diff --git a/src/app/admin/page.tsx b/src/app/admin/page.tsx
index 5ab56a2..9640518 100644
--- a/src/app/admin/page.tsx
+++ b/src/app/admin/page.tsx
@@ -89,7 +89,8 @@ function formatBytes(bytes: number): string {
 }
 
 export default function AdminPage() {
-  const { user, loading: authLoading } = useAuth("admin");
+  const { user, loading: authLoading } = useAuth("domain_admin");
+  const isSuperAdmin = user?.role === "superadmin";
 
   // Dashboard state
   const [smtpStatus, setSmtpStatus] = useState<SMTPStatus | null>(null);
@@ -620,10 +621,10 @@ export default function AdminPage() {
             <TabsTrigger value="users">Benutzer</TabsTrigger>
             <TabsTrigger value="audit">Audit-Log</TabsTrigger>
             <TabsTrigger value="import">Import</TabsTrigger>
-            <TabsTrigger value="ldap" onClick={loadLDAP}>LDAP</TabsTrigger>
-            <TabsTrigger value="security">Security</TabsTrigger>
-            <TabsTrigger value="tenants" onClick={loadTenants}>Mandanten</TabsTrigger>
-            <TabsTrigger value="modules">Module</TabsTrigger>
+            {isSuperAdmin && <TabsTrigger value="ldap" onClick={loadLDAP}>LDAP</TabsTrigger>}
+            {isSuperAdmin && <TabsTrigger value="security">Security</TabsTrigger>}
+            {isSuperAdmin && <TabsTrigger value="tenants" onClick={loadTenants}>Mandanten</TabsTrigger>}
+            {isSuperAdmin && <TabsTrigger value="modules">Module</TabsTrigger>}
           </TabsList>
 
           {/* ── Dashboard ── */}
@@ -1166,7 +1167,8 @@ export default function AdminPage() {
                         <SelectContent>
                           <SelectItem value="user">User</SelectItem>
                           <SelectItem value="auditor">Auditor</SelectItem>
-                          <SelectItem value="admin">Admin</SelectItem>
+                          <SelectItem value="domain_admin">Domain Admin</SelectItem>
+                          {isSuperAdmin && <SelectItem value="superadmin">Superadmin</SelectItem>}
                         </SelectContent>
                       </Select>
                     </div>
diff --git a/src/app/admin/upload/page.tsx b/src/app/admin/upload/page.tsx
index dd21045..abd062d 100644
--- a/src/app/admin/upload/page.tsx
+++ b/src/app/admin/upload/page.tsx
@@ -17,7 +17,7 @@ function formatBytes(bytes: number): string {
 }
 
 export default function UploadPage() {
-  const { user, loading: authLoading } = useAuth("admin");
+  const { user, loading: authLoading } = useAuth("domain_admin");
 
   const [dragOver, setDragOver] = useState(false);
   const [selectedFiles, setSelectedFiles] = useState<File[]>([]);
diff --git a/src/components/navbar.tsx b/src/components/navbar.tsx
index e1e72c2..9f602d8 100644
--- a/src/components/navbar.tsx
+++ b/src/components/navbar.tsx
@@ -54,7 +54,7 @@ export function Navbar({ username, role }: NavbarProps) {
           >
             POP3 Import
           </Link>
-          {role === "admin" && (
+          {(role === "admin" || role === "domain_admin" || role === "superadmin") && (
             <Link
               href="/admin"
               className="text-sm text-muted-foreground hover:text-foreground transition-colors"
diff --git a/src/hooks/useAuth.ts b/src/hooks/useAuth.ts
index 126a43e..1ece603 100644
--- a/src/hooks/useAuth.ts
+++ b/src/hooks/useAuth.ts
@@ -7,7 +7,20 @@ import { getCachedUser, setCachedUser } from "@/lib/auth-cache";
 
 export { clearAuthCache } from "@/lib/auth-cache";
 
-export function useAuth(requireRole?: "admin" | "auditor") {
+// Role hierarchy: superadmin(5) > domain_admin(4) > admin(3) > auditor(2) > user(1)
+const roleLevels: Record<string, number> = {
+  user: 1,
+  auditor: 2,
+  admin: 3,
+  domain_admin: 4,
+  superadmin: 5,
+};
+
+export function hasRole(userRole: string, required: string): boolean {
+  return (roleLevels[userRole] ?? 0) >= (roleLevels[required] ?? 0);
+}
+
+export function useAuth(requireRole?: "admin" | "domain_admin" | "superadmin" | "auditor") {
   const router = useRouter();
   const cached = getCachedUser();
   const [user, setUser] = useState(cached);
@@ -16,11 +29,7 @@ export function useAuth(requireRole?: "admin" | "auditor") {
   const checkAuth = useCallback(async () => {
     const cached = getCachedUser();
     if (cached !== null) {
-      if (requireRole === "admin" && cached.role !== "admin") {
-        router.replace("/search");
-        return;
-      }
-      if (requireRole === "auditor" && cached.role !== "auditor" && cached.role !== "admin") {
+      if (requireRole && !hasRole(cached.role, requireRole)) {
         router.replace("/search");
         return;
       }
@@ -32,11 +41,7 @@ export function useAuth(requireRole?: "admin" | "auditor") {
     try {
       const me = await getMe();
       setCachedUser(me);
-      if (requireRole === "admin" && me.role !== "admin") {
-        router.replace("/search");
-        return;
-      }
-      if (requireRole === "auditor" && me.role !== "auditor" && me.role !== "admin") {
+      if (requireRole && !hasRole(me.role, requireRole)) {
         router.replace("/search");
         return;
       }