diff --git a/packages/bookshop/package.json b/packages/bookshop/package.json
index e3dd9784..9d63306c 100644
--- a/packages/bookshop/package.json
+++ b/packages/bookshop/package.json
@@ -7,6 +7,7 @@
     "@sap/cds": "latest",
     "@sap/xb-msg-amqp-v100": "^0.9.31-SNAPSHOT",
     "express": "*",
+    "passport": "^0.4.0",
     "sqlite3": "^4.1.0"
   },
   "scripts": {
@@ -21,6 +22,12 @@
       "messaging": {
         "kind": "enterprise-messaging"
       }
+    },
+    "auth": {
+      "passport": {
+        "strategy": "mock",
+        "users": { "alice": { "roles": [ "admin" ], "password": "secret", "ID": "ALICE" } }
+      }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/packages/bookshop/srv/admin-service.cds b/packages/bookshop/srv/admin-service.cds
index ec667018..1821e4b7 100644
--- a/packages/bookshop/srv/admin-service.cds
+++ b/packages/bookshop/srv/admin-service.cds
@@ -1,6 +1,6 @@
 using { sap.capire.bookshop as my } from '../db/schema';
 
-service AdminService @(_requires:'authenticated-user') {
+service AdminService @(requires:'admin') {
   entity Books as projection on my.Books;
   entity Authors as projection on my.Authors;
   entity Orders as select from my.Orders;
diff --git a/packages/bookshop/srv/admin-service.js b/packages/bookshop/srv/admin-service.js
index cba0105c..c6dd26ad 100644
--- a/packages/bookshop/srv/admin-service.js
+++ b/packages/bookshop/srv/admin-service.js
@@ -59,6 +59,9 @@ module.exports = cds.service.impl(function () {
 
 async function _readAddresses (req) {
   const businessPartner = req.user.id
+  if (!businessPartner) {
+    return req.reject('You need to be authorized.')
+  }
   const tx = bupaSrv.transaction(req)
   const ql = SELECT.from('API_BUSINESS_PARTNER.A_BusinessPartnerAddress').where(
     { BusinessPartner: businessPartner.toUpperCase() }
@@ -80,6 +83,9 @@ async function _readAddresses (req) {
 async function _fillAddress (req) {
   if (req.data.shippingAddress_AddressID) {
     const businessPartner = req.user.id
+    if (!businessPartner) {
+      return req.reject('You need to be authorized.')
+    }
     const tx = bupaSrv.transaction(req)
     const response = await tx.run(
       SELECT.from('API_BUSINESS_PARTNER.A_BusinessPartnerAddress')
diff --git a/packages/bookshop/srv/init.js b/packages/bookshop/srv/init.js
index 352db79b..49dd313f 100644
--- a/packages/bookshop/srv/init.js
+++ b/packages/bookshop/srv/init.js
@@ -23,6 +23,24 @@ module.exports = db => {
       StreetName: 'SAP-Allee',
       HouseNumber: '25'
     },
+    {
+      BusinessPartner: 'ALICE',
+      AddressID: '62640',
+      CityName: 'Walldorf',
+      PostalCode: '69190',
+      Country: 'Germany',
+      StreetName: 'Dietmar-Hopp-Allee',
+      HouseNumber: '16'
+    },
+    {
+      BusinessPartner: 'ALICE',
+      AddressID: '22222',
+      CityName: 'St. Leon-Rot',
+      PostalCode: '68789',
+      Country: 'Germany',
+      StreetName: 'SAP-Allee',
+      HouseNumber: '25'
+    },
     {
       BusinessPartner: '1003765',
       AddressID: '28241',