diff --git a/app/controllers/schemes_controller.rb b/app/controllers/schemes_controller.rb
index 971b4bc04..d7599e130 100644
--- a/app/controllers/schemes_controller.rb
+++ b/app/controllers/schemes_controller.rb
@@ -140,7 +140,7 @@ private
   def authenticate_scope!
     head :unauthorized and return unless current_user.data_coordinator? || current_user.support?
 
-    if %w[show locations].include?(action_name) && !((current_user.organisation == @scheme.organisation) || current_user.support?)
+    if %w[show locations primary_client_group confirm_secondary_client_group secondary_client_group support details check_answers].include?(action_name) && !((current_user.organisation == @scheme.organisation) || current_user.support?)
       render_not_found and return
     end
   end
diff --git a/spec/requests/schemes_controller_spec.rb b/spec/requests/schemes_controller_spec.rb
index 392fcb3df..321b3ed1e 100644
--- a/spec/requests/schemes_controller_spec.rb
+++ b/spec/requests/schemes_controller_spec.rb
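Review bot: The organisation check on the added line is still allow-listed by action name, so any scheme-scoped action that is not in the `%w[...]` list (I cannot tell from this hunk whether there are others, e.g. edit/update-style actions) is reachable by a data coordinator of any organisation, and every new action has to remember to be added to the list. Since the check already reads `@scheme`, a deny-by-default form that keys off the loaded record is harder to forget, e.g. `if @scheme && !(current_user.organisation == @scheme.organisation || current_user.support?)`, assuming `@scheme` is only set by a before_action for scheme-scoped actions (please confirm). If the action list has to stay, move it to a frozen constant such as `SCHEME_SCOPED_ACTIONS = %w[...].freeze` with a comment stating that every action that loads a scheme must appear in it. The method body is fully inside the hunk; the `private` section it belongs to starts outside it.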
@@ -1003,4 +1003,70 @@ RSpec.describe SchemesController, type: :request do end end end + + describe "#primary_client_group" do + context "when not signed in" do + it "redirects to the sign in page" do + get "/schemes/#{1}/primary-client-group" + expect(response).to redirect_to("/account/sign-in") + end + end + + context "when signed in as a data provider" do + let(:user) { FactoryBot.create(:user) } + + before do + sign_in user + get "/schemes/#{1}/primary-client-group" + end + + it "returns 401 unauthorized" do + request + expect(response).to have_http_status(:unauthorized) + end + end + + context "when signed in as a data coordinator" do + let(:user) { FactoryBot.create(:user, :data_coordinator) } + let!(:scheme) { FactoryBot.create(:scheme, organisation: user.organisation) } + let!(:another_scheme) { FactoryBot.create(:scheme) } + + before do + sign_in user + get "/schemes/#{scheme.id}/primary-client-group" + end + + it "returns a template for a primary-client-group" do + expect(response).to have_http_status(:ok) + expect(page).to have_content("What client group is this scheme intended for?") + end + + context "when attempting to access primary-client-group scheme page for another organisation" do + before do + get "/schemes/#{another_scheme.id}/primary-client-group" + end + + it "returns 404 not_found" do + request + expect(response).to have_http_status(:not_found) + end + end + end + + context "when signed in as a support user" do + let(:user) { FactoryBot.create(:user, :support) } + let!(:scheme) { FactoryBot.create(:scheme, organisation: user.organisation) } + + before do + allow(user).to receive(:need_two_factor_authentication?).and_return(false) + sign_in user + get "/schemes/#{scheme.id}/primary-client-group" + end + + it "returns a template for a primary-client-group" do + expect(response).to have_http_status(:ok) + expect(page).to have_content("What client group is this scheme intended for?") + end + end + end end
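Review bot: The controller change adds six actions to the organisation check, but this spec only covers `primary_client_group`; the cross-organisation 404 case should be exercised for at least `confirm_secondary_client_group`, `secondary_client_group`, `support`, `details` and `check_answers` too, otherwise a regression in the list for those actions goes unnoticed. The bare `request` statement inside the two `it "returns 401 unauthorized"`/`"returns 404 not_found"` blocks is a no-op (it returns the request object; the `get` already ran in `before`) and should be removed. `"/schemes/#{1}/primary-client-group"` interpolates a literal and reads as a leftover; `"/schemes/1/primary-client-group"` says the same thing. The enclosing `RSpec.describe` block starts outside the hunk.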