diff --git a/awx/main/access.py b/awx/main/access.py
index 956a1e7802..dc2d7f7a84 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -991,7 +991,7 @@ class CredentialAccess(BaseAccess):
     def can_change(self, obj, data):
         if not obj:
             return False
-        return self.user in obj.admin_role and self.check_related('organization', Organization, data, obj=obj)
+        return self.user in obj.admin_role and self.check_related('organization', Organization, data, obj=obj, role_field='credential_admin_role')
 
     def can_delete(self, obj):
         # Unassociated credentials may be marked deleted by anyone, though we
diff --git a/awx/main/models/credential/__init__.py b/awx/main/models/credential/__init__.py
index 86c3930299..0bba35b2ab 100644
--- a/awx/main/models/credential/__init__.py
+++ b/awx/main/models/credential/__init__.py
@@ -262,7 +262,7 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
     admin_role = ImplicitRoleField(
         parent_role=[
             'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
-            'organization.admin_role',
+            'organization.credential_admin_role',
         ],
     )
     use_role = ImplicitRoleField(
diff --git a/awx/main/models/organization.py b/awx/main/models/organization.py
index c82d911ecb..830b697c8a 100644
--- a/awx/main/models/organization.py
+++ b/awx/main/models/organization.py
@@ -49,6 +49,9 @@ class Organization(CommonModel, NotificationFieldsModel, ResourceMixin, CustomVi
     inventory_admin_role = ImplicitRoleField(
         parent_role='admin_role',
     )
+    credential_admin_role = ImplicitRoleField(
+        parent_role='admin_role',
+    )
     auditor_role = ImplicitRoleField(
         parent_role='singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
     )
diff --git a/awx/main/models/rbac.py b/awx/main/models/rbac.py
index 2ba1bef300..3267b0206d 100644
--- a/awx/main/models/rbac.py
+++ b/awx/main/models/rbac.py
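Review bot: The `role_field='credential_admin_role'` added to the `check_related` call in `can_change` lowers the bar for re-parenting a credential from organization admin to organization credential admin, and nothing in the hunk records that intent; a why-comment above the return, e.g. `# Moving a credential into an organization needs credential-admin (not full admin) on the target org`, would keep the next reader from "fixing" it back. If `can_add` in CredentialAccess still calls `check_related('organization', ...)` without `role_field`, creating a credential in an organization and moving an existing one into it would be gated by different roles; `can_add` is outside this hunk so I could not confirm. Whether `check_related` also verifies the role on the credential's current organization when `data` changes it is likewise not visible here. CredentialAccess starts before the hunk and `can_delete` continues past it.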
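Review bot: Re-pointing `Credential.admin_role`'s parent from `organization.admin_role` to `organization.credential_admin_role` changes the persisted role hierarchy, and together with the new `credential_admin_role` field added on Organization in the next hunk it needs a schema migration plus a rebuild of ancestor rows for existing credentials; no migration appears in this excerpt, so if it lives elsewhere in the change a pointer in the commit message would help. Because `credential_admin_role` is declared with `parent_role='admin_role'`, organization admins keep their implicit admin on credentials, so the new parent is not a privilege reduction for them, only an added grant path; stating that in a short comment on the `parent_role` list, e.g. `# org credential admins (and, via its parent, org admins) administer org credentials`, would make the grant chain explicit. The Credential class starts and ends outside the hunk.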
@@ -39,6 +39,7 @@ role_names = {
     'admin_role' : _('Admin'),
     'project_admin_role' : _('Project Admin'),
     'inventory_admin_role' : _('Inventory Admin'),
+    'credential_admin_role': _('Credential Admin'),
     'auditor_role' : _('Auditor'),
     'execute_role' : _('Execute'),
     'member_role' : _('Member'),
@@ -54,6 +55,7 @@ role_descriptions = {
     'admin_role' : _('Can manage all aspects of the %s'),
     'project_admin_role' : _('Can manage all projects of the %s'),
     'inventory_admin_role' : _('Can manage all inventories of the %s'),
+    'credential_admin_role': _('Can manage all credentials of the %s'),
     'auditor_role' : _('Can view all settings for the %s'),
     'execute_role' : _('May run the %s'),
     'member_role' : _('User is a member of the %s'),
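Review bot: The new `'credential_admin_role'` entries in both `role_names` and `role_descriptions` drop the space before the colon that every neighbouring key keeps (`'inventory_admin_role' : ...`), presumably because the new key is one character longer than the existing alignment column. Either widen the column for the whole dictionary or write the two new lines as `'credential_admin_role' : _('Credential Admin'),` and `'credential_admin_role' : _('Can manage all credentials of the %s'),` so the tables stay uniform. The description string follows the wording of the sibling `*_admin_role` entries, which is the right pattern; both dictionaries extend past the hunk.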