diff --git a/awx/main/tests/functional/test_rbac_credential.py b/awx/main/tests/functional/test_rbac_credential.py
index 9de46f8115..fe115c550e 100644
--- a/awx/main/tests/functional/test_rbac_credential.py
+++ b/awx/main/tests/functional/test_rbac_credential.py
@@ -1,7 +1,10 @@
 import pytest
+from awx.main.access import CredentialAccess
+from awx.main.models.credential import Credential
 from awx.main.migrations import _rbac as rbac
 from django.apps import apps
+from django.contrib.auth.models import User
 @pytest.mark.django_db
 def test_credential_migration_user(credential, user, permissions):
@@ -51,3 +54,35 @@ def test_credential_migration_team_admin(credential, team, user, permissions):
 assert len(migrated) == 1
 assert credential.accessible_by(u, permissions['usage'])
+def test_credential_access_superuser():
+ u = User(username='admin', is_superuser=True)
+ access = CredentialAccess(u)
+ credential = Credential()
+
+ assert access.can_add(None)
+ assert access.can_change(credential, None)
+ assert access.can_delete(credential)
+
+@pytest.mark.django_db
+def test_credential_access_admin(user, organization, team, credential):
+ u = user('org-admin', False)
+ organization.admins.add(u)
+ team.organization = organization
+ team.save()
+
+ access = CredentialAccess(u)
+
+ assert access.can_add({'user': u.pk})
+ assert access.can_add({'team': team.pk})
+
+ assert not access.can_change(credential, {'user': u.pk})
+
+ # unowned credential can be deleted
+ assert access.can_delete(credential)
+
+ credential.created_by = u
+ credential.save()
+ assert not access.can_change(credential, {'user': u.pk})
+
+ team.users.add(u)
+ assert access.can_change(credential, {'user': u.pk})
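Review bot: `test_credential_access_admin` asserts grants for the org admin and denials only for that same user, so nothing in the new tests pins that a user with no relationship to the credential is refused. The assertion under `# unowned credential can be deleted` would pass equally if every user could delete an ownerless credential; a negative case such as `outsider = user('outsider', False)` followed by `assert not CredentialAccess(outsider).can_delete(credential)` would tell the two apart, assuming that denial is the intended policy. The same gap applies to `can_add`, where neither another user's pk nor a team pk from a different organization is tried. The two identical `assert not access.can_change(credential, {'user': u.pk})` lines would each benefit from a comment naming the state being checked (before and after `created_by` is set), and the final assertion from a comment on why `team.users.add(u)` grants change rights, since the `credential` fixture's ownership is not visible in this hunk.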