diff --git a/qrtr_account/migrations/0019_rule_bank_acc.py b/qrtr_account/migrations/0019_rule_bank_acc.py
new file mode 100644
index 0000000..819ac62
--- /dev/null
+++ b/qrtr_account/migrations/0019_rule_bank_acc.py
@@ -0,0 +1,19 @@ +# Generated by Django 3.2.3 on 2024-08-01 00:55 + +from django.db import migrations, models +import django.db.models.deletion + + +class Migration(migrations.Migration): + + dependencies = [ + ('qrtr_account', '0018_auto_20240118_0319'), + ] + + operations = [ + migrations.AddField( + model_name='rule', + name='bank_acc', + field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, to='qrtr_account.bankaccount'), + ), + ]
diff --git a/qrtr_account/models.py b/qrtr_account/models.py
index 2de98d8..0cbd7bc 100644
--- a/qrtr_account/models.py
+++ b/qrtr_account/models.py
@@ -108,6 +108,7 @@ class Schedule(models.Model):
 class Rule(models.Model):
+ bank_acc = models.ForeignKey(BankAccount, on_delete=models.CASCADE, null=True, blank=True)
 kinds = [("refill", "Refill"), ("increase", "Increase"), ("goal", "Goal")]
 kind = models.CharField(choices=kinds, max_length=255)
 when_to_run = models.ForeignKey(Schedule, on_delete=models.CASCADE)
diff --git a/qrtr_account/views.py b/qrtr_account/views.py
index 9718984..25d1617 100644
--- a/qrtr_account/views.py
+++ b/qrtr_account/views.py
@@ -18,6 +18,13 @@ from allauth.socialaccount.providers.twitter.views import TwitterOAuthAdapter
 from dj_rest_auth.social_serializers import TwitterLoginSerializer
 from api.mixins import ReadWriteSerializerMixin
+class OwnedAccountsMixin():
+
+ def accessible_accounts(self):
+ usr = self.request.user
+ return usr.owned_accounts.all()\
+ .union(usr.admin_accounts.all())\
+ .union(usr.view_accounts.all())
 class TwitterLogin(SocialLoginView):
 serializer_class = TwitterLoginSerializer
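Review bot: The new `bank_acc` foreign key on `Rule` is nullable, so every rule that exists before migration 0019 keeps `bank_acc` as NULL, and the `RuleViewSet.get_queryset` added in views.py filters on `bank_acc__qrtr_account__in`, which a NULL row cannot match. Those rules become invisible to every user rather than visible across accounts, so this fails closed, but nothing in the commit backfills them. I would add a data migration that assigns `bank_acc` to existing rows and record the interim state on the field, e.g. `# NULL only for rules created before 0019; hidden by RuleViewSet until backfilled`. The `Rule` class body continues outside the hunk.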
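Review bot: `accessible_accounts` combines the three role querysets with `.union()`, and Django supports only a short list of operations on a combined queryset (slicing, `count()`, `order_by()`, `values()`/`values_list()`), not a later `filter()`. `AccountViewSet.get_queryset` returns this queryset directly and DRF's detail routes resolve the object with a filtered lookup on it, so retrieve, update and delete on accounts are likely to fail; the other viewsets feed it into `__in` as a subquery, which is worth testing on the target database as well. Combining with the `|` operator keeps an ordinary filterable queryset, for example `return (usr.owned_accounts.all() | usr.admin_accounts.all() | usr.view_accounts.all()).distinct()`. The method also needs a docstring stating that it merges the owner, admin and view roles, since every caller uses it as an access boundary.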
@@ -28,7 +35,7 @@ class FacebookLogin(SocialLoginView):
 adapter_class = FacebookOAuth2Adapter
-class AccountViewSet(ReadWriteSerializerMixin, viewsets.ModelViewSet):
+class AccountViewSet(ReadWriteSerializerMixin, viewsets.ModelViewSet, OwnedAccountsMixin):
 """API endpoint that allows accounts to be viewed or edited
 """
 permission_classes = [IsAuthenticated]
@@ -37,8 +44,11 @@ class AccountViewSet(ReadWriteSerializerMixin, viewsets.ModelViewSet):
 read_serializer_class = AccountReadSerializer
 write_serializer_class = AccountWriteSerializer
+ def get_queryset(self):
+ return self.accessible_accounts()
-class BankAccountViewSet(viewsets.ModelViewSet):
+class BankAccountViewSet(viewsets.ModelViewSet, OwnedAccountsMixin):
 """API endpoint that allows BankAccounts to be viewed or edited
 """
 permission_classes = [IsAuthenticated]
@@ -51,8 +61,12 @@ class BankAccountViewSet(viewsets.ModelViewSet):
 return BankAccountSerializerPOST
 return BankAccountSerializer
+ def get_queryset(self):
+ return BankAccount.objects.filter(
+ qrtr_account__in=self.accessible_accounts().values_list('id'))
-class SliceViewSet(viewsets.ModelViewSet):
+class SliceViewSet(viewsets.ModelViewSet, OwnedAccountsMixin):
 """API endpoint that allows BankAccounts to be viewed.
 """
 permission_classes = [IsAuthenticated]
@@ -68,6 +82,11 @@ class SliceViewSet(viewsets.ModelViewSet):
 # 'slice_of': ['exact']
 }
+ def get_queryset(self):
+ return Slice.objects.select_related('bank_acc').filter(
+ bank_acc__qrtr_account__in=self.accessible_accounts().values_list('id')
+ )
+
 class SubscriptionPlanViewSet(viewsets.ModelViewSet):
 queryset = SubscriptionPlan.objects.all()
@@ -82,7 +101,7 @@ class InstitutionViewSet(viewsets.ReadOnlyModelViewSet):
 serializer_class = InstitutionSerializer
-class TransactionViewSet(viewsets.ModelViewSet):
+class TransactionViewSet(viewsets.ModelViewSet, OwnedAccountsMixin):
 """API endpoint that allows BankAccounts to be viewed.
 """
 permission_classes = [IsAuthenticated]
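Review bot: `AccountViewSet.get_queryset` now serves `accessible_accounts()`, which includes `usr.view_accounts`, while the class remains a `ModelViewSet` guarded only by `IsAuthenticated`, so a user who holds view access can reach the update and delete routes for that account. The same combination appears in the `get_queryset` methods this commit adds to `BankAccountViewSet`, `SliceViewSet`, `TransactionViewSet` and `SliceTransactionViewSet`. If `view_accounts` is meant to be read-only, as the name suggests, the queryset only answers who may see an object, and who may change it needs a separate object-level permission that allows unsafe methods only for accounts in `owned_accounts` or `admin_accounts`. A docstring such as `"""Limit results to accounts the requesting user owns, administers or may view."""` would put that scope on record.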
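Review bot: The filter added in `BankAccountViewSet.get_queryset` limits which rows can be listed, fetched, updated or deleted, but it does not constrain the `qrtr_account` value a client submits on create or update. The serializers are outside this diff, so this may already be validated there; if it is not, a new bank account could be attached to an account the requester cannot access. A check against `self.accessible_accounts()` in `perform_create` and `perform_update` would close that gap, and the same question applies to the `bank_acc` and `bank` references behind `SliceViewSet` and `TransactionViewSet`.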
@@ -119,8 +138,13 @@ class TransactionViewSet(viewsets.ModelViewSet):
 child2 = Transaction.objects.create(**base_information)
 child2.name = f"{child1.name}.split2"
+ def get_queryset(self):
+ return Transaction.objects.select_related('bank').filter(
+ bank__qrtr_account__in=self.accessible_accounts().values_list('id')
+ ).filter(is_split=False)
-class SliceTransactionViewSet(viewsets.ModelViewSet):
+class SliceTransactionViewSet(viewsets.ModelViewSet, OwnedAccountsMixin):
 permission_classes = [IsAuthenticated]
 serializer_class = SliceTransactionSerializer
@@ -134,13 +158,23 @@ class SliceTransactionViewSet(viewsets.ModelViewSet):
 # 'slice_of': ['exact']
 }
+ def get_queryset(self):
+ return Slice.objects.select_related('bank_acc').filter(
+ bank_acc__qrtr_account__in=self.accessible_accounts().values_list('id')
+ )
+
 # def get_queryset(self):
 # return Transaction.objects.filter(slice__pk=self.kwargs.get('slice_pk'))
-class RuleViewSet(viewsets.ReadOnlyModelViewSet):
+class RuleViewSet(viewsets.ReadOnlyModelViewSet, OwnedAccountsMixin):
 """API endpoint that allows BankAccounts to be viewed.
 """
 permission_classes = [IsAuthenticated]
 queryset = Rule.objects.all()
 serializer_class = RuleSerializer
+
+ def get_queryset(self):
+ return Rule.objects.select_related('bank_acc').filter(
+ bank_acc__qrtr_account__in=self.accessible_accounts().values_list('id')
+ )
\ No newline at end of file
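Review bot: `SliceTransactionViewSet.get_queryset` returns `Slice` rows, yet the class serializes with `SliceTransactionSerializer` and the commented-out version just below it queries `Transaction`, so this looks copied from `SliceViewSet` and probably targets the wrong model. If slice transactions are the intended resource, the queryset should start from that model and reach `qrtr_account` through its own relations, which are not visible in this diff. In `RuleViewSet` further down, the class attribute `queryset = Rule.objects.all()` stays in place above the new `get_queryset`; it no longer drives the results, and an unscoped default is easy to fall back on by accident. Keep it only if the router needs it to derive a basename, and mark it, e.g. `# not used for results: get_queryset() scopes rules to accessible accounts`. Both class bodies start outside the hunk.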