diff --git a/web-admin/src/features/authentication/AvatarButton.svelte b/web-admin/src/features/authentication/AvatarButton.svelte
index 9eb678d06e0..cb1b2f2b155 100644
--- a/web-admin/src/features/authentication/AvatarButton.svelte
+++ b/web-admin/src/features/authentication/AvatarButton.svelte
@@ -42,7 +42,7 @@
     />
   </DropdownMenu.Trigger>
   <DropdownMenu.Content>
-    {#if params.organization && params.project && params.dashboard}
+    {#if params.organization && params.project}
       <ProjectAccessControls
         organization={params.organization}
         project={params.project}
@@ -71,16 +71,18 @@
           </DropdownMenu.Sub>
         </svelte:fragment>
       </ProjectAccessControls>
-      <DropdownMenu.Item
-        href={`/${params.organization}/${params.project}/-/alerts`}
-      >
-        Alerts
-      </DropdownMenu.Item>
-      <DropdownMenu.Item
-        href={`/${params.organization}/${params.project}/-/reports`}
-      >
-        Reports
-      </DropdownMenu.Item>
+      {#if params.dashboard}
+        <DropdownMenu.Item
+          href={`/${params.organization}/${params.project}/-/alerts`}
+        >
+          Alerts
+        </DropdownMenu.Item>
+        <DropdownMenu.Item
+          href={`/${params.organization}/${params.project}/-/reports`}
+        >
+          Reports
+        </DropdownMenu.Item>
+      {/if}
     {/if}
 
     <ThemeToggle />
diff --git a/web-admin/src/features/navigation/TopNavigationBar.svelte b/web-admin/src/features/navigation/TopNavigationBar.svelte
index 2ad06decdcc..c5d44e601c1 100644
--- a/web-admin/src/features/navigation/TopNavigationBar.svelte
+++ b/web-admin/src/features/navigation/TopNavigationBar.svelte
@@ -4,6 +4,7 @@
   import ExploreBookmarks from "@rilldata/web-admin/features/bookmarks/ExploreBookmarks.svelte";
   import ShareDashboardPopover from "@rilldata/web-admin/features/dashboards/share/ShareDashboardPopover.svelte";
   import ShareProjectPopover from "@rilldata/web-admin/features/projects/user-management/ShareProjectPopover.svelte";
+  import { createAdminServiceGetProjectWithBearerToken } from "@rilldata/web-admin/features/public-urls/get-project-with-bearer-token";
   import Rill from "@rilldata/web-common/components/icons/Rill.svelte";
   import Breadcrumbs from "@rilldata/web-common/components/navigation/breadcrumbs/Breadcrumbs.svelte";
   import type { PathOption } from "@rilldata/web-common/components/navigation/breadcrumbs/types";
@@ -15,6 +16,7 @@
   import { runtime } from "@rilldata/web-common/runtime-client/runtime-store";
   import {
     createAdminServiceGetCurrentUser,
+    createAdminServiceGetDeploymentCredentials,
     createAdminServiceListOrganizations as listOrgs,
     createAdminServiceListProjectsForOrganization as listProjects,
     type V1Organization,
@@ -69,6 +71,43 @@
   $: onPublicURLPage = isPublicURLPage($page);
   $: onOrgPage = isOrganizationPage($page);
 
+  // When "View As" is active, fetch deployment credentials for the mocked user.
+  // TanStack Query deduplicates by query key, so if the project layout already
+  // ran this query, we get instant cache hits with zero extra network calls.
+  $: mockedUserId = $viewAsUserStore?.id;
+
+  $: mockedCredentialsQuery = createAdminServiceGetDeploymentCredentials(
+    organization,
+    project,
+    { userId: mockedUserId },
+    {
+      query: {
+        enabled: !!mockedUserId && !!organization && !!project,
+      },
+    },
+  );
+
+  $: mockedProjectQuery = createAdminServiceGetProjectWithBearerToken(
+    organization,
+    project,
+    $mockedCredentialsQuery.data?.accessToken ?? "",
+    undefined,
+    {
+      query: {
+        enabled: !!$mockedCredentialsQuery.data?.accessToken,
+      },
+    },
+  );
+
+  // Use effective permissions when "View As" is active (from server)
+  // Otherwise fall back to the props passed from the root layout
+  $: effectiveManageProjectMembers =
+    $mockedProjectQuery.data?.projectPermissions?.manageProjectMembers ??
+    manageProjectMembers;
+  $: effectiveCreateMagicAuthTokens =
+    $mockedProjectQuery.data?.projectPermissions?.createMagicAuthTokens ??
+    createMagicAuthTokens;
+
   $: loggedIn = !!$user.data?.user;
   $: rillLogoHref = !loggedIn ? "https://www.rilldata.com" : "/";
   $: logoUrl = organizationLogoUrl;
@@ -231,7 +270,7 @@
     {/if}
     <!-- NOTE: only project admin and editor can manage project members -->
     <!-- https://docs.rilldata.com/guide/administration/users-and-access/roles-permissions -->
-    {#if onProjectPage && manageProjectMembers}
+    {#if onProjectPage && effectiveManageProjectMembers}
       <ShareProjectPopover
         {organization}
         {project}
@@ -264,7 +303,9 @@
               {#if $alertsFlag}
                 <CreateAlert />
               {/if}
-              <ShareDashboardPopover {createMagicAuthTokens} />
+              <ShareDashboardPopover
+                createMagicAuthTokens={effectiveCreateMagicAuthTokens}
+              />
             {/if}
           </StateManagersProvider>
         {/key}
diff --git a/web-admin/src/features/view-as-user/viewAsUserStore.ts b/web-admin/src/features/view-as-user/viewAsUserStore.ts
index a2f9a0f0fa4..6763bcd0dd4 100644
--- a/web-admin/src/features/view-as-user/viewAsUserStore.ts
+++ b/web-admin/src/features/view-as-user/viewAsUserStore.ts
@@ -1,4 +1,87 @@
-import { writable } from "svelte/store";
+import { writable, get } from "svelte/store";
 import type { V1User } from "../../client";
+import { browser } from "$app/environment";
 
-export const viewAsUserStore = writable<V1User | null>(null);
+const STORAGE_KEY_PREFIX = "rill:viewAsUser:";
+
+function getStorageKey(org: string, project: string): string {
+  return `${STORAGE_KEY_PREFIX}${org}/${project}`;
+}
+
+function createViewAsUserStore() {
+  const store = writable<V1User | null>(null);
+  let currentScope: { org: string; project: string } | null = null;
+
+  return {
+    subscribe: store.subscribe,
+
+    /**
+     * Initialize the store for a specific project scope.
+     * Loads persisted state from sessionStorage if available.
+     */
+    initForProject(org: string, project: string): void {
+      if (!browser) return;
+
+      currentScope = { org, project };
+      const key = getStorageKey(org, project);
+
+      try {
+        const stored = sessionStorage.getItem(key);
+        if (stored) {
+          const user = JSON.parse(stored) as V1User;
+          store.set(user);
+        } else {
+          store.set(null);
+        }
+      } catch {
+        store.set(null);
+      }
+    },
+
+    /**
+     * Set the view-as user for the current project scope.
+     */
+    set(user: V1User | null): void {
+      store.set(user);
+
+      if (!browser || !currentScope) return;
+
+      const key = getStorageKey(currentScope.org, currentScope.project);
+      try {
+        if (user) {
+          sessionStorage.setItem(key, JSON.stringify(user));
+        } else {
+          sessionStorage.removeItem(key);
+        }
+      } catch {
+        // Ignore storage errors
+      }
+    },
+
+    /**
+     * Clear the view-as state (e.g., when navigating away from project).
+     */
+    clear(): void {
+      store.set(null);
+
+      if (!browser || !currentScope) return;
+
+      const key = getStorageKey(currentScope.org, currentScope.project);
+      try {
+        sessionStorage.removeItem(key);
+      } catch {
+        // Ignore storage errors
+      }
+      currentScope = null;
+    },
+
+    /**
+     * Get current value synchronously.
+     */
+    get(): V1User | null {
+      return get(store);
+    },
+  };
+}
+
+export const viewAsUserStore = createViewAsUserStore();
diff --git a/web-admin/src/routes/[organization]/[project]/+layout.svelte b/web-admin/src/routes/[organization]/[project]/+layout.svelte
index 13be2cdfa1a..c983cb6b533 100644
--- a/web-admin/src/routes/[organization]/[project]/+layout.svelte
+++ b/web-admin/src/routes/[organization]/[project]/+layout.svelte
@@ -27,6 +27,7 @@
 </script>
 
 <script lang="ts">
+  import { onNavigate } from "$app/navigation";
   import { page } from "$app/stores";
   import {
     V1DeploymentStatus,
@@ -57,6 +58,7 @@
   import type { CreateQueryOptions } from "@tanstack/svelte-query";
   import { queryClient } from "@rilldata/web-common/lib/svelte-query/globalQueryClient.ts";
   import { getRuntimeServiceListResourcesQueryKey } from "@rilldata/web-common/runtime-client";
+  import { onDestroy } from "svelte";
 
   const user = createAdminServiceGetCurrentUser();
 
@@ -65,6 +67,28 @@
     params: { organization, project, token },
   } = $page);
 
+  // Initialize view-as store for this project scope (loads from sessionStorage)
+  $: if (organization && project) {
+    viewAsUserStore.initForProject(organization, project);
+  }
+
+  // Clear view-as state when navigating to a different project
+  onNavigate(({ from, to }) => {
+    const changedProject =
+      !from ||
+      !to ||
+      from.params?.organization !== to.params?.organization ||
+      from.params?.project !== to.params?.project;
+    if (changedProject) {
+      viewAsUserStore.clear();
+    }
+  });
+
+  // Clear view-as state when unmounting (e.g., navigating to org page)
+  onDestroy(() => {
+    viewAsUserStore.clear();
+  });
+
   $: onProjectPage = isProjectPage($page);
   $: onPublicURLPage = isPublicURLPage($page);
   $: onPublicReportOrAlertPage =
@@ -122,7 +146,34 @@
   $: ({ data: mockedUserDeploymentCredentials } =
     $mockedUserDeploymentCredentialsQuery);
 
+  /**
+   * When "View As" is active, fetch the project using the mocked user's JWT.
+   * This returns the impersonated user's `projectPermissions` from the server.
+   */
+  $: mockedUserProjectQuery = createAdminServiceGetProjectWithBearerToken(
+    organization,
+    project,
+    mockedUserDeploymentCredentials?.accessToken ?? "",
+    undefined,
+    {
+      query: {
+        enabled: !!mockedUserDeploymentCredentials?.accessToken,
+      },
+    },
+  );
+
   $: ({ data: projectData, error: projectError } = $projectQuery);
+
+  /**
+   * Compute effective project permissions.
+   * When "View As" is active, use the impersonated user's permissions (from server).
+   * Otherwise, use the actual user's permissions.
+   */
+  $: effectiveProjectPermissions =
+    mockedUserId && $mockedUserProjectQuery.data?.projectPermissions
+      ? $mockedUserProjectQuery.data.projectPermissions
+      : projectData?.projectPermissions;
+
   $: deploymentStatus = projectData?.deployment?.status;
   // A re-deploy triggers `DEPLOYMENT_STATUS_UPDATING` status. But we can still show the project UI.
   $: isProjectAvailable =
@@ -168,7 +219,7 @@
 
 {#if onProjectPage && deploymentStatus === V1DeploymentStatus.DEPLOYMENT_STATUS_RUNNING}
   <ProjectTabs
-    projectPermissions={projectData.projectPermissions}
+    projectPermissions={effectiveProjectPermissions}
     {organization}
     {pathname}
     {project}
diff --git a/web-admin/src/routes/[organization]/[project]/explore/[dashboard]/+page.svelte b/web-admin/src/routes/[organization]/[project]/explore/[dashboard]/+page.svelte
index 07538000e80..3a163422d99 100644
--- a/web-admin/src/routes/[organization]/[project]/explore/[dashboard]/+page.svelte
+++ b/web-admin/src/routes/[organization]/[project]/explore/[dashboard]/+page.svelte
@@ -5,7 +5,6 @@
   import { getHomeBookmarkExploreState } from "@rilldata/web-admin/features/bookmarks/selectors";
   import DashboardBuilding from "@rilldata/web-common/features/dashboards/DashboardBuilding.svelte";
   import DashboardErrored from "@rilldata/web-admin/features/dashboards/DashboardErrored.svelte";
-  import { viewAsUserStore } from "@rilldata/web-admin/features/view-as-user/viewAsUserStore";
   import {
     DashboardBannerID,
     DashboardBannerPriority,
@@ -82,7 +81,6 @@
   );
 
   onNavigate(({ from, to }) => {
-    viewAsUserStore.set(null);
     errorStore.reset();
 
     const changedDashboard =