diff --git a/app/models/ability.rb b/app/models/ability.rb
index 7822a5278..66fc2f098 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -19,9 +19,37 @@ def initialize(user)
 can :export, :repositories
 elsif user.role_id == "staff_user"
 can :read, :all
+ elsif user.role_id == "provider_admin" && user.provider_id.present? && user.consortium_id.present?
+ can [:update, :read, :read_billing_information], Provider, symbol: user.provider_id.upcase
+ can [:manage], Provider do |provider|
+ provider.consortium_id == user.consortium_id.upcase
+ end
+ can [:read], Provider
+ can [:manage], ProviderPrefix do |provider_prefix|
+ provider_prefix.provider.consortium_id == user.consortium_id.upcase
+ end
+ can [:manage], Client do |client|
+ client.provider.consortium_id == user.consortium_id.upcase
+ end
+ can [:manage], ClientPrefix #, :client_id => user.provider_id
+
+ # if Flipper[:delete_doi].enabled?(user)
+ # can [:manage], Doi, :provider_id => user.provider_id
+ # else
+ # can [:read, :update], Doi, :provider_id => user.provider_id
+ # end
+
+ can [:read, :get_url, :transfer, :read_landing_page_results], Doi do |doi|
+ doi.provider.consortium_id == user.provider_id.upcase
+ end
+ can [:read], Doi
+ can [:read], User
+ can [:read], Phrase
+ can [:read], Activity do |activity|
+ activity.doi.findable? || activity.doi.provider.consortium_id == user.consortium_id.upcase
+ end
 elsif user.role_id == "provider_admin" && user.provider_id.present?
 can [:update, :read, :read_billing_information], Provider, symbol: user.provider_id.upcase
- can [:manage], Provider, consortium_id: user.provider_id
 can [:read], Provider
 can [:manage], ProviderPrefix, provider_id: user.provider_id
 can [:manage], Client, provider_id: user.provider_id
diff --git a/app/models/user.rb b/app/models/user.rb
index 070cd7186..de632f5fc 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
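Review bot: `can [:manage], ClientPrefix` in the new consortium branch has no condition, so a consortium admin can manage every ClientPrefix in the system even though the neighbouring `Client` and `ProviderPrefix` grants are scoped to the admin's consortium; the trailing `#, :client_id => user.provider_id` suggests a scope was intended. A block matching its siblings would be `can [:manage], ClientPrefix do |client_prefix| client_prefix.client.provider.consortium_id == user.consortium_id.upcase end`, assuming ClientPrefix exposes `client` the way Client exposes `provider` (the spec hunk in this commit asserts nothing about `client_prefix` for this role, so the suite would not catch the over-grant). The `Doi` block compares against `user.provider_id.upcase` while every other block uses `user.consortium_id.upcase`; they coincide here only because `User#consortium_id` returns `provider_id`, so `user.consortium_id.upcase` is the consistent choice. Block-form rules also cannot be turned into SQL by CanCanCan's `accessible_by`, so if any index action relies on it for Provider, Client, ProviderPrefix or Doi, hash conditions would be needed instead. `initialize(user)` begins before this hunk and continues past it.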
@@ -11,7 +11,7 @@ class User
 # include helper module for caching infrequently changing resources
 include Cacheable
- attr_accessor :name, :uid, :email, :role_id, :jwt, :password, :provider_id, :client_id, :beta_tester, :errors
+ attr_accessor :name, :uid, :email, :role_id, :jwt, :password, :consortium_id, :provider_id, :client_id, :beta_tester, :errors
 def initialize(credentials, options={})
 if credentials.present? && options.fetch(:type, "").downcase == "basic"
@@ -75,6 +75,10 @@ def is_beta_tester?
 beta_tester
 end
+ def consortium_id
+ provider_id if provider && provider.role_name == "ROLE_CONSORTIUM"
+ end
+
 def provider
 return nil unless provider_id.present?
diff --git a/spec/models/ability_spec.rb b/spec/models/ability_spec.rb
index 79554d8eb..f1da9a81c 100644
--- a/spec/models/ability_spec.rb
+++ b/spec/models/ability_spec.rb
@@ -4,7 +4,8 @@ describe User, type: :model do
 let(:token) { User.generate_token }
 let(:user) { User.new(token) }
- let(:provider) { create(:provider) }
+ let(:consortium) { create(:provider, role_name: "ROLE_CONSORTIUM") }
+ let(:provider) { create(:provider, consortium: consortium, role_name: "ROLE_CONSORTIUM_ORGANIZATION") }
 let(:client) { create(:client, provider: provider) }
 let(:prefix) { create(:prefix, prefix: "10.14454") }
 let!(:client_prefix) { create(:client_prefix, client: client, prefix: prefix) }
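Review bot: `attr_accessor :consortium_id` on the new line generates a `consortium_id` reader that the `def consortium_id` added in the `@@ -75,6 +75,10 @@` hunk of this file immediately redefines, so what survives is a writer storing an `@consortium_id` that nothing reads; assigning `user.consortium_id = ...` silently has no effect on the derived value or on authorization. Either drop `:consortium_id` from this list and keep the method, or keep the accessor and set the attribute in `initialize` instead of defining the method — not both. Running the suite with `ruby -w` should also report the method redefinition.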
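Review bot: `consortium_id` calls `provider` twice, and the ability rules in this commit evaluate `user.consortium_id.upcase` inside per-record `can` blocks, so every authorization check against a Provider, Client, ProviderPrefix or Activity record repeats the `provider` lookup unless `provider` memoizes its result (its body starts on the last lines of this hunk but is cut off, so I cannot tell). If it does not, memoize either there or here — note that a cache stored in `@consortium_id` would collide with the ivar the `attr_accessor` writer uses, so pick another name. The body can also use safe navigation and a single call: `provider_id if provider&.role_name == "ROLE_CONSORTIUM"`.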
@@ -146,6 +147,38 @@
 it{ is_expected.not_to be_able_to(:destroy, doi) }
 end
+ context "when is a provider admin for a consortium" do
+ let(:token){ User.generate_token(role_id: "provider_admin", provider_id: consortium.symbol.downcase) }
+
+ it{ is_expected.to be_able_to(:read, user) }
+
+ it{ is_expected.to be_able_to(:read, provider) }
+ it{ is_expected.to be_able_to(:create, provider) }
+ it{ is_expected.to be_able_to(:update, provider) }
+ it{ is_expected.to be_able_to(:destroy, provider) }
+
+ it{ is_expected.to be_able_to(:read, client) }
+ it{ is_expected.to be_able_to(:create, client) }
+ it{ is_expected.to be_able_to(:update, client) }
+ it{ is_expected.to be_able_to(:destroy, client) }
+
+ it{ is_expected.not_to be_able_to(:read, prefix) }
+ it{ is_expected.not_to be_able_to(:create, prefix) }
+ it{ is_expected.not_to be_able_to(:update, prefix) }
+ it{ is_expected.not_to be_able_to(:destroy, prefix) }
+
+ it{ is_expected.to be_able_to(:read, provider_prefix) }
+ it{ is_expected.to be_able_to(:create, provider_prefix) }
+ it{ is_expected.to be_able_to(:update, provider_prefix) }
+ it{ is_expected.to be_able_to(:destroy, provider_prefix) }
+
+ it{ is_expected.to be_able_to(:read, doi) }
+ it{ is_expected.to be_able_to(:transfer, doi) }
+ it{ is_expected.not_to be_able_to(:create, doi) }
+ it{ is_expected.not_to be_able_to(:update, doi) }
+ it{ is_expected.not_to be_able_to(:destroy, doi) }
+ end
+
 context "when is a provider user" do
 let(:token){ User.generate_token(role_id: "provider_user", provider_id: provider.symbol.downcase) }
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 554ca5838..3c9a7cf70 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -26,6 +26,10 @@
 expect(user.role_id).to eq("staff_admin")
 end
+ it "has no consortium_id" do
+ expect(user.consortium_id).to be_nil
+ end
+
 it "has no provider_id" do
 expect(user.provider_id).to be_nil
 end
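Review bot: The new "provider admin for a consortium" context tests only the positive path — `provider`, `client` and `provider_prefix` all belong to `consortium` — so these examples pass equally against the consortium-scoped blocks in `ability.rb` and against an unconditional `can :manage`, which is exactly the distinction the authorization change needs to prove. Add a provider outside the consortium, e.g. `let(:other_provider) { create(:provider) }` (assuming the factory default has no consortium), with `it{ is_expected.not_to be_able_to(:update, other_provider) }` and a matching negative for one of its clients. Also add `client_prefix` examples here: the ability grants `can [:manage], ClientPrefix` without a condition for this role and nothing in this context asserts either way. The `describe` enclosing this context starts before the hunk.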
@@ -46,6 +50,35 @@
 expect(user.role_id).to eq("provider_admin")
 end
+ it "has no consortium_id" do
+ expect(user.consortium_id).to be_nil
+ end
+
+ it "has provider" do
+ expect(user.provider_id).to eq(provider.symbol.downcase)
+ expect(user.provider.name).to eq(provider.name)
+ end
+
+ it "has name" do
+ expect(user.name).to eq("My provider")
+ end
+ end
+ end
+
+ describe "from basic_auth consortium" do
+ let(:provider) { create(:provider, password_input: "12345", role_name: "ROLE_CONSORTIUM") }
+ let(:credentials) { provider.encode_auth_param(username: provider.symbol, password: 12345) }
+ let(:user) { User.new(credentials, type: "basic") }
+
+ describe 'User attributes' do
+ it "has role_id" do
+ expect(user.role_id).to eq("provider_admin")
+ end
+
+ it "has consortium_id" do
+ expect(user.consortium_id).to eq(provider.symbol.downcase)
+ end
+
 it "has provider" do
 expect(user.provider_id).to eq(provider.symbol.downcase)
 expect(user.provider.name).to eq(provider.name)
@@ -67,6 +100,10 @@
 expect(user.role_id).to eq("client_admin")
 end
+ it "has no consortium_id" do
+ expect(user.consortium_id).to be_nil
+ end
+
 it "has provider_id" do
 expect(user.provider_id).to eq(client.symbol.downcase.split(".").first)
 end