diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go
index 87d2f9c82..351b4ad3b 100644
--- a/pkg/services/object/acl/acl.go
+++ b/pkg/services/object/acl/acl.go
@@ -125,15 +125,17 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
 		return nil
 	}
 
+	bearerTok := reqInfo.Bearer()
+	impersonate := bearerTok != nil && bearerTok.Impersonate()
+
 	// if bearer token is not allowed, then ignore it
-	if !basicACL.AllowedBearerRules(reqInfo.Operation()) {
+	if impersonate || !basicACL.AllowedBearerRules(reqInfo.Operation()) {
 		reqInfo.CleanBearer()
 	}
 
 	var table eaclSDK.Table
 	cnr := reqInfo.ContainerID()
-	bearerTok := reqInfo.Bearer()
 	if bearerTok == nil {
 		eaclInfo, err := c.eaclSrc.GetEACL(cnr)
 		if err != nil {
diff --git a/pkg/services/object/acl/v2/request.go b/pkg/services/object/acl/v2/request.go
index 0cf734d7a..675768969 100644
--- a/pkg/services/object/acl/v2/request.go
+++ b/pkg/services/object/acl/v2/request.go
@@ -113,6 +113,10 @@ func (r MetaWithToken) RequestOwner() (*user.ID, *keys.PublicKey, error) {
 		return nil, nil, errEmptyVerificationHeader
 	}
 
+	if r.bearer != nil && r.bearer.Impersonate() {
+		return unmarshalPublicKeyWithOwner(r.bearer.SigningKeyBytes())
+	}
+
 	// if session token is presented, use it as truth source
 	if r.token != nil {
 		// verify signature of session token
@@ -125,9 +129,13 @@ func (r MetaWithToken) RequestOwner() (*user.ID, *keys.PublicKey, error) {
 		return nil, nil, errEmptyBodySig
 	}
 
-	key, err := unmarshalPublicKey(bodySignature.GetKey())
+	return unmarshalPublicKeyWithOwner(bodySignature.GetKey())
+}
+
+func unmarshalPublicKeyWithOwner(rawKey []byte) (*user.ID, *keys.PublicKey, error) {
+	key, err := unmarshalPublicKey(rawKey)
 	if err != nil {
-		return nil, nil, fmt.Errorf("invalid key in body signature: %w", err)
+		return nil, nil, fmt.Errorf("invalid signature key: %w", err)
 	}
 
 	var idSender user.ID
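Review bot: In CheckEACL the local `bearerTok` is now read before `reqInfo.CleanBearer()`, so the `if bearerTok == nil` check further down no longer reflects the cleaning: for an impersonation bearer, and also for the pre-existing not-allowed-bearer case, the local still holds the token and the non-nil branch is taken instead of loading the container eACL from `c.eaclSrc`, which is the opposite of what the clean is meant to achieve. Before this change the token was read after the clean, so the nil check tracked it. Reset the local together with the request state, `reqInfo.CleanBearer()` followed by `bearerTok = nil`, or re-read `bearerTok = reqInfo.Bearer()` after the if block. The non-nil branch and the rest of CheckEACL lie outside the hunk, so what that branch does with the token is inferred from the previous behaviour rather than visible here.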
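Review bot: The new impersonation branch in RequestOwner returns the owner derived from `r.bearer.SigningKeyBytes()` without verifying the bearer's signature in this function, while the session-token path just below it explicitly verifies the token before using it as the truth source. If the bearer signature is only checked later in the eACL stage, the basic ACL stage would act on an owner taken from an unverified token; if it is already verified before RequestOwner is called, a comment saying where would save the next reader the same question. Otherwise guard the branch first, e.g. `if !r.bearer.VerifySignature() { return nil, nil, errInvalidBearerSig }` with a new sentinel error alongside `errEmptyVerificationHeader`. The function's doc comment, which starts outside the hunk, should also state that an impersonation bearer now takes precedence over the session token.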
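Review bot: `unmarshalPublicKeyWithOwner` is a new package-level function without a doc comment, and since it is now reached from two callers (the body-signature path and the impersonation path) its contract deserves one, e.g. `// unmarshalPublicKeyWithOwner parses rawKey as a public key and returns it together with the user ID derived from it.` The tail of the function where `idSender` is filled is outside the hunk, so the exact derivation is presumed rather than visible. The error text change to "invalid signature key" reads correctly now that the key may come from a bearer token rather than only the body signature.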