diff --git a/awx/main/models/credential/__init__.py b/awx/main/models/credential/__init__.py
index 894b16ed2c36..af73e407b673 100644
--- a/awx/main/models/credential/__init__.py
+++ b/awx/main/models/credential/__init__.py
@@ -21,6 +21,7 @@
 from django.utils.encoding import force_str
 from django.utils.functional import cached_property
 from django.utils.timezone import now
+from django.contrib.auth.models import User
 
 # AWX
 from awx.api.versioning import reverse
@@ -41,6 +42,7 @@
     ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
     ROLE_SINGLETON_SYSTEM_AUDITOR,
 )
+from awx.main.models import Team
 from awx.main.utils import encrypt_field
 
 from . import injectors as builtin_injectors
@@ -315,6 +317,15 @@ def _get_dynamic_input(self, field_name):
         else:
             raise ValueError('{} is not a dynamic input field'.format(field_name))
 
+    def validate_role_assignment(self, actor, role_definition):
+        if isinstance(actor, User):
+            if actor.is_superuser or self.organization in actor.organizations:
+                return
+        if isinstance(actor, Team):
+            if actor.organization == self.organization:
+                return
+        return f"You cannot grant credential access to a {actor._meta.object_name} not in the credentials' organization"
+
 
 class CredentialType(CommonModelNameNotUnique):
     """
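Review bot: `from awx.main.models import Team` is an absolute import of the parent package from inside `awx/main/models/credential/__init__.py`, and if `awx.main.models` re-exports this module's own models (likely, but not visible here) this creates an import cycle that only resolves because of the order in which the package happens to import its submodules. Importing `Team` from the sibling module that defines it, or importing it locally inside `validate_role_assignment`, would not depend on that ordering; the surrounding import block already uses relative imports (`from . import injectors as builtin_injectors`). The `User` import in the first hunk has no such concern.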
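Review bot: `self.organization` is never checked for None before the membership comparisons in validate_role_assignment, so if a credential can exist without an organization (the FK is declared outside the hunk) every non-superuser actor is refused with a message that refers to an organization the credential does not have, and the None case is decided implicitly by `None in actor.organizations` and `actor.organization == None`. Decide that case explicitly before the isinstance checks, for instance `if self.organization is None: return "Cannot grant access to a credential that has no organization"`, or `return None` there if org-less grants are meant to be allowed; the intended policy is not visible in this hunk. An actor that is neither a User nor a Team also falls through to `actor._meta.object_name`, which raises AttributeError for anything without Django model metadata, so a generic refusal for unknown actor types would be safer than formatting the message from it. A docstring should state the contract (returns None when the grant is permitted, an error-message string otherwise) and note that `role_definition` is accepted but not consulted; `credentials'` in the message should read `credential's`.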