diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 5647a32..dd44fd3 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -73,46 +73,40 @@ end def admin_index - if user_signed_in? && current_user.is_org_admin? then - respond_to do |format| - format.html # index.html.erb - format.json { render json: @organisation_users } - end - else - render(:file => File.join(Rails.root, 'public/403.html'), :status => 403, :layout => false) + authorize User + respond_to do |format| + format.html # index.html.erb + format.json { render json: @organisation_users } end end def admin_api_update - if user_signed_in? && current_user.is_org_admin? then - #iterate through all org users - user_ids = params[:api_user_ids].blank? ? [] : params[:api_user_ids].map(&:to_i) - admin_user_ids = params[:org_admin_ids].blank? ? [] : params[:org_admin_ids].map(&:to_i) - current_user.organisation.users.each do |user| - # if user_id in passed params - if user_ids.include? user.id - # run generate_or_keep - user.keep_or_generate_token! - # if not in passed params - else - # remove the token - user.remove_token! - end - # ORG_ADMINS - if admin_user_ids.include?( user.id) && !user.is_org_admin? - # add admin privleges - # MAGIC_STRING - user.roles << Role.find_by(name: constant("user_role_types.organisational_admin")) - # if user_id not in passed, but user is an admin - elsif !admin_user_ids.include?(user.id) && user.is_org_admin? - # strip admin privleges - user.roles.delete(Role.find_by(name: constant("user_role_types.organisational_admin"))) - end + authorize User + #iterate through all org users + user_ids = params[:api_user_ids].blank? ? [] : params[:api_user_ids].map(&:to_i) + admin_user_ids = params[:org_admin_ids].blank? ? [] : params[:org_admin_ids].map(&:to_i) + current_user.organisation.users.each do |user| + # if user_id in passed params + if user_ids.include? user.id + # run generate_or_keep + user.keep_or_generate_token! + # if not in passed params + else + # remove the token + user.remove_token! 
end - #redirect_to admin_index - else - render(:file => File.join(Rails.root, 'public/403.html'), :status => 403, :layout => false) + # ORG_ADMINS + if admin_user_ids.include?( user.id) && !user.is_org_admin? + # add admin privleges + # MAGIC_STRING + user.roles << Role.find_by(name: constant("user_role_types.organisational_admin")) + # if user_id not in passed, but user is an admin + elsif !admin_user_ids.include?(user.id) && user.is_org_admin? + # strip admin privleges + user.roles.delete(Role.find_by(name: constant("user_role_types.organisational_admin"))) + end end + #redirect_to admin_index end end diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb new file mode 100644 index 0000000..7a9a58e --- /dev/null +++ b/app/policies/user_policy.rb @@ -0,0 +1,16 @@ +class UserPolicy + attr_reader :user + + def initialize(user, users) + @user = user + end + + def admin_index? + user.can_use_api? && user.can_grant_permissions? + end + + def admin_api_update? + user.can_use_api? && user.can_grant_permissions? + end + +end \ No newline at end of file
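Review bot: Both `admin_index` and `admin_api_update` drop the explicit `user_signed_in?` guard and rely solely on `authorize User`, but the new `UserPolicy` calls `user.can_use_api?` on whatever it is handed, so an anonymous request now raises `NoMethodError` on `nil` (a 500) instead of the old 403 unless a `before_action :authenticate_user!` or a `rescue_from Pundit::NotAuthorizedError` exists outside this hunk; confirm one does, or re-add the guard in the policy. In `admin_api_update`, `params[:api_user_ids].map(&:to_i)` and the `org_admin_ids` line assume an Array and will also 500 on a scalar parameter; `Array(params[:api_user_ids]).map(&:to_i)` tolerates both. The per-user `keep_or_generate_token!`/`remove_token!` and role changes are applied in a loop with no transaction, so a failure part way leaves the organisation half-updated; wrapping the `each` in `User.transaction do … end` makes the update atomic. The enclosing controller class begins and ends outside the hunk.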
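Review bot: `admin_api_update?` is the gate for granting the organisational_admin role, yet it replaces the previous `is_org_admin?` test with `user.can_use_api? && user.can_grant_permissions?`; neither predicate is visible here, so confirm `can_grant_permissions?` is not satisfied by any non-admin role, otherwise this commit widens who can mint org admins. `initialize` also accepts a `users` argument it never stores and does not handle a `nil` user (Pundit passes `current_user` as-is), so `admin_index?` would be safer as `user.present? && user.can_use_api? && user.can_grant_permissions?`, with `def admin_api_update? = admin_index?` (or a plain alias) to keep the two actions from drifting apart. A short class comment such as `# Pundit policy for the organisation-admin user endpoints; the record argument is unused` plus the missing trailing newline would round it off.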