diff --git a/opa/user/delete.rego b/opa/user/delete.rego
new file mode 100644
index 0000000..ec31a55
--- /dev/null
+++ b/opa/user/delete.rego
@@ -0,0 +1,11 @@
+package user.delete
+
+default allow := false
+
+allow := true {
+    input.uuid == input.owner
+}
+
+allow := true {
+    input.role == "admin"
+}
diff --git a/opa/user/update.rego b/opa/user/update.rego
new file mode 100644
index 0000000..54d80a0
--- /dev/null
+++ b/opa/user/update.rego
@@ -0,0 +1,11 @@
+package user.update
+
+default allow := false
+
+allow := true {
+    input.uuid == input.owner
+}
+
+allow := true {
+    input.role == "admin"
+}