diff --git a/pkg/api-server/resource_endpoints.go b/pkg/api-server/resource_endpoints.go
index c19f4886ee03..a4ac8afd34ee 100644
--- a/pkg/api-server/resource_endpoints.go
+++ b/pkg/api-server/resource_endpoints.go
@@ -172,11 +172,10 @@ func (r *resourceEndpoints) createResource(ctx context.Context, name string, mes
 }
 
 func (r *resourceEndpoints) updateResource(ctx context.Context, res model.Resource, restRes rest.Resource, response *restful.Response) {
- _ = res.SetSpec(restRes.Spec)
-
 if err := r.resourceAccess.ValidateUpdate(
 model.ResourceKey{Mesh: res.GetMeta().GetMesh(), Name: res.GetMeta().GetName()},
 res.GetSpec(),
+ restRes.Spec,
 r.descriptor,
 user.FromCtx(ctx),
 ); err != nil {
@@ -184,6 +183,8 @@ func (r *resourceEndpoints) updateResource(ctx context.Context, res model.Resour
 return
 }
 
+ _ = res.SetSpec(restRes.Spec)
+
 if err := r.resManager.Update(ctx, res); err != nil {
 rest_errors.HandleError(response, err, "Could not update a resource")
 } else {
diff --git a/pkg/core/resources/access/admin_resource_access.go b/pkg/core/resources/access/admin_resource_access.go
index 713a70c8a029..6bdfbb9f5802 100644
--- a/pkg/core/resources/access/admin_resource_access.go
+++ b/pkg/core/resources/access/admin_resource_access.go
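Review bot: `_ = res.SetSpec(restRes.Spec)` in the second hunk still discards SetSpec's return value, and after this reordering the access check has already passed for `restRes.Spec` by the time it runs. If SetSpec rejects the request-supplied spec, the handler goes on to call `r.resManager.Update` with the stored spec unchanged and presumably reports success for an update that was never applied. SetSpec's definition is not in this diff, so that it can fail is inferred from the discarded return. Handling it would be `if err := res.SetSpec(restRes.Spec); err != nil {` then `rest_errors.HandleError(response, err, "Could not update a resource")` then `return }`. updateResource starts in the first hunk and continues past the end of this one.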
@@ -30,15 +30,15 @@ func NewAdminResourceAccess(cfg config_access.AdminResourcesStaticAccessConfig)
 
 var _ ResourceAccess = &adminResourceAccess{}
 
-func (a *adminResourceAccess) ValidateCreate(key model.ResourceKey, spec model.ResourceSpec, descriptor model.ResourceTypeDescriptor, user user.User) error {
+func (a *adminResourceAccess) ValidateCreate(_ model.ResourceKey, _ model.ResourceSpec, descriptor model.ResourceTypeDescriptor, user user.User) error {
 return a.validateAdminAccess(user, descriptor)
 }
 
-func (a *adminResourceAccess) ValidateUpdate(key model.ResourceKey, spec model.ResourceSpec, descriptor model.ResourceTypeDescriptor, user user.User) error {
+func (a *adminResourceAccess) ValidateUpdate(_ model.ResourceKey, _ model.ResourceSpec, _ model.ResourceSpec, descriptor model.ResourceTypeDescriptor, user user.User) error {
 return a.validateAdminAccess(user, descriptor)
 }
 
-func (a *adminResourceAccess) ValidateDelete(key model.ResourceKey, spec model.ResourceSpec, descriptor model.ResourceTypeDescriptor, user user.User) error {
+func (a *adminResourceAccess) ValidateDelete(_ model.ResourceKey, _ model.ResourceSpec, descriptor model.ResourceTypeDescriptor, user user.User) error {
 return a.validateAdminAccess(user, descriptor)
 }
 
@@ -46,7 +46,7 @@ func (a *adminResourceAccess) ValidateList(descriptor model.ResourceTypeDescript
 return a.validateAdminAccess(user, descriptor)
 }
 
-func (a *adminResourceAccess) ValidateGet(key model.ResourceKey, descriptor model.ResourceTypeDescriptor, user user.User) error {
+func (a *adminResourceAccess) ValidateGet(_ model.ResourceKey, descriptor model.ResourceTypeDescriptor, user user.User) error {
 return a.validateAdminAccess(user, descriptor)
 }
 
diff --git a/pkg/core/resources/access/admin_resource_access_test.go b/pkg/core/resources/access/admin_resource_access_test.go
index 417d100c964d..e3ebeb39a1b0 100644
--- a/pkg/core/resources/access/admin_resource_access_test.go
+++ b/pkg/core/resources/access/admin_resource_access_test.go
@@ -75,6 +75,7 @@ var _ = Describe("Admin Resource Access", func() {
 err := resourceAccess.ValidateUpdate(
 model.ResourceKey{Name: "xyz"},
 &system_proto.Secret{},
+ &system_proto.Secret{},
 system.NewSecretResource().Descriptor(),
 user.Admin,
 )
@@ -88,6 +89,7 @@ var _ = Describe("Admin Resource Access", func() {
 err := resourceAccess.ValidateUpdate(
 model.ResourceKey{Name: "xyz"},
 &system_proto.Secret{},
+ &system_proto.Secret{},
 system.NewSecretResource().Descriptor(),
 user.User{Name: "john doe", Groups: []string{"users"}},
 )
diff --git a/pkg/core/resources/access/resource_access.go b/pkg/core/resources/access/resource_access.go
index f554d74fd66e..86d174a3fd35 100644
--- a/pkg/core/resources/access/resource_access.go
+++ b/pkg/core/resources/access/resource_access.go
@@ -7,7 +7,7 @@ import (
 
 type ResourceAccess interface {
 ValidateCreate(key model.ResourceKey, spec model.ResourceSpec, desc model.ResourceTypeDescriptor, user user.User) error
- ValidateUpdate(key model.ResourceKey, spec model.ResourceSpec, desc model.ResourceTypeDescriptor, user user.User) error
+ ValidateUpdate(key model.ResourceKey, currentSpec model.ResourceSpec, newSpec model.ResourceSpec, desc model.ResourceTypeDescriptor, user user.User) error
 ValidateDelete(key model.ResourceKey, spec model.ResourceSpec, desc model.ResourceTypeDescriptor, user user.User) error
 ValidateList(desc model.ResourceTypeDescriptor, user user.User) error
 ValidateGet(key model.ResourceKey, desc model.ResourceTypeDescriptor, user user.User) error
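Review bot: Both updated calls (this hunk and the one at -88,6) pass an empty `&system_proto.Secret{}` for the current and the new spec, and the admin implementation in this commit ignores both arguments. No test visible in this diff would therefore fail if `updateResource` went back to calling `SetSpec` before `ValidateUpdate`, or if the two specs were swapped at the call site. An endpoint-level test with a recording `ResourceAccess` that asserts `currentSpec` is the stored spec and `newSpec` is the request spec would pin the ordering this commit establishes. The enclosing `Describe` block starts and ends outside these hunks.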
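Review bot: `ValidateUpdate` now takes two adjacent `model.ResourceSpec` parameters with no doc comment, so only the parameter names tell an implementer which one is the stored spec, and nothing says that `newSpec` is request data. I would add above the method: `// ValidateUpdate is called before the update is applied. currentSpec is the stored spec; newSpec is the spec from the request and has not been validated yet.` That the new spec is unvalidated at call time is read from the updateResource hunk in this diff, where `restRes.Spec` is passed before `SetSpec` and `resManager.Update` run. The interface body ends outside the hunk.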