diff --git a/app/controllers/PanDomainAuthActions.scala b/app/controllers/PanDomainAuthActions.scala
index 59b762ed..2cee9dab 100644
--- a/app/controllers/PanDomainAuthActions.scala
+++ b/app/controllers/PanDomainAuthActions.scala
@@ -5,6 +5,8 @@ import com.gu.pandomainauth.action.AuthActions
 import com.gu.pandomainauth.model.AuthenticatedUser
 import play.api.Logging
 import services.Permissions
+import play.api.mvc.{RequestHeader, Result}
+import play.api.mvc.Results.Forbidden
 
 trait PanDomainAuthActions extends AuthActions with Logging {
 
@@ -22,10 +24,14 @@ trait PanDomainAuthActions extends AuthActions with Logging {
       logger.warn(s"User ${authedUser.user.email} does not have atom_workshop_access permission")
     }
 
-    isValid // TODO && canAccess
+    isValid && canAccess
+  }
+
+  override def showUnauthedMessage(message: String)(implicit request: RequestHeader): Result = {
+    Forbidden(views.html.authError(message))
   }
 
   override def authCallbackUrl: String
 
   def permissions: Permissions
-}
\ No newline at end of file
+}
diff --git a/app/views/authError.scala.html b/app/views/authError.scala.html
new file mode 100644
index 00000000..aa73791a
--- /dev/null
+++ b/app/views/authError.scala.html
@@ -0,0 +1,13 @@
+@(message: String)
+<!DOCTYPE html>
+<html>
+  <head lang="en">
+    <meta charset="UTF-8">
+    <title>Atom Workshop - access denied</title>
+  </head>
+  <body>
+    <h1>Atom Workshop - access denied</h1>
+    <p>@message</p>
+    <p>If you require access to the Atom Workshop tool, please contact <a href="mailto:central.production@@theguardian.com">Central Production</a> for assistance</p>
+  </body>
+</html>