diff --git a/server/middleware/rbac.js b/server/middleware/rbac.js
index 021f6ee..57e4e34 100644
--- a/server/middleware/rbac.js
+++ b/server/middleware/rbac.js
@@ -126,6 +126,11 @@ const hasPermission = (userRole, permission) => {
 * @returns {boolean} - True if user has permission
 */
 const checkPermission = (userRole, resource, action) => {
+ // Normalize inputs to lowercase for case-insensitive comparison
+ const normalizedRole = userRole ? userRole.toLowerCase() : '';
+ const normalizedResource = resource ? resource.toLowerCase() : '';
+ const normalizedAction = action ? action.toLowerCase() : '';
+
 // Map common actions to our permission system
 const actionMap = {
 'read': 'view',
@@ -149,11 +154,11 @@ const checkPermission = (userRole, resource, action) => {
 'ui_customization': 'branding'
 };
- const mappedResource = resourceMap[resource] || resource;
- const mappedAction = actionMap[action] || action;
+ const mappedResource = resourceMap[normalizedResource] || normalizedResource;
+ const mappedAction = actionMap[normalizedAction] || normalizedAction;
 const permission = `${mappedResource}.${mappedAction}`;
- return hasPermission(userRole, permission);
+ return hasPermission(normalizedRole, permission);
 };
 /**
@@ -167,14 +172,14 @@ const requirePermission = (resource, action) => {
 if (!req.user || !req.user.role) {
 return res.status(403).json({
 success: false,
- message: 'Access denied - no user role'
+ message: 'Insufficient permissions'
 });
 }
 if (!checkPermission(req.user.role, resource, action)) {
 return res.status(403).json({
 success: false,
- message: 'Access denied - insufficient permissions'
+ message: 'Insufficient permissions'
 });
 }
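Review bot: The normalization added at the top of `checkPermission` guards only on truthiness, so a truthy non-string `req.user.role` (an object or array in a malformed or attacker-shaped token claim — `requirePermission` only checks `!req.user.role`) reaches `.toLowerCase()` and throws a TypeError out of the middleware instead of yielding a 403; use `const normalizedRole = typeof userRole === 'string' ? userRole.toLowerCase() : '';` and the same `typeof` guard for `resource` and `action`. Be aware that `toLowerCase()` folds by Unicode rules rather than ASCII (U+212A KELVIN SIGN becomes `k`), so if role strings can be produced outside this service, comparing folded values widens what matches — rejecting non-ASCII roles before folding keeps the comparison tight. The `''` fallback is fail-closed only if `hasPermission` returns false for an unknown role; that function is defined before this hunk, so I can't confirm it here. Because the folding lives in `checkPermission`, any direct caller of `hasPermission` still compares case-sensitively; moving the normalization into `hasPermission` would keep the two entry points consistent. `checkPermission`'s body continues past the end of the first hunk into the second.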