diff --git a/awx/main/access.py b/awx/main/access.py
index b0a15b2751..c6285beb5a 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1066,7 +1066,7 @@ class JobTemplateAccess(BaseAccess):
                 required_obj = getattr(obj, required_field, None)
                 if required_field not in data_for_change and required_obj is not None:
                     data_for_change[required_field] = required_obj.pk
-        return self.can_read(obj) and self.can_add(data_for_change)
+        return self.can_read(obj) and (self.can_add(data_for_change) if data is not None else True)
 
     def changes_are_non_sensitive(self, obj, data):
         '''
diff --git a/awx/main/tests/functional/test_rbac_job_templates.py b/awx/main/tests/functional/test_rbac_job_templates.py
index c8cc2b8502..8905eb21a0 100644
--- a/awx/main/tests/functional/test_rbac_job_templates.py
+++ b/awx/main/tests/functional/test_rbac_job_templates.py
@@ -240,3 +240,10 @@ def test_job_template_creator_access(project, rando, post):
     jt_obj = JobTemplate.objects.get(pk=jt_pk)
     # Creating a JT should place the creator in the admin role
     assert rando in jt_obj.admin_role
+
+@pytest.mark.django_db
+def test_associate_label(label, user, job_template):
+    access = JobTemplateAccess(user('joe', False))
+    job_template.admin_role.members.add(user('joe', False))
+    label.organization.read_role.members.add(user('joe', False))
+    assert access.can_attach(job_template, label, 'labels', None)
diff --git a/awx/main/tests/functional/test_rbac_label.py b/awx/main/tests/functional/test_rbac_label.py
index e425d50908..98daa5cdec 100644
--- a/awx/main/tests/functional/test_rbac_label.py
+++ b/awx/main/tests/functional/test_rbac_label.py
@@ -61,4 +61,3 @@ def test_label_access_user(label, user):
 
     assert access.can_read(label)
     assert access.can_add({'organization': label.organization.id})
-