diff --git a/app/api/access_requests.py b/app/api/access_requests.py
new file mode 100644
index 0000000..13cfc0e
--- /dev/null
+++ b/app/api/access_requests.py
@@ -0,0 +1,97 @@
+"""Access request API — users request access, admins approve/deny."""
+
+import logging
+from fastapi import APIRouter, Depends, HTTPException
+from pydantic import BaseModel
+from typing import Optional
+import duckdb
+
+from app.auth.dependencies import get_current_user, require_role, Role, _get_db
+from src.repositories.access_requests import AccessRequestRepository
+
+logger = logging.getLogger(__name__)
+router = APIRouter(prefix="/api/access-requests", tags=["access-requests"])
+
+
+class AccessRequestCreate(BaseModel):
+    table_id: str
+    reason: Optional[str] = ""
+
+
+@router.post("", status_code=201)
+async def create_request(
+    request: AccessRequestCreate,
+    user: dict = Depends(get_current_user),
+    conn: duckdb.DuckDBPyConnection = Depends(_get_db),
+):
+    """Submit an access request for a table."""
+    repo = AccessRequestRepository(conn)
+
+    # Check for duplicate pending request
+    if repo.has_pending_request(user["id"], request.table_id):
+        raise HTTPException(status_code=409, detail="You already have a pending request for this table")
+
+    req_id = repo.create(
+        user_id=user["id"],
+        user_email=user.get("email", ""),
+        table_id=request.table_id,
+        reason=request.reason or "",
+    )
+    return {"id": req_id, "status": "pending", "table_id": request.table_id}
+
+
+@router.get("/my")
+async def my_requests(
+    user: dict = Depends(get_current_user),
+    conn: duckdb.DuckDBPyConnection = Depends(_get_db),
+):
+    """List current user's access requests."""
+    repo = AccessRequestRepository(conn)
+    requests = repo.list_by_user(user["id"])
+    # Serialize timestamps
+    for r in requests:
+        for k in ("created_at", "reviewed_at"):
+            if r.get(k) and hasattr(r[k], "isoformat"):
+                r[k] = r[k].isoformat()
+    return {"requests": requests}
+
+
+@router.get("/pending")
+async def pending_requests(
+    user: dict = Depends(require_role(Role.ADMIN)),
+    conn: duckdb.DuckDBPyConnection = Depends(_get_db),
+):
+    """List all pending access requests (admin only)."""
+    repo = AccessRequestRepository(conn)
+    requests = repo.list_pending()
+    for r in requests:
+        for k in ("created_at", "reviewed_at"):
+            if r.get(k) and hasattr(r[k], "isoformat"):
+                r[k] = r[k].isoformat()
+    return {"requests": requests, "count": len(requests)}
+
+
+@router.post("/{request_id}/approve")
+async def approve_request(
+    request_id: str,
+    user: dict = Depends(require_role(Role.ADMIN)),
+    conn: duckdb.DuckDBPyConnection = Depends(_get_db),
+):
+    """Approve an access request (admin only). Auto-grants permission."""
+    repo = AccessRequestRepository(conn)
+    if repo.approve(request_id, reviewed_by=user.get("email", "")):
+        return {"status": "approved", "id": request_id}
+    raise HTTPException(status_code=404, detail="Request not found or already processed")
+
+
+@router.post("/{request_id}/deny")
+async def deny_request(
+    request_id: str,
+    user: dict = Depends(require_role(Role.ADMIN)),
+    conn: duckdb.DuckDBPyConnection = Depends(_get_db),
+):
+    """Deny an access request (admin only)."""
+    repo = AccessRequestRepository(conn)
+    if repo.deny(request_id, reviewed_by=user.get("email", "")):
+        return {"status": "denied", "id": request_id}
+    raise HTTPException(status_code=404, detail="Request not found or already processed")
diff --git a/app/main.py b/app/main.py
index db13e96..61e1a4f 100644
--- a/app/main.py
+++ b/app/main.py
@@ -24,6 +24,7 @@ from app.api.catalog import router as catalog_router
 from app.api.telegram import router as telegram_router
 from app.api.admin import router as admin_router
 from app.api.permissions import router as permissions_router
+from app.api.access_requests import router as access_requests_router
 from app.web.router import router as web_router
 
 logger = logging.getLogger(__name__)
@@ -103,6 +104,7 @@ def create_app() -> FastAPI:
     app.include_router(telegram_router)
     app.include_router(admin_router)
     app.include_router(permissions_router)
+    app.include_router(access_requests_router)
 
     # Web UI router (must be last — has catch-all routes)
     app.include_router(web_router)
diff --git a/app/web/router.py b/app/web/router.py
index 2759134..c1d62cc 100644
--- a/app/web/router.py
+++ b/app/web/router.py
@@ -26,6 +26,7 @@ from src.repositories.sync_settings import SyncSettingsRepository, DatasetPermis
 from src.repositories.knowledge import KnowledgeRepository
 from src.repositories.users import UserRepository
 from src.repositories.profiles import ProfileRepository
+from src.repositories.access_requests import AccessRequestRepository
 
 logger = logging.getLogger(__name__)
 router = APIRouter(tags=["web"])
@@ -240,27 +241,45 @@ async def catalog(
     try:
         from src.repositories.table_registry import TableRegistryRepository
         table_repo = TableRegistryRepository(conn)
+        perm_repo = DatasetPermissionRepository(conn)
+        access_repo = AccessRequestRepository(conn)
         registered = table_repo.list_all()
+
+        # Pre-fetch user's pending access requests
+        user_id = user.get("id", "")
+        user_requests = access_repo.list_by_user(user_id)
+        pending_request_table_ids = {
+            r["table_id"] for r in user_requests if r.get("status") == "pending"
+        }
+
         tables = []
         for tc in registered:
+            table_id = tc.get("id", "")
+            is_public = tc.get("is_public", True)
+            has_access = is_public or perm_repo.has_access(user_id, table_id)
+
             table_data = {
-                "id": tc.get("id", ""),
+                "id": table_id,
                 "name": tc.get("name", ""),
                 "description": tc.get("description", ""),
                 "dataset": tc.get("bucket"),
                 "sync_strategy": tc.get("sync_strategy", "full_refresh"),
                 "query_mode": tc.get("query_mode", "local"),
-                "profile": all_profiles.get(tc.get("id", "")),
+                "profile": all_profiles.get(table_id),
+                "is_public": is_public,
+                "has_access": has_access,
+                "pending_request": table_id in pending_request_table_ids,
             }
             # Add sync state
             for state in all_states:
-                if state["table_id"] == tc.get("id"):
+                if state["table_id"] == table_id:
                     table_data["last_sync"] = state.get("last_sync")
                     table_data["rows"] = state.get("rows")
                     break
             tables.append(table_data)
     except Exception as e:
         tables = []
+        pending_request_table_ids = set()
         logger.warning(f"Could not load catalog: {e}")
 
     # Build data_stats for catalog template
@@ -281,13 +300,20 @@ async def catalog(
             categories[ds] = {"name": ds, "tables": []}
         categories[ds]["tables"].append(t)
 
+    # Add count to each category (template expects .count)
+    catalog_data = []
+    for cat in categories.values():
+        cat["count"] = len(cat["tables"])
+        catalog_data.append(cat)
+
     ctx = _build_context(
         request, user=user,
         tables=tables,
         datasets=datasets,
         enabled_datasets=enabled_datasets,
         data_stats=data_stats,
-        categories=list(categories.values()),
+        categories=catalog_data,
+        catalog_data=catalog_data,
         metrics_data=[],
         sync_states=all_states,
         folder_mapping={},
@@ -391,3 +417,14 @@ async def admin_tables(
     tables = repo.list_all()
     ctx = _build_context(request, user=user, registered_tables=tables)
     return templates.TemplateResponse(request, "admin_tables.html", ctx)
+
+
+@router.get("/admin/permissions", response_class=HTMLResponse)
+async def admin_permissions_page(
+    request: Request,
+    user: dict = Depends(get_current_user),
+    conn: duckdb.DuckDBPyConnection = Depends(_get_db),
+):
+    """Admin page for managing permissions and access requests."""
+    ctx = _build_context(request, user=user)
+    return templates.TemplateResponse(request, "admin_permissions.html", ctx)
diff --git a/app/web/templates/admin_permissions.html b/app/web/templates/admin_permissions.html
new file mode 100644
index 0000000..1832d4f
--- /dev/null
+++ b/app/web/templates/admin_permissions.html
@@ -0,0 +1,1240 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Permissions Management - {{ config.INSTANCE_NAME }}</title>
+    {% if not config.THEME_FONT_URL %}
+    <link rel="preconnect" href="https://fonts.googleapis.com">
+    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+    <link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap" rel="stylesheet">
+    {% endif %}
+    <style>
+        :root {
+            /* Colors - Design System */
+            --primary: #0073D1;
+            --primary-light: rgba(0, 115, 209, 0.1);
+            --text-primary: #1A253C;
+            --text-secondary: #6B7280;
+            --background: #F5F7FA;
+            --surface: #FFFFFF;
+            --border: #E5E7EB;
+            --border-light: #F3F4F6;
+            --success: #10B77F;
+            --success-light: rgba(16, 183, 127, 0.1);
+            --warning: #F59F0A;
+            --warning-light: rgba(245, 159, 10, 0.1);
+            --error: #EA580C;
+            --error-light: rgba(234, 88, 12, 0.1);
+
+            /* Typography */
+            --font-primary: 'Inter', system-ui, sans-serif;
+            --font-mono: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace;
+
+            /* Shadows */
+            --shadow-sm: rgba(0, 0, 0, 0.05) 0px 1px 2px 0px;
+            --shadow-md: rgba(0, 0, 0, 0.1) 0px 4px 6px -1px;
+        }
+
+        * {
+            margin: 0;
+            padding: 0;
+            box-sizing: border-box;
+        }
+
+        body {
+            font-family: var(--font-primary);
+            font-size: 14px;
+            color: var(--text-primary);
+            background: var(--background);
+            line-height: 1.5;
+        }
+
+        /* ── Header ── */
+        .header {
+            background: var(--surface);
+            border-bottom: 1px solid var(--border);
+            padding: 0 32px;
+            height: 72px;
+            display: flex;
+            align-items: center;
+            justify-content: space-between;
+            position: sticky;
+            top: 0;
+            z-index: 100;
+        }
+
+        .header-left {
+            display: flex;
+            align-items: center;
+            gap: 16px;
+        }
+
+        .header-back {
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            width: 32px;
+            height: 32px;
+            border-radius: 6px;
+            color: var(--text-secondary);
+            text-decoration: none;
+            transition: all 0.15s ease;
+        }
+
+        .header-back:hover {
+            background: var(--border-light);
+            color: var(--text-primary);
+        }
+
+        .header-logo-group {
+            display: flex;
+            flex-direction: column;
+            justify-content: center;
+            gap: 2px;
+        }
+
+        .header-logo svg {
+            display: block;
+        }
+
+        .header-subtitle {
+            font-size: 11px;
+            font-weight: 500;
+            color: var(--text-secondary);
+            letter-spacing: 0.4px;
+            text-transform: uppercase;
+            margin-top: 2px;
+        }
+
+        .header-right {
+            display: flex;
+            align-items: center;
+            gap: 12px;
+            font-size: 12px;
+            color: var(--text-secondary);
+        }
+
+        .header-nav-link {
+            font-size: 12px;
+            font-weight: 500;
+            color: var(--primary);
+            text-decoration: none;
+            padding: 6px 12px;
+            border-radius: 6px;
+            transition: all 0.15s ease;
+        }
+
+        .header-nav-link:hover {
+            background: var(--primary-light);
+        }
+
+        /* ── Page Title ── */
+        .page-title {
+            max-width: 1000px;
+            margin: 0 auto;
+            padding: 32px 24px 24px;
+        }
+
+        .page-title h1 {
+            font-size: 24px;
+            font-weight: 600;
+            color: var(--text-primary);
+            margin-bottom: 4px;
+        }
+
+        .page-title p {
+            font-size: 14px;
+            color: var(--text-secondary);
+        }
+
+        /* ── Content Layout ── */
+        .content {
+            max-width: 1000px;
+            margin: 0 auto;
+            padding: 0 24px 32px;
+            display: flex;
+            flex-direction: column;
+            gap: 24px;
+        }
+
+        /* ── Panel ── */
+        .panel {
+            background: var(--surface);
+            border: 1px solid var(--border);
+            border-radius: 12px;
+            overflow: hidden;
+            box-shadow: var(--shadow-sm);
+        }
+
+        .panel-header {
+            display: flex;
+            align-items: center;
+            justify-content: space-between;
+            padding: 20px 24px;
+            border-bottom: 1px solid var(--border-light);
+        }
+
+        .panel-header-left {
+            display: flex;
+            align-items: center;
+            gap: 12px;
+        }
+
+        .panel-header-icon {
+            width: 36px;
+            height: 36px;
+            border-radius: 8px;
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            flex-shrink: 0;
+        }
+
+        .panel-title {
+            font-size: 16px;
+            font-weight: 600;
+            color: var(--text-primary);
+        }
+
+        .panel-subtitle {
+            font-size: 13px;
+            color: var(--text-secondary);
+            margin-top: 1px;
+        }
+
+        .panel-body {
+            padding: 20px 24px;
+        }
+
+        .panel-body-empty {
+            padding: 40px 24px;
+            text-align: center;
+            color: var(--text-secondary);
+            font-size: 13px;
+        }
+
+        /* ── Buttons ── */
+        .btn {
+            display: inline-flex;
+            align-items: center;
+            gap: 6px;
+            padding: 8px 16px;
+            border: none;
+            border-radius: 8px;
+            font-family: var(--font-primary);
+            font-size: 13px;
+            font-weight: 500;
+            cursor: pointer;
+            transition: all 0.15s ease;
+            white-space: nowrap;
+        }
+
+        .btn-primary {
+            background: var(--primary);
+            color: white;
+        }
+
+        .btn-primary:hover {
+            background: #005FA8;
+        }
+
+        .btn-primary:disabled {
+            opacity: 0.6;
+            cursor: not-allowed;
+        }
+
+        .btn-secondary {
+            background: var(--border-light);
+            color: var(--text-primary);
+        }
+
+        .btn-secondary:hover {
+            background: var(--border);
+        }
+
+        .btn-success {
+            background: var(--success-light);
+            color: #065F46;
+        }
+
+        .btn-success:hover {
+            background: rgba(16, 183, 127, 0.2);
+        }
+
+        .btn-danger {
+            background: var(--error-light);
+            color: var(--error);
+        }
+
+        .btn-danger:hover {
+            background: rgba(234, 88, 12, 0.2);
+        }
+
+        .btn-sm {
+            padding: 5px 10px;
+            font-size: 12px;
+            border-radius: 6px;
+        }
+
+        .btn-icon {
+            width: 28px;
+            height: 28px;
+            padding: 0;
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            border-radius: 6px;
+            background: none;
+            border: none;
+            cursor: pointer;
+            color: var(--text-secondary);
+            transition: all 0.15s ease;
+        }
+
+        .btn-icon:hover {
+            background: var(--border-light);
+            color: var(--text-primary);
+        }
+
+        .btn-icon.danger:hover {
+            background: var(--error-light);
+            color: var(--error);
+        }
+
+        /* ── Badges ── */
+        .badge {
+            flex-shrink: 0;
+            font-size: 11px;
+            font-weight: 500;
+            border-radius: 6px;
+            padding: 3px 8px;
+            white-space: nowrap;
+        }
+
+        .badge-count {
+            background: var(--warning-light);
+            color: #92400E;
+            font-weight: 600;
+            min-width: 22px;
+            text-align: center;
+        }
+
+        .badge-read {
+            background: var(--primary-light);
+            color: var(--primary);
+        }
+
+        .badge-pending {
+            background: var(--warning-light);
+            color: #92400E;
+        }
+
+        /* ── Spinner ── */
+        .spinner {
+            display: inline-block;
+            width: 18px;
+            height: 18px;
+            border: 2px solid var(--border);
+            border-top-color: var(--primary);
+            border-radius: 50%;
+            animation: spin 0.6s linear infinite;
+        }
+
+        @keyframes spin {
+            to { transform: rotate(360deg); }
+        }
+
+        .spinner-lg {
+            width: 32px;
+            height: 32px;
+            border-width: 3px;
+        }
+
+        /* ── Loading state ── */
+        .loading-state {
+            display: flex;
+            flex-direction: column;
+            align-items: center;
+            gap: 12px;
+            padding: 40px 24px;
+            color: var(--text-secondary);
+            font-size: 13px;
+        }
+
+        /* ── Toast notification ── */
+        .toast {
+            position: fixed;
+            top: 84px;
+            right: 24px;
+            z-index: 200;
+            background: var(--surface);
+            border: 1px solid var(--border);
+            border-radius: 10px;
+            box-shadow: var(--shadow-md);
+            padding: 12px 16px;
+            display: flex;
+            align-items: center;
+            gap: 10px;
+            font-size: 13px;
+            transform: translateX(120%);
+            transition: transform 0.3s ease;
+            max-width: 360px;
+        }
+
+        .toast.visible {
+            transform: translateX(0);
+        }
+
+        .toast-success {
+            border-left: 3px solid var(--success);
+        }
+
+        .toast-error {
+            border-left: 3px solid var(--error);
+        }
+
+        .toast-icon {
+            width: 20px;
+            height: 20px;
+            flex-shrink: 0;
+        }
+
+        /* ── Request cards ── */
+        .request-card {
+            display: flex;
+            align-items: flex-start;
+            gap: 14px;
+            padding: 16px 0;
+            border-bottom: 1px solid var(--border-light);
+        }
+
+        .request-card:last-child {
+            border-bottom: none;
+        }
+
+        .request-avatar {
+            width: 36px;
+            height: 36px;
+            border-radius: 50%;
+            background: var(--primary-light);
+            color: var(--primary);
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            font-size: 14px;
+            font-weight: 600;
+            flex-shrink: 0;
+        }
+
+        .request-info {
+            flex: 1;
+            min-width: 0;
+        }
+
+        .request-header {
+            display: flex;
+            align-items: center;
+            gap: 8px;
+            flex-wrap: wrap;
+        }
+
+        .request-email {
+            font-weight: 500;
+            font-size: 13px;
+            color: var(--text-primary);
+        }
+
+        .request-table {
+            font-family: var(--font-mono);
+            font-size: 12px;
+            color: var(--primary);
+            background: var(--primary-light);
+            padding: 1px 7px;
+            border-radius: 4px;
+        }
+
+        .request-reason {
+            font-size: 13px;
+            color: var(--text-secondary);
+            margin-top: 4px;
+            line-height: 1.4;
+        }
+
+        .request-time {
+            font-size: 11px;
+            color: var(--text-secondary);
+            margin-top: 4px;
+        }
+
+        .request-actions {
+            display: flex;
+            align-items: center;
+            gap: 8px;
+            flex-shrink: 0;
+            padding-top: 2px;
+        }
+
+        /* ── Permissions table ── */
+        .perm-table {
+            width: 100%;
+            border-collapse: collapse;
+        }
+
+        .perm-table th {
+            text-align: left;
+            font-size: 11px;
+            font-weight: 600;
+            color: var(--text-secondary);
+            text-transform: uppercase;
+            letter-spacing: 0.4px;
+            padding: 10px 16px;
+            border-bottom: 1px solid var(--border);
+            background: var(--background);
+        }
+
+        .perm-table td {
+            padding: 12px 16px;
+            font-size: 13px;
+            border-bottom: 1px solid var(--border-light);
+            vertical-align: middle;
+        }
+
+        .perm-table tr:last-child td {
+            border-bottom: none;
+        }
+
+        .perm-table tr:hover td {
+            background: rgba(243, 244, 246, 0.5);
+        }
+
+        .perm-table .col-user {
+            max-width: 260px;
+            overflow: hidden;
+            text-overflow: ellipsis;
+            white-space: nowrap;
+        }
+
+        .perm-table .col-dataset {
+            font-family: var(--font-mono);
+            font-size: 12px;
+            max-width: 280px;
+            overflow: hidden;
+            text-overflow: ellipsis;
+            white-space: nowrap;
+        }
+
+        .perm-table .col-actions {
+            width: 80px;
+            text-align: right;
+        }
+
+        /* ── Modal overlay ── */
+        .modal-overlay {
+            display: none;
+            position: fixed;
+            top: 0;
+            left: 0;
+            right: 0;
+            bottom: 0;
+            background: rgba(0, 0, 0, 0.5);
+            z-index: 1000;
+            padding: 40px 24px;
+            overflow-y: auto;
+        }
+
+        .modal-overlay.active {
+            display: flex;
+            align-items: flex-start;
+            justify-content: center;
+        }
+
+        .modal {
+            max-width: 480px;
+            width: 100%;
+            background: var(--surface);
+            border-radius: 12px;
+            box-shadow: 0 20px 60px rgba(0, 0, 0, 0.3);
+            overflow: hidden;
+        }
+
+        .modal-header {
+            display: flex;
+            justify-content: space-between;
+            align-items: center;
+            padding: 20px 24px;
+            border-bottom: 1px solid var(--border);
+            background: var(--background);
+        }
+
+        .modal-header h2 {
+            font-size: 18px;
+            font-weight: 600;
+        }
+
+        .modal-close {
+            width: 32px;
+            height: 32px;
+            border: none;
+            background: none;
+            cursor: pointer;
+            border-radius: 6px;
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            color: var(--text-secondary);
+            transition: all 0.15s;
+        }
+
+        .modal-close:hover {
+            background: var(--border-light);
+            color: var(--text-primary);
+        }
+
+        .modal-body {
+            padding: 24px;
+        }
+
+        .modal-footer {
+            display: flex;
+            justify-content: flex-end;
+            gap: 10px;
+            padding: 16px 24px;
+            border-top: 1px solid var(--border);
+            background: var(--background);
+        }
+
+        /* ── Form ── */
+        .form-group {
+            margin-bottom: 18px;
+        }
+
+        .form-group:last-child {
+            margin-bottom: 0;
+        }
+
+        .form-label {
+            display: block;
+            font-size: 13px;
+            font-weight: 500;
+            color: var(--text-primary);
+            margin-bottom: 6px;
+        }
+
+        .form-select {
+            width: 100%;
+            padding: 8px 12px;
+            border: 1px solid var(--border);
+            border-radius: 8px;
+            font-family: var(--font-primary);
+            font-size: 13px;
+            color: var(--text-primary);
+            background: var(--surface);
+            transition: border-color 0.15s;
+            cursor: pointer;
+            appearance: none;
+            background-image: url("data:image/svg+xml,%3Csvg width='12' height='12' viewBox='0 0 24 24' fill='none' stroke='%236B7280' stroke-width='2' stroke-linecap='round' stroke-linejoin='round' xmlns='http://www.w3.org/2000/svg'%3E%3Cpolyline points='6 9 12 15 18 9'/%3E%3C/svg%3E");
+            background-repeat: no-repeat;
+            background-position: right 12px center;
+            padding-right: 32px;
+        }
+
+        .form-select:focus {
+            outline: none;
+            border-color: var(--primary);
+            box-shadow: 0 0 0 3px rgba(0, 115, 209, 0.1);
+        }
+
+        .form-hint {
+            font-size: 12px;
+            color: var(--text-secondary);
+            margin-top: 4px;
+        }
+
+        /* ── Footer ── */
+        .footer {
+            text-align: center;
+            padding: 24px;
+            color: var(--text-secondary);
+            font-size: 12px;
+        }
+
+        .footer a {
+            color: var(--primary);
+            text-decoration: none;
+        }
+
+        .footer a:hover {
+            text-decoration: underline;
+        }
+
+        /* ── Responsive ── */
+        @media (max-width: 640px) {
+            .header {
+                padding: 0 16px;
+            }
+
+            .page-title {
+                padding: 24px 16px 16px;
+            }
+
+            .content {
+                padding: 0 16px 24px;
+            }
+
+            .panel-header {
+                flex-direction: column;
+                align-items: flex-start;
+                gap: 12px;
+            }
+
+            .request-card {
+                flex-direction: column;
+                gap: 10px;
+            }
+
+            .request-actions {
+                align-self: flex-end;
+            }
+
+            .perm-table .col-user {
+                max-width: 120px;
+            }
+
+            .perm-table .col-dataset {
+                max-width: 120px;
+            }
+
+            .modal {
+                margin: 16px;
+            }
+        }
+    </style>
+    {% include '_theme.html' %}
+</head>
+<body>
+
+    <!-- HEADER -->
+    <header class="header">
+        <div class="header-left">
+            <a href="{{ url_for('dashboard') }}" class="header-back" title="Back to Dashboard">
+                <svg width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+                    <path d="M19 12H5M12 19l-7-7 7-7"/>
+                </svg>
+            </a>
+            <div class="header-logo-group">
+                <div class="header-logo">
+                    {{ config.LOGO_SVG | safe }}
+                </div>
+                <span class="header-subtitle">Permissions Management</span>
+            </div>
+        </div>
+        <div class="header-right">
+            <a href="/admin/tables" class="header-nav-link">Table Management</a>
+            <span>Admin</span>
+        </div>
+    </header>
+
+    <!-- PAGE TITLE -->
+    <div class="page-title">
+        <h1>Permissions Management</h1>
+        <p>Review access requests and manage user permissions for datasets</p>
+    </div>
+
+    <!-- CONTENT -->
+    <div class="content">
+
+        <!-- Pending Access Requests Panel -->
+        <div class="panel">
+            <div class="panel-header">
+                <div class="panel-header-left">
+                    <div class="panel-header-icon" style="background: var(--warning-light);">
+                        <svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="#92400E" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+                            <circle cx="12" cy="12" r="10"/>
+                            <polyline points="12 6 12 12 16 14"/>
+                        </svg>
+                    </div>
+                    <div>
+                        <div class="panel-title">Pending Access Requests</div>
+                        <div class="panel-subtitle">Review and approve or deny user requests</div>
+                    </div>
+                </div>
+                <span class="badge badge-count" id="pendingCount" style="display: none;">0</span>
+            </div>
+            <div id="pendingContent">
+                <div class="loading-state" id="pendingLoading">
+                    <div class="spinner spinner-lg"></div>
+                    <span>Loading requests...</span>
+                </div>
+            </div>
+        </div>
+
+        <!-- User Permissions Panel -->
+        <div class="panel">
+            <div class="panel-header">
+                <div class="panel-header-left">
+                    <div class="panel-header-icon" style="background: var(--primary-light);">
+                        <svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="#0073D1" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+                            <rect x="3" y="11" width="18" height="11" rx="2" ry="2"/>
+                            <path d="M7 11V7a5 5 0 0 1 10 0v4"/>
+                        </svg>
+                    </div>
+                    <div>
+                        <div class="panel-title">User Permissions</div>
+                        <div class="panel-subtitle" id="permSubtitle">All granted dataset permissions</div>
+                    </div>
+                </div>
+                <div style="display: flex; gap: 8px;">
+                    <button class="btn btn-secondary btn-sm" onclick="loadPermissions()">
+                        <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+                            <polyline points="23 4 23 10 17 10"/>
+                            <path d="M20.49 15a9 9 0 1 1-2.12-9.36L23 10"/>
+                        </svg>
+                        Refresh
+                    </button>
+                    <button class="btn btn-primary btn-sm" onclick="openGrantModal()">
+                        <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+                            <line x1="12" y1="5" x2="12" y2="19"/>
+                            <line x1="5" y1="12" x2="19" y2="12"/>
+                        </svg>
+                        Grant Access
+                    </button>
+                </div>
+            </div>
+            <div id="permContent">
+                <div class="loading-state" id="permLoading">
+                    <div class="spinner spinner-lg"></div>
+                    <span>Loading permissions...</span>
+                </div>
+            </div>
+        </div>
+
+    </div>
+
+    <!-- GRANT PERMISSION MODAL -->
+    <div class="modal-overlay" id="grantModal">
+        <div class="modal">
+            <div class="modal-header">
+                <h2>Grant Access</h2>
+                <button class="modal-close" onclick="closeGrantModal()">
+                    <svg width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+                        <line x1="18" y1="6" x2="6" y2="18"/>
+                        <line x1="6" y1="6" x2="18" y2="18"/>
+                    </svg>
+                </button>
+            </div>
+            <div class="modal-body">
+                <div class="form-group">
+                    <label class="form-label" for="grantUser">User</label>
+                    <select class="form-select" id="grantUser">
+                        <option value="">Select a user...</option>
+                    </select>
+                </div>
+                <div class="form-group">
+                    <label class="form-label" for="grantDataset">Table / Dataset</label>
+                    <select class="form-select" id="grantDataset">
+                        <option value="">Select a table...</option>
+                    </select>
+                    <div class="form-hint">The table or dataset to grant access to</div>
+                </div>
+                <div class="form-group">
+                    <label class="form-label" for="grantAccess">Access Level</label>
+                    <select class="form-select" id="grantAccess">
+                        <option value="read">Read</option>
+                    </select>
+                </div>
+            </div>
+            <div class="modal-footer">
+                <button class="btn btn-secondary" onclick="closeGrantModal()">Cancel</button>
+                <button class="btn btn-primary" id="grantSubmitBtn" onclick="submitGrant()">Grant Access</button>
+            </div>
+        </div>
+    </div>
+
+    <!-- TOAST -->
+    <div class="toast" id="toast">
+        <div class="toast-icon" id="toastIcon"></div>
+        <span id="toastMessage"></span>
+    </div>
+
+    <!-- FOOTER -->
+    <footer class="footer">
+        <a href="{{ url_for('dashboard') }}">Back to Dashboard</a>
+    </footer>
+
+    <script>
+    /* ═══════════════════════════════════════════════════════════════
+       Admin Permissions - JavaScript
+       ═══════════════════════════════════════════════════════════════ */
+
+    // Cached data
+    var usersCache = [];
+    var tablesCache = [];
+
+    // ── Toast notification ──────────────────────────────────────
+
+    function showToast(message, type) {
+        var toast = document.getElementById('toast');
+        var icon = document.getElementById('toastIcon');
+        var msg = document.getElementById('toastMessage');
+
+        toast.className = 'toast toast-' + type;
+        msg.textContent = message;
+
+        if (type === 'success') {
+            icon.innerHTML = '<svg width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="#10B77F" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M22 11.08V12a10 10 0 1 1-5.93-9.14"/><polyline points="22 4 12 14.01 9 11.01"/></svg>';
+        } else {
+            icon.innerHTML = '<svg width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="#EA580C" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"/><line x1="15" y1="9" x2="9" y2="15"/><line x1="9" y1="9" x2="15" y2="15"/></svg>';
+        }
+
+        requestAnimationFrame(function() {
+            toast.classList.add('visible');
+        });
+
+        setTimeout(function() {
+            toast.classList.remove('visible');
+        }, 4000);
+    }
+
+    // ── Helpers ─────────────────────────────────────────────────
+
+    function escapeHtml(str) {
+        if (!str) return '';
+        var div = document.createElement('div');
+        div.textContent = str;
+        return div.innerHTML;
+    }
+
+    function timeAgo(isoString) {
+        if (!isoString) return '';
+        var date = new Date(isoString);
+        var now = new Date();
+        var seconds = Math.floor((now - date) / 1000);
+
+        if (seconds < 60) return 'just now';
+        var minutes = Math.floor(seconds / 60);
+        if (minutes < 60) return minutes + (minutes === 1 ? ' minute ago' : ' minutes ago');
+        var hours = Math.floor(minutes / 60);
+        if (hours < 24) return hours + (hours === 1 ? ' hour ago' : ' hours ago');
+        var days = Math.floor(hours / 24);
+        if (days < 30) return days + (days === 1 ? ' day ago' : ' days ago');
+        var months = Math.floor(days / 30);
+        return months + (months === 1 ? ' month ago' : ' months ago');
+    }
+
+    function getInitials(email) {
+        if (!email) return '?';
+        var name = email.split('@')[0];
+        var parts = name.split(/[._-]/);
+        if (parts.length >= 2) {
+            return (parts[0][0] + parts[1][0]).toUpperCase();
+        }
+        return name.substring(0, 2).toUpperCase();
+    }
+
+    function authHeaders() {
+        var token = document.cookie.split(';').find(function(c) {
+            return c.trim().startsWith('access_token=');
+        });
+        if (token) {
+            return {
+                'Authorization': 'Bearer ' + token.split('=')[1].trim(),
+                'Content-Type': 'application/json',
+            };
+        }
+        return {'Content-Type': 'application/json'};
+    }
+
+    // ── Pending Access Requests ─────────────────────────────────
+
+    function loadPending() {
+        var el = document.getElementById('pendingContent');
+        el.innerHTML = '<div class="loading-state"><div class="spinner spinner-lg"></div><span>Loading requests...</span></div>';
+
+        fetch('/api/access-requests/pending', {headers: authHeaders()})
+            .then(function(r) {
+                if (!r.ok) throw new Error('Failed to load requests');
+                return r.json();
+            })
+            .then(function(data) {
+                renderPending(data.requests || []);
+                var countEl = document.getElementById('pendingCount');
+                var count = (data.requests || []).length;
+                countEl.textContent = count;
+                countEl.style.display = count > 0 ? 'inline-block' : 'none';
+            })
+            .catch(function(err) {
+                el.innerHTML = '<div class="panel-body-empty" style="color: var(--error);">Failed to load requests: ' + escapeHtml(err.message) + '</div>';
+            });
+    }
+
+    function renderPending(requests) {
+        var el = document.getElementById('pendingContent');
+
+        if (!requests || requests.length === 0) {
+            el.innerHTML = '<div class="panel-body-empty">' +
+                '<svg width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="var(--text-secondary)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" style="margin-bottom: 8px; opacity: 0.5;"><path d="M22 11.08V12a10 10 0 1 1-5.93-9.14"/><polyline points="22 4 12 14.01 9 11.01"/></svg><br>' +
+                'No pending access requests' +
+                '</div>';
+            return;
+        }
+
+        var html = '<div class="panel-body">';
+        requests.forEach(function(req) {
+            var initials = getInitials(req.user_email);
+            var email = escapeHtml(req.user_email || req.user_id);
+            var tableId = escapeHtml(req.table_id);
+            var reason = escapeHtml(req.reason);
+            var time = timeAgo(req.created_at);
+            var reqId = escapeHtml(req.id);
+
+            html += '<div class="request-card">';
+            html += '<div class="request-avatar">' + initials + '</div>';
+            html += '<div class="request-info">';
+            html += '<div class="request-header">';
+            html += '<span class="request-email">' + email + '</span>';
+            html += '<span class="request-table">' + tableId + '</span>';
+            html += '</div>';
+            if (reason) {
+                html += '<div class="request-reason">' + reason + '</div>';
+            }
+            if (time) {
+                html += '<div class="request-time">' + time + '</div>';
+            }
+            html += '</div>';
+            html += '<div class="request-actions">';
+            html += '<button class="btn btn-success btn-sm" onclick="approveRequest(\'' + reqId + '\')" title="Approve">';
+            html += '<svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><polyline points="20 6 9 17 4 12"/></svg>';
+            html += ' Approve</button>';
+            html += '<button class="btn btn-danger btn-sm" onclick="denyRequest(\'' + reqId + '\')" title="Deny">';
+            html += '<svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></svg>';
+            html += ' Deny</button>';
+            html += '</div>';
+            html += '</div>';
+        });
+        html += '</div>';
+
+        el.innerHTML = html;
+    }
+
+    function approveRequest(id) {
+        fetch('/api/access-requests/' + id + '/approve', {
+            method: 'POST',
+            headers: authHeaders(),
+        })
+            .then(function(r) {
+                if (!r.ok) return r.json().then(function(d) { throw new Error(d.detail || 'Approve failed'); });
+                return r.json();
+            })
+            .then(function() {
+                showToast('Request approved', 'success');
+                loadPending();
+                loadPermissions();
+            })
+            .catch(function(err) {
+                showToast('Failed to approve: ' + err.message, 'error');
+            });
+    }
+
+    function denyRequest(id) {
+        if (!confirm('Deny this access request?')) return;
+
+        fetch('/api/access-requests/' + id + '/deny', {
+            method: 'POST',
+            headers: authHeaders(),
+        })
+            .then(function(r) {
+                if (!r.ok) return r.json().then(function(d) { throw new Error(d.detail || 'Deny failed'); });
+                return r.json();
+            })
+            .then(function() {
+                showToast('Request denied', 'success');
+                loadPending();
+            })
+            .catch(function(err) {
+                showToast('Failed to deny: ' + err.message, 'error');
+            });
+    }
+
+    // ── Permissions ─────────────────────────────────────────────
+
+    function loadPermissions() {
+        var el = document.getElementById('permContent');
+        el.innerHTML = '<div class="loading-state"><div class="spinner spinner-lg"></div><span>Loading permissions...</span></div>';
+
+        fetch('/api/admin/permissions', {headers: authHeaders()})
+            .then(function(r) {
+                if (!r.ok) throw new Error('Failed to load permissions');
+                return r.json();
+            })
+            .then(function(data) {
+                renderPermissions(data.permissions || []);
+                var count = (data.permissions || []).length;
+                document.getElementById('permSubtitle').textContent = count + ' permission' + (count !== 1 ? 's' : '') + ' granted';
+            })
+            .catch(function(err) {
+                el.innerHTML = '<div class="panel-body-empty" style="color: var(--error);">Failed to load permissions: ' + escapeHtml(err.message) + '</div>';
+            });
+    }
+
+    function renderPermissions(permissions) {
+        var el = document.getElementById('permContent');
+
+        if (!permissions || permissions.length === 0) {
+            el.innerHTML = '<div class="panel-body-empty">' +
+                'No permissions granted yet. Use "Grant Access" to add permissions.' +
+                '</div>';
+            return;
+        }
+
+        var html = '<table class="perm-table">';
+        html += '<thead><tr>';
+        html += '<th>User</th>';
+        html += '<th>Dataset / Table</th>';
+        html += '<th>Access</th>';
+        html += '<th class="col-actions"></th>';
+        html += '</tr></thead>';
+        html += '<tbody>';
+
+        permissions.forEach(function(p) {
+            var userId = escapeHtml(p.user_id);
+            var dataset = escapeHtml(p.dataset);
+            var access = escapeHtml(p.access || 'read');
+
+            html += '<tr>';
+            html += '<td class="col-user">' + userId + '</td>';
+            html += '<td class="col-dataset">' + dataset + '</td>';
+            html += '<td><span class="badge badge-read">' + access + '</span></td>';
+            html += '<td class="col-actions">';
+            html += '<button class="btn-icon danger" onclick="revokePermission(\'' + userId + '\', \'' + dataset + '\')" title="Revoke access">';
+            html += '<svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polyline points="3 6 5 6 21 6"/><path d="M19 6v14a2 2 0 0 1-2 2H7a2 2 0 0 1-2-2V6m3 0V4a2 2 0 0 1 2-2h4a2 2 0 0 1 2 2v2"/></svg>';
+            html += '</button>';
+            html += '</td>';
+            html += '</tr>';
+        });
+
+        html += '</tbody></table>';
+        el.innerHTML = html;
+    }
+
+    function revokePermission(userId, dataset) {
+        if (!confirm('Revoke access for "' + userId + '" to "' + dataset + '"?')) return;
+
+        fetch('/api/admin/permissions', {
+            method: 'DELETE',
+            headers: authHeaders(),
+            body: JSON.stringify({user_id: userId, dataset: dataset, access: 'none'}),
+        })
+            .then(function(r) {
+                if (!r.ok) return r.json().then(function(d) { throw new Error(d.detail || 'Revoke failed'); });
+                return r.json();
+            })
+            .then(function() {
+                showToast('Permission revoked', 'success');
+                loadPermissions();
+            })
+            .catch(function(err) {
+                showToast('Failed to revoke: ' + err.message, 'error');
+            });
+    }
+
+    // ── Grant Modal ─────────────────────────────────────────────
+
+    function openGrantModal() {
+        document.getElementById('grantModal').classList.add('active');
+        loadModalData();
+    }
+
+    function closeGrantModal() {
+        document.getElementById('grantModal').classList.remove('active');
+    }
+
+    function loadModalData() {
+        // Load users
+        fetch('/api/users', {headers: authHeaders()})
+            .then(function(r) { return r.ok ? r.json() : []; })
+            .then(function(users) {
+                usersCache = Array.isArray(users) ? users : [];
+                var select = document.getElementById('grantUser');
+                select.innerHTML = '<option value="">Select a user...</option>';
+                usersCache.forEach(function(u) {
+                    var opt = document.createElement('option');
+                    opt.value = u.id;
+                    opt.textContent = u.email + (u.name ? ' (' + u.name + ')' : '');
+                    select.appendChild(opt);
+                });
+            })
+            .catch(function() {});
+
+        // Load tables from admin registry
+        fetch('/api/admin/registered-tables', {headers: authHeaders()})
+            .then(function(r) { return r.ok ? r.json() : {tables: []}; })
+            .then(function(data) {
+                tablesCache = data.tables || [];
+                var select = document.getElementById('grantDataset');
+                select.innerHTML = '<option value="">Select a table...</option>';
+                tablesCache.forEach(function(t) {
+                    var opt = document.createElement('option');
+                    opt.value = t.id || t.name;
+                    opt.textContent = t.name || t.id;
+                    select.appendChild(opt);
+                });
+            })
+            .catch(function() {});
+    }
+
+    function submitGrant() {
+        var userId = document.getElementById('grantUser').value;
+        var dataset = document.getElementById('grantDataset').value;
+        var access = document.getElementById('grantAccess').value;
+
+        if (!userId || !dataset) {
+            showToast('Please select a user and a table', 'error');
+            return;
+        }
+
+        var btn = document.getElementById('grantSubmitBtn');
+        btn.disabled = true;
+        btn.textContent = 'Granting...';
+
+        fetch('/api/admin/permissions', {
+            method: 'POST',
+            headers: authHeaders(),
+            body: JSON.stringify({user_id: userId, dataset: dataset, access: access}),
+        })
+            .then(function(r) {
+                if (!r.ok) return r.json().then(function(d) { throw new Error(d.detail || 'Grant failed'); });
+                return r.json();
+            })
+            .then(function() {
+                showToast('Access granted', 'success');
+                closeGrantModal();
+                loadPermissions();
+            })
+            .catch(function(err) {
+                showToast('Failed to grant: ' + err.message, 'error');
+            })
+            .finally(function() {
+                btn.disabled = false;
+                btn.textContent = 'Grant Access';
+            });
+    }
+
+    // Close modal on backdrop click
+    document.getElementById('grantModal').addEventListener('click', function(e) {
+        if (e.target === this) closeGrantModal();
+    });
+
+    // Close modal on Escape key
+    document.addEventListener('keydown', function(e) {
+        if (e.key === 'Escape') closeGrantModal();
+    });
+
+    // ── Init ────────────────────────────────────────────────────
+
+    loadPending();
+    loadPermissions();
+
+    </script>
+</body>
+</html>
diff --git a/app/web/templates/admin_tables.html b/app/web/templates/admin_tables.html
index 5c9d2df..d82603f 100644
--- a/app/web/templates/admin_tables.html
+++ b/app/web/templates/admin_tables.html
@@ -750,7 +750,8 @@
             </div>
         </div>
         <div class="header-right">
-            Admin
+            <a href="/admin/permissions" style="font-size: 12px; font-weight: 500; color: var(--primary); text-decoration: none; padding: 6px 12px; border-radius: 6px; transition: all 0.15s ease;">Permissions</a>
+            <span>Admin</span>
         </div>
     </header>
 
diff --git a/app/web/templates/catalog.html b/app/web/templates/catalog.html
index 421601b..ce6d888 100644
--- a/app/web/templates/catalog.html
+++ b/app/web/templates/catalog.html
@@ -373,6 +373,158 @@
             background: rgba(243, 244, 246, 0.5);
         }
 
+        .table-row-locked {
+            opacity: 0.75;
+        }
+
+        .table-row-locked:hover {
+            background: rgba(234, 88, 12, 0.04);
+        }
+
+        .access-badge {
+            display: inline-block;
+            font-size: 11px;
+            font-weight: 600;
+            padding: 1px 6px;
+            border-radius: 4px;
+            margin-left: 6px;
+            vertical-align: middle;
+            font-family: var(--font-primary);
+        }
+
+        .access-badge.locked {
+            font-size: 13px;
+            padding: 0 2px;
+        }
+
+        .access-badge.pending {
+            background: #FFF7ED;
+            color: #EA580C;
+            border: 1px solid #FDBA74;
+        }
+
+        .btn-request-access {
+            font-size: 12px;
+            font-weight: 500;
+            padding: 4px 12px;
+            border-radius: 6px;
+            background: var(--primary-light);
+            color: var(--primary);
+            cursor: pointer;
+            transition: all 0.15s ease;
+            white-space: nowrap;
+        }
+
+        .btn-request-access:hover {
+            background: var(--primary);
+            color: #fff;
+        }
+
+        /* Request Access Modal */
+        .request-access-overlay {
+            display: none;
+            position: fixed;
+            top: 0;
+            left: 0;
+            right: 0;
+            bottom: 0;
+            background: rgba(0, 0, 0, 0.5);
+            z-index: 1100;
+            padding: 40px 24px;
+        }
+
+        .request-access-overlay.active {
+            display: flex;
+            align-items: center;
+            justify-content: center;
+        }
+
+        .request-access-modal {
+            max-width: 500px;
+            width: 100%;
+            background: var(--surface);
+            border-radius: 12px;
+            box-shadow: 0 20px 60px rgba(0, 0, 0, 0.3);
+            overflow: hidden;
+        }
+
+        .request-access-modal .modal-header {
+            display: flex;
+            justify-content: space-between;
+            align-items: center;
+            padding: 20px 24px 16px;
+            border-bottom: 1px solid var(--border);
+        }
+
+        .request-access-modal .modal-header h3 {
+            font-size: 16px;
+            font-weight: 600;
+        }
+
+        .request-access-modal .modal-body {
+            padding: 20px 24px;
+        }
+
+        .request-access-modal .modal-body label {
+            display: block;
+            font-size: 13px;
+            font-weight: 500;
+            color: var(--text-secondary);
+            margin-top: 16px;
+            margin-bottom: 6px;
+        }
+
+        .request-access-modal .modal-body textarea {
+            width: 100%;
+            border: 1px solid var(--border);
+            border-radius: 8px;
+            padding: 10px 12px;
+            font-family: var(--font-primary);
+            font-size: 13px;
+            resize: vertical;
+        }
+
+        .request-access-modal .modal-body textarea:focus {
+            outline: none;
+            border-color: var(--primary);
+            box-shadow: 0 0 0 3px var(--primary-light);
+        }
+
+        .request-access-modal .modal-footer {
+            display: flex;
+            justify-content: flex-end;
+            gap: 8px;
+            padding: 16px 24px 20px;
+            border-top: 1px solid var(--border);
+        }
+
+        .request-access-modal .btn-secondary {
+            padding: 8px 16px;
+            border-radius: 8px;
+            border: 1px solid var(--border);
+            background: var(--surface);
+            font-size: 13px;
+            font-weight: 500;
+            cursor: pointer;
+            color: var(--text-primary);
+        }
+
+        .request-access-modal .btn-primary {
+            padding: 8px 16px;
+            border-radius: 8px;
+            border: none;
+            background: var(--primary);
+            color: #fff;
+            font-size: 13px;
+            font-weight: 500;
+            cursor: pointer;
+        }
+
+        .request-access-modal .btn-primary:disabled {
+            opacity: 0.6;
+            cursor: not-allowed;
+        }
+
         .table-row-left {
             flex: 1;
             min-width: 0;
@@ -1414,10 +1566,17 @@
                 </button>
                 <div class="accordion-content">
                     {% for table in category.tables %}
-                    <div class="table-row" {% if table.query_mode != 'remote' %}onclick="openProfiler('{{ table.name }}')"{% endif %}>
+                    <div class="table-row{% if not table.is_public and not table.has_access %} table-row-locked{% endif %}" {% if not table.is_public and not table.has_access %}{% if table.pending_request %}title="Access request pending"{% else %}onclick="openRequestModal('{{ table.id }}', '{{ table.name }}')"{% endif %}{% elif table.query_mode != 'remote' %}onclick="openProfiler('{{ table.name }}')"{% endif %}>
                         <div class="table-row-left">
                             <div class="table-row-name">
                                 {{ table.name }}
+                                {% if not table.is_public and not table.has_access %}
+                                    {% if table.pending_request %}
+                                    <span class="access-badge pending">Pending</span>
+                                    {% else %}
+                                    <span class="access-badge locked" title="Private table - request access">&#128274;</span>
+                                    {% endif %}
+                                {% endif %}
                                 {% if table.query_mode == 'remote' %}
                                 <span class="query-mode-badge live">Live</span>
                                 {% else %}
@@ -1426,7 +1585,9 @@
                             </div>
                             <div class="table-row-desc">{{ table.description }}</div>
                             <div class="table-sync-info">
-                                {% if table.query_mode == 'remote' %}
+                                {% if not table.is_public and not table.has_access and not table.pending_request %}
+                                <span style="color: var(--text-secondary);">Click to request access</span>
+                                {% elif table.query_mode == 'remote' %}
                                 <span class="live-dot"></span> Queried directly from BigQuery
                                 {% elif table.last_sync %}
                                 Synced {{ table.last_sync }}
@@ -1434,6 +1595,13 @@
                             </div>
                         </div>
                         <div class="table-row-right">
+                            {% if not table.is_public and not table.has_access %}
+                                {% if table.pending_request %}
+                                <span class="rows-badge" style="background: #FFF7ED; color: #EA580C;">Awaiting review</span>
+                                {% else %}
+                                <span class="btn-request-access" onclick="event.stopPropagation(); openRequestModal('{{ table.id }}', '{{ table.name }}')">Request Access</span>
+                                {% endif %}
+                            {% else %}
                             <span class="rows-badge{{ ' large' if table.rows_large }}">{{ table.rows_display }}</span>
                             {% if table.query_mode != 'remote' %}
                             <span class="profile-link">
@@ -1441,6 +1609,7 @@
                                 Profile
                             </span>
                             {% endif %}
+                            {% endif %}
                         </div>
                     </div>
                     {% endfor %}
@@ -2450,6 +2619,77 @@ document.addEventListener('keydown', e => {
 })();
 </script>
 
+<!-- ═══════════════ REQUEST ACCESS MODAL ═══════════════ -->
+<div id="requestAccessOverlay" class="request-access-overlay" onclick="if(event.target===this)closeRequestModal()">
+    <div class="request-access-modal">
+        <div class="modal-header">
+            <h3>Request Access</h3>
+            <button class="btn-secondary" style="border:none;font-size:18px;padding:4px 8px;line-height:1;" onclick="closeRequestModal()">&times;</button>
+        </div>
+        <div class="modal-body">
+            <p>Table: <strong id="requestTableName"></strong></p>
+            <label for="requestReason">Reason (optional)</label>
+            <textarea id="requestReason" rows="3" placeholder="Why do you need access to this table?"></textarea>
+            <p id="requestStatus" style="margin-top:12px;display:none;font-size:13px;"></p>
+        </div>
+        <div class="modal-footer">
+            <button class="btn-secondary" onclick="closeRequestModal()">Cancel</button>
+            <button class="btn-primary" id="submitRequestBtn" onclick="submitAccessRequest()">Request Access</button>
+        </div>
+    </div>
+</div>
+
+<script>
+let requestTableId = '';
+
+function openRequestModal(tableId, tableName) {
+    requestTableId = tableId;
+    document.getElementById('requestTableName').textContent = tableName;
+    document.getElementById('requestReason').value = '';
+    document.getElementById('requestStatus').style.display = 'none';
+    document.getElementById('submitRequestBtn').disabled = false;
+    document.getElementById('submitRequestBtn').textContent = 'Request Access';
+    document.getElementById('requestAccessOverlay').classList.add('active');
+}
+
+function closeRequestModal() {
+    document.getElementById('requestAccessOverlay').classList.remove('active');
+}
+
+async function submitAccessRequest() {
+    const reason = document.getElementById('requestReason').value;
+    const btn = document.getElementById('submitRequestBtn');
+    const status = document.getElementById('requestStatus');
+    btn.disabled = true;
+
+    try {
+        const resp = await fetch('/api/access-requests', {
+            method: 'POST',
+            headers: {'Content-Type': 'application/json'},
+            body: JSON.stringify({table_id: requestTableId, reason: reason})
+        });
+
+        if (resp.ok) {
+            status.textContent = 'Request submitted! An admin will review it.';
+            status.style.color = 'var(--success)';
+            status.style.display = 'block';
+            btn.textContent = 'Submitted';
+        } else if (resp.status === 409) {
+            status.textContent = 'You already have a pending request for this table.';
+            status.style.color = 'var(--warning)';
+            status.style.display = 'block';
+        } else {
+            throw new Error('Request failed');
+        }
+    } catch(e) {
+        status.textContent = 'Error submitting request. Please try again.';
+        status.style.color = 'var(--error)';
+        status.style.display = 'block';
+        btn.disabled = false;
+    }
+}
+</script>
+
 <!-- ═══════════════ METRIC MODAL ═══════════════ -->
 <div id="metricModalOverlay" class="metric-modal-overlay">
     <div id="metricModal" class="metric-modal" onclick="event.stopPropagation()">
diff --git a/src/db.py b/src/db.py
index 036063a..46a6339 100644
--- a/src/db.py
+++ b/src/db.py
@@ -149,6 +149,18 @@ CREATE TABLE IF NOT EXISTS dataset_permissions (
     access VARCHAR DEFAULT 'read',
     PRIMARY KEY (user_id, dataset)
 );
+
+CREATE TABLE IF NOT EXISTS access_requests (
+    id VARCHAR PRIMARY KEY,
+    user_id VARCHAR NOT NULL,
+    user_email VARCHAR NOT NULL,
+    table_id VARCHAR NOT NULL,
+    reason TEXT,
+    status VARCHAR DEFAULT 'pending',
+    reviewed_by VARCHAR,
+    reviewed_at TIMESTAMP,
+    created_at TIMESTAMP DEFAULT current_timestamp
+);
 """
 
 
diff --git a/src/repositories/access_requests.py b/src/repositories/access_requests.py
new file mode 100644
index 0000000..34754c7
--- /dev/null
+++ b/src/repositories/access_requests.py
@@ -0,0 +1,90 @@
+"""Repository for access requests."""
+
+import uuid
+from datetime import datetime, timezone
+from typing import Any, Optional, List, Dict
+
+import duckdb
+
+
+class AccessRequestRepository:
+    def __init__(self, conn: duckdb.DuckDBPyConnection):
+        self.conn = conn
+
+    def create(self, user_id: str, user_email: str, table_id: str, reason: str = "") -> str:
+        """Create a new access request. Returns request ID."""
+        req_id = str(uuid.uuid4())
+        now = datetime.now(timezone.utc)
+        self.conn.execute(
+            """INSERT INTO access_requests (id, user_id, user_email, table_id, reason, status, created_at)
+            VALUES (?, ?, ?, ?, ?, 'pending', ?)""",
+            [req_id, user_id, user_email, table_id, reason, now],
+        )
+        return req_id
+
+    def get(self, request_id: str) -> Optional[Dict[str, Any]]:
+        result = self.conn.execute("SELECT * FROM access_requests WHERE id = ?", [request_id]).fetchone()
+        if not result:
+            return None
+        columns = [desc[0] for desc in self.conn.description]
+        return dict(zip(columns, result))
+
+    def list_pending(self) -> List[Dict[str, Any]]:
+        """List all pending requests (for admin)."""
+        results = self.conn.execute(
+            "SELECT * FROM access_requests WHERE status = 'pending' ORDER BY created_at DESC"
+        ).fetchall()
+        if not results:
+            return []
+        columns = [desc[0] for desc in self.conn.description]
+        return [dict(zip(columns, row)) for row in results]
+
+    def list_by_user(self, user_id: str) -> List[Dict[str, Any]]:
+        """List all requests by a user."""
+        results = self.conn.execute(
+            "SELECT * FROM access_requests WHERE user_id = ? ORDER BY created_at DESC",
+            [user_id],
+        ).fetchall()
+        if not results:
+            return []
+        columns = [desc[0] for desc in self.conn.description]
+        return [dict(zip(columns, row)) for row in results]
+
+    def approve(self, request_id: str, reviewed_by: str) -> bool:
+        """Approve request and grant access."""
+        req = self.get(request_id)
+        if not req or req["status"] != "pending":
+            return False
+
+        now = datetime.now(timezone.utc)
+        self.conn.execute(
+            "UPDATE access_requests SET status = 'approved', reviewed_by = ?, reviewed_at = ? WHERE id = ?",
+            [reviewed_by, now, request_id],
+        )
+
+        # Auto-grant permission
+        from src.repositories.sync_settings import DatasetPermissionRepository
+        DatasetPermissionRepository(self.conn).grant(req["user_id"], req["table_id"], "read")
+
+        return True
+
+    def deny(self, request_id: str, reviewed_by: str) -> bool:
+        """Deny a request."""
+        req = self.get(request_id)
+        if not req or req["status"] != "pending":
+            return False
+
+        now = datetime.now(timezone.utc)
+        self.conn.execute(
+            "UPDATE access_requests SET status = 'denied', reviewed_by = ?, reviewed_at = ? WHERE id = ?",
+            [reviewed_by, now, request_id],
+        )
+        return True
+
+    def has_pending_request(self, user_id: str, table_id: str) -> bool:
+        """Check if user already has a pending request for this table."""
+        result = self.conn.execute(
+            "SELECT id FROM access_requests WHERE user_id = ? AND table_id = ? AND status = 'pending'",
+            [user_id, table_id],
+        ).fetchone()
+        return result is not None