diff --git a/app/controllers/settings.rb b/app/controllers/settings.rb
index 443bf8a..612db61 100644
--- a/app/controllers/settings.rb
+++ b/app/controllers/settings.rb
@@ -1,7 +1,5 @@
 module Settings
 class SettingsController < ApplicationController
- before_filter do
- authorize! :manage_settings, current_user
- end
+
 end
 end
diff --git a/app/controllers/settings/plans_controller.rb b/app/controllers/settings/plans_controller.rb
index c6317da..c9a4adb 100644
--- a/app/controllers/settings/plans_controller.rb
+++ b/app/controllers/settings/plans_controller.rb
@@ -2,8 +2,10 @@
 class PlansController < SettingsController
 before_filter :get_settings
+ after_action :verify_authorized
 def show
+ authorize [:settings, plan]
 respond_to do |format|
 format.html
 format.partial
@@ -11,7 +13,7 @@
 end
 def update
-
+ authorize [:settings, plan]
 export_params = params[:export].try(:deep_symbolize_keys)
 settings = plan.super_settings(:export).tap do |s|
diff --git a/app/controllers/settings/projects_controller.rb b/app/controllers/settings/projects_controller.rb
index cc618b2..5a2d48d 100644
--- a/app/controllers/settings/projects_controller.rb
+++ b/app/controllers/settings/projects_controller.rb
@@ -4,13 +4,17 @@
 before_filter :get_plan_list_columns
 before_filter :get_settings
+ after_action :verify_authorized
+
 def show
+ authorize [:settings, Project]
 respond_to do |format|
 format.html
 end
 end
 def update
+ authorize [:settings, Project]
 columns = (params[:columns] || {})
 if @settings.update_attributes(columns: columns)
diff --git a/app/policies/settings/plan_policy.rb b/app/policies/settings/plan_policy.rb
new file mode 100644
index 0000000..f8bd066
--- /dev/null
+++ b/app/policies/settings/plan_policy.rb
@@ -0,0 +1,20 @@
+class Settings::PlanPolicy < ApplicationPolicy
+
+ attr_reader :user
+ attr_reader :plan
+
+ def initialize(user, plan)
+ raise Pundit::NotAuthorizedError, "must be logged in" unless user
+ @user = user
+ @plan = plan
+ end
+
+ def show?
+ @plan.readable_by(@user.id)
+ end
+
+ def update?
+ @plan.editable_by(@user.id)
+ end
+
+end
\ No newline at end of file
diff --git a/app/policies/settings/project_policy.rb b/app/policies/settings/project_policy.rb
new file mode 100644
index 0000000..08c333f
--- /dev/null
+++ b/app/policies/settings/project_policy.rb
@@ -0,0 +1,24 @@
+class Settings::ProjectPolicy < ApplicationPolicy
+ # this is the policy for app/controllers/settings/projects_controller.rb
+
+ attr_reader :user
+ attr_reader :projects
+
+ def initialize(user, settings)
+ raise Pundit::NotAuthorizedError, "must be logged in" unless user
+ @user = user
+ @settings = settings
+ end
+
+ # for this controller, we allow all actions as the "settings" object
+ # is curated by rails based on user, not on a passed param
+
+ def show?
+ true
+ end
+
+ def update?
+ true
+ end
+
+end
\ No newline at end of file
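Review bot: With the blanket `authorize! :manage_settings, current_user` filter removed from `SettingsController`, a subclass is now protected only if it opts in, and the `after_action :verify_authorized` guard was added only to `PlansController` and `ProjectsController`; any other subclass of this base (not visible in this diff) would lose its authorization check silently. Moving the guard up into this class, `after_action :verify_authorized`, makes a subclass that forgets to call `authorize` fail loudly instead of passing. Note that `verify_authorized` runs after the action body has executed, so it reports a missing `authorize` call rather than preventing the request — the per-action `authorize` calls are the actual access control.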
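Review bot: `authorize [:settings, plan]` is repeated verbatim at the top of `show` and `update`, and `projects_controller.rb` repeats `authorize [:settings, Project]` the same way; a single `before_action { authorize [:settings, plan] }` next to `before_filter :get_settings` would cover both actions and any action added later, since Pundit derives the policy query (`show?`, `update?`) from the current action name. Whichever form is kept, the check must stay ahead of the read of `params[:export]` in `update`, as the hunk already has it. The body of `update` continues past the end of the hunk.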
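Review bot: `authorize [:settings, Project]` hands the `Project` class to `Settings::ProjectPolicy`, whose `initialize(user, settings)` stores that class as `@settings` and whose comment describes it as the settings object; the record this controller actually operates on is the `@settings` loaded by `before_filter :get_settings`, which the policy never sees. Either pass the loaded object (checking what policy class Pundit resolves for its class) or rename the policy parameter so the mismatch is not misleading to the next reader. The body of `update` continues past the end of the hunk.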
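Review bot: `show?` and `update?` pass whatever `@plan.readable_by`/`@plan.editable_by` return straight to Pundit, which treats any value other than `nil`/`false` as authorized; if those helpers return a collection or record rather than a boolean, an empty array is truthy in Ruby and would grant access, so it is worth confirming they return booleans (or ending with `.present?` if they return collections). `initialize` does not call `super`, so anything `ApplicationPolicy#initialize` sets up (Pundit's generated template assigns `@user` and `@record`) is skipped; if that base class already declares `attr_reader :user`, the readers here can collapse to `attr_reader :user, :plan`. The file also lacks a trailing newline.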
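Review bot: `attr_reader :projects` exposes an instance variable that is never assigned, while the `@settings` that `initialize` stores has no reader; `attr_reader :user, :settings` would match what the constructor sets. More importantly, with `show?` and `update?` returning `true` the only check left for project settings is the logged-in test in `initialize`, whereas the removed `SettingsController` filter required the `:manage_settings` ability; if that ability was meant to restrict who reaches these settings rather than merely require a session, the policy should check it instead of returning `true` unconditionally. The file also lacks a trailing newline.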