diff --git a/app/api/v1/roles.rb b/app/api/v1/roles.rb index a8a3d42..fd3f33f 100644 --- a/app/api/v1/roles.rb +++ b/app/api/v1/roles.rb @@ -5,14 +5,15 @@ module Api MAX_PER_PAGE = 50 - resource :organizations do - segment "/:organization_id" do + resource :profiles do + segment "/:profile_id" do resource :roles do paginate max_per_page: MAX_PER_PAGE get do - organization = environment.profiles.find(params[:organization_id]) - roles = Profile::Roles.organization_roles(organization.environment.id, organization.id) + profile = environment.profiles.find(params[:profile_id]) + return forbidden! unless profile.kind_of?(Organization) + roles = Profile::Roles.organization_roles(profile.environment.id, profile.id) present_partial paginate(roles), with: Entities::Role end diff --git a/test/api/roles_test.rb b/test/api/roles_test.rb index d26d3dc..e841b37 100644 --- a/test/api/roles_test.rb +++ b/test/api/roles_test.rb @@ -16,8 +16,13 @@ class TolesTest < ActiveSupport::TestCase role1 = Role.create!(key: 'profile_administrator', name: 'admin', environment: environment) role2 = Role.new(key: 'profile_moderator', name: 'moderator', environment: environment) profile.custom_roles << role2 - get "/api/v1/organizations/#{profile.id}/roles?#{params.to_query}" + get "/api/v1/profiles/#{profile.id}/roles?#{params.to_query}" json = JSON.parse(last_response.body) assert_equivalent [role1.id, role2.id], json['roles'].map {|r| r['id']} end + + should 'return forbidden status when profile is not an organization' do + get "/api/v1/profiles/#{person.id}/roles?#{params.to_query}" + assert_equal 403, last_response.status + end end -- libgit2 0.21.2
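Review bot: The new guard `return forbidden! unless profile.kind_of?(Organization)` checks only the type of the looked-up record, not whether the caller may read that organization's role list, so the endpoint still has no authorization step between the `find` and `Profile::Roles.organization_roles`; if role listings are meant to be public in this API that is fine, but it should be stated, e.g. `# Role listings are public: only the record type is checked, not the caller's permissions`. Because of that, 403 here really means "not applicable to this profile type" rather than "caller lacks permission", which is worth a comment so later readers do not assume an access check exists. The `return` in front of `forbidden!` is presumably redundant if, as in typical Grape helpers, `forbidden!` raises via `error!` — confirm and drop it if so. The surrounding `resource :profiles` / `segment` blocks continue outside the hunk.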
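Review bot: The new `should 'return forbidden status when profile is not an organization'` test pins only the status code, so a regression that returns 403 with the role list still attached in the body would pass; add `assert_nil JSON.parse(last_response.body)['roles']` after the status assertion. The helpers `person` and `params` it relies on are defined outside the hunk, so the test's fixtures cannot be verified from here. The positive test was only re-pointed at the new `/profiles/` path and still covers the organization case; neither test exercises an unknown `profile_id`, which appears to be left to whatever `environment.profiles.find` raises.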