diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go
index a068eadb..87d2f9c8 100644
--- a/pkg/services/object/acl/acl.go
+++ b/pkg/services/object/acl/acl.go
@@ -14,6 +14,7 @@ import (
 	bearerSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa"
 	eaclSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
@@ -118,8 +119,6 @@ func (c *Checker) StickyBitCheck(info v2.RequestInfo, owner user.ID) bool {
 }
 
 // CheckEACL is a main check function for extended ACL.
-//
-// nolint: funlen
 func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
 	basicACL := reqInfo.BasicACL()
 	if !basicACL.Extendable() {
@@ -154,6 +153,44 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
 		return err
 	}
 
+	hdrSrc, err := c.getHeaderSource(cnr, msg, reqInfo)
+	if err != nil {
+		return err
+	}
+
+	eaclRole := getRole(reqInfo)
+
+	action, _ := c.validator.CalculateAction(new(eaclSDK.ValidationUnit).
+		WithRole(eaclRole).
+		WithOperation(eaclSDK.Operation(reqInfo.Operation())).
+		WithContainerID(&cnr).
+		WithSenderKey(reqInfo.SenderKey()).
+		WithHeaderSource(hdrSrc).
+		WithEACLTable(&table),
+	)
+
+	if action != eaclSDK.ActionAllow {
+		return errEACLDeniedByRule
+	}
+	return nil
+}
+
+func getRole(reqInfo v2.RequestInfo) eaclSDK.Role {
+	var eaclRole eaclSDK.Role
+	switch op := reqInfo.RequestRole(); op {
+	default:
+		eaclRole = eaclSDK.Role(op)
+	case acl.RoleOwner:
+		eaclRole = eaclSDK.RoleUser
+	case acl.RoleInnerRing, acl.RoleContainer:
+		eaclRole = eaclSDK.RoleSystem
+	case acl.RoleOthers:
+		eaclRole = eaclSDK.RoleOthers
+	}
+	return eaclRole
+}
+
+func (c *Checker) getHeaderSource(cnr cid.ID, msg any, reqInfo v2.RequestInfo) (eaclSDK.TypedHeaderSource, error) {
 	hdrSrcOpts := make([]eaclV2.Option, 0, 3)
 	hdrSrcOpts = append(hdrSrcOpts,
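Review bot: `action, _ := c.validator.CalculateAction(...)` in the new CheckEACL body still discards the validator's second result without saying why; if that value reports whether any eACL record matched (its position suggests so — confirm against the SDK), keeping it as `action, matched := …` would let the deny path and any audit log distinguish an explicit deny from a fall-through decision, and otherwise the blank deserves a note such as `// second result of CalculateAction is intentionally dropped; TODO(review) state why`. Second, `getRole` places `default:` ahead of the `case` arms, which reads as if pass-through were the primary path; move it after the last case and give the helper a doc comment like `// getRole maps the request's basic-ACL role onto the eACL role space; unrecognised values are passed through unchanged.` Third, `getHeaderSource` carries the `get` prefix Go style avoids for a constructor-like helper — `newHeaderSource` would mirror the `eaclV2.NewMessageHeaderSource` it wraps — and it also lacks a doc comment. The body of getHeaderSource continues outside this hunk.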
@@ -175,34 +212,9 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
 	hdrSrc, err := eaclV2.NewMessageHeaderSource(hdrSrcOpts...)
 	if err != nil {
-		return fmt.Errorf("can't parse headers: %w", err)
+		return nil, fmt.Errorf("can't parse headers: %w", err)
 	}
-
-	var eaclRole eaclSDK.Role
-	switch op := reqInfo.RequestRole(); op {
-	default:
-		eaclRole = eaclSDK.Role(op)
-	case acl.RoleOwner:
-		eaclRole = eaclSDK.RoleUser
-	case acl.RoleInnerRing, acl.RoleContainer:
-		eaclRole = eaclSDK.RoleSystem
-	case acl.RoleOthers:
-		eaclRole = eaclSDK.RoleOthers
-	}
-
-	action, _ := c.validator.CalculateAction(new(eaclSDK.ValidationUnit).
-		WithRole(eaclRole).
-		WithOperation(eaclSDK.Operation(reqInfo.Operation())).
-		WithContainerID(&cnr).
-		WithSenderKey(reqInfo.SenderKey()).
-		WithHeaderSource(hdrSrc).
-		WithEACLTable(&table),
-	)
-
-	if action != eaclSDK.ActionAllow {
-		return errEACLDeniedByRule
-	}
-	return nil
+	return hdrSrc, nil
 }
 
 // isValidBearer checks whether bearer token was correctly signed by authorized