diff --git a/app/models/ability.rb b/app/models/ability.rb index 5cf5b8d..3602bac 100644 --- a/app/models/ability.rb +++ b/app/models/ability.rb @@ -1,4 +1,6 @@ class Ability + CRUD = [:read, :create, :edit, :update, :destroy] + include CanCan::Ability attr_accessor :user attr_accessor :context 
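Review bot: `CRUD` is a mutable array that every grant in this class is built from, so it should be frozen: `CRUD = [:read, :create, :edit, :update, :destroy].freeze`. Without that, any code that appends to `Ability::CRUD` would widen the rules of every `Ability` built afterwards in the process. A one-line comment above it, such as `# explicit action list used instead of :manage; custom actions must be aliased to be permitted`, would also record why the list exists.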
@@ -7,30 +9,48 @@ class Ability @user = options[:user] || User.new @context = options[:context] || :application + action_aliases if user.persisted? - - # can manage his domains and records - can :manage, Domain, :user_id => user.id - can :manage, Record, :domain => {:user_id => user.id} - cannot :delete, SOA # it's deleted with the parent domain - - # can manage his hosts - can :manage, A, :user_id => user.id #, :domain => {:name => Settings.host_domains} + owner_abilities + sharing_abilities + end + + # See the wiki for details: https://github.com/ryanb/cancan/wiki/Defining-Abilities + end + + protected + + def owner_abilities + # can manage his domains and records + can CRUD, Domain, :user_id => user.id + can CRUD, Record, :domain => {:user_id => user.id} + cannot :delete, SOA # it's deleted with the parent domain - # can manage permissions for his domains - can :manage, Permission, :domain => {:user_id => user.id} + # can manage his hosts + can CRUD, A, :user_id => user.id #, :domain => {:name => Settings.host_domains} - # can manage shared domains and records - can :manage, Domain, :permissions.outer => {:user_id => user.id} - can :manage, Record, :domain => {:permissions.outer => {:user_id => user.id}} + # can manage permissions for his domains + can CRUD, Permission, :domain => {:user_id => user.id} + can :crud_permissions, Domain, :user_id => user.id + end + + def sharing_abilities + # can manage shared domains and records + can CRUD, Domain, :permissions.outer => {:user_id => user.id} + can CRUD, Record, :domain => {:permissions.outer => {:user_id => user.id}} - # can manage shared domains and records descendants - for domain in user.permitted_domains - can :manage, Domain, :name_reversed.matches => "#{domain.name_reversed}.%" # descendants - can :manage, Record, :domain => {:name_reversed.matches => "#{domain.name_reversed}.%"} # descendant's - end + # can manage shared domains and records descendants + for domain in user.permitted_domains + can CRUD, 
Domain, :name_reversed.matches => "#{domain.name_reversed}.%" # descendants + can CRUD, Record, :domain => {:name_reversed.matches => "#{domain.name_reversed}.%"} # descendant's end - - # See the wiki for details: https://github.com/ryanb/cancan/wiki/Defining-Abilities end + + def action_aliases + alias_action :row, :show_search, :render_field, :to => :read + alias_action :update_column, :add_association, :edit_associated, + :edit_associated, :new_existing, :add_existing, :to => :edit + alias_action :delete, :destroy_existing, :to => :destroy + end + end diff --git a/app/views/domains/_list_record_columns.html.erb b/app/views/domains/_list_record_columns.html.erb index d9f80a1..5f9b99e 100644 --- a/app/views/domains/_list_record_columns.html.erb +++ b/app/views/domains/_list_record_columns.html.erb @@ -11,7 +11,12 @@ <% elsif column.name == :permissions %> - <% column_value = 'Permissions (0)' if column_value == '-' %> + <% + if column_value == '-' + column_value = 'Permissions (0)' + authorized &&= can?(:crud_permissions, record) + end + %> <%= authorized ? render_list_column(column_value, column, record) : column_value %> <% else %>
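Review bot: `cannot :delete, SOA` in `owner_abilities` restricts only the `:delete` action and is declared before the rules in `sharing_abilities`, so it probably does not keep SOA records from being destroyed. `action_aliases` makes `:delete` an alias of `:destroy`, which `CRUD` grants on `Record`, and CanCan gives later rules precedence, so the shared-domain `can CRUD, Record, ...` rules would override it. If SOA is a `Record` subclass (not visible in this hunk), declaring `cannot :destroy, SOA` after the `sharing_abilities` call in `initialize` would cover the target action and both aliases for owners and sharers alike. Separately, the descendant rules interpolate `domain.name_reversed` into a LIKE pattern, so a `_` or `%` in a name would act as a wildcard and could match domains outside the shared subtree; escaping those characters before building `"#{...}.%"` would keep the grant exact. `initialize` starts outside the hunk, so the ordering claim assumes nothing earlier in it defines further rules.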
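Review bot: The `can?(:crud_permissions, record)` check runs only inside the `column_value == '-'` branch, so for a domain that already has permissions the link is still governed solely by `authorized`, which is computed outside this hunk. If the intent is that only the domain owner reaches permission management, apply the check unconditionally by placing `authorized &&= can?(:crud_permissions, record)` before the `if`. This only decides whether the link is rendered; the controller action behind it should enforce the same ability, which cannot be confirmed from this diff.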