diff --git a/lib/NGCP/Panel/Controller/API/PbxDeviceModels.pm b/lib/NGCP/Panel/Controller/API/PbxDeviceModels.pm
index 6a05fd8770..90578934b5 100644
--- a/lib/NGCP/Panel/Controller/API/PbxDeviceModels.pm
+++ b/lib/NGCP/Panel/Controller/API/PbxDeviceModels.pm
@@ -25,7 +25,7 @@ sub allowed_methods{
 # curl -v -X POST --user $USER --insecure -F front_image=@sandbox/spa504g-front.jpg -F mac_image=@sandbox/spa504g-back.jpg -F json='{"reseller_id":1, "vendor":"Cisco", "model":"SPA999", "linerange":[{"name": "Phone Keys", "can_private":true, "can_shared":true, "can_blf":true, "keys":[{"labelpos":"top", "x":5110, "y":5120},{"labelpos":"top", "x":5310, "y":5320}]}]}' https://localhost:4443/api/pbxdevicemodels/
 
 sub api_description {
-    return 'Specifies a model to be set in <a href="#pbxdeviceconfigs">PbxDeviceConfigs</a>. Use a Content-Type "multipart/form-data", provide front_image and mac_image parts with the actual images, and an additional json part with the properties specified below, e.g.: <code>curl -X POST --user $USER -F front_image=@/path/to/front.png -F mac_image=@/path/to/mac.png -F json=\'{"reseller_id":...}\' https://example.org:1443/api/pbxdevicemodels/</code>';
+    return 'Specifies a model to be set in <a href="#pbxdeviceconfigs">PbxDeviceConfigs</a>. Use a Content-Type "multipart/form-data", provide front_image and mac_image parts with the actual images, and an additional json part with the properties specified below, e.g.: <code>curl -X POST --user $USER -F front_image=@/path/to/front.png -F mac_image=@/path/to/mac.png -F json=\'{"reseller_id":...}\' https://example.org:1443/api/pbxdevicemodels/</code> This resource is read-only to subscriberadmins.';
 };
 
 sub query_params {
@@ -114,7 +114,7 @@ __PACKAGE__->config(
     action => {
         map { $_ => {
             ACLDetachTo => '/api/root/invalid_user',
-            AllowedRole => [qw/admin reseller/],
+            AllowedRole => [qw/admin reseller subscriberadmin/],
             Args => 0,
             Does => [qw(ACL CheckTrailingSlash RequireSSL)],
             Method => $_,
@@ -207,6 +207,12 @@ sub OPTIONS :Allow {
 sub POST :Allow {
     my ($self, $c) = @_;
 
+    if ($c->user->roles eq 'subscriberadmin') {
+        $c->log->error("role subscriberadmin cannot create pbxdevicemodels");
+        $self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Invalid role. Cannot create pbxdevicemodel.");
+        return;
+    }
+
     my $guard = $c->model('DB')->txn_scope_guard;
     {
         last unless $self->forbid_link_header($c);
diff --git a/lib/NGCP/Panel/Controller/API/PbxDeviceModelsItem.pm b/lib/NGCP/Panel/Controller/API/PbxDeviceModelsItem.pm
index 9d4b50f0af..1b16f4d9f5 100644
--- a/lib/NGCP/Panel/Controller/API/PbxDeviceModelsItem.pm
+++ b/lib/NGCP/Panel/Controller/API/PbxDeviceModelsItem.pm
@@ -38,7 +38,7 @@ __PACKAGE__->config(
     action => {
         map { $_ => {
             ACLDetachTo => '/api/root/invalid_user',
-            AllowedRole => [qw/admin reseller/],
+            AllowedRole => [qw/admin reseller subscriberadmin/],
             Args => 1,
             Does => [qw(ACL RequireSSL)],
             Method => $_,
@@ -104,6 +104,13 @@ sub OPTIONS :Allow {
 
 sub PATCH :Allow {
     my ($self, $c, $id) = @_;
+
+    if ($c->user->roles eq 'subscriberadmin') {
+        $c->log->error("role subscriberadmin cannot edit pbxdevicemodel");
+        $self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Invalid role. Cannot edit pbxdevicemodel.");
+        return;
+    }
+
     my $guard = $c->model('DB')->txn_scope_guard;
     {
         my $preference = $self->require_preference($c);
@@ -149,6 +156,13 @@ sub PATCH :Allow {
 
 sub PUT :Allow {
     my ($self, $c, $id) = @_;
+
+    if ($c->user->roles eq 'subscriberadmin') {
+        $c->log->error("role subscriberadmin cannot edit pbxdevicemodel");
+        $self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Invalid role. Cannot edit pbxdevicemodel.");
+        return;
+    }
+
     my $guard = $c->model('DB')->txn_scope_guard;
     {
         my $preference = $self->require_preference($c);
diff --git a/lib/NGCP/Panel/Controller/API/PbxDeviceProfiles.pm b/lib/NGCP/Panel/Controller/API/PbxDeviceProfiles.pm
index 88f3952428..76281f242d 100644
--- a/lib/NGCP/Panel/Controller/API/PbxDeviceProfiles.pm
+++ b/lib/NGCP/Panel/Controller/API/PbxDeviceProfiles.pm
@@ -20,7 +20,7 @@ sub allowed_methods{
 }
 
 sub api_description {
-    return 'Specifies a profile to be set in <a href="#pbxdevices">PbxDevices</a>.';
+    return 'Specifies a profile to be set in <a href="#pbxdevices">PbxDevices</a>. This item is read-only to subscriberadmins.';
 };
 
 sub query_params {
@@ -67,7 +67,7 @@ __PACKAGE__->config(
     action => {
         map { $_ => {
             ACLDetachTo => '/api/root/invalid_user',
-            AllowedRole => [qw/admin reseller/],
+            AllowedRole => [qw/admin reseller subscriberadmin/],
             Args => 0,
             Does => [qw(ACL CheckTrailingSlash RequireSSL)],
             Method => $_,
@@ -160,6 +160,12 @@ sub OPTIONS :Allow {
 sub POST :Allow {
     my ($self, $c) = @_;
 
+    if ($c->user->roles eq 'subscriberadmin') {
+        $c->log->error("role subscriberadmin cannot create pbxdeviceprofiles");
+        $self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Invalid role. Cannot create pbxdeviceprofile.");
+        return;
+    }
+
     my $guard = $c->model('DB')->txn_scope_guard;
     {
         my $resource = $self->get_valid_post_data(
diff --git a/lib/NGCP/Panel/Controller/API/PbxDeviceProfilesItem.pm b/lib/NGCP/Panel/Controller/API/PbxDeviceProfilesItem.pm
index 8c643ca975..200316464f 100644
--- a/lib/NGCP/Panel/Controller/API/PbxDeviceProfilesItem.pm
+++ b/lib/NGCP/Panel/Controller/API/PbxDeviceProfilesItem.pm
@@ -37,7 +37,7 @@ __PACKAGE__->config(
     action => {
         map { $_ => {
             ACLDetachTo => '/api/root/invalid_user',
-            AllowedRole => [qw/admin reseller/],
+            AllowedRole => [qw/admin reseller subscriberadmin/],
             Args => 1,
             Does => [qw(ACL RequireSSL)],
             Method => $_,
@@ -103,6 +103,13 @@ sub OPTIONS :Allow {
 
 sub PATCH :Allow {
     my ($self, $c, $id) = @_;
+
+    if ($c->user->roles eq 'subscriberadmin') {
+        $c->log->error("role subscriberadmin cannot edit pbxdeviceprofiles");
+        $self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Invalid role. Cannot edit pbxdeviceprofile.");
+        return;
+    }
+
     my $guard = $c->model('DB')->txn_scope_guard;
     {
         my $preference = $self->require_preference($c);
@@ -146,6 +153,13 @@ sub PATCH :Allow {
 
 sub PUT :Allow {
     my ($self, $c, $id) = @_;
+
+    if ($c->user->roles eq 'subscriberadmin') {
+        $c->log->error("role subscriberadmin cannot edit pbxdeviceprofiles");
+        $self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Invalid role. Cannot edit pbxdeviceprofile.");
+        return;
+    }
+
     my $guard = $c->model('DB')->txn_scope_guard;
     {
         my $preference = $self->require_preference($c);
diff --git a/lib/NGCP/Panel/Role/API/PbxDeviceModels.pm b/lib/NGCP/Panel/Role/API/PbxDeviceModels.pm
index 93c34b4921..ae42146493 100644
--- a/lib/NGCP/Panel/Role/API/PbxDeviceModels.pm
+++ b/lib/NGCP/Panel/Role/API/PbxDeviceModels.pm
@@ -92,10 +92,17 @@ sub resource_from_item {
 
 sub _item_rs {
     my ($self, $c) = @_;
-    my $item_rs = $c->model('DB')->resultset('autoprov_devices');
-    if($c->user->roles eq "admin") {
+    my $item_rs = $c->model('DB')->resultset('autoprov_devices')
+        ->search_rs(undef,{ prefetch => {autoprov_device_line_ranges => 'annotations'} });
+    if ($c->user->roles eq "admin") {
     } elsif ($c->user->roles eq "reseller") {
         $item_rs = $item_rs->search({ reseller_id => $c->user->reseller_id });
+    } elsif ($c->user->roles eq "subscriberadmin") {
+        my $reseller_id = $c->user->contract->contact->reseller_id;
+        return unless $reseller_id;
+        $item_rs = $item_rs->search({
+            reseller_id => $reseller_id,
+        });
     }
 
     return $item_rs;
diff --git a/lib/NGCP/Panel/Role/API/PbxDeviceProfiles.pm b/lib/NGCP/Panel/Role/API/PbxDeviceProfiles.pm
index c88e8c180a..b93d9d5d1f 100644
--- a/lib/NGCP/Panel/Role/API/PbxDeviceProfiles.pm
+++ b/lib/NGCP/Panel/Role/API/PbxDeviceProfiles.pm
@@ -36,6 +36,7 @@ sub hal_from_item {
             NGCP::Panel::Utils::DataHalLink->new(relation => 'self', href => sprintf("%s%d", $self->dispatch_path, $item->id)),
             NGCP::Panel::Utils::DataHalLink->new(relation => "ngcp:$type", href => sprintf("/api/%s/%d", $type, $item->id)),
             NGCP::Panel::Utils::DataHalLink->new(relation => 'ngcp:pbxdeviceconfigs', href => sprintf("/api/pbxdeviceconfigs/%d", $item->config_id)),
+            NGCP::Panel::Utils::DataHalLink->new(relation => 'ngcp:pbxdevicemodels', href => sprintf("/api/pbxdevicemodels/%d", $item->config->device_id)),
         ],
         relation => 'ngcp:'.$self->resource_name,
     );
@@ -61,17 +62,22 @@ sub resource_from_item {
 
     $resource{id} = int($item->id);
     $resource{config_id} = int($item->config_id);
+    $resource{device_id} = int($item->config->device_id) if ($item->config);
     return \%resource;
 }
 
 sub _item_rs {
     my ($self, $c) = @_;
     my $item_rs = $c->model('DB')->resultset('autoprov_profiles');
-    if($c->user->roles eq "admin") {
+    if ($c->user->roles eq "admin") {
     } elsif ($c->user->roles eq "reseller") {
         $item_rs = $item_rs->search(
             { 'device.reseller_id' => $c->user->reseller_id, },
             { prefetch => { 'config' => 'device', }});
+    } elsif ($c->user->roles eq "subscriberadmin") {
+        $item_rs = $item_rs->search(
+            { 'device.reseller_id' => $c->user->contract->contact->reseller_id, },
+            { prefetch => { 'config' => 'device', }});
     }
 
     return $item_rs;