components/server/src/workspace/workspace-starter.ts b/components/server/src/workspace/workspace-starter.ts
index 7057e75d472731..b345ba4ad2a03b 100644
--- a/components/server/src/workspace/workspace-starter.ts
+++ b/components/server/src/workspace/workspace-starter.ts
@@ -645,6 +645,8 @@ export class WorkspaceStarter {
             "resource:"+ScopedResourceGuard.marshalResourceScope({kind: "userStorage", subjectID: "*", operations: ["create", "get", "update"]}),
             "resource:"+ScopedResourceGuard.marshalResourceScope({kind: "token", subjectID: "*", operations: ["get"]}),
             "resource:"+ScopedResourceGuard.marshalResourceScope({kind: "contentBlob", subjectID: "*", operations: ["create", "get"]}),
+            // TODO: subjectID based on owner/repo from workspace.contextURL?
+            "resource:"+ScopedResourceGuard.marshalResourceScope({kind: "environmentVariable", subjectID: "*", operations: ["create", "get", "update", "delete"]}),
         ]
     }