Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserManageAction.java
===================================================================
diff -u -rff056fe666b6a9a6c93cb2c02fa520345c1b077f -r97f34e32e359c8bc50394be756e4f1efa109f832
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserManageAction.java	(.../UserManageAction.java)	(revision ff056fe666b6a9a6c93cb2c02fa520345c1b077f)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserManageAction.java	(.../UserManageAction.java)	(revision 97f34e32e359c8bc50394be756e4f1efa109f832)
@@ -40,6 +40,7 @@
 import org.apache.struts.action.ActionMessage;
 import org.apache.struts.action.ActionMessages;
 import org.lamsfoundation.lams.usermanagement.Organisation;
+import org.lamsfoundation.lams.usermanagement.Role;
 import org.lamsfoundation.lams.usermanagement.User;
 import org.lamsfoundation.lams.usermanagement.service.IUserManagementService;
 import org.lamsfoundation.lams.util.WebUtil;
@@ -87,11 +88,8 @@
 			saveErrors(request,errors);
 			return mapping.findForward("error");
 		}
-		log.debug("userlist orgId: "+orgId);
+		log.debug("orgId: "+orgId);
 		
-		// check user permission
-		//String username = request.getRemoteUser();
-		
 		// get org name
 		Organisation organisation = (Organisation)service.findById(Organisation.class,orgId);
 		if(organisation==null) {
@@ -100,8 +98,20 @@
 			return mapping.findForward("error");
 		}
 		String orgName = organisation.getName();
-		log.debug("userlist orgName: "+orgName);
+		log.debug("orgName: "+orgName);
 		
+		Integer userId = service.getUserByLogin(request.getRemoteUser()).getUserId();
+        // check permission
+		if(request.isUserInRole(Role.SYSADMIN)){
+			request.setAttribute("canAdd",true);
+		}else if(!service.isUserInRole(userId,orgId,Role.COURSE_ADMIN)){
+			errors.add("authorisation",new ActionMessage("error.authorisation"));
+			saveErrors(request,errors);
+			return mapping.findForward("error");
+		}else{
+			request.setAttribute("canAdd",organisation.getCourseAdminCanAddNewUsers());
+		}
+		
 		// get list of users in org
 		List<User> users = service.getUsersFromOrganisation(orgId);
 		if(users==null){
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserOrgAction.java
===================================================================
diff -u -r370771dd36b12f8db61a236712478388e83bc78d -r97f34e32e359c8bc50394be756e4f1efa109f832
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserOrgAction.java	(.../UserOrgAction.java)	(revision 370771dd36b12f8db61a236712478388e83bc78d)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserOrgAction.java	(.../UserOrgAction.java)	(revision 97f34e32e359c8bc50394be756e4f1efa109f832)
@@ -99,28 +99,23 @@
 		}
 		Integer orgType = organisation.getOrganisationType().getOrganisationTypeId();
 		request.setAttribute("orgType",orgType);
-		
-		// check user permission
-		//String username = request.getRemoteUser();
-		
+				
 		// get list of users in org
+		User user = (User)service.getUserByLogin(request.getRemoteUser());
 		List<User> users = new ArrayList<User>();
 		if(request.isUserInRole(Role.SYSADMIN)){
 			users = service.findAll(User.class);
-		}else if(request.isUserInRole(Role.COURSE_ADMIN)){
-			if(true){  // org allows admin to add users
-				if(true){  // org allows admin to browse all users
+		}else if(service.isUserInRole(user.getUserId(),orgId,Role.COURSE_ADMIN)){
+			if(organisation.getCourseAdminCanAddNewUsers()){
+				if(organisation.getCourseAdminCanBrowseAllUsers()){
 					users = service.findAll(User.class);
 				}else if(orgType.equals(new Integer(OrganisationType.CLASS_TYPE))){
 					users = service.getUsersFromOrganisation(parentOrg.getOrganisationId());
 				}else if(orgType.equals(new Integer(OrganisationType.COURSE_TYPE))){
 					users = service.getUsersFromOrganisation(orgId);
-					/*errors.add("permission",new ActionMessage("error.need.browse.permission"));
-					saveErrors(request,errors);
-					return mapping.findForward("userorg");*/
 				}
 			}else{
-				errors.add("permission",new ActionMessage("error.need.add.permission"));
+				errors.add("authorisation",new ActionMessage("error.authorisation"));
 				saveErrors(request,errors);
 				return mapping.findForward("error");
 			}
Index: lams_admin/web/userlist.jsp
===================================================================
diff -u -r4d20310bee119052061dda3443aa0c0936fd2bf4 -r97f34e32e359c8bc50394be756e4f1efa109f832
--- lams_admin/web/userlist.jsp	(.../userlist.jsp)	(revision 4d20310bee119052061dda3443aa0c0936fd2bf4)
+++ lams_admin/web/userlist.jsp	(.../userlist.jsp)	(revision 97f34e32e359c8bc50394be756e4f1efa109f832)
@@ -15,10 +15,12 @@
   <fmt:message key="admin.user.manage" />
 </h2>
 <p align="right">
-<input type="button" value='<fmt:message key="admin.user.create"/>' onclick=javascript:document.location='user.do?method=edit&orgId=1' />
-<logic:notEqual name="UserManageForm" property="orgId" value="1">
-  <input type="button" value='<fmt:message key="admin.user.add"/>' onclick=javascript:document.location='userorg.do?orgId=<bean:write name="UserManageForm" property="orgId"/>' /></p>
-</logic:notEqual>
+  <logic:equal name="canAdd" value="true">
+    <input type="button" value='<fmt:message key="admin.user.create"/>' onclick=javascript:document.location='user.do?method=edit&orgId=<bean:write name="UserManageForm" property="orgId"/>' />
+    <logic:notEqual name="UserManageForm" property="orgId" value="1">
+      <input type="button" value='<fmt:message key="admin.user.add"/>' onclick=javascript:document.location='userorg.do?orgId=<bean:write name="UserManageForm" property="orgId"/>' /></p>
+    </logic:notEqual>
+  </logic:equal>
 <table class="alternative-color" width=100%>
 <tr>
 	<th></th>