diff --git a/aleksis/apps/tezor/rules.py b/aleksis/apps/tezor/rules.py
new file mode 100644
index 0000000000000000000000000000000000000000..98aa9de4d49b81646950b1704128336f68271a57
--- /dev/null
+++ b/aleksis/apps/tezor/rules.py
@@ -0,0 +1,72 @@
+import rules
+
+from .models.base import Client
+from .models.invoice import Invoice, InvoiceGroup
+
+from aleksis.core.util.predicates import has_person, has_global_perm, has_any_object, has_object_perm
+
+# View clients
+view_clients_predicate = has_person & (
+    has_global_perm("tezor.view_client") | has_any_object("tezor.view_client", Client)
+)
+rules.add_perm("tezor.view_clients_rule", view_clients_predicate)
+
+# View client
+view_client_predicate = has_person & (
+    has_global_perm("tezor.view_client") | has_object_perm("tezor.view_client")
+)
+rules.add_perm("tezor.view_client_rule", view_client_predicate)
+
+# Edit clients
+edit_client_predicate = has_person & (
+    has_global_perm("tezor.edit_client") | has_object_perm("tezor.edit_client")
+)
+rules.add_perm("tezor.edit_client_rule", edit_client_predicate)
+
+# Create clients
+create_client_predicate = has_person & (
+    has_global_perm("tezor.create_client") | has_any_object("tezor.create_client", Client)
+)
+rules.add_perm("tezor.create_client_rule", create_client_predicate)
+
+# Delete clients
+delete_client_predicate = has_person & (
+    has_global_perm("tezor.delete_client") | has_object_perm("tezor.delete_client")
+)
+rules.add_perm("tezor.delete_client_rule", delete_client_predicate)
+
+# View invoice groups
+view_invoice_groups_predicate = has_person & (
+    has_global_perm("tezor.view_invoice_group") | has_any_object("tezor.view_invoice_group", InvoiceGroup)
+)
+rules.add_perm("tezor.view_invoice_groups_rule", view_invoice_groups_predicate)
+
+# View invoice_group
+view_invoice_group_predicate = has_person & (
+    has_global_perm("tezor.view_invoice_group") | has_object_perm("tezor.view_invoice_group")
+)
+rules.add_perm("tezor.view_invoice_group_rule", view_invoice_group_predicate)
+
+# Edit invoice groups
+edit_invoice_group_predicate = has_person & (
+    has_global_perm("tezor.edit_invoice_group") | has_object_perm("tezor.edit_invoice_group")
+)
+rules.add_perm("tezor.edit_invoice_group_rule", edit_invoice_group_predicate)
+
+# Create invoice groups
+create_invoice_groups_predicate = has_person & (
+    has_global_perm("tezor.create_invoice_group") | has_any_object("tezor.create_invoice_group", InvoiceGroup)
+)
+rules.add_perm("tezor.create_invoice_groups_rule", create_invoice_groups_predicate)
+
+# Delete invoice groups
+delete_invoice_groups_predicate = has_person & (
+    has_global_perm("tezor.delete_invoice_group") | has_any_object("tezor.delete_invoice_group", InvoiceGroup)
+)
+rules.add_perm("tezor.delete_invoice_groups_rule", delete_invoice_groups_predicate)
+
+# View invoice
+view_invoice_predicate = has_person & (
+    has_global_perm("tezor.view_invoice") | has_object_perm("tezor.view_invoice")
+)
+rules.add_perm("tezor.view_invoice_rule", view_invoice_predicate)
diff --git a/aleksis/apps/tezor/views.py b/aleksis/apps/tezor/views.py
index ee4df3c658f103eb7e6415c95ae8e9e8389eac2d..27df0e260bcd2230782829338a781a54b2552044 100644
--- a/aleksis/apps/tezor/views.py
+++ b/aleksis/apps/tezor/views.py
@@ -57,7 +57,7 @@ class ClientListView(PermissionRequiredMixin, SingleTableView):
 
     model = Client
     table_class = ClientsTable
-    permission_required = "tezor.view_clients"
+    permission_required = "tezor.view_clients_rule"
     template_name = "tezor/client/list.html"
 
 
@@ -67,7 +67,7 @@ class ClientCreateView(PermissionRequiredMixin, AdvancedCreateView):
 
     model = Client
     form_class = EditClientForm
-    permission_required = "tezor.add_clients"
+    permission_required = "tezor.create_client_rule"
     template_name = "tezor/client/create.html"
     success_url = reverse_lazy("clients")
     success_message = _("The client has been created.")
@@ -79,7 +79,7 @@ class ClientEditView(PermissionRequiredMixin, AdvancedEditView):
 
     model = Client
     form_class = EditClientForm
-    permission_required = "tezor.edit_clients"
+    permission_required = "tezor.edit_client_rule"
     template_name = "tezor/client/edit.html"
     success_url = reverse_lazy("clients")
     success_message = _("The client has been saved.")
@@ -89,7 +89,7 @@ class ClientDeleteView(PermissionRequiredMixin, AdvancedDeleteView):
     """Delete view for client."""
 
     model = Client
-    permission_required = "tezor.delete_client"
+    permission_required = "tezor.delete_client_rule"
     template_name = "core/pages/delete.html"
     success_url = reverse_lazy("clients")
     success_message = _("The client has been deleted.")
@@ -98,7 +98,7 @@ class ClientDeleteView(PermissionRequiredMixin, AdvancedDeleteView):
 class ClientDetailView(PermissionRequiredMixin, DetailView):
 
     model = Client
-    permission_required = "tezor.view_client"
+    permission_required = "tezor.view_client_rule"
     template_name = "tezor/client/full.html"
 
     def get_context_data(self, object):
@@ -114,7 +114,7 @@ class ClientDetailView(PermissionRequiredMixin, DetailView):
 class InvoiceGroupDetailView(PermissionRequiredMixin, DetailView):
 
     model = InvoiceGroup
-    permission_required = "tezor.view_invoice_group"
+    permission_required = "tezor.view_invoice_group_rule"
     template_name = "tezor/invoice_group/full.html"
 
     def get_context_data(self, object):
@@ -134,7 +134,7 @@ class InvoiceGroupCreateView(PermissionRequiredMixin, AdvancedCreateView):
 
     model = InvoiceGroup
     form_class = EditInvoiceGroupForm
-    permission_required = "tezor.add_invoice_groups"
+    permission_required = "tezor.create_invoice_groups_rule"
     template_name = "tezor/invoice_group/create.html"
     success_url = reverse_lazy("clients")
     success_message = _("The invoice_group has been created.")
@@ -152,7 +152,7 @@ class InvoiceGroupEditView(PermissionRequiredMixin, AdvancedEditView):
 
     model = InvoiceGroup
     form_class = EditInvoiceGroupForm
-    permission_required = "tezor.edit_invoice_groups"
+    permission_required = "tezor.edit_invoice_group_rule"
     template_name = "tezor/invoice_group/edit.html"
     success_url = reverse_lazy("invoice_groups")
     success_message = _("The invoice_group has been saved.")
@@ -162,7 +162,7 @@ class InvoiceGroupDeleteView(PermissionRequiredMixin, AdvancedDeleteView):
     """Delete view for invoice_group."""
 
     model = InvoiceGroup
-    permission_required = "tezor.delete_invoice_group"
+    permission_required = "tezor.delete_invoice_group_rule"
     template_name = "core/pages/delete.html"
     success_url = reverse_lazy("invoice_groups")
     success_message = _("The invoice_group has been deleted.")
@@ -171,5 +171,5 @@ class InvoiceGroupDeleteView(PermissionRequiredMixin, AdvancedDeleteView):
 class InvoiceDetailView(PermissionRequiredMixin, DetailView):
 
     model = Invoice
-    permission_required = "tezor.view_invoice"
+    permission_required = "tezor.view_invoice_rule"
     template_name = "tezor/invoice/full.html"