diff --git a/server/AyaNova/Controllers/WorkOrderController.cs b/server/AyaNova/Controllers/WorkOrderController.cs
index ab4833d4..fbf4ef98 100644
--- a/server/AyaNova/Controllers/WorkOrderController.cs
+++ b/server/AyaNova/Controllers/WorkOrderController.cs
@@ -251,7 +251,7 @@ namespace AyaNova.Api.Controllers
             if (!serverState.IsOpen)
                 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
             WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
-            if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderStatus) || biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted)
+            if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType) || biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted)
                 return StatusCode(403, new ApiNotAuthorizedResponse());
             if (!ModelState.IsValid)
                 return BadRequest(new ApiErrorResponse(ModelState));
@@ -274,7 +274,7 @@ namespace AyaNova.Api.Controllers
             if (!serverState.IsOpen)
                 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
             WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
-            if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderStatus))
+            if (!Authorized.HasReadFullRole(HttpContext.Items, biz.BizType))
                 return StatusCode(403, new ApiNotAuthorizedResponse());
             if (!ModelState.IsValid)
                 return BadRequest(new ApiErrorResponse(ModelState));