diff --git a/awx/api/views.py b/awx/api/views.py
index 1edeb4eb39..0fd632aa5a 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -1208,7 +1208,12 @@ class UserRolesList(SubListCreateAttachDetachAPIView):
 return Response(data, status=status.HTTP_400_BAD_REQUEST)
 if sub_id == self.request.user.admin_role.pk:
- raise PermissionDenied('You may not remove your own admin_role.')
+ raise PermissionDenied('You may not perform any action with your own admin_role.')
+
+ role = get_object_or_404(Role, pk=sub_id)
+ user_content_type = ContentType.objects.get_for_model(User)
+ if role.content_type == user_content_type:
+ raise PermissionDenied('You may not change the membership of a users admin_role')
 return super(UserRolesList, self).post(request, *args, **kwargs)
diff --git a/awx/main/tests/functional/api/test_user.py b/awx/main/tests/functional/api/test_user.py
index d739d417c0..4ebd46f225 100644
--- a/awx/main/tests/functional/api/test_user.py
+++ b/awx/main/tests/functional/api/test_user.py
@@ -66,3 +66,13 @@ def test_create_delete_create_user(post, delete, admin):
 }, admin)
 print(response.data)
 assert response.status_code == 201
+
+@pytest.mark.django_db
+def test_add_user_admin_role_member(post, user):
+ admin = user('admin', is_superuser=True)
+ normal = user('normal')
+
+ url = reverse('api:user_roles_list', args=(admin.pk,))
+ response = post(url, {'id':normal.admin_role.pk}, admin)
+ assert response.status_code == 403
+ assert 'not change membership' in response.rendered_content
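Review bot: The new guard `if role.content_type == user_content_type:` in UserRolesList.post rejects every Role whose content_type is User, while the PermissionDenied message on the following line names admin_role specifically; if other User-scoped roles exist this is a deliberately wider, fail-closed restriction, and that intent deserves a comment above the check, e.g. `# Refuse to attach/detach any User-scoped role here; a user's admin_role is presumably the only one, and its membership is not something this endpoint should alter for other accounts.` The message text also reads `'a users admin_role'` and should be `'a user\'s admin_role'` (the companion test matches on a different substring, so this does not affect it). The body of post starts above the hunk, where sub_id is assigned and the 400 branch lives, so whether a non-integer sub_id can reach get_object_or_404 cannot be confirmed from here.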
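Review bot: The substring asserted on the last added line, `'not change membership'`, does not occur in the message raised by the views.py hunk (`'You may not change the membership of a users admin_role'`), so test_add_user_admin_role_member fails even when the 403 is returned correctly; it should be `assert 'not change the membership' in response.rendered_content`. If this suite ever runs under Python 3, rendered_content is bytes and a str containment test raises TypeError, so asserting against the detail string in response.data is more robust. The test covers only a superuser attaching another user's admin_role to themselves; a second case where sub_id is the requester's own admin_role would pin the first PermissionDenied branch and its reworded message as well.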