diff --git a/config/vufind/permissions.ini b/config/vufind/permissions.ini
index 87f703e397b4f7849d57cec6c3d3516848f0433d..9f555da90b0d667460ad9f6a7cdde15aed945be7 100644
--- a/config/vufind/permissions.ini
+++ b/config/vufind/permissions.ini
@@ -54,9 +54,16 @@
 ;
 ; access.AdminModule - Controls access to the admin panel (if enabled in config.ini)
 ; access.EITModule - Controls access to the EBSCO EIT module (if active)
+; access.StaffViewTab - Controls access to the staff view tab in record mode
 ; access.SummonExtendedResults - Controls visibility of protected Summon results
 
 ; Default configuration for the EIT module; see EIT.ini for some notes on this.
 [default.EITModule]
 role = loggedin
 permission = access.EITModule
+
+; Show staff view for all users by default
+[default.StaffViewTab]
+role[] = guest
+role[] = loggedin
+permission = access.StaffViewTab
\ No newline at end of file
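Review bot: The comment above `[default.StaffViewTab]` does not tell an administrator how to restrict the tab, and deleting the section will probably not do it. The fallback added to DynamicRoleProviderFactory in this same commit grants `access.StaffViewTab` to `guest` and `loggedin` whenever no section defines that permission. I would extend the comment to something like `; Show staff view for all users by default; to restrict it, keep this section and narrow the role list (removing the section restores access for everyone).` The file also now ends without a trailing newline, which is worth fixing at the same time.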
diff --git a/module/VuFind/config/module.config.php b/module/VuFind/config/module.config.php
index 9fa8631b69b77dff5c5caf16b5c5db2965cacc88..2a639ccad26186d0b2365edee6025664ca20bd9e 100644
--- a/module/VuFind/config/module.config.php
+++ b/module/VuFind/config/module.config.php
@@ -472,6 +472,9 @@ $config = [
                     'staffviewmarc' => 'VuFind\RecordTab\StaffViewMARC',
                     'toc' => 'VuFind\RecordTab\TOC',
                 ],
+                'initializers' => [
+                    'ZfcRbac\Initializer\AuthorizationServiceInitializer'
+                ],
             ],
             'related' => [
                 'abstract_factories' => ['VuFind\Related\PluginFactory'],
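Review bot: The new `'initializers'` entry has no comment saying why it is needed, yet it appears to be the only thing that supplies the authorization service `AbstractBase::isActive()` now requires. A one-line comment such as `// Inject the ZfcRbac authorization service into tabs (required by AbstractBase::isActive())` would keep a later cleanup from removing it. A tab created outside this plugin manager would presumably hit the 'Authorization service missing' exception. The single array element also lacks the trailing comma used by the neighbouring entries.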
diff --git a/module/VuFind/src/VuFind/RecordTab/AbstractBase.php b/module/VuFind/src/VuFind/RecordTab/AbstractBase.php
index a88673550007997b907c19244016b3c83d8ed1a0..11a6c60a74631619c25fa7a407e3b122a5aff016 100644
--- a/module/VuFind/src/VuFind/RecordTab/AbstractBase.php
+++ b/module/VuFind/src/VuFind/RecordTab/AbstractBase.php
@@ -26,6 +26,8 @@
  * @link     http://vufind.org/wiki/vufind2:record_tabs Wiki
  */
 namespace VuFind\RecordTab;
+use ZfcRbac\Service\AuthorizationServiceAwareInterface,
+    ZfcRbac\Service\AuthorizationServiceAwareTrait;
 
 /**
  * Record tab abstract base class
@@ -36,8 +38,19 @@ namespace VuFind\RecordTab;
  * @license  http://opensource.org/licenses/gpl-2.0.php GNU General Public License
  * @link     http://vufind.org/wiki/vufind2:record_tabs Wiki
  */
-abstract class AbstractBase implements TabInterface
+abstract class AbstractBase implements TabInterface, 
+    AuthorizationServiceAwareInterface
 {
+    use AuthorizationServiceAwareTrait;
+
+    /**
+     * Permission that must be granted to access this module (null for no
+     * restriction)
+     *
+     * @var string
+     */
+    protected $accessPermission = null;
+
     /**
      * Record driver associated with the tab
      *
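Review bot: The docblock on `$accessPermission` says "access this module", but the property guards a record tab, so "access this tab" would be accurate. The type is also incomplete because the default is null; `@var string|null` describes it correctly. The new `implements TabInterface, ` line carries a trailing space.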
@@ -59,7 +72,15 @@ abstract class AbstractBase implements TabInterface
      */
     public function isActive()
     {
-        // Assume active by default; subclasses may add rules.
+        // If accessPermission is set, check for authorization to enable tab
+        if (!empty($this->accessPermission)) {
+            $auth = $this->getAuthorizationService();
+            if (!$auth) {
+                throw new \Exception('Authorization service missing');
+            }
+            return $auth->isGranted($this->accessPermission);
+        }
+
         return true;
     }
 
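Review bot: The permission check lives only in the base `isActive()`, so a subclass that overrides `isActive()` without consulting `parent::isActive()` silently skips it. The removed comment said subclasses may add rules, and nothing replaces that guidance. I would add `// Subclasses that override isActive() must also call parent::isActive(), otherwise $accessPermission is not enforced.` and a `@throws \Exception` line in the method docblock, which starts above the hunk. Whether hiding the tab also blocks direct requests for its content depends on callers outside this diff, so it is worth confirming that they consult `isActive()` too. The bare `\Exception` could be a more specific type such as `\RuntimeException`, so callers can tell a wiring error from other failures.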
diff --git a/module/VuFind/src/VuFind/RecordTab/StaffViewArray.php b/module/VuFind/src/VuFind/RecordTab/StaffViewArray.php
index cf58f7127186d2f50ad96b891b0319e6c3c6b4a6..b789be81dde3b4c388665e930cc2824efc82fbf3 100644
--- a/module/VuFind/src/VuFind/RecordTab/StaffViewArray.php
+++ b/module/VuFind/src/VuFind/RecordTab/StaffViewArray.php
@@ -38,6 +38,14 @@ namespace VuFind\RecordTab;
  */
 class StaffViewArray extends AbstractBase
 {
+    /**
+     * Constructor
+     */
+    public function __construct()
+    {
+        $this->accessPermission = 'access.StaffViewTab';
+    }
+
     /**
      * Get the on-screen description for this tab.
      *
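Review bot: Setting the permission in a constructor is more fragile than it needs to be. A subclass that defines its own constructor and does not call `parent::__construct()` leaves `$accessPermission` null, and `isActive()` then returns true without any check. Redeclaring the property, `protected $accessPermission = 'access.StaffViewTab';`, gives the same result with no constructor. The same applies to the identical constructor added to StaffViewMARC. The "Constructor" docblock could also name the permission it sets.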
diff --git a/module/VuFind/src/VuFind/RecordTab/StaffViewMARC.php b/module/VuFind/src/VuFind/RecordTab/StaffViewMARC.php
index 575980955b5bca46b0e4ace871ee648e60016e16..61976130dafff5dc069f0eeef9fadb8356b0dcdc 100644
--- a/module/VuFind/src/VuFind/RecordTab/StaffViewMARC.php
+++ b/module/VuFind/src/VuFind/RecordTab/StaffViewMARC.php
@@ -38,6 +38,14 @@ namespace VuFind\RecordTab;
  */
 class StaffViewMARC extends AbstractBase
 {
+    /**
+     * Constructor
+     */
+    public function __construct()
+    {
+        $this->accessPermission = 'access.StaffViewTab';
+    }
+
     /**
      * Get the on-screen description for this tab.
      *
diff --git a/module/VuFind/src/VuFind/Role/DynamicRoleProviderFactory.php b/module/VuFind/src/VuFind/Role/DynamicRoleProviderFactory.php
index 6919369692e981aeece18dbdc7032fc7f8c103be..bc3f99b7e91df0688f25f9edf4357e0d72dba1e0 100644
--- a/module/VuFind/src/VuFind/Role/DynamicRoleProviderFactory.php
+++ b/module/VuFind/src/VuFind/Role/DynamicRoleProviderFactory.php
@@ -135,6 +135,13 @@ class DynamicRoleProviderFactory implements FactoryInterface
             $permissions['legacy.AdminModule']['permission'] = 'access.AdminModule';
         }
 
+        // Add staff view setting it they are absent:
+        if (!$this->permissionDefined($permissions, 'access.StaffViewTab')) {
+            $permissions['legacy.StaffViewTab']['role'] = ['guest', 'loggedin'];
+            $permissions['legacy.StaffViewTab']['permission']
+                = 'access.StaffViewTab';
+        }
+
         // Add EIT settings if they are absent:
         if (!$this->permissionDefined($permissions, 'access.EITModule')) {
             $permissions['legacy.EITModule'] = [
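Review bot: The new comment has a typo ("setting it they are absent"); `// Add staff view settings if they are absent:` matches the EIT comment below it. Because this fallback grants the permission to `guest`, it is fail-open by design, and the comment should say so. Something like `// (keeps the staff view visible to everyone unless permissions.ini defines access.StaffViewTab)` would also remind maintainers to keep this role list in step with the default in permissions.ini. The enclosing method starts and ends outside the hunk.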