diff --git a/supabase/migrations/20260223090000_services_read_only_for_standard_it_dispatcher.sql b/supabase/migrations/20260223090000_services_read_only_for_standard_it_dispatcher.sql
new file mode 100644
index 00000000..9e938ee6
--- /dev/null
+++ b/supabase/migrations/20260223090000_services_read_only_for_standard_it_dispatcher.sql
@@ -0,0 +1,30 @@
+-- Make `services` list read-only for `standard`, `it_staff`, and `dispatcher` roles.
+-- Only `admin` may create/update/delete services.
+
+ALTER TABLE public.services ENABLE ROW LEVEL SECURITY;
+
+-- SELECT: allow read for standard, it_staff, dispatcher and admin
+DROP POLICY IF EXISTS "Services: select" ON public.services;
+CREATE POLICY "Services: select" ON public.services
+ FOR SELECT
+ USING (
+ EXISTS (
+ SELECT 1 FROM public.profiles p
+ WHERE p.id = auth.uid() AND p.role IN ('standard', 'it_staff', 'dispatcher', 'admin')
+ )
+ );
+
+-- WRITE (INSERT/UPDATE/DELETE): only admins may modify services
+DROP POLICY IF EXISTS "Services: admin manage" ON public.services;
+CREATE POLICY "Services: admin manage" ON public.services
+ FOR ALL
+ USING (
+ EXISTS (
+ SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role = 'admin'
+ )
+ )
+ WITH CHECK (
+ EXISTS (
+ SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role = 'admin'
+ )
+ );
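Review bot: Both policies derive authorization from `public.profiles.role` through a subquery that runs as the requesting user, so this migration is only as strong as the write protection on `profiles.role`, which the hunk does not show — if an existing `profiles` UPDATE policy lets a user modify their own row without excluding `role`, a `standard` user can set it to `'admin'` and pass the "Services: admin manage" `USING`/`WITH CHECK` tests. Confirm that column is not user-writable, or move the lookup into a `SECURITY DEFINER` helper (e.g. `public.is_admin()`) that reads it independently of `profiles` RLS, which also avoids a silent lockout if `profiles` is not self-readable under its own policies. Neither `CREATE POLICY` names a target role, so both are evaluated for `anon` as well; adding `TO authenticated` after `ON public.services` in each statement scopes them to logged-in sessions and rejects anonymous requests without running the subquery. Writing the call as `(select auth.uid())` is the usual Supabase idiom so it is evaluated once per statement rather than once per row.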