diff --git a/src/main/kotlin/dev/fyloz/colorrecipesexplorer/model/EmployeePermission.kt b/src/main/kotlin/dev/fyloz/colorrecipesexplorer/model/EmployeePermission.kt
index 7f1aecc..5124243 100644
--- a/src/main/kotlin/dev/fyloz/colorrecipesexplorer/model/EmployeePermission.kt
+++ b/src/main/kotlin/dev/fyloz/colorrecipesexplorer/model/EmployeePermission.kt
@@ -2,11 +2,10 @@ package dev.fyloz.colorrecipesexplorer.model
 import org.springframework.security.core.GrantedAuthority
 import org.springframework.security.core.authority.SimpleGrantedAuthority
-import java.util.*
 enum class EmployeePermission(
- val impliedPermissions: List = listOf(),
- val deprecated: Boolean = false
+ val impliedPermissions: List = listOf(),
+ val deprecated: Boolean = false
 ) {
 READ_FILE,
 WRITE_FILE(listOf(READ_FILE)),
@@ -35,19 +34,21 @@ enum class EmployeePermission(
 ADD_TO_INVENTORY(listOf(VIEW_CATALOG)),
 DEDUCT_FROM_INVENTORY(listOf(VIEW_RECIPES)),
+ GENERATE_TOUCH_UP_KIT,
 ADMIN(
- listOf(
- EDIT_CATALOG,
+ listOf(
+ EDIT_CATALOG,
- REMOVE_RECIPES,
- REMOVE_USERS,
- REMOVE_CATALOG,
+ REMOVE_RECIPES,
+ REMOVE_USERS,
+ REMOVE_CATALOG,
- PRINT_MIXES,
- ADD_TO_INVENTORY,
- DEDUCT_FROM_INVENTORY
- )
+ PRINT_MIXES,
+ ADD_TO_INVENTORY,
+ DEDUCT_FROM_INVENTORY,
+ GENERATE_TOUCH_UP_KIT
+ )
 ),
 // deprecated permissions
diff --git a/src/main/kotlin/dev/fyloz/colorrecipesexplorer/rest/files/TouchUpKitController.kt b/src/main/kotlin/dev/fyloz/colorrecipesexplorer/rest/files/TouchUpKitController.kt
index 997dbfa..6993025 100644
--- a/src/main/kotlin/dev/fyloz/colorrecipesexplorer/rest/files/TouchUpKitController.kt
+++ b/src/main/kotlin/dev/fyloz/colorrecipesexplorer/rest/files/TouchUpKitController.kt
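Review bot: In EmployeePermission.kt, the new `GENERATE_TOUCH_UP_KIT` constant is declared with no implied permissions and no comment saying what it gates, and in the lines shown the only permission that implies it is `ADMIN`. The same commit makes it the sole authority accepted by `TouchUpKitController`, so any non-admin account that used `/api/touchup` before will presumably be denied until the permission is granted explicitly; that deserves a release note or a data migration. I would add a short comment above the constant, e.g. `// Required by TouchUpKitController (/api/touchup); implied only by ADMIN`. The enum body continues outside the hunk.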
@@ -4,10 +4,12 @@ import dev.fyloz.colorrecipesexplorer.service.files.TouchUpKitService
 import org.springframework.core.io.ByteArrayResource
 import org.springframework.http.MediaType
 import org.springframework.http.ResponseEntity
+import org.springframework.security.access.prepost.PreAuthorize
 import org.springframework.web.bind.annotation.*
 @RestController
 @RequestMapping("/api/touchup")
+@PreAuthorize("hasAuthority('GENERATE_TOUCH_UP_KIT')")
 class TouchUpKitController(
 private val touchUpKitService: TouchUpKitService
 ) {
diff --git a/src/test/kotlin/dev/fyloz/colorrecipesexplorer/service/files/TouchUpKitServiceTest.kt b/src/test/kotlin/dev/fyloz/colorrecipesexplorer/service/files/TouchUpKitServiceTest.kt
index 3e6ad10..4affc53 100644
--- a/src/test/kotlin/dev/fyloz/colorrecipesexplorer/service/files/TouchUpKitServiceTest.kt
+++ b/src/test/kotlin/dev/fyloz/colorrecipesexplorer/service/files/TouchUpKitServiceTest.kt
@@ -19,6 +19,7 @@ private class TouchUpKitServiceTestContext {
 val touchUpKitService = spyk(TouchUpKitServiceImpl(fileService, creProperties))
 val pdfDocumentData = mockk()
 val pdfDocument = mockk {
+ mockkStatic(PdfDocument::toByteArrayResource)
 mockkStatic(PdfDocument::toByteArrayResource)
 every { toByteArrayResource() } returns pdfDocumentData
 }
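Review bot: In TouchUpKitController.kt, the class-level `@PreAuthorize("hasAuthority('GENERATE_TOUCH_UP_KIT')")` is only enforced when method security is switched on in the Spring configuration (`@EnableGlobalMethodSecurity(prePostEnabled = true)` or `@EnableMethodSecurity`), which this diff does not show. Without it the annotation is silently ignored and the `/api/touchup` endpoints stay exactly as reachable as before. The commit also adds no controller test asserting a 403 for a caller who lacks the authority, so that misconfiguration would go unnoticed. The authority is a string literal that presumably has to match the enum constant's name, so a comment such as `// must match EmployeePermission.GENERATE_TOUCH_UP_KIT.name` above the annotation would keep a future rename from breaking the check unnoticed. The class body continues outside the hunk.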
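Review bot: In TouchUpKitServiceTest.kt, the added `mockkStatic(PdfDocument::toByteArrayResource)` sits directly above an identical existing call inside the `pdfDocument` mock block, so the hunk as shown registers the same static mock twice; one of the two lines should be dropped. Nothing visible here undoes the static mock (`unmockkStatic(...)` or `unmockkAll()` in a teardown), so if no cleanup exists elsewhere in the file it can leak into other tests. `TouchUpKitServiceTestContext` continues outside the hunk.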