diff --git a/demo/src/main/java/com/example/demo/configuration/SecurityConfiguration.java b/demo/src/main/java/com/example/demo/configuration/SecurityConfiguration.java
index 547e73e..a16e4f7 100644
--- a/demo/src/main/java/com/example/demo/configuration/SecurityConfiguration.java
+++ b/demo/src/main/java/com/example/demo/configuration/SecurityConfiguration.java
@@ -16,7 +16,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
 @Configuration
 @EnableWebSecurity
-@EnableGlobalMethodSecurity(securedEnabled = true)
+@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
 public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
 private final Logger log = LoggerFactory.getLogger(SecurityConfiguration.class);
 private static final String LOGIN_URL = "/login";
diff --git a/demo/src/main/java/com/example/demo/supply/Order/OrderMvcController.java b/demo/src/main/java/com/example/demo/supply/Order/OrderMvcController.java
index 0e75409..9952476 100644
--- a/demo/src/main/java/com/example/demo/supply/Order/OrderMvcController.java
+++ b/demo/src/main/java/com/example/demo/supply/Order/OrderMvcController.java
@@ -4,6 +4,8 @@ import com.example.demo.supply.Product.ProductDto;
 import com.example.demo.supply.Product.ProductService;
 import com.example.demo.supply.Supplier.SupplierDto;
 import com.example.demo.supply.Supplier.SupplierService;
+import com.example.demo.supply.User.UserRole;
+import org.springframework.security.access.annotation.Secured;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.validation.BindingResult;
@@ -55,6 +57,7 @@ public class OrderMvcController {
 }
 @GetMapping("/add")
+@Secured({UserRole.AsString.ADMIN})
 public String addOrder(Model model) {
 model.addAttribute("orderDto", new OrderDtoForCreate());
 model.addAttribute("selectedSupplier", null);
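Review bot: `prePostEnabled = true` is switched on in the SecurityConfiguration hunk, but no `@PreAuthorize`/`@PostAuthorize` appears anywhere on the new side of this diff — ProductMvcController gains an import of `PreAuthorize` that its changed methods never use, and the role checks added there are written by hand instead. Either apply the annotation where the check is needed or leave the flag off until it is, so the configuration does not advertise a mechanism nothing relies on; the `@Secured` annotations added to OrderMvcController are covered by `securedEnabled`, which was already on. `@EnableGlobalMethodSecurity` is deprecated from Spring Security 5.6 in favour of `@EnableMethodSecurity`, where pre/post annotations are enabled by default, but whether that applies depends on the project's Spring Security version, which the diff does not show. The class body continues outside the hunk.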
@@ -64,6 +67,7 @@ public class OrderMvcController {
 }
 @PostMapping("/create")
+@Secured({UserRole.AsString.ADMIN})
 public String saveOrder(Model model,
 @ModelAttribute("orderDto") @Valid OrderDtoForCreate order,
 BindingResult bindingResult) {
diff --git a/demo/src/main/java/com/example/demo/supply/Product/ProductMvcController.java b/demo/src/main/java/com/example/demo/supply/Product/ProductMvcController.java
index fabb9af..8496f7e 100644
--- a/demo/src/main/java/com/example/demo/supply/Product/ProductMvcController.java
+++ b/demo/src/main/java/com/example/demo/supply/Product/ProductMvcController.java
@@ -1,11 +1,16 @@
 package com.example.demo.supply.Product;
+import com.example.demo.supply.User.UserRole;
+import org.springframework.security.access.annotation.Secured;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.core.Authentication;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.validation.BindingResult;
 import org.springframework.web.bind.annotation.*;
 import javax.validation.Valid;
+import java.security.Principal;
 @Controller
 @RequestMapping("/product")
@@ -25,36 +30,49 @@ public class ProductMvcController {
 @GetMapping(value = {"/edit", "/edit/{id}"})
 public String editProduct(@PathVariable(required = false) Long id,
-Model model) {
-if (id == null || id <= 0) {
-model.addAttribute("productDto", new ProductDto());
-} else {
-model.addAttribute("productId", id);
-model.addAttribute("productDto", new ProductDto(productService.findProduct(id)));
+Model model, Principal principal) {
+String roleName = ((Authentication)principal).getAuthorities().toArray()[0].toString();
+if(UserRole.ADMIN.toString().equals(roleName)) {
+if (id == null || id <= 0) {
+model.addAttribute("productDto", new ProductDto());
+} else {
+model.addAttribute("productId", id);
+model.addAttribute("productDto", new ProductDto(productService.findProduct(id)));
+}
+return "product-edit";
 }
-return "product-edit";
+else return "redirect:/product";
 }
 @PostMapping(value = {"", "/{id}"})
 public String saveProduct(@PathVariable(required = false) Long id,
 @ModelAttribute @Valid ProductDto productDto,
 BindingResult bindingResult,
-Model model) {
-if (bindingResult.hasErrors()) {
-model.addAttribute("errors", bindingResult.getAllErrors());
-return "product-edit";
+Model model,
+Principal principal) {
+String roleName = ((Authentication)principal).getAuthorities().toArray()[0].toString();
+if(UserRole.ADMIN.toString().equals(roleName)) {
+if (bindingResult.hasErrors()) {
+model.addAttribute("errors", bindingResult.getAllErrors());
+return "product-edit";
+}
+if (id == null || id <= 0) {
+productService.addProduct(productDto.getName(), productDto.getCost());
+} else {
+productService.updateProduct(id, productDto.getName(), productDto.getCost());
+}
+return "redirect:/product";
 }
-if (id == null || id <= 0) {
-productService.addProduct(productDto.getName(), productDto.getCost());
-} else {
-productService.updateProduct(id, productDto.getName(), productDto.getCost());
-}
-return "redirect:/product";
+else return "redirect:/product";
 }
 @PostMapping("/delete/{id}")
-public String deleteProduct(@PathVariable Long id) {
-productService.deleteProduct(id);
-return "redirect:/product";
+public String deleteProduct(@PathVariable Long id, Principal principal) {
+String roleName = ((Authentication)principal).getAuthorities().toArray()[0].toString();
+if(UserRole.ADMIN.toString().equals(roleName)) {
+productService.deleteProduct(id);
+return "redirect:/product";
+}
+else return "redirect:/product";
 }
 }
diff --git a/demo/src/main/java/com/example/demo/supply/User/UserMvcController.java b/demo/src/main/java/com/example/demo/supply/User/UserMvcController.java
index e716000..c7366df 100644
--- a/demo/src/main/java/com/example/demo/supply/User/UserMvcController.java
+++ b/demo/src/main/java/com/example/demo/supply/User/UserMvcController.java
@@ -2,6 +2,7 @@ package com.example.demo.supply.User;
 import org.springframework.data.domain.Page;
 import org.springframework.security.access.annotation.Secured;
+import org.springframework.security.core.Authentication;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -9,6 +10,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
+import java.security.Principal;
 import java.util.List;
 import java.util.stream.IntStream;
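Review bot: The role check added to editProduct, saveProduct and deleteProduct, `((Authentication)principal).getAuthorities().toArray()[0].toString()`, inspects only the first granted authority, refuses a user whose ADMIN authority is not first, and throws (a 500, not a denial) when `principal` is null or the authority list is empty — the same pattern is added to UserMvcController.getUsers later in this diff. Whether `UserRole.ADMIN.toString()` matches the authority's string form (for instance with a `ROLE_` prefix) cannot be confirmed from the diff, and the denied branch of saveProduct and deleteProduct returns the same `"redirect:/product"` as success, so a refused write is indistinguishable from an accepted one to the caller and to logs. `securedEnabled` is already on and OrderMvcController in this same commit uses `@Secured({UserRole.AsString.ADMIN})`; the same annotation here fails closed with Spring Security's own 403 handling, removes the `Principal` parameter, and lets the unused `PreAuthorize` import go. The shape for deleteProduct is below; editProduct and saveProduct take the same annotation with their original bodies restored.
```java
    @PostMapping("/delete/{id}")
    @Secured({UserRole.AsString.ADMIN})
    public String deleteProduct(@PathVariable Long id) {
        productService.deleteProduct(id);
        return "redirect:/product";
    }
    // … editProduct and saveProduct: same annotation, Principal parameter and roleName check dropped, original bodies kept …
```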
@@ -22,19 +24,26 @@ public class UserMvcController {
 }
 @GetMapping
-@Secured({UserRole.AsString.ADMIN})
 public String getUsers(@RequestParam(defaultValue = "1") int page,
 @RequestParam(defaultValue = "5") int size,
-Model model) {
-final Page users = userService.findAllPages(page, size)
-.map(UserDto::new);
-model.addAttribute("users", users);
-final int totalPages = users.getTotalPages();
-final List pageNumbers = IntStream.rangeClosed(1, totalPages)
-.boxed()
-.toList();
-model.addAttribute("pages", pageNumbers);
-model.addAttribute("totalPages", totalPages);
-return "users";
+Model model, Principal principal) {
+
+String roleName = ((Authentication)principal).getAuthorities().toArray()[0].toString();
+if(UserRole.ADMIN.toString().equals(roleName)) {
+final Page users = userService.findAllPages(page, size)
+.map(UserDto::new);
+model.addAttribute("users", users);
+final int totalPages = users.getTotalPages();
+final List pageNumbers = IntStream.rangeClosed(1, totalPages)
+.boxed()
+.toList();
+model.addAttribute("pages", pageNumbers);
+model.addAttribute("totalPages", totalPages);
+return "users";
+}
+else{
+model.addAttribute("error", "Доступ запрещен");
+return "error";
+}
 }
 }
diff --git a/demo/src/main/resources/templates/default.html b/demo/src/main/resources/templates/default.html
index 2d87939..6c8bde5 100644
--- a/demo/src/main/resources/templates/default.html
+++ b/demo/src/main/resources/templates/default.html
@@ -42,6 +42,7 @@ Выход () +
diff --git a/demo/src/main/resources/templates/error.html b/demo/src/main/resources/templates/error.html
new file mode 100644
index 0000000..4926361
--- /dev/null
+++ b/demo/src/main/resources/templates/error.html
@@ -0,0 +1,14 @@ + + + + + \ No newline at end of file
diff --git a/demo/src/main/resources/templates/product.html b/demo/src/main/resources/templates/product.html
index 7add966..8fdaece 100644
--- a/demo/src/main/resources/templates/product.html
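Review bot: Removing `@Secured({UserRole.AsString.ADMIN})` from getUsers replaces a fail-closed 403 with a hand-written check that, on denial, renders the `error` view with a 200 status and the hard-coded literal `"Доступ запрещен"`, so clients and monitoring see a successful response and Spring Security's access-denied handling is bypassed. The cast `(Authentication)principal` also throws rather than denies when no principal is bound, unless the security configuration outside this diff already forces authentication for this path. Keeping the annotation and, if a friendlier page is wanted, pointing the framework at it in SecurityConfiguration (`exceptionHandling().accessDeniedPage("/error")`) gives the same page without the controller carrying the policy; the message itself would then live in a message bundle rather than a string literal in the controller. The first-authority check shares the defect raised on ProductMvcController.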
+++ b/demo/src/main/resources/templates/product.html
@@ -1,6 +1,8 @@
@@ -31,11 +33,11 @@
- Изменить -