diff --git a/app/controllers/registrar_controller.rb b/app/controllers/registrar_controller.rb
index 47d43a794..a665cee09 100644
--- a/app/controllers/registrar_controller.rb
+++ b/app/controllers/registrar_controller.rb
@@ -18,14 +18,14 @@ class RegistrarController < ApplicationController
       return
     end
     return if Rails.env.development?
-    riw = current_user.registrar.registrar_ip_white?(request.ip)
+    registrar_ip_whitelisted = current_user.registrar.registrar_ip_white?(request.ip)
 
-    aiw = true
+    api_ip_whitelisted = true
     if current_user.can?(:create, :epp_request)
-      aiw = current_user.registrar.api_ip_white?(request.ip)
+      api_ip_whitelisted = current_user.registrar.api_ip_white?(request.ip)
     end
 
-    return if riw && aiw
+    return if registrar_ip_whitelisted && api_ip_whitelisted
     flash[:alert] = t('ip_is_not_whitelisted')
     sign_out(current_user)
     redirect_to registrar_login_path and return
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 7b805b952..2fb84807d 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
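Review bot: `api_ip_whitelisted` defaults to `true` and is only overridden when `current_user.can?(:create, :epp_request)` holds, yet the ability this commit inlines in app/models/ability.rb grants `:epp_requests` (plural); unless some other rule grants the singular symbol (not visible here), that branch never runs and the API IP whitelist is never enforced for anyone. Aligning the two, `if current_user.can?(:create, :epp_requests)`, or sharing the subject symbol through one constant used by both the controller and Ability, would keep them from drifting apart again. Because the default fails open, a one-line comment on `api_ip_whitelisted = true` stating that users without EPP rights are exempt from the API whitelist by design would also help the next reader tell intent from accident. The enclosing method begins before this hunk.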
@@ -30,13 +30,39 @@ class Ability
 
   def super # Registrar/api_user dynamic role
     static_registrar
-    static_epp
+    epp
     billing
   end
 
   def epp # Registrar/api_user dynamic role
     static_registrar
-    static_epp
+
+    # REPP
+    can(:manage, :repp)
+
+    # EPP
+    can(:create, :epp_login) # billing can establis epp connection in order to login
+    can(:create, :epp_requests)
+
+    # Epp::Domain
+    can(:info, Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || pw.blank? ? true : d.auth_info == pw }
+    can(:check, Epp::Domain)
+    can(:create, Epp::Domain)
+    can(:renew, Epp::Domain) { |d| d.registrar_id == @user.registrar_id }
+    can(:update, Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || d.auth_info == pw }
+    can(:transfer, Epp::Domain) { |d, pw| d.auth_info == pw }
+    can(:view_password, Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || d.auth_info == pw }
+    can(:delete, Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || d.auth_info == pw }
+
+    # Epp::Contact
+    can(:info, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || pw.blank? ? true : c.auth_info == pw }
+    can(:view_full_info, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
+    can(:check, Epp::Contact)
+    can(:create, Epp::Contact)
+    can(:update, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
+    can(:delete, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
+    can(:renew, Epp::Contact)
+    can(:view_password, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
   end
 
   def billing # Registrar/api_user dynamic role
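Review bot: The moved `:info` rules on Epp::Domain and Epp::Contact depend on `||` binding tighter than `?:`, so `d.registrar_id == @user.registrar_id || pw.blank? ? true : d.auth_info == pw` grants when either of the first two holds and only otherwise compares the password; that is presumably the intent, but the `? true :` is redundant and easy to misread, and `d.registrar_id == @user.registrar_id || pw.blank? || d.auth_info == pw` states the same rule plainly. The password-gated rules (`:transfer`, `:update`, `:delete`, `:view_password`, `:view_full_info`) use a plain `==`, which is also true when both `auth_info` and `pw` are nil — if a record can lack an auth_info (not visible here), a guard such as `pw.present? && ActiveSupport::SecurityUtils.secure_compare(d.auth_info.to_s, pw)` closes that gap and, where that helper is available in the app's Rails version, makes the secret comparison constant-time. The added comment on `can(:create, :epp_login)` has a typo; `# billing can establish an EPP connection in order to log in` reads correctly, and the same comment appears in the `billing` hunk below. These are moved lines, so the removed `static_epp` carried the same issues.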
@@ -44,7 +70,7 @@ class Ability
     can(:manage, Invoice) { |i| i.buyer_id == @user.registrar_id }
     can :manage, :deposit
     can :read, AccountActivity
-    static_epp_login # billing can establis epp connection in order to login
+    can(:create, :epp_login) # billing can establis epp connection in order to login
   end
 
   def customer_service # Admin/admin_user dynamic role
@@ -83,39 +109,6 @@ class Ability
   #
   # Static roles, linked from dynamic roles
   #
-  def static_epp_login
-    can(:create, :epp_login)
-  end
-
-  def static_epp
-    # REPP
-    can(:manage, :repp)
-
-    # EPP
-    static_epp_login
-    can(:create, :epp_requests)
-
-    # Epp::Domain
-    can(:info, Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || pw.blank? ? true : d.auth_info == pw }
-    can(:check, Epp::Domain)
-    can(:create, Epp::Domain)
-    can(:renew, Epp::Domain) { |d| d.registrar_id == @user.registrar_id }
-    can(:update, Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || d.auth_info == pw }
-    can(:transfer, Epp::Domain) { |d, pw| d.auth_info == pw }
-    can(:view_password, Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || d.auth_info == pw }
-    can(:delete, Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || d.auth_info == pw }
-
-    # Epp::Contact
-    can(:info, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || pw.blank? ? true : c.auth_info == pw }
-    can(:view_full_info, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
-    can(:check, Epp::Contact)
-    can(:create, Epp::Contact)
-    can(:update, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
-    can(:delete, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
-    can(:renew, Epp::Contact)
-    can(:view_password, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
-  end
-
   def static_registrar
     can :manage, Nameserver
     can :view, :registrar_dashboard