diff --git a/src/routes/admin.routes.js b/src/routes/admin.routes.js
index 80ca255..c9079a5 100644
--- a/src/routes/admin.routes.js
+++ b/src/routes/admin.routes.js
@@ -9,18 +9,14 @@ import { z } from 'zod';
 const router = express.Router();
 
 /**
- * Routes accessible to all authenticated users
+ * All admin routes require authentication and admin role
  */
 router.use(authenticate);
-
-// Zoznam všetkých userov (dostupné pre všetkých autentifikovaných používateľov)
-router.get('/users', adminController.getAllUsers);
-
-/**
- * Admin-only routes
- */
 router.use(requireAdmin);
 
+// Zoznam všetkých userov (admin only)
+router.get('/users', adminController.getAllUsers);
+
 /**
  * User management
  */
diff --git a/src/routes/audit.routes.js b/src/routes/audit.routes.js
index eeeb204..b5c2298 100644
--- a/src/routes/audit.routes.js
+++ b/src/routes/audit.routes.js
@@ -1,9 +1,11 @@
 import { Router } from 'express';
 import { getRecentAuditLogs } from '../controllers/audit.controller.js';
 import { authenticate } from '../middlewares/auth/authMiddleware.js';
+import { requireAdmin } from '../middlewares/auth/roleMiddleware.js';
 
 const router = Router();
 
-router.get('/', authenticate, getRecentAuditLogs);
+// Audit logs are admin only
+router.get('/', authenticate, requireAdmin, getRecentAuditLogs);
 
 export default router;
diff --git a/src/routes/note.routes.js b/src/routes/note.routes.js
index 9f128bc..a4b2892 100644
--- a/src/routes/note.routes.js
+++ b/src/routes/note.routes.js
@@ -1,6 +1,7 @@
 import express from 'express';
 import * as noteController from '../controllers/note.controller.js';
 import { authenticate } from '../middlewares/auth/authMiddleware.js';
+import { requireAdmin } from '../middlewares/auth/roleMiddleware.js';
 import { validateBody, validateParams } from '../middlewares/security/validateInput.js';
 import { createNoteSchema, updateNoteSchema } from '../validators/crm.validators.js';
 import { z } from 'zod';
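Review bot: Moving `/users` behind `router.use(requireAdmin)` is the right default, but the removed comment says the list was deliberately open to every authenticated user, so any non-admin client that populates a user picker from it will now get a 403 rather than a tighter response. If that use case exists, add a separate non-admin endpoint that returns only a minimal projection (id and display name) instead of reusing `adminController.getAllUsers`, which presumably returns full user records; the controller is not visible here. The rest of this file's comments are in English while the new `// Zoznam všetkých userov (admin only)` is in Slovak — suggest `// List all users (admin only)`. Since `requireAdmin` is registered with `router.use` after `authenticate`, it also covers every route added later in this file, which is what the updated header comment promises.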
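Review bot: Applying the guard per-route in `router.get('/', authenticate, requireAdmin, getRecentAuditLogs)` means any endpoint added to this file later starts out with no authorization at all, unlike the other route files in this diff, which register `router.use(authenticate)` at router level. Register both guards on the router so the file fails closed by default: `router.use(authenticate, requireAdmin);` followed by `router.get('/', getRecentAuditLogs);`. Keep `authenticate` first, since `requireAdmin` presumably reads the user that `authenticate` attaches to the request.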
@@ -14,8 +15,8 @@ router.use(authenticate);
  * Note management
  */
 
-// Get all notes
-router.get('/', noteController.getAllNotes);
+// Get all notes (admin only - returns all notes system-wide)
+router.get('/', requireAdmin, noteController.getAllNotes);
 
 // Get my reminders (must be before /:noteId to avoid route conflict)
 router.get('/my-reminders', noteController.getMyReminders);
diff --git a/src/routes/time-tracking.routes.js b/src/routes/time-tracking.routes.js
index 3f8db30..62bda77 100644
--- a/src/routes/time-tracking.routes.js
+++ b/src/routes/time-tracking.routes.js
@@ -1,6 +1,7 @@
 import express from 'express';
 import * as timeTrackingController from '../controllers/time-tracking.controller.js';
 import { authenticate } from '../middlewares/auth/authMiddleware.js';
+import { requireAdmin } from '../middlewares/auth/roleMiddleware.js';
 import { validateBody, validateParams } from '../middlewares/security/validateInput.js';
 import {
   startTimeEntrySchema,
@@ -32,8 +33,8 @@ router.post(
 // Get running time entry
 router.get('/running', timeTrackingController.getRunningTimeEntry);
 
-// Get all running time entries (for dashboard)
-router.get('/running-all', timeTrackingController.getAllRunningTimeEntries);
+// Get all running time entries (for dashboard) - admin only
+router.get('/running-all', requireAdmin, timeTrackingController.getAllRunningTimeEntries);
 
 // Get all time entries with filters
 router.get('/', timeTrackingController.getAllTimeEntries);
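Review bot: With `router.get('/', requireAdmin, noteController.getAllNotes)` a non-admin user loses the only listing route visible in this hunk, and no owner-scoped replacement is added; if regular users need to list their own notes, the controller should filter by the authenticated user rather than the route being closed entirely. The `/:noteId` routes that the `/my-reminders` comment refers to lie outside the hunk, so I cannot tell whether reads and updates by id enforce ownership, yet the reasoning that makes a system-wide list admin-only applies equally to fetching an arbitrary id. Once confirmed, say so next to the route, e.g. `// Non-admins must not reach other users' notes via /:noteId either; ownership is enforced in the controller`.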
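Review bot: `/running-all` is now admin-only, but the route two lines below, `router.get('/', timeTrackingController.getAllTimeEntries)`, is described as "Get all time entries with filters" and stays open to every authenticated user; unless `getAllTimeEntries` scopes results to the caller inside the controller (not visible here), it exposes the same cross-user data this hunk just restricted, and historical entries rather than only running ones. Either confirm the controller scopes by caller and record that in the comment, `// Get all time entries with filters (scoped to the caller in the controller)`, or add `requireAdmin` to this route as well.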