diff --git a/src/ZB.MOM.WW.ScadaBridge.CentralUI/Services/OpcUaBrowseService.cs b/src/ZB.MOM.WW.ScadaBridge.CentralUI/Services/OpcUaBrowseService.cs
index 6adec7f3..1fb2d686 100644
--- a/src/ZB.MOM.WW.ScadaBridge.CentralUI/Services/OpcUaBrowseService.cs
+++ b/src/ZB.MOM.WW.ScadaBridge.CentralUI/Services/OpcUaBrowseService.cs
@@ -2,6 +2,7 @@ using Microsoft.AspNetCore.Components.Authorization;
 using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Protocol;
 using ZB.MOM.WW.ScadaBridge.Commons.Messages.Management;
 using ZB.MOM.WW.ScadaBridge.Communication;
+using ZB.MOM.WW.ScadaBridge.Security;
 namespace ZB.MOM.WW.ScadaBridge.CentralUI.Services;
@@ -44,7 +45,7 @@ public sealed class OpcUaBrowseService : IOpcUaBrowseService
 // CentralUI-side role guard — sites don't enforce envelope-level roles,
 // so the Design check must happen here before any cross-cluster traffic.
 var state = await _auth.GetAuthenticationStateAsync();
- if (!state.User.IsInRole("Design"))
+ if (!state.User.HasClaim(JwtTokenService.RoleClaimType, "Design"))
 {
 return new BrowseOpcUaNodeResult(
 Array.Empty(),
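Review bot: The guard on the `HasClaim` line does not check that the identity is authenticated; `HasClaim` matches a claim on any identity attached to `state.User`, so the check relies on the authentication state provider (not visible here) returning a claim-free principal for anonymous users. Because the comment above it says this is the only role check before cross-cluster traffic, consider failing closed explicitly with `if (state.User.Identity?.IsAuthenticated != true || !state.User.HasClaim(JwtTokenService.RoleClaimType, "Design"))`. If the switch was made because the identity's `RoleClaimType` differs from the JWT role claim, say so in a comment such as `// HasClaim, not IsInRole: match the role on JwtTokenService.RoleClaimType explicitly`, so the check is not later simplified back to `IsInRole`. It is also worth confirming that any other `IsInRole("Design")` guards in this service were migrated the same way; the enclosing method starts and ends outside the hunk.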