diff --git a/src/main/kotlin/com/example/config/Security.kt b/src/main/kotlin/com/example/config/Security.kt
index 45a2485..eb6cc79 100644
--- a/src/main/kotlin/com/example/config/Security.kt
+++ b/src/main/kotlin/com/example/config/Security.kt
@@ -1,7 +1,9 @@
 package com.example.config
+import com.example.config.AuthenticatedUser.Companion.ADMINISTER_REQUIRED
 import com.example.shared.CafeUserRole
 import com.example.config.AuthenticatedUser.Companion.CUSTOMER_REQUIRED
+import com.example.config.AuthenticatedUser.Companion.USER_REQUIRED
 import io.ktor.http.*
 import io.ktor.server.application.*
 import io.ktor.server.auth.*
@@ -17,6 +19,22 @@ fun Application.configureSecurity() {
 call.respond(HttpStatusCode.Forbidden, "only for customer");
 }
 }
+ session(USER_REQUIRED) {
+ validate { session: AuthenticatedUser ->
+ session.takeIf { it.userRoles.isNotEmpty() }
+ }
+ challenge {
+ call.respond(HttpStatusCode.Forbidden, "only for user");
+ }
+ }
+ session(ADMINISTER_REQUIRED) {
+ validate { session: AuthenticatedUser ->
+ session.takeIf { it.userRoles.contains(CafeUserRole.ADMINISTER) }
+ }
+ challenge {
+ call.respond(HttpStatusCode.Forbidden, "only for administer");
+ }
+ }
 }
 }
diff --git a/src/main/kotlin/com/example/config/Session.kt b/src/main/kotlin/com/example/config/Session.kt
index 096a61c..9b0c63a 100644
--- a/src/main/kotlin/com/example/config/Session.kt
+++ b/src/main/kotlin/com/example/config/Session.kt
@@ -28,6 +28,8 @@ data class AuthenticatedUser(
 fun none() = AuthenticatedUser(0, listOf())
 const val SESSION_NAME = "CU_SESSION_ID"
+ const val USER_REQUIRED = "user-required"
 const val CUSTOMER_REQUIRED = "customer-required"
+ const val ADMINISTER_REQUIRED = "administer-required"
 }
 }
diff --git a/src/main/kotlin/com/example/domain/repository/CafeOrderRepository.kt b/src/main/kotlin/com/example/domain/repository/CafeOrderRepository.kt
index dcba2f7..c48da0c 100644
--- a/src/main/kotlin/com/example/domain/repository/CafeOrderRepository.kt
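Review bot: Both new providers in `configureSecurity()` decide access from `session.userRoles`, a value carried in the session itself, so the `ADMINISTER_REQUIRED` check in `validate` is only as trustworthy as the session storage and only as fresh as the last login. The session setup is outside this diff; if `AuthenticatedUser` is serialized into the cookie rather than held server-side, it must be signed or encrypted, and in either case a role removed from a user stays effective until that session ends. For the administrator provider I would confirm the role against the user store inside `validate`, or invalidate the user's sessions on role change, and add a comment such as `// roles are a login-time snapshot; revoke sessions when roles change`.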
+++ b/src/main/kotlin/com/example/domain/repository/CafeOrderRepository.kt
@@ -1,11 +1,14 @@
 package com.example.domain.repository
+import com.example.domain.CafeMenuTable
 import com.example.domain.CafeOrderTable
+import com.example.domain.CafeUserTable
 import com.example.domain.ExposedCrudRepository
 import com.example.domain.model.CafeOrder
 import com.example.shared.dto.OrderDto
 import org.jetbrains.exposed.dao.id.EntityID
 import org.jetbrains.exposed.sql.ResultRow
+import org.jetbrains.exposed.sql.SortOrder
 import org.jetbrains.exposed.sql.selectAll
 import org.jetbrains.exposed.sql.statements.InsertStatement
 import org.jetbrains.exposed.sql.statements.UpdateStatement
@@ -66,7 +69,31 @@ class CafeOrderRepository(
 * inner join cafe_menu m on m.id = o.cafe_menu_id
 * order by o.id desc;
 */
- fun findByOrders(): List {
- TODO()
+ fun findByOrders(): List = dbQuery {
+ val query = table
+ .innerJoin(CafeUserTable)
+ .innerJoin(CafeMenuTable)
+ .select(
+ CafeOrderTable.orderCode,
+ CafeOrderTable.price,
+ CafeOrderTable.status,
+ CafeOrderTable.orderedAt,
+ CafeOrderTable.id,
+ CafeMenuTable.name,
+ CafeUserTable.nickname,
+ )
+ .orderBy(CafeOrderTable.id to SortOrder.DESC)
+
+ query.map {
+ OrderDto.DisplayResponse(
+ orderCode = it[table.orderCode],
+ menuName = it[CafeMenuTable.name],
+ customerName = it[CafeUserTable.nickname],
+ price = it[table.price],
+ status = it[table.status],
+ orderedAt = it[table.orderedAt],
+ id = it[table.id].value
+ )
+ }
 }
-}
+}
\ No newline at end of file
diff --git a/src/main/kotlin/com/example/route/MenuRoute.kt b/src/main/kotlin/com/example/route/MenuRoute.kt
index 348a0e3..0eac2b4 100644
--- a/src/main/kotlin/com/example/route/MenuRoute.kt
+++ b/src/main/kotlin/com/example/route/MenuRoute.kt
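Review bot: `findByOrders()` materializes every order joined with its user and menu in a single call, with no limit or paging, so the response behind `GET /orders` grows with the table and each request costs a full scan plus a full list in memory. A server-side cap after the ordering, e.g. `.orderBy(CafeOrderTable.id to SortOrder.DESC).limit(MAX_ORDERS_PER_PAGE)` with a new constant, keeps the administrator view bounded. The projection names `CafeOrderTable.*` while the mapper reads `table.*`; using one spelling in both places makes it obvious that the columns read are the columns selected. Both `innerJoin` calls leave the join condition to be inferred, presumably from the foreign keys that the SQL comment above describes; naming the join columns would make that dependency explicit.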
@@ -1,7 +1,12 @@
 package com.example.route
+import com.example.config.AuthenticatedUser
+import com.example.domain.model.CafeMenu
 import com.example.service.MenuService
+import io.ktor.http.*
 import io.ktor.server.application.*
+import io.ktor.server.auth.*
+import io.ktor.server.request.*
 import io.ktor.server.response.*
 import io.ktor.server.routing.*
 import org.koin.ktor.ext.inject
@@ -13,4 +18,24 @@ fun Route.menuRoute() {
 val menu = menuService.findAll()
 call.respond(menu)
 }
-}
\ No newline at end of file
+
+ authenticate(AuthenticatedUser.ADMINISTER_REQUIRED) {
+ post("/menus") {
+ val menu = call.receive()
+ val createdMenu = menuService.createMenu(menu)
+ call.respond(createdMenu)
+ }
+
+ put("/menus") {
+ val menu = call.receive()
+ val updatedMenu = menuService.updateMenu(menu)
+ call.respond(updatedMenu)
+ }
+
+ delete("/menus/{id}") {
+ val id = call.parameters["id"]?.toLong()!!
+ menuService.deleteMenu(id)
+ call.respond(HttpStatusCode.OK)
+ }
+ }
+}
diff --git a/src/main/kotlin/com/example/route/OrderRoute.kt b/src/main/kotlin/com/example/route/OrderRoute.kt
index 82e2968..df3fa60 100644
--- a/src/main/kotlin/com/example/route/OrderRoute.kt
+++ b/src/main/kotlin/com/example/route/OrderRoute.kt
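Review bot: In `delete("/menus/{id}")`, `call.parameters["id"]?.toLong()!!` throws on a non-numeric id, which surfaces as a server error unless a status handler outside this diff maps it. `val id = call.parameters["id"]?.toLongOrNull() ?: return@delete call.respond(HttpStatusCode.BadRequest)` rejects malformed input explicitly. `post` and `put` pass the received body straight to `menuService`; the type argument of `call.receive` is not visible on this page, but if it is the `CafeMenu` domain model imported above, a client-supplied `id` on create should be ignored or rejected, ideally by receiving a request DTO instead.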
@@ -21,17 +21,23 @@ fun Route.orderRoute() {
 val code = orderService.createOrder(createRequest, call.authenticatedUser())
 call.respond(code)
 }
- get("/orders/{orderCode}") {
- val orderCode = call.parameters["orderCode"]!!
- val order = orderService.getOrder(orderCode, call.authenticatedUser())
- call.respond(order)
- }
 put("/orders/{orderCode}/status") {
 val orderCode = call.parameters["orderCode"]!!
 val state = call.receive().status
 orderService.updateOrderStatus(orderCode, state, call.authenticatedUser())
 call.respond(HttpStatusCode.OK)
 }
+ }
+
+ authenticate(AuthenticatedUser.USER_REQUIRED) {
+ get("/orders/{orderCode}") {
+ val orderCode = call.parameters["orderCode"]!!
+ val order = orderService.getOrder(orderCode, call.authenticatedUser())
+ call.respond(order)
+ }
+ }
+
+ authenticate(AuthenticatedUser.ADMINISTER_REQUIRED) {
 get("/orders") {
 val orders: List = orderService.getOrders()
 call.respond(orders)
diff --git a/src/main/kotlin/com/example/service/OrderService.kt b/src/main/kotlin/com/example/service/OrderService.kt
index 13db89a..6a25d25 100644
--- a/src/main/kotlin/com/example/service/OrderService.kt
+++ b/src/main/kotlin/com/example/service/OrderService.kt
@@ -68,8 +68,10 @@ class OrderService(
 authenticatedUser: AuthenticatedUser,
 order: CafeOrder,
 ) {
- if (authenticatedUser.userId != order.cafeUserId) {
- throw CafeException(ErrorCode.FORBIDDEN)
+ if (authenticatedUser.isOnlyCustomer()) {
+ if (authenticatedUser.userId != order.cafeUserId) {
+ throw CafeException(ErrorCode.FORBIDDEN)
+ }
 }
 }
@@ -90,6 +92,6 @@ class OrderService(
 }
 fun getOrders(): List {
- TODO("Not yet implemented")
+ return cafeOrderRepository.findByOrders()
 }
 }
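Review bot: `put("/orders/{orderCode}/status")` is left inside the first `authenticate` block, which opens outside this hunk and is presumably the customer-required provider, so an administrator who lacks the customer role can list orders but gets a 403 when changing an order's status. If that is intended, a one-line comment on each block naming the roles it admits would make the access matrix reviewable, e.g. `// any logged-in role; per-order ownership is enforced in OrderService` above the `USER_REQUIRED` block. If staff are meant to update status, the route belongs under a provider that admits them.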
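Review bot: The ownership check in the first OrderService.kt hunk now runs only when `isOnlyCustomer()` is true, so every session for which that helper returns false can read any order by its code. Combined with `USER_REQUIRED` on `GET /orders/{orderCode}`, access is granted by exception instead of by a named role. `isOnlyCustomer()` is not defined in the visible hunks, so its result for an empty or mixed role list cannot be checked here. I would name the privileged role and keep denial as the default: `val isAdmin = CafeUserRole.ADMINISTER in authenticatedUser.userRoles` followed by `if (!isAdmin && authenticatedUser.userId != order.cafeUserId) throw CafeException(ErrorCode.FORBIDDEN)`. The enclosing function starts outside the hunk, so which service calls share this check is not visible.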