diff --git a/app/models/ability.rb b/app/models/ability.rb
index 0eaa75c01..bd4e24dde 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -6,7 +6,15 @@ class Ability
     alias_action :create, :read, :update, :destroy, :to => :crud
 
     user ||= User.new
-    if Rails.env.development? || Rails.env.test? || (REGISTRY_ENV == :admin && user.admin?)
+
+    # public user abilites
+    can :create, :session
+
+    if REGISTRY_ENV == :admin
+      can :create, :admin_session
+    end
+
+    if (Rails.env.production? ? REGISTRY_ENV == :admin && user.admin? : user.admin?)
       can :manage, Domain
       can :switch, :registrar
       can :crud, DomainTransfer
@@ -15,8 +23,10 @@ class Ability
       can :manage, Domain, registrar_id: user.registrar.id
       can :read, DomainTransfer, transfer_to_id: user.registrar.id
       can :read, DomainTransfer, transfer_from_id: user.registrar.id
-      can :approve_as_client, DomainTransfer, transfer_from_id: user.registrar.id, status: DomainTransfer::PENDING
+      can :approve_as_client, DomainTransfer, 
+        transfer_from_id: user.registrar.id, status: DomainTransfer::PENDING
     end
+
     # Define abilities for the passed in user here. For example:
     #
     #   user ||= User.new # guest user (not logged in)
diff --git a/app/views/layouts/login.haml b/app/views/layouts/login.haml
index 8946e07fa..93634d9ae 100644
--- a/app/views/layouts/login.haml
+++ b/app/views/layouts/login.haml
@@ -21,6 +21,8 @@
         %h2.form-signin-heading.text-center Eesti Interneti SA
         %hr
         / TODO: Refactor this when ID card login is done
-        = button_to 'ID card (gitlab)', 'sessions', class: 'btn btn-lg btn-primary btn-block', name: 'gitlab'
-        = button_to 'ID card (zone)', 'sessions', class: 'btn btn-lg btn-primary btn-block', name: 'zone'
-        = button_to 'ID card (elkdata)', 'sessions', class: 'btn btn-lg btn-primary btn-block', name: 'elkdata'
+        - if Rails.env.development? || (can? :create, :admin_session)
+          = button_to 'ID card (gitlab)', 'sessions', class: 'btn btn-lg btn-primary btn-block', name: 'gitlab'
+        - if can? :create, :session
+          = button_to 'ID card (zone)', 'sessions', class: 'btn btn-lg btn-primary btn-block', name: 'zone'
+          = button_to 'ID card (elkdata)', 'sessions', class: 'btn btn-lg btn-primary btn-block', name: 'elkdata'