diff --git a/app/decorators.py b/app/decorators.py
index f0e990c..a1cfacf 100644
--- a/app/decorators.py
+++ b/app/decorators.py
@@ -61,3 +61,18 @@ def can_configure_dnssec(f):
 
         return f(*args, **kwargs)
     return decorated_function
+
+
+def can_create_domain(f):
+    """
+    Grant access if:
+        - user is in Operator role or higher, or
+        - allow_user_create_domain is on
+    """
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if g.user.role.name not in ['Administrator', 'Operator'] and not Setting().get('allow_user_create_domain'):
+            return redirect(url_for('error', code=401))
+
+        return f(*args, **kwargs)
+    return decorated_function
diff --git a/app/models.py b/app/models.py
index 816e226..82fabf9 100644
--- a/app/models.py
+++ b/app/models.py
@@ -1799,6 +1799,7 @@ class Setting(db.Model):
         'allow_quick_edit': True,
         'pretty_ipv6_ptr': False,
         'dnssec_admins_only': False,
+        'allow_user_create_domain': False,
         'bg_domain_updates': False,
         'site_name': 'PowerDNS-Admin',
         'pdns_api_url': '',
diff --git a/app/templates/admin_setting_basic.html b/app/templates/admin_setting_basic.html
index b289f75..d5bdb84 100644
--- a/app/templates/admin_setting_basic.html
+++ b/app/templates/admin_setting_basic.html
@@ -69,7 +69,7 @@
 <script>
     // set up history data table
     $("#tbl_settings").DataTable({
-        "paging" : true,
+        "paging" : false,
         "lengthChange" : false,
         "searching" : true,
         "ordering" : true,
diff --git a/app/templates/base.html b/app/templates/base.html
index 0b1e220..b69873c 100644
--- a/app/templates/base.html
+++ b/app/templates/base.html
@@ -108,10 +108,12 @@
         <li class="{{ 'active' if active_page == 'dashboard' else '' }}">
           <a href="{{ url_for('dashboard') }}"><i class="fa fa-dashboard"></i> Dashboard</a>
         </li>
-        {% if current_user.role.name in ['Administrator', 'Operator'] %}
+        {% if SETTING.get('allow_user_create_domain') %}
         <li class="{{ 'active' if active_page == 'new_domain' else '' }}">
           <a href="{{ url_for('domain_add') }}"><i class="fa fa-plus"></i> New Domain</a>
         </li>
+        {% endif %}
+        {% if current_user.role.name in ['Administrator', 'Operator'] %}
         <li class="header">ADMINISTRATION</li>
         <li class="{{ 'active' if active_page == 'admin_console' else '' }}">
           <a href="{{ url_for('admin_pdns') }}"><i class="fa fa-info-circle"></i> PDNS</a>
diff --git a/app/views.py b/app/views.py
index c109199..691072d 100644
--- a/app/views.py
+++ b/app/views.py
@@ -19,7 +19,7 @@ from .models import User, Account, Domain, Record, Role, Server, History, Anonym
 from app import app, login_manager
 from app.lib import utils
 from app.oauth import github_oauth, google_oauth
-from app.decorators import admin_role_required, operator_role_required, can_access_domain, can_configure_dnssec
+from app.decorators import admin_role_required, operator_role_required, can_access_domain, can_configure_dnssec, can_create_domain
 
 if app.config['SAML_ENABLED']:
     from onelogin.saml2.utils import OneLogin_Saml2_Utils
@@ -598,7 +598,7 @@ def domain(domain_name):
 
 @app.route('/admin/domain/add', methods=['GET', 'POST'])
 @login_required
-@operator_role_required
+@can_create_domain
 def domain_add():
     templates = DomainTemplate.query.all()
     if request.method == 'POST':
@@ -627,6 +627,11 @@ def domain_add():
             if result['status'] == 'ok':
                 history = History(msg='Add domain {0}'.format(domain_name), detail=str({'domain_type': domain_type, 'domain_master_ips': domain_master_ips, 'account_id': account_id}), created_by=current_user.username)
                 history.add()
+
+                # grant user access to the domain
+                Domain(name=domain_name).grant_privielges([current_user.username])
+
+                # apply template if needed
                 if domain_template != '0':
                     template = DomainTemplate.query.filter(DomainTemplate.id == domain_template).first()
                     template_records = DomainTemplateRecord.query.filter(DomainTemplateRecord.template_id == domain_template).all()
@@ -693,6 +698,7 @@ def domain_management(domain_name):
         new_user_list = request.form.getlist('domain_multi_user[]')
 
         # grant/revoke user privielges
+        d = Domain(name=domain_name)
         d.grant_privielges(new_user_list)
 
         history = History(msg='Change domain {0} access control'.format(domain_name), detail=str({'user_has_access': new_user_list}), created_by=current_user.username)
diff --git a/migrations/versions/4a666113c7bb_add_operator_role.py b/migrations/versions/4a666113c7bb_add_operator_role.py
index 43f91ba..057937f 100644
--- a/migrations/versions/4a666113c7bb_add_operator_role.py
+++ b/migrations/versions/4a666113c7bb_add_operator_role.py
@@ -24,10 +24,11 @@ def update_data():
         sa.sql.column('view', sa.String)
     )
 
-    # add ldap_operator_group setting
+    # add new settings
     op.bulk_insert(setting_table,
         [
             {'id': 44, 'name': 'ldap_operator_group', 'value': '', 'view': 'authentication'},
+            {'id': 45, 'name': 'allow_user_create_domain', 'value': 'False', 'view': 'basic'},
         ]
     )
 
@@ -54,5 +55,6 @@ def downgrade():
     op.execute("UPDATE user SET role_id = 2 WHERE role_id=3")
     op.execute("DELETE FROM role WHERE name = 'Operator'")
 
-    # delete ldap setting
-    op.execute("DELETE FROM setting WHERE name = 'ldap_operator_group'")
\ No newline at end of file
+    # delete settings
+    op.execute("DELETE FROM setting WHERE name = 'ldap_operator_group'")
+    op.execute("DELETE FROM setting WHERE name = 'allow_user_create_domain'")