diff --git a/src/main/java/de/ozgcloud/admin/security/SecurityConfiguration.java b/src/main/java/de/ozgcloud/admin/security/SecurityConfiguration.java
index 568d79a76fc6268d93b7ecc2e172ae9625d40ed1..7f5568322485399f5b65854febd831d248f2b961 100644
--- a/src/main/java/de/ozgcloud/admin/security/SecurityConfiguration.java
+++ b/src/main/java/de/ozgcloud/admin/security/SecurityConfiguration.java
@@ -54,6 +54,8 @@ public class SecurityConfiguration {
 
 		http.authorizeHttpRequests(requests -> requests
 				.requestMatchers(HttpMethod.GET, "/api/environment").permitAll()
+				.requestMatchers("/api/configuration/settings").hasRole("ADMIN_ADMIN")
+				.requestMatchers("/api/configuration/settings/**").hasRole("ADMIN_ADMIN")
 				.requestMatchers("/api").authenticated()
 				.requestMatchers("/api/**").authenticated()
 				.requestMatchers("/actuator").permitAll()
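Review bot: The two new `hasRole("ADMIN_ADMIN")` matchers are only effective because they sit ahead of the `/api/**` `.authenticated()` catch-all two lines below, and nothing in the code records that; a comment such as `// must stay ahead of the /api/** rule: matchers are evaluated in declaration order` would keep a later reorder from silently downgrading the settings endpoints to merely-authenticated. The role literal is duplicated across the two lines; a `private static final String ROLE_ADMIN_ADMIN = "ADMIN_ADMIN";` would keep them in step and give the authority mapping a single name to point at. `hasRole` matches the granted authority `ROLE_ADMIN_ADMIN`, and the JWT-to-authority conversion that has to produce that prefix is not part of this hunk, so it is worth confirming it does. The enclosing bean method begins before the hunk and the `authorizeHttpRequests` lambda continues after it.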
diff --git a/src/test/java/de/ozgcloud/admin/security/SecurityConfigurationITCase.java b/src/test/java/de/ozgcloud/admin/security/SecurityConfigurationITCase.java
index d8bf3dcae4e6b88a078fa58c860d8365bb77ae60..e9fb3386f80bf1d210b16ad0ec28daf38295937e 100644
--- a/src/test/java/de/ozgcloud/admin/security/SecurityConfigurationITCase.java
+++ b/src/test/java/de/ozgcloud/admin/security/SecurityConfigurationITCase.java
@@ -33,6 +33,7 @@ import org.junit.jupiter.params.provider.ValueSource;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.ResultActions;
 
@@ -46,9 +47,9 @@ class SecurityConfigurationITCase {
 	@Autowired
 	private MockMvc mockMvc;
 
-	@DisplayName("without authorization")
+	@DisplayName("without authentication")
 	@Nested
-	class TestWithoutAuthorization {
+	class TestWithoutAuthentication {
 
 		@DisplayName("allow for not found")
 		@SneakyThrows
@@ -132,9 +133,9 @@ class SecurityConfigurationITCase {
 		}
 	}
 
-	@DisplayName("with authorization")
+	@DisplayName("with authentication")
 	@Nested
-	class TestWithAuthorization {
+	class TestWithAuthentication {
 
 		static final String CLAIMS = """
 				{
@@ -147,7 +148,7 @@ class SecurityConfigurationITCase {
 		@ValueSource(strings = {
 				"/api/environment",
 				"/configserver/name/profile",
-				"/api", "/api/configuration", "/api/configuration/settings",
+				"/api", "/api/configuration"
 		})
 		@WithJwt(CLAIMS)
 		void shouldAllow(String path) {
@@ -156,9 +157,31 @@ class SecurityConfigurationITCase {
 			result.andExpect(status().isOk());
 		}
 
+		@Test
+		@SneakyThrows
+		@WithJwt(CLAIMS)
+		void shouldForbid() {
+			var result = doPerformAuthenticated("/api/configuration/settings");
+
+			result.andExpect(status().isForbidden());
+		}
+
 		@SneakyThrows
 		private ResultActions doPerformAuthenticated(String path) {
 			return mockMvc.perform(get(path));
 		}
 	}
+
+	@DisplayName("with admin role")
+	@Nested
+	class TestWithAdminRole {
+		@Test
+		@SneakyThrows
+		@WithMockUser(roles = "ADMIN_ADMIN")
+		void shouldAllow() {
+			var result = mockMvc.perform(get("/api/configuration/settings"));
+
+			result.andExpect(status().isOk());
+		}
+	}
 }
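Review bot: `TestWithAdminRole.shouldAllow` authenticates with `@WithMockUser(roles = "ADMIN_ADMIN")`, which injects a ready-made `ROLE_ADMIN_ADMIN` authority and bypasses the JWT-to-authority conversion that real requests go through, so the test passes even if a token's role claim is never mapped to that authority. Every other test in this class uses `@WithJwt(CLAIMS)`; a second claims document carrying the admin role (its shape depends on the converter, so mirror the existing `CLAIMS` block) used with `@WithJwt` would exercise the real mapping. The negative case `shouldForbid` covers only the exact path `/api/configuration/settings`, leaving the `/api/configuration/settings/**` rule untested; a `@ParameterizedTest` with `@ValueSource(strings = {"/api/configuration/settings", "/api/configuration/settings/some-key"})` (second path constructed as an example) in both the forbid and the allow case would pin both rules. `TestWithAdminRole` also skips `@SneakyThrows`-free `doPerformAuthenticated` style used by its sibling class; reusing the same helper would keep the nested classes uniform.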