diff --git a/src/api2/admin/datastore.rs b/src/api2/admin/datastore.rs
index d5532804..b99984e6 100644
--- a/src/api2/admin/datastore.rs
+++ b/src/api2/admin/datastore.rs
@@ -950,10 +950,9 @@ pub fn prune(
         ns: ns.clone(),
     };
 
+    let worker_id = format!("{}:{}:{}", store, ns, group);
     let group = datastore.backup_group(ns, group);
 
-    let worker_id = format!("{}:{}", store, group);
-
     let mut prune_result = Vec::new();
 
     let list = group.list_backups()?;
@@ -1081,6 +1080,8 @@ pub fn prune_datastore(
     let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
 
     let datastore = DataStore::lookup_datastore(&store, Some(Operation::Write))?;
+    let ns = ns.unwrap_or_default();
+    let worker_id = format!("{}:{}", store, ns);
 
     let to_stdout = rpcenv.env_type() == RpcEnvironmentType::CLI;
 
@@ -1088,18 +1089,11 @@ pub fn prune_datastore(
 
     let upid_str = WorkerTask::new_thread(
         "prune",
-        Some(store.clone()),
+        Some(worker_id),
         auth_id.to_string(),
         to_stdout,
         move |worker| {
-            crate::server::prune_datastore(
-                worker,
-                auth_id,
-                prune_options,
-                datastore,
-                ns.unwrap_or_default(),
-                dry_run,
-            )
+            crate::server::prune_datastore(worker, auth_id, prune_options, datastore, ns, dry_run)
         },
     )?;
 
diff --git a/src/api2/node/tasks.rs b/src/api2/node/tasks.rs
index f045dcac..9cd50e0e 100644
--- a/src/api2/node/tasks.rs
+++ b/src/api2/node/tasks.rs
@@ -64,12 +64,17 @@ fn check_job_privs(auth_id: &Authid, user_info: &CachedUserInfo, upid: &UPID) ->
             )
         }
         ("prune", Some(workerid)) => {
-            return user_info.check_privs(
-                auth_id,
-                &["datastore", workerid],
-                PRIV_DATASTORE_MODIFY,
-                true,
-            );
+            let mut acl_path = vec!["datastore"];
+            acl_path.extend(workerid.split(':'));
+            let acl_path = match acl_path.len() {
+                4 => &acl_path[..3],    // contains group as fourth element
+                2 | 3 => &acl_path[..], // store + optional NS
+                _ => {
+                    bail!("invalid worker ID for prune task");
+                }
+            };
+
+            return user_info.check_privs(auth_id, acl_path, PRIV_DATASTORE_MODIFY, true);
         }
         _ => bail!("not a scheduled job task"),
     };
diff --git a/src/server/prune_job.rs b/src/server/prune_job.rs
index 3f2724dd..ca173091 100644
--- a/src/server/prune_job.rs
+++ b/src/server/prune_job.rs
@@ -104,14 +104,17 @@ pub fn do_prune_job(
 
     let worker_type = job.jobtype().to_string();
     let auth_id = auth_id.clone();
+    let worker_id = format!("{store}");
     let upid_str = WorkerTask::new_thread(
         &worker_type,
-        Some(job.jobname().to_string()),
+        Some(worker_id),
         auth_id.to_string(),
         false,
         move |worker| {
             job.start(&worker.upid().to_string())?;
 
+            task_log!(worker, "prune job '{}'", job.jobname());
+
             if let Some(event_str) = schedule {
                 task_log!(worker, "task triggered by schedule '{}'", event_str);
             }