diff --git a/app/Controllers/Http/EmployeesController.ts b/app/Controllers/Http/EmployeesController.ts
index 97576d3..ab9ec26 100644
--- a/app/Controllers/Http/EmployeesController.ts
+++ b/app/Controllers/Http/EmployeesController.ts
@@ -4,13 +4,20 @@ import UpdateEmployeeValidator from 'App/Validators/UpdateEmployeeValidator'
 import CreateEmployeeValidator from 'App/Validators/CreateEmployeeValidator'
 import Database from '@ioc:Adonis/Lucid/Database'
+import Logger from '@ioc:Adonis/Core/Logger'
 // TODO: #1 Implement paginator for Employee-Index
 export default class EmployeesController {
-  public async index ({bouncer}: HttpContextContract) {
+  public async index ({bouncer, request}: HttpContextContract) {
     await bouncer.authorize('employees.index')
-    return await Database.from('employees').select('*')
+    const limit: number = request.qs().limit ?? 10
+    const page: number = request.qs().page ?? 1
+    const sort_by = await this.sort_by(request.qs().sort_by)
+
+    const employees = await Database.from('employees').orderBy(sort_by).paginate(page, limit)
+
+    return employees
   }
   public async store ({request}: HttpContextContract) {
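Review bot: `limit` and `page` on the two new `const` lines are taken straight from the query string, and query-string values arrive as strings (or arrays when a key repeats), so the `: number` annotations convert nothing and no upper bound exists on how many rows a single request can pull through `paginate`; parse and clamp them first, e.g. `const limit = Math.min(Math.max(Number(request.qs().limit) || 10, 1), 100)` and `const page = Math.max(Number(request.qs().page) || 1, 1)` (100 is only an example cap — pick one that fits the API). The `// TODO: #1 Implement paginator for Employee-Index` line is now stale, since this hunk adds the paginator, and should be removed. `Logger` is imported but not referenced in any visible hunk; if the rest of the file does not use it either, drop the import.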
@@ -36,36 +43,62 @@ export default class EmployeesController {
   public async show ({params, bouncer}: HttpContextContract) {
     const emp = await Employee.findOrFail(params.id)
-    if (await bouncer.denies('employees.show', emp)){
-      return 'Not admin or wrong user'
-    }
+    await bouncer.authorize('employees.show', emp)
     return emp
   }
-  public async update ({params, request}: HttpContextContract) {
+  public async update ({params, bouncer, response, request}: HttpContextContract) {
     const employee : Employee = await Employee.findOrFail(params.id)
+    const editContractHours : boolean = employee.contractHours !== request.input('contractHours')
-    try {
-      const payload = await request.validate(UpdateEmployeeValidator)
-
-      employee.firstName = payload.firstName
-      employee.lastName = payload.lastName ?? ''
-      employee.shorthand = payload.shorthand
-      employee.email = payload.email ?? ''
-      employee.phone = payload.phone ?? ''
-      employee.mobile = payload.mobile ?? ''
+    await bouncer.authorize('employees.update', editContractHours, employee)
+
+    const payload = await request.validate(UpdateEmployeeValidator)
+
+    if (editContractHours){
       employee.contractHours = payload.contractHours ?? 0
-
-      return await employee.save()
-
-    } catch(error) {
-      return error
     }
+
+    employee.firstName = payload.firstName
+    employee.lastName = payload.lastName ?? ''
+    employee.shorthand = payload.shorthand
+    employee.email = payload.email ?? ''
+    employee.phone = payload.phone ?? ''
+    employee.mobile = payload.mobile ?? ''
+
+    await employee.save()
+
+    return response.ok({
+      status: 200,
+      message: "Employee updated successfully"
+    })
   }
-  public async destroy ({params}: HttpContextContract) {
+  public async destroy ({params, bouncer}: HttpContextContract) {
+    await bouncer.authorize('employees.destroy')
+
     return await Database.from('employees').where('id', params.id).delete()
   }
+
+  private async sort_by(qs: string): Promise<{column : string, order?: 'asc' | 'desc' | undefined}[]> {
+    const regex : RegExp = /(asc|desc)\((\w+)\)/gi
+    const client = Database.connection()
+    let result: {
+      column: string,
+      order?: 'asc' | 'desc' | undefined
+    }[] = []
+
+    const columns = await client.columnsInfo('employees')
+    const match = qs?.matchAll(regex) ?? []
+
+    for (const item of match) {
+      if( columns.hasOwnProperty(item[2]) && (item[1] === 'asc' || item[1] === 'desc')) result.push({column: item[2], order: item[1]})
+    }
+
+    if(result.length === 0) result.push({column: 'last_name'})
+
+    return result
+  }
 }
diff --git a/start/bouncer.ts b/start/bouncer.ts
index 947c7bb..127ae9c 100644
--- a/start/bouncer.ts
+++ b/start/bouncer.ts
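Review bot: `editContractHours`, on the line right after `findOrFail` in `update`, strict-compares the stored value with the raw `request.input('contractHours')`, which is a string or `undefined`, so the flag is true whenever the field is omitted or sent as text even if the hours did not change; a non-admin editing only their own name is then denied for "editing contract hours", and an admin who leaves the field out writes `payload.contractHours ?? 0` into the record. Derive the flag from validated data instead: move `const payload = await request.validate(UpdateEmployeeValidator)` above the authorize call, compute `const editContractHours = payload.contractHours !== undefined && payload.contractHours !== employee.contractHours` (assuming the validator types it as a number — confirm), and keep `await bouncer.authorize('employees.update', editContractHours, employee)` after it. Separately, `sort_by` declares `qs: string` but is passed whatever the query parser produced; a repeated `sort_by` key typically parses to an array, on which `matchAll` is undefined and would throw, so guard with `typeof qs === 'string'` before calling it.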
@@ -34,11 +34,34 @@ import Employee from 'App/Models/Employee'
 export const { actions } = Bouncer
   .define('employees.index', (user: User) => {
-    return user.role === 'admin'
+    if(user.role !== 'admin') return Bouncer.deny('You are not allowed to view all employees')
+    return true
   })
   .define('employees.show', (user: User, employee : Employee) => {
-    return user.role === 'admin' || user.id === employee.userId
+    if(user.role !== 'admin' && user.id !== employee.userId){
+      return Bouncer.deny('You are not allowd to view employees other than yourself')
+    }
+    return true
+  })
+
+  .define('employees.store', (user: User) => {
+    if(user.role !== 'admin') return Bouncer.deny('You are not allowd to create any employees')
+    return true
+  })
+
+  .define('employees.destroy', (user: User) => {
+    if(user.role !== 'admin') return Bouncer.deny('You are not allowed to delete any employees')
+    return true
+  })
+
+  .define('employees.update', (user: User, editContractHours : boolean, employee: Employee) => {
+    if(user.id !== employee.userId && user.role !== 'admin'){
+      return Bouncer.deny('You are not allowed to edit employees other than yourself.')
+    } else if (editContractHours && user.role !== 'admin'){
+      return Bouncer.deny('You are not allowed to edit your contract hours.')
+    }
+    return true
   })
 /*
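Review bot: `employees.store` is defined here, but the controller's `store` signature shown as trailing context in the first EmployeesController hunk still destructures only `{request}`, so unless its body (outside the diff) reaches the bouncer some other way the new action has no caller and creating employees remains ungated; `store` should take `bouncer` and call `await bouncer.authorize('employees.store')` the way `destroy` now does. The `employees.update` policy only sees a caller-computed `editContractHours` boolean, so it cannot check the hours itself; a comment on the `.define('employees.update', …)` line stating that callers must derive the flag from validated input would make that contract explicit. Two of the new deny messages misspell "allowed" as `allowd` (the `employees.show` and `employees.store` strings) and are user-facing.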