diff --git a/ee/app/models/ee/vulnerability.rb b/ee/app/models/ee/vulnerability.rb
index 4435a2ebc67e11d8bcdfe86b1d94f645a292a6ee..df5f403b1ab5a9ad602b6141229ab7b782da51a1 100644
--- a/ee/app/models/ee/vulnerability.rb
+++ b/ee/app/models/ee/vulnerability.rb
@@ -390,6 +390,7 @@ def trigger_false_positive_detection
       return unless sast?
       return unless high_or_critical_severity?
       return unless project.duo_sast_fp_detection_enabled
+      return unless Ability.allowed?(author, :duo_workflow, project)
 
       run_after_commit_or_now do
         ::Vulnerabilities::TriggerFalsePositiveDetectionWorkflowWorker.perform_async(id)
diff --git a/ee/spec/models/ee/vulnerability_spec.rb b/ee/spec/models/ee/vulnerability_spec.rb
index a11e4909f6bca1c4fe32f1449c4e97991f0907a5..95ce33aa4f11b142fcda645019de4cde083f7bc8 100644
--- a/ee/spec/models/ee/vulnerability_spec.rb
+++ b/ee/spec/models/ee/vulnerability_spec.rb
@@ -1575,6 +1575,7 @@
         with_them do
           before do
             project.update!(duo_sast_fp_detection_enabled: duo_sast_fp_detection_enabled)
+            allow(Ability).to receive(:allowed?).with(user, :duo_workflow, project).and_return(true)
           end
 
           it 'triggers or does not trigger false positive detection workflow based on conditions' do
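Review bot: The added `Ability.allowed?(author, :duo_workflow, project)` guard is evaluated once, inside the model callback, while the work it gates is deferred to `::Vulnerabilities::TriggerFalsePositiveDetectionWorkflowWorker.perform_async(id)`; unless the worker performs its own check (not visible here), a permission revoked between enqueue and execution would still run the workflow, so either confirm the worker re-checks or move the check into it. The line also deserves a why-comment, since the three guards above it are about the finding and this one is about the author's permission on the project: `# Only start the workflow if the vulnerability's author holds :duo_workflow on the project`. If `author` can be nil, the guard presumably just returns false and detection is silently skipped, which is worth confirming is intended. `trigger_false_positive_detection` starts before this hunk (only its `def` line appears in the header) and continues past it.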
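Review bot: `allow(Ability).to receive(:allowed?).with(user, :duo_workflow, project).and_return(true)` installs a stub with an argument constraint and no default, so any other `Ability.allowed?` call made while `create(:vulnerability, ...)` runs its callbacks raises an unexpected-arguments error instead of reaching the real policy; the auto_dismiss_service_spec.rb hunk in this same commit adds a blanket default for exactly that reason, and the two new contexts in the next hunk of this file have the same gap. A default that keeps other permission checks real is more robust than a blanket `true`: add `allow(Ability).to receive(:allowed?).and_call_original` before the constrained `.with(...)` stub. The `with_them` block and the `it` example it contains continue past the hunk.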
@@ -1592,6 +1593,37 @@
             create(:vulnerability, report_type, severity, author: user, project: project)
           end
         end
+
+        context 'when author does not have duo_workflow permission' do
+          before do
+            project.update!(duo_sast_fp_detection_enabled: true)
+            allow(Ability).to receive(:allowed?).with(user, :duo_workflow, project).and_return(false)
+          end
+
+          it 'does not trigger false positive detection workflow' do
+            expect(::Vulnerabilities::TriggerFalsePositiveDetectionWorkflowWorker)
+              .not_to receive(:perform_async)
+
+            create(:vulnerability, :sast, :critical, author: user, project: project)
+          end
+        end
+
+        context 'when author has duo_workflow permission' do
+          before do
+            project.update!(duo_sast_fp_detection_enabled: true)
+            allow(Ability).to receive(:allowed?).with(user, :duo_workflow, project).and_return(true)
+          end
+
+          it 'triggers false positive detection workflow for high severity SAST vulnerability' do
+            expect_next_instance_of(::Vulnerability) do |instance|
+              expect(instance).to receive(:run_after_commit_or_now).and_yield
+            end
+            expect(::Vulnerabilities::TriggerFalsePositiveDetectionWorkflowWorker)
+              .to receive(:perform_async).with(anything)
+
+            create(:vulnerability, :sast, :high, author: user, project: project)
+          end
+        end
       end
     end
 
diff --git a/ee/spec/services/vulnerabilities/auto_dismiss_service_spec.rb b/ee/spec/services/vulnerabilities/auto_dismiss_service_spec.rb
index 30245a9d8a9d7dcf7784d8e9671f81a1f24abea9..fce463500a7574c97ea81c909957df5cdb4ccc7e 100644
--- a/ee/spec/services/vulnerabilities/auto_dismiss_service_spec.rb
+++ b/ee/spec/services/vulnerabilities/auto_dismiss_service_spec.rb
@@ -86,6 +86,7 @@
     let(:ability_allowed) { true }
 
     before do
+      allow(Ability).to receive(:allowed?).and_return(true)
       allow(Ability).to receive(:allowed?).with(bot_user, :create_vulnerability_state_transition, project).and_return(ability_allowed)
     end
 
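Review bot: The `'when author has duo_workflow permission'` context repeats what the `with_them` table above already covers once its `before` stubs `:duo_workflow` to true, so it adds little beyond the table's positive rows; the negative context is the valuable addition. Both new contexts still exercise only a stubbed `Ability.allowed?`, so nothing here shows the real policy returns false for a user who lacks the permission — one example with an unstubbed `Ability` and a user who is not allowed `:duo_workflow` on `project` would cover the policy side of the guard rather than just the `return unless` line. The enclosing `describe` starts before the hunk; the trailing `end` lines close blocks opened outside it.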
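Review bot: `allow(Ability).to receive(:allowed?).and_return(true)` makes every permission check the service performs succeed by default, so any check other than `:create_vulnerability_state_transition` that the service performs now or gains later is never exercised by this spec and an authorization regression there would pass silently. If the default exists only to avoid the unexpected-arguments error from the constrained stub on the next line, `allow(Ability).to receive(:allowed?).and_call_original` gives the same protection while keeping the other checks real; the more specific `.with(bot_user, ...)` stub still takes precedence when its arguments match. The `before` block's enclosing `describe`/`context` starts before the hunk.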