diff --git a/src/Controller/ConfigController.php b/src/Controller/ConfigController.php
index 9e76378c..61f62ae5 100644
--- a/src/Controller/ConfigController.php
+++ b/src/Controller/ConfigController.php
@@ -18,6 +18,7 @@
 
 use Pimcore\Controller\UserAwareController;
 use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Event\ControllerEvent;
 use Symfony\Component\Routing\Annotation\Route;
 use Symfony\Component\Routing\RouterInterface;
 
@@ -40,6 +41,11 @@ public function __construct(private RouterInterface $router)
         $this->router = $router;
     }
 
+    public function onKernelControllerEvent(ControllerEvent $event): void
+    {
+        $this->checkPermission('bundle_ecommerce_back-office_order');
+    }
+
     /**
      * @Route("/js-config", name="pimcore_ecommerceframework_config_jsconfig", methods={"GET"})
      *
diff --git a/src/Controller/FindologicController.php b/src/Controller/FindologicController.php
index 372770af..d022f115 100644
--- a/src/Controller/FindologicController.php
+++ b/src/Controller/FindologicController.php
@@ -19,6 +19,7 @@
 use Pimcore\Controller\FrontendController;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Event\ControllerEvent;
 
 /**
  * Class FindologicController
@@ -29,6 +30,11 @@
  */
 class FindologicController extends FrontendController
 {
+    public function onKernelControllerEvent(ControllerEvent $event): void
+    {
+        $this->checkPermission('bundle_ecommerce_back-office_order');
+    }
+
     /**
      * create xml output for findologic
      */
diff --git a/src/Controller/IndexController.php b/src/Controller/IndexController.php
index 4a815e6c..298cb9fb 100644
--- a/src/Controller/IndexController.php
+++ b/src/Controller/IndexController.php
@@ -24,6 +24,7 @@
 use Symfony\Component\EventDispatcher\GenericEvent;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Event\ControllerEvent;
 use Symfony\Component\Routing\Annotation\Route;
 use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
 use Symfony\Contracts\Translation\TranslatorInterface;
@@ -39,6 +40,12 @@ class IndexController extends UserAwareController
 {
     use JsonHelperTrait;
 
+    public function onKernelControllerEvent(ControllerEvent $event): void
+    {
+        $this->checkPermission('bundle_ecommerce_back-office_order');
+    }
+
+
     /**
      * @Route("/get-filter-groups", name="pimcore_ecommerceframework_index_getfiltergroups", methods={"GET"})
      *
diff --git a/src/Controller/VoucherController.php b/src/Controller/VoucherController.php
index 7a1e7e34..cdf3f53f 100644
--- a/src/Controller/VoucherController.php
+++ b/src/Controller/VoucherController.php
@@ -55,6 +55,8 @@ public function __construct(TokenStorageUserResolver $tokenStorageUserResolver,
 
     public function onKernelControllerEvent(ControllerEvent $event): void
     {
+        $this->checkPermission('bundle_ecommerce_pricing_rules');
+
         // set language
         $user = $this->tokenResolver->getUser();