diff --git a/Backend/src/main/java/com/ebdapo/backend/restcontroller/BenutzerController.java b/Backend/src/main/java/com/ebdapo/backend/restcontroller/BenutzerController.java
index f68bb616d2d2d8c2a759331fd1825c6fab176609..4303ed3758927376e09a3434eea3f81b703441d9 100644
--- a/Backend/src/main/java/com/ebdapo/backend/restcontroller/BenutzerController.java
+++ b/Backend/src/main/java/com/ebdapo/backend/restcontroller/BenutzerController.java
@@ -57,7 +57,13 @@ public class BenutzerController {
 
     @PostMapping("/apotheke/{apothekeId}/benutzer")
     public ResponseEntity<?> createNewBenutzer(@PathVariable String apothekeId, @RequestBody BenutzerAPIDetails benutzerData) {
-        if(!authController.checkIfAuthorized(authController.getCurrentUsername(), apothekeId)) {
+
+        //first user does not have to be authorized
+        boolean firstUser = apothekeRepo.findById(apothekeId).orElseThrow(InvalidInputException::new)
+                .getBenutzer().size() == 0;
+
+
+        if(!firstUser && !authController.checkIfAuthorized(authController.getCurrentUsername(), apothekeId)) {
             return new ResponseEntity<>(HttpStatus.FORBIDDEN);
         }
 
diff --git a/Backend/src/main/java/com/ebdapo/backend/security/SecurityConfiguration.java b/Backend/src/main/java/com/ebdapo/backend/security/SecurityConfiguration.java
index 0390bdb476c0589d7fdeaba38b6ebfb8383a156a..066a681413d341128b7ec3102af459582d3d70aa 100644
--- a/Backend/src/main/java/com/ebdapo/backend/security/SecurityConfiguration.java
+++ b/Backend/src/main/java/com/ebdapo/backend/security/SecurityConfiguration.java
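Review bot: The new `firstUser` lookup runs before the authorization check, so an unauthenticated caller now gets an `InvalidInputException` response for an unknown `apothekeId` and a 403 for a known one, which turns this endpoint into an id-existence oracle, and any pharmacy whose `getBenutzer()` is empty can be claimed by whoever calls first (two concurrent requests can both observe `size() == 0`, and nothing in the hunk serialises them). Combined with the second hunk, which makes `POST /apotheke` `permitAll()`, an anonymous client can create a pharmacy and then its first user; unless the role of that user is forced server-side further down (createNewBenutzer's body continues outside the hunk), this is an unauthenticated admin-creation path, so the bootstrap should at least pin the first user's role and ideally require a one-time setup token or be limited to the pharmacy's creator. I would compute the flag without leaking existence, `boolean firstUser = apothekeRepo.findById(apothekeId).map(a -> a.getBenutzer().isEmpty()).orElse(false);`, keep returning 403 for every caller that is neither a first user nor authorized, and only after that throw `InvalidInputException` for a missing pharmacy. Note also that the Ant pattern `/apotheke/*` added in the security config matches a single path segment only, so `POST /apotheke/{id}/benutzer` is not actually opened by it; whether the anonymous first-user request reaches this code at all depends on the rules that follow outside the second hunk.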
@@ -38,7 +38,8 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter implemen
                 .antMatchers(HttpMethod.DELETE, "/**").hasAnyRole("ADMIN")
                 .antMatchers(HttpMethod.PUT, "​/apotheke​/*​/btmbuchung​/*").hasAnyRole("PRUEFER")
                 .antMatchers(HttpMethod.PUT, "/apotheke/**").hasAnyRole("BENUTZER","ADMIN")
-                .antMatchers(HttpMethod.POST, "/apotheke").hasAnyRole("BENUTZER", "ADMIN")
+                .antMatchers(HttpMethod.POST, "/apotheke").permitAll()
+                .antMatchers(HttpMethod.POST, "/apotheke/*").permitAll()
                 .antMatchers("/login", "/logout").permitAll()
                 //disable cross site forgery and disable cors protection