diff --git a/addons/cetmix_tower_server/security/cx_tower_key_security.xml b/addons/cetmix_tower_server/security/cx_tower_key_security.xml
new file mode 100644
index 0000000..5f53277
--- /dev/null
+++ b/addons/cetmix_tower_server/security/cx_tower_key_security.xml
@@ -0,0 +1,99 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<odoo>
+    <!-- Manager Read Rules -->
+    <record id="rule_key_manager_read_users" model="ir.rule">
+        <field name="name">Key: Manager Read Access - Users/Managers</field>
+        <field name="model_id" ref="model_cx_tower_key" />
+        <field
+            name="domain_force"
+        >['|', ('user_ids', 'in', [user.id]), ('manager_ids', 'in', [user.id])]</field>
+        <field name="groups" eval="[(4, ref('cetmix_tower_server.group_manager'))]" />
+        <field name="perm_read" eval="1" />
+        <field name="perm_write" eval="0" />
+        <field name="perm_create" eval="0" />
+        <field name="perm_unlink" eval="0" />
+    </record>
+
+    <record id="rule_key_manager_read_secret" model="ir.rule">
+        <field name="name">Key: Manager Read Access - Secret Type</field>
+        <field name="model_id" ref="model_cx_tower_key" />
+        <field name="domain_force">[('key_type', '=', 's')]</field>
+        <field name="groups" eval="[(4, ref('cetmix_tower_server.group_manager'))]" />
+        <field name="perm_read" eval="1" />
+        <field name="perm_write" eval="0" />
+        <field name="perm_create" eval="0" />
+        <field name="perm_unlink" eval="0" />
+    </record>
+
+    <record id="rule_key_manager_read_ssh" model="ir.rule">
+        <field name="name">Key: Manager Read Access - SSH Key</field>
+        <field name="model_id" ref="model_cx_tower_key" />
+        <field name="domain_force">[('key_type', '=', 'k'), '|',
+            ('server_ssh_ids.user_ids', 'in', [user.id]),
+            ('server_ssh_ids.manager_ids', 'in', [user.id])]</field>
+        <field name="groups" eval="[(4, ref('cetmix_tower_server.group_manager'))]" />
+        <field name="perm_read" eval="1" />
+        <field name="perm_write" eval="0" />
+        <field name="perm_create" eval="0" />
+        <field name="perm_unlink" eval="0" />
+    </record>
+
+    <!-- Manager Write/Create Rules -->
+    <record id="rule_key_manager_write_managers" model="ir.rule">
+        <field name="name">Key: Manager Write/Create Access - Managers</field>
+        <field name="model_id" ref="model_cx_tower_key" />
+        <field name="domain_force">[('manager_ids', 'in', [user.id])]</field>
+        <field name="groups" eval="[(4, ref('cetmix_tower_server.group_manager'))]" />
+        <field name="perm_read" eval="0" />
+        <field name="perm_write" eval="1" />
+        <field name="perm_create" eval="1" />
+        <field name="perm_unlink" eval="0" />
+    </record>
+
+    <record id="rule_key_manager_write_ssh" model="ir.rule">
+        <field name="name">Key: Manager Write/Create Access - SSH Key</field>
+        <field name="model_id" ref="model_cx_tower_key" />
+        <field name="domain_force">['&amp;', ('key_type', '=', 'k'),
+            ('server_ssh_ids.manager_ids', 'in', [user.id])]</field>
+        <field name="groups" eval="[(4, ref('cetmix_tower_server.group_manager'))]" />
+        <field name="perm_read" eval="0" />
+        <field name="perm_write" eval="1" />
+        <field name="perm_create" eval="1" />
+        <field name="perm_unlink" eval="0" />
+    </record>
+
+    <!-- Manager Delete Rules -->
+    <record id="rule_key_manager_unlink_managers" model="ir.rule">
+        <field name="name">Key: Manager Delete Access - Managers</field>
+        <field name="model_id" ref="model_cx_tower_key" />
+        <field
+            name="domain_force"
+        >[('manager_ids', 'in', [user.id]), ('create_uid', '=', user.id)]</field>
+        <field name="groups" eval="[(4, ref('cetmix_tower_server.group_manager'))]" />
+        <field name="perm_read" eval="0" />
+        <field name="perm_write" eval="0" />
+        <field name="perm_create" eval="0" />
+        <field name="perm_unlink" eval="1" />
+    </record>
+
+    <record id="rule_key_manager_unlink_ssh" model="ir.rule">
+        <field name="name">Key: Manager Delete Access - SSH Key</field>
+        <field name="model_id" ref="model_cx_tower_key" />
+        <field name="domain_force">[('key_type', '=', 'k'),
+            ('server_ssh_ids.manager_ids', 'in', [user.id]),
+            ('create_uid', '=', user.id)]</field>
+        <field name="groups" eval="[(4, ref('cetmix_tower_server.group_manager'))]" />
+        <field name="perm_read" eval="0" />
+        <field name="perm_write" eval="0" />
+        <field name="perm_create" eval="0" />
+        <field name="perm_unlink" eval="1" />
+    </record>
+
+    <!-- Root Access Rule -->
+    <record id="rule_key_root" model="ir.rule">
+        <field name="name">Key: Root Full Access</field>
+        <field name="model_id" ref="model_cx_tower_key" />
+        <field name="domain_force">[(1, '=', 1)]</field>
+        <field name="groups" eval="[(4, ref('cetmix_tower_server.group_root'))]" />
+    </record>
+</odoo>