diff --git a/client/src/graphql/generated.ts b/client/src/graphql/generated.ts
index 1e468e28..36472d22 100644
--- a/client/src/graphql/generated.ts
+++ b/client/src/graphql/generated.ts
@@ -4890,6 +4890,7 @@ export const GQLUserPermission = {
   EditMrtQueues: 'EDIT_MRT_QUEUES',
   ManageOrg: 'MANAGE_ORG',
   ManagePolicies: 'MANAGE_POLICIES',
+  ManageRoles: 'MANAGE_ROLES',
   ManuallyActionContent: 'MANUALLY_ACTION_CONTENT',
   MutateLiveRules: 'MUTATE_LIVE_RULES',
   MutateNonLiveRules: 'MUTATE_NON_LIVE_RULES',
@@ -9468,7 +9469,7 @@ export type GQLAppealSettingsQuery = {
   } | null;
   readonly me?: {
     readonly __typename: 'User';
-    readonly role?: GQLUserRole | null;
+    readonly permissions: ReadonlyArray<GQLUserPermission>;
   } | null;
 };
 
@@ -12267,7 +12268,7 @@ export type GQLManualReviewJobInfoQuery = {
   readonly me?: {
     readonly __typename: 'User';
     readonly id: string;
-    readonly role?: GQLUserRole | null;
+    readonly permissions: ReadonlyArray<GQLUserPermission>;
     readonly reviewableQueues: ReadonlyArray<{
       readonly __typename: 'ManualReviewQueue';
       readonly id: string;
@@ -31524,7 +31525,7 @@ export const GQLAppealSettingsDocument = gql`
       appealsCallbackBody
     }
     me {
-      role
+      permissions
     }
   }
 `;
@@ -33762,7 +33763,7 @@ export const GQLManualReviewJobInfoDocument = gql`
           ...JobFields
         }
       }
-      role
+      permissions
     }
   }
   ${GQLItemTypeFragmentFragmentDoc}
diff --git a/client/src/webpages/dashboard/mrt/ManualReviewAppealSettings.tsx b/client/src/webpages/dashboard/mrt/ManualReviewAppealSettings.tsx
index 39bb37bb..9fa74296 100644
--- a/client/src/webpages/dashboard/mrt/ManualReviewAppealSettings.tsx
+++ b/client/src/webpages/dashboard/mrt/ManualReviewAppealSettings.tsx
@@ -1,3 +1,4 @@
+import { userHasPermissions } from '@/routing/permissions';
 import { gql } from '@apollo/client';
 import { Input, notification } from 'antd';
 import Link from 'antd/lib/typography/Link';
@@ -10,6 +11,7 @@ import FormHeader from '../components/FormHeader';
 import FormSectionHeader from '../components/FormSectionHeader';
 
 import {
+  GQLUserPermission,
   useGQLAppealSettingsQuery,
   useGQLUpdateAppealSettingsMutation,
 } from '../../../graphql/generated';
@@ -23,7 +25,7 @@ gql`
       appealsCallbackBody
     }
     me {
-      role
+      permissions
     }
   }
 
@@ -87,6 +89,10 @@ export default function ManualReviewAppealSettings() {
     return <FullScreenLoading />;
   }
 
+  const canManageOrg = userHasPermissions(data?.me?.permissions, [
+    GQLUserPermission.ManageOrg,
+  ]);
+
   const onUpdateAppealSettings = async () =>
     updateAppealSettings({
       variables: {
@@ -169,15 +175,15 @@ export default function ManualReviewAppealSettings() {
       <CoopButton
         title="Save Settings"
         disabled={
-          data?.me?.role !== 'ADMIN' ||
+          !canManageOrg ||
           !appealsCallbackUrl ||
           !validateJSON(appealsCallbackHeaders) ||
           !validateJSON(appealsCallbackBody)
         }
         loading={updateLoading}
         disabledTooltipTitle={(() => {
-          if (data?.me?.role !== 'ADMIN') {
-            return "To edit these settings, ask your organization's admin to upgrade your role to Admin.";
+          if (!canManageOrg) {
+            return 'You do not have permission to edit appeal settings. Ask your organization administrator for access.';
           }
           if (!appealsCallbackUrl) {
             return 'The Callback URL is required.';
diff --git a/client/src/webpages/dashboard/mrt/manual_review_job/ManualReviewJobReview.tsx b/client/src/webpages/dashboard/mrt/manual_review_job/ManualReviewJobReview.tsx
index 50957421..9960da8a 100644
--- a/client/src/webpages/dashboard/mrt/manual_review_job/ManualReviewJobReview.tsx
+++ b/client/src/webpages/dashboard/mrt/manual_review_job/ManualReviewJobReview.tsx
@@ -1,28 +1,25 @@
 import Sidebar1 from '@/icons/lni/Design/sidebar-1.svg?react';
 import AngleDoubleRight from '@/icons/lni/Direction/angle-double-right.svg?react';
+import { userHasPermissions } from '@/routing/permissions';
 import { __throw } from '@/utils/misc';
 import { isNonEmptyString } from '@/utils/string';
 import { multilevelListFromFlatList } from '@/utils/tree';
-import {
-  DownOutlined,
-  EditOutlined,
-  LoadingOutlined,
-} from '@ant-design/icons';
+import { DownOutlined, EditOutlined, LoadingOutlined } from '@ant-design/icons';
 import { gql } from '@apollo/client';
 import { Button, Dropdown, Input, Select, Tooltip } from 'antd';
 import { useCallback, useContext, useEffect, useRef, useState } from 'react';
 import { Helmet } from 'react-helmet-async';
 import { useNavigate, useParams } from 'react-router-dom';
 
-import ActionParametersModal, {
-  defaultValuesForParameters,
-} from '@/components/ActionParametersModal';
-import { type ActionParameterValues } from '@/components/ActionParameterInputs';
 import ComponentLoading from '../../../../components/common/ComponentLoading';
 import CopyTextComponent from '../../../../components/common/CopyTextComponent';
 import CoopModal from '../../components/CoopModal';
 import { CoopModalFooterButtonProps } from '../../components/CoopModalFooter';
 import PolicyDropdown from '../../components/PolicyDropdown';
+import { type ActionParameterValues } from '@/components/ActionParameterInputs';
+import ActionParametersModal, {
+  defaultValuesForParameters,
+} from '@/components/ActionParametersModal';
 import Drawer from '@/components/common/Drawer';
 
 import {
@@ -38,6 +35,7 @@ import {
   GQLThreadAppealManualReviewJobPayload,
   GQLUserManualReviewJobPayload,
   GQLUserPenaltySeverity,
+  GQLUserPermission,
   useGQLDequeueManualReviewJobMutation,
   useGQLLogSkipMutation,
   useGQLManualReviewJobInfoQuery,
@@ -51,8 +49,8 @@ import { filterNullOrUndefined } from '../../../../utils/collections';
 import { getFieldValueForRole } from '../../../../utils/itemUtils';
 import { recomputeSelectedRelatedActions } from '../../../../utils/manualReviewTool';
 import HTMLRenderer from '../../policies/HTMLRenderer';
-import { JOB_FRAGMENT } from './jobFragment';
 import { ITEM_TYPE_FRAGMENT } from '../../rules/rule_form/RuleForm';
+import { JOB_FRAGMENT } from './jobFragment';
 import ManualReviewJobDequeueErrorComponent from './ManualReviewJobDequeueErrorComponent';
 import MergedReportsComponent from './MergedReportsComponent';
 import ReportInfoComponent from './ReportInfoComponent';
@@ -66,8 +64,8 @@ import {
 } from './v2/ManualReviewJobRelatedActionsStore';
 import NCMECReviewUser from './v2/ncmec/NCMECReviewUser';
 import ManualReviewJobEnqueuedRelatedActions from './v2/related_actions/ManualReviewJobEnqueuedRelatedActions';
-import { useEnqueueActionGate } from './v2/useEnqueueActionGate';
 import ManualReviewJobListOfThreadsComponent from './v2/threads/ManualReviewJobListOfThreadsComponent';
+import { useEnqueueActionGate } from './v2/useEnqueueActionGate';
 import ManualReviewJobPrimaryUserComponent from './v2/user/ManualReviewJobPrimaryUserComponent';
 
 const { Option } = Select;
@@ -76,7 +74,9 @@ const { TextArea } = Input;
 // Narrows the GraphQL union of action types to "this one declares parameter
 // inputs". Only `CustomAction` carries `parameters`; everything else is
 // treated as no-parameter.
-function actionHasParameters(action: { __typename?: string } | undefined): boolean {
+function actionHasParameters(
+  action: { __typename?: string } | undefined,
+): boolean {
   if (!action || !('parameters' in action)) return false;
   const params = (action as { parameters?: readonly unknown[] | null })
     .parameters;
@@ -161,7 +161,7 @@ gql`
           ...JobFields
         }
       }
-      role
+      permissions
     }
   }
 
@@ -630,16 +630,16 @@ function ManualReviewJobReviewImpl(props: {
   const job = closedJob
     ? closedJob
     : jobData
-    ? jobData.dequeueManualReviewJob?.job
-    : data?.me?.reviewableQueues
-        .find((queue) => queue.id === queueId)
-        ?.jobs.find((job) => job.id === jobId);
+      ? jobData.dequeueManualReviewJob?.job
+      : data?.me?.reviewableQueues
+          .find((queue) => queue.id === queueId)
+          ?.jobs.find((job) => job.id === jobId);
   const pendingJobCount = jobData?.dequeueManualReviewJob
     ? jobData.dequeueManualReviewJob.numPendingJobs
     : data?.me?.reviewableQueues
-    ? data?.me?.reviewableQueues.find((queue) => queue.id === queueId)
-        ?.pendingJobCount
-    : undefined;
+      ? data?.me?.reviewableQueues.find((queue) => queue.id === queueId)
+          ?.pendingJobCount
+      : undefined;
 
   const [logSkip] = useGQLLogSkipMutation({
     // This is safe because we check it before calling logSkip
@@ -712,14 +712,17 @@ function ManualReviewJobReviewImpl(props: {
   if (!closedJob && !queue) {
     throw Error(`Queue not found for ID ${queueId}`);
   }
-  const userIsAdmin = data.me?.role === 'ADMIN';
+  const userCanBypassSkipRestriction = userHasPermissions(
+    data.me?.permissions,
+    [GQLUserPermission.ManageOrg],
+  );
 
   const filteredActions = org.actions.filter(
     ({ id }) => !queue?.hiddenActionIds?.includes(id),
   );
   const { payload, policyIds } = job;
   const reportHistory =
-    'reportHistory' in job.payload ? job.payload.reportHistory ?? [] : [];
+    'reportHistory' in job.payload ? (job.payload.reportHistory ?? []) : [];
 
   const modal = (
     <CoopModal
@@ -797,7 +800,8 @@ function ManualReviewJobReviewImpl(props: {
   const threadItems =
     payload.__typename === 'UserManualReviewJobPayload' ||
     payload.__typename === 'ContentManualReviewJobPayload'
-      ? (payload.itemThreadContentItems as ReadonlyArray<GQLContentItem>) ?? []
+      ? ((payload.itemThreadContentItems as ReadonlyArray<GQLContentItem>) ??
+        [])
       : [];
   const policiesFromIds = (policyIds: readonly string[]) =>
     policyIds.map((policyId) => {
@@ -860,17 +864,18 @@ function ManualReviewJobReviewImpl(props: {
 
   // Builds the standard target descriptor for the reported item. Hoisted so
   // both the direct-add path and the modal Save handler use the same shape.
-  const reportedItemTarget = (): ManualReviewJobEnqueuedPrimaryActionData['target'] => ({
-    identifier: {
-      itemId: reportedItem.id,
-      itemTypeId: reportedItem.type.id,
-    },
-    displayName:
-      getFieldValueForRole<GQLSchemaFieldRoles, keyof GQLSchemaFieldRoles>(
-        reportedItem,
-        'displayName',
-      ) ?? reportedItem.id,
-  });
+  const reportedItemTarget =
+    (): ManualReviewJobEnqueuedPrimaryActionData['target'] => ({
+      identifier: {
+        itemId: reportedItem.id,
+        itemTypeId: reportedItem.type.id,
+      },
+      displayName:
+        getFieldValueForRole<GQLSchemaFieldRoles, keyof GQLSchemaFieldRoles>(
+          reportedItem,
+          'displayName',
+        ) ?? reportedItem.id,
+    });
 
   // Returns the parameter spec for a CustomAction by id, or `[]` for
   // built-ins / actions without a spec. Looks up against `decisionActions`
@@ -939,7 +944,8 @@ function ManualReviewJobReviewImpl(props: {
       className="sticky flex flex-col border border-gray-200 border-solid rounded-md shrink-0"
       data-testid="manual-review-decision-action-list"
     >
-      {decisionActions.map((action) => {
+      {decisionActions
+        .map((action) => {
           const { key, selected, label } = (() => {
             if ('type' in action) {
               return {
@@ -1201,7 +1207,8 @@ function ManualReviewJobReviewImpl(props: {
   );
 
   const skipToNextJobButton =
-    org.hideSkipButtonForNonAdmins && !userIsAdmin ? undefined : (
+    org.hideSkipButtonForNonAdmins &&
+    !userCanBypassSkipRestriction ? undefined : (
       <Button
         className="bottom-0 w-1/3 !px-2 mb-2 overflow-hidden !border-slate-200 !hover:fill-[#40a9ff] !focus:fill-[#40a9ff]"
         onClick={skipToNextJob}
@@ -1340,8 +1347,8 @@ function ManualReviewJobReviewImpl(props: {
           payload.__typename === 'UserManualReviewJobPayload'
             ? filterNullOrUndefined(payload.reportedItems ?? [])
             : payload.__typename === 'ContentManualReviewJobPayload'
-            ? [{ id: payload.item.id, typeId: payload.item.type.id }]
-            : []
+              ? [{ id: payload.item.id, typeId: payload.item.type.id }]
+              : []
         }
         otherItems={payload.itemThreadContentItems as readonly GQLContentItem[]}
         allActions={filteredActions}
@@ -1598,8 +1605,7 @@ function ManualReviewJobReviewImpl(props: {
                 onSave={(values) => {
                   if (paramsModal.mode === 'create') {
                     const action = decisionActions.find(
-                      (a) =>
-                        !('type' in a) && a.id === paramsModal.actionId,
+                      (a) => !('type' in a) && a.id === paramsModal.actionId,
                     );
                     if (action) {
                       addPrimaryAction(action, { ...values });
diff --git a/server/graphql/generated.ts b/server/graphql/generated.ts
index c570fdf3..86a1b2a9 100644
--- a/server/graphql/generated.ts
+++ b/server/graphql/generated.ts
@@ -4957,6 +4957,7 @@ export const GQLUserPermission = {
   EditMrtQueues: 'EDIT_MRT_QUEUES',
   ManageOrg: 'MANAGE_ORG',
   ManagePolicies: 'MANAGE_POLICIES',
+  ManageRoles: 'MANAGE_ROLES',
   ManuallyActionContent: 'MANUALLY_ACTION_CONTENT',
   MutateLiveRules: 'MUTATE_LIVE_RULES',
   MutateNonLiveRules: 'MUTATE_NON_LIVE_RULES',
diff --git a/server/graphql/modules/apiKey.resolver.test.ts b/server/graphql/modules/apiKey.resolver.test.ts
new file mode 100644
index 00000000..193c1f74
--- /dev/null
+++ b/server/graphql/modules/apiKey.resolver.test.ts
@@ -0,0 +1,48 @@
+import { UserPermission } from '../../services/userManagementService/index.js';
+import { Query } from './apiKey.js';
+
+describe('apiKey resolvers', () => {
+  function makeCtx(permissions: readonly UserPermission[]) {
+    const getActiveApiKeyForOrg = jest.fn(async () => ({ key: 'secret' }));
+    const ctx = {
+      getUser: () => ({
+        id: 'user-1',
+        orgId: 'org-1',
+        getPermissions: () => permissions,
+      }),
+      services: { ApiKeyService: { getActiveApiKeyForOrg } },
+    };
+    return { ctx, getActiveApiKeyForOrg };
+  }
+
+  describe('Query.apiKey', () => {
+    it('throws unauthenticatedError when caller is not authenticated', async () => {
+      const { ctx, getActiveApiKeyForOrg } = makeCtx([
+        UserPermission.MANAGE_ORG,
+      ]);
+      const unauthenticatedCtx = { ...ctx, getUser: () => null };
+      await expect(Query.apiKey({}, {}, unauthenticatedCtx)).rejects.toThrow(
+        'Authenticated user required',
+      );
+      expect(getActiveApiKeyForOrg).not.toHaveBeenCalled();
+    });
+
+    it('throws forbiddenError when caller lacks MANAGE_ORG', async () => {
+      const { ctx, getActiveApiKeyForOrg } = makeCtx([UserPermission.VIEW_MRT]);
+      await expect(Query.apiKey({}, {}, ctx)).rejects.toThrow(
+        'User does not have permission to view the org API key',
+      );
+      expect(getActiveApiKeyForOrg).not.toHaveBeenCalled();
+    });
+
+    it('returns the existence indicator when caller has MANAGE_ORG', async () => {
+      const { ctx, getActiveApiKeyForOrg } = makeCtx([
+        UserPermission.MANAGE_ORG,
+      ]);
+      await expect(Query.apiKey({}, {}, ctx)).resolves.toBe(
+        'API key exists (hidden for security)',
+      );
+      expect(getActiveApiKeyForOrg).toHaveBeenCalledWith('org-1');
+    });
+  });
+});
diff --git a/server/graphql/modules/apiKey.ts b/server/graphql/modules/apiKey.ts
index 394c8276..5ce73ae3 100644
--- a/server/graphql/modules/apiKey.ts
+++ b/server/graphql/modules/apiKey.ts
@@ -1,14 +1,17 @@
-import { ErrorType, CoopError } from '../../utils/errors.js';
+import { CoopError, ErrorType } from '../../utils/errors.js';
 import { logErrorJson } from '../../utils/logging.js';
+import { forbiddenError, unauthenticatedError } from '../utils/errors.js';
 import { gqlErrorResult, gqlSuccessResult } from '../utils/gqlResult.js';
-import { forbiddenError } from '../utils/errors.js';
 
 /** Context shape required by rotateWebhookSigningKey (avoids importing resolvers). */
 type RotateWebhookSigningKeyContext = {
-  getUser: () => {
-    orgId: string;
-    getPermissions: () => readonly string[];
-  } | null | undefined;
+  getUser: () =>
+    | {
+        orgId: string;
+        getPermissions: () => readonly string[];
+      }
+    | null
+    | undefined;
   dataSources: {
     orgAPI: { rotateWebhookSigningKey: (orgId: string) => Promise<string> };
   };
@@ -60,7 +63,7 @@ const typeDefs = /* GraphQL */ `
   }
 
   union RotateWebhookSigningKeyResponse =
-      RotateWebhookSigningKeySuccessResponse
+    | RotateWebhookSigningKeySuccessResponse
     | RotateWebhookSigningKeyError
 
   type Query {
@@ -77,10 +80,16 @@ const Query: any = {
   async apiKey(_: any, __: any, context: any) {
     const user = context.getUser();
     if (!user || !user.orgId) {
-      throw forbiddenError('User does not have permission to check if key exists');
+      throw unauthenticatedError('Authenticated user required');
+    }
+    if (!user.getPermissions().includes('MANAGE_ORG')) {
+      throw forbiddenError(
+        'User does not have permission to view the org API key',
+      );
     }
 
-    const apiKeyRecord = await context.services.ApiKeyService.getActiveApiKeyForOrg(user.orgId);
+    const apiKeyRecord =
+      await context.services.ApiKeyService.getActiveApiKeyForOrg(user.orgId);
     if (!apiKeyRecord) {
       return process.env.NODE_ENV !== 'production' ? '' : '';
     }
@@ -93,19 +102,24 @@ const Mutation: any = {
   async rotateApiKey(_: any, { input }: any, context: any) {
     const user = context.getUser();
     if (!user || !user.orgId) {
-      throw forbiddenError('User does not have permission to rotate the API key');
+      throw forbiddenError(
+        'User does not have permission to rotate the API key',
+      );
     }
     if (!user.getPermissions().includes('MANAGE_ORG')) {
-      throw forbiddenError('User does not have permission to rotate the API key');
+      throw forbiddenError(
+        'User does not have permission to rotate the API key',
+      );
     }
 
     try {
-      const { apiKey, record } = await context.services.ApiKeyService.rotateApiKey(
-        user.orgId,
-        input.name,
-        input.description || null,
-        user.id
-      );
+      const { apiKey, record } =
+        await context.services.ApiKeyService.rotateApiKey(
+          user.orgId,
+          input.name,
+          input.description || null,
+          user.id,
+        );
 
       return gqlSuccessResult(
         {
@@ -120,7 +134,7 @@ const Mutation: any = {
             createdBy: record.createdBy,
           },
         },
-        'RotateApiKeySuccessResponse'
+        'RotateApiKeySuccessResponse',
       );
     } catch (error) {
       // Resolvers do not receive a request-scoped logger; use logErrorJson for structured server-side logging.
@@ -145,10 +159,14 @@ const Mutation: any = {
   ) {
     const user = context.getUser();
     if (!user || !user.orgId) {
-      throw forbiddenError('User does not have permission to rotate the webhook signing key');
+      throw forbiddenError(
+        'User does not have permission to rotate the webhook signing key',
+      );
     }
     if (!user.getPermissions().includes('MANAGE_ORG')) {
-      throw forbiddenError('User does not have permission to rotate the webhook signing key');
+      throw forbiddenError(
+        'User does not have permission to rotate the webhook signing key',
+      );
     }
 
     try {
diff --git a/server/graphql/modules/backtest.resolver.test.ts b/server/graphql/modules/backtest.resolver.test.ts
index 4bf3b336..462096dd 100644
--- a/server/graphql/modules/backtest.resolver.test.ts
+++ b/server/graphql/modules/backtest.resolver.test.ts
@@ -1,4 +1,7 @@
-import { UserRole } from '../../services/userManagementService/index.js';
+import {
+  UserPermission,
+  UserRole,
+} from '../../services/userManagementService/index.js';
 import {
   mapBacktestRowToGqlParent,
   type GraphQLBacktestParent,
@@ -134,6 +137,10 @@ describe('backtest resolvers', () => {
           id: 'user-1',
           orgId: 'org-1',
           role: UserRole.MODERATOR,
+          getPermissions: () => [
+            UserPermission.VIEW_MRT,
+            UserPermission.VIEW_MRT_DATA,
+          ],
         }),
         services: {
           ModerationConfigService: { getRuleByIdAndOrg },
diff --git a/server/graphql/modules/backtest.ts b/server/graphql/modules/backtest.ts
index 01ad2c12..1c39aad8 100644
--- a/server/graphql/modules/backtest.ts
+++ b/server/graphql/modules/backtest.ts
@@ -1,7 +1,4 @@
-import {
-  hasPermission,
-  UserPermission,
-} from '../../services/userManagementService/index.js';
+import { UserPermission } from '../../services/userManagementService/index.js';
 import { type RuleExecutionResult } from '../datasources/RuleApi.js';
 import { type GraphQLBacktestParent } from '../datasources/ruleKyselyPersistence.js';
 import { type GQLMutationCreateBacktestArgs } from '../generated.js';
@@ -116,7 +113,7 @@ const resolvers = {
       if (user == null) {
         throw unauthenticatedError('Authenticated user required');
       }
-      if (!hasPermission(UserPermission.RUN_BACKTEST, user.role)) {
+      if (!user.getPermissions().includes(UserPermission.RUN_BACKTEST)) {
         throw forbiddenError('User not authorized to create backtests.');
       }
 
diff --git a/server/graphql/modules/integration.resolver.test.ts b/server/graphql/modules/integration.resolver.test.ts
new file mode 100644
index 00000000..4fda545c
--- /dev/null
+++ b/server/graphql/modules/integration.resolver.test.ts
@@ -0,0 +1,86 @@
+import { UserPermission } from '../../services/userManagementService/index.js';
+import { resolvers } from './integration.js';
+
+// The MANAGE_ORG check fires before any data-source or integration-registry
+// lookup, so these tests exercise the forbidden path with a minimal mock ctx
+// that never gets reached for the underlying API calls.
+
+describe('integration resolvers', () => {
+  function makeCtx(permissions: readonly UserPermission[]) {
+    const getConfigWithMetadata = jest.fn();
+    const setConfig = jest.fn();
+    const setConfigByIntegrationId = jest.fn();
+    const ctx = {
+      getUser: () => ({
+        id: 'user-1',
+        orgId: 'org-1',
+        getPermissions: () => permissions,
+      }),
+      dataSources: {
+        integrationAPI: {
+          getConfigWithMetadata,
+          setConfig,
+          setConfigByIntegrationId,
+        },
+      },
+    };
+    return { ctx, getConfigWithMetadata, setConfig, setConfigByIntegrationId };
+  }
+
+  it('Query.integrationConfig throws forbiddenError when caller lacks MANAGE_ORG', async () => {
+    const { ctx, getConfigWithMetadata } = makeCtx([UserPermission.VIEW_MRT]);
+    const Query = resolvers.Query as {
+      integrationConfig: (
+        parent: unknown,
+        args: { name: string },
+        ctx: unknown,
+      ) => Promise<unknown>;
+    };
+    await expect(
+      Query.integrationConfig({}, { name: 'OPEN_AI' }, ctx),
+    ).rejects.toThrow(
+      'User does not have permission to view integration configs',
+    );
+    expect(getConfigWithMetadata).not.toHaveBeenCalled();
+  });
+
+  it('Mutation.setIntegrationConfig throws forbiddenError when caller lacks MANAGE_ORG', async () => {
+    const { ctx, setConfig } = makeCtx([UserPermission.VIEW_MRT]);
+    const Mutation = resolvers.Mutation as {
+      setIntegrationConfig: (
+        parent: unknown,
+        args: { input: unknown },
+        ctx: unknown,
+      ) => Promise<unknown>;
+    };
+    await expect(
+      Mutation.setIntegrationConfig({}, { input: {} }, ctx),
+    ).rejects.toThrow(
+      'User does not have permission to update integration configs',
+    );
+    expect(setConfig).not.toHaveBeenCalled();
+  });
+
+  it('Mutation.setPluginIntegrationConfig throws forbiddenError when caller lacks MANAGE_ORG', async () => {
+    const { ctx, setConfigByIntegrationId } = makeCtx([
+      UserPermission.VIEW_MRT,
+    ]);
+    const Mutation = resolvers.Mutation as {
+      setPluginIntegrationConfig: (
+        parent: unknown,
+        args: { input: { integrationId: string; credential: unknown } },
+        ctx: unknown,
+      ) => Promise<unknown>;
+    };
+    await expect(
+      Mutation.setPluginIntegrationConfig(
+        {},
+        { input: { integrationId: 'fake', credential: {} } },
+        ctx,
+      ),
+    ).rejects.toThrow(
+      'User does not have permission to update integration configs',
+    );
+    expect(setConfigByIntegrationId).not.toHaveBeenCalled();
+  });
+});
diff --git a/server/graphql/modules/integration.ts b/server/graphql/modules/integration.ts
index 71ceced3..d7b1958f 100644
--- a/server/graphql/modules/integration.ts
+++ b/server/graphql/modules/integration.ts
@@ -11,7 +11,7 @@ import {
   type GQLQueryResolvers,
 } from '../generated.js';
 import { type ResolverMap } from '../resolvers.js';
-import { unauthenticatedError } from '../utils/errors.js';
+import { forbiddenError, unauthenticatedError } from '../utils/errors.js';
 import { gqlErrorResult, gqlSuccessResult } from '../utils/gqlResult.js';
 
 const typeDefs = /* GraphQL */ `
@@ -221,6 +221,11 @@ const Query: GQLQueryResolvers = {
       if (user == null) {
         throw unauthenticatedError('Unauthenticated User');
       }
+      if (!user.getPermissions().includes('MANAGE_ORG')) {
+        throw forbiddenError(
+          'User does not have permission to view integration configs',
+        );
+      }
 
       if (!getIntegrationRegistry().has(name)) {
         throw makeIntegrationConfigUnsupportedIntegrationError({
@@ -270,6 +275,11 @@ const Mutation: GQLMutationResolvers = {
       if (user == null) {
         throw unauthenticatedError('Unauthenticated User');
       }
+      if (!user.getPermissions().includes('MANAGE_ORG')) {
+        throw forbiddenError(
+          'User does not have permission to update integration configs',
+        );
+      }
       const newConfig = await context.dataSources.integrationAPI.setConfig(
         params.input,
         user.orgId,
@@ -299,6 +309,11 @@ const Mutation: GQLMutationResolvers = {
       if (user == null) {
         throw unauthenticatedError('Unauthenticated User');
       }
+      if (!user.getPermissions().includes('MANAGE_ORG')) {
+        throw forbiddenError(
+          'User does not have permission to update integration configs',
+        );
+      }
       const newConfig =
         await context.dataSources.integrationAPI.setConfigByIntegrationId(
           params.input.integrationId,
diff --git a/server/graphql/modules/manualReviewTool.ts b/server/graphql/modules/manualReviewTool.ts
index 9660da2a..dd9b853e 100644
--- a/server/graphql/modules/manualReviewTool.ts
+++ b/server/graphql/modules/manualReviewTool.ts
@@ -3,10 +3,7 @@ import _ from 'lodash';
 
 import { itemSubmissionWithTypeIdentifierToItemSubmission } from '../../services/itemProcessingService/index.js';
 import { NCMECIncidentType as NCMECIncidentTypeValues } from '../../services/ncmecService/index.js';
-import {
-  getPermissionsForRole,
-  UserPermission,
-} from '../../services/userManagementService/index.js';
+import { UserPermission } from '../../services/userManagementService/index.js';
 import {
   asyncIterableToArray,
   filterNullOrUndefined,
@@ -2411,7 +2408,7 @@ const Mutation: GQLMutationResolvers = {
       await context.services.ManualReviewToolService.deleteAllJobsFromQueue({
         orgId: user.orgId,
         queueId: params.queueId,
-        userPermissions: getPermissionsForRole(user.role),
+        userPermissions: user.getPermissions(),
       });
       return gqlSuccessResult(
         { _: true },
diff --git a/server/graphql/modules/org.resolver.test.ts b/server/graphql/modules/org.resolver.test.ts
index 45e6c052..929cf1fc 100644
--- a/server/graphql/modules/org.resolver.test.ts
+++ b/server/graphql/modules/org.resolver.test.ts
@@ -1,5 +1,6 @@
 import { type Action } from '../../services/moderationConfigService/index.js';
-import { resolveOrgActions } from './org.js';
+import { UserPermission } from '../../services/userManagementService/index.js';
+import { resolveOrgActions, resolvers } from './org.js';
 
 function makeAction(
   id: string,
@@ -101,4 +102,100 @@ describe('Org resolvers', () => {
       expect(hasNCMECReportingEnabled).not.toHaveBeenCalled();
     });
   });
+
+  describe('Org sensitive field resolvers require MANAGE_ORG', () => {
+    function makeCtx(opts: {
+      orgId: string;
+      permissions: readonly UserPermission[];
+      callerOrgId?: string;
+    }) {
+      const getActivatedApiKeyForOrg = jest.fn(async () => ({
+        key: 'api-key-secret',
+      }));
+      const getPublicSigningKeyPem = jest.fn(async () => 'PEM_BODY');
+      const getAllIntegrationConfigs = jest.fn(async () => []);
+      const ctx = {
+        getUser: () => ({
+          id: 'user-1',
+          orgId: opts.callerOrgId ?? opts.orgId,
+          getPermissions: () => opts.permissions,
+        }),
+        dataSources: {
+          orgAPI: { getActivatedApiKeyForOrg, getPublicSigningKeyPem },
+          integrationAPI: { getAllIntegrationConfigs },
+        },
+      };
+      return {
+        ctx,
+        getActivatedApiKeyForOrg,
+        getPublicSigningKeyPem,
+        getAllIntegrationConfigs,
+      };
+    }
+
+    const orgParent = { id: 'org-1' };
+    const Org = resolvers.Org as Record<
+      'apiKey' | 'publicSigningKey' | 'integrationConfigs',
+      (
+        parent: typeof orgParent,
+        args: unknown,
+        ctx: unknown,
+      ) => Promise<unknown>
+    >;
+
+    it('Org.apiKey throws forbiddenError when caller lacks MANAGE_ORG', async () => {
+      const { ctx, getActivatedApiKeyForOrg } = makeCtx({
+        orgId: 'org-1',
+        permissions: [UserPermission.VIEW_MRT],
+      });
+      await expect(Org.apiKey(orgParent, {}, ctx)).rejects.toThrow(
+        'User does not have permission to view the org API key',
+      );
+      expect(getActivatedApiKeyForOrg).not.toHaveBeenCalled();
+    });
+
+    it('Org.apiKey returns the key when caller has MANAGE_ORG', async () => {
+      const { ctx, getActivatedApiKeyForOrg } = makeCtx({
+        orgId: 'org-1',
+        permissions: [UserPermission.MANAGE_ORG],
+      });
+      await expect(Org.apiKey(orgParent, {}, ctx)).resolves.toBe(
+        'api-key-secret',
+      );
+      expect(getActivatedApiKeyForOrg).toHaveBeenCalledWith('org-1');
+    });
+
+    it('Org.publicSigningKey throws forbiddenError when caller lacks MANAGE_ORG', async () => {
+      const { ctx, getPublicSigningKeyPem } = makeCtx({
+        orgId: 'org-1',
+        permissions: [UserPermission.VIEW_MRT],
+      });
+      await expect(Org.publicSigningKey(orgParent, {}, ctx)).rejects.toThrow(
+        'User does not have permission to view the webhook signing key',
+      );
+      expect(getPublicSigningKeyPem).not.toHaveBeenCalled();
+    });
+
+    it('Org.integrationConfigs throws forbiddenError when caller lacks MANAGE_ORG', async () => {
+      const { ctx, getAllIntegrationConfigs } = makeCtx({
+        orgId: 'org-1',
+        permissions: [UserPermission.VIEW_MRT],
+      });
+      await expect(Org.integrationConfigs(orgParent, {}, ctx)).rejects.toThrow(
+        'User does not have permission to view integration configs',
+      );
+      expect(getAllIntegrationConfigs).not.toHaveBeenCalled();
+    });
+
+    it('Org.apiKey still throws unauthenticatedError when caller is in a different org (IDOR guard runs first)', async () => {
+      const { ctx } = makeCtx({
+        orgId: 'org-1',
+        callerOrgId: 'other-org',
+        permissions: [UserPermission.MANAGE_ORG],
+      });
+      await expect(Org.apiKey(orgParent, {}, ctx)).rejects.toThrow(
+        'User required.',
+      );
+    });
+  });
 });
diff --git a/server/graphql/modules/org.ts b/server/graphql/modules/org.ts
index 055905ea..5884b65a 100644
--- a/server/graphql/modules/org.ts
+++ b/server/graphql/modules/org.ts
@@ -349,6 +349,11 @@ const Org: GQLOrgResolvers = {
     if (!user || user.orgId !== org.id) {
       throw unauthenticatedError('User required.');
     }
+    if (!user.getPermissions().includes('MANAGE_ORG')) {
+      throw forbiddenError(
+        'User does not have permission to view the org API key',
+      );
+    }
     const apiKey = await context.dataSources.orgAPI.getActivatedApiKeyForOrg(
       org.id,
     );
@@ -368,6 +373,11 @@ const Org: GQLOrgResolvers = {
     if (!user || user.orgId !== org.id) {
       throw unauthenticatedError('User required.');
     }
+    if (!user.getPermissions().includes('MANAGE_ORG')) {
+      throw forbiddenError(
+        'User does not have permission to view integration configs',
+      );
+    }
 
     return context.dataSources.integrationAPI.getAllIntegrationConfigs(
       org.id,
@@ -438,6 +448,11 @@ const Org: GQLOrgResolvers = {
     if (!user || user.orgId !== org.id) {
       throw unauthenticatedError('User required.');
     }
+    if (!user.getPermissions().includes('MANAGE_ORG')) {
+      throw forbiddenError(
+        'User does not have permission to view the webhook signing key',
+      );
+    }
     return context.dataSources.orgAPI.getPublicSigningKeyPem(org.id);
   },
   async hasNCMECReportingEnabled(org, _, context) {
@@ -592,7 +607,9 @@ const Org: GQLOrgResolvers = {
       throw unauthenticatedError('Authenticated user required');
     }
     if (!user.getPermissions().includes('MANAGE_ORG')) {
-      throw forbiddenError('User does not have permission to view org safety settings');
+      throw forbiddenError(
+        'User does not have permission to view org safety settings',
+      );
     }
     const orgDefaults =
       await context.services.UserManagementService.getOrgDefaultUserInterfaceSettings(
@@ -730,7 +747,9 @@ const Mutation: GQLMutationResolvers = {
       throw unauthenticatedError('User required.');
     }
     if (!user.getPermissions().includes('MANAGE_ORG')) {
-      throw forbiddenError('User does not have permission to update org safety settings');
+      throw forbiddenError(
+        'User does not have permission to update org safety settings',
+      );
     }
     await context.services.UserManagementService.upsertOrgDefaultUserInterfaceSettings(
       {
@@ -772,7 +791,9 @@ const Mutation: GQLMutationResolvers = {
     }
 
     if (!user.getPermissions().includes('MANAGE_ORG')) {
-      throw forbiddenError('User does not have permission to manage SSO settings');
+      throw forbiddenError(
+        'User does not have permission to manage SSO settings',
+      );
     }
 
     return context.services.OrgSettingsService.updateSamlSettings({
diff --git a/server/graphql/modules/retroaction.resolver.test.ts b/server/graphql/modules/retroaction.resolver.test.ts
index b829aa54..d3faa5d7 100644
--- a/server/graphql/modules/retroaction.resolver.test.ts
+++ b/server/graphql/modules/retroaction.resolver.test.ts
@@ -1,4 +1,7 @@
-import { UserRole } from '../../services/userManagementService/index.js';
+import {
+  UserPermission,
+  UserRole,
+} from '../../services/userManagementService/index.js';
 import { resolvers } from './retroaction.js';
 
 describe('retroaction resolvers', () => {
@@ -12,6 +15,10 @@ describe('retroaction resolvers', () => {
           id: 'user-1',
           orgId: 'org-1',
           role: UserRole.MODERATOR,
+          getPermissions: () => [
+            UserPermission.VIEW_MRT,
+            UserPermission.VIEW_MRT_DATA,
+          ],
         }),
         services: {
           ModerationConfigService: { getRuleByIdAndOrg },
diff --git a/server/graphql/modules/retroaction.ts b/server/graphql/modules/retroaction.ts
index 085f08b2..bd018864 100644
--- a/server/graphql/modules/retroaction.ts
+++ b/server/graphql/modules/retroaction.ts
@@ -1,7 +1,4 @@
-import {
-  hasPermission,
-  UserPermission,
-} from '../../services/userManagementService/index.js';
+import { UserPermission } from '../../services/userManagementService/index.js';
 import { type GQLMutationRunRetroactionArgs } from '../generated.js';
 import { type Context } from '../resolvers.js';
 import { forbiddenError, unauthenticatedError } from '../utils/errors.js';
@@ -43,7 +40,7 @@ const resolvers = {
       if (user == null) {
         throw unauthenticatedError('Authenticated user required');
       }
-      if (!hasPermission(UserPermission.RUN_RETROACTION, user.role)) {
+      if (!user.getPermissions().includes(UserPermission.RUN_RETROACTION)) {
         throw forbiddenError('User not authorized to run retroaction.');
       }
 
diff --git a/server/graphql/modules/routingRule.ts b/server/graphql/modules/routingRule.ts
index dc31c3a9..f64eca2a 100644
--- a/server/graphql/modules/routingRule.ts
+++ b/server/graphql/modules/routingRule.ts
@@ -1,7 +1,4 @@
-import {
-  hasPermission,
-  UserPermission,
-} from '../../services/userManagementService/index.js';
+import { UserPermission } from '../../services/userManagementService/index.js';
 import { isCoopErrorOfType } from '../../utils/errors.js';
 import {
   isNonEmptyArray,
@@ -127,10 +124,9 @@ const RoutingRule: GQLRoutingRuleResolvers = {
       throw unauthenticatedError('User required');
     }
 
-    const userCanEditMRTQueues = hasPermission(
-      UserPermission.EDIT_MRT_QUEUES,
-      user.role,
-    );
+    const userCanEditMRTQueues = user
+      .getPermissions()
+      .includes(UserPermission.EDIT_MRT_QUEUES);
 
     const queueSelector = {
       orgId: user.orgId,
diff --git a/server/graphql/modules/user.resolver.test.ts b/server/graphql/modules/user.resolver.test.ts
new file mode 100644
index 00000000..92f172f2
--- /dev/null
+++ b/server/graphql/modules/user.resolver.test.ts
@@ -0,0 +1,159 @@
+import jwt from 'jsonwebtoken';
+
+import { UserPermission } from '../../services/userManagementService/index.js';
+import { resolvers } from './user.js';
+
+describe('user resolvers', () => {
+  describe('Mutation.deleteUser', () => {
+    function makeCtx(permissions: readonly UserPermission[]) {
+      const deleteUser = jest.fn(async () => true);
+      const ctx = {
+        getUser: () => ({
+          id: 'admin-1',
+          orgId: 'org-1',
+          getPermissions: () => permissions,
+        }),
+        dataSources: { userAPI: { deleteUser } },
+      };
+      return { ctx, deleteUser };
+    }
+
+    const Mutation = resolvers.Mutation as {
+      deleteUser: (
+        parent: unknown,
+        args: { id: string },
+        ctx: unknown,
+      ) => Promise<unknown>;
+    };
+
+    it('throws forbiddenError when caller lacks MANAGE_ORG', async () => {
+      const { ctx, deleteUser } = makeCtx([
+        UserPermission.VIEW_MRT,
+        UserPermission.VIEW_MRT_DATA,
+      ]);
+      await expect(
+        Mutation.deleteUser({}, { id: 'victim-1' }, ctx),
+      ).rejects.toThrow('User does not have permission to delete users');
+      expect(deleteUser).not.toHaveBeenCalled();
+    });
+
+    it('delegates to userAPI.deleteUser when caller has MANAGE_ORG', async () => {
+      const { ctx, deleteUser } = makeCtx([UserPermission.MANAGE_ORG]);
+      await expect(
+        Mutation.deleteUser({}, { id: 'victim-1' }, ctx),
+      ).resolves.toBe(true);
+      expect(deleteUser).toHaveBeenCalledWith({
+        id: 'victim-1',
+        orgId: 'org-1',
+      });
+    });
+  });
+
+  describe('User.readMeJWT does not leak org secrets to non-admins', () => {
+    const TEST_JWT_SECRET = 'test-readme-jwt-secret';
+    let originalSecret: string | undefined;
+
+    beforeAll(() => {
+      originalSecret = process.env.READ_ME_JWT_SECRET;
+      process.env.READ_ME_JWT_SECRET = TEST_JWT_SECRET;
+    });
+    afterAll(() => {
+      if (originalSecret == null) {
+        delete process.env.READ_ME_JWT_SECRET;
+      } else {
+        process.env.READ_ME_JWT_SECRET = originalSecret;
+      }
+    });
+
+    function makeReadMeCtx(permissions: readonly UserPermission[]) {
+      const getActivatedApiKeyForOrg = jest.fn(async () => ({
+        key: 'org-api-key-SHOULD-NEVER-LEAK',
+      }));
+      const getPublicSigningKeyPem = jest.fn(async () => 'SIGNING_KEY_PEM');
+      const ctx = {
+        getUser: () => ({
+          id: 'user-1',
+          orgId: 'org-1',
+          getPermissions: () => permissions,
+        }),
+        dataSources: {
+          orgAPI: { getActivatedApiKeyForOrg, getPublicSigningKeyPem },
+        },
+      };
+      return { ctx, getActivatedApiKeyForOrg, getPublicSigningKeyPem };
+    }
+
+    const userParent = {
+      id: 'user-1',
+      orgId: 'org-1',
+      email: 't@example.com',
+      firstName: 'Test',
+      lastName: 'User',
+    };
+
+    const User = resolvers.User as {
+      readMeJWT: (
+        parent: typeof userParent,
+        args: unknown,
+        ctx: unknown,
+      ) => Promise<string | null>;
+    };
+
+    // Narrow the resolver's `Promise<string | null>` to a string and decode
+    // the JWT in one place so individual tests stay focused on the assertions
+    // that matter to them. Throws (and fails the test) if the resolver
+    // unexpectedly returns null or jwt.verify yields a string payload.
+    async function decodeReadMeJWT(
+      token: string | null,
+    ): Promise<jwt.JwtPayload> {
+      expect(token).not.toBeNull();
+      if (token == null) {
+        throw new Error('readMeJWT returned null');
+      }
+      const decoded = jwt.verify(token, TEST_JWT_SECRET);
+      if (typeof decoded === 'string') {
+        throw new Error('readMeJWT decoded to a string payload');
+      }
+      return decoded;
+    }
+
+    it('returns a JWT with null apiKey/publicSigningKey for non-MANAGE_ORG callers', async () => {
+      const { ctx, getActivatedApiKeyForOrg, getPublicSigningKeyPem } =
+        makeReadMeCtx([UserPermission.VIEW_MRT]);
+      const payload = await decodeReadMeJWT(
+        await User.readMeJWT(userParent, {}, ctx),
+      );
+      expect(payload.apiKey).toBeNull();
+      expect(payload.publicSigningKey).toBeNull();
+      expect(payload.email).toBe('t@example.com');
+      // The data sources should never be hit when the caller has no claim
+      // to the org secrets — protects against perf-cost amplification too.
+      expect(getActivatedApiKeyForOrg).not.toHaveBeenCalled();
+      expect(getPublicSigningKeyPem).not.toHaveBeenCalled();
+    });
+
+    it('embeds org secrets in the JWT for MANAGE_ORG callers', async () => {
+      const { ctx, getActivatedApiKeyForOrg, getPublicSigningKeyPem } =
+        makeReadMeCtx([UserPermission.MANAGE_ORG]);
+      const payload = await decodeReadMeJWT(
+        await User.readMeJWT(userParent, {}, ctx),
+      );
+      expect(payload.apiKey).toBe('org-api-key-SHOULD-NEVER-LEAK');
+      expect(payload.publicSigningKey).toBe('SIGNING_KEY_PEM');
+      expect(getActivatedApiKeyForOrg).toHaveBeenCalledWith('org-1');
+      expect(getPublicSigningKeyPem).toHaveBeenCalledWith('org-1');
+    });
+
+    it('returns null and skips the orgAPI when the parent user does not match the authenticated user', async () => {
+      // The identity guard must short-circuit before any secret lookup —
+      // otherwise a privileged user could query readMeJWT against another
+      // user's parent and surface their org secrets in the resulting JWT.
+      const { ctx, getActivatedApiKeyForOrg, getPublicSigningKeyPem } =
+        makeReadMeCtx([UserPermission.MANAGE_ORG]);
+      const otherUser = { ...userParent, id: 'different-user' };
+      await expect(User.readMeJWT(otherUser, {}, ctx)).resolves.toBeNull();
+      expect(getActivatedApiKeyForOrg).not.toHaveBeenCalled();
+      expect(getPublicSigningKeyPem).not.toHaveBeenCalled();
+    });
+  });
+});
diff --git a/server/graphql/modules/user.ts b/server/graphql/modules/user.ts
index 8a6ee093..005a7500 100644
--- a/server/graphql/modules/user.ts
+++ b/server/graphql/modules/user.ts
@@ -7,9 +7,8 @@ import {
   type GQLQueryResolvers,
   type GQLUserResolvers,
 } from '../generated.js';
-import { gqlSuccessResult } from '../utils/gqlResult.js';
-
 import { forbiddenError, unauthenticatedError } from '../utils/errors.js';
+import { gqlSuccessResult } from '../utils/gqlResult.js';
 
 const typeDefs = /* GraphQL */ `
   enum UserRole {
@@ -37,6 +36,7 @@ const typeDefs = /* GraphQL */ `
     MANAGE_POLICIES
     VIEW_INVESTIGATION
     VIEW_RULES_DASHBOARD
+    MANAGE_ROLES
   }
 
   enum UserPenaltySeverity {
@@ -135,7 +135,7 @@ const typeDefs = /* GraphQL */ `
   }
 
   union ChangePasswordResponse =
-      ChangePasswordSuccessResponse
+    | ChangePasswordSuccessResponse
     | ChangePasswordError
 
   type Mutation {
@@ -217,6 +217,9 @@ const Mutation: GQLMutationResolvers = {
     if (user == null) {
       throw unauthenticatedError('Authenticated user required');
     }
+    if (!user.getPermissions().includes('MANAGE_ORG')) {
+      throw forbiddenError('User does not have permission to delete users');
+    }
 
     return context.dataSources.userAPI.deleteUser({
       id: params.id,
@@ -348,11 +351,25 @@ const User: GQLUserResolvers = {
 
       const { email, firstName, lastName, orgId } = user;
       const name = `${firstName} ${lastName}`;
-      const [apiKeyRes, publicSigningKey] = await Promise.all([
-        dataSources.orgAPI.getActivatedApiKeyForOrg(orgId),
-        dataSources.orgAPI.getPublicSigningKeyPem(orgId),
-      ]);
-      const apiKey = apiKeyRes === false ? null : apiKeyRes.key;
+
+      // The ReadMe JWT can include the org's API key and webhook signing key
+      // so docs can prefill them — but only for users who are already
+      // entitled to see those secrets via the normal MANAGE_ORG-gated
+      // surfaces. Otherwise, decoding the JWT would leak org secrets to any
+      // authenticated user.
+      const canSeeOrgSecrets = authedUser
+        .getPermissions()
+        .includes('MANAGE_ORG');
+      let apiKey: string | null = null;
+      let publicSigningKey: string | null = null;
+      if (canSeeOrgSecrets) {
+        const [apiKeyRes, signingKey] = await Promise.all([
+          dataSources.orgAPI.getActivatedApiKeyForOrg(orgId),
+          dataSources.orgAPI.getPublicSigningKeyPem(orgId),
+        ]);
+        apiKey = apiKeyRes === false ? null : apiKeyRes.key;
+        publicSigningKey = signingKey;
+      }
 
       return jwt.sign(
         { name, email, apiKey, publicSigningKey },
diff --git a/server/services/userManagementService/index.ts b/server/services/userManagementService/index.ts
index 7b52fe5a..ebfcaa88 100644
--- a/server/services/userManagementService/index.ts
+++ b/server/services/userManagementService/index.ts
@@ -10,5 +10,4 @@ export {
   UserPermissionsForRole,
   UserRole,
   getPermissionsForRole,
-  hasPermission,
 } from './permissioning.js';
diff --git a/server/services/userManagementService/permissioning.test.ts b/server/services/userManagementService/permissioning.test.ts
new file mode 100644
index 00000000..557a3e04
--- /dev/null
+++ b/server/services/userManagementService/permissioning.test.ts
@@ -0,0 +1,70 @@
+import {
+  getPermissionsForRole,
+  UserPermission,
+  UserPermissionsForRole,
+  UserRole,
+} from './permissioning.js';
+
+describe('permissioning', () => {
+  describe('MANAGE_ROLES', () => {
+    it('is included in ADMIN by default (so ADMIN can edit roles in v1.0)', () => {
+      expect(getPermissionsForRole(UserRole.ADMIN)).toContain(
+        UserPermission.MANAGE_ROLES,
+      );
+    });
+
+    it.each([
+      UserRole.RULES_MANAGER,
+      UserRole.ANALYST,
+      UserRole.MODERATOR_MANAGER,
+      UserRole.MODERATOR,
+      UserRole.CHILD_SAFETY_MODERATOR,
+      UserRole.EXTERNAL_MODERATOR,
+    ])(
+      'is NOT granted to %s by default — non-admins must not edit role permissions until granular permissions land',
+      (role) => {
+        expect(getPermissionsForRole(role)).not.toContain(
+          UserPermission.MANAGE_ROLES,
+        );
+      },
+    );
+  });
+
+  describe('UserPermissionsForRole seed map', () => {
+    it('has an entry for every UserRole', () => {
+      for (const role of Object.values(UserRole)) {
+        expect(UserPermissionsForRole.has(role)).toBe(true);
+      }
+    });
+
+    it('grants ADMIN every UserPermission (used as the upper bound for v1.0)', () => {
+      const adminPermissions = new Set(getPermissionsForRole(UserRole.ADMIN));
+      for (const permission of Object.values(UserPermission)) {
+        expect(adminPermissions.has(permission)).toBe(true);
+      }
+    });
+  });
+
+  describe('getPermissionsForRole', () => {
+    it('returns an empty array for an unknown role rather than throwing', () => {
+      expect(getPermissionsForRole('NOT_A_ROLE')).toEqual([]);
+    });
+
+    it('returns a fresh array on every call so the canonical seed cannot be corrupted', () => {
+      const first = getPermissionsForRole(UserRole.ADMIN);
+      const second = getPermissionsForRole(UserRole.ADMIN);
+      // Different array references prove callers can't share state — even
+      // if a caller hands the array off to code that mutates it, the next
+      // call will get a fresh copy and authz won't drift across requests.
+      expect(first).not.toBe(second);
+      expect(first).toEqual(second);
+
+      // Also assert the resolver can't accidentally hand back the seed
+      // map's literal value: the seed is a Map, and the inner array is the
+      // value stored under UserRole.ADMIN. We cannot reach into that Map
+      // from here without breaking encapsulation, but the reference check
+      // above is sufficient to guarantee the spread happens on every call.
+      expect(first).toContain(UserPermission.MANAGE_ROLES);
+    });
+  });
+});
diff --git a/server/services/userManagementService/permissioning.ts b/server/services/userManagementService/permissioning.ts
index 176f04b5..966dc566 100644
--- a/server/services/userManagementService/permissioning.ts
+++ b/server/services/userManagementService/permissioning.ts
@@ -48,6 +48,10 @@ export enum UserPermission {
   // Allows users to use Investigation tool
   VIEW_INVESTIGATION = 'VIEW_INVESTIGATION',
   VIEW_RULES_DASHBOARD = 'VIEW_RULES_DASHBOARD',
+  // Allows a user to view, rename, and edit role permissions in their org.
+  // Granted to ADMIN by default; carved out as a separate capability so role
+  // editing can be delegated without granting full MANAGE_ORG (see issue #406).
+  MANAGE_ROLES = 'MANAGE_ROLES',
 }
 
 const UserRoles = [
@@ -79,7 +83,14 @@ export const UserRole = makeEnumLike(UserRoles);
 export type UserRole = keyof typeof UserRole;
 
 /**
- * Maps UserRoles to all the UserPermissions that each Role has
+ * Maps UserRoles to all the UserPermissions that each Role has.
+ *
+ * This map is the canonical seed for a user's permissions and is consumed by
+ * `getPermissionsForRole` in the persistence layer when building the
+ * `getPermissions()` accessor on a user. **Do not branch on a role string**
+ * elsewhere in the codebase — capability checks must go through
+ * `user.getPermissions().includes(...)` so that future per-org role editing
+ * (issue #406) Just Works without further refactors.
  */
 export const UserPermissionsForRole = new Map<UserRole, UserPermission[]>([
   [UserRole.ADMIN, Object.values(UserPermission)],
@@ -146,11 +157,16 @@ export const UserPermissionsForRole = new Map<UserRole, UserPermission[]>([
   [UserRole.EXTERNAL_MODERATOR, [UserPermission.VIEW_MRT]],
 ]);
 
-// all defined.
-export function hasPermission(permission: UserPermission, role: UserRole) {
-  return getPermissionsForRole(role).includes(permission);
-}
-
-export function getPermissionsForRole(role: UserRole) {
-  return UserPermissionsForRole.get(role) ?? [];
+/**
+ * Resolves the permission set for a role from {@link UserPermissionsForRole}.
+ * Persistence-layer only — resolvers must use `user.getPermissions()`.
+ *
+ * Accepts any string (the persistence layer reads `role` from a varchar
+ * column that may surface legacy values) and returns a fresh array on every
+ * call so callers can't mutate the canonical seed; unknown roles resolve to
+ * `[]` so authz fails closed without crashing the request.
+ */
+export function getPermissionsForRole(role: string): UserPermission[] {
+  const seed = UserPermissionsForRole.get(role);
+  return seed ? [...seed] : [];
 }