EPIC Goal

Currently, RBAC in RHDH secures Plugin APIs, Backend data access and Route-level authorization. However, the uers still see sidebar links for plugins they cannot access, entity tabs appear even when the user lacks permission and clicking restricted items leads to 403 or empty states.

This creates confusing UX and compliance concerns

We need UI-level visibility control aligned with RBAC policy decisions.

Background/Feature Origin

Why is this important?

Users should not see links that lead to "Access Denied"

User Scenarios

Dependencies (internal and external)

Acceptance Criteria

• Sidebar items are rendered only if the user has permission to view it
• Tabs are hidden when unauthorized
• Attempting to manually navigate to a URL for a hidden page, the user should be redirected to a standard "404 Not Found" or "Unauthorized" page rather than seeing a broken UI shell.

Out of Scope (Optional)

• Component-level Hiding: Hiding individual buttons or fields within a specific page (this should be handled by the individual plugin's internal logic).

• Conditional Visibility based on Entity Metadata: Hiding tabs based on specific labels or annotations within a catalog-info.yaml (this is existing Backstage functionality; this ticket focuses on RBAC integration).