diff --git a/back_latienda/permissions.py b/back_latienda/permissions.py
new file mode 100644
index 0000000..f39454a
--- /dev/null
+++ b/back_latienda/permissions.py
@@ -0,0 +1,21 @@
+from rest_framework import permissions
+
+
+class IsCreator(permissions.BasePermission):
+ """
+ Grant permission is request.user same as obj.creator
+ """
+
+ def has_object_permission(self, request, view, obj):
+ if obj is not None:
+ # allow is authenticated and method is safe
+ if request.method in permissions.SAFE_METHODS:
+ return True
+
+ # admins always have permission
+ if request.user.is_staff is True:
+ return True
+ # permission if user is the object's creator
+ return obj.creator == request.user
+ return False
+
diff --git a/companies/views.py b/companies/views.py
index a2db901..194c26c 100644
--- a/companies/views.py
+++ b/companies/views.py
@@ -2,10 +2,15 @@ from django.shortcuts import render
 # Create your views here.
 from rest_framework import viewsets
+from rest_framework.permissions import IsAuthenticatedOrReadOnly
+
 from companies.models import Company
 from companies.serializers import CompanySerializer
+from back_latienda.permissions import IsCreator
+
 class CompanyViewSet(viewsets.ModelViewSet):
 queryset = Company.objects.all()
 serializer_class = CompanySerializer
+ permission_classes = [IsAuthenticatedOrReadOnly, IsCreator]
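Review bot: The comment `# allow is authenticated and method is safe` above the SAFE_METHODS branch of has_object_permission is misleading: nothing in that branch checks authentication, so IsCreator on its own grants every GET/HEAD/OPTIONS to anonymous callers and only relies on a companion class such as IsAuthenticatedOrReadOnly to decide who may read. Rewrite it to state the real contract, `# read-only methods are open here; authentication is left to the companion permission class`, so nobody reuses IsCreator alone expecting it to gate reads. Two smaller points in the same method: `if request.user.is_staff is True:` should be `if request.user.is_staff:` (same result for Django users, idiomatic truthiness), and `obj.creator == request.user` raises AttributeError (a 500, not a 403) for any model without a `creator` field, so `getattr(obj, "creator", None) == request.user` gives a default-deny instead. The `obj is not None` guard appears dead, since DRF only calls this hook with the resolved object, and the class docstring has a typo, `Grant permission if request.user is obj.creator`.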
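Review bot: has_object_permission is never consulted for the list and create actions, so with this `permission_classes = [IsAuthenticatedOrReadOnly, IsCreator]` line any authenticated user may POST a new Company, and whether the `creator` that IsCreator later compares against is trustworthy depends on CompanySerializer, which is not in this diff. If the serializer exposes `creator` as a writable field, a client can create a company recorded as owned by another user (including a staff account), and the ownership check on subsequent PUT/PATCH/DELETE is then only as strong as the client-supplied value. Ownership should be fixed server-side, e.g. `def perform_create(self, serializer): serializer.save(creator=self.request.user)` on the viewset with `creator` declared read-only in the serializer; if CompanyViewSet continues past the end of the hunk this may already be handled there.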