From aac3168c802c4e38ac65446cc7a66ff11542a2c9 Mon Sep 17 00:00:00 2001
From: Akhil Mohan <akhilmhdh@gmail.com>
Date: Sat, 19 Aug 2023 15:18:48 +0530
Subject: [PATCH] feat(rbac): implemented granular blocking of actions based on
 permissions on org level ui

---
 .../controllers/v1/organizationController.ts  |   2 +-
 .../permissions/OrgPermissionCan.tsx          |  50 ++
 frontend/src/components/permissions/index.tsx |   1 +
 .../OrgPermissionContext.tsx                  |  10 +-
 .../context/OrgPermissionContext/index.tsx    |   6 +
 .../src/context/OrgPermissionContext/types.ts |  22 +-
 frontend/src/context/index.tsx                |   8 +-
 frontend/src/hoc/index.tsx                    |   1 +
 frontend/src/hoc/withPermission/index.tsx     |   1 +
 .../src/hoc/withPermission/withPermission.tsx |  62 ++
 frontend/src/pages/org/[id]/billing/index.tsx |  35 +-
 .../src/pages/org/[id]/overview/index.tsx     | 622 +++++++++---------
 .../pages/org/[id]/secret-scanning/index.tsx  | 176 +++--
 .../src/views/Org/MembersPage/MembersPage.tsx |  82 +--
 .../OrgMembersTable/OrgMembersTable.tsx       | 175 +++--
 .../BillingPermission.tsx                     |  10 +-
 .../IncidentContactPermission.tsx             |  14 +-
 .../OrgRoleModifySection/MemberPermission.tsx |  17 +-
 .../OrgRoleModifySection/RolePermission.tsx   |  21 +-
 .../SecretScanningPermission.tsx              |  13 +-
 .../SettingsPermission.tsx                    |  13 +-
 .../OrgRoleModifySection/SsoPermission.tsx    |  13 +-
 .../WorkspacePermission.tsx                   |  10 +-
 .../components/RiskStatusSelection.tsx        |  65 +-
 .../BillingCloudTab/PreviewSection.tsx        | 251 +++----
 .../BillingDetailsTab/CompanyNameSection.tsx  | 168 +++--
 .../BillingDetailsTab/InvoiceEmailSection.tsx | 162 +++--
 .../BillingDetailsTab/PmtMethodsSection.tsx   |  77 +--
 .../BillingDetailsTab/PmtMethodsTable.tsx     |  31 +-
 .../BillingDetailsTab/TaxIDSection.tsx        |  58 +-
 .../BillingDetailsTab/TaxIDTable.tsx          |  31 +-
 .../BillingTabGroup/BillingTabGroup.tsx       |  84 +--
 .../components/OrgAuthTab/OrgAuthTab.tsx      |  16 +-
 .../components/OrgAuthTab/OrgSSOSection.tsx   | 248 +++----
 .../OrgGeneralTab/OrgGeneralTab.tsx           |  18 +-
 .../AddOrgIncidentContactModal.tsx            | 173 +++--
 .../OrgIncidentContactsSection.tsx            |  65 +-
 .../OrgIncidentContactsTable.tsx              |  23 +-
 .../OrgNameChangeSection.tsx                  | 112 ++--
 .../OrgServiceAccountsTable.tsx               | 593 +++++++++--------
 .../components/OrgTabGroup/OrgTabGroup.tsx    |  89 +--
 41 files changed, 1984 insertions(+), 1644 deletions(-)
 create mode 100644 frontend/src/components/permissions/OrgPermissionCan.tsx
 create mode 100644 frontend/src/components/permissions/index.tsx
 create mode 100644 frontend/src/hoc/index.tsx
 create mode 100644 frontend/src/hoc/withPermission/index.tsx
 create mode 100644 frontend/src/hoc/withPermission/withPermission.tsx

diff --git a/backend/src/controllers/v1/organizationController.ts b/backend/src/controllers/v1/organizationController.ts
index f34d6eec..4bad1db2 100644
--- a/backend/src/controllers/v1/organizationController.ts
+++ b/backend/src/controllers/v1/organizationController.ts
@@ -292,7 +292,7 @@ export const createOrganizationPortalSession = async (req: Request, res: Respons
 
   const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
   ForbiddenError.from(permission).throwUnlessCan(
-    GeneralPermissionActions.Create,
+    GeneralPermissionActions.Edit,
     OrgPermissionSubjects.Billing
   );
 
diff --git a/frontend/src/components/permissions/OrgPermissionCan.tsx b/frontend/src/components/permissions/OrgPermissionCan.tsx
new file mode 100644
index 00000000..0bfb44f7
--- /dev/null
+++ b/frontend/src/components/permissions/OrgPermissionCan.tsx
@@ -0,0 +1,50 @@
+import { FunctionComponent, ReactNode } from "react";
+import { BoundCanProps, Can } from "@casl/react";
+
+import {
+  OrgPermissionSubjects,
+  OrgWorkspacePermissionActions,
+  TOrgPermission,
+  useOrgPermission
+} from "@app/context/OrgPermissionContext";
+
+import { Tooltip } from "../v2";
+
+type Props = {
+  label?: ReactNode;
+} & BoundCanProps<TOrgPermission>;
+
+export const OrgPermissionCan: FunctionComponent<Props> = ({
+  label = "Permission Denied. Kindly contact your org admin",
+  children,
+  passThrough = true,
+  ...props
+}) => {
+  const permission = useOrgPermission();
+
+  return (
+    <Can
+      {...props}
+      passThrough={passThrough}
+      ability={props?.ability || permission}
+      I={OrgWorkspacePermissionActions.Read}
+      a={OrgPermissionSubjects.Sso}
+    >
+      {(isAllowed, ability) => {
+        // akhilmhdh: This is set as type due to error in casl react type.
+        const finalChild =
+          typeof children === "function"
+            ? children(isAllowed, ability as TOrgPermission)
+            : children;
+
+        if (!isAllowed && passThrough) {
+          return <Tooltip content={label}>{finalChild}</Tooltip>;
+        }
+
+        if (!isAllowed) return null;
+
+        return finalChild;
+      }}
+    </Can>
+  );
+};
diff --git a/frontend/src/components/permissions/index.tsx b/frontend/src/components/permissions/index.tsx
new file mode 100644
index 00000000..e86fa431
--- /dev/null
+++ b/frontend/src/components/permissions/index.tsx
@@ -0,0 +1 @@
+export { OrgPermissionCan } from "./OrgPermissionCan";
diff --git a/frontend/src/context/OrgPermissionContext/OrgPermissionContext.tsx b/frontend/src/context/OrgPermissionContext/OrgPermissionContext.tsx
index 4d968c06..5320ece6 100644
--- a/frontend/src/context/OrgPermissionContext/OrgPermissionContext.tsx
+++ b/frontend/src/context/OrgPermissionContext/OrgPermissionContext.tsx
@@ -3,13 +3,13 @@ import { createContext, ReactNode, useContext } from "react";
 import { useGetUserOrgPermissions } from "@app/hooks/api";
 
 import { useOrganization } from "../OrganizationContext";
-import { TPermission } from "./types";
+import { TOrgPermission } from "./types";
 
 type Props = {
   children: ReactNode;
 };
 
-const PermissionContext = createContext<null | TPermission>(null);
+const OrgPermissionContext = createContext<null | TOrgPermission>(null);
 
 export const OrgPermissionProvider = ({ children }: Props): JSX.Element => {
   const { currentOrg } = useOrganization();
@@ -37,11 +37,13 @@ export const OrgPermissionProvider = ({ children }: Props): JSX.Element => {
     );
   }
 
-  return <PermissionContext.Provider value={permission}>{children}</PermissionContext.Provider>;
+  return (
+    <OrgPermissionContext.Provider value={permission}>{children}</OrgPermissionContext.Provider>
+  );
 };
 
 export const useOrgPermission = () => {
-  const ctx = useContext(PermissionContext);
+  const ctx = useContext(OrgPermissionContext);
   if (!ctx) {
     throw new Error("useOrgPermission to be used within <OrgPermissionProvider>");
   }
diff --git a/frontend/src/context/OrgPermissionContext/index.tsx b/frontend/src/context/OrgPermissionContext/index.tsx
index 73cfe0a1..336777d6 100644
--- a/frontend/src/context/OrgPermissionContext/index.tsx
+++ b/frontend/src/context/OrgPermissionContext/index.tsx
@@ -1 +1,7 @@
 export { OrgPermissionProvider, useOrgPermission } from "./OrgPermissionContext";
+export type { TOrgPermission } from "./types";
+export {
+  OrgGeneralPermissionActions,
+  OrgPermissionSubjects,
+  OrgWorkspacePermissionActions
+} from "./types";
diff --git a/frontend/src/context/OrgPermissionContext/types.ts b/frontend/src/context/OrgPermissionContext/types.ts
index 29e08383..d385981d 100644
--- a/frontend/src/context/OrgPermissionContext/types.ts
+++ b/frontend/src/context/OrgPermissionContext/types.ts
@@ -1,13 +1,13 @@
 import { MongoAbility } from "@casl/ability";
 
-export enum GeneralPermissionActions {
+export enum OrgGeneralPermissionActions {
   Read = "read",
   Create = "create",
   Edit = "edit",
   Delete = "delete"
 }
 
-export enum WorkspacePermissionActions {
+export enum OrgWorkspacePermissionActions {
   Read = "read",
   Create = "create"
 }
@@ -24,13 +24,13 @@ export enum OrgPermissionSubjects {
 }
 
 export type OrgPermissionSet =
-  | [WorkspacePermissionActions, OrgPermissionSubjects.Workspace]
-  | [GeneralPermissionActions, OrgPermissionSubjects.Role]
-  | [GeneralPermissionActions, OrgPermissionSubjects.Member]
-  | [GeneralPermissionActions, OrgPermissionSubjects.Settings]
-  | [GeneralPermissionActions, OrgPermissionSubjects.IncidentAccount]
-  | [GeneralPermissionActions, OrgPermissionSubjects.Sso]
-  | [GeneralPermissionActions, OrgPermissionSubjects.SecretScanning]
-  | [GeneralPermissionActions, OrgPermissionSubjects.Billing];
+  | [OrgWorkspacePermissionActions, OrgPermissionSubjects.Workspace]
+  | [OrgGeneralPermissionActions, OrgPermissionSubjects.Role]
+  | [OrgGeneralPermissionActions, OrgPermissionSubjects.Member]
+  | [OrgGeneralPermissionActions, OrgPermissionSubjects.Settings]
+  | [OrgGeneralPermissionActions, OrgPermissionSubjects.IncidentAccount]
+  | [OrgGeneralPermissionActions, OrgPermissionSubjects.Sso]
+  | [OrgGeneralPermissionActions, OrgPermissionSubjects.SecretScanning]
+  | [OrgGeneralPermissionActions, OrgPermissionSubjects.Billing];
 
-export type TPermission = MongoAbility<OrgPermissionSet>;
+export type TOrgPermission = MongoAbility<OrgPermissionSet>;
diff --git a/frontend/src/context/index.tsx b/frontend/src/context/index.tsx
index 097703d1..b0279f1f 100644
--- a/frontend/src/context/index.tsx
+++ b/frontend/src/context/index.tsx
@@ -1,6 +1,12 @@
 export { AuthProvider } from "./AuthContext";
 export { OrgProvider, useOrganization } from "./OrganizationContext";
-export { OrgPermissionProvider,useOrgPermission } from "./OrgPermissionContext";
+export type { TOrgPermission } from "./OrgPermissionContext";
+export {
+  OrgGeneralPermissionActions,
+  OrgPermissionSubjects,
+  OrgWorkspacePermissionActions
+} from "./OrgPermissionContext";
+export { OrgPermissionProvider, useOrgPermission } from "./OrgPermissionContext";
 export { SubscriptionProvider, useSubscription } from "./SubscriptionContext";
 export { UserProvider, useUser } from "./UserContext";
 export { useWorkspace, WorkspaceProvider } from "./WorkspaceContext";
diff --git a/frontend/src/hoc/index.tsx b/frontend/src/hoc/index.tsx
new file mode 100644
index 00000000..d5dfb8dc
--- /dev/null
+++ b/frontend/src/hoc/index.tsx
@@ -0,0 +1 @@
+export { withPermission } from "./withPermission";
diff --git a/frontend/src/hoc/withPermission/index.tsx b/frontend/src/hoc/withPermission/index.tsx
new file mode 100644
index 00000000..d5dfb8dc
--- /dev/null
+++ b/frontend/src/hoc/withPermission/index.tsx
@@ -0,0 +1 @@
+export { withPermission } from "./withPermission";
diff --git a/frontend/src/hoc/withPermission/withPermission.tsx b/frontend/src/hoc/withPermission/withPermission.tsx
new file mode 100644
index 00000000..520ccff2
--- /dev/null
+++ b/frontend/src/hoc/withPermission/withPermission.tsx
@@ -0,0 +1,62 @@
+import { ComponentType } from "react";
+import { Abilities, AbilityTuple, Generics, SubjectType } from "@casl/ability";
+import { faLock } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { twMerge } from "tailwind-merge";
+
+import { TOrgPermission, useOrgPermission } from "@app/context";
+
+type Props<T extends Abilities> = (T extends AbilityTuple
+  ? {
+      action: T[0];
+      subject: Extract<T[1], SubjectType>;
+    }
+  : {
+      action: string;
+      subject: string;
+    }) & { className?: string; containerClassName?: string };
+
+export const withPermission = <T extends {}, J extends TOrgPermission>(
+  Component: ComponentType<T>,
+  { action, subject, className, containerClassName }: Props<Generics<J>["abilities"]>
+) => {
+  const HOC = (hocProps: T) => {
+    const permission = useOrgPermission();
+
+    // akhilmhdh: Set as any due to casl/react ts type bug
+    // REASON: casl due to its type checking can't seem to union even if union intersection is applied
+    if (permission.cannot(action as any, subject)) {
+      return (
+        <div
+          className={twMerge(
+            "container h-full mx-auto flex justify-center items-center",
+            containerClassName
+          )}
+        >
+          <div
+            className={twMerge(
+              "rounded-md bg-mineshaft-800 text-bunker-300 p-16 flex space-x-12 items-end",
+              className
+            )}
+          >
+            <div>
+              <FontAwesomeIcon icon={faLock} size="6x" />
+            </div>
+            <div>
+              <div className="text-4xl font-medium mb-2">Permission Denied</div>
+              <div className="text-sm">
+                You do not have permission to this page. <br /> Kindly contact your organization
+                administrator
+              </div>
+            </div>
+          </div>
+        </div>
+      );
+    }
+
+    return <Component {...hocProps} />;
+  };
+
+  HOC.displayName = "WithPermission";
+  return HOC;
+};
diff --git a/frontend/src/pages/org/[id]/billing/index.tsx b/frontend/src/pages/org/[id]/billing/index.tsx
index a752d93f..92585261 100644
--- a/frontend/src/pages/org/[id]/billing/index.tsx
+++ b/frontend/src/pages/org/[id]/billing/index.tsx
@@ -1,21 +1,28 @@
 import { useTranslation } from "react-i18next";
 import Head from "next/head";
 
+import { OrgGeneralPermissionActions, OrgPermissionSubjects, TOrgPermission } from "@app/context";
+import { withPermission } from "@app/hoc";
 import { BillingSettingsPage } from "@app/views/Settings/BillingSettingsPage";
 
-export default function SettingsBilling() {
-  const { t } = useTranslation();
+const SettingsBilling = withPermission<{}, TOrgPermission>(
+  () => {
+    const { t } = useTranslation();
 
-  return (
-    <div className="h-full bg-bunker-800">
-      <Head>
-        <title>{t("common.head-title", { title: t("billing.title") })}</title>
-        <link rel="icon" href="/infisical.ico" />
-        <meta property="og:image" content="/images/message.png" />
-      </Head>
-      <BillingSettingsPage />
-    </div>
-  );
-}
+    return (
+      <div className="h-full bg-bunker-800">
+        <Head>
+          <title>{t("common.head-title", { title: t("billing.title") })}</title>
+          <link rel="icon" href="/infisical.ico" />
+          <meta property="og:image" content="/images/message.png" />
+        </Head>
+        <BillingSettingsPage />
+      </div>
+    );
+  },
+  { action: OrgGeneralPermissionActions.Delete, subject: OrgPermissionSubjects.Billing }
+);
 
-SettingsBilling.requireAuth = true;
\ No newline at end of file
+Object.assign(SettingsBilling, { requireAuth: true });
+
+export default SettingsBilling;
diff --git a/frontend/src/pages/org/[id]/overview/index.tsx b/frontend/src/pages/org/[id]/overview/index.tsx
index 8a8d832c..e5323557 100644
--- a/frontend/src/pages/org/[id]/overview/index.tsx
+++ b/frontend/src/pages/org/[id]/overview/index.tsx
@@ -31,6 +31,7 @@ import * as Tabs from "@radix-ui/react-tabs";
 import * as yup from "yup";
 
 import { useNotificationContext } from "@app/components/context/Notifications/NotificationProvider";
+import { OrgPermissionCan } from "@app/components/permissions";
 import onboardingCheck from "@app/components/utilities/checks/OnboardingCheck";
 import {
   Button,
@@ -42,9 +43,22 @@ import {
   Skeleton,
   UpgradePlanModal
 } from "@app/components/v2";
-import { useSubscription, useUser, useWorkspace } from "@app/context";
-import { fetchOrgUsers, useAddUserToWs, useCreateWorkspace, useRegisterUserAction,useUploadWsKey } from "@app/hooks/api";
 import { useFetchServerStatus } from "@app/hooks/api/serverDetails";
+import {
+  OrgPermissionSubjects,
+  OrgWorkspacePermissionActions,
+  useSubscription,
+  useUser,
+  useWorkspace
+} from "@app/context";
+import { withPermission } from "@app/hoc";
+import {
+  fetchOrgUsers,
+  useAddUserToWs,
+  useCreateWorkspace,
+  useRegisterUserAction,
+  useUploadWsKey
+} from "@app/hooks/api";
 import { usePopUp } from "@app/hooks/usePopUp";
 
 import { encryptAssymmetric } from "../../../../components/utilities/cryptography/crypto";
@@ -301,9 +315,7 @@ const LearningItem = ({
             tabIndex={0}
             onClick={async () => {
               if (userAction && userAction !== "first_time_secrets_pushed") {
-                await registerUserAction.mutateAsync(
-                  userAction
-                );
+                await registerUserAction.mutateAsync(userAction);
               }
             }}
             className={`group relative flex h-[5.5rem] w-full items-center justify-between overflow-hidden rounded-md border ${
@@ -446,19 +458,20 @@ type TAddProjectFormData = yup.InferType<typeof formSchema>;
 
 // #TODO: Update all the workspaceIds
 
-export default function Organization() {
-  const { t } = useTranslation();
+const OrganizationPage = withPermission(
+  () => {
+    const { t } = useTranslation();
 
-  const router = useRouter();
+    const router = useRouter();
 
-  const { workspaces, isLoading: isWorkspaceLoading } = useWorkspace();
-  const orgWorkspaces =
-    workspaces?.filter(
-      (workspace) => workspace.organization === localStorage.getItem("orgData.id")
-    ) || [];
-  const currentOrg = String(router.query.id);
-  const { createNotification } = useNotificationContext();
-  const addWsUser = useAddUserToWs();
+    const { workspaces, isLoading: isWorkspaceLoading } = useWorkspace();
+    const orgWorkspaces =
+      workspaces?.filter(
+        (workspace) => workspace.organization === localStorage.getItem("orgData.id")
+      ) || [];
+    const currentOrg = String(router.query.id);
+    const { createNotification } = useNotificationContext();
+    const addWsUser = useAddUserToWs();
 
   const { popUp, handlePopUpOpen, handlePopUpClose, handlePopUpToggle } = usePopUp([
     "addNewWs",
@@ -537,24 +550,24 @@ export default function Organization() {
     ? subscription.workspacesUsed < subscription.workspaceLimit
     : true;
 
-  useEffect(() => {
-    onboardingCheck({
-      setHasUserClickedIntro,
-      setHasUserClickedSlack,
-      setHasUserPushedSecrets,
-      setUsersInOrg
-    });
-  }, []);
+    useEffect(() => {
+      onboardingCheck({
+        setHasUserClickedIntro,
+        setHasUserClickedSlack,
+        setHasUserPushedSecrets,
+        setUsersInOrg
+      });
+    }, []);
 
-  const isWorkspaceEmpty = !isWorkspaceLoading && orgWorkspaces?.length === 0;
+    const isWorkspaceEmpty = !isWorkspaceLoading && orgWorkspaces?.length === 0;
 
-  return (
-    <div className="mx-auto flex max-w-7xl flex-col justify-start bg-bunker-800 md:h-screen">
-      <Head>
-        <title>{t("common.head-title", { title: t("settings.members.title") })}</title>
-        <link rel="icon" href="/infisical.ico" />
-      </Head>
-      {!serverDetails?.redisConfigured && <div className="mb-4 flex flex-col items-start justify-start px-6 py-6 pb-0 text-3xl">
+    return (
+      <div className="mx-auto flex max-w-7xl flex-col justify-start bg-bunker-800 md:h-screen">
+        <Head>
+          <title>{t("common.head-title", { title: t("settings.members.title") })}</title>
+          <link rel="icon" href="/infisical.ico" />
+        </Head>
+        {!serverDetails?.redisConfigured && <div className="mb-4 flex flex-col items-start justify-start px-6 py-6 pb-0 text-3xl">
           <p className="mr-4 mb-4 font-semibold text-white">Announcements</p>
           <div className="w-full border border-blue-400/70 rounded-md bg-blue-900/70 p-2 text-base text-mineshaft-100 flex items-center">
             <FontAwesomeIcon icon={faExclamationCircle} className="text-2xl mr-4 p-4 text-mineshaft-50"/>
@@ -566,290 +579,309 @@ export default function Organization() {
             </Link>. 
           </div>
       </div>}
-      <div className="mb-4 flex flex-col items-start justify-start px-6 py-6 pb-0 text-3xl">
-        <p className="mr-4 font-semibold text-white">Projects</p>
-        <div className="mt-6 flex w-full flex-row">
-          <Input
-            className="h-[2.3rem] bg-mineshaft-800 text-sm placeholder-mineshaft-50 duration-200 focus:bg-mineshaft-700/80"
-            placeholder="Search by project name..."
-            value={searchFilter}
-            onChange={(e) => setSearchFilter(e.target.value)}
-            leftIcon={<FontAwesomeIcon icon={faMagnifyingGlass} />}
-          />
-          <Button
-            colorSchema="primary"
-            leftIcon={<FontAwesomeIcon icon={faPlus} />}
-            onClick={() => {
-              if (isAddingProjectsAllowed) {
-                handlePopUpOpen("addNewWs");
-              } else {
-                handlePopUpOpen("upgradePlan");
-              }
-            }}
-            className="ml-2"
-          >
-            Add New Project
-          </Button>
-        </div>
-        <div className="mt-4 grid w-full grid-cols-1 gap-4 lg:grid-cols-2 xl:grid-cols-3 2xl:grid-cols-4">
-          {isWorkspaceLoading &&
-            Array.apply(0, Array(3)).map((_x, i) => (
-              <div
-                key={`workspace-cards-loading-${i + 1}`}
-                className="min-w-72 flex h-40 flex-col justify-between rounded-md border border-mineshaft-600 bg-mineshaft-800 p-4"
-              >
-                <div className="mt-0 text-lg text-mineshaft-100">
-                  <Skeleton className="w-3/4 bg-mineshaft-600" />
-                </div>
-                <div className="mt-0 pb-6 text-sm text-mineshaft-300">
-                  <Skeleton className="w-1/2 bg-mineshaft-600" />
-                </div>
-                <div className="flex justify-end">
-                  <Skeleton className="w-1/2 bg-mineshaft-600" />
-                </div>
-              </div>
-            ))}
-          {orgWorkspaces
-            .filter((ws) => ws?.name?.toLowerCase().includes(searchFilter.toLowerCase()))
-            .map((workspace) => (
-              <div
-                key={workspace._id}
-                className="min-w-72 flex h-40 flex-col justify-between rounded-md border border-mineshaft-600 bg-mineshaft-800 p-4"
-              >
-                <div className="mt-0 text-lg text-mineshaft-100">{workspace.name}</div>
-                <div className="mt-0 pb-6 text-sm text-mineshaft-300">
-                  {workspace.environments?.length || 0} environments
-                </div>
-                <button
-                  type="button"
+        <div className="mb-4 flex flex-col items-start justify-start px-6 py-6 pb-0 text-3xl">
+          <p className="mr-4 font-semibold text-white">Projects</p>
+          <div className="mt-6 flex w-full flex-row">
+            <Input
+              className="h-[2.3rem] bg-mineshaft-800 text-sm placeholder-mineshaft-50 duration-200 focus:bg-mineshaft-700/80"
+              placeholder="Search by project name..."
+              value={searchFilter}
+              onChange={(e) => setSearchFilter(e.target.value)}
+              leftIcon={<FontAwesomeIcon icon={faMagnifyingGlass} />}
+            />
+            <OrgPermissionCan
+              I={OrgWorkspacePermissionActions.Create}
+              an={OrgPermissionSubjects.Workspace}
+            >
+              {(isAllowed) => (
+                <Button
+                  isDisabled={!isAllowed}
+                  colorSchema="primary"
+                  leftIcon={<FontAwesomeIcon icon={faPlus} />}
                   onClick={() => {
-                    router.push(`/project/${workspace._id}/secrets/overview`);
-                    localStorage.setItem("projectData.id", workspace._id);
+                    if (isAddingProjectsAllowed) {
+                      handlePopUpOpen("addNewWs");
+                    } else {
+                      handlePopUpOpen("upgradePlan");
+                    }
                   }}
+                  className="ml-2"
                 >
-                  <div className="group ml-auto w-max cursor-pointer rounded-full border border-mineshaft-600 bg-mineshaft-900 py-2 px-4 text-sm text-mineshaft-300 hover:border-primary-500/80 hover:bg-primary-800/20 hover:text-mineshaft-200">
-                    Explore{" "}
-                    <FontAwesomeIcon
-                      icon={faArrowRight}
-                      className="pl-1.5 pr-0.5 duration-200 group-hover:pl-2 group-hover:pr-0"
-                    />
-                  </div>
-                </button>
-              </div>
-            ))}
-        </div>
-        {isWorkspaceEmpty && (
-          <div className="w-full rounded-md border border-mineshaft-700 bg-mineshaft-800 px-4 py-6 text-base text-mineshaft-300">
-            <FontAwesomeIcon
-              icon={faFolderOpen}
-              className="mb-4 mt-2 w-full text-center text-5xl text-mineshaft-400"
-            />
-            <div className="text-center font-light">
-              You are not part of any projects in this organization yet. When you are, they will
-              appear here.
-            </div>
-            <div className="mt-0.5 text-center font-light">
-              Create a new project, or ask other organization members to give you necessary
-              permissions.
-            </div>
-          </div>
-        )}
-      </div>
-      {new Date().getTime() - new Date(user?.createdAt).getTime() < 30 * 24 * 60 * 60 * 1000 && (
-        <div className="mb-4 flex flex-col items-start justify-start px-6 py-6 pb-0 text-3xl">
-          <p className="mr-4 mb-4 font-semibold text-white">Onboarding Guide</p>
-          <div className="mb-3 grid w-full grid-cols-1 gap-3 lg:grid-cols-2 xl:grid-cols-3 2xl:grid-cols-4">
-            <LearningItemSquare
-              text="Watch Infisical demo"
-              subText="Set up Infisical in 3 min."
-              complete={hasUserClickedIntro}
-              icon={faHandPeace}
-              time="3 min"
-              userAction="intro_cta_clicked"
-              link="https://www.youtube.com/watch?v=PK23097-25I"
-            />
-            {orgWorkspaces.length !== 0 && (
-              <>
-                <LearningItemSquare
-                  text="Add your secrets"
-                  subText="Drop a .env file or type your secrets."
-                  complete={hasUserPushedSecrets}
-                  icon={faPlus}
-                  time="1 min"
-                  userAction="first_time_secrets_pushed"
-                  link={`/project/${orgWorkspaces[0]?._id}/secrets/overview`}
-                />
-                <LearningItemSquare
-                  text="Invite your teammates"
-                  subText="Infisical is better used as a team."
-                  complete={usersInOrg}
-                  icon={faUserPlus}
-                  time="2 min"
-                  link={`/org/${router.query.id}/members?action=invite`}
-                />
-              </>
-            )}
-            <div className="block xl:hidden 2xl:block">
-              <LearningItemSquare
-                text="Join Infisical Slack"
-                subText="Have any questions? Ask us!"
-                complete={hasUserClickedSlack}
-                icon={faSlack}
-                time="1 min"
-                userAction="slack_cta_clicked"
-                link="https://infisical.com/slack"
-              />
-            </div>
+                  Add New Project
+                </Button>
+              )}
+            </OrgPermissionCan>
           </div>
-          {orgWorkspaces.length !== 0 && (
-            <div className="group relative mb-3 flex h-full w-full cursor-default flex-col items-center justify-between overflow-hidden rounded-md border border-mineshaft-600 bg-mineshaft-800 pl-2 pr-2 pt-4 pb-2 text-mineshaft-100 shadow-xl duration-200">
-              <div className="mb-4 flex w-full flex-row items-center pr-4">
-                <div className="mr-4 flex w-full flex-row items-center">
-                  <FontAwesomeIcon icon={faNetworkWired} className="mx-2 w-16 text-4xl" />
-                  {false && (
-                    <div className="absolute left-12 top-10 flex h-7 w-7 items-center justify-center rounded-full bg-bunker-500 p-2 group-hover:bg-mineshaft-700">
-                      <FontAwesomeIcon
-                        icon={faCheckCircle}
-                        className="h-5 w-5 text-4xl text-green"
-                      />
-                    </div>
-                  )}
-                  <div className="flex flex-col items-start pl-0.5">
-                    <div className="mt-0.5 text-xl font-semibold">Inject secrets locally</div>
-                    <div className="text-sm font-normal">
-                      Replace .env files with a more secure and efficient alternative.
-                    </div>
+          <div className="mt-4 grid w-full grid-cols-1 gap-4 lg:grid-cols-2 xl:grid-cols-3 2xl:grid-cols-4">
+            {isWorkspaceLoading &&
+              Array.apply(0, Array(3)).map((_x, i) => (
+                <div
+                  key={`workspace-cards-loading-${i + 1}`}
+                  className="min-w-72 flex h-40 flex-col justify-between rounded-md border border-mineshaft-600 bg-mineshaft-800 p-4"
+                >
+                  <div className="mt-0 text-lg text-mineshaft-100">
+                    <Skeleton className="w-3/4 bg-mineshaft-600" />
+                  </div>
+                  <div className="mt-0 pb-6 text-sm text-mineshaft-300">
+                    <Skeleton className="w-1/2 bg-mineshaft-600" />
+                  </div>
+                  <div className="flex justify-end">
+                    <Skeleton className="w-1/2 bg-mineshaft-600" />
                   </div>
                 </div>
+              ))}
+            {orgWorkspaces
+              .filter((ws) => ws?.name?.toLowerCase().includes(searchFilter.toLowerCase()))
+              .map((workspace) => (
                 <div
-                  className={`w-28 pr-4 text-right text-sm font-semibold ${false && "text-green"}`}
+                  key={workspace._id}
+                  className="min-w-72 flex h-40 flex-col justify-between rounded-md border border-mineshaft-600 bg-mineshaft-800 p-4"
                 >
-                  About 2 min
+                  <div className="mt-0 text-lg text-mineshaft-100">{workspace.name}</div>
+                  <div className="mt-0 pb-6 text-sm text-mineshaft-300">
+                    {workspace.environments?.length || 0} environments
+                  </div>
+                  <button
+                    type="button"
+                    onClick={() => {
+                      router.push(`/project/${workspace._id}/secrets/overview`);
+                      localStorage.setItem("projectData.id", workspace._id);
+                    }}
+                  >
+                    <div className="group ml-auto w-max cursor-pointer rounded-full border border-mineshaft-600 bg-mineshaft-900 py-2 px-4 text-sm text-mineshaft-300 hover:border-primary-500/80 hover:bg-primary-800/20 hover:text-mineshaft-200">
+                      Explore{" "}
+                      <FontAwesomeIcon
+                        icon={faArrowRight}
+                        className="pl-1.5 pr-0.5 duration-200 group-hover:pl-2 group-hover:pr-0"
+                      />
+                    </div>
+                  </button>
                 </div>
+              ))}
+          </div>
+          {isWorkspaceEmpty && (
+            <div className="w-full rounded-md border border-mineshaft-700 bg-mineshaft-800 px-4 py-6 text-base text-mineshaft-300">
+              <FontAwesomeIcon
+                icon={faFolderOpen}
+                className="mb-4 mt-2 w-full text-center text-5xl text-mineshaft-400"
+              />
+              <div className="text-center font-light">
+                You are not part of any projects in this organization yet. When you are, they will
+                appear here.
+              </div>
+              <div className="mt-0.5 text-center font-light">
+                Create a new project, or ask other organization members to give you necessary
+                permissions.
               </div>
-              <TabsObject />
-              {false && <div className="absolute bottom-0 left-0 h-1 w-full bg-green" />}
             </div>
           )}
-          {orgWorkspaces.length !== 0 && (
-            <LearningItem
-              text="Integrate Infisical with your infrastructure"
-              subText="Connect Infisical to various 3rd party services and platforms."
-              complete={false}
-              icon={faPlug}
-              time="15 min"
-              link="https://infisical.com/docs/integrations/overview"
-            />
-          )}
         </div>
-      )}
-      <div className="mb-4 flex flex-col items-start justify-start px-6 py-6 pb-6 text-3xl">
-        <p className="mr-4 font-semibold text-white">Explore More</p>
-        <div
-          className="mt-4 grid w-full grid-flow-dense gap-4"
-          style={{ gridTemplateColumns: "repeat(auto-fill, minmax(256px, 4fr))" }}
-        >
-          {features.map((feature) => (
-            <div
-              key={feature._id}
-              className="flex h-44 w-96 flex-col justify-between rounded-md border border-mineshaft-600 bg-mineshaft-800 p-4"
-            >
-              <div className="mt-0 text-lg text-mineshaft-100">{feature.name}</div>
-              <div className="mb-4 mt-2 text-[15px] font-light text-mineshaft-300">
-                {feature.description}
-              </div>
-              <div className="flex w-full items-center">
-                <div className="text-[15px] font-light text-mineshaft-300">Setup time: 20 min</div>
-                <a
-                  target="_blank"
-                  rel="noopener noreferrer"
-                  className="group ml-auto w-max cursor-default rounded-full border border-mineshaft-600 bg-mineshaft-900 py-2 px-4 text-sm text-mineshaft-300 hover:border-primary-500/80 hover:bg-primary-800/20 hover:text-mineshaft-200"
-                  href="https://infisical.com/docs/documentation/getting-started/kubernetes"
-                >
-                  Learn more{" "}
-                  <FontAwesomeIcon
-                    icon={faArrowRight}
-                    className="pl-1.5 pr-0.5 duration-200 group-hover:pl-2 group-hover:pr-0"
+        {new Date().getTime() - new Date(user?.createdAt).getTime() < 30 * 24 * 60 * 60 * 1000 && (
+          <div className="mb-4 flex flex-col items-start justify-start px-6 py-6 pb-0 text-3xl">
+            <p className="mr-4 mb-4 font-semibold text-white">Onboarding Guide</p>
+            <div className="mb-3 grid w-full grid-cols-1 gap-3 lg:grid-cols-2 xl:grid-cols-3 2xl:grid-cols-4">
+              <LearningItemSquare
+                text="Watch Infisical demo"
+                subText="Set up Infisical in 3 min."
+                complete={hasUserClickedIntro}
+                icon={faHandPeace}
+                time="3 min"
+                userAction="intro_cta_clicked"
+                link="https://www.youtube.com/watch?v=PK23097-25I"
+              />
+              {orgWorkspaces.length !== 0 && (
+                <>
+                  <LearningItemSquare
+                    text="Add your secrets"
+                    subText="Drop a .env file or type your secrets."
+                    complete={hasUserPushedSecrets}
+                    icon={faPlus}
+                    time="1 min"
+                    userAction="first_time_secrets_pushed"
+                    link={`/project/${orgWorkspaces[0]?._id}/secrets/overview`}
+                  />
+                  <LearningItemSquare
+                    text="Invite your teammates"
+                    subText="Infisical is better used as a team."
+                    complete={usersInOrg}
+                    icon={faUserPlus}
+                    time="2 min"
+                    link={`/org/${router.query.id}/members?action=invite`}
                   />
-                </a>
+                </>
+              )}
+              <div className="block xl:hidden 2xl:block">
+                <LearningItemSquare
+                  text="Join Infisical Slack"
+                  subText="Have any questions? Ask us!"
+                  complete={hasUserClickedSlack}
+                  icon={faSlack}
+                  time="1 min"
+                  userAction="slack_cta_clicked"
+                  link="https://infisical.com/slack"
+                />
               </div>
             </div>
-          ))}
+            {orgWorkspaces.length !== 0 && (
+              <div className="group relative mb-3 flex h-full w-full cursor-default flex-col items-center justify-between overflow-hidden rounded-md border border-mineshaft-600 bg-mineshaft-800 pl-2 pr-2 pt-4 pb-2 text-mineshaft-100 shadow-xl duration-200">
+                <div className="mb-4 flex w-full flex-row items-center pr-4">
+                  <div className="mr-4 flex w-full flex-row items-center">
+                    <FontAwesomeIcon icon={faNetworkWired} className="mx-2 w-16 text-4xl" />
+                    {false && (
+                      <div className="absolute left-12 top-10 flex h-7 w-7 items-center justify-center rounded-full bg-bunker-500 p-2 group-hover:bg-mineshaft-700">
+                        <FontAwesomeIcon
+                          icon={faCheckCircle}
+                          className="h-5 w-5 text-4xl text-green"
+                        />
+                      </div>
+                    )}
+                    <div className="flex flex-col items-start pl-0.5">
+                      <div className="mt-0.5 text-xl font-semibold">Inject secrets locally</div>
+                      <div className="text-sm font-normal">
+                        Replace .env files with a more secure and efficient alternative.
+                      </div>
+                    </div>
+                  </div>
+                  <div
+                    className={`w-28 pr-4 text-right text-sm font-semibold ${
+                      false && "text-green"
+                    }`}
+                  >
+                    About 2 min
+                  </div>
+                </div>
+                <TabsObject />
+                {false && <div className="absolute bottom-0 left-0 h-1 w-full bg-green" />}
+              </div>
+            )}
+            {orgWorkspaces.length !== 0 && (
+              <LearningItem
+                text="Integrate Infisical with your infrastructure"
+                subText="Connect Infisical to various 3rd party services and platforms."
+                complete={false}
+                icon={faPlug}
+                time="15 min"
+                link="https://infisical.com/docs/integrations/overview"
+              />
+            )}
+          </div>
+        )}
+        <div className="mb-4 flex flex-col items-start justify-start px-6 py-6 pb-6 text-3xl">
+          <p className="mr-4 font-semibold text-white">Explore More</p>
+          <div
+            className="mt-4 grid w-full grid-flow-dense gap-4"
+            style={{ gridTemplateColumns: "repeat(auto-fill, minmax(256px, 4fr))" }}
+          >
+            {features.map((feature) => (
+              <div
+                key={feature._id}
+                className="flex h-44 w-96 flex-col justify-between rounded-md border border-mineshaft-600 bg-mineshaft-800 p-4"
+              >
+                <div className="mt-0 text-lg text-mineshaft-100">{feature.name}</div>
+                <div className="mb-4 mt-2 text-[15px] font-light text-mineshaft-300">
+                  {feature.description}
+                </div>
+                <div className="flex w-full items-center">
+                  <div className="text-[15px] font-light text-mineshaft-300">
+                    Setup time: 20 min
+                  </div>
+                  <a
+                    target="_blank"
+                    rel="noopener noreferrer"
+                    className="group ml-auto w-max cursor-default rounded-full border border-mineshaft-600 bg-mineshaft-900 py-2 px-4 text-sm text-mineshaft-300 hover:border-primary-500/80 hover:bg-primary-800/20 hover:text-mineshaft-200"
+                    href="https://infisical.com/docs/documentation/getting-started/kubernetes"
+                  >
+                    Learn more{" "}
+                    <FontAwesomeIcon
+                      icon={faArrowRight}
+                      className="pl-1.5 pr-0.5 duration-200 group-hover:pl-2 group-hover:pr-0"
+                    />
+                  </a>
+                </div>
+              </div>
+            ))}
+          </div>
         </div>
-      </div>
-      <Modal
-        isOpen={popUp.addNewWs.isOpen}
-        onOpenChange={(isModalOpen) => {
-          handlePopUpToggle("addNewWs", isModalOpen);
-          reset();
-        }}
-      >
-        <ModalContent
-          title="Create a new project"
-          subTitle="This project will contain your secrets and configurations."
+        <Modal
+          isOpen={popUp.addNewWs.isOpen}
+          onOpenChange={(isModalOpen) => {
+            handlePopUpToggle("addNewWs", isModalOpen);
+            reset();
+          }}
         >
-          <form onSubmit={handleSubmit(onCreateProject)}>
-            <Controller
-              control={control}
-              name="name"
-              defaultValue=""
-              render={({ field, fieldState: { error } }) => (
-                <FormControl
-                  label="Project Name"
-                  isError={Boolean(error)}
-                  errorText={error?.message}
-                >
-                  <Input {...field} placeholder="Type your project name" />
-                </FormControl>
-              )}
-            />
-            <div className="mt-4 pl-1">
+          <ModalContent
+            title="Create a new project"
+            subTitle="This project will contain your secrets and configurations."
+          >
+            <form onSubmit={handleSubmit(onCreateProject)}>
               <Controller
                 control={control}
-                name="addMembers"
-                defaultValue
-                render={({ field: { onBlur, value, onChange } }) => (
-                  <Checkbox
-                    id="add-project-layout"
-                    isChecked={value}
-                    onCheckedChange={onChange}
-                    onBlur={onBlur}
+                name="name"
+                defaultValue=""
+                render={({ field, fieldState: { error } }) => (
+                  <FormControl
+                    label="Project Name"
+                    isError={Boolean(error)}
+                    errorText={error?.message}
                   >
-                    Add all members of my organization to this project
-                  </Checkbox>
+                    <Input {...field} placeholder="Type your project name" />
+                  </FormControl>
                 )}
               />
-            </div>
-            <div className="mt-7 flex items-center">
-              <Button
-                isDisabled={isSubmitting}
-                isLoading={isSubmitting}
-                key="layout-create-project-submit"
-                className="mr-4"
-                type="submit"
-              >
-                Create Project
-              </Button>
-              <Button
-                key="layout-cancel-create-project"
-                onClick={() => handlePopUpClose("addNewWs")}
-                variant="plain"
-                colorSchema="secondary"
-              >
-                Cancel
-              </Button>
-            </div>
-          </form>
-        </ModalContent>
-      </Modal>
-      <UpgradePlanModal
-        isOpen={popUp.upgradePlan.isOpen}
-        onOpenChange={(isOpen) => handlePopUpToggle("upgradePlan", isOpen)}
-        text="You have exceeded the number of projects allowed on the free plan."
-      />
-      {/* <DeleteUserDialog isOpen={isDeleteOpen} closeModal={closeDeleteModal} submitModal={deleteMembership} userIdToBeDeleted={userIdToBeDeleted}/> */}
-    </div>
-  );
-}
+              <div className="mt-4 pl-1">
+                <Controller
+                  control={control}
+                  name="addMembers"
+                  defaultValue
+                  render={({ field: { onBlur, value, onChange } }) => (
+                    <Checkbox
+                      id="add-project-layout"
+                      isChecked={value}
+                      onCheckedChange={onChange}
+                      onBlur={onBlur}
+                    >
+                      Add all members of my organization to this project
+                    </Checkbox>
+                  )}
+                />
+              </div>
+              <div className="mt-7 flex items-center">
+                <Button
+                  isDisabled={isSubmitting}
+                  isLoading={isSubmitting}
+                  key="layout-create-project-submit"
+                  className="mr-4"
+                  type="submit"
+                >
+                  Create Project
+                </Button>
+                <Button
+                  key="layout-cancel-create-project"
+                  onClick={() => handlePopUpClose("addNewWs")}
+                  variant="plain"
+                  colorSchema="secondary"
+                >
+                  Cancel
+                </Button>
+              </div>
+            </form>
+          </ModalContent>
+        </Modal>
+        <UpgradePlanModal
+          isOpen={popUp.upgradePlan.isOpen}
+          onOpenChange={(isOpen) => handlePopUpToggle("upgradePlan", isOpen)}
+          text="You have exceeded the number of projects allowed on the free plan."
+        />
+        {/* <DeleteUserDialog isOpen={isDeleteOpen} closeModal={closeDeleteModal} submitModal={deleteMembership} userIdToBeDeleted={userIdToBeDeleted}/> */}
+      </div>
+    );
+  },
+  {
+    action: OrgWorkspacePermissionActions.Read,
+    subject: OrgPermissionSubjects.Workspace
+  }
+);
+
+Object.assign(OrganizationPage, { requireAuth: true });
 
-Organization.requireAuth = true;
+export default OrganizationPage;
diff --git a/frontend/src/pages/org/[id]/secret-scanning/index.tsx b/frontend/src/pages/org/[id]/secret-scanning/index.tsx
index e0f98243..626333e4 100644
--- a/frontend/src/pages/org/[id]/secret-scanning/index.tsx
+++ b/frontend/src/pages/org/[id]/secret-scanning/index.tsx
@@ -1,89 +1,133 @@
 import { useEffect, useState } from "react";
 import Head from "next/head";
-import { useRouter } from "next/router"
+import { useRouter } from "next/router";
 
+import { OrgPermissionCan } from "@app/components/permissions";
 import { Button } from "@app/components/v2";
+import { OrgGeneralPermissionActions, OrgPermissionSubjects } from "@app/context";
+import { withPermission } from "@app/hoc";
 import { SecretScanningLogsTable } from "@app/views/SecretScanning/components";
 
 import createNewIntegrationSession from "../../../api/secret-scanning/createSecretScanningSession";
 import getInstallationStatus from "../../../api/secret-scanning/getInstallationStatus";
 import linkGitAppInstallationWithOrganization from "../../../api/secret-scanning/linkGitAppInstallationWithOrganization";
 
-export default function SecretScanning() {
-  const router = useRouter()
-  const queryParams = router.query
-  const [integrationEnabled, setIntegrationStatus] = useState(false)
+const SecretScanning = withPermission(
+  () => {
+    const router = useRouter();
+    const queryParams = router.query;
+    const [integrationEnabled, setIntegrationStatus] = useState(false);
 
-  useEffect(()=>{
-    const linkInstallation = async () => {
-      if (typeof queryParams.state === "string" && typeof queryParams.installation_id === "string"){
-        try {
-          const isLinked = await linkGitAppInstallationWithOrganization(queryParams.installation_id as string, queryParams.state as string)
-          if (isLinked){
-            router.reload()
+    useEffect(() => {
+      const linkInstallation = async () => {
+        if (
+          typeof queryParams.state === "string" &&
+          typeof queryParams.installation_id === "string"
+        ) {
+          try {
+            const isLinked = await linkGitAppInstallationWithOrganization(
+              queryParams.installation_id as string,
+              queryParams.state as string
+            );
+            if (isLinked) {
+              router.reload();
+            }
+
+            console.log("installation verification complete");
+          } catch (e) {
+            console.log("app installation is stale, start new session", e);
           }
-          
-          console.log("installation verification complete")
-        }catch (e){
-          console.log("app installation is stale, start new session", e)
         }
-      }
-    }
+      };
 
-    const fetchInstallationStatus = async () => {
-      const status = await getInstallationStatus(String(localStorage.getItem("orgData.id")))
-      setIntegrationStatus(status)
-    }
+      const fetchInstallationStatus = async () => {
+        const status = await getInstallationStatus(String(localStorage.getItem("orgData.id")));
+        setIntegrationStatus(status);
+      };
 
-    fetchInstallationStatus()
-    linkInstallation()
-  },[queryParams.state, queryParams.installation_id])
+      fetchInstallationStatus();
+      linkInstallation();
+    }, [queryParams.state, queryParams.installation_id]);
 
-  const generateNewIntegrationSession = async () => {
-    const session = await createNewIntegrationSession(String(localStorage.getItem("orgData.id")))
-    router.push(`https://github.com/apps/infisical-radar/installations/new?state=${session.sessionId}`)
-  }
+    const generateNewIntegrationSession = async () => {
+      const session = await createNewIntegrationSession(String(localStorage.getItem("orgData.id")));
+      router.push(
+        `https://github.com/apps/infisical-radar/installations/new?state=${session.sessionId}`
+      );
+    };
 
-  return (
-    <div>
-      <Head>
-        <title>Secret scanning</title>
-        <link rel="icon" href="/infisical.ico" />
-        <meta property="og:image" content="/images/message.png" />
-      </Head>
-      <div className="flex justify-center bg-bunker-800 text-white w-full h-full">
-        <div className="max-w-7xl px-6 w-full">
-          <div className="mt-6 text-3xl font-semibold text-gray-200">Secret Scanning</div>      
-          <div className="mb-6 text-lg text-mineshaft-300">Automatically monitor your GitHub activity and prevent secret leaks</div>    
-          <div className="relative flex justify-between bg-mineshaft-800 border border-mineshaft-600 rounded-md p-6 mb-6">
-            <div className="flex flex-col items-start">
-              <div className="flex flex-row mb-1">Secret Scanning Status: {integrationEnabled ? <p className="text-green ml-1.5 font-semibold">Enabled</p> : <p className="text-red ml-1.5 font-semibold">Not enabled</p>}</div>
-              <div>{integrationEnabled ? <p className="text-mineshaft-300">Your GitHub organization is connected to Infisical, and is being continuously monitored for secret leaks.</p> : <p className="text-mineshaft-300">Connect your GitHub organization to Infisical.</p>}</div>
+    return (
+      <div>
+        <Head>
+          <title>Secret scanning</title>
+          <link rel="icon" href="/infisical.ico" />
+          <meta property="og:image" content="/images/message.png" />
+        </Head>
+        <div className="flex justify-center bg-bunker-800 text-white w-full h-full">
+          <div className="max-w-7xl px-6 w-full">
+            <div className="mt-6 text-3xl font-semibold text-gray-200">Secret Scanning</div>
+            <div className="mb-6 text-lg text-mineshaft-300">
+              Automatically monitor your GitHub activity and prevent secret leaks
             </div>
-            {integrationEnabled ? (
-              <div>
-                <div className="absolute right-[2.5rem] top-[2.5rem] animate-ping rounded-full h-6 w-6 bg-green flex items-center justify-center"/>
-                <div className="absolute right-[2.63rem] top-[2.63rem] animate-ping rounded-full h-5 w-5 bg-green flex items-center justify-center"/>
-                <div className="absolute right-[2.82rem] top-[2.82rem] animate-ping rounded-full h-3.5 w-3.5 bg-green flex items-center justify-center"/>
-              </div>
-            ) : (
-              <div className="flex items-center h-[3.25rem]">
-                <Button
-                  variant="solid"
-                  colorSchema="primary"
-                  onClick={generateNewIntegrationSession}
-                  className="py-2 h-min"
-                >
-                  Integrate with GitHub
-                </Button>
+            <div className="relative flex justify-between bg-mineshaft-800 border border-mineshaft-600 rounded-md p-6 mb-6">
+              <div className="flex flex-col items-start">
+                <div className="flex flex-row mb-1">
+                  Secret Scanning Status:{" "}
+                  {integrationEnabled ? (
+                    <p className="text-green ml-1.5 font-semibold">Enabled</p>
+                  ) : (
+                    <p className="text-red ml-1.5 font-semibold">Not enabled</p>
+                  )}
+                </div>
+                <div>
+                  {integrationEnabled ? (
+                    <p className="text-mineshaft-300">
+                      Your GitHub organization is connected to Infisical, and is being continuously
+                      monitored for secret leaks.
+                    </p>
+                  ) : (
+                    <p className="text-mineshaft-300">
+                      Connect your GitHub organization to Infisical.
+                    </p>
+                  )}
+                </div>
               </div>
-            )}
+              {integrationEnabled ? (
+                <div>
+                  <div className="absolute right-[2.5rem] top-[2.5rem] animate-ping rounded-full h-6 w-6 bg-green flex items-center justify-center" />
+                  <div className="absolute right-[2.63rem] top-[2.63rem] animate-ping rounded-full h-5 w-5 bg-green flex items-center justify-center" />
+                  <div className="absolute right-[2.82rem] top-[2.82rem] animate-ping rounded-full h-3.5 w-3.5 bg-green flex items-center justify-center" />
+                </div>
+              ) : (
+                <div className="flex items-center h-[3.25rem]">
+                  <OrgPermissionCan
+                    I={OrgGeneralPermissionActions.Create}
+                    a={OrgPermissionSubjects.SecretScanning}
+                  >
+                    {(isAllowed) => (
+                      <Button
+                        variant="solid"
+                        colorSchema="primary"
+                        onClick={generateNewIntegrationSession}
+                        className="py-2 h-min"
+                        isDisabled={!isAllowed}
+                      >
+                        Integrate with GitHub
+                      </Button>
+                    )}
+                  </OrgPermissionCan>
+                </div>
+              )}
+            </div>
+            <SecretScanningLogsTable />
           </div>
-          <SecretScanningLogsTable />
         </div>
       </div>
-    </div>
-  );
-}
+    );
+  },
+  { action: OrgGeneralPermissionActions.Read, subject: OrgPermissionSubjects.SecretScanning }
+);
+
+Object.assign(SecretScanning, { requireAuth: true });
 
-SecretScanning.requireAuth = true;
+export default SecretScanning;
diff --git a/frontend/src/views/Org/MembersPage/MembersPage.tsx b/frontend/src/views/Org/MembersPage/MembersPage.tsx
index 065825b4..d2c213dc 100644
--- a/frontend/src/views/Org/MembersPage/MembersPage.tsx
+++ b/frontend/src/views/Org/MembersPage/MembersPage.tsx
@@ -3,7 +3,8 @@ import { useTranslation } from "react-i18next";
 import { motion } from "framer-motion";
 
 import { Tab, TabList, TabPanel, Tabs } from "@app/components/v2";
-import { useOrganization } from "@app/context";
+import { OrgGeneralPermissionActions, OrgPermissionSubjects, useOrganization } from "@app/context";
+import { withPermission } from "@app/hoc";
 import { useGetRoles } from "@app/hooks/api";
 
 import { OrgMembersTable } from "./components/OrgMembersTable";
@@ -14,45 +15,48 @@ enum TabSections {
   Roles = "roles"
 }
 
-export const MembersPage = () => {
-  const { t } = useTranslation();
-  const { currentOrg } = useOrganization();
+export const MembersPage = withPermission(
+  () => {
+    const { t } = useTranslation();
+    const { currentOrg } = useOrganization();
 
-  const orgId = currentOrg?._id || "";
+    const orgId = currentOrg?._id || "";
 
-  const { data: roles } = useGetRoles({
-    orgId
-  });
+    const { data: roles } = useGetRoles({
+      orgId
+    });
 
-  return (
-    <div className="container mx-auto flex flex-col justify-between bg-bunker-800 text-white">
-      <div className="mb-6 w-full py-6 px-6 max-w-7xl mx-auto">
-        <p className="mr-4 mb-4 text-3xl font-semibold text-white">
-          {t("section.members.org-members")}
-        </p>
-        <Tabs defaultValue={TabSections.Member}>
-          <TabList>
-            <Tab value={TabSections.Member}>Members</Tab>
-            {process.env.NEXT_PUBLIC_NEW_PERMISSION_FLAG === "true" && (
-              <Tab value={TabSections.Roles}>Roles</Tab>
-            )}
-          </TabList>
-          <TabPanel value={TabSections.Member}>
-            <motion.div
-              key="panel-1"
-              transition={{ duration: 0.15 }}
-              initial={{ opacity: 0, translateX: 30 }}
-              animate={{ opacity: 1, translateX: 0 }}
-              exit={{ opacity: 0, translateX: 30 }}
-            >
-              <OrgMembersTable roles={roles} />
-            </motion.div>
-          </TabPanel>
-          <TabPanel value={TabSections.Roles}>
-            <OrgRoleTabSection roles={roles} />
-          </TabPanel>
-        </Tabs>
+    return (
+      <div className="container mx-auto flex flex-col justify-between bg-bunker-800 text-white">
+        <div className="mb-6 w-full py-6 px-6 max-w-7xl mx-auto">
+          <p className="mr-4 mb-4 text-3xl font-semibold text-white">
+            {t("section.members.org-members")}
+          </p>
+          <Tabs defaultValue={TabSections.Member}>
+            <TabList>
+              <Tab value={TabSections.Member}>Members</Tab>
+              {process.env.NEXT_PUBLIC_NEW_PERMISSION_FLAG === "true" && (
+                <Tab value={TabSections.Roles}>Roles</Tab>
+              )}
+            </TabList>
+            <TabPanel value={TabSections.Member}>
+              <motion.div
+                key="panel-1"
+                transition={{ duration: 0.15 }}
+                initial={{ opacity: 0, translateX: 30 }}
+                animate={{ opacity: 1, translateX: 0 }}
+                exit={{ opacity: 0, translateX: 30 }}
+              >
+                <OrgMembersTable roles={roles} />
+              </motion.div>
+            </TabPanel>
+            <TabPanel value={TabSections.Roles}>
+              <OrgRoleTabSection roles={roles} />
+            </TabPanel>
+          </Tabs>
+        </div>
       </div>
-    </div>
-  );
-};
+    );
+  },
+  { action: OrgGeneralPermissionActions.Read, subject: OrgPermissionSubjects.Member }
+);
diff --git a/frontend/src/views/Org/MembersPage/components/OrgMembersTable/OrgMembersTable.tsx b/frontend/src/views/Org/MembersPage/components/OrgMembersTable/OrgMembersTable.tsx
index e13a2ca0..2cdb0036 100644
--- a/frontend/src/views/Org/MembersPage/components/OrgMembersTable/OrgMembersTable.tsx
+++ b/frontend/src/views/Org/MembersPage/components/OrgMembersTable/OrgMembersTable.tsx
@@ -14,6 +14,7 @@ import { yupResolver } from "@hookform/resolvers/yup";
 import * as yup from "yup";
 
 import { useNotificationContext } from "@app/components/context/Notifications/NotificationProvider";
+import { OrgPermissionCan } from "@app/components/permissions";
 import {
   decryptAssymmetric,
   encryptAssymmetric
@@ -41,7 +42,14 @@ import {
   Tr,
   UpgradePlanModal
 } from "@app/components/v2";
-import { useOrganization, useSubscription, useUser, useWorkspace } from "@app/context";
+import {
+  OrgGeneralPermissionActions,
+  OrgPermissionSubjects,
+  useOrganization,
+  useSubscription,
+  useUser,
+  useWorkspace
+} from "@app/context";
 import { usePopUp, useToggle } from "@app/hooks";
 import {
   useAddUserToOrg,
@@ -297,27 +305,32 @@ export const OrgMembersTable = ({ roles = [] }: Props) => {
             placeholder="Search members..."
           />
         </div>
-        <Button
-          leftIcon={<FontAwesomeIcon icon={faPlus} />}
-          onClick={() => {
-            if (!isLoadingSSOConfig && ssoConfig && ssoConfig.isActive) {
-              createNotification({
-                text: "You cannot invite users when SAML SSO is configured for your organization",
-                type: "error"
-              });
-
-              return;
-            }
-
-            if (isMoreUsersNotAllowed) {
-              handlePopUpOpen("upgradePlan");
-            } else {
-              handlePopUpOpen("addMember");
-            }
-          }}
-        >
-          Add Member
-        </Button>
+        <OrgPermissionCan I={OrgGeneralPermissionActions.Create} a={OrgPermissionSubjects.Member}>
+          {(isAllowed) => (
+            <Button
+              isDisabled={!isAllowed}
+              leftIcon={<FontAwesomeIcon icon={faPlus} />}
+              onClick={() => {
+                if (!isLoadingSSOConfig && ssoConfig && ssoConfig.isActive) {
+                  createNotification({
+                    text: "You cannot invite users when SAML SSO is configured for your organization",
+                    type: "error"
+                  });
+
+                  return;
+                }
+
+                if (isMoreUsersNotAllowed) {
+                  handlePopUpOpen("upgradePlan");
+                } else {
+                  handlePopUpOpen("addMember");
+                }
+              }}
+            >
+              Add Member
+            </Button>
+          )}
+        </OrgPermissionCan>
       </div>
       <div>
         <TableContainer>
@@ -345,48 +358,59 @@ export const OrgMembersTable = ({ roles = [] }: Props) => {
                         <Td>{name}</Td>
                         <Td>{email}</Td>
                         <Td>
-                          {status === "accepted" && (
-                            <Select
-                              defaultValue={
-                                role === "custom" ? findRoleFromId(customRole)?.slug : role
-                              }
-                              isDisabled={userId === u?._id}
-                              className="w-40 bg-mineshaft-600"
-                              dropdownContainerClassName="border border-mineshaft-600 bg-mineshaft-800"
-                              onValueChange={(selectedRole) =>
-                                onRoleChange(orgMembershipId, selectedRole)
-                              }
-                            >
-                              {roles
-                                .filter(({ slug }) =>
-                                  slug === "owner" ? isIamOwner || role === "owner" : true
-                                )
-                                .map(({ slug, name: roleName }) => (
-                                  <SelectItem value={slug} key={`owner-option-${slug}`}>
-                                    {roleName}
-                                  </SelectItem>
-                                ))}
-                            </Select>
-                          )}
-                          {(status === "invited" || status === "verified") &&
-                            serverDetails?.emailConfigured && (
-                              <Button
-                                className="w-40"
-                                colorSchema="primary"
-                                variant="outline_bg"
-                                onClick={() => onAddUserToOrg(email)}
-                              >
-                                Resend Invite
-                              </Button>
+                          <OrgPermissionCan
+                            I={OrgGeneralPermissionActions.Edit}
+                            a={OrgPermissionSubjects.Member}
+                          >
+                            {(isAllowed) => (
+                              <>
+                                {status === "accepted" && (
+                                  <Select
+                                    defaultValue={
+                                      role === "custom" ? findRoleFromId(customRole)?.slug : role
+                                    }
+                                    isDisabled={userId === u?._id || !isAllowed}
+                                    className="w-40 bg-mineshaft-600"
+                                    dropdownContainerClassName="border border-mineshaft-600 bg-mineshaft-800"
+                                    onValueChange={(selectedRole) =>
+                                      onRoleChange(orgMembershipId, selectedRole)
+                                    }
+                                  >
+                                    {roles
+                                      .filter(({ slug }) =>
+                                        slug === "owner" ? isIamOwner || role === "owner" : true
+                                      )
+                                      .map(({ slug, name: roleName }) => (
+                                        <SelectItem value={slug} key={`owner-option-${slug}`}>
+                                          {roleName}
+                                        </SelectItem>
+                                      ))}
+                                  </Select>
+                                )}
+                                {(status === "invited" || status === "verified") &&
+                                  serverDetails?.emailConfigured && (
+                                    <Button
+                                      isDisabled={!isAllowed}
+                                      className="w-40"
+                                      colorSchema="primary"
+                                      variant="outline_bg"
+                                      onClick={() => onAddUserToOrg(email)}
+                                    >
+                                      Resend Invite
+                                    </Button>
+                                  )}
+                                {status === "completed" && (
+                                  <Button
+                                    colorSchema="secondary"
+                                    isDisabled={!isAllowed}
+                                    onClick={() => onGrantAccess(u?._id, u?.publicKey)}
+                                  >
+                                    Grant Access
+                                  </Button>
+                                )}
+                              </>
                             )}
-                          {status === "completed" && (
-                            <Button
-                              colorSchema="secondary"
-                              onClick={() => onGrantAccess(u?._id, u?.publicKey)}
-                            >
-                              Grant Access
-                            </Button>
-                          )}
+                          </OrgPermissionCan>
                         </Td>
                         <Td>
                           {userWs ? (
@@ -428,16 +452,23 @@ export const OrgMembersTable = ({ roles = [] }: Props) => {
                         </Td>
                         <Td>
                           {userId !== u?._id && (
-                            <IconButton
-                              ariaLabel="delete"
-                              colorSchema="danger"
-                              isDisabled={userId === u?._id}
-                              onClick={() =>
-                                handlePopUpOpen("removeMember", { id: orgMembershipId })
-                              }
+                            <OrgPermissionCan
+                              I={OrgGeneralPermissionActions.Delete}
+                              a={OrgPermissionSubjects.Member}
                             >
-                              <FontAwesomeIcon icon={faTrash} />
-                            </IconButton>
+                              {(isAllowed) => (
+                                <IconButton
+                                  ariaLabel="delete"
+                                  colorSchema="danger"
+                                  isDisabled={userId === u?._id || !isAllowed}
+                                  onClick={() =>
+                                    handlePopUpOpen("removeMember", { id: orgMembershipId })
+                                  }
+                                >
+                                  <FontAwesomeIcon icon={faTrash} />
+                                </IconButton>
+                              )}
+                            </OrgPermissionCan>
                           )}
                         </Td>
                       </Tr>
diff --git a/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/BillingPermission.tsx b/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/BillingPermission.tsx
index 6fbeac9f..5d77d63e 100644
--- a/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/BillingPermission.tsx
+++ b/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/BillingPermission.tsx
@@ -38,10 +38,9 @@ export const BillingPermission = ({ isNonEditable, setValue, control }: Props) =
   const [isCustom, setIsCustom] = useToggle();
 
   const selectedPermissionCategory = useMemo(() => {
-    let score = 0;
     const actions = Object.keys(rule || {}) as Array<keyof typeof rule>;
     const totalActions = PERMISSIONS.length;
-    actions.forEach((key) => (score += rule[key] ? 1 : 0));
+    const score = actions.map((key) => (rule[key] ? 1 : 0)).reduce((a, b) => a + b, 0 as number);
 
     if (isCustom) return Permission.Custom;
     if (score === 0) return Permission.NoAccess;
@@ -52,11 +51,14 @@ export const BillingPermission = ({ isNonEditable, setValue, control }: Props) =
   }, [rule, isCustom]);
 
   useEffect(() => {
-    selectedPermissionCategory === Permission.Custom ? setIsCustom.on() : setIsCustom.off();
+    if (selectedPermissionCategory === Permission.Custom) setIsCustom.on();
+    else setIsCustom.off();
   }, [selectedPermissionCategory]);
 
   const handlePermissionChange = (val: Permission) => {
-    val === Permission.Custom ? setIsCustom.on() : setIsCustom.off();
+    if (val === Permission.Custom) setIsCustom.on();
+    else setIsCustom.off();
+
     switch (val) {
       case Permission.NoAccess:
         setValue(
diff --git a/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/IncidentContactPermission.tsx b/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/IncidentContactPermission.tsx
index 2d92f510..14fffb76 100644
--- a/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/IncidentContactPermission.tsx
+++ b/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/IncidentContactPermission.tsx
@@ -38,10 +38,9 @@ export const IncidentContactPermission = ({ isNonEditable, setValue, control }:
   const [isCustom, setIsCustom] = useToggle();
 
   const selectedPermissionCategory = useMemo(() => {
-    let score = 0;
     const actions = Object.keys(rule || {}) as Array<keyof typeof rule>;
     const totalActions = PERMISSIONS.length;
-    actions.forEach((key) => (score += rule[key] ? 1 : 0));
+    const score = actions.map((key) => (rule[key] ? 1 : 0)).reduce((a, b) => a + b, 0 as number);
 
     if (isCustom) return Permission.Custom;
     if (score === 0) return Permission.NoAccess;
@@ -52,14 +51,16 @@ export const IncidentContactPermission = ({ isNonEditable, setValue, control }:
   }, [rule, isCustom]);
 
   useEffect(() => {
-    selectedPermissionCategory === Permission.Custom ? setIsCustom.on() : setIsCustom.off();
+    if (selectedPermissionCategory === Permission.Custom) setIsCustom.on();
+    else setIsCustom.off();
   }, [selectedPermissionCategory]);
 
   const handlePermissionChange = (val: Permission) => {
-    val === Permission.Custom ? setIsCustom.on() : setIsCustom.off();
+    if (val === Permission.Custom) setIsCustom.on();
+    else setIsCustom.off();
+
     switch (val) {
       case Permission.NoAccess:
-        setIsCustom.off();
         setValue(
           "permissions.incident-contact",
           { read: false, edit: false, create: false, delete: false },
@@ -67,7 +68,6 @@ export const IncidentContactPermission = ({ isNonEditable, setValue, control }:
         );
         break;
       case Permission.FullAccess:
-        setIsCustom.off();
         setValue(
           "permissions.incident-contact",
           { read: true, edit: true, create: true, delete: true },
@@ -75,7 +75,6 @@ export const IncidentContactPermission = ({ isNonEditable, setValue, control }:
         );
         break;
       case Permission.ReadOnly:
-        setIsCustom.off();
         setValue(
           "permissions.incident-contact",
           { read: true, edit: false, create: false, delete: false },
@@ -83,7 +82,6 @@ export const IncidentContactPermission = ({ isNonEditable, setValue, control }:
         );
         break;
       default:
-        setIsCustom.on();
         setValue(
           "permissions.incident-contact",
           { read: false, edit: false, create: false, delete: false },
diff --git a/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/MemberPermission.tsx b/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/MemberPermission.tsx
index f924e52d..de758b48 100644
--- a/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/MemberPermission.tsx
+++ b/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/MemberPermission.tsx
@@ -31,31 +31,34 @@ const PERMISSIONS = [
 ] as const;
 
 export const MemberPermission = ({ isNonEditable, setValue, control }: Props) => {
-  const memberRule = useWatch({
+  const rule = useWatch({
     control,
     name: "permissions.member"
   });
   const [isCustom, setIsCustom] = useToggle();
 
   const selectedPermissionCategory = useMemo(() => {
-    let score = 0;
-    const actions = Object.keys(memberRule || {}) as Array<keyof typeof memberRule>;
+    const actions = Object.keys(rule || {}) as Array<keyof typeof rule>;
     const totalActions = PERMISSIONS.length;
-    actions.forEach((key) => (score += memberRule[key] ? 1 : 0));
+    const score = actions.map((key) => (rule[key] ? 1 : 0)).reduce((a, b) => a + b, 0 as number);
 
     if (isCustom) return Permission.Custom;
     if (score === 0) return Permission.NoAccess;
     if (score === totalActions) return Permission.FullAccess;
-    if (score === 1 && memberRule.read) return Permission.ReadOnly;
+    if (score === 1 && rule.read) return Permission.ReadOnly;
 
     return Permission.Custom;
-  }, [memberRule, isCustom]);
+  }, [rule, isCustom]);
 
   useEffect(() => {
-    selectedPermissionCategory === Permission.Custom ? setIsCustom.on() : setIsCustom.off();
+    if (selectedPermissionCategory === Permission.Custom) setIsCustom.on();
+    else setIsCustom.off();
   }, [selectedPermissionCategory]);
 
   const handlePermissionChange = (val: Permission) => {
+    if (val === Permission.Custom) setIsCustom.on();
+    else setIsCustom.off();
+
     switch (val) {
       case Permission.NoAccess:
         setValue(
diff --git a/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/RolePermission.tsx b/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/RolePermission.tsx
index 342d8773..c7700b20 100644
--- a/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/RolePermission.tsx
+++ b/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/RolePermission.tsx
@@ -31,34 +31,36 @@ const PERMISSIONS = [
 ] as const;
 
 export const RolePermission = ({ isNonEditable, setValue, control }: Props) => {
-  const roleRule = useWatch({
+  const rule = useWatch({
     control,
     name: "permissions.role"
   });
   const [isCustom, setIsCustom] = useToggle();
 
   const selectedPermissionCategory = useMemo(() => {
-    let score = 0;
-    const actions = Object.keys(roleRule || {}) as Array<keyof typeof roleRule>;
+    const actions = Object.keys(rule || {}) as Array<keyof typeof rule>;
     const totalActions = PERMISSIONS.length;
-    actions.forEach((key) => (score += roleRule[key] ? 1 : 0));
+    const score = actions.map((key) => (rule[key] ? 1 : 0)).reduce((a, b) => a + b, 0 as number);
 
     if (isCustom) return Permission.Custom;
     if (score === 0) return Permission.NoAccess;
     if (score === totalActions) return Permission.FullAccess;
-    if (score === 1 && roleRule.read) return Permission.ReadOnly;
+    if (score === 1 && rule.read) return Permission.ReadOnly;
 
     return Permission.Custom;
-  }, [roleRule, isCustom]);
+  }, [rule, isCustom]);
 
   useEffect(() => {
-    selectedPermissionCategory === Permission.Custom ? setIsCustom.on() : setIsCustom.off();
+    if (selectedPermissionCategory === Permission.Custom) setIsCustom.on();
+    else setIsCustom.off();
   }, [selectedPermissionCategory]);
 
   const handlePermissionChange = (val: Permission) => {
+    if (val === Permission.Custom) setIsCustom.on();
+    else setIsCustom.off();
+
     switch (val) {
       case Permission.NoAccess:
-        setIsCustom.off();
         setValue(
           "permissions.role",
           { read: false, edit: false, create: false, delete: false },
@@ -66,7 +68,6 @@ export const RolePermission = ({ isNonEditable, setValue, control }: Props) => {
         );
         break;
       case Permission.FullAccess:
-        setIsCustom.off();
         setValue(
           "permissions.role",
           { read: true, edit: true, create: true, delete: true },
@@ -74,7 +75,6 @@ export const RolePermission = ({ isNonEditable, setValue, control }: Props) => {
         );
         break;
       case Permission.ReadOnly:
-        setIsCustom.off();
         setValue(
           "permissions.role",
           { read: true, edit: false, create: false, delete: false },
@@ -82,7 +82,6 @@ export const RolePermission = ({ isNonEditable, setValue, control }: Props) => {
         );
         break;
       default:
-        setIsCustom.on();
         setValue(
           "permissions.role",
           { read: false, edit: false, create: false, delete: false },
diff --git a/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/SecretScanningPermission.tsx b/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/SecretScanningPermission.tsx
index 779ea51b..37b59b6b 100644
--- a/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/SecretScanningPermission.tsx
+++ b/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/SecretScanningPermission.tsx
@@ -38,10 +38,9 @@ export const SecretScannigPermission = ({ isNonEditable, setValue, control }: Pr
   const [isCustom, setIsCustom] = useToggle();
 
   const selectedPermissionCategory = useMemo(() => {
-    let score = 0;
     const actions = Object.keys(rule || {}) as Array<keyof typeof rule>;
     const totalActions = PERMISSIONS.length;
-    actions.forEach((key) => (score += rule[key] ? 1 : 0));
+    const score = actions.map((key) => (rule[key] ? 1 : 0)).reduce((a, b) => a + b, 0 as number);
 
     if (isCustom) return Permission.Custom;
     if (score === 0) return Permission.NoAccess;
@@ -52,13 +51,16 @@ export const SecretScannigPermission = ({ isNonEditable, setValue, control }: Pr
   }, [rule, isCustom]);
 
   useEffect(() => {
-    selectedPermissionCategory === Permission.Custom ? setIsCustom.on() : setIsCustom.off();
+    if (selectedPermissionCategory === Permission.Custom) setIsCustom.on();
+    else setIsCustom.off();
   }, [selectedPermissionCategory]);
 
   const handlePermissionChange = (val: Permission) => {
+    if (val === Permission.Custom) setIsCustom.on();
+    else setIsCustom.off();
+
     switch (val) {
       case Permission.NoAccess:
-        setIsCustom.off();
         setValue(
           "permissions.secret-scanning",
           { read: false, edit: false, create: false, delete: false },
@@ -66,7 +68,6 @@ export const SecretScannigPermission = ({ isNonEditable, setValue, control }: Pr
         );
         break;
       case Permission.FullAccess:
-        setIsCustom.off();
         setValue(
           "permissions.secret-scanning",
           { read: true, edit: true, create: true, delete: true },
@@ -74,7 +75,6 @@ export const SecretScannigPermission = ({ isNonEditable, setValue, control }: Pr
         );
         break;
       case Permission.ReadOnly:
-        setIsCustom.off();
         setValue(
           "permissions.secret-scanning",
           { read: true, edit: false, create: false, delete: false },
@@ -82,7 +82,6 @@ export const SecretScannigPermission = ({ isNonEditable, setValue, control }: Pr
         );
         break;
       default:
-        setIsCustom.on();
         setValue(
           "permissions.secret-scanning",
           { read: false, edit: false, create: false, delete: false },
diff --git a/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/SettingsPermission.tsx b/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/SettingsPermission.tsx
index 0bfc821e..c574901f 100644
--- a/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/SettingsPermission.tsx
+++ b/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/SettingsPermission.tsx
@@ -38,10 +38,9 @@ export const SettingsPermission = ({ isNonEditable, setValue, control }: Props)
   const [isCustom, setIsCustom] = useToggle();
 
   const selectedPermissionCategory = useMemo(() => {
-    let score = 0;
     const actions = Object.keys(rule || {}) as Array<keyof typeof rule>;
     const totalActions = PERMISSIONS.length;
-    actions.forEach((key) => (score += rule[key] ? 1 : 0));
+    const score = actions.map((key) => (rule[key] ? 1 : 0)).reduce((a, b) => a + b, 0 as number);
 
     if (isCustom) return Permission.Custom;
     if (score === 0) return Permission.NoAccess;
@@ -52,13 +51,16 @@ export const SettingsPermission = ({ isNonEditable, setValue, control }: Props)
   }, [rule, isCustom]);
 
   useEffect(() => {
-    selectedPermissionCategory === Permission.Custom ? setIsCustom.on() : setIsCustom.off();
+    if (selectedPermissionCategory === Permission.Custom) setIsCustom.on();
+    else setIsCustom.off();
   }, [selectedPermissionCategory]);
 
   const handlePermissionChange = (val: Permission) => {
+    if (val === Permission.Custom) setIsCustom.on();
+    else setIsCustom.off();
+
     switch (val) {
       case Permission.NoAccess:
-        setIsCustom.off();
         setValue(
           "permissions.settings",
           { read: false, edit: false, create: false, delete: false },
@@ -66,7 +68,6 @@ export const SettingsPermission = ({ isNonEditable, setValue, control }: Props)
         );
         break;
       case Permission.FullAccess:
-        setIsCustom.off();
         setValue(
           "permissions.settings",
           { read: true, edit: true, create: true, delete: true },
@@ -74,7 +75,6 @@ export const SettingsPermission = ({ isNonEditable, setValue, control }: Props)
         );
         break;
       case Permission.ReadOnly:
-        setIsCustom.off();
         setValue(
           "permissions.settings",
           { read: true, edit: false, create: false, delete: false },
@@ -82,7 +82,6 @@ export const SettingsPermission = ({ isNonEditable, setValue, control }: Props)
         );
         break;
       default:
-        setIsCustom.on();
         setValue(
           "permissions.settings",
           { read: false, edit: false, create: false, delete: false },
diff --git a/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/SsoPermission.tsx b/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/SsoPermission.tsx
index 25ae2438..3d6493fe 100644
--- a/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/SsoPermission.tsx
+++ b/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/SsoPermission.tsx
@@ -38,10 +38,9 @@ export const SsoPermission = ({ isNonEditable, setValue, control }: Props) => {
   const [isCustom, setIsCustom] = useToggle();
 
   const selectedPermissionCategory = useMemo(() => {
-    let score = 0;
     const actions = Object.keys(rule || {}) as Array<keyof typeof rule>;
     const totalActions = PERMISSIONS.length;
-    actions.forEach((key) => (score += rule[key] ? 1 : 0));
+    const score = actions.map((key) => (rule[key] ? 1 : 0)).reduce((a, b) => a + b, 0 as number);
 
     if (isCustom) return Permission.Custom;
     if (score === 0) return Permission.NoAccess;
@@ -52,13 +51,16 @@ export const SsoPermission = ({ isNonEditable, setValue, control }: Props) => {
   }, [rule, isCustom]);
 
   useEffect(() => {
-    selectedPermissionCategory === Permission.Custom ? setIsCustom.on() : setIsCustom.off();
+    if (selectedPermissionCategory === Permission.Custom) setIsCustom.on();
+    else setIsCustom.off();
   }, [selectedPermissionCategory]);
 
   const handlePermissionChange = (val: Permission) => {
+    if (val === Permission.Custom) setIsCustom.on();
+    else setIsCustom.off();
+
     switch (val) {
       case Permission.NoAccess:
-        setIsCustom.off();
         setValue(
           "permissions.sso",
           { read: false, edit: false, create: false, delete: false },
@@ -66,7 +68,6 @@ export const SsoPermission = ({ isNonEditable, setValue, control }: Props) => {
         );
         break;
       case Permission.FullAccess:
-        setIsCustom.off();
         setValue(
           "permissions.sso",
           { read: true, edit: true, create: true, delete: true },
@@ -74,7 +75,6 @@ export const SsoPermission = ({ isNonEditable, setValue, control }: Props) => {
         );
         break;
       case Permission.ReadOnly:
-        setIsCustom.off();
         setValue(
           "permissions.sso",
           { read: true, edit: false, create: false, delete: false },
@@ -82,7 +82,6 @@ export const SsoPermission = ({ isNonEditable, setValue, control }: Props) => {
         );
         break;
       default:
-        setIsCustom.on();
         setValue(
           "permissions.sso",
           { read: false, edit: false, create: false, delete: false },
diff --git a/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/WorkspacePermission.tsx b/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/WorkspacePermission.tsx
index b8fcf4b6..8e1abc87 100644
--- a/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/WorkspacePermission.tsx
+++ b/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/WorkspacePermission.tsx
@@ -36,10 +36,9 @@ export const WorkspacePermission = ({ isNonEditable, setValue, control }: Props)
   const [isCustom, setIsCustom] = useToggle();
 
   const selectedPermissionCategory = useMemo(() => {
-    let score = 0;
     const actions = Object.keys(rule || {}) as Array<keyof typeof rule>;
     const totalActions = PERMISSIONS.length;
-    actions.forEach((key) => (score += rule[key] ? 1 : 0));
+    const score = actions.map((key) => (rule[key] ? 1 : 0)).reduce((a, b) => a + b, 0 as number);
 
     if (isCustom) return Permission.Custom;
     if (score === 0) return Permission.NoAccess;
@@ -50,11 +49,14 @@ export const WorkspacePermission = ({ isNonEditable, setValue, control }: Props)
   }, [rule, isCustom]);
 
   useEffect(() => {
-    selectedPermissionCategory === Permission.Custom ? setIsCustom.on() : setIsCustom.off();
+    if (selectedPermissionCategory === Permission.Custom) setIsCustom.on();
+    else setIsCustom.off();
   }, [selectedPermissionCategory]);
 
   const handlePermissionChange = (val: Permission) => {
-    val === Permission.Custom ? setIsCustom.on() : setIsCustom.off();
+    if (val === Permission.Custom) setIsCustom.on();
+    else setIsCustom.off();
+
     switch (val) {
       case Permission.NoAccess:
         setValue("permissions.workspace", { read: false, create: false }, { shouldDirty: true });
diff --git a/frontend/src/views/SecretScanning/components/RiskStatusSelection.tsx b/frontend/src/views/SecretScanning/components/RiskStatusSelection.tsx
index 54b66725..e434f653 100644
--- a/frontend/src/views/SecretScanning/components/RiskStatusSelection.tsx
+++ b/frontend/src/views/SecretScanning/components/RiskStatusSelection.tsx
@@ -1,28 +1,47 @@
 import { useEffect, useState } from "react";
 
+import { OrgPermissionCan } from "@app/components/permissions";
+import { OrgGeneralPermissionActions, OrgPermissionSubjects } from "@app/context";
 import updateRiskStatus, { RiskStatus } from "@app/pages/api/secret-scanning/updateRiskStatus";
 
-export const RiskStatusSelection = ({riskId, currentSelection}: {riskId: any, currentSelection: any }) => {
-    const [selectedRiskStatus, setSelectedRiskStatus] = useState(currentSelection);
-    useEffect(()=>{
-        if (currentSelection !== selectedRiskStatus){
-            const updateSelection = async () =>{ 
-                await updateRiskStatus(String(localStorage.getItem("orgData.id")), riskId, selectedRiskStatus)
-            }
-            updateSelection()
-        }
-    },[selectedRiskStatus])
+export const RiskStatusSelection = ({
+  riskId,
+  currentSelection
+}: {
+  riskId: any;
+  currentSelection: any;
+}) => {
+  const [selectedRiskStatus, setSelectedRiskStatus] = useState(currentSelection);
+  useEffect(() => {
+    if (currentSelection !== selectedRiskStatus) {
+      const updateSelection = async () => {
+        await updateRiskStatus(
+          String(localStorage.getItem("orgData.id")),
+          riskId,
+          selectedRiskStatus
+        );
+      };
+      updateSelection();
+    }
+  }, [selectedRiskStatus]);
 
-    return (
-    <select
-        value={selectedRiskStatus}
-        onChange={(e) => setSelectedRiskStatus(e.target.value)}
-        className="block w-full py-2 px-3 rounded-md shadow-sm focus:outline-none focus:ring-blue-500 focus:border-blue-500"
-    >
-        <option>Unresolved</option>
-        <option value={RiskStatus.RESOLVED_FALSE_POSITIVE}>This is a false positive, resolved</option>
-        <option value={RiskStatus.RESOLVED_REVOKED}>I have rotated the secret, resolved</option>
-        <option value={RiskStatus.RESOLVED_NOT_REVOKED}>No rotate needed, resolved</option>
-    </select>         
-    );
-}
\ No newline at end of file
+  return (
+    <OrgPermissionCan I={OrgGeneralPermissionActions.Edit} a={OrgPermissionSubjects.SecretScanning}>
+      {(isAllowed) => (
+        <select
+          disabled={!isAllowed}
+          value={selectedRiskStatus}
+          onChange={(e) => setSelectedRiskStatus(e.target.value)}
+          className="block w-full py-2 px-3 rounded-md shadow-sm focus:outline-none focus:ring-blue-500 focus:border-blue-500"
+        >
+          <option>Unresolved</option>
+          <option value={RiskStatus.RESOLVED_FALSE_POSITIVE}>
+            This is a false positive, resolved
+          </option>
+          <option value={RiskStatus.RESOLVED_REVOKED}>I have rotated the secret, resolved</option>
+          <option value={RiskStatus.RESOLVED_NOT_REVOKED}>No rotate needed, resolved</option>
+        </select>
+      )}
+    </OrgPermissionCan>
+  );
+};
diff --git a/frontend/src/views/Settings/BillingSettingsPage/components/BillingCloudTab/PreviewSection.tsx b/frontend/src/views/Settings/BillingSettingsPage/components/BillingCloudTab/PreviewSection.tsx
index 9dd75136..fe7b03ac 100644
--- a/frontend/src/views/Settings/BillingSettingsPage/components/BillingCloudTab/PreviewSection.tsx
+++ b/frontend/src/views/Settings/BillingSettingsPage/components/BillingCloudTab/PreviewSection.tsx
@@ -1,125 +1,148 @@
+import { OrgPermissionCan } from "@app/components/permissions";
 import { Button } from "@app/components/v2";
-import { useOrganization,useSubscription  } from "@app/context";
-import { 
-    useCreateCustomerPortalSession,
-    useGetOrgPlanBillingInfo,
-    useGetOrgTrialUrl
+import {
+  OrgGeneralPermissionActions,
+  OrgPermissionSubjects,
+  useOrganization,
+  useSubscription
+} from "@app/context";
+import {
+  useCreateCustomerPortalSession,
+  useGetOrgPlanBillingInfo,
+  useGetOrgTrialUrl
 } from "@app/hooks/api";
 import { usePopUp } from "@app/hooks/usePopUp";
 
 import { ManagePlansModal } from "./ManagePlansModal";
 
 export const PreviewSection = () => {
-    const { currentOrg } = useOrganization();
-    const { subscription } = useSubscription();
-    const { data, isLoading } = useGetOrgPlanBillingInfo(currentOrg?._id ?? "");
-    const getOrgTrialUrl = useGetOrgTrialUrl();
-    const createCustomerPortalSession = useCreateCustomerPortalSession();
-    
-    const { popUp, handlePopUpOpen, handlePopUpToggle } = usePopUp([
-        "managePlan"
-    ] as const);
-    
-    const formatAmount = (amount: number) => {
-        const formattedTotal = (Math.floor(amount) / 100).toLocaleString("en-US", {
-            style: "currency",
-            currency: "USD",
+  const { currentOrg } = useOrganization();
+  const { subscription } = useSubscription();
+  const { data, isLoading } = useGetOrgPlanBillingInfo(currentOrg?._id ?? "");
+  const getOrgTrialUrl = useGetOrgTrialUrl();
+  const createCustomerPortalSession = useCreateCustomerPortalSession();
+
+  const { popUp, handlePopUpOpen, handlePopUpToggle } = usePopUp(["managePlan"] as const);
+
+  const formatAmount = (amount: number) => {
+    const formattedTotal = (Math.floor(amount) / 100).toLocaleString("en-US", {
+      style: "currency",
+      currency: "USD"
+    });
+
+    return formattedTotal;
+  };
+
+  const formatDate = (date: number) => {
+    const createdDate = new Date(date * 1000);
+    const day: number = createdDate.getDate();
+    const month: number = createdDate.getMonth() + 1;
+    const year: number = createdDate.getFullYear();
+    const formattedDate: string = `${day}/${month}/${year}`;
+
+    return formattedDate;
+  };
+
+  function formatPlanSlug(slug: string) {
+    return slug.replace(/(\b[a-z])/g, (match) => match.toUpperCase()).replace(/-/g, " ");
+  }
+
+  const handleUpgradeBtnClick = async () => {
+    try {
+      if (!subscription || !currentOrg) return;
+
+      if (!subscription.has_used_trial) {
+        // direct user to start pro trial
+        const url = await getOrgTrialUrl.mutateAsync({
+          orgId: currentOrg._id,
+          success_url: window.location.href
         });
-        
-        return formattedTotal;
-    }
-    
-    const formatDate = (date: number) => {
-        const createdDate = new Date(date * 1000);
-        const day: number = createdDate.getDate();
-        const month: number = createdDate.getMonth() + 1;
-        const year: number = createdDate.getFullYear();
-        const formattedDate: string = `${day}/${month}/${year}`;
-        
-        return formattedDate;
-    }
 
-    function formatPlanSlug(slug: string) {
-        return slug
-            .replace(/(\b[a-z])/g, match => match.toUpperCase())
-            .replace(/-/g, " ");
-    }
-    
-    const handleUpgradeBtnClick = async () => {
-        try {
-            if (!subscription || !currentOrg) return;
-            
-            if (!subscription.has_used_trial) {
-                // direct user to start pro trial
-                const url = await getOrgTrialUrl.mutateAsync({
-                    orgId: currentOrg._id,
-                    success_url: window.location.href
-                });
-                
-                window.location.href = url;
-            } else {
-                // open compare plans modal
-                handlePopUpOpen("managePlan");
-            }
-        } catch (err) {
-            console.error(err);
-        }
+        window.location.href = url;
+      } else {
+        // open compare plans modal
+        handlePopUpOpen("managePlan");
+      }
+    } catch (err) {
+      console.error(err);
     }
-    
-    return (
-        <div>
-            {subscription && subscription?.slug !== "enterprise" && subscription?.slug !== "pro" && subscription?.slug !== "pro-annual" && (
-                <div className="p-4 bg-mineshaft-900 rounded-lg flex-1 border border-mineshaft-600 mb-6 flex items-center bg-mineshaft-600">
-                    <div className="flex-1">
-                        <h2 className="text-xl font-semibold text-mineshaft-50">Become Infisical</h2>
-                        <p className="text-gray-400 mt-4">Unlimited members, projects, RBAC, smart alerts, and so much more</p>
-                    </div>
-                    <Button 
-                        // onClick={() => handlePopUpOpen("managePlan")}
-                        onClick={() => handleUpgradeBtnClick()}
-                        color="mineshaft"
-                    >
-                        {!subscription.has_used_trial ? "Start Pro Free Trial" : "Upgrade Plan"}
-                    </Button>
-                </div>
-            )}
-            {!isLoading && subscription && data && (
-                <div className="flex mb-6">
-                    <div className="p-4 bg-mineshaft-900 rounded-lg flex-1 mr-4 border border-mineshaft-600">
-                        <p className="mb-2 text-gray-400">Current plan</p>
-                        <p className="text-2xl text-mineshaft-50 font-semibold mb-8"> 
-                            {`${formatPlanSlug(subscription.slug)} ${subscription.status === "trialing" ? "(Trial)" : ""}`}
-                        </p>
-                        <button 
-                            type="button"
-                            onClick={async () => {
-                                 if (!currentOrg?._id) return;
-                                const { url } = await createCustomerPortalSession.mutateAsync(currentOrg._id);
-                                window.location.href = url;
-                            }}
-                            className="text-primary"
-                        >
-                            Manage plan &rarr; 
-                        </button>
-                    </div>
-                    <div className="p-4 bg-mineshaft-900 rounded-lg flex-1 border border-mineshaft-600 mr-4">
-                        <p className="mb-2 text-gray-400">Price</p>
-                        <p className="text-2xl mb-8 text-mineshaft-50 font-semibold">
-                            {subscription.status === "trialing" ? "$0.00 / month" : `${formatAmount(data.amount)} / ${data.interval}`}
-                        </p>
-                    </div>
-                    <div className="p-4 bg-mineshaft-900 rounded-lg flex-1 border border-mineshaft-600">
-                        <p className="mb-2 text-gray-400">Subscription renews on</p>
-                        <p className="text-2xl mb-8 text-mineshaft-50 font-semibold">
-                            {formatDate(data.currentPeriodEnd)}
-                        </p>
-                    </div>
-                </div>
-            )}
-            <ManagePlansModal 
-                popUp={popUp}
-                handlePopUpToggle={handlePopUpToggle}
-            />
+  };
+
+  return (
+    <div>
+      {subscription &&
+        subscription?.slug !== "enterprise" &&
+        subscription?.slug !== "pro" &&
+        subscription?.slug !== "pro-annual" && (
+          <div className="p-4 rounded-lg flex-1 border border-mineshaft-600 mb-6 flex items-center bg-mineshaft-600">
+            <div className="flex-1">
+              <h2 className="text-xl font-semibold text-mineshaft-50">Become Infisical</h2>
+              <p className="text-gray-400 mt-4">
+                Unlimited members, projects, RBAC, smart alerts, and so much more
+              </p>
+            </div>
+            <OrgPermissionCan
+              I={OrgGeneralPermissionActions.Create}
+              a={OrgPermissionSubjects.Billing}
+            >
+              {(isAllowed) => (
+                <Button
+                  onClick={() => handleUpgradeBtnClick()}
+                  color="mineshaft"
+                  isDisabled={!isAllowed}
+                >
+                  {!subscription.has_used_trial ? "Start Pro Free Trial" : "Upgrade Plan"}
+                </Button>
+              )}
+            </OrgPermissionCan>
+          </div>
+        )}
+      {!isLoading && subscription && data && (
+        <div className="flex mb-6">
+          <div className="p-4 bg-mineshaft-900 rounded-lg flex-1 mr-4 border border-mineshaft-600">
+            <p className="mb-2 text-gray-400">Current plan</p>
+            <p className="text-2xl text-mineshaft-50 font-semibold mb-8">
+              {`${formatPlanSlug(subscription.slug)} ${
+                subscription.status === "trialing" ? "(Trial)" : ""
+              }`}
+            </p>
+            <OrgPermissionCan
+              I={OrgGeneralPermissionActions.Edit}
+              a={OrgPermissionSubjects.Billing}
+            >
+              {(isAllowed) => (
+                <button
+                  type="button"
+                  onClick={async () => {
+                    if (!currentOrg?._id) return;
+                    const { url } = await createCustomerPortalSession.mutateAsync(currentOrg._id);
+                    window.location.href = url;
+                  }}
+                  disabled={!isAllowed}
+                  className="text-primary"
+                >
+                  Manage plan &rarr;
+                </button>
+              )}
+            </OrgPermissionCan>
+          </div>
+          <div className="p-4 bg-mineshaft-900 rounded-lg flex-1 border border-mineshaft-600 mr-4">
+            <p className="mb-2 text-gray-400">Price</p>
+            <p className="text-2xl mb-8 text-mineshaft-50 font-semibold">
+              {subscription.status === "trialing"
+                ? "$0.00 / month"
+                : `${formatAmount(data.amount)} / ${data.interval}`}
+            </p>
+          </div>
+          <div className="p-4 bg-mineshaft-900 rounded-lg flex-1 border border-mineshaft-600">
+            <p className="mb-2 text-gray-400">Subscription renews on</p>
+            <p className="text-2xl mb-8 text-mineshaft-50 font-semibold">
+              {formatDate(data.currentPeriodEnd)}
+            </p>
+          </div>
         </div>
-    );
-}
\ No newline at end of file
+      )}
+      <ManagePlansModal popUp={popUp} handlePopUpToggle={handlePopUpToggle} />
+    </div>
+  );
+};
diff --git a/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/CompanyNameSection.tsx b/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/CompanyNameSection.tsx
index 0f27757f..a11d053c 100644
--- a/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/CompanyNameSection.tsx
+++ b/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/CompanyNameSection.tsx
@@ -1,98 +1,92 @@
 import { useEffect } from "react";
-import { Controller, useForm } from "react-hook-form"; 
+import { Controller, useForm } from "react-hook-form";
 import { yupResolver } from "@hookform/resolvers/yup";
 import * as yup from "yup";
 
 import { useNotificationContext } from "@app/components/context/Notifications/NotificationProvider";
-import { 
-    Button,
-    FormControl,
-    Input
-} from "@app/components/v2";
-import { useOrganization } from "@app/context";
-import { 
-    useGetOrgBillingDetails,
-    useUpdateOrgBillingDetails
-} from "@app/hooks/api";
+import { OrgPermissionCan } from "@app/components/permissions";
+import { Button, FormControl, Input } from "@app/components/v2";
+import { OrgGeneralPermissionActions, OrgPermissionSubjects, useOrganization } from "@app/context";
+import { useGetOrgBillingDetails, useUpdateOrgBillingDetails } from "@app/hooks/api";
 
-const schema = yup.object({
+const schema = yup
+  .object({
     name: yup.string().required("Company name is required")
-}).required();
+  })
+  .required();
 
 export const CompanyNameSection = () => {
-    const { createNotification } = useNotificationContext();
-    const { currentOrg } = useOrganization();
-    const { reset, control, handleSubmit } = useForm({
-        defaultValues: {
-            name: ""
-        },
-        resolver: yupResolver(schema)
-    });
-    const { data } = useGetOrgBillingDetails(currentOrg?._id ?? "");
-    const { mutateAsync, isLoading } = useUpdateOrgBillingDetails();
-    
-    useEffect(() => {
-        if (data) {
-            reset({
-                name: data?.name ?? ""
-            });
-        }
-    }, [data]);
-    
-    const onFormSubmit = async ({ name }: { name: string }) => {
-        try {
-            if (!currentOrg?._id) return;
-            if (name === "") return;
-            await mutateAsync({
-                name,
-                organizationId: currentOrg._id
-            });
-        
-            createNotification({
-                text: "Successfully updated business name",
-                type: "success"
-            });
-        } catch (err) {
-            console.error(err);
-            createNotification({
-                text: "Failed to update business name",
-                type: "error"
-            });
-        }
+  const { createNotification } = useNotificationContext();
+  const { currentOrg } = useOrganization();
+  const { reset, control, handleSubmit } = useForm({
+    defaultValues: {
+      name: ""
+    },
+    resolver: yupResolver(schema)
+  });
+  const { data } = useGetOrgBillingDetails(currentOrg?._id ?? "");
+  const { mutateAsync, isLoading } = useUpdateOrgBillingDetails();
+
+  useEffect(() => {
+    if (data) {
+      reset({
+        name: data?.name ?? ""
+      });
+    }
+  }, [data]);
+
+  const onFormSubmit = async ({ name }: { name: string }) => {
+    try {
+      if (!currentOrg?._id) return;
+      if (name === "") return;
+      await mutateAsync({
+        name,
+        organizationId: currentOrg._id
+      });
+
+      createNotification({
+        text: "Successfully updated business name",
+        type: "success"
+      });
+    } catch (err) {
+      console.error(err);
+      createNotification({
+        text: "Failed to update business name",
+        type: "error"
+      });
     }
+  };
 
-    return (
-        <form 
-            onSubmit={handleSubmit(onFormSubmit)}
-            className="p-4 bg-mineshaft-900 mb-6 rounded-lg border border-mineshaft-600"
-        >
-            <h2 className="text-xl font-semibold flex-1 text-mineshaft-100 mb-8">
-                Business name
-            </h2>
-            <div className="max-w-md">
-                <Controller
-                    defaultValue=""
-                    render={({ field, fieldState: { error } }) => (
-                        <FormControl isError={Boolean(error)} errorText={error?.message}>
-                            <Input 
-                                placeholder="Acme Corp" 
-                                {...field} 
-                                className="bg-mineshaft-800" 
-                            />
-                        </FormControl>
-                    )}
-                    control={control}
-                    name="name"
-                />
-            </div>
-            <Button
-                type="submit"
-                colorSchema="secondary"
-                isLoading={isLoading}
-                isDisabled={isLoading}
-            >
-                Save
-            </Button>
-        </form>
-    );
-}
\ No newline at end of file
+  return (
+    <form
+      onSubmit={handleSubmit(onFormSubmit)}
+      className="p-4 bg-mineshaft-900 mb-6 rounded-lg border border-mineshaft-600"
+    >
+      <h2 className="text-xl font-semibold flex-1 text-mineshaft-100 mb-8">Business name</h2>
+      <div className="max-w-md">
+        <Controller
+          defaultValue=""
+          render={({ field, fieldState: { error } }) => (
+            <FormControl isError={Boolean(error)} errorText={error?.message}>
+              <Input placeholder="Acme Corp" {...field} className="bg-mineshaft-800" />
+            </FormControl>
+          )}
+          control={control}
+          name="name"
+        />
+      </div>
+      <OrgPermissionCan I={OrgGeneralPermissionActions.Edit} a={OrgPermissionSubjects.Billing}>
+        {(isAllowed) => (
+          <Button
+            type="submit"
+            colorSchema="secondary"
+            isLoading={isLoading}
+            isDisabled={isLoading || !isAllowed}
+          >
+            Save
+          </Button>
+        )}
+      </OrgPermissionCan>
+    </form>
+  );
+};
diff --git a/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/InvoiceEmailSection.tsx b/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/InvoiceEmailSection.tsx
index 441cb9cb..10bc836f 100644
--- a/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/InvoiceEmailSection.tsx
+++ b/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/InvoiceEmailSection.tsx
@@ -1,97 +1,93 @@
 import { useEffect } from "react";
-import { Controller, useForm } from "react-hook-form"; 
+import { Controller, useForm } from "react-hook-form";
 import { yupResolver } from "@hookform/resolvers/yup";
 import * as yup from "yup";
 
 import { useNotificationContext } from "@app/components/context/Notifications/NotificationProvider";
-import {
-  Button,
-  FormControl,
-  Input} from "@app/components/v2";
-import { useOrganization } from "@app/context";
-import { 
-    useGetOrgBillingDetails,
-    useUpdateOrgBillingDetails
-} from "@app/hooks/api";
+import { OrgPermissionCan } from "@app/components/permissions";
+import { Button, FormControl, Input } from "@app/components/v2";
+import { OrgGeneralPermissionActions, OrgPermissionSubjects, useOrganization } from "@app/context";
+import { useGetOrgBillingDetails, useUpdateOrgBillingDetails } from "@app/hooks/api";
 
-const schema = yup.object({
+const schema = yup
+  .object({
     email: yup.string().required("Email is required")
-}).required();
+  })
+  .required();
 
 export const InvoiceEmailSection = () => {
-    const { createNotification } = useNotificationContext();
-    const { currentOrg } = useOrganization();
-    const { reset, control, handleSubmit } = useForm({
-        defaultValues: {
-            email: ""
-        },
-        resolver: yupResolver(schema)
-    });
-    const { data } = useGetOrgBillingDetails(currentOrg?._id ?? "");
-    const { mutateAsync, isLoading } = useUpdateOrgBillingDetails();
+  const { createNotification } = useNotificationContext();
+  const { currentOrg } = useOrganization();
+  const { reset, control, handleSubmit } = useForm({
+    defaultValues: {
+      email: ""
+    },
+    resolver: yupResolver(schema)
+  });
+  const { data } = useGetOrgBillingDetails(currentOrg?._id ?? "");
+  const { mutateAsync, isLoading } = useUpdateOrgBillingDetails();
 
-    useEffect(() => {
-        if (data) {
-            reset({
-                email: data?.email ?? ""
-            });
-        }
-    }, [data]);
+  useEffect(() => {
+    if (data) {
+      reset({
+        email: data?.email ?? ""
+      });
+    }
+  }, [data]);
+
+  const onFormSubmit = async ({ email }: { email: string }) => {
+    try {
+      if (!currentOrg?._id) return;
+      if (email === "") return;
 
-    const onFormSubmit = async ({ email }: { email: string }) => {
-        try {
-            if (!currentOrg?._id) return;
-            if (email === "") return;
+      await mutateAsync({
+        email,
+        organizationId: currentOrg._id
+      });
 
-            await mutateAsync({
-                email,
-                organizationId: currentOrg._id
-            });
-            
-            createNotification({
-                text: "Successfully updated invoice email recipient",
-                type: "success"
-            });
-        } catch (err) {
-            console.error(err);
-            createNotification({
-                text: "Failed to update invoice email recipient",
-                type: "error"
-            });
-        }
+      createNotification({
+        text: "Successfully updated invoice email recipient",
+        type: "success"
+      });
+    } catch (err) {
+      console.error(err);
+      createNotification({
+        text: "Failed to update invoice email recipient",
+        type: "error"
+      });
     }
+  };
 
-    return (
-        <form 
-            onSubmit={handleSubmit(onFormSubmit)}
-            className="p-4 bg-mineshaft-900 mb-6 rounded-lg border border-mineshaft-600"
-        >
-            <h2 className="text-xl font-semibold flex-1 text-white mb-8">
-                Invoice email recipient
-            </h2>
-            <div className="max-w-md">
-                <Controller
-                    defaultValue=""
-                    render={({ field, fieldState: { error } }) => (
-                        <FormControl isError={Boolean(error)} errorText={error?.message}>
-                            <Input 
-                                placeholder="jane@acme.com" 
-                                {...field} 
-                                className="bg-mineshaft-800" 
-                            />
-                        </FormControl>
-                    )}
-                    control={control}
-                    name="email"
-                />
-            </div>
-            <Button
-                type="submit"
-                colorSchema="secondary"
-                isLoading={isLoading}
-            >
-                Save
-            </Button>
-        </form>
-    );
-}
\ No newline at end of file
+  return (
+    <form
+      onSubmit={handleSubmit(onFormSubmit)}
+      className="p-4 bg-mineshaft-900 mb-6 rounded-lg border border-mineshaft-600"
+    >
+      <h2 className="text-xl font-semibold flex-1 text-white mb-8">Invoice email recipient</h2>
+      <div className="max-w-md">
+        <Controller
+          defaultValue=""
+          render={({ field, fieldState: { error } }) => (
+            <FormControl isError={Boolean(error)} errorText={error?.message}>
+              <Input placeholder="jane@acme.com" {...field} className="bg-mineshaft-800" />
+            </FormControl>
+          )}
+          control={control}
+          name="email"
+        />
+      </div>
+      <OrgPermissionCan I={OrgGeneralPermissionActions.Edit} a={OrgPermissionSubjects.Billing}>
+        {(isAllowed) => (
+          <Button
+            type="submit"
+            colorSchema="secondary"
+            isLoading={isLoading}
+            isDisabled={isLoading || !isAllowed}
+          >
+            Save
+          </Button>
+        )}
+      </OrgPermissionCan>
+    </form>
+  );
+};
diff --git a/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/PmtMethodsSection.tsx b/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/PmtMethodsSection.tsx
index a124813e..011006db 100644
--- a/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/PmtMethodsSection.tsx
+++ b/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/PmtMethodsSection.tsx
@@ -1,46 +1,47 @@
-
 import { faPlus } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
-import {
-  Button
-} from "@app/components/v2";
-import { useOrganization } from "@app/context";
+import { OrgPermissionCan } from "@app/components/permissions";
+import { Button } from "@app/components/v2";
+import { OrgGeneralPermissionActions, OrgPermissionSubjects, useOrganization } from "@app/context";
 import { useAddOrgPmtMethod } from "@app/hooks/api";
 
 import { PmtMethodsTable } from "./PmtMethodsTable";
 
 export const PmtMethodsSection = () => {
-    const { currentOrg } = useOrganization();
-    const { mutateAsync, isLoading } = useAddOrgPmtMethod();
-    
-    const handleAddPmtMethodBtnClick = async () => {
-        if (!currentOrg?._id) return;
-        const url = await mutateAsync({
-            organizationId: currentOrg._id,
-            success_url: window.location.href,
-            cancel_url: window.location.href
-        });
-        
-        window.location.href = url;
-    }
-    
-    return (
-        <div className="p-4 bg-mineshaft-900 mb-6 rounded-lg border border-mineshaft-600">
-            <div className="flex items-center mb-8">
-                <h2 className="text-xl font-semibold flex-1 text-white">
-                    Payment methods
-                </h2>
-                <Button
-                    onClick={handleAddPmtMethodBtnClick}
-                    colorSchema="secondary"
-                    isLoading={isLoading}
-                    leftIcon={<FontAwesomeIcon icon={faPlus} />}
-                >
-                    Add method
-                </Button>
-            </div>
-            <PmtMethodsTable />
-        </div>
-    );
-}
\ No newline at end of file
+  const { currentOrg } = useOrganization();
+  const { mutateAsync, isLoading } = useAddOrgPmtMethod();
+
+  const handleAddPmtMethodBtnClick = async () => {
+    if (!currentOrg?._id) return;
+    const url = await mutateAsync({
+      organizationId: currentOrg._id,
+      success_url: window.location.href,
+      cancel_url: window.location.href
+    });
+
+    window.location.href = url;
+  };
+
+  return (
+    <div className="p-4 bg-mineshaft-900 mb-6 rounded-lg border border-mineshaft-600">
+      <div className="flex items-center mb-8">
+        <h2 className="text-xl font-semibold flex-1 text-white">Payment methods</h2>
+        <OrgPermissionCan I={OrgGeneralPermissionActions.Create} a={OrgPermissionSubjects.Billing}>
+          {(isAllowed) => (
+            <Button
+              onClick={handleAddPmtMethodBtnClick}
+              colorSchema="secondary"
+              isLoading={isLoading}
+              leftIcon={<FontAwesomeIcon icon={faPlus} />}
+              isDisabled={!isAllowed}
+            >
+              Add method
+            </Button>
+          )}
+        </OrgPermissionCan>
+      </div>
+      <PmtMethodsTable />
+    </div>
+  );
+};
diff --git a/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/PmtMethodsTable.tsx b/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/PmtMethodsTable.tsx
index 17f4fd21..6818dbb6 100644
--- a/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/PmtMethodsTable.tsx
+++ b/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/PmtMethodsTable.tsx
@@ -1,6 +1,7 @@
 import { faCreditCard, faXmark } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
+import { OrgPermissionCan } from "@app/components/permissions";
 import {
   EmptyState,
   IconButton,
@@ -13,7 +14,7 @@ import {
   THead,
   Tr
 } from "@app/components/v2";
-import { useOrganization } from "@app/context";
+import { OrgGeneralPermissionActions, OrgPermissionSubjects, useOrganization } from "@app/context";
 import { useDeleteOrgPmtMethod, useGetOrgPmtMethods } from "@app/hooks/api";
 
 export const PmtMethodsTable = () => {
@@ -52,17 +53,25 @@ export const PmtMethodsTable = () => {
                 <Td>{last4}</Td>
                 <Td>{`${exp_month}/${exp_year}`}</Td>
                 <Td>
-                  <IconButton
-                    onClick={async () => {
-                      await handleDeletePmtMethodBtnClick(_id);
-                    }}
-                    size="lg"
-                    colorSchema="danger"
-                    variant="plain"
-                    ariaLabel="update"
+                  <OrgPermissionCan
+                    I={OrgGeneralPermissionActions.Delete}
+                    a={OrgPermissionSubjects.Billing}
                   >
-                    <FontAwesomeIcon icon={faXmark} />
-                  </IconButton>
+                    {(isAllowed) => (
+                      <IconButton
+                        onClick={async () => {
+                          await handleDeletePmtMethodBtnClick(_id);
+                        }}
+                        size="lg"
+                        isDisabled={!isAllowed}
+                        colorSchema="danger"
+                        variant="plain"
+                        ariaLabel="update"
+                      >
+                        <FontAwesomeIcon icon={faXmark} />
+                      </IconButton>
+                    )}
+                  </OrgPermissionCan>
                 </Td>
               </Tr>
             ))}
diff --git a/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/TaxIDSection.tsx b/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/TaxIDSection.tsx
index 198e02f6..5e388461 100644
--- a/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/TaxIDSection.tsx
+++ b/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/TaxIDSection.tsx
@@ -1,38 +1,42 @@
-
 import { faPlus } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
+import { OrgPermissionCan } from "@app/components/permissions";
 import { Button } from "@app/components/v2";
+import { OrgGeneralPermissionActions, OrgPermissionSubjects } from "@app/context";
 import { usePopUp } from "@app/hooks/usePopUp";
 
 import { TaxIDModal } from "./TaxIDModal";
 import { TaxIDTable } from "./TaxIDTable";
 
 export const TaxIDSection = () => {
-    const { popUp, handlePopUpOpen, handlePopUpClose, handlePopUpToggle } = usePopUp([
-        "addTaxID"
-    ] as const);
+  const { popUp, handlePopUpOpen, handlePopUpClose, handlePopUpToggle } = usePopUp([
+    "addTaxID"
+  ] as const);
 
-    return (
-        <div className="p-4 bg-mineshaft-900 mb-6 rounded-lg border border-mineshaft-600">
-            <div className="flex items-center mb-8">
-                <h2 className="text-xl font-semibold flex-1 text-white">
-                    Tax ID
-                </h2>
-                <Button
-                    onClick={() => handlePopUpOpen("addTaxID")}
-                    colorSchema="secondary"
-                    leftIcon={<FontAwesomeIcon icon={faPlus} />}
-                >
-                    Add method
-                </Button>
-            </div>
-            <TaxIDTable />
-            <TaxIDModal 
-                popUp={popUp}
-                handlePopUpClose={handlePopUpClose}
-                handlePopUpToggle={handlePopUpToggle}
-            />
-        </div>    
-    );
-}
\ No newline at end of file
+  return (
+    <div className="p-4 bg-mineshaft-900 mb-6 rounded-lg border border-mineshaft-600">
+      <div className="flex items-center mb-8">
+        <h2 className="text-xl font-semibold flex-1 text-white">Tax ID</h2>
+        <OrgPermissionCan I={OrgGeneralPermissionActions.Edit} a={OrgPermissionSubjects.Billing}>
+          {(isAllowed) => (
+            <Button
+              onClick={() => handlePopUpOpen("addTaxID")}
+              colorSchema="secondary"
+              isDisabled={!isAllowed}
+              leftIcon={<FontAwesomeIcon icon={faPlus} />}
+            >
+              Add method
+            </Button>
+          )}
+        </OrgPermissionCan>
+      </div>
+      <TaxIDTable />
+      <TaxIDModal
+        popUp={popUp}
+        handlePopUpClose={handlePopUpClose}
+        handlePopUpToggle={handlePopUpToggle}
+      />
+    </div>
+  );
+};
diff --git a/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/TaxIDTable.tsx b/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/TaxIDTable.tsx
index 2779bb19..9980e468 100644
--- a/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/TaxIDTable.tsx
+++ b/frontend/src/views/Settings/BillingSettingsPage/components/BillingDetailsTab/TaxIDTable.tsx
@@ -1,6 +1,7 @@
 import { faFileInvoice, faXmark } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
+import { OrgPermissionCan } from "@app/components/permissions";
 import {
   EmptyState,
   IconButton,
@@ -13,7 +14,7 @@ import {
   THead,
   Tr
 } from "@app/components/v2";
-import { useOrganization } from "@app/context";
+import { OrgGeneralPermissionActions, OrgPermissionSubjects, useOrganization } from "@app/context";
 import { useDeleteOrgTaxId, useGetOrgTaxIds } from "@app/hooks/api";
 
 const taxIDTypeLabelMap: { [key: string]: string } = {
@@ -101,17 +102,25 @@ export const TaxIDTable = () => {
                 <Td>{taxIDTypeLabelMap[type]}</Td>
                 <Td>{value}</Td>
                 <Td>
-                  <IconButton
-                    onClick={async () => {
-                      await handleDeleteTaxIdBtnClick(_id);
-                    }}
-                    size="lg"
-                    colorSchema="danger"
-                    variant="plain"
-                    ariaLabel="update"
+                  <OrgPermissionCan
+                    I={OrgGeneralPermissionActions.Delete}
+                    a={OrgPermissionSubjects.Billing}
                   >
-                    <FontAwesomeIcon icon={faXmark} />
-                  </IconButton>
+                    {(isAllowed) => (
+                      <IconButton
+                        onClick={async () => {
+                          await handleDeleteTaxIdBtnClick(_id);
+                        }}
+                        size="lg"
+                        colorSchema="danger"
+                        variant="plain"
+                        ariaLabel="update"
+                        isDisabled={!isAllowed}
+                      >
+                        <FontAwesomeIcon icon={faXmark} />
+                      </IconButton>
+                    )}
+                  </OrgPermissionCan>
                 </Td>
               </Tr>
             ))}
diff --git a/frontend/src/views/Settings/BillingSettingsPage/components/BillingTabGroup/BillingTabGroup.tsx b/frontend/src/views/Settings/BillingSettingsPage/components/BillingTabGroup/BillingTabGroup.tsx
index d30fa6ff..bd37adf5 100644
--- a/frontend/src/views/Settings/BillingSettingsPage/components/BillingTabGroup/BillingTabGroup.tsx
+++ b/frontend/src/views/Settings/BillingSettingsPage/components/BillingTabGroup/BillingTabGroup.tsx
@@ -1,5 +1,8 @@
-import { Fragment } from "react"
-import { Tab } from "@headlessui/react"
+import { Fragment } from "react";
+import { Tab } from "@headlessui/react";
+
+import { OrgGeneralPermissionActions, OrgPermissionSubjects } from "@app/context";
+import { withPermission } from "@app/hoc";
 
 import { BillingCloudTab } from "../BillingCloudTab";
 import { BillingDetailsTab } from "../BillingDetailsTab";
@@ -7,43 +10,48 @@ import { BillingReceiptsTab } from "../BillingReceiptsTab";
 import { BillingSelfHostedTab } from "../BillingSelfHostedTab";
 
 const tabs = [
-    { name: "Infisical Cloud", key: "tab-infisical-cloud" },
-    { name: "Infisical Self-Hosted", key: "tab-infisical-self-hosted" },
-    { name: "Receipts", key: "tab-receipts" },
-    { name: "Billing details", key: "tab-billing-details" }
+  { name: "Infisical Cloud", key: "tab-infisical-cloud" },
+  { name: "Infisical Self-Hosted", key: "tab-infisical-self-hosted" },
+  { name: "Receipts", key: "tab-receipts" },
+  { name: "Billing details", key: "tab-billing-details" }
 ];
 
-export const BillingTabGroup = () => {
+export const BillingTabGroup = withPermission(
+  () => {
     return (
-        <Tab.Group>
-            <Tab.List className="mt-8 mb-6 border-b-2 border-mineshaft-800">
-                {tabs.map((tab) => (
-                    <Tab as={Fragment} key={tab.key}> 
-                        {({ selected }) => (
-                            <button 
-                                type="button"
-                                className={`w-30 py-2 mx-2 mr-4 font-medium text-sm outline-none ${selected ? "border-b border-white text-white" : "text-mineshaft-400"}`}
-                            >
-                                {tab.name}
-                            </button>
-                        )}
-                    </Tab>
-                ))}
-            </Tab.List>
-            <Tab.Panels>
-                <Tab.Panel>
-                    <BillingCloudTab />
-                </Tab.Panel>
-                <Tab.Panel>
-                    <BillingSelfHostedTab />
-                </Tab.Panel>
-                <Tab.Panel>
-                    <BillingReceiptsTab />
-                </Tab.Panel>
-                <Tab.Panel>
-                    <BillingDetailsTab />
-                </Tab.Panel>
-            </Tab.Panels>
-        </Tab.Group>
+      <Tab.Group>
+        <Tab.List className="mt-8 mb-6 border-b-2 border-mineshaft-800">
+          {tabs.map((tab) => (
+            <Tab as={Fragment} key={tab.key}>
+              {({ selected }) => (
+                <button
+                  type="button"
+                  className={`w-30 py-2 mx-2 mr-4 font-medium text-sm outline-none ${
+                    selected ? "border-b border-white text-white" : "text-mineshaft-400"
+                  }`}
+                >
+                  {tab.name}
+                </button>
+              )}
+            </Tab>
+          ))}
+        </Tab.List>
+        <Tab.Panels>
+          <Tab.Panel>
+            <BillingCloudTab />
+          </Tab.Panel>
+          <Tab.Panel>
+            <BillingSelfHostedTab />
+          </Tab.Panel>
+          <Tab.Panel>
+            <BillingReceiptsTab />
+          </Tab.Panel>
+          <Tab.Panel>
+            <BillingDetailsTab />
+          </Tab.Panel>
+        </Tab.Panels>
+      </Tab.Group>
     );
-}
\ No newline at end of file
+  },
+  { action: OrgGeneralPermissionActions.Read, subject: OrgPermissionSubjects.Billing }
+);
diff --git a/frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/OrgAuthTab.tsx b/frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/OrgAuthTab.tsx
index 9a367223..b7cf27c0 100644
--- a/frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/OrgAuthTab.tsx
+++ b/frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/OrgAuthTab.tsx
@@ -1,9 +1,15 @@
+import { OrgGeneralPermissionActions, OrgPermissionSubjects } from "@app/context";
+import { withPermission } from "@app/hoc";
+
 import { OrgSSOSection } from "./OrgSSOSection";
 
-export const OrgAuthTab = () => {
+export const OrgAuthTab = withPermission(
+  () => {
     return (
-        <div>
-            <OrgSSOSection />
-        </div>
+      <div>
+        <OrgSSOSection />
+      </div>
     );
-}
\ No newline at end of file
+  },
+  { action: OrgGeneralPermissionActions.Read, subject: OrgPermissionSubjects.Sso }
+);
diff --git a/frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/OrgSSOSection.tsx b/frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/OrgSSOSection.tsx
index 7b4e65cb..274d0e51 100644
--- a/frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/OrgSSOSection.tsx
+++ b/frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/OrgSSOSection.tsx
@@ -2,136 +2,150 @@ import { faPlus } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
 import { useNotificationContext } from "@app/components/context/Notifications/NotificationProvider";
+import { OrgPermissionCan } from "@app/components/permissions";
 import { Button, Switch, UpgradePlanModal } from "@app/components/v2";
-import { useOrganization, useSubscription } from "@app/context";
-import { 
-    useCreateSSOConfig,
-    useGetSSOConfig,
-    useUpdateSSOConfig
-} from "@app/hooks/api";
+import {
+  OrgGeneralPermissionActions,
+  OrgPermissionSubjects,
+  useOrganization,
+  useSubscription
+} from "@app/context";
+import { useCreateSSOConfig, useGetSSOConfig, useUpdateSSOConfig } from "@app/hooks/api";
 import { usePopUp } from "@app/hooks/usePopUp";
 
 import { SSOModal } from "./SSOModal";
 
 const ssoAuthProviderMap: { [key: string]: string } = {
-    "okta-saml": "Okta SAML",
-    "azure-saml": "Azure SAML",
-    "jumpcloud-saml": "JumpCloud SAML"
-}
+  "okta-saml": "Okta SAML",
+  "azure-saml": "Azure SAML",
+  "jumpcloud-saml": "JumpCloud SAML"
+};
 
 export const OrgSSOSection = (): JSX.Element => {
-    const { currentOrg } = useOrganization();
-    const { subscription } = useSubscription();
-    const { createNotification } = useNotificationContext();
-    const { data, isLoading } = useGetSSOConfig(currentOrg?._id ?? "");
-    const { mutateAsync } = useUpdateSSOConfig();
-    const { popUp, handlePopUpOpen, handlePopUpClose, handlePopUpToggle } = usePopUp([
-        "upgradePlan",
-        "addSSO"
-    ] as const);
-    
-    const { mutateAsync: createMutateAsync } = useCreateSSOConfig();
-    
-    const handleSamlSSOToggle = async (value: boolean) => {
-        try {
-            if (!currentOrg?._id) return;
+  const { currentOrg } = useOrganization();
+  const { subscription } = useSubscription();
+  const { createNotification } = useNotificationContext();
+  const { data, isLoading } = useGetSSOConfig(currentOrg?._id ?? "");
+  const { mutateAsync } = useUpdateSSOConfig();
+  const { popUp, handlePopUpOpen, handlePopUpClose, handlePopUpToggle } = usePopUp([
+    "upgradePlan",
+    "addSSO"
+  ] as const);
 
-            await mutateAsync({
-                organizationId: currentOrg?._id,
-                isActive: value
-            });
+  const { mutateAsync: createMutateAsync } = useCreateSSOConfig();
 
-            createNotification({
-                text: `Successfully ${value ? "enabled" : "disabled"} SAML SSO`,
-                type: "success"
-            });
-        } catch (err) {
-            console.error(err);
-            createNotification({
-                text: `Failed to ${value ? "enable" : "disable"} SAML SSO`,
-                type: "error"
-            });
-        }
+  const handleSamlSSOToggle = async (value: boolean) => {
+    try {
+      if (!currentOrg?._id) return;
+
+      await mutateAsync({
+        organizationId: currentOrg?._id,
+        isActive: value
+      });
+
+      createNotification({
+        text: `Successfully ${value ? "enabled" : "disabled"} SAML SSO`,
+        type: "success"
+      });
+    } catch (err) {
+      console.error(err);
+      createNotification({
+        text: `Failed to ${value ? "enable" : "disable"} SAML SSO`,
+        type: "error"
+      });
     }
-    
-    const addSSOBtnClick = async () => {
-        try {
-            if (subscription?.samlSSO && currentOrg) {
-                if (!data) {
-                    // case: SAML SSO is not configured
-                    // -> initialize empty SAML SSO configuration
-                    await createMutateAsync({
-                        organizationId: currentOrg._id,
-                        authProvider: "okta-saml",
-                        isActive: false,
-                        entryPoint: "",
-                        issuer: "",
-                        cert: ""
-                    });
-                }
+  };
 
-                handlePopUpOpen("addSSO");
-            } else {
-                handlePopUpOpen("upgradePlan");
-            }
-        } catch (err) {
-            console.error(err);
+  const addSSOBtnClick = async () => {
+    try {
+      if (subscription?.samlSSO && currentOrg) {
+        if (!data) {
+          // case: SAML SSO is not configured
+          // -> initialize empty SAML SSO configuration
+          await createMutateAsync({
+            organizationId: currentOrg._id,
+            authProvider: "okta-saml",
+            isActive: false,
+            entryPoint: "",
+            issuer: "",
+            cert: ""
+          });
         }
+
+        handlePopUpOpen("addSSO");
+      } else {
+        handlePopUpOpen("upgradePlan");
+      }
+    } catch (err) {
+      console.error(err);
     }
-    
-    return (
-        <div className="p-4 bg-mineshaft-900 mb-6 rounded-lg border border-mineshaft-600">
-            <div className="flex items-center mb-8">
-                <h2 className="text-xl font-semibold flex-1 text-white">
-                    SAML SSO Configuration
-                </h2>
-                {!isLoading && (
-                    <Button
-                        onClick={addSSOBtnClick}
-                        colorSchema="secondary"
-                        leftIcon={<FontAwesomeIcon icon={faPlus} />}
-                    >
-                        {data ? "Update SAML SSO" : "Set up SAML SSO"}
-                    </Button> 
-                )}
-            </div>
-            {data && (
-                <div className="mb-4">
-                    <Switch
-                        id="enable-saml-sso"
-                        onCheckedChange={(value) => handleSamlSSOToggle(value)}
-                        isChecked={data ? data.isActive : false}
-                    >
-                        Enable SAML SSO
-                    </Switch>
-                </div>
+  };
+
+  return (
+    <div className="p-4 bg-mineshaft-900 mb-6 rounded-lg border border-mineshaft-600">
+      <div className="flex items-center mb-8">
+        <h2 className="text-xl font-semibold flex-1 text-white">SAML SSO Configuration</h2>
+        {!isLoading && (
+          <OrgPermissionCan I={OrgGeneralPermissionActions.Create} a={OrgPermissionSubjects.Sso}>
+            {(isAllowed) => (
+              <Button
+                onClick={addSSOBtnClick}
+                colorSchema="secondary"
+                isDisabled={!isAllowed}
+                leftIcon={<FontAwesomeIcon icon={faPlus} />}
+              >
+                {data ? "Update SAML SSO" : "Set up SAML SSO"}
+              </Button>
+            )}
+          </OrgPermissionCan>
+        )}
+      </div>
+      {data && (
+        <div className="mb-4">
+          <OrgPermissionCan I={OrgGeneralPermissionActions.Edit} a={OrgPermissionSubjects.Sso}>
+            {(isAllowed) => (
+              <Switch
+                id="enable-saml-sso"
+                onCheckedChange={(value) => handleSamlSSOToggle(value)}
+                isChecked={data ? data.isActive : false}
+                isDisabled={!isAllowed}
+              >
+                Enable SAML SSO
+              </Switch>
             )}
-            <div className="mb-4">
-                <h3 className="text-mineshaft-400 text-sm">SSO identifier</h3>
-                <p className="text-gray-400 text-md">{(data && data._id !== "") ? data._id : "-"}</p>
-            </div>
-            <div className="mb-4">
-                <h3 className="text-mineshaft-400 text-sm">Type</h3>
-                <p className="text-gray-400 text-md">{(data && data.authProvider !== "") ? ssoAuthProviderMap[data.authProvider] : "-"}</p>
-            </div>
-            <div className="mb-4">
-                <h3 className="text-mineshaft-400 text-sm">Entrypoint</h3>
-                <p className="text-gray-400 text-md">{(data && data.entryPoint !== "") ? data.entryPoint : "-"}</p>
-            </div>
-            <div className="mb-4">
-                <h3 className="text-mineshaft-400 text-sm">Issuer</h3>
-                <p className="text-gray-400 text-md">{(data && data.issuer !== "") ? data.issuer : "-"}</p>
-            </div>
-            <SSOModal 
-                popUp={popUp}
-                handlePopUpClose={handlePopUpClose}
-                handlePopUpToggle={handlePopUpToggle}
-            />
-            <UpgradePlanModal
-                isOpen={popUp.upgradePlan.isOpen}
-                onOpenChange={(isOpen) => handlePopUpToggle("upgradePlan", isOpen)}
-                text="You can use SAML SSO if you switch to Infisical's Pro plan."
-            />
+          </OrgPermissionCan>
         </div>
-    );
-};
\ No newline at end of file
+      )}
+      <div className="mb-4">
+        <h3 className="text-mineshaft-400 text-sm">SSO identifier</h3>
+        <p className="text-gray-400 text-md">{data && data._id !== "" ? data._id : "-"}</p>
+      </div>
+      <div className="mb-4">
+        <h3 className="text-mineshaft-400 text-sm">Type</h3>
+        <p className="text-gray-400 text-md">
+          {data && data.authProvider !== "" ? ssoAuthProviderMap[data.authProvider] : "-"}
+        </p>
+      </div>
+      <div className="mb-4">
+        <h3 className="text-mineshaft-400 text-sm">Entrypoint</h3>
+        <p className="text-gray-400 text-md">
+          {data && data.entryPoint !== "" ? data.entryPoint : "-"}
+        </p>
+      </div>
+      <div className="mb-4">
+        <h3 className="text-mineshaft-400 text-sm">Issuer</h3>
+        <p className="text-gray-400 text-md">{data && data.issuer !== "" ? data.issuer : "-"}</p>
+      </div>
+      <SSOModal
+        popUp={popUp}
+        handlePopUpClose={handlePopUpClose}
+        handlePopUpToggle={handlePopUpToggle}
+      />
+      <UpgradePlanModal
+        isOpen={popUp.upgradePlan.isOpen}
+        onOpenChange={(isOpen) => handlePopUpToggle("upgradePlan", isOpen)}
+        text="You can use SAML SSO if you switch to Infisical's Pro plan."
+      />
+    </div>
+  );
+};
diff --git a/frontend/src/views/Settings/OrgSettingsPage/components/OrgGeneralTab/OrgGeneralTab.tsx b/frontend/src/views/Settings/OrgSettingsPage/components/OrgGeneralTab/OrgGeneralTab.tsx
index 5c1fb273..3c9c016a 100644
--- a/frontend/src/views/Settings/OrgSettingsPage/components/OrgGeneralTab/OrgGeneralTab.tsx
+++ b/frontend/src/views/Settings/OrgSettingsPage/components/OrgGeneralTab/OrgGeneralTab.tsx
@@ -3,13 +3,11 @@ import { OrgNameChangeSection } from "../OrgNameChangeSection";
 import { OrgServiceAccountsTable } from "../OrgServiceAccountsTable";
 
 export const OrgGeneralTab = () => {
-    return (
-        <div>
-            <OrgNameChangeSection />
-			<div className="p-4 bg-mineshaft-900 rounded-lg border border-mineshaft-600 mb-6">
-				<OrgServiceAccountsTable />
-			</div>
-			<OrgIncidentContactsSection />
-        </div>
-    );
-}
\ No newline at end of file
+  return (
+    <div>
+      <OrgNameChangeSection />
+      <OrgServiceAccountsTable />
+      <OrgIncidentContactsSection />
+    </div>
+  );
+};
diff --git a/frontend/src/views/Settings/OrgSettingsPage/components/OrgIncidentContactsSection/AddOrgIncidentContactModal.tsx b/frontend/src/views/Settings/OrgSettingsPage/components/OrgIncidentContactsSection/AddOrgIncidentContactModal.tsx
index 238c5d19..e28bbc38 100644
--- a/frontend/src/views/Settings/OrgSettingsPage/components/OrgIncidentContactsSection/AddOrgIncidentContactModal.tsx
+++ b/frontend/src/views/Settings/OrgSettingsPage/components/OrgIncidentContactsSection/AddOrgIncidentContactModal.tsx
@@ -3,17 +3,9 @@ import { yupResolver } from "@hookform/resolvers/yup";
 import * as yup from "yup";
 
 import { useNotificationContext } from "@app/components/context/Notifications/NotificationProvider";
-import {
-  Button,
-  FormControl,
-  Input,
-  Modal,
-  ModalContent
-} from "@app/components/v2";
+import { Button, FormControl, Input, Modal, ModalContent } from "@app/components/v2";
 import { useOrganization } from "@app/context";
-import {
-    useAddIncidentContact
-} from "@app/hooks/api";
+import { useAddIncidentContact } from "@app/hooks/api";
 import { useFetchServerStatus } from "@app/hooks/api/serverDetails";
 import { UsePopUpState } from "@app/hooks/usePopUp";
 
@@ -24,97 +16,90 @@ const addContactFormSchema = yup.object({
 type TAddContactForm = yup.InferType<typeof addContactFormSchema>;
 
 type Props = {
-    popUp: UsePopUpState<["addContact"]>;
-    handlePopUpClose: (popUpName: keyof UsePopUpState<["addContact"]>) => void;
-    handlePopUpToggle: (popUpName: keyof UsePopUpState<["addContact"]>, state?: boolean) => void;
+  popUp: UsePopUpState<["addContact"]>;
+  handlePopUpClose: (popUpName: keyof UsePopUpState<["addContact"]>) => void;
+  handlePopUpToggle: (popUpName: keyof UsePopUpState<["addContact"]>, state?: boolean) => void;
 };
 
 export const AddOrgIncidentContactModal = ({
-    popUp,
-    handlePopUpClose,
-    handlePopUpToggle
+  popUp,
+  handlePopUpClose,
+  handlePopUpToggle
 }: Props) => {
-    const { createNotification } = useNotificationContext();
-    const { currentOrg } = useOrganization();
-    const { data: serverDetails } = useFetchServerStatus()
-    const {
-        control,
-        handleSubmit,
-        reset
-    } = useForm<TAddContactForm>({ resolver: yupResolver(addContactFormSchema) });
+  const { createNotification } = useNotificationContext();
+  const { currentOrg } = useOrganization();
+  const { data: serverDetails } = useFetchServerStatus();
+  const { control, handleSubmit, reset } = useForm<TAddContactForm>({
+    resolver: yupResolver(addContactFormSchema)
+  });
 
-    const { mutateAsync, isLoading } = useAddIncidentContact();
-    
-    const onFormSubmit = async ({ email }: TAddContactForm) => {
-        try {
-            if (!currentOrg?._id) return;
-            
-            await mutateAsync({ 
-                orgId: currentOrg._id, 
-                email 
-            });
+  const { mutateAsync, isLoading } = useAddIncidentContact();
 
-            createNotification({
-                text: "Successfully added incident contact",
-                type: "success"
-            });
-            
-            if (serverDetails?.emailConfigured){
-                handlePopUpClose("addContact");
-            }
+  const onFormSubmit = async ({ email }: TAddContactForm) => {
+    try {
+      if (!currentOrg?._id) return;
 
-            reset();
-        } catch (err) {
-            console.error(err);
-            createNotification({
-                text: "Failed to add incident contact",
-                type: "error"
-            });
-        }
+      await mutateAsync({
+        orgId: currentOrg._id,
+        email
+      });
+
+      createNotification({
+        text: "Successfully added incident contact",
+        type: "success"
+      });
+
+      if (serverDetails?.emailConfigured) {
+        handlePopUpClose("addContact");
+      }
+
+      reset();
+    } catch (err) {
+      console.error(err);
+      createNotification({
+        text: "Failed to add incident contact",
+        type: "error"
+      });
     }
+  };
 
-    return (
-        <Modal
-            isOpen={popUp?.addContact?.isOpen}
-            onOpenChange={(isOpen) => {
-                handlePopUpToggle("addContact", isOpen);
-                reset();
-            }}
-        >
-            <ModalContent
-                title="Add an Incident Contact"
-                subTitle="This contact will be notified in the unlikely event of a severe incident."
+  return (
+    <Modal
+      isOpen={popUp?.addContact?.isOpen}
+      onOpenChange={(isOpen) => {
+        handlePopUpToggle("addContact", isOpen);
+        reset();
+      }}
+    >
+      <ModalContent
+        title="Add an Incident Contact"
+        subTitle="This contact will be notified in the unlikely event of a severe incident."
+      >
+        <form onSubmit={handleSubmit(onFormSubmit)}>
+          <Controller
+            control={control}
+            defaultValue=""
+            name="email"
+            render={({ field, fieldState: { error } }) => (
+              <FormControl label="Email" isError={Boolean(error)} errorText={error?.message}>
+                <Input {...field} />
+              </FormControl>
+            )}
+          />
+          <div className="mt-8 flex items-center space-x-4">
+            <Button size="sm" type="submit" isLoading={isLoading} isDisabled={isLoading}>
+              Add Incident Contact
+            </Button>
+            <Button
+              colorSchema="secondary"
+              variant="plain"
+              onClick={() => handlePopUpClose("addContact")}
             >
-                <form onSubmit={handleSubmit(onFormSubmit)}>
-                    <Controller
-                        control={control}
-                        defaultValue=""
-                        name="email"
-                        render={({ field, fieldState: { error } }) => (
-                        <FormControl label="Email" isError={Boolean(error)} errorText={error?.message}>
-                            <Input {...field} />
-                        </FormControl>
-                        )}
-                    />
-                    <div className="mt-8 flex items-center">
-                        <Button
-                            size="sm"
-                            type="submit"
-                            isLoading={isLoading}
-                            isDisabled={isLoading}
-                        >
-                            Add Incident Contact
-                        </Button>
-                        <Button
-                            colorSchema="secondary"
-                            variant="plain"
-                            onClick={() => handlePopUpClose("addContact")}
-                        >
-                            Cancel
-                        </Button>
-                    </div>
-                </form>
-            </ModalContent>
-        </Modal>
-    );
-}
\ No newline at end of file
+              Cancel
+            </Button>
+          </div>
+        </form>
+      </ModalContent>
+    </Modal>
+  );
+};
diff --git a/frontend/src/views/Settings/OrgSettingsPage/components/OrgIncidentContactsSection/OrgIncidentContactsSection.tsx b/frontend/src/views/Settings/OrgSettingsPage/components/OrgIncidentContactsSection/OrgIncidentContactsSection.tsx
index 29d1064a..a4b0ab01 100644
--- a/frontend/src/views/Settings/OrgSettingsPage/components/OrgIncidentContactsSection/OrgIncidentContactsSection.tsx
+++ b/frontend/src/views/Settings/OrgSettingsPage/components/OrgIncidentContactsSection/OrgIncidentContactsSection.tsx
@@ -2,42 +2,53 @@ import { useTranslation } from "react-i18next";
 import { faPlus } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
-import {
-    Button
-} from "@app/components/v2";
+import { OrgPermissionCan } from "@app/components/permissions";
+import { Button } from "@app/components/v2";
+import { OrgGeneralPermissionActions, OrgPermissionSubjects } from "@app/context";
+import { withPermission } from "@app/hoc";
 import { usePopUp } from "@app/hooks";
 
 import { AddOrgIncidentContactModal } from "./AddOrgIncidentContactModal";
 import { OrgIncidentContactsTable } from "./OrgIncidentContactsTable";
 
-export const OrgIncidentContactsSection = () => {
+export const OrgIncidentContactsSection = withPermission(
+  () => {
     const { t } = useTranslation();
     const { handlePopUpToggle, popUp, handlePopUpOpen, handlePopUpClose } = usePopUp([
-        "addContact"
+      "addContact"
     ] as const);
 
     return (
-        <div className="p-4 bg-mineshaft-900 rounded-lg border border-mineshaft-600">
-            <div className="flex justify-between mb-4">
-                <p className="min-w-max text-xl font-semibold">
-                    {t("section.incident.incident-contacts")}
-                </p>
-                <Button
-                    colorSchema="secondary"
-                    type="submit"
-                    leftIcon={<FontAwesomeIcon icon={faPlus} />}
-                    onClick={() => handlePopUpOpen("addContact")}
-                >
-                    Add contact
-                </Button>
-            </div>
-            <OrgIncidentContactsTable />
-            <AddOrgIncidentContactModal 
-                popUp={popUp}
-                handlePopUpClose={handlePopUpClose}
-                handlePopUpToggle={handlePopUpToggle}
-            />
+      <div className="p-4 bg-mineshaft-900 rounded-lg border border-mineshaft-600">
+        <div className="flex justify-between mb-4">
+          <p className="min-w-max text-xl font-semibold">
+            {t("section.incident.incident-contacts")}
+          </p>
+          <OrgPermissionCan
+            I={OrgGeneralPermissionActions.Create}
+            a={OrgPermissionSubjects.IncidentAccount}
+          >
+            {(isAllowed) => (
+              <Button
+                colorSchema="secondary"
+                type="submit"
+                isDisabled={!isAllowed}
+                leftIcon={<FontAwesomeIcon icon={faPlus} />}
+                onClick={() => handlePopUpOpen("addContact")}
+              >
+                Add contact
+              </Button>
+            )}
+          </OrgPermissionCan>
         </div>
+        <OrgIncidentContactsTable />
+        <AddOrgIncidentContactModal
+          popUp={popUp}
+          handlePopUpClose={handlePopUpClose}
+          handlePopUpToggle={handlePopUpToggle}
+        />
+      </div>
     );
-}
-
+  },
+  { action: OrgGeneralPermissionActions.Read, subject: OrgPermissionSubjects.IncidentAccount }
+);
diff --git a/frontend/src/views/Settings/OrgSettingsPage/components/OrgIncidentContactsSection/OrgIncidentContactsTable.tsx b/frontend/src/views/Settings/OrgSettingsPage/components/OrgIncidentContactsSection/OrgIncidentContactsTable.tsx
index 0d301157..4976d11f 100644
--- a/frontend/src/views/Settings/OrgSettingsPage/components/OrgIncidentContactsSection/OrgIncidentContactsTable.tsx
+++ b/frontend/src/views/Settings/OrgSettingsPage/components/OrgIncidentContactsSection/OrgIncidentContactsTable.tsx
@@ -3,6 +3,7 @@ import { faContactBook, faMagnifyingGlass, faTrash } from "@fortawesome/free-sol
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
 import { useNotificationContext } from "@app/components/context/Notifications/NotificationProvider";
+import { OrgPermissionCan } from "@app/components/permissions";
 import {
   DeleteActionModal,
   EmptyState,
@@ -17,7 +18,7 @@ import {
   THead,
   Tr
 } from "@app/components/v2";
-import { useOrganization } from "@app/context";
+import { OrgGeneralPermissionActions, OrgPermissionSubjects, useOrganization } from "@app/context";
 import { usePopUp } from "@app/hooks";
 import { useDeleteIncidentContact, useGetOrgIncidentContact } from "@app/hooks/api";
 
@@ -83,13 +84,21 @@ export const OrgIncidentContactsTable = () => {
               <Tr key={email}>
                 <Td className="w-full">{email}</Td>
                 <Td className="mr-4">
-                  <IconButton
-                    ariaLabel="delete"
-                    colorSchema="danger"
-                    onClick={() => handlePopUpOpen("removeContact", { email })}
+                  <OrgPermissionCan
+                    I={OrgGeneralPermissionActions.Delete}
+                    an={OrgPermissionSubjects.IncidentAccount}
                   >
-                    <FontAwesomeIcon icon={faTrash} />
-                  </IconButton>
+                    {(isAllowed) => (
+                      <IconButton
+                        ariaLabel="delete"
+                        colorSchema="danger"
+                        onClick={() => handlePopUpOpen("removeContact", { email })}
+                        isDisabled={!isAllowed}
+                      >
+                        <FontAwesomeIcon icon={faTrash} />
+                      </IconButton>
+                    )}
+                  </OrgPermissionCan>
                 </Td>
               </Tr>
             ))}
diff --git a/frontend/src/views/Settings/OrgSettingsPage/components/OrgNameChangeSection/OrgNameChangeSection.tsx b/frontend/src/views/Settings/OrgSettingsPage/components/OrgNameChangeSection/OrgNameChangeSection.tsx
index 3c22f01f..c1f1d449 100644
--- a/frontend/src/views/Settings/OrgSettingsPage/components/OrgNameChangeSection/OrgNameChangeSection.tsx
+++ b/frontend/src/views/Settings/OrgSettingsPage/components/OrgNameChangeSection/OrgNameChangeSection.tsx
@@ -4,8 +4,10 @@ import { yupResolver } from "@hookform/resolvers/yup";
 import * as yup from "yup";
 
 import { useNotificationContext } from "@app/components/context/Notifications/NotificationProvider";
+import { OrgPermissionCan } from "@app/components/permissions";
 import { Button, FormControl, Input } from "@app/components/v2";
-import { useOrganization } from "@app/context";
+import { OrgGeneralPermissionActions, OrgPermissionSubjects, useOrganization } from "@app/context";
+import { withPermission } from "@app/hoc";
 import { useRenameOrg } from "@app/hooks/api";
 
 const formSchema = yup.object({
@@ -14,49 +16,46 @@ const formSchema = yup.object({
 
 type FormData = yup.InferType<typeof formSchema>;
 
-export const OrgNameChangeSection = (): JSX.Element => {
-  const { currentOrg } = useOrganization();
-  const { createNotification } = useNotificationContext();
-  const {
-    handleSubmit,
-    control,
-    reset
-  } = useForm<FormData>({ resolver: yupResolver(formSchema) });
-  const { mutateAsync, isLoading } = useRenameOrg();
+export const OrgNameChangeSection = withPermission(
+  (): JSX.Element => {
+    const { currentOrg } = useOrganization();
+    const { createNotification } = useNotificationContext();
+    const { handleSubmit, control, reset } = useForm<FormData>({
+      resolver: yupResolver(formSchema)
+    });
+    const { mutateAsync, isLoading } = useRenameOrg();
 
-  useEffect(() => {
-    if (currentOrg) {
-      reset({ name: currentOrg.name });
-    }
-  }, [currentOrg]);
+    useEffect(() => {
+      if (currentOrg) {
+        reset({ name: currentOrg.name });
+      }
+    }, [currentOrg]);
 
-  const onFormSubmit = async ({ name }: FormData) => {
-    try {
-      if (!currentOrg?._id) return;
-      if (name === "") return;
+    const onFormSubmit = async ({ name }: FormData) => {
+      try {
+        if (!currentOrg?._id) return;
+        if (name === "") return;
 
-      await mutateAsync({ orgId: currentOrg?._id, newOrgName: name });
-      createNotification({
-        text: "Successfully renamed organization",
-        type: "success"
-      });
-    } catch (error) {
-      console.error(error);
-      createNotification({
-        text: "Failed to rename organization",
-        type: "error"
-      });
-    }
-  };
+        await mutateAsync({ orgId: currentOrg?._id, newOrgName: name });
+        createNotification({
+          text: "Successfully renamed organization",
+          type: "success"
+        });
+      } catch (error) {
+        console.error(error);
+        createNotification({
+          text: "Failed to rename organization",
+          type: "error"
+        });
+      }
+    };
 
-  return (
-    <form 
-      onSubmit={handleSubmit(onFormSubmit)}
-      className="p-4 bg-mineshaft-900 mb-6 rounded-lg border border-mineshaft-600"
-    >
-        <p className="text-xl font-semibold text-mineshaft-100 mb-4">
-          Organization name
-        </p>
+    return (
+      <form
+        onSubmit={handleSubmit(onFormSubmit)}
+        className="p-4 bg-mineshaft-900 mb-6 rounded-lg border border-mineshaft-600"
+      >
+        <p className="text-xl font-semibold text-mineshaft-100 mb-4">Organization name</p>
         <div className="mb-2 max-w-md">
           <Controller
             defaultValue=""
@@ -69,14 +68,25 @@ export const OrgNameChangeSection = (): JSX.Element => {
             name="name"
           />
         </div>
-        <Button
-          isLoading={isLoading}
-          colorSchema="primary"
-          variant="outline_bg"
-          type="submit"
-        >
-          Save
-        </Button>
-    </form>
-  );
-};
+        <OrgPermissionCan I={OrgGeneralPermissionActions.Edit} a={OrgPermissionSubjects.Settings}>
+          {(isAllowed) => (
+            <Button
+              isLoading={isLoading}
+              isDisabled={!isAllowed}
+              colorSchema="primary"
+              variant="outline_bg"
+              type="submit"
+            >
+              Save
+            </Button>
+          )}
+        </OrgPermissionCan>
+      </form>
+    );
+  },
+  {
+    action: OrgGeneralPermissionActions.Read,
+    subject: OrgPermissionSubjects.Settings,
+    containerClassName: "mb-4"
+  }
+);
diff --git a/frontend/src/views/Settings/OrgSettingsPage/components/OrgServiceAccountsTable/OrgServiceAccountsTable.tsx b/frontend/src/views/Settings/OrgSettingsPage/components/OrgServiceAccountsTable/OrgServiceAccountsTable.tsx
index 6ead6cf8..eaac5d7c 100644
--- a/frontend/src/views/Settings/OrgSettingsPage/components/OrgServiceAccountsTable/OrgServiceAccountsTable.tsx
+++ b/frontend/src/views/Settings/OrgSettingsPage/components/OrgServiceAccountsTable/OrgServiceAccountsTable.tsx
@@ -34,7 +34,13 @@ import {
   THead,
   Tr
 } from "@app/components/v2";
-import { useOrganization, useWorkspace } from "@app/context";
+import {
+  OrgGeneralPermissionActions,
+  OrgPermissionSubjects,
+  useOrganization,
+  useWorkspace
+} from "@app/context";
+import { withPermission } from "@app/hoc";
 import { usePopUp, useToggle } from "@app/hooks";
 import {
   // useCreateServiceAccount,
@@ -62,313 +68,322 @@ import // Controller,
 
 // type TAddServiceAccountForm = yup.InferType<typeof addServiceAccountFormSchema>;
 
-export const OrgServiceAccountsTable = () => {
-  const router = useRouter();
-  const { currentOrg } = useOrganization();
-  const { currentWorkspace } = useWorkspace();
+export const OrgServiceAccountsTable = withPermission(
+  () => {
+    const router = useRouter();
+    const { currentOrg } = useOrganization();
+    const { currentWorkspace } = useWorkspace();
 
-  const orgId = currentOrg?._id || "";
-  const [step, setStep] = useState(0);
-  const [isAccessKeyCopied, setIsAccessKeyCopied] = useToggle(false);
-  const [isPublicKeyCopied, setIsPublicKeyCopied] = useToggle(false);
-  const [isPrivateKeyCopied, setIsPrivateKeyCopied] = useToggle(false);
-  const [accessKey] = useState("");
-  const [publicKey] = useState("");
-  const [privateKey] = useState("");
-  const [searchServiceAccountFilter, setSearchServiceAccountFilter] = useState("");
-  const { handlePopUpToggle, popUp, handlePopUpOpen, handlePopUpClose } = usePopUp([
-    "addServiceAccount",
-    "removeServiceAccount"
-  ] as const);
+    const orgId = currentOrg?._id || "";
+    const [step, setStep] = useState(0);
+    const [isAccessKeyCopied, setIsAccessKeyCopied] = useToggle(false);
+    const [isPublicKeyCopied, setIsPublicKeyCopied] = useToggle(false);
+    const [isPrivateKeyCopied, setIsPrivateKeyCopied] = useToggle(false);
+    const [accessKey] = useState("");
+    const [publicKey] = useState("");
+    const [privateKey] = useState("");
+    const [searchServiceAccountFilter, setSearchServiceAccountFilter] = useState("");
+    const { handlePopUpToggle, popUp, handlePopUpOpen, handlePopUpClose } = usePopUp([
+      "addServiceAccount",
+      "removeServiceAccount"
+    ] as const);
 
-  const { data: serviceAccounts = [], isLoading: isServiceAccountsLoading } =
-    useGetServiceAccounts(orgId);
+    const { data: serviceAccounts = [], isLoading: isServiceAccountsLoading } =
+      useGetServiceAccounts(orgId);
 
-  // const createServiceAccount = useCreateServiceAccount();
-  const removeServiceAccount = useDeleteServiceAccount();
+    // const createServiceAccount = useCreateServiceAccount();
+    const removeServiceAccount = useDeleteServiceAccount();
 
-  useEffect(() => {
-    let timer: NodeJS.Timeout;
-    if (isAccessKeyCopied) {
-      timer = setTimeout(() => setIsAccessKeyCopied.off(), 2000);
-    }
+    useEffect(() => {
+      let timer: NodeJS.Timeout;
+      if (isAccessKeyCopied) {
+        timer = setTimeout(() => setIsAccessKeyCopied.off(), 2000);
+      }
 
-    if (isPublicKeyCopied) {
-      timer = setTimeout(() => setIsPublicKeyCopied.off(), 2000);
-    }
+      if (isPublicKeyCopied) {
+        timer = setTimeout(() => setIsPublicKeyCopied.off(), 2000);
+      }
 
-    if (isPrivateKeyCopied) {
-      timer = setTimeout(() => setIsPrivateKeyCopied.off(), 2000);
-    }
+      if (isPrivateKeyCopied) {
+        timer = setTimeout(() => setIsPrivateKeyCopied.off(), 2000);
+      }
 
-    return () => clearTimeout(timer);
-  }, [isAccessKeyCopied, isPublicKeyCopied, isPrivateKeyCopied]);
+      return () => clearTimeout(timer);
+    }, [isAccessKeyCopied, isPublicKeyCopied, isPrivateKeyCopied]);
 
-  // const {
-  //     control,
-  //     handleSubmit,
-  //     reset,
-  //     formState: { isSubmitting }
-  // } = useForm<TAddServiceAccountForm>({ resolver: yupResolver(addServiceAccountFormSchema) });
+    // const {
+    //     control,
+    //     handleSubmit,
+    //     reset,
+    //     formState: { isSubmitting }
+    // } = useForm<TAddServiceAccountForm>({ resolver: yupResolver(addServiceAccountFormSchema) });
 
-  // const onAddServiceAccount = async ({ name, expiresIn }: TAddServiceAccountForm) => {
-  //     if (!currentOrg?._id) return;
+    // const onAddServiceAccount = async ({ name, expiresIn }: TAddServiceAccountForm) => {
+    //     if (!currentOrg?._id) return;
 
-  //     const keyPair = generateKeyPair();
-  //     setPublicKey(keyPair.publicKey);
-  //     setPrivateKey(keyPair.privateKey);
+    //     const keyPair = generateKeyPair();
+    //     setPublicKey(keyPair.publicKey);
+    //     setPrivateKey(keyPair.privateKey);
 
-  //     const serviceAccountDetails = await createServiceAccount.mutateAsync({
-  //         name,
-  //         organizationId: currentOrg?._id,
-  //         publicKey: keyPair.publicKey,
-  //         expiresIn: Number(expiresIn)
-  //     });
+    //     const serviceAccountDetails = await createServiceAccount.mutateAsync({
+    //         name,
+    //         organizationId: currentOrg?._id,
+    //         publicKey: keyPair.publicKey,
+    //         expiresIn: Number(expiresIn)
+    //     });
 
-  //     setAccessKey(serviceAccountDetails.serviceAccountAccessKey);
+    //     setAccessKey(serviceAccountDetails.serviceAccountAccessKey);
 
-  //     setStep(1);
-  //     reset();
-  // }
+    //     setStep(1);
+    //     reset();
+    // }
 
-  const onRemoveServiceAccount = async () => {
-    const serviceAccountId = (popUp?.removeServiceAccount?.data as { _id: string })?._id;
-    await removeServiceAccount.mutateAsync(serviceAccountId);
-    handlePopUpClose("removeServiceAccount");
-  };
+    const onRemoveServiceAccount = async () => {
+      const serviceAccountId = (popUp?.removeServiceAccount?.data as { _id: string })?._id;
+      await removeServiceAccount.mutateAsync(serviceAccountId);
+      handlePopUpClose("removeServiceAccount");
+    };
 
-  const filteredServiceAccounts = useMemo(
-    () =>
-      serviceAccounts.filter(({ name }) => name.toLowerCase().includes(searchServiceAccountFilter)),
-    [serviceAccounts, searchServiceAccountFilter]
-  );
+    const filteredServiceAccounts = useMemo(
+      () =>
+        serviceAccounts.filter(({ name }) =>
+          name.toLowerCase().includes(searchServiceAccountFilter)
+        ),
+      [serviceAccounts, searchServiceAccountFilter]
+    );
 
-  const renderStep = (stepToRender: number) => {
-    switch (stepToRender) {
-      case 0:
-        return (
-          <div>
-            We are currently revising the service account mechanism. In the meantime, please use
-            service tokens or API key to fetch secrets via API request.
-          </div>
-          //    <form onSubmit={handleSubmit(onAddServiceAccount)}>
-          //         <Controller
-          //             control={control}
-          //             defaultValue=""
-          //             name="name"
-          //             render={({ field, fieldState: { error } }) => (
-          //                 <FormControl label="Name" isError={Boolean(error)} errorText={error?.message}>
-          //                 <Input {...field} />
-          //                 </FormControl>
-          //             )}
-          //         />
-          //         <Controller
-          //             control={control}
-          //             name="expiresIn"
-          //             defaultValue={String(serviceAccountExpiration?.[0]?.value)}
-          //             render={({ field: { onChange, ...field }, fieldState: { error } }) => {
-          //                 return (
-          //                     <FormControl
-          //                         label="Expiration"
-          //                         errorText={error?.message}
-          //                         isError={Boolean(error)}
-          //                     >
-          //                         <Select
-          //                             defaultValue={field.value}
-          //                             {...field}
-          //                             onValueChange={(e) => onChange(e)}
-          //                             className="w-full"
-          //                         >
-          //                         {serviceAccountExpiration.map(({ label, value }) => (
-          //                             <SelectItem value={String(value)} key={label}>
-          //                                 {label}
-          //                             </SelectItem>
-          //                         ))}
-          //                         </Select>
-          //                     </FormControl>
-          //                 );
-          //             }}
-          //         />
-          //         <div className="mt-8 flex items-center">
-          //             <Button
-          //                 className="mr-4"
-          //                 size="sm"
-          //                 type="submit"
-          //                 isLoading={isSubmitting}
-          //                 isDisabled={isSubmitting}
-          //             >
-          //                 Create Service Account
-          //             </Button>
-          //             <Button
-          //                 colorSchema="secondary"
-          //                 variant="plain"
-          //                 onClick={() => handlePopUpClose("addServiceAccount")}
-          //             >
-          //                 Cancel
-          //             </Button>
-          //         </div>
-          //     </form>
-        );
-      case 1:
-        return (
-          <>
-            <p>Access Key</p>
-            <div className="flex items-center justify-end rounded-md bg-white/[0.07] p-2 text-base text-gray-400">
-              <p className="mr-4 break-all">{accessKey}</p>
-              <IconButton
-                ariaLabel="copy icon"
-                colorSchema="secondary"
-                className="group relative"
-                onClick={() => {
-                  navigator.clipboard.writeText(accessKey);
-                  setIsAccessKeyCopied.on();
-                }}
-              >
-                <FontAwesomeIcon icon={isAccessKeyCopied ? faCheck : faCopy} />
-                <span className="absolute -left-8 -top-20 hidden w-28 translate-y-full rounded-md bg-bunker-800 py-2 pl-3 text-center text-sm text-gray-400 group-hover:flex group-hover:animate-fadeIn">
-                  Copy
-                </span>
-              </IconButton>
-            </div>
-            <p className="mt-4">Public Key</p>
-            <div className="flex items-center justify-end rounded-md bg-white/[0.07] p-2 text-base text-gray-400">
-              <p className="mr-4 break-all">{publicKey}</p>
-              <IconButton
-                ariaLabel="copy icon"
-                colorSchema="secondary"
-                className="group relative"
-                onClick={() => {
-                  navigator.clipboard.writeText(publicKey);
-                  setIsPublicKeyCopied.on();
-                }}
-              >
-                <FontAwesomeIcon icon={isPublicKeyCopied ? faCheck : faCopy} />
-                <span className="absolute -left-8 -top-20 hidden w-28 translate-y-full rounded-md bg-bunker-800 py-2 pl-3 text-center text-sm text-gray-400 group-hover:flex group-hover:animate-fadeIn">
-                  Copy
-                </span>
-              </IconButton>
-            </div>
-            <p className="mt-4">Private Key</p>
-            <div className="flex items-center justify-end rounded-md bg-white/[0.07] p-2 text-base text-gray-400">
-              <p className="mr-4 break-all">{privateKey}</p>
-              <IconButton
-                ariaLabel="copy icon"
-                colorSchema="secondary"
-                className="group relative"
-                onClick={() => {
-                  navigator.clipboard.writeText(privateKey);
-                  setIsPrivateKeyCopied.on();
-                }}
-              >
-                <FontAwesomeIcon icon={isPrivateKeyCopied ? faCheck : faCopy} />
-                <span className="absolute -left-8 -top-20 hidden w-28 translate-y-full rounded-md bg-bunker-800 py-2 pl-3 text-center text-sm text-gray-400 group-hover:flex group-hover:animate-fadeIn">
-                  Copy
-                </span>
-              </IconButton>
+    const renderStep = (stepToRender: number) => {
+      switch (stepToRender) {
+        case 0:
+          return (
+            <div>
+              We are currently revising the service account mechanism. In the meantime, please use
+              service tokens or API key to fetch secrets via API request.
             </div>
-          </>
-        );
-      default:
-        return <div />;
-    }
-  };
+            //    <form onSubmit={handleSubmit(onAddServiceAccount)}>
+            //         <Controller
+            //             control={control}
+            //             defaultValue=""
+            //             name="name"
+            //             render={({ field, fieldState: { error } }) => (
+            //                 <FormControl label="Name" isError={Boolean(error)} errorText={error?.message}>
+            //                 <Input {...field} />
+            //                 </FormControl>
+            //             )}
+            //         />
+            //         <Controller
+            //             control={control}
+            //             name="expiresIn"
+            //             defaultValue={String(serviceAccountExpiration?.[0]?.value)}
+            //             render={({ field: { onChange, ...field }, fieldState: { error } }) => {
+            //                 return (
+            //                     <FormControl
+            //                         label="Expiration"
+            //                         errorText={error?.message}
+            //                         isError={Boolean(error)}
+            //                     >
+            //                         <Select
+            //                             defaultValue={field.value}
+            //                             {...field}
+            //                             onValueChange={(e) => onChange(e)}
+            //                             className="w-full"
+            //                         >
+            //                         {serviceAccountExpiration.map(({ label, value }) => (
+            //                             <SelectItem value={String(value)} key={label}>
+            //                                 {label}
+            //                             </SelectItem>
+            //                         ))}
+            //                         </Select>
+            //                     </FormControl>
+            //                 );
+            //             }}
+            //         />
+            //         <div className="mt-8 flex items-center">
+            //             <Button
+            //                 className="mr-4"
+            //                 size="sm"
+            //                 type="submit"
+            //                 isLoading={isSubmitting}
+            //                 isDisabled={isSubmitting}
+            //             >
+            //                 Create Service Account
+            //             </Button>
+            //             <Button
+            //                 colorSchema="secondary"
+            //                 variant="plain"
+            //                 onClick={() => handlePopUpClose("addServiceAccount")}
+            //             >
+            //                 Cancel
+            //             </Button>
+            //         </div>
+            //     </form>
+          );
+        case 1:
+          return (
+            <>
+              <p>Access Key</p>
+              <div className="flex items-center justify-end rounded-md bg-white/[0.07] p-2 text-base text-gray-400">
+                <p className="mr-4 break-all">{accessKey}</p>
+                <IconButton
+                  ariaLabel="copy icon"
+                  colorSchema="secondary"
+                  className="group relative"
+                  onClick={() => {
+                    navigator.clipboard.writeText(accessKey);
+                    setIsAccessKeyCopied.on();
+                  }}
+                >
+                  <FontAwesomeIcon icon={isAccessKeyCopied ? faCheck : faCopy} />
+                  <span className="absolute -left-8 -top-20 hidden w-28 translate-y-full rounded-md bg-bunker-800 py-2 pl-3 text-center text-sm text-gray-400 group-hover:flex group-hover:animate-fadeIn">
+                    Copy
+                  </span>
+                </IconButton>
+              </div>
+              <p className="mt-4">Public Key</p>
+              <div className="flex items-center justify-end rounded-md bg-white/[0.07] p-2 text-base text-gray-400">
+                <p className="mr-4 break-all">{publicKey}</p>
+                <IconButton
+                  ariaLabel="copy icon"
+                  colorSchema="secondary"
+                  className="group relative"
+                  onClick={() => {
+                    navigator.clipboard.writeText(publicKey);
+                    setIsPublicKeyCopied.on();
+                  }}
+                >
+                  <FontAwesomeIcon icon={isPublicKeyCopied ? faCheck : faCopy} />
+                  <span className="absolute -left-8 -top-20 hidden w-28 translate-y-full rounded-md bg-bunker-800 py-2 pl-3 text-center text-sm text-gray-400 group-hover:flex group-hover:animate-fadeIn">
+                    Copy
+                  </span>
+                </IconButton>
+              </div>
+              <p className="mt-4">Private Key</p>
+              <div className="flex items-center justify-end rounded-md bg-white/[0.07] p-2 text-base text-gray-400">
+                <p className="mr-4 break-all">{privateKey}</p>
+                <IconButton
+                  ariaLabel="copy icon"
+                  colorSchema="secondary"
+                  className="group relative"
+                  onClick={() => {
+                    navigator.clipboard.writeText(privateKey);
+                    setIsPrivateKeyCopied.on();
+                  }}
+                >
+                  <FontAwesomeIcon icon={isPrivateKeyCopied ? faCheck : faCopy} />
+                  <span className="absolute -left-8 -top-20 hidden w-28 translate-y-full rounded-md bg-bunker-800 py-2 pl-3 text-center text-sm text-gray-400 group-hover:flex group-hover:animate-fadeIn">
+                    Copy
+                  </span>
+                </IconButton>
+              </div>
+            </>
+          );
+        default:
+          return <div />;
+      }
+    };
 
-  return (
-    <div className="w-full">
-      <div className="mb-4 flex justify-between">
-        <p className="text-xl font-semibold text-mineshaft-100">Service Accounts</p>
-        <Button
-          colorSchema="secondary"
-          leftIcon={<FontAwesomeIcon icon={faPlus} />}
-          onClick={() => {
-            setStep(0);
+    return (
+      <div className="p-4 bg-mineshaft-900 rounded-lg border border-mineshaft-600 mb-6">
+        <div className="mb-4 flex justify-between">
+          <p className="text-xl font-semibold text-mineshaft-100">Service Accounts</p>
+          <Button
+            colorSchema="secondary"
+            leftIcon={<FontAwesomeIcon icon={faPlus} />}
+            onClick={() => {
+              setStep(0);
+              // reset();
+              handlePopUpOpen("addServiceAccount");
+            }}
+          >
+            Add Service Account
+          </Button>
+        </div>
+        <Input
+          value={searchServiceAccountFilter}
+          onChange={(e) => setSearchServiceAccountFilter(e.target.value)}
+          leftIcon={<FontAwesomeIcon icon={faMagnifyingGlass} />}
+          placeholder="Search service accounts..."
+        />
+        <TableContainer className="mt-4">
+          <Table>
+            <THead>
+              <Th>Name</Th>
+              <Th className="w-full">Valid Until</Th>
+              <Th aria-label="actions" />
+            </THead>
+            <TBody>
+              {isServiceAccountsLoading && (
+                <TableSkeleton columns={5} innerKey="org-service-accounts" />
+              )}
+              {!isServiceAccountsLoading &&
+                filteredServiceAccounts.map(({ name, expiresAt, _id: serviceAccountId }) => {
+                  return (
+                    <Tr key={`org-service-account-${serviceAccountId}`}>
+                      <Td>{name}</Td>
+                      <Td>{new Date(expiresAt).toUTCString()}</Td>
+                      <Td>
+                        <div className="flex">
+                          <IconButton
+                            ariaLabel="edit"
+                            colorSchema="secondary"
+                            onClick={() => {
+                              if (currentWorkspace?._id) {
+                                router.push(
+                                  `/settings/org/${currentWorkspace._id}/service-accounts/${serviceAccountId}`
+                                );
+                              }
+                            }}
+                            className="mr-2"
+                          >
+                            <FontAwesomeIcon icon={faPencil} />
+                          </IconButton>
+                          <IconButton
+                            ariaLabel="delete"
+                            colorSchema="danger"
+                            onClick={() =>
+                              handlePopUpOpen("removeServiceAccount", { _id: serviceAccountId })
+                            }
+                          >
+                            <FontAwesomeIcon icon={faTrash} />
+                          </IconButton>
+                        </div>
+                      </Td>
+                    </Tr>
+                  );
+                })}
+            </TBody>
+          </Table>
+          {!isServiceAccountsLoading && filteredServiceAccounts?.length === 0 && (
+            <EmptyState title="No service accounts found" icon={faServer} />
+          )}
+        </TableContainer>
+        <Modal
+          isOpen={popUp?.addServiceAccount?.isOpen}
+          onOpenChange={(isOpen) => {
+            handlePopUpToggle("addServiceAccount", isOpen);
             // reset();
-            handlePopUpOpen("addServiceAccount");
           }}
         >
-          Add Service Account
-        </Button>
+          <ModalContent
+            title="Add Service Account"
+            subTitle="A service account represents a machine identity such as a VM or application client."
+          >
+            {renderStep(step)}
+          </ModalContent>
+        </Modal>
+        <DeleteActionModal
+          isOpen={popUp.removeServiceAccount.isOpen}
+          deleteKey="remove"
+          title="Do you want to remove this service account from the org?"
+          onChange={(isOpen) => handlePopUpToggle("removeServiceAccount", isOpen)}
+          onDeleteApproved={onRemoveServiceAccount}
+        />
       </div>
-      <Input
-        value={searchServiceAccountFilter}
-        onChange={(e) => setSearchServiceAccountFilter(e.target.value)}
-        leftIcon={<FontAwesomeIcon icon={faMagnifyingGlass} />}
-        placeholder="Search service accounts..."
-      />
-      <TableContainer className="mt-4">
-        <Table>
-          <THead>
-            <Th>Name</Th>
-            <Th className="w-full">Valid Until</Th>
-            <Th aria-label="actions" />
-          </THead>
-          <TBody>
-            {isServiceAccountsLoading && (
-              <TableSkeleton columns={5} innerKey="org-service-accounts" />
-            )}
-            {!isServiceAccountsLoading &&
-              filteredServiceAccounts.map(({ name, expiresAt, _id: serviceAccountId }) => {
-                return (
-                  <Tr key={`org-service-account-${serviceAccountId}`}>
-                    <Td>{name}</Td>
-                    <Td>{new Date(expiresAt).toUTCString()}</Td>
-                    <Td>
-                      <div className="flex">
-                        <IconButton
-                          ariaLabel="edit"
-                          colorSchema="secondary"
-                          onClick={() => {
-                            if (currentWorkspace?._id) {
-                              router.push(
-                                `/settings/org/${currentWorkspace._id}/service-accounts/${serviceAccountId}`
-                              );
-                            }
-                          }}
-                          className="mr-2"
-                        >
-                          <FontAwesomeIcon icon={faPencil} />
-                        </IconButton>
-                        <IconButton
-                          ariaLabel="delete"
-                          colorSchema="danger"
-                          onClick={() =>
-                            handlePopUpOpen("removeServiceAccount", { _id: serviceAccountId })
-                          }
-                        >
-                          <FontAwesomeIcon icon={faTrash} />
-                        </IconButton>
-                      </div>
-                    </Td>
-                  </Tr>
-                );
-              })}
-          </TBody>
-        </Table>
-        {!isServiceAccountsLoading && filteredServiceAccounts?.length === 0 && (
-          <EmptyState title="No service accounts found" icon={faServer} />
-        )}
-      </TableContainer>
-      <Modal
-        isOpen={popUp?.addServiceAccount?.isOpen}
-        onOpenChange={(isOpen) => {
-          handlePopUpToggle("addServiceAccount", isOpen);
-          // reset();
-        }}
-      >
-        <ModalContent
-          title="Add Service Account"
-          subTitle="A service account represents a machine identity such as a VM or application client."
-        >
-          {renderStep(step)}
-        </ModalContent>
-      </Modal>
-      <DeleteActionModal
-        isOpen={popUp.removeServiceAccount.isOpen}
-        deleteKey="remove"
-        title="Do you want to remove this service account from the org?"
-        onChange={(isOpen) => handlePopUpToggle("removeServiceAccount", isOpen)}
-        onDeleteApproved={onRemoveServiceAccount}
-      />
-    </div>
-  );
-};
+    );
+  },
+  {
+    action: OrgGeneralPermissionActions.Read,
+    subject: OrgPermissionSubjects.Settings,
+    containerClassName: "mb-4"
+  }
+);
diff --git a/frontend/src/views/Settings/OrgSettingsPage/components/OrgTabGroup/OrgTabGroup.tsx b/frontend/src/views/Settings/OrgSettingsPage/components/OrgTabGroup/OrgTabGroup.tsx
index 1d0ebeb6..cacbf1b5 100644
--- a/frontend/src/views/Settings/OrgSettingsPage/components/OrgTabGroup/OrgTabGroup.tsx
+++ b/frontend/src/views/Settings/OrgSettingsPage/components/OrgTabGroup/OrgTabGroup.tsx
@@ -1,59 +1,40 @@
-import { Fragment } from "react"
-import { Tab } from "@headlessui/react"
-
-import { useOrganization,useUser } from "@app/context";
-import {
-    useGetOrgUsers
-} from "@app/hooks/api";
+import { Fragment } from "react";
+import { Tab } from "@headlessui/react";
 
 import { OrgAuthTab } from "../OrgAuthTab";
 import { OrgGeneralTab } from "../OrgGeneralTab";
 
+const tabs = [
+  { name: "General", key: "tab-org-general" },
+  { name: "Authentication", key: "tab-org-auth" }
+];
 export const OrgTabGroup = () => {
-    const { currentOrg } = useOrganization();
-    const { user } = useUser();
-    const { data } = useGetOrgUsers(currentOrg?._id ?? "");
-
-    const isRoleSufficient = data?.some((orgUser) => {
-        return orgUser.role !== "member" && orgUser.user._id === user._id;
-    });
-
-    const tabs = [
-        { name: "General", key: "tab-org-general" },
-    ];
-        
-    if (isRoleSufficient) {
-        tabs.push(
-            { name: "Authentication", key: "tab-org-auth" }
-        );
-    }
-
-    return (
-        <Tab.Group>
-            <Tab.List className="mb-6 border-b-2 border-mineshaft-800 w-full">
-                {tabs.map((tab) => (
-                    <Tab as={Fragment} key={tab.key}> 
-                        {({ selected }) => (
-                            <button 
-                                type="button"
-                                className={`w-30 py-2 mx-2 mr-4 font-medium text-sm outline-none ${selected ? "border-b border-white text-white" : "text-mineshaft-400"}`}
-                            >
-                                {tab.name}
-                            </button>
-                        )}
-                    </Tab>
-                ))}
-            </Tab.List>
-            <Tab.Panels>
-                <Tab.Panel>
-                    <OrgGeneralTab />
-                </Tab.Panel>
-                {isRoleSufficient && (
-                    <Tab.Panel>
-                        <OrgAuthTab />
-                    </Tab.Panel>
-                )}
-            </Tab.Panels>
-        </Tab.Group>
-    );
-}
\ No newline at end of file
+  return (
+    <Tab.Group>
+      <Tab.List className="mb-6 border-b-2 border-mineshaft-800 w-full">
+        {tabs.map((tab) => (
+          <Tab as={Fragment} key={tab.key}>
+            {({ selected }) => (
+              <button
+                type="button"
+                className={`w-30 py-2 mx-2 mr-4 font-medium text-sm outline-none ${
+                  selected ? "border-b border-white text-white" : "text-mineshaft-400"
+                }`}
+              >
+                {tab.name}
+              </button>
+            )}
+          </Tab>
+        ))}
+      </Tab.List>
+      <Tab.Panels>
+        <Tab.Panel>
+          <OrgGeneralTab />
+        </Tab.Panel>
+        <Tab.Panel>
+          <OrgAuthTab />
+        </Tab.Panel>
+      </Tab.Panels>
+    </Tab.Group>
+  );
+};