diff --git a/src/settings/nm-settings-connection.c b/src/settings/nm-settings-connection.c
index c20ba8284a..a14b1594a4 100644
--- a/src/settings/nm-settings-connection.c
+++ b/src/settings/nm-settings-connection.c
@@ -242,6 +242,58 @@ session_changed_cb (NMSessionMonitor *self, gpointer user_data)
 
 /**************************************************************/
 
+/* Return TRUE if any active user in the connection's ACL has the given
+ * permission without having to authorize for it via PolicyKit.  Connections
+ * visible to everyone automatically pass the check.
+ */
+gboolean
+nm_settings_connection_check_permission (NMSettingsConnection *self,
+                                         const char *permission)
+{
+	NMSettingsConnectionPrivate *priv;
+	NMSettingConnection *s_con;
+	guint32 num, i;
+	const char *puser;
+
+	g_return_val_if_fail (self != NULL, FALSE);
+	g_return_val_if_fail (NM_IS_SETTINGS_CONNECTION (self), FALSE);
+
+	priv = NM_SETTINGS_CONNECTION_GET_PRIVATE (self);
+
+	if (priv->visible == FALSE)
+		return FALSE;
+
+	s_con = nm_connection_get_setting_connection (NM_CONNECTION (self));
+	g_assert (s_con);
+
+	/* Check every user in the ACL for a session */
+	num = nm_setting_connection_get_num_permissions (s_con);
+	if (num == 0) {
+		/* Visible to all so it's OK to auto-activate */
+		return TRUE;
+	}
+
+	for (i = 0; i < num; i++) {
+		/* For each user get their secret agent and check if that agent has the
+		 * required permission.
+		 *
+		 * FIXME: what if the user isn't running an agent?  PolKit needs a bus
+		 * name or a PID but if the user isn't running an agent they won't have
+		 * either.
+		 */
+		if (nm_setting_connection_get_permission (s_con, i, NULL, &puser, NULL)) {
+			NMSecretAgent *agent = nm_agent_manager_get_agent_by_user (priv->agent_mgr, puser);
+
+			if (agent && nm_secret_agent_has_permission (agent, permission))
+				return TRUE;
+		}
+	}
+
+	return FALSE;
+}
+
+/**************************************************************/
+
 static void
 only_system_secrets_cb (NMSetting *setting,
                         const char *key,
diff --git a/src/settings/nm-settings-connection.h b/src/settings/nm-settings-connection.h
index af90c5144d..bc9e3c4712 100644
--- a/src/settings/nm-settings-connection.h
+++ b/src/settings/nm-settings-connection.h
@@ -117,6 +117,9 @@ gboolean nm_settings_connection_is_visible (NMSettingsConnection *self);
 
 void nm_settings_connection_recheck_visibility (NMSettingsConnection *self);
 
+gboolean nm_settings_connection_check_permission (NMSettingsConnection *self,
+                                                  const char *permission);
+
 void nm_settings_connection_signal_remove (NMSettingsConnection *self);
 
 guint64 nm_settings_connection_get_timestamp (NMSettingsConnection *connection);