diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index ec5a1b8a312f..6c7ef6e5e5e1 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -2616,4 +2616,11 @@ public void preRenameRSGroup(ObserverContext<MasterCoprocessorEnvironment> ctx,
     accessChecker.requirePermission(getActiveUser(ctx), "renameRSGroup",
       null, Permission.Action.ADMIN);
   }
+
+  @Override
+  public void preUpdateRSGroupConfig(final ObserverContext<MasterCoprocessorEnvironment> ctx,
+    final String groupName, final Map<String, String> configuration) throws IOException {
+    accessChecker
+      .requirePermission(getActiveUser(ctx), "updateRSGroupConfig", null, Permission.Action.ADMIN);
+  }
 }
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsBase.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsBase.java
index 418aaf905133..c847198d1ffc 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsBase.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsBase.java
@@ -340,6 +340,8 @@ public static class CPMasterObserver implements MasterCoprocessor, MasterObserve
     boolean postGetConfiguredNamespacesAndTablesInRSGroupCalled = false;
     boolean preRenameRSGroup = false;
     boolean postRenameRSGroup = false;
+    boolean preUpdateRSGroupConfig = false;
+    boolean postUpdateRSGroupConfig = false;
 
     public void resetFlags() {
       preBalanceRSGroupCalled = false;
@@ -372,6 +374,8 @@ public void resetFlags() {
       postGetConfiguredNamespacesAndTablesInRSGroupCalled = false;
       preRenameRSGroup = false;
       postRenameRSGroup = false;
+      preUpdateRSGroupConfig = false;
+      postUpdateRSGroupConfig = false;
     }
 
     @Override
@@ -546,5 +550,17 @@ public void postRenameRSGroup(ObserverContext<MasterCoprocessorEnvironment> ctx,
       String newName) throws IOException {
       postRenameRSGroup = true;
     }
+
+    @Override
+    public void preUpdateRSGroupConfig(final ObserverContext<MasterCoprocessorEnvironment> ctx,
+      final String groupName, final Map<String, String> configuration) throws IOException {
+      preUpdateRSGroupConfig = true;
+    }
+
+    @Override
+    public void postUpdateRSGroupConfig(final ObserverContext<MasterCoprocessorEnvironment> ctx,
+      final String groupName, final Map<String, String> configuration) throws IOException {
+      postUpdateRSGroupConfig = true;
+    }
   }
 }
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java
index fb6292c8a89f..5649242e3be7 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java
@@ -333,6 +333,16 @@ public void testRenameRSGroup() throws Exception {
     validateAdminPermissions(action);
   }
 
+  @Test
+  public void testUpdateRSGroupConfig() throws Exception {
+    AccessTestAction action = () -> {
+      checkPermission("updateRSGroupConfig");
+      return null;
+    };
+
+    validateAdminPermissions(action);
+  }
+
   private void validateAdminPermissions(AccessTestAction action) throws Exception {
     verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
     verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,