diff --git a/app/controllers/decidim/analytics/admin/analytics_controller.rb b/app/controllers/decidim/analytics/admin/analytics_controller.rb
index 82c3271..584a599 100644
--- a/app/controllers/decidim/analytics/admin/analytics_controller.rb
+++ b/app/controllers/decidim/analytics/admin/analytics_controller.rb
@@ -4,8 +4,9 @@ module Decidim
 module Analytics
 module Admin
 class AnalyticsController < Analytics::Admin::ApplicationController
-
 def index
+ enforce_permission_to :read, :analytics
+
 @server_address = Rails.application.secrets.dig(:matomo, :server_address)
 @site_id = Rails.application.secrets.dig(:matomo, :site_id)
 @token_auth = Rails.application.secrets.dig(:matomo, :token_auth)
diff --git a/app/controllers/decidim/analytics/admin/application_controller.rb b/app/controllers/decidim/analytics/admin/application_controller.rb
index a52c081..4cfbd2f 100644
--- a/app/controllers/decidim/analytics/admin/application_controller.rb
+++ b/app/controllers/decidim/analytics/admin/application_controller.rb
@@ -9,6 +9,9 @@ module Admin
 # Note that it inherits from `Decidim::Admin::Components::BaseController`, which
 # override its layout and provide all kinds of useful methods.
 class ApplicationController < Decidim::Admin::ApplicationController
+ def permission_class_chain
+ [::Decidim::Analytics::Admin::Permissions] + super
+ end
 end
 end
 end
diff --git a/app/permissions/decidim/analytics/admin/permissions.rb b/app/permissions/decidim/analytics/admin/permissions.rb
new file mode 100644
index 0000000..a125588
--- /dev/null
+++ b/app/permissions/decidim/analytics/admin/permissions.rb
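Review bot: In `index` of `analytics_controller.rb`, the added `enforce_permission_to :read, :analytics` is the only gate this hunk shows in front of `@token_auth`, which is read from the secrets and assigned to an instance variable the view can render. If the template places that value in markup or an embed URL (the view is not part of this diff), every user who passes the check can read the Matomo token from the page, so the token should belong to a Matomo user with view-only access to this one site. A comment above the assignment would record that, e.g. `# token_auth may reach the browser via the view: use a view-only Matomo token scoped to this site`. The body of `index` continues past the end of the hunk.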
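Review bot: In `application_controller.rb`, the comment above `ApplicationController` says the class inherits from `Decidim::Admin::Components::BaseController`, but the class line inherits from `Decidim::Admin::ApplicationController`. With `super` now part of `permission_class_chain`, the parent decides which permission classes follow the analytics one, so the comment should name the real parent. The new method also has no comment; one line such as `# Puts the analytics permissions ahead of the chain inherited from the parent controller.` would state the ordering the array builds.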
@@ -0,0 +1,25 @@
+
+
+# frozen_string_literal: true
+
+module Decidim
+ module Analytics
+ module Admin
+ class Permissions < Decidim::DefaultPermissions
+ def permissions
+ return permission_action if permission_action.scope != :admin
+ return permission_action unless user&.admin?
+
+ allow! if read_analytics?
+
+ permission_action
+ end
+
+ def read_analytics?
+ permission_action.subject == :analytics &&
+ permission_action.action == :read
+ end
+ end
+ end
+ end
+end
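Review bot: `permissions` only ever calls `allow!`; a missing user, a non-admin user, or any other subject or action leaves `permission_action` unset, so denial depends on the caller treating an unset action as forbidden. That is presumably how `enforce_permission_to` behaves, but a spec covering a non-admin and a signed-out user would pin it, and a class comment should state the rule, e.g. `# Grants :read on :analytics in the :admin scope only to users whose admin? is true.` `read_analytics?` is called only from `permissions` in this file and could sit under `private`. The two empty lines ahead of `# frozen_string_literal: true` can be dropped.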