diff --git a/api/handler/acl.go b/api/handler/acl.go
index 9db3d8dd..67d6e911 100644
--- a/api/handler/acl.go
+++ b/api/handler/acl.go
@@ -751,14 +751,13 @@ func addUsers(resource *astResource, astO *astOperation, users []string) {
 func removeUsers(resource *astResource, astOperation *astOperation, users []string) {
 	for _, astOp := range resource.Operations {
 		if astOp.Role == astOperation.Role && astOp.Op == astOperation.Op && astOp.Action == astOperation.Action {
-			ind := 0
+			filteredUsers := astOp.Users[:0] // new slice without allocation
 			for _, user := range astOp.Users {
-				if containsStr(users, user) {
-					astOp.Users = append(astOp.Users[:ind], astOp.Users[ind+1:]...)
-				} else {
-					ind++
+				if !containsStr(users, user) {
+					filteredUsers = append(filteredUsers, user)
 				}
 			}
+			astOp.Users = filteredUsers
 			return
 		}
 	}
diff --git a/api/handler/acl_test.go b/api/handler/acl_test.go
index 3f13eeac..91399169 100644
--- a/api/handler/acl_test.go
+++ b/api/handler/acl_test.go
@@ -394,7 +394,7 @@ func TestRemoveUsers(t *testing.T) {
 			Bucket: "bucket",
 		},
 		Operations: []*astOperation{{
-			Users:  []string{"user1", "user3"},
+			Users:  []string{"user1", "user3", "user4"},
 			Role:   eacl.RoleUser,
 			Op:     eacl.OperationPut,
 			Action: eacl.ActionAllow,
@@ -407,11 +407,10 @@ func TestRemoveUsers(t *testing.T) {
 		Action: eacl.ActionAllow,
 	}
 
-	removeUsers(resource, op, []string{"user1", "user2"})
+	removeUsers(resource, op, []string{"user1", "user2", "user4"})
 
 	require.Equal(t, len(resource.Operations), 1)
-	require.Equal(t, resource.Name(), resource.Name())
-	require.Equal(t, resource.Operations[0].Users, []string{"user3"})
+	require.Equal(t, []string{"user3"}, resource.Operations[0].Users)
 }
 
 func TestBucketAclToPolicy(t *testing.T) {