diff --git a/app/controllers/assets_controller.rb b/app/controllers/assets_controller.rb
index 719bcc654..2e44a88be 100644
--- a/app/controllers/assets_controller.rb
+++ b/app/controllers/assets_controller.rb
@@ -125,7 +125,7 @@ class AssetsController < ApplicationController
def check_edit_permission
if @assoc.class == Step
render_403 && return unless can_manage_protocol_in_module?(@protocol) ||
- can_update_protocol_in_repository?(@protocol)
+ can_manage_protocol_in_repository?(@protocol)
elsif @assoc.class == Result
render_403 and return unless can_manage_module?(@my_module)
end
diff --git a/app/controllers/concerns/sample_actions.rb b/app/controllers/concerns/sample_actions.rb
index 2e94cdbec..0edb9166c 100644
--- a/app/controllers/concerns/sample_actions.rb
+++ b/app/controllers/concerns/sample_actions.rb
@@ -2,7 +2,6 @@ module SampleActions
extend ActiveSupport::Concern
def delete_samples
- check_destroy_samples_permissions
if params[:sample_ids].present?
counter_user = 0
@@ -10,7 +9,7 @@ module SampleActions
params[:sample_ids].each do |id|
sample = Sample.find_by_id(id)
- if sample && can_update_or_delete_sample?(sample)
+ if sample && can_manage_sample?(sample)
sample.destroy
counter_user += 1
else
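Review bot: With the up-front `check_destroy_samples_permissions` call removed in the previous hunk (L21) and the helper itself deleted (L37–L39), the per-sample check on L28 is now the only authorization in `delete_samples`, and it is evaluated against `sample.team` while the `Sample.find_by_id(id)` lookup on L26 is not scoped to the current experiment's team — a sample id belonging to any other team the user is a member of would pass and be destroyed from this page. If samples are meant to stay within the experiment's team, scope the lookup: `sample = Sample.find_by(id: id, team: @project.team)` (`@project.team` is what the removed helper used). `delete_samples` starts and ends outside this hunk.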
@@ -42,8 +41,4 @@ module SampleActions
redirect_to samples_experiment_path(@experiment)
end
end
-
- def check_destroy_samples_permissions
- render_403 unless can_manage_samples?(@project.team)
- end
end
diff --git a/app/controllers/custom_fields_controller.rb b/app/controllers/custom_fields_controller.rb
index 56f738bb6..014caab75 100644
--- a/app/controllers/custom_fields_controller.rb
+++ b/app/controllers/custom_fields_controller.rb
@@ -4,7 +4,7 @@ class CustomFieldsController < ApplicationController
before_action :load_vars, except: :create
before_action :load_vars_nested, only: [:create, :destroy_html]
before_action :check_create_permissions, only: :create
- before_action :check_update_and_delete_permissions, except: :create
+ before_action :check_manage_permissions, except: :create
def create
@custom_field = CustomField.new(custom_field_params)
@@ -105,11 +105,11 @@ class CustomFieldsController < ApplicationController
end
def check_create_permissions
- render_403 unless can_manage_sample_columns?(@team)
+ render_403 unless can_create_sample_columns?(@team)
end
- def check_update_and_delete_permissions
- render_403 unless can_update_or_delete_custom_field?(@custom_field)
+ def check_manage_permissions
+ render_403 unless can_manage_sample_column?(@custom_field)
end
def custom_field_params
diff --git a/app/controllers/my_module_comments_controller.rb b/app/controllers/my_module_comments_controller.rb
index 5799372dd..2a0251384 100644
--- a/app/controllers/my_module_comments_controller.rb
+++ b/app/controllers/my_module_comments_controller.rb
@@ -183,7 +183,7 @@ class MyModuleCommentsController < ApplicationController
end
def check_add_permissions
- render_403 unless can_create_comment_in_module?(@my_module)
+ render_403 unless can_create_comments_in_module?(@my_module)
end
def check_manage_permissions
diff --git a/app/controllers/my_modules_controller.rb b/app/controllers/my_modules_controller.rb
index 22b973915..51c98aa28 100644
--- a/app/controllers/my_modules_controller.rb
+++ b/app/controllers/my_modules_controller.rb
@@ -608,7 +608,8 @@ class MyModulesController < ApplicationController
end
def check_assign_repository_records_permissions
- render_403 unless can_assign_repository_records_to_module?(@my_module)
+ render_403 unless module_page? &&
+ can_assign_repository_rows_to_module?(@my_module)
end
def check_complete_module_permission
diff --git a/app/controllers/project_comments_controller.rb b/app/controllers/project_comments_controller.rb
index b02490737..9cf099cdc 100644
--- a/app/controllers/project_comments_controller.rb
+++ b/app/controllers/project_comments_controller.rb
@@ -174,7 +174,7 @@ class ProjectCommentsController < ApplicationController
end
def check_create_permissions
- render_403 unless can_create_comment_in_project?(@project)
+ render_403 unless can_create_comments_in_project?(@project)
end
def check_manage_permissions
diff --git a/app/controllers/protocols_controller.rb b/app/controllers/protocols_controller.rb
index 0f110a58b..2be21efdb 100644
--- a/app/controllers/protocols_controller.rb
+++ b/app/controllers/protocols_controller.rb
@@ -18,7 +18,13 @@ class ProtocolsController < ApplicationController
linked_children
linked_children_datatable
)
- before_action :check_edit_permissions, only: %i(
+ before_action :check_view_all_permissions, only: %i(
+ index
+ datatable
+ )
+ # For update_from_parent and update_from_parent_modal we don't need to check
+ # read permission for the parent protocol
+ before_action :check_manage_in_module_permissions, only: %i(
edit
update_metadata
update_keywords
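Review bot: The comment at L112–L113 about `update_from_parent` and `update_from_parent_modal` now sits directly above a filter whose `only:` list begins with `edit`, `update_metadata`, `update_keywords` (and continues into the next hunk), so it reads as if it applied to all of those actions; either move it next to the two actions it describes or reword it, e.g. `# Covers the in-module edit actions as well as update_from_parent(_modal); for the latter two we deliberately do not check read permission on the parent protocol`. Separately, `edit`/`update_metadata`/`update_keywords`/`edit_*_modal` were previously gated by `check_edit_permissions` (`can_update_protocol_in_repository?`) and are now gated by `check_manage_in_module_permissions` (`can_manage_protocol_in_module?`); whether repository protocols remain editable depends on the non-visible else branch of `manage_protocol_in_module` (experiment.rb L620–L622), which is worth pinning with a spec.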
@@ -26,14 +32,6 @@ class ProtocolsController < ApplicationController
edit_keywords_modal
edit_authors_modal
edit_description_modal
- )
- before_action :check_view_all_permissions, only: %i(
- index
- datatable
- )
- # For update_from_parent and update_from_parent_modal we don't need to check
- # read permission for the parent protocol
- before_action :check_manage_permissions, only: %i(
unlink
unlink_modal
revert
@@ -41,7 +39,7 @@ class ProtocolsController < ApplicationController
update_from_parent
update_from_parent_modal
)
- before_action :check_update_parent_permissions, only: %i(
+ before_action :check_manage_parent_in_repository_permissions, only: %i(
update_parent
update_parent_modal
)
@@ -1066,27 +1064,17 @@ class ProtocolsController < ApplicationController
end
end
- def check_edit_permissions
- load_team_and_type
+ def check_manage_in_module_permissions
@protocol = Protocol.find_by_id(params[:id])
-
- unless can_update_protocol_in_repository?(@protocol)
- render_403
- end
- end
-
- def check_manage_permissions
- @protocol = Protocol.find_by_id(params[:id])
-
- render_403 if @protocol.blank? || !can_manage_protocol_in_module?(@protocol)
- end
-
- def check_update_parent_permissions
- @protocol = Protocol.find_by_id(params[:id])
-
render_403 unless @protocol.present? &&
- (can_read_protocol_in_module?(@protocol) ||
- can_update_protocol_in_repository(@protocol.parent))
+ can_manage_protocol_in_module?(@protocol)
+ end
+
+ def check_manage_parent_in_repository_permissions
+ @protocol = Protocol.find_by_id(params[:id])
+ render_403 unless @protocol.present? &&
+ can_read_protocol_in_module?(@protocol) &&
+ can_manage_protocol_in_repository(@protocol.parent)
end
def check_load_from_repository_views_permissions
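Review bot: `check_manage_in_module_permissions` (L147–L168) replaces `check_edit_permissions` but drops the `load_team_and_type` call the old filter made (L146); if any of the `edit`/`update_metadata`/`edit_*_modal` actions or their views rely on the instance variables that helper sets, they now see them unset — confirm, or restore the call. In `check_manage_parent_in_repository_permissions`, the new line L174 calls `can_manage_protocol_in_repository(@protocol.parent)` without the `?` every other permission call on this page uses (e.g. L500), which looks like a `NoMethodError` (a 500 instead of a 403) on a path only reached when a protocol has a parent; it should read `can_manage_protocol_in_repository?(@protocol.parent)`, and since `parent` can plausibly be nil, guard it with `@protocol.parent.present? &&`. The condition also tightened from `read || update-parent` to `read && manage-parent`, which may be intended but is a behaviour change worth stating in the commit message.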
@@ -1130,7 +1118,7 @@ class ProtocolsController < ApplicationController
@protocols = Protocol.where(id: params[:protocol_ids])
@protocols.find_each do |protocol|
if !protocol.in_repository_public? ||
- !can_update_protocol_type_in_repository?(protocol)
+ !can_manage_protocol_in_repository?(protocol)
respond_to { |f| f.json { render json: {}, status: :unauthorized } }
return
end
@@ -1141,7 +1129,7 @@ class ProtocolsController < ApplicationController
@protocols = Protocol.where(id: params[:protocol_ids])
@protocols.find_each do |protocol|
if !protocol.in_repository_private? ||
- !can_update_protocol_type_in_repository?(protocol)
+ !can_manage_protocol_in_repository?(protocol)
respond_to { |f| f.json { render json: {}, status: :unauthorized } }
return
end
@@ -1152,7 +1140,7 @@ class ProtocolsController < ApplicationController
@protocols = Protocol.where(id: params[:protocol_ids])
@protocols.find_each do |protocol|
if protocol.in_repository_archived? ||
- !can_update_protocol_type_in_repository?(protocol)
+ !can_manage_protocol_in_repository?(protocol)
respond_to { |f| f.json { render json: {}, status: :unauthorized } }
return
end
@@ -1163,7 +1151,7 @@ class ProtocolsController < ApplicationController
@protocols = Protocol.where(id: params[:protocol_ids])
@protocols.find_each do |protocol|
if protocol.in_repository_active? ||
- !can_update_protocol_type_in_repository?(protocol)
+ !can_manage_protocol_in_repository?(protocol)
respond_to { |f| f.json { render json: {}, status: :unauthorized } }
return
end
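Review bot: Replacing `can_update_protocol_type_in_repository?` with `can_manage_protocol_in_repository?` on L209 makes this branch reject every request: the new `manage_protocol_in_repository` permission requires `protocol.in_repository_active?` (team.rb L775), while L207 already returns unauthorized when the protocol *is* active, so no protocol can satisfy both and what looks like the restore action is dead. The removed `update_protocol_type_in_repository` (team.rb L780–L783) had no active-state requirement, which is why the toggles worked before. The archive branch (L195–L203) is only safe if archived protocols count as inactive, and the publish/unpublish branches (L177–L194) depend on both private and public counting as active — cover all four with specs. The simplest fix is to keep a dedicated visibility-toggle permission without the active check for these four actions, rather than folding it into `manage_protocol_in_repository`. The enclosing actions start and end outside this hunk.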
diff --git a/app/controllers/reports_controller.rb b/app/controllers/reports_controller.rb
index 79504d9af..0238ac5a8 100644
--- a/app/controllers/reports_controller.rb
+++ b/app/controllers/reports_controller.rb
@@ -450,11 +450,11 @@ class ReportsController < ApplicationController
end
def check_create_permissions
- render_403 unless can_create_or_manage_reports?(@project)
+ render_403 unless can_manage_reports?(@project)
end
def check_manage_permissions
- render_403 unless can_create_or_manage_reports?(@project)
+ render_403 unless can_manage_reports?(@project)
render_404 unless params.include? :report_ids
end
diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb
index 86ed5b094..57e90cc0d 100644
--- a/app/controllers/repositories_controller.rb
+++ b/app/controllers/repositories_controller.rb
@@ -6,7 +6,7 @@ class RepositoriesController < ApplicationController
before_action :check_team, only: %i(parse_sheet import_records)
before_action :check_view_all_permissions, only: :index
before_action :check_view_permissions, only: :export_repository
- before_action :check_edit_and_destroy_permissions, only:
+ before_action :check_manage_permissions, only:
%i(destroy destroy_modal rename_modal update)
before_action :check_create_permissions, only:
%i(create_new_modal create copy_modal copy)
@@ -309,8 +309,8 @@ class RepositoriesController < ApplicationController
@team.repositories.count < Constants::REPOSITORIES_LIMIT
end
- def check_edit_and_destroy_permissions
- render_403 unless can_update_or_delete_repository?(@repository)
+ def check_manage_permissions
+ render_403 unless can_manage_repository?(@repository)
end
def repository_params
diff --git a/app/controllers/repository_columns_controller.rb b/app/controllers/repository_columns_controller.rb
index a98f38d89..e67dda400 100644
--- a/app/controllers/repository_columns_controller.rb
+++ b/app/controllers/repository_columns_controller.rb
@@ -4,7 +4,7 @@ class RepositoryColumnsController < ApplicationController
before_action :load_vars, except: :create
before_action :load_vars_nested, only: :create
before_action :check_create_permissions, only: :create
- before_action :check_update_and_delete_permissions, except: :create
+ before_action :check_manage_permissions, except: :create
def create
@repository_column = RepositoryColumn.new(repository_column_params)
@@ -111,8 +111,8 @@ class RepositoryColumnsController < ApplicationController
render_403 unless can_create_repository_columns?(@repository.team)
end
- def check_update_and_delete_permissions
- render_403 unless can_update_or_delete_repository_column?(@repository_column)
+ def check_manage_permissions
+ render_403 unless can_manage_repository_column?(@repository_column)
end
def repository_column_params
diff --git a/app/controllers/repository_rows_controller.rb b/app/controllers/repository_rows_controller.rb
index d837579fe..88ba000dc 100644
--- a/app/controllers/repository_rows_controller.rb
+++ b/app/controllers/repository_rows_controller.rb
@@ -6,8 +6,7 @@ class RepositoryRowsController < ApplicationController
before_action :load_vars, only: %i(edit update)
before_action :load_repository, only: %i(create delete_records)
before_action :check_create_permissions, only: :create
- before_action :check_edit_permissions, only: %i(edit update)
- before_action :check_destroy_permissions, only: :delete_records
+ before_action :check_manage_permissions, only: %i(edit update delete_records)
def create
record = RepositoryRow.new(repository: @repository,
@@ -171,7 +170,7 @@ class RepositoryRowsController < ApplicationController
if selected_params
selected_params.each do |row_id|
row = @repository.repository_rows.find_by_id(row_id)
- if row && can_update_or_delete_repository_row?(row)
+ if row && can_manage_repository_row?(row)
row.destroy && deleted_count += 1
end
end
@@ -221,12 +220,10 @@ class RepositoryRowsController < ApplicationController
render_403 unless can_manage_repository_rows?(@repository.team)
end
- def check_edit_permissions
- render_403 unless can_update_or_delete_repository_row?(@record)
- end
-
- def check_destroy_permissions
- render_403 unless can_manage_repository_rows?(@repository.team)
+ def check_manage_permissions
+ render_403 unless @repository.repository_rows.all? do |row|
+ can_manage_repository_row?(row)
+ end
end
def record_params
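Review bot: The new `check_manage_permissions` (L302–L306) authorizes `edit`/`update` against every row in the repository rather than the `@record` being edited, and does so by loading all of `@repository.repository_rows` on each request — O(rows) work for a check whose answer is the same for every row (per `manage_repository_row` in team.rb L825–L827 it reduces to a team-level `create_repository_rows` check), and vacuously true on an empty repository so the 403 is skipped. `@repository` is also only loaded by `load_repository` for `create`/`delete_records` (L277), so unless `load_vars` sets it for `edit`/`update` this raises on nil. I'd keep the old per-action subjects — the row for edit/update (as the removed L296–L298 did) and the team for delete_records — without iterating the repository:
```ruby
def check_manage_permissions
  # edit/update: load_vars sets @record; delete_records: load_repository sets @repository
  if @record
    render_403 unless can_manage_repository_row?(@record)
  else
    render_403 unless can_create_repository_rows?(@repository.team)
  end
end
```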
diff --git a/app/controllers/result_comments_controller.rb b/app/controllers/result_comments_controller.rb
index 884364a9f..6d4c48544 100644
--- a/app/controllers/result_comments_controller.rb
+++ b/app/controllers/result_comments_controller.rb
@@ -175,7 +175,7 @@ class ResultCommentsController < ApplicationController
end
def check_add_permissions
- render_403 unless can_create_comment_in_module?(@my_module)
+ render_403 unless can_create_comments_in_module?(@my_module)
end
def check_manage_permissions
diff --git a/app/controllers/results_controller.rb b/app/controllers/results_controller.rb
index a66b01880..dffe877cc 100644
--- a/app/controllers/results_controller.rb
+++ b/app/controllers/results_controller.rb
@@ -1,6 +1,6 @@
class ResultsController < ApplicationController
before_action :load_vars
- before_action :can_destroy_permissions
+ before_action :check_destroy_permissions
def destroy
act_log = t('my_modules.module_archive.table_log',
@@ -39,7 +39,7 @@ class ResultsController < ApplicationController
@my_module = @result.my_module
end
- def can_destroy_permissions
- render_403 unless can_delete_or_archive_result?(@my_module)
+ def check_destroy_permissions
+ render_403 unless can_manage_result?(@my_module)
end
end
diff --git a/app/controllers/sample_groups_controller.rb b/app/controllers/sample_groups_controller.rb
index e5f3d09dd..ff6e49e84 100644
--- a/app/controllers/sample_groups_controller.rb
+++ b/app/controllers/sample_groups_controller.rb
@@ -1,6 +1,8 @@
class SampleGroupsController < ApplicationController
before_action :load_vars_nested
- before_action :check_permissions, except: %i(index sample_group_element)
+ before_action :check_view_permissions, only: %i(index sample_group_element)
+ before_action :check_manage_permissions, only: %i(create edit update destroy
+ destroy_confirmation)
before_action :set_sample_group, except: %i(create index)
before_action :set_project_my_module, only: :index
layout 'fluid'
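Review bot: Switching the manage filter from `except: %i(index sample_group_element)` to an explicit `only:` list (L348–L349) means any action in this controller that is not one of the seven named ones now runs with no permission check at all, where before it got `check_permissions` by default. If the controller defines any other action, add it to one of the lists, or keep the stricter filter in `except:` form so future actions fail closed: `before_action :check_manage_permissions, except: %i(index sample_group_element)`. The same applies to `sample_types_controller.rb` (L373–L376).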
@@ -133,8 +135,12 @@ class SampleGroupsController < ApplicationController
render_404 unless @team
end
- def check_permissions
- render_403 unless can_manage_sample_columns?(@team)
+ def check_view_permissions
+ render_403 unless can_read_team?(@team)
+ end
+
+ def check_manage_permissions
+ render_403 unless can_manage_sample_types_and_groups?(@team)
end
def sample_group_params
diff --git a/app/controllers/sample_types_controller.rb b/app/controllers/sample_types_controller.rb
index 0b499bd66..cefbd9ee1 100644
--- a/app/controllers/sample_types_controller.rb
+++ b/app/controllers/sample_types_controller.rb
@@ -1,6 +1,8 @@
class SampleTypesController < ApplicationController
before_action :load_vars_nested
- before_action :check_permissions, except: %i(index sample_type_element)
+ before_action :check_view_permissions, only: %i(index sample_type_element)
+ before_action :check_manage_permissions, only: %i(create edit update destroy
+ destroy_confirmation)
before_action :set_sample_type, except: %i(create index)
before_action :set_project_my_module, only: :index
layout 'fluid'
@@ -129,8 +131,12 @@ class SampleTypesController < ApplicationController
render_404 unless @team
end
- def check_permissions
- render_403 unless can_manage_sample_columns?(@team)
+ def check_view_permissions
+ render_403 unless can_read_team?(@team)
+ end
+
+ def check_manage_permissions
+ render_403 unless can_manage_sample_types_and_groups?(@team)
end
def set_sample_type
diff --git a/app/controllers/samples_controller.rb b/app/controllers/samples_controller.rb
index 94684f2ff..459fbf445 100644
--- a/app/controllers/samples_controller.rb
+++ b/app/controllers/samples_controller.rb
@@ -7,8 +7,7 @@ class SamplesController < ApplicationController
before_action :load_vars_nested, only: [:new, :create]
before_action :check_create_permissions, only: %i(new create)
- before_action :check_update_and_delete_permissions,
- only: %i(edit update destroy)
+ before_action :check_manage_permissions, only: %i(edit update destroy)
def new
respond_to do |format|
@@ -308,11 +307,11 @@ class SamplesController < ApplicationController
end
def check_create_permissions
- render_403 unless can_manage_samples?(@team)
+ render_403 unless can_create_samples?(@team)
end
- def check_update_and_delete_permissions
- render_403 unless can_update_or_delete_sample?(@sample)
+ def check_manage_permissions
+ render_403 unless can_manage_sample?(@sample)
end
def sample_params
diff --git a/app/controllers/step_comments_controller.rb b/app/controllers/step_comments_controller.rb
index 523c674db..259fbc88a 100644
--- a/app/controllers/step_comments_controller.rb
+++ b/app/controllers/step_comments_controller.rb
@@ -184,7 +184,7 @@ class StepCommentsController < ApplicationController
end
def check_add_permissions
- render_403 unless can_create_comment_in_module?(@protocol.my_module)
+ render_403 unless can_create_comments_in_module?(@protocol.my_module)
end
def check_manage_permissions
diff --git a/app/controllers/steps_controller.rb b/app/controllers/steps_controller.rb
index 084506f99..500994b2c 100644
--- a/app/controllers/steps_controller.rb
+++ b/app/controllers/steps_controller.rb
@@ -396,7 +396,7 @@ class StepsController < ApplicationController
if step
protocol = step.protocol
if can_manage_protocol_in_module?(protocol) ||
- can_update_protocol_in_repository?(protocol)
+ can_manage_protocol_in_repository?(protocol)
if step.position > 0
step_down = step.protocol.steps.where(position: step.position - 1).first
step.position -= 1
@@ -443,7 +443,7 @@ class StepsController < ApplicationController
if step
protocol = step.protocol
if can_manage_protocol_in_module?(protocol) ||
- can_update_protocol_in_repository?(protocol)
+ can_manage_protocol_in_repository?(protocol)
if step.position < step.protocol.steps.count - 1
step_up = step.protocol.steps.where(position: step.position + 1).first
step.position += 1
@@ -615,7 +615,7 @@ class StepsController < ApplicationController
def check_manage_permissions
render_403 unless can_manage_protocol_in_module?(@protocol) ||
- can_update_protocol_in_repository?(@protocol)
+ can_manage_protocol_in_repository?(@protocol)
end
def check_complete_and_checkbox_permissions
diff --git a/app/controllers/tags_controller.rb b/app/controllers/tags_controller.rb
index a5194d8db..2cdab52e4 100644
--- a/app/controllers/tags_controller.rb
+++ b/app/controllers/tags_controller.rb
@@ -141,7 +141,7 @@ class TagsController < ApplicationController
end
def check_manage_permissions
- render_403 unless can_create_or_manage_tags?(@project)
+ render_403 unless can_manage_tags?(@project)
end
def tag_params
diff --git a/app/controllers/teams_controller.rb b/app/controllers/teams_controller.rb
index 14b7a7fce..a910df32a 100644
--- a/app/controllers/teams_controller.rb
+++ b/app/controllers/teams_controller.rb
@@ -1,7 +1,8 @@
class TeamsController < ApplicationController
before_action :load_vars, only: [:parse_sheet, :import_samples, :export_samples]
- before_action :check_create_sample_permissions, only: [:parse_sheet, :import_samples]
+ before_action :check_create_samples_permissions, only: %i(parse_sheet
+ import_samples)
before_action :check_view_samples_permission, only: [:export_samples]
def parse_sheet
@@ -258,10 +259,8 @@ class TeamsController < ApplicationController
params.permit(sample_ids: [], header_ids: []).to_h
end
- def check_create_sample_permissions
- unless can_manage_samples?(@team)
- render_403
- end
+ def check_create_samples_permissions
+ render_403 unless can_create_samples?(@team)
end
def check_view_samples_permission
diff --git a/app/controllers/wopi_controller.rb b/app/controllers/wopi_controller.rb
index a716628de..db188e112 100644
--- a/app/controllers/wopi_controller.rb
+++ b/app/controllers/wopi_controller.rb
@@ -294,7 +294,7 @@ class WopiController < ActionController::Base
@breadcrumb_folder_name = @protocol.my_module.name
else
@can_read = can_read_protocol_in_repository?(@protocol)
- @can_write = can_update_protocol_in_repository?(@protocol)
+ @can_write = can_manage_protocol_in_repository?(@protocol)
@close_url = protocols_url(only_path: false,
host: ENV['WOPI_USER_HOST'])
diff --git a/app/datatables/protocols_datatable.rb b/app/datatables/protocols_datatable.rb
index 21a3f213d..7770a7d5b 100644
--- a/app/datatables/protocols_datatable.rb
+++ b/app/datatables/protocols_datatable.rb
@@ -3,7 +3,7 @@ class ProtocolsDatatable < CustomDatatable
include ActiveRecord::Sanitization::ClassMethods
include InputSanitizeHelper
- def_delegator :@view, :can_update_protocol_in_repository?
+ def_delegator :@view, :can_manage_protocol_in_repository?
def_delegator :@view, :edit_protocol_path
def_delegator :@view, :can_clone_protocol_in_repository?
def_delegator :@view, :clone_protocol_path
@@ -82,8 +82,8 @@ class ProtocolsDatatable < CustomDatatable
protocol = Protocol.find(record.id)
result_data << {
'DT_RowId': record.id,
- 'DT_CanEdit': can_update_protocol_in_repository?(protocol),
- 'DT_EditUrl': if can_update_protocol_in_repository?(protocol)
+ 'DT_CanEdit': can_manage_protocol_in_repository?(protocol),
+ 'DT_EditUrl': if can_manage_protocol_in_repository?(protocol)
edit_protocol_path(protocol,
team: @team,
type: @type)
diff --git a/app/helpers/results_helper.rb b/app/helpers/results_helper.rb
index 94afa84c9..fdff9b034 100644
--- a/app/helpers/results_helper.rb
+++ b/app/helpers/results_helper.rb
@@ -24,7 +24,7 @@ module ResultsHelper
end
def can_archive_result(result)
- can_delete_or_archive_result?(result.my_module)
+ can_manage_result?(result.my_module)
end
def result_unlocked?(result)
diff --git a/app/helpers/samples_helper.rb b/app/helpers/samples_helper.rb
index 9ecf6591f..cd20f22e7 100644
--- a/app/helpers/samples_helper.rb
+++ b/app/helpers/samples_helper.rb
@@ -1,8 +1,4 @@
module SamplesHelper
- def can_add_sample_related_things_to_team
- can_manage_sample_columns?(@team)
- end
-
def all_custom_fields
CustomField.where(team_id: @team).order(:created_at)
end
diff --git a/app/permissions/experiment.rb b/app/permissions/experiment.rb
index d7befaf91..3dc2db488 100644
--- a/app/permissions/experiment.rb
+++ b/app/permissions/experiment.rb
@@ -7,8 +7,8 @@ Canaid::Permissions.register_for(Experiment) do
can_read_project?(user, experiment.project)
end
- # experiment: create, update, delete
- # canvas: edit
+ # experiment: create/update/delete
+ # canvas: update
# module: create, clone, reposition, create/update/delete connection,
# assign/reassign/unassign tags
can :manage_experiment do |user, experiment|
@@ -50,7 +50,7 @@ Canaid::Permissions.register_for(Experiment) do
end
Canaid::Permissions.register_for(MyModule) do
- # module: edit, archive, move
+ # module: update, archive, move
# result: create, update
can :manage_module do |user, my_module|
can_manage_experiment?(user, my_module.experiment)
@@ -67,13 +67,13 @@ Canaid::Permissions.register_for(MyModule) do
end
# result: delete, archive
- can :delete_or_archive_result do |user, my_module|
+ can :manage_result do |user, my_module|
user.is_owner_of_project?(my_module.experiment.project)
end
# module: assign/unassign sample, assign/unassign repository record
# NOTE: Use 'module_page? &&' before calling this permission!
- can :assign_repository_records_to_module do |user, my_module|
+ can :assign_repository_rows_to_module do |user, my_module|
user.is_technician_or_higher_of_project?(my_module.experiment.project)
end
@@ -85,17 +85,17 @@ Canaid::Permissions.register_for(MyModule) do
# module: create comment
# result: create comment
# step: create comment
- can :create_comment_in_module do |user, my_module|
- can_create_comment_in_project?(user, my_module.experiment.project)
+ can :create_comments_in_module do |user, my_module|
+ can_create_comments_in_project?(user, my_module.experiment.project)
end
# Module, its experiment and its project must be active for all the specified
# permissions
%i(manage_module
manage_users_in_module
- delete_or_archive_result
+ manage_result
assign_sample_to_module
complete_module
- create_comment_in_module).each do |perm|
+ create_comments_in_module).each do |perm|
can perm do |_, my_module|
my_module.active? &&
my_module.experiment.active? &&
@@ -106,7 +106,7 @@ end
Canaid::Permissions.register_for(Protocol) do
# protocol in module: read
- # step: read, read comments, read assets, download assets
+ # step in module: read, read comments, read/download assets
can :read_protocol_in_module do |user, protocol|
if protocol.in_module?
can_read_experiment?(user, protocol.my_module.experiment)
@@ -117,7 +117,7 @@ Canaid::Permissions.register_for(Protocol) do
# protocol in module: create/update/delete, unlink, revert, update from
# protocol in repository, update from file
- # step: create/update/delete, reorder
+ # step in module: create/update/delete, reorder
can :manage_protocol_in_module do |user, protocol|
if protocol.in_module?
can_manage_module?(user, protocol.my_module)
diff --git a/app/permissions/organization.rb b/app/permissions/organization.rb
index 0e4bb910a..062aca751 100644
--- a/app/permissions/organization.rb
+++ b/app/permissions/organization.rb
@@ -1,5 +1,6 @@
Canaid::Permissions.register_generic do
- can :create_teams do |user|
+ # organization: create team
+ can :create_teams do |_|
true
end
end
diff --git a/app/permissions/project.rb b/app/permissions/project.rb
index 77da1edb4..b61558372 100644
--- a/app/permissions/project.rb
+++ b/app/permissions/project.rb
@@ -9,7 +9,7 @@ Canaid::Permissions.register_for(Project) do
(project.visible? && user.is_member_of_team?(project.team))
end
- # project: update/delete/archive, assign/reassign/unassign users
+ # project: update/delete, archive, assign/reassign/unassign users
can :manage_project do |user, project|
user.is_owner_of_project?(project)
end
@@ -25,23 +25,23 @@ Canaid::Permissions.register_for(Project) do
end
# experiment: create
- can :create_experiment do |user, project|
+ can :create_experiments do |user, project|
user.is_user_or_higher_of_project?(project)
end
# project: create comment
- can :create_comment_in_project do |user, project|
+ can :create_comments_in_project do |user, project|
user.is_technician_or_higher_of_project?(project)
end
# project: create/update/delete tag
# module: assign/reassign/unassign tag
- can :create_or_manage_tags do |user, project|
+ can :manage_tags do |user, project|
user.is_user_or_higher_of_project?(project)
end
- # reports: create/delete
- can :create_or_manage_reports do |user, project|
+ # reports: create, delete
+ can :manage_reports do |user, project|
user.is_technician_or_higher_of_project?(project)
end
@@ -49,10 +49,10 @@ Canaid::Permissions.register_for(Project) do
%i(read_project
manage_project
archive_project
- create_experiment
- create_comment_in_project
- create_or_manage_tags
- create_or_manage_reports)
+ create_experiments
+ create_comments_in_project
+ manage_tags
+ manage_reports)
.each do |perm|
can perm do |_, project|
project.active?
diff --git a/app/permissions/team.rb b/app/permissions/team.rb
index 669181027..22461e1b4 100644
--- a/app/permissions/team.rb
+++ b/app/permissions/team.rb
@@ -1,82 +1,81 @@
Canaid::Permissions.register_for(Team) do
- # view projects, view protocols
- # leave team, view team users (ATWHO)
- # view samples, export samples
- # view repositories, view repository, export repository rows
+ # team: leave, read users, read projects, read/export samples,
+ # read protocols, read/export repositories
+ #
can :read_team do |user, team|
user.is_member_of_team?(team)
end
- # edit team name, edit team description
+ # team: update
can :update_team do |user, team|
user.is_admin_of_team?(team)
end
- # invite user to team, change user's role, remove user from team
+ # team: assign/unassing user, change user role
can :manage_team_users do |user, team|
user.is_admin_of_team?(team)
end
- # create project
+ # project: create
can :create_projects do |user, team|
user.is_normal_user_or_admin_of_team?(team)
end
- # create protocol in repository, import protocol to repository
+ # protocol in repository: create, import
can :create_protocols_in_repository do |user, team|
user.is_normal_user_or_admin_of_team?(team)
end
- # create, import, edit, delete samples
- can :manage_samples do |user, team|
+ # sample: create, import
+ can :create_samples do |user, team|
user.is_normal_user_or_admin_of_team?(team)
end
- # create custom field
- # create, update, delete sample type or sample group
- can :manage_sample_columns do |user, team|
+ # sample: create field
+ can :create_sample_columns do |user, team|
user.is_normal_user_or_admin_of_team?(team)
end
- # create, copy repository
+ # create/update/delete sample type/group
+ can :manage_sample_types_and_groups do |user, team|
+ user.is_normal_user_or_admin_of_team?(team)
+ end
+
+ # repository: create, clone
can :create_repositories do |user, team|
- user.is_admin_of_team?(team)
+ user.is_admin_of_team?(team) &&
+ team.repositories.count < Constants::REPOSITORIES_LIMIT
end
- # create, import, edit, delete repository records
- can :manage_repository_rows do |user, team|
+ # repository: create/import record
+ can :create_repository_rows do |user, team|
user.is_normal_user_or_admin_of_team?(team)
end
- # create repository column
+ # repository: create field
can :create_repository_columns do |user, team|
user.is_normal_user_or_admin_of_team?(team)
end
end
Canaid::Permissions.register_for(Protocol) do
- # view protocol in repository, export protocol from repository
- # view step in protocol in repository, view or dowload step asset
+ # protocol in repository: read, export, read step, read/download step asset
can :read_protocol_in_repository do |user, protocol|
user.is_member_of_team?(protocol.team) &&
(protocol.in_repository_public? ||
protocol.in_repository_private? && user == protocol.added_by)
end
- # edit protocol in repository,
- # create, edit, delete or reorder step in repository
- can :update_protocol_in_repository do |user, protocol|
+ # protocol in repository: update, create/update/delete/reorder step,
+ # toggle visibility (public, private, archive,
+ # restore)
+ can :manage_protocol_in_repository do |user, protocol|
protocol.in_repository_active? &&
- can_update_protocol_type_in_repository?(user, protocol)
- end
-
- # toggle protocol visibility (public, private, archive, restore)
- can :update_protocol_type_in_repository do |user, protocol|
- user.is_normal_user_or_admin_of_team?(protocol.team) &&
+ user.is_normal_user_or_admin_of_team?(protocol.team) &&
user == protocol.added_by
end
- # clone protocol in repository
+ # protocol in repository: clone
can :clone_protocol_in_repository do |user, protocol|
can_create_protocols_in_repository?(user, protocol.team) &&
can_read_protocol_in_repository?(user, protocol)
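Review bot: Adding `team.repositories.count < Constants::REPOSITORIES_LIMIT` to `create_repositories` (L744–L745) leaks into `manage_repository` in the next hunk (L816–L818), which delegates to `can_create_repositories?`: once a team reaches the limit its admins can no longer rename or delete any repository (`repositories_controller.rb` L246–L247), and deleting is the only way back under the limit. Keep the limit on the create path and give `manage_repository` its own check, e.g. `can :manage_repository do |user, repository| user.is_admin_of_team?(repository.team) end`. Also, the comment on L708 has a typo: `unassing` should read `unassign`.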
@@ -84,37 +83,38 @@ Canaid::Permissions.register_for(Protocol) do
end
Canaid::Permissions.register_for(Sample) do
- # edit, delete specific sample
- can :update_or_delete_sample do |user, sample|
- can_manage_samples?(user, sample.team)
+ # sample: update, delete
+ can :manage_sample do |user, sample|
+ can_create_samples?(user, sample.team)
end
end
Canaid::Permissions.register_for(CustomField) do
- # update, delete custom field
- can :update_or_delete_custom_field do |user, custom_field|
- can_manage_sample_columns?(user, custom_field.team)
+ # sample: update/delete field
+ can :manage_sample_column do |user, custom_field|
+ custom_field.sample_custom_fields.all? do |sample_custom_field|
+ can_create_sample_columns?(user, sample_custom_field.sample)
+ end
end
end
Canaid::Permissions.register_for(Repository) do
- # edit, destroy repository
- can :update_or_delete_repository do |user, repository|
+ # repository: update, delete
+ can :manage_repository do |user, repository|
can_create_repositories?(user, repository.team)
end
end
Canaid::Permissions.register_for(RepositoryRow) do
- # update, delete specific repository record
- can :update_or_delete_repository_row do |user, repository_row|
- can_manage_repository_rows?(user, repository_row.repository.team)
+ # repository: update/delete record
+ can :manage_repository_row do |user, repository_row|
+ can_create_repository_rows?(user, repository_row.repository.team)
end
end
Canaid::Permissions.register_for(RepositoryColumn) do
- # update, delete repository column
- can :update_or_delete_repository_column do |user, repository_column|
+ # repository: update/delete field
+ can :manage_repository_column do |user, repository_column|
can_create_repository_columns?(user, repository_column.repository.team)
end
end
-
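Review bot: `manage_sample_column` in the `CustomField` registration is vacuously true for a field that has no `sample_custom_fields` yet, because `all?` over an empty collection returns true, so any user who reaches the update/delete action can modify or remove an unused column — the replaced check was scoped to `custom_field.team`, and the new one has no team membership test of its own. It also runs one permission check (and likely one query) per sample and derives the team from each sample instead of from the field itself. Scope it to the field's team directly, e.g. `user.is_normal_user_or_admin_of_team?(custom_field.team)`, matching the pattern the `create_repository_rows` and `create_repository_columns` blocks use (or the team-level `can_create_sample_columns?` form, if that helper takes a team — its signature is not visible here). Separately, `manage_repository` delegates to `can_create_repositories?`, which now also requires `team.repositories.count < Constants::REPOSITORIES_LIMIT`, so once a team is at the limit its admins can no longer update or delete a repository — delete being exactly what gets them back under the limit; `user.is_admin_of_team?(repository.team)` is the check that block should carry.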
diff --git a/app/views/experiments/canvas.html.erb b/app/views/experiments/canvas.html.erb
index 6921526e3..d3fec473c 100644
--- a/app/views/experiments/canvas.html.erb
+++ b/app/views/experiments/canvas.html.erb
@@ -41,7 +41,7 @@
- <% if can_create_experiment?(@project) %>
+ <% if can_create_experiments?(@project) %>
<%= link_to new_project_experiment_url(@project),
remote: true,
type: "button",
diff --git a/app/views/my_module_comments/_index.html.erb b/app/views/my_module_comments/_index.html.erb
index 5b736a1b2..ed9d2a4ff 100644
--- a/app/views/my_module_comments/_index.html.erb
+++ b/app/views/my_module_comments/_index.html.erb
@@ -14,7 +14,7 @@
<%= render 'my_module_comments/list.html.erb', comments: @comments %>
<% end %>
-<% if can_create_comment_in_module?(@my_module) %>
+<% if can_create_comments_in_module?(@my_module) %>
-
diff --git a/app/views/my_module_tags/_index_edit.html.erb b/app/views/my_module_tags/_index_edit.html.erb
index e9f851da1..8ec64984a 100644
--- a/app/views/my_module_tags/_index_edit.html.erb
+++ b/app/views/my_module_tags/_index_edit.html.erb
@@ -11,7 +11,7 @@
<%= tag.name %>
- <% if can_create_or_manage_tags?(@my_module.experiment.project) %>
+ <% if can_manage_tags?(@my_module.experiment.project) %>
<%= link_to "", remote: true, class: 'btn btn-link edit-tag-link', title: t("experiments.canvas.modal_manage_tags.edit_tag") do %>
<% end %>
@@ -28,7 +28,7 @@
- <% if can_create_or_manage_tags?(@my_module.experiment.project) %>
+ <% if can_manage_tags?(@my_module.experiment.project) %>
<%= bootstrap_form_for tag, remote: true, url: project_tag_path(@my_module.experiment.project, tag, format: :json), method: :put, html: { class: "edit-tag-form" } do |f| %>
<%= hidden_field_tag :my_module_id, @my_module.id %>
@@ -55,7 +55,7 @@
- <% if can_create_or_manage_tags?(@my_module.experiment.project) %>
+ <% if can_manage_tags?(@my_module.experiment.project) %>
<%= bootstrap_form_for [@my_module, @new_mmt], remote: true, format: :json, html: { class: 'add-tag-form' } do |f| %>
diff --git a/app/views/my_modules/archive/_result.html.erb b/app/views/my_modules/archive/_result.html.erb
index 2c275e4f3..b88c6f784 100644
--- a/app/views/my_modules/archive/_result.html.erb
+++ b/app/views/my_modules/archive/_result.html.erb
@@ -16,7 +16,7 @@
<%= link_to option_text, result_table_download_path(result.result_table_id), data: {no_turbolink: true} %>
<% end %>
- <% if can_delete_or_archive_result?(result.my_module) %>
+ <% if can_manage_result?(result.my_module) %>
-
<%= link_to t('my_modules.module_archive.option_delete'),
result_path(action: :delete, id: result.id),
diff --git a/app/views/my_modules/protocols/_protocol_status_bar_buttons.html.erb b/app/views/my_modules/protocols/_protocol_status_bar_buttons.html.erb
index 22d24c32a..6adf6e836 100644
--- a/app/views/my_modules/protocols/_protocol_status_bar_buttons.html.erb
+++ b/app/views/my_modules/protocols/_protocol_status_bar_buttons.html.erb
@@ -40,7 +40,7 @@
- <% if can_create_experiment?(@project) %>
+ <% if can_create_experiments?(@project) %>
<%= link_to new_project_experiment_url(@project),
remote: true,
type: "button",
@@ -51,7 +51,7 @@
<%= content_tag(:div, '', class: 'clearfix visible-lg-block') if (index + 1) % 2 == 0 %>
<% end %>
- <% if can_create_experiment?(@project) %>
+ <% if can_create_experiments?(@project) %>
<%= render 'projects/show/new_experiment' %>
<% end %>
diff --git a/app/views/protocols/_header.html.erb b/app/views/protocols/_header.html.erb
index d2265de5b..a4e930a1d 100644
--- a/app/views/protocols/_header.html.erb
+++ b/app/views/protocols/_header.html.erb
@@ -1,5 +1,5 @@