diff --git a/web/backend/src/authManager.ts b/web/backend/src/authManager.ts
index 5f49962a..9b271eec 100644
--- a/web/backend/src/authManager.ts
+++ b/web/backend/src/authManager.ts
@@ -99,6 +99,9 @@ export function setMapAuthorization(list: string[][]): Map
 // the range between 100000 and 999999, an error is thrown.
 export function readSCIPER(s: string): number {
 const n = parseInt(s, 10);
+ if (isNaN(n)) {
+ throw new Error(`${s} is not a number`);
+ }
 if (n < 100000 || n > 999999) {
 throw new Error(`SCIPER is out of range. ${n} is not between 100000 and 999999`);
 }
diff --git a/web/backend/src/controllers/users.ts b/web/backend/src/controllers/users.ts
index 4950dbe6..5951782d 100644
--- a/web/backend/src/controllers/users.ts
+++ b/web/backend/src/controllers/users.ts
@@ -1,6 +1,13 @@
 import express from 'express';
-import { addPolicy, addListPolicy, initEnforcer, isAuthorized, PERMISSIONS } from '../authManager';
+import {
+ addPolicy,
+ addListPolicy,
+ initEnforcer,
+ isAuthorized,
+ PERMISSIONS,
+ readSCIPER,
+} from '../authManager';
 export const usersRouter = express.Router();
@@ -36,6 +43,7 @@ usersRouter.post('/add_role', (req, res, next) => {
 if ('userId' in req.body) {
 try {
+ readSCIPER(req.body.userId);
 addPolicy(req.body.userId, req.body.subject, req.body.permission);
 } catch (error) {
 res.status(400).send(`Error while adding single user to roles: ${error}`);
@@ -45,6 +53,7 @@ usersRouter.post('/add_role', (req, res, next) => {
 next();
 } else if ('userIds' in req.body) {
 try {
+ req.body.userIds.every(readSCIPER);
 addListPolicy(req.body.userIds, req.body.subject, req.body.permission);
 } catch (error) {
 res.status(400).send(`Error while adding multiple users to roles: ${error}`);
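Review bot: The added `isNaN` guard only rejects input that `parseInt` cannot start parsing at all; `parseInt(s, 10)` still accepts strings such as `'123456abc'`, `' 123456'`, `'0123456'` or `'+123456'` and yields a six-digit number for them, so the range check passes and a non-canonical identifier is reported as valid. Because the callers in `users.ts` pass a raw HTTP body field whose runtime type is not constrained, a stricter guard placed before the `parseInt` is `if (typeof s !== 'string' || !/^\d+$/.test(s)) { throw new Error('SCIPER is not a number'); }`. The new message also echoes the raw input verbatim, and those callers forward `${error}` to the client with `res.send`, which Express serves as `text/html` for string bodies, so keeping user-controlled text out of the message (as in the suggested wording) avoids reflecting it. readSCIPER's closing brace lies outside the hunk.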
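Review bot: The return value of `readSCIPER(req.body.userId)` is discarded and `addPolicy` still receives the raw `req.body.userId`, so any value that `parseInt` tolerates but does not normalise — `'0123456'`, `' 123456'`, `'123456abc'`, or a JSON number instead of a string — is validated and then stored in the policy in its submitted form, which later lookups by the canonical six-digit string are unlikely to match. Passing the parsed value through closes that gap: `const sciper = readSCIPER(req.body.userId);` followed by `addPolicy(String(sciper), req.body.subject, req.body.permission);` (assuming addPolicy's first parameter is a string, as the current call suggests). `req.body.subject` and `req.body.permission` remain unvalidated on this path; whether `addPolicy` checks them is not visible here. The enclosing route handler begins and ends outside the hunk.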
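Review bot: `req.body.userIds.every(readSCIPER)` uses `every` purely for its throwing side effect and drops the boolean, which reads like a bug and also assumes `userIds` is an array — a string or object body value makes `.every` a `TypeError` whose message (`... is not a function`) is then echoed in the 400 response. An explicit check and loop say what is meant: `if (!Array.isArray(req.body.userIds)) throw new Error('userIds must be an array');` followed by `for (const id of req.body.userIds) readSCIPER(id);`. As in the single-user branch, the validated values are not the ones passed on — `addListPolicy` still gets the raw `req.body.userIds`, so entries that parse but are not canonical six-digit strings are stored as submitted. The enclosing route handler begins and ends outside the hunk.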