diff --git a/app/models/mixins/tenant_quotas_mixin.rb b/app/models/mixins/tenant_quotas_mixin.rb
new file mode 100644
index 00000000000..ff9690262a3
--- /dev/null
+++ b/app/models/mixins/tenant_quotas_mixin.rb
@@ -0,0 +1,13 @@
+module TenantQuotasMixin
+ extend ActiveSupport::Concern
+
+ def tenant_quotas_allowed?
+ current_user = User.current_user
+ return true if current_user.super_admin_user?
+ return true unless current_user.miq_user_role.tenant_admin_user?
+
+ current_tenant = current_user.current_tenant
+ # don't allow tenant quotas for current tenant and for ancestors
+ !(current_tenant == self || current_tenant.ancestor_ids.include?(id))
+ end
+end
diff --git a/app/models/tenant.rb b/app/models/tenant.rb
index 5c288093f3d..a587c9d4511 100644
--- a/app/models/tenant.rb
+++ b/app/models/tenant.rb
@@ -8,6 +8,7 @@ class Tenant < ApplicationRecord
 include ActiveVmAggregationMixin
 include CustomActionsMixin
+ include TenantQuotasMixin
 acts_as_miq_taggable
diff --git a/spec/models/mixins/tenant_quotas_mixin_spec.rb b/spec/models/mixins/tenant_quotas_mixin_spec.rb
new file mode 100644
index 00000000000..22426518c49
--- /dev/null
+++ b/spec/models/mixins/tenant_quotas_mixin_spec.rb
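Review bot: In app/models/mixins/tenant_quotas_mixin.rb, `tenant_quotas_allowed?` defaults to allow: `return true unless current_user.miq_user_role.tenant_admin_user?` answers true for every user who is neither super admin nor tenant admin, and the last line denies only the current tenant and its ancestors, so a tenant admin also gets true for sibling or unrelated tenants. Unless callers enforce a separate feature and scope check (not visible in this diff), the predicate does not confine quota management to the admin's own subtree; an allow-list such as `current_tenant.descendant_ids.include?(id)` would express that, assuming the model exposes `descendant_ids` alongside the `ancestor_ids` used here. `User.current_user` and `miq_user_role` are also dereferenced without a nil check, so a call with no user set would presumably raise NoMethodError rather than deny; `return false if current_user.nil?` as the first guard makes that case explicit.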
@@ -0,0 +1,44 @@
+describe TenantQuotasMixin do
+ before do
+ Tenant.seed
+ end
+
+ let(:root_tenant) do
+ Tenant.root_tenant
+ end
+
+ let(:super_admin_role) { FactoryGirl.create(:miq_user_role, :features => MiqProductFeature::SUPER_ADMIN_FEATURE) }
+ let(:tenant_admin_role) { FactoryGirl.create(:miq_user_role, :features => MiqProductFeature::TENANT_ADMIN_FEATURE) }
+
+ let(:tenant_1) { FactoryGirl.create(:tenant, :parent => root_tenant) }
+ let(:tenant_1_1) { FactoryGirl.create(:tenant, :parent => tenant_1) }
+ let(:tenant_1_2) { FactoryGirl.create(:tenant, :parent => tenant_1, :divisible => false) }
+
+ let(:group_tenant_1_tenant_admin) { FactoryGirl.create(:miq_group, :miq_user_role => tenant_admin_role, :tenant => tenant_1) }
+ let(:user_tenant_1_tenant_admin) { FactoryGirl.create(:user, :miq_groups => [group_tenant_1_tenant_admin]) }
+
+ let(:group_tenant_1_super_admin) { FactoryGirl.create(:miq_group, :miq_user_role => super_admin_role, :tenant => tenant_1) }
+ let(:user_tenant_1_super_admin) { FactoryGirl.create(:user, :miq_groups => [group_tenant_1_super_admin]) }
+
+ describe "#tenant_quotas_allowed?" do
+ it "allows managing on all tenant quotas when user is super admin" do
+ User.with_user(user_tenant_1_super_admin) do
+ expect(root_tenant.tenant_quotas_allowed?).to be_truthy
+ expect(tenant_1.tenant_quotas_allowed?).to be_truthy
+ expect(tenant_1_1.tenant_quotas_allowed?).to be_truthy
+ expect(tenant_1_2.tenant_quotas_allowed?).to be_truthy
+ end
+ end
+
+ context "user has tenant-admin role" do
+ it "allows managing on tenant quotas" do
+ User.with_user(user_tenant_1_tenant_admin) do
+ expect(root_tenant.tenant_quotas_allowed?).to be_falsey
+ expect(tenant_1.tenant_quotas_allowed?).to be_falsey
+ expect(tenant_1_1.tenant_quotas_allowed?).to be_truthy
+ expect(tenant_1_2.tenant_quotas_allowed?).to be_truthy
+ end
+ end
+ end
+ end
+end
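Review bot: The examples cover only the super-admin and tenant-admin paths inside tenant_1's own branch, so the `return true unless ... tenant_admin_user?` branch of the mixin and a tenant outside the admin's subtree are never exercised. Adding `let(:tenant_2) { FactoryGirl.create(:tenant, :parent => root_tenant) }` with an expectation under `user_tenant_1_tenant_admin`, plus an example for a user whose role has neither feature, would pin the intended authorization outcome for those cases. The example title "allows managing on tenant quotas" also asserts `be_falsey` for root_tenant and tenant_1, so a title naming the descendants-only rule would read more accurately.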