diff --git a/src/config/api-server/tests/test_perms2.py b/src/config/api-server/tests/test_perms2.py
index 5073ff80d7f..82d64c440b2 100644
--- a/src/config/api-server/tests/test_perms2.py
+++ b/src/config/api-server/tests/test_perms2.py
@@ -730,6 +730,36 @@ def test_check_obj_perms_api(self):
             perms = user.check_perms(vn.get_uuid())
             self.assertEquals(perms, ExpectedPerms[user.name])
 
+    # check owner of internally created ri is cloud-admin (bug #1528796)
+    def test_ri_owner(self):
+        """
+        1) Create a virtual network as a non-admin user.
+        2) Verify owner of automatically created routing instance is cloud-admin
+        """
+
+        alice = self.alice
+        bob = self.bob
+        admin = self.admin
+
+        # allow permission to create virtual-network
+        for user in self.users:
+            logger.info( "%s: project %s to allow full access to role %s" % \
+                (user.name, user.project, user.role))
+            # note that collection API is set for create operation
+            vnc_fix_api_access_list(self.admin.vnc_lib, user.project_obj,
+                rule_str = 'virtual-networks %s:CRUD' % user.role)
+
+        # Create VN as non-admin user
+        vn_fq_name = [self.domain_name, alice.project, self.vn_name]
+        vn = VirtualNetwork(self.vn_name, self.alice.project_obj)
+        self.alice.vnc_lib.virtual_network_create(vn)
+        vn_obj = vnc_read_obj(self.admin.vnc_lib, 'virtual-network', name = vn_fq_name)
+        self.assertNotEquals(vn_obj, None)
+
+        # Verify owner of automatically created routing instance is cloud-admin
+        ri_name = [self.domain_name, alice.project, self.vn_name, self.vn_name]
+        ri = vnc_read_obj(self.admin.vnc_lib, 'routing-instance', name = ri_name)
+        self.assertEquals(ri.get_perms2().owner, 'cloud-admin')
 
     def tearDown(self):
         self._api_svr_greenlet.kill()
diff --git a/src/config/api-server/vnc_cfg_api_server.py b/src/config/api-server/vnc_cfg_api_server.py
index 59e7992f3e1..5b2e26e54c3 100644
--- a/src/config/api-server/vnc_cfg_api_server.py
+++ b/src/config/api-server/vnc_cfg_api_server.py
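Review bot: `bob` and `admin` are assigned in `test_ri_owner` but never read (the body goes through `self.admin.vnc_lib` directly), so the lines `bob = self.bob` and `admin = self.admin` can be dropped. The test also pins only the routing-instance side of the server change; it never asserts that the virtual-network created through alice's client is owned by alice's tenant, so a second assertion such as `self.assertEquals(vn_obj.get_perms2().owner, <alice-project-id>)` (placeholder: the project id alice's client sends in X-Project-Id) would catch the owner silently falling back to the default. The enclosing test class starts outside the hunk.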
@@ -2484,13 +2484,19 @@ def _get_default_id_perms(self, obj_type):
         return id_perms_dict
     # end _get_default_id_perms
 
-    def _ensure_perms2_present(self, obj_type, obj_uuid, obj_dict):
+    def _ensure_perms2_present(self, obj_type, obj_uuid, obj_dict, project_id=None):
         """
         Called at resource creation to ensure that id_perms is present in obj
         """
         # retrieve object and permissions
         perms2 = self._get_default_perms2(obj_type)
 
+        # set ownership of object to creator tenant
+        if obj_type == 'project' and 'uuid' in obj_dict:
+            perms2['owner'] = str(obj_dict['uuid']).replace('-','')
+        elif project_id:
+            perms2['owner'] = project_id
+
         if (('perms2' not in obj_dict) or (obj_dict['perms2'] is None)):
             # Resource creation
@@ -3000,11 +3006,8 @@ def _http_post_common(self, request, obj_type, obj_dict):
 
         # Ensure object has at least default permissions set
         self._ensure_id_perms_present(obj_type, None, obj_dict)
-        self._ensure_perms2_present(obj_type, None, obj_dict)
-
-        # set ownership of object to creator tenant
-        owner = request.headers.environ.get('HTTP_X_PROJECT_ID', None)
-        obj_dict['perms2']['owner'] = owner
+        self._ensure_perms2_present(obj_type, None, obj_dict,
+            request.headers.environ.get('HTTP_X_PROJECT_ID', None))
 
         # TODO check api + resource perms etc.
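Review bot: The creator tenant written into `perms2['owner']` in `_ensure_perms2_present` may no longer override an `owner` that a client supplies inside `obj_dict['perms2']`, because the `_http_post_common` hunk removes the unconditional `obj_dict['perms2']['owner'] = owner` and the new assignment only touches the default dict built by `_get_default_perms2`; whether it reaches a caller-provided `perms2` depends on the else branch of the `'perms2' not in obj_dict` check, which is outside the hunk. If that branch keeps the request's `perms2` as-is, a request body can now name an arbitrary owner, so the project-uuid/`project_id` assignment should be applied to `obj_dict['perms2']` after the presence check (or the else branch confirmed to overwrite `owner`). A smaller behaviour change worth a comment next to `elif project_id:` is that a request without X-Project-Id now leaves the owner at the default value instead of setting it to `None` as before. The docstring still says `id_perms` and does not mention the new parameter; suggest `Called at resource creation to ensure perms2 is present in obj_dict; project_id (the creator's tenant, from X-Project-Id) becomes perms2['owner'] unless the object is a project, in which case its own uuid with dashes stripped is used.` Both methods continue outside their hunks.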