diff --git a/ui/console-src/router/guards/permission.ts b/ui/console-src/router/guards/permission.ts
index b513e9e0e0..0367d31963 100644
--- a/ui/console-src/router/guards/permission.ts
+++ b/ui/console-src/router/guards/permission.ts
@@ -1,22 +1,49 @@
+import { rbacAnnotations } from "@/constants/annotations";
 import { useRoleStore } from "@/stores/role";
+import { useUserStore } from "@/stores/user";
 import { hasPermission } from "@/utils/permission";
-import type { Router } from "vue-router";
+import type { Role } from "@halo-dev/api-client";
+import type { RouteLocationNormalized, Router } from "vue-router";
 export function setupPermissionGuard(router: Router) {
 router.beforeEach((to, _, next) => {
+ const userStore = useUserStore();
 const roleStore = useRoleStore();
- const { uiPermissions } = roleStore.permissions;
- const { meta } = to;
- if (meta && meta.permissions) {
- const flag = hasPermission(
- Array.from(uiPermissions),
- meta.permissions as string[],
- true
- );
- if (!flag) {
- next({ name: "Forbidden" });
- }
+
+ if (isConsoleAccessDisallowed(userStore.currentRoles)) {
+ window.location.href = "/uc";
+ return;
+ }
+
+ if (checkRoutePermissions(to, roleStore.permissions.uiPermissions)) {
+ next();
+ } else {
+ next({ name: "Forbidden" });
 }
- next();
 });
 }
+
+function isConsoleAccessDisallowed(currentRoles?: Role[]): boolean {
+ return (
+ currentRoles?.some(
+ (role) =>
+ role.metadata.annotations?.[rbacAnnotations.DISALLOW_ACCESS_CONSOLE] ===
+ "true"
+ ) || false
+ );
+}
+
+function checkRoutePermissions(
+ to: RouteLocationNormalized,
+ uiPermissions: string[]
+): boolean {
+ const { meta } = to;
+ if (meta?.permissions) {
+ return hasPermission(
+ Array.from(uiPermissions),
+ meta.permissions as string[],
+ true
+ );
+ }
+ return true;
+}
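Review bot: `isConsoleAccessDisallowed` fails open: when `currentRoles` is undefined (the parameter is optional, so presumably the user store can be unpopulated at first navigation), `currentRoles?.some(...) || false` yields `false` and the guard lets the navigation into the console proceed. If that state is reachable, the guard should wait for the roles or treat the missing value as undecided rather than as allowed, and a comment on the function should say which behaviour is intended. In the redirect branch, adding `next(false);` before `return;` would cancel the pending navigation explicitly instead of leaving it unresolved while the page is replaced. This guard only affects what the console UI renders; the `DISALLOW_ACCESS_CONSOLE` restriction still has to be enforced by the server on the console APIs, which this hunk does not show.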