diff --git a/pom.xml b/pom.xml
index a26f0a069..02a2a3b8c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -15,7 +15,7 @@
 Self Care Dashboard Backend
- 2.5.10
+ 2.5.11
 https://sonarcloud.io/
diff --git a/src/main/java/it/pagopa/selfcare/dashboard/security/SelfCarePermissionEvaluatorV2.java b/src/main/java/it/pagopa/selfcare/dashboard/security/SelfCarePermissionEvaluatorV2.java
index 639d32149..57f820a19 100644
--- a/src/main/java/it/pagopa/selfcare/dashboard/security/SelfCarePermissionEvaluatorV2.java
+++ b/src/main/java/it/pagopa/selfcare/dashboard/security/SelfCarePermissionEvaluatorV2.java
@@ -29,6 +29,10 @@ public class SelfCarePermissionEvaluatorV2 implements PermissionEvaluator {
 private final UserGroupRestClient userGroupRestClient;
 private final UserApiRestClient userApiRestClient;
 static final String REQUIRED_GROUP_ID_MESSAGE = "A user group id is required";
+ private static final String ISSUER_PAGOPA = "PAGOPA";
+ private static final List PAGOPA_ALLOWED_PERMISSIONS = List.of(
+ "Selc:ViewInstitutionData"
+ );
 public SelfCarePermissionEvaluatorV2(UserGroupRestClient restClient, UserApiRestClient userApiRestClient) {
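Review bot: `ISSUER_PAGOPA` is declared here as a private constant and again, as a public one, in `InstitutionV2ServiceImpl` in this same commit, so the issuer value that unlocks the bypass lives in two places and can drift; one shared constant (or reusing the public one here) keeps both checks in step. `PAGOPA_ALLOWED_PERMISSIONS` is printed as a raw `List` — if the type parameter was not merely lost in rendering, declare it `List<String>` so the `stream().anyMatch` lambda is typed. A one-line comment above the list stating its role would help the next reader: `// Permissions granted to principals whose token issuer is PAGOPA, independent of the target institution/product.`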
@@ -73,7 +77,22 @@ public boolean hasPermission(Authentication authentication, Object targetDomainO
 log.debug(LogUtils.CONFIDENTIAL_MARKER, "hasPermission authentication = {}, targetDomainObject = {}, permission = {}", authentication, targetDomainObject, permission);
 Assert.notNull(permission, "A permission type is required");
 boolean result = false;
- String userId = ((SelfCareUser) authentication.getPrincipal()).getId();
+
+ SelfCareUser selfCareUser = (SelfCareUser) authentication.getPrincipal();
+ String userId = selfCareUser.getId();
+ String issuer = selfCareUser.getIssuer();
+
+ if (ISSUER_PAGOPA.equalsIgnoreCase(issuer)) {
+ log.debug("Issuer is PAGOPA, evaluating permission {}", permission);
+
+ boolean isAllowed = PAGOPA_ALLOWED_PERMISSIONS.stream()
+ .anyMatch(p -> p.equalsIgnoreCase(permission.toString()));
+
+ log.debug("PAGOPA permission {} → {}", permission, isAllowed ? "GRANTED" : "DENIED");
+ log.trace("check Permission end (issuer PAGOPA)");
+ return isAllowed;
+ }
+
 if (targetDomainObject instanceof FilterAuthorityDomain filterAuthorityDomain) {
 if (StringUtils.hasText(filterAuthorityDomain.getGroupId())) {
 UserGroupInfo userGroupInfo = getUserGroupById(filterAuthorityDomain.getGroupId());
diff --git a/src/main/java/it/pagopa/selfcare/dashboard/service/InstitutionV2ServiceImpl.java b/src/main/java/it/pagopa/selfcare/dashboard/service/InstitutionV2ServiceImpl.java
index b9b069519..da1df8dbd 100644
--- a/src/main/java/it/pagopa/selfcare/dashboard/service/InstitutionV2ServiceImpl.java
+++ b/src/main/java/it/pagopa/selfcare/dashboard/service/InstitutionV2ServiceImpl.java
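Review bot: The new `ISSUER_PAGOPA` branch returns before `targetDomainObject` is inspected, so a principal whose issuer is PAGOPA is granted `Selc:ViewInstitutionData` on every institution, product and group; this hunk does not show where the issuer claim is bound to the token's verified signing key, and that binding is what keeps this early return from becoming cross-institution read access, so it deserves to be stated as a precondition in a comment on the branch, e.g. `// Trusts the issuer claim: only valid if token validation ties ISSUER_PAGOPA to its own signing key.` Both the issuer and the permission name are compared with `equalsIgnoreCase`; unless token values are known to vary in case, `ISSUER_PAGOPA.equals(issuer)` and `p.equals(permission.toString())` avoid accepting variants the allow-list never named. The `log.debug("PAGOPA permission {} → {}", ...)` message contains a non-ASCII arrow that can render as garbage in non-UTF-8 log sinks; `->` is the safer choice. `hasPermission` continues past the hunk.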
@@ -23,6 +23,7 @@
 import org.springframework.core.io.Resource;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Service;
 import org.springframework.util.Assert;
@@ -39,6 +40,7 @@ public class InstitutionV2ServiceImpl implements InstitutionV2Service {
 static final String REQUIRED_INSTITUTION_MESSAGE = "An Institution id is required";
 private static final String REQUIRED_USER_ID = "A user id is required";
 private static final String A_USER_INFO_FILTER_OBJECT_IS_REQUIRED = "A UserInfoFilter object is required";
+ public static final String ISSUER_PAGOPA = "PAGOPA";
 private final List allowedStates;
 private final UserApiRestClient userApiRestClient;
@@ -100,13 +102,24 @@ public Institution findInstitutionById(String institutionId) {
 log.trace("findInstitutionById start");
 log.debug("findInstitutionById institutionId = {}", Encode.forJava(institutionId));
 Assert.hasText(institutionId, REQUIRED_INSTITUTION_MESSAGE);
- String userId = ((SelfCareUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getId();
 log.trace("getInstitution start");
 log.debug("getInstitution institutionId = {}", Encode.forJava(institutionId));
 Institution institution = institutionMapper.toInstitution(coreInstitutionApiRestClient._retrieveInstitutionByIdUsingGET(institutionId, null).getBody());
 log.debug("getInstitution result = {}", institution);
 log.trace("getInstitution end");
 log.trace("getUserInstitutionWithActions start");
+
+ Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+ SelfCareUser selfCareUser = (SelfCareUser) authentication.getPrincipal();
+ String issuer = selfCareUser.getIssuer();
+
+ if (ISSUER_PAGOPA.equalsIgnoreCase(issuer)) {
+ log.debug("Issuer is PAGOPA, skipping user-institution permission checks");
+ return institution;
+ }
+
+ String userId = selfCareUser.getId();
+
 UserInstitutionWithActionsDto userInstitutionWithActionsDto = userMapper.toUserInstitutionWithActionsDto(userApiRestClient._getUserInstitutionWithPermission(institutionId, userId, null).getBody());
 if (Objects.isNull(userInstitutionWithActionsDto))
diff --git a/src/test/java/it/pagopa/selfcare/dashboard/security/SelfCarePermissionEvaluatorV2Test.java b/src/test/java/it/pagopa/selfcare/dashboard/security/SelfCarePermissionEvaluatorV2Test.java
index 198829de3..3045f568a 100644
--- a/src/test/java/it/pagopa/selfcare/dashboard/security/SelfCarePermissionEvaluatorV2Test.java
+++ b/src/test/java/it/pagopa/selfcare/dashboard/security/SelfCarePermissionEvaluatorV2Test.java
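Review bot: `log.trace("getUserInstitutionWithActions start")` is still emitted before the new PAGOPA early return, so for those callers the trace announces a lookup that never happens; move that trace below the `if` block so it sits next to the `_getUserInstitutionWithPermission` call it describes. The early return hands back the institution for whatever `institutionId` the caller names, with the per-user institution check skipped, which should be spelled out so the next maintainer does not reintroduce the check by accident: `// PAGOPA-issued principals are trusted to read any institution; the user-institution permission lookup is intentionally bypassed.` `ISSUER_PAGOPA.equalsIgnoreCase(issuer)` accepts any casing of the issuer value; `ISSUER_PAGOPA.equals(issuer)` is the tighter match unless issuer values are known to vary. `findInstitutionById` continues past the hunk.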
@@ -87,4 +87,24 @@ void hasPermissionReturnsFalseForInvalidDirectPermission() {
 assertFalse(permissionEvaluator.hasPermission(authentication, new FilterAuthorityDomain("institutionId", "productId", null), "Selc:ViewBilling"));
 }
+
+ @Test
+ void hasPermissionReturnsTrueForIssuerPagoPA() {
+ Authentication authentication = mock(Authentication.class);
+ SelfCareUser user = SelfCareUser.builder("userId").issuer("PAGOPA").build();
+
+ when(authentication.getPrincipal()).thenReturn(user);
+
+ assertTrue(permissionEvaluator.hasPermission(authentication, new FilterAuthorityDomain("institutionId", null, null), "Selc:ViewInstitutionData"));
+ }
+
+ @Test
+ void hasPermissionReturnsFalseForIssuerPagoPA() {
+ Authentication authentication = mock(Authentication.class);
+ SelfCareUser user = SelfCareUser.builder("userId").issuer("PAGOPA").build();
+
+ when(authentication.getPrincipal()).thenReturn(user);
+
+ assertFalse(permissionEvaluator.hasPermission(authentication, new FilterAuthorityDomain("institutionId", null, null), "Selc:ViewBilling"));
+ }
 }
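Review bot: The two new tests cover only the exact-case issuer `"PAGOPA"` on the evaluator; nothing in this commit exercises the `equalsIgnoreCase` behaviour (an issuer such as `"pagopa"`) or the new early return in `InstitutionV2ServiceImpl.findInstitutionById`, so either branch can regress or be tightened without a test noticing. If case-insensitive matching is intended, a third evaluator test with a lower-case issuer pins it; if not, the production comparison should become `equals` and a test should assert the lower-case issuer is denied. A service-level test for `findInstitutionById` with a PAGOPA principal, asserting that `_getUserInstitutionWithPermission` is never invoked, would document the bypass as deliberate.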