diff --git a/awx/ui/client/features/credentials/add-edit-credentials.controller.js b/awx/ui/client/features/credentials/add-edit-credentials.controller.js
index d60539218a..64d5c4a93c 100644
--- a/awx/ui/client/features/credentials/add-edit-credentials.controller.js
+++ b/awx/ui/client/features/credentials/add-edit-credentials.controller.js
@@ -21,6 +21,7 @@ function AddEditCredentialsController (
         credentialType,
         organization,
         isOrgEditableByUser,
+        sourceCredentials,
     } = models;
 
     const omit = ['user', 'team', 'inputs'];
@@ -131,7 +132,11 @@ function AddEditCredentialsController (
             const apiConfig = ConfigService.get();
 
             credentialType.mergeInputProperties();
-            const fields = credential.assignInputGroupValues(apiConfig, credentialType);
+            const fields = credential.assignInputGroupValues(
+                apiConfig,
+                credentialType,
+                sourceCredentials
+            );
 
             if (credentialType.get('name') === 'Google Compute Engine') {
                 fields.splice(2, 0, gceFileInputSchema);
@@ -417,6 +422,11 @@ function AddEditCredentialsController (
         if (isExternal) {
             data.results = data.results.filter(({ id }) => id !== credential.get('id'));
         }
+
+        // only show credentials we can use
+        data.results = data.results
+            .filter(({ summary_fields }) => summary_fields.user_capabilities.use);
+
         return data;
     };
 
diff --git a/awx/ui/client/features/credentials/index.js b/awx/ui/client/features/credentials/index.js
index cb9b8147ff..1bdec18f93 100644
--- a/awx/ui/client/features/credentials/index.js
+++ b/awx/ui/client/features/credentials/index.js
@@ -16,7 +16,9 @@ function CredentialsResolve (
     CredentialType,
     Organization,
     ProcessErrors,
-    strings
+    strings,
+    Rest,
+    GetBasePath,
 ) {
     const id = $stateParams.credential_id;
 
@@ -28,6 +30,7 @@ function CredentialsResolve (
         promises.credential = new Credential('options');
         promises.credentialType = new CredentialType();
         promises.organization = new Organization();
+        promises.sourceCredentials = $q.resolve({ data: { count: 0, results: [] } });
 
         return $q.all(promises);
     }
@@ -39,10 +42,15 @@ function CredentialsResolve (
             const typeId = models.credential.get('credential_type');
             const orgId = models.credential.get('organization');
 
+            Rest.setUrl(GetBasePath('credentials'));
+            const params = { target_input_sources__target_credential: id };
+            const sourceCredentialsPromise = Rest.get({ params });
+
             const dependents = {
                 credentialType: new CredentialType('get', typeId),
                 organization: new Organization('get', orgId),
-                credentialInputSources: models.credential.extend('GET', 'input_sources')
+                credentialInputSources: models.credential.extend('GET', 'input_sources'),
+                sourceCredentials: sourceCredentialsPromise
             };
 
             dependents.isOrgCredAdmin = dependents.organization.then((org) => org.search({ role_level: 'credential_admin_role' }));
@@ -51,6 +59,7 @@ function CredentialsResolve (
                 .then(related => {
                     models.credentialType = related.credentialType;
                     models.organization = related.organization;
+                    models.sourceCredentials = related.sourceCredentials;
 
                     const isOrgAdmin = _.some(models.me.get('related.admin_of_organizations.results'), (org) => org.id === models.organization.get('id'));
                     const isSuperuser = models.me.get('is_superuser');
@@ -79,7 +88,9 @@ CredentialsResolve.$inject = [
     'CredentialTypeModel',
     'OrganizationModel',
     'ProcessErrors',
-    'CredentialsStrings'
+    'CredentialsStrings',
+    'Rest',
+    'GetBasePath',
 ];
 
 function CredentialsRun ($stateExtender, legacy, strings) {
diff --git a/awx/ui/client/lib/components/input/secret.partial.html b/awx/ui/client/lib/components/input/secret.partial.html
index 23ef5f6d98..b4c1012862 100644
--- a/awx/ui/client/lib/components/input/secret.partial.html
+++ b/awx/ui/client/lib/components/input/secret.partial.html
@@ -14,11 +14,16 @@
             <span ng-if="state.tagMode && state.asTag" class="form-control at-Input">
               <div class="at-InputTagContainer">
                 <at-tag
-                  ng-show="state._tagValue"
+                  ng-show="(!state._disabled) && state._tagValue"
                   icon="external"
                   tag="state._tagValue"
                   remove-tag="state._onRemoveTag(state)"
                 />
+                <at-tag
+                  ng-show="state._disabled && state._tagValue"
+                  icon="external"
+                  tag="state._tagValue"
+                />
               </div>
             </span>
             <input ng-if="!state.asTag" type="{{ type }}"
diff --git a/awx/ui/client/lib/components/input/text.partial.html b/awx/ui/client/lib/components/input/text.partial.html
index bf080a1f41..3febbbedf7 100644
--- a/awx/ui/client/lib/components/input/text.partial.html
+++ b/awx/ui/client/lib/components/input/text.partial.html
@@ -13,11 +13,16 @@
           <span ng-if="state.asTag" class="form-control at-Input">
             <div class="at-InputTagContainer">
               <at-tag
-                ng-show="state._tagValue"
+                ng-show="(!state._disabled) && state._tagValue"
                 icon="external"
                 tag="state._tagValue"
                 remove-tag="state._onRemoveTag(state)"
               />
+              <at-tag
+                ng-show="state._disabled && state._tagValue"
+                icon="external"
+                tag="state._tagValue"
+              />
             </div>
           </span>
           <input ng-if="!state.asTag" type="text" class="form-control at-Input"
diff --git a/awx/ui/client/lib/components/input/textarea-secret.partial.html b/awx/ui/client/lib/components/input/textarea-secret.partial.html
index 988452ec2b..662055ce96 100644
--- a/awx/ui/client/lib/components/input/textarea-secret.partial.html
+++ b/awx/ui/client/lib/components/input/textarea-secret.partial.html
@@ -27,11 +27,17 @@
                 }"
               >
               <div class="at-InputTagContainer">
-                  <at-tag
-                    icon="external"
-                    tag="state._tagValue"
-                    remove-tag="state._onRemoveTag(state)"
-                  />
+                <at-tag
+                  ng-show="(!state._disabled) && state._tagValue"
+                  icon="external"
+                  tag="state._tagValue"
+                  remove-tag="state._onRemoveTag(state)"
+                />
+                <at-tag
+                  ng-show="state._disabled && state._tagValue"
+                  icon="external"
+                  tag="state._tagValue"
+                />
               </div>
             </div>
             <textarea
diff --git a/awx/ui/client/lib/components/input/textarea.partial.html b/awx/ui/client/lib/components/input/textarea.partial.html
index 4eb276f35f..4099a66323 100644
--- a/awx/ui/client/lib/components/input/textarea.partial.html
+++ b/awx/ui/client/lib/components/input/textarea.partial.html
@@ -18,6 +18,13 @@
             >
               <div class="at-InputTagContainer">
                 <at-tag
+                  ng-show="(!state._disabled) && state._tagValue"
+                  icon="external"
+                  tag="state._tagValue"
+                  remove-tag="state._onRemoveTag(state)"
+                />
+                <at-tag
+                  ng-show="state._disabled && state._tagValue"
                   icon="external"
                   tag="state._tagValue"
                   remove-tag="state._onRemoveTag(state)"
diff --git a/awx/ui/client/lib/models/Credential.js b/awx/ui/client/lib/models/Credential.js
index 3611302f7a..3f63c1e70a 100644
--- a/awx/ui/client/lib/models/Credential.js
+++ b/awx/ui/client/lib/models/Credential.js
@@ -30,7 +30,7 @@ function createFormSchema (method, config) {
     return schema;
 }
 
-function assignInputGroupValues (apiConfig, credentialType) {
+function assignInputGroupValues (apiConfig, credentialType, sourceCredentials) {
     let inputs = credentialType.get('inputs.fields');
 
     if (!inputs) {
@@ -79,7 +79,16 @@ function assignInputGroupValues (apiConfig, credentialType) {
             const { summary_fields } = this.get('related.input_sources.results')
                 .find(({ input_field_name }) => input_field_name === field.id);
             field._tagValue = summary_fields.source_credential.name;
+
+            const { source_credential: { id } } = summary_fields;
+            const src = sourceCredentials.data.results.find(obj => obj.id === id);
+            const canRemove = _.get(src, ['summary_fields', 'user_capabilities', 'delete'], false);
+
+            if (!canRemove) {
+                field._disabled = true;
+            }
         }
+
         return field;
     });