diff --git a/app/controllers/api/v1/advisories_controller.rb b/app/controllers/api/v1/advisories_controller.rb
index f7ba63dd0..6356a77d4 100644
--- a/app/controllers/api/v1/advisories_controller.rb
+++ b/app/controllers/api/v1/advisories_controller.rb
@@ -36,7 +36,7 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController
 protected
 
 def advisory_params
- permit_params(:advisory, *policy(Advisory).permitted_attributes)
+ subject_params(Advisory)
 end
 
 def load_build_list
diff --git a/app/controllers/api/v1/base_controller.rb b/app/controllers/api/v1/base_controller.rb
index 3fa1c1dfe..5d25ef9f9 100644
--- a/app/controllers/api/v1/base_controller.rb
+++ b/app/controllers/api/v1/base_controller.rb
@@ -85,7 +85,7 @@ class Api::V1::BaseController < ApplicationController
 def update_subject(subject)
 authorize subject, :update?
 class_name = subject.class.name
- if subject.update_attributes(params[class_name.underscore.to_sym] || {})
+ if subject.update_attributes(subject_params(subject.class))
 render_json_response subject, "#{class_name} has been updated successfully"
 else
 render_validation_error subject, "#{class_name} has not been updated"
diff --git a/app/controllers/api/v1/build_lists_controller.rb b/app/controllers/api/v1/build_lists_controller.rb
index 9d70f4f30..de9a8e0c6 100644
--- a/app/controllers/api/v1/build_lists_controller.rb
+++ b/app/controllers/api/v1/build_lists_controller.rb
@@ -78,7 +78,7 @@ class Api::V1::BuildListsController < Api::V1::BaseController
 private
 
 def build_list_params
- permit_params(:build_list, *policy(BuildList).permitted_attributes)
+ subject_params(BuildList)
 end
 
 # Private: before_action hook which loads BuidList.
diff --git a/app/controllers/api/v1/groups_controller.rb b/app/controllers/api/v1/groups_controller.rb
index c9e8c6ea7..a701bbdd8 100644
--- a/app/controllers/api/v1/groups_controller.rb
+++ b/app/controllers/api/v1/groups_controller.rb
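Review bot: `subject_params(subject.class)` on the changed line of update_subject resolves the policy for the class, so a policy's `permitted_attributes` cannot consider the record's state (owner versus plain member, for example) even though `authorize subject, :update?` two lines above is record-aware; that follows from the new `subject_params(subject_class)` signature in the strong_params hunk rather than from this call site. If the attribute list ever needs to depend on the record, Pundit's controller helper `permitted_attributes(subject)` resolves against the record's policy instead, provided the gem version in use ships it. The dropped `|| {}` fallback is covered by `permit_params`, whose visible body substitutes an empty `ActionController::Parameters` when the key is absent, so a request without the model key still reaches `update_attributes` with an empty permitted set. The body of update_subject continues past the hunk.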
@@ -28,7 +28,7 @@ class Api::V1::GroupsController < Api::V1::BaseController
 end
 
 def create
- @group = current_user.own_groups.new params[:group]
+ @group = current_user.own_groups.new(group_params)
 create_subject @group
 end
 
@@ -49,6 +49,10 @@ class Api::V1::GroupsController < Api::V1::BaseController
 
 private
 
+ def group_params
+ subject_params(Group)
+ end
+
 # Private: before_action hook which loads Group.
 def load_group
 @group = Group.find params[:id]
diff --git a/app/controllers/concerns/strong_params.rb b/app/controllers/concerns/strong_params.rb
index dbeec8cd6..1a5870e17 100644
--- a/app/controllers/concerns/strong_params.rb
+++ b/app/controllers/concerns/strong_params.rb
@@ -8,4 +8,9 @@ module StrongParams
 pp = pp[name] || ActionController::Parameters.new
 end.permit(*accessible.flatten)
 end
+
+
+ def subject_params(subject_class)
+ permit_params(subject_class.name.underscore.to_sym, *policy(subject_class).permitted_attributes)
+ end
 end
diff --git a/app/controllers/groups/profile_controller.rb b/app/controllers/groups/profile_controller.rb
index 27cbce4c9..27c409f25 100644
--- a/app/controllers/groups/profile_controller.rb
+++ b/app/controllers/groups/profile_controller.rb
@@ -43,7 +43,7 @@ class Groups::ProfileController < Groups::BaseController
 end
 
 def create
- authorize @group = current_user.own_groups.build(params[:group])
+ authorize @group = current_user.own_groups.build(group_params)
 if @group.save
 flash[:notice] = t('flash.group.saved')
 redirect_to group_path(@group)
@@ -56,7 +56,7 @@ class Groups::ProfileController < Groups::BaseController
 
 def update
 authorize @group
- if @group.update_attributes(params[:group])
+ if @group.update_attributes(group_params)
 update_avatar(@group, params)
 flash[:notice] = t('flash.group.saved')
 redirect_to group_path(@group)
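Review bot: `subject_class.name.underscore.to_sym` in the new subject_params only yields the request key for top-level models; a namespaced model (say `Foo::Bar`) underscores to `:"foo/bar"`, which is never a params key, while Rails already exposes the form key as `subject_class.model_name.param_key`. Writing the line as `permit_params(subject_class.model_name.param_key.to_sym, *policy(subject_class).permitted_attributes)` gives the same result for Advisory, BuildList and Group in this commit and stays correct for any model the helper is later used with. The method also lacks the TomDoc header used elsewhere in this commit; a comment such as `# Public: Permit the request params for subject_class using the attributes its policy allows. Returns ActionController::Parameters.` would match, and the two blank lines before `def` should be one. Because `policy(subject_class)` receives a class, a policy's `permitted_attributes` has no record to branch on here, which every caller added in this commit inherits.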
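Review bot: The update action of Groups::ProfileController still hands the unfiltered `params` to `update_avatar(@group, params)` on the line after the changed one, so the strong-parameters switch covers `update_attributes` but not whatever that helper assigns; update_avatar is defined outside the hunk, so confirm it only reads the avatar field rather than mass-assigning. If it reads from the `:group` sub-hash, passing `group_params` instead would keep avatar handling inside the permitted set, though that depends on its signature. The rest of update lies outside the hunk.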
@@ -81,6 +81,10 @@ class Groups::ProfileController < Groups::BaseController
 
 protected
 
+ def group_params
+ subject_params(Group)
+ end
+
 def paginate_projects(page)
 @projects.paginate(page: (page>0 ? page : nil), per_page: 24)
 end
diff --git a/app/controllers/projects/build_lists_controller.rb b/app/controllers/projects/build_lists_controller.rb
index 3cf2c2236..b51451ce1 100644
--- a/app/controllers/projects/build_lists_controller.rb
+++ b/app/controllers/projects/build_lists_controller.rb
@@ -206,7 +206,7 @@ class Projects::BuildListsController < Projects::BaseController
 protected
 
 def build_list_params
- permit_params(:build_list, *policy(BuildList).permitted_attributes)
+ subject_params(BuildList)
 end
 
 def advisory_params
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 1ad775675..966b4f9f2 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -32,6 +32,13 @@ class GroupPolicy < ApplicationPolicy
 !user.guest? && ( is_admin? || owner? )
 end
 
+ # Public: Get list of parameters that the user is allowed to alter.
+ #
+ # Returns Array
+ def permitted_attributes
+ %i(uname description delete_avatar default_branch)
+ end
+
 class Scope < Scope
 def show
 scope
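Review bot: The new GroupPolicy#permitted_attributes returns the same four attributes for every caller, while the method just above it already distinguishes `is_admin?` and `owner?`; if any of `uname`, `description`, `delete_avatar` or `default_branch` should be editable only by owners or admins, this method is the place to branch on those predicates rather than leaving it to controllers. The TomDoc line `# Returns Array` could read `# Returns Array of Symbols` to match the `%i(...)` literal. As a style point, a constant such as `PERMITTED_ATTRIBUTES = %i(uname description delete_avatar default_branch).freeze` returned from the method would avoid allocating a new array per request.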