diff --git a/app/controllers/concerns/foreman_wds/hosts_controller_extensions.rb b/app/controllers/concerns/foreman_wds/hosts_controller_extensions.rb
index c15211b5ee255394d3293068109689c84a952aa3..dd9897a327ed7abc48f99ce89f3a6760eca2e0dd 100644
--- a/app/controllers/concerns/foreman_wds/hosts_controller_extensions.rb
+++ b/app/controllers/concerns/foreman_wds/hosts_controller_extensions.rb
@@ -14,5 +14,14 @@ module ForemanWds
 
       super(top_level_hash)
     end
+
+    def action_permission
+      case params[:action]
+      when 'wds_server_selected', 'wds_image_selected'
+        :edit
+      else
+        super
+      end
+    end
   end
 end
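Review bot: `action_permission` in this concern carries no comment, and the two action names are repeated as strings in `lib/foreman_wds/engine.rb`, so a rename in one place would silently fall through to `super`. I would add `# WDS form callbacks are authorized as host edits; names must match those appended to edit_hosts in engine.rb` above the method. The enclosing module begins outside the hunk, so whether it is prepended into the hosts controller (which the `super` call relies on) cannot be checked from here.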
diff --git a/app/controllers/wds_servers_controller.rb b/app/controllers/wds_servers_controller.rb
index 89587e83257eadd8b48d1664a4437386eb6bacbc..590c46ed58b41d838510318280ef4ca77178575f 100644
--- a/app/controllers/wds_servers_controller.rb
+++ b/app/controllers/wds_servers_controller.rb
@@ -77,4 +77,15 @@ class WdsServersController < ::ApplicationController
   def find_server
     @wds_server = WdsServer.find(params[:id])
   end
+
+  def action_permission
+    case params[:action]
+    when 'wds_clients', 'wds_images'
+      :view
+    when 'test_connection', 'refresh_cache', 'delete_wds_client'
+      :edit
+    else
+      super
+    end
+  end
 end
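Review bot: The new `action_permission` mapping only matters where the record is loaded through a permission-scoped lookup, and the `find_server` shown just above it does a plain `WdsServer.find(params[:id])`. If `find_server` is the before_action for `test_connection`, `refresh_cache` and `delete_wds_client` (the filter declarations are outside this hunk), role filters that limit which servers a user may edit would not be applied to the loaded record. Consider `@wds_server = WdsServer.authorized(:"#{action_permission}_wds_servers").find(params[:id])`, assuming `WdsServer` includes Foreman's `Authorizable`, or loading through Foreman's `find_resource`. A one-line comment that the action names must match the `security_block` in `lib/foreman_wds/engine.rb` would also help the next reader.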
diff --git a/lib/foreman_wds/engine.rb b/lib/foreman_wds/engine.rb
index ad8f7b5b527dec601ae1b747ec2717feeed2e0aa..3a5be0415da576476802c3e5b006532f73bc7a42 100644
--- a/lib/foreman_wds/engine.rb
+++ b/lib/foreman_wds/engine.rb
@@ -17,6 +17,33 @@ module ForemanWds
       Foreman::Plugin.register :foreman_wds do
         requires_foreman '>= 1.16'
 
+        security_block :foreman_wds do
+          permission :view_wds_servers, {
+            wds_servers: %i[index show auto_complete_search wds_clients wds_images]
+          }, resource_type: 'WdsServer'
+          permission :create_wds_servers, {
+            wds_servers: %i[create new]
+          }, resource_type: 'WdsServer'
+          permission :edit_wds_servers, {
+            wds_servers: %i[edit update test_connection refresh_cache delete_wds_client]
+          }, resource_type: 'WdsServer'
+          permission :destroy_wds_servers, {
+            wds_servers: %i[destroy]
+          }, resource_type: 'WdsServer'
+
+          # permission :edit_hosts, {
+          #   hosts: %i[wds_server_selected wds_image_selected]
+          # }, resource_type: 'Host'
+        end
+
+        Foreman::AccessControl.permissions(:edit_hosts).actions.concat [
+          'hosts/wds_server_selected', 'hosts/wds_image_selected'
+        ]
+
+        role 'WDS Server Manager', %i[view_wds_servers create_wds_servers edit_wds_servers destroy_wds_servers]
+
+        add_all_permissions_to_default_roles
+
         # add menu entry
         menu :top_menu, :wds_servers,
              url_hash: { controller: :wds_servers, action: :index },
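Review bot: The `Foreman::AccessControl.permissions(:edit_hosts).actions.concat [...]` statement edits a core permission's action list in place, outside the `security_block`, and nothing records why the commented-out `permission :edit_hosts` variant was dropped. Please confirm against the supported Foreman versions that `permissions` accepts a name and returns a single permission object, since a nil or a collection here would fail at plugin registration. Only `edit_hosts` is extended, so if the two callbacks are also reached from the new-host form, a user holding `create_hosts` alone would presumably be refused. I would replace the dead comment with `# WDS host-form callbacks are attached to core edit_hosts; keep in sync with HostsControllerExtensions#action_permission`.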