diff --git a/lib/MirrorCache/Schema/ResultSet/Server.pm b/lib/MirrorCache/Schema/ResultSet/Server.pm
index ac6d6cde..a91d4788 100644
--- a/lib/MirrorCache/Schema/ResultSet/Server.pm
+++ b/lib/MirrorCache/Schema/ResultSet/Server.pm
@@ -413,12 +413,13 @@ sub find_with_stability {
 my $sql;
 $sql = <<'END_SQL';
-select s.id, s.hostname, s.public_notes, shttp.rating as rating_http, shttps.rating as rating_https, sipv4.rating as rating_ipv4, sipv6.rating as rating_ipv6
+select s.id, s.hostname, s.public_notes, shttp.rating as rating_http, shttps.rating as rating_https, sipv4.rating as rating_ipv4, sipv6.rating as rating_ipv6, sa.username as admin_username
 from server s
 left join server_stability shttp on s.id = shttp.server_id and shttp.capability = 'http'
 left join server_stability shttps on s.id = shttps.server_id and shttps.capability = 'https'
 left join server_stability sipv4 on s.id = sipv4.server_id and sipv4.capability = 'ipv4'
 left join server_stability sipv6 on s.id = sipv6.server_id and sipv6.capability = 'ipv6'
+left join server_admin sa on s.id = sa.server_id
 where s.hostname = ?
 END_SQL
 my $prep = $dbh->prepare($sql);
diff --git a/lib/MirrorCache/WebAPI.pm b/lib/MirrorCache/WebAPI.pm
index e8815684..3d9ae1d1 100644
--- a/lib/MirrorCache/WebAPI.pm
+++ b/lib/MirrorCache/WebAPI.pm
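Review bot: A mirror with more than one `server_admin` row would make `find_with_stability` return several rows, because the added `left join server_admin sa on s.id = sa.server_id` has no uniqueness guarantee visible on this page, and whichever row the caller fetches first then decides `admin_username`. If `server_admin.server_id` is not unique, the owner comparison in `App/Server.pm::show` and the single-row lookup in `ServerNote.pm::_has_permission` both recognise only one of the admins. Matching the user inside the query avoids that, for example `exists (select 1 from server_admin sa where sa.server_id = s.id and sa.username = ?)` with the current username bound as a second parameter. The function body starts and ends outside the hunk.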
@@ -201,9 +201,6 @@ sub _setup_webui {
 $rest_operator_r->delete('/server/:id')->to('table#destroy', table => 'Server');
 $rest_operator_r->put('/server/location/:id')->name('rest_put_server_location')->to('server_location#update_location');
 $rest_operator_r->put('/server/check_file')->name('rest_put_server_check_file')->to('server_check_file#start');
- $rest_operator_r->post('/server/note/#hostname')->name('rest_put_server_note')->to('server_note#ins');
- $rest_operator_r->get('/server/note/#hostname')->name('rest_get_server_note')->to('server_note#list');
- $rest_operator_r->get('/server/contact/#hostname')->name('rest_get_server_contact')->to('server_note#list_contact');
 $rest_operator_r->post('/sync_tree')->name('rest_post_sync_tree')->to('folder_jobs#sync_tree');
 $rest_operator_r->post('/project')->to('table#create', table => 'Project');
@@ -221,6 +218,9 @@ sub _setup_webui {
 $rest_usr_r->put('/myserver/location/:id')->name('rest_put_myserver_location')->to('myserver_location#update_location');
 $rest_usr_r->post('/sync')->name('rest_post_sync')->to('folder_jobs#sync');
 $rest_usr_r->post('/request_sync')->name('rest_post_request_sync')->to('folder_jobs#request_sync');
+ $rest_usr_r->post('/server/note/#hostname')->name('rest_put_server_note')->to('server_note#ins');
+ $rest_usr_r->get('/server/note/#hostname')->name('rest_get_server_note')->to('server_note#list');
+ $rest_usr_r->get('/server/contact/#hostname')->name('rest_get_server_contact')->to('server_note#list_contact');
 $rest_r->get('/folder')->name('rest_folder')->to('table#list', table => 'Folder');
 $rest_r->get('/repmirror')->name('rest_repmirror')->to('report_mirror#list');
diff --git a/lib/MirrorCache/WebAPI/Controller/App/Server.pm b/lib/MirrorCache/WebAPI/Controller/App/Server.pm
index 967f8d64..2cfac68f 100644
--- a/lib/MirrorCache/WebAPI/Controller/App/Server.pm
+++ b/lib/MirrorCache/WebAPI/Controller/App/Server.pm
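Review bot: Access control for `ins`, `list` and `list_contact` now rests entirely on each action remembering to call `_has_permission`, because the three routes added in the second hunk sit on `$rest_usr_r` instead of the operator router. That holds for the actions patched in this commit, but any `server_note#...` action routed on `$rest_usr_r` later is reachable by every account that router admits unless its author repeats the check. Running the ownership check once in a shared intermediate route (Mojolicious `under`) for `/server/note/#hostname` and `/server/contact/#hostname` would keep the rule in one place. At minimum add a comment above the three lines, such as `# authorization: operator, admin or server owner, enforced in ServerNote::_has_permission`. `_setup_webui` starts and ends outside the hunk.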
@@ -56,7 +56,10 @@ sub show {
 or return $self->reply->not_found;
 my $admin_email = '';
- if ($self->is_operator) {
+ my $current_username = $self->current_username;
+ my $is_owner = 0;
+ $is_owner = 1 if ($current_username && $current_username eq ($f->{admin_username} // '' ));
+ if ($self->is_operator || $self->is_admin || $is_owner) {
 $admin_email = $self->schema->storage->dbh->selectrow_array("SELECT msg FROM server_note WHERE hostname = ? AND kind = 'Email' ORDER BY dt DESC LIMIT 1", undef, $hostname);
 }
 my $subsidiary;
@@ -83,6 +86,7 @@ sub show {
 rating_https => $f->{rating_https},
 rating_ipv4 => $f->{rating_ipv4},
 rating_ipv6 => $f->{rating_ipv6},
+ is_owner => $is_owner,
 };
 return $self->render('app/server/show', server => $server);
diff --git a/lib/MirrorCache/WebAPI/Controller/Rest/ServerNote.pm b/lib/MirrorCache/WebAPI/Controller/Rest/ServerNote.pm
index 9fe5a7ba..0a4821a4 100644
--- a/lib/MirrorCache/WebAPI/Controller/Rest/ServerNote.pm
+++ b/lib/MirrorCache/WebAPI/Controller/Rest/ServerNote.pm
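Review bot: `$is_owner` in the first hunk is later written unquoted into JavaScript by the template (`is_owner = <%= $server->{is_owner} %>;`), so it must always be a literal 0 or 1, and the code should say so. The two-step `my $is_owner = 0; $is_owner = 1 if (...)` achieves that but reads more clearly as one expression: `my $is_owner = ($current_username && $current_username eq ($f->{admin_username} // '')) ? 1 : 0;`. A comment above it, such as `# owner = logged-in user listed in server_admin for this mirror; also unlocks the admin_email lookup below`, would record that the contact e-mail is now disclosed to owners and admins as well as operators. `show` starts and ends outside both hunks.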
@@ -17,15 +17,32 @@ package MirrorCache::WebAPI::Controller::Rest::ServerNote;
 use Mojo::Base 'Mojolicious::Controller';
 use Data::Dumper;
+sub _has_permission {
+ my ($self, $hostname) = @_;
+ return 1 if $self->is_operator || $self->is_admin;
+
+ my $dbh = $self->schema->storage->dbh;
+ my $prep = $dbh->prepare('select username from server_admin where server_id = (select id from server where hostname = ?)');
+ $prep->execute($hostname);
+ my $res = $dbh->selectrow_hashref($prep);
+ print STDERR Dumper($res, $self->current_username);
+ if (my $username = $res->{username}) {
+ return 1 if $self->current_username eq $username;
+ }
+ return 0;
+}
+
 sub ins {
 my ($self) = @_;
 my $hostname = $self->param('hostname');
- return $self->render(code => 400, text => "Mandatory argument is missing") unless $hostname;
+ return $self->render(status => 400, text => "Mandatory argument is missing") unless $hostname;
 my $acc = $self->current_username;
 my $kind = $self->param('kind');
 my $msg = $self->param('msg');
+ return $self->render(status => 403, text => "User is not owner") unless $self->_has_permission($hostname);
+
 my $prep = $self->schema->storage->dbh->prepare('insert into server_note(hostname, dt, acc, kind, msg) values(?, now(), ?, ?, ?)');
 $prep->execute($hostname, $acc, $kind, $msg);
@@ -36,7 +53,10 @@ sub list {
 my ($self) = @_;
 my $hostname = $self->param("hostname");
- return $self->render(code => 400, text => "Mandatory argument is missing") unless $hostname;
+ return $self->render(status => 400, text => "Mandatory argument is missing") unless $hostname;
+
+ return $self->render(status => 403, text => "User is not owner") unless $self->_has_permission($hostname);
+
 my $sql = "select * from server_note where hostname = ?::text order by dt desc";
 $sql =~ s/::text//g unless $self->schema->pg;
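Review bot: `_has_permission` still contains the debugging line `print STDERR Dumper($res, $self->current_username);`, which writes the mirror admin's username and the caller's username to the server log on every note request from a non-operator; it should be removed before merge. The lookup also executes the statement twice, once through `$prep->execute($hostname)` and again inside `$dbh->selectrow_hashref($prep)`, and it looks at only the first `server_admin` row. It also compares with `eq` against `current_username` without checking that it is defined. Binding both the hostname and the username and letting the database answer whether a matching row exists covers all three, as sketched below.

```perl
sub _has_permission {
    my ($self, $hostname) = @_;
    return 1 if $self->is_operator || $self->is_admin;

    # A session without a username can never be an owner.
    my $username = $self->current_username // '';
    return 0 unless length $username;

    # Single query, both values bound: true when this user is listed as an admin of the host.
    my ($match) = $self->schema->storage->dbh->selectrow_array(
        'select 1 from server_admin sa join server s on s.id = sa.server_id where s.hostname = ? and sa.username = ?',
        undef, $hostname, $username);
    return $match ? 1 : 0;
}
```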
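Review bot: Behind the new 403 guard, `list` still runs `select * from server_note` for the host, so a mirror owner now receives every note kind, together with the `acc` column naming the account that wrote each note. The page does not show whether some kinds are meant for operators only; if they are, the non-operator path needs a `kind` filter and an explicit column list. `ins` in the previous hunk has the matching gap on the write side: `kind` is taken from the request unchecked, so an owner can store any kind, and restricting it to an allow-list for non-operators would close that. `list_contact` in the next hunk gets the same guard and already filters on `kind = 'email'`. `list` continues past the end of the hunk.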
@@ -50,7 +70,8 @@ sub list_contact {
 my ($self) = @_;
 my $hostname = $self->param("hostname");
- return $self->render(code => 400, text => "Mandatory argument is missing") unless $hostname;
+ return $self->render(status => 400, text => "Mandatory argument is missing") unless $hostname;
+ return $self->render(status => 403, text => "User is not owner") unless $self->_has_permission($hostname);
 my $sql = "select * from server_note where hostname = ?::text and not outdated and kind = 'email'";
 $sql =~ s/::text//g unless $self->schema->pg;
@@ -64,7 +85,7 @@ sub list_incident {
 my ($self) = @_;
 my $id = $self->param("id");
- return $self->render(code => 400, text => "Mandatory argument is missing") unless $id;
+ return $self->render(status => 400, text => "Mandatory argument is missing") unless $id;
 my $sql = "select * from server_capability_check where server_id = ? order by dt desc";
diff --git a/lib/MirrorCache/WebAPI/Controller/Rest/Table.pm b/lib/MirrorCache/WebAPI/Controller/Rest/Table.pm
index 99c4509b..3ec4b870 100644
--- a/lib/MirrorCache/WebAPI/Controller/Rest/Table.pm
+++ b/lib/MirrorCache/WebAPI/Controller/Rest/Table.pm
@@ -56,7 +56,7 @@ sub list {
 my $table = $self->param("table");
 my %search;
 my %x;
- my $region = $self->req->param('region');
+ my $region = $self->req->param('region') // "";
 if ($table eq 'Server' || $table eq 'MyServer') {
 %x = (
@@ -66,7 +66,6 @@ sub list {
 );
 my $a = 'region';
- my $pattern = '(^|,)' . $region . '(,|$)';
 my $regexp = $self->schema->pg ? '~' : 'REGEXP';
 my $isnull = "IS NULL";
 unless ($region) {
@@ -76,6 +75,7 @@ sub list {
 ];
 }
 else {
+ my $pattern = '(^|,)' . $region . '(,|$)';
 $search{'-and'} = [
 '-or' => [
 [ "server_capability_declaration.capability" => $a ],
diff --git a/templates/app/server/show.html.ep b/templates/app/server/show.html.ep
index 6c550c7e..2ccbe2f1 100644
--- a/templates/app/server/show.html.ep
+++ b/templates/app/server/show.html.ep
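Review bot: The `region` request parameter reaches a database regular expression unescaped in the relocated line `my $pattern = '(^|,)' . $region . '(,|$)';` of `Table.pm::list`, so metacharacters in the parameter change what the `~`/`REGEXP` comparison matches and how much work it costs. The commit only moves the line into the `else` branch, but the fix fits here. Validate the value before building the pattern, for example `return $self->render(status => 400, text => "Invalid region") unless $region =~ /\A[A-Za-z]{2}\z/;` (the character class is a constructed example; use the real set of region codes), or build it with `quotemeta($region)`. `list` starts before and continues after these hunks.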
@@ -34,10 +34,13 @@ span.ratingunknown {
 % content_for 'ready_function' => begin
 is_operator = <%= (is_operator) ? 'true' : 'false' %>;
+ is_admin = <%= (is_admin) ? 'true' : 'false' %>;
 server_id = <%= $server->{id} %>;
 subsidiary = "<%= $server->{subsidiary} %>";
 provider = "<%= $server->{provider} %>";
- if (is_operator) {
+ username = "<%= $server->{admin_username} %>";
+ is_owner = <%= $server->{is_owner} %>;
+ if (is_owner || is_admin || is_operator) {
 hostname = "<%= $server->{hostname} %>";
 if (!provider) {
 setupServerNote(hostname);
@@ -83,7 +86,7 @@ span.ratingunknown {
-% if (is_operator) {
+% if (is_operator || is_admin || $server->{is_owner} ) {
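Review bot: The mirror admin's account name can end up in the page source for every visitor, because the added `username = "<%= $server->{admin_username} %>";` in the first hunk sits above the `if (is_owner || is_admin || is_operator)` guard. Nothing visible in this hunk reads `username`, and the controller hunk shows only `is_owner` being added to `$server`, so the variable is either always empty or an unnecessary disclosure. Dropping the line, or emitting it only inside the server-side `% if (is_operator || is_admin || $server->{is_owner})` block, settles both cases. Where a value does have to be placed in script, JSON-encoding it is safer than `<%= %>` inside a quoted string, since HTML escaping leaves backslashes and line breaks untouched.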