diff --git a/program/views.py b/program/views.py
index c84314c6f7c48af6935fa4eb0fbd7e13ea38cd65..5db8ac4c5d1999a97aea740746a3c82c0b3804f1 100644
--- a/program/views.py
+++ b/program/views.py
@@ -32,6 +32,7 @@ from rest_framework.exceptions import ValidationError
 from rest_framework.pagination import LimitOffsetPagination
 from rest_framework.response import Response
 
+from django.conf import settings
 from django.contrib.auth.models import User
 from django.http import Http404, HttpResponse, JsonResponse
 from django.shortcuts import get_object_or_404
@@ -260,18 +261,18 @@ class APIUserViewSet(
     viewsets.GenericViewSet,
 ):
     serializer_class = UserSerializer
-    queryset = User.objects.all()
     filter_backends = [drf_filters.SearchFilter]
     search_fields = ["username", "first_name", "last_name", "email"]
 
     def get_queryset(self):
-        queryset = super().get_queryset()
+        """The queryset contains all the users only for privileged users."""
 
-        # Constrain access to oneself except for superusers.
-        if not self.request.user.is_superuser:
-            queryset = queryset.filter(pk=self.request.user.id)
+        qs = User.objects.all()
 
-        return queryset
+        if not self.request.user.groups.filter(name=settings.PRIVILEGED_GROUP).exists():
+            qs = qs.filter(pk=self.request.user.id)
+
+        return qs
 
     def create(self, request, *args, **kwargs):
         serializer = UserSerializer(
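Review bot: The group lookup in `get_queryset` replaces the `is_superuser` check rather than extending it, so a superuser who is not a member of `settings.PRIVILEGED_GROUP` is now restricted to their own record; the same applies to the checks in `APIScheduleViewSet` and `APINoteViewSet.get_queryset`. If that is intended it deserves a comment; if not, keep the fallback, e.g. `if not (self.request.user.is_superuser or self.request.user.groups.filter(name=settings.PRIVILEGED_GROUP).exists()):`. The expression is also copied into several methods, and the copy in `_get_timeslot` already differs, so a single helper or a DRF permission class would keep the authorization decision in one place. The setting is not defined in this diff, so confirm it has a default and that membership of that group is managed as carefully as the superuser flag was.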
@@ -301,7 +302,6 @@ class APIUserViewSet(
     ),
 )
 class APIImageViewSet(viewsets.ModelViewSet):
-    queryset = Image.objects.all()
     serializer_class = ImageSerializer
     permission_classes = [permissions.IsAuthenticated]
     pagination_class = LimitOffsetPagination
@@ -583,7 +583,7 @@ class APIScheduleViewSet(
         them including notes.
         """
 
-        if not request.user.is_superuser:
+        if not request.user.groups.filter(name=settings.PRIVILEGED_GROUP).exists():
             return Response(status=status.HTTP_401_UNAUTHORIZED)
 
         # Only allow updating when with the `schedule` JSON object
@@ -699,7 +699,6 @@ class APINoteViewSet(
     filterset_class = filters.NoteFilterSet
     pagination_class = LimitOffsetPagination
     permission_classes = [permissions.DjangoModelPermissionsOrAnonReadOnly]
-    queryset = Note.objects.all()
     serializer_class = NoteSerializer
 
     def get_serializer_context(self):
@@ -710,13 +709,15 @@ class APINoteViewSet(
         return context
 
     def get_queryset(self):
-        qs = super().get_queryset().order_by("slug")
-        # Users should always be able to see notes
+        """The queryset contains all the notes if the method is safe, otherwise
+        - if the user is not in the privileged group, the notes owned by the user are filtered."""
+
+        qs = Note.objects.all()
+
         if self.request.method not in permissions.SAFE_METHODS:
-            # If the request is not by an admin,
-            # check that the timeslot is owned by the current user.
-            if not self.request.user.is_superuser:
+            if not self.request.user.groups.filter(name=settings.PRIVILEGED_GROUP).exists():
                 qs = qs.filter(timeslot__schedule__show__owners=self.request.user)
+
         return qs
 
     def _get_timeslot(self):
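Review bot: `qs = Note.objects.all()` drops the `order_by("slug")` that the previous `get_queryset` applied, and this viewset paginates with `LimitOffsetPagination`. Unless the `Note` model declares a default ordering (not visible here), pages can overlap or skip rows between requests. `qs = Note.objects.order_by("slug")` keeps the previous behaviour. The docstring would also read more clearly as a single summary, e.g. `"""Return all notes for safe methods; for unsafe methods, limit non-privileged users to notes on shows they own."""`.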
@@ -728,7 +729,7 @@ class APINoteViewSet(
         if timeslot_pk is None:
             raise ValidationError({"timeslot_id": [_("This field is required.")]}, code="required")
         qs = TimeSlot.objects.all()
-        if not self.request.user.is_superuser:
+        if not self.request.user.groups.filter(name=settings.ENTITLED_GROUPS[0]):
             qs = qs.filter(schedule__show__owners=self.request.user)
         try:
             return qs.get(pk=timeslot_pk)
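Review bot: This check tests `settings.ENTITLED_GROUPS[0]` while every other check in the commit tests `settings.PRIVILEGED_GROUP`. Neither definition is visible in this diff, so unless the two settings name the same group, the timeslot lookup and `get_queryset` make different authorization decisions for the same user. It also omits `.exists()`, so the queryset is evaluated for truthiness and fetches the matching rows instead of issuing an existence query. Suggest `if not self.request.user.groups.filter(name=settings.PRIVILEGED_GROUP).exists():`. `_get_timeslot` starts before this hunk and continues after it.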
diff --git a/steering/urls.py b/steering/urls.py
index a171bea7214497908c022d74083396ecc2d07623..c284b76ed46c329d2cd18c5ce2f58582d2b17c5b 100644
--- a/steering/urls.py
+++ b/steering/urls.py
@@ -49,12 +49,12 @@ from program.views import (
 admin.autodiscover()
 
 router = routers.DefaultRouter()
-router.register(r"users", APIUserViewSet)
+router.register(r"users", APIUserViewSet, basename="user")
 router.register(r"hosts", APIHostViewSet)
 router.register(r"shows", APIShowViewSet)
 router.register(r"schedules", APIScheduleViewSet)
 router.register(r"timeslots", APITimeSlotViewSet)
-router.register(r"notes", APINoteViewSet)
+router.register(r"notes", APINoteViewSet, basename="note")
 router.register(r"categories", APICategoryViewSet)
 router.register(r"topics", APITopicViewSet)
 router.register(r"types", APITypeViewSet)
@@ -64,7 +64,7 @@ router.register(r"languages", APILanguageViewSet)
 router.register(r"licenses", APILicenseViewSet)
 router.register(r"link-types", APILinkTypeViewSet)
 router.register(r"rrules", APIRRuleViewSet)
-router.register(r"images", APIImageViewSet)
+router.register(r"images", APIImageViewSet, basename="image")
 
 # Nested Routers