diff --git a/x/wasm/keeper/keeper_test.go b/x/wasm/keeper/keeper_test.go
index d962b63f..0886f65a 100644
--- a/x/wasm/keeper/keeper_test.go
+++ b/x/wasm/keeper/keeper_test.go
@@ -192,8 +192,10 @@ func TestEnforceValidPermissionsOnCreate(t *testing.T) {
 
 	deposit := sdk.NewCoins(sdk.NewInt64Coin("denom", 100000))
 	creator := keepers.Faucet.NewFundedAccount(ctx, deposit...)
+	other := keepers.Faucet.NewFundedAccount(ctx, deposit...)
 
 	onlyCreator := types.AccessTypeOnlyAddress.With(creator)
+	onlyOther := types.AccessTypeOnlyAddress.With(other)
 
 	specs := map[string]struct {
 		defaultPermssion    types.AccessType
@@ -213,6 +215,11 @@ func TestEnforceValidPermissionsOnCreate(t *testing.T) {
 			requestedPermission: nil,
 			grantedPermission:   types.AccessConfig{Permission: types.AccessTypeEverybody},
 		},
+		"explicitly set everybody": {
+			defaultPermssion:    types.AccessTypeEverybody,
+			requestedPermission: &types.AccessConfig{Permission: types.AccessTypeEverybody},
+			grantedPermission:   types.AccessConfig{Permission: types.AccessTypeEverybody},
+		},
 		"cannot override nobody": {
 			defaultPermssion:    types.AccessTypeNobody,
 			requestedPermission: &onlyCreator,
@@ -223,6 +230,21 @@ func TestEnforceValidPermissionsOnCreate(t *testing.T) {
 			requestedPermission: nil,
 			grantedPermission:   types.AccessConfig{Permission: types.AccessTypeNobody},
 		},
+		"only defaults to code creator": {
+			defaultPermssion:    types.AccessTypeOnlyAddress,
+			requestedPermission: nil,
+			grantedPermission:   onlyCreator,
+		},
+		"can explicitly set to code creator": {
+			defaultPermssion:    types.AccessTypeOnlyAddress,
+			requestedPermission: &onlyCreator,
+			grantedPermission:   onlyCreator,
+		},
+		"cannot override which address in only": {
+			defaultPermssion:    types.AccessTypeOnlyAddress,
+			requestedPermission: &onlyOther,
+			expError:            sdkerrors.ErrUnauthorized,
+		},
 	}
 	for msg, spec := range specs {
 		t.Run(msg, func(t *testing.T) {
diff --git a/x/wasm/types/types_test.go b/x/wasm/types/types_test.go
index 9f6503b8..11741593 100644
--- a/x/wasm/types/types_test.go
+++ b/x/wasm/types/types_test.go
@@ -394,6 +394,11 @@ func TestAccesConfigSubset(t *testing.T) {
 			check:    AccessConfig{Permission: AccessTypeEverybody},
 			isSubSet: false,
 		},
+		"unspecified > nobody": {
+			superSet: AccessConfig{Permission: AccessTypeNobody},
+			check:    AccessConfig{Permission: AccessTypeUnspecified},
+			isSubSet: false,
+		},
 		"nobody <= everybody": {
 			superSet: AccessConfig{Permission: AccessTypeEverybody},
 			check:    AccessConfig{Permission: AccessTypeNobody},
@@ -409,6 +414,11 @@ func TestAccesConfigSubset(t *testing.T) {
 			check:    AccessConfig{Permission: AccessTypeEverybody},
 			isSubSet: true,
 		},
+		"unspecified > everybody": {
+			superSet: AccessConfig{Permission: AccessTypeEverybody},
+			check:    AccessConfig{Permission: AccessTypeUnspecified},
+			isSubSet: false,
+		},
 		"nobody <= only": {
 			superSet: AccessConfig{Permission: AccessTypeOnlyAddress, Address: "owner"},
 			check:    AccessConfig{Permission: AccessTypeNobody},
@@ -434,11 +444,6 @@ func TestAccesConfigSubset(t *testing.T) {
 			check:    AccessConfig{Permission: AccessTypeNobody},
 			isSubSet: false,
 		},
-		"unspecified > everybody": {
-			superSet: AccessConfig{Permission: AccessTypeEverybody},
-			check:    AccessConfig{Permission: AccessTypeUnspecified},
-			isSubSet: false,
-		},
 	}
 
 	for name, spec := range specs {