diff --git a/app/Model/Server.php b/app/Model/Server.php
index 0a369f81f..c260fbff7 100644
--- a/app/Model/Server.php
+++ b/app/Model/Server.php
@@ -6407,6 +6407,14 @@ class Server extends AppModel
 'type' => 'boolean',
 'null' => true
 ),
+ 'limit_site_admins_to_host_org' => array(
+ 'level' => self::SETTING_RECOMMENDED,
+ 'description' => __('If enabled, it will only be possible to assign site admin roles to users belonging to the instance\'s host org.'),
+ 'value' => false,
+ 'test' => 'testBool',
+ 'type' => 'boolean',
+ 'null' => true
+ ),
 'disable_browser_cache' => array(
 'level' => 0,
 'description' => __('If enabled, HTTP headers that block browser cache will be send. Static files (like images or JavaScripts) will still be cached, but not generated pages.'),
diff --git a/app/Model/User.php b/app/Model/User.php
index afbec075e..3b8318b18 100644
--- a/app/Model/User.php
+++ b/app/Model/User.php
@@ -262,6 +262,16 @@ class User extends AppModel
 if (empty($user['nids_sid'])) {
 $user['nids_sid'] = mt_rand(1000000, 9999999);
 }
+ if (!empty(Configure::read('Security.limit_site_admins_to_host_org'))){
+ if (!empty($user['role_id']) and !empty($user['org_id'] and $user['org_id'] != Configure::read('MISP.host_org_id'))){
+ $role = $this->Role->find('first', array(
+ 'conditions' => array('Role.id' => $user['role_id'])
+ ));
+ if (!empty($role) and $role['Role']['perm_site_admin'] === true){
+ $this->invalidate('role_id', "Site admin roles can only be assigned to users of the host org on this instance.");
+ }
+ }
+ }
 return true;
 }
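Review bot: The description of `limit_site_admins_to_host_org` promises that site admin roles can only go to host-org users, but the enforcement added in `User.php` is a validation check that runs on save. Accounts that already hold a site admin role in another organisation are therefore presumably left untouched. I would say so in the text, for example by appending `Existing site admins outside the host org are not changed by this setting.` to the description string, so administrators know to audit current role assignments after enabling it.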
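Review bot: The new guard in `User.php` only runs when both `role_id` and `org_id` are present in the data being saved, so a save that carries just one of them (for example a role change without `org_id`) would skip the restriction; whether callers always submit both is not visible here, since the enclosing method starts above the hunk. When a field is missing for an existing user, the stored value should be loaded before the comparison. The second `!empty(` on the inner `if` also wraps the whole `and` expression, which looks like a misplaced parenthesis; `if (!empty($user['role_id']) && !empty($user['org_id']) && $user['org_id'] != Configure::read('MISP.host_org_id')) {` states the intent. Finally, `=== true` fails open if the datasource returns `perm_site_admin` as `1` or `'1'`, so `if (!empty($role['Role']['perm_site_admin'])) {` is the safer test.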