diff --git a/src/controllers/product/group-controller.ts b/src/controllers/product/group-controller.ts
index 0968394..d3dff29 100644
--- a/src/controllers/product/group-controller.ts
+++ b/src/controllers/product/group-controller.ts
@@ -35,14 +35,15 @@ type ProductGroupUpdate = {
 
 @Route("api/v1/product-group")
 @Tags("Product Group")
-@Security("keycloak")
 export class ProductGroup extends Controller {
   @Get("stats")
+  @Security("keycloak")
   async getProductGroupStats() {
     return await prisma.productGroup.count();
   }
 
   @Get()
+  @Security("keycloak")
   async getProductGroup(
     @Query() query: string = "",
     @Query() status?: Status,
@@ -110,6 +111,7 @@ export class ProductGroup extends Controller {
   }
 
   @Get("{groupId}")
+  @Security("keycloak")
   async getProductGroupById(@Path() groupId: string) {
     const record = await prisma.productGroup.findFirst({
       where: { id: groupId },
@@ -126,6 +128,7 @@ export class ProductGroup extends Controller {
   }
 
   @Post()
+  @Security("keycloak", ["system", "head_of_admin", "admin", "accountant"])
   async createProductGroup(@Request() req: RequestWithUser, @Body() body: ProductGroupCreate) {
     const record = await prisma.$transaction(
       async (tx) => {
@@ -163,6 +166,7 @@ export class ProductGroup extends Controller {
   }
 
   @Put("{groupId}")
+  @Security("keycloak", ["system", "head_of_admin", "admin", "accountant"])
   async editProductGroup(
     @Request() req: RequestWithUser,
     @Body() body: ProductGroupUpdate,
@@ -189,6 +193,7 @@ export class ProductGroup extends Controller {
   }
 
   @Delete("{groupId}")
+  @Security("keycloak", ["system", "head_of_admin", "admin", "accountant"])
   async deleteProductGroup(@Path() groupId: string) {
     const record = await prisma.productGroup.findFirst({ where: { id: groupId } });
 
diff --git a/src/controllers/product/type-controller.ts b/src/controllers/product/type-controller.ts
index 8e13c90..8f6e2b6 100644
--- a/src/controllers/product/type-controller.ts
+++ b/src/controllers/product/type-controller.ts
@@ -37,7 +37,6 @@ type ProductTypeUpdate = {
 
 @Route("api/v1/product-type")
 @Tags("Product Type")
-@Security("keycloak")
 export class ProductType extends Controller {
   @Get("stats")
   async getProductTypeStats() {
@@ -45,6 +44,7 @@ export class ProductType extends Controller {
   }
 
   @Get()
+  @Security("keycloak")
   async getProductType(
     @Query() query: string = "",
     @Query() productGroupId?: string,
@@ -87,6 +87,7 @@ export class ProductType extends Controller {
   }
 
   @Get("{typeId}")
+  @Security("keycloak", ["system", "head_of_admin", "admin", "accountant"])
   async getProductTypeById(@Path() typeId: string) {
     const record = await prisma.productType.findFirst({
       where: { id: typeId },
@@ -103,6 +104,7 @@ export class ProductType extends Controller {
   }
 
   @Post()
+  @Security("keycloak", ["system", "head_of_admin", "admin", "accountant"])
   async createProductType(@Request() req: RequestWithUser, @Body() body: ProductTypeCreate) {
     const productGroup = await prisma.productGroup.findFirst({
       where: { id: body.productGroupId },
@@ -159,6 +161,7 @@ export class ProductType extends Controller {
   }
 
   @Put("{typeId}")
+  @Security("keycloak", ["system", "head_of_admin", "admin", "accountant"])
   async editProductType(
     @Request() req: RequestWithUser,
     @Body() body: ProductTypeUpdate,
@@ -207,6 +210,7 @@ export class ProductType extends Controller {
   }
 
   @Delete("{typeId}")
+  @Security("keycloak", ["system", "head_of_admin", "admin", "accountant"])
   async deleteProductType(@Path() typeId: string) {
     const record = await prisma.productType.findFirst({ where: { id: typeId } });