diff --git a/src/main/java/aplus/insurancesystem/common/config/SecurityConfig.java b/src/main/java/aplus/insurancesystem/common/config/SecurityConfig.java
index 20eb894..100e66a 100644
--- a/src/main/java/aplus/insurancesystem/common/config/SecurityConfig.java
+++ b/src/main/java/aplus/insurancesystem/common/config/SecurityConfig.java
@@ -1,5 +1,6 @@
 package aplus.insurancesystem.common.config;
+import java.util.Arrays;
 import java.util.List;
 import org.springframework.context.annotation.Bean;
@@ -14,6 +15,7 @@
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
@@ -21,6 +23,8 @@
 import aplus.insurancesystem.common.security.AplusAccessDeniedHandler;
 import aplus.insurancesystem.common.security.AplusAuthenticationFailureHandler;
 import aplus.insurancesystem.common.security.AplusAuthenticationSuccessHandler;
+import aplus.insurancesystem.common.security.RoleToPath;
+import aplus.insurancesystem.domain.customer.entity.customer.Role;
 @Configuration
 @EnableWebSecurity
@@ -55,10 +59,13 @@ public AuthenticationEntryPoint authenticationEntryPoint() {
 public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 http
 .authorizeHttpRequests((auth) -> auth
-// .requestMatchers("/customer/**").hasRole(Role.CUSTOMER.name())
-// .requestMatchers("/admin").hasRole(Role.ADMIN.name())
- .requestMatchers("/**").permitAll()
- .anyRequest().authenticated()
+ .requestMatchers(
+ Arrays.stream(RoleToPath.ADMIN_URL.values())
+ .map(path -> new AntPathRequestMatcher(path.getUrl(), path.getMethod()))
+ .toArray(AntPathRequestMatcher[]::new)
+ ).hasRole(Role.ADMIN.name())
+ .requestMatchers("/**").permitAll()
+ .anyRequest().authenticated()
 )
 .csrf(AbstractHttpConfigurer::disable)
 .cors((cors) -> cors
diff --git a/src/main/java/aplus/insurancesystem/common/security/RoleToPath.java b/src/main/java/aplus/insurancesystem/common/security/RoleToPath.java
index d4f6b53..abc1709 100644
--- a/src/main/java/aplus/insurancesystem/common/security/RoleToPath.java
+++ b/src/main/java/aplus/insurancesystem/common/security/RoleToPath.java
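Review bot: The re-added `.requestMatchers("/**").permitAll()` still precedes `.anyRequest().authenticated()`, so every request that is not one of the `RoleToPath.ADMIN_URL` method/path pairs — including the `/customer/**` routes the deleted comment meant to restrict to `Role.CUSTOMER` — is served anonymously, and the `anyRequest()` rule is dead code. That turns the admin list into a deny-list inside a default-allow policy: an admin endpoint missing from the enum, one added later, or an existing path hit with a method the enum does not name (e.g. `PATCH` on `/api/insurances/{id}`, where only `PUT` and `DELETE` are listed) is public by default. Prefer default-deny: keep the admin matchers first, replace `.requestMatchers("/**").permitAll()` with an explicit list of the genuinely public paths (login, registration, static assets), and let `.anyRequest().authenticated()` catch everything else. Note also that `hasRole(Role.ADMIN.name())` only matches an authority literally named `ROLE_ADMIN`, which cannot be confirmed from this hunk, and that `filterChain` continues past the hunk (the `.cors(...)` call is left open).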
@@ -1,11 +1,37 @@
 package aplus.insurancesystem.common.security;
+import static org.springframework.http.HttpMethod.*;
+
+import lombok.Getter;
+import lombok.RequiredArgsConstructor;
+
 public class RoleToPath {
- private static final String CUSTOMER_URL = "/customers";
- private static final String INSURANCE_URL = "/insurances";
- private static final String TERMS_URL = "/terms";
- private static final String CONTRACT_URL = "/contracts";
- private static final String PAYMENT_URL = "/payments";
- private static final String INSURANCE_APPLICATION_URL = "/insurance-applications";
+ private static final String BASE_URL = "/api";
+
+ private static final String CUSTOMER_URL = BASE_URL + "/customers";
+ private static final String INSURANCE_URL = BASE_URL + "/insurances";
+ private static final String INSURANCE_APPLICATION_URL = BASE_URL + "/insurance-applications";
+ private static final String SURVEY_URL = BASE_URL + "/survey";
+ private static final String COMPENSATION_CLAIM = BASE_URL + "/compensation-claim";
+
+ @Getter
+ @RequiredArgsConstructor
+ public enum ADMIN_URL {
+ CUSTOMER_GRANT_AUTHORITY(CUSTOMER_URL + "/{id}/admin", GET.name()),
+ CUSTOMER_ALL(CUSTOMER_URL + "/all", GET.name()),
+ CUSTOMER_CONTRACT_MAINTENANCE(CUSTOMER_URL + "/contract-maintenance", GET.name()),
+ INSURANCE_DESIGN(INSURANCE_URL + "/design", POST.name()),
+ INSURANCE_REGISTER(INSURANCE_URL + "/{id}/register", POST.name()),
+ INSURANCE_MODIFY(INSURANCE_URL + "/{id}", PUT.name()),
+ INSURANCE_DELETE(INSURANCE_URL + "/{id}", DELETE.name()),
+ SURVEY(SURVEY_URL + "/{ccid}", POST.name()),
+ COMPENSATION_CLAIM_ALL(COMPENSATION_CLAIM + "/all", GET.name()),
+ INSURANCE_APPLICATION(INSURANCE_APPLICATION_URL, GET.name()),
+ INSURANCE_APPLICATION_APPROVAL(INSURANCE_APPLICATION_URL + "/{id}/approval", POST.name()),
+ INSURANCE_APPLICATION_REJECTION(INSURANCE_APPLICATION_URL + "/{id}/rejection", POST.name());
+
+ private final String url;
+ private final String method;
+ }
 }
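Review bot: `CUSTOMER_GRANT_AUTHORITY` records a privilege-granting operation (`/api/customers/{id}/admin`) as `GET`; if the controller really changes the customer's role on a GET, the action can be triggered by a cross-site link or image, will be cached and logged by proxies, and CSRF protection is disabled in `SecurityConfig` in any case, so it should be a state-changing method in both the controller and this entry, `CUSTOMER_GRANT_AUTHORITY(CUSTOMER_URL + "/{id}/admin", POST.name())`. Because `SecurityConfig` matches on the exact method stored here, any drift between this enum and the controller mappings silently leaves an endpoint unprotected, which is worth a test that walks `ADMIN_URL.values()` against the registered request mappings, or at least a comment on the enum saying it must be kept in sync. Style: `ADMIN_URL` is a type and should be `AdminUrl`, and `method` could hold `HttpMethod` instead of `GET.name()` strings, which would also remove the wildcard `import static ...HttpMethod.*`. A one-line Javadoc on the enum, such as `/** Method + path pairs that SecurityConfig restricts to ROLE_ADMIN; keep in sync with the controllers. */`, would document the contract.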