From 85707500ef1d80d5456a644e7cc1a20b160f86e9 Mon Sep 17 00:00:00 2001
From: chan <b24028@hanmaceng.co.kr>
Date: Wed, 10 Jun 2026 10:01:30 +0900
Subject: [PATCH] =?UTF-8?q?adminfront=20=EB=B0=8F=20=EB=B0=B1=EC=97=94?=
 =?UTF-8?q?=EB=93=9C:=20ReBAC=20=EA=B8=B0=EB=B0=98=20=EA=B0=81=20=ED=83=AD?=
 =?UTF-8?q?=EB=B3=84=20=EC=9D=BD=EA=B8=B0/=EC=93=B0=EA=B8=B0=20=EA=B6=8C?=
 =?UTF-8?q?=ED=95=9C=20=EC=A0=9C=EC=96=B4=20=EA=B5=AC=ED=98=84?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../coverage/adminTenantTabs.test.tsx         |   7 +
 .../tenants/components/DomainTagInput.tsx     |  21 ++-
 .../components/ParentTenantSelector.tsx       |   6 +-
 .../components/TenantPermissionGuard.tsx      |  26 +++
 .../hooks/useTenantPermission.test.tsx        | 126 ++++++++++++++
 .../tenants/hooks/useTenantPermission.ts      |  26 +++
 .../routes/TenantAdminsAndOwnersTab.tsx       |   5 +
 .../tenants/routes/TenantDetailPage.tsx       |  11 +-
 .../tenants/routes/TenantGroupsPage.tsx       |  18 +-
 .../tenants/routes/TenantProfilePage.tsx      |  30 +++-
 adminfront/src/lib/adminApi.ts                |   5 +
 backend/internal/handler/tenant_handler.go    |  80 +++++++--
 .../handler/tenant_handler_get_test.go        | 164 ++++++++++++++++++
 13 files changed, 485 insertions(+), 40 deletions(-)
 create mode 100644 adminfront/src/features/tenants/components/TenantPermissionGuard.tsx
 create mode 100644 adminfront/src/features/tenants/hooks/useTenantPermission.test.tsx
 create mode 100644 adminfront/src/features/tenants/hooks/useTenantPermission.ts
 create mode 100644 backend/internal/handler/tenant_handler_get_test.go

diff --git a/adminfront/src/features/coverage/adminTenantTabs.test.tsx b/adminfront/src/features/coverage/adminTenantTabs.test.tsx
index 722494d9..eeee7afd 100644
--- a/adminfront/src/features/coverage/adminTenantTabs.test.tsx
+++ b/adminfront/src/features/coverage/adminTenantTabs.test.tsx
@@ -93,6 +93,13 @@ vi.mock("react-oidc-context", () => ({
 }));
 
 vi.mock("../../lib/adminApi", () => ({
+  fetchMe: vi.fn(async () => users[0]),
+  fetchTenant: vi.fn(async (tenantId) => ({
+    id: tenantId,
+    name: "Test Tenant",
+    slug: "test-tenant",
+    userPermissions: { view: true, manage: true, manage_admins: true },
+  })),
   fetchTenantOwners: vi.fn(async () => [users[0]]),
   fetchTenantAdmins: vi.fn(async () => [users[1]]),
   addTenantOwner: vi.fn(async () => undefined),
diff --git a/adminfront/src/features/tenants/components/DomainTagInput.tsx b/adminfront/src/features/tenants/components/DomainTagInput.tsx
index ecfc5513..f2dc39eb 100644
--- a/adminfront/src/features/tenants/components/DomainTagInput.tsx
+++ b/adminfront/src/features/tenants/components/DomainTagInput.tsx
@@ -29,6 +29,7 @@ type DomainTagInputProps = {
   confirmedConflicts?: string[];
   onConfirmedConflictsChange?: (domains: string[]) => void;
   placeholder?: string;
+  disabled?: boolean;
 };
 
 export function DomainTagInput({
@@ -40,6 +41,7 @@ export function DomainTagInput({
   confirmedConflicts = [],
   onConfirmedConflictsChange,
   placeholder,
+  disabled = false,
 }: DomainTagInputProps) {
   const [input, setInput] = useState("");
   const [pendingConflict, setPendingConflict] = useState<DomainConflict | null>(
@@ -107,14 +109,16 @@ export function DomainTagInput({
             className="gap-1 rounded-md"
           >
             <span>{domain}</span>
-            <button
-              type="button"
-              className="inline-flex h-4 w-4 items-center justify-center rounded-sm hover:bg-background/60"
-              onClick={() => removeDomain(domain)}
-              aria-label={t("ui.common.remove", "삭제")}
-            >
-              <X size={12} />
-            </button>
+            {!disabled && (
+              <button
+                type="button"
+                className="inline-flex h-4 w-4 items-center justify-center rounded-sm hover:bg-background/60"
+                onClick={() => removeDomain(domain)}
+                aria-label={t("ui.common.remove", "삭제")}
+              >
+                <X size={12} />
+              </button>
+            )}
           </Badge>
         ))}
         <Input
@@ -133,6 +137,7 @@ export function DomainTagInput({
               tokenizeInput();
             }
           }}
+          disabled={disabled}
           className="h-7 min-w-[180px] flex-1 border-0 px-0 py-0 shadow-none focus-visible:ring-0"
           placeholder={value.length === 0 ? placeholder : undefined}
         />
diff --git a/adminfront/src/features/tenants/components/ParentTenantSelector.tsx b/adminfront/src/features/tenants/components/ParentTenantSelector.tsx
index 3b8830b7..17fbcd33 100644
--- a/adminfront/src/features/tenants/components/ParentTenantSelector.tsx
+++ b/adminfront/src/features/tenants/components/ParentTenantSelector.tsx
@@ -35,6 +35,7 @@ type ParentTenantSelectorProps = {
   localTenantFilter?: (tenant: TenantSummary) => boolean;
   compact?: boolean;
   controlTestId?: string;
+  disabled?: boolean;
 };
 
 export function ParentTenantSelector({
@@ -53,6 +54,7 @@ export function ParentTenantSelector({
   localTenantFilter,
   compact = false,
   controlTestId,
+  disabled = false,
 }: ParentTenantSelectorProps) {
   const [pickerOpen, setPickerOpen] = useState(false);
   const [localPickerOpen, setLocalPickerOpen] = useState(false);
@@ -112,6 +114,7 @@ export function ParentTenantSelector({
               variant="outline"
               size="sm"
               className={compact ? "h-8 shrink-0 px-2" : undefined}
+              disabled={disabled}
             >
               <Building2 className="h-4 w-4" />
               {orgChartPickerLabel ??
@@ -141,7 +144,7 @@ export function ParentTenantSelector({
         {localPickerLabel && (
           <Dialog open={localPickerOpen} onOpenChange={setLocalPickerOpen}>
             <DialogTrigger asChild>
-              <Button type="button" variant="outline" size="sm">
+              <Button type="button" variant="outline" size="sm" disabled={disabled}>
                 <Building2 className="h-4 w-4" />
                 {localPickerLabel}
               </Button>
@@ -228,6 +231,7 @@ export function ParentTenantSelector({
               className={compact ? "h-7 w-7 shrink-0" : "h-8 w-8"}
               onClick={() => onChange("")}
               aria-label={noneLabel}
+              disabled={disabled}
             >
               <X className="h-4 w-4" />
             </Button>
diff --git a/adminfront/src/features/tenants/components/TenantPermissionGuard.tsx b/adminfront/src/features/tenants/components/TenantPermissionGuard.tsx
new file mode 100644
index 00000000..7ddee376
--- /dev/null
+++ b/adminfront/src/features/tenants/components/TenantPermissionGuard.tsx
@@ -0,0 +1,26 @@
+import type React from "react";
+import { useTenantPermission } from "../hooks/useTenantPermission";
+
+interface TenantPermissionGuardProps {
+  tenantId: string;
+  relation: "view" | "manage" | "manage_admins";
+  fallback?: React.ReactNode;
+  children: React.ReactNode;
+}
+
+export function TenantPermissionGuard({
+  tenantId,
+  relation,
+  fallback = null,
+  children,
+}: TenantPermissionGuardProps) {
+  const { hasPermission, isLoading } = useTenantPermission(tenantId);
+
+  if (isLoading) return null;
+
+  if (!hasPermission(relation)) {
+    return <>{fallback}</>;
+  }
+
+  return <>{children}</>;
+}
diff --git a/adminfront/src/features/tenants/hooks/useTenantPermission.test.tsx b/adminfront/src/features/tenants/hooks/useTenantPermission.test.tsx
new file mode 100644
index 00000000..d5233b6a
--- /dev/null
+++ b/adminfront/src/features/tenants/hooks/useTenantPermission.test.tsx
@@ -0,0 +1,126 @@
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { render, screen, waitFor } from "@testing-library/react";
+import { renderHook } from "@testing-library/react";
+import type React from "react";
+import { describe, expect, it, vi } from "vitest";
+import { fetchTenant, fetchMe } from "../../../lib/adminApi";
+import { useTenantPermission } from "./useTenantPermission";
+import { TenantPermissionGuard } from "../components/TenantPermissionGuard";
+
+vi.mock("../../../lib/adminApi", () => ({
+  fetchMe: vi.fn(),
+  fetchTenant: vi.fn(),
+}));
+
+function createWrapper() {
+  const queryClient = new QueryClient({
+    defaultOptions: {
+      queries: { retry: false },
+    },
+  });
+  return ({ children }: { children: React.ReactNode }) => (
+    <QueryClientProvider client={queryClient}>{children}</QueryClientProvider>
+  );
+}
+
+describe("useTenantPermission", () => {
+  it("returns true for all permissions if user is super_admin", async () => {
+    vi.mocked(fetchMe).mockResolvedValue({
+      id: "user-super",
+      role: "super_admin",
+    } as any);
+
+    vi.mocked(fetchTenant).mockResolvedValue({
+      id: "tenant-1",
+      name: "Super Tenant",
+      userPermissions: { view: false, manage: false, manage_admins: false },
+    } as any);
+
+    const { result } = renderHook(() => useTenantPermission("tenant-1"), {
+      wrapper: createWrapper(),
+    });
+
+    await waitFor(() => {
+      expect(result.current.isLoading).toBe(false);
+    });
+
+    expect(result.current.hasPermission("view")).toBe(true);
+    expect(result.current.hasPermission("manage")).toBe(true);
+    expect(result.current.hasPermission("manage_admins")).toBe(true);
+  });
+
+  it("returns permissions mapped from userPermissions for normal admins/users", async () => {
+    vi.mocked(fetchMe).mockResolvedValue({
+      id: "user-admin",
+      role: "tenant_admin",
+    } as any);
+
+    vi.mocked(fetchTenant).mockResolvedValue({
+      id: "tenant-2",
+      name: "Tenant Admin Corp",
+      userPermissions: { view: true, manage: true, manage_admins: false },
+    } as any);
+
+    const { result } = renderHook(() => useTenantPermission("tenant-2"), {
+      wrapper: createWrapper(),
+    });
+
+    await waitFor(() => {
+      expect(result.current.isLoading).toBe(false);
+    });
+
+    expect(result.current.hasPermission("view")).toBe(true);
+    expect(result.current.hasPermission("manage")).toBe(true);
+    expect(result.current.hasPermission("manage_admins")).toBe(false);
+  });
+});
+
+describe("TenantPermissionGuard", () => {
+  it("renders children when user has permission", async () => {
+    vi.mocked(fetchMe).mockResolvedValue({
+      id: "user-admin",
+      role: "tenant_admin",
+    } as any);
+
+    vi.mocked(fetchTenant).mockResolvedValue({
+      id: "tenant-3",
+      userPermissions: { view: true, manage: true, manage_admins: false },
+    } as any);
+
+    render(
+      <TenantPermissionGuard tenantId="tenant-3" relation="manage" fallback={<div>Access Denied</div>}>
+        <div>Access Granted</div>
+      </TenantPermissionGuard>,
+      { wrapper: createWrapper() }
+    );
+
+    await waitFor(() => {
+      expect(screen.getByText("Access Granted")).toBeInTheDocument();
+    });
+    expect(screen.queryByText("Access Denied")).not.toBeInTheDocument();
+  });
+
+  it("renders fallback when user lacks permission", async () => {
+    vi.mocked(fetchMe).mockResolvedValue({
+      id: "user-admin",
+      role: "tenant_admin",
+    } as any);
+
+    vi.mocked(fetchTenant).mockResolvedValue({
+      id: "tenant-4",
+      userPermissions: { view: true, manage: false, manage_admins: false },
+    } as any);
+
+    render(
+      <TenantPermissionGuard tenantId="tenant-4" relation="manage" fallback={<div>Access Denied</div>}>
+        <div>Access Granted</div>
+      </TenantPermissionGuard>,
+      { wrapper: createWrapper() }
+    );
+
+    await waitFor(() => {
+      expect(screen.getByText("Access Denied")).toBeInTheDocument();
+    });
+    expect(screen.queryByText("Access Granted")).not.toBeInTheDocument();
+  });
+});
diff --git a/adminfront/src/features/tenants/hooks/useTenantPermission.ts b/adminfront/src/features/tenants/hooks/useTenantPermission.ts
new file mode 100644
index 00000000..532627fc
--- /dev/null
+++ b/adminfront/src/features/tenants/hooks/useTenantPermission.ts
@@ -0,0 +1,26 @@
+import { useQuery } from "@tanstack/react-query";
+import { fetchTenant, fetchMe } from "../../../lib/adminApi";
+import { normalizeAdminRole } from "../../../lib/roles";
+
+export function useTenantPermission(tenantId: string) {
+  const { data: profile } = useQuery({
+    queryKey: ["me"],
+    queryFn: fetchMe,
+  });
+
+  const { data: tenant } = useQuery({
+    queryKey: ["tenant", tenantId],
+    queryFn: () => fetchTenant(tenantId),
+    enabled: !!tenantId,
+  });
+
+  const hasPermission = (requiredRelation: "view" | "manage" | "manage_admins"): boolean => {
+    // Super Admin always has full bypass access
+    if (normalizeAdminRole(profile?.role) === "super_admin") {
+      return true;
+    }
+    return !!tenant?.userPermissions?.[requiredRelation];
+  };
+
+  return { hasPermission, isLoading: !tenant };
+}
diff --git a/adminfront/src/features/tenants/routes/TenantAdminsAndOwnersTab.tsx b/adminfront/src/features/tenants/routes/TenantAdminsAndOwnersTab.tsx
index fc78435d..67d858b6 100644
--- a/adminfront/src/features/tenants/routes/TenantAdminsAndOwnersTab.tsx
+++ b/adminfront/src/features/tenants/routes/TenantAdminsAndOwnersTab.tsx
@@ -11,6 +11,7 @@ import {
 import { useState } from "react";
 import { useAuth } from "react-oidc-context";
 import { useNavigate, useParams } from "react-router-dom";
+import { useTenantPermission } from "../hooks/useTenantPermission";
 import { commonStickyTableHeaderClass } from "../../../../../common/ui/table";
 import { Badge } from "../../../components/ui/badge";
 import { Button } from "../../../components/ui/button";
@@ -69,6 +70,8 @@ export function TenantAdminsAndOwnersTab() {
   const _currentUserId = auth.user?.profile.sub;
   const { tenantId: tenantIdParam } = useParams<{ tenantId: string }>();
   const tenantId = tenantIdParam ?? "";
+  const { hasPermission } = useTenantPermission(tenantId);
+  const isWritable = hasPermission("manage_admins");
   const queryClient = useQueryClient();
   const [searchTerm, setSearchTerm] = useState("");
   const [dialogMode, setDialogMode] = useState<DialogMode | null>(null);
@@ -382,6 +385,7 @@ export function TenantAdminsAndOwnersTab() {
             <Button
               className="bg-primary text-primary-foreground hover:bg-primary/90"
               onClick={() => setDialogMode("owner")}
+              disabled={!isWritable}
             >
               <UserPlus className="mr-2 h-4 w-4" />
               {t("ui.admin.tenants.owners.add_button", "소유자 추가")}
@@ -471,6 +475,7 @@ export function TenantAdminsAndOwnersTab() {
             <Button
               className="bg-primary text-primary-foreground hover:bg-primary/90"
               onClick={() => setDialogMode("admin")}
+              disabled={!isWritable}
             >
               <UserPlus className="mr-2 h-4 w-4" />
               {t("ui.admin.tenants.admins.add_button", "관리자 추가")}
diff --git a/adminfront/src/features/tenants/routes/TenantDetailPage.tsx b/adminfront/src/features/tenants/routes/TenantDetailPage.tsx
index 11ef24d1..8dff791a 100644
--- a/adminfront/src/features/tenants/routes/TenantDetailPage.tsx
+++ b/adminfront/src/features/tenants/routes/TenantDetailPage.tsx
@@ -5,6 +5,7 @@ import { Button } from "../../../components/ui/button";
 import { fetchMe, fetchTenant } from "../../../lib/adminApi";
 import { t } from "../../../lib/i18n";
 import { normalizeAdminRole } from "../../../lib/roles";
+import { useTenantPermission } from "../hooks/useTenantPermission";
 
 function TenantDetailPage() {
   const params = useParams<{ tenantId: string }>();
@@ -17,13 +18,7 @@ function TenantDetailPage() {
     enabled: tenantId.length > 0,
   });
 
-  const { data: profile } = useQuery({
-    queryKey: ["me"],
-    queryFn: fetchMe,
-  });
-
-  const profileRole = normalizeAdminRole(profile?.role);
-  const canAccessSchema = profileRole === "super_admin";
+  const { hasPermission } = useTenantPermission(tenantId);
 
   const isPermissionsTab = location.pathname.includes("/permissions");
   const isOrganizationTab = location.pathname.includes("/organization");
@@ -110,7 +105,7 @@ function TenantDetailPage() {
         >
           {t("ui.admin.tenants.detail.tab_organization", "조직 관리")}
         </Link>
-        {canAccessSchema && (
+        {hasPermission("view") && (
           <Link
             to={`/tenants/${tenantId}/schema`}
             className={`px-6 py-3 text-sm font-medium transition-colors relative ${
diff --git a/adminfront/src/features/tenants/routes/TenantGroupsPage.tsx b/adminfront/src/features/tenants/routes/TenantGroupsPage.tsx
index df61e3b3..4696f54e 100644
--- a/adminfront/src/features/tenants/routes/TenantGroupsPage.tsx
+++ b/adminfront/src/features/tenants/routes/TenantGroupsPage.tsx
@@ -21,6 +21,7 @@ import {
 import type React from "react";
 import { useState } from "react";
 import { useParams } from "react-router-dom";
+import { useTenantPermission } from "../hooks/useTenantPermission";
 import { commonStickyTableHeaderClass } from "../../../../../common/ui/table";
 import { Badge } from "../../../components/ui/badge";
 import { Button } from "../../../components/ui/button";
@@ -126,6 +127,7 @@ interface UserGroupTreeNodeProps {
     AxiosError<{ error?: string }>,
     { groupId: string; userId: string }
   >;
+  isWritable?: boolean;
 }
 
 const UserGroupTreeNode: React.FC<UserGroupTreeNodeProps> = ({
@@ -137,6 +139,7 @@ const UserGroupTreeNode: React.FC<UserGroupTreeNodeProps> = ({
   onAddSubGroup,
   addMemberMutation,
   removeMemberMutation,
+  isWritable = true,
 }) => {
   const [isExpanded, setIsExpanded] = useState(true);
   const hasChildren = node.children.length > 0;
@@ -200,6 +203,7 @@ const UserGroupTreeNode: React.FC<UserGroupTreeNodeProps> = ({
                 e.stopPropagation();
                 onAddSubGroup(node.id);
               }}
+              disabled={!isWritable}
             >
               <Plus size={14} />
             </Button>
@@ -210,6 +214,7 @@ const UserGroupTreeNode: React.FC<UserGroupTreeNodeProps> = ({
                 e.stopPropagation();
                 onDelete(node.id);
               }}
+              disabled={!isWritable}
             >
               <Trash2 size={14} className="text-destructive" />
             </Button>
@@ -229,6 +234,7 @@ const UserGroupTreeNode: React.FC<UserGroupTreeNodeProps> = ({
             onAddSubGroup={onAddSubGroup}
             addMemberMutation={addMemberMutation}
             removeMemberMutation={removeMemberMutation}
+            isWritable={isWritable}
           />
         ))}
     </>
@@ -240,6 +246,9 @@ function TenantGroupsPage() {
   const tenantId = params.tenantId ?? "";
   const _queryClient = useQueryClient();
 
+  const { hasPermission } = useTenantPermission(tenantId);
+  const isWritable = hasPermission("manage");
+
   const [newGroupName, setNewGroupName] = useState("");
   const [newGroupDesc, setNewGroupNameDesc] = useState("");
   const [newGroupUnitType, setNewGroupUnitType] = useState("Team");
@@ -423,6 +432,7 @@ function TenantGroupsPage() {
                   id="name"
                   value={newGroupName}
                   onChange={(e) => setNewGroupName(e.target.value)}
+                  disabled={!isWritable}
                   placeholder={t(
                     "ui.admin.groups.form.name_placeholder",
                     "예: 개발팀, 인사팀",
@@ -437,6 +447,7 @@ function TenantGroupsPage() {
                   id="unitType"
                   value={newGroupUnitType}
                   onChange={(e) => setNewGroupUnitType(e.target.value)}
+                  disabled={!isWritable}
                   placeholder={t(
                     "ui.admin.groups.form.unit_level_placeholder",
                     "예: 본부, 팀, 셀",
@@ -449,9 +460,10 @@ function TenantGroupsPage() {
                 </Label>
                 <select
                   id="parentId"
-                  className="flex h-9 w-full rounded-md border border-input bg-background px-3 py-1 text-sm shadow-sm transition-colors file:border-0 file:bg-transparent file:text-sm file:font-medium placeholder:text-muted-foreground focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring"
+                  className="flex h-9 w-full rounded-md border border-input bg-background px-3 py-1 text-sm shadow-sm transition-colors file:border-0 file:bg-transparent file:text-sm file:font-medium placeholder:text-muted-foreground focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring disabled:cursor-not-allowed disabled:opacity-50"
                   value={newGroupParentId || ""}
                   onChange={(e) => setNewGroupParentId(e.target.value || null)}
+                  disabled={!isWritable}
                 >
                   <option value="">{t("ui.common.none", "없음")}</option>
                   {groupsQuery.data?.map((group) => (
@@ -469,6 +481,7 @@ function TenantGroupsPage() {
                   id="desc"
                   value={newGroupDesc}
                   onChange={(e) => setNewGroupNameDesc(e.target.value)}
+                  disabled={!isWritable}
                   placeholder={t(
                     "ui.admin.groups.form.desc_placeholder",
                     "그룹 용도 설명",
@@ -478,7 +491,7 @@ function TenantGroupsPage() {
               <Button
                 className="w-full"
                 onClick={() => createMutation.mutate()}
-                disabled={!newGroupName || createMutation.isPending}
+                disabled={!newGroupName || createMutation.isPending || !isWritable}
               >
                 {t("ui.admin.groups.form.submit", "생성하기")}
               </Button>
@@ -569,6 +582,7 @@ function TenantGroupsPage() {
                           onAddSubGroup={handleAddSubGroup}
                           addMemberMutation={addMemberMutation}
                           removeMemberMutation={removeMemberMutation}
+                          isWritable={isWritable}
                         />
                       ))}
                     </TableBody>
diff --git a/adminfront/src/features/tenants/routes/TenantProfilePage.tsx b/adminfront/src/features/tenants/routes/TenantProfilePage.tsx
index ed962b64..209f11e9 100644
--- a/adminfront/src/features/tenants/routes/TenantProfilePage.tsx
+++ b/adminfront/src/features/tenants/routes/TenantProfilePage.tsx
@@ -25,6 +25,7 @@ import {
 import { t } from "../../../lib/i18n";
 import { DomainTagInput } from "../components/DomainTagInput";
 import { ParentTenantSelector } from "../components/ParentTenantSelector";
+import { useTenantPermission } from "../hooks/useTenantPermission";
 import {
   formatDomainConflictMessage,
   type ServerDomainConflict,
@@ -52,6 +53,9 @@ export function TenantProfilePage() {
     enabled: tenantId.length > 0,
   });
 
+  const { hasPermission } = useTenantPermission(tenantId);
+  const isWritable = hasPermission("manage");
+
   const parentQuery = useQuery({
     queryKey: ["tenants", "list-all"],
     queryFn: () => fetchAllTenants(),
@@ -261,13 +265,13 @@ export function TenantProfilePage() {
                 {t("ui.admin.tenants.profile.name", "테넌트 이름")}{" "}
                 <span className="text-destructive">*</span>
               </Label>
-              <Input value={name} onChange={(e) => setName(e.target.value)} />
+              <Input value={name} onChange={(e) => setName(e.target.value)} disabled={!isWritable} />
             </div>
             <div data-testid="tenant-slug-slot" className="space-y-1">
               <Label className="text-sm font-semibold">
                 {t("ui.admin.tenants.profile.slug", "슬러그 (Slug)")}
               </Label>
-              <Input value={slug} onChange={(e) => setSlug(e.target.value)} />
+              <Input value={slug} onChange={(e) => setSlug(e.target.value)} disabled={!isWritable} />
             </div>
             <div data-testid="tenant-parent-picker-slot" className="min-w-0">
               <ParentTenantSelector
@@ -283,6 +287,7 @@ export function TenantProfilePage() {
                 excludeTenantId={tenantId}
                 compact
                 controlTestId="tenant-parent-picker-control"
+                disabled={!isWritable}
               />
             </div>
           </div>
@@ -300,6 +305,7 @@ export function TenantProfilePage() {
                 className="flex h-9 w-full rounded-md border border-input bg-transparent px-3 py-1 text-sm shadow-sm transition-colors file:border-0 file:bg-transparent file:text-sm file:font-medium placeholder:text-muted-foreground focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring disabled:cursor-not-allowed disabled:opacity-50"
                 value={type}
                 onChange={(e) => setType(e.target.value)}
+                disabled={!isWritable}
               >
                 <option value="COMPANY">
                   {t("domain.tenant_type.company", "COMPANY (일반 기업)")}
@@ -346,9 +352,10 @@ export function TenantProfilePage() {
                     id="tenant-org-unit-type"
                     name="tenant-org-unit-type"
                     data-testid="tenant-org-unit-type-select"
-                    className="flex h-9 w-full rounded-md border border-input bg-transparent px-3 py-1 text-sm shadow-sm transition-colors focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring"
+                    className="flex h-9 w-full rounded-md border border-input bg-transparent px-3 py-1 text-sm shadow-sm transition-colors focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring disabled:cursor-not-allowed disabled:opacity-50"
                     value={orgUnitType}
                     onChange={(event) => setOrgUnitType(event.target.value)}
+                    disabled={!isWritable}
                   >
                     <option value="">{t("ui.common.none", "없음")}</option>
                     {orgUnitTypeOptions.map((option) => (
@@ -365,13 +372,14 @@ export function TenantProfilePage() {
                   <select
                     id="tenant-visibility"
                     name="tenant-visibility"
-                    className="flex h-9 w-full rounded-md border border-input bg-transparent px-3 py-1 text-sm shadow-sm transition-colors focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring"
+                    className="flex h-9 w-full rounded-md border border-input bg-transparent px-3 py-1 text-sm shadow-sm transition-colors focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring disabled:cursor-not-allowed disabled:opacity-50"
                     value={tenantVisibility}
                     onChange={(event) =>
                       setTenantVisibility(
                         event.target.value as TenantVisibility,
                       )
                     }
+                    disabled={!isWritable}
                   >
                     {TENANT_VISIBILITY_OPTIONS.map((option) => (
                       <option key={option.value} value={option.value}>
@@ -392,11 +400,12 @@ export function TenantProfilePage() {
                   </Label>
                   <select
                     id="worksmobileExcluded"
-                    className="flex h-9 w-full rounded-md border border-input bg-transparent px-3 py-1 text-sm shadow-sm transition-colors focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring"
+                    className="flex h-9 w-full rounded-md border border-input bg-transparent px-3 py-1 text-sm shadow-sm transition-colors focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring disabled:cursor-not-allowed disabled:opacity-50"
                     value={worksmobileExcluded ? "excluded" : "enabled"}
                     onChange={(event) =>
                       setWorksmobileExcluded(event.target.value === "excluded")
                     }
+                    disabled={!isWritable}
                   >
                     <option value="enabled">
                       {t(
@@ -424,6 +433,7 @@ export function TenantProfilePage() {
                 rows={2}
                 value={description}
                 onChange={(e) => setDescription(e.target.value)}
+                disabled={!isWritable}
               />
             </div>
             <div className="space-y-1">
@@ -442,6 +452,7 @@ export function TenantProfilePage() {
                 confirmedConflicts={forceDomainConflicts}
                 onConfirmedConflictsChange={setForceDomainConflicts}
                 placeholder="example.com, example.kr"
+                disabled={!isWritable}
               />
             </div>
             <div className="space-y-1">
@@ -454,6 +465,7 @@ export function TenantProfilePage() {
                   size="sm"
                   variant={status === "active" ? "default" : "outline"}
                   onClick={() => setStatus("active")}
+                  disabled={!isWritable}
                 >
                   {t("ui.common.status.active", "활성")}
                 </Button>
@@ -462,6 +474,7 @@ export function TenantProfilePage() {
                   size="sm"
                   variant={status === "inactive" ? "default" : "outline"}
                   onClick={() => setStatus("inactive")}
+                  disabled={!isWritable}
                 >
                   {t("ui.common.status.inactive", "비활성")}
                 </Button>
@@ -480,7 +493,7 @@ export function TenantProfilePage() {
         <Button
           variant="outline"
           onClick={handleDelete}
-          disabled={deleteMutation.isPending || isProtectedSeedTenant}
+          disabled={deleteMutation.isPending || isProtectedSeedTenant || !isWritable}
           title={
             isProtectedSeedTenant
               ? t(
@@ -499,7 +512,7 @@ export function TenantProfilePage() {
               variant="default"
               className="bg-green-600 hover:bg-green-700"
               onClick={handleApprove}
-              disabled={approveMutation.isPending}
+              disabled={approveMutation.isPending || !isWritable}
             >
               {t("ui.admin.tenants.profile.approve_button", "테넌트 승인")}
             </Button>
@@ -512,7 +525,8 @@ export function TenantProfilePage() {
             disabled={
               updateMutation.isPending ||
               tenantQuery.isLoading ||
-              name.trim() === ""
+              name.trim() === "" ||
+              !isWritable
             }
           >
             <Save size={16} />
diff --git a/adminfront/src/lib/adminApi.ts b/adminfront/src/lib/adminApi.ts
index f46c66c1..9a921438 100644
--- a/adminfront/src/lib/adminApi.ts
+++ b/adminfront/src/lib/adminApi.ts
@@ -33,6 +33,11 @@ export type TenantSummary = {
   config?: Record<string, unknown>;
   memberCount: number; // 해당 테넌트 직접 소속 인원
   totalMemberCount?: number; // 하위 테넌트 포함 전체 인원
+  userPermissions?: {
+    view: boolean;
+    manage: boolean;
+    manage_admins: boolean;
+  };
   createdAt: string;
   updatedAt: string;
 };
diff --git a/backend/internal/handler/tenant_handler.go b/backend/internal/handler/tenant_handler.go
index 9c6c7d67..90ae5ed2 100644
--- a/backend/internal/handler/tenant_handler.go
+++ b/backend/internal/handler/tenant_handler.go
@@ -84,20 +84,27 @@ func (h *TenantHandler) SetWorksmobileSyncer(syncer service.WorksmobileSyncer) {
 	h.Worksmobile = syncer
 }
 
+type tenantPermissions struct {
+	View         bool `json:"view"`
+	Manage       bool `json:"manage"`
+	ManageAdmins bool `json:"manage_admins"`
+}
+
 type tenantSummary struct {
-	ID               string         `json:"id"`
-	Type             string         `json:"type"`
-	ParentID         *string        `json:"parentId"`
-	Name             string         `json:"name"`
-	Slug             string         `json:"slug"`
-	Description      string         `json:"description"`
-	Status           string         `json:"status"`
-	Domains          []string       `json:"domains,omitempty"`
-	Config           domain.JSONMap `json:"config,omitempty"`
-	MemberCount      int64          `json:"memberCount"`
-	TotalMemberCount int64          `json:"totalMemberCount"`
-	CreatedAt        string         `json:"createdAt"`
-	UpdatedAt        string         `json:"updatedAt"`
+	ID               string             `json:"id"`
+	Type             string             `json:"type"`
+	ParentID         *string            `json:"parentId"`
+	Name             string             `json:"name"`
+	Slug             string             `json:"slug"`
+	Description      string             `json:"description"`
+	Status           string             `json:"status"`
+	Domains          []string           `json:"domains,omitempty"`
+	Config           domain.JSONMap     `json:"config,omitempty"`
+	MemberCount      int64              `json:"memberCount"`
+	TotalMemberCount int64              `json:"totalMemberCount"`
+	UserPermissions  *tenantPermissions `json:"userPermissions,omitempty"`
+	CreatedAt        string             `json:"createdAt"`
+	UpdatedAt        string             `json:"updatedAt"`
 }
 
 type tenantListResponse struct {
@@ -1678,6 +1685,53 @@ func (h *TenantHandler) GetTenant(c *fiber.Ctx) error {
 	summary.MemberCount = memberCounts[tenant.ID]
 	summary.TotalMemberCount = totalMemberCounts[tenant.ID]
 
+	// Populate Keto-based permissions for the current user
+	profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse)
+	if ok && profile != nil {
+		role := domain.NormalizeRole(profile.Role)
+		if role == domain.RoleSuperAdmin {
+			summary.UserPermissions = &tenantPermissions{
+				View:         true,
+				Manage:       true,
+				ManageAdmins: true,
+			}
+		} else {
+			// Query Keto in parallel for maximum performance
+			subject := "User:" + profile.ID
+			type checkResult struct {
+				relation string
+				allowed  bool
+				err      error
+			}
+			ch := make(chan checkResult, 3)
+			relations := []string{"view", "manage", "manage_admins"}
+			for _, rel := range relations {
+				go func(r string) {
+					allowed, err := h.Keto.CheckPermission(c.Context(), subject, "Tenant", tenant.ID, r)
+					ch <- checkResult{relation: r, allowed: allowed, err: err}
+				}(rel)
+			}
+
+			perms := &tenantPermissions{}
+			for range relations {
+				res := <-ch
+				if res.err != nil {
+					slog.Error("Failed to check Keto permission in GetTenant", "error", res.err, "relation", res.relation, "userID", profile.ID, "tenantID", tenant.ID)
+					continue
+				}
+				switch res.relation {
+				case "view":
+					perms.View = res.allowed
+				case "manage":
+					perms.Manage = res.allowed
+				case "manage_admins":
+					perms.ManageAdmins = res.allowed
+				}
+			}
+			summary.UserPermissions = perms
+		}
+	}
+
 	return c.JSON(summary)
 }
 
diff --git a/backend/internal/handler/tenant_handler_get_test.go b/backend/internal/handler/tenant_handler_get_test.go
new file mode 100644
index 00000000..3e059729
--- /dev/null
+++ b/backend/internal/handler/tenant_handler_get_test.go
@@ -0,0 +1,164 @@
+package handler
+
+import (
+	"baron-sso-backend/internal/domain"
+	"baron-sso-backend/internal/testsupport"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+)
+
+func TestTenantHandler_GetTenant_SuperAdmin(t *testing.T) {
+	if !testsupport.DockerAvailable() {
+		t.Skip("Docker provider is unavailable in this environment")
+	}
+
+	db := newTenantHandlerSeedDeleteDB(t)
+	if err := db.AutoMigrate(&domain.TenantDomain{}); err != nil {
+		t.Fatalf("failed to migrate tenant domains: %v", err)
+	}
+
+	// Create a test tenant in DB with a valid UUID
+	tenant := domain.Tenant{
+		ID:     "00000000-0000-0000-0000-000000000010",
+		Name:   "Super Admin Test Tenant",
+		Slug:   "super-admin-test-tenant",
+		Type:   domain.TenantTypeCompany,
+		Status: domain.TenantStatusActive,
+	}
+	if err := db.Create(&tenant).Error; err != nil {
+		t.Fatalf("failed to create tenant: %v", err)
+	}
+
+	app := fiber.New()
+	mockSvc := new(MockTenantService)
+	mockKeto := new(devMockKetoService)
+	mockProjection := new(MockUserProjectionRepoForHandler)
+
+	// Mock projection status
+	mockProjection.On("IsReady", mock.Anything).Return(true, nil)
+	mockProjection.On("CountTenantMembers", mock.Anything, mock.Anything).Return(map[string]int64{"00000000-0000-0000-0000-000000000010": 5}, nil)
+	mockProjection.On("CountTenantMembersRecursive", mock.Anything, mock.Anything).Return(map[string]int64{"00000000-0000-0000-0000-000000000010": 5}, nil)
+
+	h := &TenantHandler{
+		DB:                 db,
+		Service:            mockSvc,
+		Keto:               mockKeto,
+		UserProjectionRepo: mockProjection,
+	}
+
+	// We'll simulate middleware setting "user_profile" for a Super Admin
+	app.Get("/tenants/:id", func(c *fiber.Ctx) error {
+		profile := &domain.UserProfileResponse{
+			ID:   "user-super-admin-id",
+			Role: domain.RoleSuperAdmin,
+		}
+		c.Locals("user_profile", profile)
+		return h.GetTenant(c)
+	})
+
+	req := httptest.NewRequest("GET", "/tenants/00000000-0000-0000-0000-000000000010", nil)
+	resp, err := app.Test(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var got tenantSummary
+	err = json.NewDecoder(resp.Body).Decode(&got)
+	if err != nil {
+		t.Fatalf("failed to decode response: %v", err)
+	}
+
+	assert.Equal(t, "00000000-0000-0000-0000-000000000010", got.ID)
+	assert.Equal(t, "Super Admin Test Tenant", got.Name)
+	assert.NotNil(t, got.UserPermissions)
+	assert.True(t, got.UserPermissions.View)
+	assert.True(t, got.UserPermissions.Manage)
+	assert.True(t, got.UserPermissions.ManageAdmins)
+}
+
+func TestTenantHandler_GetTenant_NormalUser(t *testing.T) {
+	if !testsupport.DockerAvailable() {
+		t.Skip("Docker provider is unavailable in this environment")
+	}
+
+	db := newTenantHandlerSeedDeleteDB(t)
+	if err := db.AutoMigrate(&domain.TenantDomain{}); err != nil {
+		t.Fatalf("failed to migrate tenant domains: %v", err)
+	}
+
+	// Create a test tenant in DB with a valid UUID
+	tenant := domain.Tenant{
+		ID:     "00000000-0000-0000-0000-000000000020",
+		Name:   "Normal User Test Tenant",
+		Slug:   "normal-user-test-tenant",
+		Type:   domain.TenantTypeCompany,
+		Status: domain.TenantStatusActive,
+	}
+	if err := db.Create(&tenant).Error; err != nil {
+		t.Fatalf("failed to create tenant: %v", err)
+	}
+
+	app := fiber.New()
+	mockSvc := new(MockTenantService)
+	mockKeto := new(devMockKetoService)
+	mockProjection := new(MockUserProjectionRepoForHandler)
+
+	// Mock projection status
+	mockProjection.On("IsReady", mock.Anything).Return(true, nil)
+	mockProjection.On("CountTenantMembers", mock.Anything, mock.Anything).Return(map[string]int64{"00000000-0000-0000-0000-000000000020": 2}, nil)
+	mockProjection.On("CountTenantMembersRecursive", mock.Anything, mock.Anything).Return(map[string]int64{"00000000-0000-0000-0000-000000000020": 2}, nil)
+
+	h := &TenantHandler{
+		DB:                 db,
+		Service:            mockSvc,
+		Keto:               mockKeto,
+		UserProjectionRepo: mockProjection,
+	}
+
+	// Mock Keto response: allowed view/manage but not manage_admins
+	subject := "User:user-normal-id"
+	mockKeto.On("CheckPermission", mock.Anything, subject, "Tenant", "00000000-0000-0000-0000-000000000020", "view").Return(true, nil)
+	mockKeto.On("CheckPermission", mock.Anything, subject, "Tenant", "00000000-0000-0000-0000-000000000020", "manage").Return(true, nil)
+	mockKeto.On("CheckPermission", mock.Anything, subject, "Tenant", "00000000-0000-0000-0000-000000000020", "manage_admins").Return(false, nil)
+
+	// We'll simulate middleware setting "user_profile" for a regular admin/user
+	app.Get("/tenants/:id", func(c *fiber.Ctx) error {
+		profile := &domain.UserProfileResponse{
+			ID:   "user-normal-id",
+			Role: domain.RoleUser,
+		}
+		c.Locals("user_profile", profile)
+		return h.GetTenant(c)
+	})
+
+	req := httptest.NewRequest("GET", "/tenants/00000000-0000-0000-0000-000000000020", nil)
+	resp, err := app.Test(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var got tenantSummary
+	err = json.NewDecoder(resp.Body).Decode(&got)
+	if err != nil {
+		t.Fatalf("failed to decode response: %v", err)
+	}
+
+	assert.Equal(t, "00000000-0000-0000-0000-000000000020", got.ID)
+	assert.Equal(t, "Normal User Test Tenant", got.Name)
+	assert.NotNil(t, got.UserPermissions)
+	assert.True(t, got.UserPermissions.View)
+	assert.True(t, got.UserPermissions.Manage)
+	assert.False(t, got.UserPermissions.ManageAdmins)
+
+	mockKeto.AssertExpectations(t)
+}