diff --git a/MoviesWebApp/src/main/java/at/technikumwien/movies/MovieResource.java b/MoviesWebApp/src/main/java/at/technikumwien/movies/MovieResource.java
index da4b50d..76abf4f 100644
--- a/MoviesWebApp/src/main/java/at/technikumwien/movies/MovieResource.java
+++ b/MoviesWebApp/src/main/java/at/technikumwien/movies/MovieResource.java
@@ -11,7 +11,6 @@ import java.net.URI;
 import java.util.List;
 
 @Path("/movie")
-@RolesAllowed("MoviesUserRole")
 public class MovieResource {
     @Inject
     private MoviesService moviesService;
@@ -24,6 +23,7 @@ public class MovieResource {
         MediaType.APPLICATION_JSON,
         MediaType.APPLICATION_XML
     })
+    @RolesAllowed("MSRead")
     public List retrieveAll() {
         return moviesService.findAll();
     }
@@ -33,6 +33,7 @@ public class MovieResource {
         MediaType.APPLICATION_JSON,
         MediaType.APPLICATION_XML
     })
+    @RolesAllowed("MSRead")
     @Path("/{id}")
     public Movie retrieve(@PathParam("id") long id) {
         return moviesService.findById(id);
@@ -40,6 +41,7 @@ public class MovieResource {
 
     @DELETE
     @Path("/{id}")
+    @RolesAllowed("MSWrite")
     public void delete(@PathParam("id") long id) {
         moviesService.removeById(id);
     }
@@ -49,6 +51,7 @@ public class MovieResource {
         MediaType.APPLICATION_JSON,
         MediaType.APPLICATION_XML
     })
+    @RolesAllowed("MSWrite")
     public Response create(Movie movie) {
         movie.setId(null); // Make sure that a new movie is added, not overwriting existing one
         List newMovies = moviesService.save(List.of(movie));
@@ -64,6 +67,7 @@ public class MovieResource {
         MediaType.APPLICATION_XML
     })
     @Path("/{id}")
+    @RolesAllowed("MSWrite")
     public void update(@PathParam("id") long id, Movie movie) {
         movie.setId(id); // Make sure that a new movie is added, not overwriting existing one
         moviesService.save(List.of(movie));
diff --git a/MoviesWebApp/src/main/java/at/technikumwien/movies/MovieSecurityConfig.java b/MoviesWebApp/src/main/java/at/technikumwien/movies/MovieSecurityConfig.java
index 7bca2c7..3e6d7f5 100644
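Review bot: Removing the class-level `@RolesAllowed` in the first hunk (`@@ -11,7 +11,6`) turns the resource's default from deny-unless-role into unchecked: depending on how the container enforces these annotations, any method of MovieResource that carries no `@RolesAllowed` of its own — including one added later without it — is no longer covered by a role check. The same removal is made in MoviesService (`@@ -14,7 +14,6`) and StudioResource (`@@ -11,7 +11,6`). Keeping a class-level `@RolesAllowed({"MSRead", "MSWrite"})` (or `@DenyAll`, where the container honours it on a type) and letting the per-method annotations narrow it restores a fail-closed default; under the JSR 250 rules a method-level annotation overrides the class-level one, so the MSRead/MSWrite split introduced here is unaffected.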
--- a/MoviesWebApp/src/main/java/at/technikumwien/movies/MovieSecurityConfig.java
+++ b/MoviesWebApp/src/main/java/at/technikumwien/movies/MovieSecurityConfig.java
@@ -7,8 +7,8 @@ import javax.security.enterprise.identitystore.DatabaseIdentityStoreDefinition;
 
 @BasicAuthenticationMechanismDefinition(realmName = "MoviesWebApp")
 @DeclareRoles({
-    "MoviesAdminRole",
-    "MoviesUerRole"
+    "MSRead",
+    "MSWrite"
 })
 @DatabaseIdentityStoreDefinition(
     dataSourceLookup = "java:jboss/datasources/MoviesDS",
diff --git a/MoviesWebApp/src/main/java/at/technikumwien/movies/MoviesService.java b/MoviesWebApp/src/main/java/at/technikumwien/movies/MoviesService.java
index dc182de..4332981 100644
--- a/MoviesWebApp/src/main/java/at/technikumwien/movies/MoviesService.java
+++ b/MoviesWebApp/src/main/java/at/technikumwien/movies/MoviesService.java
@@ -14,7 +14,6 @@ import java.util.logging.Logger;
 
 @Stateless
 @TransactionManagement(value=TransactionManagementType.CONTAINER)
-@RolesAllowed("MoviesUserRole")
 public class MoviesService {
 
     private static final Logger LOGGER = Logger.getLogger(MoviesService.class.getName());
@@ -27,6 +26,7 @@ public class MoviesService {
     @Inject
     private SecurityContext securityContext;
 
+    @RolesAllowed("MSRead")
     public Movie findById(long id) {
 
         LOGGER.info("findById() >> id=" + id);
@@ -38,6 +38,7 @@ public class MoviesService {
         return movie;
     }
 
+    @RolesAllowed("MSRead")
     public List findByTitle(String title) {
 
         LOGGER.info("findByTitle() >> title=" + title);
@@ -46,6 +47,7 @@ public class MoviesService {
             .getResultList();
     }
 
+    @RolesAllowed("MSRead")
     public List findAll() {
 
         LOGGER.info("findAll()");
@@ -56,6 +58,7 @@ public class MoviesService {
             .getResultList();
     }
 
+    @RolesAllowed("MSWrite")
     public void removeById(long id) {
 
         LOGGER.info("removeById() >> id=" + id);
@@ -63,6 +66,7 @@ public class MoviesService {
         em.remove(movie); //managed news required
     }
 
+    @RolesAllowed("MSRead")
     public List findAllActors() {
 
         LOGGER.info("findAllActors)");
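Review bot: The role names in the `@DeclareRoles` hunk of MovieSecurityConfig are string literals that have to match byte-for-byte the `@RolesAllowed` values in MovieResource, MoviesService and StudioResource and the `rolename` rows in security-data.sql; the declaration being replaced shows exactly that kind of drift (`"MoviesUerRole"` against the `"MoviesUserRole"` the annotations used), and this change copies the literals onto every annotated method. Defining them once, e.g. `public final class Roles { public static final String READ = "MSRead"; public static final String WRITE = "MSWrite"; }`, and writing `@DeclareRoles({Roles.READ, Roles.WRITE})` and `@RolesAllowed(Roles.READ)` makes a mismatch a compile error instead of a request that is rejected, or accepted, only at runtime.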
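Review bot: The read methods of MoviesService (`findById` in `@@ -27,6 +26,7` and the `find*` hunks that follow) accept only `MSRead`, so a principal holding just `MSWrite` may call `save` and `removeById` but cannot read back what it wrote; the seed data compensates by granting moviesadmin both roles, and the TODO in security-data.sql proposes a database trigger to keep that in sync. That rule belongs in the authorization annotations rather than in a trigger: `@RolesAllowed({"MSRead", "MSWrite"})` on the read methods, and on the GET endpoints in MovieResource and StudioResource, makes write imply read in one place and leaves the grant table holding only the roles a user was actually given. The body of `findById` continues past the hunk.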
@@ -70,6 +74,7 @@ public class MoviesService {
             .getResultList();
     }
 
+    @RolesAllowed("MSRead")
     public List findAllStudios() {
 
         LOGGER.info("findAllStudios)");
@@ -77,6 +82,7 @@ public class MoviesService {
             .getResultList();
     }
 
+    @RolesAllowed("MSRead")
     public Studio findStudioById(long id) {
 
         LOGGER.info("findStudioById() >> id=" + id);
@@ -88,8 +94,8 @@ public class MoviesService {
         return studio;
     }
 
-    // TODO maybe check if the movie already exists?
     @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
+    @RolesAllowed("MSWrite")
     public List save(List movies) {
 
         try {
diff --git a/MoviesWebApp/src/main/java/at/technikumwien/movies/StudioResource.java b/MoviesWebApp/src/main/java/at/technikumwien/movies/StudioResource.java
index 6685a84..b4579f7 100644
--- a/MoviesWebApp/src/main/java/at/technikumwien/movies/StudioResource.java
+++ b/MoviesWebApp/src/main/java/at/technikumwien/movies/StudioResource.java
@@ -11,7 +11,6 @@ import java.net.URI;
 import java.util.List;
 
 @Path("/studio")
-@RolesAllowed("MoviesUserRole")
 public class StudioResource {
     @Inject
     private MoviesService moviesService;
@@ -24,6 +23,7 @@ public class StudioResource {
         MediaType.APPLICATION_JSON,
         MediaType.APPLICATION_XML
     })
+    @RolesAllowed("MSRead")
     public List retrieveAll() {
         return moviesService.findAllStudios();
     }
@@ -34,6 +34,7 @@ public class StudioResource {
         MediaType.APPLICATION_XML
     })
     @Path("/{id}")
+    @RolesAllowed("MSRead")
     public Studio retrieve(@PathParam("id") long id) {
         return moviesService.findStudioById(id);
     }
diff --git a/MoviesWebApp/src/main/resources/META-INF/sql/security-data.sql b/MoviesWebApp/src/main/resources/META-INF/sql/security-data.sql
index 35d38a2..2a514b3 100644
--- a/MoviesWebApp/src/main/resources/META-INF/sql/security-data.sql
+++ b/MoviesWebApp/src/main/resources/META-INF/sql/security-data.sql
@@ -24,8 +24,11 @@ CREATE TABLE t_user_role (
 INSERT INTO t_user (id, username, password) VALUES (1, 'moviesadmin', SHA2('topsecret', 512));
 INSERT INTO t_user (id, username, password) VALUES (2, 'moviesuser', SHA2('topsecret', 512));
 
-INSERT INTO t_role (id, rolename) VALUES (1, 'MoviesAdminRole');
-INSERT INTO t_role (id, rolename) VALUES (2, 'MoviesUserRole');
+INSERT INTO t_role (id, rolename) VALUES (1, 'MSWrite');
+INSERT INTO t_role (id, rolename) VALUES (2, 'MSRead');
 
-INSERT INTO t_user_role (id, userid, roleid) VALUES (1, 1, 1);
-INSERT INTO t_user_role (id, userid, roleid) VALUES (2, 2, 2);
\ No newline at end of file
+-- TODO: Would be nice to add a trigger which automatically adds MSWrite users into MSRead
+
+INSERT INTO t_user_role (id, userid, roleid) VALUES (1, 1, 1); -- Admin can write
+INSERT INTO t_user_role (id, userid, roleid) VALUES (2, 1, 2); -- Admin can read
+INSERT INTO t_user_role (id, userid, roleid) VALUES (3, 2, 2); -- User can read
\ No newline at end of file
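Review bot: The new `t_user_role` rows grant roles by bare positional ids while the `t_role` ids a few lines above are reassigned in the same hunk — `id 1` changes meaning from MoviesAdminRole to MSWrite and `id 2` from MoviesUserRole to MSRead — so what each grant means depends on the insert order above it, and a later renumbering silently changes who can write; the trailing `-- Admin can write` comments are the only thing stating the intent. Selecting the ids by name makes the grant self-describing and survives renumbering, e.g. `INSERT INTO t_user_role (id, userid, roleid) SELECT 1, u.id, r.id FROM t_user u, t_role r WHERE u.username = 'moviesadmin' AND r.rolename = 'MSWrite';` for each of the three rows (the dialect implied by `SHA2()` supports `INSERT ... SELECT`).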