diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
index f95db1af383ada9ecffdeca35b6291c2c92070f7..72df170f1fd4ed561ff1a324b48581d042c9d569 100644
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -6,6 +6,7 @@ class GroupsController < ApplicationController
 
   # Authorize
   before_filter :authorize_read_group!, except: [:new, :create]
+  before_filter :authorize_create_group!, only: [:new, :create]
 
   # Load group projects
   before_filter :projects, except: [:new, :create]
@@ -103,4 +104,8 @@ class GroupsController < ApplicationController
       return render_404
     end
   end
+
+  def authorize_create_group!
+    can?(current_user, :create_group, nil)
+  end
 end
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 63d720164a1f1257e2c43d8c7645f04024516ae3..6d087a959a9320f9f744f217619b997fcbd8942c 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -1,16 +1,25 @@
 class Ability
   class << self
-    def allowed(object, subject)
+    def allowed(user, subject)
+      return [] unless user.kind_of?(User)
+
       case subject.class.name
-      when "Project" then project_abilities(object, subject)
-      when "Issue" then issue_abilities(object, subject)
-      when "Note" then note_abilities(object, subject)
-      when "Snippet" then snippet_abilities(object, subject)
-      when "MergeRequest" then merge_request_abilities(object, subject)
-      when "Group", "Namespace" then group_abilities(object, subject)
-      when "UserTeam" then user_team_abilities(object, subject)
+      when "Project" then project_abilities(user, subject)
+      when "Issue" then issue_abilities(user, subject)
+      when "Note" then note_abilities(user, subject)
+      when "Snippet" then snippet_abilities(user, subject)
+      when "MergeRequest" then merge_request_abilities(user, subject)
+      when "Group", "Namespace" then group_abilities(user, subject)
+      when "UserTeam" then user_team_abilities(user, subject)
       else []
-      end
+      end.concat(global_abilities(user))
+    end
+
+    def global_abilities(user)
+      rules = []
+      rules << :create_group if user.can_create_group
+      rules << :create_team if user.can_create_team
+      rules
     end
 
     def project_abilities(user, project)
diff --git a/app/models/user.rb b/app/models/user.rb
index b61d2cb0d83e4031863bd34757f0e03b9395f992..469436e9e3ff53e3eb4a4230b6d6a3ccc9b2cf7d 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -232,7 +232,7 @@ class User < ActiveRecord::Base
   end
 
   def can_create_group?
-    can_create_project?
+    can?(:create_group, nil)
   end
 
   def abilities
diff --git a/app/views/admin/users/_form.html.haml b/app/views/admin/users/_form.html.haml
index 45195152cb707d3a83dbf5466f0d28b76b651523..465568ade9efd098acd34b6c98ce65561043d69b 100644
--- a/app/views/admin/users/_form.html.haml
+++ b/app/views/admin/users/_form.html.haml
@@ -46,6 +46,14 @@
             = f.label :projects_limit
             .input= f.number_field :projects_limit
 
+          .clearfix
+            = f.label :can_create_group
+            .input= f.check_box :can_create_group
+
+          .clearfix
+            = f.label :can_create_team
+            .input= f.check_box :can_create_team
+
           .clearfix
             = f.label :admin do
               %strong.cred Administrator