diff --git a/dashboard/src/Index.vue b/dashboard/src/Index.vue
index 102d46841..5a6608ba1 100644
--- a/dashboard/src/Index.vue
+++ b/dashboard/src/Index.vue
@@ -116,45 +116,45 @@ function onHashChange() {
 if (v === VIEWS.APPS) {
 view.value = VIEWS.APPS;
- } else if (v.indexOf(VIEWS.APPSTORE) === 0) {
+ } else if (v.indexOf(VIEWS.APPSTORE) === 0 && profile.value.isAtLeastAdmin) {
 view.value = VIEWS.APPSTORE;
- } else if (v.indexOf(VIEWS.APP) === 0) {
+ } else if (v.indexOf(VIEWS.APP+'/') === 0) { // this checks permissions within the view as we may have an app operator
 view.value = VIEWS.APP;
- } else if (v === VIEWS.BACKUPS) {
+ } else if (v === VIEWS.BACKUPS && profile.value.isAtLeastAdmin) {
 view.value = VIEWS.BACKUPS;
- } else if (v === VIEWS.BRANDING) {
+ } else if (v === VIEWS.BRANDING && profile.value.isAtLeastAdmin) {
 view.value = VIEWS.BRANDING;
- } else if (v === VIEWS.DOMAINS) {
+ } else if (v === VIEWS.DOMAINS && profile.value.isAtLeastAdmin) {
 view.value = VIEWS.DOMAINS;
- } else if (v === VIEWS.EMAIL) {
+ } else if (v === VIEWS.EMAIL && profile.value.isAtLeastMailManager) {
 view.value = VIEWS.EMAIL;
- } else if (v === VIEWS.EMAILS_EVENTLOG) {
+ } else if (v === VIEWS.EMAILS_EVENTLOG && profile.value.isAtLeastMailManager) {
 view.value = VIEWS.EMAILS_EVENTLOG;
- } else if (v === VIEWS.EMAILS_MAILBOXES) {
+ } else if (v === VIEWS.EMAILS_MAILBOXES && profile.value.isAtLeastMailManager) {
 view.value = VIEWS.EMAILS_MAILBOXES;
- } else if (v === VIEWS.EMAILS_MAILINGLISTS) {
+ } else if (v === VIEWS.EMAILS_MAILINGLISTS && profile.value.isAtLeastMailManager) {
 view.value = VIEWS.EMAILS_MAILINGLISTS;
- } else if (v.indexOf(VIEWS.EMAIL) === 0) {
+ } else if (v.indexOf(VIEWS.EMAIL+'/') === 0 && profile.value.isAtLeastMailManager) {
 view.value = VIEWS.EMAIL_DOMAIN;
- } else if (v === VIEWS.EVENTLOG) {
+ } else if (v === VIEWS.EVENTLOG && profile.value.isAtLeastAdmin) {
 view.value = VIEWS.EVENTLOG;
- } else if (v === VIEWS.NETWORK) {
+ } else if (v === VIEWS.NETWORK && profile.value.isAtLeastAdmin) {
 view.value = VIEWS.NETWORK;
 } else if (v === VIEWS.PROFILE) {
 view.value = VIEWS.PROFILE;
- } else if (v === VIEWS.SERVICES) {
+ } else if (v === VIEWS.SERVICES && profile.value.isAtLeastAdmin) {
 view.value = VIEWS.SERVICES;
- } else if (v === VIEWS.SETTINGS) {
+ } else if (v === VIEWS.SETTINGS && profile.value.isAtLeastAdmin) {
 view.value = VIEWS.SETTINGS;
- } else if (v === VIEWS.SUPPORT) {
+ } else if (v === VIEWS.SUPPORT && profile.value.isAtLeastOwner) {
 view.value = VIEWS.SUPPORT;
- } else if (v === VIEWS.SYSTEM) {
+ } else if (v === VIEWS.SYSTEM && profile.value.isAtLeastAdmin) {
 view.value = VIEWS.SYSTEM;
- } else if (v === VIEWS.USER_DIRECTORY) {
+ } else if (v === VIEWS.USER_DIRECTORY && profile.value.isAtLeastAdmin) {
 view.value = VIEWS.USER_DIRECTORY;
- } else if (v === VIEWS.USERS) {
+ } else if (v === VIEWS.USERS && profile.value.isAtLeastUserManager) {
 view.value = VIEWS.USERS;
- } else if (v === VIEWS.VOLUMES) {
+ } else if (v === VIEWS.VOLUMES && profile.value.isAtLeastAdmin) {
 view.value = VIEWS.VOLUMES;
 } else {
 window.location.hash = '/' + VIEWS.APPS;
diff --git a/dashboard/src/views/AppConfigureView.vue b/dashboard/src/views/AppConfigureView.vue
index 5f281ee76..ea3fc591a 100644
--- a/dashboard/src/views/AppConfigureView.vue
+++ b/dashboard/src/views/AppConfigureView.vue
@@ -33,7 +33,7 @@ const installationStateLabel = AppsModel.installationStateLabel;
 const busy = ref(true);
 const id = ref('');
-const app = ref({});
+const app = ref(null);
 const view = ref('');
 const link = ref('');
 const infoMenu = ref([]);
@@ -64,7 +64,13 @@ async function onToggleRunState() {
 let refreshTimer = null;
 async function refresh() {
 const [error, result] = await appsModel.get(id.value);
- if (error) return console.error(error);
+ if (error) {
+ if (error.status === 403) return window.location.hash = '/';
+ return console.error(error);
+ }
+
+ // prevent users who have no acces to
+ if (result.accessLevel !== 'admin' && result.accessLevel !== 'operator') return window.location.hash = '/';
 app.value = result;
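Review bot: The role tests added to this chain read `profile.value` in the browser, so they only decide which view is rendered and cannot serve as the access control. The same holds for the `result.accessLevel` test added to refresh() in AppConfigureView.vue, which runs after `appsModel.get` has already returned the app object. Each API route behind these views has to enforce the matching role itself, and a comment at the top of the chain should say so, for example `// UI gating only; the API must enforce the same role for each view`. A view the user may not open now falls into the final `else` and is sent to the apps view exactly like an unknown hash; if onHashChange can run before the profile is loaded, an admin's deep link would be lost the same way. That last case cannot be confirmed here, because the function starts and ends outside the hunk.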
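Review bot: `app` now starts as `null` instead of `{}`, so any template expression, computed value or handler in this file that reads a property of `app` before refresh() has assigned it will throw instead of yielding `undefined`. The template and the other readers are not part of this diff, so confirm that the view's root is guarded (for example with `v-if="app"`). A comment on the declaration would record the intent, e.g. `// null until refresh() has loaded an app this user may manage`.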
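Review bot: The comment added above the access-level test stops mid-sentence and misspells "access" (`// prevent users who have no acces to`); something like `// send users who are neither admin nor operator of this app back to the start page` says what the line does. Both early returns also leave `app.value` untouched. If refresh() is called again after a successful load (the `refreshTimer` declaration suggests polling, but the timer code is outside the hunk), the view would keep the previously loaded app while the redirect happens. Setting `app.value = null;` before each `window.location.hash = '/'` would fail closed. The form `return window.location.hash = '/'` also returns the assigned string from an async function, so a plain assignment followed by `return;` reads more clearly. The body of refresh() continues past the end of the hunk.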
@@ -143,6 +149,7 @@ onMounted(async () => {
 id.value = parts[0];
 await refresh();
+ if (!app.value) return;
 onSetView(parts[1] || 'info');