diff --git a/internal/lib/auth/tycovar.go b/internal/lib/auth/tycovar.go
index c746b795..a958fa6a 100644
--- a/internal/lib/auth/tycovar.go
+++ b/internal/lib/auth/tycovar.go
@@ -107,3 +107,7 @@ func (a AuthInfo) HasEmployeePosition() bool {
 func (a AuthInfo) IsReg() bool {
 return a.Employee_Position_Code != nil && *a.Employee_Position_Code == string(ero.EPCReg)
 }
+
+func (a AuthInfo) IsSys() bool {
+ return a.User_ContractPosition_Code == string(ero.CSCSys)
+}
diff --git a/internal/use-case/main-use-case/patient/case.go b/internal/use-case/main-use-case/patient/case.go
index a53072fe..f82d114d 100644
--- a/internal/use-case/main-use-case/patient/case.go
+++ b/internal/use-case/main-use-case/patient/case.go
@@ -39,18 +39,7 @@ func Create(input e.CreateDto) (*d.Data, error) {
 pl.SetLogInfo(&event, input, "started", "create")
 mwRunner := newMiddlewareRunner(&event)
- // check if user has employee position
- if !input.AuthInfo.HasEmployeePosition() {
- event.Status = "failed"
- event.ErrInfo = pl.ErrorInfo{
- Code: "auth-forbidden",
- Detail: "user has no employee position",
- Raw: errors.New("authentication failed"),
- }
- return nil, pl.SetLogError(&event, input)
- }
-
- if !input.AuthInfo.IsReg() {
+ if !input.AuthInfo.IsReg() || !input.AuthInfo.IsSys() {
 event.Status = "failed"
 event.ErrInfo = pl.ErrorInfo{
 Code: "auth-forbidden",
@@ -266,7 +255,7 @@ func Update(input e.UpdateDto) (*d.Data, error) {
 pl.SetLogInfo(&event, input, "started", "update")
 mwRunner := newMiddlewareRunner(&event)
- if !input.AuthInfo.IsReg() {
+ if !input.AuthInfo.IsReg() || !input.AuthInfo.IsSys() {
 event.Status = "failed"
 event.ErrInfo = pl.ErrorInfo{
 Code: "auth-forbidden",
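Review bot: IsSys is exported and, as used later in this commit, decides who may create and update patients, yet it has no doc comment. I would add `// IsSys reports whether the user's contract position code equals ero.CSCSys.` above it. Unlike IsReg there is no nil check, because User_ContractPosition_Code is compared as a plain value. The comment should also say what an unset code means for the result, since how the field is populated is not visible here.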
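Review bot: The guard `if !input.AuthInfo.IsReg() || !input.AuthInfo.IsSys() {` in Create denies any caller that is not both Reg and Sys, so a user holding only one of the two positions is rejected with `auth-forbidden`. If the aim is to admit either position, which the removal of the HasEmployeePosition check suggests, the line should read `if !input.AuthInfo.IsReg() && !input.AuthInfo.IsSys() {`; the Update hunk (`@@ -266,7 +255,7 @@`) has the same expression and needs the same change. With the `&&` form a Sys user passes without an employee position, so that should be a deliberate decision and is worth a table-driven test over the four Reg/Sys combinations. Create's body continues outside the hunk.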