diff --git a/app/models/concerns/host_common.rb b/app/models/concerns/host_common.rb
index 98750229ec5..84a7880e8c8 100644
--- a/app/models/concerns/host_common.rb
+++ b/app/models/concerns/host_common.rb
@@ -33,7 +33,7 @@ def lookup_values_attributes= lookup_values_attributes
             mark_for_destruction ? lookup_values.delete(lookup_value) : lookup_value.save!
           end
         elsif !ActiveRecord::ConnectionAdapters::Column.value_to_boolean attr.delete(:_destroy)
-          LookupValue.create(attr.merge(:match => lookup_value_match))
+          LookupValue.create(attr.merge(:match => lookup_value_match, :host_or_hostgroup => self))
         end
       end
     end
diff --git a/app/models/lookup_value.rb b/app/models/lookup_value.rb
index b27db64e5ec..0f9d37bdedd 100644
--- a/app/models/lookup_value.rb
+++ b/app/models/lookup_value.rb
@@ -7,6 +7,7 @@ class LookupValue < ActiveRecord::Base
   before_validation :sanitize_match
   before_validation :validate_and_cast_value
   validate :validate_list, :validate_regexp
+  attr_accessor :host_or_hostgroup
 
   serialize :value
   attr_name :value
@@ -62,10 +63,10 @@ def enforce_permissions operation
     allowed = case match
       when /^fqdn=(.*)/
         # check if current fqdn is in our allowed list
-        Host.my_hosts.where(:name => $1).exists?
+        Host.my_hosts.where(:name => $1).exists? || self.host_or_hostgroup.try(:new_record?)
       when /^hostgroup=(.*)/
         # check if current hostgroup is in our allowed list
-        Hostgroup.my_groups.where(:label => $1).exists?
+        Hostgroup.my_groups.where(:label => $1).exists? || self.host_or_hostgroup.try(:new_record?)
       else
         false
     end
diff --git a/test/unit/host_test.rb b/test/unit/host_test.rb
index b107bdb3169..d5a900e54be 100644
--- a/test/unit/host_test.rb
+++ b/test/unit/host_test.rb
@@ -63,6 +63,18 @@ class HostTest < ActiveSupport::TestCase
     assert !host.new_record?
   end
 
+  test "non-admin user should be able to create host with new lookup value" do
+    User.current = users(:one)
+    User.current.roles << [roles(:manager)]
+    assert_difference('LookupValue.count') do
+      assert Host.create! :name => "abc.host123.com", :mac => "aabbecddeeff", :ip => "2.3.4.3",
+      :domain => domains(:mydomain), :operatingsystem => operatingsystems(:redhat),
+      :subnet => subnets(:one), :architecture => architectures(:x86_64), :puppet_proxy => smart_proxies(:puppetmaster),
+      :environment => environments(:production), :disk => "empty partition",
+      :lookup_values_attributes => {"new_123456" => {"lookup_key_id" => lookup_keys(:complex).id, "value"=>"some_value", "match" => "fqdn=abc.host123.com"}}
+    end
+  end
+
   test "should import facts from json stream" do
     h=Host.new(:name => "sinn1636.lan")
     h.disk = "!" # workaround for now