diff --git a/src/controllers/customer-controller.ts b/src/controllers/customer-controller.ts
index 2b55fa4..f97ca6d 100644
--- a/src/controllers/customer-controller.ts
+++ b/src/controllers/customer-controller.ts
@@ -117,9 +117,9 @@ function imageLocation(id: string) {
 
 @Route("api/v1/customer")
 @Tags("Customer")
-@Security("keycloak")
 export class CustomerController extends Controller {
   @Get("type-stats")
+  @Security("keycloak")
   async stat() {
     const list = await prisma.customer.groupBy({
       by: "customerType",
@@ -139,6 +139,7 @@ export class CustomerController extends Controller {
   }
 
   @Get()
+  @Security("keycloak")
   async list(
     @Query() customerType?: CustomerType,
     @Query() query: string = "",
@@ -203,6 +204,7 @@ export class CustomerController extends Controller {
   }
 
   @Get("{customerId}")
+  @Security("keycloak")
   async getById(@Path() customerId: string) {
     const record = await prisma.customer.findFirst({
       include: {
@@ -230,6 +232,7 @@ export class CustomerController extends Controller {
   }
 
   @Post()
+  @Security("keycloak", ["system", "head_of_admin", "admin", "head_of_sale", "sale"])
   async create(@Request() req: RequestWithUser, @Body() body: CustomerCreate) {
     const { customerBranch, ...payload } = body;
 
@@ -341,6 +344,7 @@ export class CustomerController extends Controller {
   }
 
   @Put("{customerId}")
+  @Security("keycloak", ["system", "head_of_admin", "admin", "head_of_sale", "sale"])
   async editById(
     @Path() customerId: string,
     @Request() req: RequestWithUser,
@@ -500,6 +504,7 @@ export class CustomerController extends Controller {
   }
 
   @Delete("{customerId}")
+  @Security("keycloak", ["system", "head_of_admin", "admin", "head_of_sale", "sale"])
   async deleteById(@Path() customerId: string) {
     const record = await prisma.customer.findFirst({ where: { id: customerId } });