diff --git a/src/Server/ZB.MOM.WW.OtOpcUa.Security/ServiceCollectionExtensions.cs b/src/Server/ZB.MOM.WW.OtOpcUa.Security/ServiceCollectionExtensions.cs
index 2f8cf04f..9709b78c 100644
--- a/src/Server/ZB.MOM.WW.OtOpcUa.Security/ServiceCollectionExtensions.cs
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.Security/ServiceCollectionExtensions.cs
@@ -89,6 +89,9 @@ public static class ServiceCollectionExtensions
             // appsettings (e.g. "ot-driver-operator": "DriverOperator").
             o.AddPolicy("DriverOperator", policy =>
                 policy.RequireRole("DriverOperator", "FleetAdmin"));
+
+            // FleetAdmin: full administrative access; gates fleet-wide pages such as RoleGrants.
+            o.AddPolicy("FleetAdmin", policy => policy.RequireRole("FleetAdmin"));
         });
 
         return services;