diff --git a/CHANGELOG.md b/CHANGELOG.md
index b05db037..7d82b740 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@
 * Fixed HTML Entities in titles [#2028](https://github.com/getgrav/grav-plugin-admin/issues/2028)
 * Fixed deleting list field options completely, didn't save changes [#2056](https://github.com/getgrav/grav-plugin-admin/issues/2056)
 * Fixed `onAdminAfterAddMedia` and `onAdminAfterDelMedia` events always pointing to the home page
+ * Fixed ACL for Configuration tabs [#771](https://github.com/getgrav/grav-plugin-admin/issues/771)
 # v1.10.3
 ## 02/01/2021
diff --git a/admin.php b/admin.php
index 4118b133..bafa24b7 100644
--- a/admin.php
+++ b/admin.php
@@ -858,6 +858,9 @@ class AdminPlugin extends Plugin
 'authorize' => [
 'admin.configuration.system',
 'admin.configuration.site',
+ 'admin.configuration.media',
+ 'admin.configuration.security',
+ 'admin.configuration.info',
 'admin.super'],
 'priority' => 9
 ];
diff --git a/classes/plugin/Admin.php b/classes/plugin/Admin.php
index fdc77ab7..4e6af151 100644
--- a/classes/plugin/Admin.php
+++ b/classes/plugin/Admin.php
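Review bot: The five `admin.configuration.*` entries on the `authorize` list reproduce by hand the set of tabs that `Admin::configurations(true)` in this same commit derives from the blueprints on disk, so a user holding only an action for a config blueprint not named here (if plugins register such actions) would pass the tab filter but never see the menu entry. I would add `// Keep in sync with Admin::configurations(): one action per configuration tab; presumably any one of them unlocks the menu entry.` above the `'authorize'` key, or derive the list from that method if it is cheap enough to call at registration time. The array this belongs to, and the method that registers it, begin before and end after this hunk.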
@@ -246,23 +246,62 @@ class Admin
 /**
 * Return the found configuration blueprints
 *
+ * @param bool $checkAccess
 * @return array
 */
- public static function configurations()
+ public static function configurations(bool $checkAccess = false): array
 {
- $configurations = [];
+ $grav = Grav::instance();
+
+ /** @var Admin $admin */
+ $admin = $grav['admin'];
 /** @var UniformResourceIterator $iterator */
- $iterator = Grav::instance()['locator']->getIterator('blueprints://config');
+ $iterator = $grav['locator']->getIterator('blueprints://config');
+ // Find all main level configuration files.
+ $configurations = [];
 foreach ($iterator as $file) {
 if ($file->isDir() || !preg_match('/^[^.].*.yaml$/', $file->getFilename())) {
 continue;
 }
- $configurations[] = $file->getBasename('.yaml');
+
+ $name = $file->getBasename('.yaml');
+
+ // Check that blueprint exists and is not hidden.
+ $data = $admin->data('config/'. $name);
+ if (!is_callable([$data, 'blueprints'])) {
+ continue;
+ }
+
+ $blueprint = $data->blueprints();
+ if (!$blueprint) {
+ continue;
+ }
+
+ $test = $blueprint->toArray();
+ if (empty($test['form']['hidden']) && (!empty($test['form']['field']) || !empty($test['form']['fields']))) {
+ $configurations[$name] = true;
+ }
 }
- return $configurations;
+ // Remove scheduler and backups configs (they belong to the tools).
+ unset($configurations['scheduler'], $configurations['backups']);
+
+ // Sort configurations.
+ ksort($configurations);
+ $configurations = ['system' => true, 'site' => true] + $configurations + ['info' => true];
+
+ if ($checkAccess) {
+ // ACL checks.
+ foreach ($configurations as $name => $value) {
+ if (!$admin->authorize(['admin.configuration.' . $name, 'admin.super'])) {
+ unset($configurations[$name]);
+ }
+ }
+ }
+
+ return array_keys($configurations);
 }
 /**
diff --git a/languages/en.yaml b/languages/en.yaml
index bb221e3e..350b48c6 100644
--- a/languages/en.yaml
+++ b/languages/en.yaml
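Review bot: The docblock gained `@param bool $checkAccess` but says nothing about what the flag does, nor about the rule the `authorize()` call hard-codes: every discovered blueprint name is gated on an action literally named `admin.configuration.<name>` (or `admin.super`), so a config blueprint with no matching action in permissions.yaml is dropped for everyone but super users — assuming `authorize()` denies unknown actions, which this hunk does not show. I would document that contract and the return shape, roughly: `Return the configuration tab names in display order (system, site, the remaining blueprints sorted, info), minus scheduler/backups; with $checkAccess the list is filtered to tabs the current user may open via admin.configuration.<name> or admin.super.` and change `@return array` to `@return string[]`. Note also that `system`, `site` and `info` are added unconditionally, so they bypass the hidden/`fields` check applied to the scanned blueprints; a one-line comment on the `+ ['info' => true]` line would save the next reader a double take. Finally `$test` would read better as `$blueprintArray`.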
@@ -1088,4 +1088,5 @@ PLUGIN_ADMIN:
 RES_MAX_HEIGHT_HELP: "The maximum height allowed for an image to be added"
 RESIZE_QUALITY: "Resize Quality"
 RESIZE_QUALITY_HELP: "The quality to use when resizing an image. Between 0 and 1 value."
- PIXELS: "pixels"
\ No newline at end of file
+ PIXELS: "pixels"
+ ACCESS_ADMIN_CONFIGURATION_SECURITY: "Manage Security Configuration"
diff --git a/pages/admin/config.md b/pages/admin/config.md
index 12f822d9..4bd61cd8 100644
--- a/pages/admin/config.md
+++ b/pages/admin/config.md
@@ -3,7 +3,5 @@
 title: Config
 expires: 0
 access:
- admin.configuration.system: true
- admin.configuration.site: true
- admin.super: true
+ admin.login: true
 ---
diff --git a/permissions.yaml b/permissions.yaml
index e0db534d..c6b48441 100644
--- a/permissions.yaml
+++ b/permissions.yaml
@@ -24,6 +24,8 @@ actions:
 label: PLUGIN_ADMIN.ACCESS_ADMIN_CONFIGURATION_SITE
 media:
 label: PLUGIN_ADMIN.ACCESS_ADMIN_CONFIGURATION_MEDIA
+ security:
+ label: PLUGIN_ADMIN.ACCESS_ADMIN_CONFIGURATION_SECURITY
 info:
 label: PLUGIN_ADMIN.ACCESS_ADMIN_CONFIGURATION_INFO
 pages:
diff --git a/themes/grav/templates/config.html.twig b/themes/grav/templates/config.html.twig
index 5c9af480..f897e334 100644
--- a/themes/grav/templates/config.html.twig
+++ b/themes/grav/templates/config.html.twig
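Review bot: Replacing the three per-action rules with `admin.login: true` opens the `/admin/config` route to every logged-in admin user; the tab list is filtered by `Admin::configurations(true)`, but a direct request for `config/<name>` still reaches the page for a user who holds none of the `admin.configuration.*` actions, and whether the load/save path enforces the per-tab action is outside this diff. If the broad rule is intended (so plugin-provided tabs need no edit here), that reasoning belongs in the file, e.g. `# Any logged-in user may reach the route; per-tab access is enforced via admin.configuration.<name> in the template and controller, not here.` Otherwise mirror the five actions listed in admin.php plus `admin.super: true` so the route itself stays gated.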
@@ -1,18 +1,17 @@
 {% extends 'partials/base.html.twig' %}
+{% set configurations = admin.configurations(true) %}
 {% set config_slug = uri.basename %}
 {% if config_slug == 'config' %}
- {% set config_slug = authorize(['admin.configuration.system', 'admin.super']) ? 'system' : 'site' %}
+ {% set config_slug = configurations|first %}
 {% endif %}
 {% set isInfo = (config_slug == 'info') %}
 {% set tab_title_string = "PLUGIN_ADMIN." ~ config_slug|upper %}
-{% set tab_title = (tab_title_string|tu == tab_title_string ? config_slug|capitalize : tab_title_string|tu) %}
+{% set tab_title = (tab_title_string|tu == tab_title_string ? config_slug|capitalize : tab_title_string|tu) ?: 'Not Found' %}
 {% set title = "PLUGIN_ADMIN.CONFIGURATION"|tu ~ ": " ~ tab_title %}
-{% set config_ignores = ['scheduler', 'backups'] %}
-
-{% if not isInfo %}
+{% if config_slug and not isInfo %}
 {% set data = admin.data('config/' ~ config_slug) %}
 {% endif %}
@@ -36,49 +35,24 @@
 {% endblock %}
 {% block content_top %}
- {% if data.file.filename %}
+ {% if authorize('admin.super') and data.file.filename %}
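Review bot: `config_slug` still comes straight from `uri.basename` and is only replaced by `configurations|first` when it equals `config`, so a user who lacks `admin.configuration.system` can request `config/system` and the template still loads `admin.data('config/system')` and renders whatever follows, because nothing checks the slug against the ACL-filtered list computed on the line above — unless a later part of the template (outside this hunk) does. Adding `{% if config_slug not in configurations %}{% set config_slug = null %}{% endif %}` right after the first `{% endif %}` drops such a request into the existing `'Not Found'` title path and skips the `admin.data` load, since the `{% if config_slug and not isInfo %}` guard already handles an empty slug. This also covers `info`, which only appears in `configurations` when `admin.configuration.info` is granted.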