diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index 027192125b..4cde14dba1 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -942,7 +942,6 @@ class UserSerializer(BaseSerializer):
 roles = self.reverse('api:user_roles_list', kwargs={'pk': obj.pk}),
 activity_stream = self.reverse('api:user_activity_stream_list', kwargs={'pk': obj.pk}),
 access_list = self.reverse('api:user_access_list', kwargs={'pk': obj.pk}),
- applications = self.reverse('api:o_auth2_application_list', kwargs={'pk': obj.pk}),
 tokens = self.reverse('api:o_auth2_token_list', kwargs={'pk': obj.pk}),
 authorized_tokens = self.reverse('api:user_authorized_token_list', kwargs={'pk': obj.pk}),
 personal_tokens = self.reverse('api:o_auth2_personal_token_list', kwargs={'pk': obj.pk}),
@@ -990,8 +989,8 @@ class UserAuthorizedTokenSerializer(BaseSerializer):
 class Meta:
 model = OAuth2AccessToken
 fields = (
- '*', '-name', 'description', 'user', 'token', 'refresh_token',
- 'expires', 'scope', 'application',
+ '*', '-name', 'description', '-user', 'token', 'refresh_token',
+ 'expires', 'scope', 'application'
 )
 read_only_fields = ('user', 'token', 'expires')
@@ -1041,12 +1040,13 @@ class OAuth2ApplicationSerializer(BaseSerializer):
 model = OAuth2Application
 fields = (
 '*', 'description', 'user', 'client_id', 'client_secret', 'client_type',
- 'redirect_uris', 'authorization_grant_type', 'skip_authorization',
+ 'redirect_uris', 'authorization_grant_type', 'skip_authorization', 'organization'
 )
 read_only_fields = ('client_id', 'client_secret')
 read_only_on_update_fields = ('user', 'authorization_grant_type')
 extra_kwargs = {
- 'user': {'allow_null': False, 'required': True},
+ 'user': {'allow_null': True, 'required': False},
+ 'organization': {'allow_null': False},
 'authorization_grant_type': {'allow_null': False}
 }
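Review bot: `read_only_fields = ('user', 'token', 'expires')` still names `user` after `'-user'` removes it from `fields` in `UserAuthorizedTokenSerializer.Meta`; the same leftover is in the `OAuth2AuthorizedTokenSerializer.Meta` hunk at -1195. The entry no longer appears to configure anything that is serialized, so I would shorten it to `read_only_fields = ('token', 'expires')` in both classes. This hunk also drops the trailing comma after `'application'` while the hunk at -1195 keeps it; keeping it in both leaves later field additions as one-line diffs.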
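Review bot: `'organization': {'allow_null': False}` rejects an explicit null but does not make the field mandatory, while the model column added by this commit is `null=True` and `user` is relaxed to optional in the same `extra_kwargs`. If `required` is derived from the model field, as DRF's ModelSerializer normally does for a nullable column, a create request that omits `organization` would pass validation and store an application with neither an owner nor an organization. I would write `'organization': {'allow_null': False, 'required': True},` so every new application belongs to an organization that the access filter can evaluate. The Meta class starts above the hunk.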
@@ -1195,7 +1195,7 @@ class OAuth2AuthorizedTokenSerializer(BaseSerializer):
 class Meta:
 model = OAuth2AccessToken
 fields = (
- '*', '-name', 'description', 'user', 'token', 'refresh_token',
+ '*', '-name', 'description', '-user', 'token', 'refresh_token',
 'expires', 'scope', 'application',
 )
 read_only_fields = ('user', 'token', 'expires')
@@ -1312,6 +1312,7 @@ class OrganizationSerializer(BaseSerializer):
 admins = self.reverse('api:organization_admins_list', kwargs={'pk': obj.pk}),
 teams = self.reverse('api:organization_teams_list', kwargs={'pk': obj.pk}),
 credentials = self.reverse('api:organization_credential_list', kwargs={'pk': obj.pk}),
+ applications = self.reverse('api:o_auth2_application_list', kwargs={'pk': obj.pk}),
 activity_stream = self.reverse('api:organization_activity_stream_list', kwargs={'pk': obj.pk}),
 notification_templates = self.reverse('api:organization_notification_templates_list', kwargs={'pk': obj.pk}),
 notification_templates_any = self.reverse('api:organization_notification_templates_any_list', kwargs={'pk': obj.pk}),
diff --git a/awx/main/access.py b/awx/main/access.py
index bf74f2a491..4b99717ddc 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -593,10 +593,7 @@ class OAuth2ApplicationAccess(BaseAccess):
 select_related = ('user',)
 def filtered_queryset(self):
- accessible_users = User.objects.filter(
- pk__in=self.user.admin_of_organizations.values('member_role__members')
- ) | User.objects.filter(pk=self.user.pk)
- return self.model.objects.filter(user__in=accessible_users)
+ return self.model.objects.filter(organization__in=self.user.organizations)
 def can_change(self, obj, data):
 return self.can_read(obj)
diff --git a/awx/main/migrations/0027_v330_modify_application.py b/awx/main/migrations/0027_v330_modify_application.py
new file mode 100644
index 0000000000..48e7b5e84e
--- /dev/null
+++ b/awx/main/migrations/0027_v330_modify_application.py
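Review bot: The new `applications` link in OrganizationSerializer reverses `api:o_auth2_application_list` with the organization's pk, the same route name that the UserSerializer entry removed by this commit called with a user's pk. Every neighbouring entry uses an `api:organization_*` route and this diff adds no organization-scoped application route, so the link is unlikely to resolve to a list limited to this organization. I would add an organization-scoped list view and URL and reverse that here, or drop the `pk` kwarg if the global list is what is intended. The enclosing method starts and ends outside the hunk.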
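Review bot: `can_change` returns `self.can_read(obj)`, and `filtered_queryset` in OAuth2ApplicationAccess now admits every member of the application's organization, where the removed code admitted only the owner and admins of the owner's organizations. If `can_read` is derived from that queryset (BaseAccess is not shown), any ordinary member could edit an application's `redirect_uris` and read the `client_secret` that the serializer keeps in `fields`. I would leave read access at membership level but gate writes on organization admin, for example `return bool(obj.organization) and self.user in obj.organization.admin_role`, with a test for the member-versus-admin case. The class continues outside the hunk.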
@@ -0,0 +1,23 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.11 on 2018-03-16 20:25
+from __future__ import unicode_literals
+
+import awx.main.fields
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('main', '0026_v330_emitted_events'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='oauth2application',
+ name='organization',
+ field=models.ForeignKey(help_text='Organization containing this application.', null=True, on_delete=django.db.models.deletion.CASCADE, related_name='applications', to='main.Organization'),
+ ),
+ ]
diff --git a/awx/main/models/oauth.py b/awx/main/models/oauth.py
index a1c13a23cd..a15b1cc2c1 100644
--- a/awx/main/models/oauth.py
+++ b/awx/main/models/oauth.py
@@ -31,7 +31,13 @@ class OAuth2Application(AbstractApplication):
 editable=False,
 validators=[RegexValidator(DATA_URI_RE)],
 )
-
+ organization = models.ForeignKey(
+ 'Organization',
+ related_name='applications',
+ help_text=_('Organization containing this application.'),
+ on_delete=models.CASCADE,
+ null=True,
+ )
 class OAuth2AccessToken(AbstractAccessToken):
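Review bot: `organization` is added to OAuth2Application with `null=True`, and migration 0027 only adds the column, so every existing application row is left with a NULL organization. The new `filtered_queryset` in awx/main/access.py filters on `organization__in=self.user.organizations`, which a NULL never matches, so those applications would drop out of their owners' listings after upgrade, presumably while tokens already issued for them stay valid. I would add a data migration that assigns an organization to existing rows, or document how orphaned applications are to be handled. Because `on_delete=models.CASCADE` makes deleting an organization delete its OAuth2 clients, a field comment such as `# CASCADE: deleting an organization deletes its applications` would make that explicit.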