diff --git a/kubernetes/opa/common/common.rego b/kubernetes/opa/common/common.rego
index 65d6045bc0dc7df0089314119a2468a9b987ff8a..bd491b89a113f5f29858c94c56a3f23aec4b79a4 100644
--- a/kubernetes/opa/common/common.rego
+++ b/kubernetes/opa/common/common.rego
@@ -51,10 +51,10 @@ token_roles = user_token.payload.roles {
 userid = token_userid {
     not http_request.headers["x-authenticated-for"]
 } else = token_userid {
-    http_request.headers["x-authenticated-for"] == "" # This is a temporary fix as the mobile app is sending empty headers as x-authenticated-for: ""
+    count(http_request.headers["x-authenticated-for"]) == 0 # This is a temporary fix as the mobile app is sending empty headers as x-authenticated-for: ""
 } else = for_token_userid {
     http_request.headers["x-authenticated-for"]
-    http_request.headers["x-authenticated-for"] != ""
+    count(http_request.headers["x-authenticated-for"]) > 0
 }
 
 acls_check(acls) = indicies {
@@ -80,9 +80,14 @@ federation_id_check {
 
 parent_id_check {
     http_request.headers["x-authenticated-for"]
+    count(http_request.headers["x-authenticated-for"]) > 0
     token_userid == for_token_parentid
 }
 
+parent_id_check {
+    count(http_request.headers["x-authenticated-for"]) == 0
+}
+
 parent_id_check {
     not http_request.headers["x-authenticated-for"]
 }