diff --git a/Gemfile b/Gemfile
index acf0d78..9a01326 100644
--- a/Gemfile
+++ b/Gemfile
@@ -3,6 +3,7 @@ ruby '2.2.3'
 
 gem 'rails', '4.2.5'
 gem 'bootstrap_form'
+gem 'cancancan'
 gem 'carrierwave', github: 'carrierwaveuploader/carrierwave'
 gem 'devise'
 gem 'http_logger'
diff --git a/Gemfile.lock b/Gemfile.lock
index 2f382e7..e10418d 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -60,6 +60,7 @@ GEM
     bootstrap_form (2.3.0)
     builder (3.2.2)
     byebug (8.2.1)
+    cancancan (1.13.1)
     capybara (2.5.0)
       mime-types (>= 1.16)
       nokogiri (>= 1.3.3)
@@ -267,6 +268,7 @@ DEPENDENCIES
   annotate
   bootstrap_form
   byebug
+  cancancan
   carrierwave!
   coveralls
   devise
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 1eeeef4..9c20a99 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -3,6 +3,10 @@ class ApplicationController < ActionController::Base
   # For APIs, you may want to use :null_session instead.
   protect_from_forgery with: :exception
 
+  rescue_from CanCan::AccessDenied do |exception|
+    redirect_to root_url, alert: exception.message
+  end
+
   def new_session_path(_scope)
     root_path
   end
diff --git a/app/controllers/submissions_controller.rb b/app/controllers/submissions_controller.rb
index 4ad15f1..a6285a1 100644
--- a/app/controllers/submissions_controller.rb
+++ b/app/controllers/submissions_controller.rb
@@ -1,5 +1,14 @@
 class SubmissionsController < ApplicationController
   before_action :authenticate_user!
+  load_and_authorize_resource
+
+  def index
+    if current_user.admin?
+      @submissions = Submission.all.order(created_at: :desc)
+    else
+      @submissions = current_user.submissions.order(created_at: :desc)
+    end
+  end
 
   def new
     @submission = Submission.new
@@ -12,12 +21,16 @@ def create
     if @submission.save
       process_submission(@submission)
       flash.notice = 'Your Submission is now in progress.'
-      redirect_to root_path
+      redirect_to submissions_path
     else
       render 'new'
     end
   end
 
+  def package
+    send_file(Submission.find_by_id(params[:id]).sword_path)
+  end
+
   private
 
   def process_submission(submission)
diff --git a/app/models/ability.rb b/app/models/ability.rb
new file mode 100644
index 0000000..45519fe
--- /dev/null
+++ b/app/models/ability.rb
@@ -0,0 +1,10 @@
+class Ability
+  include CanCan::Ability
+
+  def initialize(user)
+    can :manage, Submission if user.admin?
+    can [:create, :read], Submission, user: user
+    # See the wiki for details:
+    # https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities
+  end
+end
diff --git a/app/models/user.rb b/app/models/user.rb
index fdc0b96..364cdc6 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -7,6 +7,7 @@
 #  uid        :string           not null
 #  created_at :datetime         not null
 #  updated_at :datetime         not null
+#  admin      :boolean
 #
 
 class User < ActiveRecord::Base
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index 668c596..6950e4d 100644
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -34,6 +34,7 @@
           <ul class="nav navbar-nav">
             <li><%= link_to "New Submission", new_submission_path %></li>
             <% if user_signed_in? %>
+              <li><%= link_to "Submissions", submissions_path %></li>
               <li><%= link_to("Sign out", destroy_user_session_path, method: :delete, id: "sign_in") %></li>
             <% else %>
               <li><%= link_to("Sign in", user_omniauth_authorize_path(:mit_oauth2), id: "sign_in") %></li>
diff --git a/app/views/submissions/index.html.erb b/app/views/submissions/index.html.erb
new file mode 100644
index 0000000..76695e7
--- /dev/null
+++ b/app/views/submissions/index.html.erb
@@ -0,0 +1,18 @@
+<h1>MIT DSpace Quick Submit Submissions</h1>
+
+<% if @submissions %>
+  <ul>
+  <% @submissions.each do |sub| %>
+    <li>
+      <strong><%= sub.title %></strong>
+      submitted: <%= time_ago_in_words(sub.created_at) %> ago
+      <br />
+      <% if current_user.admin? %>
+        <%= link_to('Sword Package', submission_package_path(sub)) %>
+      <% end %>
+    </li>
+  <% end %>
+  </ul>
+<% else %>
+  <p>You have no submissions in progress.</p>
+<% end %>
diff --git a/config/routes.rb b/config/routes.rb
index 1d64e32..7b57fd2 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -1,5 +1,6 @@
 Rails.application.routes.draw do
-  resources :submissions, only: [:new, :create]
+  resources :submissions, only: [:new, :create, :index]
+  get 'submissions/package/:id', to: 'submissions#package', as: :submission_package
 
   devise_for :users, :controllers => {
     :omniauth_callbacks => 'users/omniauth_callbacks'
diff --git a/db/migrate/20151208173727_add_admin_to_user.rb b/db/migrate/20151208173727_add_admin_to_user.rb
new file mode 100644
index 0000000..19b2233
--- /dev/null
+++ b/db/migrate/20151208173727_add_admin_to_user.rb
@@ -0,0 +1,5 @@
+class AddAdminToUser < ActiveRecord::Migration
+  def change
+    add_column :users, :admin, :boolean, default: false
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index a2eba12..233cd7e 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20151130204610) do
+ActiveRecord::Schema.define(version: 20151208173727) do
 
   create_table "submissions", force: :cascade do |t|
     t.integer  "user_id"
@@ -30,10 +30,11 @@
   add_index "submissions", ["user_id"], name: "index_submissions_on_user_id"
 
   create_table "users", force: :cascade do |t|
-    t.string   "email",      null: false
-    t.string   "uid",        null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.string   "email",                      null: false
+    t.string   "uid",                        null: false
+    t.datetime "created_at",                 null: false
+    t.datetime "updated_at",                 null: false
+    t.boolean  "admin",      default: false
   end
 
   add_index "users", ["uid"], name: "index_users_on_uid", unique: true
diff --git a/test/controllers/submissions_controller_test.rb b/test/controllers/submissions_controller_test.rb
index 52e7dd7..65ef57b 100644
--- a/test/controllers/submissions_controller_test.rb
+++ b/test/controllers/submissions_controller_test.rb
@@ -22,4 +22,52 @@ class SubmissionsControllerTest < ActionController::TestCase
     post :create, submission: { 'title': '' }
     assert_response :success
   end
+
+  test 'unauthenticated user redirects to login accessing index' do
+    get :index
+    assert_response :redirect
+  end
+
+  test 'authenticated user can access index' do
+    sign_in users(:one)
+    get :index
+    assert_not_nil assigns(:submissions)
+    assert_response :success
+  end
+
+  test 'non-admin users only see their own submissions' do
+    sign_in users(:one)
+    get :index
+    assert_equal(false, assigns(:submissions).include?(submissions(:sub_two)))
+    assert_equal(true, assigns(:submissions).include?(submissions(:sub_one)))
+    assert_response :success
+  end
+
+  test 'admin users see all submissions' do
+    sign_in users(:admin)
+    get :index
+    assert_equal(true, assigns(:submissions).include?(submissions(:sub_two)))
+    assert_equal(true, assigns(:submissions).include?(submissions(:sub_one)))
+    assert_response :success
+  end
+
+  test 'non-authenticated users cannot download package' do
+    get :package, id: submissions(:sub_one)
+    assert_response :redirect
+  end
+
+  test 'non-admin user cannot download package' do
+    sign_in users(:one)
+    get :package, id: submissions(:sub_one)
+    assert_response :redirect
+  end
+
+  test 'admin users can download package' do
+    sub = submissions(:sub_one)
+    File.write(sub.sword_path, 'Fakey fake fake')
+    sign_in users(:admin)
+    get :package, id: sub
+    assert_response :success
+    FileUtils.rm_f(sub.sword_path)
+  end
 end
diff --git a/test/features/submission_test.rb b/test/features/submission_create_pages_test.rb
similarity index 81%
rename from test/features/submission_test.rb
rename to test/features/submission_create_pages_test.rb
index 4c20dd2..11feffe 100644
--- a/test/features/submission_test.rb
+++ b/test/features/submission_create_pages_test.rb
@@ -1,31 +1,27 @@
 require 'test_helper'
 
-class SubmissionPagesTest < Capybara::Rails::TestCase
+class SubmissionCreatePagesTest < Capybara::Rails::TestCase
   def setup
+    auth_setup
     FileUtils.rm_f('tmp/69b9156a124c96bbdb55cad753810e14.zip')
     FileUtils.rm_f('tmp/40550618d6b4d97792b0773c97207186.zip')
-    Rails.application.env_config['devise.mapping'] = Devise.mappings[:user]
-    Rails.application.env_config['omniauth.auth'] =
-      OmniAuth.config.mock_auth[:mit_oauth2]
-    OmniAuth.config.test_mode = true
   end
 
   def teardown
-    OmniAuth.config.test_mode = false
-    OmniAuth.config.mock_auth[:mit_oauth2] = nil
+    auth_teardown
     @sub.documents.map(&:remove!) if @sub
   end
 
-  def mock_auth
+  def mock_auth(user)
     OmniAuth.config.mock_auth[:mit_oauth2] =
       OmniAuth::AuthHash.new(provider: 'mit_oauth2',
-                             uid: '123545',
-                             info: { email: 'bob@asdf.com' })
+                             uid: user.uid,
+                             info: { email: user.email })
     visit '/users/auth/mit_oauth2/callback'
   end
 
   def base_valid_form
-    mock_auth
+    mock_auth(users(:one))
     visit new_submission_path
     fill_in('Journal', with: 'Super Mega Journal')
     fill_in('Title', with: 'Alphabetical Order is Good Enough')
@@ -71,10 +67,9 @@ def base_valid_form
     click_on('Create Submission')
     assert_equal(Submission.count, (subs + 1))
     @sub = Submission.last
-    assert_equal('bob@asdf.com', @sub.user.email)
-    # Temporarily rendering mets for demo purposes. We'll get back to this.
-    # assert_equal(root_path, current_path)
-    # assert_text('Your Submission is now in progress')
+    assert_equal('abc123@example.com', @sub.user.email)
+    assert_equal(submissions_path, current_path)
+    assert_text('Your Submission is now in progress')
   end
 
   test 'multiple pdfs can be attached' do
diff --git a/test/features/submission_index_pages_test.rb b/test/features/submission_index_pages_test.rb
new file mode 100644
index 0000000..ee85c68
--- /dev/null
+++ b/test/features/submission_index_pages_test.rb
@@ -0,0 +1,49 @@
+require 'test_helper'
+
+class SubmissionIndexPagesTest < Capybara::Rails::TestCase
+  def setup
+    auth_setup
+    FileUtils.rm_f('tmp/69b9156a124c96bbdb55cad753810e14.zip')
+    FileUtils.rm_f('tmp/40550618d6b4d97792b0773c97207186.zip')
+  end
+
+  def teardown
+    auth_teardown
+    @sub.documents.map(&:remove!) if @sub
+  end
+
+  test 'index requires signin' do
+    visit submissions_path
+    assert_equal(root_path, current_path)
+    assert_text('Sign in')
+    assert_text('You need to sign in or sign up before continuing.')
+  end
+
+  test 'index shows own submissions' do
+    mock_auth(users(:one))
+    visit submissions_path
+    assert_text('Popcorn is a fruit.')
+    refute_text('Simple Secret Substitution Songs')
+  end
+
+  test 'admin index shows all submissions' do
+    user = users(:admin)
+    mock_auth(user)
+    visit submissions_path
+    assert_text('Popcorn is a fruit.')
+    assert_text('Simple Secret Substitution Songs')
+  end
+
+  test 'non admin users do not see sword download link' do
+    mock_auth(users(:one))
+    visit submissions_path
+    refute_link('Sword Package')
+  end
+
+  test 'admin users see sword download link' do
+    user = users(:admin)
+    mock_auth(user)
+    visit submissions_path
+    assert_link('Sword Package')
+  end
+end
diff --git a/test/fixtures/users.yml b/test/fixtures/users.yml
index efd1f5d..fc7661a 100644
--- a/test/fixtures/users.yml
+++ b/test/fixtures/users.yml
@@ -7,12 +7,18 @@
 #  uid        :string           not null
 #  created_at :datetime         not null
 #  updated_at :datetime         not null
+#  admin      :boolean
 #
 
 one:
-  uid: 'abc123'
-  email: 'abc123@example.com'
+  uid:   abc123
+  email: abc123@example.com
 
 two:
-  uid: 'def456'
-  email: 'def456@example.com'
+  uid:   def456
+  email: def456@example.com
+
+admin:
+  uid:   xyz789
+  email: xyz789@example.com
+  admin: true
diff --git a/test/models/user_test.rb b/test/models/user_test.rb
index 4bf4017..5cb6947 100644
--- a/test/models/user_test.rb
+++ b/test/models/user_test.rb
@@ -7,6 +7,7 @@
 #  uid        :string           not null
 #  created_at :datetime         not null
 #  updated_at :datetime         not null
+#  admin      :boolean
 #
 
 require 'test_helper'
diff --git a/test/test_helper.rb b/test/test_helper.rb
index dc2f2d6..d23bb8b 100644
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -17,7 +17,26 @@ class TestCase
     # Setup all fixtures in test/fixtures/*.yml for all tests in alpha order.
     fixtures :all
 
-    # Add more helper methods to be used by all tests here...
+    def mock_auth(user)
+      OmniAuth.config.mock_auth[:mit_oauth2] =
+        OmniAuth::AuthHash.new(provider: 'mit_oauth2',
+                               uid: user.uid,
+                               info: { email: user.email })
+      visit '/users/auth/mit_oauth2/callback'
+    end
+
+    def auth_setup
+      Rails.application.env_config['devise.mapping'] = Devise.mappings[:user]
+      Rails.application.env_config['omniauth.auth'] =
+        OmniAuth.config.mock_auth[:mit_oauth2]
+      OmniAuth.config.test_mode = true
+    end
+
+    def auth_teardown
+      OmniAuth.config.test_mode = false
+      OmniAuth.config.mock_auth[:mit_oauth2] = nil
+      reset_session!
+    end
   end
 end