diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py
index 01ad6d98ed..855d9e54e0 100644
--- a/awx/api/views/__init__.py
+++ b/awx/api/views/__init__.py
@@ -688,6 +688,7 @@ class TeamAccessList(ResourceAccessList):
 class ExecutionEnvironmentList(ListCreateAPIView):
+ always_allow_superuser = False
 model = models.ExecutionEnvironment
 serializer_class = serializers.ExecutionEnvironmentSerializer
 swagger_topic = "Execution Environments"
@@ -695,6 +696,7 @@ class ExecutionEnvironmentList(ListCreateAPIView):
 class ExecutionEnvironmentDetail(RetrieveUpdateDestroyAPIView):
+ always_allow_superuser = False
 model = models.ExecutionEnvironment
 serializer_class = serializers.ExecutionEnvironmentSerializer
 swagger_topic = "Execution Environments"
diff --git a/awx/main/access.py b/awx/main/access.py
index 7da6709c41..d2a2aa9f3b 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1329,13 +1329,10 @@ class ExecutionEnvironmentAccess(BaseAccess):
 Q(organization__isnull=True)
 ).distinct()
+ @check_superuser
 def can_add(self, data):
 if not data: # So the browseable API will work
 return Organization.accessible_objects(self.user, 'execution_environment_admin_role').exists()
- if obj.managed_by_tower:
- raise PermissionDenied
- if self.user.is_superuser:
- return True
 return self.check_related('organization', Organization, data, mandatory=True, role_field='execution_environment_admin_role')
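Review bot: `always_allow_superuser = False` on ExecutionEnvironmentList (and again on ExecutionEnvironmentDetail in the next hunk) changes who is authorized but carries no comment saying why. Presumably it switches off the view-level superuser shortcut so that every request is decided by ExecutionEnvironmentAccess; I would put `# No view-level superuser bypass: ExecutionEnvironmentAccess must decide every request` above each assignment. The access.py hunk re-grants superusers only `can_add` through `@check_superuser`, and the change and delete checks that the detail view now relies on are not visible in this diff. Confirm that they still let a superuser edit and delete ordinary environments while refusing every user on the protected ones (the removed `obj.managed_by_tower` lines suggest managed environments are the case in question), and add a test that exercises both paths as a superuser.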