diff --git a/app/policies/break_escape/application_policy.rb b/app/policies/break_escape/application_policy.rb
new file mode 100644
index 0000000..a11f2e9
--- /dev/null
+++ b/app/policies/break_escape/application_policy.rb
@@ -0,0 +1,53 @@
+module BreakEscape
+ class ApplicationPolicy
+ attr_reader :user, :record
+
+ def initialize(user, record)
+ @user = user
+ @record = record
+ end
+
+ def index?
+ false
+ end
+
+ def show?
+ false
+ end
+
+ def create?
+ false
+ end
+
+ def new?
+ create?
+ end
+
+ def update?
+ false
+ end
+
+ def edit?
+ update?
+ end
+
+ def destroy?
+ false
+ end
+
+ class Scope
+ def initialize(user, scope)
+ @user = user
+ @scope = scope
+ end
+
+ def resolve
+ raise NotImplementedError
+ end
+
+ private
+
+ attr_reader :user, :scope
+ end
+ end
+end
diff --git a/app/policies/break_escape/game_policy.rb b/app/policies/break_escape/game_policy.rb
new file mode 100644
index 0000000..37152d7
--- /dev/null
+++ b/app/policies/break_escape/game_policy.rb
@@ -0,0 +1,46 @@
+module BreakEscape
+ class GamePolicy < ApplicationPolicy
+ def show?
+ # Owner or admin/account_manager
+ record.player == user || user&.admin? || user&.account_manager?
+ end
+
+ def update?
+ show?
+ end
+
+ def scenario?
+ show?
+ end
+
+ def ink?
+ show?
+ end
+
+ def bootstrap?
+ show?
+ end
+
+ def sync_state?
+ show?
+ end
+
+ def unlock?
+ show?
+ end
+
+ def inventory?
+ show?
+ end
+
+ class Scope < Scope
+ def resolve
+ if user&.admin? || user&.account_manager?
+ scope.all
+ else
+ scope.where(player: user)
+ end
+ end
+ end
+ end
+end
diff --git a/app/policies/break_escape/mission_policy.rb b/app/policies/break_escape/mission_policy.rb
new file mode 100644
index 0000000..b2563b7
--- /dev/null
+++ b/app/policies/break_escape/mission_policy.rb
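Review bot: In application_policy.rb, `raise NotImplementedError` in `Scope#resolve` raises a `ScriptError` subclass rather than a `StandardError`, so a bare `rescue` or a `rescue_from StandardError` handler will not catch it when a policy ships without its own scope; `raise NoMethodError, "You must define #resolve in #{self.class}"` fails at the same point with a message that names the offending class. The deny-by-default contract of the predicates deserves a class comment, for example `# Deny by default: every action is refused unless a subclass explicitly allows it.` The constructor accepts a nil `user` without complaint, so that comment should also say that subclasses are responsible for handling anonymous callers.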
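Review bot: In game_policy.rb, `record.player == user` in `show?` is true when both sides are nil, and the `user&.` calls next to it show that a nil user is expected to reach this policy; if a game can exist without a player (not visible here), an anonymous caller passes `show?` and, through it, `update?`, `sync_state?`, `unlock?` and the other delegating predicates. `Scope#resolve` has the same shape: `scope.where(player: user)` with a nil user selects the games whose player is NULL. Starting `show?` with `return false unless user` and `resolve` with `return scope.none unless user` closes both paths. The `user&.admin? || user&.account_manager?` test is written four times across this file and mission_policy.rb; a single private predicate on ApplicationPolicy would keep the definition of staff access in one place.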
@@ -0,0 +1,22 @@
+module BreakEscape
+ class MissionPolicy < ApplicationPolicy
+ def index?
+ true # Everyone can see mission list
+ end
+
+ def show?
+ # Published missions or admin
+ record.published? || user&.admin? || user&.account_manager?
+ end
+
+ class Scope < Scope
+ def resolve
+ if user&.admin? || user&.account_manager?
+ scope.all
+ else
+ scope.published
+ end
+ end
+ end
+ end
+end
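Review bot: `index?` in mission_policy.rb returns true for every caller, so the only thing keeping unpublished missions out of a listing is `Scope#resolve`; an index action that loads missions without going through the scope would show drafts to non-staff users. The inline comment should state that dependency, e.g. `# Open to everyone, anonymous included; unpublished missions are hidden only by Scope#resolve`. If these policies are driven by Pundit (the class layout suggests it, but the page does not say), `after_action :verify_policy_scoped, only: :index` in the controller makes a missed scope fail loudly instead of silently.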