diff --git a/fda-container-service/rest-service/src/main/java/at/tuwien/endpoints/ContainerEndpoint.java b/fda-container-service/rest-service/src/main/java/at/tuwien/endpoints/ContainerEndpoint.java
index 5eec2b16c58e0de6de43737cec4f0c1abea98b03..12612c22e05806d2f4dd3d2dbf3e248b9268489f 100644
--- a/fda-container-service/rest-service/src/main/java/at/tuwien/endpoints/ContainerEndpoint.java
+++ b/fda-container-service/rest-service/src/main/java/at/tuwien/endpoints/ContainerEndpoint.java
@@ -12,7 +12,7 @@ import lombok.extern.log4j.Log4j2;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.transaction.annotation.Transactional;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import javax.validation.Valid;
@@ -37,7 +37,6 @@ public class ContainerEndpoint {
         this.containerService = containerService;
     }
 
-    @Transactional
     @GetMapping
     @ApiOperation(value = "List all containers", notes = "Lists the containers in the metadata database.")
     @ApiResponses({
@@ -52,7 +51,6 @@ public class ContainerEndpoint {
                         .collect(Collectors.toList()));
     }
 
-    @Transactional
     @PostMapping
     @ApiOperation(value = "Creates a new container", notes = "Creates a new container whose image is registered in the metadata database too.")
     @ApiResponses({
@@ -69,9 +67,8 @@ public class ContainerEndpoint {
                 .body(response);
     }
 
-    @Transactional
     @GetMapping("/{id}")
-    @ApiOperation(value = "Get all informations about a container", notes = "Since we follow the REST-principle, this method provides more information than the findAll method.")
+    @ApiOperation(value = "Get all information about a container", notes = "Since we follow the REST-principle, this method provides more information than the findAll method.")
     @ApiResponses({
             @ApiResponse(code = 200, message = "Get information about container."),
             @ApiResponse(code = 401, message = "Not authorized to get information about a container."),
@@ -84,7 +81,6 @@ public class ContainerEndpoint {
                 .body(containerMapper.containerToContainerDto(container));
     }
 
-    @Transactional
     @PutMapping("/{id}")
     @ApiOperation(value = "Change the state of a container", notes = "The new state can only be one of START/STOP.")
     @ApiResponses({
@@ -93,7 +89,8 @@ public class ContainerEndpoint {
             @ApiResponse(code = 401, message = "Not authorized to modify a container."),
             @ApiResponse(code = 404, message = "No container found with this id in metadata database."),
     })
-    public ResponseEntity<ContainerBriefDto> modify(@NotNull @PathVariable Long id, @Valid @RequestBody ContainerChangeDto changeDto)
+    public ResponseEntity<ContainerBriefDto> modify(@NotNull @PathVariable Long id,
+                                                    @Valid @RequestBody ContainerChangeDto changeDto)
             throws ContainerNotFoundException, DockerClientException {
         final Container container;
         if (changeDto.getAction().equals(ContainerActionTypeDto.START)) {
@@ -107,6 +104,7 @@ public class ContainerEndpoint {
 
     @DeleteMapping("/{id}")
     @ApiOperation(value = "Delete a container")
+    @PreAuthorize("hasRole('ROLE_DATA_STEWARD')")
     @ApiResponses({
             @ApiResponse(code = 200, message = "Deleted the container."),
             @ApiResponse(code = 401, message = "Not authorized to delete a container."),
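Review bot: The new `@PreAuthorize("hasRole('ROLE_DATA_STEWARD')")` on the delete handler only takes effect if method security is switched on for the container service, e.g. `@EnableGlobalMethodSecurity(prePostEnabled = true)` on its security configuration; that class is not part of this diff, and without it the annotation is silently ignored. For an authenticated caller a failed role check answers 403 rather than 401, so the `@ApiResponses` list should gain something like `@ApiResponse(code = 403, message = "Role is not allowed to delete a container.")`. The create and modify handlers earlier in this file stay without a role check, which is worth confirming as intended given that they create, start and stop containers. The same enablement and 403 points apply to the `@PreAuthorize` hunks in ImageEndpoint and ContainerDatabaseEndpoint. The handler's signature and body are outside the hunk.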
diff --git a/fda-container-service/rest-service/src/main/java/at/tuwien/endpoints/ImageEndpoint.java b/fda-container-service/rest-service/src/main/java/at/tuwien/endpoints/ImageEndpoint.java
index 53eb0de4b110ddf4ea40bd540b4efbc27339dd88..09f7591ea9cb5e06fe4f189865c82b30a9e1ce48 100644
--- a/fda-container-service/rest-service/src/main/java/at/tuwien/endpoints/ImageEndpoint.java
+++ b/fda-container-service/rest-service/src/main/java/at/tuwien/endpoints/ImageEndpoint.java
@@ -18,7 +18,7 @@ import lombok.extern.log4j.Log4j2;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.transaction.annotation.Transactional;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import javax.validation.Valid;
@@ -42,7 +42,6 @@ public class ImageEndpoint {
         this.imageMapper = imageMapper;
     }
 
-    @Transactional
     @GetMapping
     @ApiOperation(value = "List all images", notes = "Lists the images in the metadata database.")
     @ApiResponses({
@@ -57,8 +56,8 @@ public class ImageEndpoint {
                         .collect(Collectors.toList()));
     }
 
-    @Transactional
     @PostMapping
+    @PreAuthorize("hasRole('DEVELOPER')")
     @ApiOperation(value = "Creates a new image", notes = "Creates a new image in the metadata database.")
     @ApiResponses({
             @ApiResponse(code = 201, message = "Successfully created a new image."),
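Review bot: The role expression here is written `hasRole('DEVELOPER')`, while ContainerEndpoint and ContainerDatabaseEndpoint in the same commit write `hasRole('ROLE_DATA_STEWARD')` and `hasRole('ROLE_DEVELOPER')`. On Spring Security 4 and later `hasRole` adds the `ROLE_` prefix only when it is missing, so both spellings should resolve to the same authority, but mixing them makes a search-based audit of role checks unreliable; pick one form, for example `@PreAuthorize("hasRole('DEVELOPER')")` everywhere. The PUT and DELETE hunks of this file carry the same spelling. It is also worth confirming that the authorities assigned at authentication actually carry the `ROLE_` prefix, since that mapping is not visible here.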
@@ -73,7 +72,6 @@ public class ImageEndpoint {
                 .body(imageMapper.containerImageToImageDto(image));
     }
 
-    @Transactional
     @GetMapping("/{id}")
     @ApiOperation(value = "Get all informations about a image", notes = "Since we follow the REST-principle, this method provides more information than the findAll method.")
     @ApiResponses({
@@ -87,8 +85,8 @@ public class ImageEndpoint {
                 .body(imageMapper.containerImageToImageDto(image));
     }
 
-    @Transactional
     @PutMapping("/{id}")
+    @PreAuthorize("hasRole('DEVELOPER')")
     @ApiOperation(value = "Update image information", notes = "Polls new information about an image")
     @ApiResponses({
             @ApiResponse(code = 202, message = "Updated the information of a image."),
@@ -102,6 +100,7 @@ public class ImageEndpoint {
     }
 
     @DeleteMapping("/{id}")
+    @PreAuthorize("hasRole('DEVELOPER')")
     @ApiOperation(value = "Delete a image")
     @ApiResponses({
             @ApiResponse(code = 200, message = "Deleted the image."),
diff --git a/fda-database-service/rest-service/src/main/java/at/tuwien/endpoints/ContainerDatabaseEndpoint.java b/fda-database-service/rest-service/src/main/java/at/tuwien/endpoints/ContainerDatabaseEndpoint.java
index d30e25c8b248391f4c91d68a2905e477e1e7e292..cca4dca86db0a4864872943ded15141b355deea5 100644
--- a/fda-database-service/rest-service/src/main/java/at/tuwien/endpoints/ContainerDatabaseEndpoint.java
+++ b/fda-database-service/rest-service/src/main/java/at/tuwien/endpoints/ContainerDatabaseEndpoint.java
@@ -14,7 +14,7 @@ import lombok.extern.log4j.Log4j2;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.transaction.annotation.Transactional;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import javax.validation.Valid;
@@ -37,7 +37,6 @@ public class ContainerDatabaseEndpoint {
         this.databaseService = databaseService;
     }
 
-    @Transactional
     @GetMapping
     @ApiOperation(value = "List all databases", notes = "Currently a container supports only databases of the same image, e.g. there is one PostgreSQL engine running with multiple databases inside a container.")
     @ApiResponses({
@@ -52,7 +51,6 @@ public class ContainerDatabaseEndpoint {
         return ResponseEntity.ok(databases);
     }
 
-    @Transactional
     @PostMapping
     @ApiOperation(value = "Creates a new database in a container", notes = "Creates a new database in a container. Note that the backend distincts between numerical (req: categories), nominal (req: max_length) and categorical (req: max_length, siUnit, min, max, mean, median, standard_deviation, histogram) column types.")
     @ApiResponses({
@@ -63,7 +61,7 @@ public class ContainerDatabaseEndpoint {
             @ApiResponse(code = 405, message = "Unable to connect to database within container."),
     })
     public ResponseEntity<DatabaseDto> create(@NotBlank @PathVariable("id") Long id,
-                                                   @Valid @RequestBody DatabaseCreateDto createDto)
+                                              @Valid @RequestBody DatabaseCreateDto createDto)
             throws ImageNotSupportedException, ContainerNotFoundException, DatabaseMalformedException,
             AmqpException, ContainerConnectionException {
         final Database database = databaseService.create(id, createDto);
@@ -71,9 +69,8 @@ public class ContainerDatabaseEndpoint {
                 .body(databaseMapper.databaseToDatabaseDto(database));
     }
 
-    @Transactional
     @GetMapping("/{databaseId}")
-    @ApiOperation(value = "Get all informations about a database")
+    @ApiOperation(value = "Get all information about a database")
     @ApiResponses({
             @ApiResponse(code = 200, message = "The database information is displayed."),
             @ApiResponse(code = 400, message = "The payload contains invalid data."),
@@ -84,7 +81,8 @@ public class ContainerDatabaseEndpoint {
         return ResponseEntity.ok(databaseMapper.databaseToDatabaseDto(databaseService.findById(id, databaseId)));
     }
 
-    @DeleteMapping("/{id}")
+    @DeleteMapping("/{databaseId}")
+    @PreAuthorize("hasRole('ROLE_DEVELOPER') or hasRole('ROLE_DATA_STEWARD')")
     @ApiOperation(value = "Delete a database")
     @ApiResponses({
             @ApiResponse(code = 202, message = "The database was successfully deleted."),
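Review bot: Renaming the mapping to `/{databaseId}` requires the handler parameter to be bound as `@PathVariable("databaseId")`, and the signature lies outside this hunk, so that cannot be checked from here. A leftover `@PathVariable("id")` for the database id would presumably now pick up the container id or fail at request time (inferred from the `findById(id, databaseId)` call in the context line above). The role expression can be shortened to `@PreAuthorize("hasAnyRole('DEVELOPER', 'DATA_STEWARD')")`, which is equivalent and easier to extend.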
diff --git a/fda-database-service/services/src/main/java/at/tuwien/config/WebSecurityConfig.java b/fda-database-service/services/src/main/java/at/tuwien/config/WebSecurityConfig.java
index 84aa080940b6685d609e1f09dd72d1b23a500851..6eca39eaf54418806f17aeb53e16d4c8f7bbf9f3 100644
--- a/fda-database-service/services/src/main/java/at/tuwien/config/WebSecurityConfig.java
+++ b/fda-database-service/services/src/main/java/at/tuwien/config/WebSecurityConfig.java
@@ -57,8 +57,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
         /* set permissions on endpoints */
         http.authorizeRequests()
                 /* our public endpoints */
-                .antMatchers(HttpMethod.GET, "/api/container/**").permitAll()
-                .antMatchers(HttpMethod.GET, "/api/image/**").permitAll()
+                .antMatchers(HttpMethod.GET, "container/**/database/**").permitAll()
                 /* our private endpoints */
                 .anyRequest().authenticated();
         /* add JWT token filter */
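Review bot: The new matcher `"container/**/database/**"` has no leading slash and no `/api` prefix, unlike the two patterns it replaces; an Ant pattern that does not start with `/` does not match a request path that does, so this `permitAll()` rule most likely never applies and every GET falls through to `.anyRequest().authenticated()`. If public read access to databases is intended, the line should read `.antMatchers(HttpMethod.GET, "/api/container/**/database/**").permitAll()` (prefix assumed from the removed lines). The trailing `**` also opens every GET route below `database`, so confirm that nothing nested there is meant to stay private. The enclosing configure method starts and ends outside the hunk.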