diff --git a/aleksis/core/rules.py b/aleksis/core/rules.py
index ae2f12129cd8193cb0f5fba9887a6a45c2c92785..2251a504434052f5faaf94c91cd0317cd68ee21c 100644
--- a/aleksis/core/rules.py
+++ b/aleksis/core/rules.py
@@ -1,7 +1,7 @@
 import rules
 from rules import is_superuser
 
-from .models import AdditionalField, Announcement, Group, GroupType, Person
+from .models import AdditionalField, Announcement, Group, GroupType, Holiday, Person
 from .util.predicates import (
     has_any_object,
     has_global_perm,
@@ -412,3 +412,28 @@ rules.add_perm("core.view_progress_rule", view_progress_predicate)
 
 view_calendar_feed_predicate = has_person
 rules.add_perm("core.view_calendar_feed_rule", view_calendar_feed_predicate)
+
+# Holidays
+
+view_holiday_predicate = has_person & (
+    has_global_perm("core.view_holiday") | has_object_perm("core.view_holiday")
+)
+rules.add_perm("core.view_holiday_rule", view_holiday_predicate)
+
+view_holidays_predicate = has_person & (
+    has_global_perm("core.view_holiday") | has_any_object("core.view_holiday", Holiday)
+)
+rules.add_perm("core.view_holidays_rule", view_holidays_predicate)
+
+edit_holiday_predicate = has_person & (
+    has_global_perm("core.change_holiday") | has_object_perm("core.change_holiday")
+)
+rules.add_perm("core.edit_holiday_rule", edit_holiday_predicate)
+
+create_holiday_predicate = has_person & (has_global_perm("core.add_holiday"))
+rules.add_perm("core.create_holiday_rule", create_holiday_predicate)
+
+delete_holiday_predicate = has_person & (
+    has_global_perm("core.delete_holiday") | has_object_perm("core.delete_holiday")
+)
+rules.add_perm("core.delete_holiday_rule", delete_holiday_predicate)
diff --git a/aleksis/core/schema/holiday.py b/aleksis/core/schema/holiday.py
index b742b373e8f368ae2f6760f1361340b36a07fa7a..4ac8e82399b0227f6908e783ef7e9e27bb4a83cd 100644
--- a/aleksis/core/schema/holiday.py
+++ b/aleksis/core/schema/holiday.py
@@ -4,6 +4,7 @@ from graphene_django_cud.mutations import (
     DjangoBatchPatchMutation,
     DjangoCreateMutation,
 )
+from guardian.shortcuts import get_objects_for_user
 
 from ..models import Holiday
 from .base import (
@@ -28,29 +29,29 @@ class HolidayType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectType):
 
     @classmethod
     def get_queryset(cls, queryset, info):
-        return queryset  # FIXME filter this queryset based on permissions
+        return get_objects_for_user(info.context.user, "core.view_holiday", queryset)
 
 
 class HolidayCreateMutation(DjangoCreateMutation):
     class Meta:
         model = Holiday
-        permissions = ("core.create_holiday",)
+        permissions = ("core.create_holiday_rule",)
         only_fields = ("holiday_name", "date_start", "date_end")
 
 
 class HolidayDeleteMutation(DeleteMutation):
     klass = Holiday
-    permission_required = "core.delete_holiday"
+    permission_required = "core.delete_holiday_rule"
 
 
 class HolidayBatchDeleteMutation(PermissionBatchDeleteMixin, DjangoBatchDeleteMutation):
     class Meta:
         model = Holiday
-        permissions = ("core.delete_holiday",)
+        permissions = ("core.delete_holiday_rule",)
 
 
 class HolidayBatchPatchMutation(PermissionBatchPatchMixin, DjangoBatchPatchMutation):
     class Meta:
         model = Holiday
-        permissions = ("core.change_holiday",)
-        only_fields = ("holiday_name", "date_start", "date_end")
+        permissions = ("core.edit_holiday_rule",)
+        only_fields = ("id", "holiday_name", "date_start", "date_end")