diff --git a/CHANGES.md b/CHANGES.md
index 4018e3d..8bbf4c5 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -7,6 +7,11 @@ Known issues:
 
 ## 4.13.0 (not yet released)
 
+- [#120] Don't fail `triton instance list` if the retrieval of *image* info
+  (retrieved to get image name and version, as a bonus) fails with an
+  authorization error -- in case it is an RBAC failure where a subuser can
+  ListMachines, but not ListImages.
+
 - [#113] *Usage* errors now some "error help", including option or command
   synopses. Some examples (the new thing is marked with `>`):
 
diff --git a/TODO.txt b/TODO.txt
index 94c391c..ef40391 100644
--- a/TODO.txt
+++ b/TODO.txt
@@ -1,3 +1,8 @@
+- The 'shortcut' commands use `handlerFromSubcmd(...).dispatch`. That
+  doesn't run the subcmd class's `.init()` method. node-cmdln should provide
+  a way to do this. ... basically want to call the *main()* but with preparsed
+  options. Perhaps the init/fini should move into dispatch?
+
 triton create affinity support for tag matching, globs, regex
 
 note in README that full UUIDs is much faster in the API
diff --git a/lib/do_instance/do_list.js b/lib/do_instance/do_list.js
index 64dfe14..61e7884 100644
--- a/lib/do_instance/do_list.js
+++ b/lib/do_instance/do_list.js
@@ -47,6 +47,7 @@ function do_list(subcmd, opts, args, callback) {
         this.do_help('help', {}, [subcmd], callback);
         return;
     }
+    var log = self.top.log;
 
     var columns = columnsDefault;
     if (opts.o) {
@@ -70,7 +71,7 @@ function do_list(subcmd, opts, args, callback) {
     }
 
 
-    var imgs;
+    var imgs = [];
     var insts;
 
     vasync.parallel({funcs: [
@@ -78,7 +79,18 @@ function do_list(subcmd, opts, args, callback) {
             self.top.tritonapi.listImages({useCache: true},
                     function (err, _imgs) {
                 if (err) {
-                    next(err);
+                    if (err.statusCode === 403) {
+                        /*
+                         * This could be a authorization error due to RBAC
+                         * on a subuser. We don't want to fail `triton inst ls`
+                         * if the subuser can ListMachines, but not ListImages.
+                         */
+                        log.debug(err,
+                            'authz error listing images for insts info');
+                        next();
+                    } else {
+                        next(err);
+                    }
                 } else {
                     imgs = _imgs;
                     next();