diff --git a/awx/api/generics.py b/awx/api/generics.py
index 8fc546f2e5..6b4b7c6c3a 100644
--- a/awx/api/generics.py
+++ b/awx/api/generics.py
@@ -425,7 +425,7 @@ class SubListCreateAttachDetachAPIView(SubListCreateAPIView):
         sub = get_object_or_400(self.model, pk=sub_id)
         if not request.user.can_access(self.parent_model, 'unattach', parent,
-                                       sub, self.relationship):
+                                       sub, self.relationship, request.data):
             raise PermissionDenied()
         if parent_key:
diff --git a/awx/api/views.py b/awx/api/views.py
index ac954d677d..2b275d82c7 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -1759,7 +1759,7 @@ class GroupChildrenList(SubListCreateAttachDetachAPIView):
         sub = get_object_or_400(self.model, pk=sub_id)
         if not request.user.can_access(self.parent_model, 'unattach', parent,
-                                       sub, self.relationship):
+                                       sub, self.relationship, request.data):
             raise PermissionDenied()
         if sub.parents.exclude(pk=parent.pk).count() == 0:
diff --git a/awx/main/access.py b/awx/main/access.py
index afcb7672ac..b3a35b72c3 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -170,8 +170,8 @@ class BaseAccess(object):
         return bool(self.can_change(obj, None) and self.user.can_access(type(sub_obj), 'read', sub_obj))
-    def can_unattach(self, obj, sub_obj, relationship):
-        return self.can_change(obj, None)
+    def can_unattach(self, obj, sub_obj, relationship, data=None):
+        return self.can_change(obj, data)
     def check_license(self, add_host=False, feature=None, check_expiration=True):
         reader = TaskSerializer()
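Review bot: The detach guard now passes `request.data` as a new positional argument through `can_access(self.parent_model, 'unattach', parent, sub, self.relationship, request.data)`, which only works for access classes whose `can_unattach` accepts that fourth parameter; the identical call is added in the `GroupChildrenList` hunk in awx/api/views.py. Any access class outside this diff that still overrides `can_unattach(self, obj, sub_obj, relationship)` would, if `can_access` forwards arguments positionally as the base-class change suggests, raise `TypeError` at these call sites instead of returning a permission decision, so the remaining overrides should be checked before merging. The visible lines of the views.py copy repeat the base-class check; moving the `can_access(... 'unattach' ...)` guard into one shared helper (or calling `super()`) would keep the two `PermissionDenied()` paths from drifting, since this check is the only thing standing in front of the detach. The enclosing `unattach` method starts and ends outside the hunk.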
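Review bot: `BaseAccess.can_unattach` now forwards the caller-supplied payload into `self.can_change(obj, data)`, but nothing documents what `data` is expected to hold or that `None` preserves the previous behaviour; a docstring such as `"""Return whether the user may detach sub_obj from obj; data is the request payload forwarded to can_change (None keeps the old unconditional check)."""` would make the contract explicit for subclasses. Whether every `can_change` implementation tolerates the non-field keys a detach payload carries is not visible here and is worth confirming, since a stricter `can_change` would start denying detaches that were previously allowed. The `check_license` method that follows continues outside the hunk.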
@@ -1594,11 +1594,11 @@ class RoleAccess(BaseAccess):
     def can_attach(self, obj, sub_obj, relationship, data, skip_sub_obj_read_check=False):
-        return self.can_unattach(obj, sub_obj, relationship)
+        return self.can_unattach(obj, sub_obj, relationship, data, skip_sub_obj_read_check)
     @check_superuser
-    def can_unattach(self, obj, sub_obj, relationship):
-        if relationship == 'members':
+    def can_unattach(self, obj, sub_obj, relationship, data=None, skip_sub_obj_read_check=False):
+        if not skip_sub_obj_read_check and relationship in ['members', 'member_role.parents']:
             if not check_user_access(self.user, sub_obj.__class__, 'read', sub_obj):
                 return False