diff --git a/spp_area/README.rst b/spp_area/README.rst
index bd8dfabb..3798a92b 100644
--- a/spp_area/README.rst
+++ b/spp_area/README.rst
@@ -140,6 +140,14 @@ Dependencies
 Changelog
 =========
 
+19.0.2.0.1
+~~~~~~~~~~
+
+- fix(security): grant ``group_area_viewer`` (read-only) to
+  spp_user_roles support roles (Global Support, Global Support Manager,
+  Local Support) so they can browse area records per the OP#951 menu
+  audit.
+
 19.0.2.0.0
 ~~~~~~~~~~
 
diff --git a/spp_area/__manifest__.py b/spp_area/__manifest__.py
index 29ef826e..ea8d9533 100644
--- a/spp_area/__manifest__.py
+++ b/spp_area/__manifest__.py
@@ -6,7 +6,7 @@
     "name": "OpenSPP Area Management",
     "summary": "Establishes direct associations between OpenSPP registrants, beneficiary groups, and their corresponding geographical administrative areas. It validates registrant-area linkages against official area types, ensuring data integrity and enabling targeted program delivery and analysis.",
     "category": "OpenSPP/Core",
-    "version": "19.0.2.0.0",
+    "version": "19.0.2.0.1",
     "sequence": 1,
     "author": "OpenSPP.org",
     "website": "https://github.com/OpenSPP/OpenSPP2",
@@ -33,6 +33,7 @@
         "security/privileges.xml",
         "security/groups.xml",
         "security/ir.model.access.csv",
+        "data/user_roles.xml",
         "wizard/area_import_language_wizard_views.xml",
         "views/area_base.xml",
         "views/area_tag.xml",
diff --git a/spp_area/data/user_roles.xml b/spp_area/data/user_roles.xml
new file mode 100644
index 00000000..9597d31d
--- /dev/null
+++ b/spp_area/data/user_roles.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+Part of OpenSPP. See LICENSE file for full copyright and licensing details.
+
+Role extensions: grant `group_area_viewer` (read-only) to spp_user_roles support
+roles whose audited menu visibility should include "Area" (OP#951).
+
+System Admin sees the menu via `spp_security.group_spp_admin` → `group_area_manager`.
+-->
+<odoo noupdate="1">
+    <record id="spp_user_roles.global_role_support" model="res.users.role">
+        <field name="implied_ids" eval="[Command.link(ref('group_area_viewer'))]" />
+    </record>
+    <record id="spp_user_roles.global_role_support_manager" model="res.users.role">
+        <field name="implied_ids" eval="[Command.link(ref('group_area_viewer'))]" />
+    </record>
+    <record id="spp_user_roles.local_role_support" model="res.users.role">
+        <field name="implied_ids" eval="[Command.link(ref('group_area_viewer'))]" />
+    </record>
+</odoo>
diff --git a/spp_area/readme/HISTORY.md b/spp_area/readme/HISTORY.md
index 4aaf9afe..618438f5 100644
--- a/spp_area/readme/HISTORY.md
+++ b/spp_area/readme/HISTORY.md
@@ -1,3 +1,7 @@
+### 19.0.2.0.1
+
+- fix(security): grant `group_area_viewer` (read-only) to spp_user_roles support roles (Global Support, Global Support Manager, Local Support) so they can browse area records per the OP#951 menu audit.
+
 ### 19.0.2.0.0
 
 - Initial migration to OpenSPP2
diff --git a/spp_area/static/description/index.html b/spp_area/static/description/index.html
index 131f7568..c560d902 100644
--- a/spp_area/static/description/index.html
+++ b/spp_area/static/description/index.html
@@ -537,6 +537,15 @@ <h2><a class="toc-backref" href="#toc-entry-1">Changelog</a></h2>
 </div>
 </div>
 <div class="section" id="section-1">
+<h1>19.0.2.0.1</h1>
+<ul class="simple">
+<li>fix(security): grant <tt class="docutils literal">group_area_viewer</tt> (read-only) to
+spp_user_roles support roles (Global Support, Global Support Manager,
+Local Support) so they can browse area records per the OP#951 menu
+audit.</li>
+</ul>
+</div>
+<div class="section" id="section-2">
 <h1>19.0.2.0.0</h1>
 <ul class="simple">
 <li>Initial migration to OpenSPP2</li>
diff --git a/spp_base_common/README.rst b/spp_base_common/README.rst
index ad40b624..be0d2e0a 100644
--- a/spp_base_common/README.rst
+++ b/spp_base_common/README.rst
@@ -120,6 +120,21 @@ Dependencies
 Changelog
 =========
 
+19.0.2.0.1
+~~~~~~~~~~
+
+- fix(security): add ``groups="base.group_system"`` to the existing
+  ``<menuitem id="base.menu_management" />`` override in
+  ``views/main_view.xml``. Out of the box the Apps top-level menu has no
+  group restriction and is visible to every logged-in user, violating
+  the OP#951 audit's ``Apps: no`` rows. The override here is the single
+  authoritative declaration for this menu's attributes in the OpenSPP
+  install (sequence, custom OpenSPP icon, and now group_ids); doing the
+  gating anywhere upstream (e.g. a ``post_init_hook`` in
+  ``spp_security``) is unreliable because this ``<menuitem>`` reload
+  re-writes the record without a ``groups`` attribute and resets
+  ``group_ids`` to empty.
+
 19.0.2.0.0
 ~~~~~~~~~~
 
diff --git a/spp_base_common/__manifest__.py b/spp_base_common/__manifest__.py
index 6cda488f..7c74a003 100644
--- a/spp_base_common/__manifest__.py
+++ b/spp_base_common/__manifest__.py
@@ -5,7 +5,7 @@
 {
     "name": "OpenSPP Base (Common)",
     "category": "OpenSPP/Core",
-    "version": "19.0.2.0.0",
+    "version": "19.0.2.0.1",
     "sequence": 1,
     "author": "OpenSPP.org",
     "website": "https://github.com/OpenSPP/OpenSPP2",
diff --git a/spp_base_common/readme/HISTORY.md b/spp_base_common/readme/HISTORY.md
index 4aaf9afe..44df7f97 100644
--- a/spp_base_common/readme/HISTORY.md
+++ b/spp_base_common/readme/HISTORY.md
@@ -1,3 +1,7 @@
+### 19.0.2.0.1
+
+- fix(security): add `groups="base.group_system"` to the existing `<menuitem id="base.menu_management" />` override in `views/main_view.xml`. Out of the box the Apps top-level menu has no group restriction and is visible to every logged-in user, violating the OP#951 audit's `Apps: no` rows. The override here is the single authoritative declaration for this menu's attributes in the OpenSPP install (sequence, custom OpenSPP icon, and now group_ids); doing the gating anywhere upstream (e.g. a `post_init_hook` in `spp_security`) is unreliable because this `<menuitem>` reload re-writes the record without a `groups` attribute and resets `group_ids` to empty.
+
 ### 19.0.2.0.0
 
 - Initial migration to OpenSPP2
diff --git a/spp_base_common/static/description/index.html b/spp_base_common/static/description/index.html
index 691cdafb..9358c6c5 100644
--- a/spp_base_common/static/description/index.html
+++ b/spp_base_common/static/description/index.html
@@ -495,6 +495,22 @@ <h2><a class="toc-backref" href="#toc-entry-1">Changelog</a></h2>
 </div>
 </div>
 <div class="section" id="section-1">
+<h1>19.0.2.0.1</h1>
+<ul class="simple">
+<li>fix(security): add <tt class="docutils literal"><span class="pre">groups=&quot;base.group_system&quot;</span></tt> to the existing
+<tt class="docutils literal">&lt;menuitem <span class="pre">id=&quot;base.menu_management&quot;</span> /&gt;</tt> override in
+<tt class="docutils literal">views/main_view.xml</tt>. Out of the box the Apps top-level menu has no
+group restriction and is visible to every logged-in user, violating
+the OP#951 audit’s <tt class="docutils literal">Apps: no</tt> rows. The override here is the single
+authoritative declaration for this menu’s attributes in the OpenSPP
+install (sequence, custom OpenSPP icon, and now group_ids); doing the
+gating anywhere upstream (e.g. a <tt class="docutils literal">post_init_hook</tt> in
+<tt class="docutils literal">spp_security</tt>) is unreliable because this <tt class="docutils literal">&lt;menuitem&gt;</tt> reload
+re-writes the record without a <tt class="docutils literal">groups</tt> attribute and resets
+<tt class="docutils literal">group_ids</tt> to empty.</li>
+</ul>
+</div>
+<div class="section" id="section-2">
 <h1>19.0.2.0.0</h1>
 <ul class="simple">
 <li>Initial migration to OpenSPP2</li>
diff --git a/spp_base_common/views/main_view.xml b/spp_base_common/views/main_view.xml
index ed189568..1cf85ac8 100644
--- a/spp_base_common/views/main_view.xml
+++ b/spp_base_common/views/main_view.xml
@@ -7,10 +7,22 @@
         sequence="-1"
     />
 
+    <!--
+        Gate the Apps top-level menu on base.group_system per the OP#951
+        role/menu audit (only System Admin should see Apps). spp_base_common
+        already overrides this menuitem to set the OpenSPP web_icon; adding
+        the groups attribute here is reliable because this <menuitem> runs
+        AFTER any upstream module's post_init_hook on fresh install AND on
+        every subsequent module upgrade. Doing the same gating from a
+        post_init_hook in an upstream module (e.g. spp_security) does not
+        survive because a later `<menuitem>` reload re-writes the record
+        without a `groups` attribute, resetting group_ids to empty.
+    -->
     <menuitem
         id="base.menu_management"
         name="Apps"
         web_icon="spp_base_common,static/description/OpenSPP-Icons-App.png"
+        groups="base.group_system"
     />
     <menuitem
         id="base.menu_administration"
diff --git a/spp_change_request_v2/README.rst b/spp_change_request_v2/README.rst
index 346551e7..79f32813 100644
--- a/spp_change_request_v2/README.rst
+++ b/spp_change_request_v2/README.rst
@@ -853,6 +853,17 @@ Before declaring a new CR type complete:
 Changelog
 =========
 
+19.0.2.0.4
+~~~~~~~~~~
+
+- fix(security): align CR Requestor / CR Local Validator / CR HQ
+  Validator roles with the OP#951 menu audit — replace the
+  ``spp_registry.group_registry_read`` (Tier-3, no menu) link with
+  ``spp_registry.group_registry_viewer`` so these roles see the Registry
+  menu; add ``spp_hazard.group_hazard_viewer`` so they retain Hazard
+  visibility once the menu root is gated. Adds ``spp_hazard`` to module
+  dependencies.
+
 19.0.2.0.3
 ~~~~~~~~~~
 
diff --git a/spp_change_request_v2/__manifest__.py b/spp_change_request_v2/__manifest__.py
index c565429a..1b6bdc64 100644
--- a/spp_change_request_v2/__manifest__.py
+++ b/spp_change_request_v2/__manifest__.py
@@ -1,6 +1,6 @@
 {
     "name": "OpenSPP Change Request V2",
-    "version": "19.0.2.0.3",
+    "version": "19.0.2.0.4",
     "sequence": 50,
     "category": "OpenSPP",
     "summary": "Configuration-driven change request system with UX improvements, conflict detection and duplicate prevention",
@@ -16,6 +16,7 @@
         "spp_security",
         "spp_approval",
         "spp_event_data",
+        "spp_hazard",
         "spp_dms",
         "spp_vocabulary",
     ],
diff --git a/spp_change_request_v2/data/user_roles.xml b/spp_change_request_v2/data/user_roles.xml
index 041c3788..c8e4e736 100644
--- a/spp_change_request_v2/data/user_roles.xml
+++ b/spp_change_request_v2/data/user_roles.xml
@@ -18,7 +18,8 @@ User roles for Change Request module.
             eval="[
                 Command.link(ref('base.group_user')),
                 Command.link(ref('group_cr_manager')),
-                Command.link(ref('spp_registry.group_registry_read')),
+                Command.link(ref('spp_registry.group_registry_viewer')),
+                Command.link(ref('spp_hazard.group_hazard_viewer')),
             ]"
         />
     </record>
@@ -34,7 +35,8 @@ User roles for Change Request module.
             eval="[
                 Command.link(ref('base.group_user')),
                 Command.link(ref('group_cr_validator')),
-                Command.link(ref('spp_registry.group_registry_read')),
+                Command.link(ref('spp_registry.group_registry_viewer')),
+                Command.link(ref('spp_hazard.group_hazard_viewer')),
             ]"
         />
     </record>
@@ -50,7 +52,8 @@ User roles for Change Request module.
             eval="[
                 Command.link(ref('base.group_user')),
                 Command.link(ref('group_cr_validator_hq')),
-                Command.link(ref('spp_registry.group_registry_read')),
+                Command.link(ref('spp_registry.group_registry_viewer')),
+                Command.link(ref('spp_hazard.group_hazard_viewer')),
             ]"
         />
     </record>
diff --git a/spp_change_request_v2/readme/HISTORY.md b/spp_change_request_v2/readme/HISTORY.md
index 387d84da..bceb4822 100644
--- a/spp_change_request_v2/readme/HISTORY.md
+++ b/spp_change_request_v2/readme/HISTORY.md
@@ -1,3 +1,7 @@
+### 19.0.2.0.4
+
+- fix(security): align CR Requestor / CR Local Validator / CR HQ Validator roles with the OP#951 menu audit — replace the `spp_registry.group_registry_read` (Tier-3, no menu) link with `spp_registry.group_registry_viewer` so these roles see the Registry menu; add `spp_hazard.group_hazard_viewer` so they retain Hazard visibility once the menu root is gated. Adds `spp_hazard` to module dependencies.
+
 ### 19.0.2.0.3
 
 - fix: add HTML escaping to all computed Html fields with `sanitize=False` to prevent stored XSS (#50)
diff --git a/spp_change_request_v2/static/description/index.html b/spp_change_request_v2/static/description/index.html
index f8bf3e1a..9aed876c 100644
--- a/spp_change_request_v2/static/description/index.html
+++ b/spp_change_request_v2/static/description/index.html
@@ -1339,26 +1339,38 @@ <h2>Changelog</h2>
 </div>
 </div>
 <div class="section" id="section-1">
+<h1>19.0.2.0.4</h1>
+<ul class="simple">
+<li>fix(security): align CR Requestor / CR Local Validator / CR HQ
+Validator roles with the OP#951 menu audit — replace the
+<tt class="docutils literal">spp_registry.group_registry_read</tt> (Tier-3, no menu) link with
+<tt class="docutils literal">spp_registry.group_registry_viewer</tt> so these roles see the Registry
+menu; add <tt class="docutils literal">spp_hazard.group_hazard_viewer</tt> so they retain Hazard
+visibility once the menu root is gated. Adds <tt class="docutils literal">spp_hazard</tt> to module
+dependencies.</li>
+</ul>
+</div>
+<div class="section" id="section-2">
 <h1>19.0.2.0.3</h1>
 <ul class="simple">
 <li>fix: add HTML escaping to all computed Html fields with
 <tt class="docutils literal">sanitize=False</tt> to prevent stored XSS (#50)</li>
 </ul>
 </div>
-<div class="section" id="section-2">
+<div class="section" id="section-3">
 <h1>19.0.2.0.2</h1>
 <ul class="simple">
 <li>fix: fix batch approval wizard line deletion (#130)</li>
 </ul>
 </div>
-<div class="section" id="section-3">
+<div class="section" id="section-4">
 <h1>19.0.2.0.1</h1>
 <ul class="simple">
 <li>fix: skip field types before getattr and isolate detail prefetch
 (#129)</li>
 </ul>
 </div>
-<div class="section" id="section-4">
+<div class="section" id="section-5">
 <h1>19.0.2.0.0</h1>
 <ul class="simple">
 <li>Initial migration to OpenSPP2</li>
diff --git a/spp_farmer_registry/README.rst b/spp_farmer_registry/README.rst
index bcfad58f..8a8edce9 100644
--- a/spp_farmer_registry/README.rst
+++ b/spp_farmer_registry/README.rst
@@ -68,6 +68,16 @@ Model                 Description
 Changelog
 =========
 
+19.0.2.0.2
+~~~~~~~~~~
+
+- fix(security): align Farm User / Farm Manager roles with the OP#951
+  menu audit — both farm roles now imply
+  ``spp_hazard.group_hazard_viewer`` and
+  ``spp_gis_report.group_gis_report_user`` so they retain Hazard and GIS
+  Reports menu visibility once those menu roots are gated. Adds
+  ``spp_hazard`` and ``spp_gis_report`` to module dependencies.
+
 19.0.2.0.1
 ~~~~~~~~~~
 
diff --git a/spp_farmer_registry/__manifest__.py b/spp_farmer_registry/__manifest__.py
index 853f77b5..e17bfd40 100644
--- a/spp_farmer_registry/__manifest__.py
+++ b/spp_farmer_registry/__manifest__.py
@@ -3,7 +3,7 @@
     "name": "OpenSPP Farmer Registry",
     "summary": "Farmer Registry with vocabulary-based fields, CEL variables, and Logic Studio integration",
     "category": "OpenSPP",
-    "version": "19.0.2.0.1",
+    "version": "19.0.2.0.2",
     "sequence": 1,
     "author": "OpenSPP.org",
     "website": "https://github.com/OpenSPP/OpenSPP2",
@@ -26,6 +26,9 @@
         "spp_land_record",
         "spp_irrigation",
         "spp_gis",
+        # OP#951 menu audit — roles get hazard / GIS reports menu access
+        "spp_hazard",
+        "spp_gis_report",
     ],
     "excludes": [
         "spp_base_farmer_registry",  # V1 module - incompatible _inherits definitions
diff --git a/spp_farmer_registry/data/user_roles.xml b/spp_farmer_registry/data/user_roles.xml
index b4dda081..5007e1a5 100644
--- a/spp_farmer_registry/data/user_roles.xml
+++ b/spp_farmer_registry/data/user_roles.xml
@@ -17,6 +17,8 @@
                 Command.link(ref('base.group_user')),
                 Command.link(ref('group_spp_farm_user')),
                 Command.link(ref('spp_registry.group_registry_officer')),
+                Command.link(ref('spp_hazard.group_hazard_viewer')),
+                Command.link(ref('spp_gis_report.group_gis_report_user')),
             ]"
         />
     </record>
@@ -35,6 +37,8 @@
                 Command.link(ref('group_spp_farm_manager')),
                 Command.link(ref('spp_irrigation.group_irrigation_manager')),
                 Command.link(ref('spp_registry.group_registry_manager')),
+                Command.link(ref('spp_hazard.group_hazard_viewer')),
+                Command.link(ref('spp_gis_report.group_gis_report_user')),
             ]"
         />
     </record>
diff --git a/spp_farmer_registry/readme/HISTORY.md b/spp_farmer_registry/readme/HISTORY.md
index 6b85f6dd..e3389d0a 100644
--- a/spp_farmer_registry/readme/HISTORY.md
+++ b/spp_farmer_registry/readme/HISTORY.md
@@ -1,3 +1,7 @@
+### 19.0.2.0.2
+
+- fix(security): align Farm User / Farm Manager roles with the OP#951 menu audit — both farm roles now imply `spp_hazard.group_hazard_viewer` and `spp_gis_report.group_gis_report_user` so they retain Hazard and GIS Reports menu visibility once those menu roots are gated. Adds `spp_hazard` and `spp_gis_report` to module dependencies.
+
 ### 19.0.2.0.1
 
 - fix(views): apply `spp_registry.x2many_no_padding` widget to the farm activities list on farm forms — removes the four empty placeholder rows Odoo 19 inserts on inline list-in-form views (#943).
diff --git a/spp_farmer_registry/static/description/index.html b/spp_farmer_registry/static/description/index.html
index 4b3f827b..02339a1f 100644
--- a/spp_farmer_registry/static/description/index.html
+++ b/spp_farmer_registry/static/description/index.html
@@ -436,6 +436,17 @@ <h2><a class="toc-backref" href="#toc-entry-1">Changelog</a></h2>
 </div>
 </div>
 <div class="section" id="section-1">
+<h1>19.0.2.0.2</h1>
+<ul class="simple">
+<li>fix(security): align Farm User / Farm Manager roles with the OP#951
+menu audit — both farm roles now imply
+<tt class="docutils literal">spp_hazard.group_hazard_viewer</tt> and
+<tt class="docutils literal">spp_gis_report.group_gis_report_user</tt> so they retain Hazard and GIS
+Reports menu visibility once those menu roots are gated. Adds
+<tt class="docutils literal">spp_hazard</tt> and <tt class="docutils literal">spp_gis_report</tt> to module dependencies.</li>
+</ul>
+</div>
+<div class="section" id="section-2">
 <h1>19.0.2.0.1</h1>
 <ul class="simple">
 <li>fix(views): apply <tt class="docutils literal">spp_registry.x2many_no_padding</tt> widget to the
@@ -443,7 +454,7 @@ <h1>19.0.2.0.1</h1>
 placeholder rows Odoo 19 inserts on inline list-in-form views (#943).</li>
 </ul>
 </div>
-<div class="section" id="section-2">
+<div class="section" id="section-3">
 <h1>19.0.2.0.0</h1>
 <ul class="simple">
 <li>Initial migration to OpenSPP2</li>
diff --git a/spp_gis_report/README.rst b/spp_gis_report/README.rst
index 4c2b22e7..a4779a87 100644
--- a/spp_gis_report/README.rst
+++ b/spp_gis_report/README.rst
@@ -151,6 +151,20 @@ Dependencies
 Changelog
 =========
 
+19.0.2.0.1
+~~~~~~~~~~
+
+- fix(security): grant ``group_gis_report_user`` to spp_user_roles'
+  Global Program Manager role so the OP#951 menu audit expectation
+  (Program Manager sees GIS Reports) is preserved once the GIS Reports
+  menu root is gated.
+- fix(views): gate the "GIS Reports" top-level menu
+  (``menu_gis_report_root``) on ``group_gis_report_user``. Previously
+  visible to every logged-in user; the OP#951 audit requires several
+  roles to NOT see it (Registry Viewer, Global Finance, Global Support,
+  Global Support Manager, Local Support, Global Registrar, Local
+  Registrar, CR roles).
+
 19.0.2.0.0
 ~~~~~~~~~~
 
diff --git a/spp_gis_report/__manifest__.py b/spp_gis_report/__manifest__.py
index 8a5e6d0c..997f8197 100644
--- a/spp_gis_report/__manifest__.py
+++ b/spp_gis_report/__manifest__.py
@@ -1,6 +1,6 @@
 {
     "name": "OpenSPP GIS Reports",
-    "version": "19.0.2.0.0",
+    "version": "19.0.2.0.1",
     "category": "OpenSPP",
     "summary": "Geographic visualization and reporting for social protection data",
     "author": "OpenSPP.org, OpenSPP",
@@ -26,6 +26,7 @@
         "security/ir.model.access.csv",
         # Data
         "data/gis_report_category_data.xml",
+        "data/user_roles.xml",
         "data/templates/coverage_templates.xml",
         "data/templates/disaster_templates.xml",
         "data/templates/demographic_templates.xml",
diff --git a/spp_gis_report/data/user_roles.xml b/spp_gis_report/data/user_roles.xml
new file mode 100644
index 00000000..f34da6eb
--- /dev/null
+++ b/spp_gis_report/data/user_roles.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+Part of OpenSPP. See LICENSE file for full copyright and licensing details.
+
+Role extensions: grant `group_gis_report_user` (read tier) to spp_user_roles
+roles whose audited menu visibility should include "GIS Reports" (OP#951).
+
+System Admin sees the menu via `spp_security.group_spp_admin` → `group_gis_report_manager`
+(wired in `spp_gis_report/security/groups.xml`).
+
+Roles defined in spp_programs / spp_farmer_registry have their gis_report_user
+extensions in those modules' own user_roles.xml.
+-->
+<odoo noupdate="1">
+    <record id="spp_user_roles.global_role_program_manager" model="res.users.role">
+        <field name="implied_ids" eval="[Command.link(ref('group_gis_report_user'))]" />
+    </record>
+</odoo>
diff --git a/spp_gis_report/readme/HISTORY.md b/spp_gis_report/readme/HISTORY.md
index 4aaf9afe..d519fd50 100644
--- a/spp_gis_report/readme/HISTORY.md
+++ b/spp_gis_report/readme/HISTORY.md
@@ -1,3 +1,8 @@
+### 19.0.2.0.1
+
+- fix(security): grant `group_gis_report_user` to spp_user_roles' Global Program Manager role so the OP#951 menu audit expectation (Program Manager sees GIS Reports) is preserved once the GIS Reports menu root is gated.
+- fix(views): gate the "GIS Reports" top-level menu (`menu_gis_report_root`) on `group_gis_report_user`. Previously visible to every logged-in user; the OP#951 audit requires several roles to NOT see it (Registry Viewer, Global Finance, Global Support, Global Support Manager, Local Support, Global Registrar, Local Registrar, CR roles).
+
 ### 19.0.2.0.0
 
 - Initial migration to OpenSPP2
diff --git a/spp_gis_report/static/description/index.html b/spp_gis_report/static/description/index.html
index 84ca57a7..19db8e2c 100644
--- a/spp_gis_report/static/description/index.html
+++ b/spp_gis_report/static/description/index.html
@@ -531,6 +531,21 @@ <h2><a class="toc-backref" href="#toc-entry-1">Changelog</a></h2>
 </div>
 </div>
 <div class="section" id="section-1">
+<h1>19.0.2.0.1</h1>
+<ul class="simple">
+<li>fix(security): grant <tt class="docutils literal">group_gis_report_user</tt> to spp_user_roles’
+Global Program Manager role so the OP#951 menu audit expectation
+(Program Manager sees GIS Reports) is preserved once the GIS Reports
+menu root is gated.</li>
+<li>fix(views): gate the “GIS Reports” top-level menu
+(<tt class="docutils literal">menu_gis_report_root</tt>) on <tt class="docutils literal">group_gis_report_user</tt>. Previously
+visible to every logged-in user; the OP#951 audit requires several
+roles to NOT see it (Registry Viewer, Global Finance, Global Support,
+Global Support Manager, Local Support, Global Registrar, Local
+Registrar, CR roles).</li>
+</ul>
+</div>
+<div class="section" id="section-2">
 <h1>19.0.2.0.0</h1>
 <ul class="simple">
 <li>Initial migration to OpenSPP2</li>
diff --git a/spp_gis_report/views/menu.xml b/spp_gis_report/views/menu.xml
index 93b57139..328a7489 100644
--- a/spp_gis_report/views/menu.xml
+++ b/spp_gis_report/views/menu.xml
@@ -11,6 +11,7 @@ Part of OpenSPP. See LICENSE file for full copyright and licensing details.
         name="GIS Reports"
         web_icon="spp_gis_report,static/description/OpenSPP-GIS-Reports-Menu-Icons.png"
         sequence="50"
+        groups="spp_gis_report.group_gis_report_user"
     />
 
     <!-- ========================================== -->
diff --git a/spp_grm/README.rst b/spp_grm/README.rst
index c40c98e9..d3502d33 100644
--- a/spp_grm/README.rst
+++ b/spp_grm/README.rst
@@ -153,6 +153,17 @@ Dependencies
 Changelog
 =========
 
+19.0.2.0.1
+~~~~~~~~~~
+
+- fix(views): gate the "Helpdesk" top-level menu
+  (``spp_grm_ticket_main_menu``) on ``group_grm_viewer``. Previously the
+  root menu had no ``groups=`` attribute and was visible to every
+  logged-in user; the OP#951 menu audit requires several roles to NOT
+  see it (Registry Viewer, Global Finance, Global Program Manager,
+  Program Viewer/Validator/Cycle Approver, Global Registrar, CR roles,
+  Farm User/Manager).
+
 19.0.2.0.0
 ~~~~~~~~~~
 
diff --git a/spp_grm/__manifest__.py b/spp_grm/__manifest__.py
index f378571c..179c4300 100644
--- a/spp_grm/__manifest__.py
+++ b/spp_grm/__manifest__.py
@@ -3,7 +3,7 @@
 {
     "name": "OpenSPP - Grievance Redress Mechanism",
     "summary": "Provides a centralized Grievance Redress Mechanism for receiving, tracking, and resolving beneficiary complaints and feedback. It supports multi-channel submission, manages resolution workflows through customizable stages, and links grievances directly to individual or group registrants.",
-    "version": "19.0.2.0.0",
+    "version": "19.0.2.0.1",
     "sequence": 1,
     "author": "OpenSPP.org",
     "website": "https://github.com/OpenSPP/OpenSPP2",
diff --git a/spp_grm/readme/HISTORY.md b/spp_grm/readme/HISTORY.md
index 4aaf9afe..ffafdb8f 100644
--- a/spp_grm/readme/HISTORY.md
+++ b/spp_grm/readme/HISTORY.md
@@ -1,3 +1,7 @@
+### 19.0.2.0.1
+
+- fix(views): gate the "Helpdesk" top-level menu (`spp_grm_ticket_main_menu`) on `group_grm_viewer`. Previously the root menu had no `groups=` attribute and was visible to every logged-in user; the OP#951 menu audit requires several roles to NOT see it (Registry Viewer, Global Finance, Global Program Manager, Program Viewer/Validator/Cycle Approver, Global Registrar, CR roles, Farm User/Manager).
+
 ### 19.0.2.0.0
 
 - Initial migration to OpenSPP2
diff --git a/spp_grm/static/description/index.html b/spp_grm/static/description/index.html
index 79ed528a..0d1621de 100644
--- a/spp_grm/static/description/index.html
+++ b/spp_grm/static/description/index.html
@@ -536,6 +536,18 @@ <h2><a class="toc-backref" href="#toc-entry-1">Changelog</a></h2>
 </div>
 </div>
 <div class="section" id="section-1">
+<h1>19.0.2.0.1</h1>
+<ul class="simple">
+<li>fix(views): gate the “Helpdesk” top-level menu
+(<tt class="docutils literal">spp_grm_ticket_main_menu</tt>) on <tt class="docutils literal">group_grm_viewer</tt>. Previously the
+root menu had no <tt class="docutils literal">groups=</tt> attribute and was visible to every
+logged-in user; the OP#951 menu audit requires several roles to NOT
+see it (Registry Viewer, Global Finance, Global Program Manager,
+Program Viewer/Validator/Cycle Approver, Global Registrar, CR roles,
+Farm User/Manager).</li>
+</ul>
+</div>
+<div class="section" id="section-2">
 <h1>19.0.2.0.0</h1>
 <ul class="simple">
 <li>Initial migration to OpenSPP2</li>
diff --git a/spp_grm/views/grm_ticket_menu.xml b/spp_grm/views/grm_ticket_menu.xml
index 6dc40e4c..3a629d00 100644
--- a/spp_grm/views/grm_ticket_menu.xml
+++ b/spp_grm/views/grm_ticket_menu.xml
@@ -6,6 +6,7 @@
         name="Helpdesk"
         sequence="16"
         web_icon="spp_grm,static/description/OpenSPP-Helpdesk2-Icons.png"
+        groups="spp_grm.group_grm_viewer"
     />
 
     <menuitem
diff --git a/spp_hazard/README.rst b/spp_hazard/README.rst
index 339300f1..c65df250 100644
--- a/spp_hazard/README.rst
+++ b/spp_hazard/README.rst
@@ -1187,6 +1187,21 @@ encounter unexpected behavior, please report it as a new issue.
 Changelog
 =========
 
+19.0.2.0.2
+~~~~~~~~~~
+
+- fix(security): grant ``group_hazard_viewer`` to spp_user_roles roles
+  (Registry Viewer, Program Manager, Global/Local Registrar) that the
+  OP#951 menu audit identifies as needing read-only Hazard menu access.
+  Other affected roles defined outside this module (program/CR/farm
+  roles) are wired in their own modules.
+- fix(views): gate the "Hazard and Emergency" top-level menu
+  (``hazard_main_menu_root``) on ``group_hazard_viewer``. Previously the
+  root menu had no ``groups=`` attribute and was visible to every
+  logged-in user; the OP#951 audit requires several roles to NOT see it
+  (Global Finance, Global Support, Global Support Manager, Local
+  Support).
+
 19.0.2.0.1
 ~~~~~~~~~~
 
diff --git a/spp_hazard/__manifest__.py b/spp_hazard/__manifest__.py
index 5513c07e..336923eb 100644
--- a/spp_hazard/__manifest__.py
+++ b/spp_hazard/__manifest__.py
@@ -8,7 +8,7 @@
     "for emergency response. Links registrants to disaster events with geographic scope "
     "and severity tracking to enable targeted humanitarian assistance.",
     "category": "OpenSPP/Targeting",
-    "version": "19.0.2.0.1",
+    "version": "19.0.2.0.2",
     "sequence": 1,
     "author": "OpenSPP.org",
     "website": "https://github.com/OpenSPP/OpenSPP2",
@@ -27,6 +27,7 @@
         "security/groups.xml",
         "security/ir.model.access.csv",
         "data/impact_type_data.xml",
+        "data/user_roles.xml",
         "views/hazard_category_views.xml",
         "views/hazard_incident_views.xml",
         "views/hazard_impact_views.xml",
diff --git a/spp_hazard/data/user_roles.xml b/spp_hazard/data/user_roles.xml
new file mode 100644
index 00000000..3f695013
--- /dev/null
+++ b/spp_hazard/data/user_roles.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+Part of OpenSPP. See LICENSE file for full copyright and licensing details.
+
+Role extensions: grant `group_hazard_viewer` to spp_user_roles roles whose
+audited menu visibility should include "Hazard and Emergency" (OP#951).
+
+Roles that should NOT see Hazard per the audit (Global Finance, Global Support,
+Global Support Manager, Local Support) are intentionally omitted.
+
+System Admin sees the menu via `spp_security.group_spp_admin` → `group_hazard_manager`
+(wired in `spp_hazard/security/groups.xml`), so no extension is needed for that role.
+
+Roles defined in spp_programs / spp_change_request_v2 / spp_farmer_registry have
+their hazard-viewer extensions in those modules' own user_roles.xml (this module
+does not depend on them).
+-->
+<odoo noupdate="1">
+    <record id="spp_user_roles.global_role_registry_viewer" model="res.users.role">
+        <field name="implied_ids" eval="[Command.link(ref('group_hazard_viewer'))]" />
+    </record>
+    <record id="spp_user_roles.global_role_program_manager" model="res.users.role">
+        <field name="implied_ids" eval="[Command.link(ref('group_hazard_viewer'))]" />
+    </record>
+    <record id="spp_user_roles.global_role_registrar" model="res.users.role">
+        <field name="implied_ids" eval="[Command.link(ref('group_hazard_viewer'))]" />
+    </record>
+    <record id="spp_user_roles.local_role_registrar" model="res.users.role">
+        <field name="implied_ids" eval="[Command.link(ref('group_hazard_viewer'))]" />
+    </record>
+</odoo>
diff --git a/spp_hazard/readme/HISTORY.md b/spp_hazard/readme/HISTORY.md
index a1e8dfe4..c02593c5 100644
--- a/spp_hazard/readme/HISTORY.md
+++ b/spp_hazard/readme/HISTORY.md
@@ -1,3 +1,8 @@
+### 19.0.2.0.2
+
+- fix(security): grant `group_hazard_viewer` to spp_user_roles roles (Registry Viewer, Program Manager, Global/Local Registrar) that the OP#951 menu audit identifies as needing read-only Hazard menu access. Other affected roles defined outside this module (program/CR/farm roles) are wired in their own modules.
+- fix(views): gate the "Hazard and Emergency" top-level menu (`hazard_main_menu_root`) on `group_hazard_viewer`. Previously the root menu had no `groups=` attribute and was visible to every logged-in user; the OP#951 audit requires several roles to NOT see it (Global Finance, Global Support, Global Support Manager, Local Support).
+
 ### 19.0.2.0.1
 
 - fix(views): apply `spp_registry.x2many_no_padding` widget to the hazard impacts list on registrant forms, and hide the table when empty (showing a muted info line instead) (#943).
diff --git a/spp_hazard/static/description/index.html b/spp_hazard/static/description/index.html
index 42c0a996..e6eb4f50 100644
--- a/spp_hazard/static/description/index.html
+++ b/spp_hazard/static/description/index.html
@@ -2455,6 +2455,22 @@ <h2><a class="toc-backref" href="#toc-entry-2">Changelog</a></h2>
 </div>
 </div>
 <div class="section" id="section-1">
+<h1>19.0.2.0.2</h1>
+<ul class="simple">
+<li>fix(security): grant <tt class="docutils literal">group_hazard_viewer</tt> to spp_user_roles roles
+(Registry Viewer, Program Manager, Global/Local Registrar) that the
+OP#951 menu audit identifies as needing read-only Hazard menu access.
+Other affected roles defined outside this module (program/CR/farm
+roles) are wired in their own modules.</li>
+<li>fix(views): gate the “Hazard and Emergency” top-level menu
+(<tt class="docutils literal">hazard_main_menu_root</tt>) on <tt class="docutils literal">group_hazard_viewer</tt>. Previously the
+root menu had no <tt class="docutils literal">groups=</tt> attribute and was visible to every
+logged-in user; the OP#951 audit requires several roles to NOT see it
+(Global Finance, Global Support, Global Support Manager, Local
+Support).</li>
+</ul>
+</div>
+<div class="section" id="section-2">
 <h1>19.0.2.0.1</h1>
 <ul class="simple">
 <li>fix(views): apply <tt class="docutils literal">spp_registry.x2many_no_padding</tt> widget to the
@@ -2462,7 +2478,7 @@ <h1>19.0.2.0.1</h1>
 (showing a muted info line instead) (#943).</li>
 </ul>
 </div>
-<div class="section" id="section-2">
+<div class="section" id="section-3">
 <h1>19.0.2.0.0</h1>
 <ul class="simple">
 <li>Initial migration to OpenSPP2</li>
diff --git a/spp_hazard/views/menu.xml b/spp_hazard/views/menu.xml
index 2d93f526..fc5e6b5c 100644
--- a/spp_hazard/views/menu.xml
+++ b/spp_hazard/views/menu.xml
@@ -6,6 +6,7 @@
         name="Hazard and Emergency"
         web_icon="spp_hazard,static/description/OpenSPP-Web-Menu_Hazard__Emergency_Icon.png"
         sequence="45"
+        groups="spp_hazard.group_hazard_viewer"
     />
 
     <!-- Incidents Submenu -->
diff --git a/spp_programs/README.rst b/spp_programs/README.rst
index 0a60c52c..9a3ca880 100644
--- a/spp_programs/README.rst
+++ b/spp_programs/README.rst
@@ -254,6 +254,24 @@ Dependencies
 Changelog
 =========
 
+19.0.2.1.2
+~~~~~~~~~~
+
+- fix(security): align Program Viewer / Validator / Cycle Approver roles
+  with the OP#951 menu audit — Program Viewer additionally gets
+  ``group_registry_viewer`` + ``group_approval_viewer`` (read-only
+  Registry + Approvals access); all three program roles get
+  ``group_hazard_viewer`` + ``group_gis_report_user`` so they retain
+  Hazard / GIS Reports visibility once those menu roots are gated. Adds
+  ``spp_hazard`` and ``spp_gis_report`` to module dependencies.
+- fix(security): hide the Registry top-level menu for Global Program
+  Cycle Approver per the OP#951 audit. Swap Tier-2
+  ``spp_registry.group_registry_viewer`` (which gates the Registry menu)
+  for Tier-3 ``spp_registry.group_registry_write`` (ACL-only, no menu).
+  ``group_registry_write`` transitively implies ``group_registry_read``,
+  so the role keeps read+write access to registrant data via Programs
+  cross-references — only the dedicated top-level menu disappears.
+
 19.0.2.1.1
 ~~~~~~~~~~
 
diff --git a/spp_programs/__manifest__.py b/spp_programs/__manifest__.py
index 2b85f890..074cceee 100644
--- a/spp_programs/__manifest__.py
+++ b/spp_programs/__manifest__.py
@@ -4,7 +4,7 @@
     "name": "OpenSPP Programs",
     "summary": "Manage programs, cycles, beneficiary enrollment, entitlements (cash and in-kind), payments, and fund tracking for social protection.",
     "category": "OpenSPP/Core",
-    "version": "19.0.2.1.1",
+    "version": "19.0.2.1.2",
     "sequence": 1,
     "author": "OpenSPP.org",
     "website": "https://github.com/OpenSPP/OpenSPP2",
@@ -27,6 +27,8 @@
         "spp_user_roles",
         "spp_base_common",
         "spp_approval",
+        "spp_hazard",
+        "spp_gis_report",
         # CEL core libraries for expression-based managers
         "spp_cel_domain",
         "spp_cel_widget",
diff --git a/spp_programs/data/user_roles.xml b/spp_programs/data/user_roles.xml
index 66b6df1a..2dd46be0 100644
--- a/spp_programs/data/user_roles.xml
+++ b/spp_programs/data/user_roles.xml
@@ -12,6 +12,10 @@
             eval="[
                 Command.link(ref('base.group_user')),
                 Command.link(ref('group_programs_viewer')),
+                Command.link(ref('spp_registry.group_registry_viewer')),
+                Command.link(ref('spp_approval.group_approval_viewer')),
+                Command.link(ref('spp_hazard.group_hazard_viewer')),
+                Command.link(ref('spp_gis_report.group_gis_report_user')),
             ]"
         />
     </record>
@@ -43,12 +47,18 @@
     </record>
 
     <!-- Finance -->
+    <!--
+        Per OP#951 round-2: Finance role needs read on the full Programs menu
+        (programs / cycles / entitlements) on top of validator rights for
+        payment batches. group_programs_viewer is Tier-2 (gates the menu).
+    -->
     <record id="spp_user_roles.global_role_finance" model="res.users.role">
         <field
             name="implied_ids"
             eval="
             [
                 Command.link(ref('spp_programs.group_programs_validator')),
+                Command.link(ref('spp_programs.group_programs_viewer')),
             ]"
         />
     </record>
@@ -68,11 +78,24 @@
                 Command.link(ref('spp_registry.group_registry_viewer')),
                 Command.link(ref('spp_registry.group_registry_write')),
                 Command.link(ref('spp_approval.group_approval_approver')),
+                Command.link(ref('spp_hazard.group_hazard_viewer')),
+                Command.link(ref('spp_gis_report.group_gis_report_user')),
             ]"
         />
     </record>
 
     <!-- Program Cycle Approver -->
+    <!--
+        Registry: per OP#951 menu audit, Cycle Approver should NOT see the
+        Registry top-level menu, but must still be able to read/write
+        registrant data via Programs cross-references (e.g. opening a
+        partner form from a cycle membership line).
+
+        Solution: use Tier-3 `group_registry_write` (ACL only, no menu)
+        instead of Tier-2 `group_registry_viewer` (gates the menu).
+        `group_registry_write` transitively implies `group_registry_read`,
+        so read access is preserved.
+    -->
     <record id="global_role_program_cycle_approver" model="res.users.role">
         <field name="name">Global Program Cycle Approver</field>
         <field name="role_type">global</field>
@@ -84,9 +107,10 @@
                 Command.link(ref('base.group_user')),
                 Command.link(ref('spp_programs.group_programs_cycle_approver')),
                 Command.link(ref('spp_programs.group_programs_viewer')),
-                Command.link(ref('spp_registry.group_registry_viewer')),
                 Command.link(ref('spp_registry.group_registry_write')),
                 Command.link(ref('spp_approval.group_approval_approver')),
+                Command.link(ref('spp_hazard.group_hazard_viewer')),
+                Command.link(ref('spp_gis_report.group_gis_report_user')),
             ]"
         />
     </record>
diff --git a/spp_programs/readme/HISTORY.md b/spp_programs/readme/HISTORY.md
index bac79104..c281ad67 100644
--- a/spp_programs/readme/HISTORY.md
+++ b/spp_programs/readme/HISTORY.md
@@ -1,3 +1,8 @@
+### 19.0.2.1.2
+
+- fix(security): align Program Viewer / Validator / Cycle Approver roles with the OP#951 menu audit — Program Viewer additionally gets `group_registry_viewer` + `group_approval_viewer` (read-only Registry + Approvals access); all three program roles get `group_hazard_viewer` + `group_gis_report_user` so they retain Hazard / GIS Reports visibility once those menu roots are gated. Adds `spp_hazard` and `spp_gis_report` to module dependencies.
+- fix(security): hide the Registry top-level menu for Global Program Cycle Approver per the OP#951 audit. Swap Tier-2 `spp_registry.group_registry_viewer` (which gates the Registry menu) for Tier-3 `spp_registry.group_registry_write` (ACL-only, no menu). `group_registry_write` transitively implies `group_registry_read`, so the role keeps read+write access to registrant data via Programs cross-references — only the dedicated top-level menu disappears.
+
 ### 19.0.2.1.1
 
 - fix(views): apply `spp_registry.x2many_no_padding` widget to the Programs and Entitlements lists on registrant forms and to Program Membership inline lines — removes the four empty placeholder rows Odoo 19 inserts on inline list-in-form views (#943).
diff --git a/spp_programs/security/ir.model.access.csv b/spp_programs/security/ir.model.access.csv
index c4f38ed0..a1c5cb16 100644
--- a/spp_programs/security/ir.model.access.csv
+++ b/spp_programs/security/ir.model.access.csv
@@ -107,6 +107,8 @@ access_spp_program_membership_registry_read,Program Membership Registry Read Acc
 access_spp_program_membership_registry_write,Program Membership Registry Write Access,spp_programs.model_spp_program_membership,spp_registry.group_registry_write,1,1,1,0
 access_spp_program_membership_registrar,Program Membership Registrar Access,spp_programs.model_spp_program_membership,spp_registry.group_registry_officer,1,1,1,0
 access_spp_cycle_membership_registrar,Cycle Membership Registrar Access,spp_programs.model_spp_cycle_membership,spp_registry.group_registry_officer,1,1,1,0
+access_spp_cycle_registry_viewer,Cycle Registry Viewer Read,spp_programs.model_spp_cycle,spp_registry.group_registry_viewer,1,0,0,0
+access_spp_cycle_membership_registry_viewer,Cycle Membership Registry Viewer Read,spp_programs.model_spp_cycle_membership,spp_registry.group_registry_viewer,1,0,0,0
 access_spp_entitlement_registry_read,Entitlement Registry Read Access,spp_programs.model_spp_entitlement,spp_registry.group_registry_read,1,0,0,0
 access_spp_entitlement_registry_write,Entitlement Registry Write Access,spp_programs.model_spp_entitlement,spp_registry.group_registry_write,1,1,1,0
 access_spp_entitlement_registrar,Entitlement Registrar Access,spp_programs.model_spp_entitlement,spp_registry.group_registry_officer,1,0,0,0
diff --git a/spp_programs/static/description/index.html b/spp_programs/static/description/index.html
index a2c4be96..72bbe5e8 100644
--- a/spp_programs/static/description/index.html
+++ b/spp_programs/static/description/index.html
@@ -658,6 +658,25 @@ <h2><a class="toc-backref" href="#toc-entry-1">Changelog</a></h2>
 </div>
 </div>
 <div class="section" id="section-1">
+<h1>19.0.2.1.2</h1>
+<ul class="simple">
+<li>fix(security): align Program Viewer / Validator / Cycle Approver roles
+with the OP#951 menu audit — Program Viewer additionally gets
+<tt class="docutils literal">group_registry_viewer</tt> + <tt class="docutils literal">group_approval_viewer</tt> (read-only
+Registry + Approvals access); all three program roles get
+<tt class="docutils literal">group_hazard_viewer</tt> + <tt class="docutils literal">group_gis_report_user</tt> so they retain
+Hazard / GIS Reports visibility once those menu roots are gated. Adds
+<tt class="docutils literal">spp_hazard</tt> and <tt class="docutils literal">spp_gis_report</tt> to module dependencies.</li>
+<li>fix(security): hide the Registry top-level menu for Global Program
+Cycle Approver per the OP#951 audit. Swap Tier-2
+<tt class="docutils literal">spp_registry.group_registry_viewer</tt> (which gates the Registry menu)
+for Tier-3 <tt class="docutils literal">spp_registry.group_registry_write</tt> (ACL-only, no menu).
+<tt class="docutils literal">group_registry_write</tt> transitively implies <tt class="docutils literal">group_registry_read</tt>,
+so the role keeps read+write access to registrant data via Programs
+cross-references — only the dedicated top-level menu disappears.</li>
+</ul>
+</div>
+<div class="section" id="section-2">
 <h1>19.0.2.1.1</h1>
 <ul class="simple">
 <li>fix(views): apply <tt class="docutils literal">spp_registry.x2many_no_padding</tt> widget to the
@@ -666,7 +685,7 @@ <h1>19.0.2.1.1</h1>
 19 inserts on inline list-in-form views (#943).</li>
 </ul>
 </div>
-<div class="section" id="section-2">
+<div class="section" id="section-3">
 <h1>19.0.2.0.11</h1>
 <ul class="simple">
 <li>Fix <tt class="docutils literal">TypeError: 'NoneType' object is not iterable</tt> when clicking
@@ -677,7 +696,7 @@ <h1>19.0.2.0.11</h1>
 omit the state filter instead of crashing on <tt class="docutils literal">tuple(None)</tt></li>
 </ul>
 </div>
-<div class="section" id="section-3">
+<div class="section" id="section-4">
 <h1>19.0.2.0.10</h1>
 <ul class="simple">
 <li>Increase parallel-safe channel limits (cycle, eligibility_manager,
@@ -690,7 +709,7 @@ <h1>19.0.2.0.10</h1>
 submission on double-click</li>
 </ul>
 </div>
-<div class="section" id="section-4">
+<div class="section" id="section-5">
 <h1>19.0.2.0.9</h1>
 <ul class="simple">
 <li>Add context flags (<tt class="docutils literal">skip_registrant_statistics</tt>,
@@ -703,7 +722,7 @@ <h1>19.0.2.0.9</h1>
 <tt class="docutils literal">_compute_has_members</tt></li>
 </ul>
 </div>
-<div class="section" id="section-5">
+<div class="section" id="section-6">
 <h1>19.0.2.0.8</h1>
 <ul class="simple">
 <li>Replace OFFSET pagination with NTILE-based ID-range batching in all
@@ -714,7 +733,7 @@ <h1>19.0.2.0.8</h1>
 program and cycle</li>
 </ul>
 </div>
-<div class="section" id="section-6">
+<div class="section" id="section-7">
 <h1>19.0.2.0.7</h1>
 <ul class="simple">
 <li>Bulk membership creation using raw SQL INSERT ON CONFLICT DO NOTHING
@@ -723,7 +742,7 @@ <h1>19.0.2.0.7</h1>
 <tt class="docutils literal">_add_beneficiaries</tt> with bulk SQL path</li>
 </ul>
 </div>
-<div class="section" id="section-7">
+<div class="section" id="section-8">
 <h1>19.0.2.0.6</h1>
 <ul class="simple">
 <li>Remove unused entitlement_base_model.py (dead code, never imported)</li>
@@ -732,34 +751,34 @@ <h1>19.0.2.0.6</h1>
 payment, and fund tests (172 → 492 tests)</li>
 </ul>
 </div>
-<div class="section" id="section-8">
+<div class="section" id="section-9">
 <h1>19.0.2.0.5</h1>
 <ul class="simple">
 <li>Batch create entitlements and payments instead of one-by-one ORM
 creates</li>
 </ul>
 </div>
-<div class="section" id="section-9">
+<div class="section" id="section-10">
 <h1>19.0.2.0.4</h1>
 <ul class="simple">
 <li>Fetch fund balance once per approval batch instead of per entitlement</li>
 </ul>
 </div>
-<div class="section" id="section-10">
+<div class="section" id="section-11">
 <h1>19.0.2.0.3</h1>
 <ul class="simple">
 <li>Replace cycle computed fields (total_amount, entitlements_count,
 approval flags) with SQL aggregation queries</li>
 </ul>
 </div>
-<div class="section" id="section-11">
+<div class="section" id="section-12">
 <h1>19.0.2.0.2</h1>
 <ul class="simple">
 <li>Add composite indexes for frequent query patterns on entitlements and
 program memberships</li>
 </ul>
 </div>
-<div class="section" id="section-12">
+<div class="section" id="section-13">
 <h1>19.0.2.0.1</h1>
 <ul class="simple">
 <li>Replace Python-level uniqueness checks with SQL UNIQUE constraints for
@@ -768,7 +787,7 @@ <h1>19.0.2.0.1</h1>
 constraint creation</li>
 </ul>
 </div>
-<div class="section" id="section-13">
+<div class="section" id="section-14">
 <h1>19.0.2.0.0</h1>
 <ul class="simple">
 <li>Initial migration to OpenSPP2</li>
diff --git a/spp_programs/static/src/js/form_controller_create.js b/spp_programs/static/src/js/form_controller_create.js
index f0bc222c..2ebb31eb 100644
--- a/spp_programs/static/src/js/form_controller_create.js
+++ b/spp_programs/static/src/js/form_controller_create.js
@@ -5,19 +5,24 @@ import {patch} from "@web/core/utils/patch";
 import {onMounted, onPatched, onWillUnmount} from "@odoo/owl";
 
 /**
- * Patch FormController to respect context.create = false and disable create
- * for specific models (entitlements).
+ * Patch FormController to hide the form "New" button when the user lacks
+ * create permission, or for models where create is contextually forbidden.
  *
- * In Odoo 19, the "New" button may still appear in various scenarios:
- * - When navigating from list to form view with context.create = false
- * - When expanding a dialog (creates a new action without preserving context)
+ * In Odoo 19, `t-if="canCreate"` on the form template does not always prevent
+ * the "New" button from rendering — notably the breadcrumb-area button can
+ * leak through when the form arch was first loaded as a privileged user and
+ * cached, or in some action navigation flows. This patch enforces hiding via
+ * DOM manipulation for:
  *
- * This patch hides the New button via DOM manipulation for:
- * 1. Any view with context.create === false
- * 2. Entitlement models (should only be created from cycles)
+ * 1. Any view with `context.create === false`.
+ * 2. Models in MODELS_WITHOUT_CREATE (always-hide; never should be created
+ *    directly from the form, e.g. entitlements).
+ * 3. `this.canCreate === false` — i.e. the ACL-derived archInfo.activeActions
+ *    .create is false. This is the ACL-aware path that preserves the button
+ *    for users who DO have create permission.
  */
 
-// Models that should never show the create button
+// Models that should never show the create button regardless of ACL
 const MODELS_WITHOUT_CREATE = [
     "spp.entitlement",
     "spp.entitlement.inkind",
@@ -33,7 +38,8 @@ patch(FormController.prototype, {
         const modelName = this.props.resModel;
         const shouldHideCreate =
             this.props.context?.create === false ||
-            MODELS_WITHOUT_CREATE.includes(modelName);
+            MODELS_WITHOUT_CREATE.includes(modelName) ||
+            this.canCreate === false;
 
         if (shouldHideCreate) {
             this._hideCreateObserver = null;
diff --git a/spp_programs/views/cycle_compliance_view.xml b/spp_programs/views/cycle_compliance_view.xml
index 847fd2d2..cfd55912 100644
--- a/spp_programs/views/cycle_compliance_view.xml
+++ b/spp_programs/views/cycle_compliance_view.xml
@@ -18,6 +18,7 @@
                     class="btn-warning"
                     confirm="Filtering is a one-way action. Are you sure you want to apply compliance criteria?"
                     invisible="not allow_filter_compliance_criteria or compliance_criteria_applied"
+                    groups="spp_programs.group_programs_manager"
                 />
                 <field name="allow_filter_compliance_criteria" invisible="1" />
                 <field name="compliance_criteria_applied" invisible="1" />
diff --git a/spp_programs/views/cycle_view.xml b/spp_programs/views/cycle_view.xml
index c4a7cae4..f21d98cb 100644
--- a/spp_programs/views/cycle_view.xml
+++ b/spp_programs/views/cycle_view.xml
@@ -134,7 +134,7 @@ Part of OpenSPP. See LICENSE file for full copyright and licensing details.
                         string="Copy Beneficiaries"
                         icon="fa-copy"
                         invisible="state != 'draft'"
-                        groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer,spp_programs.group_programs_validator"
+                        groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer"
                     />
                     <button
                         name="action_prepare_entitlement"
@@ -142,7 +142,7 @@ Part of OpenSPP. See LICENSE file for full copyright and licensing details.
                         string="Prepare Entitlements"
                         icon="fa-list"
                         invisible="state not in ('draft', 'to_approve') or total_entitlements_count > 0"
-                        groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer,spp_programs.group_programs_validator"
+                        groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer"
                     />
                     <button
                         name="action_submit_for_approval"
@@ -218,7 +218,7 @@ Part of OpenSPP. See LICENSE file for full copyright and licensing details.
                         string="End Cycle"
                         icon="fa-stop"
                         invisible="state not in ('approved', 'distributed')"
-                        groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_validator"
+                        groups="spp_security.group_spp_admin,spp_programs.group_programs_manager"
                     />
                     <button
                         name="mark_cancelled"
@@ -226,7 +226,7 @@ Part of OpenSPP. See LICENSE file for full copyright and licensing details.
                         string="Cancel"
                         icon="fa-times"
                         invisible="state in ('ended', 'cancelled')"
-                        groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_validator"
+                        groups="spp_security.group_spp_admin,spp_programs.group_programs_manager"
                     />
                     <field
                         name="state"
diff --git a/spp_programs/views/programs_view.xml b/spp_programs/views/programs_view.xml
index b3c05f3b..de729847 100644
--- a/spp_programs/views/programs_view.xml
+++ b/spp_programs/views/programs_view.xml
@@ -99,7 +99,7 @@ Part of OpenSPP. See LICENSE file for full copyright and licensing details.
                         icon="fa-download"
                         class="btn-secondary"
                         invisible="state != 'active'"
-                        groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer,spp_programs.group_programs_validator"
+                        groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer"
                     />
                     <button
                         name="enroll_eligible_registrants"
@@ -108,7 +108,7 @@ Part of OpenSPP. See LICENSE file for full copyright and licensing details.
                         icon="fa-user-plus"
                         class="btn-primary"
                         invisible="state != 'active'"
-                        groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer,spp_programs.group_programs_validator"
+                        groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer"
                     />
                     <button
                         name="verify_eligibility"
@@ -116,7 +116,7 @@ Part of OpenSPP. See LICENSE file for full copyright and licensing details.
                         string="Verify Eligibility"
                         icon="fa-check-circle"
                         invisible="state != 'active'"
-                        groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer,spp_programs.group_programs_validator"
+                        groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer"
                     />
                     <button
                         name="create_new_cycle"
@@ -124,7 +124,7 @@ Part of OpenSPP. See LICENSE file for full copyright and licensing details.
                         string="New Cycle"
                         icon="fa-plus-circle"
                         invisible="state != 'active' or is_one_time_distribution"
-                        groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer,spp_programs.group_programs_validator"
+                        groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer"
                     />
                     <button
                         name="deduplicate_beneficiaries"
diff --git a/spp_registry/views/individual_views.xml b/spp_registry/views/individual_views.xml
index 682d948f..1bcb85f0 100644
--- a/spp_registry/views/individual_views.xml
+++ b/spp_registry/views/individual_views.xml
@@ -136,28 +136,28 @@
             <xpath expr="//sheet" position="replace">
                 <sheet>
                     <div name="button_box">
-                        <!-- Disable button - restricted to officers/managers -->
+                        <!-- Disable button - restricted to registry managers only -->
                         <button
                             type="action"
                             class="oe_stat_button"
                             icon="fa-ban"
                             name="%(spp_registry.action_disable_registrant_wizard)d"
                             invisible="disabled"
-                            groups="spp_registry.group_registry_officer,spp_registry.group_registry_manager"
+                            groups="spp_registry.group_registry_manager"
                             title="Disable"
                         >
                             <div class="o_form_field o_stat_info">
                                 <span class="o_stat_text">Disable</span>
                             </div>
                         </button>
-                        <!-- Enable button - restricted to officers/managers -->
+                        <!-- Enable button - restricted to registry managers only -->
                         <button
                             type="object"
                             class="oe_stat_button"
                             icon="fa-check"
                             name="enable_registrant"
                             invisible="not disabled"
-                            groups="spp_registry.group_registry_officer,spp_registry.group_registry_manager"
+                            groups="spp_registry.group_registry_manager"
                             title="Enable"
                         >
                             <div class="o_form_field o_stat_info">
diff --git a/spp_service_points/README.rst b/spp_service_points/README.rst
index 5a5a5d16..18f99997 100644
--- a/spp_service_points/README.rst
+++ b/spp_service_points/README.rst
@@ -123,6 +123,13 @@ Dependencies
 Changelog
 =========
 
+19.0.2.0.2
+~~~~~~~~~~
+
+- fix(security): grant ``group_service_points_viewer`` to
+  spp_user_roles' Global Registrar and Local Registrar roles so they can
+  browse service points per the OP#951 menu audit.
+
 19.0.2.0.1
 ~~~~~~~~~~
 
diff --git a/spp_service_points/__manifest__.py b/spp_service_points/__manifest__.py
index b2eb9fbd..a86fd9cb 100644
--- a/spp_service_points/__manifest__.py
+++ b/spp_service_points/__manifest__.py
@@ -4,7 +4,7 @@
 {
     "name": "OpenSPP Service Points Management",
     "category": "OpenSPP",
-    "version": "19.0.2.0.1",
+    "version": "19.0.2.0.2",
     "sequence": "1",
     "author": "OpenSPP.org",
     "website": "https://github.com/OpenSPP/OpenSPP2",
@@ -27,6 +27,7 @@
         "security/security_group.xml",
         "security/ir.model.access.csv",
         "security/record_rules.xml",
+        "data/user_roles.xml",
         "views/main_view.xml",
         "views/group_views.xml",
         "views/service_points_view.xml",
diff --git a/spp_service_points/data/user_roles.xml b/spp_service_points/data/user_roles.xml
new file mode 100644
index 00000000..356d3fa5
--- /dev/null
+++ b/spp_service_points/data/user_roles.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+Part of OpenSPP. See LICENSE file for full copyright and licensing details.
+
+Role extensions: grant `group_service_points_viewer` to spp_user_roles registrar
+roles whose audited menu visibility should include "Service Point" (OP#951).
+
+System Admin sees the menu via `spp_security.group_spp_admin` → `group_service_points_manager`.
+-->
+<odoo noupdate="1">
+    <record id="spp_user_roles.global_role_registrar" model="res.users.role">
+        <field
+            name="implied_ids"
+            eval="[Command.link(ref('group_service_points_viewer'))]"
+        />
+    </record>
+    <record id="spp_user_roles.local_role_registrar" model="res.users.role">
+        <field
+            name="implied_ids"
+            eval="[Command.link(ref('group_service_points_viewer'))]"
+        />
+    </record>
+</odoo>
diff --git a/spp_service_points/readme/HISTORY.md b/spp_service_points/readme/HISTORY.md
index 337c0ef3..17efad01 100644
--- a/spp_service_points/readme/HISTORY.md
+++ b/spp_service_points/readme/HISTORY.md
@@ -1,3 +1,7 @@
+### 19.0.2.0.2
+
+- fix(security): grant `group_service_points_viewer` to spp_user_roles' Global Registrar and Local Registrar roles so they can browse service points per the OP#951 menu audit.
+
 ### 19.0.2.0.1
 
 - fix(views): apply `spp_registry.x2many_no_padding` widget to the service points list on group forms — removes the four empty placeholder rows Odoo 19 inserts on inline list-in-form views (#943).
diff --git a/spp_service_points/security/ir.model.access.csv b/spp_service_points/security/ir.model.access.csv
index b7bc8ad4..7e4bd4e6 100644
--- a/spp_service_points/security/ir.model.access.csv
+++ b/spp_service_points/security/ir.model.access.csv
@@ -10,4 +10,4 @@ access_spp_service_point_manager,spp.service.point manager,spp_service_points.mo
 access_spp_service_point_user,Service Point User Access (Deprecated),spp_service_points.model_spp_service_point,spp_service_points.group_service_points_user,1,1,1,0
 
 access_spp_service_point_registry_read,Service Point Registry Read Access,spp_service_points.model_spp_service_point,spp_registry.group_registry_read,1,0,0,0
-access_spp_service_point_registry_write,Service Point Registry Write Access,spp_service_points.model_spp_service_point,spp_registry.group_registry_write,1,1,1,0
+access_spp_service_point_registry_write,Service Point Registry Write Access,spp_service_points.model_spp_service_point,spp_registry.group_registry_write,1,0,0,0
diff --git a/spp_service_points/static/description/index.html b/spp_service_points/static/description/index.html
index d2f725ab..0509270e 100644
--- a/spp_service_points/static/description/index.html
+++ b/spp_service_points/static/description/index.html
@@ -517,6 +517,14 @@ <h2><a class="toc-backref" href="#toc-entry-1">Changelog</a></h2>
 </div>
 </div>
 <div class="section" id="section-1">
+<h1>19.0.2.0.2</h1>
+<ul class="simple">
+<li>fix(security): grant <tt class="docutils literal">group_service_points_viewer</tt> to
+spp_user_roles’ Global Registrar and Local Registrar roles so they can
+browse service points per the OP#951 menu audit.</li>
+</ul>
+</div>
+<div class="section" id="section-2">
 <h1>19.0.2.0.1</h1>
 <ul class="simple">
 <li>fix(views): apply <tt class="docutils literal">spp_registry.x2many_no_padding</tt> widget to the
@@ -524,7 +532,7 @@ <h1>19.0.2.0.1</h1>
 placeholder rows Odoo 19 inserts on inline list-in-form views (#943).</li>
 </ul>
 </div>
-<div class="section" id="section-2">
+<div class="section" id="section-3">
 <h1>19.0.2.0.0</h1>
 <ul class="simple">
 <li>Initial migration to OpenSPP2</li>
diff --git a/spp_service_points/views/service_points_view.xml b/spp_service_points/views/service_points_view.xml
index ca574200..a9399f30 100644
--- a/spp_service_points/views/service_points_view.xml
+++ b/spp_service_points/views/service_points_view.xml
@@ -51,6 +51,7 @@
                         string="Enable Service Point"
                         class="btn-success"
                         invisible="not is_disabled or not id"
+                        groups="spp_service_points.group_service_points_officer,spp_service_points.group_service_points_manager"
                         confirm="Enable this service point? It will become active again."
                     />
                     <button
@@ -59,6 +60,7 @@
                         string="Disable Service Point"
                         class="btn-warning"
                         invisible="is_disabled or not id"
+                        groups="spp_service_points.group_service_points_officer,spp_service_points.group_service_points_manager"
                         confirm="Disable this service point? You will need to provide a reason."
                     />
                 </header>
diff --git a/spp_studio/README.rst b/spp_studio/README.rst
index 9ef3fa7e..0fe4bef8 100644
--- a/spp_studio/README.rst
+++ b/spp_studio/README.rst
@@ -149,6 +149,16 @@ Dependencies
 Changelog
 =========
 
+19.0.2.0.1
+~~~~~~~~~~
+
+- fix(security): drop the Program Manager → ``group_studio_viewer``
+  extension per the OP#951 menu audit (Program Manager should NOT see
+  the Studio top-level menu). Removes ``data/user_roles.xml`` from the
+  module entirely; System Admin retains Studio visibility via
+  ``spp_security.group_spp_admin`` → ``group_studio_manager`` (wired in
+  ``spp_studio/security/groups.xml``).
+
 19.0.2.0.0
 ~~~~~~~~~~
 
diff --git a/spp_studio/__manifest__.py b/spp_studio/__manifest__.py
index 1fa3921b..ea14eb2c 100644
--- a/spp_studio/__manifest__.py
+++ b/spp_studio/__manifest__.py
@@ -1,6 +1,6 @@
 {
     "name": "OpenSPP Studio",
-    "version": "19.0.2.0.0",
+    "version": "19.0.2.0.1",
     "category": "OpenSPP/Configuration",
     "summary": "No-code customization interface for OpenSPP",
     "author": "OpenSPP.org",
@@ -33,7 +33,6 @@
         "data/placement_zones.xml",
         "data/server_actions.xml",
         "data/audit_rules.xml",
-        "data/user_roles.xml",
         "data/variable_categories.xml",
         "data/standard_variables.xml",
         "data/default_personas.xml",
diff --git a/spp_studio/data/user_roles.xml b/spp_studio/data/user_roles.xml
deleted file mode 100644
index 59b58d6c..00000000
--- a/spp_studio/data/user_roles.xml
+++ /dev/null
@@ -1,13 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<odoo noupdate="1">
-    <!-- Extend Program Manager role to include Studio Viewer -->
-    <record id="spp_user_roles.global_role_program_manager" model="res.users.role">
-        <field
-            name="implied_ids"
-            eval="
-            [
-                Command.link(ref('spp_studio.group_studio_viewer')),
-            ]"
-        />
-    </record>
-</odoo>
diff --git a/spp_studio/readme/HISTORY.md b/spp_studio/readme/HISTORY.md
index 4aaf9afe..1354baa3 100644
--- a/spp_studio/readme/HISTORY.md
+++ b/spp_studio/readme/HISTORY.md
@@ -1,3 +1,7 @@
+### 19.0.2.0.1
+
+- fix(security): drop the Program Manager → `group_studio_viewer` extension per the OP#951 menu audit (Program Manager should NOT see the Studio top-level menu). Removes `data/user_roles.xml` from the module entirely; System Admin retains Studio visibility via `spp_security.group_spp_admin` → `group_studio_manager` (wired in `spp_studio/security/groups.xml`).
+
 ### 19.0.2.0.0
 
 - Initial migration to OpenSPP2
diff --git a/spp_studio/static/description/index.html b/spp_studio/static/description/index.html
index 2ec2563a..52b9095a 100644
--- a/spp_studio/static/description/index.html
+++ b/spp_studio/static/description/index.html
@@ -532,6 +532,17 @@ <h2><a class="toc-backref" href="#toc-entry-1">Changelog</a></h2>
 </div>
 </div>
 <div class="section" id="section-1">
+<h1>19.0.2.0.1</h1>
+<ul class="simple">
+<li>fix(security): drop the Program Manager → <tt class="docutils literal">group_studio_viewer</tt>
+extension per the OP#951 menu audit (Program Manager should NOT see
+the Studio top-level menu). Removes <tt class="docutils literal">data/user_roles.xml</tt> from the
+module entirely; System Admin retains Studio visibility via
+<tt class="docutils literal">spp_security.group_spp_admin</tt> → <tt class="docutils literal">group_studio_manager</tt> (wired in
+<tt class="docutils literal">spp_studio/security/groups.xml</tt>).</li>
+</ul>
+</div>
+<div class="section" id="section-2">
 <h1>19.0.2.0.0</h1>
 <ul class="simple">
 <li>Initial migration to OpenSPP2</li>
