diff --git a/acl/acl.go b/acl/acl.go
index 2467b09f..3c9e053c 100644
--- a/acl/acl.go
+++ b/acl/acl.go
@@ -83,12 +83,17 @@ func (as *aclService) get(ctx context.Context, spaceId string) (list.AclList, er
 }
 
 func (as *aclService) AddRecord(ctx context.Context, spaceId string, rec *consensusproto.RawRecord, limits Limits) (result *consensusproto.RawRecordWithId, err error) {
+	if limits.ReadMembers <= 1 && limits.WriteMembers <= 1 {
+		return nil, ErrLimitExceed
+	}
+
 	acl, err := as.get(ctx, spaceId)
 	if err != nil {
 		return nil, err
 	}
 	acl.RLock()
 	defer acl.RUnlock()
+
 	err = acl.ValidateRawRecord(rec, func(state *list.AclState) error {
 		var readers, writers int
 		for _, acc := range state.CurrentAccounts() {
diff --git a/acl/acl_test.go b/acl/acl_test.go
index fbddc728..3e835a98 100644
--- a/acl/acl_test.go
+++ b/acl/acl_test.go
@@ -82,7 +82,13 @@ func TestAclService_AddRecord(t *testing.T) {
 		assert.EqualError(t, err, testErr.Error())
 	})
 	t.Run("limit exceed", func(t *testing.T) {
-		// TODO:
+		fx := newFixture(t)
+		defer fx.finish(t)
+		_, err := fx.AddRecord(ctx, spaceId, inv.InviteRec, Limits{
+			ReadMembers:  1,
+			WriteMembers: 1,
+		})
+		assert.ErrorIs(t, err, ErrLimitExceed)
 	})
 }
 
@@ -136,7 +142,7 @@ func TestAclService(t *testing.T) {
 		require.NoError(t, err)
 		assert.True(t, res.IsOwner())
 	})
-	t.Run("ownerPUbKey", func(t *testing.T) {
+	t.Run("ownerPubKey", func(t *testing.T) {
 		res, err := fx.OwnerPubKey(ctx, spaceId)
 		require.NoError(t, err)
 		assert.Equal(t, ownerKeys.SignKey.GetPublic().Account(), res.Account())