diff --git a/src/bors/handlers/review.rs b/src/bors/handlers/review.rs
index c40195c7..f52f6f7f 100644
--- a/src/bors/handlers/review.rs
+++ b/src/bors/handlers/review.rs
@@ -239,8 +239,10 @@ pub(super) async fn command_set_rollup(
     author: &GithubUser,
     rollup: RollupMode,
 ) -> anyhow::Result<()> {
-    if !has_permission(&repo_state, author, pr, PermissionType::Review).await? {
-        deny_request(&repo_state, pr.number(), author, PermissionType::Review).await?;
+    // Require only try for rollup commands, because rust-timer uses them, and we don't want to
+    // grant it approve permissions.
+    if !has_permission(&repo_state, author, pr, PermissionType::Try).await? {
+        deny_request(&repo_state, pr.number(), author, PermissionType::Try).await?;
         return Ok(());
     }
     db.set_rollup(pr.db, rollup).await
@@ -1084,6 +1086,18 @@ approved = ["+foo", "+baz", "-bar", "-foo2"]
         .await;
     }
 
+    #[sqlx::test]
+    async fn set_rollup_try_permissions(pool: sqlx::PgPool) {
+        run_test(pool, async |ctx: &mut BorsTester| {
+            ctx.post_comment(Comment::new((), "@bors rollup=never").with_author(User::try_user()))
+                .await?;
+            ctx.wait_for_pr((), |pr| pr.rollup == Some(RollupMode::Never))
+                .await?;
+            Ok(())
+        })
+        .await;
+    }
+
     #[sqlx::test]
     async fn rollup_preserved_after_approve(pool: sqlx::PgPool) {
         run_test(pool, async |ctx: &mut BorsTester| {