diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
new file mode 100644
index 0000000..0027ffe
--- /dev/null
+++ b/app/controllers/users_controller.rb
@@ -0,0 +1,76 @@
+class UsersController < ApplicationController
+  load_and_authorize_resource
+  before_filter :authenticate_user!
+  
+  # GET /users
+  # GET /users.json
+  def index
+    @users = @users.sort_by(&:name)
+
+    respond_to do |format|
+      format.html # index.html.erb
+      format.json { render :json => @users }
+    end
+  end
+
+  # GET /users/1
+  # GET /users/1.json
+  def show
+    respond_to do |format|
+      format.html # show.html.erb
+      format.json { render :json => @user }
+    end
+  end
+
+  # GET /users/new
+  # GET /users/new.json
+  def new
+    respond_to do |format|
+      format.html # new.html.erb
+      format.json { render :json => @user }
+    end
+  end
+
+  # GET /users/1/edit
+  def edit
+  end
+
+  # POST /users
+  # POST /users.json
+  def create
+    respond_to do |format|
+      if @user.save
+        format.html { redirect_to users_url, :notice => 'User was successfully created.' }
+        format.json { render :json => @user, :status => :created, :location => @user }
+      else
+        format.html { render :action => "new" }
+        format.json { render :json => @user.errors, :status => :unprocessable_entity }
+      end
+    end
+  end
+
+  # PUT /users/1
+  # PUT /users/1.json
+  def update
+    respond_to do |format|
+      if @user.update_attributes(params[:user])
+        format.html { redirect_to users_url, :notice => 'User was successfully updated.' }
+        format.json { head :no_content }
+      else
+        format.html { render :action => "edit" }
+        format.json { render :json => @user.errors, :status => :unprocessable_entity }
+      end
+    end
+  end
+
+  # DELETE /users/1
+  # DELETE /users/1.json
+  def destroy
+    @user.destroy
+
+    respond_to do |format|
+      format.html { redirect_to users_url, :notice => 'User successfully deleted.' }
+      format.json { head :no_content }
+    end
+  end
+end
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 3a28440..8523ae9 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -7,6 +7,7 @@ class Ability
         can :manage, :all
       else
         can :read, User, :id => user.id
+        can :read, Card, :user_id => user.id
       end
     end 
     # Define abilities for the passed in user here. For example:
diff --git a/app/views/cards/index.html.erb b/app/views/cards/index.html.erb
index 6791c16..5cebebe 100644
--- a/app/views/cards/index.html.erb
+++ b/app/views/cards/index.html.erb
@@ -1,7 +1,7 @@
 <h1>Listing cards</h1>
 
-<%= link_to 'New Card', new_card_path %>
-<%= link_to 'Upload all cards', upload_all_path %>
+<%= link_to 'New Card', new_card_path if can? :create, Card %>
+<%= link_to 'Upload all cards', upload_all_path if can? :upload_all, Card %>
 <table>
   <tr>
     <th>User</th>
@@ -22,9 +22,9 @@
     <td><%= card.id %></td>
     <td><%= card.card_number %></td>
     <td><%= if card.card_permissions == 1 then "Access" end %></td>
-    <td><%= link_to 'Upload', upload_path(card) %></td>
-    <td><%= link_to 'Edit', edit_card_path(card) %></td>
-    <td><%= link_to 'Destroy', card, :confirm => 'Are you sure? WARNING: THIS DOES NOT REMOVE THE CARD FROM THE DOOR SYSTEM! DISABLE AND UPLOAD IT FIRST.', :method => :delete %></td>
+    <td><%= link_to 'Upload', upload_path(card) if can? :upload, card %></td>
+    <td><%= link_to 'Edit', edit_card_path(card) if can? :update, card %></td>
+    <td><%= link_to 'Destroy', card, :confirm => 'Are you sure? WARNING: THIS DOES NOT REMOVE THE CARD FROM THE DOOR SYSTEM! DISABLE AND UPLOAD IT FIRST.', :method => :delete if can? :destroy, card %></td>
   </tr>
   <% end %>
 <% end %>
diff --git a/app/views/cards/show.html.erb b/app/views/cards/show.html.erb
index 381a4bd..e7785fa 100644
--- a/app/views/cards/show.html.erb
+++ b/app/views/cards/show.html.erb
@@ -1,6 +1,6 @@
 
 <p>
-  <b>Name:</b>
+  <b>Card Note:</b>
   <%= @card.name %>
 </p>
 
@@ -19,6 +19,6 @@
   <%= @card.card_permissions %>
 </p>
 
-<%= link_to 'Upload to Door', upload_path(@card) %>
+<%= link_to 'Upload to Door', upload_path(@card) if can? :upload, @card %>
 <%= link_to 'Edit', edit_card_path(@card) %> |
 <%= link_to 'Back', cards_path %>
diff --git a/app/views/cards/upload.html.erb b/app/views/cards/upload.html.erb
index 01f574c..5e23624 100644
--- a/app/views/cards/upload.html.erb
+++ b/app/views/cards/upload.html.erb
@@ -2,12 +2,12 @@
 <% if @upload_result %>
 <p>
   <b>Upload result:</b>
-  <%= @card.name %> uploaded successfully.
+  <%= @card.card_number %> uploaded successfully.
 </p>
 <% else %>
 <p>
   <b>Upload result:</b>
-  Error uploading <%= @card.name %>.
+  Error uploading <%= @card.card_number %>.
 </p>
 <% end %>
 
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index 284eb5f..4065eb7 100644
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -8,8 +8,9 @@
 </head>
 <body>
   <div id="header">
-    <%= link_to 'Cards', cards_path if user_signed_in? %>
-    <%= link_to 'Logs', door_logs_path if user_signed_in? %>
+    <%= link_to 'Users', users_path if can? :read, User %>
+    <%= link_to 'Cards', cards_path if can? :read, Card %>
+    <%= link_to 'Logs', door_logs_path if can? :read, DoorLog %>
     <%= link_to 'Sign out', destroy_user_session_path, :method => :delete if user_signed_in? %>
     <%= link_to 'Sign in', new_user_session_path unless user_signed_in? %>
   </div>
diff --git a/app/views/users/_form.html.erb b/app/views/users/_form.html.erb
new file mode 100644
index 0000000..78fa292
--- /dev/null
+++ b/app/views/users/_form.html.erb
@@ -0,0 +1,51 @@
+<%= form_for(@user) do |f| %>
+  <% if @user.errors.any? %>
+    <div id="error_explanation">
+      <h2><%= pluralize(@user.errors.count, "error") %> prohibited this user from being saved:</h2>
+
+      <ul>
+      <% @user.errors.full_messages.each do |msg| %>
+        <li><%= msg %></li>
+      <% end %>
+      </ul>
+    </div>
+  <% end %>
+
+  <div class="field">
+    <%= f.label :name %><br />
+    <%= f.text_field :name %>
+  </div>
+  <div class="field">
+    <%= f.label :email %><br />
+    <%= f.email_field :email %>
+  </div>
+  <% if @user.id.blank? || !params[:password].nil? %>
+  <div class="field">
+    <%= f.label :password %><br />
+    <%= f.password_field :password, :autocomplete => "off" %>
+  </div>
+  <div class="field">
+    <%= f.label :password_confirmation %><br />
+    <%= f.password_field :password_confirmation %>
+  </div>
+<% else %>
+  <div class="field">
+    <a href="?password=edit">Change Password</a>
+  </div>
+<% end %>
+  <div class="field">
+    <%= f.label :admin, "Admin?" %><br />
+    <%= f.check_box :admin %>
+  </div>
+  <div class="field">
+    <h3>Cards</h3>
+    <ul>
+    <% @user.cards.each do |c| %>
+      <li><%= link_to "#{c.card_number} #{c.name}", card_url(c) %></li>
+    <% end %>
+    </ul>
+  </div>
+  <div class="actions">
+    <%= f.submit %>
+  </div>
+<% end %>
diff --git a/app/views/users/edit.html.erb b/app/views/users/edit.html.erb
new file mode 100644
index 0000000..99bd4cc
--- /dev/null
+++ b/app/views/users/edit.html.erb
@@ -0,0 +1,6 @@
+<h1>Editing user</h1>
+
+<%= render 'form' %>
+
+<%= link_to 'Show', @user %> |
+<%= link_to 'Back', users_path %>
diff --git a/app/views/users/index.html.erb b/app/views/users/index.html.erb
new file mode 100644
index 0000000..b21e02d
--- /dev/null
+++ b/app/views/users/index.html.erb
@@ -0,0 +1,34 @@
+<h1>Listing users</h1>
+
+<% if can? :create, User %>
+  <%= link_to 'New User', new_user_path %>
+<% end %>
+<table>
+  <tr>
+    <th>Name</th>
+    <th>Email</th>
+    <th>Cards</th>
+    <th>Admin?</th>
+    <th></th>
+    <th></th>
+  </tr>
+  
+<% if !@users.blank? %>
+  <% @users.each do |user| %>
+  <tr>
+    <td><%= user.name %></td>
+    <td><%= user.email %></td>
+    <td>
+      <% user.cards.each do |c| %>
+        <%= link_to c.card_number, card_url(c) %><%= "," unless c == user.cards.last %>
+      <% end %>
+    </td>
+    <td><%= if user.admin? then "Admin" end %></td>
+    <td><%= link_to 'Edit', edit_user_path(user) if can? :update, user %></td>
+    <td><%= link_to 'Destroy', user, :confirm => 'Are you sure? WARNING: THIS DOES NOT REMOVE THE USER FROM THE DOOR SYSTEM! DISABLE THEM FIRST.', :method => :delete if can? :destroy, user %></td>
+  </tr>
+  <% end %>
+<% end %>
+</table>
+
+<br />
diff --git a/app/views/users/new.html.erb b/app/views/users/new.html.erb
new file mode 100644
index 0000000..efc0404
--- /dev/null
+++ b/app/views/users/new.html.erb
@@ -0,0 +1,5 @@
+<h1>New user</h1>
+
+<%= render 'form' %>
+
+<%= link_to 'Back', users_path %>
diff --git a/app/views/users/show.html.erb b/app/views/users/show.html.erb
new file mode 100644
index 0000000..f8609c0
--- /dev/null
+++ b/app/views/users/show.html.erb
@@ -0,0 +1,18 @@
+
+<p>
+  <b>Name:</b>
+  <%= @user.name %>
+</p>
+
+<p>
+  <b>Email:</b>
+  <%= @user.email %>
+</p>
+
+<p>
+  <b>Admin?</b>
+  <%= @user.admin %>
+</p>
+
+<%= link_to 'Edit', edit_user_path(@user) %> |
+<%= link_to 'Back', users_path %>
diff --git a/config/routes.rb b/config/routes.rb
index 56ed9fa..0e16b61 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -1,6 +1,7 @@
 Dooraccess::Application.routes.draw do
 
   devise_for :users
+  resources :users
 
   match 'cards/upload_all' => 'cards#upload_all', :as => :upload_all
   resources :cards