diff --git a/config/api.yml b/config/api.yml
index 3ef6355cfa4..6eb076dc21a 100644
--- a/config/api.yml
+++ b/config/api.yml
@@ -830,10 +830,6 @@
 :identifier: instance_guest_restart
 - :name: reset
 :identifier: instance_reset
- :load_balancers_subcollection_actions:
- :get:
- - :name: show
- :identifier: load_balancer_show
 :snapshots_subcollection_actions:
 :get:
 - :name: read
@@ -871,6 +867,14 @@
 :get:
 - :name: read
 :identifier: load_balancer_show
+ :subcollection_actions:
+ :get:
+ - :name: read
+ :identifier: load_balancer_show
+ :subresource_actions:
+ :get:
+ - :name: read
+ :identifier: load_balancer_show
 :measures:
 :description: Measures
 :identifier: measure
@@ -1124,10 +1128,6 @@
 :get:
 - :name: show
 - :identifier: miq_cloud_networks_view
- :load_balancers_subcollection_actions:
- :get:
- - :name: show
- :identifier: load_balancer_show
 :provision_dialogs:
 :description: Provisioning Dialogs
 :identifier: miq_ae_customization_explorer
diff --git a/spec/requests/api/instances_spec.rb b/spec/requests/api/instances_spec.rb
index 0dc1cfcb3a1..fb32b7e8af2 100644
--- a/spec/requests/api/instances_spec.rb
+++ b/spec/requests/api/instances_spec.rb
@@ -456,7 +456,7 @@ def update_raw_power_state(state, *instances)
 end
 it 'queries all load balancers on an instance' do
- api_basic_authorize subcollection_action_identifier(:instances, :load_balancers, :show, :get)
+ api_basic_authorize subcollection_action_identifier(:instances, :load_balancers, :read, :get)
 expected = {
 'name' => 'load_balancers',
 'resources' => [
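Review bot: The `:subcollection_actions` and `:subresource_actions` entries added in the `@@ -871` hunk of config/api.yml sit on the load balancers collection itself, so they presumably apply to every parent collection that nests load balancers, not only the two parents whose `:load_balancers_subcollection_actions` overrides are removed in the other hunks. The `@@ -1124` hunk does not show which parent it belongs to, and the specs in this commit cover instances and providers only; confirm that no other parent exposes load balancers, or add a forbidden-without-role spec for it. The block would also benefit from a comment saying why it exists, for example `# Gates GET <parent>/load_balancers and <parent>/load_balancers/<id>; the removed per-parent entries used the name show, these use read`. The collection definition starts and ends outside the hunk.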
@@ -469,12 +469,28 @@ def update_raw_power_state(state, *instances)
 expect(response.parsed_body).to include(expected)
 end
+ it "will not show an instance's load balancers without the appropriate role" do
+ api_basic_authorize
+
+ run_get("#{instances_url(@vm.id)}/load_balancers")
+
+ expect(response).to have_http_status(:forbidden)
+ end
+
 it 'queries a single load balancer on an instance' do
- api_basic_authorize subcollection_action_identifier(:instances, :load_balancers, :show, :get)
+ api_basic_authorize subcollection_action_identifier(:instances, :load_balancers, :read, :get)
 run_get("#{instances_url(@vm.id)}/load_balancers/#{@load_balancer.id}")
 expect(response).to have_http_status(:ok)
 expect(response.parsed_body).to include('id' => @load_balancer.id)
 end
+
+ it "will not show an instance's load balancer without the appropriate role" do
+ api_basic_authorize
+
+ run_get("#{instances_url(@vm.id)}/load_balancers/#{@load_balancer.id}")
+
+ expect(response).to have_http_status(:forbidden)
+ end
 end
 end
diff --git a/spec/requests/api/providers_spec.rb b/spec/requests/api/providers_spec.rb
index 1ac518ff41e..202238bb20b 100644
--- a/spec/requests/api/providers_spec.rb
+++ b/spec/requests/api/providers_spec.rb
@@ -832,7 +832,7 @@ def gen_import_request
 end
 it 'queries all load balancers' do
- api_basic_authorize subcollection_action_identifier(:providers, :load_balancers, :show, :get)
+ api_basic_authorize subcollection_action_identifier(:providers, :load_balancers, :read, :get)
 expected = {
 'resources' => [
 { 'href' => a_string_matching("#{providers_url(@provider.id)}/load_balancers/#{@load_balancer.id}") }
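Review bot: The two forbidden specs added in the `@@ -469` hunk of instances_spec.rb call `api_basic_authorize` with no identifiers, so they only show that a user with no product features at all gets a 403. The case this authorization check has to hold for is a user who can read the parent but lacks `load_balancer_show`. Add a spec that authorizes with an instance read identifier only and still expects `have_http_status(:forbidden)` on both the collection and the single-resource URL, for example `it "will not show an instance's load balancers to a user who can only read instances" do`. The same gap is in the two forbidden specs of the `@@ -845` hunk of providers_spec.rb. The enclosing `describe` block starts outside the hunk.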
@@ -845,14 +845,30 @@ def gen_import_request
 expect(response.parsed_body).to include(expected)
 end
+ it "will not show a provider's load balancers without the appropriate role" do
+ api_basic_authorize
+
+ run_get("#{providers_url(@provider.id)}/load_balancers")
+
+ expect(response).to have_http_status(:forbidden)
+ end
+
 it 'queries a single load balancer' do
- api_basic_authorize subcollection_action_identifier(:providers, :load_balancers, :show, :get)
+ api_basic_authorize subcollection_action_identifier(:providers, :load_balancers, :read, :get)
 run_get("#{providers_url(@provider.id)}/load_balancers/#{@load_balancer.id}")
 expect(response).to have_http_status(:ok)
 expect(response.parsed_body).to include('id' => @load_balancer.id)
 end
+
+ it "will not show a provider's load balancer without the appropriate role" do
+ api_basic_authorize
+
+ run_get("#{providers_url(@provider.id)}/load_balancers/#{@load_balancer.id}")
+
+ expect(response).to have_http_status(:forbidden)
+ end
 end
 describe 'edit custom_attributes on providers' do