diff --git a/api/.env b/api/.env
index b25f22a..f255c7f 100644
--- a/api/.env
+++ b/api/.env
@@ -72,9 +72,13 @@ POSTGRES_DB=api
 ###> docker-compose/database ###
 ###< secrity-user_in_memory ###
-USER_IN_MEMORY_USERNAME=admin
-USER_IN_MEMORY_PASSWORD=admin
-USER_IN_MEMORY_HASHED_PASSWORD='USER_IN_MEMORY_HASHED_PASSWORD'
+USER_ADMIN_IN_MEMORY_USERNAME=admin
+USER_ADMIN_IN_MEMORY_PASSWORD=admin
+USER_ADMIN_IN_MEMORY_HASHED_PASSWORD='USER_ADMIN_IN_MEMORY_HASHED_PASSWORD'
+
+USER_GAME_IN_MEMORY_USERNAME=game
+USER_GAME_IN_MEMORY_PASSWORD=game
+USER_GAME_IN_MEMORY_HASHED_PASSWORD='USER_GAME_IN_MEMORY_HASHED_PASSWORD'
 ###> secrity-user_in_memory ###
 ###> symfony/mercure-bundle ###
diff --git a/api/.env.test b/api/.env.test
index 9db7d36..018cb07 100644
--- a/api/.env.test
+++ b/api/.env.test
@@ -10,8 +10,11 @@ PANTHER_ERROR_SCREENSHOT_DIR=./var/error-screenshots
 TRUSTED_HOSTS=^example\.com|localhost$
 ###< secrity-user_in_memory ###
-USER_IN_MEMORY_USERNAME=admin
-USER_IN_MEMORY_PASSWORD=admin
+USER_ADMIN_IN_MEMORY_USERNAME=admin
+USER_ADMIN_IN_MEMORY_PASSWORD=admin
+
+USER_GAME_IN_MEMORY_USERNAME=game
+USER_GAME_IN_MEMORY_PASSWORD=game
 ###> secrity-user_in_memory ###
 ###> twitter-authentication ###
diff --git a/api/config/packages/security.yaml b/api/config/packages/security.yaml
index 6b081b8..04dfd86 100644
--- a/api/config/packages/security.yaml
+++ b/api/config/packages/security.yaml
@@ -8,7 +8,8 @@ security:
 app_user_provider:
 memory:
 users:
- '%env(USER_IN_MEMORY_USERNAME)%': { password: '%env(USER_IN_MEMORY_HASHED_PASSWORD)%', roles: ['ROLE_ADMIN'] }
+ '%env(USER_ADMIN_IN_MEMORY_USERNAME)%': { password: '%env(USER_ADMIN_IN_MEMORY_HASHED_PASSWORD)%', roles: ['ROLE_ADMIN'] }
+ '%env(USER_GAME_IN_MEMORY_USERNAME)%': { password: '%env(USER_GAME_IN_MEMORY_HASHED_PASSWORD)%', roles: ['ROLE_GAME'] }
 firewalls:
 dev:
 pattern: ^/(_(profiler|wdt)|css|images|js)/
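Review bot: The versioned `.env` now ships a second working default credential pair, `USER_GAME_IN_MEMORY_USERNAME=game` / `USER_GAME_IN_MEMORY_PASSWORD=game`, beside `admin`/`admin`; `.env` is committed and loaded in every environment, so these are the values a deployment runs with unless `.env.local` overrides them. The `*_HASHED_PASSWORD` entries are literal placeholder strings rather than hashes, and they are what the non-test provider reads, so the defaults presumably cannot authenticate as shipped, but the layout invites someone to paste a real hash into `.env` and commit a usable secret. I would leave the password values empty in the committed file and document the override, e.g. `USER_GAME_IN_MEMORY_PASSWORD=` and `# real values go in .env.local; generate the hash with: php bin/console security:hash-password`. The plaintext `*_IN_MEMORY_PASSWORD` variables are only consumed by the test provider as far as this diff shows, so they could live in `.env.test` alone.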
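Review bot: The new `ROLE_GAME` user is added to the provider without a `role_hierarchy` entry, so every operation that must stay readable by admins has to spell out `is_granted("ROLE_ADMIN") || is_granted("ROLE_GAME")`, and this commit repeats that expression across seven resources. Declaring `role_hierarchy: { ROLE_ADMIN: [ROLE_GAME] }` under `security:` lets each operation use `is_granted("ROLE_GAME")` alone and removes the chance of a later operation gating on `ROLE_GAME` while silently locking admins out. The `access_control` rules that decide whether a `ROLE_GAME` token reaches these routes at all are not in the hunk, so I cannot tell what the game account can do on operations that carry no `security` expression; that is worth confirming before merge.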
@@ -60,4 +61,5 @@ when@test:
 app_user_provider:
 memory:
 users:
- '%env(USER_IN_MEMORY_USERNAME)%': { password: '%env(USER_IN_MEMORY_PASSWORD)%', roles: [ 'ROLE_ADMIN' ] }
+ '%env(USER_ADMIN_IN_MEMORY_USERNAME)%': { password: '%env(USER_ADMIN_IN_MEMORY_PASSWORD)%', roles: [ 'ROLE_ADMIN' ] }
+ '%env(USER_GAME_IN_MEMORY_USERNAME)%': { password: '%env(USER_GAME_IN_MEMORY_PASSWORD)%', roles: ['ROLE_GAME'] }
diff --git a/api/src/Entity/Game.php b/api/src/Entity/Game.php
index 7bb68d4..29095fe 100644
--- a/api/src/Entity/Game.php
+++ b/api/src/Entity/Game.php
@@ -29,11 +29,11 @@
 ApiResource(
 types: ['https://schema.org/VideoGame'],
 operations: [
- new GetCollection(),
+ new GetCollection(security: 'is_granted("ROLE_ADMIN") || is_granted("ROLE_GAME")'),
 new Get(),
 new Put(
 denormalizationContext: ['groups' => ['put']],
- security: 'is_granted("ROLE_ADMIN") && object.getScore() === null',
+ security: '(is_granted("ROLE_ADMIN") || is_granted("ROLE_GAME")) && object.getScore() === null',
 validationContext: ['groups' => ['putValidation']],
 processor: GamePutProcessor::class
 ),
diff --git a/api/src/Entity/Lot.php b/api/src/Entity/Lot.php
index b2bbae0..07ef57d 100644
--- a/api/src/Entity/Lot.php
+++ b/api/src/Entity/Lot.php
@@ -29,7 +29,7 @@
 operations: [
 new GetCollection(),
 new Post(),
- new Get(),
+ new Get(security: 'is_granted("ROLE_ADMIN") || is_granted("ROLE_GAME")'),
 new Put(),
 new Delete(validationContext: ['groups' => ['deleteValidation']], processor: LotProcessor::class),
 ],
diff --git a/api/src/Entity/MediaObject.php b/api/src/Entity/MediaObject.php
index 2c7e39e..a36605d 100644
--- a/api/src/Entity/MediaObject.php
+++ b/api/src/Entity/MediaObject.php
@@ -59,7 +59,7 @@
 validationContext: ['groups' => ['Default', 'media_object_create']],
 deserialize: false,
 ),
- new Get(),
+ new Get(security: 'is_granted("ROLE_ADMIN") || is_granted("ROLE_GAME")'),
 new Put(denormalizationContext: ['groups' => ['put']]),
 new Delete(),
 ],
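Review bot: `new Get()` on the line right after the changed `GetCollection` keeps no `security` expression, so a single game stays reachable by any request the firewall admits while listing games now needs `ROLE_ADMIN` or `ROLE_GAME`; if the collection is meant to be role-gated the item read should carry the same rule, `new Get(security: 'is_granted("ROLE_ADMIN") || is_granted("ROLE_GAME")'),`. The `Put` change lets the game account rewrite any game whose `getScore()` is still null, which looks intended for the game client, but the writable fields are whatever the `put` serialization group exposes and that group is not in the hunk. The `ApiResource` attribute continues outside the hunk.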
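Review bot: Only `Get` gains a `security` expression while `GetCollection`, `Post`, `Put` and `Delete` in the same `operations` list stay unguarded, which inverts least privilege: if the firewall admits a `ROLE_GAME` token to these routes, the game account can create, edit and delete lots while being checked only when reading one, and the open collection returns the same data the gated item read protects. Either the writes need `security: 'is_granted("ROLE_ADMIN")'` or the resource needs an `#[ApiResource(security: 'is_granted("ROLE_ADMIN")', ...)]` default that the read operations override. Whether `access_control` already blocks this is not visible in the diff, so treat it as a question rather than a confirmed hole. The attribute's argument list continues outside the hunk.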
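Review bot: `Put` and `Delete` on the lines after the changed `Get` still carry no `security` expression, so the only media-object operation this commit restricts is the read, and a `ROLE_GAME` token the firewall admits could presumably modify or delete uploads. If the game client only needs to fetch media, pin the writes to the admin: `new Put(denormalizationContext: ['groups' => ['put']], security: 'is_granted("ROLE_ADMIN")'),` and `new Delete(security: 'is_granted("ROLE_ADMIN")'),`. The upload `Post` operation starts above the hunk, so I cannot see whether it is guarded.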
diff --git a/api/src/Entity/Player.php b/api/src/Entity/Player.php
index 4aae26e..37b82e0 100644
--- a/api/src/Entity/Player.php
+++ b/api/src/Entity/Player.php
@@ -27,7 +27,7 @@
 #[ApiResource(
 operations: [
 new GetCollection(),
- new Get(),
+ new Get(security: 'is_granted("ROLE_ADMIN") || is_granted("ROLE_GAME")'),
 ],
 mercure: ['private' => true],
 order: ['lastPlayDate' => 'DESC', 'name' => 'ASC'],
diff --git a/api/src/Entity/TwitterAccountToFollow.php b/api/src/Entity/TwitterAccountToFollow.php
index 7d5410e..cd3e5b3 100644
--- a/api/src/Entity/TwitterAccountToFollow.php
+++ b/api/src/Entity/TwitterAccountToFollow.php
@@ -30,7 +30,7 @@
 #[UniqueEntity('username')]
 #[ApiResource(
 operations: [
- new GetCollection(),
+ new GetCollection(security: 'is_granted("ROLE_ADMIN") || is_granted("ROLE_GAME")'),
 new Post(validationContext: ['groups' => new GroupSequence(['firstPostValidation', 'secondPostValidation'])], processor: TwitterAccountToFollowProcessor::class),
 new Get(),
 new Put(denormalizationContext: ['groups' => ['put']], processor: TwitterAccountToFollowProcessor::class),
diff --git a/api/src/Entity/TwitterHashtag.php b/api/src/Entity/TwitterHashtag.php
index 34d5a9e..63160a1 100644
--- a/api/src/Entity/TwitterHashtag.php
+++ b/api/src/Entity/TwitterHashtag.php
@@ -26,7 +26,7 @@
 #[UniqueEntity('hashtag')]
 #[ApiResource(
 operations: [
- new GetCollection(),
+ new GetCollection(security: 'is_granted("ROLE_ADMIN") || is_granted("ROLE_GAME")'),
 new Post(),
 new Get(),
 new Put(denormalizationContext: ['groups' => ['put']]),
diff --git a/api/tests/Security/LoginTest.php b/api/tests/Security/LoginTest.php
index 9850afb..33fac4d 100644
--- a/api/tests/Security/LoginTest.php
+++ b/api/tests/Security/LoginTest.php
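Review bot: `GetCollection()` two lines above the changed `Get` keeps no `security` expression, so the player list stays open to whatever the firewall admits while a single player now requires `ROLE_ADMIN` or `ROLE_GAME`; the collection exposes every item the gated read protects, which makes the item check ineffective on its own. Apply the same rule to the collection, `new GetCollection(security: 'is_granted("ROLE_ADMIN") || is_granted("ROLE_GAME")'),`. `mercure: ['private' => true]` on the line below presumably means pushed updates are only delivered to subscribers holding a Mercure JWT for this topic, so the game client will also need that subscription claim, which this commit does not add. The attribute continues outside the hunk.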
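Review bot: `Post` and `Put` below the changed `GetCollection` carry no `security` expression while the collection read now does, so, as far as this hunk shows, a `ROLE_GAME` token admitted by the firewall can add or change the accounts the bot follows yet must hold a role to list them. Those two operations run `TwitterAccountToFollowProcessor`, which is where side effects happen and the stronger reason to gate them: add `security: 'is_granted("ROLE_ADMIN")'` to both `Post` and `Put`. The item `Get` between them is also left open, inconsistent with the gated collection. The attribute's operation list continues outside the hunk.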
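Review bot: `GetCollection` is gated but `Post`, `Get` and `Put` immediately below it are not, so a hashtag can be created or changed by any principal the firewall admits, including the new game account, while listing hashtags requires a role. Unless `access_control` already restricts these routes, `new Post(security: 'is_granted("ROLE_ADMIN")'),` and the same expression on `Put` are needed so that introducing `ROLE_GAME` does not widen write access. If the game client should read hashtags, the item `Get` wants the same rule as the collection for consistency. The `operations` list continues outside the hunk.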
@@ -18,9 +18,9 @@ final class LoginTest extends ApiTestCase
 */
 public function testLogin(): void
 {
- static::createClient()->request('POST', '/login', ['json' => [
- 'username' => $_ENV['USER_IN_MEMORY_USERNAME'],
- 'password' => $_ENV['USER_IN_MEMORY_PASSWORD'],
+ self::createClient()->request('POST', '/login', ['json' => [
+ 'username' => $_ENV['USER_ADMIN_IN_MEMORY_USERNAME'],
+ 'password' => $_ENV['USER_ADMIN_IN_MEMORY_PASSWORD'],
 ]]);
 self::assertResponseIsSuccessful();
@@ -32,7 +32,7 @@ public function testLogin(): void
 */
 public function testLoginFail(): void
 {
- static::createClient()->request('POST', '/login', ['json' => [
+ self::createClient()->request('POST', '/login', ['json' => [
 'username' => 'invalid user',
 'password' => 'invalid password',
 ]]);
@@ -50,9 +50,9 @@ public function testLoginFail(): void
 */
 public static function getLoginToken(): string
 {
- $token = static::createClient()->request('POST', '/login', ['json' => [
- 'username' => $_ENV['USER_IN_MEMORY_USERNAME'],
- 'password' => $_ENV['USER_IN_MEMORY_PASSWORD'],
+ $token = self::createClient()->request('POST', '/login', ['json' => [
+ 'username' => $_ENV['USER_ADMIN_IN_MEMORY_USERNAME'],
+ 'password' => $_ENV['USER_ADMIN_IN_MEMORY_PASSWORD'],
 ]]);
 self::assertResponseIsSuccessful();
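Review bot: `testLogin` still exercises only the admin account through `USER_ADMIN_IN_MEMORY_USERNAME`, so the `game` user this commit adds to the in-memory provider has no test proving it can authenticate and none proving what it cannot reach. A companion `testGameLogin` posting `$_ENV['USER_GAME_IN_MEMORY_USERNAME']` / `$_ENV['USER_GAME_IN_MEMORY_PASSWORD']` and asserting success, followed by a request with that token against an admin-only operation asserting a 403, would pin the authorization boundary the entity changes depend on. The remaining assertions of `testLogin` are outside the hunk.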
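Review bot: `getLoginToken()` is hard-wired to the admin credentials, so every test that uses it runs as `ROLE_ADMIN` and no test can obtain a `ROLE_GAME` token to verify the new `is_granted("ROLE_GAME")` expressions. A small parameterisation keeps existing callers working: `public static function getLoginToken(string $account = 'ADMIN'): string` with `'username' => $_ENV['USER_'.$account.'_IN_MEMORY_USERNAME'],` and `'password' => $_ENV['USER_'.$account.'_IN_MEMORY_PASSWORD'],`. The rest of the method, including how the token is read from the response, is outside the hunk.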