diff --git a/models/time/src/index.ts b/models/time/src/index.ts index 3c2e75959d..dbc9d8f8a9 100644 --- a/models/time/src/index.ts +++ b/models/time/src/index.ts @@ -27,7 +27,8 @@ import { type Timestamp, type Type, DateRangeMode, - IndexKind + IndexKind, + AccountRole } from '@hcengineering/core' import lead from '@hcengineering/lead' import { @@ -194,6 +195,7 @@ export function createModel (builder: Builder): void { { label: time.string.Planner, icon: calendarPlugin.icon.Calendar, + accessLevel: AccountRole.User, alias: timeId, hidden: false, position: 'top', @@ -208,6 +210,7 @@ export function createModel (builder: Builder): void { { label: time.string.Team, icon: time.icon.Team, + accessLevel: AccountRole.User, alias: 'team', hidden: false, component: time.component.Team diff --git a/plugins/contact-resources/src/components/AccountArrayEditor.svelte b/plugins/contact-resources/src/components/AccountArrayEditor.svelte index 6d327e8023..34fce7051e 100644 --- a/plugins/contact-resources/src/components/AccountArrayEditor.svelte +++ b/plugins/contact-resources/src/components/AccountArrayEditor.svelte @@ -132,7 +132,7 @@ { +export async function checkJoined (inviteId: string): Promise { const token = getMetadata(presentation.metadata.Token) - if (token == null) { - const loginInfo = await getAccountClient().getLoginInfoByToken() - if (loginInfo.token == null) { - return [unknownStatus('Please login'), null] - } - } + if (token == null) return try { const workspaceLoginInfo = await getAccountClient(token).checkJoin(inviteId) - return [OK, workspaceLoginInfo] + return workspaceLoginInfo } catch (err: any) { - if (err instanceof PlatformError) { - return [err.status, null] - } else { + if (!(err instanceof PlatformError)) { Analytics.handleError(err) - return [unknownError(err), null] } } } diff --git a/server-plugins/calendar-resources/src/index.ts b/server-plugins/calendar-resources/src/index.ts index 267b0edf61..70cf5b19cc 100644 
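Review bot: The rewritten `catch` in `checkJoined` now drops a `PlatformError` without returning or logging anything, so a failed join check and a missing token both reach the caller as `undefined`. Callers that previously branched on the returned status can no longer tell "not logged in" from "join check refused", which makes failed invite checks harder to surface and to audit. Consider keeping a distinguishable result, or at least stating the contract in a comment such as `// returns undefined when there is no token or the join check fails; PlatformError is expected here and intentionally not reported`. The hunk header and file header for this change are not visible on the page, so the callers were not checked.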
--- a/server-plugins/calendar-resources/src/index.ts +++ b/server-plugins/calendar-resources/src/index.ts @@ -110,6 +110,9 @@ export async function OnEmployee (txes: Tx[], control: TriggerControl): Promise< ) )[0] if (employee?.personUuid === undefined) continue + if (employee.role === 'GUEST') { + continue + } result.push(...(await createCalendar(control, employee.personUuid, socialId, socialId))) } diff --git a/server-plugins/contact-resources/src/index.ts b/server-plugins/contact-resources/src/index.ts index 48cb8ff1cd..71ef1fc107 100644 --- a/server-plugins/contact-resources/src/index.ts +++ b/server-plugins/contact-resources/src/index.ts @@ -102,11 +102,13 @@ export async function OnEmployeeCreate (_txes: Tx[], control: TriggerControl): P const account = person?.personUuid as AccountUuid if (account === undefined) continue - const spaces = await control.findAll(control.ctx, core.class.Space, { autoJoin: true }) - const txes = await createPersonSpace(account, mixinTx.objectId, control) result.push(...txes) + const emp = control.hierarchy.as(person, contact.mixin.Employee) + if (emp.role === 'GUEST') continue + + const spaces = await control.findAll(control.ctx, core.class.Space, { autoJoin: true }) for (const space of spaces) { if (space.members.includes(account)) continue diff --git a/server-plugins/hr-resources/src/index.ts b/server-plugins/hr-resources/src/index.ts index e8fbc76d57..b36879a80c 100644 --- a/server-plugins/hr-resources/src/index.ts +++ b/server-plugins/hr-resources/src/index.ts @@ -218,6 +218,8 @@ export async function OnEmployee (txes: Tx[], control: TriggerControl): Promise< continue } + if (employee.role === 'GUEST') continue + result.push( control.txFactory.createTxMixin(ctx.objectId, ctx.objectClass, ctx.objectSpace, hr.mixin.Staff, { department: hr.ids.Head diff --git a/server-plugins/love-resources/src/index.ts b/server-plugins/love-resources/src/index.ts index a59357d54a..244e21d7f7 100644 
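Review bot: The guest check added to `OnEmployee` compares against the string literal `'GUEST'`, and the same literal is repeated in the contact-resources, hr-resources and love-resources hunks, while `spaceSecurity.ts` in this same commit uses `AccountRole.Guest`. If these are meant to be the same value, a shared constant would keep the four triggers from drifting apart silently. Each check is also a denylist: an employee whose `role` is undefined, or any value other than `'GUEST'`, still gets the calendar, staff mixin, office and auto-join membership. If other restricted roles exist, a positive check on the roles that should be provisioned would fail closed instead. `OnEmployee` starts and ends outside the hunk.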
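Review bot: The position of the new guest check in `OnEmployeeCreate` is load-bearing and undocumented: `createPersonSpace` still runs for guests, and only the `autoJoin` membership loop below is skipped. A short comment such as `// guests get a personal space but are never added to autoJoin spaces` above `if (emp.role === 'GUEST') continue` would keep a later reorder from dropping the person space or re-exposing auto-join spaces to guests. The loop body continues outside the hunk.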
--- a/server-plugins/love-resources/src/index.ts +++ b/server-plugins/love-resources/src/index.ts @@ -70,6 +70,15 @@ export async function OnEmployee (txes: Tx[], control: TriggerControl): Promise< if (val === undefined) { continue } + const user = ( + await control.findAll(control.ctx, contact.mixin.Employee, { _id: actualTx.objectId as Ref }) + )[0] + if (user === undefined) { + continue + } + if (user.role === 'GUEST') { + continue + } if (val) { const freeRoom = (await control.findAll(control.ctx, love.class.Office, { person: null }))[0] if (freeRoom !== undefined) { diff --git a/server/middleware/src/spaceSecurity.ts b/server/middleware/src/spaceSecurity.ts index 50584b2b69..e2dcf3edd9 100644 --- a/server/middleware/src/spaceSecurity.ts +++ b/server/middleware/src/spaceSecurity.ts @@ -371,6 +371,23 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar } } + private isForbiddenGuestTx (tx: TxCUD): boolean { + if (tx._class === core.class.TxRemoveDoc) return true + if (tx._class === core.class.TxCreateDoc) return false + if (tx._class === core.class.TxUpdateDoc) { + const updateTx = tx as TxUpdateDoc + const ops = updateTx.operations + const keys = ['members', 'private', 'archived', 'owners', 'autoJoin'] + if (keys.some((key) => (ops as any)[key] !== undefined)) { + return true + } + if (ops.$push !== undefined || ops.$pull !== undefined) { + return true + } + } + return false + } + private async processTx (ctx: MeasureContext, tx: Tx): Promise { const h = this.context.hierarchy if (TxProcessor.isExtendsCUD(tx._class)) { 
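Review bot: `isForbiddenGuestTx` is a denylist that ends in `return false`, so any guest transaction on a space that is not a `TxRemoveDoc`, or a `TxUpdateDoc` touching the five listed keys or `$push`/`$pull`, is now let through where the previous code rejected every guest CUD on a space. That includes other transaction classes (a mixin transaction, for instance) and any other update operator the platform supports. The `TxCreateDoc` branch also returns before looking at the created document's attributes, so the `members`/`owners`/`private`/`autoJoin` restriction applies to updates only. Failing closed would be safer: `if (tx._class !== core.class.TxUpdateDoc) return true` after the create branch, and `return Object.keys(ops).some((key) => key.startsWith('$') || keys.includes(key))` for updates, which also removes the `(ops as any)` cast. A doc comment listing which guest operations on spaces are intentionally allowed would make the policy reviewable; the call site is in the following hunk of `processTx`.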
@@ -379,7 +396,9 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar if (isSpace) { const account = ctx.contextData.account if (account.role === AccountRole.Guest) { - throw new PlatformError(new Status(Severity.ERROR, platform.status.Forbidden, {})) + if (this.isForbiddenGuestTx(cudTx as TxCUD)) { + throw new PlatformError(new Status(Severity.ERROR, platform.status.Forbidden, {})) + } } await this.handleTx(ctx, cudTx as TxCUD) } diff --git a/services/calendar/pod-calendar/src/main.ts b/services/calendar/pod-calendar/src/main.ts index eabc5e61cb..02456cbd40 100644 --- a/services/calendar/pod-calendar/src/main.ts +++ b/services/calendar/pod-calendar/src/main.ts @@ -54,12 +54,12 @@ export const main = async (): Promise => { ) }) - const accountClient = getAccountClient(getServiceToken()) - setMetadata(serverClient.metadata.Endpoint, config.AccountsURL) setMetadata(serverClient.metadata.UserAgent, config.ServiceID) setMetadata(serverToken.metadata.Secret, config.Secret) + const accountClient = getAccountClient(getServiceToken()) + const pushHandler = new PushHandler(ctx, accountClient) const calendarController = CalendarController.getCalendarController(ctx, accountClient) await calendarController.startAll()
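Review bot: The reorder in `main` makes `getAccountClient(getServiceToken())` depend on the three `setMetadata` calls above it, but nothing in the code says so. Presumably `getServiceToken()` reads `serverToken.metadata.Secret` and the account client reads the endpoint metadata. If so, a comment such as `// must run after setMetadata: the service token is derived from serverToken.metadata.Secret` would stop the lines from being moved back. `main` starts and ends outside the hunk.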