diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/GroupController.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/GroupController.java
index 4062ec080..6ebe985c6 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/GroupController.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/GroupController.java
@@ -4,6 +4,7 @@
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.annotation.Secured;
 import org.springframework.stereotype.Controller;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.web.bind.annotation.DeleteMapping;
@@ -25,6 +26,7 @@ public class GroupController {
     @Autowired
     private IGroupService groupService;
 
+    @Secured("ROLE_ADMIN")
     @PostMapping
     @Transactional
     public ResponseEntity<?> create(@RequestBody Group group) {
@@ -45,6 +47,7 @@ public ResponseEntity<?> create(@RequestBody Group group) {
         return ResponseEntity.status(HttpStatus.CREATED).body(result);
     }
 
+    @Secured("ROLE_ADMIN")
     @PutMapping
     @Transactional
     public ResponseEntity<?> update(@RequestBody Group group) {
@@ -85,7 +88,8 @@ public ResponseEntity<?> getOne(@PathVariable String resourceId) {
         }
         return ResponseEntity.ok(g);
     }
-
+    
+    @Secured("ROLE_ADMIN")
     @DeleteMapping("/{resourceId}")
     @Transactional
     public ResponseEntity<?> delete(@PathVariable String resourceId) {