I'm struggling with understanding how I can allow users to create new records in the list, but only allow creators to update their own posts. E.g. the following structure: post { post1: { author: "user1" text: "Some text" } post2: { author: "user2" text: "Some text 2" } } Here, I want both users to be able to create new posts. But also protect, say, post2 from being edited by user1. Thus, only user1 can edit post1 and only user2 can edit post2. You'd want to do something like this: {"rules": { "post": { "$id": { ".write": "auth !== null && (!data.exists() || data.child('author').val() === auth