RocketChat · KevLehman · May 5, 2026 · May 5, 2026 · May 6, 2026 · May 6, 2026
diff --git a/.changeset/brave-fans-tie.md b/.changeset/brave-fans-tie.md
@@ -0,0 +1,6 @@
+---
+"@rocket.chat/meteor": patch
+"@rocket.chat/i18n": patch
+---
+
+Adds 4 new permissions (assigned to admins by default) to control the visibility of each tab inside the ABAC Administration panel
@@ -13,6 +13,7 @@ import RoomsContextualBarWithData from './ABACRoomsTab/RoomsContextualBarWithDat
 import RoomsPage from './ABACRoomsTab/RoomsPage';
 import SettingsPage from './ABACSettingTab/SettingsPage';
 import AdminABACTabs from './AdminABACTabs';
+import { useABACTabPermissions } from './hooks/useABACTabPermissions';
 import { useIsABACAvailable } from './hooks/useIsABACAvailable';
 import { useExternalLink } from '../../../hooks/useExternalLink';
 import { useLdapSync } from '../../../hooks/useLdapSync';
@@ -34,6 +35,7 @@ const AdminABACPage = ({ shouldShowWarning }: AdminABACPageProps) => {
 	const abacEnabled = useSetting('ABAC_Enabled');
 	const handleSyncNow = useLdapSync();
 	const isSyncDisabled = !ldapEnabled || !abacEnabled;
+	const tabPermissions = useABACTabPermissions();
 
 	const handleCloseContextualbar = useEffectEvent((): void => {
 		if (!context) {
@@ -84,21 +86,21 @@ const AdminABACPage = ({ shouldShowWarning }: AdminABACPageProps) => {
 				)}
 				<AdminABACTabs />
 				<PageContent>
-					{tab === 'settings' && <SettingsPage />}
-					{tab === 'room-attributes' && <AttributesPage />}
-					{tab === 'rooms' && <RoomsPage />}
-					{tab === 'logs' && <LogsPage />}
+					{tab === 'settings' && tabPermissions.settings && <SettingsPage />}
+					{tab === 'room-attributes' && tabPermissions['room-attributes'] && <AttributesPage />}
+					{tab === 'rooms' && tabPermissions.rooms && <RoomsPage />}
+					{tab === 'logs' && tabPermissions.logs && <LogsPage />}
 				</PageContent>
 			</Page>
 			{isABACAvailable === true && tab !== undefined && context !== undefined && (
 				<ContextualbarDialog onClose={() => handleCloseContextualbar()}>
-					{tab === 'room-attributes' && (
+					{tab === 'room-attributes' && tabPermissions['room-attributes'] && (
 						<>
 							{context === 'new' && <AttributesContextualBar onClose={() => handleCloseContextualbar()} />}
 							{context === 'edit' && _id && <AttributesContextualBarWithData id={_id} onClose={() => handleCloseContextualbar()} />}
 						</>
 					)}
-					{tab === 'rooms' && (
+					{tab === 'rooms' && tabPermissions.rooms && (
 						<>
 							{context === 'new' && <RoomsContextualBar onClose={() => handleCloseContextualbar()} />}
 							{context === 'edit' && _id && <RoomsContextualBarWithData id={_id} onClose={() => handleCloseContextualbar()} />}

@@ -4,6 +4,8 @@ import { memo, useEffect, useLayoutEffect } from 'react';
 import { useTranslation } from 'react-i18next';
 
 import AdminABACPage from './AdminABACPage';
+import type { ABACTab } from './hooks/useABACTabPermissions';
+import { ABAC_TAB_ORDER, useABACTabPermissions } from './hooks/useABACTabPermissions';
 import ABACUpsellModal from '../../../components/ABAC/ABACUpsellModal/ABACUpsellModal';
 import { useUpsellActions } from '../../../components/GenericUpsellModal/hooks';
 import PageSkeleton from '../../../components/PageSkeleton';
@@ -14,24 +16,28 @@ import EditableSettingsProvider from '../settings/EditableSettingsProvider';
 
 const AdminABACRoute = (): ReactElement => {
 	const { t } = useTranslation();
-	// TODO: Check what permission is needed to view the ABAC page
 	const canViewABACPage = usePermission('abac-management');
 	const { data: hasABAC = false } = useHasLicenseModule('abac');
 	const isModalOpen = !!useCurrentModal();
 	const tab = useRouteParameter('tab');
 	const router = useRouter();
+	const tabPermissions = useABACTabPermissions();
+	const firstAllowedTab = ABAC_TAB_ORDER.find((t) => tabPermissions[t]);
+	const isAllowedTab = (ABAC_TAB_ORDER as readonly string[]).includes(tab ?? '') && tabPermissions[tab as ABACTab];
 
-	// Check if setting exists in the DB to decide if we show warning or upsell
 	const ABACEnabledSetting = useSettingStructure('ABAC_Enabled');
 
 	useLayoutEffect(() => {
-		if (!tab) {
-			router.navigate({
-				name: 'admin-ABAC',
-				params: { tab: 'settings' },
-			});
+		if (firstAllowedTab && !isAllowedTab) {
+			router.navigate(
+				{
+					name: 'admin-ABAC',
+					params: { tab: firstAllowedTab },
+				},
+				{ replace: true },
+			);
 		}
-	}, [tab, router]);
+	}, [router, firstAllowedTab, isAllowedTab]);
 
 	const { shouldShowUpsell, handleManageSubscription } = useUpsellActions(hasABAC);
 
@@ -48,7 +54,7 @@ const AdminABACRoute = (): ReactElement => {
 		return <PageSkeleton />;
 	}
 
-	if (!canViewABACPage || (ABACEnabledSetting === undefined && !hasABAC)) {
+	if (!canViewABACPage || !firstAllowedTab || (ABACEnabledSetting === undefined && !hasABAC)) {
 		return <NotAuthorizedPage />;
 	}
 

@@ -2,10 +2,13 @@ import { Tabs, TabsItem } from '@rocket.chat/fuselage';
 import { useRouteParameter, useRouter } from '@rocket.chat/ui-contexts';
 import { useTranslation } from 'react-i18next';
 
+import { useABACTabPermissions } from './hooks/useABACTabPermissions';
+
 const AdminABACTabs = () => {
 	const { t } = useTranslation();
 	const router = useRouter();
 	const tab = useRouteParameter('tab');
+	const tabPermissions = useABACTabPermissions();
 	const handleTabClick = (tab: string) => {
 		router.navigate({
 			name: 'admin-ABAC',
@@ -14,18 +17,26 @@ const AdminABACTabs = () => {
 	};
 	return (
 		<Tabs>
-			<TabsItem selected={tab === 'settings'} onClick={() => handleTabClick('settings')}>
-				{t('Settings')}
-			</TabsItem>
-			<TabsItem selected={tab === 'room-attributes'} onClick={() => handleTabClick('room-attributes')}>
-				{t('ABAC_Room_Attributes')}
-			</TabsItem>
-			<TabsItem selected={tab === 'rooms'} onClick={() => handleTabClick('rooms')}>
-				{t('Rooms')}
-			</TabsItem>
-			<TabsItem selected={tab === 'logs'} onClick={() => handleTabClick('logs')}>
-				{t('ABAC_Logs')}
-			</TabsItem>
+			{tabPermissions.settings && (
+				<TabsItem selected={tab === 'settings'} onClick={() => handleTabClick('settings')}>
+					{t('Settings')}
+				</TabsItem>
+			)}
+			{tabPermissions['room-attributes'] && (
+				<TabsItem selected={tab === 'room-attributes'} onClick={() => handleTabClick('room-attributes')}>
+					{t('ABAC_Room_Attributes')}
+				</TabsItem>
+			)}
+			{tabPermissions.rooms && (
+				<TabsItem selected={tab === 'rooms'} onClick={() => handleTabClick('rooms')}>
+					{t('Rooms')}
+				</TabsItem>
+			)}
+			{tabPermissions.logs && (
+				<TabsItem selected={tab === 'logs'} onClick={() => handleTabClick('logs')}>
+					{t('ABAC_Logs')}
+				</TabsItem>
+			)}
 		</Tabs>
 	);
 };

@@ -0,0 +1,14 @@
+import { usePermission } from '@rocket.chat/ui-contexts';
+
+export type ABACTab = 'settings' | 'room-attributes' | 'rooms' | 'logs';
+
+export const ABAC_TAB_ORDER: ABACTab[] = ['settings', 'room-attributes', 'rooms', 'logs'];
+
+export const useABACTabPermissions = (): Record<ABACTab, boolean> => {
+	return {
+		'settings': usePermission('manage-abac-admin-settings'),
+		'room-attributes': usePermission('manage-abac-admin-room-attributes'),
+		'rooms': usePermission('manage-abac-admin-rooms'),
+		'logs': usePermission('view-abac-admin-audit'),
+	};
+};
@@ -68,7 +68,14 @@ export const {
 		href: '/admin/ABAC',
 		i18nLabel: 'ABAC',
 		icon: 'team-lock',
-		permissionGranted: (): boolean => hasPermission('abac-management'),
+		permissionGranted: (): boolean =>
+			hasPermission('abac-management') &&
+			hasAtLeastOnePermission([
+				'manage-abac-admin-settings',
+				'manage-abac-admin-room-attributes',
+				'manage-abac-admin-rooms',
+				'view-abac-admin-audit',
+			]),
 	},
 	{
 		href: '/admin/device-management',

diff --git a/apps/meteor/ee/server/api/abac/index.ts b/apps/meteor/ee/server/api/abac/index.ts
@@ -46,7 +46,7 @@ const abacEndpoints = API.v1
 		'abac/rooms/:rid/attributes',
 		{
 			authRequired: true,
-			permissionsRequired: ['abac-management'],
+			permissionsRequired: ['abac-management', 'manage-abac-admin-rooms'],
 			body: POSTRoomAbacAttributesBodySchema,
 			response: {
 				200: GenericSuccessSchema,
@@ -74,7 +74,7 @@ const abacEndpoints = API.v1
 		'abac/rooms/:rid/attributes',
 		{
 			authRequired: true,
-			permissionsRequired: ['abac-management'],
+			permissionsRequired: ['abac-management', 'manage-abac-admin-rooms'],
 			response: {
 				200: GenericSuccessSchema,
 				401: validateUnauthorizedErrorResponse,
@@ -97,7 +97,7 @@ const abacEndpoints = API.v1
 		'abac/rooms/:rid/attributes/:key',
 		{
 			authRequired: true,
-			permissionsRequired: ['abac-management'],
+			permissionsRequired: ['abac-management', 'manage-abac-admin-rooms'],
 			license: ['abac'],
 			body: POSTSingleRoomAbacAttributeBodySchema,
 			response: {
@@ -124,7 +124,7 @@ const abacEndpoints = API.v1
 		'abac/rooms/:rid/attributes/:key',
 		{
 			authRequired: true,
-			permissionsRequired: ['abac-management'],
+			permissionsRequired: ['abac-management', 'manage-abac-admin-rooms'],
 			body: PUTRoomAbacAttributeValuesBodySchema,
 			response: {
 				200: GenericSuccessSchema,
@@ -151,7 +151,7 @@ const abacEndpoints = API.v1
 		'abac/rooms/:rid/attributes/:key',
 		{
 			authRequired: true,
-			permissionsRequired: ['abac-management'],
+			permissionsRequired: ['abac-management', 'manage-abac-admin-rooms'],
 			response: {
 				200: GenericSuccessSchema,
 				401: validateUnauthorizedErrorResponse,
@@ -172,7 +172,7 @@ const abacEndpoints = API.v1
 		'abac/attributes',
 		{
 			authRequired: true,
-			permissionsRequired: ['abac-management'],
+			permissionsRequired: ['abac-management', 'manage-abac-admin-room-attributes'],
 			query: GETAbacAttributesQuerySchema,
 			response: {
 				200: GETAbacAttributesResponseSchema,
@@ -203,7 +203,7 @@ const abacEndpoints = API.v1
 		'abac/users/sync',
 		{
 			authRequired: true,
-			permissionsRequired: ['abac-management'],
+			permissionsRequired: ['abac-management', 'manage-abac-admin-room-attributes'],
 			license: ['abac', 'ldap-enterprise'],
 			body: POSTAbacUsersSyncBodySchema,
 			response: {
@@ -229,7 +229,7 @@ const abacEndpoints = API.v1
 		'abac/attributes',
 		{
 			authRequired: true,
-			permissionsRequired: ['abac-management'],
+			permissionsRequired: ['abac-management', 'manage-abac-admin-room-attributes'],
 			license: ['abac'],
 			body: POSTAbacAttributeDefinitionSchema,
 			response: {
@@ -253,7 +253,7 @@ const abacEndpoints = API.v1
 		'abac/attributes/:_id',
 		{
 			authRequired: true,
-			permissionsRequired: ['abac-management'],
+			permissionsRequired: ['abac-management', 'manage-abac-admin-room-attributes'],
 			license: ['abac'],
 			body: PUTAbacAttributeUpdateBodySchema,
 			response: {
@@ -278,7 +278,7 @@ const abacEndpoints = API.v1
 		'abac/attributes/:_id',
 		{
 			authRequired: true,
-			permissionsRequired: ['abac-management'],
+			permissionsRequired: ['abac-management', 'manage-abac-admin-room-attributes'],
 			response: {
 				200: GETAbacAttributeByIdResponseSchema,
 				401: validateUnauthorizedErrorResponse,
@@ -297,7 +297,7 @@ const abacEndpoints = API.v1
 		'abac/attributes/:_id',
 		{
 			authRequired: true,
-			permissionsRequired: ['abac-management'],
+			permissionsRequired: ['abac-management', 'manage-abac-admin-room-attributes'],
 			response: {
 				200: GenericSuccessSchema,
 				401: validateUnauthorizedErrorResponse,
@@ -316,7 +316,7 @@ const abacEndpoints = API.v1
 		'abac/attributes/:key/is-in-use',
 		{
 			authRequired: true,
-			permissionsRequired: ['abac-management'],
+			permissionsRequired: ['abac-management', 'manage-abac-admin-room-attributes'],
 			response: {
 				200: GETAbacAttributeIsInUseResponseSchema,
 				401: validateUnauthorizedErrorResponse,
@@ -334,7 +334,7 @@ const abacEndpoints = API.v1
 		'abac/rooms',
 		{
 			authRequired: true,
-			permissionsRequired: ['abac-management'],
+			permissionsRequired: ['abac-management', 'manage-abac-admin-rooms'],
 			response: {
 				200: GETAbacRoomsResponseValidator,
 				401: validateUnauthorizedErrorResponse,
@@ -364,7 +364,7 @@ const abacEndpoints = API.v1
 		'abac/pdp/health',
 		{
 			authRequired: true,
-			permissionsRequired: ['abac-management'],
+			permissionsRequired: ['abac-management', 'manage-abac-admin-settings'],
 			rateLimiterOptions: {
 				numRequestsAllowed: 5,
 				intervalTimeInMS: 60000,
@@ -396,7 +396,7 @@ const abacEndpoints = API.v1
 			},
 			query: GETAbacAuditEventsQuerySchema,
 			authRequired: true,
-			permissionsRequired: ['abac-management'],
+			permissionsRequired: ['abac-management', 'view-abac-admin-audit'],
 			license: ['abac', 'auditing'],
 		},
 		async function action() {

diff --git a/apps/meteor/ee/server/lib/abac/index.ts b/apps/meteor/ee/server/lib/abac/index.ts
@@ -1,7 +1,13 @@
 import { Permissions } from '@rocket.chat/models';
 
 export const createPermissions = async () => {
-	const permissions = [{ _id: 'abac-management', roles: ['admin'] }];
+	const permissions = [
+		{ _id: 'abac-management', roles: ['admin'] },
+		{ _id: 'manage-abac-admin-settings', roles: ['admin'] },
+		{ _id: 'manage-abac-admin-room-attributes', roles: ['admin'] },
+		{ _id: 'manage-abac-admin-rooms', roles: ['admin'] },
+		{ _id: 'view-abac-admin-audit', roles: ['admin'] },
+	];
 
 	for (const permission of permissions) {
 		void Permissions.create(permission._id, permission.roles);