diff --git a/aleksis/apps/untis/menus.py b/aleksis/apps/untis/menus.py
index e4a817190119561c9c47508261ac2acf53f53ccd..ada88becf99c14623459d5a4867577dcd58f7819 100644
--- a/aleksis/apps/untis/menus.py
+++ b/aleksis/apps/untis/menus.py
@@ -6,18 +6,14 @@ MENUS = {
             "name": _("Untis XML import"),
             "url": "untis_xml_import",
             "validators": [
-                "menu_generator.validators.is_authenticated",
-                "menu_generator.validators.is_superuser",
-                "aleksis.core.util.core_helpers.has_person",
+                ("aleksis.core.util.predicates.permission_validator", "untis.do_xml_import"),
             ],
         },
         {
             "name": _("Link subjects to groups (for UNTIS MySQL import)"),
             "url": "untis_groups_subjects",
             "validators": [
-                "menu_generator.validators.is_authenticated",
-                "menu_generator.validators.is_superuser",
-                "aleksis.core.util.core_helpers.has_person",
+                ("aleksis.core.util.predicates.permission_validator", "untis.assign_subjects_to_groups"),
             ],
         },
     ]
diff --git a/aleksis/apps/untis/models.py b/aleksis/apps/untis/models.py
index 9080208ff684218dda8bac3a523677a4d9f4eecf..cd4dcfffd6e4a3f07b3f165980c952e2acea9d84 100644
--- a/aleksis/apps/untis/models.py
+++ b/aleksis/apps/untis/models.py
@@ -1,15 +1,10 @@
 # pylint: skip-file
 # flake8: noqa
 
-# This is an auto-generated Django model module.
-# You'll have to do the following manually to clean this up:
-#   * Rearrange models' order
-#   * Make sure each model has one field with primary_key=True
-#   * Make sure each ForeignKey has `on_delete` set to the desired behavior.
-#   * Remove `managed = False` lines if you wish to allow Django to create, modify, and delete the table
-# Feel free to rename the models, but don't rename db_table values or field names.
-from django.db import models
+# The main part of this module is auto-generated by Django.
 
+from django.db import models
+from django.utils.translation import gettext as _
 from aleksis.core.mixins import PureDjangoModel
 
 
@@ -4201,3 +4196,12 @@ class Views(models.Model, PureDjangoModel):
         unique_together = (
             ("school_id", "schoolyear_id", "version_id", "type", "views_id", "owner"),
         )
+
+
+class GlobalPermissions(models.Model):
+    class Meta:
+        managed = False
+        permissions = (
+            ("do_xml_import", _("Can do XML import")),
+            ("assign_subjects_to_groups", _("Can assign subjects to groups")),
+        )
diff --git a/aleksis/apps/untis/rules.py b/aleksis/apps/untis/rules.py
new file mode 100644
index 0000000000000000000000000000000000000000..873742401e128834dddc9473a8d7702165abf090
--- /dev/null
+++ b/aleksis/apps/untis/rules.py
@@ -0,0 +1,12 @@
+from rules import add_perm
+
+from aleksis.core.util.predicates import has_person, has_global_perm
+
+# Do XML import
+do_xml_import_predicate = has_person & has_global_perm("untis.do_xml_import")
+add_perm("untis.do_xml_import", do_xml_import_predicate)
+
+
+# Do XML import
+assign_subjects_to_groups_predicate = has_person & has_global_perm("untis.assign_subjects_to_groups")
+add_perm("untis.assign_subjects_to_groups", assign_subjects_to_groups_predicate)
diff --git a/aleksis/apps/untis/views.py b/aleksis/apps/untis/views.py
index d1d86e4e45bedeb7bda92bc078f3a5ed8bc7cc62..232d77f483ca6fc93def1651ba97e52171a66422 100644
--- a/aleksis/apps/untis/views.py
+++ b/aleksis/apps/untis/views.py
@@ -1,19 +1,18 @@
 from django.contrib import messages
-from django.contrib.auth.decorators import login_required
 from django.core.paginator import Paginator
 from django.http import HttpRequest, HttpResponse
 from django.shortcuts import render
 from django.utils.translation import gettext as _
 
-from aleksis.core.decorators import admin_required
+from rules.contrib.views import permission_required
+
 from aleksis.core.models import Group
 
 from .forms import UntisUploadForm, GroupSubjectFormset
 from .util.xml.xml import untis_import_xml
 
 
-@login_required
-@admin_required
+@permission_required("untis.do_xml_import")
 def xml_import(request: HttpRequest) -> HttpResponse:
     context = {}
 
@@ -30,8 +29,7 @@ def xml_import(request: HttpRequest) -> HttpResponse:
     return render(request, "untis/xml_import.html", context)
 
 
-# FIXME: Rule must check if setting is enabled
-@admin_required
+@permission_required("untis.assign_subjects_to_groups")
 def groups_subjects(request: HttpRequest) -> HttpResponse:
     """ Assign subjects to groups (for matching by MySQL importer) """
     context = {}