diff --git a/app/assets/stylesheets/application.bootstrap.scss b/app/assets/stylesheets/application.bootstrap.scss
index 9254303d881..57e48faba32 100644
--- a/app/assets/stylesheets/application.bootstrap.scss
+++ b/app/assets/stylesheets/application.bootstrap.scss
@@ -284,6 +284,21 @@ input.search-bar {
   }
 }
 
+.custom-select {
+  .select-brand-control {
+    border-color: var(--brand-color) !important;
+    box-shadow: 0 0 0 1px var(--brand-color) !important;
+  }
+
+  .select-brand-option {
+    background-color: whitesmoke;
+    color: var(--brand-color) !important;
+    &:active {
+      background-color: var(--brand-color-light) !important;
+    }
+  }
+}
+
 //Brand
 :root {
   --brand-color: '';
diff --git a/app/controllers/api/v1/admin/role_permissions_controller.rb b/app/controllers/api/v1/admin/role_permissions_controller.rb
index b694807ca1e..f1cf0f30ca2 100644
--- a/app/controllers/api/v1/admin/role_permissions_controller.rb
+++ b/app/controllers/api/v1/admin/role_permissions_controller.rb
@@ -50,7 +50,7 @@ def update
         private
 
         def role_params
-          params.require(:role).permit(:role_id, :name, :value)
+          params.require(:role).permit(:role_id, :name, :value, value: [])
         end
 
         def create_default_room
diff --git a/app/controllers/api/v1/recordings_controller.rb b/app/controllers/api/v1/recordings_controller.rb
index 09262909c0b..f241f552338 100644
--- a/app/controllers/api/v1/recordings_controller.rb
+++ b/app/controllers/api/v1/recordings_controller.rb
@@ -66,9 +66,13 @@ def destroy
       def update_visibility
         new_visibility = params[:visibility].to_s
 
-        new_visibility_params = visibility_params_of(new_visibility)
+        allowed_visibilities = JSON.parse(RolePermission.joins(:permission)
+                                            .find_by(role_id: current_user.role_id, permission: { name: 'AccessToVisibilities' })
+                                                        .value)
+
+        return render_error status: :forbidden unless allowed_visibilities.include?(new_visibility)
 
-        return render_error status: :bad_request if new_visibility_params.nil?
+        new_visibility_params = visibility_params_of(new_visibility)
 
         bbb_api = BigBlueButtonApi.new(provider: current_provider)
 
diff --git a/app/javascript/components/admin/roles/forms/EditRoleForm.jsx b/app/javascript/components/admin/roles/forms/EditRoleForm.jsx
index f2ee3793d50..b80e15dcdbf 100644
--- a/app/javascript/components/admin/roles/forms/EditRoleForm.jsx
+++ b/app/javascript/components/admin/roles/forms/EditRoleForm.jsx
@@ -18,6 +18,7 @@ import React from 'react';
 import PropTypes from 'prop-types';
 import { Button, Stack } from 'react-bootstrap';
 import { useTranslation } from 'react-i18next';
+import Select from 'react-select';
 import Form from '../../../shared_components/forms/Form';
 import FormControl from '../../../shared_components/forms/FormControl';
 import useUpdateRole from '../../../../hooks/mutations/admin/roles/useUpdateRole';
@@ -31,7 +32,6 @@ import { useAuth } from '../../../../contexts/auth/AuthProvider';
 import RolePermissionRowPlaceHolder from '../RolePermissionRowPlaceHolder';
 import useEditRoleNameForm from '../../../../hooks/forms/admin/roles/useEditRoleNameForm';
 import useEditRoleLimitForm from '../../../../hooks/forms/admin/roles/useEditRoleLimitForm';
-import Select from "react-select";
 
 export default function EditRoleForm({ role }) {
   const { t } = useTranslation();
@@ -45,6 +45,14 @@ export default function EditRoleForm({ role }) {
 
   const { methods: methodsName, fields: fieldsName } = useEditRoleNameForm({ defaultValues: { name: role?.name } });
 
+  const visibilityOptions = [
+    { value: 'Published', label: 'Published' },
+    { value: 'Unpublished', label: 'Unpublished' },
+    { value: 'Protected', label: 'Protected' },
+    { value: 'Public', label: 'Public' },
+    { value: 'Public/Protected', label: 'Public/Protected' },
+  ];
+
   const {
     methods: methodsLimit,
     fields: fieldsLimit,
@@ -145,16 +153,19 @@ export default function EditRoleForm({ role }) {
                   </div>
                   <div>
                     <Select
-                      className="float-end"
+                      className="custom-select float-end"
                       isMulti
-                      filterOption={false}
-                      options={[
-                        { value: 'Published', label: 'Published' },
-                        { value: 'Unpublished', label: 'Unpublished' },
-                        { value: 'Protected', label: 'Protected' },
-                        { value: 'Public', label: 'Public' },
-                        { value: 'Public/Protected', label: 'Public/Protected' }
-                      ]}
+                      isClearable={false}
+                      isSearchable={false}
+                      defaultValue={visibilityOptions?.filter((vis) => JSON.parse(rolePermissions?.AccessToVisibilities)?.includes(vis.value))}
+                      options={visibilityOptions}
+                      onChange={(value) => {
+                        updatePermissionAPI.mutate({ role_id: role?.id, name: 'AccessToVisibilities', value: value.map((v) => v.value) });
+                      }}
+                      classNames={{
+                        control: (state) => (state.isFocused ? 'select-brand-control' : ''),
+                        option: (state) => (state.isFocused ? 'select-brand-option' : ''),
+                      }}
                     />
                   </div>
                 </Stack>
diff --git a/app/javascript/components/recordings/RecordingRow.jsx b/app/javascript/components/recordings/RecordingRow.jsx
index 82df5e7e563..b90ec40e0e5 100644
--- a/app/javascript/components/recordings/RecordingRow.jsx
+++ b/app/javascript/components/recordings/RecordingRow.jsx
@@ -47,7 +47,7 @@ export default function RecordingRow({
   const currentUser = useAuth();
   const redirectRecordingUrl = useRedirectRecordingUrl();
   const copyRecordingUrl = useCopyRecordingUrl();
-  const allowedVisibilities = JSON.parse(currentUser.permissions?.AccessToVisibilities)
+  const allowedVisibilities = JSON.parse(currentUser.permissions?.AccessToVisibilities);
 
   const localizedTime = localizeDateTimeString(recording?.recorded_at, currentUser?.language);
   const formats = recording.formats.sort(
@@ -107,7 +107,7 @@ export default function RecordingRow({
           defaultValue={recording.visibility}
           dropUp={dropUp}
         >
-          { (allowedVisibilities.includes('Public/Protected') || recording.visibility == 'Public/Protected') && (
+          { (allowedVisibilities.includes('Public/Protected') || recording.visibility === 'Public/Protected') && (
             <Dropdown.Item
               key="Public/Protected"
               value="Public/Protected"
@@ -117,7 +117,7 @@ export default function RecordingRow({
             </Dropdown.Item>
           )}
 
-          { (allowedVisibilities.includes('Public') || recording.visibility == 'Public') && (
+          { (allowedVisibilities.includes('Public') || recording.visibility === 'Public') && (
             <Dropdown.Item
               key="Public"
               value="Public"
@@ -127,7 +127,7 @@ export default function RecordingRow({
             </Dropdown.Item>
           )}
 
-          { (allowedVisibilities.includes('Protected') || recording.visibility == 'Protected') && (
+          { (allowedVisibilities.includes('Protected') || recording.visibility === 'Protected') && (
             <Dropdown.Item
               key="Protected"
               value="Protected"
@@ -137,7 +137,7 @@ export default function RecordingRow({
             </Dropdown.Item>
           )}
 
-          { (allowedVisibilities.includes('Published') || recording.visibility == 'Published') && (
+          { (allowedVisibilities.includes('Published') || recording.visibility === 'Published') && (
             <Dropdown.Item
               key="Published"
               value="Published"
@@ -147,7 +147,7 @@ export default function RecordingRow({
             </Dropdown.Item>
           )}
 
-          { (allowedVisibilities.includes('Unpublished') || recording.visibility == 'Unpublished') && (
+          { (allowedVisibilities.includes('Unpublished') || recording.visibility === 'Unpublished') && (
             <Dropdown.Item
               key="Unpublished"
               value="Unpublished"
diff --git a/app/services/tenant_setup.rb b/app/services/tenant_setup.rb
index d1754bae91e..e0d5dfab2dd 100644
--- a/app/services/tenant_setup.rb
+++ b/app/services/tenant_setup.rb
@@ -83,6 +83,7 @@ def create_role_permissions
     shared_list = Permission.find_by(name: 'SharedList')
     can_record = Permission.find_by(name: 'CanRecord')
     room_limit = Permission.find_by(name: 'RoomLimit')
+    access_to_visbilities = Permission.find_by(name: 'AccessToVisibilities')
 
     RolePermission.create! [
       { role: admin, permission: create_room, value: 'true' },
@@ -94,6 +95,7 @@ def create_role_permissions
       { role: admin, permission: shared_list, value: 'true' },
       { role: admin, permission: can_record, value: 'true' },
       { role: admin, permission: room_limit, value: '100' },
+      { role: admin, permission: access_to_visbilities, value: Recording::VISIBILITIES.values },
 
       { role: user, permission: create_room, value: 'true' },
       { role: user, permission: manage_users, value: 'false' },
@@ -104,6 +106,7 @@ def create_role_permissions
       { role: user, permission: shared_list, value: 'true' },
       { role: user, permission: can_record, value: 'true' },
       { role: user, permission: room_limit, value: '100' },
+      { role: user, permission: access_to_visbilities, value: Recording::VISIBILITIES.values },
 
       { role: guest, permission: create_room, value: 'false' },
       { role: guest, permission: manage_users, value: 'false' },
@@ -113,7 +116,8 @@ def create_role_permissions
       { role: guest, permission: manage_roles, value: 'false' },
       { role: guest, permission: shared_list, value: 'true' },
       { role: guest, permission: can_record, value: 'true' },
-      { role: guest, permission: room_limit, value: '100' }
+      { role: guest, permission: room_limit, value: '100' },
+      { role: guest, permission: access_to_visbilities, value: Recording::VISIBILITIES.values }
     ]
   end
 end
diff --git a/spec/controllers/recordings_controller_spec.rb b/spec/controllers/recordings_controller_spec.rb
index 8814adedee9..a2d5edbfe5a 100644
--- a/spec/controllers/recordings_controller_spec.rb
+++ b/spec/controllers/recordings_controller_spec.rb
@@ -229,8 +229,25 @@ def expect_to_update_recording_props_to(publish:, protect:, list:, visibility:)
       expect_to_update_recording_props_to(publish: true, protect: true, list: true, visibility: Recording::VISIBILITIES[:public_protected])
     end
 
-    context 'Unkown visibility' do
-      it 'returns :bad_request and does not update the recording' do
+    context 'AccessToVisibilities permission' do
+      before do
+        RolePermission.find_by(role: user.role, permission: Permission.find_by(name: 'AccessToVisibilities')).update(value: ['Published'])
+      end
+
+      it 'returns forbidden if the user is not permitted to use that format' do
+        expect_any_instance_of(BigBlueButtonApi).not_to receive(:publish_recordings)
+        expect_any_instance_of(BigBlueButtonApi).not_to receive(:update_recordings)
+
+        expect do
+          post :update_visibility, params: { visibility: 'Unpublished', id: recording.record_id }
+        end.not_to(change { recording.reload.visibility })
+
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
+
+    context 'Unknown visibility' do
+      it 'returns :forbidden and does not update the recording' do
         expect_any_instance_of(BigBlueButtonApi).not_to receive(:publish_recordings)
         expect_any_instance_of(BigBlueButtonApi).not_to receive(:update_recordings)
 
@@ -238,7 +255,7 @@ def expect_to_update_recording_props_to(publish:, protect:, list:, visibility:)
           post :update_visibility, params: { visibility: '404', id: recording.record_id }
         end.not_to(change { recording.reload.visibility })
 
-        expect(response).to have_http_status(:bad_request)
+        expect(response).to have_http_status(:forbidden)
       end
     end
 
@@ -248,6 +265,9 @@ def expect_to_update_recording_props_to(publish:, protect:, list:, visibility:)
 
       before do
         sign_in_user(signed_in_user)
+
+        # IDK where this is created so, small hack to remove it
+        RolePermission.find_by(permission: Permission.find_by(name: 'AccessToVisibilities'), value: 'false').destroy
       end
 
       it 'allows a shared user to update a recording visibility' do
diff --git a/spec/factories/role_factory.rb b/spec/factories/role_factory.rb
index 4003ddc2ba3..9b52b469979 100644
--- a/spec/factories/role_factory.rb
+++ b/spec/factories/role_factory.rb
@@ -25,9 +25,11 @@
       perm = Permission.find_or_create_by(name: 'CreateRoom')
       perm2 = Permission.find_or_create_by(name: 'RoomLimit')
       perm3 = Permission.find_or_create_by(name: 'SharedList')
+      perm4 = Permission.find_or_create_by(name: 'AccessToVisibilities')
       RolePermission.find_or_create_by(permission: perm, role:, value: 'true')
       RolePermission.find_or_create_by(permission: perm2, role:, value: '100')
       RolePermission.find_or_create_by(permission: perm3, role:, value: 'true')
+      RolePermission.find_or_create_by(permission: perm4, role:, value: Recording::VISIBILITIES.values)
     end
 
     trait :with_super_admin do