diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index bc470a4788..13ed74dbd9 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -746,7 +746,6 @@ class PermissionSerializer(BaseSerializer):
             res['inventory'] = reverse('api:inventory_detail', args=(obj.inventory.pk,))
         return res
 
-
     def validate(self, attrs):
         # Can only set either user or team.
         if attrs['user'] and attrs['team']:
diff --git a/awx/main/access.py b/awx/main/access.py
index ca69acc389..7f0f1501b5 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -521,12 +521,12 @@ class CredentialAccess(BaseAccess):
     def can_add(self, data):
         if self.user.is_superuser:
             return True
-        if 'user' in data:
-            user_pk = get_pk_from_dict(data, 'user')
+        user_pk = get_pk_from_dict(data, 'user')
+        if user_pk:
             user_obj = get_object_or_400(User, pk=user_pk)
             return self.user.can_access(User, 'change', user_obj, None)
-        if 'team' in data:
-            team_pk = get_pk_from_dict(data, 'team')
+        team_pk = get_pk_from_dict(data, 'team')
+        if team_pk:
             team_obj = get_object_or_400(Team, pk=team_pk)
             return self.user.can_access(Team, 'change', team_obj, None)
         return False
@@ -534,6 +534,8 @@ class CredentialAccess(BaseAccess):
     def can_change(self, obj, data):
         if self.user.is_superuser:
             return True
+        if not self.can_add(data):
+            return False
         if self.user == obj.created_by:
             return True
         if obj.user:
diff --git a/awx/main/tests/projects.py b/awx/main/tests/projects.py
index 44c97859ae..db7ad30a8c 100644
--- a/awx/main/tests/projects.py
+++ b/awx/main/tests/projects.py
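Review bot: The new `if not self.can_add(data): return False` gate in can_change denies every non-superuser edit whose payload carries neither a `user` nor a `team`, because can_add falls through to its final `return False` when both pks are falsy; a partial update that only changes, say, the password would be rejected, and a caller passing `data=None` would hand None to get_pk_from_dict, which presumably does not expect it. The ownership check is only needed when the request actually reassigns the credential, so gate it on an owner being present: `if data and (get_pk_from_dict(data, 'user') or get_pk_from_dict(data, 'team')) and not self.can_add(data): return False`. Note also that can_add consults `team` only when `user` is absent or empty, so a payload naming both is judged on the user alone; unless the credential serializer already forbids that combination, either reject it here or document the precedence with `# user wins over team; serializer is expected to reject both being set`. can_change's body continues past the end of the hunk.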
@@ -518,6 +518,19 @@ class ProjectsTest(BaseTest):
         data['ssh_key_unlock'] = TEST_SSH_KEY_DATA_UNLOCK
         self.post(url, data, expect=201)
 
+        # Test post as organization admin where team is part of org, but user
+        # creating credential is not a member of the team. UI may pass user
+        # as an empty string instead of None.
+        normal_org = self.normal_django_user.admin_of_organizations.all()[0]
+        org_team = normal_org.teams.create(name='new empty team')
+        with self.current_user(self.normal_django_user):
+            data = {
+                'name': 'my team cred',
+                'team': org_team.pk,
+                'user': '',
+            }
+            self.post(url, data, expect=201)
+
         # FIXME: Check list as other users.
 
         # can edit a credential
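Review bot: The added case only exercises the allowed path — an organization admin creating a team credential with `'user': ''` — and nothing asserts that the same payload is refused for a user who is not an admin of `normal_org`, which is exactly what can_add's team branch exists to enforce. Add the mirror case immediately after it: post the identical `data` inside `self.current_user(...)` as a user with no admin rights over `normal_org` and `expect=403`, and, if the base test class offers a put/patch helper, also attempt to move an existing credential to `org_team.pk` as that user so the new can_change gate is covered. Keeping `'user': ''` in the negative payload matters, since the empty string is the form the UI sends. The enclosing test method starts before and continues after this hunk.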