diff --git a/app/Http/Controllers/ServerController.php b/app/Http/Controllers/ServerController.php
index 07c749632e63afe5dce2e2c2667ca880e672e989..82aa0fab73bb65e34b8c802575e9dd96311bbeda 100644
--- a/app/Http/Controllers/ServerController.php
+++ b/app/Http/Controllers/ServerController.php
@@ -2,8 +2,10 @@
 namespace App\Http\Controllers;
 
 use App\Server;
-use Illuminate\Support\Facades\Validator;
+
 use Illuminate\Http\Request;
+use Illuminate\Validation\Rule;
+use Illuminate\Support\Facades\Auth;
 
 class ServerController extends Controller
 {
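Review bot: The removed `Validator` import at L9 is replaced by an added blank line at L10, which splits the `use` block in two and leaves the three framework imports out of alphabetical order. Drop the blank line and order the group as `use Illuminate\Http\Request;`, `use Illuminate\Support\Facades\Auth;`, `use Illuminate\Validation\Rule;`. Nothing else in this hunk needs changing.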
@@ -14,26 +16,11 @@ class ServerController extends Controller
         $this->middleware('auth');
     }
 
-    /**
-     * Get a validator for an incoming registration request.
-     *
-     * @param  array  $data
-     * @return \Illuminate\Contracts\Validation\Validator
-     */
-    protected function validator(array $data)
-    {
-        return Validator::make($data, [
-            'name' => 'required|string|regex:/^[a-zA-Z0-9\s\-\.]+$/|max:255'
-        ]);
-    }
-
-    /**
-     * Display a listing of the resource.
-     *
-     */
-    public function index()
+    private function rules() : array
     {
-        // return view("server.index", array("servers" => Server::all()->sortBy("name")));
+        return [
+            'name' => 'required|string|regex:/^[a-zA-Z0-9\s\-\.]+$/|max:255',
+            "organization_id" => Rule::in(Auth::user()->organizations->modelKeys())];
     }
 
     /**
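Review bot: The `organization_id` rule at L44 is not `required`, so a request that omits the field passes validation (Laravel skips non-implicit rules such as `in` for an absent or empty field) and `saveAndRedirect` then stores a null `organization_id`, which leaves `$server->organization` null for the policy's `ownsOrganization` check on later show/update/destroy calls. Change it to `'organization_id' => ['required', Rule::in(Auth::user()->organizations->modelKeys())],`. The allowed set is built from the user's `organizations` relation while ServerPolicy gates on `ownsOrganization`; if those two differ (membership versus ownership), an owner could move a server into an organization they merely belong to, so it is worth confirming that the rule and the policy are meant to use the same relation. The method also mixes single and double quotes across the two array keys and has no docblock; a one-liner `/** Validation rules shared by store/update; organization_id is limited to the current user's organizations. */` would help.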
@@ -43,6 +30,7 @@ class ServerController extends Controller
      */
     public function create()
     {
+        $this->authorize("create", Server::class);
         return view("server.edit", ["server" => new Server()]);
     }
 
@@ -53,6 +41,7 @@ class ServerController extends Controller
      */
     public function store(Request $request)
     {
+        $this->authorize("create", Server::class);
         return $this->saveAndRedirect($request, new Server());
     }
 
@@ -63,6 +52,7 @@ class ServerController extends Controller
      */
     public function show(Server $server)
     {
+        $this->authorize("show", $server);
         return view("server.show", ["server" => $server]);
     }
 
@@ -73,6 +63,7 @@ class ServerController extends Controller
      */
     public function edit(Server $server)
     {
+        $this->authorize("update", $server);
         return view("server.edit", array("server" => $server));
     }
 
@@ -84,12 +75,13 @@ class ServerController extends Controller
      */
     public function update(Request $request, Server $server)
     {
+        $this->authorize("update", $server);
         return $this->saveAndRedirect($request, $server);
     }
 
     private function saveAndRedirect(Request $request, Server $server)
     {
-        $this->validator($request->all())->validate();
+        $request->validate($this->rules());
 
         $server->name = $request->name;
         $server->organization_id = $request->organization_id;
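Review bot: The return value of `$request->validate($this->rules())` at L91 is discarded and the fields are then read back from the raw request at L93–L94; the idiomatic form keeps the validated array and reads from it, `$validated = $request->validate($this->rules());` then `$server->name = $validated['name'];` and `$server->organization_id = $validated['organization_id'];`, so only keys that passed the rules reach the model. The body of `saveAndRedirect` continues past the end of this hunk.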
@@ -103,9 +95,10 @@ class ServerController extends Controller
      *
      * @param  int  $id
      */
-    public function destroy($id)
+    public function destroy(Server $server)
     {
-        Server::find($id)->delete();
+        $this->authorize("destroy", $server);
+        $server->delete();
         return back();
     }
 }
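Review bot: The docblock above `destroy` still says `@param  int  $id` (context line L97) while the signature now takes `Server $server` through route-model binding, so the documentation is stale. Change it to `@param  \App\Server  $server` and, since the method returns `back()`, a `@return \Illuminate\Http\RedirectResponse` line would complete it. The docblock's opening line lies above this hunk.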
diff --git a/app/Policies/ServerPolicy.php b/app/Policies/ServerPolicy.php
new file mode 100644
index 0000000000000000000000000000000000000000..6aa59f038223be26bee2b1088c48280bee3954be
--- /dev/null
+++ b/app/Policies/ServerPolicy.php
@@ -0,0 +1,33 @@
+<?php
+
+namespace App\Policies;
+
+use App\User;
+use App\Server;
+use Illuminate\Auth\Access\HandlesAuthorization;
+
+class ServerPolicy
+{
+    use HandlesAuthorization;
+
+
+    public function create(User $user)
+    {
+        return true;
+    }
+    
+    public function show(User $user, Server $server)
+    {
+        return $user->ownsOrganization($server->organization);
+    }
+    
+    public function update(User $user, Server $server)
+    {
+        return $user->ownsOrganization($server->organization);
+    }
+    
+    public function destroy(User $user, Server $server)
+    {
+        return $user->ownsOrganization($server->organization);
+    }
+}
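Review bot: None of the four policy methods at L127–L145 declares a return type; add `: bool` to each (for example `public function show(User $user, Server $server): bool`) so a non-boolean result from `ownsOrganization` is caught rather than coerced by the gate. `create` returns true for every authenticated user, meaning creation is gated only by the controller's `organization_id` validation rule and not by the policy; if that is intended, a docblock on `create` stating it would prevent it being read as an omission. The ability is named `show` rather than Laravel's conventional `view`, which matches the controller's `authorize("show", ...)` call but would not be found by `authorizeResource` or a `can:view` check elsewhere. Lines L131 and L141 are whitespace-only, and a class docblock such as `/** Authorization for Server resources: any user may create; show/update/destroy require owning the server's organization. */` would document the rules.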
diff --git a/routes/web.php b/routes/web.php
index a3ea189f55141e1e4b6d794de91eba4984a749df..56bb0b1247bc270ec10885ac9671b699992c3e9c 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -52,4 +52,4 @@ Route::get(
 )->name("organization.public.dashboard");
 Route::resource('app/organizations', 'OrganizationController');
 Route::resource("app/organizations.user", "OrganizationUserController")->only(["create", "store", "destroy"]);
-Route::resource('app/servers', 'ServerController');
+Route::resource('app/servers', 'ServerController')->except(["index"]);