diff --git a/internal/services/contest.go b/internal/services/contest.go
index 551eaa0..5feaa78 100644
--- a/internal/services/contest.go
+++ b/internal/services/contest.go
@@ -2,6 +2,7 @@ package services
 
 import (
 	"context"
+	"git.sch9.ru/new_gate/ms-tester/internal/lib"
 	"git.sch9.ru/new_gate/ms-tester/internal/models"
 )
 
@@ -13,37 +14,44 @@ type ContestStorage interface {
 }
 
 type ContestService struct {
-	contestStorage ContestStorage
+	contestStorage    ContestStorage
+	permissionService IPermissionService
 }
 
 func NewContestService(
 	contestStorage ContestStorage,
+	permissionService IPermissionService,
 ) *ContestService {
 	return &ContestService{
-		contestStorage: contestStorage,
+		contestStorage:    contestStorage,
+		permissionService: permissionService,
 	}
 }
 
 func (service *ContestService) CreateContest(ctx context.Context, contest *models.Contest) (int32, error) {
-	//userId := ctx.Value("user_id").(int32)
-	panic("access control is not implemented yet")
+	if !service.permissionService.Allowed(ctx, extractUser(ctx), "create") {
+		return 0, lib.ServiceError(nil, lib.ErrNoPermission, "permission denied")
+	}
 	return service.contestStorage.CreateContest(ctx, contest)
 }
 
 func (service *ContestService) ReadContestById(ctx context.Context, id int32) (*models.Contest, error) {
-	//userId := ctx.Value("user_id").(int32)
-	panic("access control is not implemented yet")
+	if !service.permissionService.Allowed(ctx, extractUser(ctx), "read") {
+		return nil, lib.ServiceError(nil, lib.ErrNoPermission, "permission denied")
+	}
 	return service.contestStorage.ReadContestById(ctx, id)
 }
 
 func (service *ContestService) UpdateContest(ctx context.Context, contest *models.Contest) error {
-	//userId := ctx.Value("user_id").(int32)
-	panic("access control is not implemented yet")
+	if !service.permissionService.Allowed(ctx, extractUser(ctx), "update") {
+		return lib.ServiceError(nil, lib.ErrNoPermission, "permission denied")
+	}
 	return service.contestStorage.UpdateContest(ctx, contest)
 }
 
 func (service *ContestService) DeleteContest(ctx context.Context, id int32) error {
-	//userId := ctx.Value("user_id").(int32)
-	panic("access control is not implemented yet")
+	if !service.permissionService.Allowed(ctx, extractUser(ctx), "delete") {
+		return lib.ServiceError(nil, lib.ErrNoPermission, "permission denied")
+	}
 	return service.contestStorage.DeleteContest(ctx, id)
 }
diff --git a/internal/services/participants.go b/internal/services/participants.go
index 8509bdb..1f2daa3 100644
--- a/internal/services/participants.go
+++ b/internal/services/participants.go
@@ -2,6 +2,7 @@ package services
 
 import (
 	"context"
+	"git.sch9.ru/new_gate/ms-tester/internal/lib"
 	"git.sch9.ru/new_gate/ms-tester/internal/models"
 )
 
@@ -14,36 +15,43 @@ type ParticipantStorage interface {
 
 type ParticipantService struct {
 	participantStorage ParticipantStorage
+	permissionService  IPermissionService
 }
 
 func NewParticipantService(
 	participantStorage ParticipantStorage,
+	permissionService IPermissionService,
 ) *ParticipantService {
 	return &ParticipantService{
 		participantStorage: participantStorage,
+		permissionService:  permissionService,
 	}
 }
 
 func (service *ParticipantService) CreateParticipant(ctx context.Context, participant *models.Participant) (int32, error) {
-	//userId := ctx.Value("user_id").(int32)
-	panic("access control is not implemented yet")
+	if !service.permissionService.Allowed(ctx, extractUser(ctx), "create") {
+		return 0, lib.ServiceError(nil, lib.ErrNoPermission, "permission denied")
+	}
 	return service.participantStorage.CreateParticipant(ctx, participant)
 }
 
 func (service *ParticipantService) ReadParticipantById(ctx context.Context, id int32) (*models.Participant, error) {
-	//userId := ctx.Value("user_id").(int32)
-	panic("access control is not implemented yet")
+	if !service.permissionService.Allowed(ctx, extractUser(ctx), "read") {
+		return nil, lib.ServiceError(nil, lib.ErrNoPermission, "permission denied")
+	}
 	return service.participantStorage.ReadParticipantById(ctx, id)
 }
 
 func (service *ParticipantService) UpdateParticipant(ctx context.Context, participant *models.Participant) error {
-	//userId := ctx.Value("user_id").(int32)
-	panic("access control is not implemented yet")
+	if !service.permissionService.Allowed(ctx, extractUser(ctx), "update") {
+		return lib.ServiceError(nil, lib.ErrNoPermission, "permission denied")
+	}
 	return service.participantStorage.UpdateParticipant(ctx, participant)
 }
 
 func (service *ParticipantService) DeleteParticipant(ctx context.Context, id int32) error {
-	//userId := ctx.Value("user_id").(int32)
-	panic("access control is not implemented yet")
+	if !service.permissionService.Allowed(ctx, extractUser(ctx), "delete") {
+		return lib.ServiceError(nil, lib.ErrNoPermission, "permission denied")
+	}
 	return service.participantStorage.DeleteParticipant(ctx, id)
 }
diff --git a/internal/services/solution.go b/internal/services/solution.go
index 29df2f7..d1e8c99 100644
--- a/internal/services/solution.go
+++ b/internal/services/solution.go
@@ -2,6 +2,7 @@ package services
 
 import (
 	"context"
+	"git.sch9.ru/new_gate/ms-tester/internal/lib"
 	"git.sch9.ru/new_gate/ms-tester/internal/models"
 )
 
@@ -13,37 +14,44 @@ type SolutionStorage interface {
 }
 
 type SolutionService struct {
-	solutionStorage SolutionStorage
+	solutionStorage   SolutionStorage
+	permissionService IPermissionService
 }
 
 func NewSolutionService(
 	solutionStorage SolutionStorage,
+	permissionService IPermissionService,
 ) *SolutionService {
 	return &SolutionService{
-		solutionStorage: solutionStorage,
+		solutionStorage:   solutionStorage,
+		permissionService: permissionService,
 	}
 }
 
 func (service *SolutionService) CreateSolution(ctx context.Context, solution models.Solution) (int32, error) {
-	//userId := ctx.Value("user_id").(int32)
-	panic("access control is not implemented yet")
+	if !service.permissionService.Allowed(ctx, extractUser(ctx), "create") {
+		return 0, lib.ServiceError(nil, lib.ErrNoPermission, "permission denied")
+	}
 	return service.solutionStorage.CreateSolution(ctx, solution)
 }
 
 func (service *SolutionService) ReadSolutionById(ctx context.Context, id int32) (models.Solution, error) {
-	//userId := ctx.Value("user_id").(int32)
-	panic("access control is not implemented yet")
+	if !service.permissionService.Allowed(ctx, extractUser(ctx), "read") {
+		return models.Solution{}, lib.ServiceError(nil, lib.ErrNoPermission, "permission denied")
+	}
 	return service.solutionStorage.ReadSolutionById(ctx, id)
 }
 
 func (service *SolutionService) RejudgeSolution(ctx context.Context, id int32) error {
-	//userId := ctx.Value("user_id").(int32)
-	panic("access control is not implemented yet")
+	if !service.permissionService.Allowed(ctx, extractUser(ctx), "update") {
+		return lib.ServiceError(nil, lib.ErrNoPermission, "permission denied")
+	}
 	return service.solutionStorage.RejudgeSolution(ctx, id)
 }
 
 func (service *SolutionService) DeleteSolution(ctx context.Context, id int32) error {
-	//userId := ctx.Value("user_id").(int32)
-	panic("access control is not implemented yet")
+	if !service.permissionService.Allowed(ctx, extractUser(ctx), "delete") {
+		return lib.ServiceError(nil, lib.ErrNoPermission, "permission denied")
+	}
 	return service.solutionStorage.DeleteSolution(ctx, id)
 }
diff --git a/internal/services/task.go b/internal/services/task.go
index 377adeb..68901cc 100644
--- a/internal/services/task.go
+++ b/internal/services/task.go
@@ -2,6 +2,7 @@ package services
 
 import (
 	"context"
+	"git.sch9.ru/new_gate/ms-tester/internal/lib"
 	"git.sch9.ru/new_gate/ms-tester/internal/models"
 )
 
@@ -11,25 +12,30 @@ type TaskStorage interface {
 }
 
 type TaskService struct {
-	taskStorage TaskStorage
+	taskStorage       TaskStorage
+	permissionService IPermissionService
 }
 
 func NewTaskService(
 	taskStorage TaskStorage,
+	permissionService IPermissionService,
 ) *TaskService {
 	return &TaskService{
-		taskStorage: taskStorage,
+		taskStorage:       taskStorage,
+		permissionService: permissionService,
 	}
 }
 
 func (service *TaskService) CreateTask(ctx context.Context, task models.Task) (int32, error) {
-	//userId := ctx.Value("user_id").(int32)
-	panic("access control is not implemented yet")
+	if !service.permissionService.Allowed(ctx, extractUser(ctx), "create") {
+		return 0, lib.ServiceError(nil, lib.ErrNoPermission, "permission denied")
+	}
 	return service.taskStorage.CreateTask(ctx, task)
 }
 
 func (service *TaskService) DeleteTask(ctx context.Context, id int32) error {
-	//userId := ctx.Value("user_id").(int32)
-	panic("access control is not implemented yet")
+	if !service.permissionService.Allowed(ctx, extractUser(ctx), "delete") {
+		return lib.ServiceError(nil, lib.ErrNoPermission, "permission denied")
+	}
 	return service.taskStorage.DeleteTask(ctx, id)
 }