diff --git a/authentik/rbac/migrations/0003_alter_systempermission_options.py b/authentik/rbac/migrations/0003_alter_systempermission_options.py
new file mode 100644
index 000000000..8320edcae
--- /dev/null
+++ b/authentik/rbac/migrations/0003_alter_systempermission_options.py
@@ -0,0 +1,29 @@
+# Generated by Django 4.2.8 on 2023-12-20 10:02
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_rbac", "0002_systempermission"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="systempermission",
+            options={
+                "default_permissions": (),
+                "managed": False,
+                "permissions": [
+                    ("view_system_info", "Can view system info"),
+                    ("view_system_tasks", "Can view system tasks"),
+                    ("run_system_tasks", "Can run system tasks"),
+                    ("access_admin_interface", "Can access admin interface"),
+                    ("view_system_settings", "Can view system settings"),
+                    ("edit_system_settings", "Can edit system settings"),
+                ],
+                "verbose_name": "System permission",
+                "verbose_name_plural": "System permissions",
+            },
+        ),
+    ]
diff --git a/authentik/rbac/models.py b/authentik/rbac/models.py
index fe6096f7d..b3ff7e493 100644
--- a/authentik/rbac/models.py
+++ b/authentik/rbac/models.py
@@ -70,4 +70,6 @@ class SystemPermission(models.Model):
             ("view_system_tasks", _("Can view system tasks")),
             ("run_system_tasks", _("Can run system tasks")),
             ("access_admin_interface", _("Can access admin interface")),
+            ("view_system_settings", _("Can view system settings")),
+            ("edit_system_settings", _("Can edit system settings")),
         ]
diff --git a/authentik/tenants/api.py b/authentik/tenants/api.py
index 1fc423c77..006153f4d 100644
--- a/authentik/tenants/api.py
+++ b/authentik/tenants/api.py
@@ -6,7 +6,7 @@ from rest_framework import permissions
 from rest_framework.authentication import get_authorization_header
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.generics import RetrieveUpdateAPIView
-from rest_framework.permissions import IsAdminUser
+from rest_framework.permissions import SAFE_METHODS, IsAdminUser
 from rest_framework.request import Request
 from rest_framework.serializers import ModelSerializer
 from rest_framework.views import View
@@ -14,6 +14,7 @@ from rest_framework.viewsets import ModelViewSet
 
 from authentik.api.authentication import validate_auth
 from authentik.lib.config import CONFIG
+from authentik.rbac.permissions import HasPermission
 from authentik.tenants.models import Domain, Tenant
 
 
@@ -117,9 +118,17 @@ class SettingsView(RetrieveUpdateAPIView):
 
     queryset = Tenant.objects.filter(ready=True)
     serializer_class = SettingsSerializer
-    permission_classes = [IsAdminUser]
     filter_backends = []
 
+    def get_permissions(self):
+        return [
+            HasPermission(
+                "authentik_rbac.view_system_settings"
+                if self.request.method in SAFE_METHODS
+                else "authentik_rbac.edit_system_settings"
+            )()
+        ]
+
     def get_object(self):
         obj = self.request.tenant
         self.check_object_permissions(self.request, obj)