diff --git a/src/mcvsphere/permissions.py b/src/mcvsphere/permissions.py
index 1fda649..26efbe2 100644
--- a/src/mcvsphere/permissions.py
+++ b/src/mcvsphere/permissions.py
@@ -120,10 +120,11 @@ TOOL_PERMISSIONS: dict[str, PermissionLevel] = {
     "configure_ntp": PermissionLevel.HOST_ADMIN,
     "set_service_policy": PermissionLevel.HOST_ADMIN,
     # ═══════════════════════════════════════════════════════════════════════
-    # FULL_ADMIN - Everything including guest OS and service control (10 tools)
+    # FULL_ADMIN - Everything including guest OS and service control (11 tools)
     # ═══════════════════════════════════════════════════════════════════════
     "start_service": PermissionLevel.FULL_ADMIN,
     "stop_service": PermissionLevel.FULL_ADMIN,
+    "restart_service": PermissionLevel.FULL_ADMIN,
     # Guest OS operations (requires guest credentials, high privilege)
     "run_command_in_guest": PermissionLevel.FULL_ADMIN,
     "list_guest_processes": PermissionLevel.FULL_ADMIN,
@@ -191,9 +192,10 @@ def get_user_permissions(groups: list[str] | None) -> set[PermissionLevel]:
 
     Returns:
         Set of granted permission levels (union of all group permissions).
+        Returns empty set if no recognized groups (deny all access).
     """
     if not groups:
-        return {PermissionLevel.READ_ONLY}
+        return set()  # No groups = no permissions (enforces RBAC)
 
     permissions: set[PermissionLevel] = set()
 
@@ -201,10 +203,7 @@ def get_user_permissions(groups: list[str] | None) -> set[PermissionLevel]:
         if group in GROUP_PERMISSIONS:
             permissions.update(GROUP_PERMISSIONS[group])
 
-    # Default to read-only if no recognized groups
-    if not permissions:
-        permissions.add(PermissionLevel.READ_ONLY)
-
+    # No fallback - unrecognized groups get no permissions
     return permissions