diff --git a/ckan/logic/validators.py b/ckan/logic/validators.py
index 35c3df2bc1f..95dc534d8ba 100644
--- a/ckan/logic/validators.py
+++ b/ckan/logic/validators.py
@@ -19,6 +19,8 @@ def owner_org_validator(key, data, errors, context):
     value = data.get(key)
 
     if value is missing or value is None:
+        if not ckan.new_authz.check_config_permission('create_unowned_dataset'):
+            raise Invalid('A group must be supplied')
         data.pop(key, None)
         raise StopOnError
 
diff --git a/ckan/new_authz.py b/ckan/new_authz.py
index ad50393f59c..f7f911a8f1e 100644
--- a/ckan/new_authz.py
+++ b/ckan/new_authz.py
@@ -230,6 +230,7 @@ def _get_auth_function(action, profile=None):
     # these are prefixed with ckan.auth. in config to override
     'anon_create_dataset': False,
     'create_dataset_if_not_in_organization': True,
+    'create_unowned_dataset': True,
     'user_create_groups': True,
     'user_create_organizations': True,
     'create_user_via_api': False,
diff --git a/ckan/tests/logic/test_auth.py b/ckan/tests/logic/test_auth.py
index 911cd59ab06..8ad8d605fd5 100644
--- a/ckan/tests/logic/test_auth.py
+++ b/ckan/tests/logic/test_auth.py
@@ -11,6 +11,7 @@
     'user_create_groups': False,
     'user_create_organizations': False,
     'create_user_via_api': False,
+    'create_unowned_dataset': False,
 }
 
 new_authz.CONFIG_PERMISSIONS.update(INITIAL_TEST_CONFIG_PERMISSIONS)