diff --git a/app/models/ability.rb b/app/models/ability.rb
index ae1f1ed..61fb180 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -4,11 +4,13 @@ class Ability
   include Hydra::Ability
   include Hyrax::Ability
 
-  self.ability_logic += [:everyone_can_create_curation_concerns]
+  # self.ability_logic += [:everyone_can_create_curation_concerns]
   self.ability_logic += [:deepblue_abilities]
 
   def deepblue_abilities
-    can [:doi], ActiveFedora::Base
+    if can_deposit?
+      can [:doi], ActiveFedora::Base
+    end
 
     alias_action :display_provenance_log,    to: :read
     alias_action :globus_clean_download,     to: :delete
@@ -36,6 +38,29 @@ def custom_permissions
     # if user_groups.include? 'special_group'
     #   can [:create], ActiveFedora::Base
     # end
+
+    # restrict depositing permissions
+    if can_deposit?
+      can [:create], DataSet
+      can [:create], FileSet
+    else
+      cannot [:create, :edit, :update, :destroy], DataSet
+      cannot [:create, :edit, :update, :destroy], FileSet
+    end
   end
 
+  def can_deposit?
+    # Short-circuit logic for admins, who should have the ability
+    # to deposit whether or not they are explicitly
+    # granted the depositing role in any workflows
+    # return true if admin? # FIXME: decide
+                         
+    # Are there any workflows where this user has the "depositing" responsibility
+    depositing_role = Sipity::Role.find_by(name: Hyrax::RoleRegistry::DEPOSITING)
+    return false unless depositing_role
+    Hyrax::Workflow::PermissionQuery.scope_processing_agents_for(user: current_user).any? do |agent|
+      agent.workflow_responsibilities.joins(:workflow_role)
+           .where('sipity_workflow_roles.role_id' => depositing_role.id).any?
+    end
+  end
 end