diff --git a/src/__phutil_library_map__.php b/src/__phutil_library_map__.php
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -1224,6 +1224,7 @@
 'PasteQueryConduitAPIMethod' => 'applications/paste/conduit/PasteQueryConduitAPIMethod.php',
 'PasteReplyHandler' => 'applications/paste/mail/PasteReplyHandler.php',
 'PeopleBrowseUserDirectoryCapability' => 'applications/people/capability/PeopleBrowseUserDirectoryCapability.php',
+ 'PeopleCreateUsersCapability' => 'applications/people/capability/PeopleCreateUsersCapability.php',
 'PeopleUserLogGarbageCollector' => 'applications/people/garbagecollector/PeopleUserLogGarbageCollector.php',
 'Phabricator404Controller' => 'applications/base/controller/Phabricator404Controller.php',
 'PhabricatorAPCSetupCheck' => 'applications/config/check/PhabricatorAPCSetupCheck.php',
@@ -4382,6 +4383,7 @@
 'PasteQueryConduitAPIMethod' => 'PasteConduitAPIMethod',
 'PasteReplyHandler' => 'PhabricatorMailReplyHandler',
 'PeopleBrowseUserDirectoryCapability' => 'PhabricatorPolicyCapability',
+ 'PeopleCreateUsersCapability' => 'PhabricatorPolicyCapability',
 'PeopleUserLogGarbageCollector' => 'PhabricatorGarbageCollector',
 'Phabricator404Controller' => 'PhabricatorController',
 'PhabricatorAPCSetupCheck' => 'PhabricatorSetupCheck',
diff --git a/src/applications/people/application/PhabricatorPeopleApplication.php b/src/applications/people/application/PhabricatorPeopleApplication.php
--- a/src/applications/people/application/PhabricatorPeopleApplication.php
+++ b/src/applications/people/application/PhabricatorPeopleApplication.php
@@ -78,6 +78,9 @@
 protected function getCustomCapabilities() {
 return array(
+ PeopleCreateUsersCapability::CAPABILITY => array(
+ 'default' => PhabricatorPolicies::POLICY_ADMIN,
+ ),
 PeopleBrowseUserDirectoryCapability::CAPABILITY => array(),
 );
 }
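Review bot: The `PeopleCreateUsersCapability::CAPABILITY` entry added to `getCustomCapabilities()` in PhabricatorPeopleApplication.php sets only `'default'`, so whoever edits this policy gets no description of what granting it delegates. Account creation is a privileged action and this entry is the switch that can widen it beyond administrators, so a caption is worth adding, for example `'caption' => pht('Users who may create new accounts.'),`. The enclosing class is outside the hunk, so confirm the `'caption'` key is read by the application base class in this version.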
diff --git a/src/applications/people/capability/PeopleCreateUsersCapability.php b/src/applications/people/capability/PeopleCreateUsersCapability.php
new file mode 100644
--- /dev/null
+++ b/src/applications/people/capability/PeopleCreateUsersCapability.php
@@ -0,0 +1,16 @@
+getRequest()->getUser();
- if ($viewer->getIsAdmin()) {
- $crumbs->addAction(
- id(new PHUIListItemView())
- ->setName(pht('Create New User'))
- ->setHref($this->getApplicationURI('create/'))
- ->setIcon('fa-plus-square'));
- }
+ $can_create = $this->hasApplicationCapability(
+ PeopleCreateUsersCapability::CAPABILITY);
+ $crumbs->addAction(
+ id(new PHUIListItemView())
+ ->setName(pht('Create New User'))
+ ->setHref($this->getApplicationURI('create/'))
+ ->setDisabled(!$can_create)
+ ->setIcon('fa-plus-square'));
 return $crumbs;
 }
diff --git a/src/applications/people/controller/PhabricatorPeopleCreateController.php b/src/applications/people/controller/PhabricatorPeopleCreateController.php
--- a/src/applications/people/controller/PhabricatorPeopleCreateController.php
+++ b/src/applications/people/controller/PhabricatorPeopleCreateController.php
@@ -3,8 +3,9 @@
 final class PhabricatorPeopleCreateController extends PhabricatorPeopleController {
- public function processRequest() {
- $request = $this->getRequest();
+ public function handleRequest(AphrontRequest $request) {
+ $this->requireApplicationCapability(
+ PeopleCreateUsersCapability::CAPABILITY);
 $admin = $request->getUser();
 id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
diff --git a/src/applications/people/controller/PhabricatorPeopleLdapController.php b/src/applications/people/controller/PhabricatorPeopleLdapController.php
--- a/src/applications/people/controller/PhabricatorPeopleLdapController.php
+++ b/src/applications/people/controller/PhabricatorPeopleLdapController.php
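Review bot: In the PhabricatorPeopleCreateController.php hunk, `handleRequest()` still binds the acting user to `$admin` right after the new `requireApplicationCapability()` call, although the capability's policy can now be set to something other than its admin default. The name invites later code to treat the actor as an administrator, so rename it, for example `$viewer = $request->getUser();`. The rest of the method is outside the hunk and should be audited for logic that presumably relied on the caller being an admin. The same leftover `$admin` appears in the PhabricatorPeopleLdapController.php and PhabricatorPeopleNewController.php hunks.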
@@ -3,9 +3,9 @@
 final class PhabricatorPeopleLdapController extends PhabricatorPeopleController {
- public function processRequest() {
-
- $request = $this->getRequest();
+ public function handleRequest(AphrontRequest $request) {
+ $this->requireApplicationCapability(
+ PeopleCreateUsersCapability::CAPABILITY);
 $admin = $request->getUser();
 $content = array();
diff --git a/src/applications/people/controller/PhabricatorPeopleNewController.php b/src/applications/people/controller/PhabricatorPeopleNewController.php
--- a/src/applications/people/controller/PhabricatorPeopleNewController.php
+++ b/src/applications/people/controller/PhabricatorPeopleNewController.php
@@ -3,17 +3,13 @@
 final class PhabricatorPeopleNewController extends PhabricatorPeopleController {
- private $type;
-
- public function willProcessRequest(array $data) {
- $this->type = $data['type'];
- }
-
- public function processRequest() {
- $request = $this->getRequest();
+ public function handleRequest(AphrontRequest $request) {
+ $this->requireApplicationCapability(
+ PeopleCreateUsersCapability::CAPABILITY);
+ $type = $request->getURIData('type');
 $admin = $request->getUser();
- switch ($this->type) {
+ switch ($type) {
 case 'standard':
 $is_bot = false;
 break;
@@ -36,7 +32,6 @@
 $new_email = null;
- $request = $this->getRequest();
 if ($request->isFormPost()) {
 $welcome_checked = $request->getInt('welcome');
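Review bot: In the first PhabricatorPeopleNewController.php hunk, `handleRequest()` checks the capability once, before `$type` is read, so every account type the `switch` accepts is opened to whoever holds the policy, not only `'standard'`. The other cases are outside the hunk, but `$is_bot = false` on the standard branch suggests a bot branch exists. If bot or other non-standard accounts are meant to stay admin-only, move the `requireApplicationCapability(PeopleCreateUsersCapability::CAPABILITY)` call into `case 'standard':` and guard the other branches with `$admin->getIsAdmin()`. If sharing one policy is intended, say so in a comment above the check.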