diff --git a/examples/privacytenant/ent/schema/group.go b/examples/privacytenant/ent/schema/group.go
index da7eeb19f..25cabd0b6 100644
--- a/examples/privacytenant/ent/schema/group.go
+++ b/examples/privacytenant/ent/schema/group.go
@@ -46,6 +46,10 @@ func (Group) Policy() ent.Policy {
 return privacy.Policy{
 Mutation: privacy.MutationPolicy{
 rule.DenyMismatchedTenants(),
+ privacy.OnMutationOperation(
+ rule.FilterTenantRule(),
+ ent.OpUpdateOne|ent.OpDeleteOne,
+ ),
 },
 }
 }
diff --git a/examples/privacytenant/example_test.go b/examples/privacytenant/example_test.go
index d861b7212..4237607d7 100644
--- a/examples/privacytenant/example_test.go
+++ b/examples/privacytenant/example_test.go
@@ -38,6 +38,7 @@ func Example_PrivacyTenant() {
 // User(id=1, name=a8m, foods=[])
 // User(id=2, name=nati, foods=[Sushi Burritos])
 // Group(id=1, name=entgo.io)
+ // Group(id=1, name=entgo)
 }
 
 func Do(ctx context.Context, client *ent.Client) error {
@@ -88,11 +89,11 @@ func Do(ctx context.Context, client *ent.Client) error {
 // the group and the users are connected to the same tenant.
 _, err = client.Group.Create().SetName("entgo.io").SetTenant(hub).AddUsers(nati).Save(admin)
 if !errors.Is(err, privacy.Deny) {
- return fmt.Errorf("expect operatio to fail, since user (nati) is not connected to the same tenant")
+ return fmt.Errorf("expect operation to fail, since user (nati) is not connected to the same tenant")
 }
 _, err = client.Group.Create().SetName("entgo.io").SetTenant(hub).AddUsers(nati, a8m).Save(admin)
 if !errors.Is(err, privacy.Deny) {
- return fmt.Errorf("expect operatio to fail, since some users (nati) are not connected to the same tenant")
+ return fmt.Errorf("expect operation to fail, since some users (nati) are not connected to the same tenant")
 }
 entgo, err := client.Group.Create().SetName("entgo.io").SetTenant(hub).AddUsers(a8m).Save(admin)
 if err != nil {
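Review bot: The added `privacy.OnMutationOperation(` scopes `rule.FilterTenantRule()` to `ent.OpUpdateOne|ent.OpDeleteOne` only, so bulk `Update()`/`Delete()` builders on Group are not tenant-filtered by this rule; whether `rule.DenyMismatchedTenants()` just above rejects those bulk operations is not visible in the hunk. If bulk mutations are meant to be tenant-scoped as well, the mask should read `ent.OpUpdateOne|ent.OpUpdate|ent.OpDeleteOne|ent.OpDelete`; if they are deliberately left out, a comment on that line should say so, e.g. `// Limit tenants to updating/deleting their own groups (single-entity operations only).` The enclosing `Policy()` method starts outside the hunk.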
@@ -100,5 +101,17 @@ func Do(ctx context.Context, client *ent.Client) error { } fmt.Println(entgo) + // Expect operation to fail, because the FilterTenantRule rule makes sure + // that tenants can update and delete their groups. + err = entgo.Update().SetName("fail.go").Exec(labView) + if !ent.IsNotFound(err) { + return fmt.Errorf("expect operation to fail, since the group (entgo) is managed by a different tenant (hub)") + } + entgo, err = entgo.Update().SetName("entgo").Save(hubView) + if err != nil { + return fmt.Errorf("expect operation to pass, but got %v", err) + } + fmt.Println(entgo) + return nil } diff --git a/examples/privacytenant/rule/rule.go b/examples/privacytenant/rule/rule.go index c3e4a5b60..2daa956dc 100644 --- a/examples/privacytenant/rule/rule.go +++ b/examples/privacytenant/rule/rule.go @@ -40,7 +40,7 @@ func AllowIfAdmin() privacy.QueryMutationRule { } // FilterTenantRule is a query rule that filters out entities that are not in the tenant. -func FilterTenantRule() privacy.QueryRule { +func FilterTenantRule() privacy.QueryMutationRule { type TeamsFilter interface { WhereHasTenantWith(...predicate.Tenant) }
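Review bot: The new check exercises only the update half of the `ent.OpUpdateOne|ent.OpDeleteOne` policy; a tenant-mismatched delete is never attempted, so a regression in the delete branch would pass this example unnoticed. Adding `if err := client.Group.DeleteOne(entgo).Exec(labView); !ent.IsNotFound(err) { return fmt.Errorf("expect delete to fail, since the group (entgo) is managed by a different tenant (hub)") }` before the successful `Save(hubView)` update would cover it without changing the expected output. The comment on the first added line also reads as if the rule grants access; `// Expect the update to fail: FilterTenantRule restricts tenants to updating and deleting only their own groups.` states the intent more precisely. `Do` starts outside the hunk.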
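Review bot: The doc comment above `func FilterTenantRule() privacy.QueryMutationRule {` still describes it as "a query rule", which no longer matches the widened return type; suggest `// FilterTenantRule is a query/mutation rule that filters out entities that are not in the tenant.` Since the same filter now applies to mutations, the comment could also note that a filtered-out row surfaces to callers as a not-found error rather than a privacy denial, which is what the example in this change checks with `ent.IsNotFound`. The function body continues past the end of the hunk.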