diff --git a/awx/main/access.py b/awx/main/access.py
index c053058f04..768545ce05 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -611,7 +611,8 @@ class OAuth2ApplicationAccess(BaseAccess):
 select_related = ('user',)
 
 def filtered_queryset(self):
- return self.model.objects.filter(organization__in=self.user.organizations)
+ org_access_qs = Organization.accessible_objects(self.user, 'member_role')
+ return self.model.objects.filter(organization__in=org_access_qs)
 
 def can_change(self, obj, data):
 return self.user.is_superuser or self.check_related('organization', Organization, data, obj=obj,
diff --git a/awx/main/tests/functional/test_rbac_oauth.py b/awx/main/tests/functional/test_rbac_oauth.py
index 5a53cf9108..eb6ba6b63d 100644
--- a/awx/main/tests/functional/test_rbac_oauth.py
+++ b/awx/main/tests/functional/test_rbac_oauth.py
@@ -34,8 +34,17 @@ class TestOAuth2Application:
 client_type='confidential', authorization_grant_type='password', organization=organization
 )
 assert access.can_read(app) is can_access
-
-
+
+ def test_admin_only_can_read(self, user, organization):
+ user = user('org-admin', False)
+ organization.admin_role.members.add(user)
+ access = OAuth2ApplicationAccess(user)
+ app = Application.objects.create(
+ name='test app for {}'.format(user.username), user=user,
+ client_type='confidential', authorization_grant_type='password', organization=organization
+ )
+ assert access.can_read(app) is True
+
 def test_app_activity_stream(self, org_admin, alice, organization):
 app = Application.objects.create(
 name='test app for {}'.format(org_admin.username), user=org_admin,
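Review bot: filtered_queryset now makes an organization's OAuth2 applications visible to every user holding member_role on it, but nothing in the hunk records why the RBAC role graph replaced the direct `self.user.organizations` relation, and the accompanying test is named as if admin-only reads were the goal. If any organization member is meant to list the organization's applications, a comment such as `# Scope by the RBAC role graph so role-implied membership counts, not only direct org membership` would document the chosen bar; if reads are meant to be admin-only, `'admin_role'` is the tighter filter. Whether admin_role implies member_role is not visible here, so the test's expectation rests on the role hierarchy defined elsewhere. The superuser case is handled explicitly in can_change but not in this queryset; presumably BaseAccess covers it, which is worth confirming. OAuth2ApplicationAccess continues outside the hunk.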
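Review bot: test_admin_only_can_read asserts only the positive case, so the "only" in its name is not verified: nothing shows that a user without admin_role on the organization is denied, and whether the parametrized test above already covers that is not visible in the hunk. Creating a second user that is added to no role and asserting `assert OAuth2ApplicationAccess(other).can_read(app) is False` would pin the intended boundary, or the test could be renamed to test_org_admin_can_read. Rebinding the `user` fixture with `user = user('org-admin', False)` shadows the fixture name; a distinct local such as `admin = user('org-admin', False)` reads more clearly. TestOAuth2Application continues outside the hunk.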