diff --git a/partials/landingpages/modules/access.php b/partials/landingpages/modules/access.php
new file mode 100644
index 0000000..99bafb2
--- /dev/null
+++ b/partials/landingpages/modules/access.php
@@ -0,0 +1,61 @@
+<?php
+$moduleName = (string)($_GET['module'] ?? '');
+$module = modules()->get($moduleName);
+$notice = null;
+
+require_admin();
+
+if (!$module) {
+    http_response_code(404);
+    echo '<div class="card">Modul nicht gefunden.</div>';
+    return;
+}
+
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    modules()->saveAuth($moduleName, [
+        'required' => isset($_POST['auth_required']),
+        'users' => (string)($_POST['auth_users'] ?? ''),
+        'groups' => (string)($_POST['auth_groups'] ?? ''),
+    ]);
+    $notice = 'Zugriff gespeichert.';
+    $module = modules()->get($moduleName) ?: $module;
+}
+
+$authConfig = is_array($module['auth'] ?? null) ? $module['auth'] : ['required' => false, 'users' => [], 'groups' => []];
+?>
+<div class="card">
+  <div class="pill">Zugriff</div>
+  <h1 style="margin-top:.75rem;"><?= e($module['title']) ?> - Zugriffsrechte</h1>
+  <p class="muted">Diese Seite ist nur fuer eingeloggte Mitglieder der Gruppe <?= e(app()->config()->oidcAdminGroup) ?> verfuegbar.</p>
+
+  <?php if ($notice): ?>
+    <div class="card" style="margin-top:1rem; border-color:var(--accent-2);">
+      <?= e($notice) ?>
+    </div>
+  <?php endif; ?>
+
+  <form method="post" style="margin-top:1rem; display:grid; gap:14px; max-width:520px;">
+    <label class="muted" style="display:flex; align-items:center; gap:10px;">
+      <input type="checkbox" name="auth_required" value="1" <?= !empty($authConfig['required']) ? 'checked' : '' ?>>
+      <span>Login fuer dieses Modul erforderlich</span>
+    </label>
+
+    <label class="muted" style="display:grid; gap:6px;">
+      <span>Erlaubte Benutzer</span>
+      <textarea name="auth_users" rows="3" placeholder="Keycloak-Sub, Benutzername oder E-Mail, je Zeile oder Komma"><?= e(implode("\n", is_array($authConfig['users'] ?? null) ? $authConfig['users'] : [])) ?></textarea>
+    </label>
+
+    <label class="muted" style="display:grid; gap:6px;">
+      <span>Erlaubte Gruppen</span>
+      <textarea name="auth_groups" rows="3" placeholder="/admin oder mining-users, je Zeile oder Komma"><?= e(implode("\n", is_array($authConfig['groups'] ?? null) ? $authConfig['groups'] : [])) ?></textarea>
+    </label>
+
+    <small class="muted">Wenn Login aktiv ist und Benutzer/Gruppen leer bleiben, darf jeder eingeloggte Benutzer das Modul oeffnen.</small>
+
+    <div style="display:flex; gap:10px;">
+      <button class="cta-button" type="submit">Zugriff speichern</button>
+      <a class="nav-link" href="/modules/setup/<?= e($moduleName) ?>">Setup</a>
+      <a class="nav-link" href="/modules">Zurück</a>
+    </div>
+  </form>
+</div>
diff --git a/partials/landingpages/modules/index.php b/partials/landingpages/modules/index.php
index 6d7d371..22d22a9 100644
--- a/partials/landingpages/modules/index.php
+++ b/partials/landingpages/modules/index.php
@@ -51,6 +51,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
         <div style="margin-top:.75rem; display:flex; gap:10px; flex-wrap:wrap;">
           <a class="nav-link" href="/module/<?= e($module['name']) ?>">Öffnen</a>
           <a class="nav-link" href="/modules/setup/<?= e($module['name']) ?>">Setup</a>
+          <a class="nav-link" href="/modules/access/<?= e($module['name']) ?>">Zugriff</a>
           <form method="post" style="margin:0;">
             <input type="hidden" name="module" value="<?= e($module['name']) ?>">
             <button class="cta-button" name="action" value="disable" style="background:var(--panel); color:var(--text);">Deaktivieren</button>
diff --git a/partials/landingpages/modules/setup.php b/partials/landingpages/modules/setup.php
index 4380afe..51cd452 100644
--- a/partials/landingpages/modules/setup.php
+++ b/partials/landingpages/modules/setup.php
@@ -93,16 +93,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
     }
 
     modules()->saveSettings($moduleName, $payload);
-    modules()->saveAuth($moduleName, [
-        'required' => isset($_POST['auth_required']),
-        'users' => (string)($_POST['auth_users'] ?? ''),
-        'groups' => (string)($_POST['auth_groups'] ?? ''),
-    ]);
     $notice = 'Setup gespeichert.';
     $current = array_replace_recursive($current, $payload);
     $module = modules()->get($moduleName) ?: $module;
 }
-$authConfig = is_array($module['auth'] ?? null) ? $module['auth'] : ['required' => false, 'users' => [], 'groups' => []];
 ?>
 <div class="card">
   <div class="pill">Setup</div>
@@ -127,6 +121,7 @@ $authConfig = is_array($module['auth'] ?? null) ? $module['auth'] : ['required'
         $type = (string)($field['type'] ?? 'text');
         $required = !empty($field['required']);
         $help = (string)($field['help'] ?? $field['description'] ?? '');
+        $postKey = str_replace('.', '_', $name);
 
         $value = '';
         if ($name === 'kea_auto_init') {
@@ -140,11 +135,11 @@ $authConfig = is_array($module['auth'] ?? null) ? $module['auth'] : ['required'
       <label class="muted" style="display:grid; gap:6px;">
         <span><?= e($label) ?></span>
         <?php if ($type === 'textarea'): ?>
-          <textarea name="<?= e($name) ?>" rows="3" <?= $required ? 'required' : '' ?>><?= e($value) ?></textarea>
+          <textarea name="<?= e($postKey) ?>" rows="3" <?= $required ? 'required' : '' ?>><?= e($value) ?></textarea>
         <?php elseif ($type === 'checkbox'): ?>
-          <input type="checkbox" name="<?= e($name) ?>" value="1" <?= $value === '1' ? 'checked' : '' ?>>
+          <input type="checkbox" name="<?= e($postKey) ?>" value="1" <?= $value === '1' ? 'checked' : '' ?>>
         <?php else: ?>
-          <input type="<?= e($type) ?>" name="<?= e($name) ?>" value="<?= e($value) ?>" <?= $required ? 'required' : '' ?>>
+          <input type="<?= e($type) ?>" name="<?= e($postKey) ?>" value="<?= e($value) ?>" <?= $required ? 'required' : '' ?>>
         <?php endif; ?>
         <?php if ($help !== ''): ?>
           <small class="muted"><?= e($help) ?></small>
@@ -152,25 +147,9 @@ $authConfig = is_array($module['auth'] ?? null) ? $module['auth'] : ['required'
       </label>
     <?php endforeach; ?>
 
-    <div class="card" style="padding:14px; background:var(--panel-2); display:grid; gap:12px;">
-      <strong>Modulzugriff</strong>
-      <label class="muted" style="display:flex; align-items:center; gap:10px;">
-        <input type="checkbox" name="auth_required" value="1" <?= !empty($authConfig['required']) ? 'checked' : '' ?>>
-        <span>Login fuer dieses Modul erforderlich</span>
-      </label>
-      <label class="muted" style="display:grid; gap:6px;">
-        <span>Erlaubte Benutzer</span>
-        <textarea name="auth_users" rows="3" placeholder="Keycloak-Sub, Benutzername oder E-Mail, je Zeile oder Komma"><?= e(implode("\n", is_array($authConfig['users'] ?? null) ? $authConfig['users'] : [])) ?></textarea>
-      </label>
-      <label class="muted" style="display:grid; gap:6px;">
-        <span>Erlaubte Gruppen</span>
-        <textarea name="auth_groups" rows="3" placeholder="/admin oder mining-users, je Zeile oder Komma"><?= e(implode("\n", is_array($authConfig['groups'] ?? null) ? $authConfig['groups'] : [])) ?></textarea>
-      </label>
-      <small class="muted">Wenn Login aktiv ist und Benutzer/Gruppen leer bleiben, darf jeder eingeloggte Benutzer das Modul oeffnen.</small>
-    </div>
-
     <div style="display:flex; gap:10px;">
       <button class="cta-button" type="submit">Speichern</button>
+      <a class="nav-link" href="/modules/access/<?= e($moduleName) ?>">Zugriff verwalten</a>
       <a class="nav-link" href="/modules">Zurück</a>
     </div>
   </form>
diff --git a/public/index.php b/public/index.php
index 482c403..9d32f19 100755
--- a/public/index.php
+++ b/public/index.php
@@ -25,7 +25,8 @@ $publicPaths = [
     'module/pi_control/terminal_info',
 ];
 $requiresGlobalAuth = in_array($uriPath, ['settings', 'users', 'modules', 'modules/install', 'modules/sql-import', 'debug', 'exports/database.sql'], true)
-    || str_starts_with($uriPath, 'modules/setup/');
+    || str_starts_with($uriPath, 'modules/setup/')
+    || str_starts_with($uriPath, 'modules/access/');
 if (defined('APP_AUTH_ENABLED') && APP_AUTH_ENABLED && $requiresGlobalAuth && !in_array($uriPath, $publicPaths, true)) {
     $user = auth_user();
     if (!$user) {
@@ -94,7 +95,7 @@ if (preg_match('~^api/module-auth/([a-zA-Z0-9_-]+)$~', $uriPath, $moduleAuthMatc
         echo json_encode(['error' => 'auth_required'], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
         exit;
     }
-    if (!$auth->canAccessModule($moduleMeta)) {
+    if (!auth_is_admin()) {
         http_response_code(403);
         header('Content-Type: application/json; charset=utf-8');
         echo json_encode(['error' => 'forbidden'], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
@@ -200,6 +201,9 @@ if (str_starts_with($uriPath, 'modules/install')) {
 } elseif (str_starts_with($uriPath, 'modules/setup/')) {
     $_GET['module'] = trim(substr($uriPath, strlen('modules/setup/')), '/');
     $target = $pagesBase . '/modules/setup.php';
+} elseif (str_starts_with($uriPath, 'modules/access/')) {
+    $_GET['module'] = trim(substr($uriPath, strlen('modules/access/')), '/');
+    $target = $pagesBase . '/modules/access.php';
 } elseif ($uriPath === 'modules/sql-import') {
     $target = $pagesBase . '/modules/sql_import.php';
 } elseif ($uriPath === 'auth/login') {