diff --git a/config/api.yml b/config/api.yml
index 4245f387bd0..00f0fb44143 100644
--- a/config/api.yml
+++ b/config/api.yml
@@ -409,6 +409,14 @@
       :post:
       - :name: query
         :identifier: miq_cloud_networks_view
+    :subcollection_actions:
+      :get:
+      - :name: read
+        :identifier: miq_cloud_networks_view
+    :subresource_actions:
+      :get:
+      - :name: read
+        :identifier: miq_cloud_networks_view
   :clusters:
     :description: Clusters
     :identifier: ems_cluster
@@ -1124,10 +1132,6 @@
         :identifier: ems_infra_protect
       - :name: unassign
         :identifier: ems_infra_protect
-    :cloud_networks_subcollection_actions:
-      :get:
-      - :name: show
-      - :identifier: miq_cloud_networks_view
   :provision_dialogs:
     :description: Provisioning Dialogs
     :identifier: miq_ae_customization_explorer
diff --git a/spec/requests/api/cloud_networks_spec.rb b/spec/requests/api/cloud_networks_spec.rb
index b35cef3734c..14d621b0054 100644
--- a/spec/requests/api/cloud_networks_spec.rb
+++ b/spec/requests/api/cloud_networks_spec.rb
@@ -26,7 +26,7 @@
 
     it 'queries Providers cloud_networks' do
       cloud_network_ids = provider.cloud_networks.pluck(:id)
-      api_basic_authorize collection_action_identifier(:providers, :read, :get)
+      api_basic_authorize subcollection_action_identifier(:providers, :cloud_networks, :read, :get)
 
       run_get providers_cloud_networks_url, :expand => 'resources'
 
@@ -34,8 +34,16 @@
       expect_result_resources_to_include_data('resources', 'id' => cloud_network_ids)
     end
 
+    it "will not list cloud networks of a provider without the appropriate role" do
+      api_basic_authorize
+
+      run_get providers_cloud_networks_url
+
+      expect(response).to have_http_status(:forbidden)
+    end
+
     it 'queries individual provider cloud_network' do
-      api_basic_authorize collection_action_identifier(:providers, :read, :get)
+      api_basic_authorize(action_identifier(:cloud_networks, :read, :subresource_actions, :get))
       network = provider.cloud_networks.first
       cloud_network_url = "#{providers_cloud_networks_url}/#{network.id}"
 
@@ -44,6 +52,16 @@
       expect_single_resource_query('name' => network.name, 'id' => network.id, 'ems_ref' => network.ems_ref)
     end
 
+    it "will not show the cloud network of a provider without the appropriate role" do
+      api_basic_authorize
+      network = provider.cloud_networks.first
+      cloud_network_url = "#{providers_cloud_networks_url}/#{network.id}"
+
+      run_get cloud_network_url
+
+      expect(response).to have_http_status(:forbidden)
+    end
+
     it 'successfully returns providers on query when providers do not have cloud_networks attribute' do
       FactoryGirl.create(:ems_openshift) # Openshift does not respond to #cloud_networks
       FactoryGirl.create(:ems_amazon_with_cloud_networks) # Provider with cloud networks
@@ -70,7 +88,7 @@
       openshift = FactoryGirl.create(:ems_openshift)
       openshift_cloud_networks_url = "#{providers_url(openshift.id)}/cloud_networks"
 
-      api_basic_authorize collection_action_identifier(:providers, :read, :get)
+      api_basic_authorize subcollection_action_identifier(:providers, :cloud_networks, :read, :get)
 
       run_get openshift_cloud_networks_url, :expand => 'resources'