diff --git a/app/models/user.rb b/app/models/user.rb
index b4ddd69679..1dba360a35 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -193,6 +193,7 @@ def self.from_omniauth(auth)
     user.assign_attributes(display_name: auth.info.first_name, ppid: auth.uid, uid: auth.info.net_id)
     # tezprox@emory.edu isn't a real email address
     user.email = auth.info.net_id + '@emory.edu' unless auth.info.net_id == 'tezprox'
+    Avalon::RoleControls.add_user_role(user.username, 'administrator') unless Avalon::RoleControls.user_roles(user.username).include?('administrator')
     user.save
     user
   end
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index f6bc5df58c..4bd9b3ce96 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -224,7 +224,7 @@
           )
         end
 
-        it "updates ppid and display_name with values from shibboleth" do
+        it "updates ppid and display_name and group with values from shibboleth" do
           expect(user.uid).to eq auth_hash.info.net_id
           expect(user.ppid).to eq auth_hash.uid
           expect(user.display_name).to eq auth_hash.info.first_name
@@ -235,6 +235,7 @@
           expect(user.ppid).to eq updated_auth_hash.uid
           expect(user.display_name).not_to eq auth_hash.info.first_name
           expect(user.display_name).to eq updated_auth_hash.info.first_name
+          expect(Avalon::RoleControls.user_roles(user.username)).to include('administrator')
         end
       end