diff --git a/src/box/session.cc b/src/box/session.cc
index 441363776d6f9a09274fb422393874a062d70bbc..33b1feb4cc490d8849ff6f55a10ec7a945c027df 100644
--- a/src/box/session.cc
+++ b/src/box/session.cc
@@ -127,6 +127,11 @@ session_create_on_demand(int fd)
 	trigger_add(&fiber()->on_stop, &s->fiber_on_stop);
 	credentials_init(&s->credentials, admin_user->auth_token,
 			 admin_user->def->uid);
+	/*
+	 * At bootstrap, admin user access is not loaded yet (is
+	 * 0), force global access. @sa comment in session_init()
+	 */
+	s->credentials.universal_access = PRIV_ALL;
 	fiber_set_session(fiber(), s);
 	fiber_set_user(fiber(), &s->credentials);
 	return s;
@@ -201,7 +206,20 @@ session_init()
 		panic("out of memory");
 	mempool_create(&session_pool, &cord()->slabc, sizeof(struct session));
 	credentials_init(&admin_credentials, ADMIN, ADMIN);
-	/**
+	/*
+	 * For performance reasons, we do not always explicitly
+	 * look at user id in access checks, while still need to
+	 * ensure 'admin' user has full access to all objects in
+	 * the universe.
+	 *
+	 * This is why  _priv table contains a record with grants
+	 * of full access to universe to 'admin' user.
+	 *
+	 * Making a record in _priv table is, however,
+	 * insufficient, since some checks are done at bootstrap,
+	 * before _priv table is read (e.g. when we're
+	 * bootstrapping a replica in applier fiber).
+	 *
 	 * When session_init() is called, admin user access is not
 	 * loaded yet (is 0), force global access.
 	 */
diff --git a/test/replication/autobootstrap.result b/test/replication/autobootstrap.result
index b3ba22c3a1a4c979e7b952c62b46b3f2e6b39172..e45a3867b11ab8ddee0624223b829b0a5a082230 100644
--- a/test/replication/autobootstrap.result
+++ b/test/replication/autobootstrap.result
@@ -106,6 +106,58 @@ box.space.test:select()
 _ = test_run:cmd("switch default")
 ---
 ...
+_ = test_run:cmd("switch autobootstrap1")
+---
+...
+u1 = box.schema.user.create('test_u')
+---
+...
+box.schema.user.grant('test_u', 'read,write', 'universe')
+---
+...
+box.session.su('test_u')
+---
+...
+_ = box.schema.space.create('test_u'):create_index('pk')
+---
+...
+box.session.su('admin')
+---
+...
+_ = box.space.test_u:replace({1, 2, 3, 4})
+---
+...
+box.space.test_u:select()
+---
+- - [1, 2, 3, 4]
+...
+-- Synchronize
+vclock = test_run:get_vclock('autobootstrap1')
+---
+...
+_ = test_run:wait_vclock("autobootstrap2", vclock)
+---
+...
+_ = test_run:wait_vclock("autobootstrap3", vclock)
+---
+...
+_ = test_run:cmd("switch autobootstrap2")
+---
+...
+box.space.test_u:select()
+---
+- - [1, 2, 3, 4]
+...
+_ = test_run:cmd("switch autobootstrap3")
+---
+...
+box.space.test_u:select()
+---
+- - [1, 2, 3, 4]
+...
+_ = test_run:cmd("switch default")
+---
+...
 --
 -- Stop servers
 --
diff --git a/test/replication/autobootstrap.test.lua b/test/replication/autobootstrap.test.lua
index 826afc6009ac81938c5b844fa51415ac48f1eeae..8cb97d53d6a04d75d1db9f21cc0e6ceb7b059cab 100644
--- a/test/replication/autobootstrap.test.lua
+++ b/test/replication/autobootstrap.test.lua
@@ -52,6 +52,28 @@ _ = test_run:cmd("switch autobootstrap3")
 box.space.test:select()
 _ = test_run:cmd("switch default")
 
+
+_ = test_run:cmd("switch autobootstrap1")
+u1 = box.schema.user.create('test_u')
+box.schema.user.grant('test_u', 'read,write', 'universe')
+box.session.su('test_u')
+_ = box.schema.space.create('test_u'):create_index('pk')
+box.session.su('admin')
+_ = box.space.test_u:replace({1, 2, 3, 4})
+box.space.test_u:select()
+
+-- Synchronize
+vclock = test_run:get_vclock('autobootstrap1')
+_ = test_run:wait_vclock("autobootstrap2", vclock)
+_ = test_run:wait_vclock("autobootstrap3", vclock)
+
+_ = test_run:cmd("switch autobootstrap2")
+box.space.test_u:select()
+_ = test_run:cmd("switch autobootstrap3")
+box.space.test_u:select()
+
+_ = test_run:cmd("switch default")
+
 --
 -- Stop servers
 --