diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index c98fc118e7b..5a23a5cb1d0 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -772,7 +772,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 familyMap.put(family, null);
 }
 requireNamespacePermission(c, "createTable",
- desc.getTableName().getNamespaceAsString(), desc.getTableName(), familyMap, Action.CREATE);
+ desc.getTableName().getNamespaceAsString(), desc.getTableName(), familyMap, Action.ADMIN,
+ Action.CREATE);
 }
 
 @Override
@@ -1916,7 +1917,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 }
 
 /**
- * Verifies user has CREATE privileges on
+ * Verifies user has CREATE or ADMIN privileges on
 * the Column Families involved in the bulkLoadHFile
 * request. Specific Column Write privileges are presently
 * ignored.
@@ -1928,7 +1929,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 for(Pair el : familyPaths) {
 accessChecker.requirePermission(user, "preBulkLoadHFile",
 ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), el.getFirst(), null,
- null, Action.CREATE);
+ null, Action.ADMIN, Action.CREATE);
 }
 }
 
@@ -1942,7 +1943,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 public void prePrepareBulkLoad(ObserverContext ctx)
 throws IOException {
 requireAccess(ctx, "prePrepareBulkLoad",
- ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.CREATE);
+ ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.ADMIN,
+ Action.CREATE);
 }
 
 /**
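Review bot: The method-level Javadoc for prePrepareBulkLoad and preCleanupBulkLoad starts before the `@@ -1942` and `@@ -1955` hunks and is not touched, so if it still describes the requirement as CREATE only it is now out of date, whereas the bulkLoadHFile Javadoc in the second hunk was updated to "CREATE or ADMIN". The same wording fix belongs there, and the createTable check in the first hunk would read more clearly with a short comment on the varargs, e.g. `// either ADMIN or CREATE on the namespace/table suffices (same rule as the bulk-load hooks)`, since the accepted-set semantics are only implied by the test changes moving USER_GROUP_ADMIN from denied to allowed. Because this broadens who may create tables and drive bulk loads to every ADMIN holder at global, namespace or table scope, it deserves an explicit mention in the commit description so operators can re-check their grants. The enclosing methods of the first and third hunks start outside the hunk.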
@@ -1955,7 +1957,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 public void preCleanupBulkLoad(ObserverContext ctx)
 throws IOException {
 requireAccess(ctx, "preCleanupBulkLoad",
- ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.CREATE);
+ ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.ADMIN,
+ Action.CREATE);
 }
 
 /* ---- EndpointObserver implementation ---- */
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index 1c9588ca622..1d6af1afaeb 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -396,11 +396,11 @@ public class TestAccessController extends SecureTestUtil {
 };
 
 // verify that superuser can create tables
- verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE);
+ verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN);
 
 // all others should be denied
- verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN,
- USER_GROUP_READ, USER_GROUP_WRITE);
+ verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
 }
 
 @Test
@@ -997,9 +997,8 @@ public class TestAccessController extends SecureTestUtil {
 // User performing bulk loads must have privilege to read table metadata
 // (ADMIN or CREATE)
 verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE,
- USER_GROUP_CREATE);
- verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE,
- USER_GROUP_ADMIN);
+ USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE);
 } finally {
 // Reinit after the bulk upload
 TEST_UTIL.getAdmin().disableTable(TEST_TABLE);
@@ -2881,9 +2880,8 @@ public class TestAccessController extends SecureTestUtil {
 
 private void verifyAnyCreate(AccessTestAction action) throws Exception {
 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF,
- USER_GROUP_CREATE);
- verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE,
- USER_GROUP_ADMIN);
+ USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE);
 }
 
 @Test
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java
index e4a7e84f325..292005412af 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java
@@ -287,11 +287,11 @@ public class TestAccessController3 extends SecureTestUtil {
 };
 
 // verify that superuser can create tables
- verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE);
+ verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN);
 
 // all others should be denied
- verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN,
- USER_GROUP_READ, USER_GROUP_WRITE);
+ verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
 }
 
 }
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
index 9faa3d904b5..dbb5bfd1069 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
@@ -523,10 +523,11 @@ public class TestNamespaceCommands extends SecureTestUtil {
 }
 };
 
- //createTable : superuser | global(C) | NS(C)
- verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE);
- verifyDenied(createTable, USER_GLOBAL_ADMIN, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
- USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
- USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_ADMIN);
+ //createTable : superuser | global(AC) | NS(AC)
+ verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE,
+ USER_GLOBAL_ADMIN, USER_NS_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(createTable, USER_GLOBAL_WRITE, USER_GLOBAL_READ, USER_GLOBAL_EXEC,
+ USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, USER_TABLE_CREATE, USER_TABLE_WRITE,
+ USER_GROUP_READ, USER_GROUP_WRITE);
 }
 }