diff --git a/lib/main/base_views.py b/lib/main/base_views.py
index 123d4667e8..0d1b84ec4d 100644
--- a/lib/main/base_views.py
+++ b/lib/main/base_views.py
@@ -46,5 +46,13 @@ class BaseDetail(generics.RetrieveUpdateDestroyAPIView):
 def delete_permissions_check(self, request, obj):
 raise exceptions.NotImplementedError()
+ def item_permissions_check(self, request, obj):
+
+ if request.method == 'GET':
+ return self.__class__.model.can_user_read(request.user, obj)
+ elif request.method in [ 'PUT' ]:
+ return self.__class__.model.can_user_administrate(request.user, obj)
+ return False
+
diff --git a/lib/main/models/__init__.py b/lib/main/models/__init__.py
index 26598de097..437d380f1d 100644
--- a/lib/main/models/__init__.py
+++ b/lib/main/models/__init__.py
@@ -35,7 +35,10 @@ class CommonModel(models.Model):
 raise exceptions.NotImplementedError()
 def can_user_delete(cls, user, obj):
- return user in obj.admins.all()
+ raise exceptions.NotImplementedError
+
+ def can_user_access(cls, user, obj):
+ raise exceptions.NotImplementedError()
 class Tag(models.Model):
@@ -88,6 +91,16 @@ class Organization(CommonModel):
 def can_user_delete(cls, user, obj):
 return user in obj.admins.all()
+ def can_user_administrate(cls, user, obj):
+ return request.user in obj.admins.all()
+
+ def can_user_access(cls, user, obj):
+ return self.can_user_administrate(user,obj) or request.user in obj.users.all()
+
+ def can_user_delete(cls, user, obj):
+ return self.can_user_administrate(user, obj)
+
+
 class Inventory(CommonModel):
 ''' an inventory source contains lists and hosts.
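Review bot: In `item_permissions_check` (lib/main/base_views.py) the GET branch calls `model.can_user_read`, but the model changes in this commit add `can_user_access` and `can_user_administrate` and no `can_user_read` is visible. Unless that method is defined outside these hunks, every GET on a detail view would fail with AttributeError instead of producing an authorization decision; `return self.__class__.model.can_user_access(request.user, obj)` looks like the intended call. The fall-through `return False` also denies PATCH and DELETE, which RetrieveUpdateDestroyAPIView serves as well; that is a safe default, and a comment such as `# default deny: only GET and PUT are authorized here` would show it is deliberate. `request.method in [ 'PUT' ]` reads more plainly as `request.method == 'PUT'`.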
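Review bot: In the CommonModel hunk of lib/main/models/__init__.py, `can_user_delete` now raises `exceptions.NotImplementedError` without the call parentheses its sibling stubs use; `raise exceptions.NotImplementedError()` keeps them consistent. The base class gains a `can_user_access` stub here but no `can_user_administrate` stub, although the detail view calls that method on PUT. If it is not declared elsewhere in CommonModel, models that do not override it would fail with AttributeError rather than the intended NotImplementedError. The class body continues outside the hunk.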
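Review bot: The three methods added to Organization cannot run as written: they reference `request` and `self`, neither of which is a parameter (the signature is `(cls, user, obj)`), so each authorization check raises NameError when called. `can_user_delete` is also defined a second time directly below the existing definition, which silently replaces it; keep a single definition. The sketch below uses the `user` argument and `cls`, and assumes these are meant to be classmethods because the view calls them on the model class; confirm how the existing methods are decorated outside the hunk. A one-line docstring on each method stating who is allowed would make the permission model easier to audit.

```python
# … unchanged: existing can_user_delete (keep a single definition) …
    @classmethod
    def can_user_administrate(cls, user, obj):
        return user in obj.admins.all()

    @classmethod
    def can_user_access(cls, user, obj):
        return cls.can_user_administrate(user, obj) or user in obj.users.all()
```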