diff --git a/database/roles.go b/database/roles.go
index e303abc..7beeac1 100644
--- a/database/roles.go
+++ b/database/roles.go
@@ -112,6 +112,19 @@ var Roles = RoleActions{
 		ModelFile:                          _r__,
 		ModelResult:                        none,
 	},
+	"Download": {
+		ModelScenario:                      none,
+		ModelComponentConfiguration:        none,
+		ModelDashboard:                     none,
+		ModelWidget:                        none,
+		ModelInfrastructureComponent:       none,
+		ModelInfrastructureComponentAction: none,
+		ModelUser:                          none,
+		ModelUsers:                         none,
+		ModelSignal:                        none,
+		ModelFile:                          _r__,
+		ModelResult:                        none,
+	},
 }
 
 func ValidateRole(c *gin.Context, model ModelName, action CRUD) error {
diff --git a/routes/file/file_middleware.go b/routes/file/file_middleware.go
index acdacb6..897fa52 100644
--- a/routes/file/file_middleware.go
+++ b/routes/file/file_middleware.go
@@ -49,9 +49,12 @@ func CheckPermissions(c *gin.Context, operation database.CRUD) (bool, File) {
 		return false, f
 	}
 
-	ok, _ := scenario.CheckPermissions(c, operation, "body", int(f.ScenarioID))
-	if !ok {
-		return false, f
+	if operation != database.Read {
+		// check access to scenario only if operation is not Read (=download) of file
+		ok, _ := scenario.CheckPermissions(c, operation, "body", int(f.ScenarioID))
+		if !ok {
+			return false, f
+		}
 	}
 
 	return true, f