diff --git a/app/models/user.rb b/app/models/user.rb
index e512800a573c48b2207efaa2c52c498e19df0ec4..b6d49daada82206e865259d65dde5ab9af1bbf4e 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -124,6 +124,7 @@ class User < ActiveRecord::Base
   validate :owns_notification_email, if: ->(user) { user.notification_email_changed? }
   validate :owns_public_email, if: ->(user) { user.public_email_changed? }
   validate :cannot_be_admin_and_auditor
+  validate :auditor_requires_license_add_on
   validates :avatar, file_size: { maximum: 200.kilobytes.to_i }
 
   before_validation :generate_password, on: :create
@@ -460,6 +461,12 @@ class User < ActiveRecord::Base
     end
   end
 
+  def auditor_requires_license_add_on
+    unless ::License.current && ::License.current.add_on?('GitLab_Auditor_User')
+      errors.add(:auditor, 'user cannot be created without the "GitLab_Auditor_User" addon')
+    end
+  end
+
   # Returns the groups a user has access to
   def authorized_groups
     union = Gitlab::SQL::Union.
@@ -538,6 +545,12 @@ class User < ActiveRecord::Base
     admin
   end
 
+  def auditor?
+    @license_allows_auditors ||= (::License.current && ::License.current.add_on?('GitLab_Auditor_User'))
+
+    @license_allows_auditors && self.auditor
+  end
+
   def admin_or_auditor?
     admin? || auditor?
   end
diff --git a/spec/factories/licenses.rb b/spec/factories/licenses.rb
index bfc483943778b5a609e6e8e557c0a9d4298abbfb..4faff875637fcf2dc09aeda574a2a9f7936b898b 100644
--- a/spec/factories/licenses.rb
+++ b/spec/factories/licenses.rb
@@ -6,7 +6,12 @@ FactoryGirl.define do
       { "Name" => FFaker::Name.name }
     end
     restrictions do
-      { add_ons: { 'GitLab_FileLocks' => 1 } }
+      {
+        add_ons: {
+          'GitLab_FileLocks' => 1,
+          'GitLab_Auditor_User' => 1
+        }
+      }
     end
     notify_users_at   { |l| l.expires_at }
     notify_admins_at  { |l| l.expires_at }
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 97a5fafac876c085592ae2bdf5d12db741317c10..a1c042611091c4c2a1c6d427ad39e8e3c04c4d4a 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -1492,4 +1492,52 @@ describe User, models: true do
       expect(user.project_authorizations.where(access_level: Gitlab::Access::REPORTER).exists?).to eq(true)
     end
   end
+
+  describe 'the GitLab_Auditor_User add-on' do
+    context 'creating an auditor user' do
+      it "does not allow creating an auditor user if the addon isn't enabled" do
+        allow_any_instance_of(License).to receive(:add_ons).and_return({})
+
+        expect(build(:user, :auditor)).to be_invalid
+      end
+
+      it "does not allow creating an auditor user if no license is present" do
+        allow(License).to receive(:current).and_return nil
+
+        expect(build(:user, :auditor)).to be_invalid
+      end
+
+      it "allows creating an auditor user if the addon is enabled" do
+        allow_any_instance_of(License).to receive(:add_ons).and_return({ 'GitLab_Auditor_User' => 1 })
+
+        expect(build(:user, :auditor)).to be_valid
+      end
+    end
+
+    context '#auditor?' do
+      it "returns true for an auditor user if the addon is enabled" do
+        allow_any_instance_of(License).to receive(:add_ons).and_return({ 'GitLab_Auditor_User' => 1 })
+
+        expect(build(:user, :auditor)).to be_auditor
+      end
+
+      it "returns false for an auditor user if the addon is not enabled" do
+        allow_any_instance_of(License).to receive(:add_ons).and_return({})
+
+        expect(build(:user, :auditor)).not_to be_auditor
+      end
+
+      it "returns false for an auditor user if a license is not present" do
+        allow(License).to receive(:current).and_return nil
+
+        expect(build(:user, :auditor)).not_to be_auditor
+      end
+
+      it "returns false for a non-auditor user even if the addon is present" do
+        allow_any_instance_of(License).to receive(:add_ons).and_return({ 'GitLab_Auditor_User' => 1 })
+
+        expect(build(:user)).not_to be_auditor
+      end
+    end
+  end
 end