diff --git a/src/ScadaLink.CentralUI/Components/Layout/NavMenu.razor b/src/ScadaLink.CentralUI/Components/Layout/NavMenu.razor
index 96652e6..78fb4f2 100644
--- a/src/ScadaLink.CentralUI/Components/Layout/NavMenu.razor
+++ b/src/ScadaLink.CentralUI/Components/Layout/NavMenu.razor
@@ -24,9 +24,6 @@
                             <li class="nav-item">
                                 <NavLink class="nav-link" href="/admin/api-keys">API Keys</NavLink>
                             </li>
-                            <li class="nav-item">
-                                <NavLink class="nav-link" href="/admin/smtp">SMTP Configuration</NavLink>
-                            </li>
                         </Authorized>
                     </AuthorizeView>
 
@@ -65,6 +62,35 @@
                         </Authorized>
                     </AuthorizeView>
 
+                    @* Notifications — mixed-role section; each item gated by its own policy.
+                       The header is ungated: every authenticated user holds at least one of
+                       Admin/Design/Deployment, so it always has a visible child. *@
+                    <div role="presentation" class="nav-section-header">Notifications</div>
+                    <AuthorizeView Policy="@AuthorizationPolicies.RequireAdmin">
+                        <Authorized Context="notifAdminContext">
+                            <li class="nav-item">
+                                <NavLink class="nav-link" href="/notifications/smtp">SMTP Configuration</NavLink>
+                            </li>
+                        </Authorized>
+                    </AuthorizeView>
+                    <AuthorizeView Policy="@AuthorizationPolicies.RequireDesign">
+                        <Authorized Context="notifDesignContext">
+                            <li class="nav-item">
+                                <NavLink class="nav-link" href="/notifications/lists">Notification Lists</NavLink>
+                            </li>
+                        </Authorized>
+                    </AuthorizeView>
+                    <AuthorizeView Policy="@AuthorizationPolicies.RequireDeployment">
+                        <Authorized Context="notifDeploymentContext">
+                            <li class="nav-item">
+                                <NavLink class="nav-link" href="/notifications/report">Notification Report</NavLink>
+                            </li>
+                            <li class="nav-item">
+                                <NavLink class="nav-link" href="/notifications/kpis">Notification KPIs</NavLink>
+                            </li>
+                        </Authorized>
+                    </AuthorizeView>
+
                     @* Monitoring — Health Dashboard is all-roles; Event Logs and
                        Parked Messages are Deployment-role only (Component-CentralUI). *@
                     <div role="presentation" class="nav-section-header">Monitoring</div>
@@ -79,9 +105,6 @@
                             <li class="nav-item">
                                 <NavLink class="nav-link" href="/monitoring/parked-messages">Parked Messages</NavLink>
                             </li>
-                            <li class="nav-item">
-                                <NavLink class="nav-link" href="/monitoring/notification-outbox">Notification Outbox</NavLink>
-                            </li>
                         </Authorized>
                     </AuthorizeView>
 
diff --git a/tests/ScadaLink.CentralUI.Tests/Layout/NavMenuTests.cs b/tests/ScadaLink.CentralUI.Tests/Layout/NavMenuTests.cs
new file mode 100644
index 0000000..c416456
--- /dev/null
+++ b/tests/ScadaLink.CentralUI.Tests/Layout/NavMenuTests.cs
@@ -0,0 +1,95 @@
+using System.Security.Claims;
+using Bunit;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Components;
+using Microsoft.AspNetCore.Components.Authorization;
+using Microsoft.AspNetCore.Components.Rendering;
+using Microsoft.Extensions.DependencyInjection;
+using ScadaLink.Security;
+using NavMenu = ScadaLink.CentralUI.Components.Layout.NavMenu;
+
+namespace ScadaLink.CentralUI.Tests.Layout;
+
+/// <summary>
+/// bUnit rendering tests for the sidebar <see cref="NavMenu"/>. They verify the
+/// new Notifications section: its items are gated per-policy, and the old
+/// <c>/admin/smtp</c> and <c>/monitoring/notification-outbox</c> routes are gone.
+/// The <c>AuthorizeView Policy=...</c> blocks evaluate the real policies, which
+/// require a claim of type <see cref="JwtTokenService.RoleClaimType"/> ("Role"),
+/// so the test principal carries claims of that exact type.
+/// </summary>
+public class NavMenuTests : BunitContext
+{
+    /// <summary>
+    /// Renders <see cref="NavMenu"/> under a principal holding the given roles.
+    /// <see cref="NavMenu"/>'s top-level <c>AuthorizeView</c> requires the
+    /// cascading <see cref="AuthenticationState"/>, so it is rendered inside a
+    /// <see cref="CascadingAuthenticationState"/>; the real policies are
+    /// registered so the per-item <c>AuthorizeView Policy=...</c> blocks are
+    /// genuinely evaluated.
+    /// </summary>
+    private IRenderedComponent<NavMenu> RenderWithRoles(params string[] roles)
+    {
+        var claims = new List<Claim> { new("Username", "tester") };
+        claims.AddRange(roles.Select(r => new Claim(JwtTokenService.RoleClaimType, r)));
+
+        var user = new ClaimsPrincipal(new ClaimsIdentity(claims, "TestAuth"));
+        Services.AddSingleton<AuthenticationStateProvider>(new TestAuthStateProvider(user));
+        Services.AddAuthorizationCore();
+        AuthorizationPolicies.AddScadaLinkAuthorization(Services);
+        // BunitContext pre-registers a placeholder IAuthorizationService that
+        // throws when AuthorizeView evaluates a policy. Force the real service
+        // so the per-item policy gating is genuinely exercised.
+        Services.AddSingleton<IAuthorizationService, DefaultAuthorizationService>();
+
+        var host = Render<CascadingAuthenticationState>(parameters => parameters
+            .Add(p => p.ChildContent, (RenderFragment)(builder =>
+            {
+                builder.OpenComponent<NavMenu>(0);
+                builder.CloseComponent();
+            })));
+
+        return host.FindComponent<NavMenu>();
+    }
+
+    [Fact]
+    public void NotificationsSection_ShowsAllItems_ForMultiRoleUser()
+    {
+        var cut = RenderWithRoles("Admin", "Design", "Deployment");
+
+        cut.WaitForAssertion(() =>
+        {
+            Assert.Contains("Notifications", cut.Markup);
+            Assert.Contains("/notifications/smtp", cut.Markup);
+            Assert.Contains("/notifications/lists", cut.Markup);
+            Assert.Contains("/notifications/report", cut.Markup);
+            Assert.Contains("/notifications/kpis", cut.Markup);
+        });
+    }
+
+    [Fact]
+    public void NotificationsSection_AdminOnlyUser_SeesOnlySmtp()
+    {
+        var cut = RenderWithRoles("Admin");
+
+        cut.WaitForAssertion(() =>
+        {
+            Assert.Contains("/notifications/smtp", cut.Markup);
+            Assert.DoesNotContain("/notifications/report", cut.Markup);
+            Assert.DoesNotContain("/notifications/lists", cut.Markup);
+            Assert.DoesNotContain("/notifications/kpis", cut.Markup);
+        });
+    }
+
+    [Fact]
+    public void OldRoutes_AreNoLongerLinked()
+    {
+        var cut = RenderWithRoles("Admin", "Design", "Deployment");
+
+        cut.WaitForAssertion(() =>
+        {
+            Assert.DoesNotContain("/admin/smtp", cut.Markup);
+            Assert.DoesNotContain("/monitoring/notification-outbox", cut.Markup);
+        });
+    }
+}