diff --git a/accounting/__pycache__/views.cpython-311.pyc b/accounting/__pycache__/views.cpython-311.pyc
index 30c1509..d619044 100644
Binary files a/accounting/__pycache__/views.cpython-311.pyc and b/accounting/__pycache__/views.cpython-311.pyc differ
diff --git a/accounting/views.py b/accounting/views.py
index 28476a5..c4dc4ef 100644
--- a/accounting/views.py
+++ b/accounting/views.py
@@ -14,6 +14,9 @@ import json
 @login_required
 def vat_report(request):
+    if not (request.user.is_staff or request.user.has_perm('core.view_reports')):
+        messages.error(request, _("You do not have permission to view reports."))
+        return redirect('index')
     start_date = request.GET.get('start_date')
     end_date = request.GET.get('end_date')
diff --git a/core/__pycache__/models.cpython-311.pyc b/core/__pycache__/models.cpython-311.pyc
index 05112f9..c269e3d 100644
Binary files a/core/__pycache__/models.cpython-311.pyc and b/core/__pycache__/models.cpython-311.pyc differ
diff --git a/core/__pycache__/views.cpython-311.pyc b/core/__pycache__/views.cpython-311.pyc
index 43fa783..f515055 100644
Binary files a/core/__pycache__/views.cpython-311.pyc and b/core/__pycache__/views.cpython-311.pyc differ
diff --git a/core/migrations/0038_alter_systemsetting_options.py b/core/migrations/0038_alter_systemsetting_options.py
new file mode 100644
index 0000000..c63568c
--- /dev/null
+++ b/core/migrations/0038_alter_systemsetting_options.py
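Review bot: The same three-line gate added to vat_report here is pasted again into expense_report, reports, customer_statement, supplier_statement and cashflow_report in core/views.py; one decorator keeps the rule in a single place and is harder to forget on the next report view, e.g. `@user_passes_test(lambda u: u.is_staff or u.has_perm('core.view_reports'))` from `django.contrib.auth.decorators`, or a small `reports_access_required` wrapper around it if the flash message is wanted. `is_staff` only marks accounts allowed to log in to the admin site, and superusers already pass `has_perm`, so unless every staff account is meant to be implicitly granted all reports the check can be `has_perm` alone; if the staff bypass is intended, a short comment saying so would help the next reader. The hunk does not show the imports of `messages`, `_` and `redirect` for accounting/views.py, so confirm they are present above `import json`. vat_report's body continues past the hunk.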
@@ -0,0 +1,17 @@
+# Generated by Django 5.2.7 on 2026-02-11 17:17
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('core', '0037_alter_systemsetting_options'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='systemsetting',
+            options={'permissions': [('view_dashboard', 'Can view dashboard'), ('view_pos', 'Can access POS'), ('view_reports', 'Can view reports'), ('view_accounting', 'Can view accounting'), ('view_hr', 'Can view HR'), ('view_inventory', 'Can view inventory'), ('view_sales', 'Can view sales'), ('view_purchases', 'Can view purchases'), ('view_customers', 'Can view customers'), ('view_suppliers', 'Can view suppliers'), ('view_expenses', 'Can view expenses'), ('view_lpo', 'Can view LPO'), ('view_quotations', 'Can view quotations'), ('view_system', 'Can view system settings')]},
+        ),
+    ]
diff --git a/core/migrations/0039_alter_systemsetting_options.py b/core/migrations/0039_alter_systemsetting_options.py
new file mode 100644
index 0000000..1670ce2
--- /dev/null
+++ b/core/migrations/0039_alter_systemsetting_options.py
@@ -0,0 +1,17 @@
+# Generated by Django 5.2.7 on 2026-02-11 17:19
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('core', '0038_alter_systemsetting_options'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='systemsetting',
+            options={'permissions': [('view_dashboard', 'Can view dashboard'), ('view_pos', 'Can access POS'), ('view_reports', 'Can view reports'), ('view_accounting', 'Can view accounting'), ('view_hr', 'Can view HR'), ('view_inventory', 'Can view inventory'), ('view_sales', 'Can view sales'), ('view_purchases', 'Can view purchases'), ('view_customers', 'Can view customers'), ('view_suppliers', 'Can view suppliers'), ('view_expenses', 'Can view expenses'), ('view_lpo', 'Can view LPO'), ('view_quotations', 'Can view quotations'), ('view_system', 'Can view system settings')], 'verbose_name': 'System & App Access', 'verbose_name_plural': 'System & App Access'},
+        ),
+    ]
diff --git a/core/models.py b/core/models.py
index f8a7dc0..aaa7dde 100644
--- a/core/models.py
+++ b/core/models.py
@@ -415,6 +415,8 @@ class SystemSetting(models.Model):
     allow_zero_stock_sales = models.BooleanField(_("Allow selling items with 0 stock"), default=False)
     class Meta:
+        verbose_name = _("System & App Access")
+        verbose_name_plural = _("System & App Access")
         permissions = [
             ("view_dashboard", "Can view dashboard"),
             ("view_pos", "Can access POS"),
@@ -429,6 +431,7 @@ class SystemSetting(models.Model):
             ("view_expenses", "Can view expenses"),
             ("view_lpo", "Can view LPO"),
             ("view_quotations", "Can view quotations"),
+            ("view_system", "Can view system settings"),
         ]
     def __str__(self):
diff --git a/core/templates/base.html b/core/templates/base.html
index 245a880..c60e529 100644
--- a/core/templates/base.html
+++ b/core/templates/base.html
@@ -328,7 +328,7 @@
 {% endif %}
-{% if user.is_staff %}
+{% if user.is_staff or perms.core.view_system %}
 {% endif %}
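Review bot: The new `verbose_name = _("System & App Access")` renames how the admin presents the SystemSetting model itself, not only the permission picker, and nothing records why app-wide access permissions are hung on this particular model; a comment above `class Meta:` such as `# App-wide access permissions live on this model so they appear under one heading in the admin permission picker; the verbose_name is chosen for that listing` would capture both decisions (that purpose is inferred from the change, so adjust it if the intent differs). The permission labels, including the added `("view_system", "Can view system settings")`, are plain strings while the verbose_name is wrapped in `_()`; Django accepts lazy translations for those labels, so wrapping them keeps the i18n treatment consistent within Meta. The second core/models.py hunk has the same label point.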
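Review bot: Hiding the navigation entry behind `perms.core.view_system` changes only what is rendered; the view it links to must enforce the same rule, and this diff adds checks for `core.view_reports` on the report views but shows no view gated on `core.view_system`. If that view still relies on `@login_required` alone (it is not visible here), any authenticated user who knows the URL still reaches it, so it should carry the equivalent check, e.g. `@user_passes_test(lambda u: u.is_staff or u.has_perm('core.view_system'))`. The link markup between the `{% if %}` and `{% endif %}` did not survive extraction, so the hunk is read as its 7/7 line counts describe it.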
diff --git a/core/views.py b/core/views.py
index a641c24..4bfb7ba 100644
--- a/core/views.py
+++ b/core/views.py
@@ -1031,7 +1031,11 @@ def expense_category_delete_view(request, pk):
 @login_required
 def expense_report(request):
-    return render(request, 'core/expense_report.html')
+    if not (request.user.is_staff or request.user.has_perm('core.view_reports')):
+        messages.error(request, _("You do not have permission to view reports."))
+        return redirect('index')
+    start_date = request.GET.get('start_date')
+    end_date = request.GET.get('end_date')
 @login_required
 def export_expenses_excel(request):
@@ -1041,10 +1045,16 @@ def export_expenses_excel(request):
 @login_required
 def reports(request):
+    if not (request.user.is_staff or request.user.has_perm('core.view_reports')):
+        messages.error(request, _("You do not have permission to view reports."))
+        return redirect('index')
     return render(request, 'core/reports.html')
 @login_required
 def customer_statement(request):
+    if not (request.user.is_staff or request.user.has_perm('core.view_reports')):
+        messages.error(request, _("You do not have permission to view reports."))
+        return redirect('index')
     customers = Customer.objects.all().order_by('name')
     selected_customer = None
     sales = []
@@ -1090,6 +1100,9 @@ def customer_statement(request):
 @login_required
 def supplier_statement(request):
+    if not (request.user.is_staff or request.user.has_perm('core.view_reports')):
+        messages.error(request, _("You do not have permission to view reports."))
+        return redirect('index')
     suppliers = Supplier.objects.all().order_by('name')
     selected_supplier = None
     purchases = []
@@ -1135,6 +1148,9 @@ def supplier_statement(request):
 @login_required
 def cashflow_report(request):
+    if not (request.user.is_staff or request.user.has_perm('core.view_reports')):
+        messages.error(request, _("You do not have permission to view reports."))
+        return redirect('index')
     start_date = request.GET.get('start_date')
     end_date = request.GET.get('end_date')
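Review bot: expense_report no longer returns a response for an authorised user: the first hunk deletes `return render(request, 'core/expense_report.html')`, the added lines stop at `end_date = request.GET.get('end_date')`, and the context then goes straight to `@login_required` / `def export_expenses_excel` (the 7/11 line counts leave no room for anything else), so the view falls off the end, returns `None`, and Django raises `ValueError: The view core.views.expense_report didn't return an HttpResponse object`. If the date filtering is still being written, close the function with at least `return render(request, 'core/expense_report.html', {'start_date': start_date, 'end_date': end_date})`; otherwise restore the removed `return render(...)` line. The remaining hunks in this file (reports, customer_statement, supplier_statement, cashflow_report) keep their existing return paths and are fine on that point; `redirect('index')` assumes a URL named `index` exists, which I cannot confirm from here.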