diff --git a/lib/NGCP/Panel/Form/Subscriber/SubscriberSubAdminAPI.pm b/lib/NGCP/Panel/Form/Subscriber/SubscriberSubAdminAPI.pm
index 49c6aead41..e32f09509f 100644
--- a/lib/NGCP/Panel/Form/Subscriber/SubscriberSubAdminAPI.pm
+++ b/lib/NGCP/Panel/Form/Subscriber/SubscriberSubAdminAPI.pm
@@ -4,6 +4,8 @@ use HTML::FormHandler::Moose;
 extends 'HTML::FormHandler';
 use NGCP::Panel::Utils::Form qw();
+#e164 administrative timezone profile_set are absent in web ui
+
 has_field 'contract' => (
 type => '+NGCP::Panel::Field::CustomerContract',
 label => 'Customer',
@@ -102,6 +104,7 @@ has_field 'administrative' => (
 type => 'Boolean',
 label => 'Administrative',
 required => 0,
+ readonly => 1,
 element_attr => {
 rel => ['tooltip'],
 title => ['Whether the subscriber can configure other subscribers within his Customer account.']
diff --git a/lib/NGCP/Panel/Role/API/Subscribers.pm b/lib/NGCP/Panel/Role/API/Subscribers.pm
index 86bf09b8de..a9f4b54e49 100644
--- a/lib/NGCP/Panel/Role/API/Subscribers.pm
+++ b/lib/NGCP/Panel/Role/API/Subscribers.pm
@@ -327,6 +327,8 @@ sub prepare_resource {
 }
 $resource->{customer_id} = $pilot->account_id;
 $resource->{status} = 'active';
+ #deny to create subscriberadmin, the same as in the web ui
+ $resource->{administrative} = $item ? $item->provisioning_voip_subscriber->admin : 0;
 }
 $resource->{e164} = delete $resource->{primary_number};
 $resource->{status} //= 'active';
diff --git a/lib/NGCP/Panel/Utils/Subscriber.pm b/lib/NGCP/Panel/Utils/Subscriber.pm
index 9b227fce44..a07b35fc37 100644
--- a/lib/NGCP/Panel/Utils/Subscriber.pm
+++ b/lib/NGCP/Panel/Utils/Subscriber.pm
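Review bot: In SubscriberSubAdminAPI.pm, `readonly => 1` on the `administrative` field is, as far as I know, only a rendering attribute in HTML::FormHandler and does not by itself stop a submitted value from being validated and passed on. Unless the API's form wrapper (outside this diff) strips read-only fields, enforcement therefore rests on the prepare_resource change in Role/API/Subscribers.pm. A comment on the field would make that dependency explicit, e.g. `# readonly is advisory here; the value is forced server-side in prepare_resource`. The has_field block continues past the end of the hunk.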
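Review bot: In prepare_resource (Role/API/Subscribers.pm), the added line calls `->admin` on `$item->provisioning_voip_subscriber` without checking that the relation returned a row, so if it can be empty an update dies here instead of defaulting to 0; `$resource->{administrative} = ($item && $item->provisioning_voip_subscriber) ? $item->provisioning_voip_subscriber->admin : 0;` avoids that. The caller-supplied value is also overwritten silently, so an attempt to set the flag leaves no trace; logging the mismatch, or rejecting the request, would make such attempts visible to operators. The condition guarding this block is outside the hunk, so which roles it covers cannot be confirmed from here.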
@@ -219,6 +219,15 @@ sub create_subscriber {
 $c->log->warn("invalid license status: $status");
 # die("invalid license status: $status");
 }
+ if ($c->user->roles eq "reseller") {
+ if ($contract->contact->reseller_id ne $c->user->reseller_id) {
+ die("invalid contract id '".$contract->id."'");
+ }
+ } elsif ($c->user->roles eq "subscriberadmin" || $c->user->roles eq "subscriber") {#while we don't allow to create subscribers to subscriber role, of course
+ if ($contract->id ne $c->user->account_id) {
+ die("invalid contract id '".$contract->id."'");
+ }
+ }
 my ($profile_set, $profile);
 #as we don't allow to change customer (l. 624), so we shouldn't allow profile_set that belongs to other reseller
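Review bot: The `elsif` branch treats `subscriber` the same as `subscriberadmin`, so a plain subscriber whose `account_id` matches the contract passes this check even though the inline comment says that role must never create subscribers; the refusal then depends entirely on callers outside this hunk. I would split it out and fail closed, e.g. `} elsif ($c->user->roles eq "subscriber") { die("role 'subscriber' cannot create subscribers"); }`. Any role other than the three named here also falls through with no ownership check, which is presumably intended for administrator-level roles but deserves a comment so a newly added role is not silently unrestricted. The `ne` comparisons treat two undefined ids as equal, so if `reseller_id` or `account_id` can be NULL on both sides the check passes; a `defined` guard on each side would close that. create_subscriber's body starts and ends outside the hunk.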