diff --git a/src/main/java/eu/dissco/core/datacitepublisher/security/WebSecurityConfig.java b/src/main/java/eu/dissco/core/datacitepublisher/security/WebSecurityConfig.java
index b12f5b7..d210f50 100644
--- a/src/main/java/eu/dissco/core/datacitepublisher/security/WebSecurityConfig.java
+++ b/src/main/java/eu/dissco/core/datacitepublisher/security/WebSecurityConfig.java
@@ -6,7 +6,6 @@
 import org.springframework.boot.actuate.health.HealthEndpoint;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
@@ -22,9 +21,10 @@ public class WebSecurityConfig {
 @Bean
 public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 http.authorizeHttpRequests(authorizeHttpRequests -> authorizeHttpRequests
- .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
- .requestMatchers(HttpMethod.GET, "**").permitAll()
- .anyRequest().authenticated());
+ .requestMatchers(EndpointRequest.to(HealthEndpoint.class))
+ .permitAll()
+ .anyRequest()
+ .hasRole("orchestration-admin"));
 
 http.oauth2ResourceServer(jwtoauth2ResourceServer -> jwtoauth2ResourceServer.jwt((
 jwt -> jwt.jwtAuthenticationConverter(jwtAuthConverter)
diff --git a/src/test/java/eu/dissco/core/datacitepublisher/web/DataCiteClientTest.java b/src/test/java/eu/dissco/core/datacitepublisher/web/DataCiteClientTest.java
index df46072..b4b1439 100644
--- a/src/test/java/eu/dissco/core/datacitepublisher/web/DataCiteClientTest.java
+++ b/src/test/java/eu/dissco/core/datacitepublisher/web/DataCiteClientTest.java
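Review bot: `.hasRole("orchestration-admin")` in `securityFilterChain` is evaluated against the authority `ROLE_orchestration-admin`, because Spring Security's `hasRole` prepends `ROLE_`; whether a valid token is ever accepted therefore depends on `jwtAuthConverter`, whose mapping is not visible in this hunk. If the converter emits the claim value unprefixed, every non-health request will be rejected with 403, so I would either confirm the prefix there or switch to `.hasAuthority(...)` with the exact string, and record the contract with a comment such as `// hasRole() matches ROLE_orchestration-admin; JwtAuthConverter must emit that prefix`. The role name is also a bare literal; a named constant or a configuration property would keep it in step with the identity provider. Since this hunk removes anonymous GET access, a MockMvc test asserting 401 without a token and 403 with a token lacking the role would pin the new policy. The method body continues past the end of the hunk.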
@@ -152,13 +152,10 @@ void testDataCiteConflict() throws Exception {
 .setResponseCode(HttpStatus.UNPROCESSABLE_ENTITY.value())
 .setBody(givenDataCiteErrorResponse(true))
 .addHeader("Content-Type", "application/json"));
- var expectedMessage = "DOI " + PID + " has already been taken";
 
- // When
- var e = assertThrows(DataCiteApiException.class,
+ // When / Then
+ assertThrows(DataCiteApiException.class,
 () -> dataCiteClient.sendDoiRequest(request, HttpMethod.POST, DOI));
-
- assertThat(e.getMessage()).contains(expectedMessage);
 }
 
 @Test
@@ -169,13 +166,11 @@ void testDataCiteNotFound() throws Exception {
 .setResponseCode(HttpStatus.NOT_FOUND.value())
 .setBody(givenDataCiteErrorResponse(false))
 .addHeader("Content-Type", "application/json"));
- var expectedMessage = ALT_ERROR + " DataCite credentials may be incorrect";
 
- // When
- var e = assertThrows(DataCiteApiException.class,
+ // When / Then
+ assertThrows(DataCiteApiException.class,
 () -> dataCiteClient.sendDoiRequest(request, HttpMethod.POST, DOI));
 
- assertThat(e.getMessage()).contains(expectedMessage);
 }
 
 @Test
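Review bot: After this change `testDataCiteConflict` and `testDataCiteNotFound` (the second hunk, at `-169,13 +166,11`) assert only that a `DataCiteApiException` is thrown, so the 422 and 404 paths are no longer told apart and either test would still pass if the client raised that exception for an unrelated reason. If the message wording was dropped because it is no longer stable, I would keep `var e = assertThrows(...)` and assert on something that is, presumably the DOI in the conflict case, e.g. `assertThat(e.getMessage()).contains(PID);`, assuming the exception still carries it. The second hunk also leaves an empty line before the closing brace of `testDataCiteNotFound`. Both test methods start above their hunks.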