From f0701b990211a66360b1d9f0bdcaf9535f21d7c3 Mon Sep 17 00:00:00 2001
From: nfebe <fenn25.fn@gmail.com>
Date: Mon, 26 Jan 2026 19:57:45 +0100
Subject: [PATCH 1/2] feat(auth): Add RBAC user interface for users and API
 keys

Add frontend support for multi-user authentication with RBAC:

- UsersView: User management with deployment assignment panel
- APIKeysView: API key creation, listing, and revocation
- LoginView: Toggle between username/password and API key login
- DashboardLayout: User info display, role-based nav items

Updated stores and services:
- auth store: currentUser, permissions, hasPermission()
- users store: User and API key state management
- api service: usersApi, apiKeysApi, deploymentUsersApi

Types added for User, APIKey, UserDeploymentAccess, Permission.

Signed-off-by: nfebe <fenn25.fn@gmail.com>
---
 src/layouts/DashboardLayout.vue |  62 ++-
 src/router/index.ts             |  12 +
 src/services/api.ts             |  73 ++++
 src/stores/auth.ts              | 101 +++++
 src/stores/users.ts             | 178 ++++++++
 src/types/index.ts              |  65 +++
 src/views/APIKeysView.vue       | 637 +++++++++++++++++++++++++++++
 src/views/LoginView.vue         | 120 +++++-
 src/views/UsersView.vue         | 695 ++++++++++++++++++++++++++++++++
 9 files changed, 1936 insertions(+), 7 deletions(-)
 create mode 100644 src/stores/users.ts
 create mode 100644 src/views/APIKeysView.vue
 create mode 100644 src/views/UsersView.vue

diff --git a/src/layouts/DashboardLayout.vue b/src/layouts/DashboardLayout.vue
index 4edb1eb..69086c0 100644
--- a/src/layouts/DashboardLayout.vue
+++ b/src/layouts/DashboardLayout.vue
@@ -182,6 +182,8 @@
           </div>
           <div v-show="expandedGroups.admin && !sidebarCollapsed" class="nav-group-items">
             <router-link to="/settings" class="nav-subitem" active-class="active"> Settings </router-link>
+            <router-link v-if="authStore.hasPermission('users:read')" to="/users" class="nav-subitem" active-class="active"> Users </router-link>
+            <router-link v-if="authStore.hasPermission('apikeys:read')" to="/api-keys" class="nav-subitem" active-class="active"> API Keys </router-link>
           </div>
         </div>
       </nav>
@@ -215,6 +217,15 @@
             </div>
           </div>
         </div>
+        <div v-if="!sidebarCollapsed && authStore.currentUser" class="user-info">
+          <div class="user-avatar">
+            <i class="pi pi-user" />
+          </div>
+          <div class="user-details">
+            <span class="user-name">{{ authStore.currentUser.username }}</span>
+            <span class="user-role">{{ authStore.currentUser.role }}</span>
+          </div>
+        </div>
         <div class="agent-status">
           <span class="status-dot" :class="{ online: agentOnline }" />
           <span v-if="!sidebarCollapsed" class="status-text">{{ agentOnline ? "Connected" : "Disconnected" }}</span>
@@ -271,11 +282,13 @@
 import { ref, reactive, computed, onMounted } from "vue";
 import { useRoute, useRouter } from "vue-router";
 import { useStatsStore } from "@/stores/stats";
+import { useAuthStore } from "@/stores/auth";
 import Logo from "@/components/base/Logo.vue";
 
 const route = useRoute();
 const router = useRouter();
 const statsStore = useStatsStore();
+const authStore = useAuthStore();
 const sidebarCollapsed = ref(false);
 const isRefreshing = ref(false);
 
@@ -344,6 +357,8 @@ const currentPageTitle = computed(() => {
     templates: "Templates",
     marketplace: "App Marketplace",
     settings: "Settings",
+    users: "Users",
+    "api-keys": "API Keys",
   };
   return titles[route.name as string] || "Dashboard";
 });
@@ -379,7 +394,7 @@ const breadcrumbs = computed(() => {
   } else if (["apps", "marketplace"].includes(routeName)) {
     crumbs.push({ label: "Apps", path: "" });
     crumbs.push({ label: currentPageTitle.value, path: "" });
-  } else if (routeName === "settings") {
+  } else if (["settings", "users", "api-keys"].includes(routeName)) {
     crumbs.push({ label: "Administration", path: "" });
     crumbs.push({ label: currentPageTitle.value, path: "" });
   } else if (routeName !== "home") {
@@ -402,12 +417,13 @@ const refreshAll = async () => {
 };
 
 const handleLogout = () => {
-  localStorage.removeItem("auth_token");
+  authStore.logout();
   router.push("/login");
 };
 
 onMounted(() => {
   statsStore.fetchAll();
+  authStore.fetchCurrentUser();
   setInterval(() => statsStore.fetchAll(), 15000);
 });
 </script>
@@ -628,6 +644,48 @@ onMounted(() => {
   background: #ef4444;
 }
 
+.user-info {
+  display: flex;
+  align-items: center;
+  gap: 0.75rem;
+  padding: 0.75rem;
+  background: rgba(255, 255, 255, 0.05);
+  border-radius: 6px;
+  margin-bottom: 0.75rem;
+}
+
+.user-avatar {
+  width: 32px;
+  height: 32px;
+  background: #3b82f6;
+  border-radius: 50%;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+}
+
+.user-avatar i {
+  font-size: 0.875rem;
+  color: white;
+}
+
+.user-details {
+  display: flex;
+  flex-direction: column;
+}
+
+.user-name {
+  font-size: 0.875rem;
+  font-weight: 500;
+  color: white;
+}
+
+.user-role {
+  font-size: 0.75rem;
+  color: #94a3b8;
+  text-transform: capitalize;
+}
+
 .agent-status {
   display: flex;
   align-items: center;
diff --git a/src/router/index.ts b/src/router/index.ts
index 9b8188c..f9d2761 100644
--- a/src/router/index.ts
+++ b/src/router/index.ts
@@ -124,6 +124,18 @@ const routes: RouteRecordRaw[] = [
         name: "dns-external",
         component: () => import("@/views/DnsExternalView.vue"),
       },
+      {
+        path: "users",
+        name: "users",
+        component: () => import("@/views/UsersView.vue"),
+        meta: { permission: "users:read" },
+      },
+      {
+        path: "api-keys",
+        name: "api-keys",
+        component: () => import("@/views/APIKeysView.vue"),
+        meta: { permission: "apikeys:read" },
+      },
     ],
   },
 ];
diff --git a/src/services/api.ts b/src/services/api.ts
index 5f6b6ff..c7120b1 100644
--- a/src/services/api.ts
+++ b/src/services/api.ts
@@ -1100,3 +1100,76 @@ export const powerDnsApi = {
   updateRecords: (zoneId: string, rrsets: PowerDNSRRSet[]) =>
     apiClient.patch<PowerDNSZone>(`/dns/powerdns/zones/${zoneId}`, { rrsets }),
 };
+
+import type { User, APIKey, UserRole, UserDeploymentAccess } from "@/types";
+
+export const usersApi = {
+  list: () => apiClient.get<{ users: User[] }>("/users"),
+
+  get: (id: number) =>
+    apiClient.get<{ user: User; deployments: UserDeploymentAccess[] }>(`/users/${id}`),
+
+  create: (data: { username: string; email?: string; password: string; role: UserRole }) =>
+    apiClient.post<{ user: User }>("/users", data),
+
+  update: (id: number, data: { username?: string; email?: string; role?: UserRole; is_active?: boolean }) =>
+    apiClient.put<{ user: User }>(`/users/${id}`, data),
+
+  delete: (id: number) => apiClient.delete(`/users/${id}`),
+
+  me: () =>
+    apiClient.get<{ user: User; permissions: string[]; deployments: UserDeploymentAccess[] }>("/users/me"),
+
+  updateMe: (data: { email?: string }) => apiClient.put<{ user: User }>("/users/me", data),
+
+  updatePassword: (data: { current_password: string; new_password: string }) =>
+    apiClient.put("/users/me/password", data),
+
+  getDeployments: (userId: number) =>
+    apiClient.get<{ deployments: UserDeploymentAccess[] }>(`/users/${userId}/deployments`),
+
+  assignDeployment: (userId: number, data: { deployment_name: string; access_level: string }) =>
+    apiClient.post(`/users/${userId}/deployments`, data),
+
+  updateDeployment: (userId: number, deploymentName: string, data: { access_level: string }) =>
+    apiClient.put(`/users/${userId}/deployments/${deploymentName}`, data),
+
+  removeDeployment: (userId: number, deploymentName: string) =>
+    apiClient.delete(`/users/${userId}/deployments/${deploymentName}`),
+};
+
+export const apiKeysApi = {
+  list: () => apiClient.get<{ api_keys: APIKey[] }>("/apikeys"),
+
+  get: (id: number) => apiClient.get<{ api_key: APIKey }>(`/apikeys/${id}`),
+
+  create: (data: {
+    name: string;
+    description?: string;
+    role?: UserRole;
+    permissions?: string[];
+    deployments?: string[];
+    expires_in?: number;
+    user_id?: number;
+  }) => apiClient.post<{ api_key: APIKey; message: string }>("/apikeys", data),
+
+  delete: (id: number) => apiClient.delete(`/apikeys/${id}`),
+
+  revoke: (id: number) => apiClient.post(`/apikeys/${id}/revoke`),
+};
+
+export const deploymentUsersApi = {
+  getUsers: (deploymentName: string) =>
+    apiClient.get<{
+      deployment_name: string;
+      users: Array<{
+        user_id: number;
+        username: string;
+        email?: string;
+        role: UserRole;
+        access_level: string;
+        granted_by?: number;
+        created_at: string;
+      }>;
+    }>(`/deployments/${deploymentName}/users`),
+};
diff --git a/src/stores/auth.ts b/src/stores/auth.ts
index c0cf704..8c9a0d6 100644
--- a/src/stores/auth.ts
+++ b/src/stores/auth.ts
@@ -1,6 +1,7 @@
 import { defineStore } from "pinia";
 import { ref, computed } from "vue";
 import axios from "axios";
+import type { User, Permission, UserDeploymentAccess } from "@/types";
 
 const apiClient = axios.create({
   baseURL: import.meta.env.VITE_API_URL || "/api",
@@ -14,8 +15,35 @@ export const useAuthStore = defineStore("auth", () => {
   const authEnabled = ref<boolean | null>(null);
   const loading = ref(false);
   const error = ref("");
+  const currentUser = ref<User | null>(null);
+  const permissions = ref<Permission[]>([]);
+  const deploymentAccess = ref<UserDeploymentAccess[]>([]);
 
   const isAuthenticated = computed(() => !!token.value);
+  const isAdmin = computed(() => currentUser.value?.role === "admin");
+  const isOperator = computed(() => currentUser.value?.role === "operator");
+  const isViewer = computed(() => currentUser.value?.role === "viewer");
+
+  const hasPermission = (permission: Permission): boolean => {
+    if (currentUser.value?.role === "admin") {
+      return true;
+    }
+    return permissions.value.includes(permission);
+  };
+
+  const canAccessDeployment = (deploymentName: string, level: "read" | "write" | "admin"): boolean => {
+    if (currentUser.value?.role === "admin") {
+      return true;
+    }
+
+    const access = deploymentAccess.value.find((d) => d.deployment_name === deploymentName);
+    if (!access) {
+      return false;
+    }
+
+    const levels = { read: 1, write: 2, admin: 3 };
+    return levels[access.access_level] >= levels[level];
+  };
 
   const checkAuthStatus = async () => {
     try {
@@ -36,6 +64,17 @@ export const useAuthStore = defineStore("auth", () => {
       const response = await apiClient.post("/auth/login", { api_key: apiKey });
       token.value = response.data.token;
       localStorage.setItem("auth_token", response.data.token);
+
+      if (response.data.user) {
+        currentUser.value = response.data.user;
+      }
+      if (response.data.permissions) {
+        permissions.value = response.data.permissions;
+      }
+      if (response.data.deployments) {
+        deploymentAccess.value = response.data.deployments;
+      }
+
       return true;
     } catch (e: any) {
       error.value = e.response?.data?.error || "Invalid API key";
@@ -45,8 +84,60 @@ export const useAuthStore = defineStore("auth", () => {
     }
   };
 
+  const loginWithCredentials = async (username: string, password: string) => {
+    loading.value = true;
+    error.value = "";
+
+    try {
+      const response = await apiClient.post("/auth/login", { username, password });
+      token.value = response.data.token;
+      localStorage.setItem("auth_token", response.data.token);
+
+      if (response.data.user) {
+        currentUser.value = response.data.user;
+      }
+      if (response.data.permissions) {
+        permissions.value = response.data.permissions;
+      }
+      if (response.data.deployments) {
+        deploymentAccess.value = response.data.deployments;
+      }
+
+      return true;
+    } catch (e: any) {
+      error.value = e.response?.data?.error || "Invalid username or password";
+      return false;
+    } finally {
+      loading.value = false;
+    }
+  };
+
+  const fetchCurrentUser = async () => {
+    if (!token.value) return;
+
+    try {
+      const authClient = axios.create({
+        baseURL: import.meta.env.VITE_API_URL || "/api",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${token.value}`,
+        },
+      });
+
+      const response = await authClient.get("/users/me");
+      currentUser.value = response.data.user;
+      permissions.value = response.data.permissions || [];
+      deploymentAccess.value = response.data.deployments || [];
+    } catch {
+      // User endpoint may not exist if using legacy auth
+    }
+  };
+
   const logout = () => {
     token.value = null;
+    currentUser.value = null;
+    permissions.value = [];
+    deploymentAccess.value = [];
     localStorage.removeItem("auth_token");
   };
 
@@ -62,9 +153,19 @@ export const useAuthStore = defineStore("auth", () => {
     authEnabled,
     loading,
     error,
+    currentUser,
+    permissions,
+    deploymentAccess,
     isAuthenticated,
+    isAdmin,
+    isOperator,
+    isViewer,
+    hasPermission,
+    canAccessDeployment,
     checkAuthStatus,
     login,
+    loginWithCredentials,
+    fetchCurrentUser,
     logout,
     getAuthHeader,
   };
diff --git a/src/stores/users.ts b/src/stores/users.ts
new file mode 100644
index 0000000..468b182
--- /dev/null
+++ b/src/stores/users.ts
@@ -0,0 +1,178 @@
+import { defineStore } from "pinia";
+import { ref } from "vue";
+import type { User, APIKey, UserRole, UserDeploymentAccess } from "@/types";
+import { usersApi, apiKeysApi } from "@/services/api";
+
+export const useUsersStore = defineStore("users", () => {
+  const users = ref<User[]>([]);
+  const apiKeys = ref<APIKey[]>([]);
+  const loading = ref(false);
+  const error = ref("");
+
+  const fetchUsers = async () => {
+    loading.value = true;
+    error.value = "";
+    try {
+      const response = await usersApi.list();
+      users.value = response.data.users;
+    } catch (e: any) {
+      error.value = e.response?.data?.error || "Failed to fetch users";
+    } finally {
+      loading.value = false;
+    }
+  };
+
+  const getUser = async (id: number) => {
+    try {
+      const response = await usersApi.get(id);
+      return response.data;
+    } catch (e: any) {
+      throw new Error(e.response?.data?.error || "Failed to get user");
+    }
+  };
+
+  const createUser = async (data: {
+    username: string;
+    email?: string;
+    password: string;
+    role: UserRole;
+  }) => {
+    try {
+      const response = await usersApi.create(data);
+      users.value.push(response.data.user);
+      return response.data.user;
+    } catch (e: any) {
+      throw new Error(e.response?.data?.error || "Failed to create user");
+    }
+  };
+
+  const updateUser = async (
+    id: number,
+    data: { username?: string; email?: string; role?: UserRole; is_active?: boolean }
+  ) => {
+    try {
+      const response = await usersApi.update(id, data);
+      const index = users.value.findIndex((u) => u.id === id);
+      if (index !== -1) {
+        users.value[index] = response.data.user;
+      }
+      return response.data.user;
+    } catch (e: any) {
+      throw new Error(e.response?.data?.error || "Failed to update user");
+    }
+  };
+
+  const deleteUser = async (id: number) => {
+    try {
+      await usersApi.delete(id);
+      users.value = users.value.filter((u) => u.id !== id);
+    } catch (e: any) {
+      throw new Error(e.response?.data?.error || "Failed to delete user");
+    }
+  };
+
+  const getUserDeployments = async (userId: number) => {
+    try {
+      const response = await usersApi.getDeployments(userId);
+      return response.data.deployments as UserDeploymentAccess[];
+    } catch (e: any) {
+      throw new Error(e.response?.data?.error || "Failed to get user deployments");
+    }
+  };
+
+  const assignDeployment = async (userId: number, deploymentName: string, accessLevel: string) => {
+    try {
+      await usersApi.assignDeployment(userId, { deployment_name: deploymentName, access_level: accessLevel });
+    } catch (e: any) {
+      throw new Error(e.response?.data?.error || "Failed to assign deployment");
+    }
+  };
+
+  const updateDeploymentAccess = async (userId: number, deploymentName: string, accessLevel: string) => {
+    try {
+      await usersApi.updateDeployment(userId, deploymentName, { access_level: accessLevel });
+    } catch (e: any) {
+      throw new Error(e.response?.data?.error || "Failed to update deployment access");
+    }
+  };
+
+  const removeDeploymentAccess = async (userId: number, deploymentName: string) => {
+    try {
+      await usersApi.removeDeployment(userId, deploymentName);
+    } catch (e: any) {
+      throw new Error(e.response?.data?.error || "Failed to remove deployment access");
+    }
+  };
+
+  const fetchAPIKeys = async () => {
+    loading.value = true;
+    error.value = "";
+    try {
+      const response = await apiKeysApi.list();
+      apiKeys.value = response.data.api_keys;
+    } catch (e: any) {
+      error.value = e.response?.data?.error || "Failed to fetch API keys";
+    } finally {
+      loading.value = false;
+    }
+  };
+
+  const createAPIKey = async (data: {
+    name: string;
+    description?: string;
+    role?: UserRole;
+    permissions?: string[];
+    deployments?: string[];
+    expires_in?: number;
+    user_id?: number;
+  }) => {
+    try {
+      const response = await apiKeysApi.create(data);
+      apiKeys.value.push(response.data.api_key);
+      return response.data;
+    } catch (e: any) {
+      throw new Error(e.response?.data?.error || "Failed to create API key");
+    }
+  };
+
+  const deleteAPIKey = async (id: number) => {
+    try {
+      await apiKeysApi.delete(id);
+      apiKeys.value = apiKeys.value.filter((k) => k.id !== id);
+    } catch (e: any) {
+      throw new Error(e.response?.data?.error || "Failed to delete API key");
+    }
+  };
+
+  const revokeAPIKey = async (id: number) => {
+    try {
+      await apiKeysApi.revoke(id);
+      const index = apiKeys.value.findIndex((k) => k.id === id);
+      if (index !== -1) {
+        apiKeys.value[index].is_active = false;
+      }
+    } catch (e: any) {
+      throw new Error(e.response?.data?.error || "Failed to revoke API key");
+    }
+  };
+
+  return {
+    users,
+    apiKeys,
+    loading,
+    error,
+    fetchUsers,
+    getUser,
+    createUser,
+    updateUser,
+    deleteUser,
+    getUserDeployments,
+    assignDeployment,
+    updateDeploymentAccess,
+    removeDeploymentAccess,
+    fetchAPIKeys,
+    createAPIKey,
+    deleteAPIKey,
+    revokeAPIKey,
+  };
+});
diff --git a/src/types/index.ts b/src/types/index.ts
index 57c0bde..7be640d 100644
--- a/src/types/index.ts
+++ b/src/types/index.ts
@@ -206,3 +206,68 @@ export interface DeploymentRateLimit {
   burst: number;
   enabled: boolean;
 }
+
+export type UserRole = "admin" | "operator" | "viewer";
+
+export interface User {
+  id: number;
+  uid: string;
+  username: string;
+  email?: string;
+  role: UserRole;
+  is_active: boolean;
+  created_at: string;
+  updated_at: string;
+  last_login_at?: string;
+  deployments?: UserDeploymentAccess[];
+}
+
+export interface UserDeploymentAccess {
+  deployment_name: string;
+  access_level: "read" | "write" | "admin";
+  granted_by?: number;
+  created_at: string;
+}
+
+export interface APIKey {
+  id: number;
+  key_id: string;
+  user_id: number;
+  name: string;
+  description?: string;
+  key_prefix: string;
+  role?: UserRole;
+  permissions?: string[];
+  deployments?: string[];
+  expires_at?: string;
+  last_used_at?: string;
+  last_used_ip?: string;
+  is_active: boolean;
+  created_at: string;
+  key?: string;
+}
+
+export type Permission =
+  | "deployments:read"
+  | "deployments:write"
+  | "deployments:delete"
+  | "certificates:read"
+  | "certificates:write"
+  | "certificates:delete"
+  | "networks:read"
+  | "networks:write"
+  | "networks:delete"
+  | "security:read"
+  | "security:write"
+  | "backups:read"
+  | "backups:write"
+  | "backups:delete"
+  | "users:read"
+  | "users:write"
+  | "users:delete"
+  | "apikeys:read"
+  | "apikeys:write"
+  | "apikeys:delete"
+  | "settings:read"
+  | "settings:write"
+  | "audit:read";
diff --git a/src/views/APIKeysView.vue b/src/views/APIKeysView.vue
new file mode 100644
index 0000000..7a52c3c
--- /dev/null
+++ b/src/views/APIKeysView.vue
@@ -0,0 +1,637 @@
+<template>
+  <div class="apikeys-view">
+    <div class="view-header">
+      <h1>API Keys</h1>
+      <div class="header-actions">
+        <button class="btn btn-icon" :disabled="loading" @click="loadAPIKeys">
+          <i class="pi pi-refresh" :class="{ 'pi-spin': loading }" />
+        </button>
+        <button class="btn btn-primary" @click="showCreateDialog = true">
+          <i class="pi pi-plus" />
+          <span>Create API Key</span>
+        </button>
+      </div>
+    </div>
+
+    <div v-if="loading && !apiKeys.length" class="loading-state">
+      <i class="pi pi-spin pi-spinner" />
+      <span>Loading API keys...</span>
+    </div>
+
+    <div v-else-if="error" class="error-state">
+      <i class="pi pi-exclamation-circle" />
+      <span>{{ error }}</span>
+      <button class="btn btn-sm" @click="loadAPIKeys">Retry</button>
+    </div>
+
+    <div v-else class="apikeys-content">
+      <div class="apikeys-table-container">
+        <table class="data-table">
+          <thead>
+            <tr>
+              <th>Name</th>
+              <th>Key Prefix</th>
+              <th>Role</th>
+              <th>Status</th>
+              <th>Last Used</th>
+              <th>Expires</th>
+              <th>Actions</th>
+            </tr>
+          </thead>
+          <tbody>
+            <tr v-for="key in apiKeys" :key="key.id">
+              <td class="name-cell">
+                <i class="pi pi-key" />
+                <div>
+                  <span class="key-name">{{ key.name }}</span>
+                  <span v-if="key.description" class="key-desc">{{ key.description }}</span>
+                </div>
+              </td>
+              <td>
+                <code>{{ key.key_prefix }}</code>
+              </td>
+              <td>
+                <span v-if="key.role" class="role-badge" :class="key.role">{{ key.role }}</span>
+                <span v-else class="role-badge inherit">Inherited</span>
+              </td>
+              <td>
+                <span class="status-badge" :class="key.is_active ? 'active' : 'inactive'">
+                  {{ key.is_active ? "Active" : "Revoked" }}
+                </span>
+              </td>
+              <td>{{ formatDate(key.last_used_at) }}</td>
+              <td>{{ formatExpiry(key.expires_at) }}</td>
+              <td class="actions-cell">
+                <button
+                  v-if="key.is_active"
+                  class="btn btn-icon btn-sm"
+                  title="Revoke"
+                  @click="confirmRevoke(key)"
+                >
+                  <i class="pi pi-ban" />
+                </button>
+                <button class="btn btn-icon btn-sm btn-danger" title="Delete" @click="confirmDelete(key)">
+                  <i class="pi pi-trash" />
+                </button>
+              </td>
+            </tr>
+          </tbody>
+        </table>
+      </div>
+    </div>
+
+    <!-- Create Dialog -->
+    <div v-if="showCreateDialog" class="modal-overlay" @click.self="closeDialogs">
+      <div class="modal-content">
+        <div class="modal-header">
+          <h2>Create API Key</h2>
+          <button class="btn btn-icon" @click="closeDialogs">
+            <i class="pi pi-times" />
+          </button>
+        </div>
+        <form @submit.prevent="createAPIKey">
+          <div class="form-group">
+            <label>Name</label>
+            <input v-model="formData.name" type="text" placeholder="e.g., CI/CD Pipeline" required />
+          </div>
+          <div class="form-group">
+            <label>Description (optional)</label>
+            <input v-model="formData.description" type="text" placeholder="What is this key used for?" />
+          </div>
+          <div class="form-group">
+            <label>Role Override (optional)</label>
+            <select v-model="formData.role">
+              <option value="">Inherit from user</option>
+              <option value="admin">Admin</option>
+              <option value="operator">Operator</option>
+              <option value="viewer">Viewer</option>
+            </select>
+            <small>Leave empty to inherit the role from the user account</small>
+          </div>
+          <div class="form-group">
+            <label>Expiration</label>
+            <select v-model="formData.expires_in">
+              <option :value="0">Never</option>
+              <option :value="86400">1 day</option>
+              <option :value="604800">7 days</option>
+              <option :value="2592000">30 days</option>
+              <option :value="7776000">90 days</option>
+              <option :value="31536000">1 year</option>
+            </select>
+          </div>
+          <div class="modal-actions">
+            <button type="button" class="btn" @click="closeDialogs">Cancel</button>
+            <button type="submit" class="btn btn-primary" :disabled="saving">
+              {{ saving ? "Creating..." : "Create" }}
+            </button>
+          </div>
+        </form>
+      </div>
+    </div>
+
+    <!-- New Key Dialog -->
+    <div v-if="showNewKeyDialog" class="modal-overlay">
+      <div class="modal-content">
+        <div class="modal-header">
+          <h2>API Key Created</h2>
+        </div>
+        <div class="new-key-content">
+          <div class="warning-banner">
+            <i class="pi pi-exclamation-triangle" />
+            <span>Copy this key now. You won't be able to see it again!</span>
+          </div>
+          <div class="key-display">
+            <code>{{ newKeyValue }}</code>
+            <button class="btn btn-icon" @click="copyKey">
+              <i class="pi" :class="copied ? 'pi-check' : 'pi-copy'" />
+            </button>
+          </div>
+        </div>
+        <div class="modal-actions">
+          <button class="btn btn-primary" @click="closeNewKeyDialog">Done</button>
+        </div>
+      </div>
+    </div>
+
+    <!-- Revoke Confirmation -->
+    <div v-if="showRevokeDialog" class="modal-overlay" @click.self="closeDialogs">
+      <div class="modal-content modal-sm">
+        <div class="modal-header">
+          <h2>Revoke API Key</h2>
+        </div>
+        <p>Are you sure you want to revoke API key <strong>{{ selectedKey?.name }}</strong>? This action cannot be undone.</p>
+        <div class="modal-actions">
+          <button class="btn" @click="closeDialogs">Cancel</button>
+          <button class="btn btn-danger" :disabled="saving" @click="revokeKey">
+            {{ saving ? "Revoking..." : "Revoke" }}
+          </button>
+        </div>
+      </div>
+    </div>
+
+    <!-- Delete Confirmation -->
+    <div v-if="showDeleteDialog" class="modal-overlay" @click.self="closeDialogs">
+      <div class="modal-content modal-sm">
+        <div class="modal-header">
+          <h2>Delete API Key</h2>
+        </div>
+        <p>Are you sure you want to delete API key <strong>{{ selectedKey?.name }}</strong>?</p>
+        <div class="modal-actions">
+          <button class="btn" @click="closeDialogs">Cancel</button>
+          <button class="btn btn-danger" :disabled="saving" @click="deleteKey">
+            {{ saving ? "Deleting..." : "Delete" }}
+          </button>
+        </div>
+      </div>
+    </div>
+  </div>
+</template>
+
+<script setup lang="ts">
+import { ref, onMounted, computed } from "vue";
+import type { APIKey, UserRole } from "@/types";
+import { useUsersStore } from "@/stores/users";
+
+const usersStore = useUsersStore();
+
+const apiKeys = computed(() => usersStore.apiKeys);
+const loading = computed(() => usersStore.loading);
+const error = computed(() => usersStore.error);
+
+const showCreateDialog = ref(false);
+const showNewKeyDialog = ref(false);
+const showRevokeDialog = ref(false);
+const showDeleteDialog = ref(false);
+const selectedKey = ref<APIKey | null>(null);
+const newKeyValue = ref("");
+const copied = ref(false);
+const saving = ref(false);
+
+const formData = ref({
+  name: "",
+  description: "",
+  role: "" as UserRole | "",
+  expires_in: 0,
+});
+
+const loadAPIKeys = async () => {
+  await usersStore.fetchAPIKeys();
+};
+
+const createAPIKey = async () => {
+  saving.value = true;
+  try {
+    const result = await usersStore.createAPIKey({
+      name: formData.value.name,
+      description: formData.value.description || undefined,
+      role: formData.value.role || undefined,
+      expires_in: formData.value.expires_in || undefined,
+    });
+    newKeyValue.value = result.api_key.key || "";
+    showCreateDialog.value = false;
+    showNewKeyDialog.value = true;
+    formData.value = { name: "", description: "", role: "", expires_in: 0 };
+  } catch (e: any) {
+    alert(e.message);
+  } finally {
+    saving.value = false;
+  }
+};
+
+const confirmRevoke = (key: APIKey) => {
+  selectedKey.value = key;
+  showRevokeDialog.value = true;
+};
+
+const confirmDelete = (key: APIKey) => {
+  selectedKey.value = key;
+  showDeleteDialog.value = true;
+};
+
+const revokeKey = async () => {
+  if (!selectedKey.value) return;
+  saving.value = true;
+  try {
+    await usersStore.revokeAPIKey(selectedKey.value.id);
+    closeDialogs();
+  } catch (e: any) {
+    alert(e.message);
+  } finally {
+    saving.value = false;
+  }
+};
+
+const deleteKey = async () => {
+  if (!selectedKey.value) return;
+  saving.value = true;
+  try {
+    await usersStore.deleteAPIKey(selectedKey.value.id);
+    closeDialogs();
+  } catch (e: any) {
+    alert(e.message);
+  } finally {
+    saving.value = false;
+  }
+};
+
+const copyKey = async () => {
+  try {
+    await navigator.clipboard.writeText(newKeyValue.value);
+    copied.value = true;
+    setTimeout(() => {
+      copied.value = false;
+    }, 2000);
+  } catch {
+    // fallback
+  }
+};
+
+const closeDialogs = () => {
+  showCreateDialog.value = false;
+  showRevokeDialog.value = false;
+  showDeleteDialog.value = false;
+  selectedKey.value = null;
+};
+
+const closeNewKeyDialog = () => {
+  showNewKeyDialog.value = false;
+  newKeyValue.value = "";
+};
+
+const formatDate = (date?: string) => {
+  if (!date) return "Never";
+  return new Date(date).toLocaleDateString(undefined, {
+    year: "numeric",
+    month: "short",
+    day: "numeric",
+    hour: "2-digit",
+    minute: "2-digit",
+  });
+};
+
+const formatExpiry = (date?: string) => {
+  if (!date) return "Never";
+  const d = new Date(date);
+  if (d < new Date()) return "Expired";
+  return d.toLocaleDateString(undefined, {
+    year: "numeric",
+    month: "short",
+    day: "numeric",
+  });
+};
+
+onMounted(() => {
+  loadAPIKeys();
+});
+</script>
+
+<style scoped>
+.apikeys-view {
+  padding: 1.5rem;
+}
+
+.view-header {
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+  margin-bottom: 1.5rem;
+}
+
+.view-header h1 {
+  font-size: 1.5rem;
+  font-weight: 600;
+  color: var(--text-primary);
+}
+
+.header-actions {
+  display: flex;
+  gap: 0.5rem;
+}
+
+.loading-state,
+.error-state {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  justify-content: center;
+  padding: 3rem;
+  gap: 1rem;
+  color: var(--text-secondary);
+}
+
+.error-state {
+  color: var(--danger);
+}
+
+.apikeys-table-container {
+  background: var(--surface-card);
+  border-radius: 8px;
+  border: 1px solid var(--surface-border);
+  overflow: hidden;
+}
+
+.data-table {
+  width: 100%;
+  border-collapse: collapse;
+}
+
+.data-table th,
+.data-table td {
+  padding: 0.75rem 1rem;
+  text-align: left;
+  border-bottom: 1px solid var(--surface-border);
+}
+
+.data-table th {
+  background: var(--surface-ground);
+  font-weight: 600;
+  color: var(--text-secondary);
+  font-size: 0.8125rem;
+  text-transform: uppercase;
+}
+
+.data-table tbody tr:hover {
+  background: var(--surface-hover);
+}
+
+.name-cell {
+  display: flex;
+  align-items: center;
+  gap: 0.75rem;
+}
+
+.name-cell > div {
+  display: flex;
+  flex-direction: column;
+}
+
+.key-name {
+  font-weight: 500;
+}
+
+.key-desc {
+  font-size: 0.75rem;
+  color: var(--text-secondary);
+}
+
+code {
+  padding: 0.25rem 0.5rem;
+  background: var(--surface-ground);
+  border-radius: 4px;
+  font-family: monospace;
+  font-size: 0.8125rem;
+}
+
+.role-badge {
+  display: inline-block;
+  padding: 0.25rem 0.5rem;
+  border-radius: 4px;
+  font-size: 0.75rem;
+  font-weight: 500;
+  text-transform: capitalize;
+}
+
+.role-badge.admin {
+  background: rgba(var(--danger-rgb), 0.1);
+  color: var(--danger);
+}
+
+.role-badge.operator {
+  background: rgba(var(--warning-rgb), 0.1);
+  color: var(--warning);
+}
+
+.role-badge.viewer {
+  background: rgba(var(--info-rgb), 0.1);
+  color: var(--info);
+}
+
+.role-badge.inherit {
+  background: rgba(var(--text-secondary-rgb), 0.1);
+  color: var(--text-secondary);
+}
+
+.status-badge {
+  display: inline-block;
+  padding: 0.25rem 0.5rem;
+  border-radius: 4px;
+  font-size: 0.75rem;
+  font-weight: 500;
+}
+
+.status-badge.active {
+  background: rgba(var(--success-rgb), 0.1);
+  color: var(--success);
+}
+
+.status-badge.inactive {
+  background: rgba(var(--text-secondary-rgb), 0.1);
+  color: var(--text-secondary);
+}
+
+.actions-cell {
+  display: flex;
+  gap: 0.25rem;
+}
+
+.modal-overlay {
+  position: fixed;
+  top: 0;
+  left: 0;
+  right: 0;
+  bottom: 0;
+  background: rgba(0, 0, 0, 0.5);
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  z-index: 1000;
+}
+
+.modal-content {
+  background: var(--surface-card);
+  border-radius: 8px;
+  width: 100%;
+  max-width: 480px;
+  max-height: 90vh;
+  overflow-y: auto;
+}
+
+.modal-content.modal-sm {
+  max-width: 400px;
+}
+
+.modal-header {
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+  padding: 1rem 1.5rem;
+  border-bottom: 1px solid var(--surface-border);
+}
+
+.modal-header h2 {
+  font-size: 1.125rem;
+  font-weight: 600;
+}
+
+.modal-content form,
+.modal-content p {
+  padding: 1.5rem;
+}
+
+.form-group {
+  margin-bottom: 1rem;
+}
+
+.form-group label {
+  display: block;
+  margin-bottom: 0.5rem;
+  font-weight: 500;
+  color: var(--text-secondary);
+}
+
+.form-group input,
+.form-group select {
+  width: 100%;
+  padding: 0.5rem 0.75rem;
+  border: 1px solid var(--surface-border);
+  border-radius: 4px;
+  background: var(--surface-ground);
+  color: var(--text-primary);
+}
+
+.form-group small {
+  display: block;
+  margin-top: 0.25rem;
+  font-size: 0.75rem;
+  color: var(--text-secondary);
+}
+
+.modal-actions {
+  display: flex;
+  justify-content: flex-end;
+  gap: 0.5rem;
+  padding: 1rem 1.5rem;
+  border-top: 1px solid var(--surface-border);
+}
+
+.new-key-content {
+  padding: 1.5rem;
+}
+
+.warning-banner {
+  display: flex;
+  align-items: center;
+  gap: 0.5rem;
+  padding: 0.75rem 1rem;
+  background: rgba(var(--warning-rgb), 0.1);
+  border: 1px solid var(--warning);
+  border-radius: 4px;
+  color: var(--warning);
+  margin-bottom: 1rem;
+}
+
+.key-display {
+  display: flex;
+  align-items: center;
+  gap: 0.5rem;
+  padding: 0.75rem;
+  background: var(--surface-ground);
+  border-radius: 4px;
+}
+
+.key-display code {
+  flex: 1;
+  word-break: break-all;
+  background: transparent;
+  padding: 0;
+}
+
+.btn {
+  display: inline-flex;
+  align-items: center;
+  gap: 0.5rem;
+  padding: 0.5rem 1rem;
+  border: none;
+  border-radius: 4px;
+  background: var(--surface-ground);
+  color: var(--text-primary);
+  cursor: pointer;
+  font-size: 0.875rem;
+}
+
+.btn:hover {
+  background: var(--surface-hover);
+}
+
+.btn:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+}
+
+.btn-primary {
+  background: var(--primary);
+  color: white;
+}
+
+.btn-primary:hover {
+  background: var(--primary-dark);
+}
+
+.btn-danger {
+  background: var(--danger);
+  color: white;
+}
+
+.btn-danger:hover {
+  background: var(--danger-dark);
+}
+
+.btn-icon {
+  padding: 0.5rem;
+}
+
+.btn-sm {
+  padding: 0.25rem 0.5rem;
+  font-size: 0.8125rem;
+}
+</style>
diff --git a/src/views/LoginView.vue b/src/views/LoginView.vue
index 3a5d8d5..898320c 100644
--- a/src/views/LoginView.vue
+++ b/src/views/LoginView.vue
@@ -26,10 +26,71 @@
       <div class="login-card">
         <div class="card-header">
           <h2>Sign In</h2>
-          <p>Enter your API key to access the dashboard</p>
+          <p>{{ loginMode === "credentials" ? "Enter your credentials" : "Enter your API key" }}</p>
         </div>
 
-        <form class="login-form" @submit.prevent="handleLogin">
+        <div class="login-mode-toggle">
+          <button
+            :class="{ active: loginMode === 'credentials' }"
+            @click="loginMode = 'credentials'"
+          >
+            <i class="pi pi-user" />
+            Username
+          </button>
+          <button
+            :class="{ active: loginMode === 'apikey' }"
+            @click="loginMode = 'apikey'"
+          >
+            <i class="pi pi-key" />
+            API Key
+          </button>
+        </div>
+
+        <form v-if="loginMode === 'credentials'" class="login-form" @submit.prevent="handleCredentialsLogin">
+          <div class="form-group">
+            <label for="username">Username</label>
+            <div class="input-wrapper">
+              <i class="pi pi-user" />
+              <input
+                id="username"
+                v-model="username"
+                type="text"
+                placeholder="Enter your username"
+                :class="{ error: auth.error }"
+                autocomplete="username"
+              />
+            </div>
+          </div>
+
+          <div class="form-group">
+            <label for="password">Password</label>
+            <div class="input-wrapper">
+              <i class="pi pi-lock" />
+              <input
+                id="password"
+                v-model="password"
+                :type="showPassword ? 'text' : 'password'"
+                placeholder="Enter your password"
+                :class="{ error: auth.error }"
+                autocomplete="current-password"
+              />
+              <button type="button" class="toggle-visibility" @click="showPassword = !showPassword">
+                <i :class="showPassword ? 'pi pi-eye-slash' : 'pi pi-eye'" />
+              </button>
+            </div>
+            <span v-if="auth.error" class="error-text">
+              <i class="pi pi-exclamation-circle" />
+              {{ auth.error }}
+            </span>
+          </div>
+
+          <button type="submit" class="login-btn" :disabled="auth.loading || !username || !password">
+            <i v-if="auth.loading" class="pi pi-spin pi-spinner" />
+            <span v-else>Sign In</span>
+          </button>
+        </form>
+
+        <form v-else class="login-form" @submit.prevent="handleAPIKeyLogin">
           <div class="form-group">
             <label for="apiKey">API Key</label>
             <div class="input-wrapper">
@@ -60,7 +121,8 @@
 
         <div class="help-text">
           <i class="pi pi-info-circle" />
-          <span>API keys are configured in the agent's config file</span>
+          <span v-if="loginMode === 'credentials'">Use your FlatRun account credentials</span>
+          <span v-else>API keys are managed in the dashboard settings</span>
         </div>
       </div>
     </div>
@@ -75,10 +137,22 @@ import Logo from "@/components/base/Logo.vue";
 
 const router = useRouter();
 const auth = useAuthStore();
+
+const loginMode = ref<"credentials" | "apikey">("credentials");
+const username = ref("");
+const password = ref("");
 const apiKey = ref("");
 const showKey = ref(false);
+const showPassword = ref(false);
 
-const handleLogin = async () => {
+const handleCredentialsLogin = async () => {
+  const success = await auth.loginWithCredentials(username.value, password.value);
+  if (success) {
+    router.push("/");
+  }
+};
+
+const handleAPIKeyLogin = async () => {
   const success = await auth.login(apiKey.value);
   if (success) {
     router.push("/");
@@ -150,7 +224,7 @@ const handleLogin = async () => {
 }
 
 .card-header {
-  margin-bottom: 2rem;
+  margin-bottom: 1.5rem;
 }
 
 .card-header h2 {
@@ -165,6 +239,42 @@ const handleLogin = async () => {
   font-size: var(--text-base);
 }
 
+.login-mode-toggle {
+  display: flex;
+  gap: 0.5rem;
+  margin-bottom: 1.5rem;
+  padding: 0.25rem;
+  background: var(--color-gray-100);
+  border-radius: var(--radius-sm);
+}
+
+.login-mode-toggle button {
+  flex: 1;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  gap: 0.5rem;
+  padding: 0.625rem 1rem;
+  background: transparent;
+  border: none;
+  border-radius: var(--radius-sm);
+  font-size: var(--text-sm);
+  font-weight: 500;
+  color: var(--color-gray-600);
+  cursor: pointer;
+  transition: all var(--transition-base);
+}
+
+.login-mode-toggle button:hover {
+  color: var(--color-gray-900);
+}
+
+.login-mode-toggle button.active {
+  background: white;
+  color: var(--color-primary-600);
+  box-shadow: var(--shadow-sm);
+}
+
 .login-form {
   margin-bottom: 1.5rem;
 }
diff --git a/src/views/UsersView.vue b/src/views/UsersView.vue
new file mode 100644
index 0000000..5656827
--- /dev/null
+++ b/src/views/UsersView.vue
@@ -0,0 +1,695 @@
+<template>
+  <div class="users-view">
+    <div class="view-header">
+      <h1>Users</h1>
+      <div class="header-actions">
+        <button class="btn btn-icon" :disabled="loading" @click="loadUsers">
+          <i class="pi pi-refresh" :class="{ 'pi-spin': loading }" />
+        </button>
+        <button class="btn btn-primary" @click="showCreateDialog = true">
+          <i class="pi pi-plus" />
+          <span>Add User</span>
+        </button>
+      </div>
+    </div>
+
+    <div v-if="loading && !users.length" class="loading-state">
+      <i class="pi pi-spin pi-spinner" />
+      <span>Loading users...</span>
+    </div>
+
+    <div v-else-if="error" class="error-state">
+      <i class="pi pi-exclamation-circle" />
+      <span>{{ error }}</span>
+      <button class="btn btn-sm" @click="loadUsers">Retry</button>
+    </div>
+
+    <div v-else class="users-content">
+      <div class="users-table-container">
+        <table class="data-table">
+          <thead>
+            <tr>
+              <th>Username</th>
+              <th>Email</th>
+              <th>Role</th>
+              <th>Status</th>
+              <th>Last Login</th>
+              <th>Actions</th>
+            </tr>
+          </thead>
+          <tbody>
+            <tr v-for="user in users" :key="user.id">
+              <td class="username-cell">
+                <i class="pi pi-user" />
+                <span>{{ user.username }}</span>
+              </td>
+              <td>{{ user.email || "-" }}</td>
+              <td>
+                <span class="role-badge" :class="user.role">{{ user.role }}</span>
+              </td>
+              <td>
+                <span class="status-badge" :class="user.is_active ? 'active' : 'inactive'">
+                  {{ user.is_active ? "Active" : "Inactive" }}
+                </span>
+              </td>
+              <td>{{ formatDate(user.last_login_at) }}</td>
+              <td class="actions-cell">
+                <button class="btn btn-icon btn-sm" title="Edit" @click="editUser(user)">
+                  <i class="pi pi-pencil" />
+                </button>
+                <button class="btn btn-icon btn-sm" title="Manage Deployments" @click="manageDeployments(user)">
+                  <i class="pi pi-box" />
+                </button>
+                <button
+                  v-if="user.id !== currentUser?.id"
+                  class="btn btn-icon btn-sm btn-danger"
+                  title="Delete"
+                  @click="confirmDelete(user)"
+                >
+                  <i class="pi pi-trash" />
+                </button>
+              </td>
+            </tr>
+          </tbody>
+        </table>
+      </div>
+    </div>
+
+    <!-- Create/Edit Dialog -->
+    <div v-if="showCreateDialog || showEditDialog" class="modal-overlay" @click.self="closeDialogs">
+      <div class="modal-content">
+        <div class="modal-header">
+          <h2>{{ showEditDialog ? "Edit User" : "Create User" }}</h2>
+          <button class="btn btn-icon" @click="closeDialogs">
+            <i class="pi pi-times" />
+          </button>
+        </div>
+        <form @submit.prevent="showEditDialog ? updateUser() : createUser()">
+          <div class="form-group">
+            <label>Username</label>
+            <input v-model="formData.username" type="text" required :disabled="showEditDialog" />
+          </div>
+          <div class="form-group">
+            <label>Email</label>
+            <input v-model="formData.email" type="email" />
+          </div>
+          <div v-if="!showEditDialog" class="form-group">
+            <label>Password</label>
+            <input v-model="formData.password" type="password" required />
+          </div>
+          <div class="form-group">
+            <label>Role</label>
+            <select v-model="formData.role" required>
+              <option value="admin">Admin</option>
+              <option value="operator">Operator</option>
+              <option value="viewer">Viewer</option>
+            </select>
+          </div>
+          <div v-if="showEditDialog" class="form-group">
+            <label class="checkbox-label">
+              <input v-model="formData.is_active" type="checkbox" />
+              <span>Active</span>
+            </label>
+          </div>
+          <div class="modal-actions">
+            <button type="button" class="btn" @click="closeDialogs">Cancel</button>
+            <button type="submit" class="btn btn-primary" :disabled="saving">
+              {{ saving ? "Saving..." : showEditDialog ? "Update" : "Create" }}
+            </button>
+          </div>
+        </form>
+      </div>
+    </div>
+
+    <!-- Deployments Dialog -->
+    <div v-if="showDeploymentsDialog" class="modal-overlay" @click.self="closeDialogs">
+      <div class="modal-content modal-lg">
+        <div class="modal-header">
+          <h2>Deployment Access for {{ selectedUser?.username }}</h2>
+          <button class="btn btn-icon" @click="closeDialogs">
+            <i class="pi pi-times" />
+          </button>
+        </div>
+        <div class="deployments-manager">
+          <div class="add-deployment-form">
+            <select v-model="newDeployment.name">
+              <option value="">Select deployment...</option>
+              <option v-for="dep in availableDeployments" :key="dep" :value="dep">{{ dep }}</option>
+            </select>
+            <select v-model="newDeployment.access_level">
+              <option value="read">Read</option>
+              <option value="write">Write</option>
+              <option value="admin">Admin</option>
+            </select>
+            <button class="btn btn-primary btn-sm" :disabled="!newDeployment.name" @click="addDeploymentAccess">
+              Add
+            </button>
+          </div>
+          <div v-if="userDeployments.length" class="deployments-list">
+            <div v-for="dep in userDeployments" :key="dep.deployment_name" class="deployment-item">
+              <span class="deployment-name">{{ dep.deployment_name }}</span>
+              <select :value="dep.access_level" @change="updateDeploymentAccess(dep.deployment_name, ($event.target as HTMLSelectElement).value)">
+                <option value="read">Read</option>
+                <option value="write">Write</option>
+                <option value="admin">Admin</option>
+              </select>
+              <button class="btn btn-icon btn-sm btn-danger" @click="removeDeploymentAccess(dep.deployment_name)">
+                <i class="pi pi-times" />
+              </button>
+            </div>
+          </div>
+          <div v-else class="no-deployments">
+            <i class="pi pi-info-circle" />
+            <span>No deployment access assigned</span>
+          </div>
+        </div>
+      </div>
+    </div>
+
+    <!-- Delete Confirmation -->
+    <div v-if="showDeleteDialog" class="modal-overlay" @click.self="closeDialogs">
+      <div class="modal-content modal-sm">
+        <div class="modal-header">
+          <h2>Delete User</h2>
+        </div>
+        <p>Are you sure you want to delete user <strong>{{ selectedUser?.username }}</strong>?</p>
+        <div class="modal-actions">
+          <button class="btn" @click="closeDialogs">Cancel</button>
+          <button class="btn btn-danger" :disabled="saving" @click="deleteUser">
+            {{ saving ? "Deleting..." : "Delete" }}
+          </button>
+        </div>
+      </div>
+    </div>
+  </div>
+</template>
+
+<script setup lang="ts">
+import { ref, onMounted, computed } from "vue";
+import type { User, UserRole, UserDeploymentAccess } from "@/types";
+import { useUsersStore } from "@/stores/users";
+import { useAuthStore } from "@/stores/auth";
+import { deploymentsApi } from "@/services/api";
+
+const usersStore = useUsersStore();
+const authStore = useAuthStore();
+
+const users = computed(() => usersStore.users);
+const loading = computed(() => usersStore.loading);
+const error = computed(() => usersStore.error);
+const currentUser = computed(() => authStore.currentUser);
+
+const showCreateDialog = ref(false);
+const showEditDialog = ref(false);
+const showDeleteDialog = ref(false);
+const showDeploymentsDialog = ref(false);
+const selectedUser = ref<User | null>(null);
+const saving = ref(false);
+
+const formData = ref({
+  username: "",
+  email: "",
+  password: "",
+  role: "viewer" as UserRole,
+  is_active: true,
+});
+
+const userDeployments = ref<UserDeploymentAccess[]>([]);
+const allDeployments = ref<string[]>([]);
+const newDeployment = ref({ name: "", access_level: "read" });
+
+const availableDeployments = computed(() => {
+  const assigned = new Set(userDeployments.value.map((d) => d.deployment_name));
+  return allDeployments.value.filter((d) => !assigned.has(d));
+});
+
+const loadUsers = async () => {
+  await usersStore.fetchUsers();
+};
+
+const loadAllDeployments = async () => {
+  try {
+    const response = await deploymentsApi.list();
+    allDeployments.value = response.data.deployments.map((d) => d.name);
+  } catch {
+    // ignore
+  }
+};
+
+const editUser = (user: User) => {
+  selectedUser.value = user;
+  formData.value = {
+    username: user.username,
+    email: user.email || "",
+    password: "",
+    role: user.role,
+    is_active: user.is_active,
+  };
+  showEditDialog.value = true;
+};
+
+const manageDeployments = async (user: User) => {
+  selectedUser.value = user;
+  try {
+    userDeployments.value = await usersStore.getUserDeployments(user.id);
+  } catch {
+    userDeployments.value = [];
+  }
+  showDeploymentsDialog.value = true;
+};
+
+const confirmDelete = (user: User) => {
+  selectedUser.value = user;
+  showDeleteDialog.value = true;
+};
+
+const createUser = async () => {
+  saving.value = true;
+  try {
+    await usersStore.createUser({
+      username: formData.value.username,
+      email: formData.value.email || undefined,
+      password: formData.value.password,
+      role: formData.value.role,
+    });
+    closeDialogs();
+  } catch (e: any) {
+    alert(e.message);
+  } finally {
+    saving.value = false;
+  }
+};
+
+const updateUser = async () => {
+  if (!selectedUser.value) return;
+  saving.value = true;
+  try {
+    await usersStore.updateUser(selectedUser.value.id, {
+      email: formData.value.email || undefined,
+      role: formData.value.role,
+      is_active: formData.value.is_active,
+    });
+    closeDialogs();
+  } catch (e: any) {
+    alert(e.message);
+  } finally {
+    saving.value = false;
+  }
+};
+
+const deleteUser = async () => {
+  if (!selectedUser.value) return;
+  saving.value = true;
+  try {
+    await usersStore.deleteUser(selectedUser.value.id);
+    closeDialogs();
+  } catch (e: any) {
+    alert(e.message);
+  } finally {
+    saving.value = false;
+  }
+};
+
+const addDeploymentAccess = async () => {
+  if (!selectedUser.value || !newDeployment.value.name) return;
+  try {
+    await usersStore.assignDeployment(selectedUser.value.id, newDeployment.value.name, newDeployment.value.access_level);
+    userDeployments.value.push({
+      deployment_name: newDeployment.value.name,
+      access_level: newDeployment.value.access_level as "read" | "write" | "admin",
+      created_at: new Date().toISOString(),
+    });
+    newDeployment.value = { name: "", access_level: "read" };
+  } catch (e: any) {
+    alert(e.message);
+  }
+};
+
+const updateDeploymentAccess = async (deploymentName: string, accessLevel: string) => {
+  if (!selectedUser.value) return;
+  try {
+    await usersStore.updateDeploymentAccess(selectedUser.value.id, deploymentName, accessLevel);
+    const dep = userDeployments.value.find((d) => d.deployment_name === deploymentName);
+    if (dep) {
+      dep.access_level = accessLevel as "read" | "write" | "admin";
+    }
+  } catch (e: any) {
+    alert(e.message);
+  }
+};
+
+const removeDeploymentAccess = async (deploymentName: string) => {
+  if (!selectedUser.value) return;
+  try {
+    await usersStore.removeDeploymentAccess(selectedUser.value.id, deploymentName);
+    userDeployments.value = userDeployments.value.filter((d) => d.deployment_name !== deploymentName);
+  } catch (e: any) {
+    alert(e.message);
+  }
+};
+
+const closeDialogs = () => {
+  showCreateDialog.value = false;
+  showEditDialog.value = false;
+  showDeleteDialog.value = false;
+  showDeploymentsDialog.value = false;
+  selectedUser.value = null;
+  formData.value = {
+    username: "",
+    email: "",
+    password: "",
+    role: "viewer",
+    is_active: true,
+  };
+};
+
+const formatDate = (date?: string) => {
+  if (!date) return "Never";
+  return new Date(date).toLocaleDateString(undefined, {
+    year: "numeric",
+    month: "short",
+    day: "numeric",
+    hour: "2-digit",
+    minute: "2-digit",
+  });
+};
+
+onMounted(() => {
+  loadUsers();
+  loadAllDeployments();
+});
+</script>
+
+<style scoped>
+.users-view {
+  padding: 1.5rem;
+}
+
+.view-header {
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+  margin-bottom: 1.5rem;
+}
+
+.view-header h1 {
+  font-size: 1.5rem;
+  font-weight: 600;
+  color: var(--text-primary);
+}
+
+.header-actions {
+  display: flex;
+  gap: 0.5rem;
+}
+
+.loading-state,
+.error-state {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  justify-content: center;
+  padding: 3rem;
+  gap: 1rem;
+  color: var(--text-secondary);
+}
+
+.error-state {
+  color: var(--danger);
+}
+
+.users-table-container {
+  background: var(--surface-card);
+  border-radius: 8px;
+  border: 1px solid var(--surface-border);
+  overflow: hidden;
+}
+
+.data-table {
+  width: 100%;
+  border-collapse: collapse;
+}
+
+.data-table th,
+.data-table td {
+  padding: 0.75rem 1rem;
+  text-align: left;
+  border-bottom: 1px solid var(--surface-border);
+}
+
+.data-table th {
+  background: var(--surface-ground);
+  font-weight: 600;
+  color: var(--text-secondary);
+  font-size: 0.8125rem;
+  text-transform: uppercase;
+}
+
+.data-table tbody tr:hover {
+  background: var(--surface-hover);
+}
+
+.username-cell {
+  display: flex;
+  align-items: center;
+  gap: 0.5rem;
+}
+
+.role-badge {
+  display: inline-block;
+  padding: 0.25rem 0.5rem;
+  border-radius: 4px;
+  font-size: 0.75rem;
+  font-weight: 500;
+  text-transform: capitalize;
+}
+
+.role-badge.admin {
+  background: rgba(var(--danger-rgb), 0.1);
+  color: var(--danger);
+}
+
+.role-badge.operator {
+  background: rgba(var(--warning-rgb), 0.1);
+  color: var(--warning);
+}
+
+.role-badge.viewer {
+  background: rgba(var(--info-rgb), 0.1);
+  color: var(--info);
+}
+
+.status-badge {
+  display: inline-block;
+  padding: 0.25rem 0.5rem;
+  border-radius: 4px;
+  font-size: 0.75rem;
+  font-weight: 500;
+}
+
+.status-badge.active {
+  background: rgba(var(--success-rgb), 0.1);
+  color: var(--success);
+}
+
+.status-badge.inactive {
+  background: rgba(var(--text-secondary-rgb), 0.1);
+  color: var(--text-secondary);
+}
+
+.actions-cell {
+  display: flex;
+  gap: 0.25rem;
+}
+
+.modal-overlay {
+  position: fixed;
+  top: 0;
+  left: 0;
+  right: 0;
+  bottom: 0;
+  background: rgba(0, 0, 0, 0.5);
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  z-index: 1000;
+}
+
+.modal-content {
+  background: var(--surface-card);
+  border-radius: 8px;
+  width: 100%;
+  max-width: 480px;
+  max-height: 90vh;
+  overflow-y: auto;
+}
+
+.modal-content.modal-lg {
+  max-width: 640px;
+}
+
+.modal-content.modal-sm {
+  max-width: 400px;
+}
+
+.modal-header {
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+  padding: 1rem 1.5rem;
+  border-bottom: 1px solid var(--surface-border);
+}
+
+.modal-header h2 {
+  font-size: 1.125rem;
+  font-weight: 600;
+}
+
+.modal-content form,
+.modal-content p {
+  padding: 1.5rem;
+}
+
+.form-group {
+  margin-bottom: 1rem;
+}
+
+.form-group label {
+  display: block;
+  margin-bottom: 0.5rem;
+  font-weight: 500;
+  color: var(--text-secondary);
+}
+
+.form-group input,
+.form-group select {
+  width: 100%;
+  padding: 0.5rem 0.75rem;
+  border: 1px solid var(--surface-border);
+  border-radius: 4px;
+  background: var(--surface-ground);
+  color: var(--text-primary);
+}
+
+.checkbox-label {
+  display: flex;
+  align-items: center;
+  gap: 0.5rem;
+  cursor: pointer;
+}
+
+.checkbox-label input {
+  width: auto;
+}
+
+.modal-actions {
+  display: flex;
+  justify-content: flex-end;
+  gap: 0.5rem;
+  padding: 1rem 1.5rem;
+  border-top: 1px solid var(--surface-border);
+}
+
+.deployments-manager {
+  padding: 1.5rem;
+}
+
+.add-deployment-form {
+  display: flex;
+  gap: 0.5rem;
+  margin-bottom: 1rem;
+}
+
+.add-deployment-form select {
+  flex: 1;
+  padding: 0.5rem;
+  border: 1px solid var(--surface-border);
+  border-radius: 4px;
+  background: var(--surface-ground);
+}
+
+.deployments-list {
+  display: flex;
+  flex-direction: column;
+  gap: 0.5rem;
+}
+
+.deployment-item {
+  display: flex;
+  align-items: center;
+  gap: 0.5rem;
+  padding: 0.5rem;
+  background: var(--surface-ground);
+  border-radius: 4px;
+}
+
+.deployment-name {
+  flex: 1;
+  font-weight: 500;
+}
+
+.deployment-item select {
+  padding: 0.25rem 0.5rem;
+  border: 1px solid var(--surface-border);
+  border-radius: 4px;
+  background: var(--surface-card);
+}
+
+.no-deployments {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  gap: 0.5rem;
+  padding: 2rem;
+  color: var(--text-secondary);
+}
+
+.btn {
+  display: inline-flex;
+  align-items: center;
+  gap: 0.5rem;
+  padding: 0.5rem 1rem;
+  border: none;
+  border-radius: 4px;
+  background: var(--surface-ground);
+  color: var(--text-primary);
+  cursor: pointer;
+  font-size: 0.875rem;
+}
+
+.btn:hover {
+  background: var(--surface-hover);
+}
+
+.btn:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+}
+
+.btn-primary {
+  background: var(--primary);
+  color: white;
+}
+
+.btn-primary:hover {
+  background: var(--primary-dark);
+}
+
+.btn-danger {
+  background: var(--danger);
+  color: white;
+}
+
+.btn-danger:hover {
+  background: var(--danger-dark);
+}
+
+.btn-icon {
+  padding: 0.5rem;
+}
+
+.btn-sm {
+  padding: 0.25rem 0.5rem;
+  font-size: 0.8125rem;
+}
+</style>

From 0bca360ed12ff93fa3acd320417f3e50fb76b659 Mon Sep 17 00:00:00 2001
From: nfebe <fenn25.fn@gmail.com>
Date: Wed, 28 Jan 2026 22:27:28 +0100
Subject: [PATCH 2/2] feat(auth): Add granular permissions UI and per-user
 overrides

Add resource-specific permission gates to router, sidebar, and
all view components for containers, images, volumes, databases,
infrastructure, scheduler, system, dns, registries, templates,
and traffic.

Add PermissionPicker component for editing user and API key
permissions. Rework UsersView with tabbed dialog (Profile,
Permissions, Deployments) and table columns showing permission
and deployment status.

Read deployment stats from authenticated /stats endpoint instead
of public /health to reflect per-user filtered counts.

Add PermissionPicker component tests and permission denial tests
for DeploymentsView, DeploymentDetailView, CronJobsView, and
SettingsView to verify write/delete buttons are hidden when the
user lacks the required permissions.

Signed-off-by: nfebe <fenn25.fn@gmail.com>
---
 src/components/PermissionPicker.test.ts | 169 ++++++++++
 src/components/PermissionPicker.vue     | 366 +++++++++++++++++++++
 src/layouts/DashboardLayout.vue         | 149 +++++++--
 src/router/index.ts                     |  42 ++-
 src/services/api.ts                     |  14 +-
 src/stores/auth.ts                      |  10 +
 src/stores/stats.ts                     |  12 +-
 src/stores/users.ts                     |   3 +-
 src/types/index.ts                      |  32 +-
 src/utils/permissions.ts                | 124 +++++++
 src/views/APIKeysView.vue               |  96 +++++-
 src/views/CertificatesView.vue          |   9 +-
 src/views/ContainersView.vue            |  18 +-
 src/views/CronJobsView.test.ts          |  52 ++-
 src/views/CronJobsView.vue              |  21 +-
 src/views/DeploymentDetailView.test.ts  |  63 +++-
 src/views/DeploymentDetailView.vue      |  12 +-
 src/views/DeploymentsView.test.ts       |  47 ++-
 src/views/DeploymentsView.vue           |  11 +-
 src/views/DockerPortsView.vue           |   6 +-
 src/views/ImagesView.vue                |  12 +-
 src/views/InfrastructureView.vue        |   9 +-
 src/views/LoginView.vue                 |  10 +-
 src/views/NetworksView.vue              |  22 +-
 src/views/SecurityView.vue              |  53 ++-
 src/views/ServicesView.vue              |  14 +-
 src/views/SettingsView.test.ts          |  10 +-
 src/views/SettingsView.vue              |  15 +-
 src/views/SystemPortsView.vue           |   4 +
 src/views/UsersView.vue                 | 408 +++++++++++++++++-------
 src/views/VolumesView.vue               |  14 +-
 31 files changed, 1582 insertions(+), 245 deletions(-)
 create mode 100644 src/components/PermissionPicker.test.ts
 create mode 100644 src/components/PermissionPicker.vue
 create mode 100644 src/utils/permissions.ts

diff --git a/src/components/PermissionPicker.test.ts b/src/components/PermissionPicker.test.ts
new file mode 100644
index 0000000..3b56086
--- /dev/null
+++ b/src/components/PermissionPicker.test.ts
@@ -0,0 +1,169 @@
+import { describe, it, expect } from "vitest";
+import { mount } from "@vue/test-utils";
+import PermissionPicker from "./PermissionPicker.vue";
+
+describe("PermissionPicker", () => {
+  const mountPicker = (props: { modelValue: string[]; readonly?: boolean }) => {
+    return mount(PermissionPicker, { props });
+  };
+
+  describe("Rendering", () => {
+    it("renders all permission groups", () => {
+      const wrapper = mountPicker({ modelValue: [] });
+      const groups = wrapper.findAll(".permission-group");
+      expect(groups.length).toBe(20);
+    });
+
+    it("displays group labels", () => {
+      const wrapper = mountPicker({ modelValue: [] });
+      const text = wrapper.text();
+      expect(text).toContain("Deployments");
+      expect(text).toContain("Containers");
+      expect(text).toContain("Databases");
+      expect(text).toContain("Infrastructure");
+      expect(text).toContain("DNS");
+      expect(text).toContain("Audit");
+    });
+
+    it("displays read/write/delete labels within groups", () => {
+      const wrapper = mountPicker({ modelValue: [] });
+      const text = wrapper.text();
+      expect(text).toContain("Read");
+      expect(text).toContain("Write");
+      expect(text).toContain("Delete");
+    });
+  });
+
+  describe("Selection state", () => {
+    it("checks selected permissions", () => {
+      const wrapper = mountPicker({
+        modelValue: ["deployments:read", "containers:write"],
+      });
+      const checkboxes = wrapper.findAll("input[type='checkbox']");
+      const checked = checkboxes.filter((cb) => (cb.element as HTMLInputElement).checked);
+      // 2 individual + their group toggles may or may not be checked
+      expect(checked.length).toBeGreaterThanOrEqual(2);
+    });
+
+    it("shows group as fully selected when all permissions are selected", () => {
+      const wrapper = mountPicker({
+        modelValue: ["deployments:read", "deployments:write", "deployments:delete"],
+      });
+      // First group toggle checkbox should be checked
+      const groupToggle = wrapper.find(".group-toggle input[type='checkbox']");
+      expect((groupToggle.element as HTMLInputElement).checked).toBe(true);
+    });
+
+    it("shows group as indeterminate when partially selected", () => {
+      const wrapper = mountPicker({
+        modelValue: ["deployments:read"],
+      });
+      const groupToggle = wrapper.find(".group-toggle input[type='checkbox']");
+      expect((groupToggle.element as HTMLInputElement).indeterminate).toBe(true);
+    });
+
+    it("shows group toggle unchecked when no permissions selected", () => {
+      const wrapper = mountPicker({ modelValue: [] });
+      const groupToggle = wrapper.find(".group-toggle input[type='checkbox']");
+      expect((groupToggle.element as HTMLInputElement).checked).toBe(false);
+      expect((groupToggle.element as HTMLInputElement).indeterminate).toBe(false);
+    });
+  });
+
+  describe("Toggling permissions", () => {
+    it("emits update when toggling a permission on", async () => {
+      const wrapper = mountPicker({ modelValue: [] });
+      const permCheckboxes = wrapper.findAll(".permission-item input[type='checkbox']");
+      await permCheckboxes[0].trigger("change");
+      const emitted = wrapper.emitted("update:modelValue");
+      expect(emitted).toBeTruthy();
+      expect(emitted![0][0]).toContain("deployments:read");
+    });
+
+    it("emits update when toggling a permission off", async () => {
+      const wrapper = mountPicker({
+        modelValue: ["deployments:read", "deployments:write"],
+      });
+      const permCheckboxes = wrapper.findAll(".permission-item input[type='checkbox']");
+      await permCheckboxes[0].trigger("change");
+      const emitted = wrapper.emitted("update:modelValue");
+      expect(emitted).toBeTruthy();
+      expect(emitted![0][0]).not.toContain("deployments:read");
+      expect(emitted![0][0]).toContain("deployments:write");
+    });
+
+    it("selects all group permissions when toggling group on", async () => {
+      const wrapper = mountPicker({ modelValue: [] });
+      const groupToggle = wrapper.find(".group-toggle input[type='checkbox']");
+      await groupToggle.trigger("change");
+      const emitted = wrapper.emitted("update:modelValue");
+      expect(emitted).toBeTruthy();
+      const value = emitted![0][0] as string[];
+      expect(value).toContain("deployments:read");
+      expect(value).toContain("deployments:write");
+      expect(value).toContain("deployments:delete");
+    });
+
+    it("deselects all group permissions when toggling fully selected group off", async () => {
+      const wrapper = mountPicker({
+        modelValue: ["deployments:read", "deployments:write", "deployments:delete"],
+      });
+      const groupToggle = wrapper.find(".group-toggle input[type='checkbox']");
+      await groupToggle.trigger("change");
+      const emitted = wrapper.emitted("update:modelValue");
+      expect(emitted).toBeTruthy();
+      const value = emitted![0][0] as string[];
+      expect(value).not.toContain("deployments:read");
+      expect(value).not.toContain("deployments:write");
+      expect(value).not.toContain("deployments:delete");
+    });
+
+    it("preserves other groups when toggling one group", async () => {
+      const wrapper = mountPicker({
+        modelValue: ["containers:read"],
+      });
+      const groupToggle = wrapper.find(".group-toggle input[type='checkbox']");
+      await groupToggle.trigger("change");
+      const emitted = wrapper.emitted("update:modelValue");
+      const value = emitted![0][0] as string[];
+      expect(value).toContain("containers:read");
+      expect(value).toContain("deployments:read");
+    });
+  });
+
+  describe("Readonly mode", () => {
+    it("hides checkboxes in readonly mode", () => {
+      const wrapper = mountPicker({
+        modelValue: ["deployments:read"],
+        readonly: true,
+      });
+      expect(wrapper.findAll("input[type='checkbox']").length).toBe(0);
+    });
+
+    it("shows granted/denied indicators in readonly mode", () => {
+      const wrapper = mountPicker({
+        modelValue: ["deployments:read"],
+        readonly: true,
+      });
+      expect(wrapper.findAll(".readonly-indicator.granted").length).toBeGreaterThan(0);
+      expect(wrapper.findAll(".readonly-indicator.denied").length).toBeGreaterThan(0);
+    });
+
+    it("hides group toggle checkboxes in readonly mode", () => {
+      const wrapper = mountPicker({
+        modelValue: [],
+        readonly: true,
+      });
+      expect(wrapper.findAll(".group-toggle").length).toBe(0);
+    });
+
+    it("still renders group labels in readonly mode", () => {
+      const wrapper = mountPicker({
+        modelValue: [],
+        readonly: true,
+      });
+      expect(wrapper.text()).toContain("Deployments");
+      expect(wrapper.text()).toContain("Containers");
+    });
+  });
+});
diff --git a/src/components/PermissionPicker.vue b/src/components/PermissionPicker.vue
new file mode 100644
index 0000000..b210319
--- /dev/null
+++ b/src/components/PermissionPicker.vue
@@ -0,0 +1,366 @@
+<template>
+  <div class="permission-picker">
+    <div v-for="group in permissionGroups" :key="group.key" class="permission-group">
+      <div class="group-header">
+        <label v-if="!readonly" class="checkbox-label group-toggle">
+          <input
+            type="checkbox"
+            :checked="isGroupFullySelected(group)"
+            :indeterminate="isGroupPartiallySelected(group)"
+            :disabled="readonly"
+            @change="toggleGroup(group)"
+          />
+          <span class="group-name">{{ group.label }}</span>
+        </label>
+        <span v-else class="group-name">{{ group.label }}</span>
+      </div>
+      <div class="group-permissions">
+        <label
+          v-for="perm in group.permissions"
+          :key="perm.value"
+          class="checkbox-label permission-item"
+          :class="{ selected: isSelected(perm.value), readonly }"
+        >
+          <input
+            v-if="!readonly"
+            type="checkbox"
+            :checked="isSelected(perm.value)"
+            @change="togglePermission(perm.value)"
+          />
+          <span v-else class="readonly-indicator" :class="isSelected(perm.value) ? 'granted' : 'denied'">
+            <i :class="isSelected(perm.value) ? 'pi pi-check' : 'pi pi-minus'" />
+          </span>
+          <span class="perm-label" :class="perm.level">{{ perm.label }}</span>
+        </label>
+      </div>
+    </div>
+  </div>
+</template>
+
+<script setup lang="ts">
+import { computed } from "vue";
+
+interface PermissionEntry {
+  value: string;
+  label: string;
+  level: "read" | "write" | "delete";
+}
+
+interface PermissionGroup {
+  key: string;
+  label: string;
+  permissions: PermissionEntry[];
+}
+
+const props = defineProps<{
+  modelValue: string[];
+  readonly?: boolean;
+}>();
+
+const emit = defineEmits<{
+  "update:modelValue": [value: string[]];
+}>();
+
+const permissionGroups: PermissionGroup[] = [
+  {
+    key: "deployments",
+    label: "Deployments",
+    permissions: [
+      { value: "deployments:read", label: "Read", level: "read" },
+      { value: "deployments:write", label: "Write", level: "write" },
+      { value: "deployments:delete", label: "Delete", level: "delete" },
+    ],
+  },
+  {
+    key: "containers",
+    label: "Containers",
+    permissions: [
+      { value: "containers:read", label: "Read", level: "read" },
+      { value: "containers:write", label: "Write", level: "write" },
+      { value: "containers:delete", label: "Delete", level: "delete" },
+    ],
+  },
+  {
+    key: "images",
+    label: "Images",
+    permissions: [
+      { value: "images:read", label: "Read", level: "read" },
+      { value: "images:write", label: "Write", level: "write" },
+      { value: "images:delete", label: "Delete", level: "delete" },
+    ],
+  },
+  {
+    key: "volumes",
+    label: "Volumes",
+    permissions: [
+      { value: "volumes:read", label: "Read", level: "read" },
+      { value: "volumes:write", label: "Write", level: "write" },
+      { value: "volumes:delete", label: "Delete", level: "delete" },
+    ],
+  },
+  {
+    key: "databases",
+    label: "Databases",
+    permissions: [
+      { value: "databases:read", label: "Read", level: "read" },
+      { value: "databases:write", label: "Write", level: "write" },
+      { value: "databases:delete", label: "Delete", level: "delete" },
+    ],
+  },
+  {
+    key: "infrastructure",
+    label: "Infrastructure",
+    permissions: [
+      { value: "infrastructure:read", label: "Read", level: "read" },
+      { value: "infrastructure:write", label: "Write", level: "write" },
+    ],
+  },
+  {
+    key: "scheduler",
+    label: "Scheduler",
+    permissions: [
+      { value: "scheduler:read", label: "Read", level: "read" },
+      { value: "scheduler:write", label: "Write", level: "write" },
+      { value: "scheduler:delete", label: "Delete", level: "delete" },
+    ],
+  },
+  {
+    key: "system",
+    label: "System",
+    permissions: [
+      { value: "system:read", label: "Read", level: "read" },
+      { value: "system:write", label: "Write", level: "write" },
+    ],
+  },
+  {
+    key: "dns",
+    label: "DNS",
+    permissions: [
+      { value: "dns:read", label: "Read", level: "read" },
+      { value: "dns:write", label: "Write", level: "write" },
+    ],
+  },
+  {
+    key: "registries",
+    label: "Registries",
+    permissions: [
+      { value: "registries:read", label: "Read", level: "read" },
+      { value: "registries:write", label: "Write", level: "write" },
+      { value: "registries:delete", label: "Delete", level: "delete" },
+    ],
+  },
+  {
+    key: "templates",
+    label: "Templates",
+    permissions: [
+      { value: "templates:read", label: "Read", level: "read" },
+      { value: "templates:write", label: "Write", level: "write" },
+    ],
+  },
+  {
+    key: "traffic",
+    label: "Traffic",
+    permissions: [
+      { value: "traffic:read", label: "Read", level: "read" },
+      { value: "traffic:write", label: "Write", level: "write" },
+    ],
+  },
+  {
+    key: "networks",
+    label: "Networks",
+    permissions: [
+      { value: "networks:read", label: "Read", level: "read" },
+      { value: "networks:write", label: "Write", level: "write" },
+      { value: "networks:delete", label: "Delete", level: "delete" },
+    ],
+  },
+  {
+    key: "certificates",
+    label: "Certificates",
+    permissions: [
+      { value: "certificates:read", label: "Read", level: "read" },
+      { value: "certificates:write", label: "Write", level: "write" },
+      { value: "certificates:delete", label: "Delete", level: "delete" },
+    ],
+  },
+  {
+    key: "security",
+    label: "Security",
+    permissions: [
+      { value: "security:read", label: "Read", level: "read" },
+      { value: "security:write", label: "Write", level: "write" },
+    ],
+  },
+  {
+    key: "backups",
+    label: "Backups",
+    permissions: [
+      { value: "backups:read", label: "Read", level: "read" },
+      { value: "backups:write", label: "Write", level: "write" },
+      { value: "backups:delete", label: "Delete", level: "delete" },
+    ],
+  },
+  {
+    key: "users",
+    label: "Users",
+    permissions: [
+      { value: "users:read", label: "Read", level: "read" },
+      { value: "users:write", label: "Write", level: "write" },
+      { value: "users:delete", label: "Delete", level: "delete" },
+    ],
+  },
+  {
+    key: "apikeys",
+    label: "API Keys",
+    permissions: [
+      { value: "apikeys:read", label: "Read", level: "read" },
+      { value: "apikeys:write", label: "Write", level: "write" },
+      { value: "apikeys:delete", label: "Delete", level: "delete" },
+    ],
+  },
+  {
+    key: "settings",
+    label: "Settings",
+    permissions: [
+      { value: "settings:read", label: "Read", level: "read" },
+      { value: "settings:write", label: "Write", level: "write" },
+    ],
+  },
+  {
+    key: "audit",
+    label: "Audit",
+    permissions: [{ value: "audit:read", label: "Read", level: "read" }],
+  },
+];
+
+const selected = computed(() => new Set(props.modelValue));
+
+const isSelected = (perm: string): boolean => selected.value.has(perm);
+
+const isGroupFullySelected = (group: PermissionGroup): boolean => {
+  return group.permissions.every((p) => selected.value.has(p.value));
+};
+
+const isGroupPartiallySelected = (group: PermissionGroup): boolean => {
+  const some = group.permissions.some((p) => selected.value.has(p.value));
+  const all = group.permissions.every((p) => selected.value.has(p.value));
+  return some && !all;
+};
+
+const togglePermission = (perm: string) => {
+  const current = [...props.modelValue];
+  const idx = current.indexOf(perm);
+  if (idx >= 0) {
+    current.splice(idx, 1);
+  } else {
+    current.push(perm);
+  }
+  emit("update:modelValue", current);
+};
+
+const toggleGroup = (group: PermissionGroup) => {
+  const current = new Set(props.modelValue);
+  const allSelected = group.permissions.every((p) => current.has(p.value));
+
+  if (allSelected) {
+    group.permissions.forEach((p) => current.delete(p.value));
+  } else {
+    group.permissions.forEach((p) => current.add(p.value));
+  }
+  emit("update:modelValue", [...current]);
+};
+</script>
+
+<style scoped>
+.permission-picker {
+  display: grid;
+  grid-template-columns: repeat(auto-fill, minmax(220px, 1fr));
+  gap: 0.75rem;
+}
+
+.permission-group {
+  background: var(--surface-ground, #f8fafc);
+  border: 1px solid var(--surface-border, #e2e8f0);
+  border-radius: 6px;
+  padding: 0.625rem 0.75rem;
+}
+
+.group-header {
+  margin-bottom: 0.375rem;
+  padding-bottom: 0.375rem;
+  border-bottom: 1px solid var(--surface-border, #e2e8f0);
+}
+
+.group-name {
+  font-weight: 600;
+  font-size: 0.8125rem;
+  color: var(--text-primary, #0f172a);
+}
+
+.group-permissions {
+  display: flex;
+  flex-wrap: wrap;
+  gap: 0.375rem;
+}
+
+.checkbox-label {
+  display: flex;
+  align-items: center;
+  gap: 0.375rem;
+  cursor: pointer;
+  font-size: 0.8125rem;
+}
+
+.checkbox-label.readonly {
+  cursor: default;
+}
+
+.checkbox-label input[type="checkbox"] {
+  width: 14px;
+  height: 14px;
+  cursor: pointer;
+  accent-color: var(--primary, #3b82f6);
+}
+
+.permission-item {
+  padding: 0.125rem 0.375rem;
+  border-radius: 4px;
+}
+
+.perm-label {
+  font-size: 0.75rem;
+  font-weight: 500;
+}
+
+.perm-label.read {
+  color: var(--info, #3b82f6);
+}
+
+.perm-label.write {
+  color: var(--warning, #f59e0b);
+}
+
+.perm-label.delete {
+  color: var(--danger, #ef4444);
+}
+
+.readonly-indicator {
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  width: 16px;
+  height: 16px;
+  border-radius: 3px;
+  font-size: 0.625rem;
+}
+
+.readonly-indicator.granted {
+  background: rgba(34, 197, 94, 0.15);
+  color: #16a34a;
+}
+
+.readonly-indicator.denied {
+  background: rgba(148, 163, 184, 0.15);
+  color: #94a3b8;
+}
+</style>
diff --git a/src/layouts/DashboardLayout.vue b/src/layouts/DashboardLayout.vue
index 69086c0..d441bd4 100644
--- a/src/layouts/DashboardLayout.vue
+++ b/src/layouts/DashboardLayout.vue
@@ -19,7 +19,7 @@
           <span v-if="!sidebarCollapsed">Dashboard</span>
         </router-link>
 
-        <div class="nav-group">
+        <div v-if="authStore.hasPermission('deployments:read')" class="nav-group">
           <div class="nav-group-header" @click="toggleGroup('stacks')">
             <i class="pi pi-layers" />
             <span v-if="!sidebarCollapsed">Stacks</span>
@@ -37,7 +37,15 @@
           </div>
         </div>
 
-        <div class="nav-group">
+        <div
+          v-if="
+            authStore.hasPermission('containers:read') ||
+            authStore.hasPermission('images:read') ||
+            authStore.hasPermission('volumes:read') ||
+            authStore.hasPermission('networks:read')
+          "
+          class="nav-group"
+        >
           <div class="nav-group-header" @click="toggleGroup('docker')">
             <i class="pi pi-box" />
             <span v-if="!sidebarCollapsed">Docker</span>
@@ -48,30 +56,62 @@
             />
           </div>
           <div v-show="expandedGroups.docker && !sidebarCollapsed" class="nav-group-items">
-            <router-link to="/containers" class="nav-subitem" active-class="active">
+            <router-link
+              v-if="authStore.hasPermission('containers:read')"
+              to="/containers"
+              class="nav-subitem"
+              active-class="active"
+            >
               <span class="nav-count">{{ stats.containers }}</span>
               Containers
             </router-link>
-            <router-link to="/images" class="nav-subitem" active-class="active">
+            <router-link
+              v-if="authStore.hasPermission('images:read')"
+              to="/images"
+              class="nav-subitem"
+              active-class="active"
+            >
               <span class="nav-count">{{ stats.images }}</span>
               Images
             </router-link>
-            <router-link to="/volumes" class="nav-subitem" active-class="active">
+            <router-link
+              v-if="authStore.hasPermission('volumes:read')"
+              to="/volumes"
+              class="nav-subitem"
+              active-class="active"
+            >
               <span class="nav-count">{{ stats.volumes }}</span>
               Volumes
             </router-link>
-            <router-link to="/networks" class="nav-subitem" active-class="active">
+            <router-link
+              v-if="authStore.hasPermission('networks:read')"
+              to="/networks"
+              class="nav-subitem"
+              active-class="active"
+            >
               <span class="nav-count">{{ stats.networks }}</span>
               Networks
             </router-link>
-            <router-link to="/docker-ports" class="nav-subitem" active-class="active">
+            <router-link
+              v-if="authStore.hasPermission('containers:read')"
+              to="/docker-ports"
+              class="nav-subitem"
+              active-class="active"
+            >
               <span class="nav-count">{{ stats.dockerPorts }}</span>
               Port Mappings
             </router-link>
           </div>
         </div>
 
-        <div class="nav-group">
+        <div
+          v-if="
+            authStore.hasPermission('system:read') ||
+            authStore.hasPermission('infrastructure:read') ||
+            authStore.hasPermission('scheduler:read')
+          "
+          class="nav-group"
+        >
           <div class="nav-group-header" @click="toggleGroup('system')">
             <i class="pi pi-server" />
             <span v-if="!sidebarCollapsed">System</span>
@@ -82,23 +122,45 @@
             />
           </div>
           <div v-show="expandedGroups.system && !sidebarCollapsed" class="nav-group-items">
-            <router-link to="/infrastructure" class="nav-subitem" active-class="active">
+            <router-link
+              v-if="authStore.hasPermission('infrastructure:read')"
+              to="/infrastructure"
+              class="nav-subitem"
+              active-class="active"
+            >
               <span class="nav-count">{{ stats.infrastructure }}</span>
               Infrastructure
             </router-link>
-            <router-link to="/system-ports" class="nav-subitem" active-class="active">
+            <router-link
+              v-if="authStore.hasPermission('system:read')"
+              to="/system-ports"
+              class="nav-subitem"
+              active-class="active"
+            >
               <span class="nav-count">{{ stats.ports }}</span>
               Ports
             </router-link>
-            <router-link to="/services" class="nav-subitem" active-class="active">
+            <router-link
+              v-if="authStore.hasPermission('system:read')"
+              to="/services"
+              class="nav-subitem"
+              active-class="active"
+            >
               <span class="nav-count">{{ stats.services }}</span>
               Services
             </router-link>
-            <router-link to="/cron-jobs" class="nav-subitem" active-class="active"> Cron Jobs </router-link>
+            <router-link
+              v-if="authStore.hasPermission('scheduler:read')"
+              to="/cron-jobs"
+              class="nav-subitem"
+              active-class="active"
+            >
+              Cron Jobs
+            </router-link>
           </div>
         </div>
 
-        <div class="nav-group">
+        <div v-if="authStore.hasPermission('databases:read')" class="nav-group">
           <div class="nav-group-header" @click="toggleGroup('databases')">
             <i class="pi pi-database" />
             <span v-if="!sidebarCollapsed">Databases</span>
@@ -116,7 +178,7 @@
           </div>
         </div>
 
-        <div class="nav-group">
+        <div v-if="authStore.hasPermission('dns:read')" class="nav-group">
           <div class="nav-group-header" @click="toggleGroup('dns')">
             <i class="pi pi-globe" />
             <span v-if="!sidebarCollapsed">DNS</span>
@@ -132,7 +194,10 @@
           </div>
         </div>
 
-        <div class="nav-group">
+        <div
+          v-if="authStore.hasPermission('security:read') || authStore.hasPermission('certificates:read')"
+          class="nav-group"
+        >
           <div class="nav-group-header" @click="toggleGroup('security')">
             <i class="pi pi-shield" />
             <span v-if="!sidebarCollapsed">Security</span>
@@ -143,15 +208,27 @@
             />
           </div>
           <div v-show="expandedGroups.security && !sidebarCollapsed" class="nav-group-items">
-            <router-link to="/security" class="nav-subitem" active-class="active"> Security & Monitoring </router-link>
-            <router-link to="/certificates" class="nav-subitem" active-class="active">
+            <router-link
+              v-if="authStore.hasPermission('security:read')"
+              to="/security"
+              class="nav-subitem"
+              active-class="active"
+            >
+              Security & Monitoring
+            </router-link>
+            <router-link
+              v-if="authStore.hasPermission('certificates:read')"
+              to="/certificates"
+              class="nav-subitem"
+              active-class="active"
+            >
               <span class="nav-count">{{ stats.certificates }}</span>
               Certificates
             </router-link>
           </div>
         </div>
 
-        <div class="nav-group">
+        <div v-if="authStore.hasPermission('templates:read')" class="nav-group">
           <div class="nav-group-header" @click="toggleGroup('extensions')">
             <i class="pi pi-th-large" />
             <span v-if="!sidebarCollapsed">Apps</span>
@@ -170,7 +247,14 @@
           </div>
         </div>
 
-        <div class="nav-group">
+        <div
+          v-if="
+            authStore.hasPermission('settings:read') ||
+            authStore.hasPermission('users:read') ||
+            authStore.hasPermission('apikeys:read')
+          "
+          class="nav-group"
+        >
           <div class="nav-group-header" @click="toggleGroup('admin')">
             <i class="pi pi-sliders-h" />
             <span v-if="!sidebarCollapsed">Administration</span>
@@ -181,9 +265,30 @@
             />
           </div>
           <div v-show="expandedGroups.admin && !sidebarCollapsed" class="nav-group-items">
-            <router-link to="/settings" class="nav-subitem" active-class="active"> Settings </router-link>
-            <router-link v-if="authStore.hasPermission('users:read')" to="/users" class="nav-subitem" active-class="active"> Users </router-link>
-            <router-link v-if="authStore.hasPermission('apikeys:read')" to="/api-keys" class="nav-subitem" active-class="active"> API Keys </router-link>
+            <router-link
+              v-if="authStore.hasPermission('settings:read')"
+              to="/settings"
+              class="nav-subitem"
+              active-class="active"
+            >
+              Settings
+            </router-link>
+            <router-link
+              v-if="authStore.hasPermission('users:read')"
+              to="/users"
+              class="nav-subitem"
+              active-class="active"
+            >
+              Users
+            </router-link>
+            <router-link
+              v-if="authStore.hasPermission('apikeys:read')"
+              to="/api-keys"
+              class="nav-subitem"
+              active-class="active"
+            >
+              API Keys
+            </router-link>
           </div>
         </div>
       </nav>
diff --git a/src/router/index.ts b/src/router/index.ts
index f9d2761..110ee9f 100644
--- a/src/router/index.ts
+++ b/src/router/index.ts
@@ -1,5 +1,7 @@
 import { createRouter, createWebHistory } from "vue-router";
 import type { RouteRecordRaw } from "vue-router";
+import type { Permission } from "@/types";
+import { useAuthStore } from "@/stores/auth";
 import DashboardLayout from "@/layouts/DashboardLayout.vue";
 
 const routes: RouteRecordRaw[] = [
@@ -23,106 +25,127 @@ const routes: RouteRecordRaw[] = [
         path: "deployments",
         name: "deployments",
         component: () => import("@/views/DeploymentsView.vue"),
+        meta: { permission: "deployments:read" },
       },
       {
         path: "deployments/:name",
         name: "deployment-detail",
         component: () => import("@/views/DeploymentDetailView.vue"),
+        meta: { permission: "deployments:read" },
       },
       {
         path: "containers",
         name: "containers",
         component: () => import("@/views/ContainersView.vue"),
+        meta: { permission: "containers:read" },
       },
       {
         path: "images",
         name: "images",
         component: () => import("@/views/ImagesView.vue"),
+        meta: { permission: "images:read" },
       },
       {
         path: "volumes",
         name: "volumes",
         component: () => import("@/views/VolumesView.vue"),
+        meta: { permission: "volumes:read" },
       },
       {
         path: "networks",
         name: "networks",
         component: () => import("@/views/NetworksView.vue"),
+        meta: { permission: "networks:read" },
       },
       {
         path: "docker-ports",
         name: "docker-ports",
         component: () => import("@/views/DockerPortsView.vue"),
+        meta: { permission: "containers:read" },
       },
       {
         path: "system-ports",
         name: "system-ports",
         component: () => import("@/views/SystemPortsView.vue"),
+        meta: { permission: "system:read" },
       },
       {
         path: "services",
         name: "services",
         component: () => import("@/views/ServicesView.vue"),
+        meta: { permission: "system:read" },
       },
       {
         path: "databases",
         name: "databases",
         component: () => import("@/views/DatabasesView.vue"),
+        meta: { permission: "databases:read" },
       },
       {
         path: "databases/:id",
         name: "database-manager",
         component: () => import("@/views/DatabaseManagerView.vue"),
+        meta: { permission: "databases:read" },
       },
       {
         path: "certificates",
         name: "certificates",
         component: () => import("@/views/CertificatesView.vue"),
+        meta: { permission: "certificates:read" },
       },
       {
         path: "apps",
         name: "apps",
         component: () => import("@/views/PluginsView.vue"),
+        meta: { permission: "templates:read" },
       },
       {
         path: "templates",
         name: "templates",
         component: () => import("@/views/TemplatesView.vue"),
+        meta: { permission: "templates:read" },
       },
       {
         path: "marketplace",
         name: "marketplace",
         component: () => import("@/views/MarketplaceView.vue"),
+        meta: { permission: "templates:read" },
       },
       {
         path: "settings",
         name: "settings",
         component: () => import("@/views/SettingsView.vue"),
+        meta: { permission: "settings:read" },
       },
       {
         path: "infrastructure",
         name: "infrastructure",
         component: () => import("@/views/InfrastructureView.vue"),
+        meta: { permission: "infrastructure:read" },
       },
       {
         path: "security",
         name: "security",
         component: () => import("@/views/SecurityView.vue"),
+        meta: { permission: "security:read" },
       },
       {
         path: "cron-jobs",
         name: "cron-jobs",
         component: () => import("@/views/CronJobsView.vue"),
+        meta: { permission: "scheduler:read" },
       },
       {
         path: "dns/zones",
         name: "dns-zones",
         component: () => import("@/views/DnsZonesView.vue"),
+        meta: { permission: "dns:read" },
       },
       {
         path: "dns/external",
         name: "dns-external",
         component: () => import("@/views/DnsExternalView.vue"),
+        meta: { permission: "dns:read" },
       },
       {
         path: "users",
@@ -151,11 +174,24 @@ router.beforeEach((to, _from, next) => {
 
   if (requiresAuth && !token) {
     next("/login");
-  } else if (to.path === "/login" && token) {
+    return;
+  }
+
+  if (to.path === "/login" && token) {
     next("/");
-  } else {
-    next();
+    return;
   }
+
+  const permission = to.meta.permission as Permission | undefined;
+  if (permission && token) {
+    const auth = useAuthStore();
+    if (!auth.hasPermission(permission)) {
+      next("/");
+      return;
+    }
+  }
+
+  next();
 });
 
 export default router;
diff --git a/src/services/api.ts b/src/services/api.ts
index c7120b1..3792fb4 100644
--- a/src/services/api.ts
+++ b/src/services/api.ts
@@ -1106,19 +1106,19 @@ import type { User, APIKey, UserRole, UserDeploymentAccess } from "@/types";
 export const usersApi = {
   list: () => apiClient.get<{ users: User[] }>("/users"),
 
-  get: (id: number) =>
-    apiClient.get<{ user: User; deployments: UserDeploymentAccess[] }>(`/users/${id}`),
+  get: (id: number) => apiClient.get<{ user: User; deployments: UserDeploymentAccess[] }>(`/users/${id}`),
 
-  create: (data: { username: string; email?: string; password: string; role: UserRole }) =>
+  create: (data: { username: string; email?: string; password: string; role: UserRole; permissions?: string[] }) =>
     apiClient.post<{ user: User }>("/users", data),
 
-  update: (id: number, data: { username?: string; email?: string; role?: UserRole; is_active?: boolean }) =>
-    apiClient.put<{ user: User }>(`/users/${id}`, data),
+  update: (
+    id: number,
+    data: { username?: string; email?: string; role?: UserRole; is_active?: boolean; permissions?: string[] },
+  ) => apiClient.put<{ user: User }>(`/users/${id}`, data),
 
   delete: (id: number) => apiClient.delete(`/users/${id}`),
 
-  me: () =>
-    apiClient.get<{ user: User; permissions: string[]; deployments: UserDeploymentAccess[] }>("/users/me"),
+  me: () => apiClient.get<{ user: User; permissions: string[]; deployments: UserDeploymentAccess[] }>("/users/me"),
 
   updateMe: (data: { email?: string }) => apiClient.put<{ user: User }>("/users/me", data),
 
diff --git a/src/stores/auth.ts b/src/stores/auth.ts
index 8c9a0d6..0903156 100644
--- a/src/stores/auth.ts
+++ b/src/stores/auth.ts
@@ -18,6 +18,7 @@ export const useAuthStore = defineStore("auth", () => {
   const currentUser = ref<User | null>(null);
   const permissions = ref<Permission[]>([]);
   const deploymentAccess = ref<UserDeploymentAccess[]>([]);
+  const userLoaded = ref(false);
 
   const isAuthenticated = computed(() => !!token.value);
   const isAdmin = computed(() => currentUser.value?.role === "admin");
@@ -28,6 +29,9 @@ export const useAuthStore = defineStore("auth", () => {
     if (currentUser.value?.role === "admin") {
       return true;
     }
+    if (token.value && !currentUser.value) {
+      return true;
+    }
     return permissions.value.includes(permission);
   };
 
@@ -74,6 +78,7 @@ export const useAuthStore = defineStore("auth", () => {
       if (response.data.deployments) {
         deploymentAccess.value = response.data.deployments;
       }
+      userLoaded.value = true;
 
       return true;
     } catch (e: any) {
@@ -102,6 +107,7 @@ export const useAuthStore = defineStore("auth", () => {
       if (response.data.deployments) {
         deploymentAccess.value = response.data.deployments;
       }
+      userLoaded.value = true;
 
       return true;
     } catch (e: any) {
@@ -130,6 +136,8 @@ export const useAuthStore = defineStore("auth", () => {
       deploymentAccess.value = response.data.deployments || [];
     } catch {
       // User endpoint may not exist if using legacy auth
+    } finally {
+      userLoaded.value = true;
     }
   };
 
@@ -138,6 +146,7 @@ export const useAuthStore = defineStore("auth", () => {
     currentUser.value = null;
     permissions.value = [];
     deploymentAccess.value = [];
+    userLoaded.value = false;
     localStorage.removeItem("auth_token");
   };
 
@@ -156,6 +165,7 @@ export const useAuthStore = defineStore("auth", () => {
     currentUser,
     permissions,
     deploymentAccess,
+    userLoaded,
     isAuthenticated,
     isAdmin,
     isOperator,
diff --git a/src/stores/stats.ts b/src/stores/stats.ts
index 84e96ab..7685680 100644
--- a/src/stores/stats.ts
+++ b/src/stores/stats.ts
@@ -53,16 +53,16 @@ export const useStatsStore = defineStore("stats", () => {
       if (healthRes.data.version?.version) {
         agentVersion.value = healthRes.data.version.version;
       }
-      if (healthRes.data.stats) {
-        deployments.total = healthRes.data.stats.total_deployments || 0;
-        deployments.running = healthRes.data.stats.running || 0;
-        deployments.stopped = healthRes.data.stats.stopped || 0;
-        deployments.error = healthRes.data.stats.error || 0;
-      }
 
       const statsRes = await healthApi.stats();
       if (statsRes.data) {
         const data = statsRes.data;
+        if (data.deployments) {
+          deployments.total = data.deployments.total_deployments || 0;
+          deployments.running = data.deployments.running || 0;
+          deployments.stopped = data.deployments.stopped || 0;
+          deployments.error = data.deployments.error || 0;
+        }
         containers.total = data.containers?.total || 0;
         containers.running = data.containers?.running || 0;
         containers.stopped = data.containers?.stopped || 0;
diff --git a/src/stores/users.ts b/src/stores/users.ts
index 468b182..aa355c6 100644
--- a/src/stores/users.ts
+++ b/src/stores/users.ts
@@ -36,6 +36,7 @@ export const useUsersStore = defineStore("users", () => {
     email?: string;
     password: string;
     role: UserRole;
+    permissions?: string[];
   }) => {
     try {
       const response = await usersApi.create(data);
@@ -48,7 +49,7 @@ export const useUsersStore = defineStore("users", () => {
 
   const updateUser = async (
     id: number,
-    data: { username?: string; email?: string; role?: UserRole; is_active?: boolean }
+    data: { username?: string; email?: string; role?: UserRole; is_active?: boolean; permissions?: string[] },
   ) => {
     try {
       const response = await usersApi.update(id, data);
diff --git a/src/types/index.ts b/src/types/index.ts
index 7be640d..5a25415 100644
--- a/src/types/index.ts
+++ b/src/types/index.ts
@@ -215,10 +215,12 @@ export interface User {
   username: string;
   email?: string;
   role: UserRole;
+  permissions?: string[];
   is_active: boolean;
   created_at: string;
   updated_at: string;
   last_login_at?: string;
+  deployment_count?: number;
   deployments?: UserDeploymentAccess[];
 }
 
@@ -270,4 +272,32 @@ export type Permission =
   | "apikeys:delete"
   | "settings:read"
   | "settings:write"
-  | "audit:read";
+  | "audit:read"
+  | "containers:read"
+  | "containers:write"
+  | "containers:delete"
+  | "images:read"
+  | "images:write"
+  | "images:delete"
+  | "volumes:read"
+  | "volumes:write"
+  | "volumes:delete"
+  | "databases:read"
+  | "databases:write"
+  | "databases:delete"
+  | "infrastructure:read"
+  | "infrastructure:write"
+  | "scheduler:read"
+  | "scheduler:write"
+  | "scheduler:delete"
+  | "system:read"
+  | "system:write"
+  | "dns:read"
+  | "dns:write"
+  | "registries:read"
+  | "registries:write"
+  | "registries:delete"
+  | "templates:read"
+  | "templates:write"
+  | "traffic:read"
+  | "traffic:write";
diff --git a/src/utils/permissions.ts b/src/utils/permissions.ts
new file mode 100644
index 0000000..9d521fb
--- /dev/null
+++ b/src/utils/permissions.ts
@@ -0,0 +1,124 @@
+import type { UserRole } from "@/types";
+
+const adminPermissions: string[] = [
+  "deployments:read",
+  "deployments:write",
+  "deployments:delete",
+  "certificates:read",
+  "certificates:write",
+  "certificates:delete",
+  "networks:read",
+  "networks:write",
+  "networks:delete",
+  "security:read",
+  "security:write",
+  "backups:read",
+  "backups:write",
+  "backups:delete",
+  "users:read",
+  "users:write",
+  "users:delete",
+  "apikeys:read",
+  "apikeys:write",
+  "apikeys:delete",
+  "settings:read",
+  "settings:write",
+  "audit:read",
+  "containers:read",
+  "containers:write",
+  "containers:delete",
+  "images:read",
+  "images:write",
+  "images:delete",
+  "volumes:read",
+  "volumes:write",
+  "volumes:delete",
+  "databases:read",
+  "databases:write",
+  "databases:delete",
+  "infrastructure:read",
+  "infrastructure:write",
+  "scheduler:read",
+  "scheduler:write",
+  "scheduler:delete",
+  "system:read",
+  "system:write",
+  "dns:read",
+  "dns:write",
+  "registries:read",
+  "registries:write",
+  "registries:delete",
+  "templates:read",
+  "templates:write",
+  "traffic:read",
+  "traffic:write",
+];
+
+const operatorPermissions: string[] = [
+  "deployments:read",
+  "deployments:write",
+  "certificates:read",
+  "certificates:write",
+  "networks:read",
+  "security:read",
+  "backups:read",
+  "backups:write",
+  "apikeys:read",
+  "apikeys:write",
+  "apikeys:delete",
+  "settings:read",
+  "containers:read",
+  "containers:write",
+  "images:read",
+  "images:write",
+  "volumes:read",
+  "volumes:write",
+  "databases:read",
+  "databases:write",
+  "infrastructure:read",
+  "infrastructure:write",
+  "scheduler:read",
+  "scheduler:write",
+  "system:read",
+  "system:write",
+  "dns:read",
+  "dns:write",
+  "registries:read",
+  "registries:write",
+  "templates:read",
+  "traffic:read",
+];
+
+const viewerPermissions: string[] = [
+  "deployments:read",
+  "certificates:read",
+  "networks:read",
+  "security:read",
+  "backups:read",
+  "apikeys:read",
+  "settings:read",
+  "containers:read",
+  "images:read",
+  "volumes:read",
+  "databases:read",
+  "infrastructure:read",
+  "scheduler:read",
+  "system:read",
+  "dns:read",
+  "registries:read",
+  "templates:read",
+  "traffic:read",
+];
+
+export function getRolePermissions(role: UserRole): string[] {
+  switch (role) {
+    case "admin":
+      return [...adminPermissions];
+    case "operator":
+      return [...operatorPermissions];
+    case "viewer":
+      return [...viewerPermissions];
+    default:
+      return [];
+  }
+}
diff --git a/src/views/APIKeysView.vue b/src/views/APIKeysView.vue
index 7a52c3c..ea125f5 100644
--- a/src/views/APIKeysView.vue
+++ b/src/views/APIKeysView.vue
@@ -6,7 +6,7 @@
         <button class="btn btn-icon" :disabled="loading" @click="loadAPIKeys">
           <i class="pi pi-refresh" :class="{ 'pi-spin': loading }" />
         </button>
-        <button class="btn btn-primary" @click="showCreateDialog = true">
+        <button v-if="canWrite" class="btn btn-primary" @click="showCreateDialog = true">
           <i class="pi pi-plus" />
           <span>Create API Key</span>
         </button>
@@ -63,14 +63,19 @@
               <td>{{ formatExpiry(key.expires_at) }}</td>
               <td class="actions-cell">
                 <button
-                  v-if="key.is_active"
+                  v-if="key.is_active && canWrite"
                   class="btn btn-icon btn-sm"
                   title="Revoke"
                   @click="confirmRevoke(key)"
                 >
                   <i class="pi pi-ban" />
                 </button>
-                <button class="btn btn-icon btn-sm btn-danger" title="Delete" @click="confirmDelete(key)">
+                <button
+                  v-if="canDelete"
+                  class="btn btn-icon btn-sm btn-danger"
+                  title="Delete"
+                  @click="confirmDelete(key)"
+                >
                   <i class="pi pi-trash" />
                 </button>
               </td>
@@ -100,14 +105,29 @@
           </div>
           <div class="form-group">
             <label>Role Override (optional)</label>
-            <select v-model="formData.role">
+            <select v-model="formData.role" @change="onRoleChange">
               <option value="">Inherit from user</option>
-              <option value="admin">Admin</option>
+              <option v-if="authStore.isAdmin" value="admin">Admin</option>
               <option value="operator">Operator</option>
               <option value="viewer">Viewer</option>
             </select>
             <small>Leave empty to inherit the role from the user account</small>
           </div>
+          <div class="form-group">
+            <label class="checkbox-label">
+              <input v-model="formData.useCustomPermissions" type="checkbox" @change="onCustomPermissionsToggle" />
+              <span>Customize permissions</span>
+            </label>
+            <small>Override the default permissions for the selected role</small>
+          </div>
+          <div v-if="formData.useCustomPermissions" class="form-group">
+            <label>Permissions</label>
+            <PermissionPicker v-model="formData.permissions" />
+          </div>
+          <div v-else-if="formData.role" class="form-group">
+            <label>Role permissions ({{ formData.role }})</label>
+            <PermissionPicker :model-value="roleDefaultPermissions" readonly />
+          </div>
           <div class="form-group">
             <label>Expiration</label>
             <select v-model="formData.expires_in">
@@ -159,7 +179,10 @@
         <div class="modal-header">
           <h2>Revoke API Key</h2>
         </div>
-        <p>Are you sure you want to revoke API key <strong>{{ selectedKey?.name }}</strong>? This action cannot be undone.</p>
+        <p>
+          Are you sure you want to revoke API key <strong>{{ selectedKey?.name }}</strong
+          >? This action cannot be undone.
+        </p>
         <div class="modal-actions">
           <button class="btn" @click="closeDialogs">Cancel</button>
           <button class="btn btn-danger" :disabled="saving" @click="revokeKey">
@@ -175,7 +198,10 @@
         <div class="modal-header">
           <h2>Delete API Key</h2>
         </div>
-        <p>Are you sure you want to delete API key <strong>{{ selectedKey?.name }}</strong>?</p>
+        <p>
+          Are you sure you want to delete API key <strong>{{ selectedKey?.name }}</strong
+          >?
+        </p>
         <div class="modal-actions">
           <button class="btn" @click="closeDialogs">Cancel</button>
           <button class="btn btn-danger" :disabled="saving" @click="deleteKey">
@@ -189,14 +215,20 @@
 
 <script setup lang="ts">
 import { ref, onMounted, computed } from "vue";
-import type { APIKey, UserRole } from "@/types";
+import type { APIKey, UserRole, Permission } from "@/types";
 import { useUsersStore } from "@/stores/users";
+import { useAuthStore } from "@/stores/auth";
+import PermissionPicker from "@/components/PermissionPicker.vue";
+import { getRolePermissions } from "@/utils/permissions";
 
 const usersStore = useUsersStore();
+const authStore = useAuthStore();
 
 const apiKeys = computed(() => usersStore.apiKeys);
 const loading = computed(() => usersStore.loading);
 const error = computed(() => usersStore.error);
+const canWrite = computed(() => authStore.hasPermission("apikeys:write" as Permission));
+const canDelete = computed(() => authStore.hasPermission("apikeys:delete" as Permission));
 
 const showCreateDialog = ref(false);
 const showNewKeyDialog = ref(false);
@@ -212,8 +244,28 @@ const formData = ref({
   description: "",
   role: "" as UserRole | "",
   expires_in: 0,
+  useCustomPermissions: false,
+  permissions: [] as string[],
 });
 
+const roleDefaultPermissions = computed(() => {
+  if (!formData.value.role) return [];
+  return getRolePermissions(formData.value.role as UserRole);
+});
+
+const onRoleChange = () => {
+  if (formData.value.useCustomPermissions && formData.value.role) {
+    formData.value.permissions = getRolePermissions(formData.value.role as UserRole);
+  }
+};
+
+const onCustomPermissionsToggle = () => {
+  if (formData.value.useCustomPermissions) {
+    const role = formData.value.role || authStore.currentUser?.role;
+    formData.value.permissions = role ? getRolePermissions(role as UserRole) : [];
+  }
+};
+
 const loadAPIKeys = async () => {
   await usersStore.fetchAPIKeys();
 };
@@ -225,12 +277,20 @@ const createAPIKey = async () => {
       name: formData.value.name,
       description: formData.value.description || undefined,
       role: formData.value.role || undefined,
+      permissions: formData.value.useCustomPermissions ? formData.value.permissions : undefined,
       expires_in: formData.value.expires_in || undefined,
     });
     newKeyValue.value = result.api_key.key || "";
     showCreateDialog.value = false;
     showNewKeyDialog.value = true;
-    formData.value = { name: "", description: "", role: "", expires_in: 0 };
+    formData.value = {
+      name: "",
+      description: "",
+      role: "",
+      expires_in: 0,
+      useCustomPermissions: false,
+      permissions: [],
+    };
   } catch (e: any) {
     alert(e.message);
   } finally {
@@ -491,7 +551,7 @@ code {
   background: var(--surface-card);
   border-radius: 8px;
   width: 100%;
-  max-width: 480px;
+  max-width: 720px;
   max-height: 90vh;
   overflow-y: auto;
 }
@@ -546,6 +606,17 @@ code {
   color: var(--text-secondary);
 }
 
+.checkbox-label {
+  display: flex;
+  align-items: center;
+  gap: 0.5rem;
+  cursor: pointer;
+}
+
+.checkbox-label input[type="checkbox"] {
+  width: auto;
+}
+
 .modal-actions {
   display: flex;
   justify-content: flex-end;
@@ -609,12 +680,13 @@ code {
 }
 
 .btn-primary {
-  background: var(--primary);
+  background: var(--primary, #3b82f6);
   color: white;
+  font-weight: 600;
 }
 
 .btn-primary:hover {
-  background: var(--primary-dark);
+  background: var(--primary-dark, #2563eb);
 }
 
 .btn-danger {
diff --git a/src/views/CertificatesView.vue b/src/views/CertificatesView.vue
index 5810a62..f519888 100644
--- a/src/views/CertificatesView.vue
+++ b/src/views/CertificatesView.vue
@@ -16,11 +16,11 @@
       loading-text="Loading certificates..."
     >
       <template #actions>
-        <button class="btn btn-primary" @click="showRequestModal = true">
+        <button v-if="canWrite" class="btn btn-primary" @click="showRequestModal = true">
           <i class="pi pi-plus" />
           Request Certificate
         </button>
-        <button class="btn btn-secondary" :disabled="renewingAll" @click="handleRenewAll">
+        <button v-if="canWrite" class="btn btn-secondary" :disabled="renewingAll" @click="handleRenewAll">
           <i class="pi pi-sync" :class="{ 'pi-spin': renewingAll }" />
           Renew All
         </button>
@@ -99,6 +99,7 @@
                 <span>{{ cert.path }}</span>
               </div>
               <button
+                v-if="canDelete"
                 class="btn btn-danger-sm"
                 :disabled="deleting === cert.domain"
                 @click.stop="handleDelete(cert.domain)"
@@ -191,11 +192,15 @@
 import { ref, computed, onMounted } from "vue";
 import { certificatesApi } from "@/services/api";
 import { useNotificationsStore } from "@/stores/notifications";
+import { useAuthStore } from "@/stores/auth";
 import DataTable from "@/components/DataTable.vue";
 import ConfirmModal from "@/components/ConfirmModal.vue";
 import type { Certificate } from "@/types";
 
 const notifications = useNotificationsStore();
+const authStore = useAuthStore();
+const canWrite = authStore.hasPermission("certificates:write");
+const canDelete = authStore.hasPermission("certificates:delete");
 const certificates = ref<Certificate[]>([]);
 const loading = ref(false);
 const showRequestModal = ref(false);
diff --git a/src/views/ContainersView.vue b/src/views/ContainersView.vue
index bfa4c18..c50ad9d 100644
--- a/src/views/ContainersView.vue
+++ b/src/views/ContainersView.vue
@@ -74,36 +74,36 @@
       <template #cell-actions="{ item }">
         <div class="action-buttons">
           <button
-            v-if="item.state === 'running'"
+            v-if="canWrite && item.state === 'running'"
             class="action-btn stop"
             title="Stop"
             @click.stop="stopContainer(item.id)"
           >
             <Square :size="14" />
           </button>
-          <button v-else class="action-btn start" title="Start" @click.stop="startContainer(item.id)">
+          <button v-else-if="canWrite" class="action-btn start" title="Start" @click.stop="startContainer(item.id)">
             <Play :size="14" />
           </button>
-          <button class="action-btn restart" title="Restart" @click.stop="restartContainer(item.id)">
+          <button v-if="canWrite" class="action-btn restart" title="Restart" @click.stop="restartContainer(item.id)">
             <RotateCw :size="14" />
           </button>
           <button class="action-btn logs" title="Logs" @click.stop="showLogs(item.id, item.name)">
             <FileText :size="14" />
           </button>
-          <button class="action-btn delete" title="Remove" @click.stop="deleteContainer(item.id)">
+          <button v-if="canDelete" class="action-btn delete" title="Remove" @click.stop="deleteContainer(item.id)">
             <Trash2 :size="14" />
           </button>
         </div>
       </template>
 
       <template #bulk-actions="{ selectedItems, clearSelection }">
-        <button class="btn btn-sm btn-secondary" @click="bulkStart(selectedItems, clearSelection)">
+        <button v-if="canWrite" class="btn btn-sm btn-secondary" @click="bulkStart(selectedItems, clearSelection)">
           <Play :size="14" /> Start
         </button>
-        <button class="btn btn-sm btn-secondary" @click="bulkStop(selectedItems, clearSelection)">
+        <button v-if="canWrite" class="btn btn-sm btn-secondary" @click="bulkStop(selectedItems, clearSelection)">
           <Square :size="14" /> Stop
         </button>
-        <button class="btn btn-sm btn-danger" @click="bulkRemove(selectedItems, clearSelection)">
+        <button v-if="canDelete" class="btn btn-sm btn-danger" @click="bulkRemove(selectedItems, clearSelection)">
           <Trash2 :size="14" /> Remove
         </button>
       </template>
@@ -147,12 +147,16 @@
 import { ref, computed, onMounted } from "vue";
 import { useRouter } from "vue-router";
 import { containersApi } from "@/services/api";
+import { useAuthStore } from "@/stores/auth";
 import DataTable from "@/components/DataTable.vue";
 import LogsModal from "@/components/LogsModal.vue";
 import ConfirmModal from "@/components/ConfirmModal.vue";
 import { RefreshCw, Play, Square, RotateCw, FileText, Trash2, Package, Link } from "lucide-vue-next";
 
 const router = useRouter();
+const authStore = useAuthStore();
+const canWrite = authStore.hasPermission("containers:write");
+const canDelete = authStore.hasPermission("containers:delete");
 
 interface Container {
   id: string;
diff --git a/src/views/CronJobsView.test.ts b/src/views/CronJobsView.test.ts
index d864cc2..74f7eef 100644
--- a/src/views/CronJobsView.test.ts
+++ b/src/views/CronJobsView.test.ts
@@ -2,6 +2,7 @@ import { describe, it, expect, vi, beforeEach } from "vitest";
 import { mount, flushPromises } from "@vue/test-utils";
 import { createTestingPinia } from "@pinia/testing";
 import CronJobsView from "./CronJobsView.vue";
+import { useAuthStore } from "@/stores/auth";
 
 vi.mock("@/services/api", () => ({
   schedulerApi: {
@@ -150,13 +151,12 @@ describe("CronJobsView", () => {
   });
 
   const mountView = () => {
+    const pinia = createTestingPinia({ createSpy: vi.fn });
+    const authStore = useAuthStore(pinia);
+    (authStore.hasPermission as ReturnType<typeof vi.fn>).mockReturnValue(true);
     return mount(CronJobsView, {
       global: {
-        plugins: [
-          createTestingPinia({
-            createSpy: vi.fn,
-          }),
-        ],
+        plugins: [pinia],
         stubs: {
           ConfirmModal: true,
           Teleport: true,
@@ -538,4 +538,46 @@ describe("CronJobsView", () => {
       expect(wrapper.text()).toContain("No Matching Tasks");
     });
   });
+
+  describe("Permission gates", () => {
+    const mountViewDenied = () => {
+      const pinia = createTestingPinia({ createSpy: vi.fn });
+      return mount(CronJobsView, {
+        global: {
+          plugins: [pinia],
+          stubs: {
+            ConfirmModal: true,
+            Teleport: true,
+          },
+        },
+      });
+    };
+
+    it("hides New Cron Job button without scheduler:write", () => {
+      const wrapper = mountViewDenied();
+      expect(wrapper.find("button.btn-primary").exists()).toBe(false);
+    });
+
+    it("hides run/edit buttons but keeps history without scheduler:write", async () => {
+      const wrapper = mountViewDenied();
+      await flushPromises();
+      const secondaryBtns = wrapper.findAll("button.btn-sm.btn-secondary");
+      // Only history buttons remain (one per task), no run/edit buttons
+      for (const btn of secondaryBtns) {
+        expect(btn.text()).toContain("History");
+      }
+    });
+
+    it("hides delete button without scheduler:delete", async () => {
+      const wrapper = mountViewDenied();
+      await flushPromises();
+      expect(wrapper.findAll("button.btn-sm.btn-danger").length).toBe(0);
+    });
+
+    it("still renders task list without write permissions", async () => {
+      const wrapper = mountViewDenied();
+      await flushPromises();
+      expect(wrapper.text()).toContain("Scheduled Tasks");
+    });
+  });
 });
diff --git a/src/views/CronJobsView.vue b/src/views/CronJobsView.vue
index a20bce5..b76237d 100644
--- a/src/views/CronJobsView.vue
+++ b/src/views/CronJobsView.vue
@@ -6,7 +6,7 @@
         <p class="subtitle">Manage cron jobs and scheduled commands across deployments</p>
       </div>
       <div class="header-actions">
-        <button class="btn btn-primary" @click="openCreateModal">
+        <button v-if="canWrite" class="btn btn-primary" @click="openCreateModal">
           <i class="pi pi-plus" />
           New Cron Job
         </button>
@@ -49,7 +49,7 @@
       <i class="pi pi-clock" />
       <h3>No Scheduled Tasks</h3>
       <p>Create cron jobs to run commands in your containers on a schedule.</p>
-      <button class="btn btn-primary" @click="openCreateModal">
+      <button v-if="canWrite" class="btn btn-primary" @click="openCreateModal">
         <i class="pi pi-plus" />
         Create First Cron Job
       </button>
@@ -74,7 +74,7 @@
               <input
                 type="checkbox"
                 :checked="task.enabled"
-                :disabled="togglingTask === task.id"
+                :disabled="!canWrite || togglingTask === task.id"
                 @change="toggleTask(task)"
               />
               <span class="slider" />
@@ -116,7 +116,12 @@
         </div>
 
         <div class="task-footer">
-          <button class="btn btn-sm btn-secondary" :disabled="runningTask === task.id" @click="runTaskNow(task)">
+          <button
+            v-if="canWrite"
+            class="btn btn-sm btn-secondary"
+            :disabled="runningTask === task.id"
+            @click="runTaskNow(task)"
+          >
             <i :class="runningTask === task.id ? 'pi pi-spin pi-spinner' : 'pi pi-play'" />
             Run Now
           </button>
@@ -124,10 +129,10 @@
             <i class="pi pi-history" />
             History
           </button>
-          <button class="btn btn-sm btn-secondary" @click="openEditModal(task)">
+          <button v-if="canWrite" class="btn btn-sm btn-secondary" @click="openEditModal(task)">
             <i class="pi pi-pencil" />
           </button>
-          <button class="btn btn-sm btn-danger" @click="confirmDelete(task)">
+          <button v-if="canDelete" class="btn btn-sm btn-danger" @click="confirmDelete(task)">
             <i class="pi pi-trash" />
           </button>
         </div>
@@ -371,12 +376,16 @@ import { schedulerApi, deploymentsApi } from "@/services/api";
 import type { ScheduledTask, TaskExecution } from "@/services/api";
 import type { Deployment } from "@/types";
 import { useNotificationsStore } from "@/stores/notifications";
+import { useAuthStore } from "@/stores/auth";
 import ConfirmModal from "@/components/ConfirmModal.vue";
 
 const PAGE_SIZE = 12;
 const RECENT_EXECUTIONS_LIMIT = 10;
 const TASK_HISTORY_LIMIT = 50;
 
+const authStore = useAuthStore();
+const canWrite = authStore.hasPermission("scheduler:write");
+const canDelete = authStore.hasPermission("scheduler:delete");
 const notifications = useNotificationsStore();
 
 const tasks = ref<ScheduledTask[]>([]);
diff --git a/src/views/DeploymentDetailView.test.ts b/src/views/DeploymentDetailView.test.ts
index 29c4742..494c74d 100644
--- a/src/views/DeploymentDetailView.test.ts
+++ b/src/views/DeploymentDetailView.test.ts
@@ -2,6 +2,7 @@ import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
 import { mount, flushPromises } from "@vue/test-utils";
 import { createTestingPinia } from "@pinia/testing";
 import DeploymentDetailView from "./DeploymentDetailView.vue";
+import { useAuthStore } from "@/stores/auth";
 
 const mockRoute = {
   params: { name: "test-app" },
@@ -111,13 +112,12 @@ describe("DeploymentDetailView", () => {
   });
 
   const mountView = () => {
+    const pinia = createTestingPinia({ createSpy: vi.fn });
+    const authStore = useAuthStore(pinia);
+    (authStore.hasPermission as ReturnType<typeof vi.fn>).mockReturnValue(true);
     return mount(DeploymentDetailView, {
       global: {
-        plugins: [
-          createTestingPinia({
-            createSpy: vi.fn,
-          }),
-        ],
+        plugins: [pinia],
         mocks: {
           $route: mockRoute,
         },
@@ -365,4 +365,57 @@ describe("DeploymentDetailView", () => {
       expect(deploymentsApi.getEnvVars).toHaveBeenCalledWith("test-app");
     });
   });
+
+  describe("Permission gates", () => {
+    const mountViewDenied = () => {
+      const pinia = createTestingPinia({ createSpy: vi.fn });
+      return mount(DeploymentDetailView, {
+        global: {
+          plugins: [pinia],
+          mocks: {
+            $route: mockRoute,
+          },
+          stubs: {
+            RouterLink: {
+              template: "<a><slot /></a>",
+              props: ["to"],
+            },
+            teleport: true,
+            ContainerTerminal: true,
+            LogViewer: true,
+          },
+        },
+      });
+    };
+
+    it("hides start button without deployments:write", async () => {
+      const wrapper = mountViewDenied();
+      await flushPromises();
+      expect(wrapper.find(".btn-success").exists()).toBe(false);
+    });
+
+    it("hides stop button without deployments:write", async () => {
+      const wrapper = mountViewDenied();
+      await flushPromises();
+      expect(wrapper.find(".btn-warning").exists()).toBe(false);
+    });
+
+    it("hides restart button without deployments:write", async () => {
+      const wrapper = mountViewDenied();
+      await flushPromises();
+      expect(wrapper.find(".btn-info").exists()).toBe(false);
+    });
+
+    it("hides delete button without deployments:delete", async () => {
+      const wrapper = mountViewDenied();
+      await flushPromises();
+      expect(wrapper.find(".btn-danger").exists()).toBe(false);
+    });
+
+    it("still renders deployment detail view", async () => {
+      const wrapper = mountViewDenied();
+      await flushPromises();
+      expect(wrapper.find(".deployment-detail").exists()).toBe(true);
+    });
+  });
 });
diff --git a/src/views/DeploymentDetailView.vue b/src/views/DeploymentDetailView.vue
index e2c0a9d..94176b1 100644
--- a/src/views/DeploymentDetailView.vue
+++ b/src/views/DeploymentDetailView.vue
@@ -15,6 +15,7 @@
       </div>
       <div class="header-actions">
         <button
+          v-if="canWrite"
           class="btn btn-success"
           :disabled="loading || deployment?.status === 'running'"
           @click="handleOperation('start')"
@@ -22,6 +23,7 @@
           <i class="pi pi-play" /> Start
         </button>
         <button
+          v-if="canWrite"
           class="btn btn-warning"
           :disabled="loading || deployment?.status === 'stopped'"
           @click="handleOperation('stop')"
@@ -29,6 +31,7 @@
           <i class="pi pi-stop" /> Stop
         </button>
         <button
+          v-if="canWrite"
           class="btn btn-info"
           :disabled="loading || deployment?.status === 'stopped'"
           @click="handleOperation('restart')"
@@ -36,6 +39,7 @@
           <i class="pi pi-refresh" /> Restart
         </button>
         <button
+          v-if="canWrite"
           class="btn btn-secondary"
           :disabled="loading"
           @click="showRebuildModal = true"
@@ -43,10 +47,10 @@
         >
           <i class="pi pi-sync" /> Rebuild
         </button>
-        <button class="btn btn-secondary" :disabled="loading" @click="openPullImageModal">
+        <button v-if="canWrite" class="btn btn-secondary" :disabled="loading" @click="openPullImageModal">
           <i class="pi pi-download" /> Pull Image
         </button>
-        <button class="btn btn-danger" :disabled="loading" @click="confirmDelete">
+        <button v-if="canDelete" class="btn btn-danger" :disabled="loading" @click="confirmDelete">
           <i class="pi pi-trash" /> Delete
         </button>
       </div>
@@ -1247,6 +1251,7 @@ import {
   type EnvVar,
 } from "@/services/api";
 import { useNotificationsStore } from "@/stores/notifications";
+import { useAuthStore } from "@/stores/auth";
 import type { ProxyStatus, QuickAction, SecurityEvent, DeploymentSecurityConfig } from "@/types";
 import FileBrowser from "@/components/FileBrowser.vue";
 import LogViewer from "@/components/LogViewer.vue";
@@ -1257,6 +1262,9 @@ import BackupsTab from "@/components/BackupsTab.vue";
 const route = useRoute();
 const router = useRouter();
 const notifications = useNotificationsStore();
+const authStore = useAuthStore();
+const canWrite = authStore.hasPermission("deployments:write");
+const canDelete = authStore.hasPermission("deployments:delete");
 
 const backPath = computed(() => {
   return route.query.from === "infrastructure" ? "/infrastructure" : "/deployments";
diff --git a/src/views/DeploymentsView.test.ts b/src/views/DeploymentsView.test.ts
index fc624b7..02ebe62 100644
--- a/src/views/DeploymentsView.test.ts
+++ b/src/views/DeploymentsView.test.ts
@@ -2,6 +2,7 @@ import { describe, it, expect, vi, beforeEach } from "vitest";
 import { mount, flushPromises } from "@vue/test-utils";
 import { createTestingPinia } from "@pinia/testing";
 import DeploymentsView from "./DeploymentsView.vue";
+import { useAuthStore } from "@/stores/auth";
 
 vi.mock("@/services/api", () => ({
   deploymentsApi: {
@@ -88,13 +89,12 @@ describe("DeploymentsView", () => {
   });
 
   const mountView = () => {
+    const pinia = createTestingPinia({ createSpy: vi.fn });
+    const authStore = useAuthStore(pinia);
+    (authStore.hasPermission as ReturnType<typeof vi.fn>).mockReturnValue(true);
     return mount(DeploymentsView, {
       global: {
-        plugins: [
-          createTestingPinia({
-            createSpy: vi.fn,
-          }),
-        ],
+        plugins: [pinia],
         stubs: {
           DataTable: {
             template: `
@@ -251,4 +251,41 @@ describe("DeploymentsView", () => {
       expect((wrapper.vm as any).formatRelativeTime(now)).toBe("just now");
     });
   });
+
+  describe("Permission gates", () => {
+    const mountViewDenied = () => {
+      const pinia = createTestingPinia({ createSpy: vi.fn });
+      return mount(DeploymentsView, {
+        global: {
+          plugins: [pinia],
+          stubs: {
+            DataTable: {
+              template: `
+                <div class="data-table">
+                  <slot name="actions" />
+                  <div class="items">
+                    <slot name="grid" :items="items" />
+                  </div>
+                </div>
+              `,
+              props: ["items", "columns", "loading"],
+            },
+            OperationModal: true,
+            LogsModal: true,
+            NewDeploymentModal: true,
+          },
+        },
+      });
+    };
+
+    it("hides New Deployment button without deployments:write", () => {
+      const wrapper = mountViewDenied();
+      expect(wrapper.find("button.btn-primary").exists()).toBe(false);
+    });
+
+    it("still shows Refresh button without write permission", () => {
+      const wrapper = mountViewDenied();
+      expect(wrapper.text()).toContain("Refresh");
+    });
+  });
 });
diff --git a/src/views/DeploymentsView.vue b/src/views/DeploymentsView.vue
index 953e12f..c147e7e 100644
--- a/src/views/DeploymentsView.vue
+++ b/src/views/DeploymentsView.vue
@@ -17,7 +17,7 @@
       default-view-mode="grid"
     >
       <template #actions>
-        <button class="btn btn-primary" @click="showNewDeploymentModal = true">
+        <button v-if="canWrite" class="btn btn-primary" @click="showNewDeploymentModal = true">
           <Plus :size="16" />
           New Deployment
         </button>
@@ -83,6 +83,7 @@
       <template #cell-actions="{ item }">
         <div class="action-buttons">
           <button
+            v-if="canWrite"
             class="action-btn start"
             title="Start"
             :disabled="item.status === 'running'"
@@ -91,6 +92,7 @@
             <Play :size="14" />
           </button>
           <button
+            v-if="canWrite"
             class="action-btn stop"
             title="Stop"
             :disabled="item.status === 'stopped'"
@@ -99,6 +101,7 @@
             <Square :size="14" />
           </button>
           <button
+            v-if="canWrite"
             class="action-btn restart"
             title="Restart"
             :disabled="item.status === 'stopped'"
@@ -230,6 +233,7 @@
 
             <template #footer>
               <button
+                v-if="canWrite"
                 class="icon-btn start"
                 title="Start"
                 :disabled="deployment.status === 'running'"
@@ -238,6 +242,7 @@
                 <Play :size="14" />
               </button>
               <button
+                v-if="canWrite"
                 class="icon-btn stop"
                 title="Stop"
                 :disabled="deployment.status === 'stopped'"
@@ -246,6 +251,7 @@
                 <Square :size="14" />
               </button>
               <button
+                v-if="canWrite"
                 class="icon-btn restart"
                 title="Restart"
                 :disabled="deployment.status === 'stopped'"
@@ -295,6 +301,7 @@ import { ref, onMounted } from "vue";
 import { useRouter } from "vue-router";
 import { deploymentsApi } from "@/services/api";
 import { useNotificationsStore } from "@/stores/notifications";
+import { useAuthStore } from "@/stores/auth";
 import type { Deployment } from "@/types";
 import DataTable from "@/components/DataTable.vue";
 import DeploymentCard from "@/components/DeploymentCard.vue";
@@ -325,6 +332,8 @@ import type { Service } from "@/types";
 
 const router = useRouter();
 const notifications = useNotificationsStore();
+const authStore = useAuthStore();
+const canWrite = authStore.hasPermission("deployments:write");
 const deployments = ref<Deployment[]>([]);
 const loading = ref(true);
 const showNewDeploymentModal = ref(false);
diff --git a/src/views/DockerPortsView.vue b/src/views/DockerPortsView.vue
index eb44a71..67b82ca 100644
--- a/src/views/DockerPortsView.vue
+++ b/src/views/DockerPortsView.vue
@@ -59,7 +59,7 @@
       <template #cell-actions="{ item }">
         <div class="action-buttons">
           <button
-            v-if="item.containerStatus === 'running'"
+            v-if="canWrite && item.containerStatus === 'running'"
             class="action-btn stop"
             title="Stop Container"
             @click.stop="stopContainer(item.containerId, item.containerName)"
@@ -67,6 +67,7 @@
             <Square :size="14" />
           </button>
           <button
+            v-if="canWrite"
             class="action-btn restart"
             title="Restart Container"
             @click.stop="restartContainer(item.containerId, item.containerName)"
@@ -82,6 +83,7 @@
 <script setup lang="ts">
 import { ref, onMounted } from "vue";
 import { containersApi } from "@/services/api";
+import { useAuthStore } from "@/stores/auth";
 import { useNotificationsStore } from "@/stores/notifications";
 import DataTable from "@/components/DataTable.vue";
 import { RefreshCw, Plug, ExternalLink, Layers, Square, RotateCw } from "lucide-vue-next";
@@ -98,6 +100,8 @@ interface PortMapping {
   image: string;
 }
 
+const authStore = useAuthStore();
+const canWrite = authStore.hasPermission("containers:write");
 const portMappings = ref<PortMapping[]>([]);
 const loading = ref(false);
 const notifications = useNotificationsStore();
diff --git a/src/views/ImagesView.vue b/src/views/ImagesView.vue
index 1b050ba..3101f26 100644
--- a/src/views/ImagesView.vue
+++ b/src/views/ImagesView.vue
@@ -32,7 +32,7 @@
       :default-page-size="25"
     >
       <template #actions>
-        <button class="btn btn-primary" @click="showPullModal = true">
+        <button v-if="canWrite" class="btn btn-primary" @click="showPullModal = true">
           <i class="pi pi-download" />
           Pull Image
         </button>
@@ -77,6 +77,7 @@
             <i class="pi pi-info-circle" />
           </button>
           <button
+            v-if="canDelete"
             class="action-btn delete"
             :disabled="item.containers > 0"
             title="Remove"
@@ -134,10 +135,11 @@
               <button class="action-btn" title="Inspect" @click="inspectImage(image.id)">
                 <i class="pi pi-info-circle" />
               </button>
-              <button class="action-btn" title="Create Container" @click="createContainer(image.id)">
+              <button v-if="canWrite" class="action-btn" title="Create Container" @click="createContainer(image.id)">
                 <i class="pi pi-play" />
               </button>
               <button
+                v-if="canDelete"
                 class="action-btn delete"
                 title="Remove"
                 :disabled="image.containers > 0"
@@ -151,7 +153,7 @@
       </template>
 
       <template #bulk-actions="{ selectedItems, clearSelection }">
-        <button class="btn btn-sm btn-danger" @click="bulkRemove(selectedItems, clearSelection)">
+        <button v-if="canDelete" class="btn btn-sm btn-danger" @click="bulkRemove(selectedItems, clearSelection)">
           <i class="pi pi-trash" /> Remove
         </button>
       </template>
@@ -279,6 +281,7 @@
 <script setup lang="ts">
 import { ref, computed, onMounted, watch } from "vue";
 import { imagesApi, credentialsApi } from "@/services/api";
+import { useAuthStore } from "@/stores/auth";
 import DataTable from "@/components/DataTable.vue";
 import ConfirmModal from "@/components/ConfirmModal.vue";
 import type { RegistryCredential } from "@/types";
@@ -291,6 +294,9 @@ interface DockerImage {
   containers: number;
 }
 
+const authStore = useAuthStore();
+const canWrite = authStore.hasPermission("images:write");
+const canDelete = authStore.hasPermission("images:delete");
 const images = ref<DockerImage[]>([]);
 const loading = ref(false);
 const showPullModal = ref(false);
diff --git a/src/views/InfrastructureView.vue b/src/views/InfrastructureView.vue
index efa246a..e8efde3 100644
--- a/src/views/InfrastructureView.vue
+++ b/src/views/InfrastructureView.vue
@@ -59,7 +59,7 @@
 
         <template v-if="hasActions(service)" #footer>
           <button
-            v-if="!service.external && service.status === 'stopped'"
+            v-if="canWrite && !service.external && service.status === 'stopped'"
             class="btn btn-sm btn-success"
             :disabled="actionLoading === service.name"
             @click.stop="startService(service.name)"
@@ -68,7 +68,7 @@
             <span>Start</span>
           </button>
           <button
-            v-if="!service.external && service.status === 'running'"
+            v-if="canWrite && !service.external && service.status === 'running'"
             class="btn btn-sm btn-warning"
             :disabled="actionLoading === service.name"
             @click.stop="stopService(service.name)"
@@ -77,7 +77,7 @@
             <span>Stop</span>
           </button>
           <button
-            v-if="!service.external && service.status === 'running'"
+            v-if="canWrite && !service.external && service.status === 'running'"
             class="btn btn-sm btn-secondary"
             :disabled="actionLoading === service.name"
             @click.stop="restartService(service.name)"
@@ -114,12 +114,15 @@ import { ref, onMounted } from "vue";
 import { useRouter } from "vue-router";
 import { infrastructureApi, type InfraService } from "@/services/api";
 import { useNotificationsStore } from "@/stores/notifications";
+import { useAuthStore } from "@/stores/auth";
 import { executeWithServiceRestart } from "@/utils/resilientRequest";
 import DeploymentCard from "@/components/DeploymentCard.vue";
 import LogsModal from "@/components/LogsModal.vue";
 
 const router = useRouter();
 const notifications = useNotificationsStore();
+const authStore = useAuthStore();
+const canWrite = authStore.hasPermission("infrastructure:write");
 const loading = ref(false);
 const actionLoading = ref<string | null>(null);
 const services = ref<InfraService[]>([]);
diff --git a/src/views/LoginView.vue b/src/views/LoginView.vue
index 898320c..5535286 100644
--- a/src/views/LoginView.vue
+++ b/src/views/LoginView.vue
@@ -30,17 +30,11 @@
         </div>
 
         <div class="login-mode-toggle">
-          <button
-            :class="{ active: loginMode === 'credentials' }"
-            @click="loginMode = 'credentials'"
-          >
+          <button :class="{ active: loginMode === 'credentials' }" @click="loginMode = 'credentials'">
             <i class="pi pi-user" />
             Username
           </button>
-          <button
-            :class="{ active: loginMode === 'apikey' }"
-            @click="loginMode = 'apikey'"
-          >
+          <button :class="{ active: loginMode === 'apikey' }" @click="loginMode = 'apikey'">
             <i class="pi pi-key" />
             API Key
           </button>
diff --git a/src/views/NetworksView.vue b/src/views/NetworksView.vue
index bdb6f4c..b0335d5 100644
--- a/src/views/NetworksView.vue
+++ b/src/views/NetworksView.vue
@@ -16,7 +16,7 @@
       loading-text="Loading networks..."
     >
       <template #actions>
-        <button class="btn btn-primary" @click="showCreateModal = true">
+        <button v-if="canWrite" class="btn btn-primary" @click="showCreateModal = true">
           <i class="pi pi-plus" />
           Create Network
         </button>
@@ -26,7 +26,7 @@
       </template>
 
       <template #empty-action>
-        <button class="btn btn-primary" @click="showCreateModal = true">
+        <button v-if="canWrite" class="btn btn-primary" @click="showCreateModal = true">
           <i class="pi pi-plus" />
           Create Network
         </button>
@@ -49,7 +49,7 @@
       <template #cell-actions="{ item }">
         <div class="table-actions">
           <button
-            v-if="!isSystemNetwork(item.name)"
+            v-if="canWrite && !isSystemNetwork(item.name)"
             class="btn-icon-xs"
             title="Connect container"
             @click="openConnectModal(item)"
@@ -57,7 +57,7 @@
             <i class="pi pi-link" />
           </button>
           <button
-            v-if="!isSystemNetwork(item.name)"
+            v-if="canDelete && !isSystemNetwork(item.name)"
             class="btn-icon-xs danger"
             title="Delete"
             @click="confirmDelete(item)"
@@ -80,7 +80,7 @@
                 <h4>{{ network.name }}</h4>
                 <span class="network-id">{{ network.id }}</span>
               </div>
-              <div v-if="!isSystemNetwork(network.name)" class="network-actions">
+              <div v-if="canDelete && !isSystemNetwork(network.name)" class="network-actions">
                 <button class="btn-icon-sm danger" title="Delete network" @click="confirmDelete(network)">
                   <i class="pi pi-trash" />
                 </button>
@@ -113,7 +113,11 @@
                     <i class="pi pi-box" />
                     Connected Containers ({{ network.containers?.length || 0 }})
                   </span>
-                  <button v-if="!isSystemNetwork(network.name)" class="btn-text" @click="openConnectModal(network)">
+                  <button
+                    v-if="canWrite && !isSystemNetwork(network.name)"
+                    class="btn-text"
+                    @click="openConnectModal(network)"
+                  >
                     <i class="pi pi-link" />
                     Connect
                   </button>
@@ -126,7 +130,7 @@
                       <span class="container-ip">{{ container.ipv4 }}</span>
                     </div>
                     <button
-                      v-if="!isSystemNetwork(network.name)"
+                      v-if="canWrite && !isSystemNetwork(network.name)"
                       class="btn-icon-xs"
                       title="Disconnect"
                       @click="disconnectContainer(network.name, container.name)"
@@ -250,10 +254,14 @@
 import { ref, reactive, onMounted } from "vue";
 import { networksApi } from "@/services/api";
 import { useNotificationsStore } from "@/stores/notifications";
+import { useAuthStore } from "@/stores/auth";
 import DataTable from "@/components/DataTable.vue";
 import type { Network } from "@/types";
 
 const notifications = useNotificationsStore();
+const authStore = useAuthStore();
+const canWrite = authStore.hasPermission("networks:write");
+const canDelete = authStore.hasPermission("networks:delete");
 const networks = ref<Network[]>([]);
 const loading = ref(false);
 
diff --git a/src/views/SecurityView.vue b/src/views/SecurityView.vue
index 5f6b83e..dda5589 100644
--- a/src/views/SecurityView.vue
+++ b/src/views/SecurityView.vue
@@ -179,7 +179,12 @@
                 </div>
                 <div class="top-actions">
                   <span class="top-count">{{ ip.event_count }}</span>
-                  <button class="btn btn-icon btn-sm" title="Block IP" @click="showBlockIPDialog(ip.ip)">
+                  <button
+                    v-if="canWrite"
+                    class="btn btn-icon btn-sm"
+                    title="Block IP"
+                    @click="showBlockIPDialog(ip.ip)"
+                  >
                     <i class="pi pi-ban" />
                   </button>
                 </div>
@@ -202,7 +207,12 @@
               <span class="critical-event-type">{{ formatEventType(event.event_type) }}</span>
               <code class="critical-event-ip">{{ event.source_ip }}</code>
               <span class="critical-event-path">{{ event.request_path || "-" }}</span>
-              <button class="btn btn-icon btn-sm" title="Block IP" @click="showBlockIPDialog(event.source_ip)">
+              <button
+                v-if="canWrite"
+                class="btn btn-icon btn-sm"
+                title="Block IP"
+                @click="showBlockIPDialog(event.source_ip)"
+              >
                 <i class="pi pi-ban" />
               </button>
             </div>
@@ -298,7 +308,12 @@
                 </td>
                 <td>{{ event.status_code || "-" }}</td>
                 <td class="actions-cell">
-                  <button class="btn btn-icon btn-sm" title="Block IP" @click="showBlockIPDialog(event.source_ip)">
+                  <button
+                    v-if="canWrite"
+                    class="btn btn-icon btn-sm"
+                    title="Block IP"
+                    @click="showBlockIPDialog(event.source_ip)"
+                  >
                     <i class="pi pi-ban" />
                   </button>
                 </td>
@@ -331,7 +346,7 @@
       <div v-show="activeTab === 'blocked'" class="tab-content">
         <div class="section-header">
           <h3>Blocked IP Addresses</h3>
-          <button class="btn btn-primary btn-sm" @click="showAddBlockDialog = true">
+          <button v-if="canWrite" class="btn btn-primary btn-sm" @click="showAddBlockDialog = true">
             <i class="pi pi-plus" />
             Block IP
           </button>
@@ -355,6 +370,7 @@
                 </div>
               </div>
               <button
+                v-if="canWrite"
                 class="btn btn-danger-ghost btn-sm"
                 :disabled="unblockingIP === ip.ip"
                 @click="handleUnblockIP(ip.ip)"
@@ -372,7 +388,7 @@
       <div v-show="activeTab === 'routes'" class="tab-content">
         <div class="section-header">
           <h3>Protected Routes</h3>
-          <button class="btn btn-primary btn-sm" @click="showAddRouteDialog = true">
+          <button v-if="canWrite" class="btn btn-primary btn-sm" @click="showAddRouteDialog = true">
             <i class="pi pi-plus" />
             Add Route
           </button>
@@ -394,14 +410,19 @@
                 </div>
               </div>
               <div class="route-actions">
-                <label class="toggle-switch small">
+                <label v-if="canWrite" class="toggle-switch small">
                   <input type="checkbox" :checked="route.enabled" @change="toggleRoute(route)" />
                   <span class="toggle-slider" />
                 </label>
-                <button class="btn btn-icon btn-sm" title="Edit" @click="editRoute(route)">
+                <button v-if="canWrite" class="btn btn-icon btn-sm" title="Edit" @click="editRoute(route)">
                   <i class="pi pi-pencil" />
                 </button>
-                <button class="btn btn-icon btn-danger-ghost btn-sm" title="Delete" @click="confirmDeleteRoute(route)">
+                <button
+                  v-if="canWrite"
+                  class="btn btn-icon btn-danger-ghost btn-sm"
+                  title="Delete"
+                  @click="confirmDeleteRoute(route)"
+                >
                   <i class="pi pi-trash" />
                 </button>
               </div>
@@ -409,7 +430,7 @@
           </div>
         </div>
 
-        <div class="presets-section">
+        <div v-if="canWrite" class="presets-section">
           <h4>Quick Presets</h4>
           <div class="presets-row">
             <button class="preset-btn" @click="addPreset('wp-login')">
@@ -431,7 +452,12 @@
       <!-- Health Tab -->
       <div v-show="activeTab === 'health'" class="tab-content">
         <div class="health-actions">
-          <button class="btn btn-secondary" :disabled="refreshingScripts" @click="refreshSecurityScripts">
+          <button
+            v-if="canWrite"
+            class="btn btn-secondary"
+            :disabled="refreshingScripts"
+            @click="refreshSecurityScripts"
+          >
             <i class="pi pi-sync" :class="{ 'pi-spin': refreshingScripts }" />
             {{ refreshingScripts ? "Regenerating..." : "Regenerate Security Scripts" }}
           </button>
@@ -460,11 +486,11 @@
                 </div>
               </div>
               <div class="setting-control">
-                <label class="toggle-switch" :class="{ disabled: togglingRealtimeCapture }">
+                <label class="toggle-switch" :class="{ disabled: togglingRealtimeCapture || !canWrite }">
                   <input
                     type="checkbox"
                     :checked="realtimeCapture"
-                    :disabled="togglingRealtimeCapture"
+                    :disabled="togglingRealtimeCapture || !canWrite"
                     @change="toggleRealtimeCapture"
                   />
                   <span class="toggle-slider" />
@@ -620,12 +646,15 @@ import { ref, reactive, onMounted } from "vue";
 import { storeToRefs } from "pinia";
 import { useSecurityStore } from "@/stores/security";
 import { useNotificationsStore } from "@/stores/notifications";
+import { useAuthStore } from "@/stores/auth";
 import type { ProtectedRoute } from "@/types";
 import SecurityHealthCard from "@/components/SecurityHealthCard.vue";
 import TrafficDashboard from "@/components/TrafficDashboard.vue";
 
 const securityStore = useSecurityStore();
 const notifications = useNotificationsStore();
+const authStore = useAuthStore();
+const canWrite = authStore.hasPermission("security:write");
 
 const loading = ref(false);
 const activeTab = ref("stats");
diff --git a/src/views/ServicesView.vue b/src/views/ServicesView.vue
index bea4490..67514fd 100644
--- a/src/views/ServicesView.vue
+++ b/src/views/ServicesView.vue
@@ -61,7 +61,7 @@
       <template #cell-actions="{ item }">
         <div class="action-buttons">
           <button
-            v-if="item.active !== 'active'"
+            v-if="canWrite && item.active !== 'active'"
             class="action-btn start"
             title="Start Service"
             @click.stop="controlService(item.name, 'start')"
@@ -69,14 +69,19 @@
             <Play :size="14" />
           </button>
           <button
-            v-if="item.active === 'active'"
+            v-if="canWrite && item.active === 'active'"
             class="action-btn stop"
             title="Stop Service"
             @click.stop="controlService(item.name, 'stop')"
           >
             <Square :size="14" />
           </button>
-          <button class="action-btn restart" title="Restart Service" @click.stop="controlService(item.name, 'restart')">
+          <button
+            v-if="canWrite"
+            class="action-btn restart"
+            title="Restart Service"
+            @click.stop="controlService(item.name, 'restart')"
+          >
             <RotateCw :size="14" />
           </button>
         </div>
@@ -89,6 +94,7 @@
 import { ref, computed, onMounted } from "vue";
 import { systemServicesApi } from "@/services/api";
 import { useNotificationsStore } from "@/stores/notifications";
+import { useAuthStore } from "@/stores/auth";
 import DataTable from "@/components/DataTable.vue";
 import { RefreshCw, Cog, Play, Square, RotateCw } from "lucide-vue-next";
 
@@ -101,6 +107,8 @@ interface SystemService {
   sub: string;
 }
 
+const authStore = useAuthStore();
+const canWrite = authStore.hasPermission("system:write");
 const allServices = ref<SystemService[]>([]);
 const loading = ref(false);
 const activeFilter = ref("all");
diff --git a/src/views/SettingsView.test.ts b/src/views/SettingsView.test.ts
index 6358a0c..f07585e 100644
--- a/src/views/SettingsView.test.ts
+++ b/src/views/SettingsView.test.ts
@@ -2,6 +2,7 @@ import { describe, it, expect, vi, beforeEach } from "vitest";
 import { mount, flushPromises } from "@vue/test-utils";
 import { createTestingPinia } from "@pinia/testing";
 import SettingsView from "./SettingsView.vue";
+import { useAuthStore } from "@/stores/auth";
 
 vi.mock("@/services/api", () => ({
   settingsApi: {
@@ -72,13 +73,12 @@ describe("SettingsView", () => {
   });
 
   const mountView = () => {
+    const pinia = createTestingPinia({ createSpy: vi.fn });
+    const authStore = useAuthStore(pinia);
+    (authStore.hasPermission as ReturnType<typeof vi.fn>).mockReturnValue(true);
     return mount(SettingsView, {
       global: {
-        plugins: [
-          createTestingPinia({
-            createSpy: vi.fn,
-          }),
-        ],
+        plugins: [pinia],
       },
     });
   };
diff --git a/src/views/SettingsView.vue b/src/views/SettingsView.vue
index de6d00c..4bfdede 100644
--- a/src/views/SettingsView.vue
+++ b/src/views/SettingsView.vue
@@ -186,7 +186,7 @@
               </div>
             </div>
 
-            <div class="card-footer">
+            <div v-if="canWriteSettings" class="card-footer">
               <button class="btn btn-primary" :disabled="savingDomain" @click="saveDomainSettings">
                 <i v-if="savingDomain" class="pi pi-spin pi-spinner" />
                 <i v-else class="pi pi-save" />
@@ -472,7 +472,7 @@
           </div>
         </div>
 
-        <div class="save-footer">
+        <div v-if="canWriteSettings" class="save-footer">
           <button class="btn btn-primary" :disabled="savingInfrastructure" @click="saveInfrastructureSettings">
             <i v-if="savingInfrastructure" class="pi pi-spin pi-spinner" />
             <i v-else class="pi pi-save" />
@@ -609,7 +609,7 @@
           </div>
         </div>
 
-        <div class="save-footer">
+        <div v-if="canWriteSettings" class="save-footer">
           <button class="btn btn-primary" :disabled="savingSecurity" @click="saveSecuritySettings">
             <i v-if="savingSecurity" class="pi pi-spin pi-spinner" />
             <i v-else class="pi pi-save" />
@@ -630,7 +630,7 @@
             <i class="pi pi-key" />
             <h3>Registry Credentials</h3>
             <button
-              v-if="!showAddCredentialForm"
+              v-if="canWriteRegistries && !showAddCredentialForm"
               class="btn btn-primary btn-sm header-action"
               @click="showAddCredentialForm = true"
             >
@@ -741,7 +741,7 @@
                     <span v-if="cred.is_default" class="credential-badge default">Default</span>
                   </div>
                 </div>
-                <div class="credential-actions">
+                <div v-if="canDeleteRegistries" class="credential-actions">
                   <button
                     class="btn btn-icon btn-danger-ghost"
                     :disabled="deletingCredentialId === cred.id"
@@ -790,10 +790,15 @@ import { settingsApi, healthApi, templatesApi, credentialsApi } from "@/services
 import type { DomainSettings } from "@/services/api";
 import type { RegistryCredential } from "@/types";
 import { useNotificationsStore } from "@/stores/notifications";
+import { useAuthStore } from "@/stores/auth";
 import SecurityHealthCard from "@/components/SecurityHealthCard.vue";
 
 declare const __APP_VERSION__: string;
 
+const authStore = useAuthStore();
+const canWriteSettings = authStore.hasPermission("settings:write");
+const canWriteRegistries = authStore.hasPermission("registries:write");
+const canDeleteRegistries = authStore.hasPermission("registries:delete");
 const notifications = useNotificationsStore();
 const loading = ref(false);
 const savingDomain = ref(false);
diff --git a/src/views/SystemPortsView.vue b/src/views/SystemPortsView.vue
index 249afdb..e80615f 100644
--- a/src/views/SystemPortsView.vue
+++ b/src/views/SystemPortsView.vue
@@ -48,6 +48,7 @@
       <template #cell-actions="{ item }">
         <div class="action-buttons">
           <button
+            v-if="canWrite"
             class="action-btn kill"
             title="Kill Process"
             :disabled="!item.pid"
@@ -110,6 +111,7 @@
 import { ref, computed, onMounted } from "vue";
 import { portsApi } from "@/services/api";
 import { useNotificationsStore } from "@/stores/notifications";
+import { useAuthStore } from "@/stores/auth";
 import DataTable from "@/components/DataTable.vue";
 import { RefreshCw, Trash2, Network, AlertTriangle, X } from "lucide-vue-next";
 
@@ -122,6 +124,8 @@ interface Port {
   state: string;
 }
 
+const authStore = useAuthStore();
+const canWrite = authStore.hasPermission("system:write");
 const ports = ref<Port[]>([]);
 const loading = ref(false);
 const showKillModal = ref(false);
diff --git a/src/views/UsersView.vue b/src/views/UsersView.vue
index 5656827..ade2c0c 100644
--- a/src/views/UsersView.vue
+++ b/src/views/UsersView.vue
@@ -6,7 +6,7 @@
         <button class="btn btn-icon" :disabled="loading" @click="loadUsers">
           <i class="pi pi-refresh" :class="{ 'pi-spin': loading }" />
         </button>
-        <button class="btn btn-primary" @click="showCreateDialog = true">
+        <button v-if="canWrite" class="btn btn-primary" @click="showCreateDialog = true">
           <i class="pi pi-plus" />
           <span>Add User</span>
         </button>
@@ -32,8 +32,9 @@
               <th>Username</th>
               <th>Email</th>
               <th>Role</th>
+              <th>Permissions</th>
+              <th>Deployments</th>
               <th>Status</th>
-              <th>Last Login</th>
               <th>Actions</th>
             </tr>
           </thead>
@@ -47,21 +48,26 @@
               <td>
                 <span class="role-badge" :class="user.role">{{ user.role }}</span>
               </td>
+              <td>
+                <span v-if="user.permissions && user.permissions.length" class="perm-indicator custom">
+                  Custom ({{ user.permissions.length }})
+                </span>
+                <span v-else class="perm-indicator default">Role defaults</span>
+              </td>
+              <td>
+                <span class="deploy-count">{{ user.deployment_count ?? 0 }}</span>
+              </td>
               <td>
                 <span class="status-badge" :class="user.is_active ? 'active' : 'inactive'">
                   {{ user.is_active ? "Active" : "Inactive" }}
                 </span>
               </td>
-              <td>{{ formatDate(user.last_login_at) }}</td>
               <td class="actions-cell">
-                <button class="btn btn-icon btn-sm" title="Edit" @click="editUser(user)">
+                <button v-if="canWrite" class="btn btn-icon btn-sm" title="Edit" @click="editUser(user)">
                   <i class="pi pi-pencil" />
                 </button>
-                <button class="btn btn-icon btn-sm" title="Manage Deployments" @click="manageDeployments(user)">
-                  <i class="pi pi-box" />
-                </button>
                 <button
-                  v-if="user.id !== currentUser?.id"
+                  v-if="canDelete && user.id !== currentUser?.id"
                   class="btn btn-icon btn-sm btn-danger"
                   title="Delete"
                   @click="confirmDelete(user)"
@@ -84,85 +90,139 @@
             <i class="pi pi-times" />
           </button>
         </div>
+        <div class="dialog-tabs">
+          <button
+            class="tab-btn"
+            :class="{ active: activeTab === 'profile' }"
+            type="button"
+            @click="activeTab = 'profile'"
+          >
+            <i class="pi pi-user" />
+            Profile
+          </button>
+          <button
+            class="tab-btn"
+            :class="{ active: activeTab === 'permissions' }"
+            type="button"
+            @click="activeTab = 'permissions'"
+          >
+            <i class="pi pi-shield" />
+            Permissions
+          </button>
+          <button
+            v-if="showEditDialog"
+            class="tab-btn"
+            :class="{ active: activeTab === 'deployments' }"
+            type="button"
+            @click="activeTab = 'deployments'"
+          >
+            <i class="pi pi-box" />
+            Deployments
+            <span v-if="userDeployments.length" class="tab-count">{{ userDeployments.length }}</span>
+          </button>
+        </div>
         <form @submit.prevent="showEditDialog ? updateUser() : createUser()">
-          <div class="form-group">
-            <label>Username</label>
-            <input v-model="formData.username" type="text" required :disabled="showEditDialog" />
-          </div>
-          <div class="form-group">
-            <label>Email</label>
-            <input v-model="formData.email" type="email" />
-          </div>
-          <div v-if="!showEditDialog" class="form-group">
-            <label>Password</label>
-            <input v-model="formData.password" type="password" required />
-          </div>
-          <div class="form-group">
-            <label>Role</label>
-            <select v-model="formData.role" required>
-              <option value="admin">Admin</option>
-              <option value="operator">Operator</option>
-              <option value="viewer">Viewer</option>
-            </select>
-          </div>
-          <div v-if="showEditDialog" class="form-group">
-            <label class="checkbox-label">
-              <input v-model="formData.is_active" type="checkbox" />
-              <span>Active</span>
-            </label>
-          </div>
-          <div class="modal-actions">
-            <button type="button" class="btn" @click="closeDialogs">Cancel</button>
-            <button type="submit" class="btn btn-primary" :disabled="saving">
-              {{ saving ? "Saving..." : showEditDialog ? "Update" : "Create" }}
-            </button>
+          <!-- Profile Tab -->
+          <div v-show="activeTab === 'profile'" class="tab-panel">
+            <div class="form-group">
+              <label>Username</label>
+              <input v-model="formData.username" type="text" required :disabled="showEditDialog" />
+            </div>
+            <div class="form-group">
+              <label>Email</label>
+              <input v-model="formData.email" type="email" />
+            </div>
+            <div v-if="!showEditDialog" class="form-group">
+              <label>Password</label>
+              <input v-model="formData.password" type="password" required />
+            </div>
+            <div class="form-group">
+              <label>Role</label>
+              <select v-model="formData.role" required>
+                <option value="admin">Admin</option>
+                <option value="operator">Operator</option>
+                <option value="viewer">Viewer</option>
+              </select>
+            </div>
+            <div v-if="showEditDialog" class="form-group">
+              <label class="checkbox-label">
+                <input v-model="formData.is_active" type="checkbox" />
+                <span>Active</span>
+              </label>
+            </div>
           </div>
-        </form>
-      </div>
-    </div>
 
-    <!-- Deployments Dialog -->
-    <div v-if="showDeploymentsDialog" class="modal-overlay" @click.self="closeDialogs">
-      <div class="modal-content modal-lg">
-        <div class="modal-header">
-          <h2>Deployment Access for {{ selectedUser?.username }}</h2>
-          <button class="btn btn-icon" @click="closeDialogs">
-            <i class="pi pi-times" />
-          </button>
-        </div>
-        <div class="deployments-manager">
-          <div class="add-deployment-form">
-            <select v-model="newDeployment.name">
-              <option value="">Select deployment...</option>
-              <option v-for="dep in availableDeployments" :key="dep" :value="dep">{{ dep }}</option>
-            </select>
-            <select v-model="newDeployment.access_level">
-              <option value="read">Read</option>
-              <option value="write">Write</option>
-              <option value="admin">Admin</option>
-            </select>
-            <button class="btn btn-primary btn-sm" :disabled="!newDeployment.name" @click="addDeploymentAccess">
-              Add
-            </button>
+          <!-- Permissions Tab -->
+          <div v-show="activeTab === 'permissions'" class="tab-panel">
+            <div class="form-group">
+              <label class="checkbox-label">
+                <input v-model="formData.useCustomPermissions" type="checkbox" @change="onCustomPermissionsToggle" />
+                <span>Customize permissions</span>
+              </label>
+              <p v-if="!formData.useCustomPermissions" class="tab-hint">
+                Using <span class="role-perm-badge" :class="formData.role">{{ formData.role }}</span> role defaults.
+                Enable the checkbox above to override.
+              </p>
+            </div>
+            <PermissionPicker v-if="formData.useCustomPermissions" v-model="formData.customPermissions" />
+            <PermissionPicker v-else :model-value="selectedRolePermissions" readonly />
           </div>
-          <div v-if="userDeployments.length" class="deployments-list">
-            <div v-for="dep in userDeployments" :key="dep.deployment_name" class="deployment-item">
-              <span class="deployment-name">{{ dep.deployment_name }}</span>
-              <select :value="dep.access_level" @change="updateDeploymentAccess(dep.deployment_name, ($event.target as HTMLSelectElement).value)">
+
+          <!-- Deployments Tab (edit only) -->
+          <div v-if="showEditDialog" v-show="activeTab === 'deployments'" class="tab-panel">
+            <p class="tab-hint">Control which deployments this user can access and at what level.</p>
+            <div class="add-deployment-form">
+              <select v-model="newDeployment.name">
+                <option value="">Select deployment...</option>
+                <option v-for="dep in availableDeployments" :key="dep" :value="dep">{{ dep }}</option>
+              </select>
+              <select v-model="newDeployment.access_level">
                 <option value="read">Read</option>
                 <option value="write">Write</option>
                 <option value="admin">Admin</option>
               </select>
-              <button class="btn btn-icon btn-sm btn-danger" @click="removeDeploymentAccess(dep.deployment_name)">
-                <i class="pi pi-times" />
+              <button
+                type="button"
+                class="btn btn-primary btn-sm"
+                :disabled="!newDeployment.name"
+                @click="addDeploymentAccess"
+              >
+                Add
               </button>
             </div>
+            <div v-if="userDeployments.length" class="deployments-list">
+              <div v-for="dep in userDeployments" :key="dep.deployment_name" class="deployment-item">
+                <span class="deployment-name">{{ dep.deployment_name }}</span>
+                <select
+                  :value="dep.access_level"
+                  @change="updateDeploymentAccess(dep.deployment_name, ($event.target as HTMLSelectElement).value)"
+                >
+                  <option value="read">Read</option>
+                  <option value="write">Write</option>
+                  <option value="admin">Admin</option>
+                </select>
+                <button
+                  type="button"
+                  class="btn btn-icon btn-sm btn-danger"
+                  @click="removeDeploymentAccess(dep.deployment_name)"
+                >
+                  <i class="pi pi-times" />
+                </button>
+              </div>
+            </div>
+            <div v-else class="no-deployments">
+              <i class="pi pi-info-circle" />
+              <span>No deployment access assigned</span>
+            </div>
           </div>
-          <div v-else class="no-deployments">
-            <i class="pi pi-info-circle" />
-            <span>No deployment access assigned</span>
+
+          <div class="modal-actions">
+            <button type="button" class="btn" @click="closeDialogs">Cancel</button>
+            <button type="submit" class="btn btn-primary" :disabled="saving">
+              {{ saving ? "Saving..." : showEditDialog ? "Update" : "Create" }}
+            </button>
           </div>
-        </div>
+        </form>
       </div>
     </div>
 
@@ -172,7 +232,10 @@
         <div class="modal-header">
           <h2>Delete User</h2>
         </div>
-        <p>Are you sure you want to delete user <strong>{{ selectedUser?.username }}</strong>?</p>
+        <p>
+          Are you sure you want to delete user <strong>{{ selectedUser?.username }}</strong
+          >?
+        </p>
         <div class="modal-actions">
           <button class="btn" @click="closeDialogs">Cancel</button>
           <button class="btn btn-danger" :disabled="saving" @click="deleteUser">
@@ -186,10 +249,12 @@
 
 <script setup lang="ts">
 import { ref, onMounted, computed } from "vue";
-import type { User, UserRole, UserDeploymentAccess } from "@/types";
+import type { User, UserRole, UserDeploymentAccess, Permission } from "@/types";
 import { useUsersStore } from "@/stores/users";
 import { useAuthStore } from "@/stores/auth";
 import { deploymentsApi } from "@/services/api";
+import PermissionPicker from "@/components/PermissionPicker.vue";
+import { getRolePermissions } from "@/utils/permissions";
 
 const usersStore = useUsersStore();
 const authStore = useAuthStore();
@@ -198,13 +263,15 @@ const users = computed(() => usersStore.users);
 const loading = computed(() => usersStore.loading);
 const error = computed(() => usersStore.error);
 const currentUser = computed(() => authStore.currentUser);
+const canWrite = computed(() => authStore.hasPermission("users:write" as Permission));
+const canDelete = computed(() => authStore.hasPermission("users:delete" as Permission));
 
 const showCreateDialog = ref(false);
 const showEditDialog = ref(false);
 const showDeleteDialog = ref(false);
-const showDeploymentsDialog = ref(false);
 const selectedUser = ref<User | null>(null);
 const saving = ref(false);
+const activeTab = ref<"profile" | "permissions" | "deployments">("profile");
 
 const formData = ref({
   username: "",
@@ -212,12 +279,22 @@ const formData = ref({
   password: "",
   role: "viewer" as UserRole,
   is_active: true,
+  useCustomPermissions: false,
+  customPermissions: [] as string[],
 });
 
 const userDeployments = ref<UserDeploymentAccess[]>([]);
 const allDeployments = ref<string[]>([]);
 const newDeployment = ref({ name: "", access_level: "read" });
 
+const selectedRolePermissions = computed(() => getRolePermissions(formData.value.role));
+
+const onCustomPermissionsToggle = () => {
+  if (formData.value.useCustomPermissions) {
+    formData.value.customPermissions = [...getRolePermissions(formData.value.role)];
+  }
+};
+
 const availableDeployments = computed(() => {
   const assigned = new Set(userDeployments.value.map((d) => d.deployment_name));
   return allDeployments.value.filter((d) => !assigned.has(d));
@@ -236,26 +313,24 @@ const loadAllDeployments = async () => {
   }
 };
 
-const editUser = (user: User) => {
+const editUser = async (user: User) => {
   selectedUser.value = user;
+  const hasCustom = Array.isArray(user.permissions) && user.permissions.length > 0;
   formData.value = {
     username: user.username,
     email: user.email || "",
     password: "",
     role: user.role,
     is_active: user.is_active,
+    useCustomPermissions: hasCustom,
+    customPermissions: hasCustom ? [...user.permissions!] : [...getRolePermissions(user.role)],
   };
-  showEditDialog.value = true;
-};
-
-const manageDeployments = async (user: User) => {
-  selectedUser.value = user;
   try {
     userDeployments.value = await usersStore.getUserDeployments(user.id);
   } catch {
     userDeployments.value = [];
   }
-  showDeploymentsDialog.value = true;
+  showEditDialog.value = true;
 };
 
 const confirmDelete = (user: User) => {
@@ -271,6 +346,7 @@ const createUser = async () => {
       email: formData.value.email || undefined,
       password: formData.value.password,
       role: formData.value.role,
+      permissions: formData.value.useCustomPermissions ? formData.value.customPermissions : undefined,
     });
     closeDialogs();
   } catch (e: any) {
@@ -284,10 +360,18 @@ const updateUser = async () => {
   if (!selectedUser.value) return;
   saving.value = true;
   try {
+    const hadCustom = Array.isArray(selectedUser.value.permissions) && selectedUser.value.permissions.length > 0;
+    let permissions: string[] | undefined;
+    if (formData.value.useCustomPermissions) {
+      permissions = formData.value.customPermissions;
+    } else if (hadCustom) {
+      permissions = [];
+    }
     await usersStore.updateUser(selectedUser.value.id, {
       email: formData.value.email || undefined,
       role: formData.value.role,
       is_active: formData.value.is_active,
+      permissions,
     });
     closeDialogs();
   } catch (e: any) {
@@ -313,7 +397,11 @@ const deleteUser = async () => {
 const addDeploymentAccess = async () => {
   if (!selectedUser.value || !newDeployment.value.name) return;
   try {
-    await usersStore.assignDeployment(selectedUser.value.id, newDeployment.value.name, newDeployment.value.access_level);
+    await usersStore.assignDeployment(
+      selectedUser.value.id,
+      newDeployment.value.name,
+      newDeployment.value.access_level,
+    );
     userDeployments.value.push({
       deployment_name: newDeployment.value.name,
       access_level: newDeployment.value.access_level as "read" | "write" | "admin",
@@ -352,7 +440,6 @@ const closeDialogs = () => {
   showCreateDialog.value = false;
   showEditDialog.value = false;
   showDeleteDialog.value = false;
-  showDeploymentsDialog.value = false;
   selectedUser.value = null;
   formData.value = {
     username: "",
@@ -360,18 +447,12 @@ const closeDialogs = () => {
     password: "",
     role: "viewer",
     is_active: true,
+    useCustomPermissions: false,
+    customPermissions: [],
   };
-};
-
-const formatDate = (date?: string) => {
-  if (!date) return "Never";
-  return new Date(date).toLocaleDateString(undefined, {
-    year: "numeric",
-    month: "short",
-    day: "numeric",
-    hour: "2-digit",
-    minute: "2-digit",
-  });
+  userDeployments.value = [];
+  newDeployment.value = { name: "", access_level: "read" };
+  activeTab.value = "profile";
 };
 
 onMounted(() => {
@@ -497,6 +578,29 @@ onMounted(() => {
   color: var(--text-secondary);
 }
 
+.perm-indicator {
+  display: inline-block;
+  padding: 0.25rem 0.5rem;
+  border-radius: 4px;
+  font-size: 0.75rem;
+  font-weight: 500;
+}
+
+.perm-indicator.custom {
+  background: rgba(var(--warning-rgb), 0.1);
+  color: var(--warning);
+}
+
+.perm-indicator.default {
+  background: var(--surface-ground);
+  color: var(--text-secondary);
+}
+
+.deploy-count {
+  font-weight: 500;
+  color: var(--text-secondary);
+}
+
 .actions-cell {
   display: flex;
   gap: 0.25rem;
@@ -519,13 +623,13 @@ onMounted(() => {
   background: var(--surface-card);
   border-radius: 8px;
   width: 100%;
-  max-width: 480px;
+  max-width: 720px;
   max-height: 90vh;
   overflow-y: auto;
 }
 
 .modal-content.modal-lg {
-  max-width: 640px;
+  max-width: 720px;
 }
 
 .modal-content.modal-sm {
@@ -545,11 +649,75 @@ onMounted(() => {
   font-weight: 600;
 }
 
-.modal-content form,
 .modal-content p {
   padding: 1.5rem;
 }
 
+.dialog-tabs {
+  display: flex;
+  border-bottom: 1px solid var(--surface-border);
+  padding: 0 1.5rem;
+  gap: 0;
+}
+
+.tab-btn {
+  display: inline-flex;
+  align-items: center;
+  gap: 0.375rem;
+  padding: 0.75rem 1rem;
+  border: none;
+  background: none;
+  color: var(--text-secondary);
+  font-size: 0.875rem;
+  font-weight: 500;
+  cursor: pointer;
+  border-bottom: 2px solid transparent;
+  margin-bottom: -1px;
+  transition:
+    color 0.15s,
+    border-color 0.15s;
+}
+
+.tab-btn:hover {
+  color: var(--text-primary);
+}
+
+.tab-btn.active {
+  color: var(--primary, #3b82f6);
+  border-bottom-color: var(--primary, #3b82f6);
+}
+
+.tab-count {
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  min-width: 1.25rem;
+  height: 1.25rem;
+  padding: 0 0.375rem;
+  border-radius: 999px;
+  background: var(--surface-ground);
+  font-size: 0.6875rem;
+  font-weight: 600;
+  color: var(--text-secondary);
+}
+
+.tab-btn.active .tab-count {
+  background: rgba(var(--primary-rgb, 59, 130, 246), 0.1);
+  color: var(--primary, #3b82f6);
+}
+
+.tab-panel {
+  padding: 1.5rem;
+  min-height: 200px;
+}
+
+.tab-hint {
+  margin: 0.25rem 0 1rem;
+  font-size: 0.8125rem;
+  color: var(--text-secondary);
+  padding: 0;
+}
+
 .form-group {
   margin-bottom: 1rem;
 }
@@ -571,17 +739,42 @@ onMounted(() => {
   color: var(--text-primary);
 }
 
-.checkbox-label {
+.form-group label.checkbox-label {
   display: flex;
   align-items: center;
   gap: 0.5rem;
   cursor: pointer;
 }
 
-.checkbox-label input {
+.form-group label.checkbox-label input {
   width: auto;
 }
 
+.role-perm-badge {
+  display: inline-block;
+  padding: 0.125rem 0.375rem;
+  border-radius: 4px;
+  font-size: 0.6875rem;
+  font-weight: 500;
+  text-transform: capitalize;
+  margin-left: 0.375rem;
+}
+
+.role-perm-badge.admin {
+  background: rgba(var(--danger-rgb), 0.1);
+  color: var(--danger);
+}
+
+.role-perm-badge.operator {
+  background: rgba(var(--warning-rgb), 0.1);
+  color: var(--warning);
+}
+
+.role-perm-badge.viewer {
+  background: rgba(var(--info-rgb), 0.1);
+  color: var(--info);
+}
+
 .modal-actions {
   display: flex;
   justify-content: flex-end;
@@ -590,10 +783,6 @@ onMounted(() => {
   border-top: 1px solid var(--surface-border);
 }
 
-.deployments-manager {
-  padding: 1.5rem;
-}
-
 .add-deployment-form {
   display: flex;
   gap: 0.5rem;
@@ -667,12 +856,13 @@ onMounted(() => {
 }
 
 .btn-primary {
-  background: var(--primary);
+  background: var(--primary, #3b82f6);
   color: white;
+  font-weight: 600;
 }
 
 .btn-primary:hover {
-  background: var(--primary-dark);
+  background: var(--primary-dark, #2563eb);
 }
 
 .btn-danger {
diff --git a/src/views/VolumesView.vue b/src/views/VolumesView.vue
index a67f4ee..c2efa67 100644
--- a/src/views/VolumesView.vue
+++ b/src/views/VolumesView.vue
@@ -33,7 +33,7 @@
       default-view-mode="grid"
     >
       <template #actions>
-        <button class="btn btn-primary" @click="showCreateModal = true">
+        <button v-if="canWrite" class="btn btn-primary" @click="showCreateModal = true">
           <i class="pi pi-plus" />
           Create Volume
         </button>
@@ -41,14 +41,14 @@
           <i class="pi pi-refresh" :class="{ 'pi-spin': loading }" />
           Refresh
         </button>
-        <button class="btn btn-warning" :disabled="unusedVolumes === 0" @click="pruneVolumes">
+        <button v-if="canDelete" class="btn btn-warning" :disabled="unusedVolumes === 0" @click="pruneVolumes">
           <i class="pi pi-trash" />
           Prune Unused
         </button>
       </template>
 
       <template #empty-action>
-        <button class="btn btn-primary" @click="showCreateModal = true">
+        <button v-if="canWrite" class="btn btn-primary" @click="showCreateModal = true">
           <i class="pi pi-plus" />
           Create Volume
         </button>
@@ -82,6 +82,7 @@
             <i class="pi pi-info-circle" />
           </button>
           <button
+            v-if="canDelete"
             class="action-btn delete"
             title="Remove"
             :disabled="item.in_use"
@@ -167,6 +168,7 @@
                 <i class="pi pi-info-circle" />
               </button>
               <button
+                v-if="canDelete"
                 class="action-btn delete"
                 title="Remove"
                 :disabled="volume.in_use"
@@ -180,7 +182,7 @@
       </template>
 
       <template #bulk-actions="{ selectedItems, clearSelection }">
-        <button class="btn btn-sm btn-danger" @click="bulkRemove(selectedItems, clearSelection)">
+        <button v-if="canDelete" class="btn btn-sm btn-danger" @click="bulkRemove(selectedItems, clearSelection)">
           <i class="pi pi-trash" /> Remove
         </button>
       </template>
@@ -278,6 +280,7 @@
 <script setup lang="ts">
 import { ref, computed, onMounted } from "vue";
 import { volumesApi } from "@/services/api";
+import { useAuthStore } from "@/stores/auth";
 import DataTable from "@/components/DataTable.vue";
 import ConfirmModal from "@/components/ConfirmModal.vue";
 
@@ -292,6 +295,9 @@ interface Volume {
   containers?: string[];
 }
 
+const authStore = useAuthStore();
+const canWrite = authStore.hasPermission("volumes:write");
+const canDelete = authStore.hasPermission("volumes:delete");
 const volumes = ref<Volume[]>([]);
 const loading = ref(false);
 const showCreateModal = ref(false);