diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index e45614df7..dc8aaf28e 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -17,8 +17,9 @@ class UserPolicy
 ].each do |method_name|
 define_method method_name do
 return true if @current_user.support?
+ return true if @current_user.data_coordinator? && @user.active?
- @current_user.data_coordinator? && @user.active?
+ Rails.env.staging? && Rails.application.credentials[:staging_role_update_email_allowlist].include?(@current_user.email.split("@").last.downcase)
 end
 end
diff --git a/app/views/users/edit.html.erb b/app/views/users/edit.html.erb
index 4c610c22a..c524a9776 100644
--- a/app/views/users/edit.html.erb
+++ b/app/views/users/edit.html.erb
@@ -51,7 +51,7 @@
 <% end %>
 <% end %>
- <% if current_user.data_coordinator? || current_user.support? %>
+ <% if UserPolicy.new(current_user, @user).edit_roles? %>
 <% roles = current_user.assignable_roles.map { |key, _| OpenStruct.new(id: key, name: key.to_s.humanize) } %>
 <%= f.govuk_collection_radio_buttons :role,
diff --git a/spec/policies/user_policy_spec.rb b/spec/policies/user_policy_spec.rb
index 63f3317d8..f80422b7c 100644
--- a/spec/policies/user_policy_spec.rb
+++ b/spec/policies/user_policy_spec.rb
@@ -4,7 +4,7 @@ require "rails_helper"
 RSpec.describe UserPolicy do
 subject(:policy) { described_class }
- let(:data_provider) { FactoryBot.create(:user, :data_provider) }
+ let(:data_provider) { FactoryBot.create(:user, :data_provider, email: "provider@example.com") }
 let(:data_coordinator) { FactoryBot.create(:user, :data_coordinator) }
 let(:support) { FactoryBot.create(:user, :support) }
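Review bot: The new fallback line calls `.include?` straight on `Rails.application.credentials[:staging_role_update_email_allowlist]`, so on a staging deployment where that credential is absent the policy raises NoMethodError on nil instead of denying, and the comparison is one-sided: the user's domain is downcased but the allowlist entries are not, so a capitalised entry never matches. Wrapping the lookup in `Array(...)` and normalising both sides covers both cases: `Rails.env.staging? && Array(Rails.application.credentials[:staging_role_update_email_allowlist]).map(&:downcase).include?(@current_user.email.split("@").last.downcase)` (if `email` can be nil that call also raises, which is worth confirming against the model's validations). Because this branch is generated for every name in the list the `].each` loop iterates, a why-comment above the added line would help the next reader, e.g. `# Staging-only escape hatch: grant these permissions to users whose email domain is in the credentials allowlist.` The `define_method` block is fully inside the hunk, but the `].each` list and the class start above it.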
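Review bot: The line after the changed condition still builds the radio choices from `current_user.assignable_roles`, while the visibility check now comes from the policy, which on staging can be satisfied by a user who is neither a coordinator nor support; what `assignable_roles` returns for such a user is decided outside this hunk, so it is worth confirming the form does not render an empty or surprising role list in that case. Pundit already exposes the policy to views through its helper, so `<% if policy(@user).edit_roles? %>` would be the conventional spelling of the new condition rather than instantiating `UserPolicy` directly. The enclosing form block (`f`) starts above the hunk.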
@@ -63,6 +63,11 @@ RSpec.describe UserPolicy do
 expect(policy).not_to permit(data_provider, data_provider)
 end
+ it "as a provider it does not allow changing roles when user is in email allowlist" do
+ allow(Rails.application.credentials).to receive(:[]).with(:staging_role_update_email_allowlist).and_return(["example.com"])
+ expect(policy).not_to permit(data_provider, data_provider)
+ end
+
 it "as a coordinator allows changing other user's roles" do
 expect(policy).to permit(data_coordinator, data_provider)
 end
@@ -70,6 +75,26 @@ RSpec.describe UserPolicy do
 it "as a support user allows changing other user's roles" do
 expect(policy).to permit(support, data_provider)
 end
+
+ context "when on staging" do
+ context "and user is in the email allowlist" do
+ it "allows changing roles" do
+ allow(Rails.env).to receive(:staging?).and_return(true)
+ allow(Rails.application.credentials).to receive(:[]).with(:staging_role_update_email_allowlist).and_return(["example.com"])
+
+ expect(policy).to permit(data_provider, data_provider)
+ end
+ end
+
+ context "and user is not in the email allowlist" do
+ it "does not allow changing roles" do
+ allow(Rails.env).to receive(:staging?).and_return(true)
+ allow(Rails.application.credentials).to receive(:[]).with(:staging_role_update_email_allowlist).and_return(["something.com"])
+
+ expect(policy).not_to permit(data_provider, data_provider)
+ end
+ end
+ end
 end
 permissions :edit_dpo? do
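Review bot: The new example `it "as a provider it does not allow changing roles when user is in email allowlist"` relies on `Rails.env.staging?` being false in the test environment without saying so, and that is precisely the condition it exists to check; stubbing it explicitly with `allow(Rails.env).to receive(:staging?).and_return(false)` makes the negative case self-describing and keeps it meaningful if the suite is ever run under another env. The description also reads awkwardly beside the neighbouring examples (`"as a coordinator allows …"`); `it "as a provider does not allow changing roles when only the email allowlist matches"` would match their phrasing. The enclosing block, presumably a `permissions` block, starts above the hunk.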
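Review bot: Both staging examples repeat the same two `allow(...)` stubs and differ only in the allowlist value, so a `before` block on the `when on staging` context with the value pulled into a `let(:allowlist)` per sub-context removes the duplication and makes the single varying input obvious. Neither example covers the credential being unset, which with the policy's new `credentials[...].include?` line is a nil receiver rather than a denial; an example returning `nil` from the stub and expecting `not_to permit` would pin the intended behaviour and currently fails with NoMethodError, which is the point. The enclosing `permissions` block starts above the hunk.
```ruby
context "when on staging" do
  before do
    allow(Rails.env).to receive(:staging?).and_return(true)
    allow(Rails.application.credentials).to receive(:[]).with(:staging_role_update_email_allowlist).and_return(allowlist)
  end

  context "and user is in the email allowlist" do
    let(:allowlist) { ["example.com"] }

    it "allows changing roles" do
      expect(policy).to permit(data_provider, data_provider)
    end
  end

  context "and user is not in the email allowlist" do
    let(:allowlist) { ["something.com"] }

    it "does not allow changing roles" do
      expect(policy).not_to permit(data_provider, data_provider)
    end
  end

  context "and the allowlist credential is not set" do
    let(:allowlist) { nil }

    it "does not allow changing roles" do
      expect(policy).not_to permit(data_provider, data_provider)
    end
  end
end
```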