diff --git a/app/controllers/translations_controller.rb b/app/controllers/translations_controller.rb
index f5affe929ee..10439c8310f 100644
--- a/app/controllers/translations_controller.rb
+++ b/app/controllers/translations_controller.rb
@@ -1,4 +1,5 @@
 class TranslationsController < ApplicationController
+  before_action :translations_authorized?
   before_action :set_translation, only: [:show, :edit, :update, :destroy]
 
   def index
@@ -55,6 +56,12 @@ def set_translation
     @translation = Translation.find(params[:id])
   end
 
+  def translations_authorized?
+    return if authorize HbxProfile, :can_view_or_change_translations?
+
+    redirect_to root_path, :flash => { :error => "Access not allowed" }
+  end
+
   def translation_params
     params.require(:translation).permit(:key, :value)
   end
diff --git a/app/policies/hbx_profile_policy.rb b/app/policies/hbx_profile_policy.rb
index 9ff01cec6b5..ad37dbbb843 100644
--- a/app/policies/hbx_profile_policy.rb
+++ b/app/policies/hbx_profile_policy.rb
@@ -25,6 +25,10 @@ def can_submit_time_travel_request?
     role.permission.can_submit_time_travel_request
   end
 
+  def can_view_or_change_translations?
+    user_hbx_staff_role&.permission&.name == "super_admin"
+  end
+
   def send_broker_agency_message?
     role = user_hbx_staff_role
     return false unless role
diff --git a/spec/controllers/translations_controller_spec.rb b/spec/controllers/translations_controller_spec.rb
new file mode 100644
index 00000000000..44cd74c01d5
--- /dev/null
+++ b/spec/controllers/translations_controller_spec.rb
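Review bot: The `redirect_to root_path` in `translations_authorized?` is only reached if `authorize` returns a falsy value, and if `authorize` here is Pundit's standard helper a denied policy raises `Pundit::NotAuthorizedError` instead of returning false, which would make that line unreachable and leave the non-admin response to whatever `ApplicationController` (not in this diff) rescues the error into. If `authorize` is a project helper that returns a boolean, the guard works as written; either way it is worth pinning with a spec that asserts the redirect rather than relying on the filter's shape. The filter is also named like a predicate (`?`) but performs a redirect, so `before_action :authorize_translations` with a short comment, `# Restricts every action to staff the HbxProfile policy marks as super admin`, would read more honestly at the `before_action` line in the first hunk. Declaring it ahead of `set_translation` is the right order, since an unauthorized caller never reaches `Translation.find`.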
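Review bot: `can_view_or_change_translations?` grants access by comparing the permission's `name` to the literal `"super_admin"`, whereas the neighbouring `can_submit_time_travel_request?` reads a capability flag off `role.permission`; a name comparison means any future rename of the permission silently changes who can edit translations, and the accompanying spec only flips authorization by renaming the permission, which works solely because of this. Consider a dedicated permission attribute in the style of the sibling method, or at minimum a frozen constant, e.g. `SUPER_ADMIN_PERMISSION = "super_admin"` and `user_hbx_staff_role&.permission&.name == SUPER_ADMIN_PERMISSION`, plus a one-line comment stating that translation editing is intentionally restricted to that single role. The enclosing policy class starts and ends outside this hunk.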
@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+RSpec.describe TranslationsController, :type => :controller do
+  let!(:super_admin_user) { FactoryBot.create(:user, :with_hbx_staff_role, person: super_admin_person) }
+  let!(:super_admin_permission) { FactoryBot.create(:permission, :super_admin) }
+  let!(:super_admin_person) { FactoryBot.create(:person) }
+  let!(:hbx_profile) { FactoryBot.create(:hbx_profile) }
+  let!(:hbx_super_admin_staff_role) do
+    HbxStaffRole.create!(person: super_admin_person, permission_id: super_admin_permission.id, subrole: super_admin_subrole, hbx_profile_id: hbx_profile.id)
+  end
+  let(:super_admin_subrole) { 'super_admin' }
+  let!(:test_translation) { FactoryBot.build(:translation, id: "1") }
+  let(:test_translation_id) { test_translation.id }
+  before :each do
+    sign_in(super_admin_user)
+    allow(Translation).to receive(:find).with("1").and_return(test_translation)
+  end
+  context "Permissions" do
+    context "#new" do
+      context "super admin" do
+        it "should be authorized" do
+          get :new
+          expect(response.status).to be(200)
+        end
+      end
+      context "non super admin user" do
+        before do
+          super_admin_permission.update_attributes!(name: "non_super_admin")
+        end
+        it "should not be authorized" do
+          get :new
+          expect(response).to_not eq(200)
+        end
+      end
+    end
+    context "#create" do
+      context "non super admin user" do
+        before do
+          super_admin_permission.update_attributes!(name: "non_super_admin")
+        end
+        it "should not be authorized" do
+          post :create, params: {translation: {key: "en.translation", value: "This is the translation."}}
+          expect(response).to_not eq(200)
+        end
+      end
+    end
+    context "#edit" do
+      context "super admin" do
+        it "should be authorized" do
+          get :edit, params: {id: test_translation.id}
+          expect(response.status).to be(200)
+        end
+      end
+      context "non super admin user" do
+        before do
+          super_admin_permission.update_attributes!(name: "non_super_admin")
+        end
+        it "should not be authorized" do
+          get :edit, params: {id: test_translation.id}
+          expect(response).to_not eq(200)
+        end
+      end
+    end
+    context "#update" do
+      context "non super admin user" do
+        before do
+          super_admin_permission.update_attributes!(name: "non_super_admin")
+        end
+        it "should not be authorized" do
+          put :update, params: {id: test_translation.id, translation: {key: "en.translation", value: "This is the translation."}}
+          expect(response).to_not eq(200)
+        end
+      end
+    end
+    context "#show" do
+      context "super admin" do
+        it "should be authorized" do
+          get :show, params: {id: test_translation.id}
+          expect(response.status).to be(200)
+        end
+      end
+      context "non super admin user" do
+        before do
+          super_admin_permission.update_attributes!(name: "non_super_admin")
+        end
+        it "should not be authorized" do
+          get :show, params: {id: test_translation.id}
+          expect(response).to_not eq(200)
+        end
+      end
+    end
+    context "#index" do
+      context "super admin" do
+        it "should be authorized" do
+          get :index
+          expect(response.status).to be(200)
+        end
+      end
+      context "non super admin user" do
+        before do
+          super_admin_permission.update_attributes!(name: "non_super_admin")
+        end
+        it "should not be authorized" do
+          get :index
+          expect(response).to_not eq(200)
+        end
+      end
+    end
+  end
+end
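Review bot: Every "should not be authorized" example asserts `expect(response).to_not eq(200)`, which compares the response object itself to the integer 200 and therefore passes no matter what the controller did, so none of the negative cases actually verify that a non-super-admin is blocked. Replace them with an assertion on the observable outcome, e.g. `expect(response).to redirect_to(root_path)` together with `expect(flash[:error]).to eq("Access not allowed")`, or at minimum `expect(response.status).to_not eq(200)`, so the examples fail if the `before_action` is removed. The same vacuous assertion appears under `#new`, `#create`, `#edit`, `#update`, `#show` and `#index`. There is also no example for `#destroy`, which the controller guards as well, and no positive (super admin) case for `#create` or `#update`.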