diff --git a/web/src/main/java/it/pagopa/selfcare/dashboard/web/controller/UserV2Controller.java b/web/src/main/java/it/pagopa/selfcare/dashboard/web/controller/UserV2Controller.java
index 11734241c..8abd4f1a1 100644
--- a/web/src/main/java/it/pagopa/selfcare/dashboard/web/controller/UserV2Controller.java
+++ b/web/src/main/java/it/pagopa/selfcare/dashboard/web/controller/UserV2Controller.java
@@ -13,6 +13,7 @@
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
@@ -50,6 +51,7 @@ public List getInstitutions(Authentication authenticati
 @PostMapping(value = "/{userId}/suspend")
 @ResponseStatus(HttpStatus.NO_CONTENT)
 @ApiOperation(value = "", notes = "${swagger.dashboard.institutions.api.suspendUser}")
+ @PreAuthorize("hasPermission(new it.pagopa.selfcare.dashboard.web.security.ProductAclDomain(#institutionId, #productId), 'ADMIN')")
 public void suspendRelationship(@ApiParam("${swagger.dashboard.user.model.id}")
 @PathVariable("userId") String userId,
 @ApiParam("${swagger.dashboard.support.model.institutionId}")
@@ -67,6 +69,7 @@ public void suspendRelationship(@ApiParam("${swagger.dashboard.user.model.id}")
 @PostMapping(value = "/{userId}/activate")
 @ResponseStatus(HttpStatus.NO_CONTENT)
 @ApiOperation(value = "", notes = "${swagger.dashboard.institutions.api.activateUser}")
+ @PreAuthorize("hasPermission(new it.pagopa.selfcare.dashboard.web.security.ProductAclDomain(#institutionId, #productId), 'ADMIN')")
 public void activateRelationship(@ApiParam("${swagger.dashboard.user.model.id}")
 @PathVariable("userId") String userId,
 @RequestParam(value = "institutionId") String institutionId,
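Review bot: The new `@PreAuthorize` on `suspendRelationship` references `#productId`, but no parameter of that name is visible in the hunk — only `userId` and the `@ApiParam` for `institutionId` are, and the parameter list continues outside the hunk. SpEL resolves an unknown method argument to `null` instead of failing, so if `productId` is absent, misspelled, or declared `required = false`, the `ProductAclDomain` is built with a null product and the decision depends entirely on how the project's `PermissionEvaluator` treats that case. The `#name` references also need the Java parameter names available at runtime (compile with `-parameters` or debug info, or annotate with `@P`); the `@RequestParam(value = ...)` string does not help SpEL. I would pin this with a test asserting 403 for a caller who is ADMIN on a different product, and add above the annotation `// relies on a 'productId' method parameter: SpEL yields null for unknown names, so the evaluator must reject a null product`.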
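Review bot: The check added to `activateRelationship` is keyed only on the caller-supplied `institutionId` and `productId`, never on the `userId` path variable whose relationship is being activated. Unless the service layer scopes the activation to that same institution and product, an ADMIN of institution A can send its own `institutionId` while targeting a `userId` relationship that belongs to institution B, and the annotation passes. If the service does not already look the relationship up by the (userId, institutionId, productId) triple and reject a mismatch, that lookup should be added before the state change, since the annotation alone cannot bind the target to the ACL. The remainder of the parameter list and the method body lie outside the hunk.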
@@ -82,6 +85,7 @@ public void activateRelationship(@ApiParam("${swagger.dashboard.user.model.id}")
 @DeleteMapping(value = "/{userId}")
 @ResponseStatus(HttpStatus.NO_CONTENT)
 @ApiOperation(value = "", notes = "${swagger.dashboard.institutions.api.deleteUser}")
+ @PreAuthorize("hasPermission(new it.pagopa.selfcare.dashboard.web.security.ProductAclDomain(#institutionId, #productId), 'ADMIN')")
 public void deleteRelationshipById(@ApiParam("${swagger.dashboard.user.model.id}")
 @PathVariable("userId") String userId,
 @RequestParam(value = "institutionId") String institutionId,
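Review bot: The `@PreAuthorize` expression on `deleteRelationshipById` is the third verbatim copy of the same SpEL string in this commit, so a future change to the ACL domain class or the required role has three places to drift. I would hoist it once, `private static final String ADMIN_ON_PRODUCT = "hasPermission(new it.pagopa.selfcare.dashboard.web.security.ProductAclDomain(#institutionId, #productId), 'ADMIN')";` and use `@PreAuthorize(ADMIN_ON_PRODUCT)` on all three endpoints. Note also that these annotations only take effect if method security is enabled for the application (`@EnableMethodSecurity` or `prePostEnabled = true`), which this file does not show; since delete is the most destructive of the three and was previously unguarded at this layer, a controller test asserting 403 for a non-ADMIN caller would confirm the wiring. The method signature continues outside the hunk.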