diff --git a/backend/src/ee/services/permission/project-permission.ts b/backend/src/ee/services/permission/project-permission.ts
index 5a744e0645..d9fb2ae6a2 100644
--- a/backend/src/ee/services/permission/project-permission.ts
+++ b/backend/src/ee/services/permission/project-permission.ts
@@ -307,6 +307,7 @@ export type SecretSyncSubjectFields = {
 };
 export type PkiSyncSubjectFields = {
+ subscriberName?: string;
 name: string;
 };
diff --git a/backend/src/services/certificate-authority/certificate-authority-service.ts b/backend/src/services/certificate-authority/certificate-authority-service.ts
index 9a65ed8219..3c0b22bb8c 100644
--- a/backend/src/services/certificate-authority/certificate-authority-service.ts
+++ b/backend/src/services/certificate-authority/certificate-authority-service.ts
@@ -332,8 +332,8 @@ export const certificateAuthorityServiceFactory = ({
 });
 ForbiddenError.from(permission).throwUnlessCan(
- ProjectPermissionCertificateAuthorityActions.Read,
- subject(ProjectPermissionSub.CertificateAuthorities, { name: "*" })
+ ProjectPermissionCertificateAuthorityActions.List,
+ ProjectPermissionSub.CertificateAuthorities
 );
 if (type === CaType.INTERNAL) {
@@ -724,7 +724,10 @@ export const certificateAuthorityServiceFactory = ({
 ForbiddenError.from(permission).throwUnlessCan(
 ProjectPermissionCertificateAuthorityActions.Read,
- ProjectPermissionSub.CertificateAuthorities
+ subject(ProjectPermissionSub.CertificateAuthorities, { caId: ca.id, name: ca.name })
 );
 return ca;
diff --git a/backend/src/services/pki-sync/pki-sync-service.ts b/backend/src/services/pki-sync/pki-sync-service.ts
index 83d20079a9..57a9a2aced 100644
--- a/backend/src/services/pki-sync/pki-sync-service.ts
+++ b/backend/src/services/pki-sync/pki-sync-service.ts
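Review bot: The new `subscriberName` field on `PkiSyncSubjectFields` has no documentation, and because it is optional a policy author cannot tell from the type what a condition on it means for a sync that has no subscriber. Suggest a TSDoc comment above it: `/** Name of the subscriber the PKI sync is bound to, if any. Undefined for syncs without a subscriber, so role conditions keyed on this field should account for that case. */`. The enclosing type is fully visible in the hunk; no code change is proposed.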
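Review bot: Swapping the per-CA `Read` check on `{ name: "*" }` for an unconditioned `List` check gates the listing only as a whole; now that the single-CA `Read` check in this same file is evaluated against a concrete `{ caId, name }` subject, a role that grants `List` project-wide but scopes `Read` to particular CAs will still receive every CA's record from this listing, unless the code after `if (type === CaType.INTERNAL) {` filters rows, which is outside the hunk. If that coarse grain is intended, say so at the call site with `// List is deliberately unconditioned; per-CA Read conditions are not applied to listings`; otherwise filter each row with `permission.can(ProjectPermissionCertificateAuthorityActions.Read, subject(ProjectPermissionSub.CertificateAuthorities, { caId: ca.id, name: ca.name }))` before returning. Existing roles that grant only `Read` on certificate authorities will presumably lose listing access once `List` is a distinct action, unless a permission migration elsewhere in the change covers it. The enclosing list function starts and ends outside the hunk.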
@@ -145,7 +145,10 @@ export const pkiSyncServiceFactory = ({
 ForbiddenError.from(permission).throwUnlessCan(
 ProjectPermissionPkiSyncActions.Create,
- subject(ProjectPermissionSub.PkiSyncs, { name: subscriber ? subscriber.name : name })
+ subject(ProjectPermissionSub.PkiSyncs, {
+ subscriberName: subscriber?.name,
+ name
+ })
 );
 // Get the destination app type based on PKI sync destination
@@ -233,9 +236,10 @@ export const pkiSyncServiceFactory = ({
 ForbiddenError.from(permission).throwUnlessCan(
 ProjectPermissionPkiSyncActions.Edit,
- currentSubscriber
- ? subject(ProjectPermissionSub.PkiSyncs, { name: currentSubscriber.name })
- : subject(ProjectPermissionSub.PkiSyncs, { name: pkiSync.name })
+ subject(ProjectPermissionSub.PkiSyncs, {
+ subscriberName: currentSubscriber?.name,
+ name: pkiSync.name
+ })
 );
 if (name && name !== pkiSync.name) {
@@ -329,9 +333,10 @@ export const pkiSyncServiceFactory = ({
 ForbiddenError.from(permission).throwUnlessCan(
 ProjectPermissionPkiSyncActions.Delete,
- pkiSyncSubscriber
- ? subject(ProjectPermissionSub.PkiSyncs, { name: pkiSyncSubscriber.name })
- : subject(ProjectPermissionSub.PkiSyncs, { name: pkiSync.name })
+ subject(ProjectPermissionSub.PkiSyncs, {
+ subscriberName: pkiSyncSubscriber?.name,
+ name: pkiSync.name
+ })
 );
 return pkiSyncDAL.deleteById(id);
@@ -404,9 +409,10 @@ export const pkiSyncServiceFactory = ({
 ForbiddenError.from(permission).throwUnlessCan(
 ProjectPermissionPkiSyncActions.Read,
- findSubscriber
- ? subject(ProjectPermissionSub.PkiSyncs, { name: findSubscriber.name })
- : subject(ProjectPermissionSub.PkiSyncs, { name: pkiSync.name })
+ subject(ProjectPermissionSub.PkiSyncs, {
+ subscriberName: findSubscriber?.name,
+ name: pkiSync.name
+ })
 );
 const result = {
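Review bot: The meaning of the subject's `name` field changes for syncs that have a subscriber: the removed line put `subscriber.name` into `name`, while the new subject always puts the sync name there and moves the subscriber into `subscriberName`. Any existing role condition written as `{ name: <subscriber name> }` on PkiSyncs will therefore stop matching — a deny, so it fails closed, but silently — unless a data migration rewrites stored conditions, and none is visible in this diff. A comment at the check would make the contract explicit, e.g. `// name is always the sync name; roles scoped by subscriber must condition on subscriberName`, and a migration or release note is warranted if such conditions exist in deployed roles. The enclosing create function starts and ends outside the hunk.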
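Review bot: The `Edit` check in the second hunk evaluates the policy against the sync's current `pkiSync.name`, but the `if (name && name !== pkiSync.name) {` branch immediately after it renames the sync and the requested `name` is never checked against the same policy. A role whose conditions scope syncs by name could rename a sync out of its own scope, or into a name pattern that a different role's conditions cover. Suggest adding inside that branch `ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionPkiSyncActions.Edit, subject(ProjectPermissionSub.PkiSyncs, { subscriberName: currentSubscriber?.name, name }));` so both the old and the new name must be permitted. The enclosing update function starts and ends outside the hunk.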
@@ -440,9 +446,10 @@ export const pkiSyncServiceFactory = ({
 ForbiddenError.from(permission).throwUnlessCan(
 ProjectPermissionPkiSyncActions.SyncCertificates,
- syncSubscriber
- ? subject(ProjectPermissionSub.PkiSyncs, { name: syncSubscriber.name })
- : subject(ProjectPermissionSub.PkiSyncs, { name: pkiSync.name })
+ subject(ProjectPermissionSub.PkiSyncs, {
+ subscriberName: syncSubscriber?.name,
+ name: pkiSync.name
+ })
 );
 await pkiSyncQueue.queuePkiSyncSyncCertificatesById({ syncId: id });
@@ -481,9 +488,10 @@ export const pkiSyncServiceFactory = ({
 ForbiddenError.from(permission).throwUnlessCan(
 ProjectPermissionPkiSyncActions.ImportCertificates,
- importSubscriber
- ? subject(ProjectPermissionSub.PkiSyncs, { name: importSubscriber.name })
- : subject(ProjectPermissionSub.PkiSyncs, { name: pkiSync.name })
+ subject(ProjectPermissionSub.PkiSyncs, {
+ subscriberName: importSubscriber?.name,
+ name: pkiSync.name
+ })
 );
 await pkiSyncQueue.queuePkiSyncImportCertificatesById({ syncId: id });
@@ -514,9 +522,10 @@ export const pkiSyncServiceFactory = ({
 ForbiddenError.from(permission).throwUnlessCan(
 ProjectPermissionPkiSyncActions.RemoveCertificates,
- removeSubscriber
- ? subject(ProjectPermissionSub.PkiSyncs, { name: removeSubscriber.name })
- : subject(ProjectPermissionSub.PkiSyncs, { name: pkiSync.name })
+ subject(ProjectPermissionSub.PkiSyncs, {
+ subscriberName: removeSubscriber?.name,
+ name: pkiSync.name
+ })
 );
 await pkiSyncQueue.queuePkiSyncRemoveCertificatesById({ syncId: id });
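Review bot: The `{ subscriberName: x?.name, name: pkiSync.name }` subject is now hand-built at every PkiSyncs check in this file, each with its own differently named subscriber variable (`syncSubscriber`, `importSubscriber`, `removeSubscriber`, and the rest); this is the shape of a permission check that will drift, and indeed not every check in this same file carries the `subscriberName` field. A small factory-scoped helper, `const pkiSyncSubject = (sync: { name: string }, sub?: { name: string }) => subject(ProjectPermissionSub.PkiSyncs, { subscriberName: sub?.name, name: sync.name });`, would make each call a one-liner and make an omitted field visible at review time. This is a style point only; the three checks in these hunks are correct as written. The enclosing trigger functions start and end outside the hunks.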
@@ -554,9 +563,10 @@ export const pkiSyncServiceFactory = ({
 ForbiddenError.from(permission).throwUnlessCan(
 ProjectPermissionPkiSyncActions.Edit,
- pkiSyncSubscriber
- ? subject(ProjectPermissionSub.PkiSyncs, { name: pkiSyncSubscriber.name })
- : subject(ProjectPermissionSub.PkiSyncs, { name: pkiSync.name })
+ subject(ProjectPermissionSub.PkiSyncs, {
+ subscriberName: pkiSyncSubscriber?.name,
+ name: pkiSync.name
+ })
 );
 await validateCertificatesProjectOwnership(certificateIds, pkiSync.projectId);
@@ -598,7 +608,9 @@ export const pkiSyncServiceFactory = ({
 ForbiddenError.from(permission).throwUnlessCan(
 ProjectPermissionPkiSyncActions.Edit,
- subject(ProjectPermissionSub.PkiSyncs, { name: pkiSync.name })
+ subject(ProjectPermissionSub.PkiSyncs, {
+ name: pkiSync.name
+ })
 );
 const removedCount = await certificateSyncDAL.removeCertificates(pkiSyncId, certificateIds);
@@ -639,7 +651,9 @@ export const pkiSyncServiceFactory = ({
 ForbiddenError.from(permission).throwUnlessCan(
 ProjectPermissionPkiSyncActions.Read,
- subject(ProjectPermissionSub.PkiSyncs, { name: pkiSync.name })
+ subject(ProjectPermissionSub.PkiSyncs, {
+ name: pkiSync.name
+ })
 );
 const result = await certificateSyncDAL.findWithDetails({
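Review bot: The subjects built in the second and third hunks here (before `certificateSyncDAL.removeCertificates` and before `certificateSyncDAL.findWithDetails`) omit `subscriberName`, unlike every other PkiSyncs check in this change, so a role whose conditions are keyed on `subscriberName` is evaluated against a subject that lacks the field on exactly these two paths and will behave differently from add/sync/import/remove on the same sync. Either load the sync's subscriber as the other paths do and pass `subscriberName: subscriber?.name`, or add a comment at each check explaining why subscriber scoping intentionally does not apply. Separately, the add path in the first hunk calls `validateCertificatesProjectOwnership` after its check, while the remove path goes straight to `certificateSyncDAL.removeCertificates(pkiSyncId, certificateIds)`; that is presumably safe only if the DAL scopes the deletion by `pkiSyncId`, which is worth confirming. All three enclosing functions start and end outside the hunks.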