diff --git a/app/controllers/organisation_relationships_controller.rb b/app/controllers/organisation_relationships_controller.rb
index 65617baac..c0ea020b0 100644
--- a/app/controllers/organisation_relationships_controller.rb
+++ b/app/controllers/organisation_relationships_controller.rb
@@ -41,6 +41,7 @@ class OrganisationRelationshipsController < ApplicationController
 def create_stock_owner
 @organisation_relationship = organisation.parent_organisation_relationships.new(organisation_relationship_params)
+ authorize @organisation_relationship
 if @organisation_relationship.save(context: :stock_owner)
 flash[:notice] = "#{@organisation_relationship.parent_organisation.name} is now one of #{current_user.data_coordinator? ? 'your' : "this organisation's"} stock owners"
 redirect_to stock_owners_organisation_path
diff --git a/app/policies/organisation_relationship_policy.rb b/app/policies/organisation_relationship_policy.rb
new file mode 100644
index 000000000..1a9902be9
--- /dev/null
+++ b/app/policies/organisation_relationship_policy.rb
@@ -0,0 +1,12 @@
+class OrganisationRelationshipPolicy
+ attr_reader :user, :organisation_relationship
+
+ def initialize(user, organisation_relationship)
+ @user = user
+ @organisation_relationship = organisation_relationship
+ end
+
+ def create_stock_owner?
+ return true unless user.data_provider?
+ end
+end
diff --git a/spec/requests/organisation_relationships_controller_spec.rb b/spec/requests/organisation_relationships_controller_spec.rb
index 83af2b981..36e957c58 100644
--- a/spec/requests/organisation_relationships_controller_spec.rb
+++ b/spec/requests/organisation_relationships_controller_spec.rb
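Review bot: The new `authorize @organisation_relationship` line gates this action on the caller's role only, because the policy it presumably resolves to (`OrganisationRelationshipPolicy#create_stock_owner?` in the new file) never looks at the record or at the parent `organisation`. Whether the current user may act on the organisation named in the URL therefore still rests on something outside this hunk, such as a before_action behind the `organisation` helper; if no such check exists, the new line rejects data providers but not coordinators of other organisations. Once that place is confirmed, a one-line comment above the call would make the split explicit, e.g. `# role check only; membership of `organisation` is enforced by <before_action>`. The body of create_stock_owner continues past the end of the hunk.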
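Review bot: `create_stock_owner?` returns `nil` rather than `false` for data providers, since `return true unless ...` yields no value on the fall-through path; a `?` predicate should answer with a boolean, and `!user.data_provider?` expresses the same rule without the nil. The rule is also written as a deny-list: every role other than data provider passes, including any role introduced later, whereas an allow-list of the roles meant to create stock owners (`user.data_coordinator?` is the only other role visible in this diff) fails closed when the role set grows. The `organisation_relationship` reader is stored but unused, which is fine if a later rule needs the record; a `# @return [Boolean] true for every role except data provider` line above the method would document the contract.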
@@ -296,6 +296,27 @@ RSpec.describe OrganisationRelationshipsController, type: :request do
 end
 end
+ context "when directly adding a stock owner" do
+ let!(:stock_owner) { FactoryBot.create(:organisation) }
+ let(:params) do
+ {
+ "organisation_relationship": {
+ "parent_organisation_id": stock_owner.id,
+ },
+ }
+ end
+ let(:request) { post "/organisations/#{organisation.id}/stock-owners", headers:, params: }
+
+ it "returns 401 from users page" do
+ request
+ expect(response).to have_http_status(:unauthorized)
+ end
+
+ it "does not create a new organisation relationship" do
+ expect { request }.not_to change(OrganisationRelationship, :count)
+ end
+ end
+
 context "when accessing the managing agents tab" do
 context "with an organisation that the user belongs to" do
 let!(:managing_agent) { FactoryBot.create(:organisation) }
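Review bot: The example name `"returns 401 from users page"` does not describe the request it makes, which is a POST to `/organisations/:id/stock-owners`; `it "returns 401"` or `it "is unauthorized"` would read correctly. `let(:request)` also shadows the integration-session `request` helper available in request specs — harmless here because only `response` is read, but a name such as `let(:add_stock_owner)` avoids the surprise. The role of the requesting user comes from `headers`, which is set up outside the hunk, so which role is being rejected cannot be confirmed from here; unless one exists elsewhere in the file, a matching positive example for the role the policy allows would pin both sides of the new policy.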