diff --git a/server/src/handlers/http/query.rs b/server/src/handlers/http/query.rs
index 22a4c7fcc..eac411028 100644
--- a/server/src/handlers/http/query.rs
+++ b/server/src/handlers/http/query.rs
@@ -89,7 +89,7 @@ impl FromRequest for Query {
                 match permission {
                     Permission::Stream(Action::All, _) => authorized = true,
                     Permission::StreamWithTag(Action::Query, stream, tag)
-                        if stream == query.stream_name =>
+                        if stream == query.stream_name || stream == "*" =>
                     {
                         authorized = true;
                         if let Some(tag) = tag {
diff --git a/server/src/rbac/role.rs b/server/src/rbac/role.rs
index 62cb3320f..ab793de80 100644
--- a/server/src/rbac/role.rs
+++ b/server/src/rbac/role.rs
@@ -110,7 +110,7 @@ pub mod model {
         Admin,
         Editor,
         Writer { stream: String },
-        Reader { stream: String, tag: String },
+        Reader { stream: String, tag: Option<String> },
     }
 
     impl From<&DefaultPrivilege> for RoleBuilder {
@@ -121,9 +121,13 @@ pub mod model {
                 DefaultPrivilege::Writer { stream } => {
                     writer_perm_builder().with_stream(stream.to_owned())
                 }
-                DefaultPrivilege::Reader { stream, tag } => reader_perm_builder()
-                    .with_stream(stream.to_owned())
-                    .with_tag(tag.to_owned()),
+                DefaultPrivilege::Reader { stream, tag } => {
+                    let mut reader = reader_perm_builder().with_stream(stream.to_owned());
+                    if let Some(tag) = tag {
+                        reader = reader.with_tag(tag.to_owned())
+                    }
+                    reader
+                }
             }
         }
     }