diff --git a/server/backend/internal/httpapi/manage/ui.go b/server/backend/internal/httpapi/manage/ui.go
index ffb2da0..2ba133d 100644
--- a/server/backend/internal/httpapi/manage/ui.go
+++ b/server/backend/internal/httpapi/manage/ui.go
@@ -394,7 +394,11 @@ func HandleManageUI(
 return
 }
- assets, err := media.List(r.Context(), screen.TenantID)
+ ownerUserID := ""
+ if u := reqcontext.UserFromContext(r.Context()); u != nil && u.Role == "restricted" {
+ ownerUserID = u.ID
+ }
+ assets, err := media.List(r.Context(), screen.TenantID, ownerUserID)
 if err != nil {
 http.Error(w, "db error", http.StatusInternalServerError)
 return
@@ -627,6 +631,11 @@ func HandleUploadMediaUI(media *store.MediaStore, screens *store.ScreenStore, up
 tenantSlug = "default"
 }
+ createdByUserID := ""
+ if u := reqcontext.UserFromContext(r.Context()); u != nil {
+ createdByUserID = u.ID
+ }
+
 switch assetType {
 case "web":
 url := strings.TrimSpace(r.FormValue("url"))
@@ -637,7 +646,7 @@ func HandleUploadMediaUI(media *store.MediaStore, screens *store.ScreenStore, up
 if title == "" {
 title = url
 }
- _, err = media.Create(r.Context(), screen.TenantID, title, "web", "", url, "", 0)
+ _, err = media.Create(r.Context(), screen.TenantID, title, "web", "", url, "", createdByUserID, 0)
 case "image", "video", "pdf":
 file, header, ferr := r.FormFile("file")
 if ferr != nil {
@@ -655,7 +664,7 @@ func HandleUploadMediaUI(media *store.MediaStore, screens *store.ScreenStore, up
 http.Error(w, "Speicherfehler", http.StatusInternalServerError)
 return
 }
- _, err = media.Create(r.Context(), screen.TenantID, title, assetType, storagePath, "", mimeType, size)
+ _, err = media.Create(r.Context(), screen.TenantID, title, assetType, storagePath, "", mimeType, createdByUserID, size)
 default:
 http.Error(w, "Unbekannter Typ", http.StatusBadRequest)
 return
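Review bot: The owner scoping on the new `media.List` call in the first hunk fails open: when `reqcontext.UserFromContext` returns nil, `ownerUserID` stays empty and the restricted-user filter is never applied, so the listing is only as safe as whatever middleware guarantees a user is present on this route (not visible here). If a user is required, make that explicit before the role check with `if u == nil { http.Error(w, "Forbidden", http.StatusForbidden); return }` and derive `ownerUserID` from `u` afterwards, so a misconfigured route cannot expose every asset of the tenant to an unauthenticated caller. The `"restricted"` role literal is also worth hoisting into a package constant, `const roleRestricted = "restricted"`, so this filter and the delete-side authorization in `canDeleteMedia` (defined outside this diff) cannot drift apart. HandleManageUI starts and ends outside this hunk.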
@@ -860,6 +869,13 @@ func HandleDeleteMediaUI(media *store.MediaStore, screens *store.ScreenStore, up
 }
 asset, err := media.Get(r.Context(), mediaID)
+
+ // K3: Restricted User darf nur eigene Medien löschen.
+ if u := reqcontext.UserFromContext(r.Context()); u != nil && !canDeleteMedia(u, asset) {
+ http.Error(w, "Forbidden", http.StatusForbidden)
+ return
+ }
+
 if err == nil && asset.StoragePath != "" {
 os.Remove(filepath.Join(uploadDir, filepath.Base(asset.StoragePath))) //nolint:errcheck
 }
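Review bot: The new authorization check runs before the `err` returned by `media.Get` on the line above it is examined, so on a failed lookup `canDeleteMedia(u, asset)` receives whatever `Get` returns on error — a nil `asset` would panic inside the helper, and a zero-value asset with an empty owner field may compare as "owned by nobody" and let the delete proceed. The check is also skipped entirely when `u` is nil, so a request without a user in the context (should the middleware ever let one reach this handler) is not blocked by it at all. I would resolve the user first and fail closed, then refuse to authorize an asset that could not be loaded; the original code tolerated `err != nil` and continued past the `os.Remove`, so the handler's tail (outside this hunk) should be checked before the early 404 below is adopted. Separately, `media.Get` is keyed only by `mediaID`; unless `canDeleteMedia` or code outside the hunk compares the asset's tenant with the request's tenant, this remains a cross-tenant deletion path and the authorization should cover it. HandleDeleteMediaUI starts and ends outside this hunk.

```go
asset, err := media.Get(r.Context(), mediaID)
u := reqcontext.UserFromContext(r.Context())
if u == nil {
	http.Error(w, "Forbidden", http.StatusForbidden)
	return
}
if err != nil {
	// Cannot authorize against an asset that did not load; fail closed.
	http.Error(w, "Not found", http.StatusNotFound)
	return
}
// K3: restricted users may only delete their own media.
if !canDeleteMedia(u, asset) {
	http.Error(w, "Forbidden", http.StatusForbidden)
	return
}
if asset.StoragePath != "" {
	os.Remove(filepath.Join(uploadDir, filepath.Base(asset.StoragePath))) //nolint:errcheck
}
// … unchanged: remainder of the delete handler …
```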