diff --git a/editoast/Cargo.lock b/editoast/Cargo.lock
index 2103747545b..01945449d8d 100644
--- a/editoast/Cargo.lock
+++ b/editoast/Cargo.lock
@@ -325,6 +325,7 @@ dependencies = [
  "futures 0.3.32",
  "itertools",
  "pretty_assertions",
+ "rstest",
  "serde",
  "stdext",
  "strum",
diff --git a/editoast/authz/Cargo.toml b/editoast/authz/Cargo.toml
index 6f5c1b98619..5b48e217ac3 100644
--- a/editoast/authz/Cargo.toml
+++ b/editoast/authz/Cargo.toml
@@ -22,6 +22,7 @@ utoipa.workspace = true
 common.workspace = true
 fga = { workspace = true, features = ["test_utilities"] }
 pretty_assertions.workspace = true
+rstest.workspace = true
 stdext.workspace = true
 tokio.workspace = true
 
diff --git a/editoast/authz/src/authorizer.rs b/editoast/authz/src/authorizer.rs
index a728531e5a7..d08b52b695e 100644
--- a/editoast/authz/src/authorizer.rs
+++ b/editoast/authz/src/authorizer.rs
@@ -93,16 +93,6 @@ impl<S: StorageDriver> Authorizer<S> {
             .give_infra_grant(&User(self.user_id), subject, infra, grant)
             .await
     }
-
-    pub async fn revoke_infra_grants(
-        &self,
-        subject: &Subject,
-        infra: &Infra,
-    ) -> Result<Authorization<()>, Error<S::Error>> {
-        self.regulator
-            .revoke_infra_grants(&User(self.user_id), subject, infra)
-            .await
-    }
 }
 
 impl<S: StorageDriver> std::fmt::Debug for Authorizer<S> {
diff --git a/editoast/authz/src/model.rs b/editoast/authz/src/model.rs
index 549ef84f578..3fa586f91cd 100644
--- a/editoast/authz/src/model.rs
+++ b/editoast/authz/src/model.rs
@@ -38,22 +38,6 @@ impl Subject {
             Subject::Group(group) => group.0,
         }
     }
-
-    pub(crate) async fn fetch<'a, T, E, Ureq, Greq>(
-        &'a self,
-        client: &fga::Client,
-        u: impl FnOnce(&'a User) -> Ureq,
-        g: impl FnOnce(&'a Group) -> Greq,
-    ) -> Result<T, E>
-    where
-        Ureq: fga::client::Request<Response = T, Error = E>,
-        Greq: fga::client::Request<Response = T, Error = E>,
-    {
-        match self {
-            Subject::User(user) => u(user).fetch(client).await,
-            Subject::Group(group) => g(group).fetch(client).await,
-        }
-    }
 }
 
 #[cfg(test)]
diff --git a/editoast/authz/src/regulator.rs b/editoast/authz/src/regulator.rs
index bead88f2baf..9141c7d5164 100644
--- a/editoast/authz/src/regulator.rs
+++ b/editoast/authz/src/regulator.rs
@@ -275,7 +275,10 @@ impl<S: StorageDriver> Regulator<S> {
         }
 
         // Remove existing grants before adding the new one
-        self.revoke_infra_grants_unchecked(subject, infra).await?;
+        let authorize = v2::special_authorizers::Authorize(&self.openfga);
+        authorize
+            .access_value(v2::infra_revoke_grant(*subject, *infra))
+            .await?;
 
         // Grant the new one
         let mut writes = self.openfga.prepare_writes();
@@ -387,132 +390,6 @@ impl<S: StorageDriver> Regulator<S> {
             })
             .await
     }
-
-    #[tracing::instrument(skip(self), ret(level = Level::DEBUG), err)]
-    pub async fn revoke_infra_grants(
-        &self,
-        issuer: &User,
-        subject: &Subject,
-        infra: &Infra,
-    ) -> Result<Authorization<()>, Error<S::Error>> {
-        // TODO: add a can_revoke privilege in the authorization model
-
-        // Revoking rules:
-        // 1. Only owners (and admins) can fully revoke grants
-        // 2. The last owner of a resource cannot be revoked, even by admins
-        // 3. An owner cannot revoke another owner
-
-        let is_subject_owner = match subject {
-            Subject::User(user) => {
-                self.openfga
-                    .check(Infra::owner().check(user, infra))
-                    .await?
-            }
-            Subject::Group(group) => {
-                self.openfga
-                    .check(Infra::owner().check(Group::member().userset(group), infra))
-                    .await?
-            }
-        };
-
-        if is_subject_owner {
-            let authorize = crate::v2::special_authorizers::Authorize(&self.openfga);
-            let current_owners = authorize
-                .access_value(crate::v2::infra_granted_subjects(*infra, InfraGrant::Owner))
-                .await?;
-            if current_owners.len() == 1 && current_owners.contains(subject) {
-                return Ok(Authorization::Denied {
-                    reason: "cannot remove the last owner from infrastructure",
-                });
-            }
-        }
-
-        if !self.is_admin(issuer).await? {
-            let is_issuer_owner = self
-                .openfga
-                .check(Infra::owner().check(issuer, infra))
-                .await?;
-
-            if !is_issuer_owner {
-                return Ok(Authorization::Denied {
-                    reason: "only owners can revoke grants",
-                });
-            }
-
-            // Rule 3: An owner cannot revoke another owner (only admins can)
-            if is_issuer_owner && is_subject_owner {
-                return Ok(Authorization::Denied {
-                    reason: "owner cannot revoke another owner",
-                });
-            }
-        }
-
-        self.revoke_infra_grants_unchecked(subject, infra).await?;
-        Ok(Authorization::Granted(()))
-    }
-
-    #[tracing::instrument(skip(self), ret(level = Level::DEBUG), err)]
-    pub async fn revoke_infra_grants_unchecked(
-        &self,
-        subject: &Subject,
-        infra: &Infra,
-    ) -> Result<(), Error<S::Error>> {
-        // No need to check if the infra exists. If it doesn't, there won't be any tuples in OpenFGA.
-        // And even if there is, we're about to remove them anyway.
-        // Likewise about both users.
-
-        let mut delete = self.openfga.prepare_deletes();
-
-        if subject
-            .fetch(
-                &self.openfga,
-                |user| Infra::reader().tuple(user, infra),
-                |group| Infra::reader().tuple(Group::member().userset(group), infra),
-            )
-            .await?
-        {
-            match subject {
-                Subject::User(user) => delete.push(&Infra::reader().tuple(user, infra)),
-                Subject::Group(group) => {
-                    delete.push(&Infra::reader().tuple(Group::member().userset(group), infra))
-                }
-            }
-        }
-
-        if subject
-            .fetch(
-                &self.openfga,
-                |user| Infra::writer().tuple(user, infra),
-                |group| Infra::writer().tuple(Group::member().userset(group), infra),
-            )
-            .await?
-        {
-            match subject {
-                Subject::User(user) => delete.push(&Infra::writer().tuple(user, infra)),
-                Subject::Group(group) => {
-                    delete.push(&Infra::writer().tuple(Group::member().userset(group), infra))
-                }
-            }
-        }
-
-        if subject
-            .fetch(
-                &self.openfga,
-                |user| Infra::owner().tuple(user, infra),
-                |group| Infra::owner().tuple(Group::member().userset(group), infra),
-            )
-            .await?
-        {
-            match subject {
-                Subject::User(user) => delete.push(&Infra::owner().tuple(user, infra)),
-                Subject::Group(group) => {
-                    delete.push(&Infra::owner().tuple(Group::member().userset(group), infra))
-                }
-            }
-        }
-        delete.execute().await?;
-        Ok(())
-    }
 }
 
 #[cfg(test)]
@@ -733,98 +610,4 @@ mod tests {
             .assert_infra_grant_eq(bob, infra, Some(InfraGrant::Reader))
             .await;
     }
-
-    // REVOKING TESTS
-
-    #[tokio::test(flavor = "multi_thread")]
-    async fn only_owners_can_revoke() {
-        let regulator = Regulator::new(crate::authz_client!(), MockAuthDriver::default());
-        let infra = Infra(1);
-        let alice = regulator.alice().await;
-        let bob = regulator.bob().await;
-
-        regulator
-            .set_infra_grant(alice, infra, InfraGrant::Writer)
-            .await;
-        regulator
-            .set_infra_grant(bob, infra, InfraGrant::Reader)
-            .await;
-
-        regulator
-            .revoke_infra_grants(&alice, &bob.into(), &infra)
-            .await
-            .expect("revoke operation should complete")
-            .expect_denied("only owners can revoke grants");
-
-        regulator
-            .assert_infra_grant_eq(bob, infra, Some(InfraGrant::Reader))
-            .await;
-    }
-
-    #[tokio::test(flavor = "multi_thread")]
-    async fn admins_can_revoke() {
-        let regulator = Regulator::new(crate::authz_client!(), MockAuthDriver::default());
-        let infra = Infra(1);
-        let alice = regulator.alice().await;
-        let walter = regulator.walter().await;
-
-        regulator
-            .set_infra_grant(alice, infra, InfraGrant::Reader)
-            .await;
-
-        regulator
-            .revoke_infra_grants(&walter, &alice.into(), &infra)
-            .await
-            .expect("revoke operation should complete")
-            .expect_allowed("admin can revoke grants");
-
-        regulator.assert_infra_grant_eq(alice, infra, None).await;
-    }
-
-    #[tokio::test(flavor = "multi_thread")]
-    async fn last_owner_cannot_be_revoked_by_admin() {
-        let regulator = Regulator::new(crate::authz_client!(), MockAuthDriver::default());
-        let infra = Infra(1);
-        let alice = regulator.alice().await;
-        let walter = regulator.walter().await;
-
-        regulator
-            .set_infra_grant(alice, infra, InfraGrant::Owner)
-            .await;
-
-        regulator
-            .revoke_infra_grants(&walter, &alice.into(), &infra)
-            .await
-            .expect("revoke operation should complete")
-            .expect_denied("last owner cannot be revoked");
-
-        regulator
-            .assert_infra_grant_eq(alice, infra, Some(InfraGrant::Owner))
-            .await;
-    }
-
-    #[tokio::test(flavor = "multi_thread")]
-    async fn owner_cannot_revoke_another_owner() {
-        let regulator = Regulator::new(crate::authz_client!(), MockAuthDriver::default());
-        let infra = Infra(1);
-        let alice = regulator.alice().await;
-        let bob = regulator.bob().await;
-
-        regulator
-            .set_infra_grant(alice, infra, InfraGrant::Owner)
-            .await;
-        regulator
-            .set_infra_grant(bob, infra, InfraGrant::Owner)
-            .await;
-
-        regulator
-            .revoke_infra_grants(&alice, &bob.into(), &infra)
-            .await
-            .expect("revoke operation should complete")
-            .expect_denied("owner cannot revoke another owner");
-
-        regulator
-            .assert_infra_grant_eq(bob, infra, Some(InfraGrant::Owner))
-            .await;
-    }
 }
diff --git a/editoast/authz/src/v2.rs b/editoast/authz/src/v2.rs
index 9eebd0aa868..4643cf302bc 100644
--- a/editoast/authz/src/v2.rs
+++ b/editoast/authz/src/v2.rs
@@ -15,6 +15,7 @@ use futures::future::BoxFuture;
 
 use crate::Group;
 use crate::Infra;
+use crate::InfraGrant;
 use crate::InfraPrivilege;
 use crate::Role;
 use crate::Subject;
@@ -59,6 +60,10 @@ pub enum Check {
     HasRole(Actor, Role),
     /// The actor needs an infra privilege to perform the operation
     HasInfraPrivilege(Actor, InfraPrivilege, Infra),
+    /// The subject must not have the specified effective infra grant
+    SubjectEffectiveInfraGrantIsNot(InfraGrant, Subject, Infra),
+    /// The subject must not be the last direct owner of the infra
+    IsntLastInfraOwner(Subject, Infra),
     /// The subject must exist in PostgreSQL
     SubjectExists(Subject),
     /// The infra must exist in PostgreSQL
@@ -317,3 +322,22 @@ pub mod special_authorizers {
         }
     }
 }
+
+impl<L, R, Rejection, Error> Authorizer for itertools::Either<L, R>
+where
+    L: Authorizer<Rejection = Rejection, Error = Error>,
+    R: Authorizer<Rejection = Rejection, Error = Error>,
+{
+    type Rejection = Rejection;
+    type Error = Error;
+
+    async fn authorize<'a, T>(
+        &'a self,
+        data: Protected<T>,
+    ) -> Result<Access<'a, T, Self::Rejection>, Self::Error> {
+        match self {
+            itertools::Either::Left(l) => l.authorize(data).await,
+            itertools::Either::Right(r) => r.authorize(data).await,
+        }
+    }
+}
diff --git a/editoast/authz/src/v2/infra.rs b/editoast/authz/src/v2/infra.rs
index 0d4dcf68968..4e25518444b 100644
--- a/editoast/authz/src/v2/infra.rs
+++ b/editoast/authz/src/v2/infra.rs
@@ -140,6 +140,61 @@ pub fn infra_effective_grant(subject: Subject, infra: Infra) -> Protected<Option
     ))
 }
 
+/// Revokes the (direct) grant a subject has on an [Infra], if any
+///
+/// Returns `true` if a grant was revoked, `false` otherwise, making the operation idempotent.
+/// No transaction is setup as OpenFGA does not support them.
+pub fn infra_revoke_grant(subject: Subject, infra: Infra) -> Protected<bool> {
+    let prot = infra_direct_grant(subject, infra).map(move |openfga, grant| {
+        async move {
+            let Some(grant) = grant else {
+                return Ok(false);
+            };
+
+            let mut delete = openfga.prepare_deletes();
+            match (subject, grant) {
+                (Subject::User(user), InfraGrant::Reader) => {
+                    delete.push(&Infra::reader().tuple(&user, &infra))
+                }
+                (Subject::User(user), InfraGrant::Writer) => {
+                    delete.push(&Infra::writer().tuple(&user, &infra))
+                }
+                (Subject::User(user), InfraGrant::Owner) => {
+                    delete.push(&Infra::owner().tuple(&user, &infra))
+                }
+                (Subject::Group(group), InfraGrant::Reader) => {
+                    delete.push(&Infra::reader().tuple(Group::member().userset(&group), &infra))
+                }
+                (Subject::Group(group), InfraGrant::Writer) => {
+                    delete.push(&Infra::writer().tuple(Group::member().userset(&group), &infra))
+                }
+                (Subject::Group(group), InfraGrant::Owner) => {
+                    delete.push(&Infra::owner().tuple(Group::member().userset(&group), &infra))
+                }
+            };
+            delete.execute().await?;
+            Ok(true)
+        }
+        .boxed()
+    });
+
+    // Revoking rules:
+    // 1. Only owners (and admins) can fully revoke grants
+    // 2. The last owner of a resource cannot be revoked (admins can)
+    // 3. An owner cannot revoke another owner
+    prot.with_check(Check::HasInfraPrivilege(
+        Actor::Issuer,
+        InfraPrivilege::CanShareOwnership,
+        infra,
+    ))
+    .with_check(Check::SubjectEffectiveInfraGrantIsNot(
+        InfraGrant::Owner,
+        subject,
+        infra,
+    ))
+    .with_check(Check::IsntLastInfraOwner(subject, infra))
+}
+
 pub fn infra_privileges(user: User, infra: Infra) -> Protected<HashSet<InfraPrivilege>> {
     Protected::new(move |openfga| {
         async move {
@@ -423,6 +478,58 @@ mod tests {
             .await;
     }
 
+    #[rstest::rstest]
+    #[case::user_reader(Subject::user(1), InfraGrant::Reader)]
+    #[case::user_writer(Subject::user(1), InfraGrant::Writer)]
+    #[case::user_owner(Subject::user(1), InfraGrant::Owner)]
+    #[case::group_reader(Subject::group(1), InfraGrant::Reader)]
+    #[case::group_writer(Subject::group(1), InfraGrant::Writer)]
+    #[case::group_owner(Subject::group(1), InfraGrant::Owner)]
+    #[tokio::test]
+    async fn revoke_infra_grant_ok(#[case] subject: Subject, #[case] grant: InfraGrant) {
+        let openfga = crate::authz_client!();
+        openfga.infra_set_grant(subject, Infra(1), grant).await;
+        assert!(openfga.infra_revoke_grant(subject, Infra(1)).await);
+        assert_eq!(openfga.infra_direct_grant(subject, Infra(1)).await, None);
+    }
+
+    #[tokio::test]
+    async fn revoke_infra_grant_noop() {
+        let openfga = crate::authz_client!();
+        assert!(!openfga.infra_revoke_grant(Subject::user(1), Infra(1)).await);
+    }
+
+    #[tokio::test]
+    async fn revoke_infra_grant_with_inherited() {
+        let openfga = crate::authz_client!();
+
+        openfga
+            .prepare_writes()
+            .write(&Group::member().tuple(&User(1), &Group(10)))
+            .write(&Infra::writer().tuple(Group::member().userset(&Group(10)), &Infra(1))) // inherited
+            .write(&Infra::reader().tuple(&User(1), &Infra(1))) // direct
+            .write(&Infra::owner().tuple(&User(1), &Infra(2))) // unrelated
+            .execute()
+            .await
+            .unwrap();
+
+        assert!(openfga.infra_revoke_grant(Subject::user(1), Infra(1)).await);
+        assert_eq!(
+            openfga.infra_direct_grant(Subject::user(1), Infra(1)).await,
+            None
+        );
+        assert_eq!(
+            openfga
+                .infra_effective_grant(Subject::user(1), Infra(1))
+                .await,
+            Some(InfraGrant::Writer)
+        );
+        assert_eq!(
+            openfga.infra_direct_grant(Subject::user(1), Infra(2)).await,
+            Some(InfraGrant::Owner)
+        );
+    }
+
     #[tokio::test]
     async fn infra_privileges_non_admin() {
         let openfga = crate::authz_client!();
diff --git a/editoast/authz/src/v2/test_client_ext.rs b/editoast/authz/src/v2/test_client_ext.rs
index 9c25e6ddcdc..b545e9b1aa7 100644
--- a/editoast/authz/src/v2/test_client_ext.rs
+++ b/editoast/authz/src/v2/test_client_ext.rs
@@ -13,17 +13,21 @@ use crate::v2::infra_direct_grant;
 use crate::v2::infra_effective_grant;
 use crate::v2::infra_granted_subjects;
 use crate::v2::infra_privileges;
+use crate::v2::infra_revoke_grant;
 use crate::v2::special_authorizers;
 
 pub trait TestClientExt {
     async fn subject_roles(&self, subject: &Subject) -> HashSet<Role>;
     async fn group_members(&self, group: &Group) -> HashSet<User>;
+
     async fn infra_effective_grant(&self, subject: Subject, infra: Infra) -> Option<InfraGrant>;
     async fn infra_direct_grant(
         &self,
         subject: impl Into<Subject>,
         infra: Infra,
     ) -> Option<InfraGrant>;
+    async fn infra_set_grant(&self, subject: Subject, infra: Infra, grant: InfraGrant);
+    async fn infra_revoke_grant(&self, subject: Subject, infra: Infra) -> bool;
     async fn infra_privileges(&self, user: User, infra: Infra) -> HashSet<InfraPrivilege>;
     async fn infra_granted_subjects(&self, infra: Infra, grant: InfraGrant) -> Vec<Subject>;
 }
@@ -68,6 +72,40 @@ impl TestClientExt for fga::Client {
             .unwrap()
     }
 
+    // TODO: use infra_set_grant -> Protected when available
+    async fn infra_set_grant(&self, subject: Subject, infra: Infra, grant: InfraGrant) {
+        let mut writes = self.prepare_writes();
+        match (subject, grant) {
+            (Subject::User(user), InfraGrant::Reader) => {
+                writes.push(&Infra::reader().tuple(&user, &infra))
+            }
+            (Subject::User(user), InfraGrant::Writer) => {
+                writes.push(&Infra::writer().tuple(&user, &infra))
+            }
+            (Subject::User(user), InfraGrant::Owner) => {
+                writes.push(&Infra::owner().tuple(&user, &infra))
+            }
+            (Subject::Group(group), InfraGrant::Reader) => {
+                writes.push(&Infra::reader().tuple(Group::member().userset(&group), &infra))
+            }
+            (Subject::Group(group), InfraGrant::Writer) => {
+                writes.push(&Infra::writer().tuple(Group::member().userset(&group), &infra))
+            }
+            (Subject::Group(group), InfraGrant::Owner) => {
+                writes.push(&Infra::owner().tuple(Group::member().userset(&group), &infra))
+            }
+        };
+        writes.execute().await.unwrap();
+    }
+
+    async fn infra_revoke_grant(&self, subject: Subject, infra: Infra) -> bool {
+        let authorize = special_authorizers::Authorize(self);
+        authorize
+            .access_value(infra_revoke_grant(subject, infra))
+            .await
+            .unwrap()
+    }
+
     async fn infra_privileges(&self, user: User, infra: Infra) -> HashSet<InfraPrivilege> {
         let authorize = special_authorizers::Authorize(self);
         authorize
diff --git a/editoast/src/authorizers.rs b/editoast/src/authorizers.rs
index 206a12e144e..d12beb643f6 100644
--- a/editoast/src/authorizers.rs
+++ b/editoast/src/authorizers.rs
@@ -8,7 +8,6 @@ use authz::v2::Protected;
 use editoast_models::prelude::*;
 use futures::FutureExt as _;
 use futures::StreamExt as _;
-use futures::TryFutureExt as _;
 use futures::stream::FuturesUnordered;
 use tracing::Instrument as _;
 
@@ -25,10 +24,7 @@ pub struct SystemAuthorizer<'a> {
 
 impl SystemAuthorizer<'_> {
     #[tracing::instrument(target = "SystemAuthorizer::check", skip_all, fields(?check), ret(level = "trace"), err)]
-    async fn check<'ch>(
-        &self,
-        check: &'ch Check,
-    ) -> Result<Option<&'ch Check>, editoast_models::Error> {
+    async fn check<'ch>(&self, check: &'ch Check) -> Result<Option<&'ch Check>, Error> {
         let conn = &mut self.conn.clone();
         Ok(match check {
             Check::SubjectExists(authz::Subject::User(user)) => {
@@ -41,14 +37,17 @@ impl SystemAuthorizer<'_> {
                 (!editoast_models::Infra::exists(conn, **infra).await?).then_some(check)
             }
             // checked by UserAuthorizer
-            Check::HasRole(..) | Check::HasInfraPrivilege(..) => None,
+            Check::HasRole(..)
+            | Check::HasInfraPrivilege(..)
+            | Check::SubjectEffectiveInfraGrantIsNot(..)
+            | Check::IsntLastInfraOwner(..) => None,
         })
     }
 }
 
 impl Authorizer for SystemAuthorizer<'_> {
     type Rejection = Check;
-    type Error = editoast_models::Error;
+    type Error = Error;
 
     #[tracing::instrument(skip_all)]
     async fn authorize<'a, T>(
@@ -103,10 +102,7 @@ impl<'c> UserAuthorizer<'c> {
     }
 
     #[tracing::instrument(target = "UserAutorizer::check", skip_all, fields(?check, issuer = ?self.user, roles = ?self.roles), ret(level = "trace"), err)]
-    async fn check<'ch>(
-        &self,
-        check: &'ch Check,
-    ) -> Result<Option<&'ch Check>, authz::v2::OpenFgaError> {
+    async fn check<'ch>(&self, check: &'ch Check) -> Result<Option<&'ch Check>, Error> {
         Ok(match check {
             Check::HasRole(Actor::Issuer, role) if !self.roles.contains(role) => Some(check),
             Check::HasRole(Actor::Issuer, _) => None,
@@ -125,6 +121,21 @@ impl<'c> UserAuthorizer<'c> {
                     .await?;
                 (!privileges.contains(privilege)).then_some(check)
             }
+            Check::SubjectEffectiveInfraGrantIsNot(grant, subject, infra) => {
+                let Ok(subject_grant) = authz::v2::infra_effective_grant(*subject, *infra)
+                    .access_authorized::<Infallible>(self.openfga)
+                    .access()
+                    .await?;
+                (subject_grant == Some(*grant)).then_some(check)
+            }
+            Check::IsntLastInfraOwner(subject, infra) => {
+                let Ok(owners) =
+                    authz::v2::infra_granted_subjects(*infra, authz::InfraGrant::Owner)
+                        .access_authorized::<Infallible>(self.openfga)
+                        .access()
+                        .await?;
+                (owners.len() == 1 && owners.contains(subject)).then_some(check)
+            }
             // checked by SystemAuthorizer
             Check::SubjectExists(_) | Check::InfraExists(_) => None,
         })
@@ -150,22 +161,11 @@ impl Authorizer for UserAuthorizer<'_> {
             // same thing for the system_authorizer
             let mut checks = FuturesUnordered::new();
             for check in &data.checks {
-                checks.push(
-                    system_authorizer
-                        .check(check)
-                        .map_err(Self::Error::from)
-                        .in_current_span()
-                        .boxed(),
-                );
+                checks.push(system_authorizer.check(check).in_current_span().boxed());
             }
             if !self.roles.contains(&authz::Role::Admin) {
                 for check in &data.checks {
-                    checks.push(
-                        self.check(check)
-                            .map_err(Self::Error::from)
-                            .in_current_span()
-                            .boxed(),
-                    );
+                    checks.push(self.check(check).in_current_span().boxed());
                 }
             }
             while let Some(result) = checks.next().await {
@@ -198,6 +198,7 @@ pub(crate) use impossible;
 
 #[cfg(test)]
 mod tests {
+    use authz::InfraGrant;
     use authz::InfraPrivilege;
     use authz::Role;
     use authz::v2::Actor;
@@ -362,6 +363,15 @@ mod tests {
         InfraPrivilege::CanDelete,
         authz::Infra(i64::MAX)
     ))]
+    #[case::subject_effective_infra_grant_is_not(Check::SubjectEffectiveInfraGrantIsNot(
+        InfraGrant::Owner,
+        authz::Subject::User(authz::User(i64::MAX)),
+        authz::Infra(i64::MAX)
+    ))]
+    #[case::isnt_last_infra_owner(Check::IsntLastInfraOwner(
+        authz::Subject::User(authz::User(i64::MAX)),
+        authz::Infra(i64::MAX)
+    ))]
     #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
     async fn system_authorizer_ignores_non_sanity_checks(#[case] check: Check) {
         let openfga = openfga().await;
@@ -453,6 +463,107 @@ mod tests {
         assert_eq!(authorize(&user_authorizer, check).await, Err(check));
     }
 
+    #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
+    async fn user_authorizer_subject_effective_infra_grant_is_not() {
+        let openfga = openfga().await;
+        let pool = DbConnectionPoolV2::for_tests();
+        let issuer = create_user(&pool, "issuer").await;
+        let target = create_user(&pool, "target").await;
+        let infra = authz::Infra(create_empty_infra(&mut pool.get_ok()).await.id);
+        openfga
+            .write_tuples(&[authz::Infra::owner().tuple(&target, &infra)])
+            .await
+            .unwrap();
+        let user_authorizer = UserAuthorizer::new(issuer, vec![], &openfga, pool.get_ok());
+
+        let check = Check::SubjectEffectiveInfraGrantIsNot(
+            InfraGrant::Owner,
+            authz::Subject::User(target),
+            infra,
+        );
+        assert_eq!(authorize(&user_authorizer, check).await, Err(check));
+
+        let check = Check::SubjectEffectiveInfraGrantIsNot(
+            InfraGrant::Writer,
+            authz::Subject::User(target),
+            infra,
+        );
+        assert_eq!(authorize(&user_authorizer, check).await, Ok(()));
+    }
+
+    #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
+    async fn user_authorizer_subject_effective_infra_grant_is_not_checks_inherited_grant() {
+        let openfga = openfga().await;
+        let pool = DbConnectionPoolV2::for_tests();
+        let issuer = create_user(&pool, "issuer").await;
+        let target = create_user(&pool, "target").await;
+        let group = create_group(&pool, "owners").await;
+        let infra = authz::Infra(create_empty_infra(&mut pool.get_ok()).await.id);
+        openfga
+            .prepare_writes()
+            .write(&authz::Group::member().tuple(&target, &group))
+            .write(&authz::Infra::owner().tuple(authz::Group::member().userset(&group), &infra))
+            .execute()
+            .await
+            .unwrap();
+        let user_authorizer = UserAuthorizer::new(issuer, vec![], &openfga, pool.get_ok());
+
+        let check = Check::SubjectEffectiveInfraGrantIsNot(
+            InfraGrant::Owner,
+            authz::Subject::User(target),
+            infra,
+        );
+        assert_eq!(authorize(&user_authorizer, check).await, Err(check));
+    }
+
+    #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
+    async fn user_authorizer_isnt_last_infra_owner_user() {
+        let openfga = openfga().await;
+        let pool = DbConnectionPoolV2::for_tests();
+        let issuer = create_user(&pool, "issuer").await;
+        let owner = create_user(&pool, "owner").await;
+        let other_owner = create_user(&pool, "other-owner").await;
+        let no_grant = create_user(&pool, "no-grant").await;
+        let infra = authz::Infra(create_empty_infra(&mut pool.get_ok()).await.id);
+        openfga
+            .write_tuples(&[authz::Infra::owner().tuple(&owner, &infra)])
+            .await
+            .unwrap();
+        let user_authorizer = UserAuthorizer::new(issuer, vec![], &openfga, pool.get_ok());
+
+        let check = Check::IsntLastInfraOwner(authz::Subject::User(owner), infra);
+        assert_eq!(authorize(&user_authorizer, check).await, Err(check));
+
+        let check = Check::IsntLastInfraOwner(authz::Subject::User(no_grant), infra);
+        assert_eq!(authorize(&user_authorizer, check).await, Ok(()));
+
+        openfga
+            .write_tuples(&[authz::Infra::owner().tuple(&other_owner, &infra)])
+            .await
+            .unwrap();
+        let check = Check::IsntLastInfraOwner(authz::Subject::User(owner), infra);
+        assert_eq!(authorize(&user_authorizer, check).await, Ok(()));
+    }
+
+    #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
+    async fn user_authorizer_isnt_last_infra_owner_group() {
+        let openfga = openfga().await;
+        let pool = DbConnectionPoolV2::for_tests();
+        let issuer = create_user(&pool, "issuer").await;
+        let group = create_group(&pool, "group").await;
+        let infra = authz::Infra(create_empty_infra(&mut pool.get_ok()).await.id);
+        openfga
+            .write_tuples(&[
+                authz::Infra::owner().tuple(authz::Group::member().userset(&group), &infra)
+            ])
+            .await
+            .unwrap();
+        let user_authorizer = UserAuthorizer::new(issuer, vec![], &openfga, pool.get_ok());
+
+        let check = Check::IsntLastInfraOwner(authz::Subject::Group(group), infra);
+        assert_eq!(authorize(&user_authorizer, check).await, Err(check));
+    }
+
     #[rstest]
     #[case::has_role(Check::HasRole(Actor::Issuer, Role::Admin))]
     #[case::has_infra_privilege(Check::HasInfraPrivilege(
@@ -460,6 +571,15 @@ mod tests {
         InfraPrivilege::CanWrite,
         authz::Infra(i64::MAX)
     ))]
+    #[case::subject_effective_infra_grant_is_not(Check::SubjectEffectiveInfraGrantIsNot(
+        InfraGrant::Owner,
+        authz::Subject::user(i64::MAX),
+        authz::Infra(i64::MAX)
+    ))]
+    #[case::isnt_last_infra_owner(Check::IsntLastInfraOwner(
+        authz::Subject::user(i64::MAX),
+        authz::Infra(i64::MAX)
+    ))]
     #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
     async fn user_authorizer_admin_bypass(#[case] check: Check) {
         let openfga = openfga().await;
diff --git a/editoast/src/views/authz.rs b/editoast/src/views/authz.rs
index 17925ff2823..1713c64135b 100644
--- a/editoast/src/views/authz.rs
+++ b/editoast/src/views/authz.rs
@@ -2,6 +2,7 @@ use std::collections::HashMap;
 use std::collections::HashSet;
 use std::sync::Arc;
 
+use crate::authorizers::SystemAuthorizer;
 use crate::authorizers::UserAuthorizer;
 use crate::authorizers::impossible;
 use crate::error::Result;
@@ -27,6 +28,7 @@ use editoast_models::Group;
 use editoast_models::Infra;
 use editoast_models::User;
 use editoast_models::prelude::*;
+use itertools::Either;
 use itertools::Itertools;
 use serde::Deserialize;
 use serde::Serialize;
@@ -655,6 +657,9 @@ pub(in crate::views) async fn update_grants(
         db_pool, regulator, ..
     }): State<AppState>,
     Extension(auth): AuthenticationExt,
+    Extension(user): Extension<Option<authz::User>>,
+    Extension(roles): Extension<Vec<Role>>,
+    Extension(authn): Extension<crate::authentication::Authentication>,
     Json(body): Json<BodyUpdateGrants>,
 ) -> Result<impl IntoResponse> {
     // Fetch subjects from the database and determine whether they're a user or a group.
@@ -726,41 +731,80 @@ pub(in crate::views) async fn update_grants(
             }
             Ok(StatusCode::CREATED)
         }
-        BodyUpdateGrants::Revoke(revoke) => {
-            for RevokeBody {
-                resource_type,
-                resource_id,
-                subject_id,
-            } in revoke
-            {
-                let subject = subjects
-                    .get(&subject_id)
-                    .ok_or_else(|| AuthzError::UnknownSubject { subject_id })?;
-                match resource_type {
-                    ResourceType::Infra => {
-                        match &auth {
-                            Authentication::Authenticated(authorizer) => {
-                                authorizer
-                                    .revoke_infra_grants(subject, &authz::Infra(resource_id))
-                                    .await
-                            }
-                            Authentication::SkipAuthorization { .. } => regulator
-                                .revoke_infra_grants_unchecked(subject, &authz::Infra(resource_id))
-                                .await
-                                .map(Authorization::Granted),
-                            Authentication::Unauthenticated => {
-                                return Err(AuthorizationError::Unauthorized.into());
-                            }
-                        }?
-                        .allowed()?;
-                    }
+        BodyUpdateGrants::Revoke(revokes) => {
+            let prot = revokes
+                .into_iter()
+                .map(|r| r.into_protected(&subjects))
+                .process_results(|iter| authz::v2::Protected::from_iter(iter))?;
+
+            // TODO: make an Extension to simplify this logic
+            let authorizer = match (authn, user) {
+                (
+                    crate::authentication::Authentication::Authenticated { .. }
+                    | crate::authentication::Authentication::Impersonating { .. },
+                    Some(user),
+                ) => Either::Left(UserAuthorizer::new(
+                    user,
+                    roles.clone(),
+                    regulator.openfga(),
+                    db_pool.get().await?,
+                )),
+                (crate::authentication::Authentication::Skip { .. }, _) => {
+                    Either::Right(SystemAuthorizer {
+                        openfga: regulator.openfga(),
+                        conn: db_pool.get().await?,
+                    })
+                }
+                (crate::authentication::Authentication::Unauthenticated, None) => {
+                    return Err(AuthorizationError::Unauthorized.into());
+                }
+                _ => {
+                    unreachable!(
+                        "Authenticated | Impersonating implies Some(user) and Unauthenticated implies None"
+                    );
+                }
+            };
+
+            match prot.authorize(&authorizer).await?.access().await? {
+                Ok(_) => Ok(StatusCode::NO_CONTENT),
+                Err(Check::InfraExists(infra)) => Err(AuthzError::UnknownResource {
+                    resource_id: *infra,
+                }
+                .into()),
+                Err(Check::SubjectExists(subject)) => Err(AuthzError::UnknownSubject {
+                    subject_id: subject.id(),
                 }
+                .into()),
+                Err(
+                    Check::HasInfraPrivilege(Actor::Issuer, InfraPrivilege::CanShareOwnership, _)
+                    | Check::SubjectEffectiveInfraGrantIsNot(..)
+                    | Check::IsntLastInfraOwner(..),
+                ) => Err(AuthorizationError::Forbidden.into()),
+                Err(check) => impossible!(check),
             }
-            Ok(StatusCode::NO_CONTENT)
         }
     }
 }
 
+impl RevokeBody {
+    fn into_protected(
+        self,
+        subjects: &HashMap<i64, authz::Subject>,
+    ) -> Result<authz::v2::Protected<bool>, AuthzError> {
+        let Self {
+            resource_type,
+            resource_id,
+            subject_id,
+        } = self;
+        let subject = subjects
+            .get(&subject_id)
+            .ok_or_else(|| AuthzError::UnknownSubject { subject_id })?;
+        Ok(match resource_type {
+            ResourceType::Infra => authz::v2::infra_revoke_grant(*subject, resource_id.into()),
+        })
+    }
+}
+
 #[editoast_derive::route(Role::Admin)]
 #[utoipa::path(
     get,
@@ -1170,6 +1214,126 @@ mod tests {
         assert_eq!(openfga.infra_direct_grant(writer, infra).await, None);
     }
 
+    #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
+    async fn only_owners_can_revoke_infra_grants() {
+        let app = test_app!().enable_authorization(true).build();
+        let infra = create_small_infra(&mut app.db_pool().get_ok()).await;
+        let writer = app
+            .user("writer", "Writer")
+            .with_infra_grant(infra.id, InfraGrant::Writer)
+            .create()
+            .await;
+        let reader = app
+            .user("reader", "Reader")
+            .with_infra_grant(infra.id, InfraGrant::Reader)
+            .create()
+            .await;
+
+        app.fetch(app.post("/authz/grants").by_user(&writer).json(&json!({
+            "revoke": [
+                {
+                    "subject_id": reader.id,
+                    "resource_type": ResourceType::Infra,
+                    "resource_id": infra.id
+                }
+            ]
+        })))
+        .await
+        .assert_status(StatusCode::FORBIDDEN);
+
+        app.assert_infra_grant(infra.id, reader.id, Some(InfraGrant::Reader));
+    }
+
+    #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
+    async fn admins_can_revoke_infra_grants() {
+        let app = test_app!().enable_authorization(true).build();
+        let infra = create_small_infra(&mut app.db_pool().get_ok()).await;
+        let admin = app
+            .user("admin", "Admin")
+            .with_roles([Role::Admin])
+            .create()
+            .await;
+        let reader = app
+            .user("reader", "Reader")
+            .with_infra_grant(infra.id, InfraGrant::Reader)
+            .create()
+            .await;
+
+        app.fetch(app.post("/authz/grants").by_user(&admin).json(&json!({
+            "revoke": [
+                {
+                    "subject_id": reader.id,
+                    "resource_type": ResourceType::Infra,
+                    "resource_id": infra.id
+                }
+            ]
+        })))
+        .await
+        .assert_status(StatusCode::NO_CONTENT);
+
+        app.assert_infra_grant(infra.id, reader.id, None);
+    }
+
+    #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
+    async fn last_infra_owner_can_be_revoked_by_admin() {
+        let app = test_app!().enable_authorization(true).build();
+        let infra = create_small_infra(&mut app.db_pool().get_ok()).await;
+        let admin = app
+            .user("admin", "Admin")
+            .with_roles([Role::Admin])
+            .create()
+            .await;
+        let owner = app
+            .user("owner", "Owner")
+            .with_infra_grant(infra.id, InfraGrant::Owner)
+            .create()
+            .await;
+
+        app.fetch(app.post("/authz/grants").by_user(&admin).json(&json!({
+            "revoke": [
+                {
+                    "subject_id": owner.id,
+                    "resource_type": ResourceType::Infra,
+                    "resource_id": infra.id
+                }
+            ]
+        })))
+        .await
+        .assert_status(StatusCode::NO_CONTENT);
+
+        app.assert_infra_grant(infra.id, owner.id, None);
+    }
+
+    #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
+    async fn owner_cannot_revoke_another_infra_owner() {
+        let app = test_app!().enable_authorization(true).build();
+        let infra = create_small_infra(&mut app.db_pool().get_ok()).await;
+        let alice = app
+            .user("alice", "Alice")
+            .with_infra_grant(infra.id, InfraGrant::Owner)
+            .create()
+            .await;
+        let bob = app
+            .user("bob", "Bob")
+            .with_infra_grant(infra.id, InfraGrant::Owner)
+            .create()
+            .await;
+
+        app.fetch(app.post("/authz/grants").by_user(&alice).json(&json!({
+            "revoke": [
+                {
+                    "subject_id": bob.id,
+                    "resource_type": ResourceType::Infra,
+                    "resource_id": infra.id
+                }
+            ]
+        })))
+        .await
+        .assert_status(StatusCode::FORBIDDEN);
+
+        app.assert_infra_grant(infra.id, bob.id, Some(InfraGrant::Owner));
+    }
+
     #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
     async fn give_grant_to_groups() {
         let app = test_app!().enable_authorization(true).build();