diff --git a/services/web/app/src/Features/Authentication/AuthenticationController.js b/services/web/app/src/Features/Authentication/AuthenticationController.js
index db8c0629c9..0b0158a90d 100644
--- a/services/web/app/src/Features/Authentication/AuthenticationController.js
+++ b/services/web/app/src/Features/Authentication/AuthenticationController.js
@@ -50,6 +50,20 @@ function checkCredentials(userDetailsMap, user, password) {
 return isValid
 }
 
+function reduceStaffAccess(staffAccess) {
+ const reducedStaffAccess = {}
+ for (const field in staffAccess) {
+ if (staffAccess[field]) {
+ reducedStaffAccess[field] = true
+ }
+ }
+ return reducedStaffAccess
+}
+
+function userHasStaffAccess(user) {
+ return user.staffAccess && Object.values(user.staffAccess).includes(true)
+}
+
 const AuthenticationController = {
 serializeUser(user, callback) {
 if (!user._id || !user.email) {
@@ -61,8 +75,6 @@ const AuthenticationController = {
 _id: user._id,
 first_name: user.first_name,
 last_name: user.last_name,
- isAdmin: user.isAdmin,
- staffAccess: user.staffAccess,
 email: user.email,
 referal_id: user.referal_id,
 session_created: new Date().toISOString(),
@@ -73,6 +85,13 @@ const AuthenticationController = {
 alphaProgram: user.alphaProgram || undefined, // only store if set
 betaProgram: user.betaProgram || undefined, // only store if set
 }
+ if (user.isAdmin) {
+ lightUser.isAdmin = true
+ }
+ if (userHasStaffAccess(user)) {
+ lightUser.staffAccess = reduceStaffAccess(user.staffAccess)
+ }
+
 callback(null, lightUser)
 },
 
diff --git a/services/web/test/unit/src/Authentication/AuthenticationControllerTests.js b/services/web/test/unit/src/Authentication/AuthenticationControllerTests.js
index 2c59df9ffe..70375db158 100644
--- a/services/web/test/unit/src/Authentication/AuthenticationControllerTests.js
+++ b/services/web/test/unit/src/Authentication/AuthenticationControllerTests.js
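Review bot: The two new helpers in the first hunk disagree on what counts as "granted": `userHasStaffAccess` gates on `Object.values(user.staffAccess).includes(true)` (strict `true`), while `reduceStaffAccess` keeps any truthy value (`if (staffAccess[field])`), so a record whose flags are truthy but not literally `true` is dropped by the gate yet would be kept by the reducer, and the reverse mix is possible too; since these flags drive what the session grants, both should apply the same strict test. `reduceStaffAccess` also uses `for...in`, which walks inherited enumerable properties rather than the record's own keys. Both points collapse into one line: `return Object.fromEntries(Object.entries(staffAccess).filter(([, granted]) => granted === true))`, and `userHasStaffAccess` can become `return Boolean(user.staffAccess) && Object.values(user.staffAccess).includes(true)` so it always yields a boolean. A short header comment would help the next reader, e.g. `// Copy only the staff flags that are exactly true into the session; denied or unset flags are omitted rather than stored as false.`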
@@ -24,6 +24,34 @@ describe('AuthenticationController', function () {
 referal_id: 1234,
 isAdmin: false,
 }
+ this.staffUser = {
+ ...this.user,
+ staffAccess: {
+ publisherMetrics: true,
+ publisherManagement: false,
+ institutionMetrics: true,
+ institutionManagement: false,
+ groupMetrics: true,
+ groupManagement: false,
+ adminMetrics: true,
+ splitTestMetrics: false,
+ splitTestManagement: true,
+ },
+ }
+ this.noStaffAccessUser = {
+ ...this.user,
+ staffAccess: {
+ publisherMetrics: false,
+ publisherManagement: false,
+ institutionMetrics: false,
+ institutionManagement: false,
+ groupMetrics: false,
+ groupManagement: false,
+ adminMetrics: false,
+ splitTestMetrics: false,
+ splitTestManagement: false,
+ },
+ }
 this.password = 'banana'
 this.req = new MockRequest()
 this.res = new MockResponse()
@@ -181,6 +209,57 @@ describe('AuthenticationController', function () {
 })
 })
 
+ describe('serializeUser', function () {
+ describe('when isAdmin is false', function () {
+ it('does not return an isAdmin field', function () {
+ const isAdminMatcher = sinon.match(value => {
+ return !('isAdmin' in value)
+ })
+
+ this.AuthenticationController.serializeUser(this.user, this.callback)
+ expect(this.callback).to.have.been.calledWith(null, isAdminMatcher)
+ })
+ })
+
+ describe('when staffAccess fields are provided', function () {
+ it('only returns the fields set to true', function () {
+ const expectedStaffAccess = {
+ publisherMetrics: true,
+ institutionMetrics: true,
+ groupMetrics: true,
+ adminMetrics: true,
+ splitTestManagement: true,
+ }
+ const staffAccessMatcher = sinon.match(value => {
+ return (
+ Object.keys(value.staffAccess).length ===
+ Object.keys(expectedStaffAccess).length
+ )
+ })
+
+ this.AuthenticationController.serializeUser(
+ this.staffUser,
+ this.callback
+ )
+ expect(this.callback).to.have.been.calledWith(null, staffAccessMatcher)
+ })
+ })
+
+ describe('when all staffAccess fields are false', function () {
+ it('no staffAccess attribute is set', function () {
+ const staffAccessMatcher = sinon.match(value => {
+ return !('staffAccess' in value)
+ })
+
+ this.AuthenticationController.serializeUser(
+ this.noStaffAccessUser,
+ this.callback
+ )
+ expect(this.callback).to.have.been.calledWith(null, staffAccessMatcher)
+ })
+ })
+ })
+
 describe('passportLogin', function () {
 beforeEach(function () {
 this.info = null
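Review bot: The 'only returns the fields set to true' case never checks which fields survive — its matcher only compares `Object.keys(value.staffAccess).length` against the expected count, so a reducer that kept the five false-valued flags instead of the five true ones would still pass, and `expectedStaffAccess` is otherwise unused. Replacing the matcher with `const staffAccessMatcher = sinon.match.has('staffAccess', expectedStaffAccess)` compares the serialized object against the expected flags by deep equality and makes the fixture's intent explicit. The new describe block also has no positive admin case: a user with `isAdmin: true` should be shown to produce `isAdmin: true` in the serialized session, since only the absence case is asserted here.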