diff --git a/src/main/java/de/thm/arsnova/services/CommentServiceImpl.java b/src/main/java/de/thm/arsnova/services/CommentServiceImpl.java
index 1a1428994a10c2eadce83c8b8128124b4fecb03c..82eaca02d32e40acd28b2c0cab50d0d518c55f0c 100644
--- a/src/main/java/de/thm/arsnova/services/CommentServiceImpl.java
+++ b/src/main/java/de/thm/arsnova/services/CommentServiceImpl.java
@@ -71,7 +71,7 @@ public class CommentServiceImpl extends EntityService<Comment> implements Commen
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(#commentId, 'comment', 'owner')")
+	@PreAuthorize("hasPermission(#commentId, 'comment', 'owner')")
 	public void delete(final String commentId) {
 		final Comment comment = commentRepository.findOne(commentId);
 		if (comment == null) {
diff --git a/src/main/java/de/thm/arsnova/services/ContentServiceImpl.java b/src/main/java/de/thm/arsnova/services/ContentServiceImpl.java
index d7f9ef655a369b90d8046d1b9367213b5f6d8610..becc677eafe97194a17e5a88ef87720096ab9531 100644
--- a/src/main/java/de/thm/arsnova/services/ContentServiceImpl.java
+++ b/src/main/java/de/thm/arsnova/services/ContentServiceImpl.java
@@ -234,7 +234,7 @@ public class ContentServiceImpl extends EntityService<Content> implements Conten
 
 	/* FIXME: #content.getSessionKeyword() cannot be checked since keyword is no longer set for content. */
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(#content.getSessionKeyword(), 'session', 'owner')")
+	@PreAuthorize("hasPermission(#content.getSessionKeyword(), 'session', 'owner')")
 	public Content save(final Content content) {
 		final Session session = sessionRepository.findByKeyword(content.getSessionKeyword());
 		content.setSessionId(session.getId());
@@ -266,7 +266,7 @@ public class ContentServiceImpl extends EntityService<Content> implements Conten
 
 	/* TODO: Only evict cache entry for the content's session. This requires some refactoring. */
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(#contentId, 'content', 'owner')")
+	@PreAuthorize("hasPermission(#contentId, 'content', 'owner')")
 	@Caching(evict = {
 			@CacheEvict("answers"),
 			@CacheEvict(value = "questions", key = "#contentId"),
@@ -297,7 +297,7 @@ public class ContentServiceImpl extends EntityService<Content> implements Conten
 		this.publisher.publishEvent(event);
 	}
 
-	@PreAuthorize("isAuthenticated() and hasPermission(#session, 'owner')")
+	@PreAuthorize("hasPermission(#session, 'owner')")
 	@Caching(evict = {
 			@CacheEvict(value = "questions", allEntries = true),
 			@CacheEvict(value = "skillquestions", key = "#session.getId()"),
@@ -370,7 +370,7 @@ public class ContentServiceImpl extends EntityService<Content> implements Conten
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(#questionId, 'content', 'owner')")
+	@PreAuthorize("hasPermission(#questionId, 'content', 'owner')")
 	public void startNewPiRoundDelayed(final String questionId, final int time) {
 		final ContentService contentService = this;
 		final User user = userService.getCurrentUser();
@@ -395,7 +395,7 @@ public class ContentServiceImpl extends EntityService<Content> implements Conten
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(#questionId, 'content', 'owner')")
+	@PreAuthorize("hasPermission(#questionId, 'content', 'owner')")
 	public void cancelPiRoundChange(final String questionId) {
 		final Content content = contentRepository.findOne(questionId);
 		final Session session = sessionRepository.findOne(content.getSessionId());
@@ -426,7 +426,7 @@ public class ContentServiceImpl extends EntityService<Content> implements Conten
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(#questionId, 'content', 'owner')")
+	@PreAuthorize("hasPermission(#questionId, 'content', 'owner')")
 	@CacheEvict("answers")
 	public void resetPiRoundState(final String questionId) {
 		final Content content = contentRepository.findOne(questionId);
@@ -446,7 +446,7 @@ public class ContentServiceImpl extends EntityService<Content> implements Conten
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(#questionId, 'content', 'owner')")
+	@PreAuthorize("hasPermission(#questionId, 'content', 'owner')")
 	public void setVotingAdmission(final String questionId, final boolean disableVoting) {
 		final Content content = contentRepository.findOne(questionId);
 		final Session session = sessionRepository.findOne(content.getSessionId());
@@ -516,7 +516,7 @@ public class ContentServiceImpl extends EntityService<Content> implements Conten
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(#questionId, 'content', 'owner')")
+	@PreAuthorize("hasPermission(#questionId, 'content', 'owner')")
 	public void deleteAnswers(final String questionId) {
 		final Content content = contentRepository.findOne(questionId);
 		content.resetQuestionState();
@@ -1005,7 +1005,7 @@ public class ContentServiceImpl extends EntityService<Content> implements Conten
 
 	/* TODO: Only evict cache entry for the answer's question. This requires some refactoring. */
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
+	@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
 	@CacheEvict(value = "answers", allEntries = true)
 	public void deleteAllPreparationAnswers(String sessionkey) {
 		final Session session = getSession(sessionkey);
@@ -1020,7 +1020,7 @@ public class ContentServiceImpl extends EntityService<Content> implements Conten
 
 	/* TODO: Only evict cache entry for the answer's question. This requires some refactoring. */
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
+	@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
 	@CacheEvict(value = "answers", allEntries = true)
 	public void deleteAllLectureAnswers(String sessionkey) {
 		final Session session = getSession(sessionkey);
diff --git a/src/main/java/de/thm/arsnova/services/MotdServiceImpl.java b/src/main/java/de/thm/arsnova/services/MotdServiceImpl.java
index 86c0382fb876e5d8b4aa952ebbbb8986e70eab63..4c699c696ec3da47eb0452e402fdd0d98cb2121e 100644
--- a/src/main/java/de/thm/arsnova/services/MotdServiceImpl.java
+++ b/src/main/java/de/thm/arsnova/services/MotdServiceImpl.java
@@ -70,13 +70,13 @@ public class MotdServiceImpl extends EntityService<Motd> implements MotdService
   }
 
   @Override
-  @PreAuthorize("isAuthenticated() and hasPermission(1,'motd','admin')")
+  @PreAuthorize("hasPermission('', 'motd', 'admin')")
   public List<Motd> getAdminMotds() {
     return motdRepository.findGlobalForAdmin();
   }
 
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
+	@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
 	public List<Motd> getAllSessionMotds(final String sessionkey) {
 		return motdRepository.findBySessionKey(sessionkey);
 	}
@@ -135,13 +135,13 @@ public class MotdServiceImpl extends EntityService<Motd> implements MotdService
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(1,'motd','admin')")
+	@PreAuthorize("hasPermission('', 'motd', 'admin')")
 	public Motd save(final Motd motd) {
 		return createOrUpdateMotd(motd);
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
+	@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
 	public Motd save(final String sessionkey, final Motd motd) {
 		Session session = sessionService.getByKey(sessionkey);
 		motd.setSessionId(session.getId());
@@ -150,13 +150,13 @@ public class MotdServiceImpl extends EntityService<Motd> implements MotdService
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(1,'motd','admin')")
+	@PreAuthorize("hasPermission(1,'motd','admin')")
 	public Motd update(final Motd motd) {
 		return createOrUpdateMotd(motd);
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
+	@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
 	public Motd update(final String sessionkey, final Motd motd) {
 		return createOrUpdateMotd(motd);
 	}
@@ -183,14 +183,14 @@ public class MotdServiceImpl extends EntityService<Motd> implements MotdService
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(1,'motd','admin')")
+	@PreAuthorize("hasPermission('', 'motd', 'admin')")
 	@CacheEvict(cacheNames = "motds", key = "#motd.audience.concat(#motd.sessionkey)")
 	public void delete(Motd motd) {
 		motdRepository.delete(motd);
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
+	@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
 	public void deleteBySessionKey(final String sessionkey, Motd motd) {
 		motdRepository.delete(motd);
 	}
diff --git a/src/main/java/de/thm/arsnova/services/SessionServiceImpl.java b/src/main/java/de/thm/arsnova/services/SessionServiceImpl.java
index d0f9a94daba760bc65e4f7790687d3fe475d0b8f..78dbf631ee96cd1fce1a692db38cb2b6b5ddbee4 100644
--- a/src/main/java/de/thm/arsnova/services/SessionServiceImpl.java
+++ b/src/main/java/de/thm/arsnova/services/SessionServiceImpl.java
@@ -262,7 +262,7 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
 		return this.getInternal(keyword, user);
 	}
 
-	@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
+	@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
 	public Session getForAdmin(final String keyword) {
 		return sessionRepository.findByKeyword(keyword);
 	}
@@ -331,7 +331,7 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(1, 'motd', 'admin')")
+	@PreAuthorize("hasPermission('', 'motd', 'admin')")
 	public List<Session> getUserVisitedSessions(String username) {
 		return sessionRepository.findVisitedByUsername(username, 0, 0);
 	}
@@ -343,7 +343,7 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated()")
+	@PreAuthorize("hasPermission('', 'session', 'create')")
 	@Caching(evict = @CacheEvict(cacheNames = "sessions", key = "#result.keyword"))
 	public Session save(final Session session) {
 		if (connectorClient != null && session.getCourseId() != null) {
@@ -412,12 +412,9 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
 	}
 
 	@Override
+	@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
 	public Session setActive(final String sessionkey, final Boolean lock) {
 		final Session session = sessionRepository.findByKeyword(sessionkey);
-		final User user = userService.getCurrentUser();
-		if (!session.isCreator(user)) {
-			throw new ForbiddenException("User is not session creator.");
-		}
 		session.setActive(lock);
 		this.publisher.publishEvent(new StatusSessionEvent(this, session));
 		sessionRepository.save(session);
@@ -426,7 +423,7 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(#session, 'owner')")
+	@PreAuthorize("hasPermission(#session, 'owner')")
 	@CachePut(value = "sessions", key = "#session")
 	public Session update(final String sessionkey, final Session session) {
 		final Session existingSession = sessionRepository.findByKeyword(sessionkey);
@@ -455,7 +452,7 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(1, 'motd', 'admin')")
+	@PreAuthorize("hasPermission('', 'motd', 'admin')")
 	@Caching(evict = { @CacheEvict("sessions"), @CacheEvict(cacheNames = "sessions", key = "#sessionkey.keyword") })
 	public Session updateCreator(String sessionkey, String newCreator) {
 		final Session session = sessionRepository.findByKeyword(sessionkey);
@@ -483,7 +480,7 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(#session, 'owner')")
+	@PreAuthorize("hasPermission(#session, 'owner')")
 	@CacheEvict("sessions")
 	public int[] deleteCascading(final Session session) {
 		int[] count = new int[] {0, 0, 0};
@@ -501,7 +498,7 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated()")
+	@PreAuthorize("hasPermission(#sessionkey, 'session', 'read')")
 	public ScoreStatistics getLearningProgress(final String sessionkey, final String type, final String questionVariant) {
 		final Session session = sessionRepository.findByKeyword(sessionkey);
 		ScoreCalculator scoreCalculator = scoreCalculatorFactory.create(type, questionVariant);
@@ -509,7 +506,7 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated()")
+	@PreAuthorize("hasPermission(#sessionkey, 'session', 'read')")
 	public ScoreStatistics getMyLearningProgress(final String sessionkey, final String type, final String questionVariant) {
 		final Session session = sessionRepository.findByKeyword(sessionkey);
 		final User user = userService.getCurrentUser();
@@ -518,7 +515,7 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated()")
+	@PreAuthorize("hasPermission('', 'session', 'create')")
 	public SessionInfo importSession(ImportExportSession importSession) {
 		final User user = userService.getCurrentUser();
 		final SessionInfo info = sessionRepository.importSession(user, importSession);
@@ -529,13 +526,13 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
+	@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
 	public ImportExportSession exportSession(String sessionkey, Boolean withAnswerStatistics, Boolean withFeedbackQuestions) {
 		return sessionRepository.exportSession(sessionkey, withAnswerStatistics, withFeedbackQuestions);
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
+	@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
 	public SessionInfo copySessionToPublicPool(String sessionkey, de.thm.arsnova.entities.transport.ImportExportSession.PublicPool pp) {
 		ImportExportSession temp = sessionRepository.exportSession(sessionkey, false, false);
 		temp.getSession().setPublicPool(pp);
@@ -550,17 +547,16 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
 	}
 
 	@Override
+	@PreAuthorize("hasPermission(#sessionkey, 'session', 'read')")
 	public SessionFeature getFeatures(String sessionkey) {
 		return sessionRepository.findByKeyword(sessionkey).getFeatures();
 	}
 
 	@Override
+	@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
 	public SessionFeature updateFeatures(String sessionkey, SessionFeature features) {
 		final Session session = sessionRepository.findByKeyword(sessionkey);
 		final User user = userService.getCurrentUser();
-		if (!session.isCreator(user)) {
-			throw new UnauthorizedException("User is not session creator.");
-		}
 		session.setFeatures(features);
 		this.publisher.publishEvent(new FeatureChangeEvent(this, session));
 		sessionRepository.save(session);
@@ -569,12 +565,10 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
 	}
 
 	@Override
+	@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
 	public boolean lockFeedbackInput(String sessionkey, Boolean lock) {
 		final Session session = sessionRepository.findByKeyword(sessionkey);
 		final User user = userService.getCurrentUser();
-		if (!session.isCreator(user)) {
-			throw new UnauthorizedException("User is not session creator.");
-		}
 		if (!lock) {
 			feedbackService.cleanFeedbackVotesBySessionKey(sessionkey, 0);
 		}
@@ -587,12 +581,10 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
 	}
 
 	@Override
+	@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
 	public boolean flipFlashcards(String sessionkey, Boolean flip) {
 		final Session session = sessionRepository.findByKeyword(sessionkey);
 		final User user = userService.getCurrentUser();
-		if (!session.isCreator(user)) {
-			throw new UnauthorizedException("User is not session creator.");
-		}
 		session.setFlipFlashcards(flip);
 		this.publisher.publishEvent(new FlipFlashcardsEvent(this, session));
 		sessionRepository.save(session);