diff --git a/AsbCloudWebApi/Controllers/AdminUserRoleController.cs b/AsbCloudWebApi/Controllers/AdminUserRoleController.cs index 34bca745..b608ee17 100644 --- a/AsbCloudWebApi/Controllers/AdminUserRoleController.cs +++ b/AsbCloudWebApi/Controllers/AdminUserRoleController.cs @@ -2,6 +2,7 @@ using AsbCloudApp.Services; using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; +using System.Threading.Tasks; namespace AsbCloudWebApi.Controllers { @@ -13,6 +14,22 @@ namespace AsbCloudWebApi.Controllers public AdminUserRoleController(IUserRoleService service) :base(service) { + InsertForbidAsync = (role, token) => + { + return Task.FromResult(role?.IdType == 1); + }; + + UpdateForbidAsync = async (id, _, token) => + { + var role = await service.GetAsync(id, token); + return role?.IdType == 1; + }; + + DeleteForbidAsync = async (id, token) => + { + var role = await service.GetAsync(id, token); + return role?.IdType == 1; + }; } } } diff --git a/AsbCloudWebApi/Controllers/CrudController.cs b/AsbCloudWebApi/Controllers/CrudController.cs index c5d4d926..8f2181ab 100644 --- a/AsbCloudWebApi/Controllers/CrudController.cs +++ b/AsbCloudWebApi/Controllers/CrudController.cs @@ -6,6 +6,7 @@ using System.Threading; using System.Linq; using System.Threading.Tasks; using System.Collections.Generic; +using System; // For more information on enabling Web API for empty projects, visit https://go.microsoft.com/fwlink/?LinkID=397860 namespace AsbCloudWebApi.Controllers @@ -23,7 +24,9 @@ namespace AsbCloudWebApi.Controllers { protected readonly TService service; - public List Roles { get; } = new List { "Администратор" }; + public Func> InsertForbidAsync { get; protected set; } = null; + public Func> UpdateForbidAsync { get; protected set; } = null; + public Func> DeleteForbidAsync { get; protected set; } = null; public CrudController(TService service) { 
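Review bot: `UpdateForbidAsync` in the `AdminUserRoleController` constructor discards the incoming DTO (`_`) and tests only the stored role, so a PUT that sets `IdType` to 1 on a role currently of another type is not refused, although `InsertForbidAsync` refuses creating such a role. If `IdType == 1` marks roles that must not be created or edited through this controller (inferred from the three checks), name the parameter and test both: `return role?.IdType == 1 || value?.IdType == 1;`. The literal `1` appears three times with no explanation; a named constant with a one-line comment on what that role type is would make the rule reviewable. When `GetAsync` returns null, `role?.IdType == 1` is false, so a missing id is passed on to the service rather than rejected here.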
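Review bot: The three `*ForbidAsync` properties added to `CrudController` carry no XML documentation, and the convention that a `true` result means "refuse the request" cannot be read from their signatures. They stand in for the role check that this commit removes from the actions, so each deserves a `///` summary, e.g. `/// <summary>Returns true when the insert must be refused; null disables the check.</summary>`. They are also `public` with a `protected set`; unless something outside the class hierarchy reads them, `protected` would keep these authorization hooks off the controller's public surface.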
@@ -36,11 +39,9 @@ namespace AsbCloudWebApi.Controllers /// CancellationToken /// все записи [HttpGet("all")] - public virtual async Task>> GetAll(CancellationToken token = default) + [Permission] + public virtual async Task>> GetAllAsync(CancellationToken token = default) { - if (!Roles.Any(role => User.IsInRole(role))) - return Forbid(); - var result = await service.GetAllAsync(token).ConfigureAwait(false); return Ok(result); } @@ -52,11 +53,9 @@ namespace AsbCloudWebApi.Controllers /// /// запись [HttpGet("{id}")] - public virtual async Task> Get(int id, CancellationToken token = default) + [Permission] + public virtual async Task> GetAsync(int id, CancellationToken token = default) { - if (!Roles.Any(role => User.IsInRole(role))) - return Forbid(); - var result = await service.GetAsync(id, token).ConfigureAwait(false); return Ok(result); } @@ -68,11 +67,12 @@ namespace AsbCloudWebApi.Controllers /// /// id [HttpPost] + [Permission] [ProducesResponseType(typeof(int), (int)System.Net.HttpStatusCode.OK)] - public virtual async Task Insert([FromBody] T value, CancellationToken token = default) + public virtual async Task InsertAsync([FromBody] T value, CancellationToken token = default) { - if (!Roles.Any(role => User.IsInRole(role))) - return Forbid(); + if (InsertForbidAsync is not null && await InsertForbidAsync(value, token)) + Forbid(); var result = await service.InsertAsync(value, token).ConfigureAwait(false); return Ok(result); 
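Review bot: In `InsertAsync` the new guard calls `Forbid();` without `return`, so the `ForbidResult` is discarded and execution continues to `service.InsertAsync` even when `InsertForbidAsync` returns true. The removed lines used `return Forbid();` and the new check needs the same: `if (InsertForbidAsync is not null && await InsertForbidAsync(value, token)) return Forbid();`. The `UpdateAsync` and `DeleteAsync` hunks drop the result in the same way, which leaves the `IdType == 1` rules set in `AdminUserRoleController` without effect. A controller test asserting a `ForbidResult` and no service call when the delegate returns true would catch this; the method's closing brace lies outside the hunk.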
@@ -86,11 +86,12 @@ namespace AsbCloudWebApi.Controllers /// /// 1 - успешно отредактировано, 0 - нет [HttpPut("{id}")] + [Permission] [ProducesResponseType(typeof(int), (int)System.Net.HttpStatusCode.OK)] - public virtual async Task Put(int id, [FromBody] T value, CancellationToken token = default) + public virtual async Task UpdateAsync(int id, [FromBody] T value, CancellationToken token = default) { - if (!Roles.Any(role => User.IsInRole(role))) - return Forbid(); + if (UpdateForbidAsync is not null && await UpdateForbidAsync(id, value, token)) + Forbid(); var result = await service.UpdateAsync(id, value, token).ConfigureAwait(false); if (result == 0) @@ -106,10 +107,10 @@ namespace AsbCloudWebApi.Controllers /// 1 - успешно удалено, 0 - нет [HttpDelete("{id}")] [ProducesResponseType(typeof(int), (int)System.Net.HttpStatusCode.OK)] - public virtual async Task Delete(int id, CancellationToken token = default) + public virtual async Task DeleteAsync(int id, CancellationToken token = default) { - if (!Roles.Any(role => User.IsInRole(role))) - return Forbid(); + if (DeleteForbidAsync is not null && await DeleteForbidAsync(id, token)) + Forbid(); var result = await service.DeleteAsync(id, token).ConfigureAwait(false); return Ok(result);
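Review bot: `DeleteAsync` loses its `User.IsInRole` check but, unlike the other four actions in this commit, does not receive `[Permission]`; its attribute list in this hunk is still only `[HttpDelete("{id}")]` and `[ProducesResponseType]`. Unless an authorization attribute on the class (outside the visible hunks) covers it, delete is left with no permission check, and the only remaining guard is a `Forbid();` whose result is not returned. Add `[Permission]` above the method and change the guard to `return Forbid();`. The method's closing brace is outside the hunk.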