diff --git a/app/controllers/api/v1/memberships_controller.rb b/app/controllers/api/v1/memberships_controller.rb
index c46ac7af4..fc4a6a325 100644
--- a/app/controllers/api/v1/memberships_controller.rb
+++ b/app/controllers/api/v1/memberships_controller.rb
@@ -6,7 +6,7 @@ class Api::V1::MembershipsController < Api::ApiController
 resource_actions :index, :show, :create, :update, :deactivate
 schema_type :strong_params
- allowed_params :update, :state
+ allowed_params :update, :state, roles: []
 def create
 resources = resource_class.transaction(requires_new: true) do
diff --git a/spec/controllers/api/v1/memberships_controller_spec.rb b/spec/controllers/api/v1/memberships_controller_spec.rb
index a39289ff6..a6ebe9d9f 100644
--- a/spec/controllers/api/v1/memberships_controller_spec.rb
+++ b/spec/controllers/api/v1/memberships_controller_spec.rb
@@ -35,6 +35,23 @@
 end
 it_behaves_like "is updatable"
+
+ context 'when updating roles as group_admin' do
+ let(:other_user) { create(:user) }
+ let(:other_user_group) { create(:user_group, admin: authorized_user, private: true) }
+ let(:other_user_membership) { create(:membership, user: other_user, user_group: other_user_group, roles: ['group_member']) }
+
+ it 'allows update of membership roles' do
+ default_request user_id: authorized_user.id, scopes: scopes
+ params = {
+ memberships: { roles: ['group_admin'] },
+ id: other_user_membership.id
+ }
+
+ put :update, params: params
+ expect(other_user_membership.reload.roles).to eq(['group_admin'])
+ end
+ end
 end
 describe "#create" do
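Review bot: Permitting `roles: []` on `:update` makes the role list writable by every caller the update policy lets through, and nothing on the changed `allowed_params` line limits it to group admins or to known role names. If a member is allowed to update their own membership (for example to change `state`), the same request could presumably carry `roles: ['group_admin']`; the policy and any model validation sit outside this diff, so that needs confirming before merge. I would gate the key on the caller being an admin of the group, or at minimum record the dependency next to the line with `# roles is writable only because the update policy restricts who reaches this action; keep the two in sync`. The class body continues outside the hunk.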
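Review bot: The new context covers only the permitted path, so the spec never shows that a caller who is not an admin of the group is unable to change roles, which is the case that matters for a permission-bearing field. The positive example also never looks at the response, so `expect(response).to have_http_status(:ok)` before the reload would catch a silent no-op. A negative example like the one below, built from the factories and helpers already used in this hunk, would pin the boundary. It asserts only that the stored roles are unchanged, because the status the policy returns is not visible in this diff.

```ruby
# … unchanged: context 'when updating roles as group_admin' …

context 'when updating roles as a plain group member' do
  let(:member) { create(:user) }
  let(:member_group) { create(:user_group, admin: authorized_user, private: true) }
  let(:own_membership) { create(:membership, user: member, user_group: member_group, roles: ['group_member']) }

  it 'does not change the membership roles' do
    default_request user_id: member.id, scopes: scopes
    put :update, params: { memberships: { roles: ['group_admin'] }, id: own_membership.id }
    expect(own_membership.reload.roles).to eq(['group_member'])
  end
end
```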