diff --git a/netbox/users/models.py b/netbox/users/models.py
index fa3277456..7987ccb7a 100644
--- a/netbox/users/models.py
+++ b/netbox/users/models.py
@@ -10,6 +10,7 @@ from django.db.models.signals import post_save
 from django.dispatch import receiver
 from django.utils import timezone
 
+from utilities.querysets import RestrictedQuerySet
 from utilities.utils import flatten_dict
 
 
@@ -262,6 +263,8 @@ class ObjectPermission(models.Model):
         help_text="Queryset filter matching the applicable objects of the selected type(s)"
     )
 
+    objects = RestrictedQuerySet.as_manager()
+
     class Meta:
         verbose_name = "Permission"
 
diff --git a/netbox/users/tests/test_api.py b/netbox/users/tests/test_api.py
index f507192ee..2494c8f31 100644
--- a/netbox/users/tests/test_api.py
+++ b/netbox/users/tests/test_api.py
@@ -1,10 +1,9 @@
 from django.contrib.auth.models import Group, User
 from django.contrib.contenttypes.models import ContentType
 from django.urls import reverse
-from rest_framework import status
 
 from users.models import ObjectPermission
-from utilities.testing import APITestCase
+from utilities.testing import APIViewTestCases, APITestCase
 
 
 class AppTest(APITestCase):
@@ -17,7 +16,12 @@ class AppTest(APITestCase):
         self.assertEqual(response.status_code, 200)
 
 
-class ObjectPermissionTest(APITestCase):
+class ObjectPermissionTest(APIViewTestCases.APIViewTestCase):
+    model = ObjectPermission
+    brief_fields = []
+
+    # TODO: Add a nested serializer for ObjectPermission
+    test_list_objects_brief = None
 
     @classmethod
     def setUpTestData(cls):
@@ -48,43 +52,7 @@ class ObjectPermissionTest(APITestCase):
             objectpermission.groups.add(groups[i])
             objectpermission.users.add(users[i])
 
-    def test_get_objectpermission(self):
-        objectpermission = ObjectPermission.objects.first()
-        url = reverse('users-api:objectpermission-detail', kwargs={'pk': objectpermission.pk})
-        response = self.client.get(url, **self.header)
-
-        self.assertEqual(response.data['id'], objectpermission.pk)
-
-    def test_list_objectpermissions(self):
-        url = reverse('users-api:objectpermission-list')
-        response = self.client.get(url, **self.header)
-
-        self.assertEqual(response.data['count'], ObjectPermission.objects.count())
-
-    def test_create_objectpermission(self):
-        data = {
-            'object_types': ['dcim.site'],
-            'groups': [Group.objects.first().pk],
-            'users': [User.objects.first().pk],
-            'actions': ['view', 'add', 'change', 'delete'],
-            'constraints': {'name': 'TEST4'},
-        }
-
-        url = reverse('users-api:objectpermission-list')
-        response = self.client.post(url, data, format='json', **self.header)
-
-        self.assertHttpStatus(response, status.HTTP_201_CREATED)
-        self.assertEqual(ObjectPermission.objects.count(), 4)
-        objectpermission = ObjectPermission.objects.get(pk=response.data['id'])
-        self.assertEqual(objectpermission.groups.first().pk, data['groups'][0])
-        self.assertEqual(objectpermission.users.first().pk, data['users'][0])
-        self.assertEqual(objectpermission.actions, data['actions'])
-        self.assertEqual(objectpermission.constraints, data['constraints'])
-
-    def test_create_objectpermission_bulk(self):
-        groups = Group.objects.all()[:3]
-        users = User.objects.all()[:3]
-        data = [
+        cls.create_data = [
             {
                 'object_types': ['dcim.site'],
                 'groups': [groups[0].pk],
@@ -107,38 +75,3 @@ class ObjectPermissionTest(APITestCase):
                 'constraints': {'name': 'TEST6'},
             },
         ]
-
-        url = reverse('users-api:objectpermission-list')
-        response = self.client.post(url, data, format='json', **self.header)
-
-        self.assertHttpStatus(response, status.HTTP_201_CREATED)
-        self.assertEqual(ObjectPermission.objects.count(), 6)
-
-    def test_update_objectpermission(self):
-        objectpermission = ObjectPermission.objects.first()
-        data = {
-            'object_types': ['dcim.site', 'dcim.device'],
-            'groups': [g.pk for g in Group.objects.all()[:2]],
-            'users': [u.pk for u in User.objects.all()[:2]],
-            'actions': ['view'],
-            'constraints': {'name': 'TEST'},
-        }
-
-        url = reverse('users-api:objectpermission-detail', kwargs={'pk': objectpermission.pk})
-        response = self.client.put(url, data, format='json', **self.header)
-
-        self.assertHttpStatus(response, status.HTTP_200_OK)
-        self.assertEqual(ObjectPermission.objects.count(), 3)
-        objectpermission = ObjectPermission.objects.get(pk=response.data['id'])
-        self.assertEqual(objectpermission.groups.first().pk, data['groups'][0])
-        self.assertEqual(objectpermission.users.first().pk, data['users'][0])
-        self.assertEqual(objectpermission.actions, data['actions'])
-        self.assertEqual(objectpermission.constraints, data['constraints'])
-
-    def test_delete_objectpermission(self):
-        objectpermission = ObjectPermission.objects.first()
-        url = reverse('users-api:objectpermission-detail', kwargs={'pk': objectpermission.pk})
-        response = self.client.delete(url, **self.header)
-
-        self.assertHttpStatus(response, status.HTTP_204_NO_CONTENT)
-        self.assertEqual(ObjectPermission.objects.count(), 2)
diff --git a/netbox/utilities/testing/api.py b/netbox/utilities/testing/api.py
index fb8b0d795..1e2063a6d 100644
--- a/netbox/utilities/testing/api.py
+++ b/netbox/utilities/testing/api.py
@@ -170,9 +170,6 @@ class APIViewTestCases:
             """
             POST a single object with permission.
             """
-            initial_count = self.model.objects.count()
-            url = self._get_list_url()
-
             # Add object-level permission
             obj_perm = ObjectPermission(
                 actions=['add']
@@ -181,7 +178,8 @@ class APIViewTestCases:
             obj_perm.users.add(self.user)
             obj_perm.object_types.add(ContentType.objects.get_for_model(self.model))
 
-            response = self.client.post(url, self.create_data[0], format='json', **self.header)
+            initial_count = self.model.objects.count()
+            response = self.client.post(self._get_list_url(), self.create_data[0], format='json', **self.header)
             self.assertHttpStatus(response, status.HTTP_201_CREATED)
             self.assertEqual(self.model.objects.count(), initial_count + 1)
             self.assertInstanceEqual(self.model.objects.get(pk=response.data['id']), self.create_data[0], api=True)
@@ -190,9 +188,6 @@ class APIViewTestCases:
             """
             POST a set of objects in a single request.
             """
-            initial_count = self.model.objects.count()
-            url = self._get_list_url()
-
             # Add object-level permission
             obj_perm = ObjectPermission(
                 actions=['add']
@@ -201,7 +196,8 @@ class APIViewTestCases:
             obj_perm.users.add(self.user)
             obj_perm.object_types.add(ContentType.objects.get_for_model(self.model))
 
-            response = self.client.post(url, self.create_data, format='json', **self.header)
+            initial_count = self.model.objects.count()
+            response = self.client.post(self._get_list_url(), self.create_data, format='json', **self.header)
             self.assertHttpStatus(response, status.HTTP_201_CREATED)
             self.assertEqual(self.model.objects.count(), initial_count + len(self.create_data))