diff --git a/src/main/java/org/isf/config/SecurityConfig.java b/src/main/java/org/isf/config/SecurityConfig.java
index d48fda58..063b076b 100644
--- a/src/main/java/org/isf/config/SecurityConfig.java
+++ b/src/main/java/org/isf/config/SecurityConfig.java
@@ -305,6 +305,10 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 .requestMatchers(HttpMethod.GET, "/reports/**").hasAnyAuthority("reports.read")
 .requestMatchers(HttpMethod.PUT, "/reports/**").hasAuthority("reports.update")
 .requestMatchers(HttpMethod.DELETE, "/reports/**").hasAuthority("reports.delete")
+ // Settings
+ .requestMatchers(HttpMethod.GET, "/settings/**").hasAnyAuthority("settings.read")
+ .requestMatchers(HttpMethod.PUT, "/settings/**").hasAuthority("settings.update")
+ .requestMatchers(HttpMethod.POST, "/settings/**").hasAuthority("settings.update")
 // sms
 .requestMatchers(HttpMethod.POST, "/sms/**").hasAuthority("sms.create")
 .requestMatchers(HttpMethod.GET, "/sms/**").hasAnyAuthority("sms.read")
@@ -340,10 +344,6 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 .requestMatchers(HttpMethod.GET, "/wards/**").hasAnyAuthority("wards.read")
 .requestMatchers(HttpMethod.PUT, "/wards/**").hasAuthority("wards.update")
 .requestMatchers(HttpMethod.DELETE, "/wards/**").hasAuthority("wards.delete")
- // Settings
- .requestMatchers(HttpMethod.GET, "/settings/**").hasAnyAuthority("settings.read")
- .requestMatchers(HttpMethod.PUT, "/settings/**").hasAuthority("settings.update")
- .requestMatchers(HttpMethod.POST, "/settings/**").hasAuthority("settings.update")
 .anyRequest().authenticated()
 )
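Review bot: The relocated `/settings/**` matchers in the first hunk cover only GET, PUT and POST, so a DELETE or PATCH request under `/settings/**` matches none of them and falls through to `.anyRequest().authenticated()` at the end of the second hunk, where any logged-in user passes without holding a `settings.*` authority. Whether the settings controller exposes such handlers is not visible from this diff, but the rule set should fail closed rather than depend on that; adding `.requestMatchers("/settings/**").denyAll()` directly after the three settings lines would do it. The move itself looks behaviour-neutral, since rules are evaluated first-match and no visible pattern overlaps `/settings/**`, though the rest of `filterChain` lies outside both hunks and should be checked for a broader matcher placed earlier.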