diff --git a/src/controllers/04-invoice-controller.ts b/src/controllers/04-invoice-controller.ts
index 2033898..5902521 100644
--- a/src/controllers/04-invoice-controller.ts
+++ b/src/controllers/04-invoice-controller.ts
@@ -38,8 +38,6 @@ const MANAGE_ROLES = [
 "branch_admin",
 "branch_manager",
 "branch_accountant",
- "head_of_sale",
- "sale",
 ];
 function globalAllow(user: RequestWithUser["user"]) {
@@ -195,7 +193,7 @@ export class InvoiceController extends Controller {
 @Post()
 @OperationId("createInvoice")
- @Security("keycloak", MANAGE_ROLES)
+ @Security("keycloak", MANAGE_ROLES.concat(["head_of_sale", "sale"]))
 async createInvoice(@Request() req: RequestWithUser, @Body() body: InvoicePayload) {
 const [quotation] = await prisma.$transaction([
 prisma.quotation.findUnique({
diff --git a/src/controllers/05-payment-controller.ts b/src/controllers/05-payment-controller.ts
index 01b4c31..196054f 100644
--- a/src/controllers/05-payment-controller.ts
+++ b/src/controllers/05-payment-controller.ts
@@ -35,8 +35,6 @@ const MANAGE_ROLES = [
 "branch_admin",
 "branch_manager",
 "branch_accountant",
- "head_of_sale",
- "sale",
 ];
 function globalAllow(user: RequestWithUser["user"]) {
@@ -112,7 +110,7 @@ export class QuotationPayment extends Controller {
 }
 @Put("{paymentId}")
- @Security("keycloak")
+ @Security("keycloak", MANAGE_ROLES.concat(["head_of_sale", "sale"]))
 async updatePayment(
 @Path() paymentId: string,
 @Body() body: { amount?: number; date?: Date; paymentStatus?: PaymentStatus },
diff --git a/src/controllers/05-quotation-controller.ts b/src/controllers/05-quotation-controller.ts
index ccce491..63a0b17 100644
--- a/src/controllers/05-quotation-controller.ts
+++ b/src/controllers/05-quotation-controller.ts
@@ -155,8 +155,6 @@ const MANAGE_ROLES = [
 "branch_admin",
 "branch_manager",
 "branch_accountant",
- "head_of_sale",
- "sale",
 ];
 function globalAllow(user: RequestWithUser["user"]) {
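Review bot: The scope list on `createInvoice` in 04-invoice-controller.ts is now the call expression `MANAGE_ROLES.concat(["head_of_sale", "sale"])`, and the same expression is repeated on `updatePayment` in 05-payment-controller.ts and on `createQuotation` and `editQuotation` in 05-quotation-controller.ts. These look like tsoa decorators; if that is the generator in use, it reads `@Security` arguments from the source rather than evaluating them, so a method call may not resolve to the intended list. Please confirm that the generated routes and spec carry every role for these four endpoints and not an empty or missing scope list. A second plain array literal declared beside `MANAGE_ROLES` that spells out every permitted role (the start of `MANAGE_ROLES` is outside the hunk) and is referenced as `@Security("keycloak", SALE_MANAGE_ROLES)` would be easier to resolve statically and to audit. It would also keep the four call sites from drifting apart.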
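Review bot: On `updatePayment` in 05-payment-controller.ts the role list is the only authorization visible, and the request body lets the caller set `amount` and `paymentStatus`, so `head_of_sale` and `sale` accounts can change the recorded amount or status of whichever `paymentId` they supply. The handler body is outside the hunk, so it is not visible whether it checks that the payment belongs to the caller's branch or limits which fields sales roles may write. If it does not, that check belongs in the handler, since the decorator is only a coarse gate. The same question applies to `editQuotation` in 05-quotation-controller.ts, which moves from `@Security("keycloak")` to the same list. A one-line comment above each decorator stating why sales roles are admitted on these write endpoints would make the intent reviewable.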
@@ -418,7 +416,7 @@ export class QuotationController extends Controller {
 }
 @Post()
- @Security("keycloak", MANAGE_ROLES)
+ @Security("keycloak", MANAGE_ROLES.concat(["head_of_sale", "sale"]))
 async createQuotation(@Request() req: RequestWithUser, @Body() body: QuotationCreate) {
 const ids = {
 employee: body.worker.filter((v) => typeof v === "string"),
@@ -669,7 +667,7 @@ export class QuotationController extends Controller {
 }
 @Put("{quotationId}")
- @Security("keycloak")
+ @Security("keycloak", MANAGE_ROLES.concat(["head_of_sale", "sale"]))
 async editQuotation(
 @Request() req: RequestWithUser,
 @Path() quotationId: string,