diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go
index 78e972eae..354c5d92d 100644
--- a/pkg/services/object/acl/acl.go
+++ b/pkg/services/object/acl/acl.go
@@ -124,15 +124,17 @@ func (c *Checker) CheckEACL(msg interface{}, reqInfo v2.RequestInfo) error {
 		return nil
 	}
 
+	bearerTok := reqInfo.Bearer()
+	impersonate := bearerTok != nil && bearerTok.Impersonate()
+
 	// if bearer token is not allowed, then ignore it
-	if !basicACL.AllowedBearerRules(reqInfo.Operation()) {
+	if impersonate || !basicACL.AllowedBearerRules(reqInfo.Operation()) {
 		reqInfo.CleanBearer()
 	}
 
 	var table eaclSDK.Table
 	cnr := reqInfo.ContainerID()
 
-	bearerTok := reqInfo.Bearer()
 	if bearerTok == nil {
 		eaclInfo, err := c.eaclSrc.GetEACL(cnr)
 		if err != nil {
diff --git a/pkg/services/object/acl/v2/request.go b/pkg/services/object/acl/v2/request.go
index 2a708c3f5..4aa115cb5 100644
--- a/pkg/services/object/acl/v2/request.go
+++ b/pkg/services/object/acl/v2/request.go
@@ -2,6 +2,7 @@ package v2
 
 import (
 	"crypto/ecdsa"
+	"crypto/elliptic"
 	"fmt"
 
 	sessionV2 "github.com/TrueCloudLab/frostfs-api-go/v2/session"
@@ -113,6 +114,12 @@ func (r MetaWithToken) RequestOwner() (*user.ID, *keys.PublicKey, error) {
 		return nil, nil, errEmptyVerificationHeader
 	}
 
+	if r.bearer != nil && r.bearer.Impersonate() {
+		issuer := bearer.ResolveIssuer(*r.bearer)
+		pubKey, err := keys.NewPublicKeyFromBytes(r.bearer.SigningKeyBytes(), elliptic.P256())
+		return &issuer, pubKey, err
+	}
+
 	// if session token is presented, use it as truth source
 	if r.token != nil {
 		// verify signature of session token