diff --git a/pkg/accesscontrol/access_set.go b/pkg/accesscontrol/access_set.go
index 7597cf7..2c2d2c5 100644
--- a/pkg/accesscontrol/access_set.go
+++ b/pkg/accesscontrol/access_set.go
@@ -144,20 +144,35 @@ func (a AccessListByVerb) Granted(verb string) (result map[string]Resources) {
 		verbs = append(verbs, "get")
 	}
-	for _, verb := range verbs {
-		for _, access := range a[verb] {
+	for _, access := range a[verb] {
+		resources := result[access.Namespace]
+		if access.ResourceName == All {
+			resources.All = true
+		} else {
+			if resources.Names == nil {
+				resources.Names = sets.String{}
+			}
+			resources.Names.Insert(access.ResourceName)
+		}
+		result[access.Namespace] = resources
+	}
+
+	if verb == "list" {
+		// look for objects referenced by get
+		for _, access := range a["get"] {
 			resources := result[access.Namespace]
 			if access.ResourceName == All {
-				resources.All = true
-			} else {
+				continue
+			} else if len(access.ResourceName) > 0 {
 				if resources.Names == nil {
 					resources.Names = sets.String{}
 				}
 				resources.Names.Insert(access.ResourceName)
+				result[access.Namespace] = resources
 			}
-			result[access.Namespace] = resources
 		}
 	}
+
 	return result
 }
diff --git a/pkg/stores/partition/store.go b/pkg/stores/partition/store.go
index 1961423..547eec1 100644
--- a/pkg/stores/partition/store.go
+++ b/pkg/stores/partition/store.go
@@ -101,7 +101,7 @@ func (s *Store) List(apiOp *types.APIRequest, schema *types.APISchema) (types.AP
 	result.Revision = lister.Revision()
 	result.Continue = lister.Continue()
-	return result, nil
+	return result, lister.Err()
 }
 func (s *Store) Create(apiOp *types.APIRequest, schema *types.APISchema, data types.APIObject) (types.APIObject, error) {
diff --git a/pkg/stores/proxy/proxy_store.go b/pkg/stores/proxy/proxy_store.go
index 7862b06..8be0bb3 100644
--- a/pkg/stores/proxy/proxy_store.go
+++ b/pkg/stores/proxy/proxy_store.go
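Review bot: The new get-fallback loop skips entries whose ResourceName is empty (`} else if len(access.ResourceName) > 0 {`), but the first loop over `a[verb]` has no such guard, so an entry with an empty, non-All name is inserted into Names as `""` for the requested verb; if an empty name carries no meaning here the same guard belongs in the first loop, and if it does, the asymmetry deserves a comment. The `continue` branch is also followed by an `else if` after a terminating statement; dropping the `else` keeps the happy path flat. With the loop over `verbs` removed, the `verbs = append(verbs, "get")` context line above now looks like dead code unless `verbs` is still read earlier in Granted, which starts outside the hunk. The one-line comment could state the rule the code now enforces, e.g. `// a "get" granted by name also makes that object visible to "list"; a wildcard get does not extend list`.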
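Review bot: `return result, lister.Err()` hands back a populated result next to a possibly non-nil error, and `result.Revision`/`result.Continue` are assigned before the error is consulted, so a caller that reads result regardless of err sees a partial page presented as a complete one. Unless a partial result is deliberately part of List's contract, check the error first: `if err := lister.Err(); err != nil { return types.APIObjectList{}, err }` ahead of the two assignments. List begins outside the hunk, so whether an earlier check already covers this cannot be seen here.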
@@ -213,6 +213,12 @@ func tableToObjects(obj map[string]interface{}) []unstructured.Unstructured {
 }
 func (s *Store) ByNames(apiOp *types.APIRequest, schema *types.APISchema, names sets.String) (types.APIObjectList, error) {
+	if apiOp.Namespace == "*" {
+		// This happens when you grant namespaced objects with "get" by name in a clusterrolebinding. We will treat
+		// this as an invalid situation instead of listing all objects in the cluster and filtering by name.
+		return types.APIObjectList{}, nil
+	}
+
 	adminClient, err := s.clientGetter.TableAdminClient(apiOp, schema, apiOp.Namespace)
 	if err != nil {
 		return types.APIObjectList{}, err
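Review bot: The new early return reports a namespace of `"*"` as an empty, successful result (`return types.APIObjectList{}, nil`), so a caller cannot tell "nothing matched" from "this request shape is rejected", even though the comment itself calls the situation invalid. If a silent empty page is the intended behaviour, say so in the ByNames doc comment, including that `names` is ignored in that case; otherwise returning an error, or at least logging the rejected request, makes the rule observable when it fires. The two comment lines also run well past 100 columns and could be wrapped. ByNames continues past the end of the hunk.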