diff --git a/README.md b/README.md
index 3cbaaa3..96c629c 100644
--- a/README.md
+++ b/README.md
@@ -71,6 +71,36 @@ localazy: {
   },
 ```
 
+## 🔐 Access control (RBAC)
+
+The plugin registers four Strapi permission actions, all visible under
+**Settings → Administration Panel → Roles → Plugins → Localazy** (grouped
+by `General` and `Settings` sub-categories):
+
+| Action                                                              | Unlocks                                                                                                                                                                                                                                                                               |
+| ------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `Localazy → Read` (`plugin::localazy.read`)                         | Localazy menu link, Overview, Activity Logs (list + detail), Content-Manager side panel & Localazy status column, read endpoints (identity, project, models, plugin settings, **content-transfer-setup**, sync cursor, activity logs, troubleshooting bundle, entry-exclusion state). |
+| `Localazy → Transfer` (`plugin::localazy.transfer`)                 | Upload, Download, Entry Exclusion mutations (incl. Content-Manager bulk actions), Activity Log session clearing. Reading the content-transfer-setup is bundled under `Read` above so transfer-only roles can still open the Upload/Download pages.                                    |
+| `Localazy → Settings → Read` (`plugin::localazy.settings.read`)     | Adds the Localazy Settings menu links (Global Settings, Content Transfer Setup) to the admin sidebar. Form controls render read-only — Save, Cancel, the Content Transfer Setup tree, and the webhook setup buttons are disabled without `Settings → Update`.                         |
+| `Localazy → Settings → Update` (`plugin::localazy.settings.update`) | **Connecting / disconnecting the Localazy account**, webhook setup, updating Content Transfer Setup, and updating Global Settings.                                                                                                                                                    |
+
+> **Note:** the **Webhook author** picker in _Localazy Settings → Global
+> Settings_ populates from Strapi's core `/admin/users` endpoint, which is
+> gated by Strapi's own `admin::users.read` permission — independent of the
+> plugin's actions. A role with only the plugin's `Settings → Read` will
+> still see the rest of the page; the author dropdown silently falls back
+> to an empty list.
+
+Server is the enforcement perimeter — all admin-typed plugin routes are
+gated by `admin::hasPermissions`, so UI gates are convenience only.
+
+### Upgrade note
+
+Strapi grants new actions to the **Super Admin** role automatically. **Other
+roles (Editor, Author, custom roles) keep no Localazy access until an admin
+re-grants the actions** under _Settings → Administration Panel → Roles →
+Plugins → Localazy_. Plan this step when upgrading from `<= 1.4.x`.
+
 ## 🛟 Support
 
 If you encounter any issues or have questions, feel free to contact us through whichever channel suits you best:
diff --git a/admin/src/components/LocalazyPanel.tsx b/admin/src/components/LocalazyPanel.tsx
index 1bb1edc..c186301 100644
--- a/admin/src/components/LocalazyPanel.tsx
+++ b/admin/src/components/LocalazyPanel.tsx
@@ -4,13 +4,17 @@ import { useTranslation } from 'react-i18next';
 
 import type { PanelComponent } from '@strapi/content-manager/strapi-admin';
 import { Typography, Toggle } from '@strapi/design-system';
+import { useRBAC } from '@strapi/strapi/admin';
 import EntryExclusionService from '../modules/entry-exclusion/services/entry-exclusion-service';
+import { PERMISSIONS } from '../constants/permissions';
 
 import '../i18n';
 
 const LocalazyPanel: PanelComponent = () => {
   const { t } = useTranslation();
 
+  const { allowedActions } = useRBAC([...PERMISSIONS.READ, ...PERMISSIONS.TRANSFER]);
+
   const location = useLocation();
   const [isExcluded, setIsExcluded] = useState(false);
   const [isLoading, setIsLoading] = useState(true);
@@ -41,7 +45,7 @@ const LocalazyPanel: PanelComponent = () => {
   // Load the current exclusion state when we have the entry information
   useEffect(() => {
     const loadExclusionState = async () => {
-      if (!contentType || !documentId) {
+      if (!contentType || !documentId || !allowedActions.canRead) {
         setIsLoading(false);
         return;
       }
@@ -59,7 +63,11 @@ const LocalazyPanel: PanelComponent = () => {
     };
 
     void loadExclusionState();
-  }, [contentType, documentId]);
+  }, [contentType, documentId, allowedActions.canRead]);
+
+  if (!allowedActions.canRead) {
+    return null;
+  }
 
   // Handle toggle change
   const handleToggleChange = async (event: React.ChangeEvent<HTMLInputElement>) => {
@@ -92,7 +100,7 @@ const LocalazyPanel: PanelComponent = () => {
           checked={isExcluded}
           onLabel='True'
           offLabel='False'
-          disabled={isLoading || !contentType || !documentId}
+          disabled={isLoading || !contentType || !documentId || !allowedActions.canTransfer}
           onChange={handleToggleChange}
         />
       </div>
diff --git a/admin/src/components/LocalazyStatusColumn.tsx b/admin/src/components/LocalazyStatusColumn.tsx
index b4b0da9..04f2720 100644
--- a/admin/src/components/LocalazyStatusColumn.tsx
+++ b/admin/src/components/LocalazyStatusColumn.tsx
@@ -1,20 +1,23 @@
 import React, { useEffect, useState } from 'react';
 import { useTranslation } from 'react-i18next';
 import { useTheme } from 'styled-components';
+import { useRBAC } from '@strapi/strapi/admin';
 import EntryExclusionService from '../modules/entry-exclusion/services/entry-exclusion-service';
+import { PERMISSIONS } from '../constants/permissions';
 import '../i18n';
 
 // TODO: define props interface
 const LocalazyStatusColumn = ({ data, model }: any) => {
   const { t } = useTranslation();
   const theme = useTheme();
+  const { allowedActions } = useRBAC(PERMISSIONS.READ);
 
   const [isExcluded, setIsExcluded] = useState<boolean | null>(null);
   const [isLoading, setIsLoading] = useState(true);
 
   useEffect(() => {
     const checkStatus = async () => {
-      if (!data?.documentId || !model) {
+      if (!data?.documentId || !model || !allowedActions.canRead) {
         setIsLoading(false);
         return;
       }
@@ -31,7 +34,11 @@ const LocalazyStatusColumn = ({ data, model }: any) => {
     };
 
     void checkStatus();
-  }, [data?.documentId, model]);
+  }, [data?.documentId, model, allowedActions.canRead]);
+
+  if (!allowedActions.canRead) {
+    return null;
+  }
 
   if (isLoading) {
     return <span style={{ color: theme.colors.neutral600, fontSize: '12px' }}>...</span>;
diff --git a/admin/src/constants/permissions.ts b/admin/src/constants/permissions.ts
new file mode 100644
index 0000000..bc64d51
--- /dev/null
+++ b/admin/src/constants/permissions.ts
@@ -0,0 +1,35 @@
+import { PLUGIN_ID } from '../pluginId';
+
+/**
+ * Mirror of `server/src/constants/permissions.ts`. Admin code can't import from
+ * `server/`, so any rename must be applied in both files.
+ *
+ * `useRBAC` derives the boolean it returns under `allowedActions` from the LAST
+ * dotted segment of each UID, lowercased and prefixed with `can`:
+ *
+ *   plugin::localazy.read           → canRead
+ *   plugin::localazy.transfer       → canTransfer
+ *   plugin::localazy.settings.read  → canRead   (collides with READ above!)
+ *   plugin::localazy.settings.update → canUpdate
+ *
+ * Because `settings.read` and `read` both collapse to `canRead`, never pass
+ * both into the same `useRBAC` call — issue separate calls per distinct UID
+ * you need to check (one call returns one `canX` boolean per unique segment).
+ */
+export const PERMISSION_UIDS = {
+  READ: `plugin::${PLUGIN_ID}.read`,
+  TRANSFER: `plugin::${PLUGIN_ID}.transfer`,
+  SETTINGS_READ: `plugin::${PLUGIN_ID}.settings.read`,
+  SETTINGS_UPDATE: `plugin::${PLUGIN_ID}.settings.update`,
+} as const;
+
+export type PermissionUid = (typeof PERMISSION_UIDS)[keyof typeof PERMISSION_UIDS];
+
+type PermissionDescriptor = { action: PermissionUid; subject: null };
+
+export const PERMISSIONS: Record<keyof typeof PERMISSION_UIDS, PermissionDescriptor[]> = {
+  READ: [{ action: PERMISSION_UIDS.READ, subject: null }],
+  TRANSFER: [{ action: PERMISSION_UIDS.TRANSFER, subject: null }],
+  SETTINGS_READ: [{ action: PERMISSION_UIDS.SETTINGS_READ, subject: null }],
+  SETTINGS_UPDATE: [{ action: PERMISSION_UIDS.SETTINGS_UPDATE, subject: null }],
+};
diff --git a/admin/src/index.ts b/admin/src/index.ts
index 5738855..ed68625 100644
--- a/admin/src/index.ts
+++ b/admin/src/index.ts
@@ -1,6 +1,7 @@
 import { PLUGIN_ID } from './pluginId';
 import { Initializer } from './components/Initializer';
 import { Localazy } from './modules/@common/components/Icons/Localazy';
+import { PERMISSIONS } from './constants/permissions';
 import React from 'react';
 
 export default {
@@ -81,7 +82,7 @@ export default {
       });
 
       if (contentManagerPlugin?.apis?.addBulkAction) {
-        const { useNotification } = await import('@strapi/strapi/admin');
+        const { useNotification, useRBAC } = await import('@strapi/strapi/admin');
         await import('./i18n');
         const { useTranslation } = await import('react-i18next');
 
@@ -89,6 +90,11 @@ export default {
           const { documents, model } = props;
           const { toggleNotification } = useNotification();
           const { t } = useTranslation();
+          const { allowedActions } = useRBAC(PERMISSIONS.TRANSFER);
+
+          if (!allowedActions.canTransfer) {
+            return null;
+          }
 
           return {
             label: t('plugin_settings.bulk_action_exclude_from_translation'),
@@ -133,6 +139,11 @@ export default {
         const IncludeToTranslationAction = ({ documents, model }: any) => {
           const { toggleNotification } = useNotification();
           const { t } = useTranslation();
+          const { allowedActions } = useRBAC(PERMISSIONS.TRANSFER);
+
+          if (!allowedActions.canTransfer) {
+            return null;
+          }
 
           return {
             label: t('plugin_settings.bulk_action_include_to_translation'),
@@ -194,6 +205,7 @@ const addMenuLink = (app: any) => {
       defaultMessage: 'Localazy',
     },
     Component: () => import('./pages/LocalazyApp'),
+    permissions: PERMISSIONS.READ,
   });
 };
 
@@ -216,7 +228,7 @@ const addSettingsSection = (app: any) => {
         },
         to: `${PLUGIN_ID}/global-settings`,
         Component: () => import('./pages/LocalazyGlobalSettings'),
-        permissions: [],
+        permissions: PERMISSIONS.SETTINGS_READ,
       },
       // Content Transfer Setup
       {
@@ -227,7 +239,7 @@ const addSettingsSection = (app: any) => {
         },
         to: `${PLUGIN_ID}/content-transfer-setup`,
         Component: () => import('./pages/LocalazyContentTransferSetup'),
-        permissions: [],
+        permissions: PERMISSIONS.SETTINGS_READ,
       },
     ]
   );
diff --git a/admin/src/modules/@common/components/LanguagesSelector.tsx b/admin/src/modules/@common/components/LanguagesSelector.tsx
index d0349bb..39e76e7 100644
--- a/admin/src/modules/@common/components/LanguagesSelector.tsx
+++ b/admin/src/modules/@common/components/LanguagesSelector.tsx
@@ -11,6 +11,7 @@ interface LanguageSelectorProps {
   projectLanguages: any[];
   preselectedLanguages: any[];
   onChange: (values: any) => void;
+  disabled?: boolean;
 }
 
 const LanguagesSelector: React.FC<LanguageSelectorProps> = (props: LanguageSelectorProps) => {
@@ -46,6 +47,7 @@ const LanguagesSelector: React.FC<LanguageSelectorProps> = (props: LanguageSelec
         onClear={() => setSelectedLanguages([])}
         value={selectedLanguages || []}
         onChange={(values: any) => onChange(values)}
+        disabled={props.disabled}
         multi
         withTags
       >
diff --git a/admin/src/modules/login/components/LoginButton.tsx b/admin/src/modules/login/components/LoginButton.tsx
index 5fbd22b..8ecc13a 100644
--- a/admin/src/modules/login/components/LoginButton.tsx
+++ b/admin/src/modules/login/components/LoginButton.tsx
@@ -1,13 +1,15 @@
 import { useState } from 'react';
 import PropTypes from 'prop-types';
-import { Button } from '@strapi/design-system';
+import { Button, Tooltip } from '@strapi/design-system';
 import { useTranslation } from 'react-i18next';
+import { useRBAC } from '@strapi/strapi/admin';
 import { getOAuthAuthorizationUrl } from '@localazy/generic-connector-client';
 import LocalazyLoginService from '../services/localazy-login-service';
 import { getStrapiDefaultLocale } from '../../@common/utils/get-default-locale';
 import { isoStrapiToLocalazy } from '../../@common/utils/iso-locales-utils';
 import config from '../../../config';
 import { LocalazyIdentity } from '../../user/model/localazy-identity';
+import { PERMISSIONS } from '../../../constants/permissions';
 import { Locales } from '@localazy/api-client';
 
 interface LoginButtonProps {
@@ -16,6 +18,8 @@ interface LoginButtonProps {
 
 const LoginButton = (props: LoginButtonProps) => {
   const { t } = useTranslation();
+  const { allowedActions } = useRBAC(PERMISSIONS.SETTINGS_UPDATE);
+  const canConnect = !!allowedActions.canUpdate;
 
   const [isLoading, setIsLoading] = useState(false);
   const login = async () => {
@@ -42,11 +46,21 @@ const LoginButton = (props: LoginButtonProps) => {
     props.onResultFetched(pollResult);
   };
 
+  const button = (
+    <Button variant='default' size='L' loading={isLoading} onClick={login} disabled={!canConnect}>
+      {t('login.login_with_localazy')}
+    </Button>
+  );
+
   return (
     <div>
-      <Button variant='default' size='L' loading={isLoading} onClick={login}>
-        {t('login.login_with_localazy')}
-      </Button>
+      {canConnect ? (
+        button
+      ) : (
+        <Tooltip label={t('login.requires_settings_update_permission')}>
+          <span>{button}</span>
+        </Tooltip>
+      )}
     </div>
   );
 };
diff --git a/admin/src/modules/login/components/LogoutButton.tsx b/admin/src/modules/login/components/LogoutButton.tsx
index abe1df4..3bbd8ff 100644
--- a/admin/src/modules/login/components/LogoutButton.tsx
+++ b/admin/src/modules/login/components/LogoutButton.tsx
@@ -1,10 +1,12 @@
 import { useState } from 'react';
-import { Button } from '@strapi/design-system';
+import { Button, Tooltip } from '@strapi/design-system';
 import { useTranslation } from 'react-i18next';
 import { SignOut } from '@strapi/icons';
+import { useRBAC } from '@strapi/strapi/admin';
 import LocalazyUserService from '../../user/services/localazy-user-service';
 import { useLocalazyIdentity } from '../../../state/localazy-identity';
 import { emptyIdentity } from '../../user/model/localazy-identity';
+import { PERMISSIONS } from '../../../constants/permissions';
 
 interface LogoutButtonProps {
   onResultFetched: () => void;
@@ -14,6 +16,8 @@ const LogoutButton: React.FC<LogoutButtonProps> = (props) => {
   const { t } = useTranslation();
   const [isLoading, setIsLoading] = useState(false);
   const { setIdentity } = useLocalazyIdentity();
+  const { allowedActions } = useRBAC(PERMISSIONS.SETTINGS_UPDATE);
+  const canDisconnect = !!allowedActions.canUpdate;
 
   const logout = async () => {
     setIsLoading(true);
@@ -28,11 +32,21 @@ const LogoutButton: React.FC<LogoutButtonProps> = (props) => {
     props.onResultFetched();
   };
 
+  const button = (
+    <Button startIcon={<SignOut />} variant='secondary' loading={isLoading} onClick={logout} disabled={!canDisconnect}>
+      {t('login.logout_from_localazy')}
+    </Button>
+  );
+
   return (
     <div>
-      <Button startIcon={<SignOut />} variant='secondary' loading={isLoading} onClick={logout}>
-        {t('login.logout_from_localazy')}
-      </Button>
+      {canDisconnect ? (
+        button
+      ) : (
+        <Tooltip label={t('login.requires_settings_update_permission')}>
+          <span>{button}</span>
+        </Tooltip>
+      )}
     </div>
   );
 };
diff --git a/admin/src/modules/login/locale/en.ts b/admin/src/modules/login/locale/en.ts
index 968de6f..2a72fcc 100644
--- a/admin/src/modules/login/locale/en.ts
+++ b/admin/src/modules/login/locale/en.ts
@@ -5,4 +5,6 @@ export default {
     'You have to own a Localazy account for the plugin to work properly.',
   read_the_documentation: 'Read the documentation',
   logout_from_localazy: 'Disconnect from Localazy',
+  requires_settings_update_permission:
+    'Requires Localazy "settings.update" permission. Ask an admin to grant it under Settings → Roles → Plugins → Localazy.',
 };
diff --git a/admin/src/modules/plugin-settings/components/Tree.tsx b/admin/src/modules/plugin-settings/components/Tree.tsx
index 7507dbc..072ce3e 100644
--- a/admin/src/modules/plugin-settings/components/Tree.tsx
+++ b/admin/src/modules/plugin-settings/components/Tree.tsx
@@ -14,9 +14,10 @@ interface TreeProps {
   objects: any[];
   onTreeItemClick: (key: string[], currentValue: boolean) => void;
   initiallyExpanded: boolean;
+  disabled?: boolean;
 }
 
-const Tree: React.FC<TreeProps> = ({ objects, onTreeItemClick, initiallyExpanded = false }) => {
+const Tree: React.FC<TreeProps> = ({ objects, onTreeItemClick, initiallyExpanded = false, disabled = false }) => {
   const { t } = useTranslation();
 
   const [, setIsExpanded] = useState(initiallyExpanded);
@@ -82,7 +83,7 @@ const Tree: React.FC<TreeProps> = ({ objects, onTreeItemClick, initiallyExpanded
               <Box key={passedKey} marginTop={6} marginBottom={6} marginLeft={6}>
                 {isSubbranchObject && (
                   <Checkbox
-                    disabled={hasAllNullValue}
+                    disabled={disabled || hasAllNullValue}
                     checked={getCheckedState(hasTruthyValue, hasFalsyValue)}
                     onCheckedChange={() => onTreeItemClick(flattenedKeys, hasTruthyValue)}
                   >
@@ -96,7 +97,7 @@ const Tree: React.FC<TreeProps> = ({ objects, onTreeItemClick, initiallyExpanded
                     </Flex>
                   </Checkbox>
                 )}
-                <TreeItem onTreeItemClick={onTreeItemClick} passedKey={passedKey}>
+                <TreeItem onTreeItemClick={onTreeItemClick} passedKey={passedKey} disabled={disabled}>
                   {createTree(key, value, passedKey)}
                 </TreeItem>
               </Box>
@@ -106,7 +107,16 @@ const Tree: React.FC<TreeProps> = ({ objects, onTreeItemClick, initiallyExpanded
       );
     }
 
-    return <TreeItem onTreeItemClick={onTreeItemClick} key={path} passedKey={path} label={name} value={branch} />;
+    return (
+      <TreeItem
+        onTreeItemClick={onTreeItemClick}
+        key={path}
+        passedKey={path}
+        label={name}
+        value={branch}
+        disabled={disabled}
+      />
+    );
   };
 
   return (
@@ -127,6 +137,7 @@ const Tree: React.FC<TreeProps> = ({ objects, onTreeItemClick, initiallyExpanded
                       label={`switch_tree_${key}`}
                       onCheckedChange={() => onTreeItemClick([`${key}.__model__`], value.__model__)}
                       checked={!!value.__model__}
+                      disabled={disabled}
                       style={{ marginRight: '1rem' }}
                     />
                   </Flex>
diff --git a/admin/src/modules/plugin-settings/components/TreeItem.tsx b/admin/src/modules/plugin-settings/components/TreeItem.tsx
index 75dc021..db0825e 100644
--- a/admin/src/modules/plugin-settings/components/TreeItem.tsx
+++ b/admin/src/modules/plugin-settings/components/TreeItem.tsx
@@ -7,9 +7,17 @@ interface TreeItemProps {
   children?: any;
   passedKey: string;
   onTreeItemClick: (key: any, currentValue: any) => void;
+  disabled?: boolean;
 }
 
-const TreeItem: React.FC<TreeItemProps> = ({ label, value, children, passedKey = '', onTreeItemClick }) => {
+const TreeItem: React.FC<TreeItemProps> = ({
+  label,
+  value,
+  children,
+  passedKey = '',
+  onTreeItemClick,
+  disabled = false,
+}) => {
   const onChange = (key: any, currentValue: any) => {
     onTreeItemClick(key, currentValue);
   };
@@ -17,7 +25,7 @@ const TreeItem: React.FC<TreeItemProps> = ({ label, value, children, passedKey =
   return (
     <>
       {typeof value === 'boolean' && (
-        <Checkbox checked={value} onCheckedChange={() => onChange([passedKey], value)}>
+        <Checkbox checked={value} disabled={disabled} onCheckedChange={() => onChange([passedKey], value)}>
           {label || '-'}
         </Checkbox>
       )}
diff --git a/admin/src/modules/plugin-settings/components/WebhookSetup.tsx b/admin/src/modules/plugin-settings/components/WebhookSetup.tsx
index 71f4fd3..99baa48 100644
--- a/admin/src/modules/plugin-settings/components/WebhookSetup.tsx
+++ b/admin/src/modules/plugin-settings/components/WebhookSetup.tsx
@@ -9,7 +9,11 @@ const LOCALAZY_DOCS_URL = 'https://localazy.com/docs/general/webhooks';
 
 type WebhookState = 'loading' | 'configured' | 'not_configured';
 
-function WebhookSetup() {
+interface WebhookSetupProps {
+  disabled?: boolean;
+}
+
+function WebhookSetup({ disabled = false }: WebhookSetupProps = {}) {
   const { t } = useTranslation();
 
   const [state, setState] = useState<WebhookState>('loading');
@@ -98,7 +102,7 @@ function WebhookSetup() {
             </Typography>
           </Box>
           <Box marginTop={3}>
-            <Button variant='tertiary' onClick={() => setShowModal(true)}>
+            <Button variant='tertiary' disabled={disabled} onClick={() => setShowModal(true)}>
               {t('plugin_settings.webhook_setup_reconfigure')}
             </Button>
           </Box>
@@ -117,7 +121,9 @@ function WebhookSetup() {
             {t('plugin_settings.webhook_setup_description')}
           </Typography>
           <Flex gap={3} marginTop={3} alignItems='center'>
-            <Button onClick={() => setShowModal(true)}>{t('plugin_settings.webhook_setup_button')}</Button>
+            <Button disabled={disabled} onClick={() => setShowModal(true)}>
+              {t('plugin_settings.webhook_setup_button')}
+            </Button>
             <Link href={LOCALAZY_DOCS_URL} isExternal startIcon={<LinkIcon />}>
               {t('plugin_settings.webhook_setup_docs_link')}
             </Link>
diff --git a/admin/src/modules/plugin-settings/locale/en.ts b/admin/src/modules/plugin-settings/locale/en.ts
index 88779d8..a871291 100644
--- a/admin/src/modules/plugin-settings/locale/en.ts
+++ b/admin/src/modules/plugin-settings/locale/en.ts
@@ -32,6 +32,9 @@ export default {
   webhook_author_info:
     'Select the author signed under the webhook actions (required by Strapi for certain actions, e.g. creating a locale).',
   webhook_author_placeholder: 'Select webhook actions author',
+  webhook_author_permission_required:
+    'You need the Strapi “Users and Roles → Users → Read” permission (admin::users.read) to view and pick a webhook author.',
+  webhook_author_unknown_user: 'User #{{id}}',
   webhook_languages: 'Allowed webhook languages',
   webhook_languages_info:
     'Select the languages from Localazy. Translations of selected languages would be downloaded. If no language is selected, all translations will be downloaded.',
diff --git a/admin/src/modules/plugin-settings/services/plugin-settings-service.ts b/admin/src/modules/plugin-settings/services/plugin-settings-service.ts
index dd23c4a..0607457 100644
--- a/admin/src/modules/plugin-settings/services/plugin-settings-service.ts
+++ b/admin/src/modules/plugin-settings/services/plugin-settings-service.ts
@@ -46,6 +46,19 @@ export default class PluginSettingsService {
     }
   }
 
+  // Read-gated counterpart for per-user UI prefs (last visited route, sort
+  // prefs). Server filters the body to a fixed allowlist; sending anything else
+  // is silently dropped, so callers must only pass UI-pref fields here.
+  static async updatePluginSettingsUiPrefs(data: { defaultRoute?: string; activityLogsSort?: any }) {
+    try {
+      const result = await axiosInstance.put(`${BASE_PATH}/ui-prefs`, data);
+
+      return result.data;
+    } catch (e) {
+      throw e;
+    }
+  }
+
   static async getSyncCursor() {
     try {
       const result = await axiosInstance.get(`${BASE_PATH}/sync-cursor`);
diff --git a/admin/src/pages/ActivityLogs.tsx b/admin/src/pages/ActivityLogs.tsx
index 8b98d06..2e546fb 100644
--- a/admin/src/pages/ActivityLogs.tsx
+++ b/admin/src/pages/ActivityLogs.tsx
@@ -1,5 +1,5 @@
 import React, { useState, useEffect, useRef, useCallback } from 'react';
-import { Layouts } from '@strapi/strapi/admin';
+import { Layouts, useRBAC } from '@strapi/strapi/admin';
 import { useTranslation } from 'react-i18next';
 import { Box, Flex, Button, Typography, Tabs, Dialog, Alert, Field, DatePicker } from '@strapi/design-system';
 import { Trash, Download, Information } from '@strapi/icons';
@@ -11,6 +11,7 @@ import SessionsTable from '../modules/activity-logs/components/SessionsTable';
 import PluginSettingsService from '../modules/plugin-settings/services/plugin-settings-service';
 import { PLUGIN_ID } from '../pluginId';
 import { PLUGIN_ROUTES } from '../modules/@common/utils/redirect-to-plugin-route';
+import { PERMISSIONS } from '../constants/permissions';
 import useDebouncedSearch from '../modules/activity-logs/hooks/use-debounced-search';
 import type { SessionItem, SortKey, SortDirection } from '../modules/activity-logs/models/activity-logs';
 
@@ -22,6 +23,9 @@ export type ActivityLogsProps = {
 const ActivityLogs: React.FC<ActivityLogsProps> = (props) => {
   const { t } = useTranslation();
   const navigate = useNavigate();
+  const {
+    allowedActions: { canTransfer },
+  } = useRBAC(PERMISSIONS.TRANSFER);
 
   const [isLoading, setIsLoading] = useState(true);
   const [sessions, setSessions] = useState<SessionItem[]>([]);
@@ -38,7 +42,7 @@ const ActivityLogs: React.FC<ActivityLogsProps> = (props) => {
   const debouncedSaveSortPrefs = useCallback((prefs: Record<string, { key: string; direction: string }>) => {
     if (saveSortTimerRef.current) clearTimeout(saveSortTimerRef.current);
     saveSortTimerRef.current = setTimeout(() => {
-      void PluginSettingsService.updatePluginSettings({ activityLogsSort: prefs });
+      void PluginSettingsService.updatePluginSettingsUiPrefs({ activityLogsSort: prefs });
     }, 1000);
   }, []);
 
@@ -102,7 +106,7 @@ const ActivityLogs: React.FC<ActivityLogsProps> = (props) => {
       void fetchSessions('upload');
     };
     void init();
-    void PluginSettingsService.updatePluginSettings({ defaultRoute: PLUGIN_ROUTES.ACTIVITY_LOGS });
+    void PluginSettingsService.updatePluginSettingsUiPrefs({ defaultRoute: PLUGIN_ROUTES.ACTIVITY_LOGS });
   }, []);
 
   return (
@@ -115,7 +119,12 @@ const ActivityLogs: React.FC<ActivityLogsProps> = (props) => {
             <Button variant='secondary' startIcon={<Download />} onClick={onExportLogs}>
               {t('activity_logs.export_logs')}
             </Button>
-            <Button variant='danger-light' startIcon={<Trash />} onClick={() => setShowClearConfirm(true)}>
+            <Button
+              variant='danger-light'
+              startIcon={<Trash />}
+              disabled={!canTransfer}
+              onClick={() => setShowClearConfirm(true)}
+            >
               {t('activity_logs.clear_logs')}
             </Button>
           </Flex>
diff --git a/admin/src/pages/App.tsx b/admin/src/pages/App.tsx
index 884ab1d..c16a727 100644
--- a/admin/src/pages/App.tsx
+++ b/admin/src/pages/App.tsx
@@ -8,13 +8,14 @@ import PluginSettingsService from '../modules/plugin-settings/services/plugin-se
 import { useHeaderTitle } from '../modules/@common/utils/use-header-title';
 import { useHeaderSubtitle } from '../modules/@common/utils/use-header-subtitle';
 import Login from './Login';
-import { Layouts, Page } from '@strapi/strapi/admin';
+import { Layouts, Page, useRBAC } from '@strapi/strapi/admin';
 import SideNav from '../modules/@common/components/SideNav';
 import Overview from './Overview';
 import { getDefaultTheme } from '../modules/strapi/utils/get-default-theme';
 import Loader from '../modules/@common/components/PluginPageLoader';
 import { HeadingFixGlobalStyle } from '../modules/@common/styles/heading-fix';
 import PluginErrorBoundary from '../components/PluginErrorBoundary';
+import { PERMISSIONS } from '../constants/permissions';
 
 // import and load resources
 import '../i18n';
@@ -31,6 +32,11 @@ const App = () => {
   const headerTitle = useHeaderTitle();
   const headerSubtitle = useHeaderSubtitle();
 
+  const {
+    allowedActions: { canRead, canTransfer },
+    isLoading: isLoadingPermissions,
+  } = useRBAC([...PERMISSIONS.READ, ...PERMISSIONS.TRANSFER]);
+
   const normalizedPath = location.pathname.replace(/\/+$/, '');
   const pluginRoot = `/plugins/${PLUGIN_ID}`;
   const isAtPluginRoot = normalizedPath === pluginRoot;
@@ -56,6 +62,34 @@ const App = () => {
     void fetchData();
   }, [isLoggedIn, isFetchingIdentity, normalizedPath]);
 
+  if (isLoadingPermissions) {
+    return (
+      <DesignSystemProvider theme={getDefaultTheme()}>
+        <HeadingFixGlobalStyle />
+        <Box background='neutral100'>
+          <Layouts.Root>
+            <Loader />
+          </Layouts.Root>
+        </Box>
+      </DesignSystemProvider>
+    );
+  }
+
+  if (!canRead) {
+    return (
+      <DesignSystemProvider theme={getDefaultTheme()}>
+        <HeadingFixGlobalStyle />
+        <Box background='neutral100'>
+          <Layouts.Root>
+            <Page.NoPermissions />
+          </Layouts.Root>
+        </Box>
+      </DesignSystemProvider>
+    );
+  }
+
+  const transferElement = (page: JSX.Element) => (canTransfer ? page : <Page.NoPermissions />);
+
   return (
     <DesignSystemProvider theme={getDefaultTheme()}>
       <HeadingFixGlobalStyle />
@@ -72,8 +106,14 @@ const App = () => {
                 path={`overview`}
                 element={<Overview title={headerTitle} subtitle={headerSubtitle} isLoadingProp={false} />}
               />
-              <Route path={`upload`} element={<Upload title={headerTitle} subtitle={headerSubtitle} />} />
-              <Route path={`download`} element={<Download title={headerTitle} subtitle={headerSubtitle} />} />
+              <Route
+                path={`upload`}
+                element={transferElement(<Upload title={headerTitle} subtitle={headerSubtitle} />)}
+              />
+              <Route
+                path={`download`}
+                element={transferElement(<Download title={headerTitle} subtitle={headerSubtitle} />)}
+              />
               <Route path={`activity-logs`} element={<ActivityLogs title={headerTitle} subtitle={headerSubtitle} />} />
               <Route
                 path={`activity-logs/:sessionId`}
diff --git a/admin/src/pages/ContentTransferSetup.tsx b/admin/src/pages/ContentTransferSetup.tsx
index 44a330e..1039856 100644
--- a/admin/src/pages/ContentTransferSetup.tsx
+++ b/admin/src/pages/ContentTransferSetup.tsx
@@ -2,7 +2,7 @@ import React, { useEffect, useState } from 'react';
 import { useTranslation } from 'react-i18next';
 import isEqual from 'lodash-es/isEqual';
 import cloneDeep from 'lodash-es/cloneDeep';
-import { Layouts } from '@strapi/strapi/admin';
+import { Layouts, useRBAC } from '@strapi/strapi/admin';
 import { Check } from '@strapi/icons';
 import { Box, Button, Alert, Flex, Divider, Typography } from '@strapi/design-system';
 import set from 'lodash-es/set';
@@ -15,6 +15,7 @@ import hasModelChanged from '../modules/plugin-settings/functions/has-model-chan
 import buildContentTransferSetupSchema from '../modules/plugin-settings/functions/build-content-transfer-setup-schema';
 import { Tree } from '../modules/plugin-settings/components/Tree';
 import { ContentTransferSetupEmpty } from '../modules/plugin-settings/components/ContentTransferSetupEmpty';
+import { PERMISSIONS } from '../constants/permissions';
 
 // import and load resources
 import '../i18n';
@@ -27,6 +28,13 @@ const ContentTransferSetup: React.FC = () => {
    */
   const { t } = useTranslation();
 
+  /**
+   * Settings.update gate — read-only for users without it.
+   */
+  const {
+    allowedActions: { canUpdate: canUpdateSettings },
+  } = useRBAC(PERMISSIONS.SETTINGS_UPDATE);
+
   /**
    * Component state
    */
@@ -175,12 +183,12 @@ const ContentTransferSetup: React.FC = () => {
         subtitle={t('plugin_settings.content_transfer_setup_description')}
         primaryAction={
           <Flex gap={2}>
-            <Button variant='secondary' disabled={!hasUnsavedChanges} onClick={onCancelClick}>
+            <Button variant='secondary' disabled={!canUpdateSettings || !hasUnsavedChanges} onClick={onCancelClick}>
               {t('plugin_settings.cancel')}
             </Button>
             <Button
               startIcon={<Check />}
-              disabled={!hasUnsavedChanges}
+              disabled={!canUpdateSettings || !hasUnsavedChanges}
               onClick={() => {
                 void saveContentTransferSetup(formModel);
               }}
@@ -225,7 +233,12 @@ const ContentTransferSetup: React.FC = () => {
             {formModel.map((tree, index) => {
               return (
                 <Box key={`box_tree_${index}`} marginBottom={3}>
-                  <Tree onTreeItemClick={onTreeItemClick} objects={tree} initiallyExpanded={index === 0} />
+                  <Tree
+                    onTreeItemClick={onTreeItemClick}
+                    objects={tree}
+                    initiallyExpanded={index === 0}
+                    disabled={!canUpdateSettings}
+                  />
                 </Box>
               );
             })}
diff --git a/admin/src/pages/Download.tsx b/admin/src/pages/Download.tsx
index fea2362..893f9fd 100644
--- a/admin/src/pages/Download.tsx
+++ b/admin/src/pages/Download.tsx
@@ -1,6 +1,4 @@
 import React, { useState, useEffect } from 'react';
-import cloneDeep from 'lodash-es/cloneDeep';
-import set from 'lodash-es/set';
 import { Layouts } from '@strapi/strapi/admin';
 import { Box, Button, Alert, Flex, Divider, Typography, Dialog } from '@strapi/design-system';
 import { Download as DownloadIcon } from '@strapi/icons';
@@ -63,20 +61,16 @@ const Download: React.FC<DownloadProps> = (props) => {
   const [projectLanguages, setProjectLanguages] = useState([]);
 
   /**
-   * Global Settings form model
+   * Per-session UI language pick. Sent with each download request rather than
+   * persisted to plugin-settings, so callers without `settings.update` (e.g.
+   * `read + transfer`) can still influence the download — the persisted
+   * `download.uiLanguages` field is only writable via `settings.update`-gated
+   * routes and we must not call them from this `transfer`-gated page.
    */
-  const [formModel, setFormModel] = useState<any>({});
+  const [uiLanguages, setUiLanguages] = useState<string[]>([]);
 
-  const onDownloadLanguagesChange = (languages: any[]) => {
-    const newFormModel = cloneDeep(formModel);
-    set(newFormModel, 'download.uiLanguages', languages);
-    setFormModel(newFormModel);
-
-    try {
-      void PluginSettingsService.updatePluginSettings(newFormModel);
-    } catch (e: any) {
-      console.error(e.message);
-    }
+  const onDownloadLanguagesChange = (languages: string[]) => {
+    setUiLanguages(languages);
   };
 
   const onDownloadClick = async (fullSync = false) => {
@@ -86,7 +80,7 @@ const Download: React.FC<DownloadProps> = (props) => {
       success: false,
       report: [],
     });
-    const result = await LocalazyDownloadService.download({ fullSync });
+    const result = await LocalazyDownloadService.download({ fullSync, uiLanguages });
     const { streamIdentifier } = result;
     downloadAlertsService.setStreamIdentifier(streamIdentifier);
     downloadAlertsService.onDownload((data: any) => {
@@ -138,9 +132,12 @@ const Download: React.FC<DownloadProps> = (props) => {
         project?.languages?.filter((language) => language.id !== project.sourceLanguage) || [];
       setProjectLanguages(projectLanguagesWithoutDefaultLanguage as any);
 
-      setFormModel(globalSettings);
+      // Seed the per-session pick from the last persisted value (if any) so
+      // the UI still feels stateful for users with `settings.update`, but the
+      // pick now travels with the download request itself.
+      setUiLanguages(Array.isArray(globalSettings?.download?.uiLanguages) ? globalSettings.download.uiLanguages : []);
 
-      void PluginSettingsService.updatePluginSettings({ defaultRoute: PLUGIN_ROUTES.DOWNLOAD });
+      void PluginSettingsService.updatePluginSettingsUiPrefs({ defaultRoute: PLUGIN_ROUTES.DOWNLOAD });
 
       setIsLoading(false);
     }
@@ -199,7 +196,7 @@ const Download: React.FC<DownloadProps> = (props) => {
             <Typography variant='omega'>{t('download.make_sure_note_c')}</Typography>
             <Box paddingTop={6}>
               <LanguagesSelector
-                preselectedLanguages={formModel?.download?.uiLanguages || []}
+                preselectedLanguages={uiLanguages}
                 projectLanguages={projectLanguages}
                 onChange={(languages) => onDownloadLanguagesChange(languages)}
                 label={t('download.ui_languages')}
diff --git a/admin/src/pages/GlobalSettings.tsx b/admin/src/pages/GlobalSettings.tsx
index 3a1ecf1..7755771 100644
--- a/admin/src/pages/GlobalSettings.tsx
+++ b/admin/src/pages/GlobalSettings.tsx
@@ -1,7 +1,7 @@
 import React, { useEffect, useState } from 'react';
 import { useTranslation } from 'react-i18next';
 import cloneDeep from 'lodash-es/cloneDeep';
-import { Layouts } from '@strapi/strapi/admin';
+import { Layouts, useRBAC } from '@strapi/strapi/admin';
 import { Check } from '@strapi/icons';
 import {
   Field,
@@ -25,6 +25,7 @@ import PluginSettingsService from '../modules/plugin-settings/services/plugin-se
 import StrapiUsersService from '../modules/plugin-settings/services/strapi-users-service';
 import ProjectService from '../modules/@common/services/project-service';
 import { AdminPanelUser } from '../modules/plugin-settings/models/admin-panel-user';
+import { PERMISSIONS } from '../constants/permissions';
 // TODO: ADD TYPES
 
 // import and load resources
@@ -36,6 +37,22 @@ const GlobalSettings: React.FC = () => {
    */
   const { t } = useTranslation();
 
+  /**
+   * Settings.update gate — controls are read-only without it.
+   */
+  const {
+    allowedActions: { canUpdate: canUpdateSettings },
+  } = useRBAC(PERMISSIONS.SETTINGS_UPDATE);
+
+  // `admin::users.read` powers the webhook-author dropdown (`/admin/users`).
+  // It's a core Strapi action, so we check it separately and skip the fetch
+  // when missing. `useRBAC` resolves async via `/admin/permissions/check`;
+  // the effect below waits on `isLoading` before reading `canRead`.
+  const {
+    allowedActions: { canRead: canReadAdminUsers },
+    isLoading: isLoadingAdminUsersRBAC,
+  } = useRBAC([{ action: 'admin::users.read', subject: null }]);
+
   /**
    * Project Languages without default language
    */
@@ -93,13 +110,19 @@ const GlobalSettings: React.FC = () => {
   };
 
   useEffect(() => {
+    if (isLoadingAdminUsersRBAC) {
+      return;
+    }
+
     async function fetchData() {
       setIsLoading(true);
 
       const [project, globalSettings, users] = await Promise.all([
         ProjectService.getConnectedProject(),
         PluginSettingsService.getPluginSettings(),
-        StrapiUsersService.getAdminPanelUsers(),
+        canReadAdminUsers
+          ? StrapiUsersService.getAdminPanelUsers().catch(() => [] as AdminPanelUser[])
+          : Promise.resolve([] as AdminPanelUser[]),
       ]);
 
       const projectLanguagesWithoutDefaultLanguage =
@@ -114,7 +137,9 @@ const GlobalSettings: React.FC = () => {
       setIsLoading(false);
     }
     void fetchData();
-  }, []);
+    // `canReadAdminUsers` is stable once `isLoadingAdminUsersRBAC` is false.
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [isLoadingAdminUsersRBAC]);
 
   return (
     <>
@@ -123,12 +148,12 @@ const GlobalSettings: React.FC = () => {
         subtitle={t('plugin_settings.global_settings_description')}
         primaryAction={
           <Flex gap={2}>
-            <Button variant='secondary' disabled={!hasUnsavedChanges} onClick={onCancelClick}>
+            <Button variant='secondary' disabled={!canUpdateSettings || !hasUnsavedChanges} onClick={onCancelClick}>
               {t('plugin_settings.cancel')}
             </Button>
             <Button
               startIcon={<Check />}
-              disabled={!hasUnsavedChanges}
+              disabled={!canUpdateSettings || !hasUnsavedChanges}
               onClick={() => {
                 void saveGlobalSettings(formModel);
               }}
@@ -171,6 +196,7 @@ const GlobalSettings: React.FC = () => {
                 <Toggle
                   offLabel={t('plugin_settings.off')}
                   onLabel={t('plugin_settings.on')}
+                  disabled={!canUpdateSettings}
                   checked={
                     typeof formModel?.upload?.allowAutomated === 'boolean' ? formModel.upload.allowAutomated : false
                   }
@@ -192,7 +218,8 @@ const GlobalSettings: React.FC = () => {
                   value={formModel?.upload?.automatedTriggers || []}
                   onChange={(values: any) => patchFormModel('upload.automatedTriggers', values)}
                   disabled={
-                    typeof formModel?.upload?.allowAutomated === 'boolean' ? !formModel.upload.allowAutomated : true
+                    !canUpdateSettings ||
+                    (typeof formModel?.upload?.allowAutomated === 'boolean' ? !formModel.upload.allowAutomated : true)
                   }
                   multi
                   withTags
@@ -211,6 +238,7 @@ const GlobalSettings: React.FC = () => {
                   hint={t('plugin_settings.deprecate_source_keys_on_delete_info')}
                   offLabel={t('plugin_settings.off')}
                   onLabel={t('plugin_settings.on')}
+                  disabled={!canUpdateSettings}
                   checked={
                     typeof formModel?.upload?.allowDeprecate === 'boolean' ? formModel.upload.allowDeprecate : false
                   }
@@ -234,7 +262,7 @@ const GlobalSettings: React.FC = () => {
                 {t('plugin_settings.webhook_setup_title')}
               </Typography>
               <br />
-              <WebhookSetup />
+              <WebhookSetup disabled={!canUpdateSettings} />
               <br />
               <br />
               <Divider />
@@ -253,6 +281,7 @@ const GlobalSettings: React.FC = () => {
                   hint={t('plugin_settings.processing_of_download_webhook_info')}
                   offLabel={t('plugin_settings.off')}
                   onLabel={t('plugin_settings.on')}
+                  disabled={!canUpdateSettings}
                   checked={
                     typeof formModel?.download?.processDownloadWebhook === 'boolean'
                       ? formModel.download.processDownloadWebhook
@@ -274,15 +303,42 @@ const GlobalSettings: React.FC = () => {
                   onClear={() => patchFormModel('download.webhookAuthorId', null)}
                   value={formModel?.download?.webhookAuthorId || null}
                   onChange={(value: any) => patchFormModel('download.webhookAuthorId', value)}
+                  disabled={!canUpdateSettings || !canReadAdminUsers}
                 >
-                  {users.map((user) => (
-                    <SingleSelectOption key={user.id} value={user.id}>
-                      {getUserLabel(user)}
-                    </SingleSelectOption>
-                  ))}
+                  {(() => {
+                    const savedAuthorId = formModel?.download?.webhookAuthorId;
+                    // Fall back to a stub option when the saved id is not in
+                    // the users list (e.g. role lacks `admin::users.read`),
+                    // so the SingleSelect still renders the configured author.
+                    // String-compare: the id can be a number (from the API)
+                    // or a string (after `SingleSelect`'s `onChange`).
+                    const needsFallback =
+                      savedAuthorId != null && !users.some((user) => String(user.id) === String(savedAuthorId));
+                    return (
+                      <>
+                        {needsFallback && (
+                          <SingleSelectOption key={`fallback-${savedAuthorId}`} value={savedAuthorId}>
+                            {t('plugin_settings.webhook_author_unknown_user', { id: savedAuthorId })}
+                          </SingleSelectOption>
+                        )}
+                        {users.map((user) => (
+                          <SingleSelectOption key={user.id} value={user.id}>
+                            {getUserLabel(user)}
+                          </SingleSelectOption>
+                        ))}
+                      </>
+                    );
+                  })()}
                 </SingleSelect>
                 <Field.Hint />
               </Field.Root>
+              {!canReadAdminUsers && (
+                <Box paddingTop={2}>
+                  <Typography variant='pi' textColor='warning600'>
+                    {t('plugin_settings.webhook_author_permission_required')}
+                  </Typography>
+                </Box>
+              )}
               {/* Webhook languages selector */}
               <br />
               <br />
@@ -293,6 +349,7 @@ const GlobalSettings: React.FC = () => {
                 label={t('plugin_settings.webhook_languages')}
                 hint={t('plugin_settings.webhook_languages_info')}
                 placeholder={t('plugin_settings.webhook_languages_placeholder')}
+                disabled={!canUpdateSettings}
               />
               {/* Webhook incremental sync */}
               <br />
@@ -302,6 +359,7 @@ const GlobalSettings: React.FC = () => {
                 <Toggle
                   offLabel={t('plugin_settings.off')}
                   onLabel={t('plugin_settings.on')}
+                  disabled={!canUpdateSettings}
                   checked={
                     typeof formModel?.download?.webhookIncrementalSync === 'boolean'
                       ? formModel.download.webhookIncrementalSync
diff --git a/admin/src/pages/LocalazyContentTransferSetup.tsx b/admin/src/pages/LocalazyContentTransferSetup.tsx
index eec4f59..1ff8bec 100644
--- a/admin/src/pages/LocalazyContentTransferSetup.tsx
+++ b/admin/src/pages/LocalazyContentTransferSetup.tsx
@@ -1,22 +1,39 @@
 import React from 'react';
 import { DesignSystemProvider } from '@strapi/design-system';
+import { Page, useRBAC } from '@strapi/strapi/admin';
 import { ContentTransferSetup } from './ContentTransferSetup';
 import FetchIdentity from '../modules/login/components/FetchIdentity';
 import { LocalazyIdentityProvider } from '../state/localazy-identity';
 import RequireLocalazyAuth from '../components/RequireLocalazyAuth';
 import { getDefaultTheme } from '../modules/strapi/utils/get-default-theme';
 import { HeadingFixGlobalStyle } from '../modules/@common/styles/heading-fix';
+import Loader from '../modules/@common/components/PluginPageLoader';
+import { PERMISSIONS } from '../constants/permissions';
 
-const LocalazyContentTransferSetup = () => (
-  <DesignSystemProvider theme={getDefaultTheme()}>
-    <HeadingFixGlobalStyle />
-    <LocalazyIdentityProvider>
-      <FetchIdentity />
-      <RequireLocalazyAuth>
-        <ContentTransferSetup />
-      </RequireLocalazyAuth>
-    </LocalazyIdentityProvider>
-  </DesignSystemProvider>
-);
+const LocalazyContentTransferSetup = () => {
+  // `addSettingsLink` permissions only hide the menu entry, not the route.
+  const {
+    allowedActions: { canRead: canReadSettings },
+    isLoading: isLoadingPermissions,
+  } = useRBAC(PERMISSIONS.SETTINGS_READ);
+
+  return (
+    <DesignSystemProvider theme={getDefaultTheme()}>
+      <HeadingFixGlobalStyle />
+      {isLoadingPermissions ? (
+        <Loader />
+      ) : !canReadSettings ? (
+        <Page.NoPermissions />
+      ) : (
+        <LocalazyIdentityProvider>
+          <FetchIdentity />
+          <RequireLocalazyAuth>
+            <ContentTransferSetup />
+          </RequireLocalazyAuth>
+        </LocalazyIdentityProvider>
+      )}
+    </DesignSystemProvider>
+  );
+};
 
 export default LocalazyContentTransferSetup;
diff --git a/admin/src/pages/LocalazyGlobalSettings.tsx b/admin/src/pages/LocalazyGlobalSettings.tsx
index 5f8f872..b35a710 100644
--- a/admin/src/pages/LocalazyGlobalSettings.tsx
+++ b/admin/src/pages/LocalazyGlobalSettings.tsx
@@ -1,22 +1,39 @@
 import React from 'react';
 import { DesignSystemProvider } from '@strapi/design-system';
+import { Page, useRBAC } from '@strapi/strapi/admin';
 import { GlobalSettings } from './GlobalSettings';
 import { LocalazyIdentityProvider } from '../state/localazy-identity';
 import FetchIdentity from '../modules/login/components/FetchIdentity';
 import RequireLocalazyAuth from '../components/RequireLocalazyAuth';
 import { getDefaultTheme } from '../modules/strapi/utils/get-default-theme';
 import { HeadingFixGlobalStyle } from '../modules/@common/styles/heading-fix';
+import Loader from '../modules/@common/components/PluginPageLoader';
+import { PERMISSIONS } from '../constants/permissions';
 
-const LocalazyGlobalSettings = () => (
-  <DesignSystemProvider theme={getDefaultTheme()}>
-    <HeadingFixGlobalStyle />
-    <LocalazyIdentityProvider>
-      <FetchIdentity />
-      <RequireLocalazyAuth>
-        <GlobalSettings />
-      </RequireLocalazyAuth>
-    </LocalazyIdentityProvider>
-  </DesignSystemProvider>
-);
+const LocalazyGlobalSettings = () => {
+  // `addSettingsLink` permissions only hide the menu entry, not the route.
+  const {
+    allowedActions: { canRead: canReadSettings },
+    isLoading: isLoadingPermissions,
+  } = useRBAC(PERMISSIONS.SETTINGS_READ);
+
+  return (
+    <DesignSystemProvider theme={getDefaultTheme()}>
+      <HeadingFixGlobalStyle />
+      {isLoadingPermissions ? (
+        <Loader />
+      ) : !canReadSettings ? (
+        <Page.NoPermissions />
+      ) : (
+        <LocalazyIdentityProvider>
+          <FetchIdentity />
+          <RequireLocalazyAuth>
+            <GlobalSettings />
+          </RequireLocalazyAuth>
+        </LocalazyIdentityProvider>
+      )}
+    </DesignSystemProvider>
+  );
+};
 
 export default LocalazyGlobalSettings;
diff --git a/admin/src/pages/Overview.tsx b/admin/src/pages/Overview.tsx
index 1bd91d9..a694665 100644
--- a/admin/src/pages/Overview.tsx
+++ b/admin/src/pages/Overview.tsx
@@ -39,7 +39,7 @@ const Overview: React.FC<OverviewProps> = ({ title, subtitle, isLoadingProp = fa
       const project = await ProjectService.getConnectedProject();
       setConnectedProject(project);
 
-      void PluginSettingsService.updatePluginSettings({ defaultRoute: PLUGIN_ROUTES.OVERVIEW });
+      void PluginSettingsService.updatePluginSettingsUiPrefs({ defaultRoute: PLUGIN_ROUTES.OVERVIEW });
 
       setIsLoading(false);
     }
diff --git a/admin/src/pages/Upload.tsx b/admin/src/pages/Upload.tsx
index 0136787..3a8656c 100644
--- a/admin/src/pages/Upload.tsx
+++ b/admin/src/pages/Upload.tsx
@@ -105,7 +105,7 @@ const Upload: React.FC<UploadProps> = (props: UploadProps) => {
       setModelChanged(modelChangedResult);
       setLocalesIncompatible(!localesCompatibleResult);
 
-      void PluginSettingsService.updatePluginSettings({ defaultRoute: PLUGIN_ROUTES.UPLOAD });
+      void PluginSettingsService.updatePluginSettingsUiPrefs({ defaultRoute: PLUGIN_ROUTES.UPLOAD });
 
       setIsLoading(false);
     }
diff --git a/package-lock.json b/package-lock.json
index f6ed2fb..a3f0ce7 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "@localazy/strapi-plugin",
-  "version": "1.4.0",
+  "version": "1.5.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@localazy/strapi-plugin",
-      "version": "1.4.0",
+      "version": "1.5.0",
       "license": "MIT",
       "dependencies": {
         "jszip": "^3.10.1",
diff --git a/package.json b/package.json
index 3126e26..bf651f8 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@localazy/strapi-plugin",
-  "version": "1.4.0",
+  "version": "1.5.0",
   "description": "The official Strapi Plugin by Localazy.",
   "keywords": [
     "strapi",
diff --git a/server/src/bootstrap.ts b/server/src/bootstrap.ts
index a81f20a..893ddee 100644
--- a/server/src/bootstrap.ts
+++ b/server/src/bootstrap.ts
@@ -2,8 +2,36 @@ import type { Core } from '@strapi/strapi';
 import { Server } from 'socket.io';
 import { WebSocketServer } from 'ws';
 import { PLUGIN_NAME } from './config/core/config';
+import { LOCALAZY_RBAC_ACTIONS } from './constants/permissions';
+
+const registerRbacActions = async (strapi: Core.Strapi) => {
+  try {
+    const permissionService = strapi.service('admin::permission') as
+      | { actionProvider?: { registerMany?: (actions: unknown[]) => Promise<unknown> } }
+      | undefined;
+    const actionProvider = permissionService?.actionProvider;
+
+    if (!actionProvider?.registerMany) {
+      strapi.log.warn(
+        `[${PLUGIN_NAME}] admin::permission.actionProvider unavailable — skipping RBAC action registration`
+      );
+      return;
+    }
+
+    await actionProvider.registerMany(LOCALAZY_RBAC_ACTIONS);
+  } catch (error) {
+    // A failure here drops EVERY plugin permission from the role editor —
+    // surface it loudly. registerMany validates the whole array up-front, so
+    // one bad entry kills all four.
+    strapi.log.error(
+      `[${PLUGIN_NAME}] Failed to register RBAC actions — plugin permissions will not appear in role editor: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+};
+
+const bootstrap = async ({ strapi }: { strapi: Core.Strapi }) => {
+  await registerRbacActions(strapi);
 
-const bootstrap = ({ strapi }: { strapi: Core.Strapi }) => {
   if (strapi.plugin(PLUGIN_NAME)?.config('enableSocketIO', true)) {
     process.nextTick(async () => {
       const io = new Server(strapi.server.httpServer, {
diff --git a/server/src/constants/permissions.ts b/server/src/constants/permissions.ts
new file mode 100644
index 0000000..dd6b901
--- /dev/null
+++ b/server/src/constants/permissions.ts
@@ -0,0 +1,71 @@
+import { PLUGIN_NAME } from '../config/core/config';
+
+/**
+ * UIDs as Strapi sees them after `pluginName` is prepended by the action provider.
+ * Use these to reference permissions from route policies, admin menu/settings links
+ * and `useRBAC` calls. Renaming any UID is a breaking change for existing role grants
+ * — bumping a minor version is not enough.
+ */
+export const PERMISSION_UIDS = {
+  READ: `plugin::${PLUGIN_NAME}.read`,
+  TRANSFER: `plugin::${PLUGIN_NAME}.transfer`,
+  SETTINGS_READ: `plugin::${PLUGIN_NAME}.settings.read`,
+  SETTINGS_UPDATE: `plugin::${PLUGIN_NAME}.settings.update`,
+} as const;
+
+export type PermissionUid = (typeof PERMISSION_UIDS)[keyof typeof PERMISSION_UIDS];
+
+type ActionRecord = {
+  section: 'plugins';
+  subCategory: string;
+  pluginName: string;
+  displayName: string;
+  uid: string;
+};
+
+/**
+ * Actions registered with `strapi.service('admin::permission').actionProvider.registerMany`
+ * during bootstrap. `pluginName` is prepended as `plugin::<pluginName>.` so the resulting
+ * UIDs become the ones in `PERMISSION_UIDS` above.
+ *
+ * All four actions live under `section: 'plugins'` so they appear together in the
+ * role editor's Plugins tab under "Localazy", grouped by `subCategory`. A previous
+ * split (settings-section for the two settings.* actions) caused them to land in a
+ * different tab — admins inspecting Plugins → Localazy only saw Read + Transfer and
+ * thought the other two were missing.
+ *
+ * Strapi's @strapi/admin yup validator (a) rejects `category` on `plugins`-section
+ * entries — `category` is only valid in `settings` section — and (b) allows
+ * `subCategory` on both `plugins` and `settings`. So we use `subCategory` alone for
+ * grouping here.
+ */
+export const LOCALAZY_RBAC_ACTIONS: ActionRecord[] = [
+  {
+    section: 'plugins',
+    subCategory: 'General',
+    pluginName: PLUGIN_NAME,
+    displayName: 'Read',
+    uid: 'read',
+  },
+  {
+    section: 'plugins',
+    subCategory: 'General',
+    pluginName: PLUGIN_NAME,
+    displayName: 'Transfer',
+    uid: 'transfer',
+  },
+  {
+    section: 'plugins',
+    subCategory: 'Settings',
+    pluginName: PLUGIN_NAME,
+    displayName: 'Read settings',
+    uid: 'settings.read',
+  },
+  {
+    section: 'plugins',
+    subCategory: 'Settings',
+    pluginName: PLUGIN_NAME,
+    displayName: 'Update settings',
+    uid: 'settings.update',
+  },
+];
diff --git a/server/src/controllers/localazy-transfer-controller.ts b/server/src/controllers/localazy-transfer-controller.ts
index 13d518e..d076eb5 100644
--- a/server/src/controllers/localazy-transfer-controller.ts
+++ b/server/src/controllers/localazy-transfer-controller.ts
@@ -39,6 +39,16 @@ const LocalazyTransferController = ({ strapi }: { strapi: Core.Strapi }) => ({
       // Determine fullSync mode
       let fullSync = ctx.request.body?.fullSync === true;
 
+      // UI callers send their per-session language pick in the body so
+      // `read + transfer` users (who cannot persist to plugin-settings) can
+      // still scope the download. Only string[] is accepted; anything else
+      // falls back to the persisted `download.uiLanguages` setting.
+      const rawUiLanguages = ctx.request.body?.uiLanguages;
+      const requestedUiLanguages: string[] | undefined =
+        Array.isArray(rawUiLanguages) && rawUiLanguages.every((code) => typeof code === 'string')
+          ? (rawUiLanguages as string[])
+          : undefined;
+
       // For webhook-initiated requests, respect the webhook incremental sync setting
       const requestInitiatorHelper = new RequestInitiatorHelper(strapi);
       if (requestInitiatorHelper.isInitiatedByLocalazyWebhook()) {
@@ -57,6 +67,7 @@ const LocalazyTransferController = ({ strapi }: { strapi: Core.Strapi }) => ({
           LocalazyTransferDownloadService.download({
             notificationService: JobNotificationService,
             fullSync,
+            requestedUiLanguages,
           }),
         1000
       );
diff --git a/server/src/controllers/plugin-settings-controller.ts b/server/src/controllers/plugin-settings-controller.ts
index 64d4692..c417338 100644
--- a/server/src/controllers/plugin-settings-controller.ts
+++ b/server/src/controllers/plugin-settings-controller.ts
@@ -18,6 +18,10 @@ const PluginSettingsController = ({ strapi: _strapi }: { strapi: Core.Strapi })
     ctx.body = await getPluginSettingsService().updatePluginSettings(ctx.request.body);
   },
 
+  async updatePluginSettingsUiPrefs(ctx) {
+    ctx.body = await getPluginSettingsService().updatePluginSettingsUiPrefs(ctx.request.body);
+  },
+
   async getSyncCursor(ctx) {
     ctx.body = await getPluginSettingsService().getSyncCursor();
   },
diff --git a/server/src/routes/activity-logs-routes.ts b/server/src/routes/activity-logs-routes.ts
index 05bed8a..e307d31 100644
--- a/server/src/routes/activity-logs-routes.ts
+++ b/server/src/routes/activity-logs-routes.ts
@@ -1,12 +1,17 @@
+import { PERMISSION_UIDS } from '../constants/permissions';
+
 const ROUTE_PREFIX = '/activity-logs';
 
+const readPolicy = [{ name: 'admin::hasPermissions', config: { actions: [PERMISSION_UIDS.READ] } }];
+const transferPolicy = [{ name: 'admin::hasPermissions', config: { actions: [PERMISSION_UIDS.TRANSFER] } }];
+
 const ActivityLogsRoutes = [
   {
     method: 'GET',
     path: `${ROUTE_PREFIX}`,
     handler: 'ActivityLogsController.getSessions',
     config: {
-      policies: [],
+      policies: readPolicy,
     },
   },
   {
@@ -14,7 +19,7 @@ const ActivityLogsRoutes = [
     path: `${ROUTE_PREFIX}/export`,
     handler: 'ActivityLogsController.exportSessions',
     config: {
-      policies: [],
+      policies: readPolicy,
     },
   },
   {
@@ -22,7 +27,7 @@ const ActivityLogsRoutes = [
     path: `${ROUTE_PREFIX}/:sessionId`,
     handler: 'ActivityLogsController.getSession',
     config: {
-      policies: [],
+      policies: readPolicy,
     },
   },
   {
@@ -30,7 +35,7 @@ const ActivityLogsRoutes = [
     path: `${ROUTE_PREFIX}`,
     handler: 'ActivityLogsController.clearSessions',
     config: {
-      policies: [],
+      policies: transferPolicy,
     },
   },
 ];
diff --git a/server/src/routes/debug-bundle-routes.ts b/server/src/routes/debug-bundle-routes.ts
index 7a0e211..afdc383 100644
--- a/server/src/routes/debug-bundle-routes.ts
+++ b/server/src/routes/debug-bundle-routes.ts
@@ -1,10 +1,14 @@
+import { PERMISSION_UIDS } from '../constants/permissions';
+
+const readPolicy = [{ name: 'admin::hasPermissions', config: { actions: [PERMISSION_UIDS.READ] } }];
+
 const DebugBundleRoutes = [
   {
     method: 'GET',
     path: '/activity-logs/:sessionId/bundle',
     handler: 'DebugBundleController.getBundle',
     config: {
-      policies: [],
+      policies: readPolicy,
     },
   },
 ];
diff --git a/server/src/routes/entry-exclusion-routes.ts b/server/src/routes/entry-exclusion-routes.ts
index da0eb04..785bcf8 100644
--- a/server/src/routes/entry-exclusion-routes.ts
+++ b/server/src/routes/entry-exclusion-routes.ts
@@ -1,12 +1,17 @@
+import { PERMISSION_UIDS } from '../constants/permissions';
+
 const ROUTE_PREFIX = '/entry-exclusion';
 
+const readPolicy = [{ name: 'admin::hasPermissions', config: { actions: [PERMISSION_UIDS.READ] } }];
+const transferPolicy = [{ name: 'admin::hasPermissions', config: { actions: [PERMISSION_UIDS.TRANSFER] } }];
+
 const EntryExclusionRoutes = [
   {
     method: 'GET',
     path: `${ROUTE_PREFIX}/:contentType/:documentId`,
     handler: 'EntryExclusionController.getEntryExclusion',
     config: {
-      policies: [],
+      policies: readPolicy,
     },
   },
   {
@@ -14,7 +19,7 @@ const EntryExclusionRoutes = [
     path: `${ROUTE_PREFIX}/:contentType/:documentId`,
     handler: 'EntryExclusionController.setEntryExclusion',
     config: {
-      policies: [],
+      policies: transferPolicy,
     },
   },
   {
@@ -22,7 +27,7 @@ const EntryExclusionRoutes = [
     path: `${ROUTE_PREFIX}/:contentType`,
     handler: 'EntryExclusionController.getContentTypeExclusions',
     config: {
-      policies: [],
+      policies: readPolicy,
     },
   },
 ];
diff --git a/server/src/routes/index.ts b/server/src/routes/index.ts
index b4ebd36..15f194a 100644
--- a/server/src/routes/index.ts
+++ b/server/src/routes/index.ts
@@ -9,9 +9,20 @@ import EntryExclusionRoutes from './entry-exclusion-routes';
 import ActivityLogsRoutes from './activity-logs-routes';
 import DebugBundleRoutes from './debug-bundle-routes';
 
+type AdminRoute = (typeof StrapiRoutes)[number];
+
+// StrapiRoutes is also exposed under the content-api group (API-token auth, no admin
+// userAbility on ctx.state). Strip the admin policies for that copy so existing
+// content-api callers keep working unchanged.
+const withoutAdminPolicies = (routes: AdminRoute[]): AdminRoute[] =>
+  routes.map((route) => ({
+    ...route,
+    config: { ...route.config, policies: [] },
+  }));
+
 export default {
   'content-api': {
-    routes: [...StrapiRoutes],
+    routes: withoutAdminPolicies(StrapiRoutes),
   },
   admin: {
     type: 'admin',
diff --git a/server/src/routes/localazy-auth-routes.ts b/server/src/routes/localazy-auth-routes.ts
index 7c12659..ec86346 100644
--- a/server/src/routes/localazy-auth-routes.ts
+++ b/server/src/routes/localazy-auth-routes.ts
@@ -1,12 +1,18 @@
+import { PERMISSION_UIDS } from '../constants/permissions';
+
 const ROUTE_PREFIX = '/auth';
 
+const settingsUpdatePolicy = [
+  { name: 'admin::hasPermissions', config: { actions: [PERMISSION_UIDS.SETTINGS_UPDATE] } },
+];
+
 const LocalazyAuthRoutes = [
   {
     method: 'GET',
     path: `${ROUTE_PREFIX}/generate-keys`,
     handler: 'LocalazyAuthController.generateKeys',
     config: {
-      policies: [],
+      policies: settingsUpdatePolicy,
     },
   },
   {
@@ -14,7 +20,7 @@ const LocalazyAuthRoutes = [
     path: `${ROUTE_PREFIX}/continuous-poll`,
     handler: 'LocalazyAuthController.continuousPoll',
     config: {
-      policies: [],
+      policies: settingsUpdatePolicy,
     },
   },
 ];
diff --git a/server/src/routes/localazy-project-routes.ts b/server/src/routes/localazy-project-routes.ts
index 804847d..65af7ce 100644
--- a/server/src/routes/localazy-project-routes.ts
+++ b/server/src/routes/localazy-project-routes.ts
@@ -1,12 +1,19 @@
+import { PERMISSION_UIDS } from '../constants/permissions';
+
 const ROUTE_PREFIX = '/project';
 
+const readPolicy = [{ name: 'admin::hasPermissions', config: { actions: [PERMISSION_UIDS.READ] } }];
+const settingsUpdatePolicy = [
+  { name: 'admin::hasPermissions', config: { actions: [PERMISSION_UIDS.SETTINGS_UPDATE] } },
+];
+
 const LocalazyProjectRoutes = [
   {
     method: 'GET',
     path: `${ROUTE_PREFIX}`,
     handler: 'LocalazyProjectController.getConnectedProject',
     config: {
-      policies: [],
+      policies: readPolicy,
     },
   },
   {
@@ -14,7 +21,7 @@ const LocalazyProjectRoutes = [
     path: `${ROUTE_PREFIX}/webhooks`,
     handler: 'LocalazyProjectController.getWebhookStatus',
     config: {
-      policies: [],
+      policies: readPolicy,
     },
   },
   {
@@ -22,7 +29,7 @@ const LocalazyProjectRoutes = [
     path: `${ROUTE_PREFIX}/webhooks/setup`,
     handler: 'LocalazyProjectController.setupWebhook',
     config: {
-      policies: [],
+      policies: settingsUpdatePolicy,
     },
   },
   {
@@ -30,7 +37,7 @@ const LocalazyProjectRoutes = [
     path: `${ROUTE_PREFIX}/strapi-url`,
     handler: 'LocalazyProjectController.getStrapiUrl',
     config: {
-      policies: [],
+      policies: readPolicy,
     },
   },
 ];
diff --git a/server/src/routes/localazy-transfer-routes.ts b/server/src/routes/localazy-transfer-routes.ts
index 0170c87..514acaa 100644
--- a/server/src/routes/localazy-transfer-routes.ts
+++ b/server/src/routes/localazy-transfer-routes.ts
@@ -1,12 +1,16 @@
+import { PERMISSION_UIDS } from '../constants/permissions';
+
 const ROUTE_PREFIX = '/transfer';
 
+const transferPolicy = [{ name: 'admin::hasPermissions', config: { actions: [PERMISSION_UIDS.TRANSFER] } }];
+
 const LocalazyTransferRoutes = [
   {
     method: 'POST',
     path: `${ROUTE_PREFIX}/upload`,
     handler: 'LocalazyTransferController.upload',
     config: {
-      policies: [],
+      policies: transferPolicy,
     },
   },
   {
@@ -14,7 +18,7 @@ const LocalazyTransferRoutes = [
     path: `${ROUTE_PREFIX}/download`,
     handler: 'LocalazyTransferController.download',
     config: {
-      policies: [],
+      policies: transferPolicy,
     },
   },
 ];
diff --git a/server/src/routes/localazy-user-routes.ts b/server/src/routes/localazy-user-routes.ts
index 9ada597..f6891af 100644
--- a/server/src/routes/localazy-user-routes.ts
+++ b/server/src/routes/localazy-user-routes.ts
@@ -1,12 +1,19 @@
+import { PERMISSION_UIDS } from '../constants/permissions';
+
 const ROUTE_PREFIX = '/user';
 
+const readPolicy = [{ name: 'admin::hasPermissions', config: { actions: [PERMISSION_UIDS.READ] } }];
+const settingsUpdatePolicy = [
+  { name: 'admin::hasPermissions', config: { actions: [PERMISSION_UIDS.SETTINGS_UPDATE] } },
+];
+
 const LocalazyUserRoutes = [
   {
     method: 'GET',
     path: `${ROUTE_PREFIX}`,
     handler: 'LocalazyUserController.getUser',
     config: {
-      policies: [],
+      policies: readPolicy,
     },
   },
   {
@@ -14,7 +21,7 @@ const LocalazyUserRoutes = [
     path: `${ROUTE_PREFIX}`,
     handler: 'LocalazyUserController.updateUser',
     config: {
-      policies: [],
+      policies: settingsUpdatePolicy,
     },
   },
   {
@@ -22,7 +29,7 @@ const LocalazyUserRoutes = [
     path: `${ROUTE_PREFIX}`,
     handler: 'LocalazyUserController.deleteUser',
     config: {
-      policies: [],
+      policies: settingsUpdatePolicy,
     },
   },
 ];
diff --git a/server/src/routes/plugin-settings-routes.ts b/server/src/routes/plugin-settings-routes.ts
index e3dc015..1f45d4d 100644
--- a/server/src/routes/plugin-settings-routes.ts
+++ b/server/src/routes/plugin-settings-routes.ts
@@ -1,12 +1,23 @@
+import { PERMISSION_UIDS } from '../constants/permissions';
+
 const ROUTE_PREFIX = '/plugin-settings';
 
+const readPolicy = [{ name: 'admin::hasPermissions', config: { actions: [PERMISSION_UIDS.READ] } }];
+const settingsUpdatePolicy = [
+  { name: 'admin::hasPermissions', config: { actions: [PERMISSION_UIDS.SETTINGS_UPDATE] } },
+];
+
 const PluginSettingsRoutes = [
   {
     method: 'GET',
     path: `${ROUTE_PREFIX}/content-transfer-setup`,
     handler: 'PluginSettingsController.getContentTransferSetup',
     config: {
-      policies: [],
+      // Upload/Download pages call this to detect "model changed" before
+      // transferring. Gating on `settings.read` would lock transfer-only
+      // roles out of the transfer pages, so the read is open to any plugin
+      // user. The destructive PUT below stays on `settings.update`.
+      policies: readPolicy,
     },
   },
   {
@@ -14,7 +25,7 @@ const PluginSettingsRoutes = [
     path: `${ROUTE_PREFIX}/content-transfer-setup`,
     handler: 'PluginSettingsController.updateContentTransferSetup',
     config: {
-      policies: [],
+      policies: settingsUpdatePolicy,
     },
   },
   {
@@ -22,7 +33,7 @@ const PluginSettingsRoutes = [
     path: `${ROUTE_PREFIX}/plugin-settings`,
     handler: 'PluginSettingsController.getPluginSettings',
     config: {
-      policies: [],
+      policies: readPolicy,
     },
   },
   {
@@ -30,7 +41,20 @@ const PluginSettingsRoutes = [
     path: `${ROUTE_PREFIX}/plugin-settings`,
     handler: 'PluginSettingsController.updatePluginSettings',
     config: {
-      policies: [],
+      // Persists destructive Global Settings (webhookConfig, download.*, upload.*).
+      // UI-pref-only writes use `PUT /plugin-settings/ui-prefs` (read-gated) below.
+      policies: settingsUpdatePolicy,
+    },
+  },
+  {
+    method: 'PUT',
+    path: `${ROUTE_PREFIX}/ui-prefs`,
+    handler: 'PluginSettingsController.updatePluginSettingsUiPrefs',
+    config: {
+      // Per-user UI state (last visited route, sort prefs). Service-side filters
+      // the body to a fixed allowlist so a `read`-only caller cannot reach the
+      // destructive fields that share the same plugin-settings store.
+      policies: readPolicy,
     },
   },
   {
@@ -38,7 +62,7 @@ const PluginSettingsRoutes = [
     path: `${ROUTE_PREFIX}/sync-cursor`,
     handler: 'PluginSettingsController.getSyncCursor',
     config: {
-      policies: [],
+      policies: readPolicy,
     },
   },
 ];
diff --git a/server/src/routes/strapi-routes.ts b/server/src/routes/strapi-routes.ts
index 688d988..da04c85 100644
--- a/server/src/routes/strapi-routes.ts
+++ b/server/src/routes/strapi-routes.ts
@@ -1,12 +1,19 @@
+import { PERMISSION_UIDS } from '../constants/permissions';
+
 const ROUTE_PREFIX = '/strapi';
 
+const readPolicy = [{ name: 'admin::hasPermissions', config: { actions: [PERMISSION_UIDS.READ] } }];
+const settingsUpdatePolicy = [
+  { name: 'admin::hasPermissions', config: { actions: [PERMISSION_UIDS.SETTINGS_UPDATE] } },
+];
+
 const StrapiRoutes = [
   {
     method: 'GET',
     path: `${ROUTE_PREFIX}/models`,
     handler: 'StrapiController.getModels',
     config: {
-      policies: [],
+      policies: readPolicy,
     },
   },
   {
@@ -14,7 +21,7 @@ const StrapiRoutes = [
     path: `${ROUTE_PREFIX}/localizable-models`,
     handler: 'StrapiController.getLocalizableModels',
     config: {
-      policies: [],
+      policies: readPolicy,
     },
   },
   {
@@ -22,7 +29,7 @@ const StrapiRoutes = [
     path: `${ROUTE_PREFIX}/lifecycle/localazy-webhooks`,
     handler: 'StrapiController.postLifecycleLocalazyWebhooks',
     config: {
-      policies: [],
+      policies: settingsUpdatePolicy,
     },
   },
   {
@@ -30,7 +37,7 @@ const StrapiRoutes = [
     path: `${ROUTE_PREFIX}/version`,
     handler: 'StrapiController.getPluginVersion',
     config: {
-      policies: [],
+      policies: readPolicy,
     },
   },
 ];
diff --git a/server/src/services/localazy-transfer-download-service.ts b/server/src/services/localazy-transfer-download-service.ts
index 35b3fbe..f1f685b 100644
--- a/server/src/services/localazy-transfer-download-service.ts
+++ b/server/src/services/localazy-transfer-download-service.ts
@@ -26,7 +26,10 @@ import { Language, Locales } from '@localazy/api-client';
 import { SyncCursor } from '../db/model/sync-cursor';
 import { JobNotificationServiceType } from './helpers/job-notification-service';
 
-const getFilteredLanguagesCodesForDownload = async (languagesCodes: string[]): Promise<string[]> => {
+const getFilteredLanguagesCodesForDownload = async (
+  languagesCodes: string[],
+  requestedUiLanguages?: string[]
+): Promise<string[]> => {
   const pluginSettingsServiceHelper = new PluginSettingsServiceHelper();
   const requestInitiatorHelper = new RequestInitiatorHelper(strapi);
   await pluginSettingsServiceHelper.setup();
@@ -35,8 +38,10 @@ const getFilteredLanguagesCodesForDownload = async (languagesCodes: string[]): P
     // called by a webhook
     localLanguagesCodes = pluginSettingsServiceHelper.getWebhookLanguagesCodes();
   } else if (requestInitiatorHelper.isInitiatedByLocalazyPluginUI()) {
-    // called by a user from the UI
-    localLanguagesCodes = pluginSettingsServiceHelper.getUiLanguagesCodes();
+    // called by a user from the UI — prefer the per-request pick over the
+    // persisted `download.uiLanguages` so `read + transfer` users (who cannot
+    // write that field) can still scope their download.
+    localLanguagesCodes = requestedUiLanguages ?? pluginSettingsServiceHelper.getUiLanguagesCodes();
   } else {
     strapi.log.warn('Called by an unknown initiator.');
     return languagesCodes;
@@ -53,9 +58,11 @@ const LocalazyTransferDownloadService = ({ strapi }: { strapi: Core.Strapi }) =>
   async download({
     notificationService,
     fullSync = false,
+    requestedUiLanguages,
   }: {
     notificationService: JobNotificationServiceType;
     fullSync?: boolean;
+    requestedUiLanguages?: string[];
   }) {
     console.time('download');
     const syncMode = fullSync ? 'Full sync' : 'Incremental sync';
@@ -160,7 +167,7 @@ const LocalazyTransferDownloadService = ({ strapi }: { strapi: Core.Strapi }) =>
      */
     let languagesCodes = projectLanguagesWithoutSourceLanguage.map((language) => language.code);
     // process filtered languages only / keep all if empty!
-    languagesCodes = await getFilteredLanguagesCodesForDownload(languagesCodes);
+    languagesCodes = await getFilteredLanguagesCodesForDownload(languagesCodes, requestedUiLanguages);
 
     /**
      * Iterate over languages and create the ones that are not present in Strapi
diff --git a/server/src/services/plugin-settings-service.ts b/server/src/services/plugin-settings-service.ts
index 1ad2c18..e7a3b71 100644
--- a/server/src/services/plugin-settings-service.ts
+++ b/server/src/services/plugin-settings-service.ts
@@ -5,6 +5,12 @@ import { KEY as PLUGIN_SETTINGS_KEY, PluginSettings, emptyPluginSettings } from
 import { KEY as SYNC_CURSOR_KEY, SyncCursor, emptySyncCursor } from '../db/model/sync-cursor';
 import getStrapiStore from '../db/model/utils/get-strapi-store';
 import { ContentTransferSetup } from '../models/plugin/content-transfer-setup';
+
+// Fields settable via the `read`-gated UI-prefs endpoint. Anything outside this
+// allowlist must go through `updatePluginSettings` (gated by `settings.update`).
+const UI_PREF_FIELDS = ['defaultRoute', 'activityLogsSort'] as const;
+type UiPrefField = (typeof UI_PREF_FIELDS)[number];
+export type PluginSettingsUiPrefs = Partial<Pick<PluginSettings, UiPrefField>>;
 const PluginSettingsService = ({ strapi }: { strapi: Core.Strapi }) => ({
   async getContentTransferSetup(): Promise<ContentTransferSetup> {
     const pluginStore = getStrapiStore(strapi);
@@ -51,6 +57,22 @@ const PluginSettingsService = ({ strapi }: { strapi: Core.Strapi }) => ({
     return newSettings;
   },
 
+  // Counterpart to `updatePluginSettings` for the `read`-gated UI-prefs route.
+  // Drops any field outside `UI_PREF_FIELDS` server-side so a `read`-only caller
+  // cannot reach `webhookConfig` / `download.*` / `upload.*` via the merge.
+  async updatePluginSettingsUiPrefs(prefs: PluginSettingsUiPrefs): Promise<PluginSettings> {
+    const sanitized: PluginSettingsUiPrefs = {};
+    if (prefs && typeof prefs === 'object') {
+      for (const field of UI_PREF_FIELDS) {
+        if (field in prefs) {
+          (sanitized as Record<string, unknown>)[field] = (prefs as Record<string, unknown>)[field];
+        }
+      }
+    }
+
+    return this.updatePluginSettings(sanitized);
+  },
+
   async getSyncCursor(): Promise<SyncCursor> {
     const pluginStore = getStrapiStore(strapi);
     const cursor = (await pluginStore.get({ key: SYNC_CURSOR_KEY })) as SyncCursor;
diff --git a/server/src/utils/__tests__/permissions.test.ts b/server/src/utils/__tests__/permissions.test.ts
new file mode 100644
index 0000000..301b6c8
--- /dev/null
+++ b/server/src/utils/__tests__/permissions.test.ts
@@ -0,0 +1,76 @@
+import { LOCALAZY_RBAC_ACTIONS, PERMISSION_UIDS } from '../../constants/permissions';
+
+describe('Localazy RBAC permission registry', () => {
+  it('exposes a stable UID for each persona-level action', () => {
+    // Renaming any of these UIDs is a breaking change for existing role grants.
+    expect(PERMISSION_UIDS).toEqual({
+      READ: 'plugin::localazy.read',
+      TRANSFER: 'plugin::localazy.transfer',
+      SETTINGS_READ: 'plugin::localazy.settings.read',
+      SETTINGS_UPDATE: 'plugin::localazy.settings.update',
+    });
+  });
+
+  it('snapshots the action records registered with admin::permission.actionProvider', () => {
+    expect(LOCALAZY_RBAC_ACTIONS).toMatchInlineSnapshot(`
+[
+  {
+    "displayName": "Read",
+    "pluginName": "localazy",
+    "section": "plugins",
+    "subCategory": "General",
+    "uid": "read",
+  },
+  {
+    "displayName": "Transfer",
+    "pluginName": "localazy",
+    "section": "plugins",
+    "subCategory": "General",
+    "uid": "transfer",
+  },
+  {
+    "displayName": "Read settings",
+    "pluginName": "localazy",
+    "section": "plugins",
+    "subCategory": "Settings",
+    "uid": "settings.read",
+  },
+  {
+    "displayName": "Update settings",
+    "pluginName": "localazy",
+    "section": "plugins",
+    "subCategory": "Settings",
+    "uid": "settings.update",
+  },
+]
+`);
+  });
+
+  it('declares every action under the localazy plugin namespace', () => {
+    for (const action of LOCALAZY_RBAC_ACTIONS) {
+      expect(action.pluginName).toBe('localazy');
+      expect(action.section).toBe('plugins');
+      expect(action.uid).not.toMatch(/^plugin::/);
+    }
+  });
+
+  // Strapi's @strapi/admin yup schema rejects `category` on `plugins`-section
+  // entries and registerMany() validates the full array up-front — a single
+  // mis-shaped entry silently drops ALL of our permissions from the role editor.
+  // Keeping every action in `plugins` (with `subCategory` for grouping, no
+  // `category` field) sidesteps the rejection and keeps all four visible in the
+  // Plugins tab of the role editor under "Localazy".
+  it('matches the Strapi action-provider plugins-section invariants', () => {
+    for (const action of LOCALAZY_RBAC_ACTIONS) {
+      expect(action.section).toBe('plugins');
+      expect(action).not.toHaveProperty('category');
+      expect(action.subCategory).toBeTruthy();
+    }
+  });
+
+  it('exposes one action record per persona UID', () => {
+    const concreteUids = LOCALAZY_RBAC_ACTIONS.map((a) => `plugin::${a.pluginName}.${a.uid}`).sort();
+    const expectedUids = Object.values(PERMISSION_UIDS).slice().sort();
+    expect(concreteUids).toEqual(expectedUids);
+  });
+});
diff --git a/server/src/utils/__tests__/plugin-settings-service.ui-prefs.test.ts b/server/src/utils/__tests__/plugin-settings-service.ui-prefs.test.ts
new file mode 100644
index 0000000..883be09
--- /dev/null
+++ b/server/src/utils/__tests__/plugin-settings-service.ui-prefs.test.ts
@@ -0,0 +1,84 @@
+import type { Core } from '@strapi/strapi';
+import PluginSettingsService from '../../services/plugin-settings-service';
+import { KEY as PLUGIN_SETTINGS_KEY } from '../../db/model/plugin-settings';
+
+type StoredValue = Record<string, unknown> | null;
+
+const buildFakeStrapi = (initial: StoredValue = null) => {
+  let state: StoredValue = initial ? JSON.parse(JSON.stringify(initial)) : null;
+  const store = {
+    get: async ({ key }: { key: string }) => (key === PLUGIN_SETTINGS_KEY ? state : null),
+    set: async ({ key, value }: { key: string; value: unknown }) => {
+      if (key === PLUGIN_SETTINGS_KEY) {
+        state = JSON.parse(JSON.stringify(value));
+      }
+    },
+  };
+  const strapi = {
+    store: () => store,
+    log: { warn: jest.fn(), info: jest.fn(), error: jest.fn() },
+  } as unknown as Core.Strapi;
+  return { strapi, getState: () => state };
+};
+
+describe('plugin-settings-service.updatePluginSettingsUiPrefs — read-gated allowlist', () => {
+  it('keeps allowlisted fields (defaultRoute, activityLogsSort) and merges with existing settings', async () => {
+    const { strapi, getState } = buildFakeStrapi({
+      defaultRoute: '/upload',
+      webhookConfig: { url: 'https://example/webhook' },
+    });
+    const service = PluginSettingsService({ strapi });
+
+    await service.updatePluginSettingsUiPrefs({
+      defaultRoute: '/download',
+      activityLogsSort: { download: { key: 'startedAt', direction: 'desc' } },
+    });
+
+    expect(getState()).toEqual({
+      // allowlisted writes applied
+      defaultRoute: '/download',
+      activityLogsSort: { download: { key: 'startedAt', direction: 'desc' } },
+      // pre-existing destructive fields untouched (merge, not overwrite)
+      webhookConfig: { url: 'https://example/webhook' },
+    });
+  });
+
+  it('drops every field outside the allowlist (cannot reach destructive settings)', async () => {
+    const { strapi, getState } = buildFakeStrapi({
+      defaultRoute: '/upload',
+      webhookConfig: { url: 'https://example/webhook' },
+    });
+    const service = PluginSettingsService({ strapi });
+
+    // Crafted payload mixing one allowlisted field with destructive ones a
+    // `read`-only caller must not be able to write through this route.
+    await service.updatePluginSettingsUiPrefs({
+      defaultRoute: '/download',
+      // The cast mirrors the kind of payload a hand-crafted request would send;
+      // the service must drop these even though TS would normally reject them.
+      ...({
+        webhookConfig: { url: 'https://attacker/webhook' },
+        download: { uiLanguages: ['xx'], webhookLanguages: ['xx'] },
+        upload: { allowAutomated: true },
+      } as object),
+    } as Parameters<typeof service.updatePluginSettingsUiPrefs>[0]);
+
+    expect(getState()).toEqual({
+      defaultRoute: '/download',
+      webhookConfig: { url: 'https://example/webhook' },
+    });
+  });
+
+  it('ignores non-object input rather than wiping settings', async () => {
+    const seed = { defaultRoute: '/upload' };
+    const { strapi, getState } = buildFakeStrapi(seed);
+    const service = PluginSettingsService({ strapi });
+
+    for (const bogus of [null, undefined, 'string', 42, true]) {
+      // Hand-crafted payloads can arrive as primitives; the service must
+      // treat them as an empty allowlisted patch and leave state untouched.
+      await service.updatePluginSettingsUiPrefs(bogus as never);
+      expect(getState()).toEqual(seed);
+    }
+  });
+});
diff --git a/server/src/utils/__tests__/routes.permissions.test.ts b/server/src/utils/__tests__/routes.permissions.test.ts
new file mode 100644
index 0000000..a4593da
--- /dev/null
+++ b/server/src/utils/__tests__/routes.permissions.test.ts
@@ -0,0 +1,112 @@
+import routes from '../../routes';
+import { PERMISSION_UIDS } from '../../constants/permissions';
+
+type AdminRoute = {
+  method: string;
+  path: string;
+  handler: string;
+  config: { policies: Array<{ name: string; config?: { actions?: string[] } }> };
+};
+
+const adminRoutes = routes.admin.routes as unknown as AdminRoute[];
+const contentApiRoutes = routes['content-api'].routes as unknown as AdminRoute[];
+const publicRoutes = routes.LocalazyPublicTransferRoutes.routes as unknown as Array<
+  AdminRoute & { config: { auth?: boolean; middlewares?: string[] } }
+>;
+
+// Source-of-truth mapping. Keep aligned with the route → action table in the
+// LOC-7 plan; any change here is a breaking change for existing role grants.
+const EXPECTED_ROUTE_ACTIONS: Record<string, string> = {
+  // strapi-routes
+  'GET /strapi/models': PERMISSION_UIDS.READ,
+  'GET /strapi/localizable-models': PERMISSION_UIDS.READ,
+  'POST /strapi/lifecycle/localazy-webhooks': PERMISSION_UIDS.SETTINGS_UPDATE,
+  'GET /strapi/version': PERMISSION_UIDS.READ,
+  // localazy-auth-routes
+  'GET /auth/generate-keys': PERMISSION_UIDS.SETTINGS_UPDATE,
+  'GET /auth/continuous-poll': PERMISSION_UIDS.SETTINGS_UPDATE,
+  // localazy-user-routes
+  'GET /user': PERMISSION_UIDS.READ,
+  'PUT /user': PERMISSION_UIDS.SETTINGS_UPDATE,
+  'DELETE /user': PERMISSION_UIDS.SETTINGS_UPDATE,
+  // localazy-project-routes
+  'GET /project': PERMISSION_UIDS.READ,
+  'GET /project/webhooks': PERMISSION_UIDS.READ,
+  'POST /project/webhooks/setup': PERMISSION_UIDS.SETTINGS_UPDATE,
+  'GET /project/strapi-url': PERMISSION_UIDS.READ,
+  // localazy-transfer-routes
+  'POST /transfer/upload': PERMISSION_UIDS.TRANSFER,
+  'POST /transfer/download': PERMISSION_UIDS.TRANSFER,
+  // plugin-settings-routes
+  // GET is `read` (not `settings.read`) so transfer-only roles can still open
+  // Upload/Download (they call this to detect "model changed"). The PUT below
+  // remains `settings.update`-gated.
+  'GET /plugin-settings/content-transfer-setup': PERMISSION_UIDS.READ,
+  'PUT /plugin-settings/content-transfer-setup': PERMISSION_UIDS.SETTINGS_UPDATE,
+  'GET /plugin-settings/plugin-settings': PERMISSION_UIDS.READ,
+  'PUT /plugin-settings/plugin-settings': PERMISSION_UIDS.SETTINGS_UPDATE,
+  'PUT /plugin-settings/ui-prefs': PERMISSION_UIDS.READ,
+  'GET /plugin-settings/sync-cursor': PERMISSION_UIDS.READ,
+  // entry-exclusion-routes
+  'GET /entry-exclusion/:contentType/:documentId': PERMISSION_UIDS.READ,
+  'PUT /entry-exclusion/:contentType/:documentId': PERMISSION_UIDS.TRANSFER,
+  'GET /entry-exclusion/:contentType': PERMISSION_UIDS.READ,
+  // activity-logs-routes
+  'GET /activity-logs': PERMISSION_UIDS.READ,
+  'GET /activity-logs/export': PERMISSION_UIDS.READ,
+  'GET /activity-logs/:sessionId': PERMISSION_UIDS.READ,
+  'DELETE /activity-logs': PERMISSION_UIDS.TRANSFER,
+  // debug-bundle-routes
+  'GET /activity-logs/:sessionId/bundle': PERMISSION_UIDS.READ,
+};
+
+const keyOf = (route: AdminRoute) => `${route.method} ${route.path}`;
+
+describe('admin routes — admin::hasPermissions wiring', () => {
+  it('declares every admin route in the expected action mapping', () => {
+    const declared = adminRoutes.map(keyOf).sort();
+    const expected = Object.keys(EXPECTED_ROUTE_ACTIONS).sort();
+    // Any new admin route MUST be added to EXPECTED_ROUTE_ACTIONS so reviewers
+    // see a deliberate permission choice in the diff.
+    expect(declared).toEqual(expected);
+  });
+
+  it('gates every admin route with admin::hasPermissions + the expected action UID', () => {
+    for (const route of adminRoutes) {
+      const key = keyOf(route);
+      const expectedAction = EXPECTED_ROUTE_ACTIONS[key];
+      const policies = route.config.policies ?? [];
+      expect({ key, policies }).toEqual({
+        key,
+        policies: [
+          {
+            name: 'admin::hasPermissions',
+            config: { actions: [expectedAction] },
+          },
+        ],
+      });
+    }
+  });
+});
+
+describe('content-api routes — left unprotected by admin::hasPermissions', () => {
+  it('strips admin policies so API-token callers still work', () => {
+    // The route file ships with admin policies, but the content-api group
+    // gets a cloned copy with `policies: []` so API-token auth (which has no
+    // ctx.state.userAbility) keeps working unchanged.
+    for (const route of contentApiRoutes) {
+      expect(route.config.policies).toEqual([]);
+    }
+  });
+});
+
+describe('public webhook route — unchanged', () => {
+  it('stays signature-verified rather than RBAC-gated', () => {
+    expect(publicRoutes).toHaveLength(1);
+    const [route] = publicRoutes;
+    expect(route.path).toBe('/public/transfer/download');
+    expect(route.config.auth).toBe(false);
+    expect(route.config.middlewares).toEqual(['plugin::localazy.verifyWebhook']);
+    expect(route.config.policies).toEqual([]);
+  });
+});