diff --git a/Makefile b/Makefile
index c1b7d582e1..fd9d87cd2e 100644
--- a/Makefile
+++ b/Makefile
@@ -298,12 +298,10 @@ requirements_tower_dev:
 # Install third-party requirements needed for running unittests in jenkins
 requirements_jenkins:
 	if [ "$(VENV_BASE)" ]; then \
-		. $(VENV_BASE)/tower/bin/activate; \
-		$(VENV_BASE)/tower/bin/pip install -Ir requirements/requirements_jenkins.txt; \
+		. $(VENV_BASE)/tower/bin/activate && pip install -Ir requirements/requirements_jenkins.txt; \
 	else \
 		pip install -Ir requirements/requirements_jenkins.txt; \
-	fi && \
-	$(NPM_BIN) install csslint
+	fi
 
 requirements: requirements_ansible requirements_tower
 
@@ -317,8 +315,8 @@ develop:
 	    pip uninstall -y awx; \
 	    $(PYTHON) setup.py develop; \
 	else \
-	    sudo pip uninstall -y awx; \
-	    sudo $(PYTHON) setup.py develop; \
+	    pip uninstall -y awx; \
+	    $(PYTHON) setup.py develop; \
 	fi
 
 version_file:
@@ -448,7 +446,7 @@ pylint: reports
 
 check: flake8 pep8 # pyflakes pylint
 
-TEST_DIRS=awx/main/tests
+TEST_DIRS ?= awx/main/tests
 # Run all API unit tests.
 test:
 	@if [ "$(VENV_BASE)" ]; then \
diff --git a/adhoc.controller-test.js b/adhoc.controller-test.js
deleted file mode 100644
index d49c699994..0000000000
--- a/adhoc.controller-test.js
+++ /dev/null
@@ -1,199 +0,0 @@
-import '../support/node';
-
-import adhocModule from 'inventories/manage/adhoc/main';
-import RestStub from '../support/rest-stub';
-
-describe("adhoc.controller", function() {
-    var $scope, $rootScope, $location, $stateParams, $stateExtender,
-        CheckPasswords, PromptForPasswords, CreateLaunchDialog, AdhocForm,
-        GenerateForm, Rest, ProcessErrors, ClearScope, GetBasePath, GetChoices,
-        KindChange, LookUpInit, CredentialList, Empty, Wait;
-
-    var $controller, ctrl, generateFormCallback, waitCallback, locationCallback,
-        getBasePath, processErrorsCallback, restCallback, stateExtenderCallback;
-
-    beforeEach("instantiate the adhoc module", function() {
-        angular.mock.module(adhocModule.name);
-    });
-
-    before("create spies", function() {
-        getBasePath = function(path) {
-            return '/' + path + '/';
-        };
-        generateFormCallback = {
-            inject: angular.noop
-        };
-        waitCallback = sinon.spy();
-        locationCallback = {
-            path: sinon.spy()
-        };
-        processErrorsCallback = sinon.spy();
-        restCallback = new RestStub();
-        stateExtenderCallback = {
-            addState: angular.noop
-        }
-    });
-
-
-    beforeEach("mock dependencies", angular.mock.module(['$provide', function(_provide_) {
-        var $provide = _provide_;
-
-        $provide.value('$location', locationCallback);
-        $provide.value('CheckPasswords', angular.noop);
-        $provide.value('PromptForPasswords', angular.noop);
-        $provide.value('CreateLaunchDialog', angular.noop);
-        $provide.value('AdhocForm', angular.noop);
-        $provide.value('GenerateForm', generateFormCallback);
-        $provide.value('Rest', restCallback);
-        $provide.value('ProcessErrors', processErrorsCallback);
-        $provide.value('ClearScope', angular.noop);
-        $provide.value('GetBasePath', getBasePath);
-        $provide.value('GetChoices', angular.noop);
-        $provide.value('KindChange', angular.noop);
-        $provide.value('LookUpInit', angular.noop);
-        $provide.value('CredentialList', angular.noop);
-        $provide.value('Empty', angular.noop);
-        $provide.value('Wait', waitCallback);
-        $provide.value('$stateExtender', stateExtenderCallback);
-        $provide.value('$stateParams', angular.noop);
-        $provide.value('$state', angular.noop);
-    }]));
-
-    beforeEach("put the controller in scope", inject(function($rootScope, $controller) {
-        var scope = $rootScope.$new();
-        ctrl = $controller('adhocController', {$scope: scope});
-    }));
-
-    beforeEach("put $q in scope", window.inject(['$q', function($q) {
-        restCallback.$q = $q;
-    }]));
-    /*
-    describe("setAvailableUrls", function() {
-        it('should only have the specified urls ' +
-            'available for adhoc commands', function() {
-                var urls = ctrl.privateFn.setAvailableUrls();
-                expect(urls).to.have.keys('adhocUrl', 'inventoryUrl',
-                    'machineCredentialUrl');
-
-                var count = 0;
-                var i;
-
-                for (i in urls) {
-                    if (urls.hasOwnProperty(i)) {
-                        count++;
-                    }
-                }
-                expect(count).to.equal(3);
-            });
-
-    });
-
-    describe("setFieldDefaults", function() {
-        it('should set the select form field defaults' +
-            'based on user settings', function() {
-                var verbosity_options = [
-                        {label: "0 (Foo)", value: 0, name: "0 (Foo)",
-                            isDefault: false},
-                        {label: "1 (Bar)", value: 1, name: "1 (Bar)",
-                            isDefault: true},
-                    ],
-                    forks_field = {};
-
-                forks_field.default = 3;
-
-                $scope.$apply(function() {
-                    ctrl.privateFn.setFieldDefaults(verbosity_options,
-                        forks_field.default);
-                });
-
-                expect($scope.forks).to.equal(forks_field.default);
-                expect($scope.verbosity.value).to.equal(1);
-            });
-    });
-
-    describe("setLoadingStartStop", function() {
-        it('should start the controller working state when the form is ' +
-            'loading', function() {
-                waitCallback.reset();
-                ctrl.privateFn.setLoadingStartStop();
-                expect(waitCallback).to.have.been.calledWith("start");
-            });
-        it('should stop the indicator after all REST calls in the form load have ' +
-            'completed', function() {
-                var forks_field = {},
-                    adhoc_verbosity_options = {};
-                forks_field.default = "1";
-                $scope.$apply(function() {
-                    $scope.forks_field = forks_field;
-                    $scope.adhoc_verbosity_options = adhoc_verbosity_options;
-                });
-                waitCallback.reset();
-                $scope.$emit('adhocFormReady');
-                $scope.$emit('adhocFormReady');
-                expect(waitCallback).to.have.been.calledWith("stop");
-            });
-    });
-
-    describe("instantiateArgumentHelp", function() {
-        it("should initially provide a canned argument help response", function() {
-            expect($scope.argsPopOver).to.equal('<p>These arguments are used ' +
-                'with the specified module.</p>');
-        });
-
-        it("should change the help response when the module changes", function() {
-            $scope.$apply(function () {
-                $scope.module_name = {value: 'foo'};
-            });
-            expect($scope.argsPopOver).to.equal('<p>These arguments are used ' +
-                'with the specified module. You can find information about ' +
-                'the foo module <a ' +
-                'id=\"adhoc_module_arguments_docs_link_for_module_foo\" ' +
-                'href=\"http://docs.ansible.com/foo_module.html\" ' +
-                'target=\"_blank\">here</a>.</p>');
-        });
-
-        it("should change the help response when the module changes again", function() {
-            $scope.$apply(function () {
-                $scope.module_name = {value: 'bar'};
-            });
-            expect($scope.argsPopOver).to.equal('<p>These arguments are used ' +
-                'with the specified module. You can find information about ' +
-                'the bar module <a ' +
-                'id=\"adhoc_module_arguments_docs_link_for_module_bar\" ' +
-                'href=\"http://docs.ansible.com/bar_module.html\" ' +
-                'target=\"_blank\">here</a>.</p>');
-        });
-
-        it("should change the help response back to the canned response " +
-            "when no module is selected", function() {
-                $scope.$apply(function () {
-                    $scope.module_name = null;
-                });
-                expect($scope.argsPopOver).to.equal('<p>These arguments are used ' +
-                    'with the specified module.</p>');
-        });
-    });
-
-    describe("instantiateHostPatterns", function() {
-        it("should initialize the limit object based on the provided host " +
-            "pattern", function() {
-                ctrl.privateFn.instantiateHostPatterns("foo:bar");
-                expect($scope.limit).to.equal("foo:bar");
-            });
-
-        it("should set the providedHostPatterns variable to the provided host " +
-            "pattern so it is accesible on form reset", function() {
-                ctrl.privateFn.instantiateHostPatterns("foo:bar");
-                expect($scope.providedHostPatterns).to.equal("foo:bar");
-            });
-
-        it("should remove the hostPattern from rootScope after it has been " +
-            "utilized", function() {
-                $rootScope.hostPatterns = "foo";
-                expect($rootScope.hostPatterns).to.exist;
-                ctrl.privateFn.instantiateHostPatterns("foo");
-                expect($rootScope.hostPatterns).to.not.exist;
-            });
-    });
-    */
-});
diff --git a/awx/api/generics.py b/awx/api/generics.py
index 51598979d8..1a3e5e2910 100644
--- a/awx/api/generics.py
+++ b/awx/api/generics.py
@@ -235,6 +235,13 @@ class ListAPIView(generics.ListAPIView, GenericAPIView):
     def get_queryset(self):
         return self.request.user.get_queryset(self.model)
 
+    def paginate_queryset(self, queryset):
+        page = super(ListAPIView, self).paginate_queryset(queryset)
+        # Queries RBAC info & stores into list objects
+        if hasattr(self, 'capabilities_prefetch') and page is not None:
+            cache_list_capabilities(page, self.capabilities_prefetch, self.model, self.request.user)
+        return page
+
     def get_description_context(self):
         opts = self.model._meta
         if 'username' in opts.get_all_field_names():
diff --git a/awx/api/permissions.py b/awx/api/permissions.py
index 285441421d..ecd725bc6e 100644
--- a/awx/api/permissions.py
+++ b/awx/api/permissions.py
@@ -49,6 +49,9 @@ class ModelAccessPermission(permissions.BasePermission):
             if not check_user_access(request.user, view.parent_model, 'read',
                                      parent_obj):
                 return False
+            if hasattr(view, 'parent_key'):
+                if not check_user_access(request.user, view.model, 'add', {view.parent_key: parent_obj.pk}):
+                    return False
             return True
         elif getattr(view, 'is_job_start', False):
             if not obj:
@@ -206,6 +209,8 @@ class ProjectUpdatePermission(ModelAccessPermission):
 
 class UserPermission(ModelAccessPermission):
     def check_post_permissions(self, request, view, obj=None):
-        if request.user.is_superuser:
+        if not request.data:
+            return request.user.admin_of_organizations.exists()
+        elif request.user.is_superuser:
             return True
         raise PermissionDenied()
diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index ee7784afad..fa442192c2 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -37,6 +37,7 @@ from polymorphic import PolymorphicModel
 # AWX
 from awx.main.constants import SCHEDULEABLE_PROVIDERS
 from awx.main.models import * # noqa
+from awx.main.access import get_user_capabilities
 from awx.main.fields import ImplicitRoleField
 from awx.main.utils import get_type_for_model, get_model_for_type, build_url, timestamp_apiformat, camelcase_to_underscore, getattrd
 from awx.main.conf import tower_settings
@@ -345,6 +346,19 @@ class BaseSerializer(serializers.ModelSerializer):
                 }
         if len(roles) > 0:
             summary_fields['object_roles'] = roles
+
+        # Advance display of RBAC capabilities
+        if hasattr(self, 'show_capabilities'):
+            view = self.context.get('view', None)
+            parent_obj = None
+            if view and hasattr(view, 'parent_model'):
+                parent_obj = view.get_parent_object()
+            if view and view.request and view.request.user:
+                user_capabilities = get_user_capabilities(
+                    view.request.user, obj, method_list=self.show_capabilities, parent_obj=parent_obj)
+                if user_capabilities:
+                    summary_fields['user_capabilities'] = user_capabilities
+
         return summary_fields
 
     def get_created(self, obj):
@@ -553,6 +567,7 @@ class UnifiedJobTemplateSerializer(BaseSerializer):
 
 
 class UnifiedJobSerializer(BaseSerializer):
+    show_capabilities = ['start', 'delete']
 
     result_stdout = serializers.SerializerMethodField()
 
@@ -697,11 +712,12 @@ class UserSerializer(BaseSerializer):
     ldap_dn = serializers.CharField(source='profile.ldap_dn', read_only=True)
     external_account = serializers.SerializerMethodField(help_text='Set if the account is managed by an external service')
     is_system_auditor = serializers.BooleanField(default=False)
+    show_capabilities = ['edit', 'delete']
 
     class Meta:
         model = User
         fields = ('*', '-name', '-description', '-modified',
-                  '-summary_fields', 'username', 'first_name', 'last_name',
+                  'username', 'first_name', 'last_name',
                   'email', 'is_superuser', 'is_system_auditor', 'password', 'ldap_dn', 'external_account')
 
     def to_representation(self, obj):
@@ -822,6 +838,7 @@ class UserSerializer(BaseSerializer):
 
 
 class OrganizationSerializer(BaseSerializer):
+    show_capabilities = ['edit', 'delete']
 
     class Meta:
         model = Organization
@@ -906,6 +923,7 @@ class ProjectSerializer(UnifiedJobTemplateSerializer, ProjectOptionsSerializer):
     status = serializers.ChoiceField(choices=Project.PROJECT_STATUS_CHOICES, read_only=True)
     last_update_failed = serializers.BooleanField(read_only=True)
     last_updated = serializers.DateTimeField(read_only=True)
+    show_capabilities = ['start', 'schedule', 'edit', 'delete']
 
     class Meta:
         model = Project
@@ -1014,6 +1032,7 @@ class BaseSerializerWithVariables(BaseSerializer):
 
 
 class InventorySerializer(BaseSerializerWithVariables):
+    show_capabilities = ['edit', 'delete', 'adhoc']
 
     class Meta:
         model = Inventory
@@ -1064,12 +1083,14 @@ class InventoryDetailSerializer(InventorySerializer):
 
 
 class InventoryScriptSerializer(InventorySerializer):
+    show_capabilities = ['copy', 'edit', 'delete']
 
     class Meta:
         fields = ()
 
 
 class HostSerializer(BaseSerializerWithVariables):
+    show_capabilities = ['edit', 'delete']
 
     class Meta:
         model = Host
@@ -1180,6 +1201,7 @@ class HostSerializer(BaseSerializerWithVariables):
 
 
 class GroupSerializer(BaseSerializerWithVariables):
+    show_capabilities = ['start', 'copy', 'schedule', 'edit', 'delete']
 
     class Meta:
         model = Group
@@ -1284,6 +1306,7 @@ class GroupVariableDataSerializer(BaseVariableDataSerializer):
 class CustomInventoryScriptSerializer(BaseSerializer):
 
     script = serializers.CharField(trim_whitespace=False)
+    show_capabilities = ['edit', 'delete']
 
     class Meta:
         model = CustomInventoryScript
@@ -1454,6 +1477,7 @@ class InventoryUpdateCancelSerializer(InventoryUpdateSerializer):
 
 
 class TeamSerializer(BaseSerializer):
+    show_capabilities = ['edit', 'delete']
 
     class Meta:
         model = Team
@@ -1522,8 +1546,12 @@ class RoleSerializer(BaseSerializer):
         return ret
 
 
+class RoleSerializerWithParentAccess(RoleSerializer):
+    show_capabilities = ['unattach']
+
 
 class ResourceAccessListElementSerializer(UserSerializer):
+    show_capabilities = []  # Clear fields from UserSerializer parent class
 
     def to_representation(self, user):
         '''
@@ -1539,18 +1567,25 @@ class ResourceAccessListElementSerializer(UserSerializer):
         ret = super(ResourceAccessListElementSerializer, self).to_representation(user)
         object_id = self.context['view'].object_id
         obj = self.context['view'].resource_model.objects.get(pk=object_id)
+        if self.context['view'].request is not None:
+            requesting_user = self.context['view'].request.user
+        else:
+            requesting_user = None
 
         if 'summary_fields' not in ret:
             ret['summary_fields'] = {}
 
         def format_role_perm(role):
             role_dict = { 'id': role.id, 'name': role.name, 'description': role.description}
-            try:
+            if role.content_type is not None:
                 role_dict['resource_name'] = role.content_object.name
                 role_dict['resource_type'] = role.content_type.name
                 role_dict['related'] = reverse_gfk(role.content_object)
-            except:
-                pass
+                role_dict['user_capabilities'] = {'unattach': requesting_user.can_access(
+                    Role, 'unattach', role, user, 'members', data={}, skip_sub_obj_read_check=False)}
+            else:
+                # Singleton roles should not be managed from this view, as per copy/edit rework spec
+                role_dict['user_capabilities'] = {'unattach': False}
             return { 'role': role_dict, 'descendant_roles': get_roles_on_resource(obj, role)}
 
         def format_team_role_perm(team_role, permissive_role_ids):
@@ -1563,20 +1598,21 @@ class ResourceAccessListElementSerializer(UserSerializer):
                     'team_id': team_role.object_id,
                     'team_name': team_role.content_object.name
                 }
-                try:
+                if role.content_type is not None:
                     role_dict['resource_name'] = role.content_object.name
                     role_dict['resource_type'] = role.content_type.name
                     role_dict['related'] = reverse_gfk(role.content_object)
-                except:
-                    pass
+                    role_dict['user_capabilities'] = {'unattach': requesting_user.can_access(
+                        Role, 'unattach', role, team_role, 'parents', data={}, skip_sub_obj_read_check=False)}
+                else:
+                    # Singleton roles should not be managed from this view, as per copy/edit rework spec
+                    role_dict['user_capabilities'] = {'unattach': False}
                 ret.append({ 'role': role_dict, 'descendant_roles': get_roles_on_resource(obj, team_role)})
             return ret
 
         team_content_type = ContentType.objects.get_for_model(Team)
         content_type = ContentType.objects.get_for_model(obj)
 
-
-        content_type = ContentType.objects.get_for_model(obj)
         direct_permissive_role_ids = Role.objects.filter(content_type=content_type, object_id=obj.id).values_list('id', flat=True)
         all_permissive_role_ids = Role.objects.filter(content_type=content_type, object_id=obj.id).values_list('ancestors__id', flat=True)
 
@@ -1621,6 +1657,7 @@ class ResourceAccessListElementSerializer(UserSerializer):
 
 
 class CredentialSerializer(BaseSerializer):
+    show_capabilities = ['edit', 'delete']
 
     class Meta:
         model = Credential
@@ -1825,6 +1862,7 @@ class JobOptionsSerializer(BaseSerializer):
 
 
 class JobTemplateSerializer(UnifiedJobTemplateSerializer, JobOptionsSerializer):
+    show_capabilities = ['start', 'schedule', 'copy', 'edit', 'delete']
 
     status = serializers.ChoiceField(choices=JobTemplate.JOB_TEMPLATE_STATUS_CHOICES, read_only=True, required=False)
 
@@ -1860,21 +1898,6 @@ class JobTemplateSerializer(UnifiedJobTemplateSerializer, JobOptionsSerializer):
         d = super(JobTemplateSerializer, self).get_summary_fields(obj)
         if obj.survey_spec is not None and ('name' in obj.survey_spec and 'description' in obj.survey_spec):
             d['survey'] = dict(title=obj.survey_spec['name'], description=obj.survey_spec['description'])
-        request = self.context.get('request', None)
-
-        # Check for conditions that would create a validation error if coppied
-        validation_errors, resources_needed_to_start = obj.resource_validation_data()
-
-        if request is None or request.user is None:
-            d['can_copy'] = False
-            d['can_edit'] = False
-        elif request.user.is_superuser:
-            d['can_copy'] = not validation_errors
-            d['can_edit'] = True
-        else:
-            d['can_copy'] = (not validation_errors) and request.user.can_access(JobTemplate, 'add', {"reference_obj": obj})
-            d['can_edit'] = request.user.can_access(JobTemplate, 'change', obj, {})
-
         d['recent_jobs'] = self._recent_jobs(obj)
         return d
 
@@ -2561,6 +2584,7 @@ class JobLaunchSerializer(BaseSerializer):
         return attrs
 
 class NotificationTemplateSerializer(BaseSerializer):
+    show_capabilities = ['edit', 'delete']
 
     class Meta:
         model = NotificationTemplate
@@ -2674,6 +2698,7 @@ class LabelSerializer(BaseSerializer):
         return res
 
 class ScheduleSerializer(BaseSerializer):
+    show_capabilities = ['edit', 'delete']
 
     class Meta:
         model = Schedule
diff --git a/awx/api/views.py b/awx/api/views.py
index e6bd86cae4..38bbb1470c 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -854,7 +854,7 @@ class TeamUsersList(BaseUsersList):
 class TeamRolesList(SubListCreateAttachDetachAPIView):
 
     model = Role
-    serializer_class = RoleSerializer
+    serializer_class = RoleSerializerWithParentAccess
     metadata_class = RoleMetadata
     parent_model = Team
     relationship='member_role.children'
@@ -953,6 +953,7 @@ class ProjectList(ListCreateAPIView):
 
     model = Project
     serializer_class = ProjectSerializer
+    capabilities_prefetch = ['admin', 'update']
 
     def get_queryset(self):
         projects_qs = Project.accessible_objects(self.request.user, 'read_role')
@@ -1151,6 +1152,7 @@ class UserList(ListCreateAPIView):
 
     model = User
     serializer_class = UserSerializer
+    capabilities_prefetch = ['admin']
     permission_classes = (UserPermission,)
 
     def post(self, request, *args, **kwargs):
@@ -1191,7 +1193,7 @@ class UserTeamsList(ListAPIView):
 class UserRolesList(SubListCreateAttachDetachAPIView):
 
     model = Role
-    serializer_class = RoleSerializer
+    serializer_class = RoleSerializerWithParentAccess
     metadata_class = RoleMetadata
     parent_model = User
     relationship='roles'
@@ -1511,6 +1513,7 @@ class InventoryList(ListCreateAPIView):
 
     model = Inventory
     serializer_class = InventorySerializer
+    capabilities_prefetch = ['admin', 'adhoc']
 
     def get_queryset(self):
         qs = Inventory.accessible_objects(self.request.user, 'read_role')
@@ -1742,6 +1745,7 @@ class GroupList(ListCreateAPIView):
 
     model = Group
     serializer_class = GroupSerializer
+    capabilities_prefetch = ['inventory.admin', 'inventory.adhoc', 'inventory.update']
 
 '''
 Useful when you have a self-refering ManyToManyRelationship.
@@ -2210,6 +2214,10 @@ class JobTemplateList(ListCreateAPIView):
     model = JobTemplate
     serializer_class = JobTemplateSerializer
     always_allow_superuser = False
+    capabilities_prefetch = [
+        'admin', 'execute',
+        {'copy': ['project.use', 'inventory.use', 'credential.use', 'cloud_credential.use', 'network_credential.use']}
+    ]
 
     def post(self, request, *args, **kwargs):
         ret = super(JobTemplateList, self).post(request, *args, **kwargs)
@@ -3680,6 +3688,7 @@ class NotificationTemplateTest(GenericAPIView):
     model = NotificationTemplate
     serializer_class = EmptySerializer
     new_in_300 = True
+    is_job_start = True
 
     def post(self, request, *args, **kwargs):
         obj = self.get_object()
diff --git a/awx/main/access.py b/awx/main/access.py
index 813851d226..fae143a6de 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -116,6 +116,18 @@ def check_user_access(user, model_class, action, *args, **kwargs):
             return result
     return False
 
+def get_user_capabilities(user, instance, **kwargs):
+    '''
+    Returns a dictionary of capabilities the user has on the particular
+    instance.  *NOTE* This is not a direct mapping of can_* methods into this
+    dictionary, it is intended to munge some queries in a way that is
+    convenient for the user interface to consume and hide or show various
+    actions in the interface.
+    '''
+    for access_class in access_registry.get(type(instance), []):
+        return access_class(user).get_user_capabilities(instance, **kwargs)
+    return None
+
 def check_superuser(func):
     '''
     check_superuser is a decorator that provides a simple short circuit
@@ -207,6 +219,78 @@ class BaseAccess(object):
             elif "features" not in validation_info:
                 raise LicenseForbids("Features not found in active license.")
 
+    def get_user_capabilities(self, obj, method_list=[], parent_obj=None):
+        if obj is None:
+            return {}
+        user_capabilities = {}
+
+        # Custom ordering to loop through methods so we can reuse earlier calcs
+        for display_method in ['edit', 'delete', 'start', 'schedule', 'copy', 'adhoc', 'unattach']:
+            if display_method not in method_list:
+                continue
+
+            # Validation consistency checks
+            if display_method == 'copy' and isinstance(obj, JobTemplate):
+                validation_errors, resources_needed_to_start = obj.resource_validation_data()
+                if validation_errors:
+                    user_capabilities[display_method] = False
+                    continue
+            elif display_method == 'start' and isinstance(obj, Group):
+                if obj.inventory_source and not obj.inventory_source._can_update():
+                    user_capabilities[display_method] = False
+                    continue
+
+            # Grab the answer from the cache, if available
+            if hasattr(obj, 'capabilities_cache') and display_method in obj.capabilities_cache:
+                user_capabilities[display_method] = obj.capabilities_cache[display_method]
+                continue
+
+            # Aliases for going form UI language to API language
+            if display_method == 'edit':
+                method = 'change'
+            elif display_method == 'copy':
+                method = 'add'
+            elif display_method == 'adhoc':
+                method = 'run_ad_hoc_commands'
+            else:
+                method = display_method
+
+            # Shortcuts in certain cases by deferring to earlier property
+            if display_method == 'schedule':
+                user_capabilities['schedule'] = user_capabilities['edit']
+                continue
+            elif display_method == 'delete' and not isinstance(obj, (User, UnifiedJob)):
+                user_capabilities['delete'] = user_capabilities['edit']
+                continue
+            elif display_method == 'copy' and isinstance(obj, (Group, Host)):
+                user_capabilities['copy'] = user_capabilities['edit']
+                continue
+
+            # Preprocessing before the access method is called
+            data = {}
+            if method == 'add':
+                if isinstance(obj, JobTemplate):
+                    data['reference_obj'] = obj
+
+            # Compute permission
+            access_method = getattr(self, "can_%s" % method)
+            if method in ['change']: # 3 args
+                user_capabilities[display_method] = access_method(obj, data)
+            elif method in ['delete', 'start', 'run_ad_hoc_commands']: # 2 args
+                user_capabilities[display_method] = access_method(obj)
+            elif method in ['add']: # 2 args with data
+                user_capabilities[display_method] = access_method(data)
+            elif method in ['attach', 'unattach']: # parent/sub-object call
+                if type(parent_obj) == Team:
+                    relationship = 'parents'
+                    parent_obj = parent_obj.member_role
+                else:
+                    relationship = 'members'
+                user_capabilities[display_method] = access_method(
+                    obj, parent_obj, relationship, skip_sub_obj_read_check=True, data=data)
+
+        return user_capabilities
+
 
 class UserAccess(BaseAccess):
     '''
@@ -526,6 +610,12 @@ class GroupAccess(BaseAccess):
                                  "active_jobs": active_jobs})
         return True
 
+    def can_start(self, obj):
+        # Used as another alias to inventory_source start access for user_capabilities
+        if obj and obj.inventory_source:
+            return self.user.can_access(InventorySource, 'start', obj.inventory_source)
+        return False
+
 class InventorySourceAccess(BaseAccess):
     '''
     I can see inventory sources whenever I can see their group or inventory.
@@ -594,6 +684,13 @@ class InventoryUpdateAccess(BaseAccess):
         # Inventory cascade deletes to inventory update, descends from org admin
         return self.user in obj.inventory_source.inventory.admin_role
 
+    def can_start(self, obj):
+        # For relaunching
+        if obj and obj.inventory_source:
+            access = InventorySourceAccess(self.user)
+            return access.can_start(obj.inventory_source)
+        return False
+
     @check_superuser
     def can_delete(self, obj):
         return self.user in obj.inventory_source.inventory.admin_role
@@ -815,6 +912,12 @@ class ProjectUpdateAccess(BaseAccess):
         # Project updates cascade delete with project, admin role descends from org admin
         return self.user in obj.project.admin_role
 
+    def can_start(self, obj):
+        # for relaunching
+        if obj and obj.project:
+            return self.user in obj.project.update_role
+        return False
+
     @check_superuser
     def can_delete(self, obj):
         return obj and self.user in obj.project.admin_role
@@ -855,7 +958,9 @@ class JobTemplateAccess(BaseAccess):
         Users who are able to create deploy jobs can also run normal and check (dry run) jobs.
         '''
         if not data:  # So the browseable API will work
-            return True
+            return (
+                Project.accessible_objects(self.user, 'use_role').exists() or
+                Inventory.accessible_objects(self.user, 'use_role').exists())
 
         # if reference_obj is provided, determine if it can be coppied
         reference_obj = data.pop('reference_obj', None)
@@ -1132,6 +1237,10 @@ class SystemJobAccess(BaseAccess):
     '''
     model = SystemJob
 
+    def can_start(self, obj):
+        return False # no relaunching of system jobs
+
+# TODO:
 class WorkflowJobTemplateNodeAccess(BaseAccess):
     '''
     I can see/use a WorkflowJobTemplateNode if I have read permission
@@ -1762,6 +1871,12 @@ class NotificationTemplateAccess(BaseAccess):
     def can_delete(self, obj):
         return self.can_change(obj, None)
 
+    @check_superuser
+    def can_start(self, obj):
+        if obj.organization is None:
+            return False
+        return self.user in obj.organization.admin_role
+
 class NotificationAccess(BaseAccess):
     '''
     I can see/use a notification if I have permission to
@@ -1970,8 +2085,13 @@ class RoleAccess(BaseAccess):
 
     @check_superuser
     def can_unattach(self, obj, sub_obj, relationship, data=None, skip_sub_obj_read_check=False):
-        if not skip_sub_obj_read_check and relationship in ['members', 'member_role.parents']:
-            if not check_user_access(self.user, sub_obj.__class__, 'read', sub_obj):
+        if not skip_sub_obj_read_check and relationship in ['members', 'member_role.parents', 'parents']:
+            # If we are unattaching a team Role, check the Team read access
+            if relationship == 'parents':
+                sub_obj_resource = sub_obj.content_object
+            else:
+                sub_obj_resource = sub_obj
+            if not check_user_access(self.user, sub_obj_resource.__class__, 'read', sub_obj_resource):
                 return False
 
         if isinstance(obj.content_object, ResourceMixin) and \
diff --git a/awx/main/management/commands/create_preload_data.py b/awx/main/management/commands/create_preload_data.py
index a6b1e41f0d..caeba2c0a3 100644
--- a/awx/main/management/commands/create_preload_data.py
+++ b/awx/main/management/commands/create_preload_data.py
@@ -47,3 +47,4 @@ class Command(BaseCommand):
                                        inventory=i,
                                        credential=c)
         print('Default organization added.')
+        print('Demo Credential, Inventory, and Job Template added.')
diff --git a/awx/main/models/jobs.py b/awx/main/models/jobs.py
index 9356884a19..34adcb73a4 100644
--- a/awx/main/models/jobs.py
+++ b/awx/main/models/jobs.py
@@ -340,6 +340,10 @@ class JobTemplate(UnifiedJobTemplate, JobOptions, ResourceMixin):
                 errors.append("'%s' value missing" % survey_element['variable'])
             elif survey_element['type'] in ["textarea", "text", "password"]:
                 if survey_element['variable'] in data:
+                    if type(data[survey_element['variable']]) not in (str, unicode):
+                        errors.append("Value %s for '%s' expected to be a string." % (data[survey_element['variable']],
+                                                                                      survey_element['variable']))
+                        continue
                     if 'min' in survey_element and survey_element['min'] not in ["", None] and len(data[survey_element['variable']]) < int(survey_element['min']):
                         errors.append("'%s' value %s is too small (length is %s must be at least %s)." %
                                       (survey_element['variable'], data[survey_element['variable']], len(data[survey_element['variable']]), survey_element['min']))
@@ -348,6 +352,10 @@ class JobTemplate(UnifiedJobTemplate, JobOptions, ResourceMixin):
                                       (survey_element['variable'], data[survey_element['variable']], survey_element['max']))
             elif survey_element['type'] == 'integer':
                 if survey_element['variable'] in data:
+                    if type(data[survey_element['variable']]) != int:
+                        errors.append("Value %s for '%s' expected to be an integer." % (data[survey_element['variable']],
+                                                                                        survey_element['variable']))
+                        continue
                     if 'min' in survey_element and survey_element['min'] not in ["", None] and survey_element['variable'] in data and \
                        data[survey_element['variable']] < int(survey_element['min']):
                         errors.append("'%s' value %s is too small (must be at least %s)." %
@@ -356,20 +364,18 @@ class JobTemplate(UnifiedJobTemplate, JobOptions, ResourceMixin):
                        data[survey_element['variable']] > int(survey_element['max']):
                         errors.append("'%s' value %s is too large (must be no more than %s)." %
                                       (survey_element['variable'], data[survey_element['variable']], survey_element['max']))
-                    if type(data[survey_element['variable']]) != int:
-                        errors.append("Value %s for '%s' expected to be an integer." % (data[survey_element['variable']],
-                                                                                        survey_element['variable']))
             elif survey_element['type'] == 'float':
                 if survey_element['variable'] in data:
+                    if type(data[survey_element['variable']]) not in (float, int):
+                        errors.append("Value %s for '%s' expected to be a numeric type." % (data[survey_element['variable']],
+                                                                                            survey_element['variable']))
+                        continue
                     if 'min' in survey_element and survey_element['min'] not in ["", None] and data[survey_element['variable']] < float(survey_element['min']):
                         errors.append("'%s' value %s is too small (must be at least %s)." %
                                       (survey_element['variable'], data[survey_element['variable']], survey_element['min']))
                     if 'max' in survey_element and survey_element['max'] not in ["", None] and data[survey_element['variable']] > float(survey_element['max']):
                         errors.append("'%s' value %s is too large (must be no more than %s)." %
                                       (survey_element['variable'], data[survey_element['variable']], survey_element['max']))
-                    if type(data[survey_element['variable']]) not in (float, int):
-                        errors.append("Value %s for '%s' expected to be a numeric type." % (data[survey_element['variable']],
-                                                                                            survey_element['variable']))
             elif survey_element['type'] == 'multiselect':
                 if survey_element['variable'] in data:
                     if type(data[survey_element['variable']]) != list:
diff --git a/awx/main/models/workflow.py b/awx/main/models/workflow.py
index 683ef741a5..b27f7cd36b 100644
--- a/awx/main/models/workflow.py
+++ b/awx/main/models/workflow.py
@@ -177,7 +177,6 @@ class WorkflowJobNode(WorkflowNodeBase):
         # TODO: merge artifacts, add ancestor_artifacts to kwargs
         if extra_vars:
             data['extra_vars'] = extra_vars
-        print ' job KV data: ' + str(data)
         return data
 
 class WorkflowJobOptions(BaseModel):
diff --git a/awx/main/tasks.py b/awx/main/tasks.py
index fe46166afb..097dca517d 100644
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@@ -654,7 +654,8 @@ class BaseTask(Task):
             if status == 'canceled':
                 raise Exception("Task %s(pk:%s) was canceled (rc=%s)" % (str(self.model.__class__), str(pk), str(rc)))
             else:
-                raise Exception("Task %s(pk:%s) encountered an error (rc=%s)" % (str(self.model.__class__), str(pk), str(rc)))
+                raise Exception("Task %s(pk:%s) encountered an error (rc=%s), please see task stdout for details." %
+                                (str(self.model.__class__), str(pk), str(rc)))
         if not hasattr(settings, 'CELERY_UNIT_TEST'):
             self.signal_finished(pk)
 
diff --git a/awx/main/tests/functional/api/test_job_template.py b/awx/main/tests/functional/api/test_job_template.py
index 88437a0037..68a7e7aecd 100644
--- a/awx/main/tests/functional/api/test_job_template.py
+++ b/awx/main/tests/functional/api/test_job_template.py
@@ -3,12 +3,11 @@ import mock
 
 # AWX
 from awx.api.serializers import JobTemplateSerializer, JobLaunchSerializer
-from awx.main.models.jobs import JobTemplate, Job
+from awx.main.models.jobs import Job
 from awx.main.models.projects import ProjectOptions
 from awx.main.migrations import _save_password_keys as save_password_keys
 
 # Django
-from django.test.client import RequestFactory
 from django.core.urlresolvers import reverse
 from django.apps import apps
 
@@ -141,131 +140,7 @@ def test_job_template_role_user(post, organization_factory, job_template_factory
     response = post(url, dict(id=jt_objects.job_template.execute_role.pk), objects.superusers.admin)
     assert response.status_code == 204
 
-# Test protection against limited set of validation problems
 
-@pytest.mark.django_db
-def test_bad_data_copy_edit(admin_user, project):
-    """
-    If a required resource (inventory here) was deleted, copying not allowed
-    because doing so would caues a validation error
-    """
-
-    jt_res = JobTemplate.objects.create(
-        job_type='run',
-        project=project,
-        inventory=None,  ask_inventory_on_launch=False, # not allowed
-        credential=None, ask_credential_on_launch=True,
-        name='deploy-job-template'
-    )
-    serializer = JobTemplateSerializer(jt_res)
-    request = RequestFactory().get('/api/v1/job_templates/12/')
-    request.user = admin_user
-    serializer.context['request'] = request
-    response = serializer.to_representation(jt_res)
-    assert not response['summary_fields']['can_copy']
-    assert response['summary_fields']['can_edit']
-
-# Tests for correspondence between view info and actual access
-
-@pytest.mark.django_db
-def test_admin_copy_edit(jt_copy_edit, admin_user):
-    "Absent a validation error, system admins can do everything"
-
-    # Serializer can_copy/can_edit fields
-    serializer = JobTemplateSerializer(jt_copy_edit)
-    request = RequestFactory().get('/api/v1/job_templates/12/')
-    request.user = admin_user
-    serializer.context['request'] = request
-    response = serializer.to_representation(jt_copy_edit)
-    assert response['summary_fields']['can_copy']
-    assert response['summary_fields']['can_edit']
-
-@pytest.mark.django_db
-def test_org_admin_copy_edit(jt_copy_edit, org_admin):
-    "Organization admins SHOULD be able to copy a JT firmly in their org"
-
-    # Serializer can_copy/can_edit fields
-    serializer = JobTemplateSerializer(jt_copy_edit)
-    request = RequestFactory().get('/api/v1/job_templates/12/')
-    request.user = org_admin
-    serializer.context['request'] = request
-    response = serializer.to_representation(jt_copy_edit)
-    assert response['summary_fields']['can_copy']
-    assert response['summary_fields']['can_edit']
-
-@pytest.mark.django_db
-def test_org_admin_foreign_cred_no_copy_edit(jt_copy_edit, org_admin, machine_credential):
-    """
-    Organization admins without access to the 3 related resources:
-    SHOULD NOT be able to copy JT
-    SHOULD be able to edit that job template, for nonsensitive changes
-    """
-
-    # Attach credential to JT that org admin can not use
-    jt_copy_edit.credential = machine_credential
-    jt_copy_edit.save()
-
-    # Serializer can_copy/can_edit fields
-    serializer = JobTemplateSerializer(jt_copy_edit)
-    request = RequestFactory().get('/api/v1/job_templates/12/')
-    request.user = org_admin
-    serializer.context['request'] = request
-    response = serializer.to_representation(jt_copy_edit)
-    assert not response['summary_fields']['can_copy']
-    assert response['summary_fields']['can_edit']
-
-@pytest.mark.django_db
-def test_jt_admin_copy_edit(jt_copy_edit, rando):
-    """
-    JT admins wihout access to associated resources SHOULD NOT be able to copy
-    SHOULD be able to make nonsensitive changes"""
-
-    # random user given JT admin access only
-    jt_copy_edit.admin_role.members.add(rando)
-    jt_copy_edit.save()
-
-    # Serializer can_copy/can_edit fields
-    serializer = JobTemplateSerializer(jt_copy_edit)
-    request = RequestFactory().get('/api/v1/job_templates/12/')
-    request.user = rando
-    serializer.context['request'] = request
-    response = serializer.to_representation(jt_copy_edit)
-    assert not response['summary_fields']['can_copy']
-    assert response['summary_fields']['can_edit']
-
-@pytest.mark.django_db
-def test_proj_jt_admin_copy_edit(jt_copy_edit, rando):
-    "JT admins with access to associated resources SHOULD be able to copy"
-
-    # random user given JT and project admin abilities
-    jt_copy_edit.admin_role.members.add(rando)
-    jt_copy_edit.save()
-    jt_copy_edit.project.admin_role.members.add(rando)
-    jt_copy_edit.project.save()
-
-    # Serializer can_copy/can_edit fields
-    serializer = JobTemplateSerializer(jt_copy_edit)
-    request = RequestFactory().get('/api/v1/job_templates/12/')
-    request.user = rando
-    serializer.context['request'] = request
-    response = serializer.to_representation(jt_copy_edit)
-    assert response['summary_fields']['can_copy']
-    assert response['summary_fields']['can_edit']
-
-# Functional tests - create new JT with all returned fields, as the UI does
-
-@pytest.mark.django_db
-@mock.patch.object(ProjectOptions, "playbooks", project_playbooks)
-def test_org_admin_copy_edit_functional(jt_copy_edit, org_admin, get, post):
-    get_response = get(reverse('api:job_template_detail', args=[jt_copy_edit.pk]), user=org_admin)
-    assert get_response.status_code == 200
-    assert get_response.data['summary_fields']['can_copy']
-
-    post_data = get_response.data
-    post_data['name'] = '%s @ 12:19:47 pm' % post_data['name']
-    post_response = post(reverse('api:job_template_list', args=[]), user=org_admin, data=post_data)
-    assert post_response.status_code == 201
-    assert post_response.data['name'] == 'copy-edit-job-template @ 12:19:47 pm'
 
 @pytest.mark.django_db
 @mock.patch.object(ProjectOptions, "playbooks", project_playbooks)
@@ -277,7 +152,6 @@ def test_jt_admin_copy_edit_functional(jt_copy_edit, rando, get, post):
 
     get_response = get(reverse('api:job_template_detail', args=[jt_copy_edit.pk]), user=rando)
     assert get_response.status_code == 200
-    assert not get_response.data['summary_fields']['can_copy']
 
     post_data = get_response.data
     post_data['name'] = '%s @ 12:19:47 pm' % post_data['name']
diff --git a/awx/main/tests/functional/api/test_rbac_displays.py b/awx/main/tests/functional/api/test_rbac_displays.py
new file mode 100644
index 0000000000..eb94e01dff
--- /dev/null
+++ b/awx/main/tests/functional/api/test_rbac_displays.py
@@ -0,0 +1,323 @@
+import pytest
+
+from django.core.urlresolvers import reverse
+from django.test.client import RequestFactory
+
+from awx.main.models.jobs import JobTemplate
+from awx.main.models import Role, Group
+from awx.main.access import (
+    access_registry,
+    get_user_capabilities
+)
+from awx.main.utils import cache_list_capabilities
+from awx.api.serializers import JobTemplateSerializer
+
+# This file covers special-cases of displays of user_capabilities
+# general functionality should be covered fully by unit tests, see:
+#   awx/main/tests/unit/api/test_serializers.py :: 
+#           TestJobTemplateSerializerGetSummaryFields.test_copy_edit_standard
+#   awx/main/tests/unit/test_access.py ::
+#           test_user_capabilities_method
+
+
+@pytest.mark.django_db
+class TestOptionsRBAC:
+    """
+    Several endpoints are relied-upon by the UI to list POST as an
+    allowed action or not depending on whether the user has permission
+    to create a resource.
+    """
+
+    def test_inventory_group_host_can_add(self, inventory, alice, options):
+        inventory.admin_role.members.add(alice)
+
+        response = options(reverse('api:inventory_hosts_list', args=[inventory.pk]), alice)
+        assert 'POST' in response.data['actions']
+        response = options(reverse('api:inventory_groups_list', args=[inventory.pk]), alice)
+        assert 'POST' in response.data['actions']
+
+    def test_inventory_group_host_can_not_add(self, inventory, bob, options):
+        inventory.read_role.members.add(bob)
+
+        response = options(reverse('api:inventory_hosts_list', args=[inventory.pk]), bob)
+        assert 'POST' not in response.data['actions']
+        response = options(reverse('api:inventory_groups_list', args=[inventory.pk]), bob)
+        assert 'POST' not in response.data['actions']
+
+    def test_user_list_can_add(self, org_member, org_admin, options):
+        response = options(reverse('api:user_list'), org_admin)
+        assert 'POST' in response.data['actions']
+
+    def test_user_list_can_not_add(self, org_member, org_admin, options):
+        response = options(reverse('api:user_list'), org_member)
+        assert 'POST' not in response.data['actions']
+
+
+@pytest.mark.django_db
+class TestJobTemplateCopyEdit:
+    """
+    Tests contain scenarios that were raised as issues in the past,
+    which resulted from failed copy/edit actions even though the buttons
+    to do these actions were displayed.
+    """
+
+    @pytest.fixture
+    def jt_copy_edit(self, job_template_factory, project):
+        objects = job_template_factory(
+            'copy-edit-job-template',
+            project=project)
+        return objects.job_template
+
+    def fake_context(self, user):
+        request = RequestFactory().get('/api/v1/resource/42/')
+        request.user = user
+
+        class FakeView(object):
+            pass
+
+        fake_view = FakeView()
+        fake_view.request = request
+        context = {}
+        context['view'] = fake_view
+        context['request'] = request
+        return context
+
+    def test_validation_bad_data_copy_edit(self, admin_user, project):
+        """
+        If a required resource (inventory here) was deleted, copying not allowed
+        because doing so would caues a validation error
+        """
+
+        jt_res = JobTemplate.objects.create(
+            job_type='run',
+            project=project,
+            inventory=None,  ask_inventory_on_launch=False, # not allowed
+            credential=None, ask_credential_on_launch=True,
+            name='deploy-job-template'
+        )
+        serializer = JobTemplateSerializer(jt_res)
+        serializer.context = self.fake_context(admin_user)
+        response = serializer.to_representation(jt_res)
+        assert not response['summary_fields']['user_capabilities']['copy']
+        assert response['summary_fields']['user_capabilities']['edit']
+
+    def test_sys_admin_copy_edit(self, jt_copy_edit, admin_user):
+        "Absent a validation error, system admins can do everything"
+        serializer = JobTemplateSerializer(jt_copy_edit)
+        serializer.context = self.fake_context(admin_user)
+        response = serializer.to_representation(jt_copy_edit)
+        assert response['summary_fields']['user_capabilities']['copy']
+        assert response['summary_fields']['user_capabilities']['edit']
+
+    def test_org_admin_copy_edit(self, jt_copy_edit, org_admin):
+        "Organization admins SHOULD be able to copy a JT firmly in their org"
+        serializer = JobTemplateSerializer(jt_copy_edit)
+        serializer.context = self.fake_context(org_admin)
+        response = serializer.to_representation(jt_copy_edit)
+        assert response['summary_fields']['user_capabilities']['copy']
+        assert response['summary_fields']['user_capabilities']['edit']
+
+    def test_org_admin_foreign_cred_no_copy_edit(self, jt_copy_edit, org_admin, machine_credential):
+        """
+        Organization admins without access to the 3 related resources:
+        SHOULD NOT be able to copy JT
+        SHOULD be able to edit that job template, for nonsensitive changes
+        """
+
+        # Attach credential to JT that org admin can not use
+        jt_copy_edit.credential = machine_credential
+        jt_copy_edit.save()
+
+        serializer = JobTemplateSerializer(jt_copy_edit)
+        serializer.context = self.fake_context(org_admin)
+        response = serializer.to_representation(jt_copy_edit)
+        assert not response['summary_fields']['user_capabilities']['copy']
+        assert response['summary_fields']['user_capabilities']['edit']
+
+    def test_jt_admin_copy_edit(self, jt_copy_edit, rando):
+        """
+        JT admins wihout access to associated resources SHOULD NOT be able to copy
+        SHOULD be able to make nonsensitive changes"""
+
+        # random user given JT admin access only
+        jt_copy_edit.admin_role.members.add(rando)
+        jt_copy_edit.save()
+
+        serializer = JobTemplateSerializer(jt_copy_edit)
+        serializer.context = self.fake_context(rando)
+        response = serializer.to_representation(jt_copy_edit)
+        assert not response['summary_fields']['user_capabilities']['copy']
+        assert response['summary_fields']['user_capabilities']['edit']
+
+    def test_proj_jt_admin_copy_edit(self, jt_copy_edit, rando):
+        "JT admins with access to associated resources SHOULD be able to copy"
+
+        # random user given JT and project admin abilities
+        jt_copy_edit.admin_role.members.add(rando)
+        jt_copy_edit.save()
+        jt_copy_edit.project.admin_role.members.add(rando)
+        jt_copy_edit.project.save()
+
+        serializer = JobTemplateSerializer(jt_copy_edit)
+        serializer.context = self.fake_context(rando)
+        response = serializer.to_representation(jt_copy_edit)
+        assert response['summary_fields']['user_capabilities']['copy']
+        assert response['summary_fields']['user_capabilities']['edit']
+
+
+@pytest.fixture
+def mock_access_method(mocker):
+    mock_method = mocker.MagicMock()
+    mock_method.return_value = 'foobar'
+    mock_method.__name__ = 'bars' # Required for a logging statement
+    return mock_method
+
+@pytest.mark.django_db
+class TestAccessListCapabilities:
+    """
+    Test that the access_list serializer shows the exact output of the RoleAccess.can_attach
+     - looks at /api/v1/inventories/N/access_list/
+     - test for types: direct, indirect, and team access
+    """
+
+    extra_kwargs = dict(skip_sub_obj_read_check=False, data={})
+
+    def _assert_one_in_list(self, data, sublist='direct_access'):
+        "Establish that exactly 1 type of access exists so we know the entry is the right one"
+        assert len(data['results']) == 1
+        assert len(data['results'][0]['summary_fields'][sublist]) == 1
+    
+    def test_access_list_direct_access_capability(
+            self, inventory, rando, get, mocker, mock_access_method):
+        inventory.admin_role.members.add(rando)
+
+        with mocker.patch.object(access_registry[Role][0], 'can_unattach', mock_access_method):
+            response = get(reverse('api:inventory_access_list', args=(inventory.id,)), rando)
+
+        mock_access_method.assert_called_once_with(inventory.admin_role, rando, 'members', **self.extra_kwargs)
+        self._assert_one_in_list(response.data)
+        direct_access_list = response.data['results'][0]['summary_fields']['direct_access']
+        assert direct_access_list[0]['role']['user_capabilities']['unattach'] == 'foobar'
+
+    def test_access_list_indirect_access_capability(
+            self, inventory, organization, org_admin, get, mocker, mock_access_method):
+        with mocker.patch.object(access_registry[Role][0], 'can_unattach', mock_access_method):
+            response = get(reverse('api:inventory_access_list', args=(inventory.id,)), org_admin)
+
+        mock_access_method.assert_called_once_with(organization.admin_role, org_admin, 'members', **self.extra_kwargs)
+        self._assert_one_in_list(response.data, sublist='indirect_access')
+        indirect_access_list = response.data['results'][0]['summary_fields']['indirect_access']
+        assert indirect_access_list[0]['role']['user_capabilities']['unattach'] == 'foobar'
+
+    def test_access_list_team_direct_access_capability(
+            self, inventory, team, team_member, get, mocker, mock_access_method):
+        team.member_role.children.add(inventory.admin_role)
+
+        with mocker.patch.object(access_registry[Role][0], 'can_unattach', mock_access_method):
+            response = get(reverse('api:inventory_access_list', args=(inventory.id,)), team_member)
+
+        mock_access_method.assert_called_once_with(inventory.admin_role, team.member_role, 'parents', **self.extra_kwargs)
+        self._assert_one_in_list(response.data)
+        direct_access_list = response.data['results'][0]['summary_fields']['direct_access']
+        assert direct_access_list[0]['role']['user_capabilities']['unattach'] == 'foobar'
+
+
+@pytest.mark.django_db
+def test_team_roles_unattach(mocker, team, team_member, inventory, mock_access_method, get):
+    team.member_role.children.add(inventory.admin_role)
+
+    with mocker.patch.object(access_registry[Role][0], 'can_unattach', mock_access_method):
+        response = get(reverse('api:team_roles_list', args=(team.id,)), team_member)
+
+    # Did we assess whether team_member can remove team's permission to the inventory?
+    mock_access_method.assert_called_once_with(
+        inventory.admin_role, team.member_role, 'parents', skip_sub_obj_read_check=True, data={})
+    assert response.data['results'][0]['summary_fields']['user_capabilities']['unattach'] == 'foobar'
+
+@pytest.mark.django_db
+def test_user_roles_unattach(mocker, organization, alice, bob, mock_access_method, get):
+    # Add to same organization so that alice and bob can see each other
+    organization.member_role.members.add(alice)
+    organization.member_role.members.add(bob)
+
+    with mocker.patch.object(access_registry[Role][0], 'can_unattach', mock_access_method):
+        response = get(reverse('api:user_roles_list', args=(alice.id,)), bob)
+
+    # Did we assess whether bob can remove alice's permission to the inventory?
+    mock_access_method.assert_called_once_with(
+        organization.member_role, alice, 'members', skip_sub_obj_read_check=True, data={})
+    assert response.data['results'][0]['summary_fields']['user_capabilities']['unattach'] == 'foobar'
+
+@pytest.mark.django_db
+def test_team_roles_unattach_functional(team, team_member, inventory, get):
+    team.member_role.children.add(inventory.admin_role)
+    response = get(reverse('api:team_roles_list', args=(team.id,)), team_member)
+    # Team member should be able to remove access to inventory, becauase
+    # the inventory admin_role grants that ability
+    assert response.data['results'][0]['summary_fields']['user_capabilities']['unattach']
+
+@pytest.mark.django_db
+def test_user_roles_unattach_functional(organization, alice, bob, get):
+    organization.member_role.members.add(alice)
+    organization.member_role.members.add(bob)
+    response = get(reverse('api:user_roles_list', args=(alice.id,)), bob)
+    # Org members can not revoke the membership of other members
+    assert not response.data['results'][0]['summary_fields']['user_capabilities']['unattach']
+
+
+@pytest.mark.django_db
+def test_prefetch_jt_capabilities(job_template, rando):
+    job_template.execute_role.members.add(rando)
+    qs = JobTemplate.objects.all()
+    cache_list_capabilities(qs, ['admin', 'execute'], JobTemplate, rando)
+    assert qs[0].capabilities_cache == {'edit': False, 'start': True}
+
+@pytest.mark.django_db
+def test_prefetch_group_capabilities(group, rando):
+    group.inventory.adhoc_role.members.add(rando)
+    qs = Group.objects.all()
+    cache_list_capabilities(qs, ['inventory.admin', 'inventory.adhoc'], Group, rando)
+    assert qs[0].capabilities_cache == {'edit': False, 'adhoc': True}
+
+@pytest.mark.django_db
+def test_prefetch_jt_copy_capability(job_template, project, inventory, machine_credential, rando):
+    job_template.project = project
+    job_template.inventory = inventory
+    job_template.credential = machine_credential
+    job_template.save()
+
+    qs = JobTemplate.objects.all()
+    cache_list_capabilities(qs, [{'copy': [
+        'project.use', 'inventory.use', 'credential.use',
+        'cloud_credential.use', 'network_credential.use'
+    ]}], JobTemplate, rando)
+    assert qs[0].capabilities_cache == {'copy': False}
+
+    project.use_role.members.add(rando)
+    inventory.use_role.members.add(rando)
+    machine_credential.use_role.members.add(rando)
+
+    cache_list_capabilities(qs, [{'copy': [
+        'project.use', 'inventory.use', 'credential.use',
+        'cloud_credential.use', 'network_credential.use'
+    ]}], JobTemplate, rando)
+    assert qs[0].capabilities_cache == {'copy': True}
+
+@pytest.mark.django_db
+def test_group_update_capabilities_possible(group, inventory_source, admin_user):
+    group.inventory_source = inventory_source
+    group.save()
+
+    capabilities = get_user_capabilities(admin_user, group, method_list=['start'])
+    assert capabilities['start']
+
+@pytest.mark.django_db
+def test_group_update_capabilities_impossible(group, inventory_source, admin_user):
+    inventory_source.source = ""
+    inventory_source.save()
+    group.inventory_source = inventory_source
+    group.save()
+
+    capabilities = get_user_capabilities(admin_user, group, method_list=['start'])
+    assert not capabilities['start']
+
diff --git a/awx/main/tests/unit/api/serializers/test_job_template_serializers.py b/awx/main/tests/unit/api/serializers/test_job_template_serializers.py
index dc0c672a70..ba47b09e7f 100644
--- a/awx/main/tests/unit/api/serializers/test_job_template_serializers.py
+++ b/awx/main/tests/unit/api/serializers/test_job_template_serializers.py
@@ -6,9 +6,13 @@ import mock
 from awx.api.serializers import (
     JobTemplateSerializer,
 )
+from awx.api.views import JobTemplateDetail
 from awx.main.models import (
+    Role,
+    User,
     Job,
 )
+from rest_framework.test import APIRequestFactory
 
 #DRF
 from rest_framework import serializers
@@ -77,21 +81,33 @@ class TestJobTemplateSerializerGetSummaryFields():
         summary = get_summary_fields_mock_and_run(JobTemplateSerializer, job_template)
         assert 'survey' not in summary
 
-    @pytest.mark.skip(reason="RBAC needs to land")
-    def test_can_copy_true(self, mocker, job_template):
-        pass
+    def test_copy_edit_standard(self, mocker, job_template_factory):
+        """Verify that the exact output of the access.py methods
+        are put into the serializer user_capabilities"""
 
-    @pytest.mark.skip(reason="RBAC needs to land")
-    def test_can_copy_false(self, mocker, job_template):
-        pass
+        jt_obj = job_template_factory('testJT', project='proj1', persisted=False).job_template
+        jt_obj.id = 5
+        jt_obj.admin_role = Role(id=9, role_field='admin_role')
+        jt_obj.execute_role = Role(id=8, role_field='execute_role')
+        jt_obj.read_role = Role(id=7, role_field='execute_role')
+        user = User(username="auser")
+        serializer = JobTemplateSerializer(job_template)
+        serializer.show_capabilities = ['copy', 'edit']
+        serializer._summary_field_labels = lambda self: []
+        serializer._recent_jobs = lambda self: []
+        request = APIRequestFactory().get('/api/v1/job_templates/42/')
+        request.user = user
+        view = JobTemplateDetail()
+        view.request = request
+        serializer.context['view'] = view
 
-    @pytest.mark.skip(reason="RBAC needs to land")
-    def test_can_edit_true(self, mocker, job_template):
-        pass
+        with mocker.patch("awx.main.models.rbac.Role.get_description", return_value='Can eat pie'):
+            with mocker.patch("awx.main.access.JobTemplateAccess.can_change", return_value='foobar'):
+                with mocker.patch("awx.main.access.JobTemplateAccess.can_add", return_value='foo'):
+                    response = serializer.get_summary_fields(jt_obj)
 
-    @pytest.mark.skip(reason="RBAC needs to land")
-    def test_can_edit_false(self, mocker, job_template):
-        pass
+        assert response['user_capabilities']['copy'] == 'foo'
+        assert response['user_capabilities']['edit'] == 'foobar'
 
 class TestJobTemplateSerializerValidation(object):
 
diff --git a/awx/main/tests/unit/models/test_job_template_unit.py b/awx/main/tests/unit/models/test_job_template_unit.py
index a156d1e920..088b4d3d7c 100644
--- a/awx/main/tests/unit/models/test_job_template_unit.py
+++ b/awx/main/tests/unit/models/test_job_template_unit.py
@@ -50,3 +50,32 @@ def test_job_template_survey_password_redaction(job_template_with_survey_passwor
     """Tests the JobTemplate model's funciton to redact passwords from
     extra_vars - used when creating a new job"""
     assert job_template_with_survey_passwords_unit.survey_password_variables() == ['secret_key', 'SSN']
+
+def test_job_template_survey_variable_validation(job_template_factory):
+    objects = job_template_factory(
+        'survey_variable_validation',
+        organization='org1',
+        inventory='inventory1',
+        credential='cred1',
+        persisted=False,
+    )
+    obj = objects.job_template
+    obj.survey_spec = {
+        "description": "",
+        "spec": [
+            {
+                "required": True,
+                "min": 0,
+                "default": "5",
+                "max": 1024,
+                "question_description": "",
+                "choices": "",
+                "variable": "a",
+                "question_name": "Whosyourdaddy",
+                "type": "text"
+            }
+        ],
+        "name": ""
+    }
+    obj.survey_enabled = True
+    assert obj.survey_variable_validation({"a": 5}) == ["Value 5 for 'a' expected to be a string."]
diff --git a/awx/main/tests/unit/test_access.py b/awx/main/tests/unit/test_access.py
index b400a09596..650ed19864 100644
--- a/awx/main/tests/unit/test_access.py
+++ b/awx/main/tests/unit/test_access.py
@@ -134,3 +134,28 @@ class TestWorkflowAccessMethods:
             with mock.patch('awx.main.access.get_object_or_400', mock_get_object):
                 assert access.can_add({'organization': 1})
 
+
+@pytest.mark.django_db
+def test_user_capabilities_method():
+    """Unit test to verify that the user_capabilities method will defer
+    to the appropriate sub-class methods of the access classes.
+    Note that normal output is True/False, but a string is returned
+    in these tests to establish uniqueness.
+    """
+
+    class FooAccess(BaseAccess):
+        def can_change(self, obj, data):
+            return 'bar'
+
+        def can_add(self, data):
+            return 'foobar'
+
+    user = User(username='auser')
+    foo_access = FooAccess(user)
+    foo = object()
+    foo_capabilities = foo_access.get_user_capabilities(foo, ['edit', 'copy'])
+    assert foo_capabilities == {
+        'edit': 'bar',
+        'copy': 'foobar'
+    }
+
diff --git a/awx/main/tests/unit/test_network_credential.py b/awx/main/tests/unit/test_network_credential.py
index 8ef5c4cb5e..6517c14a89 100644
--- a/awx/main/tests/unit/test_network_credential.py
+++ b/awx/main/tests/unit/test_network_credential.py
@@ -74,6 +74,7 @@ def test_net_cred_ssh_agent(mocker, get_ssh_version):
         mocker.patch.object(run_job, 'should_use_proot', return_value=False)
         mocker.patch.object(run_job, 'run_pexpect', return_value=('successful', 0))
         mocker.patch.object(run_job, 'open_fifo_write', return_value=None)
+        mocker.patch.object(run_job, 'post_run_hook', return_value=None)
 
         run_job.run(mock_job.id)
         assert run_job.update_model.call_count == 3
diff --git a/awx/main/utils.py b/awx/main/utils.py
index 270d62e50f..0603e05997 100644
--- a/awx/main/utils.py
+++ b/awx/main/utils.py
@@ -33,7 +33,7 @@ logger = logging.getLogger('awx.main.utils')
 
 __all__ = ['get_object_or_400', 'get_object_or_403', 'camelcase_to_underscore', 'memoize',
            'get_ansible_version', 'get_ssh_version', 'get_awx_version', 'update_scm_url',
-           'get_type_for_model', 'get_model_for_type', 'to_python_boolean',
+           'get_type_for_model', 'get_model_for_type', 'cache_list_capabilities', 'to_python_boolean',
            'ignore_inventory_computed_fields', 'ignore_inventory_group_removal',
            '_inventory_updates', 'get_pk_from_dict', 'getattrd', 'NoDefaultProvided',
            'get_current_apps', 'set_current_apps']
@@ -409,6 +409,72 @@ def get_model_for_type(type):
             return ct_model
 
 
+def cache_list_capabilities(page, prefetch_list, model, user):
+    '''
+    Given a `page` list of objects, the specified roles for the specified user
+    are save on each object in the list, using 1 query for each role type
+
+    Examples:
+    capabilities_prefetch = ['admin', 'execute']
+      --> prefetch the admin (edit) and execute (start) permissions for
+          items in list for current user
+    capabilities_prefetch = ['inventory.admin']
+      --> prefetch the related inventory FK permissions for current user,
+          and put it into the object's cache
+    capabilities_prefetch = [{'copy': ['inventory.admin', 'project.admin']}]
+      --> prefetch logical combination of admin permission to inventory AND
+          project, put into cache dictionary as "copy"
+    '''
+    from django.db.models import Q
+    page_ids = [obj.id for obj in page]
+    for obj in page:
+        obj.capabilities_cache = {}
+
+    for prefetch_entry in prefetch_list:
+
+        display_method = None
+        if type(prefetch_entry) is dict:
+            display_method = prefetch_entry.keys()[0]
+            paths = prefetch_entry[display_method]
+        else:
+            paths = prefetch_entry
+
+        if type(paths) is not list:
+            paths = [paths]
+
+        # Build the query for accessible_objects according the user & role(s)
+        qs_obj = None
+        for role_path in paths:
+            if '.' in role_path:
+                res_path = '__'.join(role_path.split('.')[:-1])
+                role_type = role_path.split('.')[-1]
+                if qs_obj is None:
+                    qs_obj = model.objects
+                parent_model = model._meta.get_field(res_path).related_model
+                kwargs = {'%s__in' % res_path: parent_model.accessible_objects(user, '%s_role' % role_type)}
+                qs_obj = qs_obj.filter(Q(**kwargs) | Q(**{'%s__isnull' % res_path: True}))
+            else:
+                role_type = role_path
+                qs_obj = model.accessible_objects(user, '%s_role' % role_type)
+
+        if display_method is None:
+            # Role name translation to UI names for methods
+            display_method = role_type
+            if role_type == 'admin':
+                display_method = 'edit'
+            elif role_type in ['execute', 'update']:
+                display_method = 'start'
+
+        # Union that query with the list of items on page
+        ids_with_role = set(qs_obj.filter(pk__in=page_ids).values_list('pk', flat=True))
+
+        # Save data item-by-item
+        for obj in page:
+            obj.capabilities_cache[display_method] = False
+            if obj.pk in ids_with_role:
+                obj.capabilities_cache[display_method] = True
+
+
 def get_system_task_capacity():
     '''
     Measure system memory and use it as a baseline for determining the system's capacity
diff --git a/awx/ui/.npmrc b/awx/ui/.npmrc
new file mode 100644
index 0000000000..d883e4fa13
--- /dev/null
+++ b/awx/ui/.npmrc
@@ -0,0 +1 @@
+progress=false
diff --git a/awx/ui/client/src/access/roleList.partial.html b/awx/ui/client/src/access/roleList.partial.html
index 1478c9dc37..365a20f061 100644
--- a/awx/ui/client/src/access/roleList.partial.html
+++ b/awx/ui/client/src/access/roleList.partial.html
@@ -1,13 +1,13 @@
 <div class="RoleList-tagContainer"
     ng-repeat="entry in access_list">
     <div class="RoleList-deleteContainer"
-        ng-if="entry.explicit"
+        ng-if="entry.explicit && entry.user_capabilities.unattach"
         ng-click="deletePermission(permission, entry)">
-        <i ng-if="entry.explicit"
+        <i ng-if="entry.explicit && entry.user_capabilities.unattach"
             class="fa fa-times RoleList-tagDelete"></i>
     </div>
     <div class="RoleList-tag"
-        ng-class="{'RoleList-tag--deletable': entry.explicit,
+        ng-class="{'RoleList-tag--deletable': entry.explicit && entry.user_capabilities.unattach,
             'RoleList-tag--team': entry.team_id}"
         aw-tool-tip='{{entry.team_name | sanitize}}' aw-tip-placement='bottom'>
         <span class="RoleList-name">{{ entry.name }}</span>
diff --git a/awx/ui/client/src/app.js b/awx/ui/client/src/app.js
index b3425609fe..0f925812f6 100644
--- a/awx/ui/client/src/app.js
+++ b/awx/ui/client/src/app.js
@@ -839,6 +839,7 @@ var tower = angular.module('Tower', [
                 // If browser refresh, set the user_is_superuser value
                 $rootScope.user_is_superuser = Authorization.getUserInfo('is_superuser');
                 $rootScope.user_is_system_auditor = Authorization.getUserInfo('is_system_auditor');
+
                 // state the user refreshes we want to open the socket, except if the user is on the login page, which should happen after the user logs in (see the AuthService module for that call to OpenSocket)
                 if (!_.contains($location.$$url, '/login')) {
                     ConfigService.getConfig().then(function() {
diff --git a/awx/ui/client/src/controllers/Credentials.js b/awx/ui/client/src/controllers/Credentials.js
index 66b016dc50..11e2b4e435 100644
--- a/awx/ui/client/src/controllers/Credentials.js
+++ b/awx/ui/client/src/controllers/Credentials.js
@@ -14,9 +14,14 @@
 export function CredentialsList($scope, $rootScope, $location, $log,
     $stateParams, Rest, Alert, CredentialList, GenerateList, Prompt, SearchInit,
     PaginateInit, ReturnToCaller, ClearScope, ProcessErrors, GetBasePath,
-    SelectionInit, GetChoices, Wait, $state, $filter) {
+    SelectionInit, GetChoices, Wait, $state, $filter, rbacUiControlService) {
     ClearScope();
 
+    rbacUiControlService.canAdd('credentials')
+        .then(function(canAdd) {
+            $scope.canAdd = canAdd;
+        });
+
     Wait('start');
 
     var list = CredentialList,
@@ -129,7 +134,7 @@ CredentialsList.$inject = ['$scope', '$rootScope', '$location', '$log',
     '$stateParams', 'Rest', 'Alert', 'CredentialList', 'generateList', 'Prompt',
     'SearchInit', 'PaginateInit', 'ReturnToCaller', 'ClearScope',
     'ProcessErrors', 'GetBasePath', 'SelectionInit', 'GetChoices', 'Wait',
-    '$state', '$filter'
+    '$state', '$filter', 'rbacUiControlService'
 ];
 
 
@@ -138,7 +143,6 @@ export function CredentialsAdd($scope, $rootScope, $compile, $location, $log,
     ReturnToCaller, ClearScope, GenerateList, SearchInit, PaginateInit,
     LookUpInit, OrganizationList, GetBasePath, GetChoices, Empty, KindChange,
     OwnerChange, FormSave, $state, CreateSelect2) {
-
     ClearScope();
 
     // Inject dynamic view
@@ -337,6 +341,7 @@ export function CredentialsEdit($scope, $rootScope, $compile, $location, $log,
     }
 
     ClearScope();
+
     var defaultUrl = GetBasePath('credentials'),
         generator = GenerateForm,
         form = CredentialForm,
@@ -344,10 +349,17 @@ export function CredentialsEdit($scope, $rootScope, $compile, $location, $log,
         master = {},
         id = $stateParams.credential_id,
         relatedSets = {};
+
     generator.inject(form, { mode: 'edit', related: true, scope: $scope });
     generator.reset();
     $scope.id = id;
 
+    $scope.$watch('credential_obj.summary_fields.user_capabilities.edit', function(val) {
+        if (val === false) {
+            $scope.canAdd = false;
+        }
+    });
+
     $scope.canShareCredential = false;
 
     if ($rootScope.current_user.is_superuser) {
diff --git a/awx/ui/client/src/controllers/Jobs.js b/awx/ui/client/src/controllers/Jobs.js
index 3f0e3bdcfd..0e2f46f736 100644
--- a/awx/ui/client/src/controllers/Jobs.js
+++ b/awx/ui/client/src/controllers/Jobs.js
@@ -13,7 +13,7 @@
 
 export function JobsListController ($rootScope, $log, $scope, $compile, $stateParams,
     ClearScope, LoadSchedulesScope,
-    LoadJobsScope, AllJobsList, ScheduledJobsList, GetChoices, GetBasePath, Wait) {
+    LoadJobsScope, AllJobsList, ScheduledJobsList, GetChoices, GetBasePath, Wait, $state) {
 
     ClearScope();
 
@@ -61,6 +61,11 @@ export function JobsListController ($rootScope, $log, $scope, $compile, $statePa
             }
         }
         jobs_scope = $scope.$new(true);
+
+        jobs_scope.viewJob = function (id) {
+            $state.transitionTo('jobDetail', {id: id});
+        };
+        
         jobs_scope.showJobType = true;
         LoadJobsScope({
             parent_scope: $scope,
@@ -153,4 +158,4 @@ export function JobsListController ($rootScope, $log, $scope, $compile, $statePa
 
 JobsListController.$inject = ['$rootScope', '$log', '$scope', '$compile', '$stateParams',
 'ClearScope', 'LoadSchedulesScope', 'LoadJobsScope',
-'AllJobsList', 'ScheduledJobsList', 'GetChoices', 'GetBasePath', 'Wait'];
+'AllJobsList', 'ScheduledJobsList', 'GetChoices', 'GetBasePath', 'Wait', '$state'];
diff --git a/awx/ui/client/src/controllers/Projects.js b/awx/ui/client/src/controllers/Projects.js
index 60692d581e..f5db4a2b8c 100644
--- a/awx/ui/client/src/controllers/Projects.js
+++ b/awx/ui/client/src/controllers/Projects.js
@@ -15,10 +15,16 @@ export function ProjectsList ($scope, $rootScope, $location, $log, $stateParams,
     Rest, Alert, ProjectList, GenerateList, Prompt, SearchInit,
     PaginateInit, ReturnToCaller, ClearScope, ProcessErrors, GetBasePath,
     SelectionInit, ProjectUpdate, Refresh, Wait, GetChoices, Empty,
-    Find, GetProjectIcon, GetProjectToolTip, $filter, $state) {
-
+    Find, GetProjectIcon, GetProjectToolTip, $filter, $state, rbacUiControlService) {
     ClearScope();
 
+    $scope.canAdd = false;
+
+    rbacUiControlService.canAdd('projects')
+        .then(function(canAdd) {
+            $scope.canAdd = canAdd;
+        });
+
     Wait('start');
 
     var list = ProjectList,
@@ -369,7 +375,7 @@ ProjectsList.$inject = ['$scope', '$rootScope', '$location', '$log',
     'SearchInit', 'PaginateInit', 'ReturnToCaller', 'ClearScope',
     'ProcessErrors', 'GetBasePath', 'SelectionInit', 'ProjectUpdate',
     'Refresh', 'Wait', 'GetChoices', 'Empty', 'Find',
-    'GetProjectIcon', 'GetProjectToolTip', '$filter', '$state'
+    'GetProjectIcon', 'GetProjectToolTip', '$filter', '$state', 'rbacUiControlService'
 ];
 
 
@@ -379,6 +385,15 @@ export function ProjectsAdd(Refresh, $scope, $rootScope, $compile, $location, $l
     OrganizationList, CredentialList, GetChoices, DebugForm, Wait, $state,
     CreateSelect2) {
 
+    Rest.setUrl(GetBasePath('projects'));
+    Rest.options()
+        .success(function(data) {
+            if (!data.actions.POST) {
+                $state.go("^");
+                Alert('Permission Error', 'You do not have permission to add a project.', 'alert-info');
+            }
+        });
+
     ClearScope();
 
     // Inject dynamic view
@@ -559,6 +574,12 @@ export function ProjectsEdit($scope, $rootScope, $compile, $location, $log,
 
     ClearScope('htmlTemplate');
 
+    $scope.$watch('project_obj.summary_fields.user_capabilities.edit', function(val) {
+        if (val === false) {
+            $scope.canAdd = false;
+        }
+    });
+
     // Inject dynamic view
     var form = ProjectsForm(),
         generator = GenerateForm,
diff --git a/awx/ui/client/src/controllers/Teams.js b/awx/ui/client/src/controllers/Teams.js
index a8eed62bc5..aded8e5824 100644
--- a/awx/ui/client/src/controllers/Teams.js
+++ b/awx/ui/client/src/controllers/Teams.js
@@ -14,10 +14,16 @@
 export function TeamsList($scope, $rootScope, $location, $log, $stateParams,
     Rest, Alert, TeamList, GenerateList, Prompt, SearchInit, PaginateInit,
     ReturnToCaller, ClearScope, ProcessErrors, SetTeamListeners, GetBasePath,
-    SelectionInit, Wait, $state, Refresh, $filter) {
-
+    SelectionInit, Wait, $state, Refresh, $filter, rbacUiControlService) {
     ClearScope();
 
+    $scope.canAdd = false;
+
+    rbacUiControlService.canAdd('teams')
+        .then(function(canAdd) {
+            $scope.canAdd = canAdd;
+        });
+
     var list = TeamList,
         defaultUrl = GetBasePath('teams'),
         generator = GenerateList,
@@ -126,7 +132,7 @@ TeamsList.$inject = ['$scope', '$rootScope', '$location', '$log',
     '$stateParams', 'Rest', 'Alert', 'TeamList', 'generateList', 'Prompt',
     'SearchInit', 'PaginateInit', 'ReturnToCaller', 'ClearScope',
     'ProcessErrors', 'SetTeamListeners', 'GetBasePath', 'SelectionInit', 'Wait',
-    '$state', 'Refresh', '$filter'
+    '$state', 'Refresh', '$filter', 'rbacUiControlService'
 ];
 
 
@@ -137,6 +143,15 @@ export function TeamsAdd($scope, $rootScope, $compile, $location, $log,
     ClearScope('htmlTemplate'); //Garbage collection. Don't leave behind any listeners/watchers from the prior
     //$scope.
 
+    Rest.setUrl(GetBasePath('teams'));
+    Rest.options()
+        .success(function(data) {
+            if (!data.actions.POST) {
+                $state.go("^");
+                Alert('Permission Error', 'You do not have permission to add a team.', 'alert-info');
+            }
+        });
+
     // Inject dynamic view
     var defaultUrl = GetBasePath('teams'),
         form = TeamForm,
@@ -208,6 +223,12 @@ export function TeamsEdit($scope, $rootScope, $location,
 
     $scope.team_id = id;
 
+    $scope.$watch('team_obj.summary_fields.user_capabilities.edit', function(val) {
+        if (val === false) {
+            $scope.canAdd = false;
+        }
+    });
+
 
     generator.inject(form, { mode: 'edit', related: true, scope: $scope });
     generator.reset();
diff --git a/awx/ui/client/src/controllers/Users.js b/awx/ui/client/src/controllers/Users.js
index 103e1d1c84..eb55a1bbb2 100644
--- a/awx/ui/client/src/controllers/Users.js
+++ b/awx/ui/client/src/controllers/Users.js
@@ -34,10 +34,16 @@ function user_type_sync($scope) {
 export function UsersList($scope, $rootScope, $location, $log, $stateParams,
     Rest, Alert, UserList, GenerateList, Prompt, SearchInit, PaginateInit,
     ReturnToCaller, ClearScope, ProcessErrors, GetBasePath, SelectionInit,
-    Wait, $state, Refresh, $filter) {
-
+    Wait, $state, Refresh, $filter, rbacUiControlService) {
     ClearScope();
 
+    $scope.canAdd = false;
+
+    rbacUiControlService.canAdd('users')
+        .then(function(canAdd) {
+            $scope.canAdd = canAdd;
+        });
+
     var list = UserList,
         defaultUrl = GetBasePath('users'),
         generator = GenerateList,
@@ -136,7 +142,7 @@ UsersList.$inject = ['$scope', '$rootScope', '$location', '$log',
     '$stateParams', 'Rest', 'Alert', 'UserList', 'generateList', 'Prompt',
     'SearchInit', 'PaginateInit', 'ReturnToCaller', 'ClearScope',
     'ProcessErrors', 'GetBasePath', 'SelectionInit', 'Wait', '$state',
-    'Refresh', '$filter'
+    'Refresh', '$filter', 'rbacUiControlService'
 ];
 
 
@@ -148,6 +154,15 @@ export function UsersAdd($scope, $rootScope, $compile, $location, $log,
     ReturnToCaller, ClearScope, GetBasePath, LookUpInit, OrganizationList,
     ResetForm, Wait, CreateSelect2, $state) {
 
+    Rest.setUrl(GetBasePath('users'));
+    Rest.options()
+        .success(function(data) {
+            if (!data.actions.POST) {
+                $state.go("^");
+                Alert('Permission Error', 'You do not have permission to add a user.', 'alert-info');
+            }
+        });
+
     ClearScope();
 
     // Inject dynamic view
@@ -279,6 +294,12 @@ export function UsersEdit($scope, $rootScope, $location,
     $scope.user_type = user_type_options[0];
     $scope.$watch('user_type', user_type_sync($scope));
 
+    $scope.$watch('user_obj.summary_fields.user_capabilities.edit', function(val) {
+        if (val === false) {
+            $scope.canAdd = false;
+        }
+    });
+
     var setScopeFields = function(data){
         _(data)
         .pick(function(value, key){
diff --git a/awx/ui/client/src/forms/Credentials.js b/awx/ui/client/src/forms/Credentials.js
index d503f53905..abcbbd476d 100644
--- a/awx/ui/client/src/forms/Credentials.js
+++ b/awx/ui/client/src/forms/Credentials.js
@@ -32,13 +32,15 @@ export default
                     type: 'text',
                     addRequired: true,
                     editRequired: true,
-                    autocomplete: false
+                    autocomplete: false,
+                    ngDisabled: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 description: {
                     label: 'Description',
                     type: 'text',
                     addRequired: false,
-                    editRequired: false
+                    editRequired: false,
+                    ngDisabled: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 organization: {
                     addRequired: false,
@@ -52,7 +54,8 @@ export default
                     awPopOver: "<p>If no organization is given, the credential can only be used by the user that creates the credential.  Organization admins and system administrators can assign an organization so that roles for the credential can be assigned to users and teams in that organization.</p>",
                     dataTitle: 'Organization ',
                     dataPlacement: 'bottom',
-                    dataContainer: "body"
+                    dataContainer: "body",
+                    ngDisabled: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 kind: {
                     label: 'Type',
@@ -83,7 +86,8 @@ export default
                     dataTitle: 'Type',
                     dataPlacement: 'right',
                     dataContainer: "body",
-                    hasSubForm: true
+                    hasSubForm: true,
+                    ngDisabled: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 access_key: {
                     label: 'Access Key',
@@ -96,12 +100,13 @@ export default
                     autocomplete: false,
                     apiField: 'username',
                     subForm: 'credentialSubForm',
+                    ngDisabled: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 secret_key: {
                     label: 'Secret Key',
                     type: 'sensitive',
                     ngShow: "kind.value == 'aws'",
-                    ngDisabled: "secret_key_ask",
+                    ngDisabled: "secret_key_ask || !(credential_obj.summary_fields.user_capabilities.edit || canAdd)",
                     awRequiredWhen: {
                         reqExpression: "aws_required",
                         init: false
@@ -123,7 +128,8 @@ export default
                     dataTitle: 'STS Token',
                     dataPlacement: 'right',
                     dataContainer: "body",
-                    subForm: 'credentialSubForm'
+                    subForm: 'credentialSubForm',
+                    ngDisabled: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 "host": {
                     labelBind: 'hostLabel',
@@ -139,7 +145,8 @@ export default
                         reqExpression: 'host_required',
                         init: false
                     },
-                    subForm: 'credentialSubForm'
+                    subForm: 'credentialSubForm',
+                    ngDisabled: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 "subscription": {
                     label: "Subscription ID",
@@ -156,7 +163,8 @@ export default
                     dataTitle: 'Subscription ID',
                     dataPlacement: 'right',
                     dataContainer: "body",
-                    subForm: 'credentialSubForm'
+                    subForm: 'credentialSubForm',
+                    ngDisabled: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 "username": {
                     labelBind: 'usernameLabel',
@@ -168,7 +176,8 @@ export default
                         init: false
                     },
                     autocomplete: false,
-                    subForm: "credentialSubForm"
+                    subForm: "credentialSubForm",
+                    ngDisabled: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 "email_address": {
                     labelBind: 'usernameLabel',
@@ -183,7 +192,8 @@ export default
                     dataTitle: 'Email',
                     dataPlacement: 'right',
                     dataContainer: "body",
-                    subForm: 'credentialSubForm'
+                    subForm: 'credentialSubForm',
+                    ngDisabled: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 "api_key": {
                     label: 'API Key',
@@ -196,7 +206,8 @@ export default
                     autocomplete: false,
                     hasShowInputButton: true,
                     clear: false,
-                    subForm: 'credentialSubForm'
+                    subForm: 'credentialSubForm',
+                    ngDisabled: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 "password": {
                     labelBind: 'passwordLabel',
@@ -209,13 +220,14 @@ export default
                         reqExpression: "password_required",
                         init: false
                     },
-                    subForm: "credentialSubForm"
+                    subForm: "credentialSubForm",
+                    ngDisabled: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 "ssh_password": {
                     label: 'Password',
                     type: 'sensitive',
                     ngShow: "kind.value == 'ssh'",
-                    ngDisabled: "ssh_password_ask",
+                    ngDisabled: "ssh_password_ask || !(credential_obj.summary_fields.user_capabilities.edit || canAdd)",
                     addRequired: false,
                     editRequired: false,
                     subCheckbox: {
@@ -247,7 +259,8 @@ export default
                     dataTitle: 'Private Key',
                     dataPlacement: 'right',
                     dataContainer: "body",
-                    subForm: "credentialSubForm"
+                    subForm: "credentialSubForm",
+                    ngDisabled: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 "ssh_key_unlock": {
                     label: 'Private Key Passphrase',
@@ -255,7 +268,7 @@ export default
                     ngShow: "kind.value == 'ssh' || kind.value == 'scm'",
                     addRequired: false,
                     editRequired: false,
-                    ngDisabled: "keyEntered === false || ssh_key_unlock_ask",
+                    ngDisabled: "keyEntered === false || ssh_key_unlock_ask || !(credential_obj.summary_fields.user_capabilities.edit || canAdd)",
                     subCheckbox: {
                         variable: 'ssh_key_unlock_ask',
                         ngShow: "kind.value == 'ssh'",
@@ -278,7 +291,8 @@ export default
                     "<code>sudo | su | pbrun | pfexec | runas</code> <br>(defaults to <code>sudo</code>)</p>",
                     dataPlacement: 'right',
                     dataContainer: "body",
-                    subForm: 'credentialSubForm'
+                    subForm: 'credentialSubForm',
+                    ngDisabled: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 "become_username": {
                     labelBind: 'becomeUsernameLabel',
@@ -287,13 +301,14 @@ export default
                     addRequired: false,
                     editRequired: false,
                     autocomplete: false,
-                    subForm: 'credentialSubForm'
+                    subForm: 'credentialSubForm',
+                    ngDisabled: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 "become_password": {
                     labelBind: 'becomePasswordLabel',
                     type: 'sensitive',
                     ngShow: "(kind.value == 'ssh' && (become_method && become_method.value)) ",
-                    ngDisabled: "become_password_ask",
+                    ngDisabled: "become_password_ask || !(credential_obj.summary_fields.user_capabilities.edit || canAdd)",
                     addRequired: false,
                     editRequired: false,
                     subCheckbox: {
@@ -309,7 +324,8 @@ export default
                     type: 'text',
                     label: 'Client ID',
                     subForm: 'credentialSubForm',
-                    ngShow: "kind.value === 'azure_rm'"
+                    ngShow: "kind.value === 'azure_rm'",
+                    ngDisabled: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 secret:{
                     type: 'sensitive',
@@ -317,20 +333,23 @@ export default
                     autocomplete: false,
                     label: 'Client Secret',
                     subForm: 'credentialSubForm',
-                    ngShow: "kind.value === 'azure_rm'"
+                    ngShow: "kind.value === 'azure_rm'",
+                    ngDisabled: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 tenant: {
                     type: 'text',
                     label: 'Tenant ID',
                     subForm: 'credentialSubForm',
-                    ngShow: "kind.value === 'azure_rm'"
+                    ngShow: "kind.value === 'azure_rm'",
+                    ngDisabled: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 authorize: {
                     label: 'Authorize',
                     type: 'checkbox',
                     ngChange: "toggleCallback('host_config_key')",
                     subForm: 'credentialSubForm',
-                    ngShow: "kind.value === 'net'"
+                    ngShow: "kind.value === 'net'",
+                    ngDisabled: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 authorize_password: {
                     label: 'Authorize Password',
@@ -339,6 +358,7 @@ export default
                     autocomplete: false,
                     subForm: 'credentialSubForm',
                     ngShow: "authorize && authorize !== 'false'",
+                    ngDisabled: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 "project": {
                     labelBind: 'projectLabel',
@@ -355,7 +375,8 @@ export default
                         reqExpression: 'project_required',
                         init: false
                     },
-                    subForm: 'credentialSubForm'
+                    subForm: 'credentialSubForm',
+                    ngDisabled: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 "domain": {
                     labelBind: 'domainLabel',
@@ -371,13 +392,14 @@ export default
                     dataContainer: "body",
                     addRequired: false,
                     editRequired: false,
-                    subForm: 'credentialSubForm'
+                    subForm: 'credentialSubForm',
+                    ngDisabled: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 "vault_password": {
                     label: "Vault Password",
                     type: 'sensitive',
                     ngShow: "kind.value == 'ssh'",
-                    ngDisabled: "vault_password_ask",
+                    ngDisabled: "vault_password_ask || !(credential_obj.summary_fields.user_capabilities.edit || canAdd)",
                     addRequired: false,
                     editRequired: false,
                     subCheckbox: {
@@ -394,11 +416,17 @@ export default
             buttons: {
                 cancel: {
                     ngClick: 'formCancel()',
+                    ngShow: '(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
+                },
+                close: {
+                    ngClick: 'formCancel()',
+                    ngShow: '!(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 save: {
                     label: 'Save',
                     ngClick: 'formSave()', //$scope.function to call on click, optional
-                    ngDisabled: true //Disable when $pristine or $invalid, optional
+                    ngDisabled: true,
+                    ngShow: '(credential_obj.summary_fields.user_capabilities.edit || canAdd)' //Disable when $pristine or $invalid, optional
                 }
             },
 
@@ -421,7 +449,8 @@ export default
                             label: 'Add',
                             awToolTip: 'Add a permission',
                             actionClass: 'btn List-buttonSubmit',
-                            buttonContent: '&#43; ADD'
+                            buttonContent: '&#43; ADD',
+                            ngShow: '(credential_obj.summary_fields.user_capabilities.edit || canAdd)'
                         }
                     },
 
diff --git a/awx/ui/client/src/forms/Groups.js b/awx/ui/client/src/forms/Groups.js
index e3327d442e..32723ff5f2 100644
--- a/awx/ui/client/src/forms/Groups.js
+++ b/awx/ui/client/src/forms/Groups.js
@@ -26,14 +26,16 @@ export default
                     type: 'text',
                     addRequired: true,
                     editRequired: true,
-                    tab: 'properties'
+                    tab: 'properties',
+                    ngDisabled: '!(group_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 description: {
                     label: 'Description',
                     type: 'text',
                     addRequired: false,
                     editRequired: false,
-                    tab: 'properties'
+                    tab: 'properties',
+                    ngDisabled: '!(group_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 variables: {
                     label: 'Variables',
@@ -65,7 +67,8 @@ export default
                     ngChange: 'sourceChange(source)',
                     addRequired: false,
                     editRequired: false,
-                    ngModel: 'source'
+                    ngModel: 'source',
+                    ngDisabled: '!(group_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 credential: {
                     label: 'Cloud Credential',
@@ -77,7 +80,8 @@ export default
                     awRequiredWhen: {
                         reqExpression: "cloudCredentialRequired",
                         init: "false"
-                    }
+                    },
+                    ngDisabled: '!(group_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 source_regions: {
                     label: 'Regions',
@@ -92,7 +96,8 @@ export default
                     awPopOver: "<p>Click on the regions field to see a list of regions for your cloud provider. You can select multiple regions, " +
                         "or choose <em>All</em> to include all regions. Tower will only be updated with Hosts associated with the selected regions." +
                         "</p>",
-                    dataContainer: 'body'
+                    dataContainer: 'body',
+                    ngDisabled: '!(group_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 instance_filters: {
                     label: 'Instance Filters',
@@ -112,7 +117,8 @@ export default
                         "<blockquote>tag:Name=test*</blockquote>\n" +
                         "<p>View the <a href=\"http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ApiReference-query-DescribeInstances.html\" target=\"_blank\">Describe Instances documentation</a> " +
                         "for a complete list of supported filters.</p>",
-                    dataContainer: 'body'
+                    dataContainer: 'body',
+                    ngDisabled: '!(group_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 group_by: {
                     label: 'Only Group By',
@@ -137,7 +143,8 @@ export default
                         "<li>VPC ID: <strong>vpcs &raquo; vpc-5ca1ab1e</strong></li>" +
                         "<li>Tag None: <strong>tags &raquo; tag_none</strong></li>" +
                         "</ul><p>If blank, all groups above are created except <em>Instance ID</em>.</p>",
-                    dataContainer: 'body'
+                    dataContainer: 'body',
+                    ngDisabled: '!(group_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 inventory_script: {
                     label :  "Custom Inventory Script",
@@ -149,6 +156,7 @@ export default
                     addRequired: true,
                     editRequired: true,
                     ngRequired: "source && source.value === 'custom'",
+                    ngDisabled: '!(group_obj.summary_fields.user_capabilities.edit || canAdd)',
                 },
                 custom_variables: {
                     id: 'custom_variables',
@@ -269,7 +277,8 @@ export default
                         dataTitle: 'Overwrite',
                         dataContainer: 'body',
                         dataPlacement: 'right',
-                        labelClass: 'checkbox-options'
+                        labelClass: 'checkbox-options',
+                        ngDisabled: '!(group_obj.summary_fields.user_capabilities.edit || canAdd)'
                     }, {
                         name: 'overwrite_vars',
                         label: 'Overwrite Variables',
@@ -283,7 +292,8 @@ export default
                         dataTitle: 'Overwrite Variables',
                         dataContainer: 'body',
                         dataPlacement: 'right',
-                        labelClass: 'checkbox-options'
+                        labelClass: 'checkbox-options',
+                        ngDisabled: '!(group_obj.summary_fields.user_capabilities.edit || canAdd)'
                     }, {
                         name: 'update_on_launch',
                         label: 'Update on Launch',
@@ -296,7 +306,8 @@ export default
                         dataTitle: 'Update on Launch',
                         dataContainer: 'body',
                         dataPlacement: 'right',
-                        labelClass: 'checkbox-options'
+                        labelClass: 'checkbox-options',
+                        ngDisabled: '!(group_obj.summary_fields.user_capabilities.edit || canAdd)'
                     }]
                 },
                 update_cache_timeout: {
@@ -321,11 +332,17 @@ export default
 
             buttons: {
                 cancel: {
-                    ngClick: 'formCancel()'
+                    ngClick: 'formCancel()',
+                    ngShow: '(group_obj.summary_fields.user_capabilities.edit || canAdd)'
+                },
+                close: {
+                    ngClick: 'formCancel()',
+                    ngShow: '!(group_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 save: {
                     ngClick: 'formSave()',
-                    ngDisabled: true
+                    ngDisabled: true,
+                    ngShow: '(group_obj.summary_fields.user_capabilities.edit || canAdd)'
                 }
             },
 
diff --git a/awx/ui/client/src/forms/Hosts.js b/awx/ui/client/src/forms/Hosts.js
index 0da34d3e2e..a1c0e69537 100644
--- a/awx/ui/client/src/forms/Hosts.js
+++ b/awx/ui/client/src/forms/Hosts.js
@@ -46,13 +46,15 @@ export default
                         "</blockquote>",
                     dataTitle: 'Host Name',
                     dataPlacement: 'right',
-                    dataContainer: 'body'
+                    dataContainer: 'body',
+                    ngDisabled: '!(host.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 description: {
                     label: 'Description',
                     type: 'text',
                     addRequired: false,
-                    editRequired: false
+                    editRequired: false,
+                    ngDisabled: '!(host.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 variables: {
                     label: 'Variables',
@@ -83,10 +85,16 @@ export default
             buttons: {
                 cancel: {
                     ngClick: 'formCancel()',
+                    ngShow: '(host.summary_fields.user_capabilities.edit || canAdd)'
+                },
+                close: {
+                    ngClick: 'formCancel()',
+                    ngShow: '!(host.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 save: {
                     ngClick: 'formSave()',
-                    ngDisabled: true
+                    ngDisabled: true,
+                    ngShow: '(host.summary_fields.user_capabilities.edit || canAdd)'
                 }
             },
 
diff --git a/awx/ui/client/src/forms/Inventories.js b/awx/ui/client/src/forms/Inventories.js
index 6467bf28d3..72852079c3 100644
--- a/awx/ui/client/src/forms/Inventories.js
+++ b/awx/ui/client/src/forms/Inventories.js
@@ -26,14 +26,16 @@ export default
                     type: 'text',
                     addRequired: true,
                     editRequired: true,
-                    capitalize: false
+                    capitalize: false,
+                    ngDisabled: '!(inventory_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 inventory_description: {
                     realName: 'description',
                     label: 'Description',
                     type: 'text',
                     addRequired: false,
-                    editRequired: false
+                    editRequired: false,
+                    ngDisabled: '!(inventory_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 organization: {
                     label: 'Organization',
@@ -44,7 +46,8 @@ export default
                     awRequiredWhen: {
                         reqExpression: "organizationrequired",
                         init: "true"
-                    }
+                    },
+                    ngDisabled: '!(inventory_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 variables: {
                     label: 'Variables',
@@ -63,17 +66,24 @@ export default
                         '<p>View YAML examples at <a href="http://docs.ansible.com/YAMLSyntax.html" target="_blank">docs.ansible.com</a></p>',
                     dataTitle: 'Inventory Variables',
                     dataPlacement: 'right',
-                    dataContainer: 'body'
+                    dataContainer: 'body',
+                    ngDisabled: '!(inventory_obj.summary_fields.user_capabilities.edit || canAdd)' // TODO: get working
                 }
             },
 
             buttons: {
                 cancel: {
-                    ngClick: 'formCancel()'
+                    ngClick: 'formCancel()',
+                    ngShow: '(inventory_obj.summary_fields.user_capabilities.edit || canAdd)'
+                },
+                close: {
+                    ngClick: 'formCancel()',
+                    ngHide: '(inventory_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 save: {
                     ngClick: 'formSave()',
-                    ngDisabled: true
+                    ngDisabled: true,
+                    ngShow: '(inventory_obj.summary_fields.user_capabilities.edit || canAdd)'
                 }
             },
 
@@ -94,7 +104,8 @@ export default
                             label: 'Add',
                             awToolTip: 'Add a permission',
                             actionClass: 'btn List-buttonSubmit',
-                            buttonContent: '&#43; ADD'
+                            buttonContent: '&#43; ADD',
+                            ngShow: '(inventory_obj.summary_fields.user_capabilities.edit || canAdd)'
                         }
                     },
 
diff --git a/awx/ui/client/src/forms/JobTemplates.js b/awx/ui/client/src/forms/JobTemplates.js
index 5d56907c88..3ec35b2288 100644
--- a/awx/ui/client/src/forms/JobTemplates.js
+++ b/awx/ui/client/src/forms/JobTemplates.js
@@ -27,14 +27,16 @@ export default
                     type: 'text',
                     addRequired: true,
                     editRequired: true,
-                    column: 1
+                    column: 1,
+                    ngDisabled: '!(job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 description: {
                     label: 'Description',
                     type: 'text',
                     addRequired: false,
                     editRequired: false,
-                    column: 1
+                    column: 1,
+                    ngDisabled: '!(job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 job_type: {
                     label: 'Job Type',
@@ -56,7 +58,8 @@ export default
                         variable: 'ask_job_type_on_launch',
                         ngShow: "!job_type.value || job_type.value !== 'scan'",
                         text: 'Prompt on launch'
-                    }
+                    },
+                    ngDisabled: '!(job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 inventory: {
                     label: 'Inventory',
@@ -78,7 +81,8 @@ export default
                         variable: 'ask_inventory_on_launch',
                         ngShow: "!job_type.value || job_type.value !== 'scan'",
                         text: 'Prompt on launch'
-                    }
+                    },
+                    ngDisabled: '!(job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 project: {
                     label: 'Project',
@@ -100,12 +104,13 @@ export default
                     dataTitle: 'Project',
                     dataPlacement: 'right',
                     dataContainer: "body",
+                    ngDisabled: '!(job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 playbook: {
                     label: 'Playbook',
                     type:'select',
                     ngOptions: 'book for book in playbook_options track by book',
-                    ngDisabled: "job_type.value === 'scan' && project_name === 'Default'",
+                    ngDisabled: "(job_type.value === 'scan' && project_name === 'Default') || !(job_template_obj.summary_fields.user_capabilities.edit || canAdd)",
                     id: 'playbook-select',
                     awRequiredWhen: {
                         reqExpression: "playbookrequired",
@@ -138,7 +143,8 @@ export default
                     subCheckbox: {
                         variable: 'ask_credential_on_launch',
                         text: 'Prompt on launch'
-                    }
+                    },
+                    ngDisabled: '!(job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 cloud_credential: {
                     label: 'Cloud Credential',
@@ -153,7 +159,8 @@ export default
                         "running playbook, allowing provisioning into the cloud without manually passing parameters to the included modules.</p>",
                     dataTitle: 'Cloud Credential',
                     dataPlacement: 'right',
-                    dataContainer: "body"
+                    dataContainer: "body",
+                    ngDisabled: '!(job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 network_credential: {
                     label: 'Network Credential',
@@ -167,7 +174,8 @@ export default
                     awPopOver: "<p>Network credentials are used by Ansible networking modules to connect to and manage networking devices.</p>",
                     dataTitle: 'Network Credential',
                     dataPlacement: 'right',
-                    dataContainer: "body"
+                    dataContainer: "body",
+                    ngDisabled: '!(job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 forks: {
                     label: 'Forks',
@@ -186,7 +194,8 @@ export default
                         ' target=\"_blank\">ansible configuration file</a>.</p>',
                     dataTitle: 'Forks',
                     dataPlacement: 'right',
-                    dataContainer: "body"
+                    dataContainer: "body",
+                    ngDisabled: '!(job_template_obj.summary_fields.user_capabilities.edit || canAdd)' // TODO: get working
                 },
                 limit: {
                     label: 'Limit',
@@ -203,7 +212,8 @@ export default
                     subCheckbox: {
                         variable: 'ask_limit_on_launch',
                         text: 'Prompt on launch'
-                    }
+                    },
+                    ngDisabled: '!(job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 verbosity: {
                     label: 'Verbosity',
@@ -216,7 +226,8 @@ export default
                     awPopOver: "<p>Control the level of output ansible will produce as the playbook executes.</p>",
                     dataTitle: 'Verbosity',
                     dataPlacement: 'right',
-                    dataContainer: "body"
+                    dataContainer: "body",
+                    ngDisabled: '!(job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 job_tags: {
                     label: 'Job Tags',
@@ -235,7 +246,8 @@ export default
                     subCheckbox: {
                         variable: 'ask_tags_on_launch',
                         text: 'Prompt on launch'
-                    }
+                    },
+                    ngDisabled: '!(job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 skip_tags: {
                     label: 'Skip Tags',
@@ -254,7 +266,8 @@ export default
                     subCheckbox: {
                         variable: 'ask_skip_tags_on_launch',
                         text: 'Prompt on launch'
-                    }
+                    },
+                    ngDisabled: '!(job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 checkbox_group: {
                     label: 'Options',
@@ -270,7 +283,8 @@ export default
                         dataPlacement: 'right',
                         dataTitle: 'Become Privilege Escalation',
                         dataContainer: "body",
-                        labelClass: 'stack-inline'
+                        labelClass: 'stack-inline',
+                        ngDisabled: '!(job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
                     }, {
                         name: 'allow_callbacks',
                         label: 'Allow Provisioning Callbacks',
@@ -284,7 +298,8 @@ export default
                         dataPlacement: 'right',
                         dataTitle: 'Allow Provisioning Callbacks',
                         dataContainer: "body",
-                        labelClass: 'stack-inline'
+                        labelClass: 'stack-inline',
+                        ngDisabled: '!(job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
                     }]
                 },
                 callback_url: {
@@ -299,7 +314,8 @@ export default
                     awPopOverWatch: "callback_help",
                     dataPlacement: 'top',
                     dataTitle: 'Provisioning Callback URL',
-                    dataContainer: "body"
+                    dataContainer: "body",
+                    ngDisabled: '!(job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 host_config_key: {
                     label: 'Host Config Key',
@@ -312,7 +328,8 @@ export default
                     awPopOverWatch: "callback_help",
                     dataPlacement: 'right',
                     dataTitle: "Host Config Key",
-                    dataContainer: "body"
+                    dataContainer: "body",
+                    ngDisabled: '!(job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 labels: {
                     label: 'Labels',
@@ -325,7 +342,8 @@ export default
                     dataTitle: 'Labels',
                     dataPlacement: 'right',
                     awPopOver: "<p>Optional labels that describe this job template, such as 'dev' or 'test'. Labels can be used to group and filter job templates and completed jobs in the Tower display.</p>",
-                    dataContainer: 'body'
+                    dataContainer: 'body',
+                    ngDisabled: '!(job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 variables: {
                     label: 'Extra Variables',
@@ -348,14 +366,15 @@ export default
                     subCheckbox: {
                         variable: 'ask_variables_on_launch',
                         text: 'Prompt on launch'
-                    }
+                    },
+                    ngDisabled: '!(job_template_obj.summary_fields.user_capabilities.edit || canAdd)' // TODO: get working
                 }
             },
 
             buttons: { //for now always generates <button> tags
                 add_survey: {
                     ngClick: 'addSurvey()',
-                    ngShow: 'job_type.value !== "scan" && !survey_exists',
+                    ngShow: 'job_type.value !== "scan" && !survey_exists && (job_template_obj.summary_fields.user_capabilities.edit || canAdd)',
                     awFeature: 'surveys',
                     awToolTip: 'Surveys allow users to be prompted at job launch with a series of questions related to the job. This allows for variables to be defined that affect the playbook run at time of launch.',
                     dataPlacement: 'top'
@@ -363,14 +382,25 @@ export default
                 edit_survey: {
                     ngClick: 'editSurvey()',
                     awFeature: 'surveys',
-                    ngShow: 'job_type.value !== "scan" && survey_exists'
+                    ngShow: 'job_type.value !== "scan" && survey_exists && (job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
+                },
+                view_survey: {
+                    ngClick: 'editSurvey()',
+                    awFeature: 'surveys',
+                    ngShow: 'job_type.value !== "scan" && survey_exists && !(job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 cancel: {
-                    ngClick: 'formCancel()'
+                    ngClick: 'formCancel()',
+                    ngShow: '(job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
+                },
+                close: {
+                    ngClick: 'formCancel()',
+                    ngShow: '!(job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 save: {
                     ngClick: 'formSave()',    //$scope.function to call on click, optional
-                    ngDisabled: "job_templates_form.$invalid || can_edit!==true"//true          //Disable when $pristine or $invalid, optional and when can_edit = false, for permission reasons
+                    ngDisabled: "job_templates_form.$invalid",//true          //Disable when $pristine or $invalid, optional and when can_edit = false, for permission reasons
+                    ngShow: '(job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
                 }
             },
 
@@ -394,7 +424,8 @@ export default
                             label: 'Add',
                             awToolTip: 'Add a permission',
                             actionClass: 'btn List-buttonSubmit',
-                            buttonContent: '&#43; ADD'
+                            buttonContent: '&#43; ADD',
+                            ngShow: '(job_template_obj.summary_fields.user_capabilities.edit || canAdd)'
                         }
                     },
 
diff --git a/awx/ui/client/src/forms/Organizations.js b/awx/ui/client/src/forms/Organizations.js
index 7c678e09c7..377d5a911e 100644
--- a/awx/ui/client/src/forms/Organizations.js
+++ b/awx/ui/client/src/forms/Organizations.js
@@ -25,23 +25,31 @@ export default
                     type: 'text',
                     addRequired: true,
                     editRequired: true,
-                    capitalize: false
+                    capitalize: false,
+                    ngDisabled: '!(organization_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 description: {
                     label: 'Description',
                     type: 'text',
                     addRequired: false,
-                    editRequired: false
+                    editRequired: false,
+                    ngDisabled: '!(organization_obj.summary_fields.user_capabilities.edit || canAdd)'
                 }
             },
 
             buttons: { //for now always generates <button> tags
                 cancel: {
-                    ngClick: 'formCancel()'
+                    ngClick: 'formCancel()',
+                    ngShow: '(organization_obj.summary_fields.user_capabilities.edit || canAdd)'
+                },
+                close: {
+                    ngClick: 'formCancel()',
+                    ngShow: '!(organization_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 save: {
                     ngClick: 'formSave()', //$scope.function to call on click, optional
-                    ngDisabled: true //Disable when $pristine or $invalid, optional
+                    ngDisabled: true,
+                    ngShow: '(organization_obj.summary_fields.user_capabilities.edit || canAdd)'
                 }
             },
 
@@ -62,7 +70,8 @@ export default
                             label: 'Add',
                             awToolTip: 'Add a permission',
                             actionClass: 'btn List-buttonSubmit',
-                            buttonContent: '&#43; ADD'
+                            buttonContent: '&#43; ADD',
+                            ngShow: '(organization_obj.summary_fields.user_capabilities.edit || canAdd)'
                         }
                     },
 
diff --git a/awx/ui/client/src/forms/Projects.js b/awx/ui/client/src/forms/Projects.js
index 7064c01ff3..409386b348 100644
--- a/awx/ui/client/src/forms/Projects.js
+++ b/awx/ui/client/src/forms/Projects.js
@@ -30,13 +30,15 @@ angular.module('ProjectFormDefinition', ['SchedulesListDefinition'])
                 type: 'text',
                 addRequired: true,
                 editRequired: true,
-                capitalize: false
+                capitalize: false,
+                ngDisabled: '!(project_obj.summary_fields.user_capabilities.edit || canAdd)'
             },
             description: {
                 label: 'Description',
                 type: 'text',
                 addRequired: false,
-                editRequired: false
+                editRequired: false,
+                ngDisabled: '!(project_obj.summary_fields.user_capabilities.edit || canAdd)'
             },
             organization: {
                 label: 'Organization',
@@ -50,7 +52,8 @@ angular.module('ProjectFormDefinition', ['SchedulesListDefinition'])
                 },
                 dataTitle: 'Organization',
                 dataContainer: 'body',
-                dataPlacement: 'right'
+                dataPlacement: 'right',
+                ngDisabled: '!(project_obj.summary_fields.user_capabilities.edit || canAdd)'
             },
             scm_type: {
                 label: 'SCM Type',
@@ -61,6 +64,7 @@ angular.module('ProjectFormDefinition', ['SchedulesListDefinition'])
                 addRequired: true,
                 editRequired: true,
                 hasSubForm: true,
+                ngDisabled: '!(project_obj.summary_fields.user_capabilities.edit || canAdd)'
             },
             missing_path_alert: {
                 type: 'alertblock',
@@ -82,7 +86,8 @@ angular.module('ProjectFormDefinition', ['SchedulesListDefinition'])
                     '<p>Use PROJECTS_ROOT in your environment settings file to determine the base path value.</p>',
                 dataTitle: 'Project Base Path',
                 dataContainer: 'body',
-                dataPlacement: 'right'
+                dataPlacement: 'right',
+                ngDisabled: '!(project_obj.summary_fields.user_capabilities.edit || canAdd)'
             },
             local_path: {
                 label: 'Playbook Directory',
@@ -99,7 +104,8 @@ angular.module('ProjectFormDefinition', ['SchedulesListDefinition'])
                     '<p>Use PROJECTS_ROOT in your environment settings file to determine the base path value.</p>',
                 dataTitle: 'Project Path',
                 dataContainer: 'body',
-                dataPlacement: 'right'
+                dataPlacement: 'right',
+                ngDisabled: '!(project_obj.summary_fields.user_capabilities.edit || canAdd)'
             },
             scm_url: {
                 label: 'SCM URL',
@@ -115,7 +121,8 @@ angular.module('ProjectFormDefinition', ['SchedulesListDefinition'])
                 awPopOver: "set in controllers/projects",
                 dataTitle: 'SCM URL',
                 dataContainer: 'body',
-                dataPlacement: 'right'
+                dataPlacement: 'right',
+                ngDisabled: '!(project_obj.summary_fields.user_capabilities.edit || canAdd)'
             },
             scm_branch: {
                 labelBind: "scmBranchLabel",
@@ -123,7 +130,8 @@ angular.module('ProjectFormDefinition', ['SchedulesListDefinition'])
                 ngShow: "scm_type && scm_type.value !== 'manual'",
                 addRequired: false,
                 editRequired: false,
-                subForm: 'sourceSubForm'
+                subForm: 'sourceSubForm',
+                ngDisabled: '!(project_obj.summary_fields.user_capabilities.edit || canAdd)'
             },
             credential: {
                 label: 'SCM Credential',
@@ -134,7 +142,8 @@ angular.module('ProjectFormDefinition', ['SchedulesListDefinition'])
                 ngClick: 'lookUpCredential()',
                 addRequired: false,
                 editRequired: false,
-                subForm: 'sourceSubForm'
+                subForm: 'sourceSubForm',
+                ngDisabled: '!(project_obj.summary_fields.user_capabilities.edit || canAdd)'
             },
             checkbox_group: {
                 label: 'SCM Update Options',
@@ -151,7 +160,8 @@ angular.module('ProjectFormDefinition', ['SchedulesListDefinition'])
                     dataTitle: 'SCM Clean',
                     dataContainer: 'body',
                     dataPlacement: 'right',
-                    labelClass: 'checkbox-options stack-inline'
+                    labelClass: 'checkbox-options stack-inline',
+                    ngDisabled: '!(project_obj.summary_fields.user_capabilities.edit || canAdd)'
                 }, {
                     name: 'scm_delete_on_update',
                     label: 'Delete on Update',
@@ -163,7 +173,8 @@ angular.module('ProjectFormDefinition', ['SchedulesListDefinition'])
                     dataTitle: 'SCM Delete',
                     dataContainer: 'body',
                     dataPlacement: 'right',
-                    labelClass: 'checkbox-options stack-inline'
+                    labelClass: 'checkbox-options stack-inline',
+                    ngDisabled: '!(project_obj.summary_fields.user_capabilities.edit || canAdd)'
                 }, {
                     name: 'scm_update_on_launch',
                     label: 'Update on Launch',
@@ -174,7 +185,8 @@ angular.module('ProjectFormDefinition', ['SchedulesListDefinition'])
                     dataTitle: 'SCM Update',
                     dataContainer: 'body',
                     dataPlacement: 'right',
-                    labelClass: 'checkbox-options stack-inline'
+                    labelClass: 'checkbox-options stack-inline',
+                    ngDisabled: '!(project_obj.summary_fields.user_capabilities.edit || canAdd)'
                 }]
             },
             scm_update_cache_timeout: {
@@ -193,17 +205,24 @@ angular.module('ProjectFormDefinition', ['SchedulesListDefinition'])
                     'and a new project update will be performed.</p>',
                 dataTitle: 'Cache Timeout',
                 dataPlacement: 'right',
-                dataContainer: "body"
+                dataContainer: "body",
+                ngDisabled: '!(project_obj.summary_fields.user_capabilities.edit || canAdd)' // TODO: get working
             }
         },
 
         buttons: {
             cancel: {
-                ngClick: 'formCancel()'
+                ngClick: 'formCancel()',
+                ngShow: '(project_obj.summary_fields.user_capabilities.edit || canAdd)'
+            },
+            close: {
+                ngClick: 'formCancel()',
+                ngShow: '!(project_obj.summary_fields.user_capabilities.edit || canAdd)'
             },
             save: {
                 ngClick: 'formSave()',
-                ngDisabled: true
+                ngDisabled: true,
+                ngShow: '(project_obj.summary_fields.user_capabilities.edit || canAdd)'
             }
         },
 
@@ -224,7 +243,8 @@ angular.module('ProjectFormDefinition', ['SchedulesListDefinition'])
                         label: 'Add',
                         awToolTip: 'Add a permission',
                         actionClass: 'btn List-buttonSubmit',
-                        buttonContent: '&#43; ADD'
+                        buttonContent: '&#43; ADD',
+                        ngShow: '(project_obj.summary_fields.user_capabilities.edit || canAdd)'
                     }
                 },
 
diff --git a/awx/ui/client/src/forms/Teams.js b/awx/ui/client/src/forms/Teams.js
index 45f0b3b04b..6023650156 100644
--- a/awx/ui/client/src/forms/Teams.js
+++ b/awx/ui/client/src/forms/Teams.js
@@ -25,13 +25,15 @@ export default
                     type: 'text',
                     addRequired: true,
                     editRequired: true,
-                    capitalize: false
+                    capitalize: false,
+                    ngDisabled: '!(team_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 description: {
                     label: 'Description',
                     type: 'text',
                     addRequired: false,
-                    editRequired: false
+                    editRequired: false,
+                    ngDisabled: '!(team_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 organization: {
                     label: 'Organization',
@@ -44,17 +46,24 @@ export default
                     awRequiredWhen: {
                         reqExpression: "orgrequired",
                         init: true
-                    }
+                    },
+                    ngDisabled: '!(team_obj.summary_fields.user_capabilities.edit || canAdd)'
                 }
             },
 
             buttons: {
                 cancel: {
-                    ngClick: 'formCancel()'
+                    ngClick: 'formCancel()',
+                    ngShow: '(team_obj.summary_fields.user_capabilities.edit || canAdd)'
+                },
+                close: {
+                    ngClick: 'formCancel()',
+                    ngShow: '!(team_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 save: {
                     ngClick: 'formSave()',
-                    ngDisabled: true
+                    ngDisabled: true,
+                    ngShow: '(team_obj.summary_fields.user_capabilities.edit || canAdd)'
                 }
             },
 
@@ -75,7 +84,8 @@ export default
                             label: 'Add',
                             awToolTip: 'Add user to team',
                             actionClass: 'btn List-buttonSubmit',
-                            buttonContent: '&#43; ADD'
+                            buttonContent: '&#43; ADD',
+                            ngShow: '(team_obj.summary_fields.user_capabilities.edit || canAdd)'
                         }
                     },
 
@@ -132,7 +142,8 @@ export default
                             'class': "List-actionButton--delete",
                             iconClass: 'fa fa-times',
                             awToolTip: 'Dissasociate permission from team',
-                            dataPlacement: 'top'
+                            dataPlacement: 'top',
+                            ngShow: 'permission.summary_fields.user_capabilities.unattach'
                         }
                     },
                     hideOnSuperuser: true
diff --git a/awx/ui/client/src/forms/Users.js b/awx/ui/client/src/forms/Users.js
index ddcda6e296..a93e549cae 100644
--- a/awx/ui/client/src/forms/Users.js
+++ b/awx/ui/client/src/forms/Users.js
@@ -26,21 +26,24 @@ export default
                     type: 'text',
                     addRequired: true,
                     editRequired: true,
-                    capitalize: true
+                    capitalize: true,
+                    ngDisabled: '!(user_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 last_name: {
                     label: 'Last Name',
                     type: 'text',
                     addRequired: true,
                     editRequired: true,
-                    capitalize: true
+                    capitalize: true,
+                    ngDisabled: '!(user_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 email: {
                     label: 'Email',
                     type: 'email',
                     addRequired: true,
                     editRequired: true,
-                    autocomplete: false
+                    autocomplete: false,
+                    ngDisabled: '!(user_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 username: {
                     label: 'Username',
@@ -49,7 +52,8 @@ export default
                         reqExpression: "not_ldap_user && external_account === null",
                         init: true
                     },
-                    autocomplete: false
+                    autocomplete: false,
+                    ngDisabled: '!(user_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 organization: {
                     label: 'Organization',
@@ -63,7 +67,8 @@ export default
                     awRequiredWhen: {
                         reqExpression: "orgrequired",
                         init: true
-                    }
+                    },
+                    ngDisabled: '!(user_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 password: {
                     label: 'Password',
@@ -74,7 +79,8 @@ export default
                     editRequired: false,
                     ngChange: "clearPWConfirm('password_confirm')",
                     autocomplete: false,
-                    chkPass: true
+                    chkPass: true,
+                    ngDisabled: '!(user_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 password_confirm: {
                     label: 'Confirm Password',
@@ -85,7 +91,8 @@ export default
                     editRequired: false,
                     awPassMatch: true,
                     associated: 'password',
-                    autocomplete: false
+                    autocomplete: false,
+                    ngDisabled: '!(user_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 user_type: {
                     label: 'User Type',
@@ -94,16 +101,23 @@ export default
                     disableChooseOption: true,
                     ngModel: 'user_type',
                     ngShow: 'current_user["is_superuser"]',
+                    ngDisabled: '!(user_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
             },
 
             buttons: {
                 cancel: {
-                    ngClick: 'formCancel()'
+                    ngClick: 'formCancel()',
+                    ngShow: '(user_obj.summary_fields.user_capabilities.edit || canAdd)'
+                },
+                close: {
+                    ngClick: 'formCancel()',
+                    ngShow: '!(user_obj.summary_fields.user_capabilities.edit || canAdd)'
                 },
                 save: {
                     ngClick: 'formSave()',
-                    ngDisabled: true
+                    ngDisabled: true,
+                    ngShow: '(user_obj.summary_fields.user_capabilities.edit || canAdd)'
                 }
             },
 
@@ -186,7 +200,8 @@ export default
                             label: 'Remove',
                             ngClick: 'deletePermissionFromUser(user_id, username, permission.name, permission.summary_fields.resource_name, permission.related.users)',
                             iconClass: 'fa fa-times',
-                            awToolTip: 'Dissasociate permission from user'
+                            awToolTip: 'Dissasociate permission from user',
+                            ngShow: 'permission.summary_fields.user_capabilities.unattach'
                         }
                     },
                     hideOnSuperuser: true
diff --git a/awx/ui/client/src/helpers/Parse.js b/awx/ui/client/src/helpers/Parse.js
index 5e76bc670d..a2715f6efd 100644
--- a/awx/ui/client/src/helpers/Parse.js
+++ b/awx/ui/client/src/helpers/Parse.js
@@ -46,7 +46,7 @@ export default
                 function createField(onChange, onReady, fld) {
                     //hide the textarea and show a fresh CodeMirror with the current mode (json or yaml)
 
-                    scope[fld + 'codeMirror'] = AngularCodeMirror();
+                    scope[fld + 'codeMirror'] = AngularCodeMirror(readOnly);
                     scope[fld + 'codeMirror'].addModes(global.$AnsibleConfig.variable_edit_modes);
                     scope[fld + 'codeMirror'].showTextArea({
                         scope: scope,
diff --git a/awx/ui/client/src/helpers/ProjectPath.js b/awx/ui/client/src/helpers/ProjectPath.js
index 91761fce0e..e0868b7bc4 100644
--- a/awx/ui/client/src/helpers/ProjectPath.js
+++ b/awx/ui/client/src/helpers/ProjectPath.js
@@ -3,7 +3,7 @@
  *
  * All Rights Reserved
  *************************************************/
- 
+
     /**
  * @ngdoc function
  * @name helpers.function:ProjectPath
@@ -47,11 +47,13 @@ export default
                     Rest.get()
                         .success(function (data) {
                             var opts = [], i;
-                            for (i = 0; i < data.project_local_paths.length; i++) {
-                                opts.push({
-                                    label: data.project_local_paths[i],
-                                    value: data.project_local_paths[i]
-                                });
+                            if (data.project_local_paths) {
+                                for (i = 0; i < data.project_local_paths.length; i++) {
+                                    opts.push({
+                                        label: data.project_local_paths[i],
+                                        value: data.project_local_paths[i]
+                                    });
+                                }
                             }
                             if (scope.local_path) {
                                 // List only includes paths not assigned to projects, so add the
diff --git a/awx/ui/client/src/inventories/add/inventory-add.controller.js b/awx/ui/client/src/inventories/add/inventory-add.controller.js
index ceb874f8ec..0e46f4f7be 100644
--- a/awx/ui/client/src/inventories/add/inventory-add.controller.js
+++ b/awx/ui/client/src/inventories/add/inventory-add.controller.js
@@ -16,6 +16,15 @@ function InventoriesAdd($scope, $rootScope, $compile, $location, $log,
     PaginateInit, LookUpInit, GetBasePath, ParseTypeChange, Wait, ToJSON,
     $state) {
 
+    Rest.setUrl(GetBasePath('inventory'));
+    Rest.options()
+        .success(function(data) {
+            if (!data.actions.POST) {
+                $state.go("^");
+                Alert('Permission Error', 'You do not have permission to add an inventory.', 'alert-info');
+            }
+        });
+
     ClearScope();
 
     // Inject dynamic view
diff --git a/awx/ui/client/src/inventories/edit/inventory-edit.controller.js b/awx/ui/client/src/inventories/edit/inventory-edit.controller.js
index d198683677..fd59e1961e 100644
--- a/awx/ui/client/src/inventories/edit/inventory-edit.controller.js
+++ b/awx/ui/client/src/inventories/edit/inventory-edit.controller.js
@@ -17,7 +17,6 @@ function InventoriesEdit($scope, $rootScope, $compile, $location,
     ParseVariableString, RelatedSearchInit, RelatedPaginateInit,
     Prompt, InitiatePlaybookRun, CreateDialog, deleteJobTemplate, $state,
     $filter) {
-
     ClearScope();
 
     // Inject dynamic view
@@ -32,6 +31,13 @@ function InventoriesEdit($scope, $rootScope, $compile, $location,
     form.formLabelSize = null;
     form.formFieldSize = null;
     $scope.inventory_id = inventory_id;
+
+    $scope.$watch('invnentory_obj.summary_fields.user_capabilities.edit', function(val) {
+        if (val === false) {
+            $scope.canAdd = false;
+        }
+    });
+
     generator.inject(form, { mode: 'edit', related: true, scope: $scope });
 
     generator.reset();
diff --git a/awx/ui/client/src/inventories/list/inventory-list.controller.js b/awx/ui/client/src/inventories/list/inventory-list.controller.js
index 54ed987ec6..a8d5fc73e7 100644
--- a/awx/ui/client/src/inventories/list/inventory-list.controller.js
+++ b/awx/ui/client/src/inventories/list/inventory-list.controller.js
@@ -14,7 +14,14 @@ function InventoriesList($scope, $rootScope, $location, $log,
     $stateParams, $compile, $filter, sanitizeFilter, Rest, Alert, InventoryList,
     generateList, Prompt, SearchInit, PaginateInit, ReturnToCaller,
     ClearScope, ProcessErrors, GetBasePath, Wait,
-    Find, Empty, $state) {
+    Find, Empty, $state, rbacUiControlService) {
+
+        $scope.canAdd = false;
+
+        rbacUiControlService.canAdd('inventory')
+            .then(function(canAdd) {
+                $scope.canAdd = canAdd;
+            });
 
     var list = InventoryList,
         defaultUrl = GetBasePath('inventory') + ($stateParams.status === 'sync-failed' ? '?not__inventory_sources_with_failures=0' : ''),
@@ -376,4 +383,4 @@ function InventoriesList($scope, $rootScope, $location, $log,
 export default ['$scope', '$rootScope', '$location', '$log',
     '$stateParams', '$compile', '$filter', 'sanitizeFilter', 'Rest', 'Alert', 'InventoryList',
     'generateList', 'Prompt', 'SearchInit', 'PaginateInit', 'ReturnToCaller',
-    'ClearScope', 'ProcessErrors', 'GetBasePath', 'Wait', 'Find', 'Empty', '$state', InventoriesList];
+    'ClearScope', 'ProcessErrors', 'GetBasePath', 'Wait', 'Find', 'Empty', '$state', 'rbacUiControlService', InventoriesList];
diff --git a/awx/ui/client/src/inventories/manage/groups/groups-add.controller.js b/awx/ui/client/src/inventories/manage/groups/groups-add.controller.js
index d1272f508b..c8662bd55c 100644
--- a/awx/ui/client/src/inventories/manage/groups/groups-add.controller.js
+++ b/awx/ui/client/src/inventories/manage/groups/groups-add.controller.js
@@ -6,9 +6,9 @@
 
  export default
     ['$state', '$stateParams', '$scope', 'GroupForm', 'CredentialList', 'inventoryScriptsListObject', 'ParseTypeChange', 'GenerateForm', 'inventoryData', 'LookUpInit',
-    'GroupManageService', 'GetChoices', 'GetBasePath', 'CreateSelect2', 'GetSourceTypeOptions',
+    'GroupManageService', 'GetChoices', 'GetBasePath', 'CreateSelect2', 'GetSourceTypeOptions', 'rbacUiControlService',
     function($state, $stateParams, $scope, GroupForm, CredentialList, InventoryScriptsList, ParseTypeChange, GenerateForm, inventoryData, LookUpInit,
-        GroupManageService, GetChoices, GetBasePath, CreateSelect2, GetSourceTypeOptions){
+        GroupManageService, GetChoices, GetBasePath, CreateSelect2, GetSourceTypeOptions, rbacUiControlService){
         var generator = GenerateForm,
             form = GroupForm();
 
@@ -16,6 +16,11 @@
         CredentialList = _.cloneDeep(CredentialList);
         CredentialList.fields.kind.noSearch = true;
 
+        rbacUiControlService.canAdd(GetBasePath('inventory') + $stateParams.inventory_id + "/groups")
+            .then(function(canAdd) {
+                $scope.canAdd = canAdd;
+            });
+
         $scope.formCancel = function(){
             $state.go('^');
         };
diff --git a/awx/ui/client/src/inventories/manage/groups/groups-edit.controller.js b/awx/ui/client/src/inventories/manage/groups/groups-edit.controller.js
index 941789f39d..5f9d6cb387 100644
--- a/awx/ui/client/src/inventories/manage/groups/groups-edit.controller.js
+++ b/awx/ui/client/src/inventories/manage/groups/groups-edit.controller.js
@@ -18,6 +18,12 @@
         CredentialList = _.cloneDeep(CredentialList);
         CredentialList.fields.kind.noSearch = true;
 
+        $scope.$watch('group_obj.summary_fields.user_capabilities.edit', function(val) {
+            if (val === false) {
+                $scope.canAdd = false;
+            }
+        });
+
         $scope.formCancel = function(){
             $state.go('^');
         };
@@ -256,6 +262,7 @@
                 $scope.credential_name = inventorySourceData.summary_fields.credential.name;
             }
             $scope = angular.extend($scope, groupData);
+            $scope.group_obj = groupData;
 
             // instantiate lookup fields
             if (inventorySourceData.source !== 'custom'){
diff --git a/awx/ui/client/src/inventories/manage/groups/groups-list.controller.js b/awx/ui/client/src/inventories/manage/groups/groups-list.controller.js
index ca56eeddd4..a2f843793b 100644
--- a/awx/ui/client/src/inventories/manage/groups/groups-list.controller.js
+++ b/awx/ui/client/src/inventories/manage/groups/groups-list.controller.js
@@ -5,13 +5,22 @@
  *************************************************/
  export default
     ['$scope', '$rootScope', '$state', '$stateParams', 'InventoryGroups', 'generateList', 'InventoryUpdate', 'GroupManageService', 'GroupsCancelUpdate', 'ViewUpdateStatus',
-    'InventoryManageService', 'groupsUrl', 'SearchInit', 'PaginateInit', 'GetSyncStatusMsg', 'GetHostsStatusMsg',
+    'InventoryManageService', 'groupsUrl', 'SearchInit', 'PaginateInit', 'GetSyncStatusMsg', 'GetHostsStatusMsg', 'Rest', 'GetBasePath', 'rbacUiControlService',
     function($scope, $rootScope, $state, $stateParams, InventoryGroups, generateList, InventoryUpdate, GroupManageService, GroupsCancelUpdate, ViewUpdateStatus,
-        InventoryManageService, groupsUrl, SearchInit, PaginateInit, GetSyncStatusMsg, GetHostsStatusMsg){
+        InventoryManageService, groupsUrl, SearchInit, PaginateInit, GetSyncStatusMsg, GetHostsStatusMsg, Rest, GetBasePath, rbacUiControlService){
         var list = InventoryGroups,
             view = generateList,
             pageSize = 20;
         $scope.inventory_id = $stateParams.inventory_id;
+
+        $scope.canAdd = false;
+
+        rbacUiControlService.canAdd(GetBasePath('inventory') + $scope.inventory_id + "/groups")
+            .then(function(canAdd) {
+                $scope.canAdd = canAdd;
+            });
+
+
         // The ncy breadcrumb directive will look at this attribute when attempting to bind to the correct scope.
         // In this case, we don't want to incidentally bind to this scope when editing a host or a group.  See:
         // https://github.com/ncuillery/angular-breadcrumb/issues/42 for a little more information on the
diff --git a/awx/ui/client/src/inventories/manage/hosts/hosts-add.controller.js b/awx/ui/client/src/inventories/manage/hosts/hosts-add.controller.js
index d0dd6c3c86..8dd3386871 100644
--- a/awx/ui/client/src/inventories/manage/hosts/hosts-add.controller.js
+++ b/awx/ui/client/src/inventories/manage/hosts/hosts-add.controller.js
@@ -5,10 +5,18 @@
  *************************************************/
 
  export default
-    ['$state', '$stateParams', '$scope', 'HostForm', 'ParseTypeChange', 'GenerateForm', 'HostManageService',
-    function($state, $stateParams, $scope, HostForm, ParseTypeChange, GenerateForm, HostManageService){
+    ['$state', '$stateParams', '$scope', 'HostForm', 'ParseTypeChange', 'GenerateForm', 'HostManageService', 'rbacUiControlService', 'GetBasePath',
+    function($state, $stateParams, $scope, HostForm, ParseTypeChange, GenerateForm, HostManageService, rbacUiControlService, GetBasePath){
         var generator = GenerateForm,
             form = HostForm;
+
+        $scope.canAdd = false;
+
+        rbacUiControlService.canAdd(GetBasePath('inventory') + $stateParams.inventory_id + "/hosts")
+            .then(function(canAdd) {
+                $scope.canAdd = canAdd;
+            });
+
         $scope.parseType = 'yaml';
         $scope.formCancel = function(){
             $state.go('^');
diff --git a/awx/ui/client/src/inventories/manage/hosts/hosts-edit.controller.js b/awx/ui/client/src/inventories/manage/hosts/hosts-edit.controller.js
index 9098e53333..94e7b69c23 100644
--- a/awx/ui/client/src/inventories/manage/hosts/hosts-edit.controller.js
+++ b/awx/ui/client/src/inventories/manage/hosts/hosts-edit.controller.js
@@ -9,6 +9,13 @@
     function($state, $stateParams, $scope, HostForm, ParseTypeChange, GenerateForm, HostManageService, host){
         var generator = GenerateForm,
             form = HostForm;
+
+        $scope.$watch('host.summary_fields.user_capabilities.edit', function(val) {
+            if (val === false) {
+                $scope.canAdd = false;
+            }
+        });
+
         $scope.parseType = 'yaml';
         $scope.formCancel = function(){
             $state.go('^');
diff --git a/awx/ui/client/src/inventories/manage/hosts/hosts-list.controller.js b/awx/ui/client/src/inventories/manage/hosts/hosts-list.controller.js
index 3c48cf8603..f42b9c39b3 100644
--- a/awx/ui/client/src/inventories/manage/hosts/hosts-list.controller.js
+++ b/awx/ui/client/src/inventories/manage/hosts/hosts-list.controller.js
@@ -5,12 +5,23 @@
  *************************************************/
  export default
     ['$scope', '$rootScope', '$state', '$stateParams', 'InventoryHosts', 'generateList', 'InventoryManageService', 'HostManageService',
-     'hostsUrl', 'SearchInit', 'PaginateInit', 'SetStatus', 'Prompt', 'Wait', 'inventoryData', '$filter',
+     'hostsUrl', 'SearchInit', 'PaginateInit', 'SetStatus', 'Prompt', 'Wait', 'inventoryData', '$filter', 'Rest', 'GetBasePath', 'rbacUiControlService',
     function($scope, $rootScope, $state, $stateParams, InventoryHosts, generateList, InventoryManageService, HostManageService,
-     hostsUrl, SearchInit, PaginateInit, SetStatus, Prompt, Wait, inventoryData, $filter){
+     hostsUrl, SearchInit, PaginateInit, SetStatus, Prompt, Wait, inventoryData, $filter, Rest, GetBasePath, rbacUiControlService){
+
         var list = InventoryHosts,
             view = generateList,
             pageSize = 20;
+
+        $scope.inventory_id = $stateParams.inventory_id;
+
+        $scope.canAdd = false;
+
+        rbacUiControlService.canAdd(GetBasePath('inventory') + $scope.inventory_id + "/hosts")
+            .then(function(canAdd) {
+                $scope.canAdd = canAdd;
+            });
+
         // The ncy breadcrumb directive will look at this attribute when attempting to bind to the correct scope.
         // In this case, we don't want to incidentally bind to this scope when editing a host or a group.  See:
         // https://github.com/ncuillery/angular-breadcrumb/issues/42 for a little more information on the
diff --git a/awx/ui/client/src/inventories/manage/inventory-manage.controller.js b/awx/ui/client/src/inventories/manage/inventory-manage.controller.js
index aceb174363..f3201d475a 100644
--- a/awx/ui/client/src/inventories/manage/inventory-manage.controller.js
+++ b/awx/ui/client/src/inventories/manage/inventory-manage.controller.js
@@ -3,21 +3,26 @@
  *
  * All Rights Reserved
  *************************************************/
- export default
- 	['$scope', '$state', function($scope, $state){
- 		$scope.groupsSelected = false;
- 		$scope.hostsSelected = false;
- 		$scope.hostsSelectedItems = [];
- 		$scope.groupsSelectedItems = [];
- 		$scope.setAdhocPattern = function(){
- 			var pattern = _($scope.groupsSelectedItems)
- 				.concat($scope.hostsSelectedItems)
- 				.map(function(item){
- 					return item.name;
- 				}).value().join(':');
- 			$state.go('inventoryManage.adhoc', {pattern: pattern});
- 		};
+export default
+    ['$scope', '$state', 'inventoryData', function($scope, $state, inventoryData){
+        $scope.groupsSelected = false;
+        $scope.hostsSelected = false;
+        $scope.hostsSelectedItems = [];
+        $scope.groupsSelectedItems = [];
+
+        $scope.canAdhoc = inventoryData.summary_fields.user_capabilities.adhoc;
+
+        $scope.setAdhocPattern = function(){
+            var pattern = _($scope.groupsSelectedItems)
+                .concat($scope.hostsSelectedItems)
+                .map(function(item){
+                    return item.name;
+                }).value().join(':');
+
+            $state.go('inventoryManage.adhoc', {pattern: pattern});
+        };
+
         $scope.$watchGroup(['groupsSelected', 'hostsSelected'], function(newVals) {
             $scope.adhocCommandTooltip = (newVals[0] || newVals[1]) ? "Run a command on the selected inventory" : "Select an inventory source by clicking the check box beside it. The inventory source can be a single group or host, a selection of multiple hosts, or a selection of multiple groups.";
         });
- 	}];
+    }];
diff --git a/awx/ui/client/src/inventory-scripts/add/add.controller.js b/awx/ui/client/src/inventory-scripts/add/add.controller.js
index de3be842b3..317d6d5c0a 100644
--- a/awx/ui/client/src/inventory-scripts/add/add.controller.js
+++ b/awx/ui/client/src/inventory-scripts/add/add.controller.js
@@ -8,20 +8,27 @@ export default
     [   '$rootScope', 'pagination', '$compile','SchedulerInit', 'Rest', 'Wait',
         'inventoryScriptsFormObject', 'ProcessErrors', 'GetBasePath', 'Empty',
         'GenerateForm', 'SearchInit' , 'PaginateInit',
-        'LookUpInit', 'OrganizationList', '$scope', '$state',
+        'LookUpInit', 'OrganizationList', '$scope', '$state', 'Alert',
         function(
             $rootScope, pagination, $compile, SchedulerInit, Rest, Wait,
             inventoryScriptsFormObject, ProcessErrors, GetBasePath, Empty,
             GenerateForm, SearchInit, PaginateInit,
-            LookUpInit, OrganizationList, $scope, $state
+            LookUpInit, OrganizationList, $scope, $state, Alert
         ) {
+            Rest.setUrl(GetBasePath('inventory_scripts'));
+            Rest.options()
+                .success(function(data) {
+                    if (!data.actions.POST) {
+                        $state.go("^");
+                        Alert('Permission Error', 'You do not have permission to add an inventory script.', 'alert-info');
+                    }
+                });
+
             var scope = $scope,
                 generator = GenerateForm,
                 form = inventoryScriptsFormObject,
                 url = GetBasePath('inventory_scripts');
 
-            $scope.canEdit = true;
-
             generator.inject(form, {
                 mode: 'add' ,
                 scope:scope,
diff --git a/awx/ui/client/src/inventory-scripts/edit/edit.controller.js b/awx/ui/client/src/inventory-scripts/edit/edit.controller.js
index 3a899cd5a4..2c1ee236df 100644
--- a/awx/ui/client/src/inventory-scripts/edit/edit.controller.js
+++ b/awx/ui/client/src/inventory-scripts/edit/edit.controller.js
@@ -17,6 +17,7 @@ export default
             LookUpInit, OrganizationList, inventory_script,
             $scope, $state
         ) {
+
             var generator = GenerateForm,
                 id = inventory_script.id,
                 form = inventoryScriptsFormObject,
@@ -24,6 +25,13 @@ export default
                 url = GetBasePath('inventory_scripts');
 
             $scope.inventory_script = inventory_script;
+
+            $scope.$watch('inventory_script_obj.summary_fields.user_capabilities.edit', function(val) {
+                if (val === false) {
+                    $scope.canAdd = false;
+                }
+            });
+
             generator.inject(form, {
                     mode: 'edit' ,
                     scope:$scope,
diff --git a/awx/ui/client/src/inventory-scripts/inventory-scripts.form.js b/awx/ui/client/src/inventory-scripts/inventory-scripts.form.js
index 96099587ef..95ebed3458 100644
--- a/awx/ui/client/src/inventory-scripts/inventory-scripts.form.js
+++ b/awx/ui/client/src/inventory-scripts/inventory-scripts.form.js
@@ -24,13 +24,15 @@ export default function() {
                 type: 'text',
                 addRequired: true,
                 editRequired: true,
-                capitalize: false
+                capitalize: false,
+                ngDisabled: '!(inventory_script_obj.summary_fields.user_capabilities.edit || canAdd)'
             },
             description: {
                 label: 'Description',
                 type: 'text',
                 addRequired: false,
-                editRequired: false
+                editRequired: false,
+                ngDisabled: '!(inventory_script_obj.summary_fields.user_capabilities.edit || canAdd)'
             },
             organization: {
                 label: 'Organization',
@@ -41,7 +43,8 @@ export default function() {
                 },
                 sourceModel: 'organization',
                 sourceField: 'name',
-                ngClick: 'lookUpOrganization()'
+                ngClick: 'lookUpOrganization()',
+                ngDisabled: '!(inventory_script_obj.summary_fields.user_capabilities.edit || canAdd)'
             },
             script: {
                 label: 'Custom Script',
@@ -51,7 +54,7 @@ export default function() {
                 addRequired: true,
                 editRequired: true,
                 awDropFile: true,
-                ngDisabled: '!canEdit',
+                ngDisabled: '!(inventory_script_obj.summary_fields.user_capabilities.edit || canAdd)',
                 rows: 10,
                 awPopOver: "<p>Drag and drop your custom inventory script file here or create one in the field to import your custom inventory. " +
                                     "<br><br> Script must begin with a hashbang sequence: i.e.... #!/usr/bin/env python</p>",
@@ -64,10 +67,16 @@ export default function() {
         buttons: { //for now always generates <button> tags
             cancel: {
                 ngClick: 'formCancel()',
+                ngShow: '(inventory_script_obj.summary_fields.user_capabilities.edit || canAdd)'
+            },
+            close: {
+                ngClick: 'formCancel()',
+                ngShow: '!(inventory_script_obj.summary_fields.user_capabilities.edit || canAdd)'
             },
             save: {
                 ngClick: 'formSave()', //$scope.function to call on click, optional
-                ngDisabled: 'custom_inventory_form.$pristine || custom_inventory_form.$invalid || !canEdit' //Disable when $pristine or $invalid, optional
+                ngDisabled: 'custom_inventory_form.$pristine || custom_inventory_form.$invalid', //Disable when $pristine or $invalid, optional
+                ngShow: '(inventory_script_obj.summary_fields.user_capabilities.edit || canAdd)'
             }
         }
     };
diff --git a/awx/ui/client/src/inventory-scripts/inventory-scripts.list.js b/awx/ui/client/src/inventory-scripts/inventory-scripts.list.js
index 213ff84dbf..ca48ecdecc 100644
--- a/awx/ui/client/src/inventory-scripts/inventory-scripts.list.js
+++ b/awx/ui/client/src/inventory-scripts/inventory-scripts.list.js
@@ -42,7 +42,8 @@ export default function(){
                 ngClick: 'addCustomInv()',
                 awToolTip: 'Create a new custom inventory',
                 actionClass: 'btn List-buttonSubmit',
-                buttonContent: '&#43; ADD'
+                buttonContent: '&#43; ADD',
+                ngShow: 'canAdd'
             }
         },
 
@@ -56,7 +57,16 @@ export default function(){
                 label: 'Edit',
                 "class": 'btn-sm',
                 awToolTip: 'Edit inventory script',
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: 'inventory_script.summary_fields.user_capabilities.edit'
+            },
+            view: {
+                ngClick: "editCustomInv(inventory_script.id)",
+                label: 'View',
+                "class": 'btn-sm',
+                awToolTip: 'View inventory script',
+                dataPlacement: 'top',
+                ngShow: '!inventory_script.summary_fields.user_capabilities.edit'
             },
             "delete": {
                 ngClick: "deleteCustomInv(inventory_script.id, inventory_script.name)",
@@ -64,7 +74,8 @@ export default function(){
                 label: 'Delete',
                 "class": 'btn-sm',
                 awToolTip: 'Delete inventory script',
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: 'inventory_script.summary_fields.user_capabilities.delete'
             }
         }
     };
diff --git a/awx/ui/client/src/inventory-scripts/list/list.controller.js b/awx/ui/client/src/inventory-scripts/list/list.controller.js
index c9f3e4d360..08e0db5f67 100644
--- a/awx/ui/client/src/inventory-scripts/list/list.controller.js
+++ b/awx/ui/client/src/inventory-scripts/list/list.controller.js
@@ -7,17 +7,24 @@
 export default
     [   '$rootScope','Wait', 'generateList', 'inventoryScriptsListObject',
         'GetBasePath' , 'SearchInit' , 'PaginateInit', 'Rest' , 'ProcessErrors',
-        'Prompt', '$state', '$filter',
+        'Prompt', '$state', '$filter', 'rbacUiControlService',
         function(
             $rootScope,Wait, GenerateList, inventoryScriptsListObject,
             GetBasePath, SearchInit, PaginateInit,
-            Rest, ProcessErrors, Prompt, $state, $filter
+            Rest, ProcessErrors, Prompt, $state, $filter, rbacUiControlService
         ) {
             var scope = $rootScope.$new(),
                 defaultUrl = GetBasePath('inventory_scripts'),
                 list = inventoryScriptsListObject,
                 view = GenerateList;
 
+            scope.canAdd = false;
+
+            rbacUiControlService.canAdd("inventory_scripts")
+                .then(function(canAdd) {
+                    scope.canAdd = canAdd;
+                });
+
             view.inject( list, {
                 mode: 'edit',
                 scope: scope
diff --git a/awx/ui/client/src/job-templates/add/job-templates-add.controller.js b/awx/ui/client/src/job-templates/add/job-templates-add.controller.js
index 39a9377c0a..0af5406c9d 100644
--- a/awx/ui/client/src/job-templates/add/job-templates-add.controller.js
+++ b/awx/ui/client/src/job-templates/add/job-templates-add.controller.js
@@ -21,6 +21,15 @@
              $state, CreateSelect2, $q
          ) {
 
+             Rest.setUrl(GetBasePath('job_templates'));
+             Rest.options()
+                 .success(function(data) {
+                     if (!data.actions.POST) {
+                         $state.go("^");
+                         Alert('Permission Error', 'You do not have permission to add a job template.', 'alert-info');
+                     }
+                 });
+
             ClearScope();
             // Inject dynamic view
             var defaultUrl = GetBasePath('job_templates'),
diff --git a/awx/ui/client/src/job-templates/edit/job-templates-edit.controller.js b/awx/ui/client/src/job-templates/edit/job-templates-edit.controller.js
index c30412504a..2bb0929cd4 100644
--- a/awx/ui/client/src/job-templates/edit/job-templates-edit.controller.js
+++ b/awx/ui/client/src/job-templates/edit/job-templates-edit.controller.js
@@ -36,6 +36,12 @@ export default
 
             ClearScope();
 
+            $scope.$watch('job_template_obj.summary_fields.user_capabilities.edit', function(val) {
+                if (val === false) {
+                    $scope.canAdd = false;
+                }
+            });
+
             var defaultUrl = GetBasePath('job_templates'),
                 generator = GenerateForm,
                 form = JobTemplateForm(),
diff --git a/awx/ui/client/src/job-templates/list/job-templates-list.controller.js b/awx/ui/client/src/job-templates/list/job-templates-list.controller.js
index 48cec89271..4e50f43fec 100644
--- a/awx/ui/client/src/job-templates/list/job-templates-list.controller.js
+++ b/awx/ui/client/src/job-templates/list/job-templates-list.controller.js
@@ -10,18 +10,24 @@ export default
         'Prompt', 'SearchInit', 'PaginateInit', 'ReturnToCaller', 'ClearScope',
         'ProcessErrors', 'GetBasePath', 'JobTemplateForm', 'CredentialList',
         'LookUpInit', 'InitiatePlaybookRun', 'Wait', '$compile',
-        '$state', '$filter',
+        '$state', '$filter', 'rbacUiControlService',
 
         function(
             $scope, $rootScope, $location, $log,
             $stateParams, Rest, Alert, JobTemplateList, GenerateList, Prompt,
             SearchInit, PaginateInit, ReturnToCaller, ClearScope, ProcessErrors,
             GetBasePath, JobTemplateForm, CredentialList, LookUpInit, InitiatePlaybookRun,
-            Wait, $compile, $state, $filter
+            Wait, $compile, $state, $filter, rbacUiControlService
         ) {
-
             ClearScope();
 
+            $scope.canAdd = false;
+
+            rbacUiControlService.canAdd("job_templates")
+                .then(function(canAdd) {
+                    $scope.canAdd = canAdd;
+                });
+
             var list = JobTemplateList,
                 defaultUrl = GetBasePath('job_templates'),
                 view = GenerateList,
diff --git a/awx/ui/client/src/job-templates/survey-maker/survey-maker.block.less b/awx/ui/client/src/job-templates/survey-maker/survey-maker.block.less
index f0976c5927..4e3597e7d0 100644
--- a/awx/ui/client/src/job-templates/survey-maker/survey-maker.block.less
+++ b/awx/ui/client/src/job-templates/survey-maker/survey-maker.block.less
@@ -70,6 +70,12 @@
     flex: 0 0 637px;
     max-width: 637px;
 }
+
+.SurveyMaker-previewPanel--viewOnly {
+    flex: 0 0 1155px;
+    max-width: 1155px;
+}
+
 .SurveyMaker-separatorPanel {
     display: flex;
     flex: 0 0 51px;
diff --git a/awx/ui/client/src/lists/AllJobs.js b/awx/ui/client/src/lists/AllJobs.js
index 1e3bb3629b..7aecc6bf57 100644
--- a/awx/ui/client/src/lists/AllJobs.js
+++ b/awx/ui/client/src/lists/AllJobs.js
@@ -94,28 +94,33 @@ export default
         fieldActions: {
 
             columnClass: 'col-lg-2 col-md-2 col-sm-3 col-xs-4',
-
+            "view": {
+                mode: "all",
+                ngClick: "viewJob(all_job.id)",
+                awToolTip: "View the job",
+                dataPlacement: "top"
+            },
             submit: {
                 icon: 'icon-rocket',
                 mode: 'all',
                 ngClick: 'relaunchJob($event, all_job.id)',
                 awToolTip: 'Relaunch using the same parameters',
                 dataPlacement: 'top',
-                ngHide: "all_job.type == 'system_job' "
+                ngShow: "!(all_job.type == 'system_job') && all_job.summary_fields.user_capabilities.start"
             },
             cancel: {
                 mode: 'all',
                 ngClick: 'deleteJob(all_job.id)',
                 awToolTip: 'Cancel the job',
                 dataPlacement: 'top',
-                ngShow: "all_job.status === 'running'|| all_job.status === 'waiting' || all_job.status === 'pending'"
+                ngShow: "(all_job.status === 'running'|| all_job.status === 'waiting' || all_job.status === 'pending') && all_job.summary_fields.user_capabilities.start"
             },
             "delete": {
                 mode: 'all',
                 ngClick: 'deleteJob(all_job.id)',
                 awToolTip: 'Delete the job',
                 dataPlacement: 'top',
-                ngShow: "all_job.status !== 'running' && all_job.status !== 'waiting' && all_job.status !== 'pending'"
+                ngShow: "(all_job.status !== 'running' && all_job.status !== 'waiting' && all_job.status !== 'pending') && all_job.summary_fields.user_capabilities.delete"
             }
         }
     });
diff --git a/awx/ui/client/src/lists/CompletedJobs.js b/awx/ui/client/src/lists/CompletedJobs.js
index 23e4f325a8..319ee98074 100644
--- a/awx/ui/client/src/lists/CompletedJobs.js
+++ b/awx/ui/client/src/lists/CompletedJobs.js
@@ -100,13 +100,14 @@ export default
                 ngClick: 'relaunchJob($event, completed_job.id)',
                 awToolTip: 'Relaunch using the same parameters',
                 dataPlacement: 'top',
-                ngHide: "completed_job.type == 'system_job' "
+                ngShow: "!completed_job.type == 'system_job' || completed_job.summary_fields.user_capabilities.start"
             },
             "delete": {
                 mode: 'all',
                 ngClick: 'deleteJob(completed_job.id)',
                 awToolTip: 'Delete the job',
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: 'completed_job.summary_fields.user_capabilities.delete'
             }
         }
     });
diff --git a/awx/ui/client/src/lists/Credentials.js b/awx/ui/client/src/lists/Credentials.js
index 580b4b9f5b..d9496b1807 100644
--- a/awx/ui/client/src/lists/Credentials.js
+++ b/awx/ui/client/src/lists/Credentials.js
@@ -72,7 +72,17 @@ export default
                 label: 'Edit',
                 "class": 'btn-sm',
                 awToolTip: 'Edit credential',
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: 'credential.summary_fields.user_capabilities.edit'
+            },
+
+            view: {
+                ngClick: "editCredential(credential.id)",
+                label: 'View',
+                "class": 'btn-sm',
+                awToolTip: 'View credential',
+                dataPlacement: 'top',
+                ngShow: '!credential.summary_fields.user_capabilities.edit'
             },
 
             "delete": {
@@ -81,7 +91,8 @@ export default
                 label: 'Delete',
                 "class": 'btn-sm',
                 awToolTip: 'Delete credential',
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: 'credential.summary_fields.user_capabilities.delete'
             }
         }
     });
diff --git a/awx/ui/client/src/lists/Inventories.js b/awx/ui/client/src/lists/Inventories.js
index c371b83d21..fec3b27c2d 100644
--- a/awx/ui/client/src/lists/Inventories.js
+++ b/awx/ui/client/src/lists/Inventories.js
@@ -91,7 +91,8 @@ export default
                 ngClick: 'addInventory()',
                 awToolTip: 'Create a new inventory',
                 actionClass: 'btn List-buttonSubmit',
-                buttonContent: '&#43; ADD'
+                buttonContent: '&#43; ADD',
+                ngShow: 'canAdd'
             }
         },
 
@@ -103,13 +104,22 @@ export default
                 label: 'Edit',
                 ngClick: 'editInventory(inventory.id)',
                 awToolTip: 'Edit inventory',
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: 'inventory.summary_fields.user_capabilities.edit'
+            },
+            view: {
+                label: 'View',
+                ngClick: 'editInventory(inventory.id)',
+                awToolTip: 'View inventory',
+                dataPlacement: 'top',
+                ngShow: '!inventory.summary_fields.user_capabilities.edit'
             },
             "delete": {
                 label: 'Delete',
                 ngClick: "deleteInventory(inventory.id, inventory.name)",
                 awToolTip: 'Delete inventory',
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: 'inventory.summary_fields.user_capabilities.delete'
             }
         }
     });
diff --git a/awx/ui/client/src/lists/InventoryGroups.js b/awx/ui/client/src/lists/InventoryGroups.js
index c7f1a661e5..d228982dd3 100644
--- a/awx/ui/client/src/lists/InventoryGroups.js
+++ b/awx/ui/client/src/lists/InventoryGroups.js
@@ -143,7 +143,8 @@ export default
                 actionClass: 'btn List-buttonDefault',
                 buttonContent: 'RUN COMMANDS',
                 showTipWhenDisabled: true,
-                tooltipInnerClass: "Tooltip-wide"
+                tooltipInnerClass: "Tooltip-wide",
+                ngShow: 'canAdhoc'
                 // TODO: set up a tip watcher and change text based on when
                 // things are selected/not selected.  This is started and
                 // commented out in the inventory controller within the watchers.
@@ -155,7 +156,8 @@ export default
                 ngClick: "createGroup()",
                 awToolTip: "Create a new group",
                 actionClass: 'btn List-buttonSubmit',
-                buttonContent: '&#43; ADD GROUP'
+                buttonContent: '&#43; ADD GROUP',
+                ngShow: 'canAdd'
             }
         },
 
@@ -169,8 +171,8 @@ export default
                 ngClick: 'updateGroup(group)',
                 awToolTip: "{{ group.launch_tooltip }}",
                 dataTipWatch: "group.launch_tooltip",
-                ngShow: "group.status !== 'running' && group.status " +
-                    "!== 'pending' && group.status !== 'updating'",
+                ngShow: "(group.status !== 'running' && group.status " +
+                    "!== 'pending' && group.status !== 'updating') && group.summary_fields.user_capabilities.start",
                 ngClass: "group.launch_class",
                 dataPlacement: "top",
             },
@@ -180,8 +182,8 @@ export default
                 ngClick: "cancelUpdate(group.id)",
                 awToolTip: "Cancel sync process",
                 'class': 'red-txt',
-                ngShow: "group.status == 'running' || group.status == 'pending' " +
-                    "|| group.status == 'updating'",
+                ngShow: "(group.status == 'running' || group.status == 'pending' " +
+                    "|| group.status == 'updating') && group.summary_fields.user_capabilities.start",
                 dataPlacement: "top",
                 iconClass: "fa fa-minus-circle"
             },
@@ -189,7 +191,7 @@ export default
                 mode: 'all',
                 ngClick: "copyMoveGroup(group.id)",
                 awToolTip: 'Copy or move group',
-                ngShow: "group.id > 0",
+                ngShow: "group.id > 0 && group.summary_fields.user_capabilities.copy",
                 dataPlacement: "top"
             },
             schedule: {
@@ -198,21 +200,31 @@ export default
                 awToolTip: "{{ group.group_schedule_tooltip }}",
                 ngClass: "group.scm_type_class",
                 dataPlacement: 'top',
-                ngHide: "group.summary_fields.inventory_source.source === ''"
+                ngShow: "!(group.summary_fields.inventory_source.source === '') && group.summary_fields.user_capabilities.schedule"
             },
             edit: {
                 //label: 'Edit',
                 mode: 'all',
                 ngClick: "editGroup(group.id)",
                 awToolTip: 'Edit group',
-                dataPlacement: "top"
+                dataPlacement: "top",
+                ngShow: "group.summary_fields.user_capabilities.edit"
+            },
+            view: {
+                //label: 'Edit',
+                mode: 'all',
+                ngClick: "editGroup(group.id)",
+                awToolTip: 'View group',
+                dataPlacement: "top",
+                ngShow: "!group.summary_fields.user_capabilities.edit"
             },
             "delete": {
                 //label: 'Delete',
                 mode: 'all',
                 ngClick: "deleteGroup(group)",
                 awToolTip: 'Delete group',
-                dataPlacement: "top"
+                dataPlacement: "top",
+                ngShow: "group.summary_fields.user_capabilities.delete"
             }
         }
     });
diff --git a/awx/ui/client/src/lists/InventoryHosts.js b/awx/ui/client/src/lists/InventoryHosts.js
index 1c01a77021..1a01ae1ca2 100644
--- a/awx/ui/client/src/lists/InventoryHosts.js
+++ b/awx/ui/client/src/lists/InventoryHosts.js
@@ -78,21 +78,31 @@ export default
                 mode: 'all',
                 ngClick: "copyMoveHost(host.id)",
                 awToolTip: 'Copy or move host to another group',
-                dataPlacement: "top"
+                dataPlacement: "top",
+                ngShow: 'host.summary_fields.user_capabilities.edit'
             },
             edit: {
                 //label: 'Edit',
                 ngClick: "editHost(host.id)",
                 icon: 'icon-edit',
                 awToolTip: 'Edit host',
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: 'host.summary_fields.user_capabilities.edit'
+            },
+            view: {
+                //label: 'Edit',
+                ngClick: "editHost(host.id)",
+                awToolTip: 'View host',
+                dataPlacement: 'top',
+                ngShow: '!host.summary_fields.user_capabilities.edit'
             },
             "delete": {
                 //label: 'Delete',
                 ngClick: "deleteHost(host.id, host.name)",
                 icon: 'icon-trash',
                 awToolTip: 'Delete host',
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: 'host.summary_fields.user_capabilities.delete'
             }
         },
 
@@ -122,7 +132,8 @@ export default
                 ngClick: "createHost()",
                 awToolTip: "Create a new host",
                 actionClass: 'btn List-buttonSubmit',
-                buttonContent: '&#43; ADD HOST'
+                buttonContent: '&#43; ADD HOST',
+                ngShow: 'canAdd'
             }
         }
 
diff --git a/awx/ui/client/src/lists/JobTemplates.js b/awx/ui/client/src/lists/JobTemplates.js
index cd61344686..ce75bf3dd6 100644
--- a/awx/ui/client/src/lists/JobTemplates.js
+++ b/awx/ui/client/src/lists/JobTemplates.js
@@ -55,7 +55,8 @@ export default
                 basePaths: ['job_templates'],
                 awToolTip: 'Create a new template',
                 actionClass: 'btn List-buttonSubmit',
-                buttonContent: '&#43; ADD'
+                buttonContent: '&#43; ADD',
+                ngShow: 'canAdd'
             }
         },
 
@@ -68,7 +69,8 @@ export default
                 mode: 'all',
                 ngClick: 'submitJob(job_template.id)',
                 awToolTip: 'Start a job using this template',
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: 'job_template.summary_fields.user_capabilities.start'
             },
             schedule: {
                 label: 'Schedule',
@@ -76,6 +78,7 @@ export default
                 ngClick: 'scheduleJob(job_template.id)',
                 awToolTip: 'Schedule future job template runs',
                 dataPlacement: 'top',
+                ngShow: 'job_template.summary_fields.user_capabilities.schedule'
             },
             copy: {
                 label: 'Copy',
@@ -83,7 +86,7 @@ export default
                 "class": 'btn-danger btn-xs',
                 awToolTip: 'Copy template',
                 dataPlacement: 'top',
-                ngHide: 'job_template.summary_fields.can_copy===false'
+                ngShow: 'job_template.summary_fields.user_capabilities.copy'
             },
             edit: {
                 label: 'Edit',
@@ -91,6 +94,15 @@ export default
                 awToolTip: 'Edit template',
                 "class": 'btn-default btn-xs',
                 dataPlacement: 'top',
+                ngShow: 'job_template.summary_fields.user_capabilities.edit'
+            },
+            view: {
+                label: 'View',
+                ngClick: "editJobTemplate(job_template.id)",
+                awToolTip: 'View template',
+                "class": 'btn-default btn-xs',
+                dataPlacement: 'top',
+                ngShow: '!job_template.summary_fields.user_capabilities.edit'
             },
             "delete": {
                 label: 'Delete',
@@ -98,6 +110,7 @@ export default
                 "class": 'btn-danger btn-xs',
                 awToolTip: 'Delete template',
                 dataPlacement: 'top',
+                ngShow: 'job_template.summary_fields.user_capabilities.delete'
             }
         }
     });
diff --git a/awx/ui/client/src/lists/Projects.js b/awx/ui/client/src/lists/Projects.js
index a209a9ae1d..93d940730a 100644
--- a/awx/ui/client/src/lists/Projects.js
+++ b/awx/ui/client/src/lists/Projects.js
@@ -65,7 +65,8 @@ export default
                 ngClick: 'addProject()',
                 awToolTip: 'Create a new project',
                 actionClass: 'btn List-buttonSubmit',
-                buttonContent: '&#43; ADD'
+                buttonContent: '&#43; ADD',
+                ngShow: "canAdd"
             },
             refresh: {
                 mode: 'all',
@@ -86,30 +87,40 @@ export default
                 awToolTip: "{{ project.scm_update_tooltip }}",
                 dataTipWatch: "project.scm_update_tooltip",
                 ngClass: "project.scm_type_class",
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: "project.summary_fields.user_capabilities.start"
             },
             schedule: {
                 mode: 'all',
                 ngClick: "editSchedules(project.id)",
                 awToolTip: "{{ project.scm_schedule_tooltip }}",
                 ngClass: "project.scm_type_class",
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: "project.summary_fields.user_capabilities.schedule"
             },
             edit: {
                 ngClick: "editProject(project.id)",
                 awToolTip: 'Edit the project',
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: "project.summary_fields.user_capabilities.edit"
+            },
+            view: {
+                ngClick: "editProject(project.id)",
+                awToolTip: 'View the project',
+                dataPlacement: 'top',
+                ngShow: "!project.summary_fields.user_capabilities.edit",
+                icon: 'fa-eye',
             },
             "delete": {
                 ngClick: "deleteProject(project.id, project.name)",
                 awToolTip: 'Delete the project',
-                ngShow: "project.status !== 'updating' && project.status !== 'running' && project.status !== 'pending'",
+                ngShow: "(project.status !== 'updating' && project.status !== 'running' && project.status !== 'pending')  && project.summary_fields.user_capabilities.delete",
                 dataPlacement: 'top'
             },
             cancel: {
                 ngClick: "cancelUpdate(project.id, project.name)",
                 awToolTip: 'Cancel the SCM update',
-                ngShow: "project.status == 'updating' || project.status == 'running' || project.status == 'pending'",
+                ngShow: "(project.status == 'updating' || project.status == 'running' || project.status == 'pending') && project.summary_fields.user_capabilities.start",
                 dataPlacement: 'top'
             }
         }
diff --git a/awx/ui/client/src/lists/ScheduledJobs.js b/awx/ui/client/src/lists/ScheduledJobs.js
index be4e7bd22d..9f535c189e 100644
--- a/awx/ui/client/src/lists/ScheduledJobs.js
+++ b/awx/ui/client/src/lists/ScheduledJobs.js
@@ -78,13 +78,22 @@ export default
                 mode: "all",
                 ngClick: "editSchedule(schedule)",
                 awToolTip: "Edit the schedule",
-                dataPlacement: "top"
+                dataPlacement: "top",
+                ngShow: 'schedule.summary_fields.user_capabilities.edit'
+            },
+            "view": {
+                mode: "all",
+                ngClick: "editSchedule(schedule)",
+                awToolTip: "View the schedule",
+                dataPlacement: "top",
+                ngShow: '!schedule.summary_fields.user_capabilities.edit'
             },
             "delete": {
                 mode: 'all',
                 ngClick: 'deleteSchedule(schedule.id)',
                 awToolTip: 'Delete the schedule',
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: 'schedule.summary_fields.user_capabilities.delete'
             }
         }
     });
diff --git a/awx/ui/client/src/lists/Schedules.js b/awx/ui/client/src/lists/Schedules.js
index 9159862976..1249932eb4 100644
--- a/awx/ui/client/src/lists/Schedules.js
+++ b/awx/ui/client/src/lists/Schedules.js
@@ -69,7 +69,8 @@ export default
                 ngClick: 'addSchedule()',
                 awToolTip: 'Add a new schedule',
                 actionClass: 'btn List-buttonSubmit',
-                buttonContent: '&#43; ADD'
+                buttonContent: '&#43; ADD',
+                ngShow: 'canAdd'
             }
         },
 
@@ -79,14 +80,23 @@ export default
                 ngClick: "editSchedule(schedule.id)",
                 icon: 'icon-edit',
                 awToolTip: 'Edit schedule',
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: 'schedule.summary_fields.user_capabilities.edit'
+            },
+            view: {
+                label: 'View',
+                ngClick: "editSchedule(schedule.id)",
+                awToolTip: 'View schedule',
+                dataPlacement: 'top',
+                ngShow: '!schedule.summary_fields.user_capabilities.edit'
             },
             "delete": {
                 label: 'Delete',
                 ngClick: "deleteSchedule(schedule.id)",
                 icon: 'icon-trash',
                 awToolTip: 'Delete schedule',
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: 'schedule.summary_fields.user_capabilities.delete'
             }
         }
     });
diff --git a/awx/ui/client/src/lists/Teams.js b/awx/ui/client/src/lists/Teams.js
index 5f12b07b53..73fbfe38e2 100644
--- a/awx/ui/client/src/lists/Teams.js
+++ b/awx/ui/client/src/lists/Teams.js
@@ -47,7 +47,8 @@ export default
                 ngClick: 'addTeam()',
                 awToolTip: 'Create a new team',
                 actionClass: 'btn List-buttonSubmit',
-                buttonContent: '&#43; ADD'
+                buttonContent: '&#43; ADD',
+                ngShow: 'canAdd'
             }
         },
 
@@ -61,16 +62,25 @@ export default
                 icon: 'icon-edit',
                 "class": 'btn-xs btn-default',
                 awToolTip: 'Edit team',
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: 'team.summary_fields.user_capabilities.edit'
+            },
+            view: {
+                label: 'View',
+                ngClick: "editTeam(team.id)",
+                "class": 'btn-xs btn-default',
+                awToolTip: 'View team',
+                dataPlacement: 'top',
+                ngShow: '!team.summary_fields.user_capabilities.edit'
             },
-
             "delete": {
                 label: 'Delete',
                 ngClick: "deleteTeam(team.id, team.name)",
                 icon: 'icon-trash',
                 "class": 'btn-xs btn-danger',
                 awToolTip: 'Delete team',
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: 'team.summary_fields.user_capabilities.delete'
             }
         }
     });
diff --git a/awx/ui/client/src/lists/Users.js b/awx/ui/client/src/lists/Users.js
index 5d86704db4..ad70d1c30f 100644
--- a/awx/ui/client/src/lists/Users.js
+++ b/awx/ui/client/src/lists/Users.js
@@ -44,7 +44,8 @@ export default
                 basePaths: ['organizations', 'users'], // base path must be in list, or action not available
                 awToolTip: 'Create a new user',
                 actionClass: 'btn List-buttonSubmit',
-                buttonContent: '&#43; ADD'
+                buttonContent: '&#43; ADD',
+                ngShow: 'canAdd'
             }
         },
 
@@ -58,7 +59,17 @@ export default
                 icon: 'icon-edit',
                 "class": 'btn-xs btn-default',
                 awToolTip: 'Edit user',
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: 'user.summary_fields.user_capabilities.edit'
+            },
+
+            view: {
+                label: 'View',
+                ngClick: "editUser(user.id)",
+                "class": 'btn-xs btn-default',
+                awToolTip: 'View user',
+                dataPlacement: 'top',
+                ngShow: '!user.summary_fields.user_capabilities.edit'
             },
 
             "delete": {
@@ -67,7 +78,8 @@ export default
                 icon: 'icon-trash',
                 "class": 'btn-xs btn-danger',
                 awToolTip: 'Delete user',
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: 'user.summary_fields.user_capabilities.delete'
             }
         }
     });
diff --git a/awx/ui/client/src/management-jobs/card/card.partial.html b/awx/ui/client/src/management-jobs/card/card.partial.html
index ae0d660b50..0b90bf8bdc 100644
--- a/awx/ui/client/src/management-jobs/card/card.partial.html
+++ b/awx/ui/client/src/management-jobs/card/card.partial.html
@@ -17,6 +17,7 @@
 				<div class="MgmtCards-actionItems">
 					<button class="MgmtCards-actionItem List-actionButton"
 						ng-click='chooseRunJob(card.id, card.name)'
+						ng-show='current_user.is_superuser'
 						data-placement="top" aw-tool-tip="Launch Management Job" data-original-title="" title="">
 						<i class="MgmtCards-actionItemIcon icon-launch"></i>
 					</button>
@@ -27,6 +28,7 @@
 					</button>
 					<button class="MgmtCards-actionItem List-actionButton"
 						ng-click='goToNotifications(card, card.id)'
+						ng-show='current_user.is_superuser'
 						data-placement="top" aw-tool-tip="Configure Notifications" data-original-title="" title="" ng-class="{'List-editButton--selected': activeCard === card.id && cardAction === 'notifications'}">
 						<i class="MgmtCards-actionItemIcon fa fa-bell-o"></i>
 					</button>
diff --git a/awx/ui/client/src/notifications/add/add.controller.js b/awx/ui/client/src/notifications/add/add.controller.js
index 0b58f2e257..122d822cf4 100644
--- a/awx/ui/client/src/notifications/add/add.controller.js
+++ b/awx/ui/client/src/notifications/add/add.controller.js
@@ -9,14 +9,23 @@ export default
         'NotificationsFormObject', 'ProcessErrors', 'GetBasePath', 'Empty',
         'GenerateForm', 'SearchInit' , 'PaginateInit', 'LookUpInit',
         'OrganizationList', '$scope', '$state', 'CreateSelect2', 'GetChoices',
-        'NotificationsTypeChange', 'ParseTypeChange',
+        'NotificationsTypeChange', 'ParseTypeChange', 'Alert',
         function(
             $rootScope, pagination, $compile, SchedulerInit, Rest, Wait,
             NotificationsFormObject, ProcessErrors, GetBasePath, Empty,
             GenerateForm, SearchInit, PaginateInit, LookUpInit,
             OrganizationList, $scope, $state, CreateSelect2, GetChoices,
-            NotificationsTypeChange, ParseTypeChange
+            NotificationsTypeChange, ParseTypeChange, Alert
         ) {
+            Rest.setUrl(GetBasePath('projects'));
+            Rest.options()
+                .success(function(data) {
+                    if (!data.actions.POST) {
+                        $state.go("^");
+                        Alert('Permission Error', 'You do not have permission to add a notification template.', 'alert-info');
+                    }
+                });
+
             var generator = GenerateForm,
                 form = NotificationsFormObject,
                 url = GetBasePath('notification_templates');
diff --git a/awx/ui/client/src/notifications/edit/edit.controller.js b/awx/ui/client/src/notifications/edit/edit.controller.js
index 44c50a71ce..0733096f83 100644
--- a/awx/ui/client/src/notifications/edit/edit.controller.js
+++ b/awx/ui/client/src/notifications/edit/edit.controller.js
@@ -26,6 +26,13 @@ export default
                 url = GetBasePath('notification_templates');
 
             $scope.notification_template = notification_template;
+
+            $scope.$watch('notification_template.summary_fields.user_capabilities.edit', function(val) {
+                if (val === false) {
+                    $scope.canAdd = false;
+                }
+            });
+
             generator.inject(form, {
                     mode: 'edit' ,
                     scope:$scope,
diff --git a/awx/ui/client/src/notifications/notification-templates-list/list.controller.js b/awx/ui/client/src/notifications/notification-templates-list/list.controller.js
index 04265f1181..7fc279534b 100644
--- a/awx/ui/client/src/notifications/notification-templates-list/list.controller.js
+++ b/awx/ui/client/src/notifications/notification-templates-list/list.controller.js
@@ -8,12 +8,12 @@ export default
     [   '$rootScope','Wait', 'generateList', 'NotificationTemplatesList',
         'GetBasePath' , 'SearchInit' , 'PaginateInit', 'Rest' ,
         'ProcessErrors', 'Prompt', '$state', 'GetChoices', 'Empty', 'Find',
-        'ngToast', '$compile', '$filter',
+        'ngToast', '$compile', '$filter', 'rbacUiControlService',
         function(
             $rootScope,Wait, GenerateList, NotificationTemplatesList,
             GetBasePath, SearchInit, PaginateInit, Rest,
             ProcessErrors, Prompt, $state, GetChoices, Empty, Find, ngToast,
-            $compile, $filter) {
+            $compile, $filter, rbacUiControlService) {
             var scope = $rootScope.$new(),
                 defaultUrl = GetBasePath('notification_templates'),
                 list = NotificationTemplatesList,
@@ -24,6 +24,13 @@ export default
                 scope: scope
             });
 
+            scope.canAdd = false;
+
+            rbacUiControlService.canAdd("notification_templates")
+                .then(function(canAdd) {
+                    scope.canAdd = canAdd;
+                });
+
             scope.removePostRefresh = scope.$on('PostRefresh', function () {
                 Wait('stop');
                 if (scope.notification_templates) {
diff --git a/awx/ui/client/src/notifications/notificationTemplates.form.js b/awx/ui/client/src/notifications/notificationTemplates.form.js
index cd0ff9d945..b796bb5ae2 100644
--- a/awx/ui/client/src/notifications/notificationTemplates.form.js
+++ b/awx/ui/client/src/notifications/notificationTemplates.form.js
@@ -27,13 +27,15 @@ export default function() {
                 type: 'text',
                 addRequired: true,
                 editRequired: true,
-                capitalize: false
+                capitalize: false,
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             description: {
                 label: 'Description',
                 type: 'text',
                 addRequired: false,
-                editRequired: false
+                editRequired: false,
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             organization: {
                 label: 'Organization',
@@ -44,7 +46,8 @@ export default function() {
                 awRequiredWhen: {
                     reqExpression: "organizationrequired",
                     init: "true"
-                }
+                },
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             notification_type: {
                 label:  'Type',
@@ -54,13 +57,15 @@ export default function() {
                 class: 'NotificationsForm-typeSelect',
                 ngOptions: 'type.label for type in notification_type_options track by type.value',
                 ngChange: 'typeChange()',
-                hasSubForm: true
+                hasSubForm: true,
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             username: {
                 label: 'Username',
                 type: 'text',
                 ngShow: "notification_type.value == 'email' ",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
 
             host: {
@@ -71,7 +76,8 @@ export default function() {
                     init: "false"
                 },
                 ngShow: "notification_type.value == 'email' ",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             sender: {
                 label: 'Sender Email',
@@ -81,7 +87,8 @@ export default function() {
                     init: "false"
                 },
                 ngShow: "notification_type.value == 'email' ",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             recipients: {
                 label: 'Recipient List',
@@ -97,7 +104,8 @@ export default function() {
                     init: "false"
                 },
                 ngShow: "notification_type.value == 'email' ",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             password: {
                 labelBind: 'passwordLabel',
@@ -108,7 +116,8 @@ export default function() {
                     init: "false"
                 },
                 ngShow: "notification_type.value == 'email' || notification_type.value == 'irc' ",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             port: {
                 labelBind: 'portLabel',
@@ -122,7 +131,8 @@ export default function() {
                     init: "false"
                 },
                 ngShow: "notification_type.value == 'email' || notification_type.value == 'irc'",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             channels: {
                 label: 'Destination Channels',
@@ -138,7 +148,8 @@ export default function() {
                     init: "false"
                 },
                 ngShow: "notification_type.value == 'slack'",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             rooms: {
                 label: 'Destination Channels',
@@ -154,7 +165,8 @@ export default function() {
                     init: "false"
                 },
                 ngShow: "notification_type.value == 'hipchat'",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             token: {
                 labelBind: 'tokenLabel',
@@ -165,7 +177,8 @@ export default function() {
                     init: "false"
                 },
                 ngShow: "notification_type.value == 'slack' || notification_type.value == 'pagerduty' || notification_type.value == 'hipchat'",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             account_token: {
                 label: 'Account Token',
@@ -176,7 +189,8 @@ export default function() {
                     init: "false"
                 },
                 ngShow: "notification_type.value == 'twilio' ",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             from_number: {
                 label: 'Source Phone Number',
@@ -188,7 +202,8 @@ export default function() {
                     init: "false"
                 },
                 ngShow: "notification_type.value == 'twilio' ",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             to_numbers: {
                 label: 'Destination SMS Number',
@@ -204,7 +219,8 @@ export default function() {
                     init: "false"
                 },
                 ngShow: "notification_type.value == 'twilio' ",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             account_sid: {
                 label: 'Account SID',
@@ -214,7 +230,8 @@ export default function() {
                     init: "false"
                 },
                 ngShow: "notification_type.value == 'twilio' ",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             subdomain: {
                 label: 'Pagerduty subdomain',
@@ -224,7 +241,8 @@ export default function() {
                     init: "false"
                 },
                 ngShow: "notification_type.value == 'pagerduty' ",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             service_key: {
                 label: 'API Service/Integration Key',
@@ -234,7 +252,8 @@ export default function() {
                     init: "false"
                 },
                 ngShow: "notification_type.value == 'pagerduty' ",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             client_name: {
                 label: 'Client Identifier',
@@ -244,7 +263,8 @@ export default function() {
                     init: "false"
                 },
                 ngShow: "notification_type.value == 'pagerduty' ",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             message_from: {
                 label: 'Label to be shown with notification',
@@ -254,7 +274,8 @@ export default function() {
                     init: "false"
                 },
                 ngShow: "notification_type.value == 'hipchat' ",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             api_url: {
                 label: 'API URL',
@@ -265,7 +286,8 @@ export default function() {
                     init: "false"
                 },
                 ngShow: "notification_type.value == 'hipchat' ",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             color: {
                 label: 'Notification Color',
@@ -277,13 +299,15 @@ export default function() {
                     init: "false"
                 },
                 ngShow: "notification_type.value == 'hipchat' ",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             notify: {
                 label: 'Notify Channel',
                 type: 'checkbox',
                 ngShow: "notification_type.value == 'hipchat' ",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             url: {
                 label: 'Target URL',
@@ -293,7 +317,8 @@ export default function() {
                     init: "false"
                 },
                 ngShow: "notification_type.value == 'webhook' ",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             headers: {
                 label: 'HTTP Headers',
@@ -313,7 +338,8 @@ export default function() {
                            '</pre></p>',
                 dataPlacement: 'right',
                 ngShow: "notification_type.value == 'webhook' ",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             server: {
                 label: 'IRC Server Address',
@@ -323,7 +349,8 @@ export default function() {
                     init: "false"
                 },
                 ngShow: "notification_type.value == 'irc' ",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             nickname: {
                 label: 'IRC Nick',
@@ -333,7 +360,8 @@ export default function() {
                     init: "false"
                 },
                 ngShow: "notification_type.value == 'irc' ",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             targets: {
                 label: 'Destination Channels or Users',
@@ -349,13 +377,15 @@ export default function() {
                     init: "false"
                 },
                 ngShow: "notification_type.value == 'irc' ",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             use_ssl: {
                 label: 'SSL Connection',
                 type: 'checkbox',
                 ngShow: "notification_type.value == 'irc'",
-                subForm: 'typeSubForm'
+                subForm: 'typeSubForm',
+                ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             checkbox_group: {
                 label: 'Options',
@@ -367,13 +397,15 @@ export default function() {
                     label: 'Use TLS',
                     type: 'checkbox',
                     ngShow: "notification_type.value == 'email' ",
-                    labelClass: 'checkbox-options stack-inline'
+                    labelClass: 'checkbox-options stack-inline',
+                    ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
                 }, {
                     name: 'use_ssl',
                     label: 'Use SSL',
                     type: 'checkbox',
                     ngShow: "notification_type.value == 'email'",
-                    labelClass: 'checkbox-options stack-inline'
+                    labelClass: 'checkbox-options stack-inline',
+                    ngDisabled: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
                 }]
             }
         },
@@ -381,9 +413,15 @@ export default function() {
         buttons: { //for now always generates <button> tags
             cancel: {
                 ngClick: 'formCancel()',
+                ngShow: '(notification_template.summary_fields.user_capabilities.edit || canAdd)'
+            },
+            close: {
+                ngClick: 'formCancel()',
+                ngShow: '!(notification_template.summary_fields.user_capabilities.edit || canAdd)'
             },
             save: {
-                ngClick: 'formSave()', //$scope.function to call on click, optional
+                ngClick: 'formSave()',
+                ngShow: '(notification_template.summary_fields.user_capabilities.edit || canAdd)', //$scope.function to call on click, optional
                 ngDisabled: true //Disable when $pristine or $invalid, optional
             }
         }
diff --git a/awx/ui/client/src/notifications/notificationTemplates.list.js b/awx/ui/client/src/notifications/notificationTemplates.list.js
index 06eb25615f..58d0794d4a 100644
--- a/awx/ui/client/src/notifications/notificationTemplates.list.js
+++ b/awx/ui/client/src/notifications/notificationTemplates.list.js
@@ -49,7 +49,8 @@ export default function(){
                 ngClick: 'addNotification()',
                 awToolTip: 'Create a new custom inventory',
                 actionClass: 'btn List-buttonSubmit',
-                buttonContent: '&#43; ADD'
+                buttonContent: '&#43; ADD',
+                ngShow: 'canAdd'
             }
         },
 
@@ -62,7 +63,8 @@ export default function(){
                 label: 'Edit',
                 "class": 'btn-sm',
                 awToolTip: 'Test notification',
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: 'notification_template.summary_fields.user_capabilities.edit'
             },
             edit: {
                 ngClick: "editNotification(notification_template.id)",
@@ -70,7 +72,16 @@ export default function(){
                 label: 'Edit',
                 "class": 'btn-sm',
                 awToolTip: 'Edit notification',
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: 'notification_template.summary_fields.user_capabilities.edit'
+            },
+            view: {
+                ngClick: "editNotification(notification_template.id)",
+                label: 'View',
+                "class": 'btn-sm',
+                awToolTip: 'View notification',
+                dataPlacement: 'top',
+                ngShow: '!notification_template.summary_fields.user_capabilities.edit'
             },
             "delete": {
                 ngClick: "deleteNotification(notification_template.id, notification_template.name)",
@@ -78,7 +89,8 @@ export default function(){
                 label: 'Delete',
                 "class": 'btn-sm',
                 awToolTip: 'Delete notification',
-                dataPlacement: 'top'
+                dataPlacement: 'top',
+                ngShow: 'notification_template.summary_fields.user_capabilities.delete'
             }
         }
     };
diff --git a/awx/ui/client/src/notifications/notifications.list.js b/awx/ui/client/src/notifications/notifications.list.js
index 553d125656..ed74e0b12b 100644
--- a/awx/ui/client/src/notifications/notifications.list.js
+++ b/awx/ui/client/src/notifications/notifications.list.js
@@ -65,7 +65,8 @@ export default function(){
                 ngClick: 'addNotificationTemplate()',
                 awToolTip: 'Create a new notification template',
                 actionClass: 'btn List-buttonSubmit',
-                buttonContent: '&#43; ADD NOTIFICATION TEMPLATE'
+                buttonContent: '&#43; ADD NOTIFICATION TEMPLATE',
+                ngShow: 'current_user.is_superuser || (current_user_admin_orgs && current_user_admin_orgs.length > 0)'
             }
         }
 
diff --git a/awx/ui/client/src/notifications/shared/notification-list-init.factory.js b/awx/ui/client/src/notifications/shared/notification-list-init.factory.js
index ba13bea4c9..e8a711e783 100644
--- a/awx/ui/client/src/notifications/shared/notification-list-init.factory.js
+++ b/awx/ui/client/src/notifications/shared/notification-list-init.factory.js
@@ -15,13 +15,21 @@
  */
 
 export default ['Wait', 'GetBasePath', 'ProcessErrors', 'Rest', 'GetChoices',
-    '$state',
-    function(Wait, GetBasePath, ProcessErrors, Rest, GetChoices, $state) {
+    '$state', '$rootScope',
+    function(Wait, GetBasePath, ProcessErrors, Rest, GetChoices, $state, $rootScope) {
     return function(params) {
         var scope = params.scope,
             url = params.url,
             id = params.id;
 
+        scope.current_user_admin_orgs = [];
+
+        Rest.setUrl($rootScope.current_user.related.admin_of_organizations);
+        Rest.get()
+            .success(function(data) {
+                scope.current_user_admin_orgs = data.results.map(i => i.name);
+            });
+
         scope.addNotificationTemplate = function(){
             $state.go('notifications.add');
         };
diff --git a/awx/ui/client/src/organizations/add/organizations-add.controller.js b/awx/ui/client/src/organizations/add/organizations-add.controller.js
index 87c450e903..d209926475 100644
--- a/awx/ui/client/src/organizations/add/organizations-add.controller.js
+++ b/awx/ui/client/src/organizations/add/organizations-add.controller.js
@@ -12,6 +12,15 @@ export default ['$scope', '$rootScope', '$compile', '$location',
         $stateParams, OrganizationForm, GenerateForm, Rest, Alert, ProcessErrors,
         ClearScope, GetBasePath, ReturnToCaller, Wait, $state) {
 
+        Rest.setUrl(GetBasePath('organizations'));
+        Rest.options()
+            .success(function(data) {
+                if (!data.actions.POST) {
+                    $state.go("^");
+                    Alert('Permission Error', 'You do not have permission to add an organization.', 'alert-info');
+                }
+            });
+
         ClearScope();
 
         // Inject dynamic view
diff --git a/awx/ui/client/src/organizations/edit/organizations-edit.controller.js b/awx/ui/client/src/organizations/edit/organizations-edit.controller.js
index 8b63401a31..061c9df43f 100644
--- a/awx/ui/client/src/organizations/edit/organizations-edit.controller.js
+++ b/awx/ui/client/src/organizations/edit/organizations-edit.controller.js
@@ -25,6 +25,12 @@ export default ['$scope', '$rootScope', '$compile', '$location',
             id = $stateParams.organization_id,
             relatedSets = {};
 
+        $scope.$watch('organization_obj.summary_fields.user_capabilities.edit', function(val) {
+            if (val === false) {
+                $scope.canAdd = false;
+            }
+        });
+
         $scope.$parent.activeMode = 'edit';
 
         $scope.$parent.activeCard = parseInt(id);
diff --git a/awx/ui/client/src/organizations/list/organizations-list.controller.js b/awx/ui/client/src/organizations/list/organizations-list.controller.js
index 84510a60dc..13ea87ce82 100644
--- a/awx/ui/client/src/organizations/list/organizations-list.controller.js
+++ b/awx/ui/client/src/organizations/list/organizations-list.controller.js
@@ -8,15 +8,22 @@ export default ['$stateParams', '$scope', '$rootScope', '$location',
     '$log', '$compile', 'Rest', 'PaginateInit',
     'SearchInit', 'OrganizationList', 'Alert', 'Prompt', 'ClearScope',
     'ProcessErrors', 'GetBasePath', 'Wait',
-    '$state', 'generateList', 'Refresh', '$filter',
+    '$state', 'generateList', 'Refresh', '$filter', 'rbacUiControlService',
     function($stateParams, $scope, $rootScope, $location,
         $log, $compile, Rest, PaginateInit,
         SearchInit, OrganizationList, Alert, Prompt, ClearScope,
         ProcessErrors, GetBasePath, Wait,
-        $state, generateList, Refresh, $filter) {
+        $state, generateList, Refresh, $filter, rbacUiControlService) {
 
         ClearScope();
 
+        $scope.canAdd = false;
+
+        rbacUiControlService.canAdd("organizations")
+            .then(function(canAdd) {
+                $scope.canAdd = canAdd;
+            });
+
         var defaultUrl = GetBasePath('organizations'),
             list = OrganizationList,
             pageSize = 24,
@@ -25,6 +32,7 @@ export default ['$stateParams', '$scope', '$rootScope', '$location',
         var parseCardData = function(cards) {
             return cards.map(function(card) {
                 var val = {}, url = '/#/organizations/' + card.id + '/';
+                val.user_capabilities = card.summary_fields.user_capabilities;
                 val.name = card.name;
                 val.id = card.id;
                 val.description = card.description || undefined;
diff --git a/awx/ui/client/src/organizations/list/organizations-list.partial.html b/awx/ui/client/src/organizations/list/organizations-list.partial.html
index 6018e602ce..9746cc5756 100644
--- a/awx/ui/client/src/organizations/list/organizations-list.partial.html
+++ b/awx/ui/client/src/organizations/list/organizations-list.partial.html
@@ -13,6 +13,7 @@
             <div class="List-actions">
                 <button class="btn List-buttonSubmit"
                     aw-tool-tip="Create a new organization"
+                    ng-show="canAdd"
                     ng-click="addOrganization()">
                     + ADD
                 </button>
@@ -31,13 +32,23 @@
                         <div class="OrgCards-actionItems">
                             <button class="OrgCards-actionItem
                                 List-actionButton"
+                                ng-show="card.user_capabilities.edit"
                                 ng-class="{'List-editButton--selected': (activeCard === card.id || card.isActiveCard) && activeMode === 'edit' }"
                                 ng-click="editOrganization(card.id)">
                                 <i class="OrgCards-actionItemIcon fa fa-pencil">
                                 </i>
                             </button>
+                            <button class="OrgCards-actionItem
+                                List-actionButton"
+                                ng-show="!card.user_capabilities.edit"
+                                ng-class="{'List-editButton--selected': (activeCard === card.id || card.isActiveCard) && activeMode === 'edit' }"
+                                ng-click="editOrganization(card.id)">
+                                <i class="OrgCards-actionItemIcon fa fa-search-plus">
+                                </i>
+                            </button>
                             <button class="OrgCards-actionItem List-actionButton
                                 List-actionButton--delete"
+                                ng-show="card.user_capabilities.delete"
                                 ng-click="deleteOrganization(card.id, card.name)">
                                 <i class="OrgCards-actionItemIcon
                                     fa fa-trash-o">
diff --git a/awx/ui/client/src/partials/survey-maker-modal.html b/awx/ui/client/src/partials/survey-maker-modal.html
index b87b6f961b..4ab7dfcc83 100644
--- a/awx/ui/client/src/partials/survey-maker-modal.html
+++ b/awx/ui/client/src/partials/survey-maker-modal.html
@@ -32,13 +32,13 @@
         </div>
     </div>
     <div class="SurveyMaker-content">
-        <div class="SurveyMaker-questionPanel">
+        <div class="SurveyMaker-questionPanel" ng-show="(job_template_obj.summary_fields.user_capabilities.edit || canAdd)">
             <div id="survey_maker_question_form"></div>
         </div>
-        <div class="SurveyMaker-separatorPanel">
+        <div class="SurveyMaker-separatorPanel" ng-show="(job_template_obj.summary_fields.user_capabilities.edit || canAdd)">
             <div class="SurveyMaker-contentSeparator"></div>
         </div>
-        <div class="SurveyMaker-previewPanel">
+        <div class="SurveyMaker-previewPanel" ng-class="{'SurveyMaker-previewPanel--viewOnly': !(job_template_obj.summary_fields.user_capabilities.edit || canAdd)}">
             <div style="display: flex; flex-direction: column; width: 100%;">
                 <div class="SurveyMaker-panelHeader">PREVIEW</div>
                 <div class="SurveyMaker-panelBody">
@@ -56,13 +56,13 @@
                                     <i>{{question.question_description}}</i>
                                 </div>
                                 <div class="SurveyMaker-previewInputRow">
-                                    <span dnd-handle class="SurveyMaker-reorderButton" data-placement="top" aw-tool-tip="Drag to reorder question" data-original-title="" title="">
+                                    <span dnd-handle class="SurveyMaker-reorderButton" data-placement="top" aw-tool-tip="Drag to reorder question" data-original-title="" title="" ng-show="(job_template_obj.summary_fields.user_capabilities.edit || canAdd)">
                                         <i class="fa fa-ellipsis-v"></i>
                                         <span>&nbsp;</span>
                                         <i class="fa fa-ellipsis-v"></i>
                                     </span>
                                     <survey-question class="SurveyMaker-previewInput" preview="true" question="question" ng-required="question.required" ng-disabled=true></survey-question>
-                                    <div class="SurveyMaker-previewActions">
+                                    <div class="SurveyMaker-previewActions" ng-show="(job_template_obj.summary_fields.user_capabilities.edit || canAdd)">
                                         <button class="List-actionButton" data-placement="top" ng-class="{'SurveyMaker-previewActions--selected' : editQuestionIndex == $index}" ng-click="editQuestion($index)" aw-tool-tip="Edit question" data-original-title="" title="">
                                             <i class="fa fa-pencil"></i>
                                         </button>
@@ -80,9 +80,10 @@
                 </div>
                 <div class="SurveyMaker-panelFooter">
                     <div class="Form-buttons">
-                        <button id="survey-delete-button" class="btn btn-sm SurveyMaker-deleteButton" ng-show="survey_exists" ng-click="showDeleteOverlay('survey')">DELETE SURVEY</button>
-                        <button id="survey-close-button" class="btn btn-sm Form-buttonDefault" ng-click="closeSurvey('survey-modal-dialog')">CANCEL</button>
-                        <button id="survey-save-button" class="btn btn-sm Form-saveButton" ng-click="saveSurvey()" ng-disabled="survey_questions.length < 1 || !can_edit || editQuestionIndex !== null">SAVE</button>
+                        <button id="survey-delete-button" class="btn btn-sm SurveyMaker-deleteButton" ng-show="survey_exists && (job_template_obj.summary_fields.user_capabilities.edit || canAdd)" ng-click="showDeleteOverlay('survey')">DELETE SURVEY</button>
+                        <button id="survey-close-button" class="btn btn-sm Form-buttonDefault" ng-click="closeSurvey('survey-modal-dialog')" ng-show="(job_template_obj.summary_fields.user_capabilities.edit || canAdd)">CANCEL</button>
+                        <button id="survey-close-button" class="btn btn-sm Form-buttonDefault" ng-click="closeSurvey('survey-modal-dialog')" ng-show="!(job_template_obj.summary_fields.user_capabilities.edit || canAdd)">CLOSE</button>
+                        <button id="survey-save-button" class="btn btn-sm Form-saveButton" ng-click="saveSurvey()" ng-disabled="survey_questions.length < 1 || !can_edit || editQuestionIndex !== null" ng-show="(job_template_obj.summary_fields.user_capabilities.edit || canAdd)">SAVE</button>
                     </div>
                 </div>
             </div>
diff --git a/awx/ui/client/src/scheduler/scheduler.controller.js b/awx/ui/client/src/scheduler/scheduler.controller.js
index dffa82098e..db8eaa7b29 100644
--- a/awx/ui/client/src/scheduler/scheduler.controller.js
+++ b/awx/ui/client/src/scheduler/scheduler.controller.js
@@ -14,11 +14,11 @@
 export default [
     '$scope', '$compile', '$location', '$stateParams', 'SchedulesList', 'Rest',
     'ProcessErrors', 'ReturnToCaller', 'ClearScope', 'GetBasePath', 'Wait',
-    'Find', 'LoadSchedulesScope', 'GetChoices', '$q', '$state',
+    'Find', 'LoadSchedulesScope', 'GetChoices', '$q', '$state', 'rbacUiControlService',
     function ($scope, $compile, $location, $stateParams,
     SchedulesList, Rest, ProcessErrors, ReturnToCaller, ClearScope,
     GetBasePath, Wait, Find, LoadSchedulesScope, GetChoices,
-    $q, $state) {
+    $q, $state, rbacUiControlService) {
         var schedList = _.cloneDeep(SchedulesList);
 
         ClearScope();
@@ -48,6 +48,14 @@ export default [
         }
         $scope.removeParentLoaded = $scope.$on('ParentLoaded', function() {
             url += "schedules/";
+
+            $scope.canAdd = false;
+
+            rbacUiControlService.canAdd(url)
+                .then(function(canAdd) {
+                    $scope.canAdd = canAdd;
+                });
+
             schedList.well = true;
 
             // include name of item in listTitle
diff --git a/awx/ui/client/src/scheduler/schedulerAdd.controller.js b/awx/ui/client/src/scheduler/schedulerAdd.controller.js
index 48dcbb764b..e1ffc75589 100644
--- a/awx/ui/client/src/scheduler/schedulerAdd.controller.js
+++ b/awx/ui/client/src/scheduler/schedulerAdd.controller.js
@@ -9,7 +9,6 @@ export default ['$compile', '$filter', '$state', '$stateParams', 'AddSchedule',
     'Rest', 'ParamPass',
     function($compile, $filter, $state, $stateParams, AddSchedule, Wait, $scope,
         $rootScope, CreateSelect2, ParseTypeChange, GetBasePath, Rest, ParamPass) {
-
     $scope.processSchedulerEndDt = function(){
         // set the schedulerEndDt to be equal to schedulerStartDt + 1 day @ midnight
         var dt = new Date($scope.schedulerUTCTime);
diff --git a/awx/ui/client/src/shared/form-generator.js b/awx/ui/client/src/shared/form-generator.js
index 66c4f750b8..821857e3f6 100644
--- a/awx/ui/client/src/shared/form-generator.js
+++ b/awx/ui/client/src/shared/form-generator.js
@@ -865,6 +865,7 @@ angular.module('FormGenerator', [GeneratorHelpers.name, 'Utilities', listGenerat
                             html += ">";
                             html += "<input type=\"checkbox\" ng-model=\"" + field.subCheckbox.variable + "\" ";
                             html += (field.subCheckbox.ngChange) ? "ng-change=\"" + field.subCheckbox.ngChange + "\" " : "";
+                            html += (field.ngDisabled) ? "ng-disabled=\"" + field.ngDisabled + "\" " : "";
                             html += "id=\"" + this.form.name + "_" + fld + "_ask_chbox\" ";
                             html += ">";
                             html += field.subCheckbox.text ? field.subCheckbox.text : "";
@@ -987,6 +988,7 @@ angular.module('FormGenerator', [GeneratorHelpers.name, 'Utilities', listGenerat
                             if (field.subCheckbox.ngDisabled) {
                                 html += "ng-disabled='" + field.subCheckbox.ngDisabled + "'";
                             }
+                            html += (field.ngDisabled) ? "ng-disabled=\"" + field.ngDisabled + "\" " : "";
                             html += ">";
                             html += field.subCheckbox.text ? field.subCheckbox.text : "";
                             html += "</label>";
@@ -1084,6 +1086,7 @@ angular.module('FormGenerator', [GeneratorHelpers.name, 'Utilities', listGenerat
                             if (field.subCheckbox.ngDisabled) {
                                 html += "ng-disabled='" + field.subCheckbox.ngDisabled + "'";
                             }
+                            html += (field.ngDisabled) ? "ng-disabled=\"" + field.ngDisabled + "\" " : "";
                             html += ">";
                             html += field.subCheckbox.text ? field.subCheckbox.text : "";
                             html += "</label>";
@@ -1151,6 +1154,7 @@ angular.module('FormGenerator', [GeneratorHelpers.name, 'Utilities', listGenerat
                             if (field.subCheckbox.ngDisabled) {
                                 html += "ng-disabled='" + field.subCheckbox.ngDisabled + "'";
                             }
+                            html += (field.ngDisabled) ? "ng-disabled=\"" + field.ngDisabled + "\" " : "";
                             html += ">";
                             html += field.subCheckbox.text ? field.subCheckbox.text : "";
                             html += "</label>";
@@ -1199,6 +1203,7 @@ angular.module('FormGenerator', [GeneratorHelpers.name, 'Utilities', listGenerat
                         html += (field.min || field.min === 0) ? this.attr(field, 'min') : "";
                         html += (field.max) ? this.attr(field, 'max') : "";
                         html += (field.ngChange) ? this.attr(field, 'ngChange') : "";
+                        html += (field.ngDisabled) ? "ng-disabled=\"" + field.ngDisabled + "\" " : "";
                         html += (field.slider) ? "id=\"" + fld + "-number\"" : (field.id) ? this.attr(field, 'id') : "";
                         html += (options.mode === 'edit' && field.editRequired) ? "required " : "";
                         html += (options.mode === 'add' && field.addRequired) ? "required " : "";
@@ -1219,6 +1224,7 @@ angular.module('FormGenerator', [GeneratorHelpers.name, 'Utilities', listGenerat
                             html += "<input type=\"checkbox\" ng-model=\"" +
                                 field.subCheckbox.variable + "\" ";
                             html += (field.subCheckbox.ngChange) ? "ng-change=\"" + field.subCheckbox.ngChange + "\" " : "";
+                            html += (field.ngDisabled) ? "ng-disabled=\"" + field.ngDisabled + "\" " : "";
                             html += "id=\"" + this.form.name + "_" + fld + "_ask_chbox\" ";
                             html += ">";
                             html += field.subCheckbox.text ? field.subCheckbox.text : "";
@@ -1422,6 +1428,7 @@ angular.module('FormGenerator', [GeneratorHelpers.name, 'Utilities', listGenerat
                             html += "<input type=\"checkbox\" ng-model=\"" +
                                 field.subCheckbox.variable + "\" ";
                             html += (field.subCheckbox.ngChange) ? "ng-change=\"" + field.subCheckbox.ngChange + "\" " : "";
+                            html += (field.ngDisabled) ? "ng-disabled=\"" + field.ngDisabled + "\" " : "";
                             html += "id=\"" + this.form.name + "_" + fld + "_ask_chbox\" ";
                             html += ">";
                             html += field.subCheckbox.text ? field.subCheckbox.text : "";
@@ -1693,6 +1700,10 @@ angular.module('FormGenerator', [GeneratorHelpers.name, 'Utilities', listGenerat
                                     button.label = 'Cancel';
                                     button['class'] = 'Form-cancelButton';
                                 }
+                                if (btn === 'close') {
+                                    button.label = 'Close';
+                                    button['class'] = 'Form-cancelButton';
+                                }
                                 if (btn === 'launch') {
                                     button.label = 'Launch';
                                     button['class'] = 'Form-launchButton';
@@ -1705,6 +1716,10 @@ angular.module('FormGenerator', [GeneratorHelpers.name, 'Utilities', listGenerat
                                     button.label = 'Edit Survey';
                                     button['class'] = 'Form-surveyButton';
                                 }
+                                if (btn === 'view_survey') {
+                                    button.label = 'View Survey';
+                                    button['class'] = 'Form-surveyButton';
+                                }
 
                                 // Build button HTML
                                 html += "<button type=\"button\" ";
diff --git a/awx/ui/client/src/shared/main.js b/awx/ui/client/src/shared/main.js
index 6279fbf1e7..60c812e12c 100644
--- a/awx/ui/client/src/shared/main.js
+++ b/awx/ui/client/src/shared/main.js
@@ -11,12 +11,14 @@ import lodashAsPromised from './lodash-as-promised';
 import stringFilters from './string-filters/main';
 import truncatedText from './truncated-text.directive';
 import stateExtender from './stateExtender.provider';
+import rbacUiControl from './rbacUiControl';
 
 export default
 angular.module('shared', [listGenerator.name,
         pagination.name,
         stringFilters.name,
-        'ui.router'
+        'ui.router',
+        rbacUiControl.name
     ])
     .factory('lodashAsPromised', lodashAsPromised)
     .directive('truncatedText', truncatedText)
diff --git a/awx/ui/client/src/shared/rbacUiControl.js b/awx/ui/client/src/shared/rbacUiControl.js
new file mode 100644
index 0000000000..4c8a00d827
--- /dev/null
+++ b/awx/ui/client/src/shared/rbacUiControl.js
@@ -0,0 +1,32 @@
+/*************************************************
+ * Copyright (c) 2015 Ansible, Inc.
+ *
+ * All Rights Reserved
+ *************************************************/
+
+export default
+    angular.module('rbacUiControl', [])
+        .service('rbacUiControlService', ['$q', 'GetBasePath', 'Rest', 'Wait', function($q, GetBasePath, Rest, Wait){
+            this.canAdd = function(apiPath) {
+                var canAddVal = $q.defer();
+
+                if (apiPath.indexOf("api/v1") > -1) {
+                    Rest.setUrl(apiPath);
+                } else {
+                    Rest.setUrl(GetBasePath(apiPath));
+                }
+
+                Wait("start");
+                Rest.options()
+                    .success(function(data) {
+                        if (data.actions.POST) {
+                            canAddVal.resolve(true);
+                        } else {
+                            canAddVal.reject(false);
+                        }
+                        Wait("stop");
+                    });
+
+                return canAddVal.promise;
+            };
+        }]);
diff --git a/awx/ui/karma.conf.js b/awx/ui/karma.conf.js
index 91e07bf67c..dbeab4a306 100644
--- a/awx/ui/karma.conf.js
+++ b/awx/ui/karma.conf.js
@@ -9,13 +9,13 @@ module.exports = function(config) {
         browsers: ['Chrome', 'Firefox'],
         coverageReporter: {
             reporters: [
-                { type: 'html', subdir: 'html' }
+                { type: 'html', subdir: 'html' },
             ]
         },
         frameworks: [
             'jasmine',
         ],
-        reporters: ['progress', 'coverage'],
+        reporters: ['progress', 'coverage', 'junit'],
         files: [
             './client/src/app.js',
             './node_modules/angular-mocks/angular-mocks.js',
@@ -86,7 +86,9 @@ module.exports = function(config) {
             }
         },
         junitReporter: {
-            outputFile: 'coverage/test-results.xml'
+            outputDir: 'coverage',
+            outputFile: 'ui-unit-test-results.xml',
+            useBrowserName: false
         }
     });
 };
diff --git a/awx/ui/npm-shrinkwrap.json b/awx/ui/npm-shrinkwrap.json
index 483276ace8..376a395a52 100644
--- a/awx/ui/npm-shrinkwrap.json
+++ b/awx/ui/npm-shrinkwrap.json
@@ -8,9 +8,9 @@
       "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.0.9.tgz"
     },
     "accepts": {
-      "version": "1.2.13",
-      "from": "accepts@>=1.2.13 <1.3.0",
-      "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.2.13.tgz"
+      "version": "1.3.3",
+      "from": "accepts@>=1.3.3 <1.4.0",
+      "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.3.tgz"
     },
     "acorn": {
       "version": "3.3.0",
@@ -50,9 +50,9 @@
       "resolved": "https://registry.npmjs.org/align-text/-/align-text-0.1.4.tgz"
     },
     "almond": {
-      "version": "0.3.2",
+      "version": "0.3.3",
       "from": "almond@>=0.3.1 <0.4.0",
-      "resolved": "https://registry.npmjs.org/almond/-/almond-0.3.2.tgz"
+      "resolved": "https://registry.npmjs.org/almond/-/almond-0.3.3.tgz"
     },
     "amdefine": {
       "version": "1.0.0",
@@ -149,11 +149,6 @@
           "version": "3.8.0",
           "from": "lodash@>=3.8.0 <3.9.0",
           "resolved": "https://registry.npmjs.org/lodash/-/lodash-3.8.0.tgz"
-        },
-        "rrule": {
-          "version": "2.2.0-dev",
-          "from": "jkbrzt/rrule#4ff63b2f8524fd6d5ba6e80db770953b5cd08a0c",
-          "resolved": "git://github.com/jkbrzt/rrule.git#4ff63b2f8524fd6d5ba6e80db770953b5cd08a0c"
         }
       }
     },
@@ -312,16 +307,9 @@
       "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-0.2.0.tgz"
     },
     "async": {
-      "version": "2.0.1",
-      "from": "async@>=2.0.1 <3.0.0",
-      "resolved": "https://registry.npmjs.org/async/-/async-2.0.1.tgz",
-      "dependencies": {
-        "lodash": {
-          "version": "4.15.0",
-          "from": "lodash@>=4.8.0 <5.0.0",
-          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.15.0.tgz"
-        }
-      }
+      "version": "1.5.2",
+      "from": "async@>=1.0.0 <2.0.0",
+      "resolved": "https://registry.npmjs.org/async/-/async-1.5.2.tgz"
     },
     "async-each": {
       "version": "1.0.1",
@@ -333,10 +321,15 @@
       "from": "async-each-series@0.1.1",
       "resolved": "https://registry.npmjs.org/async-each-series/-/async-each-series-0.1.1.tgz"
     },
+    "asynckit": {
+      "version": "0.4.0",
+      "from": "asynckit@>=0.4.0 <0.5.0",
+      "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz"
+    },
     "autoprefixer": {
-      "version": "6.4.0",
+      "version": "6.4.1",
       "from": "autoprefixer@>=6.0.0 <7.0.0",
-      "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-6.4.0.tgz"
+      "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-6.4.1.tgz"
     },
     "aws-sign2": {
       "version": "0.6.0",
@@ -364,9 +357,9 @@
           "resolved": "https://registry.npmjs.org/json5/-/json5-0.4.0.tgz"
         },
         "lodash": {
-          "version": "4.15.0",
+          "version": "4.16.1",
           "from": "lodash@>=4.2.0 <5.0.0",
-          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.15.0.tgz"
+          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.16.1.tgz"
         },
         "source-map": {
           "version": "0.5.6",
@@ -381,9 +374,9 @@
       "resolved": "https://registry.npmjs.org/babel-generator/-/babel-generator-6.14.0.tgz",
       "dependencies": {
         "lodash": {
-          "version": "4.15.0",
+          "version": "4.16.1",
           "from": "lodash@>=4.2.0 <5.0.0",
-          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.15.0.tgz"
+          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.16.1.tgz"
         },
         "source-map": {
           "version": "0.5.6",
@@ -403,9 +396,9 @@
       "resolved": "https://registry.npmjs.org/babel-helper-define-map/-/babel-helper-define-map-6.9.0.tgz",
       "dependencies": {
         "lodash": {
-          "version": "4.15.0",
+          "version": "4.16.1",
           "from": "lodash@>=4.2.0 <5.0.0",
-          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.15.0.tgz"
+          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.16.1.tgz"
         }
       }
     },
@@ -435,9 +428,9 @@
       "resolved": "https://registry.npmjs.org/babel-helper-regex/-/babel-helper-regex-6.9.0.tgz",
       "dependencies": {
         "lodash": {
-          "version": "4.15.0",
+          "version": "4.16.1",
           "from": "lodash@>=4.2.0 <5.0.0",
-          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.15.0.tgz"
+          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.16.1.tgz"
         }
       }
     },
@@ -477,14 +470,14 @@
       "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-block-scoped-functions/-/babel-plugin-transform-es2015-block-scoped-functions-6.8.0.tgz"
     },
     "babel-plugin-transform-es2015-block-scoping": {
-      "version": "6.14.0",
+      "version": "6.15.0",
       "from": "babel-plugin-transform-es2015-block-scoping@>=6.14.0 <7.0.0",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-block-scoping/-/babel-plugin-transform-es2015-block-scoping-6.14.0.tgz",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-block-scoping/-/babel-plugin-transform-es2015-block-scoping-6.15.0.tgz",
       "dependencies": {
         "lodash": {
-          "version": "4.15.0",
+          "version": "4.16.1",
           "from": "lodash@>=4.2.0 <5.0.0",
-          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.15.0.tgz"
+          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.16.1.tgz"
         }
       }
     },
@@ -599,9 +592,9 @@
       "resolved": "https://registry.npmjs.org/babel-register/-/babel-register-6.14.0.tgz",
       "dependencies": {
         "lodash": {
-          "version": "4.15.0",
+          "version": "4.16.1",
           "from": "lodash@>=4.2.0 <5.0.0",
-          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.15.0.tgz"
+          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.16.1.tgz"
         }
       }
     },
@@ -611,45 +604,45 @@
       "resolved": "https://registry.npmjs.org/babel-runtime/-/babel-runtime-6.11.6.tgz"
     },
     "babel-template": {
-      "version": "6.14.0",
+      "version": "6.15.0",
       "from": "babel-template@>=6.14.0 <7.0.0",
-      "resolved": "https://registry.npmjs.org/babel-template/-/babel-template-6.14.0.tgz",
+      "resolved": "https://registry.npmjs.org/babel-template/-/babel-template-6.15.0.tgz",
       "dependencies": {
         "lodash": {
-          "version": "4.15.0",
+          "version": "4.16.1",
           "from": "lodash@>=4.2.0 <5.0.0",
-          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.15.0.tgz"
+          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.16.1.tgz"
         }
       }
     },
     "babel-traverse": {
-      "version": "6.14.0",
+      "version": "6.15.0",
       "from": "babel-traverse@>=6.14.0 <7.0.0",
-      "resolved": "https://registry.npmjs.org/babel-traverse/-/babel-traverse-6.14.0.tgz",
+      "resolved": "https://registry.npmjs.org/babel-traverse/-/babel-traverse-6.15.0.tgz",
       "dependencies": {
         "lodash": {
-          "version": "4.15.0",
+          "version": "4.16.1",
           "from": "lodash@>=4.2.0 <5.0.0",
-          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.15.0.tgz"
+          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.16.1.tgz"
         }
       }
     },
     "babel-types": {
-      "version": "6.14.0",
+      "version": "6.15.0",
       "from": "babel-types@>=6.14.0 <7.0.0",
-      "resolved": "https://registry.npmjs.org/babel-types/-/babel-types-6.14.0.tgz",
+      "resolved": "https://registry.npmjs.org/babel-types/-/babel-types-6.15.0.tgz",
       "dependencies": {
         "lodash": {
-          "version": "4.15.0",
+          "version": "4.16.1",
           "from": "lodash@>=4.2.0 <5.0.0",
-          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.15.0.tgz"
+          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.16.1.tgz"
         }
       }
     },
     "babylon": {
-      "version": "6.9.1",
+      "version": "6.10.0",
       "from": "babylon@>=6.9.0 <7.0.0",
-      "resolved": "https://registry.npmjs.org/babylon/-/babylon-6.9.1.tgz"
+      "resolved": "https://registry.npmjs.org/babylon/-/babylon-6.10.0.tgz"
     },
     "backo2": {
       "version": "1.0.2",
@@ -719,9 +712,9 @@
       "resolved": "https://registry.npmjs.org/big.js/-/big.js-3.1.3.tgz"
     },
     "binary-extensions": {
-      "version": "1.5.0",
+      "version": "1.6.0",
       "from": "binary-extensions@>=1.0.0 <2.0.0",
-      "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-1.5.0.tgz"
+      "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-1.6.0.tgz"
     },
     "bindings": {
       "version": "1.2.1",
@@ -739,15 +732,20 @@
       "resolved": "https://registry.npmjs.org/blob/-/blob-0.0.4.tgz"
     },
     "bluebird": {
-      "version": "3.4.3",
+      "version": "3.4.6",
       "from": "bluebird@>=3.3.0 <4.0.0",
-      "resolved": "https://registry.npmjs.org/bluebird/-/bluebird-3.4.3.tgz"
+      "resolved": "https://registry.npmjs.org/bluebird/-/bluebird-3.4.6.tgz"
     },
     "body-parser": {
       "version": "1.14.2",
       "from": "body-parser@>=1.14.0 <1.15.0",
       "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.14.2.tgz",
       "dependencies": {
+        "http-errors": {
+          "version": "1.3.1",
+          "from": "http-errors@>=1.3.1 <1.4.0",
+          "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.3.1.tgz"
+        },
         "qs": {
           "version": "5.2.0",
           "from": "qs@5.2.0",
@@ -781,39 +779,24 @@
       "resolved": "https://registry.npmjs.org/braces/-/braces-1.8.5.tgz"
     },
     "browser-sync": {
-      "version": "2.14.0",
+      "version": "2.16.0",
       "from": "browser-sync@>=2.14.0 <3.0.0",
-      "resolved": "https://registry.npmjs.org/browser-sync/-/browser-sync-2.14.0.tgz",
+      "resolved": "https://registry.npmjs.org/browser-sync/-/browser-sync-2.16.0.tgz",
       "dependencies": {
-        "camelcase": {
-          "version": "3.0.0",
-          "from": "camelcase@>=3.0.0 <4.0.0",
-          "resolved": "https://registry.npmjs.org/camelcase/-/camelcase-3.0.0.tgz"
-        },
         "cliui": {
           "version": "3.2.0",
           "from": "cliui@>=3.2.0 <4.0.0",
           "resolved": "https://registry.npmjs.org/cliui/-/cliui-3.2.0.tgz"
         },
-        "micromatch": {
-          "version": "2.3.8",
-          "from": "micromatch@2.3.8",
-          "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-2.3.8.tgz"
-        },
-        "qs": {
-          "version": "6.2.0",
-          "from": "qs@6.2.0",
-          "resolved": "https://registry.npmjs.org/qs/-/qs-6.2.0.tgz"
-        },
         "window-size": {
           "version": "0.2.0",
           "from": "window-size@>=0.2.0 <0.3.0",
           "resolved": "https://registry.npmjs.org/window-size/-/window-size-0.2.0.tgz"
         },
         "yargs": {
-          "version": "4.7.1",
-          "from": "yargs@4.7.1",
-          "resolved": "https://registry.npmjs.org/yargs/-/yargs-4.7.1.tgz"
+          "version": "5.0.0",
+          "from": "yargs@5.0.0",
+          "resolved": "https://registry.npmjs.org/yargs/-/yargs-5.0.0.tgz"
         }
       }
     },
@@ -823,9 +806,9 @@
       "resolved": "https://registry.npmjs.org/browser-sync-client/-/browser-sync-client-2.4.2.tgz"
     },
     "browser-sync-ui": {
-      "version": "0.6.0",
-      "from": "browser-sync-ui@0.6.0",
-      "resolved": "https://registry.npmjs.org/browser-sync-ui/-/browser-sync-ui-0.6.0.tgz"
+      "version": "0.6.1",
+      "from": "browser-sync-ui@0.6.1",
+      "resolved": "https://registry.npmjs.org/browser-sync-ui/-/browser-sync-ui-0.6.1.tgz"
     },
     "browserify-zlib": {
       "version": "0.1.4",
@@ -834,13 +817,13 @@
     },
     "browserslist": {
       "version": "1.3.6",
-      "from": "browserslist@>=1.3.5 <1.4.0",
+      "from": "browserslist@>=1.3.6 <1.4.0",
       "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-1.3.6.tgz"
     },
     "bs-recipes": {
-      "version": "1.2.2",
-      "from": "bs-recipes@1.2.2",
-      "resolved": "https://registry.npmjs.org/bs-recipes/-/bs-recipes-1.2.2.tgz"
+      "version": "1.2.3",
+      "from": "bs-recipes@1.2.3",
+      "resolved": "https://registry.npmjs.org/bs-recipes/-/bs-recipes-1.2.3.tgz"
     },
     "buffer": {
       "version": "4.9.1",
@@ -885,9 +868,9 @@
       }
     },
     "caniuse-db": {
-      "version": "1.0.30000526",
-      "from": "caniuse-db@>=1.0.30000515 <2.0.0",
-      "resolved": "https://registry.npmjs.org/caniuse-db/-/caniuse-db-1.0.30000526.tgz"
+      "version": "1.0.30000539",
+      "from": "caniuse-db@>=1.0.30000527 <2.0.0",
+      "resolved": "https://registry.npmjs.org/caniuse-db/-/caniuse-db-1.0.30000539.tgz"
     },
     "caseless": {
       "version": "0.11.0",
@@ -905,9 +888,9 @@
       "resolved": "https://registry.npmjs.org/chalk/-/chalk-1.1.3.tgz"
     },
     "chokidar": {
-      "version": "1.5.1",
-      "from": "chokidar@1.5.1",
-      "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-1.5.1.tgz"
+      "version": "1.6.0",
+      "from": "chokidar@1.6.0",
+      "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-1.6.0.tgz"
     },
     "cli": {
       "version": "1.0.0",
@@ -915,9 +898,9 @@
       "resolved": "https://registry.npmjs.org/cli/-/cli-1.0.0.tgz",
       "dependencies": {
         "glob": {
-          "version": "7.0.6",
+          "version": "7.1.0",
           "from": "glob@>=7.0.5 <8.0.0",
-          "resolved": "https://registry.npmjs.org/glob/-/glob-7.0.6.tgz"
+          "resolved": "https://registry.npmjs.org/glob/-/glob-7.1.0.tgz"
         }
       }
     },
@@ -949,9 +932,9 @@
       "resolved": "https://registry.npmjs.org/code-point-at/-/code-point-at-1.0.0.tgz"
     },
     "codemirror": {
-      "version": "5.18.2",
+      "version": "5.19.0",
       "from": "codemirror@>=5.17.0 <6.0.0",
-      "resolved": "https://registry.npmjs.org/codemirror/-/codemirror-5.18.2.tgz"
+      "resolved": "https://registry.npmjs.org/codemirror/-/codemirror-5.19.0.tgz"
     },
     "coffee-script": {
       "version": "1.10.0",
@@ -964,14 +947,14 @@
       "resolved": "https://registry.npmjs.org/colors/-/colors-1.1.2.tgz"
     },
     "combine-lists": {
-      "version": "1.0.0",
+      "version": "1.0.1",
       "from": "combine-lists@>=1.0.0 <2.0.0",
-      "resolved": "https://registry.npmjs.org/combine-lists/-/combine-lists-1.0.0.tgz",
+      "resolved": "https://registry.npmjs.org/combine-lists/-/combine-lists-1.0.1.tgz",
       "dependencies": {
         "lodash": {
-          "version": "4.15.0",
+          "version": "4.16.1",
           "from": "lodash@>=4.5.0 <5.0.0",
-          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.15.0.tgz"
+          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.16.1.tgz"
         }
       }
     },
@@ -1032,20 +1015,10 @@
       "from": "compression@>=1.5.2 <2.0.0",
       "resolved": "https://registry.npmjs.org/compression/-/compression-1.6.2.tgz",
       "dependencies": {
-        "accepts": {
-          "version": "1.3.3",
-          "from": "accepts@>=1.3.3 <1.4.0",
-          "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.3.tgz"
-        },
         "bytes": {
           "version": "2.3.0",
           "from": "bytes@2.3.0",
           "resolved": "https://registry.npmjs.org/bytes/-/bytes-2.3.0.tgz"
-        },
-        "negotiator": {
-          "version": "0.6.1",
-          "from": "negotiator@0.6.1",
-          "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.1.tgz"
         }
       }
     },
@@ -1054,6 +1027,11 @@
       "from": "concat-map@0.0.1",
       "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz"
     },
+    "concat-stream": {
+      "version": "1.5.0",
+      "from": "concat-stream@1.5.0",
+      "resolved": "https://registry.npmjs.org/concat-stream/-/concat-stream-1.5.0.tgz"
+    },
     "connect": {
       "version": "3.4.1",
       "from": "connect@3.4.1",
@@ -1340,12 +1318,19 @@
     "end-of-stream": {
       "version": "1.0.0",
       "from": "end-of-stream@1.0.0",
-      "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.0.0.tgz"
+      "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.0.0.tgz",
+      "dependencies": {
+        "once": {
+          "version": "1.3.3",
+          "from": "once@>=1.3.0 <1.4.0",
+          "resolved": "https://registry.npmjs.org/once/-/once-1.3.3.tgz"
+        }
+      }
     },
     "engine.io": {
-      "version": "1.6.9",
-      "from": "engine.io@1.6.9",
-      "resolved": "https://registry.npmjs.org/engine.io/-/engine.io-1.6.9.tgz",
+      "version": "1.6.11",
+      "from": "engine.io@1.6.11",
+      "resolved": "https://registry.npmjs.org/engine.io/-/engine.io-1.6.11.tgz",
       "dependencies": {
         "accepts": {
           "version": "1.1.4",
@@ -1368,16 +1353,16 @@
           "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.4.9.tgz"
         },
         "ws": {
-          "version": "1.0.1",
-          "from": "ws@1.0.1",
-          "resolved": "https://registry.npmjs.org/ws/-/ws-1.0.1.tgz"
+          "version": "1.1.0",
+          "from": "ws@1.1.0",
+          "resolved": "https://registry.npmjs.org/ws/-/ws-1.1.0.tgz"
         }
       }
     },
     "engine.io-client": {
-      "version": "1.6.9",
-      "from": "engine.io-client@1.6.9",
-      "resolved": "https://registry.npmjs.org/engine.io-client/-/engine.io-client-1.6.9.tgz",
+      "version": "1.6.11",
+      "from": "engine.io-client@1.6.11",
+      "resolved": "https://registry.npmjs.org/engine.io-client/-/engine.io-client-1.6.11.tgz",
       "dependencies": {
         "ws": {
           "version": "1.0.1",
@@ -1435,6 +1420,11 @@
       "from": "error-ex@>=1.2.0 <2.0.0",
       "resolved": "https://registry.npmjs.org/error-ex/-/error-ex-1.3.0.tgz"
     },
+    "es6-promise": {
+      "version": "3.2.1",
+      "from": "es6-promise@>=3.2.1 <3.3.0",
+      "resolved": "https://registry.npmjs.org/es6-promise/-/es6-promise-3.2.1.tgz"
+    },
     "escape-html": {
       "version": "1.0.3",
       "from": "escape-html@>=1.0.3 <1.1.0",
@@ -1571,21 +1561,48 @@
       "from": "extglob@>=0.3.1 <0.4.0",
       "resolved": "https://registry.npmjs.org/extglob/-/extglob-0.3.2.tgz"
     },
+    "extract-zip": {
+      "version": "1.5.0",
+      "from": "extract-zip@>=1.5.0 <1.6.0",
+      "resolved": "https://registry.npmjs.org/extract-zip/-/extract-zip-1.5.0.tgz",
+      "dependencies": {
+        "debug": {
+          "version": "0.7.4",
+          "from": "debug@0.7.4",
+          "resolved": "https://registry.npmjs.org/debug/-/debug-0.7.4.tgz"
+        },
+        "minimist": {
+          "version": "0.0.8",
+          "from": "minimist@0.0.8",
+          "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz"
+        },
+        "mkdirp": {
+          "version": "0.5.0",
+          "from": "mkdirp@0.5.0",
+          "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.0.tgz"
+        }
+      }
+    },
     "extsprintf": {
       "version": "1.0.2",
       "from": "extsprintf@1.0.2",
       "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.0.2.tgz"
     },
     "fast-levenshtein": {
-      "version": "1.1.4",
-      "from": "fast-levenshtein@>=1.1.0 <2.0.0",
-      "resolved": "https://registry.npmjs.org/fast-levenshtein/-/fast-levenshtein-1.1.4.tgz"
+      "version": "2.0.4",
+      "from": "fast-levenshtein@>=2.0.4 <2.1.0",
+      "resolved": "https://registry.npmjs.org/fast-levenshtein/-/fast-levenshtein-2.0.4.tgz"
     },
     "faye-websocket": {
       "version": "0.10.0",
       "from": "faye-websocket@>=0.10.0 <0.11.0",
       "resolved": "https://registry.npmjs.org/faye-websocket/-/faye-websocket-0.10.0.tgz"
     },
+    "fd-slicer": {
+      "version": "1.0.1",
+      "from": "fd-slicer@>=1.0.1 <1.1.0",
+      "resolved": "https://registry.npmjs.org/fd-slicer/-/fd-slicer-1.0.1.tgz"
+    },
     "figures": {
       "version": "1.7.0",
       "from": "figures@>=1.3.5 <2.0.0",
@@ -1641,9 +1658,9 @@
       "resolved": "https://registry.npmjs.org/findup-sync/-/findup-sync-0.3.0.tgz"
     },
     "for-in": {
-      "version": "0.1.5",
+      "version": "0.1.6",
       "from": "for-in@>=0.1.5 <0.2.0",
-      "resolved": "https://registry.npmjs.org/for-in/-/for-in-0.1.5.tgz"
+      "resolved": "https://registry.npmjs.org/for-in/-/for-in-0.1.6.tgz"
     },
     "for-own": {
       "version": "0.1.4",
@@ -1656,9 +1673,9 @@
       "resolved": "https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz"
     },
     "form-data": {
-      "version": "1.0.1",
-      "from": "form-data@>=1.0.0-rc4 <1.1.0",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-1.0.1.tgz"
+      "version": "2.0.0",
+      "from": "form-data@>=2.0.0 <2.1.0",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.0.0.tgz"
     },
     "formidable": {
       "version": "1.0.17",
@@ -1686,9 +1703,9 @@
       "resolved": "https://registry.npmjs.org/fs-access/-/fs-access-1.0.0.tgz"
     },
     "fs-extra": {
-      "version": "0.26.7",
-      "from": "fs-extra@0.26.7",
-      "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-0.26.7.tgz"
+      "version": "0.30.0",
+      "from": "fs-extra@0.30.0",
+      "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-0.30.0.tgz"
     },
     "fs.realpath": {
       "version": "1.0.0",
@@ -2317,6 +2334,11 @@
       "from": "generate-object-property@>=1.1.0 <2.0.0",
       "resolved": "https://registry.npmjs.org/generate-object-property/-/generate-object-property-1.2.0.tgz"
     },
+    "get-caller-file": {
+      "version": "1.0.2",
+      "from": "get-caller-file@>=1.0.1 <2.0.0",
+      "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-1.0.2.tgz"
+    },
     "get-stdin": {
       "version": "4.0.1",
       "from": "get-stdin@>=4.0.1 <5.0.0",
@@ -2386,6 +2408,11 @@
       "from": "graceful-readlink@>=1.0.0",
       "resolved": "https://registry.npmjs.org/graceful-readlink/-/graceful-readlink-1.0.1.tgz"
     },
+    "grunt-cli": {
+      "version": "1.2.0",
+      "from": "grunt-cli@>=1.2.0 <2.0.0",
+      "resolved": "https://registry.npmjs.org/grunt-cli/-/grunt-cli-1.2.0.tgz"
+    },
     "grunt-known-options": {
       "version": "1.1.0",
       "from": "grunt-known-options@>=1.1.0 <1.2.0",
@@ -2413,11 +2440,6 @@
       "from": "grunt-legacy-util@>=1.0.0 <1.1.0",
       "resolved": "https://registry.npmjs.org/grunt-legacy-util/-/grunt-legacy-util-1.0.0.tgz",
       "dependencies": {
-        "async": {
-          "version": "1.5.2",
-          "from": "async@>=1.5.2 <1.6.0",
-          "resolved": "https://registry.npmjs.org/async/-/async-1.5.2.tgz"
-        },
         "lodash": {
           "version": "4.3.0",
           "from": "lodash@>=4.3.0 <4.4.0",
@@ -2430,11 +2452,6 @@
       "from": "handlebars@>=4.0.0 <4.1.0",
       "resolved": "https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz",
       "dependencies": {
-        "async": {
-          "version": "1.5.2",
-          "from": "async@>=1.4.0 <2.0.0",
-          "resolved": "https://registry.npmjs.org/async/-/async-1.5.2.tgz"
-        },
         "source-map": {
           "version": "0.4.4",
           "from": "source-map@>=0.4.4 <0.5.0",
@@ -2491,6 +2508,11 @@
       "from": "has-flag@>=1.0.0 <2.0.0",
       "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-1.0.0.tgz"
     },
+    "hasha": {
+      "version": "2.2.0",
+      "from": "hasha@>=2.2.0 <2.3.0",
+      "resolved": "https://registry.npmjs.org/hasha/-/hasha-2.2.0.tgz"
+    },
     "hawk": {
       "version": "3.1.3",
       "from": "hawk@>=3.1.3 <3.2.0",
@@ -2544,29 +2566,31 @@
       "resolved": "https://registry.npmjs.org/http-browserify/-/http-browserify-1.7.0.tgz"
     },
     "http-errors": {
-      "version": "1.3.1",
-      "from": "http-errors@>=1.3.1 <1.4.0",
-      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.3.1.tgz"
+      "version": "1.5.0",
+      "from": "http-errors@>=1.5.0 <1.6.0",
+      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.5.0.tgz",
+      "dependencies": {
+        "inherits": {
+          "version": "2.0.1",
+          "from": "inherits@2.0.1",
+          "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.1.tgz"
+        }
+      }
     },
     "http-proxy": {
-      "version": "1.13.3",
-      "from": "http-proxy@1.13.3",
-      "resolved": "https://registry.npmjs.org/http-proxy/-/http-proxy-1.13.3.tgz"
+      "version": "1.14.0",
+      "from": "http-proxy@1.14.0",
+      "resolved": "https://registry.npmjs.org/http-proxy/-/http-proxy-1.14.0.tgz"
     },
     "http-proxy-middleware": {
       "version": "0.17.1",
       "from": "http-proxy-middleware@>=0.17.1 <0.18.0",
       "resolved": "https://registry.npmjs.org/http-proxy-middleware/-/http-proxy-middleware-0.17.1.tgz",
       "dependencies": {
-        "http-proxy": {
-          "version": "1.14.0",
-          "from": "http-proxy@>=1.14.0 <2.0.0",
-          "resolved": "https://registry.npmjs.org/http-proxy/-/http-proxy-1.14.0.tgz"
-        },
         "lodash": {
-          "version": "4.15.0",
+          "version": "4.16.1",
           "from": "lodash@>=4.14.2 <5.0.0",
-          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.15.0.tgz"
+          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.16.1.tgz"
         }
       }
     },
@@ -2628,9 +2652,9 @@
       "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.5.tgz"
     },
     "inherits": {
-      "version": "2.0.1",
+      "version": "2.0.3",
       "from": "inherits@>=2.0.1 <2.1.0",
-      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.1.tgz"
+      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz"
     },
     "inquirer": {
       "version": "0.8.5",
@@ -2730,9 +2754,9 @@
       "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-2.0.1.tgz"
     },
     "is-my-json-valid": {
-      "version": "2.13.1",
+      "version": "2.14.0",
       "from": "is-my-json-valid@>=2.12.4 <3.0.0",
-      "resolved": "https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.13.1.tgz"
+      "resolved": "https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.14.0.tgz"
     },
     "is-number": {
       "version": "2.1.0",
@@ -2754,6 +2778,11 @@
       "from": "is-property@>=1.0.0 <2.0.0",
       "resolved": "https://registry.npmjs.org/is-property/-/is-property-1.0.2.tgz"
     },
+    "is-stream": {
+      "version": "1.1.0",
+      "from": "is-stream@>=1.0.1 <2.0.0",
+      "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-1.1.0.tgz"
+    },
     "is-typedarray": {
       "version": "1.0.0",
       "from": "is-typedarray@>=1.0.0 <1.1.0",
@@ -2794,11 +2823,6 @@
       "from": "istanbul@>=0.4.0 <0.5.0",
       "resolved": "https://registry.npmjs.org/istanbul/-/istanbul-0.4.5.tgz",
       "dependencies": {
-        "async": {
-          "version": "1.5.2",
-          "from": "async@>=1.0.0 <2.0.0",
-          "resolved": "https://registry.npmjs.org/async/-/async-1.5.2.tgz"
-        },
         "supports-color": {
           "version": "3.1.2",
           "from": "supports-color@>=3.1.0 <4.0.0",
@@ -2808,13 +2832,13 @@
     },
     "istanbul-lib-coverage": {
       "version": "1.0.0",
-      "from": "istanbul-lib-coverage@>=1.0.0-alpha.4 <2.0.0",
+      "from": "istanbul-lib-coverage@>=1.0.0 <2.0.0",
       "resolved": "https://registry.npmjs.org/istanbul-lib-coverage/-/istanbul-lib-coverage-1.0.0.tgz"
     },
     "istanbul-lib-instrument": {
-      "version": "1.1.1",
+      "version": "1.1.3",
       "from": "istanbul-lib-instrument@>=1.1.1 <2.0.0",
-      "resolved": "https://registry.npmjs.org/istanbul-lib-instrument/-/istanbul-lib-instrument-1.1.1.tgz"
+      "resolved": "https://registry.npmjs.org/istanbul-lib-instrument/-/istanbul-lib-instrument-1.1.3.tgz"
     },
     "javascript-detect-element-resize": {
       "version": "0.5.3",
@@ -2872,9 +2896,9 @@
       "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-0.5.0.tgz"
     },
     "json-schema": {
-      "version": "0.2.2",
-      "from": "json-schema@0.2.2",
-      "resolved": "https://registry.npmjs.org/json-schema/-/json-schema-0.2.2.tgz"
+      "version": "0.2.3",
+      "from": "json-schema@0.2.3",
+      "resolved": "https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz"
     },
     "json-stringify-safe": {
       "version": "5.0.1",
@@ -2892,9 +2916,9 @@
       "resolved": "https://registry.npmjs.org/json5/-/json5-0.5.0.tgz"
     },
     "jsonfile": {
-      "version": "2.3.1",
+      "version": "2.4.0",
       "from": "jsonfile@>=2.1.0 <3.0.0",
-      "resolved": "https://registry.npmjs.org/jsonfile/-/jsonfile-2.3.1.tgz"
+      "resolved": "https://registry.npmjs.org/jsonfile/-/jsonfile-2.4.0.tgz"
     },
     "jsonpointer": {
       "version": "2.0.0",
@@ -2902,15 +2926,20 @@
       "resolved": "https://registry.npmjs.org/jsonpointer/-/jsonpointer-2.0.0.tgz"
     },
     "jsprim": {
-      "version": "1.3.0",
+      "version": "1.3.1",
       "from": "jsprim@>=1.2.2 <2.0.0",
-      "resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.3.0.tgz"
+      "resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.3.1.tgz"
     },
     "jstimezonedetect": {
       "version": "1.0.5",
       "from": "jstimezonedetect@1.0.5",
       "resolved": "https://registry.npmjs.org/jstimezonedetect/-/jstimezonedetect-1.0.5.tgz"
     },
+    "kew": {
+      "version": "0.7.0",
+      "from": "kew@>=0.7.0 <0.8.0",
+      "resolved": "https://registry.npmjs.org/kew/-/kew-0.7.0.tgz"
+    },
     "kind-of": {
       "version": "3.0.4",
       "from": "kind-of@>=3.0.2 <4.0.0",
@@ -2996,9 +3025,9 @@
       "resolved": "https://registry.npmjs.org/load-json-file/-/load-json-file-1.1.0.tgz"
     },
     "loader-utils": {
-      "version": "0.2.15",
+      "version": "0.2.16",
       "from": "loader-utils@>=0.2.6 <0.3.0",
-      "resolved": "https://registry.npmjs.org/loader-utils/-/loader-utils-0.2.15.tgz"
+      "resolved": "https://registry.npmjs.org/loader-utils/-/loader-utils-0.2.16.tgz"
     },
     "localtunnel": {
       "version": "1.8.1",
@@ -3015,6 +3044,11 @@
           "from": "assert-plus@>=0.1.5 <0.2.0",
           "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-0.1.5.tgz"
         },
+        "async": {
+          "version": "2.0.1",
+          "from": "async@>=2.0.1 <3.0.0",
+          "resolved": "https://registry.npmjs.org/async/-/async-2.0.1.tgz"
+        },
         "bl": {
           "version": "1.0.3",
           "from": "bl@>=1.0.0 <1.1.0",
@@ -3025,11 +3059,21 @@
           "from": "cliui@>=3.0.3 <4.0.0",
           "resolved": "https://registry.npmjs.org/cliui/-/cliui-3.2.0.tgz"
         },
+        "form-data": {
+          "version": "1.0.1",
+          "from": "form-data@>=1.0.0-rc3 <1.1.0",
+          "resolved": "https://registry.npmjs.org/form-data/-/form-data-1.0.1.tgz"
+        },
         "http-signature": {
           "version": "0.11.0",
           "from": "http-signature@>=0.11.0 <0.12.0",
           "resolved": "https://registry.npmjs.org/http-signature/-/http-signature-0.11.0.tgz"
         },
+        "lodash": {
+          "version": "4.16.1",
+          "from": "lodash@>=4.8.0 <5.0.0",
+          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.16.1.tgz"
+        },
         "qs": {
           "version": "5.2.1",
           "from": "qs@>=5.2.0 <5.3.0",
@@ -3172,14 +3216,14 @@
       "resolved": "https://registry.npmjs.org/mime/-/mime-1.2.4.tgz"
     },
     "mime-db": {
-      "version": "1.23.0",
-      "from": "mime-db@>=1.23.0 <1.24.0",
-      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.23.0.tgz"
+      "version": "1.24.0",
+      "from": "mime-db@>=1.24.0 <1.25.0",
+      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.24.0.tgz"
     },
     "mime-types": {
-      "version": "2.1.11",
+      "version": "2.1.12",
       "from": "mime-types@>=2.1.7 <2.2.0",
-      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.11.tgz"
+      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.12.tgz"
     },
     "minimatch": {
       "version": "3.0.3",
@@ -3204,9 +3248,9 @@
       }
     },
     "moment": {
-      "version": "2.14.1",
+      "version": "2.15.1",
       "from": "moment@>=2.10.2 <3.0.0",
-      "resolved": "https://registry.npmjs.org/moment/-/moment-2.14.1.tgz"
+      "resolved": "https://registry.npmjs.org/moment/-/moment-2.15.1.tgz"
     },
     "ms": {
       "version": "0.7.1",
@@ -3229,9 +3273,9 @@
       "resolved": "https://registry.npmjs.org/nan/-/nan-2.4.0.tgz"
     },
     "negotiator": {
-      "version": "0.5.3",
-      "from": "negotiator@0.5.3",
-      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.5.3.tgz"
+      "version": "0.6.1",
+      "from": "negotiator@0.6.1",
+      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.1.tgz"
     },
     "ng-toast": {
       "version": "2.0.0",
@@ -3353,9 +3397,9 @@
       "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.0.1.tgz"
     },
     "once": {
-      "version": "1.3.3",
+      "version": "1.4.0",
       "from": "once@>=1.0.0 <2.0.0",
-      "resolved": "https://registry.npmjs.org/once/-/once-1.3.3.tgz"
+      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz"
     },
     "open": {
       "version": "0.0.5",
@@ -3368,9 +3412,9 @@
       "resolved": "https://registry.npmjs.org/openurl/-/openurl-1.1.0.tgz"
     },
     "opn": {
-      "version": "3.0.3",
-      "from": "opn@>=3.0.2 <4.0.0",
-      "resolved": "https://registry.npmjs.org/opn/-/opn-3.0.3.tgz"
+      "version": "4.0.2",
+      "from": "opn@4.0.2",
+      "resolved": "https://registry.npmjs.org/opn/-/opn-4.0.2.tgz"
     },
     "optimist": {
       "version": "0.6.1",
@@ -3390,9 +3434,9 @@
       }
     },
     "optionator": {
-      "version": "0.8.1",
+      "version": "0.8.2",
       "from": "optionator@>=0.8.1 <0.9.0",
-      "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.8.1.tgz"
+      "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.8.2.tgz"
     },
     "options": {
       "version": "0.0.6",
@@ -3508,6 +3552,38 @@
       "from": "pbkdf2-compat@2.0.1",
       "resolved": "https://registry.npmjs.org/pbkdf2-compat/-/pbkdf2-compat-2.0.1.tgz"
     },
+    "pend": {
+      "version": "1.2.0",
+      "from": "pend@>=1.2.0 <1.3.0",
+      "resolved": "https://registry.npmjs.org/pend/-/pend-1.2.0.tgz"
+    },
+    "phantomjs-prebuilt": {
+      "version": "2.1.12",
+      "from": "phantomjs-prebuilt@>=2.1.12 <3.0.0",
+      "resolved": "https://registry.npmjs.org/phantomjs-prebuilt/-/phantomjs-prebuilt-2.1.12.tgz",
+      "dependencies": {
+        "async": {
+          "version": "2.0.1",
+          "from": "async@>=2.0.1 <3.0.0",
+          "resolved": "https://registry.npmjs.org/async/-/async-2.0.1.tgz"
+        },
+        "form-data": {
+          "version": "1.0.1",
+          "from": "form-data@>=1.0.0-rc4 <1.1.0",
+          "resolved": "https://registry.npmjs.org/form-data/-/form-data-1.0.1.tgz"
+        },
+        "lodash": {
+          "version": "4.16.1",
+          "from": "lodash@>=4.8.0 <5.0.0",
+          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.16.1.tgz"
+        },
+        "request": {
+          "version": "2.74.0",
+          "from": "request@>=2.74.0 <2.75.0",
+          "resolved": "https://registry.npmjs.org/request/-/request-2.74.0.tgz"
+        }
+      }
+    },
     "pify": {
       "version": "2.3.0",
       "from": "pify@>=2.0.0 <3.0.0",
@@ -3523,11 +3599,6 @@
       "from": "pinkie-promise@>=2.0.0 <3.0.0",
       "resolved": "https://registry.npmjs.org/pinkie-promise/-/pinkie-promise-2.0.1.tgz"
     },
-    "pkg-conf": {
-      "version": "1.1.3",
-      "from": "pkg-conf@>=1.1.2 <2.0.0",
-      "resolved": "https://registry.npmjs.org/pkg-conf/-/pkg-conf-1.1.3.tgz"
-    },
     "pkg-up": {
       "version": "1.0.0",
       "from": "pkg-up@>=1.0.0 <2.0.0",
@@ -3551,9 +3622,9 @@
       }
     },
     "postcss": {
-      "version": "5.1.2",
+      "version": "5.2.0",
       "from": "postcss@>=5.0.0 <6.0.0",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-5.1.2.tgz",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-5.2.0.tgz",
       "dependencies": {
         "source-map": {
           "version": "0.5.6",
@@ -3600,15 +3671,20 @@
       "resolved": "https://registry.npmjs.org/private/-/private-0.1.6.tgz"
     },
     "process": {
-      "version": "0.11.8",
+      "version": "0.11.9",
       "from": "process@>=0.11.0 <0.12.0",
-      "resolved": "https://registry.npmjs.org/process/-/process-0.11.8.tgz"
+      "resolved": "https://registry.npmjs.org/process/-/process-0.11.9.tgz"
     },
     "process-nextick-args": {
       "version": "1.0.7",
       "from": "process-nextick-args@>=1.0.6 <1.1.0",
       "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-1.0.7.tgz"
     },
+    "progress": {
+      "version": "1.1.8",
+      "from": "progress@>=1.1.8 <1.2.0",
+      "resolved": "https://registry.npmjs.org/progress/-/progress-1.1.8.tgz"
+    },
     "promise": {
       "version": "7.1.1",
       "from": "promise@>=7.1.1 <8.0.0",
@@ -3632,7 +3708,14 @@
         "end-of-stream": {
           "version": "1.1.0",
           "from": "end-of-stream@>=1.1.0 <2.0.0",
-          "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.1.0.tgz"
+          "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.1.0.tgz",
+          "dependencies": {
+            "once": {
+              "version": "1.3.3",
+              "from": "once@>=1.3.0 <1.4.0",
+              "resolved": "https://registry.npmjs.org/once/-/once-1.3.3.tgz"
+            }
+          }
         }
       }
     },
@@ -3682,9 +3765,9 @@
       "resolved": "https://registry.npmjs.org/randomatic/-/randomatic-1.1.5.tgz"
     },
     "range-parser": {
-      "version": "1.0.3",
-      "from": "range-parser@>=1.0.3 <1.1.0",
-      "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.0.3.tgz"
+      "version": "1.2.0",
+      "from": "range-parser@>=1.2.0 <1.3.0",
+      "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.0.tgz"
     },
     "raw-body": {
       "version": "2.1.7",
@@ -3803,9 +3886,19 @@
       "resolved": "https://registry.npmjs.org/repeating/-/repeating-1.1.3.tgz"
     },
     "request": {
-      "version": "2.74.0",
+      "version": "2.75.0",
       "from": "request@>=2.0.0 <3.0.0",
-      "resolved": "https://registry.npmjs.org/request/-/request-2.74.0.tgz"
+      "resolved": "https://registry.npmjs.org/request/-/request-2.75.0.tgz"
+    },
+    "request-progress": {
+      "version": "2.0.1",
+      "from": "request-progress@>=2.0.1 <2.1.0",
+      "resolved": "https://registry.npmjs.org/request-progress/-/request-progress-2.0.1.tgz"
+    },
+    "require-directory": {
+      "version": "2.1.1",
+      "from": "require-directory@>=2.1.1 <3.0.0",
+      "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz"
     },
     "require-main-filename": {
       "version": "1.0.1",
@@ -3848,9 +3941,9 @@
       "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.5.4.tgz",
       "dependencies": {
         "glob": {
-          "version": "7.0.6",
+          "version": "7.1.0",
           "from": "glob@>=7.0.5 <8.0.0",
-          "resolved": "https://registry.npmjs.org/glob/-/glob-7.0.6.tgz"
+          "resolved": "https://registry.npmjs.org/glob/-/glob-7.1.0.tgz"
         }
       }
     },
@@ -3859,6 +3952,11 @@
       "from": "ripemd160@0.2.0",
       "resolved": "https://registry.npmjs.org/ripemd160/-/ripemd160-0.2.0.tgz"
     },
+    "rrule": {
+      "version": "2.2.0-dev",
+      "from": "jkbrzt/rrule#4ff63b2f8524fd6d5ba6e80db770953b5cd08a0c",
+      "resolved": "git://github.com/jkbrzt/rrule.git#4ff63b2f8524fd6d5ba6e80db770953b5cd08a0c"
+    },
     "rx": {
       "version": "4.1.0",
       "from": "rx@4.1.0",
@@ -3897,31 +3995,26 @@
       "resolved": "https://registry.npmjs.org/semver/-/semver-5.3.0.tgz"
     },
     "send": {
-      "version": "0.13.2",
-      "from": "send@0.13.2",
-      "resolved": "https://registry.npmjs.org/send/-/send-0.13.2.tgz",
+      "version": "0.14.1",
+      "from": "send@0.14.1",
+      "resolved": "https://registry.npmjs.org/send/-/send-0.14.1.tgz",
       "dependencies": {
         "mime": {
           "version": "1.3.4",
           "from": "mime@1.3.4",
           "resolved": "https://registry.npmjs.org/mime/-/mime-1.3.4.tgz"
-        },
-        "statuses": {
-          "version": "1.2.1",
-          "from": "statuses@>=1.2.1 <1.3.0",
-          "resolved": "https://registry.npmjs.org/statuses/-/statuses-1.2.1.tgz"
         }
       }
     },
     "serve-index": {
-      "version": "1.7.3",
-      "from": "serve-index@1.7.3",
-      "resolved": "https://registry.npmjs.org/serve-index/-/serve-index-1.7.3.tgz"
+      "version": "1.8.0",
+      "from": "serve-index@1.8.0",
+      "resolved": "https://registry.npmjs.org/serve-index/-/serve-index-1.8.0.tgz"
     },
     "serve-static": {
-      "version": "1.10.3",
-      "from": "serve-static@1.10.3",
-      "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.10.3.tgz"
+      "version": "1.11.1",
+      "from": "serve-static@1.11.1",
+      "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.11.1.tgz"
     },
     "server-destroy": {
       "version": "1.0.1",
@@ -3929,9 +4022,9 @@
       "resolved": "https://registry.npmjs.org/server-destroy/-/server-destroy-1.0.1.tgz"
     },
     "set-blocking": {
-      "version": "1.0.0",
-      "from": "set-blocking@>=1.0.0 <2.0.0",
-      "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-1.0.0.tgz"
+      "version": "2.0.0",
+      "from": "set-blocking@>=2.0.0 <3.0.0",
+      "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz"
     },
     "set-immediate-shim": {
       "version": "1.0.1",
@@ -3959,9 +4052,9 @@
       "resolved": "https://registry.npmjs.org/shelljs/-/shelljs-0.3.0.tgz"
     },
     "signal-exit": {
-      "version": "3.0.0",
+      "version": "3.0.1",
       "from": "signal-exit@>=3.0.0 <4.0.0",
-      "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.0.tgz"
+      "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.1.tgz"
     },
     "slash": {
       "version": "1.0.0",
@@ -3974,9 +4067,9 @@
       "resolved": "https://registry.npmjs.org/sntp/-/sntp-1.0.9.tgz"
     },
     "socket.io": {
-      "version": "1.4.6",
-      "from": "socket.io@1.4.6",
-      "resolved": "https://registry.npmjs.org/socket.io/-/socket.io-1.4.6.tgz",
+      "version": "1.4.8",
+      "from": "socket.io@1.4.8",
+      "resolved": "https://registry.npmjs.org/socket.io/-/socket.io-1.4.8.tgz",
       "dependencies": {
         "component-emitter": {
           "version": "1.2.0",
@@ -3984,9 +4077,9 @@
           "resolved": "https://registry.npmjs.org/component-emitter/-/component-emitter-1.2.0.tgz"
         },
         "socket.io-client": {
-          "version": "1.4.6",
-          "from": "socket.io-client@1.4.6",
-          "resolved": "https://registry.npmjs.org/socket.io-client/-/socket.io-client-1.4.6.tgz"
+          "version": "1.4.8",
+          "from": "socket.io-client@1.4.8",
+          "resolved": "https://registry.npmjs.org/socket.io-client/-/socket.io-client-1.4.8.tgz"
         }
       }
     },
@@ -4119,7 +4212,7 @@
     },
     "statuses": {
       "version": "1.3.0",
-      "from": "statuses@>=1.0.0 <2.0.0",
+      "from": "statuses@>=1.3.0 <2.0.0",
       "resolved": "https://registry.npmjs.org/statuses/-/statuses-1.3.0.tgz"
     },
     "stream-browserify": {
@@ -4199,11 +4292,6 @@
       "from": "supports-color@>=2.0.0 <3.0.0",
       "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-2.0.0.tgz"
     },
-    "symbol": {
-      "version": "0.2.3",
-      "from": "symbol@>=0.2.1 <0.3.0",
-      "resolved": "https://registry.npmjs.org/symbol/-/symbol-0.2.3.tgz"
-    },
     "tapable": {
       "version": "0.1.10",
       "from": "tapable@>=0.1.8 <0.2.0",
@@ -4232,9 +4320,9 @@
       }
     },
     "test-exclude": {
-      "version": "2.1.1",
+      "version": "2.1.2",
       "from": "test-exclude@>=2.1.1 <3.0.0",
-      "resolved": "https://registry.npmjs.org/test-exclude/-/test-exclude-2.1.1.tgz"
+      "resolved": "https://registry.npmjs.org/test-exclude/-/test-exclude-2.1.2.tgz"
     },
     "text-table": {
       "version": "0.2.0",
@@ -4246,6 +4334,11 @@
       "from": "tfunk@>=3.0.1 <4.0.0",
       "resolved": "https://registry.npmjs.org/tfunk/-/tfunk-3.0.2.tgz"
     },
+    "throttleit": {
+      "version": "1.0.0",
+      "from": "throttleit@>=1.0.0 <2.0.0",
+      "resolved": "https://registry.npmjs.org/throttleit/-/throttleit-1.0.0.tgz"
+    },
     "through": {
       "version": "2.3.8",
       "from": "through@>=2.3.6 <3.0.0",
@@ -4338,6 +4431,11 @@
       "from": "type-is@>=1.6.10 <1.7.0",
       "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.13.tgz"
     },
+    "typedarray": {
+      "version": "0.0.6",
+      "from": "typedarray@>=0.0.5 <0.1.0",
+      "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz"
+    },
     "ua-parser-js": {
       "version": "0.7.10",
       "from": "ua-parser-js@0.7.10",
@@ -4408,7 +4506,14 @@
     "util": {
       "version": "0.10.3",
       "from": "util@>=0.10.3 <0.11.0",
-      "resolved": "https://registry.npmjs.org/util/-/util-0.10.3.tgz"
+      "resolved": "https://registry.npmjs.org/util/-/util-0.10.3.tgz",
+      "dependencies": {
+        "inherits": {
+          "version": "2.0.1",
+          "from": "inherits@2.0.1",
+          "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.1.tgz"
+        }
+      }
     },
     "util-deprecate": {
       "version": "1.0.2",
@@ -4421,9 +4526,9 @@
       "resolved": "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.0.tgz"
     },
     "uuid": {
-      "version": "2.0.2",
+      "version": "2.0.3",
       "from": "uuid@>=2.0.2 <3.0.0",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-2.0.2.tgz"
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-2.0.3.tgz"
     },
     "validate-npm-package-license": {
       "version": "3.0.1",
@@ -4498,9 +4603,9 @@
           "resolved": "https://registry.npmjs.org/bl/-/bl-0.9.5.tgz"
         },
         "bluebird": {
-          "version": "2.10.2",
+          "version": "2.11.0",
           "from": "bluebird@>=2.9.30 <3.0.0",
-          "resolved": "https://registry.npmjs.org/bluebird/-/bluebird-2.10.2.tgz"
+          "resolved": "https://registry.npmjs.org/bluebird/-/bluebird-2.11.0.tgz"
         },
         "caseless": {
           "version": "0.9.0",
@@ -4604,9 +4709,9 @@
       }
     },
     "webpack-dev-middleware": {
-      "version": "1.6.1",
+      "version": "1.8.1",
       "from": "webpack-dev-middleware@>=1.0.11 <2.0.0",
-      "resolved": "https://registry.npmjs.org/webpack-dev-middleware/-/webpack-dev-middleware-1.6.1.tgz",
+      "resolved": "https://registry.npmjs.org/webpack-dev-middleware/-/webpack-dev-middleware-1.8.1.tgz",
       "dependencies": {
         "mime": {
           "version": "1.3.4",
@@ -4631,9 +4736,14 @@
       "resolved": "https://registry.npmjs.org/weinre/-/weinre-2.0.0-pre-I0Z7U9OV.tgz"
     },
     "which": {
-      "version": "1.2.10",
+      "version": "1.2.11",
       "from": "which@>=1.2.0 <1.3.0",
-      "resolved": "https://registry.npmjs.org/which/-/which-1.2.10.tgz"
+      "resolved": "https://registry.npmjs.org/which/-/which-1.2.11.tgz"
+    },
+    "which-module": {
+      "version": "1.0.0",
+      "from": "which-module@>=1.0.0 <2.0.0",
+      "resolved": "https://registry.npmjs.org/which-module/-/which-module-1.0.0.tgz"
     },
     "window-size": {
       "version": "0.1.0",
@@ -4672,6 +4782,11 @@
         }
       }
     },
+    "xmlbuilder": {
+      "version": "8.2.2",
+      "from": "xmlbuilder@8.2.2",
+      "resolved": "https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-8.2.2.tgz"
+    },
     "xmlhttprequest": {
       "version": "1.4.2",
       "from": "xmlhttprequest@1.4.2",
@@ -4698,9 +4813,9 @@
       "resolved": "https://registry.npmjs.org/yargs/-/yargs-3.10.0.tgz"
     },
     "yargs-parser": {
-      "version": "2.4.1",
-      "from": "yargs-parser@>=2.4.0 <3.0.0",
-      "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-2.4.1.tgz",
+      "version": "3.2.0",
+      "from": "yargs-parser@>=3.2.0 <4.0.0",
+      "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-3.2.0.tgz",
       "dependencies": {
         "camelcase": {
           "version": "3.0.0",
@@ -4709,6 +4824,11 @@
         }
       }
     },
+    "yauzl": {
+      "version": "2.4.1",
+      "from": "yauzl@2.4.1",
+      "resolved": "https://registry.npmjs.org/yauzl/-/yauzl-2.4.1.tgz"
+    },
     "yeast": {
       "version": "0.1.2",
       "from": "yeast@0.1.2",
diff --git a/awx/ui/package.json b/awx/ui/package.json
index 60d5ce4dcb..414150fa49 100644
--- a/awx/ui/package.json
+++ b/awx/ui/package.json
@@ -36,6 +36,7 @@
     "expose-loader": "^0.7.1",
     "grunt": "^1.0.1",
     "grunt-browser-sync": "^2.2.0",
+    "grunt-cli": "^1.2.0",
     "grunt-concurrent": "^2.3.0",
     "grunt-contrib-clean": "^1.0.0",
     "grunt-contrib-concat": "^1.0.1",
@@ -56,12 +57,15 @@
     "karma-firefox-launcher": "^1.0.0",
     "karma-html2js-preprocessor": "^1.0.0",
     "karma-jasmine": "^1.0.2",
+    "karma-junit-reporter": "^1.1.0",
+    "karma-phantomjs-launcher": "^1.0.2",
     "karma-sauce-launcher": "^1.0.0",
     "karma-sourcemap-loader": "^0.3.7",
     "karma-webpack": "^1.8.0",
     "less-plugin-autoprefix": "^1.4.2",
     "load-grunt-configs": "^1.0.0",
     "load-grunt-tasks": "^3.5.0",
+    "phantomjs-prebuilt": "^2.1.12",
     "time-grunt": "^1.4.0",
     "webpack": "^1.13.1",
     "webpack-dev-server": "^1.14.1"
diff --git a/tools/docker-compose/unit-tests/Dockerfile b/tools/docker-compose/unit-tests/Dockerfile
index 66f2c54558..8d51955273 100644
--- a/tools/docker-compose/unit-tests/Dockerfile
+++ b/tools/docker-compose/unit-tests/Dockerfile
@@ -29,12 +29,34 @@ RUN yum install -y \
 # Remove the 2 lines below and uncomment the 3 lines above to build
 # RPMs with the old JS build system.
 RUN curl --silent --location https://rpm.nodesource.com/setup_6.x | bash -
-RUN yum install -y nodejs
 
-RUN npm set progress=false
+RUN yum install -y nodejs
 
 WORKDIR "/ansible-tower"
 
-ENV VENV_BASE="/venv"
+# Copy requirements files
+COPY requirements/*.txt requirements/
+
+# Copy __init__.py so the Makefile can retrieve `awx.__version__`
+COPY awx/__init__.py awx/
+
+# Copy Makefile
+COPY Makefile .
+
+# Install tower runtime virtualenvs
+ENV SWIG_FEATURES="-cpperraswarn -includeall -I/usr/include/openssl"
+RUN make requirements
+
+# Install tower test requirements 
+ENV VENV_BASE=""
+RUN make requirements_jenkins
+
+# Build front-end deps
+COPY awx/ui/package.json awx/ui/
+
+RUN npm set progress=false
+
+RUN make ui-deps-built
+
 ENTRYPOINT ["/bin/bash", "-c"]
 CMD ["bash"]
diff --git a/tools/docker-compose/unit-tests/README.md b/tools/docker-compose/unit-tests/README.md
index c3fa200d38..49243893fe 100644
--- a/tools/docker-compose/unit-tests/README.md
+++ b/tools/docker-compose/unit-tests/README.md
@@ -6,6 +6,13 @@ $ docker-compose -f tools/docker-compose/unit-tests/docker-compose.yml run unit-
 
 This will start the container, install the dependencies, and run the unit tests.
 
+To rebuild:
+
+
+```shell
+$ docker-compose -f tools/docker-compose/unit-tests/docker-compose.yml build
+```
+
 If you just want to pop into a shell and poke around, run:
 
 ```shell
diff --git a/tools/docker-compose/unit-tests/docker-compose.yml b/tools/docker-compose/unit-tests/docker-compose.yml
index 77bf989475..125f93c6d4 100644
--- a/tools/docker-compose/unit-tests/docker-compose.yml
+++ b/tools/docker-compose/unit-tests/docker-compose.yml
@@ -7,7 +7,7 @@ services:
       dockerfile: tools/docker-compose/unit-tests/Dockerfile
     environment:
       SWIG_FEATURES: "-cpperraswarn -includeall -I/usr/include/openssl"
-    command: ["make requirements_test test"]
-
+      TEST_DIRS: "awx/main/tests/unit"
+    command: ["make test"]
     volumes:
       - ../../../:/ansible-tower