diff --git a/engines/dfc_provider/app/controllers/dfc_provider/application_controller.rb b/engines/dfc_provider/app/controllers/dfc_provider/application_controller.rb
index d403ba8958..8b5a239eb1 100644
--- a/engines/dfc_provider/app/controllers/dfc_provider/application_controller.rb
+++ b/engines/dfc_provider/app/controllers/dfc_provider/application_controller.rb
@@ -16,6 +16,12 @@ module DfcProvider
 private
+ def require_permission(scope)
+ return true if current_user.is_a? Spree::User
+
+ current_user.permissions(scope).where(enterprise: current_enterprise).exists?
+ end
+
 def check_authorization
 unauthorized if current_user.nil?
 end
diff --git a/engines/dfc_provider/app/controllers/dfc_provider/catalog_items_controller.rb b/engines/dfc_provider/app/controllers/dfc_provider/catalog_items_controller.rb
index 1fe2a0bde2..15705dc217 100644
--- a/engines/dfc_provider/app/controllers/dfc_provider/catalog_items_controller.rb
+++ b/engines/dfc_provider/app/controllers/dfc_provider/catalog_items_controller.rb
@@ -7,6 +7,8 @@ module DfcProvider
 before_action :check_enterprise
 def index
+ require_permission "ReadProducts"
+
 enterprises = current_user.enterprises.map do |enterprise|
 EnterpriseBuilder.enterprise(enterprise)
 end
diff --git a/engines/dfc_provider/app/services/api_user.rb b/engines/dfc_provider/app/services/api_user.rb
index 50afc792bd..82f671e88d 100644
--- a/engines/dfc_provider/app/services/api_user.rb
+++ b/engines/dfc_provider/app/services/api_user.rb
@@ -19,7 +19,10 @@ class ApiUser
 end
 def enterprises
- permissions = DfcPermission.where(grantee: id, scope: "ReadProducts")
- Enterprise.where(dfc_permissions: permissions)
+ Enterprise.where(dfc_permissions: permissions("ReadEnterprise"))
+ end
+
+ def permissions(scope)
+ DfcPermission.where(grantee: id, scope:)
 end
 end
diff --git a/engines/dfc_provider/spec/requests/catalog_items_spec.rb b/engines/dfc_provider/spec/requests/catalog_items_spec.rb
index c3f4c889cf..c35917c151 100644
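Review bot: `require_permission` only returns a boolean and never halts the request, so its single call site, `require_permission "ReadProducts"` in CatalogItemsController#index in the second hunk, discards the result and the action proceeds for a grantee that lacks that scope. Either consume the value at the call site, `return unauthorized unless require_permission("ReadProducts")` (assuming `unauthorized` renders a response, as its use in the `check_authorization` before_action suggests), or make the helper enforce, e.g. `return if current_user.is_a? Spree::User` followed by `unauthorized unless current_user.permissions(scope).where(enterprise: current_enterprise).exists?`, and rename it accordingly if it stays a predicate. The `Spree::User` early return grants every scope to any logged-in Spree user regardless of `current_enterprise`; if that is intended it deserves a comment such as `# Logged-in Spree users are authorised by the existing session checks; scoped DFC grants apply to API users only.`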
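Review bot: The scope of the new check and the data returned do not match: `require_permission "ReadProducts"` (per the first hunk) tests the grant against `current_enterprise` only, while the following line builds the response from every enterprise in `current_user.enterprises`, which after the api_user.rb change is any enterprise carrying a ReadEnterprise grant. A grantee with ReadProducts on one enterprise and only ReadEnterprise on another would therefore receive the second enterprise's catalog. For API users, deriving the list from the products grant instead, mirroring the existing `Enterprise.where(dfc_permissions: current_user.permissions("ReadProducts"))` pattern from ApiUser#enterprises, would keep the check and the output aligned; how `Spree::User` callers should be handled is not visible here and needs confirming. The body of `index` continues outside the hunk.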
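Review bot: `enterprises` now requires a ReadEnterprise grant where it previously matched ReadProducts, so existing DfcPermission rows that only carry ReadProducts stop yielding any enterprise here; if such rows exist this needs a data migration or a transitional check, and the intent deserves a comment such as `# Enterprise visibility is granted by ReadEnterprise; product access is checked separately per scope.` The new public `permissions(scope)` takes a free-form string, so a misspelled scope at a call site silently yields an empty relation (fail-closed, but hard to diagnose); a frozen constant list of known scopes, e.g. `SCOPES = %w[ReadEnterprise ReadProducts].freeze`, referenced by callers, would catch that at review time.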
--- a/engines/dfc_provider/spec/requests/catalog_items_spec.rb
+++ b/engines/dfc_provider/spec/requests/catalog_items_spec.rb
@@ -76,6 +76,10 @@ RSpec.describe "CatalogItems", swagger_doc: "dfc.yaml" do
 before {
 login_as nil
+ DfcPermission.create!(
+ user:, enterprise_id:,
+ scope: "ReadEnterprise", grantee: "cqcm-dev",
+ )
 DfcPermission.create!(
 user:, enterprise_id:,
 scope: "ReadProducts", grantee: "cqcm-dev",
diff --git a/engines/dfc_provider/spec/requests/enterprises_spec.rb b/engines/dfc_provider/spec/requests/enterprises_spec.rb
index 331626e46e..ce77208509 100644
--- a/engines/dfc_provider/spec/requests/enterprises_spec.rb
+++ b/engines/dfc_provider/spec/requests/enterprises_spec.rb
@@ -3,6 +3,7 @@ require_relative "../swagger_helper"
 RSpec.describe "Enterprises", swagger_doc: "dfc.yaml" do
+ let(:Authorization) { nil }
 let!(:user) { create(:oidc_user) }
 let!(:enterprise) do
 create(
@@ -51,6 +52,26 @@ RSpec.describe "Enterprises", swagger_doc: "dfc.yaml" do
 produces "application/json"
 response "200", "successful" do
+ context "as platform user" do
+ let(:id) { 10_000 }
+ let(:sib_token) { file_fixture("startinblox_access_token.jwt").read }
+ let(:Authorization) { "Bearer #{sib_token}" }
+
+ before {
+ login_as nil
+ DfcPermission.create!(
+ user:, enterprise_id: id,
+ scope: "ReadEnterprise", grantee: "cqcm-dev",
+ )
+ }
+
+ around do |example|
+ Timecop.travel(Date.parse("2025-06-13")) { example.run }
+ end
+
+ run_test!
+ end
+
 context "without enterprise id" do
 let(:id) { "default" }
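Review bot: The catalog_items spec now grants both ReadEnterprise and ReadProducts to `cqcm-dev`, but no example leaves ReadProducts out, so the denying path of the new `require_permission "ReadProducts"` check in CatalogItemsController#index is never exercised and a check that does not actually halt the request would still pass this suite. A sibling context that creates only the ReadEnterprise permission and asserts the unauthorized response would pin the intended behaviour. The same gap applies to the new "as platform user" context in enterprises_spec further down, which only covers the 200 case for a grantee holding ReadEnterprise.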