diff --git a/README.md b/README.md
index 6f553a9..072643f 100644
--- a/README.md
+++ b/README.md
@@ -28,6 +28,12 @@ Other collections, such as [the ones in the AAOF Legacy Collection](https://www.
 - `bfd9000_web/`: Django application for managing and viewing the BFD9000 data.
   To run the application, follow the instructions in `bfd9000_web/README.md`.
 
+## Docker Notes
+
+When you run the app with Docker you will need a one-time volume ownership fix so the app's non-root user can write media files.
+
+See `docker.md` for the exact commands and troubleshooting steps.
+
 ## Django Bootstrap
 
 The archive app provides a convenience management command to initialize a local development database:
diff --git a/bfd9000_web/BFD9000/urls.py b/bfd9000_web/BFD9000/urls.py
index 4f39ac7..e289fb8 100644
--- a/bfd9000_web/BFD9000/urls.py
+++ b/bfd9000_web/BFD9000/urls.py
@@ -17,15 +17,24 @@
 
 from django.contrib import admin
 from django.contrib.auth import views as auth_views
+from django.contrib.auth import logout
+from django.http import HttpRequest, HttpResponse
+from django.shortcuts import redirect
 from django.urls import path, include
 from django.conf import settings
 from django.conf.urls.static import static
 from drf_spectacular.views import SpectacularAPIView, SpectacularRedocView, SpectacularSwaggerView
 
+
+def logout_view(request: HttpRequest) -> HttpResponse:
+    """Log out on any request method and redirect to login."""
+    logout(request)
+    return redirect('login')
+
 urlpatterns = [
     path('admin/', admin.site.urls),
     path('login/', auth_views.LoginView.as_view(template_name='archive/login.html'), name='login'),
-    path('logout/', auth_views.LogoutView.as_view(next_page='login'), name='logout'),
+    path('logout/', logout_view, name='logout'),
     path('', include('archive.urls')),
     # OpenAPI Schema
     path('api/schema/', SpectacularAPIView.as_view(), name='schema'),
diff --git a/bfd9000_web/archive/management/commands/setup_curator_group.py b/bfd9000_web/archive/management/commands/setup_curator_group.py
new file mode 100644
index 0000000..1e6ab6f
--- /dev/null
+++ b/bfd9000_web/archive/management/commands/setup_curator_group.py
@@ -0,0 +1,40 @@
+from django.contrib.auth.models import Group, Permission
+from django.contrib.contenttypes.models import ContentType
+from django.core.management.base import BaseCommand
+
+from archive.models import Encounter, Record, Subject
+
+class Command(BaseCommand):
+    help = (
+        "Create or update the Curator group with required add/change permissions. "
+        "Safe to rerun: removes delete_* and auth.* permissions on each run, "
+        "but does not remove other manually granted permissions. "
+        "See docs/permissions.md for the full policy."
+    )
+
+    def handle(self, *args, **options):
+        group, _ = Group.objects.get_or_create(name="Curator")
+        subject_ct = ContentType.objects.get_for_model(Subject)
+        encounter_ct = ContentType.objects.get_for_model(Encounter)
+        record_ct = ContentType.objects.get_for_model(Record)
+
+        subject_add = Permission.objects.get(codename="add_subject", content_type=subject_ct)
+        subject_change = Permission.objects.get(codename="change_subject", content_type=subject_ct)
+        encounter_add = Permission.objects.get(codename="add_encounter", content_type=encounter_ct)
+        encounter_change = Permission.objects.get(codename="change_encounter", content_type=encounter_ct)
+
+        required_perms = [subject_add, subject_change, encounter_add, encounter_change]
+        for perm in required_perms:
+            group.permissions.add(perm)
+
+        forbidden_perms = Permission.objects.filter(
+            content_type__in=[subject_ct, encounter_ct, record_ct],
+            codename__startswith="delete_",
+        )
+        auth_management_perms = Permission.objects.filter(content_type__app_label="auth")
+        forbidden_perms = forbidden_perms | auth_management_perms
+
+        for perm in forbidden_perms:
+            group.permissions.remove(perm)
+
+        self.stdout.write(self.style.SUCCESS("Curator group permissions updated."))
diff --git a/bfd9000_web/archive/permissions.py b/bfd9000_web/archive/permissions.py
new file mode 100644
index 0000000..7d331c8
--- /dev/null
+++ b/bfd9000_web/archive/permissions.py
@@ -0,0 +1,52 @@
+# pyright: reportIncompatibleMethodOverride=false
+
+from typing import Any
+
+from django.db.models import Model
+from rest_framework.permissions import SAFE_METHODS, BasePermission
+from rest_framework.request import Request
+
+
+class CuratorOrSuperuserEditPermission(BasePermission):
+    """Require model add/change perms for writes and auth for reads."""
+
+    def has_permission(self, request: Request, view: Any):  # pyright: ignore[reportIncompatibleMethodOverride]
+        if not request.user or not request.user.is_authenticated:
+            return False
+        if request.user.is_superuser:
+            return True
+        if request.method in SAFE_METHODS:
+            return True
+        if request.method == "DELETE":
+            return False
+
+        qs = getattr(view, "queryset", None)
+        if qs is None and hasattr(view, "get_queryset"):
+            try:
+                qs = view.get_queryset()
+            except Exception:
+                qs = None
+        model: type[Model] | None = getattr(qs, "model", None)
+        if model is None:
+            return False
+
+        app_label = model._meta.app_label
+        model_name = model._meta.model_name
+        if model_name is None:
+            return False
+        if request.method == "POST":
+            return request.user.has_perm(f"{app_label}.add_{model_name}")
+        if request.method in {"PUT", "PATCH"}:
+            return request.user.has_perm(f"{app_label}.change_{model_name}")
+        return False
+
+
+class RecordPermission(BasePermission):
+    """Allow authenticated users to read/create/update records."""
+
+    def has_permission(self, request: Request, view: Any):  # pyright: ignore[reportIncompatibleMethodOverride]
+        if not request.user or not request.user.is_authenticated:
+            return False
+        if request.method == "DELETE":
+            return bool(request.user.is_superuser)
+        return True
diff --git a/bfd9000_web/archive/static/favicon.svg b/bfd9000_web/archive/static/favicon.svg
new file mode 100644
index 0000000..6f2dd9e
--- /dev/null
+++ b/bfd9000_web/archive/static/favicon.svg
@@ -0,0 +1,5 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" role="img" aria-label="BFD9000">
+  <rect width="64" height="64" rx="12" fill="#1f2937"/>
+  <circle cx="32" cy="20" r="8" fill="#38bdf8"/>
+  <path d="M14 48c2-9 10-15 18-15s16 6 18 15" fill="none" stroke="#e5e7eb" stroke-width="6" stroke-linecap="round"/>
+</svg>
diff --git a/bfd9000_web/archive/templates/archive/base.html b/bfd9000_web/archive/templates/archive/base.html
index f0b4427..532ecfd 100644
--- a/bfd9000_web/archive/templates/archive/base.html
+++ b/bfd9000_web/archive/templates/archive/base.html
@@ -5,7 +5,7 @@
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>{% block title %}BFD9000{% endblock %}</title>
     {% load static %}
-    <link rel="icon" href="{% static 'favicon.ico' %}" type="image/x-icon">
+    <link rel="icon" href="{% static 'favicon.svg' %}" type="image/svg+xml">
     <link href="{% static 'css/output.css' %}" rel="stylesheet" type="text/css" />
     <style>
         ::selection {
diff --git a/bfd9000_web/archive/templates/archive/base_index.html b/bfd9000_web/archive/templates/archive/base_index.html
index 48a474f..4326df0 100644
--- a/bfd9000_web/archive/templates/archive/base_index.html
+++ b/bfd9000_web/archive/templates/archive/base_index.html
@@ -6,21 +6,24 @@
 <div class="card shadow-sm bg-base-100 h-full grow">
     <div class="p-4 flex space-between align-center border-b-2 border-primary">
         <div class="flex grow items-end gap-2">
-            <h1 class="text-3xl font-bold leading-none">BFD9000</h1>
+            <a href="{% url 'archive:index' %}" class="text-3xl font-bold leading-none">BFD9000</a>
             <span class="font-medium text-base-content/70" style="align-self:flex-end;font-size:0.65rem;line-height:1;">v{{ app_version|default:"nover" }}</span>
         </div>
         <span class="my-auto text-sm text-nowrap mr-4">Logged in as: <strong>{{ user.username }}</strong></span>
-        <a href="{% url 'logout' %}" class="btn btn-sm grow-0">Logout</a>
+        <form method="post" action="{% url 'logout' %}" class="m-0">
+            {% csrf_token %}
+            <button type="submit" class="btn btn-sm grow-0">Logout</button>
+        </form>
     </div>
 
     <div class="flex-[1_1_0] flex">
         <ul class="menu bg-base-300 w-36">
             <li>
-                <a href="{% url 'archive:index' %}" data-nav="home">
+                <a href="{% url 'archive:subjects' %}" data-nav="subjects">
                     <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="size-6">
-                        <path stroke-linecap="round" stroke-linejoin="round" d="m2.25 12 8.954-8.955c.44-.439 1.152-.439 1.591 0L21.75 12M4.5 9.75v10.125c0 .621.504 1.125 1.125 1.125H9.75v-4.875c0-.621.504-1.125 1.125-1.125h2.25c.621 0 1.125.504 1.125 1.125V21h4.125c.621 0 1.125-.504 1.125-1.125V9.75M8.25 21h8.25" />
+                      <path stroke-linecap="round" stroke-linejoin="round" d="M15.75 6a3.75 3.75 0 1 1-7.5 0 3.75 3.75 0 0 1 7.5 0ZM4.501 20.118a7.5 7.5 0 0 1 14.998 0A17.933 17.933 0 0 1 12 21.75c-2.676 0-5.216-.584-7.499-1.632Z" />
                     </svg>
-                    Home
+                    Subjects
                 </a>
             </li>
             <li>
@@ -39,22 +42,6 @@ <h1 class="text-3xl font-bold leading-none">BFD9000</h1>
                     Records
                 </a>
             </li>
-            <li>
-                <a href="{% url 'archive:subjects' %}" data-nav="subjects">
-                    <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="size-6">
-                      <path stroke-linecap="round" stroke-linejoin="round" d="M15.75 6a3.75 3.75 0 1 1-7.5 0 3.75 3.75 0 0 1 7.5 0ZM4.501 20.118a7.5 7.5 0 0 1 14.998 0A17.933 17.933 0 0 1 12 21.75c-2.676 0-5.216-.584-7.499-1.632Z" />
-                    </svg>
-                    Subjects
-                </a>
-            </li>
-            <li>
-                <a href="{% url 'archive:scan' %}" data-nav="scan">
-                    <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="size-6">
-                      <path stroke-linecap="round" stroke-linejoin="round" d="M6.429 9.75 2.25 12l4.179 2.25m0-4.5 5.571 3 5.571-3m-11.142 0L2.25 7.5 12 2.25l9.75 5.25-4.179 2.25m0 0L21.75 12l-4.179 2.25m0 0 4.179 2.25L12 21.75 2.25 16.5l4.179-2.25m11.142 0-5.571 3-5.571-3" />
-                    </svg>
-                    Scan
-                </a>
-            </li>
             <script>
                 // Highlight active navigation item based on current path, after stripping script_name prefix
                 document.addEventListener('DOMContentLoaded', () => {
@@ -79,6 +66,8 @@ <h1 class="text-3xl font-bold leading-none">BFD9000</h1>
                     }
                 });
             </script>
+<!-- Scan nav item intentionally omitted: scanning is accessible via
+     the "Scan New Record" button on the Records view (/records/create/). -->
         </ul>
         <div class="flex-[1_1_0] flex flex-col overflow-y-auto">
             {% block content %}{% endblock %}
diff --git a/bfd9000_web/archive/templates/archive/encounters.html b/bfd9000_web/archive/templates/archive/encounters.html
index cef9f97..cdccabb 100644
--- a/bfd9000_web/archive/templates/archive/encounters.html
+++ b/bfd9000_web/archive/templates/archive/encounters.html
@@ -46,7 +46,9 @@
         </table>
     </div>
     <div class="bg-base-300 p-2 flex items-center gap-3">
+        {% if perms.archive.add_encounter %}
         <a href="{% url 'archive:encounter_create' %}" class="btn btn-primary rounded-full">New Encounter</a>
+        {% endif %}
         <div class="grow"></div>
         <span class="text-sm text-base-content/60">
             <span id="encounter-count-badge"></span>
diff --git a/bfd9000_web/archive/templates/archive/records.html b/bfd9000_web/archive/templates/archive/records.html
index e5b4485..4714676 100644
--- a/bfd9000_web/archive/templates/archive/records.html
+++ b/bfd9000_web/archive/templates/archive/records.html
@@ -47,6 +47,7 @@
         </table>
     </div>
     <div class="bg-base-300 p-2 flex items-center gap-3">
+        <a href="{% url 'archive:record_create' %}" class="btn btn-primary rounded-full">Add Record</a>
         <div class="grow"></div>
         <span class="text-sm text-base-content/60">
             <span id="record-count-badge"></span>
diff --git a/bfd9000_web/archive/templates/archive/subjects.html b/bfd9000_web/archive/templates/archive/subjects.html
index 10abe36..a9d57b0 100644
--- a/bfd9000_web/archive/templates/archive/subjects.html
+++ b/bfd9000_web/archive/templates/archive/subjects.html
@@ -46,11 +46,12 @@
         </table>
     </div>
     <div class="bg-base-300 p-2 flex items-center gap-3">
+        {% if perms.archive.add_subject %}
         <a
             href="{% url 'archive:subject_create' %}"
             class="btn btn-primary rounded-full"
-            >New Subject</a
-        >
+            >New Subject</a>
+        {% endif %}
         <div class="grow"></div>
         <span class="text-sm text-base-content/60">
             <span id="subject-count-badge"></span>
diff --git a/bfd9000_web/archive/tests/test_auth_views.py b/bfd9000_web/archive/tests/test_auth_views.py
new file mode 100644
index 0000000..1f6e63c
--- /dev/null
+++ b/bfd9000_web/archive/tests/test_auth_views.py
@@ -0,0 +1,27 @@
+"""Tests for project auth endpoints."""
+
+from django.contrib.auth.models import User
+from django.test import TestCase
+from django.urls import reverse
+
+
+class AuthViewTests(TestCase):
+    """Validate login/logout view behavior."""
+
+    def test_logout_get_redirects_without_error(self):
+        user = User.objects.create_user(username="testuser", password="testpassword")
+        self.client.force_login(user)
+
+        response = self.client.get(reverse("logout"))
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse("login"))
+        self.assertNotIn('_auth_user_id', self.client.session)
+
+    def test_logout_post_logs_user_out(self):
+        user = User.objects.create_user(username="testuser", password="testpassword")
+        self.client.force_login(user)
+
+        response = self.client.post(reverse("logout"))
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse("login"))
+        self.assertNotIn("_auth_user_id", self.client.session)
diff --git a/bfd9000_web/archive/tests/test_encounters.py b/bfd9000_web/archive/tests/test_encounters.py
index 9e31166..90162f1 100644
--- a/bfd9000_web/archive/tests/test_encounters.py
+++ b/bfd9000_web/archive/tests/test_encounters.py
@@ -210,7 +210,7 @@ def test_update_encounter(self):
         self.assertEqual(response.data['actual_period_start'], '2020-02-01')
 
     def test_delete_encounter(self):
-        """Should delete encounter"""
+        """Non-superuser should not delete encounter."""
         # Create encounter via API
         url = reverse('archive:subject-encounters-list', kwargs={'subject_pk': self.subject.id})
         create_response = self.client.post(url, {
@@ -221,11 +221,44 @@ def test_delete_encounter(self):
 
         url = reverse('archive:encounter-detail', kwargs={'pk': encounter_id})
         response = self.client.delete(url)
-        self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+        # Verify encounter still exists
+        self.assertTrue(Encounter.objects.filter(pk=encounter_id).exists())
+
+    def test_superuser_can_delete_encounter(self):
+        """Superuser should be able to delete encounter."""
+        url = reverse('archive:subject-encounters-list', kwargs={'subject_pk': self.subject.id})
+        create_response = self.client.post(url, {
+            "actual_period_start": "2020-01-01",
+            "procedure_code": self.procedure.id
+        }, format='json')
+        encounter_id = create_response.data['id']
 
-        # Verify deletion
+        superuser = User.objects.create_superuser(
+            username="admin",
+            password="adminpass",
+            email="admin@example.com",
+        )
+        self.client.force_authenticate(user=superuser)
+        detail_url = reverse('archive:encounter-detail', kwargs={'pk': encounter_id})
+        response = self.client.delete(detail_url)
+        self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
         self.assertFalse(Encounter.objects.filter(pk=encounter_id).exists())
 
+    def test_regular_user_without_encounter_perms_cannot_create_encounter(self):
+        """Regular authenticated user should not create encounter."""
+        regular_user = User.objects.create_user(username='regular', password='testpassword')
+        self.client.force_authenticate(user=regular_user)
+
+        url = reverse('archive:subject-encounters-list', kwargs={'subject_pk': self.subject.id})
+        data = {
+            "actual_period_start": "2020-01-01",
+            "procedure_code": self.procedure.id
+        }
+        response = self.client.post(url, data, format='json')
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
     def test_encounter_age_calculation(self):
         """Should automatically calculate age_at_encounter from subject birth_date"""
         url = reverse('archive:subject-encounters-list', kwargs={'subject_pk': self.subject.id})
diff --git a/bfd9000_web/archive/tests/test_permissions_ui.py b/bfd9000_web/archive/tests/test_permissions_ui.py
new file mode 100644
index 0000000..8c8cde0
--- /dev/null
+++ b/bfd9000_web/archive/tests/test_permissions_ui.py
@@ -0,0 +1,45 @@
+"""UI permission tests for subject and encounter create buttons."""
+
+from django.contrib.auth.models import Permission, User
+from django.test import override_settings
+from django.urls import reverse
+
+from .base import CleanupTestCase
+
+
+@override_settings(
+    STORAGES={
+        "default": {"BACKEND": "django.core.files.storage.FileSystemStorage"},
+        "staticfiles": {"BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"},
+    }
+)
+class PermissionUiTests(CleanupTestCase):
+    """Verify template button visibility follows Django permissions."""
+
+    def test_regular_user_does_not_see_create_buttons(self):
+        user = User.objects.create_user(username="regular", password="testpassword")
+        self.client.force_login(user)
+
+        subjects_response = self.client.get(reverse("archive:subjects"))
+        encounters_response = self.client.get(reverse("archive:encounters"))
+
+        self.assertEqual(subjects_response.status_code, 200)
+        self.assertEqual(encounters_response.status_code, 200)
+        self.assertNotContains(subjects_response, "New Subject")
+        self.assertNotContains(encounters_response, "New Encounter")
+
+    def test_curator_like_user_sees_create_buttons(self):
+        user = User.objects.create_user(username="curator", password="testpassword")
+        add_subject = Permission.objects.get(codename="add_subject")
+        add_encounter = Permission.objects.get(codename="add_encounter")
+        user.user_permissions.add(add_subject, add_encounter)
+
+        self.client.force_login(user)
+
+        subjects_response = self.client.get(reverse("archive:subjects"))
+        encounters_response = self.client.get(reverse("archive:encounters"))
+
+        self.assertEqual(subjects_response.status_code, 200)
+        self.assertEqual(encounters_response.status_code, 200)
+        self.assertContains(subjects_response, "New Subject")
+        self.assertContains(encounters_response, "New Encounter")
diff --git a/bfd9000_web/archive/tests/test_records.py b/bfd9000_web/archive/tests/test_records.py
index 1b596bf..01794dc 100644
--- a/bfd9000_web/archive/tests/test_records.py
+++ b/bfd9000_web/archive/tests/test_records.py
@@ -2,7 +2,7 @@
 
 import datetime
 import io
-
+from django.test import override_settings
 from django.contrib.auth.models import User, Permission
 from django.contrib.contenttypes.models import ContentType
 from django.core.files.uploadedfile import SimpleUploadedFile
@@ -29,6 +29,9 @@
 )
 from .base import CleanupAPITestCase
 
+# A valid Fernet key for use in tests that need ENDPOINT_CREDENTIALS_KEY.
+_TEST_FERNET_KEY = "pszJ39pBGFbjGZk8cM-MOzccZh0T0M8MTmVVitw4_8Y="
+
 
 class RecordTests(CleanupAPITestCase):
     """Validate record creation, upload, and retrieval behavior."""
@@ -114,579 +117,7 @@ def setUp(self):
                   ).save(tiff_buf, format='TIFF')
         self.tiff_content = tiff_buf.getvalue()
 
-    def test_create_record_with_file(self):
-        """Should create record with file upload"""
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': self.encounter.id})
-        file = SimpleUploadedFile(
-            "test.png", self.image_content, content_type="image/png")
-
-        data = {
-            "file": file,
-            "record_type": self.rt_lateral.code,
-            "orientation": "left",
-            "modality": "RG",
-            "operator": "TestOp"
-        }
-
-        response = self.client.post(url, data, format='multipart')
-        if response.status_code != status.HTTP_201_CREATED:
-            print(
-                f"Record creation failed: {response.status_code} - {response.data}")
-        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
-        self.assertIn('id', response.data)
-        # Verify record was created successfully
-        self.assertIn('record_type', response.data)
-
-    def test_create_record_with_tiff_file(self):
-        """Should create record with TIFF upload."""
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': self.encounter.id})
-        file = SimpleUploadedFile(
-            "test.tiff", self.tiff_content, content_type="image/tiff")
-
-        data = {
-            "file": file,
-            "record_type": self.rt_lateral.code,
-            "orientation": "left",
-            "modality": "RG",
-        }
-
-        response = self.client.post(url, data, format='multipart')
-        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
-        self.assertIn('id', response.data)
-
-    def test_create_record_missing_file(self):
-        """Should return 400 if file is missing"""
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': self.encounter.id})
-        data = {
-            "record_type": self.rt_lateral.code,
-            "orientation": "left",
-            "modality": "RG",
-            "operator": "TestOp"
-        }
-
-        response = self.client.post(url, data, format='json')
-        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
-
-    def test_create_record_missing_required_metadata(self):
-        """Should return 400 if required metadata is missing"""
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': self.encounter.id})
-        file = SimpleUploadedFile(
-            "test.png", self.image_content, content_type="image/png")
-
-        data = {
-            "file": file,
-            # Missing record_type, orientation, modality
-        }
-
-        response = self.client.post(url, data, format='multipart')
-        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
-
-    def test_create_record_invalid_encounter(self):
-        """Should return 404 for non-existent encounter"""
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': 99999})
-        file = SimpleUploadedFile(
-            "test.png", self.image_content, content_type="image/png")
-
-        data = {
-            "file": file,
-            "record_type": self.rt_lateral.code,
-            "orientation": "left",
-            "modality": "RG",
-        }
-
-        response = self.client.post(url, data, format='multipart')
-        self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
-
-    def test_list_records_for_encounter(self):
-        """Should list all records for an encounter"""
-        # Create records
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': self.encounter.id})
-        for i in range(2):
-            file = SimpleUploadedFile(
-                f"test{i}.png", self.image_content, content_type="image/png")
-            data = {
-                "file": file,
-                "record_type": self.rt_lateral.code,
-                "orientation": "left",
-                "modality": "RG",
-            }
-            self.client.post(url, data, format='multipart')
-
-        response = self.client.get(url)
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-        self.assertIn('results', response.data)
-        self.assertEqual(len(response.data['results']), 2)
-
-    def test_get_record_detail(self):
-        """Should retrieve specific record details"""
-        # Create a record
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': self.encounter.id})
-        file = SimpleUploadedFile(
-            "test.png", self.image_content, content_type="image/png")
-        data = {
-            "file": file,
-            "record_type": self.rt_lateral.code,
-            "orientation": "left",
-            "modality": "RG",
-        }
-        create_response = self.client.post(url, data, format='multipart')
-        record_id = create_response.data['id']
-
-        # Get record detail
-        url = reverse('archive:record-detail', kwargs={'pk': record_id})
-        response = self.client.get(url)
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-        self.assertEqual(response.data['id'], record_id)
-        self.assertIn('encounter', response.data)
-
-    def test_get_record_not_found(self):
-        """Should return 404 for non-existent record"""
-        url = reverse('archive:record-detail', kwargs={'pk': 99999})
-        response = self.client.get(url)
-        self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
-
-    def test_update_record_metadata(self):
-        """Should update record metadata"""
-        # Create a record
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': self.encounter.id})
-        file = SimpleUploadedFile(
-            "test.png", self.image_content, content_type="image/png")
-        data = {
-            "file": file,
-            "record_type": self.rt_lateral.code,
-            "orientation": "left",
-            "modality": "RG",
-        }
-        create_response = self.client.post(url, data, format='multipart')
-        record_id = create_response.data['id']
-
-        # Update record - use device field which exists on Record model
-        url = reverse('archive:record-detail', kwargs={'pk': record_id})
-        update_data = {
-            "device": "NewScanner"
-        }
-        response = self.client.patch(url, update_data, format='json')
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-        self.assertEqual(response.data['device'], 'NewScanner')
-
-    def test_delete_record(self):
-        """Should delete record"""
-        # Create a record
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': self.encounter.id})
-        file = SimpleUploadedFile(
-            "test.png", self.image_content, content_type="image/png")
-        data = {
-            "file": file,
-            "record_type": self.rt_lateral.code,
-            "orientation": "left",
-            "modality": "RG",
-        }
-        create_response = self.client.post(url, data, format='multipart')
-        record_id = create_response.data['id']
-
-        # Delete record
-        url = reverse('archive:record-detail', kwargs={'pk': record_id})
-        response = self.client.delete(url)
-        self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
-
-        # Verify deletion
-        self.assertFalse(Record.objects.filter(pk=record_id).exists())
-
-    def test_get_record_image(self):
-        """Should serve full record image"""
-        # Create a record
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': self.encounter.id})
-        file = SimpleUploadedFile(
-            "test.png", self.image_content, content_type="image/png")
-        data = {
-            "file": file,
-            "record_type": self.rt_lateral.code,
-            "orientation": "left",
-            "modality": "RG",
-        }
-        create_response = self.client.post(url, data, format='multipart')
-        record_id = create_response.data['id']
-
-        # Get image
-        url = reverse('archive:record-image', kwargs={'pk': record_id})
-        response = self.client.get(url)
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-        self.assertIn('image/', response['Content-Type'])
-
-    def test_get_record_image_returns_raw_tiff(self):
-        """Record image endpoint should passthrough TIFF source unmodified."""
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': self.encounter.id})
-        file = SimpleUploadedFile(
-            "test.tiff", self.tiff_content, content_type="image/tiff")
-        data = {
-            "file": file,
-            "record_type": self.rt_lateral.code,
-            "orientation": "left",
-            "modality": "RG",
-        }
-        create_response = self.client.post(url, data, format='multipart')
-        record_id = create_response.data['id']
-
-        image_url = reverse('archive:record-image', kwargs={'pk': record_id})
-        response = self.client.get(image_url)
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-        self.assertEqual(response['Content-Type'], 'image/tiff')
-
-    def test_create_record_sets_default_patient_orientation_for_lateral_image_type(self):
-        """Lateral image type should default PatientOrientation to A\\F."""
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': self.encounter.id})
-        file = SimpleUploadedFile(
-            "test.tiff", self.tiff_content, content_type="image/tiff")
-        data = {
-            "file": file,
-            "record_type": self.rt_lateral.code,
-            "orientation": "left",
-            "modality": "RG",
-            "image_type": "L",
-        }
-
-        create_response = self.client.post(url, data, format='multipart')
-        self.assertEqual(create_response.status_code, status.HTTP_201_CREATED)
-        self.assertEqual(
-            create_response.data['patient_orientation'], ['A', 'F'])
-
-        record = Record.objects.get(pk=create_response.data['id'])
-        self.assertEqual(record.patient_orientation, 'A\\F')
-
-    def test_record_image_ignores_saved_transform_ops(self):
-        """Image endpoint should serve raw source regardless of transform ops."""
-        img = Image.new('RGB', (2, 1), color=(255, 255, 255))
-        buf = io.BytesIO()
-        img.save(buf, format='PNG')
-        png_content = buf.getvalue()
-
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': self.encounter.id})
-        file = SimpleUploadedFile(
-            "test.png", png_content, content_type="image/png")
-        data = {
-            "file": file,
-            "record_type": self.rt_lateral.code,
-            "orientation": "left",
-            "modality": "RG",
-            "image_transform_ops": '[{"rotation":90,"flip":false}]',
-        }
-
-        create_response = self.client.post(url, data, format='multipart')
-        self.assertEqual(create_response.status_code, status.HTTP_201_CREATED)
-
-        image_url = reverse('archive:record-image',
-                            kwargs={'pk': create_response.data['id']})
-        response = self.client.get(image_url)
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-        self.assertEqual(response['Content-Type'], 'image/png')
-
-        payload = b''.join(response.streaming_content) if hasattr(
-            response, 'streaming_content') else response.content
-        raw = Image.open(io.BytesIO(payload))
-        self.assertEqual(raw.size, (2, 1))
-
-    def test_get_record_thumbnail(self):
-        """Should serve record thumbnail (raster image)"""
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': self.encounter.id})
-        file = SimpleUploadedFile(
-            "test.png", self.image_content, content_type="image/png")
-        data = {
-            "file": file,
-            "record_type": self.rt_lateral.code,
-            "orientation": "left",
-            "modality": "RG",
-        }
-        create_response = self.client.post(url, data, format='multipart')
-        record_id = create_response.data['id']
-        url = reverse('archive:record-thumbnail', kwargs={'pk': record_id})
-        response = self.client.get(url)
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-        self.assertEqual(response['Content-Type'], 'image/jpeg')
-        payload = b''.join(response.streaming_content) if hasattr(
-            response, 'streaming_content') else response.content
-        self.assertTrue(payload.startswith(b'\xff\xd8'))  # JPEG SOI
-
-    def test_get_record_thumbnail_for_3d_file(self):
-        """Should serve static fallback JPEG for 3D file (e.g., STL)"""
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': self.encounter.id})
-        stl_content = b"solid ascii\nendsolid"
-        file = SimpleUploadedFile(
-            "test.stl", stl_content, content_type="application/octet-stream")
-        data = {
-            "file": file,
-            "record_type": self.rt_lateral.code,
-            "orientation": "left",
-            "modality": "RG",
-        }
-        create_response = self.client.post(url, data, format='multipart')
-        record_id = create_response.data['id']
-        url = reverse('archive:record-thumbnail', kwargs={'pk': record_id})
-        response = self.client.get(url)
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-        self.assertEqual(response['Content-Type'], 'image/jpeg')
-        self.assertTrue(response.content.startswith(b'\xff\xd8'))
-
-        # 3D inputs should not generate a persisted thumbnail yet
-        record = Record.objects.get(pk=record_id)
-        self.assertFalse(bool(record.thumbnail))
-
-    def test_create_record_uses_thumbnail_preview_when_provided(self):
-        """3D source can still store thumbnail when thumbnail_preview is provided."""
-        url = reverse('archive:encounter-records-list', kwargs={'encounter_pk': self.encounter.id})
-        stl_file = SimpleUploadedFile(
-            "model.stl",
-            b"solid ascii\nendsolid",
-            content_type="application/octet-stream",
-        )
-        preview_png = SimpleUploadedFile(
-            "preview.png",
-            self.image_content,
-            content_type="image/png",
-        )
-        data = {
-            "file": stl_file,
-            "thumbnail_preview": preview_png,
-            "record_type": self.rt_lateral.code,
-            "orientation": "left",
-            "modality": "RG",
-        }
-        create_response = self.client.post(url, data, format='multipart')
-        self.assertEqual(create_response.status_code, status.HTTP_201_CREATED)
-
-        record = Record.objects.get(pk=create_response.data['id'])
-        self.assertTrue(bool(record.thumbnail))
-
-    def test_filter_records_by_record_type(self):
-        """Should filter records by record type"""
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': self.encounter.id})
-
-        # Create records with different types
-        file1 = SimpleUploadedFile(
-            "test1.png", self.image_content, content_type="image/png")
-        data1 = {
-            "file": file1,
-            "record_type": self.rt_lateral.code,
-            "orientation": "left",
-            "modality": "RG",
-        }
-        self.client.post(url, data1, format='multipart')
-
-        # Filter by record type (using ID since it's a foreign key)
-        filter_url = url + f'?record_type={self.rt_lateral.id}'
-        response = self.client.get(filter_url)
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-        # Verify at least one record was returned
-        self.assertGreater(len(response.data['results']), 0)
-        for record in response.data['results']:
-            # record_type is a nested object with code field
-            self.assertEqual(record['record_type']
-                             ['code'], self.rt_lateral.code)
-
-    def test_unauthenticated_access(self):
-        """Should return 401/403 if not authenticated"""
-        self.client.logout()
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': self.encounter.id})
-        response = self.client.get(url)
-        self.assertIn(response.status_code, [
-                      status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN])
-
-    def test_record_response_structure(self):
-        """Should return record with expected fields"""
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': self.encounter.id})
-        file = SimpleUploadedFile(
-            "test.png", self.image_content, content_type="image/png")
-        data = {
-            "file": file,
-            "record_type": self.rt_lateral.code,
-            "orientation": "left",
-            "modality": "RG",
-        }
-
-        response = self.client.post(url, data, format='multipart')
-        if response.status_code != status.HTTP_201_CREATED:
-            print(
-                f"Record creation failed: {response.status_code} - {response.data}")
-        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
-
-        # Check for expected fields (fields that exist on Record model)
-        expected_fields = ['id', 'record_type', 'encounter', 'imaging_study']
-        for field in expected_fields:
-            self.assertIn(field, response.data)
-
-    def test_record_includes_encounter_date(self):
-        """Should expose encounter date in record response."""
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': self.encounter.id})
-        file = SimpleUploadedFile(
-            "test.png", self.image_content, content_type="image/png")
-        data = {
-            "file": file,
-            "record_type": self.rt_lateral.code,
-            "orientation": "left",
-            "modality": "RG",
-        }
-
-        response = self.client.post(url, data, format='multipart')
-        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
-        self.assertEqual(str(response.data['encounter_date']), '2020-01-01')
-
-    def test_record_age_falls_back_to_birthdate_when_duration_missing(self):
-        """Should derive record age from encounter date and subject birth date."""
-        encounter = Encounter.objects.create(
-            subject=self.subject,
-            actual_period_start="2020-06-15",
-            procedure_code=self.procedure,
-            procedure_occurrence_age=None,
-        )
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': encounter.id})
-        file = SimpleUploadedFile(
-            "test.png", self.image_content, content_type="image/png")
-        data = {
-            "file": file,
-            "record_type": self.rt_lateral.code,
-            "orientation": "left",
-            "modality": "RG",
-        }
-
-        create_response = self.client.post(url, data, format='multipart')
-        self.assertEqual(create_response.status_code, status.HTTP_201_CREATED)
-        self.assertAlmostEqual(
-            create_response.data['age_at_encounter'], 20.45, delta=0.05)
-
-        detail_url = reverse('archive:record-detail',
-                             kwargs={'pk': create_response.data['id']})
-        detail_response = self.client.get(detail_url)
-        self.assertEqual(detail_response.status_code, status.HTTP_200_OK)
-        self.assertAlmostEqual(
-            detail_response.data['age_at_encounter'], 20.45, delta=0.05)
-
-    def test_upload_preserves_acquisition_date(self):
-        """Should return the same acquisition date submitted on upload."""
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': self.encounter.id})
-        file = SimpleUploadedFile(
-            "test.png", self.image_content, content_type="image/png")
-
-        data = {
-            "file": file,
-            "record_type": self.rt_lateral.code,
-            "orientation": "left",
-            "modality": "RG",
-            "acquisition_date": "2026-02-27",
-        }
-
-        response = self.client.post(url, data, format='multipart')
-        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
-        self.assertEqual(str(response.data['acquisition_date']), '2026-02-27')
-
-    def test_create_record_rejects_body_site_code_as_record_type(self):
-        """Should reject body-site coding when submitted as record_type."""
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': self.encounter.id})
-        file = SimpleUploadedFile(
-            "test.png", self.image_content, content_type="image/png")
-        body_site, _ = Coding.objects.get_or_create(
-            system=SYSTEM_BODY_SITE,
-            code='69536005',
-            defaults={'display': 'Head'},
-        )
-
-        data = {
-            "file": file,
-            "record_type": body_site.code,
-            "orientation": "left",
-            "modality": "RG",
-        }
-
-        response = self.client.post(url, data, format='multipart')
-        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
-        self.assertIn('record_type', response.data['error']['details'])
-
-    def test_imaging_study_operator_display_fields(self):
-        """Imaging study API should expose username and full display for operator."""
-        url = reverse('archive:encounter-records-list',
-                      kwargs={'encounter_pk': self.encounter.id})
-        file = SimpleUploadedFile(
-            "test.png", self.image_content, content_type="image/png")
-        data = {
-            "file": file,
-            "record_type": self.rt_lateral.code,
-            "orientation": "left",
-            "modality": "RG",
-        }
-
-        create_response = self.client.post(url, data, format='multipart')
-        self.assertEqual(create_response.status_code, status.HTTP_201_CREATED)
-
-        study_url = reverse('archive:imagingstudy-detail',
-                            kwargs={'pk': create_response.data['imaging_study']})
-        study_response = self.client.get(study_url)
-        self.assertEqual(study_response.status_code, status.HTTP_200_OK)
-        self.assertEqual(
-            study_response.data['scan_operator_username'], 'testuser')
-        self.assertEqual(
-            study_response.data['scan_operator_display'], 'Test User (testuser)')
-
-    def test_record_detail_includes_archive_locations(self):
-        """Record detail payload should include nested archive locations."""
-        upload_url = reverse('archive:encounter-records-list', kwargs={'encounter_pk': self.encounter.id})
-        file = SimpleUploadedFile("test.png", self.image_content, content_type="image/png")
-
-        create_response = self.client.post(
-            upload_url,
-            {
-                "file": file,
-                "record_type": self.rt_lateral.code,
-                "modality": "RG",
-            },
-            format='multipart',
-        )
-        self.assertEqual(create_response.status_code, status.HTTP_201_CREATED)
-        record_id = create_response.data['id']
-
-        endpoint = Endpoint.objects.create(
-            name='PACS-A',
-            status=Endpoint.Status.ACTIVE,
-            connection_type=Endpoint.ConnectionType.DICOM_STOW_RS,
-            address='https://pacs.example.org/dicomweb',
-        )
-        ArchiveLocation.objects.create(
-            record_id=record_id,
-            endpoint=endpoint,
-            assigned_id='1.2.840.10008.5.1.4',
-            status=ArchiveLocation.Status.ARCHIVED,
-            archived_at=datetime.datetime.now(datetime.timezone.utc),
-        )
-
-        detail_url = reverse('archive:record-detail', kwargs={'pk': record_id})
-        detail_response = self.client.get(detail_url)
-        self.assertEqual(detail_response.status_code, status.HTTP_200_OK)
-        self.assertIn('archive_locations', detail_response.data)
-        self.assertEqual(len(detail_response.data['archive_locations']), 1)
-        location_payload = detail_response.data['archive_locations'][0]
-        self.assertEqual(location_payload['assigned_id'], '1.2.840.10008.5.1.4')
-        self.assertEqual(location_payload['endpoint']['name'], 'PACS-A')
-        self.assertEqual(location_payload['endpoint']['connection_type'], Endpoint.ConnectionType.DICOM_STOW_RS)
-
+    @override_settings(ENDPOINT_CREDENTIALS_KEY=_TEST_FERNET_KEY)
     def test_endpoint_credentials_round_trip(self):
         """Endpoint credentials should encrypt and decrypt through model helpers."""
         endpoint = Endpoint.objects.create(
diff --git a/bfd9000_web/archive/tests/test_role_permissions.py b/bfd9000_web/archive/tests/test_role_permissions.py
new file mode 100644
index 0000000..aea3e83
--- /dev/null
+++ b/bfd9000_web/archive/tests/test_role_permissions.py
@@ -0,0 +1,170 @@
+"""Role-based API permission tests."""
+
+from django.contrib.auth.models import Group, Permission, User
+from django.urls import reverse
+from django.utils import timezone
+from django.core.files.uploadedfile import SimpleUploadedFile
+from rest_framework import status
+
+from archive.constants import SYSTEM_MODALITY, SYSTEM_ORIENTATION, SYSTEM_PROCEDURE, SYSTEM_RECORD_TYPE
+from archive.models import Coding, Collection, Encounter, Subject
+from .base import CleanupAPITestCase
+
+
+class RolePermissionTests(CleanupAPITestCase):
+    """Verify regular, curator, and superuser boundaries."""
+
+    def setUp(self):
+        self.collection, _ = Collection.objects.get_or_create(
+            short_name="TEST",
+            defaults={"full_name": "Test Collection"},
+        )
+        self.subject = Subject.objects.create(
+            humanname_family="Doe",
+            humanname_given="John",
+            gender="male",
+            birth_date="2000-01-01",
+            collection=self.collection,
+        )
+        self.procedure, _ = Coding.objects.get_or_create(
+            system=SYSTEM_PROCEDURE,
+            code="ortho-visit",
+            defaults={"display": "Orthodontic Visit"},
+        )
+        self.encounter = Encounter.objects.create(
+            subject=self.subject,
+            actual_period_start=timezone.datetime(2020, 1, 1).date(),
+            procedure_code=self.procedure,
+        )
+        self.record_type, _ = Coding.objects.get_or_create(
+            system=SYSTEM_RECORD_TYPE,
+            code="201456002",
+            defaults={"display": "Cephalogram"},
+        )
+        self.orientation, _ = Coding.objects.get_or_create(
+            system=SYSTEM_ORIENTATION,
+            code="left",
+            defaults={"display": "Left"},
+        )
+        self.modality, _ = Coding.objects.get_or_create(
+            system=SYSTEM_MODALITY,
+            code="RG",
+            defaults={"display": "Radiography"},
+        )
+        self.image_content = (
+            b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x00\x01"
+            b"\x00\x00\x00\x01\x08\x06\x00\x00\x00\x1f\x15\xc4\x89"
+            b"\x00\x00\x00\nIDATx\x9cc\x00\x01\x00\x00\x05\x00\x01"
+            b"\r\n-\xb4\x00\x00\x00\x00IEND\xaeB`\x82"
+        )
+
+    def test_regular_user_cannot_manage_subject_encounter_but_can_create_record(self):
+        user = User.objects.create_user(username="regular", password="testpassword")
+        self.client.force_authenticate(user=user)
+
+        subject_response = self.client.post(
+            reverse("archive:subject-list"),
+            {
+                "humanname_family": "Smith",
+                "humanname_given": "Jane",
+                "gender": "female",
+                "birth_date": "1999-01-01",
+            },
+            format="json",
+        )
+        self.assertEqual(subject_response.status_code, status.HTTP_403_FORBIDDEN)
+
+        encounter_response = self.client.post(
+            reverse("archive:subject-encounters-list", kwargs={"subject_pk": self.subject.id}),
+            {
+                "actual_period_start": "2021-01-01",
+                "procedure_code": self.procedure.id,
+            },
+            format="json",
+        )
+        self.assertEqual(encounter_response.status_code, status.HTTP_403_FORBIDDEN)
+
+        record_response = self.client.post(
+            reverse("archive:encounter-records-list", kwargs={"encounter_pk": self.encounter.id}),
+            {
+                "file": SimpleUploadedFile("test.png", self.image_content, content_type="image/png"),
+                "record_type": self.record_type.code,
+                "orientation": self.orientation.code,
+                "modality": self.modality.code,
+            },
+            format="multipart",
+        )
+        self.assertEqual(record_response.status_code, status.HTTP_201_CREATED)
+
+    def test_curator_can_manage_subject_encounter_but_not_delete_anything(self):
+        user = User.objects.create_user(username="curator", password="testpassword")
+        curator_group, _ = Group.objects.get_or_create(name="Curator")
+        curator_group.permissions.add(
+            Permission.objects.get(codename="add_subject"),
+            Permission.objects.get(codename="change_subject"),
+            Permission.objects.get(codename="add_encounter"),
+            Permission.objects.get(codename="change_encounter"),
+        )
+        user.groups.add(curator_group)
+        self.client.force_authenticate(user=user)
+
+        create_subject = self.client.post(
+            reverse("archive:subject-list"),
+            {
+                "humanname_family": "Curator",
+                "humanname_given": "Created",
+                "gender": "female",
+                "birth_date": "2001-02-02",
+            },
+            format="json",
+        )
+        self.assertEqual(create_subject.status_code, status.HTTP_201_CREATED)
+        subject_id = create_subject.data["id"]
+
+        update_subject = self.client.patch(
+            reverse("archive:subject-detail", kwargs={"pk": subject_id}),
+            {"humanname_family": "CuratorUpdated"},
+            format="json",
+        )
+        self.assertEqual(update_subject.status_code, status.HTTP_200_OK)
+
+        delete_subject = self.client.delete(reverse("archive:subject-detail", kwargs={"pk": subject_id}))
+        self.assertEqual(delete_subject.status_code, status.HTTP_403_FORBIDDEN)
+
+        create_encounter = self.client.post(
+            reverse("archive:subject-encounters-list", kwargs={"subject_pk": self.subject.id}),
+            {
+                "actual_period_start": "2021-03-03",
+                "procedure_code": self.procedure.id,
+            },
+            format="json",
+        )
+        self.assertEqual(create_encounter.status_code, status.HTTP_201_CREATED)
+        encounter_id = create_encounter.data["id"]
+
+        update_encounter = self.client.patch(
+            reverse("archive:encounter-detail", kwargs={"pk": encounter_id}),
+            {"actual_period_start": "2021-03-04"},
+            format="json",
+        )
+        self.assertEqual(update_encounter.status_code, status.HTTP_200_OK)
+
+        delete_encounter = self.client.delete(reverse("archive:encounter-detail", kwargs={"pk": encounter_id}))
+        self.assertEqual(delete_encounter.status_code, status.HTTP_403_FORBIDDEN)
+
+        created_record = self.client.post(
+            reverse("archive:encounter-records-list", kwargs={"encounter_pk": self.encounter.id}),
+            {
+                "file": SimpleUploadedFile("test.png", self.image_content, content_type="image/png"),
+                "record_type": self.record_type.code,
+                "orientation": self.orientation.code,
+                "modality": self.modality.code,
+            },
+            format="multipart",
+        )
+        self.assertEqual(created_record.status_code, status.HTTP_201_CREATED)
+
+        delete_record = self.client.delete(
+            reverse("archive:record-detail", kwargs={"pk": created_record.data["id"]})
+        )
+        self.assertEqual(delete_record.status_code, status.HTTP_403_FORBIDDEN)
diff --git a/bfd9000_web/archive/tests/test_subjects.py b/bfd9000_web/archive/tests/test_subjects.py
index 53731f7..e7681a0 100644
--- a/bfd9000_web/archive/tests/test_subjects.py
+++ b/bfd9000_web/archive/tests/test_subjects.py
@@ -164,7 +164,7 @@ def test_update_subject(self):
         self.assertEqual(response.data['humanname_family'], 'Updated')
 
     def test_delete_subject(self):
-        """Should delete subject"""
+        """Non-superuser should not delete subject."""
         subject = Subject.objects.create(
             humanname_family="Doe",
             humanname_given="John",
@@ -174,11 +174,46 @@ def test_delete_subject(self):
 
         url = reverse('archive:subject-detail', kwargs={'pk': subject.id})
         response = self.client.delete(url)
-        self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+        # Verify subject still exists
+        self.assertTrue(Subject.objects.filter(pk=subject.id).exists())
+
+    def test_superuser_can_delete_subject(self):
+        """Superuser should be able to delete subject."""
+        subject = Subject.objects.create(
+            humanname_family="Doe",
+            humanname_given="John",
+            gender="male",
+            birth_date="2000-01-01"
+        )
+        superuser = User.objects.create_superuser(
+            username="admin",
+            password="adminpass",
+            email="admin@example.com",
+        )
 
-        # Verify deletion
+        self.client.force_authenticate(user=superuser)
+        url = reverse('archive:subject-detail', kwargs={'pk': subject.id})
+        response = self.client.delete(url)
+        self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
         self.assertFalse(Subject.objects.filter(pk=subject.id).exists())
 
+    def test_regular_user_without_subject_perms_cannot_create_subject(self):
+        """Regular authenticated user should not create subject."""
+        regular_user = User.objects.create_user(username='regular', password='testpassword')
+        self.client.force_authenticate(user=regular_user)
+
+        url = reverse('archive:subject-list')
+        data = {
+            "humanname_family": "Doe",
+            "humanname_given": "John",
+            "gender": "male",
+            "birth_date": "2000-01-01"
+        }
+        response = self.client.post(url, data, format='json')
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
     def test_search_subjects(self):
         """Should search subjects by query parameter"""
         Subject.objects.create(
diff --git a/bfd9000_web/archive/urls.py b/bfd9000_web/archive/urls.py
index bfc2d5a..8b452b4 100644
--- a/bfd9000_web/archive/urls.py
+++ b/bfd9000_web/archive/urls.py
@@ -54,8 +54,8 @@
     path('encounters/', views.encounters, name='encounters'),
     path('encounters/create/', views.encounter_create, name='encounter_create'),
     path('records/', views.records, name='records'),
+    path('records/create/', views.scan, name='record_create'),
     path('records/<str:record_id>/', views.record_detail, name='record_detail'),
-    path('scan/', views.scan, name='scan'),
     path('api/scan/tiff-preview/', views.scan_tiff_preview, name='scan_tiff_preview'),
     # API routes
     path('api/', include(router.urls)),
diff --git a/bfd9000_web/archive/views.py b/bfd9000_web/archive/views.py
index cca8bd1..c958339 100644
--- a/bfd9000_web/archive/views.py
+++ b/bfd9000_web/archive/views.py
@@ -13,6 +13,7 @@
 from rest_framework.decorators import action
 from rest_framework.generics import get_object_or_404
 from rest_framework.permissions import IsAuthenticated
+from .permissions import CuratorOrSuperuserEditPermission, RecordPermission
 from rest_framework.request import Request
 from rest_framework.response import Response
 from drf_spectacular.types import OpenApiTypes
@@ -144,6 +145,7 @@ class CollectionViewSet(viewsets.ModelViewSet):
 
 
 class SubjectViewSet(viewsets.ModelViewSet):
+    permission_classes = [CuratorOrSuperuserEditPermission]
     """
     ViewSet for Subject model.
 
@@ -179,6 +181,7 @@ class SubjectViewSet(viewsets.ModelViewSet):
 
 
 class EncounterViewSet(viewsets.ModelViewSet):
+    permission_classes = [CuratorOrSuperuserEditPermission]
     """
     ViewSet for Encounter model.
 
@@ -267,6 +270,7 @@ class ArchiveLocationViewSet(viewsets.ModelViewSet):
 
 
 class RecordViewSet(viewsets.ModelViewSet):
+    permission_classes = [RecordPermission]
     """
     ViewSet for Record model.
 
diff --git a/bfd9000_web/docs/permissions.md b/bfd9000_web/docs/permissions.md
new file mode 100644
index 0000000..e7ee7db
--- /dev/null
+++ b/bfd9000_web/docs/permissions.md
@@ -0,0 +1,51 @@
+# BFD9000 Permissions Reference
+
+## Roles and Responsibilities
+
+| Role       | Description                                                     |
+|------------|-----------------------------------------------------------------|
+| User       | Authenticated; can view and create records (scan workflow only) |
+| Curator    | Can add/change Subjects and Encounters (no delete)              |
+| Superuser  | All rights, including deletes and admin user/group management   |
+
+## API Permissions Matrix (Subject, Encounter, Record)
+
+| Action              | User    | Curator        | Superuser |
+|---------------------|---------|----------------|-----------|
+| List/Detail (GET)   | ✓       | ✓              | ✓         |
+| Create Subject      |         | ✓              | ✓         |
+| Update Subject      |         | ✓              | ✓         |
+| Delete Subject      |         |                | ✓         |
+| Create Encounter    |         | ✓              | ✓         |
+| Update Encounter    |         | ✓              | ✓         |
+| Delete Encounter    |         |                | ✓         |
+| Create Record       | ✓       | ✓              | ✓         |
+| Update Record       | ✓       | ✓              | ✓         |
+| Delete Record       |         |                | ✓         |
+| Auth: User Mgmt     |         |                | ✓         |
+
+- Curator has *no* rights for user/group/permission admin.
+- DELETE is strictly superuser-only.
+
+## Current Implementation Notes
+- Group: `Curator` is auto-created by management command (`setup_curator_group`).
+- Permissions: Curator keeps `add/change` on Subject/Encounter.
+- Guardrails: command removes Curator delete perms for Subject/Encounter/Record and removes all `auth` app perms.
+- "New Subject" and "New Encounter" UI is only displayed where user has appropriate permissions.
+
+## How to Change Curator Permissions Later
+
+To grant additional rights (e.g., delete) to the Curator group, run:
+
+```
+$ python manage.py setup_curator_group  # Safe to re-run anytime
+```
+
+Or, manually through Django admin:
+1. Open the Django admin at `/admin/` as a superuser.
+2. Navigate to Groups > Curator.
+3. Add or remove permissions (e.g., `delete_subject`, `delete_encounter`, `delete_record`).
+
+If you intentionally grant Curator additional rights manually, do not re-run `setup_curator_group` unless you also update that command to preserve the new policy.
+
+**Warning:** Removing or adding user/group management or delete permissions may have significant impact. Ensure this is intentional and auditable. See also `archive/management/commands/setup_curator_group.py` source.
diff --git a/bfd9000_web/docs/use_cases.md b/bfd9000_web/docs/use_cases.md
index e0a6d6d..525b5b9 100644
--- a/bfd9000_web/docs/use_cases.md
+++ b/bfd9000_web/docs/use_cases.md
@@ -1,5 +1,7 @@
 # Use Cases
 
+See also: [Permissions Reference](permissions.md)
+
 The BFD9000 shall be able to accommodate the following use cases.
 
 ---
@@ -21,7 +23,6 @@ The BFD9000 shall be able to accommodate the following use cases.
 - Operator has launched the BFD9010 bridge on the workstation with the scanner connected
 - Operator has located and identified the physical record to be digitized and archived
 
-
 ### Steps
 
 1. Operator searches for the subject related to the physical record. If the subject doesn't exist, the operator creates a new subject with a minimum of: subject identifier, collection name, and sex
@@ -101,4 +102,4 @@ Operators should be able to export and share records with other users in DICOM f
 
 ### Steps
 
-TODO
\ No newline at end of file
+TODO
diff --git a/docker.md b/docker.md
new file mode 100644
index 0000000..27ce856
--- /dev/null
+++ b/docker.md
@@ -0,0 +1,19 @@
+# Docker Troubleshooting Notes
+
+## Media volume permissions (important)
+
+When the web container runs as a non-root user, Docker named volumes may be owned by `root` and uploads can fail until ownership is fixed.
+
+Run this one-time command (adjust UID:GID if needed):
+
+```bash
+docker run --rm -v bfd9000_media_volume:/data alpine sh -c "chown -R 1000:1000 /data"
+```
+
+Notes:
+- On Docker Desktop for macOS, named volumes live inside Docker's VM. You generally cannot `chown` them directly from the host filesystem.
+- Running `chown` via a temporary container (as above) is the expected approach.
+
+## Verify
+
+After fixing ownership, restart the stack and test file upload/thumbnail generation paths.