diff --git a/app/controllers/epp/domains_controller.rb b/app/controllers/epp/domains_controller.rb
index b936125f8..ef07729d0 100644
--- a/app/controllers/epp/domains_controller.rb
+++ b/app/controllers/epp/domains_controller.rb
@@ -5,6 +5,7 @@ class Epp::DomainsController < EppController
   before_action :find_password, only: [:info]
 
   def create
+    authorize! :create, Epp::EppDomain
     @domain = Epp::EppDomain.new_from_epp(params[:parsed_frame], current_user)
 
     if @domain.errors.any? || !@domain.save
@@ -20,6 +21,8 @@ class Epp::DomainsController < EppController
   end
 
   def check
+    authorize! :check, Epp::EppDomain
+
     names = params[:parsed_frame].css('name').map(&:text)
     @domains = Epp::EppDomain.check_availability(names)
     render_epp_response '/epp/domains/check'
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 6be658f9b..fb6ed87b1 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -28,6 +28,8 @@ class Ability
 
     # Epp::Domain
     can(:info, Epp::EppDomain) { |d, pw| d.registrar_id == @user.registrar_id || d.auth_info == pw }
+    can(:check, Epp::EppDomain)
+    can(:create, Epp::EppDomain)
   end
 
   def user
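Review bot: `authorize! :create, Epp::EppDomain` in `create` checks the class rather than the domain being registered, so it can only gate on the caller's role. If this is CanCan-style authorization, a block condition later added to the `:create` rule would presumably not be evaluated for a class-level check, and the call would still pass. If per-domain rules are ever expected, authorize the built record with `authorize! :create, @domain` directly after `new_from_epp`; otherwise say so in a comment such as `# role-level check only; per-domain conditions are not evaluated here`. The same applies to `authorize! :check, Epp::EppDomain` in the second hunk. Neither hunk shows where a denied `authorize!` is rescued, so confirm that `EppController` turns it into an EPP authorization-error response instead of a generic server error; the body of `create` continues past the hunk.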
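Review bot: The new rules `can(:check, Epp::EppDomain)` and `can(:create, Epp::EppDomain)` are unconditional, unlike the `:info` rule directly above them, which is scoped by registrar or `auth_info`. Every user who receives this block of abilities may therefore create domains without further restriction. The method that contains the rules starts outside the hunk, so which users that covers cannot be seen here; if it is every authenticated EPP user, the new `authorize!` calls in the controller never deny anyone. If the rules are meant to be unscoped, record that next to them, e.g. `# check/create are role-level only: no per-domain condition applies`. A test for the denied case, a user without these abilities, is also missing from the commit.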