diff --git a/Module.php b/Module.php index e62f7f5..0aa8c3f 100644 --- a/Module.php +++ b/Module.php @@ -237,8 +237,14 @@ public function createNamedParameter( //TODO need to refactor to normalize and condense protected function addAclRules() { - $services = $this->getServiceLocator(); - $acl = $services->get('Omeka\Acl'); + $serviceLocator = $this->getServiceLocator(); + $acl = $serviceLocator->get('Omeka\Acl'); + + // Get our new service from the service manager + $aclRuleManager = $serviceLocator->get(\Teams\Service\AclRuleManager::class); + + // Delegate the complex task to our new, testable service + $aclRuleManager->applyRules($acl); $roles = $acl->getRoles(); //entity rights are the actions of controllers @@ -409,21 +415,13 @@ protected function addAclRules() ['roleIndex'] ); + // This remaining logic can also be moved to a service in a future refactoring $globalSettings = $this->getServiceLocator()->get('Omeka\Settings'); - if (! $globalSettings->get('teams_site_admin_make_site')) { - $acl->deny( - 'site_admin', - 'Omeka\Entity\Site', - 'create' - ); + if (!$globalSettings->get('teams_site_admin_make_site')) { + $acl->deny('site_admin', \Omeka\Entity\Site::class, 'create'); } - if (!$globalSettings->get('teams_editor_make_site')) { - $acl->deny( - 'editor', - 'Omeka\Entity\Site', - 'create' - ); + $acl->deny('editor', \Omeka\Entity\Site::class, 'create'); } $acl->deny( diff --git a/config/module.config.php b/config/module.config.php index 41dff7b..6474fbb 100644 --- a/config/module.config.php +++ b/config/module.config.php 
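Review bot: Calling `$aclRuleManager->applyRules($acl)` at the top of addAclRules, before the existing rules that follow `$roles = $acl->getRoles();`, risks the team-scoped denies being silently replaced: a Laminas ACL keeps one rule per role/resource/privilege, so any later `$acl->allow(...)` for the same role, entity class and privilege in the remainder of addAclRules (the body continues past this hunk) overrides the deny-with-assertion without error. If the remaining rules do grant those privileges to site_admin/editor/author, move the `applyRules` call to the end of the method, or document the precedence with a comment such as `// Must run after all allow() rules: a later allow() for the same role/resource/privilege replaces this deny`. The two-step `getServiceLocator()` rename is fine; the surviving `//TODO need to refactor to normalize and condense` now partly describes work this hunk does and could be narrowed to the rules that stay here.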
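Review bot: The editor branch loses its guard: the line `if (!$globalSettings->get('teams_editor_make_site')) {` is removed but its closing `}` is kept, so the new side reads `if (!...site_admin...) { deny site_admin } deny editor }` — a stray brace that is a parse error, and even once the brace is fixed the `teams_editor_make_site` setting is no longer consulted, which would deny site creation to editors unconditionally. The hunk counts (21 old lines, 13 new) are consistent with exactly that one opening line having been dropped. Reinsert `if (!$globalSettings->get('teams_editor_make_site')) {` immediately before `$acl->deny('editor', \Omeka\Entity\Site::class, 'create');`. The comment "This remaining logic can also be moved to a service" is fine but should not ship with a broken conditional beneath it; addAclRules continues outside this hunk.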
@@ -74,6 +74,13 @@ dirname(__DIR__) . '/data/doctrine-proxies', ], ], + 'service_manager' => [ + 'factories' => [ + \Teams\Acl\TeamRolePermissionAssertion::class => \Teams\Acl\TeamRolePermissionAssertionFactory::class, + \Teams\Service\AclRuleManager::class => \Teams\Service\AclRuleManagerFactory::class, + \Teams\Service\TeamService::class => \Teams\Service\TeamServiceFactory::class, + ], + ], 'form_elements' => [ 'invokables' => [ Form\TeamForm::class => Form\TeamForm::class, diff --git a/src/Acl/TeamRolePermissionAssertion.php b/src/Acl/TeamRolePermissionAssertion.php new file mode 100644 index 0000000..702a378 --- /dev/null +++ b/src/Acl/TeamRolePermissionAssertion.php @@ -0,0 +1,25 @@ +assertion = $assertion; + } + + public function applyRules(Acl $acl) + { + $omekaResources = [ + \Omeka\Entity\Item::class, + \Omeka\Entity\ItemSet::class, + \Omeka\Entity\Media::class, + \Omeka\Entity\Site::class, + \Omeka\Entity\SitePage::class, + \Omeka\Entity\ResourceTemplate::class, + \Omeka\Entity\Asset::class, + ]; + + $rolesToControl = ['site_admin', 'editor', 'author']; + + $privilegesToControl = [ + 'update', 'edit', + 'delete', 'delete-confirm', + 'create', 'add', + 'batch-delete', 'batch_delete', 'batch_delete_all', + 'batch-update', 'batch_update_all', + 'batch-edit', 'batch-edit-all', + ]; + + $denyAssertion = new AssertionNegation($this->assertion); + + foreach ($rolesToControl as $role) { + $acl->deny($role, $omekaResources, $privilegesToControl, $denyAssertion); + } + } +} diff --git a/src/Service/AclRuleManagerFactory.php b/src/Service/AclRuleManagerFactory.php new file mode 100644 index 0000000..5c8e7db --- /dev/null +++ b/src/Service/AclRuleManagerFactory.php @@ -0,0 +1,15 @@ +get(\Teams\Acl\TeamRolePermissionAssertion::class); + return new AclRuleManager($assertion); + } +} diff --git a/tests/Service/AclRuleManagerTest.php b/tests/Service/AclRuleManagerTest.php new file mode 100644 index 0000000..0f40154 --- /dev/null 
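Review bot: The deny rule in `applyRules` reads backwards without a comment: in a Laminas ACL a `deny(..., $assertion)` applies only when the assertion returns true, so wrapping the team assertion in `AssertionNegation` means "deny unless the team assertion passes" — add `// Deny applies when the negated assertion is true, i.e. when the team check fails` above `$denyAssertion = new AssertionNegation($this->assertion);`. The `$privilegesToControl` list mixes entity privileges (`update`, `delete`, `create`) with what look like controller action names (`edit`, `add`, `batch-edit`, `batch_delete_all`) while `$omekaResources` holds only entity classes; if Omeka checks those action names against controller resources rather than entities, the extra entries are dead rules and should either be dropped or paired with the controller resources, which is worth confirming before relying on them. Note also that Laminas `setRule` throws `InvalidArgumentException` for any role or resource not yet registered, so `applyRules` depends on all three roles and all seven entity classes already being in the ACL; a one-line docblock stating that precondition would help the next caller. The file header says TeamRolePermissionAssertion.php but the visible code is the AclRuleManager constructor tail and `applyRules`, so the hunk appears garbled in extraction and the assertion class itself is not reviewable here.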
+++ b/tests/Service/AclRuleManagerTest.php @@ -0,0 +1,46 @@ +assertionMock = $this->createMock(TeamRolePermissionAssertion::class); + $this->ruleManager = new AclRuleManager($this->assertionMock); + } + + public function testApplyRulesDeniesPreviouslyAllowedPermission() + { + // Arrange + $acl = new Acl; + $role = new GenericRole('editor'); + $resource = new Item; + $acl->addRole($role); + $acl->addResource($resource); + $acl->allow($role, $resource, 'update'); + $this->assertTrue($acl->isAllowed($role, $resource, 'update')); + + $this->assertionMock->method('assert')->willReturn(false); + + // Act + $this->ruleManager->applyRules($acl); + + // Assert + $this->assertFalse($acl->isAllowed($role, $resource, 'update')); + } +}
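Review bot: The test registers only the `editor` role and an `Item` resource, but `applyRules` calls `$acl->deny('site_admin', [...seven entity classes...], ...)` first; assuming `Acl` here is `Laminas\Permissions\Acl\Acl`, `setRule` throws `InvalidArgumentException` ("Role 'site_admin' not found") before the editor rule is ever set, so the test fails for the wrong reason. Register all three roles and all seven resource ids in Arrange, e.g. `foreach (['site_admin', 'editor', 'author'] as $r) { $acl->addRole($r); }` and a matching `addResource` loop over the entity class names, then keep the single `allow` on `editor`/`update`. Only the deny path is covered: add a second test where `$this->assertionMock->method('assert')->willReturn(true);` and assert `isAllowed` stays true, otherwise an inverted negation would pass this suite. The `applyRules` method being exercised has no return type and the test has no `#[CoversClass]`; both are minor style points worth fixing while the file is new.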