diff --git a/.travis.yml b/.travis.yml
index 7ddad4a13..dc5babd18 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -11,4 +11,4 @@ install:
 script:
 - ansible-playbook --syntax-check spec/travis.yml
- - ansible-playbook --sudo -v --diff spec/travis.yml --skip-tags "sysctl"
+ - ansible-playbook --sudo -v --diff spec/travis.yml --skip-tags "sysctl" --extra-vars "os_security_users_allow=change_user"
diff --git a/roles/ansible-os-hardening/tasks/minimize_access.yml b/roles/ansible-os-hardening/tasks/minimize_access.yml
index f24ea5229..058ac9b17 100644
--- a/roles/ansible-os-hardening/tasks/minimize_access.yml
+++ b/roles/ansible-os-hardening/tasks/minimize_access.yml
@@ -14,5 +14,5 @@
 file: dest='/etc/shadow' owner=root group=root mode=0600
 - name: change su-binary to only be accessible to user and group root
- file: dest='/bin/su' owner=root group=root mode
- when: security_users_allow|default(None) != None
+ file: dest='/bin/su' owner=root group=root mode=0750
+ when: os_security_users_allow != None
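Review bot: The new `when: os_security_users_allow != None` in minimize_access.yml tests only whether the variable is set and never looks at its value, so the `/bin/su` restriction is applied for any non-null value and silently skipped when the variable is null. The `.travis.yml` hunk passes `os_security_users_allow=change_user`, and under this condition that value, which by its name reads as permitting `su`, is exactly what makes the lockdown run. With `|default(None)` removed the condition also depends on the role defaults defining the variable, which are not visible in this diff; if they do not, the task presumably fails on an undefined variable. If the variable is meant as an allow-list, a fail-closed form would be `when: "'change_user' not in (os_security_users_allow | default([], true))"`. I would also add a comment above the task stating which value leaves `su` usable by non-root users.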