diff --git a/hawkbit-ddi/hawkbit-ddi-resource/src/test/java/org/eclipse/hawkbit/ddi/rest/resource/DdiRootControllerTest.java b/hawkbit-ddi/hawkbit-ddi-resource/src/test/java/org/eclipse/hawkbit/ddi/rest/resource/DdiRootControllerTest.java index 6ad013c3d..014f4c1e0 100644 --- a/hawkbit-ddi/hawkbit-ddi-resource/src/test/java/org/eclipse/hawkbit/ddi/rest/resource/DdiRootControllerTest.java +++ b/hawkbit-ddi/hawkbit-ddi-resource/src/test/java/org/eclipse/hawkbit/ddi/rest/resource/DdiRootControllerTest.java @@ -10,7 +10,7 @@ package org.eclipse.hawkbit.ddi.rest.resource; import static org.assertj.core.api.Assertions.assertThat; -import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS; +import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS; import static org.eclipse.hawkbit.im.authentication.SpPermission.TENANT_CONFIGURATION; import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.callAs; import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.getAs; diff --git a/hawkbit-ddi/hawkbit-ddi-security/src/main/java/org/eclipse/hawkbit/security/controller/Authenticator.java b/hawkbit-ddi/hawkbit-ddi-security/src/main/java/org/eclipse/hawkbit/security/controller/Authenticator.java index 87665e7e0..45ab60434 100644 --- a/hawkbit-ddi/hawkbit-ddi-security/src/main/java/org/eclipse/hawkbit/security/controller/Authenticator.java +++ b/hawkbit-ddi/hawkbit-ddi-security/src/main/java/org/eclipse/hawkbit/security/controller/Authenticator.java @@ -14,7 +14,7 @@ import java.util.List; import java.util.Objects; import lombok.EqualsAndHashCode; -import org.eclipse.hawkbit.im.authentication.SpPermission; +import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions; import org.eclipse.hawkbit.repository.TenantConfigurationManagement; import org.eclipse.hawkbit.security.SystemSecurityContext; import org.eclipse.hawkbit.tenancy.TenantAware; 
@@ -77,7 +77,7 @@ public interface Authenticator { private static class AuthenticatedController extends AbstractAuthenticationToken { private static final Collection CONTROLLER_AUTHORITY = - List.of(new SimpleGrantedAuthority(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE)); + List.of(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_ROLE)); private final String controllerId; AuthenticatedController(final String tenant, final String controllerId) { diff --git a/hawkbit-ddi/hawkbit-ddi-server/src/test/java/org/eclipse/hawkbit/app/ddi/PreAuthorizeEnabledTest.java b/hawkbit-ddi/hawkbit-ddi-server/src/test/java/org/eclipse/hawkbit/app/ddi/PreAuthorizeEnabledTest.java index a7b2ccec5..71eb93926 100644 --- a/hawkbit-ddi/hawkbit-ddi-server/src/test/java/org/eclipse/hawkbit/app/ddi/PreAuthorizeEnabledTest.java +++ b/hawkbit-ddi/hawkbit-ddi-server/src/test/java/org/eclipse/hawkbit/app/ddi/PreAuthorizeEnabledTest.java @@ -13,6 +13,7 @@ import static org.assertj.core.api.Assertions.assertThat; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; import org.eclipse.hawkbit.im.authentication.SpPermission; +import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions; import org.eclipse.hawkbit.repository.test.util.WithUser; import org.junit.jupiter.api.Test; import org.springframework.http.HttpStatus; @@ -39,7 +40,7 @@ class PreAuthorizeEnabledTest extends AbstractSecurityTest { * Tests whether request succeed if a role is granted for the user */ @Test - @WithUser(authorities = { SpPermission.SpringEvalExpressions.CONTROLLER_ROLE }, autoCreateTenant = false) + @WithUser(authorities = { SpringEvalExpressions.CONTROLLER_ROLE }, autoCreateTenant = false) void successIfHasRole() throws Exception { mvc.perform(get("/DEFAULT/controller/v1/controllerId")) .andExpect(result -> assertThat(result.getResponse().getStatus()).isEqualTo(HttpStatus.OK.value())); 
diff --git a/hawkbit-dmf/hawkbit-dmf-amqp/src/main/java/org/eclipse/hawkbit/amqp/AmqpMessageHandlerService.java b/hawkbit-dmf/hawkbit-dmf-amqp/src/main/java/org/eclipse/hawkbit/amqp/AmqpMessageHandlerService.java index 75a1270a2..208523036 100644 --- a/hawkbit-dmf/hawkbit-dmf-amqp/src/main/java/org/eclipse/hawkbit/amqp/AmqpMessageHandlerService.java +++ b/hawkbit-dmf/hawkbit-dmf-amqp/src/main/java/org/eclipse/hawkbit/amqp/AmqpMessageHandlerService.java @@ -36,7 +36,7 @@ import org.eclipse.hawkbit.dmf.json.model.DmfAttributeUpdate; import org.eclipse.hawkbit.dmf.json.model.DmfAutoConfirmation; import org.eclipse.hawkbit.dmf.json.model.DmfCreateThing; import org.eclipse.hawkbit.dmf.json.model.DmfUpdateMode; -import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions; +import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions; import org.eclipse.hawkbit.repository.ConfirmationManagement; import org.eclipse.hawkbit.repository.ControllerManagement; import org.eclipse.hawkbit.repository.EntityFactory; diff --git a/hawkbit-mgmt/hawkbit-mgmt-resource/src/main/java/org/eclipse/hawkbit/mgmt/rest/resource/MgmtSystemManagementResource.java b/hawkbit-mgmt/hawkbit-mgmt-resource/src/main/java/org/eclipse/hawkbit/mgmt/rest/resource/MgmtSystemManagementResource.java index 9660a4c09..d5a32f6a4 100644 --- a/hawkbit-mgmt/hawkbit-mgmt-resource/src/main/java/org/eclipse/hawkbit/mgmt/rest/resource/MgmtSystemManagementResource.java +++ b/hawkbit-mgmt/hawkbit-mgmt-resource/src/main/java/org/eclipse/hawkbit/mgmt/rest/resource/MgmtSystemManagementResource.java 
@@ -14,7 +14,7 @@ import java.util.Collections; import java.util.Objects; import lombok.extern.slf4j.Slf4j; -import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions; +import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions; import org.eclipse.hawkbit.mgmt.json.model.systemmanagement.MgmtSystemCache; import org.eclipse.hawkbit.mgmt.json.model.systemmanagement.MgmtSystemStatisticsRest; import org.eclipse.hawkbit.mgmt.json.model.systemmanagement.MgmtSystemTenantServiceUsage; diff --git a/hawkbit-mgmt/hawkbit-mgmt-resource/src/test/java/org/eclipse/hawkbit/mgmt/rest/resource/MgmtTargetTypeResourceTest.java b/hawkbit-mgmt/hawkbit-mgmt-resource/src/test/java/org/eclipse/hawkbit/mgmt/rest/resource/MgmtTargetTypeResourceTest.java index 66021f050..b644e7f29 100644 --- a/hawkbit-mgmt/hawkbit-mgmt-resource/src/test/java/org/eclipse/hawkbit/mgmt/rest/resource/MgmtTargetTypeResourceTest.java +++ b/hawkbit-mgmt/hawkbit-mgmt-resource/src/test/java/org/eclipse/hawkbit/mgmt/rest/resource/MgmtTargetTypeResourceTest.java @@ -69,7 +69,9 @@ class MgmtTargetTypeResourceTest extends AbstractManagementApiIntegrationTest { * GET targettypes returns Forbidden when permission is missing */ @Test - @WithUser(principal = "targetTypeTester", allSpPermissions = true, removeFromAllPermission = { SpPermission.READ_TARGET }) + @WithUser( + principal = "targetTypeTester", allSpPermissions = true, + removeFromAllPermission = { SpPermission.READ_TARGET, SpPermission.READ_TARGET_TYPE }) void getTargetTypesWithoutPermission() throws Exception { mvc.perform(get(TARGETTYPES_ENDPOINT).accept(MediaType.APPLICATION_JSON)) .andDo(MockMvcResultPrinter.print()) diff --git a/hawkbit-mgmt/hawkbit-mgmt-server/src/test/java/org/eclipse/hawkbit/app/mgmt/PreAuthorizeEnabledTest.java b/hawkbit-mgmt/hawkbit-mgmt-server/src/test/java/org/eclipse/hawkbit/app/mgmt/PreAuthorizeEnabledTest.java index 1d1739302..38bc808f7 100644 
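Review bot: Removing both READ_TARGET and READ_TARGET_TYPE in the `@WithUser` of `getTargetTypesWithoutPermission` makes this negative test pass whichever of the two permissions the endpoint now checks, so it no longer pins down the new rule. A positive counterpart that removes only READ_TARGET and expects 200 would show that READ_TARGET_TYPE grants access on its own, and a case removing only READ_TARGET_TYPE would document whether the legacy READ_TARGET alone still does; the resource's own `@PreAuthorize` is not in this diff, so which of the two holds is an inference. At minimum the Javadoc above should name the accepted permissions, e.g. `* GET targettypes returns Forbidden when neither READ_TARGET nor READ_TARGET_TYPE is granted`.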
--- a/hawkbit-mgmt/hawkbit-mgmt-server/src/test/java/org/eclipse/hawkbit/app/mgmt/PreAuthorizeEnabledTest.java +++ b/hawkbit-mgmt/hawkbit-mgmt-server/src/test/java/org/eclipse/hawkbit/app/mgmt/PreAuthorizeEnabledTest.java @@ -52,7 +52,10 @@ class PreAuthorizeEnabledTest extends AbstractSecurityTest { * Tests whether request returns distribution set if a role with scope is granted for the user */ @Test - @WithUser(authorities = { SpPermission.CREATE_REPOSITORY, SpPermission.READ_REPOSITORY + "/name==DsOne" }, autoCreateTenant = false) + @WithUser(authorities = { + SpPermission.CREATE_REPOSITORY, + SpPermission.READ_REPOSITORY, + SpPermission.READ_DISTRIBUTION_SET + "/name==DsOne" }, autoCreateTenant = false) void successIfHasRoleWithScope() throws Exception { createDsOne("successIfHasRoleWithScope"); mvc.perform(get("/rest/v1/distributionsets")).andExpect(result -> { @@ -65,7 +68,10 @@ class PreAuthorizeEnabledTest extends AbstractSecurityTest { * Tests whether request doesn't return distribution set if a role with scope doesn't grant access */ @Test - @WithUser(authorities = { SpPermission.CREATE_REPOSITORY, SpPermission.READ_REPOSITORY + "/name==DsOne2" }, autoCreateTenant = false) + @WithUser(authorities = { + SpPermission.CREATE_REPOSITORY, + SpPermission.READ_REPOSITORY, + SpPermission.READ_DISTRIBUTION_SET + "/name==DsOne2" }, autoCreateTenant = false) void failIfHasNoForbiddingScope() throws Exception { createDsOne("failIfHasNoForbiddingScope"); mvc.perform(get("/rest/v1/distributionsets")).andExpect(result -> { diff --git a/hawkbit-monolith/hawkbit-update-server/src/test/java/org/eclipse/hawkbit/app/PreAuthorizeEnabledTest.java b/hawkbit-monolith/hawkbit-update-server/src/test/java/org/eclipse/hawkbit/app/PreAuthorizeEnabledTest.java index 271a22a2e..6ee8464bf 100644 --- a/hawkbit-monolith/hawkbit-update-server/src/test/java/org/eclipse/hawkbit/app/PreAuthorizeEnabledTest.java 
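Review bot: The rewritten `@WithUser` in `successIfHasRoleWithScope` grants READ_REPOSITORY unscoped next to the scoped `SpPermission.READ_DISTRIBUTION_SET + "/name==DsOne"`, and nothing in the test says what the unscoped permission contributes; the same applies to `failIfHasNoForbiddingScope` in the next hunk and to both copies in the monolith PreAuthorizeEnabledTest that follows. The expectation of `failIfHasNoForbiddingScope` (the set is not returned) implies that an unscoped READ_REPOSITORY does not widen a scoped READ_DISTRIBUTION_SET, which is a security-relevant composition rule worth stating in the test, e.g. `// READ_REPOSITORY is unscoped on purpose: the scope on READ_DISTRIBUTION_SET must still filter the result`. There is no case that grants scoped READ_DISTRIBUTION_SET without READ_REPOSITORY, so the tests do not show that the new permission is sufficient by itself; whether another check on the endpoint still demands READ_REPOSITORY is not visible in these hunks.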
+++ b/hawkbit-monolith/hawkbit-update-server/src/test/java/org/eclipse/hawkbit/app/PreAuthorizeEnabledTest.java @@ -52,7 +52,10 @@ class PreAuthorizeEnabledTest extends AbstractSecurityTest { * Tests whether request returns distribution set if a role with scope is granted for the user */ @Test - @WithUser(authorities = { SpPermission.CREATE_REPOSITORY, SpPermission.READ_REPOSITORY + "/name==DsOne" }, autoCreateTenant = false) + @WithUser(authorities = { + SpPermission.CREATE_REPOSITORY, + SpPermission.READ_REPOSITORY, + SpPermission.READ_DISTRIBUTION_SET + "/name==DsOne" }, autoCreateTenant = false) void successIfHasRoleWithScope() throws Exception { createDsOne("successIfHasRoleWithScope"); mvc.perform(get("/rest/v1/distributionsets")).andExpect(result -> { @@ -65,7 +68,10 @@ class PreAuthorizeEnabledTest extends AbstractSecurityTest { * Tests whether request doesn't return distribution set if a role with scope doesn't grant access */ @Test - @WithUser(authorities = { SpPermission.CREATE_REPOSITORY, SpPermission.READ_REPOSITORY + "/name==DsOne2" }, autoCreateTenant = false) + @WithUser(authorities = { + SpPermission.CREATE_REPOSITORY, + SpPermission.READ_REPOSITORY, + SpPermission.READ_DISTRIBUTION_SET + "/name==DsOne2" }, autoCreateTenant = false) void failIfHasNoForbiddingScope() throws Exception { createDsOne("failIfHasNoForbiddingScope"); mvc.perform(get("/rest/v1/distributionsets")).andExpect(result -> { diff --git a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ArtifactManagement.java b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ArtifactManagement.java index 8f5b97274..2f380c14a 100644 --- a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ArtifactManagement.java +++ b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ArtifactManagement.java 
@@ -17,7 +17,7 @@ import jakarta.validation.constraints.NotEmpty; import jakarta.validation.constraints.NotNull; import org.eclipse.hawkbit.repository.artifact.model.DbArtifact; -import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions; +import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions; import org.eclipse.hawkbit.repository.exception.ArtifactDeleteFailedException; import org.eclipse.hawkbit.repository.exception.ArtifactUploadFailedException; import org.eclipse.hawkbit.repository.exception.EntityAlreadyExistsException; diff --git a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ConfirmationManagement.java b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ConfirmationManagement.java index 00e2feb7f..a5b9300e4 100644 --- a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ConfirmationManagement.java +++ b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ConfirmationManagement.java @@ -15,7 +15,7 @@ import java.util.Optional; import jakarta.validation.constraints.NotEmpty; -import org.eclipse.hawkbit.im.authentication.SpPermission; +import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions; import org.eclipse.hawkbit.repository.model.Action; import org.eclipse.hawkbit.repository.model.AutoConfirmationStatus; import org.eclipse.hawkbit.tenancy.TenantAware; @@ -34,7 +34,7 @@ public interface ConfirmationManagement { * @param remark optional field to set a remark * @return the persisted {@link AutoConfirmationStatus} */ - @PreAuthorize(SpPermission.SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET) + @PreAuthorize(SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET) AutoConfirmationStatus activateAutoConfirmation(@NotEmpty String controllerId, final String initiator, final String remark); /** 
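Review bot: `activateAutoConfirmation` keeps `IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET`, so a non-controller caller still needs READ_REPOSITORY to act on a target's confirmation, while the rest of this commit moves distribution-set reads off READ_REPOSITORY onto READ_DISTRIBUTION_SET; the same expression stays on `confirmAction`, `denyAction` and `deactivateAutoConfirmation` in the following hunks. If the READ_REPOSITORY part is only historical, these four are candidates for a target-only expression; if it is intentional, a Javadoc line on the interface explaining why repository read access is part of the confirmation contract would stop the next refactor from dropping it. SpringEvalExpressions itself is outside this diff, so which narrower constant exists is an inference.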
@@ -44,7 +44,7 @@ public interface ConfirmationManagement { * @param code optional value to specify a code for the created action status * @param messages optional value to specify message for the created action status */ - @PreAuthorize(SpPermission.SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET) + @PreAuthorize(SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET) Action confirmAction(long actionId, Integer code, Collection messages); /** @@ -54,7 +54,7 @@ public interface ConfirmationManagement { * @param code optional value to specify a code for the created action status * @param messages optional value to specify message for the created action status */ - @PreAuthorize(SpPermission.SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET) + @PreAuthorize(SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET) Action denyAction(long actionId, Integer code, Collection messages); /** @@ -62,7 +62,7 @@ public interface ConfirmationManagement { * * @param controllerId to disable auto confirmation for */ - @PreAuthorize(SpPermission.SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET) + @PreAuthorize(SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET) void deactivateAutoConfirmation(@NotEmpty String controllerId); /** 
@@ -71,8 +71,8 @@ public interface ConfirmationManagement { * @param controllerId to check the state for * @return instance of {@link AutoConfirmationStatus} wrapped in an {@link Optional}. Present if active and empty if disabled. */ - @PreAuthorize(SpPermission.SpringEvalExpressions.IS_CONTROLLER + SpPermission.SpringEvalExpressions.HAS_AUTH_OR + - SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(SpringEvalExpressions.IS_CONTROLLER + SpringEvalExpressions.HAS_AUTH_OR + + SpringEvalExpressions.HAS_AUTH_READ_TARGET) Optional getStatus(@NotEmpty String controllerId); /** @@ -81,6 +81,6 @@ public interface ConfirmationManagement { * @param controllerId of the target to check * @return a list of {@link Action} */ - @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) List findActiveActionsWaitingConfirmation(@NotEmpty String controllerId); } \ No newline at end of file diff --git a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ControllerManagement.java b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ControllerManagement.java index ce42c7436..ad48e328c 100644 --- a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ControllerManagement.java +++ b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ControllerManagement.java 
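Review bot: `getStatus` assembles its authorization rule inline as `SpringEvalExpressions.IS_CONTROLLER + SpringEvalExpressions.HAS_AUTH_OR + SpringEvalExpressions.HAS_AUTH_READ_TARGET`, whereas every other method in this interface uses a single named constant; an inline SpEL concatenation is the one spot where a fragment with a missing space or a later change to one operand would silently widen or break the check. Prefer a named constant next to the existing combined ones (something like `IS_CONTROLLER_OR_HAS_AUTH_READ_TARGET`, to be defined in SpringEvalExpressions, which is outside this diff) so the annotation reads `@PreAuthorize(SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_TARGET)`. The file also still ends without a trailing newline (`\ No newline at end of file`), which this commit touches but does not fix.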
@@ -20,7 +20,7 @@ import jakarta.validation.Valid; import jakarta.validation.constraints.NotEmpty; import jakarta.validation.constraints.NotNull; -import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions; +import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions; import org.eclipse.hawkbit.repository.builder.ActionStatusCreate; import org.eclipse.hawkbit.repository.exception.AssignmentQuotaExceededException; import org.eclipse.hawkbit.repository.exception.CancelActionNotAllowedException; diff --git a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/DeploymentManagement.java b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/DeploymentManagement.java index 8e969710d..107bb46c0 100644 --- a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/DeploymentManagement.java +++ b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/DeploymentManagement.java @@ -19,7 +19,7 @@ import jakarta.validation.Valid; import jakarta.validation.constraints.NotEmpty; import jakarta.validation.constraints.NotNull; -import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions; +import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions; import org.eclipse.hawkbit.repository.event.remote.TargetAssignDistributionSetEvent; import org.eclipse.hawkbit.repository.exception.AssignmentQuotaExceededException; import org.eclipse.hawkbit.repository.exception.CancelActionNotAllowedException; diff --git a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/DistributionSetManagement.java b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/DistributionSetManagement.java index 46b83e1a7..ae1af1f7f 100644 --- a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/DistributionSetManagement.java 
+++ b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/DistributionSetManagement.java @@ -9,6 +9,9 @@ */ package org.eclipse.hawkbit.repository; +import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_READ_DISTRIBUTION_SET; +import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_UPDATE_DISTRIBUTION_SET; + import java.util.Collection; import java.util.List; import java.util.Map; @@ -17,7 +20,7 @@ import java.util.Optional; import jakarta.validation.constraints.NotEmpty; import jakarta.validation.constraints.NotNull; -import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions; +import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions; import org.eclipse.hawkbit.repository.builder.DistributionSetCreate; import org.eclipse.hawkbit.repository.builder.DistributionSetUpdate; import org.eclipse.hawkbit.repository.exception.AssignmentQuotaExceededException; @@ -51,7 +54,7 @@ public interface DistributionSetManagement extends RepositoryManagement getWithDetails(long id); /** @@ -61,7 +64,7 @@ public interface DistributionSetManagement extends RepositoryManagement moduleIds); /** @@ -97,7 +100,7 @@ public interface DistributionSetManagement extends RepositoryManagement assignTag(@NotEmpty Collection ids, long tagId); /** @@ -119,7 +122,7 @@ public interface DistributionSetManagement extends RepositoryManagement unassignTag(@NotEmpty Collection ids, long tagId); /** @@ -131,7 +134,7 @@ public interface DistributionSetManagement extends RepositoryManagement metadata); /** @@ -141,7 +144,7 @@ public interface DistributionSetManagement extends RepositoryManagement getMetadata(long id); /** @@ -152,7 +155,7 @@ public interface DistributionSetManagement extends RepositoryManagement findByAction(long actionId); /** 
@@ -225,7 +228,7 @@ public interface DistributionSetManagement extends RepositoryManagement findByNameAndVersion(@NotEmpty String distributionName, @NotEmpty String version); /** @@ -236,7 +239,7 @@ public interface DistributionSetManagement extends RepositoryManagement findByCompleted(Boolean complete, @NotNull Pageable pageable); /** @@ -246,7 +249,7 @@ public interface DistributionSetManagement extends RepositoryManagement findByDistributionSetFilter(@NotNull DistributionSetFilter distributionSetFilter, @NotNull Pageable pageable); /** @@ -260,7 +263,7 @@ public interface DistributionSetManagement extends RepositoryManagement findByTag(long tagId, @NotNull Pageable pageable); /** @@ -272,7 +275,7 @@ public interface DistributionSetManagement extends RepositoryManagement findByRsqlAndTag(@NotNull String rsql, long tagId, @NotNull Pageable pageable); /** @@ -282,7 +285,7 @@ public interface DistributionSetManagement extends RepositoryManagementnull to count both. * @return count of all found {@link DistributionSet}s */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY) + @PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET) long countByCompleted(Boolean complete); /** @@ -291,7 +294,7 @@ public interface DistributionSetManagement extends RepositoryManagementtrue if in use */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY) + @PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET) boolean isInUse(long id); /** @@ -322,7 +325,7 @@ public interface DistributionSetManagement extends RepositoryManagement countRolloutsByStatusForDistributionSet(@NotNull Long id); /** @@ -332,7 +335,7 @@ public interface DistributionSetManagement extends RepositoryManagement countActionsByStatusForDistributionSet(@NotNull Long id); /** 
@@ -342,6 +345,6 @@ public interface DistributionSetManagement extends RepositoryManagementtrue if a {@link Target} exists. * @throws EntityNotFoundException if distribution set with given ID does not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET) boolean existsByInstalledOrAssignedDistributionSet(long distributionSetId); /** @@ -101,7 +120,7 @@ public interface TargetManagement { * @param rsql filter definition in RSQL syntax * @return the found number of {@link Target}s */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) long countByRsql(@NotEmpty String rsql); /** @@ -110,7 +129,7 @@ public interface TargetManagement { * @param rsql filter definition in RSQL syntax * @return the found number of {@link Target}s */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) long countByRsqlAndUpdatable(@NotEmpty String rsql); /** @@ -122,7 +141,7 @@ public interface TargetManagement { * compatible with * @return the found number of{@link Target}s */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) long countByRsqlAndCompatible(@NotEmpty String rsql, @NotNull Long distributionSetIdTypeId); /** @@ -134,7 +153,7 @@ public interface TargetManagement { * compatible with * @return the found number of{@link Target}s */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) long countByRsqlAndCompatibleAndUpdatable(@NotEmpty String rsql, @NotNull Long distributionSetIdTypeId); /** @@ -147,7 +166,7 @@ public interface TargetManagement { * compatible with * @return the found number of{@link Target}s */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) long countByFailedInRollout(@NotEmpty String rolloutId, @NotNull Long dsTypeId); /** 
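Review bot: The new line on `existsByInstalledOrAssignedDistributionSet` uses the unqualified `HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET`, but the static imports added to DistributionSetManagement at `@@ -9,6 +9,9 @@` cover only `HAS_AUTH_READ_DISTRIBUTION_SET` and `HAS_AUTH_UPDATE_DISTRIBUTION_SET`; unless the constant is inherited from RepositoryManagement or imported in a hunk not shown, this does not compile, and the hunk offsets (+3 here versus +19 for the TargetManagement hunks) say it really is in DistributionSetManagement. Separately, `countByFailedInRollout(rolloutId, dsTypeId)` stays at `HAS_AUTH_READ_TARGET` while `findByFailedRolloutAndNotInRolloutGroups` and `countByFailedRolloutAndNotInRolloutGroups` later in the file require `HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ` for the same rollout-keyed query; since this commit restates every `@PreAuthorize` in the interface, that difference should be either aligned or documented. A count discloses less than a page of targets, so READ_TARGET may be deliberate, in which case a Javadoc line such as `* Requires only READ_TARGET: exposes a count, not rollout details.` makes the audit trail explicit. The TargetManagement file header appears to be missing from this page before `@@ -101,7 +120,7 @@`, so the static-import block of that file could not be checked here.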
@@ -157,7 +176,7 @@ public interface TargetManagement { * @return the found number of {@link Target}s * @throws EntityNotFoundException if {@link TargetFilterQuery} with given ID does not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) long countByTargetFilterQuery(long targetFilterQueryId); /** @@ -165,7 +184,7 @@ public interface TargetManagement { * * @return number of targets */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) long count(); /** @@ -176,7 +195,7 @@ public interface TargetManagement { * @throws EntityAlreadyExistsException given target already exists. * @throws ConstraintViolationException if fields are not filled as specified. Check {@link TargetCreate} for field constraints. */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_CREATE_TARGET) + @PreAuthorize(HAS_AUTH_CREATE_TARGET) Target create(@NotNull @Valid TargetCreate create); /** @@ -190,7 +209,7 @@ public interface TargetManagement { * @throws ConstraintViolationException if fields are not filled as specified. Check {@link TargetCreate} * for field constraints. */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_CREATE_TARGET) + @PreAuthorize(HAS_AUTH_CREATE_TARGET) List create(@NotNull @Valid Collection creates); /** @@ -199,7 +218,7 @@ public interface TargetManagement { * @param ids the IDs of the targets to be deleted * @throws EntityNotFoundException if (at least one) of the given target IDs does not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_DELETE_TARGET) + @PreAuthorize(HAS_AUTH_DELETE_TARGET) void delete(@NotEmpty Collection ids); /** 
@@ -208,7 +227,7 @@ public interface TargetManagement { * @param controllerId the controller ID of the target to be deleted * @throws EntityNotFoundException if target with given ID does not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_DELETE_TARGET) + @PreAuthorize(HAS_AUTH_DELETE_TARGET) void deleteByControllerID(@NotEmpty String controllerId); /** @@ -222,7 +241,7 @@ public interface TargetManagement { * @return a page of the found {@link Target}s * @throws EntityNotFoundException if distribution set with given ID does not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET) Slice findByTargetFilterQueryAndNonDSAndCompatibleAndUpdatable( long distributionSetId, @NotNull String rsql, @NotNull Pageable pageable); @@ -236,7 +255,7 @@ public interface TargetManagement { * @return the count of found {@link Target}s * @throws EntityNotFoundException if distribution set with given ID does not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET) long countByRsqlAndNonDSAndCompatibleAndUpdatable(long distributionSetId, @NotNull String rsql); /** @@ -251,7 +270,7 @@ public interface TargetManagement { * @param pageable the pageable to enhance the query for paging and sorting * @return a page of the found {@link Target}s */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ) + @PreAuthorize(HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ) Slice findByRsqlAndNotInRolloutGroupsAndCompatibleAndUpdatable( @NotEmpty Collection groups, @NotNull String rsql, @NotNull DistributionSetType distributionSetType, @NotNull Pageable pageable); 
@@ -266,7 +285,7 @@ public interface TargetManagement { * @param distributionSetType type of the {@link DistributionSet} the targets must be compatible with * @return count of the found {@link Target}s */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ) + @PreAuthorize(HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ) long countByRsqlAndNotInRolloutGroupsAndCompatibleAndUpdatable( @NotNull String rsql, @NotEmpty Collection groups, @NotNull DistributionSetType distributionSetType); @@ -280,7 +299,7 @@ public interface TargetManagement { * @param pageable the pageable to enhance the query for paging and sorting * @return a page of the found {@link Target}s */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ) + @PreAuthorize(HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ) Slice findByFailedRolloutAndNotInRolloutGroups( @NotNull String rolloutId, @NotEmpty Collection groups, @NotNull Pageable pageable); @@ -293,14 +312,14 @@ public interface TargetManagement { * @param groups the list of {@link RolloutGroup}s * @return count of the found {@link Target}s */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ) + @PreAuthorize(HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ) long countByFailedRolloutAndNotInRolloutGroups(@NotNull String rolloutId, @NotEmpty Collection groups); - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ) + @PreAuthorize(HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ) Slice findByRsqlAndNoOverridingActionsAndNotInRolloutAndCompatibleAndUpdatable( final long rolloutId, @NotNull String rsql, @NotNull DistributionSetType distributionSetType, @NotNull Pageable pageable); - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ) + @PreAuthorize(HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ) long countByActionsInRolloutGroup(final long rolloutGroupId); /** 
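Review bot: `findByRsqlAndNoOverridingActionsAndNotInRolloutAndCompatibleAndUpdatable` and `countByActionsInRolloutGroup` in the `@@ -293,14 +312,14 @@` hunk carry a `@PreAuthorize` but no Javadoc, unlike every other method in this interface; where the annotations are the authorization contract, the missing text should at least state the parameters, the returned slice or count, and that the caller must hold rollout read access. The `final` modifiers on `rolloutId` and `rolloutGroupId` are noise on interface method declarations and differ from the neighbouring signatures. I would add a Javadoc block on each in the style of `countByFailedRolloutAndNotInRolloutGroups` above, with `@param` and `@return` lines, and an `@throws EntityNotFoundException` only if the implementation, which is outside this diff, actually throws it.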
@@ -312,7 +331,7 @@ public interface TargetManagement { * @return the found {@link Target}s * @throws EntityNotFoundException if rollout group with given ID does not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) Slice findByInRolloutGroupWithoutAction(long group, @NotNull Pageable pageable); /** @@ -323,7 +342,7 @@ public interface TargetManagement { * @return the found {@link Target}s * @throws EntityNotFoundException if distribution set with given ID does not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET) Page findByAssignedDistributionSet(long distributionSetId, @NotNull Pageable pageable); /** @@ -338,7 +357,7 @@ public interface TargetManagement { * @throws RSQLParameterSyntaxException if the RSQL syntax is wrong * @throws EntityNotFoundException if distribution set with given ID does not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET) Page findByAssignedDistributionSetAndRsql(long distributionSetId, @NotNull String rsql, @NotNull Pageable pageable); /** @@ -347,7 +366,7 @@ public interface TargetManagement { * @param controllerIDs to look for. * @return List of found{@link Target}s */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) List getByControllerID(@NotEmpty Collection controllerIDs); /** @@ -356,7 +375,7 @@ public interface TargetManagement { * @param controllerId to look for. * @return {@link Target} */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) Optional getByControllerID(@NotEmpty String controllerId); /** 
@@ -366,25 +385,25 @@ public interface TargetManagement { * @param detailsKey the key of the details to include, e.g. {@link #DETAILS_AUTO_CONFIRMATION_STATUS} * @return {@link Target} */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) Target getWithDetails(@NotEmpty String controllerId, String detailsKey); - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) default Target getWithDetails(@NotEmpty String controllerId) { return getWithDetails(controllerId, DETAILS_BASE); } - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) default Target getWithAutoConfigurationStatus(@NotEmpty String controllerId) { return getWithDetails(controllerId, DETAILS_AUTO_CONFIRMATION_STATUS); } - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) default Target getWithTags(@NotEmpty String controllerId) { return getWithDetails(controllerId, DETAILS_TAGS); } - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) default Target getWithActions(@NotEmpty String controllerId) { return getWithDetails(controllerId, DETAILS_ACTIONS); } @@ -399,7 +418,7 @@ public interface TargetManagement { * @return the found {@link Target}s * @throws EntityNotFoundException if distribution set with given ID does not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) Slice findByFilters(@NotNull FilterParams filterParams, @NotNull Pageable pageable); /** 
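Review bot: Each `default` accessor in this hunk (`getWithDetails(controllerId)`, `getWithAutoConfigurationStatus`, `getWithTags`, `getWithActions`) repeats `@PreAuthorize(HAS_AUTH_READ_TARGET)` and then delegates to the abstract `getWithDetails(controllerId, detailsKey)`, and nothing says whether the repetition is deliberate. It looks intentional — the inner call is a self-invocation that method-security interception may not see depending on how the bean is proxied, so the annotation on the default method is what actually guards it — but a reader doing a permission audit cannot tell that from the code. A one-line comment above the first default method, such as `// each default method carries its own @PreAuthorize: the delegation below is a self-call the security proxy may not intercept`, would stop a later cleanup from removing them as redundant. `getWithAutoConfigurationStatus` also reads as a typo for the `DETAILS_AUTO_CONFIRMATION_STATUS` key it passes; renaming is an API change, so at least record it.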
@@ -410,7 +429,7 @@ public interface TargetManagement { * @return the found {@link Target}s * @throws EntityNotFoundException if distribution set with given ID does not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET) Page findByInstalledDistributionSet(long distributionSetId, @NotNull Pageable pageReq); /** @@ -426,7 +445,7 @@ public interface TargetManagement { * @throws RSQLParameterSyntaxException if the RSQL syntax is wrong * @throws EntityNotFoundException if distribution set with given ID does not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET) Page findByInstalledDistributionSetAndRsql(long distributionSetId, @NotNull String rsql, @NotNull Pageable pageReq); /** @@ -436,7 +455,7 @@ public interface TargetManagement { * @param pageable page parameter * @return the found {@link Target}s */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) Page findByUpdateStatus(@NotNull TargetUpdateStatus status, @NotNull Pageable pageable); /** @@ -445,7 +464,7 @@ public interface TargetManagement { * @param pageable pagination parameter * @return the found {@link Target}s */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) Slice findAll(@NotNull Pageable pageable); /** @@ -458,7 +477,7 @@ public interface TargetManagement { * given {@code fieldNameProvider} * @throws RSQLParameterSyntaxException if the RSQL syntax is wrong */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) Slice findByRsql(@NotNull String rsql, @NotNull Pageable pageable); /** 
@@ -472,7 +491,7 @@ public interface TargetManagement { * given {@code fieldNameProvider} * @throws RSQLParameterSyntaxException if the RSQL syntax is wrong */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) Slice findByTargetFilterQuery(long targetFilterQueryId, @NotNull Pageable pageable); /** @@ -483,7 +502,7 @@ public interface TargetManagement { * @return list of matching targets * @throws EntityNotFoundException if target tag with given ID does not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) Page findByTag(long tagId, @NotNull Pageable pageable); /** @@ -498,7 +517,7 @@ public interface TargetManagement { * given {@code fieldNameProvider} * @throws RSQLParameterSyntaxException if the RSQL syntax is wrong */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) Page findByRsqlAndTag(@NotNull String rsql, long tagId, @NotNull Pageable pageable); /** @@ -510,7 +529,7 @@ public interface TargetManagement { * @param targetFilterQuery to execute * @return true if it matches */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET) boolean isTargetMatchingQueryAndDSNotAssignedAndCompatibleAndUpdatable( @NotNull String controllerId, long distributionSetId, @NotNull String targetFilterQuery); @@ -523,7 +542,7 @@ public interface TargetManagement { * @return {@link TargetTypeAssignmentResult} with all meta-data of the assignment outcome. * @throws EntityNotFoundException if target type with given id does not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET) + @PreAuthorize(HAS_AUTH_UPDATE_TARGET) TargetTypeAssignmentResult assignType(@NotEmpty Collection controllerIds, @NotNull Long typeId); /** 
@@ -532,7 +551,7 @@ public interface TargetManagement { * @param controllerIds to remove the type from * @return {@link TargetTypeAssignmentResult} with all meta-data of the assignment outcome. */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET) + @PreAuthorize(HAS_AUTH_UPDATE_TARGET) TargetTypeAssignmentResult unassignType(@NotEmpty Collection controllerIds); /** @@ -544,7 +563,7 @@ public interface TargetManagement { * @return list of assigned targets * @throws EntityNotFoundException if given targetTagId or at least one of the targets do not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET) + @PreAuthorize(HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET) List assignTag(@NotEmpty Collection controllerIds, long targetTagId, final Consumer> notFoundHandler); /** @@ -555,7 +574,7 @@ public interface TargetManagement { * @return list of assigned targets * @throws EntityNotFoundException if given targetTagId or at least one of the targets do not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET) + @PreAuthorize(HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET) List assignTag(@NotEmpty Collection controllerIds, long targetTagId); /** @@ -567,7 +586,7 @@ public interface TargetManagement { * @return list of unassigned targets * @throws EntityNotFoundException if given targetTagId or at least one of the targets do not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET) + @PreAuthorize(HAS_AUTH_UPDATE_TARGET) List unassignTag(@NotEmpty Collection controllerIds, long targetTagId, final Consumer> notFoundHandler); /** 
@@ -578,7 +597,7 @@ public interface TargetManagement { * @return list of unassigned targets * @throws EntityNotFoundException if given targetTagId or at least one of the targets do not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET) + @PreAuthorize(HAS_AUTH_UPDATE_TARGET) List unassignTag(@NotEmpty Collection controllerIds, long targetTagId); /** @@ -587,7 +606,7 @@ public interface TargetManagement { * @param controllerId to un-assign for * @return the unassigned target */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET) + @PreAuthorize(HAS_AUTH_UPDATE_TARGET) Target unassignType(@NotEmpty String controllerId); /** @@ -598,7 +617,7 @@ public interface TargetManagement { * @return the unassigned target * @throws EntityNotFoundException if TargetType with given target ID does not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET) + @PreAuthorize(HAS_AUTH_UPDATE_TARGET) Target assignType(@NotEmpty String controllerId, @NotNull Long targetTypeId); /** @@ -610,7 +629,7 @@ public interface TargetManagement { * @throws ConstraintViolationException if fields are not filled as specified. Check {@link TargetUpdate} * for field constraints. */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET) + @PreAuthorize(HAS_AUTH_UPDATE_TARGET) Target update(@NotNull @Valid TargetUpdate update); /** @@ -619,7 +638,7 @@ public interface TargetManagement { * @param id to look for * @return {@link Target} */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) Optional get(long id); /** @@ -628,7 +647,7 @@ public interface TargetManagement { * @param ids the ids to for * @return the found {@link Target}s */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) List get(@NotNull Collection ids); /** 
@@ -637,7 +656,7 @@ public interface TargetManagement { * @param controllerId of target * @return {@code true} if target with given ID exists */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) boolean existsByControllerId(@NotEmpty String controllerId); /** @@ -647,7 +666,7 @@ public interface TargetManagement { * @return the found Tag set * @throws EntityNotFoundException if target with given ID does not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) Set getTags(@NotEmpty String controllerId); /** @@ -657,7 +676,7 @@ public interface TargetManagement { * @return controller attributes as key/value pairs * @throws EntityNotFoundException if target with given ID does not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) Map getControllerAttributes(@NotEmpty String controllerId); /** @@ -666,7 +685,7 @@ public interface TargetManagement { * @param controllerId of the target * @throws EntityNotFoundException if target with given ID does not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET) + @PreAuthorize(HAS_AUTH_UPDATE_TARGET) void requestControllerAttributes(@NotEmpty String controllerId); /** @@ -676,7 +695,7 @@ public interface TargetManagement { * @return {@code true}: update of controller attributes triggered. * {@code false}: update of controller attributes not requested. */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) boolean isControllerAttributesRequested(@NotEmpty String controllerId); /** @@ -686,7 +705,7 @@ public interface TargetManagement { * @param pageable page parameter * @return the found {@link Target}s */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET) Page findByControllerAttributesRequested(@NotNull Pageable pageable); /** 
@@ -698,7 +717,7 @@ public interface TargetManagement { * @throws EntityAlreadyExistsException in case one of the metad-ata entry already exists for the specific key * @throws AssignmentQuotaExceededException if the maximum number of meta-data entries is exceeded for the addressed {@link Target} */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY) + @PreAuthorize(HAS_AUTH_UPDATE_REPOSITORY) void createMetadata(@NotEmpty String controllerId, @NotEmpty Map metadata); /** @@ -708,7 +727,7 @@ public interface TargetManagement { * @return the found target meta-data * @throws EntityNotFoundException if target with given ID does not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY) + @PreAuthorize(HAS_AUTH_READ_REPOSITORY) Map getMetadata(@NotEmpty String controllerId); /** @@ -719,7 +738,7 @@ public interface TargetManagement { * @param value meta data-entry to be new value * @throws EntityNotFoundException in case the meta-data entry does not exist and cannot be updated */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY) + @PreAuthorize(HAS_AUTH_UPDATE_REPOSITORY) void updateMetadata(@NotEmpty String controllerId, @NotNull String key, @NotNull String value); /** @@ -729,6 +748,6 @@ public interface TargetManagement { * @param key of the meta data element * @throws EntityNotFoundException if given target does not exist */ - @PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY) + @PreAuthorize(HAS_AUTH_UPDATE_REPOSITORY) void deleteMetadata(@NotEmpty String controllerId, @NotEmpty String key); } \ No newline at end of file diff --git a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/TargetTagManagement.java b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/TargetTagManagement.java index 9fe96c724..159c1c59c 100644 --- a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/TargetTagManagement.java 
+++ b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/TargetTagManagement.java
@@ -18,7 +18,7 @@ import jakarta.validation.Valid;
 import jakarta.validation.constraints.NotEmpty;
 import jakarta.validation.constraints.NotNull;
 
-import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
+import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
 import org.eclipse.hawkbit.repository.builder.TagCreate;
 import org.eclipse.hawkbit.repository.builder.TagUpdate;
 import org.eclipse.hawkbit.repository.exception.EntityAlreadyExistsException;
diff --git a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/TargetTypeManagement.java b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/TargetTypeManagement.java
index 27050d31b..2840972df 100644
--- a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/TargetTypeManagement.java
+++ b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/TargetTypeManagement.java
@@ -9,6 +9,16 @@
  */
 package org.eclipse.hawkbit.repository;
 
+import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.BRACKET_CLOSE;
+import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.BRACKET_OPEN;
+import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_AND;
+import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_CREATE_TARGET_TYPE;
+import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_DELETE_TARGET_TYPE;
+import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_PREFIX;
+import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_READ_TARGET_TYPE;
+import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_SUFFIX;
+import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET_TYPE;
+
 import java.util.Collection;
 import java.util.List;
 import java.util.Optional;
@@ -31,58 +41,64 @@ import org.springframework.security.access.prepost.PreAuthorize; */ public interface TargetTypeManagement { + String HAS_AUTH_READ_DISTRIBUTION_SET_AND_UPDATE_TARGET_TYPE = BRACKET_OPEN + + HAS_AUTH_PREFIX + SpPermission.READ_DISTRIBUTION_SET + HAS_AUTH_SUFFIX + + HAS_AUTH_AND + + HAS_AUTH_PREFIX + SpPermission.UPDATE_TARGET_TYPE + HAS_AUTH_SUFFIX + + BRACKET_CLOSE; + /** * @param key as {@link TargetType#getKey()} * @return {@link TargetType} */ - @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET_TYPE) Optional getByKey(@NotEmpty String key); /** * @param name as {@link TargetType#getName()} * @return {@link TargetType} */ - @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET_TYPE) Optional getByName(@NotEmpty String name); /** * @return total count */ - @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET_TYPE) long count(); /** * @param name as {@link TargetType#getName()} * @return total count by name */ - @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET_TYPE) long countByName(String name); /** * @param create TargetTypeCreate * @return targetType */ - @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_CREATE_TARGET) + @PreAuthorize(HAS_AUTH_CREATE_TARGET_TYPE) TargetType create(@NotNull @Valid TargetTypeCreate create); /** * @param creates List of TargetTypeCreate * @return List of targetType */ - @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_CREATE_TARGET) + @PreAuthorize(HAS_AUTH_CREATE_TARGET_TYPE) List create(@NotEmpty @Valid Collection creates); /** * @param id targetTypeId */ - @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_DELETE_TARGET) + @PreAuthorize(HAS_AUTH_DELETE_TARGET_TYPE) void delete(@NotNull Long id); /** * @param pageable Page * @return TargetType page */ - 
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET_TYPE) Slice findAll(@NotNull Pageable pageable); /** @@ -90,7 +106,7 @@ public interface TargetTypeManagement { * @param pageable Page * @return Target type */ - @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET_TYPE) Page findByRsql(@NotEmpty String rsql, @NotNull Pageable pageable); /** @@ -100,28 +116,28 @@ public interface TargetTypeManagement { * @param pageable page parameter * @return the page of found {@link TargetType} */ - @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET_TYPE) Slice findByName(String name, @NotNull Pageable pageable); /** * @param id Target type ID * @return Target Type */ - @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET_TYPE) Optional get(long id); /** * @param ids List of Target type ID * @return Target type list */ - @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET) + @PreAuthorize(HAS_AUTH_READ_TARGET_TYPE) List get(@NotEmpty Collection ids); /** * @param update TargetTypeUpdate * @return Target Type */ - @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET) + @PreAuthorize(HAS_AUTH_UPDATE_TARGET_TYPE) TargetType update(@NotNull @Valid TargetTypeUpdate update); /** 
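Review bot: `HAS_AUTH_READ_DISTRIBUTION_SET_AND_UPDATE_TARGET_TYPE` declared directly on the interface is implicitly `public static final`, so a SpEL authorization string becomes part of `TargetTypeManagement`'s public API without any Javadoc; every other `HAS_AUTH_*` expression in this hunk is static-imported from `SpringEvalExpressions`, and this composite would be better kept there too, or at least documented with `/** SpEL expression requiring both READ_DISTRIBUTION_SET and UPDATE_TARGET_TYPE; guards the compatible distribution set type assignments. */`. The read/create/update/delete guards also move from the TARGET permissions to the dedicated TARGET_TYPE permissions, which tightens access for principals holding only READ_TARGET unless the role hierarchy implies the new permissions — worth a release-note entry. The `@@ -129` hunk additionally drops the file's trailing newline (`-}` / `+}` followed by `\ No newline at end of file`), which looks unintended.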
@@ -129,15 +145,14 @@ public interface TargetTypeManagement {
 * @param distributionSetTypeIds Distribution set ID
 * @return Target type
 */
- @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
- TargetType assignCompatibleDistributionSetTypes(long id,
- @NotEmpty Collection distributionSetTypeIds);
+ @PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_UPDATE_TARGET_TYPE)
+ TargetType assignCompatibleDistributionSetTypes(long id, @NotEmpty Collection distributionSetTypeIds);
 
 /**
 * @param id Target type ID
 * @param distributionSetTypeIds Distribution set ID
 * @return Target type
 */
- @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
+ @PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_UPDATE_TARGET_TYPE)
 TargetType unassignDistributionSetType(long id, long distributionSetTypeIds);
-}
+}
\ No newline at end of file
diff --git a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/TenantConfigurationManagement.java b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/TenantConfigurationManagement.java
index 6f18a99fb..a221da546 100644
--- a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/TenantConfigurationManagement.java
+++ b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/TenantConfigurationManagement.java
@@ -13,7 +13,7 @@ import java.io.Serializable;
 import java.util.Map;
 import java.util.function.Function;
 
-import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
+import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
 import org.eclipse.hawkbit.repository.exception.TenantConfigurationValidatorException;
 import org.eclipse.hawkbit.repository.model.PollStatus;
 import org.eclipse.hawkbit.repository.model.Target;
diff --git a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/TenantStatsManagement.java b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/TenantStatsManagement.java
index d62065d2f..39f9320ec 100644
--- a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/TenantStatsManagement.java
+++ b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/TenantStatsManagement.java
@@ -9,7 +9,7 @@
  */
 package org.eclipse.hawkbit.repository;
 
-import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
+import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
 import org.eclipse.hawkbit.repository.report.model.TenantUsage;
 import org.springframework.security.access.prepost.PreAuthorize;
 
diff --git a/hawkbit-repository/hawkbit-repository-core/src/main/java/org/eclipse/hawkbit/repository/RepositoryConfiguration.java b/hawkbit-repository/hawkbit-repository-core/src/main/java/org/eclipse/hawkbit/repository/RepositoryConfiguration.java
index 944d5e06a..589cb7471 100644
--- a/hawkbit-repository/hawkbit-repository-core/src/main/java/org/eclipse/hawkbit/repository/RepositoryConfiguration.java
+++ b/hawkbit-repository/hawkbit-repository-core/src/main/java/org/eclipse/hawkbit/repository/RepositoryConfiguration.java
@@ -15,7 +15,7 @@ import java.util.Optional;
 import java.util.function.Supplier;
 
 import org.aopalliance.intercept.MethodInvocation;
-import org.eclipse.hawkbit.im.authentication.SpRole;
+import org.eclipse.hawkbit.im.authentication.Hierarchy;
 import org.eclipse.hawkbit.tenancy.configuration.ControllerPollProperties;
 import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
@@ -49,7 +49,7 @@ public class RepositoryConfiguration {
 @Bean
 @ConditionalOnMissingBean
 static RoleHierarchy roleHierarchy() {
- return RoleHierarchyImpl.fromHierarchy(SpRole.DEFAULT_ROLE_HIERARCHY);
+ return RoleHierarchyImpl.fromHierarchy(Hierarchy.DEFAULT);
 }
 
 @Bean
diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/acm/DefaultAccessController.java b/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/acm/DefaultAccessController.java
index 50069603b..53c3d745a 100644
--- a/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/acm/DefaultAccessController.java
+++ b/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/acm/DefaultAccessController.java
@@ -18,7 +18,6 @@ import java.util.Map;
 import java.util.Optional;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
-import java.util.stream.Stream;
 
 import lombok.extern.slf4j.Slf4j;
 import org.eclipse.hawkbit.ContextAware;
@@ -27,11 +26,8 @@ import org.eclipse.hawkbit.repository.exception.InsufficientPermissionException;
 import org.eclipse.hawkbit.repository.jpa.ql.EntityMatcher;
 import org.eclipse.hawkbit.repository.jpa.rsql.RsqlUtility;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.data.jpa.domain.Specification;
-import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.util.ObjectUtils;
 
@@ -41,10 +37,7 @@ public class DefaultAccessController & RsqlQueryField, T> impl
 private final Class rsqlQueryFieldType;
 private final Map> permissions = new EnumMap<>(Operation.class);
 
- @Value("${hawkbit.jpa.security.default-access-controller.strict:false}")
- private boolean strict;
 private ContextAware contextAware;
- private RoleHierarchy roleHierarchy;
 
 public DefaultAccessController(final Class rsqlQueryFieldType, final String... permissionTypes) {
 if (ObjectUtils.isEmpty(permissionTypes)) {
@@ -64,11 +57,6 @@ public class DefaultAccessController & RsqlQueryField, T> impl
 this.contextAware = contextAware;
 }
 
- @Autowired(required = false)
- void setRoleHierarchy(final RoleHierarchy roleHierarchy) {
- this.roleHierarchy = roleHierarchy;
- }
-
 @Override
 public Optional> getAccessRules(final Operation operation) {
 if (contextAware.getCurrentTenant() != null && SYSTEM_USER.equals(contextAware.getCurrentUsername())) {
@@ -104,43 +92,26 @@ public class DefaultAccessController & RsqlQueryField, T> impl // returns null if ALL entities are accessible, otherwise returns a list of scopes // throws InsufficientPermissionException if no matching authority found (should not happen - should be already checked with @PreAuthorize) - // java:S1168 - returns null with purpose to indicate no scopes, privately used with attention - // java:S1168 - better readable at one place - @SuppressWarnings({ "java:S1168", "java:S1168" }) + @SuppressWarnings("java:S1168") // java:S1168 - returns null with purpose to indicate no scopes, privately used with attention private List getScopes(final Operation operation) { final List operationPermissions = permissions.get(operation); final List scopes = SecurityContextHolder.getContext().getAuthentication().getAuthorities().stream() .map(GrantedAuthority::getAuthority) .map(Permission::from) - .flatMap(permission -> roleHierarchy == null - ? (operationPermissions.contains(permission.name()) ? 
Stream.of(permission) : Stream.empty()) - : roleHierarchy.getReachableGrantedAuthorities(List.of(new SimpleGrantedAuthority(permission.name()))) - .stream() - .map(GrantedAuthority::getAuthority) - .filter(operationPermissions::contains) - .map(reachableAuthority -> new Permission(reachableAuthority, permission.scope()))) + .filter(permission -> operationPermissions.contains(permission.name())) .map(Permission::scope) .distinct() // remove duplicates .toList(); if (scopes.isEmpty()) { - // no matching authority found for the operation - // the needed permission should have already been checked with @PreAuthorize - // could happen, for instance, in controller management, that checks ROLE_CONTROLLER and on its behalf - // calls pure repository methods as privileged - if (strict) { - throw new InsufficientPermissionException( - String.format( - "No matching authority found for operation %s" + - " (expects %s, should not happen - shall have already been checked with @PreAuthorize)", - operation, operationPermissions)); - } else { - // TODO - maybe in some future we could adapt permissions so controller roles to somehow apply what is needed - // and to do not "assume" and to throw exception always - log.debug( - "[{}] No matching authority found for operation {} (expects {}), they shall have already been checked with @PreAuthorize)", - rsqlQueryFieldType, operation, operationPermissions); - return null; - } + // no matching permission scope found for the operation + // the required for the method permissions should have already been checked with @PreAuthorize + // however it could happen that there is no entity permission, e.g.: + // * in controller management, that checks ROLE_CONTROLLER and on its behalf calls pure repository methods as privileged + // * in case the entity permission(s) are implied - e.g. 
there is READ_REPOSITORY which implies READ_DISTRIBUTION_SET + log.debug( + "[{}] No matching authority found for operation {} (expects {}), they shall have already been checked with @PreAuthorize)", + rsqlQueryFieldType, operation, operationPermissions); + return null; } else if (scopes.contains(null)) { return null; // not scoped at all } else { diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/acm/DefaultAccessControllerConfiguration.java b/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/acm/DefaultAccessControllerConfiguration.java index c47f6d03a..92f195ed4 100644 --- a/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/acm/DefaultAccessControllerConfiguration.java +++ b/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/acm/DefaultAccessControllerConfiguration.java @@ -32,12 +32,12 @@ public class DefaultAccessControllerConfiguration { @Bean @ConditionalOnProperty(name = "hawkbit.acm.access-controller.target-type.enabled", havingValue = "true", matchIfMissing = true) AccessController targetTypeAccessController() { - return new DefaultAccessController<>(TargetTypeFields.class, "TARGET", "TARGET_TYPE"); + return new DefaultAccessController<>(TargetTypeFields.class, "TARGET_TYPE"); } @Bean @ConditionalOnProperty(name = "hawkbit.acm.access-controller.distribution-set.enabled", havingValue = "true", matchIfMissing = true) AccessController distributionSetAccessController() { - return new DefaultAccessController<>(DistributionSetFields.class, "REPOSITORY", "DISTRIBUTION_SET"); + return new DefaultAccessController<>(DistributionSetFields.class, "DISTRIBUTION_SET"); } } 
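Review bot: `getScopes` still returns `null` — unrestricted access — whenever the caller's authorities contain none of this controller's permission types, and the commit removes the `strict` switch that used to turn that case into an `InsufficientPermissionException`; together with the `DefaultAccessControllerConfiguration` hunk below, which narrows the permission types to `TARGET_TYPE` and `DISTRIBUTION_SET`, a principal whose only scoped authority is the old-style `READ_REPOSITORY/id==…` (as the previous version of `DistributionSetAccessControllerTest` granted) now passes `@PreAuthorize` through the hierarchy but contributes no scope, so it presumably sees every entity rather than a subset. That is a silent widening for existing scoped users and deserves more than a debug log line, and the removed `hawkbit.jpa.security.default-access-controller.strict` property vanishes without a deprecation note, so deployments that set it lose fail-closed behavior unnoticed. The new comment reads awkwardly; `// the permissions required by the method should have already been checked with @PreAuthorize` would be clearer. The method's remaining branches continue outside the hunk.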
diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/management/JpaRolloutManagement.java b/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/management/JpaRolloutManagement.java
index 0633d929a..d4c9a8f88 100644
--- a/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/management/JpaRolloutManagement.java
+++ b/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/management/JpaRolloutManagement.java
@@ -29,6 +29,7 @@ import jakarta.validation.constraints.NotNull;
 import lombok.extern.slf4j.Slf4j;
 import org.eclipse.hawkbit.ContextAware;
 import org.eclipse.hawkbit.im.authentication.SpPermission;
+import org.eclipse.hawkbit.im.authentication.SpRole;
 import org.eclipse.hawkbit.repository.DistributionSetManagement;
 import org.eclipse.hawkbit.repository.QuotaManagement;
 import org.eclipse.hawkbit.repository.RepositoryProperties;
@@ -200,7 +201,7 @@ public class JpaRolloutManagement implements RolloutManagement {
 // scheduled rollout, the creator shall have permissions to start rollout
 if (rolloutRequest.getStartAt() != null && rolloutRequest.getStartAt() != Long.MAX_VALUE && // if scheduled rollout
 !systemSecurityContext.hasPermission(SpPermission.HANDLE_ROLLOUT) &&
- !systemSecurityContext.hasPermission(SpPermission.SpringEvalExpressions.SYSTEM_ROLE)) {
+ !systemSecurityContext.hasPermission(SpRole.SYSTEM_ROLE)) {
 throw new InsufficientPermissionException("You need permission to start rollouts to create a scheduled rollout");
 }
 if (dynamicRolloutGroupTemplate != null && !rolloutRequest.isDynamic()) {
diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/acm/DistributionSetAccessControllerTest.java b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/acm/DistributionSetAccessControllerTest.java index b92d9a6e9..2f47ce7a6 100644 --- a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/acm/DistributionSetAccessControllerTest.java +++ b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/acm/DistributionSetAccessControllerTest.java @@ -11,9 +11,10 @@ package org.eclipse.hawkbit.repository.jpa.acm; import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThatThrownBy; +import static org.eclipse.hawkbit.im.authentication.SpPermission.READ_DISTRIBUTION_SET; import static org.eclipse.hawkbit.im.authentication.SpPermission.READ_REPOSITORY; import static org.eclipse.hawkbit.im.authentication.SpPermission.READ_TARGET; -import static org.eclipse.hawkbit.im.authentication.SpPermission.UPDATE_REPOSITORY; +import static org.eclipse.hawkbit.im.authentication.SpPermission.UPDATE_DISTRIBUTION_SET; import static org.eclipse.hawkbit.im.authentication.SpPermission.UPDATE_TARGET; import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.runAs; import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.withUser; @@ -38,6 +39,9 @@ import org.springframework.data.domain.Pageable; import org.springframework.test.context.ContextConfiguration; /** + * Note: Still all test gets READ_REPOSITORY since find methods are inherited with request for READ_REPOSITORY. However, + * using READ_DISTRIBUTION_SET scoping - the scopes still work. + *

* Feature: Component Tests - Access Control
* Story: Test Distribution Set Access Controller */ @@ -56,7 +60,8 @@ class DistributionSetAccessControllerTest extends AbstractJpaIntegrationTest { final Action hiddenAction = testdataFactory.performAssignment(hidden); runAs(withUser("user", - READ_REPOSITORY + "/id==" + permitted.getId(), + READ_REPOSITORY, + READ_DISTRIBUTION_SET + "/id==" + permitted.getId(), READ_TARGET +"/controllerId==" + permittedAction.getTarget().getControllerId()), () -> { final Long permittedActionId = permitted.getId(); @@ -125,8 +130,9 @@ class DistributionSetAccessControllerTest extends AbstractJpaIntegrationTest { final SoftwareModule swModule = testdataFactory.createSoftwareModuleOs(); runAs(withUser("user", - READ_REPOSITORY + "/id==" + permitted.getId() + " or id==" + readOnly.getId(), - UPDATE_REPOSITORY + "/id==" + permitted.getId()), () -> { + READ_REPOSITORY, + READ_DISTRIBUTION_SET + "/id==" + permitted.getId() + " or id==" + readOnly.getId(), + UPDATE_DISTRIBUTION_SET + "/id==" + permitted.getId()), () -> { // verify distributionSetManagement#assignSoftwareModules final List singleModuleIdList = Collections.singletonList(swModule.getId()); assertThat(distributionSetManagement.assignSoftwareModules(permitted.getId(), singleModuleIdList)) @@ -185,8 +191,9 @@ class DistributionSetAccessControllerTest extends AbstractJpaIntegrationTest { distributionSetManagement.assignTag(Arrays.asList(permitted.getId(), readOnly.getId(), hidden.getId()), dsTagId); runAs(withUser("user", - READ_REPOSITORY + "/id==" + permitted.getId() + " or id==" + readOnly.getId(), - UPDATE_REPOSITORY + "/id==" + permitted.getId()), () -> { + READ_REPOSITORY, + READ_DISTRIBUTION_SET + "/id==" + permitted.getId() + " or id==" + readOnly.getId(), + UPDATE_DISTRIBUTION_SET + "/id==" + permitted.getId()), () -> { assertThat(distributionSetManagement.findByTag(dsTagId, Pageable.unpaged()).get().map(Identifiable::getId) .toList()).containsOnly(permitted.getId(), readOnly.getId()); 
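Review bot: Every updated `runAs` call now grants unscoped `READ_REPOSITORY` alongside the scoped `READ_DISTRIBUTION_SET`, but no test covers a principal that holds only the old scoped `READ_REPOSITORY + "/id==…"` authority, which is exactly the case whose behavior this commit changes; a test asserting what such a user sees after the change would pin the new semantics instead of leaving them implicit. The class Javadoc added in the `@@ -38` hunk is hard to parse; `* Note: every test still grants READ_REPOSITORY because the find methods inherit a READ_REPOSITORY requirement; scoping is nevertheless applied through READ_DISTRIBUTION_SET.` says the same more clearly. The enclosing test methods start and end outside these hunks.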
@@ -252,8 +259,9 @@ class DistributionSetAccessControllerTest extends AbstractJpaIntegrationTest {
 .create(entityFactory.targetFilterQuery().create().name("test").query("id==*"));
 
 runAs(withUser("user",
- READ_REPOSITORY + "/id==" + permitted.getId() + " or id==" + readOnly.getId(),
- UPDATE_REPOSITORY + "/id==" + permitted.getId(),
+ READ_REPOSITORY,
+ READ_DISTRIBUTION_SET + "/id==" + permitted.getId() + " or id==" + readOnly.getId(),
+ UPDATE_DISTRIBUTION_SET + "/id==" + permitted.getId(),
 // read / update target needed to update target filter query
 READ_TARGET, UPDATE_TARGET), () -> {
 assertThat(targetFilterQueryManagement
diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/acm/TargetTypeAccessControllerTest.java b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/acm/TargetTypeAccessControllerTest.java
index deafc71f0..78b94232c 100644
--- a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/acm/TargetTypeAccessControllerTest.java
+++ b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/acm/TargetTypeAccessControllerTest.java
@@ -11,15 +11,13 @@ package org.eclipse.hawkbit.repository.jpa.acm;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
-import static org.eclipse.hawkbit.im.authentication.SpPermission.DELETE_TARGET;
-import static org.eclipse.hawkbit.im.authentication.SpPermission.READ_TARGET;
-import static org.eclipse.hawkbit.im.authentication.SpPermission.UPDATE_TARGET;
+import static org.eclipse.hawkbit.im.authentication.SpPermission.DELETE_TARGET_TYPE;
+import static org.eclipse.hawkbit.im.authentication.SpPermission.READ_TARGET_TYPE;
+import static org.eclipse.hawkbit.im.authentication.SpPermission.UPDATE_TARGET_TYPE;
 import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.runAs;
 import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.withUser;
 
 import java.util.Arrays;
-import java.util.List;
-import java.util.stream.Stream;
 
 import org.eclipse.hawkbit.repository.Identifiable;
 import org.eclipse.hawkbit.repository.builder.TargetTypeCreate;
@@ -27,8 +25,6 @@ import org.eclipse.hawkbit.repository.builder.TargetTypeUpdate;
 import org.eclipse.hawkbit.repository.exception.EntityNotFoundException;
 import org.eclipse.hawkbit.repository.exception.InsufficientPermissionException;
 import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
-import org.eclipse.hawkbit.repository.jpa.model.JpaTargetType;
-import org.eclipse.hawkbit.repository.jpa.specifications.TargetTypeSpecification;
 import org.eclipse.hawkbit.repository.model.TargetType;
 import org.junit.jupiter.api.Test;
 import org.springframework.data.domain.Pageable;
@@ -49,7 +45,7 @@ class TargetTypeAccessControllerTest extends AbstractJpaIntegrationTest {
 final TargetType permittedTargetType = targetTypeManagement.create(entityFactory.targetType().create().name("type1"));
 final TargetType hiddenTargetType = targetTypeManagement.create(entityFactory.targetType().create().name("type2"));
 
- runAs(withUser("user", READ_TARGET + "/id==" + permittedTargetType.getId()), () -> {
+ runAs(withUser("user", READ_TARGET_TYPE + "/id==" + permittedTargetType.getId()), () -> {
 // verify targetTypeManagement#findAll
 assertThat(targetTypeManagement.findAll(Pageable.unpaged()).get().map(Identifiable::getId).toList())
 .containsOnly(permittedTargetType.getId());
@@ -111,8 +107,8 @@ class TargetTypeAccessControllerTest extends AbstractJpaIntegrationTest {
 final TargetType readOnlyTargetType = targetTypeManagement.create(entityFactory.targetType().create().name("type2"));
 
 runAs(withUser("user",
- READ_TARGET + "/id==" + manageableTargetType.getId() + " or id==" + readOnlyTargetType.getId(),
- DELETE_TARGET + "/id==" + manageableTargetType.getId()), () -> {
+ READ_TARGET_TYPE + "/id==" + manageableTargetType.getId() + " or id==" + readOnlyTargetType.getId(),
+ DELETE_TARGET_TYPE + "/id==" + manageableTargetType.getId()), () -> {
 // delete the manageableTargetType
 targetTypeManagement.delete(manageableTargetType.getId());
 
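Review bot: The @@ -49 hunk swaps `READ_TARGET` for `READ_TARGET_TYPE` in the scoped grant, so the test now only shows that the new permission confines target-type visibility; nothing here checks that the permission the split was meant to separate no longer grants it. If the intent is that target permissions no longer cover target types (the hunk suggests this but cannot confirm it), a negative counterpart would lock that in: a second `runAs(withUser("user", READ_TARGET + "/id==" + permittedTargetType.getId()), ...)` block asserting that `targetTypeManagement.findAll(Pageable.unpaged())` returns nothing or is refused, whichever the access controller does. That would need the `READ_TARGET` static import the @@ -11 hunk removed. The enclosing test method begins before the hunk, and the @@ -111 hunk's method continues past it.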
@@ -132,8 +128,8 @@ class TargetTypeAccessControllerTest extends AbstractJpaIntegrationTest {
 final TargetType readOnlyTargetType = targetTypeManagement.create(entityFactory.targetType().create().name("type2"));
 
 runAs(withUser("user",
- READ_TARGET + "/id==" + manageableTargetType.getId() + " or id==" + readOnlyTargetType.getId(),
- UPDATE_TARGET + "/id==" + manageableTargetType.getId()), () -> {
+ READ_TARGET_TYPE + "/id==" + manageableTargetType.getId() + " or id==" + readOnlyTargetType.getId(),
+ UPDATE_TARGET_TYPE + "/id==" + manageableTargetType.getId()), () -> {
 // update the manageableTargetType
 targetTypeManagement.update(entityFactory.targetType().update(manageableTargetType.getId())
 .name(manageableTargetType.getName() + "/new").description("newDesc"));
@@ -151,7 +147,7 @@ class TargetTypeAccessControllerTest extends AbstractJpaIntegrationTest {
 */
 @Test
 void verifyTargetTypeCreationBlockedByAccessController() {
- runAs(withUser("user", READ_TARGET, UPDATE_TARGET), () -> {
+ runAs(withUser("user", READ_TARGET_TYPE, UPDATE_TARGET_TYPE), () -> {
 // verify targetTypeManagement#create for any type
 final TargetTypeCreate targetTypeCreate = entityFactory.targetType().create().name("type1");
 assertThatThrownBy(() -> targetTypeManagement.create(targetTypeCreate))
diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ArtifactManagementSecurityTest.java b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ArtifactManagementSecurityTest.java
index c065d9ab2..5d5af16da 100644
--- a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ArtifactManagementSecurityTest.java
+++ b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ArtifactManagementSecurityTest.java
@@ -13,6 +13,7 @@ import java.io.ByteArrayInputStream;
 import java.util.List;
 
 import org.eclipse.hawkbit.im.authentication.SpPermission;
+import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
 import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
 import org.eclipse.hawkbit.repository.model.ArtifactUpload;
 import org.eclipse.hawkbit.repository.test.util.WithUser;
@@ -59,7 +60,7 @@ class ArtifactManagementSecurityTest extends AbstractJpaIntegrationTest {
 @Test
 void getPermissionCheck() {
 assertPermissions(() -> artifactManagement.get(1L), List.of(SpPermission.READ_REPOSITORY));
- assertPermissions(() -> artifactManagement.get(1L), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
+ assertPermissions(() -> artifactManagement.get(1L), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
 }
 
 /**
@@ -70,7 +71,7 @@ class ArtifactManagementSecurityTest extends AbstractJpaIntegrationTest {
 assertPermissions(() -> artifactManagement.getByFilenameAndSoftwareModule("filename", 1L),
 List.of(SpPermission.READ_REPOSITORY), List.of(SpPermission.CREATE_REPOSITORY));
 assertPermissions(() -> artifactManagement.getByFilenameAndSoftwareModule("filename", 1L),
- List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
+ List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
 }
 
 /**
@@ -79,7 +80,7 @@ class ArtifactManagementSecurityTest extends AbstractJpaIntegrationTest {
 @Test
 void findFirstBySHA1PermissionCheck() {
 assertPermissions(() -> artifactManagement.findFirstBySHA1("sha1"), List.of(SpPermission.READ_REPOSITORY));
- assertPermissions(() -> artifactManagement.findFirstBySHA1("sha1"), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
+ assertPermissions(() -> artifactManagement.findFirstBySHA1("sha1"), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
 }
 
 /**
@@ -88,7 +89,7 @@ class ArtifactManagementSecurityTest extends AbstractJpaIntegrationTest {
 @Test
 void getByFilenamePermissionCheck() {
 assertPermissions(() -> artifactManagement.getByFilename("filename"), List.of(SpPermission.READ_REPOSITORY));
- assertPermissions(() -> artifactManagement.getByFilename("filename"), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
+ assertPermissions(() -> artifactManagement.getByFilename("filename"), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
 }
 
 /**
@@ -113,7 +114,7 @@ class ArtifactManagementSecurityTest extends AbstractJpaIntegrationTest {
 @Test
 void loadArtifactBinaryPermissionCheck() {
 assertPermissions(() -> artifactManagement.loadArtifactBinary("sha1", 1L, false), List.of(SpPermission.DOWNLOAD_REPOSITORY_ARTIFACT), List.of(SpPermission.CREATE_REPOSITORY));
- assertPermissions(() -> artifactManagement.loadArtifactBinary("sha1", 1L, false), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
+ assertPermissions(() -> artifactManagement.loadArtifactBinary("sha1", 1L, false), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
 }
 
 }
\ No newline at end of file
diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ConfirmationManagementSecurityTest.java b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ConfirmationManagementSecurityTest.java
index 994e88b60..21aa966a0 100644
--- a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ConfirmationManagementSecurityTest.java
+++ b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ConfirmationManagementSecurityTest.java
@@ -12,6 +12,7 @@ package org.eclipse.hawkbit.repository.jpa.management;
 import java.util.List;
 
 import org.eclipse.hawkbit.im.authentication.SpPermission;
+import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
 import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
 import org.junit.jupiter.api.Test;
 
@@ -45,7 +46,7 @@ class ConfirmationManagementSecurityTest extends AbstractJpaIntegrationTest {
 void getStatusPermissionsCheck() {
 assertPermissions(() -> confirmationManagement.getStatus("controllerId"),
 List.of(SpPermission.READ_TARGET), List.of(SpPermission.CREATE_TARGET));
- assertPermissions(() -> confirmationManagement.getStatus("controllerId"), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_TARGET));
+ assertPermissions(() -> confirmationManagement.getStatus("controllerId"), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_TARGET));
 }
 
 /**
diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ControllerManagementSecurityTest.java b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ControllerManagementSecurityTest.java
index 3a559dcc2..7a2d06920 100644
--- a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ControllerManagementSecurityTest.java
+++ b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ControllerManagementSecurityTest.java
@@ -13,7 +13,8 @@ import java.net.URI;
 import java.util.List;
 import java.util.Map;
 
-import org.eclipse.hawkbit.im.authentication.SpPermission;
+import org.eclipse.hawkbit.im.authentication.SpRole;
+import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
 import org.eclipse.hawkbit.repository.exception.CancelActionNotAllowedException;
 import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
 import org.eclipse.hawkbit.repository.jpa.model.JpaAction;
@@ -33,7 +34,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 @Test
 void addCancelActionStatusPermissionsCheck() {
 assertPermissions(() -> controllerManagement.addCancelActionStatus(entityFactory.actionStatus().create(0L)),
- List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -41,7 +42,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 */
 @Test
 void getSoftwareModulePermissionsCheck() {
- assertPermissions(() -> controllerManagement.getSoftwareModule(1L), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ assertPermissions(() -> controllerManagement.getSoftwareModule(1L), List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -50,7 +51,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 @Test
 void findTargetVisibleMetaDataBySoftwareModuleIdPermissionsCheck() {
 assertPermissions(() -> controllerManagement.findTargetVisibleMetaDataBySoftwareModuleId(List.of(1L)),
- List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -59,7 +60,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 @Test
 void addInformationalActionStatusPermissionsCheck() {
 assertPermissions(() -> controllerManagement.addInformationalActionStatus(entityFactory.actionStatus().create(0L)),
- List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -68,7 +69,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 @Test
 void addUpdateActionStatusPermissionsCheck() {
 assertPermissions(() -> controllerManagement.addUpdateActionStatus(entityFactory.actionStatus().create(0L)),
- List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -77,7 +78,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 @Test
 void findActiveActionWithHighestWeightPermissionsCheck() {
 assertPermissions(() -> controllerManagement.findActiveActionWithHighestWeight("controllerId"),
- List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -86,7 +87,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 @Test
 void findActiveActionsWithHighestWeightPermissionsCheck() {
 assertPermissions(() -> controllerManagement.findActiveActionsWithHighestWeight("controllerId", 1),
- List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -94,7 +95,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 */
 @Test
 void findActionWithDetailsPermissionsCheck() {
- assertPermissions(() -> controllerManagement.findActionWithDetails(1L), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ assertPermissions(() -> controllerManagement.findActionWithDetails(1L), List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -103,7 +104,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 @Test
 void findActionStatusByActionPermissionsCheck() {
 assertPermissions(() -> controllerManagement.findActionStatusByAction(1L, Pageable.unpaged()),
- List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -112,7 +113,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 @Test
 void findOrRegisterTargetIfItDoesNotExistPermissionsCheck() {
 assertPermissions(() -> controllerManagement.findOrRegisterTargetIfItDoesNotExist("controllerId", URI.create("someaddress")),
- List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -122,7 +123,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 void findOrRegisterTargetIfItDoesNotExistWithDetailsPermissionsCheck() {
 assertPermissions(
 () -> controllerManagement.findOrRegisterTargetIfItDoesNotExist("controllerId", URI.create("someaddress"), "name", "type"),
- List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -131,7 +132,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 @Test
 void getActionForDownloadByTargetAndSoftwareModulePermissionsCheck() {
 assertPermissions(() -> controllerManagement.getActionForDownloadByTargetAndSoftwareModule("controllerId", 1L),
- List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -139,7 +140,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 */
 @Test
 void getPollingTimePermissionsCheck() {
- assertPermissions(() -> controllerManagement.getPollingTime(null), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ assertPermissions(() -> controllerManagement.getPollingTime(null), List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -156,7 +157,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 // expected since action is not found
 }
 return null;
- }, List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ }, List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -165,7 +166,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 @Test
 void hasTargetArtifactAssignedPermissionsCheck() {
 assertPermissions(() -> controllerManagement.hasTargetArtifactAssigned("controllerId", "sha1Hash"),
- List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -174,7 +175,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 @Test
 void hasTargetArtifactAssignedByIdPermissionsCheck() {
 assertPermissions(() -> controllerManagement.hasTargetArtifactAssigned(1L, "sha1Hash"),
- List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -183,7 +184,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 @Test
 void updateControllerAttributesPermissionsCheck() {
 assertPermissions(() -> controllerManagement.updateControllerAttributes("controllerId", Map.of(), null),
- List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -192,9 +193,9 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 @Test
 void getByControllerIdPermissionsCheck() {
 assertPermissions(() -> controllerManagement.getByControllerId("controllerId"),
- List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 assertPermissions(() -> controllerManagement.getByControllerId("controllerId"),
- List.of(SpPermission.SpringEvalExpressions.SYSTEM_ROLE));
+ List.of(SpRole.SYSTEM_ROLE));
 }
 
 /**
@@ -202,8 +203,8 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 */
 @Test
 void getPermissionsCheck() {
- assertPermissions(() -> controllerManagement.get(1L), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
- assertPermissions(() -> controllerManagement.get(1L), List.of(SpPermission.SpringEvalExpressions.SYSTEM_ROLE));
+ assertPermissions(() -> controllerManagement.get(1L), List.of(SpringEvalExpressions.CONTROLLER_ROLE));
+ assertPermissions(() -> controllerManagement.get(1L), List.of(SpRole.SYSTEM_ROLE));
 }
 
 /**
@@ -212,7 +213,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 @Test
 void getActionHistoryMessagesPermissionsCheck() {
 assertPermissions(() -> controllerManagement.getActionHistoryMessages(1L, 1),
- List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -229,7 +230,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 // expected since action is not found
 }
 return null;
- }, List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ }, List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -240,7 +241,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 assertPermissions(() -> {
 controllerManagement.updateActionExternalRef(1L, "externalRef");
 return null;
- }, List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ }, List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -249,7 +250,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 @Test
 void getActionByExternalRefPermissionsCheck() {
 assertPermissions(() -> controllerManagement.getActionByExternalRef("externalRef"),
- List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -260,7 +261,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 assertPermissions(() -> {
 controllerManagement.deleteExistingTarget("controllerId");
 return null;
- }, List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ }, List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -271,7 +272,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 final Target target = testdataFactory.createTarget();
 assertPermissions(
 () -> controllerManagement.getInstalledActionByTarget(target),
- List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -281,7 +282,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 void activateAutoConfirmationPermissionsCheck() {
 assertPermissions(
 () -> controllerManagement.activateAutoConfirmation("controllerId", "initiator", "remark"),
- List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -292,7 +293,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 assertPermissions(() -> {
 controllerManagement.deactivateAutoConfirmation("controllerId");
 return null;
- }, List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ }, List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 /**
@@ -301,7 +302,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
 @Test
 void updateOfflineAssignedVersionPermissionsCheck() {
 assertPermissions(() -> controllerManagement.updateOfflineAssignedVersion("controllerId", "distributionName", "version"),
- List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+ List.of(SpringEvalExpressions.CONTROLLER_ROLE));
 }
 
 }
\ No newline at end of file
diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ControllerManagementTest.java b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ControllerManagementTest.java
index 0388e6b86..097b0f92d 100644
--- a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ControllerManagementTest.java
+++ b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ControllerManagementTest.java
@@ -12,8 +12,8 @@ package org.eclipse.hawkbit.repository.jpa.management;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.assertj.core.api.Assertions.assertThatNoException;
-import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.CONTROLLER_ROLE;
-import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS;
+import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.CONTROLLER_ROLE;
+import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS;
 import static org.eclipse.hawkbit.repository.jpa.configuration.Constants.TX_RT_MAX;
 import static org.eclipse.hawkbit.repository.model.Action.ActionType.DOWNLOAD_ONLY;
 import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.runAs;
diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/DeploymentManagementSecurityTest.java b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/DeploymentManagementSecurityTest.java
index 8420dd93b..219cd6df9 100644
--- a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/DeploymentManagementSecurityTest.java
+++ b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/DeploymentManagementSecurityTest.java
@@ -13,6 +13,7 @@ import java.util.List;
 import java.util.Set;
 
 import org.eclipse.hawkbit.im.authentication.SpPermission;
+import org.eclipse.hawkbit.im.authentication.SpRole;
 import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
 import org.eclipse.hawkbit.repository.model.Action;
 import org.eclipse.hawkbit.repository.model.DeploymentRequest;
@@ -273,7 +274,7 @@ class DeploymentManagementSecurityTest extends AbstractJpaIntegrationTest {
 @Test
 void deleteActionsByStatusAndLastModifiedBeforePermissionsCheck() {
 assertPermissions(() -> deploymentManagement.deleteActionsByStatusAndLastModifiedBefore(Set.of(Action.Status.CANCELED), 1L),
- List.of(SpPermission.SpringEvalExpressions.SYSTEM_ROLE));
+ List.of(SpRole.SYSTEM_ROLE));
 }
 
 /**
diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/RolloutManagementTest.java b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/RolloutManagementTest.java
index 92c9755e8..19aebba9e 100644
--- a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/RolloutManagementTest.java
+++ b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/RolloutManagementTest.java
@@ -32,6 +32,7 @@ import org.assertj.core.api.Assertions;
 import org.assertj.core.api.Condition;
 import org.awaitility.Awaitility;
 import org.eclipse.hawkbit.im.authentication.SpPermission;
+import org.eclipse.hawkbit.im.authentication.SpRole;
 import org.eclipse.hawkbit.repository.Identifiable;
 import org.eclipse.hawkbit.repository.OffsetBasedPageRequest;
 import org.eclipse.hawkbit.repository.builder.RolloutCreate;
@@ -1436,7 +1437,7 @@ class RolloutManagementTest extends AbstractJpaIntegrationTest {
 SpPermission.READ_REPOSITORY, SpPermission.READ_TARGET, SpPermission.CREATE_ROLLOUT, SpPermission.HANDLE_ROLLOUT);
 final WithUser userWithSystemRole = SecurityContextSwitch.withUser(
 "user_with_system_role",
- SpPermission.SpringEvalExpressions.SYSTEM_ROLE);
+ SpRole.SYSTEM_ROLE);
 final String filter = "controllerId==" + rolloutName + "-*";
 
 // create scheduled rollout fails without handle rollout permission
diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/SystemManagementSecurityTest.java b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/SystemManagementSecurityTest.java
index 86e3415c0..c1d2ab8e2 100644
--- a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/SystemManagementSecurityTest.java
+++ b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/SystemManagementSecurityTest.java
@@ -13,6 +13,8 @@ import java.util.List;
 
 import lombok.extern.slf4j.Slf4j;
 import org.eclipse.hawkbit.im.authentication.SpPermission;
+import org.eclipse.hawkbit.im.authentication.SpRole;
+import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
 import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
 import org.junit.jupiter.api.Test;
 
@@ -50,7 +52,7 @@ class SystemManagementSecurityTest extends AbstractJpaIntegrationTest {
 assertPermissions(() -> {
 systemManagement.forEachTenant(log::info);
 return null;
- }, List.of(SpPermission.SpringEvalExpressions.SYSTEM_ROLE));
+ }, List.of(SpRole.SYSTEM_ROLE));
 }
 
 /**
@@ -77,7 +79,7 @@ class SystemManagementSecurityTest extends AbstractJpaIntegrationTest {
 assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpPermission.READ_REPOSITORY), List.of(SpPermission.CREATE_REPOSITORY));
 assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpPermission.READ_TARGET), List.of(SpPermission.CREATE_REPOSITORY));
 assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpPermission.READ_TENANT_CONFIGURATION), List.of(SpPermission.CREATE_REPOSITORY));
- assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
+ assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
 }
 
 /**
@@ -88,7 +90,7 @@ class SystemManagementSecurityTest extends AbstractJpaIntegrationTest {
 assertPermissions(() -> systemManagement.getTenantMetadataWithoutDetails(), List.of(SpPermission.READ_REPOSITORY), List.of(SpPermission.CREATE_REPOSITORY));
 assertPermissions(() -> systemManagement.getTenantMetadataWithoutDetails(), List.of(SpPermission.READ_TARGET), List.of(SpPermission.CREATE_REPOSITORY));
 assertPermissions(() -> systemManagement.getTenantMetadataWithoutDetails(), List.of(SpPermission.READ_TENANT_CONFIGURATION), List.of(SpPermission.CREATE_REPOSITORY));
- assertPermissions(() -> systemManagement.getTenantMetadataWithoutDetails(), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
+ assertPermissions(() -> systemManagement.getTenantMetadataWithoutDetails(), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
 }
 
 /**
@@ -96,7 +98,7 @@ class SystemManagementSecurityTest extends AbstractJpaIntegrationTest {
 */
 @Test
 void getTenantMetadataByTenantPermissionsCheck() {
- assertPermissions(() -> systemManagement.getTenantMetadata(1L), List.of(SpPermission.SpringEvalExpressions.SYSTEM_ROLE));
+ assertPermissions(() -> systemManagement.getTenantMetadata(1L), List.of(SpRole.SYSTEM_ROLE));
 }
 
 /**
@@ -104,7 +106,7 @@ class SystemManagementSecurityTest extends AbstractJpaIntegrationTest {
 */
 @Test
 void createTenantMetadataPermissionsCheck() {
- assertPermissions(() -> systemManagement.createTenantMetadata("tenant"), List.of(SpPermission.SpringEvalExpressions.SYSTEM_ROLE));
+ assertPermissions(() -> systemManagement.createTenantMetadata("tenant"), List.of(SpRole.SYSTEM_ROLE));
 }
 
 /**
diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/SystemManagementTest.java b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/SystemManagementTest.java
index 1aa17fbf2..340229c3e 100644
--- a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/SystemManagementTest.java
+++ b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/SystemManagementTest.java
@@ -15,7 +15,7 @@ import java.io.ByteArrayInputStream;
 import java.util.List;
 import java.util.Random;
 
-import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
+import org.eclipse.hawkbit.im.authentication.SpRole;
 import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
 import org.eclipse.hawkbit.repository.model.ArtifactUpload;
 import org.eclipse.hawkbit.repository.model.DistributionSet;
@@ -137,27 +137,27 @@ class SystemManagementTest extends AbstractJpaIntegrationTest { for (int i = 0; i < tenants; i++) { final String tenantname = "TENANT" + i; - SecurityContextSwitch.getAs(SecurityContextSwitch.withUserAndTenant("bumlux", tenantname, true, true, false, - SpringEvalExpressions.SYSTEM_ROLE), () -> { - systemManagement.getTenantMetadataWithoutDetails(); - if (artifactSize > 0) { - createTestArtifact(random); - createDeletedTestArtifact(random); - } - if (targets > 0) { - final List createdTargets = createTestTargets(targets); - if (updates > 0) { - for (int x = 0; x < updates; x++) { - final DistributionSet ds = testdataFactory - .createDistributionSet("to be deployed" + x, true); - - assignDistributionSet(ds, createdTargets); + SecurityContextSwitch.getAs(SecurityContextSwitch.withUserAndTenant("bumlux", tenantname, true, true, false, SpRole.SYSTEM_ROLE), + () -> { + systemManagement.getTenantMetadataWithoutDetails(); + if (artifactSize > 0) { + createTestArtifact(random); + createDeletedTestArtifact(random); } - } - } + if (targets > 0) { + final List createdTargets = createTestTargets(targets); + if (updates > 0) { + for (int x = 0; x < updates; x++) { + final DistributionSet ds = testdataFactory + .createDistributionSet("to be deployed" + x, true); - return null; - }); + assignDistributionSet(ds, createdTargets); + } + } + } + + return null; + }); } return random; diff --git a/hawkbit-repository/hawkbit-repository-test/src/main/java/org/eclipse/hawkbit/repository/test/TestConfiguration.java b/hawkbit-repository/hawkbit-repository-test/src/main/java/org/eclipse/hawkbit/repository/test/TestConfiguration.java index cd553b0c9..0a17a1be5 100644 --- a/hawkbit-repository/hawkbit-repository-test/src/main/java/org/eclipse/hawkbit/repository/test/TestConfiguration.java +++ b/hawkbit-repository/hawkbit-repository-test/src/main/java/org/eclipse/hawkbit/repository/test/TestConfiguration.java 
@@ -17,6 +17,7 @@ import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.atomic.AtomicLong;
 
 import org.eclipse.hawkbit.ContextAware;
+import org.eclipse.hawkbit.im.authentication.Hierarchy;
 import org.eclipse.hawkbit.repository.artifact.ArtifactFilesystemProperties;
 import org.eclipse.hawkbit.repository.artifact.ArtifactFilesystemRepository;
 import org.eclipse.hawkbit.repository.artifact.ArtifactRepository;
@@ -24,7 +25,6 @@ import org.eclipse.hawkbit.repository.artifact.urlhandler.ArtifactUrlHandlerProp
 import org.eclipse.hawkbit.repository.artifact.urlhandler.PropertyBasedArtifactUrlHandler;
 import org.eclipse.hawkbit.cache.TenantAwareCacheManager;
 import org.eclipse.hawkbit.event.BusProtoStuffMessageConverter;
-import org.eclipse.hawkbit.im.authentication.SpRole;
 import org.eclipse.hawkbit.repository.ArtifactManagement;
 import org.eclipse.hawkbit.repository.ControllerManagement;
 import org.eclipse.hawkbit.repository.DeploymentManagement;
@@ -140,7 +140,7 @@ public class TestConfiguration implements AsyncConfigurer {
 
 @Bean
 SystemSecurityContext systemSecurityContext(final TenantAware tenantAware) {
- return new SystemSecurityContext(tenantAware, RoleHierarchyImpl.fromHierarchy(SpRole.DEFAULT_ROLE_HIERARCHY));
+ return new SystemSecurityContext(tenantAware, RoleHierarchyImpl.fromHierarchy(Hierarchy.DEFAULT));
 }
 
 @Bean
diff --git a/hawkbit-repository/hawkbit-repository-test/src/main/java/org/eclipse/hawkbit/repository/test/util/AbstractIntegrationTest.java b/hawkbit-repository/hawkbit-repository-test/src/main/java/org/eclipse/hawkbit/repository/test/util/AbstractIntegrationTest.java
index 0848b7212..7a43417c1 100644
--- a/hawkbit-repository/hawkbit-repository-test/src/main/java/org/eclipse/hawkbit/repository/test/util/AbstractIntegrationTest.java
+++ b/hawkbit-repository/hawkbit-repository-test/src/main/java/org/eclipse/hawkbit/repository/test/util/AbstractIntegrationTest.java
@@ -11,8 +11,8 @@ package org.eclipse.hawkbit.repository.test.util;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.eclipse.hawkbit.im.authentication.SpPermission.READ_TENANT_CONFIGURATION;
-import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.CONTROLLER_ROLE;
-import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.SYSTEM_ROLE;
+import static org.eclipse.hawkbit.im.authentication.SpRole.SYSTEM_ROLE;
+import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.CONTROLLER_ROLE;
 
 import java.io.File;
 import java.io.IOException;
@@ -29,8 +29,6 @@ import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.io.FileUtils;
 import org.awaitility.Awaitility;
 import org.awaitility.core.ConditionFactory;
-import org.eclipse.hawkbit.repository.artifact.ArtifactRepository;
-import org.eclipse.hawkbit.repository.artifact.exception.ArtifactStoreException;
 import org.eclipse.hawkbit.repository.ArtifactManagement;
 import org.eclipse.hawkbit.repository.ConfirmationManagement;
 import org.eclipse.hawkbit.repository.ControllerManagement;
@@ -53,6 +51,8 @@ import org.eclipse.hawkbit.repository.TargetManagement;
 import org.eclipse.hawkbit.repository.TargetTagManagement;
 import org.eclipse.hawkbit.repository.TargetTypeManagement;
 import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
+import org.eclipse.hawkbit.repository.artifact.ArtifactRepository;
+import org.eclipse.hawkbit.repository.artifact.exception.ArtifactStoreException;
 import org.eclipse.hawkbit.repository.exception.EntityNotFoundException;
 import org.eclipse.hawkbit.repository.model.Action;
 import org.eclipse.hawkbit.repository.model.Action.ActionType;
diff --git a/hawkbit-repository/hawkbit-repository-test/src/main/java/org/eclipse/hawkbit/repository/test/util/TestdataFactory.java b/hawkbit-repository/hawkbit-repository-test/src/main/java/org/eclipse/hawkbit/repository/test/util/TestdataFactory.java
index 804e3efd5..2492b9e32 100644
--- a/hawkbit-repository/hawkbit-repository-test/src/main/java/org/eclipse/hawkbit/repository/test/util/TestdataFactory.java
+++ b/hawkbit-repository/hawkbit-repository-test/src/main/java/org/eclipse/hawkbit/repository/test/util/TestdataFactory.java
@@ -10,7 +10,7 @@ package org.eclipse.hawkbit.repository.test.util;
 
 import static org.assertj.core.api.Assertions.assertThat;
-import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.SYSTEM_ROLE;
+import static org.eclipse.hawkbit.im.authentication.SpRole.SYSTEM_ROLE;
 import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.runAs;
 import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.withUserAndTenant;
diff --git a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/Hierarchy.java b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/Hierarchy.java
new file mode 100644
index 000000000..64f12d87f
--- /dev/null
+++ b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/Hierarchy.java
@@ -0,0 +1,19 @@
+/**
+ * Copyright (c) 2025 Contributors to the Eclipse Foundation
+ *
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.eclipse.hawkbit.im.authentication;
+
+public class Hierarchy {
+
+ public static final String DEFAULT =
+ SpPermission.TARGET_HIERARCHY +
+ SpPermission.REPOSITORY_HIERARCHY +
+ SpPermission.TENANT_CONFIGURATION_HIERARCHY +
+ SpRole.DEFAULT_ROLE_HIERARCHY;
+}
\ No newline at end of file
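Review bot: `Hierarchy` is a constants-only holder but is declared as a plain `public class` with an implicit public constructor and no Javadoc, whereas its siblings in this package (`SpRole`, and the `SpringEvalExpressions` class added by this same commit) are `final` with `@NoArgsConstructor(access = AccessLevel.PRIVATE)`. Declare it `public final class Hierarchy` and add the same private-constructor annotation so it can be neither instantiated nor subclassed. A class Javadoc would also help, since `DEFAULT` is the string callers feed to `RoleHierarchyImpl.fromHierarchy` (as `TestConfiguration` now does): `/** Complete authority hierarchy (permission-to-permission and role-to-permission implications) for {@code RoleHierarchyImpl.fromHierarchy}; {@link SpRole#DEFAULT_ROLE_HIERARCHY} alone covers only the role part. */`.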
diff --git a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpPermission.java b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpPermission.java
index 68a4d3806..0d9730128 100644
--- a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpPermission.java
+++ b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpPermission.java
@@ -35,11 +35,22 @@ import org.springframework.security.core.GrantedAuthority;
 @Slf4j
 public final class SpPermission {
 
+ /**
+ * Permission to add new targets including their meta information.
+ */
+ public static final String CREATE_TARGET = "CREATE_TARGET";
 /**
 * Permission to read the targets (list and filter).
 */
 public static final String READ_TARGET = "READ_TARGET";
-
+ /**
+ * Permission to change/edit/update targets and to assign updates.
+ */
+ public static final String UPDATE_TARGET = "UPDATE_TARGET";
+ /**
+ * Permission to delete targets.
+ */
+ public static final String DELETE_TARGET = "DELETE_TARGET";
 /**
 * Permission to read the target security token. The security token is security
 * concerned and should be protected. So the combination
@@ -48,36 +59,28 @@ public final class SpPermission {
 */
 public static final String READ_TARGET_SEC_TOKEN = "READ_TARGET_SECURITY_TOKEN";
 
- /**
- * Permission to change/edit/update targets and to assign updates.
- */
- public static final String UPDATE_TARGET = "UPDATE_TARGET";
+ public static final String CREATE_TARGET_TYPE = "CREATE_TARGET_TYPE";
+ public static final String READ_TARGET_TYPE = "READ_TARGET_TYPE";
+ public static final String UPDATE_TARGET_TYPE = "UPDATE_TARGET_TYPE";
+ public static final String DELETE_TARGET_TYPE = "DELETE_TARGET_TYPE";
 
- /**
- * Permission to add new targets including their meta information.
- */
- public static final String CREATE_TARGET = "CREATE_TARGET";
-
- /**
- * Permission to delete targets.
- */
- public static final String DELETE_TARGET = "DELETE_TARGET";
+ public static final String CREATE_DISTRIBUTION_SET = "CREATE_DISTRIBUTION_SET";
+ public static final String READ_DISTRIBUTION_SET = "READ_DISTRIBUTION_SET";
+ public static final String UPDATE_DISTRIBUTION_SET = "UPDATE_DISTRIBUTION_SET";
+ public static final String DELETE_DISTRIBUTION_SET = "DELETE_DISTRIBUTION_SET";
 
 /**
 * Permission to read distributions and artifacts.
 */
 public static final String READ_REPOSITORY = "READ_REPOSITORY";
-
 /**
 * Permission to edit/update distributions and artifacts.
 */
 public static final String UPDATE_REPOSITORY = "UPDATE_REPOSITORY";
-
 /**
 * Permission to add distributions and artifacts.
 */
 public static final String CREATE_REPOSITORY = "CREATE_REPOSITORY";
-
 /**
 * Permission to delete distributions and artifacts.
 */
@@ -92,7 +95,6 @@ public final class SpPermission {
 * Permission to read the tenant settings.
 */
 public static final String READ_TENANT_CONFIGURATION = "READ_TENANT_CONFIGURATION";
-
 /**
 * Permission to read the gateway security token. The gateway security token is security
 * concerned and should be protected. So in addition to {@linkplain #READ_TENANT_CONFIGURATION},
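Review bot: The eight new `*_TARGET_TYPE` and `*_DISTRIBUTION_SET` constants are the only permissions in `SpPermission` without Javadoc, while every neighbouring constant states what it grants. Because the reflective "Return all permission." listing later in this file exposes every `public static final String` as a grantable authority, the relationship to the coarser permissions should be spelled out, e.g. `/** Permission to read target types; implied by {@link #READ_TARGET} via {@link #TARGET_HIERARCHY}. */`, and likewise for the distribution-set group via `{@link #REPOSITORY_HIERARCHY}`.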
@@ -100,47 +102,57 @@ public final class SpPermission {
 * implies both permissions - so it is sufficient to read the gateway security token.
 */
 public static final String READ_GATEWAY_SEC_TOKEN = "READ_GATEWAY_SECURITY_TOKEN";
-
 /**
 * Permission to administrate the tenant settings.
 */
 public static final String TENANT_CONFIGURATION = "TENANT_CONFIGURATION";
 
- /**
- * Permission to read a rollout.
- */
- public static final String READ_ROLLOUT = "READ_ROLLOUT";
-
 /**
 * Permission to create a rollout.
 */
 public static final String CREATE_ROLLOUT = "CREATE_ROLLOUT";
-
+ /**
+ * Permission to read a rollout.
+ */
+ public static final String READ_ROLLOUT = "READ_ROLLOUT";
 /**
 * Permission to update a rollout.
 */
 public static final String UPDATE_ROLLOUT = "UPDATE_ROLLOUT";
-
 /**
 * Permission to delete a rollout.
 */
 public static final String DELETE_ROLLOUT = "DELETE_ROLLOUT";
-
+ /**
+ * Permission to approve or deny a rollout prior to starting.
+ */
+ public static final String APPROVE_ROLLOUT = "APPROVE_ROLLOUT";
 /**
 * Permission to start/stop/resume a rollout.
 */
 public static final String HANDLE_ROLLOUT = "HANDLE_ROLLOUT";
-
- /**
- * Permission to approve or deny a rollout prior to starting.
- */
- public static final String APPROVE_ROLLOUT = "APPROVE_ROLLOUT";
-
 /**
 * Permission to administrate the system on a global, i.e. tenant independent scale. That includes the deletion of tenants.
 */
 public static final String SYSTEM_ADMIN = "SYSTEM_ADMIN";
 
+ private static final String IMPLIES = " > ";
+ private static final String LINE_BREAK = "\n";
+ public static final String TARGET_HIERARCHY =
+ CREATE_TARGET + IMPLIES + CREATE_TARGET_TYPE + LINE_BREAK +
+ READ_TARGET + IMPLIES + READ_TARGET_TYPE + LINE_BREAK +
+ UPDATE_TARGET + IMPLIES + UPDATE_TARGET_TYPE + LINE_BREAK +
+ DELETE_TARGET + IMPLIES + DELETE_TARGET_TYPE + LINE_BREAK;
+ public static final String REPOSITORY_HIERARCHY =
+ CREATE_REPOSITORY + IMPLIES + CREATE_DISTRIBUTION_SET + LINE_BREAK +
+ READ_REPOSITORY + IMPLIES + READ_DISTRIBUTION_SET + LINE_BREAK +
+ UPDATE_REPOSITORY + IMPLIES + UPDATE_DISTRIBUTION_SET + LINE_BREAK +
+ DELETE_REPOSITORY + IMPLIES + DELETE_DISTRIBUTION_SET + LINE_BREAK;
+ public static final String TENANT_CONFIGURATION_HIERARCHY =
+ TENANT_CONFIGURATION + IMPLIES + READ_TENANT_CONFIGURATION + LINE_BREAK +
+ TENANT_CONFIGURATION + IMPLIES + READ_GATEWAY_SEC_TOKEN + LINE_BREAK;
+
 /**
 * Return all permission.
 *
@@ -150,7 +162,8 @@ public final class SpPermission {
 final List allPermissions = new ArrayList<>();
 final Field[] declaredFields = SpPermission.class.getDeclaredFields();
 for (final Field field : declaredFields) {
- if (Modifier.isPublic(field.getModifiers()) && Modifier.isStatic(field.getModifiers())) {
+ if (Modifier.isPublic(field.getModifiers()) && Modifier.isStatic(field.getModifiers()) && Modifier.isFinal(field.getModifiers()) &&
+ String.class.equals(field.getType())) {
 try {
 final String role = (String) field.get(null);
 allPermissions.add(role);
@@ -161,82 +174,4 @@ public final class SpPermission {
 }
 return allPermissions;
 }
-
- /**
- *
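Review bot: The tightened filter in the `@@ -150,7 +162,8 @@` hunk keeps every `public static final String` field, which now also matches the `TARGET_HIERARCHY`, `REPOSITORY_HIERARCHY` and `TENANT_CONFIGURATION_HIERARCHY` strings added just above it, so the "all permissions" list this method returns will contain multi-line `" > "` hierarchy expressions next to real permission names. What callers do with that list is outside this diff; if it ever feeds an authority grant those entries become meaningless authorities, and at best they are noise. Either exclude them, `&& !field.getName().endsWith("_HIERARCHY")`, or move the three hierarchy strings into the new `Hierarchy` class so that `SpPermission` holds only permission names. `SpPermissionTest` is deleted in this same commit, so nothing now exercises this listing; the method's signature lies outside the hunk.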

- * Contains all the spring security evaluation expressions for the {@link PreAuthorize} annotation for method security. - *

- *

- * Examples: - * {@code - * hasRole([role]) Returns true if the current principal has the specified role. - * hasAnyRole([role1,role2]) Returns true if the current principal has any of the supplied roles (given as a comma-separated list of strings) - * principal Allows direct access to the principal object representing the current user - * authentication Allows direct access to the current Authentication object obtained from the SecurityContext - * permitAll Always evaluates to true - * denyAll Always evaluates to false - * isAnonymous() Returns true if the current principal is an anonymous user - * isRememberMe() Returns true if the current principal is a remember-me user - * isAuthenticated() Returns true if the user is not anonymous - * isFullyAuthenticated() Returns true if the user is not an anonymous or a remember-me user - * } - *

- */ - @NoArgsConstructor(access = AccessLevel.PRIVATE) - public static final class SpringEvalExpressions { - - public static final String BRACKET_OPEN = "("; - public static final String BRACKET_CLOSE = ")"; - public static final String HAS_AUTH_PREFIX = "hasAuthority" + BRACKET_OPEN + "'"; - public static final String HAS_AUTH_SUFFIX = "'" + BRACKET_CLOSE; - public static final String HAS_AUTH_AND = " and "; - public static final String HAS_AUTH_OR = " or "; - - /** - * The role which contains the spring security context in case the system is executing code which is necessary to be privileged. - */ - public static final String SYSTEM_ROLE = "ROLE_SYSTEM_CODE"; - - /** - * The role which contains in the spring security context in case ancontroller is authenticated. - */ - public static final String CONTROLLER_ROLE = "ROLE_CONTROLLER"; - /** - * The role which contained in the spring security context in case that a controller is authenticated, but only as 'anonymous'. - */ - public static final String CONTROLLER_ROLE_ANONYMOUS = "ROLE_CONTROLLER_ANONYMOUS"; - - public static final String IS_SYSTEM_CODE = HAS_AUTH_PREFIX + SYSTEM_ROLE + HAS_AUTH_SUFFIX; - - public static final String HAS_AUTH_UPDATE_TARGET = HAS_AUTH_PREFIX + UPDATE_TARGET + HAS_AUTH_SUFFIX; - public static final String HAS_AUTH_SYSTEM_ADMIN = HAS_AUTH_PREFIX + SYSTEM_ADMIN + HAS_AUTH_SUFFIX; - public static final String HAS_AUTH_READ_TARGET = HAS_AUTH_PREFIX + READ_TARGET + HAS_AUTH_SUFFIX; - public static final String HAS_AUTH_CREATE_TARGET = HAS_AUTH_PREFIX + CREATE_TARGET + HAS_AUTH_SUFFIX; - public static final String HAS_AUTH_DELETE_TARGET = HAS_AUTH_PREFIX + DELETE_TARGET + HAS_AUTH_SUFFIX; - public static final String HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET = BRACKET_OPEN + HAS_AUTH_PREFIX - + READ_REPOSITORY + HAS_AUTH_SUFFIX + HAS_AUTH_AND + HAS_AUTH_PREFIX + UPDATE_TARGET + HAS_AUTH_SUFFIX - + BRACKET_CLOSE; - public static final String HAS_AUTH_CREATE_REPOSITORY = HAS_AUTH_PREFIX + 
CREATE_REPOSITORY + HAS_AUTH_SUFFIX; - public static final String HAS_AUTH_DELETE_REPOSITORY = HAS_AUTH_PREFIX + DELETE_REPOSITORY + HAS_AUTH_SUFFIX; - public static final String HAS_AUTH_READ_REPOSITORY = HAS_AUTH_PREFIX + READ_REPOSITORY + HAS_AUTH_SUFFIX; - public static final String HAS_AUTH_UPDATE_REPOSITORY = HAS_AUTH_PREFIX + UPDATE_REPOSITORY + HAS_AUTH_SUFFIX; - public static final String HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET = BRACKET_OPEN + HAS_AUTH_PREFIX - + READ_REPOSITORY + HAS_AUTH_SUFFIX + HAS_AUTH_AND + HAS_AUTH_PREFIX + READ_TARGET + HAS_AUTH_SUFFIX - + BRACKET_CLOSE; - public static final String HAS_AUTH_DOWNLOAD_ARTIFACT = HAS_AUTH_PREFIX + DOWNLOAD_REPOSITORY_ARTIFACT + HAS_AUTH_SUFFIX; - public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_READ = HAS_AUTH_PREFIX + READ_ROLLOUT + HAS_AUTH_SUFFIX; - public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ = BRACKET_OPEN + HAS_AUTH_PREFIX - + READ_ROLLOUT + HAS_AUTH_SUFFIX + HAS_AUTH_AND + HAS_AUTH_PREFIX + READ_TARGET + HAS_AUTH_SUFFIX - + BRACKET_CLOSE; - public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_CREATE = HAS_AUTH_PREFIX + CREATE_ROLLOUT + HAS_AUTH_SUFFIX; - public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_HANDLE = HAS_AUTH_PREFIX + HANDLE_ROLLOUT + HAS_AUTH_SUFFIX; - public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_APPROVE = HAS_AUTH_PREFIX + APPROVE_ROLLOUT + HAS_AUTH_SUFFIX; - public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_UPDATE = HAS_AUTH_PREFIX + UPDATE_ROLLOUT + HAS_AUTH_SUFFIX; - public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_DELETE = HAS_AUTH_PREFIX + DELETE_ROLLOUT + HAS_AUTH_SUFFIX; - public static final String HAS_AUTH_TENANT_CONFIGURATION_READ = HAS_AUTH_PREFIX + READ_TENANT_CONFIGURATION + HAS_AUTH_SUFFIX; - public static final String HAS_AUTH_TENANT_CONFIGURATION = HAS_AUTH_PREFIX + TENANT_CONFIGURATION + HAS_AUTH_SUFFIX; - - public static final String IS_CONTROLLER = "hasAnyRole('" + CONTROLLER_ROLE_ANONYMOUS + 
"', '" + CONTROLLER_ROLE + "')";
- public static final String IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET = IS_CONTROLLER + HAS_AUTH_OR + HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET;
- }
 }
\ No newline at end of file
diff --git a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpRole.java b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpRole.java
index 24100a53d..415e85416 100644
--- a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpRole.java
+++ b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpRole.java
@@ -9,8 +9,6 @@
 */
 package org.eclipse.hawkbit.im.authentication;
 
-import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.SYSTEM_ROLE;
-
 import lombok.AccessLevel;
 import lombok.NoArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
@@ -27,6 +25,11 @@ public final class SpRole {
 public static final String ROLLOUT_ADMIN = "ROLE_ROLLOUT_ADMIN";
 public static final String TENANT_ADMIN = "ROLE_TENANT_ADMIN";
 
+ /**
+ * The role which contains the spring security context in case the system is executing code which is necessary to be privileged.
+ */
+ public static final String SYSTEM_ROLE = "ROLE_SYSTEM_CODE";
+
 private static final String IMPLIES = " > ";
 private static final String LINE_BREAK = "\n";
 public static final String TARGET_ADMIN_HIERARCHY =
@@ -48,9 +51,6 @@ public final class SpRole {
 ROLLOUT_ADMIN + IMPLIES + SpPermission.DELETE_ROLLOUT + LINE_BREAK +
 ROLLOUT_ADMIN + IMPLIES + SpPermission.HANDLE_ROLLOUT + LINE_BREAK +
 ROLLOUT_ADMIN + IMPLIES + SpPermission.APPROVE_ROLLOUT + LINE_BREAK;
- public static final String TENANT_CONFIGURATION_HIERARCHY =
- SpPermission.TENANT_CONFIGURATION + IMPLIES + SpPermission.READ_TENANT_CONFIGURATION + LINE_BREAK +
- SpPermission.TENANT_CONFIGURATION + IMPLIES + SpPermission.READ_GATEWAY_SEC_TOKEN + LINE_BREAK;
 public static final String TENANT_ADMIN_HIERARCHY =
 TENANT_ADMIN + IMPLIES + TARGET_ADMIN + LINE_BREAK +
 TENANT_ADMIN + IMPLIES + REPOSITORY_ADMIN + LINE_BREAK +
@@ -64,7 +64,6 @@ public final class SpRole {
 TARGET_ADMIN_HIERARCHY +
 REPOSITORY_ADMIN_HIERARCHY +
 ROLLOUT_ADMIN_HIERARCHY +
- TENANT_CONFIGURATION_HIERARCHY +
 TENANT_ADMIN_HIERARCHY +
 SYSTEM_ROLE_HIERARCHY;
 }
\ No newline at end of file
diff --git a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpringEvalExpressions.java b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpringEvalExpressions.java
new file mode 100644
index 000000000..0d1a66129
--- /dev/null
+++ b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpringEvalExpressions.java
@@ -0,0 +1,99 @@
+/**
+ * Copyright (c) 2025 Contributors to the Eclipse Foundation
+ *
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.eclipse.hawkbit.im.authentication;
+
+import lombok.AccessLevel;
+import lombok.NoArgsConstructor;
+import org.springframework.security.access.prepost.PreAuthorize;
+
+/**
+ *
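Review bot: Dropping `TENANT_CONFIGURATION_HIERARCHY` from `SpRole.DEFAULT_ROLE_HIERARCHY` narrows a public constant: any wiring that still calls `RoleHierarchyImpl.fromHierarchy(SpRole.DEFAULT_ROLE_HIERARCHY)` — as `TestConfiguration` did before this commit — silently loses the `TENANT_CONFIGURATION > READ_TENANT_CONFIGURATION` and `READ_GATEWAY_SEC_TOKEN` implications and never gains the new target/repository ones. Only the test configuration is switched to `Hierarchy.DEFAULT` in this diff, so whether production `RoleHierarchy` beans were updated cannot be confirmed here; a search for remaining `DEFAULT_ROLE_HIERARCHY` usages before merge would settle it. At minimum document the split on the constant: `/** Role-to-permission implications only; use {@link Hierarchy#DEFAULT} for the full hierarchy including permission-to-permission implications. */`.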

+ * Contains all the spring security evaluation expressions for the {@link PreAuthorize} annotation for method security. + *

+ *

+ * Examples: + * {@code + * hasRole([role]) Returns true if the current principal has the specified role. + * hasAnyRole([role1,role2]) Returns true if the current principal has any of the supplied roles (given as a comma-separated list of strings) + * principal Allows direct access to the principal object representing the current user + * authentication Allows direct access to the current Authentication object obtained from the SecurityContext + * permitAll Always evaluates to true + * denyAll Always evaluates to false + * isAnonymous() Returns true if the current principal is an anonymous user + * isRememberMe() Returns true if the current principal is a remember-me user + * isAuthenticated() Returns true if the user is not anonymous + * isFullyAuthenticated() Returns true if the user is not an anonymous or a remember-me user + * } + *

+ */ +@NoArgsConstructor(access = AccessLevel.PRIVATE) +public final class SpringEvalExpressions { + + public static final String BRACKET_OPEN = "("; + public static final String BRACKET_CLOSE = ")"; + public static final String HAS_AUTH_PREFIX = "hasAuthority" + BRACKET_OPEN + "'"; + public static final String HAS_AUTH_SUFFIX = "'" + BRACKET_CLOSE; + public static final String HAS_AUTH_AND = " and "; + public static final String HAS_AUTH_OR = " or "; + + /** + * The role which contains in the spring security context in case ancontroller is authenticated. + */ + public static final String CONTROLLER_ROLE = "ROLE_CONTROLLER"; + /** + * The role which contained in the spring security context in case that a controller is authenticated, but only as 'anonymous'. + */ + public static final String CONTROLLER_ROLE_ANONYMOUS = "ROLE_CONTROLLER_ANONYMOUS"; + + public static final String IS_SYSTEM_CODE = HAS_AUTH_PREFIX + SpRole.SYSTEM_ROLE + HAS_AUTH_SUFFIX; + + public static final String HAS_AUTH_SYSTEM_ADMIN = HAS_AUTH_PREFIX + SpPermission.SYSTEM_ADMIN + HAS_AUTH_SUFFIX; + + public static final String HAS_AUTH_CREATE_TARGET = HAS_AUTH_PREFIX + SpPermission.CREATE_TARGET + HAS_AUTH_SUFFIX; + public static final String HAS_AUTH_UPDATE_TARGET = HAS_AUTH_PREFIX + SpPermission.UPDATE_TARGET + HAS_AUTH_SUFFIX; + public static final String HAS_AUTH_READ_TARGET = HAS_AUTH_PREFIX + SpPermission.READ_TARGET + HAS_AUTH_SUFFIX; + public static final String HAS_AUTH_DELETE_TARGET = HAS_AUTH_PREFIX + SpPermission.DELETE_TARGET + HAS_AUTH_SUFFIX; + + public static final String HAS_AUTH_CREATE_TARGET_TYPE = HAS_AUTH_PREFIX + SpPermission.CREATE_TARGET_TYPE + HAS_AUTH_SUFFIX; + public static final String HAS_AUTH_UPDATE_TARGET_TYPE = HAS_AUTH_PREFIX + SpPermission.UPDATE_TARGET_TYPE + HAS_AUTH_SUFFIX; + public static final String HAS_AUTH_READ_TARGET_TYPE = HAS_AUTH_PREFIX + SpPermission.READ_TARGET_TYPE + HAS_AUTH_SUFFIX; + public static final String HAS_AUTH_DELETE_TARGET_TYPE = 
HAS_AUTH_PREFIX + SpPermission.DELETE_TARGET_TYPE + HAS_AUTH_SUFFIX; + + public static final String HAS_AUTH_CREATE_DISTRIBUTION_SET = HAS_AUTH_PREFIX + SpPermission.CREATE_DISTRIBUTION_SET + HAS_AUTH_SUFFIX; + public static final String HAS_AUTH_UPDATE_DISTRIBUTION_SET = HAS_AUTH_PREFIX + SpPermission.UPDATE_DISTRIBUTION_SET + HAS_AUTH_SUFFIX; + public static final String HAS_AUTH_READ_DISTRIBUTION_SET = HAS_AUTH_PREFIX + SpPermission.READ_DISTRIBUTION_SET + HAS_AUTH_SUFFIX; + public static final String HAS_AUTH_DELETE_DISTRIBUTION_SET = HAS_AUTH_PREFIX + SpPermission.DELETE_DISTRIBUTION_SET + HAS_AUTH_SUFFIX; + + public static final String HAS_AUTH_CREATE_REPOSITORY = HAS_AUTH_PREFIX + SpPermission.CREATE_REPOSITORY + HAS_AUTH_SUFFIX; + public static final String HAS_AUTH_READ_REPOSITORY = HAS_AUTH_PREFIX + SpPermission.READ_REPOSITORY + HAS_AUTH_SUFFIX; + public static final String HAS_AUTH_UPDATE_REPOSITORY = HAS_AUTH_PREFIX + SpPermission.UPDATE_REPOSITORY + HAS_AUTH_SUFFIX; + public static final String HAS_AUTH_DELETE_REPOSITORY = HAS_AUTH_PREFIX + SpPermission.DELETE_REPOSITORY + HAS_AUTH_SUFFIX; + public static final String HAS_AUTH_DOWNLOAD_ARTIFACT = HAS_AUTH_PREFIX + SpPermission.DOWNLOAD_REPOSITORY_ARTIFACT + HAS_AUTH_SUFFIX; + public static final String HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET = BRACKET_OPEN + HAS_AUTH_PREFIX + + SpPermission.READ_REPOSITORY + HAS_AUTH_SUFFIX + HAS_AUTH_AND + HAS_AUTH_PREFIX + SpPermission.UPDATE_TARGET + HAS_AUTH_SUFFIX + + BRACKET_CLOSE; + + public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_CREATE = HAS_AUTH_PREFIX + SpPermission.CREATE_ROLLOUT + HAS_AUTH_SUFFIX; + public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_READ = HAS_AUTH_PREFIX + SpPermission.READ_ROLLOUT + HAS_AUTH_SUFFIX; + public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_UPDATE = HAS_AUTH_PREFIX + SpPermission.UPDATE_ROLLOUT + HAS_AUTH_SUFFIX; + public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_DELETE = HAS_AUTH_PREFIX + 
SpPermission.DELETE_ROLLOUT + HAS_AUTH_SUFFIX; + public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_APPROVE = HAS_AUTH_PREFIX + SpPermission.APPROVE_ROLLOUT + HAS_AUTH_SUFFIX; + public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_HANDLE = HAS_AUTH_PREFIX + SpPermission.HANDLE_ROLLOUT + HAS_AUTH_SUFFIX; + + public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ = BRACKET_OPEN + HAS_AUTH_PREFIX + + SpPermission.READ_ROLLOUT + HAS_AUTH_SUFFIX + HAS_AUTH_AND + HAS_AUTH_PREFIX + SpPermission.READ_TARGET + HAS_AUTH_SUFFIX + + BRACKET_CLOSE; + + public static final String HAS_AUTH_TENANT_CONFIGURATION_READ = HAS_AUTH_PREFIX + SpPermission.READ_TENANT_CONFIGURATION + HAS_AUTH_SUFFIX; + public static final String HAS_AUTH_TENANT_CONFIGURATION = HAS_AUTH_PREFIX + SpPermission.TENANT_CONFIGURATION + HAS_AUTH_SUFFIX; + + public static final String IS_CONTROLLER = "hasAnyRole('" + CONTROLLER_ROLE_ANONYMOUS + "', '" + CONTROLLER_ROLE + "')"; + public static final String IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET = IS_CONTROLLER + HAS_AUTH_OR + HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET; +} diff --git a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/SecurityContextTenantAware.java b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/SecurityContextTenantAware.java index e5f7571e9..e32c51f1a 100644 --- a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/SecurityContextTenantAware.java +++ b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/SecurityContextTenantAware.java 
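Review bot: The Javadoc on `CONTROLLER_ROLE` carries over the typo "ancontroller" and the phrase "contains in the spring security context" from the removed inner class; since this is a new file it is the moment to fix it, e.g. `/** The role present in the spring security context when a controller is authenticated. */`, and similarly `/** The role present in the spring security context when a controller is authenticated only as 'anonymous'. */` for `CONTROLLER_ROLE_ANONYMOUS`. The new `HAS_AUTH_*_TARGET_TYPE` and `HAS_AUTH_*_DISTRIBUTION_SET` expressions have no Javadoc either, unlike the role constants; a one-line `/** Expression granting access to holders of {@link SpPermission#READ_TARGET_TYPE}. */` per group would make the intended use in `@PreAuthorize` explicit.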
@@ -19,7 +19,7 @@ import java.util.function.Function;
 import java.util.function.Supplier;
 
 import org.eclipse.hawkbit.ContextAware;
-import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
+import org.eclipse.hawkbit.im.authentication.SpRole;
 import org.eclipse.hawkbit.tenancy.TenantAware;
 import org.eclipse.hawkbit.tenancy.TenantAwareAuthenticationDetails;
 import org.eclipse.hawkbit.tenancy.TenantAwareUser;
@@ -42,8 +42,7 @@ public class SecurityContextTenantAware implements ContextAware {
 
 public static final String SYSTEM_USER = "system";
 
- private static final Collection SYSTEM_AUTHORITIES =
- List.of(new SimpleGrantedAuthority(SpringEvalExpressions.SYSTEM_ROLE));
+ private static final Collection SYSTEM_AUTHORITIES = List.of(new SimpleGrantedAuthority(SpRole.SYSTEM_ROLE));
 
 private final UserAuthoritiesResolver authoritiesResolver;
 private final SecurityContextSerializer securityContextSerializer;
diff --git a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/SystemSecurityContext.java b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/SystemSecurityContext.java
index 1be9ebe1f..61193920d 100644
--- a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/SystemSecurityContext.java
+++ b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/SystemSecurityContext.java
@@ -18,8 +18,10 @@ import java.util.concurrent.Callable;
 import jakarta.validation.constraints.NotEmpty;
 import jakarta.validation.constraints.NotNull;
 
+import lombok.Getter;
 import lombok.extern.slf4j.Slf4j;
-import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
+import org.eclipse.hawkbit.im.authentication.SpRole;
+import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
 import org.eclipse.hawkbit.tenancy.TenantAware;
 import org.eclipse.hawkbit.tenancy.TenantAwareAuthenticationDetails;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
@@ -161,19 +163,25 @@ public class SystemSecurityContext {
 /**
 * An implementation of the Spring's {@link Authentication} object which is used within a system security code block and
- * wraps the original authentication object. The wrapped object contains the necessary {@link SpringEvalExpressions#SYSTEM_ROLE}
+ * wraps the original authentication object. The wrapped object contains the necessary {@link SpRole#SYSTEM_ROLE}
 * which is allowed to execute all secured methods.
 */
+ @Getter
 public static final class SystemCodeAuthentication implements Authentication {
 @Serial
 private static final long serialVersionUID = 1L;
- private static final List AUTHORITIES = List.of(new SimpleGrantedAuthority(SpringEvalExpressions.SYSTEM_ROLE));
- private final Authentication oldAuthentication;
+ private static final List AUTHORITIES = List.of(new SimpleGrantedAuthority(SpRole.SYSTEM_ROLE));
+
+ private final Object credentials;
+ private final Object details;
+ private final Object principal;
 private SystemCodeAuthentication(final Authentication oldAuthentication) {
- this.oldAuthentication = oldAuthentication;
+ credentials = oldAuthentication != null ? oldAuthentication.getCredentials() : null;
+ details = oldAuthentication != null ? oldAuthentication.getDetails() : null;
+ principal = oldAuthentication != null ? oldAuthentication.getPrincipal() : null;
 }
 @Override
@@ -186,21 +194,6 @@ public class SystemSecurityContext {
 return AUTHORITIES;
 }
- @Override
- public Object getCredentials() {
- return oldAuthentication != null ? oldAuthentication.getCredentials() : null;
- }
-
- @Override
- public Object getDetails() {
- return oldAuthentication != null ? oldAuthentication.getDetails() : null;
- }
-
- @Override
- public Object getPrincipal() {
- return oldAuthentication != null ? oldAuthentication.getPrincipal() : null;
- }
-
 @Override
 public boolean isAuthenticated() {
 return true;
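Review bot: The constructor in the @@ -161 hunk now copies `oldAuthentication.getCredentials()` into a final field of a Serializable token, so the credential value is held for the whole lifetime of the system-code authentication and, if the original token implements Spring's `CredentialsContainer` and is erased after authentication, that erasure no longer reaches this copy — before the change the getter delegated to the original at call time. Consider either not carrying the credential at all or making it erasable: `public static final class SystemCodeAuthentication implements Authentication, CredentialsContainer {`, `private Object credentials;` and `@Override public void eraseCredentials() { credentials = null; }`. The Javadoc above the class still says it `wraps the original authentication object`, which is no longer what the code does; it now snapshots principal, details and credentials at construction, so the sentence should read along the lines of `captures the principal, details and credentials of the original authentication at construction time`. Class-level `@Getter` does not generate an accessor for the static `AUTHORITIES` field, so the explicit `getAuthorities()` override kept in the next hunk remains the only source of the system role, which is the intended behaviour and worth a one-line comment on the field.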
diff --git a/hawkbit-security-core/src/test/java/org/eclipse/hawkbit/im/authentication/SpPermissionTest.java b/hawkbit-security-core/src/test/java/org/eclipse/hawkbit/im/authentication/SpPermissionTest.java deleted file mode 100644 index c8a1a357e..000000000 --- a/hawkbit-security-core/src/test/java/org/eclipse/hawkbit/im/authentication/SpPermissionTest.java +++ /dev/null @@ -1,49 +0,0 @@ -/** - * Copyright (c) 2015 Bosch Software Innovations GmbH and others - * - * This program and the accompanying materials are made - * available under the terms of the Eclipse Public License 2.0 - * which is available at https://www.eclipse.org/legal/epl-2.0/ - * - * SPDX-License-Identifier: EPL-2.0 - */ -package org.eclipse.hawkbit.im.authentication; - -import static org.assertj.core.api.Assertions.assertThat; - -import java.util.Collection; -import java.util.LinkedList; -import java.util.List; - -import org.junit.jupiter.api.Test; -import org.springframework.util.ReflectionUtils; - -/** - * Test {@link SpPermission}. - *

- * Feature: Unit Tests - Security
- * Story: Permission Test - */ -final class SpPermissionTest { - - /** - * Try to double check if all permissions works as expected - */ - @Test - void shouldReturnAllPermissions() { - List expected = new LinkedList<>(); - ReflectionUtils.doWithFields(SpPermission.class, f -> { - if (ReflectionUtils.isPublicStaticFinal(f) && String.class.equals(f.getType())) { - try { - expected.add((String) f.get(null)); - } catch (IllegalAccessException | IllegalArgumentException e) { - // skip - } - } - }); - final Collection allAuthorities = SpPermission.getAllAuthorities(); - assertThat(allAuthorities) - .hasSize(20) - .containsAll(expected); - } -} \ No newline at end of file