diff --git a/src/PowderCoating.Web/Controllers/OvenSchedulerController.cs b/src/PowderCoating.Web/Controllers/OvenSchedulerController.cs
index 6ec4ff4..11cdd70 100644
--- a/src/PowderCoating.Web/Controllers/OvenSchedulerController.cs
+++ b/src/PowderCoating.Web/Controllers/OvenSchedulerController.cs
@@ -11,7 +11,9 @@ using PowderCoating.Web.Hubs;
 namespace PowderCoating.Web.Controllers;
-[Authorize]
+// Oven batch scheduling is shop-floor job management — gated to CanManageJobs so
+// low-privilege roles can't create/modify/delete batches. (Audit #3, 2026-06-20.)
+[Authorize(Policy = AppConstants.Policies.CanManageJobs)]
 public class OvenSchedulerController : Controller
 {
     private readonly IUnitOfWork _unitOfWork;
diff --git a/src/PowderCoating.Web/Controllers/ToolsController.cs b/src/PowderCoating.Web/Controllers/ToolsController.cs
index 8f6efbd..938ce9b 100644
--- a/src/PowderCoating.Web/Controllers/ToolsController.cs
+++ b/src/PowderCoating.Web/Controllers/ToolsController.cs
@@ -9,11 +9,15 @@ using PowderCoating.Core.Entities;
 using PowderCoating.Core.Enums;
 using PowderCoating.Core.Interfaces;
 using PowderCoating.Infrastructure.Data;
+using PowderCoating.Shared.Constants;
 using System.Security.Claims;
 namespace PowderCoating.Web.Controllers;
-[Authorize]
+// Bulk import/export + QuickBooks migration tools — gated to the financial-management
+// permission so low-privilege roles (ReadOnly/Employee/ShopFloor) can't export or
+// import company data. (Audit #3, 2026-06-20.)
+[Authorize(Policy = AppConstants.Policies.CanManageInvoices)]
 public class ToolsController : Controller
 {
     private readonly IUnitOfWork _unitOfWork;
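Review bot: The class-level policy on OvenSchedulerController denies every action, including any read-only schedule views, to roles lacking CanManageJobs, while the new comment says only create/modify/delete are the concern; if the controller has GET actions that shop-floor users are expected to see, those now return 403. Either move the policy onto the mutating actions or make the comment state the real scope, e.g. `// Whole controller (schedule views included) gated to CanManageJobs — low-privilege roles get no access at all.`. It is also worth confirming that no action below carries `[AllowAnonymous]`, which would bypass the class-level policy, and that `AppConstants` is already in scope here, since unlike the ToolsController hunk this one does not add `using PowderCoating.Shared.Constants;`. The class body continues outside the hunk.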
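Review bot: Reusing CanManageInvoices for bulk import and QuickBooks migration in ToolsController grants a company-wide write capability to anyone who can manage invoices, which is broader than the financial-management intent the comment describes. Consider gating the import and migration actions separately under an administrative policy (a new constant in `AppConstants.Policies`, name to be chosen) and leaving only export under CanManageInvoices, so an over-provisioned or compromised accounting account cannot rewrite the dataset. Both policy names must also be registered with the authorization options (not visible here); an unregistered policy name makes ASP.NET Core throw an InvalidOperationException at request time rather than deny access, and the same check applies to the OvenSchedulerController hunk. The class body continues outside the hunk.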