diff --git a/uw_cfg_common.module b/uw_cfg_common.module
index e5ff0eb86dcbad2709c5a91b4644d825283e083f..c5f83d95731e047bb6b2f5de93c80fe3dd7dfd10 100644
--- a/uw_cfg_common.module
+++ b/uw_cfg_common.module
@@ -750,6 +750,56 @@ function uw_cfg_common_block_content_create_access(AccountInterface $account, ar
   return AccessResult::neutral();
 }
 
+/**
+ * Implements hook_ENTITY_TYPE_access() for webform entities.
+ */
+function uw_cfg_common_webform_access(WebformInterface $webform, string $operation, AccountInterface $account): AccessResult {
+  // Always allow access for Form editor so they can see the forms they create.
+  if ($account->hasPermission('create webform')) {
+    return AccessResult::neutral();
+  }
+
+  // Allow access to submissions for Form results access.
+  if ($account->hasPermission('view any webform submission') && $operation === 'submission_view_any') {
+    return AccessResult::neutral();
+  }
+
+  switch ($webform->getThirdPartySetting('uw_cfg_common', 'access_control_method')) {
+    case 'anon':
+      if (!$account->isAnonymous()) {
+        return AccessResult::forbidden();
+      }
+      break;
+
+    case 'auth':
+      if (!$account->isAuthenticated()) {
+        return AccessResult::forbidden();
+      }
+      break;
+
+    case 'group':
+      // Must be authenticated for group auth.
+      if (!$account->isAuthenticated()) {
+        return AccessResult::forbidden();
+      }
+      // Access control by Active Directory group.
+      $user_ad_groups = uw_cfg_common_get_user_ad_groups() ?: [];
+      // Required group. If at least one is provided, the user must be in it.
+      $ad_require_groups = $webform->getThirdPartySetting('uw_cfg_common', 'ad_require_groups');
+      if ($ad_require_groups && !array_intersect($ad_require_groups, $user_ad_groups)) {
+        return AccessResult::forbidden();
+      }
+      // Deny group. If at least one is provided, the user must not be in it.
+      $ad_deny_groups = $webform->getThirdPartySetting('uw_cfg_common', 'ad_deny_groups');
+      if ($ad_deny_groups && array_intersect($ad_deny_groups, $user_ad_groups)) {
+        return AccessResult::forbidden();
+      }
+      break;
+  }
+
+  return AccessResult::neutral();
+}
+
 /**
  * Implements hook_views_plugins_field_alter().
  */