diff --git a/app/Http/Controllers/BaseController.php b/app/Http/Controllers/BaseController.php
index 7727fef4a4f0..45fa77bf03b8 100644
--- a/app/Http/Controllers/BaseController.php
+++ b/app/Http/Controllers/BaseController.php
@@ -234,6 +234,7 @@ class BaseController extends Controller
         }
 
         $transformer = new $this->entity_transformer($this->serializer);
+
         $updated_at = request()->has('updated_at') ? request()->input('updated_at') : 0;
 
         if ($user->getCompany()->is_large && $updated_at == 0) {
@@ -251,7 +252,6 @@ class BaseController extends Controller
                     $query->where('clients.updated_at', '>=', $updated_at)->with('contacts.company', 'gateway_tokens', 'documents');
 
                     if (! $user->hasPermission('view_client')) {
-                        // $query->where('clients.user_id', $user->id)->orWhere('clients.assigned_user_id', $user->id);
 
                         $query->whereNested(function($query) use ($user) {
                             $query->where('clients.user_id', $user->id)->orWhere('clients.assigned_user_id', $user->id);
@@ -270,7 +270,6 @@ class BaseController extends Controller
                     $query->where('updated_at', '>=', $updated_at)->with('invitations', 'documents');
 
                     if (! $user->hasPermission('view_credit')) {
-                        // $query->where('credits.user_id', $user->id)->orWhere('credits.assigned_user_id', $user->id);
 
                         $query->whereNested(function($query) use ($user) {
                             $query->where('credits.user_id', $user->id)->orWhere('credits.assigned_user_id', $user->id);
@@ -291,7 +290,6 @@ class BaseController extends Controller
                     $query->where('updated_at', '>=', $updated_at)->with('documents');
 
                     if (! $user->hasPermission('view_expense')) {
-                        // $query->where('expenses.user_id', $user->id)->orWhere('expenses.assigned_user_id', $user->id);
 
                         $query->whereNested(function($query) use ($user) {
                             $query->where('expenses.user_id', $user->id)->orWhere('expenses.assigned_user_id', $user->id);
@@ -301,14 +299,11 @@ class BaseController extends Controller
                 'company.groups' => function ($query) use ($updated_at, $user) {
                     $query->whereNotNull('updated_at')->with('documents');
 
-                // if(!$user->isAdmin())
-                    //   $query->where('group_settings.user_id', $user->id);
                 },
                 'company.invoices'=> function ($query) use ($updated_at, $user) {
                     $query->where('updated_at', '>=', $updated_at)->with('invitations', 'documents');
 
                     if (! $user->hasPermission('view_invoice')) {
-                        // $query->where('invoices.user_id', $user->id)->orWhere('invoices.assigned_user_id', $user->id);
 
 
                         $query->whereNested(function($query) use ($user) {
@@ -321,7 +316,6 @@ class BaseController extends Controller
                     $query->where('updated_at', '>=', $updated_at)->with('paymentables', 'documents');
 
                     if (! $user->hasPermission('view_payment')) {
-                        // $query->where('payments.user_id', $user->id)->orWhere('payments.assigned_user_id', $user->id);
                         
                         $query->whereNested(function($query) use ($user) {
                             $query->where('payments.user_id', $user->id)->orWhere('payments.assigned_user_id', $user->id);
@@ -340,13 +334,11 @@ class BaseController extends Controller
                     $query->where('updated_at', '>=', $updated_at)->with('documents');
 
                     if (! $user->hasPermission('view_product')) {
-                        // $query->where('products.user_id', $user->id)->orWhere('products.assigned_user_id', $user->id);
 
                         $query->whereNested(function($query) use ($user) {
                             $query->where('products.user_id', $user->id)->orWhere('products.assigned_user_id', $user->id);
 
                         });
-
                     }
                     
                 },
@@ -354,7 +346,6 @@ class BaseController extends Controller
                     $query->where('updated_at', '>=', $updated_at)->with('documents');
 
                     if (! $user->hasPermission('view_project')) {
-                        // $query->where('projects.user_id', $user->id)->orWhere('projects.assigned_user_id', $user->id);
 
                         $query->whereNested(function($query) use ($user) {
                             $query->where('projects.user_id', $user->id)->orWhere('projects.assigned_user_id', $user->id);
@@ -366,8 +357,6 @@ class BaseController extends Controller
                     $query->where('updated_at', '>=', $updated_at)->with('documents');
 
                     if (! $user->hasPermission('view_purchase_order')) {
-                        // $query->where('purchase_orders.user_id', $user->id)->orWhere('purchase_orders.assigned_user_id', $user->id);
-
 
                         $query->whereNested(function($query) use ($user) {
                             $query->where('purchase_orders.user_id', $user->id)->orWhere('purchase_orders.assigned_user_id', $user->id);
@@ -379,8 +368,6 @@ class BaseController extends Controller
                     $query->where('updated_at', '>=', $updated_at)->with('invitations', 'documents');
 
                     if (! $user->hasPermission('view_quote')) {
-                        // $query->where('quotes.user_id', $user->id)->orWhere('quotes.assigned_user_id', $user->id);
-
 
                         $query->whereNested(function($query) use ($user) {
                             $query->where('quotes.user_id', $user->id)->orWhere('quotes.assigned_user_id', $user->id);
@@ -392,7 +379,6 @@ class BaseController extends Controller
                     $query->where('updated_at', '>=', $updated_at)->with('invitations', 'documents', 'client.gateway_tokens', 'client.group_settings', 'client.company');
 
                     if (! $user->hasPermission('view_recurring_invoice')) {
-                        // $query->where('recurring_invoices.user_id', $user->id)->orWhere('recurring_invoices.assigned_user_id', $user->id);
 
                         $query->whereNested(function($query) use ($user) {
                             $query->where('recurring_invoices.user_id', $user->id)->orWhere('recurring_invoices.assigned_user_id', $user->id);
@@ -404,7 +390,6 @@ class BaseController extends Controller
                     $query->where('updated_at', '>=', $updated_at)->with('documents');
 
                     if (! $user->hasPermission('view_recurring_expense')) {
-                        // $query->where('recurring_expenses.user_id', $user->id)->orWhere('recurring_expenses.assigned_user_id', $user->id);
 
                         $query->whereNested(function($query) use ($user) {
                             $query->where('recurring_expenses.user_id', $user->id)->orWhere('recurring_expenses.assigned_user_id', $user->id);
@@ -416,7 +401,6 @@ class BaseController extends Controller
                     $query->where('updated_at', '>=', $updated_at)->with('documents');
 
                     if (! $user->hasPermission('view_task')) {
-                        // $query->where('tasks.user_id', $user->id)->orWhere('tasks.assigned_user_id', $user->id);
 
                         $query->whereNested(function($query) use ($user) {
                             $query->where('tasks.user_id', $user->id)->orWhere('tasks.assigned_user_id', $user->id);
@@ -431,7 +415,6 @@ class BaseController extends Controller
                     $query->where('updated_at', '>=', $updated_at)->with('contacts', 'documents');
 
                     if (! $user->hasPermission('view_vendor')) {
-                        // $query->where('vendors.user_id', $user->id)->orWhere('vendors.assigned_user_id', $user->id);
 
                         $query->whereNested(function($query) use ($user) {
                             $query->where('vendors.user_id', $user->id)->orWhere('vendors.assigned_user_id', $user->id);
@@ -622,7 +605,6 @@ class BaseController extends Controller
                     $query->where('clients.created_at', '>=', $created_at)->with('contacts.company', 'gateway_tokens', 'documents');
 
                     if (! $user->hasPermission('view_client')) {
-                        // $query->where('clients.user_id', $user->id)->orWhere('clients.assigned_user_id', $user->id);
      
                         $query->whereNested(function($query) use ($user) {
                             $query->where('clients.user_id', $user->id)->orWhere('clients.assigned_user_id', $user->id);
@@ -641,7 +623,6 @@ class BaseController extends Controller
                     $query->where('created_at', '>=', $created_at)->with('invitations', 'documents');
 
                     if (! $user->hasPermission('view_credit')) {
-                        // $query->where('credits.user_id', $user->id)->orWhere('credits.assigned_user_id', $user->id);
 
                         $query->whereNested(function($query) use ($user) {
                             $query->where('credits.user_id', $user->id)->orWhere('credits.assigned_user_id', $user->id);
@@ -655,13 +636,10 @@ class BaseController extends Controller
                     $query->where('created_at', '>=', $created_at)->with('documents');
 
                     if (! $user->hasPermission('view_expense')) {
-                        // $query->where('expenses.user_id', $user->id)->orWhere('expenses.assigned_user_id', $user->id);
                         
                         $query->whereNested(function($query) use ($user) {
                             $query->where('expenses.user_id', $user->id)->orWhere('expenses.assigned_user_id', $user->id);
                         });
-
-
                     }
                 },
                 'company.groups' => function ($query) use ($created_at, $user) {
@@ -671,7 +649,6 @@ class BaseController extends Controller
                     $query->where('created_at', '>=', $created_at)->with('invitations', 'documents');
 
                     if (! $user->hasPermission('view_invoice')) {
-                        // $query->where('invoices.user_id', $user->id)->orWhere('invoices.assigned_user_id', $user->id);
 
                         $query->whereNested(function($query) use ($user) {
                             $query->where('invoices.user_id', $user->id)->orWhere('invoices.assigned_user_id', $user->id);
@@ -683,7 +660,6 @@ class BaseController extends Controller
                     $query->where('created_at', '>=', $created_at)->with('paymentables', 'documents');
 
                     if (! $user->hasPermission('view_payment')) {
-                        // $query->where('payments.user_id', $user->id)->orWhere('payments.assigned_user_id', $user->id);
 
                         $query->whereNested(function($query) use ($user) {
                             $query->where('payments.user_id', $user->id)->orWhere('payments.assigned_user_id', $user->id);
@@ -698,7 +674,7 @@ class BaseController extends Controller
                     $query->where('created_at', '>=', $created_at)->with('documents');
 
                     if (! $user->hasPermission('view_product')) {
-                        // $query->where('products.user_id', $user->id)->orWhere('products.assigned_user_id', $user->id);
+
                         $query->whereNested(function($query) use ($user) {
                             $query->where('products.user_id', $user->id)->orWhere('products.assigned_user_id', $user->id);
                         });
@@ -708,7 +684,7 @@ class BaseController extends Controller
                     $query->where('created_at', '>=', $created_at)->with('documents');
 
                     if (! $user->hasPermission('view_project')) {
-                        // $query->where('projects.user_id', $user->id)->orWhere('projects.assigned_user_id', $user->id);
+
                         $query->whereNested(function($query) use ($user) {
                             $query->where('projects.user_id', $user->id)->orWhere('projects.assigned_user_id', $user->id);
                         });
@@ -718,7 +694,7 @@ class BaseController extends Controller
                     $query->where('created_at', '>=', $created_at)->with('documents');
 
                     if (! $user->hasPermission('view_purchase_order')) {
-                        // $query->where('purchase_orders.user_id', $user->id)->orWhere('purchase_orders.assigned_user_id', $user->id);
+
                         $query->whereNested(function($query) use ($user) {
                             $query->where('purchase_orders.user_id', $user->id)->orWhere('purchase_orders.assigned_user_id', $user->id);
                         });
@@ -729,7 +705,6 @@ class BaseController extends Controller
                     $query->where('created_at', '>=', $created_at)->with('invitations', 'documents');
 
                     if (! $user->hasPermission('view_quote')) {
-                        // $query->where('quotes.user_id', $user->id)->orWhere('quotes.assigned_user_id', $user->id);
 
                         $query->whereNested(function($query) use ($user) {
                             $query->where('quotes.user_id', $user->id)->orWhere('quotes.assigned_user_id', $user->id);
@@ -741,7 +716,6 @@ class BaseController extends Controller
                     $query->where('created_at', '>=', $created_at)->with('invitations', 'documents', 'client.gateway_tokens', 'client.group_settings', 'client.company');
 
                     if (! $user->hasPermission('view_recurring_invoice')) {
-                        // $query->where('recurring_invoices.user_id', $user->id)->orWhere('recurring_invoices.assigned_user_id', $user->id);
 
                         $query->whereNested(function($query) use ($user) {
                             $query->where('recurring_invoices.user_id', $user->id)->orWhere('recurring_invoices.assigned_user_id', $user->id);
@@ -753,7 +727,6 @@ class BaseController extends Controller
                     $query->where('created_at', '>=', $created_at)->with('documents');
 
                     if (! $user->hasPermission('view_task')) {
-//                        $query->where('tasks.user_id', $user->id)->orWhere('tasks.assigned_user_id', $user->id);
 
                         $query->whereNested(function($query) use ($user) {
                             $query->where('tasks.user_id', $user->id)->orWhere('tasks.assigned_user_id', $user->id);
@@ -768,7 +741,6 @@ class BaseController extends Controller
                     $query->where('created_at', '>=', $created_at)->with('contacts', 'documents');
 
                     if (! $user->hasPermission('view_vendor')) {
-                        // $query->where('vendors.user_id', $user->id)->orWhere('vendors.assigned_user_id', $user->id);
 
                         $query->whereNested(function($query) use ($user) {
                             $query->where('vendors.user_id', $user->id)->orWhere('vendors.assigned_user_id', $user->id);
@@ -807,7 +779,6 @@ class BaseController extends Controller
                     $query->where('created_at', '>=', $created_at)->with('documents');
 
                     if (! $user->hasPermission('view_recurring_expense')) {
-                        // $query->where('recurring_expenses.user_id', $user->id)->orWhere('recurring_expenses.assigned_user_id', $user->id);
     
                         $query->whereNested(function($query) use ($user) {
                             $query->where('recurring_expenses.user_id', $user->id)->orWhere('recurring_expenses.assigned_user_id', $user->id);
@@ -907,6 +878,7 @@ class BaseController extends Controller
         }
 /**/
 
+        // $query->exclude(['balance','credit_balance','paid_to_date']);
 
         if (request()->has('updated_at') && request()->input('updated_at') > 0) {
             $query->where('updated_at', '>=', date('Y-m-d H:i:s', intval(request()->input('updated_at'))));
diff --git a/app/Models/Client.php b/app/Models/Client.php
index 7b09fa68f80e..24dd322b942d 100644
--- a/app/Models/Client.php
+++ b/app/Models/Client.php
@@ -21,12 +21,12 @@ use App\Models\Project;
 use App\Models\Quote;
 use App\Models\Task;
 use App\Services\Client\ClientService;
+use App\Models\Traits\Excludable;
 use App\Utils\Traits\AppSetup;
 use App\Utils\Traits\ClientGroupSettingsSaver;
 use App\Utils\Traits\GeneratesCounter;
 use App\Utils\Traits\MakesDates;
 use App\Utils\Traits\MakesHash;
-use Exception;
 use Illuminate\Contracts\Translation\HasLocalePreference;
 use Illuminate\Database\Eloquent\SoftDeletes;
 use Illuminate\Support\Facades\Cache;
@@ -42,6 +42,7 @@ class Client extends BaseModel implements HasLocalePreference
     use GeneratesCounter;
     use AppSetup;
     use ClientGroupSettingsSaver;
+    use Excludable;
 
     protected $presenter = ClientPresenter::class;
 
@@ -132,6 +133,13 @@ class Client extends BaseModel implements HasLocalePreference
         'phone',
     ];
 
+    // public function scopeExclude($query)
+    // {
+    //     $query->makeHidden(['balance','paid_to_date']);
+
+    //     return $query;
+    // }
+
     public function getEntityType()
     {
         return self::class;
@@ -417,7 +425,7 @@ class Client extends BaseModel implements HasLocalePreference
             return $this->company;
         }
 
-        throw new Exception('Could not find a settings object', 1);
+        throw new \Exception('Could not find a settings object', 1);
     }
 
     public function documents()
diff --git a/app/Models/Traits/Excludable.php b/app/Models/Traits/Excludable.php
new file mode 100644
index 000000000000..06b494dd2808
--- /dev/null
+++ b/app/Models/Traits/Excludable.php
@@ -0,0 +1,38 @@
+<?php
+/**
+ * Invoice Ninja (https://invoiceninja.com).
+ *
+ * @link https://github.com/invoiceninja/invoiceninja source repository
+ *
+ * @copyright Copyright (c) 2022. Invoice Ninja LLC (https://invoiceninja.com)
+ *
+ * @license https://www.elastic.co/licensing/elastic-license
+ */
+
+namespace App\Models\Traits;
+
+trait Excludable {
+
+    /**
+     * Get the array of columns
+     * 
+     * @return mixed
+     */
+    private function getTableColumns() {
+        return $this->getConnection()->getSchemaBuilder()->getColumnListing($this->getTable());
+    }
+
+    /**
+     * Exclude an array of elements from the result.
+     * @param $query
+     * @param $columns
+     * 
+     * @return mixed
+     */
+    public function scopeExclude($query, $columns)
+    {
+        return $query->select(array_diff($this->getTableColumns(), (array) $columns));
+    }
+
+}
+
diff --git a/app/Models/User.php b/app/Models/User.php
index b27f81f043f7..2b802e5e1e43 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -372,6 +372,31 @@ class User extends Authenticatable implements MustVerifyEmail
 
     }
 
+    /**
+     * Used when we need to match exactly what permission
+     * the user has, and not aggregate owner and admins.
+     *
+     * This method is used when we need to scope down the query
+     * and display a limited subset.
+     * 
+     * @param  string  $permission '["view_all"]'
+     * @return boolean             
+     */
+    public function hasExactPermission(string $permission = ''): bool
+    {
+
+        $parts = explode('_', $permission);
+        $all_permission = '';
+
+        if (count($parts) > 1) {
+            $all_permission = $parts[0].'_all';
+        }
+
+        return  (is_int(stripos($this->token()->cu->permissions, $all_permission))) ||
+                (is_int(stripos($this->token()->cu->permissions, $permission)));
+
+    }
+
     public function documents()
     {
         return $this->morphMany(Document::class, 'documentable');
diff --git a/tests/Feature/BaseApiTest.php b/tests/Feature/BaseApiTest.php
index b980d8c1cdc6..b624387a3963 100644
--- a/tests/Feature/BaseApiTest.php
+++ b/tests/Feature/BaseApiTest.php
@@ -413,7 +413,7 @@ class BaseApiTest extends TestCase
         collect($this->list_routes)->filter(function ($route){
             return !in_array($route, ['users','designs','payment_terms']);
         })->each(function($route){
-            nlog($route);
+            // nlog($route);
             $response = $this->withHeaders([
                 'X-API-SECRET' => config('ninja.api_secret'),
                 'X-API-TOKEN' => $this->owner_token,
@@ -458,7 +458,7 @@ class BaseApiTest extends TestCase
         collect($this->list_routes)->filter(function ($route){
             return !in_array($route, ['users','designs','payment_terms']);
         })->each(function($route){
-            nlog($route);
+            // nlog($route);
             $response = $this->withHeaders([
                 'X-API-SECRET' => config('ninja.api_secret'),
                 'X-API-TOKEN' => $this->owner_token,
@@ -501,7 +501,7 @@ class BaseApiTest extends TestCase
         collect($this->list_routes)->filter(function ($route){
             return !in_array($route, ['users','designs','payment_terms']);
         })->each(function($route){
-            nlog($route);
+            // nlog($route);
             $response = $this->withHeaders([
                 'X-API-SECRET' => config('ninja.api_secret'),
                 'X-API-TOKEN' => $this->owner_token,
diff --git a/tests/Unit/PermissionsTest.php b/tests/Unit/PermissionsTest.php
new file mode 100644
index 000000000000..91fa3e9854a0
--- /dev/null
+++ b/tests/Unit/PermissionsTest.php
@@ -0,0 +1,125 @@
+<?php
+/**
+ * Invoice Ninja (https://invoiceninja.com).
+ *
+ * @link https://github.com/invoiceninja/invoiceninja source repository
+ *
+ * @copyright Copyright (c) 2021. Invoice Ninja LLC (https://invoiceninja.com)
+ *
+ * @license https://www.elastic.co/licensing/elastic-license
+ */
+
+namespace Tests\Unit;
+
+use App\Factory\CompanyUserFactory;
+use App\Models\Account;
+use App\Models\Company;
+use App\Models\CompanyToken;
+use App\Models\CompanyUser;
+use App\Models\Invoice;
+use App\Models\User;
+use Illuminate\Foundation\Testing\DatabaseTransactions;
+use Tests\MockAccountData;
+use Tests\TestCase;
+
+/**
+ * @test
+ */
+class PermissionsTest extends TestCase
+{
+
+    public User $user;
+
+    public CompanyUser $cu;
+
+    public Company $company;
+
+    protected function setUp() :void
+    {
+        parent::setUp();
+        $this->faker = \Faker\Factory::create();
+
+        $account = Account::factory()->create([
+            'hosted_client_count' => 1000,
+            'hosted_company_count' => 1000,
+        ]);
+
+        $account->num_users = 3;
+        $account->save();
+
+        $this->company = Company::factory()->create([
+            'account_id' => $account->id,
+        ]);
+
+        $this->user = User::factory()->create([
+            'account_id' => $account->id,
+            'confirmation_code' => '123',
+            'email' =>  $this->faker->safeEmail(),
+        ]);
+
+        $this->cu = CompanyUserFactory::create($this->user->id, $this->company->id, $account->id);
+        $this->cu->is_owner = false;
+        $this->cu->is_admin = false;
+        $this->cu->is_locked = false;
+        $this->cu->permissions = '["view_client"]';
+        $this->cu->save();
+
+        $this->token = \Illuminate\Support\Str::random(64);
+
+        $company_token = new CompanyToken;
+        $company_token->user_id = $this->user->id;
+        $company_token->company_id = $this->company->id;
+        $company_token->account_id = $account->id;
+        $company_token->name = 'test token';
+        $company_token->token = $this->token;
+        $company_token->is_system = true;
+        $company_token->save();
+
+    }
+
+    public function testExactPermissions()
+    {
+
+        $this->assertTrue($this->user->hasExactPermission("view_client"));
+        $this->assertFalse($this->user->hasExactPermission("view_all"));
+
+    }
+
+    public function testMissingPermissions()
+    {
+
+        $low_cu = CompanyUser::where(['company_id' => $this->company->id, 'user_id' => $this->user->id])->first();
+        $low_cu->permissions = '[""]';
+        $low_cu->save();
+
+        $this->assertFalse($this->user->hasExactPermission("view_client"));
+        $this->assertFalse($this->user->hasExactPermission("view_all"));
+
+    }
+
+    public function testViewAllValidPermissions()
+    {
+
+        $low_cu = CompanyUser::where(['company_id' => $this->company->id, 'user_id' => $this->user->id])->first();
+        $low_cu->permissions = '["view_all"]';
+        $low_cu->save();
+
+        $this->assertTrue($this->user->hasExactPermission("view_client"));
+        $this->assertTrue($this->user->hasExactPermission("view_all"));
+        
+    }
+
+    public function testViewClientPermission()
+    {
+
+        $low_cu = CompanyUser::where(['company_id' => $this->company->id, 'user_id' => $this->user->id])->first();
+        $low_cu->permissions = '["view_client"]';
+        $low_cu->save();
+
+        //this is aberrant
+        $this->assertTrue($this->user->hasPermission("viewclient"));
+
+    }
+
+}
+