diff --git a/app/models/ability.rb b/app/models/ability.rb
new file mode 100644
index 000000000..7f5a533ca
--- /dev/null
+++ b/app/models/ability.rb
@@ -0,0 +1,43 @@
+class Ability
+ include CanCan::Ability
+
+ def initialize(member)
+ # See the wiki for details: https://github.com/ryanb/cancan/wiki/Defining-Abilities
+ member ||= Member.new # guest member (not logged in)
+
+ # everyone can do these things, even non-logged in
+ can :read, :all
+
+ if member.logged_in?
+
+ # managing your own user settings
+ can :update, Member, :id => member.id
+
+ # for now, anyone can create/edit/destroy crops
+ # (later, we probably want to limit this to a role)
+ can :create, Crop
+ can :update, Crop
+ can :destroy, Crop
+ can :create, ScientificName
+ can :update, ScientificName
+ can :destroy, ScientificName
+
+ # anyone can create a post, but only the author can edit/destroy
+ # it.
+ can :create, Post
+ can :update, Post, :author_id => member.id
+ can :destroy, Post, :author_id => member.id
+
+ # same deal for gardens and plantings
+ can :create, Garden
+ can :update, Garden, :owner_id => member.id
+ can :destroy, Garden, :owner_id => member.id
+
+ can :create, Planting
+ can :update, Planting, :garden => { :owner_id => member.id }
+ can :destroy, Planting, :garden => { :owner_id => member.id }
+
+ end
+
+ end
+end
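Review bot: The `:create` rules for Post, Garden and Planting carry no ownership condition, unlike the `:update`/`:destroy` rules beside them, so the ability itself does not stop a logged-in member from creating a record whose `author_id` or `owner_id` points at another member; whether that is reachable depends on how the controllers assign those attributes, which this diff does not show. Scoping them the same way, e.g. `can :create, Post, :author_id => member.id` and `can :create, Planting, :garden => { :owner_id => member.id }`, keeps the ownership check in one place. Separately, `can :read, :all` applies to guests and to every model, including Member and any model added later, so it is worth listing the publicly readable models explicitly instead of defaulting to allow.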