diff --git a/charts/shipyard/values.yaml b/charts/shipyard/values.yaml
index 263f5839..6688bd8f 100644
--- a/charts/shipyard/values.yaml
+++ b/charts/shipyard/values.yaml
@@ -368,9 +368,10 @@ conf:
     workflow_orchestrator:get_configdocs_status: rule:admin_read_access
     workflow_orchestrator:create_configdocs: rule:admin_create
     workflow_orchestrator:get_configdocs: rule:admin_read_access
+    workflow_orchestrator:get_configdocs_cleartext: rule:admin_create
     workflow_orchestrator:commit_configdocs: rule:admin_create
     workflow_orchestrator:get_renderedconfigdocs: rule:admin_read_access
-    workflow_orchestrator:get_renderedconfigdocs_cleartext: rule:admin_read_access
+    workflow_orchestrator:get_renderedconfigdocs_cleartext: rule:admin_create
     workflow_orchestrator:list_workflows: rule:admin_read_access
     workflow_orchestrator:get_workflow: rule:admin_read_access
     workflow_orchestrator:get_notedetails: rule:admin_read_access
diff --git a/doc/source/CLI.rst b/doc/source/CLI.rst
index 651ede11..3d38aef7 100644
--- a/doc/source/CLI.rst
+++ b/doc/source/CLI.rst
@@ -682,8 +682,10 @@ differences between the 'committed' and 'buffer' revision (default behavior).
   collection, this will return an empty response (default)
 
 \--cleartext-secrets
-  Returns cleartext secrets in encrypted documents, otherwise those values
-  are redacted. Only impacts returned documents, not lists of documents.
+  Returns secrets as cleartext for encrypted documents if the user has the
+  appropriate permissions in the target environment.  If the user does not
+  have the appropriate permissions and sets this flag to true an error is
+  returned.  Only impacts returned documents, not lists of documents.
 
 Sample
 ^^^^^^
@@ -750,8 +752,10 @@ applying Deckhand layering and substitution.
   prior commit. (default)
 
 \--cleartext-secrets
-  Returns secrets as cleartext for encrypted documents if the user has the appropriate
-  permissions in the target environment.
+  Returns secrets as cleartext for encrypted documents if the user has the
+  appropriate permissions in the target environment.  If the user does not
+  have the appropriate permissions and sets this flag to true an error is
+  returned.
 
 Sample
 ^^^^^^
diff --git a/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py b/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py
index 92c8ac4b..ac39f0d5 100644
--- a/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py
+++ b/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py
@@ -123,6 +123,11 @@ class ConfigDocsResource(BaseResource):
         cleartext_secrets = req.get_param_as_bool('cleartext-secrets') or False
         self._validate_version_parameter(version)
         helper = ConfigdocsHelper(req.context)
+
+        # Check access to cleartext_secrets
+        if cleartext_secrets:
+            policy.check_auth(req.context, policy.GET_CONFIGDOCS_CLRTXT)
+
         # Not reformatting to JSON or YAML since just passing through
         resp.body = self.get_collection(
             helper=helper, collection_id=collection_id, version=version,
diff --git a/src/bin/shipyard_airflow/shipyard_airflow/policy.py b/src/bin/shipyard_airflow/shipyard_airflow/policy.py
index fe506c3c..4b8bc429 100644
--- a/src/bin/shipyard_airflow/shipyard_airflow/policy.py
+++ b/src/bin/shipyard_airflow/shipyard_airflow/policy.py
@@ -36,6 +36,7 @@ INVOKE_ACTION_CONTROL = 'workflow_orchestrator:invoke_action_control'
 GET_CONFIGDOCS_STATUS = 'workflow_orchestrator:get_configdocs_status'
 CREATE_CONFIGDOCS = 'workflow_orchestrator:create_configdocs'
 GET_CONFIGDOCS = 'workflow_orchestrator:get_configdocs'
+GET_CONFIGDOCS_CLRTXT = 'workflow_orchestrator:get_configdocs_cleartext'
 COMMIT_CONFIGDOCS = 'workflow_orchestrator:commit_configdocs'
 GET_RENDEREDCONFIGDOCS = 'workflow_orchestrator:get_renderedconfigdocs'
 GET_RENDEREDCONFIGDOCS_CLRTXT = 'workflow_orchestrator:get_renderedconfigdocs_cleartext'  # noqa
@@ -162,7 +163,18 @@ class ShipyardPolicy(object):
         policy.DocumentedRuleDefault(
             GET_CONFIGDOCS,
             RULE_ADMIN_REQUIRED,
-            'Retrieve a collection of configuration documents',
+            ('Retrieve a collection of configuration documents with redacted '
+             'secrets'),
+            [{
+                'path': '/api/v1.0/configdocs/{collection_id}',
+                'method': 'GET'
+            }]
+        ),
+        policy.DocumentedRuleDefault(
+            GET_CONFIGDOCS_CLRTXT,
+            RULE_ADMIN_REQUIRED,
+            ('Retrieve a collection of configuration documents with cleartext '
+             'secrets.'),
             [{
                 'path': '/api/v1.0/configdocs/{collection_id}',
                 'method': 'GET'