diff --git a/tests/unit/accounts/test_models.py b/tests/unit/accounts/test_models.py
index 7008049950f5..02889c6eede2 100644
--- a/tests/unit/accounts/test_models.py
+++ b/tests/unit/accounts/test_models.py
@@ -18,6 +18,7 @@
 from pyramid.authorization import Authenticated
 
 from warehouse.accounts.models import Email, RecoveryCode, User, UserFactory, WebAuthn
+from warehouse.authnz import Permissions
 from warehouse.utils.security_policy import principals_for
 
 from ...common.db.accounts import (
@@ -164,8 +165,20 @@ def test_has_no_burned_recovery_codes(self, db_session):
     def test_acl(self, db_session):
         user = DBUserFactory.create()
         assert user.__acl__() == [
-            ("Allow", "group:admins", "admin"),
-            ("Allow", "group:moderators", "moderator"),
+            (
+                "Allow",
+                "group:admins",
+                (
+                    Permissions.AdminUsersRead,
+                    Permissions.AdminUsersWrite,
+                    Permissions.AdminDashboardSidebarRead,
+                ),
+            ),
+            (
+                "Allow",
+                "group:moderators",
+                (Permissions.AdminUsersRead, Permissions.AdminDashboardSidebarRead),
+            ),
         ]
 
     @pytest.mark.parametrize(
diff --git a/tests/unit/organizations/test_models.py b/tests/unit/organizations/test_models.py
index 4d51ae1256ce..1c6eadab406f 100644
--- a/tests/unit/organizations/test_models.py
+++ b/tests/unit/organizations/test_models.py
@@ -17,6 +17,7 @@
 from pyramid.httpexceptions import HTTPPermanentRedirect
 from pyramid.location import lineage
 
+from warehouse.authnz import Permissions
 from warehouse.organizations.models import (
     OrganizationFactory,
     OrganizationRoleType,
@@ -115,8 +116,15 @@ def test_acl(self, db_session):
             acls.extend(acl)
 
         assert acls == [
-            (Allow, "group:admins", "admin"),
-            (Allow, "group:moderators", "moderator"),
+            (
+                Allow,
+                "group:admins",
+                (
+                    Permissions.AdminOrganizationsRead,
+                    Permissions.AdminOrganizationsWrite,
+                ),
+            ),
+            (Allow, "group:moderators", Permissions.AdminOrganizationsRead),
         ] + sorted(
             [
                 (
@@ -299,8 +307,15 @@ def test_acl(self, db_session):
             acls.extend(acl)
 
         assert acls == [
-            (Allow, "group:admins", "admin"),
-            (Allow, "group:moderators", "moderator"),
+            (
+                Allow,
+                "group:admins",
+                (
+                    Permissions.AdminOrganizationsRead,
+                    Permissions.AdminOrganizationsWrite,
+                ),
+            ),
+            (Allow, "group:moderators", Permissions.AdminOrganizationsRead),
         ] + sorted(
             [
                 (
diff --git a/tests/unit/packaging/test_models.py b/tests/unit/packaging/test_models.py
index 92e41fc807ce..c40d7b18033a 100644
--- a/tests/unit/packaging/test_models.py
+++ b/tests/unit/packaging/test_models.py
@@ -18,6 +18,7 @@
 from pyramid.authorization import Allow
 from pyramid.location import lineage
 
+from warehouse.authnz import Permissions
 from warehouse.organizations.models import TeamProjectRoleType
 from warehouse.packaging.models import File, ProjectFactory, ReleaseURL
 
@@ -158,8 +159,33 @@ def test_acl(self, db_session):
             acls.extend(acl)
 
         assert acls == [
-            (Allow, "group:admins", "admin"),
-            (Allow, "group:moderators", "moderator"),
+            (
+                Allow,
+                "group:admins",
+                (
+                    Permissions.AdminDashboardSidebarRead,
+                    Permissions.AdminObservationsRead,
+                    Permissions.AdminObservationsWrite,
+                    Permissions.AdminProhibitedProjectsWrite,
+                    Permissions.AdminProjectsDelete,
+                    Permissions.AdminProjectsRead,
+                    Permissions.AdminProjectsWrite,
+                    Permissions.AdminRoleAdd,
+                    Permissions.AdminRoleDelete,
+                ),
+            ),
+            (
+                Allow,
+                "group:moderators",
+                (
+                    Permissions.AdminDashboardSidebarRead,
+                    Permissions.AdminObservationsRead,
+                    Permissions.AdminObservationsWrite,
+                    Permissions.AdminProjectsRead,
+                    Permissions.AdminRoleAdd,
+                    Permissions.AdminRoleDelete,
+                ),
+            ),
         ] + sorted(
             [(Allow, f"oidc:{publisher.id}", ["upload"])], key=lambda x: x[1]
         ) + sorted(
@@ -415,8 +441,33 @@ def test_acl(self, db_session):
             acls.extend(acl)
 
         assert acls == [
-            (Allow, "group:admins", "admin"),
-            (Allow, "group:moderators", "moderator"),
+            (
+                Allow,
+                "group:admins",
+                (
+                    Permissions.AdminDashboardSidebarRead,
+                    Permissions.AdminObservationsRead,
+                    Permissions.AdminObservationsWrite,
+                    Permissions.AdminProhibitedProjectsWrite,
+                    Permissions.AdminProjectsDelete,
+                    Permissions.AdminProjectsRead,
+                    Permissions.AdminProjectsWrite,
+                    Permissions.AdminRoleAdd,
+                    Permissions.AdminRoleDelete,
+                ),
+            ),
+            (
+                Allow,
+                "group:moderators",
+                (
+                    Permissions.AdminDashboardSidebarRead,
+                    Permissions.AdminObservationsRead,
+                    Permissions.AdminObservationsWrite,
+                    Permissions.AdminProjectsRead,
+                    Permissions.AdminRoleAdd,
+                    Permissions.AdminRoleDelete,
+                ),
+            ),
         ] + sorted(
             [
                 (Allow, f"user:{owner1.user.id}", ["manage:project", "upload"]),
diff --git a/tests/unit/test_config.py b/tests/unit/test_config.py
index 82ab1f3c9fb9..eb34e58e8234 100644
--- a/tests/unit/test_config.py
+++ b/tests/unit/test_config.py
@@ -24,6 +24,7 @@
 from pyramid.tweens import EXCVIEW
 
 from warehouse import config
+from warehouse.authnz import Permissions
 from warehouse.utils.wsgi import ProxyFixer, VhmRootRemover
 
 
@@ -453,11 +454,69 @@ def test_root_factory_access_control_list():
     acl = config.RootFactory.__acl__
 
     assert acl == [
-        (Allow, "group:admins", "admin"),
-        (Allow, "group:admins", "admin_dashboard_access"),
-        (Allow, "group:moderators", "moderator"),
-        (Allow, "group:moderators", "admin_dashboard_access"),
-        (Allow, "group:psf_staff", "psf_staff"),
-        (Allow, "group:psf_staff", "admin_dashboard_access"),
+        (
+            Allow,
+            "group:admins",
+            (
+                Permissions.AdminBannerRead,
+                Permissions.AdminBannerWrite,
+                Permissions.AdminDashboardRead,
+                Permissions.AdminDashboardSidebarRead,
+                Permissions.AdminEmailsRead,
+                Permissions.AdminEmailsWrite,
+                Permissions.AdminFlagsRead,
+                Permissions.AdminFlagsWrite,
+                Permissions.AdminIpAddressesRead,
+                Permissions.AdminJournalRead,
+                Permissions.AdminMacaroonsRead,
+                Permissions.AdminMacaroonsWrite,
+                Permissions.AdminObservationsRead,
+                Permissions.AdminObservationsWrite,
+                Permissions.AdminOrganizationsRead,
+                Permissions.AdminOrganizationsWrite,
+                Permissions.AdminProhibitedProjectsRead,
+                Permissions.AdminProhibitedProjectsWrite,
+                Permissions.AdminProjectsDelete,
+                Permissions.AdminProjectsRead,
+                Permissions.AdminProjectsWrite,
+                Permissions.AdminRoleAdd,
+                Permissions.AdminRoleDelete,
+                Permissions.AdminSponsorsRead,
+                Permissions.AdminUsersRead,
+                Permissions.AdminUsersWrite,
+            ),
+        ),
+        (
+            Allow,
+            "group:moderators",
+            (
+                Permissions.AdminBannerRead,
+                Permissions.AdminDashboardRead,
+                Permissions.AdminDashboardSidebarRead,
+                Permissions.AdminEmailsRead,
+                Permissions.AdminFlagsRead,
+                Permissions.AdminJournalRead,
+                Permissions.AdminObservationsRead,
+                Permissions.AdminObservationsWrite,
+                Permissions.AdminOrganizationsRead,
+                Permissions.AdminProhibitedProjectsRead,
+                Permissions.AdminProjectsRead,
+                Permissions.AdminRoleAdd,
+                Permissions.AdminRoleDelete,
+                Permissions.AdminSponsorsRead,
+                Permissions.AdminUsersRead,
+            ),
+        ),
+        (
+            Allow,
+            "group:psf_staff",
+            (
+                Permissions.AdminBannerRead,
+                Permissions.AdminBannerWrite,
+                Permissions.AdminDashboardRead,
+                Permissions.AdminSponsorsRead,
+                Permissions.AdminSponsorsWrite,
+            ),
+        ),
         (Allow, Authenticated, "manage:user"),
     ]
diff --git a/warehouse/accounts/models.py b/warehouse/accounts/models.py
index 95ec80b5441c..ffec187b5ee2 100644
--- a/warehouse/accounts/models.py
+++ b/warehouse/accounts/models.py
@@ -35,6 +35,7 @@
 from sqlalchemy.orm import Mapped, mapped_column
 
 from warehouse import db
+from warehouse.authnz import Permissions
 from warehouse.events.models import HasEvents
 from warehouse.observations.models import HasObserversMixin
 from warehouse.sitemap.models import SitemapMixin
@@ -253,9 +254,25 @@ def __principals__(self) -> list[str]:
         return principals
 
     def __acl__(self):
+        # TODO: This ACL is duplicating permissions set in RootFactory.__acl__
+        #   If nothing else, setting the ACL on the model is more restrictive
+        #   than RootFactory.__acl__, which is why we duplicate
+        #   AdminDashboardSidebarRead here, otherwise the sidebar is not displayed.
         return [
-            (Allow, "group:admins", "admin"),
-            (Allow, "group:moderators", "moderator"),
+            (
+                Allow,
+                "group:admins",
+                (
+                    Permissions.AdminUsersRead,
+                    Permissions.AdminUsersWrite,
+                    Permissions.AdminDashboardSidebarRead,
+                ),
+            ),
+            (
+                Allow,
+                "group:moderators",
+                (Permissions.AdminUsersRead, Permissions.AdminDashboardSidebarRead),
+            ),
         ]
 
     def __lt__(self, other):
diff --git a/warehouse/admin/templates/admin/banners/edit.html b/warehouse/admin/templates/admin/banners/edit.html
index f685c8aa5d69..bcb98b4cd996 100644
--- a/warehouse/admin/templates/admin/banners/edit.html
+++ b/warehouse/admin/templates/admin/banners/edit.html
@@ -82,12 +82,12 @@ <h3 class="card-title">Create banner</h3>
 
 
             <div class="form-group">
-              <button type="submit" class="btn btn-danger" title="{{ 'Submitting requires staff privileges' if not request.has_permission('psf_staff') }}" {{ "disabled" if not request.has_permission('psf_staff') }}>Submit</button>
+              <button type="submit" class="btn btn-danger" title="{{ 'Submitting requires staff privileges' if not request.has_permission(Permissions.AdminBannerWrite) }}" {{ "disabled" if not request.has_permission(Permissions.AdminBannerWrite) }}>Submit</button>
 
               {% if banner %}
               <a class="btn btn-info" href="{{ request.route_path('admin.banner.preview', banner_id=banner.id) }}" rel="nofollow noopener noreferrer" target="_blank"><i class="icon fa fa-eye"></i> Preview Saved</a>
 
-              <button type="button" class="btn btn-danger float-right" data-toggle="modal" data-target="#deleteBanner" {{ "disabled" if not request.has_permission('psf_staff') }} value=>
+              <button type="button" class="btn btn-danger float-right" data-toggle="modal" data-target="#deleteBanner" {{ "disabled" if not request.has_permission(Permissions.AdminBannerWrite) }} value=>
                 <i class="icon fa fa-trash"></i> Delete banner
               </button>
               {% endif %}
diff --git a/warehouse/admin/templates/admin/banners/list.html b/warehouse/admin/templates/admin/banners/list.html
index f7c95bd4c32c..308568b0ffad 100644
--- a/warehouse/admin/templates/admin/banners/list.html
+++ b/warehouse/admin/templates/admin/banners/list.html
@@ -22,7 +22,7 @@
 {% block content %}
 
 <div class="card card-primary card-outline">
-  {% if request.has_permission('psf_staff') %}
+  {% if request.has_permission(Permissions.AdminBannerWrite) %}
   <div class="card-header">
     <a class="btn btn-primary" href="{{ request.route_path('admin.banner.create') }}"><i class="fa fa-plus"></i> Create Banner</a>
   </div>
diff --git a/warehouse/admin/templates/admin/base.html b/warehouse/admin/templates/admin/base.html
index abda52950949..0948ecd8fbef 100644
--- a/warehouse/admin/templates/admin/base.html
+++ b/warehouse/admin/templates/admin/base.html
@@ -111,7 +111,8 @@
       <!-- Sidebar Menu -->
       <nav class="mt-2">
         <ul class="nav nav-pills nav-sidebar flex-column" data-widget="treeview" role="menu" data-accordion="false">
-          {% if request.has_permission('moderator') %}
+          {# TODO: Is there a cleaner way to show/hide the allowed sections? #}
+          {% if request.has_permission(Permissions.AdminDashboardSidebarRead) %}
           <li class="nav-item">
             <a href="{{ request.route_path('admin.organization_application.list') }}" class="nav-link">
               <i class="fa fa-sitemap nav-icon"></i> <p>Organization Applications <span class="right badge badge-danger">New</span></p>
@@ -163,6 +164,7 @@
             </a>
           </li>
           {% endif %}
+          {# TODO: This is implicitly allowed for PSF Staff #}
           <li class="nav-item">
             <a href="{{ request.route_path('admin.banner.list') }}" class="nav-link">
               <i class="fa fa-quote-right nav-icon"></i> <p>Banners</p>
diff --git a/warehouse/admin/templates/admin/emails/list.html b/warehouse/admin/templates/admin/emails/list.html
index d6a9fef1d744..b496964f413d 100644
--- a/warehouse/admin/templates/admin/emails/list.html
+++ b/warehouse/admin/templates/admin/emails/list.html
@@ -36,6 +36,7 @@
 {% endblock %}
 
 {% block content %}
+{% if request.has_permission(Permissions.AdminEmailsWrite) %}
 <form method="POST" action={{ request.route_path('admin.emails.mass') }} enctype="multipart/form-data">
   <input name="csrf_token" type="hidden" value="{{ request.session.get_csrf_token() }}">
   <div class="card card-primary card-outline">
@@ -58,6 +59,7 @@ <h3 class="card-title">Send mass emails</h3>
     </div>
   </div>
 </form>
+{% endif %}
 
 <div class="card card-primary card-outline">
   <div class="card-header">
diff --git a/warehouse/admin/templates/admin/flags/index.html b/warehouse/admin/templates/admin/flags/index.html
index 7903f217bb53..021fe1717a1a 100644
--- a/warehouse/admin/templates/admin/flags/index.html
+++ b/warehouse/admin/templates/admin/flags/index.html
@@ -46,10 +46,10 @@ <h3 class="card-title">Edit Flags</h3>
           <input name="csrf_token" type="hidden" value="{{ csrf_token }}">
           <input name="id" type="hidden" value="{{ flag.id }}">
           <td><code>{{ flag.id }}</code></td>
-          <td><input name="description" size="50" value="{{ flag.description }}" {{ "disabled" if not request.has_permission('admin') }}></td>
+          <td><input name="description" size="50" value="{{ flag.description }}" {{ "disabled" if not request.has_permission(Permissions.AdminFlagsWrite) }}></td>
           <td>{{ flag.notify }}</td>
-          <td><input name="enabled" type="checkbox" {{ "disabled" if not request.has_permission('admin') }} {{ 'checked' if flag.enabled else '' }}></td>
-          <td><input type="submit" title="{{ 'Flag changes require superuser privileges' if not request.has_permission('admin') }}" value="Save" {{ "disabled" if not request.has_permission('admin') }}></td>
+          <td><input name="enabled" type="checkbox" {{ "disabled" if not request.has_permission(Permissions.AdminFlagsWrite) }} {{ 'checked' if flag.enabled else '' }}></td>
+          <td><input type="submit" title="{{ 'Flag changes require superuser privileges' if not request.has_permission(Permissions.AdminFlagsWrite) }}" value="Save" {{ "disabled" if not request.has_permission(Permissions.AdminFlagsWrite) }}></td>
         </form>
       </tr>
       {% endfor %}
diff --git a/warehouse/admin/templates/admin/macaroons/detail.html b/warehouse/admin/templates/admin/macaroons/detail.html
index 5229d18ece83..7db4d2eff0f4 100644
--- a/warehouse/admin/templates/admin/macaroons/detail.html
+++ b/warehouse/admin/templates/admin/macaroons/detail.html
@@ -70,7 +70,7 @@
   </div>
   <div class="card-footer">
     <div class="form-group">
-      <button type="button" class="btn btn-danger float-right" data-toggle="modal" data-target="#deleteMacaroon" {{ "disabled" if not request.has_permission('admin') }} value=>
+      <button type="button" class="btn btn-danger float-right" data-toggle="modal" data-target="#deleteMacaroon" {{ "disabled" if not request.has_permission(Permissions.AdminMacaroonsWrite) }} value=>
         <i class="icon fa fa-trash"></i> Delete Macaroon
       </button>
     </div>
diff --git a/warehouse/admin/templates/admin/organization_applications/detail.html b/warehouse/admin/templates/admin/organization_applications/detail.html
index adb98eb0547d..f81f86fe9062 100644
--- a/warehouse/admin/templates/admin/organization_applications/detail.html
+++ b/warehouse/admin/templates/admin/organization_applications/detail.html
@@ -13,24 +13,6 @@
 -#}
 {% extends "admin/base.html" %}
 
-{% macro render_field(label, field, input_id, placeholder=None, class=None) %}
-<div class="form-group{% if field.errors %} has-error{% endif %}">
-  <label for="{{ input_id }}" class="col-sm-2 control-label">{{ label }}</label>
-
-  <div class="col-sm-10">
-    {{ field(id=input_id, class=class, placeholder=placeholder, disabled=(not request.has_permission('admin')))}}
-
-    {% if field.errors %}
-    <div class="help-block">
-    {% for error in field.errors %}
-      <div>{{ error }}</div>
-    {% endfor %}
-    </div>
-    {% endif %}
-  </div>
-</div>
-{% endmacro %}
-
 {% block title %}Application for {{ organization_application.name }}{% endblock %}
 
 {% block breadcrumb %}
@@ -63,10 +45,10 @@ <h2 class="card-title">Actions</h2>
             Approve or decline request for organization named <strong>{{ organization_application.name }}</strong>?
           </p>
           <div class="form-group">
-            <button type="button" class="btn {{ 'btn-primary' if organization_application.is_approved != True else '' }} btn-block" data-toggle="modal" data-target="#approveModal" {{ 'disabled' if not request.has_permission('admin') or organization_application.is_approved == True }} title="{{ 'Admin permission required to approve organization request' if not request.has_permission('admin') else 'Organization request already approved' if organization_application.is_approved == True else 'Approve organization request' }}">
+            <button type="button" class="btn {{ 'btn-primary' if organization_application.is_approved != True else '' }} btn-block" data-toggle="modal" data-target="#approveModal" {{ 'disabled' if not request.has_permission(Permissions.AdminOrganizationsWrite) or organization_application.is_approved == True }} title="{{ 'Admin permission required to approve organization request' if not request.has_permission(Permissions.AdminOrganizationsWrite) else 'Organization request already approved' if organization_application.is_approved == True else 'Approve organization request' }}">
               <i class="icon fa fa-check"></i> Approve
             </button>
-            <button type="button" class="btn {{ 'btn-danger' if organization_application.is_approved != False else '' }} btn-block" data-toggle="modal" data-target="#declineModal" {{ 'disabled' if not request.has_permission('admin') or organization_application.is_approved == False }} title="{{ 'Admin permission required to decline organization request' if not request.has_permission('admin') else 'Organization request already declined' if organization_application.is_approved == False else 'Decline organization request' }}">
+            <button type="button" class="btn {{ 'btn-danger' if organization_application.is_approved != False else '' }} btn-block" data-toggle="modal" data-target="#declineModal" {{ 'disabled' if not request.has_permission(Permissions.AdminOrganizationsWrite) or organization_application.is_approved == False }} title="{{ 'Admin permission required to decline organization request' if not request.has_permission(Permissions.AdminOrganizationsWrite) else 'Organization request already declined' if organization_application.is_approved == False else 'Decline organization request' }}">
               <i class="icon fa fa-times"></i> Decline
             </button>
             {% if user %}
diff --git a/warehouse/admin/templates/admin/organizations/detail.html b/warehouse/admin/templates/admin/organizations/detail.html
index 40039503db46..f63108a7c5f6 100644
--- a/warehouse/admin/templates/admin/organizations/detail.html
+++ b/warehouse/admin/templates/admin/organizations/detail.html
@@ -13,24 +13,6 @@
 -#}
 {% extends "admin/base.html" %}
 
-{% macro render_field(label, field, input_id, placeholder=None, class=None) %}
-<div class="form-group{% if field.errors %} has-error{% endif %}">
-  <label for="{{ input_id }}" class="col-sm-2 control-label">{{ label }}</label>
-
-  <div class="col-sm-10">
-    {{ field(id=input_id, class=class, placeholder=placeholder, disabled=(not request.has_permission('admin')))}}
-
-    {% if field.errors %}
-    <div class="help-block">
-    {% for error in field.errors %}
-      <div>{{ error }}</div>
-    {% endfor %}
-    </div>
-    {% endif %}
-  </div>
-</div>
-{% endmacro %}
-
 {% block title %}{{ organization.name }}{% endblock %}
 
 {% block breadcrumb %}
diff --git a/warehouse/admin/templates/admin/prohibited_project_names/bulk.html b/warehouse/admin/templates/admin/prohibited_project_names/bulk.html
index 2e226ea3a549..0fc061f2729c 100644
--- a/warehouse/admin/templates/admin/prohibited_project_names/bulk.html
+++ b/warehouse/admin/templates/admin/prohibited_project_names/bulk.html
@@ -31,18 +31,18 @@ <h3 class="card-title">Prohibit project name</h3>
     <div class="card-body">
       <div class="form-group">
         <label for="prohibitedProjectName">Project name(s)</label>
-        <textarea name="projects" class="form-control" id="prohibitedProjectName" rows="20" placeholder="Enter project name(s) to prohibit " {{ "disabled" if not request.has_permission('admin') }} autocomplete="off" autocorrect="off" autocapitalize="off"></textarea>
+        <textarea name="projects" class="form-control" id="prohibitedProjectName" rows="20" placeholder="Enter project name(s) to prohibit " {{ "disabled" if not request.has_permission(Permissions.AdminProhibitedProjectsWrite) }} autocomplete="off" autocorrect="off" autocapitalize="off"></textarea>
       </div>
 
       <div class="form-group">
         <label for="prohibitedComment">Comment</label>
-        <textarea name="comment" class="form-control" id="prohibitedComment" rows="3" placeholder="Enter comment ..." {{ "disabled" if not request.has_permission('admin') }}></textarea>
+        <textarea name="comment" class="form-control" id="prohibitedComment" rows="3" placeholder="Enter comment ..." {{ "disabled" if not request.has_permission(Permissions.AdminProhibitedProjectsWrite) }}></textarea>
       </div>
     </div>
 
     <div class="card-footer">
       <div class="float-right">
-        <button type="submit" class="btn btn-danger" title="{{ 'Submitting requires superuser privileges' if not request.has_permission('admin') }}" {{ "disabled" if not request.has_permission('admin') }}>Submit</button>
+        <button type="submit" class="btn btn-danger" title="{{ 'Submitting requires superuser privileges' if not request.has_permission(Permissions.AdminProhibitedProjectsWrite) }}" {{ "disabled" if not request.has_permission(Permissions.AdminProhibitedProjectsWrite) }}>Submit</button>
       </div>
     </div>
   </form>
diff --git a/warehouse/admin/templates/admin/prohibited_project_names/list.html b/warehouse/admin/templates/admin/prohibited_project_names/list.html
index b0f8ef3c5cf9..6a87f44e6887 100644
--- a/warehouse/admin/templates/admin/prohibited_project_names/list.html
+++ b/warehouse/admin/templates/admin/prohibited_project_names/list.html
@@ -66,7 +66,7 @@
             <input name="csrf_token" type="hidden" value="{{ request.session.get_csrf_token() }}">
             <input name="prohibited_project_name_id" type="hidden" value="{{ prohibited_project_name.id }}">
             <input name="next" type="hidden" value="{{ request.current_route_path() }}">
-            <button type="submit" class="btn btn-link" title="{{ 'Submitting requires superuser privileges' if not request.has_permission('admin') }}" {{ "disabled" if not request.has_permission('admin') }}>
+            <button type="submit" class="btn btn-link" title="{{ 'Submitting requires superuser privileges' if not request.has_permission(Permissions.AdminProhibitedProjectsWrite) }}" {{ "disabled" if not request.has_permission(Permissions.AdminProhibitedProjectsWrite) }}>
               <i class="fa fa-times"></i>
             </button>
           </form>
@@ -74,10 +74,10 @@
             <input name="csrf_token" type="hidden" value="{{ request.session.get_csrf_token() }}">
             <input name="project_name" type="hidden" value="{{ prohibited_project_name.name }}">
             <input name="next" type="hidden" value="{{ request.current_route_path() }}">
-            <button type="submit" class="btn btn-link" title="{{ 'Submitting requires superuser privileges' if not request.has_permission('admin') }}" {{ "disabled" if not request.has_permission('admin') }}>
+            <button type="submit" class="btn btn-link" title="{{ 'Submitting requires superuser privileges' if not request.has_permission(Permissions.AdminProhibitedProjectsWrite) }}" {{ "disabled" if not request.has_permission(Permissions.AdminProhibitedProjectsWrite) }}>
               <i class="fa fa-hands"></i>
             </button>
-            <input name="username" type="text">
+            <input name="username" type="text" {{ "disabled" if not request.has_permission(Permissions.AdminProhibitedProjectsWrite) }}>
           </form>
         </td>
       </tr>
@@ -109,19 +109,19 @@ <h3 class="card-title">Prohibit project name</h3>
     <div class="card-body">
       <div class="form-group col-sm-4">
         <label for="prohibitedProjectName">Project name</label>
-        <input name="project" class="form-control" id="prohibitedProjectName" placeholder="Enter project name to prohibit " {{ "disabled" if not request.has_permission('admin') }} autocomplete="off" autocorrect="off" autocapitalize="off">
+        <input name="project" class="form-control" id="prohibitedProjectName" placeholder="Enter project name to prohibit " {{ "disabled" if not request.has_permission(Permissions.AdminProhibitedProjectsWrite) }} autocomplete="off" autocorrect="off" autocapitalize="off">
       </div>
 
       <div class="form-group col-sm-8">
         <label for="prohibitedComment">Comment</label>
-        <textarea name="comment" class="form-control" id="prohibitedComment" rows="3" placeholder="Enter comment ..." {{ "disabled" if not request.has_permission('admin') }}></textarea>
+        <textarea name="comment" class="form-control" id="prohibitedComment" rows="3" placeholder="Enter comment ..." {{ "disabled" if not request.has_permission(Permissions.AdminProhibitedProjectsWrite) }}></textarea>
       </div>
     </div>
 
 
     <div class="card-footer">
       <div class="float-right">
-        <button type="submit" class="btn btn-primary" title="{{ 'Submitting requires superuser privileges' if not request.has_permission('admin') }}" {{ "disabled" if not request.has_permission('admin') }}>Submit</button>
+        <button type="submit" class="btn btn-primary" title="{{ 'Submitting requires superuser privileges' if not request.has_permission(Permissions.AdminProhibitedProjectsWrite) }}" {{ "disabled" if not request.has_permission(Permissions.AdminProhibitedProjectsWrite) }}>Submit</button>
       </div>
     </div>
   </form>
diff --git a/warehouse/admin/templates/admin/prohibited_user_names/bulk.html b/warehouse/admin/templates/admin/prohibited_user_names/bulk.html
index a3667d78f466..34dd38fd01e3 100644
--- a/warehouse/admin/templates/admin/prohibited_user_names/bulk.html
+++ b/warehouse/admin/templates/admin/prohibited_user_names/bulk.html
@@ -31,13 +31,13 @@ <h3 class="card-title">Prohibit user name</h3>
     <div class="card-body">
       <div class="form-group">
         <label for="prohibitedUserName">User name(s)</label>
-        <textarea name="users" class="form-control" id="prohibitedUserName" rows="20" placeholder="Enter user name(s) to prohibit " {{ "disabled" if not request.has_permission('admin') }} autocomplete="off" autocorrect="off" autocapitalize="off"></textarea>
+        <textarea name="users" class="form-control" id="prohibitedUserName" rows="20" placeholder="Enter user name(s) to prohibit " {{ "disabled" if not request.has_permission(Permissions.AdminUsersWrite) }} autocomplete="off" autocorrect="off" autocapitalize="off"></textarea>
       </div>
     </div>
 
     <div class="card-footer">
       <div class="float-right">
-        <button type="submit" class="btn btn-danger" title="{{ 'Submitting requires superuser privileges' if not request.has_permission('admin') }}" {{ "disabled" if not request.has_permission('admin') }}>Submit</button>
+        <button type="submit" class="btn btn-danger" title="{{ 'Submitting requires superuser privileges' if not request.has_permission(Permissions.AdminUsersWrite) }}" {{ "disabled" if not request.has_permission(Permissions.AdminUsersWrite) }}>Submit</button>
       </div>
     </div>
   </form>
diff --git a/warehouse/admin/templates/admin/projects/delete.html b/warehouse/admin/templates/admin/projects/delete.html
index 2ee4d6f1a3e5..3d99f6f7954c 100644
--- a/warehouse/admin/templates/admin/projects/delete.html
+++ b/warehouse/admin/templates/admin/projects/delete.html
@@ -34,13 +34,13 @@ <h3 class="card-title">Delete Project</h3>
         <label for="confirm_project_name">
           Are you sure you want to delete <strong>{{ project_name }}</strong>?
         </label>
-        <input name="confirm_project_name" id="confirm_project_name" class="form-control" type="text" placeholder="Enter project name to confirm" {{ "disabled" if not request.has_permission('admin') }} autocomplete="off" autocorrect="off" autocapitalize="off">
+        <input name="confirm_project_name" id="confirm_project_name" class="form-control" type="text" placeholder="Enter project name to confirm" {{ "disabled" if not request.has_permission(Permissions.AdminProjectsDelete) }} autocomplete="off" autocorrect="off" autocapitalize="off">
       </div>
     </div>
 
     <div class="card-footer">
       <div class="float-right">
-        <button type="submit" class="btn btn-primary" title="{{ 'Deleting requires superuser privileges' if not request.has_permission('admin') }}" {{ "disabled" if not request.has_permission('admin') }}>Confirm</button>
+        <button type="submit" class="btn btn-primary" title="{{ 'Deleting requires superuser privileges' if not request.has_permission(Permissions.AdminProjectsDelete) }}" {{ "disabled" if not request.has_permission(Permissions.AdminProjectsDelete) }}>Confirm</button>
       </div>
     </div>
   </div>
diff --git a/warehouse/admin/templates/admin/projects/detail.html b/warehouse/admin/templates/admin/projects/detail.html
index c2a261cf91e6..7a1d93c02bc7 100644
--- a/warehouse/admin/templates/admin/projects/detail.html
+++ b/warehouse/admin/templates/admin/projects/detail.html
@@ -15,24 +15,6 @@
 
 {% import "admin/utils/pagination.html" as pagination %}
 
-{% macro render_field(label, field, input_id, placeholder=None, class=None) %}
-<div class="form-group{% if field.errors %} has-error{% endif %}">
-  <label for="{{ input_id }}" class="col-sm-2 control-label">{{ label }}</label>
-
-  <div class="col-sm-10">
-    {{ field(id=input_id, class=class, placeholder=placeholder)}}
-
-    {% if field.errors %}
-    <div class="help-block">
-      {% for error in field.errors %}
-      <div>{{ error }}</div>
-      {% endfor %}
-    </div>
-    {% endif %}
-  </div>
-</div>
-{% endmacro %}
-
 {% block title %}{{ project.name }}{% endblock %}
 
 {% block breadcrumb %}
@@ -133,7 +115,7 @@
             <td><a href="{{ request.route_path('admin.user.detail', username=role.user.username) }}">{{ role.user.username }}</a></td>
             <td>{{ role.role_name }}</td>
             <td>
-              <button type="button" class="btn btn-danger" data-toggle="modal" data-target="#deleteRoleModal-{{ role.id }}" {{ "disabled" if not request.has_permission('moderator') }}>
+              <button type="button" class="btn btn-danger" data-toggle="modal" data-target="#deleteRoleModal-{{ role.id }}" {{ "disabled" if not request.has_permission(Permissions.AdminRoleDelete) }}>
               <i class="fa fa-trash"></i>
               </button>
               <div class="modal fade" id="deleteRoleModal-{{ role.id }}" tabindex="-1" role="dialog">
@@ -173,10 +155,10 @@ <h4 class="modal-title" id="exampleModalLabel">Remove role for {{ role.user.user
             <form method="POST" action="{{ request.route_path('admin.project.add_role', project_name=project.name) }}">
               <input name="csrf_token" type="hidden" value="{{ request.session.get_csrf_token() }}">
               <td>
-                <input name="username" class="form-control" placeholder="Username" required {{ "disabled" if not request.has_permission('moderator') }}>
+                <input name="username" class="form-control" placeholder="Username" required {{ "disabled" if not request.has_permission(Permissions.AdminRoleAdd) }}>
               </td>
               <td>
-                <select class="form-control" name="role_name" required {{ "disabled" if not request.has_permission('moderator') }}>
+                <select class="form-control" name="role_name" required {{ "disabled" if not request.has_permission(Permissions.AdminRoleAdd) }}>
                 <option disabled selected>Select a role</option>
                 {% for role_name in ['Maintainer', 'Owner'] %}
                 <option value="{{ role_name }}">
@@ -186,7 +168,7 @@ <h4 class="modal-title" id="exampleModalLabel">Remove role for {{ role.user.user
                 </select>
               </td>
               <td>
-                <button type="submit" class="btn btn-primary" {{ "disabled" if not request.has_permission('moderator') }}>
+                <button type="submit" class="btn btn-primary" {{ "disabled" if not request.has_permission(Permissions.AdminRoleAdd) }}>
                 <i class="fa fa-plus"></i>
                 </button>
               </td>
@@ -474,13 +456,13 @@ <h3 class="card-title">Prohibit Project Name</h3>
     <div class="card-body">
       <div class="form-group col-sm-12">
         <label for="prohibitedComment">Comment</label>
-        <textarea name="comment" class="form-control" id="prohibitedComment" rows="3" placeholder="Enter comment ..." {{ "disabled" if not request.has_permission('admin') }}></textarea>
+        <textarea name="comment" class="form-control" id="prohibitedComment" rows="3" placeholder="Enter comment ..." {{ "disabled" if not request.has_permission(Permissions.AdminProhibitedProjectsWrite) }}></textarea>
       </div>
     </div>
 
     <div class="card-footer">
       <div class="float-right">
-        <button type="submit" class="btn btn-primary" title="{{ 'Submitting requires superuser privileges' if not request.has_permission('admin') }}" {{ "disabled" if not request.has_permission('admin') }}>Submit</button>
+        <button type="submit" class="btn btn-primary" title="{{ 'Submitting requires superuser privileges' if not request.has_permission(Permissions.AdminProhibitedProjectsWrite) }}" {{ "disabled" if not request.has_permission(Permissions.AdminProhibitedProjectsWrite) }}>Submit</button>
       </div>
     </div>
   </div>
diff --git a/warehouse/admin/templates/admin/sponsors/edit.html b/warehouse/admin/templates/admin/sponsors/edit.html
index 6fde6a01e018..91aa5bf01680 100644
--- a/warehouse/admin/templates/admin/sponsors/edit.html
+++ b/warehouse/admin/templates/admin/sponsors/edit.html
@@ -96,11 +96,11 @@ <h3 class="card-title">Create sponsor</h3>
             {{ render_field("Sidebar", form.sidebar, "sponsor-sidebar") }}
 
             <div class="form-group">
-              <button type="submit" class="btn btn-danger" title="{{ 'Submitting requires superuser privileges' if not request.has_permission('psf_staff') }}" {{ "disabled" if not request.has_permission('psf_staff') }}>Submit</button>
+              <button type="submit" class="btn btn-danger" title="{{ 'Submitting requires superuser privileges' if not request.has_permission(Permissions.AdminSponsorsWrite) }}" {{ "disabled" if not request.has_permission(Permissions.AdminSponsorsWrite) }}>Submit</button>
 
               {% if sponsor %}
               <div class="float-right">
-                <button type="button" class="btn btn-danger" data-toggle="modal" data-target="#deleteSponsor" {{ "disabled" if not request.has_permission('psf_staff') }} value=>
+                <button type="button" class="btn btn-danger" data-toggle="modal" data-target="#deleteSponsor" {{ "disabled" if not request.has_permission(Permissions.AdminSponsorsWrite) }} value=>
                   <i class="icon fa fa-trash"></i> Delete sponsor
                 </button>
               </div>
diff --git a/warehouse/admin/templates/admin/sponsors/list.html b/warehouse/admin/templates/admin/sponsors/list.html
index bd7e8387db26..7b97a9d8c772 100644
--- a/warehouse/admin/templates/admin/sponsors/list.html
+++ b/warehouse/admin/templates/admin/sponsors/list.html
@@ -22,7 +22,7 @@
 {% block content %}
 
 <div class="card card-primary card-outline">
-  {% if request.has_permission('psf_staff') %}
+  {% if request.has_permission(Permissions.AdminSponsorsWrite) %}
   <div class="card-header">
     <a class="btn btn-primary" href="{{ request.route_path('admin.sponsor.create') }}"><i class="fa fa-plus"></i> Create Sponsor</a>
   </div>
diff --git a/warehouse/admin/templates/admin/users/detail.html b/warehouse/admin/templates/admin/users/detail.html
index 5abd826b7c14..ff78af50c6a6 100644
--- a/warehouse/admin/templates/admin/users/detail.html
+++ b/warehouse/admin/templates/admin/users/detail.html
@@ -15,12 +15,14 @@
 
 {% import "admin/utils/pagination.html" as pagination %}
 
+{% set perms_admin_users_write = request.has_permission(Permissions.AdminUsersWrite) %}
+
 {% macro render_field(label, field, input_id, placeholder=None, class=None) %}
 <div class="form-group row{% if field.errors %} has-error{% endif %}">
   <label for="{{ input_id }}" class="col-sm-2 col-form-label">{{ label }}</label>
 
   <div class="col-sm-10">
-    {{ field(id=input_id, class=class, placeholder=placeholder, disabled=(not request.has_permission('admin')))}}
+    {{ field(id=input_id, class=class, placeholder=placeholder, disabled=(not perms_admin_users_write))}}
 
     {% if field.errors %}
     <div class="help-block">
@@ -35,7 +37,7 @@
 
 {% macro render_checkbox(label, field, input_id, class=None) %}
 <div class="form-check">
-  {{ field(id=input_id, class=class, disabled=(not request.has_permission('admin')))}}
+  {{ field(id=input_id, class=class, disabled=(not perms_admin_users_write))}}
   <label for="{{ input_id }}" class="form-check-label">{{ label }}</label>
 </div>
 {% endmacro %}
@@ -101,13 +103,13 @@ <h2 class="card-title">Actions</h2>
         </div>
         <div class="card-body">
           <div class="form-group">
-            <button type="button" class="btn btn-block btn-danger" data-toggle="modal" data-target="#nukeModal" {{ "disabled" if not request.has_permission('admin') }}>
+            <button type="button" class="btn btn-block btn-danger" data-toggle="modal" data-target="#nukeModal" {{ "disabled" if not perms_admin_users_write }}>
               <i class="icon fa fa-bomb"></i> Nuke user
             </button>
-            <button type="button" class="btn btn-block btn-danger" data-toggle="modal" data-target="#pwresetModal" {{ "disabled" if not request.has_permission('admin') }}>
+            <button type="button" class="btn btn-block btn-danger" data-toggle="modal" data-target="#pwresetModal" {{ "disabled" if not perms_admin_users_write }}>
               <i class="fa-solid fa-unlock-keyhole"></i> Reset password
             </button>
-            <button type="button" class="btn btn-block btn-danger" data-toggle="modal" data-target="#wipeFactorsModal" {{ "disabled" if not request.has_permission('admin') }}>
+            <button type="button" class="btn btn-block btn-danger" data-toggle="modal" data-target="#wipeFactorsModal" {{ "disabled" if not perms_admin_users_write }}>
               <i class="fa-solid fa-toilet-paper"></i> Wipe 2FA and recovery codes
             </button>
             <div class="modal fade" id="nukeModal" tabindex="-1" role="dialog">
@@ -309,7 +311,7 @@ <h3 class="card-title">Emails</h3>
             <div class="card-footer">
               <div class="form-group">
                 <div class="col-sm-offset-10 col-sm-2">
-                  <button type="submit" class="btn btn-danger" title="{{ 'Submitting requires superuser privileges' if not request.has_permission('admin') }}" {{ "disabled" if not request.has_permission('admin') }}>Submit</button>
+                  <button type="submit" class="btn btn-danger" title="{{ 'Submitting requires superuser privileges' if not perms_admin_users_write }}" {{ "disabled" if not perms_admin_users_write }}>Submit</button>
                 </div>
               </div>
             </div>
@@ -350,7 +352,7 @@ <h3 class="card-title">Add a new email</h3>
           <div class="card-footer">
             <div class="form-group">
               <div class="col-sm-offset-10 col-sm-2">
-                <button type="submit" class="btn btn-danger" title="{{ 'Submitting requires superuser privileges' if not request.has_permission('admin') }}" {{ "disabled" if not request.has_permission('admin') }}>Submit</button>
+                <button type="submit" class="btn btn-danger" title="{{ 'Submitting requires superuser privileges' if not perms_admin_users_write }}" {{ "disabled" if not perms_admin_users_write }}>Submit</button>
               </div>
             </div>
           </div>
diff --git a/warehouse/admin/views/banners.py b/warehouse/admin/views/banners.py
index af2516885ab6..4c77af43f7f6 100644
--- a/warehouse/admin/views/banners.py
+++ b/warehouse/admin/views/banners.py
@@ -16,6 +16,7 @@
 from pyramid.view import view_config
 from sqlalchemy.exc import NoResultFound
 
+from warehouse.authnz import Permissions
 from warehouse.banners.models import Banner
 from warehouse.forms import Form, URIValidator
 
@@ -23,7 +24,7 @@
 @view_config(
     route_name="admin.banner.list",
     renderer="admin/banners/list.html",
-    permission="admin_dashboard_access",
+    permission=Permissions.AdminBannerRead,
     request_method="GET",
     uses_session=True,
 )
@@ -35,7 +36,7 @@ def banner_list(request):
 @view_config(
     route_name="admin.banner.edit",
     renderer="admin/banners/edit.html",
-    permission="admin_dashboard_access",
+    permission=Permissions.AdminBannerRead,
     request_method="GET",
     uses_session=True,
     require_csrf=True,
@@ -44,7 +45,7 @@ def banner_list(request):
 @view_config(
     route_name="admin.banner.edit",
     renderer="admin/banners/edit.html",
-    permission="psf_staff",
+    permission=Permissions.AdminBannerWrite,
     request_method="POST",
     uses_session=True,
     require_csrf=True,
@@ -70,7 +71,7 @@ def edit_banner(request):
 @view_config(
     route_name="admin.banner.create",
     renderer="admin/banners/edit.html",
-    permission="admin_dashboard_access",
+    permission=Permissions.AdminBannerRead,
     request_method="GET",
     uses_session=True,
     require_csrf=True,
@@ -79,7 +80,7 @@ def edit_banner(request):
 @view_config(
     route_name="admin.banner.create",
     renderer="admin/banners/edit.html",
-    permission="psf_staff",
+    permission=Permissions.AdminBannerWrite,
     request_method="POST",
     uses_session=True,
     require_csrf=True,
@@ -104,7 +105,7 @@ def create_banner(request):
 @view_config(
     route_name="admin.banner.delete",
     require_methods=["POST"],
-    permission="psf_staff",
+    permission=Permissions.AdminBannerWrite,
     uses_session=True,
     require_csrf=True,
 )
@@ -129,7 +130,7 @@ def delete_banner(request):
 @view_config(
     route_name="admin.banner.preview",
     require_methods=["GET"],
-    permission="moderator",
+    permission=Permissions.AdminBannerRead,
     uses_session=True,
     require_csrf=True,
     has_translations=True,
diff --git a/warehouse/admin/views/core.py b/warehouse/admin/views/core.py
index 916ee7127c7d..2649d2159ff7 100644
--- a/warehouse/admin/views/core.py
+++ b/warehouse/admin/views/core.py
@@ -12,11 +12,13 @@
 
 from pyramid.view import view_config
 
+from warehouse.authnz import Permissions
+
 
 @view_config(
     route_name="admin.dashboard",
     renderer="admin/dashboard.html",
-    permission="admin_dashboard_access",
+    permission=Permissions.AdminDashboardRead,
     uses_session=True,
 )
 def dashboard(request):
diff --git a/warehouse/admin/views/emails.py b/warehouse/admin/views/emails.py
index 6e4be8bb2e74..9a7fbe30485e 100644
--- a/warehouse/admin/views/emails.py
+++ b/warehouse/admin/views/emails.py
@@ -21,6 +21,7 @@
 from sqlalchemy.exc import NoResultFound
 
 from warehouse.accounts.models import User
+from warehouse.authnz import Permissions
 from warehouse.email import send_email
 from warehouse.email.ses.models import EmailMessage
 from warehouse.events.tags import EventTag
@@ -30,7 +31,7 @@
 @view_config(
     route_name="admin.emails.list",
     renderer="admin/emails/list.html",
-    permission="moderator",
+    permission=Permissions.AdminEmailsRead,
     request_method="GET",
     uses_session=True,
 )
@@ -79,7 +80,7 @@ def email_list(request):
 
 @view_config(
     route_name="admin.emails.mass",
-    permission="admin",
+    permission=Permissions.AdminEmailsWrite,
     request_method="POST",
     uses_session=True,
     require_methods=False,
@@ -121,7 +122,7 @@ def email_mass(request):
 @view_config(
     route_name="admin.emails.detail",
     renderer="admin/emails/detail.html",
-    permission="moderator",
+    permission=Permissions.AdminEmailsRead,
     request_method="GET",
     uses_session=True,
 )
diff --git a/warehouse/admin/views/flags.py b/warehouse/admin/views/flags.py
index a25f2df19a20..8f893f3b5f16 100644
--- a/warehouse/admin/views/flags.py
+++ b/warehouse/admin/views/flags.py
@@ -14,12 +14,13 @@
 from pyramid.view import view_config
 
 from warehouse.admin.flags import AdminFlag
+from warehouse.authnz import Permissions
 
 
 @view_config(
     route_name="admin.flags",
     renderer="admin/flags/index.html",
-    permission="moderator",
+    permission=Permissions.AdminFlagsRead,
     request_method="GET",
     uses_session=True,
 )
@@ -29,7 +30,7 @@ def get_flags(request):
 
 @view_config(
     route_name="admin.flags.edit",
-    permission="admin",
+    permission=Permissions.AdminFlagsWrite,
     request_method="POST",
     uses_session=True,
     require_methods=False,
diff --git a/warehouse/admin/views/ip_addresses.py b/warehouse/admin/views/ip_addresses.py
index 1bc3da6f933f..11834e96607f 100644
--- a/warehouse/admin/views/ip_addresses.py
+++ b/warehouse/admin/views/ip_addresses.py
@@ -18,6 +18,7 @@
 from pyramid.view import view_config
 from sqlalchemy.exc import NoResultFound
 
+from warehouse.authnz import Permissions
 from warehouse.ip_addresses.models import IpAddress
 from warehouse.utils.paginate import paginate_url_factory
 
@@ -28,7 +29,7 @@
 @view_config(
     route_name="admin.ip_address.list",
     renderer="admin/ip_addresses/list.html",
-    permission="admin",
+    permission=Permissions.AdminIpAddressesRead,
     uses_session=True,
 )
 def ip_address_list(request: Request) -> dict[str, SQLAlchemyORMPage[IpAddress] | str]:
@@ -55,7 +56,7 @@ def ip_address_list(request: Request) -> dict[str, SQLAlchemyORMPage[IpAddress]
 @view_config(
     route_name="admin.ip_address.detail",
     renderer="admin/ip_addresses/detail.html",
-    permission="admin",
+    permission=Permissions.AdminIpAddressesRead,
     uses_session=True,
 )
 def ip_address_detail(request: Request) -> dict[str, IpAddress]:
diff --git a/warehouse/admin/views/journals.py b/warehouse/admin/views/journals.py
index 92f9d1bed18b..6a54d1b92c20 100644
--- a/warehouse/admin/views/journals.py
+++ b/warehouse/admin/views/journals.py
@@ -18,6 +18,7 @@
 from sqlalchemy import and_
 from sqlalchemy.orm import joinedload
 
+from warehouse.authnz import Permissions
 from warehouse.packaging.models import JournalEntry
 from warehouse.utils.paginate import paginate_url_factory
 
@@ -25,7 +26,7 @@
 @view_config(
     route_name="admin.journals.list",
     renderer="admin/journals/list.html",
-    permission="moderator",
+    permission=Permissions.AdminJournalRead,
     uses_session=True,
 )
 def journals_list(request):
diff --git a/warehouse/admin/views/macaroons.py b/warehouse/admin/views/macaroons.py
index 1ab016671b6c..751376c16a95 100644
--- a/warehouse/admin/views/macaroons.py
+++ b/warehouse/admin/views/macaroons.py
@@ -14,6 +14,7 @@
 from pyramid.view import view_config
 from sqlalchemy.orm import joinedload
 
+from warehouse.authnz import Permissions
 from warehouse.events.tags import EventTag
 from warehouse.macaroons.errors import InvalidMacaroonError
 from warehouse.macaroons.interfaces import IMacaroonService
@@ -24,7 +25,7 @@
 @view_config(
     route_name="admin.macaroon.decode_token",
     renderer="admin/macaroons/decode_token.html",
-    permission="admin",
+    permission=Permissions.AdminMacaroonsRead,
     request_method="GET",
     uses_session=True,
     require_csrf=True,
@@ -33,7 +34,7 @@
 @view_config(
     route_name="admin.macaroon.decode_token",
     renderer="admin/macaroons/decode_token.html",
-    permission="admin",
+    permission=Permissions.AdminMacaroonsRead,
     request_method="POST",
     uses_session=True,
     require_csrf=True,
@@ -69,7 +70,7 @@ def macaroon_decode_token(request):
 @view_config(
     route_name="admin.macaroon.detail",
     renderer="admin/macaroons/detail.html",
-    permission="admin",
+    permission=Permissions.AdminMacaroonsRead,
     uses_session=True,
 )
 def macaroon_detail(request):
@@ -90,7 +91,7 @@ def macaroon_detail(request):
 
 @view_config(
     route_name="admin.macaroon.delete",
-    permission="admin",
+    permission=Permissions.AdminMacaroonsWrite,
     uses_session=True,
     require_methods=False,
 )
diff --git a/warehouse/admin/views/organizations.py b/warehouse/admin/views/organizations.py
index bea8a1faa980..d20e57a02f0c 100644
--- a/warehouse/admin/views/organizations.py
+++ b/warehouse/admin/views/organizations.py
@@ -18,6 +18,7 @@
 from sqlalchemy import or_
 
 from warehouse.accounts.interfaces import IUserService
+from warehouse.authnz import Permissions
 from warehouse.events.tags import EventTag
 from warehouse.organizations.interfaces import IOrganizationService
 from warehouse.organizations.models import (
@@ -31,7 +32,7 @@
 @view_config(
     route_name="admin.organization.list",
     renderer="admin/organizations/list.html",
-    permission="moderator",
+    permission=Permissions.AdminOrganizationsRead,
     uses_session=True,
 )
 def organization_list(request):
@@ -132,7 +133,7 @@ def organization_list(request):
     route_name="admin.organization.detail",
     require_methods=False,
     renderer="admin/organizations/detail.html",
-    permission="admin",
+    permission=Permissions.AdminOrganizationsRead,
     has_translations=True,
     uses_session=True,
     require_csrf=True,
@@ -205,7 +206,7 @@ def organization_detail(request):
 @view_config(
     route_name="admin.organization_application.list",
     renderer="admin/organization_applications/list.html",
-    permission="moderator",
+    permission=Permissions.AdminOrganizationsRead,
     uses_session=True,
 )
 def organization_applications_list(request):
@@ -321,7 +322,7 @@ def organization_applications_list(request):
     route_name="admin.organization_application.detail",
     require_methods=False,
     renderer="admin/organization_applications/detail.html",
-    permission="admin",
+    permission=Permissions.AdminOrganizationsRead,
     has_translations=True,
     uses_session=True,
     require_csrf=True,
@@ -350,7 +351,7 @@ def organization_application_detail(request):
     route_name="admin.organization_application.approve",
     require_methods=["POST"],
     renderer="admin/organization_applicationss/approve.html",
-    permission="admin",
+    permission=Permissions.AdminOrganizationsWrite,
     has_translations=True,
     uses_session=True,
     require_csrf=True,
@@ -391,7 +392,7 @@ def organization_application_approve(request):
     route_name="admin.organization_application.decline",
     require_methods=["POST"],
     renderer="admin/organization_applications/decline.html",
-    permission="admin",
+    permission=Permissions.AdminOrganizationsWrite,
     has_translations=True,
     uses_session=True,
     require_csrf=True,
diff --git a/warehouse/admin/views/prohibited_project_names.py b/warehouse/admin/views/prohibited_project_names.py
index 9cea92c6c5a1..4083cb612564 100644
--- a/warehouse/admin/views/prohibited_project_names.py
+++ b/warehouse/admin/views/prohibited_project_names.py
@@ -22,6 +22,7 @@
 from sqlalchemy.exc import NoResultFound
 
 from warehouse.accounts.models import User
+from warehouse.authnz import Permissions
 from warehouse.packaging.models import (
     File,
     ProhibitedProjectName,
@@ -37,7 +38,7 @@
 @view_config(
     route_name="admin.prohibited_project_names.list",
     renderer="admin/prohibited_project_names/list.html",
-    permission="moderator",
+    permission=Permissions.AdminProhibitedProjectsRead,
     request_method="GET",
     uses_session=True,
 )
@@ -80,7 +81,7 @@ def prohibited_project_names(request):
 @view_config(
     route_name="admin.prohibited_project_names.add",
     renderer="admin/prohibited_project_names/confirm.html",
-    permission="moderator",
+    permission=Permissions.AdminProhibitedProjectsWrite,
     request_method="GET",
     uses_session=True,
 )
@@ -145,7 +146,7 @@ def confirm_prohibited_project_names(request):
 
 @view_config(
     route_name="admin.prohibited_project_names.release",
-    permission="admin",
+    permission=Permissions.AdminProhibitedProjectsWrite,
     request_method="POST",
     uses_session=True,
     require_methods=False,
@@ -208,7 +209,7 @@ def release_prohibited_project_name(request):
 
 @view_config(
     route_name="admin.prohibited_project_names.add",
-    permission="admin",
+    permission=Permissions.AdminProhibitedProjectsWrite,
     request_method="POST",
     uses_session=True,
     require_methods=False,
@@ -274,7 +275,7 @@ def add_prohibited_project_names(request):
 
 @view_config(
     route_name="admin.prohibited_project_names.remove",
-    permission="admin",
+    permission=Permissions.AdminProhibitedProjectsWrite,
     request_method="POST",
     uses_session=True,
     require_methods=False,
@@ -311,7 +312,7 @@ def remove_prohibited_project_names(request):
 @view_config(
     route_name="admin.prohibited_project_names.bulk_add",
     renderer="admin/prohibited_project_names/bulk.html",
-    permission="admin",
+    permission=Permissions.AdminProhibitedProjectsWrite,
     uses_session=True,
     require_methods=False,
 )
diff --git a/warehouse/admin/views/projects.py b/warehouse/admin/views/projects.py
index 79f21b76a388..fd6920795f12 100644
--- a/warehouse/admin/views/projects.py
+++ b/warehouse/admin/views/projects.py
@@ -20,6 +20,7 @@
 from sqlalchemy.orm import joinedload
 
 from warehouse.accounts.models import User
+from warehouse.authnz import Permissions
 from warehouse.forklift.legacy import MAX_FILESIZE, MAX_PROJECT_SIZE
 from warehouse.observations.models import ObservationKind
 from warehouse.packaging.models import JournalEntry, Project, Release, Role
@@ -38,7 +39,7 @@
 @view_config(
     route_name="admin.project.list",
     renderer="admin/projects/list.html",
-    permission="moderator",
+    permission=Permissions.AdminProjectsRead,
     request_method="GET",
     uses_session=True,
 )
@@ -75,7 +76,7 @@ def project_list(request):
 @view_config(
     route_name="admin.project.detail",
     renderer="admin/projects/detail.html",
-    permission="moderator",
+    permission=Permissions.AdminProjectsRead,
     request_method="GET",
     uses_session=True,
     require_csrf=True,
@@ -84,7 +85,7 @@ def project_list(request):
 @view_config(
     route_name="admin.project.detail",
     renderer="admin/projects/detail.html",
-    permission="admin",
+    permission=Permissions.AdminProjectsWrite,
     request_method="POST",
     uses_session=True,
     require_csrf=True,
@@ -154,7 +155,7 @@ def project_detail(project, request):
 @view_config(
     route_name="admin.project.observations",
     renderer="admin/projects/project_observations_list.html",
-    permission="moderator",
+    permission=Permissions.AdminObservationsRead,
     request_method="GET",
     uses_session=True,
 )
@@ -185,7 +186,7 @@ def project_observations_list(project, request):
 
 @view_config(
     route_name="admin.project.add_project_observation",
-    permission="moderator",
+    permission=Permissions.AdminObservationsWrite,
     request_method="POST",
     uses_session=True,
     require_methods=False,
@@ -241,7 +242,7 @@ def add_project_observation(project, request):
 @view_config(
     route_name="admin.project.releases",
     renderer="admin/projects/releases_list.html",
-    permission="moderator",
+    permission=Permissions.AdminProjectsRead,
     request_method="GET",
     uses_session=True,
 )
@@ -291,7 +292,7 @@ def releases_list(project, request):
 @view_config(
     route_name="admin.project.release",
     renderer="admin/projects/release_detail.html",
-    permission="moderator",
+    permission=Permissions.AdminProjectsRead,
     request_method="GET",
     uses_session=True,
 )
@@ -323,7 +324,7 @@ def release_detail(release, request):
 
 @view_config(
     route_name="admin.project.release.add_release_observation",
-    permission="moderator",
+    permission=Permissions.AdminObservationsWrite,
     request_method="POST",
     uses_session=True,
     require_methods=False,
@@ -383,7 +384,7 @@ def add_release_observation(release, request):
 
 @view_config(
     route_name="admin.project.release.render",
-    permission="moderator",
+    permission=Permissions.AdminProjectsRead,
     request_method="GET",
     uses_session=True,
     require_methods=False,
@@ -405,7 +406,7 @@ def release_render(release, request):
 @view_config(
     route_name="admin.project.journals",
     renderer="admin/projects/journals_list.html",
-    permission="moderator",
+    permission=Permissions.AdminProjectsRead,
     request_method="GET",
     uses_session=True,
 )
@@ -455,7 +456,7 @@ def journals_list(project, request):
 
 @view_config(
     route_name="admin.project.set_upload_limit",
-    permission="moderator",
+    permission=Permissions.AdminProjectsWrite,
     request_method="POST",
     uses_session=True,
     require_methods=False,
@@ -503,7 +504,7 @@ def set_upload_limit(project, request):
 
 @view_config(
     route_name="admin.project.set_total_size_limit",
-    permission="moderator",
+    permission=Permissions.AdminProjectsWrite,
     request_method="POST",
     uses_session=True,
     require_methods=False,
@@ -544,7 +545,7 @@ def set_total_size_limit(project, request):
 
 @view_config(
     route_name="admin.project.add_role",
-    permission="moderator",
+    permission=Permissions.AdminRoleAdd,
     request_method="POST",
     uses_session=True,
     require_methods=False,
@@ -614,7 +615,7 @@ def add_role(project, request):
 
 @view_config(
     route_name="admin.project.delete_role",
-    permission="moderator",
+    permission=Permissions.AdminRoleDelete,
     request_method="POST",
     uses_session=True,
     require_methods=False,
@@ -661,7 +662,7 @@ def delete_role(project, request):
 
 @view_config(
     route_name="admin.project.delete",
-    permission="admin",
+    permission=Permissions.AdminProjectsDelete,
     request_method="POST",
     uses_session=True,
     require_methods=False,
@@ -675,7 +676,7 @@ def delete_project(project, request):
 
 @view_config(
     route_name="admin.project.reindex",
-    permission="moderator",
+    permission=Permissions.AdminProjectsWrite,
     request_method="GET",
     uses_session=True,
     require_methods=False,
diff --git a/warehouse/admin/views/sponsors.py b/warehouse/admin/views/sponsors.py
index b2d3451c166d..414b606f212d 100644
--- a/warehouse/admin/views/sponsors.py
+++ b/warehouse/admin/views/sponsors.py
@@ -22,6 +22,7 @@
 from sqlalchemy.exc import NoResultFound
 
 from warehouse.admin.interfaces import ISponsorLogoStorage
+from warehouse.authnz import Permissions
 from warehouse.forms import Form, URIValidator
 from warehouse.sponsors.models import Sponsor
 
@@ -83,7 +84,7 @@ def validate(self, *args, **kwargs):
 @view_config(
     route_name="admin.sponsor.list",
     renderer="admin/sponsors/list.html",
-    permission="admin_dashboard_access",
+    permission=Permissions.AdminSponsorsRead,
     request_method="GET",
     uses_session=True,
 )
@@ -121,7 +122,7 @@ def _upload_image(image_name, request, form):
 @view_config(
     route_name="admin.sponsor.edit",
     renderer="admin/sponsors/edit.html",
-    permission="admin_dashboard_access",
+    permission=Permissions.AdminSponsorsRead,
     request_method="GET",
     uses_session=True,
     require_csrf=True,
@@ -130,7 +131,7 @@ def _upload_image(image_name, request, form):
 @view_config(
     route_name="admin.sponsor.edit",
     renderer="admin/sponsors/edit.html",
-    permission="psf_staff",
+    permission=Permissions.AdminSponsorsWrite,
     request_method="POST",
     uses_session=True,
     require_csrf=True,
@@ -161,7 +162,7 @@ def edit_sponsor(request):
 @view_config(
     route_name="admin.sponsor.create",
     renderer="admin/sponsors/edit.html",
-    permission="admin_dashboard_access",
+    permission=Permissions.AdminSponsorsRead,
     request_method="GET",
     uses_session=True,
     require_csrf=True,
@@ -170,7 +171,7 @@ def edit_sponsor(request):
 @view_config(
     route_name="admin.sponsor.create",
     renderer="admin/sponsors/edit.html",
-    permission="psf_staff",
+    permission=Permissions.AdminSponsorsWrite,
     request_method="POST",
     uses_session=True,
     require_csrf=True,
@@ -200,7 +201,7 @@ def create_sponsor(request):
 @view_config(
     route_name="admin.sponsor.delete",
     require_methods=["POST"],
-    permission="psf_staff",
+    permission=Permissions.AdminSponsorsWrite,
     uses_session=True,
     require_csrf=True,
 )
diff --git a/warehouse/admin/views/users.py b/warehouse/admin/views/users.py
index 383dd5cd0458..ab59dab0e1b4 100644
--- a/warehouse/admin/views/users.py
+++ b/warehouse/admin/views/users.py
@@ -25,6 +25,7 @@
 from warehouse import forms
 from warehouse.accounts.interfaces import IEmailBreachedService, IUserService
 from warehouse.accounts.models import DisableReason, Email, ProhibitedUserName, User
+from warehouse.authnz import Permissions
 from warehouse.email import send_password_compromised_email
 from warehouse.packaging.models import JournalEntry, Project, Role
 from warehouse.utils.paginate import paginate_url_factory
@@ -33,7 +34,7 @@
 @view_config(
     route_name="admin.user.list",
     renderer="admin/users/list.html",
-    permission="moderator",
+    permission=Permissions.AdminUsersRead,
     uses_session=True,
 )
 def user_list(request):
@@ -108,7 +109,7 @@ def validate_emails(self, field):
 @view_config(
     route_name="admin.user.detail",
     renderer="admin/users/detail.html",
-    permission="moderator",
+    permission=Permissions.AdminUsersRead,
     request_method="GET",
     uses_session=True,
     require_csrf=True,
@@ -117,7 +118,7 @@ def validate_emails(self, field):
 @view_config(
     route_name="admin.user.detail",
     renderer="admin/users/detail.html",
-    permission="admin",
+    permission=Permissions.AdminUsersWrite,
     request_method="POST",
     uses_session=True,
     require_csrf=True,
@@ -163,7 +164,7 @@ def user_detail(user, request):
 @view_config(
     route_name="admin.user.add_email",
     require_methods=["POST"],
-    permission="admin",
+    permission=Permissions.AdminUsersWrite,
     uses_session=True,
     require_csrf=True,
     context=User,
@@ -245,7 +246,7 @@ def _nuke_user(user, request):
 @view_config(
     route_name="admin.user.delete",
     require_methods=["POST"],
-    permission="admin",
+    permission=Permissions.AdminUsersWrite,
     uses_session=True,
     require_csrf=True,
     context=User,
@@ -277,7 +278,7 @@ def _user_reset_password(user, request):
 @view_config(
     route_name="admin.user.reset_password",
     require_methods=["POST"],
-    permission="admin",
+    permission=Permissions.AdminUsersWrite,
     has_translations=True,
     uses_session=True,
     require_csrf=True,
@@ -302,7 +303,7 @@ def user_reset_password(user, request):
 @view_config(
     route_name="admin.user.wipe_factors",
     require_methods=["POST"],
-    permission="admin",
+    permission=Permissions.AdminUsersWrite,
     has_translations=True,
     uses_session=True,
     require_csrf=True,
@@ -332,7 +333,7 @@ def user_wipe_factors(user, request):
 @view_config(
     route_name="admin.prohibited_user_names.bulk_add",
     renderer="admin/prohibited_user_names/bulk.html",
-    permission="admin",
+    permission=Permissions.AdminUsersWrite,
     uses_session=True,
     require_methods=False,
 )
diff --git a/warehouse/authnz/__init__.py b/warehouse/authnz/__init__.py
new file mode 100644
index 000000000000..57a16ea0d50d
--- /dev/null
+++ b/warehouse/authnz/__init__.py
@@ -0,0 +1,19 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from ._permissions import Permissions
+
+__all__ = ["Permissions"]
+
+"""
+Package containing authentication and authorization related code.
+"""
diff --git a/warehouse/authnz/_permissions.py b/warehouse/authnz/_permissions.py
new file mode 100644
index 000000000000..dd115b8ffa29
--- /dev/null
+++ b/warehouse/authnz/_permissions.py
@@ -0,0 +1,76 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from enum import StrEnum
+
+
+class Permissions(StrEnum):
+    """
+    Permissions can be specified in an ACL (`__acl__`) or `@view_config(permission=...)`
+    instead of using a string literal, minimizing the chance of typos.
+
+    They are also disconnected from Principals (users, groups, etc.), so they can be
+    used in a more generic way. For example, a permission could be used to allow a user
+    to edit their own profile, or to allow a group to edit any profile.
+
+    Naming should follow the format:
+        <optional scope>:<resource>:<action>
+
+    Where:
+        scope: The scope of the permission, such as "admin", "manage", "api"
+        resource: The resource being accessed
+        action: The action being performed on the resource
+
+    Keep the list alphabetized. Add spacing between logical groupings.
+    """
+
+    AdminBannerRead = "admin:banner:read"
+    AdminBannerWrite = "admin:banner:write"
+
+    AdminDashboardRead = "admin:dashboard:read"
+    # TODO: This is broad, and could be replaced in the base template with more
+    #       specific permissions per section. Other `__acl__`s need to be updated.
+    AdminDashboardSidebarRead = "admin:dashboard-sidebar:read"
+
+    AdminEmailsRead = "admin:emails:read"
+    AdminEmailsWrite = "admin:emails:write"
+
+    AdminFlagsRead = "admin:flags:read"
+    AdminFlagsWrite = "admin:flags:write"
+
+    AdminIpAddressesRead = "admin:ip-addresses:read"
+    AdminJournalRead = "admin:journal:read"
+
+    AdminMacaroonsRead = "admin:macaroons:read"
+    AdminMacaroonsWrite = "admin:macaroons:write"
+
+    AdminObservationsRead = "admin:observations:read"
+    AdminObservationsWrite = "admin:observations:write"
+
+    AdminOrganizationsRead = "admin:organizations:read"
+    AdminOrganizationsWrite = "admin:organizations:write"
+
+    AdminProhibitedProjectsRead = "admin:prohibited-projects:read"
+    AdminProhibitedProjectsWrite = "admin:prohibited-projects:write"
+
+    AdminProjectsDelete = "admin:projects:delete"
+    AdminProjectsRead = "admin:projects:read"
+    AdminProjectsWrite = "admin:projects:write"
+
+    AdminRoleAdd = "admin:role:add"
+    AdminRoleDelete = "admin:role:delete"
+
+    AdminSponsorsRead = "admin:sponsors:read"
+    AdminSponsorsWrite = "admin:sponsors:write"
+
+    AdminUsersRead = "admin:users:read"
+    AdminUsersWrite = "admin:users:write"
diff --git a/warehouse/config.py b/warehouse/config.py
index c33f70e221e4..769a3304a5af 100644
--- a/warehouse/config.py
+++ b/warehouse/config.py
@@ -29,6 +29,7 @@
 from pyramid.tweens import EXCVIEW
 from pyramid_rpc.xmlrpc import XMLRPCRenderer
 
+from warehouse.authnz import Permissions
 from warehouse.utils.static import ManifestCacheBuster
 from warehouse.utils.wsgi import ProxyFixer, VhmRootRemover
 
@@ -60,12 +61,70 @@ class RootFactory:
     __name__ = None
 
     __acl__ = [
-        (Allow, "group:admins", "admin"),
-        (Allow, "group:admins", "admin_dashboard_access"),
-        (Allow, "group:moderators", "moderator"),
-        (Allow, "group:moderators", "admin_dashboard_access"),
-        (Allow, "group:psf_staff", "psf_staff"),
-        (Allow, "group:psf_staff", "admin_dashboard_access"),
+        (
+            Allow,
+            "group:admins",
+            (
+                Permissions.AdminBannerRead,
+                Permissions.AdminBannerWrite,
+                Permissions.AdminDashboardRead,
+                Permissions.AdminDashboardSidebarRead,
+                Permissions.AdminEmailsRead,
+                Permissions.AdminEmailsWrite,
+                Permissions.AdminFlagsRead,
+                Permissions.AdminFlagsWrite,
+                Permissions.AdminIpAddressesRead,
+                Permissions.AdminJournalRead,
+                Permissions.AdminMacaroonsRead,
+                Permissions.AdminMacaroonsWrite,
+                Permissions.AdminObservationsRead,
+                Permissions.AdminObservationsWrite,
+                Permissions.AdminOrganizationsRead,
+                Permissions.AdminOrganizationsWrite,
+                Permissions.AdminProhibitedProjectsRead,
+                Permissions.AdminProhibitedProjectsWrite,
+                Permissions.AdminProjectsDelete,
+                Permissions.AdminProjectsRead,
+                Permissions.AdminProjectsWrite,
+                Permissions.AdminRoleAdd,
+                Permissions.AdminRoleDelete,
+                Permissions.AdminSponsorsRead,
+                Permissions.AdminUsersRead,
+                Permissions.AdminUsersWrite,
+            ),
+        ),
+        (
+            Allow,
+            "group:moderators",
+            (
+                Permissions.AdminBannerRead,
+                Permissions.AdminDashboardRead,
+                Permissions.AdminDashboardSidebarRead,
+                Permissions.AdminEmailsRead,
+                Permissions.AdminFlagsRead,
+                Permissions.AdminJournalRead,
+                Permissions.AdminObservationsRead,
+                Permissions.AdminObservationsWrite,
+                Permissions.AdminOrganizationsRead,
+                Permissions.AdminProhibitedProjectsRead,
+                Permissions.AdminProjectsRead,
+                Permissions.AdminRoleAdd,
+                Permissions.AdminRoleDelete,
+                Permissions.AdminSponsorsRead,
+                Permissions.AdminUsersRead,
+            ),
+        ),
+        (
+            Allow,
+            "group:psf_staff",
+            (
+                Permissions.AdminBannerRead,
+                Permissions.AdminBannerWrite,
+                Permissions.AdminDashboardRead,
+                Permissions.AdminSponsorsRead,
+                Permissions.AdminSponsorsWrite,
+            ),
+        ),
         (Allow, Authenticated, "manage:user"),
     ]
 
@@ -495,6 +554,7 @@ def configure(settings=None):
     # And some enums to reuse in the templates
     jglobals.setdefault("AdminFlagValue", "warehouse.admin.flags:AdminFlagValue")
     jglobals.setdefault("EventTag", "warehouse.events.tags:EventTag")
+    jglobals.setdefault("Permissions", "warehouse.authnz:Permissions")
     jglobals.setdefault(
         "OrganizationInvitationStatus",
         "warehouse.organizations.models:OrganizationInvitationStatus",
diff --git a/warehouse/organizations/models.py b/warehouse/organizations/models.py
index a79b87e3493d..5d7e351e48d8 100644
--- a/warehouse/organizations/models.py
+++ b/warehouse/organizations/models.py
@@ -40,6 +40,7 @@
 
 from warehouse import db
 from warehouse.accounts.models import User
+from warehouse.authnz import Permissions
 from warehouse.events.models import HasEvents
 from warehouse.utils.attrs import make_repr
 from warehouse.utils.db.types import bool_false, datetime_now
@@ -334,8 +335,15 @@ def __acl__(self):
         session = orm.object_session(self)
 
         acls = [
-            (Allow, "group:admins", "admin"),
-            (Allow, "group:moderators", "moderator"),
+            (
+                Allow,
+                "group:admins",
+                (
+                    Permissions.AdminOrganizationsRead,
+                    Permissions.AdminOrganizationsWrite,
+                ),
+            ),
+            (Allow, "group:moderators", Permissions.AdminOrganizationsRead),
         ]
 
         # Get all of the users for this organization.
diff --git a/warehouse/packaging/models.py b/warehouse/packaging/models.py
index f2f7bccf509b..d59c88385fa7 100644
--- a/warehouse/packaging/models.py
+++ b/warehouse/packaging/models.py
@@ -51,6 +51,7 @@
 
 from warehouse import db
 from warehouse.accounts.models import User
+from warehouse.authnz import Permissions
 from warehouse.classifiers.models import Classifier
 from warehouse.events.models import HasEvents
 from warehouse.integrations.vulnerabilities.models import VulnerabilityRecord
@@ -253,8 +254,37 @@ def __getitem__(self, version):
     def __acl__(self):
         session = orm.object_session(self)
         acls = [
-            (Allow, "group:admins", "admin"),
-            (Allow, "group:moderators", "moderator"),
+            # TODO: Similar to `warehouse.accounts.models.User.__acl__`, we express the
+            #       permissions here in terms of the permissions that the user has on
+            #       the project. This is more complex, as add ACL Entries based on other
+            #       criteria, such as the user's role in the project.
+            (
+                Allow,
+                "group:admins",
+                (
+                    Permissions.AdminDashboardSidebarRead,
+                    Permissions.AdminObservationsRead,
+                    Permissions.AdminObservationsWrite,
+                    Permissions.AdminProhibitedProjectsWrite,
+                    Permissions.AdminProjectsDelete,
+                    Permissions.AdminProjectsRead,
+                    Permissions.AdminProjectsWrite,
+                    Permissions.AdminRoleAdd,
+                    Permissions.AdminRoleDelete,
+                ),
+            ),
+            (
+                Allow,
+                "group:moderators",
+                (
+                    Permissions.AdminDashboardSidebarRead,
+                    Permissions.AdminObservationsRead,
+                    Permissions.AdminObservationsWrite,
+                    Permissions.AdminProjectsRead,
+                    Permissions.AdminRoleAdd,
+                    Permissions.AdminRoleDelete,
+                ),
+            ),
         ]
 
         # The project has zero or more OIDC publishers registered to it,
diff --git a/warehouse/templates/includes/admin/administer-project-include.html b/warehouse/templates/includes/admin/administer-project-include.html
index fe9bdfb3a8f9..a9ddc6c8f84c 100644
--- a/warehouse/templates/includes/admin/administer-project-include.html
+++ b/warehouse/templates/includes/admin/administer-project-include.html
@@ -12,7 +12,7 @@
  # limitations under the License.
 -#}
 
-{% if request.has_permission("moderator") %}
+{% if request.has_permission(Permissions.AdminProjectsRead) %}
 <div class="admin-include split-layout split-layout--middle">
   <span><b>Admin tools for project: <code>{{ project_name }}</code></b></span>
   <div>
@@ -23,7 +23,7 @@
     <form class="form-inline" method="GET" action="{{ request.route_path('admin.prohibited_project_names.add') }}">
       <input name="project" type="hidden" value="{{ project_name }}">
       <input name="comment" type="hidden" value="malware" id="prohibitedComment">
-      <button type="submit" class="button button--small button--danger" title="{{ "Submitting requires superuser privileges" if not request.has_permission('admin') }}"  {{ "disabled" if not request.has_permission('admin') or prohibited }}>Remove project as malware</button>
+      <button type="submit" class="button button--small button--danger" title="{{ "Submitting requires superuser privileges" if not request.has_permission(Permissions.AdminProhibitedProjectsWrite) }}"  {{ "disabled" if not request.has_permission(Permissions.AdminProhibitedProjectsWrite) or prohibited }}>Remove project as malware</button>
     </form>
     {% endif %}
     <a href="https://inspector.pypi.io/project/{{ project_name }}/" class="button button--small button--tertiary package-description__edit-button">🕵️ Inspect</a>
diff --git a/warehouse/templates/includes/admin/administer-user-include.html b/warehouse/templates/includes/admin/administer-user-include.html
index 5c097a72ce7c..7216a8c8f14c 100644
--- a/warehouse/templates/includes/admin/administer-user-include.html
+++ b/warehouse/templates/includes/admin/administer-user-include.html
@@ -12,7 +12,7 @@
  # limitations under the License.
 -#}
 
-{% if request.has_permission("moderator") %}
+{% if request.has_permission(Permissions.AdminUsersRead) %}
 <div class="admin-include split-layout split-layout--middle">
   <span><b>Admin tools</b></span>
   <div>
diff --git a/warehouse/templates/includes/current-user-indicator.html b/warehouse/templates/includes/current-user-indicator.html
index 472a9fb09df6..e237a36c76d9 100644
--- a/warehouse/templates/includes/current-user-indicator.html
+++ b/warehouse/templates/includes/current-user-indicator.html
@@ -23,7 +23,7 @@
         </span>
       </button>
       <ul class="dropdown__content" aria-hidden="true" aria-label="{% trans %}Main menu{% endtrans %}">
-        {% if request.has_permission("admin_dashboard_access") %}
+        {% if request.has_permission(Permissions.AdminDashboardRead) %}
         <li>
           <a href="{{ request.route_path('admin.dashboard') }}" class="dropdown__link">
             <i class="fa fa-wrench" aria-hidden="true"></i>