diff --git a/api/app/controllers/mno_enterprise/jpi/v1/admin/users_controller.rb b/api/app/controllers/mno_enterprise/jpi/v1/admin/users_controller.rb
index 0df85f94b..56b1df609 100644
--- a/api/app/controllers/mno_enterprise/jpi/v1/admin/users_controller.rb
+++ b/api/app/controllers/mno_enterprise/jpi/v1/admin/users_controller.rb
@@ -40,10 +40,14 @@ def create
 
   # PATCH /mnoe/jpi/v1/admin/users/:id
   def update
-    @user = MnoEnterprise::User.find(params[:id])
-    @user.update(user_params)
+    if current_user.admin_role == "admin"
+      @user = MnoEnterprise::User.find(params[:id])
+      @user.update(user_params)
 
-    render :show
+      render :show
+    else
+      render :index, status: :unauthorized
+    end
   end
 
   # DELETE /mnoe/jpi/v1/admin/users/1
diff --git a/api/spec/controllers/mno_enterprise/jpi/v1/admin/users_controller_spec.rb b/api/spec/controllers/mno_enterprise/jpi/v1/admin/users_controller_spec.rb
index fcade192f..00bea7ce6 100644
--- a/api/spec/controllers/mno_enterprise/jpi/v1/admin/users_controller_spec.rb
+++ b/api/spec/controllers/mno_enterprise/jpi/v1/admin/users_controller_spec.rb
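Review bot: The new `if current_user.admin_role == "admin"` guards only `update`; `create` (named in the hunk header) and the DELETE action below it get no equivalent check from this commit, so a signed-in staff user can presumably still create or delete admin users. A `before_action` applied to all three mutating actions keeps the rule in one place, and since the caller is already authenticated the fitting status is `:forbidden` rather than `:unauthorized`; `head` also avoids rendering the `:index` template on the denial path, whose content is not what a 403 response should carry. The literal `"admin"` is compared inline here and repeated in the factory trait, so a named constant would keep the two from drifting. The spec's `have_http_status(:unauthorized)` expectation would change accordingly.
```ruby
before_action :require_admin, only: %i[create update destroy]

# PATCH /mnoe/jpi/v1/admin/users/:id
def update
  @user = MnoEnterprise::User.find(params[:id])
  @user.update(user_params)

  render :show
end

# … unchanged: destroy, user_params (private) …

# Only a user whose admin_role is 'admin' may mutate admin users; everyone
# else is authenticated but not allowed, hence 403 with no body.
def require_admin
  head :forbidden unless current_user.admin_role == 'admin'
end
```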
@@ -92,16 +92,31 @@ def hash_for_user(user)
 
   describe 'PUT #update' do
     subject { put :update, id: user.id, user: {admin_role: 'staff'} }
+    let(:current_user) { build(:user, :admin) }
 
     before do
-      api_stub_for(put: "/users/#{user.id}", response: ->{ user.admin_role = 'staff'; from_api(user) })
+      api_stub_for(get: "/users/#{current_user.id}", response: from_api(current_user))
+      sign_in current_user
+
+      user.admin_role = nil
+      api_stub_for(put: "/users/#{user.id}", response: -> { user.admin_role = 'staff'; from_api(user) })
       subject
     end
 
-    it { expect(response).to be_success }
+    context 'when admin' do
+      it { expect(response).to be_success }
+
+      # Test that the user is updated by testing the api endpoint was called
+      it { expect(user.admin_role).to eq('staff') }
+    end
 
-    # Test that the user is updated by testing the api endpoint was called
-    it { expect(user.admin_role).to eq('staff') }
+    context 'when staff' do
+      let(:current_user) { build(:user, :staff) }
+
+      it { expect(response).to have_http_status(:unauthorized) }
+
+      it { expect(user.admin_role).to be_nil }
+    end
   end
 
   describe 'DELETE #destroy' do
diff --git a/core/app/controllers/mno_enterprise/application_controller.rb b/core/app/controllers/mno_enterprise/application_controller.rb
index 6d18bd0c0..0badde2d7 100644
--- a/core/app/controllers/mno_enterprise/application_controller.rb
+++ b/core/app/controllers/mno_enterprise/application_controller.rb
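Review bot: The denial case is covered only for a `:staff` user; this commit changes the factory default `admin_role` to `nil`, and a signed-in user with no admin role at all is not exercised against `update`. Add `context 'when no admin role' do let(:current_user) { build(:user) } ... end` with the same two expectations as `'when staff'`. In both denial contexts the PUT stub stays registered, so `expect(user.admin_role).to be_nil` only proves something because the stub's lambda is what would set `'staff'`; a one-line comment makes that dependency explicit, e.g. `# the PUT stub mutates user.admin_role, so nil proves the API was never called`.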
@@ -98,8 +98,12 @@ def return_to_url(resource)
   # Redirect to previous url and reset it
   def after_sign_in_path_for(resource)
     previous_url = session.delete(:previous_url)
-    url = MnoEnterprise.router.dashboard_path || main_app.root_url
-    return (return_to_url(resource) || previous_url || url)
+    default_url = if resource.respond_to?(:admin_role) && resource.admin_role.present?
+      MnoEnterprise.router.admin_path
+    else
+      MnoEnterprise.router.dashboard_path || main_app.root_url
+    end
+    return (return_to_url(resource) || previous_url || default_url)
   end
 
   # Some controllers needs to redirect to 'MySpace' which breaks if you dont use mnoe-frontend
diff --git a/core/lib/mno_enterprise/core.rb b/core/lib/mno_enterprise/core.rb
index ddcdc4e82..689eb7408 100644
--- a/core/lib/mno_enterprise/core.rb
+++ b/core/lib/mno_enterprise/core.rb
@@ -53,6 +53,10 @@ def terms_url
     @terms_url || '#'
   end
 
+  def admin_path
+    @admin_path || '/admin/'
+  end
+
   def launch_url(id,opts = {})
     host_url("/launch/#{id}",opts)
   end
diff --git a/core/lib/mno_enterprise/testing_support/factories/users.rb b/core/lib/mno_enterprise/testing_support/factories/users.rb
index 900108f05..ce67223db 100644
--- a/core/lib/mno_enterprise/testing_support/factories/users.rb
+++ b/core/lib/mno_enterprise/testing_support/factories/users.rb
@@ -4,7 +4,7 @@
 # Use as such: build(:api_user)
 # See http://stackoverflow.com/questions/10032760/how-to-define-an-array-hash-in-factory-girl
 FactoryGirl.define do
-  
+
   factory :user, class: MnoEnterprise::User do
     sequence(:id)
     sequence(:uid) { |n| "usr-fda9#{n}" }
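Review bot: `resource.admin_role.present?` sends every non-blank role to `admin_path`, so a `'staff'` user lands on the admin console while `users_controller#update` in this same commit accepts only `'admin'`; that deliberate difference should be stated next to the condition, e.g. `# Any non-blank admin_role (admin or staff) lands on the admin console; per-action rights are enforced by the admin controllers themselves.` The explicit `return` and its parentheses are redundant on the method's last expression: `return_to_url(resource) || previous_url || default_url`. Moving the `if` into a private `default_after_sign_in_path(resource)` would keep `after_sign_in_path_for` to its original three lines.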
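Review bot: `admin_path` carries no comment saying what it configures or that it is a path rather than a host-qualified URL like `launch_url` directly below it; add `# Path of the admin console, used as the post-sign-in destination for users with an admin_role. Defaults to '/admin/'.` The writer for `@admin_path` is not in this hunk, so presumably it is declared with the other configurable attributes elsewhere in this file; worth confirming the new option is exposed there as well.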
@@ -20,28 +20,32 @@ created_at 2.days.ago updated_at 2.days.ago sso_session "1fdd5sf5a73D7sd1as2a4sd541" - admin_role false + admin_role nil confirmation_sent_at 2.days.ago confirmation_token "wky763pGjtzWR7dP44PD" confirmed_at 1.days.ago - + trait :unconfirmed do confirmed_at nil end trait :admin do - admin_role true + admin_role 'admin' + end + + trait :staff do + admin_role 'staff' end trait :with_deletion_request do deletion_request { build(:deletion_request).attributes } end - + trait :with_organizations do organizations { [build(:organization).attributes] } end - + # Properly build the resource with Her initialize_with { new(attributes).tap { |e| e.clear_attribute_changes! } } end diff --git a/core/spec/controllers/mno_enterprise/application_controller_spec.rb b/core/spec/controllers/mno_enterprise/application_controller_spec.rb index c241b1653..99d8392f3 100644 --- a/core/spec/controllers/mno_enterprise/application_controller_spec.rb +++ b/core/spec/controllers/mno_enterprise/application_controller_spec.rb 
@@ -2,14 +2,30 @@ module MnoEnterprise describe ApplicationController, type: :controller do + # create an anonymous subclass of ApplicationController to expose protected methods + controller(MnoEnterprise::ApplicationController) do + def after_sign_in_path_for(resource) + super + end + def add_param_to_fragment(url, param_name, param_value) + super + end + end + describe '#add_param_to_fragment' do - let(:controller) { MnoEnterprise::ApplicationController.new } + it { expect(controller.add_param_to_fragment('/#/platform/accounts', 'foo', 'bar')).to eq('/#/platform/accounts?foo=bar') } + it { expect(controller.add_param_to_fragment('/', 'foo', 'bar')).to eq('/#?foo=bar') } + it { expect(controller.add_param_to_fragment('/#/platform/dashboard/he/43?en=690', 'foo', 'bar')).to eq('/#/platform/dashboard/he/43?en=690&foo=bar') } + it { expect(controller.add_param_to_fragment('/#/platform/dashboard/he/43?en=690', 'foo', [{msg: 'yolo'}])).to eq('/#/platform/dashboard/he/43?en=690&foo=%7B%3Amsg%3D%3E%22yolo%22%7D') } + end - it { expect(subject.send(:add_param_to_fragment, '/#/platform/accounts', 'foo', 'bar')).to eq('/#/platform/accounts?foo=bar') } - it { expect(subject.send(:add_param_to_fragment, '/', 'foo', 'bar')).to eq('/#?foo=bar') } - it { expect(subject.send(:add_param_to_fragment, '/#/platform/dashboard/he/43?en=690', 'foo', 'bar')).to eq('/#/platform/dashboard/he/43?en=690&foo=bar') } - it { expect(subject.send(:add_param_to_fragment, '/#/platform/dashboard/he/43?en=690', 'foo', [{msg: 'yolo'}])).to eq('/#/platform/dashboard/he/43?en=690&foo=%7B%3Amsg%3D%3E%22yolo%22%7D') } + describe '#after_sign_in_path_for' do + before { @request.env["devise.mapping"] = Devise.mappings[:user] } + + it { expect(controller.after_sign_in_path_for(User.new())).to eq('/dashboard/') } + it { expect(controller.after_sign_in_path_for(User.new(admin_role: "staff"))).to eq('/admin/') } + it { expect(controller.after_sign_in_path_for(User.new(admin_role: ""))).to eq('/dashboard/') } + 
it { expect(controller.after_sign_in_path_for(User.new(admin_role: "admin"))).to eq('/admin/') } end end - end diff --git a/core/spec/controllers/mno_enterprise/i18n_spec.rb b/core/spec/controllers/mno_enterprise/i18n_spec.rb index e4d49bf9d..614dff7ea 100644 --- a/core/spec/controllers/mno_enterprise/i18n_spec.rb +++ b/core/spec/controllers/mno_enterprise/i18n_spec.rb @@ -1,7 +1,7 @@ require 'rails_helper' module MnoEnterprise - describe ApplicationController, type: :controller do + describe 'ApplicationController I18n', type: :controller do # Anonymous controller controller do include MnoEnterprise::Concerns::Controllers::I18n diff --git a/frontend-admin/src/app/components/mnoe-api/admin/current-user.svc.coffee b/frontend-admin/src/app/components/mnoe-api/admin/current-user.svc.coffee index 22d57797e..87d474c0b 100644 --- a/frontend-admin/src/app/components/mnoe-api/admin/current-user.svc.coffee +++ b/frontend-admin/src/app/components/mnoe-api/admin/current-user.svc.coffee @@ -7,7 +7,7 @@ # fork of the upstream library -@App.service 'MnoeCurrentUser', (MnoeApiSvc, $window, $state) -> +@App.service 'MnoeCurrentUser', (MnoeApiSvc, $window, $state, $q) -> _self = @ # Store the current_user promise @@ -27,4 +27,14 @@ response ) + @skipIfNotAdmin = () -> + if _self.user.admin_role? && _self.user.admin_role == 'admin' + return $q.resolve() + else + $timeout(-> + # Runs after the authentication promise has been rejected. + $state.go('dashboard.home') + ) + $q.reject() + return @ diff --git a/frontend-admin/src/app/index.route.coffee b/frontend-admin/src/app/index.route.coffee index 428086bc5..064002637 100644 --- a/frontend-admin/src/app/index.route.coffee +++ b/frontend-admin/src/app/index.route.coffee @@ -43,6 +43,8 @@ controllerAs: 'vm' ncyBreadcrumb: label: 'Staff' + resolve: + skip: (MnoeCurrentUser) -> MnoeCurrentUser.skipIfNotAdmin() .state 'dashboard.customers', url: '/customers' templateUrl: 'app/views/customers/customers.html'
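Review bot: The anonymous controller re-declares `after_sign_in_path_for` and `add_param_to_fragment` as three-line `super` wrappers only to make them callable from the examples; `public :after_sign_in_path_for, :add_param_to_fragment` inside the `controller(...)` block does the same in one line. `User.new()` with empty parentheses is also unidiomatic; `User.new` suffices. The `'/dashboard/'` expectations depend on the default of `dashboard_path`, which lives outside this hunk, so a failure there would point at router configuration rather than the branch under test. The `describe` block begins at the top of the file and this hunk runs to its end.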
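Review bot: `skipIfNotAdmin` calls `$timeout` in its non-admin branch, but the service's injection list in the earlier hunk of this file adds only `$q`, so unless `$timeout` is bound somewhere the context does not show, the first non-admin visit to the Staff route throws a ReferenceError instead of redirecting, and the denial path is the one that must work. Change the signature to `@App.service 'MnoeCurrentUser', (MnoeApiSvc, $window, $state, $q, $timeout) ->`. The check also reads `_self.user` synchronously and the `resolve` added in index.route.coffee invokes it on route entry, so presumably it relies on the current-user promise having already settled; worth confirming, or chaining the check on that promise. This client-side guard is a navigation convenience only; the server-side check in users_controller remains the enforcement point.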